Update changelog for release 1.2.7

add certified collection notice

.github/workflows/ci.yml

@@ -32,7 +32,7 @@ jobs:
       - name: Install yamllint, ansible and molecule
         run: |
           python -m pip install --upgrade pip
-          pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
+          pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint==6.17.0 voluptuous
           pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
 
       - name: Create default collection path

CHANGELOG.rst

@@ -6,6 +6,30 @@ middleware_automation.keycloak Release Notes
 
 This changelog describes changes after version 0.2.6.
 
+v1.2.7
+======
+
+Minor Changes
+-------------
+
+- Allow to override jgroups subnet `#93 <https://github.com/ansible-middleware/keycloak/pull/93>`_
+- keycloak-quarkus: update keycloakx to v21.1.1 `#92 <https://github.com/ansible-middleware/keycloak/pull/92>`_
+
+v1.2.6
+======
+
+Minor Changes
+-------------
+
+- Add profile features enabling/disabling `#87 <https://github.com/ansible-middleware/keycloak/pull/87>`_
+- Improve service restart behavior configuration `#88 <https://github.com/ansible-middleware/keycloak/pull/88>`_
+- Update default xa_datasource_class value for mariadb jdbc configuration `#89 <https://github.com/ansible-middleware/keycloak/pull/89>`_
+
+Bugfixes
+--------
+
+- Handle WFLYCTL0117 when background validation millis is 0 `#90 <https://github.com/ansible-middleware/keycloak/pull/90>`_
+
 v1.2.5
 ======
 

README.md

@@ -3,6 +3,8 @@
 <!--start build_status -->
 [![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
 
+If you are Red Hat customer, install `redhat.sso` from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.
+
 <!--end build_status -->
 Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on). 
 

changelogs/changelog.yaml

@@ -224,3 +224,39 @@ releases:
     - 85.yaml
     - 86.yaml
     release_date: '2023-05-26'
+  1.2.6:
+    changes:
+      bugfixes:
+      - 'Handle WFLYCTL0117 when background validation millis is 0 `#90 <https://github.com/ansible-middleware/keycloak/pull/90>`_
+
+        '
+      minor_changes:
+      - 'Add profile features enabling/disabling `#87 <https://github.com/ansible-middleware/keycloak/pull/87>`_
+
+        '
+      - 'Improve service restart behavior configuration `#88 <https://github.com/ansible-middleware/keycloak/pull/88>`_
+
+        '
+      - 'Update default xa_datasource_class value for mariadb jdbc configuration `#89
+        <https://github.com/ansible-middleware/keycloak/pull/89>`_
+
+        '
+    fragments:
+    - 87.yaml
+    - 88.yaml
+    - 89.yaml
+    - 90.yaml
+    release_date: '2023-06-07'
+  1.2.7:
+    changes:
+      minor_changes:
+      - 'Allow to override jgroups subnet `#93 <https://github.com/ansible-middleware/keycloak/pull/93>`_
+
+        '
+      - 'keycloak-quarkus: update keycloakx to v21.1.1 `#92 <https://github.com/ansible-middleware/keycloak/pull/92>`_
+
+        '
+    fragments:
+    - 92.yaml
+    - 93.yaml
+    release_date: '2023-06-19'

galaxy.yml

@@ -1,7 +1,7 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "1.2.5"
+version: "1.2.7"
 readme: README.md
 authors:
   - Romain Pelisse <rpelisse@redhat.com>

molecule/default/molecule.yml

@@ -34,6 +34,7 @@ provisioner:
         ansible_python_interpreter: "{{ ansible_playbook_python }}"
   env:
     ANSIBLE_FORCE_COLOR: "true"
+    ANSIBLE_VERBOSITY: 3
 verifier:
   name: ansible
 scenario:

molecule/quarkus/prepare.yml

@@ -30,13 +30,13 @@
     - name: Create conf directory # risky-file-permissions in test user account does not exist yet
       ansible.builtin.file:
         state: directory
-        path: /opt/keycloak/keycloak-18.0.0/conf/
+        path: /opt/keycloak/keycloak-21.1.1/conf/
         mode: 0755
 
     - name: Copy certificates
       ansible.builtin.copy:
         src: "{{ item }}"
-        dest: "/opt/keycloak/keycloak-18.0.0/conf/{{ item }}"
+        dest: "/opt/keycloak/keycloak-21.1.1/conf/{{ item }}"
         mode: 0444
       loop:
         - cert.pem

roles/keycloak/README.md

@@ -72,11 +72,13 @@ Role Defaults
 |`keycloak_config_standalone_xml`| filename for configuration | `keycloak.xml` |
 |`keycloak_service_user`| posix account username | `keycloak` |
 |`keycloak_service_group`| posix account group | `keycloak` |
-|`keycloak_service_restart_on_failure`| systemd restart-on-failure behavior activation |True
-|`keycloak_service_startlimitintervalsec`| systemd StartLimitIntervalSec | `300` if `keycloak_service_restart_on_failure` else `` |
-|`keycloak_service_startlimitburst`| systemd StartLimitBurst | `5` if `keycloak_service_restart_on_failure` else `` |
-|`keycloak_service_restartsec`| systemd RestartSec | `10s` if `keycloak_service_restart_on_failure` else `` |
+|`keycloak_service_restart_always`| systemd restart always behavior activation | `False`
+|`keycloak_service_restart_on_failure`| systemd restart on-failure behavior activation | `False`
+|`keycloak_service_startlimitintervalsec`| systemd StartLimitIntervalSec | `300` |
+|`keycloak_service_startlimitburst`| systemd StartLimitBurst | `5` |
+|`keycloak_service_restartsec`| systemd RestartSec | `10s` |
 |`keycloak_service_pidfile`| pid file path for service | `/run/keycloak.pid` |
+|`keycloak_features` | List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]` | `[]`
 |`keycloak_jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-headless` |
 |`keycloak_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path | `None` |
 |`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
@@ -163,7 +165,7 @@ The following variables are _optional_:
 |:---------|:------------|
 |`keycloak_db_valid_conn_sql` | Override the default database connection validation query sql |
 |`keycloak_admin_url` | Override the default administration endpoint URL |
-
+|`keycloak_jgroups_subnet`| Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration |
 
 Example Playbook
 -----------------

roles/keycloak/defaults/main.yml

@@ -16,6 +16,7 @@ keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
 keycloak_config_standalone_xml: "keycloak.xml"
 keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
 keycloak_config_override_template: ''
+keycloak_config_path_to_properties: "{{ keycloak_jboss_home }}/standalone/configuration/profile.properties"
 keycloak_service_user: keycloak
 keycloak_service_group: keycloak
 keycloak_service_pidfile: "/run/keycloak.pid"
@@ -23,10 +24,11 @@ keycloak_service_name: keycloak
 keycloak_service_desc: Keycloak
 keycloak_service_start_delay: 10
 keycloak_service_start_retries: 25
-keycloak_service_restart_on_failure: True
-keycloak_service_startlimitintervalsec: "{{ 300 if keycloak_service_restart_on_failure else '' }}"
-keycloak_service_startlimitburst: "{{ 5 if keycloak_service_restart_on_failure else '' }}"
-keycloak_service_restartsec: "{{ '10s' if keycloak_service_restart_on_failure else '' }}"
+keycloak_service_restart_always: False
+keycloak_service_restart_on_failure: False
+keycloak_service_startlimitintervalsec: "300"
+keycloak_service_startlimitburst: "5"
+keycloak_service_restartsec: "10s"
 
 keycloak_configure_firewalld: False
 
@@ -40,11 +42,13 @@ keycloak_http_port: 8080
 keycloak_https_port: 8443
 keycloak_ajp_port: 8009
 keycloak_jgroups_port: 7600
+keycloak_jgroups_subnet:
 keycloak_management_port_bind_address: 127.0.0.1
 keycloak_management_http_port: 9990
 keycloak_management_https_port: 9993
 keycloak_java_opts: "-Xms1024m -Xmx2048m"
 keycloak_prefer_ipv4: True
+keycloak_features: []
 
 ### Enable configuration for database backend, clustering and remote caches on infinispan
 keycloak_ha_enabled: False

roles/keycloak/meta/argument_specs.yml

@@ -89,6 +89,11 @@ argument_specs:
                 default: "/run/keycloak.pid"
                 description: "PID file path for service"
                 type: "str"
+            keycloak_features:
+                # line 17 of keycloak/defaults/main.yml
+                default: "[]"
+                description: "List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]`"
+                type: "list"
             keycloak_bind_address:
                 # line 34 of keycloak/defaults/main.yml
                 default: "0.0.0.0"
@@ -96,7 +101,7 @@ argument_specs:
                 type: "str"
             keycloak_management_port_bind_address:
                 default: "127.0.0.1"
-                description: "Address for binding the managemnt ports"
+                description: "Address for binding the management ports"
                 type: "str"
             keycloak_host:
                 # line 35 of keycloak/defaults/main.yml
@@ -294,9 +299,13 @@ argument_specs:
                 default: "25"
                 description: "How many time should Ansible retry to connect to the service after it was started, before failing."
                 type: "int"
+            keycloak_service_restart_always:
+                default: false
+                description: "systemd restart always behavior activation for keycloak"
+                type: "bool"
             keycloak_service_restart_on_failure:
-                default: true
-                description: "systemd restart-on-failure behavior activation for keycloak"
+                default: false
+                description: "systemd restart on-failure behavior activation for keycloak"
                 type: "bool"
             keycloak_service_startlimitintervalsec:
                 default: 300
@@ -318,7 +327,7 @@ argument_specs:
                 default: "{{ True if keycloak_ha_enabled else False }}"
                 description: "Enable remote cache store when in clustered ha configurations"
                 type: "bool"
-            keycloak_db_background_validation: 
+            keycloak_db_background_validation:
                 default: False
                 description: "Enable background validation of database connection"
                 type: "bool"
@@ -338,6 +347,10 @@ argument_specs:
                 required: False
                 description: "Override the default administration endpoint URL"
                 type: "str"
+            keycloak_jgroups_subnet:
+                required: False
+                description: "Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration"
+                type: "str"
     downstream:
         options:
             sso_version:

roles/keycloak/tasks/install.yml

@@ -239,7 +239,7 @@
   loop: "{{ ansible_play_batch }}"
   when: keycloak_ha_enabled and keycloak_ha_discovery == 'TCPPING'
 
-- name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak.config_template_source }}"
+- name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
   become: yes
   ansible.builtin.template:
     src: templates/standalone-ha.xml.j2
@@ -268,3 +268,15 @@
     - keycloak_ha_enabled
     - keycloak_remote_cache_enabled
     - keycloak_config_override_template | length == 0
+
+- name: "Deploy profile.properties file to {{ keycloak_config_path_to_properties }}"
+  become: yes
+  ansible.builtin.template:
+    src: keycloak-profile.properties.j2
+    dest: "{{ keycloak_config_path_to_properties }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0640
+  notify:
+    - restart keycloak
+  when: keycloak_features | length > 0

roles/keycloak/templates/keycloak-profile.properties.j2

@@ -0,0 +1,3 @@
+{% for feature in keycloak.features %}
+feature.{{ feature.name }}={{ feature.status | default('enabled') }}
+{% endfor %}

roles/keycloak/templates/keycloak.service.j2

@@ -2,10 +2,8 @@
 [Unit]
 Description={{ keycloak.service_name }} Server
 After=network.target
-{% if keycloak_service_restart_on_failure %}
 StartLimitIntervalSec={{ keycloak_service_startlimitintervalsec }}
 StartLimitBurst={{ keycloak_service_startlimitburst }}
-{% endif %}
 
 
 [Service]
@@ -17,10 +15,12 @@ ExecStop={{ keycloak_dest }}/keycloak-service.sh stop
 TimeoutStartSec=30
 TimeoutStopSec=30
 LimitNOFILE=102642
-{% if keycloak_service_restart_on_failure %}
+{% if keycloak_service_restart_always %}
+Restart=always
+{% elif keycloak_service_restart_on_failure %}
 Restart=on-failure
-RestartSec={{ keycloak_service_restartsec }}
 {% endif %}
+RestartSec={{ keycloak_service_restartsec }}
 
 [Install]
 WantedBy=multi-user.target

roles/keycloak/templates/standalone-ha.xml.j2

@@ -139,8 +139,10 @@
                     <validation>
                         <check-valid-connection-sql>{{ keycloak_jdbc[keycloak_jdbc_engine].validate_query }}</check-valid-connection-sql>
                         <validate-on-match>{{ keycloak_db_background_validate_on_match }}</validate-on-match>
+{% if keycloak_db_background_validation_millis | int > 0 or keycloak_db_background_validation %}
                         <background-validation>{{ keycloak_db_background_validation }}</background-validation>
                         <background-validation-millis>{{ keycloak_db_background_validation_millis }}</background-validation-millis>
+{% endif %}
                     </validation>
 {% else %}
                     <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
@@ -660,7 +662,9 @@
             <inet-address value="{{ keycloak_management_port_bind_address }}"/>
         </interface>
         <interface name="jgroups">
-{% if ansible_default_ipv4 is defined %}
+{% if keycloak_jgroups_subnet is defined and keycloak_jgroups_subnet | string | length > 0 %}
+            <subnet-match value="{{ keycloak_jgroups_subnet | string }}"/>
+{% elif ansible_default_ipv4 is defined and (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') | length > 0 %}
             <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
 {% else %}
             <any-address />

roles/keycloak/templates/standalone-infinispan.xml.j2

@@ -139,8 +139,10 @@
                     <validation>
                         <check-valid-connection-sql>{{ keycloak_jdbc[keycloak_jdbc_engine].validate_query }}</check-valid-connection-sql>
                         <validate-on-match>{{ keycloak_db_background_validate_on_match }}</validate-on-match>
+{% if keycloak_db_background_validation_millis | int > 0 or keycloak_db_background_validation %}
                         <background-validation>{{ keycloak_db_background_validation }}</background-validation>
                         <background-validation-millis>{{ keycloak_db_background_validation_millis }}</background-validation-millis>
+{% endif %}
                     </validation>
 {% else %}
                     <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
@@ -698,7 +700,9 @@
             <inet-address value="{{ keycloak_management_port_bind_address }}"/>
         </interface>
         <interface name="jgroups">
-{% if ansible_default_ipv4 is defined %}
+{% if keycloak_jgroups_subnet is defined and keycloak_jgroups_subnet | string | length > 0 %}
+            <subnet-match value="{{ keycloak_jgroups_subnet | string }}"/>
+{% elif ansible_default_ipv4 is defined and (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') | length > 0 %}
             <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
 {% else %}
             <any-address />

roles/keycloak/templates/standalone.xml.j2

@@ -126,8 +126,10 @@
                     <validation>
                         <check-valid-connection-sql>{{ keycloak_jdbc[keycloak_jdbc_engine].validate_query }}</check-valid-connection-sql>
                         <validate-on-match>{{ keycloak_db_background_validate_on_match }}</validate-on-match>
+{% if keycloak_db_background_validation_millis | int > 0 or keycloak_db_background_validation %}
                         <background-validation>{{ keycloak_db_background_validation }}</background-validation>
                         <background-validation-millis>{{ keycloak_db_background_validation_millis }}</background-validation-millis>
+{% endif %}
                     </validation>
 {% else %}
                     <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>

roles/keycloak/vars/main.yml

@@ -14,6 +14,7 @@ keycloak:
   health_url: "{{ keycloak_management_url }}/health"
   cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh"
   config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 else 'standalone-ha.xml.j2' if keycloak_remote_cache_enabled else 'standalone.xml.j2' }}"
+  features: "{{ keycloak_features }}"
 
 # database
 keycloak_jdbc:
@@ -40,7 +41,7 @@ keycloak_jdbc:
   mariadb:
     enabled: "{{ (keycloak_ha_enabled or keycloak_db_enabled) and keycloak_jdbc_engine == 'mariadb' }}"
     driver_class: org.mariadb.jdbc.Driver
-    xa_datasource_class: org.mariadb.jdbc.MySQLDataSource
+    xa_datasource_class: org.mariadb.jdbc.MariaDbDataSource
     driver_module_name: "org.mariadb"
     driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/mariadb/main"
     driver_version: "{{ keycloak_jdbc_driver_version }}"
@@ -100,4 +101,4 @@ keycloak_remotecache:
   server_name: "{{ keycloak_infinispan_url }}"
   use_ssl: "{{ keycloak_infinispan_use_ssl }}"
   trust_store_path: "{{ keycloak_infinispan_trust_store_path }}"
-  trust_store_password: "{{ keycloak_infinispan_trust_store_password }}"
+  trust_store_password: "{{ keycloak_infinispan_trust_store_password }}"

roles/keycloak_quarkus/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 ### Configuration specific to keycloak
-keycloak_quarkus_version: 18.0.0
+keycloak_quarkus_version: 21.1.1
 keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
 keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"  
 keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"

roles/keycloak_quarkus/templates/keycloak.service.j2

@@ -10,7 +10,7 @@ PIDFile={{ keycloak_quarkus_service_pidfile }}
 {% if keycloak_quarkus_start_dev %}
 ExecStart={{ keycloak.home }}/bin/kc.sh start-dev
 {% else %}
-ExecStart={{ keycloak.home }}/bin/kc.sh start --auto-build --log={{ keycloak_quarkus_log }}
+ExecStart={{ keycloak.home }}/bin/kc.sh start --log={{ keycloak_quarkus_log }}
 {% endif %}
 User={{ keycloak.service_user }}