diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 41fba0d..39a5bd1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,16 +15,11 @@ on:
 jobs:
 ci:
- uses: ./.github/workflows/cish-keycloak.yml
+ uses: ansible-middleware/github-actions/.github/workflows/ci.yml@rootperm
 secrets: inherit
 with:
 fqcn: 'middleware_automation/keycloak'
+ root_permission_varname: 'keycloak_install_requires_become'
 debug_verbosity: "${{ github.event.inputs.debug_verbosity }}"
 molecule_tests: >-
- [ "debian", "quarkus", "quarkus_ha", "quarkus_ha_remote", "quarkus_ha_26.4_below" ]
- podman_tests_current: >-
- [ "default", "quarkus_devmode", "quarkus_upgrade" ]
- podman_tests_middle: >-
- [ "default", "quarkus_devmode", "quarkus_upgrade" ]
- podman_tests_next: >-
- [ "default", "quarkus_devmode", "quarkus_upgrade" ]
+ [ "debian", "quarkus", "quarkus_ha", "quarkus_ha_remote", "quarkus_ha_26.4_below", "default", "quarkus_devmode", "quarkus_upgrade" ]
diff --git a/.github/workflows/cish-keycloak.yml b/.github/workflows/cish-keycloak.yml
deleted file mode 100644
index c53180f..0000000
--- a/.github/workflows/cish-keycloak.yml
+++ /dev/null
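Review bot: The new `uses:` line points the reusable workflow at a mutable branch ref (`@rootperm`) while `secrets: inherit` hands it every repository and organisation secret, so anyone who can push to that branch in the other repository changes what runs with those secrets; pin to a release tag or a full commit SHA once the upstream change lands, e.g. `uses: ansible-middleware/github-actions/.github/workflows/ci.yml@<commit-sha>`. The vendored copy deleted below carried an explicit fork-PR guard (its header comment says cross-repo PRs are skipped so untrusted code does not run on org runners with secrets); whether the upstream `ci.yml` applies the equivalent `if:` to its self-hosted podman jobs is not visible in this diff and should be confirmed before merging. The three former `podman_tests_*` scenarios (`default`, `quarkus_devmode`, `quarkus_upgrade`) are now appended to `molecule_tests`; presumably the upstream workflow chooses the runner per scenario, but if it runs the whole list on the docker-based `molecule` job those scenarios lose their podman coverage.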
@@ -1,488 +0,0 @@ ---- -# Vendor of ansible-middleware/github-actions/.github/workflows/cish.yml (sync when CI workflow changes). -# Podman Molecule jobs: upstream uses self-hosted runners; forks and other repos use ubuntu-22.04 + podman. -# Cross-repo PRs (fork → upstream) are skipped here so untrusted code does not run on org runners with secrets. -name: CI -on: - workflow_call: - inputs: - fqcn: - required: true - type: string - molecule_tests: - required: false - type: string - podman_tests_current: - required: true - type: string - podman_tests_middle: - required: true - type: string - podman_tests_next: - required: true - type: string - sanity_includes: - required: false - type: string - default: "[]" - sanity_excludes: - required: false - type: string - default: "[]" - fail_fast: - required: false - type: boolean - default: false - debug_verbosity: - required: false - type: string - default: '0' -env: - COLORTERM: 'yes' - TERM: 'xterm-256color' - PYTEST_ADDOPTS: '--color=yes' - PY_COLORS: '1' - ANSIBLE_FORCE_COLOR: '1' - -jobs: - linter: - runs-on: ubuntu-latest - strategy: - matrix: - python_version: ["3.12"] - ansible_version: ["2.18", "2.19", "2.20"] - steps: - - name: Check out code - uses: actions/checkout@v4 - with: - path: ansible_collections/${{ inputs.fqcn }} - - - name: Set up Python ${{ matrix.python_version }} - uses: actions/setup-python@v5 - with: - python-version: ${{ matrix.python_version }} - cache: 'pip' - - - name: Create default collection path - run: | - mkdir -p /home/runner/.ansible/ - ln -s ${{ github.workspace }} /home/runner/.ansible/collections - - - name: Install yamllint, ansible and dependencies - uses: nick-fields/retry@v3 - with: - timeout_minutes: 5 - retry_wait_seconds: 60 - max_attempts: 3 - command: | - python -m pip install --upgrade pip - pip install yamllint ansible-core~=${{ matrix.ansible_version }} ansible-lint - if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.txt ]; then - pip install -r 
ansible_collections/${{ inputs.fqcn }}/requirements.txt - fi - if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.yml ]; then - ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/requirements.yml -p /home/runner/.ansible/collections --force-with-deps - fi - - - name: Install ansible-lint custom rules - uses: actions/checkout@v4 - with: - repository: ansible-middleware/ansible-lint-custom-rules - path: ansible-lint-custom-rules/ - - - name: Run linter - run: | - ansible-lint --version - ansible-lint -v - working-directory: ./ansible_collections/${{ inputs.fqcn }} - - sanity: - runs-on: ubuntu-latest - strategy: - matrix: - python_version: ["3.12"] - ansible_version: ["stable-2.18", "stable-2.19", "stable-2.20"] - exclude: ${{ fromJSON(inputs.sanity_excludes) }} - include: ${{ fromJSON(inputs.sanity_includes) }} - steps: - - name: Check out code - uses: actions/checkout@v4 - with: - path: ansible_collections/${{ inputs.fqcn }} - - - name: Create default collection path - run: | - mkdir -p /home/runner/.ansible/ - ln -s ${{ github.workspace }} /home/runner/.ansible/collections - - - name: Set up Python ${{ matrix.python_version }} - uses: actions/setup-python@v5 - if: matrix.python_version != '2.7' - with: - python-version: ${{ matrix.python_version }} - cache: "pip" - - - name: Set up Python ${{ matrix.python_version }} virtualenv - if: matrix.python_version == '2.7' - run: | - sudo add-apt-repository universe - sudo apt update - sudo apt install -y python2 - curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py - sudo python2 get-pip.py - sudo apt install -y virtualenv - virtualenv -p python2 /home/runner/virtualenv/2.11 - source /home/runner/virtualenv/2.11/bin/activate - pip install ansible-core==2.11 - - - name: Install ansible-core ${{ matrix.ansible_version }} - run: | - wget https://github.com/ansible/ansible/archive/${{ matrix.ansible_version }}.tar.gz - pip install ${{ matrix.ansible_version }}.tar.gz 
--disable-pip-version-check - - - name: Run sanity tests - run: | - python -V - ansible-test sanity -v --color --requirements --python ${{ matrix.python_version }} --exclude molecule/ --exclude docs/conf.py --exclude changelogs/fragments/.gitignore --skip-test symlinks - working-directory: ./ansible_collections/${{ inputs.fqcn }} - - molecule: - runs-on: ubuntu-22.04 - if: ${{ inputs.molecule_tests != '[]' && inputs.molecule_tests != '' }} - strategy: - matrix: - python_version: ["3.12"] - ansible_version: ["2.18", "2.19", "2.20"] - molecule_test: ${{ fromJSON(inputs.molecule_tests) }} - fail-fast: ${{ inputs.fail_fast }} - steps: - - name: Check out code - uses: actions/checkout@v4 - with: - path: ansible_collections/${{ inputs.fqcn }} - - - name: Set up Python ${{ matrix.python_version }} - uses: actions/setup-python@v5 - with: - python-version: ${{ matrix.python_version }} - cache: 'pip' - - - name: Install ansible and molecule - uses: nick-fields/retry@v3 - with: - timeout_minutes: 5 - retry_wait_seconds: 60 - max_attempts: 3 - command: | - python -m pip install --upgrade pip - ansible_ver='${{ matrix.ansible_version }}' - ansible_next_ver="2.$((${ansible_ver#*.}+1))" - pip install --progress-bar off 'molecule>=24.2.0' 'molecule-plugins[docker]>=23.0.0' "ansible-core<${ansible_next_ver}" - if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.txt ]; then - echo "=== Installing python deps" - pip install --progress-bar off -r ansible_collections/${{ inputs.fqcn }}/requirements.txt - fi - if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.yml ]; then - echo "=== Installing dependencies" - ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/requirements.yml -p /home/runner/.ansible/collections --force-with-deps - fi - if [ -f ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml ]; then - echo "=== Installing test dependencies" - ansible-galaxy role install -r ansible_collections/${{ inputs.fqcn 
}}/molecule/requirements.yml ||: - ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml -p /home/runner/.ansible/collections - fi - exit 0 - - - name: Run molecule test - run: | - molecule --version - molecule test -s ${{ matrix.molecule_test }} - working-directory: ./ansible_collections/${{ inputs.fqcn }} - env: - ANSIBLE_VERBOSITY: ${{ inputs.debug_verbosity }} - PROD_JBOSSNETWORK_API_CLIENTID: '${{ secrets.PROD_JBOSSNETWORK_API_CLIENTID }}' - PROD_JBOSSNETWORK_API_SECRET: '${{ secrets.PROD_JBOSSNETWORK_API_SECRET }}' - STAGE_JBOSSNETWORK_API_CLIENTID: '${{ secrets.STAGE_JBOSSNETWORK_API_CLIENTID }}' - STAGE_JBOSSNETWORK_API_SECRET: '${{ secrets.STAGE_JBOSSNETWORK_API_SECRET }}' - - molecule_current: - if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name }} - runs-on: ${{ github.repository == 'ansible-middleware/keycloak' && 'molecule-2.18' || 'ubuntu-22.04' }} - strategy: - matrix: - python_version: ["3.12"] - molecule_test: ${{ fromJSON(inputs.podman_tests_current) }} - fail-fast: ${{ inputs.fail_fast }} - env: - PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && '10.88.0.1:3128' || '' }} - NO_PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && 'localhost,.redhat.com,.ansible.com' || '' }} - steps: - - name: Check out code - uses: actions/checkout@v4 - with: - path: ansible_collections/${{ inputs.fqcn }} - - - name: Set up Python ${{ matrix.python_version }} - if: ${{ github.repository != 'ansible-middleware/keycloak' }} - uses: actions/setup-python@v5 - with: - python-version: ${{ matrix.python_version }} - cache: 'pip' - cache-dependency-path: ansible_collections/${{ inputs.fqcn }}/requirements.txt - - - name: Ensure podman is available - run: | - if command -v podman &> /dev/null; then - echo "podman $(podman --version)" - exit 0 - fi - echo "::warning::podman not found in PATH, attempting to 
install" - if command -v apt-get &> /dev/null; then - sudo apt-get update -y - sudo apt-get install -y podman - elif command -v dnf &> /dev/null; then - sudo dnf install -y podman - else - echo "::error::Unsupported package manager; install podman on the runner image." - exit 1 - fi - echo "podman $(podman --version)" - - - name: Use vfs storage for rootless podman (GitHub-hosted) - if: ${{ github.repository != 'ansible-middleware/keycloak' }} - run: | - mkdir -p "${HOME}/.config/containers" - printf '%s\n' '[storage]' 'driver = "vfs"' > "${HOME}/.config/containers/storage.conf" - - - name: Initialize podman for current user - run: | - podman system migrate || true - podman info --format '{{.Host.Security.Rootless}}' - - - name: Install ansible and molecule - uses: nick-fields/retry@v3 - with: - timeout_minutes: 5 - retry_wait_seconds: 60 - max_attempts: 3 - command: | - python3.12 -m pip install --upgrade pip - if [ "${{ github.repository }}" != "ansible-middleware/keycloak" ]; then - python3.12 -m pip install --progress-bar off \ - 'molecule>=24.2.0' 'molecule-plugins[podman]>=23.0.0' 'ansible-core~=2.18' - fi - if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.txt ]; then - echo "=== Installing python deps" - python3.12 -m pip install --progress-bar off -r ansible_collections/${{ inputs.fqcn }}/requirements.txt - fi - if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.yml ]; then - echo "=== Installing dependencies" - ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/requirements.yml -p /home/runner/.ansible/collections --force-with-deps - fi - if [ -f ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml ]; then - echo "=== Installing test dependencies" - ansible-galaxy role install -r ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml ||: - ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml -p /home/runner/.ansible/collections - fi - exit 0 
- - - name: Run molecule test - run: | - molecule --version - molecule test -s ${{ matrix.molecule_test }} - working-directory: ./ansible_collections/${{ inputs.fqcn }} - env: - ANSIBLE_REMOTE_TMP: /tmp - ANSIBLE_VERBOSITY: ${{ inputs.debug_verbosity }} - PROD_JBOSSNETWORK_API_CLIENTID: '${{ secrets.PROD_JBOSSNETWORK_API_CLIENTID }}' - PROD_JBOSSNETWORK_API_SECRET: '${{ secrets.PROD_JBOSSNETWORK_API_SECRET }}' - STAGE_JBOSSNETWORK_API_CLIENTID: '${{ secrets.STAGE_JBOSSNETWORK_API_CLIENTID }}' - STAGE_JBOSSNETWORK_API_SECRET: '${{ secrets.STAGE_JBOSSNETWORK_API_SECRET }}' - - molecule_middle: - if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name }} - runs-on: ${{ github.repository == 'ansible-middleware/keycloak' && 'molecule-2.19' || 'ubuntu-22.04' }} - strategy: - matrix: - python_version: ["3.12"] - molecule_test: ${{ fromJSON(inputs.podman_tests_middle) }} - fail-fast: ${{ inputs.fail_fast }} - env: - PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && '10.88.0.1:3128' || '' }} - NO_PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && 'localhost,.redhat.com,.ansible.com' || '' }} - steps: - - name: Check out code - uses: actions/checkout@v4 - with: - path: ansible_collections/${{ inputs.fqcn }} - - - name: Set up Python ${{ matrix.python_version }} - if: ${{ github.repository != 'ansible-middleware/keycloak' }} - uses: actions/setup-python@v5 - with: - python-version: ${{ matrix.python_version }} - cache: 'pip' - cache-dependency-path: ansible_collections/${{ inputs.fqcn }}/requirements.txt - - - name: Ensure podman is available - run: | - if command -v podman &> /dev/null; then - echo "podman $(podman --version)" - exit 0 - fi - echo "::warning::podman not found in PATH, attempting to install" - if command -v apt-get &> /dev/null; then - sudo apt-get update -y - sudo apt-get install -y podman - elif command -v dnf &> /dev/null; then - sudo dnf 
install -y podman - else - echo "::error::Unsupported package manager; install podman on the runner image." - exit 1 - fi - echo "podman $(podman --version)" - - - name: Use vfs storage for rootless podman (GitHub-hosted) - if: ${{ github.repository != 'ansible-middleware/keycloak' }} - run: | - mkdir -p "${HOME}/.config/containers" - printf '%s\n' '[storage]' 'driver = "vfs"' > "${HOME}/.config/containers/storage.conf" - - - name: Initialize podman for current user - run: | - podman system migrate || true - podman info --format '{{.Host.Security.Rootless}}' - - - name: Install dependencies - uses: nick-fields/retry@v3 - with: - timeout_minutes: 5 - retry_wait_seconds: 60 - max_attempts: 3 - command: | - python3.12 -m pip install --upgrade pip - if [ "${{ github.repository }}" != "ansible-middleware/keycloak" ]; then - python3.12 -m pip install --progress-bar off \ - 'molecule>=24.2.0' 'molecule-plugins[podman]>=23.0.0' 'ansible-core~=2.19' - fi - if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.txt ]; then - echo "=== Installing python deps" - python3.12 -m pip install --progress-bar off -r ansible_collections/${{ inputs.fqcn }}/requirements.txt - fi - if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.yml ]; then - echo "=== Installing dependencies" - ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/requirements.yml -p /home/runner/.ansible/collections --force-with-deps - fi - if [ -f ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml ]; then - echo "=== Installing test dependencies" - ansible-galaxy role install -r ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml ||: - ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml -p /home/runner/.ansible/collections - fi - exit 0 - - - name: Run molecule test - run: | - molecule --version - molecule test -s ${{ matrix.molecule_test }} - working-directory: ./ansible_collections/${{ inputs.fqcn }} - 
env: - ANSIBLE_REMOTE_TMP: /tmp - ANSIBLE_VERBOSITY: ${{ inputs.debug_verbosity }} - PROD_JBOSSNETWORK_API_CLIENTID: '${{ secrets.PROD_JBOSSNETWORK_API_CLIENTID }}' - PROD_JBOSSNETWORK_API_SECRET: '${{ secrets.PROD_JBOSSNETWORK_API_SECRET }}' - STAGE_JBOSSNETWORK_API_CLIENTID: '${{ secrets.STAGE_JBOSSNETWORK_API_CLIENTID }}' - STAGE_JBOSSNETWORK_API_SECRET: '${{ secrets.STAGE_JBOSSNETWORK_API_SECRET }}' - - molecule_next: - if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name }} - runs-on: ${{ github.repository == 'ansible-middleware/keycloak' && 'molecule-2.20' || 'ubuntu-22.04' }} - strategy: - matrix: - python_version: ["3.12"] - molecule_test: ${{ fromJSON(inputs.podman_tests_next) }} - fail-fast: ${{ inputs.fail_fast }} - env: - PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && '10.88.0.1:3128' || '' }} - NO_PROXY: ${{ github.repository == 'ansible-middleware/keycloak' && 'localhost,.redhat.com,.ansible.com' || '' }} - steps: - - name: Check out code - uses: actions/checkout@v4 - with: - path: ansible_collections/${{ inputs.fqcn }} - - - name: Set up Python ${{ matrix.python_version }} - if: ${{ github.repository != 'ansible-middleware/keycloak' }} - uses: actions/setup-python@v5 - with: - python-version: ${{ matrix.python_version }} - cache: 'pip' - cache-dependency-path: ansible_collections/${{ inputs.fqcn }}/requirements.txt - - - name: Ensure podman is available - run: | - if command -v podman &> /dev/null; then - echo "podman $(podman --version)" - exit 0 - fi - echo "::warning::podman not found in PATH, attempting to install" - if command -v apt-get &> /dev/null; then - sudo apt-get update -y - sudo apt-get install -y podman - elif command -v dnf &> /dev/null; then - sudo dnf install -y podman - else - echo "::error::Unsupported package manager; install podman on the runner image." 
- exit 1 - fi - echo "podman $(podman --version)" - - - name: Use vfs storage for rootless podman (GitHub-hosted) - if: ${{ github.repository != 'ansible-middleware/keycloak' }} - run: | - mkdir -p "${HOME}/.config/containers" - printf '%s\n' '[storage]' 'driver = "vfs"' > "${HOME}/.config/containers/storage.conf" - - - name: Initialize podman for current user - run: | - podman system migrate || true - podman info --format '{{.Host.Security.Rootless}}' - - - name: Install dependencies - uses: nick-fields/retry@v3 - with: - timeout_minutes: 5 - retry_wait_seconds: 60 - max_attempts: 3 - command: | - python3.12 -m pip install --upgrade pip - if [ "${{ github.repository }}" != "ansible-middleware/keycloak" ]; then - python3.12 -m pip install --progress-bar off \ - 'molecule>=24.2.0' 'molecule-plugins[podman]>=23.0.0' 'ansible-core~=2.20' - fi - if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.txt ]; then - echo "=== Installing python deps" - python3.12 -m pip install --progress-bar off -r ansible_collections/${{ inputs.fqcn }}/requirements.txt - fi - if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.yml ]; then - echo "=== Installing dependencies" - ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/requirements.yml -p /home/runner/.ansible/collections --force-with-deps - fi - if [ -f ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml ]; then - echo "=== Installing test dependencies" - ansible-galaxy role install -r ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml ||: - ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml -p /home/runner/.ansible/collections - fi - exit 0 - - - name: Run molecule test - run: | - molecule --version - molecule test -s ${{ matrix.molecule_test }} - working-directory: ./ansible_collections/${{ inputs.fqcn }} - env: - ANSIBLE_REMOTE_TMP: /tmp - ANSIBLE_VERBOSITY: ${{ inputs.debug_verbosity }} - 
PROD_JBOSSNETWORK_API_CLIENTID: '${{ secrets.PROD_JBOSSNETWORK_API_CLIENTID }}' - PROD_JBOSSNETWORK_API_SECRET: '${{ secrets.PROD_JBOSSNETWORK_API_SECRET }}' - STAGE_JBOSSNETWORK_API_CLIENTID: '${{ secrets.STAGE_JBOSSNETWORK_API_CLIENTID }}' - STAGE_JBOSSNETWORK_API_SECRET: '${{ secrets.STAGE_JBOSSNETWORK_API_SECRET }}' diff --git a/molecule/debian/converge.yml b/molecule/debian/converge.yml index 88cb98d..1539162 100644 --- a/molecule/debian/converge.yml +++ b/molecule/debian/converge.yml @@ -1,6 +1,8 @@ --- - name: Converge hosts: all + vars_files: + - ../group_vars/all/vars.yml vars: keycloak_quarkus_show_deprecation_warnings: false keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" diff --git a/molecule/debian/prepare.yml b/molecule/debian/prepare.yml index 7cab507..e6d1203 100644 --- a/molecule/debian/prepare.yml +++ b/molecule/debian/prepare.yml @@ -1,6 +1,8 @@ --- - name: Prepare hosts: all + vars_files: + - ../group_vars/all/vars.yml gather_facts: yes tasks: - name: Install sudo diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 2b899de..463cda0 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -1,6 +1,8 @@ --- - name: Converge hosts: all + vars_files: + - ../group_vars/all/vars.yml vars: keycloak_quarkus_show_deprecation_warnings: false keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 587a3c8..626f430 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -24,6 +24,9 @@ provisioner: converge: converge.yml verify: verify.yml inventory: + group_vars: + all: + keycloak_install_requires_become: true host_vars: localhost: ansible_python_interpreter: "{{ ansible_playbook_python }}" diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 58b2ac6..f815f19 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml 
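Review bot: In `molecule/default/molecule.yml` the new inventory `group_vars` hard-codes `keycloak_install_requires_become: true`, which is the same value the new `vars.yml` already falls back to through `default(true)`; if the reusable workflow injects the variable named by `root_permission_varname` at inventory precedence rather than as an extra var, this entry shadows it and the scenario always runs privileged. Either drop the key and rely on the default, or add `# pins this scenario to the privileged install path regardless of CI input` above it so the intent is explicit. Separately, the two-line `vars_files: - ../group_vars/all/vars.yml` stanza is copy-pasted into every converge/prepare/verify play in this commit (the hunks on this line and the following ones); molecule's `provisioner.inventory.links.group_vars` would attach the same directory once per scenario and keep the plays from drifting apart.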
@@ -1,6 +1,8 @@ --- - name: Prepare hosts: all + vars_files: + - ../group_vars/all/vars.yml gather_facts: yes vars: sudo_pkg_name: sudo diff --git a/molecule/group_vars/all/vars.yml b/molecule/group_vars/all/vars.yml new file mode 100644 index 0000000..3e54a86 --- /dev/null +++ b/molecule/group_vars/all/vars.yml 
@@ -0,0 +1,26 @@
+---
+keycloak_quarkus_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_systemd_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_install_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_firewalld_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_iptables_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_jdbc_driver_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_config_store_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_restart_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_start_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_rebuild_config_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_fastpackages_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_bootstrapped_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_invalidate_theme_cache_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_systemd_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_install_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_firewalld_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_iptables_require_privilege_escalation: "{{ 
keycloak_install_requires_become | default(true) }}" +keycloak_jdbc_driver_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}" +keycloak_restart_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}" +keycloak_start_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}" +keycloak_stop_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}" +keycloak_fastpackages_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}" +keycloak_rhsso_patch_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}" +molecule_prepare_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}" diff --git a/molecule/https_revproxy/converge.yml b/molecule/https_revproxy/converge.yml index 92994fa..fcba56b 100644 --- a/molecule/https_revproxy/converge.yml +++ b/molecule/https_revproxy/converge.yml @@ -1,6 +1,8 @@ --- - name: Converge hosts: all + vars_files: + - ../group_vars/all/vars.yml vars: keycloak_quarkus_show_deprecation_warnings: false keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" diff --git a/molecule/https_revproxy/prepare.yml b/molecule/https_revproxy/prepare.yml index 0ef0595..8d81958 100644 --- a/molecule/https_revproxy/prepare.yml +++ b/molecule/https_revproxy/prepare.yml @@ -1,6 +1,8 @@ --- - name: Prepare hosts: all + vars_files: + - ../group_vars/all/vars.yml tasks: - name: Install sudo ansible.builtin.dnf: 
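Review bot: `molecule/group_vars/all/vars.yml` fans one switch out to twenty-five role variables but carries no comment saying so; a short header stating that `keycloak_install_requires_become` is the single knob the CI workflow sets through `root_permission_varname`, that every `*_require_privilege_escalation` key is derived from it, and that the fallback is `true` (privileged) would stop the next maintainer from editing one line and missing the rest. Because the file is only consulted where a play lists it under `vars_files`, a scenario play that omits that line silently keeps the roles' own defaults; that caveat belongs in the same header. Whether each of these names is actually read by the corresponding role is not visible here and worth a quick grep before merging, since an unused key would give a false sense of coverage.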
@@ -41,11 +43,11 @@ src: "{{ item.name }}" dest: "{{ item.dest }}" mode: 0444 - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" loop: - { name: 'cert.pem', dest: '/etc/nginx/tls/certificate.crt' } - { name: 'key.pem', dest: '/etc/nginx/tls/certificate.key' } - name: Update CA trust ansible.builtin.command: update-ca-trust changed_when: false - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" diff --git a/molecule/overridexml/converge.yml b/molecule/overridexml/converge.yml index 7537684..623415f 100644 --- a/molecule/overridexml/converge.yml +++ b/molecule/overridexml/converge.yml @@ -1,6 +1,8 @@ --- - name: Converge hosts: all + vars_files: + - ../group_vars/all/vars.yml vars: keycloak_admin_password: "remembertochangeme" keycloak_config_override_template: custom.xml.j2 diff --git a/molecule/overridexml/prepare.yml b/molecule/overridexml/prepare.yml index 26245be..d5d9adc 100644 --- a/molecule/overridexml/prepare.yml +++ b/molecule/overridexml/prepare.yml @@ -1,6 +1,8 @@ --- - name: Prepare hosts: all + vars_files: + - ../group_vars/all/vars.yml gather_facts: yes vars: sudo_pkg_name: sudo diff --git a/molecule/prepare.yml b/molecule/prepare.yml index 27486a3..2d5f306 100644 --- a/molecule/prepare.yml +++ b/molecule/prepare.yml @@ -25,11 +25,12 @@ fail_msg: "sudo is not installed on target system" - name: "Install iproute" - become: true ansible.builtin.yum: name: - iproute state: present + when: + - ansible_user_id == 'root' - name: "Retrieve assets server from env" ansible.builtin.set_fact: diff --git a/molecule/quarkus/converge.yml b/molecule/quarkus/converge.yml index dbce67b..34cf56b 100644 --- a/molecule/quarkus/converge.yml +++ b/molecule/quarkus/converge.yml @@ -1,6 +1,8 @@ --- - name: Converge hosts: all + vars_files: + - ../group_vars/all/vars.yml vars: keycloak_quarkus_show_deprecation_warnings: false keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" 
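Review bot: In `molecule/prepare.yml` the `Install iproute` task drops `become: true` in favour of `when: ansible_user_id == 'root'`, which is a different contract from every other task touched by this commit: on a non-root connection that can still escalate, iproute is now not installed at all, whereas the sibling tasks escalate whenever `molecule_prepare_require_privilege_escalation` is true. Use the same pattern, `become: "{{ molecule_prepare_require_privilege_escalation }}"`, and drop the `when`, or add a comment explaining why this task must be skipped rather than escalated. The check also depends on `ansible_user_id`, so it assumes the including play gathers facts, which is outside this hunk.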
diff --git a/molecule/quarkus/prepare.yml b/molecule/quarkus/prepare.yml index cf33427..90163d9 100644 --- a/molecule/quarkus/prepare.yml +++ b/molecule/quarkus/prepare.yml @@ -1,6 +1,8 @@ --- - name: Prepare hosts: all + vars_files: + - ../group_vars/all/vars.yml tasks: - name: "Display hera_home if defined." ansible.builtin.set_fact: @@ -17,7 +19,7 @@ changed_when: false - name: Create vault directory - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" ansible.builtin.file: state: directory path: "/opt/keycloak/vault" @@ -28,7 +30,7 @@ ansible.builtin.package: name: java-21-openjdk-headless state: present - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" failed_when: false - name: Create vault keystore @@ -41,7 +43,7 @@ failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0 - name: Copy certificates and vault - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" ansible.builtin.copy: src: keystore.p12 dest: /opt/keycloak/vault/keystore.p12 diff --git a/molecule/quarkus/verify.yml b/molecule/quarkus/verify.yml index 1d9d2c3..65b220f 100644 --- a/molecule/quarkus/verify.yml +++ b/molecule/quarkus/verify.yml @@ -1,6 +1,8 @@ --- - name: Verify hosts: all + vars_files: + - ../group_vars/all/vars.yml vars: keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" @@ -56,7 +58,7 @@ fail_msg: "Service log symlink not correctly created" - name: Check log file - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" ansible.builtin.stat: path: /tmp/keycloak/keycloak.log register: keycloak_log_file @@ -68,7 +70,7 @@ - not keycloak_log_file.stat.isdir - name: Check default log folder - become: yes + become: "{{ molecule_prepare_require_privilege_escalation }}" ansible.builtin.stat: path: /var/log/keycloak register: keycloak_default_log_folder 
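Review bot: `molecule/quarkus/verify.yml` now gates `become` on `molecule_prepare_require_privilege_escalation`, a name that says it belongs to the prepare phase; the verify hunks of `quarkus_ha` and `quarkus_ha_26.4_below` further down do the same. Since `vars.yml` defines only that one molecule-scoped key, a phase-neutral name such as `molecule_require_privilege_escalation` (or a second alias reserved for verify) would keep the intent readable when someone later wants prepare and verify to differ. Replacing `become: yes` with the templated value also removes a YAML 1.1-only truthy scalar, which is welcome.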
@@ -80,7 +82,7 @@ - not keycloak_default_log_folder.stat.exists - name: Verify vault SPI in logfile - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" ansible.builtin.shell: | set -o pipefail zgrep 'Configured KeystoreVaultProviderFactory with the keystore file' /opt/keycloak/keycloak-*/data/log/keycloak.log*zip diff --git a/molecule/quarkus_devmode/converge.yml b/molecule/quarkus_devmode/converge.yml index a849ce3..32ad6c0 100644 --- a/molecule/quarkus_devmode/converge.yml +++ b/molecule/quarkus_devmode/converge.yml @@ -1,6 +1,8 @@ --- - name: Converge hosts: all + vars_files: + - ../group_vars/all/vars.yml vars: keycloak_quarkus_show_deprecation_warnings: false keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" diff --git a/molecule/quarkus_devmode/prepare.yml b/molecule/quarkus_devmode/prepare.yml index 9ce721e..fe423e6 100644 --- a/molecule/quarkus_devmode/prepare.yml +++ b/molecule/quarkus_devmode/prepare.yml @@ -1,6 +1,8 @@ --- - name: Prepare hosts: all + vars_files: + - ../group_vars/all/vars.yml tasks: - name: Install sudo ansible.builtin.apt: @@ -15,7 +17,7 @@ ansible.builtin.include_tasks: ../prepare.yml - name: Install JDK17 - become: yes + become: "{{ molecule_prepare_require_privilege_escalation }}" ansible.builtin.yum: name: - java-17-openjdk-headless @@ -24,7 +26,7 @@ - ansible_facts.os_family == 'RedHat' - name: Link default logs directory - become: yes + become: "{{ molecule_prepare_require_privilege_escalation }}" ansible.builtin.file: state: link src: "{{ item }}" diff --git a/molecule/quarkus_ha/converge.yml b/molecule/quarkus_ha/converge.yml index fa5314f..b39a3c3 100644 --- a/molecule/quarkus_ha/converge.yml +++ b/molecule/quarkus_ha/converge.yml @@ -1,6 +1,8 @@ --- - name: Converge hosts: keycloak + vars_files: + - ../group_vars/all/vars.yml vars: keycloak_quarkus_show_deprecation_warnings: false keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" 
diff --git a/molecule/quarkus_ha/prepare.yml b/molecule/quarkus_ha/prepare.yml index a8ff317..f47f837 100644 --- a/molecule/quarkus_ha/prepare.yml +++ b/molecule/quarkus_ha/prepare.yml @@ -1,6 +1,8 @@ --- - name: Prepare hosts: keycloak + vars_files: + - ../group_vars/all/vars.yml tasks: - name: "Display hera_home if defined." ansible.builtin.set_fact: @@ -17,7 +19,7 @@ changed_when: False - name: Create vault directory - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" ansible.builtin.file: state: directory path: "/opt/keycloak/vault" @@ -28,7 +30,7 @@ ansible.builtin.package: name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}" state: present - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" failed_when: false - name: Create vault keystore @@ -39,7 +41,7 @@ failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0 - name: Copy certificates and vault - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" ansible.builtin.copy: src: keystore.p12 dest: /opt/keycloak/vault/keystore.p12 diff --git a/molecule/quarkus_ha/verify.yml b/molecule/quarkus_ha/verify.yml index c1a2fb9..f45df6c 100644 --- a/molecule/quarkus_ha/verify.yml +++ b/molecule/quarkus_ha/verify.yml @@ -1,6 +1,8 @@ --- - name: Verify hosts: keycloak + vars_files: + - ../group_vars/all/vars.yml tasks: - name: Populate service facts ansible.builtin.service_facts: @@ -17,7 +19,7 @@ hera_home: "{{ lookup('env', 'HERA_HOME') }}" - name: Check log file - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" ansible.builtin.stat: path: /var/log/keycloak/keycloak.log register: keycloak_log_file diff --git a/molecule/quarkus_ha_26.4_below/converge.yml b/molecule/quarkus_ha_26.4_below/converge.yml index e148c12..c5e8cac 100644 --- a/molecule/quarkus_ha_26.4_below/converge.yml +++ b/molecule/quarkus_ha_26.4_below/converge.yml 
@@ -1,6 +1,8 @@ --- - name: Converge hosts: keycloak + vars_files: + - ../group_vars/all/vars.yml vars: keycloak_quarkus_show_deprecation_warnings: false keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" diff --git a/molecule/quarkus_ha_26.4_below/prepare.yml b/molecule/quarkus_ha_26.4_below/prepare.yml index a8ff317..f47f837 100644 --- a/molecule/quarkus_ha_26.4_below/prepare.yml +++ b/molecule/quarkus_ha_26.4_below/prepare.yml @@ -1,6 +1,8 @@ --- - name: Prepare hosts: keycloak + vars_files: + - ../group_vars/all/vars.yml tasks: - name: "Display hera_home if defined." ansible.builtin.set_fact: @@ -17,7 +19,7 @@ changed_when: False - name: Create vault directory - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" ansible.builtin.file: state: directory path: "/opt/keycloak/vault" @@ -28,7 +30,7 @@ ansible.builtin.package: name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}" state: present - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" failed_when: false - name: Create vault keystore @@ -39,7 +41,7 @@ failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0 - name: Copy certificates and vault - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" ansible.builtin.copy: src: keystore.p12 dest: /opt/keycloak/vault/keystore.p12 diff --git a/molecule/quarkus_ha_26.4_below/verify.yml b/molecule/quarkus_ha_26.4_below/verify.yml index c1a2fb9..f45df6c 100644 --- a/molecule/quarkus_ha_26.4_below/verify.yml +++ b/molecule/quarkus_ha_26.4_below/verify.yml @@ -1,6 +1,8 @@ --- - name: Verify hosts: keycloak + vars_files: + - ../group_vars/all/vars.yml tasks: - name: Populate service facts ansible.builtin.service_facts: 
@@ -17,7 +19,7 @@ hera_home: "{{ lookup('env', 'HERA_HOME') }}" - name: Check log file - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" ansible.builtin.stat: path: /var/log/keycloak/keycloak.log register: keycloak_log_file diff --git a/molecule/quarkus_ha_remote/converge.yml b/molecule/quarkus_ha_remote/converge.yml index e62ae23..67589a0 100644 --- a/molecule/quarkus_ha_remote/converge.yml +++ b/molecule/quarkus_ha_remote/converge.yml @@ -1,6 +1,10 @@ --- - name: Converge hosts: infinispan + vars_files: + - ../group_vars/all/vars.yml + vars: + ansible_become: "{{ keycloak_install_requires_become | default(true) }}" roles: - role: middleware_automation.infinispan.infinispan infinispan_service_name: infinispan @@ -18,6 +22,8 @@ - name: Converge hosts: keycloak + vars_files: + - ../group_vars/all/vars.yml vars: keycloak_quarkus_show_deprecation_warnings: false keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" diff --git a/molecule/quarkus_ha_remote/prepare.yml b/molecule/quarkus_ha_remote/prepare.yml index dbbfb38..ea8cac0 100644 --- a/molecule/quarkus_ha_remote/prepare.yml +++ b/molecule/quarkus_ha_remote/prepare.yml @@ -1,6 +1,8 @@ --- - name: Prepare hosts: 'keycloak:infinispan' + vars_files: + - ../group_vars/all/vars.yml tasks: - name: "Display hera_home if defined." ansible.builtin.set_fact: @@ -17,7 +19,7 @@ changed_when: False - name: Create vault directory - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" ansible.builtin.file: state: directory path: "/opt/keycloak/vault" @@ -28,7 +30,7 @@ ansible.builtin.package: name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}" state: present - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" failed_when: false - name: Create vault keystore 
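Review bot: The infinispan play in molecule/quarkus_ha_remote/converge.yml sets `ansible_become: "{{ keycloak_install_requires_become | default(true) }}"` as a play var, which toggles escalation for every task of the infinispan role through a connection variable, while the keycloak play in the `@@ -18,6 +22,8 @@` hunk of the same file only loads `../group_vars/all/vars.yml` and relies on the per-file `*_require_privilege_escalation` variables used elsewhere in this commit. How `keycloak_install_requires_become` relates to those per-file toggles is not visible in this chunk; if `vars.yml` derives them from it, a comment above the `vars:` line such as `# infinispan role has no per-task toggle; drive it from the same switch as keycloak` would explain why the two plays differ. The `| default(true)` also means an unset switch silently re-enables escalation for infinispan, whereas the keycloak play would fail on an undefined variable; it is worth stating which of the two behaviours is intended.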
@@ -41,7 +43,7 @@ failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0 - name: Copy certificates and vault - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" ansible.builtin.copy: src: keystore.p12 dest: /opt/keycloak/vault/keystore.p12 diff --git a/molecule/quarkus_ha_remote/verify.yml b/molecule/quarkus_ha_remote/verify.yml index c1a2fb9..f45df6c 100644 --- a/molecule/quarkus_ha_remote/verify.yml +++ b/molecule/quarkus_ha_remote/verify.yml @@ -1,6 +1,8 @@ --- - name: Verify hosts: keycloak + vars_files: + - ../group_vars/all/vars.yml tasks: - name: Populate service facts ansible.builtin.service_facts: @@ -17,7 +19,7 @@ hera_home: "{{ lookup('env', 'HERA_HOME') }}" - name: Check log file - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" ansible.builtin.stat: path: /var/log/keycloak/keycloak.log register: keycloak_log_file diff --git a/molecule/quarkus_upgrade/converge.yml b/molecule/quarkus_upgrade/converge.yml index 0f67169..cb498aa 100644 --- a/molecule/quarkus_upgrade/converge.yml +++ b/molecule/quarkus_upgrade/converge.yml @@ -2,6 +2,7 @@ - name: Converge hosts: all vars_files: + - ../group_vars/all/vars.yml - vars.yml vars: keycloak_quarkus_show_deprecation_warnings: false diff --git a/molecule/quarkus_upgrade/prepare.yml b/molecule/quarkus_upgrade/prepare.yml index 87de97e..cd4bd3c 100644 --- a/molecule/quarkus_upgrade/prepare.yml +++ b/molecule/quarkus_upgrade/prepare.yml @@ -2,6 +2,7 @@ - name: Prepare hosts: all vars_files: + - ../group_vars/all/vars.yml - vars.yml vars: sudo_pkg_name: sudo @@ -55,4 +56,4 @@ ansible.builtin.file: path: /etc/ansible/facts.d/keycloak.fact state: absent - become: true + become: "{{ molecule_prepare_require_privilege_escalation }}" diff --git a/roles/keycloak/tasks/fastpackages.yml b/roles/keycloak/tasks/fastpackages.yml index a89f7f6..ab34dbb 100644 --- a/roles/keycloak/tasks/fastpackages.yml +++ b/roles/keycloak/tasks/fastpackages.yml 
@@ -13,7 +13,7 @@ when: ansible_facts.os_family == "RedHat" - name: "Install packages: {{ packages_to_install }}" - become: true + become: "{{ keycloak_fastpackages_require_privilege_escalation }}" ansible.builtin.dnf: name: "{{ packages_to_install }}" state: present @@ -22,7 +22,7 @@ - ansible_facts.os_family == "RedHat" - name: "Install packages: {{ packages_list }}" - become: true + become: "{{ keycloak_fastpackages_require_privilege_escalation }}" ansible.builtin.package: name: "{{ packages_list }}" state: present diff --git a/roles/keycloak/tasks/firewalld.yml b/roles/keycloak/tasks/firewalld.yml index f48f580..9697cae 100644 --- a/roles/keycloak/tasks/firewalld.yml +++ b/roles/keycloak/tasks/firewalld.yml @@ -6,14 +6,14 @@ - firewalld - name: Enable and start the firewalld service - become: true + become: "{{ keycloak_firewalld_require_privilege_escalation }}" ansible.builtin.systemd: name: firewalld enabled: true state: started - name: "Configure firewall ports for {{ keycloak.service_name }}" - become: true + become: "{{ keycloak_firewalld_require_privilege_escalation }}" ansible.posix.firewalld: port: "{{ item }}" permanent: true diff --git a/roles/keycloak/tasks/install.yml b/roles/keycloak/tasks/install.yml index df46b77..9879c8a 100644 --- a/roles/keycloak/tasks/install.yml +++ b/roles/keycloak/tasks/install.yml @@ -11,7 +11,7 @@ quiet: true - name: Check for an existing deployment - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" ansible.builtin.stat: path: "{{ keycloak_jboss_home }}" register: existing_deploy 
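Review bot: `keycloak_fastpackages_require_privilege_escalation` is a new role variable with no `defaults/main.yml`, `meta/argument_specs.yml` or README entry visible in this chunk, and the same applies to `keycloak_firewalld_…`, `keycloak_install_…`, `keycloak_iptables_…`, `keycloak_jdbc_driver_…`, `keycloak_require_privilege_escalation`, `keycloak_restart_…`, `keycloak_rhsso_patch_…`, `keycloak_start_…`, `keycloak_stop_…`, `keycloak_systemd_…` and the matching `keycloak_quarkus_*_require_privilege_escalation` family in the later hunks. If they are not defined elsewhere in the commit, every one of these tasks now fails with an undefined variable instead of running privileged, which is a safe failure mode but should be deliberate. Wherever they are defined, a comment per variable (or one block comment for the family) should state the default, that `true` is the previous behaviour, and that the value must render to a boolean because `become` does not accept an arbitrary string, e.g. `# set to false only when the remote user already has the rights these tasks need`.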
@@ -20,24 +20,24 @@ when: existing_deploy.stat.exists and keycloak_force_install | bool block: - name: "Stop the old {{ keycloak.service_name }} service" - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" failed_when: false ansible.builtin.systemd: name: keycloak state: stopped - name: "Remove the old {{ keycloak.service_name }} deployment" - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" ansible.builtin.file: path: "{{ keycloak_jboss_home }}" state: absent - name: Check for an existing deployment after possible forced removal - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" ansible.builtin.stat: path: "{{ keycloak_jboss_home }}" - name: "Create service user/group for {{ keycloak.service_name }}" - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" ansible.builtin.user: name: "{{ keycloak_service_user }}" home: /opt/keycloak @@ -45,7 +45,7 @@ create_home: false - name: "Create install location for {{ keycloak.service_name }}" - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" ansible.builtin.file: dest: "{{ keycloak_dest }}" state: directory @@ -54,7 +54,7 @@ mode: '0750' - name: Create pidfile folder - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" ansible.builtin.file: dest: "{{ keycloak_service_pidfile | dirname }}" state: directory @@ -68,7 +68,7 @@ archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}" - name: Check download archive path - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" ansible.builtin.stat: path: "{{ archive }}" register: archive_path 
@@ -168,13 +168,13 @@ - not archive_path.stat.exists - local_archive_path.stat is defined - local_archive_path.stat.exists - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" - name: "Check target directory: {{ keycloak.home }}" ansible.builtin.stat: path: "{{ keycloak.home }}" register: path_to_workdir - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" - name: "Extract {{ keycloak_service_desc }} archive on target" ansible.builtin.unarchive: @@ -184,7 +184,7 @@ creates: "{{ keycloak.home }}" owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_group }}" - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" when: - new_version_downloaded.changed or not path_to_workdir.stat.exists notify: @@ -202,13 +202,13 @@ owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_group }}" recurse: true - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" changed_when: false - name: Ensure permissions are correct on existing deploy ansible.builtin.command: chown -R "{{ keycloak_service_user }}:{{ keycloak_service_group }}" "{{ keycloak.home }}" when: keycloak_service_runas - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" changed_when: false # driver and configuration @@ -217,7 +217,7 @@ when: keycloak_jdbc[keycloak_jdbc_engine].enabled - name: "Deploy custom {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak_config_override_template }}" - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" ansible.builtin.template: src: "templates/{{ keycloak_config_override_template }}" dest: "{{ keycloak_config_path_to_standalone_xml }}" 
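Review bot: The unarchive task and the `chown -R "{{ keycloak_service_user }}:{{ keycloak_service_group }}"` command in this hunk keep `owner`/`group` set to the service account while their `become` is now `{{ keycloak_install_require_privilege_escalation }}`; changing ownership to another user needs root, so with the toggle false these tasks only succeed when the connecting user is already `keycloak_service_user`. The same coupling applies to the `owner: root`/`group: root` unit-file tasks in roles/keycloak/tasks/systemd.yml and roles/keycloak_quarkus/tasks/systemd.yml, to the provider and policy copies in roles/keycloak_quarkus/tasks/install.yml, and to `kc.sh build` in roles/keycloak_quarkus/tasks/rebuild_config.yml, which writes under `{{ keycloak.home }}` as the connecting user when escalation is off. That constraint belongs in the variable's documentation, e.g. `# false is only valid when the remote user is keycloak_service_user and already owns keycloak_dest`.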
@@ -229,7 +229,7 @@ when: keycloak_config_override_template | length > 0 - name: "Deploy standalone {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}" - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" ansible.builtin.template: src: templates/standalone.xml.j2 dest: "{{ keycloak_config_path_to_standalone_xml }}" @@ -257,7 +257,7 @@ when: keycloak_ha_enabled and keycloak_ha_discovery == 'TCPPING' - name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}" - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" ansible.builtin.template: src: templates/standalone-ha.xml.j2 dest: "{{ keycloak_config_path_to_standalone_xml }}" @@ -272,7 +272,7 @@ - keycloak_config_override_template | length == 0 - name: "Deploy HA {{ keycloak.service_name }} config with infinispan remote cache store to {{ keycloak_config_path_to_standalone_xml }}" - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" ansible.builtin.template: src: templates/standalone-infinispan.xml.j2 dest: "{{ keycloak_config_path_to_standalone_xml }}" @@ -287,7 +287,7 @@ - keycloak_config_override_template | length == 0 - name: "Deploy profile.properties file to {{ keycloak_config_path_to_properties }}" - become: true + become: "{{ keycloak_install_require_privilege_escalation }}" ansible.builtin.template: src: keycloak-profile.properties.j2 dest: "{{ keycloak_config_path_to_properties }}" diff --git a/roles/keycloak/tasks/iptables.yml b/roles/keycloak/tasks/iptables.yml index 8ebc16e..c157e25 100644 --- a/roles/keycloak/tasks/iptables.yml +++ b/roles/keycloak/tasks/iptables.yml @@ -6,7 +6,7 @@ - iptables - name: "Configure firewall ports for {{ keycloak.service_name }}" - become: true + become: "{{ keycloak_iptables_require_privilege_escalation }}" ansible.builtin.iptables: destination_port: "{{ item }}" action: "insert" 
diff --git a/roles/keycloak/tasks/jdbc_driver.yml b/roles/keycloak/tasks/jdbc_driver.yml index bec80e3..8f84e49 100644 --- a/roles/keycloak/tasks/jdbc_driver.yml +++ b/roles/keycloak/tasks/jdbc_driver.yml @@ -3,7 +3,7 @@ ansible.builtin.stat: path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}" register: dest_path - become: true + become: "{{ keycloak_jdbc_driver_require_privilege_escalation }}" - name: "Set up module dir for JDBC Driver {{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}" ansible.builtin.file: @@ -13,7 +13,7 @@ owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_group }}" mode: '0750' - become: true + become: "{{ keycloak_jdbc_driver_require_privilege_escalation }}" when: - not dest_path.stat.exists - name: "Verify valid parameters for download credentials when specified" @@ -34,7 +34,7 @@ url_password: "{{ keycloak_jdbc_download_pass | default(omit) }}" validate_certs: "{{ keycloak_jdbc_download_validate_certs | default(omit) }}" mode: '0640' - become: true + become: "{{ keycloak_jdbc_driver_require_privilege_escalation }}" - name: "Deploy module.xml for JDBC Driver" ansible.builtin.template: @@ -43,4 +43,4 @@ group: "{{ keycloak_service_group }}" owner: "{{ keycloak_service_user }}" mode: '0640' - become: true + become: "{{ keycloak_jdbc_driver_require_privilege_escalation }}" diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index f826b63..d128511 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml @@ -51,7 +51,7 @@ state: link src: "{{ keycloak_jboss_home }}/standalone/log" dest: "{{ keycloak_log_target }}" - become: true + become: "{{ keycloak_require_privilege_escalation }}" - name: Set admin credentials and restart if not already created block: 
@@ -75,7 +75,7 @@ - "-u{{ keycloak_admin_user }}" - "-p{{ keycloak_admin_password }}" changed_when: true - become: true + become: "{{ keycloak_require_privilege_escalation }}" - name: "Restart {{ keycloak.service_name }}" ansible.builtin.include_tasks: tasks/restart_keycloak.yml - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}" diff --git a/roles/keycloak/tasks/restart_keycloak.yml b/roles/keycloak/tasks/restart_keycloak.yml index 7284bd0..b6add67 100644 --- a/roles/keycloak/tasks/restart_keycloak.yml +++ b/roles/keycloak/tasks/restart_keycloak.yml @@ -5,7 +5,7 @@ enabled: true state: restarted daemon_reload: true - become: true + become: "{{ keycloak_restart_require_privilege_escalation }}" delegate_to: "{{ ansible_play_hosts | first }}" run_once: true @@ -24,5 +24,5 @@ name: keycloak enabled: true state: restarted - become: true + become: "{{ keycloak_restart_require_privilege_escalation }}" when: inventory_hostname != ansible_play_hosts | first diff --git a/roles/keycloak/tasks/rhsso_patch.yml b/roles/keycloak/tasks/rhsso_patch.yml index 23d75bf..f028211 100644 --- a/roles/keycloak/tasks/rhsso_patch.yml +++ b/roles/keycloak/tasks/rhsso_patch.yml @@ -12,7 +12,7 @@ path: "{{ patch_archive }}" register: patch_archive_path when: sso_patch_version is defined - become: true + become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}" - name: Perform patch download from RHN via JBossNetwork API delegate_to: localhost @@ -86,7 +86,7 @@ ansible.builtin.stat: path: "{{ patch_archive }}" register: patch_archive_path - become: true + become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}" ## copy and unpack - name: Copy patch archive to target nodes 
@@ -101,7 +101,7 @@ - not patch_archive_path.stat.exists - local_archive_path.stat is defined - local_archive_path.stat.exists - become: true + become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}" - name: "Check installed patches" ansible.builtin.include_tasks: rhsso_cli.yml @@ -109,7 +109,7 @@ cli_query: "patch info" args: apply: - become: true + become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}" become_user: "{{ keycloak_service_user }}" - name: "Perform patching" @@ -124,7 +124,7 @@ cli_query: "patch apply {{ patch_archive }}" args: apply: - become: true + become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}" become_user: "{{ keycloak_service_user }}" - name: "Restart server to ensure patch content is running" @@ -135,7 +135,7 @@ - cli_result.rc == 0 args: apply: - become: true + become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}" become_user: "{{ keycloak_service_user }}" - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}" @@ -152,7 +152,7 @@ cli_query: "patch info" args: apply: - become: true + become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}" become_user: "{{ keycloak_service_user }}" - name: "Verify installed patch version" diff --git a/roles/keycloak/tasks/start_keycloak.yml b/roles/keycloak/tasks/start_keycloak.yml index 5aed248..06be6a2 100644 --- a/roles/keycloak/tasks/start_keycloak.yml +++ b/roles/keycloak/tasks/start_keycloak.yml @@ -5,7 +5,7 @@ enabled: true state: started daemon_reload: true - become: true + become: "{{ keycloak_start_require_privilege_escalation }}" - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}" ansible.builtin.uri: diff --git a/roles/keycloak/tasks/stop_keycloak.yml b/roles/keycloak/tasks/stop_keycloak.yml index 7f30433..96dc0a5 100644 --- a/roles/keycloak/tasks/stop_keycloak.yml +++ b/roles/keycloak/tasks/stop_keycloak.yml 
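Review bot: In the `args: apply:` blocks of the `Check installed patches`, `Perform patching`, `Restart server to ensure patch content is running` and `Verify installed patch version` includes (hunks `@@ -109`, `@@ -124`, `@@ -135`, `@@ -152` of roles/keycloak/tasks/rhsso_patch.yml), `become_user: "{{ keycloak_service_user }}"` is kept while `become` is now `{{ keycloak_rhsso_patch_require_privilege_escalation }}`; Ansible does not apply `become_user` when `become` is false, so with the toggle off the rhsso_cli.yml patch commands run as the connecting user rather than as the service user, and nothing reports the change. If that is acceptable only when the connecting user is the service user, say so where the variable is defined, e.g. `# when false, rhsso_cli.yml runs as the remote user; become_user is not applied`.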
@@ -4,4 +4,4 @@ name: keycloak enabled: true state: stopped - become: true + become: "{{ keycloak_stop_require_privilege_escalation }}" diff --git a/roles/keycloak/tasks/systemd.yml b/roles/keycloak/tasks/systemd.yml index 1653406..0ebbe62 100644 --- a/roles/keycloak/tasks/systemd.yml +++ b/roles/keycloak/tasks/systemd.yml @@ -1,6 +1,6 @@ --- - name: "Configure {{ keycloak.service_name }} service script wrapper" - become: true + become: "{{ keycloak_systemd_require_privilege_escalation }}" ansible.builtin.template: src: keycloak-service.sh.j2 dest: "{{ keycloak_dest }}/keycloak-service.sh" @@ -11,7 +11,7 @@ - restart keycloak - name: "Configure sysconfig file for {{ keycloak.service_name }} service" - become: true + become: "{{ keycloak_systemd_require_privilege_escalation }}" ansible.builtin.template: src: keycloak-sysconfig.j2 dest: "{{ keycloak_sysconf_file }}" @@ -28,7 +28,7 @@ owner: root group: root mode: '0644' - become: true + become: "{{ keycloak_systemd_require_privilege_escalation }}" register: systemdunit notify: - restart keycloak diff --git a/roles/keycloak_quarkus/tasks/bootstrapped.yml b/roles/keycloak_quarkus/tasks/bootstrapped.yml index 3cbc5c4..4a888a8 100644 --- a/roles/keycloak_quarkus/tasks/bootstrapped.yml +++ b/roles/keycloak_quarkus/tasks/bootstrapped.yml @@ -1,6 +1,6 @@ --- - name: Save ansible custom facts - become: true + become: "{{ keycloak_quarkus_bootstrapped_require_privilege_escalation }}" ansible.builtin.template: src: keycloak.fact.j2 dest: /etc/ansible/facts.d/keycloak.fact diff --git a/roles/keycloak_quarkus/tasks/config_store.yml b/roles/keycloak_quarkus/tasks/config_store.yml index 2d8b39e..bb723d0 100644 --- a/roles/keycloak_quarkus/tasks/config_store.yml +++ b/roles/keycloak_quarkus/tasks/config_store.yml 
@@ -6,7 +6,7 @@ value: "{{ keycloak_quarkus_db_pass }}" - name: "Initialize empty configuration key store" - become: true + become: "{{ keycloak_quarkus_config_store_require_privilege_escalation }}" # keytool doesn't allow creating an empty key store, so this is a hacky way around it ansible.builtin.shell: | # noqa blocked_modules shell is necessary here set -o nounset # abort on unbound variable @@ -38,7 +38,7 @@ echo {{ item.value | quote }} | keytool -noprompt -importpass -alias {{ item.key | quote }} -keystore {{ keycloak_quarkus_config_key_store_file | quote }} -storepass {{ keycloak_quarkus_config_key_store_password | quote }} -storetype PKCS12 loop: "{{ store_items }}" no_log: true - become: true + become: "{{ keycloak_quarkus_config_store_require_privilege_escalation }}" changed_when: true notify: - restart keycloak @@ -49,4 +49,4 @@ owner: "{{ keycloak.service_user }}" group: "{{ keycloak.service_group }}" mode: '0400' - become: true + become: "{{ keycloak_quarkus_config_store_require_privilege_escalation }}" diff --git a/roles/keycloak_quarkus/tasks/fastpackages.yml b/roles/keycloak_quarkus/tasks/fastpackages.yml index 9dc1621..998ef3c 100644 --- a/roles/keycloak_quarkus/tasks/fastpackages.yml +++ b/roles/keycloak_quarkus/tasks/fastpackages.yml @@ -13,7 +13,7 @@ when: ansible_facts.os_family == "RedHat" - name: "Install packages: {{ packages_to_install }}" - become: true + become: "{{ keycloak_quarkus_fastpackages_require_privilege_escalation }}" ansible.builtin.dnf: name: "{{ packages_to_install }}" state: present @@ -22,7 +22,7 @@ - ansible_facts.os_family == "RedHat" - name: "Install packages: {{ packages_list }}" - become: true + become: "{{ keycloak_quarkus_fastpackages_require_privilege_escalation }}" ansible.builtin.package: name: "{{ packages_list }}" state: present diff --git a/roles/keycloak_quarkus/tasks/firewalld.yml b/roles/keycloak_quarkus/tasks/firewalld.yml index 2d48124..daefcf4 100644 --- a/roles/keycloak_quarkus/tasks/firewalld.yml 
+++ b/roles/keycloak_quarkus/tasks/firewalld.yml @@ -6,14 +6,14 @@ - firewalld - name: Enable and start the firewalld service - become: true + become: "{{ keycloak_quarkus_firewalld_require_privilege_escalation }}" ansible.builtin.systemd: name: firewalld enabled: true state: started - name: "Configure firewall for {{ keycloak.service_name }} http port" - become: true + become: "{{ keycloak_quarkus_firewalld_require_privilege_escalation }}" ansible.posix.firewalld: port: "{{ item }}" permanent: true @@ -24,7 +24,7 @@ when: keycloak_quarkus_http_enabled | bool - name: "Configure firewall for {{ keycloak.service_name }} ports" - become: true + become: "{{ keycloak_quarkus_firewalld_require_privilege_escalation }}" ansible.posix.firewalld: port: "{{ item }}" permanent: true diff --git a/roles/keycloak_quarkus/tasks/install.yml b/roles/keycloak_quarkus/tasks/install.yml index ac9b5cd..64a492f 100644 --- a/roles/keycloak_quarkus/tasks/install.yml +++ b/roles/keycloak_quarkus/tasks/install.yml @@ -12,7 +12,7 @@ quiet: true - name: Check for an existing deployment - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" ansible.builtin.stat: path: "{{ keycloak.home }}" register: existing_deploy 
@@ -21,25 +21,25 @@ when: existing_deploy.stat.exists and keycloak_quarkus_force_install | bool block: - name: "Stop the old {{ keycloak.service_name }} service" - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" failed_when: false ansible.builtin.systemd: name: keycloak state: stopped - name: "Remove the old {{ keycloak.service_name }} deployment" - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" ansible.builtin.file: path: "{{ keycloak_quarkus_home }}" state: absent - name: Check for an existing deployment after possible forced removal - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" ansible.builtin.stat: path: "{{ keycloak_quarkus_home }}" register: existing_deploy - name: "Create {{ keycloak.service_name }} service user/group" - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" ansible.builtin.user: name: "{{ keycloak.service_user }}" home: /opt/keycloak @@ -47,7 +47,7 @@ create_home: false - name: "Create {{ keycloak.service_name }} install location" - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" ansible.builtin.file: dest: "{{ keycloak_quarkus_dest }}" state: directory @@ -56,7 +56,7 @@ mode: '0750' - name: Create directory for ansible custom facts - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" ansible.builtin.file: state: directory recurse: true @@ -68,7 +68,7 @@ archive: "{{ keycloak_quarkus_dest }}/{{ keycloak.bundle }}" - name: Check download archive path - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" ansible.builtin.stat: path: "{{ archive }}" register: archive_path 
@@ -172,13 +172,13 @@ - not archive_path.stat.exists - local_archive_path.stat is defined - local_archive_path.stat.exists - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" - name: "Check target directory: {{ keycloak.home }}/bin/" ansible.builtin.stat: path: "{{ keycloak.home }}/bin/" register: path_to_workdir - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" - name: "Extract Keycloak archive on target" # noqa no-handler need to run this here ansible.builtin.unarchive: @@ -188,7 +188,7 @@ creates: "{{ keycloak.home }}/bin/" owner: "{{ keycloak.service_user }}" group: "{{ keycloak.service_group }}" - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" when: - (not path_to_workdir.stat.exists) or new_version_downloaded.changed notify: @@ -207,7 +207,7 @@ owner: "{{ keycloak.service_user }}" group: "{{ keycloak.service_group }}" mode: '0640' - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" when: - keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled - keycloak_quarkus_key_file_copy_enabled is defined and keycloak_quarkus_key_file_copy_enabled @@ -220,7 +220,7 @@ owner: "{{ keycloak.service_user }}" group: "{{ keycloak.service_group }}" mode: '0644' - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" when: - keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled - keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled 
@@ -240,7 +240,7 @@ group: "{{ keycloak.service_group }}" mode: '0640' checksum: "{{ item.checksum | default(omit) }}" - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" loop: "{{ keycloak_quarkus_providers }}" when: item.url is defined and item.url | length > 0 notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}" @@ -269,7 +269,7 @@ group: "{{ keycloak.service_group }}" mode: '0640' checksum: "{{ item.checksum | default(omit) }}" - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" loop: "{{ keycloak_quarkus_providers }}" when: item.maven is defined no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}" @@ -283,7 +283,7 @@ group: "{{ keycloak.service_group }}" mode: '0640' remote_src: "{{ item.remote | default(false) }}" - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" loop: "{{ keycloak_quarkus_providers }}" when: item.local_path is defined notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}" @@ -295,7 +295,7 @@ owner: "{{ keycloak.service_user }}" group: "{{ keycloak.service_group }}" mode: '0750' - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" loop: "{{ keycloak_quarkus_supported_policy_types }}" - name: "Install custom policies" @@ -305,7 +305,7 @@ owner: "{{ keycloak.service_user }}" group: "{{ keycloak.service_group }}" mode: '0640' - become: true + become: "{{ keycloak_quarkus_install_require_privilege_escalation }}" loop: "{{ keycloak_quarkus_policies }}" when: item.url is defined and item.url | length > 0 notify: "restart keycloak" 
diff --git a/roles/keycloak_quarkus/tasks/invalidate_theme_cache.yml b/roles/keycloak_quarkus/tasks/invalidate_theme_cache.yml index 90ff67f..fd1966f 100644 --- a/roles/keycloak_quarkus/tasks/invalidate_theme_cache.yml +++ b/roles/keycloak_quarkus/tasks/invalidate_theme_cache.yml @@ -8,4 +8,4 @@ ansible.builtin.file: path: "{{ keycloak.home }}/data/tmp/kc-gzip-cache" state: absent - become: true + become: "{{ keycloak_quarkus_invalidate_theme_cache_require_privilege_escalation }}" diff --git a/roles/keycloak_quarkus/tasks/iptables.yml b/roles/keycloak_quarkus/tasks/iptables.yml index b487b89..1f29628 100644 --- a/roles/keycloak_quarkus/tasks/iptables.yml +++ b/roles/keycloak_quarkus/tasks/iptables.yml @@ -6,7 +6,7 @@ - iptables - name: "Configure firewall ports for {{ keycloak.service_name }}" - become: true + become: "{{ keycloak_quarkus_iptables_require_privilege_escalation }}" ansible.builtin.iptables: destination_port: "{{ item }}" action: "insert" diff --git a/roles/keycloak_quarkus/tasks/jdbc_driver.yml b/roles/keycloak_quarkus/tasks/jdbc_driver.yml index ba3f4b8..f948a30 100644 --- a/roles/keycloak_quarkus/tasks/jdbc_driver.yml +++ b/roles/keycloak_quarkus/tasks/jdbc_driver.yml @@ -17,6 +17,6 @@ url_password: "{{ keycloak_quarkus_jdbc_download_pass | default(omit) }}" validate_certs: "{{ keycloak_quarkus_jdbc_download_validate_certs | default(omit) }}" mode: '0640' - become: true + become: "{{ keycloak_quarkus_jdbc_driver_require_privilege_escalation }}" notify: - restart keycloak diff --git a/roles/keycloak_quarkus/tasks/main.yml b/roles/keycloak_quarkus/tasks/main.yml index d2ae419..26ef4f6 100644 --- a/roles/keycloak_quarkus/tasks/main.yml +++ b/roles/keycloak_quarkus/tasks/main.yml @@ -82,7 +82,7 @@ owner: "{{ keycloak.service_user }}" group: "{{ keycloak.service_group }}" mode: '0640' - become: true + become: "{{ keycloak_quarkus_require_privilege_escalation }}" loop: "{{ keycloak_quarkus_config_files }}" notify: - rebuild keycloak config 
@@ -95,7 +95,7 @@ owner: "{{ keycloak.service_user }}" group: "{{ keycloak.service_group }}" mode: '0775' - become: true + become: "{{ keycloak_quarkus_require_privilege_escalation }}" - name: Ensure tmp-directory exists ansible.builtin.file: @@ -104,7 +104,7 @@ owner: "{{ keycloak.service_user }}" group: "{{ keycloak.service_group }}" mode: '0755' - become: true + become: "{{ keycloak_quarkus_require_privilege_escalation }}" - name: Flush pending handlers ansible.builtin.meta: flush_handlers @@ -118,7 +118,7 @@ src: "{{ keycloak.log.file | dirname }}" dest: "{{ keycloak_quarkus_log_target }}" force: true - become: true + become: "{{ keycloak_quarkus_require_privilege_escalation }}" - name: Check service status ansible.builtin.systemd_service: diff --git a/roles/keycloak_quarkus/tasks/rebuild_config.yml b/roles/keycloak_quarkus/tasks/rebuild_config.yml index 1d43127..0f64c38 100644 --- a/roles/keycloak_quarkus/tasks/rebuild_config.yml +++ b/roles/keycloak_quarkus/tasks/rebuild_config.yml @@ -3,5 +3,5 @@ - name: "Rebuild {{ keycloak.service_name }} config" ansible.builtin.shell: | # noqa blocked_modules shell is necessary here env -i bash -c "set -a ; source {{ keycloak_quarkus_sysconf_file }} ; {{ keycloak.home }}/bin/kc.sh build " - become: true + become: "{{ keycloak_quarkus_rebuild_config_require_privilege_escalation }}" changed_when: true diff --git a/roles/keycloak_quarkus/tasks/restart.yml b/roles/keycloak_quarkus/tasks/restart.yml index 3aa97f6..66f3e0c 100644 --- a/roles/keycloak_quarkus/tasks/restart.yml +++ b/roles/keycloak_quarkus/tasks/restart.yml @@ -5,7 +5,7 @@ enabled: true state: restarted daemon_reload: true - become: true + become: "{{ keycloak_quarkus_restart_require_privilege_escalation }}" - name: "Wait until {{ keycloak.service_name }} service becomes active {{ keycloak.health_url }}" ansible.builtin.uri: 
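Review bot: In the tasks/rebuild_config.yml hunk, the `kc.sh build` shell task now honours `keycloak_quarkus_rebuild_config_require_privilege_escalation`, but it runs `source {{ keycloak_quarkus_sysconf_file }}` under `env -i` and writes build output into `{{ keycloak.home }}`; the sysconfig file is templated in tasks/systemd.yml (its mode is outside that hunk), so with escalation disabled the build only works if the connection user can read that file and write the Keycloak home. Suggest a comment on the task: `# without become the connection user must read the sysconfig file and write keycloak.home`. The three tasks/main.yml hunks (-95, -104, -118) consistently use the role-level `keycloak_quarkus_require_privilege_escalation`, which is fine, but the log symlink task (-118) keeps `owner`/`group` set to the service user and `force: true`, so the same ownership constraint applies when that variable is false.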
diff --git a/roles/keycloak_quarkus/tasks/restart/serial_then_parallel.yml b/roles/keycloak_quarkus/tasks/restart/serial_then_parallel.yml index d883ff1..a5ea7e6 100644 --- a/roles/keycloak_quarkus/tasks/restart/serial_then_parallel.yml +++ b/roles/keycloak_quarkus/tasks/restart/serial_then_parallel.yml @@ -16,5 +16,5 @@ enabled: true state: restarted daemon_reload: true - become: true + become: "{{ keycloak_quarkus_restart_require_privilege_escalation }}" when: inventory_hostname != ansible_play_hosts | first diff --git a/roles/keycloak_quarkus/tasks/start.yml b/roles/keycloak_quarkus/tasks/start.yml index 5a3ad5f..4fc63bd 100644 --- a/roles/keycloak_quarkus/tasks/start.yml +++ b/roles/keycloak_quarkus/tasks/start.yml @@ -5,7 +5,7 @@ enabled: true state: started daemon_reload: true - become: true + become: "{{ keycloak_quarkus_start_require_privilege_escalation }}" - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}" ansible.builtin.uri: diff --git a/roles/keycloak_quarkus/tasks/systemd.yml b/roles/keycloak_quarkus/tasks/systemd.yml index fda37f5..6d6168a 100644 --- a/roles/keycloak_quarkus/tasks/systemd.yml +++ b/roles/keycloak_quarkus/tasks/systemd.yml @@ -1,6 +1,6 @@ --- - name: "Configure sysconfig file for {{ keycloak.service_name }} service" - become: true + become: "{{ keycloak_quarkus_systemd_require_privilege_escalation }}" ansible.builtin.template: src: keycloak-sysconfig.j2 dest: "{{ keycloak_quarkus_sysconf_file }}" @@ -20,7 +20,7 @@ owner: root group: root mode: '0644' - become: true + become: "{{ keycloak_quarkus_systemd_require_privilege_escalation }}" register: systemdunit notify: - rebuild keycloak config
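Review bot: In the second tasks/systemd.yml hunk (-20) the unit-file task sets `owner: root`, `group: root`, `mode: '0644'`, which cannot be applied by an unprivileged user, so `keycloak_quarkus_systemd_require_privilege_escalation: false` only works when the connection user is already root; the `systemd_service` tasks in start.yml, restart.yml and restart/serial_then_parallel.yml (`enabled: true`, `daemon_reload: true`, with no `scope` visible in their hunks) have the same dependency on system-scope access. A comment at the unit-file task, `# root-owned unit file: disabling privilege escalation here requires a root connection user`, or a pre-task assertion on the variable versus the connection user (outside these hunks), would prevent a half-applied systemd configuration. The enclosing tasks in start.yml and restart.yml begin above their hunks.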
