internet/ansible-middleware.keycloak
3
0
Fork 0
mirror of https://github.com/ansible-middleware/keycloak.git synced 2026-03-27 13:53:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: internet:2.2.2
Branches Tags
internet:main internet:gh-pages internet:feature/182_restart_handler internet:rhbk_mol_sudo
internet:3.0.3 internet:3.0.2 internet:3.0.1 internet:3.0.0 internet:2.4.3 internet:2.4.2 internet:2.4.1 internet:2.4.0 internet:2.3.0 internet:2.2.2 internet:2.2.1 internet:2.2.0 internet:2.1.2 internet:2.1.1 internet:2.1.0 internet:2.0.2 internet:2.0.1 internet:2.0.0 internet:1.3.0 internet:1.2.8 internet:1.2.7 internet:1.2.6 internet:1.2.5 internet:1.2.4 internet:1.2.1 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.7 internet:1.0.6 internet:1.0.5 internet:1.0.4 internet:1.0.3 internet:1.0.2 internet:1.0.1 internet:1.0.0 internet:v0.2.5 internet:v0.2.4 internet:v0.2.3 internet:0.2.2 internet:v0.2.1 internet:v0.2.0 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0 internet:v0.0.4 internet:v0.0.3 internet:v0.0.2 internet:v0.0.1
...
compare: internet:2.4.2
Branches Tags
internet:main internet:gh-pages internet:feature/182_restart_handler internet:rhbk_mol_sudo
internet:3.0.3 internet:3.0.2 internet:3.0.1 internet:3.0.0 internet:2.4.3 internet:2.4.2 internet:2.4.1 internet:2.4.0 internet:2.3.0 internet:2.2.2 internet:2.2.1 internet:2.2.0 internet:2.1.2 internet:2.1.1 internet:2.1.0 internet:2.0.2 internet:2.0.1 internet:2.0.0 internet:1.3.0 internet:1.2.8 internet:1.2.7 internet:1.2.6 internet:1.2.5 internet:1.2.4 internet:1.2.1 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.7 internet:1.0.6 internet:1.0.5 internet:1.0.4 internet:1.0.3 internet:1.0.2 internet:1.0.1 internet:1.0.0 internet:v0.2.5 internet:v0.2.4 internet:v0.2.3 internet:0.2.2 internet:v0.2.1 internet:v0.2.0 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0 internet:v0.0.4 internet:v0.0.3 internet:v0.0.2 internet:v0.0.1

79 Commits
2.2.2 ... 2.4.2

Author SHA1 Message Date
ansible-middleware-core
c8021f3102 Update changelog for release 2.4.2 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2024-09-26 08:52:04 +00:00
Guido Grazioli
0386254073 Merge pull request #239 from guidograzioli/238_controller_download_path 
New parameter `keycloak_quarkus_download_path`
 2024-09-26 10:35:18 +02:00
Guido Grazioli
b2edea8777 linter 2024-09-26 10:22:54 +02:00
Guido Grazioli
fc0ee5a896 refactor default test for keycloak-quarkus offline 2024-09-26 10:22:42 +02:00
Guido Grazioli
eb66d4a412 update prereqs validation 2024-09-26 10:22:28 +02:00
Guido Grazioli
f170257205 Add local download path 2024-09-24 09:21:10 +02:00
Guido Grazioli
3f4617c32c Merge pull request #237 from guidograzioli/236_waitfor_port_number 
Add wait_for_port number parameter
 2024-07-31 17:30:35 +02:00
Guido Grazioli
34caf6a490 add wait_for_port number parameter 2024-07-31 17:18:30 +02:00
Guido Grazioli
fa6ac99b34 Merge pull request #235 from guidograzioli/keycloak_realm_test 
add verify steps for quarkus/keycloak_realm
 2024-07-31 15:04:35 +02:00
Guido Grazioli
a35c963a65 add verify steps for quarkus/keycloak_realm 2024-07-18 13:01:01 +02:00
Guido Grazioli
11aab0f5e2 add verify steps for quarkus/keycloak_realm 2024-07-18 12:53:49 +02:00
ansible-middleware-core
fa2319d5da Bump version to 2.4.2 2024-07-02 14:23:53 +00:00
ansible-middleware-core
7c520dcdd2 Update changelog for release 2.4.1 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2024-07-02 14:23:37 +00:00
Guido Grazioli
35b3b090f6 ci: update READMEs 2024-07-02 15:59:16 +02:00
Guido Grazioli
94f1b8b355 ci: update README 2024-07-02 15:46:05 +02:00
Guido Grazioli
e40f554936 ci: add traffic wf 2024-06-27 11:02:32 +02:00
Guido Grazioli
64e2a95685 ci: add traffic wf 2024-06-27 11:01:38 +02:00
Guido Grazioli
c6fac7bb70 ci: add traffic wf 2024-06-27 11:00:29 +02:00
ansible-middleware-core
5f059e8d63 Bump version to 2.4.1 2024-06-04 15:44:35 +00:00
ansible-middleware-core
e927ddbb6c Update changelog for release 2.4.0 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2024-06-04 15:44:20 +00:00
Guido Grazioli
a82bdfbbb6 Bump to 2.4.0 2024-06-04 17:36:20 +02:00
Guido Grazioli
c850484e67 Merge pull request #234 from gionn/fix-restart-health-check-default 
Enable by default health check on restart
 2024-06-04 17:25:52 +02:00
Giovanni Toraldo
a4deaa005a Enable by default health check on restart 2024-06-04 17:00:11 +02:00
Guido Grazioli
4fb44091d6 ci: fix missing symlink 2024-05-30 08:44:04 +02:00
Guido Grazioli
883127d280 Merge pull request #232 from guidograzioli/linter_ansible_215 
Update minimum ansible-core version > 2.15
 2024-05-22 10:04:41 +02:00
Guido Grazioli
e69e5b7ba4 readme 2024-05-21 12:41:31 +02:00
Guido Grazioli
bf1871182b linter 2024-05-21 12:35:33 +02:00
Guido Grazioli
adfee5f6e1 ci 2024-05-21 12:34:11 +02:00
Guido Grazioli
ef53ca545a update yamllint 2024-05-21 12:31:40 +02:00
Guido Grazioli
2092c2d23a Update minimum ansible-core version > 2.15 2024-05-21 12:27:45 +02:00
ansible-middleware-core
8ca73364e9 Bump version to 2.3.1 2024-05-20 10:22:09 +00:00
ansible-middleware-core
df1939e387 Update changelog for release 2.3.0 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2024-05-20 10:21:55 +00:00
Guido Grazioli
0de0b654ee Merge pull request #227 from world-direct/feature/226 
`proxy-header` enhancement
 2024-05-16 16:49:06 +02:00
Helmut Wolf
62cbaa3596 Introduce keycloak_quarkus_show_deprecation_warnings, disabled in molecule tests 2024-05-16 16:30:57 +02:00
Helmut Wolf
92c24e49e7 #226: add proper default value for proxy-headers 2024-05-16 12:45:24 +02:00
Helmut Wolf
cc012767a4 #226 - add deprecation warning 2024-05-16 12:45:24 +02:00
Helmut Wolf
4d31117c16 Fix RHBK version 2024-05-16 12:45:24 +02:00
Helmut Wolf
0fd8eb52d2 #226: CR changes 2024-05-16 12:45:24 +02:00
Helmut Wolf
6f2ed4d53b Fix #226 - minor proxy-header enhancement 2024-05-16 12:45:24 +02:00
Guido Grazioli
1519d46f0e Merge pull request #231 from ansible-middleware/feature/182_restart_handler 
Restart handler strategy behaviour
 2024-05-16 11:25:02 +02:00
Guido Grazioli
4b21569f36 parameterize health check; refactor serial_then_parallel 2024-05-16 11:16:20 +02:00
Guido Grazioli
f63b20b9d4 Update verify steps 2024-05-15 20:01:58 +02:00
Guido Grazioli
fdcf1b2ed2 Add molecule scenario for HA restart 2024-05-15 19:53:33 +02:00
Guido Grazioli
c22389c86f address review reqs 2024-05-15 15:58:21 +02:00
Guido Grazioli
2d573c2b62 Add restart strategies, and allow custom task include 
Co-authored-by: Helmut Wolf <hwo@world-direct.at>
Co-authored-by: Guido Grazioli <ggraziol@redhat.com>
 2024-05-15 13:48:00 +02:00
Helmut Wolf
1e9a669dea #221 - add keycloak_quarkus_health_check_url_path config option 2024-05-15 10:28:46 +02:00
Helmut Wolf
db831fa339 #182 - CR changes 2024-05-15 10:17:32 +02:00
Helmut Wolf
d57be1f188 Close #182, #221: improve restart handler logic 2024-05-15 09:47:03 +02:00
Guido Grazioli
5adb28dcd8 Bump to 2.3.0 2024-05-15 09:22:45 +02:00
Guido Grazioli
477ce5eaa3 Merge pull request #223 from world-direct/feature/222_mvn_providers 
Feature/222  keycloak_quarkus: Add support for custom providers hosted on MVN
 2024-05-15 09:17:23 +02:00
Helmut Wolf
d2ece93c12 #222 Migrate to middleware_automation.common.maven_artifact 2024-05-14 20:33:29 +02:00
Guido Grazioli
1a23350a8f Merge pull request #229 from world-direct/feature/228_sysconfig_custom_env_variables 
Allow to add extra custom env vars in sysconfig file
 2024-05-14 17:06:49 +02:00
Helmut Wolf
26316ddc50 #222: add support for local providers to be uploaded 2024-05-14 11:59:16 +02:00
Helmut Wolf
6d01ffbb77 Close #228: add support for custom env vars in sysconfig file 2024-05-14 11:10:38 +02:00
Helmut Wolf
d87c8ca8ac wip 2024-05-14 10:14:43 +02:00
Helmut Wolf
d8e9620a8a #222: Molecule tests 2024-05-14 10:14:43 +02:00
Helmut Wolf
4b902adc8d #222: Add support for maven providers 2024-05-14 10:14:15 +02:00
Guido Grazioli
1b69191a6e Merge pull request #225 from world-direct/feature/224_policy_files 
#224:  keycloak_quarkus: Add support for policy files
 2024-05-14 09:11:51 +02:00
Helmut Wolf
6682853a2d #224: Add missing argument specs 2024-05-14 08:58:57 +02:00
Helmut Wolf
9f4623b05a #224: keycloak_quarkus: Add support for policy files 2024-05-14 08:36:55 +02:00
Guido Grazioli
599ce0179c Merge pull request #220 from guidograzioli/rhbk_alternate_download_location 
Download from alternate URL with optional http authentication
 2024-05-10 15:33:51 +02:00
Guido Grazioli
8f14be37d7 add functionality 2024-05-10 10:17:37 +02:00
Guido Grazioli
3076c3d5ce Merge pull request #218 from Footur/update-keycloak-v24.0.4 
Update Keycloak to version 24.0.4
 2024-05-09 11:08:47 +02:00
Guido Grazioli
6610a310ff Merge pull request #217 from guidograzioli/major_upgrade_test 
Port downstream upgrade
 2024-05-09 11:08:23 +02:00
Footur
fcf629d05e Update Keycloak to version 24.0.4 2024-05-09 09:24:47 +02:00
Guido Grazioli
4bbc8e0256 update systemd service name in verify 2024-05-08 19:14:04 +02:00
Guido Grazioli
4c96cbe7f6 use sane version to be upgraded 2024-05-08 19:09:59 +02:00
Guido Grazioli
22f5ad902f add test to github actions 2024-05-08 19:05:24 +02:00
Guido Grazioli
3c22417674 Port downstream upgrade 2024-05-08 19:03:30 +02:00
Guido Grazioli
cd36eacb07 Merge pull request #215 from world-direct/feature/214_sqlserver_jdbc_version 
Close #214: RHBK 24.*: Update sqlserver JDBC version
 2024-05-08 18:45:03 +02:00
Helmut Wolf
a019823871 Close #214: RHBK 24.*: Update sqlserver JDBC version 2024-05-08 17:15:50 +02:00
Guido Grazioli
3863508df5 Merge pull request #213 from guidograzioli/2_2_3_linter 
Linter warnings fix pass
 2024-05-07 10:30:16 +02:00
Guido Grazioli
1115ee409a Linter warnings fix pass 2024-05-07 10:18:43 +02:00
Guido Grazioli
b497e946cc Bump tp 2.2.3 2024-05-07 09:47:12 +02:00
Guido Grazioli
5067c03201 Merge pull request #211 from guidograzioli/keycloak_rebuild_java_home 
`kc.sh build` uses configured jdk
 2024-05-06 13:13:20 +02:00
Guido Grazioli
a45b18dc85 kc.sh build uses configured jdk 2024-05-06 13:08:41 +02:00
Guido Grazioli
70834ccf13 downstream: remove problematic owner of downloaded zipfile 2024-05-06 12:03:44 +02:00
Guido Grazioli
2a7395c444 downstream: update default to rhbk 24.0.3 2024-05-06 11:20:00 +02:00
ansible-middleware-core
4da0e83ae9 Bump version to 2.2.3 2024-05-06 08:11:28 +00:00
71 changed files with 1902 additions and 282 deletions
Expand all files Collapse all files

4
.ansible-lint
View File

@@ -28,14 +28,16 @@ warn_list:
- name[casing]
- fqcn[action]
- schema[meta]
- var-naming[no-role-prefix]
- key-order[task]
- blocked_modules
- run-once[task]
skip_list:
- vars_should_not_be_used
- file_is_small_enough
- file_has_valid_name
- name[template]
- var-naming[no-role-prefix]
use_default_rules: true
parseable: true

3
.github/workflows/ci.yml vendored
View File

@@ -5,6 +5,7 @@ on:
branches:
- main
pull_request:
workflow_dispatch:
schedule:
- cron: '15 6 * * *'
@@ -15,4 +16,4 @@ jobs:
with:
fqcn: 'middleware_automation/keycloak'
molecule_tests: >-
[ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "debian" ]
[ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "quarkus_upgrade", "debian", "quarkus_ha" ]

26
.github/workflows/traffic.yml vendored Normal file
View File

@@ -0,0 +1,26 @@
name: Collect traffic stats
on:
schedule:
- cron: "51 23 * * 0"
workflow_dispatch:
jobs:
traffic:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
ref: "gh-pages"
- name: GitHub traffic
uses: sangonzal/repository-traffic-action@v.0.1.6
env:
TRAFFIC_ACTION_TOKEN: ${{ secrets.TRIGGERING_PAT }}
- name: Commit changes
uses: EndBug/add-and-commit@v4
with:
author_name: Ansible Middleware
message: "GitHub traffic"
add: "./traffic/*"
ref: "gh-pages"

2
.gitignore vendored
View File

@@ -12,3 +12,5 @@ docs/_build/
*.retry
changelogs/.plugin-cache.yaml
*.pem
*.key
*.p12

9
.yamllint
View File

@@ -15,7 +15,8 @@ rules:
commas:
max-spaces-after: -1
level: error
comments: disable
comments:
min-spaces-from-content: 1
comments-indentation: disable
document-start: disable
empty-lines:
@@ -30,4 +31,8 @@ rules:
new-lines:
type: unix
trailing-spaces: disable
truthy: disable
truthy: disable
octal-values:
forbid-implicit-octal: true
forbid-explicit-octal: true

53
CHANGELOG.rst
View File

@@ -6,6 +6,59 @@ middleware\_automation.keycloak Release Notes
This changelog describes changes after version 0.2.6.
v2.4.2
======
Minor Changes
-------------
- New parameter ``keycloak_quarkus_download_path`` `#239 <https://github.com/ansible-middleware/keycloak/pull/239>`_
Bugfixes
--------
- Add wait_for_port number parameter `#237 <https://github.com/ansible-middleware/keycloak/pull/237>`_
v2.4.1
======
Release Summary
---------------
Internal release, documentation or test changes only.
v2.4.0
======
Major Changes
-------------
- Enable by default health check on restart `#234 <https://github.com/ansible-middleware/keycloak/pull/234>`_
- Update minimum ansible-core version > 2.15 `#232 <https://github.com/ansible-middleware/keycloak/pull/232>`_
v2.3.0
======
Major Changes
-------------
- Allow for custom providers hosted on maven repositories `#223 <https://github.com/ansible-middleware/keycloak/pull/223>`_
- Restart handler strategy behaviour `#231 <https://github.com/ansible-middleware/keycloak/pull/231>`_
Minor Changes
-------------
- Add support for policy files `#225 <https://github.com/ansible-middleware/keycloak/pull/225>`_
- Allow to add extra custom env vars in sysconfig file `#229 <https://github.com/ansible-middleware/keycloak/pull/229>`_
- Download from alternate URL with optional http authentication `#220 <https://github.com/ansible-middleware/keycloak/pull/220>`_
- Update Keycloak to version 24.0.4 `#218 <https://github.com/ansible-middleware/keycloak/pull/218>`_
- ``proxy-header`` enhancement `#227 <https://github.com/ansible-middleware/keycloak/pull/227>`_
Bugfixes
--------
- ``kc.sh build`` uses configured jdk `#211 <https://github.com/ansible-middleware/keycloak/pull/211>`_
v2.2.2
======

8
README.md
View File

@@ -6,12 +6,13 @@
> **_NOTE:_ If you are Red Hat customer, install `redhat.sso` (for Red Hat Single Sign-On) or `redhat.rhbk` (for Red Hat Build of Keycloak) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.**
<!--end build_status -->
<!--start description -->
Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) / [Red Hat Build of Keycloak](https://access.redhat.com/products/red-hat-build-of-keycloak).
<!--end description -->
<!--start requires_ansible-->
## Ansible version compatibility
This collection has been tested against following Ansible versions: **>=2.14.0**.
This collection has been tested against following Ansible versions: **>=2.15.0**.
Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
<!--end requires_ansible-->
@@ -39,6 +40,7 @@ collections:
The keycloak collection also depends on the following python packages to be present on the controller host:
* netaddr
* lxml
A requirement file is provided to install:
@@ -100,7 +102,7 @@ ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e
localhost ansible_connection=local
```
Note: when deploying clustered configurations, all hosts belonging to the cluster must be present in ansible_play_batch; ie. they must be targeted by the same ansible-playbook execution.
Note: when deploying clustered configurations, all hosts belonging to the cluster must be present in `ansible_play_batch`; ie. they must be targeted by the same ansible-playbook execution.
## Configuration

72
changelogs/changelog.yaml
View File

@@ -532,3 +532,75 @@ releases:
- 209.yaml
- 210.yaml
release_date: '2024-05-06'
2.3.0:
changes:
bugfixes:
- '``kc.sh build`` uses configured jdk `#211 <https://github.com/ansible-middleware/keycloak/pull/211>`_
'
major_changes:
- 'Allow for custom providers hosted on maven repositories `#223 <https://github.com/ansible-middleware/keycloak/pull/223>`_
'
- 'Restart handler strategy behaviour `#231 <https://github.com/ansible-middleware/keycloak/pull/231>`_
'
minor_changes:
- 'Add support for policy files `#225 <https://github.com/ansible-middleware/keycloak/pull/225>`_
'
- 'Allow to add extra custom env vars in sysconfig file `#229 <https://github.com/ansible-middleware/keycloak/pull/229>`_
'
- 'Download from alternate URL with optional http authentication `#220 <https://github.com/ansible-middleware/keycloak/pull/220>`_
'
- 'Update Keycloak to version 24.0.4 `#218 <https://github.com/ansible-middleware/keycloak/pull/218>`_
'
- '``proxy-header`` enhancement `#227 <https://github.com/ansible-middleware/keycloak/pull/227>`_
'
fragments:
- 211.yaml
- 218.yaml
- 220.yaml
- 223.yaml
- 225.yaml
- 227.yaml
- 229.yaml
- 231.yaml
release_date: '2024-05-20'
2.4.0:
changes:
major_changes:
- 'Enable by default health check on restart `#234 <https://github.com/ansible-middleware/keycloak/pull/234>`_
'
- 'Update minimum ansible-core version > 2.15 `#232 <https://github.com/ansible-middleware/keycloak/pull/232>`_
'
fragments:
- 232.yaml
- 234.yaml
release_date: '2024-06-04'
2.4.1:
changes:
release_summary: Internal release, documentation or test changes only.
fragments:
- v2.4.1-devel_summary.yaml
release_date: '2024-07-02'
2.4.2:
changes:
bugfixes:
- 'Add wait_for_port number parameter `#237 <https://github.com/ansible-middleware/keycloak/pull/237>`_
'
minor_changes:
- 'New parameter ``keycloak_quarkus_download_path`` `#239 <https://github.com/ansible-middleware/keycloak/pull/239>`_
'
fragments:
- 237.yaml
- 239.yaml
release_date: '2024-09-26'

32
changelogs/config.yaml
View File

@@ -11,22 +11,22 @@ notesdir: fragments
prelude_section_name: release_summary
prelude_section_title: Release Summary
sections:
- - major_changes
- Major Changes
- - minor_changes
- Minor Changes
- - breaking_changes
- Breaking Changes / Porting Guide
- - deprecated_features
- Deprecated Features
- - removed_features
- Removed Features
- - security_fixes
- Security Fixes
- - bugfixes
- Bugfixes
- - known_issues
- Known Issues
- - major_changes
- Major Changes
- - minor_changes
- Minor Changes
- - breaking_changes
- Breaking Changes / Porting Guide
- - deprecated_features
- Deprecated Features
- - removed_features
- Removed Features
- - security_fixes
- Security Fixes
- - bugfixes
- Bugfixes
- - known_issues
- Known Issues
title: middleware_automation.keycloak
trivial_section_name: trivial
use_fqcn: true

4
galaxy.yml
View File

@@ -1,7 +1,7 @@
---
namespace: middleware_automation
name: keycloak
version: "2.2.2"
version: "2.4.2"
readme: README.md
authors:
- Romain Pelisse <rpelisse@redhat.com>
@@ -26,7 +26,7 @@ tags:
- middleware
- a4mw
dependencies:
"middleware_automation.common": ">=1.1.0"
"middleware_automation.common": ">=1.2.1"
"ansible.posix": ">=1.4.0"
repository: https://github.com/ansible-middleware/keycloak
documentation: https://ansible-middleware.github.io/keycloak

0
github.json
View File

2
meta/runtime.yml
View File

@@ -1,2 +1,2 @@
---
requires_ansible: ">=2.14.0"
requires_ansible: ">=2.15.0"

1
molecule/debian/converge.yml
View File

@@ -2,6 +2,7 @@
- name: Converge
hosts: all
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_realm: TestRealm
keycloak_quarkus_log: file

97
molecule/default/converge.yml
View File

@@ -2,61 +2,46 @@
- name: Converge
hosts: all
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_admin_password: "remembertochangeme"
keycloak_jvm_package: java-11-openjdk-headless
keycloak_modcluster_enabled: True
keycloak_modcluster_urls:
- host: myhost1
port: 16667
- host: myhost2
port: 16668
keycloak_jboss_port_offset: 10
keycloak_log_target: /tmp/keycloak
keycloak_quarkus_host: instance
keycloak_quarkus_log: file
keycloak_quarkus_log_level: debug
keycloak_quarkus_log_target: /tmp/keycloak
keycloak_quarkus_start_dev: True
keycloak_quarkus_proxy_mode: none
keycloak_quarkus_offline_install: true
keycloak_quarkus_download_path: /tmp/keycloak/
roles:
- role: keycloak
tasks:
- name: Keycloak Realm Role
ansible.builtin.include_role:
name: keycloak_realm
vars:
keycloak_client_default_roles:
- TestRoleAdmin
- TestRoleUser
keycloak_client_users:
- username: TestUser
password: password
client_roles:
- client: TestClient
role: TestRoleUser
realm: "{{ keycloak_realm }}"
- username: TestAdmin
password: password
client_roles:
- client: TestClient
role: TestRoleUser
realm: "{{ keycloak_realm }}"
- client: TestClient
role: TestRoleAdmin
realm: "{{ keycloak_realm }}"
keycloak_realm: TestRealm
keycloak_clients:
- name: TestClient
roles: "{{ keycloak_client_default_roles }}"
realm: "{{ keycloak_realm }}"
public_client: "{{ keycloak_client_public }}"
web_origins: "{{ keycloak_client_web_origins }}"
users: "{{ keycloak_client_users }}"
client_id: TestClient
attributes:
post.logout.redirect.uris: '/public/logout'
pre_tasks:
- name: "Retrieve assets server from env"
ansible.builtin.set_fact:
assets_server: "{{ lookup('env', 'MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
- name: "Set offline when assets server from env is defined"
ansible.builtin.set_fact:
sso_offline_install: True
when:
- assets_server is defined
- assets_server | length > 0
- role: keycloak_quarkus
- role: keycloak_realm
keycloak_context: ''
keycloak_client_default_roles:
- TestRoleAdmin
- TestRoleUser
keycloak_client_users:
- username: TestUser
password: password
client_roles:
- client: TestClient
role: TestRoleUser
realm: "{{ keycloak_realm }}"
- username: TestAdmin
password: password
client_roles:
- client: TestClient
role: TestRoleUser
realm: "{{ keycloak_realm }}"
- client: TestClient
role: TestRoleAdmin
realm: "{{ keycloak_realm }}"
keycloak_realm: TestRealm
keycloak_clients:
- name: TestClient
roles: "{{ keycloak_client_default_roles }}"
realm: "{{ keycloak_realm }}"
public_client: "{{ keycloak_client_public }}"
web_origins: "{{ keycloak_client_web_origins }}"
users: "{{ keycloak_client_users }}"
client_id: TestClient

28
molecule/default/prepare.yml
View File

@@ -12,18 +12,18 @@
- "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip"
- "{{ assets_server }}/sso/7.6.1/rh-sso-7.6.1-patch.zip"
- name: Install JDK8
become: yes
ansible.builtin.yum:
name:
- java-1.8.0-openjdk
state: present
when: ansible_facts['os_family'] == "RedHat"
- name: Create controller directory for downloads
ansible.builtin.file: # noqa risky-file-permissions delegated, uses controller host user
path: /tmp/keycloak
state: directory
mode: '0750'
delegate_to: localhost
run_once: true
- name: Install JDK8
become: yes
ansible.builtin.apt:
name:
- openjdk-8-jdk
state: present
when: ansible_facts['os_family'] == "Debian"
- name: Download keycloak archive to controller directory
ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
url: https://github.com/keycloak/keycloak/releases/download/24.0.4/keycloak-24.0.4.zip
dest: /tmp/keycloak
mode: '0640'
delegate_to: localhost
run_once: true

69
molecule/default/verify.yml
View File

@@ -3,10 +3,7 @@
hosts: all
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_jvm_package: java-11-openjdk-headless
keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
keycloak_jboss_port_offset: 10
keycloak_uri: "http://localhost:8080"
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
@@ -15,16 +12,9 @@
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"
- ansible_facts.services["keycloak.service"]["status"] == "enabled"
- name: Verify we are running on requested jvm # noqa blocked_modules command-instead-of-module
ansible.builtin.shell: |
set -o pipefail
ps -ef | grep '/etc/alternatives/jre_11/' | grep -v grep
args:
executable: /bin/bash
changed_when: no
- name: Verify token api call
ansible.builtin.uri:
url: "{{ keycloak_uri }}/auth/realms/master/protocol/openid-connect/token"
url: "{{ keycloak_uri }}/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no
@@ -32,58 +22,3 @@
until: keycloak_auth_response.status == 200
retries: 2
delay: 2
- name: Fetch openid-connect config
ansible.builtin.uri:
url: "{{ keycloak_uri }}/auth/realms/TestRealm/.well-known/openid-configuration"
method: GET
validate_certs: no
status_code: 200
register: keycloak_openid_config
- name: Verify expected config
ansible.builtin.assert:
that:
- keycloak_openid_config.json.registration_endpoint == 'http://localhost:8080/auth/realms/TestRealm/clients-registrations/openid-connect'
- name: Get test realm clients
ansible.builtin.uri:
url: "{{ keycloak_uri }}/auth/admin/realms/TestRealm/clients"
method: GET
validate_certs: no
status_code: 200
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_query_clients
- name: Verify expected config
ansible.builtin.assert:
that:
- (keycloak_query_clients.json | selectattr('clientId','equalto','TestClient') | first)["attributes"]["post.logout.redirect.uris"] == '/public/logout'
- name: "Privilege escalation as some files/folders may requires it"
become: yes
block:
- name: Check log folder
ansible.builtin.stat:
path: "/tmp/keycloak"
register: keycloak_log_folder
- name: Check that keycloak log folder exists and is a link
ansible.builtin.assert:
that:
- keycloak_log_folder.stat.exists
- not keycloak_log_folder.stat.isdir
- keycloak_log_folder.stat.islnk
- name: Check log file
ansible.builtin.stat:
path: "/tmp/keycloak/server.log"
register: keycloak_log_file
- name: Check if keycloak file exists
ansible.builtin.assert:
that:
- keycloak_log_file.stat.exists
- not keycloak_log_file.stat.isdir
- name: Check default log folder
ansible.builtin.stat:
path: "/var/log/keycloak"
register: keycloak_default_log_folder
failed_when: false
- name: Check that default keycloak log folder doesn't exist
ansible.builtin.assert:
that:
- not keycloak_default_log_folder.stat.exists

3
molecule/https_revproxy/converge.yml
View File

@@ -1,7 +1,8 @@
---
- name: Converge
hosts: all
vars:
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_admin_password: "remembertochangeme"
keycloak_realm: TestRealm

3
molecule/quarkus-devmode/converge.yml
View File

@@ -1,7 +1,8 @@
---
- name: Converge
hosts: all
vars:
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_admin_password: "remembertochangeme"
keycloak_realm: TestRealm

19
molecule/quarkus/converge.yml
View File

@@ -2,12 +2,13 @@
- name: Converge
hosts: all
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_admin_password: "remembertochangeme"
keycloak_realm: TestRealm
keycloak_quarkus_host: instance
keycloak_quarkus_log: file
keycloak_quarkus_log_level: debug
keycloak_quarkus_log_level: debug # needed for the verify step
keycloak_quarkus_https_key_file_enabled: true
keycloak_quarkus_key_file_copy_enabled: true
keycloak_quarkus_key_content: "{{ lookup('file', 'key.pem') }}"
@@ -31,6 +32,22 @@
value: 10
- id: spid-saml
url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
- id: keycloak-kerberos-federation
maven:
repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4
group_id: org.keycloak
artifact_id: keycloak-kerberos-federation
version: 24.0.4 # optional
# username: myUser # optional
# password: myPAT # optional
# - id: my-static-theme
# local_path: /tmp/my-static-theme.jar
keycloak_quarkus_policies:
- name: "xato-net-10-million-passwords.txt"
url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt"
- name: "xato-net-10-million-passwords-10.txt"
url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords-10.txt"
type: password-blacklists
roles:
- role: keycloak_quarkus
- role: keycloak_realm

6
molecule/quarkus/prepare.yml
View File

@@ -12,14 +12,14 @@
- name: Create certificate request
ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
delegate_to: localhost
changed_when: False
changed_when: false
- name: Create vault directory
become: true
ansible.builtin.file:
state: directory
path: "/opt/keycloak/vault"
mode: 0755
mode: '0755'
- name: Make sure a jre is available (for keytool to prepare keystore)
delegate_to: localhost
@@ -41,4 +41,4 @@
ansible.builtin.copy:
src: keystore.p12
dest: /opt/keycloak/vault/keystore.p12
mode: 0444
mode: '0444'

41
molecule/quarkus/verify.yml
View File

@@ -1,6 +1,8 @@
---
- name: Verify
hosts: all
vars:
keycloak_admin_password: "remembertochangeme"
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
@@ -84,3 +86,42 @@
changed_when: false
failed_when: slurped_log.rc != 0
register: slurped_log
- name: Verify token api call
ansible.builtin.uri:
url: "https://instance:8443/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no
register: keycloak_auth_response
until: keycloak_auth_response.status == 200
retries: 2
delay: 2
- name: "Get Clients"
ansible.builtin.uri:
url: "https://instance:8443/admin/realms/TestRealm/clients"
headers:
validate_certs: false
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_clients
- name: Get client uuid
ansible.builtin.set_fact:
keycloak_client_uuid: "{{ ((keycloak_clients.json | selectattr('clientId', '==', 'TestClient')) | first).id }}"
- name: "Get Client {{ keycloak_client_uuid }}"
ansible.builtin.uri:
url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}"
headers:
validate_certs: false
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_test_client
- name: "Get Client roles"
ansible.builtin.uri:
url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}/roles"
headers:
validate_certs: false
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_test_client_roles

30
molecule/quarkus_ha/converge.yml Normal file
View File

@@ -0,0 +1,30 @@
---
- name: Converge
hosts: keycloak
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_admin_password: "remembertochangeme"
keycloak_realm: TestRealm
keycloak_quarkus_host: "{{ inventory_hostname }}"
keycloak_quarkus_log: file
keycloak_quarkus_log_level: info
keycloak_quarkus_https_key_file_enabled: true
keycloak_quarkus_key_file_copy_enabled: true
keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}"
keycloak_quarkus_cert_file_copy_enabled: true
keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem"
keycloak_quarkus_ks_vault_enabled: true
keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
keycloak_quarkus_ks_vault_pass: keystorepassword
keycloak_quarkus_systemd_wait_for_port: true
keycloak_quarkus_systemd_wait_for_timeout: 20
keycloak_quarkus_systemd_wait_for_delay: 2
keycloak_quarkus_systemd_wait_for_log: true
keycloak_quarkus_ha_enabled: true
keycloak_quarkus_restart_strategy: restart/serial.yml
keycloak_quarkus_db_user: keycloak
keycloak_quarkus_db_pass: mysecretpass
keycloak_quarkus_jdbc_url: jdbc:postgresql://postgres:5432/keycloak
roles:
- role: keycloak_quarkus

79
molecule/quarkus_ha/molecule.yml Normal file
View File

@@ -0,0 +1,79 @@
---
driver:
name: docker
platforms:
- name: instance1
image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
groups:
- keycloak
networks:
- name: rhbk
port_bindings:
- "8080/tcp"
- "8443/tcp"
- name: instance2
image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
groups:
- keycloak
networks:
- name: rhbk
port_bindings:
- "8080/tcp"
- "8443/tcp"
- name: postgres
image: ubuntu/postgres:14-22.04_beta
pre_build_image: true
privileged: true
command: postgres
groups:
- database
networks:
- name: rhbk
port_bindings:
- "5432/tcp"
mounts:
- type: bind
target: /etc/postgresql/postgresql.conf
source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf
env:
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: mysecretpass
POSTGRES_DB: keycloak
POSTGRES_HOST_AUTH_METHOD: trust
provisioner:
name: ansible
config_options:
defaults:
interpreter_python: auto_silent
ssh_connection:
pipelining: false
playbooks:
prepare: prepare.yml
converge: converge.yml
verify: verify.yml
inventory:
host_vars:
localhost:
ansible_python_interpreter: "{{ ansible_playbook_python }}"
env:
ANSIBLE_FORCE_COLOR: "true"
verifier:
name: ansible
scenario:
test_sequence:
- cleanup
- destroy
- create
- prepare
- converge
- idempotence
- side_effect
- verify
- cleanup
- destroy

750
molecule/quarkus_ha/postgresql/postgresql.conf Normal file
View File

@@ -0,0 +1,750 @@
# -----------------------------
# PostgreSQL configuration file
# -----------------------------
#
# This file consists of lines of the form:
#
# name = value
#
# (The "=" is optional.) Whitespace may be used. Comments are introduced with
# "#" anywhere on a line. The complete list of parameter names and allowed
# values can be found in the PostgreSQL documentation.
#
# The commented-out settings shown in this file represent the default values.
# Re-commenting a setting is NOT sufficient to revert it to the default value;
# you need to reload the server.
#
# This file is read on server startup and when the server receives a SIGHUP
# signal. If you edit the file on a running system, you have to SIGHUP the
# server for the changes to take effect, run "pg_ctl reload", or execute
# "SELECT pg_reload_conf()". Some parameters, which are marked below,
# require a server shutdown and restart to take effect.
#
# Any parameter can also be given as a command-line option to the server, e.g.,
# "postgres -c log_connections=on". Some parameters can be changed at run time
# with the "SET" SQL command.
#
# Memory units: kB = kilobytes Time units: ms = milliseconds
# MB = megabytes s = seconds
# GB = gigabytes min = minutes
# TB = terabytes h = hours
# d = days
#------------------------------------------------------------------------------
# FILE LOCATIONS
#------------------------------------------------------------------------------
# The default values of these variables are driven from the -D command-line
# option or PGDATA environment variable, represented here as ConfigDir.
#data_directory = 'ConfigDir' # use data in another directory
# (change requires restart)
#hba_file = 'ConfigDir/pg_hba.conf' # host-based authentication file
# (change requires restart)
#ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file
# (change requires restart)
# If external_pid_file is not explicitly set, no extra PID file is written.
#external_pid_file = '' # write an extra PID file
# (change requires restart)
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
listen_addresses = '*' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
#port = 5432 # (change requires restart)
#max_connections = 100 # (change requires restart)
#superuser_reserved_connections = 3 # (change requires restart)
#unix_socket_directories = '/tmp' # comma-separated list of directories
# (change requires restart)
#unix_socket_group = '' # (change requires restart)
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
# (change requires restart)
#bonjour = off # advertise server via Bonjour
# (change requires restart)
#bonjour_name = '' # defaults to the computer name
# (change requires restart)
# - TCP settings -
# see "man 7 tcp" for details
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
# 0 selects the system default
#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
# 0 selects the system default
#tcp_keepalives_count = 0 # TCP_KEEPCNT;
# 0 selects the system default
#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds;
# 0 selects the system default
# - Authentication -
#authentication_timeout = 1min # 1s-600s
#password_encryption = md5 # md5 or scram-sha-256
#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = ''
#krb_caseins_users = off
# - SSL -
#ssl = off
#ssl_ca_file = ''
#ssl_cert_file = 'server.crt'
#ssl_crl_file = ''
#ssl_key_file = 'server.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off
#------------------------------------------------------------------------------
# RESOURCE USAGE (except WAL)
#------------------------------------------------------------------------------
# - Memory -
#shared_buffers = 32MB # min 128kB
# (change requires restart)
#huge_pages = try # on, off, or try
# (change requires restart)
#temp_buffers = 8MB # min 800kB
#max_prepared_transactions = 0 # zero disables the feature
# (change requires restart)
# Caution: it is not advisable to set max_prepared_transactions nonzero unless
# you actively intend to use prepared transactions.
#work_mem = 4MB # min 64kB
#maintenance_work_mem = 64MB # min 1MB
#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
#max_stack_depth = 2MB # min 100kB
#shared_memory_type = mmap # the default is the first option
# supported by the operating system:
# mmap
# sysv
# windows
# (change requires restart)
#dynamic_shared_memory_type = posix # the default is the first option
# supported by the operating system:
# posix
# sysv
# windows
# mmap
# (change requires restart)
# - Disk -
#temp_file_limit = -1 # limits per-process temp file space
# in kB, or -1 for no limit
# - Kernel Resources -
#max_files_per_process = 1000 # min 25
# (change requires restart)
# - Cost-Based Vacuum Delay -
#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables)
#vacuum_cost_page_hit = 1 # 0-10000 credits
#vacuum_cost_page_miss = 10 # 0-10000 credits
#vacuum_cost_page_dirty = 20 # 0-10000 credits
#vacuum_cost_limit = 200 # 1-10000 credits
# - Background Writer -
#bgwriter_delay = 200ms # 10-10000ms between rounds
#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
#bgwriter_flush_after = 0 # measured in pages, 0 disables
# - Asynchronous Behavior -
#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
#max_worker_processes = 8 # (change requires restart)
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
#parallel_leader_participation = on
#max_parallel_workers = 8 # maximum number of max_worker_processes that
# can be used in parallel operations
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
# (change requires restart)
#backend_flush_after = 0 # measured in pages, 0 disables
#------------------------------------------------------------------------------
# WRITE-AHEAD LOG
#------------------------------------------------------------------------------
# - Settings -
#wal_level = replica # minimal, replica, or logical
# (change requires restart)
#fsync = on # flush data to disk for crash safety
# (turning this off can cause
# unrecoverable data corruption)
#synchronous_commit = on # synchronization level;
# off, local, remote_write, remote_apply, or on
#wal_sync_method = fsync # the default is the first option
# supported by the operating system:
# open_datasync
# fdatasync (default on Linux)
# fsync
# fsync_writethrough
# open_sync
#full_page_writes = on # recover from partial page writes
#wal_compression = off # enable compression of full-page writes
#wal_log_hints = off # also do full page writes of non-critical updates
# (change requires restart)
#wal_init_zero = on # zero-fill new WAL files
#wal_recycle = on # recycle WAL files
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
# (change requires restart)
#wal_writer_delay = 200ms # 1-10000 milliseconds
#wal_writer_flush_after = 1MB # measured in pages, 0 disables
#commit_delay = 0 # range 0-100000, in microseconds
#commit_siblings = 5 # range 1-1000
# - Checkpoints -
#checkpoint_timeout = 5min # range 30s-1d
#max_wal_size = 1GB
#min_wal_size = 80MB
#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
#checkpoint_flush_after = 0 # measured in pages, 0 disables
#checkpoint_warning = 30s # 0 disables
# - Archiving -
#archive_mode = off # enables archiving; off, on, or always
# (change requires restart)
#archive_command = '' # command to use to archive a logfile segment
# placeholders: %p = path of file to archive
# %f = file name only
# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
#archive_timeout = 0 # force a logfile segment switch after this
# number of seconds; 0 disables
# - Archive Recovery -
# These are only used in recovery mode.
#restore_command = '' # command to use to restore an archived logfile segment
# placeholders: %p = path of file to restore
# %f = file name only
# e.g. 'cp /mnt/server/archivedir/%f %p'
# (change requires restart)
#archive_cleanup_command = '' # command to execute at every restartpoint
#recovery_end_command = '' # command to execute at completion of recovery
# - Recovery Target -
# Set these only when performing a targeted recovery.
#recovery_target = '' # 'immediate' to end recovery as soon as a
# consistent state is reached
# (change requires restart)
#recovery_target_name = '' # the named restore point to which recovery will proceed
# (change requires restart)
#recovery_target_time = '' # the time stamp up to which recovery will proceed
# (change requires restart)
#recovery_target_xid = '' # the transaction ID up to which recovery will proceed
# (change requires restart)
#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed
# (change requires restart)
#recovery_target_inclusive = on # Specifies whether to stop:
# just after the specified recovery target (on)
# just before the recovery target (off)
# (change requires restart)
#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID
# (change requires restart)
#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown'
# (change requires restart)
#------------------------------------------------------------------------------
# REPLICATION
#------------------------------------------------------------------------------
# - Sending Servers -
# Set these on the master and on any standby that will send replication data.
#max_wal_senders = 10 # max number of walsender processes
# (change requires restart)
#wal_keep_segments = 0 # in logfile segments; 0 disables
#wal_sender_timeout = 60s # in milliseconds; 0 disables
#max_replication_slots = 10 # max number of replication slots
# (change requires restart)
#track_commit_timestamp = off # collect timestamp of transaction commit
# (change requires restart)
# - Master Server -
# These settings are ignored on a standby server.
#synchronous_standby_names = '' # standby servers that provide sync rep
# method to choose sync standbys, number of sync standbys,
# and comma-separated list of application_name
# from standby(s); '*' = all
#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
# - Standby Servers -
# These settings are ignored on a master server.
#primary_conninfo = '' # connection string to sending server
# (change requires restart)
#primary_slot_name = '' # replication slot on sending server
# (change requires restart)
#promote_trigger_file = '' # file name whose presence ends recovery
#hot_standby = on # "off" disallows queries during recovery
# (change requires restart)
#max_standby_archive_delay = 30s # max delay before canceling queries
# when reading WAL from archive;
# -1 allows indefinite delay
#max_standby_streaming_delay = 30s # max delay before canceling queries
# when reading streaming WAL;
# -1 allows indefinite delay
#wal_receiver_status_interval = 10s # send replies at least this often
# 0 disables
#hot_standby_feedback = off # send info from standby to prevent
# query conflicts
#wal_receiver_timeout = 60s # time that receiver waits for
# communication from master
# in milliseconds; 0 disables
#wal_retrieve_retry_interval = 5s # time to wait before retrying to
# retrieve WAL after a failed attempt
#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery
# - Subscribers -
# These settings are ignored on a publisher.
#max_logical_replication_workers = 4 # taken from max_worker_processes
# (change requires restart)
#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers
#------------------------------------------------------------------------------
# QUERY TUNING
#------------------------------------------------------------------------------
# - Planner Method Configuration -
#enable_bitmapscan = on
#enable_hashagg = on
#enable_hashjoin = on
#enable_indexscan = on
#enable_indexonlyscan = on
#enable_material = on
#enable_mergejoin = on
#enable_nestloop = on
#enable_parallel_append = on
#enable_seqscan = on
#enable_sort = on
#enable_tidscan = on
#enable_partitionwise_join = off
#enable_partitionwise_aggregate = off
#enable_parallel_hash = on
#enable_partition_pruning = on
# - Planner Cost Constants -
#seq_page_cost = 1.0 # measured on an arbitrary scale
#random_page_cost = 4.0 # same scale as above
#cpu_tuple_cost = 0.01 # same scale as above
#cpu_index_tuple_cost = 0.005 # same scale as above
#cpu_operator_cost = 0.0025 # same scale as above
#parallel_tuple_cost = 0.1 # same scale as above
#parallel_setup_cost = 1000.0 # same scale as above
#jit_above_cost = 100000 # perform JIT compilation if available
# and query more expensive than this;
# -1 disables
#jit_inline_above_cost = 500000 # inline small functions if query is
# more expensive than this; -1 disables
#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if
# query is more expensive than this;
# -1 disables
#min_parallel_table_scan_size = 8MB
#min_parallel_index_scan_size = 512kB
#effective_cache_size = 4GB
# - Genetic Query Optimizer -
#geqo = on
#geqo_threshold = 12
#geqo_effort = 5 # range 1-10
#geqo_pool_size = 0 # selects default based on effort
#geqo_generations = 0 # selects default based on effort
#geqo_selection_bias = 2.0 # range 1.5-2.0
#geqo_seed = 0.0 # range 0.0-1.0
# - Other Planner Options -
#default_statistics_target = 100 # range 1-10000
#constraint_exclusion = partition # on, off, or partition
#cursor_tuple_fraction = 0.1 # range 0.0-1.0
#from_collapse_limit = 8
#join_collapse_limit = 8 # 1 disables collapsing of explicit
# JOIN clauses
#force_parallel_mode = off
#jit = on # allow JIT compilation
#plan_cache_mode = auto # auto, force_generic_plan or
# force_custom_plan
#------------------------------------------------------------------------------
# REPORTING AND LOGGING
#------------------------------------------------------------------------------
# - Where to Log -
#log_destination = 'stderr' # Valid values are combinations of
# stderr, csvlog, syslog, and eventlog,
# depending on platform. csvlog
# requires logging_collector to be on.
# This is used when logging to stderr:
#logging_collector = off # Enable capturing of stderr and csvlog
# into log files. Required to be on for
# csvlogs.
# (change requires restart)
# These are only used if logging_collector is on:
#log_directory = 'log' # directory where log files are written,
# can be absolute or relative to PGDATA
#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
# can include strftime() escapes
#log_file_mode = 0600 # creation mode for log files,
# begin with 0 to use octal notation
#log_truncate_on_rotation = off # If on, an existing log file with the
# same name as the new log file will be
# truncated rather than appended to.
# But such truncation only occurs on
# time-driven rotation, not on restarts
# or size-driven rotation. Default is
# off, meaning append to existing files
# in all cases.
#log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#log_rotation_size = 10MB # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
# These are relevant when logging to syslog:
#syslog_facility = 'LOCAL0'
#syslog_ident = 'postgres'
#syslog_sequence_numbers = on
#syslog_split_messages = on
# This is only relevant when logging to eventlog (win32):
# (change requires restart)
#event_source = 'PostgreSQL'
# - When to Log -
#log_min_messages = warning # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic
#log_min_error_statement = error # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic (effectively off)
#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
# and their durations, > 0 logs only
# statements running at least this number
# of milliseconds
#log_transaction_sample_rate = 0.0 # Fraction of transactions whose statements
# are logged regardless of their duration. 1.0 logs all
# statements from all transactions, 0.0 never logs.
# - What to Log -
#debug_print_parse = off
#debug_print_rewritten = off
#debug_print_plan = off
#debug_pretty_print = on
#log_checkpoints = off
#log_connections = off
#log_disconnections = off
#log_duration = off
#log_error_verbosity = default # terse, default, or verbose messages
#log_hostname = off
#log_line_prefix = '%m [%p] ' # special values:
# %a = application name
# %u = user name
# %d = database name
# %r = remote host and port
# %h = remote host
# %p = process ID
# %t = timestamp without milliseconds
# %m = timestamp with milliseconds
# %n = timestamp with milliseconds (as a Unix epoch)
# %i = command tag
# %e = SQL state
# %c = session ID
# %l = session line number
# %s = session start timestamp
# %v = virtual transaction ID
# %x = transaction ID (0 if none)
# %q = stop here in non-session
# processes
# %% = '%'
# e.g. '<%u%%%d> '
#log_lock_waits = off # log lock waits >= deadlock_timeout
#log_statement = 'none' # none, ddl, mod, all
#log_replication_commands = off
#log_temp_files = -1 # log temporary files equal or larger
# than the specified size in kilobytes;
# -1 disables, 0 logs all temp files
#log_timezone = 'GMT'
#------------------------------------------------------------------------------
# PROCESS TITLE
#------------------------------------------------------------------------------
#cluster_name = '' # added to process titles if nonempty
# (change requires restart)
#update_process_title = on
#------------------------------------------------------------------------------
# STATISTICS
#------------------------------------------------------------------------------
# - Query and Index Statistics Collector -
#track_activities = on
#track_counts = on
#track_io_timing = off
#track_functions = none # none, pl, all
#track_activity_query_size = 1024 # (change requires restart)
#stats_temp_directory = 'pg_stat_tmp'
# - Monitoring -
#log_parser_stats = off
#log_planner_stats = off
#log_executor_stats = off
#log_statement_stats = off
#------------------------------------------------------------------------------
# AUTOVACUUM
#------------------------------------------------------------------------------
#autovacuum = on # Enable autovacuum subprocess? 'on'
# requires track_counts to also be on.
#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
# their durations, > 0 logs only
# actions running at least this number
# of milliseconds.
#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
# (change requires restart)
#autovacuum_naptime = 1min # time between autovacuum runs
#autovacuum_vacuum_threshold = 50 # min number of row updates before
# vacuum
#autovacuum_analyze_threshold = 50 # min number of row updates before
# analyze
#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
# (change requires restart)
#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age
# before forced vacuum
# (change requires restart)
#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for
# autovacuum, in milliseconds;
# -1 means use vacuum_cost_delay
#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
# autovacuum, -1 means use
# vacuum_cost_limit
#------------------------------------------------------------------------------
# CLIENT CONNECTION DEFAULTS
#------------------------------------------------------------------------------
# - Statement Behavior -
#client_min_messages = notice # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# log
# notice
# warning
# error
#search_path = '"$user", public' # schema names
#row_security = on
#default_tablespace = '' # a tablespace name, '' uses the default
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
#default_table_access_method = 'heap'
#check_function_bodies = on
#default_transaction_isolation = 'read committed'
#default_transaction_read_only = off
#default_transaction_deferrable = off
#session_replication_role = 'origin'
#statement_timeout = 0 # in milliseconds, 0 is disabled
#lock_timeout = 0 # in milliseconds, 0 is disabled
#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
#vacuum_freeze_min_age = 50000000
#vacuum_freeze_table_age = 150000000
#vacuum_multixact_freeze_min_age = 5000000
#vacuum_multixact_freeze_table_age = 150000000
#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples
# before index cleanup, 0 always performs
# index cleanup
#bytea_output = 'hex' # hex, escape
#xmlbinary = 'base64'
#xmloption = 'content'
#gin_fuzzy_search_limit = 0
#gin_pending_list_limit = 4MB
# - Locale and Formatting -
#datestyle = 'iso, mdy'
#intervalstyle = 'postgres'
#timezone = 'GMT'
#timezone_abbreviations = 'Default' # Select the set of available time zone
# abbreviations. Currently, there are
# Default
# Australia (historical usage)
# India
# You can create your own file in
# share/timezonesets/.
#extra_float_digits = 1 # min -15, max 3; any value >0 actually
# selects precise output mode
#client_encoding = sql_ascii # actually, defaults to database
# encoding
# These settings are initialized by initdb, but they can be changed.
#lc_messages = 'C' # locale for system error message
# strings
#lc_monetary = 'C' # locale for monetary formatting
#lc_numeric = 'C' # locale for number formatting
#lc_time = 'C' # locale for time formatting
# default configuration for text search
#default_text_search_config = 'pg_catalog.simple'
# - Shared Library Preloading -
#shared_preload_libraries = '' # (change requires restart)
#local_preload_libraries = ''
#session_preload_libraries = ''
#jit_provider = 'llvmjit' # JIT library to use
# - Other Defaults -
#dynamic_library_path = '$libdir'
#------------------------------------------------------------------------------
# LOCK MANAGEMENT
#------------------------------------------------------------------------------
#deadlock_timeout = 1s
#max_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_relation = -2 # negative values mean
# (max_pred_locks_per_transaction
# / -max_pred_locks_per_relation) - 1
#max_pred_locks_per_page = 2 # min 0
#------------------------------------------------------------------------------
# VERSION AND PLATFORM COMPATIBILITY
#------------------------------------------------------------------------------
# - Previous PostgreSQL Versions -
#array_nulls = on
#backslash_quote = safe_encoding # on, off, or safe_encoding
#escape_string_warning = on
#lo_compat_privileges = off
#operator_precedence_warning = off
#quote_all_identifiers = off
#standard_conforming_strings = on
#synchronize_seqscans = on
# - Other Platforms and Clients -
#transform_null_equals = off
#------------------------------------------------------------------------------
# ERROR HANDLING
#------------------------------------------------------------------------------
#exit_on_error = off # terminate session on any error?
#restart_after_crash = on # reinitialize after backend crash?
#data_sync_retry = off # retry or panic on failure to fsync
# data?
# (change requires restart)
#------------------------------------------------------------------------------
# CONFIG FILE INCLUDES
#------------------------------------------------------------------------------
# These options allow settings to be loaded from files other than the
# default postgresql.conf. Note that these are directives, not variable
# assignments, so they can usefully be given more than once.
#include_dir = '...' # include files ending in '.conf' from
# a directory, e.g., 'conf.d'
#include_if_exists = '...' # include file only if it exists
#include = '...' # include file
#------------------------------------------------------------------------------
# CUSTOMIZED OPTIONS
#------------------------------------------------------------------------------
# Add settings for extensions here

44
molecule/quarkus_ha/prepare.yml Normal file
View File

@@ -0,0 +1,44 @@
---
- name: Prepare
hosts: keycloak
tasks:
- name: "Display hera_home if defined."
ansible.builtin.set_fact:
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- name: "Ensure common prepare phase are set."
ansible.builtin.include_tasks: ../prepare.yml
- name: Create certificate request
ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
delegate_to: localhost
changed_when: False
- name: Create vault directory
become: true
ansible.builtin.file:
state: directory
path: "/opt/keycloak/vault"
mode: 0755
- name: Make sure a jre is available (for keytool to prepare keystore)
delegate_to: localhost
ansible.builtin.package:
name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
state: present
become: true
failed_when: false
- name: Create vault keystore
ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
delegate_to: localhost
register: keytool_cmd
changed_when: False
failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
- name: Copy certificates and vault
become: true
ansible.builtin.copy:
src: keystore.p12
dest: /opt/keycloak/vault/keystore.p12
mode: 0444

1
molecule/quarkus_ha/roles Symbolic link
View File

@@ -0,0 +1 @@
../../roles

29
molecule/quarkus_ha/verify.yml Normal file
View File

@@ -0,0 +1,29 @@
---
- name: Verify
hosts: keycloak
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
- name: Check if keycloak service started
ansible.builtin.assert:
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"
- ansible_facts.services["keycloak.service"]["status"] == "enabled"
fail_msg: "Service not running"
- name: Set internal envvar
ansible.builtin.set_fact:
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- name: Check log file
become: true
ansible.builtin.stat:
path: /var/log/keycloak/keycloak.log
register: keycloak_log_file
- name: Check if keycloak file exists
ansible.builtin.assert:
that:
- keycloak_log_file.stat.exists
- not keycloak_log_file.stat.isdir

10
molecule/quarkus_upgrade/converge.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- name: Converge
hosts: all
vars_files:
- vars.yml
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_version: 24.0.3
roles:
- role: keycloak_quarkus

43
molecule/quarkus_upgrade/molecule.yml Normal file
View File

@@ -0,0 +1,43 @@
---
dependency:
name: galaxy
options:
requirements-file: molecule/requirements.yml
driver:
name: docker
platforms:
- name: instance
image: registry.access.redhat.com/ubi9/ubi-init:latest
command: "/usr/sbin/init"
pre_build_image: true
privileged: true
port_bindings:
- 8080:8080
published_ports:
- 0.0.0.0:8080:8080/TCP
provisioner:
name: ansible
playbooks:
prepare: prepare.yml
converge: converge.yml
verify: verify.yml
inventory:
host_vars:
localhost:
ansible_python_interpreter: "{{ ansible_playbook_python }}"
verifier:
name: ansible
scenario:
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- side_effect
- verify
- cleanup
- destroy

52
molecule/quarkus_upgrade/prepare.yml Normal file
View File

@@ -0,0 +1,52 @@
---
- name: Prepare
hosts: all
vars_files:
- vars.yml
vars:
sudo_pkg_name: sudo
keycloak_quarkus_version: 23.0.7
pre_tasks:
- name: Install sudo
ansible.builtin.apt:
name:
- sudo
- openjdk-17-jdk-headless
state: present
when:
- ansible_facts.os_family == 'Debian'
- name: "Ensure common prepare phase are set."
ansible.builtin.include_tasks: ../prepare.yml
- name: Display Ansible version
ansible.builtin.debug:
msg: "Ansible version is {{ ansible_version.full }}"
- name: "Ensure {{ sudo_pkg_name }} is installed (if user is root)."
ansible.builtin.dnf:
name: "{{ sudo_pkg_name }}"
when:
- ansible_user_id == 'root'
- name: Gather the package facts
ansible.builtin.package_facts:
manager: auto
- name: "Check if {{ sudo_pkg_name }} is installed."
ansible.builtin.assert:
that:
- sudo_pkg_name in ansible_facts.packages
- name: Create certificate request
ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
delegate_to: localhost
changed_when: false
roles:
- role: keycloak_quarkus
post_tasks:
- name: "Delete custom fact"
ansible.builtin.file:
path: /etc/ansible/facts.d/keycloak.fact
state: absent
become: true

1
molecule/quarkus_upgrade/roles Symbolic link
View File

@@ -0,0 +1 @@
../../roles

14
molecule/quarkus_upgrade/vars.yml Normal file
View File

@@ -0,0 +1,14 @@
---
keycloak_quarkus_offline_install: false
keycloak_quarkus_admin_password: "remembertochangeme"
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_quarkus_realm: TestRealm
keycloak_quarkus_host: instance
keycloak_quarkus_log: file
keycloak_quarkus_https_key_file_enabled: true
keycloak_quarkus_log_target: /tmp/keycloak
keycloak_quarkus_hostname_strict: false
keycloak_quarkus_cert_file_copy_enabled: true
keycloak_quarkus_key_file_copy_enabled: true
keycloak_quarkus_key_content: "{{ lookup('file', 'key.pem') }}"
keycloak_quarkus_cert_file_src: cert.pem

32
molecule/quarkus_upgrade/verify.yml Normal file
View File

@@ -0,0 +1,32 @@
---
- name: Verify
hosts: instance
vars:
keycloak_quarkus_admin_password: "remembertochangeme"
keycloak_quarkus_port: http://localhost:8080
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
- name: Check if keycloak service started
ansible.builtin.assert:
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"
- ansible_facts.services["keycloak.service"]["status"] == "enabled"
- name: Verify we are running on requested jvm
ansible.builtin.shell: |
set -eo pipefail
ps -ef | grep 'etc/alternatives/.*17' | grep -v grep
changed_when: false
- name: Verify token api call
ansible.builtin.uri:
url: "{{ keycloak_quarkus_port }}/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_admin_password }}&grant_type=password"
validate_certs: no
register: keycloak_auth_response
until: keycloak_auth_response.status == 200
retries: 2
delay: 2

5
requirements.txt
View File

@@ -1,6 +1,7 @@
#################################################
# python dependencies required to be installed
# python dependencies required to be installed
# on the controller host with:
# pip install -r requirements.txt
#
netaddr
netaddr
lxml # for middleware_automation.common.maven_artifact

1
requirements.yml
View File

@@ -1,4 +1,5 @@
---
collections:
- name: middleware_automation.common
version: ">=1.2.1"
- name: ansible.posix

10
roles/keycloak/meta/argument_specs.yml
View File

@@ -86,7 +86,9 @@ argument_specs:
type: "str"
keycloak_features:
default: "[]"
description: "List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]`"
description: >
List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`,
example: `[ { name: 'docker', status: 'enabled' } ]`
type: "list"
keycloak_bind_address:
default: "0.0.0.0"
@@ -310,7 +312,8 @@ argument_specs:
type: "str"
keycloak_jgroups_subnet:
required: false
description: "Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration"
description: >
Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration
type: "str"
keycloak_log_target:
default: '/var/log/keycloak'
@@ -323,7 +326,8 @@ argument_specs:
description: "Set a username with which to authenticate when downloading JDBC drivers from an alternative location"
type: "str"
keycloak_jdbc_download_pass:
description: "Set a password with which to authenticate when downloading JDBC drivers from an alternative location (requires keycloak_jdbc_download_user)"
description: >
Set a password with which to authenticate when downloading JDBC drivers from an alternative location (requires keycloak_jdbc_download_user)
type: "str"
keycloak_jdbc_download_validate_certs:
default: true

2
roles/keycloak/meta/main.yml
View File

@@ -12,7 +12,7 @@ galaxy_info:
license: Apache License 2.0
min_ansible_version: "2.14"
min_ansible_version: "2.15"
platforms:
- name: EL

9
roles/keycloak/tasks/fastpackages.yml
View File

@@ -8,17 +8,18 @@
- name: "Add missing packages to the yum install list"
ansible.builtin.set_fact:
packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | \
map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
when: ansible_facts.os_family == "RedHat"
- name: "Install packages: {{ packages_to_install }}"
become: true
ansible.builtin.yum:
ansible.builtin.dnf:
name: "{{ packages_to_install }}"
state: present
when:
- packages_to_install | default([]) | length > 0
- ansible_facts.os_family == "RedHat"
- packages_to_install | default([]) | length > 0
- ansible_facts.os_family == "RedHat"
- name: "Install packages: {{ packages_list }}"
become: true

24
roles/keycloak/tasks/install.yml
View File

@@ -41,8 +41,8 @@
ansible.builtin.user:
name: "{{ keycloak_service_user }}"
home: /opt/keycloak
system: yes
create_home: no
system: true
create_home: false
- name: "Create install location for {{ keycloak.service_name }}"
become: true
@@ -51,7 +51,7 @@
state: directory
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0750
mode: '0750'
- name: Create pidfile folder
become: true
@@ -60,7 +60,7 @@
state: directory
owner: "{{ keycloak_service_user if keycloak_service_runas else omit }}"
group: "{{ keycloak_service_group if keycloak_service_runas else omit }}"
mode: 0750
mode: '0750'
## check remote archive
- name: Set download archive path
@@ -84,7 +84,7 @@
ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
url: "{{ keycloak_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
mode: 0644
mode: '0644'
delegate_to: localhost
run_once: true
when:
@@ -136,7 +136,7 @@
ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
url: "{{ keycloak_rhsso_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
mode: 0644
mode: '0644'
delegate_to: localhost
run_once: true
when:
@@ -160,7 +160,7 @@
dest: "{{ archive }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0640
mode: '0640'
register: new_version_downloaded
when:
- not archive_path.stat.exists
@@ -221,7 +221,7 @@
dest: "{{ keycloak_config_path_to_standalone_xml }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0640
mode: '0640'
notify:
- restart keycloak
when: keycloak_config_override_template | length > 0
@@ -233,7 +233,7 @@
dest: "{{ keycloak_config_path_to_standalone_xml }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0640
mode: '0640'
notify:
- restart keycloak
when:
@@ -261,7 +261,7 @@
dest: "{{ keycloak_config_path_to_standalone_xml }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0640
mode: '0640'
notify:
- restart keycloak
when:
@@ -276,7 +276,7 @@
dest: "{{ keycloak_config_path_to_standalone_xml }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0640
mode: '0640'
notify:
- restart keycloak
when:
@@ -291,7 +291,7 @@
dest: "{{ keycloak_config_path_to_properties }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0640
mode: '0640'
notify:
- restart keycloak
when: keycloak_features | length > 0

11
roles/keycloak/tasks/jdbc_driver.yml
View File

@@ -12,7 +12,7 @@
recurse: true
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0750
mode: '0750'
become: true
when:
- not dest_path.stat.exists
@@ -20,8 +20,9 @@
ansible.builtin.fail:
msg: >-
When JDBC driver download credentials are set, both the username and the password MUST be set
when:
- (keycloak_jdbc_download_user is undefined and keycloak_jdbc_download_pass is not undefined) or (keycloak_jdbc_download_pass is undefined and keycloak_jdbc_download_user is not undefined)
when: >
(keycloak_jdbc_download_user is undefined and keycloak_jdbc_download_pass is not undefined) or
(keycloak_jdbc_download_pass is undefined and keycloak_jdbc_download_user is not undefined)
- name: "Retrieve JDBC Driver from {{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_url }}"
ansible.builtin.get_url:
@@ -32,7 +33,7 @@
url_username: "{{ keycloak_jdbc_download_user | default(omit) }}"
url_password: "{{ keycloak_jdbc_download_pass | default(omit) }}"
validate_certs: "{{ keycloak_jdbc_download_validate_certs | default(omit) }}"
mode: 0640
mode: '0640'
become: true
- name: "Deploy module.xml for JDBC Driver"
@@ -41,5 +42,5 @@
dest: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}/module.xml"
group: "{{ keycloak_service_group }}"
owner: "{{ keycloak_service_user }}"
mode: 0640
mode: '0640'
become: true

9
roles/keycloak/tasks/prereqs.yml
View File

@@ -4,13 +4,16 @@
that:
- keycloak_admin_password | length > 12
quiet: true
fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_admin_password variable to a 12+ char long string"
fail_msg: >
The console administrator password is empty or invalid. Please set the keycloak_admin_password variable to a 12+ char long string
success_msg: "{{ 'Console administrator password OK' }}"
- name: Validate configuration
ansible.builtin.assert:
that:
- (keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and not keycloak_db_enabled)
that: >
(keycloak_ha_enabled and keycloak_db_enabled) or
(not keycloak_ha_enabled and keycloak_db_enabled) or
(not keycloak_ha_enabled and not keycloak_db_enabled)
quiet: true
fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_ha_enabled and keycloak_db_enabled"
success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"

2
roles/keycloak/tasks/restart_keycloak.yml
View File

@@ -22,7 +22,7 @@
- name: "Restart and enable {{ keycloak.service_name }} service"
ansible.builtin.systemd:
name: keycloak
enabled: yes
enabled: true
state: restarted
become: true
when: inventory_hostname != ansible_play_hosts | first

2
roles/keycloak/tasks/rhsso_cli.yml
View File

@@ -10,4 +10,4 @@
ansible.builtin.command: >
{{ keycloak.cli_path }} --connect --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
changed_when: false
register: cli_result
register: cli_result

12
roles/keycloak/tasks/rhsso_patch.yml
View File

@@ -45,7 +45,7 @@
- name: Determine latest version
ansible.builtin.set_fact:
sso_latest_version: "{{ filtered_versions | middleware_automation.common.version_sort | last }}"
sso_latest_version: "{{ filtered_versions | middleware_automation.common.version_sort | last }}"
when: sso_patch_version is not defined or sso_patch_version | length == 0
delegate_to: localhost
run_once: true
@@ -95,7 +95,7 @@
dest: "{{ patch_archive }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0640
mode: '0640'
register: new_version_downloaded
when:
- not patch_archive_path.stat.exists
@@ -135,8 +135,8 @@
- cli_result.rc == 0
args:
apply:
become: true
become_user: "{{ keycloak_service_user }}"
become: true
become_user: "{{ keycloak_service_user }}"
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:
@@ -152,8 +152,8 @@
query: "patch info"
args:
apply:
become: true
become_user: "{{ keycloak_service_user }}"
become: true
become_user: "{{ keycloak_service_user }}"
- name: "Verify installed patch version"
ansible.builtin.assert:

6
roles/keycloak/tasks/systemd.yml
View File

@@ -6,7 +6,7 @@
dest: "{{ keycloak_dest }}/keycloak-service.sh"
owner: root
group: root
mode: 0755
mode: '0755'
notify:
- restart keycloak
@@ -17,7 +17,7 @@
dest: "{{ keycloak_sysconf_file }}"
owner: root
group: root
mode: 0644
mode: '0644'
notify:
- restart keycloak
@@ -27,7 +27,7 @@
dest: /etc/systemd/system/keycloak.service
owner: root
group: root
mode: 0644
mode: '0644'
become: true
register: systemdunit
notify:

5
roles/keycloak/vars/debian.yml
View File

@@ -6,6 +6,7 @@ keycloak_prereq_package_list:
- procps
- apt
- tzdata
keycloak_configure_iptables: True
keycloak_configure_iptables: true
keycloak_sysconf_file: /etc/default/keycloak
keycloak_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_varjvm_package | regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
keycloak_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_varjvm_package | \
regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"

14
roles/keycloak/vars/main.yml
View File

@@ -13,7 +13,8 @@ keycloak:
service_name: "{{ keycloak_service_name }}"
health_url: "{{ keycloak_management_url }}/health"
cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh"
config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 else 'standalone-ha.xml.j2' if keycloak_remote_cache_enabled else 'standalone.xml.j2' }}"
config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 \
else 'standalone-ha.xml.j2' if keycloak_remote_cache_enabled else 'standalone.xml.j2' }}"
features: "{{ keycloak_features }}"
# database
@@ -26,7 +27,8 @@ keycloak_jdbc:
driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/postgresql/main"
driver_version: "{{ keycloak_jdbc_driver_version }}"
driver_jar_filename: "postgresql-{{ keycloak_jdbc_driver_version }}.jar"
driver_jar_url: "https://repo.maven.apache.org/maven2/org/postgresql/postgresql/{{ keycloak_jdbc_driver_version }}/postgresql-{{ keycloak_jdbc_driver_version }}.jar"
driver_jar_url: >
{{ keycloak_maven_central }}org/postgresql/postgresql/{{ keycloak_jdbc_driver_version }}/postgresql-{{ keycloak_jdbc_driver_version }}.jar
connection_url: "{{ keycloak_jdbc_url }}"
db_user: "{{ keycloak_db_user }}"
db_password: "{{ keycloak_db_pass }}"
@@ -46,7 +48,8 @@ keycloak_jdbc:
driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/mariadb/main"
driver_version: "{{ keycloak_jdbc_driver_version }}"
driver_jar_filename: "mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar"
driver_jar_url: "https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/{{ keycloak_jdbc_driver_version }}/mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar"
driver_jar_url: >
{{ keycloak_maven_central }}org/mariadb/jdbc/mariadb-java-client/{{ keycloak_jdbc_driver_version }}/mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar
connection_url: "{{ keycloak_jdbc_url }}"
db_user: "{{ keycloak_db_user }}"
db_password: "{{ keycloak_db_pass }}"
@@ -67,7 +70,8 @@ keycloak_jdbc:
driver_module_dir: "{{ keycloak_jboss_home }}/modules/com/microsoft/sqlserver/main"
driver_version: "{{ keycloak_jdbc_driver_version }}"
driver_jar_filename: "mssql-java-client-{{ keycloak_jdbc_driver_version }}.jar"
driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/{{ keycloak_jdbc_driver_version }}.jre11/mssql-jdbc-{{ keycloak_jdbc_driver_version }}.jre11.jar" # e.g., https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar
driver_jar_url: >
{{ keycloak_maven_central }}com/microsoft/sqlserver/mssql-jdbc/{{ keycloak_jdbc_driver_version }}.jre11/mssql-jdbc-{{ keycloak_jdbc_driver_version }}.jre11.jar
connection_url: "{{ keycloak_jdbc_url }}"
db_user: "{{ keycloak_db_user }}"
db_password: "{{ keycloak_db_pass }}"
@@ -102,3 +106,5 @@ keycloak_remotecache:
use_ssl: "{{ keycloak_infinispan_use_ssl }}"
trust_store_path: "{{ keycloak_infinispan_trust_store_path }}"
trust_store_password: "{{ keycloak_infinispan_trust_store_password }}"
keycloak_maven_central: https://repo1.maven.org/maven2/

84
roles/keycloak_quarkus/README.md
View File

@@ -1,8 +1,30 @@
keycloak_quarkus
================
<!--start description -->
Install [keycloak](https://keycloak.org/) >= 20.0.0 (quarkus) server configurations.
<!--end description -->
Requirements
------------
This role requires the `python3-netaddr` and `lxml` library installed on the controller node.
* to install via yum/dnf: `dnf install python3-netaddr python3-lxml`
* to install via apt: `apt install python3-netaddr python3-lxml`
* or via the collection: `pip install -r requirements.txt`
Dependencies
------------
The roles depends on:
* [middleware_automation.common](https://github.com/ansible-middleware/common)
* [ansible-posix](https://docs.ansible.com/ansible/latest/collections/ansible/posix/index.html)
To install all the dependencies via galaxy:
ansible-galaxy collection install -r requirements.yml
Role Defaults
-------------
@@ -11,10 +33,11 @@ Role Defaults
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_version`| keycloak.org package version | `24.0.3` |
|`keycloak_quarkus_version`| keycloak.org package version | `24.0.4` |
|`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
|`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
|`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
|`keycloak_quarkus_download_path`| Path local to controller for offline/download of install archives | `{{ lookup('env', 'PWD') }}` |
#### Service configuration
@@ -38,11 +61,13 @@ Role Defaults
|`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
|`keycloak_quarkus_java_heap_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` |
|`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak |
|`keycloak_quarkus_java_opts`| JVM arguments; if overriden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` |
|`keycloak_quarkus_java_opts`| JVM arguments; if overridden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` |
|`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file | `[]` |
|`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | |
|`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
|`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
|`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
|`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically | `realms/master/.well-known/openid-configuration` |
|`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
|`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` |
|`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` |
@@ -74,9 +99,15 @@ Role Defaults
|`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` |
|`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` |
|`keycloak_quarkus_systemd_wait_for_port` | Whether systemd unit should wait for keycloak port before returning | `{{ keycloak_quarkus_ha_enabled }}` |
|`keycloak_quarkus_systemd_wait_for_port_number`| Which port the systemd unit should wait for | `{{ keycloak_quarkus_https_port }}` |
|`keycloak_quarkus_systemd_wait_for_log` | Whether systemd unit should wait for service to be up in logs | `false` |
|`keycloak_quarkus_systemd_wait_for_timeout`| How long to wait for service to be alive (seconds) | `60` |
|`keycloak_quarkus_systemd_wait_for_delay`| Activation delay for service systemd unit (seconds) | `10` |
|`keycloak_quarkus_restart_strategy`| Strategy task file for restarting in HA (one of provided restart/['serial.yml','none.yml','serial_then_parallel.yml']) or path to file when providing custom strategy | `restart/serial.yml` |
|`keycloak_quarkus_restart_health_check`| Whether to wait for successful health check after restart | `true` |
|`keycloak_quarkus_restart_health_check_delay`| Seconds to let pass before starting healch checks | `10` |
|`keycloak_quarkus_restart_health_check_reries`| Number of attempts for successful health check before failing | `25` |
|`keycloak_quarkus_restart_pause`| Seconds to wait between restarts in HA strategy | `15` |
#### Hostname configuration
@@ -138,6 +169,7 @@ Role Defaults
|`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` |
|`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` |
|`keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route`| If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy | `True` |
|`keycloak_quarkus_show_deprecation_warnings`| Whether deprecation warnings should be shown | `True` |
#### Vault SPI
@@ -155,15 +187,29 @@ Role Defaults
|:---------|:------------|:--------|
|`keycloak_quarkus_providers`| List of provider definitions; see below | `[]` |
Providers support different sources:
* `url`: http download for providers not requiring authentication
* `maven`: maven download for providers hosted publicly on Apache Maven Central or private Maven repositories like Github Maven requiring authentication
* `local_path`: static providers to be uploaded
Provider definition:
```yaml
keycloak_quarkus_providers:
- id: http-client # required
spi: connections # required if url is not specified
- id: http-client # required; "{{ id }}.jar" identifies the file name on RHBK
spi: connections # required if neither url, local_path nor maven are specified; required for setting properties
default: true # optional, whether to set default for spi, default false
restart: true # optional, whether to restart, default true
url: https://.../.../custom_spi.jar # optional, url for download
url: https://.../.../custom_spi.jar # optional, url for download via http
local_path: my_theme_spi.jar # optional, path on local controller for SPI to be uploaded
maven: # optional, for download using maven
repository_url: https://maven.pkg.github.com/OWNER/REPOSITORY # optional, maven repo url
group_id: my.group # optional, maven group id
artifact_id: artifact # optional, maven artifact id
version: 24.0.4 # optional, defaults to latest
username: user # optional, cf. https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry#authenticating-to-github-packages
password: pat # optional, provide a PAT for accessing Github's Apache Maven registry
properties: # optional, list of key-values
- key: default-connection-pool-size
value: 10
@@ -176,6 +222,22 @@ bin/kc.sh build --spi-connections-provider=http-client --spi-connections-http-cl
```
#### Configuring policies
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_policies`| List of policy definitions; see below | `[]` |
Provider definition:
```yaml
keycloak_quarkus_policies:
- name: xato-net-10-million-passwords.txt # required, resulting file name
url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt # required, url for download
type: password-blacklists # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`]
```
Role Variables
--------------
@@ -185,6 +247,16 @@ Role Variables
|`keycloak_quarkus_frontend_url`| Base URL for frontend URLs, including scheme, host, port and path | `no` |
|`keycloak_quarkus_admin_url`| Base URL for accessing the administration console, including scheme, host, port and path | `no` |
|`keycloak_quarkus_ks_vault_pass`| The password for accessing the keystore vault SPI | `no` |
|`keycloak_quarkus_alternate_download_url`| Alternate location with optional authentication for downloading RHBK | `no` |
|`keycloak_quarkus_download_user`| Optional username for http authentication | `no*` |
|`keycloak_quarkus_download_pass`| Optional password for http authentication | `no*` |
|`keycloak_quarkus_download_validate_certs`| Whether to validate certs for URL `keycloak_quarkus_alternate_download_url` | `no` |
|`keycloak_quarkus_jdbc_download_user`| Optional username for http authentication | `no*` |
|`keycloak_quarkus_jdbc_download_pass`| Optional password for http authentication | `no*` |
|`keycloak_quarkus_jdbc_download_validate_certs`| Whether to validate certs for URL `keycloak_quarkus_download_validate_certs` | `no` |
`*` username/password authentication credentials must be both declared or both undefined
Role custom facts
-----------------

27
roles/keycloak_quarkus/defaults/main.yml
View File

@@ -1,6 +1,6 @@
---
### Configuration specific to keycloak
keycloak_quarkus_version: 24.0.3
keycloak_quarkus_version: 24.0.4
keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
@@ -8,11 +8,14 @@ keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_q
# whether to install from local archive
keycloak_quarkus_offline_install: false
keycloak_quarkus_show_deprecation_warnings: true
### Install location and service settings
keycloak_quarkus_java_home:
keycloak_quarkus_dest: /opt/keycloak
keycloak_quarkus_home: "{{ keycloak_quarkus_installdir }}"
keycloak_quarkus_config_dir: "{{ keycloak_quarkus_home }}/conf"
keycloak_quarkus_download_path: "{{ lookup('env', 'PWD') }}"
keycloak_quarkus_start_dev: false
keycloak_quarkus_service_user: keycloak
keycloak_quarkus_service_group: keycloak
@@ -44,6 +47,7 @@ keycloak_quarkus_java_jvm_opts: "-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m
-Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4
-XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512"
keycloak_quarkus_java_opts: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}"
keycloak_quarkus_additional_env_vars: []
### TLS/HTTPS configuration
keycloak_quarkus_https_key_file_enabled: false
@@ -71,6 +75,7 @@ keycloak_quarkus_ha_discovery: "TCPPING"
### Enable database configuration, must be enabled when HA is configured
keycloak_quarkus_db_enabled: "{{ keycloak_quarkus_ha_enabled }}"
keycloak_quarkus_systemd_wait_for_port: "{{ keycloak_quarkus_ha_enabled }}"
keycloak_quarkus_systemd_wait_for_port_number: "{{ keycloak_quarkus_https_port }}"
keycloak_quarkus_systemd_wait_for_log: false
keycloak_quarkus_systemd_wait_for_timeout: 60
keycloak_quarkus_systemd_wait_for_delay: 10
@@ -90,7 +95,10 @@ keycloak_quarkus_hostname_strict: true
# If all applications use the public URL this option should be enabled.
keycloak_quarkus_hostname_strict_backchannel: false
# proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
# The proxy headers that should be accepted by the server. ['', 'forwarded', 'xforwarded']
keycloak_quarkus_proxy_headers: ""
# deprecated: proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
keycloak_quarkus_proxy_mode: edge
# disable xa transactions
@@ -130,9 +138,9 @@ keycloak_quarkus_default_jdbc:
version: 2.7.4
mssql:
url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
version: 12.2.0
driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar"
# cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/22.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver
version: 12.4.2
driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.4.2.jre11/mssql-jdbc-12.4.2.jre11.jar"
# cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/24.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver
### logging configuration
keycloak_quarkus_log: file
keycloak_quarkus_log_level: info
@@ -150,3 +158,12 @@ keycloak_quarkus_ks_vault_type: PKCS12
keycloak_quarkus_ks_vault_pass:
keycloak_quarkus_providers: []
keycloak_quarkus_policies: []
keycloak_quarkus_supported_policy_types: ['password-blacklists']
# files in restart directory (one of [ 'serial', 'none', 'serial_then_parallel' ]), or path to file when providing custom strategy
keycloak_quarkus_restart_strategy: restart/serial.yml
keycloak_quarkus_restart_health_check: true
keycloak_quarkus_restart_health_check_delay: 10
keycloak_quarkus_restart_health_check_reries: 25
keycloak_quarkus_restart_pause: 15

7
roles/keycloak_quarkus/handlers/main.yml
View File

@@ -7,11 +7,12 @@
ansible.builtin.include_tasks: bootstrapped.yml
listen: bootstrapped
- name: "Restart {{ keycloak.service_name }}"
ansible.builtin.include_tasks: restart.yml
ansible.builtin.include_tasks:
file: "{{ keycloak_quarkus_restart_strategy if keycloak_quarkus_ha_enabled else 'restart.yml' }}"
listen: "restart keycloak"
- name: "Print deprecation warning"
- name: "Display deprecation warning"
ansible.builtin.fail:
msg: "Deprecation warning: you are using the deprecated variable '{{ deprecated_variable | d('NotSet') }}', check docs on how to upgrade."
ignore_errors: true
failed_when: false
changed_when: true
listen: "print deprecation warning"

76
roles/keycloak_quarkus/meta/argument_specs.yml
View File

@@ -2,7 +2,7 @@ argument_specs:
main:
options:
keycloak_quarkus_version:
default: "24.0.3"
default: "24.0.4"
description: "keycloak.org package version"
type: "str"
keycloak_quarkus_archive:
@@ -56,15 +56,15 @@ argument_specs:
default: false
description: "Ensure firewalld is running and configure keycloak ports"
type: "bool"
keycloak_service_restart_always:
keycloak_quarkus_service_restart_always:
default: false
description: "systemd restart always behavior of service; takes precedence over keycloak_service_restart_on_failure if true"
type: "bool"
keycloak_service_restart_on_failure:
keycloak_quarkus_service_restart_on_failure:
default: false
description: "systemd restart on-failure behavior of service"
type: "bool"
keycloak_service_restartsec:
keycloak_quarkus_service_restartsec:
default: "10s"
description: "systemd RestartSec for service"
type: "str"
@@ -104,6 +104,10 @@ argument_specs:
default: 8080
description: "HTTP port"
type: "int"
keycloak_quarkus_health_check_url_path:
default: "realms/master/.well-known/openid-configuration"
description: "Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically"
type: "str"
keycloak_quarkus_https_key_file_enabled:
default: false
description: "Enable configuration of HTTPS via files in PEM format"
@@ -170,7 +174,9 @@ argument_specs:
type: "str"
keycloak_quarkus_config_key_store_password:
default: ""
description: "Password of the configuration key store; if non-empty, `keycloak_quarkus_db_pass` will be saved to the key store at `keycloak_quarkus_config_key_store_file` (instead of being written to the configuration file in clear text"
description: >
Password of the configuration key store; if non-empty, `keycloak_quarkus_db_pass` will be saved to the key store
at `keycloak_quarkus_config_key_store_file` (instead of being written to the configuration file in clear text)
type: "str"
keycloak_quarkus_https_port:
default: 8443
@@ -199,6 +205,10 @@ argument_specs:
default: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}"
description: "JVM arguments, by default heap_opts + jvm_opts, if overriden it takes precedence over them"
type: "str"
keycloak_quarkus_additional_env_vars:
default: "[]"
description: "List of additional env variables of { key: str, value: str} to be put in sysconfig file"
type: "list"
keycloak_quarkus_ha_enabled:
default: false
description: "Enable auto configuration for database backend, clustering and remote caches on infinispan"
@@ -376,6 +386,10 @@ argument_specs:
description: 'Whether systemd unit should wait for keycloak port before returning'
default: "{{ keycloak_quarkus_ha_enabled }}"
type: "bool"
keycloak_quarkus_systemd_wait_for_port_number:
default: "{{ keycloak_quarkus_https_port }}"
description: "The port the systemd unit should wait for, by default the https port"
type: "int"
keycloak_quarkus_systemd_wait_for_log:
description: 'Whether systemd unit should wait for service to be up in logs'
default: false
@@ -389,7 +403,21 @@ argument_specs:
default: 10
type: 'int'
keycloak_quarkus_providers:
description: "List of provider definition dicts: { 'id': str, 'spi': str, 'url': str, 'default': bool, 'properties': list of key/value }"
description: >
List of provider definition dicts: { 'id': str, 'spi': str, 'url': str, 'local_path': str,
'maven': {
'repository_url': str, 'group_id': str, 'artifact_id': str, 'version': str, 'username': str, optional, 'password': str, optional
},
'default': bool,
'properties': list of key/value }
default: []
type: "list"
keycloak_quarkus_supported_policy_types:
description: "List of str of supported policy types"
default: ['password-blacklists']
type: "list"
keycloak_quarkus_policies:
description: "List of policy definition dicts: { 'name': str, 'url': str, 'type': str }"
default: []
type: "list"
keycloak_quarkus_jdbc_download_url:
@@ -399,16 +427,48 @@ argument_specs:
description: "Set a username with which to authenticate when downloading JDBC drivers from an alternative location"
type: "str"
keycloak_quarkus_jdbc_download_pass:
description: "Set a password with which to authenticate when downloading JDBC drivers from an alternative location (requires keycloak_quarkus_jdbc_download_user)"
description: >
Set a password with which to authenticate when downloading JDBC drivers from an alternative location
(requires `keycloak_quarkus_jdbc_download_user``)
type: "str"
keycloak_quarkus_jdbc_download_validate_certs:
default: true
description: "Allow the option to ignore invalid certificates when downloading JDBC drivers from a custom URL"
type: "bool"
keycloak_quarkus_restart_health_check:
default: true
description: "Whether to wait for successful health check after restart"
type: "bool"
keycloak_quarkus_restart_strategy:
description: >
Strategy task file for restarting in HA, one of restart/[ 'serial', 'none', 'serial_then_parallel' ].yml, or path to
file when providing custom strategy; when keycloak_quarkus_ha_enabled and keycloak_quarkus_restart_health_check == true
default: "restart/serial.yml"
type: "str"
keycloak_quarkus_restart_pause:
description: "Seconds to wait between restarts in HA strategy"
default: 15
type: int
keycloak_quarkus_restart_health_check_delay:
description: "Seconds to let pass before starting healch checks"
default: 10
type: 'int'
keycloak_quarkus_restart_health_check_reries:
description: "Number of attempts for successful health check before failing"
default: 25
type: 'int'
keycloak_quarkus_show_deprecation_warnings:
default: true
description: "Whether or not deprecation warnings should be shown"
type: "bool"
keycloak_quarkus_download_path:
description: "Path local to controller for offline/download of install archives"
default: "{{ lookup('env', 'PWD') }}"
type: "str"
downstream:
options:
rhbk_version:
default: "22.0.10"
default: "24.0.3"
description: "Red Hat Build of Keycloak version"
type: "str"
rhbk_archive:

2
roles/keycloak_quarkus/meta/main.yml
View File

@@ -8,7 +8,7 @@ galaxy_info:
license: Apache License 2.0
min_ansible_version: "2.14"
min_ansible_version: "2.15"
platforms:
- name: EL

4
roles/keycloak_quarkus/tasks/bootstrapped.yml
View File

@@ -1,5 +1,5 @@
---
- name: Write ansible custom facts
- name: Save ansible custom facts
become: true
ansible.builtin.template:
src: keycloak.fact.j2
@@ -8,7 +8,7 @@
vars:
bootstrapped: true
- name: Re-read custom facts
- name: Refresh custom facts
ansible.builtin.setup:
filter: ansible_local

6
roles/keycloak_quarkus/tasks/config_store.yml
View File

@@ -8,7 +8,7 @@
- name: "Initialize empty configuration key store"
become: true
# keytool doesn't allow creating an empty key store, so this is a hacky way around it
ansible.builtin.shell: |
ansible.builtin.shell: | # noqa blocked_modules shell is necessary here
set -o nounset # abort on unbound variable
set -o pipefail # do not hide errors within pipes
set -o errexit # abort on nonzero exit status
@@ -19,7 +19,7 @@
creates: "{{ keycloak_quarkus_config_key_store_file }}"
- name: "Set configuration key store using keytool"
ansible.builtin.shell: |
ansible.builtin.shell: | # noqa blocked_modules shell is necessary here
set -o nounset # abort on unbound variable
set -o pipefail # do not hide errors within pipes
@@ -36,7 +36,7 @@
fi
echo {{ item.value | quote }} | keytool -noprompt -importpass -alias {{ item.key | quote }} -keystore {{ keycloak_quarkus_config_key_store_file | quote }} -storepass {{ keycloak_quarkus_config_key_store_password | quote }} -storetype PKCS12
with_items: "{{ store_items }}"
loop: "{{ store_items }}"
no_log: true
become: true
changed_when: true

21
roles/keycloak_quarkus/tasks/deprecations.yml
View File

@@ -10,7 +10,7 @@
- keycloak_quarkus_key_store_file is defined
- keycloak_quarkus_key_store_file != ''
- keycloak_quarkus_https_key_store_file == keycloak.home + "/conf/key_store.p12" # default value
changed_when: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_https_key_store_file: "{{ keycloak_quarkus_key_store_file }}"
deprecated_variable: "keycloak_quarkus_key_store_file" # read in deprecation handler
@@ -25,7 +25,7 @@
- keycloak_quarkus_key_store_password is defined
- keycloak_quarkus_key_store_password != ''
- keycloak_quarkus_https_key_store_password == "" # default value
changed_when: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_https_key_store_password: "{{ keycloak_quarkus_key_store_password }}"
deprecated_variable: "keycloak_quarkus_key_store_password" # read in deprecation handler
@@ -34,3 +34,20 @@
- name: Flush handlers
ansible.builtin.meta: flush_handlers
# https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/24.0/html-single/upgrading_guide/index#deprecated_literal_proxy_literal_option
- name: Check deprecation of keycloak_quarkus_proxy_mode
when:
- keycloak_quarkus_proxy_mode is defined
- keycloak_quarkus_proxy_headers is defined and keycloak_quarkus_proxy_headers | length == 0
- keycloak_quarkus_version.split('.') | first | int >= 24
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
deprecated_variable: "keycloak_quarkus_proxy_mode" # read in deprecation handler
notify:
- print deprecation warning
- name: Flush handlers
ansible.builtin.meta: flush_handlers

97
roles/keycloak_quarkus/tasks/install.yml
View File

@@ -8,6 +8,7 @@
- keycloak_quarkus_archive is defined
- keycloak_quarkus_download_url is defined
- keycloak_quarkus_version is defined
- local_path is defined
quiet: true
- name: Check for an existing deployment
@@ -52,14 +53,6 @@
register: archive_path
## download to controller
- name: Check local download archive path
ansible.builtin.stat:
path: "{{ lookup('env', 'PWD') }}"
register: local_path
delegate_to: localhost
run_once: true
become: false
- name: Download keycloak archive
ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
url: "{{ keycloak_quarkus_download_url }}"
@@ -110,12 +103,30 @@
product_id: "{{ (rhn_filtered_products | first).id }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
mode: '0640'
owner: "{{ lookup('env', 'USER') | default(omit) }}"
no_log: "{{ omit_rhn_output | default(true) }}"
delegate_to: localhost
run_once: true
become: false
- name: Perform download of RHBK from alternate download location
delegate_to: localhost
run_once: true
become: false
when:
- archive_path is defined
- archive_path.stat is defined
- not archive_path.stat.exists
- rhbk_enable is defined and rhbk_enable
- not keycloak.offline_install
- keycloak_quarkus_alternate_download_url is defined
ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
url: "{{ keycloak_quarkus_alternate_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
mode: '0640'
url_username: "{{ keycloak_quarkus_download_user | default(omit) }}"
url_password: "{{ keycloak_quarkus_download_pass | default(omit) }}"
validate_certs: "{{ keycloak_quarkus_download_validate_certs | default(omit) }}"
- name: Check downloaded archive
ansible.builtin.stat:
path: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
@@ -171,7 +182,7 @@
dest: "{{ keycloak_quarkus_key_file }}"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0640
mode: '0640'
become: true
when:
- keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
@@ -184,7 +195,7 @@
dest: "{{ keycloak_quarkus_cert_file }}"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0644
mode: '0644'
become: true
when:
- keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
@@ -197,7 +208,7 @@
- rhbk_enable is defined and rhbk_enable
- keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url is defined
- name: "Download custom providers"
- name: "Download custom providers via http"
ansible.builtin.get_url:
url: "{{ item.url }}"
dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar"
@@ -208,3 +219,65 @@
loop: "{{ keycloak_quarkus_providers }}"
when: item.url is defined and item.url | length > 0
notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}"
# this requires the `lxml` package to be installed; we redirect this step to localhost such that we do need to install it on the remote hosts
- name: "Download custom providers to localhost using maven"
middleware_automation.common.maven_artifact:
repository_url: "{{ item.maven.repository_url }}"
group_id: "{{ item.maven.group_id }}"
artifact_id: "{{ item.maven.artifact_id }}"
version: "{{ item.maven.version | default(omit) }}"
username: "{{ item.maven.username | default(omit) }}"
password: "{{ item.maven.password | default(omit) }}"
dest: "{{ local_path.stat.path }}/{{ item.id }}.jar"
delegate_to: "localhost"
run_once: true
loop: "{{ keycloak_quarkus_providers }}"
when: item.maven is defined
no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}"
notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}"
- name: "Copy maven providers"
ansible.builtin.copy:
src: "{{ local_path.stat.path }}/{{ item.id }}.jar"
dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0640'
become: true
loop: "{{ keycloak_quarkus_providers }}"
when: item.maven is defined
no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}"
- name: "Copy providers"
ansible.builtin.copy:
src: "{{ item.local_path }}"
dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0640'
become: true
loop: "{{ keycloak_quarkus_providers }}"
when: item.local_path is defined
- name: Ensure required folder structure for policies exists
ansible.builtin.file:
path: "{{ keycloak.home }}/data/{{ item | lower }}"
state: directory
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0750'
become: true
loop: "{{ keycloak_quarkus_supported_policy_types }}"
- name: "Install custom policies"
ansible.builtin.get_url:
url: "{{ item.url }}"
dest: "{{ keycloak.home }}/data/{{ item.type | default(keycloak_quarkus_supported_policy_types | first) | lower }}/{{ item.name }}"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0640'
become: true
loop: "{{ keycloak_quarkus_policies }}"
when: item.url is defined and item.url | length > 0
notify: "restart keycloak"

8
roles/keycloak_quarkus/tasks/jdbc_driver.yml
View File

@@ -3,9 +3,11 @@
ansible.builtin.fail:
msg: >-
When JDBC driver download credentials are set, both the username and the password MUST be set
when:
- (keycloak_quarkus_jdbc_download_user is undefined and keycloak_quarkus_jdbc_download_pass is not undefined) or (keycloak_quarkus_jdbc_download_pass is undefined and keycloak_quarkus_jdbc_download_user is not undefined)
- name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_user | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
when: >
(keycloak_quarkus_jdbc_download_user is undefined and keycloak_quarkus_jdbc_download_pass is not undefined) or
(keycloak_quarkus_jdbc_download_pass is undefined and keycloak_quarkus_jdbc_download_user is not undefined)
- name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
ansible.builtin.get_url:
url: "{{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
dest: "{{ keycloak.home }}/providers"

2
roles/keycloak_quarkus/tasks/main.yml
View File

@@ -91,7 +91,7 @@
register: keycloak_service_status
changed_when: false
- name: "Trigger bootstrapped notification: remove `keycloak_quarkus_admin_user[_pass]` env vars"
- name: "Notify to remove `keycloak_quarkus_admin_user[_pass]` env vars"
when:
- not ansible_local.keycloak.general.bootstrapped | default(false) | bool # it was not bootstrapped prior to the current role's execution
- keycloak_service_status.status.ActiveState == "active" # but it is now

85
roles/keycloak_quarkus/tasks/prereqs.yml
View File

@@ -43,10 +43,50 @@
vars:
packages_list: "{{ keycloak_quarkus_prereq_package_list }}"
- name: Check local download archive path
ansible.builtin.stat:
path: "{{ keycloak_quarkus_download_path }}"
register: local_path
delegate_to: localhost
run_once: true
become: false
- name: Validate local download path
ansible.builtin.assert:
that:
- local_path.stat.exists
- local_path.stat.readable
- keycloak_quarkus_offline_install or local_path.stat.writeable
quiet: true
fail_msg: "Defined controller path for downloading resources is incorrect or unreadable: {{ keycloak_quarkus_download_path }}"
success_msg: "Will download resource to controller path: {{ keycloak_quarkus_download_path }}"
delegate_to: localhost
run_once: true
- name: Check downloaded archive if offline
ansible.builtin.stat:
path: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
when: keycloak_quarkus_offline_install
register: local_archive_path_check
delegate_to: localhost
run_once: true
- name: Validate local downloaded archive if offline
ansible.builtin.assert:
that:
- local_archive_path_check.stat.exists
- local_archive_path_check.stat.readable
quiet: true
fail_msg: "Configured for offline install but install archive not found at: {{ local_path.stat.path }}/{{ keycloak.bundle }}"
success_msg: "Will install offline with expected archive: {{ local_path.stat.path }}/{{ keycloak.bundle }}"
when: keycloak_quarkus_offline_install
delegate_to: localhost
run_once: true
- name: "Validate keytool"
when: keycloak_quarkus_config_key_store_password | length > 0
block:
- name: "Attempt to run keytool"
- name: "Check run keytool"
changed_when: false
ansible.builtin.command: keytool -help
register: keytool_check
@@ -59,9 +99,44 @@
- name: "Validate providers"
ansible.builtin.assert:
that:
- item.id is defined and item.id | length > 0
- (item.spi is defined and item.spi | length > 0) or (item.url is defined and item.url | length > 0)
that: >
item.id is defined and item.id | length > 0 and
( (item.spi is defined and item.spi | length > 0) or
(item.url is defined and item.url | length > 0) or
( item.maven is defined and item.maven.repository_url is defined and item.maven.repository_url | length > 0 and
item.maven.group_id is defined and item.maven.group_id | length > 0 and
item.maven.artifact_id is defined and item.maven.artifact_id | length > 0) or
(item.local_path is defined and item.local_path | length > 0)
)
quiet: true
fail_msg: "Providers definition is incorrect; `id` and one of `spi` or `url` are mandatory. `key` and `value` are mandatory for each property"
fail_msg: >
Providers definition incorrect; `id` and one of `spi`, `url`, `local_path`, or `maven` are mandatory. `key` and `value` are mandatory for each property
loop: "{{ keycloak_quarkus_providers }}"
- name: "Validate policies"
ansible.builtin.assert:
that:
- item.name is defined and item.name | length > 0
- item.url is defined and item.url | length > 0
- item.type is not defined or item.type | lower in keycloak_quarkus_supported_policy_types
quiet: true
fail_msg: >
Policy definition is incorrect: `name` and one of `url` are mandatory, `type` needs to be left empty or one of {{ keycloak_quarkus_supported_policy_types }}.
loop: "{{ keycloak_quarkus_policies }}"
- name: "Validate additional env variables"
ansible.builtin.assert:
that:
- item.key is defined and item.key | length > 0
- item.value is defined and item.value | length > 0
quiet: true
fail_msg: "Additional env variable definition is incorrect: `key` and `value` are mandatory."
no_log: true
loop: "{{ keycloak_quarkus_additional_env_vars }}"
- name: "Validate proxy-headers"
ansible.builtin.assert:
that:
- keycloak_quarkus_proxy_headers | lower in ['', 'forwarded', 'xforwarded']
quiet: true
fail_msg: "keycloak_quarkus_proxy_headers must be either '', 'forwarded' or 'xforwarded'"

5
roles/keycloak_quarkus/tasks/rebuild_config.yml
View File

@@ -1,7 +1,10 @@
---
# cf. https://www.keycloak.org/server/configuration#_optimize_the_keycloak_startup
- name: "Rebuild {{ keycloak.service_name }} config"
ansible.builtin.shell: |
ansible.builtin.shell: | # noqa blocked_modules shell is necessary here
{{ keycloak.home }}/bin/kc.sh build
environment:
PATH: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
JAVA_HOME: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}"
become: true
changed_when: true

18
roles/keycloak_quarkus/tasks/restart.yml
View File

@@ -1,9 +1,23 @@
---
- name: "Restart and enable {{ keycloak.service_name }} service"
throttle: 1
ansible.builtin.systemd:
name: keycloak
name: "{{ keycloak.service_name }}"
enabled: true
state: restarted
daemon_reload: true
become: true
- name: "Wait until {{ keycloak.service_name }} service becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:
url: "{{ keycloak.health_url }}"
register: keycloak_status
until: keycloak_status.status == 200
retries: "{{ keycloak_quarkus_restart_health_check_reries }}"
delay: "{{ keycloak_quarkus_restart_health_check_delay }}"
when: internal_force_health_check | default(keycloak_quarkus_restart_health_check)
- name: Wait to give distributed ispn caches time to (re-)replicate back onto first host
ansible.builtin.pause:
seconds: "{{ keycloak_quarkus_restart_pause }}"
when:
- keycloak_quarkus_ha_enabled

4
roles/keycloak_quarkus/tasks/restart/none.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: "Display message"
ansible.builtin.debug:
msg: "keycloak_quarkus_restart_strategy is none, skipping restart"

11
roles/keycloak_quarkus/tasks/restart/serial.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: "Restart services in serial, with optional healtch check (keycloak_quarkus_restart_health_check)"
throttle: 1
block:
- name: "Restart and enable {{ keycloak.service_name }} service on {{ item }}"
ansible.builtin.include_tasks:
file: restart.yml
apply:
delegate_to: "{{ item }}"
run_once: true
loop: "{{ ansible_play_hosts }}"

20
roles/keycloak_quarkus/tasks/restart/serial_then_parallel.yml Normal file
View File

@@ -0,0 +1,20 @@
---
- name: Verify first restarted service with health URL, then rest restart in parallel
block:
- name: "Restart and enable {{ keycloak.service_name }} service on initial host"
ansible.builtin.include_tasks:
file: restart.yml
apply:
delegate_to: "{{ ansible_play_hosts | first }}"
run_once: true
vars:
internal_force_health_check: true
- name: "Restart and enable {{ keycloak.service_name }} service on other hosts"
ansible.builtin.systemd:
name: "{{ keycloak.service_name }}"
enabled: true
state: restarted
daemon_reload: true
become: true
when: inventory_hostname != ansible_play_hosts | first

5
roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
View File

@@ -8,3 +8,8 @@ KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'
PATH={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
JAVA_HOME={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}
JAVA_OPTS={{ keycloak_quarkus_java_opts }}
# Custom ENV variables
{% for env in keycloak_quarkus_additional_env_vars %}
{{ env.key }}={{ env.value }}
{% endfor %}

8
roles/keycloak_quarkus/templates/keycloak.conf.j2
View File

@@ -69,14 +69,12 @@ cache-config-file=cache-ispn.xml
{% endif %}
{% endif %}
{% if keycloak_quarkus_proxy_mode is defined and keycloak_quarkus_proxy_mode != "none" %}
{% if keycloak_quarkus_proxy_headers | length > 0 %}
proxy-headers={{ keycloak_quarkus_proxy_headers | lower }}
{% elif keycloak_quarkus_proxy_mode is defined and keycloak_quarkus_proxy_mode != "none" %}
# Deprecated Proxy configuration
proxy={{ keycloak_quarkus_proxy_mode }}
{% endif %}
{% if keycloak_quarkus_proxy_headers is defined and keycloak_quarkus_proxy_headers != "none" %}
# Proxy
proxy-headers={{ keycloak_quarkus_proxy_headers }}
{% endif %}
spi-sticky-session-encoder-infinispan-should-attach-route={{ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route | d(true) | lower }}

2
roles/keycloak_quarkus/templates/keycloak.service.j2
View File

@@ -23,7 +23,7 @@ RestartSec={{ keycloak_quarkus_service_restartsec }}
AmbientCapabilities=CAP_NET_BIND_SERVICE
{% endif %}
{% if keycloak_quarkus_systemd_wait_for_port %}
ExecStartPost=/usr/bin/timeout {{ keycloak_quarkus_systemd_wait_for_timeout }} sh -c 'while ! ss -H -t -l -n sport = :{{ keycloak_quarkus_https_port }} | grep -q "^LISTEN.*:{{ keycloak_quarkus_https_port }}"; do sleep 1; done && /bin/sleep {{ keycloak_quarkus_systemd_wait_for_delay }}'
ExecStartPost=/usr/bin/timeout {{ keycloak_quarkus_systemd_wait_for_timeout }} sh -c 'while ! ss -H -t -l -n sport = :{{ keycloak_quarkus_systemd_wait_for_port_number }} | grep -q "^LISTEN.*:{{ keycloak_quarkus_systemd_wait_for_port_number }}"; do sleep 1; done && /bin/sleep {{ keycloak_quarkus_systemd_wait_for_delay }}'
{% endif %}
{% if keycloak_quarkus_systemd_wait_for_log %}
ExecStartPost=/usr/bin/timeout {{ keycloak_quarkus_systemd_wait_for_timeout }} sh -c 'cat {{ keycloak.log.file }} | sed "/Profile.*activated/ q" && /bin/sleep {{ keycloak_quarkus_systemd_wait_for_delay }}'

2
roles/keycloak_quarkus/templates/quarkus.properties.j2
View File

@@ -1,6 +1,6 @@
{{ ansible_managed | comment }}
{% if keycloak_quarkus_ha_enabled %}
{% if not rhbk_enable or keycloak_quarkus_version.split('.')[0]|int < 22 %}
{% if keycloak_quarkus_version.split('.')[0] | int < 22 %}
quarkus.infinispan-client.server-list={{ keycloak_quarkus_ispn_hosts }}
quarkus.infinispan-client.auth-username={{ keycloak_quarkus_ispn_user }}
quarkus.infinispan-client.auth-password={{ keycloak_quarkus_ispn_pass }}

4
roles/keycloak_quarkus/vars/main.yml
View File

@@ -4,8 +4,8 @@ keycloak: # noqa var-naming this is an internal dict of interpolated values
config_dir: "{{ keycloak_quarkus_config_dir }}"
bundle: "{{ keycloak_quarkus_archive }}"
service_name: "keycloak"
health_url: "http://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_http_port }}{{ keycloak_quarkus_http_relative_path }}{{ '/' \
if keycloak_quarkus_http_relative_path | length > 1 else '' }}realms/master/.well-known/openid-configuration"
health_url: "{{ 'https' if keycloak_quarkus_http_enabled == False else 'http' }}://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_https_port if keycloak_quarkus_http_enabled == False else keycloak_quarkus_http_port }}{{ keycloak_quarkus_http_relative_path }}{{ '/' \
if keycloak_quarkus_http_relative_path | length > 1 else '' }}{{ keycloak_quarkus_health_check_url_path | default('realms/master/.well-known/openid-configuration') }}"
cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh"
service_user: "{{ keycloak_quarkus_service_user }}"
service_group: "{{ keycloak_quarkus_service_group }}"

5
roles/keycloak_realm/README.md
View File

@@ -1,8 +1,9 @@
keycloak_realm
==============
<!--start description_realm -->
Create realms and clients in [keycloak](https://keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) services.
<!--end description_realm -->
Role Defaults
-------------
@@ -136,4 +137,4 @@ Author Information
------------------
* [Guido Grazioli](https://github.com/guidograzioli)
* [Romain Pelisse](https://github.com/rpelisse)
* [Romain Pelisse](https://github.com/rpelisse)

2
roles/keycloak_realm/meta/main.yml
View File

@@ -8,7 +8,7 @@ galaxy_info:
license: Apache License 2.0
min_ansible_version: "2.14"
min_ansible_version: "2.15"
platforms:
- name: EL