Update changelog for release 1.0.6

* keycloak_quarkus: add https to molecule test setup

* move converge pre_tasks to prepare phase

* Update zipfile unarchive to cater for existing certs

.ansible-lint

@@ -5,6 +5,7 @@ exclude_paths:
   - molecule/
   - .ansible-lint
   - .yamllint
+  - meta/
 
 rulesdir:
    - ../../ansible-lint-custom-rules/rules/

.gitignore

@@ -9,3 +9,4 @@ docs/_build/
 .mypy_cache/
 *.retry
 changelogs/.plugin-cache.yaml
+*.pem

CHANGELOG.rst

@@ -6,6 +6,23 @@ middleware_automation.keycloak Release Notes
 
 This changelog describes changes after version 0.2.6.
 
+v1.0.6
+======
+
+Bugfixes
+--------
+
+- keycloak_quarkus: add selected java to PATH in systemd unit `#34 <https://github.com/ansible-middleware/keycloak/pull/34>`_
+- keycloak_quarkus: set logfile path correctly under keycloak home `#35 <https://github.com/ansible-middleware/keycloak/pull/35>`_
+
+v1.0.5
+======
+
+Minor Changes
+-------------
+
+- Update config options: keycloak and quarkus `#32 <https://github.com/ansible-middleware/keycloak/pull/32>`_
+
 v1.0.4
 ======
 

bindep.txt

@@ -0,0 +1,7 @@
+python39-devel [platform:rpm compile]
+git-lfs [platform:rpm]
+python3-netaddr [platform:rpm]
+python3-lxml [platform:rpm]
+python3-jmespath [platform:rpm]
+python3-requests [platform:rpm]
+

changelogs/changelog.yaml

@@ -60,3 +60,25 @@ releases:
     release_date: '2022-05-09'
   1.0.4:
     release_date: '2022-05-11'
+  1.0.5:
+    changes:
+      minor_changes:
+      - 'Update config options: keycloak and quarkus `#32 <https://github.com/ansible-middleware/keycloak/pull/32>`_
+
+        '
+    fragments:
+    - 32.yaml
+    release_date: '2022-05-25'
+  1.0.6:
+    changes:
+      bugfixes:
+      - 'keycloak_quarkus: add selected java to PATH in systemd unit `#34 <https://github.com/ansible-middleware/keycloak/pull/34>`_
+
+        '
+      - 'keycloak_quarkus: set logfile path correctly under keycloak home `#35 <https://github.com/ansible-middleware/keycloak/pull/35>`_
+
+        '
+    fragments:
+    - 34.yaml
+    - 35.yaml
+    release_date: '2022-06-01'

docs/testing.md

@@ -46,4 +46,3 @@ EOF
 # run the playbook
 ansible-playbook -i inventory playbooks/keycloak.yml
 ```
-

galaxy.yml

@@ -1,7 +1,7 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "1.0.4"
+version: "1.0.6"
 readme: README.md
 authors:
   - Romain Pelisse <rpelisse@redhat.com>

meta/execution-environment.yml

@@ -0,0 +1,11 @@
+---
+version: 1
+build_arg_defaults:
+  EE_BASE_IMAGE: 'quay.io/ansible/ansible-runner:stable-2.12-devel'
+dependencies:
+  galaxy: requirements.yml
+  python: requirements.txt
+  system: bindep.txt
+additional_build_steps:
+  append:
+    - RUN alternatives --set python /usr/bin/python3

molecule/default/prepare.yml

@@ -2,10 +2,6 @@
 - name: Prepare
   hosts: all
   tasks:
-    - name: Disable beta repos
-      ansible.builtin.command: yum config-manager --disable '*beta*'
-      ignore_errors: yes
-
     - name: Install sudo
       ansible.builtin.yum:
         name:

molecule/quarkus/converge.yml

@@ -5,6 +5,12 @@
     keycloak_quarkus_admin_pass: "remembertochangeme"
     keycloak_admin_password: "remembertochangeme"
     keycloak_realm: TestRealm
+    keycloak_quarkus_host: instance:8443
+    keycloak_quarkus_http_relative_path: ''
+    keycloak_quarkus_log: file
+    keycloak_quarkus_https_enabled: True
+    keycloak_quarkus_key_file: conf/key.pem
+    keycloak_quarkus_cert_file: conf/cert.pem
   roles:
     - role: keycloak_quarkus
     - role: keycloak_realm

molecule/quarkus/molecule.yml

@@ -16,7 +16,9 @@ platforms:
     port_bindings:
       - "8080/tcp"
       - "8443/tcp"
-      - "8009/tcp"      
+      - "8009/tcp"
+    published_ports:
+      - 0.0.0.0:8443:8443/tcp
 provisioner:
   name: ansible
   config_options:

molecule/quarkus/prepare.yml

@@ -2,11 +2,25 @@
 - name: Prepare
   hosts: all
   tasks:
-    - name: Disable beta repos
-      ansible.builtin.command: yum config-manager --disable '*beta*'
-      ignore_errors: yes
-
     - name: Install sudo
       ansible.builtin.yum:
         name: sudo
         state: present
+    - command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+      delegate_to: localhost
+    - lineinfile:
+        dest: /etc/hosts
+        line: "127.0.0.1 instance"
+        state: present
+      delegate_to: localhost
+      become: yes
+    - file:
+        state: directory
+        path: /opt/keycloak/keycloak-18.0.0/conf/
+    - copy:
+        src: "{{ item }}"
+        dest: "/opt/keycloak/keycloak-18.0.0/conf/{{ item }}"
+        mode: 0444
+      loop:
+        - cert.pem
+        - key.pem

molecule/quarkus/verify.yml

@@ -9,3 +9,19 @@
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"
           - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+    - name: Fetch openID config
+      shell: |
+        curl https://instance:8443/realms/master/.well-known/openid-configuration -k | jq .
+      delegate_to: localhost
+      register: openid_config
+    - debug:
+        msg: " {{ openid_config.stdout | from_json }}"
+      delegate_to: localhost
+    - name: Verify endpoint URLs
+      assert:
+        that:
+          - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance:8443/realms/master/protocol/openid-connect/ext/ciba/auth'
+          - (openid_config.stdout | from_json)['issuer'] == 'https://instance:8443/realms/master'
+          - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/auth'
+          - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/token'
+      delegate_to: localhost

playbooks/keycloak_quarkus.yml

@@ -0,0 +1,15 @@
+---
+- name: Playbook for Keycloak X Hosts
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_host: localhost:8443
+    keycloak_quarkus_http_relative_path: ''
+    keycloak_quarkus_log: file
+    keycloak_quarkus_https_enabled: True
+    keycloak_quarkus_key_file: conf/key.pem
+    keycloak_quarkus_cert_file: conf/cert.pem
+  collections:
+    - middleware_automation.keycloak
+  roles:
+    - keycloak_quarkus

roles/keycloak_quarkus/README.md

@@ -7,6 +7,13 @@ Install [keycloak](https://keycloak.org/) >= 17.0.0 (quarkus) server configurati
 Role Defaults
 -------------
 
+* Installation options
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_version`| keycloak.org package version | `17.0.1` |
+
+
 * Service configuration
 
 | Variable | Description | Default |
@@ -20,13 +27,18 @@ Role Defaults
 |`keycloak_quarkus_https_port`| TLS HTTP port | `8443` |
 |`keycloak_quarkus_ajp_port`| AJP port | `8009` |
 |`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7600` |
-|`keycloak_quarkus_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
 |`keycloak_quarkus_service_user`| Posix account username | `keycloak` |
 |`keycloak_quarkus_service_group`| Posix account group | `keycloak` |
 |`keycloak_quarkus_service_pidfile`| Pid file path for service | `/run/keycloak.pid` |
 |`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-11-openjdk-headless` |
+|`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
+|`keycloak_quarkus_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
 |`keycloak_quarkus_frontend_url`| Service public URL | `http://localhost:8080/auth` |
 |`keycloak_quarkus_http_relative_path` | Service context path | `auth` |
+|`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
+|`keycloak_quarkus_https_enabled`| Enable listener on HTTPS port | `False` |
+|`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `conf/server.key.pem` |
+|`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `conf/server.crt.pem` |
 
 
 * Database configuration
@@ -70,6 +82,7 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:--------|
 |`keycloak_quarkus_metrics_enabled`| Whether to enable metrics | `False` |
+|`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints | `True` |
 |`keycloak_quarkus_archive` | keycloak install archive filename | `keycloak-{{ keycloak_quarkus_version }}.zip` |
 |`keycloak_quarkus_installdir` | Installation path | `{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}` |
 |`keycloak_quarkus_home` | Installation work directory | `{{ keycloak_quarkus_installdir }}` |
@@ -79,14 +92,19 @@ Role Defaults
 |`keycloak_force_install` | Remove pre-existing versions of service | `False` |
 |`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_http_port }}` |
 |`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_management_http_port }}` |
+|`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` |
+|`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` |
+|`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` |
+|`keycloak_quarkus_log_format`| Set a format specific to file log entries | `%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n` |
+|`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` |
 
 
 Role Variables
 --------------
 
-| Variable | Description |
-|:---------|:------------|
-|`keycloak_quarkus_admin_pass`| Password of console admin account |
+| Variable | Description | Required |
+|:---------|:------------|----------|
+|`keycloak_quarkus_admin_pass`| Password of console admin account | `yes` |
 
 
 License

roles/keycloak_quarkus/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 ### Configuration specific to keycloak
-keycloak_quarkus_version: 17.0.1
+keycloak_quarkus_version: 18.0.0
 keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
 keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"  
 keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
@@ -10,6 +10,7 @@ keycloak_quarkus_offline_install: False
 
 ### Install location and service settings
 keycloak_quarkus_jvm_package: java-11-openjdk-headless
+keycloak_quarkus_java_home:
 keycloak_quarkus_dest: /opt/keycloak
 keycloak_quarkus_home: "{{ keycloak_quarkus_installdir }}"
 keycloak_quarkus_config_dir: "{{ keycloak_quarkus_home }}/conf"
@@ -26,12 +27,18 @@ keycloak_quarkus_master_realm: master
 ### Configuration settings
 keycloak_quarkus_bind_address: 0.0.0.0
 keycloak_quarkus_host: localhost
+keycloak_quarkus_http_enabled: True
 keycloak_quarkus_http_port: 8080
 keycloak_quarkus_https_port: 8443
 keycloak_quarkus_ajp_port: 8009
 keycloak_quarkus_jgroups_port: 7600
 keycloak_quarkus_java_opts: "-Xms1024m -Xmx2048m"
 
+### TLS/HTTPS configuration
+keycloak_quarkus_https_enabled: False
+keycloak_quarkus_key_file: conf/server.key.pem
+keycloak_quarkus_cert_file: conf/server.crt.pem
+
 ### Enable configuration for database backend, clustering and remote caches on infinispan
 keycloak_quarkus_ha_enabled: False
 ### Enable database configuration, must be enabled when HA is configured
@@ -41,7 +48,11 @@ keycloak_quarkus_db_enabled: "{{ True if keycloak_quarkus_ha_enabled else False
 keycloak_quarkus_http_relative_path: auth
 keycloak_quarkus_frontend_url: http://localhost:8080/auth
 
+# proxy address forwarding mode if the server is behind a reverse proxy. [edge, reencrypt, passthrough]
+keycloak_quarkus_proxy_mode: edge
+
 keycloak_quarkus_metrics_enabled: False
+keycloak_quarkus_health_enabled: True
 
 ### infinispan remote caches access (hotrod)
 keycloak_quarkus_ispn_user: supervisor
@@ -67,4 +78,10 @@ keycloak_quarkus_default_jdbc:
     version: 9.4.1212
   mariadb:
     url: 'jdbc:mariadb://localhost:3306/keycloak'
-    version: 2.7.4
+    version: 2.7.4
+
+### logging configuration
+keycloak_quarkus_log: file
+keycloak_quarkus_log_level: info
+keycloak_quarkus_log_file: data/log/keycloak.log
+keycloak_quarkus_log_format: '%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n'

roles/keycloak_quarkus/meta/argument_specs.yml

@@ -31,6 +31,9 @@ argument_specs:
                 default: "java-11-openjdk-headless"
                 description: "RHEL java package runtime"
                 type: "str"
+            keycloak_quarkus_java_home:
+                description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path"
+                type: "str"
             keycloak_quarkus_dest:
                 # line 13 of defaults/main.yml
                 default: "/opt/keycloak"
@@ -91,11 +94,27 @@ argument_specs:
                 default: "localhost"
                 description: "hostname"
                 type: "str"
+            keycloak_quarkus_http_enabled:
+                default: true
+                description: "Enable listener on HTTP port"
+                type: "bool"                
             keycloak_quarkus_http_port:
                 # line 29 of defaults/main.yml
                 default: 8080
                 description: "HTTP port"
                 type: "int"
+            keycloak_quarkus_https_enabled:
+                default: false
+                description: "Enable listener on HTTPS port"
+                type: "bool" 
+            keycloak_quarkus_key_file:
+                default: "conf/server.key.pem"
+                description: "The file path to a private key in PEM format"
+                type: "str"
+            keycloak_quarkus_cert_file:
+                default: "conf/server.crt.pem"
+                description: "The file path to a server certificate or certificate chain in PEM format"
+                type: "str"
             keycloak_quarkus_https_port:
                 # line 30 of defaults/main.yml
                 default: 8443
@@ -141,6 +160,10 @@ argument_specs:
                 default: false
                 description: "Whether to enable metrics"
                 type: "bool"
+            keycloak_quarkus_health_enabled:
+                default: true
+                description: "If the server should expose health check endpoints"
+                type: "bool"
             keycloak_quarkus_ispn_user:
                 # line 46 of defaults/main.yml
                 default: "supervisor"
@@ -201,3 +224,23 @@ argument_specs:
                 default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
                 description: "Version for JDBC driver"
                 type: "str"
+            keycloak_quarkus_log:
+                default: "file"
+                type: "str"
+                description: "Enable one or more log handlers in a comma-separated list"
+            keycloak_quarkus_log_level:
+                default: "info"
+                type: "str"
+                description: "The log level of the root category or a comma-separated list of individual categories and their levels"
+            keycloak_quarkus_log_file:
+                default: "data/log/keycloak.log"
+                type: "str"
+                description: "Set the log file path and filename relative to keycloak home"
+            keycloak_quarkus_log_format:
+                default: '%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n'
+                type: "str"
+                description: "Set a format specific to file log entries"
+            keycloak_quarkus_proxy_mode:
+                default: 'edge'
+                type: "str"
+                description: "The proxy address forwarding mode if the server is behind a reverse proxy"

roles/keycloak_quarkus/tasks/fastpackages.yml

@@ -14,7 +14,7 @@
         packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | flatten }}"
       when: rpm_info.failed
 
-- name: "Install packages: {{ packages_to_install }}"
+- name: "Install packages: {{ packages_to_install | join(',') }}"
   become: yes
   ansible.builtin.yum:
     name: "{{ packages_to_install }}"

roles/keycloak_quarkus/tasks/install.yml

@@ -84,9 +84,9 @@
     - local_archive_path.stat.exists
   become: yes
 
-- name: "Check target directory: {{ keycloak.home }}"
+- name: "Check target directory: {{ keycloak.home }}/bin/"
   ansible.builtin.stat:
-    path: "{{ keycloak.home }}"
+    path: "{{ keycloak.home }}/bin/"
   register: path_to_workdir
   become: yes
 
@@ -95,12 +95,12 @@
     remote_src: yes
     src: "{{ archive }}"
     dest: "{{ keycloak_quarkus_dest }}"
-    creates: "{{ keycloak.home }}"
+    creates: "{{ keycloak.home }}/bin/"
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
   become: yes
   when:
-    - new_version_downloaded.changed or not path_to_workdir.stat.exists
+    - (not path_to_workdir.stat.exists) or new_version_downloaded.changed
   notify:
     - restart keycloak
 
@@ -108,4 +108,4 @@
   ansible.builtin.debug:
     msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
   when:
-    - not new_version_downloaded.changed and path_to_workdir.stat.exists
+    - (not new_version_downloaded.changed) and path_to_workdir.stat.exists

roles/keycloak_quarkus/tasks/main.yml

@@ -1,6 +1,5 @@
 ---
 # tasks file for keycloak
-
 - name: Check prerequisites
   ansible.builtin.include_tasks: prereqs.yml
   tags:
@@ -32,10 +31,35 @@
   notify:
     - restart keycloak
 
+- name: "Configure quarkus config for keycloak service"
+  ansible.builtin.template:
+    src: quarkus.properties.j2
+    dest: "{{ keycloak.home }}/conf/quarkus.properties"
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+    mode: 0644
+  notify:
+    - restart keycloak    
+
+- name: Ensure logdirectory exists
+  ansible.builtin.file:
+    state: directory
+    path:  "{{ keycloak.home }}/{{ keycloak.log.file | dirname }}"
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+    mode: 0775
+
 - name: "Start and wait for keycloak service"
   ansible.builtin.include_tasks: start.yml
 
 - name: Check service status
   ansible.builtin.command: "systemctl status keycloak"
   register: keycloak_service_status
-  changed_when: False
+  changed_when: False
+
+- name: Link default logs directory
+  ansible.builtin.file:
+    state: link
+    src: "{{ keycloak.home }}/{{ keycloak.log.file | dirname }}"
+    dest: /var/log/keycloak
+    force: yes

roles/keycloak_quarkus/tasks/systemd.yml

@@ -1,4 +1,13 @@
 ---
+- name: Determine JAVA_HOME for selected JVM RPM  # noqa blocked_modules
+  ansible.builtin.shell: |
+    set -o pipefail
+    rpm -ql {{ keycloak_quarkus_jvm_package }} | grep -Po '/usr/lib/jvm/.*(?=/bin/java$)'
+  args:
+    executable: /bin/bash
+  changed_when: False
+  register: rpm_java_home
+
 - name: "Configure sysconfig file for keycloak service"
   become: yes
   ansible.builtin.template:
@@ -7,6 +16,8 @@
     owner: root
     group: root
     mode: 0644
+  vars:
+    keycloak_rpm_java_home: "{{ rpm_java_home.stdout }}"
   notify:
     - restart keycloak
 

roles/keycloak_quarkus/templates/keycloak-sysconfig.j2

@@ -1,3 +1,5 @@
 # {{ ansible_managed }}
 KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }}
-KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'
+KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'
+PATH={{ keycloak_java_home  | default(keycloak_rpm_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+JAVA_HOME={{ keycloak_java_home  | default(keycloak_rpm_java_home, true) }}

roles/keycloak_quarkus/templates/keycloak.conf.j2

@@ -1,51 +1,47 @@
 # {{ ansible_managed }}
 
+{% if keycloak_quarkus_db_enabled %}
 # Database
-# Database vendor [dev-file, dev-mem, mariadb, mssql, mysql, oracle, postgres]
-#db=postgres
-# The username of the database user.
-#db-username=keycloak
-# The password of the database user.
-#db-password=password
-# The full database JDBC URL. If not provided, a default URL is set based on the selected database vendor.
-#db-url=jdbc:postgresql://localhost/keycloak
+db={{ keycloak_quarkus_jdbc_engine }}
+db-url={{ keycloak_quarkus_jdbc_url }}
+db-username={{ keycloak_quarkus_db_user }}
+db-password={{ keycloak_quarkus_db_pass }}
+{% endif %}
 
 # Observability
-# If the server should expose metrics and healthcheck endpoints.
-#metrics-enabled=true
+metrics-enabled={{ keycloak_quarkus_metrics_enabled }}
+health-enabled={{ keycloak_quarkus_health_enabled }}
 
 # HTTP
-http-enabled=true
-http-port=8080
-https-port=8443
-# The file path to a server certificate or certificate chain in PEM format.
-#https-certificate-file=${kc.home.dir}conf/server.crt.pem
-# The file path to a private key in PEM format.
-#https-certificate-key-file=${kc.home.dir}conf/server.key.pem
-# The proxy address forwarding mode if the server is behind a reverse proxy.
-#proxy=reencrypt
-# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
-#spi-sticky-session-encoder-infinispan-should-attach-route=false
+http-enabled={{ keycloak_quarkus_http_enabled }}
+http-port={{ keycloak_quarkus_http_port }}
+
+# HTTPS
+https-port={{ keycloak_quarkus_https_port }}
+{% if keycloak_quarkus_https_enabled %}
+https-certificate-file={{ keycloak.home }}/{{ keycloak_quarkus_cert_file}}
+https-certificate-key-file={{ keycloak.home }}/{{ keycloak_quarkus_key_file }}
+{% endif %}
 
 # Hostname for the Keycloak server.
 hostname={{ keycloak_quarkus_host }}
 hostname-path={{ keycloak_quarkus_http_relative_path }}
 
 # Cluster
-#cache=ispn
-#Defines the cache mechanism for high-availability. [local, ispn]
-#cache-config-file=conf/cache-ispn.xml
-#Defines the file from which cache configuration should be loaded from.
-#cache-stack=tcp
-#Define the default stack to use for cluster communication and node discovery. [tcp, udp, kubernetes, ec2, azure, google]
+{% if keycloak_quarkus_ha_enabled %}
+cache=ispn
+cache-config-file=conf/cache-ispn.xml
+cache-stack=tcp
+{% endif %}
 
 # Proxy
-# The proxy address forwarding mode if the server is behind a reverse proxy. [edge, reencrypt, passthrough]
-#proxy=
+proxy={{ keycloak_quarkus_proxy_mode }}
+# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
+#spi-sticky-session-encoder-infinispan-should-attach-route=false
 
 # Logging
-# The format of log entries.
 #log-format=%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n
-# The log level of the root category or a comma-separated list of individual categories and their levels.
-#log-level=info
-
+log={{ keycloak_quarkus_log }}
+log-level={{ keycloak.log.level }}
+log-file={{ keycloak.log.file }}
+log-file-format={{ keycloak.log.format }}

roles/keycloak_quarkus/templates/keycloak.service.j2

@@ -7,8 +7,8 @@ After=network.target
 Type=simple
 EnvironmentFile=-/etc/sysconfig/keycloak
 PIDFile={{ keycloak_quarkus_service_pidfile }}
-ExecStart={{ keycloak.home }}/bin/kc.sh start 
-#--http-relative-path={{ keycloak_quarkus_http_relative_path }}
+ExecStart={{ keycloak.home }}/bin/kc.sh start --auto-build --log={{ keycloak_quarkus_log }}
+User={{ keycloak.service_user }}
 
 [Install]
 WantedBy=multi-user.target

roles/keycloak_quarkus/templates/quarkus.properties.j2

@@ -0,0 +1,19 @@
+# {{ ansible_managed }}
+{% if keycloak_quarkus_ha_enabled %}
+quarkus.infinispan-client.server-list={{ keycloak_quarkus_ispn_url }}
+quarkus.infinispan-client.client-intelligence=HASH_DISTRIBUTION_AWARE
+quarkus.infinispan-client.use-auth=true
+quarkus.infinispan-client.auth-username={{ keycloak_quarkus_ispn_user }}
+quarkus.infinispan-client.auth-password={{ keycloak_quarkus_ispn_pass }}
+quarkus.infinispan-client.auth-realm=default
+quarkus.infinispan-client.auth-server-name=infinispan
+quarkus.infinispan-client.sasl-mechanism={{ keycloak_quarkus_ispn_sasl_mechanism }}
+{% if keycloak_quarkus_ispn_use_ssl %}
+quarkus.infinispan-client.trust-store={{ keycloak_quarkus_ispn_trust_store_path }}
+quarkus.infinispan-client.trust-store-password={{ keycloak_quarkus_ispn_trust_store_password }}
+quarkus.infinispan-client.trust-store-type=jks
+{% endif %}
+#quarkus.infinispan-client.use-schema-registration=true
+#quarkus.infinispan-client.auth-client-subject
+#quarkus.infinispan-client.auth-callback-handler
+{% endif %}

roles/keycloak_quarkus/vars/main.yml

@@ -8,4 +8,8 @@ keycloak:
   cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh"
   service_user: "{{ keycloak_quarkus_service_user }}"
   service_group: "{{ keycloak_quarkus_service_group }}"
-  offline_install: "{{ keycloak_quarkus_offline_install }}"
+  offline_install: "{{ keycloak_quarkus_offline_install }}"
+  log:
+    file: "{{ keycloak_quarkus_home }}/{{ keycloak_quarkus_log_file }}"
+    level: "{{ keycloak_quarkus_log_level }}"
+    format: "{{ keycloak_quarkus_log_format }}"

roles/keycloak_realm/README.md

@@ -8,9 +8,10 @@ Role Defaults
 -------------
 
 | Variable | Description | Default |
-|:---------|:------------|:---------|
+|:---------|:------------|:--------|
 |`keycloak_admin_user`| Administration console user account | `admin` |
 |`keycloak_host`| hostname | `localhost` |
+|`keycloak_context`| Context path for rest calls | `/auth` |
 |`keycloak_http_port`| HTTP port | `8080` |
 |`keycloak_https_port`| TLS HTTP port | `8443` |
 |`keycloak_auth_realm`| Name of the main authentication realm | `master` |