docs: fix unbalanced quotes in release workflow

docs: add changelogs

.github/workflows/ci.yml

@@ -40,7 +40,7 @@ jobs:
           mkdir -p /home/runner/.ansible/collections/ansible_collections
 
       - name: Run sanity tests
-        run: ansible-test sanity --docker -v --color --python ${{ matrix.python_version }}
+        run: ansible-test sanity --docker -v --color --python ${{ matrix.python_version }} --exclude changelogs/fragments/.gitignore
         working-directory: ./ansible_collections/middleware_automation/keycloak
 
       - name: Run molecule test

.github/workflows/docs.yml

@@ -40,6 +40,7 @@ jobs:
           python -m pip install --upgrade pip
           pip install -r ansible_collections/middleware_automation/keycloak/docs/requirements.txt
           pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
+          sudo apt install -y sed hub
 
       - name: Create default collection path
         run: |
@@ -50,9 +51,42 @@ jobs:
           mkdir -p ./docs/plugins ./docs/roles
           cat ./docs/roles.rst.template > ./docs/roles/index.rst
           antsibull-docs collection --use-current --squash-hierarchy --dest-dir docs/plugins  middleware_automation.keycloak
-          for role_readme in roles/*/README.md; do ln -f -s ../../$role_readme ./docs/roles/$(basename $(dirname $role_readme)).md; echo " * :doc:\`$(basename $(dirname $role_readme))\`" >> ./docs/roles/index.rst; done
+          for role_readme in roles/*/README.md; do
+            ln -f -s ../../$role_readme ./docs/roles/$(basename $(dirname $role_readme)).md
+            echo "    $(basename $(dirname $role_readme))" >> ./docs/roles/index.rst
+          done
         working-directory: ansible_collections/middleware_automation/keycloak
 
+      - name: Scan PR merges from latest tag
+        run: |
+          TYPES=("minor_changes" "major_changes" "bugfixes" "deprecated_features" "removed_features" "breaking_changes")
+          TAG=$(git describe --abbrev=0 --tags)
+          if [[ "${{github.ref}}" == "refs/heads/main" ]]; then
+            PRS=($(comm -12 <(git log --oneline ${TAG}.. --format="tformat:%H" | sort ) <(hub pr list -s all -f '%sm%n' --color=never | sort )))
+          else
+            PREV_TAG=$(git tag | grep -P "^[0-9]+[.][0-9]+[.][0-9]+$" | sort --version-sort -r | head -n2 | grep -v "${TAG}")
+            PRS=($(comm -12 <(git log --oneline ${PREV_TAG}..${TAG} --format="tformat:%H" | sort ) <(hub pr list -s all -f '%sm%n' --color=never | sort )))
+          fi
+          if [[ ${#PRS[@]} > 0 ]]; then
+            IFS=$'\n' FRAGMENTS=($(hub pr list -s all -f '%sm~%I~%L~%t~%n' --color=never | grep -P "$(echo "^(${PRS[@]})" | tr ' ' '|')"))
+            for frag in "${FRAGMENTS[@]}"; do
+              PR=$(echo $frag|cut -d~ -f2)
+              type="$(echo $frag|cut -d~ -f3)"
+              msg="$(echo $frag|cut -d~ -f4|sed 's/`/``/g')"
+              if [[ "${TYPES[*]}" =~ "${type}" ]]; then
+                echo -e "$type:\n  - >\n    $msg \`#${PR} <https://github.com/ansible-middleware/keycloak/pull/${PR}>\`_" \
+                  > changelogs/fragments/${PR}.yaml
+              fi
+            done
+            antsibull-changelog lint -vvv
+            if [[ "${{github.ref}}" == "refs/heads/main" ]]; then
+              antsibull-changelog release --version "$(grep version galaxy.yml | awk -F'"' '{ print $2 }')-devel" -v
+            fi
+          fi
+        working-directory: ansible_collections/middleware_automation/keycloak
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Run sphinx
         run: |
           sphinx-build -M html . _build -v
@@ -62,6 +96,7 @@ jobs:
         run: |
           git config user.name github-actions
           git config user.email github-actions@github.com
+          git stash
           git checkout gh-pages
           rm -rf $(basename ${GITHUB_REF})
           mv docs/_build/html $(basename ${GITHUB_REF})

.github/workflows/release.yml

@@ -1,47 +1,112 @@
 ---
 name: Release collection
 on:
-  push:
-    tags:
-      - "[0-9]+.[0-9]+.[0-9]+"
+  workflow_dispatch:
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    if: github.repository == 'ansible-middleware/keycloak'
+    permissions:
+      actions: write
+      checks: write
+      contents: write
+      deployments: write
+      packages: write
+      pages: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
       - name: Set up Python
         uses: actions/setup-python@v1
         with:
           python-version: "3.x"
-      - name: Get Tag Version
+
+      - name: Get current version
         id: get_version
-        run: echo ::set-output name=TAG_VERSION::${GITHUB_REF#refs/tags/}
+        run: echo "::set-output name=TAG_VERSION::$(grep version galaxy.yml | awk -F'"' '{ print $2 }')"
+
+      - name: Check if tag exists
+        id: check_tag
+        run: echo "::set-output name=TAG_EXISTS::$(git tag | grep ${{ steps.get_version.outputs.TAG_VERSION }})"
+
+      - name: Fail if tag exists
+        if: ${{ steps.get_version.outputs.TAG_VERSION == steps.check_tag.outputs.TAG_EXISTS }}
+        uses: actions/github-script@v3
+        with:
+          script: |
+              core.setFailed('Release tag already exists')
+
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install ansible-core
+          pip install ansible-core antsibull
+          sudo apt install -y sed hub
+
       - name: Build collection
         run: |
           ansible-galaxy collection build .
-      - name: Publish Release
-        uses: softprops/action-gh-release@v1
+
+      - name: Scan PR merges from latest tag
+        run: |
+          TYPES=("minor_changes" "major_changes" "bugfixes" "deprecated_features" "removed_features" "breaking_changes")
+          TAG=$(git describe --abbrev=0 --tags)
+          PRS=($(comm -12 <(git log --oneline ${TAG}.. --format="tformat:%H" | sort ) <(hub pr list -s all -f '%sm%n' --color=never | sort )))
+          IFS=$'\n' FRAGMENTS=($(hub pr list -s all -f '%sm~%I~%L~%t~%n' --color=never| grep -P "$(echo "^(${PRS[@]})" | tr ' ' '|')"))
+          for frag in "${FRAGMENTS[@]}"; do
+            PR=$(echo $frag|cut -d~ -f2)
+            type="$(echo $frag|cut -d~ -f3)"
+            msg="$(echo $frag|cut -d~ -f4|sed 's/`/``/g')"
+            if [[ "${TYPES[*]}" =~ "${type}" ]]; then
+              echo -e "$type:\n  - >\n    $msg \`#${PR} <https://github.com/ansible-middleware/keycloak/pull/${PR}>\`_" \
+                > changelogs/fragments/${PR}.yaml
+            fi
+          done
+          antsibull-changelog lint -vvv
+          antsibull-changelog generate
+          antsibull-changelog release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          files: "*.tar.gz"
-          body: "Release v${{ steps.get_version.outputs.TAG_VERSION }}"
+
+      - name: Commit changelogs
+        run: |
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+          git diff --minimal --output-indicator-new=' ' -U0 --no-indent-heuristic CHANGELOG.rst | grep "^ "| sed -e 's/`\(#[0-9]\+\) <.*_/\1/g' > gh-release.md
+          git add CHANGELOG.rst changelogs/changelog.yaml
+          git commit -m "Update changelog for release ${{ steps.get_version.outputs.TAG_VERSION }}" || true
+          git push origin
+
       - name: Publish collection
         env:
           ANSIBLE_GALAXY_API_KEY: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
         run: |
           ansible-galaxy collection publish *.tar.gz --api-key $ANSIBLE_GALAXY_API_KEY
+
+      - name: Create release tag
+        run: |
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+          git tag -a ${{ steps.get_version.outputs.TAG_VERSION }} -m "Release v${{ steps.get_version.outputs.TAG_VERSION }}" || true
+          git push origin --tags
+
+      - name: Publish Release
+        uses: softprops/action-gh-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ steps.get_version.outputs.TAG_VERSION }}
+          files: "*.tar.gz"
+          body_path: gh-release.md
+
   dispatch:
     needs: release
     strategy:
       matrix:
-        repo: ['ansible-middleware/cross-dc-rhsso-demo', 'ansible-middleware/flange-demo']
+        repo: ['ansible-middleware/cross-dc-rhsso-demo', 'ansible-middleware/flange-demo', 'ansible-middleware/ansible-middleware-ee']
     runs-on: ubuntu-latest
     steps:
       - name: Repository Dispatch
@@ -49,5 +114,5 @@ jobs:
         with:
           token: ${{ secrets.TRIGGERING_PAT }}
           repository: ${{ matrix.repo }}
-          event-type: "Dependency released - Keycloak"
+          event-type: "Dependency released - Keycloak v${{ steps.get_version.outputs.TAG_VERSION }}"
           client-payload: '{ "github": ${{toJson(github)}} }'

.gitignore

@@ -8,3 +8,4 @@ docs/_build/
 .pytest_cache/
 .mypy_cache/
 *.retry
+changelogs/.plugin-cache.yaml

CHANGELOG.rst

@@ -0,0 +1,49 @@
+============================================
+middleware_automation.keycloak Release Notes
+============================================
+
+.. contents:: Topics
+
+This changelog describes changes after version 0.2.6.
+
+v1.0.2
+======
+
+Minor Changes
+-------------
+
+- Make ``keycloak_admin_password`` a default with assert (was: role variable) `#26 <https://github.com/ansible-middleware/keycloak/pull/26>`_
+- Simplify dependency install logic and reduce play execution time `#19 <https://github.com/ansible-middleware/keycloak/pull/19>`_
+
+Bugfixes
+--------
+
+- Set ``keycloak_frontend_url`` default according to other defaults `#25 <https://github.com/ansible-middleware/keycloak/pull/25>`_
+
+v1.0.1
+======
+
+Release Summary
+---------------
+
+Minor enhancements, bug and documentation fixes.
+
+
+Major Changes
+-------------
+
+- Apply latest cumulative patch of RH-SSO automatically when new parameter ``keycloak_rhsso_apply_patches`` is ``true`` `#18 <https://github.com/ansible-middleware/keycloak/pull/18>`_
+
+Minor Changes
+-------------
+
+- Clustered installs now perform database initialization on first node to avoid locking issues `#17 <https://github.com/ansible-middleware/keycloak/pull/17>`_
+
+v1.0.0
+======
+
+Release Summary
+---------------
+
+This is the first stable release of the ``middleware_automation.keycloak`` collection.
+

README.md

@@ -50,12 +50,12 @@ A requirement file is provided to install:
 
 ### Install Playbook
 
-* [`playbooks/keycloak.yml`](playbooks/keycloak.yml) installs the upstream(Keycloak) based on the defined variables.
-* [`playbooks/rhsso.yml`](playbooks/rhsso.yml) installs Red Hat Single Sign-On(RHSSO) based on defined variables.
+* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs the upstream(Keycloak) based on the defined variables.
+* [`playbooks/rhsso.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/rhsso.yml) installs Red Hat Single Sign-On(RHSSO) based on defined variables.
 
 Both playbooks include the `keycloak` role, with different settings, as described in the following sections.
 
-For full service configuration details, refer to the [keycloak role README](roles/keycloak/README.md).
+For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md).
 
 
 ### Choosing between upstream project (Keycloak) and Red Hat Single Sign-On (RHSSO)
@@ -134,7 +134,7 @@ ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e
 
 ### Config Playbook
 
-[`playbooks/keycloak_realm.yml`](playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
+[`playbooks/keycloak_realm.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
 
 
 ### Example configuration command
@@ -154,7 +154,7 @@ ansible-playbook -i <ansible_hosts> playbooks/keycloak_realm.yml -e keycloak_adm
   localhost ansible_connection=local
   ```
 
-For full configuration details, refer to the [keycloak_realm role README](roles/keycloak_realm/README.md).
+For full configuration details, refer to the [keycloak_realm role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md).
 
 ## Support
 

changelogs/changelog.yaml

@@ -0,0 +1,40 @@
+ancestor: 0.2.6
+releases:
+  1.0.0:
+    changes:
+      release_summary: 'This is the first stable release of the ``middleware_automation.keycloak``
+        collection.
+
+        '
+    release_date: '2022-03-04'
+  1.0.1:
+    changes:
+      major_changes:
+      - Apply latest cumulative patch of RH-SSO automatically when new parameter ``keycloak_rhsso_apply_patches``
+        is ``true`` `#18 <https://github.com/ansible-middleware/keycloak/pull/18>`_
+      minor_changes:
+      - Clustered installs now perform database initialization on first node to avoid
+        locking issues `#17 <https://github.com/ansible-middleware/keycloak/pull/17>`_
+      release_summary: 'Minor enhancements, bug and documentation fixes.
+
+        '
+    release_date: '2022-03-11'
+  1.0.2:
+    changes:
+      bugfixes:
+      - 'Set ``keycloak_frontend_url`` default according to other defaults `#25 <https://github.com/ansible-middleware/keycloak/pull/25>`_
+
+        '
+      minor_changes:
+      - 'Make ``keycloak_admin_password`` a default with assert (was: role variable)
+        `#26 <https://github.com/ansible-middleware/keycloak/pull/26>`_
+
+        '
+      - 'Simplify dependency install logic and reduce play execution time `#19 <https://github.com/ansible-middleware/keycloak/pull/19>`_
+
+        '
+    fragments:
+    - 19.yaml
+    - 25.yaml
+    - 26.yaml
+    release_date: '2022-04-01'

changelogs/config.yaml

@@ -0,0 +1,32 @@
+---
+changelog_filename_template: ../CHANGELOG.rst
+changelog_filename_version_depth: 0
+changes_file: changelog.yaml
+changes_format: combined
+ignore_other_fragment_extensions: true
+keep_fragments: false
+mention_ancestor: true
+new_plugins_after_name: removed_features
+notesdir: fragments
+prelude_section_name: release_summary
+prelude_section_title: Release Summary
+sections:
+- - major_changes
+  - Major Changes
+- - minor_changes
+  - Minor Changes
+- - breaking_changes
+  - Breaking Changes / Porting Guide
+- - deprecated_features
+  - Deprecated Features
+- - removed_features
+  - Removed Features
+- - security_fixes
+  - Security Fixes
+- - bugfixes
+  - Bugfixes
+- - known_issues
+  - Known Issues
+title: middleware_automation.keycloak
+trivial_section_name: trivial
+use_fqcn: true

changelogs/fragments/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

docs/CHANGELOG.rst

@@ -0,0 +1 @@
+../CHANGELOG.rst

docs/index.rst

@@ -15,8 +15,8 @@ Welcome to Keycloak Collection documentation
    :maxdepth: 2
    :caption: Developer documentation
 
-   developing
    testing
+   developing
    releasing
 
 .. toctree::

docs/roles.rst.template

@@ -1,3 +1,4 @@
 Role Index
 ==========
 
+.. toctree::

galaxy.yml

@@ -1,7 +1,7 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "1.0.1"
+version: "1.0.2"
 readme: README.md
 authors:
   - Romain Pelisse <rpelisse@redhat.com>
@@ -22,12 +22,13 @@ tags:
   - authentication
 dependencies:
   "middleware_automation.redhat_csp_download": ">=1.2.1"
-  "middleware_automation.wildfly": ">=0.0.6"
+  "middleware_automation.wildfly": ">=1.0.0"
 repository: https://github.com/ansible-middleware/keycloak
 documentation: https://ansible-middleware.github.io/keycloak
 homepage: https://github.com/ansible-middleware/keycloak
 issues: https://github.com/ansible-middleware/keycloak/issues
 build_ignore:
   - molecule
-  - docs
   - .github
+  - '*.tar.gz'
+  - '*.zip'

molecule/default/converge.yml

@@ -2,17 +2,15 @@
 - name: Converge
   hosts: all
   vars: 
+    keycloak_admin_password: "remembertochangeme"
   tasks:
     - name: Include keycloak role
       include_role:
         name: ../../roles/keycloak
-      vars:
-        keycloak_admin_password: "changeme"
     - name: Keycloak Realm Role
       include_role:
         name: ../../roles/keycloak_realm
       vars:
-        keycloak_admin_password: "changeme"
         keycloak_client_default_roles:
           - TestRoleAdmin
           - TestRoleUser

molecule/default/verify.yml

@@ -8,3 +8,4 @@
       ansible.builtin.assert:
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"

playbooks/keycloak.yml

@@ -1,11 +1,9 @@
 ---
 - name: Playbook for Keycloak Hosts
   hosts: keycloak
+  vars:
+    keycloak_admin_password: "remembertochangeme"
   collections:
     - middleware_automation.keycloak
-  tasks:
-    - name: Include keycloak role
-      ansible.builtin.include_role:
-        name: middleware_automation.keycloak.keycloak
-      vars:
-        keycloak_admin_password: "changeme"
+  roles:
+    - middleware_automation.keycloak.keycloak

playbooks/keycloak_realm.yml

@@ -6,7 +6,7 @@
       ansible.builtin.include_role:
         name: middleware_automation.keycloak.keycloak_realm
       vars:
-        keycloak_admin_password: "changeme"
+        keycloak_admin_password: "remembertochangeme"
         keycloak_realm: TestRealm
         keycloak_user_federation:
           - realm: TestRealm

playbooks/rhsso.yml

@@ -1,14 +1,12 @@
 ---
 - name: Playbook for Keycloak Hosts
   hosts: keycloak
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_rhsso_enable: True
   collections:
     - middleware_automation.redhat_csp_download
+    - middleware_automation.keycloak
   roles:
     - middleware_automation.redhat_csp_download.redhat_csp_download
-  tasks:
-    - name: Keycloak Role
-      ansible.builtin.include_role:
-        name: middleware_automation.keycloak.keycloak
-      vars:
-        keycloak_admin_password: "changeme"
-        keycloak_rhsso_enable: True
+    - middleware_automation.keycloak.keycloak

roles/keycloak/README.md

@@ -1,7 +1,7 @@
 keycloak
 ========
 
-Install [keycloak](https://keycloak.org/) or [Red Hat Single Sing-On](https://access.redhat.com/products/red-hat-single-sign-on) server configurations.
+Install [keycloak](https://keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) server configurations.
 
 
 Requirements
@@ -34,7 +34,7 @@ Versions
 Patching
 --------
 
-When variable `keycloak_rhsso_apply_patches` is `True` (default: `True`), the role will automatically apply the latest cumulative patch for the selected base version.
+When variable `keycloak_rhsso_apply_patches` is `True` (default: `False`), the role will automatically apply the latest cumulative patch for the selected base version.
 
 | RH-SSO VERSION | Release Date      | RH-SSO LATEST CP | Notes           |
 |:---------------|:------------------|:-----------------|:----------------|
@@ -66,7 +66,7 @@ Role Defaults
 |`keycloak_service_user`| posix account username | `keycloak` |
 |`keycloak_service_group`| posix account group | `keycloak` |
 |`keycloak_service_pidfile`| pid file path for service | `/run/keycloak.pid` |
-|`jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-devel` |
+|`keycloak_jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-devel` |
 
 
 * Install options
@@ -79,7 +79,7 @@ Role Defaults
 |`keycloak_rhsso_download_url`| Download URL for RHSSO | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=<productID>`|
 |`keycloak_version`| keycloak.org package version | `15.0.2` |
 |`keycloak_rhsso_version`| RHSSO version | `7.5.0` |
-|`keycloak_rhsso_apply_patches`| Install RHSSO more recent cumulative patch | `True` |
+|`keycloak_rhsso_apply_patches`| Install RHSSO more recent cumulative patch | `False` |
 |`keycloak_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
 |`keycloak_rhn_url` | Base download URI for customer portal | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=` |
@@ -114,7 +114,8 @@ The following are a set of _required_ variables for the role:
 
 | Variable | Description |
 |:---------|:------------|
-|`keycloak_admin_password`| Password for the administration console user account |
+|`keycloak_admin_password`| Password for the administration console user account (minimum 12 characters) |
+|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth` |
 
 
 The following variables are _required_ only when `keycloak_ha_enabled` is True:
@@ -122,8 +123,7 @@ The following variables are _required_ only when `keycloak_ha_enabled` is True:
 | Variable | Description | Default |
 |:---------|:------------|:---------|
 |`keycloak_modcluster_url` | URL for the modcluster reverse proxy | `localhost` |
-|`keycloak_frontend_url` | frontend URL for keycloak endpoints when a reverse proxy is used | `http://localhost` |
-|`keycloak_jdbc_engine` | backend database flavour when db is enabled: [ postgres, mariadb ] | `postgres` |
+|`keycloak_jdbc_engine` | backend database engine when db is enabled: [ postgres, mariadb ] | `postgres` |
 |`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
 |`infinispan_user` | username for connecting to infinispan | `supervisor` |
 |`infinispan_pass` | password for connecting to infinispan | `supervisor` |
@@ -154,14 +154,12 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
 ```yaml
 ---
 - hosts: ...
+      vars:
+        keycloak_admin_password: "remembertochangeme"
       collections:
         - middleware_automation.keycloak
-      tasks:
-        - name: Include keycloak role
-          include_role:
-            name: keycloak
-          vars:
-            keycloak_admin_password: "changeme"
+      roles:
+        - middleware_automation.keycloak.keycloak
 ```
 
 * The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN:
@@ -179,7 +177,7 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
       include_role:
         name: keycloak
       vars:
-        keycloak_admin_password: "changeme"
+        keycloak_admin_password: "remembertochangeme"
         keycloak_rhsso_enable: True
         rhn_username: '<customer portal username>'
         rhn_password: '<customer portal password>'
@@ -198,7 +196,7 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
           include_role:
             name: keycloak
           vars:
-            keycloak_admin_password: "changeme"
+            keycloak_admin_password: "remembertochangeme"
             keycloak_offline_install: True
             # This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip
 ```
@@ -216,14 +214,14 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
       include_role:
         name: keycloak
       vars:
-        keycloak_admin_password: "changeme"
+        keycloak_admin_password: "remembertochangeme"
         keycloak_rhsso_enable: True
         keycloak_rhsso_download_url: "<REPLACE with download url>"
         # This should be the full of remote source rhsso zip file and can contain basic authentication credentials
 ```
 
 
-* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from the controller node:
+* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On offline from the controller node, and apply latest cumulative patch:
 
 ```yaml
 ---
@@ -235,9 +233,10 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
       include_role:
         name: keycloak
       vars:
-        keycloak_admin_password: "changeme"
+        keycloak_admin_password: "remembertochangeme"
         keycloak_rhsso_enable: True
         keycloak_offline_install: True
+        keycloak_rhsso_apply_patches: True
         # This should be the filename of rhsso zip file on Ansible node: rh-sso-7.5-server-dist.zip
 ```
 

roles/keycloak/defaults/main.yml

@@ -6,14 +6,14 @@ keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{
 keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
 keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
 
-### Configuration specific to Red Hat Single Sing-On
+### Configuration specific to Red Hat Single Sign-On
 keycloak_rhsso_version: 7.5.0
 rhsso_rhn_id: "{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}"
 keycloak_rhsso_archive: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
 keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
 keycloak_rhn_url: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId='
 keycloak_rhsso_download_url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}"
-keycloak_rhsso_apply_patches: True
+keycloak_rhsso_apply_patches: False
 
 ### keycloak/rhsso choice: by default install rhsso if rhn credentials are defined
 keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}"
@@ -21,7 +21,7 @@ keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined and rhn_username is d
 keycloak_offline_install: False
 
 ### Install location and service settings
-jvm_package: java-1.8.0-openjdk-devel
+keycloak_jvm_package: java-1.8.0-openjdk-devel
 keycloak_dest: /opt/keycloak
 keycloak_jboss_home: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
 keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
@@ -32,6 +32,9 @@ keycloak_service_group: keycloak
 keycloak_service_pidfile: "/run/keycloak.pid"
 keycloak_configure_firewalld: False
 
+### administrator console password
+keycloak_admin_password: ''
+
 ### Common configuration settings
 keycloak_bind_address: 0.0.0.0
 keycloak_host: localhost
@@ -58,7 +61,9 @@ keycloak_force_install: False
 
 ### mod_cluster reverse proxy
 keycloak_modcluster_url: localhost
-keycloak_frontend_url: http://localhost
+
+### keycloak frontend url
+keycloak_frontend_url: http://localhost:8080/auth
 
 ### infinispan remote caches access (hotrod)
 infinispan_user: supervisor

roles/keycloak/handlers/main.yml

@@ -1,3 +1,4 @@
 ---
-- name: restart keycloak
+- name: "Restart {{ keycloak.service_name }}"
   ansible.builtin.include_tasks: restart_keycloak.yml
+  listen: "restart keycloak"

roles/keycloak/meta/argument_specs.yml

@@ -48,7 +48,7 @@ argument_specs:
                 type: "str"
             keycloak_rhsso_apply_patches:
                 # line 16 of keycloak/defaults/main.yml
-                default: true
+                default: false
                 description: "Install RHSSO more recent cumulative patch"
                 type: "bool"
             keycloak_rhsso_installdir:
@@ -76,7 +76,7 @@ argument_specs:
                 default: false
                 description: "Perform an offline install"
                 type: "bool"
-            jvm_package:
+            keycloak_jvm_package:
                 # line 23 of keycloak/defaults/main.yml
                 default: "java-1.8.0-openjdk-devel"
                 description: "RHEL java package runtime rpm"

roles/keycloak/meta/main.yml

@@ -7,7 +7,7 @@ galaxy_info:
   role_name: keycloak
   namespace: middleware_automation
   author: Romain Pelisse, Guido Grazioli, Pavan Kumar Motaparthi
-  description: Install keycloak or Red Hat Single Sing-On server configurations
+  description: Install keycloak or Red Hat Single Sign-On server configurations
   company: Red Hat, Inc.
 
   license: Apache License 2.0
@@ -23,5 +23,7 @@ galaxy_info:
     - keycloak
     - redhat
     - rhel
-    - rhn
-    - sso
+    - sso
+    - authentication
+    - identity
+    - security

roles/keycloak/tasks/fastpackages.yml

@@ -0,0 +1,21 @@
+---
+- block:
+  - name: "Check if packages are already installed"
+    ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
+    args:
+      warn: no
+    register: rpm_info
+    changed_when: rpm_info.failed
+
+  rescue:
+    - name: "Add missing packages to the yum install list"
+      ansible.builtin.set_fact:
+        packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | flatten }}"
+      when: rpm_info.failed
+
+- name: "Install packages: {{ packages_to_install }}"
+  become: yes
+  ansible.builtin.yum:
+    name: "{{ packages_to_install }}"
+    state: present
+  when: packages_to_install | default([]) | length > 0

roles/keycloak/tasks/fastpackages/check.yml

@@ -1,14 +0,0 @@
----
-- block:
-  - name: "Check if package {{ package_name }} is already installed"
-    ansible.builtin.command: rpm -q {{ package_name }}
-    args:
-      warn: no
-    register: rpm_info
-    changed_when: rpm_info.failed
-
-  rescue:
-    - name: "Add {{ package_name }} to the yum install list if missing"
-      ansible.builtin.set_fact:
-        packages_to_install: "{{ packages_to_install + [ package_name ] }}"
-      when: rpm_info.failed

roles/keycloak/tasks/fastpackages/install.yml

@@ -1,18 +0,0 @@
----
-- name: Set facts
-  ansible.builtin.set_fact:
-    update_cache: true
-    packages_to_install: []
-
-- name: "Check packages to be installed"
-  ansible.builtin.include_tasks: check.yml
-  loop: "{{ packages_list | flatten }}"
-  loop_control:
-    loop_var: package_name
-
-- name: "Install packages: {{ packages_to_install }}"
-  become: yes
-  ansible.builtin.yum:
-    name: "{{ packages_to_install }}"
-    state: present
-  when: packages_to_install | length > 0

roles/keycloak/tasks/firewalld.yml

@@ -1,6 +1,6 @@
 ---
-- name: Ensures required package firewalld are installed
-  ansible.builtin.include_tasks: fastpackages/install.yml
+- name: Ensure required package firewalld are installed
+  ansible.builtin.include_tasks: fastpackages.yml
   vars:
     packages_list:
       - firewalld
@@ -12,7 +12,7 @@
     enabled: yes
     state: started
 
-- name: Configure firewall for keycloak ports
+- name: "Configure firewall for {{ keycloak.service_name }} ports"
   become: yes
   firewalld:
     port: "{{ item }}"

roles/keycloak/tasks/install.yml

@@ -17,25 +17,25 @@
   register: existing_deploy
 
 - block:
-    - name: Stop the old keycloak service
+    - name: "Stop the old {{ keycloak.service_name }} service"
       become: yes
       ignore_errors: yes
       ansible.builtin.systemd:
         name: keycloak
         state: stopped
-    - name: Remove the old Keycloak deployment
+    - name: "Remove the old {{ keycloak.service_name }} deployment"
       become: yes
       ansible.builtin.file:
         path: "{{ keycloak_jboss_home }}"
         state: absent
   when: existing_deploy.stat.exists and keycloak_force_install|bool
 
-- name: check for an existing deployment after possible forced removal
+- name: Check for an existing deployment after possible forced removal
   become: yes
   ansible.builtin.stat:
     path: "{{ keycloak_jboss_home }}"
 
-- name: create Keycloak service user/group
+- name: "Create {{ keycloak.service_name }} service user/group"
   become: yes
   ansible.builtin.user:
     name: "{{ keycloak_service_user }}"
@@ -43,7 +43,7 @@
     system: yes
     create_home: no
 
-- name: create Keycloak install location
+- name: "Create {{ keycloak.service_name }} install location"
   become: yes
   ansible.builtin.file:
     dest: "{{ keycloak_dest }}"
@@ -58,6 +58,7 @@
     archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"
 
 - name: Check download archive path
+  become: yes
   ansible.builtin.stat:
     path: "{{ archive }}"
   register: archive_path

roles/keycloak/tasks/main.yml

@@ -36,7 +36,7 @@
     dest: /var/log/keycloak
 
 - block:
-    - name: Check admin credentials by generating a token
+    - name: Check admin credentials by generating a token (supposed to fail on first installation)
       ansible.builtin.uri:
         url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
         method: POST

roles/keycloak/tasks/prereqs.yml

@@ -1,4 +1,12 @@
 ---
+- name: Validate admin console password
+  ansible.builtin.assert:
+    that:
+      - keycloak_admin_password | length > 12
+    quiet: True
+    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_admin_password variable to a 16+ char long string"
+    success_msg: "{{ 'Console administrator password OK' }}"
+
 - name: Validate configuration
   ansible.builtin.assert:
     that:
@@ -16,15 +24,11 @@
     fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
     success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
 
-- name: Set required packages facts
-  ansible.builtin.set_fact:
-    required_packages:
-    - "{{ jvm_package }}"
-    - unzip
-    - procps-ng
-    - initscripts
-
-- name: Ensures required packages are installed
-  ansible.builtin.include_tasks: fastpackages/install.yml
+- name: Ensure required packages are installed
+  ansible.builtin.include_tasks: fastpackages.yml
   vars:
-    packages_list: "{{ required_packages }}"
+    packages_list:
+      - "{{ keycloak_jvm_package }}"
+      - unzip
+      - procps-ng
+      - initscripts

roles/keycloak/tasks/restart_keycloak.yml

@@ -1,5 +1,5 @@
 ---
-- name: "Restart and enable keycloack service"
+- name: "Restart and enable {{ keycloak.service_name }} service"
   ansible.builtin.systemd:
     name: keycloak
     enabled: yes

roles/keycloak/tasks/rhsso_patch.yml

@@ -62,7 +62,7 @@
       when:
         - cli_result.rc == 0
 
-    - name: "Wait until Keycloak becomes active {{ keycloak.health_url }}"
+    - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
       ansible.builtin.uri:
         url: "{{ keycloak.health_url }}"
       register: keycloak_status

roles/keycloak/tasks/start_keycloak.yml

@@ -1,12 +1,12 @@
 ---
-- name: start keycloak
+- name: "Start {{ keycloak.service_name }} service"
   ansible.builtin.systemd:
     name: keycloak
     enabled: yes
     state: started
   become: yes
 
-- name: "Wait until Keycloak becomes active {{ keycloak.health_url }}"
+- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
   ansible.builtin.uri:
     url: "{{ keycloak.health_url }}"
   register: keycloak_status

roles/keycloak/tasks/stop_keycloak.yml

@@ -1,5 +1,5 @@
 ---
-- name: Stop keycloak
+- name: "Stop {{ keycloak.service_name }}"
   ansible.builtin.systemd:
     name: keycloak
     enabled: yes

roles/keycloak/tasks/systemd.yml

@@ -1,4 +1,4 @@
-- name: Configure keycloak service script wrapper
+- name: "Configure {{ keycloak.service_name }} service script wrapper"
   become: yes
   ansible.builtin.template:
     src: keycloak-service.sh.j2
@@ -9,7 +9,7 @@
   notify:
     - restart keycloak
 
-- name: Configure sysconfig file for keycloak service
+- name: "Configure sysconfig file for {{ keycloak.service_name }} service"
   become: yes
   ansible.builtin.template:
     src: keycloak-sysconfig.j2
@@ -20,7 +20,7 @@
   notify:
     - restart keycloak
 
-- name: Configure systemd unit file for keycloak service
+- name: "Configure systemd unit file for {{ keycloak.service_name }} service"
   ansible.builtin.template:
     src: keycloak.service.j2
     dest: /etc/systemd/system/keycloak.service
@@ -38,12 +38,12 @@
     daemon_reload: yes
   when: systemdunit.changed
 
-- name: Start and wait for keycloak service (first node db)
+- name: "Start and wait for {{ keycloak.service_name }} service (first node db)"
   ansible.builtin.include_tasks: start_keycloak.yml
   run_once: yes
   when: keycloak_db_enabled
 
-- name: Start and wait for keycloak service (remaining nodes)
+- name: "Start and wait for {{ keycloak.service_name }} service (remaining nodes)"
   ansible.builtin.include_tasks: start_keycloak.yml
 
 - name: Check service status

roles/keycloak/templates/keycloak.service.j2

@@ -1,6 +1,6 @@
 # {{ ansible_managed }}
 [Unit]
-Description=Keycloak Server
+Description={{ keycloak.service_name }} Server
 After=network.target
 
 [Service]

roles/keycloak/vars/main.yml

@@ -1,8 +1,4 @@
 ---
-# required variables for keycloak
-# administrator console password
-keycloak_admin_password:
-
 # internal variables below
 rhsso_rhn_ids:
   '7.5.0':

roles/keycloak_realm/README.md

@@ -1,7 +1,7 @@
 keycloak_realm
 ==============
 
-Create realms and clients in [keycloak](https://keycloak.org/) or [Red Hat Single Sing-On](https://access.redhat.com/products/red-hat-single-sign-on) services.
+Create realms and clients in [keycloak](https://keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) services.
 
 
 Role Defaults
@@ -30,8 +30,8 @@ The following are a set of _required_ variables for the role:
 
 | Variable | Description |
 |:---------|:------------|
-|`keycloak_admin_password`| Password for the administration console user account |
 |`keycloak_realm` | Name of the realm to be created |
+|`keycloak_admin_password`| Password for the administration console user account |
 
 
 The following variables are available for creating clients:

roles/keycloak_realm/defaults/main.yml

@@ -11,6 +11,8 @@ keycloak_admin_user: admin
 keycloak_auth_realm: master
 keycloak_auth_client: admin-cli
 
+# administrator console password, this is a required variable
+keycloak_admin_password: ''
 
 ### Keycloak realms, clients, roles, federation
 # list of clients to create in the realm

roles/keycloak_realm/meta/main.yml

@@ -3,7 +3,7 @@ galaxy_info:
   role_name: keycloak_realm
   namespace: middleware_automation
   author: Romain Pelisse, Guido Grazioli
-  description: Create realms and clients in keycloak or Red Hat Single Sing-On
+  description: Create realms and clients in keycloak or Red Hat Single Sign-On
   company: Red Hat, Inc.
 
   license: Apache License 2.0

roles/keycloak_realm/vars/main.yml

@@ -1,9 +1,6 @@
 ---
 # vars file for keycloak_realm
 
-# administrator console password, this is a required variable
-keycloak_admin_password:
-
 # name of the realm to create, this is a required variable
 keycloak_realm: