Update changelog for release 3.0.8

Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>

.ansible-lint

@@ -1,4 +1,6 @@
 # .ansible-lint
+profile: production
+
 exclude_paths:
   - .cache/
   - .github/

CHANGELOG.rst

@@ -6,6 +6,9 @@ middleware\_automation.keycloak Release Notes
 
 This changelog describes changes after version 0.2.6.
 
+v3.0.8
+======
+
 v3.0.7
 ======
 

README.md

@@ -49,9 +49,9 @@ A requirement file is provided to install:
 <!--start roles_paths -->
 ### Included roles
 
-* `keycloak_quarkus`: role for installing keycloak (>= 19.0.0, quarkus based).
+* [`keycloak_quarkus`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md): role for installing keycloak (>= 19.0.0, quarkus based).
-* `keycloak_realm`: role for configuring a realm, user federation(s), clients and users, in an installed service.
+* [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
-* `keycloak`: role for installing legacy keycloak (<= 19.0, wildfly based).
+* [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing legacy keycloak (<= 19.0, wildfly based).
 
 <!--end roles_paths -->
 
@@ -220,5 +220,5 @@ For details on changes between versions, please see the [CHANGELOG](https://gith
 
 Apache License v2.0 or later
 <!--start license -->
-See [LICENSE](LICENSE) to view the full text.
+See [LICENSE](https://github.com/ansible-middleware/keycloak/blob/main/LICENSE) to view the full text.
 <!--end license -->

changelogs/changelog.yaml

@@ -825,3 +825,5 @@ releases:
     - 341.yaml
     - 343.yaml
     release_date: '2026-06-01'
+  3.0.8:
+    release_date: '2026-06-09'

molecule/quarkus/converge.yml

@@ -25,7 +25,7 @@
     keycloak_quarkus_systemd_wait_for_delay: 2
     keycloak_quarkus_systemd_wait_for_log: true
     keycloak_quarkus_restart_health_check: false # would fail because of self-signed cert
-    keycloak_quarkus_version: 26.6.2
+    keycloak_quarkus_version: 26.4.7
     keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx1024m"
     keycloak_quarkus_additional_env_vars:
       - key: KC_FEATURES_DISABLED
@@ -48,7 +48,7 @@
           repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4
           group_id: org.keycloak
           artifact_id: keycloak-kerberos-federation
-          version: 26.6.2 # optional
+          version: 26.4.7 # optional
           # username: myUser # optional
           # password: myPAT # optional
       # - id: my-static-theme

molecule/quarkus_upgrade/converge.yml

@@ -9,6 +9,6 @@
     keycloak_quarkus_additional_env_vars:
       - key: KC_FEATURES_DISABLED
         value: ciba,device-flow,impersonation,kerberos,docker
-    keycloak_quarkus_version: 26.6.2
+    keycloak_quarkus_version: 26.0.7
   roles:
     - role: keycloak_quarkus

molecule/quarkus_upgrade/prepare.yml

@@ -6,7 +6,7 @@
     - vars.yml
   vars:
     sudo_pkg_name: sudo
-    keycloak_quarkus_version: 26.6.1
+    keycloak_quarkus_version: 26.0.4
     keycloak_quarkus_additional_env_vars:
       - key: KC_FEATURES_DISABLED
         value: impersonation,kerberos

plugins/module_utils/identity/keycloak/keycloak.py

@@ -154,18 +154,6 @@ URL_AUTHZ_CUSTOM_POLICY = "{url}/admin/realms/{realm}/clients/{client_id}/authz/
 URL_AUTHZ_CUSTOM_POLICIES = "{url}/admin/realms/{realm}/clients/{client_id}/authz/resource-server/policy"
 
 
-def normalize_keycloak_url(url: str) -> str:
-    """Normalize Keycloak base URL for Admin REST API access.
-
-    Keycloak 17+ (Quarkus) exposes the API at the server root without an /auth prefix.
-    WildFly-based Keycloak used /auth as the context path. Trailing slashes are removed.
-    """
-    url = url.rstrip("/")
-    if url.endswith("/auth"):
-        return url[:-5]
-    return url
-
-
 def keycloak_argument_spec() -> dict[str, t.Any]:
     """
     Returns argument_spec of options common to keycloak_*-modules
@@ -215,7 +203,7 @@ def _token_request(module_params: dict[str, t.Any], payload: dict[str, t.Any]) -
            'refresh_token' for type 'refresh_token'.
     :return: access token
     """
-    base_url = normalize_keycloak_url(module_params["auth_keycloak_url"])
+    base_url = module_params["auth_keycloak_url"]
     if not base_url.lower().startswith(("http", "https")):
         raise KeycloakError(f"auth_url '{base_url}' should either start with 'http' or 'https'.")
     auth_realm = module_params.get("auth_realm")
@@ -403,7 +391,7 @@ class KeycloakAPI:
 
     def __init__(self, module: AnsibleModule, connection_header: dict[str, str]) -> None:
         self.module = module
-        self.baseurl = normalize_keycloak_url(self.module.params.get("auth_keycloak_url"))
+        self.baseurl = self.module.params.get("auth_keycloak_url")
         self.validate_certs = self.module.params.get("validate_certs")
         self.connection_timeout = self.module.params.get("connection_timeout")
         self.restheaders = connection_header

roles/keycloak_quarkus/README.md

@@ -33,7 +33,7 @@ Role Defaults
 
 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_version`| keycloak.org package version | `26.6.2` |
+|`keycloak_quarkus_version`| keycloak.org package version | `26.4.7` |
 |`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
 |`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |

roles/keycloak_quarkus/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 ### Configuration specific to keycloak
-keycloak_quarkus_version: 26.6.2
+keycloak_quarkus_version: 26.4.7
 keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
 keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
 keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"

roles/keycloak_quarkus/meta/argument_specs.yml

@@ -2,7 +2,7 @@ argument_specs:
     main:
         options:
             keycloak_quarkus_version:
-                default: "26.6.2"
+                default: "26.4.7"
                 description: "keycloak.org package version"
                 type: "str"
             keycloak_quarkus_archive:
@@ -519,7 +519,7 @@ argument_specs:
     downstream:
         options:
             rhbk_version:
-                default: "26.4.11"
+                default: "26.4.7"
                 description: "Red Hat Build of Keycloak version"
                 type: "str"
             rhbk_archive:

roles/keycloak_quarkus/templates/rhbk-sysconfig.j2

@@ -1,15 +0,0 @@
-{{ ansible_managed | comment }}
-{% if not ansible_local.keycloak.general.bootstrapped | default(false) | bool %}
-KC_BOOTSTRAP_ADMIN_USERNAME={{ keycloak_quarkus_bootstrap_admin_user }}
-KC_BOOTSTRAP_ADMIN_PASSWORD='{{ keycloak_quarkus_bootstrap_admin_password }}'
-{% else %}
-{{ keycloak.bootstrap_mnemonic }}
-{% endif %}
-PATH="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-JAVA_HOME="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}"
-JAVA_OPTS="{{ keycloak_quarkus_java_opts }}"
-
-# Custom ENV variables
-{% for env in keycloak_quarkus_additional_env_vars %}
-{{ env.key }}={{ env.value }}
-{% endfor %}

roles/keycloak_quarkus/templates/rhbk.conf.j2

@@ -1,110 +0,0 @@
-{{ ansible_managed | comment }}
-
-{% if keycloak_quarkus_db_enabled %}
-# Database
-db={{ keycloak_quarkus_db_engine }}
-db-url={{ keycloak_quarkus_db_url }}
-db-username={{ keycloak_quarkus_db_user }}
-{% if not keycloak.config_key_store_enabled %}
-db-password={{ keycloak_quarkus_db_pass }}
-{% endif %}
-{% endif %}
-
-{% if keycloak.config_key_store_enabled %}
-# Config store
-config-keystore={{ keycloak_quarkus_config_key_store_file }}
-config-keystore-password={{ keycloak_quarkus_config_key_store_password }}
-{% endif %}
-
-# Observability
-metrics-enabled={{ keycloak_quarkus_metrics_enabled | lower }}
-health-enabled={{ keycloak_quarkus_health_enabled | lower }}
-
-# HTTP
-http-enabled={{ keycloak_quarkus_http_enabled | lower }}
-{% if keycloak_quarkus_http_enabled %}
-http-port={{ keycloak_quarkus_http_port }}
-{% endif %}
-http-relative-path={{ keycloak_quarkus_http_relative_path }}
-http-host={{ keycloak_quarkus_http_host }}
-
-# Management
-http-management-port={{ keycloak_quarkus_http_management_port }}
-{% if keycloak_quarkus_http_management_relative_path is defined and keycloak_quarkus_http_management_relative_path | length > 0 %}
-http-management-relative-path={{ keycloak_quarkus_http_management_relative_path }}
-{% endif %}
-
-# HTTPS
-https-port={{ keycloak_quarkus_https_port }}
-{% if keycloak_quarkus_https_key_file_enabled %}
-https-certificate-file={{ keycloak_quarkus_cert_file}}
-https-certificate-key-file={{ keycloak_quarkus_key_file }}
-{% endif %}
-{% if keycloak_quarkus_https_key_store_enabled %}
-https-key-store-file={{ keycloak_quarkus_https_key_store_file }}
-https-key-store-password={{ keycloak_quarkus_https_key_store_password }}
-{% endif %}
-{% if keycloak_quarkus_https_trust_store_enabled %}
-https-trust-store-file={{ keycloak_quarkus_https_trust_store_file }}
-https-trust-store-password={{ keycloak_quarkus_https_trust_store_password }}
-{% endif %}
-
-# Client URL configuration
-hostname={{ keycloak_quarkus_hostname }}
-hostname-admin={{ keycloak_quarkus_hostname_admin }}
-hostname-strict={{ keycloak_quarkus_hostname_strict | lower }}
-hostname-backchannel-dynamic={{ keycloak_quarkus_hostname_backchannel_dynamic | lower }}
-
-# Cluster
-{% if keycloak_quarkus_ha_enabled %}
-cache=ispn
-{% if keycloak_quarkus_cache_managed_infinispan_config %}
-cache-config-file=cache-ispn.xml
-{% endif %}
-{% if keycloak_quarkus_cache_remote %}
-cache-remote-username={{ keycloak_quarkus_cache_remote_username }}
-cache-remote-password={{ keycloak_quarkus_cache_remote_password }}
-cache-remote-host={{ keycloak_quarkus_cache_remote_host }}
-cache-remote-port={{ keycloak_quarkus_cache_remote_port }}
-cache-remote-tls-enabled={{ keycloak_quarkus_cache_remote_tls_enabled | lower }}
-{% endif %}
-{{ keycloak_quarkus_cache_embedded_properties }}
-{% endif %}
-
-{% if keycloak_quarkus_proxy_headers | length > 0 %}
-proxy-headers={{ keycloak_quarkus_proxy_headers | lower }}
-{% elif keycloak_quarkus_proxy_mode is defined and keycloak_quarkus_proxy_mode != "none" %}
-# Deprecated Proxy configuration
-proxy={{ keycloak_quarkus_proxy_mode }}
-{% endif %}
-
-spi-sticky-session-encoder-infinispan-should-attach-route={{ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route | d(true) | lower }}
-
-# Transaction
-transaction-xa-enabled={{ keycloak_quarkus_transaction_xa_enabled | lower }}
-
-# Logging
-#log-format=%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n
-log={{ keycloak_quarkus_log }}
-log-level={{ keycloak.log.level }}
-log-file={{ keycloak.log.file }}
-log-file-format={{ keycloak.log.format }}
-
-# Vault
-{% if keycloak_quarkus_ks_vault_enabled %}
-vault=keystore
-vault-file={{ keycloak_quarkus_ks_vault_file }}
-vault-type={{ keycloak_quarkus_ks_vault_type }}
-vault-pass={{ keycloak_quarkus_ks_vault_pass }}
-{% endif %}
-
-
-# Providers
-{% for provider in keycloak_quarkus_providers %}
-{% if provider.default is defined and provider.default %}
-spi-{{ provider.spi }}-provider={{ provider.id }}
-{% endif %}
-{% if provider.properties is defined %}{% for property in provider.properties %}
-spi-{{ provider.spi }}-{{ provider.id }}-{{ property.key }}={{ property.value }}
-{% endfor %}{% endif %}
-{% endfor %}

roles/keycloak_quarkus/templates/rhbk.fact.j2

@@ -1,2 +0,0 @@
-[general]
-bootstrapped={{ bootstrapped | lower }}

roles/keycloak_quarkus/templates/rhbk.service.j2

@@ -1,33 +0,0 @@
-{{ ansible_managed | comment }}
-[Unit]
-Description=Keycloak Server
-After=network.target
-
-[Service]
-EnvironmentFile=-{{ keycloak_quarkus_sysconf_file }}
-{% if keycloak_quarkus_start_dev %}
-ExecStart={{ keycloak.home }}/bin/kc.sh start-dev
-{% else %}
-ExecStart={{ keycloak.home }}/bin/kc.sh start --optimized
-{% endif %}
-User={{ keycloak.service_user }}
-Group={{ keycloak.service_group }}
-SuccessExitStatus=0 143
-{% if keycloak_quarkus_service_restart_always %}
-Restart=always
-{% elif keycloak_quarkus_service_restart_on_failure %}
-Restart=on-failure
-{% endif %}
-RestartSec={{ keycloak_quarkus_service_restartsec }}
-{% if keycloak_quarkus_http_port | int < 1024 or keycloak_quarkus_https_port | int < 1024 %}
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-{% endif %}
-{% if keycloak_quarkus_systemd_wait_for_port %}
-ExecStartPost=/usr/bin/timeout {{ keycloak_quarkus_systemd_wait_for_timeout }} sh -c 'while ! ss -H -t -l -n sport = :{{ keycloak_quarkus_systemd_wait_for_port_number }} | grep -q "^LISTEN.*:{{ keycloak_quarkus_systemd_wait_for_port_number }}"; do sleep 1; done && /bin/sleep {{ keycloak_quarkus_systemd_wait_for_delay }}'
-{% endif %}
-{% if keycloak_quarkus_systemd_wait_for_log %}
-ExecStartPost=/usr/bin/timeout {{ keycloak_quarkus_systemd_wait_for_timeout }} sh -c 'cat {{ keycloak.log.file }} | sed "/Profile.*activated/ q" && /bin/sleep {{ keycloak_quarkus_systemd_wait_for_delay }}'
-{% endif %}
-
-[Install]
-WantedBy=multi-user.target