Merge pull request #344 from RanabirChakraborty/rhbk_version_fix

AMW-551 Providing correct rhbk version

bindep.txt

@@ -6,4 +6,5 @@ python3-netaddr [platform:rpm platform:dpkg]
 python3-lxml [platform:rpm platform:dpkg]
 python3-jmespath [platform:rpm platform:dpkg]
 python3-requests [platform:rpm platform:dpkg]
+podman [platform:rpm platform:dpkg]
 

molecule/default/molecule.yml

@@ -1,6 +1,6 @@
 ---
 driver:
-  name: podman
+  name: docker
 platforms:
   - name: instance
     image: registry.access.redhat.com/ubi9/ubi-init:latest

molecule/default/prepare.yml

@@ -20,8 +20,50 @@
 
     - name: Download keycloak archive to controller directory
       ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
-        url: https://github.com/keycloak/keycloak/releases/download/26.4.7/keycloak-26.4.7.zip
+        url: https://github.com/keycloak/keycloak/releases/download/26.6.2/keycloak-26.6.2.zip
         dest: /tmp/keycloak
         mode: '0640'
       delegate_to: localhost
       run_once: true
+      ignore_errors: true
+
+    - name: Attempt RHBK download using redhat.runtimes_common collection
+      when:
+        - rhn_username is defined
+        - rhn_username | length > 0
+      block:
+        - name: Retrieve RHBK product download using Unified Downloads API
+          middleware_automation.common.product_search:
+            client_id: "{{ rhn_username }}"
+            client_secret: "{{ rhn_password }}"
+            product_type: DISTRIBUTION
+            product_version: "{{ keycloak_quarkus_version | default('26.6.2') }}"
+            product_category: "RHBK"
+          register: rhn_products
+          no_log: "{{ omit_rhn_output | default(true) }}"
+          delegate_to: localhost
+          run_once: true
+          ignore_errors: true
+
+        - name: Determine install zipfile from search results
+          ansible.builtin.set_fact:
+            rhn_matched_products: "{{ rhn_products.results | selectattr('file_name', 'match', '.*keycloak-' + (keycloak_quarkus_version | default('26.6.2')) + '.zip$') }}"
+          delegate_to: localhost
+          run_once: true
+          when:
+            - rhn_products is defined
+            - rhn_products.results is defined
+
+        - name: Download Red Hat Build of Keycloak
+          middleware_automation.common.product_download:
+            client_id: "{{ rhn_username }}"
+            client_secret: "{{ rhn_password }}"
+            product_id: "{{ (rhn_matched_products | first).id }}"
+            dest: "/tmp/keycloak/keycloak-{{ keycloak_quarkus_version | default('26.6.2') }}.zip"
+          no_log: "{{ omit_rhn_output | default(true) }}"
+          delegate_to: localhost
+          run_once: true
+          when:
+            - rhn_matched_products is defined
+            - rhn_matched_products | length > 0
+          ignore_errors: true

molecule/keycloak_modules/molecule.yml

@@ -1,6 +1,6 @@
 ---
 driver:
-  name: podman
+  name: docker
 platforms:
   - name: instance
     image: registry.access.redhat.com/ubi9/ubi-init:latest

molecule/overridexml/converge.yml

@@ -4,7 +4,11 @@
   vars_files:
     - ../group_vars/all/vars.yml
   vars:
+    rhn_username: "{{ lookup('env', 'rhn_username') | default('4278e994-7f90-46eb-b99c-90f2815b845f', true) }}"
+    rhn_password: "{{ lookup('env', 'rhn_password') | default('AHOLJo08ursGdWVm0F66iDR5Owk0CwpL', true) }}"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
     keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_hostname: "http://instance:8080"
     keycloak_config_override_template: custom.xml.j2
     keycloak_http_port: 8081
     keycloak_management_http_port: 19990

molecule/quarkus/converge.yml

@@ -25,7 +25,7 @@
     keycloak_quarkus_systemd_wait_for_delay: 2
     keycloak_quarkus_systemd_wait_for_log: true
     keycloak_quarkus_restart_health_check: false # would fail because of self-signed cert
-    keycloak_quarkus_version: 26.4.7
+    keycloak_quarkus_version: 26.6.2
     keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx1024m"
     keycloak_quarkus_additional_env_vars:
       - key: KC_FEATURES_DISABLED
@@ -39,16 +39,16 @@
           - key: default-connection-pool-size
             value: 10
       - id: spid-saml
-        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
+        url: https://github.com/italia/spid-keycloak-provider/releases/download/26.5.6/spid-provider.jar
       - id: spid-saml-w-checksum
-        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
+        url: https://github.com/italia/spid-keycloak-provider/releases/download/26.5.6/spid-provider.jar
-        checksum: sha256:fbb50e73739d7a6d35b5bff611b1c01668b29adf6f6259624b95e466a305f377
+        checksum: sha256:2ddafc389a5f017d8665bfdfa2f72b3784fc74b9f3a482e796fa89a5ba5cc95b
       - id: keycloak-kerberos-federation
         maven:
           repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4
           group_id: org.keycloak
           artifact_id: keycloak-kerberos-federation
-          version: 26.4.7 # optional
+          version: 26.6.3 # optional
           # username: myUser # optional
           # password: myPAT # optional
       # - id: my-static-theme

molecule/quarkus_devmode/molecule.yml

@@ -1,6 +1,6 @@
 ---
 driver:
-  name: podman
+  name: docker
 platforms:
   - name: instance
     image: registry.access.redhat.com/ubi9/ubi-init:latest

molecule/quarkus_upgrade/converge.yml

@@ -9,6 +9,6 @@
     keycloak_quarkus_additional_env_vars:
       - key: KC_FEATURES_DISABLED
         value: ciba,device-flow,impersonation,kerberos,docker
-    keycloak_quarkus_version: 26.0.7
+    keycloak_quarkus_version: 26.6.2
   roles:
     - role: keycloak_quarkus

molecule/quarkus_upgrade/molecule.yml

@@ -4,7 +4,7 @@ dependency:
   options:
     requirements-file: molecule/requirements.yml
 driver:
-  name: podman
+  name: docker
 platforms:
   - name: instance
     image: registry.access.redhat.com/ubi9/ubi-init:latest

molecule/quarkus_upgrade/prepare.yml

@@ -6,7 +6,7 @@
     - vars.yml
   vars:
     sudo_pkg_name: sudo
-    keycloak_quarkus_version: 26.0.4
+    keycloak_quarkus_version: 26.6.1
     keycloak_quarkus_additional_env_vars:
       - key: KC_FEATURES_DISABLED
         value: impersonation,kerberos

requirements.yml

@@ -2,4 +2,14 @@
 collections:
   - name: middleware_automation.common
     version: ">=1.2.4"
+  - name: middleware_automation.infinispan
+  - name: community.general
   - name: ansible.posix
+  - name: community.docker
+    version: ">=3.8.0"
+  - name: containers.podman
+    version: ">=1.8.1"
+
+roles:
+  - name: elan.simple_nginx_reverse_proxy
+    version: "0.2.1"

roles/keycloak_quarkus/README.md

@@ -33,7 +33,7 @@ Role Defaults
 
 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_version`| keycloak.org package version | `26.4.7` |
+|`keycloak_quarkus_version`| keycloak.org package version | `26.6.2` |
 |`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
 |`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |

roles/keycloak_quarkus/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 ### Configuration specific to keycloak
-keycloak_quarkus_version: 26.4.7
+keycloak_quarkus_version: 26.6.2
 keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
 keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
 keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"

roles/keycloak_quarkus/meta/argument_specs.yml

@@ -2,7 +2,7 @@ argument_specs:
     main:
         options:
             keycloak_quarkus_version:
-                default: "26.4.7"
+                default: "26.6.2"
                 description: "keycloak.org package version"
                 type: "str"
             keycloak_quarkus_archive:
@@ -519,7 +519,7 @@ argument_specs:
     downstream:
         options:
             rhbk_version:
-                default: "26.4.7"
+                default: "26.4.11"
                 description: "Red Hat Build of Keycloak version"
                 type: "str"
             rhbk_archive:

roles/keycloak_quarkus/tasks/prereqs.yml

@@ -2,6 +2,8 @@
 - name: Validate admin console password
   ansible.builtin.assert:
     that:
+      - keycloak_quarkus_bootstrap_admin_password is defined
+      - keycloak_quarkus_bootstrap_admin_password is not none
       - keycloak_quarkus_bootstrap_admin_password | length > 12
     quiet: true
     fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_bootstrap_admin_password to a 12+ char long string"

roles/keycloak_quarkus/templates/rhbk-sysconfig.j2

@@ -0,0 +1,15 @@
+{{ ansible_managed | comment }}
+{% if not ansible_local.keycloak.general.bootstrapped | default(false) | bool %}
+KC_BOOTSTRAP_ADMIN_USERNAME={{ keycloak_quarkus_bootstrap_admin_user }}
+KC_BOOTSTRAP_ADMIN_PASSWORD='{{ keycloak_quarkus_bootstrap_admin_password }}'
+{% else %}
+{{ keycloak.bootstrap_mnemonic }}
+{% endif %}
+PATH="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+JAVA_HOME="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}"
+JAVA_OPTS="{{ keycloak_quarkus_java_opts }}"
+
+# Custom ENV variables
+{% for env in keycloak_quarkus_additional_env_vars %}
+{{ env.key }}={{ env.value }}
+{% endfor %}

roles/keycloak_quarkus/templates/rhbk.conf.j2

@@ -0,0 +1,110 @@
+{{ ansible_managed | comment }}
+
+{% if keycloak_quarkus_db_enabled %}
+# Database
+db={{ keycloak_quarkus_db_engine }}
+db-url={{ keycloak_quarkus_db_url }}
+db-username={{ keycloak_quarkus_db_user }}
+{% if not keycloak.config_key_store_enabled %}
+db-password={{ keycloak_quarkus_db_pass }}
+{% endif %}
+{% endif %}
+
+{% if keycloak.config_key_store_enabled %}
+# Config store
+config-keystore={{ keycloak_quarkus_config_key_store_file }}
+config-keystore-password={{ keycloak_quarkus_config_key_store_password }}
+{% endif %}
+
+# Observability
+metrics-enabled={{ keycloak_quarkus_metrics_enabled | lower }}
+health-enabled={{ keycloak_quarkus_health_enabled | lower }}
+
+# HTTP
+http-enabled={{ keycloak_quarkus_http_enabled | lower }}
+{% if keycloak_quarkus_http_enabled %}
+http-port={{ keycloak_quarkus_http_port }}
+{% endif %}
+http-relative-path={{ keycloak_quarkus_http_relative_path }}
+http-host={{ keycloak_quarkus_http_host }}
+
+# Management
+http-management-port={{ keycloak_quarkus_http_management_port }}
+{% if keycloak_quarkus_http_management_relative_path is defined and keycloak_quarkus_http_management_relative_path | length > 0 %}
+http-management-relative-path={{ keycloak_quarkus_http_management_relative_path }}
+{% endif %}
+
+# HTTPS
+https-port={{ keycloak_quarkus_https_port }}
+{% if keycloak_quarkus_https_key_file_enabled %}
+https-certificate-file={{ keycloak_quarkus_cert_file}}
+https-certificate-key-file={{ keycloak_quarkus_key_file }}
+{% endif %}
+{% if keycloak_quarkus_https_key_store_enabled %}
+https-key-store-file={{ keycloak_quarkus_https_key_store_file }}
+https-key-store-password={{ keycloak_quarkus_https_key_store_password }}
+{% endif %}
+{% if keycloak_quarkus_https_trust_store_enabled %}
+https-trust-store-file={{ keycloak_quarkus_https_trust_store_file }}
+https-trust-store-password={{ keycloak_quarkus_https_trust_store_password }}
+{% endif %}
+
+# Client URL configuration
+hostname={{ keycloak_quarkus_hostname }}
+hostname-admin={{ keycloak_quarkus_hostname_admin }}
+hostname-strict={{ keycloak_quarkus_hostname_strict | lower }}
+hostname-backchannel-dynamic={{ keycloak_quarkus_hostname_backchannel_dynamic | lower }}
+
+# Cluster
+{% if keycloak_quarkus_ha_enabled %}
+cache=ispn
+{% if keycloak_quarkus_cache_managed_infinispan_config %}
+cache-config-file=cache-ispn.xml
+{% endif %}
+{% if keycloak_quarkus_cache_remote %}
+cache-remote-username={{ keycloak_quarkus_cache_remote_username }}
+cache-remote-password={{ keycloak_quarkus_cache_remote_password }}
+cache-remote-host={{ keycloak_quarkus_cache_remote_host }}
+cache-remote-port={{ keycloak_quarkus_cache_remote_port }}
+cache-remote-tls-enabled={{ keycloak_quarkus_cache_remote_tls_enabled | lower }}
+{% endif %}
+{{ keycloak_quarkus_cache_embedded_properties }}
+{% endif %}
+
+{% if keycloak_quarkus_proxy_headers | length > 0 %}
+proxy-headers={{ keycloak_quarkus_proxy_headers | lower }}
+{% elif keycloak_quarkus_proxy_mode is defined and keycloak_quarkus_proxy_mode != "none" %}
+# Deprecated Proxy configuration
+proxy={{ keycloak_quarkus_proxy_mode }}
+{% endif %}
+
+spi-sticky-session-encoder-infinispan-should-attach-route={{ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route | d(true) | lower }}
+
+# Transaction
+transaction-xa-enabled={{ keycloak_quarkus_transaction_xa_enabled | lower }}
+
+# Logging
+#log-format=%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n
+log={{ keycloak_quarkus_log }}
+log-level={{ keycloak.log.level }}
+log-file={{ keycloak.log.file }}
+log-file-format={{ keycloak.log.format }}
+
+# Vault
+{% if keycloak_quarkus_ks_vault_enabled %}
+vault=keystore
+vault-file={{ keycloak_quarkus_ks_vault_file }}
+vault-type={{ keycloak_quarkus_ks_vault_type }}
+vault-pass={{ keycloak_quarkus_ks_vault_pass }}
+{% endif %}
+
+
+# Providers
+{% for provider in keycloak_quarkus_providers %}
+{% if provider.default is defined and provider.default %}
+spi-{{ provider.spi }}-provider={{ provider.id }}
+{% endif %}
+{% if provider.properties is defined %}{% for property in provider.properties %}
+spi-{{ provider.spi }}-{{ provider.id }}-{{ property.key }}={{ property.value }}
+{% endfor %}{% endif %}
+{% endfor %}

roles/keycloak_quarkus/templates/rhbk.fact.j2

@@ -0,0 +1,2 @@
+[general]
+bootstrapped={{ bootstrapped | lower }}

roles/keycloak_quarkus/templates/rhbk.service.j2

@@ -0,0 +1,33 @@
+{{ ansible_managed | comment }}
+[Unit]
+Description=Keycloak Server
+After=network.target
+
+[Service]
+EnvironmentFile=-{{ keycloak_quarkus_sysconf_file }}
+{% if keycloak_quarkus_start_dev %}
+ExecStart={{ keycloak.home }}/bin/kc.sh start-dev
+{% else %}
+ExecStart={{ keycloak.home }}/bin/kc.sh start --optimized
+{% endif %}
+User={{ keycloak.service_user }}
+Group={{ keycloak.service_group }}
+SuccessExitStatus=0 143
+{% if keycloak_quarkus_service_restart_always %}
+Restart=always
+{% elif keycloak_quarkus_service_restart_on_failure %}
+Restart=on-failure
+{% endif %}
+RestartSec={{ keycloak_quarkus_service_restartsec }}
+{% if keycloak_quarkus_http_port | int < 1024 or keycloak_quarkus_https_port | int < 1024 %}
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+{% endif %}
+{% if keycloak_quarkus_systemd_wait_for_port %}
+ExecStartPost=/usr/bin/timeout {{ keycloak_quarkus_systemd_wait_for_timeout }} sh -c 'while ! ss -H -t -l -n sport = :{{ keycloak_quarkus_systemd_wait_for_port_number }} | grep -q "^LISTEN.*:{{ keycloak_quarkus_systemd_wait_for_port_number }}"; do sleep 1; done && /bin/sleep {{ keycloak_quarkus_systemd_wait_for_delay }}'
+{% endif %}
+{% if keycloak_quarkus_systemd_wait_for_log %}
+ExecStartPost=/usr/bin/timeout {{ keycloak_quarkus_systemd_wait_for_timeout }} sh -c 'cat {{ keycloak.log.file }} | sed "/Profile.*activated/ q" && /bin/sleep {{ keycloak_quarkus_systemd_wait_for_delay }}'
+{% endif %}
+
+[Install]
+WantedBy=multi-user.target