internet/ansible-middleware.keycloak
3
0
Fork 0
mirror of https://github.com/ansible-middleware/keycloak.git synced 2026-05-06 13:23:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

SET-1341 Without ansible-core tag tests are failing in keycloak

Browse Source
This commit is contained in:
Ranabir Chakraborty
2026-04-28 19:09:10 +05:30
parent fb76736441
commit e5690d7513
54 changed files with 190 additions and 603 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
.github/workflows/ci.yml vendored
View File

@@ -15,16 +15,11 @@ on:
jobs:
ci:
uses: ./.github/workflows/cish-keycloak.yml
uses: ansible-middleware/github-actions/.github/workflows/ci.yml@rootperm
secrets: inherit
with:
fqcn: 'middleware_automation/keycloak'
root_permission_varname: 'keycloak_install_requires_become'
debug_verbosity: "${{ github.event.inputs.debug_verbosity }}"
molecule_tests: >-
[ "debian", "quarkus", "quarkus_ha", "quarkus_ha_remote", "quarkus_ha_26.4_below" ]
podman_tests_current: >-
[ "default", "quarkus_devmode", "quarkus_upgrade" ]
podman_tests_middle: >-
[ "default", "quarkus_devmode", "quarkus_upgrade" ]
podman_tests_next: >-
[ "default", "quarkus_devmode", "quarkus_upgrade" ]
[ "debian", "quarkus", "quarkus_ha", "quarkus_ha_remote", "quarkus_ha_26.4_below", "default", "quarkus_devmode", "quarkus_upgrade" ]

488
.github/workflows/cish-keycloak.yml vendored
View File

@@ -1,488 +0,0 @@
---
# Vendor of ansible-middleware/github-actions/.github/workflows/cish.yml (sync when CI workflow changes).
# Podman Molecule jobs: upstream uses self-hosted runners; forks and other repos use ubuntu-22.04 + podman.
# Cross-repo PRs (fork → upstream) are skipped here so untrusted code does not run on org runners with secrets.
name: CI
on:
workflow_call:
inputs:
fqcn:
required: true
type: string
molecule_tests:
required: false
type: string
podman_tests_current:
required: true
type: string
podman_tests_middle:
required: true
type: string
podman_tests_next:
required: true
type: string
sanity_includes:
required: false
type: string
default: "[]"
sanity_excludes:
required: false
type: string
default: "[]"
fail_fast:
required: false
type: boolean
default: false
debug_verbosity:
required: false
type: string
default: '0'
env:
COLORTERM: 'yes'
TERM: 'xterm-256color'
PYTEST_ADDOPTS: '--color=yes'
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
jobs:
linter:
runs-on: ubuntu-latest
strategy:
matrix:
python_version: ["3.12"]
ansible_version: ["2.18", "2.19", "2.20"]
steps:
- name: Check out code
uses: actions/checkout@v4
with:
path: ansible_collections/${{ inputs.fqcn }}
- name: Set up Python ${{ matrix.python_version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python_version }}
cache: 'pip'
- name: Create default collection path
run: |
mkdir -p /home/runner/.ansible/
ln -s ${{ github.workspace }} /home/runner/.ansible/collections
- name: Install yamllint, ansible and dependencies
uses: nick-fields/retry@v3
with:
timeout_minutes: 5
retry_wait_seconds: 60
max_attempts: 3
command: |
python -m pip install --upgrade pip
pip install yamllint ansible-core~=${{ matrix.ansible_version }} ansible-lint
if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.txt ]; then
pip install -r ansible_collections/${{ inputs.fqcn }}/requirements.txt
fi
if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.yml ]; then
ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/requirements.yml -p /home/runner/.ansible/collections --force-with-deps
fi
- name: Install ansible-lint custom rules
uses: actions/checkout@v4
with:
repository: ansible-middleware/ansible-lint-custom-rules
path: ansible-lint-custom-rules/
- name: Run linter
run: |
ansible-lint --version
ansible-lint -v
working-directory: ./ansible_collections/${{ inputs.fqcn }}
sanity:
runs-on: ubuntu-latest
strategy:
matrix:
python_version: ["3.12"]
ansible_version: ["stable-2.18", "stable-2.19", "stable-2.20"]
exclude: ${{ fromJSON(inputs.sanity_excludes) }}
include: ${{ fromJSON(inputs.sanity_includes) }}
steps:
- name: Check out code
uses: actions/checkout@v4
with:
path: ansible_collections/${{ inputs.fqcn }}
- name: Create default collection path
run: |
mkdir -p /home/runner/.ansible/
ln -s ${{ github.workspace }} /home/runner/.ansible/collections
- name: Set up Python ${{ matrix.python_version }}
uses: actions/setup-python@v5
if: matrix.python_version != '2.7'
with:
python-version: ${{ matrix.python_version }}
cache: "pip"
- name: Set up Python ${{ matrix.python_version }} virtualenv
if: matrix.python_version == '2.7'
run: |
sudo add-apt-repository universe
sudo apt update
sudo apt install -y python2
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
sudo python2 get-pip.py
sudo apt install -y virtualenv
virtualenv -p python2 /home/runner/virtualenv/2.11
source /home/runner/virtualenv/2.11/bin/activate
pip install ansible-core==2.11
- name: Install ansible-core ${{ matrix.ansible_version }}
run: |
wget https://github.com/ansible/ansible/archive/${{ matrix.ansible_version }}.tar.gz
pip install ${{ matrix.ansible_version }}.tar.gz --disable-pip-version-check
- name: Run sanity tests
run: |
python -V
ansible-test sanity -v --color --requirements --python ${{ matrix.python_version }} --exclude molecule/ --exclude docs/conf.py --exclude changelogs/fragments/.gitignore --skip-test symlinks
working-directory: ./ansible_collections/${{ inputs.fqcn }}
molecule:
runs-on: ubuntu-22.04
if: ${{ inputs.molecule_tests != '[]' && inputs.molecule_tests != '' }}
strategy:
matrix:
python_version: ["3.12"]
ansible_version: ["2.18", "2.19", "2.20"]
molecule_test: ${{ fromJSON(inputs.molecule_tests) }}
fail-fast: ${{ inputs.fail_fast }}
steps:
- name: Check out code
uses: actions/checkout@v4
with:
path: ansible_collections/${{ inputs.fqcn }}
- name: Set up Python ${{ matrix.python_version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python_version }}
cache: 'pip'
- name: Install ansible and molecule
uses: nick-fields/retry@v3
with:
timeout_minutes: 5
retry_wait_seconds: 60
max_attempts: 3
command: |
python -m pip install --upgrade pip
ansible_ver='${{ matrix.ansible_version }}'
ansible_next_ver="2.$((${ansible_ver#*.}+1))"
pip install --progress-bar off 'molecule>=24.2.0' 'molecule-plugins[docker]>=23.0.0' "ansible-core<${ansible_next_ver}"
if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.txt ]; then
echo "=== Installing python deps"
pip install --progress-bar off -r ansible_collections/${{ inputs.fqcn }}/requirements.txt
fi
if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.yml ]; then
echo "=== Installing dependencies"
ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/requirements.yml -p /home/runner/.ansible/collections --force-with-deps
fi
if [ -f ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml ]; then
echo "=== Installing test dependencies"
ansible-galaxy role install -r ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml ||:
ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml -p /home/runner/.ansible/collections
fi
exit 0
- name: Run molecule test
run: |
molecule --version
molecule test -s ${{ matrix.molecule_test }}
working-directory: ./ansible_collections/${{ inputs.fqcn }}
env:
ANSIBLE_VERBOSITY: ${{ inputs.debug_verbosity }}
PROD_JBOSSNETWORK_API_CLIENTID: '${{ secrets.PROD_JBOSSNETWORK_API_CLIENTID }}'
PROD_JBOSSNETWORK_API_SECRET: '${{ secrets.PROD_JBOSSNETWORK_API_SECRET }}'
STAGE_JBOSSNETWORK_API_CLIENTID: '${{ secrets.STAGE_JBOSSNETWORK_API_CLIENTID }}'
STAGE_JBOSSNETWORK_API_SECRET: '${{ secrets.STAGE_JBOSSNETWORK_API_SECRET }}'
molecule_current:
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name }}
runs-on: ${{ github.repository == 'ansible-middleware/keycloak' && 'molecule-2.18' || 'ubuntu-22.04' }}
strategy:
matrix:
python_version: ["3.12"]
molecule_test: ${{ fromJSON(inputs.podman_tests_current) }}
fail-fast: ${{ inputs.fail_fast }}
env:
PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && '10.88.0.1:3128' || '' }}
NO_PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && 'localhost,.redhat.com,.ansible.com' || '' }}
steps:
- name: Check out code
uses: actions/checkout@v4
with:
path: ansible_collections/${{ inputs.fqcn }}
- name: Set up Python ${{ matrix.python_version }}
if: ${{ github.repository != 'ansible-middleware/keycloak' }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python_version }}
cache: 'pip'
cache-dependency-path: ansible_collections/${{ inputs.fqcn }}/requirements.txt
- name: Ensure podman is available
run: |
if command -v podman &> /dev/null; then
echo "podman $(podman --version)"
exit 0
fi
echo "::warning::podman not found in PATH, attempting to install"
if command -v apt-get &> /dev/null; then
sudo apt-get update -y
sudo apt-get install -y podman
elif command -v dnf &> /dev/null; then
sudo dnf install -y podman
else
echo "::error::Unsupported package manager; install podman on the runner image."
exit 1
fi
echo "podman $(podman --version)"
- name: Use vfs storage for rootless podman (GitHub-hosted)
if: ${{ github.repository != 'ansible-middleware/keycloak' }}
run: |
mkdir -p "${HOME}/.config/containers"
printf '%s\n' '[storage]' 'driver = "vfs"' > "${HOME}/.config/containers/storage.conf"
- name: Initialize podman for current user
run: |
podman system migrate || true
podman info --format '{{.Host.Security.Rootless}}'
- name: Install ansible and molecule
uses: nick-fields/retry@v3
with:
timeout_minutes: 5
retry_wait_seconds: 60
max_attempts: 3
command: |
python3.12 -m pip install --upgrade pip
if [ "${{ github.repository }}" != "ansible-middleware/keycloak" ]; then
python3.12 -m pip install --progress-bar off \
'molecule>=24.2.0' 'molecule-plugins[podman]>=23.0.0' 'ansible-core~=2.18'
fi
if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.txt ]; then
echo "=== Installing python deps"
python3.12 -m pip install --progress-bar off -r ansible_collections/${{ inputs.fqcn }}/requirements.txt
fi
if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.yml ]; then
echo "=== Installing dependencies"
ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/requirements.yml -p /home/runner/.ansible/collections --force-with-deps
fi
if [ -f ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml ]; then
echo "=== Installing test dependencies"
ansible-galaxy role install -r ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml ||:
ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml -p /home/runner/.ansible/collections
fi
exit 0
- name: Run molecule test
run: |
molecule --version
molecule test -s ${{ matrix.molecule_test }}
working-directory: ./ansible_collections/${{ inputs.fqcn }}
env:
ANSIBLE_REMOTE_TMP: /tmp
ANSIBLE_VERBOSITY: ${{ inputs.debug_verbosity }}
PROD_JBOSSNETWORK_API_CLIENTID: '${{ secrets.PROD_JBOSSNETWORK_API_CLIENTID }}'
PROD_JBOSSNETWORK_API_SECRET: '${{ secrets.PROD_JBOSSNETWORK_API_SECRET }}'
STAGE_JBOSSNETWORK_API_CLIENTID: '${{ secrets.STAGE_JBOSSNETWORK_API_CLIENTID }}'
STAGE_JBOSSNETWORK_API_SECRET: '${{ secrets.STAGE_JBOSSNETWORK_API_SECRET }}'
molecule_middle:
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name }}
runs-on: ${{ github.repository == 'ansible-middleware/keycloak' && 'molecule-2.19' || 'ubuntu-22.04' }}
strategy:
matrix:
python_version: ["3.12"]
molecule_test: ${{ fromJSON(inputs.podman_tests_middle) }}
fail-fast: ${{ inputs.fail_fast }}
env:
PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && '10.88.0.1:3128' || '' }}
NO_PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && 'localhost,.redhat.com,.ansible.com' || '' }}
steps:
- name: Check out code
uses: actions/checkout@v4
with:
path: ansible_collections/${{ inputs.fqcn }}
- name: Set up Python ${{ matrix.python_version }}
if: ${{ github.repository != 'ansible-middleware/keycloak' }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python_version }}
cache: 'pip'
cache-dependency-path: ansible_collections/${{ inputs.fqcn }}/requirements.txt
- name: Ensure podman is available
run: |
if command -v podman &> /dev/null; then
echo "podman $(podman --version)"
exit 0
fi
echo "::warning::podman not found in PATH, attempting to install"
if command -v apt-get &> /dev/null; then
sudo apt-get update -y
sudo apt-get install -y podman
elif command -v dnf &> /dev/null; then
sudo dnf install -y podman
else
echo "::error::Unsupported package manager; install podman on the runner image."
exit 1
fi
echo "podman $(podman --version)"
- name: Use vfs storage for rootless podman (GitHub-hosted)
if: ${{ github.repository != 'ansible-middleware/keycloak' }}
run: |
mkdir -p "${HOME}/.config/containers"
printf '%s\n' '[storage]' 'driver = "vfs"' > "${HOME}/.config/containers/storage.conf"
- name: Initialize podman for current user
run: |
podman system migrate || true
podman info --format '{{.Host.Security.Rootless}}'
- name: Install dependencies
uses: nick-fields/retry@v3
with:
timeout_minutes: 5
retry_wait_seconds: 60
max_attempts: 3
command: |
python3.12 -m pip install --upgrade pip
if [ "${{ github.repository }}" != "ansible-middleware/keycloak" ]; then
python3.12 -m pip install --progress-bar off \
'molecule>=24.2.0' 'molecule-plugins[podman]>=23.0.0' 'ansible-core~=2.19'
fi
if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.txt ]; then
echo "=== Installing python deps"
python3.12 -m pip install --progress-bar off -r ansible_collections/${{ inputs.fqcn }}/requirements.txt
fi
if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.yml ]; then
echo "=== Installing dependencies"
ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/requirements.yml -p /home/runner/.ansible/collections --force-with-deps
fi
if [ -f ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml ]; then
echo "=== Installing test dependencies"
ansible-galaxy role install -r ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml ||:
ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml -p /home/runner/.ansible/collections
fi
exit 0
- name: Run molecule test
run: |
molecule --version
molecule test -s ${{ matrix.molecule_test }}
working-directory: ./ansible_collections/${{ inputs.fqcn }}
env:
ANSIBLE_REMOTE_TMP: /tmp
ANSIBLE_VERBOSITY: ${{ inputs.debug_verbosity }}
PROD_JBOSSNETWORK_API_CLIENTID: '${{ secrets.PROD_JBOSSNETWORK_API_CLIENTID }}'
PROD_JBOSSNETWORK_API_SECRET: '${{ secrets.PROD_JBOSSNETWORK_API_SECRET }}'
STAGE_JBOSSNETWORK_API_CLIENTID: '${{ secrets.STAGE_JBOSSNETWORK_API_CLIENTID }}'
STAGE_JBOSSNETWORK_API_SECRET: '${{ secrets.STAGE_JBOSSNETWORK_API_SECRET }}'
molecule_next:
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name }}
runs-on: ${{ github.repository == 'ansible-middleware/keycloak' && 'molecule-2.20' || 'ubuntu-22.04' }}
strategy:
matrix:
python_version: ["3.12"]
molecule_test: ${{ fromJSON(inputs.podman_tests_next) }}
fail-fast: ${{ inputs.fail_fast }}
env:
PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && '10.88.0.1:3128' || '' }}
NO_PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && 'localhost,.redhat.com,.ansible.com' || '' }}
steps:
- name: Check out code
uses: actions/checkout@v4
with:
path: ansible_collections/${{ inputs.fqcn }}
- name: Set up Python ${{ matrix.python_version }}
if: ${{ github.repository != 'ansible-middleware/keycloak' }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python_version }}
cache: 'pip'
cache-dependency-path: ansible_collections/${{ inputs.fqcn }}/requirements.txt
- name: Ensure podman is available
run: |
if command -v podman &> /dev/null; then
echo "podman $(podman --version)"
exit 0
fi
echo "::warning::podman not found in PATH, attempting to install"
if command -v apt-get &> /dev/null; then
sudo apt-get update -y
sudo apt-get install -y podman
elif command -v dnf &> /dev/null; then
sudo dnf install -y podman
else
echo "::error::Unsupported package manager; install podman on the runner image."
exit 1
fi
echo "podman $(podman --version)"
- name: Use vfs storage for rootless podman (GitHub-hosted)
if: ${{ github.repository != 'ansible-middleware/keycloak' }}
run: |
mkdir -p "${HOME}/.config/containers"
printf '%s\n' '[storage]' 'driver = "vfs"' > "${HOME}/.config/containers/storage.conf"
- name: Initialize podman for current user
run: |
podman system migrate || true
podman info --format '{{.Host.Security.Rootless}}'
- name: Install dependencies
uses: nick-fields/retry@v3
with:
timeout_minutes: 5
retry_wait_seconds: 60
max_attempts: 3
command: |
python3.12 -m pip install --upgrade pip
if [ "${{ github.repository }}" != "ansible-middleware/keycloak" ]; then
python3.12 -m pip install --progress-bar off \
'molecule>=24.2.0' 'molecule-plugins[podman]>=23.0.0' 'ansible-core~=2.20'
fi
if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.txt ]; then
echo "=== Installing python deps"
python3.12 -m pip install --progress-bar off -r ansible_collections/${{ inputs.fqcn }}/requirements.txt
fi
if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.yml ]; then
echo "=== Installing dependencies"
ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/requirements.yml -p /home/runner/.ansible/collections --force-with-deps
fi
if [ -f ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml ]; then
echo "=== Installing test dependencies"
ansible-galaxy role install -r ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml ||:
ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml -p /home/runner/.ansible/collections
fi
exit 0
- name: Run molecule test
run: |
molecule --version
molecule test -s ${{ matrix.molecule_test }}
working-directory: ./ansible_collections/${{ inputs.fqcn }}
env:
ANSIBLE_REMOTE_TMP: /tmp
ANSIBLE_VERBOSITY: ${{ inputs.debug_verbosity }}
PROD_JBOSSNETWORK_API_CLIENTID: '${{ secrets.PROD_JBOSSNETWORK_API_CLIENTID }}'
PROD_JBOSSNETWORK_API_SECRET: '${{ secrets.PROD_JBOSSNETWORK_API_SECRET }}'
STAGE_JBOSSNETWORK_API_CLIENTID: '${{ secrets.STAGE_JBOSSNETWORK_API_CLIENTID }}'
STAGE_JBOSSNETWORK_API_SECRET: '${{ secrets.STAGE_JBOSSNETWORK_API_SECRET }}'

2
molecule/debian/converge.yml
View File

@@ -1,6 +1,8 @@
---
- name: Converge
hosts: all
vars_files:
- ../group_vars/all/vars.yml
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"

2
molecule/debian/prepare.yml
View File

@@ -1,6 +1,8 @@
---
- name: Prepare
hosts: all
vars_files:
- ../group_vars/all/vars.yml
gather_facts: yes
tasks:
- name: Install sudo

2
molecule/default/converge.yml
View File

@@ -1,6 +1,8 @@
---
- name: Converge
hosts: all
vars_files:
- ../group_vars/all/vars.yml
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"

3
molecule/default/molecule.yml
View File

@@ -24,6 +24,9 @@ provisioner:
converge: converge.yml
verify: verify.yml
inventory:
group_vars:
all:
keycloak_install_requires_become: true
host_vars:
localhost:
ansible_python_interpreter: "{{ ansible_playbook_python }}"

2
molecule/default/prepare.yml
View File

@@ -1,6 +1,8 @@
---
- name: Prepare
hosts: all
vars_files:
- ../group_vars/all/vars.yml
gather_facts: yes
vars:
sudo_pkg_name: sudo

26
molecule/group_vars/all/vars.yml Normal file
View File

@@ -0,0 +1,26 @@
---
keycloak_quarkus_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_quarkus_systemd_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_quarkus_install_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_quarkus_firewalld_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_quarkus_iptables_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_quarkus_jdbc_driver_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_quarkus_config_store_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_quarkus_restart_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_quarkus_start_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_quarkus_rebuild_config_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_quarkus_fastpackages_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_quarkus_bootstrapped_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_quarkus_invalidate_theme_cache_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_systemd_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_install_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_firewalld_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_iptables_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_jdbc_driver_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_restart_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_start_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_stop_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_fastpackages_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
keycloak_rhsso_patch_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
molecule_prepare_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"

2
molecule/https_revproxy/converge.yml
View File

@@ -1,6 +1,8 @@
---
- name: Converge
hosts: all
vars_files:
- ../group_vars/all/vars.yml
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"

6
molecule/https_revproxy/prepare.yml
View File

@@ -1,6 +1,8 @@
---
- name: Prepare
hosts: all
vars_files:
- ../group_vars/all/vars.yml
tasks:
- name: Install sudo
ansible.builtin.dnf:
@@ -41,11 +43,11 @@
src: "{{ item.name }}"
dest: "{{ item.dest }}"
mode: 0444
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
loop:
- { name: 'cert.pem', dest: '/etc/nginx/tls/certificate.crt' }
- { name: 'key.pem', dest: '/etc/nginx/tls/certificate.key' }
- name: Update CA trust
ansible.builtin.command: update-ca-trust
changed_when: false
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"

2
molecule/overridexml/converge.yml
View File

@@ -1,6 +1,8 @@
---
- name: Converge
hosts: all
vars_files:
- ../group_vars/all/vars.yml
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_config_override_template: custom.xml.j2

2
molecule/overridexml/prepare.yml
View File

@@ -1,6 +1,8 @@
---
- name: Prepare
hosts: all
vars_files:
- ../group_vars/all/vars.yml
gather_facts: yes
vars:
sudo_pkg_name: sudo

3
molecule/prepare.yml
View File

@@ -25,11 +25,12 @@
fail_msg: "sudo is not installed on target system"
- name: "Install iproute"
become: true
ansible.builtin.yum:
name:
- iproute
state: present
when:
- ansible_user_id == 'root'
- name: "Retrieve assets server from env"
ansible.builtin.set_fact:

2
molecule/quarkus/converge.yml
View File

@@ -1,6 +1,8 @@
---
- name: Converge
hosts: all
vars_files:
- ../group_vars/all/vars.yml
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"

8
molecule/quarkus/prepare.yml
View File

@@ -1,6 +1,8 @@
---
- name: Prepare
hosts: all
vars_files:
- ../group_vars/all/vars.yml
tasks:
- name: "Display hera_home if defined."
ansible.builtin.set_fact:
@@ -17,7 +19,7 @@
changed_when: false
- name: Create vault directory
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
ansible.builtin.file:
state: directory
path: "/opt/keycloak/vault"
@@ -28,7 +30,7 @@
ansible.builtin.package:
name: java-21-openjdk-headless
state: present
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
failed_when: false
- name: Create vault keystore
@@ -41,7 +43,7 @@
failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
- name: Copy certificates and vault
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
ansible.builtin.copy:
src: keystore.p12
dest: /opt/keycloak/vault/keystore.p12

8
molecule/quarkus/verify.yml
View File

@@ -1,6 +1,8 @@
---
- name: Verify
hosts: all
vars_files:
- ../group_vars/all/vars.yml
vars:
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
@@ -56,7 +58,7 @@
fail_msg: "Service log symlink not correctly created"
- name: Check log file
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
ansible.builtin.stat:
path: /tmp/keycloak/keycloak.log
register: keycloak_log_file
@@ -68,7 +70,7 @@
- not keycloak_log_file.stat.isdir
- name: Check default log folder
become: yes
become: "{{ molecule_prepare_require_privilege_escalation }}"
ansible.builtin.stat:
path: /var/log/keycloak
register: keycloak_default_log_folder
@@ -80,7 +82,7 @@
- not keycloak_default_log_folder.stat.exists
- name: Verify vault SPI in logfile
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
ansible.builtin.shell: |
set -o pipefail
zgrep 'Configured KeystoreVaultProviderFactory with the keystore file' /opt/keycloak/keycloak-*/data/log/keycloak.log*zip

2
molecule/quarkus_devmode/converge.yml
View File

@@ -1,6 +1,8 @@
---
- name: Converge
hosts: all
vars_files:
- ../group_vars/all/vars.yml
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"

6
molecule/quarkus_devmode/prepare.yml
View File

@@ -1,6 +1,8 @@
---
- name: Prepare
hosts: all
vars_files:
- ../group_vars/all/vars.yml
tasks:
- name: Install sudo
ansible.builtin.apt:
@@ -15,7 +17,7 @@
ansible.builtin.include_tasks: ../prepare.yml
- name: Install JDK17
become: yes
become: "{{ molecule_prepare_require_privilege_escalation }}"
ansible.builtin.yum:
name:
- java-17-openjdk-headless
@@ -24,7 +26,7 @@
- ansible_facts.os_family == 'RedHat'
- name: Link default logs directory
become: yes
become: "{{ molecule_prepare_require_privilege_escalation }}"
ansible.builtin.file:
state: link
src: "{{ item }}"

2
molecule/quarkus_ha/converge.yml
View File

@@ -1,6 +1,8 @@
---
- name: Converge
hosts: keycloak
vars_files:
- ../group_vars/all/vars.yml
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"

8
molecule/quarkus_ha/prepare.yml
View File

@@ -1,6 +1,8 @@
---
- name: Prepare
hosts: keycloak
vars_files:
- ../group_vars/all/vars.yml
tasks:
- name: "Display hera_home if defined."
ansible.builtin.set_fact:
@@ -17,7 +19,7 @@
changed_when: False
- name: Create vault directory
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
ansible.builtin.file:
state: directory
path: "/opt/keycloak/vault"
@@ -28,7 +30,7 @@
ansible.builtin.package:
name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
state: present
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
failed_when: false
- name: Create vault keystore
@@ -39,7 +41,7 @@
failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
- name: Copy certificates and vault
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
ansible.builtin.copy:
src: keystore.p12
dest: /opt/keycloak/vault/keystore.p12

4
molecule/quarkus_ha/verify.yml
View File

@@ -1,6 +1,8 @@
---
- name: Verify
hosts: keycloak
vars_files:
- ../group_vars/all/vars.yml
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
@@ -17,7 +19,7 @@
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- name: Check log file
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
ansible.builtin.stat:
path: /var/log/keycloak/keycloak.log
register: keycloak_log_file

2
molecule/quarkus_ha_26.4_below/converge.yml
View File

@@ -1,6 +1,8 @@
---
- name: Converge
hosts: keycloak
vars_files:
- ../group_vars/all/vars.yml
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"

8
molecule/quarkus_ha_26.4_below/prepare.yml
View File

@@ -1,6 +1,8 @@
---
- name: Prepare
hosts: keycloak
vars_files:
- ../group_vars/all/vars.yml
tasks:
- name: "Display hera_home if defined."
ansible.builtin.set_fact:
@@ -17,7 +19,7 @@
changed_when: False
- name: Create vault directory
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
ansible.builtin.file:
state: directory
path: "/opt/keycloak/vault"
@@ -28,7 +30,7 @@
ansible.builtin.package:
name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
state: present
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
failed_when: false
- name: Create vault keystore
@@ -39,7 +41,7 @@
failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
- name: Copy certificates and vault
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
ansible.builtin.copy:
src: keystore.p12
dest: /opt/keycloak/vault/keystore.p12

4
molecule/quarkus_ha_26.4_below/verify.yml
View File

@@ -1,6 +1,8 @@
---
- name: Verify
hosts: keycloak
vars_files:
- ../group_vars/all/vars.yml
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
@@ -17,7 +19,7 @@
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- name: Check log file
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
ansible.builtin.stat:
path: /var/log/keycloak/keycloak.log
register: keycloak_log_file

6
molecule/quarkus_ha_remote/converge.yml
View File

@@ -1,6 +1,10 @@
---
- name: Converge
hosts: infinispan
vars_files:
- ../group_vars/all/vars.yml
vars:
ansible_become: "{{ keycloak_install_requires_become | default(true) }}"
roles:
- role: middleware_automation.infinispan.infinispan
infinispan_service_name: infinispan
@@ -18,6 +22,8 @@
- name: Converge
hosts: keycloak
vars_files:
- ../group_vars/all/vars.yml
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"

8
molecule/quarkus_ha_remote/prepare.yml
View File

@@ -1,6 +1,8 @@
---
- name: Prepare
hosts: 'keycloak:infinispan'
vars_files:
- ../group_vars/all/vars.yml
tasks:
- name: "Display hera_home if defined."
ansible.builtin.set_fact:
@@ -17,7 +19,7 @@
changed_when: False
- name: Create vault directory
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
ansible.builtin.file:
state: directory
path: "/opt/keycloak/vault"
@@ -28,7 +30,7 @@
ansible.builtin.package:
name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
state: present
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
failed_when: false
- name: Create vault keystore
@@ -41,7 +43,7 @@
failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
- name: Copy certificates and vault
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
ansible.builtin.copy:
src: keystore.p12
dest: /opt/keycloak/vault/keystore.p12

4
molecule/quarkus_ha_remote/verify.yml
View File

@@ -1,6 +1,8 @@
---
- name: Verify
hosts: keycloak
vars_files:
- ../group_vars/all/vars.yml
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
@@ -17,7 +19,7 @@
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- name: Check log file
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"
ansible.builtin.stat:
path: /var/log/keycloak/keycloak.log
register: keycloak_log_file

1
molecule/quarkus_upgrade/converge.yml
View File

@@ -2,6 +2,7 @@
- name: Converge
hosts: all
vars_files:
- ../group_vars/all/vars.yml
- vars.yml
vars:
keycloak_quarkus_show_deprecation_warnings: false

3
molecule/quarkus_upgrade/prepare.yml
View File

@@ -2,6 +2,7 @@
- name: Prepare
hosts: all
vars_files:
- ../group_vars/all/vars.yml
- vars.yml
vars:
sudo_pkg_name: sudo
@@ -55,4 +56,4 @@
ansible.builtin.file:
path: /etc/ansible/facts.d/keycloak.fact
state: absent
become: true
become: "{{ molecule_prepare_require_privilege_escalation }}"

4
roles/keycloak/tasks/fastpackages.yml
View File

@@ -13,7 +13,7 @@
when: ansible_facts.os_family == "RedHat"
- name: "Install packages: {{ packages_to_install }}"
become: true
become: "{{ keycloak_fastpackages_require_privilege_escalation }}"
ansible.builtin.dnf:
name: "{{ packages_to_install }}"
state: present
@@ -22,7 +22,7 @@
- ansible_facts.os_family == "RedHat"
- name: "Install packages: {{ packages_list }}"
become: true
become: "{{ keycloak_fastpackages_require_privilege_escalation }}"
ansible.builtin.package:
name: "{{ packages_list }}"
state: present

4
roles/keycloak/tasks/firewalld.yml
View File

@@ -6,14 +6,14 @@
- firewalld
- name: Enable and start the firewalld service
become: true
become: "{{ keycloak_firewalld_require_privilege_escalation }}"
ansible.builtin.systemd:
name: firewalld
enabled: true
state: started
- name: "Configure firewall ports for {{ keycloak.service_name }}"
become: true
become: "{{ keycloak_firewalld_require_privilege_escalation }}"
ansible.posix.firewalld:
port: "{{ item }}"
permanent: true

36
roles/keycloak/tasks/install.yml
View File

@@ -11,7 +11,7 @@
quiet: true
- name: Check for an existing deployment
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
ansible.builtin.stat:
path: "{{ keycloak_jboss_home }}"
register: existing_deploy
@@ -20,24 +20,24 @@
when: existing_deploy.stat.exists and keycloak_force_install | bool
block:
- name: "Stop the old {{ keycloak.service_name }} service"
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
failed_when: false
ansible.builtin.systemd:
name: keycloak
state: stopped
- name: "Remove the old {{ keycloak.service_name }} deployment"
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
ansible.builtin.file:
path: "{{ keycloak_jboss_home }}"
state: absent
- name: Check for an existing deployment after possible forced removal
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
ansible.builtin.stat:
path: "{{ keycloak_jboss_home }}"
- name: "Create service user/group for {{ keycloak.service_name }}"
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
ansible.builtin.user:
name: "{{ keycloak_service_user }}"
home: /opt/keycloak
@@ -45,7 +45,7 @@
create_home: false
- name: "Create install location for {{ keycloak.service_name }}"
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
ansible.builtin.file:
dest: "{{ keycloak_dest }}"
state: directory
@@ -54,7 +54,7 @@
mode: '0750'
- name: Create pidfile folder
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
ansible.builtin.file:
dest: "{{ keycloak_service_pidfile | dirname }}"
state: directory
@@ -68,7 +68,7 @@
archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"
- name: Check download archive path
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
ansible.builtin.stat:
path: "{{ archive }}"
register: archive_path
@@ -168,13 +168,13 @@
- not archive_path.stat.exists
- local_archive_path.stat is defined
- local_archive_path.stat.exists
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
- name: "Check target directory: {{ keycloak.home }}"
ansible.builtin.stat:
path: "{{ keycloak.home }}"
register: path_to_workdir
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
- name: "Extract {{ keycloak_service_desc }} archive on target"
ansible.builtin.unarchive:
@@ -184,7 +184,7 @@
creates: "{{ keycloak.home }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
when:
- new_version_downloaded.changed or not path_to_workdir.stat.exists
notify:
@@ -202,13 +202,13 @@
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
recurse: true
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
changed_when: false
- name: Ensure permissions are correct on existing deploy
ansible.builtin.command: chown -R "{{ keycloak_service_user }}:{{ keycloak_service_group }}" "{{ keycloak.home }}"
when: keycloak_service_runas
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
changed_when: false
# driver and configuration
@@ -217,7 +217,7 @@
when: keycloak_jdbc[keycloak_jdbc_engine].enabled
- name: "Deploy custom {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak_config_override_template }}"
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
ansible.builtin.template:
src: "templates/{{ keycloak_config_override_template }}"
dest: "{{ keycloak_config_path_to_standalone_xml }}"
@@ -229,7 +229,7 @@
when: keycloak_config_override_template | length > 0
- name: "Deploy standalone {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
ansible.builtin.template:
src: templates/standalone.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}"
@@ -257,7 +257,7 @@
when: keycloak_ha_enabled and keycloak_ha_discovery == 'TCPPING'
- name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
ansible.builtin.template:
src: templates/standalone-ha.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}"
@@ -272,7 +272,7 @@
- keycloak_config_override_template | length == 0
- name: "Deploy HA {{ keycloak.service_name }} config with infinispan remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
ansible.builtin.template:
src: templates/standalone-infinispan.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}"
@@ -287,7 +287,7 @@
- keycloak_config_override_template | length == 0
- name: "Deploy profile.properties file to {{ keycloak_config_path_to_properties }}"
become: true
become: "{{ keycloak_install_require_privilege_escalation }}"
ansible.builtin.template:
src: keycloak-profile.properties.j2
dest: "{{ keycloak_config_path_to_properties }}"

2
roles/keycloak/tasks/iptables.yml
View File

@@ -6,7 +6,7 @@
- iptables
- name: "Configure firewall ports for {{ keycloak.service_name }}"
become: true
become: "{{ keycloak_iptables_require_privilege_escalation }}"
ansible.builtin.iptables:
destination_port: "{{ item }}"
action: "insert"

8
roles/keycloak/tasks/jdbc_driver.yml
View File

@@ -3,7 +3,7 @@
ansible.builtin.stat:
path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
register: dest_path
become: true
become: "{{ keycloak_jdbc_driver_require_privilege_escalation }}"
- name: "Set up module dir for JDBC Driver {{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}"
ansible.builtin.file:
@@ -13,7 +13,7 @@
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: '0750'
become: true
become: "{{ keycloak_jdbc_driver_require_privilege_escalation }}"
when:
- not dest_path.stat.exists
- name: "Verify valid parameters for download credentials when specified"
@@ -34,7 +34,7 @@
url_password: "{{ keycloak_jdbc_download_pass | default(omit) }}"
validate_certs: "{{ keycloak_jdbc_download_validate_certs | default(omit) }}"
mode: '0640'
become: true
become: "{{ keycloak_jdbc_driver_require_privilege_escalation }}"
- name: "Deploy module.xml for JDBC Driver"
ansible.builtin.template:
@@ -43,4 +43,4 @@
group: "{{ keycloak_service_group }}"
owner: "{{ keycloak_service_user }}"
mode: '0640'
become: true
become: "{{ keycloak_jdbc_driver_require_privilege_escalation }}"

4
roles/keycloak/tasks/main.yml
View File

@@ -51,7 +51,7 @@
state: link
src: "{{ keycloak_jboss_home }}/standalone/log"
dest: "{{ keycloak_log_target }}"
become: true
become: "{{ keycloak_require_privilege_escalation }}"
- name: Set admin credentials and restart if not already created
block:
@@ -75,7 +75,7 @@
- "-u{{ keycloak_admin_user }}"
- "-p{{ keycloak_admin_password }}"
changed_when: true
become: true
become: "{{ keycloak_require_privilege_escalation }}"
- name: "Restart {{ keycloak.service_name }}"
ansible.builtin.include_tasks: tasks/restart_keycloak.yml
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"

4
roles/keycloak/tasks/restart_keycloak.yml
View File

@@ -5,7 +5,7 @@
enabled: true
state: restarted
daemon_reload: true
become: true
become: "{{ keycloak_restart_require_privilege_escalation }}"
delegate_to: "{{ ansible_play_hosts | first }}"
run_once: true
@@ -24,5 +24,5 @@
name: keycloak
enabled: true
state: restarted
become: true
become: "{{ keycloak_restart_require_privilege_escalation }}"
when: inventory_hostname != ansible_play_hosts | first

14
roles/keycloak/tasks/rhsso_patch.yml
View File

@@ -12,7 +12,7 @@
path: "{{ patch_archive }}"
register: patch_archive_path
when: sso_patch_version is defined
become: true
become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}"
- name: Perform patch download from RHN via JBossNetwork API
delegate_to: localhost
@@ -86,7 +86,7 @@
ansible.builtin.stat:
path: "{{ patch_archive }}"
register: patch_archive_path
become: true
become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}"
## copy and unpack
- name: Copy patch archive to target nodes
@@ -101,7 +101,7 @@
- not patch_archive_path.stat.exists
- local_archive_path.stat is defined
- local_archive_path.stat.exists
become: true
become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}"
- name: "Check installed patches"
ansible.builtin.include_tasks: rhsso_cli.yml
@@ -109,7 +109,7 @@
cli_query: "patch info"
args:
apply:
become: true
become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}"
become_user: "{{ keycloak_service_user }}"
- name: "Perform patching"
@@ -124,7 +124,7 @@
cli_query: "patch apply {{ patch_archive }}"
args:
apply:
become: true
become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}"
become_user: "{{ keycloak_service_user }}"
- name: "Restart server to ensure patch content is running"
@@ -135,7 +135,7 @@
- cli_result.rc == 0
args:
apply:
become: true
become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}"
become_user: "{{ keycloak_service_user }}"
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
@@ -152,7 +152,7 @@
cli_query: "patch info"
args:
apply:
become: true
become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}"
become_user: "{{ keycloak_service_user }}"
- name: "Verify installed patch version"

2
roles/keycloak/tasks/start_keycloak.yml
View File

@@ -5,7 +5,7 @@
enabled: true
state: started
daemon_reload: true
become: true
become: "{{ keycloak_start_require_privilege_escalation }}"
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:

2
roles/keycloak/tasks/stop_keycloak.yml
View File

@@ -4,4 +4,4 @@
name: keycloak
enabled: true
state: stopped
become: true
become: "{{ keycloak_stop_require_privilege_escalation }}"

6
roles/keycloak/tasks/systemd.yml
View File

@@ -1,6 +1,6 @@
---
- name: "Configure {{ keycloak.service_name }} service script wrapper"
become: true
become: "{{ keycloak_systemd_require_privilege_escalation }}"
ansible.builtin.template:
src: keycloak-service.sh.j2
dest: "{{ keycloak_dest }}/keycloak-service.sh"
@@ -11,7 +11,7 @@
- restart keycloak
- name: "Configure sysconfig file for {{ keycloak.service_name }} service"
become: true
become: "{{ keycloak_systemd_require_privilege_escalation }}"
ansible.builtin.template:
src: keycloak-sysconfig.j2
dest: "{{ keycloak_sysconf_file }}"
@@ -28,7 +28,7 @@
owner: root
group: root
mode: '0644'
become: true
become: "{{ keycloak_systemd_require_privilege_escalation }}"
register: systemdunit
notify:
- restart keycloak

2
roles/keycloak_quarkus/tasks/bootstrapped.yml
View File

@@ -1,6 +1,6 @@
---
- name: Save ansible custom facts
become: true
become: "{{ keycloak_quarkus_bootstrapped_require_privilege_escalation }}"
ansible.builtin.template:
src: keycloak.fact.j2
dest: /etc/ansible/facts.d/keycloak.fact

6
roles/keycloak_quarkus/tasks/config_store.yml
View File

@@ -6,7 +6,7 @@
value: "{{ keycloak_quarkus_db_pass }}"
- name: "Initialize empty configuration key store"
become: true
become: "{{ keycloak_quarkus_config_store_require_privilege_escalation }}"
# keytool doesn't allow creating an empty key store, so this is a hacky way around it
ansible.builtin.shell: | # noqa blocked_modules shell is necessary here
set -o nounset # abort on unbound variable
@@ -38,7 +38,7 @@
echo {{ item.value | quote }} | keytool -noprompt -importpass -alias {{ item.key | quote }} -keystore {{ keycloak_quarkus_config_key_store_file | quote }} -storepass {{ keycloak_quarkus_config_key_store_password | quote }} -storetype PKCS12
loop: "{{ store_items }}"
no_log: true
become: true
become: "{{ keycloak_quarkus_config_store_require_privilege_escalation }}"
changed_when: true
notify:
- restart keycloak
@@ -49,4 +49,4 @@
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0400'
become: true
become: "{{ keycloak_quarkus_config_store_require_privilege_escalation }}"

4
roles/keycloak_quarkus/tasks/fastpackages.yml
View File

@@ -13,7 +13,7 @@
when: ansible_facts.os_family == "RedHat"
- name: "Install packages: {{ packages_to_install }}"
become: true
become: "{{ keycloak_quarkus_fastpackages_require_privilege_escalation }}"
ansible.builtin.dnf:
name: "{{ packages_to_install }}"
state: present
@@ -22,7 +22,7 @@
- ansible_facts.os_family == "RedHat"
- name: "Install packages: {{ packages_list }}"
become: true
become: "{{ keycloak_quarkus_fastpackages_require_privilege_escalation }}"
ansible.builtin.package:
name: "{{ packages_list }}"
state: present

6
roles/keycloak_quarkus/tasks/firewalld.yml
View File

@@ -6,14 +6,14 @@
- firewalld
- name: Enable and start the firewalld service
become: true
become: "{{ keycloak_quarkus_firewalld_require_privilege_escalation }}"
ansible.builtin.systemd:
name: firewalld
enabled: true
state: started
- name: "Configure firewall for {{ keycloak.service_name }} http port"
become: true
become: "{{ keycloak_quarkus_firewalld_require_privilege_escalation }}"
ansible.posix.firewalld:
port: "{{ item }}"
permanent: true
@@ -24,7 +24,7 @@
when: keycloak_quarkus_http_enabled | bool
- name: "Configure firewall for {{ keycloak.service_name }} ports"
become: true
become: "{{ keycloak_quarkus_firewalld_require_privilege_escalation }}"
ansible.posix.firewalld:
port: "{{ item }}"
permanent: true

36
roles/keycloak_quarkus/tasks/install.yml
View File

@@ -12,7 +12,7 @@
quiet: true
- name: Check for an existing deployment
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
ansible.builtin.stat:
path: "{{ keycloak.home }}"
register: existing_deploy
@@ -21,25 +21,25 @@
when: existing_deploy.stat.exists and keycloak_quarkus_force_install | bool
block:
- name: "Stop the old {{ keycloak.service_name }} service"
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
failed_when: false
ansible.builtin.systemd:
name: keycloak
state: stopped
- name: "Remove the old {{ keycloak.service_name }} deployment"
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
ansible.builtin.file:
path: "{{ keycloak_quarkus_home }}"
state: absent
- name: Check for an existing deployment after possible forced removal
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
ansible.builtin.stat:
path: "{{ keycloak_quarkus_home }}"
register: existing_deploy
- name: "Create {{ keycloak.service_name }} service user/group"
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
ansible.builtin.user:
name: "{{ keycloak.service_user }}"
home: /opt/keycloak
@@ -47,7 +47,7 @@
create_home: false
- name: "Create {{ keycloak.service_name }} install location"
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
ansible.builtin.file:
dest: "{{ keycloak_quarkus_dest }}"
state: directory
@@ -56,7 +56,7 @@
mode: '0750'
- name: Create directory for ansible custom facts
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
ansible.builtin.file:
state: directory
recurse: true
@@ -68,7 +68,7 @@
archive: "{{ keycloak_quarkus_dest }}/{{ keycloak.bundle }}"
- name: Check download archive path
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
ansible.builtin.stat:
path: "{{ archive }}"
register: archive_path
@@ -172,13 +172,13 @@
- not archive_path.stat.exists
- local_archive_path.stat is defined
- local_archive_path.stat.exists
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
- name: "Check target directory: {{ keycloak.home }}/bin/"
ansible.builtin.stat:
path: "{{ keycloak.home }}/bin/"
register: path_to_workdir
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
- name: "Extract Keycloak archive on target" # noqa no-handler need to run this here
ansible.builtin.unarchive:
@@ -188,7 +188,7 @@
creates: "{{ keycloak.home }}/bin/"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
when:
- (not path_to_workdir.stat.exists) or new_version_downloaded.changed
notify:
@@ -207,7 +207,7 @@
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0640'
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
when:
- keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
- keycloak_quarkus_key_file_copy_enabled is defined and keycloak_quarkus_key_file_copy_enabled
@@ -220,7 +220,7 @@
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0644'
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
when:
- keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
- keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled
@@ -240,7 +240,7 @@
group: "{{ keycloak.service_group }}"
mode: '0640'
checksum: "{{ item.checksum | default(omit) }}"
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
loop: "{{ keycloak_quarkus_providers }}"
when: item.url is defined and item.url | length > 0
notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}"
@@ -269,7 +269,7 @@
group: "{{ keycloak.service_group }}"
mode: '0640'
checksum: "{{ item.checksum | default(omit) }}"
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
loop: "{{ keycloak_quarkus_providers }}"
when: item.maven is defined
no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}"
@@ -283,7 +283,7 @@
group: "{{ keycloak.service_group }}"
mode: '0640'
remote_src: "{{ item.remote | default(false) }}"
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
loop: "{{ keycloak_quarkus_providers }}"
when: item.local_path is defined
notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}"
@@ -295,7 +295,7 @@
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0750'
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
loop: "{{ keycloak_quarkus_supported_policy_types }}"
- name: "Install custom policies"
@@ -305,7 +305,7 @@
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0640'
become: true
become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
loop: "{{ keycloak_quarkus_policies }}"
when: item.url is defined and item.url | length > 0
notify: "restart keycloak"

2
roles/keycloak_quarkus/tasks/invalidate_theme_cache.yml
View File

@@ -8,4 +8,4 @@
ansible.builtin.file:
path: "{{ keycloak.home }}/data/tmp/kc-gzip-cache"
state: absent
become: true
become: "{{ keycloak_quarkus_invalidate_theme_cache_require_privilege_escalation }}"

2
roles/keycloak_quarkus/tasks/iptables.yml
View File

@@ -6,7 +6,7 @@
- iptables
- name: "Configure firewall ports for {{ keycloak.service_name }}"
become: true
become: "{{ keycloak_quarkus_iptables_require_privilege_escalation }}"
ansible.builtin.iptables:
destination_port: "{{ item }}"
action: "insert"

2
roles/keycloak_quarkus/tasks/jdbc_driver.yml
View File

@@ -17,6 +17,6 @@
url_password: "{{ keycloak_quarkus_jdbc_download_pass | default(omit) }}"
validate_certs: "{{ keycloak_quarkus_jdbc_download_validate_certs | default(omit) }}"
mode: '0640'
become: true
become: "{{ keycloak_quarkus_jdbc_driver_require_privilege_escalation }}"
notify:
- restart keycloak

8
roles/keycloak_quarkus/tasks/main.yml
View File

@@ -82,7 +82,7 @@
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0640'
become: true
become: "{{ keycloak_quarkus_require_privilege_escalation }}"
loop: "{{ keycloak_quarkus_config_files }}"
notify:
- rebuild keycloak config
@@ -95,7 +95,7 @@
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0775'
become: true
become: "{{ keycloak_quarkus_require_privilege_escalation }}"
- name: Ensure tmp-directory exists
ansible.builtin.file:
@@ -104,7 +104,7 @@
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0755'
become: true
become: "{{ keycloak_quarkus_require_privilege_escalation }}"
- name: Flush pending handlers
ansible.builtin.meta: flush_handlers
@@ -118,7 +118,7 @@
src: "{{ keycloak.log.file | dirname }}"
dest: "{{ keycloak_quarkus_log_target }}"
force: true
become: true
become: "{{ keycloak_quarkus_require_privilege_escalation }}"
- name: Check service status
ansible.builtin.systemd_service:

2
roles/keycloak_quarkus/tasks/rebuild_config.yml
View File

@@ -3,5 +3,5 @@
- name: "Rebuild {{ keycloak.service_name }} config"
ansible.builtin.shell: | # noqa blocked_modules shell is necessary here
env -i bash -c "set -a ; source {{ keycloak_quarkus_sysconf_file }} ; {{ keycloak.home }}/bin/kc.sh build "
become: true
become: "{{ keycloak_quarkus_rebuild_config_require_privilege_escalation }}"
changed_when: true

2
roles/keycloak_quarkus/tasks/restart.yml
View File

@@ -5,7 +5,7 @@
enabled: true
state: restarted
daemon_reload: true
become: true
become: "{{ keycloak_quarkus_restart_require_privilege_escalation }}"
- name: "Wait until {{ keycloak.service_name }} service becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:

2
roles/keycloak_quarkus/tasks/restart/serial_then_parallel.yml
View File

@@ -16,5 +16,5 @@
enabled: true
state: restarted
daemon_reload: true
become: true
become: "{{ keycloak_quarkus_restart_require_privilege_escalation }}"
when: inventory_hostname != ansible_play_hosts | first

2
roles/keycloak_quarkus/tasks/start.yml
View File

@@ -5,7 +5,7 @@
enabled: true
state: started
daemon_reload: true
become: true
become: "{{ keycloak_quarkus_start_require_privilege_escalation }}"
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:

4
roles/keycloak_quarkus/tasks/systemd.yml
View File

@@ -1,6 +1,6 @@
---
- name: "Configure sysconfig file for {{ keycloak.service_name }} service"
become: true
become: "{{ keycloak_quarkus_systemd_require_privilege_escalation }}"
ansible.builtin.template:
src: keycloak-sysconfig.j2
dest: "{{ keycloak_quarkus_sysconf_file }}"
@@ -20,7 +20,7 @@
owner: root
group: root
mode: '0644'
become: true
become: "{{ keycloak_quarkus_systemd_require_privilege_escalation }}"
register: systemdunit
notify:
- rebuild keycloak config