Update changelog for release 2.2.1

Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
Merge pull request #204 from InfoSec812/Issue_203-_-fix-input-validation-when-clause
2026-03-27 13:53:04 +00:00 · 2024-05-02 16:59:47 +00:00 · 2024-05-02 18:46:05 +02:00 · 2024-05-02 12:31:16 -04:00 · 2024-05-02 12:09:36 -04:00 · 2024-05-01 14:44:15 +00:00
40 changed files with 795 additions and 269 deletions
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -15,3 +15,4 @@ jobs:
    with:
      fqcn: 'middleware_automation/keycloak'
      collection_fqcn: 'middleware_automation.keycloak'
+      historical_docs: 'false'
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,20 +2,27 @@
 name: Release collection
 on:
  workflow_dispatch:
+    inputs:
+      release_summary:
+        description: 'Optional release summary for changelogs'
+        required: false

 jobs:
  release:
    uses: ansible-middleware/github-actions/.github/workflows/release.yml@main
    with:
      collection_fqcn: 'middleware_automation.keycloak'
+      downstream_name: 'rhbk'
+      release_summary: "${{ github.event.inputs.release_summary }}"
    secrets:
      galaxy_token: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
+      jira_webhook: ${{ secrets.JIRA_WEBHOOK_CREATE_VERSION }}

  dispatch:
    needs: release
    strategy:
      matrix:
-        repo: ['ansible-middleware/cross-dc-rhsso-demo', 'ansible-middleware/flange-demo', 'ansible-middleware/ansible-middleware-ee']
+        repo: ['ansible-middleware/ansible-middleware-ee']
    runs-on: ubuntu-latest
    steps:
      - name: Repository Dispatch
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,6 +6,46 @@ middleware\_automation.keycloak Release Notes

 This changelog describes changes after version 0.2.6.

+v2.2.1
+======
+
+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
+Bugfixes
+--------
+
+- JDBC provider: fix clause in argument validation `#204 <https://github.com/ansible-middleware/keycloak/pull/204>`_
+
+v2.2.0
+======
+
+Major Changes
+-------------
+
+- Support java keystore for configuration of sensitive options `#189 <https://github.com/ansible-middleware/keycloak/pull/189>`_
+
+Minor Changes
+-------------
+
+- Add ``wait_for_port`` and ``wait_for_log`` systemd unit logic `#199 <https://github.com/ansible-middleware/keycloak/pull/199>`_
+- Customize jdbc driver downloads, optional authentication `#202 <https://github.com/ansible-middleware/keycloak/pull/202>`_
+- Keystore-based vault SPI configuration `#196 <https://github.com/ansible-middleware/keycloak/pull/196>`_
+- New ``keycloak_quarkus_hostname_strict_https`` parameter `#195 <https://github.com/ansible-middleware/keycloak/pull/195>`_
+- Providers config and custom providers `#201 <https://github.com/ansible-middleware/keycloak/pull/201>`_
+- Remove administrator credentials from files once keycloak is bootstrapped `#197 <https://github.com/ansible-middleware/keycloak/pull/197>`_
+- Update keycloak to 24.0 `#194 <https://github.com/ansible-middleware/keycloak/pull/194>`_
+
+v2.1.2
+======
+
+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
 v2.1.1
 ======

@@ -272,6 +312,11 @@ Minor Changes
 v1.0.4
 ======

+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
 v1.0.3
 ======

--- a/changelogs/changelog.yaml
+++ b/changelogs/changelog.yaml
@@ -59,6 +59,10 @@ releases:
    - 31.yaml
    release_date: '2022-05-09'
  1.0.4:
+    changes:
+      release_summary: 'Internal release, documentation or test changes only.
+
+        '
    release_date: '2022-05-11'
  1.0.5:
    changes:
@@ -454,3 +458,59 @@ releases:
    - 187.yaml
    - 191.yaml
    release_date: '2024-04-17'
+  2.1.2:
+    changes:
+      release_summary: 'Internal release, documentation or test changes only.
+
+        '
+    release_date: '2024-04-17'
+  2.2.0:
+    changes:
+      major_changes:
+      - 'Support java keystore for configuration of sensitive options `#189 <https://github.com/ansible-middleware/keycloak/pull/189>`_
+
+        '
+      minor_changes:
+      - 'Add ``wait_for_port`` and ``wait_for_log`` systemd unit logic `#199 <https://github.com/ansible-middleware/keycloak/pull/199>`_
+
+        '
+      - 'Customize jdbc driver downloads, optional authentication `#202 <https://github.com/ansible-middleware/keycloak/pull/202>`_
+
+        '
+      - 'Keystore-based vault SPI configuration `#196 <https://github.com/ansible-middleware/keycloak/pull/196>`_
+
+        '
+      - 'New ``keycloak_quarkus_hostname_strict_https`` parameter `#195 <https://github.com/ansible-middleware/keycloak/pull/195>`_
+
+        '
+      - 'Providers config and custom providers `#201 <https://github.com/ansible-middleware/keycloak/pull/201>`_
+
+        '
+      - 'Remove administrator credentials from files once keycloak is bootstrapped
+        `#197 <https://github.com/ansible-middleware/keycloak/pull/197>`_
+
+        '
+      - 'Update keycloak to 24.0 `#194 <https://github.com/ansible-middleware/keycloak/pull/194>`_
+
+        '
+    fragments:
+    - 189.yaml
+    - 194.yaml
+    - 195.yaml
+    - 196.yaml
+    - 197.yaml
+    - 199.yaml
+    - 201.yaml
+    - 202.yaml
+    release_date: '2024-05-01'
+  2.2.1:
+    changes:
+      bugfixes:
+      - 'JDBC provider: fix clause in argument validation `#204 <https://github.com/ansible-middleware/keycloak/pull/204>`_
+
+        '
+      release_summary: Internal release, documentation or test changes only.
+    fragments:
+    - 204.yaml
+    - v2.2.1-devel_summary.yaml
+    release_date: '2024-05-02'
--- a/docs/_gh_include/header.inc
+++ b/docs/_gh_include/header.inc
@@ -24,14 +24,15 @@
        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
            <p class="caption" role="heading"><span class="caption-text">Middleware Automation</span></p>
            <ul>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/infinispan/">Infinispan / Red Hat Data Grid</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/keycloak/">Keycloak / Red Hat Single Sign-On</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/wildfly/">Wildfly / Red Hat JBoss EAP</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/jws/">Tomcat / Red Hat JWS</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq/">ActiveMQ / Red Hat AMQ Broker</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq_streams/">Kafka / Red Hat AMQ Streams</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/redhat-csp-download/">Red Hat CSP Download</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/ansible_collections_jcliff/">JCliff</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/infinispan/main/">Infinispan / Red Hat Data Grid</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/keycloak/main/">Keycloak / Red Hat Single Sign-On</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/wildfly/main/">Wildfly / Red Hat JBoss EAP</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/jws/main/">Tomcat / Red Hat JWS</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq/main/">ActiveMQ / Red Hat AMQ Broker</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq_streams/main/">Kafka / Red Hat AMQ Streams</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/common/main/">Ansible Middleware utilities</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/redhat-csp-download/main/">Red Hat CSP Download</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/ansible_collections_jcliff/main/">JCliff</a></li>
            </ul>
        </div>
      </div>
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -29,11 +29,12 @@ Welcome to Keycloak Collection documentation
   :maxdepth: 2
   :caption: Middleware collections

-   Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/>
-   Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/>
-   Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/>
-   Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/>
-   ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/>
-   Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/>
-   Red Hat CSP Download <https://ansible-middleware.github.io/redhat-csp-download/>
-   JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/>
+   Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/>
+   Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/main/>
+   Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/main/>
+   Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/main/>
+   ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/main/>
+   Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/main/>
+   Ansible Middleware utilities <https://ansible-middleware.github.io/common/main/>
+   Red Hat CSP Download <https://ansible-middleware.github.io/redhat-csp-download/main/>
+   JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/main/>
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,7 +1,7 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "2.1.1"
+version: "2.2.1"
 readme: README.md
 authors:
  - Romain Pelisse <rpelisse@redhat.com>
@@ -35,7 +35,6 @@ issues: https://github.com/ansible-middleware/keycloak/issues
 build_ignore:
  - .gitignore
  - .github
-  - .ansible-lint
  - .yamllint
  - '*.tar.gz'
  - '*.zip'
--- a/molecule/prepare.yml
+++ b/molecule/prepare.yml
@@ -25,7 +25,7 @@
    fail_msg: "sudo is not installed on target system"

 - name: "Install iproute"
-  become: yes
+  become: true
  ansible.builtin.yum:
    name:
      - iproute
@@ -33,7 +33,7 @@

 - name: "Retrieve assets server from env"
  ansible.builtin.set_fact:
-    assets_server: "{{ lookup('env','MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
+    assets_server: "{{ lookup('env', 'MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"

 - name: "Download artefacts only if assets_server is set"
  when:
@@ -51,6 +51,7 @@
        url: "{{ asset }}"
        dest: "{{ lookup('env', 'PWD') }}"
        validate_certs: no
+        mode: '0644'
      delegate_to: localhost
      loop: "{{ assets }}"
      loop_control:
--- a/molecule/quarkus-devmode/prepare.yml
+++ b/molecule/quarkus-devmode/prepare.yml
@@ -30,11 +30,11 @@
        src: "{{ item }}"
        dest: /opt/openjdk
        force: true
-        with_fileglob:
-          - /usr/lib/jvm/java-17-openjdk*
+      with_fileglob:
+        - /usr/lib/jvm/java-17-openjdk*
      when:
        - ansible_facts.os_family == "Debian"
-          
+
    - name: Link default logs directory
      ansible.builtin.file:
        state: link
--- a/molecule/quarkus/converge.yml
+++ b/molecule/quarkus/converge.yml
@@ -1,16 +1,34 @@
 ---
 - name: Converge
  hosts: all
-  vars: 
+  vars:
    keycloak_quarkus_admin_pass: "remembertochangeme"
    keycloak_admin_password: "remembertochangeme"
    keycloak_realm: TestRealm
    keycloak_quarkus_host: instance
    keycloak_quarkus_log: file
-    keycloak_quarkus_https_key_file_enabled: True
+    keycloak_quarkus_log_level: debug
+    keycloak_quarkus_https_key_file_enabled: true
    keycloak_quarkus_key_file: "/opt/keycloak/certs/key.pem"
    keycloak_quarkus_cert_file: "/opt/keycloak/certs/cert.pem"
    keycloak_quarkus_log_target: /tmp/keycloak
+    keycloak_quarkus_ks_vault_enabled: true
+    keycloak_quarkus_ks_vault_file: "/opt/keycloak/certs/keystore.p12"
+    keycloak_quarkus_ks_vault_pass: keystorepassword
+    keycloak_quarkus_systemd_wait_for_port: true
+    keycloak_quarkus_systemd_wait_for_timeout: 20
+    keycloak_quarkus_systemd_wait_for_delay: 2
+    keycloak_quarkus_systemd_wait_for_log: true
+    keycloak_quarkus_providers:
+      - id: http-client
+        spi: connections
+        default: true
+        restart: true
+        properties:
+          - key: default-connection-pool-size
+            value: 10
+      - id: spid-saml
+        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
  roles:
    - role: keycloak_quarkus
    - role: keycloak_realm
--- a/molecule/quarkus/prepare.yml
+++ b/molecule/quarkus/prepare.yml
@@ -2,15 +2,10 @@
 - name: Prepare
  hosts: all
  tasks:
-    - name: Install sudo
-      ansible.builtin.package:
-        name: sudo
-        state: present
-
    - name: "Display hera_home if defined."
      ansible.builtin.set_fact:
        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
-        
+
    - name: "Ensure common prepare phase are set."
      ansible.builtin.include_tasks: ../prepare.yml

@@ -20,14 +15,29 @@
      changed_when: False

    - name: Create conf directory # risky-file-permissions in test user account does not exist yet
-      become: yes
+      become: true
      ansible.builtin.file:
        state: directory
        path: "/opt/keycloak/certs/"
        mode: 0755

-    - name: Copy certificates
-      become: yes
+    - name: Make sure a jre is available (for keytool to prepare keystore)
+      delegate_to: localhost
+      ansible.builtin.package:
+        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
+        state: present
+      become: true
+      failed_when: false
+
+    - name: Create vault keystore
+      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
+      delegate_to: localhost
+      register: keytool_cmd
+      changed_when: False
+      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
+
+    - name: Copy certificates and vault
+      become: true
      ansible.builtin.copy:
        src: "{{ item }}"
        dest: "/opt/keycloak/certs/{{ item }}"
@@ -35,3 +45,4 @@
      loop:
        - cert.pem
        - key.pem
+        - keystore.p12
--- a/molecule/quarkus/verify.yml
+++ b/molecule/quarkus/verify.yml
@@ -10,6 +10,7 @@
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+        fail_msg: "Service not running"

    - name: Set internal envvar
      ansible.builtin.set_fact:
@@ -40,7 +41,7 @@

    - name: Check log folder
      ansible.builtin.stat:
-        path: "/tmp/keycloak"
+        path: /tmp/keycloak
      register: keycloak_log_folder

    - name: Check that keycloak log folder exists and is a link
@@ -49,11 +50,12 @@
          - keycloak_log_folder.stat.exists
          - not keycloak_log_folder.stat.isdir
          - keycloak_log_folder.stat.islnk
+        fail_msg: "Service log symlink not correctly created"

    - name: Check log file
-      become: yes
+      become: true
      ansible.builtin.stat:
-        path: "/tmp/keycloak/keycloak.log"
+        path: /tmp/keycloak/keycloak.log
      register: keycloak_log_file

    - name: Check if keycloak file exists
@@ -65,7 +67,7 @@
    - name: Check default log folder
      become: yes
      ansible.builtin.stat:
-        path: "/var/log/keycloak"
+        path: /var/log/keycloak
      register: keycloak_default_log_folder
      failed_when: false

@@ -73,3 +75,12 @@
      ansible.builtin.assert:
        that:
          - not keycloak_default_log_folder.stat.exists
+
+    - name: Verify vault SPI in logfile
+      become: true
+      ansible.builtin.shell: |
+        set -o pipefail
+        zgrep 'Configured KeystoreVaultProviderFactory with the keystore file' /opt/keycloak/keycloak-*/data/log/keycloak.log*zip
+      changed_when: false
+      failed_when: slurped_log.rc != 0
+      register: slurped_log
--- a/plugins/modules/keycloak_client.py
+++ b/plugins/modules/keycloak_client.py
@@ -637,7 +637,7 @@ EXAMPLES = '''
      - test01
      - test02
    authentication_flow_binding_overrides:
-        browser: 4c90336b-bf1d-4b87-916d-3677ba4e5fbb
+      browser: 4c90336b-bf1d-4b87-916d-3677ba4e5fbb
    protocol_mappers:
      - config:
          access.token.claim: true
--- a/plugins/modules/keycloak_role.py
+++ b/plugins/modules/keycloak_role.py
@@ -142,14 +142,14 @@ EXAMPLES = '''
    auth_password: PASSWORD
    name: my-new-role
    attributes:
-        attrib1: value1
-        attrib2: value2
-        attrib3:
-            - with
-            - numerous
-            - individual
-            - list
-            - items
+      attrib1: value1
+      attrib2: value2
+      attrib3:
+        - with
+        - numerous
+        - individual
+        - list
+        - items
  delegate_to: localhost
 '''

--- a/plugins/modules/keycloak_user_federation.py
+++ b/plugins/modules/keycloak_user_federation.py
@@ -475,99 +475,99 @@ author:
 '''

 EXAMPLES = '''
-  - name: Create LDAP user federation
-    middleware_automation.keycloak.keycloak_user_federation:
-      auth_keycloak_url: https://keycloak.example.com/auth
-      auth_realm: master
-      auth_username: admin
-      auth_password: password
-      realm: my-realm
-      name: my-ldap
-      state: present
-      provider_id: ldap
-      provider_type: org.keycloak.storage.UserStorageProvider
-      config:
-        priority: 0
-        enabled: true
-        cachePolicy: DEFAULT
-        batchSizeForSync: 1000
-        editMode: READ_ONLY
-        importEnabled: true
-        syncRegistrations: false
-        vendor: other
-        usernameLDAPAttribute: uid
-        rdnLDAPAttribute: uid
-        uuidLDAPAttribute: entryUUID
-        userObjectClasses: inetOrgPerson, organizationalPerson
-        connectionUrl: ldaps://ldap.example.com:636
-        usersDn: ou=Users,dc=example,dc=com
-        authType: simple
-        bindDn: cn=directory reader
-        bindCredential: password
-        searchScope: 1
-        validatePasswordPolicy: false
-        trustEmail: false
-        useTruststoreSpi: ldapsOnly
-        connectionPooling: true
-        pagination: true
-        allowKerberosAuthentication: false
-        debug: false
-        useKerberosForPasswordAuthentication: false
-      mappers:
-        - name: "full name"
-          providerId: "full-name-ldap-mapper"
-          providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
-          config:
-            ldap.full.name.attribute: cn
-            read.only: true
-            write.only: false
+- name: Create LDAP user federation
+  middleware_automation.keycloak.keycloak_user_federation:
+    auth_keycloak_url: https://keycloak.example.com/auth
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: my-realm
+    name: my-ldap
+    state: present
+    provider_id: ldap
+    provider_type: org.keycloak.storage.UserStorageProvider
+    config:
+    priority: 0
+    enabled: true
+    cachePolicy: DEFAULT
+    batchSizeForSync: 1000
+    editMode: READ_ONLY
+    importEnabled: true
+    syncRegistrations: false
+    vendor: other
+    usernameLDAPAttribute: uid
+    rdnLDAPAttribute: uid
+    uuidLDAPAttribute: entryUUID
+    userObjectClasses: inetOrgPerson, organizationalPerson
+    connectionUrl: ldaps://ldap.example.com:636
+    usersDn: ou=Users,dc=example,dc=com
+    authType: simple
+    bindDn: cn=directory reader
+    bindCredential: password
+    searchScope: 1
+    validatePasswordPolicy: false
+    trustEmail: false
+    useTruststoreSpi: ldapsOnly
+    connectionPooling: true
+    pagination: true
+    allowKerberosAuthentication: false
+    debug: false
+    useKerberosForPasswordAuthentication: false
+    mappers:
+      - name: "full name"
+        providerId: "full-name-ldap-mapper"
+        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+        config:
+          ldap.full.name.attribute: cn
+          read.only: true
+          write.only: false

-  - name: Create Kerberos user federation
-    middleware_automation.keycloak.keycloak_user_federation:
-      auth_keycloak_url: https://keycloak.example.com/auth
-      auth_realm: master
-      auth_username: admin
-      auth_password: password
-      realm: my-realm
-      name: my-kerberos
-      state: present
-      provider_id: kerberos
-      provider_type: org.keycloak.storage.UserStorageProvider
-      config:
-        priority: 0
-        enabled: true
-        cachePolicy: DEFAULT
-        kerberosRealm: EXAMPLE.COM
-        serverPrincipal: HTTP/host.example.com@EXAMPLE.COM
-        keyTab: keytab
-        allowPasswordAuthentication: false
-        updateProfileFirstLogin: false
+- name: Create Kerberos user federation
+  middleware_automation.keycloak.keycloak_user_federation:
+    auth_keycloak_url: https://keycloak.example.com/auth
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: my-realm
+    name: my-kerberos
+    state: present
+    provider_id: kerberos
+    provider_type: org.keycloak.storage.UserStorageProvider
+    config:
+    priority: 0
+    enabled: true
+    cachePolicy: DEFAULT
+    kerberosRealm: EXAMPLE.COM
+    serverPrincipal: HTTP/host.example.com@EXAMPLE.COM
+    keyTab: keytab
+    allowPasswordAuthentication: false
+    updateProfileFirstLogin: false

-  - name: Create sssd user federation
-    middleware_automation.keycloak.keycloak_user_federation:
-      auth_keycloak_url: https://keycloak.example.com/auth
-      auth_realm: master
-      auth_username: admin
-      auth_password: password
-      realm: my-realm
-      name: my-sssd
-      state: present
-      provider_id: sssd
-      provider_type: org.keycloak.storage.UserStorageProvider
-      config:
-        priority: 0
-        enabled: true
-        cachePolicy: DEFAULT
+- name: Create sssd user federation
+  middleware_automation.keycloak.keycloak_user_federation:
+    auth_keycloak_url: https://keycloak.example.com/auth
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: my-realm
+    name: my-sssd
+    state: present
+    provider_id: sssd
+    provider_type: org.keycloak.storage.UserStorageProvider
+    config:
+    priority: 0
+    enabled: true
+    cachePolicy: DEFAULT

-  - name: Delete user federation
-    middleware_automation.keycloak.keycloak_user_federation:
-      auth_keycloak_url: https://keycloak.example.com/auth
-      auth_realm: master
-      auth_username: admin
-      auth_password: password
-      realm: my-realm
-      name: my-federation
-      state: absent
+- name: Delete user federation
+  middleware_automation.keycloak.keycloak_user_federation:
+    auth_keycloak_url: https://keycloak.example.com/auth
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: my-realm
+    name: my-federation
+    state: absent
 '''

 RETURN = '''
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@@ -7,20 +7,20 @@ Install [keycloak](https://keycloak.org/) >= 20.0.0 (quarkus) server configurati
 Role Defaults
 -------------

-* Installation options
+#### Installation options

 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_version`| keycloak.org package version | `23.0.7` |
+|`keycloak_quarkus_version`| keycloak.org package version | `24.0.3` |
+|`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
+|`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
+|`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |


-* Service configuration
+#### Service configuration

 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
-|`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `TCPPING` |
-|`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` |
 |`keycloak_quarkus_admin_user`| Administration console user account | `admin` |
 |`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` |
 |`keycloak_quarkus_host`| Hostname for the Keycloak server | `localhost` |
@@ -29,16 +29,14 @@ Role Defaults
 |`keycloak_quarkus_http_port`| HTTP listening port | `8080` |
 |`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` |
 |`keycloak_quarkus_ajp_port`| AJP port | `8009` |
-|`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` |
 |`keycloak_quarkus_service_user`| Posix account username | `keycloak` |
 |`keycloak_quarkus_service_group`| Posix account group | `keycloak` |
 |`keycloak_quarkus_service_restart_always`| systemd restart always behavior activation | `False` |
 |`keycloak_quarkus_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` |
 |`keycloak_quarkus_service_restartsec`| systemd RestartSec | `10s` |
-|`keycloak_quarkus_service_pidfile`| Pid file path for service | `/run/keycloak.pid` |
 |`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-17-openjdk-headless` |
 |`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
-|`keycloak_quarkus_java_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` |
+|`keycloak_quarkus_java_heap_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` |
 |`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak |
 |`keycloak_quarkus_java_opts`| JVM arguments; if overriden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` |
 |`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | |
@@ -49,14 +47,35 @@ Role Defaults
 |`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `{{ keycloak.home }}/conf/server.key.pem` |
 |`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `{{ keycloak.home }}/conf/server.crt.pem` |
 |`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` |
-|`keycloak_quarkus_key_store_file`| The file pat to the key store | `{{ keycloak.home }}/conf/key_store.p12` |
-|`keycloak_quarkus_key_store_password`| Password for the key store | `""` |
-|`keycloak_quarkus_https_trust_store_enabled`| Enalbe confiugration of a trust store | `False` |
-|`keycloak_quarkus_trust_store_file`| The file pat to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
-|`keycloak_quarkus_trust_store_password`| Password for the trust store | `""` |
-|`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwardedPassword`) | `""` |
+|`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. ||
+|`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.||
+|`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` |
+|`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` |
+|`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` |
+|`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
+|`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` |
+|`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwarded`) | `""` |
+|`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty  | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_keystore_password != ''`, else `''` |
+|`keycloak_quarkus_config_key_store_password`| Password of the configuration keystore; if non-empty, `keycloak_quarkus_db_pass` will be saved to the keystore at `keycloak_quarkus_config_key_store_file` instead of being written to the configuration file in clear text | `""` |
+|`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
+|`keycloak_quarkus_configure_iptables` | Ensure iptables is configured for keycloak ports | `False` |

-* Hostname configuration
+
+#### High-availability
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
+|`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `TCPPING` |
+|`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` |
+|`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` |
+|`keycloak_quarkus_systemd_wait_for_port` | Whether systemd unit should wait for keycloak port before returning | `{{ keycloak_quarkus_ha_enabled }}` |
+|`keycloak_quarkus_systemd_wait_for_log` | Whether systemd unit should wait for service to be up in logs | `false` |
+|`keycloak_quarkus_systemd_wait_for_timeout`| How long to wait for service to be alive (seconds) | `60` |
+|`keycloak_quarkus_systemd_wait_for_delay`| Activation delay for service systemd unit (seconds) | `10` |
+
+
+#### Hostname configuration

 | Variable | Description | Default |
 |:---------|:------------|:--------|
@@ -65,7 +84,7 @@ Role Defaults
 |`keycloak_quarkus_hostname_strict_backchannel`| By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled. | `false` |


-* Database configuration
+#### Database configuration

 | Variable | Description | Default |
 |:---------|:------------|:--------|
@@ -76,7 +95,7 @@ Role Defaults
 |`keycloak_quarkus_jdbc_driver_version` | Version for JDBC driver | `9.4.1212` |


-* Remote caches configuration
+#### Remote caches configuration

 | Variable | Description | Default |
 |:---------|:------------|:--------|
@@ -89,18 +108,7 @@ Role Defaults
 |`keycloak_quarkus_ispn_trust_store_password` | Password for infinispan certificate keystore | `changeit` |


-* Install options
-
-| Variable | Description | Default |
-|:---------|:------------|:---------|
-|`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
-|`keycloak_quarkus_version`| keycloak.org package version | `23.0.7` |
-|`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
-|`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
-|`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
-
-
-* Miscellaneous configuration
+#### Miscellaneous configuration

 | Variable | Description | Default |
 |:---------|:------------|:--------|
@@ -127,6 +135,43 @@ Role Defaults
 |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` |
 |`keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route`| If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy | `True` |

+
+#### Vault SPI
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_ks_vault_enabled`| Whether to enable the vault SPI | `false` |
+|`keycloak_quarkus_ks_vault_file`| The keystore path for the vault SPI | `{{ keycloak_quarkus_config_dir }}/keystore.p12` |
+|`keycloak_quarkus_ks_vault_type`| Type of the keystore used for the vault SPI | `PKCS12` |
+
+
+#### Configuring providers
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_providers`| List of provider definitions; see below | `[]` |
+
+Provider definition:
+
+```yaml
+keycloak_quarkus_providers:
+  - id: http-client                         # required
+    spi: connections                        # required if url is not specified
+    default: true                           # optional, whether to set default for spi, default false
+    restart: true                           # optional, whether to restart, default true
+    url: https://.../.../custom_spi.jar     # optional, url for download
+    properties:                             # optional, list of key-values
+      - key: default-connection-pool-size
+        value: 10
+```
+
+the definition above will generate the following build command:
+
+```
+bin/kc.sh build --spi-connections-provider=http-client --spi-connections-http-client-default-connection-pool-size=10
+```
+
+
 Role Variables
 --------------

@@ -135,7 +180,16 @@ Role Variables
 |`keycloak_quarkus_admin_pass`| Password of console admin account | `yes` |
 |`keycloak_quarkus_frontend_url`| Base URL for frontend URLs, including scheme, host, port and path | `no` |
 |`keycloak_quarkus_admin_url`| Base URL for accessing the administration console, including scheme, host, port and path | `no` |
+|`keycloak_quarkus_ks_vault_pass`| The password for accessing the keystore vault SPI | `no` |

+Role custom facts
+-----------------
+
+The role uses the following [custom facts](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html#adding-custom-facts) found in `/etc/ansible/facts.d/keycloak.fact` (and thus identified by the `ansible_local.keycloak.` prefix):
+
+| Variable | Description |
+|:---------|:------------|
+|`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_admin_user[_pass]` gets created |

 License
 -------
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 ### Configuration specific to keycloak
-keycloak_quarkus_version: 23.0.7
+keycloak_quarkus_version: 24.0.3
 keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
 keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
 keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
@@ -16,7 +16,6 @@ keycloak_quarkus_config_dir: "{{ keycloak_quarkus_home }}/conf"
 keycloak_quarkus_start_dev: false
 keycloak_quarkus_service_user: keycloak
 keycloak_quarkus_service_group: keycloak
-keycloak_quarkus_service_pidfile: "/run/keycloak/keycloak.pid"
 keycloak_quarkus_service_restart_always: false
 keycloak_quarkus_service_restart_on_failure: false
 keycloak_quarkus_service_restartsec: "10s"
@@ -52,18 +51,25 @@ keycloak_quarkus_key_file: "{{ keycloak.home }}/conf/server.key.pem"
 keycloak_quarkus_cert_file: "{{ keycloak.home }}/conf/server.crt.pem"
 #### key store configuration
 keycloak_quarkus_https_key_store_enabled: false
-keycloak_quarkus_key_store_file: "{{ keycloak.home }}/conf/key_store.p12"
-keycloak_quarkus_key_store_password: ''
+keycloak_quarkus_https_key_store_file: "{{ keycloak.home }}/conf/key_store.p12"
+keycloak_quarkus_https_key_store_password: ''
 ##### trust store configuration
 keycloak_quarkus_https_trust_store_enabled: false
-keycloak_quarkus_trust_store_file: "{{ keycloak.home }}/conf/trust_store.p12"
-keycloak_quarkus_trust_store_password: ''
+keycloak_quarkus_https_trust_store_file: "{{ keycloak.home }}/conf/trust_store.p12"
+keycloak_quarkus_https_trust_store_password: ''
+### configuration key store configuration
+keycloak_quarkus_config_key_store_file: "{{ keycloak.home }}/conf/conf_store.p12"
+keycloak_quarkus_config_key_store_password: ''

 ### Enable configuration for database backend, clustering and remote caches on infinispan
 keycloak_quarkus_ha_enabled: false
 keycloak_quarkus_ha_discovery: "TCPPING"
 ### Enable database configuration, must be enabled when HA is configured
-keycloak_quarkus_db_enabled: "{{ True if keycloak_quarkus_ha_enabled else False }}"
+keycloak_quarkus_db_enabled: "{{ keycloak_quarkus_ha_enabled }}"
+keycloak_quarkus_systemd_wait_for_port: "{{ keycloak_quarkus_ha_enabled }}"
+keycloak_quarkus_systemd_wait_for_log: false
+keycloak_quarkus_systemd_wait_for_timeout: 60
+keycloak_quarkus_systemd_wait_for_delay: 10

 ### keycloak frontend url
 keycloak_quarkus_frontend_url:
@@ -86,7 +92,8 @@ keycloak_quarkus_proxy_mode: edge
 # disable xa transactions
 keycloak_quarkus_transaction_xa_enabled: true

-# If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy
+# If the route should be attached to cookies to reflect the node that owns a particular session.
+# If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy
 keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: true

 keycloak_quarkus_metrics_enabled: false
@@ -120,7 +127,8 @@ keycloak_quarkus_default_jdbc:
  mssql:
    url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
    version: 12.2.0
-    driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar" # cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/22.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver
+    driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar"
+    # cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/22.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver
 ### logging configuration
 keycloak_quarkus_log: file
 keycloak_quarkus_log_level: info
@@ -130,3 +138,11 @@ keycloak_quarkus_log_target: /var/log/keycloak
 keycloak_quarkus_log_max_file_size: 10M
 keycloak_quarkus_log_max_backup_index: 10
 keycloak_quarkus_log_file_suffix: '.yyyy-MM-dd.zip'
+
+# keystore-based vault
+keycloak_quarkus_ks_vault_enabled: false
+keycloak_quarkus_ks_vault_file: "{{ keycloak_quarkus_config_dir }}/keystore.p12"
+keycloak_quarkus_ks_vault_type: PKCS12
+keycloak_quarkus_ks_vault_pass:
+
+keycloak_quarkus_providers: []
--- a/roles/keycloak_quarkus/handlers/main.yml
+++ b/roles/keycloak_quarkus/handlers/main.yml
@@ -3,6 +3,15 @@
 - name: "Rebuild {{ keycloak.service_name }} config"
  ansible.builtin.include_tasks: rebuild_config.yml
  listen: "rebuild keycloak config"
+- name: "Bootstrapped"
+  ansible.builtin.include_tasks: bootstrapped.yml
+  listen: bootstrapped
 - name: "Restart {{ keycloak.service_name }}"
  ansible.builtin.include_tasks: restart.yml
-  listen: "restart keycloak"
+  listen: "restart keycloak"
+- name: "Print deprecation warning"
+  ansible.builtin.fail:
+    msg: "Deprecation warning: you are using the deprecated variable '{{ deprecated_variable | d('NotSet') }}', check docs on how to upgrade."
+  ignore_errors: true
+  failed_when: false
+  listen: "print deprecation warning"
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -2,7 +2,7 @@ argument_specs:
    main:
        options:
            keycloak_quarkus_version:
-                default: "23.0.7"
+                default: "24.0.3"
                description: "keycloak.org package version"
                type: "str"
            keycloak_quarkus_archive:
@@ -48,10 +48,6 @@ argument_specs:
                default: "keycloak"
                description: "Posix account group"
                type: "str"
-            keycloak_quarkus_service_pidfile:
-                default: "/run/keycloak/keycloak.pid"
-                description: "Pid file path for service"
-                type: "str"
            keycloak_quarkus_configure_firewalld:
                default: false
                description: "Ensure firewalld is running and configure keycloak ports"
@@ -125,25 +121,41 @@ argument_specs:
                description: "Enable configuration of HTTPS via a key store"
                type: "bool"
            keycloak_quarkus_key_store_file:
+                default: ""
+                description: "Deprecated, use `keycloak_quarkus_https_key_store_file` instead."
+                type: "str"
+            keycloak_quarkus_key_store_password:
+                default: ""
+                description: "Deprecated, use `keycloak_quarkus_https_key_store_password` instead."
+                type: "str"
+            keycloak_quarkus_https_key_store_file:
                default: "{{ keycloak.home }}/conf/key_store.p12"
                description: "The file path to the key store"
                type: "str"
-            keycloak_quarkus_key_store_password:
+            keycloak_quarkus_https_key_store_password:
                default: ""
                description: "Password for the key store"
                type: "str"
            keycloak_quarkus_https_trust_store_enabled:
                default: false
-                description: "Enalbe confiugration of a trust store"
+                description: "Enable configuration of the https trust store"
                type: "bool"
-            keycloak_quarkus_trust_store_file:
+            keycloak_quarkus_https_trust_store_file:
                default: "{{ keycloak.home }}/conf/trust_store.p12"
                description: "The file path to the trust store"
                type: "str"
-            keycloak_quarkus_trust_store_password:
+            keycloak_quarkus_https_trust_store_password:
                default: ""
                description: "Password for the trust store"
                type: "str"
+            keycloak_quarkus_config_key_store_file:
+                default: "{{ keycloak.home }}/conf/conf_store.p12"
+                description: "Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty"
+                type: "str"
+            keycloak_quarkus_config_key_store_password:
+                default: ""
+                description: "Password of the configuration key store; if non-empty, `keycloak_quarkus_db_pass` will be saved to the key store at `keycloak_quarkus_config_key_store_file` (instead of being written to the configuration file in clear text"
+                type: "str"
            keycloak_quarkus_https_port:
                default: 8443
                description: "HTTPS port"
@@ -161,7 +173,10 @@ argument_specs:
                description: "Heap memory JVM setting"
                type: "str"
            keycloak_quarkus_java_jvm_opts:
-                default: "-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512"
+                default: >
+                  -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.err.encoding=UTF-8
+                  -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC
+                  -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512
                description: "Other JVM settings"
                type: "str"
            keycloak_quarkus_java_opts:
@@ -272,7 +287,9 @@ argument_specs:
            keycloak_quarkus_log_max_file_size:
                default: 10M
                type: "str"
-                description: "Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): [0-9]+[KkMmGgTtPpEeZzYy]?. If no suffix is given, assume bytes."
+                description: >
+                  Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular
+                  expression): [0-9]+[KkMmGgTtPpEeZzYy]?. If no suffix is given, assume bytes.
            keycloak_quarkus_log_max_backup_index:
                default: 10
                type: "str"
@@ -280,7 +297,9 @@ argument_specs:
            keycloak_quarkus_log_file_suffix:
                default: '.yyyy-MM-dd.zip'
                type: "str"
-                description: "Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with .zip or .gz, the rotation file will also be compressed."
+                description: >
+                  Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix. Note: If the suffix ends
+                  with .zip or .gz, the rotation file will also be compressed.
            keycloak_quarkus_proxy_mode:
                default: 'edge'
                type: "str"
@@ -288,7 +307,7 @@ argument_specs:
            keycloak_quarkus_proxy_headers:
                default: ""
                type: "str"
-                description: "Parse reverse proxy headers (`forwarded` or `xforwardedPassword`), overrides the deprecated keycloak_quarkus_proxy_mode argument"
+                description: "Parse reverse proxy headers (`forwarded` or `xforwarded`), overrides the deprecated keycloak_quarkus_proxy_mode argument"
            keycloak_quarkus_start_dev:
                default: false
                type: "bool"
@@ -300,19 +319,76 @@ argument_specs:
            keycloak_quarkus_hostname_strict:
                default: true
                type: "bool"
-                description: "Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless proxy verifies the Host header."
+                description: >
+                  Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless
+                  proxy verifies the Host header.
            keycloak_quarkus_hostname_strict_backchannel:
                default: false
                type: "bool"
-                description: "By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled."
+                description: >
+                  By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all
+                  applications use the public URL this option should be enabled.
            keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route:
                default: true
                type: "bool"
-                description: "If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy"
+                description: >
+                  If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies
+                  and we rely on the session affinity capabilities from reverse proxy
+            keycloak_quarkus_hostname_strict_https:
+                type: "bool"
+                required: false
+                description: >
+                  By default, Keycloak requires running using TLS/HTTPS. If the service MUST run without TLS/HTTPS, then set
+                  this option to "true"
+            keycloak_quarkus_ks_vault_enabled:
+                default: false
+                type: "bool"
+                description: "Whether to enable vault SPI"
+            keycloak_quarkus_ks_vault_file:
+                default: "{{ keycloak_quarkus_config_dir }}/keystore.p12"
+                type: "str"
+                description: "The keystore path for the vault SPI"
+            keycloak_quarkus_ks_vault_type:
+                default: "PKCS12"
+                type: "str"
+                description: "Type of the keystore used for the vault SPI"
+            keycloak_quarkus_ks_vault_pass:
+                required: false
+                type: "str"
+                description: "The password for accessing the keystore vault SPI"
+            keycloak_quarkus_systemd_wait_for_port:
+                description: 'Whether systemd unit should wait for keycloak port before returning'
+                default: "{{ keycloak_quarkus_ha_enabled }}"
+                type: "bool"
+            keycloak_quarkus_systemd_wait_for_log:
+                description: 'Whether systemd unit should wait for service to be up in logs'
+                default: false
+                type: "bool"
+            keycloak_quarkus_systemd_wait_for_timeout:
+                description: "How long to wait for service to be alive (seconds)"
+                default: 60
+                type: 'int'
+            keycloak_quarkus_systemd_wait_for_delay:
+                description: "Activation delay for service systemd unit (seconds)"
+                default: 10
+                type: 'int'
+            keycloak_quarkus_providers:
+                description: "List of provider definition dicts: { 'id': str, 'spi': str, 'url': str, 'default': bool, 'properties': list of key/value }"
+                default: []
+                type: "list"
+            keycloak_quarkus_jdbc_download_url:
+                description: "Override the default Maven Central download URL for the JDBC driver"
+                type: "str"
+            keycloak_quarkus_jdbc_download_user:
+                description: "Set a username with which to authenticate when downloading JDBC drivers from an alternative location"
+                type: "str"
+            keycloak_quarkus_jdbc_download_pass:
+                description: "Set a password with which to authenticate when downloading JDBC drivers from an alternative location (requires keycloak_quarkus_jdbc_download_user)"
+                type: "str"
    downstream:
        options:
            rhbk_version:
-                default: "22.0.6"
+                default: "22.0.10"
                description: "Red Hat Build of Keycloak version"
                type: "str"
            rhbk_archive:
@@ -334,7 +410,7 @@ argument_specs:
            rhbk_enable:
                default: true
                description: "Enable Red Hat Build of Keycloak installation"
-                type: "str"
+                type: "bool"
            rhbk_offline_install:
                default: false
                description: "Perform an offline install"
--- a/roles/keycloak_quarkus/tasks/bootstrapped.yml
+++ b/roles/keycloak_quarkus/tasks/bootstrapped.yml
@@ -0,0 +1,16 @@
+---
+- name: Write ansible custom facts
+  become: true
+  ansible.builtin.template:
+    src: keycloak.fact.j2
+    dest: /etc/ansible/facts.d/keycloak.fact
+    mode: '0644'
+  vars:
+    bootstrapped: true
+
+- name: Re-read custom facts
+  ansible.builtin.setup:
+    filter: ansible_local
+
+- name: Ensure that `KEYCLOAK_ADMIN[_PASSWORD]` get purged
+  ansible.builtin.include_tasks: systemd.yml
--- a/roles/keycloak_quarkus/tasks/config_store.yml
+++ b/roles/keycloak_quarkus/tasks/config_store.yml
@@ -0,0 +1,52 @@
+---
+- name: "Initialize configuration key store variables to be written"
+  ansible.builtin.set_fact:
+    store_items:
+      - key: "kc.db-password"
+        value: "{{ keycloak_quarkus_db_pass }}"
+
+- name: "Initialize empty configuration key store"
+  become: true
+  # keytool doesn't allow creating an empty key store, so this is a hacky way around it
+  ansible.builtin.shell: |
+    set -o nounset   # abort on unbound variable
+    set -o pipefail  # do not hide errors within pipes
+    set -o errexit   # abort on nonzero exit status
+
+    echo dummy | keytool -noprompt -importpass -alias dummy -keystore {{ keycloak_quarkus_config_key_store_file | quote }} -storepass {{ keycloak_quarkus_config_key_store_password | quote }} -storetype PKCS12
+    keytool -delete -alias dummy -keystore {{ keycloak_quarkus_config_key_store_file | quote }} -storepass {{ keycloak_quarkus_config_key_store_password | quote }}
+  args:
+    creates: "{{ keycloak_quarkus_config_key_store_file }}"
+
+- name: "Set configuration key store using keytool"
+  ansible.builtin.shell: |
+    set -o nounset   # abort on unbound variable
+    set -o pipefail  # do not hide errors within pipes
+
+    keytool -list -alias {{ item.key | quote }} -keystore {{ keycloak_quarkus_config_key_store_file | quote }} -storepass {{ keycloak_quarkus_config_key_store_password | quote }}
+    retVal=$?
+
+    set -o errexit   # abort on nonzero exit status
+
+    if [ $retVal -eq 0 ]; then
+      # value is already in keystore, but keytool has no replace function: delete and re-create instead
+      # note that we can not read whether the value has changed either[^1], so we need to override it
+      # [^1]: https://stackoverflow.com/a/37491400
+      keytool -delete -alias {{ item.key | quote }} -keystore {{ keycloak_quarkus_config_key_store_file | quote }} -storepass {{ keycloak_quarkus_config_key_store_password | quote }}
+    fi
+
+    echo {{ item.value | quote }} | keytool -noprompt -importpass -alias {{ item.key | quote }} -keystore {{ keycloak_quarkus_config_key_store_file | quote }} -storepass {{ keycloak_quarkus_config_key_store_password | quote }} -storetype PKCS12
+  with_items: "{{ store_items }}"
+  no_log: true
+  become: true
+  changed_when: true
+  notify:
+    - restart keycloak
+
+- name: "Set owner of configuration key store {{ keycloak_quarkus_config_key_store_file }}"
+  ansible.builtin.file:
+    path: "{{ keycloak_quarkus_config_key_store_file }}"
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+    mode: '0400'
+  become: true
--- a/roles/keycloak_quarkus/tasks/deprecations.yml
+++ b/roles/keycloak_quarkus/tasks/deprecations.yml
@@ -0,0 +1,36 @@
+---
+- name: Check deprecation keycloak_quarkus_key_store -> keycloak_quarkus_http_key_store
+  delegate_to: localhost
+  run_once: true
+  when:
+    - keycloak_quarkus_https_key_store_enabled
+  block:
+    - name: Ensure backward compatibility for `keycloak_quarkus_key_store_file`, superseded by `keycloak_quarkus_https_key_store_file`
+      when:
+        - keycloak_quarkus_key_store_file is defined
+        - keycloak_quarkus_key_store_file != ''
+        - keycloak_quarkus_https_key_store_file == keycloak.home + "/conf/key_store.p12" # default value
+      changed_when: true
+      ansible.builtin.set_fact:
+        keycloak_quarkus_https_key_store_file: "{{ keycloak_quarkus_key_store_file }}"
+        deprecated_variable: "keycloak_quarkus_key_store_file" # read in deprecation handler
+      notify:
+        - print deprecation warning
+
+    - name: Flush handlers
+      ansible.builtin.meta: flush_handlers
+
+    - name: Ensure backward compatibility for `keycloak_quarkus_key_store_password`, superseded by `keycloak_quarkus_https_key_store_password`
+      when:
+        - keycloak_quarkus_key_store_password is defined
+        - keycloak_quarkus_key_store_password != ''
+        - keycloak_quarkus_https_key_store_password == "" # default value
+      changed_when: true
+      ansible.builtin.set_fact:
+        keycloak_quarkus_https_key_store_password: "{{ keycloak_quarkus_key_store_password }}"
+        deprecated_variable: "keycloak_quarkus_key_store_password" # read in deprecation handler
+      notify:
+        - print deprecation warning
+
+    - name: Flush handlers
+      ansible.builtin.meta: flush_handlers
--- a/roles/keycloak_quarkus/tasks/fastpackages.yml
+++ b/roles/keycloak_quarkus/tasks/fastpackages.yml
@@ -8,7 +8,8 @@

 - name: "Add missing packages to the yum install list"
  ansible.builtin.set_fact:
-    packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
+    packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | \
+                             map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
  when: ansible_facts.os_family == "RedHat"

 - name: "Install packages: {{ packages_to_install }}"
@@ -17,8 +18,8 @@
    name: "{{ packages_to_install }}"
    state: present
  when:
-  - packages_to_install | default([]) | length > 0
-  - ansible_facts.os_family == "RedHat"
+    - packages_to_install | default([]) | length > 0
+    - ansible_facts.os_family == "RedHat"

 - name: "Install packages: {{ packages_list }}"
  become: true
--- a/roles/keycloak_quarkus/tasks/install.yml
+++ b/roles/keycloak_quarkus/tasks/install.yml
@@ -22,7 +22,7 @@
    name: "{{ keycloak.service_user }}"
    home: /opt/keycloak
    system: true
-    create_home: no
+    create_home: false

 - name: "Create {{ keycloak.service_name }} install location"
  become: true
@@ -33,6 +33,13 @@
    group: "{{ keycloak.service_group }}"
    mode: '0750'

+- name: Create directory for ansible custom facts
+  become: true
+  ansible.builtin.file:
+    state: directory
+    recurse: true
+    path: /etc/ansible/facts.d
+
 ## check remote archive
 - name: Set download archive path
  ansible.builtin.set_fact:
@@ -132,7 +139,7 @@
  register: path_to_workdir
  become: true

- name: "Extract Keycloak archive on target"
+- name: "Extract Keycloak archive on target" # noqa no-handler need to run this here
  ansible.builtin.unarchive:
    remote_src: true
    src: "{{ archive }}"
@@ -157,3 +164,15 @@
  when:
    - rhbk_enable is defined and rhbk_enable
    - keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url is defined
+
+- name: "Download custom providers"
+  ansible.builtin.get_url:
+    url: "{{ item.url }}"
+    dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar"
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+    mode: '0640'
+  become: true
+  loop: "{{ keycloak_quarkus_providers }}"
+  when: item.url is defined and item.url | length > 0
+  notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}"
--- a/roles/keycloak_quarkus/tasks/jdbc_driver.yml
+++ b/roles/keycloak_quarkus/tasks/jdbc_driver.yml
@@ -1,11 +1,18 @@
 ---
-
- name: "Retrieve JDBC Driver from {{ keycloak_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url }}"
+- name: "Verify valid parameters for download credentials when specified"
+  ansible.builtin.fail:
+    msg: >-
+      When JDBC driver download credentials are set, both the username and the password MUST be set
+  when:
+    - (keycloak_jdbc_download_user is undefined and keycloak_jdbc_download_pass is not undefined) or (keycloak_jdbc_download_pass is undefined and keycloak_jdbc_download_user is not undefined)
+- name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_user | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
  ansible.builtin.get_url:
-    url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url }}"
+    url: "{{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
    dest: "{{ keycloak.home }}/providers"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
+    url_username: "{{ keycloak_jdbc_download_user | default(omit) }}"
+    url_password: "{{ keycloak_jdbc_download_pass | default(omit) }}"
    mode: '0640'
  become: true
  notify:
--- a/roles/keycloak_quarkus/tasks/main.yml
+++ b/roles/keycloak_quarkus/tasks/main.yml
@@ -6,6 +6,11 @@
    - prereqs
    - always

+- name: Check for deprecations
+  ansible.builtin.include_tasks: deprecations.yml
+  tags:
+    - always
+
 - name: Distro specific tasks
  ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml"
  tags:
@@ -21,28 +26,11 @@
  tags:
    - systemd

- name: "Configure config for keycloak service"
-  ansible.builtin.template:
-    src: keycloak.conf.j2
-    dest: "{{ keycloak.home }}/conf/keycloak.conf"
-    owner: "{{ keycloak.service_user }}"
-    group: "{{ keycloak.service_group }}"
-    mode: '0640'
-  become: true
-  notify:
-    - rebuild keycloak config
-    - restart keycloak
-
- name: "Configure quarkus config for keycloak service"
-  ansible.builtin.template:
-    src: quarkus.properties.j2
-    dest: "{{ keycloak.home }}/conf/quarkus.properties"
-    owner: "{{ keycloak.service_user }}"
-    group: "{{ keycloak.service_group }}"
-    mode: '0640'
-  become: true
-  notify:
-    - restart keycloak
+- name: Include configuration key store tasks
+  when: keycloak.config_key_store_enabled
+  ansible.builtin.include_tasks: config_store.yml
+  tags:
+    - install

 - name: Create tcpping cluster node list
  ansible.builtin.set_fact:
@@ -58,14 +46,18 @@
  loop: "{{ ansible_play_batch }}"
  when: keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING'

- name: "Configure infinispan config for keycloak service"
+- name: "Configure config files for keycloak service"
  ansible.builtin.template:
-    src: cache-ispn.xml.j2
-    dest: "{{ keycloak.home }}/conf/cache-ispn.xml"
+    src: "{{ item }}.j2"
+    dest: "{{ keycloak.home }}/conf/{{ item }}"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0640'
  become: true
+  loop:
+    - keycloak.conf
+    - quarkus.properties
+    - cache-ispn.xml
  notify:
    - rebuild keycloak config
    - restart keycloak
@@ -73,7 +65,7 @@
 - name: Ensure logdirectory exists
  ansible.builtin.file:
    state: directory
-    path:  "{{ keycloak.log.file | dirname }}"
+    path: "{{ keycloak.log.file | dirname }}"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0775'
@@ -85,11 +77,6 @@
 - name: "Start and wait for keycloak service"
  ansible.builtin.include_tasks: start.yml

- name: Check service status
-  ansible.builtin.command: "systemctl status keycloak"
-  register: keycloak_service_status
-  changed_when: false
-
 - name: Link default logs directory
  ansible.builtin.file:
    state: link
@@ -97,3 +84,21 @@
    dest: "{{ keycloak_quarkus_log_target }}"
    force: true
  become: true
+
+- name: Check service status
+  ansible.builtin.systemd_service:
+    name: "{{ keycloak.service_name }}"
+  register: keycloak_service_status
+  changed_when: false
+
+- name: "Trigger bootstrapped notification: remove `keycloak_quarkus_admin_user[_pass]` env vars"
+  when:
+    - not ansible_local.keycloak.general.bootstrapped | default(false) | bool # it was not bootstrapped prior to the current role's execution
+    - keycloak_service_status.status.ActiveState == "active"                  # but it is now
+  ansible.builtin.assert: { that: true, quiet: true }
+  changed_when: true
+  notify:
+    - bootstrapped
+
+- name: Flush pending handlers
+  ansible.builtin.meta: flush_handlers
--- a/roles/keycloak_quarkus/tasks/prereqs.yml
+++ b/roles/keycloak_quarkus/tasks/prereqs.yml
@@ -4,7 +4,7 @@
    that:
      - keycloak_quarkus_admin_pass | length > 12
    quiet: true
-    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass variable to a 12+ char long string"
+    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass to a 12+ char long string"
    success_msg: "{{ 'Console administrator password OK' }}"

 - name: Validate relative path
@@ -12,15 +12,17 @@
    that:
      - keycloak_quarkus_http_relative_path is regex('^/.*')
    quiet: true
-    fail_msg: "the relative path must begin with /"
-    success_msg: "{{ 'relative path OK' }}"
+    fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /"
+    success_msg: "{{ 'Relative path OK' }}"

 - name: Validate configuration
  ansible.builtin.assert:
    that:
-      - (keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and not keycloak_quarkus_db_enabled)
+      - (keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or
+        (not keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or
+        (not keycloak_quarkus_ha_enabled and not keycloak_quarkus_db_enabled)
    quiet: true
-    fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled"
+    fail_msg: "HA setup requires a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled"
    success_msg: "{{ 'Configuring HA' if keycloak_quarkus_ha_enabled else 'Configuring standalone' }}"

 - name: Validate OS family
@@ -40,3 +42,26 @@
  ansible.builtin.include_tasks: fastpackages.yml
  vars:
    packages_list: "{{ keycloak_quarkus_prereq_package_list }}"
+
+- name: "Validate keytool"
+  when: keycloak_quarkus_config_key_store_password | length > 0
+  block:
+    - name: "Attempt to run keytool"
+      changed_when: false
+      ansible.builtin.command: keytool -help
+      register: keytool_check
+      ignore_errors: true
+
+    - name: "Fail when no keytool found"
+      when: keytool_check.rc != 0
+      ansible.builtin.fail:
+        msg: "keytool NOT found in the PATH, but is required for setting up the configuration key store"
+
+- name: "Validate providers"
+  ansible.builtin.assert:
+    that:
+      - item.id is defined and item.id | length > 0
+      - (item.spi is defined and item.spi | length > 0) or (item.url is defined and item.url | length > 0)
+    quiet: true
+    fail_msg: "Providers definition is incorrect; `id` and one of `spi` or `url` are mandatory. `key` and `value` are mandatory for each property"
+  loop: "{{ keycloak_quarkus_providers }}"
--- a/roles/keycloak_quarkus/tasks/restart.yml
+++ b/roles/keycloak_quarkus/tasks/restart.yml
@@ -1,5 +1,6 @@
 ---
 - name: "Restart and enable {{ keycloak.service_name }} service"
+  throttle: 1
  ansible.builtin.systemd:
    name: keycloak
    enabled: true
--- a/roles/keycloak_quarkus/tasks/start.yml
+++ b/roles/keycloak_quarkus/tasks/start.yml
@@ -13,4 +13,4 @@
  register: keycloak_status
  until: keycloak_status.status == 200
  retries: 25
-  delay: 10
+  delay: 10
--- a/roles/keycloak_quarkus/tasks/systemd.yml
+++ b/roles/keycloak_quarkus/tasks/systemd.yml
@@ -8,7 +8,7 @@
    group: root
    mode: '0640'
  vars:
-    keycloak_pkg_java_home: "{{ keycloak_quarkus_pkg_java_home }}"
+    keycloak_sys_pkg_java_home: "{{ keycloak_quarkus_pkg_java_home }}"
  notify:
    - restart keycloak

--- a/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
+++ b/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
@@ -1,6 +1,10 @@
 {{ ansible_managed | comment }}
+{% if not ansible_local.keycloak.general.bootstrapped | default(false) | bool %}
 KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }}
 KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'
-PATH={{ keycloak_quarkus_java_home | default(keycloak_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-JAVA_HOME={{ keycloak_quarkus_java_home | default(keycloak_pkg_java_home, true) }}
+{% else %}
+{{ keycloak.bootstrap_mnemonic }}
+{% endif %}
+PATH={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+JAVA_HOME={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}
 JAVA_OPTS={{ keycloak_quarkus_java_opts }}
--- a/roles/keycloak_quarkus/templates/keycloak.conf.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.conf.j2
@@ -5,8 +5,24 @@
 db={{ keycloak_quarkus_jdbc_engine }}
 db-url={{ keycloak_quarkus_jdbc_url }}
 db-username={{ keycloak_quarkus_db_user }}
+{% if not keycloak.config_key_store_enabled %}
 db-password={{ keycloak_quarkus_db_pass }}
 {% endif %}
+{% endif %}
+
+{% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas true -%}
+hostname-strict-https=true
+{% endif -%}
+{% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas false -%}
+hostname-strict-https=false
+{% endif -%}
+
+{% if keycloak.config_key_store_enabled %}
+# Config store
+config-keystore={{ keycloak_quarkus_config_key_store_file }}
+config-keystore-password={{ keycloak_quarkus_config_key_store_password }}
+config-keystore-type=PKCS12
+{% endif %}

 # Observability
 metrics-enabled={{ keycloak_quarkus_metrics_enabled | lower }}
@@ -24,12 +40,12 @@ https-certificate-file={{ keycloak_quarkus_cert_file}}
 https-certificate-key-file={{ keycloak_quarkus_key_file }}
 {% endif %}
 {% if keycloak_quarkus_https_key_store_enabled %}
-https-key-store-file={{ keycloak_quarkus_key_store_file }}
-https-key-store-password={{ keycloak_quarkus_key_store_password }}
+https-key-store-file={{ keycloak_quarkus_https_key_store_file }}
+https-key-store-password={{ keycloak_quarkus_https_key_store_password }}
 {% endif %}
 {% if keycloak_quarkus_https_trust_store_enabled %}
-https-trust-store-file={{ keycloak_quarkus_trust_store_file }}
-https-trust-store-password={{ keycloak_quarkus_trust_store_password }}
+https-trust-store-file={{ keycloak_quarkus_https_trust_store_file }}
+https-trust-store-password={{ keycloak_quarkus_https_trust_store_password }}
 {% endif %}

 # Client URL configuration
@@ -73,3 +89,22 @@ log={{ keycloak_quarkus_log }}
 log-level={{ keycloak.log.level }}
 log-file={{ keycloak.log.file }}
 log-file-format={{ keycloak.log.format }}
+
+# Vault
+{% if keycloak_quarkus_ks_vault_enabled %}
+vault=keystore
+vault-file={{ keycloak_quarkus_ks_vault_file }}
+vault-type={{ keycloak_quarkus_ks_vault_type }}
+vault-pass={{ keycloak_quarkus_ks_vault_pass }}
+{% endif %}
+
+
+# Providers
+{% for provider in keycloak_quarkus_providers %}
+{% if provider.default is defined and provider.default %}
+spi-{{ provider.spi }}-provider={{ provider.id }}
+{% endif %}
+{% if provider.properties is defined %}{% for property in provider.properties %}
+spi-{{ provider.spi }}-{{ provider.id }}-{{ property.key }}={{ property.value }}
+{% endfor %}{% endif %}
+{% endfor %}
--- a/roles/keycloak_quarkus/templates/keycloak.fact.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.fact.j2
@@ -0,0 +1,2 @@
+[general]
+bootstrapped={{ bootstrapped | lower }}
--- a/roles/keycloak_quarkus/templates/keycloak.service.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.service.j2
@@ -4,9 +4,7 @@ Description=Keycloak Server
 After=network.target

 [Service]
-Type=simple
 EnvironmentFile=-{{ keycloak_quarkus_sysconf_file }}
-PIDFile={{ keycloak_quarkus_service_pidfile }}
 {% if keycloak_quarkus_start_dev %}
 ExecStart={{ keycloak.home }}/bin/kc.sh start-dev
 {% else %}
@@ -14,15 +12,22 @@ ExecStart={{ keycloak.home }}/bin/kc.sh start --optimized
 {% endif %}
 User={{ keycloak.service_user }}
 Group={{ keycloak.service_group }}
+SuccessExitStatus=0 143
 {% if keycloak_quarkus_service_restart_always %}
 Restart=always
 {% elif keycloak_quarkus_service_restart_on_failure %}
 Restart=on-failure
 {% endif %}
 RestartSec={{ keycloak_quarkus_service_restartsec }}
-{% if keycloak_quarkus_http_port|int < 1024 or keycloak_quarkus_https_port|int < 1024 %}
+{% if keycloak_quarkus_http_port | int < 1024 or keycloak_quarkus_https_port | int < 1024 %}
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 {% endif %}
+{% if keycloak_quarkus_systemd_wait_for_port %}
+ExecStartPost=/usr/bin/timeout {{ keycloak_quarkus_systemd_wait_for_timeout }} sh -c 'while ! ss -H -t -l -n sport = :{{ keycloak_quarkus_https_port }} | grep -q "^LISTEN.*:{{ keycloak_quarkus_https_port }}"; do sleep 1; done && /bin/sleep {{ keycloak_quarkus_systemd_wait_for_delay }}'
+{% endif %}
+{% if keycloak_quarkus_systemd_wait_for_log %}
+ExecStartPost=/usr/bin/timeout {{ keycloak_quarkus_systemd_wait_for_timeout }} sh -c 'cat {{ keycloak.log.file }} | sed "/Profile.*activated/ q" && /bin/sleep {{ keycloak_quarkus_systemd_wait_for_delay }}'
+{% endif %}

 [Install]
 WantedBy=multi-user.target
--- a/roles/keycloak_quarkus/vars/debian.yml
+++ b/roles/keycloak_quarkus/vars/debian.yml
@@ -1,10 +1,11 @@
 ---
 keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('openjdk-17-jdk-headless') }}"
 keycloak_quarkus_prereq_package_list:
-      - "{{ keycloak_quarkus_varjvm_package  }}"
+      - "{{ keycloak_quarkus_varjvm_package }}"
      - unzip
      - procps
      - apt
      - tzdata
 keycloak_quarkus_sysconf_file: /etc/default/keycloak
-keycloak_quarkus_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_quarkus_varjvm_package | regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
+keycloak_quarkus_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_quarkus_varjvm_package | \
+                                 regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
--- a/roles/keycloak_quarkus/vars/main.yml
+++ b/roles/keycloak_quarkus/vars/main.yml
@@ -1,15 +1,18 @@
 ---
-keycloak:
+keycloak: # noqa var-naming this is an internal dict of interpolated values
  home: "{{ keycloak_quarkus_home }}"
  config_dir: "{{ keycloak_quarkus_config_dir }}"
  bundle: "{{ keycloak_quarkus_archive }}"
  service_name: "keycloak"
-  health_url: "http://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_http_port }}{{ keycloak_quarkus_http_relative_path }}{{ '/' if keycloak_quarkus_http_relative_path | length > 1 else '' }}realms/master/.well-known/openid-configuration"
+  health_url: "http://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_http_port }}{{ keycloak_quarkus_http_relative_path }}{{ '/' \
+               if keycloak_quarkus_http_relative_path | length > 1 else '' }}realms/master/.well-known/openid-configuration"
  cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh"
  service_user: "{{ keycloak_quarkus_service_user }}"
  service_group: "{{ keycloak_quarkus_service_group }}"
  offline_install: "{{ keycloak_quarkus_offline_install }}"
+  config_key_store_enabled: "{{ keycloak_quarkus_config_key_store_password != '' }}"
  log:
    file: "{{ keycloak_quarkus_home }}/{{ keycloak_quarkus_log_file }}"
    level: "{{ keycloak_quarkus_log_level }}"
    format: "{{ keycloak_quarkus_log_format }}"
+  bootstrap_mnemonic: "# ansible-middleware/keycloak: bootstrapped"
--- a/roles/keycloak_realm/defaults/main.yml
+++ b/roles/keycloak_realm/defaults/main.yml
@@ -26,14 +26,14 @@ keycloak_admin_password: ''
 # and users is a list of account, see below for the format definition
 # an empty name will skip the creation of the client
 #
-#keycloak_clients:
-#  - name: ''
-#    roles: "{{ keycloak_client_default_roles }}"
-#    realm: "{{ keycloak_realm }}"
-#    public_client: "{{ keycloak_client_public }}"
-#    web_origins: "{{ keycloak_client_web_origins }}"
-#    redirect_uris: "{{ keycloak_client_redirect_uris }}"
-#    users: "{{ keycloak_client_users }}"
+# keycloak_clients:
+#   - name: ''
+#     roles: "{{ keycloak_client_default_roles }}"
+#     realm: "{{ keycloak_realm }}"
+#     public_client: "{{ keycloak_client_public }}"
+#     web_origins: "{{ keycloak_client_web_origins }}"
+#     redirect_uris: "{{ keycloak_client_redirect_uris }}"
+#     users: "{{ keycloak_client_users }}"
 keycloak_clients: []

 # list of roles to create in the client
--- a/roles/keycloak_realm/meta/argument_specs.yml
+++ b/roles/keycloak_realm/meta/argument_specs.yml
@@ -10,7 +10,7 @@ argument_specs:
                # line 5 of keycloak_realm/defaults/main.yml
                default: "/auth"
                description: "Context path for rest calls"
-                type: "str"                
+                type: "str"
            keycloak_http_port:
                # line 4 of keycloak_realm/defaults/main.yml
                default: 8080
@@ -112,7 +112,7 @@ argument_specs:
            sso_enable:
                default: true
                description: "Enable Red Hat Single Sign-on installation"
-                type: "str"
+                type: "bool"
            rhbk_version:
                default: "22.0.6"
                description: "Red Hat Build of Keycloak version"
@@ -132,4 +132,4 @@ argument_specs:
            rhbk_enable:
                default: true
                description: "Enable Red Hat Build of Keycloak installation"
-                type: "str"
+                type: "bool"
--- a/roles/keycloak_realm/tasks/manage_client_users.yml
+++ b/roles/keycloak_realm/tasks/manage_client_users.yml
@@ -10,4 +10,4 @@
  loop: "{{ client.users | flatten }}"
  loop_control:
    loop_var: user
-  when: "'client_roles' in user"
+  when: "'client_roles' in user"
--- a/roles/keycloak_realm/tasks/manage_user_client_roles.yml
+++ b/roles/keycloak_realm/tasks/manage_user_client_roles.yml
@@ -12,7 +12,9 @@

 - name: Check if Mapping is available
  ansible.builtin.uri:
-    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
+    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | \
+          default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | \
+          selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
    method: GET
    status_code:
      - 200
@@ -23,7 +25,9 @@

 - name: "Create Role Mapping"
  ansible.builtin.uri:
-    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}"
+    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | \
+          default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | \
+          selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}"
    method: POST
    body:
      - id: "{{ item.id }}"
Author	SHA1	Message	Date
ansible-middleware-core	1ab3ebc2a4	Update changelog for release 2.2.1 Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>	2024-05-02 16:59:47 +00:00
Guido Grazioli	d16c23faf9	Merge pull request #204 from InfoSec812/Issue_203-_-fix-input-validation-when-clause Fix logic in when clause	2024-05-02 18:46:05 +02:00
Deven Phillips	978494524f	Fix errors introduced	2024-05-02 12:31:16 -04:00
Deven Phillips	1a73c39a91	Fix logic in when clause	2024-05-02 12:09:36 -04:00
ansible-middleware-core	9e6a6f6076	Bump version to 2.2.1	2024-05-01 14:44:15 +00:00
ansible-middleware-core	55f6881b2f	Update changelog for release 2.2.0 Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>	2024-05-01 14:44:01 +00:00
Guido Grazioli	41cbcc41e8	Merge pull request #202 from InfoSec812/Issue_200-_-customize-jdbc-driver-downloads Customize jdbc driver downloads, optional authentication	2024-05-01 10:01:32 +02:00
Deven Phillips	c2904bf20d	Use FQCN for fail module	2024-04-30 14:48:10 -04:00
Deven Phillips	e76b33e1db	Merge remote-tracking branch 'upstream/main' into Issue_200-_-customize-jdbc-driver-downloads	2024-04-30 14:29:26 -04:00
Deven Phillips	a7b9f0ef97	Add option to override JDBC download parameters	2024-04-30 14:27:42 -04:00
Guido Grazioli	eafc4586d6	ci: turn historicized docs off	2024-04-30 13:09:27 +02:00
Guido Grazioli	8493adc5c8	Merge pull request #201 from guidograzioli/custom_providers Providers config and custom providers	2024-04-30 12:47:53 +02:00
Guido Grazioli	43b9ffcb64	Providers config and custom providers	2024-04-30 10:45:20 +02:00
Guido Grazioli	a33393a477	ci: downstream molecule fixes	2024-04-25 14:11:05 +02:00
Guido Grazioli	278a70d627	ci: downstream molecule fixes	2024-04-25 13:57:31 +02:00
Guido Grazioli	6967385c7f	ci: downstream molecule fixes	2024-04-25 13:03:03 +02:00
Guido Grazioli	ac23e04d6a	ci: downstream molecule fixes	2024-04-25 08:16:56 +02:00
Guido Grazioli	4c056d886e	ci: downstream molecule fixes	2024-04-24 21:20:16 +02:00
Guido Grazioli	213a9a0766	ci: downstream molecule fixes	2024-04-24 17:56:15 +02:00
Guido Grazioli	2925ea8cf1	Add wait_for systemd logic	2024-04-24 16:17:05 +02:00
Guido Grazioli	82498ab3f5	Merge pull request #195 from InfoSec812/Issue-193_-_add-option-for-hostname-strict-https Added hostname-strict-https option	2024-04-19 16:05:46 +02:00
Guido Grazioli	16accd5e30	Merge branch 'main' into Issue-193_-_add-option-for-hostname-strict-https	2024-04-19 16:00:09 +02:00
Deven Phillips	04bb465992	Added argument specs	2024-04-19 09:55:08 -04:00
Guido Grazioli	b978e8bb88	Merge pull request #197 from world-direct/feature/190_remove_KEYCLOAK_ADMIN_envs #190: remove `keycloak_quarkus_admin_user[_pass]` once keycloak is bootstrapped	2024-04-19 14:44:05 +02:00
Helmut Wolf	289b4767e0	#190 : remove `keycloak_quarkus_admin_user[_pass]` once keycloak is bootstrapped	2024-04-19 13:42:28 +02:00
Guido Grazioli	9a961f743b	Merge pull request #196 from guidograzioli/172_vaults Keystore based vault SPI	2024-04-19 09:06:38 +02:00
Deven Phillips	b8cba487ac	Add better error trapping for booleans	2024-04-18 13:15:46 -04:00
Guido Grazioli	ff198bcd3e	workaround debug logfile too long for slurp	2024-04-18 11:06:14 +02:00
Guido Grazioli	d06dcea998	Add argument specs, update README	2024-04-18 10:49:38 +02:00
Guido Grazioli	89db3fa36f	Implement vault config	2024-04-18 10:44:17 +02:00
Guido Grazioli	cd8d61afc3	Update molecule test for keystore vault	2024-04-18 10:43:48 +02:00
Deven Phillips	47e6644fdd	Ensure that value for keycloak_quarkus_hostname_strict_https is boolean, otherwise ignore it	2024-04-17 16:57:52 -04:00
Deven Phillips	3e28b3f4f7	Added hostname-strict-https option	2024-04-17 16:52:18 -04:00
Guido Grazioli	f7bcac79d0	Merge pull request #194 from guidograzioli/keycloak_24_update Update keycloak to 24.0	2024-04-17 18:16:34 +02:00
Guido Grazioli	10057262bc	'fix' changelog	2024-04-17 18:07:42 +02:00
Guido Grazioli	5808d055ae	Update keycloak to 24.0	2024-04-17 17:53:13 +02:00
Guido Grazioli	8060dd7fb8	Bump minor and start 2.2	2024-04-17 17:51:33 +02:00
Guido Grazioli	4f8ed5194c	Merge pull request #189 from world-direct/feature/188_config_keystore #188: add support for configuration key store	2024-04-17 17:50:30 +02:00
ansible-middleware-core	462389cf0f	Bump version to 2.1.3	2024-04-17 15:49:15 +00:00
ansible-middleware-core	903938ca16	Update changelog for release 2.1.2 Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>	2024-04-17 15:49:00 +00:00
Guido Grazioli	74636e8629	ci: final round of linting	2024-04-17 17:29:38 +02:00
Guido Grazioli	6706fd9bf5	ci: bump and fix final linter warnings	2024-04-17 17:24:57 +02:00
Helmut Wolf	e991bd32c8	Fix typos	2024-04-17 17:09:44 +02:00
Helmut Wolf	d469d389f3	Fix linter issues	2024-04-17 17:09:44 +02:00
Helmut Wolf	c38642e0cd	#188 : fail early when no `keytool` installed	2024-04-17 17:09:44 +02:00
Helmut Wolf	0ee29eb483	#188 : keycloak_quarkus: allow setting "sensitive options" using a Java KeyStore file #188	2024-04-17 17:09:44 +02:00
Helmut Wolf	60ca798e1a	Rename `keycloak_quarkus__store_` attributes	2024-04-17 17:09:44 +02:00
Helmut Wolf	921364b451	Fix docs	2024-04-17 17:09:44 +02:00
Guido Grazioli	50d189ee14	ci: more linter fixes	2024-04-17 16:56:56 +02:00
Guido Grazioli	5b459f3dde	ci: more linter fixes	2024-04-17 16:48:24 +02:00
Guido Grazioli	f0318b2ecf	Merge pull request #192 from guidograzioli/xxx_linter_1 Comprehensive linter warning fixes	2024-04-17 16:26:18 +02:00
Guido Grazioli	1f910bd400	Comprehensive linter warning fixes	2024-04-17 16:19:34 +02:00
Guido Grazioli	d17c364257	downstream: ci sudo workaround	2024-04-17 12:14:25 +02:00
Guido Grazioli	1ff6f237a9	Bump 2.1.1	2024-04-17 11:58:11 +02:00
Guido Grazioli	0c0c4e19ea	downstream: update rhbk to 2.0.10	2024-04-17 11:57:44 +02:00
Guido Grazioli	7bedb08f6e	ci: update release wf params	2024-04-17 11:14:38 +02:00
Guido Grazioli	5464a01a62	ci: update doc links, test triggers	2024-04-17 11:08:04 +02:00
ansible-middleware-core	2cf3e2470d	Bump version to 2.1.2	2024-04-17 08:58:56 +00:00