Update changelog for release 3.0.5

Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
Merge pull request #335 from RanabirChakraborty/AMW-528
2026-06-13 12:05:54 +00:00 · 2026-05-20 18:44:31 +00:00 · 2026-05-21 00:09:58 +05:30 · 2026-05-20 23:51:34 +05:30 · 2026-05-20 13:38:22 +00:00 · 2026-05-20 13:38:01 +00:00
179 changed files with 18594 additions and 1714 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -6,6 +6,7 @@ exclude_paths:
  - .ansible-lint
  - .yamllint
  - meta/
  - playbooks/roles/
 rulesdir:
   - ../../ansible-lint-custom-rules/rules/
@@ -20,11 +21,22 @@ warn_list:
  - experimental
  - ignore-errors
  - no-handler
  - fqcn-builtins
  - no-log-password
  - jinja[spacing]
  - jinja[invalid]
  - meta-no-tags
  - name[casing]
  - fqcn[action]
  - schema[meta]
  - key-order[task]
  - blocked_modules
  - run-once[task]
 skip_list:
  - vars_should_not_be_used
  - file_is_small_enough
  - file_has_valid_name
  - name[template]
  - var-naming[no-role-prefix]
 use_default_rules: true
 parseable: true
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,51 +1,25 @@
 ---
 name: CI
-"on":
+on:
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:
    inputs:
      debug_verbosity:
        description: 'ANSIBLE_VERBOSITY envvar value'
        required: false
  schedule:
    - cron: '15 6 * * *'
 jobs:
  ci:
-    runs-on: ubuntu-latest
+    uses: ansible-middleware/github-actions/.github/workflows/ci.yml@rootperm
-    strategy:
+    secrets: inherit
      matrix:
        python_version: ["3.9"]
    steps:
      - name: Check out code
        uses: actions/checkout@v2
    with:
-          path: ansible_collections/middleware_automation/keycloak
+      fqcn: 'middleware_automation/keycloak'
-
+      root_permission_varname: 'keycloak_install_requires_become'
-      - name: Set up Python ${{ matrix.python_version }}
+      debug_verbosity: "${{ github.event.inputs.debug_verbosity }}"
-        uses: actions/setup-python@v1
+      molecule_tests: >-
-        with:
+        [ "debian", "quarkus", "quarkus_ha", "quarkus_ha_remote", "quarkus_ha_26.4_below", "default", "quarkus_devmode", "quarkus_upgrade" ]
          python-version: ${{ matrix.python_version }}
      - name: Install yamllint, ansible and molecule
        run: |
          python -m pip install --upgrade pip
          pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
          pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
      - name: Install ansible-lint custom rules
        uses: actions/checkout@v2
        with:
          repository: ansible-middleware/ansible-lint-custom-rules
          path: ansible_collections/ansible-lint-custom-rules/
      - name: Create default collection path
        run: |
          mkdir -p /home/runner/.ansible/collections/ansible_collections
      - name: Run sanity tests
        run: ansible-test sanity --docker -v --color --python ${{ matrix.python_version }} --exclude changelogs/fragments/.gitignore
        working-directory: ./ansible_collections/middleware_automation/keycloak
      - name: Run molecule test
        run: molecule test --all
        working-directory: ./ansible_collections/middleware_automation/keycloak
        env:
          PY_COLORS: '1'
          ANSIBLE_FORCE_COLOR: '1'
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -8,54 +8,11 @@ on:
      - "[0-9]+.[0-9]+.[0-9]+"
  workflow_dispatch:
 env:
  COLORTERM: 'yes'
  TERM: 'xterm-256color'
  PYTEST_ADDOPTS: '--color=yes'
 jobs:
  docs:
-    runs-on: ubuntu-latest
+    uses: ansible-middleware/github-actions/.github/workflows/docs.yml@main
-    if: github.repository == 'ansible-middleware/keycloak'
+    secrets: inherit
    permissions:
      actions: write
      checks: write
      contents: write
      deployments: write
      packages: write
      pages: write
    steps:
      - name: Check out code
        uses: actions/checkout@v2
    with:
-          path: ansible_collections/middleware_automation/keycloak
+      fqcn: 'middleware_automation/keycloak'
-          fetch-depth: 0
+      collection_fqcn: 'middleware_automation.keycloak'
-
+      historical_docs: 'false'
      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: 3.9
      - name: Install doc dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r ansible_collections/middleware_automation/keycloak/docs/requirements.txt
          pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
          sudo apt install -y sed hub
      - name: Create default collection path
        run: |
          mkdir -p /home/runner/.ansible/collections/ansible_collections
      - name: Create changelog and documentation
        uses: ansible-middleware/collection-docs-action@main
        with:
          collection_fqcn: middleware_automation.keycloak
          collection_repo: ansible-middleware/keycloak
          dependencies: false
          commit_changelog: false
          commit_ghpages: true
          changelog_release: false
          generate_docs: true
          path: ansible_collections/middleware_automation/keycloak
          token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,96 +2,27 @@
 name: Release collection
 on:
  workflow_dispatch:
    inputs:
      release_summary:
        description: 'Optional release summary for changelogs'
        required: false
 jobs:
  release:
-    runs-on: ubuntu-latest
+    uses: ansible-middleware/github-actions/.github/workflows/release.yml@main
    if: github.repository == 'ansible-middleware/keycloak'
    permissions:
      actions: write
      checks: write
      contents: write
      deployments: write
      packages: write
      pages: write
    outputs:
      tag_version: ${{ steps.get_version.outputs.TAG_VERSION }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
    with:
-          fetch-depth: 0
+      collection_fqcn: 'middleware_automation.keycloak'
-          token: ${{ secrets.TRIGGERING_PAT }}
+      downstream_name: 'rhbk'
-
+      release_summary: "${{ github.event.inputs.release_summary }}"
-      - name: Set up Python
+    secrets:
-        uses: actions/setup-python@v1
+      galaxy_token: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
-        with:
+      jira_webhook: ${{ secrets.JIRA_WEBHOOK_CREATE_VERSION }}
          python-version: "3.x"
      - name: Get current version
        id: get_version
        run: echo "::set-output name=TAG_VERSION::$(grep version galaxy.yml | awk -F'"' '{ print $2 }')"
      - name: Check if tag exists
        id: check_tag
        run: echo "::set-output name=TAG_EXISTS::$(git tag | grep ${{ steps.get_version.outputs.TAG_VERSION }})"
      - name: Fail if tag exists
        if: ${{ steps.get_version.outputs.TAG_VERSION == steps.check_tag.outputs.TAG_EXISTS }}
        uses: actions/github-script@v3
        with:
          script: |
              core.setFailed('Release tag already exists')
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install ansible-core antsibull
          sudo apt install -y sed hub
      - name: Build collection
        run: |
          ansible-galaxy collection build .
      - name: Create changelog and documentation
        uses: ansible-middleware/collection-docs-action@main
        with:
          collection_fqcn: middleware_automation.keycloak
          collection_repo: ansible-middleware/keycloak
          dependencies: false
          commit_changelog: true
          commit_ghpages: false
          changelog_release: true
          generate_docs: false
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Publish collection
        env:
          ANSIBLE_GALAXY_API_KEY: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
        run: |
          ansible-galaxy collection publish *.tar.gz --api-key $ANSIBLE_GALAXY_API_KEY
      - name: Create release tag
        run: |
          git config user.name github-actions
          git config user.email github-actions@github.com
          git tag -a ${{ steps.get_version.outputs.TAG_VERSION }} -m "Release v${{ steps.get_version.outputs.TAG_VERSION }}" || true
          git push origin --tags
      - name: Publish Release
        uses: softprops/action-gh-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ steps.get_version.outputs.TAG_VERSION }}
          files: "*.tar.gz"
          body_path: gh-release.md
  dispatch:
    needs: release
    strategy:
      matrix:
-        repo: ['ansible-middleware/cross-dc-rhsso-demo', 'ansible-middleware/flange-demo', 'ansible-middleware/ansible-middleware-ee']
+        repo: ['ansible-middleware/ansible-middleware-ee']
    runs-on: ubuntu-latest
    steps:
      - name: Repository Dispatch
--- a/.github/workflows/traffic.yml
+++ b/.github/workflows/traffic.yml
@@ -0,0 +1,26 @@
 name: Collect traffic stats
 on:
  schedule:
    - cron: "51 23 * * 0"
  workflow_dispatch:
 jobs:
  traffic:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: "gh-pages"
      - name: GitHub traffic
        uses: sangonzal/repository-traffic-action@v.0.1.6
        env:
          TRAFFIC_ACTION_TOKEN: ${{ secrets.TRIGGERING_PAT }}
      - name: Commit changes
        uses: EndBug/add-and-commit@v4
        with:
          author_name: Ansible Middleware
          message: "GitHub traffic"
          add: "./traffic/*"
          ref: "gh-pages"
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,8 @@
 *.zip
 .tmp
 .cache
 .vscode/
 __pycache__/
 docs/plugins/
 docs/roles/
 docs/_build/
@@ -10,3 +12,6 @@ docs/_build/
 *.retry
 changelogs/.plugin-cache.yaml
 *.pem
 *.key
 *.p12
 .ansible/
--- a/.yamllint
+++ b/.yamllint
@@ -15,7 +15,8 @@ rules:
  commas:
    max-spaces-after: -1
    level: error
-  comments: disable
+  comments:
    min-spaces-from-content: 1
  comments-indentation: disable
  document-start: disable
  empty-lines:
@@ -31,3 +32,7 @@ rules:
    type: unix
  trailing-spaces: disable
  truthy: disable
  octal-values:
    forbid-implicit-octal: true
    forbid-explicit-octal: true
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,11 +1,483 @@
-============================================
+=============================================
-middleware_automation.keycloak Release Notes
+middleware\_automation.keycloak Release Notes
-============================================
+=============================================
 .. contents:: Topics
 This changelog describes changes after version 0.2.6.
 v3.0.5
 ======
 Minor Changes
 -------------
 - AMW-528 Deployment fails in keycloak_quarkus due to missing escalation variables `#335 <https://github.com/ansible-middleware/keycloak/pull/335>`_
 v3.0.4
 ======
 Major Changes
 -------------
 - AMW-467 Download keycloak binary from password protected HTTP location `#321 <https://github.com/ansible-middleware/keycloak/pull/321>`_
 - v26.4.x compability `#317 <https://github.com/ansible-middleware/keycloak/pull/317>`_
 Minor Changes
 -------------
 - AMW-518 Validating arguments against arg spec 'main' fails unexpectedly. `#324 <https://github.com/ansible-middleware/keycloak/pull/324>`_
 Bugfixes
 --------
 - Removing parseable from lint file as Additional properties are not allowed `#319 <https://github.com/ansible-middleware/keycloak/pull/319>`_
 v3.0.3
 ======
 Major Changes
 -------------
 - Update to keycloak 26.3.0 `#293 <https://github.com/ansible-middleware/keycloak/pull/293>`_
 - ansible-core 2.19 compatibility `#310 <https://github.com/ansible-middleware/keycloak/pull/310>`_
 Minor Changes
 -------------
 - Allow to install provider jars from remote paths `#303 <https://github.com/ansible-middleware/keycloak/pull/303>`_
 - Declared proxy_mode as deprecated, updated quarkus and realm readme `#306 <https://github.com/ansible-middleware/keycloak/pull/306>`_
 - Fix config_key_store_file description to match variable name `#308 <https://github.com/ansible-middleware/keycloak/pull/308>`_
 Bugfixes
 --------
 - keycloak collection CI label is showing no status `#312 <https://github.com/ansible-middleware/keycloak/pull/312>`_
 - keycloak_realm: allow secret in keycloak_clients `#304 <https://github.com/ansible-middleware/keycloak/pull/304>`_
 v3.0.2
 ======
 Minor Changes
 -------------
 - New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_
 - New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_
 - Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_
 - Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_
 Bugfixes
 --------
 - Fix ``keycloak_quarkus_force_install`` parameter being ignored by install `#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_
 - Fix alternate download location being ignored (JBossNeworkAPI always used) `#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_
 - Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_
 - Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_
 - keycloak_realm: federation default provider type should be a string `#302 <https://github.com/ansible-middleware/keycloak/pull/302>`_
 v3.0.1
 ======
 Minor Changes
 -------------
 - Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_
 Bugfixes
 --------
 - Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_
 v3.0.0
 ======
 Minor Changes
 -------------
 - Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_
 - keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_
 Breaking Changes / Porting Guide
 --------------------------------
 - Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_
 - Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_
 - Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_
 Bugfixes
 --------
 - Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_
 - Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_
 - Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_
 - Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_
 New Modules
 -----------
 - middleware_automation.keycloak.keycloak_realm - Allows administration of Keycloak realm via Keycloak API
 v2.4.3
 ======
 Minor Changes
 -------------
 - Update keycloak to 24.0.5 `#241 <https://github.com/ansible-middleware/keycloak/pull/241>`_
 v2.4.2
 ======
 Minor Changes
 -------------
 - New parameter ``keycloak_quarkus_download_path``  `#239 <https://github.com/ansible-middleware/keycloak/pull/239>`_
 Bugfixes
 --------
 - Add wait_for_port number parameter `#237 <https://github.com/ansible-middleware/keycloak/pull/237>`_
 v2.4.1
 ======
 Release Summary
 ---------------
 Internal release, documentation or test changes only.
 v2.4.0
 ======
 Major Changes
 -------------
 - Enable by default health check on restart `#234 <https://github.com/ansible-middleware/keycloak/pull/234>`_
 - Update minimum ansible-core version > 2.15 `#232 <https://github.com/ansible-middleware/keycloak/pull/232>`_
 v2.3.0
 ======
 Major Changes
 -------------
 - Allow for custom providers hosted on maven repositories `#223 <https://github.com/ansible-middleware/keycloak/pull/223>`_
 - Restart handler strategy behaviour `#231 <https://github.com/ansible-middleware/keycloak/pull/231>`_
 Minor Changes
 -------------
 - Add support for policy files `#225 <https://github.com/ansible-middleware/keycloak/pull/225>`_
 - Allow to add extra custom env vars in sysconfig file `#229 <https://github.com/ansible-middleware/keycloak/pull/229>`_
 - Download from alternate URL with optional http authentication `#220 <https://github.com/ansible-middleware/keycloak/pull/220>`_
 - Update Keycloak to version 24.0.4 `#218 <https://github.com/ansible-middleware/keycloak/pull/218>`_
 - ``proxy-header`` enhancement `#227 <https://github.com/ansible-middleware/keycloak/pull/227>`_
 Bugfixes
 --------
 - ``kc.sh build`` uses configured jdk `#211 <https://github.com/ansible-middleware/keycloak/pull/211>`_
 v2.2.2
 ======
 Minor Changes
 -------------
 - Copying of key material for TLS configuration `#210 <https://github.com/ansible-middleware/keycloak/pull/210>`_
 - Validate certs parameter for JDBC driver downloads `#207 <https://github.com/ansible-middleware/keycloak/pull/207>`_
 Bugfixes
 --------
 - Turn off controller privilege escalation `#209 <https://github.com/ansible-middleware/keycloak/pull/209>`_
 v2.2.1
 ======
 Release Summary
 ---------------
 Internal release, documentation or test changes only.
 Bugfixes
 --------
 - JDBC provider: fix clause in argument validation `#204 <https://github.com/ansible-middleware/keycloak/pull/204>`_
 v2.2.0
 ======
 Major Changes
 -------------
 - Support java keystore for configuration of sensitive options `#189 <https://github.com/ansible-middleware/keycloak/pull/189>`_
 Minor Changes
 -------------
 - Add ``wait_for_port`` and ``wait_for_log`` systemd unit logic `#199 <https://github.com/ansible-middleware/keycloak/pull/199>`_
 - Customize jdbc driver downloads, optional authentication `#202 <https://github.com/ansible-middleware/keycloak/pull/202>`_
 - Keystore-based vault SPI configuration `#196 <https://github.com/ansible-middleware/keycloak/pull/196>`_
 - New ``keycloak_quarkus_hostname_strict_https`` parameter `#195 <https://github.com/ansible-middleware/keycloak/pull/195>`_
 - Providers config and custom providers `#201 <https://github.com/ansible-middleware/keycloak/pull/201>`_
 - Remove administrator credentials from files once keycloak is bootstrapped `#197 <https://github.com/ansible-middleware/keycloak/pull/197>`_
 - Update keycloak to 24.0 `#194 <https://github.com/ansible-middleware/keycloak/pull/194>`_
 v2.1.2
 ======
 Release Summary
 ---------------
 Internal release, documentation or test changes only.
 v2.1.1
 ======
 Minor Changes
 -------------
 - Add reverse ``proxy_headers`` config, supersedes ``proxy_mode`` `#187 <https://github.com/ansible-middleware/keycloak/pull/187>`_
 - Debian/Ubuntu compatibility `#178 <https://github.com/ansible-middleware/keycloak/pull/178>`_
 - Use ``keycloak_realm`` as default for sub-entities `#180 <https://github.com/ansible-middleware/keycloak/pull/180>`_
 Bugfixes
 --------
 - Fix permissions on controller-side downloaded artifacts `#184 <https://github.com/ansible-middleware/keycloak/pull/184>`_
 - JVM args moved to ``JAVA_OPTS`` envvar (instead of JAVA_OPTS_APPEND) `#186 <https://github.com/ansible-middleware/keycloak/pull/186>`_
 - Unrelax configuration file permissions `#191 <https://github.com/ansible-middleware/keycloak/pull/191>`_
 - Utilize comment filter for ``ansible_managed`` annotations `#176 <https://github.com/ansible-middleware/keycloak/pull/176>`_
 v2.1.0
 ======
 Major Changes
 -------------
 - Implement infinispan TCPPING discovery protocol `#159 <https://github.com/ansible-middleware/keycloak/pull/159>`_
 Minor Changes
 -------------
 - Set enable-recovery when xa transactions are enabled `#167 <https://github.com/ansible-middleware/keycloak/pull/167>`_
 - keycloak_quarkus: Allow configuring log rotate options in quarkus configuration `#161 <https://github.com/ansible-middleware/keycloak/pull/161>`_
 - keycloak_quarkus: ``sticky-session`` for infinispan routes `#163 <https://github.com/ansible-middleware/keycloak/pull/163>`_
 Breaking Changes / Porting Guide
 --------------------------------
 - keycloak_quarkus: renamed infinispan host list configuration `#157 <https://github.com/ansible-middleware/keycloak/pull/157>`_
 Bugfixes
 --------
 - keycloak_quarkus: fix custom JAVA_HOME parameter name `#171 <https://github.com/ansible-middleware/keycloak/pull/171>`_
 v2.0.2
 ======
 Minor Changes
 -------------
 - keycloak_quarkus: Add support for sqlserver jdbc driver `#148 <https://github.com/ansible-middleware/keycloak/pull/148>`_
 - keycloak_quarkus: allow configuration of ``hostname-strict-backchannel`` `#152 <https://github.com/ansible-middleware/keycloak/pull/152>`_
 - keycloak_quarkus: systemd restart behavior `#145 <https://github.com/ansible-middleware/keycloak/pull/145>`_
 Bugfixes
 --------
 - keycloak_quarkus: Use ``keycloak_quarkus_java_opts`` `#154 <https://github.com/ansible-middleware/keycloak/pull/154>`_
 - keycloak_quarkus: allow ports <1024 (e.g. :443) in systemd unit `#150 <https://github.com/ansible-middleware/keycloak/pull/150>`_
 v2.0.1
 ======
 Minor Changes
 -------------
 - keycloak_quarkus: add hostname-strict parameter `#139 <https://github.com/ansible-middleware/keycloak/pull/139>`_
 - keycloak_quarkus: update to version 23.0.1 `#133 <https://github.com/ansible-middleware/keycloak/pull/133>`_
 Bugfixes
 --------
 - keycloak_quarkus: template requires lowercase boolean values `#138 <https://github.com/ansible-middleware/keycloak/pull/138>`_
 v2.0.0
 ======
 Minor Changes
 -------------
 - Add new parameter for port offset configuration `#124 <https://github.com/ansible-middleware/keycloak/pull/124>`_
 - Update Keycloak to version 22.0.5 `#122 <https://github.com/ansible-middleware/keycloak/pull/122>`_
 Breaking Changes / Porting Guide
 --------------------------------
 - Add support for more http-related configs `#115 <https://github.com/ansible-middleware/keycloak/pull/115>`_
 - Update minimum ansible-core version > 2.14 `#119 <https://github.com/ansible-middleware/keycloak/pull/119>`_
 - keycloak_quarkus: enable config of key store and trust store `#116 <https://github.com/ansible-middleware/keycloak/pull/116>`_
 v1.3.0
 ======
 Major Changes
 -------------
 - Run service as ``keycloak_service_user`` `#106 <https://github.com/ansible-middleware/keycloak/pull/106>`_
 Minor Changes
 -------------
 - keycloak_quarkus: Update Keycloak to version 22.0.3 `#112 <https://github.com/ansible-middleware/keycloak/pull/112>`_
 - keycloak_quarkus: fix admin console redirect when running locally `#111 <https://github.com/ansible-middleware/keycloak/pull/111>`_
 - keycloak_quarkus: skip proxy config if ``keycloak_quarkus_proxy_mode`` is ``none`` `#109 <https://github.com/ansible-middleware/keycloak/pull/109>`_
 Bugfixes
 --------
 - keycloak_quarkus: fix validation failure upon port configuration change `#113 <https://github.com/ansible-middleware/keycloak/pull/113>`_
 v1.2.8
 ======
 Minor Changes
 -------------
 - keycloak_quarkus: set openjdk 17 as default `#103 <https://github.com/ansible-middleware/keycloak/pull/103>`_
 - keycloak_quarkus: update to version 22.0.1 `#107 <https://github.com/ansible-middleware/keycloak/pull/107>`_
 Bugfixes
 --------
 - Fix incorrect checks for ``keycloak_jgroups_subnet`` `#98 <https://github.com/ansible-middleware/keycloak/pull/98>`_
 - Undefine ``keycloak_db_valid_conn_sql`` default `#91 <https://github.com/ansible-middleware/keycloak/pull/91>`_
 - Update bindep.txt package python3-devel to support RHEL9 `#105 <https://github.com/ansible-middleware/keycloak/pull/105>`_
 v1.2.7
 ======
 Minor Changes
 -------------
 - Allow to override jgroups subnet `#93 <https://github.com/ansible-middleware/keycloak/pull/93>`_
 - keycloak-quarkus: update keycloakx to v21.1.1 `#92 <https://github.com/ansible-middleware/keycloak/pull/92>`_
 v1.2.6
 ======
 Minor Changes
 -------------
 - Add profile features enabling/disabling `#87 <https://github.com/ansible-middleware/keycloak/pull/87>`_
 - Improve service restart behavior configuration `#88 <https://github.com/ansible-middleware/keycloak/pull/88>`_
 - Update default xa_datasource_class value for mariadb jdbc configuration `#89 <https://github.com/ansible-middleware/keycloak/pull/89>`_
 Bugfixes
 --------
 - Handle WFLYCTL0117 when background validation millis is 0 `#90 <https://github.com/ansible-middleware/keycloak/pull/90>`_
 v1.2.5
 ======
 Minor Changes
 -------------
 - Add configuration for database connection pool validation `#85 <https://github.com/ansible-middleware/keycloak/pull/85>`_
 - Allow to configure administration endpoint URL `#86 <https://github.com/ansible-middleware/keycloak/pull/86>`_
 - Allow to force backend URLs to frontend URLs `#84 <https://github.com/ansible-middleware/keycloak/pull/84>`_
 - Introduce systemd unit restart behavior `#81 <https://github.com/ansible-middleware/keycloak/pull/81>`_
 v1.2.4
 ======
 Minor Changes
 -------------
 - Add ``sqlserver`` to keycloak role jdbc configurations `#78 <https://github.com/ansible-middleware/keycloak/pull/78>`_
 - Add configurability for XA transactions `#73 <https://github.com/ansible-middleware/keycloak/pull/73>`_
 Bugfixes
 --------
 - Fix deprecation warning for ``ipaddr`` `#77 <https://github.com/ansible-middleware/keycloak/pull/77>`_
 - Fix undefined facts when offline patching sso `#71 <https://github.com/ansible-middleware/keycloak/pull/71>`_
 v1.2.1
 ======
 Minor Changes
 -------------
 - Allow to setup keycloak HA cluster without remote cache store `#68 <https://github.com/ansible-middleware/keycloak/pull/68>`_
 Bugfixes
 --------
 - Pass attributes to realm clients `#69 <https://github.com/ansible-middleware/keycloak/pull/69>`_
 v1.2.0
 ======
 Major Changes
 -------------
 - Provide config for multiple modcluster proxies `#60 <https://github.com/ansible-middleware/keycloak/pull/60>`_
 Minor Changes
 -------------
 - Allow to configure TCPPING for cluster discovery `#62 <https://github.com/ansible-middleware/keycloak/pull/62>`_
 - Drop community.general from dependencies `#61 <https://github.com/ansible-middleware/keycloak/pull/61>`_
 - Switch middleware_automation.redhat_csp_download for middleware_automation.common `#63 <https://github.com/ansible-middleware/keycloak/pull/63>`_
 - Switch to middleware_automation.common for rh-sso patching `#64 <https://github.com/ansible-middleware/keycloak/pull/64>`_
 v1.1.1
 ======
 Bugfixes
 --------
 - keycloak-quarkus: fix ``cache-config-file`` path in keycloak.conf.j2 template `#53 <https://github.com/ansible-middleware/keycloak/pull/53>`_
 v1.1.0
 ======
 Minor Changes
 -------------
 - Update keycloak to 18.0.2 - sso to 7.6.1 `#46 <https://github.com/ansible-middleware/keycloak/pull/46>`_
 - Variable ``keycloak_no_log`` controls ansible ``no_log`` parameter (for debugging purposes) `#47 <https://github.com/ansible-middleware/keycloak/pull/47>`_
 - Variables to override service start retries and delay `#51 <https://github.com/ansible-middleware/keycloak/pull/51>`_
 - keycloak_quarkus: variable to enable development mode `#45 <https://github.com/ansible-middleware/keycloak/pull/45>`_
 Breaking Changes / Porting Guide
 --------------------------------
 - Rename variables from ``infinispan_`` prefix to ``keycloak_infinispan_`` `#42 <https://github.com/ansible-middleware/keycloak/pull/42>`_
 Bugfixes
 --------
 - keycloak_quarkus: fix /var/log/keycloak symlink to keycloak log directory `#44 <https://github.com/ansible-middleware/keycloak/pull/44>`_
 v1.0.7
 ======
 Breaking Changes / Porting Guide
 --------------------------------
 - keycloak_quarkus: use absolute path for certificate files `#39 <https://github.com/ansible-middleware/keycloak/pull/39>`_
 Bugfixes
 --------
 - keycloak_quarkus: use become for tasks that will otherwise fail `#38 <https://github.com/ansible-middleware/keycloak/pull/38>`_
 v1.0.6
 ======
@@ -26,6 +498,11 @@ Minor Changes
 v1.0.4
 ======
 Release Summary
 ---------------
 Internal release, documentation or test changes only.
 v1.0.3
 ======
@@ -66,7 +543,6 @@ Release Summary
 Minor enhancements, bug and documentation fixes.
 Major Changes
 -------------
@@ -84,4 +560,3 @@ Release Summary
 ---------------
 This is the first stable release of the ``middleware_automation.keycloak`` collection.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,3 +1,37 @@
 ## Developing
 ### Build and install locally
 Clone the repository, checkout the tag you want to build, or pick the main branch for the development version; then:
    ansible-galaxy collection build .
    ansible-galaxy collection install middleware_automation-keycloak-*.tar.gz
 ### Development environment
 Make sure your development machine has avilable:
 * python 3.11+
 * virtualenv
 * docker (or podman)
 In order to run setup the development environment and run the molecule tests locally, after cloning the repository:
 ```
 # create new virtualenv using python 3
 virtualenv $PATH_TO_DEV_VIRTUALENV
 # activate the virtual env
 source $PATH_TO_DEV_VIRTUALENV/bin/activate
 # install ansible and tools onto the virtualenv
 pip install yamllint 'molecule>=6.0' 'molecule-plugins[docker]' 'ansible-core>=2.16' ansible-lint
 # install collection dependencies
 ansible-galaxy collection install -r requirements.yml
 # install python dependencies
 pip install -r requirements.txt molecule/requirements.txt
 # execute the tests (replace --all with -s subdirectory to run a single test)
 molecule test --all
 ```
 ## Contributor's Guidelines
--- a/README.md
+++ b/README.md
@@ -1,14 +1,18 @@
 # Ansible Collection - middleware_automation.keycloak
-[![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
+<!--start build_status -->
 [![Build Status](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
 > **_NOTE:_ If you are Red Hat customer, install `redhat.rhbk` (for Red Hat Build of Keycloak) or `redhat.sso` (for Red Hat Single Sign-On) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.**
-Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on). 
+<!--end build_status -->
-
+<!--start description -->
 Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) / [Red Hat Build of Keycloak](https://access.redhat.com/products/red-hat-build-of-keycloak).
 <!--end description -->
 <!--start requires_ansible-->
 ## Ansible version compatibility
-This collection has been tested against following Ansible versions: **>=2.9.10**.
+This collection has been tested against following Ansible versions: **>=2.16.0**.
 Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
 <!--end requires_ansible-->
@@ -16,12 +20,15 @@ Plugins and modules within a collection may be tested with only specific Ansible
 ## Installation
 <!--start galaxy_download -->
 ### Installing the Collection from Ansible Galaxy
 Before using the collection, you need to install it with the Ansible Galaxy CLI:
    ansible-galaxy collection install middleware_automation.keycloak
 <!--end galaxy_download -->
 You can also include it in a `requirements.yml` file and install it via `ansible-galaxy collection install -r requirements.yml`, using the format:
 ```yaml
@@ -33,84 +40,60 @@ collections:
 The keycloak collection also depends on the following python packages to be present on the controller host:
 * netaddr
 * lxml
 A requirement file is provided to install:
    pip install -r requirements.txt
-
+<!--start roles_paths -->
 ### Included roles
-* [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service.
+* `keycloak_quarkus`: role for installing keycloak (>= 19.0.0, quarkus based).
-* [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
+* `keycloak_realm`: role for configuring a realm, user federation(s), clients and users, in an installed service.
-* [`keycloak_quarkus`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md): role for installing the quarkus variant of keycloak (>= 17.0.0).
+* `keycloak`: role for installing legacy keycloak (<= 19.0, wildfly based).
 <!--end roles_paths -->
 ### Included modules
 * `keycloak_realm`: module for managing Keycloak realms (create/update/delete).
 * `keycloak_client`: module for managing Keycloak clients (create/update/delete).
 * `keycloak_role`: module for managing Keycloak roles — realm roles and client roles (create/update/delete).
 * `keycloak_user_federation`: module for managing user federations such as LDAP/AD (create/update/delete).
 * `keycloak_client_scope`: module for managing client scopes and protocol mappers (create/update/delete).
 * `keycloak_authentication_flow`: module for managing authentication flows and execution steps (create/delete, copy existing flows).
 ## Usage
 ### Install Playbook
-
+<!--start rhbk_playbook -->
-* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs the upstream(Keycloak) based on the defined variables.
+* [`playbooks/keycloak_quarkus.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_quarkus.yml) installs keycloak >= 17 based on the defined variables (using most defaults).
-* [`playbooks/rhsso.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/rhsso.yml) installs Red Hat Single Sign-On(RHSSO) based on defined variables.
+* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs keycloak legacy based on the defined variables (using most defaults).
 Both playbooks include the `keycloak` role, with different settings, as described in the following sections.
 For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md).
 <!--end rhbk_playbook -->
 #### Install from controller node (offline)
-### Choosing between upstream project (Keycloak) and Red Hat Single Sign-On (RHSSO)
+Making the keycloak zip archive available to the playbook working directory, and setting `keycloak_offline_install` to `true`, allows to skip
-
+the download tasks. The local path for the archive does match the downloaded archive path, so that it is also used as a cache when multiple hosts are provisioned in a cluster.
 The general flag `keycloak_rhsso_enable` controls what to install between upstream (Keycloak, when `False`) or Red Hat Single Sign-On (when `True`).
 The default value for the flag if `True` when Red Hat Network credentials are defined, `False` otherwise.
 #### Install upstream (Keycloak) from keycloak releases
 This is the default approach when RHN credentials are not defined. Keycloak is downloaded from keycloak builds (hosted on github.com) locally, and distributed to target nodes.
 #### Install RHSSO from the Red Hat Customer Support Portal
 Define the credentials as follows, and the default behaviour is to download a fresh archive of RHSSO on the controller node, then distribute to target nodes.
 ```yaml
-rhn_username: '<customer_portal_username>'
+keycloak_offline_install: true
 rhn_password: '<customer_portal_password>'
 # (keycloak_rhsso_enable defaults to True)
 ```
-#### Install from controller node (local source)
+<!--start rhn_credentials -->
-
+<!--end rhn_credentials -->
 Making the keycloak zip archive (or the RHSSO zip archive), available to the playbook repository root directory, and setting `keycloak_offline_install` to `True`, allows to skip
 the download tasks. The local path for the archive matches the downloaded archive path, so it is also used as a cache when multiple hosts are provisioned in a cluster.
 ```yaml
 keycloak_offline_install: True
 ```
 And depending on `keycloak_rhsso_enable`:
 * `True`: install RHSSO using file rh-sso-x.y.z-server-dist.zip
 * `False`: install keycloak using file keycloak-x.y.zip
 #### Install from alternate sources (like corporate Nexus, artifactory, proxy, etc)
-For RHSSO:
+It is possible to perform downloads from alternate sources, using the `keycloak_download_url` variable; make sure the final downloaded filename matches with the source filename (ie. keycloak-legacy-x.y.zip or rh-sso-x.y.z-server-dist.zip).
 ```yaml
 keycloak_rhsso_enable: True
 keycloak_rhsso_download_url: "https://<internal-nexus.private.net>/<path>/<to>/rh-sso-x.y.z-server-dist.zip"
 ```
 For keycloak:
 ```yaml
 keycloak_rhsso_enable: False
 keycloak_download_url: "https://<internal-nexus.private.net>/<path>/<to>/keycloak-x.y.zip"
 ```
 ### Example installation command
@@ -129,14 +112,19 @@ ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e
  localhost ansible_connection=local
  ```
 Note: when deploying clustered configurations, all hosts belonging to the cluster must be present in `ansible_play_batch`; ie. they must be targeted by the same ansible-playbook execution.
 ## Configuration
-### Config Playbook
+### Config Playbooks
-
+<!--start rhbk_realm_playbook -->
-[`playbooks/keycloak_realm.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
+* [`playbooks/keycloak_realm.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
-
+<!--end rhbk_realm_playbook -->
 * [`playbooks/keycloak_realm_client.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_realm_client.yml) creates a realm with clients, roles and users using the `keycloak_realm` role.
 * [`playbooks/keycloak_client_scope.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_client_scope.yml) creates a client scope with protocol mappers using the `keycloak_client_scope` module.
 * [`playbooks/keycloak_authentication_flow.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_authentication_flow.yml) creates a custom authentication flow with execution steps using the `keycloak_authentication_flow` module.
 ### Example configuration command
@@ -154,16 +142,28 @@ ansible-playbook -i <ansible_hosts> playbooks/keycloak_realm.yml -e keycloak_adm
  [keycloak]
  localhost ansible_connection=local
  ```
-
+<!--start rhbk_realm_readme -->
 For full configuration details, refer to the [keycloak_realm role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md).
 <!--end rhbk_realm_readme -->
 ## Support
-Keycloak collection v1.0.0 is a Beta release and for [Technical Preview](https://access.redhat.com/support/offerings/techpreview). If you have any issues or questions related to collection, please don't hesitate to contact us on Ansible-middleware-core@redhat.com or open an issue on https://github.com/ansible-middleware/keycloak/issues
+<!--start support -->
 For bug reports and feature requests, use [GitHub Issues](https://github.com/ansible-middleware/keycloak/issues).
 <!--end support -->
 ## Release and Upgrade Notes
 For details on changes between versions, please see the [CHANGELOG](https://github.com/ansible-middleware/keycloak/blob/main/CHANGELOG.rst) for this collection.
 ## License
 Apache License v2.0 or later
-
+<!--start license -->
 See [LICENSE](LICENSE) to view the full text.
-
+<!--end license -->
--- a/bindep.txt
+++ b/bindep.txt
@@ -1,7 +1,9 @@
-python39-devel [platform:rpm compile]
+python3-dev [compile platform:dpkg]
-git-lfs [platform:rpm]
+python3-devel [compile platform:rpm]
-python3-netaddr [platform:rpm]
+python39-devel [compile platform:centos-8 platform:rhel-8]
-python3-lxml [platform:rpm]
+git-lfs [platform:rpm platform:dpkg]
-python3-jmespath [platform:rpm]
+python3-netaddr [platform:rpm platform:dpkg]
-python3-requests [platform:rpm]
+python3-lxml [platform:rpm platform:dpkg]
 python3-jmespath [platform:rpm platform:dpkg]
 python3-requests [platform:rpm platform:dpkg]
--- a/changelogs/changelog.yaml
+++ b/changelogs/changelog.yaml
@@ -59,6 +59,10 @@ releases:
    - 31.yaml
    release_date: '2022-05-09'
  1.0.4:
    changes:
      release_summary: 'Internal release, documentation or test changes only.
        '
    release_date: '2022-05-11'
  1.0.5:
    changes:
@@ -82,3 +86,708 @@ releases:
    - 34.yaml
    - 35.yaml
    release_date: '2022-06-01'
  1.0.7:
    changes:
      breaking_changes:
      - 'keycloak_quarkus: use absolute path for certificate files `#39 <https://github.com/ansible-middleware/keycloak/pull/39>`_
        '
      bugfixes:
      - 'keycloak_quarkus: use become for tasks that will otherwise fail `#38 <https://github.com/ansible-middleware/keycloak/pull/38>`_
        '
    fragments:
    - 38.yaml
    - 39.yaml
    release_date: '2022-07-06'
  1.1.0:
    changes:
      breaking_changes:
      - 'Rename variables from ``infinispan_`` prefix to ``keycloak_infinispan_``
        `#42 <https://github.com/ansible-middleware/keycloak/pull/42>`_
        '
      bugfixes:
      - 'keycloak_quarkus: fix /var/log/keycloak symlink to keycloak log directory
        `#44 <https://github.com/ansible-middleware/keycloak/pull/44>`_
        '
      minor_changes:
      - 'Update keycloak to 18.0.2 - sso to 7.6.1 `#46 <https://github.com/ansible-middleware/keycloak/pull/46>`_
        '
      - 'Variable ``keycloak_no_log`` controls ansible ``no_log`` parameter (for debugging
        purposes) `#47 <https://github.com/ansible-middleware/keycloak/pull/47>`_
        '
      - 'Variables to override service start retries and delay `#51 <https://github.com/ansible-middleware/keycloak/pull/51>`_
        '
      - 'keycloak_quarkus: variable to enable development mode `#45 <https://github.com/ansible-middleware/keycloak/pull/45>`_
        '
    fragments:
    - 42.yaml
    - 44.yaml
    - 45.yaml
    - 46.yaml
    - 47.yaml
    - 51.yaml
    release_date: '2023-01-09'
  1.1.1:
    changes:
      bugfixes:
      - 'keycloak-quarkus: fix ``cache-config-file`` path in keycloak.conf.j2 template
        `#53 <https://github.com/ansible-middleware/keycloak/pull/53>`_
        '
    fragments:
    - 53.yaml
    release_date: '2023-03-07'
  1.2.0:
    changes:
      major_changes:
      - 'Provide config for multiple modcluster proxies `#60 <https://github.com/ansible-middleware/keycloak/pull/60>`_
        '
      minor_changes:
      - 'Allow to configure TCPPING for cluster discovery `#62 <https://github.com/ansible-middleware/keycloak/pull/62>`_
        '
      - 'Drop community.general from dependencies `#61 <https://github.com/ansible-middleware/keycloak/pull/61>`_
        '
      - 'Switch middleware_automation.redhat_csp_download for middleware_automation.common
        `#63 <https://github.com/ansible-middleware/keycloak/pull/63>`_
        '
      - 'Switch to middleware_automation.common for rh-sso patching `#64 <https://github.com/ansible-middleware/keycloak/pull/64>`_
        '
    fragments:
    - 60.yaml
    - 61.yaml
    - 62.yaml
    - 63.yaml
    - 64.yaml
    release_date: '2023-03-16'
  1.2.1:
    changes:
      bugfixes:
      - 'Pass attributes to realm clients `#69 <https://github.com/ansible-middleware/keycloak/pull/69>`_
        '
      minor_changes:
      - 'Allow to setup keycloak HA cluster without remote cache store `#68 <https://github.com/ansible-middleware/keycloak/pull/68>`_
        '
    fragments:
    - 68.yaml
    - 69.yaml
    release_date: '2023-04-11'
  1.2.4:
    changes:
      bugfixes:
      - 'Fix deprecation warning for ``ipaddr`` `#77 <https://github.com/ansible-middleware/keycloak/pull/77>`_
        '
      - 'Fix undefined facts when offline patching sso `#71 <https://github.com/ansible-middleware/keycloak/pull/71>`_
        '
      minor_changes:
      - 'Add ``sqlserver`` to keycloak role jdbc configurations `#78 <https://github.com/ansible-middleware/keycloak/pull/78>`_
        '
      - 'Add configurability for XA transactions `#73 <https://github.com/ansible-middleware/keycloak/pull/73>`_
        '
    fragments:
    - 71.yaml
    - 73.yaml
    - 77.yaml
    - 78.yaml
    release_date: '2023-05-09'
  1.2.5:
    changes:
      minor_changes:
      - 'Add configuration for database connection pool validation `#85 <https://github.com/ansible-middleware/keycloak/pull/85>`_
        '
      - 'Allow to configure administration endpoint URL `#86 <https://github.com/ansible-middleware/keycloak/pull/86>`_
        '
      - 'Allow to force backend URLs to frontend URLs `#84 <https://github.com/ansible-middleware/keycloak/pull/84>`_
        '
      - 'Introduce systemd unit restart behavior `#81 <https://github.com/ansible-middleware/keycloak/pull/81>`_
        '
    fragments:
    - 81.yaml
    - 84.yaml
    - 85.yaml
    - 86.yaml
    release_date: '2023-05-26'
  1.2.6:
    changes:
      bugfixes:
      - 'Handle WFLYCTL0117 when background validation millis is 0 `#90 <https://github.com/ansible-middleware/keycloak/pull/90>`_
        '
      minor_changes:
      - 'Add profile features enabling/disabling `#87 <https://github.com/ansible-middleware/keycloak/pull/87>`_
        '
      - 'Improve service restart behavior configuration `#88 <https://github.com/ansible-middleware/keycloak/pull/88>`_
        '
      - 'Update default xa_datasource_class value for mariadb jdbc configuration `#89
        <https://github.com/ansible-middleware/keycloak/pull/89>`_
        '
    fragments:
    - 87.yaml
    - 88.yaml
    - 89.yaml
    - 90.yaml
    release_date: '2023-06-07'
  1.2.7:
    changes:
      minor_changes:
      - 'Allow to override jgroups subnet `#93 <https://github.com/ansible-middleware/keycloak/pull/93>`_
        '
      - 'keycloak-quarkus: update keycloakx to v21.1.1 `#92 <https://github.com/ansible-middleware/keycloak/pull/92>`_
        '
    fragments:
    - 92.yaml
    - 93.yaml
    release_date: '2023-06-19'
  1.2.8:
    changes:
      bugfixes:
      - 'Fix incorrect checks for ``keycloak_jgroups_subnet`` `#98 <https://github.com/ansible-middleware/keycloak/pull/98>`_
        '
      - 'Undefine ``keycloak_db_valid_conn_sql`` default `#91 <https://github.com/ansible-middleware/keycloak/pull/91>`_
        '
      - 'Update bindep.txt package python3-devel to support RHEL9 `#105 <https://github.com/ansible-middleware/keycloak/pull/105>`_
        '
      minor_changes:
      - 'keycloak_quarkus: set openjdk 17 as default `#103 <https://github.com/ansible-middleware/keycloak/pull/103>`_
        '
      - 'keycloak_quarkus: update to version 22.0.1 `#107 <https://github.com/ansible-middleware/keycloak/pull/107>`_
        '
    fragments:
    - 103.yaml
    - 105.yaml
    - 107.yaml
    - 91.yaml
    - 98.yaml
    release_date: '2023-08-28'
  1.3.0:
    changes:
      bugfixes:
      - 'keycloak_quarkus: fix validation failure upon port configuration change `#113
        <https://github.com/ansible-middleware/keycloak/pull/113>`_
        '
      major_changes:
      - 'Run service as ``keycloak_service_user`` `#106 <https://github.com/ansible-middleware/keycloak/pull/106>`_
        '
      minor_changes:
      - 'keycloak_quarkus: Update Keycloak to version 22.0.3 `#112 <https://github.com/ansible-middleware/keycloak/pull/112>`_
        '
      - 'keycloak_quarkus: fix admin console redirect when running locally `#111 <https://github.com/ansible-middleware/keycloak/pull/111>`_
        '
      - 'keycloak_quarkus: skip proxy config if ``keycloak_quarkus_proxy_mode`` is
        ``none`` `#109 <https://github.com/ansible-middleware/keycloak/pull/109>`_
        '
    fragments:
    - 106.yaml
    - 109.yaml
    - 111.yaml
    - 112.yaml
    - 113.yaml
    release_date: '2023-09-25'
  2.0.0:
    changes:
      breaking_changes:
      - 'Add support for more http-related configs `#115 <https://github.com/ansible-middleware/keycloak/pull/115>`_
        '
      - 'Update minimum ansible-core version > 2.14 `#119 <https://github.com/ansible-middleware/keycloak/pull/119>`_
        '
      - 'keycloak_quarkus: enable config of key store and trust store `#116 <https://github.com/ansible-middleware/keycloak/pull/116>`_
        '
      minor_changes:
      - 'Add new parameter for port offset configuration `#124 <https://github.com/ansible-middleware/keycloak/pull/124>`_
        '
      - 'Update Keycloak to version 22.0.5 `#122 <https://github.com/ansible-middleware/keycloak/pull/122>`_
        '
    fragments:
    - 115.yaml
    - 116.yaml
    - 119.yaml
    - 122.yaml
    - 124.yaml
    release_date: '2023-11-20'
  2.0.1:
    changes:
      bugfixes:
      - 'keycloak_quarkus: template requires lowercase boolean values `#138 <https://github.com/ansible-middleware/keycloak/pull/138>`_
        '
      minor_changes:
      - 'keycloak_quarkus: add hostname-strict parameter `#139 <https://github.com/ansible-middleware/keycloak/pull/139>`_
        '
      - 'keycloak_quarkus: update to version 23.0.1 `#133 <https://github.com/ansible-middleware/keycloak/pull/133>`_
        '
    fragments:
    - 133.yaml
    - 138.yaml
    - 139.yaml
    release_date: '2023-12-07'
  2.0.2:
    changes:
      bugfixes:
      - 'keycloak_quarkus: Use ``keycloak_quarkus_java_opts`` `#154 <https://github.com/ansible-middleware/keycloak/pull/154>`_
        '
      - 'keycloak_quarkus: allow ports <1024 (e.g. :443) in systemd unit `#150 <https://github.com/ansible-middleware/keycloak/pull/150>`_
        '
      minor_changes:
      - 'keycloak_quarkus: Add support for sqlserver jdbc driver `#148 <https://github.com/ansible-middleware/keycloak/pull/148>`_
        '
      - 'keycloak_quarkus: allow configuration of ``hostname-strict-backchannel``
        `#152 <https://github.com/ansible-middleware/keycloak/pull/152>`_
        '
      - 'keycloak_quarkus: systemd restart behavior `#145 <https://github.com/ansible-middleware/keycloak/pull/145>`_
        '
    fragments:
    - 145.yaml
    - 148.yaml
    - 150.yaml
    - 152.yaml
    - 154.yaml
    release_date: '2024-01-17'
  2.1.0:
    changes:
      breaking_changes:
      - 'keycloak_quarkus: renamed infinispan host list configuration `#157 <https://github.com/ansible-middleware/keycloak/pull/157>`_
        '
      bugfixes:
      - 'keycloak_quarkus: fix custom JAVA_HOME parameter name `#171 <https://github.com/ansible-middleware/keycloak/pull/171>`_
        '
      major_changes:
      - 'Implement infinispan TCPPING discovery protocol `#159 <https://github.com/ansible-middleware/keycloak/pull/159>`_
        '
      minor_changes:
      - 'Set enable-recovery when xa transactions are enabled `#167 <https://github.com/ansible-middleware/keycloak/pull/167>`_
        '
      - 'keycloak_quarkus: Allow configuring log rotate options in quarkus configuration
        `#161 <https://github.com/ansible-middleware/keycloak/pull/161>`_
        '
      - 'keycloak_quarkus: ``sticky-session`` for infinispan routes `#163 <https://github.com/ansible-middleware/keycloak/pull/163>`_
        '
    fragments:
    - 157.yaml
    - 159.yaml
    - 161.yaml
    - 163.yaml
    - 167.yaml
    - 171.yaml
    release_date: '2024-02-28'
  2.1.1:
    changes:
      bugfixes:
      - 'Fix permissions on controller-side downloaded artifacts `#184 <https://github.com/ansible-middleware/keycloak/pull/184>`_
        '
      - 'JVM args moved to ``JAVA_OPTS`` envvar (instead of JAVA_OPTS_APPEND) `#186
        <https://github.com/ansible-middleware/keycloak/pull/186>`_
        '
      - 'Unrelax configuration file permissions `#191 <https://github.com/ansible-middleware/keycloak/pull/191>`_
        '
      - 'Utilize comment filter for ``ansible_managed`` annotations `#176 <https://github.com/ansible-middleware/keycloak/pull/176>`_
        '
      minor_changes:
      - 'Add reverse ``proxy_headers`` config, supersedes ``proxy_mode`` `#187 <https://github.com/ansible-middleware/keycloak/pull/187>`_
        '
      - 'Debian/Ubuntu compatibility `#178 <https://github.com/ansible-middleware/keycloak/pull/178>`_
        '
      - 'Use ``keycloak_realm`` as default for sub-entities `#180 <https://github.com/ansible-middleware/keycloak/pull/180>`_
        '
    fragments:
    - 176.yaml
    - 178.yaml
    - 180.yaml
    - 184.yaml
    - 186.yaml
    - 187.yaml
    - 191.yaml
    release_date: '2024-04-17'
  2.1.2:
    changes:
      release_summary: 'Internal release, documentation or test changes only.
        '
    release_date: '2024-04-17'
  2.2.0:
    changes:
      major_changes:
      - 'Support java keystore for configuration of sensitive options `#189 <https://github.com/ansible-middleware/keycloak/pull/189>`_
        '
      minor_changes:
      - 'Add ``wait_for_port`` and ``wait_for_log`` systemd unit logic `#199 <https://github.com/ansible-middleware/keycloak/pull/199>`_
        '
      - 'Customize jdbc driver downloads, optional authentication `#202 <https://github.com/ansible-middleware/keycloak/pull/202>`_
        '
      - 'Keystore-based vault SPI configuration `#196 <https://github.com/ansible-middleware/keycloak/pull/196>`_
        '
      - 'New ``keycloak_quarkus_hostname_strict_https`` parameter `#195 <https://github.com/ansible-middleware/keycloak/pull/195>`_
        '
      - 'Providers config and custom providers `#201 <https://github.com/ansible-middleware/keycloak/pull/201>`_
        '
      - 'Remove administrator credentials from files once keycloak is bootstrapped
        `#197 <https://github.com/ansible-middleware/keycloak/pull/197>`_
        '
      - 'Update keycloak to 24.0 `#194 <https://github.com/ansible-middleware/keycloak/pull/194>`_
        '
    fragments:
    - 189.yaml
    - 194.yaml
    - 195.yaml
    - 196.yaml
    - 197.yaml
    - 199.yaml
    - 201.yaml
    - 202.yaml
    release_date: '2024-05-01'
  2.2.1:
    changes:
      bugfixes:
      - 'JDBC provider: fix clause in argument validation `#204 <https://github.com/ansible-middleware/keycloak/pull/204>`_
        '
      release_summary: Internal release, documentation or test changes only.
    fragments:
    - 204.yaml
    - v2.2.1-devel_summary.yaml
    release_date: '2024-05-02'
  2.2.2:
    changes:
      bugfixes:
      - 'Turn off controller privilege escalation `#209 <https://github.com/ansible-middleware/keycloak/pull/209>`_
        '
      minor_changes:
      - 'Copying of key material for TLS configuration `#210 <https://github.com/ansible-middleware/keycloak/pull/210>`_
        '
      - 'Validate certs parameter for JDBC driver downloads `#207 <https://github.com/ansible-middleware/keycloak/pull/207>`_
        '
    fragments:
    - 207.yaml
    - 209.yaml
    - 210.yaml
    release_date: '2024-05-06'
  2.3.0:
    changes:
      bugfixes:
      - '``kc.sh build`` uses configured jdk `#211 <https://github.com/ansible-middleware/keycloak/pull/211>`_
        '
      major_changes:
      - 'Allow for custom providers hosted on maven repositories `#223 <https://github.com/ansible-middleware/keycloak/pull/223>`_
        '
      - 'Restart handler strategy behaviour `#231 <https://github.com/ansible-middleware/keycloak/pull/231>`_
        '
      minor_changes:
      - 'Add support for policy files `#225 <https://github.com/ansible-middleware/keycloak/pull/225>`_
        '
      - 'Allow to add extra custom env vars in sysconfig file `#229 <https://github.com/ansible-middleware/keycloak/pull/229>`_
        '
      - 'Download from alternate URL with optional http authentication `#220 <https://github.com/ansible-middleware/keycloak/pull/220>`_
        '
      - 'Update Keycloak to version 24.0.4 `#218 <https://github.com/ansible-middleware/keycloak/pull/218>`_
        '
      - '``proxy-header`` enhancement `#227 <https://github.com/ansible-middleware/keycloak/pull/227>`_
        '
    fragments:
    - 211.yaml
    - 218.yaml
    - 220.yaml
    - 223.yaml
    - 225.yaml
    - 227.yaml
    - 229.yaml
    - 231.yaml
    release_date: '2024-05-20'
  2.4.0:
    changes:
      major_changes:
      - 'Enable by default health check on restart `#234 <https://github.com/ansible-middleware/keycloak/pull/234>`_
        '
      - 'Update minimum ansible-core version > 2.15 `#232 <https://github.com/ansible-middleware/keycloak/pull/232>`_
        '
    fragments:
    - 232.yaml
    - 234.yaml
    release_date: '2024-06-04'
  2.4.1:
    changes:
      release_summary: Internal release, documentation or test changes only.
    fragments:
    - v2.4.1-devel_summary.yaml
    release_date: '2024-07-02'
  2.4.2:
    changes:
      bugfixes:
      - 'Add wait_for_port number parameter `#237 <https://github.com/ansible-middleware/keycloak/pull/237>`_
        '
      minor_changes:
      - 'New parameter ``keycloak_quarkus_download_path``  `#239 <https://github.com/ansible-middleware/keycloak/pull/239>`_
        '
    fragments:
    - 237.yaml
    - 239.yaml
    release_date: '2024-09-26'
  2.4.3:
    changes:
      minor_changes:
      - 'Update keycloak to 24.0.5 `#241 <https://github.com/ansible-middleware/keycloak/pull/241>`_
        '
    fragments:
    - 241.yaml
    release_date: '2024-10-16'
  3.0.0:
    changes:
      breaking_changes:
      - 'Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_
        '
      - 'Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_
        '
      - 'Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_
        '
      bugfixes:
      - 'Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_
        '
      - 'Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_
        '
      - 'Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_
        '
      - 'Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_
        '
      minor_changes:
      - 'Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_
        '
      - 'keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_
        '
    fragments:
    - 250.yaml
    - 251.yaml
    - 252.yaml
    - 254.yaml
    - 266.yaml
    - 268.yaml
    - 270.yaml
    - 271.yaml
    - 274.yaml
    modules:
    - description: Allows administration of Keycloak realm via Keycloak API
      name: keycloak_realm
      namespace: ''
    release_date: '2025-04-23'
  3.0.1:
    changes:
      bugfixes:
      - 'Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_
        '
      minor_changes:
      - 'Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_
        '
    fragments:
    - 276.yaml
    - 277.yaml
    release_date: '2025-05-02'
  3.0.2:
    changes:
      bugfixes:
      - 'Fix ``keycloak_quarkus_force_install`` parameter being ignored by install
        `#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_
        '
      - 'Fix alternate download location being ignored (JBossNeworkAPI always used)
        `#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_
        '
      - 'Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_
        '
      - 'Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_
        '
      - 'keycloak_realm: federation default provider type should be a string `#302
        <https://github.com/ansible-middleware/keycloak/pull/302>`_
        '
      minor_changes:
      - 'New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_
        '
      - 'New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_
        '
      - 'Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_
        '
      - 'Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_
        '
    fragments:
    - 280.yaml
    - 281.yaml
    - 283.yaml
    - 285.yaml
    - 287.yaml
    - 289.yaml
    - 296.yaml
    - 298.yaml
    - 302.yaml
    release_date: '2025-07-01'
  3.0.3:
    changes:
      bugfixes:
      - 'keycloak collection CI label is showing no status `#312 <https://github.com/ansible-middleware/keycloak/pull/312>`_
        '
      - 'keycloak_realm: allow secret in keycloak_clients `#304 <https://github.com/ansible-middleware/keycloak/pull/304>`_
        '
      major_changes:
      - 'Update to keycloak 26.3.0 `#293 <https://github.com/ansible-middleware/keycloak/pull/293>`_
        '
      - 'ansible-core 2.19 compatibility `#310 <https://github.com/ansible-middleware/keycloak/pull/310>`_
        '
      minor_changes:
      - 'Allow to install provider jars from remote paths `#303 <https://github.com/ansible-middleware/keycloak/pull/303>`_
        '
      - 'Declared proxy_mode as deprecated, updated quarkus and realm readme `#306
        <https://github.com/ansible-middleware/keycloak/pull/306>`_
        '
      - 'Fix config_key_store_file description to match variable name `#308 <https://github.com/ansible-middleware/keycloak/pull/308>`_
        '
    fragments:
    - 293.yaml
    - 303.yaml
    - 304.yaml
    - 306.yaml
    - 308.yaml
    - 310.yaml
    - 312.yaml
    release_date: '2025-12-16'
  3.0.4:
    changes:
      bugfixes:
      - 'Removing parseable from lint file as Additional properties are not allowed
        `#319 <https://github.com/ansible-middleware/keycloak/pull/319>`_
        '
      major_changes:
      - 'AMW-467 Download keycloak binary from password protected HTTP location `#321
        <https://github.com/ansible-middleware/keycloak/pull/321>`_
        '
      - 'v26.4.x compability `#317 <https://github.com/ansible-middleware/keycloak/pull/317>`_
        '
      minor_changes:
      - 'AMW-518 Validating arguments against arg spec ''main'' fails unexpectedly.
        `#324 <https://github.com/ansible-middleware/keycloak/pull/324>`_
        '
    fragments:
    - 317.yaml
    - 319.yaml
    - 321.yaml
    - 324.yaml
    release_date: '2026-05-20'
  3.0.5:
    changes:
      minor_changes:
      - 'AMW-528 Deployment fails in keycloak_quarkus due to missing escalation variables
        `#335 <https://github.com/ansible-middleware/keycloak/pull/335>`_
        '
    fragments:
    - 335.yaml
    release_date: '2026-05-20'
--- a/changelogs/config.yaml
+++ b/changelogs/config.yaml
@@ -11,21 +11,21 @@ notesdir: fragments
 prelude_section_name: release_summary
 prelude_section_title: Release Summary
 sections:
- - major_changes
+  - - major_changes
    - Major Changes
- - minor_changes
+  - - minor_changes
    - Minor Changes
- - breaking_changes
+  - - breaking_changes
    - Breaking Changes / Porting Guide
- - deprecated_features
+  - - deprecated_features
    - Deprecated Features
- - removed_features
+  - - removed_features
    - Removed Features
- - security_fixes
+  - - security_fixes
    - Security Fixes
- - bugfixes
+  - - bugfixes
    - Bugfixes
- - known_issues
+  - - known_issues
    - Known Issues
 title: middleware_automation.keycloak
 trivial_section_name: trivial
--- a/docs/_gh_include/footer.inc
+++ b/docs/_gh_include/footer.inc
@@ -7,7 +7,7 @@
      </div>
      <hr/>
      <div role="contentinfo">
-        <p>&#169; Copyright 2022, Red Hat, Inc.</p>
+        <p>&#169; Copyright 2024, Red Hat, Inc.</p>
      </div>
      Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
        <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
--- a/docs/_gh_include/header.inc
+++ b/docs/_gh_include/header.inc
@@ -21,6 +21,20 @@
        <div class="wy-side-nav-search" >
            <a href="#" class="icon icon-home"> Keycloak Ansible Collection</a>
        </div>
        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
            <p class="caption" role="heading"><span class="caption-text">Middleware Automation</span></p>
            <ul>
              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/infinispan/main/">Infinispan / Red Hat Data Grid</a></li>
              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/keycloak/main/">Keycloak / Red Hat Single Sign-On</a></li>
              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/wildfly/main/">Wildfly / Red Hat JBoss EAP</a></li>
              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/jws/main/">Tomcat / Red Hat JWS</a></li>
              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq/main/">ActiveMQ / Red Hat AMQ Broker</a></li>
              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq_streams/main/">Kafka / Red Hat AMQ Streams</a></li>
              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/common/main/">Ansible Middleware utilities</a></li>
              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/redhat-csp-download/main/">Red Hat CSP Download</a></li>
              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/ansible_collections_jcliff/main/">JCliff</a></li>
            </ul>
        </div>
      </div>
    </nav>
    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -43,6 +43,7 @@ extensions = [
    'myst_parser',
    'sphinx.ext.autodoc',
    'sphinx.ext.intersphinx',
    'sphinx_antsibull_ext',
    'ansible_basic_sphinx_ext',
 ]
@@ -63,7 +64,7 @@ master_doc = 'index'
 #
 # This is also used if you do content translation via gettext catalogs.
 # Usually you set "language" from the command line for these cases.
-language = None
+language = 'en'
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
@@ -71,7 +72,7 @@ language = None
 exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store', '.tmp']
 # The name of the Pygments (syntax highlighting) style to use.
-pygments_style = 'sphinx'
+pygments_style = 'ansible'
 highlight_language = 'YAML+Jinja'
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -10,23 +10,25 @@ Welcome to Keycloak Collection documentation
   README
   plugins/index
   roles/index
   Changelog <CHANGELOG>
 .. toctree::
   :maxdepth: 2
   :caption: Developer documentation
-   testing
+   Developing <developing>
-   developing
+   Testing <testing>
-   releasing
+   Releasing <releasing>
 .. toctree::
   :maxdepth: 2
-   :caption: General
+   :caption: Middleware collections
-   Changelog <CHANGELOG>
+   Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/main/>
-
+   Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/>
-Indices and tables
+   Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/main/>
-==================
+   Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/main/>
-
+   ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/main/>
-* :ref:`genindex`
+   Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/main/>
-* :ref:`search`
+   Ansible Middleware utilities <https://ansible-middleware.github.io/common/main/>
   JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/main/>
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -1,5 +1,10 @@
 # ansible_basic_sphinx_ext still imports pkg_resources (removed in setuptools 82+).
 setuptools>=70.0.0,<81.0.0
 antsibull>=0.17.0
-ansible-base>=2.10.12
+antsibull-docs
 antsibull-changelog
 ansible-core>=2.16.0
 ansible-pygments
 sphinx-rtd-theme
 git+https://github.com/felixfontein/ansible-basic-sphinx-ext
 myst-parser
--- a/docs/testing.md
+++ b/docs/testing.md
@@ -4,24 +4,7 @@
 The collection is tested with a [molecule](https://github.com/ansible-community/molecule) setup covering the included roles and verifying correct installation and idempotency.
 In order to run the molecule tests locally with python 3.9 available, after cloning the repository:
-
+The test scenarios are available on the source code repository each on his own subdirectory under [molecule/](https://github.com/ansible-middleware/keycloak/molecule).
 ```
 pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
 molecule test --all
 ```
 ## Integration testing
 Demo repositories which depend on the collection, and aggregate functionality with other middleware_automation collections, are automatically rebuilt
 at every collection release to ensure non-breaking changes and consistent behaviour.
 The repository are:
 - [Flange demo](https://github.com/ansible-middleware/flange-demo)
   A deployment of Wildfly cluster integrated with keycloak and infinispan.
 - [CrossDC keycloak demo](https://github.com/ansible-middleware/cross-dc-rhsso-demo)
   A clustered multi-regional installation of keycloak with infinispan remote caches.
 ## Test playbooks
@@ -29,15 +12,7 @@ The repository are:
 Sample playbooks are provided in the `playbooks/` directory; to run the playbooks locally (requires a rhel system with python 3.9+, ansible, and systemd) the steps are as follows:
 ```
-# setup environment
+# setup environment as in developing
 pip install ansible-core
 # clone the repository
 git clone https://github.com/ansible-middleware/keycloak
 cd keycloak
 # install collection dependencies
 ansible-galaxy collection install -r requirements.yml
 # install collection python deps
 pip install -r requirements.txt
 # create inventory for localhost
 cat << EOF > inventory
 [keycloak]
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,12 +1,13 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "1.0.6"
+version: "3.0.5"
 readme: README.md
 authors:
  - Romain Pelisse <rpelisse@redhat.com>
  - Guido Grazioli <ggraziol@redhat.com>
  - Pavan Kumar Motaparthi <pmotapar@redhat.com>
  - Helmut Wolf <hwo@world-direct.at>
 description: Install and configure a keycloak, or Red Hat Single Sign-on, service.
 license_file: "LICENSE"
 tags:
@@ -20,15 +21,28 @@ tags:
  - security
  - infrastructure
  - authentication
  - java
  - runtimes
  - middleware
  - a4mw
 dependencies:
-  "middleware_automation.redhat_csp_download": ">=1.2.1"
+  "middleware_automation.common": ">=1.2.1"
-  "middleware_automation.wildfly": ">=1.0.0"
+  "ansible.posix": ">=1.4.0"
 repository: https://github.com/ansible-middleware/keycloak
 documentation: https://ansible-middleware.github.io/keycloak
 homepage: https://github.com/ansible-middleware/keycloak
 issues: https://github.com/ansible-middleware/keycloak/issues
 build_ignore:
-  - molecule
+  - .gitignore
  - .github
  - .ansible-lint
  - .yamllint
  - .DS_Store
  - '*.tar.gz'
  - '*.zip'
  - molecule
  - changelogs
  - docs/_gh_include
  - docs/conf.py
  - docs/roles.rst.template
  - docs/requirements.yml
--- a/meta/runtime.yml
+++ b/meta/runtime.yml
@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.9.10"
+requires_ansible: ">=2.16.0"
--- a/molecule/debian/converge.yml
+++ b/molecule/debian/converge.yml
@@ -0,0 +1,45 @@
 ---
 - name: Converge
  hosts: all
  vars_files:
    - ../group_vars/all/vars.yml
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_quarkus_hostname: http://instance:8080
    keycloak_quarkus_log: file
    keycloak_quarkus_start_dev: true
    keycloak_quarkus_proxy_mode: none
  roles:
    - role: keycloak_quarkus
    - role: keycloak_realm
      keycloak_url: "{{ keycloak_quarkus_hostname }}"
      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
      keycloak_client_users:
        - username: TestUser
          password: password
          client_roles:
            - client: TestClient
              role: TestRoleUser
              realm: "{{ keycloak_realm }}"
        - username: TestAdmin
          password: password
          client_roles:
            - client: TestClient
              role: TestRoleUser
              realm: "{{ keycloak_realm }}"
            - client: TestClient
              role: TestRoleAdmin
              realm: "{{ keycloak_realm }}"
      keycloak_realm: TestRealm
      keycloak_clients:
        - name: TestClient
          realm: "{{ keycloak_realm }}"
          public_client: "{{ keycloak_client_public }}"
          web_origins: "{{ keycloak_client_web_origins }}"
          users: "{{ keycloak_client_users }}"
          client_id: TestClient
          attributes:
            post.logout.redirect.uris: '/public/logout'
--- a/molecule/debian/molecule.yml
+++ b/molecule/debian/molecule.yml
@@ -0,0 +1,48 @@
 ---
 driver:
  name: docker
 platforms:
  - name: instance
    image: ghcr.io/hspaans/molecule-containers:debian-13
    pre_build_image: true
    privileged: true
    port_bindings:
      - "8080/tcp"
      - "8443/tcp"
      - "8009/tcp"
    cgroupns_mode: host
    command: "/lib/systemd/systemd"
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:rw
 provisioner:
  name: ansible
  config_options:
    defaults:
      interpreter_python: auto_silent
    ssh_connection:
      pipelining: false
  playbooks:
    prepare: prepare.yml
    converge: converge.yml
    verify: verify.yml
  inventory:
    host_vars:
      localhost:
        ansible_python_interpreter: /usr/bin/python3
  env:
    ANSIBLE_FORCE_COLOR: "true"
    ANSIBLE_REMOTE_TMP: /tmp/.ansible/tmp
 verifier:
  name: ansible
 scenario:
  test_sequence:
    - cleanup
    - destroy
    - create
    - prepare
    - converge
    - idempotence
    - side_effect
    - verify
    - cleanup
    - destroy
--- a/molecule/debian/prepare.yml
+++ b/molecule/debian/prepare.yml
@@ -0,0 +1,13 @@
 ---
 - name: Prepare
  hosts: all
  vars_files:
    - ../group_vars/all/vars.yml
  gather_facts: yes
  tasks:
    - name: Install sudo
      ansible.builtin.apt:
        name:
          - sudo
          - openjdk-21-jdk-headless
          - iproute2
--- a/molecule/debian/roles
+++ b/molecule/debian/roles
@@ -0,0 +1 @@
 ../../roles
--- a/molecule/debian/verify.yml
+++ b/molecule/debian/verify.yml
@@ -0,0 +1,40 @@
 ---
 - name: Verify
  hosts: all
  vars:
    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
    keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
    keycloak_jboss_port_offset: 10
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
    - name: Check if keycloak service started
      ansible.builtin.assert:
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
    - name: Verify openid config
      block:
        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
          ansible.builtin.shell: |
            set -o pipefail
            curl http://localhost:8080/realms/master/.well-known/openid-configuration -k | jq .
          args:
            executable: /bin/bash
          delegate_to: localhost
          register: openid_config
          changed_when: False
        - name: Verify endpoint URLs
          ansible.builtin.assert:
            that:
              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'http://localhost:8080/realms/master/protocol/openid-connect/ext/ciba/auth'
              - (openid_config.stdout | from_json)['issuer'] == 'http://localhost:8080/realms/master'
              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/auth'
              - (openid_config.stdout | from_json)['token_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/token'
          delegate_to: localhost
      when:
        - hera_home is defined
        - hera_home | length == 0
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -1,19 +1,27 @@
 ---
 - name: Converge
  hosts: all
  vars_files:
    - ../group_vars/all/vars.yml
  vars:
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_show_deprecation_warnings: false
-    keycloak_jvm_package: java-11-openjdk-headless
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_quarkus_hostname: http://instance:8080
    keycloak_quarkus_log: file
    keycloak_quarkus_log_level: debug
    keycloak_quarkus_log_target: /tmp/keycloak
    keycloak_quarkus_start_dev: true
    keycloak_quarkus_proxy_mode: none
    keycloak_quarkus_offline_install: true
    keycloak_quarkus_download_path: /tmp/keycloak/
    keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m "
  roles:
-    - role: keycloak
+    - role: keycloak_quarkus
-  tasks:
+    - role: keycloak_realm
-    - name: Keycloak Realm Role
+      keycloak_url: "{{ keycloak_quarkus_hostname }}"
-      ansible.builtin.include_role:
+      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
-        name: keycloak_realm
+      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
      vars:
        keycloak_client_default_roles:
          - TestRoleAdmin
          - TestRoleUser
      keycloak_client_users:
        - username: TestUser
          password: password
@@ -33,7 +41,6 @@
      keycloak_realm: TestRealm
      keycloak_clients:
        - name: TestClient
            roles: "{{ keycloak_client_default_roles }}"
          realm: "{{ keycloak_realm }}"
          public_client: "{{ keycloak_client_public }}"
          web_origins: "{{ keycloak_client_web_origins }}"
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -1,15 +1,9 @@
 ---
 dependency:
  name: shell
  command: ansible-galaxy collection install -r molecule/default/requirements.yml -p $HOME/.ansible/collections --force-with-deps
 driver:
-  name: docker
+  name: podman
 lint: |
  ansible-lint --version
  ansible-lint -v
 platforms:
  - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
@@ -17,6 +11,7 @@ platforms:
      - "8080/tcp"
      - "8443/tcp"
      - "8009/tcp"
      - "9000/tcp"
 provisioner:
  name: ansible
  config_options:
@@ -29,20 +24,22 @@ provisioner:
    converge: converge.yml
    verify: verify.yml
  inventory:
    group_vars:
      all:
        keycloak_install_requires_become: true
    host_vars:
      localhost:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
    PROXY: "${PROXY}"
    NO_PROXY: "${NO_PROXY}"
 verifier:
  name: ansible
 scenario:
  test_sequence:
    - dependency
    - lint
    - cleanup
    - destroy
    - syntax
    - create
    - prepare
    - converge
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@@ -1,10 +1,27 @@
 ---
 - name: Prepare
  hosts: all
  vars_files:
    - ../group_vars/all/vars.yml
  gather_facts: yes
  vars:
    sudo_pkg_name: sudo
  tasks:
-    - name: Install sudo
+    - name: "Run preparation common to all scenario"
-      ansible.builtin.yum:
+      ansible.builtin.include_tasks: ../prepare.yml
-        name:
+
-          - sudo
+    - name: Create controller directory for downloads
-          - java-1.8.0-openjdk
+      ansible.builtin.file: # noqa risky-file-permissions delegated, uses controller host user
-        state: present
+        path: /tmp/keycloak
        state: directory
        mode: '0750'
      delegate_to: localhost
      run_once: true
    - name: Download keycloak archive to controller directory
      ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
        url: https://github.com/keycloak/keycloak/releases/download/26.4.7/keycloak-26.4.7.zip
        dest: /tmp/keycloak
        mode: '0640'
      delegate_to: localhost
      run_once: true
--- a/molecule/default/requirements.yml
+++ b/molecule/default/requirements.yml
@@ -1,10 +0,0 @@
 ---
 collections:
  - name: middleware_automation.redhat_csp_download
    version: ">=1.2.1"
  - name: middleware_automation.wildfly
    version: ">=0.0.5"
  - name: community.general
  - name: community.docker
    version: ">=1.9.1"
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -2,10 +2,9 @@
 - name: Verify
  hosts: all
  vars:
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
-    keycloak_jvm_package: java-11-openjdk-headless
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
-    keycloak_port: http://localhost:8080
+    keycloak_uri: "http://localhost:8080"
    keycloak_management_port: http://localhost:9990
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
@@ -14,14 +13,11 @@
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
    - name: Verify we are running on requested jvm
      shell: |
        ps -ef | grep /usr/lib/jvm/java-11 | grep -v grep
    - name: Verify token api call
      ansible.builtin.uri:
-        url: "{{ keycloak_port }}/auth/realms/master/protocol/openid-connect/token"
+        url: "{{ keycloak_uri }}/realms/master/protocol/openid-connect/token"
        method: POST
-        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
+        body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_user }}&grant_type=password"
        validate_certs: no
      register: keycloak_auth_response
      until: keycloak_auth_response.status == 200
--- a/molecule/group_vars/all/vars.yml
+++ b/molecule/group_vars/all/vars.yml
@@ -0,0 +1,26 @@
 ---
 keycloak_quarkus_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_quarkus_systemd_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_quarkus_install_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_quarkus_firewalld_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_quarkus_iptables_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_quarkus_jdbc_driver_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_quarkus_config_store_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_quarkus_restart_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_quarkus_start_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_quarkus_rebuild_config_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_quarkus_fastpackages_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_quarkus_bootstrapped_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_quarkus_invalidate_theme_cache_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_systemd_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_install_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_firewalld_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_iptables_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_jdbc_driver_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_restart_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_start_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_stop_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_fastpackages_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 keycloak_rhsso_patch_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
 molecule_prepare_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
--- a/molecule/https_revproxy/converge.yml
+++ b/molecule/https_revproxy/converge.yml
@@ -0,0 +1,18 @@
 ---
 - name: Converge
  hosts: all
  vars_files:
    - ../group_vars/all/vars.yml
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_quarkus_hostname: https://proxy
    keycloak_quarkus_log: file
    keycloak_quarkus_http_enabled: True
    keycloak_quarkus_http_port: 8080
    keycloak_quarkus_proxy_mode: edge
    keycloak_quarkus_http_relative_path: /
    keycloak_quarkus_health_check_url: http://proxy:8080/realms/master/.well-known/openid-configuration
  roles:
    - role: keycloak_quarkus
--- a/molecule/https_revproxy/molecule.yml
+++ b/molecule/https_revproxy/molecule.yml
@@ -0,0 +1,57 @@
 ---
 driver:
  name: docker
 platforms:
  - name: instance
    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
    networks:
      - name: keycloak
    port_bindings:
      - "8080/tcp"
    published_ports:
      - 0.0.0.0:8080:8080/tcp
  - name: proxy
    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
    networks:
      - name: keycloak
    port_bindings:
      - "443/tcp"
    published_ports:
      - 0.0.0.0:443:443/tcp
 provisioner:
  name: ansible
  config_options:
    defaults:
      interpreter_python: auto_silent
    ssh_connection:
      pipelining: false
  playbooks:
    prepare: prepare.yml
    converge: converge.yml
    verify: verify.yml
  inventory:
    host_vars:
      localhost:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
 verifier:
  name: ansible
 scenario:
  test_sequence:
    - cleanup
    - destroy
    - create
    - prepare
    - converge
    - idempotence
    - side_effect
    - verify
    - cleanup
    - destroy
--- a/molecule/https_revproxy/prepare.yml
+++ b/molecule/https_revproxy/prepare.yml
@@ -0,0 +1,53 @@
 ---
 - name: Prepare
  hosts: all
  vars_files:
    - ../group_vars/all/vars.yml
  tasks:
    - name: Install sudo
      ansible.builtin.dnf:
        name: sudo
        state: present
    - name: "Display hera_home if defined."
      ansible.builtin.set_fact:
        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
 - name: Prepare proxy
  hosts: proxy
  vars:
    nginx_proxy: |
      location / {
          proxy_set_header        Host $host;
          proxy_set_header        X-Real-IP $remote_addr;
          proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header        X-Forwarded-Proto $scheme;
          proxy_pass              http://instance:8080;
      }
  roles:
    - elan.simple_nginx_reverse_proxy
  pre_tasks:
    - name: Create certificate request
      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=proxy'
      args:
        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      changed_when: false
    - name: Make certificate directory
      ansible.builtin.file:
        path: /etc/nginx/tls
        state: directory
        mode: 0755
    - name: Copy certificates
      ansible.builtin.copy:
        src: "{{ item.name }}"
        dest: "{{ item.dest }}"
        mode: 0444
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      loop:
        - { name: 'cert.pem', dest: '/etc/nginx/tls/certificate.crt' }
        - { name: 'key.pem', dest: '/etc/nginx/tls/certificate.key' }
    - name: Update CA trust
      ansible.builtin.command: update-ca-trust
      changed_when: false
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
--- a/molecule/https_revproxy/roles
+++ b/molecule/https_revproxy/roles
@@ -0,0 +1 @@
 ../../roles
--- a/molecule/https_revproxy/verify.yml
+++ b/molecule/https_revproxy/verify.yml
@@ -0,0 +1,28 @@
 ---
 - name: Verify
  hosts: instance
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
    - name: Check if keycloak service started
      ansible.builtin.assert:
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
    - name: Verify openid config
      block:
        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
          ansible.builtin.uri:
            url: http://localhost:8080/realms/master/.well-known/openid-configuration
            validate_certs: false
            headers:
              Host: proxy
          register: openid_config
          changed_when: False
        - name: Verify endpoint URLs
          ansible.builtin.assert:
            that:
              - openid_config.json['issuer'] == 'https://proxy/realms/master'
              - openid_config.json['authorization_endpoint'] == 'https://proxy/realms/master/protocol/openid-connect/auth'
--- a/molecule/overridexml/converge.yml
+++ b/molecule/overridexml/converge.yml
@@ -1,43 +1,13 @@
 ---
 - name: Converge
  hosts: all
  vars_files:
    - ../group_vars/all/vars.yml
  vars:
    keycloak_admin_password: "remembertochangeme"
    keycloak_config_override_template: custom.xml.j2
    keycloak_http_port: 8081
    keycloak_management_http_port: 19990
    keycloak_service_runas: True
  roles:
    - role: keycloak
  tasks:
    - name: Keycloak Realm Role
      ansible.builtin.include_role:
        name: keycloak_realm
      vars:
        keycloak_client_default_roles:
          - TestRoleAdmin
          - TestRoleUser
        keycloak_client_users:
          - username: TestUser
            password: password
            client_roles:
              - client: TestClient
                role: TestRoleUser
                realm: "{{ keycloak_realm }}"
          - username: TestAdmin
            password: password
            client_roles:
              - client: TestClient
                role: TestRoleUser
                realm: "{{ keycloak_realm }}"
              - client: TestClient
                role: TestRoleAdmin
                realm: "{{ keycloak_realm }}"
        keycloak_realm: TestRealm
        keycloak_clients:
          - name: TestClient
            roles: "{{ keycloak_client_default_roles }}"
            realm: "{{ keycloak_realm }}"
            public_client: "{{ keycloak_client_public }}"
            web_origins: "{{ keycloak_client_web_origins }}"
            users: "{{ keycloak_client_users }}"
            client_id: TestClient
--- a/molecule/overridexml/molecule.yml
+++ b/molecule/overridexml/molecule.yml
@@ -1,15 +1,9 @@
 ---
 dependency:
  name: shell
  command: ansible-galaxy collection install -r molecule/default/requirements.yml -p $HOME/.ansible/collections --force-with-deps
 driver:
  name: docker
 lint: |
  ansible-lint --version
  ansible-lint -v
 platforms:
  - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
@@ -17,6 +11,7 @@ platforms:
      - "8080/tcp"
      - "8443/tcp"
      - "8009/tcp"
      - "9000/tcp"
 provisioner:
  name: ansible
  config_options:
@@ -38,11 +33,8 @@ verifier:
  name: ansible
 scenario:
  test_sequence:
    - dependency
    - lint
    - cleanup
    - destroy
    - syntax
    - create
    - prepare
    - converge
--- a/molecule/overridexml/prepare.yml
+++ b/molecule/overridexml/prepare.yml
@@ -1,12 +1,14 @@
 ---
 - name: Prepare
  hosts: all
  vars_files:
    - ../group_vars/all/vars.yml
  gather_facts: yes
  vars:
    sudo_pkg_name: sudo
  tasks:
-    - name: Disable beta repos
+    - name: "Run preparation common to all scenario"
-      ansible.builtin.command: yum config-manager --disable '*beta*'
+      ansible.builtin.include_tasks: ../prepare.yml
-      ignore_errors: yes
+      vars:
-
+        assets:
-    - name: Install sudo
+          - "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip"
      ansible.builtin.yum:
        name: sudo
        state: present
--- a/molecule/overridexml/requirements.yml
+++ b/molecule/overridexml/requirements.yml
@@ -1,10 +0,0 @@
 ---
 collections:
  - name: middleware_automation.redhat_csp_download
    version: ">=1.2.1"
  - name: middleware_automation.wildfly
    version: ">=0.0.5"
  - name: community.general
  - name: community.docker
    version: ">=1.9.1"
--- a/molecule/overridexml/templates/custom.xml.j2
+++ b/molecule/overridexml/templates/custom.xml.j2
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+<!-- this is a custom file -->
 <server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
@@ -15,7 +15,6 @@
        <extension module="org.jboss.as.modcluster"/>
        <extension module="org.jboss.as.naming"/>
        <extension module="org.jboss.as.remoting"/>
        <extension module="org.jboss.as.security"/>
        <extension module="org.jboss.as.transactions"/>
        <extension module="org.jboss.as.weld"/>
        <extension module="org.keycloak.keycloak-server-subsystem"/>
@@ -30,31 +29,6 @@
        <extension module="org.wildfly.extension.undertow"/>
    </extensions>
    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <authentication>
                    <local default-user="$local" skip-group-loading="true"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization map-groups-to-roles="false">
                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>
            <security-realm name="ApplicationRealm">
                <server-identities>
                    <ssl>
                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization>
                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>
        </security-realms>
        <audit-log>
            <formatters>
                <json-formatter name="json-formatter"/>
@@ -69,8 +43,8 @@
            </logger>
        </audit-log>
        <management-interfaces>
-            <http-interface security-realm="ManagementRealm">
+            <http-interface http-authentication-factory="management-http-authentication">
-                <http-upgrade enabled="true"/>
+                <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
                <socket-binding http="management-http"/>
            </http-interface>
        </management-interfaces>
@@ -205,6 +179,9 @@
                </thread-pool>
            </thread-pools>
            <default-security-domain value="other"/>
            <application-security-domains>
                <application-security-domain name="other" security-domain="ApplicationDomain"/>
            </application-security-domains>
            <default-missing-method-permissions-deny-access value="true"/>
            <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
            <log-system-exceptions value="true"/>
@@ -278,6 +255,13 @@
                        </mechanism>
                    </mechanism-configuration>
                </http-authentication-factory>
                <http-authentication-factory name="application-http-authentication" security-domain="ApplicationDomain" http-server-mechanism-factory="global">
                    <mechanism-configuration>
                        <mechanism mechanism-name="BASIC">
                            <mechanism-realm realm-name="ApplicationRealm"/>
                        </mechanism>
                    </mechanism-configuration>
                </http-authentication-factory>
                <provider-http-server-mechanism-factory name="global"/>
            </http>
            <sasl>
@@ -497,8 +481,8 @@
                <default-provider>default</default-provider>
                <provider name="default" enabled="true">
                    <properties>
-                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
+                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
                    </properties>
                </provider>
            </spi>
@@ -513,41 +497,9 @@
            <remote-naming/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
-            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
+            <http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="application-sasl-authentication"/>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
        <subsystem xmlns="urn:jboss:domain:security:2.0">
            <security-domains>
                <security-domain name="other" cache-type="default">
                    <authentication>
                        <login-module code="Remoting" flag="optional">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                        <login-module code="RealmDirect" flag="required">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                    </authentication>
                </security-domain>
                <security-domain name="jboss-web-policy" cache-type="default">
                    <authorization>
                        <policy-module code="Delegating" flag="required"/>
                    </authorization>
                </security-domain>
                <security-domain name="jaspitest" cache-type="default">
                    <authentication-jaspi>
                        <login-module-stack name="dummy">
                            <login-module code="Dummy" flag="optional"/>
                        </login-module-stack>
                        <auth-module code="Dummy"/>
                    </authentication-jaspi>
                </security-domain>
                <security-domain name="jboss-ejb-policy" cache-type="default">
                    <authorization>
                        <policy-module code="Delegating" flag="required"/>
                    </authorization>
                </security-domain>
            </security-domains>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
            <deployment-permissions>
                <maximum-set>
@@ -568,10 +520,11 @@
        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
            <buffer-cache name="default"/>
            <server name="default-server">
-                <http-listener name="default" socket-binding="http"/>
+                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
-                    <http-invoker security-realm="ApplicationRealm"/>
+                    <http-invoker http-authentication-factory="application-http-authentication"/>
                </host>
            </server>
            <servlet-container name="default">
@@ -581,20 +534,25 @@
            <handlers>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>
            <application-security-domains>
                <application-security-domain name="other" security-domain="ApplicationDomain"/>
            </application-security-domains>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
    </profile>
    <interfaces>
        <interface name="management">
-            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
+            <inet-address value="127.0.0.1"/>
        </interface>
        <interface name="public">
-            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
+            <inet-address value="127.0.0.1"/>
        </interface>
    </interfaces>
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="http" port="8081"/>
        <socket-binding name="https" port="8443"/>
        <socket-binding name="management-http" interface="management" port="19990"/>
        <socket-binding name="management-https" interface="management" port="19991"/>
        <socket-binding name="txn-recovery-environment" port="4712"/>
        <socket-binding name="txn-status-manager" port="4713"/>
        <outbound-socket-binding name="mail-smtp">
--- a/molecule/overridexml/verify.yml
+++ b/molecule/overridexml/verify.yml
@@ -1,6 +1,10 @@
 ---
 - name: Verify
  hosts: all
  vars:
    keycloak_uri: "http://localhost:8081"
    keycloak_management_port: "http://localhost:19990"
    keycloak_admin_password: "remembertochangeme"
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
@@ -9,3 +13,20 @@
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
    - name: Verify we are running on requested jvm # noqa blocked_modules command-instead-of-module
      ansible.builtin.shell: |
        set -o pipefail
        ps -ef | grep '/etc/alternatives/jre_1.8.0/' | grep -v grep
      args:
        executable: /bin/bash
      changed_when: no
    - name: Verify token api call
      ansible.builtin.uri:
        url: "{{ keycloak_uri }}/auth/realms/master/protocol/openid-connect/token"
        method: POST
        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
        validate_certs: no
      register: keycloak_auth_response
      until: keycloak_auth_response.status == 200
      retries: 2
      delay: 2
--- a/molecule/prepare.yml
+++ b/molecule/prepare.yml
@@ -0,0 +1,59 @@
 ---
 - name: Display Ansible version
  ansible.builtin.debug:
    msg: "Ansible version is  {{ ansible_version.full }}"
 - name: "Set package name for sudo"
  ansible.builtin.set_fact:
    sudo_pkg_name: sudo
 - name: "Ensure {{ sudo_pkg_name }} is installed (if user is root)."
  ansible.builtin.yum:
    name: "{{ sudo_pkg_name }}"
    state: present
  when:
    - ansible_user_id == 'root'
 - name: Gather the package facts
  ansible.builtin.package_facts:
    manager: auto
 - name: "Check if sudo is installed."
  ansible.builtin.assert:
    that:
      - sudo_pkg_name in ansible_facts.packages
    fail_msg: "sudo is not installed on target system"
 - name: "Install iproute"
  ansible.builtin.yum:
    name:
      - iproute
    state: present
  when:
    - ansible_user_id == 'root'
 - name: "Retrieve assets server from env"
  ansible.builtin.set_fact:
    assets_server: "{{ lookup('env', 'MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
 - name: "Download artefacts only if assets_server is set"
  when:
    - assets_server is defined
    - assets_server | length > 0
    - assets is defined
    - assets | length > 0
  block:
    - name: "Set offline when assets server from env is defined"
      ansible.builtin.set_fact:
        sso_offline_install: True
    - name: "Download and deploy zips from {{ assets_server }}"
      ansible.builtin.get_url:
        url: "{{ asset }}"
        dest: "{{ lookup('env', 'PWD') }}"
        validate_certs: no
        mode: '0644'
      delegate_to: localhost
      loop: "{{ assets }}"
      loop_control:
        loop_var: asset
--- a/molecule/quarkus/converge.yml
+++ b/molecule/quarkus/converge.yml
@@ -1,20 +1,70 @@
 ---
 - name: Converge
  hosts: all
  vars_files:
    - ../group_vars/all/vars.yml
  vars:
-    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_quarkus_show_deprecation_warnings: false
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_realm: TestRealm
-    keycloak_quarkus_host: instance:8443
+    keycloak_quarkus_hostname: https://instance:8443
    keycloak_quarkus_http_relative_path: ''
    keycloak_quarkus_log: file
-    keycloak_quarkus_https_enabled: True
+    keycloak_quarkus_log_level: debug # needed for the verify step
-    keycloak_quarkus_key_file: conf/key.pem
+    keycloak_quarkus_https_key_file_enabled: true
-    keycloak_quarkus_cert_file: conf/cert.pem
+    keycloak_quarkus_key_file_copy_enabled: true
    keycloak_quarkus_key_content: "{{ lookup('file', 'key.pem') }}"
    keycloak_quarkus_cert_file_copy_enabled: true
    keycloak_quarkus_cert_file_src: cert.pem
    keycloak_quarkus_log_target: /tmp/keycloak
    keycloak_quarkus_ks_vault_enabled: true
    keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
    keycloak_quarkus_ks_vault_pass: keystorepassword
    keycloak_quarkus_systemd_wait_for_port: true
    keycloak_quarkus_systemd_wait_for_timeout: 20
    keycloak_quarkus_systemd_wait_for_delay: 2
    keycloak_quarkus_systemd_wait_for_log: true
    keycloak_quarkus_restart_health_check: false # would fail because of self-signed cert
    keycloak_quarkus_version: 26.4.7
    keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx1024m"
    keycloak_quarkus_additional_env_vars:
      - key: KC_FEATURES_DISABLED
        value: impersonation,kerberos
    keycloak_quarkus_providers:
      - id: http-client
        spi: connections
        default: true
        restart: true
        properties:
          - key: default-connection-pool-size
            value: 10
      - id: spid-saml
        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
      - id: spid-saml-w-checksum
        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
        checksum: sha256:fbb50e73739d7a6d35b5bff611b1c01668b29adf6f6259624b95e466a305f377
      - id: keycloak-kerberos-federation
        maven:
          repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4
          group_id: org.keycloak
          artifact_id: keycloak-kerberos-federation
          version: 26.4.7 # optional
          # username: myUser # optional
          # password: myPAT # optional
      # - id: my-static-theme
      #   local_path: /tmp/my-static-theme.jar
    keycloak_quarkus_policies:
      - name: "cain-and-abel.txt"
        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/cain-and-abel.txt"
      - name: "john-the-ripper.txt"
        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt"
        type: password-blacklists
  roles:
    - role: keycloak_quarkus
    - role: keycloak_realm
-      keycloak_context: ''
+      keycloak_url: http://instance:8080
      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
      keycloak_client_default_roles:
        - TestRoleAdmin
        - TestRoleUser
--- a/molecule/quarkus/molecule.yml
+++ b/molecule/quarkus/molecule.yml
@@ -1,15 +1,9 @@
 ---
 dependency:
  name: shell
  command: ansible-galaxy collection install -r molecule/default/requirements.yml -p $HOME/.ansible/collections --force-with-deps
 driver:
  name: docker
 lint: |
  ansible-lint --version
  ansible-lint -v
 platforms:
  - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
@@ -17,6 +11,7 @@ platforms:
      - "8080/tcp"
      - "8443/tcp"
      - "8009/tcp"
      - "9000/tcp"
    published_ports:
      - 0.0.0.0:8443:8443/tcp
 provisioner:
@@ -36,15 +31,15 @@ provisioner:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
    PYTHONHTTPSVERIFY: 0
    PROXY: "${PROXY}"
    NO_PROXY: "${NO_PROXY}"
 verifier:
  name: ansible
 scenario:
  test_sequence:
    - dependency
    - lint
    - cleanup
    - destroy
    - syntax
    - create
    - prepare
    - converge
--- a/molecule/quarkus/prepare.yml
+++ b/molecule/quarkus/prepare.yml
@@ -1,26 +1,50 @@
 ---
 - name: Prepare
  hosts: all
  vars_files:
    - ../group_vars/all/vars.yml
  tasks:
-    - name: Install sudo
+    - name: "Display hera_home if defined."
-      ansible.builtin.yum:
+      ansible.builtin.set_fact:
-        name: sudo
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
-        state: present
+
-    - command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+    - name: "Ensure common prepare phase are set."
      ansible.builtin.include_tasks: ../prepare.yml
    - name: Create certificate request
      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
      args:
        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
-    - lineinfile:
+      changed_when: false
-        dest: /etc/hosts
+
-        line: "127.0.0.1 instance"
+    - name: Create vault directory
-        state: present
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
-      delegate_to: localhost
+      ansible.builtin.file:
      become: yes
    - file:
        state: directory
-        path: /opt/keycloak/keycloak-18.0.0/conf/
+        path: "/opt/keycloak/vault"
-    - copy:
+        mode: '0755'
-        src: "{{ item }}"
+
-        dest: "/opt/keycloak/keycloak-18.0.0/conf/{{ item }}"
+    - name: Make sure a jre is available (for keytool to prepare keystore)
-        mode: 0444
+      delegate_to: localhost
-      loop:
+      ansible.builtin.package:
-        - cert.pem
+        name: java-21-openjdk-headless
-        - key.pem
+        state: present
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      failed_when: false
    - name: Create vault keystore
      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
      args:
        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      register: keytool_cmd
      changed_when: False
      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
    - name: Copy certificates and vault
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      ansible.builtin.copy:
        src: keystore.p12
        dest: /opt/keycloak/vault/keystore.p12
        mode: '0444'
--- a/molecule/quarkus/requirements.yml
+++ b/molecule/quarkus/requirements.yml
@@ -1,10 +0,0 @@
 ---
 collections:
  - name: middleware_automation.redhat_csp_download
    version: ">=1.2.1"
  - name: middleware_automation.wildfly
    version: ">=0.0.5"
  - name: community.general
  - name: community.docker
    version: ">=1.9.1"
--- a/molecule/quarkus/verify.yml
+++ b/molecule/quarkus/verify.yml
@@ -1,27 +1,130 @@
 ---
 - name: Verify
  hosts: all
  vars_files:
    - ../group_vars/all/vars.yml
  vars:
    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
    - name: Check if keycloak service started
      ansible.builtin.assert:
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
-    - name: Fetch openID config
+        fail_msg: "Service not running"
-      shell: |
+
-        curl https://instance:8443/realms/master/.well-known/openid-configuration -k | jq .
+    - name: Set internal envvar
      ansible.builtin.set_fact:
        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
    - name: Verify openid config
      when:
        - hera_home is defined
        - hera_home | length == 0
      block:
        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
          ansible.builtin.shell: |
            set -o pipefail
            curl -H 'Host: instance' https://localhost:8443/realms/master/.well-known/openid-configuration -k | jq .
          args:
            executable: /bin/bash
          delegate_to: localhost
          register: openid_config
-    - debug:
+          changed_when: False
        msg: " {{ openid_config.stdout | from_json }}"
      delegate_to: localhost
        - name: Verify endpoint URLs
-      assert:
+          ansible.builtin.assert:
            that:
              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance:8443/realms/master/protocol/openid-connect/ext/ciba/auth'
              - (openid_config.stdout | from_json)['issuer'] == 'https://instance:8443/realms/master'
              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/auth'
              - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/token'
          delegate_to: localhost
    - name: Check log folder
      ansible.builtin.stat:
        path: /tmp/keycloak
      register: keycloak_log_folder
    - name: Check that keycloak log folder exists and is a link
      ansible.builtin.assert:
        that:
          - keycloak_log_folder.stat.exists
          - not keycloak_log_folder.stat.isdir
          - keycloak_log_folder.stat.islnk
        fail_msg: "Service log symlink not correctly created"
    - name: Check log file
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      ansible.builtin.stat:
        path: /tmp/keycloak/keycloak.log
      register: keycloak_log_file
    - name: Check if keycloak file exists
      ansible.builtin.assert:
        that:
          - keycloak_log_file.stat.exists
          - not keycloak_log_file.stat.isdir
    - name: Check default log folder
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      ansible.builtin.stat:
        path: /var/log/keycloak
      register: keycloak_default_log_folder
      failed_when: false
    - name: Check that default keycloak log folder doesn't exist
      ansible.builtin.assert:
        that:
          - not keycloak_default_log_folder.stat.exists
    - name: Verify vault SPI in logfile
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      ansible.builtin.shell: |
        set -o pipefail
        zgrep 'Configured KeystoreVaultProviderFactory with the keystore file' /opt/keycloak/keycloak-*/data/log/keycloak.log*zip
      changed_when: false
      failed_when: slurped_log.rc != 0
      register: slurped_log
    - name: Verify token api call
      ansible.builtin.uri:
        url: "https://instance:8443/realms/master/protocol/openid-connect/token"
        method: POST
        body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_password}}&grant_type=password"
        validate_certs: no
      register: keycloak_auth_response
      until: keycloak_auth_response.status == 200
      retries: 2
      delay: 2
    - name: "Get Clients"
      ansible.builtin.uri:
        url: "https://instance:8443/admin/realms/TestRealm/clients"
        validate_certs: false
        headers:
          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
      register: keycloak_clients
    - name: Get client uuid
      ansible.builtin.set_fact:
        keycloak_client_uuid: "{{ ((keycloak_clients.json | selectattr('clientId', '==', 'TestClient')) | first).id }}"
    - name: "Get Client {{ keycloak_client_uuid }}"
      ansible.builtin.uri:
        url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}"
        validate_certs: false
        headers:
          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
      register: keycloak_test_client
    - name: "Get Client roles"
      ansible.builtin.uri:
        url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}/roles"
        validate_certs: false
        headers:
          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
      register: keycloak_test_client_roles
--- a/molecule/quarkus_devmode/converge.yml
+++ b/molecule/quarkus_devmode/converge.yml
@@ -0,0 +1,51 @@
 ---
 - name: Converge
  hosts: all
  vars_files:
    - ../group_vars/all/vars.yml
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_realm: TestRealm
    keycloak_quarkus_log: file
    keycloak_quarkus_hostname: 'http://localhost:8080'
    keycloak_quarkus_start_dev: True
    keycloak_quarkus_proxy_mode: none
    keycloak_quarkus_java_home: /opt/openjdk/
    keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m"
  roles:
    - role: keycloak_quarkus
    - role: keycloak_realm
      keycloak_url: "{{ keycloak_quarkus_hostname }}"
      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
      keycloak_client_default_roles:
        - TestRoleAdmin
        - TestRoleUser
      keycloak_client_users:
        - username: TestUser
          password: password
          client_roles:
            - client: TestClient
              role: TestRoleUser
              realm: "{{ keycloak_realm }}"
        - username: TestAdmin
          password: password
          client_roles:
            - client: TestClient
              role: TestRoleUser
              realm: "{{ keycloak_realm }}"
            - client: TestClient
              role: TestRoleAdmin
              realm: "{{ keycloak_realm }}"
      keycloak_realm: TestRealm
      keycloak_clients:
        - name: TestClient
          roles: "{{ keycloak_client_default_roles }}"
          realm: "{{ keycloak_realm }}"
          public_client: "{{ keycloak_client_public }}"
          web_origins: "{{ keycloak_client_web_origins }}"
          users: "{{ keycloak_client_users }}"
          client_id: TestClient
--- a/molecule/quarkus_devmode/molecule.yml
+++ b/molecule/quarkus_devmode/molecule.yml
@@ -0,0 +1,49 @@
 ---
 driver:
  name: podman
 platforms:
  - name: instance
    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
    port_bindings:
      - "8080/tcp"
      - "8009/tcp"
      - "9000/tcp"
    published_ports:
      - 0.0.0.0:8080:8080/tcp
      - 0.0.0.0:9000:9000/TCP
 provisioner:
  name: ansible
  config_options:
    defaults:
      interpreter_python: auto_silent
    ssh_connection:
      pipelining: false
  playbooks:
    prepare: prepare.yml
    converge: converge.yml
    verify: verify.yml
  inventory:
    host_vars:
      localhost:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
    PROXY: "${PROXY}"
    NO_PROXY: "${NO_PROXY}"
 verifier:
  name: ansible
 scenario:
  test_sequence:
    - cleanup
    - destroy
    - create
    - prepare
    - converge
    - idempotence
    - side_effect
    - verify
    - cleanup
    - destroy
--- a/molecule/quarkus_devmode/prepare.yml
+++ b/molecule/quarkus_devmode/prepare.yml
@@ -0,0 +1,51 @@
 ---
 - name: Prepare
  hosts: all
  vars_files:
    - ../group_vars/all/vars.yml
  tasks:
    - name: Install sudo
      ansible.builtin.apt:
        name:
          - sudo
          - openjdk-17-jdk-headless
        state: present
      when:
        - ansible_facts.os_family == 'Debian'
    - name: "Ensure common prepare phase are set."
      ansible.builtin.include_tasks: ../prepare.yml
    - name: Install JDK17
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      ansible.builtin.yum:
        name:
          - java-17-openjdk-headless
        state: present
      when:
        - ansible_facts.os_family == 'RedHat'
    - name: Link default logs directory
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      ansible.builtin.file:
        state: link
        src: "{{ item }}"
        dest: /opt/openjdk
        force: true
      with_fileglob:
        - /usr/lib/jvm/java-17-openjdk*
      when:
        - ansible_facts.os_family == "Debian"
    - name: Link default logs directory
      ansible.builtin.file:
        state: link
        src: /usr/lib/jvm/jre-17-openjdk
        dest: /opt/openjdk
        force: true
      when:
        - ansible_facts.os_family == "RedHat"
    - name: "Display hera_home if defined."
      ansible.builtin.set_fact:
        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
--- a/molecule/quarkus_devmode/roles
+++ b/molecule/quarkus_devmode/roles
@@ -0,0 +1 @@
 ../../roles
--- a/molecule/quarkus_devmode/verify.yml
+++ b/molecule/quarkus_devmode/verify.yml
@@ -0,0 +1,47 @@
 ---
 - name: Verify
  hosts: all
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
    - name: Check if keycloak service started
      ansible.builtin.assert:
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
    - name: Verify we are running on requested JAVA_HOME # noqa blocked_modules command-instead-of-module
      ansible.builtin.shell: |
        set -o pipefail
        ps -ef | grep '/opt/openjdk' | grep -v grep
      args:
        executable: /bin/bash
      changed_when: False
    - name: Set internal envvar
      ansible.builtin.set_fact:
        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
    - name: Verify openid config
      block:
        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
          ansible.builtin.shell: |
            set -o pipefail
            curl http://localhost:8080/realms/master/.well-known/openid-configuration -k | jq .
          args:
            executable: /bin/bash
          delegate_to: localhost
          register: openid_config
          changed_when: False
        - name: Verify endpoint URLs
          ansible.builtin.assert:
            that:
              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'http://localhost:8080/realms/master/protocol/openid-connect/ext/ciba/auth'
              - (openid_config.stdout | from_json)['issuer'] == 'http://localhost:8080/realms/master'
              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/auth'
              - (openid_config.stdout | from_json)['token_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/token'
          delegate_to: localhost
      when:
        - hera_home is defined
        - hera_home | length == 0
--- a/molecule/quarkus_ha/converge.yml
+++ b/molecule/quarkus_ha/converge.yml
@@ -0,0 +1,31 @@
 ---
 - name: Converge
  hosts: keycloak
  vars_files:
    - ../group_vars/all/vars.yml
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
    keycloak_quarkus_log: file
    keycloak_quarkus_log_level: info
    keycloak_quarkus_https_key_file_enabled: true
    keycloak_quarkus_key_file_copy_enabled: true
    keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}"
    keycloak_quarkus_cert_file_copy_enabled: true
    keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem"
    keycloak_quarkus_ks_vault_enabled: true
    keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
    keycloak_quarkus_ks_vault_pass: keystorepassword
    keycloak_quarkus_systemd_wait_for_port: true
    keycloak_quarkus_systemd_wait_for_timeout: 20
    keycloak_quarkus_systemd_wait_for_delay: 2
    keycloak_quarkus_systemd_wait_for_log: true
    keycloak_quarkus_ha_enabled: true
    keycloak_quarkus_restart_strategy: restart/serial.yml
    keycloak_quarkus_db_user: keycloak
    keycloak_quarkus_db_pass: mysecretpass
    keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
  roles:
    - role: keycloak_quarkus
--- a/molecule/quarkus_ha/molecule.yml
+++ b/molecule/quarkus_ha/molecule.yml
@@ -0,0 +1,82 @@
 ---
 driver:
  name: docker
 platforms:
  - name: instance1
    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
    groups:
      - keycloak
    networks:
      - name: rhbk
    port_bindings:
      - "8080/tcp"
      - "8443/tcp"
      - "9000/tcp"
  - name: instance2
    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
    groups:
      - keycloak
    networks:
      - name: rhbk
    port_bindings:
      - "8080/tcp"
      - "8443/tcp"
      - "9000/tcp"
  - name: postgres
    image: ubuntu/postgres:14-22.04_beta
    pre_build_image: true
    privileged: true
    command: postgres
    groups:
      - database
    networks:
      - name: rhbk
    port_bindings:
      - "5432/tcp"
    mounts:
      - type: bind
        target: /etc/postgresql/postgresql.conf
        source: ${MOLECULE_PROJECT_DIRECTORY}/molecule/quarkus_ha/postgresql/postgresql.conf
    env:
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: mysecretpass
      POSTGRES_DB: keycloak
      POSTGRES_HOST_AUTH_METHOD: trust
 provisioner:
  name: ansible
  config_options:
    defaults:
      interpreter_python: auto_silent
    ssh_connection:
      pipelining: false
  playbooks:
    prepare: prepare.yml
    converge: converge.yml
    verify: verify.yml
  inventory:
    host_vars:
      localhost:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
    PYTHONHTTPSVERIFY: 0
 verifier:
  name: ansible
 scenario:
  test_sequence:
    - cleanup
    - destroy
    - create
    - prepare
    - converge
    - idempotence
    - side_effect
    - verify
    - cleanup
    - destroy
--- a/molecule/quarkus_ha/postgresql/postgresql.conf
+++ b/molecule/quarkus_ha/postgresql/postgresql.conf
@@ -0,0 +1,750 @@
 # -----------------------------
 # PostgreSQL configuration file
 # -----------------------------
 #
 # This file consists of lines of the form:
 #
 #   name = value
 #
 # (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
 # "#" anywhere on a line.  The complete list of parameter names and allowed
 # values can be found in the PostgreSQL documentation.
 #
 # The commented-out settings shown in this file represent the default values.
 # Re-commenting a setting is NOT sufficient to revert it to the default value;
 # you need to reload the server.
 #
 # This file is read on server startup and when the server receives a SIGHUP
 # signal.  If you edit the file on a running system, you have to SIGHUP the
 # server for the changes to take effect, run "pg_ctl reload", or execute
 # "SELECT pg_reload_conf()".  Some parameters, which are marked below,
 # require a server shutdown and restart to take effect.
 #
 # Any parameter can also be given as a command-line option to the server, e.g.,
 # "postgres -c log_connections=on".  Some parameters can be changed at run time
 # with the "SET" SQL command.
 #
 # Memory units:  kB = kilobytes        Time units:  ms  = milliseconds
 #                MB = megabytes                     s   = seconds
 #                GB = gigabytes                     min = minutes
 #                TB = terabytes                     h   = hours
 #                                                   d   = days
 #------------------------------------------------------------------------------
 # FILE LOCATIONS
 #------------------------------------------------------------------------------
 # The default values of these variables are driven from the -D command-line
 # option or PGDATA environment variable, represented here as ConfigDir.
 #data_directory = 'ConfigDir'		# use data in another directory
 					# (change requires restart)
 #hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file
 					# (change requires restart)
 #ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file
 					# (change requires restart)
 # If external_pid_file is not explicitly set, no extra PID file is written.
 #external_pid_file = ''			# write an extra PID file
 					# (change requires restart)
 #------------------------------------------------------------------------------
 # CONNECTIONS AND AUTHENTICATION
 #------------------------------------------------------------------------------
 # - Connection Settings -
 listen_addresses = '*'		# what IP address(es) to listen on;
 					# comma-separated list of addresses;
 					# defaults to 'localhost'; use '*' for all
 					# (change requires restart)
 #port = 5432				# (change requires restart)
 #max_connections = 100			# (change requires restart)
 #superuser_reserved_connections = 3	# (change requires restart)
 #unix_socket_directories = '/tmp'	# comma-separated list of directories
 					# (change requires restart)
 #unix_socket_group = ''			# (change requires restart)
 #unix_socket_permissions = 0777		# begin with 0 to use octal notation
 					# (change requires restart)
 #bonjour = off				# advertise server via Bonjour
 					# (change requires restart)
 #bonjour_name = ''			# defaults to the computer name
 					# (change requires restart)
 # - TCP settings -
 # see "man 7 tcp" for details
 #tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds;
 					# 0 selects the system default
 #tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds;
 					# 0 selects the system default
 #tcp_keepalives_count = 0		# TCP_KEEPCNT;
 					# 0 selects the system default
 #tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds;
 					# 0 selects the system default
 # - Authentication -
 #authentication_timeout = 1min		# 1s-600s
 #password_encryption = md5		# md5 or scram-sha-256
 #db_user_namespace = off
 # GSSAPI using Kerberos
 #krb_server_keyfile = ''
 #krb_caseins_users = off
 # - SSL -
 #ssl = off
 #ssl_ca_file = ''
 #ssl_cert_file = 'server.crt'
 #ssl_crl_file = ''
 #ssl_key_file = 'server.key'
 #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
 #ssl_prefer_server_ciphers = on
 #ssl_ecdh_curve = 'prime256v1'
 #ssl_min_protocol_version = 'TLSv1'
 #ssl_max_protocol_version = ''
 #ssl_dh_params_file = ''
 #ssl_passphrase_command = ''
 #ssl_passphrase_command_supports_reload = off
 #------------------------------------------------------------------------------
 # RESOURCE USAGE (except WAL)
 #------------------------------------------------------------------------------
 # - Memory -
 #shared_buffers = 32MB			# min 128kB
 					# (change requires restart)
 #huge_pages = try			# on, off, or try
 					# (change requires restart)
 #temp_buffers = 8MB			# min 800kB
 #max_prepared_transactions = 0		# zero disables the feature
 					# (change requires restart)
 # Caution: it is not advisable to set max_prepared_transactions nonzero unless
 # you actively intend to use prepared transactions.
 #work_mem = 4MB				# min 64kB
 #maintenance_work_mem = 64MB		# min 1MB
 #autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem
 #max_stack_depth = 2MB			# min 100kB
 #shared_memory_type = mmap		# the default is the first option
 					# supported by the operating system:
 					#   mmap
 					#   sysv
 					#   windows
 					# (change requires restart)
 #dynamic_shared_memory_type = posix	# the default is the first option
 					# supported by the operating system:
 					#   posix
 					#   sysv
 					#   windows
 					#   mmap
 					# (change requires restart)
 # - Disk -
 #temp_file_limit = -1			# limits per-process temp file space
 					# in kB, or -1 for no limit
 # - Kernel Resources -
 #max_files_per_process = 1000		# min 25
 					# (change requires restart)
 # - Cost-Based Vacuum Delay -
 #vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables)
 #vacuum_cost_page_hit = 1		# 0-10000 credits
 #vacuum_cost_page_miss = 10		# 0-10000 credits
 #vacuum_cost_page_dirty = 20		# 0-10000 credits
 #vacuum_cost_limit = 200		# 1-10000 credits
 # - Background Writer -
 #bgwriter_delay = 200ms			# 10-10000ms between rounds
 #bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables
 #bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round
 #bgwriter_flush_after = 0		# measured in pages, 0 disables
 # - Asynchronous Behavior -
 #effective_io_concurrency = 1		# 1-1000; 0 disables prefetching
 #max_worker_processes = 8		# (change requires restart)
 #max_parallel_maintenance_workers = 2	# taken from max_parallel_workers
 #max_parallel_workers_per_gather = 2	# taken from max_parallel_workers
 #parallel_leader_participation = on
 #max_parallel_workers = 8		# maximum number of max_worker_processes that
 					# can be used in parallel operations
 #old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate
 					# (change requires restart)
 #backend_flush_after = 0		# measured in pages, 0 disables
 #------------------------------------------------------------------------------
 # WRITE-AHEAD LOG
 #------------------------------------------------------------------------------
 # - Settings -
 #wal_level = replica			# minimal, replica, or logical
 					# (change requires restart)
 #fsync = on				# flush data to disk for crash safety
 					# (turning this off can cause
 					# unrecoverable data corruption)
 #synchronous_commit = on		# synchronization level;
 					# off, local, remote_write, remote_apply, or on
 #wal_sync_method = fsync		# the default is the first option
 					# supported by the operating system:
 					#   open_datasync
 					#   fdatasync (default on Linux)
 					#   fsync
 					#   fsync_writethrough
 					#   open_sync
 #full_page_writes = on			# recover from partial page writes
 #wal_compression = off			# enable compression of full-page writes
 #wal_log_hints = off			# also do full page writes of non-critical updates
 					# (change requires restart)
 #wal_init_zero = on			# zero-fill new WAL files
 #wal_recycle = on			# recycle WAL files
 #wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
 					# (change requires restart)
 #wal_writer_delay = 200ms		# 1-10000 milliseconds
 #wal_writer_flush_after = 1MB		# measured in pages, 0 disables
 #commit_delay = 0			# range 0-100000, in microseconds
 #commit_siblings = 5			# range 1-1000
 # - Checkpoints -
 #checkpoint_timeout = 5min		# range 30s-1d
 #max_wal_size = 1GB
 #min_wal_size = 80MB
 #checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0
 #checkpoint_flush_after = 0		# measured in pages, 0 disables
 #checkpoint_warning = 30s		# 0 disables
 # - Archiving -
 #archive_mode = off		# enables archiving; off, on, or always
 				# (change requires restart)
 #archive_command = ''		# command to use to archive a logfile segment
 				# placeholders: %p = path of file to archive
 				#               %f = file name only
 				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
 #archive_timeout = 0		# force a logfile segment switch after this
 				# number of seconds; 0 disables
 # - Archive Recovery -
 # These are only used in recovery mode.
 #restore_command = ''		# command to use to restore an archived logfile segment
 				# placeholders: %p = path of file to restore
 				#               %f = file name only
 				# e.g. 'cp /mnt/server/archivedir/%f %p'
 				# (change requires restart)
 #archive_cleanup_command = ''	# command to execute at every restartpoint
 #recovery_end_command = ''	# command to execute at completion of recovery
 # - Recovery Target -
 # Set these only when performing a targeted recovery.
 #recovery_target = ''		# 'immediate' to end recovery as soon as a
                                # consistent state is reached
 				# (change requires restart)
 #recovery_target_name = ''	# the named restore point to which recovery will proceed
 				# (change requires restart)
 #recovery_target_time = ''	# the time stamp up to which recovery will proceed
 				# (change requires restart)
 #recovery_target_xid = ''	# the transaction ID up to which recovery will proceed
 				# (change requires restart)
 #recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed
 				# (change requires restart)
 #recovery_target_inclusive = on # Specifies whether to stop:
 				# just after the specified recovery target (on)
 				# just before the recovery target (off)
 				# (change requires restart)
 #recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID
 				# (change requires restart)
 #recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown'
 				# (change requires restart)
 #------------------------------------------------------------------------------
 # REPLICATION
 #------------------------------------------------------------------------------
 # - Sending Servers -
 # Set these on the master and on any standby that will send replication data.
 #max_wal_senders = 10		# max number of walsender processes
 				# (change requires restart)
 #wal_keep_segments = 0		# in logfile segments; 0 disables
 #wal_sender_timeout = 60s	# in milliseconds; 0 disables
 #max_replication_slots = 10	# max number of replication slots
 				# (change requires restart)
 #track_commit_timestamp = off	# collect timestamp of transaction commit
 				# (change requires restart)
 # - Master Server -
 # These settings are ignored on a standby server.
 #synchronous_standby_names = ''	# standby servers that provide sync rep
 				# method to choose sync standbys, number of sync standbys,
 				# and comma-separated list of application_name
 				# from standby(s); '*' = all
 #vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed
 # - Standby Servers -
 # These settings are ignored on a master server.
 #primary_conninfo = ''			# connection string to sending server
 					# (change requires restart)
 #primary_slot_name = ''			# replication slot on sending server
 					# (change requires restart)
 #promote_trigger_file = ''		# file name whose presence ends recovery
 #hot_standby = on			# "off" disallows queries during recovery
 					# (change requires restart)
 #max_standby_archive_delay = 30s	# max delay before canceling queries
 					# when reading WAL from archive;
 					# -1 allows indefinite delay
 #max_standby_streaming_delay = 30s	# max delay before canceling queries
 					# when reading streaming WAL;
 					# -1 allows indefinite delay
 #wal_receiver_status_interval = 10s	# send replies at least this often
 					# 0 disables
 #hot_standby_feedback = off		# send info from standby to prevent
 					# query conflicts
 #wal_receiver_timeout = 60s		# time that receiver waits for
 					# communication from master
 					# in milliseconds; 0 disables
 #wal_retrieve_retry_interval = 5s	# time to wait before retrying to
 					# retrieve WAL after a failed attempt
 #recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery
 # - Subscribers -
 # These settings are ignored on a publisher.
 #max_logical_replication_workers = 4	# taken from max_worker_processes
 					# (change requires restart)
 #max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers
 #------------------------------------------------------------------------------
 # QUERY TUNING
 #------------------------------------------------------------------------------
 # - Planner Method Configuration -
 #enable_bitmapscan = on
 #enable_hashagg = on
 #enable_hashjoin = on
 #enable_indexscan = on
 #enable_indexonlyscan = on
 #enable_material = on
 #enable_mergejoin = on
 #enable_nestloop = on
 #enable_parallel_append = on
 #enable_seqscan = on
 #enable_sort = on
 #enable_tidscan = on
 #enable_partitionwise_join = off
 #enable_partitionwise_aggregate = off
 #enable_parallel_hash = on
 #enable_partition_pruning = on
 # - Planner Cost Constants -
 #seq_page_cost = 1.0			# measured on an arbitrary scale
 #random_page_cost = 4.0			# same scale as above
 #cpu_tuple_cost = 0.01			# same scale as above
 #cpu_index_tuple_cost = 0.005		# same scale as above
 #cpu_operator_cost = 0.0025		# same scale as above
 #parallel_tuple_cost = 0.1		# same scale as above
 #parallel_setup_cost = 1000.0	# same scale as above
 #jit_above_cost = 100000		# perform JIT compilation if available
 					# and query more expensive than this;
 					# -1 disables
 #jit_inline_above_cost = 500000		# inline small functions if query is
 					# more expensive than this; -1 disables
 #jit_optimize_above_cost = 500000	# use expensive JIT optimizations if
 					# query is more expensive than this;
 					# -1 disables
 #min_parallel_table_scan_size = 8MB
 #min_parallel_index_scan_size = 512kB
 #effective_cache_size = 4GB
 # - Genetic Query Optimizer -
 #geqo = on
 #geqo_threshold = 12
 #geqo_effort = 5			# range 1-10
 #geqo_pool_size = 0			# selects default based on effort
 #geqo_generations = 0			# selects default based on effort
 #geqo_selection_bias = 2.0		# range 1.5-2.0
 #geqo_seed = 0.0			# range 0.0-1.0
 # - Other Planner Options -
 #default_statistics_target = 100	# range 1-10000
 #constraint_exclusion = partition	# on, off, or partition
 #cursor_tuple_fraction = 0.1		# range 0.0-1.0
 #from_collapse_limit = 8
 #join_collapse_limit = 8		# 1 disables collapsing of explicit
 					# JOIN clauses
 #force_parallel_mode = off
 #jit = on				# allow JIT compilation
 #plan_cache_mode = auto			# auto, force_generic_plan or
 					# force_custom_plan
 #------------------------------------------------------------------------------
 # REPORTING AND LOGGING
 #------------------------------------------------------------------------------
 # - Where to Log -
 #log_destination = 'stderr'		# Valid values are combinations of
 					# stderr, csvlog, syslog, and eventlog,
 					# depending on platform.  csvlog
 					# requires logging_collector to be on.
 # This is used when logging to stderr:
 #logging_collector = off		# Enable capturing of stderr and csvlog
 					# into log files. Required to be on for
 					# csvlogs.
 					# (change requires restart)
 # These are only used if logging_collector is on:
 #log_directory = 'log'			# directory where log files are written,
 					# can be absolute or relative to PGDATA
 #log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'	# log file name pattern,
 					# can include strftime() escapes
 #log_file_mode = 0600			# creation mode for log files,
 					# begin with 0 to use octal notation
 #log_truncate_on_rotation = off		# If on, an existing log file with the
 					# same name as the new log file will be
 					# truncated rather than appended to.
 					# But such truncation only occurs on
 					# time-driven rotation, not on restarts
 					# or size-driven rotation.  Default is
 					# off, meaning append to existing files
 					# in all cases.
 #log_rotation_age = 1d			# Automatic rotation of logfiles will
 					# happen after that time.  0 disables.
 #log_rotation_size = 10MB		# Automatic rotation of logfiles will
 					# happen after that much log output.
 					# 0 disables.
 # These are relevant when logging to syslog:
 #syslog_facility = 'LOCAL0'
 #syslog_ident = 'postgres'
 #syslog_sequence_numbers = on
 #syslog_split_messages = on
 # This is only relevant when logging to eventlog (win32):
 # (change requires restart)
 #event_source = 'PostgreSQL'
 # - When to Log -
 #log_min_messages = warning		# values in order of decreasing detail:
 					#   debug5
 					#   debug4
 					#   debug3
 					#   debug2
 					#   debug1
 					#   info
 					#   notice
 					#   warning
 					#   error
 					#   log
 					#   fatal
 					#   panic
 #log_min_error_statement = error	# values in order of decreasing detail:
 					#   debug5
 					#   debug4
 					#   debug3
 					#   debug2
 					#   debug1
 					#   info
 					#   notice
 					#   warning
 					#   error
 					#   log
 					#   fatal
 					#   panic (effectively off)
 #log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements
 					# and their durations, > 0 logs only
 					# statements running at least this number
 					# of milliseconds
 #log_transaction_sample_rate = 0.0	# Fraction of transactions whose statements
 					# are logged regardless of their duration. 1.0 logs all
 					# statements from all transactions, 0.0 never logs.
 # - What to Log -
 #debug_print_parse = off
 #debug_print_rewritten = off
 #debug_print_plan = off
 #debug_pretty_print = on
 #log_checkpoints = off
 #log_connections = off
 #log_disconnections = off
 #log_duration = off
 #log_error_verbosity = default		# terse, default, or verbose messages
 #log_hostname = off
 #log_line_prefix = '%m [%p] '		# special values:
 					#   %a = application name
 					#   %u = user name
 					#   %d = database name
 					#   %r = remote host and port
 					#   %h = remote host
 					#   %p = process ID
 					#   %t = timestamp without milliseconds
 					#   %m = timestamp with milliseconds
 					#   %n = timestamp with milliseconds (as a Unix epoch)
 					#   %i = command tag
 					#   %e = SQL state
 					#   %c = session ID
 					#   %l = session line number
 					#   %s = session start timestamp
 					#   %v = virtual transaction ID
 					#   %x = transaction ID (0 if none)
 					#   %q = stop here in non-session
 					#        processes
 					#   %% = '%'
 					# e.g. '<%u%%%d> '
 #log_lock_waits = off			# log lock waits >= deadlock_timeout
 #log_statement = 'none'			# none, ddl, mod, all
 #log_replication_commands = off
 #log_temp_files = -1			# log temporary files equal or larger
 					# than the specified size in kilobytes;
 					# -1 disables, 0 logs all temp files
 #log_timezone = 'GMT'
 #------------------------------------------------------------------------------
 # PROCESS TITLE
 #------------------------------------------------------------------------------
 #cluster_name = ''			# added to process titles if nonempty
 					# (change requires restart)
 #update_process_title = on
 #------------------------------------------------------------------------------
 # STATISTICS
 #------------------------------------------------------------------------------
 # - Query and Index Statistics Collector -
 #track_activities = on
 #track_counts = on
 #track_io_timing = off
 #track_functions = none			# none, pl, all
 #track_activity_query_size = 1024	# (change requires restart)
 #stats_temp_directory = 'pg_stat_tmp'
 # - Monitoring -
 #log_parser_stats = off
 #log_planner_stats = off
 #log_executor_stats = off
 #log_statement_stats = off
 #------------------------------------------------------------------------------
 # AUTOVACUUM
 #------------------------------------------------------------------------------
 #autovacuum = on			# Enable autovacuum subprocess?  'on'
 					# requires track_counts to also be on.
 #log_autovacuum_min_duration = -1	# -1 disables, 0 logs all actions and
 					# their durations, > 0 logs only
 					# actions running at least this number
 					# of milliseconds.
 #autovacuum_max_workers = 3		# max number of autovacuum subprocesses
 					# (change requires restart)
 #autovacuum_naptime = 1min		# time between autovacuum runs
 #autovacuum_vacuum_threshold = 50	# min number of row updates before
 					# vacuum
 #autovacuum_analyze_threshold = 50	# min number of row updates before
 					# analyze
 #autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum
 #autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze
 #autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum
 					# (change requires restart)
 #autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age
 					# before forced vacuum
 					# (change requires restart)
 #autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for
 					# autovacuum, in milliseconds;
 					# -1 means use vacuum_cost_delay
 #autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for
 					# autovacuum, -1 means use
 					# vacuum_cost_limit
 #------------------------------------------------------------------------------
 # CLIENT CONNECTION DEFAULTS
 #------------------------------------------------------------------------------
 # - Statement Behavior -
 #client_min_messages = notice		# values in order of decreasing detail:
 					#   debug5
 					#   debug4
 					#   debug3
 					#   debug2
 					#   debug1
 					#   log
 					#   notice
 					#   warning
 					#   error
 #search_path = '"$user", public'	# schema names
 #row_security = on
 #default_tablespace = ''		# a tablespace name, '' uses the default
 #temp_tablespaces = ''			# a list of tablespace names, '' uses
 					# only default tablespace
 #default_table_access_method = 'heap'
 #check_function_bodies = on
 #default_transaction_isolation = 'read committed'
 #default_transaction_read_only = off
 #default_transaction_deferrable = off
 #session_replication_role = 'origin'
 #statement_timeout = 0			# in milliseconds, 0 is disabled
 #lock_timeout = 0			# in milliseconds, 0 is disabled
 #idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled
 #vacuum_freeze_min_age = 50000000
 #vacuum_freeze_table_age = 150000000
 #vacuum_multixact_freeze_min_age = 5000000
 #vacuum_multixact_freeze_table_age = 150000000
 #vacuum_cleanup_index_scale_factor = 0.1	# fraction of total number of tuples
 						# before index cleanup, 0 always performs
 						# index cleanup
 #bytea_output = 'hex'			# hex, escape
 #xmlbinary = 'base64'
 #xmloption = 'content'
 #gin_fuzzy_search_limit = 0
 #gin_pending_list_limit = 4MB
 # - Locale and Formatting -
 #datestyle = 'iso, mdy'
 #intervalstyle = 'postgres'
 #timezone = 'GMT'
 #timezone_abbreviations = 'Default'     # Select the set of available time zone
 					# abbreviations.  Currently, there are
 					#   Default
 					#   Australia (historical usage)
 					#   India
 					# You can create your own file in
 					# share/timezonesets/.
 #extra_float_digits = 1			# min -15, max 3; any value >0 actually
 					# selects precise output mode
 #client_encoding = sql_ascii		# actually, defaults to database
 					# encoding
 # These settings are initialized by initdb, but they can be changed.
 #lc_messages = 'C'			# locale for system error message
 					# strings
 #lc_monetary = 'C'			# locale for monetary formatting
 #lc_numeric = 'C'			# locale for number formatting
 #lc_time = 'C'				# locale for time formatting
 # default configuration for text search
 #default_text_search_config = 'pg_catalog.simple'
 # - Shared Library Preloading -
 #shared_preload_libraries = ''	# (change requires restart)
 #local_preload_libraries = ''
 #session_preload_libraries = ''
 #jit_provider = 'llvmjit'		# JIT library to use
 # - Other Defaults -
 #dynamic_library_path = '$libdir'
 #------------------------------------------------------------------------------
 # LOCK MANAGEMENT
 #------------------------------------------------------------------------------
 #deadlock_timeout = 1s
 #max_locks_per_transaction = 64		# min 10
 					# (change requires restart)
 #max_pred_locks_per_transaction = 64	# min 10
 					# (change requires restart)
 #max_pred_locks_per_relation = -2	# negative values mean
 					# (max_pred_locks_per_transaction
 					#  / -max_pred_locks_per_relation) - 1
 #max_pred_locks_per_page = 2            # min 0
 #------------------------------------------------------------------------------
 # VERSION AND PLATFORM COMPATIBILITY
 #------------------------------------------------------------------------------
 # - Previous PostgreSQL Versions -
 #array_nulls = on
 #backslash_quote = safe_encoding	# on, off, or safe_encoding
 #escape_string_warning = on
 #lo_compat_privileges = off
 #operator_precedence_warning = off
 #quote_all_identifiers = off
 #standard_conforming_strings = on
 #synchronize_seqscans = on
 # - Other Platforms and Clients -
 #transform_null_equals = off
 #------------------------------------------------------------------------------
 # ERROR HANDLING
 #------------------------------------------------------------------------------
 #exit_on_error = off			# terminate session on any error?
 #restart_after_crash = on		# reinitialize after backend crash?
 #data_sync_retry = off			# retry or panic on failure to fsync
 					# data?
 					# (change requires restart)
 #------------------------------------------------------------------------------
 # CONFIG FILE INCLUDES
 #------------------------------------------------------------------------------
 # These options allow settings to be loaded from files other than the
 # default postgresql.conf.  Note that these are directives, not variable
 # assignments, so they can usefully be given more than once.
 #include_dir = '...'			# include files ending in '.conf' from
 					# a directory, e.g., 'conf.d'
 #include_if_exists = '...'		# include file only if it exists
 #include = '...'			# include file
 #------------------------------------------------------------------------------
 # CUSTOMIZED OPTIONS
 #------------------------------------------------------------------------------
 # Add settings for extensions here
--- a/molecule/quarkus_ha/prepare.yml
+++ b/molecule/quarkus_ha/prepare.yml
@@ -0,0 +1,48 @@
 ---
 - name: Prepare
  hosts: keycloak
  vars_files:
    - ../group_vars/all/vars.yml
  tasks:
    - name: "Display hera_home if defined."
      ansible.builtin.set_fact:
        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
    - name: "Ensure common prepare phase are set."
      ansible.builtin.include_tasks: ../prepare.yml
    - name: Create certificate request
      ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
      args:
        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      changed_when: False
    - name: Create vault directory
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      ansible.builtin.file:
        state: directory
        path: "/opt/keycloak/vault"
        mode: 0755
    - name: Make sure a jre is available (for keytool to prepare keystore)
      delegate_to: localhost
      ansible.builtin.package:
        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
        state: present
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      failed_when: false
    - name: Create vault keystore
      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
      delegate_to: localhost
      register: keytool_cmd
      changed_when: False
      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
    - name: Copy certificates and vault
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      ansible.builtin.copy:
        src: keystore.p12
        dest: /opt/keycloak/vault/keystore.p12
        mode: 0444
--- a/molecule/quarkus_ha/roles
+++ b/molecule/quarkus_ha/roles
@@ -0,0 +1 @@
 ../../roles
--- a/molecule/quarkus_ha/verify.yml
+++ b/molecule/quarkus_ha/verify.yml
@@ -0,0 +1,31 @@
 ---
 - name: Verify
  hosts: keycloak
  vars_files:
    - ../group_vars/all/vars.yml
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
    - name: Check if keycloak service started
      ansible.builtin.assert:
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
        fail_msg: "Service not running"
    - name: Set internal envvar
      ansible.builtin.set_fact:
        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
    - name: Check log file
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      ansible.builtin.stat:
        path: /var/log/keycloak/keycloak.log
      register: keycloak_log_file
    - name: Check if keycloak file exists
      ansible.builtin.assert:
        that:
          - keycloak_log_file.stat.exists
          - not keycloak_log_file.stat.isdir
--- a/molecule/quarkus_ha_26.4_below/converge.yml
+++ b/molecule/quarkus_ha_26.4_below/converge.yml
@@ -0,0 +1,32 @@
 ---
 - name: Converge
  hosts: keycloak
  vars_files:
    - ../group_vars/all/vars.yml
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
    keycloak_quarkus_log: file
    keycloak_quarkus_log_level: info
    keycloak_quarkus_https_key_file_enabled: true
    keycloak_quarkus_key_file_copy_enabled: true
    keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}"
    keycloak_quarkus_cert_file_copy_enabled: true
    keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem"
    keycloak_quarkus_ks_vault_enabled: true
    keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
    keycloak_quarkus_ks_vault_pass: keystorepassword
    keycloak_quarkus_systemd_wait_for_port: true
    keycloak_quarkus_systemd_wait_for_timeout: 20
    keycloak_quarkus_systemd_wait_for_delay: 2
    keycloak_quarkus_systemd_wait_for_log: true
    keycloak_quarkus_ha_enabled: true
    keycloak_quarkus_restart_strategy: restart/serial.yml
    keycloak_quarkus_db_user: keycloak
    keycloak_quarkus_db_pass: mysecretpass
    keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
    keycloak_quarkus_version: 26.3.5
  roles:
    - role: keycloak_quarkus
--- a/molecule/quarkus_ha_26.4_below/molecule.yml
+++ b/molecule/quarkus_ha_26.4_below/molecule.yml
@@ -0,0 +1,82 @@
 ---
 driver:
  name: docker
 platforms:
  - name: instance1
    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
    groups:
      - keycloak
    networks:
      - name: rhbk
    port_bindings:
      - "8080/tcp"
      - "8443/tcp"
      - "9000/tcp"
  - name: instance2
    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
    groups:
      - keycloak
    networks:
      - name: rhbk
    port_bindings:
      - "8080/tcp"
      - "8443/tcp"
      - "9000/tcp"
  - name: postgres
    image: ubuntu/postgres:14-22.04_beta
    pre_build_image: true
    privileged: true
    command: postgres
    groups:
      - database
    networks:
      - name: rhbk
    port_bindings:
      - "5432/tcp"
    mounts:
      - type: bind
        target: /etc/postgresql/postgresql.conf
        source: ${MOLECULE_PROJECT_DIRECTORY}/molecule/quarkus_ha/postgresql/postgresql.conf
    env:
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: mysecretpass
      POSTGRES_DB: keycloak
      POSTGRES_HOST_AUTH_METHOD: trust
 provisioner:
  name: ansible
  config_options:
    defaults:
      interpreter_python: auto_silent
    ssh_connection:
      pipelining: false
  playbooks:
    prepare: prepare.yml
    converge: converge.yml
    verify: verify.yml
  inventory:
    host_vars:
      localhost:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
    PYTHONHTTPSVERIFY: 0
 verifier:
  name: ansible
 scenario:
  test_sequence:
    - cleanup
    - destroy
    - create
    - prepare
    - converge
    - idempotence
    - side_effect
    - verify
    - cleanup
    - destroy
--- a/molecule/quarkus_ha_26.4_below/postgresql/postgresql.conf
+++ b/molecule/quarkus_ha_26.4_below/postgresql/postgresql.conf
@@ -0,0 +1,750 @@
 # -----------------------------
 # PostgreSQL configuration file
 # -----------------------------
 #
 # This file consists of lines of the form:
 #
 #   name = value
 #
 # (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
 # "#" anywhere on a line.  The complete list of parameter names and allowed
 # values can be found in the PostgreSQL documentation.
 #
 # The commented-out settings shown in this file represent the default values.
 # Re-commenting a setting is NOT sufficient to revert it to the default value;
 # you need to reload the server.
 #
 # This file is read on server startup and when the server receives a SIGHUP
 # signal.  If you edit the file on a running system, you have to SIGHUP the
 # server for the changes to take effect, run "pg_ctl reload", or execute
 # "SELECT pg_reload_conf()".  Some parameters, which are marked below,
 # require a server shutdown and restart to take effect.
 #
 # Any parameter can also be given as a command-line option to the server, e.g.,
 # "postgres -c log_connections=on".  Some parameters can be changed at run time
 # with the "SET" SQL command.
 #
 # Memory units:  kB = kilobytes        Time units:  ms  = milliseconds
 #                MB = megabytes                     s   = seconds
 #                GB = gigabytes                     min = minutes
 #                TB = terabytes                     h   = hours
 #                                                   d   = days
 #------------------------------------------------------------------------------
 # FILE LOCATIONS
 #------------------------------------------------------------------------------
 # The default values of these variables are driven from the -D command-line
 # option or PGDATA environment variable, represented here as ConfigDir.
 #data_directory = 'ConfigDir'		# use data in another directory
 					# (change requires restart)
 #hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file
 					# (change requires restart)
 #ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file
 					# (change requires restart)
 # If external_pid_file is not explicitly set, no extra PID file is written.
 #external_pid_file = ''			# write an extra PID file
 					# (change requires restart)
 #------------------------------------------------------------------------------
 # CONNECTIONS AND AUTHENTICATION
 #------------------------------------------------------------------------------
 # - Connection Settings -
 listen_addresses = '*'		# what IP address(es) to listen on;
 					# comma-separated list of addresses;
 					# defaults to 'localhost'; use '*' for all
 					# (change requires restart)
 #port = 5432				# (change requires restart)
 #max_connections = 100			# (change requires restart)
 #superuser_reserved_connections = 3	# (change requires restart)
 #unix_socket_directories = '/tmp'	# comma-separated list of directories
 					# (change requires restart)
 #unix_socket_group = ''			# (change requires restart)
 #unix_socket_permissions = 0777		# begin with 0 to use octal notation
 					# (change requires restart)
 #bonjour = off				# advertise server via Bonjour
 					# (change requires restart)
 #bonjour_name = ''			# defaults to the computer name
 					# (change requires restart)
 # - TCP settings -
 # see "man 7 tcp" for details
 #tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds;
 					# 0 selects the system default
 #tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds;
 					# 0 selects the system default
 #tcp_keepalives_count = 0		# TCP_KEEPCNT;
 					# 0 selects the system default
 #tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds;
 					# 0 selects the system default
 # - Authentication -
 #authentication_timeout = 1min		# 1s-600s
 #password_encryption = md5		# md5 or scram-sha-256
 #db_user_namespace = off
 # GSSAPI using Kerberos
 #krb_server_keyfile = ''
 #krb_caseins_users = off
 # - SSL -
 #ssl = off
 #ssl_ca_file = ''
 #ssl_cert_file = 'server.crt'
 #ssl_crl_file = ''
 #ssl_key_file = 'server.key'
 #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
 #ssl_prefer_server_ciphers = on
 #ssl_ecdh_curve = 'prime256v1'
 #ssl_min_protocol_version = 'TLSv1'
 #ssl_max_protocol_version = ''
 #ssl_dh_params_file = ''
 #ssl_passphrase_command = ''
 #ssl_passphrase_command_supports_reload = off
 #------------------------------------------------------------------------------
 # RESOURCE USAGE (except WAL)
 #------------------------------------------------------------------------------
 # - Memory -
 #shared_buffers = 32MB			# min 128kB
 					# (change requires restart)
 #huge_pages = try			# on, off, or try
 					# (change requires restart)
 #temp_buffers = 8MB			# min 800kB
 #max_prepared_transactions = 0		# zero disables the feature
 					# (change requires restart)
 # Caution: it is not advisable to set max_prepared_transactions nonzero unless
 # you actively intend to use prepared transactions.
 #work_mem = 4MB				# min 64kB
 #maintenance_work_mem = 64MB		# min 1MB
 #autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem
 #max_stack_depth = 2MB			# min 100kB
 #shared_memory_type = mmap		# the default is the first option
 					# supported by the operating system:
 					#   mmap
 					#   sysv
 					#   windows
 					# (change requires restart)
 #dynamic_shared_memory_type = posix	# the default is the first option
 					# supported by the operating system:
 					#   posix
 					#   sysv
 					#   windows
 					#   mmap
 					# (change requires restart)
 # - Disk -
 #temp_file_limit = -1			# limits per-process temp file space
 					# in kB, or -1 for no limit
 # - Kernel Resources -
 #max_files_per_process = 1000		# min 25
 					# (change requires restart)
 # - Cost-Based Vacuum Delay -
 #vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables)
 #vacuum_cost_page_hit = 1		# 0-10000 credits
 #vacuum_cost_page_miss = 10		# 0-10000 credits
 #vacuum_cost_page_dirty = 20		# 0-10000 credits
 #vacuum_cost_limit = 200		# 1-10000 credits
 # - Background Writer -
 #bgwriter_delay = 200ms			# 10-10000ms between rounds
 #bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables
 #bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round
 #bgwriter_flush_after = 0		# measured in pages, 0 disables
 # - Asynchronous Behavior -
 #effective_io_concurrency = 1		# 1-1000; 0 disables prefetching
 #max_worker_processes = 8		# (change requires restart)
 #max_parallel_maintenance_workers = 2	# taken from max_parallel_workers
 #max_parallel_workers_per_gather = 2	# taken from max_parallel_workers
 #parallel_leader_participation = on
 #max_parallel_workers = 8		# maximum number of max_worker_processes that
 					# can be used in parallel operations
 #old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate
 					# (change requires restart)
 #backend_flush_after = 0		# measured in pages, 0 disables
 #------------------------------------------------------------------------------
 # WRITE-AHEAD LOG
 #------------------------------------------------------------------------------
 # - Settings -
 #wal_level = replica			# minimal, replica, or logical
 					# (change requires restart)
 #fsync = on				# flush data to disk for crash safety
 					# (turning this off can cause
 					# unrecoverable data corruption)
 #synchronous_commit = on		# synchronization level;
 					# off, local, remote_write, remote_apply, or on
 #wal_sync_method = fsync		# the default is the first option
 					# supported by the operating system:
 					#   open_datasync
 					#   fdatasync (default on Linux)
 					#   fsync
 					#   fsync_writethrough
 					#   open_sync
 #full_page_writes = on			# recover from partial page writes
 #wal_compression = off			# enable compression of full-page writes
 #wal_log_hints = off			# also do full page writes of non-critical updates
 					# (change requires restart)
 #wal_init_zero = on			# zero-fill new WAL files
 #wal_recycle = on			# recycle WAL files
 #wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
 					# (change requires restart)
 #wal_writer_delay = 200ms		# 1-10000 milliseconds
 #wal_writer_flush_after = 1MB		# measured in pages, 0 disables
 #commit_delay = 0			# range 0-100000, in microseconds
 #commit_siblings = 5			# range 1-1000
 # - Checkpoints -
 #checkpoint_timeout = 5min		# range 30s-1d
 #max_wal_size = 1GB
 #min_wal_size = 80MB
 #checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0
 #checkpoint_flush_after = 0		# measured in pages, 0 disables
 #checkpoint_warning = 30s		# 0 disables
 # - Archiving -
 #archive_mode = off		# enables archiving; off, on, or always
 				# (change requires restart)
 #archive_command = ''		# command to use to archive a logfile segment
 				# placeholders: %p = path of file to archive
 				#               %f = file name only
 				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
 #archive_timeout = 0		# force a logfile segment switch after this
 				# number of seconds; 0 disables
 # - Archive Recovery -
 # These are only used in recovery mode.
 #restore_command = ''		# command to use to restore an archived logfile segment
 				# placeholders: %p = path of file to restore
 				#               %f = file name only
 				# e.g. 'cp /mnt/server/archivedir/%f %p'
 				# (change requires restart)
 #archive_cleanup_command = ''	# command to execute at every restartpoint
 #recovery_end_command = ''	# command to execute at completion of recovery
 # - Recovery Target -
 # Set these only when performing a targeted recovery.
 #recovery_target = ''		# 'immediate' to end recovery as soon as a
                                # consistent state is reached
 				# (change requires restart)
 #recovery_target_name = ''	# the named restore point to which recovery will proceed
 				# (change requires restart)
 #recovery_target_time = ''	# the time stamp up to which recovery will proceed
 				# (change requires restart)
 #recovery_target_xid = ''	# the transaction ID up to which recovery will proceed
 				# (change requires restart)
 #recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed
 				# (change requires restart)
 #recovery_target_inclusive = on # Specifies whether to stop:
 				# just after the specified recovery target (on)
 				# just before the recovery target (off)
 				# (change requires restart)
 #recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID
 				# (change requires restart)
 #recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown'
 				# (change requires restart)
 #------------------------------------------------------------------------------
 # REPLICATION
 #------------------------------------------------------------------------------
 # - Sending Servers -
 # Set these on the master and on any standby that will send replication data.
 #max_wal_senders = 10		# max number of walsender processes
 				# (change requires restart)
 #wal_keep_segments = 0		# in logfile segments; 0 disables
 #wal_sender_timeout = 60s	# in milliseconds; 0 disables
 #max_replication_slots = 10	# max number of replication slots
 				# (change requires restart)
 #track_commit_timestamp = off	# collect timestamp of transaction commit
 				# (change requires restart)
 # - Master Server -
 # These settings are ignored on a standby server.
 #synchronous_standby_names = ''	# standby servers that provide sync rep
 				# method to choose sync standbys, number of sync standbys,
 				# and comma-separated list of application_name
 				# from standby(s); '*' = all
 #vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed
 # - Standby Servers -
 # These settings are ignored on a master server.
 #primary_conninfo = ''			# connection string to sending server
 					# (change requires restart)
 #primary_slot_name = ''			# replication slot on sending server
 					# (change requires restart)
 #promote_trigger_file = ''		# file name whose presence ends recovery
 #hot_standby = on			# "off" disallows queries during recovery
 					# (change requires restart)
 #max_standby_archive_delay = 30s	# max delay before canceling queries
 					# when reading WAL from archive;
 					# -1 allows indefinite delay
 #max_standby_streaming_delay = 30s	# max delay before canceling queries
 					# when reading streaming WAL;
 					# -1 allows indefinite delay
 #wal_receiver_status_interval = 10s	# send replies at least this often
 					# 0 disables
 #hot_standby_feedback = off		# send info from standby to prevent
 					# query conflicts
 #wal_receiver_timeout = 60s		# time that receiver waits for
 					# communication from master
 					# in milliseconds; 0 disables
 #wal_retrieve_retry_interval = 5s	# time to wait before retrying to
 					# retrieve WAL after a failed attempt
 #recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery
 # - Subscribers -
 # These settings are ignored on a publisher.
 #max_logical_replication_workers = 4	# taken from max_worker_processes
 					# (change requires restart)
 #max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers
 #------------------------------------------------------------------------------
 # QUERY TUNING
 #------------------------------------------------------------------------------
 # - Planner Method Configuration -
 #enable_bitmapscan = on
 #enable_hashagg = on
 #enable_hashjoin = on
 #enable_indexscan = on
 #enable_indexonlyscan = on
 #enable_material = on
 #enable_mergejoin = on
 #enable_nestloop = on
 #enable_parallel_append = on
 #enable_seqscan = on
 #enable_sort = on
 #enable_tidscan = on
 #enable_partitionwise_join = off
 #enable_partitionwise_aggregate = off
 #enable_parallel_hash = on
 #enable_partition_pruning = on
 # - Planner Cost Constants -
 #seq_page_cost = 1.0			# measured on an arbitrary scale
 #random_page_cost = 4.0			# same scale as above
 #cpu_tuple_cost = 0.01			# same scale as above
 #cpu_index_tuple_cost = 0.005		# same scale as above
 #cpu_operator_cost = 0.0025		# same scale as above
 #parallel_tuple_cost = 0.1		# same scale as above
 #parallel_setup_cost = 1000.0	# same scale as above
 #jit_above_cost = 100000		# perform JIT compilation if available
 					# and query more expensive than this;
 					# -1 disables
 #jit_inline_above_cost = 500000		# inline small functions if query is
 					# more expensive than this; -1 disables
 #jit_optimize_above_cost = 500000	# use expensive JIT optimizations if
 					# query is more expensive than this;
 					# -1 disables
 #min_parallel_table_scan_size = 8MB
 #min_parallel_index_scan_size = 512kB
 #effective_cache_size = 4GB
 # - Genetic Query Optimizer -
 #geqo = on
 #geqo_threshold = 12
 #geqo_effort = 5			# range 1-10
 #geqo_pool_size = 0			# selects default based on effort
 #geqo_generations = 0			# selects default based on effort
 #geqo_selection_bias = 2.0		# range 1.5-2.0
 #geqo_seed = 0.0			# range 0.0-1.0
 # - Other Planner Options -
 #default_statistics_target = 100	# range 1-10000
 #constraint_exclusion = partition	# on, off, or partition
 #cursor_tuple_fraction = 0.1		# range 0.0-1.0
 #from_collapse_limit = 8
 #join_collapse_limit = 8		# 1 disables collapsing of explicit
 					# JOIN clauses
 #force_parallel_mode = off
 #jit = on				# allow JIT compilation
 #plan_cache_mode = auto			# auto, force_generic_plan or
 					# force_custom_plan
 #------------------------------------------------------------------------------
 # REPORTING AND LOGGING
 #------------------------------------------------------------------------------
 # - Where to Log -
 #log_destination = 'stderr'		# Valid values are combinations of
 					# stderr, csvlog, syslog, and eventlog,
 					# depending on platform.  csvlog
 					# requires logging_collector to be on.
 # This is used when logging to stderr:
 #logging_collector = off		# Enable capturing of stderr and csvlog
 					# into log files. Required to be on for
 					# csvlogs.
 					# (change requires restart)
 # These are only used if logging_collector is on:
 #log_directory = 'log'			# directory where log files are written,
 					# can be absolute or relative to PGDATA
 #log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'	# log file name pattern,
 					# can include strftime() escapes
 #log_file_mode = 0600			# creation mode for log files,
 					# begin with 0 to use octal notation
 #log_truncate_on_rotation = off		# If on, an existing log file with the
 					# same name as the new log file will be
 					# truncated rather than appended to.
 					# But such truncation only occurs on
 					# time-driven rotation, not on restarts
 					# or size-driven rotation.  Default is
 					# off, meaning append to existing files
 					# in all cases.
 #log_rotation_age = 1d			# Automatic rotation of logfiles will
 					# happen after that time.  0 disables.
 #log_rotation_size = 10MB		# Automatic rotation of logfiles will
 					# happen after that much log output.
 					# 0 disables.
 # These are relevant when logging to syslog:
 #syslog_facility = 'LOCAL0'
 #syslog_ident = 'postgres'
 #syslog_sequence_numbers = on
 #syslog_split_messages = on
 # This is only relevant when logging to eventlog (win32):
 # (change requires restart)
 #event_source = 'PostgreSQL'
 # - When to Log -
 #log_min_messages = warning		# values in order of decreasing detail:
 					#   debug5
 					#   debug4
 					#   debug3
 					#   debug2
 					#   debug1
 					#   info
 					#   notice
 					#   warning
 					#   error
 					#   log
 					#   fatal
 					#   panic
 #log_min_error_statement = error	# values in order of decreasing detail:
 					#   debug5
 					#   debug4
 					#   debug3
 					#   debug2
 					#   debug1
 					#   info
 					#   notice
 					#   warning
 					#   error
 					#   log
 					#   fatal
 					#   panic (effectively off)
 #log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements
 					# and their durations, > 0 logs only
 					# statements running at least this number
 					# of milliseconds
 #log_transaction_sample_rate = 0.0	# Fraction of transactions whose statements
 					# are logged regardless of their duration. 1.0 logs all
 					# statements from all transactions, 0.0 never logs.
 # - What to Log -
 #debug_print_parse = off
 #debug_print_rewritten = off
 #debug_print_plan = off
 #debug_pretty_print = on
 #log_checkpoints = off
 #log_connections = off
 #log_disconnections = off
 #log_duration = off
 #log_error_verbosity = default		# terse, default, or verbose messages
 #log_hostname = off
 #log_line_prefix = '%m [%p] '		# special values:
 					#   %a = application name
 					#   %u = user name
 					#   %d = database name
 					#   %r = remote host and port
 					#   %h = remote host
 					#   %p = process ID
 					#   %t = timestamp without milliseconds
 					#   %m = timestamp with milliseconds
 					#   %n = timestamp with milliseconds (as a Unix epoch)
 					#   %i = command tag
 					#   %e = SQL state
 					#   %c = session ID
 					#   %l = session line number
 					#   %s = session start timestamp
 					#   %v = virtual transaction ID
 					#   %x = transaction ID (0 if none)
 					#   %q = stop here in non-session
 					#        processes
 					#   %% = '%'
 					# e.g. '<%u%%%d> '
 #log_lock_waits = off			# log lock waits >= deadlock_timeout
 #log_statement = 'none'			# none, ddl, mod, all
 #log_replication_commands = off
 #log_temp_files = -1			# log temporary files equal or larger
 					# than the specified size in kilobytes;
 					# -1 disables, 0 logs all temp files
 #log_timezone = 'GMT'
 #------------------------------------------------------------------------------
 # PROCESS TITLE
 #------------------------------------------------------------------------------
 #cluster_name = ''			# added to process titles if nonempty
 					# (change requires restart)
 #update_process_title = on
 #------------------------------------------------------------------------------
 # STATISTICS
 #------------------------------------------------------------------------------
 # - Query and Index Statistics Collector -
 #track_activities = on
 #track_counts = on
 #track_io_timing = off
 #track_functions = none			# none, pl, all
 #track_activity_query_size = 1024	# (change requires restart)
 #stats_temp_directory = 'pg_stat_tmp'
 # - Monitoring -
 #log_parser_stats = off
 #log_planner_stats = off
 #log_executor_stats = off
 #log_statement_stats = off
 #------------------------------------------------------------------------------
 # AUTOVACUUM
 #------------------------------------------------------------------------------
 #autovacuum = on			# Enable autovacuum subprocess?  'on'
 					# requires track_counts to also be on.
 #log_autovacuum_min_duration = -1	# -1 disables, 0 logs all actions and
 					# their durations, > 0 logs only
 					# actions running at least this number
 					# of milliseconds.
 #autovacuum_max_workers = 3		# max number of autovacuum subprocesses
 					# (change requires restart)
 #autovacuum_naptime = 1min		# time between autovacuum runs
 #autovacuum_vacuum_threshold = 50	# min number of row updates before
 					# vacuum
 #autovacuum_analyze_threshold = 50	# min number of row updates before
 					# analyze
 #autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum
 #autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze
 #autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum
 					# (change requires restart)
 #autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age
 					# before forced vacuum
 					# (change requires restart)
 #autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for
 					# autovacuum, in milliseconds;
 					# -1 means use vacuum_cost_delay
 #autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for
 					# autovacuum, -1 means use
 					# vacuum_cost_limit
 #------------------------------------------------------------------------------
 # CLIENT CONNECTION DEFAULTS
 #------------------------------------------------------------------------------
 # - Statement Behavior -
 #client_min_messages = notice		# values in order of decreasing detail:
 					#   debug5
 					#   debug4
 					#   debug3
 					#   debug2
 					#   debug1
 					#   log
 					#   notice
 					#   warning
 					#   error
 #search_path = '"$user", public'	# schema names
 #row_security = on
 #default_tablespace = ''		# a tablespace name, '' uses the default
 #temp_tablespaces = ''			# a list of tablespace names, '' uses
 					# only default tablespace
 #default_table_access_method = 'heap'
 #check_function_bodies = on
 #default_transaction_isolation = 'read committed'
 #default_transaction_read_only = off
 #default_transaction_deferrable = off
 #session_replication_role = 'origin'
 #statement_timeout = 0			# in milliseconds, 0 is disabled
 #lock_timeout = 0			# in milliseconds, 0 is disabled
 #idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled
 #vacuum_freeze_min_age = 50000000
 #vacuum_freeze_table_age = 150000000
 #vacuum_multixact_freeze_min_age = 5000000
 #vacuum_multixact_freeze_table_age = 150000000
 #vacuum_cleanup_index_scale_factor = 0.1	# fraction of total number of tuples
 						# before index cleanup, 0 always performs
 						# index cleanup
 #bytea_output = 'hex'			# hex, escape
 #xmlbinary = 'base64'
 #xmloption = 'content'
 #gin_fuzzy_search_limit = 0
 #gin_pending_list_limit = 4MB
 # - Locale and Formatting -
 #datestyle = 'iso, mdy'
 #intervalstyle = 'postgres'
 #timezone = 'GMT'
 #timezone_abbreviations = 'Default'     # Select the set of available time zone
 					# abbreviations.  Currently, there are
 					#   Default
 					#   Australia (historical usage)
 					#   India
 					# You can create your own file in
 					# share/timezonesets/.
 #extra_float_digits = 1			# min -15, max 3; any value >0 actually
 					# selects precise output mode
 #client_encoding = sql_ascii		# actually, defaults to database
 					# encoding
 # These settings are initialized by initdb, but they can be changed.
 #lc_messages = 'C'			# locale for system error message
 					# strings
 #lc_monetary = 'C'			# locale for monetary formatting
 #lc_numeric = 'C'			# locale for number formatting
 #lc_time = 'C'				# locale for time formatting
 # default configuration for text search
 #default_text_search_config = 'pg_catalog.simple'
 # - Shared Library Preloading -
 #shared_preload_libraries = ''	# (change requires restart)
 #local_preload_libraries = ''
 #session_preload_libraries = ''
 #jit_provider = 'llvmjit'		# JIT library to use
 # - Other Defaults -
 #dynamic_library_path = '$libdir'
 #------------------------------------------------------------------------------
 # LOCK MANAGEMENT
 #------------------------------------------------------------------------------
 #deadlock_timeout = 1s
 #max_locks_per_transaction = 64		# min 10
 					# (change requires restart)
 #max_pred_locks_per_transaction = 64	# min 10
 					# (change requires restart)
 #max_pred_locks_per_relation = -2	# negative values mean
 					# (max_pred_locks_per_transaction
 					#  / -max_pred_locks_per_relation) - 1
 #max_pred_locks_per_page = 2            # min 0
 #------------------------------------------------------------------------------
 # VERSION AND PLATFORM COMPATIBILITY
 #------------------------------------------------------------------------------
 # - Previous PostgreSQL Versions -
 #array_nulls = on
 #backslash_quote = safe_encoding	# on, off, or safe_encoding
 #escape_string_warning = on
 #lo_compat_privileges = off
 #operator_precedence_warning = off
 #quote_all_identifiers = off
 #standard_conforming_strings = on
 #synchronize_seqscans = on
 # - Other Platforms and Clients -
 #transform_null_equals = off
 #------------------------------------------------------------------------------
 # ERROR HANDLING
 #------------------------------------------------------------------------------
 #exit_on_error = off			# terminate session on any error?
 #restart_after_crash = on		# reinitialize after backend crash?
 #data_sync_retry = off			# retry or panic on failure to fsync
 					# data?
 					# (change requires restart)
 #------------------------------------------------------------------------------
 # CONFIG FILE INCLUDES
 #------------------------------------------------------------------------------
 # These options allow settings to be loaded from files other than the
 # default postgresql.conf.  Note that these are directives, not variable
 # assignments, so they can usefully be given more than once.
 #include_dir = '...'			# include files ending in '.conf' from
 					# a directory, e.g., 'conf.d'
 #include_if_exists = '...'		# include file only if it exists
 #include = '...'			# include file
 #------------------------------------------------------------------------------
 # CUSTOMIZED OPTIONS
 #------------------------------------------------------------------------------
 # Add settings for extensions here
--- a/molecule/quarkus_ha_26.4_below/prepare.yml
+++ b/molecule/quarkus_ha_26.4_below/prepare.yml
@@ -0,0 +1,48 @@
 ---
 - name: Prepare
  hosts: keycloak
  vars_files:
    - ../group_vars/all/vars.yml
  tasks:
    - name: "Display hera_home if defined."
      ansible.builtin.set_fact:
        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
    - name: "Ensure common prepare phase are set."
      ansible.builtin.include_tasks: ../prepare.yml
    - name: Create certificate request
      ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
      args:
        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      changed_when: False
    - name: Create vault directory
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      ansible.builtin.file:
        state: directory
        path: "/opt/keycloak/vault"
        mode: 0755
    - name: Make sure a jre is available (for keytool to prepare keystore)
      delegate_to: localhost
      ansible.builtin.package:
        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
        state: present
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      failed_when: false
    - name: Create vault keystore
      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
      delegate_to: localhost
      register: keytool_cmd
      changed_when: False
      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
    - name: Copy certificates and vault
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      ansible.builtin.copy:
        src: keystore.p12
        dest: /opt/keycloak/vault/keystore.p12
        mode: 0444
--- a/molecule/quarkus_ha_26.4_below/roles
+++ b/molecule/quarkus_ha_26.4_below/roles
@@ -0,0 +1 @@
 ../../roles
--- a/molecule/quarkus_ha_26.4_below/verify.yml
+++ b/molecule/quarkus_ha_26.4_below/verify.yml
@@ -0,0 +1,31 @@
 ---
 - name: Verify
  hosts: keycloak
  vars_files:
    - ../group_vars/all/vars.yml
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
    - name: Check if keycloak service started
      ansible.builtin.assert:
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
        fail_msg: "Service not running"
    - name: Set internal envvar
      ansible.builtin.set_fact:
        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
    - name: Check log file
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      ansible.builtin.stat:
        path: /var/log/keycloak/keycloak.log
      register: keycloak_log_file
    - name: Check if keycloak file exists
      ansible.builtin.assert:
        that:
          - keycloak_log_file.stat.exists
          - not keycloak_log_file.stat.isdir
--- a/molecule/quarkus_ha_remote/converge.yml
+++ b/molecule/quarkus_ha_remote/converge.yml
@@ -0,0 +1,63 @@
 ---
 - name: Converge
  hosts: infinispan
  vars_files:
    - ../group_vars/all/vars.yml
  vars:
    ansible_become: "{{ keycloak_install_requires_become | default(true) }}"
  roles:
    - role: middleware_automation.infinispan.infinispan
      infinispan_service_name: infinispan
      infinispan_supervisor_password: remembertochangeme
      infinispan_keycloak_caches: true
      infinispan_keycloak_persistence: False
      infinispan_jdbc_engine: postgres
      infinispan_jdbc_url: jdbc:postgresql://postgres:5432/keycloak
      infinispan_jdbc_driver_version: 9.4.1212
      infinispan_jdbc_user: keycloak
      infinispan_jdbc_pass: mysecretpass
      infinispan_bind_address: "{{ ansible_default_ipv4.address }}"
      infinispan_users:
        - { name: 'testuser', password: 'test', roles: 'observer' }
 - name: Converge
  hosts: keycloak
  vars_files:
    - ../group_vars/all/vars.yml
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
    keycloak_quarkus_log: file
    keycloak_quarkus_log_level: info
    keycloak_quarkus_https_key_file_enabled: true
    keycloak_quarkus_key_file_copy_enabled: true
    keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}"
    keycloak_quarkus_cert_file_copy_enabled: true
    keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem"
    keycloak_quarkus_ks_vault_enabled: true
    keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
    keycloak_quarkus_ks_vault_pass: keystorepassword
    keycloak_quarkus_systemd_wait_for_port: true
    keycloak_quarkus_systemd_wait_for_timeout: 20
    keycloak_quarkus_systemd_wait_for_delay: 2
    keycloak_quarkus_systemd_wait_for_log: true
    keycloak_quarkus_ha_enabled: true
    keycloak_quarkus_restart_strategy: restart/serial.yml
    keycloak_quarkus_db_user: keycloak
    keycloak_quarkus_db_pass: mysecretpass
    keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
    keycloak_quarkus_cache_remote: true
    keycloak_quarkus_cache_remote_username: supervisor
    keycloak_quarkus_cache_remote_password: remembertochangeme
    keycloak_quarkus_cache_remote_host: "infinispan1"
    keycloak_quarkus_cache_remote_port: 11222
    keycloak_quarkus_cache_remote_tls_enabled: false
    keycloak_quarkus_additional_env_vars:
      - key: KC_FEATURES
        value: clusterless
      - key: KC_FEATURES_DISABLED
        value: persistent-user-sessions
  roles:
    - role: keycloak_quarkus
--- a/molecule/quarkus_ha_remote/molecule.yml
+++ b/molecule/quarkus_ha_remote/molecule.yml
@@ -0,0 +1,80 @@
 ---
 driver:
  name: docker
 platforms:
  - name: keycloak1
    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
    groups:
      - keycloak
    networks:
      - name: rhbk
    port_bindings:
      - "8080/tcp"
      - "8443/tcp"
      - "9000/tcp"
  - name: infinispan1
    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
    groups:
      - infinispan
    networks:
      - name: rhbk
    port_bindings:
      - "11222/tcp"
  - name: postgres
    image: ubuntu/postgres:14-22.04_beta
    pre_build_image: true
    privileged: true
    command: postgres
    groups:
      - database
    networks:
      - name: rhbk
    port_bindings:
      - "5432/tcp"
    mounts:
      - type: bind
        target: /etc/postgresql/postgresql.conf
        source: ${MOLECULE_PROJECT_DIRECTORY}/molecule/quarkus_ha/postgresql/postgresql.conf
    env:
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: mysecretpass
      POSTGRES_DB: keycloak
      POSTGRES_HOST_AUTH_METHOD: trust
 provisioner:
  name: ansible
  config_options:
    defaults:
      interpreter_python: auto_silent
    ssh_connection:
      pipelining: false
  playbooks:
    prepare: prepare.yml
    converge: converge.yml
    verify: verify.yml
  inventory:
    host_vars:
      localhost:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
    PYTHONHTTPSVERIFY: 0
 verifier:
  name: ansible
 scenario:
  test_sequence:
    - cleanup
    - destroy
    - create
    - prepare
    - converge
    - idempotence
    - side_effect
    - verify
    - cleanup
    - destroy
--- a/molecule/quarkus_ha_remote/postgresql/postgresql.conf
+++ b/molecule/quarkus_ha_remote/postgresql/postgresql.conf
@@ -0,0 +1,750 @@
 # -----------------------------
 # PostgreSQL configuration file
 # -----------------------------
 #
 # This file consists of lines of the form:
 #
 #   name = value
 #
 # (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
 # "#" anywhere on a line.  The complete list of parameter names and allowed
 # values can be found in the PostgreSQL documentation.
 #
 # The commented-out settings shown in this file represent the default values.
 # Re-commenting a setting is NOT sufficient to revert it to the default value;
 # you need to reload the server.
 #
 # This file is read on server startup and when the server receives a SIGHUP
 # signal.  If you edit the file on a running system, you have to SIGHUP the
 # server for the changes to take effect, run "pg_ctl reload", or execute
 # "SELECT pg_reload_conf()".  Some parameters, which are marked below,
 # require a server shutdown and restart to take effect.
 #
 # Any parameter can also be given as a command-line option to the server, e.g.,
 # "postgres -c log_connections=on".  Some parameters can be changed at run time
 # with the "SET" SQL command.
 #
 # Memory units:  kB = kilobytes        Time units:  ms  = milliseconds
 #                MB = megabytes                     s   = seconds
 #                GB = gigabytes                     min = minutes
 #                TB = terabytes                     h   = hours
 #                                                   d   = days
 #------------------------------------------------------------------------------
 # FILE LOCATIONS
 #------------------------------------------------------------------------------
 # The default values of these variables are driven from the -D command-line
 # option or PGDATA environment variable, represented here as ConfigDir.
 #data_directory = 'ConfigDir'		# use data in another directory
 					# (change requires restart)
 #hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file
 					# (change requires restart)
 #ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file
 					# (change requires restart)
 # If external_pid_file is not explicitly set, no extra PID file is written.
 #external_pid_file = ''			# write an extra PID file
 					# (change requires restart)
 #------------------------------------------------------------------------------
 # CONNECTIONS AND AUTHENTICATION
 #------------------------------------------------------------------------------
 # - Connection Settings -
 listen_addresses = '*'		# what IP address(es) to listen on;
 					# comma-separated list of addresses;
 					# defaults to 'localhost'; use '*' for all
 					# (change requires restart)
 #port = 5432				# (change requires restart)
 #max_connections = 100			# (change requires restart)
 #superuser_reserved_connections = 3	# (change requires restart)
 #unix_socket_directories = '/tmp'	# comma-separated list of directories
 					# (change requires restart)
 #unix_socket_group = ''			# (change requires restart)
 #unix_socket_permissions = 0777		# begin with 0 to use octal notation
 					# (change requires restart)
 #bonjour = off				# advertise server via Bonjour
 					# (change requires restart)
 #bonjour_name = ''			# defaults to the computer name
 					# (change requires restart)
 # - TCP settings -
 # see "man 7 tcp" for details
 #tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds;
 					# 0 selects the system default
 #tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds;
 					# 0 selects the system default
 #tcp_keepalives_count = 0		# TCP_KEEPCNT;
 					# 0 selects the system default
 #tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds;
 					# 0 selects the system default
 # - Authentication -
 #authentication_timeout = 1min		# 1s-600s
 #password_encryption = md5		# md5 or scram-sha-256
 #db_user_namespace = off
 # GSSAPI using Kerberos
 #krb_server_keyfile = ''
 #krb_caseins_users = off
 # - SSL -
 #ssl = off
 #ssl_ca_file = ''
 #ssl_cert_file = 'server.crt'
 #ssl_crl_file = ''
 #ssl_key_file = 'server.key'
 #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
 #ssl_prefer_server_ciphers = on
 #ssl_ecdh_curve = 'prime256v1'
 #ssl_min_protocol_version = 'TLSv1'
 #ssl_max_protocol_version = ''
 #ssl_dh_params_file = ''
 #ssl_passphrase_command = ''
 #ssl_passphrase_command_supports_reload = off
 #------------------------------------------------------------------------------
 # RESOURCE USAGE (except WAL)
 #------------------------------------------------------------------------------
 # - Memory -
 #shared_buffers = 32MB			# min 128kB
 					# (change requires restart)
 #huge_pages = try			# on, off, or try
 					# (change requires restart)
 #temp_buffers = 8MB			# min 800kB
 #max_prepared_transactions = 0		# zero disables the feature
 					# (change requires restart)
 # Caution: it is not advisable to set max_prepared_transactions nonzero unless
 # you actively intend to use prepared transactions.
 #work_mem = 4MB				# min 64kB
 #maintenance_work_mem = 64MB		# min 1MB
 #autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem
 #max_stack_depth = 2MB			# min 100kB
 #shared_memory_type = mmap		# the default is the first option
 					# supported by the operating system:
 					#   mmap
 					#   sysv
 					#   windows
 					# (change requires restart)
 #dynamic_shared_memory_type = posix	# the default is the first option
 					# supported by the operating system:
 					#   posix
 					#   sysv
 					#   windows
 					#   mmap
 					# (change requires restart)
 # - Disk -
 #temp_file_limit = -1			# limits per-process temp file space
 					# in kB, or -1 for no limit
 # - Kernel Resources -
 #max_files_per_process = 1000		# min 25
 					# (change requires restart)
 # - Cost-Based Vacuum Delay -
 #vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables)
 #vacuum_cost_page_hit = 1		# 0-10000 credits
 #vacuum_cost_page_miss = 10		# 0-10000 credits
 #vacuum_cost_page_dirty = 20		# 0-10000 credits
 #vacuum_cost_limit = 200		# 1-10000 credits
 # - Background Writer -
 #bgwriter_delay = 200ms			# 10-10000ms between rounds
 #bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables
 #bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round
 #bgwriter_flush_after = 0		# measured in pages, 0 disables
 # - Asynchronous Behavior -
 #effective_io_concurrency = 1		# 1-1000; 0 disables prefetching
 #max_worker_processes = 8		# (change requires restart)
 #max_parallel_maintenance_workers = 2	# taken from max_parallel_workers
 #max_parallel_workers_per_gather = 2	# taken from max_parallel_workers
 #parallel_leader_participation = on
 #max_parallel_workers = 8		# maximum number of max_worker_processes that
 					# can be used in parallel operations
 #old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate
 					# (change requires restart)
 #backend_flush_after = 0		# measured in pages, 0 disables
 #------------------------------------------------------------------------------
 # WRITE-AHEAD LOG
 #------------------------------------------------------------------------------
 # - Settings -
 #wal_level = replica			# minimal, replica, or logical
 					# (change requires restart)
 #fsync = on				# flush data to disk for crash safety
 					# (turning this off can cause
 					# unrecoverable data corruption)
 #synchronous_commit = on		# synchronization level;
 					# off, local, remote_write, remote_apply, or on
 #wal_sync_method = fsync		# the default is the first option
 					# supported by the operating system:
 					#   open_datasync
 					#   fdatasync (default on Linux)
 					#   fsync
 					#   fsync_writethrough
 					#   open_sync
 #full_page_writes = on			# recover from partial page writes
 #wal_compression = off			# enable compression of full-page writes
 #wal_log_hints = off			# also do full page writes of non-critical updates
 					# (change requires restart)
 #wal_init_zero = on			# zero-fill new WAL files
 #wal_recycle = on			# recycle WAL files
 #wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
 					# (change requires restart)
 #wal_writer_delay = 200ms		# 1-10000 milliseconds
 #wal_writer_flush_after = 1MB		# measured in pages, 0 disables
 #commit_delay = 0			# range 0-100000, in microseconds
 #commit_siblings = 5			# range 1-1000
 # - Checkpoints -
 #checkpoint_timeout = 5min		# range 30s-1d
 #max_wal_size = 1GB
 #min_wal_size = 80MB
 #checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0
 #checkpoint_flush_after = 0		# measured in pages, 0 disables
 #checkpoint_warning = 30s		# 0 disables
 # - Archiving -
 #archive_mode = off		# enables archiving; off, on, or always
 				# (change requires restart)
 #archive_command = ''		# command to use to archive a logfile segment
 				# placeholders: %p = path of file to archive
 				#               %f = file name only
 				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
 #archive_timeout = 0		# force a logfile segment switch after this
 				# number of seconds; 0 disables
 # - Archive Recovery -
 # These are only used in recovery mode.
 #restore_command = ''		# command to use to restore an archived logfile segment
 				# placeholders: %p = path of file to restore
 				#               %f = file name only
 				# e.g. 'cp /mnt/server/archivedir/%f %p'
 				# (change requires restart)
 #archive_cleanup_command = ''	# command to execute at every restartpoint
 #recovery_end_command = ''	# command to execute at completion of recovery
 # - Recovery Target -
 # Set these only when performing a targeted recovery.
 #recovery_target = ''		# 'immediate' to end recovery as soon as a
                                # consistent state is reached
 				# (change requires restart)
 #recovery_target_name = ''	# the named restore point to which recovery will proceed
 				# (change requires restart)
 #recovery_target_time = ''	# the time stamp up to which recovery will proceed
 				# (change requires restart)
 #recovery_target_xid = ''	# the transaction ID up to which recovery will proceed
 				# (change requires restart)
 #recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed
 				# (change requires restart)
 #recovery_target_inclusive = on # Specifies whether to stop:
 				# just after the specified recovery target (on)
 				# just before the recovery target (off)
 				# (change requires restart)
 #recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID
 				# (change requires restart)
 #recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown'
 				# (change requires restart)
 #------------------------------------------------------------------------------
 # REPLICATION
 #------------------------------------------------------------------------------
 # - Sending Servers -
 # Set these on the master and on any standby that will send replication data.
 #max_wal_senders = 10		# max number of walsender processes
 				# (change requires restart)
 #wal_keep_segments = 0		# in logfile segments; 0 disables
 #wal_sender_timeout = 60s	# in milliseconds; 0 disables
 #max_replication_slots = 10	# max number of replication slots
 				# (change requires restart)
 #track_commit_timestamp = off	# collect timestamp of transaction commit
 				# (change requires restart)
 # - Master Server -
 # These settings are ignored on a standby server.
 #synchronous_standby_names = ''	# standby servers that provide sync rep
 				# method to choose sync standbys, number of sync standbys,
 				# and comma-separated list of application_name
 				# from standby(s); '*' = all
 #vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed
 # - Standby Servers -
 # These settings are ignored on a master server.
 #primary_conninfo = ''			# connection string to sending server
 					# (change requires restart)
 #primary_slot_name = ''			# replication slot on sending server
 					# (change requires restart)
 #promote_trigger_file = ''		# file name whose presence ends recovery
 #hot_standby = on			# "off" disallows queries during recovery
 					# (change requires restart)
 #max_standby_archive_delay = 30s	# max delay before canceling queries
 					# when reading WAL from archive;
 					# -1 allows indefinite delay
 #max_standby_streaming_delay = 30s	# max delay before canceling queries
 					# when reading streaming WAL;
 					# -1 allows indefinite delay
 #wal_receiver_status_interval = 10s	# send replies at least this often
 					# 0 disables
 #hot_standby_feedback = off		# send info from standby to prevent
 					# query conflicts
 #wal_receiver_timeout = 60s		# time that receiver waits for
 					# communication from master
 					# in milliseconds; 0 disables
 #wal_retrieve_retry_interval = 5s	# time to wait before retrying to
 					# retrieve WAL after a failed attempt
 #recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery
 # - Subscribers -
 # These settings are ignored on a publisher.
 #max_logical_replication_workers = 4	# taken from max_worker_processes
 					# (change requires restart)
 #max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers
 #------------------------------------------------------------------------------
 # QUERY TUNING
 #------------------------------------------------------------------------------
 # - Planner Method Configuration -
 #enable_bitmapscan = on
 #enable_hashagg = on
 #enable_hashjoin = on
 #enable_indexscan = on
 #enable_indexonlyscan = on
 #enable_material = on
 #enable_mergejoin = on
 #enable_nestloop = on
 #enable_parallel_append = on
 #enable_seqscan = on
 #enable_sort = on
 #enable_tidscan = on
 #enable_partitionwise_join = off
 #enable_partitionwise_aggregate = off
 #enable_parallel_hash = on
 #enable_partition_pruning = on
 # - Planner Cost Constants -
 #seq_page_cost = 1.0			# measured on an arbitrary scale
 #random_page_cost = 4.0			# same scale as above
 #cpu_tuple_cost = 0.01			# same scale as above
 #cpu_index_tuple_cost = 0.005		# same scale as above
 #cpu_operator_cost = 0.0025		# same scale as above
 #parallel_tuple_cost = 0.1		# same scale as above
 #parallel_setup_cost = 1000.0	# same scale as above
 #jit_above_cost = 100000		# perform JIT compilation if available
 					# and query more expensive than this;
 					# -1 disables
 #jit_inline_above_cost = 500000		# inline small functions if query is
 					# more expensive than this; -1 disables
 #jit_optimize_above_cost = 500000	# use expensive JIT optimizations if
 					# query is more expensive than this;
 					# -1 disables
 #min_parallel_table_scan_size = 8MB
 #min_parallel_index_scan_size = 512kB
 #effective_cache_size = 4GB
 # - Genetic Query Optimizer -
 #geqo = on
 #geqo_threshold = 12
 #geqo_effort = 5			# range 1-10
 #geqo_pool_size = 0			# selects default based on effort
 #geqo_generations = 0			# selects default based on effort
 #geqo_selection_bias = 2.0		# range 1.5-2.0
 #geqo_seed = 0.0			# range 0.0-1.0
 # - Other Planner Options -
 #default_statistics_target = 100	# range 1-10000
 #constraint_exclusion = partition	# on, off, or partition
 #cursor_tuple_fraction = 0.1		# range 0.0-1.0
 #from_collapse_limit = 8
 #join_collapse_limit = 8		# 1 disables collapsing of explicit
 					# JOIN clauses
 #force_parallel_mode = off
 #jit = on				# allow JIT compilation
 #plan_cache_mode = auto			# auto, force_generic_plan or
 					# force_custom_plan
 #------------------------------------------------------------------------------
 # REPORTING AND LOGGING
 #------------------------------------------------------------------------------
 # - Where to Log -
 #log_destination = 'stderr'		# Valid values are combinations of
 					# stderr, csvlog, syslog, and eventlog,
 					# depending on platform.  csvlog
 					# requires logging_collector to be on.
 # This is used when logging to stderr:
 #logging_collector = off		# Enable capturing of stderr and csvlog
 					# into log files. Required to be on for
 					# csvlogs.
 					# (change requires restart)
 # These are only used if logging_collector is on:
 #log_directory = 'log'			# directory where log files are written,
 					# can be absolute or relative to PGDATA
 #log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'	# log file name pattern,
 					# can include strftime() escapes
 #log_file_mode = 0600			# creation mode for log files,
 					# begin with 0 to use octal notation
 #log_truncate_on_rotation = off		# If on, an existing log file with the
 					# same name as the new log file will be
 					# truncated rather than appended to.
 					# But such truncation only occurs on
 					# time-driven rotation, not on restarts
 					# or size-driven rotation.  Default is
 					# off, meaning append to existing files
 					# in all cases.
 #log_rotation_age = 1d			# Automatic rotation of logfiles will
 					# happen after that time.  0 disables.
 #log_rotation_size = 10MB		# Automatic rotation of logfiles will
 					# happen after that much log output.
 					# 0 disables.
 # These are relevant when logging to syslog:
 #syslog_facility = 'LOCAL0'
 #syslog_ident = 'postgres'
 #syslog_sequence_numbers = on
 #syslog_split_messages = on
 # This is only relevant when logging to eventlog (win32):
 # (change requires restart)
 #event_source = 'PostgreSQL'
 # - When to Log -
 #log_min_messages = warning		# values in order of decreasing detail:
 					#   debug5
 					#   debug4
 					#   debug3
 					#   debug2
 					#   debug1
 					#   info
 					#   notice
 					#   warning
 					#   error
 					#   log
 					#   fatal
 					#   panic
 #log_min_error_statement = error	# values in order of decreasing detail:
 					#   debug5
 					#   debug4
 					#   debug3
 					#   debug2
 					#   debug1
 					#   info
 					#   notice
 					#   warning
 					#   error
 					#   log
 					#   fatal
 					#   panic (effectively off)
 #log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements
 					# and their durations, > 0 logs only
 					# statements running at least this number
 					# of milliseconds
 #log_transaction_sample_rate = 0.0	# Fraction of transactions whose statements
 					# are logged regardless of their duration. 1.0 logs all
 					# statements from all transactions, 0.0 never logs.
 # - What to Log -
 #debug_print_parse = off
 #debug_print_rewritten = off
 #debug_print_plan = off
 #debug_pretty_print = on
 #log_checkpoints = off
 #log_connections = off
 #log_disconnections = off
 #log_duration = off
 #log_error_verbosity = default		# terse, default, or verbose messages
 #log_hostname = off
 #log_line_prefix = '%m [%p] '		# special values:
 					#   %a = application name
 					#   %u = user name
 					#   %d = database name
 					#   %r = remote host and port
 					#   %h = remote host
 					#   %p = process ID
 					#   %t = timestamp without milliseconds
 					#   %m = timestamp with milliseconds
 					#   %n = timestamp with milliseconds (as a Unix epoch)
 					#   %i = command tag
 					#   %e = SQL state
 					#   %c = session ID
 					#   %l = session line number
 					#   %s = session start timestamp
 					#   %v = virtual transaction ID
 					#   %x = transaction ID (0 if none)
 					#   %q = stop here in non-session
 					#        processes
 					#   %% = '%'
 					# e.g. '<%u%%%d> '
 #log_lock_waits = off			# log lock waits >= deadlock_timeout
 #log_statement = 'none'			# none, ddl, mod, all
 #log_replication_commands = off
 #log_temp_files = -1			# log temporary files equal or larger
 					# than the specified size in kilobytes;
 					# -1 disables, 0 logs all temp files
 #log_timezone = 'GMT'
 #------------------------------------------------------------------------------
 # PROCESS TITLE
 #------------------------------------------------------------------------------
 #cluster_name = ''			# added to process titles if nonempty
 					# (change requires restart)
 #update_process_title = on
 #------------------------------------------------------------------------------
 # STATISTICS
 #------------------------------------------------------------------------------
 # - Query and Index Statistics Collector -
 #track_activities = on
 #track_counts = on
 #track_io_timing = off
 #track_functions = none			# none, pl, all
 #track_activity_query_size = 1024	# (change requires restart)
 #stats_temp_directory = 'pg_stat_tmp'
 # - Monitoring -
 #log_parser_stats = off
 #log_planner_stats = off
 #log_executor_stats = off
 #log_statement_stats = off
 #------------------------------------------------------------------------------
 # AUTOVACUUM
 #------------------------------------------------------------------------------
 #autovacuum = on			# Enable autovacuum subprocess?  'on'
 					# requires track_counts to also be on.
 #log_autovacuum_min_duration = -1	# -1 disables, 0 logs all actions and
 					# their durations, > 0 logs only
 					# actions running at least this number
 					# of milliseconds.
 #autovacuum_max_workers = 3		# max number of autovacuum subprocesses
 					# (change requires restart)
 #autovacuum_naptime = 1min		# time between autovacuum runs
 #autovacuum_vacuum_threshold = 50	# min number of row updates before
 					# vacuum
 #autovacuum_analyze_threshold = 50	# min number of row updates before
 					# analyze
 #autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum
 #autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze
 #autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum
 					# (change requires restart)
 #autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age
 					# before forced vacuum
 					# (change requires restart)
 #autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for
 					# autovacuum, in milliseconds;
 					# -1 means use vacuum_cost_delay
 #autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for
 					# autovacuum, -1 means use
 					# vacuum_cost_limit
 #------------------------------------------------------------------------------
 # CLIENT CONNECTION DEFAULTS
 #------------------------------------------------------------------------------
 # - Statement Behavior -
 #client_min_messages = notice		# values in order of decreasing detail:
 					#   debug5
 					#   debug4
 					#   debug3
 					#   debug2
 					#   debug1
 					#   log
 					#   notice
 					#   warning
 					#   error
 #search_path = '"$user", public'	# schema names
 #row_security = on
 #default_tablespace = ''		# a tablespace name, '' uses the default
 #temp_tablespaces = ''			# a list of tablespace names, '' uses
 					# only default tablespace
 #default_table_access_method = 'heap'
 #check_function_bodies = on
 #default_transaction_isolation = 'read committed'
 #default_transaction_read_only = off
 #default_transaction_deferrable = off
 #session_replication_role = 'origin'
 #statement_timeout = 0			# in milliseconds, 0 is disabled
 #lock_timeout = 0			# in milliseconds, 0 is disabled
 #idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled
 #vacuum_freeze_min_age = 50000000
 #vacuum_freeze_table_age = 150000000
 #vacuum_multixact_freeze_min_age = 5000000
 #vacuum_multixact_freeze_table_age = 150000000
 #vacuum_cleanup_index_scale_factor = 0.1	# fraction of total number of tuples
 						# before index cleanup, 0 always performs
 						# index cleanup
 #bytea_output = 'hex'			# hex, escape
 #xmlbinary = 'base64'
 #xmloption = 'content'
 #gin_fuzzy_search_limit = 0
 #gin_pending_list_limit = 4MB
 # - Locale and Formatting -
 #datestyle = 'iso, mdy'
 #intervalstyle = 'postgres'
 #timezone = 'GMT'
 #timezone_abbreviations = 'Default'     # Select the set of available time zone
 					# abbreviations.  Currently, there are
 					#   Default
 					#   Australia (historical usage)
 					#   India
 					# You can create your own file in
 					# share/timezonesets/.
 #extra_float_digits = 1			# min -15, max 3; any value >0 actually
 					# selects precise output mode
 #client_encoding = sql_ascii		# actually, defaults to database
 					# encoding
 # These settings are initialized by initdb, but they can be changed.
 #lc_messages = 'C'			# locale for system error message
 					# strings
 #lc_monetary = 'C'			# locale for monetary formatting
 #lc_numeric = 'C'			# locale for number formatting
 #lc_time = 'C'				# locale for time formatting
 # default configuration for text search
 #default_text_search_config = 'pg_catalog.simple'
 # - Shared Library Preloading -
 #shared_preload_libraries = ''	# (change requires restart)
 #local_preload_libraries = ''
 #session_preload_libraries = ''
 #jit_provider = 'llvmjit'		# JIT library to use
 # - Other Defaults -
 #dynamic_library_path = '$libdir'
 #------------------------------------------------------------------------------
 # LOCK MANAGEMENT
 #------------------------------------------------------------------------------
 #deadlock_timeout = 1s
 #max_locks_per_transaction = 64		# min 10
 					# (change requires restart)
 #max_pred_locks_per_transaction = 64	# min 10
 					# (change requires restart)
 #max_pred_locks_per_relation = -2	# negative values mean
 					# (max_pred_locks_per_transaction
 					#  / -max_pred_locks_per_relation) - 1
 #max_pred_locks_per_page = 2            # min 0
 #------------------------------------------------------------------------------
 # VERSION AND PLATFORM COMPATIBILITY
 #------------------------------------------------------------------------------
 # - Previous PostgreSQL Versions -
 #array_nulls = on
 #backslash_quote = safe_encoding	# on, off, or safe_encoding
 #escape_string_warning = on
 #lo_compat_privileges = off
 #operator_precedence_warning = off
 #quote_all_identifiers = off
 #standard_conforming_strings = on
 #synchronize_seqscans = on
 # - Other Platforms and Clients -
 #transform_null_equals = off
 #------------------------------------------------------------------------------
 # ERROR HANDLING
 #------------------------------------------------------------------------------
 #exit_on_error = off			# terminate session on any error?
 #restart_after_crash = on		# reinitialize after backend crash?
 #data_sync_retry = off			# retry or panic on failure to fsync
 					# data?
 					# (change requires restart)
 #------------------------------------------------------------------------------
 # CONFIG FILE INCLUDES
 #------------------------------------------------------------------------------
 # These options allow settings to be loaded from files other than the
 # default postgresql.conf.  Note that these are directives, not variable
 # assignments, so they can usefully be given more than once.
 #include_dir = '...'			# include files ending in '.conf' from
 					# a directory, e.g., 'conf.d'
 #include_if_exists = '...'		# include file only if it exists
 #include = '...'			# include file
 #------------------------------------------------------------------------------
 # CUSTOMIZED OPTIONS
 #------------------------------------------------------------------------------
 # Add settings for extensions here
--- a/molecule/quarkus_ha_remote/prepare.yml
+++ b/molecule/quarkus_ha_remote/prepare.yml
@@ -0,0 +1,50 @@
 ---
 - name: Prepare
  hosts: 'keycloak:infinispan'
  vars_files:
    - ../group_vars/all/vars.yml
  tasks:
    - name: "Display hera_home if defined."
      ansible.builtin.set_fact:
        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
    - name: "Ensure common prepare phase are set."
      ansible.builtin.include_tasks: ../prepare.yml
    - name: Create certificate request
      ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
      args:
        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      changed_when: False
    - name: Create vault directory
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      ansible.builtin.file:
        state: directory
        path: "/opt/keycloak/vault"
        mode: 0755
    - name: Make sure a jre is available (for keytool to prepare keystore)
      delegate_to: localhost
      ansible.builtin.package:
        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
        state: present
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      failed_when: false
    - name: Create vault keystore
      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
      args:
        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      register: keytool_cmd
      changed_when: False
      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
    - name: Copy certificates and vault
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      ansible.builtin.copy:
        src: keystore.p12
        dest: /opt/keycloak/vault/keystore.p12
        mode: 0444
--- a/molecule/quarkus_ha_remote/roles
+++ b/molecule/quarkus_ha_remote/roles
@@ -0,0 +1 @@
 ../../roles
--- a/molecule/quarkus_ha_remote/verify.yml
+++ b/molecule/quarkus_ha_remote/verify.yml
@@ -0,0 +1,31 @@
 ---
 - name: Verify
  hosts: keycloak
  vars_files:
    - ../group_vars/all/vars.yml
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
    - name: Check if keycloak service started
      ansible.builtin.assert:
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
        fail_msg: "Service not running"
    - name: Set internal envvar
      ansible.builtin.set_fact:
        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
    - name: Check log file
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
      ansible.builtin.stat:
        path: /var/log/keycloak/keycloak.log
      register: keycloak_log_file
    - name: Check if keycloak file exists
      ansible.builtin.assert:
        that:
          - keycloak_log_file.stat.exists
          - not keycloak_log_file.stat.isdir
--- a/molecule/quarkus_upgrade/converge.yml
+++ b/molecule/quarkus_upgrade/converge.yml
@@ -0,0 +1,14 @@
 ---
 - name: Converge
  hosts: all
  vars_files:
    - ../group_vars/all/vars.yml
    - vars.yml
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
    keycloak_quarkus_additional_env_vars:
      - key: KC_FEATURES_DISABLED
        value: ciba,device-flow,impersonation,kerberos,docker
    keycloak_quarkus_version: 26.0.7
  roles:
    - role: keycloak_quarkus
--- a/molecule/quarkus_upgrade/molecule.yml
+++ b/molecule/quarkus_upgrade/molecule.yml
@@ -0,0 +1,49 @@
 ---
 dependency:
  name: galaxy
  options:
    requirements-file: molecule/requirements.yml
 driver:
  name: podman
 platforms:
  - name: instance
    image: registry.access.redhat.com/ubi9/ubi-init:latest
    command: "/usr/sbin/init"
    pre_build_image: true
    privileged: true
    port_bindings:
      - 8080:8080
      - "9000/tcp"
    published_ports:
      - 0.0.0.0:8080:8080/TCP
      - 0.0.0.0:9000:9000/TCP
 provisioner:
  name: ansible
  playbooks:
    prepare: prepare.yml
    converge: converge.yml
    verify: verify.yml
  inventory:
    host_vars:
      localhost:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
    PROXY: "${PROXY}"
    NO_PROXY: "${NO_PROXY}"
 verifier:
  name: ansible
 scenario:
  test_sequence:
    - dependency
    - cleanup
    - destroy
    - syntax
    - create
    - prepare
    - converge
    - idempotence
    - side_effect
    - verify
    - cleanup
    - destroy
--- a/molecule/quarkus_upgrade/prepare.yml
+++ b/molecule/quarkus_upgrade/prepare.yml
@@ -0,0 +1,59 @@
 ---
 - name: Prepare
  hosts: all
  vars_files:
    - ../group_vars/all/vars.yml
    - vars.yml
  vars:
    sudo_pkg_name: sudo
    keycloak_quarkus_version: 26.0.4
    keycloak_quarkus_additional_env_vars:
      - key: KC_FEATURES_DISABLED
        value: impersonation,kerberos
  pre_tasks:
    - name: Install sudo
      ansible.builtin.apt:
        name:
          - sudo
          - openjdk-17-jdk-headless
        state: present
      when:
        - ansible_facts.os_family == 'Debian'
    - name: "Ensure common prepare phase are set."
      ansible.builtin.include_tasks: ../prepare.yml
    - name: Display Ansible version
      ansible.builtin.debug:
        msg: "Ansible version is {{ ansible_version.full }}"
    - name: "Ensure {{ sudo_pkg_name }} is installed (if user is root)."
      ansible.builtin.dnf:
        name: "{{ sudo_pkg_name }}"
      when:
        - ansible_user_id == 'root'
    - name: Gather the package facts
      ansible.builtin.package_facts:
        manager: auto
    - name: "Check if {{ sudo_pkg_name }} is installed."
      ansible.builtin.assert:
        that:
          - sudo_pkg_name in ansible_facts.packages
    - name: Create certificate request
      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
      args:
        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      changed_when: false
  roles:
    - role: keycloak_quarkus
  post_tasks:
    - name: "Delete custom fact"
      ansible.builtin.file:
        path: /etc/ansible/facts.d/keycloak.fact
        state: absent
      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
--- a/molecule/quarkus_upgrade/roles
+++ b/molecule/quarkus_upgrade/roles
@@ -0,0 +1 @@
 ../../roles
--- a/molecule/quarkus_upgrade/vars.yml
+++ b/molecule/quarkus_upgrade/vars.yml
@@ -0,0 +1,13 @@
 ---
 keycloak_quarkus_offline_install: false
 keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
 keycloak_quarkus_realm: TestRealm
 keycloak_quarkus_hostname: http://instance:8080
 keycloak_quarkus_log: file
 keycloak_quarkus_https_key_file_enabled: true
 keycloak_quarkus_log_target: /tmp/keycloak
 keycloak_quarkus_hostname_strict: false
 keycloak_quarkus_cert_file_copy_enabled: true
 keycloak_quarkus_key_file_copy_enabled: true
 keycloak_quarkus_key_content: "{{ lookup('file', 'key.pem') }}"
 keycloak_quarkus_cert_file_src: cert.pem
--- a/molecule/quarkus_upgrade/verify.yml
+++ b/molecule/quarkus_upgrade/verify.yml
@@ -0,0 +1,31 @@
 ---
 - name: Verify
  hosts: instance
  vars:
    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
    keycloak_quarkus_port: http://localhost:8080
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
    - name: Check if keycloak service started
      ansible.builtin.assert:
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
    - name: Verify Java 21 runtime is installed (UBI/RHEL)
      ansible.builtin.command:
        cmd: rpm -q java-21-openjdk-headless
      changed_when: false
    - name: Verify token api call
      ansible.builtin.uri:
        url: "{{ keycloak_quarkus_port }}/realms/master/protocol/openid-connect/token"
        method: POST
        body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_bootstrap_admin_password }}&grant_type=password"
        validate_certs: no
      register: keycloak_auth_response
      until: keycloak_auth_response.status == 200
      retries: 45
      delay: 5
--- a/molecule/requirements.yml
+++ b/molecule/requirements.yml
@@ -0,0 +1,14 @@
 ---
 collections:
  - name: middleware_automation.common
  - name: middleware_automation.jbcs
  - name: middleware_automation.infinispan
  - name: community.general
  - name: ansible.posix
  - name: community.docker
    version: ">=3.8.0"
  - name: containers.podman
    version: ">=1.8.1"
 roles:
  - name: elan.simple_nginx_reverse_proxy
--- a/playbooks/keycloak.yml
+++ b/playbooks/keycloak.yml
@@ -3,7 +3,5 @@
  hosts: all
  vars:
    keycloak_admin_password: "remembertochangeme"
  collections:
    - middleware_automation.keycloak
  roles:
-    - keycloak
+    - middleware_automation.keycloak.keycloak
--- a/playbooks/keycloak_authentication_flow.yml
+++ b/playbooks/keycloak_authentication_flow.yml
@@ -0,0 +1,27 @@
 ---
 - name: Playbook for Keycloak Authentication Flow Configuration
  hosts: all
  vars:
    keycloak_admin_user: admin
    keycloak_admin_password: "remembertochangeme"
    keycloak_url: "http://localhost:8080"
    keycloak_realm: TestRealm
  tasks:
    - name: Create authentication flow with executions
      middleware_automation.keycloak.keycloak_authentication_flow:
        auth_keycloak_url: "{{ keycloak_url }}"
        auth_realm: master
        auth_username: "{{ keycloak_admin_user }}"
        auth_password: "{{ keycloak_admin_password }}"
        realm: "{{ keycloak_realm }}"
        alias: my-browser-flow
        description: "Custom browser authentication flow"
        provider_id: basic-flow
        executions:
          - provider_id: auth-cookie
            requirement: ALTERNATIVE
          - provider_id: auth-password
            requirement: REQUIRED
          - provider_id: auth-otp-form
            requirement: ALTERNATIVE
        state: present
--- a/playbooks/keycloak_client_scope.yml
+++ b/playbooks/keycloak_client_scope.yml
@@ -0,0 +1,48 @@
 ---
 - name: Playbook for Keycloak Client Scope Configuration
  hosts: all
  vars:
    keycloak_admin_user: admin
    keycloak_admin_password: "remembertochangeme"
    keycloak_url: "http://localhost:8080"
    keycloak_realm: TestRealm
  tasks:
    - name: Create client scope with protocol mappers
      middleware_automation.keycloak.keycloak_client_scope:
        auth_keycloak_url: "{{ keycloak_url }}"
        auth_realm: master
        auth_username: "{{ keycloak_admin_user }}"
        auth_password: "{{ keycloak_admin_password }}"
        realm: "{{ keycloak_realm }}"
        name: TestClientScope
        description: "Client scope created via Ansible"
        protocol: openid-connect
        protocol_mappers:
          - name: email
            protocolMapper: oidc-usermodel-attribute-mapper
            config:
              user.attribute: email
              claim.name: email
              jsonType.label: String
              id.token.claim: "true"
              access.token.claim: "true"
              userinfo.token.claim: "true"
          - name: firstName
            protocolMapper: oidc-usermodel-attribute-mapper
            config:
              user.attribute: firstName
              claim.name: given_name
              jsonType.label: String
              id.token.claim: "true"
              access.token.claim: "true"
              userinfo.token.claim: "true"
          - name: username
            protocolMapper: oidc-usermodel-attribute-mapper
            config:
              user.attribute: username
              claim.name: preferred_username
              jsonType.label: String
              id.token.claim: "true"
              access.token.claim: "true"
              userinfo.token.claim: "true"
        state: present
--- a/playbooks/keycloak_federation.yml
+++ b/playbooks/keycloak_federation.yml
@@ -0,0 +1,68 @@
 ---
 - name: Playbook for Keycloak Hosts
  hosts: all
  tasks:
    - name: Keycloak Realm Role
      ansible.builtin.include_role:
        name: keycloak_realm
      vars:
        keycloak_admin_password: "remembertochangeme"
        keycloak_realm: TestRealm
        keycloak_user_federation:
          - realm: TestRealm
            name: my-ldap
            provider_id: ldap
            provider_type: org.keycloak.storage.UserStorageProvider
            config:
              priority: '0'
              enabled: true
              cachePolicy: DEFAULT
              batchSizeForSync: '1000'
              editMode: READ_ONLY
              importEnabled: true
              syncRegistrations: false
              vendor: other
              usernameLDAPAttribute: uid
              rdnLDAPAttribute: uid
              uuidLDAPAttribute: entryUUID
              userObjectClasses: inetOrgPerson, organizationalPerson
              connectionUrl: ldaps://ldap.example.com:636
              usersDn: ou=Users,dc=example,dc=com
              authType: simple
              bindDn: cn=directory reader
              bindCredential: password
              searchScope: '1'
              validatePasswordPolicy: false
              trustEmail: false
              useTruststoreSpi: ldapsOnly
              connectionPooling: true
              pagination: true
              allowKerberosAuthentication: false
              debug: false
              useKerberosForPasswordAuthentication: false
            mappers:
              - name: "full name"
                providerId: "full-name-ldap-mapper"
                providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
                config:
                  ldap.full.name.attribute: cn
                  read.only: true
                  write.only: false
        keycloak_clients:
          - name: TestClient1
            client_id: TestClient1
            roles:
              - TestClient1Admin
              - TestClient1User
            realm: "{{ keycloak_realm }}"
            public_client: true
            web_origins:
              - http://testclient1origin/application
              - http://testclient1origin/other
            users:
              - username: TestUser
                password: password
                client_roles:
                  - client: TestClient1
                    role: TestClient1User
                    realm: "{{ keycloak_realm }}"
--- a/playbooks/keycloak_quarkus.yml
+++ b/playbooks/keycloak_quarkus.yml
@@ -1,15 +1,11 @@
 ---
- name: Playbook for Keycloak X Hosts
+- name: Playbook for Keycloak X Hosts with HTTPS enabled
  hosts: all
  vars:
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
-    keycloak_quarkus_host: localhost:8443
+    keycloak_quarkus_hostname: http://localhost
-    keycloak_quarkus_http_relative_path: ''
+    keycloak_quarkus_port: 8443
    keycloak_quarkus_log: file
-    keycloak_quarkus_https_enabled: True
+    keycloak_quarkus_proxy_mode: none
    keycloak_quarkus_key_file: conf/key.pem
    keycloak_quarkus_cert_file: conf/cert.pem
  collections:
    - middleware_automation.keycloak
  roles:
-    - keycloak_quarkus
+    - middleware_automation.keycloak.keycloak_quarkus
--- a/playbooks/keycloak_quarkus_dev.yml
+++ b/playbooks/keycloak_quarkus_dev.yml
@@ -0,0 +1,12 @@
 ---
 - name: Playbook for Keycloak X Hosts in develop mode
  hosts: all
  vars:
    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
    keycloak_quarkus_hostname: http://localhost
    keycloak_quarkus_port: 8080
    keycloak_quarkus_log: file
    keycloak_quarkus_start_dev: true
    keycloak_quarkus_proxy_mode: none
  roles:
    - middleware_automation.keycloak.keycloak_quarkus
--- a/playbooks/keycloak_realm.yml
+++ b/playbooks/keycloak_realm.yml
@@ -1,60 +1,16 @@
 ---
 - name: Playbook for Keycloak Hosts
  hosts: all
  tasks:
    - name: Keycloak Realm Role
      ansible.builtin.include_role:
        name: middleware_automation.keycloak.keycloak_realm
  vars:
    keycloak_admin_password: "remembertochangeme"
        keycloak_realm: TestRealm
        keycloak_user_federation:
          - realm: TestRealm
            name: my-ldap
            provider_id: ldap
            provider_type: org.keycloak.storage.UserStorageProvider
            config:
              priority: '0'
              enabled: true
              cachePolicy: DEFAULT
              batchSizeForSync: '1000'
              editMode: READ_ONLY
              importEnabled: true
              syncRegistrations: false
              vendor: other
              usernameLDAPAttribute: uid
              rdnLDAPAttribute: uid
              uuidLDAPAttribute: entryUUID
              userObjectClasses: inetOrgPerson, organizationalPerson
              connectionUrl: ldaps://ldap.example.com:636
              usersDn: ou=Users,dc=example,dc=com
              authType: simple
              bindDn: cn=directory reader
              bindCredential: password
              searchScope: '1'
              validatePasswordPolicy: false
              trustEmail: false
              useTruststoreSpi: ldapsOnly
              connectionPooling: true
              pagination: true
              allowKerberosAuthentication: false
              debug: false
              useKerberosForPasswordAuthentication: false
            mappers:
              - name: "full name"
                providerId: "full-name-ldap-mapper"
                providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
                config:
                  ldap.full.name.attribute: cn
                  read.only: true
                  write.only: false
    keycloak_clients:
      - name: TestClient1
        client_id: TestClient1
        roles:
          - TestClient1Admin
          - TestClient1User
-            realm: "{{ keycloak_realm }}"
+        realm: TestRealm
-            public_client: True
+        public_client: true
        web_origins:
          - http://testclient1origin/application
          - http://testclient1origin/other
@@ -64,4 +20,7 @@
            client_roles:
              - client: TestClient1
                role: TestClient1User
-                  realm: "{{ keycloak_realm }}"
+                realm: TestRealm
  roles:
    - role: middleware_automation.keycloak.keycloak_realm
      keycloak_realm: TestRealm
--- a/playbooks/keycloak_realm_client.yml
+++ b/playbooks/keycloak_realm_client.yml
@@ -0,0 +1,39 @@
 ---
 - name: Playbook for Keycloak Realm and Client Configuration
  hosts: all
  tasks:
    - name: Keycloak Realm Role
      ansible.builtin.include_role:
        name: middleware_automation.keycloak.keycloak_realm
      vars:
        keycloak_admin_password: "remembertochangeme"
        keycloak_realm: TestRealm
        keycloak_client_default_roles:
          - TestRoleAdmin
          - TestRoleUser
        keycloak_client_users:
          - username: TestUser
            password: password
            client_roles:
              - client: TestClient1
                role: TestRoleUser
                realm: TestRealm
          - username: TestAdmin
            password: password
            client_roles:
              - client: TestClient1
                role: TestRoleUser
                realm: TestRealm
              - client: TestClient1
                role: TestRoleAdmin
                realm: TestRealm
        keycloak_clients:
          - name: TestClient1
            client_id: TestClient1
            roles: "{{ keycloak_client_default_roles }}"
            realm: TestRealm
            public_client: true
            web_origins:
              - http://testclient1origin/application
              - http://testclient1origin/other
            users: "{{ keycloak_client_users }}"
--- a/playbooks/rhsso.yml
+++ b/playbooks/rhsso.yml
@@ -1,12 +1,8 @@
 ---
- name: Playbook for Keycloak Hosts
+- name: Playbook for Red Hat SSO Hosts
-  hosts: keycloak
+  hosts: sso
  vars:
    keycloak_admin_password: "remembertochangeme"
-    keycloak_rhsso_enable: True
+    sso_enable: true
  collections:
    - middleware_automation.redhat_csp_download
    - middleware_automation.keycloak
  roles:
    - middleware_automation.redhat_csp_download.redhat_csp_download
    - middleware_automation.keycloak.keycloak
--- a/plugins/doc_fragments/attributes.py
+++ b/plugins/doc_fragments/attributes.py
@@ -0,0 +1,93 @@
 # -*- coding: utf-8 -*-
 # Copyright (c) Ansible Project
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 # SPDX-License-Identifier: GPL-3.0-or-later
 from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type
 class ModuleDocFragment(object):
    # Standard documentation fragment
    DOCUMENTATION = r'''
 options: {}
 attributes:
    check_mode:
      description: Can run in C(check_mode) and return changed status prediction without modifying target.
    diff_mode:
      description: Will return details on what has changed (or possibly needs changing in C(check_mode)), when in diff mode.
 '''
    PLATFORM = r'''
 options: {}
 attributes:
    platform:
      description: Target OS/families that can be operated against.
      support: N/A
 '''
    # Should be used together with the standard fragment
    INFO_MODULE = r'''
 options: {}
 attributes:
    check_mode:
      support: full
      details:
        - This action does not modify state.
    diff_mode:
      support: N/A
      details:
        - This action does not modify state.
 '''
    CONN = r'''
 options: {}
 attributes:
    become:
      description: Is usable alongside C(become) keywords.
    connection:
      description: Uses the target's configured connection information to execute code on it.
    delegation:
      description: Can be used in conjunction with C(delegate_to) and related keywords.
 '''
    FACTS = r'''
 options: {}
 attributes:
    facts:
      description: Action returns an C(ansible_facts) dictionary that will update existing host facts.
 '''
    # Should be used together with the standard fragment and the FACTS fragment
    FACTS_MODULE = r'''
 options: {}
 attributes:
    check_mode:
      support: full
      details:
        - This action does not modify state.
    diff_mode:
      support: N/A
      details:
        - This action does not modify state.
    facts:
      support: full
 '''
    FILES = r'''
 options: {}
 attributes:
    safe_file_operations:
      description: Uses Ansible's strict file operation functions to ensure proper permissions and avoid data corruption.
 '''
    FLOW = r'''
 options: {}
 attributes:
    action:
      description: Indicates this has a corresponding action plugin so some parts of the options can be executed on the controller.
    async:
      description: Supports being used with the C(async) keyword.
 '''
--- a/plugins/doc_fragments/keycloak.py
+++ b/plugins/doc_fragments/keycloak.py
@@ -0,0 +1,78 @@
 # -*- coding: utf-8 -*-
 # Copyright (c) 2017, Eike Frost <ei@kefro.st>
 # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 # SPDX-License-Identifier: GPL-3.0-or-later
 from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type
 class ModuleDocFragment(object):
    # Standard documentation fragment
    DOCUMENTATION = r'''
 options:
    auth_keycloak_url:
        description:
            - URL to the Keycloak instance.
        type: str
        required: true
        aliases:
          - url
    auth_client_id:
        description:
            - OpenID Connect I(client_id) to authenticate to the API with.
        type: str
        default: admin-cli
    auth_realm:
        description:
            - Keycloak realm name to authenticate to for API access.
        type: str
    auth_client_secret:
        description:
            - Client Secret to use in conjunction with I(auth_client_id) (if required).
        type: str
    auth_username:
        description:
            - Username to authenticate for API access with.
        type: str
        aliases:
          - username
    auth_password:
        description:
            - Password to authenticate for API access with.
        type: str
        aliases:
          - password
    token:
        description:
            - Authentication token for Keycloak API.
        type: str
        version_added: 3.0.0
    validate_certs:
        description:
            - Verify TLS certificates (do not disable this in production).
        type: bool
        default: true
    connection_timeout:
        description:
            - Controls the HTTP connections timeout period (in seconds) to Keycloak API.
        type: int
        default: 10
        version_added: 4.5.0
    http_agent:
        description:
            - Configures the HTTP User-Agent header.
        type: str
        default: Ansible
        version_added: 5.4.0
 '''
--- a/plugins/module_utils/identity/keycloak/keycloak.py
+++ b/plugins/module_utils/identity/keycloak/keycloak.py
--- a/plugins/modules/keycloak_authentication_flow.py
+++ b/plugins/modules/keycloak_authentication_flow.py
@@ -0,0 +1,296 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 # Copyright (c) 2024, Contributors to the middleware_automation.keycloak collection
 # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 # SPDX-License-Identifier: GPL-3.0-or-later
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 DOCUMENTATION = '''
 ---
 module: keycloak_authentication_flow
 short_description: Allows administration of Keycloak authentication flows via Keycloak API
 description:
    - This module allows you to add, remove or modify Keycloak authentication flows via the Keycloak REST API.
      It requires access to the REST API via OpenID Connect; the user connecting and the client being
      used must have the requisite access rights. In a default Keycloak installation, admin-cli
      and an admin user would work, as would a separate client definition with the scope tailored
      to your needs and a user having the expected roles.
    - This module supports creating new top-level authentication flows, copying existing flows,
      and adding execution steps to a flow.
 attributes:
    check_mode:
        support: full
    diff_mode:
        support: full
 options:
    state:
        description:
            - State of the authentication flow.
            - On V(present), the flow will be created if it does not yet exist.
            - On V(absent), the flow will be removed if it exists.
        default: 'present'
        type: str
        choices:
            - present
            - absent
    alias:
        type: str
        required: true
        description:
            - Alias (name) of the authentication flow.
    description:
        type: str
        description:
            - Description of the authentication flow.
        default: ''
    realm:
        type: str
        description:
            - The Keycloak realm under which this authentication flow resides.
        default: 'master'
    provider_id:
        type: str
        description:
            - The provider ID for the flow.
        default: 'basic-flow'
        aliases:
            - providerId
    copy_from:
        type: str
        description:
            - If set, the new flow is created as a copy of the flow with this alias.
            - Cannot be used together with O(executions).
        aliases:
            - copyFrom
    executions:
        type: list
        elements: dict
        description:
            - A list of executions (authenticator steps) to add to the flow.
            - Each execution is a dict with keys C(provider_id) (or C(providerId)) and C(requirement).
            - Executions are only added when the flow is first created.
        default: []
        suboptions:
            provider_id:
                type: str
                required: true
                description:
                    - The authenticator provider ID (e.g. V(auth-cookie), V(auth-password), V(auth-otp-form)).
                aliases:
                    - providerId
            requirement:
                type: str
                required: true
                description:
                    - The requirement level for this execution.
                choices:
                    - REQUIRED
                    - ALTERNATIVE
                    - DISABLED
                    - CONDITIONAL
 extends_documentation_fragment:
    - middleware_automation.keycloak.keycloak
    - middleware_automation.keycloak.attributes
 author:
    - Paulo Menon (@paulomenon)
 '''
 EXAMPLES = '''
 - name: Create an authentication flow with executions
  middleware_automation.keycloak.keycloak_authentication_flow:
    auth_keycloak_url: http://localhost:8080
    auth_realm: master
    auth_username: admin
    auth_password: password
    realm: TestRealm
    alias: my-browser-flow
    description: "Custom browser flow"
    provider_id: basic-flow
    executions:
      - provider_id: auth-cookie
        requirement: ALTERNATIVE
      - provider_id: auth-password
        requirement: REQUIRED
      - provider_id: auth-otp-form
        requirement: ALTERNATIVE
    state: present
  delegate_to: localhost
 - name: Create an authentication flow by copying an existing one
  middleware_automation.keycloak.keycloak_authentication_flow:
    auth_keycloak_url: http://localhost:8080
    auth_realm: master
    auth_username: admin
    auth_password: password
    realm: TestRealm
    alias: my-copy-of-browser
    copy_from: browser
    state: present
  delegate_to: localhost
 - name: Create a flow using token authentication
  middleware_automation.keycloak.keycloak_authentication_flow:
    auth_keycloak_url: http://localhost:8080
    token: MY_TOKEN
    realm: TestRealm
    alias: my-flow
    state: present
  delegate_to: localhost
 - name: Delete an authentication flow
  middleware_automation.keycloak.keycloak_authentication_flow:
    auth_keycloak_url: http://localhost:8080
    auth_realm: master
    auth_username: admin
    auth_password: password
    realm: TestRealm
    alias: my-browser-flow
    state: absent
  delegate_to: localhost
 '''
 RETURN = '''
 msg:
    description: Message as to what action was taken.
    returned: always
    type: str
    sample: "Authentication flow my-browser-flow has been created"
 end_state:
    description: Representation of the authentication flow after module execution.
    returned: on success
    type: dict
    sample: {
        "id": "uuid-here",
        "alias": "my-browser-flow",
        "providerId": "basic-flow",
        "topLevel": true,
        "builtIn": false
    }
 '''
 from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
    keycloak_argument_spec, get_token, KeycloakError
 from ansible.module_utils.basic import AnsibleModule
 def main():
    argument_spec = keycloak_argument_spec()
    execution_spec = dict(
        provider_id=dict(type='str', required=True, aliases=['providerId']),
        requirement=dict(type='str', required=True, choices=['REQUIRED', 'ALTERNATIVE', 'DISABLED', 'CONDITIONAL']),
    )
    meta_args = dict(
        state=dict(type='str', default='present', choices=['present', 'absent']),
        alias=dict(type='str', required=True),
        description=dict(type='str', default=''),
        realm=dict(type='str', default='master'),
        provider_id=dict(type='str', default='basic-flow', aliases=['providerId']),
        copy_from=dict(type='str', aliases=['copyFrom']),
        executions=dict(type='list', default=[], options=execution_spec, elements='dict'),
    )
    argument_spec.update(meta_args)
    module = AnsibleModule(argument_spec=argument_spec,
                           supports_check_mode=True,
                           required_one_of=([['token', 'auth_realm', 'auth_username', 'auth_password']]),
                           required_together=([['auth_realm', 'auth_username', 'auth_password']]),
                           mutually_exclusive=[['copy_from', 'executions']])
    result = dict(changed=False, msg='', diff={}, end_state={})
    try:
        connection_header = get_token(module.params)
    except KeycloakError as e:
        module.fail_json(msg=str(e))
    kc = KeycloakAPI(module, connection_header)
    realm = module.params.get('realm')
    alias = module.params.get('alias')
    state = module.params.get('state')
    description = module.params.get('description')
    provider_id = module.params.get('provider_id')
    copy_from = module.params.get('copy_from')
    executions = module.params.get('executions')
    before_flow = kc.get_authentication_flow_by_alias(alias, realm=realm)
    flow_exists = bool(before_flow)
    if state == 'absent':
        if flow_exists:
            result['changed'] = True
            if module._diff:
                result['diff'] = dict(before=before_flow, after='')
            if module.check_mode:
                module.exit_json(**result)
            kc.delete_authentication_flow_by_id(before_flow['id'], realm=realm)
            result['msg'] = "Authentication flow {alias} has been deleted".format(alias=alias)
        else:
            result['msg'] = "Authentication flow {alias} does not exist, doing nothing".format(alias=alias)
        result['end_state'] = {}
        module.exit_json(**result)
    if flow_exists:
        result['changed'] = False
        result['end_state'] = before_flow
        result['msg'] = "Authentication flow {alias} already exists".format(alias=alias)
        module.exit_json(**result)
    result['changed'] = True
    flow_config = {
        'alias': alias,
        'description': description,
        'providerId': provider_id,
    }
    if module._diff:
        result['diff'] = dict(before='', after=flow_config)
    if module.check_mode:
        module.exit_json(**result)
    if copy_from:
        flow_config['copyFrom'] = copy_from
        after_flow = kc.copy_auth_flow(flow_config, realm=realm)
        result['msg'] = "Authentication flow {alias} has been created (copied from {src})".format(alias=alias, src=copy_from)
    else:
        after_flow = kc.create_empty_auth_flow(flow_config, realm=realm)
        if executions:
            for execution in executions:
                exec_rep = {
                    'providerId': execution['provider_id'],
                    'requirement': execution['requirement'],
                }
                kc.create_execution(exec_rep, alias, realm=realm)
        result['msg'] = "Authentication flow {alias} has been created".format(alias=alias)
    after_flow = kc.get_authentication_flow_by_alias(alias, realm=realm)
    result['end_state'] = after_flow
    module.exit_json(**result)
 if __name__ == '__main__':
    main()
--- a/plugins/modules/keycloak_client.py
+++ b/plugins/modules/keycloak_client.py
--- a/plugins/modules/keycloak_client_scope.py
+++ b/plugins/modules/keycloak_client_scope.py
@@ -0,0 +1,324 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 # Copyright (c) 2024, Contributors to the middleware_automation.keycloak collection
 # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 # SPDX-License-Identifier: GPL-3.0-or-later
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 DOCUMENTATION = '''
 ---
 module: keycloak_client_scope
 short_description: Allows administration of Keycloak client scopes via Keycloak API
 description:
    - This module allows you to add, remove or modify Keycloak client scopes via the Keycloak REST API.
      It requires access to the REST API via OpenID Connect; the user connecting and the client being
      used must have the requisite access rights. In a default Keycloak installation, admin-cli
      and an admin user would work, as would a separate client definition with the scope tailored
      to your needs and a user having the expected roles.
    - This module also supports managing protocol mappers within a client scope.
 attributes:
    check_mode:
        support: full
    diff_mode:
        support: full
 options:
    state:
        description:
            - State of the client scope.
            - On V(present), the client scope will be created if it does not yet exist, or updated with the parameters you provide.
            - On V(absent), the client scope will be removed if it exists.
        default: 'present'
        type: str
        choices:
            - present
            - absent
    name:
        type: str
        required: true
        description:
            - Name of the client scope.
    description:
        type: str
        default: ''
        description:
            - Description of the client scope.
    realm:
        type: str
        description:
            - The Keycloak realm under which this client scope resides.
        default: 'master'
    protocol:
        type: str
        description:
            - The protocol associated with the client scope.
        default: 'openid-connect'
        choices:
            - openid-connect
            - saml
    attributes:
        type: dict
        description:
            - A dict of key/value pairs to set as attributes for the client scope.
    protocol_mappers:
        type: list
        elements: dict
        description:
            - A list of protocol mappers to associate with the client scope.
            - Each mapper is a dict with the keys C(name), C(protocol), C(protocolMapper), and C(config).
        default: []
        suboptions:
            name:
                type: str
                required: true
                description:
                    - Name of the protocol mapper.
            protocol:
                type: str
                description:
                    - Protocol for the mapper.
                default: 'openid-connect'
            protocolMapper:
                type: str
                required: true
                description:
                    - The mapper type (e.g. V(oidc-usermodel-attribute-mapper), V(oidc-audience-mapper)).
                aliases:
                    - protocol_mapper_type
            config:
                type: dict
                required: true
                description:
                    - Configuration for the protocol mapper.
 extends_documentation_fragment:
    - middleware_automation.keycloak.keycloak
    - middleware_automation.keycloak.attributes
 author:
    - Paulo Menon (@paulomenon)
 '''
 EXAMPLES = '''
 - name: Create a client scope with protocol mappers
  middleware_automation.keycloak.keycloak_client_scope:
    auth_keycloak_url: http://localhost:8080
    auth_realm: master
    auth_username: admin
    auth_password: password
    realm: TestRealm
    name: my-client-scope
    description: "A custom client scope"
    protocol: openid-connect
    protocol_mappers:
      - name: email
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
        config:
          user.attribute: email
          claim.name: email
          jsonType.label: String
          id.token.claim: "true"
          access.token.claim: "true"
          userinfo.token.claim: "true"
    state: present
  delegate_to: localhost
 - name: Create a client scope using token authentication
  middleware_automation.keycloak.keycloak_client_scope:
    auth_keycloak_url: http://localhost:8080
    token: MY_TOKEN
    realm: TestRealm
    name: my-scope
    state: present
  delegate_to: localhost
 - name: Delete a client scope
  middleware_automation.keycloak.keycloak_client_scope:
    auth_keycloak_url: http://localhost:8080
    auth_realm: master
    auth_username: admin
    auth_password: password
    realm: TestRealm
    name: my-client-scope
    state: absent
  delegate_to: localhost
 '''
 RETURN = '''
 msg:
    description: Message as to what action was taken.
    returned: always
    type: str
    sample: "Client scope my-scope has been created"
 end_state:
    description: Representation of the client scope after module execution.
    returned: on success
    type: dict
    sample: {
        "id": "uuid-here",
        "name": "my-scope",
        "protocol": "openid-connect",
        "description": "A custom scope"
    }
 '''
 from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
    keycloak_argument_spec, get_token, KeycloakError
 from ansible.module_utils.basic import AnsibleModule
 def main():
    argument_spec = keycloak_argument_spec()
    mapper_spec = dict(
        name=dict(type='str', required=True),
        protocol=dict(type='str', default='openid-connect'),
        protocolMapper=dict(type='str', required=True, aliases=['protocol_mapper_type']),
        config=dict(type='dict', required=True),
    )
    meta_args = dict(
        state=dict(type='str', default='present', choices=['present', 'absent']),
        name=dict(type='str', required=True),
        description=dict(type='str', default=''),
        realm=dict(type='str', default='master'),
        protocol=dict(type='str', default='openid-connect', choices=['openid-connect', 'saml']),
        attributes=dict(type='dict'),
        protocol_mappers=dict(type='list', default=[], options=mapper_spec, elements='dict'),
    )
    argument_spec.update(meta_args)
    module = AnsibleModule(argument_spec=argument_spec,
                           supports_check_mode=True,
                           required_one_of=([['token', 'auth_realm', 'auth_username', 'auth_password']]),
                           required_together=([['auth_realm', 'auth_username', 'auth_password']]))
    result = dict(changed=False, msg='', diff={}, end_state={})
    try:
        connection_header = get_token(module.params)
    except KeycloakError as e:
        module.fail_json(msg=str(e))
    kc = KeycloakAPI(module, connection_header)
    realm = module.params.get('realm')
    name = module.params.get('name')
    state = module.params.get('state')
    protocol = module.params.get('protocol')
    description = module.params.get('description')
    attributes = module.params.get('attributes')
    protocol_mappers = module.params.get('protocol_mappers')
    before_scope = kc.get_clientscope_by_name(name, realm=realm)
    if state == 'absent':
        if before_scope:
            result['changed'] = True
            if module._diff:
                result['diff'] = dict(before=before_scope, after='')
            if module.check_mode:
                module.exit_json(**result)
            kc.delete_clientscope(cid=before_scope['id'], realm=realm)
            result['msg'] = "Client scope {name} has been deleted".format(name=name)
        else:
            result['msg'] = "Client scope {name} does not exist, doing nothing".format(name=name)
        result['end_state'] = {}
        module.exit_json(**result)
    scope_rep = {
        'name': name,
        'protocol': protocol,
        'description': description,
    }
    if attributes:
        scope_rep['attributes'] = attributes
    if not before_scope:
        result['changed'] = True
        if module._diff:
            result['diff'] = dict(before='', after=scope_rep)
        if module.check_mode:
            module.exit_json(**result)
        kc.create_clientscope(scope_rep, realm=realm)
        after_scope = kc.get_clientscope_by_name(name, realm=realm)
        if protocol_mappers:
            for mapper in protocol_mappers:
                mapper_rep = {
                    'name': mapper['name'],
                    'protocol': mapper.get('protocol', protocol),
                    'protocolMapper': mapper['protocolMapper'],
                    'config': mapper['config'],
                }
                kc.create_clientscope_protocolmapper(after_scope['id'], mapper_rep, realm=realm)
            after_scope = kc.get_clientscope_by_name(name, realm=realm)
        result['end_state'] = after_scope
        result['msg'] = "Client scope {name} has been created".format(name=name)
        module.exit_json(**result)
    else:
        changed = False
        for key in ('protocol', 'description'):
            if scope_rep.get(key) and scope_rep[key] != before_scope.get(key):
                changed = True
                break
        if attributes and attributes != before_scope.get('attributes', {}):
            changed = True
        if changed:
            result['changed'] = True
            scope_rep['id'] = before_scope['id']
            if module._diff:
                result['diff'] = dict(before=before_scope, after=scope_rep)
            if module.check_mode:
                module.exit_json(**result)
            kc.update_clientscope(scope_rep, realm=realm)
        if protocol_mappers:
            existing_mappers = kc.get_clientscope_protocolmappers(before_scope['id'], realm=realm)
            existing_mapper_names = {m['name'] for m in existing_mappers}
            for mapper in protocol_mappers:
                if mapper['name'] not in existing_mapper_names:
                    result['changed'] = True
                    if not module.check_mode:
                        mapper_rep = {
                            'name': mapper['name'],
                            'protocol': mapper.get('protocol', protocol),
                            'protocolMapper': mapper['protocolMapper'],
                            'config': mapper['config'],
                        }
                        kc.create_clientscope_protocolmapper(before_scope['id'], mapper_rep, realm=realm)
        after_scope = kc.get_clientscope_by_name(name, realm=realm)
        result['end_state'] = after_scope
        if result['changed']:
            result['msg'] = "Client scope {name} has been updated".format(name=name)
        else:
            result['msg'] = "No changes required to client scope {name}".format(name=name)
        module.exit_json(**result)
 if __name__ == '__main__':
    main()
--- a/plugins/modules/keycloak_realm.py
+++ b/plugins/modules/keycloak_realm.py
@@ -0,0 +1,848 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 # Copyright (c) 2017, Eike Frost <ei@kefro.st>
 # Copyright (c) 2021, Christophe Gilles <christophe.gilles54@gmail.com>
 # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 # SPDX-License-Identifier: GPL-3.0-or-later
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 DOCUMENTATION = '''
 ---
 module: keycloak_realm
 short_description: Allows administration of Keycloak realm via Keycloak API
 version_added: 3.0.0
 description:
    - This module allows the administration of Keycloak realm via the Keycloak REST API. It
      requires access to the REST API via OpenID Connect; the user connecting and the realm being
      used must have the requisite access rights. In a default Keycloak installation, admin-cli
      and an admin user would work, as would a separate realm definition with the scope tailored
      to your needs and a user having the expected roles.
    - The names of module options are snake_cased versions of the camelCase ones found in the
      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
      Aliases are provided so camelCased versions can be used as well.
    - The Keycloak API does not always sanity check inputs e.g. you can set
      SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful.
      If you do not specify a setting, usually a sensible default is chosen.
 attributes:
    check_mode:
        support: full
    diff_mode:
        support: full
 options:
    state:
        description:
            - State of the realm.
            - On V(present), the realm will be created (or updated if it exists already).
            - On V(absent), the realm will be removed if it exists.
        choices: ['present', 'absent']
        default: 'present'
        type: str
    id:
        description:
            - The realm to create.
        type: str
    realm:
        description:
            - The realm name.
        type: str
    access_code_lifespan:
        description:
            - The realm access code lifespan.
        aliases:
            - accessCodeLifespan
        type: int
    access_code_lifespan_login:
        description:
            - The realm access code lifespan login.
        aliases:
            - accessCodeLifespanLogin
        type: int
    access_code_lifespan_user_action:
        description:
            - The realm access code lifespan user action.
        aliases:
            - accessCodeLifespanUserAction
        type: int
    access_token_lifespan:
        description:
            - The realm access token lifespan.
        aliases:
            - accessTokenLifespan
        type: int
    access_token_lifespan_for_implicit_flow:
        description:
            - The realm access token lifespan for implicit flow.
        aliases:
            - accessTokenLifespanForImplicitFlow
        type: int
    account_theme:
        description:
            - The realm account theme.
        aliases:
            - accountTheme
        type: str
    action_token_generated_by_admin_lifespan:
        description:
            - The realm action token generated by admin lifespan.
        aliases:
            - actionTokenGeneratedByAdminLifespan
        type: int
    action_token_generated_by_user_lifespan:
        description:
            - The realm action token generated by user lifespan.
        aliases:
            - actionTokenGeneratedByUserLifespan
        type: int
    admin_events_details_enabled:
        description:
            - The realm admin events details enabled.
        aliases:
            - adminEventsDetailsEnabled
        type: bool
    admin_events_enabled:
        description:
            - The realm admin events enabled.
        aliases:
            - adminEventsEnabled
        type: bool
    admin_theme:
        description:
            - The realm admin theme.
        aliases:
            - adminTheme
        type: str
    attributes:
        description:
            - The realm attributes.
        type: dict
    browser_flow:
        description:
            - The realm browser flow.
        aliases:
            - browserFlow
        type: str
    browser_security_headers:
        description:
            - The realm browser security headers.
        aliases:
            - browserSecurityHeaders
        type: dict
    brute_force_protected:
        description:
            - The realm brute force protected.
        aliases:
            - bruteForceProtected
        type: bool
    client_authentication_flow:
        description:
            - The realm client authentication flow.
        aliases:
            - clientAuthenticationFlow
        type: str
    client_scope_mappings:
        description:
            - The realm client scope mappings.
        aliases:
            - clientScopeMappings
        type: dict
    default_default_client_scopes:
        description:
            - The realm default default client scopes.
        aliases:
            - defaultDefaultClientScopes
        type: list
        elements: str
    default_groups:
        description:
            - The realm default groups.
        aliases:
            - defaultGroups
        type: list
        elements: str
    default_locale:
        description:
            - The realm default locale.
        aliases:
            - defaultLocale
        type: str
    default_optional_client_scopes:
        description:
            - The realm default optional client scopes.
        aliases:
            - defaultOptionalClientScopes
        type: list
        elements: str
    default_roles:
        description:
            - The realm default roles.
        aliases:
            - defaultRoles
        type: list
        elements: str
    default_signature_algorithm:
        description:
            - The realm default signature algorithm.
        aliases:
            - defaultSignatureAlgorithm
        type: str
    direct_grant_flow:
        description:
            - The realm direct grant flow.
        aliases:
            - directGrantFlow
        type: str
    display_name:
        description:
            - The realm display name.
        aliases:
            - displayName
        type: str
    display_name_html:
        description:
            - The realm display name HTML.
        aliases:
            - displayNameHtml
        type: str
    docker_authentication_flow:
        description:
            - The realm docker authentication flow.
        aliases:
            - dockerAuthenticationFlow
        type: str
    duplicate_emails_allowed:
        description:
            - The realm duplicate emails allowed option.
        aliases:
            - duplicateEmailsAllowed
        type: bool
    edit_username_allowed:
        description:
            - The realm edit username allowed option.
        aliases:
            - editUsernameAllowed
        type: bool
    email_theme:
        description:
            - The realm email theme.
        aliases:
            - emailTheme
        type: str
    enabled:
        description:
            - The realm enabled option.
        type: bool
    enabled_event_types:
        description:
            - The realm enabled event types.
        aliases:
            - enabledEventTypes
        type: list
        elements: str
    events_enabled:
        description:
            - Enables or disables login events for this realm.
        aliases:
            - eventsEnabled
        type: bool
        version_added: 3.6.0
    events_expiration:
        description:
            - The realm events expiration.
        aliases:
            - eventsExpiration
        type: int
    events_listeners:
        description:
            - The realm events listeners.
        aliases:
            - eventsListeners
        type: list
        elements: str
    failure_factor:
        description:
            - The realm failure factor.
        aliases:
            - failureFactor
        type: int
    internationalization_enabled:
        description:
            - The realm internationalization enabled option.
        aliases:
            - internationalizationEnabled
        type: bool
    login_theme:
        description:
            - The realm login theme.
        aliases:
            - loginTheme
        type: str
    login_with_email_allowed:
        description:
            - The realm login with email allowed option.
        aliases:
            - loginWithEmailAllowed
        type: bool
    max_delta_time_seconds:
        description:
            - The realm max delta time in seconds.
        aliases:
            - maxDeltaTimeSeconds
        type: int
    max_failure_wait_seconds:
        description:
            - The realm max failure wait in seconds.
        aliases:
            - maxFailureWaitSeconds
        type: int
    minimum_quick_login_wait_seconds:
        description:
            - The realm minimum quick login wait in seconds.
        aliases:
            - minimumQuickLoginWaitSeconds
        type: int
    not_before:
        description:
            - The realm not before.
        aliases:
            - notBefore
        type: int
    offline_session_idle_timeout:
        description:
            - The realm offline session idle timeout.
        aliases:
            - offlineSessionIdleTimeout
        type: int
    offline_session_max_lifespan:
        description:
            - The realm offline session max lifespan.
        aliases:
            - offlineSessionMaxLifespan
        type: int
    offline_session_max_lifespan_enabled:
        description:
            - The realm offline session max lifespan enabled option.
        aliases:
            - offlineSessionMaxLifespanEnabled
        type: bool
    otp_policy_algorithm:
        description:
            - The realm otp policy algorithm.
        aliases:
            - otpPolicyAlgorithm
        type: str
    otp_policy_digits:
        description:
            - The realm otp policy digits.
        aliases:
            - otpPolicyDigits
        type: int
    otp_policy_initial_counter:
        description:
            - The realm otp policy initial counter.
        aliases:
            - otpPolicyInitialCounter
        type: int
    otp_policy_look_ahead_window:
        description:
            - The realm otp policy look ahead window.
        aliases:
            - otpPolicyLookAheadWindow
        type: int
    otp_policy_period:
        description:
            - The realm otp policy period.
        aliases:
            - otpPolicyPeriod
        type: int
    otp_policy_type:
        description:
            - The realm otp policy type.
        aliases:
            - otpPolicyType
        type: str
    otp_supported_applications:
        description:
            - The realm otp supported applications.
        aliases:
            - otpSupportedApplications
        type: list
        elements: str
    password_policy:
        description:
            - The realm password policy.
        aliases:
            - passwordPolicy
        type: str
    permanent_lockout:
        description:
            - The realm permanent lockout.
        aliases:
            - permanentLockout
        type: bool
    quick_login_check_milli_seconds:
        description:
            - The realm quick login check in milliseconds.
        aliases:
            - quickLoginCheckMilliSeconds
        type: int
    refresh_token_max_reuse:
        description:
            - The realm refresh token max reuse.
        aliases:
            - refreshTokenMaxReuse
        type: int
    registration_allowed:
        description:
            - The realm registration allowed option.
        aliases:
            - registrationAllowed
        type: bool
    registration_email_as_username:
        description:
            - The realm registration email as username option.
        aliases:
            - registrationEmailAsUsername
        type: bool
    registration_flow:
        description:
            - The realm registration flow.
        aliases:
            - registrationFlow
        type: str
    remember_me:
        description:
            - The realm remember me option.
        aliases:
            - rememberMe
        type: bool
    reset_credentials_flow:
        description:
            - The realm reset credentials flow.
        aliases:
            - resetCredentialsFlow
        type: str
    reset_password_allowed:
        description:
            - The realm reset password allowed option.
        aliases:
            - resetPasswordAllowed
        type: bool
    revoke_refresh_token:
        description:
            - The realm revoke refresh token option.
        aliases:
            - revokeRefreshToken
        type: bool
    smtp_server:
        description:
            - The realm smtp server.
        aliases:
            - smtpServer
        type: dict
    ssl_required:
        description:
            - The realm ssl required option.
        choices: ['all', 'external', 'none']
        aliases:
            - sslRequired
        type: str
    sso_session_idle_timeout:
        description:
            - The realm sso session idle timeout.
        aliases:
            - ssoSessionIdleTimeout
        type: int
    sso_session_idle_timeout_remember_me:
        description:
            - The realm sso session idle timeout remember me.
        aliases:
            - ssoSessionIdleTimeoutRememberMe
        type: int
    sso_session_max_lifespan:
        description:
            - The realm sso session max lifespan.
        aliases:
            - ssoSessionMaxLifespan
        type: int
    sso_session_max_lifespan_remember_me:
        description:
            - The realm sso session max lifespan remember me.
        aliases:
            - ssoSessionMaxLifespanRememberMe
        type: int
    supported_locales:
        description:
            - The realm supported locales.
        aliases:
            - supportedLocales
        type: list
        elements: str
    user_managed_access_allowed:
        description:
            - The realm user managed access allowed option.
        aliases:
            - userManagedAccessAllowed
        type: bool
    verify_email:
        description:
            - The realm verify email option.
        aliases:
            - verifyEmail
        type: bool
    wait_increment_seconds:
        description:
            - The realm wait increment in seconds.
        aliases:
            - waitIncrementSeconds
        type: int
 extends_documentation_fragment:
    - middleware_automation.keycloak.keycloak
    - middleware_automation.keycloak.attributes
 author:
    - Christophe Gilles (@kris2kris)
 '''
 EXAMPLES = '''
 - name: Create or update Keycloak realm (minimal example)
  middleware_automation.keycloak.keycloak_realm:
    auth_client_id: admin-cli
    auth_keycloak_url: https://auth.example.com/auth
    auth_realm: master
    auth_username: USERNAME
    auth_password: PASSWORD
    id: realm
    realm: realm
    state: present
 - name: Delete a Keycloak realm
  middleware_automation.keycloak.keycloak_realm:
    auth_client_id: admin-cli
    auth_keycloak_url: https://auth.example.com/auth
    auth_realm: master
    auth_username: USERNAME
    auth_password: PASSWORD
    id: test
    state: absent
 '''
 RETURN = '''
 msg:
    description: Message as to what action was taken.
    returned: always
    type: str
    sample: "Realm testrealm has been updated"
 proposed:
    description: Representation of proposed realm.
    returned: always
    type: dict
    sample: {
      id: "test"
    }
 existing:
    description: Representation of existing realm (sample is truncated).
    returned: always
    type: dict
    sample: {
        "adminUrl": "http://www.example.com/admin_url",
        "attributes": {
            "request.object.signature.alg": "RS256",
        }
    }
 end_state:
    description: Representation of realm after module execution (sample is truncated).
    returned: on success
    type: dict
    sample: {
        "adminUrl": "http://www.example.com/admin_url",
        "attributes": {
            "request.object.signature.alg": "RS256",
        }
    }
 '''
 from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
    keycloak_argument_spec, get_token, KeycloakError
 from ansible.module_utils.basic import AnsibleModule
 def normalise_cr(realmrep):
    """ Re-sorts any properties where the order is important so that diff's is minimised and the change detection is more effective.
    :param realmrep: the realmrep dict to be sanitized
    :return: normalised realmrep dict
    """
    # Avoid the dict passed in to be modified
    realmrep = realmrep.copy()
    if 'enabledEventTypes' in realmrep:
        realmrep['enabledEventTypes'] = list(sorted(realmrep['enabledEventTypes']))
    if 'otpSupportedApplications' in realmrep:
        realmrep['otpSupportedApplications'] = list(sorted(realmrep['otpSupportedApplications']))
    if 'supportedLocales' in realmrep:
        realmrep['supportedLocales'] = list(sorted(realmrep['supportedLocales']))
    return realmrep
 def sanitize_cr(realmrep):
    """ Removes probably sensitive details from a realm representation.
    :param realmrep: the realmrep dict to be sanitized
    :return: sanitized realmrep dict
    """
    result = realmrep.copy()
    if 'secret' in result:
        result['secret'] = '********'
    if 'attributes' in result:
        if 'saml.signing.private.key' in result['attributes']:
            result['attributes'] = result['attributes'].copy()
            result['attributes']['saml.signing.private.key'] = '********'
    return normalise_cr(result)
 def main():
    """
    Module execution
    :return:
    """
    argument_spec = keycloak_argument_spec()
    meta_args = dict(
        state=dict(default='present', choices=['present', 'absent']),
        id=dict(type='str'),
        realm=dict(type='str'),
        access_code_lifespan=dict(type='int', aliases=['accessCodeLifespan']),
        access_code_lifespan_login=dict(type='int', aliases=['accessCodeLifespanLogin']),
        access_code_lifespan_user_action=dict(type='int', aliases=['accessCodeLifespanUserAction']),
        access_token_lifespan=dict(type='int', aliases=['accessTokenLifespan'], no_log=False),
        access_token_lifespan_for_implicit_flow=dict(type='int', aliases=['accessTokenLifespanForImplicitFlow'], no_log=False),
        account_theme=dict(type='str', aliases=['accountTheme']),
        action_token_generated_by_admin_lifespan=dict(type='int', aliases=['actionTokenGeneratedByAdminLifespan'], no_log=False),
        action_token_generated_by_user_lifespan=dict(type='int', aliases=['actionTokenGeneratedByUserLifespan'], no_log=False),
        admin_events_details_enabled=dict(type='bool', aliases=['adminEventsDetailsEnabled']),
        admin_events_enabled=dict(type='bool', aliases=['adminEventsEnabled']),
        admin_theme=dict(type='str', aliases=['adminTheme']),
        attributes=dict(type='dict'),
        browser_flow=dict(type='str', aliases=['browserFlow']),
        browser_security_headers=dict(type='dict', aliases=['browserSecurityHeaders']),
        brute_force_protected=dict(type='bool', aliases=['bruteForceProtected']),
        client_authentication_flow=dict(type='str', aliases=['clientAuthenticationFlow']),
        client_scope_mappings=dict(type='dict', aliases=['clientScopeMappings']),
        default_default_client_scopes=dict(type='list', elements='str', aliases=['defaultDefaultClientScopes']),
        default_groups=dict(type='list', elements='str', aliases=['defaultGroups']),
        default_locale=dict(type='str', aliases=['defaultLocale']),
        default_optional_client_scopes=dict(type='list', elements='str', aliases=['defaultOptionalClientScopes']),
        default_roles=dict(type='list', elements='str', aliases=['defaultRoles']),
        default_signature_algorithm=dict(type='str', aliases=['defaultSignatureAlgorithm']),
        direct_grant_flow=dict(type='str', aliases=['directGrantFlow']),
        display_name=dict(type='str', aliases=['displayName']),
        display_name_html=dict(type='str', aliases=['displayNameHtml']),
        docker_authentication_flow=dict(type='str', aliases=['dockerAuthenticationFlow']),
        duplicate_emails_allowed=dict(type='bool', aliases=['duplicateEmailsAllowed']),
        edit_username_allowed=dict(type='bool', aliases=['editUsernameAllowed']),
        email_theme=dict(type='str', aliases=['emailTheme']),
        enabled=dict(type='bool'),
        enabled_event_types=dict(type='list', elements='str', aliases=['enabledEventTypes']),
        events_enabled=dict(type='bool', aliases=['eventsEnabled']),
        events_expiration=dict(type='int', aliases=['eventsExpiration']),
        events_listeners=dict(type='list', elements='str', aliases=['eventsListeners']),
        failure_factor=dict(type='int', aliases=['failureFactor']),
        internationalization_enabled=dict(type='bool', aliases=['internationalizationEnabled']),
        login_theme=dict(type='str', aliases=['loginTheme']),
        login_with_email_allowed=dict(type='bool', aliases=['loginWithEmailAllowed']),
        max_delta_time_seconds=dict(type='int', aliases=['maxDeltaTimeSeconds']),
        max_failure_wait_seconds=dict(type='int', aliases=['maxFailureWaitSeconds']),
        minimum_quick_login_wait_seconds=dict(type='int', aliases=['minimumQuickLoginWaitSeconds']),
        not_before=dict(type='int', aliases=['notBefore']),
        offline_session_idle_timeout=dict(type='int', aliases=['offlineSessionIdleTimeout']),
        offline_session_max_lifespan=dict(type='int', aliases=['offlineSessionMaxLifespan']),
        offline_session_max_lifespan_enabled=dict(type='bool', aliases=['offlineSessionMaxLifespanEnabled']),
        otp_policy_algorithm=dict(type='str', aliases=['otpPolicyAlgorithm']),
        otp_policy_digits=dict(type='int', aliases=['otpPolicyDigits']),
        otp_policy_initial_counter=dict(type='int', aliases=['otpPolicyInitialCounter']),
        otp_policy_look_ahead_window=dict(type='int', aliases=['otpPolicyLookAheadWindow']),
        otp_policy_period=dict(type='int', aliases=['otpPolicyPeriod']),
        otp_policy_type=dict(type='str', aliases=['otpPolicyType']),
        otp_supported_applications=dict(type='list', elements='str', aliases=['otpSupportedApplications']),
        password_policy=dict(type='str', aliases=['passwordPolicy'], no_log=False),
        permanent_lockout=dict(type='bool', aliases=['permanentLockout']),
        quick_login_check_milli_seconds=dict(type='int', aliases=['quickLoginCheckMilliSeconds']),
        refresh_token_max_reuse=dict(type='int', aliases=['refreshTokenMaxReuse'], no_log=False),
        registration_allowed=dict(type='bool', aliases=['registrationAllowed']),
        registration_email_as_username=dict(type='bool', aliases=['registrationEmailAsUsername']),
        registration_flow=dict(type='str', aliases=['registrationFlow']),
        remember_me=dict(type='bool', aliases=['rememberMe']),
        reset_credentials_flow=dict(type='str', aliases=['resetCredentialsFlow']),
        reset_password_allowed=dict(type='bool', aliases=['resetPasswordAllowed'], no_log=False),
        revoke_refresh_token=dict(type='bool', aliases=['revokeRefreshToken']),
        smtp_server=dict(type='dict', aliases=['smtpServer']),
        ssl_required=dict(choices=["external", "all", "none"], aliases=['sslRequired']),
        sso_session_idle_timeout=dict(type='int', aliases=['ssoSessionIdleTimeout']),
        sso_session_idle_timeout_remember_me=dict(type='int', aliases=['ssoSessionIdleTimeoutRememberMe']),
        sso_session_max_lifespan=dict(type='int', aliases=['ssoSessionMaxLifespan']),
        sso_session_max_lifespan_remember_me=dict(type='int', aliases=['ssoSessionMaxLifespanRememberMe']),
        supported_locales=dict(type='list', elements='str', aliases=['supportedLocales']),
        user_managed_access_allowed=dict(type='bool', aliases=['userManagedAccessAllowed']),
        verify_email=dict(type='bool', aliases=['verifyEmail']),
        wait_increment_seconds=dict(type='int', aliases=['waitIncrementSeconds']),
    )
    argument_spec.update(meta_args)
    module = AnsibleModule(argument_spec=argument_spec,
                           supports_check_mode=True,
                           required_one_of=([['id', 'realm', 'enabled'],
                                             ['token', 'auth_realm', 'auth_username', 'auth_password']]),
                           required_together=([['auth_realm', 'auth_username', 'auth_password']]))
    result = dict(changed=False, msg='', diff={}, proposed={}, existing={}, end_state={})
    # Obtain access token, initialize API
    try:
        connection_header = get_token(module.params)
    except KeycloakError as e:
        module.fail_json(msg=str(e))
    kc = KeycloakAPI(module, connection_header)
    realm = module.params.get('realm')
    state = module.params.get('state')
    # convert module parameters to realm representation parameters (if they belong in there)
    params_to_ignore = list(keycloak_argument_spec().keys()) + ['state']
    # Filter and map the parameters names that apply to the role
    realm_params = [x for x in module.params
                    if x not in params_to_ignore and
                    module.params.get(x) is not None]
    # See whether the realm already exists in Keycloak
    before_realm = kc.get_realm_by_id(realm=realm)
    if before_realm is None:
        before_realm = {}
    # Build a proposed changeset from parameters given to this module
    changeset = {}
    for realm_param in realm_params:
        new_param_value = module.params.get(realm_param)
        changeset[camel(realm_param)] = new_param_value
    # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis)
    desired_realm = before_realm.copy()
    desired_realm.update(changeset)
    result['proposed'] = sanitize_cr(changeset)
    before_realm_sanitized = sanitize_cr(before_realm)
    result['existing'] = before_realm_sanitized
    # Cater for when it doesn't exist (an empty dict)
    if not before_realm:
        if state == 'absent':
            # Do nothing and exit
            if module._diff:
                result['diff'] = dict(before='', after='')
            result['changed'] = False
            result['end_state'] = {}
            result['msg'] = 'Realm does not exist, doing nothing.'
            module.exit_json(**result)
        # Process a creation
        result['changed'] = True
        if 'id' not in desired_realm:
            module.fail_json(msg='id needs to be specified when creating a new realm')
        if module._diff:
            result['diff'] = dict(before='', after=sanitize_cr(desired_realm))
        if module.check_mode:
            module.exit_json(**result)
        # create it
        kc.create_realm(desired_realm)
        after_realm = kc.get_realm_by_id(desired_realm['id'])
        result['end_state'] = sanitize_cr(after_realm)
        result['msg'] = 'Realm %s has been created.' % desired_realm['id']
        module.exit_json(**result)
    else:
        if state == 'present':
            # Process an update
            # doing an update
            result['changed'] = True
            if module.check_mode:
                # We can only compare the current realm with the proposed updates we have
                before_norm = normalise_cr(before_realm)
                desired_norm = normalise_cr(desired_realm)
                if module._diff:
                    result['diff'] = dict(before=sanitize_cr(before_norm),
                                          after=sanitize_cr(desired_norm))
                result['changed'] = (before_norm != desired_norm)
                module.exit_json(**result)
            # do the update
            kc.update_realm(desired_realm, realm=realm)
            after_realm = kc.get_realm_by_id(realm=realm)
            if before_realm == after_realm:
                result['changed'] = False
            result['end_state'] = sanitize_cr(after_realm)
            if module._diff:
                result['diff'] = dict(before=before_realm_sanitized,
                                      after=sanitize_cr(after_realm))
            result['msg'] = 'Realm %s has been updated.' % desired_realm['id']
            module.exit_json(**result)
        else:
            # Process a deletion (because state was not 'present')
            result['changed'] = True
            if module._diff:
                result['diff'] = dict(before=before_realm_sanitized, after='')
            if module.check_mode:
                module.exit_json(**result)
            # delete it
            kc.delete_realm(realm=realm)
            result['proposed'] = {}
            result['end_state'] = {}
            result['msg'] = 'Realm %s has been deleted.' % before_realm['id']
    module.exit_json(**result)
 if __name__ == '__main__':
    main()
--- a/plugins/modules/keycloak_role.py
+++ b/plugins/modules/keycloak_role.py
@@ -0,0 +1,439 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 # Copyright (c) 2019, Adam Goossens <adam.goossens@gmail.com>
 # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 # SPDX-License-Identifier: GPL-3.0-or-later
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 DOCUMENTATION = '''
 ---
 module: keycloak_role
 short_description: Allows administration of Keycloak roles via Keycloak API
 version_added: 3.4.0
 description:
    - This module allows you to add, remove or modify Keycloak roles via the Keycloak REST API.
      It requires access to the REST API via OpenID Connect; the user connecting and the client being
      used must have the requisite access rights. In a default Keycloak installation, admin-cli
      and an admin user would work, as would a separate client definition with the scope tailored
      to your needs and a user having the expected roles.
    - The names of module options are snake_cased versions of the camelCase ones found in the
      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
    - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
      be returned that way by this module. You may pass single values for attributes when calling the module,
      and this will be translated into a list suitable for the API.
 attributes:
    check_mode:
        support: full
    diff_mode:
        support: full
 options:
    state:
        description:
            - State of the role.
            - On V(present), the role will be created if it does not yet exist, or updated with the parameters you provide.
            - On V(absent), the role will be removed if it exists.
        default: 'present'
        type: str
        choices:
            - present
            - absent
    name:
        type: str
        required: true
        description:
            - Name of the role.
            - This parameter is required.
    description:
        type: str
        description:
            - The role description.
    realm:
        type: str
        description:
            - The Keycloak realm under which this role resides.
        default: 'master'
    client_id:
        type: str
        description:
            - If the role is a client role, the client id under which it resides.
            - If this parameter is absent, the role is considered a realm role.
    attributes:
        type: dict
        description:
            - A dict of key/value pairs to set as custom attributes for the role.
            - Values may be single values (e.g. a string) or a list of strings.
    composite:
        description:
            - If V(true), the role is a composition of other realm and/or client role.
        default: false
        type: bool
        version_added: 7.1.0
    composites:
        description:
            - List of roles to include to the composite realm role.
            - If the composite role is a client role, the C(clientId) (not ID of the client) must be specified.
        default: []
        type: list
        elements: dict
        version_added: 7.1.0
        suboptions:
            name:
                description:
                    - Name of the role. This can be the name of a REALM role or a client role.
                type: str
                required: true
            client_id:
                description:
                    - Client ID if the role is a client role. Do not include this option for a REALM role.
                    - Use the client ID you can see in the Keycloak console, not the technical ID of the client.
                type: str
                required: false
                aliases:
                    - clientId
            state:
                description:
                    - Create the composite if present, remove it if absent.
                type: str
                choices:
                    - present
                    - absent
                default: present
 extends_documentation_fragment:
    - middleware_automation.keycloak.keycloak
    - middleware_automation.keycloak.attributes
 author:
    - Laurent Paumier (@laurpaum)
 '''
 EXAMPLES = '''
 - name: Create a Keycloak realm role, authentication with credentials
  middleware_automation.keycloak.keycloak_role:
    name: my-new-kc-role
    realm: MyCustomRealm
    state: present
    auth_client_id: admin-cli
    auth_keycloak_url: https://auth.example.com/auth
    auth_realm: master
    auth_username: USERNAME
    auth_password: PASSWORD
  delegate_to: localhost
 - name: Create a Keycloak realm role, authentication with token
  middleware_automation.keycloak.keycloak_role:
    name: my-new-kc-role
    realm: MyCustomRealm
    state: present
    auth_client_id: admin-cli
    auth_keycloak_url: https://auth.example.com/auth
    token: TOKEN
  delegate_to: localhost
 - name: Create a Keycloak client role
  middleware_automation.keycloak.keycloak_role:
    name: my-new-kc-role
    realm: MyCustomRealm
    client_id: MyClient
    state: present
    auth_client_id: admin-cli
    auth_keycloak_url: https://auth.example.com/auth
    auth_realm: master
    auth_username: USERNAME
    auth_password: PASSWORD
  delegate_to: localhost
 - name: Delete a Keycloak role
  middleware_automation.keycloak.keycloak_role:
    name: my-role-for-deletion
    state: absent
    auth_client_id: admin-cli
    auth_keycloak_url: https://auth.example.com/auth
    auth_realm: master
    auth_username: USERNAME
    auth_password: PASSWORD
  delegate_to: localhost
 - name: Create a keycloak role with some custom attributes
  middleware_automation.keycloak.keycloak_role:
    auth_client_id: admin-cli
    auth_keycloak_url: https://auth.example.com/auth
    auth_realm: master
    auth_username: USERNAME
    auth_password: PASSWORD
    name: my-new-role
    attributes:
        attrib1: value1
        attrib2: value2
        attrib3:
            - with
            - numerous
            - individual
            - list
            - items
  delegate_to: localhost
 '''
 RETURN = '''
 msg:
    description: Message as to what action was taken.
    returned: always
    type: str
    sample: "Role myrole has been updated"
 proposed:
    description: Representation of proposed role.
    returned: always
    type: dict
    sample: {
        "description": "My updated test description"
    }
 existing:
    description: Representation of existing role.
    returned: always
    type: dict
    sample: {
        "attributes": {},
        "clientRole": true,
        "composite": false,
        "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
        "description": "My client test role",
        "id": "561703dd-0f38-45ff-9a5a-0c978f794547",
        "name": "myrole"
    }
 end_state:
    description: Representation of role after module execution (sample is truncated).
    returned: on success
    type: dict
    sample: {
        "attributes": {},
        "clientRole": true,
        "composite": false,
        "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
        "description": "My updated client test role",
        "id": "561703dd-0f38-45ff-9a5a-0c978f794547",
        "name": "myrole"
    }
 '''
 from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
    keycloak_argument_spec, get_token, KeycloakError, is_struct_included
 from ansible.module_utils.basic import AnsibleModule
 import copy
 def main():
    """
    Module execution
    :return:
    """
    argument_spec = keycloak_argument_spec()
    composites_spec = dict(
        name=dict(type='str', required=True),
        client_id=dict(type='str', aliases=['clientId'], required=False),
        state=dict(type='str', default='present', choices=['present', 'absent'])
    )
    meta_args = dict(
        state=dict(type='str', default='present', choices=['present', 'absent']),
        name=dict(type='str', required=True),
        description=dict(type='str'),
        realm=dict(type='str', default='master'),
        client_id=dict(type='str'),
        attributes=dict(type='dict'),
        composites=dict(type='list', default=[], options=composites_spec, elements='dict'),
        composite=dict(type='bool', default=False),
    )
    argument_spec.update(meta_args)
    module = AnsibleModule(argument_spec=argument_spec,
                           supports_check_mode=True,
                           required_one_of=([['token', 'auth_realm', 'auth_username', 'auth_password']]),
                           required_together=([['auth_realm', 'auth_username', 'auth_password']]))
    result = dict(changed=False, msg='', diff={}, proposed={}, existing={}, end_state={})
    # Obtain access token, initialize API
    try:
        connection_header = get_token(module.params)
    except KeycloakError as e:
        module.fail_json(msg=str(e))
    kc = KeycloakAPI(module, connection_header)
    realm = module.params.get('realm')
    clientid = module.params.get('client_id')
    name = module.params.get('name')
    state = module.params.get('state')
    # attributes in Keycloak have their values returned as lists
    # via the API. attributes is a dict, so we'll transparently convert
    # the values to lists.
    if module.params.get('attributes') is not None:
        for key, val in module.params['attributes'].items():
            module.params['attributes'][key] = [val] if not isinstance(val, list) else val
    # Filter and map the parameters names that apply to the role
    role_params = [x for x in module.params
                   if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm', 'client_id'] and
                   module.params.get(x) is not None]
    # See if it already exists in Keycloak
    if clientid is None:
        before_role = kc.get_realm_role(name, realm)
    else:
        before_role = kc.get_client_role(name, clientid, realm)
    if before_role is None:
        before_role = {}
    # Build a proposed changeset from parameters given to this module
    changeset = {}
    for param in role_params:
        new_param_value = module.params.get(param)
        old_value = before_role[param] if param in before_role else None
        if new_param_value != old_value:
            changeset[camel(param)] = copy.deepcopy(new_param_value)
    # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis)
    desired_role = copy.deepcopy(before_role)
    desired_role.update(changeset)
    result['proposed'] = changeset
    result['existing'] = before_role
    # Cater for when it doesn't exist (an empty dict)
    if not before_role:
        if state == 'absent':
            # Do nothing and exit
            if module._diff:
                result['diff'] = dict(before='', after='')
            result['changed'] = False
            result['end_state'] = {}
            result['msg'] = 'Role does not exist, doing nothing.'
            module.exit_json(**result)
        # Process a creation
        result['changed'] = True
        if name is None:
            module.fail_json(msg='name must be specified when creating a new role')
        if module._diff:
            result['diff'] = dict(before='', after=desired_role)
        if module.check_mode:
            module.exit_json(**result)
        # create it
        if clientid is None:
            kc.create_realm_role(desired_role, realm)
            after_role = kc.get_realm_role(name, realm)
        else:
            kc.create_client_role(desired_role, clientid, realm)
            after_role = kc.get_client_role(name, clientid, realm)
        if after_role['composite']:
            after_role['composites'] = kc.get_role_composites(rolerep=after_role, clientid=clientid, realm=realm)
        result['end_state'] = after_role
        result['msg'] = 'Role {name} has been created'.format(name=name)
        module.exit_json(**result)
    else:
        if state == 'present':
            compare_exclude = []
            if 'composites' in desired_role and isinstance(desired_role['composites'], list) and len(desired_role['composites']) > 0:
                composites = kc.get_role_composites(rolerep=before_role, clientid=clientid, realm=realm)
                before_role['composites'] = []
                for composite in composites:
                    before_composite = {}
                    if composite['clientRole']:
                        composite_client = kc.get_client_by_id(id=composite['containerId'], realm=realm)
                        before_composite['client_id'] = composite_client['clientId']
                    else:
                        before_composite['client_id'] = None
                    before_composite['name'] = composite['name']
                    before_composite['state'] = 'present'
                    before_role['composites'].append(before_composite)
            else:
                compare_exclude.append('composites')
            # Process an update
            # no changes
            if is_struct_included(desired_role, before_role, exclude=compare_exclude):
                result['changed'] = False
                result['end_state'] = desired_role
                result['msg'] = "No changes required to role {name}.".format(name=name)
                module.exit_json(**result)
            # doing an update
            result['changed'] = True
            if module._diff:
                result['diff'] = dict(before=before_role, after=desired_role)
            if module.check_mode:
                module.exit_json(**result)
            # do the update
            if clientid is None:
                kc.update_realm_role(desired_role, realm)
                after_role = kc.get_realm_role(name, realm)
            else:
                kc.update_client_role(desired_role, clientid, realm)
                after_role = kc.get_client_role(name, clientid, realm)
            if after_role['composite']:
                after_role['composites'] = kc.get_role_composites(rolerep=after_role, clientid=clientid, realm=realm)
            result['end_state'] = after_role
            result['msg'] = "Role {name} has been updated".format(name=name)
            module.exit_json(**result)
        else:
            # Process a deletion (because state was not 'present')
            result['changed'] = True
            if module._diff:
                result['diff'] = dict(before=before_role, after='')
            if module.check_mode:
                module.exit_json(**result)
            # delete it
            if clientid is None:
                kc.delete_realm_role(name, realm)
            else:
                kc.delete_client_role(name, clientid, realm)
            result['end_state'] = {}
            result['msg'] = "Role {name} has been deleted".format(name=name)
    module.exit_json(**result)
 if __name__ == '__main__':
    main()
--- a/plugins/modules/keycloak_user_federation.py
+++ b/plugins/modules/keycloak_user_federation.py
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,3 +4,4 @@
 # pip install -r requirements.txt
 #
 netaddr
 lxml # for middleware_automation.common.maven_artifact
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,7 +1,5 @@
 ---
 collections:
-  - name: middleware_automation.redhat_csp_download
+  - name: middleware_automation.common
    version: ">=1.2.1"
-  - name: middleware_automation.wildfly
+  - name: ansible.posix
    version: ">=0.0.5"
  - name: community.general
--- a/roles/keycloak/README.md
+++ b/roles/keycloak/README.md
@@ -10,6 +10,7 @@ Requirements
 This role requires the `python3-netaddr` library installed on the controller node.
 * to install via yum/dnf: `dnf install python3-netaddr`
 * to install via apt: `apt install python3-netaddr`
 * or via pip: `pip install netaddr==0.8.0`
 * or via the collection: `pip install -r requirements.txt`
@@ -19,8 +20,12 @@ Dependencies
 The roles depends on:
-* the `redhat_csp_download` role from [middleware_automation.redhat_csp_download](https://github.com/ansible-middleware/redhat-csp-download) collection if Red Hat Single Sign-on zip have to be downloaded from RHN.
+* [middleware_automation.common](https://github.com/ansible-middleware/common)
-* the `wildfly_driver` role from [middleware_automation.wildfly](https://github.com/ansible-middleware/wildfly) collection
+* [ansible-posix](https://docs.ansible.com/ansible/latest/collections/ansible/posix/index.html)
 To install all the dependencies via galaxy:
    ansible-galaxy collection install -r requirements.yml
 Versions
@@ -28,18 +33,19 @@ Versions
 | RH-SSO VERSION | Release Date      | Keycloak Version | EAP Version | Notes           |
 |:---------------|:------------------|:-----------------|:------------|:----------------|
-|`7.5.0 GA`      |September 20, 2021 |`15.0.2`          | `7.4.0`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|
+|`7.5.0 GA`      |September 20, 2021 |`15.0.2`          | `7.4.6`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|
 |`7.6.0 GA`      |June 30, 2022      |`18.0.3`          | `7.4.6`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/release_notes/index)|
 Patching
 --------
-When variable `keycloak_rhsso_apply_patches` is `True` (default: `False`), the role will automatically apply the latest cumulative patch for the selected base version.
+When variable `keycloak_rhsso_apply_patches` is `true` (default: `false`), the role will automatically apply the latest cumulative patch for the selected base version.
 | RH-SSO VERSION | Release Date      | RH-SSO LATEST CP | Notes           |
 |:---------------|:------------------|:-----------------|:----------------|
-|`7.5.0 GA`      |January 20, 2022   |`7.5.1 GA`        |[Release Notes](https://access.redhat.com/articles/6646321)|
+|`7.5.0 GA`      |January 20, 2022   |`7.5.3 GA`        |[Release Notes](https://access.redhat.com/articles/6646321)|
-
+|`7.6.0 GA`      |November 11, 2022  |`7.6.1 GA`        |[Release Notes](https://access.redhat.com/articles/6982711)|
 Role Defaults
@@ -50,9 +56,12 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:---------|
 |`keycloak_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
 |`keycloak_ha_discovery`| Discovery protocol for HA cluster members | `JDBC_PING` if `keycloak_db_enabled` else `TCPPING` |
 |`keycloak_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_ha_enabled` is True, else `False` |
 |`keycloak_remote_cache_enabled`| Enable remote cache store when in clustered ha configurations | `True` if `keycloak_ha_enabled` else `False` |
 |`keycloak_admin_user`| Administration console user account | `admin` |
 |`keycloak_bind_address`| Address for binding service ports | `0.0.0.0` |
 |`keycloak_management_port_bind_address`| Address for binding management ports | `127.0.0.1` |
 |`keycloak_host`| hostname | `localhost` |
 |`keycloak_http_port`| HTTP port | `8080` |
 |`keycloak_https_port`| TLS HTTP port | `8443` |
@@ -60,13 +69,19 @@ Role Defaults
 |`keycloak_jgroups_port`| jgroups cluster tcp port | `7600` |
 |`keycloak_management_http_port`| Management port | `9990` |
 |`keycloak_management_https_port`| TLS management port | `9993` |
-|`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `True` |
+|`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `true` |
 |`keycloak_config_standalone_xml`| filename for configuration | `keycloak.xml` |
 |`keycloak_service_user`| posix account username | `keycloak` |
 |`keycloak_service_group`| posix account group | `keycloak` |
-|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak.pid` |
+|`keycloak_service_restart_always`| systemd restart always behavior activation | `False` |
 |`keycloak_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` |
 |`keycloak_service_startlimitintervalsec`| systemd StartLimitIntervalSec | `300` |
 |`keycloak_service_startlimitburst`| systemd StartLimitBurst | `5` |
 |`keycloak_service_restartsec`| systemd RestartSec | `10s` |
 |`keycloak_service_pidfile`| pid file path for service | `/run/keycloak/keycloak.pid` |
 |`keycloak_features` | List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]` | `[]`
 |`keycloak_jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-headless` |
-|`keycloak_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path | `None` |
+|`keycloak_java_home`| `JAVA_HOME` of installed JRE, leave empty for using RPM path at `keycloak_jvm_package` | `None` |
 |`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
@@ -74,39 +89,37 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:---------|
-|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation | `False` |
+|`keycloak_offline_install` | perform an offline install | `false`|
 |`keycloak_offline_install` | perform an offline install | `False`|
 |`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`|
-|`keycloak_rhsso_download_url`| Download URL for RHSSO | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=<productID>`|
+|`keycloak_version`| keycloak.org package version | `18.0.2` |
 |`keycloak_version`| keycloak.org package version | `15.0.2` |
 |`keycloak_rhsso_version`| RHSSO version | `7.5.0` |
 |`keycloak_rhsso_apply_patches`| Install RHSSO more recent cumulative patch | `False` |
 |`keycloak_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
-|`keycloak_rhn_url` | Base download URI for customer portal | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=` |
+|`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `false` |
 |`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
 * Miscellaneous configuration
 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_archive` | keycloak install archive filename | `keycloak-{{ keycloak_version }}.zip` |
+|`keycloak_archive` | keycloak install archive filename | `keycloak-legacy-{{ keycloak_version }}.zip` |
 |`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` |
 |`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` |
-|`keycloak_rhsso_archive` | Red Hat SSO install archive filename | `rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip` |
+|`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir }}` |
-|`keycloak_rhsso_installdir`| Installation path for Red Hat SSO | `{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\.([0-9]*).*', '\1.\2') }}` |
+|`keycloak_jboss_port_offset` | Port offset for the JBoss socket binding | `0` |
 |`keycloak_rhsso_download_url`| Full download URI for Red Hat SSO | `{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}` |
 |`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}` |
 |`keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` |
 |`keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` |
 |`keycloak_config_override_template` | Path to custom template for standalone.xml configuration | `''` |
 |`keycloak_auth_realm` | Name for rest authentication realm | `master` |
 |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
-|`keycloak_force_install` | Remove pre-existing versions of service | `False` |
+|`keycloak_force_install` | Remove pre-existing versions of service | `false` |
-|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
+|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}` |
-|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
+|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}` |
-|`rhsso_rhn_id` | Customer Portal product ID for Red Hat SSO | `{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}` |
+|`keycloak_frontend_url_force` | Force backend requests to use the frontend URL | `false` |
 |`keycloak_db_background_validation` | Enable background validation of database connection | `false` |
 |`keycloak_db_background_validation_millis`| How frequenly the connection pool is validated in the background | `10000` if background validation enabled |
 |`keycloak_db_background_validate_on_match` | Enable validate on match for database connections | `false` |
 |`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |
 |`keycloak_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` |
 Role Variables
@@ -117,25 +130,28 @@ The following are a set of _required_ variables for the role:
 | Variable | Description |
 |:---------|:------------|
 |`keycloak_admin_password`| Password for the administration console user account (minimum 12 characters) |
-|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth` |
+|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |
-The following variables are _required_ only when `keycloak_ha_enabled` is True:
+The following parameters are _required_ only when `keycloak_ha_enabled` is true:
 | Variable | Description | Default |
-|:---------|:------------|:---------|
+|:---------|:------------|:--------|
-|`keycloak_modcluster_url` | URL for the modcluster reverse proxy | `localhost` |
+|`keycloak_modcluster_enabled`| Enable configuration for modcluster subsystem | `True` if `keycloak_ha_enabled` is True, else `False` |
-|`keycloak_jdbc_engine` | backend database engine when db is enabled: [ postgres, mariadb ] | `postgres` |
+|`keycloak_modcluster_url` | _deprecated_ Host for the modcluster reverse proxy | `localhost` |
-|`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
+|`keycloak_modcluster_port` | _deprecated_ Port for the modcluster reverse proxy | `6666` |
-|`infinispan_user` | username for connecting to infinispan | `supervisor` |
+|`keycloak_modcluster_urls` | List of {host,port} dicts for the modcluster reverse proxies | `[ { localhost:6666 } ]` |
-|`infinispan_pass` | password for connecting to infinispan | `supervisor` |
+|`keycloak_jdbc_engine` | backend database engine when db is enabled: [ postgres, mariadb, sqlserver ] | `postgres` |
-|`infinispan_sasl_mechanism`| Authentication type | `SCRAM-SHA-512` |
+|`keycloak_infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
-|`infinispan_use_ssl`| Enable hotrod TLS communication | `False` |
+|`keycloak_infinispan_user` | username for connecting to infinispan | `supervisor` |
-|`infinispan_trust_store_path`| Path to truststore with infinispan server certificate | `/etc/pki/java/cacerts` |
+|`keycloak_infinispan_pass` | password for connecting to infinispan | `supervisor` |
-|`infinispan_trust_store_password`| Password for opening truststore | `changeit` |
+|`keycloak_infinispan_sasl_mechanism`| Authentication type | `SCRAM-SHA-512` |
 |`keycloak_infinispan_use_ssl`| Enable hotrod TLS communication | `False` |
 |`keycloak_infinispan_trust_store_path`| Path to truststore with infinispan server certificate | `/etc/pki/java/cacerts` |
 |`keycloak_infinispan_trust_store_password`| Password for opening truststore | `changeit` |
-The following variables are _required_ only when `keycloak_db_enabled` is True:
+The following parameters are _required_ only when `keycloak_db_enabled` is true:
 | Variable | Description | Default |
 |:---------|:------------|:---------|
@@ -145,12 +161,17 @@ The following variables are _required_ only when `keycloak_db_enabled` is True:
 |`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` |
-Example Playbooks
+The following variables are _optional_:
 | Variable | Description |
 |:---------|:------------|
 |`keycloak_db_valid_conn_sql` | Override the default database connection validation query sql |
 |`keycloak_admin_url` | Override the default administration endpoint URL |
 |`keycloak_jgroups_subnet`| Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration |
 Example Playbook
 -----------------
 _NOTE_: use ansible vaults or other security systems for storing credentials.
 * The following is an example playbook that makes use of the role to install keycloak from remote:
 ```yaml
@@ -158,33 +179,10 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
 - hosts: ...
      vars:
        keycloak_admin_password: "remembertochangeme"
      collections:
        - middleware_automation.keycloak
      roles:
        - middleware_automation.keycloak.keycloak
 ```
 * The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN:
 ```yaml
 ---
 - name: Playbook for RHSSO
  hosts: keycloak
  collections:
    - middleware_automation.redhat_csp_download
  roles:
    - redhat_csp_download
  tasks:
    - name: Keycloak Role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "remembertochangeme"
        keycloak_rhsso_enable: True
        rhn_username: '<customer portal username>'
        rhn_password: '<customer portal password>'
 ```
 * The following example playbook makes use of the role to install keycloak from the controller node:
@@ -199,49 +197,10 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
            name: keycloak
          vars:
            keycloak_admin_password: "remembertochangeme"
-            keycloak_offline_install: True
+            keycloak_offline_install: true
            # This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip
 ```
 * This playbook installs Red Hat Single Sign-On from an alternate url:
 ```yaml
 ---
 - hosts: keycloak
  collections:
    - middleware_automation.keycloak
  tasks:
    - name: Keycloak Role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "remembertochangeme"
        keycloak_rhsso_enable: True
        keycloak_rhsso_download_url: "<REPLACE with download url>"
        # This should be the full of remote source rhsso zip file and can contain basic authentication credentials
 ```
 * The following is an example playbook that makes use of the role to install Red Hat Single Sign-On offline from the controller node, and apply latest cumulative patch:
 ```yaml
 ---
 - hosts: keycloak
  collections:
    - middleware_automation.keycloak
  tasks:
    - name: Keycloak Role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "remembertochangeme"
        keycloak_rhsso_enable: True
        keycloak_offline_install: True
        keycloak_rhsso_apply_patches: True
        # This should be the filename of rhsso zip file on Ansible node: rh-sso-7.5-server-dist.zip
 ```
 License
 -------
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`---`	`---`
	`requires_ansible: ">=2.9.10"`	`requires_ansible: ">=2.16.0"`