parameterize health check; refactor serial_then_parallel

Co-authored-by: Helmut Wolf <hwo@world-direct.at>
Co-authored-by: Guido Grazioli <ggraziol@redhat.com>

.ansible-lint

@@ -21,19 +21,21 @@ warn_list:
   - experimental
   - ignore-errors
   - no-handler
-  - fqcn-builtins
   - no-log-password
   - jinja[spacing]
   - jinja[invalid]
   - meta-no-tags
-  - name[template]
   - name[casing]
   - fqcn[action]
   - schema[meta]
+  - key-order[task]
+  - blocked_modules
 
 skip_list:
   - vars_should_not_be_used
   - file_is_small_enough
+  - name[template]
+  - var-naming[no-role-prefix]
 
 use_default_rules: true
 parseable: true

.github/workflows/ci.yml

@@ -5,54 +5,14 @@ on:
     branches:
       - main
   pull_request:
-
+  schedule:
-env:
+    - cron: '15 6 * * *'
-  COLORTERM: 'yes'
-  TERM: 'xterm-256color'
-  PYTEST_ADDOPTS: '--color=yes'
 
 jobs:
   ci:
-    runs-on: ubuntu-latest
+    uses: ansible-middleware/github-actions/.github/workflows/ci.yml@main
-    strategy:
+    secrets: inherit
-      matrix:
-        python_version: ["3.10"]
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v2
     with:
-          path: ansible_collections/middleware_automation/keycloak
+      fqcn: 'middleware_automation/keycloak'
-
+      molecule_tests: >-
-      - name: Set up Python ${{ matrix.python_version }}
+          [ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "quarkus_upgrade", "debian", "quarkus_ha" ]
-        uses: actions/setup-python@v4
-        with:
-          python-version: ${{ matrix.python_version }}
-          cache: 'pip'
-
-      - name: Install yamllint, ansible and molecule
-        run: |
-          python -m pip install --upgrade pip
-          pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
-          pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
-
-      - name: Create default collection path
-        run: |
-          mkdir -p /home/runner/.ansible/
-          ln -s /home/runner/work/keycloak/keycloak /home/runner/.ansible/collections
-
-      - name: Install ansible-lint custom rules
-        uses: actions/checkout@v2
-        with:
-          repository: ansible-middleware/ansible-lint-custom-rules
-          path: ansible_collections/ansible-lint-custom-rules/
-
-      - name: Run sanity tests
-        run: ansible-test sanity -v --color --python ${{ matrix.python_version }} --exclude changelogs/fragments/.gitignore --skip-test symlinks
-        working-directory: ./ansible_collections/middleware_automation/keycloak
-
-      - name: Run molecule test
-        run: molecule test --all
-        working-directory: ./ansible_collections/middleware_automation/keycloak
-        env:
-          PY_COLORS: '1'
-          ANSIBLE_FORCE_COLOR: '1'

.github/workflows/docs.yml

@@ -8,57 +8,11 @@ on:
       - "[0-9]+.[0-9]+.[0-9]+"
   workflow_dispatch:
 
-env:
-  COLORTERM: 'yes'
-  TERM: 'xterm-256color'
-  PYTEST_ADDOPTS: '--color=yes'
-
 jobs:
   docs:
-    runs-on: ubuntu-latest
+    uses: ansible-middleware/github-actions/.github/workflows/docs.yml@main
-    if: github.repository == 'ansible-middleware/keycloak'
+    secrets: inherit
-    permissions:
-      actions: write
-      checks: write
-      contents: write
-      deployments: write
-      packages: write
-      pages: write
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v2
     with:
-          path: ansible_collections/middleware_automation/keycloak
+      fqcn: 'middleware_automation/keycloak'
-          fetch-depth: 0
+      collection_fqcn: 'middleware_automation.keycloak'
-
+      historical_docs: 'false'
-      - name: Set up Python
-        uses: actions/setup-python@v4
-        with:
-          python-version: 3.9
-          cache: 'pip'
-
-      - name: Install doc dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -r ansible_collections/middleware_automation/keycloak/docs/requirements.txt
-          pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
-          sudo apt --fix-missing update
-          sudo apt install -y sed hub
-
-      - name: Create default collection path
-        run: |
-          mkdir -p /home/runner/.ansible/
-          ln -s /home/runner/work/keycloak/keycloak /home/runner/.ansible/collections
-
-      - name: Create changelog and documentation
-        uses: ansible-middleware/collection-docs-action@main
-        with:
-          collection_fqcn: middleware_automation.keycloak
-          collection_repo: ansible-middleware/keycloak
-          dependencies: false
-          commit_changelog: false
-          commit_ghpages: true
-          changelog_release: false
-          generate_docs: true
-          path: ansible_collections/middleware_automation/keycloak
-          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -2,98 +2,27 @@
 name: Release collection
 on:
   workflow_dispatch:
+    inputs:
+      release_summary:
+        description: 'Optional release summary for changelogs'
+        required: false
 
 jobs:
   release:
-    runs-on: ubuntu-latest
+    uses: ansible-middleware/github-actions/.github/workflows/release.yml@main
-    if: github.repository == 'ansible-middleware/keycloak'
-    permissions:
-      actions: write
-      checks: write
-      contents: write
-      deployments: write
-      packages: write
-      pages: write
-    outputs:
-      tag_version: ${{ steps.get_version.outputs.TAG_VERSION }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
     with:
-          fetch-depth: 0
+      collection_fqcn: 'middleware_automation.keycloak'
-          token: ${{ secrets.TRIGGERING_PAT }}
+      downstream_name: 'rhbk'
-
+      release_summary: "${{ github.event.inputs.release_summary }}"
-      - name: Set up Python
+    secrets:
-        uses: actions/setup-python@v4
+      galaxy_token: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
-        with:
+      jira_webhook: ${{ secrets.JIRA_WEBHOOK_CREATE_VERSION }}
-          python-version: "3.x"
-          cache: 'pip'
-
-      - name: Get current version
-        id: get_version
-        run: echo "::set-output name=TAG_VERSION::$(grep version galaxy.yml | awk -F'"' '{ print $2 }')"
-
-      - name: Check if tag exists
-        id: check_tag
-        run: echo "::set-output name=TAG_EXISTS::$(git tag | grep ${{ steps.get_version.outputs.TAG_VERSION }})"
-
-      - name: Fail if tag exists
-        if: ${{ steps.get_version.outputs.TAG_VERSION == steps.check_tag.outputs.TAG_EXISTS }}
-        uses: actions/github-script@v3
-        with:
-          script: |
-              core.setFailed('Release tag already exists')
-
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install ansible-core antsibull
-          sudo apt --fix-missing update
-          sudo apt install -y sed hub
-
-      - name: Build collection
-        run: |
-          ansible-galaxy collection build .
-
-      - name: Create changelog and documentation
-        uses: ansible-middleware/collection-docs-action@main
-        with:
-          collection_fqcn: middleware_automation.keycloak
-          collection_repo: ansible-middleware/keycloak
-          dependencies: false
-          commit_changelog: true
-          commit_ghpages: false
-          changelog_release: true
-          generate_docs: false
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Publish collection
-        env:
-          ANSIBLE_GALAXY_API_KEY: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
-        run: |
-          ansible-galaxy collection publish *.tar.gz --api-key $ANSIBLE_GALAXY_API_KEY
-
-      - name: Create release tag
-        run: |
-          git config user.name github-actions
-          git config user.email github-actions@github.com
-          git tag -a ${{ steps.get_version.outputs.TAG_VERSION }} -m "Release v${{ steps.get_version.outputs.TAG_VERSION }}" || true
-          git push origin --tags
-
-      - name: Publish Release
-        uses: softprops/action-gh-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ steps.get_version.outputs.TAG_VERSION }}
-          files: "*.tar.gz"
-          body_path: gh-release.md
 
   dispatch:
     needs: release
     strategy:
       matrix:
-        repo: ['ansible-middleware/cross-dc-rhsso-demo', 'ansible-middleware/flange-demo', 'ansible-middleware/ansible-middleware-ee']
+        repo: ['ansible-middleware/ansible-middleware-ee']
     runs-on: ubuntu-latest
     steps:
       - name: Repository Dispatch

.gitignore

@@ -2,6 +2,8 @@
 *.zip
 .tmp
 .cache
+.vscode/
+__pycache__/
 docs/plugins/
 docs/roles/
 docs/_build/
@@ -10,3 +12,4 @@ docs/_build/
 *.retry
 changelogs/.plugin-cache.yaml
 *.pem
+*.key

CHANGELOG.rst

@@ -1,11 +1,225 @@
-============================================
+=============================================
-middleware_automation.keycloak Release Notes
+middleware\_automation.keycloak Release Notes
-============================================
+=============================================
 
 .. contents:: Topics
 
 This changelog describes changes after version 0.2.6.
 
+v2.2.2
+======
+
+Minor Changes
+-------------
+
+- Copying of key material for TLS configuration `#210 <https://github.com/ansible-middleware/keycloak/pull/210>`_
+- Validate certs parameter for JDBC driver downloads `#207 <https://github.com/ansible-middleware/keycloak/pull/207>`_
+
+Bugfixes
+--------
+
+- Turn off controller privilege escalation `#209 <https://github.com/ansible-middleware/keycloak/pull/209>`_
+
+v2.2.1
+======
+
+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
+Bugfixes
+--------
+
+- JDBC provider: fix clause in argument validation `#204 <https://github.com/ansible-middleware/keycloak/pull/204>`_
+
+v2.2.0
+======
+
+Major Changes
+-------------
+
+- Support java keystore for configuration of sensitive options `#189 <https://github.com/ansible-middleware/keycloak/pull/189>`_
+
+Minor Changes
+-------------
+
+- Add ``wait_for_port`` and ``wait_for_log`` systemd unit logic `#199 <https://github.com/ansible-middleware/keycloak/pull/199>`_
+- Customize jdbc driver downloads, optional authentication `#202 <https://github.com/ansible-middleware/keycloak/pull/202>`_
+- Keystore-based vault SPI configuration `#196 <https://github.com/ansible-middleware/keycloak/pull/196>`_
+- New ``keycloak_quarkus_hostname_strict_https`` parameter `#195 <https://github.com/ansible-middleware/keycloak/pull/195>`_
+- Providers config and custom providers `#201 <https://github.com/ansible-middleware/keycloak/pull/201>`_
+- Remove administrator credentials from files once keycloak is bootstrapped `#197 <https://github.com/ansible-middleware/keycloak/pull/197>`_
+- Update keycloak to 24.0 `#194 <https://github.com/ansible-middleware/keycloak/pull/194>`_
+
+v2.1.2
+======
+
+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
+v2.1.1
+======
+
+Minor Changes
+-------------
+
+- Add reverse ``proxy_headers`` config, supersedes ``proxy_mode`` `#187 <https://github.com/ansible-middleware/keycloak/pull/187>`_
+- Debian/Ubuntu compatibility `#178 <https://github.com/ansible-middleware/keycloak/pull/178>`_
+- Use ``keycloak_realm`` as default for sub-entities `#180 <https://github.com/ansible-middleware/keycloak/pull/180>`_
+
+Bugfixes
+--------
+
+- Fix permissions on controller-side downloaded artifacts `#184 <https://github.com/ansible-middleware/keycloak/pull/184>`_
+- JVM args moved to ``JAVA_OPTS`` envvar (instead of JAVA_OPTS_APPEND) `#186 <https://github.com/ansible-middleware/keycloak/pull/186>`_
+- Unrelax configuration file permissions `#191 <https://github.com/ansible-middleware/keycloak/pull/191>`_
+- Utilize comment filter for ``ansible_managed`` annotations `#176 <https://github.com/ansible-middleware/keycloak/pull/176>`_
+
+v2.1.0
+======
+
+Major Changes
+-------------
+
+- Implement infinispan TCPPING discovery protocol `#159 <https://github.com/ansible-middleware/keycloak/pull/159>`_
+
+Minor Changes
+-------------
+
+- Set enable-recovery when xa transactions are enabled `#167 <https://github.com/ansible-middleware/keycloak/pull/167>`_
+- keycloak_quarkus: Allow configuring log rotate options in quarkus configuration `#161 <https://github.com/ansible-middleware/keycloak/pull/161>`_
+- keycloak_quarkus: ``sticky-session`` for infinispan routes `#163 <https://github.com/ansible-middleware/keycloak/pull/163>`_
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- keycloak_quarkus: renamed infinispan host list configuration `#157 <https://github.com/ansible-middleware/keycloak/pull/157>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: fix custom JAVA_HOME parameter name `#171 <https://github.com/ansible-middleware/keycloak/pull/171>`_
+
+v2.0.2
+======
+
+Minor Changes
+-------------
+
+- keycloak_quarkus: Add support for sqlserver jdbc driver `#148 <https://github.com/ansible-middleware/keycloak/pull/148>`_
+- keycloak_quarkus: allow configuration of ``hostname-strict-backchannel`` `#152 <https://github.com/ansible-middleware/keycloak/pull/152>`_
+- keycloak_quarkus: systemd restart behavior `#145 <https://github.com/ansible-middleware/keycloak/pull/145>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: Use ``keycloak_quarkus_java_opts`` `#154 <https://github.com/ansible-middleware/keycloak/pull/154>`_
+- keycloak_quarkus: allow ports <1024 (e.g. :443) in systemd unit `#150 <https://github.com/ansible-middleware/keycloak/pull/150>`_
+
+v2.0.1
+======
+
+Minor Changes
+-------------
+
+- keycloak_quarkus: add hostname-strict parameter `#139 <https://github.com/ansible-middleware/keycloak/pull/139>`_
+- keycloak_quarkus: update to version 23.0.1 `#133 <https://github.com/ansible-middleware/keycloak/pull/133>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: template requires lowercase boolean values `#138 <https://github.com/ansible-middleware/keycloak/pull/138>`_
+
+v2.0.0
+======
+
+Minor Changes
+-------------
+
+- Add new parameter for port offset configuration `#124 <https://github.com/ansible-middleware/keycloak/pull/124>`_
+- Update Keycloak to version 22.0.5 `#122 <https://github.com/ansible-middleware/keycloak/pull/122>`_
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- Add support for more http-related configs `#115 <https://github.com/ansible-middleware/keycloak/pull/115>`_
+- Update minimum ansible-core version > 2.14 `#119 <https://github.com/ansible-middleware/keycloak/pull/119>`_
+- keycloak_quarkus: enable config of key store and trust store `#116 <https://github.com/ansible-middleware/keycloak/pull/116>`_
+
+v1.3.0
+======
+
+Major Changes
+-------------
+
+- Run service as ``keycloak_service_user`` `#106 <https://github.com/ansible-middleware/keycloak/pull/106>`_
+
+Minor Changes
+-------------
+
+- keycloak_quarkus: Update Keycloak to version 22.0.3 `#112 <https://github.com/ansible-middleware/keycloak/pull/112>`_
+- keycloak_quarkus: fix admin console redirect when running locally `#111 <https://github.com/ansible-middleware/keycloak/pull/111>`_
+- keycloak_quarkus: skip proxy config if ``keycloak_quarkus_proxy_mode`` is ``none`` `#109 <https://github.com/ansible-middleware/keycloak/pull/109>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: fix validation failure upon port configuration change `#113 <https://github.com/ansible-middleware/keycloak/pull/113>`_
+
+v1.2.8
+======
+
+Minor Changes
+-------------
+
+- keycloak_quarkus: set openjdk 17 as default `#103 <https://github.com/ansible-middleware/keycloak/pull/103>`_
+- keycloak_quarkus: update to version 22.0.1 `#107 <https://github.com/ansible-middleware/keycloak/pull/107>`_
+
+Bugfixes
+--------
+
+- Fix incorrect checks for ``keycloak_jgroups_subnet`` `#98 <https://github.com/ansible-middleware/keycloak/pull/98>`_
+- Undefine ``keycloak_db_valid_conn_sql`` default `#91 <https://github.com/ansible-middleware/keycloak/pull/91>`_
+- Update bindep.txt package python3-devel to support RHEL9 `#105 <https://github.com/ansible-middleware/keycloak/pull/105>`_
+
+v1.2.7
+======
+
+Minor Changes
+-------------
+
+- Allow to override jgroups subnet `#93 <https://github.com/ansible-middleware/keycloak/pull/93>`_
+- keycloak-quarkus: update keycloakx to v21.1.1 `#92 <https://github.com/ansible-middleware/keycloak/pull/92>`_
+
+v1.2.6
+======
+
+Minor Changes
+-------------
+
+- Add profile features enabling/disabling `#87 <https://github.com/ansible-middleware/keycloak/pull/87>`_
+- Improve service restart behavior configuration `#88 <https://github.com/ansible-middleware/keycloak/pull/88>`_
+- Update default xa_datasource_class value for mariadb jdbc configuration `#89 <https://github.com/ansible-middleware/keycloak/pull/89>`_
+
+Bugfixes
+--------
+
+- Handle WFLYCTL0117 when background validation millis is 0 `#90 <https://github.com/ansible-middleware/keycloak/pull/90>`_
+
+v1.2.5
+======
+
+Minor Changes
+-------------
+
+- Add configuration for database connection pool validation `#85 <https://github.com/ansible-middleware/keycloak/pull/85>`_
+- Allow to configure administration endpoint URL `#86 <https://github.com/ansible-middleware/keycloak/pull/86>`_
+- Allow to force backend URLs to frontend URLs `#84 <https://github.com/ansible-middleware/keycloak/pull/84>`_
+- Introduce systemd unit restart behavior `#81 <https://github.com/ansible-middleware/keycloak/pull/81>`_
+
 v1.2.4
 ======
 
@@ -112,6 +326,11 @@ Minor Changes
 v1.0.4
 ======
 
+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
 v1.0.3
 ======
 
@@ -152,7 +371,6 @@ Release Summary
 
 Minor enhancements, bug and documentation fixes.
 
-
 Major Changes
 -------------
 
@@ -170,4 +388,3 @@ Release Summary
 ---------------
 
 This is the first stable release of the ``middleware_automation.keycloak`` collection.
-

README.md

@@ -3,13 +3,15 @@
 <!--start build_status -->
 [![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
 
+> **_NOTE:_ If you are Red Hat customer, install `redhat.sso` (for Red Hat Single Sign-On) or `redhat.rhbk` (for Red Hat Build of Keycloak) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.**
+
 <!--end build_status -->
-Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on). 
+Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) / [Red Hat Build of Keycloak](https://access.redhat.com/products/red-hat-build-of-keycloak).
 
 <!--start requires_ansible-->
 ## Ansible version compatibility
 
-This collection has been tested against following Ansible versions: **>=2.9.10**.
+This collection has been tested against following Ansible versions: **>=2.14.0**.
 
 Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
 <!--end requires_ansible-->
@@ -42,33 +44,34 @@ A requirement file is provided to install:
 
     pip install -r requirements.txt
 
-
+<!--start roles_paths -->
 ### Included roles
 
-* [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service.
+* [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service (keycloak <= 19.0).
 * [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
 * [`keycloak_quarkus`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md): role for installing the quarkus variant of keycloak (>= 17.0.0).
-
+<!--end roles_paths -->
 
 ## Usage
 
 
 ### Install Playbook
-
+<!--start rhbk_playbook -->
-* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs based on the defined variables (using most defaults).
+* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs keycloak legacy based on the defined variables (using most defaults).
+* [`playbooks/keycloak_quarkus.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_quarkus.yml) installs keycloak >= 17 based on the defined variables (using most defaults).
   
 Both playbooks include the `keycloak` role, with different settings, as described in the following sections.
 
 For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md).
-
+<!--end rhbk_playbook -->
 
 #### Install from controller node (offline)
 
-Making the keycloak zip archive available to the playbook working directory, and setting `keycloak_offline_install` to `True`, allows to skip
+Making the keycloak zip archive available to the playbook working directory, and setting `keycloak_offline_install` to `true`, allows to skip
 the download tasks. The local path for the archive does match the downloaded archive path, so that it is also used as a cache when multiple hosts are provisioned in a cluster.
 
 ```yaml
-keycloak_offline_install: True
+keycloak_offline_install: true
 ```
 
 
@@ -104,9 +107,9 @@ Note: when deploying clustered configurations, all hosts belonging to the cluste
 
 
 ### Config Playbook
-
+<!--start rhbk_realm_playbook -->
 [`playbooks/keycloak_realm.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
-
+<!--end rhbk_realm_playbook -->
 
 ### Example configuration command
 
@@ -124,9 +127,9 @@ ansible-playbook -i <ansible_hosts> playbooks/keycloak_realm.yml -e keycloak_adm
   [keycloak]
   localhost ansible_connection=local
   ```
-
+<!--start rhbk_realm_readme -->
 For full configuration details, refer to the [keycloak_realm role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md).
-
+<!--end rhbk_realm_readme -->
 
 <!--start support -->
 <!--end support -->
@@ -135,6 +138,7 @@ For full configuration details, refer to the [keycloak_realm role README](https:
 ## License
 
 Apache License v2.0 or later
-
+<!--start license -->
 See [LICENSE](LICENSE) to view the full text.
+<!--end license -->
 

bindep.txt

@@ -1,7 +1,9 @@
-python39-devel [platform:rpm compile]
+python3-dev [compile platform:dpkg]
-git-lfs [platform:rpm]
+python3-devel [compile platform:rpm]
-python3-netaddr [platform:rpm]
+python39-devel [compile platform:centos-8 platform:rhel-8]
-python3-lxml [platform:rpm]
+git-lfs [platform:rpm platform:dpkg]
-python3-jmespath [platform:rpm]
+python3-netaddr [platform:rpm platform:dpkg]
-python3-requests [platform:rpm]
+python3-lxml [platform:rpm platform:dpkg]
+python3-jmespath [platform:rpm platform:dpkg]
+python3-requests [platform:rpm platform:dpkg]
 

changelogs/changelog.yaml

@@ -59,6 +59,10 @@ releases:
     - 31.yaml
     release_date: '2022-05-09'
   1.0.4:
+    changes:
+      release_summary: 'Internal release, documentation or test changes only.
+
+        '
     release_date: '2022-05-11'
   1.0.5:
     changes:
@@ -203,3 +207,328 @@ releases:
     - 77.yaml
     - 78.yaml
     release_date: '2023-05-09'
+  1.2.5:
+    changes:
+      minor_changes:
+      - 'Add configuration for database connection pool validation `#85 <https://github.com/ansible-middleware/keycloak/pull/85>`_
+
+        '
+      - 'Allow to configure administration endpoint URL `#86 <https://github.com/ansible-middleware/keycloak/pull/86>`_
+
+        '
+      - 'Allow to force backend URLs to frontend URLs `#84 <https://github.com/ansible-middleware/keycloak/pull/84>`_
+
+        '
+      - 'Introduce systemd unit restart behavior `#81 <https://github.com/ansible-middleware/keycloak/pull/81>`_
+
+        '
+    fragments:
+    - 81.yaml
+    - 84.yaml
+    - 85.yaml
+    - 86.yaml
+    release_date: '2023-05-26'
+  1.2.6:
+    changes:
+      bugfixes:
+      - 'Handle WFLYCTL0117 when background validation millis is 0 `#90 <https://github.com/ansible-middleware/keycloak/pull/90>`_
+
+        '
+      minor_changes:
+      - 'Add profile features enabling/disabling `#87 <https://github.com/ansible-middleware/keycloak/pull/87>`_
+
+        '
+      - 'Improve service restart behavior configuration `#88 <https://github.com/ansible-middleware/keycloak/pull/88>`_
+
+        '
+      - 'Update default xa_datasource_class value for mariadb jdbc configuration `#89
+        <https://github.com/ansible-middleware/keycloak/pull/89>`_
+
+        '
+    fragments:
+    - 87.yaml
+    - 88.yaml
+    - 89.yaml
+    - 90.yaml
+    release_date: '2023-06-07'
+  1.2.7:
+    changes:
+      minor_changes:
+      - 'Allow to override jgroups subnet `#93 <https://github.com/ansible-middleware/keycloak/pull/93>`_
+
+        '
+      - 'keycloak-quarkus: update keycloakx to v21.1.1 `#92 <https://github.com/ansible-middleware/keycloak/pull/92>`_
+
+        '
+    fragments:
+    - 92.yaml
+    - 93.yaml
+    release_date: '2023-06-19'
+  1.2.8:
+    changes:
+      bugfixes:
+      - 'Fix incorrect checks for ``keycloak_jgroups_subnet`` `#98 <https://github.com/ansible-middleware/keycloak/pull/98>`_
+
+        '
+      - 'Undefine ``keycloak_db_valid_conn_sql`` default `#91 <https://github.com/ansible-middleware/keycloak/pull/91>`_
+
+        '
+      - 'Update bindep.txt package python3-devel to support RHEL9 `#105 <https://github.com/ansible-middleware/keycloak/pull/105>`_
+
+        '
+      minor_changes:
+      - 'keycloak_quarkus: set openjdk 17 as default `#103 <https://github.com/ansible-middleware/keycloak/pull/103>`_
+
+        '
+      - 'keycloak_quarkus: update to version 22.0.1 `#107 <https://github.com/ansible-middleware/keycloak/pull/107>`_
+
+        '
+    fragments:
+    - 103.yaml
+    - 105.yaml
+    - 107.yaml
+    - 91.yaml
+    - 98.yaml
+    release_date: '2023-08-28'
+  1.3.0:
+    changes:
+      bugfixes:
+      - 'keycloak_quarkus: fix validation failure upon port configuration change `#113
+        <https://github.com/ansible-middleware/keycloak/pull/113>`_
+
+        '
+      major_changes:
+      - 'Run service as ``keycloak_service_user`` `#106 <https://github.com/ansible-middleware/keycloak/pull/106>`_
+
+        '
+      minor_changes:
+      - 'keycloak_quarkus: Update Keycloak to version 22.0.3 `#112 <https://github.com/ansible-middleware/keycloak/pull/112>`_
+
+        '
+      - 'keycloak_quarkus: fix admin console redirect when running locally `#111 <https://github.com/ansible-middleware/keycloak/pull/111>`_
+
+        '
+      - 'keycloak_quarkus: skip proxy config if ``keycloak_quarkus_proxy_mode`` is
+        ``none`` `#109 <https://github.com/ansible-middleware/keycloak/pull/109>`_
+
+        '
+    fragments:
+    - 106.yaml
+    - 109.yaml
+    - 111.yaml
+    - 112.yaml
+    - 113.yaml
+    release_date: '2023-09-25'
+  2.0.0:
+    changes:
+      breaking_changes:
+      - 'Add support for more http-related configs `#115 <https://github.com/ansible-middleware/keycloak/pull/115>`_
+
+        '
+      - 'Update minimum ansible-core version > 2.14 `#119 <https://github.com/ansible-middleware/keycloak/pull/119>`_
+
+        '
+      - 'keycloak_quarkus: enable config of key store and trust store `#116 <https://github.com/ansible-middleware/keycloak/pull/116>`_
+
+        '
+      minor_changes:
+      - 'Add new parameter for port offset configuration `#124 <https://github.com/ansible-middleware/keycloak/pull/124>`_
+
+        '
+      - 'Update Keycloak to version 22.0.5 `#122 <https://github.com/ansible-middleware/keycloak/pull/122>`_
+
+        '
+    fragments:
+    - 115.yaml
+    - 116.yaml
+    - 119.yaml
+    - 122.yaml
+    - 124.yaml
+    release_date: '2023-11-20'
+  2.0.1:
+    changes:
+      bugfixes:
+      - 'keycloak_quarkus: template requires lowercase boolean values `#138 <https://github.com/ansible-middleware/keycloak/pull/138>`_
+
+        '
+      minor_changes:
+      - 'keycloak_quarkus: add hostname-strict parameter `#139 <https://github.com/ansible-middleware/keycloak/pull/139>`_
+
+        '
+      - 'keycloak_quarkus: update to version 23.0.1 `#133 <https://github.com/ansible-middleware/keycloak/pull/133>`_
+
+        '
+    fragments:
+    - 133.yaml
+    - 138.yaml
+    - 139.yaml
+    release_date: '2023-12-07'
+  2.0.2:
+    changes:
+      bugfixes:
+      - 'keycloak_quarkus: Use ``keycloak_quarkus_java_opts`` `#154 <https://github.com/ansible-middleware/keycloak/pull/154>`_
+
+        '
+      - 'keycloak_quarkus: allow ports <1024 (e.g. :443) in systemd unit `#150 <https://github.com/ansible-middleware/keycloak/pull/150>`_
+
+        '
+      minor_changes:
+      - 'keycloak_quarkus: Add support for sqlserver jdbc driver `#148 <https://github.com/ansible-middleware/keycloak/pull/148>`_
+
+        '
+      - 'keycloak_quarkus: allow configuration of ``hostname-strict-backchannel``
+        `#152 <https://github.com/ansible-middleware/keycloak/pull/152>`_
+
+        '
+      - 'keycloak_quarkus: systemd restart behavior `#145 <https://github.com/ansible-middleware/keycloak/pull/145>`_
+
+        '
+    fragments:
+    - 145.yaml
+    - 148.yaml
+    - 150.yaml
+    - 152.yaml
+    - 154.yaml
+    release_date: '2024-01-17'
+  2.1.0:
+    changes:
+      breaking_changes:
+      - 'keycloak_quarkus: renamed infinispan host list configuration `#157 <https://github.com/ansible-middleware/keycloak/pull/157>`_
+
+        '
+      bugfixes:
+      - 'keycloak_quarkus: fix custom JAVA_HOME parameter name `#171 <https://github.com/ansible-middleware/keycloak/pull/171>`_
+
+        '
+      major_changes:
+      - 'Implement infinispan TCPPING discovery protocol `#159 <https://github.com/ansible-middleware/keycloak/pull/159>`_
+
+        '
+      minor_changes:
+      - 'Set enable-recovery when xa transactions are enabled `#167 <https://github.com/ansible-middleware/keycloak/pull/167>`_
+
+        '
+      - 'keycloak_quarkus: Allow configuring log rotate options in quarkus configuration
+        `#161 <https://github.com/ansible-middleware/keycloak/pull/161>`_
+
+        '
+      - 'keycloak_quarkus: ``sticky-session`` for infinispan routes `#163 <https://github.com/ansible-middleware/keycloak/pull/163>`_
+
+        '
+    fragments:
+    - 157.yaml
+    - 159.yaml
+    - 161.yaml
+    - 163.yaml
+    - 167.yaml
+    - 171.yaml
+    release_date: '2024-02-28'
+  2.1.1:
+    changes:
+      bugfixes:
+      - 'Fix permissions on controller-side downloaded artifacts `#184 <https://github.com/ansible-middleware/keycloak/pull/184>`_
+
+        '
+      - 'JVM args moved to ``JAVA_OPTS`` envvar (instead of JAVA_OPTS_APPEND) `#186
+        <https://github.com/ansible-middleware/keycloak/pull/186>`_
+
+        '
+      - 'Unrelax configuration file permissions `#191 <https://github.com/ansible-middleware/keycloak/pull/191>`_
+
+        '
+      - 'Utilize comment filter for ``ansible_managed`` annotations `#176 <https://github.com/ansible-middleware/keycloak/pull/176>`_
+
+        '
+      minor_changes:
+      - 'Add reverse ``proxy_headers`` config, supersedes ``proxy_mode`` `#187 <https://github.com/ansible-middleware/keycloak/pull/187>`_
+
+        '
+      - 'Debian/Ubuntu compatibility `#178 <https://github.com/ansible-middleware/keycloak/pull/178>`_
+
+        '
+      - 'Use ``keycloak_realm`` as default for sub-entities `#180 <https://github.com/ansible-middleware/keycloak/pull/180>`_
+
+        '
+    fragments:
+    - 176.yaml
+    - 178.yaml
+    - 180.yaml
+    - 184.yaml
+    - 186.yaml
+    - 187.yaml
+    - 191.yaml
+    release_date: '2024-04-17'
+  2.1.2:
+    changes:
+      release_summary: 'Internal release, documentation or test changes only.
+
+        '
+    release_date: '2024-04-17'
+  2.2.0:
+    changes:
+      major_changes:
+      - 'Support java keystore for configuration of sensitive options `#189 <https://github.com/ansible-middleware/keycloak/pull/189>`_
+
+        '
+      minor_changes:
+      - 'Add ``wait_for_port`` and ``wait_for_log`` systemd unit logic `#199 <https://github.com/ansible-middleware/keycloak/pull/199>`_
+
+        '
+      - 'Customize jdbc driver downloads, optional authentication `#202 <https://github.com/ansible-middleware/keycloak/pull/202>`_
+
+        '
+      - 'Keystore-based vault SPI configuration `#196 <https://github.com/ansible-middleware/keycloak/pull/196>`_
+
+        '
+      - 'New ``keycloak_quarkus_hostname_strict_https`` parameter `#195 <https://github.com/ansible-middleware/keycloak/pull/195>`_
+
+        '
+      - 'Providers config and custom providers `#201 <https://github.com/ansible-middleware/keycloak/pull/201>`_
+
+        '
+      - 'Remove administrator credentials from files once keycloak is bootstrapped
+        `#197 <https://github.com/ansible-middleware/keycloak/pull/197>`_
+
+        '
+      - 'Update keycloak to 24.0 `#194 <https://github.com/ansible-middleware/keycloak/pull/194>`_
+
+        '
+    fragments:
+    - 189.yaml
+    - 194.yaml
+    - 195.yaml
+    - 196.yaml
+    - 197.yaml
+    - 199.yaml
+    - 201.yaml
+    - 202.yaml
+    release_date: '2024-05-01'
+  2.2.1:
+    changes:
+      bugfixes:
+      - 'JDBC provider: fix clause in argument validation `#204 <https://github.com/ansible-middleware/keycloak/pull/204>`_
+
+        '
+      release_summary: Internal release, documentation or test changes only.
+    fragments:
+    - 204.yaml
+    - v2.2.1-devel_summary.yaml
+    release_date: '2024-05-02'
+  2.2.2:
+    changes:
+      bugfixes:
+      - 'Turn off controller privilege escalation `#209 <https://github.com/ansible-middleware/keycloak/pull/209>`_
+
+        '
+      minor_changes:
+      - 'Copying of key material for TLS configuration `#210 <https://github.com/ansible-middleware/keycloak/pull/210>`_
+
+        '
+      - 'Validate certs parameter for JDBC driver downloads `#207 <https://github.com/ansible-middleware/keycloak/pull/207>`_
+
+        '
+    fragments:
+    - 207.yaml
+    - 209.yaml
+    - 210.yaml
+    release_date: '2024-05-06'

changelogs/config.yaml

@@ -11,21 +11,21 @@ notesdir: fragments
 prelude_section_name: release_summary
 prelude_section_title: Release Summary
 sections:
-- - major_changes
+  - - major_changes
     - Major Changes
-- - minor_changes
+  - - minor_changes
     - Minor Changes
-- - breaking_changes
+  - - breaking_changes
     - Breaking Changes / Porting Guide
-- - deprecated_features
+  - - deprecated_features
     - Deprecated Features
-- - removed_features
+  - - removed_features
     - Removed Features
-- - security_fixes
+  - - security_fixes
     - Security Fixes
-- - bugfixes
+  - - bugfixes
     - Bugfixes
-- - known_issues
+  - - known_issues
     - Known Issues
 title: middleware_automation.keycloak
 trivial_section_name: trivial

docs/_gh_include/header.inc

@@ -24,14 +24,15 @@
         <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
             <p class="caption" role="heading"><span class="caption-text">Middleware Automation</span></p>
             <ul>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/infinispan/">Infinispan / Red Hat Data Grid</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/infinispan/main/">Infinispan / Red Hat Data Grid</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/keycloak/">Keycloak / Red Hat Single Sign-On</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/keycloak/main/">Keycloak / Red Hat Single Sign-On</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/wildfly/">Wildfly / Red Hat JBoss EAP</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/wildfly/main/">Wildfly / Red Hat JBoss EAP</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/jws/">Tomcat / Red Hat JWS</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/jws/main/">Tomcat / Red Hat JWS</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq/">ActiveMQ / Red Hat AMQ Broker</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq/main/">ActiveMQ / Red Hat AMQ Broker</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq_streams/">Kafka / Red Hat AMQ Streams</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq_streams/main/">Kafka / Red Hat AMQ Streams</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/redhat-csp-download/">Red Hat CSP Download</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/common/main/">Ansible Middleware utilities</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/ansible_collections_jcliff/">JCliff</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/redhat-csp-download/main/">Red Hat CSP Download</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/ansible_collections_jcliff/main/">JCliff</a></li>
             </ul>
         </div>
       </div>

docs/conf.py

@@ -43,6 +43,7 @@ extensions = [
     'myst_parser',
     'sphinx.ext.autodoc',
     'sphinx.ext.intersphinx',
+    'sphinx_antsibull_ext',
     'ansible_basic_sphinx_ext',
 ]
 
@@ -71,7 +72,7 @@ language = None
 exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store', '.tmp']
 
 # The name of the Pygments (syntax highlighting) style to use.
-pygments_style = 'sphinx'
+pygments_style = 'ansible'
 
 highlight_language = 'YAML+Jinja'
 

docs/index.rst

@@ -29,11 +29,12 @@ Welcome to Keycloak Collection documentation
    :maxdepth: 2
    :caption: Middleware collections
 
-   Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/>
+   Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/>
-   Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/>
+   Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/main/>
-   Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/>
+   Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/main/>
-   Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/>
+   Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/main/>
-   ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/>
+   ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/main/>
-   Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/>
+   Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/main/>
-   Red Hat CSP Download <https://ansible-middleware.github.io/redhat-csp-download/>
+   Ansible Middleware utilities <https://ansible-middleware.github.io/common/main/>
-   JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/>
+   Red Hat CSP Download <https://ansible-middleware.github.io/redhat-csp-download/main/>
+   JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/main/>

docs/requirements.txt

@@ -2,6 +2,7 @@ antsibull>=0.17.0
 antsibull-docs
 antsibull-changelog
 ansible-core>=2.14.1
+ansible-pygments
 sphinx-rtd-theme
 git+https://github.com/felixfontein/ansible-basic-sphinx-ext
 myst-parser

galaxy.yml

@@ -1,12 +1,13 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "1.2.4"
+version: "2.3.0"
 readme: README.md
 authors:
   - Romain Pelisse <rpelisse@redhat.com>
   - Guido Grazioli <ggraziol@redhat.com>
   - Pavan Kumar Motaparthi <pmotapar@redhat.com>
+  - Helmut Wolf <hwo@world-direct.at>
 description: Install and configure a keycloak, or Red Hat Single Sign-on, service.
 license_file: "LICENSE"
 tags:
@@ -25,7 +26,7 @@ tags:
   - middleware
   - a4mw
 dependencies:
-  "middleware_automation.common": ">=1.0.0"
+  "middleware_automation.common": ">=1.2.1"
   "ansible.posix": ">=1.4.0"
 repository: https://github.com/ansible-middleware/keycloak
 documentation: https://ansible-middleware.github.io/keycloak
@@ -34,7 +35,6 @@ issues: https://github.com/ansible-middleware/keycloak/issues
 build_ignore:
   - .gitignore
   - .github
-  - .ansible-lint
   - .yamllint
   - '*.tar.gz'
   - '*.zip'

meta/runtime.yml

@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.9.10"
+requires_ansible: ">=2.14.0"

molecule/debian/converge.yml

@@ -0,0 +1,41 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_realm: TestRealm
+    keycloak_quarkus_log: file
+    keycloak_quarkus_frontend_url: 'http://localhost:8080/'
+    keycloak_quarkus_start_dev: True
+    keycloak_quarkus_proxy_mode: none
+    keycloak_client_default_roles:
+      - TestRoleAdmin
+      - TestRoleUser
+    keycloak_client_users:
+      - username: TestUser
+        password: password
+        client_roles:
+          - client: TestClient
+            role: TestRoleUser
+      - username: TestAdmin
+        password: password
+        client_roles:
+          - client: TestClient
+            role: TestRoleUser
+          - client: TestClient
+            role: TestRoleAdmin
+    keycloak_clients:
+      - name: TestClient
+        roles: "{{ keycloak_client_default_roles }}"
+        public_client: "{{ keycloak_client_public }}"
+        web_origins: "{{ keycloak_client_web_origins }}"
+        users: "{{ keycloak_client_users }}"
+        client_id: TestClient
+        attributes:
+          post.logout.redirect.uris: '/public/logout'
+  roles:
+    - role: keycloak_quarkus
+    - role: keycloak_realm
+      keycloak_realm: TestRealm
+      keycloak_admin_password: "remembertochangeme"
+      keycloak_context: ''

molecule/debian/molecule.yml

@@ -0,0 +1,48 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: ghcr.io/hspaans/molecule-containers:debian-11
+    pre_build_image: true
+    privileged: true
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "8009/tcp"
+    cgroupns_mode: host
+    command: "/lib/systemd/systemd"
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: /usr/bin/python3
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+    ANSIBLE_REMOTE_TMP: /tmp/.ansible/tmp
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/debian/prepare.yml

@@ -0,0 +1,11 @@
+---
+- name: Prepare
+  hosts: all
+  gather_facts: yes
+  tasks:
+    - name: Install sudo
+      ansible.builtin.apt:
+        name:
+          - sudo
+          - openjdk-17-jdk-headless
+        state: present

molecule/debian/roles

@@ -0,0 +1 @@
+../../roles

molecule/debian/verify.yml

@@ -0,0 +1,40 @@
+---
+- name: Verify
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
+    keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
+    keycloak_jboss_port_offset: 10
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+
+    - name: Verify openid config
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.shell: |
+            set -o pipefail
+            curl http://localhost:8080/realms/master/.well-known/openid-configuration -k | jq .
+          args:
+            executable: /bin/bash
+          delegate_to: localhost
+          register: openid_config
+          changed_when: False
+        - name: Verify endpoint URLs
+          ansible.builtin.assert:
+            that:
+              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'http://localhost:8080/realms/master/protocol/openid-connect/ext/ciba/auth'
+              - (openid_config.stdout | from_json)['issuer'] == 'http://localhost:8080/realms/master'
+              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/auth'
+              - (openid_config.stdout | from_json)['token_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/token'
+          delegate_to: localhost
+      when:
+        - hera_home is defined
+        - hera_home | length == 0

molecule/default/converge.yml

@@ -10,6 +10,8 @@
         port: 16667
       - host: myhost2
         port: 16668
+    keycloak_jboss_port_offset: 10
+    keycloak_log_target: /tmp/keycloak
   roles:
     - role: keycloak
   tasks:
@@ -50,7 +52,7 @@
   pre_tasks:
     - name: "Retrieve assets server from env"
       ansible.builtin.set_fact:
-        assets_server: "{{ lookup('env','MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
+        assets_server: "{{ lookup('env', 'MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
 
     - name: "Set offline when assets server from env is defined"
       ansible.builtin.set_fact:

molecule/default/molecule.yml

@@ -1,12 +1,6 @@
 ---
-dependency:
-  name: shell
-  command: ansible-galaxy collection install -r molecule/requirements.yml -p $HOME/.ansible/collections --force-with-deps
 driver:
   name: docker
-lint: |
-  ansible-lint --version
-  ansible-lint -v
 platforms:
   - name: instance
     image: registry.access.redhat.com/ubi8/ubi-init:latest
@@ -38,11 +32,8 @@ verifier:
   name: ansible
 scenario:
   test_sequence:
-    - dependency
-    - lint
     - cleanup
     - destroy
-    - syntax
     - create
     - prepare
     - converge

molecule/default/prepare.yml

@@ -1,16 +1,9 @@
 ---
 - name: Prepare
   hosts: all
-  tasks:
+  gather_facts: yes
-    - name: Install sudo
+  vars:
-      ansible.builtin.yum:
+    sudo_pkg_name: sudo
-        name:
-          - sudo
-          - java-1.8.0-openjdk
-        state: present
-
-- name: Prepare
-  hosts: all
   tasks:
     - name: "Run preparation common to all scenario"
       ansible.builtin.include_tasks: ../prepare.yml
@@ -18,3 +11,19 @@
         assets:
           - "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip"
           - "{{ assets_server }}/sso/7.6.1/rh-sso-7.6.1-patch.zip"
+
+    - name: Install JDK8
+      become: yes
+      ansible.builtin.yum:
+        name:
+          - java-1.8.0-openjdk
+        state: present
+      when: ansible_facts['os_family'] == "RedHat"
+
+    - name: Install JDK8
+      become: yes
+      ansible.builtin.apt:
+        name:
+          - openjdk-8-jdk
+        state: present
+      when: ansible_facts['os_family'] == "Debian"

molecule/default/verify.yml

@@ -4,8 +4,9 @@
   vars:
     keycloak_admin_password: "remembertochangeme"
     keycloak_jvm_package: java-11-openjdk-headless
-    keycloak_uri: http://localhost:8080
+    keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
-    keycloak_management_port: http://localhost:9990
+    keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
+    keycloak_jboss_port_offset: 10
   tasks:
     - name: Populate service facts
       ansible.builtin.service_facts:
@@ -14,9 +15,12 @@
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"
           - ansible_facts.services["keycloak.service"]["status"] == "enabled"
-    - name: Verify we are running on requested jvm
+    - name: Verify we are running on requested jvm # noqa blocked_modules command-instead-of-module
-      shell: |
+      ansible.builtin.shell: |
-        ps -ef | grep /usr/lib/jvm/java-11 | grep -v grep
+        set -o pipefail
+        ps -ef | grep '/etc/alternatives/jre_11/' | grep -v grep
+      args:
+        executable: /bin/bash
       changed_when: no
     - name: Verify token api call
       ansible.builtin.uri:
@@ -48,9 +52,38 @@
         headers:
           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
       register: keycloak_query_clients
-    - debug:
-        msg: "{{ keycloak_query_clients.json | selectattr('clientId','equalto','TestClient') }}"
     - name: Verify expected config
       ansible.builtin.assert:
         that:
           - (keycloak_query_clients.json | selectattr('clientId','equalto','TestClient') | first)["attributes"]["post.logout.redirect.uris"] == '/public/logout'
+    - name: "Privilege escalation as some files/folders may requires it"
+      become: yes
+      block:
+        - name: Check log folder
+          ansible.builtin.stat:
+            path: "/tmp/keycloak"
+          register: keycloak_log_folder
+        - name: Check that keycloak log folder exists and is a link
+          ansible.builtin.assert:
+            that:
+              - keycloak_log_folder.stat.exists
+              - not keycloak_log_folder.stat.isdir
+              - keycloak_log_folder.stat.islnk
+        - name: Check log file
+          ansible.builtin.stat:
+            path: "/tmp/keycloak/server.log"
+          register: keycloak_log_file
+        - name: Check if keycloak file exists
+          ansible.builtin.assert:
+            that:
+              - keycloak_log_file.stat.exists
+              - not keycloak_log_file.stat.isdir
+        - name: Check default log folder
+          ansible.builtin.stat:
+            path: "/var/log/keycloak"
+          register: keycloak_default_log_folder
+          failed_when: false
+        - name: Check that default keycloak log folder doesn't exist
+          ansible.builtin.assert:
+            that:
+              - not keycloak_default_log_folder.stat.exists

molecule/https_revproxy/converge.yml

@@ -0,0 +1,16 @@
+---
+- name: Converge
+  hosts: all
+  vars: 
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_realm: TestRealm
+    keycloak_quarkus_host: instance
+    keycloak_quarkus_log: file
+    keycloak_quarkus_http_enabled: True
+    keycloak_quarkus_http_port: 8080
+    keycloak_quarkus_proxy_mode: edge
+    keycloak_quarkus_http_relative_path: /
+    keycloak_quarkus_frontend_url: https://proxy/
+  roles:
+    - role: keycloak_quarkus

molecule/https_revproxy/molecule.yml

@@ -0,0 +1,57 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    networks:
+      - name: keycloak
+    port_bindings:
+      - "8080/tcp"
+    published_ports:
+      - 0.0.0.0:8080:8080/tcp
+  - name: proxy
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    networks:
+      - name: keycloak
+    port_bindings:
+      - "443/tcp"
+    published_ports:
+      - 0.0.0.0:443:443/tcp
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/https_revproxy/prepare.yml

@@ -0,0 +1,49 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Install sudo
+      ansible.builtin.dnf:
+        name: sudo
+        state: present
+
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+- name: Prepare proxy
+  hosts: proxy
+  vars:
+    nginx_proxy: |
+      location / {
+          proxy_set_header        Host $host;
+          proxy_set_header        X-Real-IP $remote_addr;
+          proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header        X-Forwarded-Proto $scheme;
+          proxy_pass              http://instance:8080;
+      }
+  roles:
+    - elan.simple_nginx_reverse_proxy
+  pre_tasks:
+    - name: Create certificate request
+      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=proxy'
+      delegate_to: localhost
+      changed_when: false
+    - name: Make certificate directory
+      ansible.builtin.file:
+        path: /etc/nginx/tls
+        state: directory
+        mode: 0755
+    - name: Copy certificates
+      ansible.builtin.copy:
+        src: "{{ item.name }}"
+        dest: "{{ item.dest }}"
+        mode: 0444
+      become: true
+      loop:
+        - { name: 'cert.pem', dest: '/etc/nginx/tls/certificate.crt' }
+        - { name: 'key.pem', dest: '/etc/nginx/tls/certificate.key' }
+    - name: Update CA trust
+      ansible.builtin.command: update-ca-trust
+      changed_when: false
+      become: true

molecule/https_revproxy/roles

@@ -0,0 +1 @@
+../../roles

molecule/https_revproxy/verify.yml

@@ -0,0 +1,28 @@
+---
+- name: Verify
+  hosts: instance
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+
+    - name: Verify openid config
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.uri:
+            url: http://localhost:8080/realms/master/.well-known/openid-configuration
+            validate_certs: false
+            headers:
+              Host: proxy
+          register: openid_config
+          changed_when: False
+        - name: Verify endpoint URLs
+          ansible.builtin.assert:
+            that:
+              - openid_config.json['issuer'] == 'https://proxy/realms/master'
+              - openid_config.json['authorization_endpoint'] == 'https://proxy/realms/master/protocol/openid-connect/auth'

molecule/overridexml/converge.yml

@@ -6,49 +6,6 @@
     keycloak_config_override_template: custom.xml.j2
     keycloak_http_port: 8081
     keycloak_management_http_port: 19990
+    keycloak_service_runas: True
   roles:
     - role: keycloak
-  tasks:
-    - name: Keycloak Realm Role
-      ansible.builtin.include_role:
-        name: keycloak_realm
-      vars:
-        keycloak_client_default_roles:
-          - TestRoleAdmin
-          - TestRoleUser
-        keycloak_client_users:
-          - username: TestUser
-            password: password
-            client_roles:
-              - client: TestClient
-                role: TestRoleUser
-                realm: "{{ keycloak_realm }}"
-          - username: TestAdmin
-            password: password
-            client_roles:
-              - client: TestClient
-                role: TestRoleUser
-                realm: "{{ keycloak_realm }}"
-              - client: TestClient
-                role: TestRoleAdmin
-                realm: "{{ keycloak_realm }}"
-        keycloak_realm: TestRealm
-        keycloak_clients:
-          - name: TestClient
-            roles: "{{ keycloak_client_default_roles }}"
-            realm: "{{ keycloak_realm }}"
-            public_client: "{{ keycloak_client_public }}"
-            web_origins: "{{ keycloak_client_web_origins }}"
-            users: "{{ keycloak_client_users }}"
-            client_id: TestClient
-  pre_tasks:
-    - name: "Retrieve assets server from env"
-      ansible.builtin.set_fact:
-        assets_server: "{{ lookup('env','MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
-
-    - name: "Set offline when assets server from env is defined"
-      ansible.builtin.set_fact:
-        sso_offline_install: True
-      when:
-        - assets_server is defined
-        - assets_server | length > 0

molecule/overridexml/molecule.yml

@@ -1,12 +1,6 @@
 ---
-dependency:
-  name: shell
-  command: ansible-galaxy collection install -r molecule/requirements.yml -p $HOME/.ansible/collections --force-with-deps
 driver:
   name: docker
-lint: |
-  ansible-lint --version
-  ansible-lint -v
 platforms:
   - name: instance
     image: registry.access.redhat.com/ubi8/ubi-init:latest
@@ -38,11 +32,8 @@ verifier:
   name: ansible
 scenario:
   test_sequence:
-    - dependency
-    - lint
     - cleanup
     - destroy
-    - syntax
     - create
     - prepare
     - converge

molecule/overridexml/prepare.yml

@@ -1,6 +1,9 @@
 ---
 - name: Prepare
   hosts: all
+  gather_facts: yes
+  vars:
+    sudo_pkg_name: sudo
   tasks:
     - name: "Run preparation common to all scenario"
       ansible.builtin.include_tasks: ../prepare.yml

molecule/overridexml/templates/custom.xml.j2

@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+<!-- this is a custom file -->
 <server xmlns="urn:jboss:domain:16.0">
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
@@ -44,7 +44,7 @@
         </audit-log>
         <management-interfaces>
             <http-interface http-authentication-factory="management-http-authentication">
-                <http-upgrade enabled="true"/>
+                <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
                 <socket-binding http="management-http"/>
             </http-interface>
         </management-interfaces>
@@ -481,8 +481,8 @@
                 <default-provider>default</default-provider>
                 <provider name="default" enabled="true">
                     <properties>
-                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
+                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
                     </properties>
                 </provider>
             </spi>
@@ -520,7 +520,8 @@
         <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
             <buffer-cache name="default"/>
             <server name="default-server">
-                <http-listener name="default" socket-binding="http"/>
+                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
+                <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
                 <host name="default-host" alias="localhost">
                     <location name="/" handler="welcome-content"/>
                     <http-invoker http-authentication-factory="application-http-authentication"/>
@@ -533,20 +534,25 @@
             <handlers>
                 <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
             </handlers>
+            <application-security-domains>
+                <application-security-domain name="other" security-domain="ApplicationDomain"/>
+            </application-security-domains>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
     </profile>
     <interfaces>
         <interface name="management">
-            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
+            <inet-address value="127.0.0.1"/>
         </interface>
         <interface name="public">
-            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
+            <inet-address value="127.0.0.1"/>
         </interface>
     </interfaces>
     <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
         <socket-binding name="http" port="8081"/>
+        <socket-binding name="https" port="8443"/>
         <socket-binding name="management-http" interface="management" port="19990"/>
+        <socket-binding name="management-https" interface="management" port="19991"/>
         <socket-binding name="txn-recovery-environment" port="4712"/>
         <socket-binding name="txn-status-manager" port="4713"/>
         <outbound-socket-binding name="mail-smtp">

molecule/overridexml/verify.yml

@@ -1,6 +1,10 @@
 ---
 - name: Verify
   hosts: all
+  vars:
+    keycloak_uri: "http://localhost:8081"
+    keycloak_management_port: "http://localhost:19990"
+    keycloak_admin_password: "remembertochangeme"
   tasks:
     - name: Populate service facts
       ansible.builtin.service_facts:
@@ -9,3 +13,20 @@
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"
           - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+    - name: Verify we are running on requested jvm # noqa blocked_modules command-instead-of-module
+      ansible.builtin.shell: |
+        set -o pipefail
+        ps -ef | grep '/etc/alternatives/jre_1.8.0/' | grep -v grep
+      args:
+        executable: /bin/bash
+      changed_when: no
+    - name: Verify token api call
+      ansible.builtin.uri:
+        url: "{{ keycloak_uri }}/auth/realms/master/protocol/openid-connect/token"
+        method: POST
+        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
+        validate_certs: no
+      register: keycloak_auth_response
+      until: keycloak_auth_response.status == 200
+      retries: 2
+      delay: 2

molecule/prepare.yml

@@ -3,33 +3,56 @@
   ansible.builtin.debug:
     msg: "Ansible version is  {{ ansible_version.full }}"
 
-- name: Install sudo
+- name: "Set package name for sudo"
+  ansible.builtin.set_fact:
+    sudo_pkg_name: sudo
+
+- name: "Ensure {{ sudo_pkg_name }} is installed (if user is root)."
+  ansible.builtin.yum:
+    name: "{{ sudo_pkg_name }}"
+    state: present
+  when:
+    - ansible_user_id == 'root'
+
+- name: Gather the package facts
+  ansible.builtin.package_facts:
+    manager: auto
+
+- name: "Check if sudo is installed."
+  ansible.builtin.assert:
+    that:
+      - sudo_pkg_name in ansible_facts.packages
+    fail_msg: "sudo is not installed on target system"
+
+- name: "Install iproute"
+  become: true
   ansible.builtin.yum:
     name:
-      - sudo
       - iproute
     state: present
 
 - name: "Retrieve assets server from env"
   ansible.builtin.set_fact:
-    assets_server: "{{ lookup('env','MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
+    assets_server: "{{ lookup('env', 'MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
 
-- name: "Set offline when assets server from env is defined"
+- name: "Download artefacts only if assets_server is set"
-  ansible.builtin.set_fact:
-    sso_offline_install: True
   when:
     - assets_server is defined
     - assets_server | length > 0
+    - assets is defined
+    - assets | length > 0
+  block:
+    - name: "Set offline when assets server from env is defined"
+      ansible.builtin.set_fact:
+        sso_offline_install: True
 
-- name: "Download and deploy zips from {{ assets_server }}"
+    - name: "Download and deploy zips from {{ assets_server }}"
       ansible.builtin.get_url:
         url: "{{ asset }}"
         dest: "{{ lookup('env', 'PWD') }}"
         validate_certs: no
+        mode: '0644'
       delegate_to: localhost
       loop: "{{ assets }}"
       loop_control:
         loop_var: asset
-  when:
-    - assets_server is defined
-    - assets_server | length > 0

molecule/quarkus-devmode/converge.yml

@@ -0,0 +1,44 @@
+---
+- name: Converge
+  hosts: all
+  vars: 
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_realm: TestRealm
+    keycloak_quarkus_log: file
+    keycloak_quarkus_frontend_url: 'http://localhost:8080/'
+    keycloak_quarkus_start_dev: True
+    keycloak_quarkus_proxy_mode: none
+    keycloak_quarkus_java_home: /opt/openjdk/
+  roles:
+    - role: keycloak_quarkus
+    - role: keycloak_realm
+      keycloak_context: ''
+      keycloak_client_default_roles:
+        - TestRoleAdmin
+        - TestRoleUser
+      keycloak_client_users:
+        - username: TestUser
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+        - username: TestAdmin
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+            - client: TestClient
+              role: TestRoleAdmin
+              realm: "{{ keycloak_realm }}"
+      keycloak_realm: TestRealm
+      keycloak_clients:
+        - name: TestClient
+          roles: "{{ keycloak_client_default_roles }}"
+          realm: "{{ keycloak_realm }}"
+          public_client: "{{ keycloak_client_public }}"
+          web_origins: "{{ keycloak_client_web_origins }}"
+          users: "{{ keycloak_client_users }}"
+          client_id: TestClient

molecule/quarkus-devmode/molecule.yml

@@ -0,0 +1,45 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    port_bindings:
+      - "8080/tcp"
+      - "8009/tcp"
+    published_ports:
+      - 0.0.0.0:8080:8080/tcp
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/quarkus-devmode/prepare.yml

@@ -0,0 +1,49 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Install sudo
+      ansible.builtin.apt:
+        name:
+          - sudo
+          - openjdk-17-jdk-headless
+        state: present
+      when:
+        - ansible_facts.os_family == 'Debian'
+
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
+
+    - name: Install JDK17
+      become: yes
+      ansible.builtin.yum:
+        name:
+          - java-17-openjdk-headless
+        state: present
+      when:
+        - ansible_facts.os_family == 'RedHat'
+
+    - name: Link default logs directory
+      become: yes
+      ansible.builtin.file:
+        state: link
+        src: "{{ item }}"
+        dest: /opt/openjdk
+        force: true
+      with_fileglob:
+        - /usr/lib/jvm/java-17-openjdk*
+      when:
+        - ansible_facts.os_family == "Debian"
+
+    - name: Link default logs directory
+      ansible.builtin.file:
+        state: link
+        src: /usr/lib/jvm/jre-17-openjdk
+        dest: /opt/openjdk
+        force: true
+      when:
+        - ansible_facts.os_family == "RedHat"
+
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"

molecule/quarkus-devmode/roles

@@ -0,0 +1 @@
+../../roles

molecule/quarkus-devmode/verify.yml

@@ -0,0 +1,47 @@
+---
+- name: Verify
+  hosts: all
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+
+    - name: Verify we are running on requested JAVA_HOME # noqa blocked_modules command-instead-of-module
+      ansible.builtin.shell: |
+        set -o pipefail
+        ps -ef | grep '/opt/openjdk' | grep -v grep
+      args:
+        executable: /bin/bash
+      changed_when: False
+
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: Verify openid config
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.shell: |
+            set -o pipefail
+            curl http://localhost:8080/realms/master/.well-known/openid-configuration -k | jq .
+          args:
+            executable: /bin/bash
+          delegate_to: localhost
+          register: openid_config
+          changed_when: False
+        - name: Verify endpoint URLs
+          ansible.builtin.assert:
+            that:
+              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'http://localhost:8080/realms/master/protocol/openid-connect/ext/ciba/auth'
+              - (openid_config.stdout | from_json)['issuer'] == 'http://localhost:8080/realms/master'
+              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/auth'
+              - (openid_config.stdout | from_json)['token_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/token'
+          delegate_to: localhost
+      when:
+        - hera_home is defined
+        - hera_home | length == 0

molecule/quarkus/converge.yml

@@ -6,11 +6,47 @@
     keycloak_admin_password: "remembertochangeme"
     keycloak_realm: TestRealm
     keycloak_quarkus_host: instance
-    keycloak_quarkus_http_relative_path: ''
     keycloak_quarkus_log: file
-    keycloak_quarkus_https_enabled: True
+    keycloak_quarkus_log_level: debug # needed for the verify step
-    keycloak_quarkus_key_file: "{{ keycloak.home }}/conf/key.pem"
+    keycloak_quarkus_https_key_file_enabled: true
-    keycloak_quarkus_cert_file: "{{ keycloak.home }}/conf/cert.pem"
+    keycloak_quarkus_key_file_copy_enabled: true
+    keycloak_quarkus_key_content: "{{ lookup('file', 'key.pem') }}"
+    keycloak_quarkus_cert_file_copy_enabled: true
+    keycloak_quarkus_cert_file_src: cert.pem
+    keycloak_quarkus_log_target: /tmp/keycloak
+    keycloak_quarkus_ks_vault_enabled: true
+    keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
+    keycloak_quarkus_ks_vault_pass: keystorepassword
+    keycloak_quarkus_systemd_wait_for_port: true
+    keycloak_quarkus_systemd_wait_for_timeout: 20
+    keycloak_quarkus_systemd_wait_for_delay: 2
+    keycloak_quarkus_systemd_wait_for_log: true
+    keycloak_quarkus_providers:
+      - id: http-client
+        spi: connections
+        default: true
+        restart: true
+        properties:
+          - key: default-connection-pool-size
+            value: 10
+      - id: spid-saml
+        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
+      - id: keycloak-kerberos-federation
+        maven:
+          repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4
+          group_id: org.keycloak
+          artifact_id: keycloak-kerberos-federation
+          version: 24.0.4 # optional
+          # username: myUser # optional
+          # password: myPAT # optional
+      # - id: my-static-theme
+      #   local_path: /tmp/my-static-theme.jar
+    keycloak_quarkus_policies:
+      - name: "xato-net-10-million-passwords.txt"
+        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt"
+      - name: "xato-net-10-million-passwords-10.txt"
+        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords-10.txt"
+        type: password-blacklists
   roles:
     - role: keycloak_quarkus
     - role: keycloak_realm

molecule/quarkus/molecule.yml

@@ -1,12 +1,6 @@
 ---
-dependency:
-  name: shell
-  command: ansible-galaxy collection install -r molecule/requirements.yml -p $HOME/.ansible/collections --force-with-deps
 driver:
   name: docker
-lint: |
-  ansible-lint --version
-  ansible-lint -v
 platforms:
   - name: instance
     image: registry.access.redhat.com/ubi8/ubi-init:latest
@@ -40,11 +34,8 @@ verifier:
   name: ansible
 scenario:
   test_sequence:
-    - dependency
-    - lint
     - cleanup
     - destroy
-    - syntax
     - create
     - prepare
     - converge

molecule/quarkus/prepare.yml

@@ -2,37 +2,43 @@
 - name: Prepare
   hosts: all
   tasks:
-    - name: Install sudo
-      ansible.builtin.yum:
-        name: sudo
-        state: present
-
     - name: "Display hera_home if defined."
       ansible.builtin.set_fact:
         hera_home: "{{ lookup('env', 'HERA_HOME') }}"
 
-    - ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+    - name: "Ensure common prepare phase are set."
-      delegate_to: localhost
+      ansible.builtin.include_tasks: ../prepare.yml
 
-    - block:
+    - name: Create certificate request
-        - ansible.builtin.lineinfile:
+      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
-            dest: /etc/hosts
-            line: "127.0.0.1 instance"
-            state: present
       delegate_to: localhost
-          become: yes
+      changed_when: False
-      when:
-        - hera_home is defined
-        - hera_home | length == 0
 
-    - ansible.builtin.file:
+    - name: Create vault directory
+      become: true
+      ansible.builtin.file:
         state: directory
-        path: /opt/keycloak/keycloak-18.0.0/conf/
+        path: "/opt/keycloak/vault"
+        mode: 0755
 
-    - ansible.builtin.copy:
+    - name: Make sure a jre is available (for keytool to prepare keystore)
-        src: "{{ item }}"
+      delegate_to: localhost
-        dest: "/opt/keycloak/keycloak-18.0.0/conf/{{ item }}"
+      ansible.builtin.package:
+        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
+        state: present
+      become: true
+      failed_when: false
+
+    - name: Create vault keystore
+      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
+      delegate_to: localhost
+      register: keytool_cmd
+      changed_when: False
+      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
+
+    - name: Copy certificates and vault
+      become: true
+      ansible.builtin.copy:
+        src: keystore.p12
+        dest: /opt/keycloak/vault/keystore.p12
         mode: 0444
-      loop:
-        - cert.pem
-        - key.pem

molecule/quarkus/verify.yml

@@ -4,32 +4,83 @@
   tasks:
     - name: Populate service facts
       ansible.builtin.service_facts:
+
     - name: Check if keycloak service started
       ansible.builtin.assert:
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"
           - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+        fail_msg: "Service not running"
 
-    - set_fact:
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
         hera_home: "{{ lookup('env', 'HERA_HOME') }}"
 
-    - block:
+    - name: Verify openid config
-        - name: Fetch openID config
+      when:
-          shell: |
+        - hera_home is defined
-            curl https://instance:8443/realms/master/.well-known/openid-configuration -k | jq .
+        - hera_home | length == 0
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.shell: |
+            set -o pipefail
+            curl -H 'Host: instance' https://localhost:8443/realms/master/.well-known/openid-configuration -k | jq .
+          args:
+            executable: /bin/bash
           delegate_to: localhost
           register: openid_config
-        - debug:
+          changed_when: False
-            msg: " {{ openid_config.stdout | from_json }}"
-          delegate_to: localhost
         - name: Verify endpoint URLs
-          assert:
+          ansible.builtin.assert:
             that:
               - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance/realms/master/protocol/openid-connect/ext/ciba/auth'
               - (openid_config.stdout | from_json)['issuer'] == 'https://instance/realms/master'
               - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/auth'
               - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/token'
           delegate_to: localhost
-      when:
+
-        - hera_home is defined
+    - name: Check log folder
-        - hera_home | length == 0
+      ansible.builtin.stat:
+        path: /tmp/keycloak
+      register: keycloak_log_folder
+
+    - name: Check that keycloak log folder exists and is a link
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_folder.stat.exists
+          - not keycloak_log_folder.stat.isdir
+          - keycloak_log_folder.stat.islnk
+        fail_msg: "Service log symlink not correctly created"
+
+    - name: Check log file
+      become: true
+      ansible.builtin.stat:
+        path: /tmp/keycloak/keycloak.log
+      register: keycloak_log_file
+
+    - name: Check if keycloak file exists
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_file.stat.exists
+          - not keycloak_log_file.stat.isdir
+
+    - name: Check default log folder
+      become: yes
+      ansible.builtin.stat:
+        path: /var/log/keycloak
+      register: keycloak_default_log_folder
+      failed_when: false
+
+    - name: Check that default keycloak log folder doesn't exist
+      ansible.builtin.assert:
+        that:
+          - not keycloak_default_log_folder.stat.exists
+
+    - name: Verify vault SPI in logfile
+      become: true
+      ansible.builtin.shell: |
+        set -o pipefail
+        zgrep 'Configured KeystoreVaultProviderFactory with the keystore file' /opt/keycloak/keycloak-*/data/log/keycloak.log*zip
+      changed_when: false
+      failed_when: slurped_log.rc != 0
+      register: slurped_log

molecule/quarkus_ha/converge.yml

@@ -0,0 +1,29 @@
+---
+- name: Converge
+  hosts: keycloak
+  vars:
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_realm: TestRealm
+    keycloak_quarkus_host: "{{ inventory_hostname }}"
+    keycloak_quarkus_log: file
+    keycloak_quarkus_log_level: info
+    keycloak_quarkus_https_key_file_enabled: true
+    keycloak_quarkus_key_file_copy_enabled: true
+    keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}"
+    keycloak_quarkus_cert_file_copy_enabled: true
+    keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem"
+    keycloak_quarkus_ks_vault_enabled: true
+    keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
+    keycloak_quarkus_ks_vault_pass: keystorepassword
+    keycloak_quarkus_systemd_wait_for_port: true
+    keycloak_quarkus_systemd_wait_for_timeout: 20
+    keycloak_quarkus_systemd_wait_for_delay: 2
+    keycloak_quarkus_systemd_wait_for_log: true
+    keycloak_quarkus_ha_enabled: true
+    keycloak_quarkus_restart_strategy: restart/serial.yml
+    keycloak_quarkus_db_user: keycloak
+    keycloak_quarkus_db_pass: mysecretpass
+    keycloak_quarkus_jdbc_url: jdbc:postgresql://postgres:5432/keycloak
+  roles:
+    - role: keycloak_quarkus

molecule/quarkus_ha/molecule.yml

@@ -0,0 +1,79 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance1
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    groups:
+      - keycloak
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+  - name: instance2
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    groups:
+      - keycloak
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+  - name: postgres
+    image: ubuntu/postgres:14-22.04_beta
+    pre_build_image: true
+    privileged: true
+    command: postgres
+    groups:
+      - database
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "5432/tcp"
+    mounts:
+      - type: bind
+        target: /etc/postgresql/postgresql.conf
+        source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf
+    env:
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: mysecretpass
+      POSTGRES_DB: keycloak
+      POSTGRES_HOST_AUTH_METHOD: trust
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/quarkus_ha/postgresql/postgresql.conf

@@ -0,0 +1,750 @@
+# -----------------------------
+# PostgreSQL configuration file
+# -----------------------------
+#
+# This file consists of lines of the form:
+#
+#   name = value
+#
+# (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
+# "#" anywhere on a line.  The complete list of parameter names and allowed
+# values can be found in the PostgreSQL documentation.
+#
+# The commented-out settings shown in this file represent the default values.
+# Re-commenting a setting is NOT sufficient to revert it to the default value;
+# you need to reload the server.
+#
+# This file is read on server startup and when the server receives a SIGHUP
+# signal.  If you edit the file on a running system, you have to SIGHUP the
+# server for the changes to take effect, run "pg_ctl reload", or execute
+# "SELECT pg_reload_conf()".  Some parameters, which are marked below,
+# require a server shutdown and restart to take effect.
+#
+# Any parameter can also be given as a command-line option to the server, e.g.,
+# "postgres -c log_connections=on".  Some parameters can be changed at run time
+# with the "SET" SQL command.
+#
+# Memory units:  kB = kilobytes        Time units:  ms  = milliseconds
+#                MB = megabytes                     s   = seconds
+#                GB = gigabytes                     min = minutes
+#                TB = terabytes                     h   = hours
+#                                                   d   = days
+
+
+#------------------------------------------------------------------------------
+# FILE LOCATIONS
+#------------------------------------------------------------------------------
+
+# The default values of these variables are driven from the -D command-line
+# option or PGDATA environment variable, represented here as ConfigDir.
+
+#data_directory = 'ConfigDir'		# use data in another directory
+					# (change requires restart)
+#hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file
+					# (change requires restart)
+#ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file
+					# (change requires restart)
+
+# If external_pid_file is not explicitly set, no extra PID file is written.
+#external_pid_file = ''			# write an extra PID file
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+# - Connection Settings -
+
+listen_addresses = '*'		# what IP address(es) to listen on;
+					# comma-separated list of addresses;
+					# defaults to 'localhost'; use '*' for all
+					# (change requires restart)
+#port = 5432				# (change requires restart)
+#max_connections = 100			# (change requires restart)
+#superuser_reserved_connections = 3	# (change requires restart)
+#unix_socket_directories = '/tmp'	# comma-separated list of directories
+					# (change requires restart)
+#unix_socket_group = ''			# (change requires restart)
+#unix_socket_permissions = 0777		# begin with 0 to use octal notation
+					# (change requires restart)
+#bonjour = off				# advertise server via Bonjour
+					# (change requires restart)
+#bonjour_name = ''			# defaults to the computer name
+					# (change requires restart)
+
+# - TCP settings -
+# see "man 7 tcp" for details
+
+#tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_count = 0		# TCP_KEEPCNT;
+					# 0 selects the system default
+#tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds;
+					# 0 selects the system default
+
+# - Authentication -
+
+#authentication_timeout = 1min		# 1s-600s
+#password_encryption = md5		# md5 or scram-sha-256
+#db_user_namespace = off
+
+# GSSAPI using Kerberos
+#krb_server_keyfile = ''
+#krb_caseins_users = off
+
+# - SSL -
+
+#ssl = off
+#ssl_ca_file = ''
+#ssl_cert_file = 'server.crt'
+#ssl_crl_file = ''
+#ssl_key_file = 'server.key'
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_prefer_server_ciphers = on
+#ssl_ecdh_curve = 'prime256v1'
+#ssl_min_protocol_version = 'TLSv1'
+#ssl_max_protocol_version = ''
+#ssl_dh_params_file = ''
+#ssl_passphrase_command = ''
+#ssl_passphrase_command_supports_reload = off
+
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+# - Memory -
+
+#shared_buffers = 32MB			# min 128kB
+					# (change requires restart)
+#huge_pages = try			# on, off, or try
+					# (change requires restart)
+#temp_buffers = 8MB			# min 800kB
+#max_prepared_transactions = 0		# zero disables the feature
+					# (change requires restart)
+# Caution: it is not advisable to set max_prepared_transactions nonzero unless
+# you actively intend to use prepared transactions.
+#work_mem = 4MB				# min 64kB
+#maintenance_work_mem = 64MB		# min 1MB
+#autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem
+#max_stack_depth = 2MB			# min 100kB
+#shared_memory_type = mmap		# the default is the first option
+					# supported by the operating system:
+					#   mmap
+					#   sysv
+					#   windows
+					# (change requires restart)
+#dynamic_shared_memory_type = posix	# the default is the first option
+					# supported by the operating system:
+					#   posix
+					#   sysv
+					#   windows
+					#   mmap
+					# (change requires restart)
+
+# - Disk -
+
+#temp_file_limit = -1			# limits per-process temp file space
+					# in kB, or -1 for no limit
+
+# - Kernel Resources -
+
+#max_files_per_process = 1000		# min 25
+					# (change requires restart)
+
+# - Cost-Based Vacuum Delay -
+
+#vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables)
+#vacuum_cost_page_hit = 1		# 0-10000 credits
+#vacuum_cost_page_miss = 10		# 0-10000 credits
+#vacuum_cost_page_dirty = 20		# 0-10000 credits
+#vacuum_cost_limit = 200		# 1-10000 credits
+
+# - Background Writer -
+
+#bgwriter_delay = 200ms			# 10-10000ms between rounds
+#bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables
+#bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round
+#bgwriter_flush_after = 0		# measured in pages, 0 disables
+
+# - Asynchronous Behavior -
+
+#effective_io_concurrency = 1		# 1-1000; 0 disables prefetching
+#max_worker_processes = 8		# (change requires restart)
+#max_parallel_maintenance_workers = 2	# taken from max_parallel_workers
+#max_parallel_workers_per_gather = 2	# taken from max_parallel_workers
+#parallel_leader_participation = on
+#max_parallel_workers = 8		# maximum number of max_worker_processes that
+					# can be used in parallel operations
+#old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate
+					# (change requires restart)
+#backend_flush_after = 0		# measured in pages, 0 disables
+
+
+#------------------------------------------------------------------------------
+# WRITE-AHEAD LOG
+#------------------------------------------------------------------------------
+
+# - Settings -
+
+#wal_level = replica			# minimal, replica, or logical
+					# (change requires restart)
+#fsync = on				# flush data to disk for crash safety
+					# (turning this off can cause
+					# unrecoverable data corruption)
+#synchronous_commit = on		# synchronization level;
+					# off, local, remote_write, remote_apply, or on
+#wal_sync_method = fsync		# the default is the first option
+					# supported by the operating system:
+					#   open_datasync
+					#   fdatasync (default on Linux)
+					#   fsync
+					#   fsync_writethrough
+					#   open_sync
+#full_page_writes = on			# recover from partial page writes
+#wal_compression = off			# enable compression of full-page writes
+#wal_log_hints = off			# also do full page writes of non-critical updates
+					# (change requires restart)
+#wal_init_zero = on			# zero-fill new WAL files
+#wal_recycle = on			# recycle WAL files
+#wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
+					# (change requires restart)
+#wal_writer_delay = 200ms		# 1-10000 milliseconds
+#wal_writer_flush_after = 1MB		# measured in pages, 0 disables
+
+#commit_delay = 0			# range 0-100000, in microseconds
+#commit_siblings = 5			# range 1-1000
+
+# - Checkpoints -
+
+#checkpoint_timeout = 5min		# range 30s-1d
+#max_wal_size = 1GB
+#min_wal_size = 80MB
+#checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0
+#checkpoint_flush_after = 0		# measured in pages, 0 disables
+#checkpoint_warning = 30s		# 0 disables
+
+# - Archiving -
+
+#archive_mode = off		# enables archiving; off, on, or always
+				# (change requires restart)
+#archive_command = ''		# command to use to archive a logfile segment
+				# placeholders: %p = path of file to archive
+				#               %f = file name only
+				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
+#archive_timeout = 0		# force a logfile segment switch after this
+				# number of seconds; 0 disables
+
+# - Archive Recovery -
+
+# These are only used in recovery mode.
+
+#restore_command = ''		# command to use to restore an archived logfile segment
+				# placeholders: %p = path of file to restore
+				#               %f = file name only
+				# e.g. 'cp /mnt/server/archivedir/%f %p'
+				# (change requires restart)
+#archive_cleanup_command = ''	# command to execute at every restartpoint
+#recovery_end_command = ''	# command to execute at completion of recovery
+
+# - Recovery Target -
+
+# Set these only when performing a targeted recovery.
+
+#recovery_target = ''		# 'immediate' to end recovery as soon as a
+                                # consistent state is reached
+				# (change requires restart)
+#recovery_target_name = ''	# the named restore point to which recovery will proceed
+				# (change requires restart)
+#recovery_target_time = ''	# the time stamp up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_xid = ''	# the transaction ID up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_inclusive = on # Specifies whether to stop:
+				# just after the specified recovery target (on)
+				# just before the recovery target (off)
+				# (change requires restart)
+#recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID
+				# (change requires restart)
+#recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown'
+				# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# REPLICATION
+#------------------------------------------------------------------------------
+
+# - Sending Servers -
+
+# Set these on the master and on any standby that will send replication data.
+
+#max_wal_senders = 10		# max number of walsender processes
+				# (change requires restart)
+#wal_keep_segments = 0		# in logfile segments; 0 disables
+#wal_sender_timeout = 60s	# in milliseconds; 0 disables
+
+#max_replication_slots = 10	# max number of replication slots
+				# (change requires restart)
+#track_commit_timestamp = off	# collect timestamp of transaction commit
+				# (change requires restart)
+
+# - Master Server -
+
+# These settings are ignored on a standby server.
+
+#synchronous_standby_names = ''	# standby servers that provide sync rep
+				# method to choose sync standbys, number of sync standbys,
+				# and comma-separated list of application_name
+				# from standby(s); '*' = all
+#vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed
+
+# - Standby Servers -
+
+# These settings are ignored on a master server.
+
+#primary_conninfo = ''			# connection string to sending server
+					# (change requires restart)
+#primary_slot_name = ''			# replication slot on sending server
+					# (change requires restart)
+#promote_trigger_file = ''		# file name whose presence ends recovery
+#hot_standby = on			# "off" disallows queries during recovery
+					# (change requires restart)
+#max_standby_archive_delay = 30s	# max delay before canceling queries
+					# when reading WAL from archive;
+					# -1 allows indefinite delay
+#max_standby_streaming_delay = 30s	# max delay before canceling queries
+					# when reading streaming WAL;
+					# -1 allows indefinite delay
+#wal_receiver_status_interval = 10s	# send replies at least this often
+					# 0 disables
+#hot_standby_feedback = off		# send info from standby to prevent
+					# query conflicts
+#wal_receiver_timeout = 60s		# time that receiver waits for
+					# communication from master
+					# in milliseconds; 0 disables
+#wal_retrieve_retry_interval = 5s	# time to wait before retrying to
+					# retrieve WAL after a failed attempt
+#recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery
+
+# - Subscribers -
+
+# These settings are ignored on a publisher.
+
+#max_logical_replication_workers = 4	# taken from max_worker_processes
+					# (change requires restart)
+#max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers
+
+
+#------------------------------------------------------------------------------
+# QUERY TUNING
+#------------------------------------------------------------------------------
+
+# - Planner Method Configuration -
+
+#enable_bitmapscan = on
+#enable_hashagg = on
+#enable_hashjoin = on
+#enable_indexscan = on
+#enable_indexonlyscan = on
+#enable_material = on
+#enable_mergejoin = on
+#enable_nestloop = on
+#enable_parallel_append = on
+#enable_seqscan = on
+#enable_sort = on
+#enable_tidscan = on
+#enable_partitionwise_join = off
+#enable_partitionwise_aggregate = off
+#enable_parallel_hash = on
+#enable_partition_pruning = on
+
+# - Planner Cost Constants -
+
+#seq_page_cost = 1.0			# measured on an arbitrary scale
+#random_page_cost = 4.0			# same scale as above
+#cpu_tuple_cost = 0.01			# same scale as above
+#cpu_index_tuple_cost = 0.005		# same scale as above
+#cpu_operator_cost = 0.0025		# same scale as above
+#parallel_tuple_cost = 0.1		# same scale as above
+#parallel_setup_cost = 1000.0	# same scale as above
+
+#jit_above_cost = 100000		# perform JIT compilation if available
+					# and query more expensive than this;
+					# -1 disables
+#jit_inline_above_cost = 500000		# inline small functions if query is
+					# more expensive than this; -1 disables
+#jit_optimize_above_cost = 500000	# use expensive JIT optimizations if
+					# query is more expensive than this;
+					# -1 disables
+
+#min_parallel_table_scan_size = 8MB
+#min_parallel_index_scan_size = 512kB
+#effective_cache_size = 4GB
+
+# - Genetic Query Optimizer -
+
+#geqo = on
+#geqo_threshold = 12
+#geqo_effort = 5			# range 1-10
+#geqo_pool_size = 0			# selects default based on effort
+#geqo_generations = 0			# selects default based on effort
+#geqo_selection_bias = 2.0		# range 1.5-2.0
+#geqo_seed = 0.0			# range 0.0-1.0
+
+# - Other Planner Options -
+
+#default_statistics_target = 100	# range 1-10000
+#constraint_exclusion = partition	# on, off, or partition
+#cursor_tuple_fraction = 0.1		# range 0.0-1.0
+#from_collapse_limit = 8
+#join_collapse_limit = 8		# 1 disables collapsing of explicit
+					# JOIN clauses
+#force_parallel_mode = off
+#jit = on				# allow JIT compilation
+#plan_cache_mode = auto			# auto, force_generic_plan or
+					# force_custom_plan
+
+
+#------------------------------------------------------------------------------
+# REPORTING AND LOGGING
+#------------------------------------------------------------------------------
+
+# - Where to Log -
+
+#log_destination = 'stderr'		# Valid values are combinations of
+					# stderr, csvlog, syslog, and eventlog,
+					# depending on platform.  csvlog
+					# requires logging_collector to be on.
+
+# This is used when logging to stderr:
+#logging_collector = off		# Enable capturing of stderr and csvlog
+					# into log files. Required to be on for
+					# csvlogs.
+					# (change requires restart)
+
+# These are only used if logging_collector is on:
+#log_directory = 'log'			# directory where log files are written,
+					# can be absolute or relative to PGDATA
+#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'	# log file name pattern,
+					# can include strftime() escapes
+#log_file_mode = 0600			# creation mode for log files,
+					# begin with 0 to use octal notation
+#log_truncate_on_rotation = off		# If on, an existing log file with the
+					# same name as the new log file will be
+					# truncated rather than appended to.
+					# But such truncation only occurs on
+					# time-driven rotation, not on restarts
+					# or size-driven rotation.  Default is
+					# off, meaning append to existing files
+					# in all cases.
+#log_rotation_age = 1d			# Automatic rotation of logfiles will
+					# happen after that time.  0 disables.
+#log_rotation_size = 10MB		# Automatic rotation of logfiles will
+					# happen after that much log output.
+					# 0 disables.
+
+# These are relevant when logging to syslog:
+#syslog_facility = 'LOCAL0'
+#syslog_ident = 'postgres'
+#syslog_sequence_numbers = on
+#syslog_split_messages = on
+
+# This is only relevant when logging to eventlog (win32):
+# (change requires restart)
+#event_source = 'PostgreSQL'
+
+# - When to Log -
+
+#log_min_messages = warning		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic
+
+#log_min_error_statement = error	# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic (effectively off)
+
+#log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements
+					# and their durations, > 0 logs only
+					# statements running at least this number
+					# of milliseconds
+
+#log_transaction_sample_rate = 0.0	# Fraction of transactions whose statements
+					# are logged regardless of their duration. 1.0 logs all
+					# statements from all transactions, 0.0 never logs.
+
+# - What to Log -
+
+#debug_print_parse = off
+#debug_print_rewritten = off
+#debug_print_plan = off
+#debug_pretty_print = on
+#log_checkpoints = off
+#log_connections = off
+#log_disconnections = off
+#log_duration = off
+#log_error_verbosity = default		# terse, default, or verbose messages
+#log_hostname = off
+#log_line_prefix = '%m [%p] '		# special values:
+					#   %a = application name
+					#   %u = user name
+					#   %d = database name
+					#   %r = remote host and port
+					#   %h = remote host
+					#   %p = process ID
+					#   %t = timestamp without milliseconds
+					#   %m = timestamp with milliseconds
+					#   %n = timestamp with milliseconds (as a Unix epoch)
+					#   %i = command tag
+					#   %e = SQL state
+					#   %c = session ID
+					#   %l = session line number
+					#   %s = session start timestamp
+					#   %v = virtual transaction ID
+					#   %x = transaction ID (0 if none)
+					#   %q = stop here in non-session
+					#        processes
+					#   %% = '%'
+					# e.g. '<%u%%%d> '
+#log_lock_waits = off			# log lock waits >= deadlock_timeout
+#log_statement = 'none'			# none, ddl, mod, all
+#log_replication_commands = off
+#log_temp_files = -1			# log temporary files equal or larger
+					# than the specified size in kilobytes;
+					# -1 disables, 0 logs all temp files
+#log_timezone = 'GMT'
+
+#------------------------------------------------------------------------------
+# PROCESS TITLE
+#------------------------------------------------------------------------------
+
+#cluster_name = ''			# added to process titles if nonempty
+					# (change requires restart)
+#update_process_title = on
+
+
+#------------------------------------------------------------------------------
+# STATISTICS
+#------------------------------------------------------------------------------
+
+# - Query and Index Statistics Collector -
+
+#track_activities = on
+#track_counts = on
+#track_io_timing = off
+#track_functions = none			# none, pl, all
+#track_activity_query_size = 1024	# (change requires restart)
+#stats_temp_directory = 'pg_stat_tmp'
+
+
+# - Monitoring -
+
+#log_parser_stats = off
+#log_planner_stats = off
+#log_executor_stats = off
+#log_statement_stats = off
+
+
+#------------------------------------------------------------------------------
+# AUTOVACUUM
+#------------------------------------------------------------------------------
+
+#autovacuum = on			# Enable autovacuum subprocess?  'on'
+					# requires track_counts to also be on.
+#log_autovacuum_min_duration = -1	# -1 disables, 0 logs all actions and
+					# their durations, > 0 logs only
+					# actions running at least this number
+					# of milliseconds.
+#autovacuum_max_workers = 3		# max number of autovacuum subprocesses
+					# (change requires restart)
+#autovacuum_naptime = 1min		# time between autovacuum runs
+#autovacuum_vacuum_threshold = 50	# min number of row updates before
+					# vacuum
+#autovacuum_analyze_threshold = 50	# min number of row updates before
+					# analyze
+#autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum
+#autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze
+#autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum
+					# (change requires restart)
+#autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age
+					# before forced vacuum
+					# (change requires restart)
+#autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for
+					# autovacuum, in milliseconds;
+					# -1 means use vacuum_cost_delay
+#autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for
+					# autovacuum, -1 means use
+					# vacuum_cost_limit
+
+
+#------------------------------------------------------------------------------
+# CLIENT CONNECTION DEFAULTS
+#------------------------------------------------------------------------------
+
+# - Statement Behavior -
+
+#client_min_messages = notice		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   log
+					#   notice
+					#   warning
+					#   error
+#search_path = '"$user", public'	# schema names
+#row_security = on
+#default_tablespace = ''		# a tablespace name, '' uses the default
+#temp_tablespaces = ''			# a list of tablespace names, '' uses
+					# only default tablespace
+#default_table_access_method = 'heap'
+#check_function_bodies = on
+#default_transaction_isolation = 'read committed'
+#default_transaction_read_only = off
+#default_transaction_deferrable = off
+#session_replication_role = 'origin'
+#statement_timeout = 0			# in milliseconds, 0 is disabled
+#lock_timeout = 0			# in milliseconds, 0 is disabled
+#idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled
+#vacuum_freeze_min_age = 50000000
+#vacuum_freeze_table_age = 150000000
+#vacuum_multixact_freeze_min_age = 5000000
+#vacuum_multixact_freeze_table_age = 150000000
+#vacuum_cleanup_index_scale_factor = 0.1	# fraction of total number of tuples
+						# before index cleanup, 0 always performs
+						# index cleanup
+#bytea_output = 'hex'			# hex, escape
+#xmlbinary = 'base64'
+#xmloption = 'content'
+#gin_fuzzy_search_limit = 0
+#gin_pending_list_limit = 4MB
+
+# - Locale and Formatting -
+
+#datestyle = 'iso, mdy'
+#intervalstyle = 'postgres'
+#timezone = 'GMT'
+#timezone_abbreviations = 'Default'     # Select the set of available time zone
+					# abbreviations.  Currently, there are
+					#   Default
+					#   Australia (historical usage)
+					#   India
+					# You can create your own file in
+					# share/timezonesets/.
+#extra_float_digits = 1			# min -15, max 3; any value >0 actually
+					# selects precise output mode
+#client_encoding = sql_ascii		# actually, defaults to database
+					# encoding
+
+# These settings are initialized by initdb, but they can be changed.
+#lc_messages = 'C'			# locale for system error message
+					# strings
+#lc_monetary = 'C'			# locale for monetary formatting
+#lc_numeric = 'C'			# locale for number formatting
+#lc_time = 'C'				# locale for time formatting
+
+# default configuration for text search
+#default_text_search_config = 'pg_catalog.simple'
+
+# - Shared Library Preloading -
+
+#shared_preload_libraries = ''	# (change requires restart)
+#local_preload_libraries = ''
+#session_preload_libraries = ''
+#jit_provider = 'llvmjit'		# JIT library to use
+
+# - Other Defaults -
+
+#dynamic_library_path = '$libdir'
+
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+#deadlock_timeout = 1s
+#max_locks_per_transaction = 64		# min 10
+					# (change requires restart)
+#max_pred_locks_per_transaction = 64	# min 10
+					# (change requires restart)
+#max_pred_locks_per_relation = -2	# negative values mean
+					# (max_pred_locks_per_transaction
+					#  / -max_pred_locks_per_relation) - 1
+#max_pred_locks_per_page = 2            # min 0
+
+
+#------------------------------------------------------------------------------
+# VERSION AND PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+#array_nulls = on
+#backslash_quote = safe_encoding	# on, off, or safe_encoding
+#escape_string_warning = on
+#lo_compat_privileges = off
+#operator_precedence_warning = off
+#quote_all_identifiers = off
+#standard_conforming_strings = on
+#synchronize_seqscans = on
+
+# - Other Platforms and Clients -
+
+#transform_null_equals = off
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+#exit_on_error = off			# terminate session on any error?
+#restart_after_crash = on		# reinitialize after backend crash?
+#data_sync_retry = off			# retry or panic on failure to fsync
+					# data?
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONFIG FILE INCLUDES
+#------------------------------------------------------------------------------
+
+# These options allow settings to be loaded from files other than the
+# default postgresql.conf.  Note that these are directives, not variable
+# assignments, so they can usefully be given more than once.
+
+#include_dir = '...'			# include files ending in '.conf' from
+					# a directory, e.g., 'conf.d'
+#include_if_exists = '...'		# include file only if it exists
+#include = '...'			# include file
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add settings for extensions here

molecule/quarkus_ha/prepare.yml

@@ -0,0 +1,44 @@
+---
+- name: Prepare
+  hosts: keycloak
+  tasks:
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
+
+    - name: Create certificate request
+      ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
+      delegate_to: localhost
+      changed_when: False
+
+    - name: Create vault directory
+      become: true
+      ansible.builtin.file:
+        state: directory
+        path: "/opt/keycloak/vault"
+        mode: 0755
+
+    - name: Make sure a jre is available (for keytool to prepare keystore)
+      delegate_to: localhost
+      ansible.builtin.package:
+        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
+        state: present
+      become: true
+      failed_when: false
+
+    - name: Create vault keystore
+      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
+      delegate_to: localhost
+      register: keytool_cmd
+      changed_when: False
+      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
+
+    - name: Copy certificates and vault
+      become: true
+      ansible.builtin.copy:
+        src: keystore.p12
+        dest: /opt/keycloak/vault/keystore.p12
+        mode: 0444

molecule/quarkus_ha/roles

@@ -0,0 +1 @@
+../../roles

molecule/quarkus_ha/verify.yml

@@ -0,0 +1,29 @@
+---
+- name: Verify
+  hosts: keycloak
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+        fail_msg: "Service not running"
+
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: Check log file
+      become: true
+      ansible.builtin.stat:
+        path: /var/log/keycloak/keycloak.log
+      register: keycloak_log_file
+
+    - name: Check if keycloak file exists
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_file.stat.exists
+          - not keycloak_log_file.stat.isdir

molecule/quarkus_upgrade/converge.yml

@@ -0,0 +1,9 @@
+---
+- name: Converge
+  hosts: all
+  vars_files:
+    - vars.yml
+  vars:
+    keycloak_quarkus_version: 24.0.3
+  roles:
+    - role: keycloak_quarkus

molecule/quarkus_upgrade/molecule.yml

@@ -0,0 +1,43 @@
+---
+dependency:
+  name: galaxy
+  options:
+    requirements-file: molecule/requirements.yml
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    command: "/usr/sbin/init"
+    pre_build_image: true
+    privileged: true
+    port_bindings:
+      - 8080:8080
+    published_ports:
+      - 0.0.0.0:8080:8080/TCP
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - dependency
+    - cleanup
+    - destroy
+    - syntax
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/quarkus_upgrade/prepare.yml

@@ -0,0 +1,52 @@
+---
+- name: Prepare
+  hosts: all
+  vars_files:
+    - vars.yml
+  vars:
+    sudo_pkg_name: sudo
+    keycloak_quarkus_version: 23.0.7
+  pre_tasks:
+    - name: Install sudo
+      ansible.builtin.apt:
+        name:
+          - sudo
+          - openjdk-17-jdk-headless
+        state: present
+      when:
+        - ansible_facts.os_family == 'Debian'
+
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
+
+    - name: Display Ansible version
+      ansible.builtin.debug:
+        msg: "Ansible version is {{ ansible_version.full }}"
+
+    - name: "Ensure {{ sudo_pkg_name }} is installed (if user is root)."
+      ansible.builtin.dnf:
+        name: "{{ sudo_pkg_name }}"
+      when:
+        - ansible_user_id == 'root'
+
+    - name: Gather the package facts
+      ansible.builtin.package_facts:
+        manager: auto
+
+    - name: "Check if {{ sudo_pkg_name }} is installed."
+      ansible.builtin.assert:
+        that:
+          - sudo_pkg_name in ansible_facts.packages
+
+    - name: Create certificate request
+      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+      delegate_to: localhost
+      changed_when: false
+  roles:
+    - role: keycloak_quarkus
+  post_tasks:
+    - name: "Delete custom fact"
+      ansible.builtin.file:
+        path: /etc/ansible/facts.d/keycloak.fact
+        state: absent
+      become: true

molecule/quarkus_upgrade/vars.yml

@@ -0,0 +1,14 @@
+---
+keycloak_quarkus_offline_install: false
+keycloak_quarkus_admin_password: "remembertochangeme"
+keycloak_quarkus_admin_pass: "remembertochangeme"
+keycloak_quarkus_realm: TestRealm
+keycloak_quarkus_host: instance
+keycloak_quarkus_log: file
+keycloak_quarkus_https_key_file_enabled: true
+keycloak_quarkus_log_target: /tmp/keycloak
+keycloak_quarkus_hostname_strict: false
+keycloak_quarkus_cert_file_copy_enabled: true
+keycloak_quarkus_key_file_copy_enabled: true
+keycloak_quarkus_key_content: "{{ lookup('file', 'key.pem') }}"
+keycloak_quarkus_cert_file_src: cert.pem

molecule/quarkus_upgrade/verify.yml

@@ -0,0 +1,32 @@
+---
+- name: Verify
+  hosts: instance
+  vars:
+    keycloak_quarkus_admin_password: "remembertochangeme"
+    keycloak_quarkus_port: http://localhost:8080
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+
+    - name: Verify we are running on requested jvm
+      ansible.builtin.shell: |
+        set -eo pipefail
+        ps -ef | grep 'etc/alternatives/.*17' | grep -v grep
+      changed_when: false
+
+    - name: Verify token api call
+      ansible.builtin.uri:
+        url: "{{ keycloak_quarkus_port }}/realms/master/protocol/openid-connect/token"
+        method: POST
+        body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_admin_password }}&grant_type=password"
+        validate_certs: no
+      register: keycloak_auth_response
+      until: keycloak_auth_response.status == 200
+      retries: 2
+      delay: 2

molecule/requirements.yml

@@ -1,8 +1,11 @@
 ---
 collections:
   - name: middleware_automation.common
+  - name: middleware_automation.jbcs
   - name: community.general
   - name: ansible.posix
   - name: community.docker
-    version: ">=1.9.1"
+    version: ">=3.8.0"
 
+roles:
+  - name: elan.simple_nginx_reverse_proxy

playbooks/keycloak_federation.yml

@@ -55,7 +55,7 @@
               - TestClient1Admin
               - TestClient1User
             realm: "{{ keycloak_realm }}"
-            public_client: True
+            public_client: true
             web_origins:
               - http://testclient1origin/application
               - http://testclient1origin/other

playbooks/keycloak_quarkus.yml

@@ -1,13 +1,11 @@
 ---
-- name: Playbook for Keycloak X Hosts
+- name: Playbook for Keycloak X Hosts with HTTPS enabled
   hosts: all
   vars:
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_admin_pass: "remembertochangeme"
-    keycloak_quarkus_host: localhost:8443
+    keycloak_quarkus_host: localhost
-    keycloak_quarkus_http_relative_path: ''
+    keycloak_quarkus_port: 8443
     keycloak_quarkus_log: file
-    keycloak_quarkus_https_enabled: True
+    keycloak_quarkus_proxy_mode: none
-    keycloak_quarkus_key_file: conf/key.pem
-    keycloak_quarkus_cert_file: conf/cert.pem
   roles:
     - middleware_automation.keycloak.keycloak_quarkus

playbooks/keycloak_quarkus_dev.yml

@@ -0,0 +1,12 @@
+---
+- name: Playbook for Keycloak X Hosts in develop mode
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_host: localhost
+    keycloak_quarkus_port: 8080
+    keycloak_quarkus_log: file
+    keycloak_quarkus_start_dev: true
+    keycloak_quarkus_proxy_mode: none
+  roles:
+    - middleware_automation.keycloak.keycloak_quarkus

playbooks/keycloak_realm.yml

@@ -10,7 +10,7 @@
           - TestClient1Admin
           - TestClient1User
         realm: TestRealm
-        public_client: True
+        public_client: true
         web_origins:
           - http://testclient1origin/application
           - http://testclient1origin/other

playbooks/rhsso.yml

@@ -3,6 +3,6 @@
   hosts: sso
   vars:
     keycloak_admin_password: "remembertochangeme"
-    sso_enable: True
+    sso_enable: true
   roles:
     - middleware_automation.keycloak.keycloak

plugins/filter/version_sort.py

@@ -1,52 +0,0 @@
-# -*- coding: utf-8 -*-
-# Copyright (C) 2021 Eric Lavarde <elavarde@redhat.com>
-# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-from __future__ import (absolute_import, division, print_function)
-__metaclass__ = type
-
-DOCUMENTATION = '''
-  name: version_sort
-  short_description: Sort a list according to version order instead of pure alphabetical one
-  version_added: 2.2.0
-  author: Eric L. (@ericzolf)
-  description:
-    - Sort a list according to version order instead of pure alphabetical one.
-  options:
-    _input:
-      description: A list of strings to sort.
-      type: list
-      elements: string
-      required: true
-'''
-
-EXAMPLES = '''
-- name: Convert list of tuples into dictionary
-  ansible.builtin.set_fact:
-    dictionary: "{{ ['2.1', '2.10', '2.9'] | middleware_automation.keycloak.version_sort }}"
-    # Result is ['2.1', '2.9', '2.10']
-'''
-
-RETURN = '''
-  _value:
-    description: The list of strings sorted by version.
-    type: list
-    elements: string
-'''
-
-from ansible_collections.middleware_automation.keycloak.plugins.module_utils.version import LooseVersion
-
-
-def version_sort(value, reverse=False):
-    '''Sort a list according to loose versions so that e.g. 2.9 is smaller than 2.10'''
-    return sorted(value, key=LooseVersion, reverse=reverse)
-
-
-class FilterModule(object):
-    ''' Version sort filter '''
-
-    def filters(self):
-        return {
-            'version_sort': version_sort
-        }

plugins/module_utils/version.py

@@ -1,22 +0,0 @@
-# -*- coding: utf-8 -*-
-
-# Copyright (c) 2021, Felix Fontein <felix@fontein.de>
-# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-"""Provide version object to compare version numbers."""
-
-from __future__ import absolute_import, division, print_function
-__metaclass__ = type
-
-
-from ansible.module_utils.six import raise_from
-
-try:
-    from ansible.module_utils.compat.version import LooseVersion  # noqa: F401, pylint: disable=unused-import
-except ImportError:
-    try:
-        from distutils.version import LooseVersion  # noqa: F401, pylint: disable=unused-import
-    except ImportError as exc:
-        msg = 'To use this plugin or module with ansible-core 2.11, you need to use Python < 3.12 with distutils.version present'
-        raise_from(ImportError(msg), exc)

plugins/modules/keycloak_user_federation.py

@@ -475,7 +475,7 @@ author:
 '''
 
 EXAMPLES = '''
-  - name: Create LDAP user federation
+- name: Create LDAP user federation
   middleware_automation.keycloak.keycloak_user_federation:
     auth_keycloak_url: https://keycloak.example.com/auth
     auth_realm: master
@@ -522,7 +522,7 @@ EXAMPLES = '''
           read.only: true
           write.only: false
 
-  - name: Create Kerberos user federation
+- name: Create Kerberos user federation
   middleware_automation.keycloak.keycloak_user_federation:
     auth_keycloak_url: https://keycloak.example.com/auth
     auth_realm: master
@@ -543,7 +543,7 @@ EXAMPLES = '''
     allowPasswordAuthentication: false
     updateProfileFirstLogin: false
 
-  - name: Create sssd user federation
+- name: Create sssd user federation
   middleware_automation.keycloak.keycloak_user_federation:
     auth_keycloak_url: https://keycloak.example.com/auth
     auth_realm: master
@@ -559,7 +559,7 @@ EXAMPLES = '''
     enabled: true
     cachePolicy: DEFAULT
 
-  - name: Delete user federation
+- name: Delete user federation
   middleware_automation.keycloak.keycloak_user_federation:
     auth_keycloak_url: https://keycloak.example.com/auth
     auth_realm: master
@@ -568,7 +568,6 @@ EXAMPLES = '''
     realm: my-realm
     name: my-federation
     state: absent
-
 '''
 
 RETURN = '''

requirements.txt

@@ -4,3 +4,4 @@
 # pip install -r requirements.txt
 #
 netaddr
+lxml # for middleware_automation.common.maven_artifact

requirements.yml

@@ -1,4 +1,5 @@
 ---
 collections:
   - name: middleware_automation.common
+    version: ">=1.2.1"
   - name: ansible.posix

roles/keycloak/README.md

@@ -10,6 +10,7 @@ Requirements
 This role requires the `python3-netaddr` library installed on the controller node.
 
 * to install via yum/dnf: `dnf install python3-netaddr`
+* to install via apt: `apt install python3-netaddr`
 * or via pip: `pip install netaddr==0.8.0`
 * or via the collection: `pip install -r requirements.txt`
 
@@ -39,7 +40,7 @@ Versions
 Patching
 --------
 
-When variable `keycloak_rhsso_apply_patches` is `True` (default: `False`), the role will automatically apply the latest cumulative patch for the selected base version.
+When variable `keycloak_rhsso_apply_patches` is `true` (default: `false`), the role will automatically apply the latest cumulative patch for the selected base version.
 
 | RH-SSO VERSION | Release Date      | RH-SSO LATEST CP | Notes           |
 |:---------------|:------------------|:-----------------|:----------------|
@@ -55,7 +56,7 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:---------|
 |`keycloak_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
-|`keycloak_ha_discovery`| Discovery protocol for HA cluster members | `JDBC_PING` if keycloak_db_enabled else `TCPPING` |
+|`keycloak_ha_discovery`| Discovery protocol for HA cluster members | `JDBC_PING` if `keycloak_db_enabled` else `TCPPING` |
 |`keycloak_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_ha_enabled` is True, else `False` |
 |`keycloak_remote_cache_enabled`| Enable remote cache store when in clustered ha configurations | `True` if `keycloak_ha_enabled` else `False` |
 |`keycloak_admin_user`| Administration console user account | `admin` |
@@ -68,13 +69,19 @@ Role Defaults
 |`keycloak_jgroups_port`| jgroups cluster tcp port | `7600` |
 |`keycloak_management_http_port`| Management port | `9990` |
 |`keycloak_management_https_port`| TLS management port | `9993` |
-|`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `True` |
+|`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `true` |
 |`keycloak_config_standalone_xml`| filename for configuration | `keycloak.xml` |
 |`keycloak_service_user`| posix account username | `keycloak` |
 |`keycloak_service_group`| posix account group | `keycloak` |
-|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak.pid` |
+|`keycloak_service_restart_always`| systemd restart always behavior activation | `False` |
+|`keycloak_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` |
+|`keycloak_service_startlimitintervalsec`| systemd StartLimitIntervalSec | `300` |
+|`keycloak_service_startlimitburst`| systemd StartLimitBurst | `5` |
+|`keycloak_service_restartsec`| systemd RestartSec | `10s` |
+|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak/keycloak.pid` |
+|`keycloak_features` | List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]` | `[]`
 |`keycloak_jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-headless` |
-|`keycloak_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path | `None` |
+|`keycloak_java_home`| `JAVA_HOME` of installed JRE, leave empty for using RPM path at `keycloak_jvm_package` | `None` |
 |`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
 
 
@@ -82,12 +89,12 @@ Role Defaults
 
 | Variable | Description | Default |
 |:---------|:------------|:---------|
-|`keycloak_offline_install` | perform an offline install | `False`|
+|`keycloak_offline_install` | perform an offline install | `false`|
 |`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`|
 |`keycloak_version`| keycloak.org package version | `18.0.2` |
 |`keycloak_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
-|`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
+|`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `false` |
 
 
 * Miscellaneous configuration
@@ -98,14 +105,21 @@ Role Defaults
 |`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` |
 |`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` |
 |`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir }}` |
+|`keycloak_jboss_port_offset` | Port offset for the JBoss socket binding | `0` |
 |`keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` |
 |`keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` |
 |`keycloak_config_override_template` | Path to custom template for standalone.xml configuration | `''` |
 |`keycloak_auth_realm` | Name for rest authentication realm | `master` |
 |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
-|`keycloak_force_install` | Remove pre-existing versions of service | `False` |
+|`keycloak_force_install` | Remove pre-existing versions of service | `false` |
-|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
+|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}` |
-|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
+|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}` |
+|`keycloak_frontend_url_force` | Force backend requests to use the frontend URL | `false` |
+|`keycloak_db_background_validation` | Enable background validation of database connection | `false` |
+|`keycloak_db_background_validation_millis`| How frequenly the connection pool is validated in the background | `10000` if background validation enabled |
+|`keycloak_db_background_validate_on_match` | Enable validate on match for database connections | `false` |
+|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |
+|`keycloak_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` |
 
 
 Role Variables
@@ -116,10 +130,10 @@ The following are a set of _required_ variables for the role:
 | Variable | Description |
 |:---------|:------------|
 |`keycloak_admin_password`| Password for the administration console user account (minimum 12 characters) |
-|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth` |
+|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |
 
 
-The following variables are _required_ only when `keycloak_ha_enabled` is True:
+The following parameters are _required_ only when `keycloak_ha_enabled` is true:
 
 | Variable | Description | Default |
 |:---------|:------------|:--------|
@@ -137,7 +151,7 @@ The following variables are _required_ only when `keycloak_ha_enabled` is True:
 |`keycloak_infinispan_trust_store_password`| Password for opening truststore | `changeit` |
 
 
-The following variables are _required_ only when `keycloak_db_enabled` is True:
+The following parameters are _required_ only when `keycloak_db_enabled` is true:
 
 | Variable | Description | Default |
 |:---------|:------------|:---------|
@@ -147,6 +161,14 @@ The following variables are _required_ only when `keycloak_db_enabled` is True:
 |`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` |
 
 
+The following variables are _optional_:
+
+| Variable | Description |
+|:---------|:------------|
+|`keycloak_db_valid_conn_sql` | Override the default database connection validation query sql |
+|`keycloak_admin_url` | Override the default administration endpoint URL |
+|`keycloak_jgroups_subnet`| Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration |
+
 Example Playbook
 -----------------
 
@@ -157,8 +179,6 @@ Example Playbook
 - hosts: ...
       vars:
         keycloak_admin_password: "remembertochangeme"
-      collections:
-        - middleware_automation.keycloak
       roles:
         - middleware_automation.keycloak.keycloak
 ```
@@ -177,7 +197,7 @@ Example Playbook
             name: keycloak
           vars:
             keycloak_admin_password: "remembertochangeme"
-            keycloak_offline_install: True
+            keycloak_offline_install: true
             # This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip
 ```
 

roles/keycloak/defaults/main.yml

@@ -5,26 +5,34 @@ keycloak_archive: "keycloak-legacy-{{ keycloak_version }}.zip"
 keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
 keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
 keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
-keycloak_offline_install: False
+keycloak_offline_install: false
 
 ### Install location and service settings
-keycloak_jvm_package: java-1.8.0-openjdk-headless
 keycloak_java_home:
 keycloak_dest: /opt/keycloak
 keycloak_jboss_home: "{{ keycloak_installdir }}"
+keycloak_jboss_port_offset: 0
 keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
 keycloak_config_standalone_xml: "keycloak.xml"
 keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
 keycloak_config_override_template: ''
+keycloak_config_path_to_properties: "{{ keycloak_jboss_home }}/standalone/configuration/profile.properties"
+keycloak_service_runas: false
 keycloak_service_user: keycloak
 keycloak_service_group: keycloak
-keycloak_service_pidfile: "/run/keycloak.pid"
+keycloak_service_pidfile: "/run/keycloak/keycloak.pid"
 keycloak_service_name: keycloak
 keycloak_service_desc: Keycloak
 keycloak_service_start_delay: 10
 keycloak_service_start_retries: 25
+keycloak_service_restart_always: false
+keycloak_service_restart_on_failure: false
+keycloak_service_startlimitintervalsec: "300"
+keycloak_service_startlimitburst: "5"
+keycloak_service_restartsec: "10s"
 
-keycloak_configure_firewalld: False
+keycloak_configure_firewalld: false
+keycloak_configure_iptables: false
 
 ### administrator console password
 keycloak_admin_password: ''
@@ -36,14 +44,16 @@ keycloak_http_port: 8080
 keycloak_https_port: 8443
 keycloak_ajp_port: 8009
 keycloak_jgroups_port: 7600
+keycloak_jgroups_subnet:
 keycloak_management_port_bind_address: 127.0.0.1
 keycloak_management_http_port: 9990
 keycloak_management_https_port: 9993
 keycloak_java_opts: "-Xms1024m -Xmx2048m"
-keycloak_prefer_ipv4: True
+keycloak_prefer_ipv4: true
+keycloak_features: []
 
 ### Enable configuration for database backend, clustering and remote caches on infinispan
-keycloak_ha_enabled: False
+keycloak_ha_enabled: false
 ### Enable database configuration, must be enabled when HA is configured
 keycloak_db_enabled: "{{ True if keycloak_ha_enabled else False }}"
 ### Discovery protocol for ha cluster members, valus [ 'JDBC_PING', 'TCPPING' ]
@@ -56,7 +66,7 @@ keycloak_admin_user: admin
 keycloak_auth_realm: master
 keycloak_auth_client: admin-cli
 
-keycloak_force_install: False
+keycloak_force_install: false
 
 ### mod_cluster reverse proxy list
 keycloak_modcluster_enabled: "{{ True if keycloak_ha_enabled else False }}"
@@ -67,14 +77,16 @@ keycloak_modcluster_urls:
     port: "{{ keycloak_modcluster_port }}"
 
 ### keycloak frontend url
-keycloak_frontend_url: http://localhost:8080/auth
+keycloak_frontend_url: http://localhost:8080/auth/
+keycloak_frontend_url_force: false
+keycloak_admin_url:
 
 ### infinispan remote caches access (hotrod)
 keycloak_infinispan_user: supervisor
 keycloak_infinispan_pass: supervisor
 keycloak_infinispan_url: localhost
 keycloak_infinispan_sasl_mechanism: SCRAM-SHA-512
-keycloak_infinispan_use_ssl: False
+keycloak_infinispan_use_ssl: false
 # if ssl is enabled, import ispn server certificate here
 keycloak_infinispan_trust_store_path: /etc/pki/java/cacerts
 keycloak_infinispan_trust_store_password: changeit
@@ -84,6 +96,10 @@ keycloak_jdbc_engine: postgres
 ### database backend credentials
 keycloak_db_user: keycloak-user
 keycloak_db_pass: keycloak-pass
+## connection validation
+keycloak_db_background_validation: false
+keycloak_db_background_validation_millis: "{{ 10000 if keycloak_db_background_validation else 0 }}"
+keycloak_db_background_validate_on_match: false
 keycloak_jdbc_url: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
 keycloak_jdbc_driver_version: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
 # override the variables above, following defaults show minimum supported versions
@@ -98,4 +114,7 @@ keycloak_default_jdbc:
     url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
     version: 12.2.0
 # role specific vars
-keycloak_no_log: True
+keycloak_no_log: true
+
+### logging configuration
+keycloak_log_target: /var/log/keycloak

roles/keycloak/meta/argument_specs.yml

@@ -2,42 +2,38 @@ argument_specs:
     main:
         options:
             keycloak_version:
-                # line 3 of keycloak/defaults/main.yml
                 default: "18.0.2"
                 description: "keycloak.org package version"
                 type: "str"
             keycloak_archive:
-                # line 4 of keycloak/defaults/main.yml
                 default: "keycloak-legacy-{{ keycloak_version }}.zip"
                 description: "keycloak install archive filename"
                 type: "str"
+            keycloak_configure_iptables:
+                default: false
+                description: "Ensure iptables is running and configure keycloak ports"
+                type: "bool"
             keycloak_configure_firewalld:
-                # line 33 of keycloak/defaults/main.yml
                 default: false
                 description: "Ensure firewalld is running and configure keycloak ports"
                 type: "bool"
             keycloak_download_url:
-                # line 5 of keycloak/defaults/main.yml
                 default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
                 description: "Download URL for keycloak"
                 type: "str"
             keycloak_download_url_9x:
-                # line 6 of keycloak/defaults/main.yml
                 default: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
                 description: "Download URL for keycloak (deprecated)"
                 type: "str"
             keycloak_installdir:
-                # line 7 of keycloak/defaults/main.yml
                 default: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
                 description: "Installation path"
                 type: "str"
             keycloak_offline_install:
-                # line 20 of keycloak/defaults/main.yml
                 default: false
                 description: "Perform an offline install"
                 type: "bool"
             keycloak_jvm_package:
-                # line 23 of keycloak/defaults/main.yml
                 default: "java-1.8.0-openjdk-headless"
                 description: "RHEL java package runtime rpm"
                 type: "str"
@@ -45,106 +41,100 @@ argument_specs:
                 description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path"
                 type: "str"
             keycloak_dest:
-                # line 24 of keycloak/defaults/main.yml
                 default: "/opt/keycloak"
                 description: "Root installation directory"
                 type: "str"
             keycloak_jboss_home:
-                # line 25 of keycloak/defaults/main.yml
                 default: "{{ keycloak_installdir }}"
                 description: "Installation work directory"
                 type: "str"
+            keycloak_jboss_port_offset:
+                default: 0
+                description: "Port offset for the JBoss socket binding"
+                type: "int"
             keycloak_config_dir:
-                # line 26 of keycloak/defaults/main.yml
                 default: "{{ keycloak_jboss_home }}/standalone/configuration"
                 description: "Path for configuration"
                 type: "str"
             keycloak_config_standalone_xml:
-                # line 27 of keycloak/defaults/main.yml
                 default: "keycloak.xml"
                 description: "Service configuration filename"
                 type: "str"
             keycloak_config_path_to_standalone_xml:
-                # line 28 of keycloak/defaults/main.yml
                 default: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
                 description: "Custom path for configuration"
                 type: "str"
             keycloak_config_override_template:
-                # line 30 of keycloak/defaults/main.yml
                 default: ""
                 description: "Path to custom template for standalone.xml configuration"
                 type: "str"
+            keycloak_service_runas:
+                default: false
+                description: "Enable execution of service as `keycloak_service_user`"
+                type: "bool"
             keycloak_service_user:
-                # line 29 of keycloak/defaults/main.yml
                 default: "keycloak"
                 description: "posix account username"
                 type: "str"
             keycloak_service_group:
-                # line 30 of keycloak/defaults/main.yml
                 default: "keycloak"
                 description: "posix account group"
                 type: "str"
             keycloak_service_pidfile:
-                # line 31 of keycloak/defaults/main.yml
+                default: "/run/keycloak/keycloak.pid"
-                default: "/run/keycloak.pid"
                 description: "PID file path for service"
                 type: "str"
+            keycloak_features:
+                default: "[]"
+                description: >
+                  List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`,
+                  example: `[ { name: 'docker', status: 'enabled' } ]`
+                type: "list"
             keycloak_bind_address:
-                # line 34 of keycloak/defaults/main.yml
                 default: "0.0.0.0"
                 description: "Address for binding service ports"
                 type: "str"
             keycloak_management_port_bind_address:
                 default: "127.0.0.1"
-                description: "Address for binding the managemnt ports"
+                description: "Address for binding the management ports"
                 type: "str"
             keycloak_host:
-                # line 35 of keycloak/defaults/main.yml
                 default: "localhost"
                 description: "Hostname for service"
                 type: "str"
             keycloak_http_port:
-                # line 36 of keycloak/defaults/main.yml
                 default: 8080
                 description: "Listening HTTP port"
                 type: "int"
             keycloak_https_port:
-                # line 37 of keycloak/defaults/main.yml
                 default: 8443
                 description: "Listening HTTPS port"
                 type: "int"
             keycloak_ajp_port:
-                # line 38 of keycloak/defaults/main.yml
                 default: 8009
                 description: "Listening AJP port"
                 type: "int"
             keycloak_jgroups_port:
-                # line 39 of keycloak/defaults/main.yml
                 default: 7600
                 description: "jgroups cluster tcp port"
                 type: "int"
             keycloak_management_http_port:
-                # line 40 of keycloak/defaults/main.yml
                 default: 9990
                 description: "Management port (http)"
                 type: "int"
             keycloak_management_https_port:
-                # line 41 of keycloak/defaults/main.yml
                 default: 9993
                 description: "Management port (https)"
                 type: "int"
             keycloak_java_opts:
-                # line 42 of keycloak/defaults/main.yml
                 default: "-Xms1024m -Xmx2048m"
                 description: "Additional JVM options"
                 type: "str"
             keycloak_prefer_ipv4:
-                # line 43 of keycloak/defaults/main.yml
                 default: true
                 description: "Prefer IPv4 stack and addresses for port binding"
                 type: "bool"
             keycloak_ha_enabled:
-                # line 46 of keycloak/defaults/main.yml
                 default: false
                 description: "Enable auto configuration for database backend, clustering and remote caches on infinispan"
                 type: "bool"
@@ -153,27 +143,22 @@ argument_specs:
                 description: "Discovery protocol for HA cluster members"
                 type: "str"
             keycloak_db_enabled:
-                # line 48 of keycloak/defaults/main.yml
                 default: "{{ True if keycloak_ha_enabled else False }}"
                 description: "Enable auto configuration for database backend"
                 type: "bool"
             keycloak_admin_user:
-                # line 51 of keycloak/defaults/main.yml
                 default: "admin"
                 description: "Administration console user account"
                 type: "str"
             keycloak_auth_realm:
-                # line 52 of keycloak/defaults/main.yml
                 default: "master"
                 description: "Name for rest authentication realm"
                 type: "str"
             keycloak_auth_client:
-                # line 53 of keycloak/defaults/main.yml
                 default: "admin-cli"
                 description: "Authentication client for configuration REST calls"
                 type: "str"
             keycloak_force_install:
-                # line 55 of keycloak/defaults/main.yml
                 default: false
                 description: "Remove pre-existing versions of service"
                 type: "bool"
@@ -182,7 +167,6 @@ argument_specs:
                 description: "Enable configuration for modcluster subsystem"
                 type: "bool"
             keycloak_modcluster_url:
-                # line 58 of keycloak/defaults/main.yml
                 default: "localhost"
                 description: "URL for the modcluster reverse proxy"
                 type: "str"
@@ -195,83 +179,71 @@ argument_specs:
                 description: "List of modproxy node URLs in the format { host, port } for the modcluster reverse proxy"
                 type: "list"
             keycloak_frontend_url:
-                # line 59 of keycloak/defaults/main.yml
                 default: "http://localhost"
                 description: "Frontend URL for keycloak endpoints when a reverse proxy is used"
                 type: "str"
+            keycloak_frontend_url_force:
+                default: false
+                description: "Force backend requests to use the frontend URL"
+                type: "bool"
             keycloak_infinispan_user:
-                # line 62 of keycloak/defaults/main.yml
                 default: "supervisor"
                 description: "Username for connecting to infinispan"
                 type: "str"
             keycloak_infinispan_pass:
-                # line 63 of keycloak/defaults/main.yml
                 default: "supervisor"
                 description: "Password for connecting to infinispan"
                 type: "str"
             keycloak_infinispan_url:
-                # line 64 of keycloak/defaults/main.yml
                 default: "localhost"
                 description: "URL for the infinispan remote-cache server"
                 type: "str"
             keycloak_infinispan_sasl_mechanism:
-                # line 65 of keycloak/defaults/main.yml
                 default: "SCRAM-SHA-512"
                 description: "Authentication type to infinispan server"
                 type: "str"
             keycloak_infinispan_use_ssl:
-                # line 66 of keycloak/defaults/main.yml
                 default: false
                 description: "Enable hotrod client TLS communication"
                 type: "bool"
             keycloak_infinispan_trust_store_path:
-                # line 68 of keycloak/defaults/main.yml
                 default: "/etc/pki/java/cacerts"
                 description: "TODO document argument"
                 type: "str"
             keycloak_infinispan_trust_store_password:
-                # line 69 of keycloak/defaults/main.yml
                 default: "changeit"
                 description: "Path to truststore containing infinispan server certificate"
                 type: "str"
             keycloak_jdbc_engine:
-                # line 72 of keycloak/defaults/main.yml
                 default: "postgres"
                 description: "Backend database flavour when db is enabled: [ postgres, mariadb, sqlserver ]"
                 type: "str"
             keycloak_db_user:
-                # line 74 of keycloak/defaults/main.yml
                 default: "keycloak-user"
                 description: "Username for connecting to database"
                 type: "str"
             keycloak_db_pass:
-                # line 75 of keycloak/defaults/main.yml
                 default: "keycloak-pass"
                 description: "Password for connecting to database"
                 type: "str"
             keycloak_jdbc_url:
-                # line 76 of keycloak/defaults/main.yml
                 default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
                 description: "URL for connecting to backend database"
                 type: "str"
             keycloak_jdbc_driver_version:
-                # line 77 of keycloak/defaults/main.yml
                 default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
                 description: "Version for the JDBC driver to download"
                 type: "str"
             keycloak_admin_password:
-                # line 4 of keycloak/vars/main.yml
                 required: true
                 description: "Password for the administration console user account"
                 type: "str"
             keycloak_url:
-                # line 12 of keycloak/vars/main.yml
+                default: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
-                default: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
                 description: "URL for configuration rest calls"
                 type: "str"
             keycloak_management_url:
-                # line 13 of keycloak/vars/main.yml
+                default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"
-                default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
                 description: "URL for management console rest calls"
                 type: "str"
             keycloak_service_name:
@@ -290,6 +262,26 @@ argument_specs:
                 default: "25"
                 description: "How many time should Ansible retry to connect to the service after it was started, before failing."
                 type: "int"
+            keycloak_service_restart_always:
+                default: false
+                description: "systemd restart always behavior activation for keycloak"
+                type: "bool"
+            keycloak_service_restart_on_failure:
+                default: false
+                description: "systemd restart on-failure behavior activation for keycloak"
+                type: "bool"
+            keycloak_service_startlimitintervalsec:
+                default: 300
+                description: "systemd StartLimitIntervalSec for keycloak"
+                type: "int"
+            keycloak_service_startlimitburst:
+                default: 5
+                description: "systemd StartLimitBurst for keycloak"
+                type: "int"
+            keycloak_service_restartsec:
+                default: "5s"
+                description: "systemd RestartSec for keycloak"
+                type: "str"
             keycloak_no_log:
                 default: true
                 type: "bool"
@@ -298,6 +290,49 @@ argument_specs:
                 default: "{{ True if keycloak_ha_enabled else False }}"
                 description: "Enable remote cache store when in clustered ha configurations"
                 type: "bool"
+            keycloak_db_background_validation:
+                default: false
+                description: "Enable background validation of database connection"
+                type: "bool"
+            keycloak_db_background_validation_millis:
+                default: "{{ 10000 if keycloak_db_background_validation else 0 }}"
+                description: "How frequenly the connection pool is validated in the background"
+                type: 'int'
+            keycloak_db_background_validate_on_match:
+                default: false
+                description: "Enable validate on match for database connections"
+                type: "bool"
+            keycloak_db_valid_conn_sql:
+                required: false
+                description: "Override the default database connection validation query sql"
+                type: "str"
+            keycloak_admin_url:
+                required: false
+                description: "Override the default administration endpoint URL"
+                type: "str"
+            keycloak_jgroups_subnet:
+                required: false
+                description: >
+                  Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration
+                type: "str"
+            keycloak_log_target:
+                default: '/var/log/keycloak'
+                type: "str"
+                description: "Set the destination of the keycloak log folder link"
+            keycloak_jdbc_download_url:
+                description: "Override the default Maven Central download URL for the JDBC driver"
+                type: "str"
+            keycloak_jdbc_download_user:
+                description: "Set a username with which to authenticate when downloading JDBC drivers from an alternative location"
+                type: "str"
+            keycloak_jdbc_download_pass:
+                description: >
+                  Set a password with which to authenticate when downloading JDBC drivers from an alternative location (requires keycloak_jdbc_download_user)
+                type: "str"
+            keycloak_jdbc_download_validate_certs:
+                default: true
+                description: "Allow the option to ignore invalid certificates when downloading JDBC drivers from a custom URL"
+                type: "bool"
     downstream:
         options:
             sso_version:
@@ -317,15 +352,15 @@ argument_specs:
                 description: "Installation path for Red Hat SSO"
                 type: "str"
             sso_apply_patches:
-                default: False
+                default: false
                 description: "Install Red Hat SSO most recent cumulative patch"
                 type: "bool"
             sso_enable:
-                default: True
+                default: true
                 description: "Enable Red Hat Single Sign-on installation"
                 type: "str"
             sso_offline_install:
-                default: False
+                default: false
                 description: "Perform an offline install"
                 type: "bool"
             sso_service_name:
@@ -337,7 +372,7 @@ argument_specs:
                 description: "systemd description for Red Hat Single Sign-On"
                 type: "str"
             sso_patch_version:
-                required: False
+                required: false
                 description: "Red Hat Single Sign-On latest cumulative patch version to apply; defaults to latest version when sso_apply_patches is True"
                 type: "str"
             sso_patch_bundle:

roles/keycloak/meta/main.yml

@@ -12,12 +12,12 @@ galaxy_info:
 
   license: Apache License 2.0
 
-  min_ansible_version: "2.9"
+  min_ansible_version: "2.14"
 
   platforms:
     - name: EL
       versions:
-     - 8
+        - "8"
 
   galaxy_tags:
     - keycloak

roles/keycloak/tasks/debian.yml

@@ -0,0 +1,6 @@
+---
+- name: Include firewall config tasks
+  ansible.builtin.include_tasks: iptables.yml
+  when: keycloak_configure_iptables
+  tags:
+    - firewall

roles/keycloak/tasks/fastpackages.yml

@@ -1,20 +1,31 @@
 ---
-- name: Check packages to be installed
+- name: "Check if packages are already installed" # noqa command-instead-of-module this runs faster
-  block:
-  - name: "Check if packages are already installed" # noqa command-instead-of-module this runs faster
   ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
   register: rpm_info
-    changed_when: rpm_info.failed
+  changed_when: false
+  failed_when: false
+  when: ansible_facts.os_family == "RedHat"
 
-  rescue:
+- name: "Add missing packages to the yum install list"
-    - name: "Add missing packages to the yum install list"
   ansible.builtin.set_fact:
-        packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | flatten }}"
+    packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | \
-      when: rpm_info.failed
+                          map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
+  when: ansible_facts.os_family == "RedHat"
 
 - name: "Install packages: {{ packages_to_install }}"
-  become: yes
+  become: true
   ansible.builtin.yum:
     name: "{{ packages_to_install }}"
     state: present
-  when: packages_to_install | default([]) | length > 0
+  when:
+    - packages_to_install | default([]) | length > 0
+    - ansible_facts.os_family == "RedHat"
+
+- name: "Install packages: {{ packages_list }}"
+  become: true
+  ansible.builtin.package:
+    name: "{{ packages_list }}"
+    state: present
+  when:
+    - packages_list | default([]) | length > 0
+    - ansible_facts.os_family == "Debian"

roles/keycloak/tasks/firewalld.yml

@@ -6,19 +6,19 @@
       - firewalld
 
 - name: Enable and start the firewalld service
-  become: yes
+  become: true
   ansible.builtin.systemd:
     name: firewalld
-    enabled: yes
+    enabled: true
     state: started
 
-- name: "Configure firewall for {{ keycloak.service_name }} ports"
+- name: "Configure firewall ports for {{ keycloak.service_name }}"
-  become: yes
+  become: true
   ansible.posix.firewalld:
     port: "{{ item }}"
     permanent: true
     state: enabled
-    immediate: yes
+    immediate: true
   loop:
     - "{{ keycloak_http_port }}/tcp"
     - "{{ keycloak_https_port }}/tcp"

roles/keycloak/tasks/install.yml

@@ -11,7 +11,7 @@
     quiet: true
 
 - name: Check for an existing deployment
-  become: yes
+  become: true
   ansible.builtin.stat:
     path: "{{ keycloak_jboss_home }}"
   register: existing_deploy
@@ -20,38 +20,47 @@
   when: existing_deploy.stat.exists and keycloak_force_install | bool
   block:
     - name: "Stop the old {{ keycloak.service_name }} service"
-      become: yes
+      become: true
-      ignore_errors: yes
+      failed_when: false
       ansible.builtin.systemd:
         name: keycloak
         state: stopped
     - name: "Remove the old {{ keycloak.service_name }} deployment"
-      become: yes
+      become: true
       ansible.builtin.file:
         path: "{{ keycloak_jboss_home }}"
         state: absent
 
 - name: Check for an existing deployment after possible forced removal
-  become: yes
+  become: true
   ansible.builtin.stat:
     path: "{{ keycloak_jboss_home }}"
 
-- name: "Create {{ keycloak.service_name }} service user/group"
+- name: "Create service user/group for {{ keycloak.service_name }}"
-  become: yes
+  become: true
   ansible.builtin.user:
     name: "{{ keycloak_service_user }}"
     home: /opt/keycloak
-    system: yes
+    system: true
-    create_home: no
+    create_home: false
 
-- name: "Create {{ keycloak.service_name }} install location"
+- name: "Create install location for {{ keycloak.service_name }}"
-  become: yes
+  become: true
   ansible.builtin.file:
     dest: "{{ keycloak_dest }}"
     state: directory
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
-    mode: 0750
+    mode: '0750'
+
+- name: Create pidfile folder
+  become: true
+  ansible.builtin.file:
+    dest: "{{ keycloak_service_pidfile | dirname }}"
+    state: directory
+    owner: "{{ keycloak_service_user if keycloak_service_runas else omit }}"
+    group: "{{ keycloak_service_group if keycloak_service_runas else omit }}"
+    mode: '0750'
 
 ## check remote archive
 - name: Set download archive path
@@ -59,7 +68,7 @@
     archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"
 
 - name: Check download archive path
-  become: yes
+  become: true
   ansible.builtin.stat:
     path: "{{ archive }}"
   register: archive_path
@@ -75,9 +84,9 @@
   ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
     url: "{{ keycloak_download_url }}"
     dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
-    mode: 0644
+    mode: '0644'
   delegate_to: localhost
-  run_once: yes
+  run_once: true
   when:
     - archive_path is defined
     - archive_path.stat is defined
@@ -87,7 +96,7 @@
 
 - name: Perform download from RHN using JBoss Network API
   delegate_to: localhost
-  run_once: yes
+  run_once: true
   when:
     - archive_path is defined
     - archive_path.stat is defined
@@ -105,13 +114,13 @@
       register: rhn_products
       no_log: "{{ omit_rhn_output | default(true) }}"
       delegate_to: localhost
-      run_once: yes
+      run_once: true
 
     - name: Determine install zipfile from search results
       ansible.builtin.set_fact:
         rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/' + sso_archive + '$') }}"
       delegate_to: localhost
-      run_once: yes
+      run_once: true
 
     - name: Download Red Hat Single Sign-On
       middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
@@ -121,15 +130,15 @@
         dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
       no_log: "{{ omit_rhn_output | default(true) }}"
       delegate_to: localhost
-      run_once: yes
+      run_once: true
 
 - name: Download rhsso archive from alternate location
   ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
     url: "{{ keycloak_rhsso_download_url }}"
     dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
-    mode: 0644
+    mode: '0644'
   delegate_to: localhost
-  run_once: yes
+  run_once: true
   when:
     - archive_path is defined
     - archive_path.stat is defined
@@ -151,29 +160,29 @@
     dest: "{{ archive }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
-    mode: 0640
+    mode: '0640'
   register: new_version_downloaded
   when:
     - not archive_path.stat.exists
     - local_archive_path.stat is defined
     - local_archive_path.stat.exists
-  become: yes
+  become: true
 
 - name: "Check target directory: {{ keycloak.home }}"
   ansible.builtin.stat:
     path: "{{ keycloak.home }}"
   register: path_to_workdir
-  become: yes
+  become: true
 
 - name: "Extract {{ keycloak_service_desc }} archive on target"
   ansible.builtin.unarchive:
-    remote_src: yes
+    remote_src: true
     src: "{{ archive }}"
     dest: "{{ keycloak_dest }}"
     creates: "{{ keycloak.home }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
-  become: yes
+  become: true
   when:
     - new_version_downloaded.changed or not path_to_workdir.stat.exists
   notify:
@@ -191,7 +200,13 @@
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
     recurse: true
-  become: yes
+  become: true
+  changed_when: false
+
+- name: Ensure permissions are correct on existing deploy
+  ansible.builtin.command: chown -R "{{ keycloak_service_user }}:{{ keycloak_service_group }}" "{{ keycloak.home }}"
+  when: keycloak_service_runas
+  become: true
   changed_when: false
 
 # driver and configuration
@@ -200,25 +215,25 @@
   when: keycloak_jdbc[keycloak_jdbc_engine].enabled
 
 - name: "Deploy custom {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak_config_override_template }}"
-  become: yes
+  become: true
   ansible.builtin.template:
     src: "templates/{{ keycloak_config_override_template }}"
     dest: "{{ keycloak_config_path_to_standalone_xml }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
-    mode: 0640
+    mode: '0640'
   notify:
     - restart keycloak
   when: keycloak_config_override_template | length > 0
 
 - name: "Deploy standalone {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
-  become: yes
+  become: true
   ansible.builtin.template:
     src: templates/standalone.xml.j2
     dest: "{{ keycloak_config_path_to_standalone_xml }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
-    mode: 0640
+    mode: '0640'
   notify:
     - restart keycloak
   when:
@@ -239,14 +254,14 @@
   loop: "{{ ansible_play_batch }}"
   when: keycloak_ha_enabled and keycloak_ha_discovery == 'TCPPING'
 
-- name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak.config_template_source }}"
+- name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
-  become: yes
+  become: true
   ansible.builtin.template:
     src: templates/standalone-ha.xml.j2
     dest: "{{ keycloak_config_path_to_standalone_xml }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
-    mode: 0640
+    mode: '0640'
   notify:
     - restart keycloak
   when:
@@ -255,16 +270,28 @@
     - keycloak_config_override_template | length == 0
 
 - name: "Deploy HA {{ keycloak.service_name }} config with infinispan remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
-  become: yes
+  become: true
   ansible.builtin.template:
     src: templates/standalone-infinispan.xml.j2
     dest: "{{ keycloak_config_path_to_standalone_xml }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
-    mode: 0640
+    mode: '0640'
   notify:
     - restart keycloak
   when:
     - keycloak_ha_enabled
     - keycloak_remote_cache_enabled
     - keycloak_config_override_template | length == 0
+
+- name: "Deploy profile.properties file to {{ keycloak_config_path_to_properties }}"
+  become: true
+  ansible.builtin.template:
+    src: keycloak-profile.properties.j2
+    dest: "{{ keycloak_config_path_to_properties }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: '0640'
+  notify:
+    - restart keycloak
+  when: keycloak_features | length > 0

roles/keycloak/tasks/iptables.yml

@@ -0,0 +1,23 @@
+---
+- name: Ensure required package iptables are installed
+  ansible.builtin.include_tasks: fastpackages.yml
+  vars:
+    packages_list:
+      - iptables
+
+- name: "Configure firewall ports for {{ keycloak.service_name }}"
+  become: true
+  ansible.builtin.iptables:
+    destination_port: "{{ item }}"
+    action: "insert"
+    rule_num: 6 # magic number I forget why
+    chain: "INPUT"
+    policy: "ACCEPT"
+    protocol: tcp
+  loop:
+    - "{{ keycloak_http_port }}"
+    - "{{ keycloak_https_port }}"
+    - "{{ keycloak_management_http_port }}"
+    - "{{ keycloak_management_https_port }}"
+    - "{{ keycloak_jgroups_port }}"
+    - "{{ keycloak_ajp_port }}"

roles/keycloak/tasks/jdbc_driver.yml

@@ -3,19 +3,26 @@
   ansible.builtin.stat:
     path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
   register: dest_path
-  become: yes
+  become: true
 
 - name: "Set up module dir for JDBC Driver {{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}"
   ansible.builtin.file:
     path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
     state: directory
-    recurse: yes
+    recurse: true
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
-    mode: 0750
+    mode: '0750'
-  become: yes
+  become: true
   when:
     - not dest_path.stat.exists
+- name: "Verify valid parameters for download credentials when specified"
+  ansible.builtin.fail:
+    msg: >-
+      When JDBC driver download credentials are set, both the username and the password MUST be set
+  when: >
+    (keycloak_jdbc_download_user is undefined and keycloak_jdbc_download_pass is not undefined) or
+    (keycloak_jdbc_download_pass is undefined and keycloak_jdbc_download_user is not undefined)
 
 - name: "Retrieve JDBC Driver from {{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_url }}"
   ansible.builtin.get_url:
@@ -23,8 +30,11 @@
     dest: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}/{{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_filename }}"
     group: "{{ keycloak_service_group }}"
     owner: "{{ keycloak_service_user }}"
-    mode: 0640
+    url_username: "{{ keycloak_jdbc_download_user | default(omit) }}"
-  become: yes
+    url_password: "{{ keycloak_jdbc_download_pass | default(omit) }}"
+    validate_certs: "{{ keycloak_jdbc_download_validate_certs | default(omit) }}"
+    mode: '0640'
+  become: true
 
 - name: "Deploy module.xml for JDBC Driver"
   ansible.builtin.template:
@@ -32,5 +42,5 @@
     dest: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}/module.xml"
     group: "{{ keycloak_service_group }}"
     owner: "{{ keycloak_service_user }}"
-    mode: 0640
+    mode: '0640'
-  become: yes
+  become: true

roles/keycloak/tasks/main.yml

@@ -5,11 +5,10 @@
   tags:
     - prereqs
 
-- name: Include firewall config tasks
+- name: Distro specific tasks
-  ansible.builtin.include_tasks: firewalld.yml
+  ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml"
-  when: keycloak_configure_firewalld
   tags:
-    - firewall
+    - unbound
 
 - name: Include install tasks
   ansible.builtin.include_tasks: install.yml
@@ -26,6 +25,7 @@
   when:
     - sso_apply_patches is defined and sso_apply_patches
     - sso_enable is defined and sso_enable
+    - ansible_facts.os_family == "RedHat"
   tags:
     - install
     - patch
@@ -34,8 +34,8 @@
   ansible.builtin.file:
     state: link
     src: "{{ keycloak_jboss_home }}/standalone/log"
-    dest: /var/log/keycloak
+    dest: "{{ keycloak_log_target }}"
-  become: yes
+  become: true
 
 - name: Set admin credentials and restart if not already created
   block:
@@ -44,7 +44,7 @@
         url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
         method: POST
         body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
-        validate_certs: no
+        validate_certs: false
       register: keycloak_auth_response
       until: keycloak_auth_response.status == 200
       retries: 2
@@ -58,8 +58,8 @@
           - "-rmaster"
           - "-u{{ keycloak_admin_user }}"
           - "-p{{ keycloak_admin_password }}"
-      changed_when: yes
+      changed_when: true
-      become: yes
+      become: true
     - name: "Restart {{ keycloak.service_name }}"
       ansible.builtin.include_tasks: tasks/restart_keycloak.yml
     - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"

roles/keycloak/tasks/prereqs.yml

@@ -3,15 +3,18 @@
   ansible.builtin.assert:
     that:
       - keycloak_admin_password | length > 12
-    quiet: True
+    quiet: true
-    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_admin_password variable to a 12+ char long string"
+    fail_msg: >
+      The console administrator password is empty or invalid. Please set the keycloak_admin_password variable to a 12+ char long string
     success_msg: "{{ 'Console administrator password OK' }}"
 
 - name: Validate configuration
   ansible.builtin.assert:
-    that:
+    that: >
-      - (keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and not keycloak_db_enabled)
+      (keycloak_ha_enabled and keycloak_db_enabled) or
-    quiet: True
+      (not keycloak_ha_enabled and keycloak_db_enabled) or
+      (not keycloak_ha_enabled and not keycloak_db_enabled)
+    quiet: true
     fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_ha_enabled and keycloak_db_enabled"
     success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"
 
@@ -20,7 +23,7 @@
     that:
       - (rhn_username is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install
       - (rhn_password is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install
-    quiet: True
+    quiet: true
     fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
     success_msg: "Installing {{ keycloak_service_desc }}"
 
@@ -31,16 +34,25 @@
       - keycloak_jdbc_url | length > 0
       - keycloak_db_user | length > 0
       - keycloak_db_pass | length > 0
-    quiet: True
+    quiet: true
     fail_msg: "Configuration for the JDBC persistence is invalid or incomplete"
     success_msg: "Configuring JDBC persistence using {{ keycloak_jdbc_engine }} database"
   when: keycloak_db_enabled
 
+- name: Validate OS family
+  ansible.builtin.assert:
+    that:
+      - ansible_os_family in ["RedHat", "Debian"]
+    quiet: true
+    fail_msg: "Can only install on RedHat or Debian OS families; found {{ ansible_os_family }}"
+    success_msg: "Installing on {{ ansible_os_family }}"
+
+- name: Load OS specific variables
+  ansible.builtin.include_vars: "vars/{{ ansible_os_family | lower }}.yml"
+  tags:
+    - always
+
 - name: Ensure required packages are installed
   ansible.builtin.include_tasks: fastpackages.yml
   vars:
-    packages_list:
+    packages_list: "{{ keycloak_prereq_package_list }}"
-      - "{{ keycloak_jvm_package }}"
-      - unzip
-      - procps-ng
-      - initscripts

roles/keycloak/tasks/redhat.yml

@@ -0,0 +1,6 @@
+---
+- name: Include firewall config tasks
+  ansible.builtin.include_tasks: firewalld.yml
+  when: keycloak_configure_firewalld
+  tags:
+    - firewall

roles/keycloak/tasks/restart_keycloak.yml

@@ -2,11 +2,12 @@
 - name: "Restart and enable {{ keycloak.service_name }} service"
   ansible.builtin.systemd:
     name: keycloak
-    enabled: yes
+    enabled: true
     state: restarted
-  become: yes
+    daemon_reload: true
+  become: true
   delegate_to: "{{ ansible_play_hosts | first }}"
-  run_once: True
+  run_once: true
 
 - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
   ansible.builtin.uri:
@@ -14,14 +15,14 @@
   register: keycloak_status
   until: keycloak_status.status == 200
   delegate_to: "{{ ansible_play_hosts | first }}"
-  run_once: True
+  run_once: true
   retries: "{{ keycloak_service_start_retries }}"
   delay: "{{ keycloak_service_start_delay }}"
 
 - name: "Restart and enable {{ keycloak.service_name }} service"
   ansible.builtin.systemd:
     name: keycloak
-    enabled: yes
+    enabled: true
     state: restarted
-  become: yes
+  become: true
   when: inventory_hostname != ansible_play_hosts | first

roles/keycloak/tasks/rhsso_patch.yml

@@ -12,11 +12,11 @@
     path: "{{ patch_archive }}"
   register: patch_archive_path
   when: sso_patch_version is defined
-  become: yes
+  become: true
 
 - name: Perform patch download from RHN via JBossNetwork API
   delegate_to: localhost
-  run_once: yes
+  run_once: true
   when:
     - sso_enable is defined and sso_enable
     - not keycloak_offline_install
@@ -32,21 +32,23 @@
       register: rhn_products
       no_log: "{{ omit_rhn_output | default(true) }}"
       delegate_to: localhost
-      run_once: yes
+      run_once: true
 
     - name: Determine patch versions list
-      set_fact:
+      ansible.builtin.set_fact:
-        filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | map('regex_replace','[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*)-.*','\\1' ) | list | unique }}"
+        filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | \
+                               select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | \
+                               map('regex_replace', '[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*(-[0-9])?)-.*', '\\1') | list | unique }}"
       when: sso_patch_version is not defined or sso_patch_version | length == 0
       delegate_to: localhost
-      run_once: yes
+      run_once: true
 
     - name: Determine latest version
-      set_fact:
+      ansible.builtin.set_fact:
-         sso_latest_version: "{{ filtered_versions | middleware_automation.keycloak.version_sort | last }}"
+        sso_latest_version: "{{ filtered_versions | middleware_automation.common.version_sort | last }}"
       when: sso_patch_version is not defined or sso_patch_version | length == 0
       delegate_to: localhost
-      run_once: yes
+      run_once: true
 
     - name: Determine install zipfile from search results
       ansible.builtin.set_fact:
@@ -55,26 +57,26 @@
         patch_version: "{{ sso_latest_version }}"
       when: sso_patch_version is not defined or sso_patch_version | length == 0
       delegate_to: localhost
-      run_once: yes
+      run_once: true
 
     - name: "Determine selected patch from supplied version: {{ sso_patch_version }}"
-      set_fact:
+      ansible.builtin.set_fact:
         rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/' + sso_patch_bundle + '$') }}"
         patch_bundle: "{{ sso_patch_bundle }}"
         patch_version: "{{ sso_patch_version }}"
       when: sso_patch_version is defined
       delegate_to: localhost
-      run_once: yes
+      run_once: true
 
     - name: Download Red Hat Single Sign-On patch
       middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
         client_id: "{{ rhn_username }}"
         client_secret: "{{ rhn_password }}"
-        product_id: "{{ (rhn_filtered_products | first).id }}"
+        product_id: "{{ (rhn_filtered_products | sort | last).id }}"
         dest: "{{ local_path.stat.path }}/{{ patch_bundle }}"
       no_log: "{{ omit_rhn_output | default(true) }}"
       delegate_to: localhost
-      run_once: yes
+      run_once: true
 
 - name: Set download patch archive path
   ansible.builtin.set_fact:
@@ -84,7 +86,7 @@
   ansible.builtin.stat:
     path: "{{ patch_archive }}"
   register: patch_archive_path
-  become: yes
+  become: true
 
 ## copy and unpack
 - name: Copy patch archive to target nodes
@@ -93,13 +95,13 @@
     dest: "{{ patch_archive }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
-    mode: 0640
+    mode: '0640'
   register: new_version_downloaded
   when:
     - not patch_archive_path.stat.exists
     - local_archive_path.stat is defined
     - local_archive_path.stat.exists
-  become: yes
+  become: true
 
 - name: "Check installed patches"
   ansible.builtin.include_tasks: rhsso_cli.yml
@@ -107,14 +109,14 @@
     query: "patch info"
   args:
     apply:
-      become: yes
+      become: true
       become_user: "{{ keycloak_service_user }}"
 
 - name: "Perform patching"
   when:
     - cli_result is defined
     - cli_result.stdout is defined
-    - patch_version not in cli_result.stdout
+    - patch_version | regex_replace('-[0-9]$', '') not in cli_result.stdout
   block:
     - name: "Apply patch {{ patch_version }} to server"
       ansible.builtin.include_tasks: rhsso_cli.yml
@@ -122,7 +124,7 @@
         query: "patch apply {{ patch_archive }}"
       args:
         apply:
-          become: yes
+          become: true
           become_user: "{{ keycloak_service_user }}"
 
     - name: "Restart server to ensure patch content is running"
@@ -133,7 +135,7 @@
         - cli_result.rc == 0
       args:
         apply:
-            become: yes
+          become: true
           become_user: "{{ keycloak_service_user }}"
 
     - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
@@ -150,7 +152,7 @@
         query: "patch info"
       args:
         apply:
-            become: yes
+          become: true
           become_user: "{{ keycloak_service_user }}"
 
     - name: "Verify installed patch version"

roles/keycloak/tasks/start_keycloak.yml

@@ -2,9 +2,10 @@
 - name: "Start {{ keycloak.service_name }} service"
   ansible.builtin.systemd:
     name: keycloak
-    enabled: yes
+    enabled: true
     state: started
-  become: yes
+    daemon_reload: true
+  become: true
 
 - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
   ansible.builtin.uri:

roles/keycloak/tasks/stop_keycloak.yml

@@ -2,6 +2,6 @@
 - name: "Stop {{ keycloak.service_name }}"
   ansible.builtin.systemd:
     name: keycloak
-    enabled: yes
+    enabled: true
     state: stopped
-  become: yes
+  become: true

roles/keycloak/tasks/systemd.yml

@@ -1,34 +1,23 @@
 ---
 - name: "Configure {{ keycloak.service_name }} service script wrapper"
-  become: yes
+  become: true
   ansible.builtin.template:
     src: keycloak-service.sh.j2
     dest: "{{ keycloak_dest }}/keycloak-service.sh"
     owner: root
     group: root
-    mode: 0755
+    mode: '0755'
   notify:
     - restart keycloak
 
-- name: Determine JAVA_HOME for selected JVM RPM  # noqa blocked_modules
-  ansible.builtin.shell: |
-    set -o pipefail
-    rpm -ql {{ keycloak_jvm_package }} | grep -Po '/usr/lib/jvm/.*(?=/bin/java$)'
-  args:
-    executable: /bin/bash
-  changed_when: False
-  register: rpm_java_home
-
 - name: "Configure sysconfig file for {{ keycloak.service_name }} service"
-  become: yes
+  become: true
   ansible.builtin.template:
     src: keycloak-sysconfig.j2
-    dest: /etc/sysconfig/keycloak
+    dest: "{{ keycloak_sysconf_file }}"
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
-  vars:
-    keycloak_rpm_java_home: "{{ rpm_java_home.stdout }}"
   notify:
     - restart keycloak
 
@@ -38,21 +27,15 @@
     dest: /etc/systemd/system/keycloak.service
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
-  become: yes
+  become: true
   register: systemdunit
   notify:
     - restart keycloak
 
-- name: Reload systemd
-  become: yes
-  ansible.builtin.systemd:
-    daemon_reload: yes
-  when: systemdunit.changed
-
 - name: "Start and wait for {{ keycloak.service_name }} service (first node db)"
   ansible.builtin.include_tasks: start_keycloak.yml
-  run_once: yes
+  run_once: true
   when: keycloak_db_enabled
 
 - name: "Start and wait for {{ keycloak.service_name }} service (remaining nodes)"
@@ -61,7 +44,7 @@
 - name: Check service status
   ansible.builtin.command: "systemctl status keycloak"
   register: keycloak_service_status
-  changed_when: False
+  changed_when: false
 
 - name: Verify service status
   ansible.builtin.assert:

roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2

@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
@@ -737,7 +737,7 @@
             <inet-address value="{{ keycloak_bind_address }}"/>
         </interface>
     </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
         <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
         <socket-binding name="http" port="{{ keycloak_http_port }}"/>
         <socket-binding name="https" port="{{ keycloak_https_port }}"/>

roles/keycloak/templates/15.0.8/standalone.xml.j2

@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
@@ -638,7 +638,7 @@
             <inet-address value="{{ keycloak_bind_address }}"/>
         </interface>
     </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
         <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
         <socket-binding name="http" port="{{ keycloak_http_port }}"/>
         <socket-binding name="https" port="{{ keycloak_https_port }}"/>

roles/keycloak/templates/9.0.2/standalone-infinispan.xml.j2

@@ -734,7 +734,7 @@
             <inet-address value="${jboss.bind.address:127.0.0.1}"/>
         </interface>
     </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
         <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
         <socket-binding name="http" port="${jboss.http.port:8080}"/>
         <socket-binding name="https" port="${jboss.https.port:8443}"/>

roles/keycloak/templates/9.0.2/standalone.xml.j2

@@ -598,7 +598,7 @@
             <inet-address value="${jboss.bind.address:127.0.0.1}"/>
         </interface>
     </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
         <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
         <socket-binding name="http" port="${jboss.http.port:8080}"/>
         <socket-binding name="https" port="${jboss.https.port:8443}"/>

roles/keycloak/templates/keycloak-profile.properties.j2

@@ -0,0 +1,3 @@
+{% for feature in keycloak.features %}
+feature.{{ feature.name }}={{ feature.status | default('enabled') }}
+{% endfor %}

roles/keycloak/templates/keycloak-service.sh.j2

@@ -1,5 +1,5 @@
 #!/bin/bash -eu
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 
 set +u -o pipefail
 

roles/keycloak/templates/keycloak-sysconfig.j2

@@ -1,6 +1,6 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 JAVA_OPTS='{{ keycloak_java_opts }}'
-JAVA_HOME={{ keycloak_java_home  | default(keycloak_rpm_java_home, true) }}
+JAVA_HOME={{ keycloak_java_home | default(keycloak_pkg_java_home, true) }}
 JBOSS_HOME={{ keycloak.home }}
 KEYCLOAK_BIND_ADDRESS={{ keycloak_bind_address }}
 KEYCLOAK_HTTP_PORT={{ keycloak_http_port }}
@@ -8,4 +8,12 @@ KEYCLOAK_HTTPS_PORT={{ keycloak_https_port }}
 KEYCLOAK_MANAGEMENT_HTTP_PORT={{ keycloak_management_http_port }}
 KEYCLOAK_MANAGEMENT_HTTPS_PORT={{ keycloak_management_https_port }}
 JBOSS_PIDFILE='{{ keycloak_service_pidfile }}'
-LAUNCH_JBOSS_IN_BACKGROUND=1
+
+WILDFLY_OPTS=-Djboss.bind.address=${KEYCLOAK_BIND_ADDRESS} \
+        -Djboss.http.port=${KEYCLOAK_HTTP_PORT} \
+        -Djboss.https.port=${KEYCLOAK_HTTPS_PORT} \
+        -Djboss.management.http.port=${KEYCLOAK_MANAGEMENT_HTTP_PORT} \
+        -Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \
+        -Djboss.node.name={{ inventory_hostname }} \
+      {% if keycloak_prefer_ipv4 %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\
+      {% if keycloak_config_standalone_xml is defined %}--server-config={{ keycloak_config_standalone_xml }}{% endif %}

roles/keycloak/templates/keycloak.service.j2

@@ -1,17 +1,29 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 [Unit]
 Description={{ keycloak.service_name }} Server
 After=network.target
+StartLimitIntervalSec={{ keycloak_service_startlimitintervalsec }}
+StartLimitBurst={{ keycloak_service_startlimitburst }}
+
 
 [Service]
-Type=forking
+{% if keycloak_service_runas %}
-EnvironmentFile=-/etc/sysconfig/keycloak
+User={{ keycloak_service_user }}
+Group={{ keycloak_service_group }}
+{% endif -%}
+EnvironmentFile=-{{ keycloak_sysconf_file }}
 PIDFile={{ keycloak_service_pidfile }}
-ExecStart={{ keycloak_dest }}/keycloak-service.sh start
+ExecStart={{ keycloak.home }}/bin/standalone.sh $WILDFLY_OPTS
-ExecStop={{ keycloak_dest }}/keycloak-service.sh stop
+WorkingDirectory={{ keycloak.home }}
 TimeoutStartSec=30
 TimeoutStopSec=30
 LimitNOFILE=102642
+{% if keycloak_service_restart_always %}
+Restart=always
+{% elif keycloak_service_restart_on_failure %}
+Restart=on-failure
+{% endif %}
+RestartSec={{ keycloak_service_restartsec }}
 
 [Install]
 WantedBy=multi-user.target

roles/keycloak/templates/standalone-ha.xml.j2

@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
@@ -136,6 +136,14 @@
                         <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
                         <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
                     </security>
+                    <validation>
+                        <check-valid-connection-sql>{{ keycloak_jdbc[keycloak_jdbc_engine].validate_query }}</check-valid-connection-sql>
+                        <validate-on-match>{{ keycloak_db_background_validate_on_match }}</validate-on-match>
+{% if keycloak_db_background_validation_millis | int > 0 or keycloak_db_background_validation %}
+                        <background-validation>{{ keycloak_db_background_validation }}</background-validation>
+                        <background-validation-millis>{{ keycloak_db_background_validation_millis }}</background-validation-millis>
+{% endif %}
+                    </validation>
 {% else %}
                     <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
                     <driver>h2</driver>
@@ -573,7 +581,10 @@
                 <provider name="default" enabled="true">
                     <properties>
                         <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="{{ keycloak_modcluster.force_frontend_url }}"/>
+{% if keycloak_modcluster.admin_url | length > 0 %}
+                        <property name="adminUrl" value="{{ keycloak_modcluster.admin_url }}" />
+{% endif %}
                     </properties>
                 </provider>
             </spi>
@@ -651,7 +662,9 @@
             <inet-address value="{{ keycloak_management_port_bind_address }}"/>
         </interface>
         <interface name="jgroups">
-{% if ansible_default_ipv4 is defined %}
+{% if keycloak_jgroups_subnet is defined and keycloak_jgroups_subnet is not none and keycloak_jgroups_subnet | string | length > 0 %}
+            <subnet-match value="{{ keycloak_jgroups_subnet | string }}"/>
+{% elif ansible_default_ipv4 is defined and (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') | length > 0 %}
             <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
 {% else %}
             <any-address />
@@ -661,7 +674,7 @@
             <inet-address value="{{ keycloak_bind_address }}"/>
         </interface>
     </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
         <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
         <socket-binding name="http" port="{{ keycloak_http_port }}"/>
         <socket-binding name="https" port="{{ keycloak_https_port }}"/>

roles/keycloak/templates/standalone-infinispan.xml.j2

@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
@@ -136,6 +136,14 @@
                         <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
                         <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
                     </security>
+                    <validation>
+                        <check-valid-connection-sql>{{ keycloak_jdbc[keycloak_jdbc_engine].validate_query }}</check-valid-connection-sql>
+                        <validate-on-match>{{ keycloak_db_background_validate_on_match }}</validate-on-match>
+{% if keycloak_db_background_validation_millis | int > 0 or keycloak_db_background_validation %}
+                        <background-validation>{{ keycloak_db_background_validation }}</background-validation>
+                        <background-validation-millis>{{ keycloak_db_background_validation_millis }}</background-validation-millis>
+{% endif %}
+                    </validation>
 {% else %}
                     <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
                     <driver>h2</driver>
@@ -611,7 +619,10 @@
                 <provider name="default" enabled="true">
                     <properties>
                         <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="{{ keycloak_modcluster.force_frontend_url }}"/>
+{% if keycloak_modcluster.admin_url | length > 0 %}
+                        <property name="adminUrl" value="{{ keycloak_modcluster.admin_url }}" />
+{% endif %}
                     </properties>
                 </provider>
             </spi>
@@ -689,7 +700,9 @@
             <inet-address value="{{ keycloak_management_port_bind_address }}"/>
         </interface>
         <interface name="jgroups">
-{% if ansible_default_ipv4 is defined %}
+{% if keycloak_jgroups_subnet is defined and keycloak_jgroups_subnet is not none and keycloak_jgroups_subnet | string | length > 0 %}
+            <subnet-match value="{{ keycloak_jgroups_subnet | string }}"/>
+{% elif ansible_default_ipv4 is defined and (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') | length > 0 %}
             <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
 {% else %}
             <any-address />
@@ -699,7 +712,7 @@
             <inet-address value="{{ keycloak_bind_address }}"/>
         </interface>
     </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
         <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
         <socket-binding name="http" port="{{ keycloak_http_port }}"/>
         <socket-binding name="https" port="{{ keycloak_https_port }}"/>

roles/keycloak/templates/standalone.xml.j2

@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
@@ -123,6 +123,14 @@
                         <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
                         <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
                     </security>
+                    <validation>
+                        <check-valid-connection-sql>{{ keycloak_jdbc[keycloak_jdbc_engine].validate_query }}</check-valid-connection-sql>
+                        <validate-on-match>{{ keycloak_db_background_validate_on_match }}</validate-on-match>
+{% if keycloak_db_background_validation_millis | int > 0 or keycloak_db_background_validation %}
+                        <background-validation>{{ keycloak_db_background_validation }}</background-validation>
+                        <background-validation-millis>{{ keycloak_db_background_validation_millis }}</background-validation-millis>
+{% endif %}
+                    </validation>
 {% else %}
                     <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
                     <driver>h2</driver>
@@ -517,7 +525,10 @@
                 <provider name="default" enabled="true">
                     <properties>
                         <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="{{ keycloak_modcluster.force_frontend_url }}"/>
+{% if keycloak_modcluster.admin_url | length > 0 %}
+                        <property name="adminUrl" value="{{ keycloak_modcluster.admin_url }}" />
+{% endif %}
                     </properties>
                 </provider>
             </spi>
@@ -593,7 +604,7 @@
             <inet-address value="{{ keycloak_bind_address }}"/>
         </interface>
     </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
         <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
         <socket-binding name="http" port="{{ keycloak_http_port }}"/>
         <socket-binding name="https" port="{{ keycloak_https_port }}"/>

roles/keycloak/vars/debian.yml

@@ -0,0 +1,12 @@
+---
+keycloak_varjvm_package: "{{ keycloak_jvm_package | default('openjdk-11-jdk-headless') }}"
+keycloak_prereq_package_list:
+      - "{{ keycloak_varjvm_package }}"
+      - unzip
+      - procps
+      - apt
+      - tzdata
+keycloak_configure_iptables: true
+keycloak_sysconf_file: /etc/default/keycloak
+keycloak_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_varjvm_package | \
+                         regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"

roles/keycloak/vars/main.yml

@@ -2,8 +2,8 @@
 # internal variables below
 
 # locations
-keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
+keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
-keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
+keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"
 
 
 keycloak:
@@ -13,7 +13,9 @@ keycloak:
   service_name: "{{ keycloak_service_name }}"
   health_url: "{{ keycloak_management_url }}/health"
   cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh"
-  config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 else 'standalone-ha.xml.j2' if keycloak_remote_cache_enabled else 'standalone.xml.j2' }}"
+  config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 \
+                              else 'standalone-ha.xml.j2' if keycloak_remote_cache_enabled else 'standalone.xml.j2' }}"
+  features: "{{ keycloak_features }}"
 
 # database
 keycloak_jdbc:
@@ -25,10 +27,12 @@ keycloak_jdbc:
     driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/postgresql/main"
     driver_version: "{{ keycloak_jdbc_driver_version }}"
     driver_jar_filename: "postgresql-{{ keycloak_jdbc_driver_version }}.jar"
-    driver_jar_url: "https://repo.maven.apache.org/maven2/org/postgresql/postgresql/{{ keycloak_jdbc_driver_version }}/postgresql-{{ keycloak_jdbc_driver_version }}.jar"
+    driver_jar_url: >
+      {{ keycloak_maven_central }}org/postgresql/postgresql/{{ keycloak_jdbc_driver_version }}/postgresql-{{ keycloak_jdbc_driver_version }}.jar
     connection_url: "{{ keycloak_jdbc_url }}"
     db_user: "{{ keycloak_db_user }}"
     db_password: "{{ keycloak_db_pass }}"
+    validate_query: "{{ keycloak_db_valid_conn_sql | default('select 1') }}"
     initialize_db: >
       CREATE TABLE IF NOT EXISTS JGROUPSPING (
         own_addr varchar(200) NOT NULL,
@@ -39,15 +43,17 @@ keycloak_jdbc:
   mariadb:
     enabled: "{{ (keycloak_ha_enabled or keycloak_db_enabled) and keycloak_jdbc_engine == 'mariadb' }}"
     driver_class: org.mariadb.jdbc.Driver
-    xa_datasource_class: org.mariadb.jdbc.MySQLDataSource
+    xa_datasource_class: org.mariadb.jdbc.MariaDbDataSource
     driver_module_name: "org.mariadb"
     driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/mariadb/main"
     driver_version: "{{ keycloak_jdbc_driver_version }}"
     driver_jar_filename: "mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar"
-    driver_jar_url: "https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/{{ keycloak_jdbc_driver_version }}/mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar"
+    driver_jar_url: >
+      {{ keycloak_maven_central }}org/mariadb/jdbc/mariadb-java-client/{{ keycloak_jdbc_driver_version }}/mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar
     connection_url: "{{ keycloak_jdbc_url }}"
     db_user: "{{ keycloak_db_user }}"
     db_password: "{{ keycloak_db_pass }}"
+    validate_query: "{{ keycloak_db_valid_conn_sql | default('select 1') }}"
     initialize_db: >
       CREATE TABLE IF NOT EXISTS JGROUPSPING (
         own_addr varchar(200) NOT NULL,
@@ -64,10 +70,12 @@ keycloak_jdbc:
     driver_module_dir: "{{ keycloak_jboss_home }}/modules/com/microsoft/sqlserver/main"
     driver_version: "{{ keycloak_jdbc_driver_version }}"
     driver_jar_filename: "mssql-java-client-{{ keycloak_jdbc_driver_version }}.jar"
-    driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/{{ keycloak_jdbc_driver_version }}.jre11/mssql-jdbc-{{ keycloak_jdbc_driver_version }}.jre11.jar" # e.g., https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar
+    driver_jar_url: >
+      {{ keycloak_maven_central }}com/microsoft/sqlserver/mssql-jdbc/{{ keycloak_jdbc_driver_version }}.jre11/mssql-jdbc-{{ keycloak_jdbc_driver_version }}.jre11.jar
     connection_url: "{{ keycloak_jdbc_url }}"
     db_user: "{{ keycloak_db_user }}"
     db_password: "{{ keycloak_db_pass }}"
+    validate_query: "{{ keycloak_db_valid_conn_sql | default('select 1') }}"
     initialize_db: >
       IF  NOT EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[JGROUPSPING]') AND type in (N'U'))
       BEGIN
@@ -84,6 +92,8 @@ keycloak_modcluster:
   enabled: "{{ keycloak_ha_enabled or keycloak_modcluster_enabled }}"
   reverse_proxy_urls: "{{ keycloak_modcluster_urls }}"
   frontend_url: "{{ keycloak_frontend_url }}"
+  force_frontend_url: "{{ keycloak_frontend_url_force }}"
+  admin_url: "{{ keycloak_admin_url | default('') }}"
 
 # infinispan
 keycloak_remotecache:
@@ -96,3 +106,5 @@ keycloak_remotecache:
   use_ssl: "{{ keycloak_infinispan_use_ssl }}"
   trust_store_path: "{{ keycloak_infinispan_trust_store_path }}"
   trust_store_password: "{{ keycloak_infinispan_trust_store_password }}"
+
+keycloak_maven_central: https://repo1.maven.org/maven2/

roles/keycloak/vars/redhat.yml

@@ -0,0 +1,10 @@
+---
+keycloak_varjvm_package: "{{ keycloak_jvm_package | default('java-1.8.0-openjdk-headless') }}"
+keycloak_prereq_package_list:
+      - "{{ keycloak_varjvm_package }}"
+      - unzip
+      - procps-ng
+      - initscripts
+      - tzdata-java
+keycloak_sysconf_file: /etc/sysconfig/keycloak
+keycloak_pkg_java_home: "/etc/alternatives/jre_{{ keycloak_varjvm_package | regex_search('(?<=java-)[0-9.]+') }}"

roles/keycloak_quarkus/README.md

@@ -1,83 +1,147 @@
 keycloak_quarkus
 ================
 
-Install [keycloak](https://keycloak.org/) >= 17.0.0 (quarkus) server configurations.
+Install [keycloak](https://keycloak.org/) >= 20.0.0 (quarkus) server configurations.
 
 
+Requirements
+------------
+
+This role requires the `python3-netaddr` and `lxml` library installed on the controller node.
+
+* to install via yum/dnf: `dnf install python3-netaddr python3-lxml`
+* to install via apt: `apt install python3-netaddr python3-lxml`
+* or via the collection: `pip install -r requirements.txt`
+
+
+Dependencies
+------------
+
+The roles depends on:
+
+* [middleware_automation.common](https://github.com/ansible-middleware/common)
+* [ansible-posix](https://docs.ansible.com/ansible/latest/collections/ansible/posix/index.html)
+
+To install all the dependencies via galaxy:
+
+    ansible-galaxy collection install -r requirements.yml
+
 Role Defaults
 -------------
 
-* Installation options
+#### Installation options
 
 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_version`| keycloak.org package version | `17.0.1` |
+|`keycloak_quarkus_version`| keycloak.org package version | `24.0.4` |
+|`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
+|`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
+|`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
 
 
-* Service configuration
+#### Service configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_admin_user`| Administration console user account | `admin` |
+|`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` |
+|`keycloak_quarkus_host`| Hostname for the Keycloak server | `localhost` |
+|`keycloak_quarkus_port`| The port used by the proxy when exposing the hostname | `-1` |
+|`keycloak_quarkus_path`| This should be set if proxy uses a different context-path for Keycloak | |
+|`keycloak_quarkus_http_port`| HTTP listening port | `8080` |
+|`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` |
+|`keycloak_quarkus_ajp_port`| AJP port | `8009` |
+|`keycloak_quarkus_service_user`| Posix account username | `keycloak` |
+|`keycloak_quarkus_service_group`| Posix account group | `keycloak` |
+|`keycloak_quarkus_service_restart_always`| systemd restart always behavior activation | `False` |
+|`keycloak_quarkus_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` |
+|`keycloak_quarkus_service_restartsec`| systemd RestartSec | `10s` |
+|`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-17-openjdk-headless` |
+|`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
+|`keycloak_quarkus_java_heap_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` |
+|`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak |
+|`keycloak_quarkus_java_opts`| JVM arguments; if overridden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` |
+|`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file | `[]` |
+|`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | |
+|`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
+|`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
+|`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
+|`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically | `realms/master/.well-known/openid-configuration` |
+|`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
+|`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` |
+|`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` |
+|`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `/etc/pki/tls/private/server.key.pem` |
+|`keycloak_quarkus_cert_file_copy_enabled`| Enable copy of cert file to target host | `False`|
+|`keycloak_quarkus_cert_file_src`| Set the source file path | `""` |
+|`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `/etc/pki/tls/certs/server.crt.pem` |
+|`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` |
+|`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. ||
+|`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.||
+|`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` |
+|`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` |
+|`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` |
+|`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
+|`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` |
+|`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwarded`) | `""` |
+|`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty  | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_keystore_password != ''`, else `''` |
+|`keycloak_quarkus_config_key_store_password`| Password of the configuration keystore; if non-empty, `keycloak_quarkus_db_pass` will be saved to the keystore at `keycloak_quarkus_config_key_store_file` instead of being written to the configuration file in clear text | `""` |
+|`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
+|`keycloak_quarkus_configure_iptables` | Ensure iptables is configured for keycloak ports | `False` |
+
+
+#### High-availability
 
 | Variable | Description | Default |
 |:---------|:------------|:--------|
 |`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
+|`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `TCPPING` |
 |`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` |
-|`keycloak_quarkus_admin_user`| Administration console user account | `admin` |
+|`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` |
-|`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` |
+|`keycloak_quarkus_systemd_wait_for_port` | Whether systemd unit should wait for keycloak port before returning | `{{ keycloak_quarkus_ha_enabled }}` |
-|`keycloak_quarkus_host`| hostname | `localhost` |
+|`keycloak_quarkus_systemd_wait_for_log` | Whether systemd unit should wait for service to be up in logs | `false` |
-|`keycloak_quarkus_http_port`| HTTP port | `8080` |
+|`keycloak_quarkus_systemd_wait_for_timeout`| How long to wait for service to be alive (seconds) | `60` |
-|`keycloak_quarkus_https_port`| TLS HTTP port | `8443` |
+|`keycloak_quarkus_systemd_wait_for_delay`| Activation delay for service systemd unit (seconds) | `10` |
-|`keycloak_quarkus_ajp_port`| AJP port | `8009` |
+|`keycloak_quarkus_restart_strategy`| Strategy task file for restarting in HA (one of provided restart/['serial.yml','none.yml','serial_then_parallel.yml']) or path to file when providing custom strategy | `restart/serial.yml` |
-|`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7600` |
+|`keycloak_quarkus_restart_health_check`| Whether to wait for successful health check after restart | `{{ keycloak_quarkus_ha_enabled }}` |
-|`keycloak_quarkus_service_user`| Posix account username | `keycloak` |
+|`keycloak_quarkus_restart_health_check_delay`| Seconds to let pass before starting healch checks | `10` |
-|`keycloak_quarkus_service_group`| Posix account group | `keycloak` |
+|`keycloak_quarkus_restart_health_check_reries`| Number of attempts for successful health check before failing | `25` |
-|`keycloak_quarkus_service_pidfile`| Pid file path for service | `/run/keycloak.pid` |
+|`keycloak_quarkus_restart_pause`| Seconds to wait between restarts in HA strategy | `15` |
-|`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-11-openjdk-headless` |
-|`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
-|`keycloak_quarkus_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
-|`keycloak_quarkus_frontend_url`| Service public URL | `http://localhost:8080/auth` |
-|`keycloak_quarkus_http_relative_path` | Service context path | `auth` |
-|`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
-|`keycloak_quarkus_https_enabled`| Enable listener on HTTPS port | `False` |
-|`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `{{ keycloak.home }}/conf/server.key.pem` |
-|`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `{{ keycloak.home }}/conf/server.crt.pem` |
 
 
-* Database configuration
+#### Hostname configuration
 
 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_jdbc_engine` | Database engine [mariadb,postres] | `postgres` |
+|`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` |
+|`keycloak_quarkus_hostname_strict`| Disables dynamically resolving the hostname from request headers | `true` |
+|`keycloak_quarkus_hostname_strict_backchannel`| By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled. | `false` |
+
+
+#### Database configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_jdbc_engine` | Database engine [mariadb,postres,mssql] | `postgres` |
 |`keycloak_quarkus_db_user` | User for database connection | `keycloak-user` |
 |`keycloak_quarkus_db_pass` | Password for database connection | `keycloak-pass` |
 |`keycloak_quarkus_jdbc_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` |
 |`keycloak_quarkus_jdbc_driver_version` | Version for JDBC driver | `9.4.1212` |
 
 
-* Remote caches configuration
+#### Remote caches configuration
 
 | Variable | Description | Default |
 |:---------|:------------|:--------|
 |`keycloak_quarkus_ispn_user` | Username for connecting to infinispan | `supervisor` |
 |`keycloak_quarkus_ispn_pass` | Password for connecting to infinispan | `supervisor` |
-|`keycloak_quarkus_ispn_url` | URL for connecting to infinispan | `localhost` |
+|`keycloak_quarkus_ispn_hosts` | host name/port for connecting to infinispan, eg. host1:11222;host2:11222 | `localhost:11222` |
 |`keycloak_quarkus_ispn_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` |
 |`keycloak_quarkus_ispn_use_ssl` | Whether infinispan uses TLS connection | `false` |
 |`keycloak_quarkus_ispn_trust_store_path` | Path to infinispan server trust certificate | `/etc/pki/java/cacerts` |
 |`keycloak_quarkus_ispn_trust_store_password` | Password for infinispan certificate keystore | `changeit` |
 
 
-* Install options
+#### Miscellaneous configuration
-
-| Variable | Description | Default |
-|:---------|:------------|:---------|
-|`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
-|`keycloak_quarkus_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`| 
-|`keycloak_quarkus_version`| keycloak.org package version | `17.0.1` |
-|`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
-|`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
-|`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
-
-
-* Miscellaneous configuration
 
 | Variable | Description | Default |
 |:---------|:------------|:--------|
@@ -91,14 +155,84 @@ Role Defaults
 |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
 |`keycloak_force_install` | Remove pre-existing versions of service | `False` |
 |`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_http_port }}` |
-|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_management_http_port }}` |
 |`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` |
 |`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` |
 |`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` |
 |`keycloak_quarkus_log_format`| Set a format specific to file log entries | `%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n` |
+|`keycloak_quarkus_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` |
+|`keycloak_quarkus_log_max_file_size`| Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): `[0-9]+[KkMmGgTtPpEeZzYy]?`. If no suffix is given, assume bytes. | `10M` |
+|`keycloak_quarkus_log_max_backup_index`| Set the maximum number of archived log files to keep" | `10` |
+|`keycloak_quarkus_log_file_suffix`| Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with `.zip` or `.gz`, the rotation file will also be compressed. | `.yyyy-MM-dd.zip` |
 |`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` |
 |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` |
 |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` |
+|`keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route`| If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy | `True` |
+
+
+#### Vault SPI
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_ks_vault_enabled`| Whether to enable the vault SPI | `false` |
+|`keycloak_quarkus_ks_vault_file`| The keystore path for the vault SPI | `{{ keycloak_quarkus_config_dir }}/keystore.p12` |
+|`keycloak_quarkus_ks_vault_type`| Type of the keystore used for the vault SPI | `PKCS12` |
+
+
+#### Configuring providers
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_providers`| List of provider definitions; see below | `[]` |
+
+Providers support different sources:
+
+* `url`: http download for providers not requiring authentication
+* `maven`: maven download for providers hosted publicly on Apache Maven Central or private Maven repositories like Github Maven requiring authentication
+* `local_path`: static providers to be uploaded
+
+Provider definition:
+
+```yaml
+keycloak_quarkus_providers:
+  - id: http-client                         # required; "{{ id }}.jar" identifies the file name on RHBK
+    spi: connections                        # required if neither url, local_path nor maven are specified; required for setting properties
+    default: true                           # optional, whether to set default for spi, default false
+    restart: true                           # optional, whether to restart, default true
+    url: https://.../.../custom_spi.jar     # optional, url for download via http
+    local_path: my_theme_spi.jar            # optional, path on local controller for SPI to be uploaded
+    maven:                                  # optional, for download using maven
+      repository_url: https://maven.pkg.github.com/OWNER/REPOSITORY # optional, maven repo url
+      group_id:  my.group                   # optional, maven group id
+      artifact_id: artifact                 # optional, maven artifact id
+      version: 24.0.4                       # optional, defaults to latest
+      username:  user                       # optional, cf. https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry#authenticating-to-github-packages
+      password: pat                         # optional, provide a PAT for accessing Github's Apache Maven registry
+    properties:                             # optional, list of key-values
+      - key: default-connection-pool-size
+        value: 10
+```
+
+the definition above will generate the following build command:
+
+```
+bin/kc.sh build --spi-connections-provider=http-client --spi-connections-http-client-default-connection-pool-size=10
+```
+
+
+#### Configuring policies
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_policies`| List of policy definitions; see below | `[]` |
+
+Provider definition:
+
+```yaml
+keycloak_quarkus_policies:
+  - name: xato-net-10-million-passwords.txt                                                                # required, resulting file name
+    url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt # required, url for download
+    type: password-blacklists                                                                              # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`]
+```
 
 
 Role Variables
@@ -107,7 +241,28 @@ Role Variables
 | Variable | Description | Required |
 |:---------|:------------|----------|
 |`keycloak_quarkus_admin_pass`| Password of console admin account | `yes` |
+|`keycloak_quarkus_frontend_url`| Base URL for frontend URLs, including scheme, host, port and path | `no` |
+|`keycloak_quarkus_admin_url`| Base URL for accessing the administration console, including scheme, host, port and path | `no` |
+|`keycloak_quarkus_ks_vault_pass`| The password for accessing the keystore vault SPI | `no` |
+|`keycloak_quarkus_alternate_download_url`| Alternate location with optional authentication for downloading RHBK | `no` |
+|`keycloak_quarkus_download_user`| Optional username for http authentication  | `no*` |
+|`keycloak_quarkus_download_pass`| Optional password for http authentication | `no*` |
+|`keycloak_quarkus_download_validate_certs`| Whether to validate certs for URL `keycloak_quarkus_alternate_download_url` | `no` |
+|`keycloak_quarkus_jdbc_download_user`| Optional username for http authentication | `no*` |
+|`keycloak_quarkus_jdbc_download_pass`| Optional password for http authentication | `no*` |
+|`keycloak_quarkus_jdbc_download_validate_certs`| Whether to validate certs for URL `keycloak_quarkus_download_validate_certs` | `no` |
 
+`*` username/password authentication credentials must be both declared or both undefined
+
+
+Role custom facts
+-----------------
+
+The role uses the following [custom facts](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html#adding-custom-facts) found in `/etc/ansible/facts.d/keycloak.fact` (and thus identified by the `ansible_local.keycloak.` prefix):
+
+| Variable | Description |
+|:---------|:------------|
+|`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_admin_user[_pass]` gets created |
 
 License
 -------