internet/ansible-middleware.keycloak
3
0
Fork 0
mirror of https://github.com/ansible-middleware/keycloak.git synced 2026-03-27 13:53:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: internet:2.4.3
Branches Tags
internet:main internet:gh-pages internet:feature/182_restart_handler internet:rhbk_mol_sudo
internet:3.0.3 internet:3.0.2 internet:3.0.1 internet:3.0.0 internet:2.4.3 internet:2.4.2 internet:2.4.1 internet:2.4.0 internet:2.3.0 internet:2.2.2 internet:2.2.1 internet:2.2.0 internet:2.1.2 internet:2.1.1 internet:2.1.0 internet:2.0.2 internet:2.0.1 internet:2.0.0 internet:1.3.0 internet:1.2.8 internet:1.2.7 internet:1.2.6 internet:1.2.5 internet:1.2.4 internet:1.2.1 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.7 internet:1.0.6 internet:1.0.5 internet:1.0.4 internet:1.0.3 internet:1.0.2 internet:1.0.1 internet:1.0.0 internet:v0.2.5 internet:v0.2.4 internet:v0.2.3 internet:0.2.2 internet:v0.2.1 internet:v0.2.0 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0 internet:v0.0.4 internet:v0.0.3 internet:v0.0.2 internet:v0.0.1
...
compare: internet:main
Branches Tags
internet:main internet:gh-pages internet:feature/182_restart_handler internet:rhbk_mol_sudo
internet:3.0.3 internet:3.0.2 internet:3.0.1 internet:3.0.0 internet:2.4.3 internet:2.4.2 internet:2.4.1 internet:2.4.0 internet:2.3.0 internet:2.2.2 internet:2.2.1 internet:2.2.0 internet:2.1.2 internet:2.1.1 internet:2.1.0 internet:2.0.2 internet:2.0.1 internet:2.0.0 internet:1.3.0 internet:1.2.8 internet:1.2.7 internet:1.2.6 internet:1.2.5 internet:1.2.4 internet:1.2.1 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.7 internet:1.0.6 internet:1.0.5 internet:1.0.4 internet:1.0.3 internet:1.0.2 internet:1.0.1 internet:1.0.0 internet:v0.2.5 internet:v0.2.4 internet:v0.2.3 internet:0.2.2 internet:v0.2.1 internet:v0.2.0 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0 internet:v0.0.4 internet:v0.0.3 internet:v0.0.2 internet:v0.0.1

120 Commits
2.4.3 ... main

Author SHA1 Message Date
Helmut Wolf
64469b6fac Merge pull request #320 from world-direct/fix/ispn_config 
fix: include ispn config file conditionally
 2026-01-15 08:05:26 +01:00
Ranabir Chakraborty
75e308b710 Merge pull request #321 from RanabirChakraborty/AMW-467 
AMW-467 Download keycloak binary from password protected HTTP location
 2026-01-14 21:59:45 +05:30
Ranabir Chakraborty
9cdf24ce28 AMW-467 Download keycloak binary from password protected HTTP location 2026-01-13 23:48:01 +05:30
Helmut Wolf
a00a602c3c fix: include ispn config file conditionally 2026-01-13 10:17:04 +01:00
Ranabir Chakraborty
a5a75c6d46 Merge pull request #317 from SLedunois/main 
v26.4.x compability
 2026-01-12 23:34:28 +05:30
Helmut Wolf
7212e572cd chore(defaults): raise default keycloak/rhbk versions to 26.4.7 2026-01-12 10:28:47 +01:00
Helmut Wolf
bc669ce0cd chore(deps): Update default SQL driver versions 
As per https://access.redhat.com/articles/7027683
 2026-01-12 10:28:47 +01:00
Simon LEDUNOIS
3c097ebf09 chore: add molecule test for quarkus ha 26.4- 2026-01-12 10:28:47 +01:00
Simon Ledunois
9562bf727e chore: manage infinispan configuration file 2026-01-12 10:28:47 +01:00
Simon Ledunois
6c3e327294 chore: upgrade to 26.4.7 2026-01-12 10:28:47 +01:00
Ranabir Chakraborty
be0c8a4ae3 Merge pull request #319 from RanabirChakraborty/fixing-lint 
Removing parseable from lint file as Additional properties are not allowed
 2026-01-09 22:16:00 +05:30
Ranabir Chakraborty
6bf10cc3e9 Removing parseable from lint file as Additional properties are not allowed 2026-01-09 22:14:03 +05:30
ansible-middleware-core
d0161dbeef Bump version to 3.0.4 2025-12-16 15:53:14 +00:00
ansible-middleware-core
bf5c805fcd Update changelog for release 3.0.3 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2025-12-16 15:52:59 +00:00
Ranabir Chakraborty
2b1c07d87e Merge pull request #306 from fxwgr/patch0 
Declared proxy_mode as deprecated, updated quarkus and realm readme
 2025-12-16 20:08:58 +05:30
Andreas Wagner
f1305e5aac Updated quarkus and realm readme, declared proxy_mode as deprecated 
Updated argument_specs and declared keycloak_quarkus_proxy_mode as deprecated
 2025-11-14 11:55:24 +01:00
Ranabir Chakraborty
412e17e9ea Merge pull request #312 from RanabirChakraborty/ci_label_fix 
keycloak collection CI label is showing no status
 2025-10-04 20:46:52 +05:30
Ranabir Chakraborty
fa87c004e3 keycloak collection CI label is showing no status 2025-10-04 20:19:09 +05:30
Ranabir Chakraborty
6c9bddbd61 Merge pull request #308 from tinsjourney/fix_config_key_store_password 
Fix config_key_store_file description to match variable name
 2025-09-25 21:47:46 +05:30
Ranabir Chakraborty
4602d254cf Merge pull request #310 from world-direct/fix/309 
ansible-core 2.19 compatibility
 2025-09-18 18:58:54 +05:30
Helmut Wolf
8b2ef22023 fix ansible-core v2.19.0: initialize keycloak_quarkus_hostname_admin to an empty string 2025-07-22 12:11:09 +02:00
Helmut Wolf
66228c3a13 ansible 2.19.0: fix error 
'item' is undefined error, https://github.com/ansible-middleware/keycloak/issues/309#issuecomment-3101960407
 2025-07-22 12:09:14 +02:00
Stephane Vigan
556d155533 Fix config_key_store_file description to match variable name 2025-07-21 16:15:59 +02:00
Guido Grazioli
c1bf9727f9 Merge pull request #293 from world-direct/fix/292 
Update to keycloak 26.3.0
 2025-07-09 11:38:56 +02:00
Helmut Wolf
f79fd227eb chore: bump KC/RHBK to v26.3.0/v26.2.5 2025-07-07 11:09:35 +02:00
Helmut Wolf
19564987ca fix(quarkus): update infinispan-client configuration to include port in server-list and hosts 2025-07-07 11:05:44 +02:00
Helmut Wolf
1ff25325a7 fix(ispn): use legacy JGroups stack configuration for < 26.2 only 2025-07-07 11:05:44 +02:00
Guido Grazioli
0099f1cf07 Merge pull request #303 from fxwgr/main 
Allow to install provider jars from remote paths
 2025-07-04 12:47:10 +02:00
Guido Grazioli
725ec8e37b Merge pull request #304 from SLedunois/client_secret 
keycloak_realm: allow secret in keycloak_clients
 2025-07-04 12:46:40 +02:00
Andreas Wagner
bbe568baa5 Added support for copy remote_src function for providers 2025-07-02 16:39:49 +02:00
LEDUNOIS Simon
dcd448443f feat: allow secret in keycloak_clients 2025-07-02 14:36:25 +00:00
ansible-middleware-core
3780a4e3c0 Bump version to 3.0.3 2025-07-01 16:56:26 +00:00
ansible-middleware-core
e60a5b7cf6 Update changelog for release 3.0.2 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2025-07-01 16:56:10 +00:00
Guido Grazioli
6143ae25e2 Merge pull request #296 from RanabirChakraborty/keycloak_force_install_quarkus_role 
Fix `keycloak_quarkus_force_install` parameter being ignored by install
 2025-07-01 18:45:34 +02:00
Ranabir Chakraborty
ef6d8890fb keycloak_quarkus_force_install does not ignore bootstrapped 2025-07-01 21:55:39 +05:30
Guido Grazioli
55185a1439 Merge pull request #302 from tinsjourney/fix_federation_provider_type 
keycloak_realm: federation default provider type should be a string
 2025-07-01 17:50:34 +02:00
Guido Grazioli
bb64b97e43 Merge pull request #298 from tinsjourney/alternate_download_fix 
Fix alternate download location being ignored (JBossNeworkAPI always used)
 2025-07-01 16:10:35 +02:00
Stephane Vigan
a9c9e05569 Default provider type should be a string 2025-07-01 10:27:00 +02:00
Stephane Vigan
8b27cb0706 Fix case where archive is always downalod from JBoss Nework API 
Even is we set keycloak_quarkus_alternate_download_url
previous block was run and we always try to download
archive from JBoss Network Api.
 2025-06-26 10:42:25 +02:00
Guido Grazioli
41127504dc Merge pull request #287 from guidograzioli/kc_26_caches 
Session storage / distributed caches
 2025-06-13 11:43:00 +02:00
Guido Grazioli
bcc961999c implement Single site - Sessions stored in external Infinispan 2025-06-05 12:02:43 +02:00
Guido Grazioli
b8907d765d Merge pull request #289 from guidograzioli/288_jdk_21 
Use jdk21 as default in debian
 2025-06-05 09:30:26 +02:00
Guido Grazioli
5c5e84b63e Use jdk21 as default in debian 2025-06-04 20:53:28 +02:00
Guido Grazioli
3d4bd734f1 document new parameters 2025-05-29 22:20:08 +02:00
Guido Grazioli
3de96a6666 single site remote cache 2025-05-29 21:37:11 +02:00
Guido Grazioli
de0ea02272 ci: move intermittent test back 2025-05-29 21:03:03 +02:00
Guido Grazioli
b6e585f503 Merge pull request #284 from guidograzioli/caches 
Refactor test scenarios
 2025-05-29 20:45:37 +02:00
Guido Grazioli
18de37706f tune Xmx Xms jvm args 2025-05-29 20:37:39 +02:00
Guido Grazioli
b569e4e713 update remote cache test 2025-05-29 20:14:04 +02:00
Guido Grazioli
919d55f806 Merge pull request #286 from RanabirChakraborty/AMW-398 
Use tags to decorate the role workflow
 2025-05-27 11:12:07 +02:00
Guido Grazioli
476bc0ec0b update test config 2025-05-23 14:59:50 +02:00
Helmut Wolf
2954bf81e8 Merge pull request #285 from world-direct/fix/keycloak_config_rebuild 
Run config rebuild after SPI providers update
 2025-05-21 09:26:07 +02:00
Ranabir Chakraborty
0403939c03 AMW-398 Use tags to decorate the role workflow 2025-05-20 21:40:32 +05:30
Helmut Wolf
88e4ea8d99 fix: MVN provider invokes KC config rebuild 2025-05-20 13:53:56 +02:00
Guido Grazioli
0a5fc3ae25 restructure molecule tests 2025-05-20 10:35:01 +02:00
Guido Grazioli
f4a1798f26 Merge pull request #283 from world-direct/feature/282 
RHBK v26.2 (#282)
 2025-05-19 18:37:01 +02:00
Helmut Wolf
d23ae39c25 chore(molecule): RHBK v26.2 (#282) 2025-05-19 14:44:34 +02:00
Helmut Wolf
8f95bcb9e6 feat(HA): Change default ispn discovery mechanism to JDBCPING as per v26.2.* (#282) 2025-05-19 14:44:34 +02:00
Helmut Wolf
f8c75de5d5 chore: RHBK v26.2: Bump KC version to v26.2.4 2025-05-19 14:44:34 +02:00
Helmut Wolf
8093b1af2a chore: RHBK v26.2: Bump RHBK version to v26.2.4 2025-05-19 14:12:22 +02:00
Helmut Wolf
a70aece0d9 chore: RHBK v26.2: Update recommended JDBC driver versions 2025-05-19 14:12:22 +02:00
Guido Grazioli
d427a6b721 Merge pull request #281 from jonathanspw/keycloak_quarkus_jgroups_ip 
New parameter to set the jgroups host IP address
 2025-05-13 19:04:56 +02:00
Jonathan Wright
c614af127e Add var to set the jgroups IP per host 
This is useful if the default route does not
represent the network you want/need to use for
cluster communication.
 2025-05-13 09:48:46 -05:00
Guido Grazioli
0936d415c7 ci: update test linking removed url 2025-05-09 15:20:57 +02:00
Guido Grazioli
a120b1c9b5 Merge pull request #280 from world-direct/feature/279_provider_checksums 
New `checksum` property for keycloak_quarkus_providers
 2025-05-06 17:49:41 +02:00
Helmut Wolf
5cd400b053 feat: introduce checksum for keycloak_quarkus_providers (#279) 2025-05-06 15:16:50 +02:00
ansible-middleware-core
e0c4b1e1ff Bump version to 3.0.2 2025-05-02 09:49:08 +00:00
ansible-middleware-core
88be789260 Update changelog for release 3.0.1 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2025-05-02 09:48:54 +00:00
Guido Grazioli
868dac4f72 Merge pull request #277 from guidograzioli/26_0_11_update 
Version update to 26.0.8 / rhbk 26.0.11
 2025-05-02 11:42:01 +02:00
Guido Grazioli
c45f7c0d60 Update remote cache default 2025-05-02 11:33:28 +02:00
Guido Grazioli
77c5b893b1 Merge pull request #276 from guidograzioli/275_envvars_handler 
Trigger rebuild handler on envvars file change
 2025-05-02 11:25:27 +02:00
Guido Grazioli
9974ab2ee1 update molecule scenario 2025-05-02 11:18:57 +02:00
Guido Grazioli
b8a2ebc699 update keycloak version 2025-05-02 10:55:17 +02:00
Guido Grazioli
5beb5dcda4 Add trigger on envvars file change 2025-05-02 10:50:01 +02:00
ansible-middleware-core
d97044523d Bump version to 3.0.1 2025-04-23 11:47:54 +00:00
ansible-middleware-core
2abc580041 Update changelog for release 3.0.0 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2025-04-23 11:47:38 +00:00
Guido Grazioli
2379e10091 Merge pull request #274 from guidograzioli/273_extra_envvars_rebuild 
Load environment vars during kc rebuild
 2025-04-23 10:47:36 +02:00
Guido Grazioli
c86dff66ba double quote sysconfig envvars 2025-04-22 20:18:48 +02:00
Guido Grazioli
f750e93d02 Add bash to preinstalled packages 2025-04-22 14:51:15 +02:00
Guido Grazioli
1a4590b0b8 Load envvars in kc rebuild 2025-04-18 17:59:16 +02:00
Guido Grazioli
5e9535c866 Merge pull request #271 from guidograzioli/honor_http_host_setting 
Rename and honour parameter `keycloak_quarkus_http_host`
 2025-04-18 09:11:11 +02:00
Guido Grazioli
b8028d376a Rename and honor parameter keycloak_quarkus_http_host 2025-04-16 14:16:07 +02:00
Guido Grazioli
20797e4cad Merge pull request #270 from guidograzioli/jdbc_params_rename 
Rename parameters to follow upstream
 2025-04-16 13:55:19 +02:00
Guido Grazioli
70d61ce8de rename ispn parameters 2025-04-16 11:58:04 +02:00
Guido Grazioli
69a947c0b6 rename _admin to _hostname_admin 2025-04-16 11:34:12 +02:00
Guido Grazioli
c7ce7be6c4 drop ajp port parameter 2025-04-16 10:42:07 +02:00
Guido Grazioli
e9061b29ef Rename parameters from jdbc to db 2025-04-16 10:31:48 +02:00
Guido Grazioli
c92bf19720 Merge pull request #269 from Preskton/patch-1 
Update example playbooks to use new `bootstrap` var
 2025-04-14 12:52:51 +02:00
Guido Grazioli
1ca0b30a81 Merge pull request #268 from RanabirChakraborty/AMW-384 
keycloak_realm: change url variables to defaults
 2025-04-14 10:49:01 +02:00
Preston Doster
7738e0feb1 Update keycloak_quarkus_dev.yml 2025-04-13 10:18:27 -05:00
Preston Doster
671cf4eb53 Updating example playbooks to use bootstrap admin password 
It looks like the underlying `quarkus` provider has changed to use `keycloak_quarkus_bootstrap_admin_password`.
 2025-04-13 10:17:22 -05:00
Ranabir Chakraborty
f146eb5fda AMW-384 Keycloak realm variable keycloak_url with hard-coded http 2025-04-11 21:49:01 +05:30
Guido Grazioli
a10bc95bfc Merge pull request #266 from guidograzioli/major_bump_3 
Bump major and ansible-core versions
 2025-04-09 20:28:52 +02:00
Guido Grazioli
314e2f26b2 Fix spell in parameter name 2025-04-09 18:08:18 +02:00
Guido Grazioli
f628b84fb0 disable restart health check because of selfsigned cert 2025-04-09 17:21:49 +02:00
Guido Grazioli
ac0ceca35f Update to ubi9 2025-04-09 09:45:22 +02:00
Guido Grazioli
744766fe3b update doc generation to 2.16 2025-04-08 15:36:38 +02:00
Guido Grazioli
7f980c44d2 Bump major and ansible-core versions 2025-04-08 11:58:47 +02:00
Guido Grazioli
532dc12a60 Merge pull request #254 from world-direct/feature/253_rhbk_v26 
Role support for keycloak/RHBK v26
 2025-04-08 11:47:35 +02:00
Guido Grazioli
173a85638f Merge pull request #257 from NilsDeckert/main 
Skip certificate checking
 2025-04-01 15:27:39 +02:00
Guido Grazioli
81f019f8b5 Merge pull request #264 from guidograzioli/linter_reserved_words 
Variables names must not be Ansible reserved names
 2025-04-01 15:25:10 +02:00
Guido Grazioli
5db96afa56 Variables names must not be Ansible reserved names 2025-04-01 15:20:37 +02:00
Helmut Wolf
fa36721207 Improve string interpolation 2025-01-20 09:44:27 +01:00
Helmut Wolf
86284b12c2 Fix molecule tests 2025-01-09 12:17:07 +01:00
Nils Deckert
b3e93dd89b Skip certificate checking 2024-12-20 17:21:49 +01:00
Helmut Wolf
e029e1c2fd keycloak_quarkus: Introduce keycloak_quarkus_health_check_url 2024-12-13 12:12:02 +01:00
Helmut Wolf
d0f19b59dc keycloak_quarkus: Add http_management_port and http_management_relative_path options 
RHBK v26 exposes health endpoints and metrics on this port moving forward.
Note that the scheme of the MGMT interface is defined by the overall keycloak configuration: if https is enabled and configured, th MGMT interface is exposed via https and NOT via http; this might be breaking some configured load balancer health checks
 2024-12-13 12:11:35 +01:00
Helmut Wolf
213449ec58 RHBK v26: Add hostname v2 (KC/RHBK v26 Support #253) 
Cf. https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options - especially the removed options
 2024-12-13 12:11:35 +01:00
Helmut Wolf
277e1336ee RHBK v26: Migrate to keycloak_quarkus_bootstrap_admin_user[_password] (Process for creation of admin account changed #248) 2024-12-13 12:11:35 +01:00
Helmut Wolf
58233549a7 keycloak.conf: Remove config-keystore-type (KC/RHBK v26 Support #253) 
Cf. <https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#keystore_and_trust_store_default_format_change>
 2024-12-13 12:11:35 +01:00
Helmut Wolf
0c58ae48ff RHBK v26: Update ispn session usages (KC/RHBK v26 Support #253) 
Cf. <https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#restricting_the_size_of_session_caches>
 2024-12-13 12:11:35 +01:00
Helmut Wolf
bf0bd9e1da RHBK v26: Update mssqj jdbc driver (KC/RHBK v26 Support #253) 
As per <https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/server_configuration_guide/index#db-installing-the-microsoft-sql-server-driver>
 2024-12-13 12:11:35 +01:00
Helmut Wolf
5d15d37890 RHBK v26: Raise default KC+RHBK versions to v26.x (#253) 2024-12-13 12:11:35 +01:00
Guido Grazioli
910a2aa5d4 Merge pull request #252 from world-direct/feature/cache_buster 
Add theme cache invalidation handler
 2024-12-12 09:36:18 +01:00
Helmut Wolf
5f534ca566 keycloak_quarkus: Add theme cache invalidation handler 2024-12-12 09:05:09 +01:00
Guido Grazioli
692fb59797 Merge pull request #251 from RanabirChakraborty/increase_access_token_lifespan 
Access token lifespan is too short for ansible run
 2024-12-11 16:19:13 +01:00
Ranabir Chakraborty
d1859aaff2 Access token lifespan is too short for ansible run 2024-12-03 22:40:25 +05:30
Guido Grazioli
0d0e52f9ff Merge pull request #250 from world-direct/feature/249 
Rebuild config and restart service for local providers
 2024-11-25 08:40:54 +01:00
Helmut Wolf
68a0f88423 keycloak_quarkus: Rebuild config and restart service for local providers (#249) 2024-11-22 08:08:09 +01:00
ansible-middleware-core
333d55ad73 Bump version to 2.4.4 2024-10-16 07:24:57 +00:00
94 changed files with 2917 additions and 344 deletions
Expand all files Collapse all files

1
.ansible-lint
View File

@@ -40,4 +40,3 @@ skip_list:
- var-naming[no-role-prefix]
use_default_rules: true
parseable: true

13
.github/workflows/ci.yml vendored
View File

@@ -6,14 +6,23 @@ on:
- main
pull_request:
workflow_dispatch:
inputs:
debug_verbosity:
description: 'ANSIBLE_VERBOSITY envvar value'
required: false
schedule:
- cron: '15 6 * * *'
jobs:
ci:
uses: ansible-middleware/github-actions/.github/workflows/ci.yml@main
uses: ansible-middleware/github-actions/.github/workflows/cish.yml@main
secrets: inherit
with:
fqcn: 'middleware_automation/keycloak'
debug_verbosity: "${{ github.event.inputs.debug_verbosity }}"
molecule_tests: >-
[ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "quarkus_upgrade", "debian", "quarkus_ha" ]
[ "debian", "quarkus", "quarkus_ha", "quarkus_ha_remote", "quarkus_ha_26.4_below" ]
podman_tests_current: >-
[ "default", "quarkus_devmode", "quarkus_upgrade" ]
podman_tests_next: >-
[ "default", "quarkus_devmode", "quarkus_upgrade" ]

84
CHANGELOG.rst
View File

@@ -6,6 +6,90 @@ middleware\_automation.keycloak Release Notes
This changelog describes changes after version 0.2.6.
v3.0.3
======
Major Changes
-------------
- Update to keycloak 26.3.0 `#293 <https://github.com/ansible-middleware/keycloak/pull/293>`_
- ansible-core 2.19 compatibility `#310 <https://github.com/ansible-middleware/keycloak/pull/310>`_
Minor Changes
-------------
- Allow to install provider jars from remote paths `#303 <https://github.com/ansible-middleware/keycloak/pull/303>`_
- Declared proxy_mode as deprecated, updated quarkus and realm readme `#306 <https://github.com/ansible-middleware/keycloak/pull/306>`_
- Fix config_key_store_file description to match variable name `#308 <https://github.com/ansible-middleware/keycloak/pull/308>`_
Bugfixes
--------
- keycloak collection CI label is showing no status `#312 <https://github.com/ansible-middleware/keycloak/pull/312>`_
- keycloak_realm: allow secret in keycloak_clients `#304 <https://github.com/ansible-middleware/keycloak/pull/304>`_
v3.0.2
======
Minor Changes
-------------
- New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_
- New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_
- Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_
- Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_
Bugfixes
--------
- Fix ``keycloak_quarkus_force_install`` parameter being ignored by install `#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_
- Fix alternate download location being ignored (JBossNeworkAPI always used) `#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_
- Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_
- Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_
- keycloak_realm: federation default provider type should be a string `#302 <https://github.com/ansible-middleware/keycloak/pull/302>`_
v3.0.1
======
Minor Changes
-------------
- Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_
Bugfixes
--------
- Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_
v3.0.0
======
Minor Changes
-------------
- Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_
- keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_
Breaking Changes / Porting Guide
--------------------------------
- Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_
- Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_
- Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_
Bugfixes
--------
- Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_
- Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_
- Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_
- Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_
New Modules
-----------
- middleware_automation.keycloak.keycloak_realm - Allows administration of Keycloak realm via Keycloak API
v2.4.3
======

2
CONTRIBUTING.md
View File

@@ -24,7 +24,7 @@ virtualenv $PATH_TO_DEV_VIRTUALENV
# activate the virtual env
source $PATH_TO_DEV_VIRTUALENV/bin/activate
# install ansible and tools onto the virtualenv
pip install yamllint 'molecule>=6.0' 'molecule-plugins[docker]' 'ansible-core>=2.15' ansible-lint
pip install yamllint 'molecule>=6.0' 'molecule-plugins[docker]' 'ansible-core>=2.16' ansible-lint
# install collection dependencies
ansible-galaxy collection install -r requirements.yml
# install python dependencies

4
README.md
View File

@@ -1,7 +1,7 @@
# Ansible Collection - middleware_automation.keycloak
<!--start build_status -->
[![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
[![Build Status](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
> **_NOTE:_ If you are Red Hat customer, install `redhat.rhbk` (for Red Hat Build of Keycloak) or `redhat.sso` (for Red Hat Single Sign-On) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.**
@@ -12,7 +12,7 @@ Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Re
<!--start requires_ansible-->
## Ansible version compatibility
This collection has been tested against following Ansible versions: **>=2.15.0**.
This collection has been tested against following Ansible versions: **>=2.16.0**.
Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
<!--end requires_ansible-->

142
changelogs/changelog.yaml
View File

@@ -613,3 +613,145 @@ releases:
fragments:
- 241.yaml
release_date: '2024-10-16'
3.0.0:
changes:
breaking_changes:
- 'Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_
'
- 'Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_
'
- 'Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_
'
bugfixes:
- 'Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_
'
- 'Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_
'
- 'Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_
'
- 'Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_
'
minor_changes:
- 'Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_
'
- 'keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_
'
fragments:
- 250.yaml
- 251.yaml
- 252.yaml
- 254.yaml
- 266.yaml
- 268.yaml
- 270.yaml
- 271.yaml
- 274.yaml
modules:
- description: Allows administration of Keycloak realm via Keycloak API
name: keycloak_realm
namespace: ''
release_date: '2025-04-23'
3.0.1:
changes:
bugfixes:
- 'Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_
'
minor_changes:
- 'Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_
'
fragments:
- 276.yaml
- 277.yaml
release_date: '2025-05-02'
3.0.2:
changes:
bugfixes:
- 'Fix ``keycloak_quarkus_force_install`` parameter being ignored by install
`#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_
'
- 'Fix alternate download location being ignored (JBossNeworkAPI always used)
`#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_
'
- 'Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_
'
- 'Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_
'
- 'keycloak_realm: federation default provider type should be a string `#302
<https://github.com/ansible-middleware/keycloak/pull/302>`_
'
minor_changes:
- 'New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_
'
- 'New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_
'
- 'Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_
'
- 'Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_
'
fragments:
- 280.yaml
- 281.yaml
- 283.yaml
- 285.yaml
- 287.yaml
- 289.yaml
- 296.yaml
- 298.yaml
- 302.yaml
release_date: '2025-07-01'
3.0.3:
changes:
bugfixes:
- 'keycloak collection CI label is showing no status `#312 <https://github.com/ansible-middleware/keycloak/pull/312>`_
'
- 'keycloak_realm: allow secret in keycloak_clients `#304 <https://github.com/ansible-middleware/keycloak/pull/304>`_
'
major_changes:
- 'Update to keycloak 26.3.0 `#293 <https://github.com/ansible-middleware/keycloak/pull/293>`_
'
- 'ansible-core 2.19 compatibility `#310 <https://github.com/ansible-middleware/keycloak/pull/310>`_
'
minor_changes:
- 'Allow to install provider jars from remote paths `#303 <https://github.com/ansible-middleware/keycloak/pull/303>`_
'
- 'Declared proxy_mode as deprecated, updated quarkus and realm readme `#306
<https://github.com/ansible-middleware/keycloak/pull/306>`_
'
- 'Fix config_key_store_file description to match variable name `#308 <https://github.com/ansible-middleware/keycloak/pull/308>`_
'
fragments:
- 293.yaml
- 303.yaml
- 304.yaml
- 306.yaml
- 308.yaml
- 310.yaml
- 312.yaml
release_date: '2025-12-16'

2
docs/requirements.txt
View File

@@ -1,7 +1,7 @@
antsibull>=0.17.0
antsibull-docs
antsibull-changelog
ansible-core>=2.14.1
ansible-core>=2.16.0
ansible-pygments
sphinx-rtd-theme
git+https://github.com/felixfontein/ansible-basic-sphinx-ext

2
galaxy.yml
View File

@@ -1,7 +1,7 @@
---
namespace: middleware_automation
name: keycloak
version: "2.4.3"
version: "3.0.4"
readme: README.md
authors:
- Romain Pelisse <rpelisse@redhat.com>

2
meta/runtime.yml
View File

@@ -1,2 +1,2 @@
---
requires_ansible: ">=2.15.0"
requires_ansible: ">=2.16.0"

9
molecule/debian/converge.yml
View File

@@ -3,16 +3,19 @@
hosts: all
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_admin_password: "remembertochangeme"
keycloak_quarkus_host: instance
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
keycloak_quarkus_hostname: http://instance:8080
keycloak_quarkus_log: file
keycloak_quarkus_start_dev: true
keycloak_quarkus_proxy_mode: none
roles:
- role: keycloak_quarkus
- role: keycloak_realm
keycloak_url: "{{ keycloak_quarkus_hostname }}"
keycloak_context: ''
keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
keycloak_client_users:
- username: TestUser
password: password

2
molecule/debian/molecule.yml
View File

@@ -3,7 +3,7 @@ driver:
name: docker
platforms:
- name: instance
image: ghcr.io/hspaans/molecule-containers:debian-11
image: ghcr.io/hspaans/molecule-containers:debian-13
pre_build_image: true
privileged: true
port_bindings:

4
molecule/debian/prepare.yml
View File

@@ -7,5 +7,5 @@
ansible.builtin.apt:
name:
- sudo
- openjdk-17-jdk-headless
state: present
- openjdk-21-jdk-headless
- iproute2

2
molecule/debian/verify.yml
View File

@@ -2,7 +2,7 @@
- name: Verify
hosts: all
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
keycloak_jboss_port_offset: 10

10
molecule/default/converge.yml
View File

@@ -3,9 +3,9 @@
hosts: all
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_admin_password: "remembertochangeme"
keycloak_quarkus_host: instance
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
keycloak_quarkus_hostname: http://instance:8080
keycloak_quarkus_log: file
keycloak_quarkus_log_level: debug
keycloak_quarkus_log_target: /tmp/keycloak
@@ -13,10 +13,14 @@
keycloak_quarkus_proxy_mode: none
keycloak_quarkus_offline_install: true
keycloak_quarkus_download_path: /tmp/keycloak/
keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m "
roles:
- role: keycloak_quarkus
- role: keycloak_realm
keycloak_url: "{{ keycloak_quarkus_hostname }}"
keycloak_context: ''
keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
keycloak_client_users:
- username: TestUser
password: password

7
molecule/default/molecule.yml
View File

@@ -1,9 +1,9 @@
---
driver:
name: docker
name: podman
platforms:
- name: instance
image: registry.access.redhat.com/ubi8/ubi-init:latest
image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
@@ -11,6 +11,7 @@ platforms:
- "8080/tcp"
- "8443/tcp"
- "8009/tcp"
- "9000/tcp"
provisioner:
name: ansible
config_options:
@@ -28,6 +29,8 @@ provisioner:
ansible_python_interpreter: "{{ ansible_playbook_python }}"
env:
ANSIBLE_FORCE_COLOR: "true"
PROXY: "${PROXY}"
NO_PROXY: "${NO_PROXY}"
verifier:
name: ansible
scenario:

6
molecule/default/prepare.yml
View File

@@ -7,10 +7,6 @@
tasks:
- name: "Run preparation common to all scenario"
ansible.builtin.include_tasks: ../prepare.yml
vars:
assets:
- "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip"
- "{{ assets_server }}/sso/7.6.1/rh-sso-7.6.1-patch.zip"
- name: Create controller directory for downloads
ansible.builtin.file: # noqa risky-file-permissions delegated, uses controller host user
@@ -22,7 +18,7 @@
- name: Download keycloak archive to controller directory
ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
url: https://github.com/keycloak/keycloak/releases/download/24.0.5/keycloak-24.0.5.zip
url: https://github.com/keycloak/keycloak/releases/download/26.4.7/keycloak-26.4.7.zip
dest: /tmp/keycloak
mode: '0640'
delegate_to: localhost

5
molecule/default/verify.yml
View File

@@ -2,7 +2,8 @@
- name: Verify
hosts: all
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
keycloak_uri: "http://localhost:8080"
tasks:
- name: Populate service facts
@@ -16,7 +17,7 @@
ansible.builtin.uri:
url: "{{ keycloak_uri }}/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_user }}&grant_type=password"
validate_certs: no
register: keycloak_auth_response
until: keycloak_auth_response.status == 200

9
molecule/https_revproxy/converge.yml
View File

@@ -3,15 +3,14 @@
hosts: all
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_admin_password: "remembertochangeme"
keycloak_realm: TestRealm
keycloak_quarkus_host: instance
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
keycloak_quarkus_hostname: https://proxy
keycloak_quarkus_log: file
keycloak_quarkus_http_enabled: True
keycloak_quarkus_http_port: 8080
keycloak_quarkus_proxy_mode: edge
keycloak_quarkus_http_relative_path: /
keycloak_quarkus_frontend_url: https://proxy/
keycloak_quarkus_health_check_url: http://proxy:8080/realms/master/.well-known/openid-configuration
roles:
- role: keycloak_quarkus

4
molecule/https_revproxy/molecule.yml
View File

@@ -3,7 +3,7 @@ driver:
name: docker
platforms:
- name: instance
image: registry.access.redhat.com/ubi8/ubi-init:latest
image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
@@ -14,7 +14,7 @@ platforms:
published_ports:
- 0.0.0.0:8080:8080/tcp
- name: proxy
image: registry.access.redhat.com/ubi8/ubi-init:latest
image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"

3
molecule/overridexml/molecule.yml
View File

@@ -3,7 +3,7 @@ driver:
name: docker
platforms:
- name: instance
image: registry.access.redhat.com/ubi8/ubi-init:latest
image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
@@ -11,6 +11,7 @@ platforms:
- "8080/tcp"
- "8443/tcp"
- "8009/tcp"
- "9000/tcp"
provisioner:
name: ansible
config_options:

28
molecule/quarkus/converge.yml
View File

@@ -3,10 +3,10 @@
hosts: all
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
keycloak_realm: TestRealm
keycloak_quarkus_host: instance
keycloak_quarkus_hostname: https://instance:8443
keycloak_quarkus_log: file
keycloak_quarkus_log_level: debug # needed for the verify step
keycloak_quarkus_https_key_file_enabled: true
@@ -22,6 +22,12 @@
keycloak_quarkus_systemd_wait_for_timeout: 20
keycloak_quarkus_systemd_wait_for_delay: 2
keycloak_quarkus_systemd_wait_for_log: true
keycloak_quarkus_restart_health_check: false # would fail because of self-signed cert
keycloak_quarkus_version: 26.4.7
keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx1024m"
keycloak_quarkus_additional_env_vars:
- key: KC_FEATURES_DISABLED
value: impersonation,kerberos
keycloak_quarkus_providers:
- id: http-client
spi: connections
@@ -32,26 +38,32 @@
value: 10
- id: spid-saml
url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
- id: spid-saml-w-checksum
url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
checksum: sha256:fbb50e73739d7a6d35b5bff611b1c01668b29adf6f6259624b95e466a305f377
- id: keycloak-kerberos-federation
maven:
repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4
group_id: org.keycloak
artifact_id: keycloak-kerberos-federation
version: 24.0.5 # optional
version: 26.4.7 # optional
# username: myUser # optional
# password: myPAT # optional
# - id: my-static-theme
# local_path: /tmp/my-static-theme.jar
keycloak_quarkus_policies:
- name: "xato-net-10-million-passwords.txt"
url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt"
- name: "xato-net-10-million-passwords-10.txt"
url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords-10.txt"
- name: "cain-and-abel.txt"
url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/cain-and-abel.txt"
- name: "john-the-ripper.txt"
url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt"
type: password-blacklists
roles:
- role: keycloak_quarkus
- role: keycloak_realm
keycloak_url: http://instance:8080
keycloak_context: ''
keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
keycloak_client_default_roles:
- TestRoleAdmin
- TestRoleUser

6
molecule/quarkus/molecule.yml
View File

@@ -3,7 +3,7 @@ driver:
name: docker
platforms:
- name: instance
image: registry.access.redhat.com/ubi8/ubi-init:latest
image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
@@ -11,6 +11,7 @@ platforms:
- "8080/tcp"
- "8443/tcp"
- "8009/tcp"
- "9000/tcp"
published_ports:
- 0.0.0.0:8443:8443/tcp
provisioner:
@@ -30,6 +31,9 @@ provisioner:
ansible_python_interpreter: "{{ ansible_playbook_python }}"
env:
ANSIBLE_FORCE_COLOR: "true"
PYTHONHTTPSVERIFY: 0
PROXY: "${PROXY}"
NO_PROXY: "${NO_PROXY}"
verifier:
name: ansible
scenario:

2
molecule/quarkus/prepare.yml
View File

@@ -24,7 +24,7 @@
- name: Make sure a jre is available (for keytool to prepare keystore)
delegate_to: localhost
ansible.builtin.package:
name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
name: java-21-openjdk-headless
state: present
become: true
failed_when: false

21
molecule/quarkus/verify.yml
View File

@@ -2,7 +2,8 @@
- name: Verify
hosts: all
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
@@ -35,10 +36,10 @@
- name: Verify endpoint URLs
ansible.builtin.assert:
that:
- (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance/realms/master/protocol/openid-connect/ext/ciba/auth'
- (openid_config.stdout | from_json)['issuer'] == 'https://instance/realms/master'
- (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/auth'
- (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/token'
- (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance:8443/realms/master/protocol/openid-connect/ext/ciba/auth'
- (openid_config.stdout | from_json)['issuer'] == 'https://instance:8443/realms/master'
- (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/auth'
- (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/token'
delegate_to: localhost
- name: Check log folder
@@ -91,7 +92,7 @@
ansible.builtin.uri:
url: "https://instance:8443/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_password}}&grant_type=password"
validate_certs: no
register: keycloak_auth_response
until: keycloak_auth_response.status == 200
@@ -101,8 +102,8 @@
- name: "Get Clients"
ansible.builtin.uri:
url: "https://instance:8443/admin/realms/TestRealm/clients"
validate_certs: false
headers:
validate_certs: false
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_clients
@@ -113,15 +114,15 @@
- name: "Get Client {{ keycloak_client_uuid }}"
ansible.builtin.uri:
url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}"
validate_certs: false
headers:
validate_certs: false
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_test_client
- name: "Get Client roles"
ansible.builtin.uri:
url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}/roles"
validate_certs: false
headers:
validate_certs: false
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_test_client_roles
register: keycloak_test_client_roles

11
molecule/quarkus-devmode/converge.yml → molecule/quarkus_devmode/converge.yml
View File

@@ -3,18 +3,23 @@
hosts: all
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
keycloak_realm: TestRealm
keycloak_quarkus_log: file
keycloak_quarkus_frontend_url: 'http://localhost:8080/'
keycloak_quarkus_hostname: 'http://localhost:8080'
keycloak_quarkus_start_dev: True
keycloak_quarkus_proxy_mode: none
keycloak_quarkus_java_home: /opt/openjdk/
keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m"
roles:
- role: keycloak_quarkus
- role: keycloak_realm
keycloak_url: "{{ keycloak_quarkus_hostname }}"
keycloak_context: ''
keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
keycloak_client_default_roles:
- TestRoleAdmin
- TestRoleUser

8
molecule/quarkus-devmode/molecule.yml → molecule/quarkus_devmode/molecule.yml
View File

@@ -1,17 +1,19 @@
---
driver:
name: docker
name: podman
platforms:
- name: instance
image: registry.access.redhat.com/ubi8/ubi-init:latest
image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
port_bindings:
- "8080/tcp"
- "8009/tcp"
- "9000/tcp"
published_ports:
- 0.0.0.0:8080:8080/tcp
- 0.0.0.0:9000:9000/TCP
provisioner:
name: ansible
config_options:
@@ -29,6 +31,8 @@ provisioner:
ansible_python_interpreter: "{{ ansible_playbook_python }}"
env:
ANSIBLE_FORCE_COLOR: "true"
PROXY: "${PROXY}"
NO_PROXY: "${NO_PROXY}"
verifier:
name: ansible
scenario:

0
molecule/quarkus-devmode/prepare.yml → molecule/quarkus_devmode/prepare.yml
View File

0
molecule/quarkus-devmode/roles → molecule/quarkus_devmode/roles
View File

0
molecule/quarkus-devmode/verify.yml → molecule/quarkus_devmode/verify.yml
View File

9
molecule/quarkus_ha/converge.yml
View File

@@ -3,10 +3,9 @@
hosts: keycloak
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_admin_password: "remembertochangeme"
keycloak_realm: TestRealm
keycloak_quarkus_host: "{{ inventory_hostname }}"
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
keycloak_quarkus_log: file
keycloak_quarkus_log_level: info
keycloak_quarkus_https_key_file_enabled: true
@@ -25,6 +24,6 @@
keycloak_quarkus_restart_strategy: restart/serial.yml
keycloak_quarkus_db_user: keycloak
keycloak_quarkus_db_pass: mysecretpass
keycloak_quarkus_jdbc_url: jdbc:postgresql://postgres:5432/keycloak
keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
roles:
- role: keycloak_quarkus

3
molecule/quarkus_ha/molecule.yml
View File

@@ -14,6 +14,7 @@ platforms:
port_bindings:
- "8080/tcp"
- "8443/tcp"
- "9000/tcp"
- name: instance2
image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true
@@ -26,6 +27,7 @@ platforms:
port_bindings:
- "8080/tcp"
- "8443/tcp"
- "9000/tcp"
- name: postgres
image: ubuntu/postgres:14-22.04_beta
pre_build_image: true
@@ -63,6 +65,7 @@ provisioner:
ansible_python_interpreter: "{{ ansible_playbook_python }}"
env:
ANSIBLE_FORCE_COLOR: "true"
PYTHONHTTPSVERIFY: 0
verifier:
name: ansible
scenario:

30
molecule/quarkus_ha_26.4_below/converge.yml Normal file
View File

@@ -0,0 +1,30 @@
---
- name: Converge
hosts: keycloak
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
keycloak_quarkus_log: file
keycloak_quarkus_log_level: info
keycloak_quarkus_https_key_file_enabled: true
keycloak_quarkus_key_file_copy_enabled: true
keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}"
keycloak_quarkus_cert_file_copy_enabled: true
keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem"
keycloak_quarkus_ks_vault_enabled: true
keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
keycloak_quarkus_ks_vault_pass: keystorepassword
keycloak_quarkus_systemd_wait_for_port: true
keycloak_quarkus_systemd_wait_for_timeout: 20
keycloak_quarkus_systemd_wait_for_delay: 2
keycloak_quarkus_systemd_wait_for_log: true
keycloak_quarkus_ha_enabled: true
keycloak_quarkus_restart_strategy: restart/serial.yml
keycloak_quarkus_db_user: keycloak
keycloak_quarkus_db_pass: mysecretpass
keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
keycloak_quarkus_version: 26.3.5
roles:
- role: keycloak_quarkus

82
molecule/quarkus_ha_26.4_below/molecule.yml Normal file
View File

@@ -0,0 +1,82 @@
---
driver:
name: docker
platforms:
- name: instance1
image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
groups:
- keycloak
networks:
- name: rhbk
port_bindings:
- "8080/tcp"
- "8443/tcp"
- "9000/tcp"
- name: instance2
image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
groups:
- keycloak
networks:
- name: rhbk
port_bindings:
- "8080/tcp"
- "8443/tcp"
- "9000/tcp"
- name: postgres
image: ubuntu/postgres:14-22.04_beta
pre_build_image: true
privileged: true
command: postgres
groups:
- database
networks:
- name: rhbk
port_bindings:
- "5432/tcp"
mounts:
- type: bind
target: /etc/postgresql/postgresql.conf
source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf
env:
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: mysecretpass
POSTGRES_DB: keycloak
POSTGRES_HOST_AUTH_METHOD: trust
provisioner:
name: ansible
config_options:
defaults:
interpreter_python: auto_silent
ssh_connection:
pipelining: false
playbooks:
prepare: prepare.yml
converge: converge.yml
verify: verify.yml
inventory:
host_vars:
localhost:
ansible_python_interpreter: "{{ ansible_playbook_python }}"
env:
ANSIBLE_FORCE_COLOR: "true"
PYTHONHTTPSVERIFY: 0
verifier:
name: ansible
scenario:
test_sequence:
- cleanup
- destroy
- create
- prepare
- converge
- idempotence
- side_effect
- verify
- cleanup
- destroy

750
molecule/quarkus_ha_26.4_below/postgresql/postgresql.conf Normal file
View File

@@ -0,0 +1,750 @@
# -----------------------------
# PostgreSQL configuration file
# -----------------------------
#
# This file consists of lines of the form:
#
# name = value
#
# (The "=" is optional.) Whitespace may be used. Comments are introduced with
# "#" anywhere on a line. The complete list of parameter names and allowed
# values can be found in the PostgreSQL documentation.
#
# The commented-out settings shown in this file represent the default values.
# Re-commenting a setting is NOT sufficient to revert it to the default value;
# you need to reload the server.
#
# This file is read on server startup and when the server receives a SIGHUP
# signal. If you edit the file on a running system, you have to SIGHUP the
# server for the changes to take effect, run "pg_ctl reload", or execute
# "SELECT pg_reload_conf()". Some parameters, which are marked below,
# require a server shutdown and restart to take effect.
#
# Any parameter can also be given as a command-line option to the server, e.g.,
# "postgres -c log_connections=on". Some parameters can be changed at run time
# with the "SET" SQL command.
#
# Memory units: kB = kilobytes Time units: ms = milliseconds
# MB = megabytes s = seconds
# GB = gigabytes min = minutes
# TB = terabytes h = hours
# d = days
#------------------------------------------------------------------------------
# FILE LOCATIONS
#------------------------------------------------------------------------------
# The default values of these variables are driven from the -D command-line
# option or PGDATA environment variable, represented here as ConfigDir.
#data_directory = 'ConfigDir' # use data in another directory
# (change requires restart)
#hba_file = 'ConfigDir/pg_hba.conf' # host-based authentication file
# (change requires restart)
#ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file
# (change requires restart)
# If external_pid_file is not explicitly set, no extra PID file is written.
#external_pid_file = '' # write an extra PID file
# (change requires restart)
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
listen_addresses = '*' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
#port = 5432 # (change requires restart)
#max_connections = 100 # (change requires restart)
#superuser_reserved_connections = 3 # (change requires restart)
#unix_socket_directories = '/tmp' # comma-separated list of directories
# (change requires restart)
#unix_socket_group = '' # (change requires restart)
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
# (change requires restart)
#bonjour = off # advertise server via Bonjour
# (change requires restart)
#bonjour_name = '' # defaults to the computer name
# (change requires restart)
# - TCP settings -
# see "man 7 tcp" for details
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
# 0 selects the system default
#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
# 0 selects the system default
#tcp_keepalives_count = 0 # TCP_KEEPCNT;
# 0 selects the system default
#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds;
# 0 selects the system default
# - Authentication -
#authentication_timeout = 1min # 1s-600s
#password_encryption = md5 # md5 or scram-sha-256
#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = ''
#krb_caseins_users = off
# - SSL -
#ssl = off
#ssl_ca_file = ''
#ssl_cert_file = 'server.crt'
#ssl_crl_file = ''
#ssl_key_file = 'server.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off
#------------------------------------------------------------------------------
# RESOURCE USAGE (except WAL)
#------------------------------------------------------------------------------
# - Memory -
#shared_buffers = 32MB # min 128kB
# (change requires restart)
#huge_pages = try # on, off, or try
# (change requires restart)
#temp_buffers = 8MB # min 800kB
#max_prepared_transactions = 0 # zero disables the feature
# (change requires restart)
# Caution: it is not advisable to set max_prepared_transactions nonzero unless
# you actively intend to use prepared transactions.
#work_mem = 4MB # min 64kB
#maintenance_work_mem = 64MB # min 1MB
#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
#max_stack_depth = 2MB # min 100kB
#shared_memory_type = mmap # the default is the first option
# supported by the operating system:
# mmap
# sysv
# windows
# (change requires restart)
#dynamic_shared_memory_type = posix # the default is the first option
# supported by the operating system:
# posix
# sysv
# windows
# mmap
# (change requires restart)
# - Disk -
#temp_file_limit = -1 # limits per-process temp file space
# in kB, or -1 for no limit
# - Kernel Resources -
#max_files_per_process = 1000 # min 25
# (change requires restart)
# - Cost-Based Vacuum Delay -
#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables)
#vacuum_cost_page_hit = 1 # 0-10000 credits
#vacuum_cost_page_miss = 10 # 0-10000 credits
#vacuum_cost_page_dirty = 20 # 0-10000 credits
#vacuum_cost_limit = 200 # 1-10000 credits
# - Background Writer -
#bgwriter_delay = 200ms # 10-10000ms between rounds
#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
#bgwriter_flush_after = 0 # measured in pages, 0 disables
# - Asynchronous Behavior -
#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
#max_worker_processes = 8 # (change requires restart)
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
#parallel_leader_participation = on
#max_parallel_workers = 8 # maximum number of max_worker_processes that
# can be used in parallel operations
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
# (change requires restart)
#backend_flush_after = 0 # measured in pages, 0 disables
#------------------------------------------------------------------------------
# WRITE-AHEAD LOG
#------------------------------------------------------------------------------
# - Settings -
#wal_level = replica # minimal, replica, or logical
# (change requires restart)
#fsync = on # flush data to disk for crash safety
# (turning this off can cause
# unrecoverable data corruption)
#synchronous_commit = on # synchronization level;
# off, local, remote_write, remote_apply, or on
#wal_sync_method = fsync # the default is the first option
# supported by the operating system:
# open_datasync
# fdatasync (default on Linux)
# fsync
# fsync_writethrough
# open_sync
#full_page_writes = on # recover from partial page writes
#wal_compression = off # enable compression of full-page writes
#wal_log_hints = off # also do full page writes of non-critical updates
# (change requires restart)
#wal_init_zero = on # zero-fill new WAL files
#wal_recycle = on # recycle WAL files
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
# (change requires restart)
#wal_writer_delay = 200ms # 1-10000 milliseconds
#wal_writer_flush_after = 1MB # measured in pages, 0 disables
#commit_delay = 0 # range 0-100000, in microseconds
#commit_siblings = 5 # range 1-1000
# - Checkpoints -
#checkpoint_timeout = 5min # range 30s-1d
#max_wal_size = 1GB
#min_wal_size = 80MB
#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
#checkpoint_flush_after = 0 # measured in pages, 0 disables
#checkpoint_warning = 30s # 0 disables
# - Archiving -
#archive_mode = off # enables archiving; off, on, or always
# (change requires restart)
#archive_command = '' # command to use to archive a logfile segment
# placeholders: %p = path of file to archive
# %f = file name only
# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
#archive_timeout = 0 # force a logfile segment switch after this
# number of seconds; 0 disables
# - Archive Recovery -
# These are only used in recovery mode.
#restore_command = '' # command to use to restore an archived logfile segment
# placeholders: %p = path of file to restore
# %f = file name only
# e.g. 'cp /mnt/server/archivedir/%f %p'
# (change requires restart)
#archive_cleanup_command = '' # command to execute at every restartpoint
#recovery_end_command = '' # command to execute at completion of recovery
# - Recovery Target -
# Set these only when performing a targeted recovery.
#recovery_target = '' # 'immediate' to end recovery as soon as a
# consistent state is reached
# (change requires restart)
#recovery_target_name = '' # the named restore point to which recovery will proceed
# (change requires restart)
#recovery_target_time = '' # the time stamp up to which recovery will proceed
# (change requires restart)
#recovery_target_xid = '' # the transaction ID up to which recovery will proceed
# (change requires restart)
#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed
# (change requires restart)
#recovery_target_inclusive = on # Specifies whether to stop:
# just after the specified recovery target (on)
# just before the recovery target (off)
# (change requires restart)
#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID
# (change requires restart)
#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown'
# (change requires restart)
#------------------------------------------------------------------------------
# REPLICATION
#------------------------------------------------------------------------------
# - Sending Servers -
# Set these on the master and on any standby that will send replication data.
#max_wal_senders = 10 # max number of walsender processes
# (change requires restart)
#wal_keep_segments = 0 # in logfile segments; 0 disables
#wal_sender_timeout = 60s # in milliseconds; 0 disables
#max_replication_slots = 10 # max number of replication slots
# (change requires restart)
#track_commit_timestamp = off # collect timestamp of transaction commit
# (change requires restart)
# - Master Server -
# These settings are ignored on a standby server.
#synchronous_standby_names = '' # standby servers that provide sync rep
# method to choose sync standbys, number of sync standbys,
# and comma-separated list of application_name
# from standby(s); '*' = all
#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
# - Standby Servers -
# These settings are ignored on a master server.
#primary_conninfo = '' # connection string to sending server
# (change requires restart)
#primary_slot_name = '' # replication slot on sending server
# (change requires restart)
#promote_trigger_file = '' # file name whose presence ends recovery
#hot_standby = on # "off" disallows queries during recovery
# (change requires restart)
#max_standby_archive_delay = 30s # max delay before canceling queries
# when reading WAL from archive;
# -1 allows indefinite delay
#max_standby_streaming_delay = 30s # max delay before canceling queries
# when reading streaming WAL;
# -1 allows indefinite delay
#wal_receiver_status_interval = 10s # send replies at least this often
# 0 disables
#hot_standby_feedback = off # send info from standby to prevent
# query conflicts
#wal_receiver_timeout = 60s # time that receiver waits for
# communication from master
# in milliseconds; 0 disables
#wal_retrieve_retry_interval = 5s # time to wait before retrying to
# retrieve WAL after a failed attempt
#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery
# - Subscribers -
# These settings are ignored on a publisher.
#max_logical_replication_workers = 4 # taken from max_worker_processes
# (change requires restart)
#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers
#------------------------------------------------------------------------------
# QUERY TUNING
#------------------------------------------------------------------------------
# - Planner Method Configuration -
#enable_bitmapscan = on
#enable_hashagg = on
#enable_hashjoin = on
#enable_indexscan = on
#enable_indexonlyscan = on
#enable_material = on
#enable_mergejoin = on
#enable_nestloop = on
#enable_parallel_append = on
#enable_seqscan = on
#enable_sort = on
#enable_tidscan = on
#enable_partitionwise_join = off
#enable_partitionwise_aggregate = off
#enable_parallel_hash = on
#enable_partition_pruning = on
# - Planner Cost Constants -
#seq_page_cost = 1.0 # measured on an arbitrary scale
#random_page_cost = 4.0 # same scale as above
#cpu_tuple_cost = 0.01 # same scale as above
#cpu_index_tuple_cost = 0.005 # same scale as above
#cpu_operator_cost = 0.0025 # same scale as above
#parallel_tuple_cost = 0.1 # same scale as above
#parallel_setup_cost = 1000.0 # same scale as above
#jit_above_cost = 100000 # perform JIT compilation if available
# and query more expensive than this;
# -1 disables
#jit_inline_above_cost = 500000 # inline small functions if query is
# more expensive than this; -1 disables
#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if
# query is more expensive than this;
# -1 disables
#min_parallel_table_scan_size = 8MB
#min_parallel_index_scan_size = 512kB
#effective_cache_size = 4GB
# - Genetic Query Optimizer -
#geqo = on
#geqo_threshold = 12
#geqo_effort = 5 # range 1-10
#geqo_pool_size = 0 # selects default based on effort
#geqo_generations = 0 # selects default based on effort
#geqo_selection_bias = 2.0 # range 1.5-2.0
#geqo_seed = 0.0 # range 0.0-1.0
# - Other Planner Options -
#default_statistics_target = 100 # range 1-10000
#constraint_exclusion = partition # on, off, or partition
#cursor_tuple_fraction = 0.1 # range 0.0-1.0
#from_collapse_limit = 8
#join_collapse_limit = 8 # 1 disables collapsing of explicit
# JOIN clauses
#force_parallel_mode = off
#jit = on # allow JIT compilation
#plan_cache_mode = auto # auto, force_generic_plan or
# force_custom_plan
#------------------------------------------------------------------------------
# REPORTING AND LOGGING
#------------------------------------------------------------------------------
# - Where to Log -
#log_destination = 'stderr' # Valid values are combinations of
# stderr, csvlog, syslog, and eventlog,
# depending on platform. csvlog
# requires logging_collector to be on.
# This is used when logging to stderr:
#logging_collector = off # Enable capturing of stderr and csvlog
# into log files. Required to be on for
# csvlogs.
# (change requires restart)
# These are only used if logging_collector is on:
#log_directory = 'log' # directory where log files are written,
# can be absolute or relative to PGDATA
#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
# can include strftime() escapes
#log_file_mode = 0600 # creation mode for log files,
# begin with 0 to use octal notation
#log_truncate_on_rotation = off # If on, an existing log file with the
# same name as the new log file will be
# truncated rather than appended to.
# But such truncation only occurs on
# time-driven rotation, not on restarts
# or size-driven rotation. Default is
# off, meaning append to existing files
# in all cases.
#log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#log_rotation_size = 10MB # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
# These are relevant when logging to syslog:
#syslog_facility = 'LOCAL0'
#syslog_ident = 'postgres'
#syslog_sequence_numbers = on
#syslog_split_messages = on
# This is only relevant when logging to eventlog (win32):
# (change requires restart)
#event_source = 'PostgreSQL'
# - When to Log -
#log_min_messages = warning # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic
#log_min_error_statement = error # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic (effectively off)
#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
# and their durations, > 0 logs only
# statements running at least this number
# of milliseconds
#log_transaction_sample_rate = 0.0 # Fraction of transactions whose statements
# are logged regardless of their duration. 1.0 logs all
# statements from all transactions, 0.0 never logs.
# - What to Log -
#debug_print_parse = off
#debug_print_rewritten = off
#debug_print_plan = off
#debug_pretty_print = on
#log_checkpoints = off
#log_connections = off
#log_disconnections = off
#log_duration = off
#log_error_verbosity = default # terse, default, or verbose messages
#log_hostname = off
#log_line_prefix = '%m [%p] ' # special values:
# %a = application name
# %u = user name
# %d = database name
# %r = remote host and port
# %h = remote host
# %p = process ID
# %t = timestamp without milliseconds
# %m = timestamp with milliseconds
# %n = timestamp with milliseconds (as a Unix epoch)
# %i = command tag
# %e = SQL state
# %c = session ID
# %l = session line number
# %s = session start timestamp
# %v = virtual transaction ID
# %x = transaction ID (0 if none)
# %q = stop here in non-session
# processes
# %% = '%'
# e.g. '<%u%%%d> '
#log_lock_waits = off # log lock waits >= deadlock_timeout
#log_statement = 'none' # none, ddl, mod, all
#log_replication_commands = off
#log_temp_files = -1 # log temporary files equal or larger
# than the specified size in kilobytes;
# -1 disables, 0 logs all temp files
#log_timezone = 'GMT'
#------------------------------------------------------------------------------
# PROCESS TITLE
#------------------------------------------------------------------------------
#cluster_name = '' # added to process titles if nonempty
# (change requires restart)
#update_process_title = on
#------------------------------------------------------------------------------
# STATISTICS
#------------------------------------------------------------------------------
# - Query and Index Statistics Collector -
#track_activities = on
#track_counts = on
#track_io_timing = off
#track_functions = none # none, pl, all
#track_activity_query_size = 1024 # (change requires restart)
#stats_temp_directory = 'pg_stat_tmp'
# - Monitoring -
#log_parser_stats = off
#log_planner_stats = off
#log_executor_stats = off
#log_statement_stats = off
#------------------------------------------------------------------------------
# AUTOVACUUM
#------------------------------------------------------------------------------
#autovacuum = on # Enable autovacuum subprocess? 'on'
# requires track_counts to also be on.
#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
# their durations, > 0 logs only
# actions running at least this number
# of milliseconds.
#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
# (change requires restart)
#autovacuum_naptime = 1min # time between autovacuum runs
#autovacuum_vacuum_threshold = 50 # min number of row updates before
# vacuum
#autovacuum_analyze_threshold = 50 # min number of row updates before
# analyze
#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
# (change requires restart)
#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age
# before forced vacuum
# (change requires restart)
#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for
# autovacuum, in milliseconds;
# -1 means use vacuum_cost_delay
#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
# autovacuum, -1 means use
# vacuum_cost_limit
#------------------------------------------------------------------------------
# CLIENT CONNECTION DEFAULTS
#------------------------------------------------------------------------------
# - Statement Behavior -
#client_min_messages = notice # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# log
# notice
# warning
# error
#search_path = '"$user", public' # schema names
#row_security = on
#default_tablespace = '' # a tablespace name, '' uses the default
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
#default_table_access_method = 'heap'
#check_function_bodies = on
#default_transaction_isolation = 'read committed'
#default_transaction_read_only = off
#default_transaction_deferrable = off
#session_replication_role = 'origin'
#statement_timeout = 0 # in milliseconds, 0 is disabled
#lock_timeout = 0 # in milliseconds, 0 is disabled
#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
#vacuum_freeze_min_age = 50000000
#vacuum_freeze_table_age = 150000000
#vacuum_multixact_freeze_min_age = 5000000
#vacuum_multixact_freeze_table_age = 150000000
#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples
# before index cleanup, 0 always performs
# index cleanup
#bytea_output = 'hex' # hex, escape
#xmlbinary = 'base64'
#xmloption = 'content'
#gin_fuzzy_search_limit = 0
#gin_pending_list_limit = 4MB
# - Locale and Formatting -
#datestyle = 'iso, mdy'
#intervalstyle = 'postgres'
#timezone = 'GMT'
#timezone_abbreviations = 'Default' # Select the set of available time zone
# abbreviations. Currently, there are
# Default
# Australia (historical usage)
# India
# You can create your own file in
# share/timezonesets/.
#extra_float_digits = 1 # min -15, max 3; any value >0 actually
# selects precise output mode
#client_encoding = sql_ascii # actually, defaults to database
# encoding
# These settings are initialized by initdb, but they can be changed.
#lc_messages = 'C' # locale for system error message
# strings
#lc_monetary = 'C' # locale for monetary formatting
#lc_numeric = 'C' # locale for number formatting
#lc_time = 'C' # locale for time formatting
# default configuration for text search
#default_text_search_config = 'pg_catalog.simple'
# - Shared Library Preloading -
#shared_preload_libraries = '' # (change requires restart)
#local_preload_libraries = ''
#session_preload_libraries = ''
#jit_provider = 'llvmjit' # JIT library to use
# - Other Defaults -
#dynamic_library_path = '$libdir'
#------------------------------------------------------------------------------
# LOCK MANAGEMENT
#------------------------------------------------------------------------------
#deadlock_timeout = 1s
#max_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_relation = -2 # negative values mean
# (max_pred_locks_per_transaction
# / -max_pred_locks_per_relation) - 1
#max_pred_locks_per_page = 2 # min 0
#------------------------------------------------------------------------------
# VERSION AND PLATFORM COMPATIBILITY
#------------------------------------------------------------------------------
# - Previous PostgreSQL Versions -
#array_nulls = on
#backslash_quote = safe_encoding # on, off, or safe_encoding
#escape_string_warning = on
#lo_compat_privileges = off
#operator_precedence_warning = off
#quote_all_identifiers = off
#standard_conforming_strings = on
#synchronize_seqscans = on
# - Other Platforms and Clients -
#transform_null_equals = off
#------------------------------------------------------------------------------
# ERROR HANDLING
#------------------------------------------------------------------------------
#exit_on_error = off # terminate session on any error?
#restart_after_crash = on # reinitialize after backend crash?
#data_sync_retry = off # retry or panic on failure to fsync
# data?
# (change requires restart)
#------------------------------------------------------------------------------
# CONFIG FILE INCLUDES
#------------------------------------------------------------------------------
# These options allow settings to be loaded from files other than the
# default postgresql.conf. Note that these are directives, not variable
# assignments, so they can usefully be given more than once.
#include_dir = '...' # include files ending in '.conf' from
# a directory, e.g., 'conf.d'
#include_if_exists = '...' # include file only if it exists
#include = '...' # include file
#------------------------------------------------------------------------------
# CUSTOMIZED OPTIONS
#------------------------------------------------------------------------------
# Add settings for extensions here

44
molecule/quarkus_ha_26.4_below/prepare.yml Normal file
View File

@@ -0,0 +1,44 @@
---
- name: Prepare
hosts: keycloak
tasks:
- name: "Display hera_home if defined."
ansible.builtin.set_fact:
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- name: "Ensure common prepare phase are set."
ansible.builtin.include_tasks: ../prepare.yml
- name: Create certificate request
ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
delegate_to: localhost
changed_when: False
- name: Create vault directory
become: true
ansible.builtin.file:
state: directory
path: "/opt/keycloak/vault"
mode: 0755
- name: Make sure a jre is available (for keytool to prepare keystore)
delegate_to: localhost
ansible.builtin.package:
name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
state: present
become: true
failed_when: false
- name: Create vault keystore
ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
delegate_to: localhost
register: keytool_cmd
changed_when: False
failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
- name: Copy certificates and vault
become: true
ansible.builtin.copy:
src: keystore.p12
dest: /opt/keycloak/vault/keystore.p12
mode: 0444

1
molecule/quarkus_ha_26.4_below/roles Symbolic link
View File

@@ -0,0 +1 @@
../../roles

29
molecule/quarkus_ha_26.4_below/verify.yml Normal file
View File

@@ -0,0 +1,29 @@
---
- name: Verify
hosts: keycloak
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
- name: Check if keycloak service started
ansible.builtin.assert:
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"
- ansible_facts.services["keycloak.service"]["status"] == "enabled"
fail_msg: "Service not running"
- name: Set internal envvar
ansible.builtin.set_fact:
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- name: Check log file
become: true
ansible.builtin.stat:
path: /var/log/keycloak/keycloak.log
register: keycloak_log_file
- name: Check if keycloak file exists
ansible.builtin.assert:
that:
- keycloak_log_file.stat.exists
- not keycloak_log_file.stat.isdir

57
molecule/quarkus_ha_remote/converge.yml Normal file
View File

@@ -0,0 +1,57 @@
---
- name: Converge
hosts: infinispan
roles:
- role: middleware_automation.infinispan.infinispan
infinispan_service_name: infinispan
infinispan_supervisor_password: remembertochangeme
infinispan_keycloak_caches: true
infinispan_keycloak_persistence: False
infinispan_jdbc_engine: postgres
infinispan_jdbc_url: jdbc:postgresql://postgres:5432/keycloak
infinispan_jdbc_driver_version: 9.4.1212
infinispan_jdbc_user: keycloak
infinispan_jdbc_pass: mysecretpass
infinispan_bind_address: "{{ ansible_default_ipv4.address }}"
infinispan_users:
- { name: 'testuser', password: 'test', roles: 'observer' }
- name: Converge
hosts: keycloak
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
keycloak_quarkus_log: file
keycloak_quarkus_log_level: info
keycloak_quarkus_https_key_file_enabled: true
keycloak_quarkus_key_file_copy_enabled: true
keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}"
keycloak_quarkus_cert_file_copy_enabled: true
keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem"
keycloak_quarkus_ks_vault_enabled: true
keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
keycloak_quarkus_ks_vault_pass: keystorepassword
keycloak_quarkus_systemd_wait_for_port: true
keycloak_quarkus_systemd_wait_for_timeout: 20
keycloak_quarkus_systemd_wait_for_delay: 2
keycloak_quarkus_systemd_wait_for_log: true
keycloak_quarkus_ha_enabled: true
keycloak_quarkus_restart_strategy: restart/serial.yml
keycloak_quarkus_db_user: keycloak
keycloak_quarkus_db_pass: mysecretpass
keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
keycloak_quarkus_cache_remote: true
keycloak_quarkus_cache_remote_username: supervisor
keycloak_quarkus_cache_remote_password: remembertochangeme
keycloak_quarkus_cache_remote_host: "infinispan1"
keycloak_quarkus_cache_remote_port: 11222
keycloak_quarkus_cache_remote_tls_enabled: false
keycloak_quarkus_additional_env_vars:
- key: KC_FEATURES
value: clusterless
- key: KC_FEATURES_DISABLED
value: persistent-user-sessions
roles:
- role: keycloak_quarkus

80
molecule/quarkus_ha_remote/molecule.yml Normal file
View File

@@ -0,0 +1,80 @@
---
driver:
name: docker
platforms:
- name: keycloak1
image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
groups:
- keycloak
networks:
- name: rhbk
port_bindings:
- "8080/tcp"
- "8443/tcp"
- "9000/tcp"
- name: infinispan1
image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
groups:
- infinispan
networks:
- name: rhbk
port_bindings:
- "11222/tcp"
- name: postgres
image: ubuntu/postgres:14-22.04_beta
pre_build_image: true
privileged: true
command: postgres
groups:
- database
networks:
- name: rhbk
port_bindings:
- "5432/tcp"
mounts:
- type: bind
target: /etc/postgresql/postgresql.conf
source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf
env:
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: mysecretpass
POSTGRES_DB: keycloak
POSTGRES_HOST_AUTH_METHOD: trust
provisioner:
name: ansible
config_options:
defaults:
interpreter_python: auto_silent
ssh_connection:
pipelining: false
playbooks:
prepare: prepare.yml
converge: converge.yml
verify: verify.yml
inventory:
host_vars:
localhost:
ansible_python_interpreter: "{{ ansible_playbook_python }}"
env:
ANSIBLE_FORCE_COLOR: "true"
PYTHONHTTPSVERIFY: 0
verifier:
name: ansible
scenario:
test_sequence:
- cleanup
- destroy
- create
- prepare
- converge
- idempotence
- side_effect
- verify
- cleanup
- destroy

750
molecule/quarkus_ha_remote/postgresql/postgresql.conf Normal file
View File

@@ -0,0 +1,750 @@
# -----------------------------
# PostgreSQL configuration file
# -----------------------------
#
# This file consists of lines of the form:
#
# name = value
#
# (The "=" is optional.) Whitespace may be used. Comments are introduced with
# "#" anywhere on a line. The complete list of parameter names and allowed
# values can be found in the PostgreSQL documentation.
#
# The commented-out settings shown in this file represent the default values.
# Re-commenting a setting is NOT sufficient to revert it to the default value;
# you need to reload the server.
#
# This file is read on server startup and when the server receives a SIGHUP
# signal. If you edit the file on a running system, you have to SIGHUP the
# server for the changes to take effect, run "pg_ctl reload", or execute
# "SELECT pg_reload_conf()". Some parameters, which are marked below,
# require a server shutdown and restart to take effect.
#
# Any parameter can also be given as a command-line option to the server, e.g.,
# "postgres -c log_connections=on". Some parameters can be changed at run time
# with the "SET" SQL command.
#
# Memory units: kB = kilobytes Time units: ms = milliseconds
# MB = megabytes s = seconds
# GB = gigabytes min = minutes
# TB = terabytes h = hours
# d = days
#------------------------------------------------------------------------------
# FILE LOCATIONS
#------------------------------------------------------------------------------
# The default values of these variables are driven from the -D command-line
# option or PGDATA environment variable, represented here as ConfigDir.
#data_directory = 'ConfigDir' # use data in another directory
# (change requires restart)
#hba_file = 'ConfigDir/pg_hba.conf' # host-based authentication file
# (change requires restart)
#ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file
# (change requires restart)
# If external_pid_file is not explicitly set, no extra PID file is written.
#external_pid_file = '' # write an extra PID file
# (change requires restart)
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
listen_addresses = '*' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
#port = 5432 # (change requires restart)
#max_connections = 100 # (change requires restart)
#superuser_reserved_connections = 3 # (change requires restart)
#unix_socket_directories = '/tmp' # comma-separated list of directories
# (change requires restart)
#unix_socket_group = '' # (change requires restart)
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
# (change requires restart)
#bonjour = off # advertise server via Bonjour
# (change requires restart)
#bonjour_name = '' # defaults to the computer name
# (change requires restart)
# - TCP settings -
# see "man 7 tcp" for details
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
# 0 selects the system default
#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
# 0 selects the system default
#tcp_keepalives_count = 0 # TCP_KEEPCNT;
# 0 selects the system default
#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds;
# 0 selects the system default
# - Authentication -
#authentication_timeout = 1min # 1s-600s
#password_encryption = md5 # md5 or scram-sha-256
#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = ''
#krb_caseins_users = off
# - SSL -
#ssl = off
#ssl_ca_file = ''
#ssl_cert_file = 'server.crt'
#ssl_crl_file = ''
#ssl_key_file = 'server.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off
#------------------------------------------------------------------------------
# RESOURCE USAGE (except WAL)
#------------------------------------------------------------------------------
# - Memory -
#shared_buffers = 32MB # min 128kB
# (change requires restart)
#huge_pages = try # on, off, or try
# (change requires restart)
#temp_buffers = 8MB # min 800kB
#max_prepared_transactions = 0 # zero disables the feature
# (change requires restart)
# Caution: it is not advisable to set max_prepared_transactions nonzero unless
# you actively intend to use prepared transactions.
#work_mem = 4MB # min 64kB
#maintenance_work_mem = 64MB # min 1MB
#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
#max_stack_depth = 2MB # min 100kB
#shared_memory_type = mmap # the default is the first option
# supported by the operating system:
# mmap
# sysv
# windows
# (change requires restart)
#dynamic_shared_memory_type = posix # the default is the first option
# supported by the operating system:
# posix
# sysv
# windows
# mmap
# (change requires restart)
# - Disk -
#temp_file_limit = -1 # limits per-process temp file space
# in kB, or -1 for no limit
# - Kernel Resources -
#max_files_per_process = 1000 # min 25
# (change requires restart)
# - Cost-Based Vacuum Delay -
#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables)
#vacuum_cost_page_hit = 1 # 0-10000 credits
#vacuum_cost_page_miss = 10 # 0-10000 credits
#vacuum_cost_page_dirty = 20 # 0-10000 credits
#vacuum_cost_limit = 200 # 1-10000 credits
# - Background Writer -
#bgwriter_delay = 200ms # 10-10000ms between rounds
#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
#bgwriter_flush_after = 0 # measured in pages, 0 disables
# - Asynchronous Behavior -
#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
#max_worker_processes = 8 # (change requires restart)
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
#parallel_leader_participation = on
#max_parallel_workers = 8 # maximum number of max_worker_processes that
# can be used in parallel operations
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
# (change requires restart)
#backend_flush_after = 0 # measured in pages, 0 disables
#------------------------------------------------------------------------------
# WRITE-AHEAD LOG
#------------------------------------------------------------------------------
# - Settings -
#wal_level = replica # minimal, replica, or logical
# (change requires restart)
#fsync = on # flush data to disk for crash safety
# (turning this off can cause
# unrecoverable data corruption)
#synchronous_commit = on # synchronization level;
# off, local, remote_write, remote_apply, or on
#wal_sync_method = fsync # the default is the first option
# supported by the operating system:
# open_datasync
# fdatasync (default on Linux)
# fsync
# fsync_writethrough
# open_sync
#full_page_writes = on # recover from partial page writes
#wal_compression = off # enable compression of full-page writes
#wal_log_hints = off # also do full page writes of non-critical updates
# (change requires restart)
#wal_init_zero = on # zero-fill new WAL files
#wal_recycle = on # recycle WAL files
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
# (change requires restart)
#wal_writer_delay = 200ms # 1-10000 milliseconds
#wal_writer_flush_after = 1MB # measured in pages, 0 disables
#commit_delay = 0 # range 0-100000, in microseconds
#commit_siblings = 5 # range 1-1000
# - Checkpoints -
#checkpoint_timeout = 5min # range 30s-1d
#max_wal_size = 1GB
#min_wal_size = 80MB
#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
#checkpoint_flush_after = 0 # measured in pages, 0 disables
#checkpoint_warning = 30s # 0 disables
# - Archiving -
#archive_mode = off # enables archiving; off, on, or always
# (change requires restart)
#archive_command = '' # command to use to archive a logfile segment
# placeholders: %p = path of file to archive
# %f = file name only
# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
#archive_timeout = 0 # force a logfile segment switch after this
# number of seconds; 0 disables
# - Archive Recovery -
# These are only used in recovery mode.
#restore_command = '' # command to use to restore an archived logfile segment
# placeholders: %p = path of file to restore
# %f = file name only
# e.g. 'cp /mnt/server/archivedir/%f %p'
# (change requires restart)
#archive_cleanup_command = '' # command to execute at every restartpoint
#recovery_end_command = '' # command to execute at completion of recovery
# - Recovery Target -
# Set these only when performing a targeted recovery.
#recovery_target = '' # 'immediate' to end recovery as soon as a
# consistent state is reached
# (change requires restart)
#recovery_target_name = '' # the named restore point to which recovery will proceed
# (change requires restart)
#recovery_target_time = '' # the time stamp up to which recovery will proceed
# (change requires restart)
#recovery_target_xid = '' # the transaction ID up to which recovery will proceed
# (change requires restart)
#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed
# (change requires restart)
#recovery_target_inclusive = on # Specifies whether to stop:
# just after the specified recovery target (on)
# just before the recovery target (off)
# (change requires restart)
#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID
# (change requires restart)
#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown'
# (change requires restart)
#------------------------------------------------------------------------------
# REPLICATION
#------------------------------------------------------------------------------
# - Sending Servers -
# Set these on the master and on any standby that will send replication data.
#max_wal_senders = 10 # max number of walsender processes
# (change requires restart)
#wal_keep_segments = 0 # in logfile segments; 0 disables
#wal_sender_timeout = 60s # in milliseconds; 0 disables
#max_replication_slots = 10 # max number of replication slots
# (change requires restart)
#track_commit_timestamp = off # collect timestamp of transaction commit
# (change requires restart)
# - Master Server -
# These settings are ignored on a standby server.
#synchronous_standby_names = '' # standby servers that provide sync rep
# method to choose sync standbys, number of sync standbys,
# and comma-separated list of application_name
# from standby(s); '*' = all
#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
# - Standby Servers -
# These settings are ignored on a master server.
#primary_conninfo = '' # connection string to sending server
# (change requires restart)
#primary_slot_name = '' # replication slot on sending server
# (change requires restart)
#promote_trigger_file = '' # file name whose presence ends recovery
#hot_standby = on # "off" disallows queries during recovery
# (change requires restart)
#max_standby_archive_delay = 30s # max delay before canceling queries
# when reading WAL from archive;
# -1 allows indefinite delay
#max_standby_streaming_delay = 30s # max delay before canceling queries
# when reading streaming WAL;
# -1 allows indefinite delay
#wal_receiver_status_interval = 10s # send replies at least this often
# 0 disables
#hot_standby_feedback = off # send info from standby to prevent
# query conflicts
#wal_receiver_timeout = 60s # time that receiver waits for
# communication from master
# in milliseconds; 0 disables
#wal_retrieve_retry_interval = 5s # time to wait before retrying to
# retrieve WAL after a failed attempt
#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery
# - Subscribers -
# These settings are ignored on a publisher.
#max_logical_replication_workers = 4 # taken from max_worker_processes
# (change requires restart)
#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers
#------------------------------------------------------------------------------
# QUERY TUNING
#------------------------------------------------------------------------------
# - Planner Method Configuration -
#enable_bitmapscan = on
#enable_hashagg = on
#enable_hashjoin = on
#enable_indexscan = on
#enable_indexonlyscan = on
#enable_material = on
#enable_mergejoin = on
#enable_nestloop = on
#enable_parallel_append = on
#enable_seqscan = on
#enable_sort = on
#enable_tidscan = on
#enable_partitionwise_join = off
#enable_partitionwise_aggregate = off
#enable_parallel_hash = on
#enable_partition_pruning = on
# - Planner Cost Constants -
#seq_page_cost = 1.0 # measured on an arbitrary scale
#random_page_cost = 4.0 # same scale as above
#cpu_tuple_cost = 0.01 # same scale as above
#cpu_index_tuple_cost = 0.005 # same scale as above
#cpu_operator_cost = 0.0025 # same scale as above
#parallel_tuple_cost = 0.1 # same scale as above
#parallel_setup_cost = 1000.0 # same scale as above
#jit_above_cost = 100000 # perform JIT compilation if available
# and query more expensive than this;
# -1 disables
#jit_inline_above_cost = 500000 # inline small functions if query is
# more expensive than this; -1 disables
#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if
# query is more expensive than this;
# -1 disables
#min_parallel_table_scan_size = 8MB
#min_parallel_index_scan_size = 512kB
#effective_cache_size = 4GB
# - Genetic Query Optimizer -
#geqo = on
#geqo_threshold = 12
#geqo_effort = 5 # range 1-10
#geqo_pool_size = 0 # selects default based on effort
#geqo_generations = 0 # selects default based on effort
#geqo_selection_bias = 2.0 # range 1.5-2.0
#geqo_seed = 0.0 # range 0.0-1.0
# - Other Planner Options -
#default_statistics_target = 100 # range 1-10000
#constraint_exclusion = partition # on, off, or partition
#cursor_tuple_fraction = 0.1 # range 0.0-1.0
#from_collapse_limit = 8
#join_collapse_limit = 8 # 1 disables collapsing of explicit
# JOIN clauses
#force_parallel_mode = off
#jit = on # allow JIT compilation
#plan_cache_mode = auto # auto, force_generic_plan or
# force_custom_plan
#------------------------------------------------------------------------------
# REPORTING AND LOGGING
#------------------------------------------------------------------------------
# - Where to Log -
#log_destination = 'stderr' # Valid values are combinations of
# stderr, csvlog, syslog, and eventlog,
# depending on platform. csvlog
# requires logging_collector to be on.
# This is used when logging to stderr:
#logging_collector = off # Enable capturing of stderr and csvlog
# into log files. Required to be on for
# csvlogs.
# (change requires restart)
# These are only used if logging_collector is on:
#log_directory = 'log' # directory where log files are written,
# can be absolute or relative to PGDATA
#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
# can include strftime() escapes
#log_file_mode = 0600 # creation mode for log files,
# begin with 0 to use octal notation
#log_truncate_on_rotation = off # If on, an existing log file with the
# same name as the new log file will be
# truncated rather than appended to.
# But such truncation only occurs on
# time-driven rotation, not on restarts
# or size-driven rotation. Default is
# off, meaning append to existing files
# in all cases.
#log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#log_rotation_size = 10MB # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
# These are relevant when logging to syslog:
#syslog_facility = 'LOCAL0'
#syslog_ident = 'postgres'
#syslog_sequence_numbers = on
#syslog_split_messages = on
# This is only relevant when logging to eventlog (win32):
# (change requires restart)
#event_source = 'PostgreSQL'
# - When to Log -
#log_min_messages = warning # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic
#log_min_error_statement = error # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic (effectively off)
#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
# and their durations, > 0 logs only
# statements running at least this number
# of milliseconds
#log_transaction_sample_rate = 0.0 # Fraction of transactions whose statements
# are logged regardless of their duration. 1.0 logs all
# statements from all transactions, 0.0 never logs.
# - What to Log -
#debug_print_parse = off
#debug_print_rewritten = off
#debug_print_plan = off
#debug_pretty_print = on
#log_checkpoints = off
#log_connections = off
#log_disconnections = off
#log_duration = off
#log_error_verbosity = default # terse, default, or verbose messages
#log_hostname = off
#log_line_prefix = '%m [%p] ' # special values:
# %a = application name
# %u = user name
# %d = database name
# %r = remote host and port
# %h = remote host
# %p = process ID
# %t = timestamp without milliseconds
# %m = timestamp with milliseconds
# %n = timestamp with milliseconds (as a Unix epoch)
# %i = command tag
# %e = SQL state
# %c = session ID
# %l = session line number
# %s = session start timestamp
# %v = virtual transaction ID
# %x = transaction ID (0 if none)
# %q = stop here in non-session
# processes
# %% = '%'
# e.g. '<%u%%%d> '
#log_lock_waits = off # log lock waits >= deadlock_timeout
#log_statement = 'none' # none, ddl, mod, all
#log_replication_commands = off
#log_temp_files = -1 # log temporary files equal or larger
# than the specified size in kilobytes;
# -1 disables, 0 logs all temp files
#log_timezone = 'GMT'
#------------------------------------------------------------------------------
# PROCESS TITLE
#------------------------------------------------------------------------------
#cluster_name = '' # added to process titles if nonempty
# (change requires restart)
#update_process_title = on
#------------------------------------------------------------------------------
# STATISTICS
#------------------------------------------------------------------------------
# - Query and Index Statistics Collector -
#track_activities = on
#track_counts = on
#track_io_timing = off
#track_functions = none # none, pl, all
#track_activity_query_size = 1024 # (change requires restart)
#stats_temp_directory = 'pg_stat_tmp'
# - Monitoring -
#log_parser_stats = off
#log_planner_stats = off
#log_executor_stats = off
#log_statement_stats = off
#------------------------------------------------------------------------------
# AUTOVACUUM
#------------------------------------------------------------------------------
#autovacuum = on # Enable autovacuum subprocess? 'on'
# requires track_counts to also be on.
#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
# their durations, > 0 logs only
# actions running at least this number
# of milliseconds.
#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
# (change requires restart)
#autovacuum_naptime = 1min # time between autovacuum runs
#autovacuum_vacuum_threshold = 50 # min number of row updates before
# vacuum
#autovacuum_analyze_threshold = 50 # min number of row updates before
# analyze
#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
# (change requires restart)
#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age
# before forced vacuum
# (change requires restart)
#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for
# autovacuum, in milliseconds;
# -1 means use vacuum_cost_delay
#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
# autovacuum, -1 means use
# vacuum_cost_limit
#------------------------------------------------------------------------------
# CLIENT CONNECTION DEFAULTS
#------------------------------------------------------------------------------
# - Statement Behavior -
#client_min_messages = notice # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# log
# notice
# warning
# error
#search_path = '"$user", public' # schema names
#row_security = on
#default_tablespace = '' # a tablespace name, '' uses the default
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
#default_table_access_method = 'heap'
#check_function_bodies = on
#default_transaction_isolation = 'read committed'
#default_transaction_read_only = off
#default_transaction_deferrable = off
#session_replication_role = 'origin'
#statement_timeout = 0 # in milliseconds, 0 is disabled
#lock_timeout = 0 # in milliseconds, 0 is disabled
#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
#vacuum_freeze_min_age = 50000000
#vacuum_freeze_table_age = 150000000
#vacuum_multixact_freeze_min_age = 5000000
#vacuum_multixact_freeze_table_age = 150000000
#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples
# before index cleanup, 0 always performs
# index cleanup
#bytea_output = 'hex' # hex, escape
#xmlbinary = 'base64'
#xmloption = 'content'
#gin_fuzzy_search_limit = 0
#gin_pending_list_limit = 4MB
# - Locale and Formatting -
#datestyle = 'iso, mdy'
#intervalstyle = 'postgres'
#timezone = 'GMT'
#timezone_abbreviations = 'Default' # Select the set of available time zone
# abbreviations. Currently, there are
# Default
# Australia (historical usage)
# India
# You can create your own file in
# share/timezonesets/.
#extra_float_digits = 1 # min -15, max 3; any value >0 actually
# selects precise output mode
#client_encoding = sql_ascii # actually, defaults to database
# encoding
# These settings are initialized by initdb, but they can be changed.
#lc_messages = 'C' # locale for system error message
# strings
#lc_monetary = 'C' # locale for monetary formatting
#lc_numeric = 'C' # locale for number formatting
#lc_time = 'C' # locale for time formatting
# default configuration for text search
#default_text_search_config = 'pg_catalog.simple'
# - Shared Library Preloading -
#shared_preload_libraries = '' # (change requires restart)
#local_preload_libraries = ''
#session_preload_libraries = ''
#jit_provider = 'llvmjit' # JIT library to use
# - Other Defaults -
#dynamic_library_path = '$libdir'
#------------------------------------------------------------------------------
# LOCK MANAGEMENT
#------------------------------------------------------------------------------
#deadlock_timeout = 1s
#max_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_relation = -2 # negative values mean
# (max_pred_locks_per_transaction
# / -max_pred_locks_per_relation) - 1
#max_pred_locks_per_page = 2 # min 0
#------------------------------------------------------------------------------
# VERSION AND PLATFORM COMPATIBILITY
#------------------------------------------------------------------------------
# - Previous PostgreSQL Versions -
#array_nulls = on
#backslash_quote = safe_encoding # on, off, or safe_encoding
#escape_string_warning = on
#lo_compat_privileges = off
#operator_precedence_warning = off
#quote_all_identifiers = off
#standard_conforming_strings = on
#synchronize_seqscans = on
# - Other Platforms and Clients -
#transform_null_equals = off
#------------------------------------------------------------------------------
# ERROR HANDLING
#------------------------------------------------------------------------------
#exit_on_error = off # terminate session on any error?
#restart_after_crash = on # reinitialize after backend crash?
#data_sync_retry = off # retry or panic on failure to fsync
# data?
# (change requires restart)
#------------------------------------------------------------------------------
# CONFIG FILE INCLUDES
#------------------------------------------------------------------------------
# These options allow settings to be loaded from files other than the
# default postgresql.conf. Note that these are directives, not variable
# assignments, so they can usefully be given more than once.
#include_dir = '...' # include files ending in '.conf' from
# a directory, e.g., 'conf.d'
#include_if_exists = '...' # include file only if it exists
#include = '...' # include file
#------------------------------------------------------------------------------
# CUSTOMIZED OPTIONS
#------------------------------------------------------------------------------
# Add settings for extensions here

44
molecule/quarkus_ha_remote/prepare.yml Normal file
View File

@@ -0,0 +1,44 @@
---
- name: Prepare
hosts: 'keycloak:infinispan'
tasks:
- name: "Display hera_home if defined."
ansible.builtin.set_fact:
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- name: "Ensure common prepare phase are set."
ansible.builtin.include_tasks: ../prepare.yml
- name: Create certificate request
ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
delegate_to: localhost
changed_when: False
- name: Create vault directory
become: true
ansible.builtin.file:
state: directory
path: "/opt/keycloak/vault"
mode: 0755
- name: Make sure a jre is available (for keytool to prepare keystore)
delegate_to: localhost
ansible.builtin.package:
name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
state: present
become: true
failed_when: false
- name: Create vault keystore
ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
delegate_to: localhost
register: keytool_cmd
changed_when: False
failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
- name: Copy certificates and vault
become: true
ansible.builtin.copy:
src: keystore.p12
dest: /opt/keycloak/vault/keystore.p12
mode: 0444

1
molecule/quarkus_ha_remote/roles Symbolic link
View File

@@ -0,0 +1 @@
../../roles

29
molecule/quarkus_ha_remote/verify.yml Normal file
View File

@@ -0,0 +1,29 @@
---
- name: Verify
hosts: keycloak
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
- name: Check if keycloak service started
ansible.builtin.assert:
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"
- ansible_facts.services["keycloak.service"]["status"] == "enabled"
fail_msg: "Service not running"
- name: Set internal envvar
ansible.builtin.set_fact:
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- name: Check log file
become: true
ansible.builtin.stat:
path: /var/log/keycloak/keycloak.log
register: keycloak_log_file
- name: Check if keycloak file exists
ansible.builtin.assert:
that:
- keycloak_log_file.stat.exists
- not keycloak_log_file.stat.isdir

5
molecule/quarkus_upgrade/converge.yml
View File

@@ -5,6 +5,9 @@
- vars.yml
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_version: 24.0.3
keycloak_quarkus_additional_env_vars:
- key: KC_FEATURES_DISABLED
value: ciba,device-flow,impersonation,kerberos,docker
keycloak_quarkus_version: 26.0.7
roles:
- role: keycloak_quarkus

8
molecule/quarkus_upgrade/molecule.yml
View File

@@ -4,7 +4,7 @@ dependency:
options:
requirements-file: molecule/requirements.yml
driver:
name: docker
name: podman
platforms:
- name: instance
image: registry.access.redhat.com/ubi9/ubi-init:latest
@@ -13,8 +13,10 @@ platforms:
privileged: true
port_bindings:
- 8080:8080
- "9000/tcp"
published_ports:
- 0.0.0.0:8080:8080/TCP
- 0.0.0.0:9000:9000/TCP
provisioner:
name: ansible
playbooks:
@@ -25,6 +27,10 @@ provisioner:
host_vars:
localhost:
ansible_python_interpreter: "{{ ansible_playbook_python }}"
env:
ANSIBLE_FORCE_COLOR: "true"
PROXY: "${PROXY}"
NO_PROXY: "${NO_PROXY}"
verifier:
name: ansible
scenario:

6
molecule/quarkus_upgrade/prepare.yml
View File

@@ -5,7 +5,10 @@
- vars.yml
vars:
sudo_pkg_name: sudo
keycloak_quarkus_version: 23.0.7
keycloak_quarkus_version: 26.0.4
keycloak_quarkus_additional_env_vars:
- key: KC_FEATURES_DISABLED
value: impersonation,kerberos
pre_tasks:
- name: Install sudo
ansible.builtin.apt:
@@ -44,6 +47,7 @@
changed_when: false
roles:
- role: keycloak_quarkus
post_tasks:
- name: "Delete custom fact"
ansible.builtin.file:

5
molecule/quarkus_upgrade/vars.yml
View File

@@ -1,9 +1,8 @@
---
keycloak_quarkus_offline_install: false
keycloak_quarkus_admin_password: "remembertochangeme"
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
keycloak_quarkus_realm: TestRealm
keycloak_quarkus_host: instance
keycloak_quarkus_hostname: http://instance:8080
keycloak_quarkus_log: file
keycloak_quarkus_https_key_file_enabled: true
keycloak_quarkus_log_target: /tmp/keycloak

6
molecule/quarkus_upgrade/verify.yml
View File

@@ -2,7 +2,7 @@
- name: Verify
hosts: instance
vars:
keycloak_quarkus_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
keycloak_quarkus_port: http://localhost:8080
tasks:
- name: Populate service facts
@@ -17,14 +17,14 @@
- name: Verify we are running on requested jvm
ansible.builtin.shell: |
set -eo pipefail
ps -ef | grep 'etc/alternatives/.*17' | grep -v grep
ps -ef | grep 'etc/alternatives/.*21' | grep -v grep
changed_when: false
- name: Verify token api call
ansible.builtin.uri:
url: "{{ keycloak_quarkus_port }}/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_admin_password }}&grant_type=password"
body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_bootstrap_admin_password }}&grant_type=password"
validate_certs: no
register: keycloak_auth_response
until: keycloak_auth_response.status == 200

1
molecule/requirements.yml
View File

@@ -2,6 +2,7 @@
collections:
- name: middleware_automation.common
- name: middleware_automation.jbcs
- name: middleware_automation.infinispan
- name: community.general
- name: ansible.posix
- name: community.docker

4
playbooks/keycloak_quarkus.yml
View File

@@ -2,8 +2,8 @@
- name: Playbook for Keycloak X Hosts with HTTPS enabled
hosts: all
vars:
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_quarkus_host: localhost
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
keycloak_quarkus_hostname: http://localhost
keycloak_quarkus_port: 8443
keycloak_quarkus_log: file
keycloak_quarkus_proxy_mode: none

4
playbooks/keycloak_quarkus_dev.yml
View File

@@ -2,8 +2,8 @@
- name: Playbook for Keycloak X Hosts in develop mode
hosts: all
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_quarkus_host: localhost
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
keycloak_quarkus_hostname: http://localhost
keycloak_quarkus_port: 8080
keycloak_quarkus_log: file
keycloak_quarkus_start_dev: true

8
roles/keycloak/defaults/main.yml
View File

@@ -7,6 +7,10 @@ keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_vers
keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
keycloak_offline_install: false
# Authentication for Keycloak binary download (e.g. from internal artifact repository)
keycloak_binary_download_user:
keycloak_binary_download_pass:
### Install location and service settings
keycloak_java_home:
keycloak_dest: /opt/keycloak
@@ -118,3 +122,7 @@ keycloak_no_log: true
### logging configuration
keycloak_log_target: /var/log/keycloak
# locations
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"

8
roles/keycloak/meta/argument_specs.yml
View File

@@ -333,6 +333,14 @@ argument_specs:
default: true
description: "Allow the option to ignore invalid certificates when downloading JDBC drivers from a custom URL"
type: "bool"
keycloak_binary_download_user:
description: "Username for HTTP Basic Auth when downloading Keycloak binary"
type: "str"
required: false
keycloak_binary_download_pass:
description: "Password for HTTP Basic Auth when downloading Keycloak binary"
type: "str"
required: false
downstream:
options:
sso_version:

2
roles/keycloak/meta/main.yml
View File

@@ -12,7 +12,7 @@ galaxy_info:
license: Apache License 2.0
min_ansible_version: "2.15"
min_ansible_version: "2.16"
platforms:
- name: EL

6
roles/keycloak/tasks/debian.yml
View File

@@ -1,6 +1,10 @@
---
- name: Include firewall config tasks
ansible.builtin.include_tasks: iptables.yml
ansible.builtin.include_tasks:
file: iptables.yml
apply:
tags:
- firewall
when: keycloak_configure_iptables
tags:
- firewall

2
roles/keycloak/tasks/install.yml
View File

@@ -85,6 +85,8 @@
url: "{{ keycloak_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
mode: '0644'
url_username: "{{ keycloak_binary_download_user | default(omit) }}"
url_password: "{{ keycloak_binary_download_pass | default(omit) }}"
delegate_to: localhost
run_once: true
when:

24
roles/keycloak/tasks/main.yml
View File

@@ -1,22 +1,38 @@
---
# tasks file for keycloak
- name: Check prerequisites
ansible.builtin.include_tasks: prereqs.yml
ansible.builtin.include_tasks:
file: prereqs.yml
apply:
tags:
- prereqs
tags:
- prereqs
- name: Distro specific tasks
ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml"
ansible.builtin.include_tasks:
file: "{{ ansible_os_family | lower }}.yml"
apply:
tags:
- unbound
tags:
- unbound
- name: Include install tasks
ansible.builtin.include_tasks: install.yml
ansible.builtin.include_tasks:
file: install.yml
apply:
tags:
- install
tags:
- install
- name: Include systemd tasks
ansible.builtin.include_tasks: systemd.yml
ansible.builtin.include_tasks:
file: systemd.yml
apply:
tags:
- systemd
tags:
- systemd

6
roles/keycloak/tasks/redhat.yml
View File

@@ -1,6 +1,10 @@
---
- name: Include firewall config tasks
ansible.builtin.include_tasks: firewalld.yml
ansible.builtin.include_tasks:
file: firewalld.yml
apply:
tags:
- firewall
when: keycloak_configure_firewalld
tags:
- firewall

6
roles/keycloak/tasks/rhsso_cli.yml
View File

@@ -2,12 +2,12 @@
- name: Ensure required params for CLI have been provided
ansible.builtin.assert:
that:
- query is defined
- cli_query is defined
fail_msg: "Missing required parameters to execute CLI."
quiet: true
- name: "Execute CLI query: {{ query }}"
- name: "Execute CLI query: {{ cli_query }}"
ansible.builtin.command: >
{{ keycloak.cli_path }} --connect --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
{{ keycloak.cli_path }} --connect --command='{{ cli_query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
changed_when: false
register: cli_result

8
roles/keycloak/tasks/rhsso_patch.yml
View File

@@ -106,7 +106,7 @@
- name: "Check installed patches"
ansible.builtin.include_tasks: rhsso_cli.yml
vars:
query: "patch info"
cli_query: "patch info"
args:
apply:
become: true
@@ -121,7 +121,7 @@
- name: "Apply patch {{ patch_version }} to server"
ansible.builtin.include_tasks: rhsso_cli.yml
vars:
query: "patch apply {{ patch_archive }}"
cli_query: "patch apply {{ patch_archive }}"
args:
apply:
become: true
@@ -130,7 +130,7 @@
- name: "Restart server to ensure patch content is running"
ansible.builtin.include_tasks: rhsso_cli.yml
vars:
query: "shutdown --restart"
cli_query: "shutdown --restart"
when:
- cli_result.rc == 0
args:
@@ -149,7 +149,7 @@
- name: "Query installed patch after restart"
ansible.builtin.include_tasks: rhsso_cli.yml
vars:
query: "patch info"
cli_query: "patch info"
args:
apply:
become: true

3
roles/keycloak/vars/main.yml
View File

@@ -1,9 +1,6 @@
---
# internal variables below
# locations
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"
keycloak:

170
roles/keycloak_quarkus/README.md
View File

@@ -33,7 +33,7 @@ Role Defaults
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_version`| keycloak.org package version | `24.0.5` |
|`keycloak_quarkus_version`| keycloak.org package version | `26.4.7` |
|`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
|`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
|`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
@@ -44,47 +44,29 @@ Role Defaults
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_admin_user`| Administration console user account | `admin` |
|`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` |
|`keycloak_quarkus_host`| Hostname for the Keycloak server | `localhost` |
|`keycloak_quarkus_port`| The port used by the proxy when exposing the hostname | `-1` |
|`keycloak_quarkus_path`| This should be set if proxy uses a different context-path for Keycloak | |
|`keycloak_quarkus_http_port`| HTTP listening port | `8080` |
|`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` |
|`keycloak_quarkus_ajp_port`| AJP port | `8009` |
|`keycloak_quarkus_bootstrap_admin_user`| Administration console user account | `admin` |
|`keycloak_quarkus_admin_user`| Deprecated, use `keycloak_quarkus_bootstrap_admin_user` instead. | |
|`keycloak_quarkus_bind_address`| Deprecated, use `keycloak_quarkus_http_host` instead | `0.0.0.0` |
|`keycloak_quarkus_host`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
|`keycloak_quarkus_port`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
|`keycloak_quarkus_path`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
|`keycloak_quarkus_service_user`| Posix account username | `keycloak` |
|`keycloak_quarkus_service_group`| Posix account group | `keycloak` |
|`keycloak_quarkus_service_restart_always`| systemd restart always behavior activation | `False` |
|`keycloak_quarkus_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` |
|`keycloak_quarkus_service_restartsec`| systemd RestartSec | `10s` |
|`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-17-openjdk-headless` |
|`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-21-openjdk-headless` |
|`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
|`keycloak_quarkus_java_heap_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` |
|`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak |
|`keycloak_quarkus_java_opts`| JVM arguments; if overridden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` |
|`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file | `[]` |
|`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | |
|`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
|`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
|`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
|`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically | `realms/master/.well-known/openid-configuration` |
|`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
|`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` |
|`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` |
|`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `/etc/pki/tls/private/server.key.pem` |
|`keycloak_quarkus_cert_file_copy_enabled`| Enable copy of cert file to target host | `False`|
|`keycloak_quarkus_cert_file_src`| Set the source file path | `""` |
|`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `/etc/pki/tls/certs/server.crt.pem` |
|`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` |
|`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. ||
|`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.||
|`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` |
|`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` |
|`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` |
|`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
|`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` |
|`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file, see https://www.keycloak.org/server/all-config | `[]` |
|`keycloak_quarkus_frontend_url`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
|`keycloak_quarkus_admin_url`| Deprecated, use `keycloak_quarkus_hostname_admin` instead. | |
|`keycloak_quarkus_health_check_url`| Full URL (including scheme, host, path, fragment etc.) used for health check endpoint; keycloak_quarkus_hostname will NOT be prepended; helpful when health checks should happen against http port, but keycloak_quarkus_hostname uses https scheme per default | `` |
|`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; keycloak_quarkus_hostname will be prepended automatically; Note that keycloak_quarkus_health_check_url takes precedence over this property | `realms/master/.well-known/openid-configuration` |
|`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwarded`) | `""` |
|`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_keystore_password != ''`, else `''` |
|`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_config_key_store_password` is not empty | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_config_key_store_password != ''`, else `''` |
|`keycloak_quarkus_config_key_store_password`| Password of the configuration keystore; if non-empty, `keycloak_quarkus_db_pass` will be saved to the keystore at `keycloak_quarkus_config_key_store_file` instead of being written to the configuration file in clear text | `""` |
|`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
|`keycloak_quarkus_configure_iptables` | Ensure iptables is configured for keycloak ports | `False` |
@@ -95,8 +77,9 @@ Role Defaults
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
|`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `TCPPING` |
|`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `JDBCPING` |
|`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` |
|`keycloak_quarkus_jgroups_ip`| Host jgroups IP. If changing this variable you must make sure it is always set for all hosts in your cluster. | `{{ ansible_default_ipv4.address }}` |
|`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` |
|`keycloak_quarkus_systemd_wait_for_port` | Whether systemd unit should wait for keycloak port before returning | `{{ keycloak_quarkus_ha_enabled }}` |
|`keycloak_quarkus_systemd_wait_for_port_number`| Which port the systemd unit should wait for | `{{ keycloak_quarkus_https_port }}` |
@@ -106,7 +89,7 @@ Role Defaults
|`keycloak_quarkus_restart_strategy`| Strategy task file for restarting in HA (one of provided restart/['serial.yml','none.yml','serial_then_parallel.yml']) or path to file when providing custom strategy | `restart/serial.yml` |
|`keycloak_quarkus_restart_health_check`| Whether to wait for successful health check after restart | `true` |
|`keycloak_quarkus_restart_health_check_delay`| Seconds to let pass before starting healch checks | `10` |
|`keycloak_quarkus_restart_health_check_reries`| Number of attempts for successful health check before failing | `25` |
|`keycloak_quarkus_restart_health_check_retries`| Number of attempts for successful health check before failing | `25` |
|`keycloak_quarkus_restart_pause`| Seconds to wait between restarts in HA strategy | `15` |
@@ -114,33 +97,89 @@ Role Defaults
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` |
|`keycloak_quarkus_hostname`| Address at which is the server exposed. Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request. | |
|`keycloak_quarkus_hostname_admin`| Set the base URL for accessing the administration console, including scheme, host, port and path | `` |
|`keycloak_quarkus_hostname_strict`| Disables dynamically resolving the hostname from request headers | `true` |
|`keycloak_quarkus_hostname_strict_backchannel`| By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled. | `false` |
|`keycloak_quarkus_hostname_backchannel_dynamic`| Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL. | `false` |
|`keycloak_quarkus_hostname_strict_backchannel`| Deprecated, use (the inverted!)`keycloak_quarkus_hostname_backchannel_dynamic` instead. | |
#### HTTP(S) configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` |
|`keycloak_quarkus_http_host`| The http host, ie. the address used to bind the service | `0.0.0.0` |
|`keycloak_quarkus_http_port`| HTTP listening port | `8080` |
|`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` |
|`keycloak_quarkus_http_management_port`| Port of the management interface. Relevant only when something is exposed on the management interface - see the guide for details. | `9000` |
|`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` |
|`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` |
|`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` |
|`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
|`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` |
|`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
|`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` |
|`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` |
|`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `/etc/pki/tls/private/server.key.pem` |
|`keycloak_quarkus_cert_file_copy_enabled`| Enable copy of cert file to target host | `False`|
|`keycloak_quarkus_cert_file_src`| Set the source file path | `""` |
|`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `/etc/pki/tls/certs/server.crt.pem` |
|`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` |
|`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. ||
|`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.||
|`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
|`keycloak_quarkus_http_management_relative_path` | Set the path relative to / for serving resources from management interface. The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details. | `/` |
|`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
#### Infinispan configuration
| Variable | Description | Default |
| :------------------------------------------------- | :------------------------------ | :----------------------------------------------------------- |
| `keycloak_quarkus_cache_managed_infinispan_config` | Manage infinispan configuration | `"{{ keycloak_quarkus_version is version('26.4.0', '<') }}"` |
| `keycloak_quarkus_cache_infinispan_template` | Infinispan cache template file | `cache-ispn.xml` |
As explained in the [official documentation](https://www.keycloak.org/server/caching#_modifying_cache_configuration_defaults), since version 26.4, it is recommended not to modify the XML configuration file but rather to configure the cache via the keycloak.properties file. By default, the role will no longer automatically deploy this file for versions higher than 26.4.
For earlier versions, it is possible to override the given template to customize the cache using the `keycloak_quarkus_cache_infinispan_template` variable.
#### Database configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_jdbc_engine` | Database engine [mariadb,postres,mssql] | `postgres` |
|`keycloak_quarkus_db_engine` | Database engine [mariadb,postres,mssql] | `postgres` |
|`keycloak_quarkus_db_user` | User for database connection | `keycloak-user` |
|`keycloak_quarkus_db_pass` | Password for database connection | `keycloak-pass` |
|`keycloak_quarkus_jdbc_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` |
|`keycloak_quarkus_jdbc_driver_version` | Version for JDBC driver | `9.4.1212` |
|`keycloak_quarkus_db_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` |
|`keycloak_quarkus_db_driver_version` | Version for JDBC engine driver | `9.4.1212` |
#### Remote caches configuration
#### Cache configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_ispn_user` | Username for connecting to infinispan | `supervisor` |
|`keycloak_quarkus_ispn_pass` | Password for connecting to infinispan | `supervisor` |
|`keycloak_quarkus_ispn_hosts` | host name/port for connecting to infinispan, eg. host1:11222;host2:11222 | `localhost:11222` |
|`keycloak_quarkus_ispn_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` |
|`keycloak_quarkus_ispn_use_ssl` | Whether infinispan uses TLS connection | `false` |
|`keycloak_quarkus_ispn_trust_store_path` | Path to infinispan server trust certificate | `/etc/pki/java/cacerts` |
|`keycloak_quarkus_ispn_trust_store_password` | Password for infinispan certificate keystore | `changeit` |
|`keycloak_quarkus_cache_remote` | Whether to connect to remote cache infinispan server | `false` |
|`keycloak_quarkus_cache_remote_username` | Username for connecting to infinispan | `supervisor` |
|`keycloak_quarkus_cache_remote_password` | Password for connecting to infinispan | `supervisor` |
|`keycloak_quarkus_cache_remote_host` | Hostname for connecting to infinispan | `localhost` |
|`keycloak_quarkus_cache_remote_port`| Port for connecting to infinispan | `11222` |
|`keycloak_quarkus_cache_remote_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` |
|`keycloak_quarkus_cache_remote_tls_enabled` | Whether infinispan uses TLS connection | `false` |
|`keycloak_quarkus_cache_embedded_properties` | Embedded cache properties | `` |
#### Logging configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` |
|`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` |
|`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` |
|`keycloak_quarkus_log_format`| Set a format specific to file log entries | `%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n` |
|`keycloak_quarkus_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` |
|`keycloak_quarkus_log_max_file_size`| Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): `[0-9]+[KkMmGgTtPpEeZzYy]?`. If no suffix is given, assume bytes. | `10M` |
|`keycloak_quarkus_log_max_backup_index`| Set the maximum number of archived log files to keep | `10` |
|`keycloak_quarkus_log_file_suffix`| Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with `.zip` or `.gz`, the rotation file will also be compressed. | `.yyyy-MM-dd.zip` |
#### Miscellaneous configuration
@@ -148,31 +187,22 @@ Role Defaults
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_metrics_enabled`| Whether to enable metrics | `False` |
|`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints | `True` |
|`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints on the management interface | `True` |
|`keycloak_quarkus_archive` | keycloak install archive filename | `keycloak-{{ keycloak_quarkus_version }}.zip` |
|`keycloak_quarkus_installdir` | Installation path | `{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}` |
|`keycloak_quarkus_home` | Installation work directory | `{{ keycloak_quarkus_installdir }}` |
|`keycloak_quarkus_config_dir` | Path for configuration | `{{ keycloak_quarkus_home }}/conf` |
|`keycloak_quarkus_master_realm` | Name for rest authentication realm | `master` |
|`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
|`keycloak_force_install` | Remove pre-existing versions of service | `False` |
|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_http_port }}` |
|`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` |
|`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` |
|`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` |
|`keycloak_quarkus_log_format`| Set a format specific to file log entries | `%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n` |
|`keycloak_quarkus_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` |
|`keycloak_quarkus_log_max_file_size`| Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): `[0-9]+[KkMmGgTtPpEeZzYy]?`. If no suffix is given, assume bytes. | `10M` |
|`keycloak_quarkus_log_max_backup_index`| Set the maximum number of archived log files to keep" | `10` |
|`keycloak_quarkus_log_file_suffix`| Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with `.zip` or `.gz`, the rotation file will also be compressed. | `.yyyy-MM-dd.zip` |
|`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` |
|`keycloak_quarkus_force_install` | Remove pre-existing versions of service | `False` |
|`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy (deprecated) | `none` |
|`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` |
|`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` |
|`keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route`| If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy | `True` |
|`keycloak_quarkus_show_deprecation_warnings`| Whether deprecation warnings should be shown | `True` |
#### Vault SPI
#### Vault configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
@@ -200,9 +230,10 @@ keycloak_quarkus_providers:
- id: http-client # required; "{{ id }}.jar" identifies the file name on RHBK
spi: connections # required if neither url, local_path nor maven are specified; required for setting properties
default: true # optional, whether to set default for spi, default false
restart: true # optional, whether to restart, default true
restart: true # optional, whether to rebuild config and restart the service after deploying, default true
url: https://.../.../custom_spi.jar # optional, url for download via http
local_path: my_theme_spi.jar # optional, path on local controller for SPI to be uploaded
remote: true # optional, whether to copy from localhost or remotely, see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-remote_src, default false
maven: # optional, for download using maven
repository_url: https://maven.pkg.github.com/OWNER/REPOSITORY # optional, maven repo url
group_id: my.group # optional, maven group id
@@ -213,6 +244,10 @@ keycloak_quarkus_providers:
properties: # optional, list of key-values
- key: default-connection-pool-size
value: 10
checksum: sha256:D98291AC[...]B6DC7B97 # optional, checksum used to verify integrity:
# for `url` SPIs, use format: <algorithm>:<checksum|url>, cf. <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html#parameter-checksum>;
# for `local_path` SPIs, use SHA1 format <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-checksum>
# for `maven` SPIs, this field is ignored since maven has integrity verification methods enabled by default
```
the definition above will generate the following build command:
@@ -232,9 +267,9 @@ Provider definition:
```yaml
keycloak_quarkus_policies:
- name: xato-net-10-million-passwords.txt # required, resulting file name
url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt # required, url for download
type: password-blacklists # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`]
- name: john-the-ripper.txt # required, resulting file name
url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt # required, url for download
type: password-blacklists # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`]
```
@@ -243,9 +278,8 @@ Role Variables
| Variable | Description | Required |
|:---------|:------------|----------|
|`keycloak_quarkus_admin_pass`| Password of console admin account | `yes` |
|`keycloak_quarkus_frontend_url`| Base URL for frontend URLs, including scheme, host, port and path | `no` |
|`keycloak_quarkus_admin_url`| Base URL for accessing the administration console, including scheme, host, port and path | `no` |
|`keycloak_quarkus_bootstrap_admin_password`| Password of console admin account | `yes` |
|`keycloak_quarkus_admin_pass`| Deprecated, use `keycloak_quarkus_bootstrap_admin_password` instead. | |
|`keycloak_quarkus_ks_vault_pass`| The password for accessing the keystore vault SPI | `no` |
|`keycloak_quarkus_alternate_download_url`| Alternate location with optional authentication for downloading RHBK | `no` |
|`keycloak_quarkus_download_user`| Optional username for http authentication | `no*` |
@@ -265,7 +299,7 @@ The role uses the following [custom facts](https://docs.ansible.com/ansible/late
| Variable | Description |
|:---------|:------------|
|`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_admin_user[_pass]` gets created |
|`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_bootstrap_admin_user[_password]` gets created |
License
-------

94
roles/keycloak_quarkus/defaults/main.yml
View File

@@ -1,10 +1,14 @@
---
### Configuration specific to keycloak
keycloak_quarkus_version: 24.0.5
keycloak_quarkus_version: 26.4.7
keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
# Authentication for Keycloak binary download (e.g. from internal artifact repository)
keycloak_quarkus_binary_download_user:
keycloak_quarkus_binary_download_pass:
# whether to install from local archive
keycloak_quarkus_offline_install: false
@@ -27,26 +31,32 @@ keycloak_quarkus_configure_firewalld: false
keycloak_quarkus_configure_iptables: false
### administrator console password
keycloak_quarkus_admin_user: admin
keycloak_quarkus_admin_pass:
keycloak_quarkus_bootstrap_admin_user: admin
keycloak_quarkus_bootstrap_admin_password:
keycloak_quarkus_master_realm: master
### Configuration settings
keycloak_quarkus_bind_address: 0.0.0.0
keycloak_quarkus_host: localhost
keycloak_quarkus_port: -1
keycloak_quarkus_path:
keycloak_quarkus_bind_address: 0.0.0.0 # deprecated use keycloak_quarkus_http_host
keycloak_quarkus_http_host: 0.0.0.0
keycloak_quarkus_http_enabled: true
keycloak_quarkus_http_port: 8080
keycloak_quarkus_https_port: 8443
keycloak_quarkus_ajp_port: 8009
keycloak_quarkus_http_management_port: 9000
keycloak_quarkus_jgroups_port: 7800
keycloak_quarkus_jgroups_bind_address: "{{ ansible_default_ipv4.address }}"
keycloak_quarkus_jgroups_external_addr: "{{ keycloak_quarkus_jgroups_bind_address }}"
keycloak_quarkus_jgroups_external_port: "{{ keycloak_quarkus_jgroups_port }}"
keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx2048m"
keycloak_quarkus_java_jvm_opts: "-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8
keycloak_quarkus_java_jvm_opts: >
-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8
-Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError
-Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4
-XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512"
keycloak_quarkus_java_opts: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}"
-XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512
keycloak_quarkus_jgroups_opts: >
-Djgroups.bind.address={{ keycloak_quarkus_jgroups_bind_address }}
-Djgroups.external_port={{ keycloak_quarkus_jgroups_external_port }}
-Djgroups.external_addr={{ keycloak_quarkus_jgroups_external_addr }}
keycloak_quarkus_java_opts: "{{ ' '.join((keycloak_quarkus_jgroups_opts, keycloak_quarkus_java_heap_opts, keycloak_quarkus_java_jvm_opts)) }}"
keycloak_quarkus_additional_env_vars: []
### TLS/HTTPS configuration
@@ -71,7 +81,7 @@ keycloak_quarkus_config_key_store_password: ''
### Enable configuration for database backend, clustering and remote caches on infinispan
keycloak_quarkus_ha_enabled: false
keycloak_quarkus_ha_discovery: "TCPPING"
keycloak_quarkus_ha_discovery: "JDBCPING"
### Enable database configuration, must be enabled when HA is configured
keycloak_quarkus_db_enabled: "{{ keycloak_quarkus_ha_enabled }}"
keycloak_quarkus_systemd_wait_for_port: "{{ keycloak_quarkus_ha_enabled }}"
@@ -81,8 +91,8 @@ keycloak_quarkus_systemd_wait_for_timeout: 60
keycloak_quarkus_systemd_wait_for_delay: 10
### keycloak frontend url
keycloak_quarkus_frontend_url:
keycloak_quarkus_admin_url:
keycloak_quarkus_hostname:
keycloak_quarkus_hostname_admin: ""
### Set the path relative to / for serving resources. The path must start with a /
### (set to `/auth` for retrocompatibility with pre-quarkus releases)
@@ -91,15 +101,15 @@ keycloak_quarkus_http_relative_path: /
# Disables dynamically resolving the hostname from request headers.
# Should always be set to true in production, unless proxy verifies the Host header.
keycloak_quarkus_hostname_strict: true
# By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications.
# If all applications use the public URL this option should be enabled.
keycloak_quarkus_hostname_strict_backchannel: false
# Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path.
# Set to true if your application accesses Keycloak via a private network. If set to true, keycloak_quarkus_hostname option needs to be specified as a full URL.
keycloak_quarkus_hostname_backchannel_dynamic: false
# The proxy headers that should be accepted by the server. ['', 'forwarded', 'xforwarded']
keycloak_quarkus_proxy_headers: ""
# deprecated: proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
keycloak_quarkus_proxy_mode: edge
keycloak_quarkus_proxy_mode: none
# disable xa transactions
keycloak_quarkus_transaction_xa_enabled: true
@@ -111,36 +121,46 @@ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: true
keycloak_quarkus_metrics_enabled: false
keycloak_quarkus_health_enabled: true
### infinispan; must read: https://forum.keycloak.org/t/keycloak-26-4-7-ha/31202
keycloak_quarkus_cache_managed_infinispan_config: "{{ keycloak_quarkus_version is version('26.4.0', '<') }}"
keycloak_quarkus_cache_infinispan_template: cache-ispn.xml
### caches; must read: https://www.keycloak.org/2024/12/storing-sessions-in-kc26
### embedded caches
# https://www.keycloak.org/server/caching
keycloak_quarkus_cache_embedded_properties: ""
### infinispan remote caches access (hotrod)
keycloak_quarkus_ispn_user: supervisor
keycloak_quarkus_ispn_pass: supervisor
keycloak_quarkus_ispn_hosts: "localhost:11222"
keycloak_quarkus_ispn_sasl_mechanism: SCRAM-SHA-512
keycloak_quarkus_ispn_use_ssl: false
# if ssl is enabled, import ispn server certificate here
keycloak_quarkus_ispn_trust_store_path: /etc/pki/java/cacerts
keycloak_quarkus_ispn_trust_store_password: changeit
# https://www.keycloak.org/server/caching#_remote_cache
keycloak_quarkus_cache_remote: false
keycloak_quarkus_cache_remote_username: supervisor
keycloak_quarkus_cache_remote_password: supervisor
keycloak_quarkus_cache_remote_host: localhost
keycloak_quarkus_cache_remote_port: 11222
keycloak_quarkus_cache_remote_tls_enabled: false
keycloak_quarkus_cache_remote_sasl_mechanism: SCRAM-SHA-512
### database backend engine: values [ 'postgres', 'mariadb' ]
keycloak_quarkus_jdbc_engine: postgres
keycloak_quarkus_db_engine: postgres
### database backend credentials
keycloak_quarkus_db_user: keycloak-user
keycloak_quarkus_db_pass: keycloak-pass
keycloak_quarkus_jdbc_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
keycloak_quarkus_jdbc_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
# override the variables above, following defaults show minimum supported versions
keycloak_quarkus_db_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].url }}"
keycloak_quarkus_db_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].version }}"
# override the variables above, following defaults show recommended version as per
# https://access.redhat.com/articles/7033107
keycloak_quarkus_default_jdbc:
postgres:
url: 'jdbc:postgresql://localhost:5432/keycloak'
version: 9.4.1212
version: 42.7.7
mariadb:
url: 'jdbc:mariadb://localhost:3306/keycloak'
version: 2.7.4
version: 3.5.2
mssql:
url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
version: 12.4.2
driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.4.2.jre11/mssql-jdbc-12.4.2.jre11.jar"
# cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/24.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver
version: 13.2.0
driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/13.2.0.jre11/mssql-jdbc-13.2.0.jre11.jar"
### logging configuration
keycloak_quarkus_log: file
keycloak_quarkus_log_level: info
@@ -165,5 +185,7 @@ keycloak_quarkus_supported_policy_types: ['password-blacklists']
keycloak_quarkus_restart_strategy: restart/serial.yml
keycloak_quarkus_restart_health_check: true
keycloak_quarkus_restart_health_check_delay: 10
keycloak_quarkus_restart_health_check_reries: 25
keycloak_quarkus_restart_health_check_retries: 25
keycloak_quarkus_restart_pause: 15
keycloak_quarkus_force_install: false

3
roles/keycloak_quarkus/handlers/main.yml
View File

@@ -1,4 +1,7 @@
---
- name: "Invalidate {{ keycloak.service_name }} theme cache"
ansible.builtin.include_tasks: invalidate_theme_cache.yml
listen: "invalidate keycloak theme cache"
# handler should be invoked anytime a [build configuration](https://www.keycloak.org/server/all-config?f=build) changes
- name: "Rebuild {{ keycloak.service_name }} config"
ansible.builtin.include_tasks: rebuild_config.yml

169
roles/keycloak_quarkus/meta/argument_specs.yml
View File

@@ -2,7 +2,7 @@ argument_specs:
main:
options:
keycloak_quarkus_version:
default: "24.0.5"
default: "26.4.7"
description: "keycloak.org package version"
type: "str"
keycloak_quarkus_archive:
@@ -22,7 +22,7 @@ argument_specs:
description: "Perform an offline install"
type: "bool"
keycloak_quarkus_jvm_package:
default: "java-11-openjdk-headless"
default: "java-21-openjdk-headless"
description: "RHEL java package runtime"
type: "str"
keycloak_quarkus_java_home:
@@ -68,13 +68,17 @@ argument_specs:
default: "10s"
description: "systemd RestartSec for service"
type: "str"
keycloak_quarkus_admin_user:
keycloak_quarkus_bootstrap_admin_user:
default: "admin"
description: "Administration console user account"
description: "Administration user account, only for bootstrapping"
type: "str"
keycloak_quarkus_admin_pass:
keycloak_quarkus_force_install:
default: false
description: "Remove pre-existing versions of service"
type: "bool"
keycloak_quarkus_bootstrap_admin_password:
required: true
description: "Password of console admin account"
description: "Password of admin account, only for bootstrapping"
type: "str"
keycloak_quarkus_master_realm:
default: "master"
@@ -82,31 +86,40 @@ argument_specs:
type: "str"
keycloak_quarkus_bind_address:
default: "0.0.0.0"
description: "Address for binding service ports"
description: "Deprecated, use `keycloak_quarkus_http_host`"
type: "str"
keycloak_quarkus_hostname:
description: >-
Address at which is the server exposed.
Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request.
type: "str"
keycloak_quarkus_host:
default: "localhost"
description: "Hostname for the Keycloak server"
description: "Deprecated in v26, use keycloak_quarkus_hostname instead."
type: "str"
keycloak_quarkus_port:
default: -1
description: "The port used by the proxy when exposing the hostname"
description: "Deprecated in v26, use keycloak_quarkus_hostname instead."
type: "int"
keycloak_quarkus_path:
required: false
description: "This should be set if proxy uses a different context-path for Keycloak"
description: "Deprecated in v26, use keycloak_quarkus_hostname instead."
type: "str"
keycloak_quarkus_http_enabled:
default: true
description: "Enable listener on HTTP port"
type: "bool"
keycloak_quarkus_http_host:
default: '0.0.0.0'
description: "HTTP host, address for binding service ports"
type: "str"
keycloak_quarkus_http_port:
default: 8080
description: "HTTP port"
type: "int"
keycloak_quarkus_health_check_url:
description: "Full URL (including scheme, host, path, fragment etc.) used for health check endpoint; keycloak_quarkus_hostname will NOT be prepended; helpful when health checks should happen against http port, but keycloak_quarkus_hostname uses https scheme per default"
type: "str"
keycloak_quarkus_health_check_url_path:
default: "realms/master/.well-known/openid-configuration"
description: "Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically"
description: "Path to the health check endpoint; keycloak_quarkus_hostname will be prepended automatically; Note that keycloak_quarkus_health_check_url takes precedence over this property"
type: "str"
keycloak_quarkus_https_key_file_enabled:
default: false
@@ -170,7 +183,7 @@ argument_specs:
type: "str"
keycloak_quarkus_config_key_store_file:
default: "{{ keycloak.home }}/conf/conf_store.p12"
description: "Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty"
description: "Path to the configuration key store; only used if `keycloak_quarkus_config_key_store_password` is not empty"
type: "str"
keycloak_quarkus_config_key_store_password:
default: ""
@@ -182,13 +195,9 @@ argument_specs:
default: 8443
description: "HTTPS port"
type: "int"
keycloak_quarkus_ajp_port:
default: 8009
description: "AJP port"
type: "int"
keycloak_quarkus_jgroups_port:
default: 7800
description: "jgroups cluster tcp port"
keycloak_quarkus_http_management_port:
default: 9000
description: "Port of the management interface. Relevant only when something is exposed on the management interface - see the guide for details."
type: "int"
keycloak_quarkus_java_heap_opts:
default: "-Xms1024m -Xmx2048m"
@@ -202,7 +211,7 @@ argument_specs:
description: "Other JVM settings"
type: "str"
keycloak_quarkus_java_opts:
default: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}"
default: "{{ ' '.join((keycloak_quarkus_jgroups_opts, keycloak_quarkus_java_heap_opts, keycloak_quarkus_java_jvm_opts)) }}"
description: "JVM arguments, by default heap_opts + jvm_opts, if overriden it takes precedence over them"
type: "str"
keycloak_quarkus_additional_env_vars:
@@ -226,13 +235,21 @@ argument_specs:
default: /
description: "Set the path relative to / for serving resources. The path must start with a /"
type: "str"
keycloak_quarkus_http_management_relative_path:
required: false
description: "Set the path relative to / for serving resources from management interface. The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details."
type: "str"
keycloak_quarkus_frontend_url:
required: false
description: "Service public URL"
description: "Deprecated in v26, use keycloak_quarkus_hostname instead."
type: "str"
keycloak_quarkus_hostname_admin:
required: false
description: "Service URL for the admin console"
type: "str"
keycloak_quarkus_admin_url:
required: false
description: "Service URL for the admin console"
description: "Deprecated in v26, use keycloak_quarkus_hostname_admin instead."
type: "str"
keycloak_quarkus_metrics_enabled:
default: false
@@ -240,37 +257,37 @@ argument_specs:
type: "bool"
keycloak_quarkus_health_enabled:
default: true
description: "If the server should expose health check endpoints"
description: "If the server should expose health check endpoints on the management interface"
type: "bool"
keycloak_quarkus_ispn_user:
keycloak_quarkus_cache_remote:
description: "Whether to connect to remote cache infinispan server"
default: false
type: 'bool'
keycloak_quarkus_cache_remote_username:
default: "supervisor"
description: "Username for connecting to infinispan"
type: "str"
keycloak_quarkus_ispn_pass:
keycloak_quarkus_cache_remote_password:
default: "supervisor"
description: "Password for connecting to infinispan"
type: "str"
keycloak_quarkus_ispn_hosts:
default: "localhost:11222"
description: "host name/port for connecting to infinispan, eg. host1:11222;host2:11222"
keycloak_quarkus_cache_remote_host:
default: "localhost"
description: "Hostname for connecting to infinispan"
type: "str"
keycloak_quarkus_ispn_sasl_mechanism:
keycloak_quarkus_cache_remote_port:
default: "11222"
description: "Port for connecting to infinispan"
type: "str"
keycloak_quarkus_cache_remote_sasl_mechanism:
default: "SCRAM-SHA-512"
description: "Infinispan auth mechanism"
type: "str"
keycloak_quarkus_ispn_use_ssl:
keycloak_quarkus_cache_remote_tls_enabled:
default: false
description: "Whether infinispan uses TLS connection"
type: "bool"
keycloak_quarkus_ispn_trust_store_path:
default: "/etc/pki/java/cacerts"
description: "Path to infinispan server trust certificate"
type: "str"
keycloak_quarkus_ispn_trust_store_password:
default: "changeit"
description: "Password for infinispan certificate keystore"
type: "str"
keycloak_quarkus_jdbc_engine:
keycloak_quarkus_db_engine:
default: "postgres"
description: "Database engine [mariadb,postres,mssql]"
type: "str"
@@ -282,12 +299,12 @@ argument_specs:
default: "keycloak-pass"
description: "Password for database connection"
type: "str"
keycloak_quarkus_jdbc_url:
default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
keycloak_quarkus_db_url:
default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].url }}"
description: "JDBC URL for connecting to database"
type: "str"
keycloak_quarkus_jdbc_driver_version:
default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
keycloak_quarkus_db_driver_version:
default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].version }}"
description: "Version for JDBC driver"
type: "str"
keycloak_quarkus_log:
@@ -327,9 +344,9 @@ argument_specs:
Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix. Note: If the suffix ends
with .zip or .gz, the rotation file will also be compressed.
keycloak_quarkus_proxy_mode:
default: 'edge'
default: 'none'
type: "str"
description: "The proxy address forwarding mode if the server is behind a reverse proxy. Set to 'none' if not using a proxy"
description: "The proxy address forwarding mode if the server is behind a reverse proxy. Set to 'none' as it is deprecated according to Keycloak documentation"
keycloak_quarkus_proxy_headers:
default: ""
type: "str"
@@ -348,24 +365,18 @@ argument_specs:
description: >
Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless
proxy verifies the Host header.
keycloak_quarkus_hostname_strict_backchannel:
keycloak_quarkus_hostname_backchannel_dynamic:
default: false
type: "bool"
description: >
By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all
applications use the public URL this option should be enabled.
Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path.
Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL.
keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route:
default: true
type: "bool"
description: >
If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies
and we rely on the session affinity capabilities from reverse proxy
keycloak_quarkus_hostname_strict_https:
type: "bool"
required: false
description: >
By default, Keycloak requires running using TLS/HTTPS. If the service MUST run without TLS/HTTPS, then set
this option to "true"
keycloak_quarkus_ks_vault_enabled:
default: false
type: "bool"
@@ -453,7 +464,7 @@ argument_specs:
description: "Seconds to let pass before starting healch checks"
default: 10
type: 'int'
keycloak_quarkus_restart_health_check_reries:
keycloak_quarkus_restart_health_check_retries:
description: "Number of attempts for successful health check before failing"
default: 25
type: 'int'
@@ -465,10 +476,50 @@ argument_specs:
description: "Path local to controller for offline/download of install archives"
default: "{{ lookup('env', 'PWD') }}"
type: "str"
keycloak_quarkus_jgroups_port:
description: 'jgroups bind port'
default: 7800
type: "int"
keycloak_quarkus_jgroups_bind_address:
description: 'jgroups bind address'
default: "{{ ansible_default_ipv4.address }}"
type: "str"
keycloak_quarkus_jgroups_external_addr:
description: 'IP address that other instances in the Keycloak should use to contact this node'
default: "{{ keycloak_quarkus_jgroups_bind_address }}"
type: "str"
keycloak_quarkus_jgroups_external_port:
description: 'Port that other instances in the Keycloak cluster should use to contact this node'
default: "{{ keycloak_quarkus_jgroups_port }}"
type: "int"
keycloak_quarkus_jgroups_opts:
description: "JVM arguments for jgroups configuration"
default: "-Djgroups.bind.address={{ keycloak_quarkus_jgroups_bind_address }} -Djgroups.external_port={{ keycloak_quarkus_jgroups_external_port }} -Djgroups.external_addr={{ keycloak_quarkus_jgroups_external_addr }}"
type: "str"
keycloak_quarkus_cache_managed_infinispan_config:
description: "Manage infinispan configuration"
default: "{{ keycloak_quarkus_version is version('26.4.0', '<') }}"
type: bool
keycloak_quarkus_cache_infinispan_template:
description: "Infinispan cache template file"
default: "cache-ispn.xml"
type: str
keycloak_quarkus_cache_embedded_properties:
description: Embedded cache properties
default: ""
type: str
keycloak_quarkus_binary_download_user:
description: "Username for HTTP Basic Auth when downloading Keycloak binary"
type: "str"
required: false
keycloak_quarkus_binary_download_pass:
description: "Password for HTTP Basic Auth when downloading Keycloak binary"
type: "str"
required: false
downstream:
options:
rhbk_version:
default: "24.0.3"
default: "26.4.7"
description: "Red Hat Build of Keycloak version"
type: "str"
rhbk_archive:

2
roles/keycloak_quarkus/meta/main.yml
View File

@@ -8,7 +8,7 @@ galaxy_info:
license: Apache License 2.0
min_ansible_version: "2.15"
min_ansible_version: "2.16"
platforms:
- name: EL

6
roles/keycloak_quarkus/tasks/debian.yml
View File

@@ -1,6 +1,10 @@
---
- name: Include firewall config tasks
ansible.builtin.include_tasks: iptables.yml
ansible.builtin.include_tasks:
file: iptables.yml
apply:
tags:
- firewall
when: keycloak_quarkus_configure_iptables
tags:
- firewall

109
roles/keycloak_quarkus/tasks/deprecations.yml
View File

@@ -49,5 +49,114 @@
notify:
- print deprecation warning
# https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
- name: Check deprecation of keycloak_quarkus_frontend_url -> keycloak_quarkus_hostname
when:
- keycloak_quarkus_hostname is not defined
- keycloak_quarkus_frontend_url is defined
- keycloak_quarkus_frontend_url != ''
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_hostname: "{{ keycloak_quarkus_frontend_url }}"
deprecated_variable: "keycloak_quarkus_frontend_url" # read in deprecation handler
notify:
- print deprecation warning
# https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
- name: Check deprecation of keycloak_quarkus_hostname_strict_https + keycloak_quarkus_host + keycloak_quarkus_port + keycloak_quarkus_path -> keycloak_quarkus_hostname
when:
- keycloak_quarkus_hostname is not defined
- keycloak_quarkus_hostname_strict_https is defined or keycloak_quarkus_frontend_url is defined or keycloak_quarkus_port is defined or keycloak_quarkus_path is defined
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_hostname: >-
{% set protocol = '' %}
{% if keycloak_quarkus_hostname_strict_https %}
{% set protocol = 'https://' %}
{% elif keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is False %}
{% set protocol = 'http://' %}
{% endif %}
{{ protocol }}{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_port }}/{{ keycloak_quarkus_path }}
deprecated_variable: "keycloak_quarkus_hostname_strict_https or keycloak_quarkus_frontend_url or keycloak_quarkus_frontend_url or keycloak_quarkus_hostname" # read in deprecation handler
notify:
- print deprecation warning
# https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
- name: Check deprecation of keycloak_quarkus_admin_url -> keycloak_quarkus_hostname_admin
when:
- keycloak_quarkus_hostname_admin is not defined
- keycloak_quarkus_admin_url is defined
- keycloak_quarkus_admin_url != ''
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_hostname_admin: "{{ keycloak_quarkus_admin_url }}"
deprecated_variable: "keycloak_quarkus_admin_url" # read in deprecation handler
notify:
- print deprecation warning
# https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
- name: Check deprecation of keycloak_quarkus_hostname_strict_backchannel -> keycloak_quarkus_hostname_backchannel_dynamic
when:
- keycloak_quarkus_hostname_backchannel_dynamic is not defined
- keycloak_quarkus_hostname_strict_backchannel is defined
- keycloak_quarkus_hostname_strict_backchannel != ''
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_hostname_backchannel_dynamic: "{{ keycloak_quarkus_hostname_strict_backchannel == False }}"
deprecated_variable: "keycloak_quarkus_hostname_backchannel_dynamic" # read in deprecation handler
notify:
- print deprecation warning
# https://github.com/keycloak/keycloak/issues/30009
- name: Check deprecation of keycloak_quarkus_admin_user -> keycloak_quarkus_bootstrap_admin_user
when:
- keycloak_quarkus_bootstrap_admin_user is not defined
- keycloak_quarkus_admin_user is defined
- keycloak_quarkus_admin_user != ''
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_bootstrap_admin_user: "{{ keycloak_quarkus_admin_user }}"
deprecated_variable: "keycloak_quarkus_admin_user" # read in deprecation handler
notify:
- print deprecation warning
# https://github.com/keycloak/keycloak/issues/30009
- name: Check deprecation of keycloak_quarkus_admin_pass -> keycloak_quarkus_bootstrap_admin_password
when:
- keycloak_quarkus_bootstrap_admin_password is not defined
- keycloak_quarkus_admin_pass is defined
- keycloak_quarkus_admin_pass != ''
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_bootstrap_admin_user: "{{ keycloak_quarkus_admin_pass }}"
deprecated_variable: "keycloak_quarkus_admin_pass" # read in deprecation handler
notify:
- print deprecation warning
- name: Check deprecation of keycloak_quarkus_bind_address -> keycloak_quarkus_http_host
when:
- keycloak_quarkus_bind_address is defined
- keycloak_quarkus_bind_address != '0.0.0.0'
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_http_host: "{{ keycloak_quarkus_bind_address }}"
deprecated_variable: "keycloak_quarkus_bind_address" # read in deprecation handler
notify:
- print deprecation warning
- name: Flush handlers
ansible.builtin.meta: flush_handlers

13
roles/keycloak_quarkus/tasks/firewalld.yml
View File

@@ -12,7 +12,7 @@
enabled: true
state: started
- name: "Configure firewall for {{ keycloak.service_name }} ports"
- name: "Configure firewall for {{ keycloak.service_name }} http port"
become: true
ansible.posix.firewalld:
port: "{{ item }}"
@@ -21,5 +21,16 @@
immediate: true
loop:
- "{{ keycloak_quarkus_http_port }}/tcp"
when: keycloak_quarkus_http_enabled | bool
- name: "Configure firewall for {{ keycloak.service_name }} ports"
become: true
ansible.posix.firewalld:
port: "{{ item }}"
permanent: true
state: enabled
immediate: true
loop:
- "{{ keycloak_quarkus_https_port }}/tcp"
- "{{ keycloak_quarkus_http_management_port }}/tcp"
- "{{ keycloak_quarkus_jgroups_port }}/tcp"

38
roles/keycloak_quarkus/tasks/install.yml
View File

@@ -17,6 +17,27 @@
path: "{{ keycloak.home }}"
register: existing_deploy
- name: Stop and restart if existing deployment exists and install forced
when: existing_deploy.stat.exists and keycloak_quarkus_force_install | bool
block:
- name: "Stop the old {{ keycloak.service_name }} service"
become: true
failed_when: false
ansible.builtin.systemd:
name: keycloak
state: stopped
- name: "Remove the old {{ keycloak.service_name }} deployment"
become: true
ansible.builtin.file:
path: "{{ keycloak_quarkus_home }}"
state: absent
- name: Check for an existing deployment after possible forced removal
become: true
ansible.builtin.stat:
path: "{{ keycloak_quarkus_home }}"
register: existing_deploy
- name: "Create {{ keycloak.service_name }} service user/group"
become: true
ansible.builtin.user:
@@ -58,6 +79,8 @@
url: "{{ keycloak_quarkus_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
mode: '0640'
url_username: "{{ keycloak_quarkus_binary_download_user | default(omit) }}"
url_password: "{{ keycloak_quarkus_binary_download_pass | default(omit) }}"
delegate_to: localhost
become: false
run_once: true
@@ -77,6 +100,7 @@
- not archive_path.stat.exists
- rhbk_enable is defined and rhbk_enable
- not keycloak.offline_install
- keycloak_quarkus_alternate_download_url is undefined
block:
- name: Retrieve product download using JBoss Network API
middleware_automation.common.product_search:
@@ -202,11 +226,11 @@
- keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled
- keycloak_quarkus_cert_file_src | length > 0
- name: "Install {{ keycloak_quarkus_jdbc_engine }} JDBC driver"
- name: "Install {{ keycloak_quarkus_db_engine }} JDBC driver"
ansible.builtin.include_tasks: jdbc_driver.yml
when:
- rhbk_enable is defined and rhbk_enable
- keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url is defined
- keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url is defined
- name: "Download custom providers via http"
ansible.builtin.get_url:
@@ -215,10 +239,11 @@
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0640'
checksum: "{{ item.checksum | default(omit) }}"
become: true
loop: "{{ keycloak_quarkus_providers }}"
when: item.url is defined and item.url | length > 0
notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}"
notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}"
# this requires the `lxml` package to be installed; we redirect this step to localhost such that we do need to install it on the remote hosts
- name: "Download custom providers to localhost using maven"
@@ -235,7 +260,6 @@
loop: "{{ keycloak_quarkus_providers }}"
when: item.maven is defined
no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}"
notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}"
- name: "Copy maven providers"
ansible.builtin.copy:
@@ -244,21 +268,25 @@
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0640'
checksum: "{{ item.checksum | default(omit) }}"
become: true
loop: "{{ keycloak_quarkus_providers }}"
when: item.maven is defined
no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}"
notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}"
- name: "Copy providers"
- name: "Copy local providers"
ansible.builtin.copy:
src: "{{ item.local_path }}"
dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0640'
remote_src: "{{ item.remote | default(false) }}"
become: true
loop: "{{ keycloak_quarkus_providers }}"
when: item.local_path is defined
notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}"
- name: Ensure required folder structure for policies exists
ansible.builtin.file:

11
roles/keycloak_quarkus/tasks/invalidate_theme_cache.yml Normal file
View File

@@ -0,0 +1,11 @@
---
# From https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/24.0/html/server_developer_guide/themes#creating_a_theme:
# If you want to manually delete the content of the themes cache,
# you can do so by deleting the data/tmp/kc-gzip-cache directory of the server distribution
# It can be useful for instance if you redeployed custom providers or custom themes without
# disabling themes caching in the previous server executions.
- name: "Delete {{ keycloak.service_name }} theme cache directory"
ansible.builtin.file:
path: "{{ keycloak.home }}/data/tmp/kc-gzip-cache"
state: absent
become: true

4
roles/keycloak_quarkus/tasks/jdbc_driver.yml
View File

@@ -7,9 +7,9 @@
(keycloak_quarkus_jdbc_download_user is undefined and keycloak_quarkus_jdbc_download_pass is not undefined) or
(keycloak_quarkus_jdbc_download_pass is undefined and keycloak_quarkus_jdbc_download_user is not undefined)
- name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
- name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url) }}"
ansible.builtin.get_url:
url: "{{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
url: "{{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url) }}"
dest: "{{ keycloak.home }}/providers"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"

52
roles/keycloak_quarkus/tasks/main.yml
View File

@@ -1,34 +1,58 @@
---
# tasks file for keycloak
- name: Check prerequisites
ansible.builtin.include_tasks: prereqs.yml
ansible.builtin.include_tasks:
file: prereqs.yml
apply:
tags:
- prereqs
tags:
- prereqs
- always
- name: Check for deprecations
ansible.builtin.include_tasks: deprecations.yml
ansible.builtin.include_tasks:
file: deprecations.yml
apply:
tags:
- always
tags:
- always
- name: Distro specific tasks
ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml"
ansible.builtin.include_tasks:
file: "{{ ansible_os_family | lower }}.yml"
apply:
tags:
- unbound
tags:
- unbound
- name: Include install tasks
ansible.builtin.include_tasks: install.yml
ansible.builtin.include_tasks:
file: install.yml
apply:
tags:
- install
tags:
- install
- name: Include systemd tasks
ansible.builtin.include_tasks: systemd.yml
ansible.builtin.include_tasks:
file: systemd.yml
apply:
tags:
- systemd
tags:
- systemd
- name: Include configuration key store tasks
ansible.builtin.include_tasks:
file: config_store.yml
apply:
tags:
- install
when: keycloak.config_key_store_enabled
ansible.builtin.include_tasks: config_store.yml
tags:
- install
@@ -39,13 +63,18 @@
{
"name": item,
"address": 'jgroups-' + item,
"inventory_host": hostvars[item].ansible_default_ipv4.address | default(item) + '[' + (keycloak_quarkus_jgroups_port | string) + ']',
"value": hostvars[item].ansible_default_ipv4.address | default(item)
"inventory_host": hostvars[item].keycloak_quarkus_jgroups_ip | default(item) + '[' + (keycloak_quarkus_jgroups_port | string) + ']',
"value": hostvars[item].keycloak_quarkus_jgroups_ip | default(item)
}
] }}
loop: "{{ ansible_play_batch }}"
when: keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING'
- name: Determine the config files
ansible.builtin.set_fact:
keycloak_quarkus_config_files: "{{ ['keycloak.conf', 'quarkus.properties'] + (keycloak_quarkus_cache_managed_infinispan_config | ternary([keycloak_quarkus_cache_infinispan_template], [])) }}"
- name: "Configure config files for keycloak service"
ansible.builtin.template:
src: "{{ item }}.j2"
@@ -54,10 +83,7 @@
group: "{{ keycloak.service_group }}"
mode: '0640'
become: true
loop:
- keycloak.conf
- quarkus.properties
- cache-ispn.xml
loop: "{{ keycloak_quarkus_config_files }}"
notify:
- rebuild keycloak config
- restart keycloak
@@ -91,7 +117,7 @@
register: keycloak_service_status
changed_when: false
- name: "Notify to remove `keycloak_quarkus_admin_user[_pass]` env vars"
- name: "Notify to remove `keycloak_quarkus_bootstrap_admin_user[_password]` env vars"
when:
- not ansible_local.keycloak.general.bootstrapped | default(false) | bool # it was not bootstrapped prior to the current role's execution
- keycloak_service_status.status.ActiveState == "active" # but it is now

15
roles/keycloak_quarkus/tasks/prereqs.yml
View File

@@ -2,12 +2,12 @@
- name: Validate admin console password
ansible.builtin.assert:
that:
- keycloak_quarkus_admin_pass | length > 12
- keycloak_quarkus_bootstrap_admin_password | length > 12
quiet: true
fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass to a 12+ char long string"
fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_bootstrap_admin_password to a 12+ char long string"
success_msg: "{{ 'Console administrator password OK' }}"
- name: Validate relative path
- name: Validate http_relative_path
ansible.builtin.assert:
that:
- keycloak_quarkus_http_relative_path is regex('^/.*')
@@ -15,6 +15,15 @@
fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /"
success_msg: "{{ 'Relative path OK' }}"
- name: Validate http_management_relative_path
ansible.builtin.assert:
that:
- keycloak_quarkus_http_management_relative_path is regex('^/.*')
quiet: true
fail_msg: "The relative path for keycloak_quarkus_http_management_relative_path must begin with /"
success_msg: "{{ 'Relative mgmt path OK' }}"
when: keycloak_quarkus_http_management_relative_path is defined
- name: Validate configuration
ansible.builtin.assert:
that:

5
roles/keycloak_quarkus/tasks/rebuild_config.yml
View File

@@ -2,9 +2,6 @@
# cf. https://www.keycloak.org/server/configuration#_optimize_the_keycloak_startup
- name: "Rebuild {{ keycloak.service_name }} config"
ansible.builtin.shell: | # noqa blocked_modules shell is necessary here
{{ keycloak.home }}/bin/kc.sh build
environment:
PATH: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
JAVA_HOME: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}"
env -i bash -c "set -a ; source {{ keycloak_quarkus_sysconf_file }} ; {{ keycloak.home }}/bin/kc.sh build "
become: true
changed_when: true

6
roles/keycloak_quarkus/tasks/redhat.yml
View File

@@ -1,6 +1,10 @@
---
- name: Include firewall config tasks
ansible.builtin.include_tasks: firewalld.yml
ansible.builtin.include_tasks:
file: firewalld.yml
apply:
tags:
- firewall
when: keycloak_quarkus_configure_firewalld
tags:
- firewall

2
roles/keycloak_quarkus/tasks/restart.yml
View File

@@ -12,7 +12,7 @@
url: "{{ keycloak.health_url }}"
register: keycloak_status
until: keycloak_status.status == 200
retries: "{{ keycloak_quarkus_restart_health_check_reries }}"
retries: "{{ keycloak_quarkus_restart_health_check_retries }}"
delay: "{{ keycloak_quarkus_restart_health_check_delay }}"
when: internal_force_health_check | default(keycloak_quarkus_restart_health_check)

2
roles/keycloak_quarkus/tasks/restart/serial.yml
View File

@@ -2,7 +2,7 @@
- name: "Restart services in serial, with optional healtch check (keycloak_quarkus_restart_health_check)"
throttle: 1
block:
- name: "Restart and enable {{ keycloak.service_name }} service on {{ item }}"
- name: "Restart and enable {{ keycloak.service_name }} service"
ansible.builtin.include_tasks:
file: restart.yml
apply:

1
roles/keycloak_quarkus/tasks/start.yml
View File

@@ -14,3 +14,4 @@
until: keycloak_status.status == 200
retries: 25
delay: 10
when: internal_force_health_check | default(keycloak_quarkus_restart_health_check)

2
roles/keycloak_quarkus/tasks/systemd.yml
View File

@@ -10,6 +10,7 @@
vars:
keycloak_sys_pkg_java_home: "{{ keycloak_quarkus_pkg_java_home }}"
notify:
- rebuild keycloak config
- restart keycloak
- name: "Configure systemd unit file for keycloak service"
@@ -22,4 +23,5 @@
become: true
register: systemdunit
notify:
- rebuild keycloak config
- restart keycloak

28
roles/keycloak_quarkus/templates/cache-ispn.xml.j2
View File

@@ -18,15 +18,17 @@
<infinispan
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:infinispan:config:14.0 http://www.infinispan.org/schemas/infinispan-config-14.0.xsd"
xmlns="urn:infinispan:config:14.0">
xsi:schemaLocation="urn:infinispan:config:15.0 http://www.infinispan.org/schemas/infinispan-config-15.0.xsd"
xmlns="urn:infinispan:config:15.0">
{% set stack_expression='' %}
{% if keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING' %}
{% if keycloak_quarkus_version is version_compare('26.2.0', '<') %}
{% if keycloak_quarkus_ha_enabled %}
{% if keycloak_quarkus_ha_discovery == 'TCPPING' %}
{% set stack_expression='stack="tcpping"' %}
<jgroups>
<stack name="tcpping" extends="tcp">
<!-- <TCP external_addr="${env.KC_EXTERNAL_ADDR}" bind_addr="{{ keycloak_quarkus_bind_address }}" bind_port="{{ keycloak_quarkus_jgroups_port }}" /> -->
<!-- <TCP external_addr="${env.KC_EXTERNAL_ADDR}" bind_addr="{{ keycloak_quarkus_http_host }}" bind_port="{{ keycloak_quarkus_jgroups_port }}" /> -->
<TCPPING
initial_hosts="{{ keycloak_quarkus_cluster_nodes | map(attribute='inventory_host') | join (',') }}"
port_range="0"
@@ -35,6 +37,10 @@
/>
</stack>
</jgroups>
{% elif keycloak_quarkus_ha_discovery == 'JDBCPING' %}
{% set stack_expression='stack="JDBC_PING2"' %}
{% endif %}
{% endif %}
{% endif %}
<cache-container name="keycloak">
@@ -55,18 +61,22 @@
</local-cache>
<distributed-cache name="sessions" owners="2">
<expiration lifespan="-1"/>
<memory max-count="10000"/>
</distributed-cache>
<distributed-cache name="authenticationSessions" owners="2">
<expiration lifespan="-1"/>
</distributed-cache>
<distributed-cache name="offlineSessions" owners="2">
<expiration lifespan="-1"/>
<memory max-count="10000"/>
</distributed-cache>
<distributed-cache name="clientSessions" owners="2">
<expiration lifespan="-1"/>
<memory max-count="10000"/>
</distributed-cache>
<distributed-cache name="offlineClientSessions" owners="2">
<expiration lifespan="-1"/>
<memory max-count="10000"/>
</distributed-cache>
<distributed-cache name="loginFailures" owners="2">
<expiration lifespan="-1"/>
@@ -89,6 +99,14 @@
<expiration max-idle="3600000"/>
<memory max-count="1000"/>
</local-cache>
<local-cache name="crl" simple-cache="true">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<expiration lifespan="-1"/>
<memory max-count="1000"/>
</local-cache>
<distributed-cache name="actionTokens" owners="2">
<encoding>
<key media-type="application/x-java-object"/>
@@ -98,4 +116,4 @@
<memory max-count="-1"/>
</distributed-cache>
</cache-container>
</infinispan>
</infinispan>

10
roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
View File

@@ -1,13 +1,13 @@
{{ ansible_managed | comment }}
{% if not ansible_local.keycloak.general.bootstrapped | default(false) | bool %}
KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }}
KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'
KC_BOOTSTRAP_ADMIN_USERNAME={{ keycloak_quarkus_bootstrap_admin_user }}
KC_BOOTSTRAP_ADMIN_PASSWORD='{{ keycloak_quarkus_bootstrap_admin_password }}'
{% else %}
{{ keycloak.bootstrap_mnemonic }}
{% endif %}
PATH={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
JAVA_HOME={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}
JAVA_OPTS={{ keycloak_quarkus_java_opts }}
PATH="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
JAVA_HOME="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}"
JAVA_OPTS="{{ keycloak_quarkus_java_opts }}"
# Custom ENV variables
{% for env in keycloak_quarkus_additional_env_vars %}

44
roles/keycloak_quarkus/templates/keycloak.conf.j2
View File

@@ -2,26 +2,18 @@
{% if keycloak_quarkus_db_enabled %}
# Database
db={{ keycloak_quarkus_jdbc_engine }}
db-url={{ keycloak_quarkus_jdbc_url }}
db={{ keycloak_quarkus_db_engine }}
db-url={{ keycloak_quarkus_db_url }}
db-username={{ keycloak_quarkus_db_user }}
{% if not keycloak.config_key_store_enabled %}
db-password={{ keycloak_quarkus_db_pass }}
{% endif %}
{% endif %}
{% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas true -%}
hostname-strict-https=true
{% endif -%}
{% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas false -%}
hostname-strict-https=false
{% endif -%}
{% if keycloak.config_key_store_enabled %}
# Config store
config-keystore={{ keycloak_quarkus_config_key_store_file }}
config-keystore-password={{ keycloak_quarkus_config_key_store_password }}
config-keystore-type=PKCS12
{% endif %}
# Observability
@@ -30,8 +22,17 @@ health-enabled={{ keycloak_quarkus_health_enabled | lower }}
# HTTP
http-enabled={{ keycloak_quarkus_http_enabled | lower }}
{% if keycloak_quarkus_http_enabled %}
http-port={{ keycloak_quarkus_http_port }}
{% endif %}
http-relative-path={{ keycloak_quarkus_http_relative_path }}
http-host={{ keycloak_quarkus_http_host }}
# Management
http-management-port={{ keycloak_quarkus_http_management_port }}
{% if keycloak_quarkus_http_management_relative_path is defined and keycloak_quarkus_http_management_relative_path | length > 0 %}
http-management-relative-path={{ keycloak_quarkus_http_management_relative_path }}
{% endif %}
# HTTPS
https-port={{ keycloak_quarkus_https_port }}
@@ -49,24 +50,25 @@ https-trust-store-password={{ keycloak_quarkus_https_trust_store_password }}
{% endif %}
# Client URL configuration
{% if keycloak_quarkus_frontend_url %}
hostname-url={{ keycloak_quarkus_frontend_url }}
{% else %}
hostname={{ keycloak_quarkus_host }}
hostname-port={{ keycloak_quarkus_port }}
hostname-path={{ keycloak_quarkus_path }}
{% endif %}
hostname-admin-url={{ keycloak_quarkus_admin_url }}
hostname={{ keycloak_quarkus_hostname }}
hostname-admin={{ keycloak_quarkus_hostname_admin }}
hostname-strict={{ keycloak_quarkus_hostname_strict | lower }}
hostname-strict-backchannel={{ keycloak_quarkus_hostname_strict_backchannel | lower }}
hostname-backchannel-dynamic={{ keycloak_quarkus_hostname_backchannel_dynamic | lower }}
# Cluster
{% if keycloak_quarkus_ha_enabled %}
cache=ispn
{% if keycloak_quarkus_cache_managed_infinispan_config %}
cache-config-file=cache-ispn.xml
{% if keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING' %}
# cache-stack=tcp # configured directly in `cache-ispn.xml`
{% endif %}
{% if keycloak_quarkus_cache_remote %}
cache-remote-username={{ keycloak_quarkus_cache_remote_username }}
cache-remote-password={{ keycloak_quarkus_cache_remote_password }}
cache-remote-host={{ keycloak_quarkus_cache_remote_host }}
cache-remote-port={{ keycloak_quarkus_cache_remote_port }}
cache-remote-tls-enabled={{ keycloak_quarkus_cache_remote_tls_enabled | lower }}
{% endif %}
{{ keycloak_quarkus_cache_embedded_properties }}
{% endif %}
{% if keycloak_quarkus_proxy_headers | length > 0 %}

20
roles/keycloak_quarkus/templates/quarkus.properties.j2
View File

@@ -1,22 +1,22 @@
{{ ansible_managed | comment }}
{% if keycloak_quarkus_ha_enabled %}
{% if keycloak_quarkus_version.split('.')[0] | int < 22 %}
quarkus.infinispan-client.server-list={{ keycloak_quarkus_ispn_hosts }}
quarkus.infinispan-client.auth-username={{ keycloak_quarkus_ispn_user }}
quarkus.infinispan-client.auth-password={{ keycloak_quarkus_ispn_pass }}
quarkus.infinispan-client.server-list={{ keycloak_quarkus_cache_remote_host }}:{{ keycloak_quarkus_cache_remote_port }}
quarkus.infinispan-client.auth-username={{ keycloak_quarkus_cache_remote_username }}
quarkus.infinispan-client.auth-password={{ keycloak_quarkus_cache_remote_password }}
{% else %}
quarkus.infinispan-client.hosts={{ keycloak_quarkus_ispn_hosts }}
quarkus.infinispan-client.username={{ keycloak_quarkus_ispn_user }}
quarkus.infinispan-client.password={{ keycloak_quarkus_ispn_pass }}
quarkus.infinispan-client.hosts={{ keycloak_quarkus_cache_remote_host }}:{{ keycloak_quarkus_cache_remote_port }}
quarkus.infinispan-client.username={{ keycloak_quarkus_cache_remote_username }}
quarkus.infinispan-client.password={{ keycloak_quarkus_cache_remote_password }}
{% endif %}
quarkus.infinispan-client.client-intelligence=HASH_DISTRIBUTION_AWARE
quarkus.infinispan-client.use-auth=true
quarkus.infinispan-client.auth-realm=default
quarkus.infinispan-client.auth-server-name=infinispan
quarkus.infinispan-client.sasl-mechanism={{ keycloak_quarkus_ispn_sasl_mechanism }}
{% if keycloak_quarkus_ispn_use_ssl %}
quarkus.infinispan-client.trust-store={{ keycloak_quarkus_ispn_trust_store_path }}
quarkus.infinispan-client.trust-store-password={{ keycloak_quarkus_ispn_trust_store_password }}
quarkus.infinispan-client.sasl-mechanism={{ keycloak_quarkus_cache_remote_sasl_mechanism }}
{% if keycloak_quarkus_cache_remote_tls_enabled %}
quarkus.infinispan-client.trust-store={{ keycloak_quarkus_https_trust_store_file }}
quarkus.infinispan-client.trust-store-password={{ keycloak_quarkus_https_trust_store_password }}
quarkus.infinispan-client.trust-store-type=jks
{% endif %}
#quarkus.infinispan-client.use-schema-registration=true

3
roles/keycloak_quarkus/vars/debian.yml
View File

@@ -1,7 +1,8 @@
---
keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('openjdk-17-jdk-headless') }}"
keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('openjdk-21-jdk-headless') }}"
keycloak_quarkus_prereq_package_list:
- "{{ keycloak_quarkus_varjvm_package }}"
- bash
- unzip
- procps
- apt

3
roles/keycloak_quarkus/vars/main.yml
View File

@@ -4,8 +4,7 @@ keycloak: # noqa var-naming this is an internal dict of interpolated values
config_dir: "{{ keycloak_quarkus_config_dir }}"
bundle: "{{ keycloak_quarkus_archive }}"
service_name: "keycloak"
health_url: "{{ 'https' if keycloak_quarkus_http_enabled == False else 'http' }}://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_https_port if keycloak_quarkus_http_enabled == False else keycloak_quarkus_http_port }}{{ keycloak_quarkus_http_relative_path }}{{ '/' \
if keycloak_quarkus_http_relative_path | length > 1 else '' }}{{ keycloak_quarkus_health_check_url_path | default('realms/master/.well-known/openid-configuration') }}"
health_url: "{{ keycloak_quarkus_health_check_url | default(keycloak_quarkus_hostname ~ '/' ~ (keycloak_quarkus_health_check_url_path | default('realms/master/.well-known/openid-configuration'))) }}"
cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh"
service_user: "{{ keycloak_quarkus_service_user }}"
service_group: "{{ keycloak_quarkus_service_group }}"

3
roles/keycloak_quarkus/vars/redhat.yml
View File

@@ -1,7 +1,8 @@
---
keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('java-17-openjdk-headless') }}"
keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('java-21-openjdk-headless') }}"
keycloak_quarkus_prereq_package_list:
- "{{ keycloak_quarkus_varjvm_package }}"
- bash
- unzip
- procps-ng
- initscripts

3
roles/keycloak_realm/README.md
View File

@@ -44,7 +44,7 @@ The following variables are available for creating clients:
|`keycloak_client_users` | List of user/role mappings for a client | `[]` |
The following variable are available for creating user federation:
The following variables are available for creating user federation:
| Variable | Description | Default |
|:---------|:------------|:---------|
@@ -74,6 +74,7 @@ Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/ge
- name: <name of the client>
id: <id of the client>
client_id: <id of the client>
secret: <secret of the client (Optional)>
roles: <keycloak_client_default_roles>
realm: <name of the realm that contains the client>
public_client: <true for public, false for confidential>

4
roles/keycloak_realm/defaults/main.yml
View File

@@ -54,3 +54,7 @@ keycloak_client_users: []
### List of Keycloak User Federation
keycloak_user_federation: []
# other settings
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + (keycloak_jboss_port_offset | default(0)) }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + (keycloak_jboss_port_offset | default(0)) }}"

2
roles/keycloak_realm/meta/main.yml
View File

@@ -8,7 +8,7 @@ galaxy_info:
license: Apache License 2.0
min_ansible_version: "2.15"
min_ansible_version: "2.16"
platforms:
- name: EL

7
roles/keycloak_realm/tasks/main.yml
View File

@@ -15,6 +15,7 @@
ansible.builtin.uri:
url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}"
method: GET
validate_certs: false
status_code:
- 200
- 404
@@ -45,7 +46,7 @@
name: "{{ item.name }}"
state: present
provider_id: "{{ item.provider_id }}"
provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}"
provider_type: "{{ item.provider_type | default('org.keycloak.storage.UserStorageProvider') }}"
config: "{{ item.config }}"
mappers: "{{ item.mappers | default(omit) }}"
no_log: "{{ keycloak_no_log | default('True') }}"
@@ -75,6 +76,7 @@
default_roles: "{{ item.roles | default(omit) }}"
client_id: "{{ item.client_id | default(omit) }}"
id: "{{ item.id | default(omit) }}"
secret: "{{ item.secret | default(omit) }}"
name: "{{ item.name | default(omit) }}"
description: "{{ item.description | default(omit) }}"
root_url: "{{ item.root_url | default('') }}"
@@ -110,3 +112,6 @@
loop_control:
loop_var: client
when: "'users' in client"
- name: Provide Access token lifespan
ansible.builtin.include_tasks: manage_token_lifespan.yml

14
roles/keycloak_realm/tasks/manage_token_lifespan.yml Normal file
View File

@@ -0,0 +1,14 @@
---
- name: "Update Access token lifespan"
ansible.builtin.uri:
url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}"
method: PUT
body:
accessTokenLifespan: 300
validate_certs: false
body_format: json
status_code:
- 200
- 204
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"

2
roles/keycloak_realm/tasks/manage_user_client_roles.yml
View File

@@ -3,6 +3,7 @@
ansible.builtin.uri:
url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | default(keycloak_realm) }}"
method: GET
validate_certs: false
status_code:
- 200
headers:
@@ -16,6 +17,7 @@
default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | \
selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
method: GET
validate_certs: false
status_code:
- 200
headers:

4
roles/keycloak_realm/vars/main.yml
View File

@@ -3,7 +3,3 @@
# name of the realm to create, this is a required variable
keycloak_realm:
# other settings
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + (keycloak_jboss_port_offset | default(0)) }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + (keycloak_jboss_port_offset | default(0)) }}"