docs: fix typo

Replace use of serial with run_once

CONTRIBUTING.md

@@ -1,7 +1,7 @@
 
 ## Contributor's Guidelines
 
-- All YAML files named with '.yml' extension
+- All YAML files named with `.yml` extension
 - Use spaces around jinja variables. `{{ var }}` over `{{var}}`
 - Variables that are internal to the role should be lowercase and start with the role name
 - Keep roles self contained - Roles should avoid including tasks from other roles when possible
@@ -11,4 +11,4 @@
 - Indentation - Use 2 spaces for each indent
 - `vars/` vs `defaults/` - internal or interpolated variables that don't need to change or be overridden by user go in `vars/`, those that a user would likely override, go under `defaults/` directory
 - All role arguments have a specification in `meta/argument_specs.yml`
-- All playbooks/roles should be focused on compatibility with Ansible Tower
+- All playbooks/roles should be focused on compatibility with Ansible Automation Platform

docs/_gh_include/footer.inc

@@ -7,7 +7,7 @@
       </div>
       <hr/>
       <div role="contentinfo">
-        <p>&#169; Copyright 2022, Red Hat, Inc..</p>
+        <p>&#169; Copyright 2022, Red Hat, Inc.</p>
       </div>
       Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
         <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>

docs/releasing.md

@@ -0,0 +1,61 @@
+# Collection Versioning Strategy
+
+Each supported collection maintained by Ansible follows Semantic Versioning 2.0.0 (https://semver.org/), for example:
+Given a version number MAJOR.MINOR.PATCH, the following is incremented:
+
+MAJOR version: when making incompatible API changes (see Feature Release scenarios below for examples)
+
+MINOR version: when adding features or functionality in a backwards compatible manner, or updating testing matrix and/or metadata (deprecation)
+
+PATCH version: when adding backwards compatible bug fixes or security fixes (strict).
+
+Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.
+
+The first version of a generally available supported collection on Ansible Automation Hub shall be version 1.0.0. NOTE: By default, all newly created collections may begin with a smaller default version of 0.1.0, and therefore a version of 1.0.0 should be explicitly stated by the collection maintainer.
+
+## New content is added to an existing collection
+
+Assuming the current release is 1.0.0, and a new module is ready to be added to the collection, the minor version would be incremented to 1.1.0. The change in the MINOR version indicates an additive change was made while maintaining backward compatibility for existing content within the collection.
+
+
+## New feature to existing plugin or role within a collection (backwards compatible)
+
+Assuming the current release is 1.0.0, and new features for an existing module are ready for release . We would increment the MINOR version to 1.1.0. The change in the MINOR version indicates an additive change was made while maintaining backward compatibility for existing content within the collection.
+
+
+## Bug fix or security fix to existing content within a collection
+
+Assuming the current release is 1.0.0 and a bug is fixed prior to the next minor release, the PATCH version would be incremented to 1.0.1. The patch indicates only a bug was fixed within a current version. The PATCH release does not contain new content, nor was functionality removed. Bug fixes may be included in a MINOR or MAJOR feature release if the timing allows, eliminating the need for a PATCH dedicated to the fix.
+
+
+## Breaking change to any content within a collection
+
+Assuming the current release is 1.0.0, and a breaking change (API or module) is introduced for a user or developer. The MAJOR version would be incremented to 2.0.0.
+
+Examples of breaking changes within a collection may include but are not limited to:
+
+ - Argspec changes for a module that require either inventory structure or playbook changes.
+ - A change in the shape of either the inbound or returned payload of a filter plugin.
+ - Changes to a connection plugin that require additional inventory parameters or ansible.cfg entries.
+ - New functionality added to a module that changes the outcome of that module as released in previous versions.
+ - The removal of plugins from a collection.
+
+
+## Content removed from a collection
+
+Deleting a module or API is a breaking change. Please see the 'Breaking change' section for how to version this.
+
+
+## A typographical error was fixed in the documentation for a collection
+
+A correction to the README would be considered a bug fix and the PATCH incremented. See 'Bug fix' above.
+
+
+## Documentation added/removed/modified within a collection
+
+Only the PATCH version should be increased for a release that contains changes limited to revised documentation.
+
+
+## Release automation
+
+New releases are triggered by annotated git tags named after semantic versioning. The automation publishes the built artifacts to ansible-galaxy and github releases page.

docs/testing.md

@@ -0,0 +1,49 @@
+# Testing
+
+## Continuous integration
+
+The collection is tested with a [molecule](https://github.com/ansible-community/molecule) setup covering the included roles and verifying correct installation and idempotency.
+In order to run the molecule tests locally with python 3.9 available, after cloning the repository:
+
+```
+pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
+molecule test --all
+```
+
+
+## Integration testing
+
+Demo repositories which depend on the collection, and aggregate functionality with other middleware_automation collections, are automatically rebuilt
+at every collection release to ensure non-breaking changes and consistent behaviour.
+
+The repository are:
+
+ - [Flange demo](https://github.com/ansible-middleware/flange-demo)
+   A deployment of Wildfly cluster integrated with keycloak and infinispan.
+ - [CrossDC keycloak demo](https://github.com/ansible-middleware/cross-dc-rhsso-demo)
+   A clustered multi-regional installation of keycloak with infinispan remote caches.
+
+
+## Test playbooks
+
+Sample playbooks are provided in the `playbooks/` directory; to run the playbooks locally (requires a rhel system with python 3.9+, ansible, and systemd) the steps are as follows:
+
+```
+# setup environment
+pip install ansible-core
+# clone the repository
+git clone https://github.com/ansible-middleware/keycloak
+cd keycloak
+# install collection dependencies
+ansible-galaxy collection install -r requirements.yml
+# install collection python deps
+pip install -r requirements.txt
+# create inventory for localhost
+cat << EOF > inventory
+[keycloak]
+localhost ansible_connection=local
+EOF
+# run the playbook
+ansible-playbook -i inventory playbooks/keycloak.yml
+```
+

galaxy.yml

@@ -1,7 +1,7 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "1.0.0"
+version: "1.0.1"
 readme: README.md
 authors:
   - Romain Pelisse <rpelisse@redhat.com>

roles/keycloak/README.md

@@ -31,6 +31,17 @@ Versions
 |`7.5.0 GA`      |September 20, 2021 |`15.0.2`          | `7.4.0`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|
 
 
+Patching
+--------
+
+When variable `keycloak_rhsso_apply_patches` is `True` (default: `True`), the role will automatically apply the latest cumulative patch for the selected base version.
+
+| RH-SSO VERSION | Release Date      | RH-SSO LATEST CP | Notes           |
+|:---------------|:------------------|:-----------------|:----------------|
+|`7.5.0 GA`      |January 20, 2022   |`7.5.1 GA`        |[Release Notes](https://access.redhat.com/articles/6646321)|
+
+
+
 Role Defaults
 -------------
 
@@ -62,15 +73,17 @@ Role Defaults
 
 | Variable | Description | Default |
 |:---------|:------------|:---------|
-|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation  | `False` |
+|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation | `False` |
 |`keycloak_offline_install` | perform an offline install | `False`|
 |`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`| 
 |`keycloak_rhsso_download_url`| Download URL for RHSSO | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=<productID>`|
 |`keycloak_version`| keycloak.org package version | `15.0.2` |
 |`keycloak_rhsso_version`| RHSSO version | `7.5.0` |
+|`keycloak_rhsso_apply_patches`| Install RHSSO more recent cumulative patch | `True` |
 |`keycloak_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
 |`keycloak_rhn_url` | Base download URI for customer portal | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=` |
+|`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
 
 
 * Miscellaneous configuration
@@ -91,7 +104,7 @@ Role Defaults
 |`keycloak_force_install` | Remove pre-existing versions of service | `False` |
 |`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
 |`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
-|`rhsso_rhn_id` | Customer Portal product ID for Red Hat SSO | `{{ rhsso_rhn_ids[keycloak_rhsso_version] }}` |
+|`rhsso_rhn_id` | Customer Portal product ID for Red Hat SSO | `{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}` |
 
 
 Role Variables

roles/keycloak/defaults/main.yml

@@ -8,11 +8,12 @@ keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
 
 ### Configuration specific to Red Hat Single Sing-On
 keycloak_rhsso_version: 7.5.0
-rhsso_rhn_id: "{{ rhsso_rhn_ids[keycloak_rhsso_version] }}"
+rhsso_rhn_id: "{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}"
 keycloak_rhsso_archive: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
 keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
 keycloak_rhn_url: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId='
 keycloak_rhsso_download_url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}"
+keycloak_rhsso_apply_patches: True
 
 ### keycloak/rhsso choice: by default install rhsso if rhn credentials are defined
 keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}"
@@ -29,6 +30,7 @@ keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/co
 keycloak_service_user: keycloak
 keycloak_service_group: keycloak
 keycloak_service_pidfile: "/run/keycloak.pid"
+keycloak_configure_firewalld: False
 
 ### Common configuration settings
 keycloak_bind_address: 0.0.0.0

roles/keycloak/meta/argument_specs.yml

@@ -11,6 +11,11 @@ argument_specs:
                 default: "keycloak-{{ keycloak_version }}.zip"
                 description: "keycloak install archive filename"
                 type: "str"
+            keycloak_configure_firewalld:
+                # line 33 of keycloak/defaults/main.yml
+                default: false
+                description: "Ensure firewalld is running and configure keycloak ports"
+                type: "bool"
             keycloak_download_url:
                 # line 5 of keycloak/defaults/main.yml
                 default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
@@ -33,7 +38,7 @@ argument_specs:
                 type: "str"
             rhsso_rhn_id:
                 # line 11 of keycloak/defaults/main.yml
-                default: "{{ rhsso_rhn_ids[keycloak_rhsso_version] }}"
+                default: "{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}"
                 description: "Customer Portal product ID for Red Hat SSO"
                 type: "str"
             keycloak_rhsso_archive:
@@ -41,6 +46,11 @@ argument_specs:
                 default: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
                 description: "ed Hat SSO install archive filename"
                 type: "str"
+            keycloak_rhsso_apply_patches:
+                # line 16 of keycloak/defaults/main.yml
+                default: true
+                description: "Install RHSSO more recent cumulative patch"
+                type: "bool"
             keycloak_rhsso_installdir:
                 # line 13 of keycloak/defaults/main.yml
                 default: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"

roles/keycloak/tasks/main.yml

@@ -6,11 +6,28 @@
   tags:
     - prereqs
 
+- name: Include firewall config tasks
+  ansible.builtin.include_tasks: firewalld.yml
+  when: keycloak_configure_firewalld
+  tags:
+    - firewall
+
 - name: Include install tasks
-  ansible.builtin.include_tasks: tasks/install.yml
+  ansible.builtin.include_tasks: install.yml
+  tags:
+    - install
 
 - name: Include systemd tasks
-  ansible.builtin.include_tasks: tasks/systemd.yml
+  ansible.builtin.include_tasks: systemd.yml
+  tags:
+    - systemd
+
+- name: Include patch install tasks
+  ansible.builtin.include_tasks: rhsso_patch.yml
+  when: keycloak_rhsso_apply_patches and keycloak_rhsso_enable
+  tags:
+    - install
+    - patch
 
 - name: Link default logs directory
   ansible.builtin.file:

roles/keycloak/tasks/rhsso_cli.yml

@@ -0,0 +1,13 @@
+---
+- name: Ensure required params for CLI have been provided
+  ansible.builtin.assert:
+    that:
+      - query is defined
+    fail_msg: "Missing required parameters to execute CLI."
+    quiet: true
+
+- name: "Execute CLI query: {{ query }}"
+  ansible.builtin.command: >
+    {{ keycloak.cli_path }} --connect --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
+  changed_when: false
+  register: cli_result

roles/keycloak/tasks/rhsso_patch.yml

@@ -0,0 +1,87 @@
+---
+## check remote patch archive
+- name: Set download patch archive path
+  ansible.builtin.set_fact:
+    patch_archive: "{{ keycloak_dest }}/{{ keycloak.patch_bundle }}"
+
+- name: Check download patch archive path
+  ansible.builtin.stat:
+    path: "{{ patch_archive }}"
+  register: patch_archive_path
+
+- name: Perform download from RHN
+  middleware_automation.redhat_csp_download.redhat_csp_download:
+    url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.id }}"
+    dest: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
+    username: "{{ rhn_username }}"
+    password: "{{ rhn_password }}"
+  no_log: "{{ omit_rhn_output | default(true) }}"
+  delegate_to: localhost
+  when:
+    - patch_archive_path is defined
+    - patch_archive_path.stat is defined
+    - not patch_archive_path.stat.exists
+    - keycloak_rhsso_enable
+    - not keycloak_offline_install
+
+## copy and unpack
+- name: Copy patch archive to target nodes
+  ansible.builtin.copy:
+    src: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
+    dest: "{{ patch_archive }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0750
+  register: new_version_downloaded
+  when:
+    - not patch_archive_path.stat.exists
+    - local_archive_path.stat is defined
+    - local_archive_path.stat.exists
+  become: yes
+
+- name: "Check installed patches"
+  ansible.builtin.include_tasks: rhsso_cli.yml
+  vars:
+    query: "patch info"
+
+- name: "Perform patching"
+  when: 
+    - cli_result is defined
+    - cli_result.stdout is defined
+    - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
+  block:
+    - name: "Apply patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} to server"
+      ansible.builtin.include_tasks: rhsso_cli.yml
+      vars:
+        query: "patch apply {{ patch_archive }}"
+
+    - name: "Restart server to ensure patch content is running"
+      ansible.builtin.include_tasks: rhsso_cli.yml
+      vars:
+        query: "shutdown --restart"
+      when:
+        - cli_result.rc == 0
+
+    - name: "Wait until Keycloak becomes active {{ keycloak.health_url }}"
+      ansible.builtin.uri:
+        url: "{{ keycloak.health_url }}"
+      register: keycloak_status
+      until: keycloak_status.status == 200
+      retries: 25
+      delay: 10
+
+    - name: "Query installed patch after restart"
+      ansible.builtin.include_tasks: rhsso_cli.yml
+      vars:
+        query: "patch info"
+  
+    - name: "Verify installed patch version"
+      ansible.builtin.assert:
+        that:
+          - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
+        fail_msg: "Patch installation failed"
+        success_msg: "Patch installation successful"
+
+- name: "Skipping patch"
+  debug:
+    msg: "Latest cumulative patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} already installed, skipping patch installation."

roles/keycloak/tasks/start_keycloak.yml

@@ -0,0 +1,15 @@
+---
+- name: start keycloak
+  ansible.builtin.systemd:
+    name: keycloak
+    enabled: yes
+    state: started
+  become: yes
+
+- name: "Wait until Keycloak becomes active {{ keycloak.health_url }}"
+  ansible.builtin.uri:
+    url: "{{ keycloak.health_url }}"
+  register: keycloak_status
+  until: keycloak_status.status == 200
+  retries: 25
+  delay: 10

roles/keycloak/tasks/stop_keycloak.yml

@@ -1,5 +1,5 @@
 ---
-- name: "Stop SSO service"
+- name: Stop keycloak
   ansible.builtin.systemd:
     name: keycloak
     enabled: yes

roles/keycloak/tasks/systemd.yml

@@ -1,4 +1,4 @@
-- name: configure keycloak service script wrapper
+- name: Configure keycloak service script wrapper
   become: yes
   ansible.builtin.template:
     src: keycloak-service.sh.j2
@@ -9,7 +9,7 @@
   notify:
     - restart keycloak
 
-- name: configure sysconfig file for keycloak service
+- name: Configure sysconfig file for keycloak service
   become: yes
   ansible.builtin.template:
     src: keycloak-sysconfig.j2
@@ -20,7 +20,7 @@
   notify:
     - restart keycloak
 
-- name: configure systemd unit file for keycloak service
+- name: Configure systemd unit file for keycloak service
   ansible.builtin.template:
     src: keycloak.service.j2
     dest: /etc/systemd/system/keycloak.service
@@ -32,18 +32,19 @@
   notify:
     - restart keycloak
 
-- name: reload systemd
+- name: Reload systemd
   become: yes
   ansible.builtin.systemd:
     daemon_reload: yes
   when: systemdunit.changed
 
-- name: start keycloak
-  ansible.builtin.systemd:
-    name: keycloak
-    enabled: yes
-    state: started
-  become: yes
+- name: Start and wait for keycloak service (first node db)
+  ansible.builtin.include_tasks: start_keycloak.yml
+  run_once: yes
+  when: keycloak_db_enabled
+
+- name: Start and wait for keycloak service (remaining nodes)
+  ansible.builtin.include_tasks: start_keycloak.yml
 
 - name: Check service status
   ansible.builtin.command: "systemctl status keycloak"
@@ -58,11 +59,3 @@
 
 - name: Flush handlers
   ansible.builtin.meta: flush_handlers
-
-- name: "Wait until Keycloak becomes active {{ keycloak.health_url }}"
-  ansible.builtin.uri:
-    url: "{{ keycloak.health_url }}"
-  register: keycloak_status
-  until: keycloak_status.status == 200
-  retries: 25
-  delay: 10

roles/keycloak/templates/standalone-infinispan.xml.j2

@@ -633,7 +633,7 @@
         <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
 {% if keycloak_modcluster.enabled %}    
         <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
-            <proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
+            <proxy name="default" advertise="false" listener="ajp" proxies="proxy1">
                 <dynamic-load-provider>
                     <load-metric type="cpu"/>
                 </dynamic-load-provider>
@@ -726,7 +726,7 @@
         <interface name="management">
             <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
         </interface>
-	    <interface name="jgroups">
+        <interface name="jgroups">
 {% if ansible_default_ipv4 is defined %}
             <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
 {% else %}
@@ -744,7 +744,6 @@
         <socket-binding name="management-http" interface="management" port="{{ keycloak_management_http_port }}"/>
         <socket-binding name="management-https" interface="management" port="{{ keycloak_management_https_port }}"/>
         <socket-binding name="jgroups-tcp" interface="jgroups" port="{{ keycloak_jgroups_port }}"/>
-        <socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
         <socket-binding name="txn-recovery-environment" port="4712"/>
         <socket-binding name="txn-status-manager" port="4713"/>
         <outbound-socket-binding name="mail-smtp">

roles/keycloak/templates/standalone.xml.j2

@@ -546,7 +546,7 @@
         <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
 {% if keycloak_modcluster.enabled %}        
         <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
-            <proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
+            <proxy name="default" advertise="false" listener="ajp" proxies="proxy1">
                 <dynamic-load-provider>
                     <load-metric type="cpu"/>
                 </dynamic-load-provider>
@@ -644,7 +644,6 @@
         <socket-binding name="https" port="{{ keycloak_https_port }}"/>
         <socket-binding name="management-http" interface="management" port="{{ keycloak_management_http_port }}"/>
         <socket-binding name="management-https" interface="management" port="{{ keycloak_management_https_port }}"/>
-        <socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
         <socket-binding name="txn-recovery-environment" port="4712"/>
         <socket-binding name="txn-status-manager" port="4713"/>
         <outbound-socket-binding name="mail-smtp">

roles/keycloak/vars/main.yml

@@ -5,8 +5,11 @@ keycloak_admin_password:
 
 # internal variables below
 rhsso_rhn_ids:
-  '7.5.0': '101971'
-  '7.5.1': '103836'
+  '7.5.0':
+    id: '101971'
+    latest_cp:
+      id: '103836'
+      v: '7.5.1'
 
 # locations
 keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
@@ -17,8 +20,10 @@ keycloak:
   home: "{{ keycloak_jboss_home }}"
   config_dir: "{{ keycloak_config_dir }}"
   bundle: "{{ keycloak_rhsso_archive if keycloak_rhsso_enable else keycloak_archive }}"
+  patch_bundle: "rh-sso-{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }}-patch.zip"
   service_name: "{{ 'rhsso' if keycloak_rhsso_enable else 'keycloak' }}"
   health_url: "{{ keycloak_management_url }}/health"
+  cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh"
 
 # database
 keycloak_jdbc: