Update changelog for release 1.2.7

add certified collection notice

.ansible-lint

@@ -21,19 +21,21 @@ warn_list:
   - experimental
   - ignore-errors
   - no-handler
-  - fqcn-builtins
   - no-log-password
   - jinja[spacing]
   - jinja[invalid]
   - meta-no-tags
-  - name[template]
   - name[casing]
   - fqcn[action]
   - schema[meta]
+  - var-naming[no-role-prefix]
+  - key-order[task]
+  - blocked_modules
 
 skip_list:
   - vars_should_not_be_used
   - file_is_small_enough
+  - name[template]
 
 use_default_rules: true
 parseable: true

.github/workflows/ci.yml

@@ -32,7 +32,7 @@ jobs:
       - name: Install yamllint, ansible and molecule
         run: |
           python -m pip install --upgrade pip
-          pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
+          pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint==6.17.0 voluptuous
           pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
 
       - name: Create default collection path

.gitignore

@@ -2,6 +2,8 @@
 *.zip
 .tmp
 .cache
+.vscode/
+__pycache__/
 docs/plugins/
 docs/roles/
 docs/_build/

CHANGELOG.rst

@@ -6,6 +6,41 @@ middleware_automation.keycloak Release Notes
 
 This changelog describes changes after version 0.2.6.
 
+v1.2.7
+======
+
+Minor Changes
+-------------
+
+- Allow to override jgroups subnet `#93 <https://github.com/ansible-middleware/keycloak/pull/93>`_
+- keycloak-quarkus: update keycloakx to v21.1.1 `#92 <https://github.com/ansible-middleware/keycloak/pull/92>`_
+
+v1.2.6
+======
+
+Minor Changes
+-------------
+
+- Add profile features enabling/disabling `#87 <https://github.com/ansible-middleware/keycloak/pull/87>`_
+- Improve service restart behavior configuration `#88 <https://github.com/ansible-middleware/keycloak/pull/88>`_
+- Update default xa_datasource_class value for mariadb jdbc configuration `#89 <https://github.com/ansible-middleware/keycloak/pull/89>`_
+
+Bugfixes
+--------
+
+- Handle WFLYCTL0117 when background validation millis is 0 `#90 <https://github.com/ansible-middleware/keycloak/pull/90>`_
+
+v1.2.5
+======
+
+Minor Changes
+-------------
+
+- Add configuration for database connection pool validation `#85 <https://github.com/ansible-middleware/keycloak/pull/85>`_
+- Allow to configure administration endpoint URL `#86 <https://github.com/ansible-middleware/keycloak/pull/86>`_
+- Allow to force backend URLs to frontend URLs `#84 <https://github.com/ansible-middleware/keycloak/pull/84>`_
+- Introduce systemd unit restart behavior `#81 <https://github.com/ansible-middleware/keycloak/pull/81>`_
+
 v1.2.4
 ======
 

README.md

@@ -3,6 +3,8 @@
 <!--start build_status -->
 [![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
 
+If you are Red Hat customer, install `redhat.sso` from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.
+
 <!--end build_status -->
 Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on). 
 

changelogs/changelog.yaml

@@ -203,3 +203,60 @@ releases:
     - 77.yaml
     - 78.yaml
     release_date: '2023-05-09'
+  1.2.5:
+    changes:
+      minor_changes:
+      - 'Add configuration for database connection pool validation `#85 <https://github.com/ansible-middleware/keycloak/pull/85>`_
+
+        '
+      - 'Allow to configure administration endpoint URL `#86 <https://github.com/ansible-middleware/keycloak/pull/86>`_
+
+        '
+      - 'Allow to force backend URLs to frontend URLs `#84 <https://github.com/ansible-middleware/keycloak/pull/84>`_
+
+        '
+      - 'Introduce systemd unit restart behavior `#81 <https://github.com/ansible-middleware/keycloak/pull/81>`_
+
+        '
+    fragments:
+    - 81.yaml
+    - 84.yaml
+    - 85.yaml
+    - 86.yaml
+    release_date: '2023-05-26'
+  1.2.6:
+    changes:
+      bugfixes:
+      - 'Handle WFLYCTL0117 when background validation millis is 0 `#90 <https://github.com/ansible-middleware/keycloak/pull/90>`_
+
+        '
+      minor_changes:
+      - 'Add profile features enabling/disabling `#87 <https://github.com/ansible-middleware/keycloak/pull/87>`_
+
+        '
+      - 'Improve service restart behavior configuration `#88 <https://github.com/ansible-middleware/keycloak/pull/88>`_
+
+        '
+      - 'Update default xa_datasource_class value for mariadb jdbc configuration `#89
+        <https://github.com/ansible-middleware/keycloak/pull/89>`_
+
+        '
+    fragments:
+    - 87.yaml
+    - 88.yaml
+    - 89.yaml
+    - 90.yaml
+    release_date: '2023-06-07'
+  1.2.7:
+    changes:
+      minor_changes:
+      - 'Allow to override jgroups subnet `#93 <https://github.com/ansible-middleware/keycloak/pull/93>`_
+
+        '
+      - 'keycloak-quarkus: update keycloakx to v21.1.1 `#92 <https://github.com/ansible-middleware/keycloak/pull/92>`_
+
+        '
+    fragments:
+    - 92.yaml
+    - 93.yaml
+    release_date: '2023-06-19'

galaxy.yml

@@ -1,7 +1,7 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "1.2.4"
+version: "1.2.7"
 readme: README.md
 authors:
   - Romain Pelisse <rpelisse@redhat.com>
@@ -25,7 +25,7 @@ tags:
   - middleware
   - a4mw
 dependencies:
-  "middleware_automation.common": ">=1.0.0"
+  "middleware_automation.common": ">=1.1.0"
   "ansible.posix": ">=1.4.0"
 repository: https://github.com/ansible-middleware/keycloak
 documentation: https://ansible-middleware.github.io/keycloak

molecule/default/molecule.yml

@@ -34,6 +34,7 @@ provisioner:
         ansible_python_interpreter: "{{ ansible_playbook_python }}"
   env:
     ANSIBLE_FORCE_COLOR: "true"
+    ANSIBLE_VERBOSITY: 3
 verifier:
   name: ansible
 scenario:

molecule/default/verify.yml

@@ -14,9 +14,12 @@
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"
           - ansible_facts.services["keycloak.service"]["status"] == "enabled"
-    - name: Verify we are running on requested jvm
-      shell: |
+    - name: Verify we are running on requested jvm # noqa blocked_modules command-instead-of-module
+      ansible.builtin.shell: |
+        set -o pipefail
         ps -ef | grep /usr/lib/jvm/java-11 | grep -v grep
+      args:
+        executable: /bin/bash
       changed_when: no
     - name: Verify token api call
       ansible.builtin.uri:
@@ -48,8 +51,6 @@
         headers:
           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
       register: keycloak_query_clients
-    - debug:
-        msg: "{{ keycloak_query_clients.json | selectattr('clientId','equalto','TestClient') }}"
     - name: Verify expected config
       ansible.builtin.assert:
         that:

molecule/quarkus/prepare.yml

@@ -11,27 +11,32 @@
       ansible.builtin.set_fact:
         hera_home: "{{ lookup('env', 'HERA_HOME') }}"
 
-    - ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+    - name: Create certificate request
+      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
       delegate_to: localhost
+      changed_when: False
 
-    - block:
-        - ansible.builtin.lineinfile:
-            dest: /etc/hosts
-            line: "127.0.0.1 instance"
-            state: present
-          delegate_to: localhost
-          become: yes
+    - name: Set /etc/hosts
+      ansible.builtin.lineinfile:
+        dest: /etc/hosts
+        line: "127.0.0.1 instance"
+        state: present
+      delegate_to: localhost
+      become: yes
       when:
         - hera_home is defined
         - hera_home | length == 0
 
-    - ansible.builtin.file:
+    - name: Create conf directory # risky-file-permissions in test user account does not exist yet
+      ansible.builtin.file:
         state: directory
-        path: /opt/keycloak/keycloak-18.0.0/conf/
+        path: /opt/keycloak/keycloak-21.1.1/conf/
+        mode: 0755
 
-    - ansible.builtin.copy:
+    - name: Copy certificates
+      ansible.builtin.copy:
         src: "{{ item }}"
-        dest: "/opt/keycloak/keycloak-18.0.0/conf/{{ item }}"
+        dest: "/opt/keycloak/keycloak-21.1.1/conf/{{ item }}"
         mode: 0444
       loop:
         - cert.pem

molecule/quarkus/verify.yml

@@ -4,26 +4,30 @@
   tasks:
     - name: Populate service facts
       ansible.builtin.service_facts:
+
     - name: Check if keycloak service started
       ansible.builtin.assert:
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"
           - ansible_facts.services["keycloak.service"]["status"] == "enabled"
 
-    - set_fact:
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
         hera_home: "{{ lookup('env', 'HERA_HOME') }}"
 
-    - block:
-        - name: Fetch openID config
-          shell: |
+    - name: Verify openid config
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.shell: |
+            set -o pipefail
             curl https://instance:8443/realms/master/.well-known/openid-configuration -k | jq .
+          args:
+            executable: /bin/bash
           delegate_to: localhost
           register: openid_config
-        - debug:
-            msg: " {{ openid_config.stdout | from_json }}"
-          delegate_to: localhost
+          changed_when: False
         - name: Verify endpoint URLs
-          assert:
+          ansible.builtin.assert:
             that:
               - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance/realms/master/protocol/openid-connect/ext/ciba/auth'
               - (openid_config.stdout | from_json)['issuer'] == 'https://instance/realms/master'

plugins/filter/version_sort.py

@@ -1,52 +0,0 @@
-# -*- coding: utf-8 -*-
-# Copyright (C) 2021 Eric Lavarde <elavarde@redhat.com>
-# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-from __future__ import (absolute_import, division, print_function)
-__metaclass__ = type
-
-DOCUMENTATION = '''
-  name: version_sort
-  short_description: Sort a list according to version order instead of pure alphabetical one
-  version_added: 2.2.0
-  author: Eric L. (@ericzolf)
-  description:
-    - Sort a list according to version order instead of pure alphabetical one.
-  options:
-    _input:
-      description: A list of strings to sort.
-      type: list
-      elements: string
-      required: true
-'''
-
-EXAMPLES = '''
-- name: Convert list of tuples into dictionary
-  ansible.builtin.set_fact:
-    dictionary: "{{ ['2.1', '2.10', '2.9'] | middleware_automation.keycloak.version_sort }}"
-    # Result is ['2.1', '2.9', '2.10']
-'''
-
-RETURN = '''
-  _value:
-    description: The list of strings sorted by version.
-    type: list
-    elements: string
-'''
-
-from ansible_collections.middleware_automation.keycloak.plugins.module_utils.version import LooseVersion
-
-
-def version_sort(value, reverse=False):
-    '''Sort a list according to loose versions so that e.g. 2.9 is smaller than 2.10'''
-    return sorted(value, key=LooseVersion, reverse=reverse)
-
-
-class FilterModule(object):
-    ''' Version sort filter '''
-
-    def filters(self):
-        return {
-            'version_sort': version_sort
-        }

plugins/module_utils/version.py

@@ -1,22 +0,0 @@
-# -*- coding: utf-8 -*-
-
-# Copyright (c) 2021, Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-"""Provide version object to compare version numbers."""
-
-from __future__ import absolute_import, division, print_function
-__metaclass__ = type
-
-
-from ansible.module_utils.six import raise_from
-
-try:
-    from ansible.module_utils.compat.version import LooseVersion  # noqa: F401, pylint: disable=unused-import
-except ImportError:
-    try:
-        from distutils.version import LooseVersion  # noqa: F401, pylint: disable=unused-import
-    except ImportError as exc:
-        msg = 'To use this plugin or module with ansible-core 2.11, you need to use Python < 3.12 with distutils.version present'
-        raise_from(ImportError(msg), exc)

roles/keycloak/README.md

@@ -72,7 +72,13 @@ Role Defaults
 |`keycloak_config_standalone_xml`| filename for configuration | `keycloak.xml` |
 |`keycloak_service_user`| posix account username | `keycloak` |
 |`keycloak_service_group`| posix account group | `keycloak` |
+|`keycloak_service_restart_always`| systemd restart always behavior activation | `False`
+|`keycloak_service_restart_on_failure`| systemd restart on-failure behavior activation | `False`
+|`keycloak_service_startlimitintervalsec`| systemd StartLimitIntervalSec | `300` |
+|`keycloak_service_startlimitburst`| systemd StartLimitBurst | `5` |
+|`keycloak_service_restartsec`| systemd RestartSec | `10s` |
 |`keycloak_service_pidfile`| pid file path for service | `/run/keycloak.pid` |
+|`keycloak_features` | List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]` | `[]`
 |`keycloak_jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-headless` |
 |`keycloak_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path | `None` |
 |`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
@@ -106,6 +112,12 @@ Role Defaults
 |`keycloak_force_install` | Remove pre-existing versions of service | `False` |
 |`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
 |`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
+|`keycloak_frontend_url_force` | Force backend requests to use the frontend URL | `False` |
+|`keycloak_db_background_validation` | Enable background validation of database connection | `False` |
+|`keycloak_db_background_validation_millis`| How frequenly the connection pool is validated in the background | `10000` if background validation enabled |
+|`keycloak_db_background_validate_on_match` | Enable validate on match for database connections | `False` |
+|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |
+
 
 
 Role Variables
@@ -116,10 +128,10 @@ The following are a set of _required_ variables for the role:
 | Variable | Description |
 |:---------|:------------|
 |`keycloak_admin_password`| Password for the administration console user account (minimum 12 characters) |
-|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth` |
+|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |
 
 
-The following variables are _required_ only when `keycloak_ha_enabled` is True:
+The following parameters are _required_ only when `keycloak_ha_enabled` is True:
 
 | Variable | Description | Default |
 |:---------|:------------|:--------|
@@ -137,7 +149,7 @@ The following variables are _required_ only when `keycloak_ha_enabled` is True:
 |`keycloak_infinispan_trust_store_password`| Password for opening truststore | `changeit` |
 
 
-The following variables are _required_ only when `keycloak_db_enabled` is True:
+The following parameters are _required_ only when `keycloak_db_enabled` is True:
 
 | Variable | Description | Default |
 |:---------|:------------|:---------|
@@ -147,6 +159,14 @@ The following variables are _required_ only when `keycloak_db_enabled` is True:
 |`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` |
 
 
+The following variables are _optional_:
+
+| Variable | Description |
+|:---------|:------------|
+|`keycloak_db_valid_conn_sql` | Override the default database connection validation query sql |
+|`keycloak_admin_url` | Override the default administration endpoint URL |
+|`keycloak_jgroups_subnet`| Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration |
+
 Example Playbook
 -----------------
 
@@ -157,8 +177,6 @@ Example Playbook
 - hosts: ...
       vars:
         keycloak_admin_password: "remembertochangeme"
-      collections:
-        - middleware_automation.keycloak
       roles:
         - middleware_automation.keycloak.keycloak
 ```

roles/keycloak/defaults/main.yml

@@ -16,6 +16,7 @@ keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
 keycloak_config_standalone_xml: "keycloak.xml"
 keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
 keycloak_config_override_template: ''
+keycloak_config_path_to_properties: "{{ keycloak_jboss_home }}/standalone/configuration/profile.properties"
 keycloak_service_user: keycloak
 keycloak_service_group: keycloak
 keycloak_service_pidfile: "/run/keycloak.pid"
@@ -23,6 +24,11 @@ keycloak_service_name: keycloak
 keycloak_service_desc: Keycloak
 keycloak_service_start_delay: 10
 keycloak_service_start_retries: 25
+keycloak_service_restart_always: False
+keycloak_service_restart_on_failure: False
+keycloak_service_startlimitintervalsec: "300"
+keycloak_service_startlimitburst: "5"
+keycloak_service_restartsec: "10s"
 
 keycloak_configure_firewalld: False
 
@@ -36,11 +42,13 @@ keycloak_http_port: 8080
 keycloak_https_port: 8443
 keycloak_ajp_port: 8009
 keycloak_jgroups_port: 7600
+keycloak_jgroups_subnet:
 keycloak_management_port_bind_address: 127.0.0.1
 keycloak_management_http_port: 9990
 keycloak_management_https_port: 9993
 keycloak_java_opts: "-Xms1024m -Xmx2048m"
 keycloak_prefer_ipv4: True
+keycloak_features: []
 
 ### Enable configuration for database backend, clustering and remote caches on infinispan
 keycloak_ha_enabled: False
@@ -67,7 +75,9 @@ keycloak_modcluster_urls:
     port: "{{ keycloak_modcluster_port }}"
 
 ### keycloak frontend url
-keycloak_frontend_url: http://localhost:8080/auth
+keycloak_frontend_url: http://localhost:8080/auth/
+keycloak_frontend_url_force: False
+keycloak_admin_url:
 
 ### infinispan remote caches access (hotrod)
 keycloak_infinispan_user: supervisor
@@ -84,6 +94,12 @@ keycloak_jdbc_engine: postgres
 ### database backend credentials
 keycloak_db_user: keycloak-user
 keycloak_db_pass: keycloak-pass
+## connection validation
+keycloak_db_background_validation: False
+keycloak_db_background_validation_millis: "{{ 10000 if keycloak_db_background_validation else 0 }}"
+keycloak_db_background_validate_on_match: False
+# variable to override database connection validation query
+keycloak_db_valid_conn_sql:
 keycloak_jdbc_url: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
 keycloak_jdbc_driver_version: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
 # override the variables above, following defaults show minimum supported versions

roles/keycloak/meta/argument_specs.yml

@@ -89,6 +89,11 @@ argument_specs:
                 default: "/run/keycloak.pid"
                 description: "PID file path for service"
                 type: "str"
+            keycloak_features:
+                # line 17 of keycloak/defaults/main.yml
+                default: "[]"
+                description: "List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]`"
+                type: "list"
             keycloak_bind_address:
                 # line 34 of keycloak/defaults/main.yml
                 default: "0.0.0.0"
@@ -96,7 +101,7 @@ argument_specs:
                 type: "str"
             keycloak_management_port_bind_address:
                 default: "127.0.0.1"
-                description: "Address for binding the managemnt ports"
+                description: "Address for binding the management ports"
                 type: "str"
             keycloak_host:
                 # line 35 of keycloak/defaults/main.yml
@@ -199,6 +204,10 @@ argument_specs:
                 default: "http://localhost"
                 description: "Frontend URL for keycloak endpoints when a reverse proxy is used"
                 type: "str"
+            keycloak_frontend_url_force:
+                default: False
+                description: "Force backend requests to use the frontend URL"
+                type: "bool"
             keycloak_infinispan_user:
                 # line 62 of keycloak/defaults/main.yml
                 default: "supervisor"
@@ -290,6 +299,26 @@ argument_specs:
                 default: "25"
                 description: "How many time should Ansible retry to connect to the service after it was started, before failing."
                 type: "int"
+            keycloak_service_restart_always:
+                default: false
+                description: "systemd restart always behavior activation for keycloak"
+                type: "bool"
+            keycloak_service_restart_on_failure:
+                default: false
+                description: "systemd restart on-failure behavior activation for keycloak"
+                type: "bool"
+            keycloak_service_startlimitintervalsec:
+                default: 300
+                description: "systemd StartLimitIntervalSec for keycloak"
+                type: "int"
+            keycloak_service_startlimitburst:
+                default: 5
+                description: "systemd StartLimitBurst for keycloak"
+                type: "int"
+            keycloak_service_restartsec:
+                default: "5s"
+                description: "systemd RestartSec for keycloak"
+                type: "str"
             keycloak_no_log:
                 default: true
                 type: "bool"
@@ -298,6 +327,30 @@ argument_specs:
                 default: "{{ True if keycloak_ha_enabled else False }}"
                 description: "Enable remote cache store when in clustered ha configurations"
                 type: "bool"
+            keycloak_db_background_validation:
+                default: False
+                description: "Enable background validation of database connection"
+                type: "bool"
+            keycloak_db_background_validation_millis:
+                default: "{{ 10000 if keycloak_db_background_validation else 0 }}"
+                description: "How frequenly the connection pool is validated in the background"
+                type: 'int'
+            keycloak_db_background_validate_on_match:
+                default: False
+                description: "Enable validate on match for database connections"
+                type: "bool"
+            keycloak_db_valid_conn_sql:
+                required: False
+                description: "Override the default database connection validation query sql"
+                type: "str"
+            keycloak_admin_url:
+                required: False
+                description: "Override the default administration endpoint URL"
+                type: "str"
+            keycloak_jgroups_subnet:
+                required: False
+                description: "Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration"
+                type: "str"
     downstream:
         options:
             sso_version:

roles/keycloak/tasks/install.yml

@@ -239,7 +239,7 @@
   loop: "{{ ansible_play_batch }}"
   when: keycloak_ha_enabled and keycloak_ha_discovery == 'TCPPING'
 
-- name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak.config_template_source }}"
+- name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
   become: yes
   ansible.builtin.template:
     src: templates/standalone-ha.xml.j2
@@ -266,5 +266,17 @@
     - restart keycloak
   when:
     - keycloak_ha_enabled
-    - keycloak_remote_cache_enabled    
+    - keycloak_remote_cache_enabled
     - keycloak_config_override_template | length == 0
+
+- name: "Deploy profile.properties file to {{ keycloak_config_path_to_properties }}"
+  become: yes
+  ansible.builtin.template:
+    src: keycloak-profile.properties.j2
+    dest: "{{ keycloak_config_path_to_properties }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0640
+  notify:
+    - restart keycloak
+  when: keycloak_features | length > 0

roles/keycloak/tasks/rhsso_patch.yml

@@ -35,15 +35,15 @@
       run_once: yes
 
     - name: Determine patch versions list
-      set_fact:
+      ansible.builtin.set_fact:
         filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | map('regex_replace','[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*)-.*','\\1' ) | list | unique }}"
       when: sso_patch_version is not defined or sso_patch_version | length == 0
       delegate_to: localhost
       run_once: yes
 
     - name: Determine latest version
-      set_fact:
-         sso_latest_version: "{{ filtered_versions | middleware_automation.keycloak.version_sort | last }}"
+      ansible.builtin.set_fact:
+         sso_latest_version: "{{ filtered_versions | middleware_automation.common.version_sort | last }}"
       when: sso_patch_version is not defined or sso_patch_version | length == 0
       delegate_to: localhost
       run_once: yes
@@ -58,7 +58,7 @@
       run_once: yes
 
     - name: "Determine selected patch from supplied version: {{ sso_patch_version }}"
-      set_fact:
+      ansible.builtin.set_fact:
         rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/' + sso_patch_bundle + '$') }}"
         patch_bundle: "{{ sso_patch_bundle }}"
         patch_version: "{{ sso_patch_version }}"

roles/keycloak/templates/keycloak-profile.properties.j2

@@ -0,0 +1,3 @@
+{% for feature in keycloak.features %}
+feature.{{ feature.name }}={{ feature.status | default('enabled') }}
+{% endfor %}

roles/keycloak/templates/keycloak.service.j2

@@ -2,6 +2,9 @@
 [Unit]
 Description={{ keycloak.service_name }} Server
 After=network.target
+StartLimitIntervalSec={{ keycloak_service_startlimitintervalsec }}
+StartLimitBurst={{ keycloak_service_startlimitburst }}
+
 
 [Service]
 Type=forking
@@ -12,6 +15,12 @@ ExecStop={{ keycloak_dest }}/keycloak-service.sh stop
 TimeoutStartSec=30
 TimeoutStopSec=30
 LimitNOFILE=102642
+{% if keycloak_service_restart_always %}
+Restart=always
+{% elif keycloak_service_restart_on_failure %}
+Restart=on-failure
+{% endif %}
+RestartSec={{ keycloak_service_restartsec }}
 
 [Install]
 WantedBy=multi-user.target

roles/keycloak/templates/standalone-ha.xml.j2

@@ -136,6 +136,14 @@
                         <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
                         <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
                     </security>
+                    <validation>
+                        <check-valid-connection-sql>{{ keycloak_jdbc[keycloak_jdbc_engine].validate_query }}</check-valid-connection-sql>
+                        <validate-on-match>{{ keycloak_db_background_validate_on_match }}</validate-on-match>
+{% if keycloak_db_background_validation_millis | int > 0 or keycloak_db_background_validation %}
+                        <background-validation>{{ keycloak_db_background_validation }}</background-validation>
+                        <background-validation-millis>{{ keycloak_db_background_validation_millis }}</background-validation-millis>
+{% endif %}
+                    </validation>
 {% else %}
                     <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
                     <driver>h2</driver>
@@ -573,7 +581,10 @@
                 <provider name="default" enabled="true">
                     <properties>
                         <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="{{ keycloak_modcluster.force_frontend_url }}"/>
+{% if keycloak_modcluster.admin_url | length > 0 %}
+                        <property name="adminUrl" value="{{ keycloak_modcluster.admin_url }}" />
+{% endif %}
                     </properties>
                 </provider>
             </spi>
@@ -651,7 +662,9 @@
             <inet-address value="{{ keycloak_management_port_bind_address }}"/>
         </interface>
         <interface name="jgroups">
-{% if ansible_default_ipv4 is defined %}
+{% if keycloak_jgroups_subnet is defined and keycloak_jgroups_subnet | string | length > 0 %}
+            <subnet-match value="{{ keycloak_jgroups_subnet | string }}"/>
+{% elif ansible_default_ipv4 is defined and (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') | length > 0 %}
             <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
 {% else %}
             <any-address />

roles/keycloak/templates/standalone-infinispan.xml.j2

@@ -136,6 +136,14 @@
                         <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
                         <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
                     </security>
+                    <validation>
+                        <check-valid-connection-sql>{{ keycloak_jdbc[keycloak_jdbc_engine].validate_query }}</check-valid-connection-sql>
+                        <validate-on-match>{{ keycloak_db_background_validate_on_match }}</validate-on-match>
+{% if keycloak_db_background_validation_millis | int > 0 or keycloak_db_background_validation %}
+                        <background-validation>{{ keycloak_db_background_validation }}</background-validation>
+                        <background-validation-millis>{{ keycloak_db_background_validation_millis }}</background-validation-millis>
+{% endif %}
+                    </validation>
 {% else %}
                     <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
                     <driver>h2</driver>
@@ -611,7 +619,10 @@
                 <provider name="default" enabled="true">
                     <properties>
                         <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="{{ keycloak_modcluster.force_frontend_url }}"/>
+{% if keycloak_modcluster.admin_url | length > 0 %}
+                        <property name="adminUrl" value="{{ keycloak_modcluster.admin_url }}" />
+{% endif %}
                     </properties>
                 </provider>
             </spi>
@@ -689,7 +700,9 @@
             <inet-address value="{{ keycloak_management_port_bind_address }}"/>
         </interface>
         <interface name="jgroups">
-{% if ansible_default_ipv4 is defined %}
+{% if keycloak_jgroups_subnet is defined and keycloak_jgroups_subnet | string | length > 0 %}
+            <subnet-match value="{{ keycloak_jgroups_subnet | string }}"/>
+{% elif ansible_default_ipv4 is defined and (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') | length > 0 %}
             <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
 {% else %}
             <any-address />

roles/keycloak/templates/standalone.xml.j2

@@ -123,6 +123,14 @@
                         <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
                         <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
                     </security>
+                    <validation>
+                        <check-valid-connection-sql>{{ keycloak_jdbc[keycloak_jdbc_engine].validate_query }}</check-valid-connection-sql>
+                        <validate-on-match>{{ keycloak_db_background_validate_on_match }}</validate-on-match>
+{% if keycloak_db_background_validation_millis | int > 0 or keycloak_db_background_validation %}
+                        <background-validation>{{ keycloak_db_background_validation }}</background-validation>
+                        <background-validation-millis>{{ keycloak_db_background_validation_millis }}</background-validation-millis>
+{% endif %}
+                    </validation>
 {% else %}
                     <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
                     <driver>h2</driver>
@@ -517,7 +525,10 @@
                 <provider name="default" enabled="true">
                     <properties>
                         <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="{{ keycloak_modcluster.force_frontend_url }}"/>
+{% if keycloak_modcluster.admin_url | length > 0 %}
+                        <property name="adminUrl" value="{{ keycloak_modcluster.admin_url }}" />
+{% endif %}
                     </properties>
                 </provider>
             </spi>

roles/keycloak/vars/main.yml

@@ -14,6 +14,7 @@ keycloak:
   health_url: "{{ keycloak_management_url }}/health"
   cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh"
   config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 else 'standalone-ha.xml.j2' if keycloak_remote_cache_enabled else 'standalone.xml.j2' }}"
+  features: "{{ keycloak_features }}"
 
 # database
 keycloak_jdbc:
@@ -29,6 +30,7 @@ keycloak_jdbc:
     connection_url: "{{ keycloak_jdbc_url }}"
     db_user: "{{ keycloak_db_user }}"
     db_password: "{{ keycloak_db_pass }}"
+    validate_query: "{{ keycloak_db_valid_conn_sql | default('select 1') }}"
     initialize_db: >
       CREATE TABLE IF NOT EXISTS JGROUPSPING (
         own_addr varchar(200) NOT NULL,
@@ -39,7 +41,7 @@ keycloak_jdbc:
   mariadb:
     enabled: "{{ (keycloak_ha_enabled or keycloak_db_enabled) and keycloak_jdbc_engine == 'mariadb' }}"
     driver_class: org.mariadb.jdbc.Driver
-    xa_datasource_class: org.mariadb.jdbc.MySQLDataSource
+    xa_datasource_class: org.mariadb.jdbc.MariaDbDataSource
     driver_module_name: "org.mariadb"
     driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/mariadb/main"
     driver_version: "{{ keycloak_jdbc_driver_version }}"
@@ -48,6 +50,7 @@ keycloak_jdbc:
     connection_url: "{{ keycloak_jdbc_url }}"
     db_user: "{{ keycloak_db_user }}"
     db_password: "{{ keycloak_db_pass }}"
+    validate_query: "{{ keycloak_db_valid_conn_sql | default('select 1') }}"
     initialize_db: >
       CREATE TABLE IF NOT EXISTS JGROUPSPING (
         own_addr varchar(200) NOT NULL,
@@ -68,6 +71,7 @@ keycloak_jdbc:
     connection_url: "{{ keycloak_jdbc_url }}"
     db_user: "{{ keycloak_db_user }}"
     db_password: "{{ keycloak_db_pass }}"
+    validate_query: "{{ keycloak_db_valid_conn_sql | default('select 1') }}"
     initialize_db: >
       IF  NOT EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[JGROUPSPING]') AND type in (N'U'))
       BEGIN
@@ -84,6 +88,8 @@ keycloak_modcluster:
   enabled: "{{ keycloak_ha_enabled or keycloak_modcluster_enabled }}"
   reverse_proxy_urls: "{{ keycloak_modcluster_urls }}"
   frontend_url: "{{ keycloak_frontend_url }}"
+  force_frontend_url: "{{ keycloak_frontend_url_force }}"
+  admin_url: "{{ keycloak_admin_url | default('') }}"
 
 # infinispan
 keycloak_remotecache:
@@ -95,4 +101,4 @@ keycloak_remotecache:
   server_name: "{{ keycloak_infinispan_url }}"
   use_ssl: "{{ keycloak_infinispan_use_ssl }}"
   trust_store_path: "{{ keycloak_infinispan_trust_store_path }}"
-  trust_store_password: "{{ keycloak_infinispan_trust_store_password }}"
+  trust_store_password: "{{ keycloak_infinispan_trust_store_password }}"

roles/keycloak_quarkus/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 ### Configuration specific to keycloak
-keycloak_quarkus_version: 18.0.0
+keycloak_quarkus_version: 21.1.1
 keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
 keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"  
 keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"

roles/keycloak_quarkus/templates/keycloak.service.j2

@@ -10,7 +10,7 @@ PIDFile={{ keycloak_quarkus_service_pidfile }}
 {% if keycloak_quarkus_start_dev %}
 ExecStart={{ keycloak.home }}/bin/kc.sh start-dev
 {% else %}
-ExecStart={{ keycloak.home }}/bin/kc.sh start --auto-build --log={{ keycloak_quarkus_log }}
+ExecStart={{ keycloak.home }}/bin/kc.sh start --log={{ keycloak_quarkus_log }}
 {% endif %}
 User={{ keycloak.service_user }}