internet/ansible-middleware.keycloak
3
0
Fork 0
mirror of https://github.com/ansible-middleware/keycloak.git synced 2026-03-27 13:53:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: internet:rhbk_mol_sudo
Branches Tags
internet:main internet:gh-pages internet:feature/182_restart_handler internet:rhbk_mol_sudo
internet:3.0.3 internet:3.0.2 internet:3.0.1 internet:3.0.0 internet:2.4.3 internet:2.4.2 internet:2.4.1 internet:2.4.0 internet:2.3.0 internet:2.2.2 internet:2.2.1 internet:2.2.0 internet:2.1.2 internet:2.1.1 internet:2.1.0 internet:2.0.2 internet:2.0.1 internet:2.0.0 internet:1.3.0 internet:1.2.8 internet:1.2.7 internet:1.2.6 internet:1.2.5 internet:1.2.4 internet:1.2.1 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.7 internet:1.0.6 internet:1.0.5 internet:1.0.4 internet:1.0.3 internet:1.0.2 internet:1.0.1 internet:1.0.0 internet:v0.2.5 internet:v0.2.4 internet:v0.2.3 internet:0.2.2 internet:v0.2.1 internet:v0.2.0 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0 internet:v0.0.4 internet:v0.0.3 internet:v0.0.2 internet:v0.0.1
..
compare: internet:2.4.1
Branches Tags
internet:main internet:gh-pages internet:feature/182_restart_handler internet:rhbk_mol_sudo
internet:3.0.3 internet:3.0.2 internet:3.0.1 internet:3.0.0 internet:2.4.3 internet:2.4.2 internet:2.4.1 internet:2.4.0 internet:2.3.0 internet:2.2.2 internet:2.2.1 internet:2.2.0 internet:2.1.2 internet:2.1.1 internet:2.1.0 internet:2.0.2 internet:2.0.1 internet:2.0.0 internet:1.3.0 internet:1.2.8 internet:1.2.7 internet:1.2.6 internet:1.2.5 internet:1.2.4 internet:1.2.1 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.7 internet:1.0.6 internet:1.0.5 internet:1.0.4 internet:1.0.3 internet:1.0.2 internet:1.0.1 internet:1.0.0 internet:v0.2.5 internet:v0.2.4 internet:v0.2.3 internet:0.2.2 internet:v0.2.1 internet:v0.2.0 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0 internet:v0.0.4 internet:v0.0.3 internet:v0.0.2 internet:v0.0.1

168 Commits
rhbk_mol_s ... 2.4.1

Author SHA1 Message Date
ansible-middleware-core
7c520dcdd2 Update changelog for release 2.4.1 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2024-07-02 14:23:37 +00:00
Guido Grazioli
35b3b090f6 ci: update READMEs 2024-07-02 15:59:16 +02:00
Guido Grazioli
94f1b8b355 ci: update README 2024-07-02 15:46:05 +02:00
Guido Grazioli
e40f554936 ci: add traffic wf 2024-06-27 11:02:32 +02:00
Guido Grazioli
64e2a95685 ci: add traffic wf 2024-06-27 11:01:38 +02:00
Guido Grazioli
c6fac7bb70 ci: add traffic wf 2024-06-27 11:00:29 +02:00
ansible-middleware-core
5f059e8d63 Bump version to 2.4.1 2024-06-04 15:44:35 +00:00
ansible-middleware-core
e927ddbb6c Update changelog for release 2.4.0 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2024-06-04 15:44:20 +00:00
Guido Grazioli
a82bdfbbb6 Bump to 2.4.0 2024-06-04 17:36:20 +02:00
Guido Grazioli
c850484e67 Merge pull request #234 from gionn/fix-restart-health-check-default 
Enable by default health check on restart
 2024-06-04 17:25:52 +02:00
Giovanni Toraldo
a4deaa005a Enable by default health check on restart 2024-06-04 17:00:11 +02:00
Guido Grazioli
4fb44091d6 ci: fix missing symlink 2024-05-30 08:44:04 +02:00
Guido Grazioli
883127d280 Merge pull request #232 from guidograzioli/linter_ansible_215 
Update minimum ansible-core version > 2.15
 2024-05-22 10:04:41 +02:00
Guido Grazioli
e69e5b7ba4 readme 2024-05-21 12:41:31 +02:00
Guido Grazioli
bf1871182b linter 2024-05-21 12:35:33 +02:00
Guido Grazioli
adfee5f6e1 ci 2024-05-21 12:34:11 +02:00
Guido Grazioli
ef53ca545a update yamllint 2024-05-21 12:31:40 +02:00
Guido Grazioli
2092c2d23a Update minimum ansible-core version > 2.15 2024-05-21 12:27:45 +02:00
ansible-middleware-core
8ca73364e9 Bump version to 2.3.1 2024-05-20 10:22:09 +00:00
ansible-middleware-core
df1939e387 Update changelog for release 2.3.0 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2024-05-20 10:21:55 +00:00
Guido Grazioli
0de0b654ee Merge pull request #227 from world-direct/feature/226 
`proxy-header` enhancement
 2024-05-16 16:49:06 +02:00
Helmut Wolf
62cbaa3596 Introduce keycloak_quarkus_show_deprecation_warnings, disabled in molecule tests 2024-05-16 16:30:57 +02:00
Helmut Wolf
92c24e49e7 #226: add proper default value for proxy-headers 2024-05-16 12:45:24 +02:00
Helmut Wolf
cc012767a4 #226 - add deprecation warning 2024-05-16 12:45:24 +02:00
Helmut Wolf
4d31117c16 Fix RHBK version 2024-05-16 12:45:24 +02:00
Helmut Wolf
0fd8eb52d2 #226: CR changes 2024-05-16 12:45:24 +02:00
Helmut Wolf
6f2ed4d53b Fix #226 - minor proxy-header enhancement 2024-05-16 12:45:24 +02:00
Guido Grazioli
1519d46f0e Merge pull request #231 from ansible-middleware/feature/182_restart_handler 
Restart handler strategy behaviour
 2024-05-16 11:25:02 +02:00
Guido Grazioli
4b21569f36 parameterize health check; refactor serial_then_parallel 2024-05-16 11:16:20 +02:00
Guido Grazioli
f63b20b9d4 Update verify steps 2024-05-15 20:01:58 +02:00
Guido Grazioli
fdcf1b2ed2 Add molecule scenario for HA restart 2024-05-15 19:53:33 +02:00
Guido Grazioli
c22389c86f address review reqs 2024-05-15 15:58:21 +02:00
Guido Grazioli
2d573c2b62 Add restart strategies, and allow custom task include 
Co-authored-by: Helmut Wolf <hwo@world-direct.at>
Co-authored-by: Guido Grazioli <ggraziol@redhat.com>
 2024-05-15 13:48:00 +02:00
Helmut Wolf
1e9a669dea #221 - add keycloak_quarkus_health_check_url_path config option 2024-05-15 10:28:46 +02:00
Helmut Wolf
db831fa339 #182 - CR changes 2024-05-15 10:17:32 +02:00
Helmut Wolf
d57be1f188 Close #182, #221: improve restart handler logic 2024-05-15 09:47:03 +02:00
Guido Grazioli
5adb28dcd8 Bump to 2.3.0 2024-05-15 09:22:45 +02:00
Guido Grazioli
477ce5eaa3 Merge pull request #223 from world-direct/feature/222_mvn_providers 
Feature/222  keycloak_quarkus: Add support for custom providers hosted on MVN
 2024-05-15 09:17:23 +02:00
Helmut Wolf
d2ece93c12 #222 Migrate to middleware_automation.common.maven_artifact 2024-05-14 20:33:29 +02:00
Guido Grazioli
1a23350a8f Merge pull request #229 from world-direct/feature/228_sysconfig_custom_env_variables 
Allow to add extra custom env vars in sysconfig file
 2024-05-14 17:06:49 +02:00
Helmut Wolf
26316ddc50 #222: add support for local providers to be uploaded 2024-05-14 11:59:16 +02:00
Helmut Wolf
6d01ffbb77 Close #228: add support for custom env vars in sysconfig file 2024-05-14 11:10:38 +02:00
Helmut Wolf
d87c8ca8ac wip 2024-05-14 10:14:43 +02:00
Helmut Wolf
d8e9620a8a #222: Molecule tests 2024-05-14 10:14:43 +02:00
Helmut Wolf
4b902adc8d #222: Add support for maven providers 2024-05-14 10:14:15 +02:00
Guido Grazioli
1b69191a6e Merge pull request #225 from world-direct/feature/224_policy_files 
#224:  keycloak_quarkus: Add support for policy files
 2024-05-14 09:11:51 +02:00
Helmut Wolf
6682853a2d #224: Add missing argument specs 2024-05-14 08:58:57 +02:00
Helmut Wolf
9f4623b05a #224: keycloak_quarkus: Add support for policy files 2024-05-14 08:36:55 +02:00
Guido Grazioli
599ce0179c Merge pull request #220 from guidograzioli/rhbk_alternate_download_location 
Download from alternate URL with optional http authentication
 2024-05-10 15:33:51 +02:00
Guido Grazioli
8f14be37d7 add functionality 2024-05-10 10:17:37 +02:00
Guido Grazioli
3076c3d5ce Merge pull request #218 from Footur/update-keycloak-v24.0.4 
Update Keycloak to version 24.0.4
 2024-05-09 11:08:47 +02:00
Guido Grazioli
6610a310ff Merge pull request #217 from guidograzioli/major_upgrade_test 
Port downstream upgrade
 2024-05-09 11:08:23 +02:00
Footur
fcf629d05e Update Keycloak to version 24.0.4 2024-05-09 09:24:47 +02:00
Guido Grazioli
4bbc8e0256 update systemd service name in verify 2024-05-08 19:14:04 +02:00
Guido Grazioli
4c96cbe7f6 use sane version to be upgraded 2024-05-08 19:09:59 +02:00
Guido Grazioli
22f5ad902f add test to github actions 2024-05-08 19:05:24 +02:00
Guido Grazioli
3c22417674 Port downstream upgrade 2024-05-08 19:03:30 +02:00
Guido Grazioli
cd36eacb07 Merge pull request #215 from world-direct/feature/214_sqlserver_jdbc_version 
Close #214: RHBK 24.*: Update sqlserver JDBC version
 2024-05-08 18:45:03 +02:00
Helmut Wolf
a019823871 Close #214: RHBK 24.*: Update sqlserver JDBC version 2024-05-08 17:15:50 +02:00
Guido Grazioli
3863508df5 Merge pull request #213 from guidograzioli/2_2_3_linter 
Linter warnings fix pass
 2024-05-07 10:30:16 +02:00
Guido Grazioli
1115ee409a Linter warnings fix pass 2024-05-07 10:18:43 +02:00
Guido Grazioli
b497e946cc Bump tp 2.2.3 2024-05-07 09:47:12 +02:00
Guido Grazioli
5067c03201 Merge pull request #211 from guidograzioli/keycloak_rebuild_java_home 
`kc.sh build` uses configured jdk
 2024-05-06 13:13:20 +02:00
Guido Grazioli
a45b18dc85 kc.sh build uses configured jdk 2024-05-06 13:08:41 +02:00
Guido Grazioli
70834ccf13 downstream: remove problematic owner of downloaded zipfile 2024-05-06 12:03:44 +02:00
Guido Grazioli
2a7395c444 downstream: update default to rhbk 24.0.3 2024-05-06 11:20:00 +02:00
ansible-middleware-core
4da0e83ae9 Bump version to 2.2.3 2024-05-06 08:11:28 +00:00
ansible-middleware-core
b427cb8a24 Update changelog for release 2.2.2 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2024-05-06 08:11:11 +00:00
Guido Grazioli
fa39e9b824 Merge pull request #210 from Footur/copy-key-material 
Enable copying of key material
 2024-05-06 08:28:09 +02:00
Footur
320a5f0d9a Copy the TLS private key from memory 
This change should avoid storing plain private keys on disk due to
security risks. It also makes it easier to encrypt the data with SOPS.
 2024-05-05 13:58:19 +02:00
Footur
7141e1c9b2 Test: Installation of key material via Ansible role 2024-05-05 12:11:51 +02:00
Footur
9bc1ae69e9 Enable copying of key material 
This commit updates the configuration to use the standard Red Hat
Enterprise Linux (RHEL) default path for TLS certificates, which is
/etc/pki/tls.

Also, it copies the private key and certificate to the target host.
 2024-05-03 16:34:57 +02:00
Guido Grazioli
bfbbacc72b Merge pull request #209 from guidograzioli/205_controller_become 
controller priv escalation
 2024-05-03 14:45:55 +02:00
Guido Grazioli
feec4d9f8b controller priv escalation 2024-05-03 13:03:18 +02:00
Guido Grazioli
ba127153ff Merge pull request #207 from InfoSec812/Issue_206-_-fix-misnamed-params-and-allow-invalid-certs 
jdbc_download and validate_certs params update
 2024-05-03 08:47:38 +02:00
Deven Phillips
b14d75dfab jdbc_download and validate_certs params update 
- Added jdbc_download customization to both keycloak releases
- Added option to allow invalid certificates to download JDBC drivers
 2024-05-02 14:33:36 -04:00
ansible-middleware-core
1d6a6eb7ee Bump version to 2.2.2 2024-05-02 17:00:01 +00:00
ansible-middleware-core
1ab3ebc2a4 Update changelog for release 2.2.1 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2024-05-02 16:59:47 +00:00
Guido Grazioli
d16c23faf9 Merge pull request #204 from InfoSec812/Issue_203-_-fix-input-validation-when-clause 
Fix logic in when clause
 2024-05-02 18:46:05 +02:00
Deven Phillips
978494524f Fix errors introduced 2024-05-02 12:31:16 -04:00
Deven Phillips
1a73c39a91 Fix logic in when clause 2024-05-02 12:09:36 -04:00
ansible-middleware-core
9e6a6f6076 Bump version to 2.2.1 2024-05-01 14:44:15 +00:00
ansible-middleware-core
55f6881b2f Update changelog for release 2.2.0 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2024-05-01 14:44:01 +00:00
Guido Grazioli
41cbcc41e8 Merge pull request #202 from InfoSec812/Issue_200-_-customize-jdbc-driver-downloads 
Customize jdbc driver downloads, optional authentication
 2024-05-01 10:01:32 +02:00
Deven Phillips
c2904bf20d Use FQCN for fail module 2024-04-30 14:48:10 -04:00
Deven Phillips
e76b33e1db Merge remote-tracking branch 'upstream/main' into Issue_200-_-customize-jdbc-driver-downloads 2024-04-30 14:29:26 -04:00
Deven Phillips
a7b9f0ef97 Add option to override JDBC download parameters 2024-04-30 14:27:42 -04:00
Guido Grazioli
eafc4586d6 ci: turn historicized docs off 2024-04-30 13:09:27 +02:00
Guido Grazioli
8493adc5c8 Merge pull request #201 from guidograzioli/custom_providers 
Providers config and custom providers
 2024-04-30 12:47:53 +02:00
Guido Grazioli
43b9ffcb64 Providers config and custom providers 2024-04-30 10:45:20 +02:00
Guido Grazioli
a33393a477 ci: downstream molecule fixes 2024-04-25 14:11:05 +02:00
Guido Grazioli
278a70d627 ci: downstream molecule fixes 2024-04-25 13:57:31 +02:00
Guido Grazioli
6967385c7f ci: downstream molecule fixes 2024-04-25 13:03:03 +02:00
Guido Grazioli
ac23e04d6a ci: downstream molecule fixes 2024-04-25 08:16:56 +02:00
Guido Grazioli
4c056d886e ci: downstream molecule fixes 2024-04-24 21:20:16 +02:00
Guido Grazioli
213a9a0766 ci: downstream molecule fixes 2024-04-24 17:56:15 +02:00
Guido Grazioli
2925ea8cf1 Add wait_for systemd logic 2024-04-24 16:17:05 +02:00
Guido Grazioli
82498ab3f5 Merge pull request #195 from InfoSec812/Issue-193_-_add-option-for-hostname-strict-https 
Added hostname-strict-https option
 2024-04-19 16:05:46 +02:00
Guido Grazioli
16accd5e30 Merge branch 'main' into Issue-193_-_add-option-for-hostname-strict-https 2024-04-19 16:00:09 +02:00
Deven Phillips
04bb465992 Added argument specs 2024-04-19 09:55:08 -04:00
Guido Grazioli
b978e8bb88 Merge pull request #197 from world-direct/feature/190_remove_KEYCLOAK_ADMIN_envs 
#190: remove `keycloak_quarkus_admin_user[_pass]` once keycloak is bootstrapped
 2024-04-19 14:44:05 +02:00
Helmut Wolf
289b4767e0 #190: remove keycloak_quarkus_admin_user[_pass] once keycloak is bootstrapped 2024-04-19 13:42:28 +02:00
Guido Grazioli
9a961f743b Merge pull request #196 from guidograzioli/172_vaults 
Keystore based vault SPI
 2024-04-19 09:06:38 +02:00
Deven Phillips
b8cba487ac Add better error trapping for booleans 2024-04-18 13:15:46 -04:00
Guido Grazioli
ff198bcd3e workaround debug logfile too long for slurp 2024-04-18 11:06:14 +02:00
Guido Grazioli
d06dcea998 Add argument specs, update README 2024-04-18 10:49:38 +02:00
Guido Grazioli
89db3fa36f Implement vault config 2024-04-18 10:44:17 +02:00
Guido Grazioli
cd8d61afc3 Update molecule test for keystore vault 2024-04-18 10:43:48 +02:00
Deven Phillips
47e6644fdd Ensure that value for keycloak_quarkus_hostname_strict_https is boolean, otherwise ignore it 2024-04-17 16:57:52 -04:00
Deven Phillips
3e28b3f4f7 Added hostname-strict-https option 2024-04-17 16:52:18 -04:00
Guido Grazioli
f7bcac79d0 Merge pull request #194 from guidograzioli/keycloak_24_update 
Update keycloak to 24.0
 2024-04-17 18:16:34 +02:00
Guido Grazioli
10057262bc 'fix' changelog 2024-04-17 18:07:42 +02:00
Guido Grazioli
5808d055ae Update keycloak to 24.0 2024-04-17 17:53:13 +02:00
Guido Grazioli
8060dd7fb8 Bump minor and start 2.2 2024-04-17 17:51:33 +02:00
Guido Grazioli
4f8ed5194c Merge pull request #189 from world-direct/feature/188_config_keystore 
#188: add support for configuration key store
 2024-04-17 17:50:30 +02:00
ansible-middleware-core
462389cf0f Bump version to 2.1.3 2024-04-17 15:49:15 +00:00
ansible-middleware-core
903938ca16 Update changelog for release 2.1.2 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2024-04-17 15:49:00 +00:00
Guido Grazioli
74636e8629 ci: final round of linting 2024-04-17 17:29:38 +02:00
Guido Grazioli
6706fd9bf5 ci: bump and fix final linter warnings 2024-04-17 17:24:57 +02:00
Helmut Wolf
e991bd32c8 Fix typos 2024-04-17 17:09:44 +02:00
Helmut Wolf
d469d389f3 Fix linter issues 2024-04-17 17:09:44 +02:00
Helmut Wolf
c38642e0cd #188: fail early when no keytool installed 2024-04-17 17:09:44 +02:00
Helmut Wolf
0ee29eb483 #188: keycloak_quarkus: allow setting "sensitive options" using a Java KeyStore file #188 2024-04-17 17:09:44 +02:00
Helmut Wolf
60ca798e1a Rename keycloak_quarkus_*_store_* attributes 2024-04-17 17:09:44 +02:00
Helmut Wolf
921364b451 Fix docs 2024-04-17 17:09:44 +02:00
Guido Grazioli
50d189ee14 ci: more linter fixes 2024-04-17 16:56:56 +02:00
Guido Grazioli
5b459f3dde ci: more linter fixes 2024-04-17 16:48:24 +02:00
Guido Grazioli
f0318b2ecf Merge pull request #192 from guidograzioli/xxx_linter_1 
Comprehensive linter warning fixes
 2024-04-17 16:26:18 +02:00
Guido Grazioli
1f910bd400 Comprehensive linter warning fixes 2024-04-17 16:19:34 +02:00
Guido Grazioli
d17c364257 downstream: ci sudo workaround 2024-04-17 12:14:25 +02:00
Guido Grazioli
1ff6f237a9 Bump 2.1.1 2024-04-17 11:58:11 +02:00
Guido Grazioli
0c0c4e19ea downstream: update rhbk to 2.0.10 2024-04-17 11:57:44 +02:00
Guido Grazioli
7bedb08f6e ci: update release wf params 2024-04-17 11:14:38 +02:00
Guido Grazioli
5464a01a62 ci: update doc links, test triggers 2024-04-17 11:08:04 +02:00
ansible-middleware-core
2cf3e2470d Bump version to 2.1.2 2024-04-17 08:58:56 +00:00
ansible-middleware-core
ad6021c29a Update changelog for release 2.1.1 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
 2024-04-17 08:58:43 +00:00
Guido Grazioli
05ebd90121 Merge pull request #191 from guidograzioli/190_sysconfig_worldreadable 
Unrelax configuration file permissions
 2024-04-17 10:51:45 +02:00
Guido Grazioli
1229a0b023 Unrelax configuration file permissions 2024-04-17 10:46:23 +02:00
Guido Grazioli
4ba9014edb Merge pull request #187 from roumano/parse_proxy_headers 
Permit parse reverse proxy headers
 2024-04-17 10:36:50 +02:00
Christian Iuga
ea57f8b689 remove unwanted extra code 2024-04-16 13:41:09 +02:00
Christian Iuga
3fbae4882e move keycloak_quarkus_proxy_headers into keycloak.conf 2024-04-16 13:39:33 +02:00
Christian Iuga
27717d7b4e Avoid cmd-line arguments 
Fix https://github.com/ansible-middleware/keycloak/pull/187#discussion_r1565779164
 2024-04-15 15:50:55 +02:00
Christian Iuga
4aa862101c Add new variable keycloak_quarkus_proxy_headers into meta/argument_specs.yml 
Fix comment https://github.com/ansible-middleware/keycloak/pull/187#discussion_r1565772058
 2024-04-15 15:48:02 +02:00
Christian Iuga
8e2f3eb77f Permit parse reverse proxy headers 
- Via created a new optional variable : keycloak_quarkus_proxy_headers
- Fix enhancement #183
- see https://www.keycloak.org/server/reverseproxy about the official documentation
 2024-04-15 14:41:56 +02:00
Guido Grazioli
10d4cb8db7 Merge pull request #186 from guidograzioli/185_java_heap_options 
JVM arguments go in JAVA_OPTS
 2024-04-09 17:16:17 +02:00
Guido Grazioli
8f8de33350 JVM arguments go IN JAVA_OPTS 2024-04-08 16:47:49 +02:00
Guido Grazioli
7dceb7f819 Merge pull request #184 from avskor/issue-125 
Fix permissions on controller-side downloaded artifacts
 2024-04-08 09:15:52 +02:00
avskor
c2e456e1d5 Fix #125. Permission error when the become variable is set to true in the playbook 2024-04-04 11:22:18 +03:00
Guido Grazioli
4421375dd5 Merge pull request #181 from guidograzioli/multi_distro_refactor 
Multi distro refactor
 2024-03-25 16:42:29 +01:00
Guido Grazioli
2bbf7d9cc4 revert JVM var that cannot be overridden 2024-03-25 16:30:13 +01:00
Guido Grazioli
467cfda0f7 same changes for keycloak-legacy 2024-03-25 16:00:18 +01:00
Guido Grazioli
e17505fe42 update molecule for debian container 2024-03-25 15:37:02 +01:00
Guido Grazioli
0e4df659f4 add test 2024-03-25 14:35:28 +01:00
Guido Grazioli
3400b64b10 add to ci 2024-03-25 14:34:25 +01:00
Guido Grazioli
3b1534d700 refactor 2024-03-25 10:19:28 +01:00
Guido Grazioli
dd6171f024 Add ansible_family based vars loading 2024-03-25 10:19:08 +01:00
Guido Grazioli
c1da6ea38d Merge pull request #180 from guidograzioli/keycloak_realm_default 
Use `keycloak_realm` as default for sub-entities
 2024-03-25 09:40:30 +01:00
Guido Grazioli
56e4a43cf9 add keycloak_realm default to sub entities 2024-03-25 09:30:25 +01:00
Guido Grazioli
7a0a99a31c Merge pull request #178 from Aeyk/ubuntu 
Ubuntu compatibility
 2024-03-18 09:09:07 +01:00
aeyk
fdce0bd922 Merge branch 'main' into ubuntu 2024-03-17 05:35:09 -04:00
Malik Kennedy
b9d9874a00 feat: ubuntu compatibility 2024-03-17 09:15:38 +00:00
Guido Grazioli
1cecf51f37 downstream: more updates to custom xml 2024-03-14 11:41:52 +01:00
Guido Grazioli
0cea03dfc0 downstream: simplify overridexml test 2024-03-14 10:37:09 +01:00
Guido Grazioli
0c079740e1 downstream: molecule custom xml that works with rhsso 2024-03-14 10:13:46 +01:00
Guido Grazioli
96804d8086 downstream: rhsso has new patch filename pattern 2024-03-13 17:55:30 +01:00
Guido Grazioli
a875166fe0 Merge pull request #176 from growi/templates_comment_filter 
Utilize comment filter for `ansible_managed` annotations
 2024-03-13 14:24:19 +01:00
Björn Großewinkelmann
a97c349f41 Utilize comment filter for {{ ansible_maanged }} annotations 
Signed-off-by: Björn Großewinkelmann <bgrossew@redhat.com>
 2024-03-13 00:19:42 +01:00
Romain Pelisse
a59a1fb8dd Rework Molecule prepare phase to install sudo only if root on target 2024-03-12 12:48:46 +01:00
118 changed files with 3127 additions and 585 deletions
Expand all files Collapse all files

2
.ansible-lint
View File

@@ -28,7 +28,6 @@ warn_list:
- name[casing]
- fqcn[action]
- schema[meta]
- var-naming[no-role-prefix]
- key-order[task]
- blocked_modules
@@ -36,6 +35,7 @@ skip_list:
- vars_should_not_be_used
- file_is_small_enough
- name[template]
- var-naming[no-role-prefix]
use_default_rules: true
parseable: true

3
.github/workflows/ci.yml vendored
View File

@@ -5,6 +5,7 @@ on:
branches:
- main
pull_request:
workflow_dispatch:
schedule:
- cron: '15 6 * * *'
@@ -15,4 +16,4 @@ jobs:
with:
fqcn: 'middleware_automation/keycloak'
molecule_tests: >-
[ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode" ]
[ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "quarkus_upgrade", "debian", "quarkus_ha" ]

1
.github/workflows/docs.yml vendored
View File

@@ -15,3 +15,4 @@ jobs:
with:
fqcn: 'middleware_automation/keycloak'
collection_fqcn: 'middleware_automation.keycloak'
historical_docs: 'false'

9
.github/workflows/release.yml vendored
View File

@@ -2,20 +2,27 @@
name: Release collection
on:
workflow_dispatch:
inputs:
release_summary:
description: 'Optional release summary for changelogs'
required: false
jobs:
release:
uses: ansible-middleware/github-actions/.github/workflows/release.yml@main
with:
collection_fqcn: 'middleware_automation.keycloak'
downstream_name: 'rhbk'
release_summary: "${{ github.event.inputs.release_summary }}"
secrets:
galaxy_token: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
jira_webhook: ${{ secrets.JIRA_WEBHOOK_CREATE_VERSION }}
dispatch:
needs: release
strategy:
matrix:
repo: ['ansible-middleware/cross-dc-rhsso-demo', 'ansible-middleware/flange-demo', 'ansible-middleware/ansible-middleware-ee']
repo: ['ansible-middleware/ansible-middleware-ee']
runs-on: ubuntu-latest
steps:
- name: Repository Dispatch

26
.github/workflows/traffic.yml vendored Normal file
View File

@@ -0,0 +1,26 @@
name: Collect traffic stats
on:
schedule:
- cron: "51 23 * * 0"
workflow_dispatch:
jobs:
traffic:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
ref: "gh-pages"
- name: GitHub traffic
uses: sangonzal/repository-traffic-action@v.0.1.6
env:
TRAFFIC_ACTION_TOKEN: ${{ secrets.TRIGGERING_PAT }}
- name: Commit changes
uses: EndBug/add-and-commit@v4
with:
author_name: Ansible Middleware
message: "GitHub traffic"
add: "./traffic/*"
ref: "gh-pages"

1
.gitignore vendored
View File

@@ -12,3 +12,4 @@ docs/_build/
*.retry
changelogs/.plugin-cache.yaml
*.pem
*.key

9
.yamllint
View File

@@ -15,7 +15,8 @@ rules:
commas:
max-spaces-after: -1
level: error
comments: disable
comments:
min-spaces-from-content: 1
comments-indentation: disable
document-start: disable
empty-lines:
@@ -30,4 +31,8 @@ rules:
new-lines:
type: unix
trailing-spaces: disable
truthy: disable
truthy: disable
octal-values:
forbid-implicit-octal: true
forbid-explicit-octal: true

117
CHANGELOG.rst
View File

@@ -6,6 +6,118 @@ middleware\_automation.keycloak Release Notes
This changelog describes changes after version 0.2.6.
v2.4.1
======
Release Summary
---------------
Internal release, documentation or test changes only.
v2.4.0
======
Major Changes
-------------
- Enable by default health check on restart `#234 <https://github.com/ansible-middleware/keycloak/pull/234>`_
- Update minimum ansible-core version > 2.15 `#232 <https://github.com/ansible-middleware/keycloak/pull/232>`_
v2.3.0
======
Major Changes
-------------
- Allow for custom providers hosted on maven repositories `#223 <https://github.com/ansible-middleware/keycloak/pull/223>`_
- Restart handler strategy behaviour `#231 <https://github.com/ansible-middleware/keycloak/pull/231>`_
Minor Changes
-------------
- Add support for policy files `#225 <https://github.com/ansible-middleware/keycloak/pull/225>`_
- Allow to add extra custom env vars in sysconfig file `#229 <https://github.com/ansible-middleware/keycloak/pull/229>`_
- Download from alternate URL with optional http authentication `#220 <https://github.com/ansible-middleware/keycloak/pull/220>`_
- Update Keycloak to version 24.0.4 `#218 <https://github.com/ansible-middleware/keycloak/pull/218>`_
- ``proxy-header`` enhancement `#227 <https://github.com/ansible-middleware/keycloak/pull/227>`_
Bugfixes
--------
- ``kc.sh build`` uses configured jdk `#211 <https://github.com/ansible-middleware/keycloak/pull/211>`_
v2.2.2
======
Minor Changes
-------------
- Copying of key material for TLS configuration `#210 <https://github.com/ansible-middleware/keycloak/pull/210>`_
- Validate certs parameter for JDBC driver downloads `#207 <https://github.com/ansible-middleware/keycloak/pull/207>`_
Bugfixes
--------
- Turn off controller privilege escalation `#209 <https://github.com/ansible-middleware/keycloak/pull/209>`_
v2.2.1
======
Release Summary
---------------
Internal release, documentation or test changes only.
Bugfixes
--------
- JDBC provider: fix clause in argument validation `#204 <https://github.com/ansible-middleware/keycloak/pull/204>`_
v2.2.0
======
Major Changes
-------------
- Support java keystore for configuration of sensitive options `#189 <https://github.com/ansible-middleware/keycloak/pull/189>`_
Minor Changes
-------------
- Add ``wait_for_port`` and ``wait_for_log`` systemd unit logic `#199 <https://github.com/ansible-middleware/keycloak/pull/199>`_
- Customize jdbc driver downloads, optional authentication `#202 <https://github.com/ansible-middleware/keycloak/pull/202>`_
- Keystore-based vault SPI configuration `#196 <https://github.com/ansible-middleware/keycloak/pull/196>`_
- New ``keycloak_quarkus_hostname_strict_https`` parameter `#195 <https://github.com/ansible-middleware/keycloak/pull/195>`_
- Providers config and custom providers `#201 <https://github.com/ansible-middleware/keycloak/pull/201>`_
- Remove administrator credentials from files once keycloak is bootstrapped `#197 <https://github.com/ansible-middleware/keycloak/pull/197>`_
- Update keycloak to 24.0 `#194 <https://github.com/ansible-middleware/keycloak/pull/194>`_
v2.1.2
======
Release Summary
---------------
Internal release, documentation or test changes only.
v2.1.1
======
Minor Changes
-------------
- Add reverse ``proxy_headers`` config, supersedes ``proxy_mode`` `#187 <https://github.com/ansible-middleware/keycloak/pull/187>`_
- Debian/Ubuntu compatibility `#178 <https://github.com/ansible-middleware/keycloak/pull/178>`_
- Use ``keycloak_realm`` as default for sub-entities `#180 <https://github.com/ansible-middleware/keycloak/pull/180>`_
Bugfixes
--------
- Fix permissions on controller-side downloaded artifacts `#184 <https://github.com/ansible-middleware/keycloak/pull/184>`_
- JVM args moved to ``JAVA_OPTS`` envvar (instead of JAVA_OPTS_APPEND) `#186 <https://github.com/ansible-middleware/keycloak/pull/186>`_
- Unrelax configuration file permissions `#191 <https://github.com/ansible-middleware/keycloak/pull/191>`_
- Utilize comment filter for ``ansible_managed`` annotations `#176 <https://github.com/ansible-middleware/keycloak/pull/176>`_
v2.1.0
======
@@ -254,6 +366,11 @@ Minor Changes
v1.0.4
======
Release Summary
---------------
Internal release, documentation or test changes only.
v1.0.3
======

8
README.md
View File

@@ -6,12 +6,13 @@
> **_NOTE:_ If you are Red Hat customer, install `redhat.sso` (for Red Hat Single Sign-On) or `redhat.rhbk` (for Red Hat Build of Keycloak) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.**
<!--end build_status -->
<!--start description -->
Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) / [Red Hat Build of Keycloak](https://access.redhat.com/products/red-hat-build-of-keycloak).
<!--end description -->
<!--start requires_ansible-->
## Ansible version compatibility
This collection has been tested against following Ansible versions: **>=2.14.0**.
This collection has been tested against following Ansible versions: **>=2.15.0**.
Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
<!--end requires_ansible-->
@@ -39,6 +40,7 @@ collections:
The keycloak collection also depends on the following python packages to be present on the controller host:
* netaddr
* lxml
A requirement file is provided to install:
@@ -100,7 +102,7 @@ ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e
localhost ansible_connection=local
```
Note: when deploying clustered configurations, all hosts belonging to the cluster must be present in ansible_play_batch; ie. they must be targeted by the same ansible-playbook execution.
Note: when deploying clustered configurations, all hosts belonging to the cluster must be present in `ansible_play_batch`; ie. they must be targeted by the same ansible-playbook execution.
## Configuration

11
bindep.txt
View File

@@ -1,8 +1,9 @@
python3-dev [compile platform:dpkg]
python3-devel [compile platform:rpm]
python39-devel [compile platform:centos-8 platform:rhel-8]
git-lfs [platform:rpm]
python3-netaddr [platform:rpm]
python3-lxml [platform:rpm]
python3-jmespath [platform:rpm]
python3-requests [platform:rpm]
git-lfs [platform:rpm platform:dpkg]
python3-netaddr [platform:rpm platform:dpkg]
python3-lxml [platform:rpm platform:dpkg]
python3-jmespath [platform:rpm platform:dpkg]
python3-requests [platform:rpm platform:dpkg]

171
changelogs/changelog.yaml
View File

@@ -59,6 +59,10 @@ releases:
- 31.yaml
release_date: '2022-05-09'
1.0.4:
changes:
release_summary: 'Internal release, documentation or test changes only.
'
release_date: '2022-05-11'
1.0.5:
changes:
@@ -419,3 +423,170 @@ releases:
- 167.yaml
- 171.yaml
release_date: '2024-02-28'
2.1.1:
changes:
bugfixes:
- 'Fix permissions on controller-side downloaded artifacts `#184 <https://github.com/ansible-middleware/keycloak/pull/184>`_
'
- 'JVM args moved to ``JAVA_OPTS`` envvar (instead of JAVA_OPTS_APPEND) `#186
<https://github.com/ansible-middleware/keycloak/pull/186>`_
'
- 'Unrelax configuration file permissions `#191 <https://github.com/ansible-middleware/keycloak/pull/191>`_
'
- 'Utilize comment filter for ``ansible_managed`` annotations `#176 <https://github.com/ansible-middleware/keycloak/pull/176>`_
'
minor_changes:
- 'Add reverse ``proxy_headers`` config, supersedes ``proxy_mode`` `#187 <https://github.com/ansible-middleware/keycloak/pull/187>`_
'
- 'Debian/Ubuntu compatibility `#178 <https://github.com/ansible-middleware/keycloak/pull/178>`_
'
- 'Use ``keycloak_realm`` as default for sub-entities `#180 <https://github.com/ansible-middleware/keycloak/pull/180>`_
'
fragments:
- 176.yaml
- 178.yaml
- 180.yaml
- 184.yaml
- 186.yaml
- 187.yaml
- 191.yaml
release_date: '2024-04-17'
2.1.2:
changes:
release_summary: 'Internal release, documentation or test changes only.
'
release_date: '2024-04-17'
2.2.0:
changes:
major_changes:
- 'Support java keystore for configuration of sensitive options `#189 <https://github.com/ansible-middleware/keycloak/pull/189>`_
'
minor_changes:
- 'Add ``wait_for_port`` and ``wait_for_log`` systemd unit logic `#199 <https://github.com/ansible-middleware/keycloak/pull/199>`_
'
- 'Customize jdbc driver downloads, optional authentication `#202 <https://github.com/ansible-middleware/keycloak/pull/202>`_
'
- 'Keystore-based vault SPI configuration `#196 <https://github.com/ansible-middleware/keycloak/pull/196>`_
'
- 'New ``keycloak_quarkus_hostname_strict_https`` parameter `#195 <https://github.com/ansible-middleware/keycloak/pull/195>`_
'
- 'Providers config and custom providers `#201 <https://github.com/ansible-middleware/keycloak/pull/201>`_
'
- 'Remove administrator credentials from files once keycloak is bootstrapped
`#197 <https://github.com/ansible-middleware/keycloak/pull/197>`_
'
- 'Update keycloak to 24.0 `#194 <https://github.com/ansible-middleware/keycloak/pull/194>`_
'
fragments:
- 189.yaml
- 194.yaml
- 195.yaml
- 196.yaml
- 197.yaml
- 199.yaml
- 201.yaml
- 202.yaml
release_date: '2024-05-01'
2.2.1:
changes:
bugfixes:
- 'JDBC provider: fix clause in argument validation `#204 <https://github.com/ansible-middleware/keycloak/pull/204>`_
'
release_summary: Internal release, documentation or test changes only.
fragments:
- 204.yaml
- v2.2.1-devel_summary.yaml
release_date: '2024-05-02'
2.2.2:
changes:
bugfixes:
- 'Turn off controller privilege escalation `#209 <https://github.com/ansible-middleware/keycloak/pull/209>`_
'
minor_changes:
- 'Copying of key material for TLS configuration `#210 <https://github.com/ansible-middleware/keycloak/pull/210>`_
'
- 'Validate certs parameter for JDBC driver downloads `#207 <https://github.com/ansible-middleware/keycloak/pull/207>`_
'
fragments:
- 207.yaml
- 209.yaml
- 210.yaml
release_date: '2024-05-06'
2.3.0:
changes:
bugfixes:
- '``kc.sh build`` uses configured jdk `#211 <https://github.com/ansible-middleware/keycloak/pull/211>`_
'
major_changes:
- 'Allow for custom providers hosted on maven repositories `#223 <https://github.com/ansible-middleware/keycloak/pull/223>`_
'
- 'Restart handler strategy behaviour `#231 <https://github.com/ansible-middleware/keycloak/pull/231>`_
'
minor_changes:
- 'Add support for policy files `#225 <https://github.com/ansible-middleware/keycloak/pull/225>`_
'
- 'Allow to add extra custom env vars in sysconfig file `#229 <https://github.com/ansible-middleware/keycloak/pull/229>`_
'
- 'Download from alternate URL with optional http authentication `#220 <https://github.com/ansible-middleware/keycloak/pull/220>`_
'
- 'Update Keycloak to version 24.0.4 `#218 <https://github.com/ansible-middleware/keycloak/pull/218>`_
'
- '``proxy-header`` enhancement `#227 <https://github.com/ansible-middleware/keycloak/pull/227>`_
'
fragments:
- 211.yaml
- 218.yaml
- 220.yaml
- 223.yaml
- 225.yaml
- 227.yaml
- 229.yaml
- 231.yaml
release_date: '2024-05-20'
2.4.0:
changes:
major_changes:
- 'Enable by default health check on restart `#234 <https://github.com/ansible-middleware/keycloak/pull/234>`_
'
- 'Update minimum ansible-core version > 2.15 `#232 <https://github.com/ansible-middleware/keycloak/pull/232>`_
'
fragments:
- 232.yaml
- 234.yaml
release_date: '2024-06-04'
2.4.1:
changes:
release_summary: Internal release, documentation or test changes only.
fragments:
- v2.4.1-devel_summary.yaml
release_date: '2024-07-02'

32
changelogs/config.yaml
View File

@@ -11,22 +11,22 @@ notesdir: fragments
prelude_section_name: release_summary
prelude_section_title: Release Summary
sections:
- - major_changes
- Major Changes
- - minor_changes
- Minor Changes
- - breaking_changes
- Breaking Changes / Porting Guide
- - deprecated_features
- Deprecated Features
- - removed_features
- Removed Features
- - security_fixes
- Security Fixes
- - bugfixes
- Bugfixes
- - known_issues
- Known Issues
- - major_changes
- Major Changes
- - minor_changes
- Minor Changes
- - breaking_changes
- Breaking Changes / Porting Guide
- - deprecated_features
- Deprecated Features
- - removed_features
- Removed Features
- - security_fixes
- Security Fixes
- - bugfixes
- Bugfixes
- - known_issues
- Known Issues
title: middleware_automation.keycloak
trivial_section_name: trivial
use_fqcn: true

17
docs/_gh_include/header.inc
View File

@@ -24,14 +24,15 @@
<div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
<p class="caption" role="heading"><span class="caption-text">Middleware Automation</span></p>
<ul>
<li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/infinispan/">Infinispan / Red Hat Data Grid</a></li>
<li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/keycloak/">Keycloak / Red Hat Single Sign-On</a></li>
<li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/wildfly/">Wildfly / Red Hat JBoss EAP</a></li>
<li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/jws/">Tomcat / Red Hat JWS</a></li>
<li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq/">ActiveMQ / Red Hat AMQ Broker</a></li>
<li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq_streams/">Kafka / Red Hat AMQ Streams</a></li>
<li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/redhat-csp-download/">Red Hat CSP Download</a></li>
<li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/ansible_collections_jcliff/">JCliff</a></li>
<li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/infinispan/main/">Infinispan / Red Hat Data Grid</a></li>
<li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/keycloak/main/">Keycloak / Red Hat Single Sign-On</a></li>
<li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/wildfly/main/">Wildfly / Red Hat JBoss EAP</a></li>
<li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/jws/main/">Tomcat / Red Hat JWS</a></li>
<li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq/main/">ActiveMQ / Red Hat AMQ Broker</a></li>
<li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq_streams/main/">Kafka / Red Hat AMQ Streams</a></li>
<li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/common/main/">Ansible Middleware utilities</a></li>
<li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/redhat-csp-download/main/">Red Hat CSP Download</a></li>
<li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/ansible_collections_jcliff/main/">JCliff</a></li>
</ul>
</div>
</div>

17
docs/index.rst
View File

@@ -29,11 +29,12 @@ Welcome to Keycloak Collection documentation
:maxdepth: 2
:caption: Middleware collections
Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/>
Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/>
Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/>
Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/>
ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/>
Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/>
Red Hat CSP Download <https://ansible-middleware.github.io/redhat-csp-download/>
JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/>
Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/>
Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/main/>
Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/main/>
Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/main/>
ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/main/>
Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/main/>
Ansible Middleware utilities <https://ansible-middleware.github.io/common/main/>
Red Hat CSP Download <https://ansible-middleware.github.io/redhat-csp-download/main/>
JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/main/>

5
galaxy.yml
View File

@@ -1,7 +1,7 @@
---
namespace: middleware_automation
name: keycloak
version: "2.1.1"
version: "2.4.1"
readme: README.md
authors:
- Romain Pelisse <rpelisse@redhat.com>
@@ -26,7 +26,7 @@ tags:
- middleware
- a4mw
dependencies:
"middleware_automation.common": ">=1.1.0"
"middleware_automation.common": ">=1.2.1"
"ansible.posix": ">=1.4.0"
repository: https://github.com/ansible-middleware/keycloak
documentation: https://ansible-middleware.github.io/keycloak
@@ -35,7 +35,6 @@ issues: https://github.com/ansible-middleware/keycloak/issues
build_ignore:
- .gitignore
- .github
- .ansible-lint
- .yamllint
- '*.tar.gz'
- '*.zip'

2
meta/runtime.yml
View File

@@ -1,2 +1,2 @@
---
requires_ansible: ">=2.14.0"
requires_ansible: ">=2.15.0"

42
molecule/debian/converge.yml Normal file
View File

@@ -0,0 +1,42 @@
---
- name: Converge
hosts: all
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_realm: TestRealm
keycloak_quarkus_log: file
keycloak_quarkus_frontend_url: 'http://localhost:8080/'
keycloak_quarkus_start_dev: True
keycloak_quarkus_proxy_mode: none
keycloak_client_default_roles:
- TestRoleAdmin
- TestRoleUser
keycloak_client_users:
- username: TestUser
password: password
client_roles:
- client: TestClient
role: TestRoleUser
- username: TestAdmin
password: password
client_roles:
- client: TestClient
role: TestRoleUser
- client: TestClient
role: TestRoleAdmin
keycloak_clients:
- name: TestClient
roles: "{{ keycloak_client_default_roles }}"
public_client: "{{ keycloak_client_public }}"
web_origins: "{{ keycloak_client_web_origins }}"
users: "{{ keycloak_client_users }}"
client_id: TestClient
attributes:
post.logout.redirect.uris: '/public/logout'
roles:
- role: keycloak_quarkus
- role: keycloak_realm
keycloak_realm: TestRealm
keycloak_admin_password: "remembertochangeme"
keycloak_context: ''

48
molecule/debian/molecule.yml Normal file
View File

@@ -0,0 +1,48 @@
---
driver:
name: docker
platforms:
- name: instance
image: ghcr.io/hspaans/molecule-containers:debian-11
pre_build_image: true
privileged: true
port_bindings:
- "8080/tcp"
- "8443/tcp"
- "8009/tcp"
cgroupns_mode: host
command: "/lib/systemd/systemd"
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
provisioner:
name: ansible
config_options:
defaults:
interpreter_python: auto_silent
ssh_connection:
pipelining: false
playbooks:
prepare: prepare.yml
converge: converge.yml
verify: verify.yml
inventory:
host_vars:
localhost:
ansible_python_interpreter: /usr/bin/python3
env:
ANSIBLE_FORCE_COLOR: "true"
ANSIBLE_REMOTE_TMP: /tmp/.ansible/tmp
verifier:
name: ansible
scenario:
test_sequence:
- cleanup
- destroy
- create
- prepare
- converge
- idempotence
- side_effect
- verify
- cleanup
- destroy

11
molecule/debian/prepare.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Prepare
hosts: all
gather_facts: yes
tasks:
- name: Install sudo
ansible.builtin.apt:
name:
- sudo
- openjdk-17-jdk-headless
state: present

1
molecule/debian/roles Symbolic link
View File

@@ -0,0 +1 @@
../../roles

40
molecule/debian/verify.yml Normal file
View File

@@ -0,0 +1,40 @@
---
- name: Verify
hosts: all
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
keycloak_jboss_port_offset: 10
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
- name: Check if keycloak service started
ansible.builtin.assert:
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"
- ansible_facts.services["keycloak.service"]["status"] == "enabled"
- name: Verify openid config
block:
- name: Fetch openID config # noqa blocked_modules command-instead-of-module
ansible.builtin.shell: |
set -o pipefail
curl http://localhost:8080/realms/master/.well-known/openid-configuration -k | jq .
args:
executable: /bin/bash
delegate_to: localhost
register: openid_config
changed_when: False
- name: Verify endpoint URLs
ansible.builtin.assert:
that:
- (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'http://localhost:8080/realms/master/protocol/openid-connect/ext/ciba/auth'
- (openid_config.stdout | from_json)['issuer'] == 'http://localhost:8080/realms/master'
- (openid_config.stdout | from_json)['authorization_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/auth'
- (openid_config.stdout | from_json)['token_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/token'
delegate_to: localhost
when:
- hera_home is defined
- hera_home | length == 0

4
molecule/default/converge.yml
View File

@@ -1,7 +1,7 @@
---
- name: Converge
hosts: all
vars:
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_jvm_package: java-11-openjdk-headless
keycloak_modcluster_enabled: True
@@ -52,7 +52,7 @@
pre_tasks:
- name: "Retrieve assets server from env"
ansible.builtin.set_fact:
assets_server: "{{ lookup('env','MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
assets_server: "{{ lookup('env', 'MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
- name: "Set offline when assets server from env is defined"
ansible.builtin.set_fact:

9
molecule/default/prepare.yml
View File

@@ -18,5 +18,12 @@
name:
- java-1.8.0-openjdk
state: present
when: ansible_facts['os_family'] == "RedHat"
- name: Install JDK8
become: yes
ansible.builtin.apt:
name:
- openjdk-8-jdk
state: present
when: ansible_facts['os_family'] == "Debian"

3
molecule/https_revproxy/converge.yml
View File

@@ -1,7 +1,8 @@
---
- name: Converge
hosts: all
vars:
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_admin_password: "remembertochangeme"
keycloak_realm: TestRealm

46
molecule/overridexml/converge.yml
View File

@@ -1,7 +1,7 @@
---
- name: Converge
hosts: all
vars:
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_config_override_template: custom.xml.j2
keycloak_http_port: 8081
@@ -9,47 +9,3 @@
keycloak_service_runas: True
roles:
- role: keycloak
tasks:
- name: Keycloak Realm Role
ansible.builtin.include_role:
name: keycloak_realm
vars:
keycloak_client_default_roles:
- TestRoleAdmin
- TestRoleUser
keycloak_client_users:
- username: TestUser
password: password
client_roles:
- client: TestClient
role: TestRoleUser
realm: "{{ keycloak_realm }}"
- username: TestAdmin
password: password
client_roles:
- client: TestClient
role: TestRoleUser
realm: "{{ keycloak_realm }}"
- client: TestClient
role: TestRoleAdmin
realm: "{{ keycloak_realm }}"
keycloak_realm: TestRealm
keycloak_clients:
- name: TestClient
roles: "{{ keycloak_client_default_roles }}"
realm: "{{ keycloak_realm }}"
public_client: "{{ keycloak_client_public }}"
web_origins: "{{ keycloak_client_web_origins }}"
users: "{{ keycloak_client_users }}"
client_id: TestClient
pre_tasks:
- name: "Retrieve assets server from env"
ansible.builtin.set_fact:
assets_server: "{{ lookup('env','MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
- name: "Set offline when assets server from env is defined"
ansible.builtin.set_fact:
sso_offline_install: True
when:
- assets_server is defined
- assets_server | length > 0

20
molecule/overridexml/templates/custom.xml.j2
View File

@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
<!-- {{ ansible_managed }} -->
<!-- this is a custom file -->
<server xmlns="urn:jboss:domain:16.0">
<extensions>
<extension module="org.jboss.as.clustering.infinispan"/>
@@ -44,7 +44,7 @@
</audit-log>
<management-interfaces>
<http-interface http-authentication-factory="management-http-authentication">
<http-upgrade enabled="true"/>
<http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
<socket-binding http="management-http"/>
</http-interface>
</management-interfaces>
@@ -481,8 +481,8 @@
<default-provider>default</default-provider>
<provider name="default" enabled="true">
<properties>
<property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
<property name="forceBackendUrlToFrontendUrl" value="true"/>
<property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
<property name="forceBackendUrlToFrontendUrl" value="false"/>
</properties>
</provider>
</spi>
@@ -520,7 +520,8 @@
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http"/>
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker http-authentication-factory="application-http-authentication"/>
@@ -533,20 +534,25 @@
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<application-security-domains>
<application-security-domain name="other" security-domain="ApplicationDomain"/>
</application-security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:weld:4.0"/>
</profile>
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
<inet-address value="127.0.0.1"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:127.0.0.1}"/>
<inet-address value="127.0.0.1"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="http" port="8081"/>
<socket-binding name="https" port="8443"/>
<socket-binding name="management-http" interface="management" port="19990"/>
<socket-binding name="management-https" interface="management" port="19991"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">

21
molecule/overridexml/verify.yml
View File

@@ -1,6 +1,10 @@
---
- name: Verify
hosts: all
vars:
keycloak_uri: "http://localhost:8081"
keycloak_management_port: "http://localhost:19990"
keycloak_admin_password: "remembertochangeme"
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
@@ -9,3 +13,20 @@
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"
- ansible_facts.services["keycloak.service"]["status"] == "enabled"
- name: Verify we are running on requested jvm # noqa blocked_modules command-instead-of-module
ansible.builtin.shell: |
set -o pipefail
ps -ef | grep '/etc/alternatives/jre_1.8.0/' | grep -v grep
args:
executable: /bin/bash
changed_when: no
- name: Verify token api call
ansible.builtin.uri:
url: "{{ keycloak_uri }}/auth/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no
register: keycloak_auth_response
until: keycloak_auth_response.status == 200
retries: 2
delay: 2

18
molecule/prepare.yml
View File

@@ -3,39 +3,44 @@
ansible.builtin.debug:
msg: "Ansible version is {{ ansible_version.full }}"
- name: "Set package name for sudo"
ansible.builtin.set_fact:
sudo_pkg_name: sudo
- name: "Ensure {{ sudo_pkg_name }} is installed (if user is root)."
ansible.builtin.yum:
name: "{{ sudo_pkg_name }}"
state: present
when:
- ansible_user_id == 'root'
- name: Gather the package facts
ansible.builtin.package_facts:
manager: auto
- name: "Check if {{ sudo_pkg_name }} is installed."
- name: "Check if sudo is installed."
ansible.builtin.assert:
that:
- sudo_pkg_name in ansible_facts.packages
fail_msg: "sudo is not installed on target system"
- name: Install sudo
become: yes
- name: "Install iproute"
become: true
ansible.builtin.yum:
name:
- sudo
- iproute
state: present
- name: "Retrieve assets server from env"
ansible.builtin.set_fact:
assets_server: "{{ lookup('env','MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
assets_server: "{{ lookup('env', 'MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
- name: "Download artefacts only if assets_server is set"
when:
- assets_server is defined
- assets_server | length > 0
- assets is defined
- assets | length > 0
block:
- name: "Set offline when assets server from env is defined"
ansible.builtin.set_fact:
@@ -46,6 +51,7 @@
url: "{{ asset }}"
dest: "{{ lookup('env', 'PWD') }}"
validate_certs: no
mode: '0644'
delegate_to: localhost
loop: "{{ assets }}"
loop_control:

3
molecule/quarkus-devmode/converge.yml
View File

@@ -1,7 +1,8 @@
---
- name: Converge
hosts: all
vars:
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_admin_password: "remembertochangeme"
keycloak_realm: TestRealm

31
molecule/quarkus-devmode/prepare.yml
View File

@@ -1,14 +1,39 @@
---
- name: Prepare
hosts: all
become: yes
tasks:
- name: Install sudo
ansible.builtin.yum:
ansible.builtin.apt:
name:
- sudo
- openjdk-17-jdk-headless
state: present
when:
- ansible_facts.os_family == 'Debian'
- name: "Ensure common prepare phase are set."
ansible.builtin.include_tasks: ../prepare.yml
- name: Install JDK17
become: yes
ansible.builtin.yum:
name:
- java-17-openjdk-headless
state: present
when:
- ansible_facts.os_family == 'RedHat'
- name: Link default logs directory
become: yes
ansible.builtin.file:
state: link
src: "{{ item }}"
dest: /opt/openjdk
force: true
with_fileglob:
- /usr/lib/jvm/java-17-openjdk*
when:
- ansible_facts.os_family == "Debian"
- name: Link default logs directory
ansible.builtin.file:
@@ -16,6 +41,8 @@
src: /usr/lib/jvm/jre-17-openjdk
dest: /opt/openjdk
force: true
when:
- ansible_facts.os_family == "RedHat"
- name: "Display hera_home if defined."
ansible.builtin.set_fact:

45
molecule/quarkus/converge.yml
View File

@@ -1,16 +1,53 @@
---
- name: Converge
hosts: all
vars:
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_admin_password: "remembertochangeme"
keycloak_realm: TestRealm
keycloak_quarkus_host: instance
keycloak_quarkus_log: file
keycloak_quarkus_https_key_file_enabled: True
keycloak_quarkus_key_file: "/opt/keycloak/certs/key.pem"
keycloak_quarkus_cert_file: "/opt/keycloak/certs/cert.pem"
keycloak_quarkus_log_level: debug # needed for the verify step
keycloak_quarkus_https_key_file_enabled: true
keycloak_quarkus_key_file_copy_enabled: true
keycloak_quarkus_key_content: "{{ lookup('file', 'key.pem') }}"
keycloak_quarkus_cert_file_copy_enabled: true
keycloak_quarkus_cert_file_src: cert.pem
keycloak_quarkus_log_target: /tmp/keycloak
keycloak_quarkus_ks_vault_enabled: true
keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
keycloak_quarkus_ks_vault_pass: keystorepassword
keycloak_quarkus_systemd_wait_for_port: true
keycloak_quarkus_systemd_wait_for_timeout: 20
keycloak_quarkus_systemd_wait_for_delay: 2
keycloak_quarkus_systemd_wait_for_log: true
keycloak_quarkus_providers:
- id: http-client
spi: connections
default: true
restart: true
properties:
- key: default-connection-pool-size
value: 10
- id: spid-saml
url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
- id: keycloak-kerberos-federation
maven:
repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4
group_id: org.keycloak
artifact_id: keycloak-kerberos-federation
version: 24.0.4 # optional
# username: myUser # optional
# password: myPAT # optional
# - id: my-static-theme
# local_path: /tmp/my-static-theme.jar
keycloak_quarkus_policies:
- name: "xato-net-10-million-passwords.txt"
url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt"
- name: "xato-net-10-million-passwords-10.txt"
url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords-10.txt"
type: password-blacklists
roles:
- role: keycloak_quarkus
- role: keycloak_realm

40
molecule/quarkus/prepare.yml
View File

@@ -2,33 +2,43 @@
- name: Prepare
hosts: all
tasks:
- name: Install sudo
become: yes
ansible.builtin.yum:
name: sudo
state: present
- name: "Display hera_home if defined."
ansible.builtin.set_fact:
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- name: "Ensure common prepare phase are set."
ansible.builtin.include_tasks: ../prepare.yml
- name: Create certificate request
ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
delegate_to: localhost
changed_when: False
- name: Create conf directory # risky-file-permissions in test user account does not exist yet
- name: Create vault directory
become: true
ansible.builtin.file:
state: directory
path: "/opt/keycloak/certs/"
path: "/opt/keycloak/vault"
mode: 0755
- name: Copy certificates
become: yes
- name: Make sure a jre is available (for keytool to prepare keystore)
delegate_to: localhost
ansible.builtin.package:
name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
state: present
become: true
failed_when: false
- name: Create vault keystore
ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
delegate_to: localhost
register: keytool_cmd
changed_when: False
failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
- name: Copy certificates and vault
become: true
ansible.builtin.copy:
src: "{{ item }}"
dest: "/opt/keycloak/certs/{{ item }}"
src: keystore.p12
dest: /opt/keycloak/vault/keystore.p12
mode: 0444
loop:
- cert.pem
- key.pem

21
molecule/quarkus/verify.yml
View File

@@ -10,6 +10,7 @@
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"
- ansible_facts.services["keycloak.service"]["status"] == "enabled"
fail_msg: "Service not running"
- name: Set internal envvar
ansible.builtin.set_fact:
@@ -40,7 +41,7 @@
- name: Check log folder
ansible.builtin.stat:
path: "/tmp/keycloak"
path: /tmp/keycloak
register: keycloak_log_folder
- name: Check that keycloak log folder exists and is a link
@@ -49,10 +50,12 @@
- keycloak_log_folder.stat.exists
- not keycloak_log_folder.stat.isdir
- keycloak_log_folder.stat.islnk
fail_msg: "Service log symlink not correctly created"
- name: Check log file
become: true
ansible.builtin.stat:
path: "/tmp/keycloak/keycloak.log"
path: /tmp/keycloak/keycloak.log
register: keycloak_log_file
- name: Check if keycloak file exists
@@ -62,8 +65,9 @@
- not keycloak_log_file.stat.isdir
- name: Check default log folder
become: yes
ansible.builtin.stat:
path: "/var/log/keycloak"
path: /var/log/keycloak
register: keycloak_default_log_folder
failed_when: false
@@ -71,3 +75,12 @@
ansible.builtin.assert:
that:
- not keycloak_default_log_folder.stat.exists
- name: Verify vault SPI in logfile
become: true
ansible.builtin.shell: |
set -o pipefail
zgrep 'Configured KeystoreVaultProviderFactory with the keystore file' /opt/keycloak/keycloak-*/data/log/keycloak.log*zip
changed_when: false
failed_when: slurped_log.rc != 0
register: slurped_log

30
molecule/quarkus_ha/converge.yml Normal file
View File

@@ -0,0 +1,30 @@
---
- name: Converge
hosts: keycloak
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_admin_password: "remembertochangeme"
keycloak_realm: TestRealm
keycloak_quarkus_host: "{{ inventory_hostname }}"
keycloak_quarkus_log: file
keycloak_quarkus_log_level: info
keycloak_quarkus_https_key_file_enabled: true
keycloak_quarkus_key_file_copy_enabled: true
keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}"
keycloak_quarkus_cert_file_copy_enabled: true
keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem"
keycloak_quarkus_ks_vault_enabled: true
keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
keycloak_quarkus_ks_vault_pass: keystorepassword
keycloak_quarkus_systemd_wait_for_port: true
keycloak_quarkus_systemd_wait_for_timeout: 20
keycloak_quarkus_systemd_wait_for_delay: 2
keycloak_quarkus_systemd_wait_for_log: true
keycloak_quarkus_ha_enabled: true
keycloak_quarkus_restart_strategy: restart/serial.yml
keycloak_quarkus_db_user: keycloak
keycloak_quarkus_db_pass: mysecretpass
keycloak_quarkus_jdbc_url: jdbc:postgresql://postgres:5432/keycloak
roles:
- role: keycloak_quarkus

79
molecule/quarkus_ha/molecule.yml Normal file
View File

@@ -0,0 +1,79 @@
---
driver:
name: docker
platforms:
- name: instance1
image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
groups:
- keycloak
networks:
- name: rhbk
port_bindings:
- "8080/tcp"
- "8443/tcp"
- name: instance2
image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
groups:
- keycloak
networks:
- name: rhbk
port_bindings:
- "8080/tcp"
- "8443/tcp"
- name: postgres
image: ubuntu/postgres:14-22.04_beta
pre_build_image: true
privileged: true
command: postgres
groups:
- database
networks:
- name: rhbk
port_bindings:
- "5432/tcp"
mounts:
- type: bind
target: /etc/postgresql/postgresql.conf
source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf
env:
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: mysecretpass
POSTGRES_DB: keycloak
POSTGRES_HOST_AUTH_METHOD: trust
provisioner:
name: ansible
config_options:
defaults:
interpreter_python: auto_silent
ssh_connection:
pipelining: false
playbooks:
prepare: prepare.yml
converge: converge.yml
verify: verify.yml
inventory:
host_vars:
localhost:
ansible_python_interpreter: "{{ ansible_playbook_python }}"
env:
ANSIBLE_FORCE_COLOR: "true"
verifier:
name: ansible
scenario:
test_sequence:
- cleanup
- destroy
- create
- prepare
- converge
- idempotence
- side_effect
- verify
- cleanup
- destroy

750
molecule/quarkus_ha/postgresql/postgresql.conf Normal file
View File

@@ -0,0 +1,750 @@
# -----------------------------
# PostgreSQL configuration file
# -----------------------------
#
# This file consists of lines of the form:
#
# name = value
#
# (The "=" is optional.) Whitespace may be used. Comments are introduced with
# "#" anywhere on a line. The complete list of parameter names and allowed
# values can be found in the PostgreSQL documentation.
#
# The commented-out settings shown in this file represent the default values.
# Re-commenting a setting is NOT sufficient to revert it to the default value;
# you need to reload the server.
#
# This file is read on server startup and when the server receives a SIGHUP
# signal. If you edit the file on a running system, you have to SIGHUP the
# server for the changes to take effect, run "pg_ctl reload", or execute
# "SELECT pg_reload_conf()". Some parameters, which are marked below,
# require a server shutdown and restart to take effect.
#
# Any parameter can also be given as a command-line option to the server, e.g.,
# "postgres -c log_connections=on". Some parameters can be changed at run time
# with the "SET" SQL command.
#
# Memory units: kB = kilobytes Time units: ms = milliseconds
# MB = megabytes s = seconds
# GB = gigabytes min = minutes
# TB = terabytes h = hours
# d = days
#------------------------------------------------------------------------------
# FILE LOCATIONS
#------------------------------------------------------------------------------
# The default values of these variables are driven from the -D command-line
# option or PGDATA environment variable, represented here as ConfigDir.
#data_directory = 'ConfigDir' # use data in another directory
# (change requires restart)
#hba_file = 'ConfigDir/pg_hba.conf' # host-based authentication file
# (change requires restart)
#ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file
# (change requires restart)
# If external_pid_file is not explicitly set, no extra PID file is written.
#external_pid_file = '' # write an extra PID file
# (change requires restart)
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
listen_addresses = '*' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
#port = 5432 # (change requires restart)
#max_connections = 100 # (change requires restart)
#superuser_reserved_connections = 3 # (change requires restart)
#unix_socket_directories = '/tmp' # comma-separated list of directories
# (change requires restart)
#unix_socket_group = '' # (change requires restart)
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
# (change requires restart)
#bonjour = off # advertise server via Bonjour
# (change requires restart)
#bonjour_name = '' # defaults to the computer name
# (change requires restart)
# - TCP settings -
# see "man 7 tcp" for details
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
# 0 selects the system default
#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
# 0 selects the system default
#tcp_keepalives_count = 0 # TCP_KEEPCNT;
# 0 selects the system default
#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds;
# 0 selects the system default
# - Authentication -
#authentication_timeout = 1min # 1s-600s
#password_encryption = md5 # md5 or scram-sha-256
#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = ''
#krb_caseins_users = off
# - SSL -
#ssl = off
#ssl_ca_file = ''
#ssl_cert_file = 'server.crt'
#ssl_crl_file = ''
#ssl_key_file = 'server.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off
#------------------------------------------------------------------------------
# RESOURCE USAGE (except WAL)
#------------------------------------------------------------------------------
# - Memory -
#shared_buffers = 32MB # min 128kB
# (change requires restart)
#huge_pages = try # on, off, or try
# (change requires restart)
#temp_buffers = 8MB # min 800kB
#max_prepared_transactions = 0 # zero disables the feature
# (change requires restart)
# Caution: it is not advisable to set max_prepared_transactions nonzero unless
# you actively intend to use prepared transactions.
#work_mem = 4MB # min 64kB
#maintenance_work_mem = 64MB # min 1MB
#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
#max_stack_depth = 2MB # min 100kB
#shared_memory_type = mmap # the default is the first option
# supported by the operating system:
# mmap
# sysv
# windows
# (change requires restart)
#dynamic_shared_memory_type = posix # the default is the first option
# supported by the operating system:
# posix
# sysv
# windows
# mmap
# (change requires restart)
# - Disk -
#temp_file_limit = -1 # limits per-process temp file space
# in kB, or -1 for no limit
# - Kernel Resources -
#max_files_per_process = 1000 # min 25
# (change requires restart)
# - Cost-Based Vacuum Delay -
#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables)
#vacuum_cost_page_hit = 1 # 0-10000 credits
#vacuum_cost_page_miss = 10 # 0-10000 credits
#vacuum_cost_page_dirty = 20 # 0-10000 credits
#vacuum_cost_limit = 200 # 1-10000 credits
# - Background Writer -
#bgwriter_delay = 200ms # 10-10000ms between rounds
#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
#bgwriter_flush_after = 0 # measured in pages, 0 disables
# - Asynchronous Behavior -
#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
#max_worker_processes = 8 # (change requires restart)
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
#parallel_leader_participation = on
#max_parallel_workers = 8 # maximum number of max_worker_processes that
# can be used in parallel operations
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
# (change requires restart)
#backend_flush_after = 0 # measured in pages, 0 disables
#------------------------------------------------------------------------------
# WRITE-AHEAD LOG
#------------------------------------------------------------------------------
# - Settings -
#wal_level = replica # minimal, replica, or logical
# (change requires restart)
#fsync = on # flush data to disk for crash safety
# (turning this off can cause
# unrecoverable data corruption)
#synchronous_commit = on # synchronization level;
# off, local, remote_write, remote_apply, or on
#wal_sync_method = fsync # the default is the first option
# supported by the operating system:
# open_datasync
# fdatasync (default on Linux)
# fsync
# fsync_writethrough
# open_sync
#full_page_writes = on # recover from partial page writes
#wal_compression = off # enable compression of full-page writes
#wal_log_hints = off # also do full page writes of non-critical updates
# (change requires restart)
#wal_init_zero = on # zero-fill new WAL files
#wal_recycle = on # recycle WAL files
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
# (change requires restart)
#wal_writer_delay = 200ms # 1-10000 milliseconds
#wal_writer_flush_after = 1MB # measured in pages, 0 disables
#commit_delay = 0 # range 0-100000, in microseconds
#commit_siblings = 5 # range 1-1000
# - Checkpoints -
#checkpoint_timeout = 5min # range 30s-1d
#max_wal_size = 1GB
#min_wal_size = 80MB
#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
#checkpoint_flush_after = 0 # measured in pages, 0 disables
#checkpoint_warning = 30s # 0 disables
# - Archiving -
#archive_mode = off # enables archiving; off, on, or always
# (change requires restart)
#archive_command = '' # command to use to archive a logfile segment
# placeholders: %p = path of file to archive
# %f = file name only
# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
#archive_timeout = 0 # force a logfile segment switch after this
# number of seconds; 0 disables
# - Archive Recovery -
# These are only used in recovery mode.
#restore_command = '' # command to use to restore an archived logfile segment
# placeholders: %p = path of file to restore
# %f = file name only
# e.g. 'cp /mnt/server/archivedir/%f %p'
# (change requires restart)
#archive_cleanup_command = '' # command to execute at every restartpoint
#recovery_end_command = '' # command to execute at completion of recovery
# - Recovery Target -
# Set these only when performing a targeted recovery.
#recovery_target = '' # 'immediate' to end recovery as soon as a
# consistent state is reached
# (change requires restart)
#recovery_target_name = '' # the named restore point to which recovery will proceed
# (change requires restart)
#recovery_target_time = '' # the time stamp up to which recovery will proceed
# (change requires restart)
#recovery_target_xid = '' # the transaction ID up to which recovery will proceed
# (change requires restart)
#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed
# (change requires restart)
#recovery_target_inclusive = on # Specifies whether to stop:
# just after the specified recovery target (on)
# just before the recovery target (off)
# (change requires restart)
#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID
# (change requires restart)
#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown'
# (change requires restart)
#------------------------------------------------------------------------------
# REPLICATION
#------------------------------------------------------------------------------
# - Sending Servers -
# Set these on the master and on any standby that will send replication data.
#max_wal_senders = 10 # max number of walsender processes
# (change requires restart)
#wal_keep_segments = 0 # in logfile segments; 0 disables
#wal_sender_timeout = 60s # in milliseconds; 0 disables
#max_replication_slots = 10 # max number of replication slots
# (change requires restart)
#track_commit_timestamp = off # collect timestamp of transaction commit
# (change requires restart)
# - Master Server -
# These settings are ignored on a standby server.
#synchronous_standby_names = '' # standby servers that provide sync rep
# method to choose sync standbys, number of sync standbys,
# and comma-separated list of application_name
# from standby(s); '*' = all
#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
# - Standby Servers -
# These settings are ignored on a master server.
#primary_conninfo = '' # connection string to sending server
# (change requires restart)
#primary_slot_name = '' # replication slot on sending server
# (change requires restart)
#promote_trigger_file = '' # file name whose presence ends recovery
#hot_standby = on # "off" disallows queries during recovery
# (change requires restart)
#max_standby_archive_delay = 30s # max delay before canceling queries
# when reading WAL from archive;
# -1 allows indefinite delay
#max_standby_streaming_delay = 30s # max delay before canceling queries
# when reading streaming WAL;
# -1 allows indefinite delay
#wal_receiver_status_interval = 10s # send replies at least this often
# 0 disables
#hot_standby_feedback = off # send info from standby to prevent
# query conflicts
#wal_receiver_timeout = 60s # time that receiver waits for
# communication from master
# in milliseconds; 0 disables
#wal_retrieve_retry_interval = 5s # time to wait before retrying to
# retrieve WAL after a failed attempt
#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery
# - Subscribers -
# These settings are ignored on a publisher.
#max_logical_replication_workers = 4 # taken from max_worker_processes
# (change requires restart)
#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers
#------------------------------------------------------------------------------
# QUERY TUNING
#------------------------------------------------------------------------------
# - Planner Method Configuration -
#enable_bitmapscan = on
#enable_hashagg = on
#enable_hashjoin = on
#enable_indexscan = on
#enable_indexonlyscan = on
#enable_material = on
#enable_mergejoin = on
#enable_nestloop = on
#enable_parallel_append = on
#enable_seqscan = on
#enable_sort = on
#enable_tidscan = on
#enable_partitionwise_join = off
#enable_partitionwise_aggregate = off
#enable_parallel_hash = on
#enable_partition_pruning = on
# - Planner Cost Constants -
#seq_page_cost = 1.0 # measured on an arbitrary scale
#random_page_cost = 4.0 # same scale as above
#cpu_tuple_cost = 0.01 # same scale as above
#cpu_index_tuple_cost = 0.005 # same scale as above
#cpu_operator_cost = 0.0025 # same scale as above
#parallel_tuple_cost = 0.1 # same scale as above
#parallel_setup_cost = 1000.0 # same scale as above
#jit_above_cost = 100000 # perform JIT compilation if available
# and query more expensive than this;
# -1 disables
#jit_inline_above_cost = 500000 # inline small functions if query is
# more expensive than this; -1 disables
#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if
# query is more expensive than this;
# -1 disables
#min_parallel_table_scan_size = 8MB
#min_parallel_index_scan_size = 512kB
#effective_cache_size = 4GB
# - Genetic Query Optimizer -
#geqo = on
#geqo_threshold = 12
#geqo_effort = 5 # range 1-10
#geqo_pool_size = 0 # selects default based on effort
#geqo_generations = 0 # selects default based on effort
#geqo_selection_bias = 2.0 # range 1.5-2.0
#geqo_seed = 0.0 # range 0.0-1.0
# - Other Planner Options -
#default_statistics_target = 100 # range 1-10000
#constraint_exclusion = partition # on, off, or partition
#cursor_tuple_fraction = 0.1 # range 0.0-1.0
#from_collapse_limit = 8
#join_collapse_limit = 8 # 1 disables collapsing of explicit
# JOIN clauses
#force_parallel_mode = off
#jit = on # allow JIT compilation
#plan_cache_mode = auto # auto, force_generic_plan or
# force_custom_plan
#------------------------------------------------------------------------------
# REPORTING AND LOGGING
#------------------------------------------------------------------------------
# - Where to Log -
#log_destination = 'stderr' # Valid values are combinations of
# stderr, csvlog, syslog, and eventlog,
# depending on platform. csvlog
# requires logging_collector to be on.
# This is used when logging to stderr:
#logging_collector = off # Enable capturing of stderr and csvlog
# into log files. Required to be on for
# csvlogs.
# (change requires restart)
# These are only used if logging_collector is on:
#log_directory = 'log' # directory where log files are written,
# can be absolute or relative to PGDATA
#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
# can include strftime() escapes
#log_file_mode = 0600 # creation mode for log files,
# begin with 0 to use octal notation
#log_truncate_on_rotation = off # If on, an existing log file with the
# same name as the new log file will be
# truncated rather than appended to.
# But such truncation only occurs on
# time-driven rotation, not on restarts
# or size-driven rotation. Default is
# off, meaning append to existing files
# in all cases.
#log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#log_rotation_size = 10MB # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
# These are relevant when logging to syslog:
#syslog_facility = 'LOCAL0'
#syslog_ident = 'postgres'
#syslog_sequence_numbers = on
#syslog_split_messages = on
# This is only relevant when logging to eventlog (win32):
# (change requires restart)
#event_source = 'PostgreSQL'
# - When to Log -
#log_min_messages = warning # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic
#log_min_error_statement = error # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic (effectively off)
#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
# and their durations, > 0 logs only
# statements running at least this number
# of milliseconds
#log_transaction_sample_rate = 0.0 # Fraction of transactions whose statements
# are logged regardless of their duration. 1.0 logs all
# statements from all transactions, 0.0 never logs.
# - What to Log -
#debug_print_parse = off
#debug_print_rewritten = off
#debug_print_plan = off
#debug_pretty_print = on
#log_checkpoints = off
#log_connections = off
#log_disconnections = off
#log_duration = off
#log_error_verbosity = default # terse, default, or verbose messages
#log_hostname = off
#log_line_prefix = '%m [%p] ' # special values:
# %a = application name
# %u = user name
# %d = database name
# %r = remote host and port
# %h = remote host
# %p = process ID
# %t = timestamp without milliseconds
# %m = timestamp with milliseconds
# %n = timestamp with milliseconds (as a Unix epoch)
# %i = command tag
# %e = SQL state
# %c = session ID
# %l = session line number
# %s = session start timestamp
# %v = virtual transaction ID
# %x = transaction ID (0 if none)
# %q = stop here in non-session
# processes
# %% = '%'
# e.g. '<%u%%%d> '
#log_lock_waits = off # log lock waits >= deadlock_timeout
#log_statement = 'none' # none, ddl, mod, all
#log_replication_commands = off
#log_temp_files = -1 # log temporary files equal or larger
# than the specified size in kilobytes;
# -1 disables, 0 logs all temp files
#log_timezone = 'GMT'
#------------------------------------------------------------------------------
# PROCESS TITLE
#------------------------------------------------------------------------------
#cluster_name = '' # added to process titles if nonempty
# (change requires restart)
#update_process_title = on
#------------------------------------------------------------------------------
# STATISTICS
#------------------------------------------------------------------------------
# - Query and Index Statistics Collector -
#track_activities = on
#track_counts = on
#track_io_timing = off
#track_functions = none # none, pl, all
#track_activity_query_size = 1024 # (change requires restart)
#stats_temp_directory = 'pg_stat_tmp'
# - Monitoring -
#log_parser_stats = off
#log_planner_stats = off
#log_executor_stats = off
#log_statement_stats = off
#------------------------------------------------------------------------------
# AUTOVACUUM
#------------------------------------------------------------------------------
#autovacuum = on # Enable autovacuum subprocess? 'on'
# requires track_counts to also be on.
#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
# their durations, > 0 logs only
# actions running at least this number
# of milliseconds.
#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
# (change requires restart)
#autovacuum_naptime = 1min # time between autovacuum runs
#autovacuum_vacuum_threshold = 50 # min number of row updates before
# vacuum
#autovacuum_analyze_threshold = 50 # min number of row updates before
# analyze
#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
# (change requires restart)
#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age
# before forced vacuum
# (change requires restart)
#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for
# autovacuum, in milliseconds;
# -1 means use vacuum_cost_delay
#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
# autovacuum, -1 means use
# vacuum_cost_limit
#------------------------------------------------------------------------------
# CLIENT CONNECTION DEFAULTS
#------------------------------------------------------------------------------
# - Statement Behavior -
#client_min_messages = notice # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# log
# notice
# warning
# error
#search_path = '"$user", public' # schema names
#row_security = on
#default_tablespace = '' # a tablespace name, '' uses the default
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
#default_table_access_method = 'heap'
#check_function_bodies = on
#default_transaction_isolation = 'read committed'
#default_transaction_read_only = off
#default_transaction_deferrable = off
#session_replication_role = 'origin'
#statement_timeout = 0 # in milliseconds, 0 is disabled
#lock_timeout = 0 # in milliseconds, 0 is disabled
#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
#vacuum_freeze_min_age = 50000000
#vacuum_freeze_table_age = 150000000
#vacuum_multixact_freeze_min_age = 5000000
#vacuum_multixact_freeze_table_age = 150000000
#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples
# before index cleanup, 0 always performs
# index cleanup
#bytea_output = 'hex' # hex, escape
#xmlbinary = 'base64'
#xmloption = 'content'
#gin_fuzzy_search_limit = 0
#gin_pending_list_limit = 4MB
# - Locale and Formatting -
#datestyle = 'iso, mdy'
#intervalstyle = 'postgres'
#timezone = 'GMT'
#timezone_abbreviations = 'Default' # Select the set of available time zone
# abbreviations. Currently, there are
# Default
# Australia (historical usage)
# India
# You can create your own file in
# share/timezonesets/.
#extra_float_digits = 1 # min -15, max 3; any value >0 actually
# selects precise output mode
#client_encoding = sql_ascii # actually, defaults to database
# encoding
# These settings are initialized by initdb, but they can be changed.
#lc_messages = 'C' # locale for system error message
# strings
#lc_monetary = 'C' # locale for monetary formatting
#lc_numeric = 'C' # locale for number formatting
#lc_time = 'C' # locale for time formatting
# default configuration for text search
#default_text_search_config = 'pg_catalog.simple'
# - Shared Library Preloading -
#shared_preload_libraries = '' # (change requires restart)
#local_preload_libraries = ''
#session_preload_libraries = ''
#jit_provider = 'llvmjit' # JIT library to use
# - Other Defaults -
#dynamic_library_path = '$libdir'
#------------------------------------------------------------------------------
# LOCK MANAGEMENT
#------------------------------------------------------------------------------
#deadlock_timeout = 1s
#max_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_relation = -2 # negative values mean
# (max_pred_locks_per_transaction
# / -max_pred_locks_per_relation) - 1
#max_pred_locks_per_page = 2 # min 0
#------------------------------------------------------------------------------
# VERSION AND PLATFORM COMPATIBILITY
#------------------------------------------------------------------------------
# - Previous PostgreSQL Versions -
#array_nulls = on
#backslash_quote = safe_encoding # on, off, or safe_encoding
#escape_string_warning = on
#lo_compat_privileges = off
#operator_precedence_warning = off
#quote_all_identifiers = off
#standard_conforming_strings = on
#synchronize_seqscans = on
# - Other Platforms and Clients -
#transform_null_equals = off
#------------------------------------------------------------------------------
# ERROR HANDLING
#------------------------------------------------------------------------------
#exit_on_error = off # terminate session on any error?
#restart_after_crash = on # reinitialize after backend crash?
#data_sync_retry = off # retry or panic on failure to fsync
# data?
# (change requires restart)
#------------------------------------------------------------------------------
# CONFIG FILE INCLUDES
#------------------------------------------------------------------------------
# These options allow settings to be loaded from files other than the
# default postgresql.conf. Note that these are directives, not variable
# assignments, so they can usefully be given more than once.
#include_dir = '...' # include files ending in '.conf' from
# a directory, e.g., 'conf.d'
#include_if_exists = '...' # include file only if it exists
#include = '...' # include file
#------------------------------------------------------------------------------
# CUSTOMIZED OPTIONS
#------------------------------------------------------------------------------
# Add settings for extensions here

44
molecule/quarkus_ha/prepare.yml Normal file
View File

@@ -0,0 +1,44 @@
---
- name: Prepare
hosts: keycloak
tasks:
- name: "Display hera_home if defined."
ansible.builtin.set_fact:
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- name: "Ensure common prepare phase are set."
ansible.builtin.include_tasks: ../prepare.yml
- name: Create certificate request
ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
delegate_to: localhost
changed_when: False
- name: Create vault directory
become: true
ansible.builtin.file:
state: directory
path: "/opt/keycloak/vault"
mode: 0755
- name: Make sure a jre is available (for keytool to prepare keystore)
delegate_to: localhost
ansible.builtin.package:
name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
state: present
become: true
failed_when: false
- name: Create vault keystore
ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
delegate_to: localhost
register: keytool_cmd
changed_when: False
failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
- name: Copy certificates and vault
become: true
ansible.builtin.copy:
src: keystore.p12
dest: /opt/keycloak/vault/keystore.p12
mode: 0444

1
molecule/quarkus_ha/roles Symbolic link
View File

@@ -0,0 +1 @@
../../roles

29
molecule/quarkus_ha/verify.yml Normal file
View File

@@ -0,0 +1,29 @@
---
- name: Verify
hosts: keycloak
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
- name: Check if keycloak service started
ansible.builtin.assert:
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"
- ansible_facts.services["keycloak.service"]["status"] == "enabled"
fail_msg: "Service not running"
- name: Set internal envvar
ansible.builtin.set_fact:
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- name: Check log file
become: true
ansible.builtin.stat:
path: /var/log/keycloak/keycloak.log
register: keycloak_log_file
- name: Check if keycloak file exists
ansible.builtin.assert:
that:
- keycloak_log_file.stat.exists
- not keycloak_log_file.stat.isdir

10
molecule/quarkus_upgrade/converge.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- name: Converge
hosts: all
vars_files:
- vars.yml
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_version: 24.0.3
roles:
- role: keycloak_quarkus

43
molecule/quarkus_upgrade/molecule.yml Normal file
View File

@@ -0,0 +1,43 @@
---
dependency:
name: galaxy
options:
requirements-file: molecule/requirements.yml
driver:
name: docker
platforms:
- name: instance
image: registry.access.redhat.com/ubi9/ubi-init:latest
command: "/usr/sbin/init"
pre_build_image: true
privileged: true
port_bindings:
- 8080:8080
published_ports:
- 0.0.0.0:8080:8080/TCP
provisioner:
name: ansible
playbooks:
prepare: prepare.yml
converge: converge.yml
verify: verify.yml
inventory:
host_vars:
localhost:
ansible_python_interpreter: "{{ ansible_playbook_python }}"
verifier:
name: ansible
scenario:
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- side_effect
- verify
- cleanup
- destroy

52
molecule/quarkus_upgrade/prepare.yml Normal file
View File

@@ -0,0 +1,52 @@
---
- name: Prepare
hosts: all
vars_files:
- vars.yml
vars:
sudo_pkg_name: sudo
keycloak_quarkus_version: 23.0.7
pre_tasks:
- name: Install sudo
ansible.builtin.apt:
name:
- sudo
- openjdk-17-jdk-headless
state: present
when:
- ansible_facts.os_family == 'Debian'
- name: "Ensure common prepare phase are set."
ansible.builtin.include_tasks: ../prepare.yml
- name: Display Ansible version
ansible.builtin.debug:
msg: "Ansible version is {{ ansible_version.full }}"
- name: "Ensure {{ sudo_pkg_name }} is installed (if user is root)."
ansible.builtin.dnf:
name: "{{ sudo_pkg_name }}"
when:
- ansible_user_id == 'root'
- name: Gather the package facts
ansible.builtin.package_facts:
manager: auto
- name: "Check if {{ sudo_pkg_name }} is installed."
ansible.builtin.assert:
that:
- sudo_pkg_name in ansible_facts.packages
- name: Create certificate request
ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
delegate_to: localhost
changed_when: false
roles:
- role: keycloak_quarkus
post_tasks:
- name: "Delete custom fact"
ansible.builtin.file:
path: /etc/ansible/facts.d/keycloak.fact
state: absent
become: true

1
molecule/quarkus_upgrade/roles Symbolic link
View File

@@ -0,0 +1 @@
../../roles

14
molecule/quarkus_upgrade/vars.yml Normal file
View File

@@ -0,0 +1,14 @@
---
keycloak_quarkus_offline_install: false
keycloak_quarkus_admin_password: "remembertochangeme"
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_quarkus_realm: TestRealm
keycloak_quarkus_host: instance
keycloak_quarkus_log: file
keycloak_quarkus_https_key_file_enabled: true
keycloak_quarkus_log_target: /tmp/keycloak
keycloak_quarkus_hostname_strict: false
keycloak_quarkus_cert_file_copy_enabled: true
keycloak_quarkus_key_file_copy_enabled: true
keycloak_quarkus_key_content: "{{ lookup('file', 'key.pem') }}"
keycloak_quarkus_cert_file_src: cert.pem

32
molecule/quarkus_upgrade/verify.yml Normal file
View File

@@ -0,0 +1,32 @@
---
- name: Verify
hosts: instance
vars:
keycloak_quarkus_admin_password: "remembertochangeme"
keycloak_quarkus_port: http://localhost:8080
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
- name: Check if keycloak service started
ansible.builtin.assert:
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"
- ansible_facts.services["keycloak.service"]["status"] == "enabled"
- name: Verify we are running on requested jvm
ansible.builtin.shell: |
set -eo pipefail
ps -ef | grep 'etc/alternatives/.*17' | grep -v grep
changed_when: false
- name: Verify token api call
ansible.builtin.uri:
url: "{{ keycloak_quarkus_port }}/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_admin_password }}&grant_type=password"
validate_certs: no
register: keycloak_auth_response
until: keycloak_auth_response.status == 200
retries: 2
delay: 2

2
molecule/requirements.yml
View File

@@ -5,7 +5,7 @@ collections:
- name: community.general
- name: ansible.posix
- name: community.docker
version: ">=1.9.1"
version: ">=3.8.0"
roles:
- name: elan.simple_nginx_reverse_proxy

2
plugins/modules/keycloak_client.py
View File

@@ -637,7 +637,7 @@ EXAMPLES = '''
- test01
- test02
authentication_flow_binding_overrides:
browser: 4c90336b-bf1d-4b87-916d-3677ba4e5fbb
browser: 4c90336b-bf1d-4b87-916d-3677ba4e5fbb
protocol_mappers:
- config:
access.token.claim: true

16
plugins/modules/keycloak_role.py
View File

@@ -142,14 +142,14 @@ EXAMPLES = '''
auth_password: PASSWORD
name: my-new-role
attributes:
attrib1: value1
attrib2: value2
attrib3:
- with
- numerous
- individual
- list
- items
attrib1: value1
attrib2: value2
attrib3:
- with
- numerous
- individual
- list
- items
delegate_to: localhost
'''

180
plugins/modules/keycloak_user_federation.py
View File

@@ -475,99 +475,99 @@ author:
'''
EXAMPLES = '''
- name: Create LDAP user federation
middleware_automation.keycloak.keycloak_user_federation:
auth_keycloak_url: https://keycloak.example.com/auth
auth_realm: master
auth_username: admin
auth_password: password
realm: my-realm
name: my-ldap
state: present
provider_id: ldap
provider_type: org.keycloak.storage.UserStorageProvider
config:
priority: 0
enabled: true
cachePolicy: DEFAULT
batchSizeForSync: 1000
editMode: READ_ONLY
importEnabled: true
syncRegistrations: false
vendor: other
usernameLDAPAttribute: uid
rdnLDAPAttribute: uid
uuidLDAPAttribute: entryUUID
userObjectClasses: inetOrgPerson, organizationalPerson
connectionUrl: ldaps://ldap.example.com:636
usersDn: ou=Users,dc=example,dc=com
authType: simple
bindDn: cn=directory reader
bindCredential: password
searchScope: 1
validatePasswordPolicy: false
trustEmail: false
useTruststoreSpi: ldapsOnly
connectionPooling: true
pagination: true
allowKerberosAuthentication: false
debug: false
useKerberosForPasswordAuthentication: false
mappers:
- name: "full name"
providerId: "full-name-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
ldap.full.name.attribute: cn
read.only: true
write.only: false
- name: Create LDAP user federation
middleware_automation.keycloak.keycloak_user_federation:
auth_keycloak_url: https://keycloak.example.com/auth
auth_realm: master
auth_username: admin
auth_password: password
realm: my-realm
name: my-ldap
state: present
provider_id: ldap
provider_type: org.keycloak.storage.UserStorageProvider
config:
priority: 0
enabled: true
cachePolicy: DEFAULT
batchSizeForSync: 1000
editMode: READ_ONLY
importEnabled: true
syncRegistrations: false
vendor: other
usernameLDAPAttribute: uid
rdnLDAPAttribute: uid
uuidLDAPAttribute: entryUUID
userObjectClasses: inetOrgPerson, organizationalPerson
connectionUrl: ldaps://ldap.example.com:636
usersDn: ou=Users,dc=example,dc=com
authType: simple
bindDn: cn=directory reader
bindCredential: password
searchScope: 1
validatePasswordPolicy: false
trustEmail: false
useTruststoreSpi: ldapsOnly
connectionPooling: true
pagination: true
allowKerberosAuthentication: false
debug: false
useKerberosForPasswordAuthentication: false
mappers:
- name: "full name"
providerId: "full-name-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
ldap.full.name.attribute: cn
read.only: true
write.only: false
- name: Create Kerberos user federation
middleware_automation.keycloak.keycloak_user_federation:
auth_keycloak_url: https://keycloak.example.com/auth
auth_realm: master
auth_username: admin
auth_password: password
realm: my-realm
name: my-kerberos
state: present
provider_id: kerberos
provider_type: org.keycloak.storage.UserStorageProvider
config:
priority: 0
enabled: true
cachePolicy: DEFAULT
kerberosRealm: EXAMPLE.COM
serverPrincipal: HTTP/host.example.com@EXAMPLE.COM
keyTab: keytab
allowPasswordAuthentication: false
updateProfileFirstLogin: false
- name: Create Kerberos user federation
middleware_automation.keycloak.keycloak_user_federation:
auth_keycloak_url: https://keycloak.example.com/auth
auth_realm: master
auth_username: admin
auth_password: password
realm: my-realm
name: my-kerberos
state: present
provider_id: kerberos
provider_type: org.keycloak.storage.UserStorageProvider
config:
priority: 0
enabled: true
cachePolicy: DEFAULT
kerberosRealm: EXAMPLE.COM
serverPrincipal: HTTP/host.example.com@EXAMPLE.COM
keyTab: keytab
allowPasswordAuthentication: false
updateProfileFirstLogin: false
- name: Create sssd user federation
middleware_automation.keycloak.keycloak_user_federation:
auth_keycloak_url: https://keycloak.example.com/auth
auth_realm: master
auth_username: admin
auth_password: password
realm: my-realm
name: my-sssd
state: present
provider_id: sssd
provider_type: org.keycloak.storage.UserStorageProvider
config:
priority: 0
enabled: true
cachePolicy: DEFAULT
- name: Create sssd user federation
middleware_automation.keycloak.keycloak_user_federation:
auth_keycloak_url: https://keycloak.example.com/auth
auth_realm: master
auth_username: admin
auth_password: password
realm: my-realm
name: my-sssd
state: present
provider_id: sssd
provider_type: org.keycloak.storage.UserStorageProvider
config:
priority: 0
enabled: true
cachePolicy: DEFAULT
- name: Delete user federation
middleware_automation.keycloak.keycloak_user_federation:
auth_keycloak_url: https://keycloak.example.com/auth
auth_realm: master
auth_username: admin
auth_password: password
realm: my-realm
name: my-federation
state: absent
- name: Delete user federation
middleware_automation.keycloak.keycloak_user_federation:
auth_keycloak_url: https://keycloak.example.com/auth
auth_realm: master
auth_username: admin
auth_password: password
realm: my-realm
name: my-federation
state: absent
'''
RETURN = '''

5
requirements.txt
View File

@@ -1,6 +1,7 @@
#################################################
# python dependencies required to be installed
# python dependencies required to be installed
# on the controller host with:
# pip install -r requirements.txt
#
netaddr
netaddr
lxml # for middleware_automation.common.maven_artifact

1
requirements.yml
View File

@@ -1,4 +1,5 @@
---
collections:
- name: middleware_automation.common
version: ">=1.2.1"
- name: ansible.posix

1
roles/keycloak/README.md
View File

@@ -10,6 +10,7 @@ Requirements
This role requires the `python3-netaddr` library installed on the controller node.
* to install via yum/dnf: `dnf install python3-netaddr`
* to install via apt: `apt install python3-netaddr`
* or via pip: `pip install netaddr==0.8.0`
* or via the collection: `pip install -r requirements.txt`

2
roles/keycloak/defaults/main.yml
View File

@@ -8,7 +8,6 @@ keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
keycloak_offline_install: false
### Install location and service settings
keycloak_jvm_package: java-1.8.0-openjdk-headless
keycloak_java_home:
keycloak_dest: /opt/keycloak
keycloak_jboss_home: "{{ keycloak_installdir }}"
@@ -33,6 +32,7 @@ keycloak_service_startlimitburst: "5"
keycloak_service_restartsec: "10s"
keycloak_configure_firewalld: false
keycloak_configure_iptables: false
### administrator console password
keycloak_admin_password: ''

79
roles/keycloak/meta/argument_specs.yml
View File

@@ -2,42 +2,38 @@ argument_specs:
main:
options:
keycloak_version:
# line 3 of keycloak/defaults/main.yml
default: "18.0.2"
description: "keycloak.org package version"
type: "str"
keycloak_archive:
# line 4 of keycloak/defaults/main.yml
default: "keycloak-legacy-{{ keycloak_version }}.zip"
description: "keycloak install archive filename"
type: "str"
keycloak_configure_iptables:
default: false
description: "Ensure iptables is running and configure keycloak ports"
type: "bool"
keycloak_configure_firewalld:
# line 33 of keycloak/defaults/main.yml
default: false
description: "Ensure firewalld is running and configure keycloak ports"
type: "bool"
keycloak_download_url:
# line 5 of keycloak/defaults/main.yml
default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
description: "Download URL for keycloak"
type: "str"
keycloak_download_url_9x:
# line 6 of keycloak/defaults/main.yml
default: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
description: "Download URL for keycloak (deprecated)"
type: "str"
keycloak_installdir:
# line 7 of keycloak/defaults/main.yml
default: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
description: "Installation path"
type: "str"
keycloak_offline_install:
# line 20 of keycloak/defaults/main.yml
default: false
description: "Perform an offline install"
type: "bool"
keycloak_jvm_package:
# line 23 of keycloak/defaults/main.yml
default: "java-1.8.0-openjdk-headless"
description: "RHEL java package runtime rpm"
type: "str"
@@ -45,12 +41,10 @@ argument_specs:
description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path"
type: "str"
keycloak_dest:
# line 24 of keycloak/defaults/main.yml
default: "/opt/keycloak"
description: "Root installation directory"
type: "str"
keycloak_jboss_home:
# line 25 of keycloak/defaults/main.yml
default: "{{ keycloak_installdir }}"
description: "Installation work directory"
type: "str"
@@ -59,52 +53,44 @@ argument_specs:
description: "Port offset for the JBoss socket binding"
type: "int"
keycloak_config_dir:
# line 26 of keycloak/defaults/main.yml
default: "{{ keycloak_jboss_home }}/standalone/configuration"
description: "Path for configuration"
type: "str"
keycloak_config_standalone_xml:
# line 27 of keycloak/defaults/main.yml
default: "keycloak.xml"
description: "Service configuration filename"
type: "str"
keycloak_config_path_to_standalone_xml:
# line 28 of keycloak/defaults/main.yml
default: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
description: "Custom path for configuration"
type: "str"
keycloak_config_override_template:
# line 30 of keycloak/defaults/main.yml
default: ""
description: "Path to custom template for standalone.xml configuration"
type: "str"
keycloak_service_runas:
# line 20 of keycloak/defaults/main.yml
keycloak_service_runas:
default: false
description: "Enable execution of service as `keycloak_service_user`"
type: "bool"
keycloak_service_user:
# line 29 of keycloak/defaults/main.yml
default: "keycloak"
description: "posix account username"
type: "str"
keycloak_service_group:
# line 30 of keycloak/defaults/main.yml
default: "keycloak"
description: "posix account group"
type: "str"
keycloak_service_pidfile:
# line 31 of keycloak/defaults/main.yml
default: "/run/keycloak/keycloak.pid"
description: "PID file path for service"
type: "str"
keycloak_features:
# line 17 of keycloak/defaults/main.yml
default: "[]"
description: "List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]`"
description: >
List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`,
example: `[ { name: 'docker', status: 'enabled' } ]`
type: "list"
keycloak_bind_address:
# line 34 of keycloak/defaults/main.yml
default: "0.0.0.0"
description: "Address for binding service ports"
type: "str"
@@ -113,52 +99,42 @@ argument_specs:
description: "Address for binding the management ports"
type: "str"
keycloak_host:
# line 35 of keycloak/defaults/main.yml
default: "localhost"
description: "Hostname for service"
type: "str"
keycloak_http_port:
# line 36 of keycloak/defaults/main.yml
default: 8080
description: "Listening HTTP port"
type: "int"
keycloak_https_port:
# line 37 of keycloak/defaults/main.yml
default: 8443
description: "Listening HTTPS port"
type: "int"
keycloak_ajp_port:
# line 38 of keycloak/defaults/main.yml
default: 8009
description: "Listening AJP port"
type: "int"
keycloak_jgroups_port:
# line 39 of keycloak/defaults/main.yml
default: 7600
description: "jgroups cluster tcp port"
type: "int"
keycloak_management_http_port:
# line 40 of keycloak/defaults/main.yml
default: 9990
description: "Management port (http)"
type: "int"
keycloak_management_https_port:
# line 41 of keycloak/defaults/main.yml
default: 9993
description: "Management port (https)"
type: "int"
keycloak_java_opts:
# line 42 of keycloak/defaults/main.yml
default: "-Xms1024m -Xmx2048m"
description: "Additional JVM options"
type: "str"
keycloak_prefer_ipv4:
# line 43 of keycloak/defaults/main.yml
default: true
description: "Prefer IPv4 stack and addresses for port binding"
type: "bool"
keycloak_ha_enabled:
# line 46 of keycloak/defaults/main.yml
default: false
description: "Enable auto configuration for database backend, clustering and remote caches on infinispan"
type: "bool"
@@ -167,27 +143,22 @@ argument_specs:
description: "Discovery protocol for HA cluster members"
type: "str"
keycloak_db_enabled:
# line 48 of keycloak/defaults/main.yml
default: "{{ True if keycloak_ha_enabled else False }}"
description: "Enable auto configuration for database backend"
type: "bool"
keycloak_admin_user:
# line 51 of keycloak/defaults/main.yml
default: "admin"
description: "Administration console user account"
type: "str"
keycloak_auth_realm:
# line 52 of keycloak/defaults/main.yml
default: "master"
description: "Name for rest authentication realm"
type: "str"
keycloak_auth_client:
# line 53 of keycloak/defaults/main.yml
default: "admin-cli"
description: "Authentication client for configuration REST calls"
type: "str"
keycloak_force_install:
# line 55 of keycloak/defaults/main.yml
default: false
description: "Remove pre-existing versions of service"
type: "bool"
@@ -196,7 +167,6 @@ argument_specs:
description: "Enable configuration for modcluster subsystem"
type: "bool"
keycloak_modcluster_url:
# line 58 of keycloak/defaults/main.yml
default: "localhost"
description: "URL for the modcluster reverse proxy"
type: "str"
@@ -209,7 +179,6 @@ argument_specs:
description: "List of modproxy node URLs in the format { host, port } for the modcluster reverse proxy"
type: "list"
keycloak_frontend_url:
# line 59 of keycloak/defaults/main.yml
default: "http://localhost"
description: "Frontend URL for keycloak endpoints when a reverse proxy is used"
type: "str"
@@ -218,77 +187,62 @@ argument_specs:
description: "Force backend requests to use the frontend URL"
type: "bool"
keycloak_infinispan_user:
# line 62 of keycloak/defaults/main.yml
default: "supervisor"
description: "Username for connecting to infinispan"
type: "str"
keycloak_infinispan_pass:
# line 63 of keycloak/defaults/main.yml
default: "supervisor"
description: "Password for connecting to infinispan"
type: "str"
keycloak_infinispan_url:
# line 64 of keycloak/defaults/main.yml
default: "localhost"
description: "URL for the infinispan remote-cache server"
type: "str"
keycloak_infinispan_sasl_mechanism:
# line 65 of keycloak/defaults/main.yml
default: "SCRAM-SHA-512"
description: "Authentication type to infinispan server"
type: "str"
keycloak_infinispan_use_ssl:
# line 66 of keycloak/defaults/main.yml
default: false
description: "Enable hotrod client TLS communication"
type: "bool"
keycloak_infinispan_trust_store_path:
# line 68 of keycloak/defaults/main.yml
default: "/etc/pki/java/cacerts"
description: "TODO document argument"
type: "str"
keycloak_infinispan_trust_store_password:
# line 69 of keycloak/defaults/main.yml
default: "changeit"
description: "Path to truststore containing infinispan server certificate"
type: "str"
keycloak_jdbc_engine:
# line 72 of keycloak/defaults/main.yml
default: "postgres"
description: "Backend database flavour when db is enabled: [ postgres, mariadb, sqlserver ]"
type: "str"
keycloak_db_user:
# line 74 of keycloak/defaults/main.yml
default: "keycloak-user"
description: "Username for connecting to database"
type: "str"
keycloak_db_pass:
# line 75 of keycloak/defaults/main.yml
default: "keycloak-pass"
description: "Password for connecting to database"
type: "str"
keycloak_jdbc_url:
# line 76 of keycloak/defaults/main.yml
default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
description: "URL for connecting to backend database"
type: "str"
keycloak_jdbc_driver_version:
# line 77 of keycloak/defaults/main.yml
default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
description: "Version for the JDBC driver to download"
type: "str"
keycloak_admin_password:
# line 4 of keycloak/vars/main.yml
required: true
description: "Password for the administration console user account"
type: "str"
keycloak_url:
# line 12 of keycloak/vars/main.yml
default: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
description: "URL for configuration rest calls"
type: "str"
keycloak_management_url:
# line 13 of keycloak/vars/main.yml
default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"
description: "URL for management console rest calls"
type: "str"
@@ -358,12 +312,27 @@ argument_specs:
type: "str"
keycloak_jgroups_subnet:
required: false
description: "Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration"
description: >
Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration
type: "str"
keycloak_log_target:
default: '/var/log/keycloak'
type: "str"
description: "Set the destination of the keycloak log folder link"
keycloak_jdbc_download_url:
description: "Override the default Maven Central download URL for the JDBC driver"
type: "str"
keycloak_jdbc_download_user:
description: "Set a username with which to authenticate when downloading JDBC drivers from an alternative location"
type: "str"
keycloak_jdbc_download_pass:
description: >
Set a password with which to authenticate when downloading JDBC drivers from an alternative location (requires keycloak_jdbc_download_user)
type: "str"
keycloak_jdbc_download_validate_certs:
default: true
description: "Allow the option to ignore invalid certificates when downloading JDBC drivers from a custom URL"
type: "bool"
downstream:
options:
sso_version:

2
roles/keycloak/meta/main.yml
View File

@@ -12,7 +12,7 @@ galaxy_info:
license: Apache License 2.0
min_ansible_version: "2.14"
min_ansible_version: "2.15"
platforms:
- name: EL

6
roles/keycloak/tasks/debian.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: Include firewall config tasks
ansible.builtin.include_tasks: iptables.yml
when: keycloak_configure_iptables
tags:
- firewall

20
roles/keycloak/tasks/fastpackages.yml
View File

@@ -4,14 +4,28 @@
register: rpm_info
changed_when: false
failed_when: false
when: ansible_facts.os_family == "RedHat"
- name: "Add missing packages to the yum install list"
ansible.builtin.set_fact:
packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | \
map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
when: ansible_facts.os_family == "RedHat"
- name: "Install packages: {{ packages_to_install }}"
become: true
ansible.builtin.yum:
ansible.builtin.dnf:
name: "{{ packages_to_install }}"
state: present
when: packages_to_install | default([]) | length > 0
when:
- packages_to_install | default([]) | length > 0
- ansible_facts.os_family == "RedHat"
- name: "Install packages: {{ packages_list }}"
become: true
ansible.builtin.package:
name: "{{ packages_list }}"
state: present
when:
- packages_list | default([]) | length > 0
- ansible_facts.os_family == "Debian"

24
roles/keycloak/tasks/install.yml
View File

@@ -41,8 +41,8 @@
ansible.builtin.user:
name: "{{ keycloak_service_user }}"
home: /opt/keycloak
system: yes
create_home: no
system: true
create_home: false
- name: "Create install location for {{ keycloak.service_name }}"
become: true
@@ -51,7 +51,7 @@
state: directory
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0750
mode: '0750'
- name: Create pidfile folder
become: true
@@ -60,7 +60,7 @@
state: directory
owner: "{{ keycloak_service_user if keycloak_service_runas else omit }}"
group: "{{ keycloak_service_group if keycloak_service_runas else omit }}"
mode: 0750
mode: '0750'
## check remote archive
- name: Set download archive path
@@ -84,7 +84,7 @@
ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
url: "{{ keycloak_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
mode: 0644
mode: '0644'
delegate_to: localhost
run_once: true
when:
@@ -136,7 +136,7 @@
ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
url: "{{ keycloak_rhsso_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
mode: 0644
mode: '0644'
delegate_to: localhost
run_once: true
when:
@@ -160,7 +160,7 @@
dest: "{{ archive }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0640
mode: '0640'
register: new_version_downloaded
when:
- not archive_path.stat.exists
@@ -221,7 +221,7 @@
dest: "{{ keycloak_config_path_to_standalone_xml }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0640
mode: '0640'
notify:
- restart keycloak
when: keycloak_config_override_template | length > 0
@@ -233,7 +233,7 @@
dest: "{{ keycloak_config_path_to_standalone_xml }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0640
mode: '0640'
notify:
- restart keycloak
when:
@@ -261,7 +261,7 @@
dest: "{{ keycloak_config_path_to_standalone_xml }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0640
mode: '0640'
notify:
- restart keycloak
when:
@@ -276,7 +276,7 @@
dest: "{{ keycloak_config_path_to_standalone_xml }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0640
mode: '0640'
notify:
- restart keycloak
when:
@@ -291,7 +291,7 @@
dest: "{{ keycloak_config_path_to_properties }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0640
mode: '0640'
notify:
- restart keycloak
when: keycloak_features | length > 0

23
roles/keycloak/tasks/iptables.yml Normal file
View File

@@ -0,0 +1,23 @@
---
- name: Ensure required package iptables are installed
ansible.builtin.include_tasks: fastpackages.yml
vars:
packages_list:
- iptables
- name: "Configure firewall ports for {{ keycloak.service_name }}"
become: true
ansible.builtin.iptables:
destination_port: "{{ item }}"
action: "insert"
rule_num: 6 # magic number I forget why
chain: "INPUT"
policy: "ACCEPT"
protocol: tcp
loop:
- "{{ keycloak_http_port }}"
- "{{ keycloak_https_port }}"
- "{{ keycloak_management_http_port }}"
- "{{ keycloak_management_https_port }}"
- "{{ keycloak_jgroups_port }}"
- "{{ keycloak_ajp_port }}"

16
roles/keycloak/tasks/jdbc_driver.yml
View File

@@ -12,10 +12,17 @@
recurse: true
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0750
mode: '0750'
become: true
when:
- not dest_path.stat.exists
- name: "Verify valid parameters for download credentials when specified"
ansible.builtin.fail:
msg: >-
When JDBC driver download credentials are set, both the username and the password MUST be set
when: >
(keycloak_jdbc_download_user is undefined and keycloak_jdbc_download_pass is not undefined) or
(keycloak_jdbc_download_pass is undefined and keycloak_jdbc_download_user is not undefined)
- name: "Retrieve JDBC Driver from {{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_url }}"
ansible.builtin.get_url:
@@ -23,7 +30,10 @@
dest: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}/{{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_filename }}"
group: "{{ keycloak_service_group }}"
owner: "{{ keycloak_service_user }}"
mode: 0640
url_username: "{{ keycloak_jdbc_download_user | default(omit) }}"
url_password: "{{ keycloak_jdbc_download_pass | default(omit) }}"
validate_certs: "{{ keycloak_jdbc_download_validate_certs | default(omit) }}"
mode: '0640'
become: true
- name: "Deploy module.xml for JDBC Driver"
@@ -32,5 +42,5 @@
dest: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}/module.xml"
group: "{{ keycloak_service_group }}"
owner: "{{ keycloak_service_user }}"
mode: 0640
mode: '0640'
become: true

8
roles/keycloak/tasks/main.yml
View File

@@ -5,11 +5,10 @@
tags:
- prereqs
- name: Include firewall config tasks
ansible.builtin.include_tasks: firewalld.yml
when: keycloak_configure_firewalld
- name: Distro specific tasks
ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml"
tags:
- firewall
- unbound
- name: Include install tasks
ansible.builtin.include_tasks: install.yml
@@ -26,6 +25,7 @@
when:
- sso_apply_patches is defined and sso_apply_patches
- sso_enable is defined and sso_enable
- ansible_facts.os_family == "RedHat"
tags:
- install
- patch

29
roles/keycloak/tasks/prereqs.yml
View File

@@ -4,13 +4,16 @@
that:
- keycloak_admin_password | length > 12
quiet: true
fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_admin_password variable to a 12+ char long string"
fail_msg: >
The console administrator password is empty or invalid. Please set the keycloak_admin_password variable to a 12+ char long string
success_msg: "{{ 'Console administrator password OK' }}"
- name: Validate configuration
ansible.builtin.assert:
that:
- (keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and not keycloak_db_enabled)
that: >
(keycloak_ha_enabled and keycloak_db_enabled) or
(not keycloak_ha_enabled and keycloak_db_enabled) or
(not keycloak_ha_enabled and not keycloak_db_enabled)
quiet: true
fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_ha_enabled and keycloak_db_enabled"
success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"
@@ -36,12 +39,20 @@
success_msg: "Configuring JDBC persistence using {{ keycloak_jdbc_engine }} database"
when: keycloak_db_enabled
- name: Validate OS family
ansible.builtin.assert:
that:
- ansible_os_family in ["RedHat", "Debian"]
quiet: true
fail_msg: "Can only install on RedHat or Debian OS families; found {{ ansible_os_family }}"
success_msg: "Installing on {{ ansible_os_family }}"
- name: Load OS specific variables
ansible.builtin.include_vars: "vars/{{ ansible_os_family | lower }}.yml"
tags:
- always
- name: Ensure required packages are installed
ansible.builtin.include_tasks: fastpackages.yml
vars:
packages_list:
- "{{ keycloak_jvm_package }}"
- unzip
- procps-ng
- initscripts
- tzdata-java
packages_list: "{{ keycloak_prereq_package_list }}"

6
roles/keycloak/tasks/redhat.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: Include firewall config tasks
ansible.builtin.include_tasks: firewalld.yml
when: keycloak_configure_firewalld
tags:
- firewall

2
roles/keycloak/tasks/restart_keycloak.yml
View File

@@ -22,7 +22,7 @@
- name: "Restart and enable {{ keycloak.service_name }} service"
ansible.builtin.systemd:
name: keycloak
enabled: yes
enabled: true
state: restarted
become: true
when: inventory_hostname != ansible_play_hosts | first

2
roles/keycloak/tasks/rhsso_cli.yml
View File

@@ -10,4 +10,4 @@
ansible.builtin.command: >
{{ keycloak.cli_path }} --connect --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
changed_when: false
register: cli_result
register: cli_result

20
roles/keycloak/tasks/rhsso_patch.yml
View File

@@ -36,14 +36,16 @@
- name: Determine patch versions list
ansible.builtin.set_fact:
filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | map('regex_replace', '[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*)-.*', '\\1') | list | unique }}"
filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | \
select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | \
map('regex_replace', '[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*(-[0-9])?)-.*', '\\1') | list | unique }}"
when: sso_patch_version is not defined or sso_patch_version | length == 0
delegate_to: localhost
run_once: true
- name: Determine latest version
ansible.builtin.set_fact:
sso_latest_version: "{{ filtered_versions | middleware_automation.common.version_sort | last }}"
sso_latest_version: "{{ filtered_versions | middleware_automation.common.version_sort | last }}"
when: sso_patch_version is not defined or sso_patch_version | length == 0
delegate_to: localhost
run_once: true
@@ -70,7 +72,7 @@
middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
client_id: "{{ rhn_username }}"
client_secret: "{{ rhn_password }}"
product_id: "{{ (rhn_filtered_products | first).id }}"
product_id: "{{ (rhn_filtered_products | sort | last).id }}"
dest: "{{ local_path.stat.path }}/{{ patch_bundle }}"
no_log: "{{ omit_rhn_output | default(true) }}"
delegate_to: localhost
@@ -93,7 +95,7 @@
dest: "{{ patch_archive }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0640
mode: '0640'
register: new_version_downloaded
when:
- not patch_archive_path.stat.exists
@@ -114,7 +116,7 @@
when:
- cli_result is defined
- cli_result.stdout is defined
- patch_version not in cli_result.stdout
- patch_version | regex_replace('-[0-9]$', '') not in cli_result.stdout
block:
- name: "Apply patch {{ patch_version }} to server"
ansible.builtin.include_tasks: rhsso_cli.yml
@@ -133,8 +135,8 @@
- cli_result.rc == 0
args:
apply:
become: true
become_user: "{{ keycloak_service_user }}"
become: true
become_user: "{{ keycloak_service_user }}"
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:
@@ -150,8 +152,8 @@
query: "patch info"
args:
apply:
become: true
become_user: "{{ keycloak_service_user }}"
become: true
become_user: "{{ keycloak_service_user }}"
- name: "Verify installed patch version"
ansible.builtin.assert:

14
roles/keycloak/tasks/systemd.yml
View File

@@ -6,24 +6,18 @@
dest: "{{ keycloak_dest }}/keycloak-service.sh"
owner: root
group: root
mode: 0755
mode: '0755'
notify:
- restart keycloak
- name: Determine JAVA_HOME for selected JVM RPM
ansible.builtin.set_fact:
rpm_java_home: "/etc/alternatives/jre_{{ keycloak_jvm_package | regex_search('(?<=java-)[0-9.]+') }}"
- name: "Configure sysconfig file for {{ keycloak.service_name }} service"
become: true
ansible.builtin.template:
src: keycloak-sysconfig.j2
dest: /etc/sysconfig/keycloak
dest: "{{ keycloak_sysconf_file }}"
owner: root
group: root
mode: 0644
vars:
keycloak_rpm_java_home: "{{ rpm_java_home }}"
mode: '0644'
notify:
- restart keycloak
@@ -33,7 +27,7 @@
dest: /etc/systemd/system/keycloak.service
owner: root
group: root
mode: 0644
mode: '0644'
become: true
register: systemdunit
notify:

2
roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2
View File

@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
<!-- {{ ansible_managed }} -->
{{ ansible_managed | comment('xml') }}
<server xmlns="urn:jboss:domain:16.0">
<extensions>
<extension module="org.jboss.as.clustering.infinispan"/>

2
roles/keycloak/templates/15.0.8/standalone.xml.j2
View File

@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
<!-- {{ ansible_managed }} -->
{{ ansible_managed | comment('xml') }}
<server xmlns="urn:jboss:domain:16.0">
<extensions>
<extension module="org.jboss.as.clustering.infinispan"/>

2
roles/keycloak/templates/keycloak-service.sh.j2
View File

@@ -1,5 +1,5 @@
#!/bin/bash -eu
# {{ ansible_managed }}
{{ ansible_managed | comment }}
set +u -o pipefail

4
roles/keycloak/templates/keycloak-sysconfig.j2
View File

@@ -1,6 +1,6 @@
# {{ ansible_managed }}
{{ ansible_managed | comment }}
JAVA_OPTS='{{ keycloak_java_opts }}'
JAVA_HOME={{ keycloak_java_home | default(keycloak_rpm_java_home, true) }}
JAVA_HOME={{ keycloak_java_home | default(keycloak_pkg_java_home, true) }}
JBOSS_HOME={{ keycloak.home }}
KEYCLOAK_BIND_ADDRESS={{ keycloak_bind_address }}
KEYCLOAK_HTTP_PORT={{ keycloak_http_port }}

4
roles/keycloak/templates/keycloak.service.j2
View File

@@ -1,4 +1,4 @@
# {{ ansible_managed }}
{{ ansible_managed | comment }}
[Unit]
Description={{ keycloak.service_name }} Server
After=network.target
@@ -11,7 +11,7 @@ StartLimitBurst={{ keycloak_service_startlimitburst }}
User={{ keycloak_service_user }}
Group={{ keycloak_service_group }}
{% endif -%}
EnvironmentFile=-/etc/sysconfig/keycloak
EnvironmentFile=-{{ keycloak_sysconf_file }}
PIDFile={{ keycloak_service_pidfile }}
ExecStart={{ keycloak.home }}/bin/standalone.sh $WILDFLY_OPTS
WorkingDirectory={{ keycloak.home }}

2
roles/keycloak/templates/standalone-ha.xml.j2
View File

@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
<!-- {{ ansible_managed }} -->
{{ ansible_managed | comment('xml') }}
<server xmlns="urn:jboss:domain:16.0">
<extensions>
<extension module="org.jboss.as.clustering.infinispan"/>

2
roles/keycloak/templates/standalone-infinispan.xml.j2
View File

@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
<!-- {{ ansible_managed }} -->
{{ ansible_managed | comment('xml') }}
<server xmlns="urn:jboss:domain:16.0">
<extensions>
<extension module="org.jboss.as.clustering.infinispan"/>

8
roles/keycloak/templates/standalone.xml.j2
View File

@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
<!-- {{ ansible_managed }} -->
{{ ansible_managed | comment('xml') }}
<server xmlns="urn:jboss:domain:16.0">
<extensions>
<extension module="org.jboss.as.clustering.infinispan"/>
@@ -539,7 +539,7 @@
</mail-session>
</subsystem>
<subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
{% if keycloak_modcluster.enabled %}
{% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise="false" listener="ajp" proxies="{{ ['proxy_'] | product(keycloak_modcluster.reverse_proxy_urls | map(attribute='host')) | map('join') | list | join(' ') }}">
<dynamic-load-provider>
@@ -547,7 +547,7 @@
</dynamic-load-provider>
</proxy>
</subsystem>
{% endif %}
{% endif %}
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
@@ -621,6 +621,6 @@
<remote-destination host="{{ modcluster.host }}" port="{{ modcluster.port }}"/>
</outbound-socket-binding>
{% endfor %}
{% endif %}
{% endif %}
</socket-binding-group>
</server>

12
roles/keycloak/vars/debian.yml Normal file
View File

@@ -0,0 +1,12 @@
---
keycloak_varjvm_package: "{{ keycloak_jvm_package | default('openjdk-11-jdk-headless') }}"
keycloak_prereq_package_list:
- "{{ keycloak_varjvm_package }}"
- unzip
- procps
- apt
- tzdata
keycloak_configure_iptables: true
keycloak_sysconf_file: /etc/default/keycloak
keycloak_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_varjvm_package | \
regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"

14
roles/keycloak/vars/main.yml
View File

@@ -13,7 +13,8 @@ keycloak:
service_name: "{{ keycloak_service_name }}"
health_url: "{{ keycloak_management_url }}/health"
cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh"
config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 else 'standalone-ha.xml.j2' if keycloak_remote_cache_enabled else 'standalone.xml.j2' }}"
config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 \
else 'standalone-ha.xml.j2' if keycloak_remote_cache_enabled else 'standalone.xml.j2' }}"
features: "{{ keycloak_features }}"
# database
@@ -26,7 +27,8 @@ keycloak_jdbc:
driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/postgresql/main"
driver_version: "{{ keycloak_jdbc_driver_version }}"
driver_jar_filename: "postgresql-{{ keycloak_jdbc_driver_version }}.jar"
driver_jar_url: "https://repo.maven.apache.org/maven2/org/postgresql/postgresql/{{ keycloak_jdbc_driver_version }}/postgresql-{{ keycloak_jdbc_driver_version }}.jar"
driver_jar_url: >
{{ keycloak_maven_central }}org/postgresql/postgresql/{{ keycloak_jdbc_driver_version }}/postgresql-{{ keycloak_jdbc_driver_version }}.jar
connection_url: "{{ keycloak_jdbc_url }}"
db_user: "{{ keycloak_db_user }}"
db_password: "{{ keycloak_db_pass }}"
@@ -46,7 +48,8 @@ keycloak_jdbc:
driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/mariadb/main"
driver_version: "{{ keycloak_jdbc_driver_version }}"
driver_jar_filename: "mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar"
driver_jar_url: "https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/{{ keycloak_jdbc_driver_version }}/mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar"
driver_jar_url: >
{{ keycloak_maven_central }}org/mariadb/jdbc/mariadb-java-client/{{ keycloak_jdbc_driver_version }}/mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar
connection_url: "{{ keycloak_jdbc_url }}"
db_user: "{{ keycloak_db_user }}"
db_password: "{{ keycloak_db_pass }}"
@@ -67,7 +70,8 @@ keycloak_jdbc:
driver_module_dir: "{{ keycloak_jboss_home }}/modules/com/microsoft/sqlserver/main"
driver_version: "{{ keycloak_jdbc_driver_version }}"
driver_jar_filename: "mssql-java-client-{{ keycloak_jdbc_driver_version }}.jar"
driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/{{ keycloak_jdbc_driver_version }}.jre11/mssql-jdbc-{{ keycloak_jdbc_driver_version }}.jre11.jar" # e.g., https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar
driver_jar_url: >
{{ keycloak_maven_central }}com/microsoft/sqlserver/mssql-jdbc/{{ keycloak_jdbc_driver_version }}.jre11/mssql-jdbc-{{ keycloak_jdbc_driver_version }}.jre11.jar
connection_url: "{{ keycloak_jdbc_url }}"
db_user: "{{ keycloak_db_user }}"
db_password: "{{ keycloak_db_pass }}"
@@ -102,3 +106,5 @@ keycloak_remotecache:
use_ssl: "{{ keycloak_infinispan_use_ssl }}"
trust_store_path: "{{ keycloak_infinispan_trust_store_path }}"
trust_store_password: "{{ keycloak_infinispan_trust_store_password }}"
keycloak_maven_central: https://repo1.maven.org/maven2/

10
roles/keycloak/vars/redhat.yml Normal file
View File

@@ -0,0 +1,10 @@
---
keycloak_varjvm_package: "{{ keycloak_jvm_package | default('java-1.8.0-openjdk-headless') }}"
keycloak_prereq_package_list:
- "{{ keycloak_varjvm_package }}"
- unzip
- procps-ng
- initscripts
- tzdata-java
keycloak_sysconf_file: /etc/sysconfig/keycloak
keycloak_pkg_java_home: "/etc/alternatives/jre_{{ keycloak_varjvm_package | regex_search('(?<=java-)[0-9.]+') }}"

194
roles/keycloak_quarkus/README.md
View File

@@ -1,26 +1,48 @@
keycloak_quarkus
================
<!--start description -->
Install [keycloak](https://keycloak.org/) >= 20.0.0 (quarkus) server configurations.
<!--end description -->
Requirements
------------
This role requires the `python3-netaddr` and `lxml` library installed on the controller node.
* to install via yum/dnf: `dnf install python3-netaddr python3-lxml`
* to install via apt: `apt install python3-netaddr python3-lxml`
* or via the collection: `pip install -r requirements.txt`
Dependencies
------------
The roles depends on:
* [middleware_automation.common](https://github.com/ansible-middleware/common)
* [ansible-posix](https://docs.ansible.com/ansible/latest/collections/ansible/posix/index.html)
To install all the dependencies via galaxy:
ansible-galaxy collection install -r requirements.yml
Role Defaults
-------------
* Installation options
#### Installation options
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_version`| keycloak.org package version | `23.0.7` |
|`keycloak_quarkus_version`| keycloak.org package version | `24.0.4` |
|`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
|`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
|`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
* Service configuration
#### Service configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
|`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `TCPPING` |
|`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` |
|`keycloak_quarkus_admin_user`| Administration console user account | `admin` |
|`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` |
|`keycloak_quarkus_host`| Hostname for the Keycloak server | `localhost` |
@@ -29,32 +51,64 @@ Role Defaults
|`keycloak_quarkus_http_port`| HTTP listening port | `8080` |
|`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` |
|`keycloak_quarkus_ajp_port`| AJP port | `8009` |
|`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` |
|`keycloak_quarkus_service_user`| Posix account username | `keycloak` |
|`keycloak_quarkus_service_group`| Posix account group | `keycloak` |
|`keycloak_quarkus_service_restart_always`| systemd restart always behavior activation | `False` |
|`keycloak_quarkus_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` |
|`keycloak_quarkus_service_restartsec`| systemd RestartSec | `10s` |
|`keycloak_quarkus_service_pidfile`| Pid file path for service | `/run/keycloak.pid` |
|`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-17-openjdk-headless` |
|`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
|`keycloak_quarkus_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
|`keycloak_quarkus_java_heap_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` |
|`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak |
|`keycloak_quarkus_java_opts`| JVM arguments; if overridden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` |
|`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file | `[]` |
|`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | |
|`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
|`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
|`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
|`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically | `realms/master/.well-known/openid-configuration` |
|`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
|`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `{{ keycloak.home }}/conf/server.key.pem` |
|`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `{{ keycloak.home }}/conf/server.crt.pem` |
|`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` |
|`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` |
|`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `/etc/pki/tls/private/server.key.pem` |
|`keycloak_quarkus_cert_file_copy_enabled`| Enable copy of cert file to target host | `False`|
|`keycloak_quarkus_cert_file_src`| Set the source file path | `""` |
|`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `/etc/pki/tls/certs/server.crt.pem` |
|`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` |
|`keycloak_quarkus_key_store_file`| The file pat to the key store | `{{ keycloak.home }}/conf/key_store.p12` |
|`keycloak_quarkus_key_store_password`| Password for the key store | `""` |
|`keycloak_quarkus_https_trust_store_enabled`| Enalbe confiugration of a trust store | `False` |
|`keycloak_quarkus_trust_store_file`| The file pat to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
|`keycloak_quarkus_trust_store_password`| Password for the trust store | `""` |
|`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. ||
|`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.||
|`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` |
|`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` |
|`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` |
|`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
|`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` |
|`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwarded`) | `""` |
|`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_keystore_password != ''`, else `''` |
|`keycloak_quarkus_config_key_store_password`| Password of the configuration keystore; if non-empty, `keycloak_quarkus_db_pass` will be saved to the keystore at `keycloak_quarkus_config_key_store_file` instead of being written to the configuration file in clear text | `""` |
|`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
|`keycloak_quarkus_configure_iptables` | Ensure iptables is configured for keycloak ports | `False` |
* Hostname configuration
#### High-availability
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
|`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `TCPPING` |
|`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` |
|`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` |
|`keycloak_quarkus_systemd_wait_for_port` | Whether systemd unit should wait for keycloak port before returning | `{{ keycloak_quarkus_ha_enabled }}` |
|`keycloak_quarkus_systemd_wait_for_log` | Whether systemd unit should wait for service to be up in logs | `false` |
|`keycloak_quarkus_systemd_wait_for_timeout`| How long to wait for service to be alive (seconds) | `60` |
|`keycloak_quarkus_systemd_wait_for_delay`| Activation delay for service systemd unit (seconds) | `10` |
|`keycloak_quarkus_restart_strategy`| Strategy task file for restarting in HA (one of provided restart/['serial.yml','none.yml','serial_then_parallel.yml']) or path to file when providing custom strategy | `restart/serial.yml` |
|`keycloak_quarkus_restart_health_check`| Whether to wait for successful health check after restart | `true` |
|`keycloak_quarkus_restart_health_check_delay`| Seconds to let pass before starting healch checks | `10` |
|`keycloak_quarkus_restart_health_check_reries`| Number of attempts for successful health check before failing | `25` |
|`keycloak_quarkus_restart_pause`| Seconds to wait between restarts in HA strategy | `15` |
#### Hostname configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
@@ -63,7 +117,7 @@ Role Defaults
|`keycloak_quarkus_hostname_strict_backchannel`| By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled. | `false` |
* Database configuration
#### Database configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
@@ -74,7 +128,7 @@ Role Defaults
|`keycloak_quarkus_jdbc_driver_version` | Version for JDBC driver | `9.4.1212` |
* Remote caches configuration
#### Remote caches configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
@@ -87,18 +141,7 @@ Role Defaults
|`keycloak_quarkus_ispn_trust_store_password` | Password for infinispan certificate keystore | `changeit` |
* Install options
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
|`keycloak_quarkus_version`| keycloak.org package version | `23.0.7` |
|`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
|`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
|`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
* Miscellaneous configuration
#### Miscellaneous configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
@@ -124,6 +167,74 @@ Role Defaults
|`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` |
|`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` |
|`keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route`| If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy | `True` |
|`keycloak_quarkus_show_deprecation_warnings`| Whether deprecation warnings should be shown | `True` |
#### Vault SPI
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_ks_vault_enabled`| Whether to enable the vault SPI | `false` |
|`keycloak_quarkus_ks_vault_file`| The keystore path for the vault SPI | `{{ keycloak_quarkus_config_dir }}/keystore.p12` |
|`keycloak_quarkus_ks_vault_type`| Type of the keystore used for the vault SPI | `PKCS12` |
#### Configuring providers
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_providers`| List of provider definitions; see below | `[]` |
Providers support different sources:
* `url`: http download for providers not requiring authentication
* `maven`: maven download for providers hosted publicly on Apache Maven Central or private Maven repositories like Github Maven requiring authentication
* `local_path`: static providers to be uploaded
Provider definition:
```yaml
keycloak_quarkus_providers:
- id: http-client # required; "{{ id }}.jar" identifies the file name on RHBK
spi: connections # required if neither url, local_path nor maven are specified; required for setting properties
default: true # optional, whether to set default for spi, default false
restart: true # optional, whether to restart, default true
url: https://.../.../custom_spi.jar # optional, url for download via http
local_path: my_theme_spi.jar # optional, path on local controller for SPI to be uploaded
maven: # optional, for download using maven
repository_url: https://maven.pkg.github.com/OWNER/REPOSITORY # optional, maven repo url
group_id: my.group # optional, maven group id
artifact_id: artifact # optional, maven artifact id
version: 24.0.4 # optional, defaults to latest
username: user # optional, cf. https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry#authenticating-to-github-packages
password: pat # optional, provide a PAT for accessing Github's Apache Maven registry
properties: # optional, list of key-values
- key: default-connection-pool-size
value: 10
```
the definition above will generate the following build command:
```
bin/kc.sh build --spi-connections-provider=http-client --spi-connections-http-client-default-connection-pool-size=10
```
#### Configuring policies
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_policies`| List of policy definitions; see below | `[]` |
Provider definition:
```yaml
keycloak_quarkus_policies:
- name: xato-net-10-million-passwords.txt # required, resulting file name
url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt # required, url for download
type: password-blacklists # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`]
```
Role Variables
--------------
@@ -133,7 +244,26 @@ Role Variables
|`keycloak_quarkus_admin_pass`| Password of console admin account | `yes` |
|`keycloak_quarkus_frontend_url`| Base URL for frontend URLs, including scheme, host, port and path | `no` |
|`keycloak_quarkus_admin_url`| Base URL for accessing the administration console, including scheme, host, port and path | `no` |
|`keycloak_quarkus_ks_vault_pass`| The password for accessing the keystore vault SPI | `no` |
|`keycloak_quarkus_alternate_download_url`| Alternate location with optional authentication for downloading RHBK | `no` |
|`keycloak_quarkus_download_user`| Optional username for http authentication | `no*` |
|`keycloak_quarkus_download_pass`| Optional password for http authentication | `no*` |
|`keycloak_quarkus_download_validate_certs`| Whether to validate certs for URL `keycloak_quarkus_alternate_download_url` | `no` |
|`keycloak_quarkus_jdbc_download_user`| Optional username for http authentication | `no*` |
|`keycloak_quarkus_jdbc_download_pass`| Optional password for http authentication | `no*` |
|`keycloak_quarkus_jdbc_download_validate_certs`| Whether to validate certs for URL `keycloak_quarkus_download_validate_certs` | `no` |
`*` username/password authentication credentials must be both declared or both undefined
Role custom facts
-----------------
The role uses the following [custom facts](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html#adding-custom-facts) found in `/etc/ansible/facts.d/keycloak.fact` (and thus identified by the `ansible_local.keycloak.` prefix):
| Variable | Description |
|:---------|:------------|
|`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_admin_user[_pass]` gets created |
License
-------

73
roles/keycloak_quarkus/defaults/main.yml
View File

@@ -1,6 +1,6 @@
---
### Configuration specific to keycloak
keycloak_quarkus_version: 23.0.7
keycloak_quarkus_version: 24.0.4
keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
@@ -8,8 +8,9 @@ keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_q
# whether to install from local archive
keycloak_quarkus_offline_install: false
keycloak_quarkus_show_deprecation_warnings: true
### Install location and service settings
keycloak_quarkus_jvm_package: java-17-openjdk-headless
keycloak_quarkus_java_home:
keycloak_quarkus_dest: /opt/keycloak
keycloak_quarkus_home: "{{ keycloak_quarkus_installdir }}"
@@ -17,12 +18,13 @@ keycloak_quarkus_config_dir: "{{ keycloak_quarkus_home }}/conf"
keycloak_quarkus_start_dev: false
keycloak_quarkus_service_user: keycloak
keycloak_quarkus_service_group: keycloak
keycloak_quarkus_service_pidfile: "/run/keycloak/keycloak.pid"
keycloak_quarkus_configure_firewalld: false
keycloak_quarkus_service_restart_always: false
keycloak_quarkus_service_restart_on_failure: false
keycloak_quarkus_service_restartsec: "10s"
keycloak_quarkus_configure_firewalld: false
keycloak_quarkus_configure_iptables: false
### administrator console password
keycloak_quarkus_admin_user: admin
keycloak_quarkus_admin_pass:
@@ -38,26 +40,43 @@ keycloak_quarkus_http_port: 8080
keycloak_quarkus_https_port: 8443
keycloak_quarkus_ajp_port: 8009
keycloak_quarkus_jgroups_port: 7800
keycloak_quarkus_java_opts: "-Xms1024m -Xmx2048m"
keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx2048m"
keycloak_quarkus_java_jvm_opts: "-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8
-Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError
-Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4
-XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512"
keycloak_quarkus_java_opts: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}"
keycloak_quarkus_additional_env_vars: []
### TLS/HTTPS configuration
keycloak_quarkus_https_key_file_enabled: false
keycloak_quarkus_key_file: "{{ keycloak.home }}/conf/server.key.pem"
keycloak_quarkus_cert_file: "{{ keycloak.home }}/conf/server.crt.pem"
keycloak_quarkus_key_file_copy_enabled: false
keycloak_quarkus_key_content: ""
keycloak_quarkus_key_file: "/etc/pki/tls/private/server.key.pem"
keycloak_quarkus_cert_file_copy_enabled: false
keycloak_quarkus_cert_file_src: ""
keycloak_quarkus_cert_file: "/etc/pki/tls/certs/server.crt.pem"
#### key store configuration
keycloak_quarkus_https_key_store_enabled: false
keycloak_quarkus_key_store_file: "{{ keycloak.home }}/conf/key_store.p12"
keycloak_quarkus_key_store_password: ''
keycloak_quarkus_https_key_store_file: "{{ keycloak.home }}/conf/key_store.p12"
keycloak_quarkus_https_key_store_password: ''
##### trust store configuration
keycloak_quarkus_https_trust_store_enabled: false
keycloak_quarkus_trust_store_file: "{{ keycloak.home }}/conf/trust_store.p12"
keycloak_quarkus_trust_store_password: ''
keycloak_quarkus_https_trust_store_file: "{{ keycloak.home }}/conf/trust_store.p12"
keycloak_quarkus_https_trust_store_password: ''
### configuration key store configuration
keycloak_quarkus_config_key_store_file: "{{ keycloak.home }}/conf/conf_store.p12"
keycloak_quarkus_config_key_store_password: ''
### Enable configuration for database backend, clustering and remote caches on infinispan
keycloak_quarkus_ha_enabled: false
keycloak_quarkus_ha_discovery: "TCPPING"
### Enable database configuration, must be enabled when HA is configured
keycloak_quarkus_db_enabled: "{{ True if keycloak_quarkus_ha_enabled else False }}"
keycloak_quarkus_db_enabled: "{{ keycloak_quarkus_ha_enabled }}"
keycloak_quarkus_systemd_wait_for_port: "{{ keycloak_quarkus_ha_enabled }}"
keycloak_quarkus_systemd_wait_for_log: false
keycloak_quarkus_systemd_wait_for_timeout: 60
keycloak_quarkus_systemd_wait_for_delay: 10
### keycloak frontend url
keycloak_quarkus_frontend_url:
@@ -74,13 +93,17 @@ keycloak_quarkus_hostname_strict: true
# If all applications use the public URL this option should be enabled.
keycloak_quarkus_hostname_strict_backchannel: false
# proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
# The proxy headers that should be accepted by the server. ['', 'forwarded', 'xforwarded']
keycloak_quarkus_proxy_headers: ""
# deprecated: proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
keycloak_quarkus_proxy_mode: edge
# disable xa transactions
keycloak_quarkus_transaction_xa_enabled: true
# If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy
# If the route should be attached to cookies to reflect the node that owns a particular session.
# If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy
keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: true
keycloak_quarkus_metrics_enabled: false
@@ -113,8 +136,9 @@ keycloak_quarkus_default_jdbc:
version: 2.7.4
mssql:
url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
version: 12.2.0
driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar" # cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/22.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver
version: 12.4.2
driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.4.2.jre11/mssql-jdbc-12.4.2.jre11.jar"
# cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/24.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver
### logging configuration
keycloak_quarkus_log: file
keycloak_quarkus_log_level: info
@@ -124,3 +148,20 @@ keycloak_quarkus_log_target: /var/log/keycloak
keycloak_quarkus_log_max_file_size: 10M
keycloak_quarkus_log_max_backup_index: 10
keycloak_quarkus_log_file_suffix: '.yyyy-MM-dd.zip'
# keystore-based vault
keycloak_quarkus_ks_vault_enabled: false
keycloak_quarkus_ks_vault_file: "{{ keycloak_quarkus_config_dir }}/keystore.p12"
keycloak_quarkus_ks_vault_type: PKCS12
keycloak_quarkus_ks_vault_pass:
keycloak_quarkus_providers: []
keycloak_quarkus_policies: []
keycloak_quarkus_supported_policy_types: ['password-blacklists']
# files in restart directory (one of [ 'serial', 'none', 'serial_then_parallel' ]), or path to file when providing custom strategy
keycloak_quarkus_restart_strategy: restart/serial.yml
keycloak_quarkus_restart_health_check: true
keycloak_quarkus_restart_health_check_delay: 10
keycloak_quarkus_restart_health_check_reries: 25
keycloak_quarkus_restart_pause: 15

14
roles/keycloak_quarkus/handlers/main.yml
View File

@@ -3,6 +3,16 @@
- name: "Rebuild {{ keycloak.service_name }} config"
ansible.builtin.include_tasks: rebuild_config.yml
listen: "rebuild keycloak config"
- name: "Bootstrapped"
ansible.builtin.include_tasks: bootstrapped.yml
listen: bootstrapped
- name: "Restart {{ keycloak.service_name }}"
ansible.builtin.include_tasks: restart.yml
listen: "restart keycloak"
ansible.builtin.include_tasks:
file: "{{ keycloak_quarkus_restart_strategy if keycloak_quarkus_ha_enabled else 'restart.yml' }}"
listen: "restart keycloak"
- name: "Print deprecation warning"
ansible.builtin.fail:
msg: "Deprecation warning: you are using the deprecated variable '{{ deprecated_variable | d('NotSet') }}', check docs on how to upgrade."
failed_when: false
changed_when: true
listen: "print deprecation warning"

239
roles/keycloak_quarkus/meta/argument_specs.yml
View File

@@ -2,32 +2,26 @@ argument_specs:
main:
options:
keycloak_quarkus_version:
# line 3 of defaults/main.yml
default: "17.0.1"
default: "24.0.4"
description: "keycloak.org package version"
type: "str"
keycloak_quarkus_archive:
# line 4 of defaults/main.yml
default: "keycloak-{{ keycloak_quarkus_version }}.zip"
description: "keycloak install archive filename"
type: "str"
keycloak_quarkus_download_url:
# line 5 of defaults/main.yml
default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
description: "Download URL for keycloak"
type: "str"
keycloak_quarkus_installdir:
# line 6 of defaults/main.yml
default: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
description: "Installation path"
type: "str"
keycloak_quarkus_offline_install:
# line 9 of defaults/main.yml
default: false
description: "Perform an offline install"
type: "bool"
keycloak_quarkus_jvm_package:
# line 12 of defaults/main.yml
default: "java-11-openjdk-headless"
description: "RHEL java package runtime"
type: "str"
@@ -35,37 +29,30 @@ argument_specs:
description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path"
type: "str"
keycloak_quarkus_dest:
# line 13 of defaults/main.yml
default: "/opt/keycloak"
description: "Installation root path"
type: "str"
keycloak_quarkus_home:
# line 14 of defaults/main.yml
default: "{{ keycloak_quarkus_installdir }}"
description: "Installation work directory"
type: "str"
keycloak_quarkus_config_dir:
# line 15 of defaults/main.yml
default: "{{ keycloak_quarkus_home }}/conf"
description: "Path for configuration"
type: "str"
keycloak_quarkus_service_user:
# line 16 of defaults/main.yml
default: "keycloak"
description: "Posix account username"
type: "str"
keycloak_quarkus_service_group:
# line 17 of defaults/main.yml
default: "keycloak"
description: "Posix account group"
type: "str"
keycloak_quarkus_service_pidfile:
# line 18 of defaults/main.yml
default: "/run/keycloak/keycloak.pid"
description: "Pid file path for service"
type: "str"
keycloak_quarkus_configure_firewalld:
# line 19 of defaults/main.yml
default: false
description: "Ensure firewalld is running and configure keycloak ports"
type: "bool"
keycloak_quarkus_configure_iptables:
default: false
description: "Ensure firewalld is running and configure keycloak ports"
type: "bool"
@@ -90,12 +77,10 @@ argument_specs:
description: "Password of console admin account"
type: "str"
keycloak_quarkus_master_realm:
# line 24 of defaults/main.yml
default: "master"
description: "Name for rest authentication realm"
type: "str"
keycloak_quarkus_bind_address:
# line 27 of defaults/main.yml
default: "0.0.0.0"
description: "Address for binding service ports"
type: "str"
@@ -116,20 +101,39 @@ argument_specs:
description: "Enable listener on HTTP port"
type: "bool"
keycloak_quarkus_http_port:
# line 29 of defaults/main.yml
default: 8080
description: "HTTP port"
type: "int"
keycloak_quarkus_health_check_url_path:
default: "realms/master/.well-known/openid-configuration"
description: "Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically"
type: "str"
keycloak_quarkus_https_key_file_enabled:
default: false
description: "Enable configuration of HTTPS via files in PEM format"
type: "bool"
keycloak_quarkus_key_file_copy_enabled:
default: false
description: "Enable copy of key file to target host"
type: "bool"
keycloak_quarkus_key_content:
default: ""
description: "Content of the TLS private key"
type: "str"
keycloak_quarkus_key_file:
default: "{{ keycloak.home }}/conf/server.key.pem"
default: "/etc/pki/tls/private/server.key.pem"
description: "The file path to a private key in PEM format"
type: "str"
keycloak_quarkus_cert_file_copy_enabled:
default: false
description: "Enable copy of cert file to target host"
type: "bool"
keycloak_quarkus_cert_file_src:
default: ""
description: "Set the source file path"
type: "str"
keycloak_quarkus_cert_file:
default: "{{ keycloak.home }}/conf/server.crt.pem"
default: "/etc/pki/tls/certs/server.crt.pem"
description: "The file path to a server certificate or certificate chain in PEM format"
type: "str"
keycloak_quarkus_https_key_store_enabled:
@@ -137,47 +141,75 @@ argument_specs:
description: "Enable configuration of HTTPS via a key store"
type: "bool"
keycloak_quarkus_key_store_file:
default: ""
description: "Deprecated, use `keycloak_quarkus_https_key_store_file` instead."
type: "str"
keycloak_quarkus_key_store_password:
default: ""
description: "Deprecated, use `keycloak_quarkus_https_key_store_password` instead."
type: "str"
keycloak_quarkus_https_key_store_file:
default: "{{ keycloak.home }}/conf/key_store.p12"
description: "The file path to the key store"
type: "str"
keycloak_quarkus_key_store_password:
keycloak_quarkus_https_key_store_password:
default: ""
description: "Password for the key store"
type: "str"
keycloak_quarkus_https_trust_store_enabled:
default: false
description: "Enalbe confiugration of a trust store"
description: "Enable configuration of the https trust store"
type: "bool"
keycloak_quarkus_trust_store_file:
keycloak_quarkus_https_trust_store_file:
default: "{{ keycloak.home }}/conf/trust_store.p12"
description: "The file path to the trust store"
type: "str"
keycloak_quarkus_trust_store_password:
keycloak_quarkus_https_trust_store_password:
default: ""
description: "Password for the trust store"
type: "str"
keycloak_quarkus_config_key_store_file:
default: "{{ keycloak.home }}/conf/conf_store.p12"
description: "Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty"
type: "str"
keycloak_quarkus_config_key_store_password:
default: ""
description: >
Password of the configuration key store; if non-empty, `keycloak_quarkus_db_pass` will be saved to the key store
at `keycloak_quarkus_config_key_store_file` (instead of being written to the configuration file in clear text)
type: "str"
keycloak_quarkus_https_port:
# line 30 of defaults/main.yml
default: 8443
description: "HTTPS port"
type: "int"
keycloak_quarkus_ajp_port:
# line 31 of defaults/main.yml
default: 8009
description: "AJP port"
type: "int"
keycloak_quarkus_jgroups_port:
# line 32 of defaults/main.yml
default: 7800
description: "jgroups cluster tcp port"
type: "int"
keycloak_quarkus_java_opts:
# line 33 of defaults/main.yml
keycloak_quarkus_java_heap_opts:
default: "-Xms1024m -Xmx2048m"
description: "Additional JVM options"
description: "Heap memory JVM setting"
type: "str"
keycloak_quarkus_java_jvm_opts:
default: >
-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.err.encoding=UTF-8
-Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC
-XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512
description: "Other JVM settings"
type: "str"
keycloak_quarkus_java_opts:
default: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}"
description: "JVM arguments, by default heap_opts + jvm_opts, if overriden it takes precedence over them"
type: "str"
keycloak_quarkus_additional_env_vars:
default: "[]"
description: "List of additional env variables of { key: str, value: str} to be put in sysconfig file"
type: "list"
keycloak_quarkus_ha_enabled:
# line 36 of defaults/main.yml
default: false
description: "Enable auto configuration for database backend, clustering and remote caches on infinispan"
type: "bool"
@@ -186,7 +218,6 @@ argument_specs:
description: "Discovery protocol for HA cluster members"
type: "str"
keycloak_quarkus_db_enabled:
# line 38 of defaults/main.yml
default: "{{ True if keycloak_quarkus_ha_enabled else False }}"
description: "Enable auto configuration for database backend"
type: "str"
@@ -204,7 +235,6 @@ argument_specs:
description: "Service URL for the admin console"
type: "str"
keycloak_quarkus_metrics_enabled:
# line 43 of defaults/main.yml
default: false
description: "Whether to enable metrics"
type: "bool"
@@ -213,62 +243,50 @@ argument_specs:
description: "If the server should expose health check endpoints"
type: "bool"
keycloak_quarkus_ispn_user:
# line 46 of defaults/main.yml
default: "supervisor"
description: "Username for connecting to infinispan"
type: "str"
keycloak_quarkus_ispn_pass:
# line 47 of defaults/main.yml
default: "supervisor"
description: "Password for connecting to infinispan"
type: "str"
keycloak_quarkus_ispn_hosts:
# line 48 of defaults/main.yml
default: "localhost:11222"
description: "host name/port for connecting to infinispan, eg. host1:11222;host2:11222"
type: "str"
keycloak_quarkus_ispn_sasl_mechanism:
# line 49 of defaults/main.yml
default: "SCRAM-SHA-512"
description: "Infinispan auth mechanism"
type: "str"
keycloak_quarkus_ispn_use_ssl:
# line 50 of defaults/main.yml
default: false
description: "Whether infinispan uses TLS connection"
type: "bool"
keycloak_quarkus_ispn_trust_store_path:
# line 52 of defaults/main.yml
default: "/etc/pki/java/cacerts"
description: "Path to infinispan server trust certificate"
type: "str"
keycloak_quarkus_ispn_trust_store_password:
# line 53 of defaults/main.yml
default: "changeit"
description: "Password for infinispan certificate keystore"
type: "str"
keycloak_quarkus_jdbc_engine:
# line 56 of defaults/main.yml
default: "postgres"
description: "Database engine [mariadb,postres,mssql]"
type: "str"
keycloak_quarkus_db_user:
# line 58 of defaults/main.yml
default: "keycloak-user"
description: "User for database connection"
type: "str"
keycloak_quarkus_db_pass:
# line 59 of defaults/main.yml
default: "keycloak-pass"
description: "Password for database connection"
type: "str"
keycloak_quarkus_jdbc_url:
# line 60 of defaults/main.yml
default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
description: "JDBC URL for connecting to database"
type: "str"
keycloak_quarkus_jdbc_driver_version:
# line 61 of defaults/main.yml
default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
description: "Version for JDBC driver"
type: "str"
@@ -295,7 +313,9 @@ argument_specs:
keycloak_quarkus_log_max_file_size:
default: 10M
type: "str"
description: "Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): [0-9]+[KkMmGgTtPpEeZzYy]?. If no suffix is given, assume bytes."
description: >
Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular
expression): [0-9]+[KkMmGgTtPpEeZzYy]?. If no suffix is given, assume bytes.
keycloak_quarkus_log_max_backup_index:
default: 10
type: "str"
@@ -303,11 +323,17 @@ argument_specs:
keycloak_quarkus_log_file_suffix:
default: '.yyyy-MM-dd.zip'
type: "str"
description: "Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with .zip or .gz, the rotation file will also be compressed."
description: >
Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix. Note: If the suffix ends
with .zip or .gz, the rotation file will also be compressed.
keycloak_quarkus_proxy_mode:
default: 'edge'
type: "str"
description: "The proxy address forwarding mode if the server is behind a reverse proxy. Set to 'none' if not using a proxy"
keycloak_quarkus_proxy_headers:
default: ""
type: "str"
description: "Parse reverse proxy headers (`forwarded` or `xforwarded`), overrides the deprecated keycloak_quarkus_proxy_mode argument"
keycloak_quarkus_start_dev:
default: false
type: "bool"
@@ -319,19 +345,118 @@ argument_specs:
keycloak_quarkus_hostname_strict:
default: true
type: "bool"
description: "Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless proxy verifies the Host header."
description: >
Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless
proxy verifies the Host header.
keycloak_quarkus_hostname_strict_backchannel:
default: false
type: "bool"
description: "By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled."
description: >
By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all
applications use the public URL this option should be enabled.
keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route:
default: true
type: "bool"
description: "If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy"
description: >
If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies
and we rely on the session affinity capabilities from reverse proxy
keycloak_quarkus_hostname_strict_https:
type: "bool"
required: false
description: >
By default, Keycloak requires running using TLS/HTTPS. If the service MUST run without TLS/HTTPS, then set
this option to "true"
keycloak_quarkus_ks_vault_enabled:
default: false
type: "bool"
description: "Whether to enable vault SPI"
keycloak_quarkus_ks_vault_file:
default: "{{ keycloak_quarkus_config_dir }}/keystore.p12"
type: "str"
description: "The keystore path for the vault SPI"
keycloak_quarkus_ks_vault_type:
default: "PKCS12"
type: "str"
description: "Type of the keystore used for the vault SPI"
keycloak_quarkus_ks_vault_pass:
required: false
type: "str"
description: "The password for accessing the keystore vault SPI"
keycloak_quarkus_systemd_wait_for_port:
description: 'Whether systemd unit should wait for keycloak port before returning'
default: "{{ keycloak_quarkus_ha_enabled }}"
type: "bool"
keycloak_quarkus_systemd_wait_for_log:
description: 'Whether systemd unit should wait for service to be up in logs'
default: false
type: "bool"
keycloak_quarkus_systemd_wait_for_timeout:
description: "How long to wait for service to be alive (seconds)"
default: 60
type: 'int'
keycloak_quarkus_systemd_wait_for_delay:
description: "Activation delay for service systemd unit (seconds)"
default: 10
type: 'int'
keycloak_quarkus_providers:
description: >
List of provider definition dicts: { 'id': str, 'spi': str, 'url': str, 'local_path': str,
'maven': {
'repository_url': str, 'group_id': str, 'artifact_id': str, 'version': str, 'username': str, optional, 'password': str, optional
},
'default': bool,
'properties': list of key/value }
default: []
type: "list"
keycloak_quarkus_supported_policy_types:
description: "List of str of supported policy types"
default: ['password-blacklists']
type: "list"
keycloak_quarkus_policies:
description: "List of policy definition dicts: { 'name': str, 'url': str, 'type': str }"
default: []
type: "list"
keycloak_quarkus_jdbc_download_url:
description: "Override the default Maven Central download URL for the JDBC driver"
type: "str"
keycloak_quarkus_jdbc_download_user:
description: "Set a username with which to authenticate when downloading JDBC drivers from an alternative location"
type: "str"
keycloak_quarkus_jdbc_download_pass:
description: >
Set a password with which to authenticate when downloading JDBC drivers from an alternative location
(requires `keycloak_quarkus_jdbc_download_user``)
type: "str"
keycloak_quarkus_jdbc_download_validate_certs:
default: true
description: "Allow the option to ignore invalid certificates when downloading JDBC drivers from a custom URL"
type: "bool"
keycloak_quarkus_restart_health_check:
default: true
description: "Whether to wait for successful health check after restart"
type: "bool"
keycloak_quarkus_restart_strategy:
description: >
Strategy task file for restarting in HA, one of restart/[ 'serial', 'none', 'serial_then_parallel' ].yml, or path to
file when providing custom strategy; when keycloak_quarkus_ha_enabled and keycloak_quarkus_restart_health_check == true
default: "restart/serial.yml"
type: "str"
keycloak_quarkus_restart_pause:
description: "Seconds to wait between restarts in HA strategy"
default: 15
type: int
keycloak_quarkus_restart_health_check_delay:
description: "Seconds to let pass before starting healch checks"
default: 10
type: 'int'
keycloak_quarkus_restart_health_check_reries:
description: "Number of attempts for successful health check before failing"
default: 25
type: 'int'
downstream:
options:
rhbk_version:
default: "22.0.6"
default: "24.0.3"
description: "Red Hat Build of Keycloak version"
type: "str"
rhbk_archive:
@@ -353,11 +478,15 @@ argument_specs:
rhbk_enable:
default: true
description: "Enable Red Hat Build of Keycloak installation"
type: "str"
type: "bool"
rhbk_offline_install:
default: false
description: "Perform an offline install"
type: "bool"
keycloak_quarkus_show_deprecation_warnings:
default: true
description: "Whether deprecation warnings should be shown"
type: "bool"
rhbk_service_name:
default: "rhbk"
description: "systemd service name for Red Hat Build of Keycloak"

8
roles/keycloak_quarkus/meta/main.yml
View File

@@ -8,12 +8,17 @@ galaxy_info:
license: Apache License 2.0
min_ansible_version: "2.14"
min_ansible_version: "2.15"
platforms:
- name: EL
versions:
- "8"
- "9"
- name: Fedora
- name: Debian
- name: Ubuntu
galaxy_tags:
- keycloak
@@ -25,3 +30,4 @@ galaxy_info:
- identity
- security
- rhbk
- debian

16
roles/keycloak_quarkus/tasks/bootstrapped.yml Normal file
View File

@@ -0,0 +1,16 @@
---
- name: Write ansible custom facts
become: true
ansible.builtin.template:
src: keycloak.fact.j2
dest: /etc/ansible/facts.d/keycloak.fact
mode: '0644'
vars:
bootstrapped: true
- name: Re-read custom facts
ansible.builtin.setup:
filter: ansible_local
- name: Ensure that `KEYCLOAK_ADMIN[_PASSWORD]` get purged
ansible.builtin.include_tasks: systemd.yml

52
roles/keycloak_quarkus/tasks/config_store.yml Normal file
View File

@@ -0,0 +1,52 @@
---
- name: "Initialize configuration key store variables to be written"
ansible.builtin.set_fact:
store_items:
- key: "kc.db-password"
value: "{{ keycloak_quarkus_db_pass }}"
- name: "Initialize empty configuration key store"
become: true
# keytool doesn't allow creating an empty key store, so this is a hacky way around it
ansible.builtin.shell: |
set -o nounset # abort on unbound variable
set -o pipefail # do not hide errors within pipes
set -o errexit # abort on nonzero exit status
echo dummy | keytool -noprompt -importpass -alias dummy -keystore {{ keycloak_quarkus_config_key_store_file | quote }} -storepass {{ keycloak_quarkus_config_key_store_password | quote }} -storetype PKCS12
keytool -delete -alias dummy -keystore {{ keycloak_quarkus_config_key_store_file | quote }} -storepass {{ keycloak_quarkus_config_key_store_password | quote }}
args:
creates: "{{ keycloak_quarkus_config_key_store_file }}"
- name: "Set configuration key store using keytool"
ansible.builtin.shell: |
set -o nounset # abort on unbound variable
set -o pipefail # do not hide errors within pipes
keytool -list -alias {{ item.key | quote }} -keystore {{ keycloak_quarkus_config_key_store_file | quote }} -storepass {{ keycloak_quarkus_config_key_store_password | quote }}
retVal=$?
set -o errexit # abort on nonzero exit status
if [ $retVal -eq 0 ]; then
# value is already in keystore, but keytool has no replace function: delete and re-create instead
# note that we can not read whether the value has changed either[^1], so we need to override it
# [^1]: https://stackoverflow.com/a/37491400
keytool -delete -alias {{ item.key | quote }} -keystore {{ keycloak_quarkus_config_key_store_file | quote }} -storepass {{ keycloak_quarkus_config_key_store_password | quote }}
fi
echo {{ item.value | quote }} | keytool -noprompt -importpass -alias {{ item.key | quote }} -keystore {{ keycloak_quarkus_config_key_store_file | quote }} -storepass {{ keycloak_quarkus_config_key_store_password | quote }} -storetype PKCS12
with_items: "{{ store_items }}"
no_log: true
become: true
changed_when: true
notify:
- restart keycloak
- name: "Set owner of configuration key store {{ keycloak_quarkus_config_key_store_file }}"
ansible.builtin.file:
path: "{{ keycloak_quarkus_config_key_store_file }}"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0400'
become: true

6
roles/keycloak_quarkus/tasks/debian.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: Include firewall config tasks
ansible.builtin.include_tasks: iptables.yml
when: keycloak_quarkus_configure_iptables
tags:
- firewall

53
roles/keycloak_quarkus/tasks/deprecations.yml Normal file
View File

@@ -0,0 +1,53 @@
---
- name: Check deprecation keycloak_quarkus_key_store -> keycloak_quarkus_http_key_store
delegate_to: localhost
run_once: true
when:
- keycloak_quarkus_https_key_store_enabled
block:
- name: Ensure backward compatibility for `keycloak_quarkus_key_store_file`, superseded by `keycloak_quarkus_https_key_store_file`
when:
- keycloak_quarkus_key_store_file is defined
- keycloak_quarkus_key_store_file != ''
- keycloak_quarkus_https_key_store_file == keycloak.home + "/conf/key_store.p12" # default value
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_https_key_store_file: "{{ keycloak_quarkus_key_store_file }}"
deprecated_variable: "keycloak_quarkus_key_store_file" # read in deprecation handler
notify:
- print deprecation warning
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Ensure backward compatibility for `keycloak_quarkus_key_store_password`, superseded by `keycloak_quarkus_https_key_store_password`
when:
- keycloak_quarkus_key_store_password is defined
- keycloak_quarkus_key_store_password != ''
- keycloak_quarkus_https_key_store_password == "" # default value
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_https_key_store_password: "{{ keycloak_quarkus_key_store_password }}"
deprecated_variable: "keycloak_quarkus_key_store_password" # read in deprecation handler
notify:
- print deprecation warning
- name: Flush handlers
ansible.builtin.meta: flush_handlers
# https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/24.0/html-single/upgrading_guide/index#deprecated_literal_proxy_literal_option
- name: Check deprecation of keycloak_quarkus_proxy_mode
when:
- keycloak_quarkus_proxy_mode is defined
- keycloak_quarkus_proxy_headers is defined and keycloak_quarkus_proxy_headers | length == 0
- keycloak_quarkus_version.split('.') | first | int >= 24
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
deprecated_variable: "keycloak_quarkus_proxy_mode" # read in deprecation handler
notify:
- print deprecation warning
- name: Flush handlers
ansible.builtin.meta: flush_handlers

20
roles/keycloak_quarkus/tasks/fastpackages.yml
View File

@@ -4,14 +4,28 @@
register: rpm_info
changed_when: false
failed_when: false
when: ansible_facts.os_family == "RedHat"
- name: "Add missing packages to the yum install list"
ansible.builtin.set_fact:
packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | \
map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
when: ansible_facts.os_family == "RedHat"
- name: "Install packages: {{ packages_to_install }}"
become: true
ansible.builtin.yum:
ansible.builtin.dnf:
name: "{{ packages_to_install }}"
state: present
when: packages_to_install | default([]) | length > 0
when:
- packages_to_install | default([]) | length > 0
- ansible_facts.os_family == "RedHat"
- name: "Install packages: {{ packages_list }}"
become: true
ansible.builtin.package:
name: "{{ packages_list }}"
state: present
when:
- packages_list | default([]) | length > 0
- ansible_facts.os_family == "Debian"

143
roles/keycloak_quarkus/tasks/install.yml
View File

@@ -22,7 +22,7 @@
name: "{{ keycloak.service_user }}"
home: /opt/keycloak
system: true
create_home: no
create_home: false
- name: "Create {{ keycloak.service_name }} install location"
become: true
@@ -31,7 +31,14 @@
state: directory
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0750
mode: '0750'
- name: Create directory for ansible custom facts
become: true
ansible.builtin.file:
state: directory
recurse: true
path: /etc/ansible/facts.d
## check remote archive
- name: Set download archive path
@@ -50,13 +57,16 @@
path: "{{ lookup('env', 'PWD') }}"
register: local_path
delegate_to: localhost
run_once: true
become: false
- name: Download keycloak archive
ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
url: "{{ keycloak_quarkus_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
mode: 0640
mode: '0640'
delegate_to: localhost
become: false
run_once: true
when:
- archive_path is defined
@@ -99,15 +109,38 @@
client_secret: "{{ rhn_password }}"
product_id: "{{ (rhn_filtered_products | first).id }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
mode: '0640'
no_log: "{{ omit_rhn_output | default(true) }}"
delegate_to: localhost
run_once: true
become: false
- name: Perform download of RHBK from alternate download location
delegate_to: localhost
run_once: true
become: false
when:
- archive_path is defined
- archive_path.stat is defined
- not archive_path.stat.exists
- rhbk_enable is defined and rhbk_enable
- not keycloak.offline_install
- keycloak_quarkus_alternate_download_url is defined
ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
url: "{{ keycloak_quarkus_alternate_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
mode: '0640'
url_username: "{{ keycloak_quarkus_download_user | default(omit) }}"
url_password: "{{ keycloak_quarkus_download_pass | default(omit) }}"
validate_certs: "{{ keycloak_quarkus_download_validate_certs | default(omit) }}"
- name: Check downloaded archive
ansible.builtin.stat:
path: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
register: local_archive_path
delegate_to: localhost
become: false
run_once: true
## copy and unpack
- name: Copy archive to target nodes
@@ -116,7 +149,7 @@
dest: "{{ archive }}"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0640
mode: '0640'
register: new_version_downloaded
when:
- not archive_path.stat.exists
@@ -130,7 +163,7 @@
register: path_to_workdir
become: true
- name: "Extract Keycloak archive on target"
- name: "Extract Keycloak archive on target" # noqa no-handler need to run this here
ansible.builtin.unarchive:
remote_src: true
src: "{{ archive }}"
@@ -150,8 +183,108 @@
when:
- (not new_version_downloaded.changed) and path_to_workdir.stat.exists
- name: "Copy private key to target"
ansible.builtin.copy:
content: "{{ keycloak_quarkus_key_content }}"
dest: "{{ keycloak_quarkus_key_file }}"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0640'
become: true
when:
- keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
- keycloak_quarkus_key_file_copy_enabled is defined and keycloak_quarkus_key_file_copy_enabled
- keycloak_quarkus_key_content | length > 0
- name: "Copy certificate to target"
ansible.builtin.copy:
src: "{{ keycloak_quarkus_cert_file_src }}"
dest: "{{ keycloak_quarkus_cert_file }}"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0644'
become: true
when:
- keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
- keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled
- keycloak_quarkus_cert_file_src | length > 0
- name: "Install {{ keycloak_quarkus_jdbc_engine }} JDBC driver"
ansible.builtin.include_tasks: jdbc_driver.yml
when:
- rhbk_enable is defined and rhbk_enable
- keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url is defined
- name: "Download custom providers via http"
ansible.builtin.get_url:
url: "{{ item.url }}"
dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0640'
become: true
loop: "{{ keycloak_quarkus_providers }}"
when: item.url is defined and item.url | length > 0
notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}"
# this requires the `lxml` package to be installed; we redirect this step to localhost such that we do need to install it on the remote hosts
- name: "Download custom providers to localhost using maven"
middleware_automation.common.maven_artifact:
repository_url: "{{ item.maven.repository_url }}"
group_id: "{{ item.maven.group_id }}"
artifact_id: "{{ item.maven.artifact_id }}"
version: "{{ item.maven.version | default(omit) }}"
username: "{{ item.maven.username | default(omit) }}"
password: "{{ item.maven.password | default(omit) }}"
dest: "{{ local_path.stat.path }}/{{ item.id }}.jar"
delegate_to: "localhost"
run_once: true
loop: "{{ keycloak_quarkus_providers }}"
when: item.maven is defined
no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}"
notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}"
- name: "Upload local maven providers"
ansible.builtin.copy:
src: "{{ local_path.stat.path }}/{{ item.id }}.jar"
dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0640'
become: true
loop: "{{ keycloak_quarkus_providers }}"
when: item.maven is defined
no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}"
- name: "Upload local providers"
ansible.builtin.copy:
src: "{{ item.local_path }}"
dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0640'
become: true
loop: "{{ keycloak_quarkus_providers }}"
when: item.local_path is defined
- name: Ensure required folder structure for policies exists
ansible.builtin.file:
path: "{{ keycloak.home }}/data/{{ item | lower }}"
state: directory
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0750'
become: true
loop: "{{ keycloak_quarkus_supported_policy_types }}"
- name: "Install custom policies"
ansible.builtin.get_url:
url: "{{ item.url }}"
dest: "{{ keycloak.home }}/data/{{ item.type | default(keycloak_quarkus_supported_policy_types | first) | lower }}/{{ item.name }}"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: '0640'
become: true
loop: "{{ keycloak_quarkus_policies }}"
when: item.url is defined and item.url | length > 0
notify: "restart keycloak"

20
roles/keycloak_quarkus/tasks/iptables.yml Normal file
View File

@@ -0,0 +1,20 @@
---
- name: Ensure required package iptables are installed
ansible.builtin.include_tasks: fastpackages.yml
vars:
packages_list:
- iptables
- name: "Configure firewall ports for {{ keycloak.service_name }}"
become: true
ansible.builtin.iptables:
destination_port: "{{ item }}"
action: "insert"
rule_num: 6 # magic number I forget why
chain: "INPUT"
policy: "ACCEPT"
protocol: tcp
loop:
- "{{ keycloak_quarkus_http_port }}"
- "{{ keycloak_quarkus_https_port }}"
- "{{ keycloak_quarkus_jgroups_port }}"

16
roles/keycloak_quarkus/tasks/jdbc_driver.yml
View File

@@ -1,12 +1,22 @@
---
- name: "Verify valid parameters for download credentials when specified"
ansible.builtin.fail:
msg: >-
When JDBC driver download credentials are set, both the username and the password MUST be set
when: >
(keycloak_quarkus_jdbc_download_user is undefined and keycloak_quarkus_jdbc_download_pass is not undefined) or
(keycloak_quarkus_jdbc_download_pass is undefined and keycloak_quarkus_jdbc_download_user is not undefined)
- name: "Retrieve JDBC Driver from {{ keycloak_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url }}"
- name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
ansible.builtin.get_url:
url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url }}"
url: "{{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
dest: "{{ keycloak.home }}/providers"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0640
url_username: "{{ keycloak_quarkus_jdbc_download_user | default(omit) }}"
url_password: "{{ keycloak_quarkus_jdbc_download_pass | default(omit) }}"
validate_certs: "{{ keycloak_quarkus_jdbc_download_validate_certs | default(omit) }}"
mode: '0640'
become: true
notify:
- restart keycloak

79
roles/keycloak_quarkus/tasks/main.yml
View File

@@ -4,12 +4,17 @@
ansible.builtin.include_tasks: prereqs.yml
tags:
- prereqs
- always
- name: Include firewall config tasks
ansible.builtin.include_tasks: firewalld.yml
when: keycloak_quarkus_configure_firewalld
- name: Check for deprecations
ansible.builtin.include_tasks: deprecations.yml
tags:
- firewall
- always
- name: Distro specific tasks
ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml"
tags:
- unbound
- name: Include install tasks
ansible.builtin.include_tasks: install.yml
@@ -21,28 +26,11 @@
tags:
- systemd
- name: "Configure config for keycloak service"
ansible.builtin.template:
src: keycloak.conf.j2
dest: "{{ keycloak.home }}/conf/keycloak.conf"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0644
become: true
notify:
- rebuild keycloak config
- restart keycloak
- name: "Configure quarkus config for keycloak service"
ansible.builtin.template:
src: quarkus.properties.j2
dest: "{{ keycloak.home }}/conf/quarkus.properties"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0644
become: true
notify:
- restart keycloak
- name: Include configuration key store tasks
when: keycloak.config_key_store_enabled
ansible.builtin.include_tasks: config_store.yml
tags:
- install
- name: Create tcpping cluster node list
ansible.builtin.set_fact:
@@ -58,14 +46,18 @@
loop: "{{ ansible_play_batch }}"
when: keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING'
- name: "Configure infinispan config for keycloak service"
- name: "Configure config files for keycloak service"
ansible.builtin.template:
src: cache-ispn.xml.j2
dest: "{{ keycloak.home }}/conf/cache-ispn.xml"
src: "{{ item }}.j2"
dest: "{{ keycloak.home }}/conf/{{ item }}"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0644
mode: '0640'
become: true
loop:
- keycloak.conf
- quarkus.properties
- cache-ispn.xml
notify:
- rebuild keycloak config
- restart keycloak
@@ -73,10 +65,10 @@
- name: Ensure logdirectory exists
ansible.builtin.file:
state: directory
path: "{{ keycloak.log.file | dirname }}"
path: "{{ keycloak.log.file | dirname }}"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0775
mode: '0775'
become: true
- name: Flush pending handlers
@@ -85,11 +77,6 @@
- name: "Start and wait for keycloak service"
ansible.builtin.include_tasks: start.yml
- name: Check service status
ansible.builtin.command: "systemctl status keycloak"
register: keycloak_service_status
changed_when: false
- name: Link default logs directory
ansible.builtin.file:
state: link
@@ -97,3 +84,21 @@
dest: "{{ keycloak_quarkus_log_target }}"
force: true
become: true
- name: Check service status
ansible.builtin.systemd_service:
name: "{{ keycloak.service_name }}"
register: keycloak_service_status
changed_when: false
- name: "Trigger bootstrapped notification: remove `keycloak_quarkus_admin_user[_pass]` env vars"
when:
- not ansible_local.keycloak.general.bootstrapped | default(false) | bool # it was not bootstrapped prior to the current role's execution
- keycloak_service_status.status.ActiveState == "active" # but it is now
ansible.builtin.assert: { that: true, quiet: true }
changed_when: true
notify:
- bootstrapped
- name: Flush pending handlers
ansible.builtin.meta: flush_handlers

92
roles/keycloak_quarkus/tasks/prereqs.yml
View File

@@ -4,31 +4,99 @@
that:
- keycloak_quarkus_admin_pass | length > 12
quiet: true
fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass variable to a 12+ char long string"
fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass to a 12+ char long string"
success_msg: "{{ 'Console administrator password OK' }}"
- name: Validate relative path
ansible.builtin.assert:
that:
- keycloak_quarkus_http_relative_path is regex('^/.*')
quiet: true
fail_msg: "the relative path must begin with /"
success_msg: "{{ 'relative path OK' }}"
fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /"
success_msg: "{{ 'Relative path OK' }}"
- name: Validate configuration
ansible.builtin.assert:
that:
- (keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and not keycloak_quarkus_db_enabled)
- (keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or
(not keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or
(not keycloak_quarkus_ha_enabled and not keycloak_quarkus_db_enabled)
quiet: true
fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled"
fail_msg: "HA setup requires a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled"
success_msg: "{{ 'Configuring HA' if keycloak_quarkus_ha_enabled else 'Configuring standalone' }}"
- name: Validate OS family
ansible.builtin.assert:
that:
- ansible_os_family in ["RedHat", "Debian"]
quiet: true
fail_msg: "Can only install on RedHat or Debian OS families; found {{ ansible_os_family }}"
success_msg: "Installing on {{ ansible_os_family }}"
- name: Load OS specific variables
ansible.builtin.include_vars: "vars/{{ ansible_os_family | lower }}.yml"
tags:
- always
- name: Ensure required packages are installed
ansible.builtin.include_tasks: fastpackages.yml
vars:
packages_list:
- "{{ keycloak_quarkus_jvm_package }}"
- unzip
- procps-ng
- initscripts
- tzdata-java
packages_list: "{{ keycloak_quarkus_prereq_package_list }}"
- name: "Validate keytool"
when: keycloak_quarkus_config_key_store_password | length > 0
block:
- name: "Attempt to run keytool"
changed_when: false
ansible.builtin.command: keytool -help
register: keytool_check
ignore_errors: true
- name: "Fail when no keytool found"
when: keytool_check.rc != 0
ansible.builtin.fail:
msg: "keytool NOT found in the PATH, but is required for setting up the configuration key store"
- name: "Validate providers"
ansible.builtin.assert:
that: >
item.id is defined and item.id | length > 0 and
( (item.spi is defined and item.spi | length > 0) or
(item.url is defined and item.url | length > 0) or
( item.maven is defined and item.maven.repository_url is defined and item.maven.repository_url | length > 0 and
item.maven.group_id is defined and item.maven.group_id | length > 0 and
item.maven.artifact_id is defined and item.maven.artifact_id | length > 0) or
(item.local_path is defined and item.local_path | length > 0)
)
quiet: true
fail_msg: >
Providers definition incorrect; `id` and one of `spi`, `url`, `local_path`, or `maven` are mandatory. `key` and `value` are mandatory for each property
loop: "{{ keycloak_quarkus_providers }}"
- name: "Validate policies"
ansible.builtin.assert:
that:
- item.name is defined and item.name | length > 0
- item.url is defined and item.url | length > 0
- item.type is not defined or item.type | lower in keycloak_quarkus_supported_policy_types
quiet: true
fail_msg: >
Policy definition is incorrect: `name` and one of `url` are mandatory, `type` needs to be left empty or one of {{ keycloak_quarkus_supported_policy_types }}.
loop: "{{ keycloak_quarkus_policies }}"
- name: "Validate additional env variables"
ansible.builtin.assert:
that:
- item.key is defined and item.key | length > 0
- item.value is defined and item.value | length > 0
quiet: true
fail_msg: "Additional env variable definition is incorrect: `key` and `value` are mandatory."
no_log: true
loop: "{{ keycloak_quarkus_additional_env_vars }}"
- name: "Validate proxy-headers"
ansible.builtin.assert:
that:
- keycloak_quarkus_proxy_headers | lower in ['', 'forwarded', 'xforwarded']
quiet: true
fail_msg: "keycloak_quarkus_proxy_headers must be either '', 'forwarded' or 'xforwarded'"

3
roles/keycloak_quarkus/tasks/rebuild_config.yml
View File

@@ -3,5 +3,8 @@
- name: "Rebuild {{ keycloak.service_name }} config"
ansible.builtin.shell: |
{{ keycloak.home }}/bin/kc.sh build
environment:
PATH: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
JAVA_HOME: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}"
become: true
changed_when: true

6
roles/keycloak_quarkus/tasks/redhat.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: Include firewall config tasks
ansible.builtin.include_tasks: firewalld.yml
when: keycloak_quarkus_configure_firewalld
tags:
- firewall

17
roles/keycloak_quarkus/tasks/restart.yml
View File

@@ -1,8 +1,23 @@
---
- name: "Restart and enable {{ keycloak.service_name }} service"
ansible.builtin.systemd:
name: keycloak
name: "{{ keycloak.service_name }}"
enabled: true
state: restarted
daemon_reload: true
become: true
- name: "Wait until {{ keycloak.service_name }} service becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:
url: "{{ keycloak.health_url }}"
register: keycloak_status
until: keycloak_status.status == 200
retries: "{{ keycloak_quarkus_restart_health_check_reries }}"
delay: "{{ keycloak_quarkus_restart_health_check_delay }}"
when: internal_force_health_check | default(keycloak_quarkus_restart_health_check)
- name: Pause to give distributed ispn caches time to (re-)replicate back onto first host
ansible.builtin.pause:
seconds: "{{ keycloak_quarkus_restart_pause }}"
when:
- keycloak_quarkus_ha_enabled

4
roles/keycloak_quarkus/tasks/restart/none.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: "Display message"
ansible.builtin.debug:
msg: "keycloak_quarkus_restart_strategy is none, skipping restart"

11
roles/keycloak_quarkus/tasks/restart/serial.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: "Restart services in serial, with optional healtch check (keycloak_quarkus_restart_health_check)"
throttle: 1
block:
- name: "Restart and enable {{ keycloak.service_name }} service on {{ item }}"
ansible.builtin.include_tasks:
file: restart.yml
apply:
delegate_to: "{{ item }}"
run_once: true
loop: "{{ ansible_play_hosts }}"

20
roles/keycloak_quarkus/tasks/restart/serial_then_parallel.yml Normal file
View File

@@ -0,0 +1,20 @@
---
- name: Verify first restarted service with health URL, then rest restart in parallel
block:
- name: "Restart and enable {{ keycloak.service_name }} service on initial host"
ansible.builtin.include_tasks:
file: restart.yml
apply:
delegate_to: "{{ ansible_play_hosts | first }}"
run_once: true
vars:
internal_force_health_check: true
- name: "Restart and enable {{ keycloak.service_name }} service on other hosts"
ansible.builtin.systemd:
name: "{{ keycloak.service_name }}"
enabled: true
state: restarted
daemon_reload: true
become: true
when: inventory_hostname != ansible_play_hosts | first

2
roles/keycloak_quarkus/tasks/start.yml
View File

@@ -13,4 +13,4 @@
register: keycloak_status
until: keycloak_status.status == 200
retries: 25
delay: 10
delay: 10

Some files were not shown because too many files have changed in this diff Show More