Update changelog for release 1.2.4

Close #74 - add `sqlserver` support to keycloak role

.github/workflows/ci.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python_version: ["3.9"]
+        python_version: ["3.10"]
     steps:
       - name: Check out code
         uses: actions/checkout@v2
@@ -24,9 +24,10 @@ jobs:
           path: ansible_collections/middleware_automation/keycloak
 
       - name: Set up Python ${{ matrix.python_version }}
-        uses: actions/setup-python@v1
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python_version }}
+          cache: 'pip'
 
       - name: Install yamllint, ansible and molecule
         run: |

.github/workflows/docs.yml

@@ -32,15 +32,17 @@ jobs:
           fetch-depth: 0
 
       - name: Set up Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v4
         with:
           python-version: 3.9
+          cache: 'pip'
 
       - name: Install doc dependencies
         run: |
           python -m pip install --upgrade pip
           pip install -r ansible_collections/middleware_automation/keycloak/docs/requirements.txt
           pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
+          sudo apt --fix-missing update
           sudo apt install -y sed hub
 
       - name: Create default collection path

.github/workflows/release.yml

@@ -24,9 +24,10 @@ jobs:
           token: ${{ secrets.TRIGGERING_PAT }}
 
       - name: Set up Python
-        uses: actions/setup-python@v1
+        uses: actions/setup-python@v4
         with:
           python-version: "3.x"
+          cache: 'pip'
 
       - name: Get current version
         id: get_version
@@ -47,6 +48,7 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install ansible-core antsibull
+          sudo apt --fix-missing update
           sudo apt install -y sed hub
 
       - name: Build collection

CHANGELOG.rst

@@ -6,6 +6,21 @@ middleware_automation.keycloak Release Notes
 
 This changelog describes changes after version 0.2.6.
 
+v1.2.4
+======
+
+Minor Changes
+-------------
+
+- Add ``sqlserver`` to keycloak role jdbc configurations `#78 <https://github.com/ansible-middleware/keycloak/pull/78>`_
+- Add configurability for XA transactions `#73 <https://github.com/ansible-middleware/keycloak/pull/73>`_
+
+Bugfixes
+--------
+
+- Fix deprecation warning for ``ipaddr`` `#77 <https://github.com/ansible-middleware/keycloak/pull/77>`_
+- Fix undefined facts when offline patching sso `#71 <https://github.com/ansible-middleware/keycloak/pull/71>`_
+
 v1.2.1
 ======
 

changelogs/changelog.yaml

@@ -181,3 +181,25 @@ releases:
     - 68.yaml
     - 69.yaml
     release_date: '2023-04-11'
+  1.2.4:
+    changes:
+      bugfixes:
+      - 'Fix deprecation warning for ``ipaddr`` `#77 <https://github.com/ansible-middleware/keycloak/pull/77>`_
+
+        '
+      - 'Fix undefined facts when offline patching sso `#71 <https://github.com/ansible-middleware/keycloak/pull/71>`_
+
+        '
+      minor_changes:
+      - 'Add ``sqlserver`` to keycloak role jdbc configurations `#78 <https://github.com/ansible-middleware/keycloak/pull/78>`_
+
+        '
+      - 'Add configurability for XA transactions `#73 <https://github.com/ansible-middleware/keycloak/pull/73>`_
+
+        '
+    fragments:
+    - 71.yaml
+    - 73.yaml
+    - 77.yaml
+    - 78.yaml
+    release_date: '2023-05-09'

galaxy.yml

@@ -1,7 +1,7 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "1.2.1"
+version: "1.2.4"
 readme: README.md
 authors:
   - Romain Pelisse <rpelisse@redhat.com>
@@ -21,6 +21,9 @@ tags:
   - infrastructure
   - authentication
   - java
+  - runtimes
+  - middleware
+  - a4mw
 dependencies:
   "middleware_automation.common": ">=1.0.0"
   "ansible.posix": ">=1.4.0"

roles/keycloak/README.md

@@ -83,7 +83,7 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:---------|
 |`keycloak_offline_install` | perform an offline install | `False`|
-|`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`| 
+|`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`|
 |`keycloak_version`| keycloak.org package version | `18.0.2` |
 |`keycloak_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
@@ -127,7 +127,7 @@ The following variables are _required_ only when `keycloak_ha_enabled` is True:
 |`keycloak_modcluster_url` | _deprecated_ Host for the modcluster reverse proxy | `localhost` |
 |`keycloak_modcluster_port` | _deprecated_ Port for the modcluster reverse proxy | `6666` |
 |`keycloak_modcluster_urls` | List of {host,port} dicts for the modcluster reverse proxies | `[ { localhost:6666 } ]` |
-|`keycloak_jdbc_engine` | backend database engine when db is enabled: [ postgres, mariadb ] | `postgres` |
+|`keycloak_jdbc_engine` | backend database engine when db is enabled: [ postgres, mariadb, sqlserver ] | `postgres` |
 |`keycloak_infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
 |`keycloak_infinispan_user` | username for connecting to infinispan | `supervisor` |
 |`keycloak_infinispan_pass` | password for connecting to infinispan | `supervisor` |

roles/keycloak/defaults/main.yml

@@ -79,7 +79,7 @@ keycloak_infinispan_use_ssl: False
 keycloak_infinispan_trust_store_path: /etc/pki/java/cacerts
 keycloak_infinispan_trust_store_password: changeit
 
-### database backend engine: values [ 'postgres', 'mariadb' ]
+### database backend engine: values [ 'postgres', 'mariadb', 'sqlserver' ]
 keycloak_jdbc_engine: postgres
 ### database backend credentials
 keycloak_db_user: keycloak-user
@@ -94,5 +94,8 @@ keycloak_default_jdbc:
   mariadb:
     url: 'jdbc:mariadb://localhost:3306/keycloak'
     version: 2.7.4
+  sqlserver:
+    url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
+    version: 12.2.0
 # role specific vars
 keycloak_no_log: True

roles/keycloak/meta/argument_specs.yml

@@ -237,7 +237,7 @@ argument_specs:
             keycloak_jdbc_engine:
                 # line 72 of keycloak/defaults/main.yml
                 default: "postgres"
-                description: "Backend database flavour when db is enabled: [ postgres, mariadb ]"
+                description: "Backend database flavour when db is enabled: [ postgres, mariadb, sqlserver ]"
                 type: "str"
             keycloak_db_user:
                 # line 74 of keycloak/defaults/main.yml

roles/keycloak/tasks/install.yml

@@ -232,11 +232,11 @@
         {
           "name": item,
           "address": 'jgroups-' + item,
-          "inventory_host": hostvars[item].ansible_default_ipv4.address | default(item) + '[' + keycloak_jgroups_port + ']',
+          "inventory_host": hostvars[item].ansible_default_ipv4.address | default(item) + '[' + (keycloak_jgroups_port | string) + ']',
           "value": hostvars[item].ansible_default_ipv4.address | default(item)
         }
       ] }}
-    loop: "{{ ansible_play_batch }}"
+  loop: "{{ ansible_play_batch }}"
   when: keycloak_ha_enabled and keycloak_ha_discovery == 'TCPPING'
 
 - name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak.config_template_source }}"

roles/keycloak/tasks/prereqs.yml

@@ -15,14 +15,6 @@
     fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_ha_enabled and keycloak_db_enabled"
     success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"
 
-- name: Validate remote cache store configuration
-  ansible.builtin.assert:
-    that:
-      - (keycloak_remote_cache_enabled and keycloak_ha_enabled) or (not keycloak_ha_enabled)
-    quiet: True
-    fail_msg: "Cannot deploy with remote cache storage on infinispan when keycloak_ha_enabled is false"
-    success_msg: "{{ 'Configuring HA with infinispan remote cache storage' if keycloak_ha_enabled else 'Configuring standalone' }}"
-
 - name: Validate credentials
   ansible.builtin.assert:
     that:
@@ -35,7 +27,7 @@
 - name: Validate persistence configuration
   ansible.builtin.assert:
     that:
-      - keycloak_jdbc_engine is defined and keycloak_jdbc_engine in [ 'postgres', 'mariadb' ]
+      - keycloak_jdbc_engine is defined and keycloak_jdbc_engine in [ 'postgres', 'mariadb', 'sqlserver' ]
       - keycloak_jdbc_url | length > 0
       - keycloak_db_user | length > 0
       - keycloak_db_pass | length > 0

roles/keycloak/tasks/rhsso_patch.yml

@@ -3,6 +3,8 @@
 - name: Set download patch archive path
   ansible.builtin.set_fact:
     patch_archive: "{{ keycloak_dest }}/{{ sso_patch_bundle }}"
+    patch_bundle: "{{ sso_patch_bundle }}"
+    patch_version: "{{ sso_patch_version }}"
   when: sso_patch_version is defined
 
 - name: Check download patch archive path
@@ -10,6 +12,7 @@
     path: "{{ patch_archive }}"
   register: patch_archive_path
   when: sso_patch_version is defined
+  become: yes
 
 - name: Perform patch download from RHN via JBossNetwork API
   delegate_to: localhost

roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2

@@ -631,7 +631,7 @@
             </mail-session>
         </subsystem>
         <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
-{% if keycloak_modcluster.enabled %}    
+{% if keycloak_modcluster.enabled %}
         <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
             <proxy name="default" advertise="false" listener="ajp" proxies="proxy1">
                 <dynamic-load-provider>
@@ -639,7 +639,7 @@
                 </dynamic-load-provider>
             </proxy>
         </subsystem>
-{% endif %}        
+{% endif %}
         <subsystem xmlns="urn:jboss:domain:naming:2.0">
             <remote-naming/>
         </subsystem>
@@ -728,7 +728,7 @@
         </interface>
         <interface name="jgroups">
 {% if ansible_default_ipv4 is defined %}
-            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
+            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
 {% else %}
             <any-address />
 {% endif %}

roles/keycloak/templates/9.0.2/standalone-infinispan.xml.j2

@@ -725,7 +725,7 @@
         </interface>
         <interface name="jgroups">
 {% if ansible_default_ipv4 is defined %}
-            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
+            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
 {% else %}
             <any-address />
 {% endif %}

roles/keycloak/templates/standalone-ha.xml.j2

@@ -376,7 +376,6 @@
                 <distributed-cache name="offlineClientSessions" owners="2"/>
                 <distributed-cache name="loginFailures" owners="2"/>
                 <distributed-cache name="actionTokens" owners="2">
-                    <object-memory size="-1"/>
                     <expiration interval="300000" max-idle="-1"/>
                 </distributed-cache>
                 <local-cache name="authorization">
@@ -585,7 +584,7 @@
             </mail-session>
         </subsystem>
         <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
-{% if keycloak_modcluster.enabled %}    
+{% if keycloak_modcluster.enabled %}
         <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
             <proxy name="default" advertise="false" listener="ajp" proxies="{{ ['proxy_'] | product(keycloak_modcluster.reverse_proxy_urls | map(attribute='host')) | map('join') | list | join(' ') }}">
                 <dynamic-load-provider>
@@ -593,7 +592,7 @@
                 </dynamic-load-provider>
             </proxy>
         </subsystem>
-{% endif %}        
+{% endif %}
         <subsystem xmlns="urn:jboss:domain:naming:2.0">
             <remote-naming/>
         </subsystem>
@@ -639,7 +638,7 @@
             </handlers>
             <application-security-domains>
                 <application-security-domain name="other" security-domain="ApplicationDomain"/>
-            </application-security-domains>            
+            </application-security-domains>
             <filters>
                 <filter name="proxy-peer" module="io.undertow.core"
                         class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"/>
@@ -653,7 +652,7 @@
         </interface>
         <interface name="jgroups">
 {% if ansible_default_ipv4 is defined %}
-            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
+            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
 {% else %}
             <any-address />
 {% endif %}

roles/keycloak/templates/standalone-infinispan.xml.j2

@@ -622,7 +622,7 @@
             </mail-session>
         </subsystem>
         <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
-{% if keycloak_modcluster.enabled %}    
+{% if keycloak_modcluster.enabled %}
         <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
             <proxy name="default" advertise="false" listener="ajp" proxies="{{ ['proxy_'] | product(keycloak_modcluster.reverse_proxy_urls | map(attribute='host')) | map('join') | list | join(' ') }}">
                 <dynamic-load-provider>
@@ -630,7 +630,7 @@
                 </dynamic-load-provider>
             </proxy>
         </subsystem>
-{% endif %}        
+{% endif %}
         <subsystem xmlns="urn:jboss:domain:naming:2.0">
             <remote-naming/>
         </subsystem>
@@ -676,7 +676,7 @@
             </handlers>
             <application-security-domains>
                 <application-security-domain name="other" security-domain="ApplicationDomain"/>
-            </application-security-domains>            
+            </application-security-domains>
             <filters>
                 <filter name="proxy-peer" module="io.undertow.core"
                         class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"/>
@@ -690,7 +690,7 @@
         </interface>
         <interface name="jgroups">
 {% if ansible_default_ipv4 is defined %}
-            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
+            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
 {% else %}
             <any-address />
 {% endif %}

roles/keycloak/vars/main.yml

@@ -56,6 +56,28 @@ keycloak_jdbc:
         ping_data varbinary(5000) DEFAULT NULL,
         PRIMARY KEY (own_addr, cluster_name))
       ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin
+  sqlserver:
+    enabled: "{{ (keycloak_ha_enabled or keycloak_db_enabled) and keycloak_jdbc_engine == 'sqlserver' }}"
+    driver_class: com.microsoft.sqlserver.jdbc.SQLServerDriver
+    xa_datasource_class: com.microsoft.sqlserver.jdbc.SQLServerXADataSource
+    driver_module_name: "com.microsoft.sqlserver"
+    driver_module_dir: "{{ keycloak_jboss_home }}/modules/com/microsoft/sqlserver/main"
+    driver_version: "{{ keycloak_jdbc_driver_version }}"
+    driver_jar_filename: "mssql-java-client-{{ keycloak_jdbc_driver_version }}.jar"
+    driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/{{ keycloak_jdbc_driver_version }}.jre11/mssql-jdbc-{{ keycloak_jdbc_driver_version }}.jre11.jar" # e.g., https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar
+    connection_url: "{{ keycloak_jdbc_url }}"
+    db_user: "{{ keycloak_db_user }}"
+    db_password: "{{ keycloak_db_pass }}"
+    initialize_db: >
+      IF  NOT EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[JGROUPSPING]') AND type in (N'U'))
+      BEGIN
+        CREATE TABLE JGROUPSPING (
+          own_addr varchar(200) NOT NULL,
+          cluster_name varchar(200) NOT NULL,
+          updated DATETIME2 DEFAULT SYSUTCDATETIME(),
+          ping_data varbinary(5000) DEFAULT NULL,
+          PRIMARY KEY (own_addr, cluster_name))
+      END
 
 # reverse proxy mod_cluster
 keycloak_modcluster:

roles/keycloak_quarkus/README.md

@@ -98,6 +98,7 @@ Role Defaults
 |`keycloak_quarkus_log_format`| Set a format specific to file log entries | `%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n` |
 |`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` |
 |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` |
+|`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` |
 
 
 Role Variables

roles/keycloak_quarkus/defaults/main.yml

@@ -52,6 +52,9 @@ keycloak_quarkus_frontend_url: http://localhost:8080/auth
 # proxy address forwarding mode if the server is behind a reverse proxy. [edge, reencrypt, passthrough]
 keycloak_quarkus_proxy_mode: edge
 
+# disable xa transactions
+keycloak_quarkus_transaction_xa_enabled: True
+
 keycloak_quarkus_metrics_enabled: False
 keycloak_quarkus_health_enabled: True
 

roles/keycloak_quarkus/meta/argument_specs.yml

@@ -248,3 +248,7 @@ argument_specs:
                 default: False
                 type: "bool"
                 description: "Whether to start the service in development mode (start-dev)"
+            keycloak_quarkus_transaction_xa_enabled:
+                default: True
+                type: "bool"
+                description: "Enable or disable XA transactions which may not be supported by some DBMS"

roles/keycloak_quarkus/templates/keycloak.conf.j2

@@ -39,6 +39,9 @@ proxy={{ keycloak_quarkus_proxy_mode }}
 # Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
 #spi-sticky-session-encoder-infinispan-should-attach-route=false
 
+# Transaction
+transaction-xa-enabled={{ keycloak_quarkus_transaction_xa_enabled }}
+
 # Logging
 #log-format=%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n
 log={{ keycloak_quarkus_log }}