Update changelog for release 1.0.7

keycloak_quarkus: use absolute path for certificate files

.ansible-lint

@@ -5,6 +5,8 @@ exclude_paths:
   - molecule/
   - .ansible-lint
   - .yamllint
+  - meta/
+  - playbooks/roles/
 
 rulesdir:
    - ../../ansible-lint-custom-rules/rules/

.gitignore

@@ -9,3 +9,4 @@ docs/_build/
 .mypy_cache/
 *.retry
 changelogs/.plugin-cache.yaml
+*.pem

CHANGELOG.rst

@@ -6,6 +6,28 @@ middleware_automation.keycloak Release Notes
 
 This changelog describes changes after version 0.2.6.
 
+v1.0.7
+======
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- keycloak_quarkus: use absolute path for certificate files `#39 <https://github.com/ansible-middleware/keycloak/pull/39>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: use become for tasks that will otherwise fail `#38 <https://github.com/ansible-middleware/keycloak/pull/38>`_
+
+v1.0.6
+======
+
+Bugfixes
+--------
+
+- keycloak_quarkus: add selected java to PATH in systemd unit `#34 <https://github.com/ansible-middleware/keycloak/pull/34>`_
+- keycloak_quarkus: set logfile path correctly under keycloak home `#35 <https://github.com/ansible-middleware/keycloak/pull/35>`_
+
 v1.0.5
 ======
 

changelogs/changelog.yaml

@@ -69,3 +69,30 @@ releases:
     fragments:
     - 32.yaml
     release_date: '2022-05-25'
+  1.0.6:
+    changes:
+      bugfixes:
+      - 'keycloak_quarkus: add selected java to PATH in systemd unit `#34 <https://github.com/ansible-middleware/keycloak/pull/34>`_
+
+        '
+      - 'keycloak_quarkus: set logfile path correctly under keycloak home `#35 <https://github.com/ansible-middleware/keycloak/pull/35>`_
+
+        '
+    fragments:
+    - 34.yaml
+    - 35.yaml
+    release_date: '2022-06-01'
+  1.0.7:
+    changes:
+      breaking_changes:
+      - 'keycloak_quarkus: use absolute path for certificate files `#39 <https://github.com/ansible-middleware/keycloak/pull/39>`_
+
+        '
+      bugfixes:
+      - 'keycloak_quarkus: use become for tasks that will otherwise fail `#38 <https://github.com/ansible-middleware/keycloak/pull/38>`_
+
+        '
+    fragments:
+    - 38.yaml
+    - 39.yaml
+    release_date: '2022-07-06'

docs/testing.md

@@ -46,4 +46,3 @@ EOF
 # run the playbook
 ansible-playbook -i inventory playbooks/keycloak.yml
 ```
-

galaxy.yml

@@ -1,7 +1,7 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "1.0.5"
+version: "1.0.7"
 readme: README.md
 authors:
   - Romain Pelisse <rpelisse@redhat.com>
@@ -32,3 +32,4 @@ build_ignore:
   - .github
   - '*.tar.gz'
   - '*.zip'
+  - changelogs/fragments/.gitignore

molecule/default/prepare.yml

@@ -2,10 +2,6 @@
 - name: Prepare
   hosts: all
   tasks:
-    - name: Disable beta repos
-      ansible.builtin.command: yum config-manager --disable '*beta*'
-      ignore_errors: yes
-
     - name: Install sudo
       ansible.builtin.yum:
         name:

molecule/quarkus/converge.yml

@@ -5,6 +5,12 @@
     keycloak_quarkus_admin_pass: "remembertochangeme"
     keycloak_admin_password: "remembertochangeme"
     keycloak_realm: TestRealm
+    keycloak_quarkus_host: instance:8443
+    keycloak_quarkus_http_relative_path: ''
+    keycloak_quarkus_log: file
+    keycloak_quarkus_https_enabled: True
+    keycloak_quarkus_key_file: "{{ keycloak.home }}/conf/key.pem"
+    keycloak_quarkus_cert_file: "{{ keycloak.home }}/conf/cert.pem"
   roles:
     - role: keycloak_quarkus
     - role: keycloak_realm

molecule/quarkus/molecule.yml

@@ -16,7 +16,9 @@ platforms:
     port_bindings:
       - "8080/tcp"
       - "8443/tcp"
-      - "8009/tcp"      
+      - "8009/tcp"
+    published_ports:
+      - 0.0.0.0:8443:8443/tcp
 provisioner:
   name: ansible
   config_options:

molecule/quarkus/prepare.yml

@@ -2,11 +2,25 @@
 - name: Prepare
   hosts: all
   tasks:
-    - name: Disable beta repos
-      ansible.builtin.command: yum config-manager --disable '*beta*'
-      ignore_errors: yes
-
     - name: Install sudo
       ansible.builtin.yum:
         name: sudo
         state: present
+    - command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+      delegate_to: localhost
+    - lineinfile:
+        dest: /etc/hosts
+        line: "127.0.0.1 instance"
+        state: present
+      delegate_to: localhost
+      become: yes
+    - file:
+        state: directory
+        path: /opt/keycloak/keycloak-18.0.0/conf/
+    - copy:
+        src: "{{ item }}"
+        dest: "/opt/keycloak/keycloak-18.0.0/conf/{{ item }}"
+        mode: 0444
+      loop:
+        - cert.pem
+        - key.pem

molecule/quarkus/verify.yml

@@ -9,3 +9,19 @@
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"
           - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+    - name: Fetch openID config
+      shell: |
+        curl https://instance:8443/realms/master/.well-known/openid-configuration -k | jq .
+      delegate_to: localhost
+      register: openid_config
+    - debug:
+        msg: " {{ openid_config.stdout | from_json }}"
+      delegate_to: localhost
+    - name: Verify endpoint URLs
+      assert:
+        that:
+          - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance:8443/realms/master/protocol/openid-connect/ext/ciba/auth'
+          - (openid_config.stdout | from_json)['issuer'] == 'https://instance:8443/realms/master'
+          - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/auth'
+          - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/token'
+      delegate_to: localhost

playbooks/keycloak_quarkus.yml

@@ -0,0 +1,15 @@
+---
+- name: Playbook for Keycloak X Hosts
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_host: localhost:8443
+    keycloak_quarkus_http_relative_path: ''
+    keycloak_quarkus_log: file
+    keycloak_quarkus_https_enabled: True
+    keycloak_quarkus_key_file: conf/key.pem
+    keycloak_quarkus_cert_file: conf/cert.pem
+  collections:
+    - middleware_automation.keycloak
+  roles:
+    - keycloak_quarkus

playbooks/keyclock_quarkus.yml

@@ -1,9 +0,0 @@
----
-- name: Playbook for Keycloak X Hosts
-  hosts: all
-  vars:
-    keycloak_admin_password: "remembertochangeme"
-  collections:
-    - middleware_automation.keycloak
-  roles:
-    - keycloak_quarkus

roles/keycloak_quarkus/README.md

@@ -37,8 +37,8 @@ Role Defaults
 |`keycloak_quarkus_http_relative_path` | Service context path | `auth` |
 |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
 |`keycloak_quarkus_https_enabled`| Enable listener on HTTPS port | `False` |
-|`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `conf/server.key.pem` |
-|`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `conf/server.crt.pem` |
+|`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `{{ keycloak.home }}/conf/server.key.pem` |
+|`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `{{ keycloak.home }}/conf/server.crt.pem` |
 
 
 * Database configuration

roles/keycloak_quarkus/defaults/main.yml

@@ -36,8 +36,8 @@ keycloak_quarkus_java_opts: "-Xms1024m -Xmx2048m"
 
 ### TLS/HTTPS configuration
 keycloak_quarkus_https_enabled: False
-keycloak_quarkus_key_file: conf/server.key.pem
-keycloak_quarkus_cert_file: conf/server.crt.pem
+keycloak_quarkus_key_file: "{{ keycloak.home }}/conf/server.key.pem"
+keycloak_quarkus_cert_file: "{{ keycloak.home }}/conf/server.crt.pem"
 
 ### Enable configuration for database backend, clustering and remote caches on infinispan
 keycloak_quarkus_ha_enabled: False

roles/keycloak_quarkus/meta/argument_specs.yml

@@ -108,11 +108,11 @@ argument_specs:
                 description: "Enable listener on HTTPS port"
                 type: "bool" 
             keycloak_quarkus_key_file:
-                default: "conf/server.key.pem"
+                default: "{{ keycloak.home }}/conf/server.key.pem"
                 description: "The file path to a private key in PEM format"
                 type: "str"
             keycloak_quarkus_cert_file:
-                default: "conf/server.crt.pem"
+                default: "{{ keycloak.home }}/conf/server.crt.pem"
                 description: "The file path to a server certificate or certificate chain in PEM format"
                 type: "str"
             keycloak_quarkus_https_port:

roles/keycloak_quarkus/tasks/install.yml

@@ -84,9 +84,9 @@
     - local_archive_path.stat.exists
   become: yes
 
-- name: "Check target directory: {{ keycloak.home }}"
+- name: "Check target directory: {{ keycloak.home }}/bin/"
   ansible.builtin.stat:
-    path: "{{ keycloak.home }}"
+    path: "{{ keycloak.home }}/bin/"
   register: path_to_workdir
   become: yes
 
@@ -95,12 +95,12 @@
     remote_src: yes
     src: "{{ archive }}"
     dest: "{{ keycloak_quarkus_dest }}"
-    creates: "{{ keycloak.home }}"
+    creates: "{{ keycloak.home }}/bin/"
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
   become: yes
   when:
-    - new_version_downloaded.changed or not path_to_workdir.stat.exists
+    - (not path_to_workdir.stat.exists) or new_version_downloaded.changed
   notify:
     - restart keycloak
 
@@ -108,4 +108,4 @@
   ansible.builtin.debug:
     msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
   when:
-    - not new_version_downloaded.changed and path_to_workdir.stat.exists
+    - (not new_version_downloaded.changed) and path_to_workdir.stat.exists

roles/keycloak_quarkus/tasks/main.yml

@@ -28,6 +28,7 @@
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
     mode: 0644
+  become: yes
   notify:
     - restart keycloak
 
@@ -38,9 +39,19 @@
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
     mode: 0644
+  become: yes
   notify:
     - restart keycloak    
 
+- name: Ensure logdirectory exists
+  ansible.builtin.file:
+    state: directory
+    path:  "{{ keycloak.home }}/{{ keycloak.log.file | dirname }}"
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+    mode: 0775
+  become: yes
+
 - name: "Start and wait for keycloak service"
   ansible.builtin.include_tasks: start.yml
 
@@ -52,6 +63,7 @@
 - name: Link default logs directory
   ansible.builtin.file:
     state: link
-    src: "{{ keycloak.home }}/{{ keycloak.log.file }}"
+    src: "{{ keycloak.home }}/{{ keycloak.log.file | dirname }}"
     dest: /var/log/keycloak
     force: yes
+  become: yes

roles/keycloak_quarkus/templates/keycloak-sysconfig.j2

@@ -1,4 +1,5 @@
 # {{ ansible_managed }}
 KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }}
 KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'
+PATH={{ keycloak_java_home  | default(keycloak_rpm_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 JAVA_HOME={{ keycloak_java_home  | default(keycloak_rpm_java_home, true) }}

roles/keycloak_quarkus/templates/keycloak.conf.j2

@@ -19,8 +19,8 @@ http-port={{ keycloak_quarkus_http_port }}
 # HTTPS
 https-port={{ keycloak_quarkus_https_port }}
 {% if keycloak_quarkus_https_enabled %}
-https-certificate-file={{ keycloak.home }}/{{ keycloak_quarkus_cert_file}}
-https-certificate-key-file={{ keycloak.home }}/{{ keycloak_quarkus_key_file }}
+https-certificate-file={{ keycloak_quarkus_cert_file}}
+https-certificate-key-file={{ keycloak_quarkus_key_file }}
 {% endif %}
 
 # Hostname for the Keycloak server.

roles/keycloak_quarkus/vars/main.yml

@@ -10,6 +10,6 @@ keycloak:
   service_group: "{{ keycloak_quarkus_service_group }}"
   offline_install: "{{ keycloak_quarkus_offline_install }}"
   log:
-    file: "{{ keycloak_quarkus_log_file }}"
+    file: "{{ keycloak_quarkus_home }}/{{ keycloak_quarkus_log_file }}"
     level: "{{ keycloak_quarkus_log_level }}"
     format: "{{ keycloak_quarkus_log_format }}"