Rework Molecule prepare phase to install sudo only if root on target

2026-05-14 21:42:04 +00:00 · 2024-03-04 21:30:23 +01:00 · 2024-03-04 21:13:06 +01:00
76 changed files with 408 additions and 759 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,4 +15,4 @@ jobs:
    with:
      fqcn: 'middleware_automation/keycloak'
      molecule_tests: >-
-          [ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "debian" ]
+          [ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode" ]
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,27 +2,20 @@
 name: Release collection
 on:
  workflow_dispatch:
    inputs:
      release_summary:
        description: 'Optional release summary for changelogs'
        required: false
 jobs:
  release:
    uses: ansible-middleware/github-actions/.github/workflows/release.yml@main
    with:
      collection_fqcn: 'middleware_automation.keycloak'
      downstream_name: 'rhbk'
      release_summary: "${{ github.event.inputs.release_summary }}"
    secrets:
      galaxy_token: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
      jira_webhook: ${{ secrets.JIRA_WEBHOOK_CREATE_VERSION }}
  dispatch:
    needs: release
    strategy:
      matrix:
-        repo: ['ansible-middleware/ansible-middleware-ee']
+        repo: ['ansible-middleware/cross-dc-rhsso-demo', 'ansible-middleware/flange-demo', 'ansible-middleware/ansible-middleware-ee']
    runs-on: ubuntu-latest
    steps:
      - name: Repository Dispatch
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,27 +6,6 @@ middleware\_automation.keycloak Release Notes
 This changelog describes changes after version 0.2.6.
 v2.1.2
 ======
 v2.1.1
 ======
 Minor Changes
 -------------
 - Add reverse ``proxy_headers`` config, supersedes ``proxy_mode`` `#187 <https://github.com/ansible-middleware/keycloak/pull/187>`_
 - Debian/Ubuntu compatibility `#178 <https://github.com/ansible-middleware/keycloak/pull/178>`_
 - Use ``keycloak_realm`` as default for sub-entities `#180 <https://github.com/ansible-middleware/keycloak/pull/180>`_
 Bugfixes
 --------
 - Fix permissions on controller-side downloaded artifacts `#184 <https://github.com/ansible-middleware/keycloak/pull/184>`_
 - JVM args moved to ``JAVA_OPTS`` envvar (instead of JAVA_OPTS_APPEND) `#186 <https://github.com/ansible-middleware/keycloak/pull/186>`_
 - Unrelax configuration file permissions `#191 <https://github.com/ansible-middleware/keycloak/pull/191>`_
 - Utilize comment filter for ``ansible_managed`` annotations `#176 <https://github.com/ansible-middleware/keycloak/pull/176>`_
 v2.1.0
 ======
--- a/bindep.txt
+++ b/bindep.txt
@@ -1,9 +1,8 @@
 python3-dev [compile platform:dpkg]
 python3-devel [compile platform:rpm]
 python39-devel [compile platform:centos-8 platform:rhel-8]
-git-lfs [platform:rpm platform:dpkg]
+git-lfs [platform:rpm]
-python3-netaddr [platform:rpm platform:dpkg]
+python3-netaddr [platform:rpm]
-python3-lxml [platform:rpm platform:dpkg]
+python3-lxml [platform:rpm]
-python3-jmespath [platform:rpm platform:dpkg]
+python3-jmespath [platform:rpm]
-python3-requests [platform:rpm platform:dpkg]
+python3-requests [platform:rpm]
--- a/changelogs/changelog.yaml
+++ b/changelogs/changelog.yaml
@@ -419,40 +419,3 @@ releases:
    - 167.yaml
    - 171.yaml
    release_date: '2024-02-28'
  2.1.1:
    changes:
      bugfixes:
      - 'Fix permissions on controller-side downloaded artifacts `#184 <https://github.com/ansible-middleware/keycloak/pull/184>`_
        '
      - 'JVM args moved to ``JAVA_OPTS`` envvar (instead of JAVA_OPTS_APPEND) `#186
        <https://github.com/ansible-middleware/keycloak/pull/186>`_
        '
      - 'Unrelax configuration file permissions `#191 <https://github.com/ansible-middleware/keycloak/pull/191>`_
        '
      - 'Utilize comment filter for ``ansible_managed`` annotations `#176 <https://github.com/ansible-middleware/keycloak/pull/176>`_
        '
      minor_changes:
      - 'Add reverse ``proxy_headers`` config, supersedes ``proxy_mode`` `#187 <https://github.com/ansible-middleware/keycloak/pull/187>`_
        '
      - 'Debian/Ubuntu compatibility `#178 <https://github.com/ansible-middleware/keycloak/pull/178>`_
        '
      - 'Use ``keycloak_realm`` as default for sub-entities `#180 <https://github.com/ansible-middleware/keycloak/pull/180>`_
        '
    fragments:
    - 176.yaml
    - 178.yaml
    - 180.yaml
    - 184.yaml
    - 186.yaml
    - 187.yaml
    - 191.yaml
    release_date: '2024-04-17'
  2.1.2:
    release_date: '2024-04-17'
--- a/docs/_gh_include/header.inc
+++ b/docs/_gh_include/header.inc
@@ -24,15 +24,14 @@
        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
            <p class="caption" role="heading"><span class="caption-text">Middleware Automation</span></p>
            <ul>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/infinispan/main/">Infinispan / Red Hat Data Grid</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/infinispan/">Infinispan / Red Hat Data Grid</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/keycloak/main/">Keycloak / Red Hat Single Sign-On</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/keycloak/">Keycloak / Red Hat Single Sign-On</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/wildfly/main/">Wildfly / Red Hat JBoss EAP</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/wildfly/">Wildfly / Red Hat JBoss EAP</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/jws/main/">Tomcat / Red Hat JWS</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/jws/">Tomcat / Red Hat JWS</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq/main/">ActiveMQ / Red Hat AMQ Broker</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq/">ActiveMQ / Red Hat AMQ Broker</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq_streams/main/">Kafka / Red Hat AMQ Streams</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq_streams/">Kafka / Red Hat AMQ Streams</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/common/main/">Ansible Middleware utilities</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/redhat-csp-download/">Red Hat CSP Download</a></li>
-              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/redhat-csp-download/main/">Red Hat CSP Download</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/ansible_collections_jcliff/">JCliff</a></li>
              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/ansible_collections_jcliff/main/">JCliff</a></li>
            </ul>
        </div>
      </div>
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -29,12 +29,11 @@ Welcome to Keycloak Collection documentation
   :maxdepth: 2
   :caption: Middleware collections
-   Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/>
+   Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/>
-   Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/main/>
+   Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/>
-   Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/main/>
+   Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/>
-   Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/main/>
+   Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/>
-   ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/main/>
+   ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/>
-   Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/main/>
+   Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/>
-   Ansible Middleware utilities <https://ansible-middleware.github.io/common/main/>
+   Red Hat CSP Download <https://ansible-middleware.github.io/redhat-csp-download/>
-   Red Hat CSP Download <https://ansible-middleware.github.io/redhat-csp-download/main/>
+   JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/>
   JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/main/>
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,7 +1,7 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "2.1.2"
+version: "2.1.1"
 readme: README.md
 authors:
  - Romain Pelisse <rpelisse@redhat.com>
@@ -35,6 +35,7 @@ issues: https://github.com/ansible-middleware/keycloak/issues
 build_ignore:
  - .gitignore
  - .github
  - .ansible-lint
  - .yamllint
  - '*.tar.gz'
  - '*.zip'
--- a/molecule/debian/converge.yml
+++ b/molecule/debian/converge.yml
@@ -1,41 +0,0 @@
 ---
 - name: Converge
  hosts: all
  vars:
    keycloak_quarkus_admin_pass: "remembertochangeme"
    keycloak_realm: TestRealm
    keycloak_quarkus_log: file
    keycloak_quarkus_frontend_url: 'http://localhost:8080/'
    keycloak_quarkus_start_dev: True
    keycloak_quarkus_proxy_mode: none
    keycloak_client_default_roles:
      - TestRoleAdmin
      - TestRoleUser
    keycloak_client_users:
      - username: TestUser
        password: password
        client_roles:
          - client: TestClient
            role: TestRoleUser
      - username: TestAdmin
        password: password
        client_roles:
          - client: TestClient
            role: TestRoleUser
          - client: TestClient
            role: TestRoleAdmin
    keycloak_clients:
      - name: TestClient
        roles: "{{ keycloak_client_default_roles }}"
        public_client: "{{ keycloak_client_public }}"
        web_origins: "{{ keycloak_client_web_origins }}"
        users: "{{ keycloak_client_users }}"
        client_id: TestClient
        attributes:
          post.logout.redirect.uris: '/public/logout'
  roles:
    - role: keycloak_quarkus
    - role: keycloak_realm
      keycloak_realm: TestRealm
      keycloak_admin_password: "remembertochangeme"
      keycloak_context: ''
--- a/molecule/debian/molecule.yml
+++ b/molecule/debian/molecule.yml
@@ -1,48 +0,0 @@
 ---
 driver:
  name: docker
 platforms:
  - name: instance
    image: ghcr.io/hspaans/molecule-containers:debian-11
    pre_build_image: true
    privileged: true
    port_bindings:
      - "8080/tcp"
      - "8443/tcp"
      - "8009/tcp"
    cgroupns_mode: host
    command: "/lib/systemd/systemd"
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:rw
 provisioner:
  name: ansible
  config_options:
    defaults:
      interpreter_python: auto_silent
    ssh_connection:
      pipelining: false
  playbooks:
    prepare: prepare.yml
    converge: converge.yml
    verify: verify.yml
  inventory:
    host_vars:
      localhost:
        ansible_python_interpreter: /usr/bin/python3
  env:
    ANSIBLE_FORCE_COLOR: "true"
    ANSIBLE_REMOTE_TMP: /tmp/.ansible/tmp
 verifier:
  name: ansible
 scenario:
  test_sequence:
    - cleanup
    - destroy
    - create
    - prepare
    - converge
    - idempotence
    - side_effect
    - verify
    - cleanup
    - destroy
--- a/molecule/debian/prepare.yml
+++ b/molecule/debian/prepare.yml
@@ -1,11 +0,0 @@
 ---
 - name: Prepare
  hosts: all
  gather_facts: yes
  tasks:
    - name: Install sudo
      ansible.builtin.apt:
        name:
          - sudo
          - openjdk-17-jdk-headless
        state: present
--- a/molecule/debian/roles
+++ b/molecule/debian/roles
@@ -1 +0,0 @@
 ../../roles
--- a/molecule/debian/verify.yml
+++ b/molecule/debian/verify.yml
@@ -1,40 +0,0 @@
 ---
 - name: Verify
  hosts: all
  vars:
    keycloak_admin_password: "remembertochangeme"
    keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
    keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
    keycloak_jboss_port_offset: 10
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
    - name: Check if keycloak service started
      ansible.builtin.assert:
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
    - name: Verify openid config
      block:
        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
          ansible.builtin.shell: |
            set -o pipefail
            curl http://localhost:8080/realms/master/.well-known/openid-configuration -k | jq .
          args:
            executable: /bin/bash
          delegate_to: localhost
          register: openid_config
          changed_when: False
        - name: Verify endpoint URLs
          ansible.builtin.assert:
            that:
              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'http://localhost:8080/realms/master/protocol/openid-connect/ext/ciba/auth'
              - (openid_config.stdout | from_json)['issuer'] == 'http://localhost:8080/realms/master'
              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/auth'
              - (openid_config.stdout | from_json)['token_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/token'
          delegate_to: localhost
      when:
        - hera_home is defined
        - hera_home | length == 0
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -52,7 +52,7 @@
  pre_tasks:
    - name: "Retrieve assets server from env"
      ansible.builtin.set_fact:
-        assets_server: "{{ lookup('env', 'MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
+        assets_server: "{{ lookup('env','MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
    - name: "Set offline when assets server from env is defined"
      ansible.builtin.set_fact:
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@@ -18,12 +18,5 @@
        name:
          - java-1.8.0-openjdk
        state: present
      when: ansible_facts['os_family'] == "RedHat"
-    - name: Install JDK8
+
      become: yes
      ansible.builtin.apt:
        name:
          - openjdk-8-jdk
        state: present
      when: ansible_facts['os_family'] == "Debian"
--- a/molecule/overridexml/converge.yml
+++ b/molecule/overridexml/converge.yml
@@ -9,3 +9,47 @@
    keycloak_service_runas: True
  roles:
    - role: keycloak
  tasks:
    - name: Keycloak Realm Role
      ansible.builtin.include_role:
        name: keycloak_realm
      vars:
        keycloak_client_default_roles:
          - TestRoleAdmin
          - TestRoleUser
        keycloak_client_users:
          - username: TestUser
            password: password
            client_roles:
              - client: TestClient
                role: TestRoleUser
                realm: "{{ keycloak_realm }}"
          - username: TestAdmin
            password: password
            client_roles:
              - client: TestClient
                role: TestRoleUser
                realm: "{{ keycloak_realm }}"
              - client: TestClient
                role: TestRoleAdmin
                realm: "{{ keycloak_realm }}"
        keycloak_realm: TestRealm
        keycloak_clients:
          - name: TestClient
            roles: "{{ keycloak_client_default_roles }}"
            realm: "{{ keycloak_realm }}"
            public_client: "{{ keycloak_client_public }}"
            web_origins: "{{ keycloak_client_web_origins }}"
            users: "{{ keycloak_client_users }}"
            client_id: TestClient
  pre_tasks:
    - name: "Retrieve assets server from env"
      ansible.builtin.set_fact:
        assets_server: "{{ lookup('env','MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
    - name: "Set offline when assets server from env is defined"
      ansible.builtin.set_fact:
        sso_offline_install: True
      when:
        - assets_server is defined
        - assets_server | length > 0
--- a/molecule/overridexml/templates/custom.xml.j2
+++ b/molecule/overridexml/templates/custom.xml.j2
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- this is a custom file -->
+<!-- {{ ansible_managed }} -->
 <server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
@@ -44,7 +44,7 @@
        </audit-log>
        <management-interfaces>
            <http-interface http-authentication-factory="management-http-authentication">
-                <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
+                <http-upgrade enabled="true"/>
                <socket-binding http="management-http"/>
            </http-interface>
        </management-interfaces>
@@ -481,8 +481,8 @@
                <default-provider>default</default-provider>
                <provider name="default" enabled="true">
                    <properties>
-                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
+                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
                    </properties>
                </provider>
            </spi>
@@ -520,8 +520,7 @@
        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
            <buffer-cache name="default"/>
            <server name="default-server">
-                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
+                <http-listener name="default" socket-binding="http"/>
                <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <http-invoker http-authentication-factory="application-http-authentication"/>
@@ -534,25 +533,20 @@
            <handlers>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>
            <application-security-domains>
                <application-security-domain name="other" security-domain="ApplicationDomain"/>
            </application-security-domains>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
    </profile>
    <interfaces>
        <interface name="management">
-            <inet-address value="127.0.0.1"/>
+            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
        </interface>
        <interface name="public">
-            <inet-address value="127.0.0.1"/>
+            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
        </interface>
    </interfaces>
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="http" port="8081"/>
        <socket-binding name="https" port="8443"/>
        <socket-binding name="management-http" interface="management" port="19990"/>
        <socket-binding name="management-https" interface="management" port="19991"/>
        <socket-binding name="txn-recovery-environment" port="4712"/>
        <socket-binding name="txn-status-manager" port="4713"/>
        <outbound-socket-binding name="mail-smtp">
--- a/molecule/overridexml/verify.yml
+++ b/molecule/overridexml/verify.yml
@@ -1,10 +1,6 @@
 ---
 - name: Verify
  hosts: all
  vars:
    keycloak_uri: "http://localhost:8081"
    keycloak_management_port: "http://localhost:19990"
    keycloak_admin_password: "remembertochangeme"
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
@@ -13,20 +9,3 @@
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
    - name: Verify we are running on requested jvm # noqa blocked_modules command-instead-of-module
      ansible.builtin.shell: |
        set -o pipefail
        ps -ef | grep '/etc/alternatives/jre_1.8.0/' | grep -v grep
      args:
        executable: /bin/bash
      changed_when: no
    - name: Verify token api call
      ansible.builtin.uri:
        url: "{{ keycloak_uri }}/auth/realms/master/protocol/openid-connect/token"
        method: POST
        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
        validate_certs: no
      register: keycloak_auth_response
      until: keycloak_auth_response.status == 200
      retries: 2
      delay: 2
--- a/molecule/prepare.yml
+++ b/molecule/prepare.yml
@@ -3,44 +3,39 @@
  ansible.builtin.debug:
    msg: "Ansible version is  {{ ansible_version.full }}"
 - name: "Set package name for sudo"
  ansible.builtin.set_fact:
    sudo_pkg_name: sudo
 - name: "Ensure {{ sudo_pkg_name }} is installed (if user is root)."
  ansible.builtin.yum:
    name: "{{ sudo_pkg_name }}"
    state: present
  when:
    - ansible_user_id == 'root'
 - name: Gather the package facts
  ansible.builtin.package_facts:
    manager: auto
- name: "Check if sudo is installed."
+- name: "Check if {{ sudo_pkg_name }} is installed."
  ansible.builtin.assert:
    that:
      - sudo_pkg_name in ansible_facts.packages
    fail_msg: "sudo is not installed on target system"
- name: "Install iproute"
+- name: Install sudo
-  become: true
+  become: yes
  ansible.builtin.yum:
    name:
      - sudo
      - iproute
    state: present
 - name: "Retrieve assets server from env"
  ansible.builtin.set_fact:
-    assets_server: "{{ lookup('env', 'MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
+    assets_server: "{{ lookup('env','MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
 - name: "Download artefacts only if assets_server is set"
  when:
    - assets_server is defined
    - assets_server | length > 0
    - assets is defined
    - assets | length > 0
  block:
    - name: "Set offline when assets server from env is defined"
      ansible.builtin.set_fact:
@@ -51,7 +46,6 @@
        url: "{{ asset }}"
        dest: "{{ lookup('env', 'PWD') }}"
        validate_certs: no
        mode: '0644'
      delegate_to: localhost
      loop: "{{ assets }}"
      loop_control:
--- a/molecule/quarkus-devmode/prepare.yml
+++ b/molecule/quarkus-devmode/prepare.yml
@@ -1,39 +1,14 @@
 ---
 - name: Prepare
  hosts: all
  become: yes
  tasks:
    - name: Install sudo
      ansible.builtin.apt:
        name:
          - sudo
          - openjdk-17-jdk-headless
        state: present
      when:
        - ansible_facts.os_family == 'Debian'
    - name: "Ensure common prepare phase are set."
      ansible.builtin.include_tasks: ../prepare.yml
    - name: Install JDK17
      become: yes
      ansible.builtin.yum:
        name:
          - sudo
          - java-17-openjdk-headless
        state: present
      when:
        - ansible_facts.os_family == 'RedHat'
    - name: Link default logs directory
      become: yes
      ansible.builtin.file:
        state: link
        src: "{{ item }}"
        dest: /opt/openjdk
        force: true
      with_fileglob:
        - /usr/lib/jvm/java-17-openjdk*
      when:
        - ansible_facts.os_family == "Debian"
    - name: Link default logs directory
      ansible.builtin.file:
@@ -41,8 +16,6 @@
        src: /usr/lib/jvm/jre-17-openjdk
        dest: /opt/openjdk
        force: true
      when:
        - ansible_facts.os_family == "RedHat"
    - name: "Display hera_home if defined."
      ansible.builtin.set_fact:
--- a/molecule/quarkus/prepare.yml
+++ b/molecule/quarkus/prepare.yml
@@ -2,20 +2,22 @@
 - name: Prepare
  hosts: all
  tasks:
    - name: Install sudo
      become: yes
      ansible.builtin.yum:
        name: sudo
        state: present
    - name: "Display hera_home if defined."
      ansible.builtin.set_fact:
        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
    - name: "Ensure common prepare phase are set."
      ansible.builtin.include_tasks: ../prepare.yml
    - name: Create certificate request
      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
      delegate_to: localhost
      changed_when: False
    - name: Create conf directory # risky-file-permissions in test user account does not exist yet
      become: yes
      ansible.builtin.file:
        state: directory
        path: "/opt/keycloak/certs/"
--- a/molecule/quarkus/verify.yml
+++ b/molecule/quarkus/verify.yml
@@ -51,7 +51,6 @@
          - keycloak_log_folder.stat.islnk
    - name: Check log file
      become: yes
      ansible.builtin.stat:
        path: "/tmp/keycloak/keycloak.log"
      register: keycloak_log_file
@@ -63,7 +62,6 @@
          - not keycloak_log_file.stat.isdir
    - name: Check default log folder
      become: yes
      ansible.builtin.stat:
        path: "/var/log/keycloak"
      register: keycloak_default_log_folder
--- a/molecule/requirements.yml
+++ b/molecule/requirements.yml
@@ -5,7 +5,7 @@ collections:
  - name: community.general
  - name: ansible.posix
  - name: community.docker
-    version: ">=3.8.0"
+    version: ">=1.9.1"
 roles:
  - name: elan.simple_nginx_reverse_proxy
--- a/plugins/modules/keycloak_user_federation.py
+++ b/plugins/modules/keycloak_user_federation.py
@@ -475,7 +475,7 @@ author:
 '''
 EXAMPLES = '''
- name: Create LDAP user federation
+  - name: Create LDAP user federation
    middleware_automation.keycloak.keycloak_user_federation:
      auth_keycloak_url: https://keycloak.example.com/auth
      auth_realm: master
@@ -522,7 +522,7 @@ EXAMPLES = '''
            read.only: true
            write.only: false
- name: Create Kerberos user federation
+  - name: Create Kerberos user federation
    middleware_automation.keycloak.keycloak_user_federation:
      auth_keycloak_url: https://keycloak.example.com/auth
      auth_realm: master
@@ -543,7 +543,7 @@ EXAMPLES = '''
        allowPasswordAuthentication: false
        updateProfileFirstLogin: false
- name: Create sssd user federation
+  - name: Create sssd user federation
    middleware_automation.keycloak.keycloak_user_federation:
      auth_keycloak_url: https://keycloak.example.com/auth
      auth_realm: master
@@ -559,7 +559,7 @@ EXAMPLES = '''
        enabled: true
        cachePolicy: DEFAULT
- name: Delete user federation
+  - name: Delete user federation
    middleware_automation.keycloak.keycloak_user_federation:
      auth_keycloak_url: https://keycloak.example.com/auth
      auth_realm: master
--- a/roles/keycloak/README.md
+++ b/roles/keycloak/README.md
@@ -10,7 +10,6 @@ Requirements
 This role requires the `python3-netaddr` library installed on the controller node.
 * to install via yum/dnf: `dnf install python3-netaddr`
 * to install via apt: `apt install python3-netaddr`
 * or via pip: `pip install netaddr==0.8.0`
 * or via the collection: `pip install -r requirements.txt`
--- a/roles/keycloak/defaults/main.yml
+++ b/roles/keycloak/defaults/main.yml
@@ -8,6 +8,7 @@ keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
 keycloak_offline_install: false
 ### Install location and service settings
 keycloak_jvm_package: java-1.8.0-openjdk-headless
 keycloak_java_home:
 keycloak_dest: /opt/keycloak
 keycloak_jboss_home: "{{ keycloak_installdir }}"
@@ -32,7 +33,6 @@ keycloak_service_startlimitburst: "5"
 keycloak_service_restartsec: "10s"
 keycloak_configure_firewalld: false
 keycloak_configure_iptables: false
 ### administrator console password
 keycloak_admin_password: ''
--- a/roles/keycloak/meta/argument_specs.yml
+++ b/roles/keycloak/meta/argument_specs.yml
@@ -2,38 +2,42 @@ argument_specs:
    main:
        options:
            keycloak_version:
                # line 3 of keycloak/defaults/main.yml
                default: "18.0.2"
                description: "keycloak.org package version"
                type: "str"
            keycloak_archive:
                # line 4 of keycloak/defaults/main.yml
                default: "keycloak-legacy-{{ keycloak_version }}.zip"
                description: "keycloak install archive filename"
                type: "str"
            keycloak_configure_iptables:
                default: false
                description: "Ensure iptables is running and configure keycloak ports"
                type: "bool"
            keycloak_configure_firewalld:
                # line 33 of keycloak/defaults/main.yml
                default: false
                description: "Ensure firewalld is running and configure keycloak ports"
                type: "bool"
            keycloak_download_url:
                # line 5 of keycloak/defaults/main.yml
                default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
                description: "Download URL for keycloak"
                type: "str"
            keycloak_download_url_9x:
                # line 6 of keycloak/defaults/main.yml
                default: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
                description: "Download URL for keycloak (deprecated)"
                type: "str"
            keycloak_installdir:
                # line 7 of keycloak/defaults/main.yml
                default: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
                description: "Installation path"
                type: "str"
            keycloak_offline_install:
                # line 20 of keycloak/defaults/main.yml
                default: false
                description: "Perform an offline install"
                type: "bool"
            keycloak_jvm_package:
                # line 23 of keycloak/defaults/main.yml
                default: "java-1.8.0-openjdk-headless"
                description: "RHEL java package runtime rpm"
                type: "str"
@@ -41,10 +45,12 @@ argument_specs:
                description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path"
                type: "str"
            keycloak_dest:
                # line 24 of keycloak/defaults/main.yml
                default: "/opt/keycloak"
                description: "Root installation directory"
                type: "str"
            keycloak_jboss_home:
                # line 25 of keycloak/defaults/main.yml
                default: "{{ keycloak_installdir }}"
                description: "Installation work directory"
                type: "str"
@@ -53,42 +59,52 @@ argument_specs:
                description: "Port offset for the JBoss socket binding"
                type: "int"
            keycloak_config_dir:
                # line 26 of keycloak/defaults/main.yml
                default: "{{ keycloak_jboss_home }}/standalone/configuration"
                description: "Path for configuration"
                type: "str"
            keycloak_config_standalone_xml:
                # line 27 of keycloak/defaults/main.yml
                default: "keycloak.xml"
                description: "Service configuration filename"
                type: "str"
            keycloak_config_path_to_standalone_xml:
                # line 28 of keycloak/defaults/main.yml
                default: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
                description: "Custom path for configuration"
                type: "str"
            keycloak_config_override_template:
                # line 30 of keycloak/defaults/main.yml
                default: ""
                description: "Path to custom template for standalone.xml configuration"
                type: "str"
            keycloak_service_runas: 
                # line 20 of keycloak/defaults/main.yml
                default: false
                description: "Enable execution of service as `keycloak_service_user`"
                type: "bool"
            keycloak_service_user:
                # line 29 of keycloak/defaults/main.yml
                default: "keycloak"
                description: "posix account username"
                type: "str"
            keycloak_service_group:
                # line 30 of keycloak/defaults/main.yml
                default: "keycloak"
                description: "posix account group"
                type: "str"
            keycloak_service_pidfile:
                # line 31 of keycloak/defaults/main.yml
                default: "/run/keycloak/keycloak.pid"
                description: "PID file path for service"
                type: "str"
            keycloak_features:
                # line 17 of keycloak/defaults/main.yml
                default: "[]"
                description: "List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]`"
                type: "list"
            keycloak_bind_address:
                # line 34 of keycloak/defaults/main.yml
                default: "0.0.0.0"
                description: "Address for binding service ports"
                type: "str"
@@ -97,42 +113,52 @@ argument_specs:
                description: "Address for binding the management ports"
                type: "str"
            keycloak_host:
                # line 35 of keycloak/defaults/main.yml
                default: "localhost"
                description: "Hostname for service"
                type: "str"
            keycloak_http_port:
                # line 36 of keycloak/defaults/main.yml
                default: 8080
                description: "Listening HTTP port"
                type: "int"
            keycloak_https_port:
                # line 37 of keycloak/defaults/main.yml
                default: 8443
                description: "Listening HTTPS port"
                type: "int"
            keycloak_ajp_port:
                # line 38 of keycloak/defaults/main.yml
                default: 8009
                description: "Listening AJP port"
                type: "int"
            keycloak_jgroups_port:
                # line 39 of keycloak/defaults/main.yml
                default: 7600
                description: "jgroups cluster tcp port"
                type: "int"
            keycloak_management_http_port:
                # line 40 of keycloak/defaults/main.yml
                default: 9990
                description: "Management port (http)"
                type: "int"
            keycloak_management_https_port:
                # line 41 of keycloak/defaults/main.yml
                default: 9993
                description: "Management port (https)"
                type: "int"
            keycloak_java_opts:
                # line 42 of keycloak/defaults/main.yml
                default: "-Xms1024m -Xmx2048m"
                description: "Additional JVM options"
                type: "str"
            keycloak_prefer_ipv4:
                # line 43 of keycloak/defaults/main.yml
                default: true
                description: "Prefer IPv4 stack and addresses for port binding"
                type: "bool"
            keycloak_ha_enabled:
                # line 46 of keycloak/defaults/main.yml
                default: false
                description: "Enable auto configuration for database backend, clustering and remote caches on infinispan"
                type: "bool"
@@ -141,22 +167,27 @@ argument_specs:
                description: "Discovery protocol for HA cluster members"
                type: "str"
            keycloak_db_enabled:
                # line 48 of keycloak/defaults/main.yml
                default: "{{ True if keycloak_ha_enabled else False }}"
                description: "Enable auto configuration for database backend"
                type: "bool"
            keycloak_admin_user:
                # line 51 of keycloak/defaults/main.yml
                default: "admin"
                description: "Administration console user account"
                type: "str"
            keycloak_auth_realm:
                # line 52 of keycloak/defaults/main.yml
                default: "master"
                description: "Name for rest authentication realm"
                type: "str"
            keycloak_auth_client:
                # line 53 of keycloak/defaults/main.yml
                default: "admin-cli"
                description: "Authentication client for configuration REST calls"
                type: "str"
            keycloak_force_install:
                # line 55 of keycloak/defaults/main.yml
                default: false
                description: "Remove pre-existing versions of service"
                type: "bool"
@@ -165,6 +196,7 @@ argument_specs:
                description: "Enable configuration for modcluster subsystem"
                type: "bool"
            keycloak_modcluster_url:
                # line 58 of keycloak/defaults/main.yml
                default: "localhost"
                description: "URL for the modcluster reverse proxy"
                type: "str"
@@ -177,6 +209,7 @@ argument_specs:
                description: "List of modproxy node URLs in the format { host, port } for the modcluster reverse proxy"
                type: "list"
            keycloak_frontend_url:
                # line 59 of keycloak/defaults/main.yml
                default: "http://localhost"
                description: "Frontend URL for keycloak endpoints when a reverse proxy is used"
                type: "str"
@@ -185,62 +218,77 @@ argument_specs:
                description: "Force backend requests to use the frontend URL"
                type: "bool"
            keycloak_infinispan_user:
                # line 62 of keycloak/defaults/main.yml
                default: "supervisor"
                description: "Username for connecting to infinispan"
                type: "str"
            keycloak_infinispan_pass:
                # line 63 of keycloak/defaults/main.yml
                default: "supervisor"
                description: "Password for connecting to infinispan"
                type: "str"
            keycloak_infinispan_url:
                # line 64 of keycloak/defaults/main.yml
                default: "localhost"
                description: "URL for the infinispan remote-cache server"
                type: "str"
            keycloak_infinispan_sasl_mechanism:
                # line 65 of keycloak/defaults/main.yml
                default: "SCRAM-SHA-512"
                description: "Authentication type to infinispan server"
                type: "str"
            keycloak_infinispan_use_ssl:
                # line 66 of keycloak/defaults/main.yml
                default: false
                description: "Enable hotrod client TLS communication"
                type: "bool"
            keycloak_infinispan_trust_store_path:
                # line 68 of keycloak/defaults/main.yml
                default: "/etc/pki/java/cacerts"
                description: "TODO document argument"
                type: "str"
            keycloak_infinispan_trust_store_password:
                # line 69 of keycloak/defaults/main.yml
                default: "changeit"
                description: "Path to truststore containing infinispan server certificate"
                type: "str"
            keycloak_jdbc_engine:
                # line 72 of keycloak/defaults/main.yml
                default: "postgres"
                description: "Backend database flavour when db is enabled: [ postgres, mariadb, sqlserver ]"
                type: "str"
            keycloak_db_user:
                # line 74 of keycloak/defaults/main.yml
                default: "keycloak-user"
                description: "Username for connecting to database"
                type: "str"
            keycloak_db_pass:
                # line 75 of keycloak/defaults/main.yml
                default: "keycloak-pass"
                description: "Password for connecting to database"
                type: "str"
            keycloak_jdbc_url:
                # line 76 of keycloak/defaults/main.yml
                default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
                description: "URL for connecting to backend database"
                type: "str"
            keycloak_jdbc_driver_version:
                # line 77 of keycloak/defaults/main.yml
                default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
                description: "Version for the JDBC driver to download"
                type: "str"
            keycloak_admin_password:
                # line 4 of keycloak/vars/main.yml
                required: true
                description: "Password for the administration console user account"
                type: "str"
            keycloak_url:
                # line 12 of keycloak/vars/main.yml
                default: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
                description: "URL for configuration rest calls"
                type: "str"
            keycloak_management_url:
                # line 13 of keycloak/vars/main.yml
                default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"
                description: "URL for management console rest calls"
                type: "str"
--- a/roles/keycloak/tasks/debian.yml
+++ b/roles/keycloak/tasks/debian.yml
@@ -1,6 +0,0 @@
 ---
 - name: Include firewall config tasks
  ansible.builtin.include_tasks: iptables.yml
  when: keycloak_configure_iptables
  tags:
    - firewall
--- a/roles/keycloak/tasks/fastpackages.yml
+++ b/roles/keycloak/tasks/fastpackages.yml
@@ -4,27 +4,14 @@
  register: rpm_info
  changed_when: false
  failed_when: false
  when: ansible_facts.os_family == "RedHat"
 - name: "Add missing packages to the yum install list"
  ansible.builtin.set_fact:
    packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
  when: ansible_facts.os_family == "RedHat"
 - name: "Install packages: {{ packages_to_install }}"
  become: true
  ansible.builtin.yum:
    name: "{{ packages_to_install }}"
    state: present
-  when:
+  when: packages_to_install | default([]) | length > 0
  - packages_to_install | default([]) | length > 0
  - ansible_facts.os_family == "RedHat"
 - name: "Install packages: {{ packages_list }}"
  become: true
  ansible.builtin.package:
    name: "{{ packages_list }}"
    state: present
  when:
    - packages_list | default([]) | length > 0
    - ansible_facts.os_family == "Debian"
--- a/roles/keycloak/tasks/iptables.yml
+++ b/roles/keycloak/tasks/iptables.yml
@@ -1,23 +0,0 @@
 ---
 - name: Ensure required package iptables are installed
  ansible.builtin.include_tasks: fastpackages.yml
  vars:
    packages_list:
      - iptables
 - name: "Configure firewall ports for {{ keycloak.service_name }}"
  become: true
  ansible.builtin.iptables:
    destination_port: "{{ item }}"
    action: "insert"
    rule_num: 6 # magic number I forget why
    chain: "INPUT"
    policy: "ACCEPT"
    protocol: tcp
  loop:
    - "{{ keycloak_http_port }}"
    - "{{ keycloak_https_port }}"
    - "{{ keycloak_management_http_port }}"
    - "{{ keycloak_management_https_port }}"
    - "{{ keycloak_jgroups_port }}"
    - "{{ keycloak_ajp_port }}"
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -5,10 +5,11 @@
  tags:
    - prereqs
- name: Distro specific tasks
+- name: Include firewall config tasks
-  ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml"
+  ansible.builtin.include_tasks: firewalld.yml
  when: keycloak_configure_firewalld
  tags:
-    - unbound
+    - firewall
 - name: Include install tasks
  ansible.builtin.include_tasks: install.yml
@@ -25,7 +26,6 @@
  when:
    - sso_apply_patches is defined and sso_apply_patches
    - sso_enable is defined and sso_enable
    - ansible_facts.os_family == "RedHat"
  tags:
    - install
    - patch
--- a/roles/keycloak/tasks/prereqs.yml
+++ b/roles/keycloak/tasks/prereqs.yml
@@ -36,20 +36,12 @@
    success_msg: "Configuring JDBC persistence using {{ keycloak_jdbc_engine }} database"
  when: keycloak_db_enabled
 - name: Validate OS family
  ansible.builtin.assert:
    that:
      - ansible_os_family in ["RedHat", "Debian"]
    quiet: true
    fail_msg: "Can only install on RedHat or Debian OS families; found {{ ansible_os_family }}"
    success_msg: "Installing on {{ ansible_os_family }}"
 - name: Load OS specific variables
  ansible.builtin.include_vars: "vars/{{ ansible_os_family | lower }}.yml"
  tags:
    - always
 - name: Ensure required packages are installed
  ansible.builtin.include_tasks: fastpackages.yml
  vars:
-    packages_list: "{{ keycloak_prereq_package_list }}"
+    packages_list:
      - "{{ keycloak_jvm_package }}"
      - unzip
      - procps-ng
      - initscripts
      - tzdata-java
--- a/roles/keycloak/tasks/redhat.yml
+++ b/roles/keycloak/tasks/redhat.yml
@@ -1,6 +0,0 @@
 ---
 - name: Include firewall config tasks
  ansible.builtin.include_tasks: firewalld.yml
  when: keycloak_configure_firewalld
  tags:
    - firewall
--- a/roles/keycloak/tasks/rhsso_patch.yml
+++ b/roles/keycloak/tasks/rhsso_patch.yml
@@ -36,9 +36,7 @@
    - name: Determine patch versions list
      ansible.builtin.set_fact:
-        filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | \
+        filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | map('regex_replace', '[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*)-.*', '\\1') | list | unique }}"
                               select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | \
                               map('regex_replace', '[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*(-[0-9])?)-.*', '\\1') | list | unique }}"
      when: sso_patch_version is not defined or sso_patch_version | length == 0
      delegate_to: localhost
      run_once: true
@@ -72,7 +70,7 @@
      middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
        client_id: "{{ rhn_username }}"
        client_secret: "{{ rhn_password }}"
-        product_id: "{{ (rhn_filtered_products | sort | last).id }}"
+        product_id: "{{ (rhn_filtered_products | first).id }}"
        dest: "{{ local_path.stat.path }}/{{ patch_bundle }}"
      no_log: "{{ omit_rhn_output | default(true) }}"
      delegate_to: localhost
@@ -116,7 +114,7 @@
  when:
    - cli_result is defined
    - cli_result.stdout is defined
-    - patch_version | regex_replace('-[0-9]$', '') not in cli_result.stdout
+    - patch_version not in cli_result.stdout
  block:
    - name: "Apply patch {{ patch_version }} to server"
      ansible.builtin.include_tasks: rhsso_cli.yml
--- a/roles/keycloak/tasks/systemd.yml
+++ b/roles/keycloak/tasks/systemd.yml
@@ -10,14 +10,20 @@
  notify:
    - restart keycloak
 - name: Determine JAVA_HOME for selected JVM RPM
  ansible.builtin.set_fact:
    rpm_java_home: "/etc/alternatives/jre_{{ keycloak_jvm_package | regex_search('(?<=java-)[0-9.]+') }}"
 - name: "Configure sysconfig file for {{ keycloak.service_name }} service"
  become: true
  ansible.builtin.template:
    src: keycloak-sysconfig.j2
-    dest: "{{ keycloak_sysconf_file }}"
+    dest: /etc/sysconfig/keycloak
    owner: root
    group: root
    mode: 0644
  vars:
    keycloak_rpm_java_home: "{{ rpm_java_home }}"
  notify:
    - restart keycloak
--- a/roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2
+++ b/roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-{{ ansible_managed | comment('xml') }}
+<!-- {{ ansible_managed }} -->
 <server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
--- a/roles/keycloak/templates/15.0.8/standalone.xml.j2
+++ b/roles/keycloak/templates/15.0.8/standalone.xml.j2
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-{{ ansible_managed | comment('xml') }}
+<!-- {{ ansible_managed }} -->
 <server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
--- a/roles/keycloak/templates/keycloak-service.sh.j2
+++ b/roles/keycloak/templates/keycloak-service.sh.j2
@@ -1,5 +1,5 @@
 #!/bin/bash -eu
-{{ ansible_managed | comment }}
+# {{ ansible_managed }}
 set +u -o pipefail
--- a/roles/keycloak/templates/keycloak-sysconfig.j2
+++ b/roles/keycloak/templates/keycloak-sysconfig.j2
@@ -1,6 +1,6 @@
-{{ ansible_managed | comment }}
+# {{ ansible_managed }}
 JAVA_OPTS='{{ keycloak_java_opts }}'
-JAVA_HOME={{ keycloak_java_home | default(keycloak_pkg_java_home, true) }}
+JAVA_HOME={{ keycloak_java_home  | default(keycloak_rpm_java_home, true) }}
 JBOSS_HOME={{ keycloak.home }}
 KEYCLOAK_BIND_ADDRESS={{ keycloak_bind_address }}
 KEYCLOAK_HTTP_PORT={{ keycloak_http_port }}
--- a/roles/keycloak/templates/keycloak.service.j2
+++ b/roles/keycloak/templates/keycloak.service.j2
@@ -1,4 +1,4 @@
-{{ ansible_managed | comment }}
+# {{ ansible_managed }}
 [Unit]
 Description={{ keycloak.service_name }} Server
 After=network.target
@@ -11,7 +11,7 @@ StartLimitBurst={{ keycloak_service_startlimitburst }}
 User={{ keycloak_service_user }}
 Group={{ keycloak_service_group }}
 {% endif -%}
-EnvironmentFile=-{{ keycloak_sysconf_file }}
+EnvironmentFile=-/etc/sysconfig/keycloak
 PIDFile={{ keycloak_service_pidfile }}
 ExecStart={{ keycloak.home }}/bin/standalone.sh $WILDFLY_OPTS
 WorkingDirectory={{ keycloak.home }}
--- a/roles/keycloak/templates/standalone-ha.xml.j2
+++ b/roles/keycloak/templates/standalone-ha.xml.j2
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-{{ ansible_managed | comment('xml') }}
+<!-- {{ ansible_managed }} -->
 <server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
--- a/roles/keycloak/templates/standalone-infinispan.xml.j2
+++ b/roles/keycloak/templates/standalone-infinispan.xml.j2
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-{{ ansible_managed | comment('xml') }}
+<!-- {{ ansible_managed }} -->
 <server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
--- a/roles/keycloak/templates/standalone.xml.j2
+++ b/roles/keycloak/templates/standalone.xml.j2
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-{{ ansible_managed | comment('xml') }}
+<!-- {{ ansible_managed }} -->
 <server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
--- a/roles/keycloak/vars/debian.yml
+++ b/roles/keycloak/vars/debian.yml
@@ -1,11 +0,0 @@
 ---
 keycloak_varjvm_package: "{{ keycloak_jvm_package | default('openjdk-11-jdk-headless') }}"
 keycloak_prereq_package_list:
      - "{{ keycloak_varjvm_package }}"
      - unzip
      - procps
      - apt
      - tzdata
 keycloak_configure_iptables: True
 keycloak_sysconf_file: /etc/default/keycloak
 keycloak_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_varjvm_package | regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
--- a/roles/keycloak/vars/redhat.yml
+++ b/roles/keycloak/vars/redhat.yml
@@ -1,10 +0,0 @@
 ---
 keycloak_varjvm_package: "{{ keycloak_jvm_package | default('java-1.8.0-openjdk-headless') }}"
 keycloak_prereq_package_list:
      - "{{ keycloak_varjvm_package }}"
      - unzip
      - procps-ng
      - initscripts
      - tzdata-java
 keycloak_sysconf_file: /etc/sysconfig/keycloak
 keycloak_pkg_java_home: "/etc/alternatives/jre_{{ keycloak_varjvm_package | regex_search('(?<=java-)[0-9.]+') }}"
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@@ -38,9 +38,7 @@ Role Defaults
 |`keycloak_quarkus_service_pidfile`| Pid file path for service | `/run/keycloak.pid` |
 |`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-17-openjdk-headless` |
 |`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
-|`keycloak_quarkus_java_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` |
+|`keycloak_quarkus_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
 |`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak |
 |`keycloak_quarkus_java_opts`| JVM arguments; if overriden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` |
 |`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | |
 |`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
 |`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
@@ -54,7 +52,7 @@ Role Defaults
 |`keycloak_quarkus_https_trust_store_enabled`| Enalbe confiugration of a trust store | `False` |
 |`keycloak_quarkus_trust_store_file`| The file pat to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
 |`keycloak_quarkus_trust_store_password`| Password for the trust store | `""` |
-|`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwardedPassword`) | `""` |
+
 * Hostname configuration
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@@ -9,6 +9,7 @@ keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_q
 keycloak_quarkus_offline_install: false
 ### Install location and service settings
 keycloak_quarkus_jvm_package: java-17-openjdk-headless
 keycloak_quarkus_java_home:
 keycloak_quarkus_dest: /opt/keycloak
 keycloak_quarkus_home: "{{ keycloak_quarkus_installdir }}"
@@ -17,13 +18,11 @@ keycloak_quarkus_start_dev: false
 keycloak_quarkus_service_user: keycloak
 keycloak_quarkus_service_group: keycloak
 keycloak_quarkus_service_pidfile: "/run/keycloak/keycloak.pid"
 keycloak_quarkus_configure_firewalld: false
 keycloak_quarkus_service_restart_always: false
 keycloak_quarkus_service_restart_on_failure: false
 keycloak_quarkus_service_restartsec: "10s"
 keycloak_quarkus_configure_firewalld: false
 keycloak_quarkus_configure_iptables: false
 ### administrator console password
 keycloak_quarkus_admin_user: admin
 keycloak_quarkus_admin_pass:
@@ -39,12 +38,7 @@ keycloak_quarkus_http_port: 8080
 keycloak_quarkus_https_port: 8443
 keycloak_quarkus_ajp_port: 8009
 keycloak_quarkus_jgroups_port: 7800
-keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx2048m"
+keycloak_quarkus_java_opts: "-Xms1024m -Xmx2048m"
 keycloak_quarkus_java_jvm_opts: "-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8
  -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError
  -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4
  -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512"
 keycloak_quarkus_java_opts: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}"
 ### TLS/HTTPS configuration
 keycloak_quarkus_https_key_file_enabled: false
@@ -86,8 +80,7 @@ keycloak_quarkus_proxy_mode: edge
 # disable xa transactions
 keycloak_quarkus_transaction_xa_enabled: true
-# If the route should be attached to cookies to reflect the node that owns a particular session.
+# If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy
 # If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy
 keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: true
 keycloak_quarkus_metrics_enabled: false
@@ -121,8 +114,7 @@ keycloak_quarkus_default_jdbc:
  mssql:
    url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
    version: 12.2.0
-    driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar"
+    driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar" # cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/22.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver
    # cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/22.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver
 ### logging configuration
 keycloak_quarkus_log: file
 keycloak_quarkus_log_level: info
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -2,26 +2,32 @@ argument_specs:
    main:
        options:
            keycloak_quarkus_version:
-                default: "23.0.7"
+                # line 3 of defaults/main.yml
                default: "17.0.1"
                description: "keycloak.org package version"
                type: "str"
            keycloak_quarkus_archive:
                # line 4 of defaults/main.yml
                default: "keycloak-{{ keycloak_quarkus_version }}.zip"
                description: "keycloak install archive filename"
                type: "str"
            keycloak_quarkus_download_url:
                # line 5 of defaults/main.yml
                default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
                description: "Download URL for keycloak"
                type: "str"
            keycloak_quarkus_installdir:
                # line 6 of defaults/main.yml
                default: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
                description: "Installation path"
                type: "str"
            keycloak_quarkus_offline_install:
                # line 9 of defaults/main.yml
                default: false
                description: "Perform an offline install"
                type: "bool"
            keycloak_quarkus_jvm_package:
                # line 12 of defaults/main.yml
                default: "java-11-openjdk-headless"
                description: "RHEL java package runtime"
                type: "str"
@@ -29,34 +35,37 @@ argument_specs:
                description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path"
                type: "str"
            keycloak_quarkus_dest:
                # line 13 of defaults/main.yml
                default: "/opt/keycloak"
                description: "Installation root path"
                type: "str"
            keycloak_quarkus_home:
                # line 14 of defaults/main.yml
                default: "{{ keycloak_quarkus_installdir }}"
                description: "Installation work directory"
                type: "str"
            keycloak_quarkus_config_dir:
                # line 15 of defaults/main.yml
                default: "{{ keycloak_quarkus_home }}/conf"
                description: "Path for configuration"
                type: "str"
            keycloak_quarkus_service_user:
                # line 16 of defaults/main.yml
                default: "keycloak"
                description: "Posix account username"
                type: "str"
            keycloak_quarkus_service_group:
                # line 17 of defaults/main.yml
                default: "keycloak"
                description: "Posix account group"
                type: "str"
            keycloak_quarkus_service_pidfile:
                # line 18 of defaults/main.yml
                default: "/run/keycloak/keycloak.pid"
                description: "Pid file path for service"
                type: "str"
            keycloak_quarkus_configure_firewalld:
-                default: false
+                # line 19 of defaults/main.yml
                description: "Ensure firewalld is running and configure keycloak ports"
                type: "bool"
            keycloak_quarkus_configure_iptables:
                default: false
                description: "Ensure firewalld is running and configure keycloak ports"
                type: "bool"
@@ -81,10 +90,12 @@ argument_specs:
                description: "Password of console admin account"
                type: "str"
            keycloak_quarkus_master_realm:
                # line 24 of defaults/main.yml
                default: "master"
                description: "Name for rest authentication realm"
                type: "str"
            keycloak_quarkus_bind_address:
                # line 27 of defaults/main.yml
                default: "0.0.0.0"
                description: "Address for binding service ports"
                type: "str"
@@ -105,6 +116,7 @@ argument_specs:
                description: "Enable listener on HTTP port"
                type: "bool"
            keycloak_quarkus_http_port:
                # line 29 of defaults/main.yml
                default: 8080
                description: "HTTP port"
                type: "int"
@@ -145,33 +157,27 @@ argument_specs:
                description: "Password for the trust store"
                type: "str"
            keycloak_quarkus_https_port:
                # line 30 of defaults/main.yml
                default: 8443
                description: "HTTPS port"
                type: "int"
            keycloak_quarkus_ajp_port:
                # line 31 of defaults/main.yml
                default: 8009
                description: "AJP port"
                type: "int"
            keycloak_quarkus_jgroups_port:
                # line 32 of defaults/main.yml
                default: 7800
                description: "jgroups cluster tcp port"
                type: "int"
            keycloak_quarkus_java_heap_opts:
                default: "-Xms1024m -Xmx2048m"
                description: "Heap memory JVM setting"
                type: "str"
            keycloak_quarkus_java_jvm_opts:
                default: >
                  -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.err.encoding=UTF-8
                  -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC
                  -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512
                description: "Other JVM settings"
                type: "str"
            keycloak_quarkus_java_opts:
-                default: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}"
+                # line 33 of defaults/main.yml
-                description: "JVM arguments, by default heap_opts + jvm_opts, if overriden it takes precedence over them"
+                default: "-Xms1024m -Xmx2048m"
                description: "Additional JVM options"
                type: "str"
            keycloak_quarkus_ha_enabled:
                # line 36 of defaults/main.yml
                default: false
                description: "Enable auto configuration for database backend, clustering and remote caches on infinispan"
                type: "bool"
@@ -180,6 +186,7 @@ argument_specs:
                description: "Discovery protocol for HA cluster members"
                type: "str"
            keycloak_quarkus_db_enabled:
                # line 38 of defaults/main.yml
                default: "{{ True if keycloak_quarkus_ha_enabled else False }}"
                description: "Enable auto configuration for database backend"
                type: "str"
@@ -197,6 +204,7 @@ argument_specs:
                description: "Service URL for the admin console"
                type: "str"
            keycloak_quarkus_metrics_enabled:
                # line 43 of defaults/main.yml
                default: false
                description: "Whether to enable metrics"
                type: "bool"
@@ -205,50 +213,62 @@ argument_specs:
                description: "If the server should expose health check endpoints"
                type: "bool"
            keycloak_quarkus_ispn_user:
                # line 46 of defaults/main.yml
                default: "supervisor"
                description: "Username for connecting to infinispan"
                type: "str"
            keycloak_quarkus_ispn_pass:
                # line 47 of defaults/main.yml
                default: "supervisor"
                description: "Password for connecting to infinispan"
                type: "str"
            keycloak_quarkus_ispn_hosts:
                # line 48 of defaults/main.yml
                default: "localhost:11222"
                description: "host name/port for connecting to infinispan, eg. host1:11222;host2:11222"
                type: "str"
            keycloak_quarkus_ispn_sasl_mechanism:
                # line 49 of defaults/main.yml
                default: "SCRAM-SHA-512"
                description: "Infinispan auth mechanism"
                type: "str"
            keycloak_quarkus_ispn_use_ssl:
                # line 50 of defaults/main.yml
                default: false
                description: "Whether infinispan uses TLS connection"
                type: "bool"
            keycloak_quarkus_ispn_trust_store_path:
                # line 52 of defaults/main.yml
                default: "/etc/pki/java/cacerts"
                description: "Path to infinispan server trust certificate"
                type: "str"
            keycloak_quarkus_ispn_trust_store_password:
                # line 53 of defaults/main.yml
                default: "changeit"
                description: "Password for infinispan certificate keystore"
                type: "str"
            keycloak_quarkus_jdbc_engine:
                # line 56 of defaults/main.yml
                default: "postgres"
                description: "Database engine [mariadb,postres,mssql]"
                type: "str"
            keycloak_quarkus_db_user:
                # line 58 of defaults/main.yml
                default: "keycloak-user"
                description: "User for database connection"
                type: "str"
            keycloak_quarkus_db_pass:
                # line 59 of defaults/main.yml
                default: "keycloak-pass"
                description: "Password for database connection"
                type: "str"
            keycloak_quarkus_jdbc_url:
                # line 60 of defaults/main.yml
                default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
                description: "JDBC URL for connecting to database"
                type: "str"
            keycloak_quarkus_jdbc_driver_version:
                # line 61 of defaults/main.yml
                default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
                description: "Version for JDBC driver"
                type: "str"
@@ -275,9 +295,7 @@ argument_specs:
            keycloak_quarkus_log_max_file_size:
                default: 10M
                type: "str"
-                description: >
+                description: "Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): [0-9]+[KkMmGgTtPpEeZzYy]?. If no suffix is given, assume bytes."
                  Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular
                  expression): [0-9]+[KkMmGgTtPpEeZzYy]?. If no suffix is given, assume bytes.
            keycloak_quarkus_log_max_backup_index:
                default: 10
                type: "str"
@@ -285,17 +303,11 @@ argument_specs:
            keycloak_quarkus_log_file_suffix:
                default: '.yyyy-MM-dd.zip'
                type: "str"
-                description: >
+                description: "Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with .zip or .gz, the rotation file will also be compressed."
                  Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix. Note: If the suffix ends
                  with .zip or .gz, the rotation file will also be compressed.
            keycloak_quarkus_proxy_mode:
                default: 'edge'
                type: "str"
                description: "The proxy address forwarding mode if the server is behind a reverse proxy. Set to 'none' if not using a proxy"
            keycloak_quarkus_proxy_headers:
                default: ""
                type: "str"
                description: "Parse reverse proxy headers (`forwarded` or `xforwardedPassword`), overrides the deprecated keycloak_quarkus_proxy_mode argument"
            keycloak_quarkus_start_dev:
                default: false
                type: "bool"
@@ -307,25 +319,19 @@ argument_specs:
            keycloak_quarkus_hostname_strict:
                default: true
                type: "bool"
-                description: >
+                description: "Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless proxy verifies the Host header."
                  Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless
                  proxy verifies the Host header.
            keycloak_quarkus_hostname_strict_backchannel:
                default: false
                type: "bool"
-                description: >
+                description: "By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled."
                  By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all
                  applications use the public URL this option should be enabled.
            keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route:
                default: true
                type: "bool"
-                description: >
+                description: "If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy"
                  If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies
                  and we rely on the session affinity capabilities from reverse proxy
    downstream:
        options:
            rhbk_version:
-                default: "22.0.10"
+                default: "22.0.6"
                description: "Red Hat Build of Keycloak version"
                type: "str"
            rhbk_archive:
@@ -347,7 +353,7 @@ argument_specs:
            rhbk_enable:
                default: true
                description: "Enable Red Hat Build of Keycloak installation"
-                type: "bool"
+                type: "str"
            rhbk_offline_install:
                default: false
                description: "Perform an offline install"
--- a/roles/keycloak_quarkus/meta/main.yml
+++ b/roles/keycloak_quarkus/meta/main.yml
@@ -14,11 +14,6 @@ galaxy_info:
    - name: EL
      versions:
        - "8"
        - "9"
    - name: Fedora
    - name: Debian
    - name: Ubuntu
  galaxy_tags:
    - keycloak
@@ -30,4 +25,3 @@ galaxy_info:
    - identity
    - security
    - rhbk
    - debian
--- a/roles/keycloak_quarkus/tasks/debian.yml
+++ b/roles/keycloak_quarkus/tasks/debian.yml
@@ -1,6 +0,0 @@
 ---
 - name: Include firewall config tasks
  ansible.builtin.include_tasks: iptables.yml
  when: keycloak_quarkus_configure_iptables
  tags:
    - firewall
--- a/roles/keycloak_quarkus/tasks/fastpackages.yml
+++ b/roles/keycloak_quarkus/tasks/fastpackages.yml
@@ -4,28 +4,14 @@
  register: rpm_info
  changed_when: false
  failed_when: false
  when: ansible_facts.os_family == "RedHat"
 - name: "Add missing packages to the yum install list"
  ansible.builtin.set_fact:
-    packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | \
+    packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
                             map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
  when: ansible_facts.os_family == "RedHat"
 - name: "Install packages: {{ packages_to_install }}"
  become: true
-  ansible.builtin.dnf:
+  ansible.builtin.yum:
    name: "{{ packages_to_install }}"
    state: present
-  when:
+  when: packages_to_install | default([]) | length > 0
    - packages_to_install | default([]) | length > 0
    - ansible_facts.os_family == "RedHat"
 - name: "Install packages: {{ packages_list }}"
  become: true
  ansible.builtin.package:
    name: "{{ packages_list }}"
    state: present
  when:
    - packages_list | default([]) | length > 0
    - ansible_facts.os_family == "Debian"
--- a/roles/keycloak_quarkus/tasks/install.yml
+++ b/roles/keycloak_quarkus/tasks/install.yml
@@ -22,7 +22,7 @@
    name: "{{ keycloak.service_user }}"
    home: /opt/keycloak
    system: true
-    create_home: false
+    create_home: no
 - name: "Create {{ keycloak.service_name }} install location"
  become: true
@@ -31,7 +31,7 @@
    state: directory
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
-    mode: '0750'
+    mode: 0750
 ## check remote archive
 - name: Set download archive path
@@ -50,15 +50,13 @@
    path: "{{ lookup('env', 'PWD') }}"
  register: local_path
  delegate_to: localhost
  become: false
 - name: Download keycloak archive
  ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
    url: "{{ keycloak_quarkus_download_url }}"
    dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
-    mode: '0640'
+    mode: 0640
  delegate_to: localhost
  become: false
  run_once: true
  when:
    - archive_path is defined
@@ -118,7 +116,7 @@
    dest: "{{ archive }}"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
-    mode: '0640'
+    mode: 0640
  register: new_version_downloaded
  when:
    - not archive_path.stat.exists
@@ -132,7 +130,7 @@
  register: path_to_workdir
  become: true
- name: "Extract Keycloak archive on target" # noqa no-handler need to run this here
+- name: "Extract Keycloak archive on target"
  ansible.builtin.unarchive:
    remote_src: true
    src: "{{ archive }}"
--- a/roles/keycloak_quarkus/tasks/iptables.yml
+++ b/roles/keycloak_quarkus/tasks/iptables.yml
@@ -1,20 +0,0 @@
 ---
 - name: Ensure required package iptables are installed
  ansible.builtin.include_tasks: fastpackages.yml
  vars:
    packages_list:
      - iptables
 - name: "Configure firewall ports for {{ keycloak.service_name }}"
  become: true
  ansible.builtin.iptables:
    destination_port: "{{ item }}"
    action: "insert"
    rule_num: 6 # magic number I forget why
    chain: "INPUT"
    policy: "ACCEPT"
    protocol: tcp
  loop:
    - "{{ keycloak_quarkus_http_port }}"
    - "{{ keycloak_quarkus_https_port }}"
    - "{{ keycloak_quarkus_jgroups_port }}"
--- a/roles/keycloak_quarkus/tasks/jdbc_driver.yml
+++ b/roles/keycloak_quarkus/tasks/jdbc_driver.yml
@@ -1,11 +1,12 @@
 ---
 - name: "Retrieve JDBC Driver from {{ keycloak_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url }}"
  ansible.builtin.get_url:
    url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url }}"
    dest: "{{ keycloak.home }}/providers"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
-    mode: '0640'
+    mode: 0640
  become: true
  notify:
    - restart keycloak
--- a/roles/keycloak_quarkus/tasks/main.yml
+++ b/roles/keycloak_quarkus/tasks/main.yml
@@ -4,12 +4,12 @@
  ansible.builtin.include_tasks: prereqs.yml
  tags:
    - prereqs
    - always
- name: Distro specific tasks
+- name: Include firewall config tasks
-  ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml"
+  ansible.builtin.include_tasks: firewalld.yml
  when: keycloak_quarkus_configure_firewalld
  tags:
-    - unbound
+    - firewall
 - name: Include install tasks
  ansible.builtin.include_tasks: install.yml
@@ -27,7 +27,7 @@
    dest: "{{ keycloak.home }}/conf/keycloak.conf"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
-    mode: '0640'
+    mode: 0644
  become: true
  notify:
    - rebuild keycloak config
@@ -39,7 +39,7 @@
    dest: "{{ keycloak.home }}/conf/quarkus.properties"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
-    mode: '0640'
+    mode: 0644
  become: true
  notify:
    - restart keycloak
@@ -64,7 +64,7 @@
    dest: "{{ keycloak.home }}/conf/cache-ispn.xml"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
-    mode: '0640'
+    mode: 0644
  become: true
  notify:
    - rebuild keycloak config
@@ -76,7 +76,7 @@
    path:  "{{ keycloak.log.file | dirname }}"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
-    mode: '0775'
+    mode: 0775
  become: true
 - name: Flush pending handlers
--- a/roles/keycloak_quarkus/tasks/prereqs.yml
+++ b/roles/keycloak_quarkus/tasks/prereqs.yml
@@ -4,7 +4,7 @@
    that:
      - keycloak_quarkus_admin_pass | length > 12
    quiet: true
-    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass to a 12+ char long string"
+    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass variable to a 12+ char long string"
    success_msg: "{{ 'Console administrator password OK' }}"
 - name: Validate relative path
@@ -12,33 +12,23 @@
    that:
      - keycloak_quarkus_http_relative_path is regex('^/.*')
    quiet: true
-    fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /"
+    fail_msg: "the relative path must begin with /"
-    success_msg: "{{ 'Relative path OK' }}"
+    success_msg: "{{ 'relative path OK' }}"
 - name: Validate configuration
  ansible.builtin.assert:
    that:
-      - (keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or
+      - (keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and not keycloak_quarkus_db_enabled)
        (not keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or
        (not keycloak_quarkus_ha_enabled and not keycloak_quarkus_db_enabled)
    quiet: true
-    fail_msg: "HA setup requires a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled"
+    fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled"
    success_msg: "{{ 'Configuring HA' if keycloak_quarkus_ha_enabled else 'Configuring standalone' }}"
 - name: Validate OS family
  ansible.builtin.assert:
    that:
      - ansible_os_family in ["RedHat", "Debian"]
    quiet: true
    fail_msg: "Can only install on RedHat or Debian OS families; found {{ ansible_os_family }}"
    success_msg: "Installing on {{ ansible_os_family }}"
 - name: Load OS specific variables
  ansible.builtin.include_vars: "vars/{{ ansible_os_family | lower }}.yml"
  tags:
    - always
 - name: Ensure required packages are installed
  ansible.builtin.include_tasks: fastpackages.yml
  vars:
-    packages_list: "{{ keycloak_quarkus_prereq_package_list }}"
+    packages_list:
      - "{{ keycloak_quarkus_jvm_package }}"
      - unzip
      - procps-ng
      - initscripts
      - tzdata-java
--- a/roles/keycloak_quarkus/tasks/redhat.yml
+++ b/roles/keycloak_quarkus/tasks/redhat.yml
@@ -1,6 +0,0 @@
 ---
 - name: Include firewall config tasks
  ansible.builtin.include_tasks: firewalld.yml
  when: keycloak_quarkus_configure_firewalld
  tags:
    - firewall
--- a/roles/keycloak_quarkus/tasks/systemd.yml
+++ b/roles/keycloak_quarkus/tasks/systemd.yml
@@ -1,14 +1,18 @@
 ---
- name: "Configure sysconfig file for {{ keycloak.service_name }} service"
+- name: Determine JAVA_HOME for selected JVM RPM
  ansible.builtin.set_fact:
    rpm_java_home: "/etc/alternatives/jre_{{ keycloak_quarkus_jvm_package | regex_search('(?<=java-)[0-9.]+') }}"
 - name: "Configure sysconfig file for keycloak service"
  become: true
  ansible.builtin.template:
    src: keycloak-sysconfig.j2
-    dest: "{{ keycloak_quarkus_sysconf_file }}"
+    dest: /etc/sysconfig/keycloak
    owner: root
    group: root
-    mode: '0640'
+    mode: 0644
  vars:
-    keycloak_sys_pkg_java_home: "{{ keycloak_quarkus_pkg_java_home }}"
+    keycloak_rpm_java_home: "{{ rpm_java_home }}"
  notify:
    - restart keycloak
@@ -18,7 +22,7 @@
    dest: /etc/systemd/system/keycloak.service
    owner: root
    group: root
-    mode: '0644'
+    mode: 0644
  become: true
  register: systemdunit
  notify:
--- a/roles/keycloak_quarkus/templates/cache-ispn.xml.j2
+++ b/roles/keycloak_quarkus/templates/cache-ispn.xml.j2
@@ -1,4 +1,4 @@
-{{ ansible_managed | comment('xml') }}
+<!-- {{ ansible_managed }} -->
 <!--
  ~ Copyright 2019 Red Hat, Inc. and/or its affiliates
  ~ and other contributors as indicated by the @author tags.
--- a/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
+++ b/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
@@ -1,6 +1,6 @@
-{{ ansible_managed | comment }}
+# {{ ansible_managed }}
 KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }}
 KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'
-PATH={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+PATH={{ keycloak_quarkus_java_home | default(keycloak_rpm_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-JAVA_HOME={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}
+JAVA_HOME={{ keycloak_quarkus_java_home | default(keycloak_rpm_java_home, true) }}
-JAVA_OPTS={{ keycloak_quarkus_java_opts }}
+JAVA_OPTS_APPEND={{ keycloak_quarkus_java_opts }}
--- a/roles/keycloak_quarkus/templates/keycloak.conf.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.conf.j2
@@ -1,4 +1,4 @@
-{{ ansible_managed | comment }}
+# {{ ansible_managed }}
 {% if keycloak_quarkus_db_enabled %}
 # Database
@@ -54,14 +54,9 @@ cache-config-file=cache-ispn.xml
 {% endif %}
 {% if keycloak_quarkus_proxy_mode is defined and keycloak_quarkus_proxy_mode != "none" %}
-# Deprecated Proxy configuration
+# Proxy
 proxy={{ keycloak_quarkus_proxy_mode }}
 {% endif %}
 {% if keycloak_quarkus_proxy_headers is defined and keycloak_quarkus_proxy_headers != "none" %}
 # Proxy
 proxy-headers={{ keycloak_quarkus_proxy_headers }}
 {% endif %}
 spi-sticky-session-encoder-infinispan-should-attach-route={{ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route | d(true) | lower }}
 # Transaction
--- a/roles/keycloak_quarkus/templates/keycloak.service.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.service.j2
@@ -1,11 +1,11 @@
-{{ ansible_managed | comment }}
+# {{ ansible_managed }}
 [Unit]
 Description=Keycloak Server
 After=network.target
 [Service]
 Type=simple
-EnvironmentFile=-{{ keycloak_quarkus_sysconf_file }}
+EnvironmentFile=-/etc/sysconfig/keycloak
 PIDFile={{ keycloak_quarkus_service_pidfile }}
 {% if keycloak_quarkus_start_dev %}
 ExecStart={{ keycloak.home }}/bin/kc.sh start-dev
--- a/roles/keycloak_quarkus/templates/quarkus.properties.j2
+++ b/roles/keycloak_quarkus/templates/quarkus.properties.j2
@@ -1,4 +1,4 @@
-{{ ansible_managed | comment }}
+# {{ ansible_managed }}
 {% if keycloak_quarkus_ha_enabled %}
 {% if not rhbk_enable or keycloak_quarkus_version.split('.')[0]|int < 22 %}
 quarkus.infinispan-client.server-list={{ keycloak_quarkus_ispn_hosts }}
--- a/roles/keycloak_quarkus/vars/debian.yml
+++ b/roles/keycloak_quarkus/vars/debian.yml
@@ -1,11 +0,0 @@
 ---
 keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('openjdk-17-jdk-headless') }}"
 keycloak_quarkus_prereq_package_list:
      - "{{ keycloak_quarkus_varjvm_package }}"
      - unzip
      - procps
      - apt
      - tzdata
 keycloak_quarkus_sysconf_file: /etc/default/keycloak
 keycloak_quarkus_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_quarkus_varjvm_package | \
                                 regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
--- a/roles/keycloak_quarkus/vars/main.yml
+++ b/roles/keycloak_quarkus/vars/main.yml
@@ -1,11 +1,10 @@
 ---
-keycloak: # noqa var-naming this is an internal dict of interpolated values
+keycloak:
  home: "{{ keycloak_quarkus_home }}"
  config_dir: "{{ keycloak_quarkus_config_dir }}"
  bundle: "{{ keycloak_quarkus_archive }}"
  service_name: "keycloak"
-  health_url: "http://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_http_port }}{{ keycloak_quarkus_http_relative_path }}{{ '/' \
+  health_url: "http://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_http_port }}{{ keycloak_quarkus_http_relative_path }}{{ '/' if keycloak_quarkus_http_relative_path | length > 1 else '' }}realms/master/.well-known/openid-configuration"
               if keycloak_quarkus_http_relative_path | length > 1 else '' }}realms/master/.well-known/openid-configuration"
  cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh"
  service_user: "{{ keycloak_quarkus_service_user }}"
  service_group: "{{ keycloak_quarkus_service_group }}"
--- a/roles/keycloak_quarkus/vars/redhat.yml
+++ b/roles/keycloak_quarkus/vars/redhat.yml
@@ -1,10 +0,0 @@
 ---
 keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('java-17-openjdk-headless') }}"
 keycloak_quarkus_prereq_package_list:
      - "{{ keycloak_quarkus_varjvm_package }}"
      - unzip
      - procps-ng
      - initscripts
      - tzdata-java
 keycloak_quarkus_sysconf_file: /etc/sysconfig/keycloak
 keycloak_quarkus_pkg_java_home: "/etc/alternatives/jre_{{ keycloak_quarkus_varjvm_package | regex_search('(?<=java-)[0-9.]+') }}"
--- a/roles/keycloak_realm/defaults/main.yml
+++ b/roles/keycloak_realm/defaults/main.yml
@@ -26,7 +26,7 @@ keycloak_admin_password: ''
 # and users is a list of account, see below for the format definition
 # an empty name will skip the creation of the client
 #
-# keycloak_clients:
+#keycloak_clients:
 #  - name: ''
 #    roles: "{{ keycloak_client_default_roles }}"
 #    realm: "{{ keycloak_realm }}"
--- a/roles/keycloak_realm/meta/argument_specs.yml
+++ b/roles/keycloak_realm/meta/argument_specs.yml
@@ -112,7 +112,7 @@ argument_specs:
            sso_enable:
                default: true
                description: "Enable Red Hat Single Sign-on installation"
-                type: "bool"
+                type: "str"
            rhbk_version:
                default: "22.0.6"
                description: "Red Hat Build of Keycloak version"
@@ -132,4 +132,4 @@ argument_specs:
            rhbk_enable:
                default: true
                description: "Enable Red Hat Build of Keycloak installation"
-                type: "bool"
+                type: "str"
--- a/roles/keycloak_realm/tasks/main.yml
+++ b/roles/keycloak_realm/tasks/main.yml
@@ -41,7 +41,7 @@
    auth_realm: "{{ keycloak_auth_realm }}"
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
-    realm: "{{ item.realm | default(keycloak_realm) }}"
+    realm: "{{ item.realm }}"
    name: "{{ item.name }}"
    state: present
    provider_id: "{{ item.provider_id }}"
@@ -71,7 +71,7 @@
    auth_realm: "{{ keycloak_auth_realm }}"
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
-    realm: "{{ item.realm | default(keycloak_realm) }}"
+    realm: "{{ item.realm }}"
    default_roles: "{{ item.roles | default(omit) }}"
    client_id: "{{ item.client_id | default(omit) }}"
    id: "{{ item.id | default(omit) }}"
--- a/roles/keycloak_realm/tasks/manage_client_roles.yml
+++ b/roles/keycloak_realm/tasks/manage_client_roles.yml
@@ -1,7 +1,7 @@
 - name: Create client roles
  middleware_automation.keycloak.keycloak_role:
    name: "{{ item }}"
-    realm: "{{ client.realm | default(keycloak_realm) }}"
+    realm: "{{ client.realm }}"
    client_id: "{{ client.name }}"
    auth_client_id: "{{ keycloak_auth_client }}"
    auth_keycloak_url: "{{ keycloak_url }}{{ keycloak_context }}"
--- a/roles/keycloak_realm/tasks/manage_user_client_roles.yml
+++ b/roles/keycloak_realm/tasks/manage_user_client_roles.yml
@@ -1,7 +1,7 @@
 ---
 - name: "Get Realm for role"
  ansible.builtin.uri:
-    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | default(keycloak_realm) }}"
+    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm }}"
    method: GET
    status_code:
      - 200
@@ -12,9 +12,7 @@
 - name: Check if Mapping is available
  ansible.builtin.uri:
-    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | \
+    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
          default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | \
          selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
    method: GET
    status_code:
      - 200
@@ -25,9 +23,7 @@
 - name: "Create Role Mapping"
  ansible.builtin.uri:
-    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | \
+    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}"
          default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | \
          selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}"
    method: POST
    body:
      - id: "{{ item.id }}"
Author	SHA1	Message	Date
Romain Pelisse	57b3cb380b	Rework Molecule prepare phase to install sudo only if root on target	2024-03-04 21:30:23 +01:00
Romain Pelisse	d8286dfca7	Rework Molecule prepare phase to install sudo only if root on target	2024-03-04 21:13:06 +01:00