internet/ansible-middleware.keycloak
3
0
Fork 0
mirror of https://github.com/ansible-middleware/keycloak.git synced 2026-03-27 13:53:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: internet:1.2.1
Branches Tags
internet:main internet:gh-pages internet:feature/182_restart_handler internet:rhbk_mol_sudo
internet:3.0.3 internet:3.0.2 internet:3.0.1 internet:3.0.0 internet:2.4.3 internet:2.4.2 internet:2.4.1 internet:2.4.0 internet:2.3.0 internet:2.2.2 internet:2.2.1 internet:2.2.0 internet:2.1.2 internet:2.1.1 internet:2.1.0 internet:2.0.2 internet:2.0.1 internet:2.0.0 internet:1.3.0 internet:1.2.8 internet:1.2.7 internet:1.2.6 internet:1.2.5 internet:1.2.4 internet:1.2.1 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.7 internet:1.0.6 internet:1.0.5 internet:1.0.4 internet:1.0.3 internet:1.0.2 internet:1.0.1 internet:1.0.0 internet:v0.2.5 internet:v0.2.4 internet:v0.2.3 internet:0.2.2 internet:v0.2.1 internet:v0.2.0 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0 internet:v0.0.4 internet:v0.0.3 internet:v0.0.2 internet:v0.0.1
...
compare: internet:2.0.2
Branches Tags
internet:main internet:gh-pages internet:feature/182_restart_handler internet:rhbk_mol_sudo
internet:3.0.3 internet:3.0.2 internet:3.0.1 internet:3.0.0 internet:2.4.3 internet:2.4.2 internet:2.4.1 internet:2.4.0 internet:2.3.0 internet:2.2.2 internet:2.2.1 internet:2.2.0 internet:2.1.2 internet:2.1.1 internet:2.1.0 internet:2.0.2 internet:2.0.1 internet:2.0.0 internet:1.3.0 internet:1.2.8 internet:1.2.7 internet:1.2.6 internet:1.2.5 internet:1.2.4 internet:1.2.1 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.7 internet:1.0.6 internet:1.0.5 internet:1.0.4 internet:1.0.3 internet:1.0.2 internet:1.0.1 internet:1.0.0 internet:v0.2.5 internet:v0.2.4 internet:v0.2.3 internet:0.2.2 internet:v0.2.1 internet:v0.2.0 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0 internet:v0.0.4 internet:v0.0.3 internet:v0.0.2 internet:v0.0.1

209 Commits
1.2.1 ... 2.0.2

Author SHA1 Message Date
ansible-middleware-core
2985f808ea Update changelog for release 2.0.2 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2024-01-17 08:50:24 +00:00
Guido Grazioli
30309582f3 Update README.md 2024-01-16 09:17:47 +01:00
Guido Grazioli
40229631e6 Merge pull request #150 from world-direct/fix/149 
keycloak_quarkus: allow ports <1024 (e.g. :443) in systemd unit
 2024-01-16 09:04:54 +01:00
Helmut Wolf
8adc018cb3 fix/#149: keycloak_quarkus: Allow ports <1024 (e.g., :443) 2024-01-16 08:33:34 +01:00
Guido Grazioli
053d0f9873 Merge pull request #152 from world-direct/fix/151 
keycloak_quarkus: allow configuration of `hostname-strict-backchannel`
 2024-01-16 00:42:12 +01:00
Guido Grazioli
eb80ed0bd4 Merge pull request #148 from world-direct/feature/rhbk_mssql_driver 
keycloak_quarkus: Add support for sqlserver jdbc driver
 2024-01-16 00:41:47 +01:00
Guido Grazioli
d138b4b2ff Merge pull request #145 from world-direct/feature/keycloak_quarkus_systemd 
keycloak_quarkus: systemd restart behavior
 2024-01-16 00:41:35 +01:00
Helmut Wolf
922e4c10f5 #145 - CR changes 2024-01-15 14:40:46 +01:00
Guido Grazioli
313bd8452a Merge pull request #154 from world-direct/fix/#153 
fix/#153: keycloak_quarkus: Use `keycloak_quarkus_java_opts`
 2024-01-15 09:57:34 +01:00
Helmut Wolf
b1b31427d5 fix/#153: keycloak_quarkus: Use keycloak_quarkus_java_opts 
Note: when multiple -X options of the same kind are provided, the last option seems to take precendence as per <https://stackoverflow.com/a/26727332>:

> java -Xmx1G -XX:+PrintFlagsFinal -Xmx2G 2>/dev/null | grep MaxHeapSize
 2024-01-10 16:30:02 +01:00
Helmut Wolf
b057f0297a fix/#151: keycloak_quarkus: allow configuration of hostname-strict-backchannel 2024-01-09 08:46:11 +01:00
Helmut Wolf
bfd9db6703 fix/147: keycloak_quarkus: RBKC: Add support for sqlserver jdbc driver 2024-01-08 17:51:11 +01:00
Helmut Wolf
1d5ce87c16 keycloak_quarkus: Remove legacy (?) keycloak_management_url 2023-12-19 09:55:02 +01:00
Helmut Wolf
83bcb6712a keycloak_quarkus: add systemd control options 
* keycloak_quarkus_service_restart_always
* keycloak_quarkus_service_restart_on_failure
* keycloak_quarkus_service_restartsec
 2023-12-19 09:30:30 +01:00
Guido Grazioli
dab388d744 Merge pull request #142 from RanabirChakraborty/AMW-170 
AMW-170 Ansible Hub links for rhbk are broken
 2023-12-12 15:32:00 +01:00
Ranabir Chakraborty
ed6dbd60fb AMW-170 Ansible Hub links for rhbk are broken 2023-12-11 22:12:39 +05:30
ansible-middleware-core
db19fd5d19 Bump version to 2.0.2 2023-12-07 14:30:27 +00:00
ansible-middleware-core
473fb212c3 Update changelog for release 2.0.1 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2023-12-07 14:30:17 +00:00
Guido Grazioli
98b82ccb4f ci: runner playbook no keypair 2023-12-07 11:15:12 +01:00
Guido Grazioli
0fbf454279 ci: test alternate certs dir 2023-12-07 11:00:28 +01:00
Guido Grazioli
d469d5df8b ci: downstream update sample playbooks 2023-12-06 18:52:46 +01:00
Guido Grazioli
a23bf4c540 ci: downstream use correct version 2023-12-06 18:24:29 +01:00
Guido Grazioli
ac0b421456 downstream: fix rhbk install path 2023-12-06 16:34:55 +01:00
Guido Grazioli
5b8fcb67dc ci: update sample quarkus playbook 2023-12-06 16:03:37 +01:00
Guido Grazioli
acdee7fa63 ci: downstream arg specs for realm role 2023-12-06 15:40:28 +01:00
Guido Grazioli
86576de6e8 Merge pull request #141 from guidograzioli/rhbk_arg_specs 
downstream: add rhbk bits
 2023-12-06 10:16:05 +01:00
Guido Grazioli
89944a6cd1 downstream: add rhbk bits 2023-12-06 09:57:33 +01:00
Guido Grazioli
33e6d428b5 Merge pull request #140 from guidograzioli/molecule_jbcs_to_nginx 
use nginx instead of jbcs for https_revproxy test
 2023-12-05 20:09:08 +01:00
Guido Grazioli
f365351abf use nginx instead of jbcs for https_revproxy test 2023-12-05 19:53:26 +01:00
Guido Grazioli
75899dfa77 Merge pull request #139 from guidograzioli/128_hostname_strict 
keycloak_quarkus: add hostname-strict parameter
 2023-12-05 12:44:02 +01:00
Guido Grazioli
593c4df861 keycloak_quarkus: add hostname-strict parameter 2023-12-05 10:48:48 +01:00
Guido Grazioli
4a72e3818c Merge pull request #138 from guidograzioli/fix_keycloak_23_booleans 
Update template to lowercase booleans
 2023-12-05 10:39:38 +01:00
Guido Grazioli
72ca9f5dfa switch pull_req_target to pull_req 2023-12-05 10:26:20 +01:00
Guido Grazioli
842e61c43e Update template to lowercase booleans 2023-12-05 10:13:12 +01:00
Guido Grazioli
1728b20cd3 Merge pull request #133 from Footur/update-keycloak 
Update Keycloak to version 23.0.1
 2023-12-01 14:11:04 +01:00
Footur
c01ffed113 Merge branch 'ansible-middleware:main' into update-keycloak 2023-12-01 14:02:45 +01:00
Guido Grazioli
fea7ae0c6f Merge pull request #134 from guidograzioli/linter_yaml_2 
Linter yaml 2
 2023-12-01 12:42:10 +01:00
Guido Grazioli
94530640c1 update wf 2023-12-01 12:37:20 +01:00
Guido Grazioli
d6f020ab44 linter fixes 2023-12-01 12:36:20 +01:00
Footur
55c02d7fc5 Update Keycloak to version 23.0.1 2023-12-01 10:34:04 +01:00
Guido Grazioli
5e8e8c67e8 Merge pull request #132 from saadsb20/patch-1 
Add prefix check for keycloak_quarkus_http_relative_path
 2023-11-30 12:52:18 +01:00
Saâd Bouryaln
88935abb62 Validate relative path 
validate the relative path ... must begin with /
 2023-11-30 12:26:22 +01:00
Saâd Bouryaln
3a1d9099a7 reverte change 2023-11-30 12:01:49 +01:00
Saâd Bouryaln
a439ccab5e fix health_url 2023-11-29 15:36:00 +01:00
ansible-middleware-core
e086ee8d29 Bump version to 2.0.1 2023-11-20 17:10:52 +00:00
ansible-middleware-core
2841c7a951 Update changelog for release 2.0.0 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2023-11-20 17:10:43 +00:00
Guido Grazioli
d947e85745 Merge pull request #129 from JMuff22/patch-1 
Update admin password variable in keycloak_quarkus.yml
 2023-11-17 16:55:35 +01:00
Jake Muff
143084d726 Update admin password variable in keycloak_quarkus.yml 2023-11-16 10:19:47 +02:00
Guido Grazioli
23bda1b4c5 Merge pull request #127 from RanabirChakraborty/AMWSUP-17 
AMWSUP-17 keycloak Ansible Hub documentation link broken
 2023-11-13 18:27:55 +01:00
Guido Grazioli
efc3e547fe ci: https_revproxy molecule verify step 2023-11-13 18:24:06 +01:00
Guido Grazioli
8af5d6e556 ci: https_revproxy molecule verify step 2023-11-13 18:10:40 +01:00
Guido Grazioli
a0f6a4931f ci: https_revproxy molecule verify step 2023-11-13 16:47:03 +01:00
Guido Grazioli
49c5071733 ci: fix envvars 2023-11-13 16:38:11 +01:00
Ranabir Chakraborty
7a1eeec6b6 AMWSUP-17 keycloak Ansible Hub documentation link broken 2023-11-13 18:18:52 +05:30
Guido Grazioli
69bd5b6ca8 Merge pull request #119 from guidograzioli/min_ansible_version 
Update minimum ansible-core version > 2.14
 2023-11-13 11:37:53 +01:00
Guido Grazioli
cee02cfd36 Merge pull request #116 from Footur/keystore 
[keycloak_quarkus] Enable config of a key store and trust store
 2023-11-13 11:37:36 +01:00
Guido Grazioli
ea086e8a62 ci: add missing header to molecule test 2023-11-13 11:37:18 +01:00
Guido Grazioli
24787e4607 Merge pull request #115 from gionn/114-add-more-configs 
Add support for more http-related configs
 2023-11-13 11:36:50 +01:00
Giovanni Toraldo
0e510c093a Set default keycloak_quarkus_http_relative_path as per upstream docs 2023-11-13 10:07:01 +01:00
Giovanni Toraldo
880d70ffb9 enable https_revproxy test 2023-11-07 10:21:05 +01:00
Giovanni Toraldo
c8f968a587 cleanup vars 2023-11-07 10:20:01 +01:00
Giovanni Toraldo
8eb5185287 use relative path to build health url 2023-11-07 10:20:01 +01:00
Giovanni Toraldo
316cde4759 Add support for more http-related configs 
* keycloak_quarkus_http_relative_path var now populate http-relative-path config [breaking change]
* http-relative-path defaults to / [breaking change]
* enable configuration of hostname-url and hostname-admin-url
 2023-11-07 10:20:01 +01:00
Guido Grazioli
92639e40cb Merge pull request #124 from jacobdotcosta/issue-57 
feat: jboss port offset configuration
 2023-11-06 16:03:02 +01:00
A.C
027ac1a78e Merge branch 'main' into issue-57 2023-11-06 15:10:05 +01:00
Antonio Costa
5543217c6a rebase for changes made in PR 120 2023-11-06 15:02:28 +01:00
Guido Grazioli
61730b981b ddisable new test 2023-11-06 15:02:28 +01:00
Guido Grazioli
03175e283b molecule test for keycloakx with proxy 2023-11-06 15:02:28 +01:00
Footur
62e5380d38 Update Keycloak to version 22.0.5 2023-11-06 15:02:28 +01:00
Antonio Costa
a538828f0d feat: add a destination variable for the log link 
docs: argument specs for the keycloak_quarkus_log_target

docs: added parameter to the roles README

fix: role variable is keycloak_log_target and not keycloak_quarkus_log_target
 2023-11-06 15:02:25 +01:00
Guido Grazioli
12147b4769 linter 2023-11-06 15:01:39 +01:00
Guido Grazioli
cad87557d6 Merge pull request #121 from guidograzioli/quarkus_rev_proxy_test 
internal: molecule test for keycloakx with proxy
 2023-11-03 11:16:10 +01:00
Guido Grazioli
363c5d9f9e ddisable new test 2023-11-03 10:58:25 +01:00
Guido Grazioli
19a2013fa8 Merge pull request #122 from Footur/update-keycloak 
Update Keycloak to version 22.0.5
 2023-11-03 10:56:18 +01:00
Guido Grazioli
b819c98ab3 Merge pull request #120 from jacobdotcosta/issue-79 
feat: add a destination variable for the log link
 2023-11-03 10:55:21 +01:00
Antonio Costa
9ddd6d7d5e feat: jboss port offset configuration 2023-10-30 09:27:30 +01:00
Footur
6f26fa3da4 Update Keycloak to version 22.0.5 2023-10-27 15:32:15 +02:00
Antonio Costa
6970236201 feat: add a destination variable for the log link 
docs: argument specs for the keycloak_quarkus_log_target

docs: added parameter to the roles README

fix: role variable is keycloak_log_target and not keycloak_quarkus_log_target
 2023-10-26 09:18:07 +02:00
Guido Grazioli
e5f0a3efe1 molecule test for keycloakx with proxy 2023-10-25 18:51:49 +02:00
Guido Grazioli
41c1306602 linter 2023-10-25 18:20:03 +02:00
Guido Grazioli
c67b301f97 Merge pull request #118 from gionn/fixup-molecule-hera 
Do not require hosts edit for running quarkus molecule suite locally
 2023-10-16 16:41:07 +02:00
Giovanni Toraldo
d945c51172 apply review suggestions 2023-10-16 15:52:04 +02:00
Guido Grazioli
d6c57a17a8 Merge pull request #117 from Footur/update-keycloak 
Update Keycloak to version 22.0.4
 2023-10-16 15:29:29 +02:00
Guido Grazioli
bf1cb3695e Update minimum ansible-core version > 2.14 2023-10-16 15:27:24 +02:00
Giovanni Toraldo
307eee771f Do not require hosts edit for running quarkus molecule suite 2023-10-16 12:59:44 +02:00
Footur
e842462a22 Enable config of a key store and trust store 2023-10-13 16:30:58 +02:00
Footur
0f7bbc7ef9 Update Keycloak to version 22.0.4 2023-10-13 16:24:46 +02:00
ansible-middleware-core
00e6cb6b0e Bump version to 1.3.1 2023-09-25 10:57:25 +00:00
ansible-middleware-core
dded412bd0 Update changelog for release 1.3.0 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2023-09-25 10:56:54 +00:00
Guido Grazioli
5b70d3db2a Merge pull request #113 from gionn/fix-port-restart 
Fix validation failure upon port configuration change
 2023-09-25 11:56:11 +02:00
Giovanni Toraldo
e3ce4bd574 fixup linter 2023-09-23 18:38:49 +02:00
Guido Grazioli
af0dc3c5f1 Merge pull request #112 from Footur/keycloak-update-22.0.3 
keycloak_quarkus: Update Keycloak to version 22.0.3
 2023-09-22 18:38:53 +02:00
Giovanni Toraldo
f3104285bc Enforce service restart when needed before service checking 2023-09-22 16:30:16 +02:00
footur
cb25c28bb8 Update Keycloak to version 22.0.3 2023-09-22 15:42:06 +02:00
Guido Grazioli
3bb32ed075 ci: update release wf 2023-09-21 12:33:29 +02:00
Guido Grazioli
80e4df8dce Merge pull request #111 from gionn/fix-108 
Fix admin login redirect when running locally
 2023-09-19 19:23:39 +02:00
Giovanni Toraldo
194101f010 add new playbook example for localhost quarkus 2023-09-19 17:14:17 +02:00
Giovanni Toraldo
f0f90b8930 apply review suggestions 2023-09-19 17:05:00 +02:00
Giovanni Toraldo
38ff519624 update arguments 2023-09-19 14:00:15 +02:00
Giovanni Toraldo
9c361c9628 add in README 2023-09-19 13:56:51 +02:00
Giovanni Toraldo
9a46b455f6 Fix admin login redirect when running locally 2023-09-19 13:53:32 +02:00
Guido Grazioli
aa7902b9c3 Merge pull request #110 from guidograzioli/molecule_quarkus_devmod 
Add molecule quarkus keycloak in dev-mode test
 2023-09-19 12:39:25 +02:00
Guido Grazioli
0f17e09731 add new test to CI 2023-09-19 12:25:38 +02:00
Guido Grazioli
942b5fce0f add molecule quarkus keycloak in dev-mode test 2023-09-19 12:23:34 +02:00
Guido Grazioli
bef20b6a57 Merge pull request #109 from msherman13/feature/msherman/quarkus_none_proxy 
keycloak_quarkus: skip proxy config if `keycloak_quarkus_proxy_mode` is `none`
 2023-09-19 10:46:24 +02:00
Miles Sherman
d673fcf48a update documentation for change to keycloak_quarkus_proxy_mode handling 2023-09-18 17:21:45 +00:00
Miles Sherman
b72460e464 quarkus role: do not populate proxy to config if keycloak_quarkus_proxy_mode is undefined or set to 'none' 2023-09-18 14:46:56 +00:00
Guido Grazioli
6c65fadf31 Bump version to 1.3.0 2023-08-30 11:13:17 +02:00
Guido Grazioli
d12f62b89d Merge pull request #106 from schmaxit/main 
Run service as `keycloak_service_user`
 2023-08-30 11:07:25 +02:00
Guido Grazioli
7bb9647d0d update systemd unit to use standalone.sh directly 2023-08-30 10:58:37 +02:00
Guido Grazioli
0199e554b5 overridexml test uses runas feature 2023-08-30 10:16:41 +02:00
Massimo Schiavon
276444ce0e Add default for keycloak_service_runas 2023-08-29 22:02:18 +02:00
Massimo Schiavon
40c015d3e1 always create pidfile folder 
add keycloak_service_runas feature flag
fix previous installs permissions
 2023-08-29 21:41:38 +02:00
github-actions
df7fab8f41 Bump version to 1.2.9 2023-08-28 15:56:38 +00:00
github-actions
6330f08b28 Update changelog for release 1.2.8 
Signed-off-by: github-actions <ggraziol@redhat.com>
 2023-08-28 15:55:52 +00:00
Guido Grazioli
5c8d7d9554 ci: update release workflow 2023-08-28 17:45:52 +02:00
Guido Grazioli
2513ac2c43 Merge pull request #107 from Footur/keycloak-update-22.0.1 
Update Keycloak to version 22.0.1
 2023-08-28 08:59:53 +02:00
footur
6e6bf2ff71 Fix JRE version in README 2023-08-27 21:57:25 +02:00
Guido Grazioli
11621516e3 update workflows 2023-08-25 11:40:27 +02:00
footur
7c05ee5239 Update Keycloak to version 22.0.1 2023-08-25 11:38:45 +02:00
Guido Grazioli
5251826477 ci: update workflows 2023-08-24 13:57:38 +02:00
Guido Grazioli
0783000849 ci: update workflows 2023-08-24 13:53:22 +02:00
Guido Grazioli
ca2dbe78c2 ci: update workflows 2023-08-24 13:46:50 +02:00
Guido Grazioli
52d9286ea3 ci: update workflows 2023-08-24 13:20:49 +02:00
Massimo Schiavon
c8ebbe72d2 change default pidfile location 
Signed-off-by: Massimo Schiavon <schmaxit@users.noreply.github.com>
 2023-08-09 09:31:47 +02:00
Massimo Schiavon
91ec411699 create pidfile folder if needed 2023-08-08 17:49:43 +02:00
Massimo Schiavon
07b1c514bb Add User and Group directives in systemd unit file 2023-08-08 16:52:23 +02:00
Guido Grazioli
345c50fb85 Merge pull request #105 from JoelKle/JoelKle-patch-1 
Update bindep.txt package python3-devel to support RHEL9
 2023-08-08 15:30:30 +02:00
Joel
db0aafd465 Update bindep.txt to support RHEL9 
On RHEL9 the rpm package `python39-devel` doesn't exists. The real name is `python3-devel`.
 2023-08-08 11:05:25 +02:00
Guido Grazioli
b950cdb8b4 Merge pull request #103 from guidograzioli/quarkus_java_17 
keycloak_quarkus: set openjdk 17 as default
 2023-07-31 10:48:26 +02:00
Guido Grazioli
5b01123846 fix verify for molecule default scenario 2023-07-31 10:39:47 +02:00
Guido Grazioli
84d6e7baca set java-17 for keycloak_quarkus 2023-07-31 10:29:28 +02:00
Guido Grazioli
ea735ea79e Merge pull request #100 from Footur/keycloak-update-22.0.0 
Update keycloak_quarkus to Keycloak version 22.0.0
 2023-07-31 09:50:38 +02:00
Guido Grazioli
9db1cbd564 Merge pull request #91 from schmaxit/main 
Undefine `keycloak_db_valid_conn_sql` default
 2023-07-31 09:22:01 +02:00
Guido Grazioli
7933592725 Revert README.md 2023-07-31 09:19:47 +02:00
Guido Grazioli
3170af8b2b Merge pull request #102 from guidograzioli/bugzilla_2224411 
fix_java_11_tzdata
 2023-07-31 09:17:34 +02:00
Guido Grazioli
f400a5bbf8 fix_java_11_tzdata 2023-07-31 09:01:54 +02:00
Guido Grazioli
5385fbb8e9 ci: update molecule 2023-07-31 08:40:17 +02:00
Guido Grazioli
7fea211639 ci: update molecule 2023-07-31 08:38:36 +02:00
Guido Grazioli
8738240a24 docs: add missing param in defaults comment 2023-07-28 09:57:37 +02:00
footur
f195d164d1 Enable Ansible verbosity in the CI test 2023-07-14 13:21:27 +02:00
footur
7c4d420fea Update Keycloak to version 22.0.0 2023-07-14 11:36:54 +02:00
Massimo Schiavon
d45071bf58 Merge branch 'ansible-middleware:main' into main 2023-07-03 09:54:47 +02:00
Guido Grazioli
10876ba615 Merge pull request #99 from Footur/update-keycloak 
Update the Keycloakx version in the README
 2023-06-23 15:20:36 +02:00
Guido Grazioli
f3815403c8 Merge pull request #98 from world-direct/fix/missing_if 
Fix #97 - proper checks for keycloak_jgroups_subnet
 2023-06-23 15:18:20 +02:00
Footur
18d686b43a Merge branch 'ansible-middleware:main' into update-keycloak 2023-06-23 12:36:16 +02:00
footur
26a9249d07 Update the Keycloakx version in the README 2023-06-23 12:32:35 +02:00
Helmut Wolf
fae3079751 Fix #97 - proper checks for keycloak_jgroups_subnet 2023-06-23 11:40:15 +02:00
Guido Grazioli
a82e654cc4 Bump to 1.2.8 2023-06-19 17:26:15 +02:00
github-actions
cebec9c717 Update changelog for release 1.2.7 2023-06-19 15:23:06 +00:00
Guido Grazioli
ad59cd8cb3 Merge pull request #95 from guidograzioli/aap_11169 
add certified collection notice
 2023-06-19 17:05:12 +02:00
Guido Grazioli
926353f395 add certified collection notice 2023-06-19 16:41:35 +02:00
Guido Grazioli
fed86ac0c3 Merge pull request #92 from Footur/update-keycloak 
Update keycloakx to v21.1.1
 2023-06-19 11:15:16 +02:00
footur
5f1f8b5762 [CI] Use ansible-lint in v6.17.0 2023-06-17 13:16:10 +02:00
Footur
bab3069712 Merge branch 'ansible-middleware:main' into update-keycloak 2023-06-16 10:20:56 +02:00
footur
fc6e00974d Define the varbosity of Ansible in Molecule 2023-06-16 10:19:31 +02:00
footur
83525dbed0 Update the Keycloakx version in Molecule 2023-06-16 10:15:59 +02:00
Guido Grazioli
7ec695ee15 Fix wrong task message 2023-06-10 19:27:48 +02:00
Guido Grazioli
14e7b402b7 fix typo in templates 2023-06-10 18:37:58 +02:00
Guido Grazioli
832432b86c Merge pull request #93 from guidograzioli/override_jgroups_subnet_match 
Allow to override jgroups subnet
 2023-06-10 16:47:36 +02:00
Guido Grazioli
8f697f6a53 Bump to 1.2.7 2023-06-10 16:45:13 +02:00
Guido Grazioli
1dd579a6d1 Allow to override jgroups subnet 2023-06-10 16:31:19 +02:00
footur
3340428194 Remove the "--auto-build" flag – it's deprecated 
Signed-off-by: footur <3769085+Footur@users.noreply.github.com>
 2023-06-10 15:18:31 +02:00
footur
18e60daa93 Update Keycloakx to v21.1.1 
Signed-off-by: footur <3769085+Footur@users.noreply.github.com>
 2023-06-10 15:16:58 +02:00
Massimo Schiavon
874215a592 remove empty string default for keycloak_db_valid_conn_sql 
rely on defaults set in keycloak_jdbc dict
 2023-06-09 10:51:13 +02:00
github-actions
97bea7ba39 Update changelog for release 1.2.6 2023-06-07 12:29:15 +00:00
Guido Grazioli
e99a0db174 Add missing type conversion in templates 2023-06-07 12:25:58 +02:00
Guido Grazioli
3b03c54fed Merge pull request #90 from guidograzioli/background-validation-millis 
handle WFLYCTL0117 when validation_millis is 0
 2023-06-07 11:56:55 +02:00
Guido Grazioli
ced4ce7828 handle WFLYCTL0117 when validation_millis is 0 2023-06-07 11:56:12 +02:00
Guido Grazioli
6986190159 Bumo to v1.2.6 2023-06-01 10:27:46 +02:00
Guido Grazioli
db480d0bc9 Merge pull request #88 from world-direct/feature/improve_service_restart_behavior 
Improve service restart behavior configuration
 2023-06-01 10:18:26 +02:00
Helmut Wolf
bc4cb5c52a Introduce keycloak_service_restart_always alongside keycloak_service_restart_on_failure 2023-05-31 20:29:24 +02:00
Guido Grazioli
8f042d3e29 Merge pull request #89 from schmaxit/main 
Change xa_datasource_class value for mariadb jdbc configuration
 2023-05-31 17:24:53 +02:00
Guido Grazioli
24eaacc1ac Merge pull request #87 from world-direct/feature/profiles 
Keycloak: add feature enabling/disabling
 2023-05-31 17:19:08 +02:00
Helmut Wolf
623db426e0 Keycloak: add feature enabling/disabling 2023-05-31 16:41:57 +02:00
Massimo Schiavon
b77c166945 change xa_datasource_class for mariadb jdbc configuration 2023-05-31 11:12:24 +02:00
github-actions
b7eef6a720 Update changelog for release 1.2.5 2023-05-26 21:00:15 +00:00
Guido Grazioli
203e6c06ac Merge pull request #86 from guidograzioli/admin_url 
Allow to configure administration endpoint URL
 2023-05-26 19:46:59 +02:00
Guido Grazioli
aaae1d1129 Allow to configure admin_url 2023-05-26 16:31:13 +02:00
Guido Grazioli
cca20a067d Merge pull request #85 from guidograzioli/datasource_validation 
Add configuration for database connection pool validation
 2023-05-26 16:09:51 +02:00
Guido Grazioli
2be35f9a67 typo in readme 2023-05-26 14:28:52 +02:00
Guido Grazioli
19f1750a33 Add db pool validation configuration 2023-05-25 11:47:19 +02:00
Guido Grazioli
c3d8bbc94e Merge pull request #84 from guidograzioli/hostname_spi 
Allow to force backend URLs to frontend URLs
 2023-05-25 11:34:37 +02:00
Guido Grazioli
c4b4be3c3b add variable for force_frontend_url 2023-05-25 11:10:18 +02:00
Guido Grazioli
98e1633c43 ci: new linter rules take 2 2023-05-22 16:24:28 +02:00
Guido Grazioli
fd375a141d ci: update linter settings, fix new linter issues 2023-05-22 16:12:25 +02:00
Guido Grazioli
0cf7b3ac49 Merge pull request #81 from world-direct/fix/80 
Close #80 - introduce systemd restart behavior
 2023-05-22 15:41:30 +02:00
Helmut Wolf
370d424b24 Close #80 - introduce systemd restart behavior 2023-05-22 11:30:11 +02:00
Guido Grazioli
01fd2cc4fd Bump to 1.2.5 2023-05-09 16:44:16 +02:00
github-actions
7471e07921 Update changelog for release 1.2.4 2023-05-09 13:49:15 +00:00
Guido Grazioli
e8e0f6718b Merge pull request #78 from world-direct/fix/74 
Close #74 - add `sqlserver` support to keycloak role
 2023-05-09 15:31:01 +02:00
Guido Grazioli
e4811221be ci: fix release wf, bump to 1.2.4 2023-05-09 15:25:41 +02:00
Guido Grazioli
6cb4aac556 Merge pull request #77 from world-direct/fix/76 
Close #76 - Keycloak role: fix deprecation warning for `ipaddr`
 2023-05-09 15:14:07 +02:00
Helmut Wolf
aad373a8e9 Close #74 - add sqlserver support to keycloak role 2023-05-09 13:14:42 +02:00
Helmut Wolf
fd0a4e4492 Close #76 - Keycloak role: fix deprecation warning for ipaddr 2023-05-09 11:45:25 +02:00
Guido Grazioli
706677910b ci: update apt before installing hub 2023-05-05 11:07:42 +02:00
Guido Grazioli
a3bffe9401 Bump to 1.2.3 2023-05-03 15:23:46 +02:00
Guido Grazioli
f566917bc2 ci: rename galaxy tag 2023-05-03 08:54:20 +02:00
Guido Grazioli
44ad3b8e6d add galaxy tag 2023-05-02 18:05:12 +02:00
Guido Grazioli
1a450ea1d7 ci: add galaxy tags 2023-05-02 17:00:26 +02:00
Guido Grazioli
b0a01a8e46 Merge pull request #73 from jonathanspw/main 
add configurability for XA transactions
 2023-04-24 16:48:20 +02:00
Jonathan Wright
020bc86955 document keycloak_quarkus_transaction_xa_enabled 2023-04-24 08:52:36 -05:00
Jonathan Wright
d72d46c945 fix typo 2023-04-24 08:50:16 -05:00
Jonathan Wright
c7d2bdcee3 add configurability for XA transactions 2023-04-21 15:12:59 -05:00
Guido Grazioli
43d978370d bump to 1.2.2 2023-04-14 15:50:48 +02:00
Guido Grazioli
3d37def38d Merge pull request #71 from guidograzioli/downstream_offline_patching_fix 
Fix undefined facts when offline patching sso
 2023-04-14 15:31:13 +02:00
Guido Grazioli
8d16e241c1 fix undefined facts when offline patching sso 2023-04-14 14:58:40 +02:00
Guido Grazioli
6ac0c18842 fix: drop xml element not available in 7.6 2023-04-12 11:12:32 +02:00
Guido Grazioli
6334daf244 ci: fix typo and indent for TCPPING discovery 2023-04-12 10:59:21 +02:00
92 changed files with 1641 additions and 701 deletions
Expand all files Collapse all files

6
.ansible-lint
View File

@@ -21,19 +21,21 @@ warn_list:
- experimental
- ignore-errors
- no-handler
- fqcn-builtins
- no-log-password
- jinja[spacing]
- jinja[invalid]
- meta-no-tags
- name[template]
- name[casing]
- fqcn[action]
- schema[meta]
- var-naming[no-role-prefix]
- key-order[task]
- blocked_modules
skip_list:
- vars_should_not_be_used
- file_is_small_enough
- name[template]
use_default_rules: true
parseable: true

55
.github/workflows/ci.yml vendored
View File

@@ -5,53 +5,14 @@ on:
branches:
- main
pull_request:
env:
COLORTERM: 'yes'
TERM: 'xterm-256color'
PYTEST_ADDOPTS: '--color=yes'
schedule:
- cron: '15 6 * * *'
jobs:
ci:
runs-on: ubuntu-latest
strategy:
matrix:
python_version: ["3.9"]
steps:
- name: Check out code
uses: actions/checkout@v2
with:
path: ansible_collections/middleware_automation/keycloak
- name: Set up Python ${{ matrix.python_version }}
uses: actions/setup-python@v1
with:
python-version: ${{ matrix.python_version }}
- name: Install yamllint, ansible and molecule
run: |
python -m pip install --upgrade pip
pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
- name: Create default collection path
run: |
mkdir -p /home/runner/.ansible/
ln -s /home/runner/work/keycloak/keycloak /home/runner/.ansible/collections
- name: Install ansible-lint custom rules
uses: actions/checkout@v2
with:
repository: ansible-middleware/ansible-lint-custom-rules
path: ansible_collections/ansible-lint-custom-rules/
- name: Run sanity tests
run: ansible-test sanity -v --color --python ${{ matrix.python_version }} --exclude changelogs/fragments/.gitignore --skip-test symlinks
working-directory: ./ansible_collections/middleware_automation/keycloak
- name: Run molecule test
run: molecule test --all
working-directory: ./ansible_collections/middleware_automation/keycloak
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
uses: ansible-middleware/github-actions/.github/workflows/ci.yml@main
secrets: inherit
with:
fqcn: 'middleware_automation/keycloak'
molecule_tests: >-
[ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode" ]

55
.github/workflows/docs.yml vendored
View File

@@ -8,55 +8,10 @@ on:
- "[0-9]+.[0-9]+.[0-9]+"
workflow_dispatch:
env:
COLORTERM: 'yes'
TERM: 'xterm-256color'
PYTEST_ADDOPTS: '--color=yes'
jobs:
docs:
runs-on: ubuntu-latest
if: github.repository == 'ansible-middleware/keycloak'
permissions:
actions: write
checks: write
contents: write
deployments: write
packages: write
pages: write
steps:
- name: Check out code
uses: actions/checkout@v2
with:
path: ansible_collections/middleware_automation/keycloak
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.9
- name: Install doc dependencies
run: |
python -m pip install --upgrade pip
pip install -r ansible_collections/middleware_automation/keycloak/docs/requirements.txt
pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
sudo apt install -y sed hub
- name: Create default collection path
run: |
mkdir -p /home/runner/.ansible/
ln -s /home/runner/work/keycloak/keycloak /home/runner/.ansible/collections
- name: Create changelog and documentation
uses: ansible-middleware/collection-docs-action@main
with:
collection_fqcn: middleware_automation.keycloak
collection_repo: ansible-middleware/keycloak
dependencies: false
commit_changelog: false
commit_ghpages: true
changelog_release: false
generate_docs: true
path: ansible_collections/middleware_automation/keycloak
token: ${{ secrets.GITHUB_TOKEN }}
uses: ansible-middleware/github-actions/.github/workflows/docs.yml@main
secrets: inherit
with:
fqcn: 'middleware_automation/keycloak'
collection_fqcn: 'middleware_automation.keycloak'

86
.github/workflows/release.yml vendored
View File

@@ -5,87 +5,11 @@ on:
jobs:
release:
runs-on: ubuntu-latest
if: github.repository == 'ansible-middleware/keycloak'
permissions:
actions: write
checks: write
contents: write
deployments: write
packages: write
pages: write
outputs:
tag_version: ${{ steps.get_version.outputs.TAG_VERSION }}
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TRIGGERING_PAT }}
- name: Set up Python
uses: actions/setup-python@v1
with:
python-version: "3.x"
- name: Get current version
id: get_version
run: echo "::set-output name=TAG_VERSION::$(grep version galaxy.yml | awk -F'"' '{ print $2 }')"
- name: Check if tag exists
id: check_tag
run: echo "::set-output name=TAG_EXISTS::$(git tag | grep ${{ steps.get_version.outputs.TAG_VERSION }})"
- name: Fail if tag exists
if: ${{ steps.get_version.outputs.TAG_VERSION == steps.check_tag.outputs.TAG_EXISTS }}
uses: actions/github-script@v3
with:
script: |
core.setFailed('Release tag already exists')
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install ansible-core antsibull
sudo apt install -y sed hub
- name: Build collection
run: |
ansible-galaxy collection build .
- name: Create changelog and documentation
uses: ansible-middleware/collection-docs-action@main
with:
collection_fqcn: middleware_automation.keycloak
collection_repo: ansible-middleware/keycloak
dependencies: false
commit_changelog: true
commit_ghpages: false
changelog_release: true
generate_docs: false
token: ${{ secrets.GITHUB_TOKEN }}
- name: Publish collection
env:
ANSIBLE_GALAXY_API_KEY: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
run: |
ansible-galaxy collection publish *.tar.gz --api-key $ANSIBLE_GALAXY_API_KEY
- name: Create release tag
run: |
git config user.name github-actions
git config user.email github-actions@github.com
git tag -a ${{ steps.get_version.outputs.TAG_VERSION }} -m "Release v${{ steps.get_version.outputs.TAG_VERSION }}" || true
git push origin --tags
- name: Publish Release
uses: softprops/action-gh-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ steps.get_version.outputs.TAG_VERSION }}
files: "*.tar.gz"
body_path: gh-release.md
uses: ansible-middleware/github-actions/.github/workflows/release.yml@main
with:
collection_fqcn: 'middleware_automation.keycloak'
secrets:
galaxy_token: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
dispatch:
needs: release

2
.gitignore vendored
View File

@@ -2,6 +2,8 @@
*.zip
.tmp
.cache
.vscode/
__pycache__/
docs/plugins/
docs/roles/
docs/_build/

132
CHANGELOG.rst
View File

@@ -6,6 +6,138 @@ middleware_automation.keycloak Release Notes
This changelog describes changes after version 0.2.6.
v2.0.2
======
Minor Changes
-------------
- keycloak_quarkus: Add support for sqlserver jdbc driver `#148 <https://github.com/ansible-middleware/keycloak/pull/148>`_
- keycloak_quarkus: allow configuration of ``hostname-strict-backchannel`` `#152 <https://github.com/ansible-middleware/keycloak/pull/152>`_
- keycloak_quarkus: systemd restart behavior `#145 <https://github.com/ansible-middleware/keycloak/pull/145>`_
Bugfixes
--------
- keycloak_quarkus: Use ``keycloak_quarkus_java_opts`` `#154 <https://github.com/ansible-middleware/keycloak/pull/154>`_
- keycloak_quarkus: allow ports <1024 (e.g. :443) in systemd unit `#150 <https://github.com/ansible-middleware/keycloak/pull/150>`_
v2.0.1
======
Minor Changes
-------------
- keycloak_quarkus: add hostname-strict parameter `#139 <https://github.com/ansible-middleware/keycloak/pull/139>`_
- keycloak_quarkus: update to version 23.0.1 `#133 <https://github.com/ansible-middleware/keycloak/pull/133>`_
Bugfixes
--------
- keycloak_quarkus: template requires lowercase boolean values `#138 <https://github.com/ansible-middleware/keycloak/pull/138>`_
v2.0.0
======
Minor Changes
-------------
- Add new parameter for port offset configuration `#124 <https://github.com/ansible-middleware/keycloak/pull/124>`_
- Update Keycloak to version 22.0.5 `#122 <https://github.com/ansible-middleware/keycloak/pull/122>`_
Breaking Changes / Porting Guide
--------------------------------
- Add support for more http-related configs `#115 <https://github.com/ansible-middleware/keycloak/pull/115>`_
- Update minimum ansible-core version > 2.14 `#119 <https://github.com/ansible-middleware/keycloak/pull/119>`_
- keycloak_quarkus: enable config of key store and trust store `#116 <https://github.com/ansible-middleware/keycloak/pull/116>`_
v1.3.0
======
Major Changes
-------------
- Run service as ``keycloak_service_user`` `#106 <https://github.com/ansible-middleware/keycloak/pull/106>`_
Minor Changes
-------------
- keycloak_quarkus: Update Keycloak to version 22.0.3 `#112 <https://github.com/ansible-middleware/keycloak/pull/112>`_
- keycloak_quarkus: fix admin console redirect when running locally `#111 <https://github.com/ansible-middleware/keycloak/pull/111>`_
- keycloak_quarkus: skip proxy config if ``keycloak_quarkus_proxy_mode`` is ``none`` `#109 <https://github.com/ansible-middleware/keycloak/pull/109>`_
Bugfixes
--------
- keycloak_quarkus: fix validation failure upon port configuration change `#113 <https://github.com/ansible-middleware/keycloak/pull/113>`_
v1.2.8
======
Minor Changes
-------------
- keycloak_quarkus: set openjdk 17 as default `#103 <https://github.com/ansible-middleware/keycloak/pull/103>`_
- keycloak_quarkus: update to version 22.0.1 `#107 <https://github.com/ansible-middleware/keycloak/pull/107>`_
Bugfixes
--------
- Fix incorrect checks for ``keycloak_jgroups_subnet`` `#98 <https://github.com/ansible-middleware/keycloak/pull/98>`_
- Undefine ``keycloak_db_valid_conn_sql`` default `#91 <https://github.com/ansible-middleware/keycloak/pull/91>`_
- Update bindep.txt package python3-devel to support RHEL9 `#105 <https://github.com/ansible-middleware/keycloak/pull/105>`_
v1.2.7
======
Minor Changes
-------------
- Allow to override jgroups subnet `#93 <https://github.com/ansible-middleware/keycloak/pull/93>`_
- keycloak-quarkus: update keycloakx to v21.1.1 `#92 <https://github.com/ansible-middleware/keycloak/pull/92>`_
v1.2.6
======
Minor Changes
-------------
- Add profile features enabling/disabling `#87 <https://github.com/ansible-middleware/keycloak/pull/87>`_
- Improve service restart behavior configuration `#88 <https://github.com/ansible-middleware/keycloak/pull/88>`_
- Update default xa_datasource_class value for mariadb jdbc configuration `#89 <https://github.com/ansible-middleware/keycloak/pull/89>`_
Bugfixes
--------
- Handle WFLYCTL0117 when background validation millis is 0 `#90 <https://github.com/ansible-middleware/keycloak/pull/90>`_
v1.2.5
======
Minor Changes
-------------
- Add configuration for database connection pool validation `#85 <https://github.com/ansible-middleware/keycloak/pull/85>`_
- Allow to configure administration endpoint URL `#86 <https://github.com/ansible-middleware/keycloak/pull/86>`_
- Allow to force backend URLs to frontend URLs `#84 <https://github.com/ansible-middleware/keycloak/pull/84>`_
- Introduce systemd unit restart behavior `#81 <https://github.com/ansible-middleware/keycloak/pull/81>`_
v1.2.4
======
Minor Changes
-------------
- Add ``sqlserver`` to keycloak role jdbc configurations `#78 <https://github.com/ansible-middleware/keycloak/pull/78>`_
- Add configurability for XA transactions `#73 <https://github.com/ansible-middleware/keycloak/pull/73>`_
Bugfixes
--------
- Fix deprecation warning for ``ipaddr`` `#77 <https://github.com/ansible-middleware/keycloak/pull/77>`_
- Fix undefined facts when offline patching sso `#71 <https://github.com/ansible-middleware/keycloak/pull/71>`_
v1.2.1
======

38
README.md
View File

@@ -3,13 +3,15 @@
<!--start build_status -->
[![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
> **_NOTE:_ If you are Red Hat customer, install `redhat.sso` (for Red Hat Single Sign-On) or `redhat.rhbk` (for Red Hat Build of Keycloak) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.**
<!--end build_status -->
Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on).
Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) / [Red Hat Build of Keycloak](https://access.redhat.com/products/red-hat-build-of-keycloak).
<!--start requires_ansible-->
## Ansible version compatibility
This collection has been tested against following Ansible versions: **>=2.9.10**.
This collection has been tested against following Ansible versions: **>=2.14.0**.
Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
<!--end requires_ansible-->
@@ -42,33 +44,34 @@ A requirement file is provided to install:
pip install -r requirements.txt
<!--start roles_paths -->
### Included roles
* [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service.
* [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service (keycloak <= 19.0).
* [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
* [`keycloak_quarkus`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md): role for installing the quarkus variant of keycloak (>= 17.0.0).
<!--end roles_paths -->
## Usage
### Install Playbook
* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs based on the defined variables (using most defaults).
<!--start rhbk_playbook -->
* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs keycloak legacy based on the defined variables (using most defaults).
* [`playbooks/keycloak_quarkus.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_quarkus.yml) installs keycloak >= 17 based on the defined variables (using most defaults).
Both playbooks include the `keycloak` role, with different settings, as described in the following sections.
For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md).
<!--end rhbk_playbook -->
#### Install from controller node (offline)
Making the keycloak zip archive available to the playbook working directory, and setting `keycloak_offline_install` to `True`, allows to skip
Making the keycloak zip archive available to the playbook working directory, and setting `keycloak_offline_install` to `true`, allows to skip
the download tasks. The local path for the archive does match the downloaded archive path, so that it is also used as a cache when multiple hosts are provisioned in a cluster.
```yaml
keycloak_offline_install: True
keycloak_offline_install: true
```
@@ -83,7 +86,7 @@ It is possible to perform downloads from alternate sources, using the `keycloak_
### Example installation command
Execute the following command from the source root directory
Execute the following command from the source root directory
```
ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme>
@@ -104,9 +107,9 @@ Note: when deploying clustered configurations, all hosts belonging to the cluste
### Config Playbook
<!--start rhbk_realm_playbook -->
[`playbooks/keycloak_realm.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
<!--end rhbk_realm_playbook -->
### Example configuration command
@@ -124,9 +127,9 @@ ansible-playbook -i <ansible_hosts> playbooks/keycloak_realm.yml -e keycloak_adm
[keycloak]
localhost ansible_connection=local
```
<!--start rhbk_realm_readme -->
For full configuration details, refer to the [keycloak_realm role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md).
<!--end rhbk_realm_readme -->
<!--start support -->
<!--end support -->
@@ -135,6 +138,7 @@ For full configuration details, refer to the [keycloak_realm role README](https:
## License
Apache License v2.0 or later
<!--start license -->
See [LICENSE](LICENSE) to view the full text.
<!--end license -->

3
bindep.txt
View File

@@ -1,4 +1,5 @@
python39-devel [platform:rpm compile]
python3-devel [compile platform:rpm]
python39-devel [compile platform:centos-8 platform:rhel-8]
git-lfs [platform:rpm]
python3-netaddr [platform:rpm]
python3-lxml [platform:rpm]

205
changelogs/changelog.yaml
View File

@@ -181,3 +181,208 @@ releases:
- 68.yaml
- 69.yaml
release_date: '2023-04-11'
1.2.4:
changes:
bugfixes:
- 'Fix deprecation warning for ``ipaddr`` `#77 <https://github.com/ansible-middleware/keycloak/pull/77>`_
'
- 'Fix undefined facts when offline patching sso `#71 <https://github.com/ansible-middleware/keycloak/pull/71>`_
'
minor_changes:
- 'Add ``sqlserver`` to keycloak role jdbc configurations `#78 <https://github.com/ansible-middleware/keycloak/pull/78>`_
'
- 'Add configurability for XA transactions `#73 <https://github.com/ansible-middleware/keycloak/pull/73>`_
'
fragments:
- 71.yaml
- 73.yaml
- 77.yaml
- 78.yaml
release_date: '2023-05-09'
1.2.5:
changes:
minor_changes:
- 'Add configuration for database connection pool validation `#85 <https://github.com/ansible-middleware/keycloak/pull/85>`_
'
- 'Allow to configure administration endpoint URL `#86 <https://github.com/ansible-middleware/keycloak/pull/86>`_
'
- 'Allow to force backend URLs to frontend URLs `#84 <https://github.com/ansible-middleware/keycloak/pull/84>`_
'
- 'Introduce systemd unit restart behavior `#81 <https://github.com/ansible-middleware/keycloak/pull/81>`_
'
fragments:
- 81.yaml
- 84.yaml
- 85.yaml
- 86.yaml
release_date: '2023-05-26'
1.2.6:
changes:
bugfixes:
- 'Handle WFLYCTL0117 when background validation millis is 0 `#90 <https://github.com/ansible-middleware/keycloak/pull/90>`_
'
minor_changes:
- 'Add profile features enabling/disabling `#87 <https://github.com/ansible-middleware/keycloak/pull/87>`_
'
- 'Improve service restart behavior configuration `#88 <https://github.com/ansible-middleware/keycloak/pull/88>`_
'
- 'Update default xa_datasource_class value for mariadb jdbc configuration `#89
<https://github.com/ansible-middleware/keycloak/pull/89>`_
'
fragments:
- 87.yaml
- 88.yaml
- 89.yaml
- 90.yaml
release_date: '2023-06-07'
1.2.7:
changes:
minor_changes:
- 'Allow to override jgroups subnet `#93 <https://github.com/ansible-middleware/keycloak/pull/93>`_
'
- 'keycloak-quarkus: update keycloakx to v21.1.1 `#92 <https://github.com/ansible-middleware/keycloak/pull/92>`_
'
fragments:
- 92.yaml
- 93.yaml
release_date: '2023-06-19'
1.2.8:
changes:
bugfixes:
- 'Fix incorrect checks for ``keycloak_jgroups_subnet`` `#98 <https://github.com/ansible-middleware/keycloak/pull/98>`_
'
- 'Undefine ``keycloak_db_valid_conn_sql`` default `#91 <https://github.com/ansible-middleware/keycloak/pull/91>`_
'
- 'Update bindep.txt package python3-devel to support RHEL9 `#105 <https://github.com/ansible-middleware/keycloak/pull/105>`_
'
minor_changes:
- 'keycloak_quarkus: set openjdk 17 as default `#103 <https://github.com/ansible-middleware/keycloak/pull/103>`_
'
- 'keycloak_quarkus: update to version 22.0.1 `#107 <https://github.com/ansible-middleware/keycloak/pull/107>`_
'
fragments:
- 103.yaml
- 105.yaml
- 107.yaml
- 91.yaml
- 98.yaml
release_date: '2023-08-28'
1.3.0:
changes:
bugfixes:
- 'keycloak_quarkus: fix validation failure upon port configuration change `#113
<https://github.com/ansible-middleware/keycloak/pull/113>`_
'
major_changes:
- 'Run service as ``keycloak_service_user`` `#106 <https://github.com/ansible-middleware/keycloak/pull/106>`_
'
minor_changes:
- 'keycloak_quarkus: Update Keycloak to version 22.0.3 `#112 <https://github.com/ansible-middleware/keycloak/pull/112>`_
'
- 'keycloak_quarkus: fix admin console redirect when running locally `#111 <https://github.com/ansible-middleware/keycloak/pull/111>`_
'
- 'keycloak_quarkus: skip proxy config if ``keycloak_quarkus_proxy_mode`` is
``none`` `#109 <https://github.com/ansible-middleware/keycloak/pull/109>`_
'
fragments:
- 106.yaml
- 109.yaml
- 111.yaml
- 112.yaml
- 113.yaml
release_date: '2023-09-25'
2.0.0:
changes:
breaking_changes:
- 'Add support for more http-related configs `#115 <https://github.com/ansible-middleware/keycloak/pull/115>`_
'
- 'Update minimum ansible-core version > 2.14 `#119 <https://github.com/ansible-middleware/keycloak/pull/119>`_
'
- 'keycloak_quarkus: enable config of key store and trust store `#116 <https://github.com/ansible-middleware/keycloak/pull/116>`_
'
minor_changes:
- 'Add new parameter for port offset configuration `#124 <https://github.com/ansible-middleware/keycloak/pull/124>`_
'
- 'Update Keycloak to version 22.0.5 `#122 <https://github.com/ansible-middleware/keycloak/pull/122>`_
'
fragments:
- 115.yaml
- 116.yaml
- 119.yaml
- 122.yaml
- 124.yaml
release_date: '2023-11-20'
2.0.1:
changes:
bugfixes:
- 'keycloak_quarkus: template requires lowercase boolean values `#138 <https://github.com/ansible-middleware/keycloak/pull/138>`_
'
minor_changes:
- 'keycloak_quarkus: add hostname-strict parameter `#139 <https://github.com/ansible-middleware/keycloak/pull/139>`_
'
- 'keycloak_quarkus: update to version 23.0.1 `#133 <https://github.com/ansible-middleware/keycloak/pull/133>`_
'
fragments:
- 133.yaml
- 138.yaml
- 139.yaml
release_date: '2023-12-07'
2.0.2:
changes:
bugfixes:
- 'keycloak_quarkus: Use ``keycloak_quarkus_java_opts`` `#154 <https://github.com/ansible-middleware/keycloak/pull/154>`_
'
- 'keycloak_quarkus: allow ports <1024 (e.g. :443) in systemd unit `#150 <https://github.com/ansible-middleware/keycloak/pull/150>`_
'
minor_changes:
- 'keycloak_quarkus: Add support for sqlserver jdbc driver `#148 <https://github.com/ansible-middleware/keycloak/pull/148>`_
'
- 'keycloak_quarkus: allow configuration of ``hostname-strict-backchannel``
`#152 <https://github.com/ansible-middleware/keycloak/pull/152>`_
'
- 'keycloak_quarkus: systemd restart behavior `#145 <https://github.com/ansible-middleware/keycloak/pull/145>`_
'
fragments:
- 145.yaml
- 148.yaml
- 150.yaml
- 152.yaml
- 154.yaml
release_date: '2024-01-17'

3
docs/conf.py
View File

@@ -43,6 +43,7 @@ extensions = [
'myst_parser',
'sphinx.ext.autodoc',
'sphinx.ext.intersphinx',
'sphinx_antsibull_ext',
'ansible_basic_sphinx_ext',
]
@@ -71,7 +72,7 @@ language = None
exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store', '.tmp']
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'
pygments_style = 'ansible'
highlight_language = 'YAML+Jinja'

1
docs/requirements.txt
View File

@@ -2,6 +2,7 @@ antsibull>=0.17.0
antsibull-docs
antsibull-changelog
ansible-core>=2.14.1
ansible-pygments
sphinx-rtd-theme
git+https://github.com/felixfontein/ansible-basic-sphinx-ext
myst-parser

8
galaxy.yml
View File

@@ -1,12 +1,13 @@
---
namespace: middleware_automation
name: keycloak
version: "1.2.1"
version: "2.0.2"
readme: README.md
authors:
- Romain Pelisse <rpelisse@redhat.com>
- Guido Grazioli <ggraziol@redhat.com>
- Pavan Kumar Motaparthi <pmotapar@redhat.com>
- Helmut Wolf <hwo@world-direct.at>
description: Install and configure a keycloak, or Red Hat Single Sign-on, service.
license_file: "LICENSE"
tags:
@@ -21,8 +22,11 @@ tags:
- infrastructure
- authentication
- java
- runtimes
- middleware
- a4mw
dependencies:
"middleware_automation.common": ">=1.0.0"
"middleware_automation.common": ">=1.1.0"
"ansible.posix": ">=1.4.0"
repository: https://github.com/ansible-middleware/keycloak
documentation: https://ansible-middleware.github.io/keycloak

2
meta/runtime.yml
View File

@@ -1,2 +1,2 @@
---
requires_ansible: ">=2.9.10"
requires_ansible: ">=2.14.0"

2
molecule/default/converge.yml
View File

@@ -10,6 +10,8 @@
port: 16667
- host: myhost2
port: 16668
keycloak_jboss_port_offset: 10
keycloak_log_target: /tmp/keycloak
roles:
- role: keycloak
tasks:

9
molecule/default/molecule.yml
View File

@@ -1,12 +1,6 @@
---
dependency:
name: shell
command: ansible-galaxy collection install -r molecule/requirements.yml -p $HOME/.ansible/collections --force-with-deps
driver:
name: docker
lint: |
ansible-lint --version
ansible-lint -v
platforms:
- name: instance
image: registry.access.redhat.com/ubi8/ubi-init:latest
@@ -38,11 +32,8 @@ verifier:
name: ansible
scenario:
test_sequence:
- dependency
- lint
- cleanup
- destroy
- syntax
- create
- prepare
- converge

44
molecule/default/verify.yml
View File

@@ -4,8 +4,9 @@
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_jvm_package: java-11-openjdk-headless
keycloak_uri: http://localhost:8080
keycloak_management_port: http://localhost:9990
keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
keycloak_jboss_port_offset: 10
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
@@ -14,9 +15,12 @@
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"
- ansible_facts.services["keycloak.service"]["status"] == "enabled"
- name: Verify we are running on requested jvm
shell: |
ps -ef | grep /usr/lib/jvm/java-11 | grep -v grep
- name: Verify we are running on requested jvm # noqa blocked_modules command-instead-of-module
ansible.builtin.shell: |
set -o pipefail
ps -ef | grep '/etc/alternatives/jre_11/' | grep -v grep
args:
executable: /bin/bash
changed_when: no
- name: Verify token api call
ansible.builtin.uri:
@@ -48,9 +52,35 @@
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_query_clients
- debug:
msg: "{{ keycloak_query_clients.json | selectattr('clientId','equalto','TestClient') }}"
- name: Verify expected config
ansible.builtin.assert:
that:
- (keycloak_query_clients.json | selectattr('clientId','equalto','TestClient') | first)["attributes"]["post.logout.redirect.uris"] == '/public/logout'
- name: Check log folder
ansible.builtin.stat:
path: "/tmp/keycloak"
register: keycloak_log_folder
- name: Check that keycloak log folder exists and is a link
ansible.builtin.assert:
that:
- keycloak_log_folder.stat.exists
- not keycloak_log_folder.stat.isdir
- keycloak_log_folder.stat.islnk
- name: Check log file
ansible.builtin.stat:
path: "/tmp/keycloak/server.log"
register: keycloak_log_file
- name: Check if keycloak file exists
ansible.builtin.assert:
that:
- keycloak_log_file.stat.exists
- not keycloak_log_file.stat.isdir
- name: Check default log folder
ansible.builtin.stat:
path: "/var/log/keycloak"
register: keycloak_default_log_folder
failed_when: false
- name: Check that default keycloak log folder doesn't exist
ansible.builtin.assert:
that:
- not keycloak_default_log_folder.stat.exists

16
molecule/https_revproxy/converge.yml Normal file
View File

@@ -0,0 +1,16 @@
---
- name: Converge
hosts: all
vars:
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_admin_password: "remembertochangeme"
keycloak_realm: TestRealm
keycloak_quarkus_host: instance
keycloak_quarkus_log: file
keycloak_quarkus_http_enabled: True
keycloak_quarkus_http_port: 8080
keycloak_quarkus_proxy_mode: edge
keycloak_quarkus_http_relative_path: /
keycloak_quarkus_frontend_url: https://proxy/
roles:
- role: keycloak_quarkus

57
molecule/https_revproxy/molecule.yml Normal file
View File

@@ -0,0 +1,57 @@
---
driver:
name: docker
platforms:
- name: instance
image: registry.access.redhat.com/ubi8/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
networks:
- name: keycloak
port_bindings:
- "8080/tcp"
published_ports:
- 0.0.0.0:8080:8080/tcp
- name: proxy
image: registry.access.redhat.com/ubi8/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
networks:
- name: keycloak
port_bindings:
- "443/tcp"
published_ports:
- 0.0.0.0:443:443/tcp
provisioner:
name: ansible
config_options:
defaults:
interpreter_python: auto_silent
ssh_connection:
pipelining: false
playbooks:
prepare: prepare.yml
converge: converge.yml
verify: verify.yml
inventory:
host_vars:
localhost:
ansible_python_interpreter: "{{ ansible_playbook_python }}"
env:
ANSIBLE_FORCE_COLOR: "true"
verifier:
name: ansible
scenario:
test_sequence:
- cleanup
- destroy
- create
- prepare
- converge
- idempotence
- side_effect
- verify
- cleanup
- destroy

48
molecule/https_revproxy/prepare.yml Normal file
View File

@@ -0,0 +1,48 @@
---
- name: Prepare
hosts: all
tasks:
- name: Install sudo
ansible.builtin.dnf:
name: sudo
state: present
- name: "Display hera_home if defined."
ansible.builtin.set_fact:
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- name: Prepare proxy
hosts: proxy
vars:
nginx_proxy: |
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://instance:8080;
}
roles:
- elan.simple_nginx_reverse_proxy
pre_tasks:
- name: Create certificate request
ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=proxy'
delegate_to: localhost
changed_when: false
- name: Make certificate directory
ansible.builtin.file:
path: /etc/nginx/tls
state: directory
- name: Copy certificates
ansible.builtin.copy:
src: "{{ item.name }}"
dest: "{{ item.dest }}"
mode: 0444
become: true
loop:
- { name: 'cert.pem', dest: '/etc/nginx/tls/certificate.crt' }
- { name: 'key.pem', dest: '/etc/nginx/tls/certificate.key' }
- name: Update CA trust
ansible.builtin.command: update-ca-trust
changed_when: false
become: true

1
molecule/https_revproxy/roles Symbolic link
View File

@@ -0,0 +1 @@
../../roles

28
molecule/https_revproxy/verify.yml Normal file
View File

@@ -0,0 +1,28 @@
---
- name: Verify
hosts: instance
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
- name: Check if keycloak service started
ansible.builtin.assert:
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"
- ansible_facts.services["keycloak.service"]["status"] == "enabled"
- name: Verify openid config
block:
- name: Fetch openID config # noqa blocked_modules command-instead-of-module
ansible.builtin.uri:
url: http://localhost:8080/realms/master/.well-known/openid-configuration
validate_certs: false
headers:
Host: proxy
register: openid_config
changed_when: False
- name: Verify endpoint URLs
ansible.builtin.assert:
that:
- openid_config.json['issuer'] == 'https://proxy/realms/master'
- openid_config.json['authorization_endpoint'] == 'https://proxy/realms/master/protocol/openid-connect/auth'

3
molecule/overridexml/converge.yml
View File

@@ -6,6 +6,7 @@
keycloak_config_override_template: custom.xml.j2
keycloak_http_port: 8081
keycloak_management_http_port: 19990
keycloak_service_runas: True
roles:
- role: keycloak
tasks:
@@ -51,4 +52,4 @@
sso_offline_install: True
when:
- assets_server is defined
- assets_server | length > 0
- assets_server | length > 0

9
molecule/overridexml/molecule.yml
View File

@@ -1,12 +1,6 @@
---
dependency:
name: shell
command: ansible-galaxy collection install -r molecule/requirements.yml -p $HOME/.ansible/collections --force-with-deps
driver:
name: docker
lint: |
ansible-lint --version
ansible-lint -v
platforms:
- name: instance
image: registry.access.redhat.com/ubi8/ubi-init:latest
@@ -38,11 +32,8 @@ verifier:
name: ansible
scenario:
test_sequence:
- dependency
- lint
- cleanup
- destroy
- syntax
- create
- prepare
- converge

43
molecule/quarkus-devmode/converge.yml Normal file
View File

@@ -0,0 +1,43 @@
---
- name: Converge
hosts: all
vars:
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_admin_password: "remembertochangeme"
keycloak_realm: TestRealm
keycloak_quarkus_log: file
keycloak_quarkus_frontend_url: 'http://localhost:8080/'
keycloak_quarkus_start_dev: True
keycloak_quarkus_proxy_mode: none
roles:
- role: keycloak_quarkus
- role: keycloak_realm
keycloak_context: ''
keycloak_client_default_roles:
- TestRoleAdmin
- TestRoleUser
keycloak_client_users:
- username: TestUser
password: password
client_roles:
- client: TestClient
role: TestRoleUser
realm: "{{ keycloak_realm }}"
- username: TestAdmin
password: password
client_roles:
- client: TestClient
role: TestRoleUser
realm: "{{ keycloak_realm }}"
- client: TestClient
role: TestRoleAdmin
realm: "{{ keycloak_realm }}"
keycloak_realm: TestRealm
keycloak_clients:
- name: TestClient
roles: "{{ keycloak_client_default_roles }}"
realm: "{{ keycloak_realm }}"
public_client: "{{ keycloak_client_public }}"
web_origins: "{{ keycloak_client_web_origins }}"
users: "{{ keycloak_client_users }}"
client_id: TestClient

45
molecule/quarkus-devmode/molecule.yml Normal file
View File

@@ -0,0 +1,45 @@
---
driver:
name: docker
platforms:
- name: instance
image: registry.access.redhat.com/ubi8/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
port_bindings:
- "8080/tcp"
- "8009/tcp"
published_ports:
- 0.0.0.0:8080:8080/tcp
provisioner:
name: ansible
config_options:
defaults:
interpreter_python: auto_silent
ssh_connection:
pipelining: false
playbooks:
prepare: prepare.yml
converge: converge.yml
verify: verify.yml
inventory:
host_vars:
localhost:
ansible_python_interpreter: "{{ ansible_playbook_python }}"
env:
ANSIBLE_FORCE_COLOR: "true"
verifier:
name: ansible
scenario:
test_sequence:
- cleanup
- destroy
- create
- prepare
- converge
- idempotence
- side_effect
- verify
- cleanup
- destroy

12
molecule/quarkus-devmode/prepare.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: Prepare
hosts: all
tasks:
- name: Install sudo
ansible.builtin.yum:
name: sudo
state: present
- name: "Display hera_home if defined."
ansible.builtin.set_fact:
hera_home: "{{ lookup('env', 'HERA_HOME') }}"

1
molecule/quarkus-devmode/roles Symbolic link
View File

@@ -0,0 +1 @@
../../roles

39
molecule/quarkus-devmode/verify.yml Normal file
View File

@@ -0,0 +1,39 @@
---
- name: Verify
hosts: all
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
- name: Check if keycloak service started
ansible.builtin.assert:
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"
- ansible_facts.services["keycloak.service"]["status"] == "enabled"
- name: Set internal envvar
ansible.builtin.set_fact:
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- name: Verify openid config
block:
- name: Fetch openID config # noqa blocked_modules command-instead-of-module
ansible.builtin.shell: |
set -o pipefail
curl http://localhost:8080/realms/master/.well-known/openid-configuration -k | jq .
args:
executable: /bin/bash
delegate_to: localhost
register: openid_config
changed_when: False
- name: Verify endpoint URLs
ansible.builtin.assert:
that:
- (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'http://localhost:8080/realms/master/protocol/openid-connect/ext/ciba/auth'
- (openid_config.stdout | from_json)['issuer'] == 'http://localhost:8080/realms/master'
- (openid_config.stdout | from_json)['authorization_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/auth'
- (openid_config.stdout | from_json)['token_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/token'
delegate_to: localhost
when:
- hera_home is defined
- hera_home | length == 0

8
molecule/quarkus/converge.yml
View File

@@ -6,11 +6,11 @@
keycloak_admin_password: "remembertochangeme"
keycloak_realm: TestRealm
keycloak_quarkus_host: instance
keycloak_quarkus_http_relative_path: ''
keycloak_quarkus_log: file
keycloak_quarkus_https_enabled: True
keycloak_quarkus_key_file: "{{ keycloak.home }}/conf/key.pem"
keycloak_quarkus_cert_file: "{{ keycloak.home }}/conf/cert.pem"
keycloak_quarkus_https_key_file_enabled: True
keycloak_quarkus_key_file: "/opt/keycloak/certs/key.pem"
keycloak_quarkus_cert_file: "/opt/keycloak/certs/cert.pem"
keycloak_quarkus_log_target: /tmp/keycloak
roles:
- role: keycloak_quarkus
- role: keycloak_realm

9
molecule/quarkus/molecule.yml
View File

@@ -1,12 +1,6 @@
---
dependency:
name: shell
command: ansible-galaxy collection install -r molecule/requirements.yml -p $HOME/.ansible/collections --force-with-deps
driver:
name: docker
lint: |
ansible-lint --version
ansible-lint -v
platforms:
- name: instance
image: registry.access.redhat.com/ubi8/ubi-init:latest
@@ -40,11 +34,8 @@ verifier:
name: ansible
scenario:
test_sequence:
- dependency
- lint
- cleanup
- destroy
- syntax
- create
- prepare
- converge

26
molecule/quarkus/prepare.yml
View File

@@ -11,27 +11,21 @@
ansible.builtin.set_fact:
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
- name: Create certificate request
ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
delegate_to: localhost
changed_when: False
- block:
- ansible.builtin.lineinfile:
dest: /etc/hosts
line: "127.0.0.1 instance"
state: present
delegate_to: localhost
become: yes
when:
- hera_home is defined
- hera_home | length == 0
- ansible.builtin.file:
- name: Create conf directory # risky-file-permissions in test user account does not exist yet
ansible.builtin.file:
state: directory
path: /opt/keycloak/keycloak-18.0.0/conf/
path: "/opt/keycloak/certs/"
mode: 0755
- ansible.builtin.copy:
- name: Copy certificates
ansible.builtin.copy:
src: "{{ item }}"
dest: "/opt/keycloak/keycloak-18.0.0/conf/{{ item }}"
dest: "/opt/keycloak/certs/{{ item }}"
mode: 0444
loop:
- cert.pem

62
molecule/quarkus/verify.yml
View File

@@ -4,32 +4,70 @@
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
- name: Check if keycloak service started
ansible.builtin.assert:
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"
- ansible_facts.services["keycloak.service"]["status"] == "enabled"
- set_fact:
- name: Set internal envvar
ansible.builtin.set_fact:
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- block:
- name: Fetch openID config
shell: |
curl https://instance:8443/realms/master/.well-known/openid-configuration -k | jq .
- name: Verify openid config
when:
- hera_home is defined
- hera_home | length == 0
block:
- name: Fetch openID config # noqa blocked_modules command-instead-of-module
ansible.builtin.shell: |
set -o pipefail
curl -H 'Host: instance' https://localhost:8443/realms/master/.well-known/openid-configuration -k | jq .
args:
executable: /bin/bash
delegate_to: localhost
register: openid_config
- debug:
msg: " {{ openid_config.stdout | from_json }}"
delegate_to: localhost
changed_when: False
- name: Verify endpoint URLs
assert:
ansible.builtin.assert:
that:
- (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance/realms/master/protocol/openid-connect/ext/ciba/auth'
- (openid_config.stdout | from_json)['issuer'] == 'https://instance/realms/master'
- (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/auth'
- (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/token'
delegate_to: localhost
when:
- hera_home is defined
- hera_home | length == 0
- name: Check log folder
ansible.builtin.stat:
path: "/tmp/keycloak"
register: keycloak_log_folder
- name: Check that keycloak log folder exists and is a link
ansible.builtin.assert:
that:
- keycloak_log_folder.stat.exists
- not keycloak_log_folder.stat.isdir
- keycloak_log_folder.stat.islnk
- name: Check log file
ansible.builtin.stat:
path: "/tmp/keycloak/keycloak.log"
register: keycloak_log_file
- name: Check if keycloak file exists
ansible.builtin.assert:
that:
- keycloak_log_file.stat.exists
- not keycloak_log_file.stat.isdir
- name: Check default log folder
ansible.builtin.stat:
path: "/var/log/keycloak"
register: keycloak_default_log_folder
failed_when: false
- name: Check that default keycloak log folder doesn't exist
ansible.builtin.assert:
that:
- not keycloak_default_log_folder.stat.exists

5
molecule/requirements.yml
View File

@@ -1,8 +1,11 @@
---
collections:
- name: middleware_automation.common
- name: middleware_automation.jbcs
- name: community.general
- name: ansible.posix
- name: community.docker
version: ">=1.9.1"
roles:
- name: elan.simple_nginx_reverse_proxy

14
playbooks/keycloak_federation.yml
View File

@@ -55,14 +55,14 @@
- TestClient1Admin
- TestClient1User
realm: "{{ keycloak_realm }}"
public_client: True
public_client: true
web_origins:
- http://testclient1origin/application
- http://testclient1origin/other
users:
- username: TestUser
password: password
client_roles:
- client: TestClient1
role: TestClient1User
realm: "{{ keycloak_realm }}"
- username: TestUser
password: password
client_roles:
- client: TestClient1
role: TestClient1User
realm: "{{ keycloak_realm }}"

12
playbooks/keycloak_quarkus.yml
View File

@@ -1,13 +1,11 @@
---
- name: Playbook for Keycloak X Hosts
- name: Playbook for Keycloak X Hosts with HTTPS enabled
hosts: all
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_quarkus_host: localhost:8443
keycloak_quarkus_http_relative_path: ''
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_quarkus_host: localhost
keycloak_quarkus_port: 8443
keycloak_quarkus_log: file
keycloak_quarkus_https_enabled: True
keycloak_quarkus_key_file: conf/key.pem
keycloak_quarkus_cert_file: conf/cert.pem
keycloak_quarkus_proxy_mode: none
roles:
- middleware_automation.keycloak.keycloak_quarkus

12
playbooks/keycloak_quarkus_dev.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: Playbook for Keycloak X Hosts in develop mode
hosts: all
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_quarkus_host: localhost
keycloak_quarkus_port: 8080
keycloak_quarkus_log: file
keycloak_quarkus_start_dev: true
keycloak_quarkus_proxy_mode: none
roles:
- middleware_automation.keycloak.keycloak_quarkus

14
playbooks/keycloak_realm.yml
View File

@@ -10,17 +10,17 @@
- TestClient1Admin
- TestClient1User
realm: TestRealm
public_client: True
public_client: true
web_origins:
- http://testclient1origin/application
- http://testclient1origin/other
users:
- username: TestUser
password: password
client_roles:
- client: TestClient1
role: TestClient1User
realm: TestRealm
- username: TestUser
password: password
client_roles:
- client: TestClient1
role: TestClient1User
realm: TestRealm
roles:
- role: middleware_automation.keycloak.keycloak_realm
keycloak_realm: TestRealm

2
playbooks/rhsso.yml
View File

@@ -3,6 +3,6 @@
hosts: sso
vars:
keycloak_admin_password: "remembertochangeme"
sso_enable: True
sso_enable: true
roles:
- middleware_automation.keycloak.keycloak

52
plugins/filter/version_sort.py
View File

@@ -1,52 +0,0 @@
# -*- coding: utf-8 -*-
# Copyright (C) 2021 Eric Lavarde <elavarde@redhat.com>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
DOCUMENTATION = '''
name: version_sort
short_description: Sort a list according to version order instead of pure alphabetical one
version_added: 2.2.0
author: Eric L. (@ericzolf)
description:
- Sort a list according to version order instead of pure alphabetical one.
options:
_input:
description: A list of strings to sort.
type: list
elements: string
required: true
'''
EXAMPLES = '''
- name: Convert list of tuples into dictionary
ansible.builtin.set_fact:
dictionary: "{{ ['2.1', '2.10', '2.9'] | middleware_automation.keycloak.version_sort }}"
# Result is ['2.1', '2.9', '2.10']
'''
RETURN = '''
_value:
description: The list of strings sorted by version.
type: list
elements: string
'''
from ansible_collections.middleware_automation.keycloak.plugins.module_utils.version import LooseVersion
def version_sort(value, reverse=False):
'''Sort a list according to loose versions so that e.g. 2.9 is smaller than 2.10'''
return sorted(value, key=LooseVersion, reverse=reverse)
class FilterModule(object):
''' Version sort filter '''
def filters(self):
return {
'version_sort': version_sort
}

22
plugins/module_utils/version.py
View File

@@ -1,22 +0,0 @@
# -*- coding: utf-8 -*-
# Copyright (c) 2021, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
"""Provide version object to compare version numbers."""
from __future__ import absolute_import, division, print_function
__metaclass__ = type
from ansible.module_utils.six import raise_from
try:
from ansible.module_utils.compat.version import LooseVersion # noqa: F401, pylint: disable=unused-import
except ImportError:
try:
from distutils.version import LooseVersion # noqa: F401, pylint: disable=unused-import
except ImportError as exc:
msg = 'To use this plugin or module with ansible-core 2.11, you need to use Python < 3.12 with distutils.version present'
raise_from(ImportError(msg), exc)

1
plugins/modules/keycloak_user_federation.py
View File

@@ -568,7 +568,6 @@ EXAMPLES = '''
realm: my-realm
name: my-federation
state: absent
'''
RETURN = '''

55
roles/keycloak/README.md
View File

@@ -39,7 +39,7 @@ Versions
Patching
--------
When variable `keycloak_rhsso_apply_patches` is `True` (default: `False`), the role will automatically apply the latest cumulative patch for the selected base version.
When variable `keycloak_rhsso_apply_patches` is `true` (default: `false`), the role will automatically apply the latest cumulative patch for the selected base version.
| RH-SSO VERSION | Release Date | RH-SSO LATEST CP | Notes |
|:---------------|:------------------|:-----------------|:----------------|
@@ -55,7 +55,7 @@ Role Defaults
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
|`keycloak_ha_discovery`| Discovery protocol for HA cluster members | `JDBC_PING` if keycloak_db_enabled else `TCPPING` |
|`keycloak_ha_discovery`| Discovery protocol for HA cluster members | `JDBC_PING` if `keycloak_db_enabled` else `TCPPING` |
|`keycloak_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_ha_enabled` is True, else `False` |
|`keycloak_remote_cache_enabled`| Enable remote cache store when in clustered ha configurations | `True` if `keycloak_ha_enabled` else `False` |
|`keycloak_admin_user`| Administration console user account | `admin` |
@@ -68,13 +68,19 @@ Role Defaults
|`keycloak_jgroups_port`| jgroups cluster tcp port | `7600` |
|`keycloak_management_http_port`| Management port | `9990` |
|`keycloak_management_https_port`| TLS management port | `9993` |
|`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `True` |
|`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `true` |
|`keycloak_config_standalone_xml`| filename for configuration | `keycloak.xml` |
|`keycloak_service_user`| posix account username | `keycloak` |
|`keycloak_service_group`| posix account group | `keycloak` |
|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak.pid` |
|`keycloak_service_restart_always`| systemd restart always behavior activation | `False` |
|`keycloak_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` |
|`keycloak_service_startlimitintervalsec`| systemd StartLimitIntervalSec | `300` |
|`keycloak_service_startlimitburst`| systemd StartLimitBurst | `5` |
|`keycloak_service_restartsec`| systemd RestartSec | `10s` |
|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak/keycloak.pid` |
|`keycloak_features` | List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]` | `[]`
|`keycloak_jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-headless` |
|`keycloak_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path | `None` |
|`keycloak_java_home`| `JAVA_HOME` of installed JRE, leave empty for using RPM path at `keycloak_jvm_package` | `None` |
|`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
@@ -82,12 +88,12 @@ Role Defaults
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_offline_install` | perform an offline install | `False`|
|`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`|
|`keycloak_offline_install` | perform an offline install | `false`|
|`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`|
|`keycloak_version`| keycloak.org package version | `18.0.2` |
|`keycloak_dest`| Installation root path | `/opt/keycloak` |
|`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
|`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
|`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `false` |
* Miscellaneous configuration
@@ -98,14 +104,21 @@ Role Defaults
|`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` |
|`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` |
|`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir }}` |
|`keycloak_jboss_port_offset` | Port offset for the JBoss socket binding | `0` |
|`keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` |
|`keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` |
|`keycloak_config_override_template` | Path to custom template for standalone.xml configuration | `''` |
|`keycloak_auth_realm` | Name for rest authentication realm | `master` |
|`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
|`keycloak_force_install` | Remove pre-existing versions of service | `False` |
|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
|`keycloak_force_install` | Remove pre-existing versions of service | `false` |
|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}` |
|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}` |
|`keycloak_frontend_url_force` | Force backend requests to use the frontend URL | `false` |
|`keycloak_db_background_validation` | Enable background validation of database connection | `false` |
|`keycloak_db_background_validation_millis`| How frequenly the connection pool is validated in the background | `10000` if background validation enabled |
|`keycloak_db_background_validate_on_match` | Enable validate on match for database connections | `false` |
|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |
|`keycloak_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` |
Role Variables
@@ -116,10 +129,10 @@ The following are a set of _required_ variables for the role:
| Variable | Description |
|:---------|:------------|
|`keycloak_admin_password`| Password for the administration console user account (minimum 12 characters) |
|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth` |
|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |
The following variables are _required_ only when `keycloak_ha_enabled` is True:
The following parameters are _required_ only when `keycloak_ha_enabled` is true:
| Variable | Description | Default |
|:---------|:------------|:--------|
@@ -127,7 +140,7 @@ The following variables are _required_ only when `keycloak_ha_enabled` is True:
|`keycloak_modcluster_url` | _deprecated_ Host for the modcluster reverse proxy | `localhost` |
|`keycloak_modcluster_port` | _deprecated_ Port for the modcluster reverse proxy | `6666` |
|`keycloak_modcluster_urls` | List of {host,port} dicts for the modcluster reverse proxies | `[ { localhost:6666 } ]` |
|`keycloak_jdbc_engine` | backend database engine when db is enabled: [ postgres, mariadb ] | `postgres` |
|`keycloak_jdbc_engine` | backend database engine when db is enabled: [ postgres, mariadb, sqlserver ] | `postgres` |
|`keycloak_infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
|`keycloak_infinispan_user` | username for connecting to infinispan | `supervisor` |
|`keycloak_infinispan_pass` | password for connecting to infinispan | `supervisor` |
@@ -137,7 +150,7 @@ The following variables are _required_ only when `keycloak_ha_enabled` is True:
|`keycloak_infinispan_trust_store_password`| Password for opening truststore | `changeit` |
The following variables are _required_ only when `keycloak_db_enabled` is True:
The following parameters are _required_ only when `keycloak_db_enabled` is true:
| Variable | Description | Default |
|:---------|:------------|:---------|
@@ -147,6 +160,14 @@ The following variables are _required_ only when `keycloak_db_enabled` is True:
|`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` |
The following variables are _optional_:
| Variable | Description |
|:---------|:------------|
|`keycloak_db_valid_conn_sql` | Override the default database connection validation query sql |
|`keycloak_admin_url` | Override the default administration endpoint URL |
|`keycloak_jgroups_subnet`| Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration |
Example Playbook
-----------------
@@ -157,8 +178,6 @@ Example Playbook
- hosts: ...
vars:
keycloak_admin_password: "remembertochangeme"
collections:
- middleware_automation.keycloak
roles:
- middleware_automation.keycloak.keycloak
```
@@ -177,7 +196,7 @@ Example Playbook
name: keycloak
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_offline_install: True
keycloak_offline_install: true
# This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip
```

42
roles/keycloak/defaults/main.yml
View File

@@ -5,26 +5,34 @@ keycloak_archive: "keycloak-legacy-{{ keycloak_version }}.zip"
keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
keycloak_offline_install: False
keycloak_offline_install: false
### Install location and service settings
keycloak_jvm_package: java-1.8.0-openjdk-headless
keycloak_java_home:
keycloak_dest: /opt/keycloak
keycloak_jboss_home: "{{ keycloak_installdir }}"
keycloak_jboss_port_offset: 0
keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
keycloak_config_standalone_xml: "keycloak.xml"
keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
keycloak_config_override_template: ''
keycloak_config_path_to_properties: "{{ keycloak_jboss_home }}/standalone/configuration/profile.properties"
keycloak_service_runas: false
keycloak_service_user: keycloak
keycloak_service_group: keycloak
keycloak_service_pidfile: "/run/keycloak.pid"
keycloak_service_pidfile: "/run/keycloak/keycloak.pid"
keycloak_service_name: keycloak
keycloak_service_desc: Keycloak
keycloak_service_start_delay: 10
keycloak_service_start_retries: 25
keycloak_service_restart_always: false
keycloak_service_restart_on_failure: false
keycloak_service_startlimitintervalsec: "300"
keycloak_service_startlimitburst: "5"
keycloak_service_restartsec: "10s"
keycloak_configure_firewalld: False
keycloak_configure_firewalld: false
### administrator console password
keycloak_admin_password: ''
@@ -36,14 +44,16 @@ keycloak_http_port: 8080
keycloak_https_port: 8443
keycloak_ajp_port: 8009
keycloak_jgroups_port: 7600
keycloak_jgroups_subnet:
keycloak_management_port_bind_address: 127.0.0.1
keycloak_management_http_port: 9990
keycloak_management_https_port: 9993
keycloak_java_opts: "-Xms1024m -Xmx2048m"
keycloak_prefer_ipv4: True
keycloak_prefer_ipv4: true
keycloak_features: []
### Enable configuration for database backend, clustering and remote caches on infinispan
keycloak_ha_enabled: False
keycloak_ha_enabled: false
### Enable database configuration, must be enabled when HA is configured
keycloak_db_enabled: "{{ True if keycloak_ha_enabled else False }}"
### Discovery protocol for ha cluster members, valus [ 'JDBC_PING', 'TCPPING' ]
@@ -56,7 +66,7 @@ keycloak_admin_user: admin
keycloak_auth_realm: master
keycloak_auth_client: admin-cli
keycloak_force_install: False
keycloak_force_install: false
### mod_cluster reverse proxy list
keycloak_modcluster_enabled: "{{ True if keycloak_ha_enabled else False }}"
@@ -67,23 +77,29 @@ keycloak_modcluster_urls:
port: "{{ keycloak_modcluster_port }}"
### keycloak frontend url
keycloak_frontend_url: http://localhost:8080/auth
keycloak_frontend_url: http://localhost:8080/auth/
keycloak_frontend_url_force: false
keycloak_admin_url:
### infinispan remote caches access (hotrod)
keycloak_infinispan_user: supervisor
keycloak_infinispan_pass: supervisor
keycloak_infinispan_url: localhost
keycloak_infinispan_sasl_mechanism: SCRAM-SHA-512
keycloak_infinispan_use_ssl: False
keycloak_infinispan_use_ssl: false
# if ssl is enabled, import ispn server certificate here
keycloak_infinispan_trust_store_path: /etc/pki/java/cacerts
keycloak_infinispan_trust_store_password: changeit
### database backend engine: values [ 'postgres', 'mariadb' ]
### database backend engine: values [ 'postgres', 'mariadb', 'sqlserver' ]
keycloak_jdbc_engine: postgres
### database backend credentials
keycloak_db_user: keycloak-user
keycloak_db_pass: keycloak-pass
## connection validation
keycloak_db_background_validation: false
keycloak_db_background_validation_millis: "{{ 10000 if keycloak_db_background_validation else 0 }}"
keycloak_db_background_validate_on_match: false
keycloak_jdbc_url: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
keycloak_jdbc_driver_version: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
# override the variables above, following defaults show minimum supported versions
@@ -94,5 +110,11 @@ keycloak_default_jdbc:
mariadb:
url: 'jdbc:mariadb://localhost:3306/keycloak'
version: 2.7.4
sqlserver:
url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
version: 12.2.0
# role specific vars
keycloak_no_log: True
keycloak_no_log: true
### logging configuration
keycloak_log_target: /var/log/keycloak

84
roles/keycloak/meta/argument_specs.yml
View File

@@ -54,6 +54,10 @@ argument_specs:
default: "{{ keycloak_installdir }}"
description: "Installation work directory"
type: "str"
keycloak_jboss_port_offset:
default: 0
description: "Port offset for the JBoss socket binding"
type: "int"
keycloak_config_dir:
# line 26 of keycloak/defaults/main.yml
default: "{{ keycloak_jboss_home }}/standalone/configuration"
@@ -74,6 +78,11 @@ argument_specs:
default: ""
description: "Path to custom template for standalone.xml configuration"
type: "str"
keycloak_service_runas:
# line 20 of keycloak/defaults/main.yml
default: false
description: "Enable execution of service as `keycloak_service_user`"
type: "bool"
keycloak_service_user:
# line 29 of keycloak/defaults/main.yml
default: "keycloak"
@@ -86,9 +95,14 @@ argument_specs:
type: "str"
keycloak_service_pidfile:
# line 31 of keycloak/defaults/main.yml
default: "/run/keycloak.pid"
default: "/run/keycloak/keycloak.pid"
description: "PID file path for service"
type: "str"
keycloak_features:
# line 17 of keycloak/defaults/main.yml
default: "[]"
description: "List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]`"
type: "list"
keycloak_bind_address:
# line 34 of keycloak/defaults/main.yml
default: "0.0.0.0"
@@ -96,7 +110,7 @@ argument_specs:
type: "str"
keycloak_management_port_bind_address:
default: "127.0.0.1"
description: "Address for binding the managemnt ports"
description: "Address for binding the management ports"
type: "str"
keycloak_host:
# line 35 of keycloak/defaults/main.yml
@@ -199,6 +213,10 @@ argument_specs:
default: "http://localhost"
description: "Frontend URL for keycloak endpoints when a reverse proxy is used"
type: "str"
keycloak_frontend_url_force:
default: false
description: "Force backend requests to use the frontend URL"
type: "bool"
keycloak_infinispan_user:
# line 62 of keycloak/defaults/main.yml
default: "supervisor"
@@ -237,7 +255,7 @@ argument_specs:
keycloak_jdbc_engine:
# line 72 of keycloak/defaults/main.yml
default: "postgres"
description: "Backend database flavour when db is enabled: [ postgres, mariadb ]"
description: "Backend database flavour when db is enabled: [ postgres, mariadb, sqlserver ]"
type: "str"
keycloak_db_user:
# line 74 of keycloak/defaults/main.yml
@@ -266,12 +284,12 @@ argument_specs:
type: "str"
keycloak_url:
# line 12 of keycloak/vars/main.yml
default: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
default: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
description: "URL for configuration rest calls"
type: "str"
keycloak_management_url:
# line 13 of keycloak/vars/main.yml
default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"
description: "URL for management console rest calls"
type: "str"
keycloak_service_name:
@@ -290,6 +308,26 @@ argument_specs:
default: "25"
description: "How many time should Ansible retry to connect to the service after it was started, before failing."
type: "int"
keycloak_service_restart_always:
default: false
description: "systemd restart always behavior activation for keycloak"
type: "bool"
keycloak_service_restart_on_failure:
default: false
description: "systemd restart on-failure behavior activation for keycloak"
type: "bool"
keycloak_service_startlimitintervalsec:
default: 300
description: "systemd StartLimitIntervalSec for keycloak"
type: "int"
keycloak_service_startlimitburst:
default: 5
description: "systemd StartLimitBurst for keycloak"
type: "int"
keycloak_service_restartsec:
default: "5s"
description: "systemd RestartSec for keycloak"
type: "str"
keycloak_no_log:
default: true
type: "bool"
@@ -298,6 +336,34 @@ argument_specs:
default: "{{ True if keycloak_ha_enabled else False }}"
description: "Enable remote cache store when in clustered ha configurations"
type: "bool"
keycloak_db_background_validation:
default: false
description: "Enable background validation of database connection"
type: "bool"
keycloak_db_background_validation_millis:
default: "{{ 10000 if keycloak_db_background_validation else 0 }}"
description: "How frequenly the connection pool is validated in the background"
type: 'int'
keycloak_db_background_validate_on_match:
default: false
description: "Enable validate on match for database connections"
type: "bool"
keycloak_db_valid_conn_sql:
required: false
description: "Override the default database connection validation query sql"
type: "str"
keycloak_admin_url:
required: false
description: "Override the default administration endpoint URL"
type: "str"
keycloak_jgroups_subnet:
required: false
description: "Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration"
type: "str"
keycloak_log_target:
default: '/var/log/keycloak'
type: "str"
description: "Set the destination of the keycloak log folder link"
downstream:
options:
sso_version:
@@ -317,15 +383,15 @@ argument_specs:
description: "Installation path for Red Hat SSO"
type: "str"
sso_apply_patches:
default: False
default: false
description: "Install Red Hat SSO most recent cumulative patch"
type: "bool"
sso_enable:
default: True
default: true
description: "Enable Red Hat Single Sign-on installation"
type: "str"
sso_offline_install:
default: False
default: false
description: "Perform an offline install"
type: "bool"
sso_service_name:
@@ -337,7 +403,7 @@ argument_specs:
description: "systemd description for Red Hat Single Sign-On"
type: "str"
sso_patch_version:
required: False
required: false
description: "Red Hat Single Sign-On latest cumulative patch version to apply; defaults to latest version when sso_apply_patches is True"
type: "str"
sso_patch_bundle:

8
roles/keycloak/meta/main.yml
View File

@@ -12,12 +12,12 @@ galaxy_info:
license: Apache License 2.0
min_ansible_version: "2.9"
min_ansible_version: "2.14"
platforms:
- name: EL
versions:
- 8
- name: EL
versions:
- "8"
galaxy_tags:
- keycloak

21
roles/keycloak/tasks/fastpackages.yml
View File

@@ -1,19 +1,16 @@
---
- name: Check packages to be installed
block:
- name: "Check if packages are already installed" # noqa command-instead-of-module this runs faster
ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
register: rpm_info
changed_when: rpm_info.failed
- name: "Check if packages are already installed" # noqa command-instead-of-module this runs faster
ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
register: rpm_info
changed_when: false
failed_when: false
rescue:
- name: "Add missing packages to the yum install list"
ansible.builtin.set_fact:
packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | flatten }}"
when: rpm_info.failed
- name: "Add missing packages to the yum install list"
ansible.builtin.set_fact:
packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
- name: "Install packages: {{ packages_to_install }}"
become: yes
become: true
ansible.builtin.yum:
name: "{{ packages_to_install }}"
state: present

10
roles/keycloak/tasks/firewalld.yml
View File

@@ -6,19 +6,19 @@
- firewalld
- name: Enable and start the firewalld service
become: yes
become: true
ansible.builtin.systemd:
name: firewalld
enabled: yes
enabled: true
state: started
- name: "Configure firewall for {{ keycloak.service_name }} ports"
become: yes
- name: "Configure firewall ports for {{ keycloak.service_name }}"
become: true
ansible.posix.firewalld:
port: "{{ item }}"
permanent: true
state: enabled
immediate: yes
immediate: true
loop:
- "{{ keycloak_http_port }}/tcp"
- "{{ keycloak_https_port }}/tcp"

85
roles/keycloak/tasks/install.yml
View File

@@ -11,7 +11,7 @@
quiet: true
- name: Check for an existing deployment
become: yes
become: true
ansible.builtin.stat:
path: "{{ keycloak_jboss_home }}"
register: existing_deploy
@@ -20,32 +20,32 @@
when: existing_deploy.stat.exists and keycloak_force_install | bool
block:
- name: "Stop the old {{ keycloak.service_name }} service"
become: yes
ignore_errors: yes
become: true
failed_when: false
ansible.builtin.systemd:
name: keycloak
state: stopped
- name: "Remove the old {{ keycloak.service_name }} deployment"
become: yes
become: true
ansible.builtin.file:
path: "{{ keycloak_jboss_home }}"
state: absent
- name: Check for an existing deployment after possible forced removal
become: yes
become: true
ansible.builtin.stat:
path: "{{ keycloak_jboss_home }}"
- name: "Create {{ keycloak.service_name }} service user/group"
become: yes
- name: "Create service user/group for {{ keycloak.service_name }}"
become: true
ansible.builtin.user:
name: "{{ keycloak_service_user }}"
home: /opt/keycloak
system: yes
create_home: no
- name: "Create {{ keycloak.service_name }} install location"
become: yes
- name: "Create install location for {{ keycloak.service_name }}"
become: true
ansible.builtin.file:
dest: "{{ keycloak_dest }}"
state: directory
@@ -53,13 +53,22 @@
group: "{{ keycloak_service_group }}"
mode: 0750
- name: Create pidfile folder
become: true
ansible.builtin.file:
dest: "{{ keycloak_service_pidfile | dirname }}"
state: directory
owner: "{{ keycloak_service_user if keycloak_service_runas else omit }}"
group: "{{ keycloak_service_group if keycloak_service_runas else omit }}"
mode: 0750
## check remote archive
- name: Set download archive path
ansible.builtin.set_fact:
archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"
- name: Check download archive path
become: yes
become: true
ansible.builtin.stat:
path: "{{ archive }}"
register: archive_path
@@ -77,7 +86,7 @@
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
mode: 0644
delegate_to: localhost
run_once: yes
run_once: true
when:
- archive_path is defined
- archive_path.stat is defined
@@ -87,7 +96,7 @@
- name: Perform download from RHN using JBoss Network API
delegate_to: localhost
run_once: yes
run_once: true
when:
- archive_path is defined
- archive_path.stat is defined
@@ -105,13 +114,13 @@
register: rhn_products
no_log: "{{ omit_rhn_output | default(true) }}"
delegate_to: localhost
run_once: yes
run_once: true
- name: Determine install zipfile from search results
ansible.builtin.set_fact:
rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/' + sso_archive + '$') }}"
delegate_to: localhost
run_once: yes
run_once: true
- name: Download Red Hat Single Sign-On
middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
@@ -121,7 +130,7 @@
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
no_log: "{{ omit_rhn_output | default(true) }}"
delegate_to: localhost
run_once: yes
run_once: true
- name: Download rhsso archive from alternate location
ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
@@ -129,7 +138,7 @@
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
mode: 0644
delegate_to: localhost
run_once: yes
run_once: true
when:
- archive_path is defined
- archive_path.stat is defined
@@ -157,23 +166,23 @@
- not archive_path.stat.exists
- local_archive_path.stat is defined
- local_archive_path.stat.exists
become: yes
become: true
- name: "Check target directory: {{ keycloak.home }}"
ansible.builtin.stat:
path: "{{ keycloak.home }}"
register: path_to_workdir
become: yes
become: true
- name: "Extract {{ keycloak_service_desc }} archive on target"
ansible.builtin.unarchive:
remote_src: yes
remote_src: true
src: "{{ archive }}"
dest: "{{ keycloak_dest }}"
creates: "{{ keycloak.home }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
become: yes
become: true
when:
- new_version_downloaded.changed or not path_to_workdir.stat.exists
notify:
@@ -191,7 +200,13 @@
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
recurse: true
become: yes
become: true
changed_when: false
- name: Ensure permissions are correct on existing deploy
ansible.builtin.command: chown -R "{{ keycloak_service_user }}:{{ keycloak_service_group }}" "{{ keycloak.home }}"
when: keycloak_service_runas
become: true
changed_when: false
# driver and configuration
@@ -200,7 +215,7 @@
when: keycloak_jdbc[keycloak_jdbc_engine].enabled
- name: "Deploy custom {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak_config_override_template }}"
become: yes
become: true
ansible.builtin.template:
src: "templates/{{ keycloak_config_override_template }}"
dest: "{{ keycloak_config_path_to_standalone_xml }}"
@@ -212,7 +227,7 @@
when: keycloak_config_override_template | length > 0
- name: "Deploy standalone {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
become: yes
become: true
ansible.builtin.template:
src: templates/standalone.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}"
@@ -232,15 +247,15 @@
{
"name": item,
"address": 'jgroups-' + item,
"inventory_host": hostvars[item].ansible_default_ipv4.address | default(item) + '[' + keycloak_jgroups_port + ']',
"inventory_host": hostvars[item].ansible_default_ipv4.address | default(item) + '[' + (keycloak_jgroups_port | string) + ']',
"value": hostvars[item].ansible_default_ipv4.address | default(item)
}
] }}
loop: "{{ ansible_play_batch }}"
loop: "{{ ansible_play_batch }}"
when: keycloak_ha_enabled and keycloak_ha_discovery == 'TCPPING'
- name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak.config_template_source }}"
become: yes
- name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
become: true
ansible.builtin.template:
src: templates/standalone-ha.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}"
@@ -255,7 +270,7 @@
- keycloak_config_override_template | length == 0
- name: "Deploy HA {{ keycloak.service_name }} config with infinispan remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
become: yes
become: true
ansible.builtin.template:
src: templates/standalone-infinispan.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}"
@@ -266,5 +281,17 @@
- restart keycloak
when:
- keycloak_ha_enabled
- keycloak_remote_cache_enabled
- keycloak_remote_cache_enabled
- keycloak_config_override_template | length == 0
- name: "Deploy profile.properties file to {{ keycloak_config_path_to_properties }}"
become: true
ansible.builtin.template:
src: keycloak-profile.properties.j2
dest: "{{ keycloak_config_path_to_properties }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0640
notify:
- restart keycloak
when: keycloak_features | length > 0

10
roles/keycloak/tasks/jdbc_driver.yml
View File

@@ -3,17 +3,17 @@
ansible.builtin.stat:
path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
register: dest_path
become: yes
become: true
- name: "Set up module dir for JDBC Driver {{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}"
ansible.builtin.file:
path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
state: directory
recurse: yes
recurse: true
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0750
become: yes
become: true
when:
- not dest_path.stat.exists
@@ -24,7 +24,7 @@
group: "{{ keycloak_service_group }}"
owner: "{{ keycloak_service_user }}"
mode: 0640
become: yes
become: true
- name: "Deploy module.xml for JDBC Driver"
ansible.builtin.template:
@@ -33,4 +33,4 @@
group: "{{ keycloak_service_group }}"
owner: "{{ keycloak_service_user }}"
mode: 0640
become: yes
become: true

10
roles/keycloak/tasks/main.yml
View File

@@ -34,8 +34,8 @@
ansible.builtin.file:
state: link
src: "{{ keycloak_jboss_home }}/standalone/log"
dest: /var/log/keycloak
become: yes
dest: "{{ keycloak_log_target }}"
become: true
- name: Set admin credentials and restart if not already created
block:
@@ -44,7 +44,7 @@
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no
validate_certs: false
register: keycloak_auth_response
until: keycloak_auth_response.status == 200
retries: 2
@@ -58,8 +58,8 @@
- "-rmaster"
- "-u{{ keycloak_admin_user }}"
- "-p{{ keycloak_admin_password }}"
changed_when: yes
become: yes
changed_when: true
become: true
- name: "Restart {{ keycloak.service_name }}"
ansible.builtin.include_tasks: tasks/restart_keycloak.yml
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"

21
roles/keycloak/tasks/prereqs.yml
View File

@@ -3,7 +3,7 @@
ansible.builtin.assert:
that:
- keycloak_admin_password | length > 12
quiet: True
quiet: true
fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_admin_password variable to a 12+ char long string"
success_msg: "{{ 'Console administrator password OK' }}"
@@ -11,35 +11,27 @@
ansible.builtin.assert:
that:
- (keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and not keycloak_db_enabled)
quiet: True
quiet: true
fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_ha_enabled and keycloak_db_enabled"
success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"
- name: Validate remote cache store configuration
ansible.builtin.assert:
that:
- (keycloak_remote_cache_enabled and keycloak_ha_enabled) or (not keycloak_ha_enabled)
quiet: True
fail_msg: "Cannot deploy with remote cache storage on infinispan when keycloak_ha_enabled is false"
success_msg: "{{ 'Configuring HA with infinispan remote cache storage' if keycloak_ha_enabled else 'Configuring standalone' }}"
- name: Validate credentials
ansible.builtin.assert:
that:
- (rhn_username is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install
- (rhn_password is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install
quiet: True
quiet: true
fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
success_msg: "Installing {{ keycloak_service_desc }}"
- name: Validate persistence configuration
ansible.builtin.assert:
that:
- keycloak_jdbc_engine is defined and keycloak_jdbc_engine in [ 'postgres', 'mariadb' ]
- keycloak_jdbc_engine is defined and keycloak_jdbc_engine in [ 'postgres', 'mariadb', 'sqlserver' ]
- keycloak_jdbc_url | length > 0
- keycloak_db_user | length > 0
- keycloak_db_pass | length > 0
quiet: True
quiet: true
fail_msg: "Configuration for the JDBC persistence is invalid or incomplete"
success_msg: "Configuring JDBC persistence using {{ keycloak_jdbc_engine }} database"
when: keycloak_db_enabled
@@ -51,4 +43,5 @@
- "{{ keycloak_jvm_package }}"
- unzip
- procps-ng
- initscripts
- initscripts
- tzdata-java

11
roles/keycloak/tasks/restart_keycloak.yml
View File

@@ -2,11 +2,12 @@
- name: "Restart and enable {{ keycloak.service_name }} service"
ansible.builtin.systemd:
name: keycloak
enabled: yes
enabled: true
state: restarted
become: yes
daemon_reload: true
become: true
delegate_to: "{{ ansible_play_hosts | first }}"
run_once: True
run_once: true
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:
@@ -14,7 +15,7 @@
register: keycloak_status
until: keycloak_status.status == 200
delegate_to: "{{ ansible_play_hosts | first }}"
run_once: True
run_once: true
retries: "{{ keycloak_service_start_retries }}"
delay: "{{ keycloak_service_start_delay }}"
@@ -23,5 +24,5 @@
name: keycloak
enabled: yes
state: restarted
become: yes
become: true
when: inventory_hostname != ansible_play_hosts | first

39
roles/keycloak/tasks/rhsso_patch.yml
View File

@@ -3,6 +3,8 @@
- name: Set download patch archive path
ansible.builtin.set_fact:
patch_archive: "{{ keycloak_dest }}/{{ sso_patch_bundle }}"
patch_bundle: "{{ sso_patch_bundle }}"
patch_version: "{{ sso_patch_version }}"
when: sso_patch_version is defined
- name: Check download patch archive path
@@ -10,10 +12,11 @@
path: "{{ patch_archive }}"
register: patch_archive_path
when: sso_patch_version is defined
become: true
- name: Perform patch download from RHN via JBossNetwork API
delegate_to: localhost
run_once: yes
run_once: true
when:
- sso_enable is defined and sso_enable
- not keycloak_offline_install
@@ -29,21 +32,21 @@
register: rhn_products
no_log: "{{ omit_rhn_output | default(true) }}"
delegate_to: localhost
run_once: yes
run_once: true
- name: Determine patch versions list
set_fact:
filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | map('regex_replace','[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*)-.*','\\1' ) | list | unique }}"
ansible.builtin.set_fact:
filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | map('regex_replace', '[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*)-.*', '\\1') | list | unique }}"
when: sso_patch_version is not defined or sso_patch_version | length == 0
delegate_to: localhost
run_once: yes
run_once: true
- name: Determine latest version
set_fact:
sso_latest_version: "{{ filtered_versions | middleware_automation.keycloak.version_sort | last }}"
ansible.builtin.set_fact:
sso_latest_version: "{{ filtered_versions | middleware_automation.common.version_sort | last }}"
when: sso_patch_version is not defined or sso_patch_version | length == 0
delegate_to: localhost
run_once: yes
run_once: true
- name: Determine install zipfile from search results
ansible.builtin.set_fact:
@@ -52,16 +55,16 @@
patch_version: "{{ sso_latest_version }}"
when: sso_patch_version is not defined or sso_patch_version | length == 0
delegate_to: localhost
run_once: yes
run_once: true
- name: "Determine selected patch from supplied version: {{ sso_patch_version }}"
set_fact:
ansible.builtin.set_fact:
rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/' + sso_patch_bundle + '$') }}"
patch_bundle: "{{ sso_patch_bundle }}"
patch_version: "{{ sso_patch_version }}"
when: sso_patch_version is defined
delegate_to: localhost
run_once: yes
run_once: true
- name: Download Red Hat Single Sign-On patch
middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
@@ -71,7 +74,7 @@
dest: "{{ local_path.stat.path }}/{{ patch_bundle }}"
no_log: "{{ omit_rhn_output | default(true) }}"
delegate_to: localhost
run_once: yes
run_once: true
- name: Set download patch archive path
ansible.builtin.set_fact:
@@ -81,7 +84,7 @@
ansible.builtin.stat:
path: "{{ patch_archive }}"
register: patch_archive_path
become: yes
become: true
## copy and unpack
- name: Copy patch archive to target nodes
@@ -96,7 +99,7 @@
- not patch_archive_path.stat.exists
- local_archive_path.stat is defined
- local_archive_path.stat.exists
become: yes
become: true
- name: "Check installed patches"
ansible.builtin.include_tasks: rhsso_cli.yml
@@ -104,7 +107,7 @@
query: "patch info"
args:
apply:
become: yes
become: true
become_user: "{{ keycloak_service_user }}"
- name: "Perform patching"
@@ -119,7 +122,7 @@
query: "patch apply {{ patch_archive }}"
args:
apply:
become: yes
become: true
become_user: "{{ keycloak_service_user }}"
- name: "Restart server to ensure patch content is running"
@@ -130,7 +133,7 @@
- cli_result.rc == 0
args:
apply:
become: yes
become: true
become_user: "{{ keycloak_service_user }}"
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
@@ -147,7 +150,7 @@
query: "patch info"
args:
apply:
become: yes
become: true
become_user: "{{ keycloak_service_user }}"
- name: "Verify installed patch version"

5
roles/keycloak/tasks/start_keycloak.yml
View File

@@ -2,9 +2,10 @@
- name: "Start {{ keycloak.service_name }} service"
ansible.builtin.systemd:
name: keycloak
enabled: yes
enabled: true
state: started
become: yes
daemon_reload: true
become: true
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:

4
roles/keycloak/tasks/stop_keycloak.yml
View File

@@ -2,6 +2,6 @@
- name: "Stop {{ keycloak.service_name }}"
ansible.builtin.systemd:
name: keycloak
enabled: yes
enabled: true
state: stopped
become: yes
become: true

29
roles/keycloak/tasks/systemd.yml
View File

@@ -1,6 +1,6 @@
---
- name: "Configure {{ keycloak.service_name }} service script wrapper"
become: yes
become: true
ansible.builtin.template:
src: keycloak-service.sh.j2
dest: "{{ keycloak_dest }}/keycloak-service.sh"
@@ -10,17 +10,12 @@
notify:
- restart keycloak
- name: Determine JAVA_HOME for selected JVM RPM # noqa blocked_modules
ansible.builtin.shell: |
set -o pipefail
rpm -ql {{ keycloak_jvm_package }} | grep -Po '/usr/lib/jvm/.*(?=/bin/java$)'
args:
executable: /bin/bash
changed_when: False
register: rpm_java_home
- name: Determine JAVA_HOME for selected JVM RPM
ansible.builtin.set_fact:
rpm_java_home: "/etc/alternatives/jre_{{ keycloak_jvm_package | regex_search('(?<=java-)[0-9.]+') }}"
- name: "Configure sysconfig file for {{ keycloak.service_name }} service"
become: yes
become: true
ansible.builtin.template:
src: keycloak-sysconfig.j2
dest: /etc/sysconfig/keycloak
@@ -28,7 +23,7 @@
group: root
mode: 0644
vars:
keycloak_rpm_java_home: "{{ rpm_java_home.stdout }}"
keycloak_rpm_java_home: "{{ rpm_java_home }}"
notify:
- restart keycloak
@@ -39,20 +34,14 @@
owner: root
group: root
mode: 0644
become: yes
become: true
register: systemdunit
notify:
- restart keycloak
- name: Reload systemd
become: yes
ansible.builtin.systemd:
daemon_reload: yes
when: systemdunit.changed
- name: "Start and wait for {{ keycloak.service_name }} service (first node db)"
ansible.builtin.include_tasks: start_keycloak.yml
run_once: yes
run_once: true
when: keycloak_db_enabled
- name: "Start and wait for {{ keycloak.service_name }} service (remaining nodes)"
@@ -61,7 +50,7 @@
- name: Check service status
ansible.builtin.command: "systemctl status keycloak"
register: keycloak_service_status
changed_when: False
changed_when: false
- name: Verify service status
ansible.builtin.assert:

8
roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2
View File

@@ -631,7 +631,7 @@
</mail-session>
</subsystem>
<subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
{% if keycloak_modcluster.enabled %}
{% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise="false" listener="ajp" proxies="proxy1">
<dynamic-load-provider>
@@ -639,7 +639,7 @@
</dynamic-load-provider>
</proxy>
</subsystem>
{% endif %}
{% endif %}
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
@@ -728,7 +728,7 @@
</interface>
<interface name="jgroups">
{% if ansible_default_ipv4 is defined %}
<subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
<subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
{% else %}
<any-address />
{% endif %}
@@ -737,7 +737,7 @@
<inet-address value="{{ keycloak_bind_address }}"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
<socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
<socket-binding name="http" port="{{ keycloak_http_port }}"/>
<socket-binding name="https" port="{{ keycloak_https_port }}"/>

2
roles/keycloak/templates/15.0.8/standalone.xml.j2
View File

@@ -638,7 +638,7 @@
<inet-address value="{{ keycloak_bind_address }}"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
<socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
<socket-binding name="http" port="{{ keycloak_http_port }}"/>
<socket-binding name="https" port="{{ keycloak_https_port }}"/>

4
roles/keycloak/templates/9.0.2/standalone-infinispan.xml.j2
View File

@@ -725,7 +725,7 @@
</interface>
<interface name="jgroups">
{% if ansible_default_ipv4 is defined %}
<subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
<subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
{% else %}
<any-address />
{% endif %}
@@ -734,7 +734,7 @@
<inet-address value="${jboss.bind.address:127.0.0.1}"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>

2
roles/keycloak/templates/9.0.2/standalone.xml.j2
View File

@@ -598,7 +598,7 @@
<inet-address value="${jboss.bind.address:127.0.0.1}"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>

3
roles/keycloak/templates/keycloak-profile.properties.j2 Normal file
View File

@@ -0,0 +1,3 @@
{% for feature in keycloak.features %}
feature.{{ feature.name }}={{ feature.status | default('enabled') }}
{% endfor %}

10
roles/keycloak/templates/keycloak-sysconfig.j2
View File

@@ -8,4 +8,12 @@ KEYCLOAK_HTTPS_PORT={{ keycloak_https_port }}
KEYCLOAK_MANAGEMENT_HTTP_PORT={{ keycloak_management_http_port }}
KEYCLOAK_MANAGEMENT_HTTPS_PORT={{ keycloak_management_https_port }}
JBOSS_PIDFILE='{{ keycloak_service_pidfile }}'
LAUNCH_JBOSS_IN_BACKGROUND=1
WILDFLY_OPTS=-Djboss.bind.address=${KEYCLOAK_BIND_ADDRESS} \
-Djboss.http.port=${KEYCLOAK_HTTP_PORT} \
-Djboss.https.port=${KEYCLOAK_HTTPS_PORT} \
-Djboss.management.http.port=${KEYCLOAK_MANAGEMENT_HTTP_PORT} \
-Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \
-Djboss.node.name={{ inventory_hostname }} \
{% if keycloak_prefer_ipv4 %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\
{% if keycloak_config_standalone_xml is defined %}--server-config={{ keycloak_config_standalone_xml }}{% endif %}

18
roles/keycloak/templates/keycloak.service.j2
View File

@@ -2,16 +2,28 @@
[Unit]
Description={{ keycloak.service_name }} Server
After=network.target
StartLimitIntervalSec={{ keycloak_service_startlimitintervalsec }}
StartLimitBurst={{ keycloak_service_startlimitburst }}
[Service]
Type=forking
{% if keycloak_service_runas %}
User={{ keycloak_service_user }}
Group={{ keycloak_service_group }}
{% endif -%}
EnvironmentFile=-/etc/sysconfig/keycloak
PIDFile={{ keycloak_service_pidfile }}
ExecStart={{ keycloak_dest }}/keycloak-service.sh start
ExecStop={{ keycloak_dest }}/keycloak-service.sh stop
ExecStart={{ keycloak.home }}/bin/standalone.sh $WILDFLY_OPTS
WorkingDirectory={{ keycloak.home }}
TimeoutStartSec=30
TimeoutStopSec=30
LimitNOFILE=102642
{% if keycloak_service_restart_always %}
Restart=always
{% elif keycloak_service_restart_on_failure %}
Restart=on-failure
{% endif %}
RestartSec={{ keycloak_service_restartsec }}
[Install]
WantedBy=multi-user.target

28
roles/keycloak/templates/standalone-ha.xml.j2
View File

@@ -136,6 +136,14 @@
<user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
<password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
</security>
<validation>
<check-valid-connection-sql>{{ keycloak_jdbc[keycloak_jdbc_engine].validate_query }}</check-valid-connection-sql>
<validate-on-match>{{ keycloak_db_background_validate_on_match }}</validate-on-match>
{% if keycloak_db_background_validation_millis | int > 0 or keycloak_db_background_validation %}
<background-validation>{{ keycloak_db_background_validation }}</background-validation>
<background-validation-millis>{{ keycloak_db_background_validation_millis }}</background-validation-millis>
{% endif %}
</validation>
{% else %}
<connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
<driver>h2</driver>
@@ -376,7 +384,6 @@
<distributed-cache name="offlineClientSessions" owners="2"/>
<distributed-cache name="loginFailures" owners="2"/>
<distributed-cache name="actionTokens" owners="2">
<object-memory size="-1"/>
<expiration interval="300000" max-idle="-1"/>
</distributed-cache>
<local-cache name="authorization">
@@ -574,7 +581,10 @@
<provider name="default" enabled="true">
<properties>
<property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
<property name="forceBackendUrlToFrontendUrl" value="true"/>
<property name="forceBackendUrlToFrontendUrl" value="{{ keycloak_modcluster.force_frontend_url }}"/>
{% if keycloak_modcluster.admin_url | length > 0 %}
<property name="adminUrl" value="{{ keycloak_modcluster.admin_url }}" />
{% endif %}
</properties>
</provider>
</spi>
@@ -585,7 +595,7 @@
</mail-session>
</subsystem>
<subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
{% if keycloak_modcluster.enabled %}
{% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise="false" listener="ajp" proxies="{{ ['proxy_'] | product(keycloak_modcluster.reverse_proxy_urls | map(attribute='host')) | map('join') | list | join(' ') }}">
<dynamic-load-provider>
@@ -593,7 +603,7 @@
</dynamic-load-provider>
</proxy>
</subsystem>
{% endif %}
{% endif %}
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
@@ -639,7 +649,7 @@
</handlers>
<application-security-domains>
<application-security-domain name="other" security-domain="ApplicationDomain"/>
</application-security-domains>
</application-security-domains>
<filters>
<filter name="proxy-peer" module="io.undertow.core"
class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"/>
@@ -652,8 +662,10 @@
<inet-address value="{{ keycloak_management_port_bind_address }}"/>
</interface>
<interface name="jgroups">
{% if ansible_default_ipv4 is defined %}
<subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
{% if keycloak_jgroups_subnet is defined and keycloak_jgroups_subnet is not none and keycloak_jgroups_subnet | string | length > 0 %}
<subnet-match value="{{ keycloak_jgroups_subnet | string }}"/>
{% elif ansible_default_ipv4 is defined and (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') | length > 0 %}
<subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
{% else %}
<any-address />
{% endif %}
@@ -662,7 +674,7 @@
<inet-address value="{{ keycloak_bind_address }}"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
<socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
<socket-binding name="http" port="{{ keycloak_http_port }}"/>
<socket-binding name="https" port="{{ keycloak_https_port }}"/>

27
roles/keycloak/templates/standalone-infinispan.xml.j2
View File

@@ -136,6 +136,14 @@
<user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
<password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
</security>
<validation>
<check-valid-connection-sql>{{ keycloak_jdbc[keycloak_jdbc_engine].validate_query }}</check-valid-connection-sql>
<validate-on-match>{{ keycloak_db_background_validate_on_match }}</validate-on-match>
{% if keycloak_db_background_validation_millis | int > 0 or keycloak_db_background_validation %}
<background-validation>{{ keycloak_db_background_validation }}</background-validation>
<background-validation-millis>{{ keycloak_db_background_validation_millis }}</background-validation-millis>
{% endif %}
</validation>
{% else %}
<connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
<driver>h2</driver>
@@ -611,7 +619,10 @@
<provider name="default" enabled="true">
<properties>
<property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
<property name="forceBackendUrlToFrontendUrl" value="true"/>
<property name="forceBackendUrlToFrontendUrl" value="{{ keycloak_modcluster.force_frontend_url }}"/>
{% if keycloak_modcluster.admin_url | length > 0 %}
<property name="adminUrl" value="{{ keycloak_modcluster.admin_url }}" />
{% endif %}
</properties>
</provider>
</spi>
@@ -622,7 +633,7 @@
</mail-session>
</subsystem>
<subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
{% if keycloak_modcluster.enabled %}
{% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise="false" listener="ajp" proxies="{{ ['proxy_'] | product(keycloak_modcluster.reverse_proxy_urls | map(attribute='host')) | map('join') | list | join(' ') }}">
<dynamic-load-provider>
@@ -630,7 +641,7 @@
</dynamic-load-provider>
</proxy>
</subsystem>
{% endif %}
{% endif %}
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
@@ -676,7 +687,7 @@
</handlers>
<application-security-domains>
<application-security-domain name="other" security-domain="ApplicationDomain"/>
</application-security-domains>
</application-security-domains>
<filters>
<filter name="proxy-peer" module="io.undertow.core"
class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"/>
@@ -689,8 +700,10 @@
<inet-address value="{{ keycloak_management_port_bind_address }}"/>
</interface>
<interface name="jgroups">
{% if ansible_default_ipv4 is defined %}
<subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
{% if keycloak_jgroups_subnet is defined and keycloak_jgroups_subnet is not none and keycloak_jgroups_subnet | string | length > 0 %}
<subnet-match value="{{ keycloak_jgroups_subnet | string }}"/>
{% elif ansible_default_ipv4 is defined and (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') | length > 0 %}
<subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
{% else %}
<any-address />
{% endif %}
@@ -699,7 +712,7 @@
<inet-address value="{{ keycloak_bind_address }}"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
<socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
<socket-binding name="http" port="{{ keycloak_http_port }}"/>
<socket-binding name="https" port="{{ keycloak_https_port }}"/>

15
roles/keycloak/templates/standalone.xml.j2
View File

@@ -123,6 +123,14 @@
<user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
<password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
</security>
<validation>
<check-valid-connection-sql>{{ keycloak_jdbc[keycloak_jdbc_engine].validate_query }}</check-valid-connection-sql>
<validate-on-match>{{ keycloak_db_background_validate_on_match }}</validate-on-match>
{% if keycloak_db_background_validation_millis | int > 0 or keycloak_db_background_validation %}
<background-validation>{{ keycloak_db_background_validation }}</background-validation>
<background-validation-millis>{{ keycloak_db_background_validation_millis }}</background-validation-millis>
{% endif %}
</validation>
{% else %}
<connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
<driver>h2</driver>
@@ -517,7 +525,10 @@
<provider name="default" enabled="true">
<properties>
<property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
<property name="forceBackendUrlToFrontendUrl" value="true"/>
<property name="forceBackendUrlToFrontendUrl" value="{{ keycloak_modcluster.force_frontend_url }}"/>
{% if keycloak_modcluster.admin_url | length > 0 %}
<property name="adminUrl" value="{{ keycloak_modcluster.admin_url }}" />
{% endif %}
</properties>
</provider>
</spi>
@@ -593,7 +604,7 @@
<inet-address value="{{ keycloak_bind_address }}"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
<socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
<socket-binding name="http" port="{{ keycloak_http_port }}"/>
<socket-binding name="https" port="{{ keycloak_https_port }}"/>

36
roles/keycloak/vars/main.yml
View File

@@ -2,8 +2,8 @@
# internal variables below
# locations
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"
keycloak:
@@ -14,6 +14,7 @@ keycloak:
health_url: "{{ keycloak_management_url }}/health"
cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh"
config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 else 'standalone-ha.xml.j2' if keycloak_remote_cache_enabled else 'standalone.xml.j2' }}"
features: "{{ keycloak_features }}"
# database
keycloak_jdbc:
@@ -29,6 +30,7 @@ keycloak_jdbc:
connection_url: "{{ keycloak_jdbc_url }}"
db_user: "{{ keycloak_db_user }}"
db_password: "{{ keycloak_db_pass }}"
validate_query: "{{ keycloak_db_valid_conn_sql | default('select 1') }}"
initialize_db: >
CREATE TABLE IF NOT EXISTS JGROUPSPING (
own_addr varchar(200) NOT NULL,
@@ -39,7 +41,7 @@ keycloak_jdbc:
mariadb:
enabled: "{{ (keycloak_ha_enabled or keycloak_db_enabled) and keycloak_jdbc_engine == 'mariadb' }}"
driver_class: org.mariadb.jdbc.Driver
xa_datasource_class: org.mariadb.jdbc.MySQLDataSource
xa_datasource_class: org.mariadb.jdbc.MariaDbDataSource
driver_module_name: "org.mariadb"
driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/mariadb/main"
driver_version: "{{ keycloak_jdbc_driver_version }}"
@@ -48,6 +50,7 @@ keycloak_jdbc:
connection_url: "{{ keycloak_jdbc_url }}"
db_user: "{{ keycloak_db_user }}"
db_password: "{{ keycloak_db_pass }}"
validate_query: "{{ keycloak_db_valid_conn_sql | default('select 1') }}"
initialize_db: >
CREATE TABLE IF NOT EXISTS JGROUPSPING (
own_addr varchar(200) NOT NULL,
@@ -56,12 +59,37 @@ keycloak_jdbc:
ping_data varbinary(5000) DEFAULT NULL,
PRIMARY KEY (own_addr, cluster_name))
ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin
sqlserver:
enabled: "{{ (keycloak_ha_enabled or keycloak_db_enabled) and keycloak_jdbc_engine == 'sqlserver' }}"
driver_class: com.microsoft.sqlserver.jdbc.SQLServerDriver
xa_datasource_class: com.microsoft.sqlserver.jdbc.SQLServerXADataSource
driver_module_name: "com.microsoft.sqlserver"
driver_module_dir: "{{ keycloak_jboss_home }}/modules/com/microsoft/sqlserver/main"
driver_version: "{{ keycloak_jdbc_driver_version }}"
driver_jar_filename: "mssql-java-client-{{ keycloak_jdbc_driver_version }}.jar"
driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/{{ keycloak_jdbc_driver_version }}.jre11/mssql-jdbc-{{ keycloak_jdbc_driver_version }}.jre11.jar" # e.g., https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar
connection_url: "{{ keycloak_jdbc_url }}"
db_user: "{{ keycloak_db_user }}"
db_password: "{{ keycloak_db_pass }}"
validate_query: "{{ keycloak_db_valid_conn_sql | default('select 1') }}"
initialize_db: >
IF NOT EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[JGROUPSPING]') AND type in (N'U'))
BEGIN
CREATE TABLE JGROUPSPING (
own_addr varchar(200) NOT NULL,
cluster_name varchar(200) NOT NULL,
updated DATETIME2 DEFAULT SYSUTCDATETIME(),
ping_data varbinary(5000) DEFAULT NULL,
PRIMARY KEY (own_addr, cluster_name))
END
# reverse proxy mod_cluster
keycloak_modcluster:
enabled: "{{ keycloak_ha_enabled or keycloak_modcluster_enabled }}"
reverse_proxy_urls: "{{ keycloak_modcluster_urls }}"
frontend_url: "{{ keycloak_frontend_url }}"
force_frontend_url: "{{ keycloak_frontend_url_force }}"
admin_url: "{{ keycloak_admin_url | default('') }}"
# infinispan
keycloak_remotecache:
@@ -73,4 +101,4 @@ keycloak_remotecache:
server_name: "{{ keycloak_infinispan_url }}"
use_ssl: "{{ keycloak_infinispan_use_ssl }}"
trust_store_path: "{{ keycloak_infinispan_trust_store_path }}"
trust_store_password: "{{ keycloak_infinispan_trust_store_password }}"
trust_store_password: "{{ keycloak_infinispan_trust_store_password }}"

51
roles/keycloak_quarkus/README.md
View File

@@ -1,7 +1,7 @@
keycloak_quarkus
================
Install [keycloak](https://keycloak.org/) >= 17.0.0 (quarkus) server configurations.
Install [keycloak](https://keycloak.org/) >= 20.0.0 (quarkus) server configurations.
Role Defaults
@@ -11,7 +11,7 @@ Role Defaults
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_version`| keycloak.org package version | `17.0.1` |
|`keycloak_quarkus_version`| keycloak.org package version | `23.0.1` |
* Service configuration
@@ -22,30 +22,51 @@ Role Defaults
|`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` |
|`keycloak_quarkus_admin_user`| Administration console user account | `admin` |
|`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` |
|`keycloak_quarkus_host`| hostname | `localhost` |
|`keycloak_quarkus_http_port`| HTTP port | `8080` |
|`keycloak_quarkus_https_port`| TLS HTTP port | `8443` |
|`keycloak_quarkus_host`| Hostname for the Keycloak server | `localhost` |
|`keycloak_quarkus_port`| The port used by the proxy when exposing the hostname | `-1` |
|`keycloak_quarkus_path`| This should be set if proxy uses a different context-path for Keycloak | |
|`keycloak_quarkus_http_port`| HTTP listening port | `8080` |
|`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` |
|`keycloak_quarkus_ajp_port`| AJP port | `8009` |
|`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7600` |
|`keycloak_quarkus_service_user`| Posix account username | `keycloak` |
|`keycloak_quarkus_service_group`| Posix account group | `keycloak` |
|`keycloak_quarkus_service_restart_always`| systemd restart always behavior activation | `False` |
|`keycloak_quarkus_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` |
|`keycloak_quarkus_service_restartsec`| systemd RestartSec | `10s` |
|`keycloak_quarkus_service_pidfile`| Pid file path for service | `/run/keycloak.pid` |
|`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-11-openjdk-headless` |
|`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-17-openjdk-headless` |
|`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
|`keycloak_quarkus_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
|`keycloak_quarkus_frontend_url`| Service public URL | `http://localhost:8080/auth` |
|`keycloak_quarkus_http_relative_path` | Service context path | `auth` |
|`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | |
|`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
|`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
|`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
|`keycloak_quarkus_https_enabled`| Enable listener on HTTPS port | `False` |
|`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
|`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `{{ keycloak.home }}/conf/server.key.pem` |
|`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `{{ keycloak.home }}/conf/server.crt.pem` |
|`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` |
|`keycloak_quarkus_key_store_file`| The file pat to the key store | `{{ keycloak.home }}/conf/key_store.p12` |
|`keycloak_quarkus_key_store_password`| Password for the key store | `""` |
|`keycloak_quarkus_https_trust_store_enabled`| Enalbe confiugration of a trust store | `False` |
|`keycloak_quarkus_trust_store_file`| The file pat to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
|`keycloak_quarkus_trust_store_password`| Password for the trust store | `""` |
* Hostname configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` |
|`keycloak_quarkus_hostname_strict`| Disables dynamically resolving the hostname from request headers | `true` |
|`keycloak_quarkus_hostname_strict_backchannel`| By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled. | `false` |
* Database configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_jdbc_engine` | Database engine [mariadb,postres] | `postgres` |
|`keycloak_quarkus_jdbc_engine` | Database engine [mariadb,postres,mssql] | `postgres` |
|`keycloak_quarkus_db_user` | User for database connection | `keycloak-user` |
|`keycloak_quarkus_db_pass` | Password for database connection | `keycloak-pass` |
|`keycloak_quarkus_jdbc_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` |
@@ -62,7 +83,7 @@ Role Defaults
|`keycloak_quarkus_ispn_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` |
|`keycloak_quarkus_ispn_use_ssl` | Whether infinispan uses TLS connection | `false` |
|`keycloak_quarkus_ispn_trust_store_path` | Path to infinispan server trust certificate | `/etc/pki/java/cacerts` |
|`keycloak_quarkus_ispn_trust_store_password` | Password for infinispan certificate keystore | `changeit` |
|`keycloak_quarkus_ispn_trust_store_password` | Password for infinispan certificate keystore | `changeit` |
* Install options
@@ -70,8 +91,7 @@ Role Defaults
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
|`keycloak_quarkus_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`|
|`keycloak_quarkus_version`| keycloak.org package version | `17.0.1` |
|`keycloak_quarkus_version`| keycloak.org package version | `23.0.1` |
|`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
|`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
|`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
@@ -91,13 +111,14 @@ Role Defaults
|`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
|`keycloak_force_install` | Remove pre-existing versions of service | `False` |
|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_http_port }}` |
|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_management_http_port }}` |
|`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` |
|`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` |
|`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` |
|`keycloak_quarkus_log_format`| Set a format specific to file log entries | `%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n` |
|`keycloak_quarkus_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` |
|`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` |
|`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` |
|`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` |
Role Variables
@@ -106,6 +127,8 @@ Role Variables
| Variable | Description | Required |
|:---------|:------------|----------|
|`keycloak_quarkus_admin_pass`| Password of console admin account | `yes` |
|`keycloak_quarkus_frontend_url`| Base URL for frontend URLs, including scheme, host, port and path | `no` |
|`keycloak_quarkus_admin_url`| Base URL for accessing the administration console, including scheme, host, port and path | `no` |
License

67
roles/keycloak_quarkus/defaults/main.yml
View File

@@ -1,34 +1,39 @@
---
### Configuration specific to keycloak
keycloak_quarkus_version: 18.0.0
keycloak_quarkus_version: 23.0.1
keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
# whether to install from local archive
keycloak_quarkus_offline_install: False
keycloak_quarkus_offline_install: false
### Install location and service settings
keycloak_quarkus_jvm_package: java-11-openjdk-headless
keycloak_quarkus_jvm_package: java-17-openjdk-headless
keycloak_quarkus_java_home:
keycloak_quarkus_dest: /opt/keycloak
keycloak_quarkus_home: "{{ keycloak_quarkus_installdir }}"
keycloak_quarkus_config_dir: "{{ keycloak_quarkus_home }}/conf"
keycloak_quarkus_start_dev: False
keycloak_quarkus_start_dev: false
keycloak_quarkus_service_user: keycloak
keycloak_quarkus_service_group: keycloak
keycloak_quarkus_service_pidfile: "/run/keycloak.pid"
keycloak_quarkus_configure_firewalld: False
keycloak_quarkus_service_pidfile: "/run/keycloak/keycloak.pid"
keycloak_quarkus_configure_firewalld: false
keycloak_quarkus_service_restart_always: false
keycloak_quarkus_service_restart_on_failure: false
keycloak_quarkus_service_restartsec: "10s"
### administrator console password
keycloak_quarkus_admin_user: admin
keycloak_quarkus_admin_pass: ''
keycloak_quarkus_admin_pass:
keycloak_quarkus_master_realm: master
### Configuration settings
keycloak_quarkus_bind_address: 0.0.0.0
keycloak_quarkus_host: localhost
keycloak_quarkus_http_enabled: True
keycloak_quarkus_port: -1
keycloak_quarkus_path:
keycloak_quarkus_http_enabled: true
keycloak_quarkus_http_port: 8080
keycloak_quarkus_https_port: 8443
keycloak_quarkus_ajp_port: 8009
@@ -36,31 +41,53 @@ keycloak_quarkus_jgroups_port: 7600
keycloak_quarkus_java_opts: "-Xms1024m -Xmx2048m"
### TLS/HTTPS configuration
keycloak_quarkus_https_enabled: False
keycloak_quarkus_https_key_file_enabled: false
keycloak_quarkus_key_file: "{{ keycloak.home }}/conf/server.key.pem"
keycloak_quarkus_cert_file: "{{ keycloak.home }}/conf/server.crt.pem"
#### key store configuration
keycloak_quarkus_https_key_store_enabled: false
keycloak_quarkus_key_store_file: "{{ keycloak.home }}/conf/key_store.p12"
keycloak_quarkus_key_store_password: ''
##### trust store configuration
keycloak_quarkus_https_trust_store_enabled: false
keycloak_quarkus_trust_store_file: "{{ keycloak.home }}/conf/trust_store.p12"
keycloak_quarkus_trust_store_password: ''
### Enable configuration for database backend, clustering and remote caches on infinispan
keycloak_quarkus_ha_enabled: False
keycloak_quarkus_ha_enabled: false
### Enable database configuration, must be enabled when HA is configured
keycloak_quarkus_db_enabled: "{{ True if keycloak_quarkus_ha_enabled else False }}"
### keycloak frontend url
keycloak_quarkus_http_relative_path: auth
keycloak_quarkus_frontend_url: http://localhost:8080/auth
keycloak_quarkus_frontend_url:
keycloak_quarkus_admin_url:
# proxy address forwarding mode if the server is behind a reverse proxy. [edge, reencrypt, passthrough]
### Set the path relative to / for serving resources. The path must start with a /
### (set to `/auth` for retrocompatibility with pre-quarkus releases)
keycloak_quarkus_http_relative_path: /
# Disables dynamically resolving the hostname from request headers.
# Should always be set to true in production, unless proxy verifies the Host header.
keycloak_quarkus_hostname_strict: true
# By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications.
# If all applications use the public URL this option should be enabled.
keycloak_quarkus_hostname_strict_backchannel: false
# proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
keycloak_quarkus_proxy_mode: edge
keycloak_quarkus_metrics_enabled: False
keycloak_quarkus_health_enabled: True
# disable xa transactions
keycloak_quarkus_transaction_xa_enabled: true
keycloak_quarkus_metrics_enabled: false
keycloak_quarkus_health_enabled: true
### infinispan remote caches access (hotrod)
keycloak_quarkus_ispn_user: supervisor
keycloak_quarkus_ispn_pass: supervisor
keycloak_quarkus_ispn_url: localhost
keycloak_quarkus_ispn_sasl_mechanism: SCRAM-SHA-512
keycloak_quarkus_ispn_use_ssl: False
keycloak_quarkus_ispn_use_ssl: false
# if ssl is enabled, import ispn server certificate here
keycloak_quarkus_ispn_trust_store_path: /etc/pki/java/cacerts
keycloak_quarkus_ispn_trust_store_password: changeit
@@ -80,9 +107,13 @@ keycloak_quarkus_default_jdbc:
mariadb:
url: 'jdbc:mariadb://localhost:3306/keycloak'
version: 2.7.4
mssql:
url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
version: 12.2.0
driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar" # cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/22.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver
### logging configuration
keycloak_quarkus_log: file
keycloak_quarkus_log_level: info
keycloak_quarkus_log_file: data/log/keycloak.log
keycloak_quarkus_log_format: '%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n'
keycloak_quarkus_log_target: /var/log/keycloak

146
roles/keycloak_quarkus/meta/argument_specs.yml
View File

@@ -61,7 +61,7 @@ argument_specs:
type: "str"
keycloak_quarkus_service_pidfile:
# line 18 of defaults/main.yml
default: "/run/keycloak.pid"
default: "/run/keycloak/keycloak.pid"
description: "Pid file path for service"
type: "str"
keycloak_quarkus_configure_firewalld:
@@ -69,14 +69,24 @@ argument_specs:
default: false
description: "Ensure firewalld is running and configure keycloak ports"
type: "bool"
keycloak_service_restart_always:
default: false
description: "systemd restart always behavior of service; takes precedence over keycloak_service_restart_on_failure if true"
type: "bool"
keycloak_service_restart_on_failure:
default: false
description: "systemd restart on-failure behavior of service"
type: "bool"
keycloak_service_restartsec:
default: "10s"
description: "systemd RestartSec for service"
type: "str"
keycloak_quarkus_admin_user:
# line 22 of defaults/main.yml
default: "admin"
description: "Administration console user account"
type: "str"
keycloak_quarkus_admin_pass:
# line 23 of defaults/main.yml
default: ""
required: true
description: "Password of console admin account"
type: "str"
keycloak_quarkus_master_realm:
@@ -90,23 +100,30 @@ argument_specs:
description: "Address for binding service ports"
type: "str"
keycloak_quarkus_host:
# line 28 of defaults/main.yml
default: "localhost"
description: "hostname"
description: "Hostname for the Keycloak server"
type: "str"
keycloak_quarkus_port:
default: -1
description: "The port used by the proxy when exposing the hostname"
type: "int"
keycloak_quarkus_path:
required: false
description: "This should be set if proxy uses a different context-path for Keycloak"
type: "str"
keycloak_quarkus_http_enabled:
default: true
description: "Enable listener on HTTP port"
type: "bool"
type: "bool"
keycloak_quarkus_http_port:
# line 29 of defaults/main.yml
default: 8080
description: "HTTP port"
type: "int"
keycloak_quarkus_https_enabled:
keycloak_quarkus_https_key_file_enabled:
default: false
description: "Enable listener on HTTPS port"
type: "bool"
description: "Enable configuration of HTTPS via files in PEM format"
type: "bool"
keycloak_quarkus_key_file:
default: "{{ keycloak.home }}/conf/server.key.pem"
description: "The file path to a private key in PEM format"
@@ -115,6 +132,30 @@ argument_specs:
default: "{{ keycloak.home }}/conf/server.crt.pem"
description: "The file path to a server certificate or certificate chain in PEM format"
type: "str"
keycloak_quarkus_https_key_store_enabled:
default: false
description: "Enable configuration of HTTPS via a key store"
type: "bool"
keycloak_quarkus_key_store_file:
default: "{{ keycloak.home }}/conf/key_store.p12"
description: "The file path to the key store"
type: "str"
keycloak_quarkus_key_store_password:
default: ""
description: "Password for the key store"
type: "str"
keycloak_quarkus_https_trust_store_enabled:
default: false
description: "Enalbe confiugration of a trust store"
type: "bool"
keycloak_quarkus_trust_store_file:
default: "{{ keycloak.home }}/conf/trust_store.p12"
description: "The file path to the trust store"
type: "str"
keycloak_quarkus_trust_store_password:
default: ""
description: "Password for the trust store"
type: "str"
keycloak_quarkus_https_port:
# line 30 of defaults/main.yml
default: 8443
@@ -146,15 +187,18 @@ argument_specs:
description: "Enable auto configuration for database backend"
type: "str"
keycloak_quarkus_http_relative_path:
# line 41 of defaults/main.yml
default: "auth"
description: "Service context path"
required: false
default: /
description: "Set the path relative to / for serving resources. The path must start with a /"
type: "str"
keycloak_quarkus_frontend_url:
# line 41 of defaults/main.yml
default: "http://localhost:8080/auth"
required: false
description: "Service public URL"
type: "str"
keycloak_quarkus_admin_url:
required: false
description: "Service URL for the admin console"
type: "str"
keycloak_quarkus_metrics_enabled:
# line 43 of defaults/main.yml
default: false
@@ -202,7 +246,7 @@ argument_specs:
keycloak_quarkus_jdbc_engine:
# line 56 of defaults/main.yml
default: "postgres"
description: "Database engine [mariadb,postres]"
description: "Database engine [mariadb,postres,mssql]"
type: "str"
keycloak_quarkus_db_user:
# line 58 of defaults/main.yml
@@ -240,11 +284,77 @@ argument_specs:
default: '%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n'
type: "str"
description: "Set a format specific to file log entries"
keycloak_quarkus_log_target:
default: '/var/log/keycloak'
type: "str"
description: "Set the destination of the keycloak log folder link"
keycloak_quarkus_proxy_mode:
default: 'edge'
type: "str"
description: "The proxy address forwarding mode if the server is behind a reverse proxy"
description: "The proxy address forwarding mode if the server is behind a reverse proxy. Set to 'none' if not using a proxy"
keycloak_quarkus_start_dev:
default: False
default: false
type: "bool"
description: "Whether to start the service in development mode (start-dev)"
keycloak_quarkus_transaction_xa_enabled:
default: true
type: "bool"
description: "Enable or disable XA transactions which may not be supported by some DBMS"
keycloak_quarkus_hostname_strict:
default: true
type: "bool"
description: "Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless proxy verifies the Host header."
keycloak_quarkus_hostname_strict_backchannel:
default: false
type: "bool"
description: "By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled."
downstream:
options:
rhbk_version:
default: "22.0.6"
description: "Red Hat Build of Keycloak version"
type: "str"
rhbk_archive:
default: "rhbk-{{ rhbk_version }}.zip"
description: "Red Hat Build of Keycloak install archive filename"
type: "str"
rhbk_dest:
default: "/opt/rhbk"
description: "Root installation directory"
type: "str"
rhbk_installdir:
default: "{{ rhbk_dest }}/rhbk-{{ rhbk_version }}"
description: "Installation path for Red Hat Build of Keycloak"
type: "str"
rhbk_apply_patches:
default: false
description: "Install Red Hat Build of Keycloak most recent cumulative patch"
type: "bool"
rhbk_enable:
default: true
description: "Enable Red Hat Build of Keycloak installation"
type: "str"
rhbk_offline_install:
default: false
description: "Perform an offline install"
type: "bool"
rhbk_service_name:
default: "rhbk"
description: "systemd service name for Red Hat Build of Keycloak"
type: "str"
rhbk_service_desc:
default: "Red Hat Build of Keycloak"
description: "systemd description for Red Hat Build of Keycloak"
type: "str"
rhbk_patch_version:
required: false
description: "Red Hat Build of Keycloak latest cumulative patch version to apply; defaults to latest version when rhbk_apply_patches is True"
type: "str"
rhbk_patch_bundle:
default: "rhbk-{{ rhbk_patch_version | default('[0-9]+[.][0-9]+[.][0-9]+') }}-patch.zip"
description: "Red Hat Build of Keycloak patch archive filename"
type: "str"
rhbk_product_category:
default: "rhbk"
description: "JBossNetwork API category for Red Hat Build of Keycloak"
type: "str"

9
roles/keycloak_quarkus/meta/main.yml
View File

@@ -8,12 +8,12 @@ galaxy_info:
license: Apache License 2.0
min_ansible_version: "2.9"
min_ansible_version: "2.14"
platforms:
- name: EL
versions:
- 8
- name: EL
versions:
- "8"
galaxy_tags:
- keycloak
@@ -24,3 +24,4 @@ galaxy_info:
- authentication
- identity
- security
- rhbk

23
roles/keycloak_quarkus/tasks/fastpackages.yml
View File

@@ -1,19 +1,16 @@
---
- name: Check packages to be installed
block:
- name: "Check if packages are already installed" # noqa command-instead-of-module this runs faster
ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
register: rpm_info
changed_when: rpm_info.failed
- name: "Check if packages are already installed" # noqa command-instead-of-module this runs faster
ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
register: rpm_info
changed_when: false
failed_when: false
rescue:
- name: "Add missing packages to the yum install list"
ansible.builtin.set_fact:
packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | flatten }}"
when: rpm_info.failed
- name: "Add missing packages to the yum install list"
ansible.builtin.set_fact:
packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
- name: "Install packages: {{ packages_to_install | join(',') }}"
become: yes
- name: "Install packages: {{ packages_to_install }}"
become: true
ansible.builtin.yum:
name: "{{ packages_to_install }}"
state: present

8
roles/keycloak_quarkus/tasks/firewalld.yml
View File

@@ -6,19 +6,19 @@
- firewalld
- name: Enable and start the firewalld service
become: yes
become: true
ansible.builtin.systemd:
name: firewalld
enabled: yes
enabled: true
state: started
- name: "Configure firewall for {{ keycloak.service_name }} ports"
become: yes
become: true
ansible.posix.firewalld:
port: "{{ item }}"
permanent: true
state: enabled
immediate: yes
immediate: true
loop:
- "{{ keycloak_quarkus_http_port }}/tcp"
- "{{ keycloak_quarkus_https_port }}/tcp"

66
roles/keycloak_quarkus/tasks/install.yml
View File

@@ -11,21 +11,21 @@
quiet: true
- name: Check for an existing deployment
become: yes
become: true
ansible.builtin.stat:
path: "{{ keycloak.home }}"
register: existing_deploy
- name: "Create {{ keycloak.service_name }} service user/group"
become: yes
become: true
ansible.builtin.user:
name: "{{ keycloak.service_user }}"
home: /opt/keycloak
system: yes
system: true
create_home: no
- name: "Create {{ keycloak.service_name }} install location"
become: yes
become: true
ansible.builtin.file:
dest: "{{ keycloak_quarkus_dest }}"
state: directory
@@ -39,7 +39,7 @@
archive: "{{ keycloak_quarkus_dest }}/{{ keycloak.bundle }}"
- name: Check download archive path
become: yes
become: true
ansible.builtin.stat:
path: "{{ archive }}"
register: archive_path
@@ -57,11 +57,51 @@
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
mode: 0640
delegate_to: localhost
run_once: true
when:
- archive_path is defined
- archive_path.stat is defined
- not archive_path.stat.exists
- not keycloak.offline_install
- not rhbk_enable is defined or not rhbk_enable
- name: Perform download from RHN using JBoss Network API
delegate_to: localhost
run_once: true
when:
- archive_path is defined
- archive_path.stat is defined
- not archive_path.stat.exists
- rhbk_enable is defined and rhbk_enable
- not keycloak.offline_install
block:
- name: Retrieve product download using JBoss Network API
middleware_automation.common.product_search:
client_id: "{{ rhn_username }}"
client_secret: "{{ rhn_password }}"
product_type: DISTRIBUTION
product_version: "{{ rhbk_version }}"
product_category: "{{ rhbk_product_category }}"
register: rhn_products
no_log: "{{ omit_rhn_output | default(true) }}"
delegate_to: localhost
run_once: true
- name: Determine install zipfile from search results
ansible.builtin.set_fact:
rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/' + rhbk_archive + '$') }}"
delegate_to: localhost
run_once: true
- name: Download Red Hat Build of Keycloak
middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
client_id: "{{ rhn_username }}"
client_secret: "{{ rhn_password }}"
product_id: "{{ (rhn_filtered_products | first).id }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
no_log: "{{ omit_rhn_output | default(true) }}"
delegate_to: localhost
run_once: true
- name: Check downloaded archive
ansible.builtin.stat:
@@ -76,29 +116,29 @@
dest: "{{ archive }}"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0750
mode: 0640
register: new_version_downloaded
when:
- not archive_path.stat.exists
- local_archive_path.stat is defined
- local_archive_path.stat.exists
become: yes
become: true
- name: "Check target directory: {{ keycloak.home }}/bin/"
ansible.builtin.stat:
path: "{{ keycloak.home }}/bin/"
register: path_to_workdir
become: yes
become: true
- name: "Extract Keycloak archive on target"
ansible.builtin.unarchive:
remote_src: yes
remote_src: true
src: "{{ archive }}"
dest: "{{ keycloak_quarkus_dest }}"
creates: "{{ keycloak.home }}/bin/"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
become: yes
become: true
when:
- (not path_to_workdir.stat.exists) or new_version_downloaded.changed
notify:
@@ -109,3 +149,9 @@
msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
when:
- (not new_version_downloaded.changed) and path_to_workdir.stat.exists
- name: "Install {{ keycloak_quarkus_jdbc_engine }} JDBC driver"
ansible.builtin.include_tasks: jdbc_driver.yml
when:
- rhbk_enable is defined and rhbk_enable
- keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url is defined

12
roles/keycloak_quarkus/tasks/jdbc_driver.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: "Retrieve JDBC Driver from {{ keycloak_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url }}"
ansible.builtin.get_url:
url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url }}"
dest: "{{ keycloak.home }}/providers"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0640
become: true
notify:
- restart keycloak

19
roles/keycloak_quarkus/tasks/main.yml
View File

@@ -28,7 +28,7 @@
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0644
become: yes
become: true
notify:
- restart keycloak
@@ -39,9 +39,9 @@
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0644
become: yes
become: true
notify:
- restart keycloak
- restart keycloak
- name: Ensure logdirectory exists
ansible.builtin.file:
@@ -50,7 +50,10 @@
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0775
become: yes
become: true
- name: Flush pending handlers
ansible.builtin.meta: flush_handlers
- name: "Start and wait for keycloak service"
ansible.builtin.include_tasks: start.yml
@@ -58,12 +61,12 @@
- name: Check service status
ansible.builtin.command: "systemctl status keycloak"
register: keycloak_service_status
changed_when: False
changed_when: false
- name: Link default logs directory
ansible.builtin.file:
state: link
src: "{{ keycloak.log.file | dirname }}"
dest: /var/log/keycloak
force: yes
become: yes
dest: "{{ keycloak_quarkus_log_target }}"
force: true
become: true

15
roles/keycloak_quarkus/tasks/prereqs.yml
View File

@@ -3,15 +3,23 @@
ansible.builtin.assert:
that:
- keycloak_quarkus_admin_pass | length > 12
quiet: True
quiet: true
fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass variable to a 12+ char long string"
success_msg: "{{ 'Console administrator password OK' }}"
- name: Validate relative path
ansible.builtin.assert:
that:
- keycloak_quarkus_http_relative_path is regex('^/.*')
quiet: true
fail_msg: "the relative path must begin with /"
success_msg: "{{ 'relative path OK' }}"
- name: Validate configuration
ansible.builtin.assert:
that:
- (keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and not keycloak_quarkus_db_enabled)
quiet: True
quiet: true
fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled"
success_msg: "{{ 'Configuring HA' if keycloak_quarkus_ha_enabled else 'Configuring standalone' }}"
@@ -22,4 +30,5 @@
- "{{ keycloak_quarkus_jvm_package }}"
- unzip
- procps-ng
- initscripts
- initscripts
- tzdata-java

5
roles/keycloak_quarkus/tasks/restart.yml
View File

@@ -2,6 +2,7 @@
- name: "Restart and enable {{ keycloak.service_name }} service"
ansible.builtin.systemd:
name: keycloak
enabled: yes
enabled: true
state: restarted
become: yes
daemon_reload: true
become: true

5
roles/keycloak_quarkus/tasks/start.yml
View File

@@ -2,9 +2,10 @@
- name: "Start {{ keycloak.service_name }} service"
ansible.builtin.systemd:
name: keycloak
enabled: yes
enabled: true
state: started
become: yes
daemon_reload: true
become: true
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:

23
roles/keycloak_quarkus/tasks/systemd.yml
View File

@@ -1,15 +1,10 @@
---
- name: Determine JAVA_HOME for selected JVM RPM # noqa blocked_modules
ansible.builtin.shell: |
set -o pipefail
rpm -ql {{ keycloak_quarkus_jvm_package }} | grep -Po '/usr/lib/jvm/.*(?=/bin/java$)'
args:
executable: /bin/bash
changed_when: False
register: rpm_java_home
- name: Determine JAVA_HOME for selected JVM RPM
ansible.builtin.set_fact:
rpm_java_home: "/etc/alternatives/jre_{{ keycloak_quarkus_jvm_package | regex_search('(?<=java-)[0-9.]+') }}"
- name: "Configure sysconfig file for keycloak service"
become: yes
become: true
ansible.builtin.template:
src: keycloak-sysconfig.j2
dest: /etc/sysconfig/keycloak
@@ -17,7 +12,7 @@
group: root
mode: 0644
vars:
keycloak_rpm_java_home: "{{ rpm_java_home.stdout }}"
keycloak_rpm_java_home: "{{ rpm_java_home }}"
notify:
- restart keycloak
@@ -28,13 +23,7 @@
owner: root
group: root
mode: 0644
become: yes
become: true
register: systemdunit
notify:
- restart keycloak
- name: Reload systemd
become: yes
ansible.builtin.systemd:
daemon_reload: yes
when: systemdunit.changed

1
roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
View File

@@ -3,3 +3,4 @@ KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }}
KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'
PATH={{ keycloak_java_home | default(keycloak_rpm_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
JAVA_HOME={{ keycloak_java_home | default(keycloak_rpm_java_home, true) }}
JAVA_OPTS_APPEND={{ keycloak_quarkus_java_opts }}

34
roles/keycloak_quarkus/templates/keycloak.conf.j2
View File

@@ -9,23 +9,40 @@ db-password={{ keycloak_quarkus_db_pass }}
{% endif %}
# Observability
metrics-enabled={{ keycloak_quarkus_metrics_enabled }}
health-enabled={{ keycloak_quarkus_health_enabled }}
metrics-enabled={{ keycloak_quarkus_metrics_enabled | lower }}
health-enabled={{ keycloak_quarkus_health_enabled | lower }}
# HTTP
http-enabled={{ keycloak_quarkus_http_enabled }}
http-enabled={{ keycloak_quarkus_http_enabled | lower }}
http-port={{ keycloak_quarkus_http_port }}
http-relative-path={{ keycloak_quarkus_http_relative_path }}
# HTTPS
https-port={{ keycloak_quarkus_https_port }}
{% if keycloak_quarkus_https_enabled %}
{% if keycloak_quarkus_https_key_file_enabled %}
https-certificate-file={{ keycloak_quarkus_cert_file}}
https-certificate-key-file={{ keycloak_quarkus_key_file }}
{% endif %}
{% if keycloak_quarkus_https_key_store_enabled %}
https-key-store-file={{ keycloak_quarkus_key_store_file }}
https-key-store-password={{ keycloak_quarkus_key_store_password }}
{% endif %}
{% if keycloak_quarkus_https_trust_store_enabled %}
https-trust-store-file={{ keycloak_quarkus_trust_store_file }}
https-trust-store-password={{ keycloak_quarkus_trust_store_password }}
{% endif %}
# Hostname for the Keycloak server.
# Client URL configuration
{% if keycloak_quarkus_frontend_url %}
hostname-url={{ keycloak_quarkus_frontend_url }}
{% else %}
hostname={{ keycloak_quarkus_host }}
hostname-path={{ keycloak_quarkus_http_relative_path }}
hostname-port={{ keycloak_quarkus_port }}
hostname-path={{ keycloak_quarkus_path }}
{% endif %}
hostname-admin-url={{ keycloak_quarkus_admin_url }}
hostname-strict={{ keycloak_quarkus_hostname_strict | lower }}
hostname-strict-backchannel={{ keycloak_quarkus_hostname_strict_backchannel | lower }}
# Cluster
{% if keycloak_quarkus_ha_enabled %}
@@ -34,11 +51,16 @@ cache-config-file=cache-ispn.xml
cache-stack=tcp
{% endif %}
{% if keycloak_quarkus_proxy_mode is defined and keycloak_quarkus_proxy_mode != "none" %}
# Proxy
proxy={{ keycloak_quarkus_proxy_mode }}
{% endif %}
# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
#spi-sticky-session-encoder-infinispan-should-attach-route=false
# Transaction
transaction-xa-enabled={{ keycloak_quarkus_transaction_xa_enabled | lower }}
# Logging
#log-format=%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n
log={{ keycloak_quarkus_log }}

12
roles/keycloak_quarkus/templates/keycloak.service.j2
View File

@@ -10,9 +10,19 @@ PIDFile={{ keycloak_quarkus_service_pidfile }}
{% if keycloak_quarkus_start_dev %}
ExecStart={{ keycloak.home }}/bin/kc.sh start-dev
{% else %}
ExecStart={{ keycloak.home }}/bin/kc.sh start --auto-build --log={{ keycloak_quarkus_log }}
ExecStart={{ keycloak.home }}/bin/kc.sh start --log={{ keycloak_quarkus_log }}
{% endif %}
User={{ keycloak.service_user }}
Group={{ keycloak.service_group }}
{% if keycloak_quarkus_service_restart_always %}
Restart=always
{% elif keycloak_quarkus_service_restart_on_failure %}
Restart=on-failure
{% endif %}
RestartSec={{ keycloak_quarkus_service_restartsec }}
{% if keycloak_quarkus_http_port|int < 1024 or keycloak_quarkus_https_port|int < 1024 %}
AmbientCapabilities=CAP_NET_BIND_SERVICE
{% endif %}
[Install]
WantedBy=multi-user.target

2
roles/keycloak_quarkus/vars/main.yml
View File

@@ -4,7 +4,7 @@ keycloak:
config_dir: "{{ keycloak_quarkus_config_dir }}"
bundle: "{{ keycloak_quarkus_archive }}"
service_name: "keycloak"
health_url: "http://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_http_port }}/realms/master/.well-known/openid-configuration"
health_url: "http://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_http_port }}{{ keycloak_quarkus_http_relative_path }}{{ '/' if keycloak_quarkus_http_relative_path | length > 1 else '' }}realms/master/.well-known/openid-configuration"
cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh"
service_user: "{{ keycloak_quarkus_service_user }}"
service_group: "{{ keycloak_quarkus_service_group }}"

3
roles/keycloak_realm/defaults/main.yml
View File

@@ -32,6 +32,7 @@ keycloak_admin_password: ''
# realm: "{{ keycloak_realm }}"
# public_client: "{{ keycloak_client_public }}"
# web_origins: "{{ keycloak_client_web_origins }}"
# redirect_uris: "{{ keycloak_client_redirect_uris }}"
# users: "{{ keycloak_client_users }}"
keycloak_clients: []
@@ -39,7 +40,7 @@ keycloak_clients: []
keycloak_client_default_roles: []
# if True, create a public client; otherwise, a confidetial client
keycloak_client_public: True
keycloak_client_public: true
# allowed web origins for the client
keycloak_client_web_origins: '+'

30
roles/keycloak_realm/meta/argument_specs.yml
View File

@@ -83,18 +83,18 @@ argument_specs:
type: "list"
keycloak_url:
# line 14 of keycloak_realm/vars/main.yml
default: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
default: "http://{{ keycloak_host }}:{{ keycloak_http_port + ( keycloak_jboss_port_offset | default(0) ) }}"
description: "URL for configuration rest calls"
type: "str"
keycloak_management_url:
# line 15 of keycloak_realm/vars/main.yml
default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + ( keycloak_jboss_port_offset | default(0) ) }}"
description: "URL for management console rest calls"
type: "str"
downstream:
options:
sso_version:
default: "7.5.0"
default: "7.6.0"
description: "Red Hat Single Sign-On version"
type: "str"
sso_dest:
@@ -106,10 +106,30 @@ argument_specs:
description: "Installation path for Red Hat SSO"
type: "str"
sso_apply_patches:
default: False
default: false
description: "Install Red Hat SSO most recent cumulative patch"
type: "bool"
sso_enable:
default: True
default: true
description: "Enable Red Hat Single Sign-on installation"
type: "str"
rhbk_version:
default: "22.0.6"
description: "Red Hat Build of Keycloak version"
type: "str"
rhbk_archive:
default: "rhbk-{{ rhbk_version }}.zip"
description: "Red Hat Build of Keycloak install archive filename"
type: "str"
rhbk_dest:
default: "/opt/rhbk"
description: "Root installation directory"
type: "str"
rhbk_installdir:
default: "{{ rhbk_dest }}/rhbk-{{ rhbk_version.split('.')[0] }}.{{ rhbk_version.split('.')[1] }}"
description: "Installation path for Red Hat Build of Keycloak"
type: "str"
rhbk_enable:
default: true
description: "Enable Red Hat Build of Keycloak installation"
type: "str"

8
roles/keycloak_realm/meta/main.yml
View File

@@ -8,12 +8,12 @@ galaxy_info:
license: Apache License 2.0
min_ansible_version: "2.9"
min_ansible_version: "2.14"
platforms:
- name: EL
versions:
- 8
- name: EL
versions:
- "8"
galaxy_tags:
- keycloak

6
roles/keycloak_realm/tasks/main.yml
View File

@@ -4,7 +4,7 @@
url: "{{ keycloak_url }}{{ keycloak_context }}/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no
validate_certs: false
no_log: "{{ keycloak_no_log | default('True') }}"
register: keycloak_auth_response
until: keycloak_auth_response.status == 200
@@ -28,7 +28,7 @@
url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms"
method: POST
body: "{{ lookup('template', 'realm.json.j2') }}"
validate_certs: no
validate_certs: false
body_format: json
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
@@ -59,7 +59,7 @@
- item.name is defined and item.name | length > 0
- (item.client_id is defined and item.client_id | length > 0) or (item.id is defined and item.id | length > 0)
fail_msg: "For each keycloak client, attributes `name` and either `id` or `client_id` is required"
quiet: True
quiet: true
loop: "{{ keycloak_clients | flatten }}"
loop_control:
label: "{{ item.name | default('unnamed client') }}"

8
roles/keycloak_realm/tasks/manage_user.yml
View File

@@ -2,7 +2,7 @@
- name: "Check if User Already Exists"
ansible.builtin.uri:
url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
validate_certs: no
validate_certs: false
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_user_search_result
@@ -18,7 +18,7 @@
email: "{{ user.email | default(omit) }}"
firstName: "{{ user.firstName | default(omit) }}"
lastName: "{{ user.lastName | default(omit) }}"
validate_certs: no
validate_certs: false
body_format: json
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
@@ -28,7 +28,7 @@
- name: "Get User"
ansible.builtin.uri:
url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
validate_certs: no
validate_certs: false
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_user
@@ -41,7 +41,7 @@
type: password
temporary: false
value: "{{ user.password }}"
validate_certs: no
validate_certs: false
body_format: json
status_code:
- 200

2
roles/keycloak_realm/tasks/manage_user_client_roles.yml
View File

@@ -31,7 +31,7 @@
containerId: "{{ item.containerId }}"
name: "{{ item.name }}"
composite: "{{ item.composite }}"
validate_certs: False
validate_certs: false
body_format: json
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"

4
roles/keycloak_realm/tasks/manage_user_roles.yml
View File

@@ -3,7 +3,7 @@
ansible.builtin.uri:
url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
headers:
validate_certs: no
validate_certs: false
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_user
@@ -12,7 +12,7 @@
url: "{{ keycloak_url }}{{ keycloak_context }}/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no
validate_certs: false
register: keycloak_auth_response
no_log: "{{ keycloak_no_log | default('True') }}"
until: keycloak_auth_response.status == 200

4
roles/keycloak_realm/vars/main.yml
View File

@@ -5,5 +5,5 @@
keycloak_realm:
# other settings
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + (keycloak_jboss_port_offset | default(0)) }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + (keycloak_jboss_port_offset | default(0)) }}"