Update changelog for release 3.0.4

Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
Merge pull request #332 from cihlamar/AMW-522
2026-06-13 12:05:54 +00:00 · 2026-05-20 13:38:01 +00:00 · 2026-05-20 09:36:11 -04:00 · 2026-05-20 11:00:58 +02:00 · 2026-04-30 03:33:48 -04:00 · 2026-04-28 22:15:14 +05:30
123 changed files with 3986 additions and 452 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -40,4 +40,3 @@ skip_list:
  - var-naming[no-role-prefix]

 use_default_rules: true
-parseable: true
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,14 +6,20 @@ on:
      - main
  pull_request:
  workflow_dispatch:
+    inputs:
+      debug_verbosity:
+        description: 'ANSIBLE_VERBOSITY envvar value'
+        required: false
  schedule:
    - cron: '15 6 * * *'

 jobs:
  ci:
-    uses: ansible-middleware/github-actions/.github/workflows/ci.yml@main
+    uses: ansible-middleware/github-actions/.github/workflows/ci.yml@rootperm
    secrets: inherit
    with:
      fqcn: 'middleware_automation/keycloak'
+      root_permission_varname: 'keycloak_install_requires_become'
+      debug_verbosity: "${{ github.event.inputs.debug_verbosity }}"
      molecule_tests: >-
-          [ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "quarkus_upgrade", "debian", "quarkus_ha" ]
+        [ "debian", "quarkus", "quarkus_ha", "quarkus_ha_remote", "quarkus_ha_26.4_below", "default", "quarkus_devmode", "quarkus_upgrade" ]
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,4 @@ changelogs/.plugin-cache.yaml
 *.pem
 *.key
 *.p12
+.ansible/
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,6 +6,109 @@ middleware\_automation.keycloak Release Notes

 This changelog describes changes after version 0.2.6.

+v3.0.4
+======
+
+Major Changes
+-------------
+
+- AMW-467 Download keycloak binary from password protected HTTP location `#321 <https://github.com/ansible-middleware/keycloak/pull/321>`_
+- v26.4.x compability `#317 <https://github.com/ansible-middleware/keycloak/pull/317>`_
+
+Minor Changes
+-------------
+
+- AMW-518 Validating arguments against arg spec 'main' fails unexpectedly. `#324 <https://github.com/ansible-middleware/keycloak/pull/324>`_
+
+Bugfixes
+--------
+
+- Removing parseable from lint file as Additional properties are not allowed `#319 <https://github.com/ansible-middleware/keycloak/pull/319>`_
+
+v3.0.3
+======
+
+Major Changes
+-------------
+
+- Update to keycloak 26.3.0 `#293 <https://github.com/ansible-middleware/keycloak/pull/293>`_
+- ansible-core 2.19 compatibility `#310 <https://github.com/ansible-middleware/keycloak/pull/310>`_
+
+Minor Changes
+-------------
+
+- Allow to install provider jars from remote paths `#303 <https://github.com/ansible-middleware/keycloak/pull/303>`_
+- Declared proxy_mode as deprecated, updated quarkus and realm readme `#306 <https://github.com/ansible-middleware/keycloak/pull/306>`_
+- Fix config_key_store_file description to match variable name `#308 <https://github.com/ansible-middleware/keycloak/pull/308>`_
+
+Bugfixes
+--------
+
+- keycloak collection CI label is showing no status `#312 <https://github.com/ansible-middleware/keycloak/pull/312>`_
+- keycloak_realm: allow secret in keycloak_clients `#304 <https://github.com/ansible-middleware/keycloak/pull/304>`_
+
+v3.0.2
+======
+
+Minor Changes
+-------------
+
+- New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_
+- New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_
+- Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_
+- Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_
+
+Bugfixes
+--------
+
+- Fix ``keycloak_quarkus_force_install`` parameter being ignored by install `#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_
+- Fix alternate download location being ignored (JBossNeworkAPI always used) `#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_
+- Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_
+- Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_
+- keycloak_realm: federation default provider type should be a string `#302 <https://github.com/ansible-middleware/keycloak/pull/302>`_
+
+v3.0.1
+======
+
+Minor Changes
+-------------
+
+- Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_
+
+Bugfixes
+--------
+
+- Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_
+
+v3.0.0
+======
+
+Minor Changes
+-------------
+
+- Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_
+- keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_
+- Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_
+- Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_
+
+Bugfixes
+--------
+
+- Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_
+- Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_
+- Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_
+- Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_
+
+New Modules
+-----------
+
+- middleware_automation.keycloak.keycloak_realm - Allows administration of Keycloak realm via Keycloak API
+
 v2.4.3
 ======

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -24,7 +24,7 @@ virtualenv $PATH_TO_DEV_VIRTUALENV
 # activate the virtual env
 source $PATH_TO_DEV_VIRTUALENV/bin/activate
 # install ansible and tools onto the virtualenv
-pip install yamllint 'molecule>=6.0' 'molecule-plugins[docker]' 'ansible-core>=2.15' ansible-lint
+pip install yamllint 'molecule>=6.0' 'molecule-plugins[docker]' 'ansible-core>=2.16' ansible-lint
 # install collection dependencies
 ansible-galaxy collection install -r requirements.yml
 # install python dependencies
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # Ansible Collection - middleware_automation.keycloak

 <!--start build_status -->
-[![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
+[![Build Status](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)

 > **_NOTE:_ If you are Red Hat customer, install `redhat.rhbk` (for Red Hat Build of Keycloak) or `redhat.sso` (for Red Hat Single Sign-On) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.**

@@ -12,7 +12,7 @@ Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Re
 <!--start requires_ansible-->
 ## Ansible version compatibility

-This collection has been tested against following Ansible versions: **>=2.15.0**.
+This collection has been tested against following Ansible versions: **>=2.16.0**.

 Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
 <!--end requires_ansible-->
@@ -55,6 +55,15 @@ A requirement file is provided to install:

 <!--end roles_paths -->

+### Included modules
+
+* `keycloak_realm`: module for managing Keycloak realms (create/update/delete).
+* `keycloak_client`: module for managing Keycloak clients (create/update/delete).
+* `keycloak_role`: module for managing Keycloak roles — realm roles and client roles (create/update/delete).
+* `keycloak_user_federation`: module for managing user federations such as LDAP/AD (create/update/delete).
+* `keycloak_client_scope`: module for managing client scopes and protocol mappers (create/update/delete).
+* `keycloak_authentication_flow`: module for managing authentication flows and execution steps (create/delete, copy existing flows).
+
 ## Usage


@@ -109,10 +118,13 @@ Note: when deploying clustered configurations, all hosts belonging to the cluste
 ## Configuration


-### Config Playbook
+### Config Playbooks
 <!--start rhbk_realm_playbook -->
-[`playbooks/keycloak_realm.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
+* [`playbooks/keycloak_realm.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
 <!--end rhbk_realm_playbook -->
+* [`playbooks/keycloak_realm_client.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_realm_client.yml) creates a realm with clients, roles and users using the `keycloak_realm` role.
+* [`playbooks/keycloak_client_scope.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_client_scope.yml) creates a client scope with protocol mappers using the `keycloak_client_scope` module.
+* [`playbooks/keycloak_authentication_flow.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_authentication_flow.yml) creates a custom authentication flow with execution steps using the `keycloak_authentication_flow` module.

 ### Example configuration command

@@ -134,10 +146,21 @@ ansible-playbook -i <ansible_hosts> playbooks/keycloak_realm.yml -e keycloak_adm
 For full configuration details, refer to the [keycloak_realm role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md).
 <!--end rhbk_realm_readme -->

+
+## Support
+
 <!--start support -->
+
+For bug reports and feature requests, use [GitHub Issues](https://github.com/ansible-middleware/keycloak/issues).
+
 <!--end support -->


+## Release and Upgrade Notes
+
+For details on changes between versions, please see the [CHANGELOG](https://github.com/ansible-middleware/keycloak/blob/main/CHANGELOG.rst) for this collection.
+
+
 ## License

 Apache License v2.0 or later
--- a/changelogs/changelog.yaml
+++ b/changelogs/changelog.yaml
@@ -613,3 +613,171 @@ releases:
    fragments:
    - 241.yaml
    release_date: '2024-10-16'
+  3.0.0:
+    changes:
+      breaking_changes:
+      - 'Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_
+
+        '
+      - 'Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_
+
+        '
+      - 'Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_
+
+        '
+      bugfixes:
+      - 'Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_
+
+        '
+      - 'Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_
+
+        '
+      - 'Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_
+
+        '
+      - 'Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_
+
+        '
+      minor_changes:
+      - 'Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_
+
+        '
+      - 'keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_
+
+        '
+    fragments:
+    - 250.yaml
+    - 251.yaml
+    - 252.yaml
+    - 254.yaml
+    - 266.yaml
+    - 268.yaml
+    - 270.yaml
+    - 271.yaml
+    - 274.yaml
+    modules:
+    - description: Allows administration of Keycloak realm via Keycloak API
+      name: keycloak_realm
+      namespace: ''
+    release_date: '2025-04-23'
+  3.0.1:
+    changes:
+      bugfixes:
+      - 'Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_
+
+        '
+      minor_changes:
+      - 'Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_
+
+        '
+    fragments:
+    - 276.yaml
+    - 277.yaml
+    release_date: '2025-05-02'
+  3.0.2:
+    changes:
+      bugfixes:
+      - 'Fix ``keycloak_quarkus_force_install`` parameter being ignored by install
+        `#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_
+
+        '
+      - 'Fix alternate download location being ignored (JBossNeworkAPI always used)
+        `#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_
+
+        '
+      - 'Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_
+
+        '
+      - 'Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_
+
+        '
+      - 'keycloak_realm: federation default provider type should be a string `#302
+        <https://github.com/ansible-middleware/keycloak/pull/302>`_
+
+        '
+      minor_changes:
+      - 'New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_
+
+        '
+      - 'New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_
+
+        '
+      - 'Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_
+
+        '
+      - 'Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_
+
+        '
+    fragments:
+    - 280.yaml
+    - 281.yaml
+    - 283.yaml
+    - 285.yaml
+    - 287.yaml
+    - 289.yaml
+    - 296.yaml
+    - 298.yaml
+    - 302.yaml
+    release_date: '2025-07-01'
+  3.0.3:
+    changes:
+      bugfixes:
+      - 'keycloak collection CI label is showing no status `#312 <https://github.com/ansible-middleware/keycloak/pull/312>`_
+
+        '
+      - 'keycloak_realm: allow secret in keycloak_clients `#304 <https://github.com/ansible-middleware/keycloak/pull/304>`_
+
+        '
+      major_changes:
+      - 'Update to keycloak 26.3.0 `#293 <https://github.com/ansible-middleware/keycloak/pull/293>`_
+
+        '
+      - 'ansible-core 2.19 compatibility `#310 <https://github.com/ansible-middleware/keycloak/pull/310>`_
+
+        '
+      minor_changes:
+      - 'Allow to install provider jars from remote paths `#303 <https://github.com/ansible-middleware/keycloak/pull/303>`_
+
+        '
+      - 'Declared proxy_mode as deprecated, updated quarkus and realm readme `#306
+        <https://github.com/ansible-middleware/keycloak/pull/306>`_
+
+        '
+      - 'Fix config_key_store_file description to match variable name `#308 <https://github.com/ansible-middleware/keycloak/pull/308>`_
+
+        '
+    fragments:
+    - 293.yaml
+    - 303.yaml
+    - 304.yaml
+    - 306.yaml
+    - 308.yaml
+    - 310.yaml
+    - 312.yaml
+    release_date: '2025-12-16'
+  3.0.4:
+    changes:
+      bugfixes:
+      - 'Removing parseable from lint file as Additional properties are not allowed
+        `#319 <https://github.com/ansible-middleware/keycloak/pull/319>`_
+
+        '
+      major_changes:
+      - 'AMW-467 Download keycloak binary from password protected HTTP location `#321
+        <https://github.com/ansible-middleware/keycloak/pull/321>`_
+
+        '
+      - 'v26.4.x compability `#317 <https://github.com/ansible-middleware/keycloak/pull/317>`_
+
+        '
+      minor_changes:
+      - 'AMW-518 Validating arguments against arg spec ''main'' fails unexpectedly.
+        `#324 <https://github.com/ansible-middleware/keycloak/pull/324>`_
+
+        '
+    fragments:
+    - 317.yaml
+    - 319.yaml
+    - 321.yaml
+    - 324.yaml
+    release_date: '2026-05-20'
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -64,7 +64,7 @@ master_doc = 'index'
 #
 # This is also used if you do content translation via gettext catalogs.
 # Usually you set "language" from the command line for these cases.
-language = None
+language = 'en'

 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -1,7 +1,9 @@
+# ansible_basic_sphinx_ext still imports pkg_resources (removed in setuptools 82+).
+setuptools>=70.0.0,<81.0.0
 antsibull>=0.17.0
 antsibull-docs
 antsibull-changelog
-ansible-core>=2.14.1
+ansible-core>=2.16.0
 ansible-pygments
 sphinx-rtd-theme
 git+https://github.com/felixfontein/ansible-basic-sphinx-ext
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,7 +1,7 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "2.4.3"
+version: "3.0.4"
 readme: README.md
 authors:
  - Romain Pelisse <rpelisse@redhat.com>
@@ -35,7 +35,9 @@ issues: https://github.com/ansible-middleware/keycloak/issues
 build_ignore:
  - .gitignore
  - .github
+  - .ansible-lint
  - .yamllint
+  - .DS_Store
  - '*.tar.gz'
  - '*.zip'
  - molecule
--- a/meta/runtime.yml
+++ b/meta/runtime.yml
@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.15.0"
+requires_ansible: ">=2.16.0"
--- a/molecule/debian/converge.yml
+++ b/molecule/debian/converge.yml
@@ -1,18 +1,22 @@
 ---
 - name: Converge
  hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
-    keycloak_quarkus_admin_pass: "remembertochangeme"
-    keycloak_admin_password: "remembertochangeme"
-    keycloak_quarkus_host: instance
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_quarkus_hostname: http://instance:8080
    keycloak_quarkus_log: file
    keycloak_quarkus_start_dev: true
    keycloak_quarkus_proxy_mode: none
  roles:
    - role: keycloak_quarkus
    - role: keycloak_realm
-      keycloak_context: ''
+      keycloak_url: "{{ keycloak_quarkus_hostname }}"
+      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
+      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
      keycloak_client_users:
        - username: TestUser
          password: password
--- a/molecule/debian/molecule.yml
+++ b/molecule/debian/molecule.yml
@@ -3,7 +3,7 @@ driver:
  name: docker
 platforms:
  - name: instance
-    image: ghcr.io/hspaans/molecule-containers:debian-11
+    image: ghcr.io/hspaans/molecule-containers:debian-13
    pre_build_image: true
    privileged: true
    port_bindings:
--- a/molecule/debian/prepare.yml
+++ b/molecule/debian/prepare.yml
@@ -1,11 +1,13 @@
 ---
 - name: Prepare
  hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
  gather_facts: yes
  tasks:
    - name: Install sudo
      ansible.builtin.apt:
        name:
          - sudo
-          - openjdk-17-jdk-headless
-        state: present
+          - openjdk-21-jdk-headless
+          - iproute2
--- a/molecule/debian/verify.yml
+++ b/molecule/debian/verify.yml
@@ -2,7 +2,7 @@
 - name: Verify
  hosts: all
  vars:
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
    keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
    keycloak_jboss_port_offset: 10
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -1,11 +1,13 @@
 ---
 - name: Converge
  hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
-    keycloak_quarkus_admin_pass: "remembertochangeme"
-    keycloak_admin_password: "remembertochangeme"
-    keycloak_quarkus_host: instance
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_quarkus_hostname: http://instance:8080
    keycloak_quarkus_log: file
    keycloak_quarkus_log_level: debug
    keycloak_quarkus_log_target: /tmp/keycloak
@@ -13,10 +15,13 @@
    keycloak_quarkus_proxy_mode: none
    keycloak_quarkus_offline_install: true
    keycloak_quarkus_download_path: /tmp/keycloak/
+    keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m "
  roles:
    - role: keycloak_quarkus
    - role: keycloak_realm
-      keycloak_context: ''
+      keycloak_url: "{{ keycloak_quarkus_hostname }}"
+      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
+      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
      keycloak_client_users:
        - username: TestUser
          password: password
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -1,9 +1,9 @@
 ---
 driver:
-  name: docker
+  name: podman
 platforms:
  - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
@@ -11,6 +11,7 @@ platforms:
      - "8080/tcp"
      - "8443/tcp"
      - "8009/tcp"
+      - "9000/tcp"
 provisioner:
  name: ansible
  config_options:
@@ -23,11 +24,16 @@ provisioner:
    converge: converge.yml
    verify: verify.yml
  inventory:
+    group_vars:
+      all:
+        keycloak_install_requires_become: true
    host_vars:
      localhost:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
+    PROXY: "${PROXY}"
+    NO_PROXY: "${NO_PROXY}"
 verifier:
  name: ansible
 scenario:
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@@ -1,16 +1,14 @@
 ---
 - name: Prepare
  hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
  gather_facts: yes
  vars:
    sudo_pkg_name: sudo
  tasks:
    - name: "Run preparation common to all scenario"
      ansible.builtin.include_tasks: ../prepare.yml
-      vars:
-        assets:
-          - "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip"
-          - "{{ assets_server }}/sso/7.6.1/rh-sso-7.6.1-patch.zip"

    - name: Create controller directory for downloads
      ansible.builtin.file: # noqa risky-file-permissions delegated, uses controller host user
@@ -22,7 +20,7 @@

    - name: Download keycloak archive to controller directory
      ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
-        url: https://github.com/keycloak/keycloak/releases/download/24.0.5/keycloak-24.0.5.zip
+        url: https://github.com/keycloak/keycloak/releases/download/26.4.7/keycloak-26.4.7.zip
        dest: /tmp/keycloak
        mode: '0640'
      delegate_to: localhost
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -2,7 +2,8 @@
 - name: Verify
  hosts: all
  vars:
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_uri: "http://localhost:8080"
  tasks:
    - name: Populate service facts
@@ -16,7 +17,7 @@
      ansible.builtin.uri:
        url: "{{ keycloak_uri }}/realms/master/protocol/openid-connect/token"
        method: POST
-        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
+        body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_user }}&grant_type=password"
        validate_certs: no
      register: keycloak_auth_response
      until: keycloak_auth_response.status == 200
--- a/molecule/group_vars/all/vars.yml
+++ b/molecule/group_vars/all/vars.yml
@@ -0,0 +1,26 @@
+---
+keycloak_quarkus_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_systemd_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_install_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_firewalld_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_iptables_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_jdbc_driver_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_config_store_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_restart_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_start_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_rebuild_config_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_fastpackages_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_bootstrapped_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_invalidate_theme_cache_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_systemd_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_install_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_firewalld_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_iptables_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_jdbc_driver_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_restart_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_start_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_stop_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_fastpackages_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_rhsso_patch_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+molecule_prepare_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
--- a/molecule/https_revproxy/converge.yml
+++ b/molecule/https_revproxy/converge.yml
@@ -1,17 +1,18 @@
 ---
 - name: Converge
  hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
-    keycloak_quarkus_admin_pass: "remembertochangeme"
-    keycloak_admin_password: "remembertochangeme"
-    keycloak_realm: TestRealm
-    keycloak_quarkus_host: instance
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_quarkus_hostname: https://proxy
    keycloak_quarkus_log: file
    keycloak_quarkus_http_enabled: True
    keycloak_quarkus_http_port: 8080
    keycloak_quarkus_proxy_mode: edge
    keycloak_quarkus_http_relative_path: /
-    keycloak_quarkus_frontend_url: https://proxy/
+    keycloak_quarkus_health_check_url: http://proxy:8080/realms/master/.well-known/openid-configuration
  roles:
    - role: keycloak_quarkus
--- a/molecule/https_revproxy/molecule.yml
+++ b/molecule/https_revproxy/molecule.yml
@@ -3,7 +3,7 @@ driver:
  name: docker
 platforms:
  - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
@@ -14,7 +14,7 @@ platforms:
    published_ports:
      - 0.0.0.0:8080:8080/tcp
  - name: proxy
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
--- a/molecule/https_revproxy/prepare.yml
+++ b/molecule/https_revproxy/prepare.yml
@@ -1,6 +1,8 @@
 ---
 - name: Prepare
  hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
  tasks:
    - name: Install sudo
      ansible.builtin.dnf:
@@ -27,6 +29,8 @@
  pre_tasks:
    - name: Create certificate request
      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=proxy'
+      args:
+        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      changed_when: false
    - name: Make certificate directory
@@ -39,11 +43,11 @@
        src: "{{ item.name }}"
        dest: "{{ item.dest }}"
        mode: 0444
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
      loop:
        - { name: 'cert.pem', dest: '/etc/nginx/tls/certificate.crt' }
        - { name: 'key.pem', dest: '/etc/nginx/tls/certificate.key' }
    - name: Update CA trust
      ansible.builtin.command: update-ca-trust
      changed_when: false
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
--- a/molecule/overridexml/converge.yml
+++ b/molecule/overridexml/converge.yml
@@ -1,6 +1,8 @@
 ---
 - name: Converge
  hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
  vars:
    keycloak_admin_password: "remembertochangeme"
    keycloak_config_override_template: custom.xml.j2
--- a/molecule/overridexml/molecule.yml
+++ b/molecule/overridexml/molecule.yml
@@ -3,7 +3,7 @@ driver:
  name: docker
 platforms:
  - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
@@ -11,6 +11,7 @@ platforms:
      - "8080/tcp"
      - "8443/tcp"
      - "8009/tcp"
+      - "9000/tcp"
 provisioner:
  name: ansible
  config_options:
--- a/molecule/overridexml/prepare.yml
+++ b/molecule/overridexml/prepare.yml
@@ -1,6 +1,8 @@
 ---
 - name: Prepare
  hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
  gather_facts: yes
  vars:
    sudo_pkg_name: sudo
--- a/molecule/prepare.yml
+++ b/molecule/prepare.yml
@@ -25,11 +25,12 @@
    fail_msg: "sudo is not installed on target system"

 - name: "Install iproute"
-  become: true
  ansible.builtin.yum:
    name:
      - iproute
    state: present
+  when:
+    - ansible_user_id == 'root'

 - name: "Retrieve assets server from env"
  ansible.builtin.set_fact:
--- a/molecule/quarkus/converge.yml
+++ b/molecule/quarkus/converge.yml
@@ -1,12 +1,14 @@
 ---
 - name: Converge
  hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
-    keycloak_quarkus_admin_pass: "remembertochangeme"
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_realm: TestRealm
-    keycloak_quarkus_host: instance
+    keycloak_quarkus_hostname: https://instance:8443
    keycloak_quarkus_log: file
    keycloak_quarkus_log_level: debug # needed for the verify step
    keycloak_quarkus_https_key_file_enabled: true
@@ -22,6 +24,12 @@
    keycloak_quarkus_systemd_wait_for_timeout: 20
    keycloak_quarkus_systemd_wait_for_delay: 2
    keycloak_quarkus_systemd_wait_for_log: true
+    keycloak_quarkus_restart_health_check: false # would fail because of self-signed cert
+    keycloak_quarkus_version: 26.4.7
+    keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx1024m"
+    keycloak_quarkus_additional_env_vars:
+      - key: KC_FEATURES_DISABLED
+        value: impersonation,kerberos
    keycloak_quarkus_providers:
      - id: http-client
        spi: connections
@@ -32,26 +40,31 @@
            value: 10
      - id: spid-saml
        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
+      - id: spid-saml-w-checksum
+        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
+        checksum: sha256:fbb50e73739d7a6d35b5bff611b1c01668b29adf6f6259624b95e466a305f377
      - id: keycloak-kerberos-federation
        maven:
          repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4
          group_id: org.keycloak
          artifact_id: keycloak-kerberos-federation
-          version: 24.0.5 # optional
+          version: 26.4.7 # optional
          # username: myUser # optional
          # password: myPAT # optional
      # - id: my-static-theme
      #   local_path: /tmp/my-static-theme.jar
    keycloak_quarkus_policies:
-      - name: "xato-net-10-million-passwords.txt"
-        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt"
-      - name: "xato-net-10-million-passwords-10.txt"
-        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords-10.txt"
+      - name: "cain-and-abel.txt"
+        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/cain-and-abel.txt"
+      - name: "john-the-ripper.txt"
+        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt"
        type: password-blacklists
  roles:
    - role: keycloak_quarkus
    - role: keycloak_realm
-      keycloak_context: ''
+      keycloak_url: http://instance:8080
+      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
+      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
      keycloak_client_default_roles:
        - TestRoleAdmin
        - TestRoleUser
--- a/molecule/quarkus/molecule.yml
+++ b/molecule/quarkus/molecule.yml
@@ -3,7 +3,7 @@ driver:
  name: docker
 platforms:
  - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
@@ -11,6 +11,7 @@ platforms:
      - "8080/tcp"
      - "8443/tcp"
      - "8009/tcp"
+      - "9000/tcp"
    published_ports:
      - 0.0.0.0:8443:8443/tcp
 provisioner:
@@ -30,6 +31,9 @@ provisioner:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
+    PYTHONHTTPSVERIFY: 0
+    PROXY: "${PROXY}"
+    NO_PROXY: "${NO_PROXY}"
 verifier:
  name: ansible
 scenario:
--- a/molecule/quarkus/prepare.yml
+++ b/molecule/quarkus/prepare.yml
@@ -1,6 +1,8 @@
 ---
 - name: Prepare
  hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
  tasks:
    - name: "Display hera_home if defined."
      ansible.builtin.set_fact:
@@ -11,11 +13,13 @@

    - name: Create certificate request
      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+      args:
+        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      changed_when: false

    - name: Create vault directory
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
      ansible.builtin.file:
        state: directory
        path: "/opt/keycloak/vault"
@@ -24,20 +28,22 @@
    - name: Make sure a jre is available (for keytool to prepare keystore)
      delegate_to: localhost
      ansible.builtin.package:
-        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
+        name: java-21-openjdk-headless
        state: present
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
      failed_when: false

    - name: Create vault keystore
      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
+      args:
+        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      register: keytool_cmd
      changed_when: False
      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0

    - name: Copy certificates and vault
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
      ansible.builtin.copy:
        src: keystore.p12
        dest: /opt/keycloak/vault/keystore.p12
--- a/molecule/quarkus/verify.yml
+++ b/molecule/quarkus/verify.yml
@@ -1,8 +1,11 @@
 ---
 - name: Verify
  hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
  vars:
-     keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
@@ -35,10 +38,10 @@
        - name: Verify endpoint URLs
          ansible.builtin.assert:
            that:
-              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance/realms/master/protocol/openid-connect/ext/ciba/auth'
-              - (openid_config.stdout | from_json)['issuer'] == 'https://instance/realms/master'
-              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/auth'
-              - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/token'
+              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance:8443/realms/master/protocol/openid-connect/ext/ciba/auth'
+              - (openid_config.stdout | from_json)['issuer'] == 'https://instance:8443/realms/master'
+              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/auth'
+              - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/token'
          delegate_to: localhost

    - name: Check log folder
@@ -55,7 +58,7 @@
        fail_msg: "Service log symlink not correctly created"

    - name: Check log file
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
      ansible.builtin.stat:
        path: /tmp/keycloak/keycloak.log
      register: keycloak_log_file
@@ -67,7 +70,7 @@
          - not keycloak_log_file.stat.isdir

    - name: Check default log folder
-      become: yes
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
      ansible.builtin.stat:
        path: /var/log/keycloak
      register: keycloak_default_log_folder
@@ -79,7 +82,7 @@
          - not keycloak_default_log_folder.stat.exists

    - name: Verify vault SPI in logfile
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
      ansible.builtin.shell: |
        set -o pipefail
        zgrep 'Configured KeystoreVaultProviderFactory with the keystore file' /opt/keycloak/keycloak-*/data/log/keycloak.log*zip
@@ -91,7 +94,7 @@
      ansible.builtin.uri:
        url: "https://instance:8443/realms/master/protocol/openid-connect/token"
        method: POST
-        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
+        body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_password}}&grant_type=password"
        validate_certs: no
      register: keycloak_auth_response
      until: keycloak_auth_response.status == 200
@@ -101,8 +104,8 @@
    - name: "Get Clients"
      ansible.builtin.uri:
        url: "https://instance:8443/admin/realms/TestRealm/clients"
+        validate_certs: false
        headers:
-          validate_certs: false
          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
      register: keycloak_clients

@@ -113,15 +116,15 @@
    - name: "Get Client {{ keycloak_client_uuid }}"
      ansible.builtin.uri:
        url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}"
+        validate_certs: false
        headers:
-          validate_certs: false
          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
      register: keycloak_test_client

    - name: "Get Client roles"
      ansible.builtin.uri:
        url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}/roles"
+        validate_certs: false
        headers:
-          validate_certs: false
          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
-      register: keycloak_test_client_roles
+      register: keycloak_test_client_roles
--- a/molecule/quarkus_devmode/converge.yml
+++ b/molecule/quarkus_devmode/converge.yml
@@ -1,20 +1,26 @@
 ---
 - name: Converge
  hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
-    keycloak_quarkus_admin_pass: "remembertochangeme"
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_realm: TestRealm
    keycloak_quarkus_log: file
-    keycloak_quarkus_frontend_url: 'http://localhost:8080/'
+    keycloak_quarkus_hostname: 'http://localhost:8080'
    keycloak_quarkus_start_dev: True
    keycloak_quarkus_proxy_mode: none
    keycloak_quarkus_java_home: /opt/openjdk/
+    keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m"
+
  roles:
    - role: keycloak_quarkus
    - role: keycloak_realm
-      keycloak_context: ''
+      keycloak_url: "{{ keycloak_quarkus_hostname }}"
+      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
+      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
      keycloak_client_default_roles:
        - TestRoleAdmin
        - TestRoleUser
--- a/molecule/quarkus_devmode/molecule.yml
+++ b/molecule/quarkus_devmode/molecule.yml
@@ -1,17 +1,19 @@
 ---
 driver:
-  name: docker
+  name: podman
 platforms:
  - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
    port_bindings:
      - "8080/tcp"
      - "8009/tcp"
+      - "9000/tcp"
    published_ports:
      - 0.0.0.0:8080:8080/tcp
+      - 0.0.0.0:9000:9000/TCP
 provisioner:
  name: ansible
  config_options:
@@ -29,6 +31,8 @@ provisioner:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
+    PROXY: "${PROXY}"
+    NO_PROXY: "${NO_PROXY}"
 verifier:
  name: ansible
 scenario:
--- a/molecule/quarkus_devmode/prepare.yml
+++ b/molecule/quarkus_devmode/prepare.yml
@@ -1,6 +1,8 @@
 ---
 - name: Prepare
  hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
  tasks:
    - name: Install sudo
      ansible.builtin.apt:
@@ -15,7 +17,7 @@
      ansible.builtin.include_tasks: ../prepare.yml

    - name: Install JDK17
-      become: yes
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
      ansible.builtin.yum:
        name:
          - java-17-openjdk-headless
@@ -24,7 +26,7 @@
        - ansible_facts.os_family == 'RedHat'

    - name: Link default logs directory
-      become: yes
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
      ansible.builtin.file:
        state: link
        src: "{{ item }}"
--- a/molecule/quarkus_devmode/roles
+++ b/molecule/quarkus_devmode/roles
--- a/molecule/quarkus_devmode/verify.yml
+++ b/molecule/quarkus_devmode/verify.yml
--- a/molecule/quarkus_ha/converge.yml
+++ b/molecule/quarkus_ha/converge.yml
@@ -1,12 +1,13 @@
 ---
 - name: Converge
  hosts: keycloak
+  vars_files:
+    - ../group_vars/all/vars.yml
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
-    keycloak_quarkus_admin_pass: "remembertochangeme"
-    keycloak_admin_password: "remembertochangeme"
-    keycloak_realm: TestRealm
-    keycloak_quarkus_host: "{{ inventory_hostname }}"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
    keycloak_quarkus_log: file
    keycloak_quarkus_log_level: info
    keycloak_quarkus_https_key_file_enabled: true
@@ -25,6 +26,6 @@
    keycloak_quarkus_restart_strategy: restart/serial.yml
    keycloak_quarkus_db_user: keycloak
    keycloak_quarkus_db_pass: mysecretpass
-    keycloak_quarkus_jdbc_url: jdbc:postgresql://postgres:5432/keycloak
+    keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
  roles:
    - role: keycloak_quarkus
--- a/molecule/quarkus_ha/molecule.yml
+++ b/molecule/quarkus_ha/molecule.yml
@@ -14,6 +14,7 @@ platforms:
    port_bindings:
      - "8080/tcp"
      - "8443/tcp"
+      - "9000/tcp"
  - name: instance2
    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
@@ -26,6 +27,7 @@ platforms:
    port_bindings:
      - "8080/tcp"
      - "8443/tcp"
+      - "9000/tcp"
  - name: postgres
    image: ubuntu/postgres:14-22.04_beta
    pre_build_image: true
@@ -40,7 +42,7 @@ platforms:
    mounts:
      - type: bind
        target: /etc/postgresql/postgresql.conf
-        source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf
+        source: ${MOLECULE_PROJECT_DIRECTORY}/molecule/quarkus_ha/postgresql/postgresql.conf
    env:
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: mysecretpass
@@ -63,6 +65,7 @@ provisioner:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
+    PYTHONHTTPSVERIFY: 0
 verifier:
  name: ansible
 scenario:
--- a/molecule/quarkus_ha/prepare.yml
+++ b/molecule/quarkus_ha/prepare.yml
@@ -1,6 +1,8 @@
 ---
 - name: Prepare
  hosts: keycloak
+  vars_files:
+    - ../group_vars/all/vars.yml
  tasks:
    - name: "Display hera_home if defined."
      ansible.builtin.set_fact:
@@ -11,11 +13,13 @@

    - name: Create certificate request
      ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
+      args:
+        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      changed_when: False

    - name: Create vault directory
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
      ansible.builtin.file:
        state: directory
        path: "/opt/keycloak/vault"
@@ -26,7 +30,7 @@
      ansible.builtin.package:
        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
        state: present
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
      failed_when: false

    - name: Create vault keystore
@@ -37,7 +41,7 @@
      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0

    - name: Copy certificates and vault
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
      ansible.builtin.copy:
        src: keystore.p12
        dest: /opt/keycloak/vault/keystore.p12
--- a/molecule/quarkus_ha/verify.yml
+++ b/molecule/quarkus_ha/verify.yml
@@ -1,6 +1,8 @@
 ---
 - name: Verify
  hosts: keycloak
+  vars_files:
+    - ../group_vars/all/vars.yml
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
@@ -17,7 +19,7 @@
        hera_home: "{{ lookup('env', 'HERA_HOME') }}"

    - name: Check log file
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
      ansible.builtin.stat:
        path: /var/log/keycloak/keycloak.log
      register: keycloak_log_file
--- a/molecule/quarkus_ha_26.4_below/converge.yml
+++ b/molecule/quarkus_ha_26.4_below/converge.yml
@@ -0,0 +1,32 @@
+---
+- name: Converge
+  hosts: keycloak
+  vars_files:
+    - ../group_vars/all/vars.yml
+  vars:
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
+    keycloak_quarkus_log: file
+    keycloak_quarkus_log_level: info
+    keycloak_quarkus_https_key_file_enabled: true
+    keycloak_quarkus_key_file_copy_enabled: true
+    keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}"
+    keycloak_quarkus_cert_file_copy_enabled: true
+    keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem"
+    keycloak_quarkus_ks_vault_enabled: true
+    keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
+    keycloak_quarkus_ks_vault_pass: keystorepassword
+    keycloak_quarkus_systemd_wait_for_port: true
+    keycloak_quarkus_systemd_wait_for_timeout: 20
+    keycloak_quarkus_systemd_wait_for_delay: 2
+    keycloak_quarkus_systemd_wait_for_log: true
+    keycloak_quarkus_ha_enabled: true
+    keycloak_quarkus_restart_strategy: restart/serial.yml
+    keycloak_quarkus_db_user: keycloak
+    keycloak_quarkus_db_pass: mysecretpass
+    keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
+    keycloak_quarkus_version: 26.3.5
+  roles:
+    - role: keycloak_quarkus
--- a/molecule/quarkus_ha_26.4_below/molecule.yml
+++ b/molecule/quarkus_ha_26.4_below/molecule.yml
@@ -0,0 +1,82 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance1
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    groups:
+      - keycloak
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "9000/tcp"
+  - name: instance2
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    groups:
+      - keycloak
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "9000/tcp"
+  - name: postgres
+    image: ubuntu/postgres:14-22.04_beta
+    pre_build_image: true
+    privileged: true
+    command: postgres
+    groups:
+      - database
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "5432/tcp"
+    mounts:
+      - type: bind
+        target: /etc/postgresql/postgresql.conf
+        source: ${MOLECULE_PROJECT_DIRECTORY}/molecule/quarkus_ha/postgresql/postgresql.conf
+    env:
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: mysecretpass
+      POSTGRES_DB: keycloak
+      POSTGRES_HOST_AUTH_METHOD: trust
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+    PYTHONHTTPSVERIFY: 0
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy
--- a/molecule/quarkus_ha_26.4_below/postgresql/postgresql.conf
+++ b/molecule/quarkus_ha_26.4_below/postgresql/postgresql.conf
@@ -0,0 +1,750 @@
+# -----------------------------
+# PostgreSQL configuration file
+# -----------------------------
+#
+# This file consists of lines of the form:
+#
+#   name = value
+#
+# (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
+# "#" anywhere on a line.  The complete list of parameter names and allowed
+# values can be found in the PostgreSQL documentation.
+#
+# The commented-out settings shown in this file represent the default values.
+# Re-commenting a setting is NOT sufficient to revert it to the default value;
+# you need to reload the server.
+#
+# This file is read on server startup and when the server receives a SIGHUP
+# signal.  If you edit the file on a running system, you have to SIGHUP the
+# server for the changes to take effect, run "pg_ctl reload", or execute
+# "SELECT pg_reload_conf()".  Some parameters, which are marked below,
+# require a server shutdown and restart to take effect.
+#
+# Any parameter can also be given as a command-line option to the server, e.g.,
+# "postgres -c log_connections=on".  Some parameters can be changed at run time
+# with the "SET" SQL command.
+#
+# Memory units:  kB = kilobytes        Time units:  ms  = milliseconds
+#                MB = megabytes                     s   = seconds
+#                GB = gigabytes                     min = minutes
+#                TB = terabytes                     h   = hours
+#                                                   d   = days
+
+
+#------------------------------------------------------------------------------
+# FILE LOCATIONS
+#------------------------------------------------------------------------------
+
+# The default values of these variables are driven from the -D command-line
+# option or PGDATA environment variable, represented here as ConfigDir.
+
+#data_directory = 'ConfigDir'		# use data in another directory
+					# (change requires restart)
+#hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file
+					# (change requires restart)
+#ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file
+					# (change requires restart)
+
+# If external_pid_file is not explicitly set, no extra PID file is written.
+#external_pid_file = ''			# write an extra PID file
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+# - Connection Settings -
+
+listen_addresses = '*'		# what IP address(es) to listen on;
+					# comma-separated list of addresses;
+					# defaults to 'localhost'; use '*' for all
+					# (change requires restart)
+#port = 5432				# (change requires restart)
+#max_connections = 100			# (change requires restart)
+#superuser_reserved_connections = 3	# (change requires restart)
+#unix_socket_directories = '/tmp'	# comma-separated list of directories
+					# (change requires restart)
+#unix_socket_group = ''			# (change requires restart)
+#unix_socket_permissions = 0777		# begin with 0 to use octal notation
+					# (change requires restart)
+#bonjour = off				# advertise server via Bonjour
+					# (change requires restart)
+#bonjour_name = ''			# defaults to the computer name
+					# (change requires restart)
+
+# - TCP settings -
+# see "man 7 tcp" for details
+
+#tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_count = 0		# TCP_KEEPCNT;
+					# 0 selects the system default
+#tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds;
+					# 0 selects the system default
+
+# - Authentication -
+
+#authentication_timeout = 1min		# 1s-600s
+#password_encryption = md5		# md5 or scram-sha-256
+#db_user_namespace = off
+
+# GSSAPI using Kerberos
+#krb_server_keyfile = ''
+#krb_caseins_users = off
+
+# - SSL -
+
+#ssl = off
+#ssl_ca_file = ''
+#ssl_cert_file = 'server.crt'
+#ssl_crl_file = ''
+#ssl_key_file = 'server.key'
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_prefer_server_ciphers = on
+#ssl_ecdh_curve = 'prime256v1'
+#ssl_min_protocol_version = 'TLSv1'
+#ssl_max_protocol_version = ''
+#ssl_dh_params_file = ''
+#ssl_passphrase_command = ''
+#ssl_passphrase_command_supports_reload = off
+
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+# - Memory -
+
+#shared_buffers = 32MB			# min 128kB
+					# (change requires restart)
+#huge_pages = try			# on, off, or try
+					# (change requires restart)
+#temp_buffers = 8MB			# min 800kB
+#max_prepared_transactions = 0		# zero disables the feature
+					# (change requires restart)
+# Caution: it is not advisable to set max_prepared_transactions nonzero unless
+# you actively intend to use prepared transactions.
+#work_mem = 4MB				# min 64kB
+#maintenance_work_mem = 64MB		# min 1MB
+#autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem
+#max_stack_depth = 2MB			# min 100kB
+#shared_memory_type = mmap		# the default is the first option
+					# supported by the operating system:
+					#   mmap
+					#   sysv
+					#   windows
+					# (change requires restart)
+#dynamic_shared_memory_type = posix	# the default is the first option
+					# supported by the operating system:
+					#   posix
+					#   sysv
+					#   windows
+					#   mmap
+					# (change requires restart)
+
+# - Disk -
+
+#temp_file_limit = -1			# limits per-process temp file space
+					# in kB, or -1 for no limit
+
+# - Kernel Resources -
+
+#max_files_per_process = 1000		# min 25
+					# (change requires restart)
+
+# - Cost-Based Vacuum Delay -
+
+#vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables)
+#vacuum_cost_page_hit = 1		# 0-10000 credits
+#vacuum_cost_page_miss = 10		# 0-10000 credits
+#vacuum_cost_page_dirty = 20		# 0-10000 credits
+#vacuum_cost_limit = 200		# 1-10000 credits
+
+# - Background Writer -
+
+#bgwriter_delay = 200ms			# 10-10000ms between rounds
+#bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables
+#bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round
+#bgwriter_flush_after = 0		# measured in pages, 0 disables
+
+# - Asynchronous Behavior -
+
+#effective_io_concurrency = 1		# 1-1000; 0 disables prefetching
+#max_worker_processes = 8		# (change requires restart)
+#max_parallel_maintenance_workers = 2	# taken from max_parallel_workers
+#max_parallel_workers_per_gather = 2	# taken from max_parallel_workers
+#parallel_leader_participation = on
+#max_parallel_workers = 8		# maximum number of max_worker_processes that
+					# can be used in parallel operations
+#old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate
+					# (change requires restart)
+#backend_flush_after = 0		# measured in pages, 0 disables
+
+
+#------------------------------------------------------------------------------
+# WRITE-AHEAD LOG
+#------------------------------------------------------------------------------
+
+# - Settings -
+
+#wal_level = replica			# minimal, replica, or logical
+					# (change requires restart)
+#fsync = on				# flush data to disk for crash safety
+					# (turning this off can cause
+					# unrecoverable data corruption)
+#synchronous_commit = on		# synchronization level;
+					# off, local, remote_write, remote_apply, or on
+#wal_sync_method = fsync		# the default is the first option
+					# supported by the operating system:
+					#   open_datasync
+					#   fdatasync (default on Linux)
+					#   fsync
+					#   fsync_writethrough
+					#   open_sync
+#full_page_writes = on			# recover from partial page writes
+#wal_compression = off			# enable compression of full-page writes
+#wal_log_hints = off			# also do full page writes of non-critical updates
+					# (change requires restart)
+#wal_init_zero = on			# zero-fill new WAL files
+#wal_recycle = on			# recycle WAL files
+#wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
+					# (change requires restart)
+#wal_writer_delay = 200ms		# 1-10000 milliseconds
+#wal_writer_flush_after = 1MB		# measured in pages, 0 disables
+
+#commit_delay = 0			# range 0-100000, in microseconds
+#commit_siblings = 5			# range 1-1000
+
+# - Checkpoints -
+
+#checkpoint_timeout = 5min		# range 30s-1d
+#max_wal_size = 1GB
+#min_wal_size = 80MB
+#checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0
+#checkpoint_flush_after = 0		# measured in pages, 0 disables
+#checkpoint_warning = 30s		# 0 disables
+
+# - Archiving -
+
+#archive_mode = off		# enables archiving; off, on, or always
+				# (change requires restart)
+#archive_command = ''		# command to use to archive a logfile segment
+				# placeholders: %p = path of file to archive
+				#               %f = file name only
+				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
+#archive_timeout = 0		# force a logfile segment switch after this
+				# number of seconds; 0 disables
+
+# - Archive Recovery -
+
+# These are only used in recovery mode.
+
+#restore_command = ''		# command to use to restore an archived logfile segment
+				# placeholders: %p = path of file to restore
+				#               %f = file name only
+				# e.g. 'cp /mnt/server/archivedir/%f %p'
+				# (change requires restart)
+#archive_cleanup_command = ''	# command to execute at every restartpoint
+#recovery_end_command = ''	# command to execute at completion of recovery
+
+# - Recovery Target -
+
+# Set these only when performing a targeted recovery.
+
+#recovery_target = ''		# 'immediate' to end recovery as soon as a
+                                # consistent state is reached
+				# (change requires restart)
+#recovery_target_name = ''	# the named restore point to which recovery will proceed
+				# (change requires restart)
+#recovery_target_time = ''	# the time stamp up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_xid = ''	# the transaction ID up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_inclusive = on # Specifies whether to stop:
+				# just after the specified recovery target (on)
+				# just before the recovery target (off)
+				# (change requires restart)
+#recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID
+				# (change requires restart)
+#recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown'
+				# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# REPLICATION
+#------------------------------------------------------------------------------
+
+# - Sending Servers -
+
+# Set these on the master and on any standby that will send replication data.
+
+#max_wal_senders = 10		# max number of walsender processes
+				# (change requires restart)
+#wal_keep_segments = 0		# in logfile segments; 0 disables
+#wal_sender_timeout = 60s	# in milliseconds; 0 disables
+
+#max_replication_slots = 10	# max number of replication slots
+				# (change requires restart)
+#track_commit_timestamp = off	# collect timestamp of transaction commit
+				# (change requires restart)
+
+# - Master Server -
+
+# These settings are ignored on a standby server.
+
+#synchronous_standby_names = ''	# standby servers that provide sync rep
+				# method to choose sync standbys, number of sync standbys,
+				# and comma-separated list of application_name
+				# from standby(s); '*' = all
+#vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed
+
+# - Standby Servers -
+
+# These settings are ignored on a master server.
+
+#primary_conninfo = ''			# connection string to sending server
+					# (change requires restart)
+#primary_slot_name = ''			# replication slot on sending server
+					# (change requires restart)
+#promote_trigger_file = ''		# file name whose presence ends recovery
+#hot_standby = on			# "off" disallows queries during recovery
+					# (change requires restart)
+#max_standby_archive_delay = 30s	# max delay before canceling queries
+					# when reading WAL from archive;
+					# -1 allows indefinite delay
+#max_standby_streaming_delay = 30s	# max delay before canceling queries
+					# when reading streaming WAL;
+					# -1 allows indefinite delay
+#wal_receiver_status_interval = 10s	# send replies at least this often
+					# 0 disables
+#hot_standby_feedback = off		# send info from standby to prevent
+					# query conflicts
+#wal_receiver_timeout = 60s		# time that receiver waits for
+					# communication from master
+					# in milliseconds; 0 disables
+#wal_retrieve_retry_interval = 5s	# time to wait before retrying to
+					# retrieve WAL after a failed attempt
+#recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery
+
+# - Subscribers -
+
+# These settings are ignored on a publisher.
+
+#max_logical_replication_workers = 4	# taken from max_worker_processes
+					# (change requires restart)
+#max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers
+
+
+#------------------------------------------------------------------------------
+# QUERY TUNING
+#------------------------------------------------------------------------------
+
+# - Planner Method Configuration -
+
+#enable_bitmapscan = on
+#enable_hashagg = on
+#enable_hashjoin = on
+#enable_indexscan = on
+#enable_indexonlyscan = on
+#enable_material = on
+#enable_mergejoin = on
+#enable_nestloop = on
+#enable_parallel_append = on
+#enable_seqscan = on
+#enable_sort = on
+#enable_tidscan = on
+#enable_partitionwise_join = off
+#enable_partitionwise_aggregate = off
+#enable_parallel_hash = on
+#enable_partition_pruning = on
+
+# - Planner Cost Constants -
+
+#seq_page_cost = 1.0			# measured on an arbitrary scale
+#random_page_cost = 4.0			# same scale as above
+#cpu_tuple_cost = 0.01			# same scale as above
+#cpu_index_tuple_cost = 0.005		# same scale as above
+#cpu_operator_cost = 0.0025		# same scale as above
+#parallel_tuple_cost = 0.1		# same scale as above
+#parallel_setup_cost = 1000.0	# same scale as above
+
+#jit_above_cost = 100000		# perform JIT compilation if available
+					# and query more expensive than this;
+					# -1 disables
+#jit_inline_above_cost = 500000		# inline small functions if query is
+					# more expensive than this; -1 disables
+#jit_optimize_above_cost = 500000	# use expensive JIT optimizations if
+					# query is more expensive than this;
+					# -1 disables
+
+#min_parallel_table_scan_size = 8MB
+#min_parallel_index_scan_size = 512kB
+#effective_cache_size = 4GB
+
+# - Genetic Query Optimizer -
+
+#geqo = on
+#geqo_threshold = 12
+#geqo_effort = 5			# range 1-10
+#geqo_pool_size = 0			# selects default based on effort
+#geqo_generations = 0			# selects default based on effort
+#geqo_selection_bias = 2.0		# range 1.5-2.0
+#geqo_seed = 0.0			# range 0.0-1.0
+
+# - Other Planner Options -
+
+#default_statistics_target = 100	# range 1-10000
+#constraint_exclusion = partition	# on, off, or partition
+#cursor_tuple_fraction = 0.1		# range 0.0-1.0
+#from_collapse_limit = 8
+#join_collapse_limit = 8		# 1 disables collapsing of explicit
+					# JOIN clauses
+#force_parallel_mode = off
+#jit = on				# allow JIT compilation
+#plan_cache_mode = auto			# auto, force_generic_plan or
+					# force_custom_plan
+
+
+#------------------------------------------------------------------------------
+# REPORTING AND LOGGING
+#------------------------------------------------------------------------------
+
+# - Where to Log -
+
+#log_destination = 'stderr'		# Valid values are combinations of
+					# stderr, csvlog, syslog, and eventlog,
+					# depending on platform.  csvlog
+					# requires logging_collector to be on.
+
+# This is used when logging to stderr:
+#logging_collector = off		# Enable capturing of stderr and csvlog
+					# into log files. Required to be on for
+					# csvlogs.
+					# (change requires restart)
+
+# These are only used if logging_collector is on:
+#log_directory = 'log'			# directory where log files are written,
+					# can be absolute or relative to PGDATA
+#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'	# log file name pattern,
+					# can include strftime() escapes
+#log_file_mode = 0600			# creation mode for log files,
+					# begin with 0 to use octal notation
+#log_truncate_on_rotation = off		# If on, an existing log file with the
+					# same name as the new log file will be
+					# truncated rather than appended to.
+					# But such truncation only occurs on
+					# time-driven rotation, not on restarts
+					# or size-driven rotation.  Default is
+					# off, meaning append to existing files
+					# in all cases.
+#log_rotation_age = 1d			# Automatic rotation of logfiles will
+					# happen after that time.  0 disables.
+#log_rotation_size = 10MB		# Automatic rotation of logfiles will
+					# happen after that much log output.
+					# 0 disables.
+
+# These are relevant when logging to syslog:
+#syslog_facility = 'LOCAL0'
+#syslog_ident = 'postgres'
+#syslog_sequence_numbers = on
+#syslog_split_messages = on
+
+# This is only relevant when logging to eventlog (win32):
+# (change requires restart)
+#event_source = 'PostgreSQL'
+
+# - When to Log -
+
+#log_min_messages = warning		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic
+
+#log_min_error_statement = error	# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic (effectively off)
+
+#log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements
+					# and their durations, > 0 logs only
+					# statements running at least this number
+					# of milliseconds
+
+#log_transaction_sample_rate = 0.0	# Fraction of transactions whose statements
+					# are logged regardless of their duration. 1.0 logs all
+					# statements from all transactions, 0.0 never logs.
+
+# - What to Log -
+
+#debug_print_parse = off
+#debug_print_rewritten = off
+#debug_print_plan = off
+#debug_pretty_print = on
+#log_checkpoints = off
+#log_connections = off
+#log_disconnections = off
+#log_duration = off
+#log_error_verbosity = default		# terse, default, or verbose messages
+#log_hostname = off
+#log_line_prefix = '%m [%p] '		# special values:
+					#   %a = application name
+					#   %u = user name
+					#   %d = database name
+					#   %r = remote host and port
+					#   %h = remote host
+					#   %p = process ID
+					#   %t = timestamp without milliseconds
+					#   %m = timestamp with milliseconds
+					#   %n = timestamp with milliseconds (as a Unix epoch)
+					#   %i = command tag
+					#   %e = SQL state
+					#   %c = session ID
+					#   %l = session line number
+					#   %s = session start timestamp
+					#   %v = virtual transaction ID
+					#   %x = transaction ID (0 if none)
+					#   %q = stop here in non-session
+					#        processes
+					#   %% = '%'
+					# e.g. '<%u%%%d> '
+#log_lock_waits = off			# log lock waits >= deadlock_timeout
+#log_statement = 'none'			# none, ddl, mod, all
+#log_replication_commands = off
+#log_temp_files = -1			# log temporary files equal or larger
+					# than the specified size in kilobytes;
+					# -1 disables, 0 logs all temp files
+#log_timezone = 'GMT'
+
+#------------------------------------------------------------------------------
+# PROCESS TITLE
+#------------------------------------------------------------------------------
+
+#cluster_name = ''			# added to process titles if nonempty
+					# (change requires restart)
+#update_process_title = on
+
+
+#------------------------------------------------------------------------------
+# STATISTICS
+#------------------------------------------------------------------------------
+
+# - Query and Index Statistics Collector -
+
+#track_activities = on
+#track_counts = on
+#track_io_timing = off
+#track_functions = none			# none, pl, all
+#track_activity_query_size = 1024	# (change requires restart)
+#stats_temp_directory = 'pg_stat_tmp'
+
+
+# - Monitoring -
+
+#log_parser_stats = off
+#log_planner_stats = off
+#log_executor_stats = off
+#log_statement_stats = off
+
+
+#------------------------------------------------------------------------------
+# AUTOVACUUM
+#------------------------------------------------------------------------------
+
+#autovacuum = on			# Enable autovacuum subprocess?  'on'
+					# requires track_counts to also be on.
+#log_autovacuum_min_duration = -1	# -1 disables, 0 logs all actions and
+					# their durations, > 0 logs only
+					# actions running at least this number
+					# of milliseconds.
+#autovacuum_max_workers = 3		# max number of autovacuum subprocesses
+					# (change requires restart)
+#autovacuum_naptime = 1min		# time between autovacuum runs
+#autovacuum_vacuum_threshold = 50	# min number of row updates before
+					# vacuum
+#autovacuum_analyze_threshold = 50	# min number of row updates before
+					# analyze
+#autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum
+#autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze
+#autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum
+					# (change requires restart)
+#autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age
+					# before forced vacuum
+					# (change requires restart)
+#autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for
+					# autovacuum, in milliseconds;
+					# -1 means use vacuum_cost_delay
+#autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for
+					# autovacuum, -1 means use
+					# vacuum_cost_limit
+
+
+#------------------------------------------------------------------------------
+# CLIENT CONNECTION DEFAULTS
+#------------------------------------------------------------------------------
+
+# - Statement Behavior -
+
+#client_min_messages = notice		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   log
+					#   notice
+					#   warning
+					#   error
+#search_path = '"$user", public'	# schema names
+#row_security = on
+#default_tablespace = ''		# a tablespace name, '' uses the default
+#temp_tablespaces = ''			# a list of tablespace names, '' uses
+					# only default tablespace
+#default_table_access_method = 'heap'
+#check_function_bodies = on
+#default_transaction_isolation = 'read committed'
+#default_transaction_read_only = off
+#default_transaction_deferrable = off
+#session_replication_role = 'origin'
+#statement_timeout = 0			# in milliseconds, 0 is disabled
+#lock_timeout = 0			# in milliseconds, 0 is disabled
+#idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled
+#vacuum_freeze_min_age = 50000000
+#vacuum_freeze_table_age = 150000000
+#vacuum_multixact_freeze_min_age = 5000000
+#vacuum_multixact_freeze_table_age = 150000000
+#vacuum_cleanup_index_scale_factor = 0.1	# fraction of total number of tuples
+						# before index cleanup, 0 always performs
+						# index cleanup
+#bytea_output = 'hex'			# hex, escape
+#xmlbinary = 'base64'
+#xmloption = 'content'
+#gin_fuzzy_search_limit = 0
+#gin_pending_list_limit = 4MB
+
+# - Locale and Formatting -
+
+#datestyle = 'iso, mdy'
+#intervalstyle = 'postgres'
+#timezone = 'GMT'
+#timezone_abbreviations = 'Default'     # Select the set of available time zone
+					# abbreviations.  Currently, there are
+					#   Default
+					#   Australia (historical usage)
+					#   India
+					# You can create your own file in
+					# share/timezonesets/.
+#extra_float_digits = 1			# min -15, max 3; any value >0 actually
+					# selects precise output mode
+#client_encoding = sql_ascii		# actually, defaults to database
+					# encoding
+
+# These settings are initialized by initdb, but they can be changed.
+#lc_messages = 'C'			# locale for system error message
+					# strings
+#lc_monetary = 'C'			# locale for monetary formatting
+#lc_numeric = 'C'			# locale for number formatting
+#lc_time = 'C'				# locale for time formatting
+
+# default configuration for text search
+#default_text_search_config = 'pg_catalog.simple'
+
+# - Shared Library Preloading -
+
+#shared_preload_libraries = ''	# (change requires restart)
+#local_preload_libraries = ''
+#session_preload_libraries = ''
+#jit_provider = 'llvmjit'		# JIT library to use
+
+# - Other Defaults -
+
+#dynamic_library_path = '$libdir'
+
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+#deadlock_timeout = 1s
+#max_locks_per_transaction = 64		# min 10
+					# (change requires restart)
+#max_pred_locks_per_transaction = 64	# min 10
+					# (change requires restart)
+#max_pred_locks_per_relation = -2	# negative values mean
+					# (max_pred_locks_per_transaction
+					#  / -max_pred_locks_per_relation) - 1
+#max_pred_locks_per_page = 2            # min 0
+
+
+#------------------------------------------------------------------------------
+# VERSION AND PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+#array_nulls = on
+#backslash_quote = safe_encoding	# on, off, or safe_encoding
+#escape_string_warning = on
+#lo_compat_privileges = off
+#operator_precedence_warning = off
+#quote_all_identifiers = off
+#standard_conforming_strings = on
+#synchronize_seqscans = on
+
+# - Other Platforms and Clients -
+
+#transform_null_equals = off
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+#exit_on_error = off			# terminate session on any error?
+#restart_after_crash = on		# reinitialize after backend crash?
+#data_sync_retry = off			# retry or panic on failure to fsync
+					# data?
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONFIG FILE INCLUDES
+#------------------------------------------------------------------------------
+
+# These options allow settings to be loaded from files other than the
+# default postgresql.conf.  Note that these are directives, not variable
+# assignments, so they can usefully be given more than once.
+
+#include_dir = '...'			# include files ending in '.conf' from
+					# a directory, e.g., 'conf.d'
+#include_if_exists = '...'		# include file only if it exists
+#include = '...'			# include file
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add settings for extensions here
--- a/molecule/quarkus_ha_26.4_below/prepare.yml
+++ b/molecule/quarkus_ha_26.4_below/prepare.yml
@@ -0,0 +1,48 @@
+---
+- name: Prepare
+  hosts: keycloak
+  vars_files:
+    - ../group_vars/all/vars.yml
+  tasks:
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
+
+    - name: Create certificate request
+      ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
+      args:
+        chdir: "{{ playbook_dir }}"
+      delegate_to: localhost
+      changed_when: False
+
+    - name: Create vault directory
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
+      ansible.builtin.file:
+        state: directory
+        path: "/opt/keycloak/vault"
+        mode: 0755
+
+    - name: Make sure a jre is available (for keytool to prepare keystore)
+      delegate_to: localhost
+      ansible.builtin.package:
+        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
+        state: present
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
+      failed_when: false
+
+    - name: Create vault keystore
+      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
+      delegate_to: localhost
+      register: keytool_cmd
+      changed_when: False
+      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
+
+    - name: Copy certificates and vault
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
+      ansible.builtin.copy:
+        src: keystore.p12
+        dest: /opt/keycloak/vault/keystore.p12
+        mode: 0444
--- a/molecule/quarkus_ha_26.4_below/roles
+++ b/molecule/quarkus_ha_26.4_below/roles
@@ -0,0 +1 @@
+../../roles
--- a/molecule/quarkus_ha_26.4_below/verify.yml
+++ b/molecule/quarkus_ha_26.4_below/verify.yml
@@ -0,0 +1,31 @@
+---
+- name: Verify
+  hosts: keycloak
+  vars_files:
+    - ../group_vars/all/vars.yml
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+        fail_msg: "Service not running"
+
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: Check log file
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
+      ansible.builtin.stat:
+        path: /var/log/keycloak/keycloak.log
+      register: keycloak_log_file
+
+    - name: Check if keycloak file exists
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_file.stat.exists
+          - not keycloak_log_file.stat.isdir
--- a/molecule/quarkus_ha_remote/converge.yml
+++ b/molecule/quarkus_ha_remote/converge.yml
@@ -0,0 +1,63 @@
+---
+- name: Converge
+  hosts: infinispan
+  vars_files:
+    - ../group_vars/all/vars.yml
+  vars:
+    ansible_become: "{{ keycloak_install_requires_become | default(true) }}"
+  roles:
+    - role: middleware_automation.infinispan.infinispan
+      infinispan_service_name: infinispan
+      infinispan_supervisor_password: remembertochangeme
+      infinispan_keycloak_caches: true
+      infinispan_keycloak_persistence: False
+      infinispan_jdbc_engine: postgres
+      infinispan_jdbc_url: jdbc:postgresql://postgres:5432/keycloak
+      infinispan_jdbc_driver_version: 9.4.1212
+      infinispan_jdbc_user: keycloak
+      infinispan_jdbc_pass: mysecretpass
+      infinispan_bind_address: "{{ ansible_default_ipv4.address }}"
+      infinispan_users:
+        - { name: 'testuser', password: 'test', roles: 'observer' }
+
+- name: Converge
+  hosts: keycloak
+  vars_files:
+    - ../group_vars/all/vars.yml
+  vars:
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
+    keycloak_quarkus_log: file
+    keycloak_quarkus_log_level: info
+    keycloak_quarkus_https_key_file_enabled: true
+    keycloak_quarkus_key_file_copy_enabled: true
+    keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}"
+    keycloak_quarkus_cert_file_copy_enabled: true
+    keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem"
+    keycloak_quarkus_ks_vault_enabled: true
+    keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
+    keycloak_quarkus_ks_vault_pass: keystorepassword
+    keycloak_quarkus_systemd_wait_for_port: true
+    keycloak_quarkus_systemd_wait_for_timeout: 20
+    keycloak_quarkus_systemd_wait_for_delay: 2
+    keycloak_quarkus_systemd_wait_for_log: true
+    keycloak_quarkus_ha_enabled: true
+    keycloak_quarkus_restart_strategy: restart/serial.yml
+    keycloak_quarkus_db_user: keycloak
+    keycloak_quarkus_db_pass: mysecretpass
+    keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
+    keycloak_quarkus_cache_remote: true
+    keycloak_quarkus_cache_remote_username: supervisor
+    keycloak_quarkus_cache_remote_password: remembertochangeme
+    keycloak_quarkus_cache_remote_host: "infinispan1"
+    keycloak_quarkus_cache_remote_port: 11222
+    keycloak_quarkus_cache_remote_tls_enabled: false
+    keycloak_quarkus_additional_env_vars:
+      - key: KC_FEATURES
+        value: clusterless
+      - key: KC_FEATURES_DISABLED
+        value: persistent-user-sessions
+  roles:
+    - role: keycloak_quarkus
--- a/molecule/quarkus_ha_remote/molecule.yml
+++ b/molecule/quarkus_ha_remote/molecule.yml
@@ -0,0 +1,80 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: keycloak1
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    groups:
+      - keycloak
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "9000/tcp"
+  - name: infinispan1
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    groups:
+      - infinispan
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "11222/tcp"
+  - name: postgres
+    image: ubuntu/postgres:14-22.04_beta
+    pre_build_image: true
+    privileged: true
+    command: postgres
+    groups:
+      - database
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "5432/tcp"
+    mounts:
+      - type: bind
+        target: /etc/postgresql/postgresql.conf
+        source: ${MOLECULE_PROJECT_DIRECTORY}/molecule/quarkus_ha/postgresql/postgresql.conf
+    env:
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: mysecretpass
+      POSTGRES_DB: keycloak
+      POSTGRES_HOST_AUTH_METHOD: trust
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+    PYTHONHTTPSVERIFY: 0
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy
--- a/molecule/quarkus_ha_remote/postgresql/postgresql.conf
+++ b/molecule/quarkus_ha_remote/postgresql/postgresql.conf
@@ -0,0 +1,750 @@
+# -----------------------------
+# PostgreSQL configuration file
+# -----------------------------
+#
+# This file consists of lines of the form:
+#
+#   name = value
+#
+# (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
+# "#" anywhere on a line.  The complete list of parameter names and allowed
+# values can be found in the PostgreSQL documentation.
+#
+# The commented-out settings shown in this file represent the default values.
+# Re-commenting a setting is NOT sufficient to revert it to the default value;
+# you need to reload the server.
+#
+# This file is read on server startup and when the server receives a SIGHUP
+# signal.  If you edit the file on a running system, you have to SIGHUP the
+# server for the changes to take effect, run "pg_ctl reload", or execute
+# "SELECT pg_reload_conf()".  Some parameters, which are marked below,
+# require a server shutdown and restart to take effect.
+#
+# Any parameter can also be given as a command-line option to the server, e.g.,
+# "postgres -c log_connections=on".  Some parameters can be changed at run time
+# with the "SET" SQL command.
+#
+# Memory units:  kB = kilobytes        Time units:  ms  = milliseconds
+#                MB = megabytes                     s   = seconds
+#                GB = gigabytes                     min = minutes
+#                TB = terabytes                     h   = hours
+#                                                   d   = days
+
+
+#------------------------------------------------------------------------------
+# FILE LOCATIONS
+#------------------------------------------------------------------------------
+
+# The default values of these variables are driven from the -D command-line
+# option or PGDATA environment variable, represented here as ConfigDir.
+
+#data_directory = 'ConfigDir'		# use data in another directory
+					# (change requires restart)
+#hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file
+					# (change requires restart)
+#ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file
+					# (change requires restart)
+
+# If external_pid_file is not explicitly set, no extra PID file is written.
+#external_pid_file = ''			# write an extra PID file
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+# - Connection Settings -
+
+listen_addresses = '*'		# what IP address(es) to listen on;
+					# comma-separated list of addresses;
+					# defaults to 'localhost'; use '*' for all
+					# (change requires restart)
+#port = 5432				# (change requires restart)
+#max_connections = 100			# (change requires restart)
+#superuser_reserved_connections = 3	# (change requires restart)
+#unix_socket_directories = '/tmp'	# comma-separated list of directories
+					# (change requires restart)
+#unix_socket_group = ''			# (change requires restart)
+#unix_socket_permissions = 0777		# begin with 0 to use octal notation
+					# (change requires restart)
+#bonjour = off				# advertise server via Bonjour
+					# (change requires restart)
+#bonjour_name = ''			# defaults to the computer name
+					# (change requires restart)
+
+# - TCP settings -
+# see "man 7 tcp" for details
+
+#tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_count = 0		# TCP_KEEPCNT;
+					# 0 selects the system default
+#tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds;
+					# 0 selects the system default
+
+# - Authentication -
+
+#authentication_timeout = 1min		# 1s-600s
+#password_encryption = md5		# md5 or scram-sha-256
+#db_user_namespace = off
+
+# GSSAPI using Kerberos
+#krb_server_keyfile = ''
+#krb_caseins_users = off
+
+# - SSL -
+
+#ssl = off
+#ssl_ca_file = ''
+#ssl_cert_file = 'server.crt'
+#ssl_crl_file = ''
+#ssl_key_file = 'server.key'
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_prefer_server_ciphers = on
+#ssl_ecdh_curve = 'prime256v1'
+#ssl_min_protocol_version = 'TLSv1'
+#ssl_max_protocol_version = ''
+#ssl_dh_params_file = ''
+#ssl_passphrase_command = ''
+#ssl_passphrase_command_supports_reload = off
+
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+# - Memory -
+
+#shared_buffers = 32MB			# min 128kB
+					# (change requires restart)
+#huge_pages = try			# on, off, or try
+					# (change requires restart)
+#temp_buffers = 8MB			# min 800kB
+#max_prepared_transactions = 0		# zero disables the feature
+					# (change requires restart)
+# Caution: it is not advisable to set max_prepared_transactions nonzero unless
+# you actively intend to use prepared transactions.
+#work_mem = 4MB				# min 64kB
+#maintenance_work_mem = 64MB		# min 1MB
+#autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem
+#max_stack_depth = 2MB			# min 100kB
+#shared_memory_type = mmap		# the default is the first option
+					# supported by the operating system:
+					#   mmap
+					#   sysv
+					#   windows
+					# (change requires restart)
+#dynamic_shared_memory_type = posix	# the default is the first option
+					# supported by the operating system:
+					#   posix
+					#   sysv
+					#   windows
+					#   mmap
+					# (change requires restart)
+
+# - Disk -
+
+#temp_file_limit = -1			# limits per-process temp file space
+					# in kB, or -1 for no limit
+
+# - Kernel Resources -
+
+#max_files_per_process = 1000		# min 25
+					# (change requires restart)
+
+# - Cost-Based Vacuum Delay -
+
+#vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables)
+#vacuum_cost_page_hit = 1		# 0-10000 credits
+#vacuum_cost_page_miss = 10		# 0-10000 credits
+#vacuum_cost_page_dirty = 20		# 0-10000 credits
+#vacuum_cost_limit = 200		# 1-10000 credits
+
+# - Background Writer -
+
+#bgwriter_delay = 200ms			# 10-10000ms between rounds
+#bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables
+#bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round
+#bgwriter_flush_after = 0		# measured in pages, 0 disables
+
+# - Asynchronous Behavior -
+
+#effective_io_concurrency = 1		# 1-1000; 0 disables prefetching
+#max_worker_processes = 8		# (change requires restart)
+#max_parallel_maintenance_workers = 2	# taken from max_parallel_workers
+#max_parallel_workers_per_gather = 2	# taken from max_parallel_workers
+#parallel_leader_participation = on
+#max_parallel_workers = 8		# maximum number of max_worker_processes that
+					# can be used in parallel operations
+#old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate
+					# (change requires restart)
+#backend_flush_after = 0		# measured in pages, 0 disables
+
+
+#------------------------------------------------------------------------------
+# WRITE-AHEAD LOG
+#------------------------------------------------------------------------------
+
+# - Settings -
+
+#wal_level = replica			# minimal, replica, or logical
+					# (change requires restart)
+#fsync = on				# flush data to disk for crash safety
+					# (turning this off can cause
+					# unrecoverable data corruption)
+#synchronous_commit = on		# synchronization level;
+					# off, local, remote_write, remote_apply, or on
+#wal_sync_method = fsync		# the default is the first option
+					# supported by the operating system:
+					#   open_datasync
+					#   fdatasync (default on Linux)
+					#   fsync
+					#   fsync_writethrough
+					#   open_sync
+#full_page_writes = on			# recover from partial page writes
+#wal_compression = off			# enable compression of full-page writes
+#wal_log_hints = off			# also do full page writes of non-critical updates
+					# (change requires restart)
+#wal_init_zero = on			# zero-fill new WAL files
+#wal_recycle = on			# recycle WAL files
+#wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
+					# (change requires restart)
+#wal_writer_delay = 200ms		# 1-10000 milliseconds
+#wal_writer_flush_after = 1MB		# measured in pages, 0 disables
+
+#commit_delay = 0			# range 0-100000, in microseconds
+#commit_siblings = 5			# range 1-1000
+
+# - Checkpoints -
+
+#checkpoint_timeout = 5min		# range 30s-1d
+#max_wal_size = 1GB
+#min_wal_size = 80MB
+#checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0
+#checkpoint_flush_after = 0		# measured in pages, 0 disables
+#checkpoint_warning = 30s		# 0 disables
+
+# - Archiving -
+
+#archive_mode = off		# enables archiving; off, on, or always
+				# (change requires restart)
+#archive_command = ''		# command to use to archive a logfile segment
+				# placeholders: %p = path of file to archive
+				#               %f = file name only
+				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
+#archive_timeout = 0		# force a logfile segment switch after this
+				# number of seconds; 0 disables
+
+# - Archive Recovery -
+
+# These are only used in recovery mode.
+
+#restore_command = ''		# command to use to restore an archived logfile segment
+				# placeholders: %p = path of file to restore
+				#               %f = file name only
+				# e.g. 'cp /mnt/server/archivedir/%f %p'
+				# (change requires restart)
+#archive_cleanup_command = ''	# command to execute at every restartpoint
+#recovery_end_command = ''	# command to execute at completion of recovery
+
+# - Recovery Target -
+
+# Set these only when performing a targeted recovery.
+
+#recovery_target = ''		# 'immediate' to end recovery as soon as a
+                                # consistent state is reached
+				# (change requires restart)
+#recovery_target_name = ''	# the named restore point to which recovery will proceed
+				# (change requires restart)
+#recovery_target_time = ''	# the time stamp up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_xid = ''	# the transaction ID up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_inclusive = on # Specifies whether to stop:
+				# just after the specified recovery target (on)
+				# just before the recovery target (off)
+				# (change requires restart)
+#recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID
+				# (change requires restart)
+#recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown'
+				# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# REPLICATION
+#------------------------------------------------------------------------------
+
+# - Sending Servers -
+
+# Set these on the master and on any standby that will send replication data.
+
+#max_wal_senders = 10		# max number of walsender processes
+				# (change requires restart)
+#wal_keep_segments = 0		# in logfile segments; 0 disables
+#wal_sender_timeout = 60s	# in milliseconds; 0 disables
+
+#max_replication_slots = 10	# max number of replication slots
+				# (change requires restart)
+#track_commit_timestamp = off	# collect timestamp of transaction commit
+				# (change requires restart)
+
+# - Master Server -
+
+# These settings are ignored on a standby server.
+
+#synchronous_standby_names = ''	# standby servers that provide sync rep
+				# method to choose sync standbys, number of sync standbys,
+				# and comma-separated list of application_name
+				# from standby(s); '*' = all
+#vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed
+
+# - Standby Servers -
+
+# These settings are ignored on a master server.
+
+#primary_conninfo = ''			# connection string to sending server
+					# (change requires restart)
+#primary_slot_name = ''			# replication slot on sending server
+					# (change requires restart)
+#promote_trigger_file = ''		# file name whose presence ends recovery
+#hot_standby = on			# "off" disallows queries during recovery
+					# (change requires restart)
+#max_standby_archive_delay = 30s	# max delay before canceling queries
+					# when reading WAL from archive;
+					# -1 allows indefinite delay
+#max_standby_streaming_delay = 30s	# max delay before canceling queries
+					# when reading streaming WAL;
+					# -1 allows indefinite delay
+#wal_receiver_status_interval = 10s	# send replies at least this often
+					# 0 disables
+#hot_standby_feedback = off		# send info from standby to prevent
+					# query conflicts
+#wal_receiver_timeout = 60s		# time that receiver waits for
+					# communication from master
+					# in milliseconds; 0 disables
+#wal_retrieve_retry_interval = 5s	# time to wait before retrying to
+					# retrieve WAL after a failed attempt
+#recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery
+
+# - Subscribers -
+
+# These settings are ignored on a publisher.
+
+#max_logical_replication_workers = 4	# taken from max_worker_processes
+					# (change requires restart)
+#max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers
+
+
+#------------------------------------------------------------------------------
+# QUERY TUNING
+#------------------------------------------------------------------------------
+
+# - Planner Method Configuration -
+
+#enable_bitmapscan = on
+#enable_hashagg = on
+#enable_hashjoin = on
+#enable_indexscan = on
+#enable_indexonlyscan = on
+#enable_material = on
+#enable_mergejoin = on
+#enable_nestloop = on
+#enable_parallel_append = on
+#enable_seqscan = on
+#enable_sort = on
+#enable_tidscan = on
+#enable_partitionwise_join = off
+#enable_partitionwise_aggregate = off
+#enable_parallel_hash = on
+#enable_partition_pruning = on
+
+# - Planner Cost Constants -
+
+#seq_page_cost = 1.0			# measured on an arbitrary scale
+#random_page_cost = 4.0			# same scale as above
+#cpu_tuple_cost = 0.01			# same scale as above
+#cpu_index_tuple_cost = 0.005		# same scale as above
+#cpu_operator_cost = 0.0025		# same scale as above
+#parallel_tuple_cost = 0.1		# same scale as above
+#parallel_setup_cost = 1000.0	# same scale as above
+
+#jit_above_cost = 100000		# perform JIT compilation if available
+					# and query more expensive than this;
+					# -1 disables
+#jit_inline_above_cost = 500000		# inline small functions if query is
+					# more expensive than this; -1 disables
+#jit_optimize_above_cost = 500000	# use expensive JIT optimizations if
+					# query is more expensive than this;
+					# -1 disables
+
+#min_parallel_table_scan_size = 8MB
+#min_parallel_index_scan_size = 512kB
+#effective_cache_size = 4GB
+
+# - Genetic Query Optimizer -
+
+#geqo = on
+#geqo_threshold = 12
+#geqo_effort = 5			# range 1-10
+#geqo_pool_size = 0			# selects default based on effort
+#geqo_generations = 0			# selects default based on effort
+#geqo_selection_bias = 2.0		# range 1.5-2.0
+#geqo_seed = 0.0			# range 0.0-1.0
+
+# - Other Planner Options -
+
+#default_statistics_target = 100	# range 1-10000
+#constraint_exclusion = partition	# on, off, or partition
+#cursor_tuple_fraction = 0.1		# range 0.0-1.0
+#from_collapse_limit = 8
+#join_collapse_limit = 8		# 1 disables collapsing of explicit
+					# JOIN clauses
+#force_parallel_mode = off
+#jit = on				# allow JIT compilation
+#plan_cache_mode = auto			# auto, force_generic_plan or
+					# force_custom_plan
+
+
+#------------------------------------------------------------------------------
+# REPORTING AND LOGGING
+#------------------------------------------------------------------------------
+
+# - Where to Log -
+
+#log_destination = 'stderr'		# Valid values are combinations of
+					# stderr, csvlog, syslog, and eventlog,
+					# depending on platform.  csvlog
+					# requires logging_collector to be on.
+
+# This is used when logging to stderr:
+#logging_collector = off		# Enable capturing of stderr and csvlog
+					# into log files. Required to be on for
+					# csvlogs.
+					# (change requires restart)
+
+# These are only used if logging_collector is on:
+#log_directory = 'log'			# directory where log files are written,
+					# can be absolute or relative to PGDATA
+#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'	# log file name pattern,
+					# can include strftime() escapes
+#log_file_mode = 0600			# creation mode for log files,
+					# begin with 0 to use octal notation
+#log_truncate_on_rotation = off		# If on, an existing log file with the
+					# same name as the new log file will be
+					# truncated rather than appended to.
+					# But such truncation only occurs on
+					# time-driven rotation, not on restarts
+					# or size-driven rotation.  Default is
+					# off, meaning append to existing files
+					# in all cases.
+#log_rotation_age = 1d			# Automatic rotation of logfiles will
+					# happen after that time.  0 disables.
+#log_rotation_size = 10MB		# Automatic rotation of logfiles will
+					# happen after that much log output.
+					# 0 disables.
+
+# These are relevant when logging to syslog:
+#syslog_facility = 'LOCAL0'
+#syslog_ident = 'postgres'
+#syslog_sequence_numbers = on
+#syslog_split_messages = on
+
+# This is only relevant when logging to eventlog (win32):
+# (change requires restart)
+#event_source = 'PostgreSQL'
+
+# - When to Log -
+
+#log_min_messages = warning		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic
+
+#log_min_error_statement = error	# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic (effectively off)
+
+#log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements
+					# and their durations, > 0 logs only
+					# statements running at least this number
+					# of milliseconds
+
+#log_transaction_sample_rate = 0.0	# Fraction of transactions whose statements
+					# are logged regardless of their duration. 1.0 logs all
+					# statements from all transactions, 0.0 never logs.
+
+# - What to Log -
+
+#debug_print_parse = off
+#debug_print_rewritten = off
+#debug_print_plan = off
+#debug_pretty_print = on
+#log_checkpoints = off
+#log_connections = off
+#log_disconnections = off
+#log_duration = off
+#log_error_verbosity = default		# terse, default, or verbose messages
+#log_hostname = off
+#log_line_prefix = '%m [%p] '		# special values:
+					#   %a = application name
+					#   %u = user name
+					#   %d = database name
+					#   %r = remote host and port
+					#   %h = remote host
+					#   %p = process ID
+					#   %t = timestamp without milliseconds
+					#   %m = timestamp with milliseconds
+					#   %n = timestamp with milliseconds (as a Unix epoch)
+					#   %i = command tag
+					#   %e = SQL state
+					#   %c = session ID
+					#   %l = session line number
+					#   %s = session start timestamp
+					#   %v = virtual transaction ID
+					#   %x = transaction ID (0 if none)
+					#   %q = stop here in non-session
+					#        processes
+					#   %% = '%'
+					# e.g. '<%u%%%d> '
+#log_lock_waits = off			# log lock waits >= deadlock_timeout
+#log_statement = 'none'			# none, ddl, mod, all
+#log_replication_commands = off
+#log_temp_files = -1			# log temporary files equal or larger
+					# than the specified size in kilobytes;
+					# -1 disables, 0 logs all temp files
+#log_timezone = 'GMT'
+
+#------------------------------------------------------------------------------
+# PROCESS TITLE
+#------------------------------------------------------------------------------
+
+#cluster_name = ''			# added to process titles if nonempty
+					# (change requires restart)
+#update_process_title = on
+
+
+#------------------------------------------------------------------------------
+# STATISTICS
+#------------------------------------------------------------------------------
+
+# - Query and Index Statistics Collector -
+
+#track_activities = on
+#track_counts = on
+#track_io_timing = off
+#track_functions = none			# none, pl, all
+#track_activity_query_size = 1024	# (change requires restart)
+#stats_temp_directory = 'pg_stat_tmp'
+
+
+# - Monitoring -
+
+#log_parser_stats = off
+#log_planner_stats = off
+#log_executor_stats = off
+#log_statement_stats = off
+
+
+#------------------------------------------------------------------------------
+# AUTOVACUUM
+#------------------------------------------------------------------------------
+
+#autovacuum = on			# Enable autovacuum subprocess?  'on'
+					# requires track_counts to also be on.
+#log_autovacuum_min_duration = -1	# -1 disables, 0 logs all actions and
+					# their durations, > 0 logs only
+					# actions running at least this number
+					# of milliseconds.
+#autovacuum_max_workers = 3		# max number of autovacuum subprocesses
+					# (change requires restart)
+#autovacuum_naptime = 1min		# time between autovacuum runs
+#autovacuum_vacuum_threshold = 50	# min number of row updates before
+					# vacuum
+#autovacuum_analyze_threshold = 50	# min number of row updates before
+					# analyze
+#autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum
+#autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze
+#autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum
+					# (change requires restart)
+#autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age
+					# before forced vacuum
+					# (change requires restart)
+#autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for
+					# autovacuum, in milliseconds;
+					# -1 means use vacuum_cost_delay
+#autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for
+					# autovacuum, -1 means use
+					# vacuum_cost_limit
+
+
+#------------------------------------------------------------------------------
+# CLIENT CONNECTION DEFAULTS
+#------------------------------------------------------------------------------
+
+# - Statement Behavior -
+
+#client_min_messages = notice		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   log
+					#   notice
+					#   warning
+					#   error
+#search_path = '"$user", public'	# schema names
+#row_security = on
+#default_tablespace = ''		# a tablespace name, '' uses the default
+#temp_tablespaces = ''			# a list of tablespace names, '' uses
+					# only default tablespace
+#default_table_access_method = 'heap'
+#check_function_bodies = on
+#default_transaction_isolation = 'read committed'
+#default_transaction_read_only = off
+#default_transaction_deferrable = off
+#session_replication_role = 'origin'
+#statement_timeout = 0			# in milliseconds, 0 is disabled
+#lock_timeout = 0			# in milliseconds, 0 is disabled
+#idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled
+#vacuum_freeze_min_age = 50000000
+#vacuum_freeze_table_age = 150000000
+#vacuum_multixact_freeze_min_age = 5000000
+#vacuum_multixact_freeze_table_age = 150000000
+#vacuum_cleanup_index_scale_factor = 0.1	# fraction of total number of tuples
+						# before index cleanup, 0 always performs
+						# index cleanup
+#bytea_output = 'hex'			# hex, escape
+#xmlbinary = 'base64'
+#xmloption = 'content'
+#gin_fuzzy_search_limit = 0
+#gin_pending_list_limit = 4MB
+
+# - Locale and Formatting -
+
+#datestyle = 'iso, mdy'
+#intervalstyle = 'postgres'
+#timezone = 'GMT'
+#timezone_abbreviations = 'Default'     # Select the set of available time zone
+					# abbreviations.  Currently, there are
+					#   Default
+					#   Australia (historical usage)
+					#   India
+					# You can create your own file in
+					# share/timezonesets/.
+#extra_float_digits = 1			# min -15, max 3; any value >0 actually
+					# selects precise output mode
+#client_encoding = sql_ascii		# actually, defaults to database
+					# encoding
+
+# These settings are initialized by initdb, but they can be changed.
+#lc_messages = 'C'			# locale for system error message
+					# strings
+#lc_monetary = 'C'			# locale for monetary formatting
+#lc_numeric = 'C'			# locale for number formatting
+#lc_time = 'C'				# locale for time formatting
+
+# default configuration for text search
+#default_text_search_config = 'pg_catalog.simple'
+
+# - Shared Library Preloading -
+
+#shared_preload_libraries = ''	# (change requires restart)
+#local_preload_libraries = ''
+#session_preload_libraries = ''
+#jit_provider = 'llvmjit'		# JIT library to use
+
+# - Other Defaults -
+
+#dynamic_library_path = '$libdir'
+
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+#deadlock_timeout = 1s
+#max_locks_per_transaction = 64		# min 10
+					# (change requires restart)
+#max_pred_locks_per_transaction = 64	# min 10
+					# (change requires restart)
+#max_pred_locks_per_relation = -2	# negative values mean
+					# (max_pred_locks_per_transaction
+					#  / -max_pred_locks_per_relation) - 1
+#max_pred_locks_per_page = 2            # min 0
+
+
+#------------------------------------------------------------------------------
+# VERSION AND PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+#array_nulls = on
+#backslash_quote = safe_encoding	# on, off, or safe_encoding
+#escape_string_warning = on
+#lo_compat_privileges = off
+#operator_precedence_warning = off
+#quote_all_identifiers = off
+#standard_conforming_strings = on
+#synchronize_seqscans = on
+
+# - Other Platforms and Clients -
+
+#transform_null_equals = off
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+#exit_on_error = off			# terminate session on any error?
+#restart_after_crash = on		# reinitialize after backend crash?
+#data_sync_retry = off			# retry or panic on failure to fsync
+					# data?
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONFIG FILE INCLUDES
+#------------------------------------------------------------------------------
+
+# These options allow settings to be loaded from files other than the
+# default postgresql.conf.  Note that these are directives, not variable
+# assignments, so they can usefully be given more than once.
+
+#include_dir = '...'			# include files ending in '.conf' from
+					# a directory, e.g., 'conf.d'
+#include_if_exists = '...'		# include file only if it exists
+#include = '...'			# include file
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add settings for extensions here
--- a/molecule/quarkus_ha_remote/prepare.yml
+++ b/molecule/quarkus_ha_remote/prepare.yml
@@ -0,0 +1,50 @@
+---
+- name: Prepare
+  hosts: 'keycloak:infinispan'
+  vars_files:
+    - ../group_vars/all/vars.yml
+  tasks:
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
+
+    - name: Create certificate request
+      ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
+      args:
+        chdir: "{{ playbook_dir }}"
+      delegate_to: localhost
+      changed_when: False
+
+    - name: Create vault directory
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
+      ansible.builtin.file:
+        state: directory
+        path: "/opt/keycloak/vault"
+        mode: 0755
+
+    - name: Make sure a jre is available (for keytool to prepare keystore)
+      delegate_to: localhost
+      ansible.builtin.package:
+        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
+        state: present
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
+      failed_when: false
+
+    - name: Create vault keystore
+      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
+      args:
+        chdir: "{{ playbook_dir }}"
+      delegate_to: localhost
+      register: keytool_cmd
+      changed_when: False
+      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
+
+    - name: Copy certificates and vault
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
+      ansible.builtin.copy:
+        src: keystore.p12
+        dest: /opt/keycloak/vault/keystore.p12
+        mode: 0444
--- a/molecule/quarkus_ha_remote/roles
+++ b/molecule/quarkus_ha_remote/roles
@@ -0,0 +1 @@
+../../roles
--- a/molecule/quarkus_ha_remote/verify.yml
+++ b/molecule/quarkus_ha_remote/verify.yml
@@ -0,0 +1,31 @@
+---
+- name: Verify
+  hosts: keycloak
+  vars_files:
+    - ../group_vars/all/vars.yml
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+        fail_msg: "Service not running"
+
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: Check log file
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
+      ansible.builtin.stat:
+        path: /var/log/keycloak/keycloak.log
+      register: keycloak_log_file
+
+    - name: Check if keycloak file exists
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_file.stat.exists
+          - not keycloak_log_file.stat.isdir
--- a/molecule/quarkus_upgrade/converge.yml
+++ b/molecule/quarkus_upgrade/converge.yml
@@ -2,9 +2,13 @@
 - name: Converge
  hosts: all
  vars_files:
+    - ../group_vars/all/vars.yml
    - vars.yml
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
-    keycloak_quarkus_version: 24.0.3
+    keycloak_quarkus_additional_env_vars:
+      - key: KC_FEATURES_DISABLED
+        value: ciba,device-flow,impersonation,kerberos,docker
+    keycloak_quarkus_version: 26.0.7
  roles:
    - role: keycloak_quarkus
--- a/molecule/quarkus_upgrade/molecule.yml
+++ b/molecule/quarkus_upgrade/molecule.yml
@@ -4,7 +4,7 @@ dependency:
  options:
    requirements-file: molecule/requirements.yml
 driver:
-  name: docker
+  name: podman
 platforms:
  - name: instance
    image: registry.access.redhat.com/ubi9/ubi-init:latest
@@ -13,8 +13,10 @@ platforms:
    privileged: true
    port_bindings:
      - 8080:8080
+      - "9000/tcp"
    published_ports:
      - 0.0.0.0:8080:8080/TCP
+      - 0.0.0.0:9000:9000/TCP
 provisioner:
  name: ansible
  playbooks:
@@ -25,6 +27,10 @@ provisioner:
    host_vars:
      localhost:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+    PROXY: "${PROXY}"
+    NO_PROXY: "${NO_PROXY}"
 verifier:
  name: ansible
 scenario:
--- a/molecule/quarkus_upgrade/prepare.yml
+++ b/molecule/quarkus_upgrade/prepare.yml
@@ -2,10 +2,14 @@
 - name: Prepare
  hosts: all
  vars_files:
+    - ../group_vars/all/vars.yml
    - vars.yml
  vars:
    sudo_pkg_name: sudo
-    keycloak_quarkus_version: 23.0.7
+    keycloak_quarkus_version: 26.0.4
+    keycloak_quarkus_additional_env_vars:
+      - key: KC_FEATURES_DISABLED
+        value: impersonation,kerberos
  pre_tasks:
    - name: Install sudo
      ansible.builtin.apt:
@@ -40,13 +44,16 @@

    - name: Create certificate request
      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+      args:
+        chdir: "{{ playbook_dir }}"
      delegate_to: localhost
      changed_when: false
  roles:
    - role: keycloak_quarkus
+
  post_tasks:
    - name: "Delete custom fact"
      ansible.builtin.file:
        path: /etc/ansible/facts.d/keycloak.fact
        state: absent
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation }}"
--- a/molecule/quarkus_upgrade/vars.yml
+++ b/molecule/quarkus_upgrade/vars.yml
@@ -1,9 +1,8 @@
 ---
 keycloak_quarkus_offline_install: false
-keycloak_quarkus_admin_password: "remembertochangeme"
-keycloak_quarkus_admin_pass: "remembertochangeme"
+keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
 keycloak_quarkus_realm: TestRealm
-keycloak_quarkus_host: instance
+keycloak_quarkus_hostname: http://instance:8080
 keycloak_quarkus_log: file
 keycloak_quarkus_https_key_file_enabled: true
 keycloak_quarkus_log_target: /tmp/keycloak
--- a/molecule/quarkus_upgrade/verify.yml
+++ b/molecule/quarkus_upgrade/verify.yml
@@ -2,7 +2,7 @@
 - name: Verify
  hosts: instance
  vars:
-    keycloak_quarkus_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
    keycloak_quarkus_port: http://localhost:8080
  tasks:
    - name: Populate service facts
@@ -14,19 +14,18 @@
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"

-    - name: Verify we are running on requested jvm
-      ansible.builtin.shell: |
-        set -eo pipefail
-        ps -ef | grep 'etc/alternatives/.*17' | grep -v grep
+    - name: Verify Java 21 runtime is installed (UBI/RHEL)
+      ansible.builtin.command:
+        cmd: rpm -q java-21-openjdk-headless
      changed_when: false

    - name: Verify token api call
      ansible.builtin.uri:
        url: "{{ keycloak_quarkus_port }}/realms/master/protocol/openid-connect/token"
        method: POST
-        body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_admin_password }}&grant_type=password"
+        body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_bootstrap_admin_password }}&grant_type=password"
        validate_certs: no
      register: keycloak_auth_response
      until: keycloak_auth_response.status == 200
-      retries: 2
-      delay: 2
+      retries: 45
+      delay: 5
--- a/molecule/requirements.yml
+++ b/molecule/requirements.yml
@@ -2,10 +2,13 @@
 collections:
  - name: middleware_automation.common
  - name: middleware_automation.jbcs
+  - name: middleware_automation.infinispan
  - name: community.general
  - name: ansible.posix
  - name: community.docker
    version: ">=3.8.0"
+  - name: containers.podman
+    version: ">=1.8.1"

 roles:
  - name: elan.simple_nginx_reverse_proxy
--- a/playbooks/keycloak_authentication_flow.yml
+++ b/playbooks/keycloak_authentication_flow.yml
@@ -0,0 +1,27 @@
+---
+- name: Playbook for Keycloak Authentication Flow Configuration
+  hosts: all
+  vars:
+    keycloak_admin_user: admin
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_url: "http://localhost:8080"
+    keycloak_realm: TestRealm
+  tasks:
+    - name: Create authentication flow with executions
+      middleware_automation.keycloak.keycloak_authentication_flow:
+        auth_keycloak_url: "{{ keycloak_url }}"
+        auth_realm: master
+        auth_username: "{{ keycloak_admin_user }}"
+        auth_password: "{{ keycloak_admin_password }}"
+        realm: "{{ keycloak_realm }}"
+        alias: my-browser-flow
+        description: "Custom browser authentication flow"
+        provider_id: basic-flow
+        executions:
+          - provider_id: auth-cookie
+            requirement: ALTERNATIVE
+          - provider_id: auth-password
+            requirement: REQUIRED
+          - provider_id: auth-otp-form
+            requirement: ALTERNATIVE
+        state: present
--- a/playbooks/keycloak_client_scope.yml
+++ b/playbooks/keycloak_client_scope.yml
@@ -0,0 +1,48 @@
+---
+- name: Playbook for Keycloak Client Scope Configuration
+  hosts: all
+  vars:
+    keycloak_admin_user: admin
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_url: "http://localhost:8080"
+    keycloak_realm: TestRealm
+  tasks:
+    - name: Create client scope with protocol mappers
+      middleware_automation.keycloak.keycloak_client_scope:
+        auth_keycloak_url: "{{ keycloak_url }}"
+        auth_realm: master
+        auth_username: "{{ keycloak_admin_user }}"
+        auth_password: "{{ keycloak_admin_password }}"
+        realm: "{{ keycloak_realm }}"
+        name: TestClientScope
+        description: "Client scope created via Ansible"
+        protocol: openid-connect
+        protocol_mappers:
+          - name: email
+            protocolMapper: oidc-usermodel-attribute-mapper
+            config:
+              user.attribute: email
+              claim.name: email
+              jsonType.label: String
+              id.token.claim: "true"
+              access.token.claim: "true"
+              userinfo.token.claim: "true"
+          - name: firstName
+            protocolMapper: oidc-usermodel-attribute-mapper
+            config:
+              user.attribute: firstName
+              claim.name: given_name
+              jsonType.label: String
+              id.token.claim: "true"
+              access.token.claim: "true"
+              userinfo.token.claim: "true"
+          - name: username
+            protocolMapper: oidc-usermodel-attribute-mapper
+            config:
+              user.attribute: username
+              claim.name: preferred_username
+              jsonType.label: String
+              id.token.claim: "true"
+              access.token.claim: "true"
+              userinfo.token.claim: "true"
+        state: present
--- a/playbooks/keycloak_quarkus.yml
+++ b/playbooks/keycloak_quarkus.yml
@@ -2,8 +2,8 @@
 - name: Playbook for Keycloak X Hosts with HTTPS enabled
  hosts: all
  vars:
-    keycloak_quarkus_admin_pass: "remembertochangeme"
-    keycloak_quarkus_host: localhost
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_hostname: http://localhost
    keycloak_quarkus_port: 8443
    keycloak_quarkus_log: file
    keycloak_quarkus_proxy_mode: none
--- a/playbooks/keycloak_quarkus_dev.yml
+++ b/playbooks/keycloak_quarkus_dev.yml
@@ -2,8 +2,8 @@
 - name: Playbook for Keycloak X Hosts in develop mode
  hosts: all
  vars:
-    keycloak_admin_password: "remembertochangeme"
-    keycloak_quarkus_host: localhost
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_hostname: http://localhost
    keycloak_quarkus_port: 8080
    keycloak_quarkus_log: file
    keycloak_quarkus_start_dev: true
--- a/playbooks/keycloak_realm_client.yml
+++ b/playbooks/keycloak_realm_client.yml
@@ -0,0 +1,39 @@
+---
+- name: Playbook for Keycloak Realm and Client Configuration
+  hosts: all
+  tasks:
+    - name: Keycloak Realm Role
+      ansible.builtin.include_role:
+        name: middleware_automation.keycloak.keycloak_realm
+      vars:
+        keycloak_admin_password: "remembertochangeme"
+        keycloak_realm: TestRealm
+        keycloak_client_default_roles:
+          - TestRoleAdmin
+          - TestRoleUser
+        keycloak_client_users:
+          - username: TestUser
+            password: password
+            client_roles:
+              - client: TestClient1
+                role: TestRoleUser
+                realm: TestRealm
+          - username: TestAdmin
+            password: password
+            client_roles:
+              - client: TestClient1
+                role: TestRoleUser
+                realm: TestRealm
+              - client: TestClient1
+                role: TestRoleAdmin
+                realm: TestRealm
+        keycloak_clients:
+          - name: TestClient1
+            client_id: TestClient1
+            roles: "{{ keycloak_client_default_roles }}"
+            realm: TestRealm
+            public_client: true
+            web_origins:
+              - http://testclient1origin/application
+              - http://testclient1origin/other
+            users: "{{ keycloak_client_users }}"
--- a/plugins/modules/keycloak_authentication_flow.py
+++ b/plugins/modules/keycloak_authentication_flow.py
@@ -0,0 +1,296 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2024, Contributors to the middleware_automation.keycloak collection
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+DOCUMENTATION = '''
+---
+module: keycloak_authentication_flow
+
+short_description: Allows administration of Keycloak authentication flows via Keycloak API
+
+description:
+    - This module allows you to add, remove or modify Keycloak authentication flows via the Keycloak REST API.
+      It requires access to the REST API via OpenID Connect; the user connecting and the client being
+      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+      and an admin user would work, as would a separate client definition with the scope tailored
+      to your needs and a user having the expected roles.
+
+    - This module supports creating new top-level authentication flows, copying existing flows,
+      and adding execution steps to a flow.
+
+attributes:
+    check_mode:
+        support: full
+    diff_mode:
+        support: full
+
+options:
+    state:
+        description:
+            - State of the authentication flow.
+            - On V(present), the flow will be created if it does not yet exist.
+            - On V(absent), the flow will be removed if it exists.
+        default: 'present'
+        type: str
+        choices:
+            - present
+            - absent
+
+    alias:
+        type: str
+        required: true
+        description:
+            - Alias (name) of the authentication flow.
+
+    description:
+        type: str
+        description:
+            - Description of the authentication flow.
+        default: ''
+
+    realm:
+        type: str
+        description:
+            - The Keycloak realm under which this authentication flow resides.
+        default: 'master'
+
+    provider_id:
+        type: str
+        description:
+            - The provider ID for the flow.
+        default: 'basic-flow'
+        aliases:
+            - providerId
+
+    copy_from:
+        type: str
+        description:
+            - If set, the new flow is created as a copy of the flow with this alias.
+            - Cannot be used together with O(executions).
+        aliases:
+            - copyFrom
+
+    executions:
+        type: list
+        elements: dict
+        description:
+            - A list of executions (authenticator steps) to add to the flow.
+            - Each execution is a dict with keys C(provider_id) (or C(providerId)) and C(requirement).
+            - Executions are only added when the flow is first created.
+        default: []
+        suboptions:
+            provider_id:
+                type: str
+                required: true
+                description:
+                    - The authenticator provider ID (e.g. V(auth-cookie), V(auth-password), V(auth-otp-form)).
+                aliases:
+                    - providerId
+            requirement:
+                type: str
+                required: true
+                description:
+                    - The requirement level for this execution.
+                choices:
+                    - REQUIRED
+                    - ALTERNATIVE
+                    - DISABLED
+                    - CONDITIONAL
+
+extends_documentation_fragment:
+    - middleware_automation.keycloak.keycloak
+    - middleware_automation.keycloak.attributes
+
+author:
+    - Paulo Menon (@paulomenon)
+'''
+
+EXAMPLES = '''
+- name: Create an authentication flow with executions
+  middleware_automation.keycloak.keycloak_authentication_flow:
+    auth_keycloak_url: http://localhost:8080
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: TestRealm
+    alias: my-browser-flow
+    description: "Custom browser flow"
+    provider_id: basic-flow
+    executions:
+      - provider_id: auth-cookie
+        requirement: ALTERNATIVE
+      - provider_id: auth-password
+        requirement: REQUIRED
+      - provider_id: auth-otp-form
+        requirement: ALTERNATIVE
+    state: present
+  delegate_to: localhost
+
+- name: Create an authentication flow by copying an existing one
+  middleware_automation.keycloak.keycloak_authentication_flow:
+    auth_keycloak_url: http://localhost:8080
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: TestRealm
+    alias: my-copy-of-browser
+    copy_from: browser
+    state: present
+  delegate_to: localhost
+
+- name: Create a flow using token authentication
+  middleware_automation.keycloak.keycloak_authentication_flow:
+    auth_keycloak_url: http://localhost:8080
+    token: MY_TOKEN
+    realm: TestRealm
+    alias: my-flow
+    state: present
+  delegate_to: localhost
+
+- name: Delete an authentication flow
+  middleware_automation.keycloak.keycloak_authentication_flow:
+    auth_keycloak_url: http://localhost:8080
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: TestRealm
+    alias: my-browser-flow
+    state: absent
+  delegate_to: localhost
+'''
+
+RETURN = '''
+msg:
+    description: Message as to what action was taken.
+    returned: always
+    type: str
+    sample: "Authentication flow my-browser-flow has been created"
+
+end_state:
+    description: Representation of the authentication flow after module execution.
+    returned: on success
+    type: dict
+    sample: {
+        "id": "uuid-here",
+        "alias": "my-browser-flow",
+        "providerId": "basic-flow",
+        "topLevel": true,
+        "builtIn": false
+    }
+'''
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
+    keycloak_argument_spec, get_token, KeycloakError
+from ansible.module_utils.basic import AnsibleModule
+
+
+def main():
+    argument_spec = keycloak_argument_spec()
+
+    execution_spec = dict(
+        provider_id=dict(type='str', required=True, aliases=['providerId']),
+        requirement=dict(type='str', required=True, choices=['REQUIRED', 'ALTERNATIVE', 'DISABLED', 'CONDITIONAL']),
+    )
+
+    meta_args = dict(
+        state=dict(type='str', default='present', choices=['present', 'absent']),
+        alias=dict(type='str', required=True),
+        description=dict(type='str', default=''),
+        realm=dict(type='str', default='master'),
+        provider_id=dict(type='str', default='basic-flow', aliases=['providerId']),
+        copy_from=dict(type='str', aliases=['copyFrom']),
+        executions=dict(type='list', default=[], options=execution_spec, elements='dict'),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(argument_spec=argument_spec,
+                           supports_check_mode=True,
+                           required_one_of=([['token', 'auth_realm', 'auth_username', 'auth_password']]),
+                           required_together=([['auth_realm', 'auth_username', 'auth_password']]),
+                           mutually_exclusive=[['copy_from', 'executions']])
+
+    result = dict(changed=False, msg='', diff={}, end_state={})
+
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get('realm')
+    alias = module.params.get('alias')
+    state = module.params.get('state')
+    description = module.params.get('description')
+    provider_id = module.params.get('provider_id')
+    copy_from = module.params.get('copy_from')
+    executions = module.params.get('executions')
+
+    before_flow = kc.get_authentication_flow_by_alias(alias, realm=realm)
+    flow_exists = bool(before_flow)
+
+    if state == 'absent':
+        if flow_exists:
+            result['changed'] = True
+            if module._diff:
+                result['diff'] = dict(before=before_flow, after='')
+            if module.check_mode:
+                module.exit_json(**result)
+            kc.delete_authentication_flow_by_id(before_flow['id'], realm=realm)
+            result['msg'] = "Authentication flow {alias} has been deleted".format(alias=alias)
+        else:
+            result['msg'] = "Authentication flow {alias} does not exist, doing nothing".format(alias=alias)
+        result['end_state'] = {}
+        module.exit_json(**result)
+
+    if flow_exists:
+        result['changed'] = False
+        result['end_state'] = before_flow
+        result['msg'] = "Authentication flow {alias} already exists".format(alias=alias)
+        module.exit_json(**result)
+
+    result['changed'] = True
+
+    flow_config = {
+        'alias': alias,
+        'description': description,
+        'providerId': provider_id,
+    }
+
+    if module._diff:
+        result['diff'] = dict(before='', after=flow_config)
+
+    if module.check_mode:
+        module.exit_json(**result)
+
+    if copy_from:
+        flow_config['copyFrom'] = copy_from
+        after_flow = kc.copy_auth_flow(flow_config, realm=realm)
+        result['msg'] = "Authentication flow {alias} has been created (copied from {src})".format(alias=alias, src=copy_from)
+    else:
+        after_flow = kc.create_empty_auth_flow(flow_config, realm=realm)
+
+        if executions:
+            for execution in executions:
+                exec_rep = {
+                    'providerId': execution['provider_id'],
+                    'requirement': execution['requirement'],
+                }
+                kc.create_execution(exec_rep, alias, realm=realm)
+
+        result['msg'] = "Authentication flow {alias} has been created".format(alias=alias)
+
+    after_flow = kc.get_authentication_flow_by_alias(alias, realm=realm)
+    result['end_state'] = after_flow
+    module.exit_json(**result)
+
+
+if __name__ == '__main__':
+    main()
--- a/plugins/modules/keycloak_client_scope.py
+++ b/plugins/modules/keycloak_client_scope.py
@@ -0,0 +1,324 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2024, Contributors to the middleware_automation.keycloak collection
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+DOCUMENTATION = '''
+---
+module: keycloak_client_scope
+
+short_description: Allows administration of Keycloak client scopes via Keycloak API
+
+description:
+    - This module allows you to add, remove or modify Keycloak client scopes via the Keycloak REST API.
+      It requires access to the REST API via OpenID Connect; the user connecting and the client being
+      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+      and an admin user would work, as would a separate client definition with the scope tailored
+      to your needs and a user having the expected roles.
+
+    - This module also supports managing protocol mappers within a client scope.
+
+attributes:
+    check_mode:
+        support: full
+    diff_mode:
+        support: full
+
+options:
+    state:
+        description:
+            - State of the client scope.
+            - On V(present), the client scope will be created if it does not yet exist, or updated with the parameters you provide.
+            - On V(absent), the client scope will be removed if it exists.
+        default: 'present'
+        type: str
+        choices:
+            - present
+            - absent
+
+    name:
+        type: str
+        required: true
+        description:
+            - Name of the client scope.
+
+    description:
+        type: str
+        default: ''
+        description:
+            - Description of the client scope.
+
+    realm:
+        type: str
+        description:
+            - The Keycloak realm under which this client scope resides.
+        default: 'master'
+
+    protocol:
+        type: str
+        description:
+            - The protocol associated with the client scope.
+        default: 'openid-connect'
+        choices:
+            - openid-connect
+            - saml
+
+    attributes:
+        type: dict
+        description:
+            - A dict of key/value pairs to set as attributes for the client scope.
+
+    protocol_mappers:
+        type: list
+        elements: dict
+        description:
+            - A list of protocol mappers to associate with the client scope.
+            - Each mapper is a dict with the keys C(name), C(protocol), C(protocolMapper), and C(config).
+        default: []
+        suboptions:
+            name:
+                type: str
+                required: true
+                description:
+                    - Name of the protocol mapper.
+            protocol:
+                type: str
+                description:
+                    - Protocol for the mapper.
+                default: 'openid-connect'
+            protocolMapper:
+                type: str
+                required: true
+                description:
+                    - The mapper type (e.g. V(oidc-usermodel-attribute-mapper), V(oidc-audience-mapper)).
+                aliases:
+                    - protocol_mapper_type
+            config:
+                type: dict
+                required: true
+                description:
+                    - Configuration for the protocol mapper.
+
+extends_documentation_fragment:
+    - middleware_automation.keycloak.keycloak
+    - middleware_automation.keycloak.attributes
+
+author:
+    - Paulo Menon (@paulomenon)
+'''
+
+EXAMPLES = '''
+- name: Create a client scope with protocol mappers
+  middleware_automation.keycloak.keycloak_client_scope:
+    auth_keycloak_url: http://localhost:8080
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: TestRealm
+    name: my-client-scope
+    description: "A custom client scope"
+    protocol: openid-connect
+    protocol_mappers:
+      - name: email
+        protocol: openid-connect
+        protocolMapper: oidc-usermodel-attribute-mapper
+        config:
+          user.attribute: email
+          claim.name: email
+          jsonType.label: String
+          id.token.claim: "true"
+          access.token.claim: "true"
+          userinfo.token.claim: "true"
+    state: present
+  delegate_to: localhost
+
+- name: Create a client scope using token authentication
+  middleware_automation.keycloak.keycloak_client_scope:
+    auth_keycloak_url: http://localhost:8080
+    token: MY_TOKEN
+    realm: TestRealm
+    name: my-scope
+    state: present
+  delegate_to: localhost
+
+- name: Delete a client scope
+  middleware_automation.keycloak.keycloak_client_scope:
+    auth_keycloak_url: http://localhost:8080
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: TestRealm
+    name: my-client-scope
+    state: absent
+  delegate_to: localhost
+'''
+
+RETURN = '''
+msg:
+    description: Message as to what action was taken.
+    returned: always
+    type: str
+    sample: "Client scope my-scope has been created"
+
+end_state:
+    description: Representation of the client scope after module execution.
+    returned: on success
+    type: dict
+    sample: {
+        "id": "uuid-here",
+        "name": "my-scope",
+        "protocol": "openid-connect",
+        "description": "A custom scope"
+    }
+'''
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
+    keycloak_argument_spec, get_token, KeycloakError
+from ansible.module_utils.basic import AnsibleModule
+
+
+def main():
+    argument_spec = keycloak_argument_spec()
+
+    mapper_spec = dict(
+        name=dict(type='str', required=True),
+        protocol=dict(type='str', default='openid-connect'),
+        protocolMapper=dict(type='str', required=True, aliases=['protocol_mapper_type']),
+        config=dict(type='dict', required=True),
+    )
+
+    meta_args = dict(
+        state=dict(type='str', default='present', choices=['present', 'absent']),
+        name=dict(type='str', required=True),
+        description=dict(type='str', default=''),
+        realm=dict(type='str', default='master'),
+        protocol=dict(type='str', default='openid-connect', choices=['openid-connect', 'saml']),
+        attributes=dict(type='dict'),
+        protocol_mappers=dict(type='list', default=[], options=mapper_spec, elements='dict'),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(argument_spec=argument_spec,
+                           supports_check_mode=True,
+                           required_one_of=([['token', 'auth_realm', 'auth_username', 'auth_password']]),
+                           required_together=([['auth_realm', 'auth_username', 'auth_password']]))
+
+    result = dict(changed=False, msg='', diff={}, end_state={})
+
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get('realm')
+    name = module.params.get('name')
+    state = module.params.get('state')
+    protocol = module.params.get('protocol')
+    description = module.params.get('description')
+    attributes = module.params.get('attributes')
+    protocol_mappers = module.params.get('protocol_mappers')
+
+    before_scope = kc.get_clientscope_by_name(name, realm=realm)
+
+    if state == 'absent':
+        if before_scope:
+            result['changed'] = True
+            if module._diff:
+                result['diff'] = dict(before=before_scope, after='')
+            if module.check_mode:
+                module.exit_json(**result)
+            kc.delete_clientscope(cid=before_scope['id'], realm=realm)
+            result['msg'] = "Client scope {name} has been deleted".format(name=name)
+        else:
+            result['msg'] = "Client scope {name} does not exist, doing nothing".format(name=name)
+        result['end_state'] = {}
+        module.exit_json(**result)
+
+    scope_rep = {
+        'name': name,
+        'protocol': protocol,
+        'description': description,
+    }
+    if attributes:
+        scope_rep['attributes'] = attributes
+
+    if not before_scope:
+        result['changed'] = True
+        if module._diff:
+            result['diff'] = dict(before='', after=scope_rep)
+        if module.check_mode:
+            module.exit_json(**result)
+
+        kc.create_clientscope(scope_rep, realm=realm)
+        after_scope = kc.get_clientscope_by_name(name, realm=realm)
+
+        if protocol_mappers:
+            for mapper in protocol_mappers:
+                mapper_rep = {
+                    'name': mapper['name'],
+                    'protocol': mapper.get('protocol', protocol),
+                    'protocolMapper': mapper['protocolMapper'],
+                    'config': mapper['config'],
+                }
+                kc.create_clientscope_protocolmapper(after_scope['id'], mapper_rep, realm=realm)
+            after_scope = kc.get_clientscope_by_name(name, realm=realm)
+
+        result['end_state'] = after_scope
+        result['msg'] = "Client scope {name} has been created".format(name=name)
+        module.exit_json(**result)
+
+    else:
+        changed = False
+        for key in ('protocol', 'description'):
+            if scope_rep.get(key) and scope_rep[key] != before_scope.get(key):
+                changed = True
+                break
+
+        if attributes and attributes != before_scope.get('attributes', {}):
+            changed = True
+
+        if changed:
+            result['changed'] = True
+            scope_rep['id'] = before_scope['id']
+            if module._diff:
+                result['diff'] = dict(before=before_scope, after=scope_rep)
+            if module.check_mode:
+                module.exit_json(**result)
+            kc.update_clientscope(scope_rep, realm=realm)
+
+        if protocol_mappers:
+            existing_mappers = kc.get_clientscope_protocolmappers(before_scope['id'], realm=realm)
+            existing_mapper_names = {m['name'] for m in existing_mappers}
+
+            for mapper in protocol_mappers:
+                if mapper['name'] not in existing_mapper_names:
+                    result['changed'] = True
+                    if not module.check_mode:
+                        mapper_rep = {
+                            'name': mapper['name'],
+                            'protocol': mapper.get('protocol', protocol),
+                            'protocolMapper': mapper['protocolMapper'],
+                            'config': mapper['config'],
+                        }
+                        kc.create_clientscope_protocolmapper(before_scope['id'], mapper_rep, realm=realm)
+
+        after_scope = kc.get_clientscope_by_name(name, realm=realm)
+        result['end_state'] = after_scope
+
+        if result['changed']:
+            result['msg'] = "Client scope {name} has been updated".format(name=name)
+        else:
+            result['msg'] = "No changes required to client scope {name}".format(name=name)
+        module.exit_json(**result)
+
+
+if __name__ == '__main__':
+    main()
--- a/roles/keycloak/defaults/main.yml
+++ b/roles/keycloak/defaults/main.yml
@@ -7,6 +7,10 @@ keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_vers
 keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
 keycloak_offline_install: false

+# Authentication for Keycloak binary download (e.g. from internal artifact repository)
+keycloak_binary_download_user:
+keycloak_binary_download_pass:
+
 ### Install location and service settings
 keycloak_java_home:
 keycloak_dest: /opt/keycloak
@@ -118,3 +122,7 @@ keycloak_no_log: true

 ### logging configuration
 keycloak_log_target: /var/log/keycloak
+
+# locations
+keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
+keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"
--- a/roles/keycloak/meta/argument_specs.yml
+++ b/roles/keycloak/meta/argument_specs.yml
@@ -333,6 +333,14 @@ argument_specs:
                default: true
                description: "Allow the option to ignore invalid certificates when downloading JDBC drivers from a custom URL"
                type: "bool"
+            keycloak_binary_download_user:
+                description: "Username for HTTP Basic Auth when downloading Keycloak binary"
+                type: "str"
+                required: false
+            keycloak_binary_download_pass:
+                description: "Password for HTTP Basic Auth when downloading Keycloak binary"
+                type: "str"
+                required: false
    downstream:
        options:
            sso_version:
--- a/roles/keycloak/meta/main.yml
+++ b/roles/keycloak/meta/main.yml
@@ -12,7 +12,7 @@ galaxy_info:

  license: Apache License 2.0

-  min_ansible_version: "2.15"
+  min_ansible_version: "2.16"

  platforms:
    - name: EL
--- a/roles/keycloak/tasks/debian.yml
+++ b/roles/keycloak/tasks/debian.yml
@@ -1,6 +1,10 @@
 ---
 - name: Include firewall config tasks
-  ansible.builtin.include_tasks: iptables.yml
+  ansible.builtin.include_tasks:
+    file: iptables.yml
+    apply:
+      tags:
+        - firewall
  when: keycloak_configure_iptables
  tags:
    - firewall
--- a/roles/keycloak/tasks/fastpackages.yml
+++ b/roles/keycloak/tasks/fastpackages.yml
@@ -13,7 +13,7 @@
  when: ansible_facts.os_family == "RedHat"

 - name: "Install packages: {{ packages_to_install }}"
-  become: true
+  become: "{{ keycloak_fastpackages_require_privilege_escalation }}"
  ansible.builtin.dnf:
    name: "{{ packages_to_install }}"
    state: present
@@ -22,7 +22,7 @@
    - ansible_facts.os_family == "RedHat"

 - name: "Install packages: {{ packages_list }}"
-  become: true
+  become: "{{ keycloak_fastpackages_require_privilege_escalation }}"
  ansible.builtin.package:
    name: "{{ packages_list }}"
    state: present
--- a/roles/keycloak/tasks/firewalld.yml
+++ b/roles/keycloak/tasks/firewalld.yml
@@ -6,14 +6,14 @@
      - firewalld

 - name: Enable and start the firewalld service
-  become: true
+  become: "{{ keycloak_firewalld_require_privilege_escalation }}"
  ansible.builtin.systemd:
    name: firewalld
    enabled: true
    state: started

 - name: "Configure firewall ports for {{ keycloak.service_name }}"
-  become: true
+  become: "{{ keycloak_firewalld_require_privilege_escalation }}"
  ansible.posix.firewalld:
    port: "{{ item }}"
    permanent: true
--- a/roles/keycloak/tasks/install.yml
+++ b/roles/keycloak/tasks/install.yml
@@ -11,7 +11,7 @@
    quiet: true

 - name: Check for an existing deployment
-  become: true
+  become: "{{ keycloak_install_require_privilege_escalation }}"
  ansible.builtin.stat:
    path: "{{ keycloak_jboss_home }}"
  register: existing_deploy
@@ -20,24 +20,24 @@
  when: existing_deploy.stat.exists and keycloak_force_install | bool
  block:
    - name: "Stop the old {{ keycloak.service_name }} service"
-      become: true
+      become: "{{ keycloak_install_require_privilege_escalation }}"
      failed_when: false
      ansible.builtin.systemd:
        name: keycloak
        state: stopped
    - name: "Remove the old {{ keycloak.service_name }} deployment"
-      become: true
+      become: "{{ keycloak_install_require_privilege_escalation }}"
      ansible.builtin.file:
        path: "{{ keycloak_jboss_home }}"
        state: absent

 - name: Check for an existing deployment after possible forced removal
-  become: true
+  become: "{{ keycloak_install_require_privilege_escalation }}"
  ansible.builtin.stat:
    path: "{{ keycloak_jboss_home }}"

 - name: "Create service user/group for {{ keycloak.service_name }}"
-  become: true
+  become: "{{ keycloak_install_require_privilege_escalation }}"
  ansible.builtin.user:
    name: "{{ keycloak_service_user }}"
    home: /opt/keycloak
@@ -45,7 +45,7 @@
    create_home: false

 - name: "Create install location for {{ keycloak.service_name }}"
-  become: true
+  become: "{{ keycloak_install_require_privilege_escalation }}"
  ansible.builtin.file:
    dest: "{{ keycloak_dest }}"
    state: directory
@@ -54,7 +54,7 @@
    mode: '0750'

 - name: Create pidfile folder
-  become: true
+  become: "{{ keycloak_install_require_privilege_escalation }}"
  ansible.builtin.file:
    dest: "{{ keycloak_service_pidfile | dirname }}"
    state: directory
@@ -68,7 +68,7 @@
    archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"

 - name: Check download archive path
-  become: true
+  become: "{{ keycloak_install_require_privilege_escalation }}"
  ansible.builtin.stat:
    path: "{{ archive }}"
  register: archive_path
@@ -85,6 +85,8 @@
    url: "{{ keycloak_download_url }}"
    dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
    mode: '0644'
+    url_username: "{{ keycloak_binary_download_user | default(omit) }}"
+    url_password: "{{ keycloak_binary_download_pass | default(omit) }}"
  delegate_to: localhost
  run_once: true
  when:
@@ -166,13 +168,13 @@
    - not archive_path.stat.exists
    - local_archive_path.stat is defined
    - local_archive_path.stat.exists
-  become: true
+  become: "{{ keycloak_install_require_privilege_escalation }}"

 - name: "Check target directory: {{ keycloak.home }}"
  ansible.builtin.stat:
    path: "{{ keycloak.home }}"
  register: path_to_workdir
-  become: true
+  become: "{{ keycloak_install_require_privilege_escalation }}"

 - name: "Extract {{ keycloak_service_desc }} archive on target"
  ansible.builtin.unarchive:
@@ -182,7 +184,7 @@
    creates: "{{ keycloak.home }}"
    owner: "{{ keycloak_service_user }}"
    group: "{{ keycloak_service_group }}"
-  become: true
+  become: "{{ keycloak_install_require_privilege_escalation }}"
  when:
    - new_version_downloaded.changed or not path_to_workdir.stat.exists
  notify:
@@ -200,13 +202,13 @@
    owner: "{{ keycloak_service_user }}"
    group: "{{ keycloak_service_group }}"
    recurse: true
-  become: true
+  become: "{{ keycloak_install_require_privilege_escalation }}"
  changed_when: false

 - name: Ensure permissions are correct on existing deploy
  ansible.builtin.command: chown -R "{{ keycloak_service_user }}:{{ keycloak_service_group }}" "{{ keycloak.home }}"
  when: keycloak_service_runas
-  become: true
+  become: "{{ keycloak_install_require_privilege_escalation }}"
  changed_when: false

 # driver and configuration
@@ -215,7 +217,7 @@
  when: keycloak_jdbc[keycloak_jdbc_engine].enabled

 - name: "Deploy custom {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak_config_override_template }}"
-  become: true
+  become: "{{ keycloak_install_require_privilege_escalation }}"
  ansible.builtin.template:
    src: "templates/{{ keycloak_config_override_template }}"
    dest: "{{ keycloak_config_path_to_standalone_xml }}"
@@ -227,7 +229,7 @@
  when: keycloak_config_override_template | length > 0

 - name: "Deploy standalone {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
-  become: true
+  become: "{{ keycloak_install_require_privilege_escalation }}"
  ansible.builtin.template:
    src: templates/standalone.xml.j2
    dest: "{{ keycloak_config_path_to_standalone_xml }}"
@@ -255,7 +257,7 @@
  when: keycloak_ha_enabled and keycloak_ha_discovery == 'TCPPING'

 - name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
-  become: true
+  become: "{{ keycloak_install_require_privilege_escalation }}"
  ansible.builtin.template:
    src: templates/standalone-ha.xml.j2
    dest: "{{ keycloak_config_path_to_standalone_xml }}"
@@ -270,7 +272,7 @@
    - keycloak_config_override_template | length == 0

 - name: "Deploy HA {{ keycloak.service_name }} config with infinispan remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
-  become: true
+  become: "{{ keycloak_install_require_privilege_escalation }}"
  ansible.builtin.template:
    src: templates/standalone-infinispan.xml.j2
    dest: "{{ keycloak_config_path_to_standalone_xml }}"
@@ -285,7 +287,7 @@
    - keycloak_config_override_template | length == 0

 - name: "Deploy profile.properties file to {{ keycloak_config_path_to_properties }}"
-  become: true
+  become: "{{ keycloak_install_require_privilege_escalation }}"
  ansible.builtin.template:
    src: keycloak-profile.properties.j2
    dest: "{{ keycloak_config_path_to_properties }}"
--- a/roles/keycloak/tasks/iptables.yml
+++ b/roles/keycloak/tasks/iptables.yml
@@ -6,7 +6,7 @@
      - iptables

 - name: "Configure firewall ports for {{ keycloak.service_name }}"
-  become: true
+  become: "{{ keycloak_iptables_require_privilege_escalation }}"
  ansible.builtin.iptables:
    destination_port: "{{ item }}"
    action: "insert"
--- a/roles/keycloak/tasks/jdbc_driver.yml
+++ b/roles/keycloak/tasks/jdbc_driver.yml
@@ -3,7 +3,7 @@
  ansible.builtin.stat:
    path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
  register: dest_path
-  become: true
+  become: "{{ keycloak_jdbc_driver_require_privilege_escalation }}"

 - name: "Set up module dir for JDBC Driver {{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}"
  ansible.builtin.file:
@@ -13,7 +13,7 @@
    owner: "{{ keycloak_service_user }}"
    group: "{{ keycloak_service_group }}"
    mode: '0750'
-  become: true
+  become: "{{ keycloak_jdbc_driver_require_privilege_escalation }}"
  when:
    - not dest_path.stat.exists
 - name: "Verify valid parameters for download credentials when specified"
@@ -34,7 +34,7 @@
    url_password: "{{ keycloak_jdbc_download_pass | default(omit) }}"
    validate_certs: "{{ keycloak_jdbc_download_validate_certs | default(omit) }}"
    mode: '0640'
-  become: true
+  become: "{{ keycloak_jdbc_driver_require_privilege_escalation }}"

 - name: "Deploy module.xml for JDBC Driver"
  ansible.builtin.template:
@@ -43,4 +43,4 @@
    group: "{{ keycloak_service_group }}"
    owner: "{{ keycloak_service_user }}"
    mode: '0640'
-  become: true
+  become: "{{ keycloak_jdbc_driver_require_privilege_escalation }}"
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -1,22 +1,38 @@
 ---
 # tasks file for keycloak
 - name: Check prerequisites
-  ansible.builtin.include_tasks: prereqs.yml
+  ansible.builtin.include_tasks:
+    file: prereqs.yml
+    apply:
+      tags:
+        - prereqs
  tags:
    - prereqs

 - name: Distro specific tasks
-  ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml"
+  ansible.builtin.include_tasks:
+    file: "{{ ansible_os_family | lower }}.yml"
+    apply:
+      tags:
+        - unbound
  tags:
    - unbound

 - name: Include install tasks
-  ansible.builtin.include_tasks: install.yml
+  ansible.builtin.include_tasks:
+    file: install.yml
+    apply:
+      tags:
+        - install
  tags:
    - install

 - name: Include systemd tasks
-  ansible.builtin.include_tasks: systemd.yml
+  ansible.builtin.include_tasks:
+    file: systemd.yml
+    apply:
+      tags:
+        - systemd
  tags:
    - systemd

@@ -35,7 +51,7 @@
    state: link
    src: "{{ keycloak_jboss_home }}/standalone/log"
    dest: "{{ keycloak_log_target }}"
-  become: true
+  become: "{{ keycloak_require_privilege_escalation }}"

 - name: Set admin credentials and restart if not already created
  block:
@@ -59,7 +75,7 @@
          - "-u{{ keycloak_admin_user }}"
          - "-p{{ keycloak_admin_password }}"
      changed_when: true
-      become: true
+      become: "{{ keycloak_require_privilege_escalation }}"
    - name: "Restart {{ keycloak.service_name }}"
      ansible.builtin.include_tasks: tasks/restart_keycloak.yml
    - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
--- a/roles/keycloak/tasks/redhat.yml
+++ b/roles/keycloak/tasks/redhat.yml
@@ -1,6 +1,10 @@
 ---
 - name: Include firewall config tasks
-  ansible.builtin.include_tasks: firewalld.yml
+  ansible.builtin.include_tasks:
+    file: firewalld.yml
+    apply:
+      tags:
+        - firewall
  when: keycloak_configure_firewalld
  tags:
    - firewall
--- a/roles/keycloak/tasks/restart_keycloak.yml
+++ b/roles/keycloak/tasks/restart_keycloak.yml
@@ -5,7 +5,7 @@
    enabled: true
    state: restarted
    daemon_reload: true
-  become: true
+  become: "{{ keycloak_restart_require_privilege_escalation }}"
  delegate_to: "{{ ansible_play_hosts | first }}"
  run_once: true

@@ -24,5 +24,5 @@
    name: keycloak
    enabled: true
    state: restarted
-  become: true
+  become: "{{ keycloak_restart_require_privilege_escalation }}"
  when: inventory_hostname != ansible_play_hosts | first
--- a/roles/keycloak/tasks/rhsso_cli.yml
+++ b/roles/keycloak/tasks/rhsso_cli.yml
@@ -2,12 +2,12 @@
 - name: Ensure required params for CLI have been provided
  ansible.builtin.assert:
    that:
-      - query is defined
+      - cli_query is defined
    fail_msg: "Missing required parameters to execute CLI."
    quiet: true

- name: "Execute CLI query: {{ query }}"
+- name: "Execute CLI query: {{ cli_query }}"
  ansible.builtin.command: >
-    {{ keycloak.cli_path }} --connect --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
+    {{ keycloak.cli_path }} --connect --command='{{ cli_query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
  changed_when: false
  register: cli_result
--- a/roles/keycloak/tasks/rhsso_patch.yml
+++ b/roles/keycloak/tasks/rhsso_patch.yml
@@ -12,7 +12,7 @@
    path: "{{ patch_archive }}"
  register: patch_archive_path
  when: sso_patch_version is defined
-  become: true
+  become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}"

 - name: Perform patch download from RHN via JBossNetwork API
  delegate_to: localhost
@@ -86,7 +86,7 @@
  ansible.builtin.stat:
    path: "{{ patch_archive }}"
  register: patch_archive_path
-  become: true
+  become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}"

 ## copy and unpack
 - name: Copy patch archive to target nodes
@@ -101,15 +101,15 @@
    - not patch_archive_path.stat.exists
    - local_archive_path.stat is defined
    - local_archive_path.stat.exists
-  become: true
+  become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}"

 - name: "Check installed patches"
  ansible.builtin.include_tasks: rhsso_cli.yml
  vars:
-    query: "patch info"
+    cli_query: "patch info"
  args:
    apply:
-      become: true
+      become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}"
      become_user: "{{ keycloak_service_user }}"

 - name: "Perform patching"
@@ -121,21 +121,21 @@
    - name: "Apply patch {{ patch_version }} to server"
      ansible.builtin.include_tasks: rhsso_cli.yml
      vars:
-        query: "patch apply {{ patch_archive }}"
+        cli_query: "patch apply {{ patch_archive }}"
      args:
        apply:
-          become: true
+          become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}"
          become_user: "{{ keycloak_service_user }}"

    - name: "Restart server to ensure patch content is running"
      ansible.builtin.include_tasks: rhsso_cli.yml
      vars:
-        query: "shutdown --restart"
+        cli_query: "shutdown --restart"
      when:
        - cli_result.rc == 0
      args:
        apply:
-          become: true
+          become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}"
          become_user: "{{ keycloak_service_user }}"

    - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
@@ -149,10 +149,10 @@
    - name: "Query installed patch after restart"
      ansible.builtin.include_tasks: rhsso_cli.yml
      vars:
-        query: "patch info"
+        cli_query: "patch info"
      args:
        apply:
-          become: true
+          become: "{{ keycloak_rhsso_patch_require_privilege_escalation }}"
          become_user: "{{ keycloak_service_user }}"

    - name: "Verify installed patch version"
--- a/roles/keycloak/tasks/start_keycloak.yml
+++ b/roles/keycloak/tasks/start_keycloak.yml
@@ -5,7 +5,7 @@
    enabled: true
    state: started
    daemon_reload: true
-  become: true
+  become: "{{ keycloak_start_require_privilege_escalation }}"

 - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
  ansible.builtin.uri:
--- a/roles/keycloak/tasks/stop_keycloak.yml
+++ b/roles/keycloak/tasks/stop_keycloak.yml
@@ -4,4 +4,4 @@
    name: keycloak
    enabled: true
    state: stopped
-  become: true
+  become: "{{ keycloak_stop_require_privilege_escalation }}"
--- a/roles/keycloak/tasks/systemd.yml
+++ b/roles/keycloak/tasks/systemd.yml
@@ -1,6 +1,6 @@
 ---
 - name: "Configure {{ keycloak.service_name }} service script wrapper"
-  become: true
+  become: "{{ keycloak_systemd_require_privilege_escalation }}"
  ansible.builtin.template:
    src: keycloak-service.sh.j2
    dest: "{{ keycloak_dest }}/keycloak-service.sh"
@@ -11,7 +11,7 @@
    - restart keycloak

 - name: "Configure sysconfig file for {{ keycloak.service_name }} service"
-  become: true
+  become: "{{ keycloak_systemd_require_privilege_escalation }}"
  ansible.builtin.template:
    src: keycloak-sysconfig.j2
    dest: "{{ keycloak_sysconf_file }}"
@@ -28,7 +28,7 @@
    owner: root
    group: root
    mode: '0644'
-  become: true
+  become: "{{ keycloak_systemd_require_privilege_escalation }}"
  register: systemdunit
  notify:
    - restart keycloak
--- a/roles/keycloak/vars/main.yml
+++ b/roles/keycloak/vars/main.yml
@@ -1,9 +1,6 @@
 ---
 # internal variables below

-# locations
-keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
-keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"


 keycloak:
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@@ -33,7 +33,7 @@ Role Defaults

 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_version`| keycloak.org package version | `24.0.5` |
+|`keycloak_quarkus_version`| keycloak.org package version | `26.4.7` |
 |`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
 |`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
@@ -44,47 +44,29 @@ Role Defaults

 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_admin_user`| Administration console user account | `admin` |
-|`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` |
-|`keycloak_quarkus_host`| Hostname for the Keycloak server | `localhost` |
-|`keycloak_quarkus_port`| The port used by the proxy when exposing the hostname | `-1` |
-|`keycloak_quarkus_path`| This should be set if proxy uses a different context-path for Keycloak | |
-|`keycloak_quarkus_http_port`| HTTP listening port | `8080` |
-|`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` |
-|`keycloak_quarkus_ajp_port`| AJP port | `8009` |
+|`keycloak_quarkus_bootstrap_admin_user`| Administration console user account | `admin` |
+|`keycloak_quarkus_admin_user`| Deprecated, use `keycloak_quarkus_bootstrap_admin_user` instead. | |
+|`keycloak_quarkus_bind_address`| Deprecated, use `keycloak_quarkus_http_host` instead |  `0.0.0.0` |
+|`keycloak_quarkus_host`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
+|`keycloak_quarkus_port`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
+|`keycloak_quarkus_path`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
 |`keycloak_quarkus_service_user`| Posix account username | `keycloak` |
 |`keycloak_quarkus_service_group`| Posix account group | `keycloak` |
 |`keycloak_quarkus_service_restart_always`| systemd restart always behavior activation | `False` |
 |`keycloak_quarkus_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` |
 |`keycloak_quarkus_service_restartsec`| systemd RestartSec | `10s` |
-|`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-17-openjdk-headless` |
+|`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-21-openjdk-headless` |
 |`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
 |`keycloak_quarkus_java_heap_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` |
 |`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak |
 |`keycloak_quarkus_java_opts`| JVM arguments; if overridden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` |
-|`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file | `[]` |
-|`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | |
-|`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
-|`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
-|`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
-|`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically | `realms/master/.well-known/openid-configuration` |
-|`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
-|`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` |
-|`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` |
-|`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `/etc/pki/tls/private/server.key.pem` |
-|`keycloak_quarkus_cert_file_copy_enabled`| Enable copy of cert file to target host | `False`|
-|`keycloak_quarkus_cert_file_src`| Set the source file path | `""` |
-|`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `/etc/pki/tls/certs/server.crt.pem` |
-|`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` |
-|`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. ||
-|`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.||
-|`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` |
-|`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` |
-|`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` |
-|`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
-|`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` |
+|`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file, see https://www.keycloak.org/server/all-config | `[]` |
+|`keycloak_quarkus_frontend_url`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
+|`keycloak_quarkus_admin_url`| Deprecated, use `keycloak_quarkus_hostname_admin` instead. | |
+|`keycloak_quarkus_health_check_url`| Full URL (including scheme, host, path, fragment etc.) used for health check endpoint; keycloak_quarkus_hostname will NOT be prepended; helpful when health checks should happen against http port, but keycloak_quarkus_hostname uses https scheme per default | `` |
+|`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; keycloak_quarkus_hostname will be prepended automatically; Note that keycloak_quarkus_health_check_url takes precedence over this property | `realms/master/.well-known/openid-configuration` |
 |`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwarded`) | `""` |
-|`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty  | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_keystore_password != ''`, else `''` |
+|`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_config_key_store_password` is not empty  | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_config_key_store_password != ''`, else `''` |
 |`keycloak_quarkus_config_key_store_password`| Password of the configuration keystore; if non-empty, `keycloak_quarkus_db_pass` will be saved to the keystore at `keycloak_quarkus_config_key_store_file` instead of being written to the configuration file in clear text | `""` |
 |`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
 |`keycloak_quarkus_configure_iptables` | Ensure iptables is configured for keycloak ports | `False` |
@@ -95,8 +77,9 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:--------|
 |`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
-|`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `TCPPING` |
+|`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `JDBCPING` |
 |`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` |
+|`keycloak_quarkus_jgroups_ip`| Host jgroups IP.  If changing this variable you must make sure it is always set for all hosts in your cluster. | `{{ ansible_default_ipv4.address }}` |
 |`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` |
 |`keycloak_quarkus_systemd_wait_for_port` | Whether systemd unit should wait for keycloak port before returning | `{{ keycloak_quarkus_ha_enabled }}` |
 |`keycloak_quarkus_systemd_wait_for_port_number`| Which port the systemd unit should wait for | `{{ keycloak_quarkus_https_port }}` |
@@ -106,7 +89,7 @@ Role Defaults
 |`keycloak_quarkus_restart_strategy`| Strategy task file for restarting in HA (one of provided restart/['serial.yml','none.yml','serial_then_parallel.yml']) or path to file when providing custom strategy | `restart/serial.yml` |
 |`keycloak_quarkus_restart_health_check`| Whether to wait for successful health check after restart | `true` |
 |`keycloak_quarkus_restart_health_check_delay`| Seconds to let pass before starting healch checks | `10` |
-|`keycloak_quarkus_restart_health_check_reries`| Number of attempts for successful health check before failing | `25` |
+|`keycloak_quarkus_restart_health_check_retries`| Number of attempts for successful health check before failing | `25` |
 |`keycloak_quarkus_restart_pause`| Seconds to wait between restarts in HA strategy | `15` |


@@ -114,33 +97,89 @@ Role Defaults

 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` |
+|`keycloak_quarkus_hostname`| Address at which is the server exposed. Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request. | |
+|`keycloak_quarkus_hostname_admin`| Set the base URL for accessing the administration console, including scheme, host, port and path | `` |
 |`keycloak_quarkus_hostname_strict`| Disables dynamically resolving the hostname from request headers | `true` |
-|`keycloak_quarkus_hostname_strict_backchannel`| By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled. | `false` |
+|`keycloak_quarkus_hostname_backchannel_dynamic`| Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL. | `false` |
+|`keycloak_quarkus_hostname_strict_backchannel`| Deprecated, use (the inverted!)`keycloak_quarkus_hostname_backchannel_dynamic` instead. |  |


+#### HTTP(S) configuration
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` |
+|`keycloak_quarkus_http_host`| The http host, ie. the address used to bind the service |  `0.0.0.0` |
+|`keycloak_quarkus_http_port`| HTTP listening port | `8080` |
+|`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` |
+|`keycloak_quarkus_http_management_port`| Port of the management interface. Relevant only when something is exposed on the management interface - see the guide for details. | `9000` |
+|`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` |
+|`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` |
+|`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` |
+|`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
+|`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` |
+|`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
+|`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` |
+|`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` |
+|`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `/etc/pki/tls/private/server.key.pem` |
+|`keycloak_quarkus_cert_file_copy_enabled`| Enable copy of cert file to target host | `False`|
+|`keycloak_quarkus_cert_file_src`| Set the source file path | `""` |
+|`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `/etc/pki/tls/certs/server.crt.pem` |
+|`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` |
+|`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. ||
+|`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.||
+|`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
+|`keycloak_quarkus_http_management_relative_path` | Set the path relative to / for serving resources from management interface. The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details. | `/` |
+|`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
+
+
+#### Infinispan configuration
+
+| Variable                                           | Description                     | Default                                                      |
+| :------------------------------------------------- | :------------------------------ | :----------------------------------------------------------- |
+| `keycloak_quarkus_cache_managed_infinispan_config` | Manage infinispan configuration | `"{{ keycloak_quarkus_version is version('26.4.0', '<') }}"` |
+| `keycloak_quarkus_cache_infinispan_template`       | Infinispan cache template file  | `cache-ispn.xml`                                             |
+
+As explained in the [official documentation](https://www.keycloak.org/server/caching#_modifying_cache_configuration_defaults), since version 26.4, it is recommended not to modify the XML configuration file but rather to configure the cache via the keycloak.properties file. By default, the role will no longer automatically deploy this file for versions higher than 26.4.
+
+For earlier versions, it is possible to override the given template to customize the cache using the `keycloak_quarkus_cache_infinispan_template` variable.
+
 #### Database configuration

 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_jdbc_engine` | Database engine [mariadb,postres,mssql] | `postgres` |
+|`keycloak_quarkus_db_engine` | Database engine [mariadb,postres,mssql] | `postgres` |
 |`keycloak_quarkus_db_user` | User for database connection | `keycloak-user` |
 |`keycloak_quarkus_db_pass` | Password for database connection | `keycloak-pass` |
-|`keycloak_quarkus_jdbc_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` |
-|`keycloak_quarkus_jdbc_driver_version` | Version for JDBC driver | `9.4.1212` |
+|`keycloak_quarkus_db_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` |
+|`keycloak_quarkus_db_driver_version` | Version for JDBC engine driver | `9.4.1212` |


-#### Remote caches configuration
+#### Cache configuration

 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_ispn_user` | Username for connecting to infinispan | `supervisor` |
-|`keycloak_quarkus_ispn_pass` | Password for connecting to infinispan | `supervisor` |
-|`keycloak_quarkus_ispn_hosts` | host name/port for connecting to infinispan, eg. host1:11222;host2:11222 | `localhost:11222` |
-|`keycloak_quarkus_ispn_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` |
-|`keycloak_quarkus_ispn_use_ssl` | Whether infinispan uses TLS connection | `false` |
-|`keycloak_quarkus_ispn_trust_store_path` | Path to infinispan server trust certificate | `/etc/pki/java/cacerts` |
-|`keycloak_quarkus_ispn_trust_store_password` | Password for infinispan certificate keystore | `changeit` |
+|`keycloak_quarkus_cache_remote` | Whether to connect to remote cache infinispan server | `false` |
+|`keycloak_quarkus_cache_remote_username` | Username for connecting to infinispan | `supervisor` |
+|`keycloak_quarkus_cache_remote_password` | Password for connecting to infinispan | `supervisor` |
+|`keycloak_quarkus_cache_remote_host` | Hostname for connecting to infinispan | `localhost` |
+|`keycloak_quarkus_cache_remote_port`| Port for connecting to infinispan | `11222` |
+|`keycloak_quarkus_cache_remote_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` |
+|`keycloak_quarkus_cache_remote_tls_enabled` | Whether infinispan uses TLS connection | `false` |
+|`keycloak_quarkus_cache_embedded_properties` | Embedded cache properties | `` |
+
+
+#### Logging configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` |
+|`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` |
+|`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` |
+|`keycloak_quarkus_log_format`| Set a format specific to file log entries | `%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n` |
+|`keycloak_quarkus_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` |
+|`keycloak_quarkus_log_max_file_size`| Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): `[0-9]+[KkMmGgTtPpEeZzYy]?`. If no suffix is given, assume bytes. | `10M` |
+|`keycloak_quarkus_log_max_backup_index`| Set the maximum number of archived log files to keep | `10` |
+|`keycloak_quarkus_log_file_suffix`| Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with `.zip` or `.gz`, the rotation file will also be compressed. | `.yyyy-MM-dd.zip` |


 #### Miscellaneous configuration
@@ -148,31 +187,22 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:--------|
 |`keycloak_quarkus_metrics_enabled`| Whether to enable metrics | `False` |
-|`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints | `True` |
+|`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints on the management interface | `True` |
 |`keycloak_quarkus_archive` | keycloak install archive filename | `keycloak-{{ keycloak_quarkus_version }}.zip` |
 |`keycloak_quarkus_installdir` | Installation path | `{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}` |
 |`keycloak_quarkus_home` | Installation work directory | `{{ keycloak_quarkus_installdir }}` |
 |`keycloak_quarkus_config_dir` | Path for configuration | `{{ keycloak_quarkus_home }}/conf` |
 |`keycloak_quarkus_master_realm` | Name for rest authentication realm | `master` |
 |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
-|`keycloak_force_install` | Remove pre-existing versions of service | `False` |
-|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_http_port }}` |
-|`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` |
-|`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` |
-|`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` |
-|`keycloak_quarkus_log_format`| Set a format specific to file log entries | `%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n` |
-|`keycloak_quarkus_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` |
-|`keycloak_quarkus_log_max_file_size`| Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): `[0-9]+[KkMmGgTtPpEeZzYy]?`. If no suffix is given, assume bytes. | `10M` |
-|`keycloak_quarkus_log_max_backup_index`| Set the maximum number of archived log files to keep" | `10` |
-|`keycloak_quarkus_log_file_suffix`| Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with `.zip` or `.gz`, the rotation file will also be compressed. | `.yyyy-MM-dd.zip` |
-|`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` |
+|`keycloak_quarkus_force_install` | Remove pre-existing versions of service | `False` |
+|`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy (deprecated) | `none` |
 |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` |
 |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` |
 |`keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route`| If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy | `True` |
 |`keycloak_quarkus_show_deprecation_warnings`| Whether deprecation warnings should be shown | `True` |


-#### Vault SPI
+#### Vault configuration

 | Variable | Description | Default |
 |:---------|:------------|:--------|
@@ -200,9 +230,10 @@ keycloak_quarkus_providers:
  - id: http-client                         # required; "{{ id }}.jar" identifies the file name on RHBK
    spi: connections                        # required if neither url, local_path nor maven are specified; required for setting properties
    default: true                           # optional, whether to set default for spi, default false
-    restart: true                           # optional, whether to restart, default true
+    restart: true                           # optional, whether to rebuild config and restart the service after deploying, default true
    url: https://.../.../custom_spi.jar     # optional, url for download via http
    local_path: my_theme_spi.jar            # optional, path on local controller for SPI to be uploaded
+    remote: true                            # optional, whether to copy from localhost or remotely, see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-remote_src, default false
    maven:                                  # optional, for download using maven
      repository_url: https://maven.pkg.github.com/OWNER/REPOSITORY # optional, maven repo url
      group_id:  my.group                   # optional, maven group id
@@ -213,6 +244,10 @@ keycloak_quarkus_providers:
    properties:                             # optional, list of key-values
      - key: default-connection-pool-size
        value: 10
+    checksum: sha256:D98291AC[...]B6DC7B97  # optional, checksum used to verify integrity:
+                                            #  for `url` SPIs, use format: <algorithm>:<checksum|url>, cf. <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html#parameter-checksum>;
+                                            #  for `local_path` SPIs, use SHA1 format <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-checksum>
+                                            #  for `maven` SPIs, this field is ignored since maven has integrity verification methods enabled by default
 ```

 the definition above will generate the following build command:
@@ -232,9 +267,9 @@ Provider definition:

 ```yaml
 keycloak_quarkus_policies:
-  - name: xato-net-10-million-passwords.txt                                                                # required, resulting file name
-    url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt # required, url for download
-    type: password-blacklists                                                                              # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`]
+  - name: john-the-ripper.txt                                                                          # required, resulting file name
+    url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt  # required, url for download
+    type: password-blacklists                                                                          # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`]
 ```


@@ -243,9 +278,8 @@ Role Variables

 | Variable | Description | Required |
 |:---------|:------------|----------|
-|`keycloak_quarkus_admin_pass`| Password of console admin account | `yes` |
-|`keycloak_quarkus_frontend_url`| Base URL for frontend URLs, including scheme, host, port and path | `no` |
-|`keycloak_quarkus_admin_url`| Base URL for accessing the administration console, including scheme, host, port and path | `no` |
+|`keycloak_quarkus_bootstrap_admin_password`| Password of console admin account | `yes` |
+|`keycloak_quarkus_admin_pass`| Deprecated, use `keycloak_quarkus_bootstrap_admin_password` instead. | |
 |`keycloak_quarkus_ks_vault_pass`| The password for accessing the keystore vault SPI | `no` |
 |`keycloak_quarkus_alternate_download_url`| Alternate location with optional authentication for downloading RHBK | `no` |
 |`keycloak_quarkus_download_user`| Optional username for http authentication  | `no*` |
@@ -265,7 +299,7 @@ The role uses the following [custom facts](https://docs.ansible.com/ansible/late

 | Variable | Description |
 |:---------|:------------|
-|`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_admin_user[_pass]` gets created |
+|`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_bootstrap_admin_user[_password]` gets created |

 License
 -------
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@@ -1,10 +1,14 @@
 ---
 ### Configuration specific to keycloak
-keycloak_quarkus_version: 24.0.5
+keycloak_quarkus_version: 26.4.7
 keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
 keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
 keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"

+# Authentication for Keycloak binary download (e.g. from internal artifact repository)
+keycloak_quarkus_binary_download_user:
+keycloak_quarkus_binary_download_pass:
+
 # whether to install from local archive
 keycloak_quarkus_offline_install: false

@@ -27,26 +31,32 @@ keycloak_quarkus_configure_firewalld: false
 keycloak_quarkus_configure_iptables: false

 ### administrator console password
-keycloak_quarkus_admin_user: admin
-keycloak_quarkus_admin_pass:
+keycloak_quarkus_bootstrap_admin_user: admin
+keycloak_quarkus_bootstrap_admin_password:
 keycloak_quarkus_master_realm: master

 ### Configuration settings
-keycloak_quarkus_bind_address: 0.0.0.0
-keycloak_quarkus_host: localhost
-keycloak_quarkus_port: -1
-keycloak_quarkus_path:
+keycloak_quarkus_bind_address: 0.0.0.0 # deprecated use keycloak_quarkus_http_host
+keycloak_quarkus_http_host: 0.0.0.0
 keycloak_quarkus_http_enabled: true
 keycloak_quarkus_http_port: 8080
 keycloak_quarkus_https_port: 8443
-keycloak_quarkus_ajp_port: 8009
+keycloak_quarkus_http_management_port: 9000
 keycloak_quarkus_jgroups_port: 7800
+keycloak_quarkus_jgroups_bind_address: "{{ ansible_default_ipv4.address }}"
+keycloak_quarkus_jgroups_external_addr: "{{ keycloak_quarkus_jgroups_bind_address }}"
+keycloak_quarkus_jgroups_external_port: "{{ keycloak_quarkus_jgroups_port }}"
 keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx2048m"
-keycloak_quarkus_java_jvm_opts: "-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8
+keycloak_quarkus_java_jvm_opts: >
+  -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8
  -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError
  -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4
-  -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512"
-keycloak_quarkus_java_opts: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}"
+  -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512
+keycloak_quarkus_jgroups_opts: >
+  -Djgroups.bind.address={{ keycloak_quarkus_jgroups_bind_address }}
+  -Djgroups.external_port={{ keycloak_quarkus_jgroups_external_port }}
+  -Djgroups.external_addr={{ keycloak_quarkus_jgroups_external_addr }}
+keycloak_quarkus_java_opts: "{{ ' '.join((keycloak_quarkus_jgroups_opts, keycloak_quarkus_java_heap_opts, keycloak_quarkus_java_jvm_opts)) }}"
 keycloak_quarkus_additional_env_vars: []

 ### TLS/HTTPS configuration
@@ -71,7 +81,7 @@ keycloak_quarkus_config_key_store_password: ''

 ### Enable configuration for database backend, clustering and remote caches on infinispan
 keycloak_quarkus_ha_enabled: false
-keycloak_quarkus_ha_discovery: "TCPPING"
+keycloak_quarkus_ha_discovery: "JDBCPING"
 ### Enable database configuration, must be enabled when HA is configured
 keycloak_quarkus_db_enabled: "{{ keycloak_quarkus_ha_enabled }}"
 keycloak_quarkus_systemd_wait_for_port: "{{ keycloak_quarkus_ha_enabled }}"
@@ -81,8 +91,8 @@ keycloak_quarkus_systemd_wait_for_timeout: 60
 keycloak_quarkus_systemd_wait_for_delay: 10

 ### keycloak frontend url
-keycloak_quarkus_frontend_url:
-keycloak_quarkus_admin_url:
+keycloak_quarkus_hostname:
+keycloak_quarkus_hostname_admin: ""

 ### Set the path relative to / for serving resources. The path must start with a /
 ### (set to `/auth` for retrocompatibility with pre-quarkus releases)
@@ -91,15 +101,15 @@ keycloak_quarkus_http_relative_path: /
 # Disables dynamically resolving the hostname from request headers.
 # Should always be set to true in production, unless proxy verifies the Host header.
 keycloak_quarkus_hostname_strict: true
-# By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications.
-# If all applications use the public URL this option should be enabled.
-keycloak_quarkus_hostname_strict_backchannel: false
+# Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path.
+# Set to true if your application accesses Keycloak via a private network. If set to true, keycloak_quarkus_hostname option needs to be specified as a full URL.
+keycloak_quarkus_hostname_backchannel_dynamic: false

 # The proxy headers that should be accepted by the server. ['', 'forwarded', 'xforwarded']
 keycloak_quarkus_proxy_headers: ""

 # deprecated: proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
-keycloak_quarkus_proxy_mode: edge
+keycloak_quarkus_proxy_mode: none

 # disable xa transactions
 keycloak_quarkus_transaction_xa_enabled: true
@@ -111,36 +121,46 @@ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: true
 keycloak_quarkus_metrics_enabled: false
 keycloak_quarkus_health_enabled: true

+### infinispan; must read: https://forum.keycloak.org/t/keycloak-26-4-7-ha/31202
+keycloak_quarkus_cache_managed_infinispan_config: "{{ keycloak_quarkus_version is version('26.4.0', '<') }}"
+keycloak_quarkus_cache_infinispan_template: cache-ispn.xml
+
+### caches; must read: https://www.keycloak.org/2024/12/storing-sessions-in-kc26
+### embedded caches
+# https://www.keycloak.org/server/caching
+keycloak_quarkus_cache_embedded_properties: ""
+
 ### infinispan remote caches access (hotrod)
-keycloak_quarkus_ispn_user: supervisor
-keycloak_quarkus_ispn_pass: supervisor
-keycloak_quarkus_ispn_hosts: "localhost:11222"
-keycloak_quarkus_ispn_sasl_mechanism: SCRAM-SHA-512
-keycloak_quarkus_ispn_use_ssl: false
-# if ssl is enabled, import ispn server certificate here
-keycloak_quarkus_ispn_trust_store_path: /etc/pki/java/cacerts
-keycloak_quarkus_ispn_trust_store_password: changeit
+# https://www.keycloak.org/server/caching#_remote_cache
+keycloak_quarkus_cache_remote: false
+keycloak_quarkus_cache_remote_username: supervisor
+keycloak_quarkus_cache_remote_password: supervisor
+keycloak_quarkus_cache_remote_host: localhost
+keycloak_quarkus_cache_remote_port: 11222
+keycloak_quarkus_cache_remote_tls_enabled: false
+keycloak_quarkus_cache_remote_sasl_mechanism: SCRAM-SHA-512
+

 ### database backend engine: values [ 'postgres', 'mariadb' ]
-keycloak_quarkus_jdbc_engine: postgres
+keycloak_quarkus_db_engine: postgres
 ### database backend credentials
 keycloak_quarkus_db_user: keycloak-user
 keycloak_quarkus_db_pass: keycloak-pass
-keycloak_quarkus_jdbc_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
-keycloak_quarkus_jdbc_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
-# override the variables above, following defaults show minimum supported versions
+keycloak_quarkus_db_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].url }}"
+keycloak_quarkus_db_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].version }}"
+# override the variables above, following defaults show recommended version as per
+# https://access.redhat.com/articles/7033107
 keycloak_quarkus_default_jdbc:
  postgres:
    url: 'jdbc:postgresql://localhost:5432/keycloak'
-    version: 9.4.1212
+    version: 42.7.7
  mariadb:
    url: 'jdbc:mariadb://localhost:3306/keycloak'
-    version: 2.7.4
+    version: 3.5.2
  mssql:
    url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
-    version: 12.4.2
-    driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.4.2.jre11/mssql-jdbc-12.4.2.jre11.jar"
-    # cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/24.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver
+    version: 13.2.0
+    driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/13.2.0.jre11/mssql-jdbc-13.2.0.jre11.jar"
 ### logging configuration
 keycloak_quarkus_log: file
 keycloak_quarkus_log_level: info
@@ -165,5 +185,7 @@ keycloak_quarkus_supported_policy_types: ['password-blacklists']
 keycloak_quarkus_restart_strategy: restart/serial.yml
 keycloak_quarkus_restart_health_check: true
 keycloak_quarkus_restart_health_check_delay: 10
-keycloak_quarkus_restart_health_check_reries: 25
+keycloak_quarkus_restart_health_check_retries: 25
 keycloak_quarkus_restart_pause: 15
+
+keycloak_quarkus_force_install: false
--- a/roles/keycloak_quarkus/handlers/main.yml
+++ b/roles/keycloak_quarkus/handlers/main.yml
@@ -1,4 +1,7 @@
 ---
+- name: "Invalidate {{ keycloak.service_name }} theme cache"
+  ansible.builtin.include_tasks: invalidate_theme_cache.yml
+  listen: "invalidate keycloak theme cache"
 # handler should be invoked anytime a [build configuration](https://www.keycloak.org/server/all-config?f=build) changes
 - name: "Rebuild {{ keycloak.service_name }} config"
  ansible.builtin.include_tasks: rebuild_config.yml
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -2,7 +2,7 @@ argument_specs:
    main:
        options:
            keycloak_quarkus_version:
-                default: "24.0.5"
+                default: "26.4.7"
                description: "keycloak.org package version"
                type: "str"
            keycloak_quarkus_archive:
@@ -22,7 +22,7 @@ argument_specs:
                description: "Perform an offline install"
                type: "bool"
            keycloak_quarkus_jvm_package:
-                default: "java-11-openjdk-headless"
+                default: "java-21-openjdk-headless"
                description: "RHEL java package runtime"
                type: "str"
            keycloak_quarkus_java_home:
@@ -68,13 +68,17 @@ argument_specs:
                default: "10s"
                description: "systemd RestartSec for service"
                type: "str"
-            keycloak_quarkus_admin_user:
+            keycloak_quarkus_bootstrap_admin_user:
                default: "admin"
-                description: "Administration console user account"
+                description: "Administration user account, only for bootstrapping"
                type: "str"
-            keycloak_quarkus_admin_pass:
+            keycloak_quarkus_force_install:
+                default: false
+                description: "Remove pre-existing versions of service"
+                type: "bool"
+            keycloak_quarkus_bootstrap_admin_password:
                required: true
-                description: "Password of console admin account"
+                description: "Password of admin account, only for bootstrapping"
                type: "str"
            keycloak_quarkus_master_realm:
                default: "master"
@@ -82,31 +86,40 @@ argument_specs:
                type: "str"
            keycloak_quarkus_bind_address:
                default: "0.0.0.0"
-                description: "Address for binding service ports"
+                description: "Deprecated, use `keycloak_quarkus_http_host`"
+                type: "str"
+            keycloak_quarkus_hostname:
+                description: >-
+                    Address at which is the server exposed.
+                    Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request.
                type: "str"
            keycloak_quarkus_host:
-                default: "localhost"
-                description: "Hostname for the Keycloak server"
+                description: "Deprecated in v26, use keycloak_quarkus_hostname instead."
                type: "str"
            keycloak_quarkus_port:
-                default: -1
-                description: "The port used by the proxy when exposing the hostname"
+                description: "Deprecated in v26, use keycloak_quarkus_hostname instead."
                type: "int"
            keycloak_quarkus_path:
-                required: false
-                description: "This should be set if proxy uses a different context-path for Keycloak"
+                description: "Deprecated in v26, use keycloak_quarkus_hostname instead."
                type: "str"
            keycloak_quarkus_http_enabled:
                default: true
                description: "Enable listener on HTTP port"
                type: "bool"
+            keycloak_quarkus_http_host:
+                default: '0.0.0.0'
+                description: "HTTP host, address for binding service ports"
+                type: "str"
            keycloak_quarkus_http_port:
                default: 8080
                description: "HTTP port"
                type: "int"
+            keycloak_quarkus_health_check_url:
+                description: "Full URL (including scheme, host, path, fragment etc.) used for health check endpoint; keycloak_quarkus_hostname will NOT be prepended; helpful when health checks should happen against http port, but keycloak_quarkus_hostname uses https scheme per default"
+                type: "str"
            keycloak_quarkus_health_check_url_path:
                default: "realms/master/.well-known/openid-configuration"
-                description: "Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically"
+                description: "Path to the health check endpoint; keycloak_quarkus_hostname will be prepended automatically; Note that keycloak_quarkus_health_check_url takes precedence over this property"
                type: "str"
            keycloak_quarkus_https_key_file_enabled:
                default: false
@@ -170,7 +183,7 @@ argument_specs:
                type: "str"
            keycloak_quarkus_config_key_store_file:
                default: "{{ keycloak.home }}/conf/conf_store.p12"
-                description: "Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty"
+                description: "Path to the configuration key store; only used if `keycloak_quarkus_config_key_store_password` is not empty"
                type: "str"
            keycloak_quarkus_config_key_store_password:
                default: ""
@@ -182,14 +195,30 @@ argument_specs:
                default: 8443
                description: "HTTPS port"
                type: "int"
-            keycloak_quarkus_ajp_port:
-                default: 8009
-                description: "AJP port"
+            keycloak_quarkus_http_management_port:
+                default: 9000
+                description: "Port of the management interface. Relevant only when something is exposed on the management interface - see the guide for details."
                type: "int"
            keycloak_quarkus_jgroups_port:
+                description: 'jgroups bind port'
                default: 7800
-                description: "jgroups cluster tcp port"
                type: "int"
+            keycloak_quarkus_jgroups_bind_address:
+                description: 'jgroups bind address'
+                default: "{{ ansible_default_ipv4.address }}"
+                type: "str"
+            keycloak_quarkus_jgroups_external_addr:
+                description: 'IP address that other instances in the Keycloak should use to contact this node'
+                default: "{{ keycloak_quarkus_jgroups_bind_address }}"
+                type: "str"
+            keycloak_quarkus_jgroups_external_port:
+                description: 'Port that other instances in the Keycloak cluster should use to contact this node'
+                default: "{{ keycloak_quarkus_jgroups_port }}"
+                type: "int"
+            keycloak_quarkus_jgroups_opts:
+                description: "JVM arguments for jgroups configuration"
+                default: "-Djgroups.bind.address={{ keycloak_quarkus_jgroups_bind_address }} -Djgroups.external_port={{ keycloak_quarkus_jgroups_external_port }} -Djgroups.external_addr={{ keycloak_quarkus_jgroups_external_addr }}"
+                type: "str"
            keycloak_quarkus_java_heap_opts:
                default: "-Xms1024m -Xmx2048m"
                description: "Heap memory JVM setting"
@@ -202,7 +231,7 @@ argument_specs:
                description: "Other JVM settings"
                type: "str"
            keycloak_quarkus_java_opts:
-                default: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}"
+                default: "{{ ' '.join((keycloak_quarkus_jgroups_opts, keycloak_quarkus_java_heap_opts, keycloak_quarkus_java_jvm_opts)) }}"
                description: "JVM arguments, by default heap_opts + jvm_opts, if overriden it takes precedence over them"
                type: "str"
            keycloak_quarkus_additional_env_vars:
@@ -226,13 +255,21 @@ argument_specs:
                default: /
                description: "Set the path relative to / for serving resources. The path must start with a /"
                type: "str"
+            keycloak_quarkus_http_management_relative_path:
+                required: false
+                description: "Set the path relative to / for serving resources from management interface. The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details."
+                type: "str"
            keycloak_quarkus_frontend_url:
                required: false
-                description: "Service public URL"
+                description: "Deprecated in v26, use keycloak_quarkus_hostname instead."
+                type: "str"
+            keycloak_quarkus_hostname_admin:
+                required: false
+                description: "Service URL for the admin console"
                type: "str"
            keycloak_quarkus_admin_url:
                required: false
-                description: "Service URL for the admin console"
+                description: "Deprecated in v26, use keycloak_quarkus_hostname_admin instead."
                type: "str"
            keycloak_quarkus_metrics_enabled:
                default: false
@@ -240,37 +277,37 @@ argument_specs:
                type: "bool"
            keycloak_quarkus_health_enabled:
                default: true
-                description: "If the server should expose health check endpoints"
+                description: "If the server should expose health check endpoints on the management interface"
                type: "bool"
-            keycloak_quarkus_ispn_user:
+            keycloak_quarkus_cache_remote:
+                description: "Whether to connect to remote cache infinispan server"
+                default: false
+                type: 'bool'
+            keycloak_quarkus_cache_remote_username:
                default: "supervisor"
                description: "Username for connecting to infinispan"
                type: "str"
-            keycloak_quarkus_ispn_pass:
+            keycloak_quarkus_cache_remote_password:
                default: "supervisor"
                description: "Password for connecting to infinispan"
                type: "str"
-            keycloak_quarkus_ispn_hosts:
-                default: "localhost:11222"
-                description: "host name/port for connecting to infinispan, eg. host1:11222;host2:11222"
+            keycloak_quarkus_cache_remote_host:
+                default: "localhost"
+                description: "Hostname for connecting to infinispan"
                type: "str"
-            keycloak_quarkus_ispn_sasl_mechanism:
+            keycloak_quarkus_cache_remote_port:
+                default: "11222"
+                description: "Port for connecting to infinispan"
+                type: "str"
+            keycloak_quarkus_cache_remote_sasl_mechanism:
                default: "SCRAM-SHA-512"
                description: "Infinispan auth mechanism"
                type: "str"
-            keycloak_quarkus_ispn_use_ssl:
+            keycloak_quarkus_cache_remote_tls_enabled:
                default: false
                description: "Whether infinispan uses TLS connection"
                type: "bool"
-            keycloak_quarkus_ispn_trust_store_path:
-                default: "/etc/pki/java/cacerts"
-                description: "Path to infinispan server trust certificate"
-                type: "str"
-            keycloak_quarkus_ispn_trust_store_password:
-                default: "changeit"
-                description: "Password for infinispan certificate keystore"
-                type: "str"
-            keycloak_quarkus_jdbc_engine:
+            keycloak_quarkus_db_engine:
                default: "postgres"
                description: "Database engine [mariadb,postres,mssql]"
                type: "str"
@@ -282,12 +319,12 @@ argument_specs:
                default: "keycloak-pass"
                description: "Password for database connection"
                type: "str"
-            keycloak_quarkus_jdbc_url:
-                default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
+            keycloak_quarkus_db_url:
+                default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].url }}"
                description: "JDBC URL for connecting to database"
                type: "str"
-            keycloak_quarkus_jdbc_driver_version:
-                default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
+            keycloak_quarkus_db_driver_version:
+                default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].version }}"
                description: "Version for JDBC driver"
                type: "str"
            keycloak_quarkus_log:
@@ -327,9 +364,9 @@ argument_specs:
                  Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix. Note: If the suffix ends
                  with .zip or .gz, the rotation file will also be compressed.
            keycloak_quarkus_proxy_mode:
-                default: 'edge'
+                default: 'none'
                type: "str"
-                description: "The proxy address forwarding mode if the server is behind a reverse proxy. Set to 'none' if not using a proxy"
+                description: "The proxy address forwarding mode if the server is behind a reverse proxy. Set to 'none' as it is deprecated according to Keycloak documentation"
            keycloak_quarkus_proxy_headers:
                default: ""
                type: "str"
@@ -348,24 +385,18 @@ argument_specs:
                description: >
                  Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless
                  proxy verifies the Host header.
-            keycloak_quarkus_hostname_strict_backchannel:
+            keycloak_quarkus_hostname_backchannel_dynamic:
                default: false
                type: "bool"
                description: >
-                  By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all
-                  applications use the public URL this option should be enabled.
+                    Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path.
+                    Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL.
            keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route:
                default: true
                type: "bool"
                description: >
                  If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies
                  and we rely on the session affinity capabilities from reverse proxy
-            keycloak_quarkus_hostname_strict_https:
-                type: "bool"
-                required: false
-                description: >
-                  By default, Keycloak requires running using TLS/HTTPS. If the service MUST run without TLS/HTTPS, then set
-                  this option to "true"
            keycloak_quarkus_ks_vault_enabled:
                default: false
                type: "bool"
@@ -453,7 +484,7 @@ argument_specs:
                description: "Seconds to let pass before starting healch checks"
                default: 10
                type: 'int'
-            keycloak_quarkus_restart_health_check_reries:
+            keycloak_quarkus_restart_health_check_retries:
                description: "Number of attempts for successful health check before failing"
                default: 25
                type: 'int'
@@ -465,10 +496,30 @@ argument_specs:
                description: "Path local to controller for offline/download of install archives"
                default: "{{ lookup('env', 'PWD') }}"
                type: "str"
+            keycloak_quarkus_cache_managed_infinispan_config:
+                description: "Manage infinispan configuration"
+                default: "{{ keycloak_quarkus_version is version('26.4.0', '<') }}"
+                type: bool
+            keycloak_quarkus_cache_infinispan_template:
+                description: "Infinispan cache template file"
+                default: "cache-ispn.xml"
+                type: str
+            keycloak_quarkus_cache_embedded_properties:
+                description: Embedded cache properties
+                default: ""
+                type: str
+            keycloak_quarkus_binary_download_user:
+                description: "Username for HTTP Basic Auth when downloading Keycloak binary"
+                type: "str"
+                required: false
+            keycloak_quarkus_binary_download_pass:
+                description: "Password for HTTP Basic Auth when downloading Keycloak binary"
+                type: "str"
+                required: false
    downstream:
        options:
            rhbk_version:
-                default: "24.0.3"
+                default: "26.4.7"
                description: "Red Hat Build of Keycloak version"
                type: "str"
            rhbk_archive:
--- a/roles/keycloak_quarkus/meta/main.yml
+++ b/roles/keycloak_quarkus/meta/main.yml
@@ -8,7 +8,7 @@ galaxy_info:

  license: Apache License 2.0

-  min_ansible_version: "2.15"
+  min_ansible_version: "2.16"

  platforms:
    - name: EL
--- a/roles/keycloak_quarkus/tasks/bootstrapped.yml
+++ b/roles/keycloak_quarkus/tasks/bootstrapped.yml
@@ -1,6 +1,6 @@
 ---
 - name: Save ansible custom facts
-  become: true
+  become: "{{ keycloak_quarkus_bootstrapped_require_privilege_escalation }}"
  ansible.builtin.template:
    src: keycloak.fact.j2
    dest: /etc/ansible/facts.d/keycloak.fact
--- a/roles/keycloak_quarkus/tasks/config_store.yml
+++ b/roles/keycloak_quarkus/tasks/config_store.yml
@@ -6,7 +6,7 @@
        value: "{{ keycloak_quarkus_db_pass }}"

 - name: "Initialize empty configuration key store"
-  become: true
+  become: "{{ keycloak_quarkus_config_store_require_privilege_escalation }}"
  # keytool doesn't allow creating an empty key store, so this is a hacky way around it
  ansible.builtin.shell: | # noqa blocked_modules shell is necessary here
    set -o nounset   # abort on unbound variable
@@ -38,7 +38,7 @@
    echo {{ item.value | quote }} | keytool -noprompt -importpass -alias {{ item.key | quote }} -keystore {{ keycloak_quarkus_config_key_store_file | quote }} -storepass {{ keycloak_quarkus_config_key_store_password | quote }} -storetype PKCS12
  loop: "{{ store_items }}"
  no_log: true
-  become: true
+  become: "{{ keycloak_quarkus_config_store_require_privilege_escalation }}"
  changed_when: true
  notify:
    - restart keycloak
@@ -49,4 +49,4 @@
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0400'
-  become: true
+  become: "{{ keycloak_quarkus_config_store_require_privilege_escalation }}"
--- a/roles/keycloak_quarkus/tasks/debian.yml
+++ b/roles/keycloak_quarkus/tasks/debian.yml
@@ -1,6 +1,10 @@
 ---
 - name: Include firewall config tasks
-  ansible.builtin.include_tasks: iptables.yml
+  ansible.builtin.include_tasks:
+    file: iptables.yml
+    apply:
+      tags:
+        - firewall
  when: keycloak_quarkus_configure_iptables
  tags:
    - firewall
--- a/roles/keycloak_quarkus/tasks/deprecations.yml
+++ b/roles/keycloak_quarkus/tasks/deprecations.yml
@@ -49,5 +49,114 @@
  notify:
    - print deprecation warning

+# https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
+- name: Check deprecation of keycloak_quarkus_frontend_url -> keycloak_quarkus_hostname
+  when:
+    - keycloak_quarkus_hostname is not defined
+    - keycloak_quarkus_frontend_url is defined
+    - keycloak_quarkus_frontend_url != ''
+  delegate_to: localhost
+  run_once: true
+  changed_when: keycloak_quarkus_show_deprecation_warnings
+  ansible.builtin.set_fact:
+    keycloak_quarkus_hostname: "{{ keycloak_quarkus_frontend_url }}"
+    deprecated_variable: "keycloak_quarkus_frontend_url" # read in deprecation handler
+  notify:
+    - print deprecation warning
+
+# https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
+- name: Check deprecation of keycloak_quarkus_hostname_strict_https + keycloak_quarkus_host + keycloak_quarkus_port + keycloak_quarkus_path -> keycloak_quarkus_hostname
+  when:
+    - keycloak_quarkus_hostname is not defined
+    - keycloak_quarkus_hostname_strict_https is defined or keycloak_quarkus_frontend_url is defined or keycloak_quarkus_port is defined or keycloak_quarkus_path is defined
+  delegate_to: localhost
+  run_once: true
+  changed_when: keycloak_quarkus_show_deprecation_warnings
+  ansible.builtin.set_fact:
+    keycloak_quarkus_hostname: >-
+      {% set protocol = '' %}
+      {% if keycloak_quarkus_hostname_strict_https %}
+        {% set protocol = 'https://' %}
+      {% elif keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is False %}
+        {% set protocol = 'http://' %}
+      {% endif %}
+      {{ protocol }}{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_port }}/{{ keycloak_quarkus_path }}
+    deprecated_variable: "keycloak_quarkus_hostname_strict_https or keycloak_quarkus_frontend_url or keycloak_quarkus_frontend_url or keycloak_quarkus_hostname" # read in deprecation handler
+  notify:
+    - print deprecation warning
+
+# https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
+- name: Check deprecation of keycloak_quarkus_admin_url -> keycloak_quarkus_hostname_admin
+  when:
+    - keycloak_quarkus_hostname_admin is not defined
+    - keycloak_quarkus_admin_url is defined
+    - keycloak_quarkus_admin_url != ''
+  delegate_to: localhost
+  run_once: true
+  changed_when: keycloak_quarkus_show_deprecation_warnings
+  ansible.builtin.set_fact:
+    keycloak_quarkus_hostname_admin: "{{ keycloak_quarkus_admin_url }}"
+    deprecated_variable: "keycloak_quarkus_admin_url" # read in deprecation handler
+  notify:
+    - print deprecation warning
+
+# https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
+- name: Check deprecation of keycloak_quarkus_hostname_strict_backchannel -> keycloak_quarkus_hostname_backchannel_dynamic
+  when:
+    - keycloak_quarkus_hostname_backchannel_dynamic is not defined
+    - keycloak_quarkus_hostname_strict_backchannel is defined
+    - keycloak_quarkus_hostname_strict_backchannel != ''
+  delegate_to: localhost
+  run_once: true
+  changed_when: keycloak_quarkus_show_deprecation_warnings
+  ansible.builtin.set_fact:
+    keycloak_quarkus_hostname_backchannel_dynamic: "{{ keycloak_quarkus_hostname_strict_backchannel == False }}"
+    deprecated_variable: "keycloak_quarkus_hostname_backchannel_dynamic" # read in deprecation handler
+  notify:
+    - print deprecation warning
+
+# https://github.com/keycloak/keycloak/issues/30009
+- name: Check deprecation of keycloak_quarkus_admin_user -> keycloak_quarkus_bootstrap_admin_user
+  when:
+    - keycloak_quarkus_bootstrap_admin_user is not defined
+    - keycloak_quarkus_admin_user is defined
+    - keycloak_quarkus_admin_user != ''
+  delegate_to: localhost
+  run_once: true
+  changed_when: keycloak_quarkus_show_deprecation_warnings
+  ansible.builtin.set_fact:
+    keycloak_quarkus_bootstrap_admin_user: "{{ keycloak_quarkus_admin_user }}"
+    deprecated_variable: "keycloak_quarkus_admin_user" # read in deprecation handler
+  notify:
+    - print deprecation warning
+
+# https://github.com/keycloak/keycloak/issues/30009
+- name: Check deprecation of keycloak_quarkus_admin_pass -> keycloak_quarkus_bootstrap_admin_password
+  when:
+    - keycloak_quarkus_bootstrap_admin_password is not defined
+    - keycloak_quarkus_admin_pass is defined
+    - keycloak_quarkus_admin_pass != ''
+  delegate_to: localhost
+  run_once: true
+  changed_when: keycloak_quarkus_show_deprecation_warnings
+  ansible.builtin.set_fact:
+    keycloak_quarkus_bootstrap_admin_user: "{{ keycloak_quarkus_admin_pass }}"
+    deprecated_variable: "keycloak_quarkus_admin_pass" # read in deprecation handler
+  notify:
+    - print deprecation warning
+
+- name: Check deprecation of keycloak_quarkus_bind_address -> keycloak_quarkus_http_host
+  when:
+    - keycloak_quarkus_bind_address is defined
+    - keycloak_quarkus_bind_address != '0.0.0.0'
+  delegate_to: localhost
+  run_once: true
+  changed_when: keycloak_quarkus_show_deprecation_warnings
+  ansible.builtin.set_fact:
+    keycloak_quarkus_http_host: "{{ keycloak_quarkus_bind_address }}"
+    deprecated_variable: "keycloak_quarkus_bind_address" # read in deprecation handler
+  notify:
+    - print deprecation warning
+  
 - name: Flush handlers
  ansible.builtin.meta: flush_handlers
--- a/roles/keycloak_quarkus/tasks/fastpackages.yml
+++ b/roles/keycloak_quarkus/tasks/fastpackages.yml
@@ -13,7 +13,7 @@
  when: ansible_facts.os_family == "RedHat"

 - name: "Install packages: {{ packages_to_install }}"
-  become: true
+  become: "{{ keycloak_quarkus_fastpackages_require_privilege_escalation }}"
  ansible.builtin.dnf:
    name: "{{ packages_to_install }}"
    state: present
@@ -22,7 +22,7 @@
    - ansible_facts.os_family == "RedHat"

 - name: "Install packages: {{ packages_list }}"
-  become: true
+  become: "{{ keycloak_quarkus_fastpackages_require_privilege_escalation }}"
  ansible.builtin.package:
    name: "{{ packages_list }}"
    state: present
--- a/roles/keycloak_quarkus/tasks/firewalld.yml
+++ b/roles/keycloak_quarkus/tasks/firewalld.yml
@@ -6,14 +6,14 @@
      - firewalld

 - name: Enable and start the firewalld service
-  become: true
+  become: "{{ keycloak_quarkus_firewalld_require_privilege_escalation }}"
  ansible.builtin.systemd:
    name: firewalld
    enabled: true
    state: started

- name: "Configure firewall for {{ keycloak.service_name }} ports"
-  become: true
+- name: "Configure firewall for {{ keycloak.service_name }} http port"
+  become: "{{ keycloak_quarkus_firewalld_require_privilege_escalation }}"
  ansible.posix.firewalld:
    port: "{{ item }}"
    permanent: true
@@ -21,5 +21,16 @@
    immediate: true
  loop:
    - "{{ keycloak_quarkus_http_port }}/tcp"
+  when: keycloak_quarkus_http_enabled | bool
+
+- name: "Configure firewall for {{ keycloak.service_name }} ports"
+  become: "{{ keycloak_quarkus_firewalld_require_privilege_escalation }}"
+  ansible.posix.firewalld:
+    port: "{{ item }}"
+    permanent: true
+    state: enabled
+    immediate: true
+  loop:
    - "{{ keycloak_quarkus_https_port }}/tcp"
+    - "{{ keycloak_quarkus_http_management_port }}/tcp"
    - "{{ keycloak_quarkus_jgroups_port }}/tcp"
--- a/roles/keycloak_quarkus/tasks/install.yml
+++ b/roles/keycloak_quarkus/tasks/install.yml
@@ -12,13 +12,34 @@
    quiet: true

 - name: Check for an existing deployment
-  become: true
+  become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
  ansible.builtin.stat:
    path: "{{ keycloak.home }}"
  register: existing_deploy

+- name: Stop and restart if existing deployment exists and install forced
+  when: existing_deploy.stat.exists and keycloak_quarkus_force_install | bool
+  block:
+    - name: "Stop the old {{ keycloak.service_name }} service"
+      become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
+      failed_when: false
+      ansible.builtin.systemd:
+        name: keycloak
+        state: stopped
+    - name: "Remove the old {{ keycloak.service_name }} deployment"
+      become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
+      ansible.builtin.file:
+        path: "{{ keycloak_quarkus_home }}"
+        state: absent
+
+- name: Check for an existing deployment after possible forced removal
+  become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
+  ansible.builtin.stat:
+    path: "{{ keycloak_quarkus_home }}"
+  register: existing_deploy
+
 - name: "Create {{ keycloak.service_name }} service user/group"
-  become: true
+  become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
  ansible.builtin.user:
    name: "{{ keycloak.service_user }}"
    home: /opt/keycloak
@@ -26,7 +47,7 @@
    create_home: false

 - name: "Create {{ keycloak.service_name }} install location"
-  become: true
+  become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
  ansible.builtin.file:
    dest: "{{ keycloak_quarkus_dest }}"
    state: directory
@@ -35,7 +56,7 @@
    mode: '0750'

 - name: Create directory for ansible custom facts
-  become: true
+  become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
  ansible.builtin.file:
    state: directory
    recurse: true
@@ -47,7 +68,7 @@
    archive: "{{ keycloak_quarkus_dest }}/{{ keycloak.bundle }}"

 - name: Check download archive path
-  become: true
+  become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
  ansible.builtin.stat:
    path: "{{ archive }}"
  register: archive_path
@@ -58,6 +79,8 @@
    url: "{{ keycloak_quarkus_download_url }}"
    dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
    mode: '0640'
+    url_username: "{{ keycloak_quarkus_binary_download_user | default(omit) }}"
+    url_password: "{{ keycloak_quarkus_binary_download_pass | default(omit) }}"
  delegate_to: localhost
  become: false
  run_once: true
@@ -77,6 +100,7 @@
    - not archive_path.stat.exists
    - rhbk_enable is defined and rhbk_enable
    - not keycloak.offline_install
+    - keycloak_quarkus_alternate_download_url is undefined
  block:
    - name: Retrieve product download using JBoss Network API
      middleware_automation.common.product_search:
@@ -148,13 +172,13 @@
    - not archive_path.stat.exists
    - local_archive_path.stat is defined
    - local_archive_path.stat.exists
-  become: true
+  become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"

 - name: "Check target directory: {{ keycloak.home }}/bin/"
  ansible.builtin.stat:
    path: "{{ keycloak.home }}/bin/"
  register: path_to_workdir
-  become: true
+  become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"

 - name: "Extract Keycloak archive on target" # noqa no-handler need to run this here
  ansible.builtin.unarchive:
@@ -164,7 +188,7 @@
    creates: "{{ keycloak.home }}/bin/"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
-  become: true
+  become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
  when:
    - (not path_to_workdir.stat.exists) or new_version_downloaded.changed
  notify:
@@ -183,7 +207,7 @@
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0640'
-  become: true
+  become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
  when:
    - keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
    - keycloak_quarkus_key_file_copy_enabled is defined and keycloak_quarkus_key_file_copy_enabled
@@ -196,17 +220,17 @@
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0644'
-  become: true
+  become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
  when:
    - keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
    - keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled
    - keycloak_quarkus_cert_file_src | length > 0

- name: "Install {{ keycloak_quarkus_jdbc_engine }} JDBC driver"
+- name: "Install {{ keycloak_quarkus_db_engine }} JDBC driver"
  ansible.builtin.include_tasks: jdbc_driver.yml
  when:
    - rhbk_enable is defined and rhbk_enable
-    - keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url is defined
+    - keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url is defined

 - name: "Download custom providers via http"
  ansible.builtin.get_url:
@@ -215,10 +239,11 @@
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0640'
-  become: true
+    checksum: "{{ item.checksum | default(omit) }}"
+  become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
  loop: "{{ keycloak_quarkus_providers }}"
  when: item.url is defined and item.url | length > 0
-  notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}"
+  notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}"

 # this requires the `lxml` package to be installed; we redirect this step to localhost such that we do need to install it on the remote hosts
 - name: "Download custom providers to localhost using maven"
@@ -235,7 +260,6 @@
  loop: "{{ keycloak_quarkus_providers }}"
  when: item.maven is defined
  no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}"
-  notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}"

 - name: "Copy maven providers"
  ansible.builtin.copy:
@@ -244,21 +268,25 @@
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0640'
-  become: true
+    checksum: "{{ item.checksum | default(omit) }}"
+  become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
  loop: "{{ keycloak_quarkus_providers }}"
  when: item.maven is defined
  no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}"
+  notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}"

- name: "Copy providers"
+- name: "Copy local providers"
  ansible.builtin.copy:
    src: "{{ item.local_path }}"
    dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0640'
-  become: true
+    remote_src: "{{ item.remote | default(false) }}"
+  become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
  loop: "{{ keycloak_quarkus_providers }}"
  when: item.local_path is defined
+  notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}"

 - name: Ensure required folder structure for policies exists
  ansible.builtin.file:
@@ -267,7 +295,7 @@
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0750'
-  become: true
+  become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
  loop: "{{ keycloak_quarkus_supported_policy_types }}"

 - name: "Install custom policies"
@@ -277,7 +305,7 @@
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0640'
-  become: true
+  become: "{{ keycloak_quarkus_install_require_privilege_escalation }}"
  loop: "{{ keycloak_quarkus_policies }}"
  when: item.url is defined and item.url | length > 0
  notify: "restart keycloak"
--- a/roles/keycloak_quarkus/tasks/invalidate_theme_cache.yml
+++ b/roles/keycloak_quarkus/tasks/invalidate_theme_cache.yml
@@ -0,0 +1,11 @@
+---
+# From https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/24.0/html/server_developer_guide/themes#creating_a_theme:
+# If you want to manually delete the content of the themes cache,
+# you can do so by deleting the data/tmp/kc-gzip-cache directory of the server distribution
+# It can be useful for instance if you redeployed custom providers or custom themes without
+# disabling themes caching in the previous server executions.
+- name: "Delete {{ keycloak.service_name }} theme cache directory"
+  ansible.builtin.file:
+    path: "{{ keycloak.home }}/data/tmp/kc-gzip-cache"
+    state: absent
+  become: "{{ keycloak_quarkus_invalidate_theme_cache_require_privilege_escalation }}"
--- a/roles/keycloak_quarkus/tasks/iptables.yml
+++ b/roles/keycloak_quarkus/tasks/iptables.yml
@@ -6,7 +6,7 @@
      - iptables

 - name: "Configure firewall ports for {{ keycloak.service_name }}"
-  become: true
+  become: "{{ keycloak_quarkus_iptables_require_privilege_escalation }}"
  ansible.builtin.iptables:
    destination_port: "{{ item }}"
    action: "insert"
--- a/roles/keycloak_quarkus/tasks/jdbc_driver.yml
+++ b/roles/keycloak_quarkus/tasks/jdbc_driver.yml
@@ -7,9 +7,9 @@
    (keycloak_quarkus_jdbc_download_user is undefined and keycloak_quarkus_jdbc_download_pass is not undefined) or
    (keycloak_quarkus_jdbc_download_pass is undefined and keycloak_quarkus_jdbc_download_user is not undefined)

- name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
+- name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url) }}"
  ansible.builtin.get_url:
-    url: "{{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
+    url: "{{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url) }}"
    dest: "{{ keycloak.home }}/providers"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
@@ -17,6 +17,6 @@
    url_password: "{{ keycloak_quarkus_jdbc_download_pass | default(omit) }}"
    validate_certs: "{{ keycloak_quarkus_jdbc_download_validate_certs | default(omit) }}"
    mode: '0640'
-  become: true
+  become: "{{ keycloak_quarkus_jdbc_driver_require_privilege_escalation }}"
  notify:
    - restart keycloak
--- a/roles/keycloak_quarkus/tasks/main.yml
+++ b/roles/keycloak_quarkus/tasks/main.yml
@@ -1,34 +1,58 @@
 ---
 # tasks file for keycloak
 - name: Check prerequisites
-  ansible.builtin.include_tasks: prereqs.yml
+  ansible.builtin.include_tasks:
+    file: prereqs.yml
+    apply:
+      tags:
+        - prereqs
  tags:
    - prereqs
    - always

 - name: Check for deprecations
-  ansible.builtin.include_tasks: deprecations.yml
+  ansible.builtin.include_tasks:
+    file: deprecations.yml
+    apply:
+      tags:
+        - always
  tags:
    - always

 - name: Distro specific tasks
-  ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml"
+  ansible.builtin.include_tasks:
+    file: "{{ ansible_os_family | lower }}.yml"
+    apply:
+      tags:
+        - unbound
  tags:
    - unbound

 - name: Include install tasks
-  ansible.builtin.include_tasks: install.yml
+  ansible.builtin.include_tasks:
+    file: install.yml
+    apply:
+      tags:
+        - install
  tags:
    - install

 - name: Include systemd tasks
-  ansible.builtin.include_tasks: systemd.yml
+  ansible.builtin.include_tasks:
+    file: systemd.yml
+    apply:
+      tags:
+        - systemd
  tags:
    - systemd

 - name: Include configuration key store tasks
+  ansible.builtin.include_tasks:
+    file: config_store.yml
+    apply:
+      tags:
+        - install
  when: keycloak.config_key_store_enabled
-  ansible.builtin.include_tasks: config_store.yml
  tags:
    - install

@@ -39,13 +63,18 @@
        {
          "name": item,
          "address": 'jgroups-' + item,
-          "inventory_host": hostvars[item].ansible_default_ipv4.address | default(item) + '[' + (keycloak_quarkus_jgroups_port | string) + ']',
-          "value": hostvars[item].ansible_default_ipv4.address | default(item)
+          "inventory_host": hostvars[item].keycloak_quarkus_jgroups_ip | default(item) + '[' + (keycloak_quarkus_jgroups_port | string) + ']',
+          "value": hostvars[item].keycloak_quarkus_jgroups_ip | default(item)
        }
      ] }}
  loop: "{{ ansible_play_batch }}"
  when: keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING'

+
+- name: Determine the config files
+  ansible.builtin.set_fact:
+    keycloak_quarkus_config_files: "{{ ['keycloak.conf', 'quarkus.properties'] + (keycloak_quarkus_cache_managed_infinispan_config | ternary([keycloak_quarkus_cache_infinispan_template], [])) }}"
+
 - name: "Configure config files for keycloak service"
  ansible.builtin.template:
    src: "{{ item }}.j2"
@@ -53,11 +82,8 @@
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0640'
-  become: true
-  loop:
-    - keycloak.conf
-    - quarkus.properties
-    - cache-ispn.xml
+  become: "{{ keycloak_quarkus_require_privilege_escalation }}"
+  loop: "{{ keycloak_quarkus_config_files }}" 
  notify:
    - rebuild keycloak config
    - restart keycloak
@@ -69,7 +95,16 @@
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0775'
-  become: true
+  become: "{{ keycloak_quarkus_require_privilege_escalation }}"
+
+- name: Ensure tmp-directory exists
+  ansible.builtin.file:
+    state: directory
+    path: "{{ keycloak.home }}/data/tmp"
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+    mode: '0755'
+  become: "{{ keycloak_quarkus_require_privilege_escalation }}"

 - name: Flush pending handlers
  ansible.builtin.meta: flush_handlers
@@ -83,7 +118,7 @@
    src: "{{ keycloak.log.file | dirname }}"
    dest: "{{ keycloak_quarkus_log_target }}"
    force: true
-  become: true
+  become: "{{ keycloak_quarkus_require_privilege_escalation }}"

 - name: Check service status
  ansible.builtin.systemd_service:
@@ -91,7 +126,7 @@
  register: keycloak_service_status
  changed_when: false

- name: "Notify to remove `keycloak_quarkus_admin_user[_pass]` env vars"
+- name: "Notify to remove `keycloak_quarkus_bootstrap_admin_user[_password]` env vars"
  when:
    - not ansible_local.keycloak.general.bootstrapped | default(false) | bool # it was not bootstrapped prior to the current role's execution
    - keycloak_service_status.status.ActiveState == "active"                  # but it is now
--- a/roles/keycloak_quarkus/tasks/prereqs.yml
+++ b/roles/keycloak_quarkus/tasks/prereqs.yml
@@ -2,12 +2,12 @@
 - name: Validate admin console password
  ansible.builtin.assert:
    that:
-      - keycloak_quarkus_admin_pass | length > 12
+      - keycloak_quarkus_bootstrap_admin_password | length > 12
    quiet: true
-    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass to a 12+ char long string"
+    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_bootstrap_admin_password to a 12+ char long string"
    success_msg: "{{ 'Console administrator password OK' }}"

- name: Validate relative path
+- name: Validate http_relative_path
  ansible.builtin.assert:
    that:
      - keycloak_quarkus_http_relative_path is regex('^/.*')
@@ -15,6 +15,15 @@
    fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /"
    success_msg: "{{ 'Relative path OK' }}"

+- name: Validate http_management_relative_path
+  ansible.builtin.assert:
+    that:
+      - keycloak_quarkus_http_management_relative_path is regex('^/.*')
+    quiet: true
+    fail_msg: "The relative path for keycloak_quarkus_http_management_relative_path must begin with /"
+    success_msg: "{{ 'Relative mgmt path OK' }}"
+  when: keycloak_quarkus_http_management_relative_path is defined
+
 - name: Validate configuration
  ansible.builtin.assert:
    that:
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
ansible-middleware-core	c6e3337778	Update changelog for release 3.0.4 Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>	2026-05-20 13:38:01 +00:00
Harsha Cherukuri	d1b295f551	Merge pull request #332 from cihlamar/AMW-522 Fix certification requirements for Keycloak	2026-05-20 09:36:11 -04:00
Martin Cihlar	5e13f4ea50	Fix certification requirements for Keycloak - Add .ansible-lint, .DS_Store to build_ignore in galaxy.yml - Add Release and Upgrade Notes section to README [AMW-522](https://redhat.atlassian.net/browse/AMW-522)	2026-05-20 11:00:58 +02:00
Harsha Cherukuri	06cf664b08	Merge pull request #331 from RanabirChakraborty/SET-1341 SET-1341 Without ansible-core tag tests are failing in keycloak	2026-04-30 03:33:48 -04:00
Ranabir Chakraborty	e5690d7513	SET-1341 Without ansible-core tag tests are failing in keycloak	2026-04-28 22:15:14 +05:30
Ranabir Chakraborty	fb76736441	Merge pull request #330 from nwintering/main Check that `data/tmp` directory has correct ownership	2026-04-28 18:24:19 +05:30
nwintering	6d00dcff48	check that tmp directory has correct permissions	2026-04-27 15:35:03 +02:00
Harsha Cherukuri	eaf9964aab	Fix docs pipeline	2026-04-24 10:50:10 -04:00
Harsha Cherukuri	180f075a9f	Merge pull request #324 from RanabirChakraborty/AMW-518 AMW-518 Validating arguments against arg spec 'main' fails unexpectedly.	2026-04-24 10:34:55 -04:00
Harsha Cherukuri	1013a05f8c	Merge pull request #328 from hcherukuri/main Fix sanity and molecule tests	2026-04-24 10:26:26 -04:00
Harsha Cherukuri	22f1ce516d	Fix sanity and molecule tests	2026-04-24 10:07:24 -04:00
Harsha Cherukuri	7be872cc48	Merge pull request #326 from paulomenon/add/example-playbooks-client-scope-auth-flow Add/example playbooks client scope auth flow	2026-04-24 08:29:16 -04:00
Harsha Cherukuri	55248de9ae	Merge pull request #325 from paulomenon/fix/keycloak-context-default Fix keycloak_context default from /auth to empty string for Quarkus-based Keycloak	2026-04-24 08:29:00 -04:00
Harsha Cherukuri	c6d4dfb8bb	Merge pull request #327 from hcherukuri/main Fix CI	2026-04-24 08:16:25 -04:00
Harsha Cherukuri	c8f4065eb5	Fix CI	2026-04-24 08:00:45 -04:00
pamenon	06e096ac50	Add module documentation to collection and role READMEs Document all six modules (including the two new ones) in the main collection README under a new 'Included modules' section. Add the three new example playbooks to the Config Playbooks section. Update the keycloak_realm role README with a 'Related Modules' table and inline examples for keycloak_client_scope and keycloak_authentication_flow usage. Made-with: Cursor	2026-04-23 12:54:22 +01:00
pamenon	c6189bfc51	Add keycloak_client_scope and keycloak_authentication_flow modules with example playbooks The collection was missing modules for managing client scopes and authentication flows, forcing users to write raw uri calls against the Keycloak Admin REST API. This adds two new modules that leverage the existing KeycloakAPI helper methods: - keycloak_client_scope: create/update/delete client scopes with protocol mappers (supports check_mode and diff) - keycloak_authentication_flow: create/delete authentication flows with execution steps, or copy existing flows (supports check_mode and diff) Also adds three example playbooks using the new modules: - keycloak_client_scope.yml - keycloak_authentication_flow.yml - keycloak_realm_client.yml Made-with: Cursor	2026-04-23 12:53:03 +01:00
pamenon	03fffaaf5f	Fix keycloak_context default from /auth to empty string The /auth context path was used by legacy WildFly-based Keycloak but is no longer needed for Quarkus-based Keycloak (17+) or RHBK. The current default of /auth forces users to explicitly pass an empty keycloak_context to avoid broken API URLs. This changes the default to an empty string, updates argument_specs and README documentation, and removes the now-unnecessary keycloak_context: '' overrides from all molecule converge files. Users on legacy WildFly-based Keycloak can still set keycloak_context: /auth explicitly. Made-with: Cursor	2026-04-23 12:25:03 +01:00
Ranabir Chakraborty	a337a1d70c	AMW-518 Validating arguments against arg spec 'main' fails unexpectedly.	2026-04-17 19:24:46 +05:30
Ranabir Chakraborty	28168a9a4f	Merge pull request #307 from sgoericke/fix-client-id manage_client_roles.yml: use "client.id" instead of "client.name" to fix client role creation.	2026-04-09 23:37:31 +05:30
Helmut Wolf	64469b6fac	Merge pull request #320 from world-direct/fix/ispn_config fix: include ispn config file conditionally	2026-01-15 08:05:26 +01:00
Ranabir Chakraborty	75e308b710	Merge pull request #321 from RanabirChakraborty/AMW-467 AMW-467 Download keycloak binary from password protected HTTP location	2026-01-14 21:59:45 +05:30
Ranabir Chakraborty	9cdf24ce28	AMW-467 Download keycloak binary from password protected HTTP location	2026-01-13 23:48:01 +05:30
Helmut Wolf	a00a602c3c	fix: include ispn config file conditionally	2026-01-13 10:17:04 +01:00
Ranabir Chakraborty	a5a75c6d46	Merge pull request #317 from SLedunois/main v26.4.x compability	2026-01-12 23:34:28 +05:30
Helmut Wolf	7212e572cd	chore(defaults): raise default keycloak/rhbk versions to 26.4.7	2026-01-12 10:28:47 +01:00
Helmut Wolf	bc669ce0cd	chore(deps): Update default SQL driver versions As per https://access.redhat.com/articles/7027683	2026-01-12 10:28:47 +01:00
Simon LEDUNOIS	3c097ebf09	chore: add molecule test for quarkus ha 26.4-	2026-01-12 10:28:47 +01:00
Simon Ledunois	9562bf727e	chore: manage infinispan configuration file	2026-01-12 10:28:47 +01:00
Simon Ledunois	6c3e327294	chore: upgrade to 26.4.7	2026-01-12 10:28:47 +01:00
Ranabir Chakraborty	be0c8a4ae3	Merge pull request #319 from RanabirChakraborty/fixing-lint Removing parseable from lint file as Additional properties are not allowed	2026-01-09 22:16:00 +05:30
Ranabir Chakraborty	6bf10cc3e9	Removing parseable from lint file as Additional properties are not allowed	2026-01-09 22:14:03 +05:30
ansible-middleware-core	d0161dbeef	Bump version to 3.0.4	2025-12-16 15:53:14 +00:00
ansible-middleware-core	bf5c805fcd	Update changelog for release 3.0.3 Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>	2025-12-16 15:52:59 +00:00
Ranabir Chakraborty	2b1c07d87e	Merge pull request #306 from fxwgr/patch0 Declared proxy_mode as deprecated, updated quarkus and realm readme	2025-12-16 20:08:58 +05:30
Andreas Wagner	f1305e5aac	Updated quarkus and realm readme, declared proxy_mode as deprecated Updated argument_specs and declared keycloak_quarkus_proxy_mode as deprecated	2025-11-14 11:55:24 +01:00
Ranabir Chakraborty	412e17e9ea	Merge pull request #312 from RanabirChakraborty/ci_label_fix keycloak collection CI label is showing no status	2025-10-04 20:46:52 +05:30
Ranabir Chakraborty	fa87c004e3	keycloak collection CI label is showing no status	2025-10-04 20:19:09 +05:30
Ranabir Chakraborty	6c9bddbd61	Merge pull request #308 from tinsjourney/fix_config_key_store_password Fix config_key_store_file description to match variable name	2025-09-25 21:47:46 +05:30
Ranabir Chakraborty	4602d254cf	Merge pull request #310 from world-direct/fix/309 ansible-core 2.19 compatibility	2025-09-18 18:58:54 +05:30
Helmut Wolf	8b2ef22023	fix ansible-core v2.19.0: initialize keycloak_quarkus_hostname_admin to an empty string	2025-07-22 12:11:09 +02:00
Helmut Wolf	66228c3a13	ansible 2.19.0: fix error 'item' is undefined error, https://github.com/ansible-middleware/keycloak/issues/309#issuecomment-3101960407	2025-07-22 12:09:14 +02:00
Stephane Vigan	556d155533	Fix config_key_store_file description to match variable name	2025-07-21 16:15:59 +02:00
Sven Goericke	07063353b8	fixed wrong variable lookup	2025-07-16 13:50:07 +02:00
Guido Grazioli	c1bf9727f9	Merge pull request #293 from world-direct/fix/292 Update to keycloak 26.3.0	2025-07-09 11:38:56 +02:00
Helmut Wolf	f79fd227eb	chore: bump KC/RHBK to v26.3.0/v26.2.5	2025-07-07 11:09:35 +02:00
Helmut Wolf	19564987ca	fix(quarkus): update infinispan-client configuration to include port in server-list and hosts	2025-07-07 11:05:44 +02:00
Helmut Wolf	1ff25325a7	fix(ispn): use legacy JGroups stack configuration for < 26.2 only	2025-07-07 11:05:44 +02:00
Guido Grazioli	0099f1cf07	Merge pull request #303 from fxwgr/main Allow to install provider jars from remote paths	2025-07-04 12:47:10 +02:00
Guido Grazioli	725ec8e37b	Merge pull request #304 from SLedunois/client_secret keycloak_realm: allow secret in keycloak_clients	2025-07-04 12:46:40 +02:00
Andreas Wagner	bbe568baa5	Added support for copy remote_src function for providers	2025-07-02 16:39:49 +02:00
LEDUNOIS Simon	dcd448443f	feat: allow secret in keycloak_clients	2025-07-02 14:36:25 +00:00
ansible-middleware-core	3780a4e3c0	Bump version to 3.0.3	2025-07-01 16:56:26 +00:00
ansible-middleware-core	e60a5b7cf6	Update changelog for release 3.0.2 Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>	2025-07-01 16:56:10 +00:00
Guido Grazioli	6143ae25e2	Merge pull request #296 from RanabirChakraborty/keycloak_force_install_quarkus_role Fix `keycloak_quarkus_force_install` parameter being ignored by install	2025-07-01 18:45:34 +02:00
Ranabir Chakraborty	ef6d8890fb	keycloak_quarkus_force_install does not ignore bootstrapped	2025-07-01 21:55:39 +05:30
Guido Grazioli	55185a1439	Merge pull request #302 from tinsjourney/fix_federation_provider_type keycloak_realm: federation default provider type should be a string	2025-07-01 17:50:34 +02:00
Guido Grazioli	bb64b97e43	Merge pull request #298 from tinsjourney/alternate_download_fix Fix alternate download location being ignored (JBossNeworkAPI always used)	2025-07-01 16:10:35 +02:00
Stephane Vigan	a9c9e05569	Default provider type should be a string	2025-07-01 10:27:00 +02:00
Stephane Vigan	8b27cb0706	Fix case where archive is always downalod from JBoss Nework API Even is we set keycloak_quarkus_alternate_download_url previous block was run and we always try to download archive from JBoss Network Api.	2025-06-26 10:42:25 +02:00
Guido Grazioli	41127504dc	Merge pull request #287 from guidograzioli/kc_26_caches Session storage / distributed caches	2025-06-13 11:43:00 +02:00
Guido Grazioli	bcc961999c	implement Single site - Sessions stored in external Infinispan	2025-06-05 12:02:43 +02:00
Guido Grazioli	b8907d765d	Merge pull request #289 from guidograzioli/288_jdk_21 Use jdk21 as default in debian	2025-06-05 09:30:26 +02:00
Guido Grazioli	5c5e84b63e	Use jdk21 as default in debian	2025-06-04 20:53:28 +02:00
Guido Grazioli	3d4bd734f1	document new parameters	2025-05-29 22:20:08 +02:00
Guido Grazioli	3de96a6666	single site remote cache	2025-05-29 21:37:11 +02:00
Guido Grazioli	de0ea02272	ci: move intermittent test back	2025-05-29 21:03:03 +02:00
Guido Grazioli	b6e585f503	Merge pull request #284 from guidograzioli/caches Refactor test scenarios	2025-05-29 20:45:37 +02:00
Guido Grazioli	18de37706f	tune Xmx Xms jvm args	2025-05-29 20:37:39 +02:00
Guido Grazioli	b569e4e713	update remote cache test	2025-05-29 20:14:04 +02:00
Guido Grazioli	919d55f806	Merge pull request #286 from RanabirChakraborty/AMW-398 Use tags to decorate the role workflow	2025-05-27 11:12:07 +02:00
Guido Grazioli	476bc0ec0b	update test config	2025-05-23 14:59:50 +02:00
Helmut Wolf	2954bf81e8	Merge pull request #285 from world-direct/fix/keycloak_config_rebuild Run config rebuild after SPI providers update	2025-05-21 09:26:07 +02:00
Ranabir Chakraborty	0403939c03	AMW-398 Use tags to decorate the role workflow	2025-05-20 21:40:32 +05:30
Helmut Wolf	88e4ea8d99	fix: MVN provider invokes KC config rebuild	2025-05-20 13:53:56 +02:00
Guido Grazioli	0a5fc3ae25	restructure molecule tests	2025-05-20 10:35:01 +02:00
Guido Grazioli	f4a1798f26	Merge pull request #283 from world-direct/feature/282 RHBK v26.2 (#282)	2025-05-19 18:37:01 +02:00
Helmut Wolf	d23ae39c25	chore(molecule): RHBK v26.2 (#282 )	2025-05-19 14:44:34 +02:00
Helmut Wolf	8f95bcb9e6	feat(HA): Change default ispn discovery mechanism to JDBCPING as per v26.2.* (#282 )	2025-05-19 14:44:34 +02:00
Helmut Wolf	f8c75de5d5	chore: RHBK v26.2: Bump KC version to v26.2.4	2025-05-19 14:44:34 +02:00
Helmut Wolf	8093b1af2a	chore: RHBK v26.2: Bump RHBK version to v26.2.4	2025-05-19 14:12:22 +02:00
Helmut Wolf	a70aece0d9	chore: RHBK v26.2: Update recommended JDBC driver versions	2025-05-19 14:12:22 +02:00
Guido Grazioli	d427a6b721	Merge pull request #281 from jonathanspw/keycloak_quarkus_jgroups_ip New parameter to set the jgroups host IP address	2025-05-13 19:04:56 +02:00
Jonathan Wright	c614af127e	Add var to set the jgroups IP per host This is useful if the default route does not represent the network you want/need to use for cluster communication.	2025-05-13 09:48:46 -05:00
Guido Grazioli	0936d415c7	ci: update test linking removed url	2025-05-09 15:20:57 +02:00
Guido Grazioli	a120b1c9b5	Merge pull request #280 from world-direct/feature/279_provider_checksums New `checksum` property for keycloak_quarkus_providers	2025-05-06 17:49:41 +02:00
Helmut Wolf	5cd400b053	feat: introduce `checksum` for keycloak_quarkus_providers (#279 )	2025-05-06 15:16:50 +02:00
ansible-middleware-core	e0c4b1e1ff	Bump version to 3.0.2	2025-05-02 09:49:08 +00:00
ansible-middleware-core	88be789260	Update changelog for release 3.0.1 Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>	2025-05-02 09:48:54 +00:00
Guido Grazioli	868dac4f72	Merge pull request #277 from guidograzioli/26_0_11_update Version update to 26.0.8 / rhbk 26.0.11	2025-05-02 11:42:01 +02:00
Guido Grazioli	c45f7c0d60	Update remote cache default	2025-05-02 11:33:28 +02:00
Guido Grazioli	77c5b893b1	Merge pull request #276 from guidograzioli/275_envvars_handler Trigger rebuild handler on envvars file change	2025-05-02 11:25:27 +02:00
Guido Grazioli	9974ab2ee1	update molecule scenario	2025-05-02 11:18:57 +02:00
Guido Grazioli	b8a2ebc699	update keycloak version	2025-05-02 10:55:17 +02:00
Guido Grazioli	5beb5dcda4	Add trigger on envvars file change	2025-05-02 10:50:01 +02:00
ansible-middleware-core	d97044523d	Bump version to 3.0.1	2025-04-23 11:47:54 +00:00
ansible-middleware-core	2abc580041	Update changelog for release 3.0.0 Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>	2025-04-23 11:47:38 +00:00
Guido Grazioli	2379e10091	Merge pull request #274 from guidograzioli/273_extra_envvars_rebuild Load environment vars during kc rebuild	2025-04-23 10:47:36 +02:00
Guido Grazioli	c86dff66ba	double quote sysconfig envvars	2025-04-22 20:18:48 +02:00
Guido Grazioli	f750e93d02	Add bash to preinstalled packages	2025-04-22 14:51:15 +02:00
Guido Grazioli	1a4590b0b8	Load envvars in kc rebuild	2025-04-18 17:59:16 +02:00
Guido Grazioli	5e9535c866	Merge pull request #271 from guidograzioli/honor_http_host_setting Rename and honour parameter `keycloak_quarkus_http_host`	2025-04-18 09:11:11 +02:00
Guido Grazioli	b8028d376a	Rename and honor parameter keycloak_quarkus_http_host	2025-04-16 14:16:07 +02:00
Guido Grazioli	20797e4cad	Merge pull request #270 from guidograzioli/jdbc_params_rename Rename parameters to follow upstream	2025-04-16 13:55:19 +02:00
Guido Grazioli	70d61ce8de	rename ispn parameters	2025-04-16 11:58:04 +02:00
Guido Grazioli	69a947c0b6	rename _admin to _hostname_admin	2025-04-16 11:34:12 +02:00
Guido Grazioli	c7ce7be6c4	drop ajp port parameter	2025-04-16 10:42:07 +02:00
Guido Grazioli	e9061b29ef	Rename parameters from jdbc to db	2025-04-16 10:31:48 +02:00
Guido Grazioli	c92bf19720	Merge pull request #269 from Preskton/patch-1 Update example playbooks to use new `bootstrap` var	2025-04-14 12:52:51 +02:00
Guido Grazioli	1ca0b30a81	Merge pull request #268 from RanabirChakraborty/AMW-384 keycloak_realm: change url variables to defaults	2025-04-14 10:49:01 +02:00
Preston Doster	7738e0feb1	Update keycloak_quarkus_dev.yml	2025-04-13 10:18:27 -05:00
Preston Doster	671cf4eb53	Updating example playbooks to use `bootstrap` admin password It looks like the underlying `quarkus` provider has changed to use `keycloak_quarkus_bootstrap_admin_password`.	2025-04-13 10:17:22 -05:00
Ranabir Chakraborty	f146eb5fda	AMW-384 Keycloak realm variable keycloak_url with hard-coded http	2025-04-11 21:49:01 +05:30
Guido Grazioli	a10bc95bfc	Merge pull request #266 from guidograzioli/major_bump_3 Bump major and ansible-core versions	2025-04-09 20:28:52 +02:00
Guido Grazioli	314e2f26b2	Fix spell in parameter name	2025-04-09 18:08:18 +02:00
Guido Grazioli	f628b84fb0	disable restart health check because of selfsigned cert	2025-04-09 17:21:49 +02:00
Guido Grazioli	ac0ceca35f	Update to ubi9	2025-04-09 09:45:22 +02:00
Guido Grazioli	744766fe3b	update doc generation to 2.16	2025-04-08 15:36:38 +02:00
Guido Grazioli	7f980c44d2	Bump major and ansible-core versions	2025-04-08 11:58:47 +02:00
Guido Grazioli	532dc12a60	Merge pull request #254 from world-direct/feature/253_rhbk_v26 Role support for keycloak/RHBK v26	2025-04-08 11:47:35 +02:00
Guido Grazioli	173a85638f	Merge pull request #257 from NilsDeckert/main Skip certificate checking	2025-04-01 15:27:39 +02:00
Guido Grazioli	81f019f8b5	Merge pull request #264 from guidograzioli/linter_reserved_words Variables names must not be Ansible reserved names	2025-04-01 15:25:10 +02:00
Guido Grazioli	5db96afa56	Variables names must not be Ansible reserved names	2025-04-01 15:20:37 +02:00
Helmut Wolf	fa36721207	Improve string interpolation	2025-01-20 09:44:27 +01:00
Helmut Wolf	86284b12c2	Fix molecule tests	2025-01-09 12:17:07 +01:00
Nils Deckert	b3e93dd89b	Skip certificate checking	2024-12-20 17:21:49 +01:00
Helmut Wolf	e029e1c2fd	keycloak_quarkus: Introduce keycloak_quarkus_health_check_url	2024-12-13 12:12:02 +01:00
Helmut Wolf	d0f19b59dc	keycloak_quarkus: Add http_management_port and http_management_relative_path options RHBK v26 exposes health endpoints and metrics on this port moving forward. Note that the scheme of the MGMT interface is defined by the overall keycloak configuration: if https is enabled and configured, th MGMT interface is exposed via https and NOT via http; this might be breaking some configured load balancer health checks	2024-12-13 12:11:35 +01:00
Helmut Wolf	213449ec58	RHBK v26: Add hostname v2 (KC/RHBK v26 Support #253 ) Cf. https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options - especially the removed options	2024-12-13 12:11:35 +01:00
Helmut Wolf	277e1336ee	RHBK v26: Migrate to `keycloak_quarkus_bootstrap_admin_user[_password]` (Process for creation of admin account changed #248 )	2024-12-13 12:11:35 +01:00
Helmut Wolf	58233549a7	keycloak.conf: Remove `config-keystore-type` (KC/RHBK v26 Support #253 ) Cf. <https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#keystore_and_trust_store_default_format_change>	2024-12-13 12:11:35 +01:00
Helmut Wolf	0c58ae48ff	RHBK v26: Update ispn session usages (KC/RHBK v26 Support #253 ) Cf. <https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#restricting_the_size_of_session_caches>	2024-12-13 12:11:35 +01:00
Helmut Wolf	bf0bd9e1da	RHBK v26: Update mssqj jdbc driver (KC/RHBK v26 Support #253 ) As per <https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/server_configuration_guide/index#db-installing-the-microsoft-sql-server-driver>	2024-12-13 12:11:35 +01:00
Helmut Wolf	5d15d37890	RHBK v26: Raise default KC+RHBK versions to v26.x (#253 )	2024-12-13 12:11:35 +01:00
Guido Grazioli	910a2aa5d4	Merge pull request #252 from world-direct/feature/cache_buster Add theme cache invalidation handler	2024-12-12 09:36:18 +01:00
Helmut Wolf	5f534ca566	keycloak_quarkus: Add theme cache invalidation handler	2024-12-12 09:05:09 +01:00
Guido Grazioli	692fb59797	Merge pull request #251 from RanabirChakraborty/increase_access_token_lifespan Access token lifespan is too short for ansible run	2024-12-11 16:19:13 +01:00
Ranabir Chakraborty	d1859aaff2	Access token lifespan is too short for ansible run	2024-12-03 22:40:25 +05:30
Guido Grazioli	0d0e52f9ff	Merge pull request #250 from world-direct/feature/249 Rebuild config and restart service for local providers	2024-11-25 08:40:54 +01:00
Helmut Wolf	68a0f88423	keycloak_quarkus: Rebuild config and restart service for local providers (#249 )	2024-11-22 08:08:09 +01:00
ansible-middleware-core	333d55ad73	Bump version to 2.4.4	2024-10-16 07:24:57 +00:00