chore: manage infinispan configuration file

roles/keycloak_quarkus/README.md

@@ -132,6 +132,17 @@ Role Defaults
 |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
 
 
+#### Infinispan configuration
+
+| Variable                                           | Description                     | Default                                                      |
+| :------------------------------------------------- | :------------------------------ | :----------------------------------------------------------- |
+| `keycloak_quarkus_cache_managed_infinispan_config` | Manage infinispan configuration | `"{{ keycloak_quarkus_version is version('26.4.0', '<') }}"` |
+| `keycloak_quarkus_cache_infinispan_template`       | Infinispan cache template file  | `cache-ispn.xml`                                             |
+
+As explained in the [official documentation](https://www.keycloak.org/server/caching#_modifying_cache_configuration_defaults), since version 26.4, it is recommended not to modify the XML configuration file but rather to configure the cache via the keycloak.properties file. By default, the role will no longer automatically deploy this file for versions higher than 26.4.
+
+For earlier versions, it is possible to override the given template to customize the cache using the `keycloak_quarkus_cache_infinispan_template` variable.
+
 #### Database configuration
 
 | Variable | Description | Default |
@@ -154,6 +165,7 @@ Role Defaults
 |`keycloak_quarkus_cache_remote_port`| Port for connecting to infinispan | `11222` |
 |`keycloak_quarkus_cache_remote_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` |
 |`keycloak_quarkus_cache_remote_tls_enabled` | Whether infinispan uses TLS connection | `false` |
+|`keycloak_quarkus_cache_embedded_properties` | Embedded cache properties | `` |
 
 
 #### Logging configuration

roles/keycloak_quarkus/defaults/main.yml

@@ -117,25 +117,14 @@ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: true
 keycloak_quarkus_metrics_enabled: false
 keycloak_quarkus_health_enabled: true
 
+### infinispan; must read: https://forum.keycloak.org/t/keycloak-26-4-7-ha/31202
+keycloak_quarkus_cache_managed_infinispan_config: "{{ keycloak_quarkus_version is version('26.4.0', '<') }}"
+keycloak_quarkus_cache_infinispan_template: cache-ispn.xml
+
 ### caches; must read: https://www.keycloak.org/2024/12/storing-sessions-in-kc26
 ### embedded caches
 # https://www.keycloak.org/server/caching
-keycloak_quarkus_cache_metrics_enabled: false
-keycloak_quarkus_cache_embedded_authorization_max_count:
-keycloak_quarkus_cache_embedded_client_sessions_max_count:
-keycloak_quarkus_cache_embedded_crl_max_count:
-keycloak_quarkus_cache_embedded_keys_max_count:
-keycloak_quarkus_cache_embedded_offline_client_sessions_max_count:
-keycloak_quarkus_cache_embedded_offline_sessions_max_count:
-keycloak_quarkus_cache_embedded_realms_max_count:
-keycloak_quarkus_cache_embedded_sessions_max_count:
-keycloak_quarkus_cache_embedded_users_max_count:
-keycloak_quarkus_cache_embedded_mtls_enabled: true
-keycloak_quarkus_cache_embedded_mtls_key_store_file: "{{ keycloak.home }}/conf/cache_key_store.p12"
-keycloak_quarkus_cache_embedded_mtls_key_store_password: ''
-keycloak_quarkus_cache_embedded_mtls_rotation_interval_days: 30
-keycloak_quarkus_cache_embedded_mtls_trust_store_file: "{{ keycloak.home }}/conf/cache_trust_store.p12"
-keycloak_quarkus_cache_embedded_mtls_trust_store_password: ''
+keycloak_quarkus_cache_embedded_properties: ""
 
 ### infinispan remote caches access (hotrod)
 # https://www.keycloak.org/server/caching#_remote_cache

roles/keycloak_quarkus/meta/argument_specs.yml

@@ -476,70 +476,6 @@ argument_specs:
                 description: "Path local to controller for offline/download of install archives"
                 default: "{{ lookup('env', 'PWD') }}"
                 type: "str"
-            keycloak_quarkus_cache_metrics_enabled:
-                description: 'Enable histograms for metrics for the embedded caches'
-                default: false
-                type: 'bool'
-            keycloak_quarkus_cache_embedded_authorization_max_count:
-                description: 'The maximum number of entries that can be stored in-memory by the authorization cache'
-                required: false
-                type: "int"
-            keycloak_quarkus_cache_embedded_client_sessions_max_count:
-                description: 'The maximum number of entries that can be stored in-memory by the clientSessions cache'
-                required: false
-                type: "int"
-            keycloak_quarkus_cache_embedded_crl_max_count:
-                description: 'The maximum number of entries that can be stored in-memory by the crl cache'
-                required: false
-                type: "int"
-            keycloak_quarkus_cache_embedded_keys_max_count:
-                description: 'The maximum number of entries that can be stored in-memory by the keys cache'
-                required: false
-                type: "int"
-            keycloak_quarkus_cache_embedded_offline_client_sessions_max_count:
-                description: 'The maximum number of entries that can be stored in-memory by the offlineClientSessions cache'
-                required: false
-                type: "int"
-            keycloak_quarkus_cache_embedded_offline_sessions_max_count:
-                description: 'The maximum number of entries that can be stored in-memory by the offlineSessions cache'
-                required: false
-                type: "int"
-            keycloak_quarkus_cache_embedded_realms_max_count:
-                description: 'The maximum number of entries that can be stored in-memory by the realms cache'
-                required: false
-                type: "int"
-            keycloak_quarkus_cache_embedded_sessions_max_count:
-                description: 'The maximum number of entries that can be stored in-memory by the sessions cache'
-                required: false
-                type: "int"
-            keycloak_quarkus_cache_embedded_users_max_count:
-                description: 'The maximum number of entries that can be stored in-memory by the users cache'
-                required: false
-                type: 'int'
-            keycloak_quarkus_cache_embedded_mtls_enabled:
-                description: 'Encrypts the network communication between Keycloak servers'
-                default: true
-                type: 'bool'
-            keycloak_quarkus_cache_embedded_mtls_key_store_file:
-                description: 'The Keystore file path'
-                default: "{{ keycloak.home }}/conf/cache_key_store.p12"
-                type: "str"
-            keycloak_quarkus_cache_embedded_mtls_key_store_password:
-                description: 'The password to access the Keystore'
-                default: ''
-                type: "str"
-            keycloak_quarkus_cache_embedded_mtls_rotation_interval_days:
-                description: 'Rotation period in days of automatic JGroups MTLS certificates'
-                default: 30
-                type: 'int'
-            keycloak_quarkus_cache_embedded_mtls_trust_store_file:
-                description: 'The Truststore file path'
-                default: "{{ keycloak.home }}/conf/cache_trust_store.p12"
-                type: "str"
-            keycloak_quarkus_cache_embedded_mtls_trust_store_password:
-                description: 'The password to access the Truststore.'
-                default: ''
-                type: "str"
             keycloak_quarkus_jgroups_port:
                 description: 'jgroups bind port'
                 default: 7800
@@ -560,6 +496,18 @@ argument_specs:
                 description: "JVM arguments for jgroups configuration"
                 default: "-Djgroups.bind.address={{ keycloak_quarkus_jgroups_bind_address }} -Djgroups.external_port={{ keycloak_quarkus_jgroups_external_port }} -Djgroups.external_addr={{ keycloak_quarkus_jgroups_external_addr }}"
                 type: "str"
+            keycloak_quarkus_cache_managed_infinispan_config:
+                description: "Manage infinispan configuration"
+                default: "{{ keycloak_quarkus_version is version('26.4.0', '<') }}"
+                type: bool
+            keycloak_quarkus_cache_infinispan_template:
+                description: "Infinispan cache template file"
+                default: "cache-ispn.xml"
+                type: str
+            keycloak_quarkus_cache_embedded_properties:
+                description: Embedded cache properties
+                default: ""
+                type: str
     downstream:
         options:
             rhbk_version:

roles/keycloak_quarkus/tasks/main.yml

@@ -70,6 +70,11 @@
   loop: "{{ ansible_play_batch }}"
   when: keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING'
 
+
+- name: Determine the config files
+  ansible.builtin.set_fact:
+    keycloak_quarkus_config_files: "{{ ['keycloak.conf', 'quarkus.properties'] + (keycloak_quarkus_cache_managed_infinispan_config | ternary([keycloak_quarkus_cache_infinispan_template], [])) }}"
+
 - name: "Configure config files for keycloak service"
   ansible.builtin.template:
     src: "{{ item }}.j2"
@@ -78,10 +83,7 @@
     group: "{{ keycloak.service_group }}"
     mode: '0640'
   become: true
-  loop:
-    - keycloak.conf
-    - quarkus.properties
-    - cache-ispn.xml
+  loop: "{{ keycloak_quarkus_config_files }}" 
   notify:
     - rebuild keycloak config
     - restart keycloak

roles/keycloak_quarkus/templates/keycloak.conf.j2

@@ -66,6 +66,7 @@ cache-remote-host={{ keycloak_quarkus_cache_remote_host }}
 cache-remote-port={{ keycloak_quarkus_cache_remote_port }}
 cache-remote-tls-enabled={{ keycloak_quarkus_cache_remote_tls_enabled | lower }}
 {% endif %}
+{{ keycloak_quarkus_cache_embedded_properties }}
 {% endif %}
 
 {% if keycloak_quarkus_proxy_headers | length > 0 %}