


Ranabir Chakraborty
0a2084c28e Fixing downstream rhbk version 2026-06-03 20:46:30 +05:30
12 changed files with 181 additions and 16 deletions


@@ -1,6 +1,4 @@
# .ansible-lint # .ansible-lint
profile: production
exclude_paths: exclude_paths:
- .cache/ - .cache/
- .github/ - .github/
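Review bot: `profile: production` is the only single-sided line in this section and the hunk counts (6 old, 4 new) say it is removed, which drops ansible-lint back to its default profile and so silences the stricter rules the collection was previously checked against. If the goal is to quiet particular rules, `skip_list` or `warn_list` entries keep the profile in force; if the downgrade is intentional, the commit message should say why, since nothing on this page explains it.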


@@ -6,9 +6,6 @@ middleware\_automation.keycloak Release Notes
This changelog describes changes after version 0.2.6. This changelog describes changes after version 0.2.6.
v3.0.8
======
v3.0.7 v3.0.7
====== ======


@@ -49,9 +49,9 @@ A requirement file is provided to install:
<!--start roles_paths --> <!--start roles_paths -->
### Included roles ### Included roles
* [`keycloak_quarkus`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md): role for installing keycloak (>= 19.0.0, quarkus based). * `keycloak_quarkus`: role for installing keycloak (>= 19.0.0, quarkus based).
* [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service. * `keycloak_realm`: role for configuring a realm, user federation(s), clients and users, in an installed service.
* [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing legacy keycloak (<= 19.0, wildfly based). * `keycloak`: role for installing legacy keycloak (<= 19.0, wildfly based).
<!--end roles_paths --> <!--end roles_paths -->
@@ -220,5 +220,5 @@ For details on changes between versions, please see the [CHANGELOG](https://gith
Apache License v2.0 or later Apache License v2.0 or later
<!--start license --> <!--start license -->
See [LICENSE](https://github.com/ansible-middleware/keycloak/blob/main/LICENSE) to view the full text. See [LICENSE](LICENSE) to view the full text.
<!--end license --> <!--end license -->


@@ -825,5 +825,3 @@ releases:
- 341.yaml - 341.yaml
- 343.yaml - 343.yaml
release_date: '2026-06-01' release_date: '2026-06-01'
3.0.8:
release_date: '2026-06-09'


@@ -9,6 +9,6 @@
keycloak_quarkus_additional_env_vars: keycloak_quarkus_additional_env_vars:
- key: KC_FEATURES_DISABLED - key: KC_FEATURES_DISABLED
value: ciba,device-flow,impersonation,kerberos,docker value: ciba,device-flow,impersonation,kerberos,docker
keycloak_quarkus_version: 26.0.7 keycloak_quarkus_version: 26.6.2
roles: roles:
- role: keycloak_quarkus - role: keycloak_quarkus


@@ -6,7 +6,7 @@
- vars.yml - vars.yml
vars: vars:
sudo_pkg_name: sudo sudo_pkg_name: sudo
keycloak_quarkus_version: 26.0.4 keycloak_quarkus_version: 26.6.1
keycloak_quarkus_additional_env_vars: keycloak_quarkus_additional_env_vars:
- key: KC_FEATURES_DISABLED - key: KC_FEATURES_DISABLED
value: impersonation,kerberos value: impersonation,kerberos


@@ -154,6 +154,18 @@ URL_AUTHZ_CUSTOM_POLICY = "{url}/admin/realms/{realm}/clients/{client_id}/authz/
URL_AUTHZ_CUSTOM_POLICIES = "{url}/admin/realms/{realm}/clients/{client_id}/authz/resource-server/policy" URL_AUTHZ_CUSTOM_POLICIES = "{url}/admin/realms/{realm}/clients/{client_id}/authz/resource-server/policy"
def normalize_keycloak_url(url: str) -> str:
"""Normalize Keycloak base URL for Admin REST API access.
Keycloak 17+ (Quarkus) exposes the API at the server root without an /auth prefix.
WildFly-based Keycloak used /auth as the context path. Trailing slashes are removed.
"""
url = url.rstrip("/")
if url.endswith("/auth"):
return url[:-5]
return url
def keycloak_argument_spec() -> dict[str, t.Any]: def keycloak_argument_spec() -> dict[str, t.Any]:
""" """
Returns argument_spec of options common to keycloak_*-modules Returns argument_spec of options common to keycloak_*-modules
@@ -203,7 +215,7 @@ def _token_request(module_params: dict[str, t.Any], payload: dict[str, t.Any]) -
'refresh_token' for type 'refresh_token'. 'refresh_token' for type 'refresh_token'.
:return: access token :return: access token
""" """
base_url = module_params["auth_keycloak_url"] base_url = normalize_keycloak_url(module_params["auth_keycloak_url"])
if not base_url.lower().startswith(("http", "https")): if not base_url.lower().startswith(("http", "https")):
raise KeycloakError(f"auth_url '{base_url}' should either start with 'http' or 'https'.") raise KeycloakError(f"auth_url '{base_url}' should either start with 'http' or 'https'.")
auth_realm = module_params.get("auth_realm") auth_realm = module_params.get("auth_realm")
@@ -391,7 +403,7 @@ class KeycloakAPI:
def __init__(self, module: AnsibleModule, connection_header: dict[str, str]) -> None: def __init__(self, module: AnsibleModule, connection_header: dict[str, str]) -> None:
self.module = module self.module = module
self.baseurl = self.module.params.get("auth_keycloak_url") self.baseurl = normalize_keycloak_url(self.module.params.get("auth_keycloak_url"))
self.validate_certs = self.module.params.get("validate_certs") self.validate_certs = self.module.params.get("validate_certs")
self.connection_timeout = self.module.params.get("connection_timeout") self.connection_timeout = self.module.params.get("connection_timeout")
self.restheaders = connection_header self.restheaders = connection_header
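Review bot: `normalize_keycloak_url` unconditionally drops a trailing `/auth`, which is wrong wherever that path is genuine — a Quarkus server configured with `http-relative-path=/auth` (an option this same commit's keycloak.conf template renders) serves its API under that prefix, and the README on this page still lists the WildFly-based `keycloak` role whose API lives under `/auth` — so the token request in `_token_request` and every request built on `KeycloakAPI.baseurl` would go to the wrong path on such servers. It also mangles a host whose name ends in `auth`: `https://auth` satisfies `endswith("/auth")` and comes back as `https://`. Safer is to normalize only the trailing slash, `return url.rstrip("/")`, and leave the prefix as the user supplied it, or make the `/auth` strip opt-in through an explicit parameter. Separately, `self.module.params.get("auth_keycloak_url")` may be `None` when the option is absent, and the new call then raises `AttributeError` on `.rstrip` instead of storing `None` as before; if the argument spec marks the option required this is moot, but worth confirming. Both `_token_request` and `KeycloakAPI.__init__` continue outside their hunks.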


@@ -519,7 +519,7 @@ argument_specs:
downstream: downstream:
options: options:
rhbk_version: rhbk_version:
default: "26.4.7" default: "26.4.11"
description: "Red Hat Build of Keycloak version" description: "Red Hat Build of Keycloak version"
type: "str" type: "str"
rhbk_archive: rhbk_archive:


@@ -0,0 +1,15 @@
{{ ansible_managed | comment }}
{% if not ansible_local.keycloak.general.bootstrapped | default(false) | bool %}
KC_BOOTSTRAP_ADMIN_USERNAME={{ keycloak_quarkus_bootstrap_admin_user }}
KC_BOOTSTRAP_ADMIN_PASSWORD='{{ keycloak_quarkus_bootstrap_admin_password }}'
{% else %}
{{ keycloak.bootstrap_mnemonic }}
{% endif %}
PATH="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
JAVA_HOME="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}"
JAVA_OPTS="{{ keycloak_quarkus_java_opts }}"
# Custom ENV variables
{% for env in keycloak_quarkus_additional_env_vars %}
{{ env.key }}={{ env.value }}
{% endfor %}
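Review bot: `KC_BOOTSTRAP_ADMIN_PASSWORD='{{ keycloak_quarkus_bootstrap_admin_password }}'` places the bootstrap password inside single quotes without escaping, so a value containing `'` yields an entry systemd's EnvironmentFile parser will not read as intended, and `KC_BOOTSTRAP_ADMIN_USERNAME` on the line above is not quoted at all, so whitespace in the username splits the value. Either validate both values before rendering or escape the quote character, and state the constraint in a template comment such as `# password must not contain a single quote`. Because this file is loaded as a systemd `EnvironmentFile` and holds the admin password in clear text until the bootstrap flag flips, the task that renders it needs a restrictive mode and owner; that task is not on this page, so it cannot be confirmed here.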


@@ -0,0 +1,110 @@
{{ ansible_managed | comment }}
{% if keycloak_quarkus_db_enabled %}
# Database
db={{ keycloak_quarkus_db_engine }}
db-url={{ keycloak_quarkus_db_url }}
db-username={{ keycloak_quarkus_db_user }}
{% if not keycloak.config_key_store_enabled %}
db-password={{ keycloak_quarkus_db_pass }}
{% endif %}
{% endif %}
{% if keycloak.config_key_store_enabled %}
# Config store
config-keystore={{ keycloak_quarkus_config_key_store_file }}
config-keystore-password={{ keycloak_quarkus_config_key_store_password }}
{% endif %}
# Observability
metrics-enabled={{ keycloak_quarkus_metrics_enabled | lower }}
health-enabled={{ keycloak_quarkus_health_enabled | lower }}
# HTTP
http-enabled={{ keycloak_quarkus_http_enabled | lower }}
{% if keycloak_quarkus_http_enabled %}
http-port={{ keycloak_quarkus_http_port }}
{% endif %}
http-relative-path={{ keycloak_quarkus_http_relative_path }}
http-host={{ keycloak_quarkus_http_host }}
# Management
http-management-port={{ keycloak_quarkus_http_management_port }}
{% if keycloak_quarkus_http_management_relative_path is defined and keycloak_quarkus_http_management_relative_path | length > 0 %}
http-management-relative-path={{ keycloak_quarkus_http_management_relative_path }}
{% endif %}
# HTTPS
https-port={{ keycloak_quarkus_https_port }}
{% if keycloak_quarkus_https_key_file_enabled %}
https-certificate-file={{ keycloak_quarkus_cert_file}}
https-certificate-key-file={{ keycloak_quarkus_key_file }}
{% endif %}
{% if keycloak_quarkus_https_key_store_enabled %}
https-key-store-file={{ keycloak_quarkus_https_key_store_file }}
https-key-store-password={{ keycloak_quarkus_https_key_store_password }}
{% endif %}
{% if keycloak_quarkus_https_trust_store_enabled %}
https-trust-store-file={{ keycloak_quarkus_https_trust_store_file }}
https-trust-store-password={{ keycloak_quarkus_https_trust_store_password }}
{% endif %}
# Client URL configuration
hostname={{ keycloak_quarkus_hostname }}
hostname-admin={{ keycloak_quarkus_hostname_admin }}
hostname-strict={{ keycloak_quarkus_hostname_strict | lower }}
hostname-backchannel-dynamic={{ keycloak_quarkus_hostname_backchannel_dynamic | lower }}
# Cluster
{% if keycloak_quarkus_ha_enabled %}
cache=ispn
{% if keycloak_quarkus_cache_managed_infinispan_config %}
cache-config-file=cache-ispn.xml
{% endif %}
{% if keycloak_quarkus_cache_remote %}
cache-remote-username={{ keycloak_quarkus_cache_remote_username }}
cache-remote-password={{ keycloak_quarkus_cache_remote_password }}
cache-remote-host={{ keycloak_quarkus_cache_remote_host }}
cache-remote-port={{ keycloak_quarkus_cache_remote_port }}
cache-remote-tls-enabled={{ keycloak_quarkus_cache_remote_tls_enabled | lower }}
{% endif %}
{{ keycloak_quarkus_cache_embedded_properties }}
{% endif %}
{% if keycloak_quarkus_proxy_headers | length > 0 %}
proxy-headers={{ keycloak_quarkus_proxy_headers | lower }}
{% elif keycloak_quarkus_proxy_mode is defined and keycloak_quarkus_proxy_mode != "none" %}
# Deprecated Proxy configuration
proxy={{ keycloak_quarkus_proxy_mode }}
{% endif %}
spi-sticky-session-encoder-infinispan-should-attach-route={{ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route | d(true) | lower }}
# Transaction
transaction-xa-enabled={{ keycloak_quarkus_transaction_xa_enabled | lower }}
# Logging
#log-format=%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n
log={{ keycloak_quarkus_log }}
log-level={{ keycloak.log.level }}
log-file={{ keycloak.log.file }}
log-file-format={{ keycloak.log.format }}
# Vault
{% if keycloak_quarkus_ks_vault_enabled %}
vault=keystore
vault-file={{ keycloak_quarkus_ks_vault_file }}
vault-type={{ keycloak_quarkus_ks_vault_type }}
vault-pass={{ keycloak_quarkus_ks_vault_pass }}
{% endif %}
# Providers
{% for provider in keycloak_quarkus_providers %}
{% if provider.default is defined and provider.default %}
spi-{{ provider.spi }}-provider={{ provider.id }}
{% endif %}
{% if provider.properties is defined %}{% for property in provider.properties %}
spi-{{ provider.spi }}-{{ provider.id }}-{{ property.key }}={{ property.value }}
{% endfor %}{% endif %}
{% endfor %}
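Review bot: The `{% if not keycloak.config_key_store_enabled %}` guard shields only `db-password`, while `https-key-store-password`, `https-trust-store-password`, `cache-remote-password` and `vault-pass` are still written into keycloak.conf in clear text whenever their feature is enabled, so enabling the config keystore protects one of the five secrets in this file. Either gate those lines with the same condition (once the keystore is populated with the corresponding keys) or document in the role README that the keystore covers the database password only; as written, a reader of the variable name would assume more. Minor: `https-certificate-file={{ keycloak_quarkus_cert_file}}` lacks the space before `}}` used by every other expression, and the `spi-sticky-session-encoder...` line is the only one applying a `d(true)` default inline rather than relying on the role defaults.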


@@ -0,0 +1,2 @@
[general]
bootstrapped={{ bootstrapped | lower }}


@@ -0,0 +1,33 @@
{{ ansible_managed | comment }}
[Unit]
Description=Keycloak Server
After=network.target
[Service]
EnvironmentFile=-{{ keycloak_quarkus_sysconf_file }}
{% if keycloak_quarkus_start_dev %}
ExecStart={{ keycloak.home }}/bin/kc.sh start-dev
{% else %}
ExecStart={{ keycloak.home }}/bin/kc.sh start --optimized
{% endif %}
User={{ keycloak.service_user }}
Group={{ keycloak.service_group }}
SuccessExitStatus=0 143
{% if keycloak_quarkus_service_restart_always %}
Restart=always
{% elif keycloak_quarkus_service_restart_on_failure %}
Restart=on-failure
{% endif %}
RestartSec={{ keycloak_quarkus_service_restartsec }}
{% if keycloak_quarkus_http_port | int < 1024 or keycloak_quarkus_https_port | int < 1024 %}
AmbientCapabilities=CAP_NET_BIND_SERVICE
{% endif %}
{% if keycloak_quarkus_systemd_wait_for_port %}
ExecStartPost=/usr/bin/timeout {{ keycloak_quarkus_systemd_wait_for_timeout }} sh -c 'while ! ss -H -t -l -n sport = :{{ keycloak_quarkus_systemd_wait_for_port_number }} | grep -q "^LISTEN.*:{{ keycloak_quarkus_systemd_wait_for_port_number }}"; do sleep 1; done && /bin/sleep {{ keycloak_quarkus_systemd_wait_for_delay }}'
{% endif %}
{% if keycloak_quarkus_systemd_wait_for_log %}
ExecStartPost=/usr/bin/timeout {{ keycloak_quarkus_systemd_wait_for_timeout }} sh -c 'cat {{ keycloak.log.file }} | sed "/Profile.*activated/ q" && /bin/sleep {{ keycloak_quarkus_systemd_wait_for_delay }}'
{% endif %}
[Install]
WantedBy=multi-user.target
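Review bot: The log wait on the `keycloak_quarkus_systemd_wait_for_log` line reads the whole existing log (`cat {{ keycloak.log.file }} | sed "/Profile.*activated/ q"`), so if the log file persists across restarts a match left by an earlier start satisfies it immediately and the post-start delay is effectively skipped; following only new lines, `tail -n0 -F "{{ keycloak.log.file }}" | sed "/Profile.*activated/ q"`, ties the check to this start (with a small window if the line is written before ExecStartPost runs). Both `ExecStartPost` lines interpolate role variables (`keycloak.log.file`, the port number, timeout and delay) unquoted into a `sh -c` string; these come from the operator's inventory rather than untrusted input, but a path containing spaces or shell metacharacters breaks the command, so quoting them in the template is cheap. The unit sets no hardening directives such as `NoNewPrivileges=` or `ProtectSystem=`; that may be deliberate given provider jars and custom paths, but a comment saying so would help the next maintainer.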