Update changelog for release 3.0.3

Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>

CHANGELOG.rst

@@ -6,6 +6,28 @@ middleware\_automation.keycloak Release Notes
 
 This changelog describes changes after version 0.2.6.
 
+v3.0.3
+======
+
+Major Changes
+-------------
+
+- Update to keycloak 26.3.0 `#293 <https://github.com/ansible-middleware/keycloak/pull/293>`_
+- ansible-core 2.19 compatibility `#310 <https://github.com/ansible-middleware/keycloak/pull/310>`_
+
+Minor Changes
+-------------
+
+- Allow to install provider jars from remote paths `#303 <https://github.com/ansible-middleware/keycloak/pull/303>`_
+- Declared proxy_mode as deprecated, updated quarkus and realm readme `#306 <https://github.com/ansible-middleware/keycloak/pull/306>`_
+- Fix config_key_store_file description to match variable name `#308 <https://github.com/ansible-middleware/keycloak/pull/308>`_
+
+Bugfixes
+--------
+
+- keycloak collection CI label is showing no status `#312 <https://github.com/ansible-middleware/keycloak/pull/312>`_
+- keycloak_realm: allow secret in keycloak_clients `#304 <https://github.com/ansible-middleware/keycloak/pull/304>`_
+
 v3.0.2
 ======
 

README.md

@@ -1,7 +1,7 @@
 # Ansible Collection - middleware_automation.keycloak
 
 <!--start build_status -->
-[![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
+[![Build Status](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
 
 > **_NOTE:_ If you are Red Hat customer, install `redhat.rhbk` (for Red Hat Build of Keycloak) or `redhat.sso` (for Red Hat Single Sign-On) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.**
 

changelogs/changelog.yaml

@@ -719,3 +719,39 @@ releases:
     - 298.yaml
     - 302.yaml
     release_date: '2025-07-01'
+  3.0.3:
+    changes:
+      bugfixes:
+      - 'keycloak collection CI label is showing no status `#312 <https://github.com/ansible-middleware/keycloak/pull/312>`_
+
+        '
+      - 'keycloak_realm: allow secret in keycloak_clients `#304 <https://github.com/ansible-middleware/keycloak/pull/304>`_
+
+        '
+      major_changes:
+      - 'Update to keycloak 26.3.0 `#293 <https://github.com/ansible-middleware/keycloak/pull/293>`_
+
+        '
+      - 'ansible-core 2.19 compatibility `#310 <https://github.com/ansible-middleware/keycloak/pull/310>`_
+
+        '
+      minor_changes:
+      - 'Allow to install provider jars from remote paths `#303 <https://github.com/ansible-middleware/keycloak/pull/303>`_
+
+        '
+      - 'Declared proxy_mode as deprecated, updated quarkus and realm readme `#306
+        <https://github.com/ansible-middleware/keycloak/pull/306>`_
+
+        '
+      - 'Fix config_key_store_file description to match variable name `#308 <https://github.com/ansible-middleware/keycloak/pull/308>`_
+
+        '
+    fragments:
+    - 293.yaml
+    - 303.yaml
+    - 304.yaml
+    - 306.yaml
+    - 308.yaml
+    - 310.yaml
+    - 312.yaml
+    release_date: '2025-12-16'

galaxy.yml

@@ -1,7 +1,7 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "3.0.2"
+version: "3.0.3"
 readme: README.md
 authors:
   - Romain Pelisse <rpelisse@redhat.com>

molecule/default/prepare.yml

@@ -18,7 +18,7 @@
 
     - name: Download keycloak archive to controller directory
       ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
-        url: https://github.com/keycloak/keycloak/releases/download/26.2.4/keycloak-26.2.4.zip
+        url: https://github.com/keycloak/keycloak/releases/download/26.3.0/keycloak-26.3.0.zip
         dest: /tmp/keycloak
         mode: '0640'
       delegate_to: localhost

molecule/quarkus/converge.yml

@@ -23,7 +23,7 @@
     keycloak_quarkus_systemd_wait_for_delay: 2
     keycloak_quarkus_systemd_wait_for_log: true
     keycloak_quarkus_restart_health_check: false # would fail because of self-signed cert
-    keycloak_quarkus_version: 26.2.4
+    keycloak_quarkus_version: 26.3.0
     keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx1024m"
     keycloak_quarkus_additional_env_vars:
       - key: KC_FEATURES_DISABLED
@@ -46,7 +46,7 @@
           repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4
           group_id: org.keycloak
           artifact_id: keycloak-kerberos-federation
-          version: 26.2.4 # optional
+          version: 26.3.0 # optional
           # username: myUser # optional
           # password: myPAT # optional
       # - id: my-static-theme

roles/keycloak_quarkus/README.md

@@ -33,7 +33,7 @@ Role Defaults
 
 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_version`| keycloak.org package version | `26.2.4` |
+|`keycloak_quarkus_version`| keycloak.org package version | `26.3.0` |
 |`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
 |`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
@@ -60,13 +60,13 @@ Role Defaults
 |`keycloak_quarkus_java_heap_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` |
 |`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak |
 |`keycloak_quarkus_java_opts`| JVM arguments; if overridden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` |
-|`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file | `[]` |
+|`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file, see https://www.keycloak.org/server/all-config | `[]` |
 |`keycloak_quarkus_frontend_url`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
 |`keycloak_quarkus_admin_url`| Deprecated, use `keycloak_quarkus_hostname_admin` instead. | |
 |`keycloak_quarkus_health_check_url`| Full URL (including scheme, host, path, fragment etc.) used for health check endpoint; keycloak_quarkus_hostname will NOT be prepended; helpful when health checks should happen against http port, but keycloak_quarkus_hostname uses https scheme per default | `` |
 |`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; keycloak_quarkus_hostname will be prepended automatically; Note that keycloak_quarkus_health_check_url takes precedence over this property | `realms/master/.well-known/openid-configuration` |
 |`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwarded`) | `""` |
-|`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty  | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_keystore_password != ''`, else `''` |
+|`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_config_key_store_password` is not empty  | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_config_key_store_password != ''`, else `''` |
 |`keycloak_quarkus_config_key_store_password`| Password of the configuration keystore; if non-empty, `keycloak_quarkus_db_pass` will be saved to the keystore at `keycloak_quarkus_config_key_store_file` instead of being written to the configuration file in clear text | `""` |
 |`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
 |`keycloak_quarkus_configure_iptables` | Ensure iptables is configured for keycloak ports | `False` |
@@ -98,7 +98,7 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:--------|
 |`keycloak_quarkus_hostname`| Address at which is the server exposed. Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request. | |
-|`keycloak_quarkus_hostname_admin`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
+|`keycloak_quarkus_hostname_admin`| Set the base URL for accessing the administration console, including scheme, host, port and path | `` |
 |`keycloak_quarkus_hostname_strict`| Disables dynamically resolving the hostname from request headers | `true` |
 |`keycloak_quarkus_hostname_backchannel_dynamic`| Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL. | `false` |
 |`keycloak_quarkus_hostname_strict_backchannel`| Deprecated, use (the inverted!)`keycloak_quarkus_hostname_backchannel_dynamic` instead. |  |
@@ -166,7 +166,7 @@ Role Defaults
 |`keycloak_quarkus_log_format`| Set a format specific to file log entries | `%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n` |
 |`keycloak_quarkus_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` |
 |`keycloak_quarkus_log_max_file_size`| Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): `[0-9]+[KkMmGgTtPpEeZzYy]?`. If no suffix is given, assume bytes. | `10M` |
-|`keycloak_quarkus_log_max_backup_index`| Set the maximum number of archived log files to keep" | `10` |
+|`keycloak_quarkus_log_max_backup_index`| Set the maximum number of archived log files to keep | `10` |
 |`keycloak_quarkus_log_file_suffix`| Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with `.zip` or `.gz`, the rotation file will also be compressed. | `.yyyy-MM-dd.zip` |
 
 
@@ -183,7 +183,7 @@ Role Defaults
 |`keycloak_quarkus_master_realm` | Name for rest authentication realm | `master` |
 |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
 |`keycloak_quarkus_force_install` | Remove pre-existing versions of service | `False` |
-|`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` |
+|`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy (deprecated) | `none` |
 |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` |
 |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` |
 |`keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route`| If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy | `True` |
@@ -221,6 +221,7 @@ keycloak_quarkus_providers:
     restart: true                           # optional, whether to rebuild config and restart the service after deploying, default true
     url: https://.../.../custom_spi.jar     # optional, url for download via http
     local_path: my_theme_spi.jar            # optional, path on local controller for SPI to be uploaded
+    remote: true                            # optional, whether to copy from localhost or remotely, see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-remote_src, default false
     maven:                                  # optional, for download using maven
       repository_url: https://maven.pkg.github.com/OWNER/REPOSITORY # optional, maven repo url
       group_id:  my.group                   # optional, maven group id

roles/keycloak_quarkus/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 ### Configuration specific to keycloak
-keycloak_quarkus_version: 26.2.4
+keycloak_quarkus_version: 26.3.0
 keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
 keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
 keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
@@ -88,7 +88,7 @@ keycloak_quarkus_systemd_wait_for_delay: 10
 
 ### keycloak frontend url
 keycloak_quarkus_hostname:
-keycloak_quarkus_hostname_admin:
+keycloak_quarkus_hostname_admin: ""
 
 ### Set the path relative to / for serving resources. The path must start with a /
 ### (set to `/auth` for retrocompatibility with pre-quarkus releases)
@@ -105,7 +105,7 @@ keycloak_quarkus_hostname_backchannel_dynamic: false
 keycloak_quarkus_proxy_headers: ""
 
 # deprecated: proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
-keycloak_quarkus_proxy_mode: edge
+keycloak_quarkus_proxy_mode: none
 
 # disable xa transactions
 keycloak_quarkus_transaction_xa_enabled: true

roles/keycloak_quarkus/meta/argument_specs.yml

@@ -2,7 +2,7 @@ argument_specs:
     main:
         options:
             keycloak_quarkus_version:
-                default: "26.2.4"
+                default: "26.3.0"
                 description: "keycloak.org package version"
                 type: "str"
             keycloak_quarkus_archive:
@@ -183,7 +183,7 @@ argument_specs:
                 type: "str"
             keycloak_quarkus_config_key_store_file:
                 default: "{{ keycloak.home }}/conf/conf_store.p12"
-                description: "Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty"
+                description: "Path to the configuration key store; only used if `keycloak_quarkus_config_key_store_password` is not empty"
                 type: "str"
             keycloak_quarkus_config_key_store_password:
                 default: ""
@@ -344,9 +344,9 @@ argument_specs:
                   Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix. Note: If the suffix ends
                   with .zip or .gz, the rotation file will also be compressed.
             keycloak_quarkus_proxy_mode:
-                default: 'edge'
+                default: 'none'
                 type: "str"
-                description: "The proxy address forwarding mode if the server is behind a reverse proxy. Set to 'none' if not using a proxy"
+                description: "The proxy address forwarding mode if the server is behind a reverse proxy. Set to 'none' as it is deprecated according to Keycloak documentation"
             keycloak_quarkus_proxy_headers:
                 default: ""
                 type: "str"
@@ -540,7 +540,7 @@ argument_specs:
                 description: 'The password to access the Truststore.'
                 default: ''
                 type: "str"
-            keycloak_quarkus_jgroups_port: 
+            keycloak_quarkus_jgroups_port:
                 description: 'jgroups bind port'
                 default: 7800
                 type: "int"
@@ -552,7 +552,7 @@ argument_specs:
                 description: 'IP address that other instances in the Keycloak should use to contact this node'
                 default: "{{ keycloak_quarkus_jgroups_bind_address }}"
                 type: "str"
-            keycloak_quarkus_jgroups_external_port: 
+            keycloak_quarkus_jgroups_external_port:
                 description: 'Port that other instances in the Keycloak cluster should use to contact this node'
                 default: "{{ keycloak_quarkus_jgroups_port }}"
                 type: "int"
@@ -563,7 +563,7 @@ argument_specs:
     downstream:
         options:
             rhbk_version:
-                default: "26.2.4"
+                default: "26.2.5"
                 description: "Red Hat Build of Keycloak version"
                 type: "str"
             rhbk_archive:

roles/keycloak_quarkus/tasks/install.yml

@@ -280,6 +280,7 @@
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
     mode: '0640'
+    remote_src: "{{ item.remote | default(false) }}"
   become: true
   loop: "{{ keycloak_quarkus_providers }}"
   when: item.local_path is defined

roles/keycloak_quarkus/tasks/restart/serial.yml

@@ -2,7 +2,7 @@
 - name: "Restart services in serial, with optional healtch check (keycloak_quarkus_restart_health_check)"
   throttle: 1
   block:
-    - name: "Restart and enable {{ keycloak.service_name }} service on {{ item }}"
+    - name: "Restart and enable {{ keycloak.service_name }} service"
       ansible.builtin.include_tasks:
         file: restart.yml
         apply:

roles/keycloak_quarkus/templates/cache-ispn.xml.j2

@@ -22,6 +22,7 @@
         xmlns="urn:infinispan:config:15.0">
 
 {% set stack_expression='' %}
+{% if keycloak_quarkus_version is version_compare('26.2.0', '<') %}
 {% if keycloak_quarkus_ha_enabled %}
 {% if keycloak_quarkus_ha_discovery == 'TCPPING' %}
 {% set stack_expression='stack="tcpping"' %}
@@ -39,6 +40,7 @@
 {% elif keycloak_quarkus_ha_discovery == 'JDBCPING' %}
 {% set stack_expression='stack="JDBC_PING2"' %}
 {% endif %}
+{% endif %}
 {% endif %}
 
     <cache-container name="keycloak">

roles/keycloak_quarkus/templates/quarkus.properties.j2

@@ -1,11 +1,11 @@
 {{ ansible_managed | comment }}
 {% if keycloak_quarkus_ha_enabled %}
 {% if keycloak_quarkus_version.split('.')[0] | int < 22 %}
-quarkus.infinispan-client.server-list={{ keycloak_quarkus_cache_remote_host }}
+quarkus.infinispan-client.server-list={{ keycloak_quarkus_cache_remote_host }}:{{ keycloak_quarkus_cache_remote_port }}
 quarkus.infinispan-client.auth-username={{ keycloak_quarkus_cache_remote_username }}
 quarkus.infinispan-client.auth-password={{ keycloak_quarkus_cache_remote_password }}
 {% else %}
-quarkus.infinispan-client.hosts={{ keycloak_quarkus_cache_remote_host }}
+quarkus.infinispan-client.hosts={{ keycloak_quarkus_cache_remote_host }}:{{ keycloak_quarkus_cache_remote_port }}
 quarkus.infinispan-client.username={{ keycloak_quarkus_cache_remote_username }}
 quarkus.infinispan-client.password={{ keycloak_quarkus_cache_remote_password }}
 {% endif %}

roles/keycloak_realm/README.md

@@ -44,7 +44,7 @@ The following variables are available for creating clients:
 |`keycloak_client_users` | List of user/role mappings for a client | `[]` |
 
 
-The following variable are available for creating user federation:
+The following variables are available for creating user federation:
 
 | Variable | Description | Default |
 |:---------|:------------|:---------|
@@ -74,6 +74,7 @@ Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/ge
     - name: <name of the client>
       id: <id of the client>
       client_id: <id of the client>
+      secret: <secret of the client (Optional)>
       roles: <keycloak_client_default_roles>
       realm: <name of the realm that contains the client>
       public_client: <true for public, false for confidential>

roles/keycloak_realm/tasks/main.yml

@@ -76,6 +76,7 @@
     default_roles: "{{ item.roles | default(omit) }}"
     client_id: "{{ item.client_id | default(omit) }}"
     id: "{{ item.id | default(omit) }}"
+    secret: "{{ item.secret | default(omit) }}"
     name: "{{ item.name | default(omit) }}"
     description: "{{ item.description | default(omit) }}"
     root_url: "{{ item.root_url | default('') }}"