internet/ansible-middleware.keycloak
3
0
Fork 0
mirror of https://github.com/ansible-middleware/keycloak.git synced 2026-03-27 13:53:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: internet:v0.0.2
Branches Tags
internet:main internet:gh-pages internet:feature/182_restart_handler internet:rhbk_mol_sudo
internet:3.0.3 internet:3.0.2 internet:3.0.1 internet:3.0.0 internet:2.4.3 internet:2.4.2 internet:2.4.1 internet:2.4.0 internet:2.3.0 internet:2.2.2 internet:2.2.1 internet:2.2.0 internet:2.1.2 internet:2.1.1 internet:2.1.0 internet:2.0.2 internet:2.0.1 internet:2.0.0 internet:1.3.0 internet:1.2.8 internet:1.2.7 internet:1.2.6 internet:1.2.5 internet:1.2.4 internet:1.2.1 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.7 internet:1.0.6 internet:1.0.5 internet:1.0.4 internet:1.0.3 internet:1.0.2 internet:1.0.1 internet:1.0.0 internet:v0.2.5 internet:v0.2.4 internet:v0.2.3 internet:0.2.2 internet:v0.2.1 internet:v0.2.0 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0 internet:v0.0.4 internet:v0.0.3 internet:v0.0.2 internet:v0.0.1
...
compare: internet:1.0.1
Branches Tags
internet:main internet:gh-pages internet:feature/182_restart_handler internet:rhbk_mol_sudo
internet:3.0.3 internet:3.0.2 internet:3.0.1 internet:3.0.0 internet:2.4.3 internet:2.4.2 internet:2.4.1 internet:2.4.0 internet:2.3.0 internet:2.2.2 internet:2.2.1 internet:2.2.0 internet:2.1.2 internet:2.1.1 internet:2.1.0 internet:2.0.2 internet:2.0.1 internet:2.0.0 internet:1.3.0 internet:1.2.8 internet:1.2.7 internet:1.2.6 internet:1.2.5 internet:1.2.4 internet:1.2.1 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.7 internet:1.0.6 internet:1.0.5 internet:1.0.4 internet:1.0.3 internet:1.0.2 internet:1.0.1 internet:1.0.0 internet:v0.2.5 internet:v0.2.4 internet:v0.2.3 internet:0.2.2 internet:v0.2.1 internet:v0.2.0 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0 internet:v0.0.4 internet:v0.0.3 internet:v0.0.2 internet:v0.0.1

122 Commits
v0.0.2 ... 1.0.1

Author SHA1 Message Date
Guido Grazioli
d5bf0a195a docs: fix typo 2022-03-11 15:31:48 +01:00
Guido Grazioli
c5b38e8bac docs: add testing and releasing contributor pages 2022-03-11 15:15:18 +01:00
Guido Grazioli
266f2bc00b Bump to v1.0.1 2022-03-11 15:11:21 +01:00
Guido Grazioli
cfdc043770 Update docs, fix patch apply steps and cli vars 2022-03-11 15:03:55 +01:00
Guido Grazioli
707d8cfb11 add rhsso_cli tasks, change shape of rhsso_rhn_ids 2022-03-11 15:03:55 +01:00
Guido Grazioli
f5cd6d8061 Merge pull request #17 from guidograzioli/replace_serial_with_runonce 
Replace use of serial with run_once
 2022-03-08 12:32:54 +01:00
Guido Grazioli
b88c43933c Replace use of serial with run_once 
run_once on first node when database config enabled (so the first
node creates the tables), then wakeup all other nodes
 2022-03-08 12:08:40 +01:00
Guido Grazioli
0bc81cc781 chore: add build ignores / fix release tag names 2022-03-01 19:05:28 +01:00
Guido Grazioli
60c5a42ae4 Merge pull request #16 from hcherukuri/main 
Bump version to 1.0.0 to satisfy Automation hub
 2022-03-01 19:00:38 +01:00
Harsha Cherukuri
2073c90e1d Bump version to 1.0.0 to statisfy Automation hub 2022-03-01 12:44:09 -05:00
Harsha Cherukuri
ffd146d392 Merge pull request #15 from guidograzioli/fqcn-builtins 
fix: use FQCN
 2022-03-01 12:42:09 -05:00
Guido Grazioli
78f225b10c chore: reword collection tags not accepted by galaxy 2022-03-01 10:46:06 +01:00
Guido Grazioli
a043021e48 docs: add automated doc generation 2022-03-01 10:22:12 +01:00
Guido Grazioli
a0ea9c62a7 update galaxy tags 2022-02-24 17:37:31 +01:00
Guido Grazioli
b90684a44a fix: use FQCN 2022-02-24 15:00:10 +01:00
Guido Grazioli
73bbca9fc1 drop ansible-lint offline option 2022-02-16 10:47:56 +01:00
Guido Grazioli
124c8ae0ad Fix linter errors 2022-02-16 10:47:56 +01:00
Guido Grazioli
bce963923d Update lint config and paths 2022-02-16 10:47:56 +01:00
Guido Grazioli
147ee5214e add lint skip_list and molecule setup 2022-02-16 10:47:56 +01:00
Guido Grazioli
042089d100 READMEs updated by helper scripts 2022-02-16 10:47:56 +01:00
Guido Grazioli
ac62d2e43d Merge pull request #11 from guidograzioli/polish_argument_specs 
document argument_specs
 2022-02-10 08:41:04 +01:00
Guido Grazioli
662918f5f8 Bump version to v0.2.4 2022-02-09 15:14:56 +01:00
Guido Grazioli
e0664d53a9 fix: copy from local only if target not existing 2022-02-09 15:06:40 +01:00
Guido Grazioli
20f321c628 document argument_specs 2022-02-09 11:19:49 +01:00
Guido Grazioli
9cafd431fb fix: add missing default 2022-02-08 16:46:18 +01:00
Guido Grazioli
f74d504b53 Add roles argument_specs.yml 2022-02-08 16:28:17 +01:00
Guido Grazioli
c853df5745 fix: ci 2022-02-08 15:25:36 +01:00
Guido Grazioli
a800517422 chore: update dep on jcliff -> wildfly 2022-02-08 15:15:27 +01:00
Guido Grazioli
cbb8ed4993 Start work on 0.2.3 2022-02-01 13:29:03 +01:00
Guido Grazioli
318bb10cbc bump version 0.2.2 2022-02-01 13:28:19 +01:00
Guido Grazioli
cc6ddd3959 Merge pull request #10 from motaparthipavankumar/user-federation 
User federation
 2022-02-01 12:50:04 +01:00
Guido Grazioli
d3887ae9bd move client roles check out of loop 2022-02-01 09:19:26 +01:00
root
81005141c5 User federation 2022-01-31 14:16:36 -06:00
Guido Grazioli
ce6982ad51 fix: typo 2022-01-31 17:21:57 +01:00
Guido Grazioli
c2314ad068 fix: dict check for client users 2022-01-31 17:02:49 +01:00
Guido Grazioli
47751a2f39 Merge pull request #9 from guidograzioli/prerelease_0.2.0 
Prerelease 0.2.0
 2022-01-28 15:45:49 +01:00
Guido Grazioli
b73f187930 fix: unpack archive only if needed 2022-01-28 15:18:49 +01:00
Guido Grazioli
99c14a79da fix: prefix match for alternate url download 2022-01-28 14:46:12 +01:00
Guido Grazioli
eaea4567cf Bump to 0.2.0 2022-01-27 16:34:52 +01:00
Guido Grazioli
dbad4ea086 Update documentation 2022-01-27 16:34:06 +01:00
Guido Grazioli
c5ee73cffc gitignore locally downloaded archives 2022-01-27 15:38:04 +01:00
Guido Grazioli
6a28da3736 simplify download logic, merge remaining install tasks 2022-01-27 15:38:03 +01:00
Guido Grazioli
0f02037746 move health url fact to variables 2022-01-27 15:38:03 +01:00
Guido Grazioli
8882b36c83 fix: template ports 2022-01-27 15:38:03 +01:00
Guido Grazioli
8895bc8e1f remove unused vars, document used vars 2022-01-27 15:38:03 +01:00
Guido Grazioli
34c18888c9 add ansible_managed macro to templates 2022-01-27 15:38:03 +01:00
Guido Grazioli
906ba3c577 refactor offline install, rhsso patch install 2022-01-27 15:38:03 +01:00
Guido Grazioli
11fb2cc43b rework docs, add python requirements 2022-01-27 15:38:03 +01:00
Guido Grazioli
44f0952afe setup demo repository triggers 2022-01-27 15:38:02 +01:00
Guido Grazioli
82fb60509b Merge pull request #8 from motaparthipavankumar/create-clients-enhancement 
Client Creation Enhancement
 2022-01-27 15:34:55 +01:00
root
2324d4070e Addressed review comments 2022-01-27 08:17:30 -06:00
Guido Grazioli
73a98ccfa6 Start work on v0.1.9 2022-01-20 21:04:37 +01:00
Guido Grazioli
3df7a1a2e1 fix: dblock for db migration / fix: ejb dist caches 2022-01-20 20:56:49 +01:00
root
0fdd89d571 Updated keycloak_realm/tasks/manage_client_roles.yml 2022-01-19 11:41:20 -06:00
Guido Grazioli
4a28e1914e Open jgroups port in firewall 2022-01-19 17:23:42 +01:00
root
bd84d99fd1 Updated keycloak_realm/tasks/main.yml 2022-01-19 10:14:00 -06:00
root
249e1840bb Updated molecule 2022-01-19 10:14:00 -06:00
root
8da1483354 Client Creation Enhancement 2022-01-19 10:13:55 -06:00
Guido Grazioli
18e002bf27 Merge pull request #7 from motaparthipavankumar/stable 
Local/Remote Source Support & User Federation Implementation
 2022-01-19 17:08:28 +01:00
Pavan Kumar Motaparthi
a309f7caae Merge branch 'ansible-middleware:main' into stable 2022-01-18 17:03:54 -06:00
Pavan Kumar Motaparthi
a1f483afe9 Merge pull request #4 from motaparthipavankumar/keycloak-realm-enhancement 
User Federation changes
 2022-01-18 11:23:00 -06:00
Pavan Kumar Motaparthi
59618c7c0c Merge pull request #3 from motaparthipavankumar/local-source-support 
Local path & source URL installation support
 2022-01-18 11:22:44 -06:00
root
247d8b8a22 User Federation changes 2022-01-17 15:53:16 -06:00
root
ce26ceeed0 Code review comments 2022-01-14 13:54:10 -06:00
Pavan Kumar Motaparthi
7b376e0681 Update README.md 
Co-authored-by: Andrew Block <andy.block@gmail.com>
 2022-01-14 09:42:29 -06:00
Pavan Kumar Motaparthi
9113cfe886 Update README.md 
Co-authored-by: Andrew Block <andy.block@gmail.com>
 2022-01-14 09:42:23 -06:00
Guido Grazioli
f1eec2596d Start work on v0.1.8 2022-01-14 14:14:38 +01:00
Guido Grazioli
ff77535293 Merge pull request #6 from ansible-middleware/keycloak_update_15_0_2 
Keycloak update 15 0 2
 2022-01-14 11:35:23 +01:00
Guido Grazioli
d4634fcebc update new download location 2022-01-14 11:10:08 +01:00
Guido Grazioli
d7597771cf Drop service logfile, symlink log directory instead 2022-01-14 10:14:24 +01:00
Guido Grazioli
94aecfcd87 Rename/merge templates and update install task 2022-01-14 10:09:10 +01:00
Guido Grazioli
7a989f7771 Move former templates and update docs 2022-01-14 10:06:43 +01:00
Guido Grazioli
5fa9243bcd fix: keycloak_frontend_url needs scheme 2022-01-14 09:54:26 +01:00
Guido Grazioli
1b44b47d1c Revert layout for collection sanity checks 2022-01-13 20:16:44 +01:00
Guido Grazioli
8a9cb79fa4 Update CI ansible collection download path 2022-01-13 20:08:41 +01:00
Guido Grazioli
4294746263 Update molecule dependency task to force correct path 2022-01-13 17:52:21 +01:00
Guido Grazioli
bcd82a5ae5 Add variable for frontendUrl (for revproxy scenario) 2022-01-13 17:38:11 +01:00
root
ef81faefdf Download source via url 2022-01-12 09:13:53 -06:00
root
4217ba6e7f Local path installation support 2022-01-11 09:28:02 -06:00
Guido Grazioli
ead4688ce6 Start work on v0.1.7 2022-01-10 17:50:28 +01:00
Guido Grazioli
406075df89 Bump and update README 2022-01-10 17:49:23 +01:00
Guido Grazioli
26be376b5c Template preferIPv4Stack, add health check after handler 2022-01-10 17:37:14 +01:00
Guido Grazioli
3cd69821c0 Bump version, document python3 netaddr dependency 2022-01-10 14:26:54 +01:00
Guido Grazioli
eba0d84a2b Add health port to keycloak-ispn, polish templates 2022-01-10 14:21:39 +01:00
Guido Grazioli
57f2472283 Update template versions in keycloak-ispn scenario 2022-01-10 11:43:08 +01:00
Guido Grazioli
c32b95898c Fix keycloak-infinispan standalone template versions 2022-01-10 09:53:55 +01:00
Guido Grazioli
0105924ec6 Merge pull request #5 from motaparthipavankumar/main 
Separate playbooks for installation and configuration
 2022-01-07 17:29:43 +01:00
motaparthipavankumar
249754f5f5 Merge pull request #2 from motaparthipavankumar/enhancement 
Removed anisble_hosts file & Updated README.md
 2022-01-07 10:09:55 -06:00
root
c78aaece81 Removed anisble_hosts file & Updated README.md 2022-01-07 10:09:25 -06:00
motaparthipavankumar
f748cf92b0 Merge pull request #1 from motaparthipavankumar/enhancement 
Separated Keycloak installation and configuration
 2022-01-07 09:17:46 -06:00
root
00e6b3601b Updated README.md 2022-01-07 09:16:38 -06:00
root
4cb021fe2c Separate playbooks for installation and configuration 2022-01-07 09:16:38 -06:00
Guido Grazioli
eb849021a9 Merge pull request #4 from sabre1041/roles-path 
Added roles path
 2022-01-07 10:01:01 +01:00
Andrew Block
2ccfc07f5d Added roles path 2022-01-05 23:33:28 -06:00
Guido Grazioli
c7e88e7cc2 Fix broken links in top README 2022-01-05 15:53:56 +01:00
Guido Grazioli
b5d2e9e236 Start work on v0.1.4 2022-01-05 15:24:53 +01:00
Guido Grazioli
53c5ef645a Parametrize jdbc driver version 2022-01-05 13:55:19 +01:00
Guido Grazioli
967d68898a JVM as variable, name all tasks, update README 2022-01-04 16:01:37 +01:00
Guido Grazioli
15d3411f45 Add configuration for hotrod TLS 2022-01-04 14:30:28 +01:00
Guido Grazioli
5eba1c12e4 Bind jgroups to any-address when ansible facts not defined 2021-12-31 12:31:08 +01:00
Guido Grazioli
52ca7083a4 Merge pull request #3 from ansible-middleware/refactor_standalone_xml 
Allow to change default standalone.xml path and name
 2021-12-30 16:47:16 +01:00
Romain Pelisse
cfb8f7c6fb Allow to change default standalone.xml path and name 2021-12-30 16:22:41 +01:00
Guido Grazioli
af157fd516 Start work on v0.1.3 2021-12-30 12:53:42 +01:00
Guido Grazioli
daa5396a47 Switch collection dep from jcliff to wildfly 2021-12-30 12:24:59 +01:00
Guido Grazioli
d663dea5c9 Merge pull request #2 from ansible-middleware/display_health_url 
Enhance wait message with keycloak healthcheck URL
 2021-12-30 10:47:33 +01:00
Romain Pelisse
543e82cb9f Enhance wait message with keycloak healthcheck URL 2021-12-29 18:30:58 +01:00
Guido Grazioli
496c902427 fix db init sql for postgresql 2021-12-29 16:30:36 +01:00
Guido Grazioli
c81976a0ce Start work on v0.1.2 2021-12-23 09:31:09 +01:00
Guido Grazioli
c061e664b3 Complete galaxy_info metadata 2021-12-23 09:30:13 +01:00
Guido Grazioli
434f92ae9b Start work on v0.1.1 2021-12-22 16:47:08 +01:00
Guido Grazioli
ad4f4cfa61 Bump to v0.1.0 2021-12-22 16:45:47 +01:00
Guido Grazioli
f5eaaf3650 Update READMEs 2021-12-22 14:02:13 +01:00
Guido Grazioli
702d09c731 Extract new keycloak_realm role out of keycloak 2021-12-22 10:05:48 +01:00
Guido Grazioli
1ded0a1cfe Variables polish pass 2021-12-22 08:49:55 +01:00
Guido Grazioli
1670ba060e Start work on v0.0.5 2021-12-20 16:14:22 +01:00
Guido Grazioli
70f13c4aba Disambiguate core-identifiers, set correct bind for jgroups 2021-12-20 15:55:52 +01:00
Guido Grazioli
f4b60dc764 Enable db by default when ha is enabled 2021-12-20 15:55:05 +01:00
Guido Grazioli
aaae00ad3a Update documentation 2021-12-20 15:54:24 +01:00
Guido Grazioli
6d4ff2d82a Start work on v0.0.4 2021-12-20 09:31:59 +01:00
Guido Grazioli
89a4c722b4 Add mysql module, bind jgroups to net 2021-12-19 15:43:26 +01:00
Guido Grazioli
9c97baf03b Add mariadb default, add config validation 2021-12-17 14:56:28 +01:00
Guido Grazioli
78adb450b2 Start work on v0.0.3 2021-12-16 15:36:08 +01:00
70 changed files with 3003 additions and 940 deletions
Expand all files Collapse all files

27
.ansible-lint Normal file
View File

@@ -0,0 +1,27 @@
# .ansible-lint
exclude_paths:
- .cache/
- .github/
- molecule/
- .ansible-lint
- .yamllint
rulesdir:
- ../../ansible-lint-custom-rules/rules/
enable_list:
- fqcn-builtins # opt-in
- no-log-password # opt-in
warn_list:
- role_vars_start_with_role_name
- vars_in_vars_files_have_valid_names
- vars_should_not_be_used
- experimental
- ignore-errors
- no-handler
- fqcn-builtins
- no-log-password
use_default_rules: true
parseable: true

48
.github/ISSUE_TEMPLATE/bug_report.md vendored Normal file
View File

@@ -0,0 +1,48 @@
---
name: 🐛 Bug report
about: Create a report to help us improve
---
##### SUMMARY
<!-- Explain the problem briefly -->
##### ISSUE TYPE
- Bug Report
##### ANSIBLE VERSION
<!-- Paste, BELOW THIS COMMENT, verbatim output from "ansible --version"-->
```
```
##### COLLECTION VERSION
<!-- Paste, BELOW THIS COMMENT, verbatim output from "ansible-galaxy collection list"-->
<!-- If using virtual environments or execution environments, remember to activate them-->
```
```
##### STEPS TO REPRODUCE
<!-- List the steps to reproduce the problem, using a minimal test-case. -->
<!-- Paste example playbook below -->
```yaml
```
##### EXPECTED RESULTS
<!-- What did you expect to happen when running the steps above? -->
##### ACTUAL RESULTS
<!-- What actually happened? If possible run with extra verbosity (-vvvv) and diff (--diff) -->
<!-- Please also include check mode (--check --diff) output if the API returns an error -->
<!-- Be sure to mask any sensitive information -->
<!--- Paste verbatim command output between quotes below -->
```
```

12
.github/ISSUE_TEMPLATE/feature_request.md vendored Normal file
View File

@@ -0,0 +1,12 @@
---
name: ✨ Feature request
about: Suggest an idea for this project
---
##### SUMMARY
<!--- Explain the problem briefly -->
##### ISSUE TYPE
- Feature Idea

12
.github/workflows/ci.yml vendored
View File

@@ -27,11 +27,17 @@ jobs:
run: |
python -m pip install --upgrade pip
pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
- name: Create default collection path symlink
- name: Install ansible-lint custom rules
uses: actions/checkout@v2
with:
repository: ansible-middleware/ansible-lint-custom-rules
path: ansible_collections/ansible-lint-custom-rules/
- name: Create default collection path
run: |
mkdir -p /home/runner/.ansible
ln -s /home/runner/work/middleware_automation/keycloak /home/runner/.ansible/collections
mkdir -p /home/runner/.ansible/collections/ansible_collections
- name: Run sanity tests
run: ansible-test sanity --docker -v --color --python ${{ matrix.python_version }}

75
.github/workflows/docs.yml vendored Normal file
View File

@@ -0,0 +1,75 @@
---
name: Documentation
on:
push:
branches:
- main
tags:
- "[0-9]+.[0-9]+.[0-9]+"
env:
COLORTERM: 'yes'
TERM: 'xterm-256color'
PYTEST_ADDOPTS: '--color=yes'
jobs:
docs:
runs-on: ubuntu-latest
if: github.repository == 'ansible-middleware/keycloak'
permissions:
actions: write
checks: write
contents: write
deployments: write
packages: write
pages: write
steps:
- name: Check out code
uses: actions/checkout@v2
with:
path: ansible_collections/middleware_automation/keycloak
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.9
- name: Install doc dependencies
run: |
python -m pip install --upgrade pip
pip install -r ansible_collections/middleware_automation/keycloak/docs/requirements.txt
pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
- name: Create default collection path
run: |
mkdir -p /home/runner/.ansible/collections/ansible_collections
- name: Create doc directories and resources
run: |
mkdir -p ./docs/plugins ./docs/roles
cat ./docs/roles.rst.template > ./docs/roles/index.rst
antsibull-docs collection --use-current --squash-hierarchy --dest-dir docs/plugins middleware_automation.keycloak
for role_readme in roles/*/README.md; do ln -f -s ../../$role_readme ./docs/roles/$(basename $(dirname $role_readme)).md; echo " * :doc:\`$(basename $(dirname $role_readme))\`" >> ./docs/roles/index.rst; done
working-directory: ansible_collections/middleware_automation/keycloak
- name: Run sphinx
run: |
sphinx-build -M html . _build -v
working-directory: ansible_collections/middleware_automation/keycloak/docs/
- name: Commit docs
run: |
git config user.name github-actions
git config user.email github-actions@github.com
git checkout gh-pages
rm -rf $(basename ${GITHUB_REF})
mv docs/_build/html $(basename ${GITHUB_REF})
ln --force --no-dereference --symbolic main latest
git show origin/main:docs/_gh_include/header.inc > index.html
(echo main; echo latest; dirname *.*.*/index.html | sort --version-sort --reverse) | xargs -I@@ -n1 echo '<li class="toctree-l1"><a class="reference internal" href="@@/">@@</a></li>' >> index.html
git show origin/main:docs/_gh_include/footer.inc >> index.html
git add $(basename ${GITHUB_REF}) latest index.html
git commit -m "Update docs for $(basename ${GITHUB_REF})" || true
git push origin gh-pages
working-directory: ansible_collections/middleware_automation/keycloak/

25
.github/workflows/release.yml vendored
View File

@@ -1,15 +1,16 @@
---
name: Release collection
on:
push:
tags:
- "*.*.*"
- "[0-9]+.[0-9]+.[0-9]+"
jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Checkout code
uses: actions/checkout@v2
- name: Set up Python
uses: actions/setup-python@v1
with:
@@ -30,9 +31,23 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
files: "*.tar.gz"
body: "Release ${{ steps.get_version.outputs.TAG_VERSION }}"
body: "Release v${{ steps.get_version.outputs.TAG_VERSION }}"
- name: Publish collection
env:
ANSIBLE_GALAXY_API_KEY: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
run: |
ansible-galaxy collection publish *.tar.gz --api-key $ANSIBLE_GALAXY_API_KEY
ansible-galaxy collection publish *.tar.gz --api-key $ANSIBLE_GALAXY_API_KEY
dispatch:
needs: release
strategy:
matrix:
repo: ['ansible-middleware/cross-dc-rhsso-demo', 'ansible-middleware/flange-demo']
runs-on: ubuntu-latest
steps:
- name: Repository Dispatch
uses: peter-evans/repository-dispatch@v1
with:
token: ${{ secrets.TRIGGERING_PAT }}
repository: ${{ matrix.repo }}
event-type: "Dependency released - Keycloak"
client-payload: '{ "github": ${{toJson(github)}} }'

11
.gitignore vendored
View File

@@ -1 +1,10 @@
*.tar.gz
*.tar.gz
*.zip
.tmp
.cache
docs/plugins/
docs/roles/
docs/_build/
.pytest_cache/
.mypy_cache/
*.retry

14
CONTRIBUTING.md Normal file
View File

@@ -0,0 +1,14 @@
## Contributor's Guidelines
- All YAML files named with `.yml` extension
- Use spaces around jinja variables. `{{ var }}` over `{{var}}`
- Variables that are internal to the role should be lowercase and start with the role name
- Keep roles self contained - Roles should avoid including tasks from other roles when possible
- Plays should do nothing more than include a list of roles, except where `pre_tasks` and `post_tasks` are required, when possible
- Separators - Use valid names, ie. underscores (e.g. `my_role` `my_playbook`) not dashes (`my-role`)
- Paths - When defining paths, do not include trailing slashes (e.g. `my_path: /foo` not `my_path: /foo/`); when concatenating paths, follow the same convention (e.g. `{{ my_path }}/bar` not `{{ my_path }}bar`)
- Indentation - Use 2 spaces for each indent
- `vars/` vs `defaults/` - internal or interpolated variables that don't need to change or be overridden by user go in `vars/`, those that a user would likely override, go under `defaults/` directory
- All role arguments have a specification in `meta/argument_specs.yml`
- All playbooks/roles should be focused on compatibility with Ansible Automation Platform

135
README.md
View File

@@ -1,4 +1,4 @@
# Ansible Collection - keycloak
# Ansible Collection - middleware_automation.keycloak
[![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
@@ -13,7 +13,8 @@ This collection has been tested against following Ansible versions: **>=2.9.10**
Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
<!--end requires_ansible-->
## Installation and Usage
## Installation
### Installing the Collection from Ansible Galaxy
@@ -29,21 +30,139 @@ collections:
- name: middleware_automation.keycloak
```
### Choosing between Red Hat products and upstream project
The keycloak collection also depends on the following python packages to be present on the controller host:
The roles supports installing Red Hat Single Sign-On from the Customer Portal, when the following variables are defined:
* netaddr
```
A requirement file is provided to install:
pip install -r requirements.txt
### Included roles
* [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service.
* [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
## Usage
### Install Playbook
* [`playbooks/keycloak.yml`](playbooks/keycloak.yml) installs the upstream(Keycloak) based on the defined variables.
* [`playbooks/rhsso.yml`](playbooks/rhsso.yml) installs Red Hat Single Sign-On(RHSSO) based on defined variables.
Both playbooks include the `keycloak` role, with different settings, as described in the following sections.
For full service configuration details, refer to the [keycloak role README](roles/keycloak/README.md).
### Choosing between upstream project (Keycloak) and Red Hat Single Sign-On (RHSSO)
The general flag `keycloak_rhsso_enable` controls what to install between upstream (Keycloak, when `False`) or Red Hat Single Sign-On (when `True`).
The default value for the flag if `True` when Red Hat Network credentials are defined, `False` otherwise.
#### Install upstream (Keycloak) from keycloak releases
This is the default approach when RHN credentials are not defined. Keycloak is downloaded from keycloak builds (hosted on github.com) locally, and distributed to target nodes.
#### Install RHSSO from the Red Hat Customer Support Portal
Define the credentials as follows, and the default behaviour is to download a fresh archive of RHSSO on the controller node, then distribute to target nodes.
```yaml
rhn_username: '<customer_portal_username>'
rhn_password: '<customer_portal_password>'
rhsso_rhn_id: '<sso_product_id>'
# (keycloak_rhsso_enable defaults to True)
```
where `sso_product_id` is the ID for the specific Red Hat Single Sign-On version, ie. _101971_ will install version _7.5_)
#### Install from controller node (local source)
Making the keycloak zip archive (or the RHSSO zip archive), available to the playbook repository root directory, and setting `keycloak_offline_install` to `True`, allows to skip
the download tasks. The local path for the archive matches the downloaded archive path, so it is also used as a cache when multiple hosts are provisioned in a cluster.
```yaml
keycloak_offline_install: True
```
And depending on `keycloak_rhsso_enable`:
* `True`: install RHSSO using file rh-sso-x.y.z-server-dist.zip
* `False`: install keycloak using file keycloak-x.y.zip
#### Install from alternate sources (like corporate Nexus, artifactory, proxy, etc)
For RHSSO:
```yaml
keycloak_rhsso_enable: True
keycloak_rhsso_download_url: "https://<internal-nexus.private.net>/<path>/<to>/rh-sso-x.y.z-server-dist.zip"
```
For keycloak:
```yaml
keycloak_rhsso_enable: False
keycloak_download_url: "https://<internal-nexus.private.net>/<path>/<to>/keycloak-x.y.zip"
```
### Example installation command
Execute the following command from the source root directory
```
ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme>
```
- `keycloak_admin_password` Password for the administration console user account.
- `ansible_hosts` is the inventory, below is an example inventory for deploying to localhost
```
[keycloak]
localhost ansible_connection=local
```
## Configuration
### Config Playbook
[`playbooks/keycloak_realm.yml`](playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
### Example configuration command
Execute the following command from the source root directory:
```bash
ansible-playbook -i <ansible_hosts> playbooks/keycloak_realm.yml -e keycloak_admin_password=<changeme> -e keycloak_realm=test
```
- `keycloak_admin_password` password for the administration console user account.
- `keycloak_realm` name of the realm to be created/used.
- `ansible_hosts` is the inventory, below is an example inventory for deploying to localhost
```
[keycloak]
localhost ansible_connection=local
```
For full configuration details, refer to the [keycloak_realm role README](roles/keycloak_realm/README.md).
## Support
Keycloak collection v1.0.0 is a Beta release and for [Technical Preview](https://access.redhat.com/support/offerings/techpreview). If you have any issues or questions related to collection, please don't hesitate to contact us on Ansible-middleware-core@redhat.com or open an issue on https://github.com/ansible-middleware/keycloak/issues
## License
Apache License v2.0 or later
See [LICENCE](LICENSE) to view the full text.
See [LICENSE](LICENSE) to view the full text.

1
docs/README.md Symbolic link
View File

@@ -0,0 +1 @@
../README.md

21
docs/_gh_include/footer.inc Normal file
View File

@@ -0,0 +1,21 @@
</ul>
</div>
</section>
</div>
</div>
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
</div>
<hr/>
<div role="contentinfo">
<p>&#169; Copyright 2022, Red Hat, Inc.</p>
</div>
Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
<a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
</body>
</html>

43
docs/_gh_include/header.inc Normal file
View File

@@ -0,0 +1,43 @@
<!doctype html>
<html>
<head>
<title>Keycloak Ansible Collection documentation index</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="stylesheet" href="https://ansible-middleware.github.io/keycloak/main/_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="https://ansible-middleware.github.io/keycloak/main/_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="https://ansible-middleware.github.io/keycloak/main/_static/ansible-basic-sphinx-ext.css" type="text/css" />
<script data-url_root="./" id="documentation_options" src="https://ansible-middleware.github.io/keycloak/main/_static/documentation_options.js"></script>
<script src="https://ansible-middleware.github.io/keycloak/main/_static/jquery.js"></script>
<script src="https://ansible-middleware.github.io/keycloak/main/_static/underscore.js"></script>
<script src="https://ansible-middleware.github.io/keycloak/main/_static/doctools.js"></script>
<script src="https://ansible-middleware.github.io/keycloak/main/_static/js/theme.js"></script>
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="#" class="icon icon-home"> Keycloak Ansible Collection</a>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="Page navigation">
<ul class="wy-breadcrumbs">
<li><a href="#" class="icon icon-home"></a> &raquo;</li>
<li>Welcome to Keycloak Collection documentation</li>
<li class="wy-breadcrumbs-aside"></li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section id="welcome-to-keycloak-collection-documentation">
<h1>Welcome to Keycloak Collection documentation<a class="headerlink" href="#welcome-to-keycloak-collection-documentation" title="Permalink to this headline"></a></h1>
<div class="toctree-wrapper compound">
<p class="caption" role="heading"><span class="caption-text">Pick collection version:</span></p>
<ul>

170
docs/conf.py Normal file
View File

@@ -0,0 +1,170 @@
# -*- coding: utf-8 -*-
#
# Configuration file for the Sphinx documentation builder.
#
# This file does only contain a selection of the most common options. For a
# full list see the documentation:
# http://www.sphinx-doc.org/en/master/config
# -- Path setup --------------------------------------------------------------
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
#
import datetime
import os
import sys
sys.path.insert(0, os.path.abspath('../plugins/module_utils/'))
# sys.path.insert(0, os.path.abspath('.'))
# -- Project information -----------------------------------------------------
project = 'Keycloak Ansible Collection'
copyright = '{y}, Red Hat, Inc.'.format(y=datetime.date.today().year)
author = 'Red Hat, Inc.'
# The short X.Y version
version = ''
# The full version, including alpha/beta/rc tags
release = ''
# -- General configuration ---------------------------------------------------
# If your documentation needs a minimal Sphinx version, state it here.
#
# needs_sphinx = '1.0'
# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
extensions = [
'myst_parser',
'sphinx.ext.autodoc',
'sphinx.ext.intersphinx',
'ansible_basic_sphinx_ext',
]
# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']
# The suffix(es) of source filenames.
# You can specify multiple suffix as a list of string:
#
# source_suffix = ['.rst', '.md']
source_suffix = ['.rst', '.md']
# The master toctree document.
master_doc = 'index'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
#
# This is also used if you do content translation via gettext catalogs.
# Usually you set "language" from the command line for these cases.
language = None
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
# This pattern also affects html_static_path and html_extra_path .
exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store', '.tmp']
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'
highlight_language = 'YAML+Jinja'
# -- Options for HTML output -------------------------------------------------
html_theme_path = ['_themes']
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
#
# html_theme = 'alabaster'
html_theme = 'sphinx_rtd_theme'
# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
#
# html_theme_options = {}
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = []
# Custom sidebar templates, must be a dictionary that maps document names
# to template names.
#
# The default sidebars (for documents that don't match any pattern) are
# defined by theme itself. Builtin themes are using these templates by
# default: ``['localtoc.html', 'relations.html', 'sourcelink.html',
# 'searchbox.html']``.
#
# html_sidebars = {}
# -- Options for HTMLHelp output ---------------------------------------------
# Output file base name for HTML help builder.
htmlhelp_basename = 'KeycloakCollectionDoc'
# -- Options for LaTeX output ------------------------------------------------
latex_elements = {
# The paper size ('letterpaper' or 'a4paper').
#
# 'papersize': 'letterpaper',
# The font size ('10pt', '11pt' or '12pt').
#
# 'pointsize': '10pt',
# Additional stuff for the LaTeX preamble.
#
# 'preamble': '',
# Latex figure (float) alignment
#
# 'figure_align': 'htbp',
}
# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title,
# author, documentclass [howto, manual, or own class]).
latex_documents = [
(master_doc, 'KeycloakCollection.tex', 'Red Hat Single Sign-On Ansible Collection Documentation',
'Red Hat, Inc.', 'manual'),
]
# -- Options for manual page output ------------------------------------------
# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
(master_doc, 'keycloakcollection', 'Red Hat Single Sign-On Ansible Collection Documentation',
[author], 1)
]
# -- Options for Texinfo output ----------------------------------------------
# Grouping the document tree into Texinfo files. List of tuples
# (source start file, target name, title, author,
# dir menu entry, description, category)
texinfo_documents = [
(master_doc, 'KeycloakCollection', 'Red Hat Single Sign-On Ansible Collection Documentation',
author, 'KeycloakCollection', 'One line description of project.',
'Miscellaneous'),
]
# -- Extension configuration -------------------------------------------------
# -- Options for intersphinx extension ---------------------------------------
# Example configuration for intersphinx: refer to the Python standard library.
intersphinx_mapping = {'python': ('https://docs.python.org/2', None), 'ansible': ('https://docs.ansible.com/ansible/latest/', None)}

1
docs/developing.md Symbolic link
View File

@@ -0,0 +1 @@
../CONTRIBUTING.md

32
docs/index.rst Normal file
View File

@@ -0,0 +1,32 @@
.. Red Hat middleware_automation Keycloak Ansible Collection documentation main file
Welcome to Keycloak Collection documentation
============================================
.. toctree::
:maxdepth: 2
:caption: User documentation
README
plugins/index
roles/index
.. toctree::
:maxdepth: 2
:caption: Developer documentation
developing
testing
releasing
.. toctree::
:maxdepth: 2
:caption: General
Changelog <CHANGELOG>
Indices and tables
==================
* :ref:`genindex`
* :ref:`search`

61
docs/releasing.md Normal file
View File

@@ -0,0 +1,61 @@
# Collection Versioning Strategy
Each supported collection maintained by Ansible follows Semantic Versioning 2.0.0 (https://semver.org/), for example:
Given a version number MAJOR.MINOR.PATCH, the following is incremented:
MAJOR version: when making incompatible API changes (see Feature Release scenarios below for examples)
MINOR version: when adding features or functionality in a backwards compatible manner, or updating testing matrix and/or metadata (deprecation)
PATCH version: when adding backwards compatible bug fixes or security fixes (strict).
Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.
The first version of a generally available supported collection on Ansible Automation Hub shall be version 1.0.0. NOTE: By default, all newly created collections may begin with a smaller default version of 0.1.0, and therefore a version of 1.0.0 should be explicitly stated by the collection maintainer.
## New content is added to an existing collection
Assuming the current release is 1.0.0, and a new module is ready to be added to the collection, the minor version would be incremented to 1.1.0. The change in the MINOR version indicates an additive change was made while maintaining backward compatibility for existing content within the collection.
## New feature to existing plugin or role within a collection (backwards compatible)
Assuming the current release is 1.0.0, and new features for an existing module are ready for release . We would increment the MINOR version to 1.1.0. The change in the MINOR version indicates an additive change was made while maintaining backward compatibility for existing content within the collection.
## Bug fix or security fix to existing content within a collection
Assuming the current release is 1.0.0 and a bug is fixed prior to the next minor release, the PATCH version would be incremented to 1.0.1. The patch indicates only a bug was fixed within a current version. The PATCH release does not contain new content, nor was functionality removed. Bug fixes may be included in a MINOR or MAJOR feature release if the timing allows, eliminating the need for a PATCH dedicated to the fix.
## Breaking change to any content within a collection
Assuming the current release is 1.0.0, and a breaking change (API or module) is introduced for a user or developer. The MAJOR version would be incremented to 2.0.0.
Examples of breaking changes within a collection may include but are not limited to:
- Argspec changes for a module that require either inventory structure or playbook changes.
- A change in the shape of either the inbound or returned payload of a filter plugin.
- Changes to a connection plugin that require additional inventory parameters or ansible.cfg entries.
- New functionality added to a module that changes the outcome of that module as released in previous versions.
- The removal of plugins from a collection.
## Content removed from a collection
Deleting a module or API is a breaking change. Please see the 'Breaking change' section for how to version this.
## A typographical error was fixed in the documentation for a collection
A correction to the README would be considered a bug fix and the PATCH incremented. See 'Bug fix' above.
## Documentation added/removed/modified within a collection
Only the PATCH version should be increased for a release that contains changes limited to revised documentation.
## Release automation
New releases are triggered by annotated git tags named after semantic versioning. The automation publishes the built artifacts to ansible-galaxy and github releases page.

5
docs/requirements.txt Normal file
View File

@@ -0,0 +1,5 @@
antsibull>=0.17.0
ansible-base>=2.10.12
sphinx-rtd-theme
git+https://github.com/felixfontein/ansible-basic-sphinx-ext
myst-parser

3
docs/roles.rst.template Normal file
View File

@@ -0,0 +1,3 @@
Role Index
==========

49
docs/testing.md Normal file
View File

@@ -0,0 +1,49 @@
# Testing
## Continuous integration
The collection is tested with a [molecule](https://github.com/ansible-community/molecule) setup covering the included roles and verifying correct installation and idempotency.
In order to run the molecule tests locally with python 3.9 available, after cloning the repository:
```
pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
molecule test --all
```
## Integration testing
Demo repositories which depend on the collection, and aggregate functionality with other middleware_automation collections, are automatically rebuilt
at every collection release to ensure non-breaking changes and consistent behaviour.
The repository are:
- [Flange demo](https://github.com/ansible-middleware/flange-demo)
A deployment of Wildfly cluster integrated with keycloak and infinispan.
- [CrossDC keycloak demo](https://github.com/ansible-middleware/cross-dc-rhsso-demo)
A clustered multi-regional installation of keycloak with infinispan remote caches.
## Test playbooks
Sample playbooks are provided in the `playbooks/` directory; to run the playbooks locally (requires a rhel system with python 3.9+, ansible, and systemd) the steps are as follows:
```
# setup environment
pip install ansible-core
# clone the repository
git clone https://github.com/ansible-middleware/keycloak
cd keycloak
# install collection dependencies
ansible-galaxy collection install -r requirements.yml
# install collection python deps
pip install -r requirements.txt
# create inventory for localhost
cat << EOF > inventory
[keycloak]
localhost ansible_connection=local
EOF
# run the playbook
ansible-playbook -i inventory playbooks/keycloak.yml
```

19
galaxy.yml
View File

@@ -1,22 +1,33 @@
---
namespace: middleware_automation
name: keycloak
version: "0.0.2"
version: "1.0.1"
readme: README.md
authors:
- Romain Pelisse <rpelisse@redhat.com>
- Guido Grazioli <ggraziol@redhat.com>
- Pavan Kumar Motaparthi <pmotapar@redhat.com>
description: Install and configure a keycloak, or Red Hat Single Sign-on, service.
license_file: "LICENSE"
tags:
- keycloak
- redhat
- rhel
- rhn
- sso
- openid
- application
- identity
- security
- infrastructure
- authentication
dependencies:
"middleware_automation.redhat_csp_download": ">=1.2.1"
"middleware_automation.jcliff": ">=0.0.19"
"middleware_automation.wildfly": ">=0.0.6"
repository: https://github.com/ansible-middleware/keycloak
documentation: https://github.com/ansible-middleware/keycloak
documentation: https://ansible-middleware.github.io/keycloak
homepage: https://github.com/ansible-middleware/keycloak
issues: https://github.com/ansible-middleware/keycloak/issues
build_ignore:
- molecule
- docs
- .github

35
molecule/default/converge.yml
View File

@@ -7,4 +7,37 @@
include_role:
name: ../../roles/keycloak
vars:
keycloak_admin_password: "changeme"
keycloak_admin_password: "changeme"
- name: Keycloak Realm Role
include_role:
name: ../../roles/keycloak_realm
vars:
keycloak_admin_password: "changeme"
keycloak_client_default_roles:
- TestRoleAdmin
- TestRoleUser
keycloak_client_users:
- username: TestUser
password: password
client_roles:
- client: TestClient
role: TestRoleUser
realm: "{{ keycloak_realm }}"
- username: TestAdmin
password: password
client_roles:
- client: TestClient
role: TestRoleUser
realm: "{{ keycloak_realm }}"
- client: TestClient
role: TestRoleAdmin
realm: "{{ keycloak_realm }}"
keycloak_realm: TestRealm
keycloak_clients:
- name: TestClient
roles: "{{ keycloak_client_default_roles }}"
realm: "{{ keycloak_realm }}"
public_client: "{{ keycloak_client_public }}"
web_origins: "{{ keycloak_client_web_origins }}"
users: "{{ keycloak_client_users }}"
client_id: TestClient

6
molecule/default/molecule.yml
View File

@@ -1,8 +1,12 @@
---
dependency:
name: galaxy
name: shell
command: ansible-galaxy collection install -r molecule/default/requirements.yml -p $HOME/.ansible/collections --force-with-deps
driver:
name: docker
lint: |
ansible-lint --version
ansible-lint -v
platforms:
- name: instance
image: registry.access.redhat.com/ubi8/ubi-init:latest

8
molecule/default/prepare.yml
View File

@@ -2,7 +2,11 @@
- name: Prepare
hosts: all
tasks:
- name: Disable beta repos
ansible.builtin.command: yum config-manager --disable '*beta*'
ignore_errors: yes
- name: Install sudo
yum:
ansible.builtin.yum:
name: sudo
state: present
state: present

10
molecule/default/requirements.yml Normal file
View File

@@ -0,0 +1,10 @@
---
collections:
- name: middleware_automation.redhat_csp_download
version: ">=1.2.1"
- name: middleware_automation.wildfly
version: ">=0.0.5"
- name: community.general
- name: community.docker
version: ">=1.9.1"

2
molecule/default/verify.yml
View File

@@ -5,6 +5,6 @@
- name: Populate service facts
ansible.builtin.service_facts:
- name: Check if keycloak service started
assert:
ansible.builtin.assert:
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"

10
playbooks/keycloak.yml
View File

@@ -2,12 +2,10 @@
- name: Playbook for Keycloak Hosts
hosts: keycloak
collections:
- middleware_automation.redhat_csp_download
roles:
- redhat_csp_download
- middleware_automation.keycloak
tasks:
- name: Keycloak Role
include_role:
name: keycloak
- name: Include keycloak role
ansible.builtin.include_role:
name: middleware_automation.keycloak.keycloak
vars:
keycloak_admin_password: "changeme"

67
playbooks/keycloak_realm.yml Normal file
View File

@@ -0,0 +1,67 @@
---
- name: Playbook for Keycloak Hosts
hosts: keycloak
tasks:
- name: Keycloak Realm Role
ansible.builtin.include_role:
name: middleware_automation.keycloak.keycloak_realm
vars:
keycloak_admin_password: "changeme"
keycloak_realm: TestRealm
keycloak_user_federation:
- realm: TestRealm
name: my-ldap
provider_id: ldap
provider_type: org.keycloak.storage.UserStorageProvider
config:
priority: '0'
enabled: true
cachePolicy: DEFAULT
batchSizeForSync: '1000'
editMode: READ_ONLY
importEnabled: true
syncRegistrations: false
vendor: other
usernameLDAPAttribute: uid
rdnLDAPAttribute: uid
uuidLDAPAttribute: entryUUID
userObjectClasses: inetOrgPerson, organizationalPerson
connectionUrl: ldaps://ldap.example.com:636
usersDn: ou=Users,dc=example,dc=com
authType: simple
bindDn: cn=directory reader
bindCredential: password
searchScope: '1'
validatePasswordPolicy: false
trustEmail: false
useTruststoreSpi: ldapsOnly
connectionPooling: true
pagination: true
allowKerberosAuthentication: false
debug: false
useKerberosForPasswordAuthentication: false
mappers:
- name: "full name"
providerId: "full-name-ldap-mapper"
providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
config:
ldap.full.name.attribute: cn
read.only: true
write.only: false
keycloak_clients:
- name: TestClient1
roles:
- TestClient1Admin
- TestClient1User
realm: "{{ keycloak_realm }}"
public_client: True
web_origins:
- http://testclient1origin/application
- http://testclient1origin/other
users:
- username: TestUser
password: password
client_roles:
- client: TestClient1
role: TestClient1User
realm: "{{ keycloak_realm }}"

14
playbooks/rhsso.yml Normal file
View File

@@ -0,0 +1,14 @@
---
- name: Playbook for Keycloak Hosts
hosts: keycloak
collections:
- middleware_automation.redhat_csp_download
roles:
- middleware_automation.redhat_csp_download.redhat_csp_download
tasks:
- name: Keycloak Role
ansible.builtin.include_role:
name: middleware_automation.keycloak.keycloak
vars:
keycloak_admin_password: "changeme"
keycloak_rhsso_enable: True

1
playbooks/roles Symbolic link
View File

@@ -0,0 +1 @@
../roles

6
requirements.txt Normal file
View File

@@ -0,0 +1,6 @@
#################################################
# python dependencies required to be installed
# on the controller host with:
# pip install -r requirements.txt
#
netaddr

4
requirements.yml
View File

@@ -2,6 +2,6 @@
collections:
- name: middleware_automation.redhat_csp_download
version: ">=1.2.1"
- name: middleware_automation.jcliff
version: ">=0.0.19"
- name: middleware_automation.wildfly
version: ">=0.0.5"
- name: community.general

246
roles/keycloak/README.md
View File

@@ -4,35 +4,14 @@ keycloak
Install [keycloak](https://keycloak.org/) or [Red Hat Single Sing-On](https://access.redhat.com/products/red-hat-single-sign-on) server configurations.
Role Defaults
-------------
Requirements
------------
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_ha_enabled`| enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
|`keycloak_admin_user`| Administration console user account | `admin` |
This role requires the `python3-netaddr` library installed on the controller node.
Role Variables
--------------
The following are a set of required variables for the role:
| Variable | Description |
|:---------|:------------|
|`keycloak_admin_password`| Password for the administration console user account |
The following variables are required when keycloak_ha_enabled is True:
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_modcluster_url` | URL for the modcluster reverse proxy | `localhost` |
|`postgres_jdbc_url` | URL for the postgres backend database | `jdbc:postgresql://localhost:5432/keycloak` |
|`postgres_db_user` | username for connecting to postgres | `keycloak-user` |
|`postgres_db_pass` | password for connecting to postgres | `keycloak-pass` |
|`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
|`infinispan_user` | username for connecting to infinispan | `supervisor` |
|`infinispan_pass` | password for connecting to infinispan | `supervisor` |
* to install via yum/dnf: `dnf install python3-netaddr`
* or via pip: `pip install netaddr==0.8.0`
* or via the collection: `pip install -r requirements.txt`
Dependencies
@@ -40,14 +19,137 @@ Dependencies
The roles depends on:
* the redhat_csp_download role of [middleware_automation.redhat_csp_download](https://github.com/ansible-middleware/redhat-csp-download) collection
* the jcliff role of [middleware_automation.jcliff](https://github.com/ansible-middleware/ansible_collections_jcliff) collection
* the `redhat_csp_download` role from [middleware_automation.redhat_csp_download](https://github.com/ansible-middleware/redhat-csp-download) collection if Red Hat Single Sign-on zip have to be downloaded from RHN.
* the `wildfly_driver` role from [middleware_automation.wildfly](https://github.com/ansible-middleware/wildfly) collection
Example Playbook
----------------
Versions
--------
The following is an example playbook that makes use of the role to install keycloak
| RH-SSO VERSION | Release Date | Keycloak Version | EAP Version | Notes |
|:---------------|:------------------|:-----------------|:------------|:----------------|
|`7.5.0 GA` |September 20, 2021 |`15.0.2` | `7.4.0` |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|
Patching
--------
When variable `keycloak_rhsso_apply_patches` is `True` (default: `True`), the role will automatically apply the latest cumulative patch for the selected base version.
| RH-SSO VERSION | Release Date | RH-SSO LATEST CP | Notes |
|:---------------|:------------------|:-----------------|:----------------|
|`7.5.0 GA` |January 20, 2022 |`7.5.1 GA` |[Release Notes](https://access.redhat.com/articles/6646321)|
Role Defaults
-------------
* Service configuration
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
|`keycloak_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_ha_enabled` is True, else `False` |
|`keycloak_admin_user`| Administration console user account | `admin` |
|`keycloak_bind_address`| Address for binding service ports | `0.0.0.0` |
|`keycloak_host`| hostname | `localhost` |
|`keycloak_http_port`| HTTP port | `8080` |
|`keycloak_https_port`| TLS HTTP port | `8443` |
|`keycloak_ajp_port`| AJP port | `8009` |
|`keycloak_jgroups_port`| jgroups cluster tcp port | `7600` |
|`keycloak_management_http_port`| Management port | `9990` |
|`keycloak_management_https_port`| TLS management port | `9993` |
|`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
|`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `True` |
|`keycloak_config_standalone_xml`| filename for configuration | `keycloak.xml` |
|`keycloak_service_user`| posix account username | `keycloak` |
|`keycloak_service_group`| posix account group | `keycloak` |
|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak.pid` |
|`jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-devel` |
* Install options
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation | `False` |
|`keycloak_offline_install` | perform an offline install | `False`|
|`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`|
|`keycloak_rhsso_download_url`| Download URL for RHSSO | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=<productID>`|
|`keycloak_version`| keycloak.org package version | `15.0.2` |
|`keycloak_rhsso_version`| RHSSO version | `7.5.0` |
|`keycloak_rhsso_apply_patches`| Install RHSSO more recent cumulative patch | `True` |
|`keycloak_dest`| Installation root path | `/opt/keycloak` |
|`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
|`keycloak_rhn_url` | Base download URI for customer portal | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=` |
|`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
* Miscellaneous configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_archive` | keycloak install archive filename | `keycloak-{{ keycloak_version }}.zip` |
|`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` |
|`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` |
|`keycloak_rhsso_archive` | Red Hat SSO install archive filename | `rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip` |
|`keycloak_rhsso_installdir`| Installation path for Red Hat SSO | `{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\.([0-9]*).*', '\1.\2') }}` |
|`keycloak_rhsso_download_url`| Full download URI for Red Hat SSO | `{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}` |
|`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}` |
|`keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` |
|`keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` |
|`keycloak_auth_realm` | Name for rest authentication realm | `master` |
|`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
|`keycloak_force_install` | Remove pre-existing versions of service | `False` |
|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
|`rhsso_rhn_id` | Customer Portal product ID for Red Hat SSO | `{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}` |
Role Variables
--------------
The following are a set of _required_ variables for the role:
| Variable | Description |
|:---------|:------------|
|`keycloak_admin_password`| Password for the administration console user account |
The following variables are _required_ only when `keycloak_ha_enabled` is True:
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_modcluster_url` | URL for the modcluster reverse proxy | `localhost` |
|`keycloak_frontend_url` | frontend URL for keycloak endpoints when a reverse proxy is used | `http://localhost` |
|`keycloak_jdbc_engine` | backend database flavour when db is enabled: [ postgres, mariadb ] | `postgres` |
|`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
|`infinispan_user` | username for connecting to infinispan | `supervisor` |
|`infinispan_pass` | password for connecting to infinispan | `supervisor` |
|`infinispan_sasl_mechanism`| Authentication type | `SCRAM-SHA-512` |
|`infinispan_use_ssl`| Enable hotrod TLS communication | `False` |
|`infinispan_trust_store_path`| Path to truststore with infinispan server certificate | `/etc/pki/java/cacerts` |
|`infinispan_trust_store_password`| Password for opening truststore | `changeit` |
The following variables are _required_ only when `keycloak_db_enabled` is True:
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_jdbc_url` | URL for the postgres backend database | `jdbc:postgresql://localhost:5432/keycloak` |
|`keycloak_jdbc_driver_version`| Version for the JDBC driver to download | `9.4.1212` |
|`keycloak_db_user` | username for connecting to postgres | `keycloak-user` |
|`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` |
Example Playbooks
-----------------
_NOTE_: use ansible vaults or other security systems for storing credentials.
* The following is an example playbook that makes use of the role to install keycloak from remote:
```yaml
---
@@ -62,6 +164,83 @@ The following is an example playbook that makes use of the role to install keycl
keycloak_admin_password: "changeme"
```
* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN:
```yaml
---
- name: Playbook for RHSSO
hosts: keycloak
collections:
- middleware_automation.redhat_csp_download
roles:
- redhat_csp_download
tasks:
- name: Keycloak Role
include_role:
name: keycloak
vars:
keycloak_admin_password: "changeme"
keycloak_rhsso_enable: True
rhn_username: '<customer portal username>'
rhn_password: '<customer portal password>'
```
* The following example playbook makes use of the role to install keycloak from the controller node:
```yaml
---
- hosts: ...
collections:
- middleware_automation.keycloak
tasks:
- name: Include keycloak role
include_role:
name: keycloak
vars:
keycloak_admin_password: "changeme"
keycloak_offline_install: True
# This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip
```
* This playbook installs Red Hat Single Sign-On from an alternate url:
```yaml
---
- hosts: keycloak
collections:
- middleware_automation.keycloak
tasks:
- name: Keycloak Role
include_role:
name: keycloak
vars:
keycloak_admin_password: "changeme"
keycloak_rhsso_enable: True
keycloak_rhsso_download_url: "<REPLACE with download url>"
# This should be the full of remote source rhsso zip file and can contain basic authentication credentials
```
* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from the controller node:
```yaml
---
- hosts: keycloak
collections:
- middleware_automation.keycloak
tasks:
- name: Keycloak Role
include_role:
name: keycloak
vars:
keycloak_admin_password: "changeme"
keycloak_rhsso_enable: True
keycloak_offline_install: True
# This should be the filename of rhsso zip file on Ansible node: rh-sso-7.5-server-dist.zip
```
License
-------
@@ -72,4 +251,5 @@ Author Information
------------------
* [Guido Grazioli](https://github.com/guidograzioli)
* [Romain Pelisse](https://github.com/rpelisse)
* [Romain Pelisse](https://github.com/rpelisse)
* [Pavan Kumar Motaparthi](https://github.com/motaparthipavankumar)

98
roles/keycloak/defaults/main.yml
View File

@@ -1,71 +1,87 @@
---
### Configuration specific to keycloak
keycloak_version: 9.0.2
keycloak_archive: keycloak-{{ keycloak_version }}.zip
keycloak_download_url: https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}
keycloak_local_download_dest: '{{ "~/keycloak_download" | expanduser }}'
keycloak_version: 15.0.2
keycloak_archive: "keycloak-{{ keycloak_version }}.zip"
keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
### Configuration specific to Red Hat Single Sing-On
keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined else False }}"
keycloak_rhsso_client_adapter_rhn_id: '101951'
keycloak_rhsso_saml_adapter_rhn_id: '101901'
keycloak_rhsso_version: 7.5
keycloak_rhsso_archive: rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip
keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version }}"
keycloak_rhsso_base_url: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId='
keycloak_rhsso_version: 7.5.0
rhsso_rhn_id: "{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}"
keycloak_rhsso_archive: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
keycloak_rhn_url: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId='
keycloak_rhsso_download_url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}"
keycloak_rhsso_apply_patches: True
### keycloak/rhsso choice: by default install rhsso if rhn credentials are defined
keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}"
# whether to install from local archive; filename must be keycloak_archive or keycloak_rhsso_archive depending on keycloak_rhsso_enable
keycloak_offline_install: False
### Install location and service settings
jvm_package: java-1.8.0-openjdk-devel
keycloak_dest: /opt/keycloak
keycloak_jboss_home: "{{ keycloak_rhsso_installdir if rhsso_rhn_id is defined else keycloak_installdir }}"
keycloak_jboss_home: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
keycloak_config_standalone_xml: "keycloak.xml"
keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
keycloak_service_user: keycloak
keycloak_service_group: keycloak
keycloak_service_pidfile: "/run/keycloak.pid"
keycloak_service_logfile: "{{ keycloak_dest }}/keycloak.log"
keycloak_configure_firewalld: False
### Keycloak configuration settings
### Common configuration settings
keycloak_bind_address: 0.0.0.0
keycloak_host: localhost
keycloak_http_port: 8080
keycloak_https_port: 8443
keycloak_ajp_port: 8009
keycloak_jgroups_port: 7600
keycloak_management_http_port: 9990
keycloak_management_https_port: 9993
keycloak_java_opts: "-Xms1024m -Xmx20480m -XX:MaxPermSize=768m"
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
# enable auto configuration for database backend, clustering and remote caches on infinispan
keycloak_java_opts: "-Xms1024m -Xmx2048m"
keycloak_prefer_ipv4: True
### Enable configuration for database backend, clustering and remote caches on infinispan
keycloak_ha_enabled: False
### Enable database configuration, must be enabled when HA is configured
keycloak_db_enabled: "{{ True if keycloak_ha_enabled else False }}"
# keycloak administration console user
### Keycloak administration console user
keycloak_admin_user: admin
keycloak_auth_realm: master
keycloak_auth_client: admin-cli
keycloak_force_install: False
keycloak_modcluster:
enabled: "{{ keycloak_ha_enabled }}"
reverse_proxy_url: "{{ keycloak_modcluster_url | default('localhost') }}"
### mod_cluster reverse proxy
keycloak_modcluster_url: localhost
keycloak_frontend_url: http://localhost
keycloak_remotecache:
enabled: "{{ keycloak_ha_enabled }}"
username: "{{ infinispan_user | default('supervisor') }}"
password: "{{ infinispan_pass | default('supervisor') }}"
realm: default
server_name: "{{ infinispan_url | default('localhost') }}"
trust_store_path: /path/to/jks/keystore
trust_store_password: changeme
### infinispan remote caches access (hotrod)
infinispan_user: supervisor
infinispan_pass: supervisor
infinispan_url: localhost
infinispan_sasl_mechanism: SCRAM-SHA-512
infinispan_use_ssl: False
# if ssl is enabled, import ispn server certificate here
infinispan_trust_store_path: /etc/pki/java/cacerts
infinispan_trust_store_password: changeit
keycloak_jdbc:
### database backend engine: values [ 'postgres', 'mariadb' ]
keycloak_jdbc_engine: postgres
### database backend credentials
keycloak_db_user: keycloak-user
keycloak_db_pass: keycloak-pass
keycloak_jdbc_url: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
keycloak_jdbc_driver_version: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
# override the variables above, following defaults show minimum supported versions
keycloak_default_jdbc:
postgres:
enabled: "{{ keycloak_ha_enabled }}"
driver_module_name: "org.postgresql"
driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/postgresql/main"
driver_version: 9.4.1212
driver_jar_filename: "postgresql-9.4.1212.jar"
driver_jar_url: "https://repo.maven.apache.org/maven2/org/postgresql/postgresql/9.4.1212/postgresql-9.4.1212.jar"
connection_url: "{{ postgres_jdbc_url | default('jdbc:postgresql://localhost:5432/keycloak') }}"
db_user: "{{ postgres_db_user | default('keycloak-user') }}"
db_password: "{{ postgres_db_pass | default('keycloak-pass') }}"
url: 'jdbc:postgresql://localhost:5432/keycloak'
version: 9.4.1212
mariadb:
url: 'jdbc:mariadb://localhost:3306/keycloak'
version: 2.7.4

2
roles/keycloak/handlers/main.yml
View File

@@ -1,3 +1,3 @@
---
- name: restart keycloak
include_tasks: restart_keycloak.yml
ansible.builtin.include_tasks: restart_keycloak.yml

288
roles/keycloak/meta/argument_specs.yml Normal file
View File

@@ -0,0 +1,288 @@
argument_specs:
main:
options:
keycloak_version:
# line 3 of keycloak/defaults/main.yml
default: "15.0.2"
description: "keycloak.org package version"
type: "str"
keycloak_archive:
# line 4 of keycloak/defaults/main.yml
default: "keycloak-{{ keycloak_version }}.zip"
description: "keycloak install archive filename"
type: "str"
keycloak_configure_firewalld:
# line 33 of keycloak/defaults/main.yml
default: false
description: "Ensure firewalld is running and configure keycloak ports"
type: "bool"
keycloak_download_url:
# line 5 of keycloak/defaults/main.yml
default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
description: "Download URL for keycloak"
type: "str"
keycloak_download_url_9x:
# line 6 of keycloak/defaults/main.yml
default: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
description: "Download URL for keycloak (deprecated)"
type: "str"
keycloak_installdir:
# line 7 of keycloak/defaults/main.yml
default: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
description: "Installation path"
type: "str"
keycloak_rhsso_version:
# line 10 of keycloak/defaults/main.yml
default: "7.5.0"
description: "Red Hat Single Sign-On version"
type: "str"
rhsso_rhn_id:
# line 11 of keycloak/defaults/main.yml
default: "{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}"
description: "Customer Portal product ID for Red Hat SSO"
type: "str"
keycloak_rhsso_archive:
# line 12 of keycloak/defaults/main.yml
default: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
description: "ed Hat SSO install archive filename"
type: "str"
keycloak_rhsso_apply_patches:
# line 16 of keycloak/defaults/main.yml
default: true
description: "Install RHSSO more recent cumulative patch"
type: "bool"
keycloak_rhsso_installdir:
# line 13 of keycloak/defaults/main.yml
default: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
description: "Installation path for Red Hat SSO"
type: "str"
keycloak_rhn_url:
# line 14 of keycloak/defaults/main.yml
default: "https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId="
description: "Base download URI for customer portal"
type: "str"
keycloak_rhsso_download_url:
# line 15 of keycloak/defaults/main.yml
default: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}"
description: "Full download URI for Red Hat SSO"
type: "str"
keycloak_rhsso_enable:
# line 18 of keycloak/defaults/main.yml
default: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}"
description: "Enable Red Hat Single Sign-on installation"
type: "str"
keycloak_offline_install:
# line 20 of keycloak/defaults/main.yml
default: false
description: "Perform an offline install"
type: "bool"
jvm_package:
# line 23 of keycloak/defaults/main.yml
default: "java-1.8.0-openjdk-devel"
description: "RHEL java package runtime rpm"
type: "str"
keycloak_dest:
# line 24 of keycloak/defaults/main.yml
default: "/opt/keycloak"
description: "Root installation directory"
type: "str"
keycloak_jboss_home:
# line 25 of keycloak/defaults/main.yml
default: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
description: "Installation work directory"
type: "str"
keycloak_config_dir:
# line 26 of keycloak/defaults/main.yml
default: "{{ keycloak_jboss_home }}/standalone/configuration"
description: "Path for configuration"
type: "str"
keycloak_config_standalone_xml:
# line 27 of keycloak/defaults/main.yml
default: "keycloak.xml"
description: "Service configuration filename"
type: "str"
keycloak_config_path_to_standalone_xml:
# line 28 of keycloak/defaults/main.yml
default: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
description: "Custom path for configuration"
type: "str"
keycloak_service_user:
# line 29 of keycloak/defaults/main.yml
default: "keycloak"
description: "posix account username"
type: "str"
keycloak_service_group:
# line 30 of keycloak/defaults/main.yml
default: "keycloak"
description: "posix account group"
type: "str"
keycloak_service_pidfile:
# line 31 of keycloak/defaults/main.yml
default: "/run/keycloak.pid"
description: "PID file path for service"
type: "str"
keycloak_bind_address:
# line 34 of keycloak/defaults/main.yml
default: "0.0.0.0"
description: "Address for binding service ports"
type: "str"
keycloak_host:
# line 35 of keycloak/defaults/main.yml
default: "localhost"
description: "Hostname for service"
type: "str"
keycloak_http_port:
# line 36 of keycloak/defaults/main.yml
default: 8080
description: "Listening HTTP port"
type: "int"
keycloak_https_port:
# line 37 of keycloak/defaults/main.yml
default: 8443
description: "Listening HTTPS port"
type: "int"
keycloak_ajp_port:
# line 38 of keycloak/defaults/main.yml
default: 8009
description: "Listening AJP port"
type: "int"
keycloak_jgroups_port:
# line 39 of keycloak/defaults/main.yml
default: 7600
description: "jgroups cluster tcp port"
type: "int"
keycloak_management_http_port:
# line 40 of keycloak/defaults/main.yml
default: 9990
description: "Management port (http)"
type: "int"
keycloak_management_https_port:
# line 41 of keycloak/defaults/main.yml
default: 9993
description: "Management port (https)"
type: "int"
keycloak_java_opts:
# line 42 of keycloak/defaults/main.yml
default: "-Xms1024m -Xmx2048m"
description: "Additional JVM options"
type: "str"
keycloak_prefer_ipv4:
# line 43 of keycloak/defaults/main.yml
default: true
description: "Prefer IPv4 stack and addresses for port binding"
type: "bool"
keycloak_ha_enabled:
# line 46 of keycloak/defaults/main.yml
default: false
description: "Enable auto configuration for database backend, clustering and remote caches on infinispan"
type: "bool"
keycloak_db_enabled:
# line 48 of keycloak/defaults/main.yml
default: "{{ True if keycloak_ha_enabled else False }}"
description: "Enable auto configuration for database backend"
type: "str"
keycloak_admin_user:
# line 51 of keycloak/defaults/main.yml
default: "admin"
description: "Administration console user account"
type: "str"
keycloak_auth_realm:
# line 52 of keycloak/defaults/main.yml
default: "master"
description: "Name for rest authentication realm"
type: "str"
keycloak_auth_client:
# line 53 of keycloak/defaults/main.yml
default: "admin-cli"
description: "Authentication client for configuration REST calls"
type: "str"
keycloak_force_install:
# line 55 of keycloak/defaults/main.yml
default: false
description: "Remove pre-existing versions of service"
type: "bool"
keycloak_modcluster_url:
# line 58 of keycloak/defaults/main.yml
default: "localhost"
description: "URL for the modcluster reverse proxy"
type: "str"
keycloak_frontend_url:
# line 59 of keycloak/defaults/main.yml
default: "http://localhost"
description: "Frontend URL for keycloak endpoints when a reverse proxy is used"
type: "str"
infinispan_user:
# line 62 of keycloak/defaults/main.yml
default: "supervisor"
description: "Username for connecting to infinispan"
type: "str"
infinispan_pass:
# line 63 of keycloak/defaults/main.yml
default: "supervisor"
description: "Password for connecting to infinispan"
type: "str"
infinispan_url:
# line 64 of keycloak/defaults/main.yml
default: "localhost"
description: "URL for the infinispan remote-cache server"
type: "str"
infinispan_sasl_mechanism:
# line 65 of keycloak/defaults/main.yml
default: "SCRAM-SHA-512"
description: "Authentication type to infinispan server"
type: "str"
infinispan_use_ssl:
# line 66 of keycloak/defaults/main.yml
default: false
description: "Enable hotrod client TLS communication"
type: "bool"
infinispan_trust_store_path:
# line 68 of keycloak/defaults/main.yml
default: "/etc/pki/java/cacerts"
description: "TODO document argument"
type: "str"
infinispan_trust_store_password:
# line 69 of keycloak/defaults/main.yml
default: "changeit"
description: "Path to truststore containing infinispan server certificate"
type: "str"
keycloak_jdbc_engine:
# line 72 of keycloak/defaults/main.yml
default: "postgres"
description: "Backend database flavour when db is enabled: [ postgres, mariadb ]"
type: "str"
keycloak_db_user:
# line 74 of keycloak/defaults/main.yml
default: "keycloak-user"
description: "Username for connecting to database"
type: "str"
keycloak_db_pass:
# line 75 of keycloak/defaults/main.yml
default: "keycloak-pass"
description: "Password for connecting to database"
type: "str"
keycloak_jdbc_url:
# line 76 of keycloak/defaults/main.yml
default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
description: "URL for connecting to backend database"
type: "str"
keycloak_jdbc_driver_version:
# line 77 of keycloak/defaults/main.yml
default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
description: "Version for the JDBC driver to download"
type: "str"
keycloak_admin_password:
# line 4 of keycloak/vars/main.yml
required: true
description: "Password for the administration console user account"
type: "str"
keycloak_url:
# line 12 of keycloak/vars/main.yml
default: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
description: "URL for configuration rest calls"
type: "str"
keycloak_management_url:
# line 13 of keycloak/vars/main.yml
default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
description: "URL for management console rest calls"
type: "str"

26
roles/keycloak/meta/main.yml
View File

@@ -1,3 +1,27 @@
---
collections:
- middleware_automation.redhat_csp_download
- middleware_automation.jcliff
- middleware_automation.wildfly
galaxy_info:
role_name: keycloak
namespace: middleware_automation
author: Romain Pelisse, Guido Grazioli, Pavan Kumar Motaparthi
description: Install keycloak or Red Hat Single Sing-On server configurations
company: Red Hat, Inc.
license: Apache License 2.0
min_ansible_version: "2.9"
platforms:
- name: EL
versions:
- 8
galaxy_tags:
- keycloak
- redhat
- rhel
- rhn
- sso

75
roles/keycloak/tasks/download_from_rhn.yml
View File

@@ -1,75 +0,0 @@
---
- assert:
that:
- zipfile_dest is defined
- rhn_id_file is defined
- rhn_username is defined
- rhn_password is defined
quiet: true
- set_fact:
rhn_download_url: "{{ keycloak_rhsso_base_url }}{{ rhn_id_file }}"
- name: "Check zipfile dest directory {{ zipfile_dest }}"
stat:
path: "{{ zipfile_dest }}"
register: archive_path
- name: "Install zipfile from RHN: {{ rhn_download_url }}"
redhat_csp_download:
url: "{{ rhn_download_url }}"
dest: "{{ zipfile_dest }}"
username: "{{ rhn_username }}"
password: "{{ rhn_password }}"
no_log: "{{ omit_rhn_output | default(true) }}"
when:
- archive_path is defined
- archive_path.stat is defined
- not archive_path.stat.exists
- name: "Check zipfile dest directory {{ zipfile_dest }}"
stat:
path: "{{ zipfile_dest }}"
register: path_to_downloaded_artefact
- block:
- file:
path: "{{ work_dir }}"
state: directory
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0750
- name: "Check directory {{ target_dir }}"
stat:
path: "{{ target_dir }}"
register: target_dir_state
- assert:
that:
- target_dir_state is defined
- target_dir_state.stat is defined
fail_msg: "Directory layout for {{ target_dir }} is invalid."
quiet: true
- name: "Decompress {{ zipfile_dest }} into {{ work_dir }} (results in {{ target_dir }}."
unarchive:
src: "{{ zipfile_dest }}"
dest: "{{ work_dir }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_user }}"
remote_src: yes
creates: "{{ target_dir }}"
when:
- not target_dir_state.stat.exists
- debug:
msg: "{{ target_dir }} already exists, skipping decompressing {{ zipfile_dest }}"
when:
- target_dir_state.stat.exists
when:
- path_to_downloaded_artefact is defined
- path_to_downloaded_artefact.stat is defined
- path_to_downloaded_artefact.stat.exists
- target_dir is defined
- work_dir is defined

6
roles/keycloak/tasks/fastpackages/check.yml
View File

@@ -1,14 +1,14 @@
---
- block:
- name: "Check if package {{ package_name }} is already installed"
command: rpm -q {{ package_name }}
ansible.builtin.command: rpm -q {{ package_name }}
args:
warn: no
register: rpm_info
changed_when: rpm_info.failed
rescue:
- name: "If package {{ package_name }} is missing, add it to the yum install list."
set_fact:
- name: "Add {{ package_name }} to the yum install list if missing"
ansible.builtin.set_fact:
packages_to_install: "{{ packages_to_install + [ package_name ] }}"
when: rpm_info.failed

7
roles/keycloak/tasks/fastpackages/install.yml
View File

@@ -1,17 +1,18 @@
---
- set_fact:
- name: Set facts
ansible.builtin.set_fact:
update_cache: true
packages_to_install: []
- name: "Check packages to be installed"
include_tasks: check.yml
ansible.builtin.include_tasks: check.yml
loop: "{{ packages_list | flatten }}"
loop_control:
loop_var: package_name
- name: "Install packages: {{ packages_to_install }}"
become: yes
yum:
ansible.builtin.yum:
name: "{{ packages_to_install }}"
state: present
when: packages_to_install | length > 0

7
roles/keycloak/tasks/firewalld.yml
View File

@@ -7,12 +7,12 @@
- name: Enable and start the firewalld service
become: yes
systemd:
ansible.builtin.systemd:
name: firewalld
enabled: yes
state: started
- name: Configure firewall for jdg ports
- name: Configure firewall for keycloak ports
become: yes
firewalld:
port: "{{ item }}"
@@ -24,4 +24,5 @@
- "{{ keycloak_https_port }}/tcp"
- "{{ keycloak_management_http_port }}/tcp"
- "{{ keycloak_management_https_port }}/tcp"
- "8009/tcp"
- "{{ keycloak_jgroups_port }}/tcp"
- "{{ keycloak_ajp_port }}/tcp"

222
roles/keycloak/tasks/install.yml
View File

@@ -1,5 +1,6 @@
---
- assert:
- name: Validate parameters
ansible.builtin.assert:
that:
- keycloak_jboss_home is defined
- keycloak_service_user is defined
@@ -9,39 +10,34 @@
- keycloak_version is defined
quiet: true
- set_fact:
keycloak_service_group: "{{ keycloak_service_user }}"
when:
- not keycloak_service_group is defined
- name: check for an existing deployment
- name: Check for an existing deployment
become: yes
stat:
ansible.builtin.stat:
path: "{{ keycloak_jboss_home }}"
register: existing_deploy
- block:
- name: stop the old keycloak service
- name: Stop the old keycloak service
become: yes
ignore_errors: yes
systemd:
ansible.builtin.systemd:
name: keycloak
state: stopped
- name: remove the old Keycloak deployment
- name: Remove the old Keycloak deployment
become: yes
file:
ansible.builtin.file:
path: "{{ keycloak_jboss_home }}"
state: absent
when: existing_deploy.stat.exists and keycloak_force_install|bool
- name: check for an existing deployment after possible forced removal
become: yes
stat:
ansible.builtin.stat:
path: "{{ keycloak_jboss_home }}"
- name: create Keycloak service user/group
become: yes
user:
ansible.builtin.user:
name: "{{ keycloak_service_user }}"
home: /opt/keycloak
system: yes
@@ -49,88 +45,146 @@
- name: create Keycloak install location
become: yes
file:
ansible.builtin.file:
dest: "{{ keycloak_dest }}"
state: directory
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0750
- block:
- set_fact:
archive: "{{ keycloak_dest }}/{{ keycloak_archive }}"
- name: "Check archive directory {{ archive }}"
stat:
path: "{{ archive }}"
register: archive_path
## check remote archive
- name: Set download archive path
ansible.builtin.set_fact:
archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"
- name: download Keycloak archive to target
get_url:
url: "{{ keycloak_download_url }}"
dest: "{{ keycloak_dest }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
when:
- archive_path is defined
- archive_path.stat is defined
- not archive_path.stat.exists
- name: Check download archive path
ansible.builtin.stat:
path: "{{ archive }}"
register: archive_path
- name: extract Keycloak archive on target
unarchive:
remote_src: yes
src: "{{ archive }}"
dest: "{{ keycloak_dest }}"
creates: "{{ keycloak_jboss_home }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
notify:
- restart keycloak
## download to controller
- name: Check local download archive path
ansible.builtin.stat:
path: "{{ lookup('env', 'PWD') }}"
register: local_path
delegate_to: localhost
- name: Download keycloak archive
ansible.builtin.get_url:
url: "{{ keycloak_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
delegate_to: localhost
when:
- archive_path is defined
- archive_path.stat is defined
- not archive_path.stat.exists
- not keycloak_rhsso_enable
- not keycloak_offline_install
- name: Perform download from RHN
middleware_automation.redhat_csp_download.redhat_csp_download:
url: "{{ keycloak_rhsso_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
username: "{{ rhn_username }}"
password: "{{ rhn_password }}"
no_log: "{{ omit_rhn_output | default(true) }}"
delegate_to: localhost
when:
- archive_path is defined
- archive_path.stat is defined
- not archive_path.stat.exists
- keycloak_rhsso_enable
- not keycloak_offline_install
- keycloak_rhn_url in keycloak_rhsso_download_url
- name: Download rhsso archive from alternate location
ansible.builtin.get_url:
url: "{{ keycloak_rhsso_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
delegate_to: localhost
when:
- archive_path is defined
- archive_path.stat is defined
- not archive_path.stat.exists
- keycloak_rhsso_enable
- not keycloak_offline_install
- not keycloak_rhn_url in keycloak_rhsso_download_url
- name: Check downloaded archive
ansible.builtin.stat:
path: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
register: local_archive_path
delegate_to: localhost
## copy and unpack
- name: Copy archive to target nodes
ansible.builtin.copy:
src: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
dest: "{{ archive }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0750
register: new_version_downloaded
when:
- not archive_path.stat.exists
- local_archive_path.stat is defined
- local_archive_path.stat.exists
become: yes
when: not keycloak_rhsso_enable
- block:
- assert:
that:
- rhsso_rhn_id is defined
quiet: true
fail_msg: "Can't install RHSSO without RHN ID."
- name: create download directory
file:
path: /opt/apps
state: directory
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0750
- include_tasks: download_from_rhn.yml
vars:
rhn_id_file: "{{ rhsso_rhn_id }}"
zipfile_dest: "{{ keycloak_dest }}/{{ keycloak_rhsso_archive }}"
work_dir: "{{ keycloak_dest }}"
target_dir: "{{ keycloak_jboss_home }}"
- name: "Check target directory: {{ keycloak.home }}"
ansible.builtin.stat:
path: "{{ keycloak.home }}"
register: path_to_workdir
become: yes
when: keycloak_rhsso_enable
- name: "Install Postresql driver"
include_role:
name: wildfly_driver
tasks_from: jdbc_driver.yml
- name: "Extract {{ 'Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Keycloak' }} archive on target"
ansible.builtin.unarchive:
remote_src: yes
src: "{{ archive }}"
dest: "{{ keycloak_dest }}"
creates: "{{ keycloak.home }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
become: yes
when:
- new_version_downloaded.changed or not path_to_workdir.stat.exists
notify:
- restart keycloak
- name: Inform decompression was not executed
ansible.builtin.debug:
msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
when:
- not new_version_downloaded.changed and path_to_workdir.stat.exists
- name: "Reown installation directory to {{ keycloak_service_user }}"
ansible.builtin.file:
path: "{{ keycloak.home }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
recurse: true
become: yes
changed_when: false
# driver and configuration
- name: "Install {{ keycloak_jdbc_engine }} driver"
ansible.builtin.include_role:
name: middleware_automation.wildfly.wildfly_driver
vars:
wildfly_user: "{{ keycloak_service_user }}"
jdbc_driver_module_dir: "{{ keycloak_jdbc.postgres.driver_module_dir }}"
jdbc_driver_version: "{{ keycloak_jdbc.postgres.driver_version }}"
jdbc_driver_jar_filename: "{{ keycloak_jdbc.postgres.driver_jar_filename }}"
jdbc_driver_jar_url: "{{ keycloak_jdbc.postgres.driver_jar_url }}"
jdbc_driver_jar_installation_path: "{{ keycloak_jdbc.postgres.driver_module_dir }}/{{ keycloak_jdbc.postgres.driver_jar_filename }}"
jdbc_driver_module_name: "{{ keycloak_jdbc.postgres.driver_module_name }}"
when: keycloak_jdbc.postgres.enabled
jdbc_driver_module_dir: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
jdbc_driver_version: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_version }}"
jdbc_driver_jar_filename: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_filename }}"
jdbc_driver_jar_url: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_url }}"
jdbc_driver_jar_installation_path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}/{{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_filename }}"
jdbc_driver_module_name: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}"
when: keycloak_jdbc[keycloak_jdbc_engine].enabled
- name: "Deploy Keycloak's standalone.xml"
- name: "Deploy {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
become: yes
template:
src: "{{ 'templates/standalone-rhsso.xml.j2' if keycloak_rhsso_enable else 'templates/standalone.xml.j2' }}"
dest: "{{ keycloak_jboss_home }}/standalone/configuration/standalone.xml"
ansible.builtin.template:
src: templates/standalone.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0640
@@ -138,11 +192,11 @@
- restart keycloak
when: not keycloak_remotecache.enabled
- name: "Deploy Keycloak's standalone.xml with remote cache store"
- name: "Deploy {{ keycloak.service_name }} config with remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
become: yes
template:
src: "{{ 'templates/standalone-rhsso-jdg.xml.j2' if keycloak_rhsso_enable else 'templates/standalone-infinispan.xml.j2' }}"
dest: "{{ keycloak_jboss_home }}/standalone/configuration/standalone.xml"
ansible.builtin.template:
src: templates/standalone-infinispan.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0640

57
roles/keycloak/tasks/main.yml
View File

@@ -1,18 +1,43 @@
---
# tasks file for keycloak
- name: Prerequisites
include_tasks: prereqs.yml
- name: Check prerequisites
ansible.builtin.include_tasks: prereqs.yml
tags:
- prereqs
- include_tasks: tasks/install.yml
- name: Include firewall config tasks
ansible.builtin.include_tasks: firewalld.yml
when: keycloak_configure_firewalld
tags:
- firewall
- include_tasks: tasks/systemd.yml
- name: Include install tasks
ansible.builtin.include_tasks: install.yml
tags:
- install
- name: Include systemd tasks
ansible.builtin.include_tasks: systemd.yml
tags:
- systemd
- name: Include patch install tasks
ansible.builtin.include_tasks: rhsso_patch.yml
when: keycloak_rhsso_apply_patches and keycloak_rhsso_enable
tags:
- install
- patch
- name: Link default logs directory
ansible.builtin.file:
state: link
src: "{{ keycloak_jboss_home }}/standalone/log"
dest: /var/log/keycloak
- block:
- name: Check admin credentials by generating a token
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
@@ -22,14 +47,22 @@
retries: 2
delay: 2
rescue:
- name: create Keycloak admin user
command:
- name: "Create {{ keycloak.service_name }} admin user"
ansible.builtin.command:
args:
argv:
- "{{ keycloak_jboss_home }}/bin/add-user-keycloak.sh"
- -rmaster
- -u{{ keycloak_admin_user }}
- -p{{ keycloak_admin_password }}
- "-rmaster"
- "-u{{ keycloak_admin_user }}"
- "-p{{ keycloak_admin_password }}"
changed_when: yes
become: yes
- name: restart keycloak
include_tasks: tasks/restart_keycloak.yml
- name: "Restart {{ keycloak.service_name }}"
ansible.builtin.include_tasks: tasks/restart_keycloak.yml
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:
url: "{{ keycloak.health_url }}"
register: keycloak_status
until: keycloak_status.status == 200
retries: 25
delay: 10

73
roles/keycloak/tasks/manage_realm.yml
View File

@@ -1,73 +0,0 @@
---
- name: Generate keycloak auth token
uri:
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no
register: keycloak_auth_response
until: keycloak_auth_response.status == 200
retries: 5
delay: 2
- name: "Determine if realm exists"
uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}"
method: GET
status_code:
- 200
- 404
headers:
Accept: "application/json"
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_realm_exists
- name: Create Realm
uri:
url: "{{ keycloak_url }}/auth/admin/realms"
method: POST
body: "{{ lookup('template','realm.json.j2') }}"
validate_certs: no
body_format: json
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
status_code: 201
when: keycloak_realm_exists.status == 404
- name: Create Client
community.general.keycloak_client:
auth_client_id: "{{ keycloak_auth_client }}"
auth_keycloak_url: "{{ keycloak_url }}/auth"
auth_realm: "{{ keycloak_auth_realm }}"
auth_username: "{{ keycloak_admin_user }}"
auth_password: "{{ keycloak_admin_password }}"
client_id: "{{ item.name }}"
realm: "{{ item.realm }}"
default_roles: "{{ item.roles | default(omit) }}"
root_url: "{{ item.root_url | default('') }}"
redirect_uris: "{{ demo_app_redirect_uris | default([]) }}"
public_client: "{{ item.public_client | default(False) }}"
web_origins: "{{ item.web_origins | default('+') }}"
state: present
register: create_client_result
loop: "{{ keycloak_clients | flatten }}"
- name: Create client roles
include_tasks: manage_client_roles.yml
when: keycloak_rhsso_enable
loop: "{{ keycloak_clients | flatten }}"
loop_control:
loop_var: client
- name: Manage Users
include_tasks: manage_user.yml
loop: "{{ keycloak_users }}"
loop_control:
loop_var: user
- name: Manage User Roles
include_tasks: manage_user_roles.yml
loop: "{{ keycloak_users | flatten }}"
loop_control:
loop_var: user
when: "'client_roles' in user"

24
roles/keycloak/tasks/prereqs.yml
View File

@@ -1,12 +1,30 @@
---
- set_fact:
- name: Validate configuration
ansible.builtin.assert:
that:
- (keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and not keycloak_db_enabled)
quiet: True
fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_ha_enabled and keycloak_db_enabled"
success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"
- name: Validate credentials
ansible.builtin.assert:
that:
- (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
- (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
quiet: True
fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
- name: Set required packages facts
ansible.builtin.set_fact:
required_packages:
- "{{ jvm_package | default('java-1.8.0-openjdk-devel') }}"
- "{{ jvm_package }}"
- unzip
- procps-ng
- initscripts
- name: "Ensures required packages are installed"
- name: Ensures required packages are installed
ansible.builtin.include_tasks: fastpackages/install.yml
vars:
packages_list: "{{ required_packages }}"

2
roles/keycloak/tasks/restart_keycloak.yml
View File

@@ -1,6 +1,6 @@
---
- name: "Restart and enable keycloack service"
systemd:
ansible.builtin.systemd:
name: keycloak
enabled: yes
state: restarted

13
roles/keycloak/tasks/rhsso_cli.yml Normal file
View File

@@ -0,0 +1,13 @@
---
- name: Ensure required params for CLI have been provided
ansible.builtin.assert:
that:
- query is defined
fail_msg: "Missing required parameters to execute CLI."
quiet: true
- name: "Execute CLI query: {{ query }}"
ansible.builtin.command: >
{{ keycloak.cli_path }} --connect --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
changed_when: false
register: cli_result

87
roles/keycloak/tasks/rhsso_patch.yml Normal file
View File

@@ -0,0 +1,87 @@
---
## check remote patch archive
- name: Set download patch archive path
ansible.builtin.set_fact:
patch_archive: "{{ keycloak_dest }}/{{ keycloak.patch_bundle }}"
- name: Check download patch archive path
ansible.builtin.stat:
path: "{{ patch_archive }}"
register: patch_archive_path
- name: Perform download from RHN
middleware_automation.redhat_csp_download.redhat_csp_download:
url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.id }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
username: "{{ rhn_username }}"
password: "{{ rhn_password }}"
no_log: "{{ omit_rhn_output | default(true) }}"
delegate_to: localhost
when:
- patch_archive_path is defined
- patch_archive_path.stat is defined
- not patch_archive_path.stat.exists
- keycloak_rhsso_enable
- not keycloak_offline_install
## copy and unpack
- name: Copy patch archive to target nodes
ansible.builtin.copy:
src: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
dest: "{{ patch_archive }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0750
register: new_version_downloaded
when:
- not patch_archive_path.stat.exists
- local_archive_path.stat is defined
- local_archive_path.stat.exists
become: yes
- name: "Check installed patches"
ansible.builtin.include_tasks: rhsso_cli.yml
vars:
query: "patch info"
- name: "Perform patching"
when:
- cli_result is defined
- cli_result.stdout is defined
- rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
block:
- name: "Apply patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} to server"
ansible.builtin.include_tasks: rhsso_cli.yml
vars:
query: "patch apply {{ patch_archive }}"
- name: "Restart server to ensure patch content is running"
ansible.builtin.include_tasks: rhsso_cli.yml
vars:
query: "shutdown --restart"
when:
- cli_result.rc == 0
- name: "Wait until Keycloak becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:
url: "{{ keycloak.health_url }}"
register: keycloak_status
until: keycloak_status.status == 200
retries: 25
delay: 10
- name: "Query installed patch after restart"
ansible.builtin.include_tasks: rhsso_cli.yml
vars:
query: "patch info"
- name: "Verify installed patch version"
ansible.builtin.assert:
that:
- rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
fail_msg: "Patch installation failed"
success_msg: "Patch installation successful"
- name: "Skipping patch"
debug:
msg: "Latest cumulative patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} already installed, skipping patch installation."

15
roles/keycloak/tasks/start_keycloak.yml Normal file
View File

@@ -0,0 +1,15 @@
---
- name: start keycloak
ansible.builtin.systemd:
name: keycloak
enabled: yes
state: started
become: yes
- name: "Wait until Keycloak becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:
url: "{{ keycloak.health_url }}"
register: keycloak_status
until: keycloak_status.status == 200
retries: 25
delay: 10

4
roles/keycloak/tasks/stop_keycloak.yml
View File

@@ -1,6 +1,6 @@
---
- name: "Stop SSO service"
systemd:
- name: Stop keycloak
ansible.builtin.systemd:
name: keycloak
enabled: yes
state: stopped

46
roles/keycloak/tasks/systemd.yml
View File

@@ -1,6 +1,6 @@
- name: configure keycloak service script wrapper
- name: Configure keycloak service script wrapper
become: yes
template:
ansible.builtin.template:
src: keycloak-service.sh.j2
dest: "{{ keycloak_dest }}/keycloak-service.sh"
owner: root
@@ -9,9 +9,9 @@
notify:
- restart keycloak
- name: configure sysconfig file for keycloak service
- name: Configure sysconfig file for keycloak service
become: yes
template:
ansible.builtin.template:
src: keycloak-sysconfig.j2
dest: /etc/sysconfig/keycloak
owner: root
@@ -20,8 +20,8 @@
notify:
- restart keycloak
- name: configure systemd unit file for keycloak service
template:
- name: Configure systemd unit file for keycloak service
ansible.builtin.template:
src: keycloak.service.j2
dest: /etc/systemd/system/keycloak.service
owner: root
@@ -32,34 +32,30 @@
notify:
- restart keycloak
- name: reload systemd
- name: Reload systemd
become: yes
systemd:
ansible.builtin.systemd:
daemon_reload: yes
when: systemdunit.changed
- name: start keycloak
systemd:
name: keycloak
enabled: yes
state: started
become: yes
- name: Start and wait for keycloak service (first node db)
ansible.builtin.include_tasks: start_keycloak.yml
run_once: yes
when: keycloak_db_enabled
- command: "systemctl status keycloak"
- name: Start and wait for keycloak service (remaining nodes)
ansible.builtin.include_tasks: start_keycloak.yml
- name: Check service status
ansible.builtin.command: "systemctl status keycloak"
register: keycloak_service_status
changed_when: False
- assert:
- name: Verify service status
ansible.builtin.assert:
that:
- keycloak_service_status is defined
- keycloak_service_status.stdout is defined
- meta: flush_handlers
- name: Wait until Keycloak becomes active
uri:
url: "{{ keycloak_management_url }}/health"
register: keycloak_status
until: keycloak_status.status == 200
retries: 20
delay: 10
- name: Flush handlers
ansible.builtin.meta: flush_handlers

124
roles/keycloak/templates/standalone-rhsso-jdg.xml.j2 → roles/keycloak/templates/9.0.2/standalone-infinispan.xml.j2
View File

@@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:16.0">
<server xmlns="urn:jboss:domain:10.0">
<extensions>
<extension module="org.jboss.as.clustering.infinispan"/>
<extension module="org.jboss.as.clustering.jgroups"/>
@@ -23,9 +23,10 @@
<extension module="org.wildfly.extension.bean-validation"/>
<extension module="org.wildfly.extension.core-management"/>
<extension module="org.wildfly.extension.elytron"/>
<extension module="org.wildfly.extension.health"/>
<extension module="org.wildfly.extension.io"/>
<extension module="org.wildfly.extension.metrics"/>
<extension module="org.wildfly.extension.microprofile.config-smallrye"/>
<extension module="org.wildfly.extension.microprofile.health-smallrye"/>
<extension module="org.wildfly.extension.microprofile.metrics-smallrye"/>
<extension module="org.wildfly.extension.request-controller"/>
<extension module="org.wildfly.extension.security.manager"/>
<extension module="org.wildfly.extension.undertow"/>
@@ -44,7 +45,8 @@
<security-realm name="ApplicationRealm">
<server-identities>
<ssl>
<keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
<keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password"
alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
</ssl>
</server-identities>
<authentication>
@@ -141,7 +143,7 @@
</subsystem>
<subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
<subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
<subsystem xmlns="urn:jboss:domain:datasources:6.0">
<subsystem xmlns="urn:jboss:domain:datasources:5.0">
<datasources>
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
@@ -187,7 +189,7 @@
<subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
<deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:ee:6.0">
<subsystem xmlns="urn:jboss:domain:ee:4.0">
<spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
<concurrent>
<context-services>
@@ -197,15 +199,17 @@
<managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
</managed-thread-factories>
<managed-executor-services>
<managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
<managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-threshold="60000" keepalive-time="5000"/>
</managed-executor-services>
<managed-scheduled-executor-services>
<managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
<managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-threshold="60000" keepalive-time="3000"/>
</managed-scheduled-executor-services>
</concurrent>
<default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
<default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS"
managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default"
managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:ejb3:9.0">
<subsystem xmlns="urn:jboss:domain:ejb3:6.0">
<session-bean>
<stateless>
<bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
@@ -232,7 +236,7 @@
<file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
</data-stores>
</timer-service>
<remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
<remote cluster="ejb" connector-ref="http-remoting-connector" thread-pool-name="default">
<channel-creation-options>
<option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
</channel-creation-options>
@@ -248,7 +252,7 @@
<statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<log-system-exceptions value="true"/>
</subsystem>
<subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
<subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
<providers>
<aggregate-providers name="combined-providers">
<providers name="elytron"/>
@@ -357,7 +361,7 @@
</key-store>
</key-stores>
<key-managers>
<key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
<key-manager name="applicationKM" key-store="applicationKS">
<credential-reference clear-text="password"/>
</key-manager>
</key-managers>
@@ -366,22 +370,21 @@
</server-ssl-contexts>
</tls>
</subsystem>
<subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
<subsystem xmlns="urn:jboss:domain:infinispan:12.0">
<cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
<subsystem xmlns="urn:jboss:domain:infinispan:9.0">
<cache-container name="ejb" default-cache="passivation" aliases="sfsb" module="org.wildfly.clustering.ejb.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
</cache-container>
<cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
<cache-container name="keycloak" module="org.keycloak.keycloak-model-infinispan">
<transport lock-timeout="60000"/>
<local-cache name="realms">
<heap-memory size="10000"/>
<object-memory size="10000"/>
</local-cache>
<local-cache name="users">
<heap-memory size="10000"/>
<object-memory size="10000"/>
</local-cache>
<local-cache name="authenticationSessions"/>
{% for cachename in [ "sessions", "offlineSessions", "clientSessions", "offlineClientSessions", "loginFailures", "actionTokens" ] %}
@@ -405,6 +408,7 @@
<property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property>
<property name="infinispan.client.hotrod.trust_store_type">JKS</property>
<property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property>
<property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
</remote-store>
</distributed-cache>
{% endfor %}
@@ -428,22 +432,23 @@
<property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property>
<property name="infinispan.client.hotrod.trust_store_type">JKS</property>
<property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property>
<property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
</remote-store>
</replicated-cache>
<local-cache name="authorization">
<heap-memory size="10000"/>
<object-memory size="10000"/>
</local-cache>
<local-cache name="keys">
<heap-memory size="1000"/>
<object-memory size="1000"/>
<expiration max-idle="3600000"/>
</local-cache>
</cache-container>
<cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
<cache-container name="server" default-cache="default" module="org.wildfly.clustering.server">
<local-cache name="default">
<transaction mode="BATCH"/>
</local-cache>
</cache-container>
<cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
<cache-container name="web" default-cache="passivation" module="org.wildfly.clustering.web.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
@@ -455,13 +460,13 @@
</local-cache>
<local-cache name="routing"/>
</cache-container>
<cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
<cache-container name="hibernate" module="org.infinispan.hibernate-cache">
<local-cache name="entity">
<heap-memory size="10000"/>
<object-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="local-query">
<heap-memory size="10000"/>
<object-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="timestamps"/>
@@ -471,7 +476,7 @@
<worker name="default"/>
<buffer-pool name="default"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
<subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
<subsystem xmlns="urn:jboss:domain:jca:5.0">
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
<bean-validation enabled="true"/>
@@ -491,13 +496,34 @@
</default-workmanager>
<cached-connection-manager/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jgroups:8.0">
<subsystem xmlns="urn:jboss:domain:jgroups:7.0">
<channels default="ee">
<channel name="ee" stack="tcp" cluster="ejb"/>
</channels>
<stacks>
<stack name="tcp">
<transport site="${jboss.node.name}" type="TCP" socket-binding="jgroups-tcp"/>
{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
<protocol type="JDBC_PING">
<property name="datasource_jndi_name">java:jboss/datasources/KeycloakDS</property>
<property name="initialize_sql">{{ keycloak_jdbc[keycloak_jdbc_engine].initialize_db }}</property>
<property name="insert_single_sql">INSERT INTO JGROUPSPING (own_addr, cluster_name, ping_data) values (?, ?, ?)</property>
<property name="delete_single_sql">DELETE FROM JGROUPSPING WHERE own_addr=? AND cluster_name=?</property>
<property name="select_all_pingdata_sql">SELECT ping_data FROM JGROUPSPING WHERE cluster_name=?</property>
</protocol>
{% endif %}
<protocol type="MERGE3"/>
<protocol type="FD_SOCK"/>
<protocol type="FD_ALL"/>
<protocol type="VERIFY_SUSPECT"/>
<protocol type="pbcast.NAKACK2"/>
<protocol type="UNICAST3"/>
<protocol type="pbcast.STABLE"/>
<protocol type="pbcast.GMS">
<property name="join_timeout">30000</property>
</protocol>
<protocol type="MFC"/>
<protocol type="FRAG2"/>
</stack>
</stacks>
</subsystem>
@@ -507,7 +533,7 @@
<remoting-connector/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jpa:1.1">
<jpa default-extended-persistence-inheritance="DEEP"/>
<jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>auth</web-context>
@@ -583,19 +609,18 @@
<default-provider>default</default-provider>
<provider name="default" enabled="true">
<properties>
<property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
<property name="forceBackendUrlToFrontendUrl" value="false"/>
<property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
<property name="forceBackendUrlToFrontendUrl" value="true"/>
</properties>
</provider>
</spi>
</subsystem>
<subsystem xmlns="urn:jboss:domain:mail:4.0">
<subsystem xmlns="urn:jboss:domain:mail:3.0">
<mail-session name="default" jndi-name="java:jboss/mail/Default">
<smtp-server outbound-socket-binding-ref="mail-smtp"/>
</mail-session>
</subsystem>
<subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
{% if keycloak_modcluster.enabled %}
{% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
<dynamic-load-provider>
@@ -603,7 +628,7 @@
</dynamic-load-provider>
</proxy>
</subsystem>
{% endif %}
{% endif %}
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
@@ -650,8 +675,8 @@
</maximum-set>
</deployment-permissions>
</subsystem>
<subsystem xmlns="urn:jboss:domain:transactions:6.0">
<core-environment node-identifier="${jboss.tx.node.id:1}">
<subsystem xmlns="urn:jboss:domain:transactions:5.0">
<core-environment node-identifier="{{ inventory_hostname | default('${jboss.tx.node.id:1}') }}">
<process-id>
<uuid/>
</process-id>
@@ -660,7 +685,9 @@
<coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host"
default-servlet-container="default" default-security-domain="other"
statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/>
@@ -685,11 +712,24 @@
</filters>
</subsystem>
<subsystem xmlns="urn:jboss:domain:weld:4.0"/>
</profile>
<subsystem xmlns="urn:wildfly:microprofile-config-smallrye:1.0"/>
<subsystem xmlns="urn:wildfly:microprofile-health-smallrye:2.0" security-enabled="false"
empty-liveness-checks-status="${env.MP_HEALTH_EMPTY_LIVENESS_CHECKS_STATUS:UP}"
empty-readiness-checks-status="${env.MP_HEALTH_EMPTY_READINESS_CHECKS_STATUS:UP}"/>
<subsystem xmlns="urn:wildfly:microprofile-metrics-smallrye:2.0" security-enabled="false"
exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
</profile>
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="jgroups">
{% if ansible_default_ipv4 is defined %}
<subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
{% else %}
<any-address />
{% endif %}
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:127.0.0.1}"/>
</interface>
@@ -700,18 +740,18 @@
<socket-binding name="https" port="${jboss.https.port:8443}"/>
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="jgroups-tcp" interface="management" port="7600"/>
<socket-binding name="jgroups-tcp" interface="jgroups" port="7600"/>
<socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
</outbound-socket-binding>
{% if keycloak_modcluster.enabled %}
{% if keycloak_modcluster.enabled %}
<outbound-socket-binding name="proxy1">
<remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
</outbound-socket-binding>
{% endif %}
{% endif %}
<outbound-socket-binding name="remote-cache">
<remote-destination host="{{ keycloak_remotecache.server_name | default('localhost') }}" port="${remote.cache.port:11222}"/>
</outbound-socket-binding>

431
roles/keycloak/templates/standalone-rhsso.xml.j2 → roles/keycloak/templates/9.0.2/standalone.xml.j2
View File

@@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:16.0">
<server xmlns="urn:jboss:domain:10.0">
<extensions>
<extension module="org.jboss.as.clustering.infinispan"/>
<extension module="org.jboss.as.connector"/>
@@ -22,9 +22,10 @@
<extension module="org.wildfly.extension.bean-validation"/>
<extension module="org.wildfly.extension.core-management"/>
<extension module="org.wildfly.extension.elytron"/>
<extension module="org.wildfly.extension.health"/>
<extension module="org.wildfly.extension.io"/>
<extension module="org.wildfly.extension.metrics"/>
<extension module="org.wildfly.extension.microprofile.config-smallrye"/>
<extension module="org.wildfly.extension.microprofile.health-smallrye"/>
<extension module="org.wildfly.extension.microprofile.metrics-smallrye"/>
<extension module="org.wildfly.extension.request-controller"/>
<extension module="org.wildfly.extension.security.manager"/>
<extension module="org.wildfly.extension.undertow"/>
@@ -43,7 +44,8 @@
<security-realm name="ApplicationRealm">
<server-identities>
<ssl>
<keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
<keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password"
alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
</ssl>
</server-identities>
<authentication>
@@ -128,7 +130,7 @@
</subsystem>
<subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
<subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
<subsystem xmlns="urn:jboss:domain:datasources:6.0">
<subsystem xmlns="urn:jboss:domain:datasources:5.0">
<datasources>
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
@@ -156,7 +158,7 @@
<subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
<deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:ee:6.0">
<subsystem xmlns="urn:jboss:domain:ee:4.0">
<spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
<concurrent>
<context-services>
@@ -166,15 +168,17 @@
<managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
</managed-thread-factories>
<managed-executor-services>
<managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
<managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-threshold="60000" keepalive-time="5000"/>
</managed-executor-services>
<managed-scheduled-executor-services>
<managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
<managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-threshold="60000" keepalive-time="3000"/>
</managed-scheduled-executor-services>
</concurrent>
<default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
<default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS"
managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default"
managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:ejb3:9.0">
<subsystem xmlns="urn:jboss:domain:ejb3:6.0">
<session-bean>
<stateless>
<bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
@@ -201,7 +205,7 @@
<file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
</data-stores>
</timer-service>
<remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
<remote connector-ref="http-remoting-connector" thread-pool-name="default">
<channel-creation-options>
<option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
</channel-creation-options>
@@ -217,7 +221,130 @@
<statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<log-system-exceptions value="true"/>
</subsystem>
<subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
<subsystem xmlns="urn:jboss:domain:io:3.0">
<worker name="default"/>
<buffer-pool name="default"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:infinispan:9.0">
<cache-container name="keycloak">
<local-cache name="realms">
<object-memory size="10000"/>
</local-cache>
<local-cache name="users">
<object-memory size="10000"/>
</local-cache>
<local-cache name="sessions"/>
<local-cache name="authenticationSessions"/>
<local-cache name="offlineSessions"/>
<local-cache name="clientSessions"/>
<local-cache name="offlineClientSessions"/>
<local-cache name="loginFailures"/>
<local-cache name="work"/>
<local-cache name="authorization">
<object-memory size="10000"/>
</local-cache>
<local-cache name="keys">
<object-memory size="1000"/>
<expiration max-idle="3600000"/>
</local-cache>
<local-cache name="actionTokens">
<object-memory size="-1"/>
<expiration max-idle="-1" interval="300000"/>
</local-cache>
</cache-container>
<cache-container name="server" default-cache="default" module="org.wildfly.clustering.server">
<local-cache name="default">
<transaction mode="BATCH"/>
</local-cache>
</cache-container>
<cache-container name="web" default-cache="passivation" module="org.wildfly.clustering.web.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
<local-cache name="sso">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
</local-cache>
<local-cache name="routing"/>
</cache-container>
<cache-container name="ejb" aliases="sfsb" default-cache="passivation" module="org.wildfly.clustering.ejb.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
</cache-container>
<cache-container name="hibernate" module="org.infinispan.hibernate-cache">
<local-cache name="entity">
<object-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="local-query">
<object-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="timestamps"/>
</cache-container>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
<subsystem xmlns="urn:jboss:domain:jca:5.0">
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
<bean-validation enabled="true"/>
<default-workmanager>
<short-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</short-running-threads>
<long-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</long-running-threads>
</default-workmanager>
<cached-connection-manager/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
<expose-resolved-model/>
<expose-expression-model/>
<remoting-connector/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jpa:1.1">
<jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:mail:3.0">
<mail-session name="default" jndi-name="java:jboss/mail/Default">
<smtp-server outbound-socket-binding-ref="mail-smtp"/>
</mail-session>
</subsystem>
{% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
</proxy>
</subsystem>
{% endif %}
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
<subsystem xmlns="urn:jboss:domain:security-manager:1.0">
<deployment-permissions>
<maximum-set>
<permission class="java.security.AllPermission"/>
</maximum-set>
</deployment-permissions>
</subsystem>
<subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
<providers>
<aggregate-providers name="combined-providers">
<providers name="elytron"/>
@@ -275,7 +402,6 @@
<permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
<permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
<permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
<permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
</permission-set>
</permission-sets>
<http>
@@ -317,126 +443,78 @@
</mechanism-provider-filtering-sasl-server-factory>
<provider-sasl-server-factory name="global"/>
</sasl>
<tls>
<key-stores>
<key-store name="applicationKS">
<credential-reference clear-text="password"/>
<implementation type="JKS"/>
<file path="application.keystore" relative-to="jboss.server.config.dir"/>
</key-store>
</key-stores>
<key-managers>
<key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
<credential-reference clear-text="password"/>
</key-manager>
</key-managers>
<server-ssl-contexts>
<server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
</server-ssl-contexts>
</tls>
</subsystem>
<subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
<subsystem xmlns="urn:jboss:domain:infinispan:12.0">
<cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
</cache-container>
<cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
<local-cache name="realms">
<heap-memory size="10000"/>
</local-cache>
<local-cache name="users">
<heap-memory size="10000"/>
</local-cache>
<local-cache name="sessions"/>
<local-cache name="authenticationSessions"/>
<local-cache name="offlineSessions"/>
<local-cache name="clientSessions"/>
<local-cache name="offlineClientSessions"/>
<local-cache name="loginFailures"/>
<local-cache name="work"/>
<local-cache name="authorization">
<heap-memory size="10000"/>
</local-cache>
<local-cache name="keys">
<heap-memory size="1000"/>
<expiration max-idle="3600000"/>
</local-cache>
<local-cache name="actionTokens">
<heap-memory size="-1"/>
<expiration interval="300000" max-idle="-1"/>
</local-cache>
</cache-container>
<cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
<local-cache name="default">
<transaction mode="BATCH"/>
</local-cache>
</cache-container>
<cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
<local-cache name="sso">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
</local-cache>
<local-cache name="routing"/>
</cache-container>
<cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
<local-cache name="entity">
<heap-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="local-query">
<heap-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="timestamps"/>
</cache-container>
<subsystem xmlns="urn:jboss:domain:security:2.0">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jaspitest" cache-type="default">
<authentication-jaspi>
<login-module-stack name="dummy">
<login-module code="Dummy" flag="optional"/>
</login-module-stack>
<auth-module code="Dummy"/>
</authentication-jaspi>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
</security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:io:3.0">
<worker name="default"/>
<buffer-pool name="default"/>
<subsystem xmlns="urn:jboss:domain:transactions:5.0">
<core-environment node-identifier="${jboss.tx.node.id:1}">
<process-id>
<uuid/>
</process-id>
</core-environment>
<recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
<coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
<subsystem xmlns="urn:jboss:domain:jca:5.0">
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
<bean-validation enabled="true"/>
<default-workmanager>
<short-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</short-running-threads>
<long-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</long-running-threads>
</default-workmanager>
<cached-connection-manager/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
<expose-resolved-model/>
<expose-expression-model/>
<remoting-connector/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jpa:1.1">
<jpa default-extended-persistence-inheritance="DEEP"/>
<subsystem xmlns="urn:jboss:domain:weld:4.0"/>
<subsystem xmlns="urn:wildfly:microprofile-config-smallrye:1.0"/>
<subsystem xmlns="urn:wildfly:microprofile-health-smallrye:2.0" security-enabled="false"
empty-liveness-checks-status="${env.MP_HEALTH_EMPTY_LIVENESS_CHECKS_STATUS:UP}" empty-readiness-checks-status="${env.MP_HEALTH_EMPTY_READINESS_CHECKS_STATUS:UP}"/>
<subsystem xmlns="urn:wildfly:microprofile-metrics-smallrye:2.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
<subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host"
default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/>
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
</subsystem>
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>auth</web-context>
<providers>
<provider>
classpath:${jboss.home.dir}/providers/*
</provider>
<provider>classpath:${jboss.home.dir}/providers/*</provider>
</providers>
<master-realm-name>master</master-realm-name>
<scheduled-task-interval>900</scheduled-task-interval>
@@ -505,103 +583,12 @@
<default-provider>default</default-provider>
<provider name="default" enabled="true">
<properties>
<property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
<property name="forceBackendUrlToFrontendUrl" value="false"/>
<property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
<property name="forceBackendUrlToFrontendUrl" value="true"/>
</properties>
</provider>
</spi>
</subsystem>
<subsystem xmlns="urn:jboss:domain:mail:4.0">
<mail-session name="default" jndi-name="java:jboss/mail/Default">
<smtp-server outbound-socket-binding-ref="mail-smtp"/>
</mail-session>
</subsystem>
<subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
{% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
</proxy>
</subsystem>
{% endif %}
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
<subsystem xmlns="urn:jboss:domain:security:2.0">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jaspitest" cache-type="default">
<authentication-jaspi>
<login-module-stack name="dummy">
<login-module code="Dummy" flag="optional"/>
</login-module-stack>
<auth-module code="Dummy"/>
</authentication-jaspi>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
</security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:security-manager:1.0">
<deployment-permissions>
<maximum-set>
<permission class="java.security.AllPermission"/>
</maximum-set>
</deployment-permissions>
</subsystem>
<subsystem xmlns="urn:jboss:domain:transactions:6.0">
<core-environment node-identifier="${jboss.tx.node.id:1}">
<process-id>
<uuid/>
</process-id>
</core-environment>
<recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
<coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/>
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
</subsystem>
<subsystem xmlns="urn:jboss:domain:weld:4.0"/>
</profile>
<interfaces>
<interface name="management">
@@ -621,12 +608,12 @@
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
{% if keycloak_modcluster.enabled %}
{% if keycloak_modcluster.enabled %}
<outbound-socket-binding name="proxy1">
<remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
</outbound-socket-binding>
{% endif %}
{% endif %}
</socket-binding-group>
</server>

7
roles/keycloak/templates/keycloak-service.sh.j2
View File

@@ -1,4 +1,5 @@
#!/bin/bash -eu
# {{ ansible_managed }}
set +u -o pipefail
@@ -22,7 +23,6 @@ readonly KEYCLOAK_HTTP_PORT=${KEYCLOAK_HTTP_PORT}
readonly KEYCLOAK_HTTPS_PORT=${KEYCLOAK_HTTPS_PORT}
readonly KEYCLOAK_MANAGEMENT_HTTP_PORT=${KEYCLOAK_MANAGEMENT_HTTP_PORT}
readonly KEYCLOAK_MANAGEMENT_HTTPS_PORT=${KEYCLOAK_MANAGEMENT_HTTPS_PORT}
readonly KEYCLOAK_LOGFILE={{ keycloak_service_logfile }}
readonly KEYCLOAK_PIDFILE={{ keycloak_service_pidfile }}
set -u
@@ -70,7 +70,6 @@ startKeycloak() {
checkEnvVar "${KEYCLOAK_HTTPS_PORT}" 'KEYCLOAK_HTTPS_PORT not provided' 5
checkEnvVar "${KEYCLOAK_MANAGEMENT_HTTP_PORT}" 'KEYCLOAK_MANAGEMENT_HTTP_PORT not provided' 6
checkEnvVar "${KEYCLOAK_MANAGEMENT_HTTPS_PORT}" 'KEYCLOAK_MANAGEMENT_HTTPS_PORT not provided' 7
checkEnvVar "${KEYCLOAK_LOGFILE}" 'KEYCLOAK_LOGFILE not provided' 8
if [ "$(isKeyCloakRunning)" -eq 1 ]; then
statusKeycloak
@@ -82,8 +81,8 @@ startKeycloak() {
-Djboss.management.http.port=${KEYCLOAK_MANAGEMENT_HTTP_PORT} \
-Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \
-Djboss.node.name={{ inventory_hostname }} \
{% if ansible_facts.virtualization_type in ['docker','oci','containerd'] %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\
2>&1 >> "${KEYCLOAK_LOGFILE}" &
{% if keycloak_prefer_ipv4 %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\
{% if keycloak_config_standalone_xml is defined %}--server-config={{ keycloak_config_standalone_xml }}{% endif %} &
while [ ! -f ${KEYCLOAK_PIDFILE} ]; do sleep 1; done
fi
}

1
roles/keycloak/templates/keycloak-sysconfig.j2
View File

@@ -1,3 +1,4 @@
# {{ ansible_managed }}
JAVA_OPTS='{{ keycloak_java_opts }}'
JBOSS_HOME={{ keycloak_jboss_home }}
KEYCLOAK_BIND_ADDRESS={{ keycloak_bind_address }}

1
roles/keycloak/templates/keycloak.service.j2
View File

@@ -1,3 +1,4 @@
# {{ ansible_managed }}
[Unit]
Description=Keycloak Server
After=network.target

152
roles/keycloak/templates/standalone-infinispan.xml.j2
View File

@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
<!-- {{ ansible_managed }} -->
<server xmlns="urn:jboss:domain:16.0">
<extensions>
<extension module="org.jboss.as.clustering.infinispan"/>
@@ -152,15 +152,15 @@
</security>
</datasource>
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
{% if keycloak_jdbc.postgres.enabled %}
<connection-url>{{ keycloak_jdbc.postgres.connection_url }}</connection-url>
<driver>{{ keycloak_jdbc.postgres.driver_module_name }}</driver>
{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
<connection-url>{{ keycloak_jdbc[keycloak_jdbc_engine].connection_url }}</connection-url>
<driver>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}</driver>
<pool>
<max-pool-size>20</max-pool-size>
</pool>
<security>
<user-name>{{ keycloak_jdbc.postgres.db_user }}</user-name>
<password>{{ keycloak_jdbc.postgres.db_password }}</password>
<user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
<password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
</security>
{% else %}
<connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
@@ -172,10 +172,10 @@
{% endif %}
</datasource>
<drivers>
{% if keycloak_jdbc.postgres.enabled %}
<driver name="{{ keycloak_jdbc.postgres.driver_module_name }}" module="{{ keycloak_jdbc.postgres.driver_module_name }}">
<driver-class>org.postgresql.Driver</driver-class>
<xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
<driver name="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}" module="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}">
<driver-class>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_class }}</driver-class>
<xa-datasource-class>{{ keycloak_jdbc[keycloak_jdbc_engine].xa_datasource_class }}</xa-datasource-class>
</driver>
{% endif %}
<driver name="h2" module="com.h2database.h2">
@@ -206,11 +206,11 @@
<default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:ejb3:9.0">
<session-bean>
<session-bean>
<stateless>
<bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
</stateless>
<stateful default-access-timeout="5000" cache-ref="simple" passivation-disabled-cache-ref="simple"/>
<stateful default-access-timeout="5000" cache-ref="distributable" passivation-disabled-cache-ref="simple"/>
<singleton default-access-timeout="5000"/>
</session-bean>
<pools>
@@ -368,12 +368,13 @@
</subsystem>
<subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
<subsystem xmlns="urn:jboss:domain:infinispan:12.0">
<cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
<local-cache name="passivation">
<cache-container name="ejb" default-cache="dist" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
<transport lock-timeout="60000"/>
<distributed-cache name="dist">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
<file-store/>
</distributed-cache>
</cache-container>
<cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
<transport lock-timeout="60000"/>
@@ -383,8 +384,7 @@
<local-cache name="users">
<heap-memory size="10000"/>
</local-cache>
<local-cache name="authenticationSessions"/>
{% for cachename in [ "sessions", "offlineSessions", "clientSessions", "offlineClientSessions", "loginFailures", "actionTokens" ] %}
{% for cachename in [ "sessions", "offlineSessions", "clientSessions", "offlineClientSessions", "loginFailures", "actionTokens", "authenticationSessions" ] %}
<distributed-cache name="{{ cachename }}">
<remote-store cache="{{ cachename }}"
remote-servers="remote-cache"
@@ -400,14 +400,15 @@
<property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property>
<property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property>
<property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property>
<property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism | default('SCRAM-SHA-512') }}</property>
<property name="infinispan.client.hotrod.use_ssl">false</property>
<property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property>
<property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism }}</property>
<property name="infinispan.client.hotrod.use_ssl">{{ keycloak_remotecache.use_ssl }}</property>
<property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path }}</property>
<property name="infinispan.client.hotrod.trust_store_type">JKS</property>
<property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property>
<property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password }}</property>
<property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
</remote-store>
</distributed-cache>
{% endfor %}
{% endfor %}
<replicated-cache name="work">
<remote-store cache="work"
remote-servers="remote-cache"
@@ -423,11 +424,12 @@
<property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property>
<property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property>
<property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property>
<property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism | default('SCRAM-SHA-512') }}</property>
<property name="infinispan.client.hotrod.use_ssl">false</property>
<property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property>
<property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism }}</property>
<property name="infinispan.client.hotrod.use_ssl">{{ keycloak_remotecache.use_ssl }}</property>
<property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path }}</property>
<property name="infinispan.client.hotrod.trust_store_type">JKS</property>
<property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property>
<property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password }}</property>
<property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
</remote-store>
</replicated-cache>
<local-cache name="authorization">
@@ -438,33 +440,37 @@
<expiration max-idle="3600000"/>
</local-cache>
</cache-container>
<cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
<local-cache name="default">
<cache-container name="server" default-cache="default" aliases="singleton cluster" modules="org.wildfly.clustering.server">
<transport lock-timeout="60000"/>
<replicated-cache name="default">
<transaction mode="BATCH"/>
</local-cache>
</replicated-cache>
</cache-container>
<cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
<local-cache name="passivation">
<cache-container name="web" default-cache="dist" modules="org.wildfly.clustering.web.infinispan">
<transport lock-timeout="60000"/>
<replicated-cache name="sso">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
<local-cache name="sso">
</replicated-cache>
<distributed-cache name="dist">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
</local-cache>
<local-cache name="routing"/>
<file-store/>
</distributed-cache>
<distributed-cache name="routing"/>
</cache-container>
<cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
<local-cache name="entity">
<heap-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<transport lock-timeout="60000"/>
<local-cache name="local-query">
<heap-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="timestamps"/>
<invalidation-cache name="entity">
<transaction mode="NON_XA"/>
<heap-memory size="10000"/>
<expiration max-idle="100000"/>
</invalidation-cache>
<replicated-cache name="timestamps"/>
</cache-container>
</subsystem>
<subsystem xmlns="urn:jboss:domain:io:3.0">
@@ -498,6 +504,27 @@
<stacks>
<stack name="tcp">
<transport site="${jboss.node.name}" type="TCP" socket-binding="jgroups-tcp"/>
{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
<protocol type="JDBC_PING">
<property name="datasource_jndi_name">java:jboss/datasources/KeycloakDS</property>
<property name="initialize_sql">{{ keycloak_jdbc[keycloak_jdbc_engine].initialize_db }}</property>
<property name="insert_single_sql">INSERT INTO JGROUPSPING (own_addr, cluster_name, ping_data) values (?, ?, ?)</property>
<property name="delete_single_sql">DELETE FROM JGROUPSPING WHERE own_addr=? AND cluster_name=?</property>
<property name="select_all_pingdata_sql">SELECT ping_data FROM JGROUPSPING WHERE cluster_name=?</property>
</protocol>
{% endif %}
<protocol type="MERGE3"/>
<protocol type="FD_SOCK"/>
<protocol type="FD_ALL"/>
<protocol type="VERIFY_SUSPECT"/>
<protocol type="pbcast.NAKACK2"/>
<protocol type="UNICAST3"/>
<protocol type="pbcast.STABLE"/>
<protocol type="pbcast.GMS">
<property name="join_timeout">30000</property>
</protocol>
<protocol type="MFC"/>
<protocol type="FRAG2"/>
</stack>
</stacks>
</subsystem>
@@ -524,6 +551,15 @@
<cacheTemplates>true</cacheTemplates>
<dir>${jboss.home.dir}/themes</dir>
</theme>
{% if keycloak_ha_enabled %}
<spi name="dblock">
<provider name="jpa" enabled="true">
<properties>
<property name="lockWaitTimeout" value="900"/>
</properties>
</provider>
</spi>
{% endif %}
<spi name="eventsStore">
<provider name="jpa" enabled="true">
<properties>
@@ -583,8 +619,8 @@
<default-provider>default</default-provider>
<provider name="default" enabled="true">
<properties>
<property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
<property name="forceBackendUrlToFrontendUrl" value="false"/>
<property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
<property name="forceBackendUrlToFrontendUrl" value="true"/>
</properties>
</provider>
</spi>
@@ -595,9 +631,9 @@
</mail-session>
</subsystem>
<subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
{% if keycloak_modcluster.enabled %}
{% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
<proxy name="default" advertise="false" listener="ajp" proxies="proxy1">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
@@ -651,7 +687,7 @@
</deployment-permissions>
</subsystem>
<subsystem xmlns="urn:jboss:domain:transactions:6.0">
<core-environment node-identifier="${jboss.tx.node.id:1}">
<core-environment node-identifier="{{ inventory_hostname | default('${jboss.tx.node.id:1}') }}">
<process-id>
<uuid/>
</process-id>
@@ -690,24 +726,30 @@
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="jgroups">
{% if ansible_default_ipv4 is defined %}
<subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
{% else %}
<any-address />
{% endif %}
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:127.0.0.1}"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="jgroups-tcp" interface="management" port="7600"/>
<socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
<socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
<socket-binding name="http" port="{{ keycloak_http_port }}"/>
<socket-binding name="https" port="{{ keycloak_https_port }}"/>
<socket-binding name="management-http" interface="management" port="{{ keycloak_management_http_port }}"/>
<socket-binding name="management-https" interface="management" port="{{ keycloak_management_https_port }}"/>
<socket-binding name="jgroups-tcp" interface="jgroups" port="{{ keycloak_jgroups_port }}"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
</outbound-socket-binding>
{% if keycloak_modcluster.enabled %}
{% if keycloak_modcluster.enabled %}
<outbound-socket-binding name="proxy1">
<remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
</outbound-socket-binding>

460
roles/keycloak/templates/standalone.xml.j2
View File

@@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:10.0">
<!-- {{ ansible_managed }} -->
<server xmlns="urn:jboss:domain:16.0">
<extensions>
<extension module="org.jboss.as.clustering.infinispan"/>
<extension module="org.jboss.as.connector"/>
@@ -22,10 +22,9 @@
<extension module="org.wildfly.extension.bean-validation"/>
<extension module="org.wildfly.extension.core-management"/>
<extension module="org.wildfly.extension.elytron"/>
<extension module="org.wildfly.extension.health"/>
<extension module="org.wildfly.extension.io"/>
<extension module="org.wildfly.extension.microprofile.config-smallrye"/>
<extension module="org.wildfly.extension.microprofile.health-smallrye"/>
<extension module="org.wildfly.extension.microprofile.metrics-smallrye"/>
<extension module="org.wildfly.extension.metrics"/>
<extension module="org.wildfly.extension.request-controller"/>
<extension module="org.wildfly.extension.security.manager"/>
<extension module="org.wildfly.extension.undertow"/>
@@ -129,7 +128,7 @@
</subsystem>
<subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
<subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
<subsystem xmlns="urn:jboss:domain:datasources:5.0">
<subsystem xmlns="urn:jboss:domain:datasources:6.0">
<datasources>
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
@@ -140,14 +139,32 @@
</security>
</datasource>
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
<connection-url>{{ keycloak_jdbc[keycloak_jdbc_engine].connection_url }}</connection-url>
<driver>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}</driver>
<pool>
<max-pool-size>20</max-pool-size>
</pool>
<security>
<user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
<password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
</security>
{% else %}
<connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
<driver>h2</driver>
<security>
<user-name>sa</user-name>
<password>sa</password>
</security>
{% endif %}
</datasource>
<drivers>
{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
<driver name="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}" module="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}">
<driver-class>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_class }}</driver-class>
<xa-datasource-class>{{ keycloak_jdbc[keycloak_jdbc_engine].xa_datasource_class }}</xa-datasource-class>
</driver>
{% endif %}
<driver name="h2" module="com.h2database.h2">
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
</driver>
@@ -157,7 +174,7 @@
<subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
<deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:ee:4.0">
<subsystem xmlns="urn:jboss:domain:ee:6.0">
<spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
<concurrent>
<context-services>
@@ -167,15 +184,15 @@
<managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
</managed-thread-factories>
<managed-executor-services>
<managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-threshold="60000" keepalive-time="5000"/>
<managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
</managed-executor-services>
<managed-scheduled-executor-services>
<managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-threshold="60000" keepalive-time="3000"/>
<managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
</managed-scheduled-executor-services>
</concurrent>
<default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:ejb3:6.0">
<subsystem xmlns="urn:jboss:domain:ejb3:9.0">
<session-bean>
<stateless>
<bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
@@ -202,7 +219,7 @@
<file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
</data-stores>
</timer-service>
<remote connector-ref="http-remoting-connector" thread-pool-name="default">
<remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
<channel-creation-options>
<option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
</channel-creation-options>
@@ -218,130 +235,7 @@
<statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<log-system-exceptions value="true"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:io:3.0">
<worker name="default"/>
<buffer-pool name="default"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:infinispan:9.0">
<cache-container name="keycloak">
<local-cache name="realms">
<object-memory size="10000"/>
</local-cache>
<local-cache name="users">
<object-memory size="10000"/>
</local-cache>
<local-cache name="sessions"/>
<local-cache name="authenticationSessions"/>
<local-cache name="offlineSessions"/>
<local-cache name="clientSessions"/>
<local-cache name="offlineClientSessions"/>
<local-cache name="loginFailures"/>
<local-cache name="work"/>
<local-cache name="authorization">
<object-memory size="10000"/>
</local-cache>
<local-cache name="keys">
<object-memory size="1000"/>
<expiration max-idle="3600000"/>
</local-cache>
<local-cache name="actionTokens">
<object-memory size="-1"/>
<expiration max-idle="-1" interval="300000"/>
</local-cache>
</cache-container>
<cache-container name="server" default-cache="default" module="org.wildfly.clustering.server">
<local-cache name="default">
<transaction mode="BATCH"/>
</local-cache>
</cache-container>
<cache-container name="web" default-cache="passivation" module="org.wildfly.clustering.web.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
<local-cache name="sso">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
</local-cache>
<local-cache name="routing"/>
</cache-container>
<cache-container name="ejb" aliases="sfsb" default-cache="passivation" module="org.wildfly.clustering.ejb.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
</cache-container>
<cache-container name="hibernate" module="org.infinispan.hibernate-cache">
<local-cache name="entity">
<object-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="local-query">
<object-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="timestamps"/>
</cache-container>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
<subsystem xmlns="urn:jboss:domain:jca:5.0">
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
<bean-validation enabled="true"/>
<default-workmanager>
<short-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</short-running-threads>
<long-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</long-running-threads>
</default-workmanager>
<cached-connection-manager/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
<expose-resolved-model/>
<expose-expression-model/>
<remoting-connector/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jpa:1.1">
<jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:mail:3.0">
<mail-session name="default" jndi-name="java:jboss/mail/Default">
<smtp-server outbound-socket-binding-ref="mail-smtp"/>
</mail-session>
</subsystem>
{% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
</proxy>
</subsystem>
{% endif %}
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
<subsystem xmlns="urn:jboss:domain:security-manager:1.0">
<deployment-permissions>
<maximum-set>
<permission class="java.security.AllPermission"/>
</maximum-set>
</deployment-permissions>
</subsystem>
<subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
<subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
<providers>
<aggregate-providers name="combined-providers">
<providers name="elytron"/>
@@ -399,6 +293,7 @@
<permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
<permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
<permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
<permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
</permission-set>
</permission-sets>
<http>
@@ -440,76 +335,126 @@
</mechanism-provider-filtering-sasl-server-factory>
<provider-sasl-server-factory name="global"/>
</sasl>
<tls>
<key-stores>
<key-store name="applicationKS">
<credential-reference clear-text="password"/>
<implementation type="JKS"/>
<file path="application.keystore" relative-to="jboss.server.config.dir"/>
</key-store>
</key-stores>
<key-managers>
<key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
<credential-reference clear-text="password"/>
</key-manager>
</key-managers>
<server-ssl-contexts>
<server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
</server-ssl-contexts>
</tls>
</subsystem>
<subsystem xmlns="urn:jboss:domain:security:2.0">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jaspitest" cache-type="default">
<authentication-jaspi>
<login-module-stack name="dummy">
<login-module code="Dummy" flag="optional"/>
</login-module-stack>
<auth-module code="Dummy"/>
</authentication-jaspi>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
</security-domains>
<subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
<subsystem xmlns="urn:jboss:domain:infinispan:12.0">
<cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
</cache-container>
<cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
<local-cache name="realms">
<heap-memory size="10000"/>
</local-cache>
<local-cache name="users">
<heap-memory size="10000"/>
</local-cache>
<local-cache name="sessions"/>
<local-cache name="authenticationSessions"/>
<local-cache name="offlineSessions"/>
<local-cache name="clientSessions"/>
<local-cache name="offlineClientSessions"/>
<local-cache name="loginFailures"/>
<local-cache name="work"/>
<local-cache name="authorization">
<heap-memory size="10000"/>
</local-cache>
<local-cache name="keys">
<heap-memory size="1000"/>
<expiration max-idle="3600000"/>
</local-cache>
<local-cache name="actionTokens">
<heap-memory size="-1"/>
<expiration interval="300000" max-idle="-1"/>
</local-cache>
</cache-container>
<cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
<local-cache name="default">
<transaction mode="BATCH"/>
</local-cache>
</cache-container>
<cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
<local-cache name="sso">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
</local-cache>
<local-cache name="routing"/>
</cache-container>
<cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
<local-cache name="entity">
<heap-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="local-query">
<heap-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="timestamps"/>
</cache-container>
</subsystem>
<subsystem xmlns="urn:jboss:domain:transactions:5.0">
<core-environment node-identifier="${jboss.tx.node.id:1}">
<process-id>
<uuid/>
</process-id>
</core-environment>
<recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
<coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
<subsystem xmlns="urn:jboss:domain:io:3.0">
<worker name="default"/>
<buffer-pool name="default"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:weld:4.0"/>
<subsystem xmlns="urn:wildfly:microprofile-config-smallrye:1.0"/>
<subsystem xmlns="urn:wildfly:microprofile-health-smallrye:2.0" security-enabled="false" empty-liveness-checks-status="${env.MP_HEALTH_EMPTY_LIVENESS_CHECKS_STATUS:UP}" empty-readiness-checks-status="${env.MP_HEALTH_EMPTY_READINESS_CHECKS_STATUS:UP}"/>
<subsystem xmlns="urn:wildfly:microprofile-metrics-smallrye:2.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
<subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/>
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
<subsystem xmlns="urn:jboss:domain:jca:5.0">
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
<bean-validation enabled="true"/>
<default-workmanager>
<short-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</short-running-threads>
<long-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</long-running-threads>
</default-workmanager>
<cached-connection-manager/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
<expose-resolved-model/>
<expose-expression-model/>
<remoting-connector/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jpa:1.1">
<jpa default-extended-persistence-inheritance="DEEP"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>auth</web-context>
<providers>
<provider>classpath:${jboss.home.dir}/providers/*</provider>
<provider>
classpath:${jboss.home.dir}/providers/*
</provider>
</providers>
<master-realm-name>master</master-realm-name>
<scheduled-task-interval>900</scheduled-task-interval>
@@ -519,6 +464,15 @@
<cacheTemplates>true</cacheTemplates>
<dir>${jboss.home.dir}/themes</dir>
</theme>
{% if keycloak_ha_enabled %}
<spi name="dblock">
<provider name="jpa" enabled="true">
<properties>
<property name="lockWaitTimeout" value="900"/>
</properties>
</provider>
</spi>
{% endif %}
<spi name="eventsStore">
<provider name="jpa" enabled="true">
<properties>
@@ -578,12 +532,103 @@
<default-provider>default</default-provider>
<provider name="default" enabled="true">
<properties>
<property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
<property name="forceBackendUrlToFrontendUrl" value="false"/>
<property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
<property name="forceBackendUrlToFrontendUrl" value="true"/>
</properties>
</provider>
</spi>
</subsystem>
<subsystem xmlns="urn:jboss:domain:mail:4.0">
<mail-session name="default" jndi-name="java:jboss/mail/Default">
<smtp-server outbound-socket-binding-ref="mail-smtp"/>
</mail-session>
</subsystem>
<subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
{% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise="false" listener="ajp" proxies="proxy1">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
</proxy>
</subsystem>
{% endif %}
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
<subsystem xmlns="urn:jboss:domain:security:2.0">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jaspitest" cache-type="default">
<authentication-jaspi>
<login-module-stack name="dummy">
<login-module code="Dummy" flag="optional"/>
</login-module-stack>
<auth-module code="Dummy"/>
</authentication-jaspi>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
</security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:security-manager:1.0">
<deployment-permissions>
<maximum-set>
<permission class="java.security.AllPermission"/>
</maximum-set>
</deployment-permissions>
</subsystem>
<subsystem xmlns="urn:jboss:domain:transactions:6.0">
<core-environment node-identifier="${jboss.tx.node.id:1}">
<process-id>
<uuid/>
</process-id>
</core-environment>
<recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
<coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/>
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
</subsystem>
<subsystem xmlns="urn:jboss:domain:weld:4.0"/>
</profile>
<interfaces>
<interface name="management">
@@ -594,18 +639,17 @@
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
<socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
<socket-binding name="http" port="{{ keycloak_http_port }}"/>
<socket-binding name="https" port="{{ keycloak_https_port }}"/>
<socket-binding name="management-http" interface="management" port="{{ keycloak_management_http_port }}"/>
<socket-binding name="management-https" interface="management" port="{{ keycloak_management_https_port }}"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
<remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
</outbound-socket-binding>
{% if keycloak_modcluster.enabled %}
{% if keycloak_modcluster.enabled %}
<outbound-socket-binding name="proxy1">
<remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
</outbound-socket-binding>

87
roles/keycloak/vars/main.yml
View File

@@ -1,3 +1,86 @@
---
# vars file for keycloak
keycloak_admin_password:
# required variables for keycloak
# administrator console password
keycloak_admin_password:
# internal variables below
rhsso_rhn_ids:
'7.5.0':
id: '101971'
latest_cp:
id: '103836'
v: '7.5.1'
# locations
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
keycloak:
home: "{{ keycloak_jboss_home }}"
config_dir: "{{ keycloak_config_dir }}"
bundle: "{{ keycloak_rhsso_archive if keycloak_rhsso_enable else keycloak_archive }}"
patch_bundle: "rh-sso-{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }}-patch.zip"
service_name: "{{ 'rhsso' if keycloak_rhsso_enable else 'keycloak' }}"
health_url: "{{ keycloak_management_url }}/health"
cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh"
# database
keycloak_jdbc:
postgres:
enabled: "{{ (keycloak_ha_enabled or keycloak_db_enabled) and keycloak_jdbc_engine == 'postgres' }}"
driver_class: org.postgresql.Driver
xa_datasource_class: org.postgresql.xa.PGXADataSource
driver_module_name: "org.postgresql"
driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/postgresql/main"
driver_version: "{{ keycloak_jdbc_driver_version }}"
driver_jar_filename: "postgresql-{{ keycloak_jdbc_driver_version }}.jar"
driver_jar_url: "https://repo.maven.apache.org/maven2/org/postgresql/postgresql/{{ keycloak_jdbc_driver_version }}/postgresql-{{ keycloak_jdbc_driver_version }}.jar"
connection_url: "{{ keycloak_jdbc_url }}"
db_user: "{{ keycloak_db_user }}"
db_password: "{{ keycloak_db_pass }}"
initialize_db: >
CREATE TABLE IF NOT EXISTS JGROUPSPING (
own_addr varchar(200) NOT NULL,
cluster_name varchar(200) NOT NULL,
updated TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
ping_data BYTEA,
constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))
mariadb:
enabled: "{{ (keycloak_ha_enabled or keycloak_db_enabled) and keycloak_jdbc_engine == 'mariadb' }}"
driver_class: org.mariadb.jdbc.Driver
xa_datasource_class: org.mariadb.jdbc.MySQLDataSource
driver_module_name: "org.mariadb"
driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/mariadb/main"
driver_version: "{{ keycloak_jdbc_driver_version }}"
driver_jar_filename: "mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar"
driver_jar_url: "https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/{{ keycloak_jdbc_driver_version }}/mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar"
connection_url: "{{ keycloak_jdbc_url }}"
db_user: "{{ keycloak_db_user }}"
db_password: "{{ keycloak_db_pass }}"
initialize_db: >
CREATE TABLE IF NOT EXISTS JGROUPSPING (
own_addr varchar(200) NOT NULL,
cluster_name varchar(200) NOT NULL,
updated TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
ping_data varbinary(5000) DEFAULT NULL,
PRIMARY KEY (own_addr, cluster_name))
ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin
# reverse proxy mod_cluster
keycloak_modcluster:
enabled: "{{ keycloak_ha_enabled }}"
reverse_proxy_url: "{{ keycloak_modcluster_url }}"
frontend_url: "{{ keycloak_frontend_url }}"
# infinispan
keycloak_remotecache:
enabled: "{{ keycloak_ha_enabled }}"
username: "{{ infinispan_user }}"
password: "{{ infinispan_pass }}"
realm: default
sasl_mechanism: "{{ infinispan_sasl_mechanism }}"
server_name: "{{ infinispan_url }}"
use_ssl: "{{ infinispan_use_ssl }}"
trust_store_path: "{{ infinispan_trust_store_path }}"
trust_store_password: "{{ infinispan_trust_store_password }}"

134
roles/keycloak_realm/README.md Normal file
View File

@@ -0,0 +1,134 @@
keycloak_realm
==============
Create realms and clients in [keycloak](https://keycloak.org/) or [Red Hat Single Sing-On](https://access.redhat.com/products/red-hat-single-sign-on) services.
Role Defaults
-------------
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_admin_user`| Administration console user account | `admin` |
|`keycloak_host`| hostname | `localhost` |
|`keycloak_http_port`| HTTP port | `8080` |
|`keycloak_https_port`| TLS HTTP port | `8443` |
|`keycloak_auth_realm`| Name of the main authentication realm | `master` |
|`keycloak_rhsso_enable`| Define service is an upstream(Keycloak) or RHSSO | `master` |
|`keycloak_management_http_port`| Management port | `9990` |
|`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` |
|`keycloak_client_public`| Configure a public realm client | `True` |
|`keycloak_client_web_origins`| Web origins for realm client | `+` |
|`keycloak_url`| URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
|`keycloak_management_url`| URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
Role Variables
--------------
The following are a set of _required_ variables for the role:
| Variable | Description |
|:---------|:------------|
|`keycloak_admin_password`| Password for the administration console user account |
|`keycloak_realm` | Name of the realm to be created |
The following variables are available for creating clients:
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_clients` | List of _client_ declarations for the realm | `[]` |
|`keycloak_client_default_roles` | List of default role name for clients | `[]` |
|`keycloak_client_users` | List of user/role mappings for a client | `[]` |
The following variable are available for creating user federation:
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_user_federation` | List of _keycloak_user_federation_ for the realm | `[]` |
Variable formats
----------------
* `keycloak_user_federation`, a list of:
```yaml
- realm: <name of the realm in which user federation should be configured, required>
name: <name of the user federation provider, required>
provider_id: <type of the user federation provider, required>
provider_type: <Provider Type, default is set to org.keycloak.storage.UserStorageProvider>
config: <dictionary of supported configuration values, required>
mappers: <list of supported configuration values, required>
```
Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/general/keycloak_user_federation_module.html) for information on supported variables.
* `keycloak_clients`, a list of:
```yaml
- name: <name of the client>
roles: <keycloak_client_default_roles>
realm: <name of the realm that contains the client>
public_client: <true for public, false for confidential>
web_origins: <list of allowed we origins for the client>
users: <keycloak_client_users>
```
* `keycloak_client_users`, a list of:
```yaml
- username: <username, required>
password: <password, required>
firstName: <firstName, optional>
lastName: <lastName, optional>
email: <email, optional>
client_roles: <list of client user/role mappings>
```
* Client user/role mappings, a list of:
```yaml
- client: <name of the client>
role: <name of the role>
realm: <name of the realm>
```
For a comprehensive example, refer to the [playbook](../../playbooks/keycloak_realm.yml).
Example Playbook
----------------
The following is an example playbook that makes use of the role to create a realm in keycloak.
```yaml
---
- hosts: ...
collections:
- middleware_automation.keycloak
tasks:
- name: Include keycloak role
include_role:
name: keycloak_realm
vars:
keycloak_admin_password: "changeme"
keycloak_realm: TestRealm
keycloak_clients: [...]
```
License
-------
Apache License 2.0
Author Information
------------------
* [Guido Grazioli](https://github.com/guidograzioli)
* [Romain Pelisse](https://github.com/rpelisse)

53
roles/keycloak_realm/defaults/main.yml Normal file
View File

@@ -0,0 +1,53 @@
---
### Keycloak configuration settings
keycloak_host: localhost
keycloak_http_port: 8080
keycloak_https_port: 8443
keycloak_management_http_port: 9990
keycloak_rhsso_enable: False
### Keycloak administration console user
keycloak_admin_user: admin
keycloak_auth_realm: master
keycloak_auth_client: admin-cli
### Keycloak realms, clients, roles, federation
# list of clients to create in the realm
#
# Refer to the playbook for a comprehensive example.
# Also refer to meta/argument_specs.yml for specifications.
#
# Each client has the form:
# { name: '', roles: [], realm: '', public_client: bool, web_origins: '', users: [] }
# where roles is a list of default role names for the client
# and users is a list of account, see below for the format definition
# an empty name will skip the creation of the client
#
#keycloak_clients:
# - name: ''
# roles: "{{ keycloak_client_default_roles }}"
# realm: "{{ keycloak_realm }}"
# public_client: "{{ keycloak_client_public }}"
# web_origins: "{{ keycloak_client_web_origins }}"
# users: "{{ keycloak_client_users }}"
keycloak_clients: []
# list of roles to create in the client
keycloak_client_default_roles: []
# if True, create a public client; otherwise, a confidetial client
keycloak_client_public: True
# allowed web origins for the client
keycloak_client_web_origins: '+'
# list of user and role mappings to create in the client
# Each user has the form:
# { username: '', password: '', email: '', firstName: '', lastName: '', client_roles: [] }
# where each client_role has the form:
# { client: '', role: '', realm: '' }
keycloak_client_users: []
### List of Keycloak User Federation
keycloak_user_federation: []

93
roles/keycloak_realm/meta/argument_specs.yml Normal file
View File

@@ -0,0 +1,93 @@
argument_specs:
main:
options:
keycloak_host:
# line 3 of keycloak_realm/defaults/main.yml
default: "localhost"
description: "hostname for rest calls"
type: "str"
keycloak_http_port:
# line 4 of keycloak_realm/defaults/main.yml
default: 8080
description: "HTTP port"
type: "int"
keycloak_https_port:
# line 5 of keycloak_realm/defaults/main.yml
default: 8443
description: "HTTPS port"
type: "int"
keycloak_management_http_port:
# line 6 of keycloak_realm/defaults/main.yml
default: 9990
description: "Management port"
type: "int"
keycloak_rhsso_enable:
# line 7 of keycloak_realm/defaults/main.yml
default: false
description: "Enable Red Hat Single Sign-on"
type: "bool"
keycloak_admin_user:
# line 10 of keycloak_realm/defaults/main.yml
default: "admin"
description: "Administration console user account"
type: "str"
keycloak_auth_realm:
# line 11 of keycloak_realm/defaults/main.yml
default: "master"
description: "Name of the main authentication realm"
type: "str"
keycloak_auth_client:
# line 12 of keycloak_realm/defaults/main.yml
default: "admin-cli"
description: "Authentication client for configuration REST calls"
type: "str"
keycloak_client_default_roles:
# line 36 of keycloak_realm/defaults/main.yml
default: "[]"
description: "List of roles to configure as client default"
type: "list"
keycloak_client_public:
# line 39 of keycloak_realm/defaults/main.yml
default: true
description: "Configure a public realm client"
type: "bool"
keycloak_client_web_origins:
# line 42 of keycloak_realm/defaults/main.yml
default: "+"
description: "Web origins for realm client"
type: "str"
keycloak_client_users:
# line 49 of keycloak_realm/defaults/main.yml
default: "[]"
description: "List of users to configure in the realm client"
type: "list"
keycloak_user_federation:
# line 52 of keycloak_realm/defaults/main.yml
default: "[]"
description: "List of user federations to configure in the realm"
type: "list"
keycloak_admin_password:
# line 5 of keycloak_realm/vars/main.yml
required: true
description: "Password for the administration console user account"
type: "str"
keycloak_realm:
# line 8 of keycloak_realm/vars/main.yml
required: true
description: "Name of the realm to be configured"
type: "str"
keycloak_clients:
# line 11 of keycloak_realm/vars/main.yml
default: "[]"
description: "List of client declarations for the realm"
type: "list"
keycloak_url:
# line 14 of keycloak_realm/vars/main.yml
default: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
description: "URL for configuration rest calls"
type: "str"
keycloak_management_url:
# line 15 of keycloak_realm/vars/main.yml
default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
description: "URL for management console rest calls"
type: "str"

23
roles/keycloak_realm/meta/main.yml Normal file
View File

@@ -0,0 +1,23 @@
---
galaxy_info:
role_name: keycloak_realm
namespace: middleware_automation
author: Romain Pelisse, Guido Grazioli
description: Create realms and clients in keycloak or Red Hat Single Sing-On
company: Red Hat, Inc.
license: Apache License 2.0
min_ansible_version: "2.9"
platforms:
- name: EL
versions:
- 8
galaxy_tags:
- keycloak
- redhat
- rhel
- rhn
- sso

100
roles/keycloak_realm/tasks/main.yml Normal file
View File

@@ -0,0 +1,100 @@
---
- name: Generate keycloak auth token
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no
no_log: True
register: keycloak_auth_response
until: keycloak_auth_response.status == 200
retries: 5
delay: 2
- name: "Determine if realm exists"
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}"
method: GET
status_code:
- 200
- 404
headers:
Accept: "application/json"
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_realm_exists
- name: Create Realm
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms"
method: POST
body: "{{ lookup('template','realm.json.j2') }}"
validate_certs: no
body_format: json
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
status_code: 201
when: keycloak_realm_exists.status == 404
- name: Create user federation
community.general.keycloak_user_federation:
auth_keycloak_url: "{{ keycloak_url }}/auth"
auth_realm: "{{ keycloak_auth_realm }}"
auth_username: "{{ keycloak_admin_user }}"
auth_password: "{{ keycloak_admin_password }}"
realm: "{{ item.realm }}"
name: "{{ item.name }}"
state: present
provider_id: "{{ item.provider_id }}"
provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}"
config: "{{ item.config }}"
mappers: "{{ item.mappers | default(omit) }}"
no_log: True
register: create_user_federation_result
loop: "{{ keycloak_user_federation | flatten }}"
when: keycloak_user_federation is defined
- name: Create or update a Keycloak client
community.general.keycloak_client:
auth_client_id: "{{ keycloak_auth_client }}"
auth_keycloak_url: "{{ keycloak_url }}/auth"
auth_realm: "{{ keycloak_auth_realm }}"
auth_username: "{{ keycloak_admin_user }}"
auth_password: "{{ keycloak_admin_password }}"
realm: "{{ item.realm }}"
default_roles: "{{ item.roles | default(omit) }}"
client_id: "{{ item.client_id | default(omit) }}"
id: "{{ item.id | default(omit) }}"
name: "{{ item.name | default(omit) }}"
description: "{{ item.description | default(omit) }}"
root_url: "{{ item.root_url | default('') }}"
admin_url: "{{ item.admin_url | default('') }}"
base_url: "{{ item.base_url | default('') }}"
enabled: "{{ item.enabled | default(True) }}"
redirect_uris: "{{ item.redirect_uris | default(omit) }}"
web_origins: "{{ item.web_origins | default('+') }}"
bearer_only: "{{ item.bearer_only | default(omit) }}"
standard_flow_enabled: "{{ item.standard_flow_enabled | default(omit) }}"
implicit_flow_enabled: "{{ item.implicit_flow_enabled | default(omit) }}"
direct_access_grants_enabled: "{{ item.direct_access_grants_enabled | default(omit) }}"
service_accounts_enabled: "{{ item.service_accounts_enabled | default(omit) }}"
public_client: "{{ item.public_client | default(False) }}"
protocol: "{{ item.protocol | default(omit) }}"
state: present
no_log: True
register: create_client_result
loop: "{{ keycloak_clients | flatten }}"
when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined)
- name: Create client roles
ansible.builtin.include_tasks: manage_client_roles.yml
loop: "{{ keycloak_clients | flatten }}"
loop_control:
loop_var: client
when: "'roles' in client"
- name: Create client users
ansible.builtin.include_tasks: manage_client_users.yml
loop: "{{ keycloak_clients | flatten }}"
loop_control:
loop_var: client
when: "'users' in client"

1
roles/keycloak/tasks/manage_client_roles.yml → roles/keycloak_realm/tasks/manage_client_roles.yml
View File

@@ -10,3 +10,4 @@
auth_password: "{{ keycloak_admin_password }}"
state: present
loop: "{{ client.roles | flatten }}"
no_log: True

13
roles/keycloak_realm/tasks/manage_client_users.yml Normal file
View File

@@ -0,0 +1,13 @@
---
- name: Manage Users
ansible.builtin.include_tasks: manage_user.yml
loop: "{{ client.users | flatten }}"
loop_control:
loop_var: user
- name: Manage User Roles
ansible.builtin.include_tasks: manage_user_roles.yml
loop: "{{ client.users | flatten }}"
loop_control:
loop_var: user
when: "'client_roles' in user"

12
roles/keycloak/tasks/manage_user.yml → roles/keycloak_realm/tasks/manage_user.yml
View File

@@ -1,14 +1,14 @@
---
- name: "Check if User Already Exists"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
validate_certs: no
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_user_serach_result
register: keycloak_user_search_result
- name: "Create User"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users"
method: POST
body:
@@ -23,10 +23,10 @@
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
status_code: 201
when: keycloak_user_serach_result.json | length == 0
when: keycloak_user_search_result.json | length == 0
- name: "Get User"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
validate_certs: no
headers:
@@ -34,7 +34,7 @@
register: keycloak_user
- name: "Update User Password"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users/{{ (keycloak_user.json | first).id }}/reset-password"
method: PUT
body:

6
roles/keycloak/tasks/manage_user_client_roles.yml → roles/keycloak_realm/tasks/manage_user_client_roles.yml
View File

@@ -1,6 +1,6 @@
---
- name: "Get Realm for role"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}"
method: GET
status_code:
@@ -11,7 +11,7 @@
register: client_role_realm
- name: Check if Mapping is available
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
method: GET
status_code:
@@ -22,7 +22,7 @@
register: client_role_user_available
- name: "Create Role Mapping"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}"
method: POST
body:

8
roles/keycloak/tasks/manage_user_roles.yml → roles/keycloak_realm/tasks/manage_user_roles.yml
View File

@@ -1,7 +1,6 @@
---
- name: "Get User {{ user.username }}"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
headers:
validate_certs: no
@@ -9,18 +8,19 @@
register: keycloak_user
- name: Refresh keycloak auth token
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no
register: keycloak_auth_response
no_log: True
until: keycloak_auth_response.status == 200
retries: 5
delay: 2
- name: "Manage Client Role Mapping for {{ user.username }}"
include_tasks: manage_user_client_roles.yml
ansible.builtin.include_tasks: manage_user_client_roles.yml
loop: "{{ user.client_roles | flatten }}"
loop_control:
loop_var: client_role

0
roles/keycloak/templates/realm.json.j2 → roles/keycloak_realm/templates/realm.json.j2
View File

12
roles/keycloak_realm/vars/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
# vars file for keycloak_realm
# administrator console password, this is a required variable
keycloak_admin_password:
# name of the realm to create, this is a required variable
keycloak_realm:
# other settings
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"