Update changelog for release 2.4.1

Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>

.github/workflows/ci.yml

@@ -5,6 +5,7 @@ on:
     branches:
       - main
   pull_request:
+  workflow_dispatch:
   schedule:
     - cron: '15 6 * * *'
 

.github/workflows/traffic.yml

@@ -0,0 +1,26 @@
+name: Collect traffic stats
+on:
+  schedule: 
+    - cron: "51 23 * * 0"
+  workflow_dispatch: 
+    
+jobs:
+  traffic:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          ref: "gh-pages"
+    
+      - name: GitHub traffic 
+        uses: sangonzal/repository-traffic-action@v.0.1.6
+        env:
+          TRAFFIC_ACTION_TOKEN: ${{ secrets.TRIGGERING_PAT }} 
+     
+      - name: Commit changes
+        uses: EndBug/add-and-commit@v4
+        with:
+          author_name: Ansible Middleware
+          message: "GitHub traffic"
+          add: "./traffic/*"
+          ref: "gh-pages"

.yamllint

@@ -15,7 +15,8 @@ rules:
   commas:
     max-spaces-after: -1
     level: error
-  comments: disable
+  comments:
+    min-spaces-from-content: 1
   comments-indentation: disable
   document-start: disable
   empty-lines:
@@ -30,4 +31,8 @@ rules:
   new-lines:
     type: unix
   trailing-spaces: disable
-  truthy: disable
+  truthy: disable
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
+

CHANGELOG.rst

@@ -6,6 +6,46 @@ middleware\_automation.keycloak Release Notes
 
 This changelog describes changes after version 0.2.6.
 
+v2.4.1
+======
+
+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
+v2.4.0
+======
+
+Major Changes
+-------------
+
+- Enable by default health check on restart `#234 <https://github.com/ansible-middleware/keycloak/pull/234>`_
+- Update minimum ansible-core version > 2.15 `#232 <https://github.com/ansible-middleware/keycloak/pull/232>`_
+
+v2.3.0
+======
+
+Major Changes
+-------------
+
+- Allow for custom providers hosted on maven repositories `#223 <https://github.com/ansible-middleware/keycloak/pull/223>`_
+- Restart handler strategy behaviour `#231 <https://github.com/ansible-middleware/keycloak/pull/231>`_
+
+Minor Changes
+-------------
+
+- Add support for policy files `#225 <https://github.com/ansible-middleware/keycloak/pull/225>`_
+- Allow to add extra custom env vars in sysconfig file `#229 <https://github.com/ansible-middleware/keycloak/pull/229>`_
+- Download from alternate URL with optional http authentication `#220 <https://github.com/ansible-middleware/keycloak/pull/220>`_
+- Update Keycloak to version 24.0.4 `#218 <https://github.com/ansible-middleware/keycloak/pull/218>`_
+- ``proxy-header`` enhancement `#227 <https://github.com/ansible-middleware/keycloak/pull/227>`_
+
+Bugfixes
+--------
+
+- ``kc.sh build`` uses configured jdk `#211 <https://github.com/ansible-middleware/keycloak/pull/211>`_
+
 v2.2.2
 ======
 

README.md

@@ -6,12 +6,13 @@
 > **_NOTE:_ If you are Red Hat customer, install `redhat.sso` (for Red Hat Single Sign-On) or `redhat.rhbk` (for Red Hat Build of Keycloak) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.**
 
 <!--end build_status -->
+<!--start description -->
 Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) / [Red Hat Build of Keycloak](https://access.redhat.com/products/red-hat-build-of-keycloak).
-
+<!--end description -->
 <!--start requires_ansible-->
 ## Ansible version compatibility
 
-This collection has been tested against following Ansible versions: **>=2.14.0**.
+This collection has been tested against following Ansible versions: **>=2.15.0**.
 
 Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
 <!--end requires_ansible-->
@@ -39,6 +40,7 @@ collections:
 The keycloak collection also depends on the following python packages to be present on the controller host:
 
 * netaddr
+* lxml
 
 A requirement file is provided to install:
 
@@ -100,7 +102,7 @@ ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e
   localhost ansible_connection=local
   ```
 
-Note: when deploying clustered configurations, all hosts belonging to the cluster must be present in ansible_play_batch; ie. they must be targeted by the same ansible-playbook execution.
+Note: when deploying clustered configurations, all hosts belonging to the cluster must be present in `ansible_play_batch`; ie. they must be targeted by the same ansible-playbook execution.
 
 
 ## Configuration

changelogs/changelog.yaml

@@ -532,3 +532,61 @@ releases:
     - 209.yaml
     - 210.yaml
     release_date: '2024-05-06'
+  2.3.0:
+    changes:
+      bugfixes:
+      - '``kc.sh build`` uses configured jdk `#211 <https://github.com/ansible-middleware/keycloak/pull/211>`_
+
+        '
+      major_changes:
+      - 'Allow for custom providers hosted on maven repositories `#223 <https://github.com/ansible-middleware/keycloak/pull/223>`_
+
+        '
+      - 'Restart handler strategy behaviour `#231 <https://github.com/ansible-middleware/keycloak/pull/231>`_
+
+        '
+      minor_changes:
+      - 'Add support for policy files `#225 <https://github.com/ansible-middleware/keycloak/pull/225>`_
+
+        '
+      - 'Allow to add extra custom env vars in sysconfig file `#229 <https://github.com/ansible-middleware/keycloak/pull/229>`_
+
+        '
+      - 'Download from alternate URL with optional http authentication `#220 <https://github.com/ansible-middleware/keycloak/pull/220>`_
+
+        '
+      - 'Update Keycloak to version 24.0.4 `#218 <https://github.com/ansible-middleware/keycloak/pull/218>`_
+
+        '
+      - '``proxy-header`` enhancement `#227 <https://github.com/ansible-middleware/keycloak/pull/227>`_
+
+        '
+    fragments:
+    - 211.yaml
+    - 218.yaml
+    - 220.yaml
+    - 223.yaml
+    - 225.yaml
+    - 227.yaml
+    - 229.yaml
+    - 231.yaml
+    release_date: '2024-05-20'
+  2.4.0:
+    changes:
+      major_changes:
+      - 'Enable by default health check on restart `#234 <https://github.com/ansible-middleware/keycloak/pull/234>`_
+
+        '
+      - 'Update minimum ansible-core version > 2.15 `#232 <https://github.com/ansible-middleware/keycloak/pull/232>`_
+
+        '
+    fragments:
+    - 232.yaml
+    - 234.yaml
+    release_date: '2024-06-04'
+  2.4.1:
+    changes:
+      release_summary: Internal release, documentation or test changes only.
+    fragments:
+    - v2.4.1-devel_summary.yaml
+    release_date: '2024-07-02'

galaxy.yml

@@ -1,7 +1,7 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "2.3.0"
+version: "2.4.1"
 readme: README.md
 authors:
   - Romain Pelisse <rpelisse@redhat.com>

meta/runtime.yml

@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.14.0"
+requires_ansible: ">=2.15.0"

molecule/debian/converge.yml

@@ -2,6 +2,7 @@
 - name: Converge
   hosts: all
   vars:
+    keycloak_quarkus_show_deprecation_warnings: false
     keycloak_quarkus_admin_pass: "remembertochangeme"
     keycloak_realm: TestRealm
     keycloak_quarkus_log: file

molecule/https_revproxy/converge.yml

@@ -1,7 +1,8 @@
 ---
 - name: Converge
   hosts: all
-  vars: 
+  vars:
+    keycloak_quarkus_show_deprecation_warnings: false
     keycloak_quarkus_admin_pass: "remembertochangeme"
     keycloak_admin_password: "remembertochangeme"
     keycloak_realm: TestRealm

molecule/quarkus-devmode/converge.yml

@@ -1,7 +1,8 @@
 ---
 - name: Converge
   hosts: all
-  vars: 
+  vars:
+    keycloak_quarkus_show_deprecation_warnings: false
     keycloak_quarkus_admin_pass: "remembertochangeme"
     keycloak_admin_password: "remembertochangeme"
     keycloak_realm: TestRealm

molecule/quarkus/converge.yml

@@ -2,6 +2,7 @@
 - name: Converge
   hosts: all
   vars:
+    keycloak_quarkus_show_deprecation_warnings: false
     keycloak_quarkus_admin_pass: "remembertochangeme"
     keycloak_admin_password: "remembertochangeme"
     keycloak_realm: TestRealm

molecule/quarkus_ha/converge.yml

@@ -2,6 +2,7 @@
 - name: Converge
   hosts: keycloak
   vars:
+    keycloak_quarkus_show_deprecation_warnings: false
     keycloak_quarkus_admin_pass: "remembertochangeme"
     keycloak_admin_password: "remembertochangeme"
     keycloak_realm: TestRealm

molecule/quarkus_upgrade/converge.yml

@@ -4,6 +4,7 @@
   vars_files:
     - vars.yml
   vars:
+    keycloak_quarkus_show_deprecation_warnings: false
     keycloak_quarkus_version: 24.0.3
   roles:
     - role: keycloak_quarkus

molecule/quarkus_upgrade/roles

@@ -0,0 +1 @@
+../../roles

roles/keycloak/meta/main.yml

@@ -12,7 +12,7 @@ galaxy_info:
 
   license: Apache License 2.0
 
-  min_ansible_version: "2.14"
+  min_ansible_version: "2.15"
 
   platforms:
     - name: EL

roles/keycloak/tasks/fastpackages.yml

@@ -14,7 +14,7 @@
 
 - name: "Install packages: {{ packages_to_install }}"
   become: true
-  ansible.builtin.yum:
+  ansible.builtin.dnf:
     name: "{{ packages_to_install }}"
     state: present
   when:

roles/keycloak_quarkus/README.md

@@ -1,8 +1,8 @@
 keycloak_quarkus
 ================
-
+<!--start description -->
 Install [keycloak](https://keycloak.org/) >= 20.0.0 (quarkus) server configurations.
-
+<!--end description -->
 
 Requirements
 ------------
@@ -102,7 +102,7 @@ Role Defaults
 |`keycloak_quarkus_systemd_wait_for_timeout`| How long to wait for service to be alive (seconds) | `60` |
 |`keycloak_quarkus_systemd_wait_for_delay`| Activation delay for service systemd unit (seconds) | `10` |
 |`keycloak_quarkus_restart_strategy`| Strategy task file for restarting in HA (one of provided restart/['serial.yml','none.yml','serial_then_parallel.yml']) or path to file when providing custom strategy | `restart/serial.yml` |
-|`keycloak_quarkus_restart_health_check`| Whether to wait for successful health check after restart | `{{ keycloak_quarkus_ha_enabled }}` |
+|`keycloak_quarkus_restart_health_check`| Whether to wait for successful health check after restart | `true` |
 |`keycloak_quarkus_restart_health_check_delay`| Seconds to let pass before starting healch checks | `10` |
 |`keycloak_quarkus_restart_health_check_reries`| Number of attempts for successful health check before failing | `25` |
 |`keycloak_quarkus_restart_pause`| Seconds to wait between restarts in HA strategy | `15` |
@@ -167,6 +167,7 @@ Role Defaults
 |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` |
 |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` |
 |`keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route`| If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy | `True` |
+|`keycloak_quarkus_show_deprecation_warnings`| Whether deprecation warnings should be shown | `True` |
 
 
 #### Vault SPI

roles/keycloak_quarkus/defaults/main.yml

@@ -8,6 +8,8 @@ keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_q
 # whether to install from local archive
 keycloak_quarkus_offline_install: false
 
+keycloak_quarkus_show_deprecation_warnings: true
+
 ### Install location and service settings
 keycloak_quarkus_java_home:
 keycloak_quarkus_dest: /opt/keycloak
@@ -91,7 +93,10 @@ keycloak_quarkus_hostname_strict: true
 # If all applications use the public URL this option should be enabled.
 keycloak_quarkus_hostname_strict_backchannel: false
 
-# proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
+# The proxy headers that should be accepted by the server. ['', 'forwarded', 'xforwarded']
+keycloak_quarkus_proxy_headers: ""
+
+# deprecated: proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
 keycloak_quarkus_proxy_mode: edge
 
 # disable xa transactions
@@ -156,7 +161,7 @@ keycloak_quarkus_supported_policy_types: ['password-blacklists']
 
 # files in restart directory (one of [ 'serial', 'none', 'serial_then_parallel' ]), or path to file when providing custom strategy
 keycloak_quarkus_restart_strategy: restart/serial.yml
-keycloak_quarkus_restart_health_check: "{{ keycloak_quarkus_ha_enabled }}"
+keycloak_quarkus_restart_health_check: true
 keycloak_quarkus_restart_health_check_delay: 10
 keycloak_quarkus_restart_health_check_reries: 25
 keycloak_quarkus_restart_pause: 15

roles/keycloak_quarkus/meta/argument_specs.yml

@@ -432,7 +432,7 @@ argument_specs:
                 description: "Allow the option to ignore invalid certificates when downloading JDBC drivers from a custom URL"
                 type: "bool"
             keycloak_quarkus_restart_health_check:
-                default: "{{ keycloak_quarkus_ha_enabled }}"
+                default: true
                 description: "Whether to wait for successful health check after restart"
                 type: "bool"
             keycloak_quarkus_restart_strategy:
@@ -456,7 +456,7 @@ argument_specs:
     downstream:
         options:
             rhbk_version:
-                default: "24.0.4"
+                default: "24.0.3"
                 description: "Red Hat Build of Keycloak version"
                 type: "str"
             rhbk_archive:
@@ -483,6 +483,10 @@ argument_specs:
                 default: false
                 description: "Perform an offline install"
                 type: "bool"
+            keycloak_quarkus_show_deprecation_warnings:
+                default: true
+                description: "Whether deprecation warnings should be shown"
+                type: "bool"
             rhbk_service_name:
                 default: "rhbk"
                 description: "systemd service name for Red Hat Build of Keycloak"

roles/keycloak_quarkus/meta/main.yml

@@ -8,7 +8,7 @@ galaxy_info:
 
   license: Apache License 2.0
 
-  min_ansible_version: "2.14"
+  min_ansible_version: "2.15"
 
   platforms:
     - name: EL

roles/keycloak_quarkus/tasks/deprecations.yml

@@ -10,7 +10,7 @@
         - keycloak_quarkus_key_store_file is defined
         - keycloak_quarkus_key_store_file != ''
         - keycloak_quarkus_https_key_store_file == keycloak.home + "/conf/key_store.p12" # default value
-      changed_when: true
+      changed_when: keycloak_quarkus_show_deprecation_warnings
       ansible.builtin.set_fact:
         keycloak_quarkus_https_key_store_file: "{{ keycloak_quarkus_key_store_file }}"
         deprecated_variable: "keycloak_quarkus_key_store_file" # read in deprecation handler
@@ -25,7 +25,7 @@
         - keycloak_quarkus_key_store_password is defined
         - keycloak_quarkus_key_store_password != ''
         - keycloak_quarkus_https_key_store_password == "" # default value
-      changed_when: true
+      changed_when: keycloak_quarkus_show_deprecation_warnings
       ansible.builtin.set_fact:
         keycloak_quarkus_https_key_store_password: "{{ keycloak_quarkus_key_store_password }}"
         deprecated_variable: "keycloak_quarkus_key_store_password" # read in deprecation handler
@@ -34,3 +34,20 @@
 
     - name: Flush handlers
       ansible.builtin.meta: flush_handlers
+
+# https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/24.0/html-single/upgrading_guide/index#deprecated_literal_proxy_literal_option
+- name: Check deprecation of keycloak_quarkus_proxy_mode
+  when:
+    - keycloak_quarkus_proxy_mode is defined
+    - keycloak_quarkus_proxy_headers is defined and keycloak_quarkus_proxy_headers | length == 0
+    - keycloak_quarkus_version.split('.') | first | int >= 24
+  delegate_to: localhost
+  run_once: true
+  changed_when: keycloak_quarkus_show_deprecation_warnings
+  ansible.builtin.set_fact:
+    deprecated_variable: "keycloak_quarkus_proxy_mode" # read in deprecation handler
+  notify:
+    - print deprecation warning
+
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers

roles/keycloak_quarkus/tasks/prereqs.yml

@@ -93,3 +93,10 @@
     fail_msg: "Additional env variable definition is incorrect: `key` and `value` are mandatory."
   no_log: true
   loop: "{{ keycloak_quarkus_additional_env_vars }}"
+
+- name: "Validate proxy-headers"
+  ansible.builtin.assert:
+    that:
+      - keycloak_quarkus_proxy_headers | lower in ['', 'forwarded', 'xforwarded']
+    quiet: true
+    fail_msg: "keycloak_quarkus_proxy_headers must be either '', 'forwarded' or 'xforwarded'"

roles/keycloak_quarkus/templates/keycloak.conf.j2

@@ -69,14 +69,12 @@ cache-config-file=cache-ispn.xml
 {% endif %}
 {% endif %}
 
-{% if keycloak_quarkus_proxy_mode is defined and keycloak_quarkus_proxy_mode != "none" %}
+{% if keycloak_quarkus_proxy_headers | length > 0 %}
+proxy-headers={{ keycloak_quarkus_proxy_headers | lower }}
+{% elif keycloak_quarkus_proxy_mode is defined and keycloak_quarkus_proxy_mode != "none" %}
 # Deprecated Proxy configuration
 proxy={{ keycloak_quarkus_proxy_mode }}
 {% endif %}
-{% if keycloak_quarkus_proxy_headers is defined and keycloak_quarkus_proxy_headers != "none" %}
-# Proxy
-proxy-headers={{ keycloak_quarkus_proxy_headers }}
-{% endif %}
 
 spi-sticky-session-encoder-infinispan-should-attach-route={{ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route | d(true) | lower }}
 

roles/keycloak_realm/README.md

@@ -1,8 +1,9 @@
 keycloak_realm
 ==============
+<!--start description_realm -->
 
 Create realms and clients in [keycloak](https://keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) services.
-
+<!--end description_realm -->
 
 Role Defaults
 -------------
@@ -136,4 +137,4 @@ Author Information
 ------------------
 
 * [Guido Grazioli](https://github.com/guidograzioli)
-* [Romain Pelisse](https://github.com/rpelisse)
+* [Romain Pelisse](https://github.com/rpelisse)

roles/keycloak_realm/meta/main.yml

@@ -8,7 +8,7 @@ galaxy_info:
 
   license: Apache License 2.0
 
-  min_ansible_version: "2.14"
+  min_ansible_version: "2.15"
 
   platforms:
     - name: EL