Update changelog for release 2.0.0

Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>

.github/workflows/ci.yml

@@ -15,4 +15,4 @@ jobs:
     with:
       fqcn: 'middleware_automation/keycloak'
       molecule_tests: >-
-          [ "default", "quarkus", "overridexml" ]
+          [ "default", "quarkus", "overridexml", "quarkus-devmode", "https_revproxy" ]

.github/workflows/release.yml

@@ -6,9 +6,10 @@ on:
 jobs:
   release:
     uses: ansible-middleware/github-actions/.github/workflows/release.yml@main
-    secrets: inherit
     with:
       collection_fqcn: 'middleware_automation.keycloak'
+    secrets:
+      galaxy_token: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
 
   dispatch:
     needs: release

CHANGELOG.rst

@@ -6,6 +6,42 @@ middleware_automation.keycloak Release Notes
 
 This changelog describes changes after version 0.2.6.
 
+v2.0.0
+======
+
+Minor Changes
+-------------
+
+- Add new parameter for port offset configuration `#124 <https://github.com/ansible-middleware/keycloak/pull/124>`_
+- Update Keycloak to version 22.0.5 `#122 <https://github.com/ansible-middleware/keycloak/pull/122>`_
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- Add support for more http-related configs `#115 <https://github.com/ansible-middleware/keycloak/pull/115>`_
+- Update minimum ansible-core version > 2.14 `#119 <https://github.com/ansible-middleware/keycloak/pull/119>`_
+- keycloak_quarkus: enable config of key store and trust store `#116 <https://github.com/ansible-middleware/keycloak/pull/116>`_
+
+v1.3.0
+======
+
+Major Changes
+-------------
+
+- Run service as ``keycloak_service_user`` `#106 <https://github.com/ansible-middleware/keycloak/pull/106>`_
+
+Minor Changes
+-------------
+
+- keycloak_quarkus: Update Keycloak to version 22.0.3 `#112 <https://github.com/ansible-middleware/keycloak/pull/112>`_
+- keycloak_quarkus: fix admin console redirect when running locally `#111 <https://github.com/ansible-middleware/keycloak/pull/111>`_
+- keycloak_quarkus: skip proxy config if ``keycloak_quarkus_proxy_mode`` is ``none`` `#109 <https://github.com/ansible-middleware/keycloak/pull/109>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: fix validation failure upon port configuration change `#113 <https://github.com/ansible-middleware/keycloak/pull/113>`_
+
 v1.2.8
 ======
 

README.md

@@ -11,7 +11,7 @@ Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Re
 <!--start requires_ansible-->
 ## Ansible version compatibility
 
-This collection has been tested against following Ansible versions: **>=2.9.10**.
+This collection has been tested against following Ansible versions: **>=2.14.0**.
 
 Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
 <!--end requires_ansible-->
@@ -44,13 +44,13 @@ A requirement file is provided to install:
 
     pip install -r requirements.txt
 
-
+<!--start roles_paths -->
 ### Included roles
 
 * [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service.
 * [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
 * [`keycloak_quarkus`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md): role for installing the quarkus variant of keycloak (>= 17.0.0).
-
+<!--end roles_paths -->
 
 ## Usage
 

changelogs/changelog.yaml

@@ -286,3 +286,58 @@ releases:
     - 91.yaml
     - 98.yaml
     release_date: '2023-08-28'
+  1.3.0:
+    changes:
+      bugfixes:
+      - 'keycloak_quarkus: fix validation failure upon port configuration change `#113
+        <https://github.com/ansible-middleware/keycloak/pull/113>`_
+
+        '
+      major_changes:
+      - 'Run service as ``keycloak_service_user`` `#106 <https://github.com/ansible-middleware/keycloak/pull/106>`_
+
+        '
+      minor_changes:
+      - 'keycloak_quarkus: Update Keycloak to version 22.0.3 `#112 <https://github.com/ansible-middleware/keycloak/pull/112>`_
+
+        '
+      - 'keycloak_quarkus: fix admin console redirect when running locally `#111 <https://github.com/ansible-middleware/keycloak/pull/111>`_
+
+        '
+      - 'keycloak_quarkus: skip proxy config if ``keycloak_quarkus_proxy_mode`` is
+        ``none`` `#109 <https://github.com/ansible-middleware/keycloak/pull/109>`_
+
+        '
+    fragments:
+    - 106.yaml
+    - 109.yaml
+    - 111.yaml
+    - 112.yaml
+    - 113.yaml
+    release_date: '2023-09-25'
+  2.0.0:
+    changes:
+      breaking_changes:
+      - 'Add support for more http-related configs `#115 <https://github.com/ansible-middleware/keycloak/pull/115>`_
+
+        '
+      - 'Update minimum ansible-core version > 2.14 `#119 <https://github.com/ansible-middleware/keycloak/pull/119>`_
+
+        '
+      - 'keycloak_quarkus: enable config of key store and trust store `#116 <https://github.com/ansible-middleware/keycloak/pull/116>`_
+
+        '
+      minor_changes:
+      - 'Add new parameter for port offset configuration `#124 <https://github.com/ansible-middleware/keycloak/pull/124>`_
+
+        '
+      - 'Update Keycloak to version 22.0.5 `#122 <https://github.com/ansible-middleware/keycloak/pull/122>`_
+
+        '
+    fragments:
+    - 115.yaml
+    - 116.yaml
+    - 119.yaml
+    - 122.yaml
+    - 124.yaml
+    release_date: '2023-11-20'

galaxy.yml

@@ -1,7 +1,7 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "1.2.8"
+version: "2.0.0"
 readme: README.md
 authors:
   - Romain Pelisse <rpelisse@redhat.com>

meta/runtime.yml

@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.9.10"
+requires_ansible: ">=2.14.0"

molecule/default/converge.yml

@@ -10,6 +10,8 @@
         port: 16667
       - host: myhost2
         port: 16668
+    keycloak_jboss_port_offset: 10
+    keycloak_log_target: /tmp/keycloak
   roles:
     - role: keycloak
   tasks:

molecule/default/molecule.yml

@@ -28,7 +28,6 @@ provisioner:
         ansible_python_interpreter: "{{ ansible_playbook_python }}"
   env:
     ANSIBLE_FORCE_COLOR: "true"
-    ANSIBLE_VERBOSITY: 3
 verifier:
   name: ansible
 scenario:

molecule/default/verify.yml

@@ -4,8 +4,9 @@
   vars:
     keycloak_admin_password: "remembertochangeme"
     keycloak_jvm_package: java-11-openjdk-headless
-    keycloak_uri: http://localhost:8080
-    keycloak_management_port: http://localhost:9990
+    keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
+    keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
+    keycloak_jboss_port_offset: 10
   tasks:
     - name: Populate service facts
       ansible.builtin.service_facts:
@@ -55,3 +56,31 @@
       ansible.builtin.assert:
         that:
           - (keycloak_query_clients.json | selectattr('clientId','equalto','TestClient') | first)["attributes"]["post.logout.redirect.uris"] == '/public/logout'
+    - name: Check log folder
+      ansible.builtin.stat:
+        path: "/tmp/keycloak"
+      register: keycloak_log_folder
+    - name: Check that keycloak log folder exists and is a link
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_folder.stat.exists
+          - not keycloak_log_folder.stat.isdir
+          - keycloak_log_folder.stat.islnk
+    - name: Check log file
+      ansible.builtin.stat:
+        path: "/tmp/keycloak/server.log"
+      register: keycloak_log_file
+    - name: Check if keycloak file exists
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_file.stat.exists
+          - not keycloak_log_file.stat.isdir
+    - name: Check default log folder
+      ansible.builtin.stat:
+        path: "/var/log/keycloak"
+      register: keycloak_default_log_folder
+      failed_when: false
+    - name: Check that default keycloak log folder doesn't exist
+      ansible.builtin.assert:
+        that:
+          - not keycloak_default_log_folder.stat.exists

molecule/https_revproxy/converge.yml

@@ -0,0 +1,16 @@
+---
+- name: Converge
+  hosts: all
+  vars: 
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_realm: TestRealm
+    keycloak_quarkus_host: instance
+    keycloak_quarkus_log: file
+    keycloak_quarkus_http_enabled: True
+    keycloak_quarkus_http_port: 8080
+    keycloak_quarkus_proxy_mode: edge
+    keycloak_quarkus_http_relative_path: /
+    keycloak_quarkus_frontend_url: https://proxy/
+  roles:
+    - role: keycloak_quarkus

molecule/https_revproxy/molecule.yml

@@ -0,0 +1,59 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    networks:
+      - name: keycloak
+    port_bindings:
+      - "8080/tcp"
+    published_ports:
+      - 0.0.0.0:8080:8080/tcp
+  - name: proxy
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    networks:
+      - name: keycloak
+    port_bindings:
+      - "443/tcp"
+    published_ports:
+      - 0.0.0.0:443:443/tcp
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+    REDHAT_PRODUCT_DOWNLOAD_CLIENT_ID: "${PROD_JBOSSNETWORK_API_CLIENTID}"
+    REDHAT_PRODUCT_DOWNLOAD_CLIENT_SECRET: "${PROD_JBOSSNETWORK_API_SECRET}"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/https_revproxy/prepare.yml

@@ -0,0 +1,49 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Install sudo
+      ansible.builtin.yum:
+        name: sudo
+        state: present
+
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+- name: Prepare proxy
+  hosts: proxy
+  vars:
+    jbcs_mod_cluster_enable: True
+    jbcs_configure_firewalld: False
+    jbcs_offline_install: False
+    jbcs_bind_address: '*'
+    jbcs_proxy_pass:
+      - path: /
+        url: http://instance:8080/
+        reverse_path: /
+        reverse_url: http://instance:8080/
+    external_domain_name: proxy
+    rhn_username: "{{ lookup('env', 'REDHAT_PRODUCT_DOWNLOAD_CLIENT_ID') }}"
+    rhn_password: "{{ lookup('env', 'REDHAT_PRODUCT_DOWNLOAD_CLIENT_SECRET') }}"
+  roles:
+    - middleware_automation.jbcs.jbcs
+  pre_tasks:
+    - name: Create certificate request
+      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=proxy'
+      delegate_to: localhost
+      changed_when: False
+
+    - name: Copy certificates
+      ansible.builtin.copy:
+        src: "{{ item.name }}"
+        dest: "{{ item.dest }}"
+        mode: 0444
+      become: True
+      loop:
+        - { name: 'cert.pem', dest: '/etc/pki/tls/certs/proxy.crt' }
+        - { name: 'key.pem', dest: '/etc/pki/tls/private/proxy.key' }
+
+    - name: update_ca_trust
+      command: update-ca-trust
+      become: True

molecule/https_revproxy/roles

@@ -0,0 +1 @@
+../../roles

molecule/https_revproxy/verify.yml

@@ -0,0 +1,28 @@
+---
+- name: Verify
+  hosts: instance
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+
+    - name: Verify openid config
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.uri:
+            url: http://localhost:8080/realms/master/.well-known/openid-configuration
+            validate_certs: false
+            headers:
+              Host: proxy
+          register: openid_config
+          changed_when: False
+        - name: Verify endpoint URLs
+          ansible.builtin.assert:
+            that:
+              - openid_config.json['issuer'] == 'https://proxy/realms/master'
+              - openid_config.json['authorization_endpoint'] == 'https://proxy/realms/master/protocol/openid-connect/auth'

molecule/overridexml/converge.yml

@@ -6,6 +6,7 @@
     keycloak_config_override_template: custom.xml.j2
     keycloak_http_port: 8081
     keycloak_management_http_port: 19990
+    keycloak_service_runas: True
   roles:
     - role: keycloak
   tasks:
@@ -51,4 +52,4 @@
         sso_offline_install: True
       when:
         - assets_server is defined
-        - assets_server | length > 0
+        - assets_server | length > 0

molecule/quarkus-devmode/converge.yml

@@ -0,0 +1,43 @@
+---
+- name: Converge
+  hosts: all
+  vars: 
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_realm: TestRealm
+    keycloak_quarkus_log: file
+    keycloak_quarkus_frontend_url: 'http://localhost:8080/'
+    keycloak_quarkus_start_dev: True
+    keycloak_quarkus_proxy_mode: none
+  roles:
+    - role: keycloak_quarkus
+    - role: keycloak_realm
+      keycloak_context: ''
+      keycloak_client_default_roles:
+        - TestRoleAdmin
+        - TestRoleUser
+      keycloak_client_users:
+        - username: TestUser
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+        - username: TestAdmin
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+            - client: TestClient
+              role: TestRoleAdmin
+              realm: "{{ keycloak_realm }}"
+      keycloak_realm: TestRealm
+      keycloak_clients:
+        - name: TestClient
+          roles: "{{ keycloak_client_default_roles }}"
+          realm: "{{ keycloak_realm }}"
+          public_client: "{{ keycloak_client_public }}"
+          web_origins: "{{ keycloak_client_web_origins }}"
+          users: "{{ keycloak_client_users }}"
+          client_id: TestClient

molecule/quarkus-devmode/molecule.yml

@@ -0,0 +1,45 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    port_bindings:
+      - "8080/tcp"
+      - "8009/tcp"
+    published_ports:
+      - 0.0.0.0:8080:8080/tcp
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/quarkus-devmode/prepare.yml

@@ -0,0 +1,12 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Install sudo
+      ansible.builtin.yum:
+        name: sudo
+        state: present
+
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"

molecule/quarkus-devmode/roles

@@ -0,0 +1 @@
+../../roles

molecule/quarkus-devmode/verify.yml

@@ -0,0 +1,39 @@
+---
+- name: Verify
+  hosts: all
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: Verify openid config
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.shell: |
+            set -o pipefail
+            curl http://localhost:8080/realms/master/.well-known/openid-configuration -k | jq .
+          args:
+            executable: /bin/bash
+          delegate_to: localhost
+          register: openid_config
+          changed_when: False
+        - name: Verify endpoint URLs
+          ansible.builtin.assert:
+            that:
+              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'http://localhost:8080/realms/master/protocol/openid-connect/ext/ciba/auth'
+              - (openid_config.stdout | from_json)['issuer'] == 'http://localhost:8080/realms/master'
+              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/auth'
+              - (openid_config.stdout | from_json)['token_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/token'
+          delegate_to: localhost
+      when:
+        - hera_home is defined
+        - hera_home | length == 0

molecule/quarkus/converge.yml

@@ -6,11 +6,11 @@
     keycloak_admin_password: "remembertochangeme"
     keycloak_realm: TestRealm
     keycloak_quarkus_host: instance
-    keycloak_quarkus_http_relative_path: ''
     keycloak_quarkus_log: file
-    keycloak_quarkus_https_enabled: True
+    keycloak_quarkus_https_key_file_enabled: True
     keycloak_quarkus_key_file: "{{ keycloak.home }}/conf/key.pem"
     keycloak_quarkus_cert_file: "{{ keycloak.home }}/conf/cert.pem"
+    keycloak_quarkus_log_target: /tmp/keycloak
   roles:
     - role: keycloak_quarkus
     - role: keycloak_realm

molecule/quarkus/prepare.yml

@@ -16,27 +16,16 @@
       delegate_to: localhost
       changed_when: False
 
-    - name: Set /etc/hosts
-      ansible.builtin.lineinfile:
-        dest: /etc/hosts
-        line: "127.0.0.1 instance"
-        state: present
-      delegate_to: localhost
-      become: yes
-      when:
-        - hera_home is defined
-        - hera_home | length == 0
-
     - name: Create conf directory # risky-file-permissions in test user account does not exist yet
       ansible.builtin.file:
         state: directory
-        path: /opt/keycloak/keycloak-22.0.1/conf/
+        path: /opt/keycloak/keycloak-22.0.5/conf/
         mode: 0755
 
     - name: Copy certificates
       ansible.builtin.copy:
         src: "{{ item }}"
-        dest: "/opt/keycloak/keycloak-22.0.1/conf/{{ item }}"
+        dest: "/opt/keycloak/keycloak-22.0.5/conf/{{ item }}"
         mode: 0444
       loop:
         - cert.pem

molecule/quarkus/verify.yml

@@ -16,11 +16,14 @@
         hera_home: "{{ lookup('env', 'HERA_HOME') }}"
 
     - name: Verify openid config
+      when:
+        - hera_home is defined
+        - hera_home | length == 0
       block:
         - name: Fetch openID config # noqa blocked_modules command-instead-of-module
           ansible.builtin.shell: |
             set -o pipefail
-            curl https://instance:8443/realms/master/.well-known/openid-configuration -k | jq .
+            curl -H 'Host: instance' https://localhost:8443/realms/master/.well-known/openid-configuration -k | jq .
           args:
             executable: /bin/bash
           delegate_to: localhost
@@ -34,6 +37,37 @@
               - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/auth'
               - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/token'
           delegate_to: localhost
-      when:
-        - hera_home is defined
-        - hera_home | length == 0
+
+    - name: Check log folder
+      ansible.builtin.stat:
+        path: "/tmp/keycloak"
+      register: keycloak_log_folder
+
+    - name: Check that keycloak log folder exists and is a link
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_folder.stat.exists
+          - not keycloak_log_folder.stat.isdir
+          - keycloak_log_folder.stat.islnk
+          
+    - name: Check log file
+      ansible.builtin.stat:
+        path: "/tmp/keycloak/keycloak.log"
+      register: keycloak_log_file
+
+    - name: Check if keycloak file exists
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_file.stat.exists
+          - not keycloak_log_file.stat.isdir
+
+    - name: Check default log folder
+      ansible.builtin.stat:
+        path: "/var/log/keycloak"
+      register: keycloak_default_log_folder
+      failed_when: false
+
+    - name: Check that default keycloak log folder doesn't exist
+      ansible.builtin.assert:
+        that:
+          - not keycloak_default_log_folder.stat.exists

molecule/requirements.yml

@@ -1,8 +1,8 @@
 ---
 collections:
   - name: middleware_automation.common
+  - name: middleware_automation.jbcs
   - name: community.general
   - name: ansible.posix
   - name: community.docker
     version: ">=1.9.1"
-    

playbooks/keycloak_quarkus.yml

@@ -1,12 +1,13 @@
 ---
-- name: Playbook for Keycloak X Hosts
+- name: Playbook for Keycloak X Hosts with HTTPS enabled
   hosts: all
   vars:
-    keycloak_admin_password: "remembertochangeme"
-    keycloak_quarkus_host: localhost:8443
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_quarkus_host: localhost
+    keycloak_quarkus_port: 8443
     keycloak_quarkus_http_relative_path: ''
     keycloak_quarkus_log: file
-    keycloak_quarkus_https_enabled: True
+    keycloak_quarkus_https_key_file_enabled: True
     keycloak_quarkus_key_file: conf/key.pem
     keycloak_quarkus_cert_file: conf/cert.pem
   roles:

playbooks/keycloak_quarkus_dev.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook for Keycloak X Hosts in develop mode
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_host: localhost
+    keycloak_quarkus_port: 8080
+    keycloak_quarkus_http_relative_path: ''
+    keycloak_quarkus_log: file
+    keycloak_quarkus_start_dev: true
+    keycloak_quarkus_proxy_mode: none
+  roles:
+    - middleware_automation.keycloak.keycloak_quarkus

plugins/modules/keycloak_user_federation.py

@@ -568,7 +568,6 @@ EXAMPLES = '''
       realm: my-realm
       name: my-federation
       state: absent
-
 '''
 
 RETURN = '''

roles/keycloak/README.md

@@ -77,7 +77,7 @@ Role Defaults
 |`keycloak_service_startlimitintervalsec`| systemd StartLimitIntervalSec | `300` |
 |`keycloak_service_startlimitburst`| systemd StartLimitBurst | `5` |
 |`keycloak_service_restartsec`| systemd RestartSec | `10s` |
-|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak.pid` |
+|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak/keycloak.pid` |
 |`keycloak_features` | List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]` | `[]`
 |`keycloak_jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-headless` |
 |`keycloak_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path | `None` |
@@ -104,20 +104,21 @@ Role Defaults
 |`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` |
 |`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` |
 |`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir }}` |
+|`keycloak_jboss_port_offset` | Port offset for the JBoss socket binding | `0` |
 |`keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` |
 |`keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` |
 |`keycloak_config_override_template` | Path to custom template for standalone.xml configuration | `''` |
 |`keycloak_auth_realm` | Name for rest authentication realm | `master` |
 |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
 |`keycloak_force_install` | Remove pre-existing versions of service | `False` |
-|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
-|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
+|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}` |
+|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}` |
 |`keycloak_frontend_url_force` | Force backend requests to use the frontend URL | `False` |
 |`keycloak_db_background_validation` | Enable background validation of database connection | `False` |
 |`keycloak_db_background_validation_millis`| How frequenly the connection pool is validated in the background | `10000` if background validation enabled |
 |`keycloak_db_background_validate_on_match` | Enable validate on match for database connections | `False` |
 |`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |
-
+|`keycloak_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` |
 
 
 Role Variables

roles/keycloak/defaults/main.yml

@@ -12,14 +12,16 @@ keycloak_jvm_package: java-1.8.0-openjdk-headless
 keycloak_java_home:
 keycloak_dest: /opt/keycloak
 keycloak_jboss_home: "{{ keycloak_installdir }}"
+keycloak_jboss_port_offset: 0
 keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
 keycloak_config_standalone_xml: "keycloak.xml"
 keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
 keycloak_config_override_template: ''
 keycloak_config_path_to_properties: "{{ keycloak_jboss_home }}/standalone/configuration/profile.properties"
+keycloak_service_runas: false
 keycloak_service_user: keycloak
 keycloak_service_group: keycloak
-keycloak_service_pidfile: "/run/keycloak.pid"
+keycloak_service_pidfile: "/run/keycloak/keycloak.pid"
 keycloak_service_name: keycloak
 keycloak_service_desc: Keycloak
 keycloak_service_start_delay: 10
@@ -113,3 +115,6 @@ keycloak_default_jdbc:
     version: 12.2.0
 # role specific vars
 keycloak_no_log: True
+
+### logging configuration
+keycloak_log_target: /var/log/keycloak

roles/keycloak/meta/argument_specs.yml

@@ -54,6 +54,10 @@ argument_specs:
                 default: "{{ keycloak_installdir }}"
                 description: "Installation work directory"
                 type: "str"
+            keycloak_jboss_port_offset:
+                default: 0
+                description: "Port offset for the JBoss socket binding"
+                type: "int"
             keycloak_config_dir:
                 # line 26 of keycloak/defaults/main.yml
                 default: "{{ keycloak_jboss_home }}/standalone/configuration"
@@ -74,6 +78,11 @@ argument_specs:
                 default: ""
                 description: "Path to custom template for standalone.xml configuration"
                 type: "str"
+            keycloak_service_runas: 
+                # line 20 of keycloak/defaults/main.yml
+                default: false
+                description: "Enable execution of service as `keycloak_service_user`"
+                type: "bool"
             keycloak_service_user:
                 # line 29 of keycloak/defaults/main.yml
                 default: "keycloak"
@@ -86,7 +95,7 @@ argument_specs:
                 type: "str"
             keycloak_service_pidfile:
                 # line 31 of keycloak/defaults/main.yml
-                default: "/run/keycloak.pid"
+                default: "/run/keycloak/keycloak.pid"
                 description: "PID file path for service"
                 type: "str"
             keycloak_features:
@@ -275,12 +284,12 @@ argument_specs:
                 type: "str"
             keycloak_url:
                 # line 12 of keycloak/vars/main.yml
-                default: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
+                default: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
                 description: "URL for configuration rest calls"
                 type: "str"
             keycloak_management_url:
                 # line 13 of keycloak/vars/main.yml
-                default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
+                default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"
                 description: "URL for management console rest calls"
                 type: "str"
             keycloak_service_name:
@@ -351,6 +360,10 @@ argument_specs:
                 required: False
                 description: "Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration"
                 type: "str"
+            keycloak_log_target:
+                default: '/var/log/keycloak'
+                type: "str"
+                description: "Set the destination of the keycloak log folder link"
     downstream:
         options:
             sso_version:

roles/keycloak/meta/main.yml

@@ -12,12 +12,12 @@ galaxy_info:
 
   license: Apache License 2.0
 
-  min_ansible_version: "2.9"
+  min_ansible_version: "2.14"
 
   platforms:
    - name: EL
      versions:
-     - 8
+     - "8"
 
   galaxy_tags:
     - keycloak

roles/keycloak/tasks/fastpackages.yml

@@ -1,19 +1,16 @@
 ---
-- name: Check packages to be installed
-  block:
-  - name: "Check if packages are already installed" # noqa command-instead-of-module this runs faster
-    ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
-    register: rpm_info
-    changed_when: rpm_info.failed
+- name: "Check if packages are already installed" # noqa command-instead-of-module this runs faster
+  ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
+  register: rpm_info
+  changed_when: False
+  failed_when: False
 
-  rescue:
-    - name: "Add missing packages to the yum install list"
-      ansible.builtin.set_fact:
-        packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | flatten }}"
-      when: rpm_info.failed
+- name: "Add missing packages to the yum install list"
+  ansible.builtin.set_fact:
+    packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
 
 - name: "Install packages: {{ packages_to_install }}"
-  become: yes
+  become: True
   ansible.builtin.yum:
     name: "{{ packages_to_install }}"
     state: present

roles/keycloak/tasks/install.yml

@@ -53,6 +53,15 @@
     group: "{{ keycloak_service_group }}"
     mode: 0750
 
+- name: Create pidfile folder
+  become: yes
+  ansible.builtin.file:
+    dest: "{{ keycloak_service_pidfile | dirname }}"
+    state: directory
+    owner: "{{ keycloak_service_user if keycloak_service_runas else omit }}"
+    group: "{{ keycloak_service_group if keycloak_service_runas else omit }}"
+    mode: 0750
+
 ## check remote archive
 - name: Set download archive path
   ansible.builtin.set_fact:
@@ -194,6 +203,12 @@
   become: yes
   changed_when: false
 
+- name: Ensure permissions are correct on existing deploy
+  ansible.builtin.command: chown -R "{{ keycloak_service_user }}:{{ keycloak_service_group }}" "{{ keycloak.home }}"
+  when: keycloak_service_runas
+  become: yes
+  changed_when: false
+
 # driver and configuration
 - name: "Install {{ keycloak_jdbc_engine }} driver"
   ansible.builtin.include_tasks: jdbc_driver.yml

roles/keycloak/tasks/main.yml

@@ -34,7 +34,7 @@
   ansible.builtin.file:
     state: link
     src: "{{ keycloak_jboss_home }}/standalone/log"
-    dest: /var/log/keycloak
+    dest: "{{ keycloak_log_target }}"
   become: yes
 
 - name: Set admin credentials and restart if not already created

roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2

@@ -737,7 +737,7 @@
             <inet-address value="{{ keycloak_bind_address }}"/>
         </interface>
     </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
         <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
         <socket-binding name="http" port="{{ keycloak_http_port }}"/>
         <socket-binding name="https" port="{{ keycloak_https_port }}"/>

roles/keycloak/templates/15.0.8/standalone.xml.j2

@@ -638,7 +638,7 @@
             <inet-address value="{{ keycloak_bind_address }}"/>
         </interface>
     </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
         <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
         <socket-binding name="http" port="{{ keycloak_http_port }}"/>
         <socket-binding name="https" port="{{ keycloak_https_port }}"/>

roles/keycloak/templates/9.0.2/standalone-infinispan.xml.j2

@@ -734,7 +734,7 @@
             <inet-address value="${jboss.bind.address:127.0.0.1}"/>
         </interface>
     </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
         <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
         <socket-binding name="http" port="${jboss.http.port:8080}"/>
         <socket-binding name="https" port="${jboss.https.port:8443}"/>

roles/keycloak/templates/9.0.2/standalone.xml.j2

@@ -598,7 +598,7 @@
             <inet-address value="${jboss.bind.address:127.0.0.1}"/>
         </interface>
     </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
         <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
         <socket-binding name="http" port="${jboss.http.port:8080}"/>
         <socket-binding name="https" port="${jboss.https.port:8443}"/>

roles/keycloak/templates/keycloak-sysconfig.j2

@@ -8,4 +8,12 @@ KEYCLOAK_HTTPS_PORT={{ keycloak_https_port }}
 KEYCLOAK_MANAGEMENT_HTTP_PORT={{ keycloak_management_http_port }}
 KEYCLOAK_MANAGEMENT_HTTPS_PORT={{ keycloak_management_https_port }}
 JBOSS_PIDFILE='{{ keycloak_service_pidfile }}'
-LAUNCH_JBOSS_IN_BACKGROUND=1
+
+WILDFLY_OPTS=-Djboss.bind.address=${KEYCLOAK_BIND_ADDRESS} \
+        -Djboss.http.port=${KEYCLOAK_HTTP_PORT} \
+        -Djboss.https.port=${KEYCLOAK_HTTPS_PORT} \
+        -Djboss.management.http.port=${KEYCLOAK_MANAGEMENT_HTTP_PORT} \
+        -Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \
+        -Djboss.node.name={{ inventory_hostname }} \
+      {% if keycloak_prefer_ipv4 %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\
+      {% if keycloak_config_standalone_xml is defined %}--server-config={{ keycloak_config_standalone_xml }}{% endif %}

roles/keycloak/templates/keycloak.service.j2

@@ -7,11 +7,14 @@ StartLimitBurst={{ keycloak_service_startlimitburst }}
 
 
 [Service]
-Type=forking
+{% if keycloak_service_runas %}
+User={{ keycloak_service_user }}
+Group={{ keycloak_service_group }}
+{% endif -%}
 EnvironmentFile=-/etc/sysconfig/keycloak
 PIDFile={{ keycloak_service_pidfile }}
-ExecStart={{ keycloak_dest }}/keycloak-service.sh start
-ExecStop={{ keycloak_dest }}/keycloak-service.sh stop
+ExecStart={{ keycloak.home }}/bin/standalone.sh $WILDFLY_OPTS
+WorkingDirectory={{ keycloak.home }}
 TimeoutStartSec=30
 TimeoutStopSec=30
 LimitNOFILE=102642

roles/keycloak/templates/standalone-ha.xml.j2

@@ -674,7 +674,7 @@
             <inet-address value="{{ keycloak_bind_address }}"/>
         </interface>
     </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
         <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
         <socket-binding name="http" port="{{ keycloak_http_port }}"/>
         <socket-binding name="https" port="{{ keycloak_https_port }}"/>

roles/keycloak/templates/standalone-infinispan.xml.j2

@@ -712,7 +712,7 @@
             <inet-address value="{{ keycloak_bind_address }}"/>
         </interface>
     </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
         <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
         <socket-binding name="http" port="{{ keycloak_http_port }}"/>
         <socket-binding name="https" port="{{ keycloak_https_port }}"/>

roles/keycloak/templates/standalone.xml.j2

@@ -604,7 +604,7 @@
             <inet-address value="{{ keycloak_bind_address }}"/>
         </interface>
     </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:{{ keycloak_jboss_port_offset }}}">
         <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
         <socket-binding name="http" port="{{ keycloak_http_port }}"/>
         <socket-binding name="https" port="{{ keycloak_https_port }}"/>

roles/keycloak/vars/main.yml

@@ -2,8 +2,8 @@
 # internal variables below
 
 # locations
-keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
-keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
+keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
+keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"
 
 
 keycloak:

roles/keycloak_quarkus/README.md

@@ -11,7 +11,7 @@ Role Defaults
 
 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_version`| keycloak.org package version | `22.0.1` |
+|`keycloak_quarkus_version`| keycloak.org package version | `22.0.5` |
 
 
 * Service configuration
@@ -22,9 +22,11 @@ Role Defaults
 |`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` |
 |`keycloak_quarkus_admin_user`| Administration console user account | `admin` |
 |`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` |
-|`keycloak_quarkus_host`| hostname | `localhost` |
-|`keycloak_quarkus_http_port`| HTTP port | `8080` |
-|`keycloak_quarkus_https_port`| TLS HTTP port | `8443` |
+|`keycloak_quarkus_host`| Hostname for the Keycloak server | `localhost` |
+|`keycloak_quarkus_port`| The port used by the proxy when exposing the hostname | `-1` |
+|`keycloak_quarkus_path`| This should be set if proxy uses a different context-path for Keycloak | |
+|`keycloak_quarkus_http_port`| HTTP listening port | `8080` |
+|`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` |
 |`keycloak_quarkus_ajp_port`| AJP port | `8009` |
 |`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7600` |
 |`keycloak_quarkus_service_user`| Posix account username | `keycloak` |
@@ -33,12 +35,20 @@ Role Defaults
 |`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-17-openjdk-headless` |
 |`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
 |`keycloak_quarkus_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
-|`keycloak_quarkus_frontend_url`| Service public URL | `http://localhost:8080/auth` |
-|`keycloak_quarkus_http_relative_path` | Service context path | `auth` |
+|`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | |
+|`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
+|`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
 |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
-|`keycloak_quarkus_https_enabled`| Enable listener on HTTPS port | `False` |
+|`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
 |`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `{{ keycloak.home }}/conf/server.key.pem` |
 |`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `{{ keycloak.home }}/conf/server.crt.pem` |
+|`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` |
+|`keycloak_quarkus_key_store_file`| The file pat to the key store | `{{ keycloak.home }}/conf/key_store.p12` |
+|`keycloak_quarkus_key_store_password`| Password for the key store | `""` |
+|`keycloak_quarkus_https_trust_store_enabled`| Enalbe confiugration of a trust store | `False` |
+|`keycloak_quarkus_trust_store_file`| The file pat to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
+|`keycloak_quarkus_trust_store_password`| Password for the trust store | `""` |
+
 
 
 * Database configuration
@@ -71,7 +81,7 @@ Role Defaults
 |:---------|:------------|:---------|
 |`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
 |`keycloak_quarkus_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`| 
-|`keycloak_quarkus_version`| keycloak.org package version | `22.0.1` |
+|`keycloak_quarkus_version`| keycloak.org package version | `22.0.5` |
 |`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
 |`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
@@ -96,6 +106,7 @@ Role Defaults
 |`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` |
 |`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` |
 |`keycloak_quarkus_log_format`| Set a format specific to file log entries | `%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n` |
+|`keycloak_quarkus_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` |
 |`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` |
 |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` |
 |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` |

roles/keycloak_quarkus/defaults/main.yml

@@ -1,8 +1,8 @@
 ---
 ### Configuration specific to keycloak
-keycloak_quarkus_version: 22.0.1
+keycloak_quarkus_version: 22.0.5
 keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
-keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"  
+keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
 keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
 
 # whether to install from local archive
@@ -17,17 +17,19 @@ keycloak_quarkus_config_dir: "{{ keycloak_quarkus_home }}/conf"
 keycloak_quarkus_start_dev: False
 keycloak_quarkus_service_user: keycloak
 keycloak_quarkus_service_group: keycloak
-keycloak_quarkus_service_pidfile: "/run/keycloak.pid"
+keycloak_quarkus_service_pidfile: "/run/keycloak/keycloak.pid"
 keycloak_quarkus_configure_firewalld: False
 
 ### administrator console password
 keycloak_quarkus_admin_user: admin
-keycloak_quarkus_admin_pass: ''
+keycloak_quarkus_admin_pass:
 keycloak_quarkus_master_realm: master
 
 ### Configuration settings
 keycloak_quarkus_bind_address: 0.0.0.0
 keycloak_quarkus_host: localhost
+keycloak_quarkus_port: -1
+keycloak_quarkus_path:
 keycloak_quarkus_http_enabled: True
 keycloak_quarkus_http_port: 8080
 keycloak_quarkus_https_port: 8443
@@ -36,9 +38,17 @@ keycloak_quarkus_jgroups_port: 7600
 keycloak_quarkus_java_opts: "-Xms1024m -Xmx2048m"
 
 ### TLS/HTTPS configuration
-keycloak_quarkus_https_enabled: False
+keycloak_quarkus_https_key_file_enabled: False
 keycloak_quarkus_key_file: "{{ keycloak.home }}/conf/server.key.pem"
 keycloak_quarkus_cert_file: "{{ keycloak.home }}/conf/server.crt.pem"
+#### key store configuration
+keycloak_quarkus_https_key_store_enabled: False
+keycloak_quarkus_key_store_file: "{{ keycloak.home }}/conf/key_store.p12"
+keycloak_quarkus_key_store_password: ''
+##### trust store configuration
+keycloak_quarkus_https_trust_store_enabled: False
+keycloak_quarkus_trust_store_file: "{{ keycloak.home }}/conf/trust_store.p12"
+keycloak_quarkus_trust_store_password: ''
 
 ### Enable configuration for database backend, clustering and remote caches on infinispan
 keycloak_quarkus_ha_enabled: False
@@ -46,10 +56,14 @@ keycloak_quarkus_ha_enabled: False
 keycloak_quarkus_db_enabled: "{{ True if keycloak_quarkus_ha_enabled else False }}"
 
 ### keycloak frontend url
-keycloak_quarkus_http_relative_path: auth
-keycloak_quarkus_frontend_url: http://localhost:8080/auth
+keycloak_quarkus_frontend_url:
+keycloak_quarkus_admin_url:
 
-# proxy address forwarding mode if the server is behind a reverse proxy. [edge, reencrypt, passthrough]
+### Set the path relative to / for serving resources. The path must start with a /
+### (set to `/auth` for retrocompatibility with pre-quarkus releases)
+keycloak_quarkus_http_relative_path: /
+
+# proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
 keycloak_quarkus_proxy_mode: edge
 
 # disable xa transactions
@@ -89,3 +103,4 @@ keycloak_quarkus_log: file
 keycloak_quarkus_log_level: info
 keycloak_quarkus_log_file: data/log/keycloak.log
 keycloak_quarkus_log_format: '%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n'
+keycloak_quarkus_log_target: /var/log/keycloak

roles/keycloak_quarkus/meta/argument_specs.yml

@@ -61,7 +61,7 @@ argument_specs:
                 type: "str"
             keycloak_quarkus_service_pidfile:
                 # line 18 of defaults/main.yml
-                default: "/run/keycloak.pid"
+                default: "/run/keycloak/keycloak.pid"
                 description: "Pid file path for service"
                 type: "str"
             keycloak_quarkus_configure_firewalld:
@@ -70,13 +70,11 @@ argument_specs:
                 description: "Ensure firewalld is running and configure keycloak ports"
                 type: "bool"
             keycloak_quarkus_admin_user:
-                # line 22 of defaults/main.yml
                 default: "admin"
                 description: "Administration console user account"
                 type: "str"
             keycloak_quarkus_admin_pass:
-                # line 23 of defaults/main.yml
-                default: ""
+                required: true
                 description: "Password of console admin account"
                 type: "str"
             keycloak_quarkus_master_realm:
@@ -90,23 +88,30 @@ argument_specs:
                 description: "Address for binding service ports"
                 type: "str"
             keycloak_quarkus_host:
-                # line 28 of defaults/main.yml
                 default: "localhost"
-                description: "hostname"
+                description: "Hostname for the Keycloak server"
+                type: "str"
+            keycloak_quarkus_port:
+                default: -1
+                description: "The port used by the proxy when exposing the hostname"
+                type: "int"
+            keycloak_quarkus_path:
+                required: false
+                description: "This should be set if proxy uses a different context-path for Keycloak"
                 type: "str"
             keycloak_quarkus_http_enabled:
                 default: true
                 description: "Enable listener on HTTP port"
-                type: "bool"                
+                type: "bool"
             keycloak_quarkus_http_port:
                 # line 29 of defaults/main.yml
                 default: 8080
                 description: "HTTP port"
                 type: "int"
-            keycloak_quarkus_https_enabled:
+            keycloak_quarkus_https_key_file_enabled:
                 default: false
-                description: "Enable listener on HTTPS port"
-                type: "bool" 
+                description: "Enable configuration of HTTPS via files in PEM format"
+                type: "bool"
             keycloak_quarkus_key_file:
                 default: "{{ keycloak.home }}/conf/server.key.pem"
                 description: "The file path to a private key in PEM format"
@@ -115,6 +120,30 @@ argument_specs:
                 default: "{{ keycloak.home }}/conf/server.crt.pem"
                 description: "The file path to a server certificate or certificate chain in PEM format"
                 type: "str"
+            keycloak_quarkus_https_key_store_enabled:
+                default: false
+                description: "Enable configuration of HTTPS via a key store"
+                type: "bool"
+            keycloak_quarkus_key_store_file:
+                default: "{{ keycloak.home }}/conf/key_store.p12"
+                description: "The file path to the key store"
+                type: "str"
+            keycloak_quarkus_key_store_password:
+                default: ""
+                description: "Password for the key store"
+                type: "str"
+            keycloak_quarkus_https_trust_store_enabled:
+                default: false
+                description: "Enalbe confiugration of a trust store"
+                type: "bool"
+            keycloak_quarkus_trust_store_file:
+                default: "{{ keycloak.home }}/conf/trust_store.p12"
+                description: "The file pat to the trust store"
+                type: "str"
+            keycloak_quarkus_trust_store_password:
+                 default: ""
+                 description: "Password for the trust store"
+                 type: "str"
             keycloak_quarkus_https_port:
                 # line 30 of defaults/main.yml
                 default: 8443
@@ -146,15 +175,18 @@ argument_specs:
                 description: "Enable auto configuration for database backend"
                 type: "str"
             keycloak_quarkus_http_relative_path:
-                # line 41 of defaults/main.yml
-                default: "auth"
-                description: "Service context path"
+                required: false
+                default: /
+                description: "Set the path relative to / for serving resources. The path must start with a /"
                 type: "str"
             keycloak_quarkus_frontend_url:
-                # line 41 of defaults/main.yml
-                default: "http://localhost:8080/auth"
+                required: false
                 description: "Service public URL"
                 type: "str"
+            keycloak_quarkus_admin_url:
+                required: false
+                description: "Service URL for the admin console"
+                type: "str"
             keycloak_quarkus_metrics_enabled:
                 # line 43 of defaults/main.yml
                 default: false
@@ -240,10 +272,14 @@ argument_specs:
                 default: '%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n'
                 type: "str"
                 description: "Set a format specific to file log entries"
+            keycloak_quarkus_log_target:
+                default: '/var/log/keycloak'
+                type: "str"
+                description: "Set the destination of the keycloak log folder link"
             keycloak_quarkus_proxy_mode:
                 default: 'edge'
                 type: "str"
-                description: "The proxy address forwarding mode if the server is behind a reverse proxy"
+                description: "The proxy address forwarding mode if the server is behind a reverse proxy. Set to 'none' if not using a proxy"
             keycloak_quarkus_start_dev:
                 default: False
                 type: "bool"

roles/keycloak_quarkus/meta/main.yml

@@ -8,12 +8,12 @@ galaxy_info:
 
   license: Apache License 2.0
 
-  min_ansible_version: "2.9"
+  min_ansible_version: "2.14"
 
   platforms:
    - name: EL
      versions:
-     - 8
+     - "8"
 
   galaxy_tags:
     - keycloak

roles/keycloak_quarkus/tasks/fastpackages.yml

@@ -1,19 +1,16 @@
 ---
-- name: Check packages to be installed
-  block:
-  - name: "Check if packages are already installed" # noqa command-instead-of-module this runs faster
-    ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
-    register: rpm_info
-    changed_when: rpm_info.failed
+- name: "Check if packages are already installed" # noqa command-instead-of-module this runs faster
+  ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
+  register: rpm_info
+  changed_when: False
+  failed_when: False
 
-  rescue:
-    - name: "Add missing packages to the yum install list"
-      ansible.builtin.set_fact:
-        packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | flatten }}"
-      when: rpm_info.failed
+- name: "Add missing packages to the yum install list"
+  ansible.builtin.set_fact:
+    packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
 
-- name: "Install packages: {{ packages_to_install | join(',') }}"
-  become: yes
+- name: "Install packages: {{ packages_to_install }}"
+  become: True
   ansible.builtin.yum:
     name: "{{ packages_to_install }}"
     state: present

roles/keycloak_quarkus/tasks/main.yml

@@ -52,6 +52,9 @@
     mode: 0775
   become: yes
 
+- name: Flush pending handlers
+  ansible.builtin.meta: flush_handlers
+
 - name: "Start and wait for keycloak service"
   ansible.builtin.include_tasks: start.yml
 
@@ -64,6 +67,6 @@
   ansible.builtin.file:
     state: link
     src: "{{ keycloak.log.file | dirname }}"
-    dest: /var/log/keycloak
+    dest: "{{ keycloak_quarkus_log_target }}"
     force: yes
   become: yes

roles/keycloak_quarkus/templates/keycloak.conf.j2

@@ -15,17 +15,32 @@ health-enabled={{ keycloak_quarkus_health_enabled }}
 # HTTP
 http-enabled={{ keycloak_quarkus_http_enabled }}
 http-port={{ keycloak_quarkus_http_port }}
+http-relative-path={{ keycloak_quarkus_http_relative_path }}
 
 # HTTPS
 https-port={{ keycloak_quarkus_https_port }}
-{% if keycloak_quarkus_https_enabled %}
+{% if keycloak_quarkus_https_key_file_enabled %}
 https-certificate-file={{ keycloak_quarkus_cert_file}}
 https-certificate-key-file={{ keycloak_quarkus_key_file }}
 {% endif %}
+{% if keycloak_quarkus_https_key_store_enabled %}
+https-key-store-file={{ keycloak_quarkus_key_store_file }}
+https-key-store-password={{ keycloak_quarkus_key_store_password }}
+{% endif %}
+{% if keycloak_quarkus_https_trust_store_enabled %}
+https-trust-store-file={{ keycloak_quarkus_trust_store_file }}
+https-trust-store-password={{ keycloak_quarkus_trust_store_password }}
+{% endif %}
 
-# Hostname for the Keycloak server.
+# Client URL configuration
+{% if keycloak_quarkus_frontend_url %}
+hostname-url={{ keycloak_quarkus_frontend_url }}
+{% else %}
 hostname={{ keycloak_quarkus_host }}
-hostname-path={{ keycloak_quarkus_http_relative_path }}
+hostname-port={{ keycloak_quarkus_port }}
+hostname-path={{ keycloak_quarkus_path }}
+{% endif %}
+hostname-admin-url={{ keycloak_quarkus_admin_url }}
 
 # Cluster
 {% if keycloak_quarkus_ha_enabled %}
@@ -34,8 +49,10 @@ cache-config-file=cache-ispn.xml
 cache-stack=tcp
 {% endif %}
 
+{% if keycloak_quarkus_proxy_mode is defined and keycloak_quarkus_proxy_mode != "none" %}
 # Proxy
 proxy={{ keycloak_quarkus_proxy_mode }}
+{% endif %}
 # Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
 #spi-sticky-session-encoder-infinispan-should-attach-route=false
 

roles/keycloak_quarkus/vars/main.yml

@@ -4,7 +4,7 @@ keycloak:
   config_dir: "{{ keycloak_quarkus_config_dir }}"
   bundle: "{{ keycloak_quarkus_archive }}"
   service_name: "keycloak"
-  health_url: "http://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_http_port }}/realms/master/.well-known/openid-configuration"
+  health_url: "http://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_http_port }}{{ keycloak_quarkus_http_relative_path }}{{ '/' if keycloak_quarkus_http_relative_path | length > 1 else '' }}realms/master/.well-known/openid-configuration"
   cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh"
   service_user: "{{ keycloak_quarkus_service_user }}"
   service_group: "{{ keycloak_quarkus_service_group }}"

roles/keycloak_realm/meta/argument_specs.yml

@@ -83,12 +83,12 @@ argument_specs:
                 type: "list"
             keycloak_url:
                 # line 14 of keycloak_realm/vars/main.yml
-                default: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
+                default: "http://{{ keycloak_host }}:{{ keycloak_http_port + ( keycloak_jboss_port_offset | default(0) ) }}"
                 description: "URL for configuration rest calls"
                 type: "str"
             keycloak_management_url:
                 # line 15 of keycloak_realm/vars/main.yml
-                default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
+                default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + ( keycloak_jboss_port_offset | default(0) ) }}"
                 description: "URL for management console rest calls"
                 type: "str"
     downstream:

roles/keycloak_realm/meta/main.yml

@@ -8,12 +8,12 @@ galaxy_info:
 
   license: Apache License 2.0
 
-  min_ansible_version: "2.9"
+  min_ansible_version: "2.14"
 
   platforms:
    - name: EL
      versions:
-     - 8
+     - "8"
 
   galaxy_tags:
     - keycloak

roles/keycloak_realm/vars/main.yml

@@ -5,5 +5,5 @@
 keycloak_realm:
 
 # other settings
-keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
-keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
+keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + ( keycloak_jboss_port_offset | default(0) ) }}"
+keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + ( keycloak_jboss_port_offset | default(0) ) }}"