diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md
index 664f2a4..0083b43 100644
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@@ -132,6 +132,17 @@ Role Defaults
 |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
+#### Infinispan configuration
+
+| Variable | Description | Default |
+| :------------------------------------------------- | :------------------------------ | :----------------------------------------------------------- |
+| `keycloak_quarkus_cache_managed_infinispan_config` | Manage infinispan configuration | `"{{ keycloak_quarkus_version is version('26.4.0', '<') }}"` |
+| `keycloak_quarkus_cache_infinispan_template` | Infinispan cache template file | `cache-ispn.xml` |
+
+As explained in the [official documentation](https://www.keycloak.org/server/caching#_modifying_cache_configuration_defaults), since version 26.4, it is recommended not to modify the XML configuration file but rather to configure the cache via the keycloak.properties file. By default, the role will no longer automatically deploy this file for versions higher than 26.4.
+
+For earlier versions, it is possible to override the given template to customize the cache using the `keycloak_quarkus_cache_infinispan_template` variable.
+
 #### Database configuration
 | Variable | Description | Default |
@@ -154,6 +165,7 @@ Role Defaults
 |`keycloak_quarkus_cache_remote_port`| Port for connecting to infinispan | `11222` |
 |`keycloak_quarkus_cache_remote_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` |
 |`keycloak_quarkus_cache_remote_tls_enabled` | Whether infinispan uses TLS connection | `false` |
+|`keycloak_quarkus_cache_embedded_properties` | Embedded cache properties | `` |
 #### Logging configuration
diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml
index e73973e..e868c2d 100644
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@@ -117,25 +117,14 @@ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: true
 keycloak_quarkus_metrics_enabled: false
 keycloak_quarkus_health_enabled: true
+### infinispan; must read: https://forum.keycloak.org/t/keycloak-26-4-7-ha/31202
+keycloak_quarkus_cache_managed_infinispan_config: "{{ keycloak_quarkus_version is version('26.4.0', '<') }}"
+keycloak_quarkus_cache_infinispan_template: cache-ispn.xml
+
 ### caches; must read: https://www.keycloak.org/2024/12/storing-sessions-in-kc26
 ### embedded caches
 # https://www.keycloak.org/server/caching
-keycloak_quarkus_cache_metrics_enabled: false
-keycloak_quarkus_cache_embedded_authorization_max_count:
-keycloak_quarkus_cache_embedded_client_sessions_max_count:
-keycloak_quarkus_cache_embedded_crl_max_count:
-keycloak_quarkus_cache_embedded_keys_max_count:
-keycloak_quarkus_cache_embedded_offline_client_sessions_max_count:
-keycloak_quarkus_cache_embedded_offline_sessions_max_count:
-keycloak_quarkus_cache_embedded_realms_max_count:
-keycloak_quarkus_cache_embedded_sessions_max_count:
-keycloak_quarkus_cache_embedded_users_max_count:
-keycloak_quarkus_cache_embedded_mtls_enabled: true
-keycloak_quarkus_cache_embedded_mtls_key_store_file: "{{ keycloak.home }}/conf/cache_key_store.p12"
-keycloak_quarkus_cache_embedded_mtls_key_store_password: ''
-keycloak_quarkus_cache_embedded_mtls_rotation_interval_days: 30
-keycloak_quarkus_cache_embedded_mtls_trust_store_file: "{{ keycloak.home }}/conf/cache_trust_store.p12"
-keycloak_quarkus_cache_embedded_mtls_trust_store_password: ''
+keycloak_quarkus_cache_embedded_properties: ""
 ### infinispan remote caches access (hotrod)
 # https://www.keycloak.org/server/caching#_remote_cache
diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
index cecbe20..cebe12c 100644
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
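Review bot: Dropping `keycloak_quarkus_cache_embedded_mtls_enabled: true` together with the other embedded-cache defaults means the role no longer turns on mTLS for the embedded cache transport by default; the replacement `keycloak_quarkus_cache_embedded_properties: ""` is empty, so inter-node cache traffic is only encrypted if the operator adds the option themselves (or if Keycloak's own default for the target version already enables it, which this hunk does not say). Playbooks that still set any of the removed `keycloak_quarkus_cache_embedded_*` or `keycloak_quarkus_cache_metrics_enabled` variables will now have them silently ignored, since nothing in the role flags an unknown variable. A comment above the new default would make the migration visible, e.g. `# replaces the former keycloak_quarkus_cache_embedded_* variables; one cache-embedded-* option per line, e.g. cache-embedded-mtls-enabled=true`.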
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml 
@@ -476,70 +476,6 @@ argument_specs:
 description: "Path local to controller for offline/download of install archives"
 default: "{{ lookup('env', 'PWD') }}"
 type: "str"
- keycloak_quarkus_cache_metrics_enabled:
- description: 'Enable histograms for metrics for the embedded caches'
- default: false
- type: 'bool'
- keycloak_quarkus_cache_embedded_authorization_max_count:
- description: 'The maximum number of entries that can be stored in-memory by the authorization cache'
- required: false
- type: "int"
- keycloak_quarkus_cache_embedded_client_sessions_max_count:
- description: 'The maximum number of entries that can be stored in-memory by the clientSessions cache'
- required: false
- type: "int"
- keycloak_quarkus_cache_embedded_crl_max_count:
- description: 'The maximum number of entries that can be stored in-memory by the crl cache'
- required: false
- type: "int"
- keycloak_quarkus_cache_embedded_keys_max_count:
- description: 'The maximum number of entries that can be stored in-memory by the keys cache'
- required: false
- type: "int"
- keycloak_quarkus_cache_embedded_offline_client_sessions_max_count:
- description: 'The maximum number of entries that can be stored in-memory by the offlineClientSessions cache'
- required: false
- type: "int"
- keycloak_quarkus_cache_embedded_offline_sessions_max_count:
- description: 'The maximum number of entries that can be stored in-memory by the offlineSessions cache'
- required: false
- type: "int"
- keycloak_quarkus_cache_embedded_realms_max_count:
- description: 'The maximum number of entries that can be stored in-memory by the realms cache'
- required: false
- type: "int"
- keycloak_quarkus_cache_embedded_sessions_max_count:
- description: 'The maximum number of entries that can be stored in-memory by the sessions cache'
- required: false
- type: "int"
- keycloak_quarkus_cache_embedded_users_max_count:
- description: 'The maximum number of entries that can be stored in-memory by the users cache'
- required: false
- 
type: 'int'
- keycloak_quarkus_cache_embedded_mtls_enabled:
- description: 'Encrypts the network communication between Keycloak servers'
- default: true
- type: 'bool'
- keycloak_quarkus_cache_embedded_mtls_key_store_file:
- description: 'The Keystore file path'
- default: "{{ keycloak.home }}/conf/cache_key_store.p12"
- type: "str"
- keycloak_quarkus_cache_embedded_mtls_key_store_password:
- description: 'The password to access the Keystore'
- default: ''
- type: "str"
- keycloak_quarkus_cache_embedded_mtls_rotation_interval_days:
- description: 'Rotation period in days of automatic JGroups MTLS certificates'
- default: 30
- type: 'int'
- keycloak_quarkus_cache_embedded_mtls_trust_store_file:
- description: 'The Truststore file path'
- default: "{{ keycloak.home }}/conf/cache_trust_store.p12"
- type: "str"
- keycloak_quarkus_cache_embedded_mtls_trust_store_password:
- description: 'The password to access the Truststore.'
- default: ''
- type: "str"
 keycloak_quarkus_jgroups_port:
 description: 'jgroups bind port'
 default: 7800
@@ -560,6 +496,18 @@ argument_specs:
 description: "JVM arguments for jgroups configuration"
 default: "-Djgroups.bind.address={{ keycloak_quarkus_jgroups_bind_address }} -Djgroups.external_port={{ keycloak_quarkus_jgroups_external_port }} -Djgroups.external_addr={{ keycloak_quarkus_jgroups_external_addr }}"
 type: "str"
+ keycloak_quarkus_cache_managed_infinispan_config:
+ description: "Manage infinispan configuration"
+ default: "{{ keycloak_quarkus_version is version('26.4.0', '<') }}"
+ type: bool
+ keycloak_quarkus_cache_infinispan_template:
+ description: "Infinispan cache template file"
+ default: "cache-ispn.xml"
+ type: str
+ keycloak_quarkus_cache_embedded_properties:
+ description: Embedded cache properties
+ default: ""
+ type: str
 downstream:
 options:
 rhbk_version:
diff --git a/roles/keycloak_quarkus/tasks/main.yml b/roles/keycloak_quarkus/tasks/main.yml
index 6a7a4b0..00b8e0e 100644
--- a/roles/keycloak_quarkus/tasks/main.yml
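Review bot: The `description` given for `keycloak_quarkus_cache_embedded_properties` in the second hunk does not tell a user what shape the value takes; since keycloak.conf.j2 in this same commit emits the variable verbatim, the spec should say so, e.g. `description: "Raw lines written verbatim into keycloak.conf, one cache-embedded-* option per line (replaces the former keycloak_quarkus_cache_embedded_* variables)"`. The three new entries also diverge from the surrounding file's style: the neighbouring options quote their descriptions and write `type: "str"`, while here `type: bool`, `type: str` and an unquoted `description: Embedded cache properties` appear; unquoted `bool`/`str` parse fine, but the mix reads as inconsistent within one file. The enclosing `options:` mapping of this spec starts before the hunk.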
+++ b/roles/keycloak_quarkus/tasks/main.yml
@@ -70,6 +70,11 @@ loop: "{{ ansible_play_batch }}"
 when: keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING'
+
+- name: Determine the config files
+ ansible.builtin.set_fact:
+ keycloak_quarkus_config_files: "{{ ['keycloak.conf', 'quarkus.properties'] + (keycloak_quarkus_cache_managed_infinispan_config | ternary([keycloak_quarkus_cache_infinispan_template], [])) }}"
+
 - name: "Configure config files for keycloak service"
 ansible.builtin.template:
 src: "{{ item }}.j2"
@@ -78,10 +83,7 @@ group: "{{ keycloak.service_group }}"
 mode: '0640'
 become: true
- loop:
- - keycloak.conf
- - quarkus.properties
- - cache-ispn.xml
+ loop: "{{ keycloak_quarkus_config_files }}"
 notify:
 - rebuild keycloak config
 - restart keycloak
diff --git a/roles/keycloak_quarkus/templates/keycloak.conf.j2 b/roles/keycloak_quarkus/templates/keycloak.conf.j2
index 7642715..2cad17d 100644
--- a/roles/keycloak_quarkus/templates/keycloak.conf.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.conf.j2
@@ -66,6 +66,7 @@ cache-remote-host={{ keycloak_quarkus_cache_remote_host }}
 cache-remote-port={{ keycloak_quarkus_cache_remote_port }}
 cache-remote-tls-enabled={{ keycloak_quarkus_cache_remote_tls_enabled | lower }}
 {% endif %}
+{{ keycloak_quarkus_cache_embedded_properties }}
 {% endif %}
 {% if keycloak_quarkus_proxy_headers | length > 0 %}
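Review bot: The `ternary` in the new `set_fact` treats `keycloak_quarkus_cache_managed_infinispan_config` as a plain truthiness test, so an operator overriding it with a string such as `"false"` or `"no"` (the form `-e key=value` extra-vars arrive in) would still include the Infinispan template; casting first, `(keycloak_quarkus_cache_managed_infinispan_config | bool) | ternary([keycloak_quarkus_cache_infinispan_template], [])`, makes the flag behave as the `bool` the argument spec declares. The fact also relies on `keycloak_quarkus_cache_infinispan_template` being a template basename without its `.j2` suffix, because the template task below builds `src: "{{ item }}.j2"`; a comment above the fact, `# entries are template basenames; the .j2 suffix is added by the template task`, would spare the next reader that lookup. The task list continues outside the hunk.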
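Review bot: Switching the loop to `keycloak_quarkus_config_files` stops templating the Infinispan file once `keycloak_quarkus_cache_managed_infinispan_config` is false, but nothing removes a `cache-ispn.xml` written by an earlier run, so a host upgraded across 26.4 keeps the stale file in its conf directory; whether Keycloak still loads it depends on the `cache-config-file` handling in the rest of keycloak.conf.j2, which is outside this hunk. A follow-up `ansible.builtin.file` task with `state: absent` on that path, guarded by `when: not keycloak_quarkus_cache_managed_infinispan_config | bool`, would make the transition deterministic. The task's `dest` line sits above the hunk.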