Update changelog for release 1.0.3

Make sure systemd unit starts with selected java JVM

.ansible-lint

@@ -0,0 +1,27 @@
+# .ansible-lint
+exclude_paths:
+  - .cache/
+  - .github/
+  - molecule/
+  - .ansible-lint
+  - .yamllint
+
+rulesdir:
+   - ../../ansible-lint-custom-rules/rules/
+
+enable_list:
+  - fqcn-builtins  # opt-in
+  - no-log-password  # opt-in
+
+warn_list:
+  - role_vars_start_with_role_name
+  - vars_in_vars_files_have_valid_names
+  - vars_should_not_be_used
+  - experimental
+  - ignore-errors
+  - no-handler
+  - fqcn-builtins
+  - no-log-password
+
+use_default_rules: true
+parseable: true

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,48 @@
+---
+name: 🐛 Bug report
+about: Create a report to help us improve
+
+---
+
+##### SUMMARY
+<!-- Explain the problem briefly -->
+
+
+##### ISSUE TYPE
+ - Bug Report
+
+
+##### ANSIBLE VERSION
+<!-- Paste, BELOW THIS COMMENT, verbatim output from "ansible --version"-->
+```
+
+```
+
+##### COLLECTION VERSION
+<!-- Paste, BELOW THIS COMMENT, verbatim output from "ansible-galaxy collection list"-->
+<!-- If using virtual environments or execution environments, remember to activate them-->
+```
+
+```
+
+##### STEPS TO REPRODUCE
+<!-- List the steps to reproduce the problem, using a minimal test-case. -->
+
+<!-- Paste example playbook below -->
+```yaml
+
+```
+
+##### EXPECTED RESULTS
+<!-- What did you expect to happen when running the steps above? -->
+
+
+##### ACTUAL RESULTS
+<!-- What actually happened? If possible run with extra verbosity (-vvvv) and diff (--diff) -->
+<!-- Please also include check mode (--check --diff) output if the API returns an error -->
+<!-- Be sure to mask any sensitive information -->
+
+<!--- Paste verbatim command output between quotes below -->
+```
+
+```

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,12 @@
+---
+name: ✨ Feature request
+about: Suggest an idea for this project
+
+---
+
+##### SUMMARY
+<!--- Explain the problem briefly -->
+
+
+##### ISSUE TYPE
+ - Feature Idea

.github/workflows/ci.yml

@@ -27,14 +27,20 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
+          pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
 
-      - name: Create default collection path symlink
+      - name: Install ansible-lint custom rules
+        uses: actions/checkout@v2
+        with:
+          repository: ansible-middleware/ansible-lint-custom-rules
+          path: ansible_collections/ansible-lint-custom-rules/
+
+      - name: Create default collection path
         run: |
-          mkdir -p /home/runner/.ansible
-          ln -s /home/runner/work/middleware_automation/keycloak /home/runner/.ansible/collections
+          mkdir -p /home/runner/.ansible/collections/ansible_collections
 
       - name: Run sanity tests
-        run: ansible-test sanity --docker -v --color --python ${{ matrix.python_version }}
+        run: ansible-test sanity --docker -v --color --python ${{ matrix.python_version }} --exclude changelogs/fragments/.gitignore
         working-directory: ./ansible_collections/middleware_automation/keycloak
 
       - name: Run molecule test

.github/workflows/docs.yml

@@ -0,0 +1,61 @@
+---
+name: Documentation
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "[0-9]+.[0-9]+.[0-9]+"
+  workflow_dispatch:
+
+env:
+  COLORTERM: 'yes'
+  TERM: 'xterm-256color'
+  PYTEST_ADDOPTS: '--color=yes'
+
+jobs:
+  docs:
+    runs-on: ubuntu-latest
+    if: github.repository == 'ansible-middleware/keycloak'
+    permissions:
+      actions: write
+      checks: write
+      contents: write
+      deployments: write
+      packages: write
+      pages: write
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: ansible_collections/middleware_automation/keycloak
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.9
+
+      - name: Install doc dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r ansible_collections/middleware_automation/keycloak/docs/requirements.txt
+          pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
+          sudo apt install -y sed hub
+
+      - name: Create default collection path
+        run: |
+          mkdir -p /home/runner/.ansible/collections/ansible_collections
+
+      - name: Create changelog and documentation
+        uses: ansible-middleware/collection-docs-action@main
+        with:
+          collection_fqcn: middleware_automation.keycloak
+          collection_repo: ansible-middleware/keycloak
+          dependencies: false
+          commit_changelog: false
+          commit_ghpages: true
+          changelog_release: false
+          generate_docs: true
+          path: ansible_collections/middleware_automation/keycloak
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -1,38 +1,103 @@
+---
 name: Release collection
-
 on:
-  push:
-    tags:
-      - "*.*.*"
+  workflow_dispatch:
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    if: github.repository == 'ansible-middleware/keycloak'
+    permissions:
+      actions: write
+      checks: write
+      contents: write
+      deployments: write
+      packages: write
+      pages: write
+    outputs:
+      tag_version: ${{ steps.get_version.outputs.TAG_VERSION }}
     steps:
-      - uses: actions/checkout@v2
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.TRIGGERING_PAT }}
+
       - name: Set up Python
         uses: actions/setup-python@v1
         with:
           python-version: "3.x"
-      - name: Get Tag Version
+
+      - name: Get current version
         id: get_version
-        run: echo ::set-output name=TAG_VERSION::${GITHUB_REF#refs/tags/}
+        run: echo "::set-output name=TAG_VERSION::$(grep version galaxy.yml | awk -F'"' '{ print $2 }')"
+
+      - name: Check if tag exists
+        id: check_tag
+        run: echo "::set-output name=TAG_EXISTS::$(git tag | grep ${{ steps.get_version.outputs.TAG_VERSION }})"
+
+      - name: Fail if tag exists
+        if: ${{ steps.get_version.outputs.TAG_VERSION == steps.check_tag.outputs.TAG_EXISTS }}
+        uses: actions/github-script@v3
+        with:
+          script: |
+              core.setFailed('Release tag already exists')
+
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install ansible-core
+          pip install ansible-core antsibull
+          sudo apt install -y sed hub
+
       - name: Build collection
         run: |
           ansible-galaxy collection build .
+
+      - name: Create changelog and documentation
+        uses: ansible-middleware/collection-docs-action@main
+        with:
+          collection_fqcn: middleware_automation.keycloak
+          collection_repo: ansible-middleware/keycloak
+          dependencies: false
+          commit_changelog: true
+          commit_ghpages: false
+          changelog_release: true
+          generate_docs: false
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Publish collection
+        env:
+          ANSIBLE_GALAXY_API_KEY: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
+        run: |
+          ansible-galaxy collection publish *.tar.gz --api-key $ANSIBLE_GALAXY_API_KEY
+
+      - name: Create release tag
+        run: |
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+          git tag -a ${{ steps.get_version.outputs.TAG_VERSION }} -m "Release v${{ steps.get_version.outputs.TAG_VERSION }}" || true
+          git push origin --tags
+
       - name: Publish Release
         uses: softprops/action-gh-release@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
+          tag_name: ${{ steps.get_version.outputs.TAG_VERSION }}
           files: "*.tar.gz"
-          body: "Release ${{ steps.get_version.outputs.TAG_VERSION }}"
-      - name: Publish collection
-        env:
-          ANSIBLE_GALAXY_API_KEY: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
-        run: |
-          ansible-galaxy collection publish *.tar.gz --api-key $ANSIBLE_GALAXY_API_KEY
+          body_path: gh-release.md
+
+  dispatch:
+    needs: release
+    strategy:
+      matrix:
+        repo: ['ansible-middleware/cross-dc-rhsso-demo', 'ansible-middleware/flange-demo', 'ansible-middleware/ansible-middleware-ee']
+    runs-on: ubuntu-latest
+    steps:
+      - name: Repository Dispatch
+        uses: peter-evans/repository-dispatch@v1
+        with:
+          token: ${{ secrets.TRIGGERING_PAT }}
+          repository: ${{ matrix.repo }}
+          event-type: "Dependency released - Keycloak v${{ needs.release.outputs.tag_version }}"
+          client-payload: '{ "github": ${{toJson(github)}} }'

.gitignore

@@ -1 +1,11 @@
-*.tar.gz
+*.tar.gz
+*.zip
+.tmp
+.cache
+docs/plugins/
+docs/roles/
+docs/_build/
+.pytest_cache/
+.mypy_cache/
+*.retry
+changelogs/.plugin-cache.yaml

CHANGELOG.rst

@@ -0,0 +1,67 @@
+============================================
+middleware_automation.keycloak Release Notes
+============================================
+
+.. contents:: Topics
+
+This changelog describes changes after version 0.2.6.
+
+v1.0.3
+======
+
+Major Changes
+-------------
+
+- New role for installing keycloak >= 17.0.0 (quarkus) `#29 <https://github.com/ansible-middleware/keycloak/pull/29>`_
+
+Minor Changes
+-------------
+
+- Add ``keycloak_config_override_template`` parameter for passing a custom xml config template `#30 <https://github.com/ansible-middleware/keycloak/pull/30>`_
+
+Bugfixes
+--------
+
+- Make sure systemd unit starts with selected java JVM `#31 <https://github.com/ansible-middleware/keycloak/pull/31>`_
+
+v1.0.2
+======
+
+Minor Changes
+-------------
+
+- Make ``keycloak_admin_password`` a default with assert (was: role variable) `#26 <https://github.com/ansible-middleware/keycloak/pull/26>`_
+- Simplify dependency install logic and reduce play execution time `#19 <https://github.com/ansible-middleware/keycloak/pull/19>`_
+
+Bugfixes
+--------
+
+- Set ``keycloak_frontend_url`` default according to other defaults `#25 <https://github.com/ansible-middleware/keycloak/pull/25>`_
+
+v1.0.1
+======
+
+Release Summary
+---------------
+
+Minor enhancements, bug and documentation fixes.
+
+
+Major Changes
+-------------
+
+- Apply latest cumulative patch of RH-SSO automatically when new parameter ``keycloak_rhsso_apply_patches`` is ``true`` `#18 <https://github.com/ansible-middleware/keycloak/pull/18>`_
+
+Minor Changes
+-------------
+
+- Clustered installs now perform database initialization on first node to avoid locking issues `#17 <https://github.com/ansible-middleware/keycloak/pull/17>`_
+
+v1.0.0
+======
+
+Release Summary
+---------------
+
+This is the first stable release of the ``middleware_automation.keycloak`` collection.
+

CONTRIBUTING.md

@@ -0,0 +1,14 @@
+
+## Contributor's Guidelines
+
+- All YAML files named with `.yml` extension
+- Use spaces around jinja variables. `{{ var }}` over `{{var}}`
+- Variables that are internal to the role should be lowercase and start with the role name
+- Keep roles self contained - Roles should avoid including tasks from other roles when possible
+- Plays should do nothing more than include a list of roles, except where `pre_tasks` and `post_tasks` are required, when possible
+- Separators - Use valid names, ie. underscores (e.g. `my_role` `my_playbook`) not dashes (`my-role`)
+- Paths - When defining paths, do not include trailing slashes (e.g. `my_path: /foo` not `my_path: /foo/`); when concatenating paths, follow the same convention (e.g. `{{ my_path }}/bar` not `{{ my_path }}bar`)
+- Indentation - Use 2 spaces for each indent
+- `vars/` vs `defaults/` - internal or interpolated variables that don't need to change or be overridden by user go in `vars/`, those that a user would likely override, go under `defaults/` directory
+- All role arguments have a specification in `meta/argument_specs.yml`
+- All playbooks/roles should be focused on compatibility with Ansible Automation Platform

README.md

@@ -1,4 +1,4 @@
-# Ansible Collection - keycloak
+# Ansible Collection - middleware_automation.keycloak
 
 [![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
 
@@ -13,7 +13,8 @@ This collection has been tested against following Ansible versions: **>=2.9.10**
 Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
 <!--end requires_ansible-->
 
-## Installation and Usage
+
+## Installation
 
 ### Installing the Collection from Ansible Galaxy
 
@@ -29,21 +30,140 @@ collections:
   - name: middleware_automation.keycloak
 ```
 
-### Choosing between Red Hat products and upstream project
+The keycloak collection also depends on the following python packages to be present on the controller host:
 
-The roles supports installing Red Hat Single Sign-On from the Customer Portal, when the following variables are defined:
+* netaddr
 
-```
+A requirement file is provided to install:
+
+    pip install -r requirements.txt
+
+
+### Included roles
+
+* [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service.
+* [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
+* [`keycloak_quarkus`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md): role for installing the quarkus variant of keycloak (>= 17.0.0).
+
+
+## Usage
+
+
+### Install Playbook
+
+* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs the upstream(Keycloak) based on the defined variables.
+* [`playbooks/rhsso.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/rhsso.yml) installs Red Hat Single Sign-On(RHSSO) based on defined variables.
+
+Both playbooks include the `keycloak` role, with different settings, as described in the following sections.
+
+For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md).
+
+
+### Choosing between upstream project (Keycloak) and Red Hat Single Sign-On (RHSSO)
+
+The general flag `keycloak_rhsso_enable` controls what to install between upstream (Keycloak, when `False`) or Red Hat Single Sign-On (when `True`).
+The default value for the flag if `True` when Red Hat Network credentials are defined, `False` otherwise.
+
+
+#### Install upstream (Keycloak) from keycloak releases
+
+This is the default approach when RHN credentials are not defined. Keycloak is downloaded from keycloak builds (hosted on github.com) locally, and distributed to target nodes.
+
+
+#### Install RHSSO from the Red Hat Customer Support Portal
+
+Define the credentials as follows, and the default behaviour is to download a fresh archive of RHSSO on the controller node, then distribute to target nodes.
+
+```yaml
 rhn_username: '<customer_portal_username>'
 rhn_password: '<customer_portal_password>'
-rhsso_rhn_id: '<sso_product_id>'
+# (keycloak_rhsso_enable defaults to True)
 ```
 
-where `sso_product_id` is the ID for the specific Red Hat Single Sign-On version, ie. _101971_ will install version _7.5_)
+
+#### Install from controller node (local source)
+
+Making the keycloak zip archive (or the RHSSO zip archive), available to the playbook repository root directory, and setting `keycloak_offline_install` to `True`, allows to skip
+the download tasks. The local path for the archive matches the downloaded archive path, so it is also used as a cache when multiple hosts are provisioned in a cluster.
+
+```yaml
+keycloak_offline_install: True
+```
+
+And depending on `keycloak_rhsso_enable`:
+
+* `True`: install RHSSO using file rh-sso-x.y.z-server-dist.zip
+* `False`: install keycloak using file keycloak-x.y.zip
+
+
+#### Install from alternate sources (like corporate Nexus, artifactory, proxy, etc)
+
+For RHSSO:
+
+```yaml
+keycloak_rhsso_enable: True
+keycloak_rhsso_download_url: "https://<internal-nexus.private.net>/<path>/<to>/rh-sso-x.y.z-server-dist.zip"
+```
+
+For keycloak:
+
+```yaml
+keycloak_rhsso_enable: False
+keycloak_download_url: "https://<internal-nexus.private.net>/<path>/<to>/keycloak-x.y.zip"
+```
+
+
+### Example installation command
+
+Execute the following command from the source root directory 
+
+```
+ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme>
+``` 
+
+- `keycloak_admin_password` Password for the administration console user account.
+- `ansible_hosts` is the inventory, below is an example inventory for deploying to localhost
+
+  ```
+  [keycloak]
+  localhost ansible_connection=local
+  ```
+
+
+## Configuration
+
+
+### Config Playbook
+
+[`playbooks/keycloak_realm.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
+
+
+### Example configuration command
+
+Execute the following command from the source root directory:
+
+```bash
+ansible-playbook -i <ansible_hosts> playbooks/keycloak_realm.yml -e keycloak_admin_password=<changeme> -e keycloak_realm=test
+```
+
+- `keycloak_admin_password` password for the administration console user account.
+- `keycloak_realm` name of the realm to be created/used.
+- `ansible_hosts` is the inventory, below is an example inventory for deploying to localhost
+
+  ```
+  [keycloak]
+  localhost ansible_connection=local
+  ```
+
+For full configuration details, refer to the [keycloak_realm role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md).
+
+## Support
+
+Keycloak collection v1.0.0 is a Beta release and for [Technical Preview](https://access.redhat.com/support/offerings/techpreview). If you have any issues or questions related to collection, please don't hesitate to contact us on Ansible-middleware-core@redhat.com or open an issue on https://github.com/ansible-middleware/keycloak/issues
 
 ## License
 
 Apache License v2.0 or later
 
-See [LICENCE](LICENSE) to view the full text.
+See [LICENSE](LICENSE) to view the full text.
 

changelogs/changelog.yaml

@@ -0,0 +1,60 @@
+ancestor: 0.2.6
+releases:
+  1.0.0:
+    changes:
+      release_summary: 'This is the first stable release of the ``middleware_automation.keycloak``
+        collection.
+
+        '
+    release_date: '2022-03-04'
+  1.0.1:
+    changes:
+      major_changes:
+      - Apply latest cumulative patch of RH-SSO automatically when new parameter ``keycloak_rhsso_apply_patches``
+        is ``true`` `#18 <https://github.com/ansible-middleware/keycloak/pull/18>`_
+      minor_changes:
+      - Clustered installs now perform database initialization on first node to avoid
+        locking issues `#17 <https://github.com/ansible-middleware/keycloak/pull/17>`_
+      release_summary: 'Minor enhancements, bug and documentation fixes.
+
+        '
+    release_date: '2022-03-11'
+  1.0.2:
+    changes:
+      bugfixes:
+      - 'Set ``keycloak_frontend_url`` default according to other defaults `#25 <https://github.com/ansible-middleware/keycloak/pull/25>`_
+
+        '
+      minor_changes:
+      - 'Make ``keycloak_admin_password`` a default with assert (was: role variable)
+        `#26 <https://github.com/ansible-middleware/keycloak/pull/26>`_
+
+        '
+      - 'Simplify dependency install logic and reduce play execution time `#19 <https://github.com/ansible-middleware/keycloak/pull/19>`_
+
+        '
+    fragments:
+    - 19.yaml
+    - 25.yaml
+    - 26.yaml
+    release_date: '2022-04-01'
+  1.0.3:
+    changes:
+      bugfixes:
+      - 'Make sure systemd unit starts with selected java JVM `#31 <https://github.com/ansible-middleware/keycloak/pull/31>`_
+
+        '
+      major_changes:
+      - 'New role for installing keycloak >= 17.0.0 (quarkus) `#29 <https://github.com/ansible-middleware/keycloak/pull/29>`_
+
+        '
+      minor_changes:
+      - 'Add ``keycloak_config_override_template`` parameter for passing a custom
+        xml config template `#30 <https://github.com/ansible-middleware/keycloak/pull/30>`_
+
+        '
+    fragments:
+    - 29.yaml
+    - 30.yaml
+    - 31.yaml
+    release_date: '2022-05-09'

changelogs/config.yaml

@@ -0,0 +1,32 @@
+---
+changelog_filename_template: ../CHANGELOG.rst
+changelog_filename_version_depth: 0
+changes_file: changelog.yaml
+changes_format: combined
+ignore_other_fragment_extensions: true
+keep_fragments: false
+mention_ancestor: true
+new_plugins_after_name: removed_features
+notesdir: fragments
+prelude_section_name: release_summary
+prelude_section_title: Release Summary
+sections:
+- - major_changes
+  - Major Changes
+- - minor_changes
+  - Minor Changes
+- - breaking_changes
+  - Breaking Changes / Porting Guide
+- - deprecated_features
+  - Deprecated Features
+- - removed_features
+  - Removed Features
+- - security_fixes
+  - Security Fixes
+- - bugfixes
+  - Bugfixes
+- - known_issues
+  - Known Issues
+title: middleware_automation.keycloak
+trivial_section_name: trivial
+use_fqcn: true

changelogs/fragments/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

docs/CHANGELOG.rst

@@ -0,0 +1 @@
+../CHANGELOG.rst

docs/README.md

@@ -0,0 +1 @@
+../README.md

docs/_gh_include/footer.inc

@@ -0,0 +1,21 @@
+              </ul>
+            </div>
+          </section>
+        </div>
+      </div>
+      <footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
+      </div>
+      <hr/>
+      <div role="contentinfo">
+        <p>&#169; Copyright 2022, Red Hat, Inc.</p>
+      </div>
+      Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
+        <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
+        provided by <a href="https://readthedocs.org">Read the Docs</a>.
+      </footer>
+    </div>
+  </div>
+</section>
+</div>
+</body>
+</html>

docs/_gh_include/header.inc

@@ -0,0 +1,43 @@
+<!doctype html>
+<html>
+  <head>
+    <title>Keycloak Ansible Collection documentation index</title>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <link rel="stylesheet" href="https://ansible-middleware.github.io/keycloak/main/_static/pygments.css" type="text/css" />
+    <link rel="stylesheet" href="https://ansible-middleware.github.io/keycloak/main/_static/css/theme.css" type="text/css" />
+    <link rel="stylesheet" href="https://ansible-middleware.github.io/keycloak/main/_static/ansible-basic-sphinx-ext.css" type="text/css" />
+    <script data-url_root="./" id="documentation_options" src="https://ansible-middleware.github.io/keycloak/main/_static/documentation_options.js"></script>
+    <script src="https://ansible-middleware.github.io/keycloak/main/_static/jquery.js"></script>
+    <script src="https://ansible-middleware.github.io/keycloak/main/_static/underscore.js"></script>
+    <script src="https://ansible-middleware.github.io/keycloak/main/_static/doctools.js"></script>
+    <script src="https://ansible-middleware.github.io/keycloak/main/_static/js/theme.js"></script>
+  </head>
+
+<body class="wy-body-for-nav">
+  <div class="wy-grid-for-nav">
+    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
+      <div class="wy-side-scroll">
+        <div class="wy-side-nav-search" >
+            <a href="#" class="icon icon-home"> Keycloak Ansible Collection</a>
+        </div>
+      </div>
+    </nav>
+    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
+      <div class="wy-nav-content">
+          <div class="rst-content">
+            <div role="navigation" aria-label="Page navigation">
+              <ul class="wy-breadcrumbs">
+                  <li><a href="#" class="icon icon-home"></a> &raquo;</li>
+                  <li>Welcome to Keycloak Collection documentation</li>
+                  <li class="wy-breadcrumbs-aside"></li>
+              </ul>
+              <hr/>
+            </div>
+          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
+             <div itemprop="articleBody">
+                <section id="welcome-to-keycloak-collection-documentation">
+                  <h1>Welcome to Keycloak Collection documentation<a class="headerlink" href="#welcome-to-keycloak-collection-documentation" title="Permalink to this headline"></a></h1>
+                    <div class="toctree-wrapper compound">
+                      <p class="caption" role="heading"><span class="caption-text">Pick collection version:</span></p>
+                        <ul>

docs/conf.py

@@ -0,0 +1,170 @@
+# -*- coding: utf-8 -*-
+#
+# Configuration file for the Sphinx documentation builder.
+#
+# This file does only contain a selection of the most common options. For a
+# full list see the documentation:
+# http://www.sphinx-doc.org/en/master/config
+
+# -- Path setup --------------------------------------------------------------
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+import datetime
+import os
+import sys
+sys.path.insert(0, os.path.abspath('../plugins/module_utils/'))
+# sys.path.insert(0, os.path.abspath('.'))
+
+# -- Project information -----------------------------------------------------
+
+project = 'Keycloak Ansible Collection'
+copyright = '{y}, Red Hat, Inc.'.format(y=datetime.date.today().year)
+author = 'Red Hat, Inc.'
+
+# The short X.Y version
+version = ''
+# The full version, including alpha/beta/rc tags
+release = ''
+
+
+# -- General configuration ---------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#
+# needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+    'myst_parser',
+    'sphinx.ext.autodoc',
+    'sphinx.ext.intersphinx',
+    'ansible_basic_sphinx_ext',
+]
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix(es) of source filenames.
+# You can specify multiple suffix as a list of string:
+#
+# source_suffix = ['.rst', '.md']
+source_suffix = ['.rst', '.md']
+
+# The master toctree document.
+master_doc = 'index'
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#
+# This is also used if you do content translation via gettext catalogs.
+# Usually you set "language" from the command line for these cases.
+language = None
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This pattern also affects html_static_path and html_extra_path .
+exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store', '.tmp']
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+highlight_language = 'YAML+Jinja'
+
+# -- Options for HTML output -------------------------------------------------
+html_theme_path = ['_themes']
+# The theme to use for HTML and HTML Help pages.  See the documentation for
+# a list of builtin themes.
+#
+# html_theme = 'alabaster'
+html_theme = 'sphinx_rtd_theme'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further.  For a list of options available for each theme, see the
+# documentation.
+#
+# html_theme_options = {}
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = []
+
+# Custom sidebar templates, must be a dictionary that maps document names
+# to template names.
+#
+# The default sidebars (for documents that don't match any pattern) are
+# defined by theme itself.  Builtin themes are using these templates by
+# default: ``['localtoc.html', 'relations.html', 'sourcelink.html',
+# 'searchbox.html']``.
+#
+# html_sidebars = {}
+
+
+# -- Options for HTMLHelp output ---------------------------------------------
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'KeycloakCollectionDoc'
+
+
+# -- Options for LaTeX output ------------------------------------------------
+
+latex_elements = {
+    # The paper size ('letterpaper' or 'a4paper').
+    #
+    # 'papersize': 'letterpaper',
+
+    # The font size ('10pt', '11pt' or '12pt').
+    #
+    # 'pointsize': '10pt',
+
+    # Additional stuff for the LaTeX preamble.
+    #
+    # 'preamble': '',
+
+    # Latex figure (float) alignment
+    #
+    # 'figure_align': 'htbp',
+}
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title,
+#  author, documentclass [howto, manual, or own class]).
+latex_documents = [
+    (master_doc, 'KeycloakCollection.tex', 'Red Hat Single Sign-On Ansible Collection Documentation',
+     'Red Hat, Inc.', 'manual'),
+]
+
+
+# -- Options for manual page output ------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+    (master_doc, 'keycloakcollection', 'Red Hat Single Sign-On Ansible Collection Documentation',
+     [author], 1)
+]
+
+
+# -- Options for Texinfo output ----------------------------------------------
+
+# Grouping the document tree into Texinfo files. List of tuples
+# (source start file, target name, title, author,
+#  dir menu entry, description, category)
+texinfo_documents = [
+    (master_doc, 'KeycloakCollection', 'Red Hat Single Sign-On Ansible Collection Documentation',
+     author, 'KeycloakCollection', 'One line description of project.',
+     'Miscellaneous'),
+]
+
+
+# -- Extension configuration -------------------------------------------------
+
+# -- Options for intersphinx extension ---------------------------------------
+
+# Example configuration for intersphinx: refer to the Python standard library.
+intersphinx_mapping = {'python': ('https://docs.python.org/2', None), 'ansible': ('https://docs.ansible.com/ansible/latest/', None)}

docs/developing.md

@@ -0,0 +1 @@
+../CONTRIBUTING.md

docs/index.rst

@@ -0,0 +1,32 @@
+.. Red Hat middleware_automation Keycloak Ansible Collection documentation main file
+
+Welcome to Keycloak Collection documentation
+============================================
+
+.. toctree::
+   :maxdepth: 2
+   :caption: User documentation
+
+   README
+   plugins/index
+   roles/index
+
+.. toctree::
+   :maxdepth: 2
+   :caption: Developer documentation
+
+   testing
+   developing
+   releasing
+
+.. toctree::
+   :maxdepth: 2
+   :caption: General
+
+   Changelog <CHANGELOG>
+
+Indices and tables
+==================
+
+* :ref:`genindex`
+* :ref:`search`

docs/releasing.md

@@ -0,0 +1,61 @@
+# Collection Versioning Strategy
+
+Each supported collection maintained by Ansible follows Semantic Versioning 2.0.0 (https://semver.org/), for example:
+Given a version number MAJOR.MINOR.PATCH, the following is incremented:
+
+MAJOR version: when making incompatible API changes (see Feature Release scenarios below for examples)
+
+MINOR version: when adding features or functionality in a backwards compatible manner, or updating testing matrix and/or metadata (deprecation)
+
+PATCH version: when adding backwards compatible bug fixes or security fixes (strict).
+
+Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.
+
+The first version of a generally available supported collection on Ansible Automation Hub shall be version 1.0.0. NOTE: By default, all newly created collections may begin with a smaller default version of 0.1.0, and therefore a version of 1.0.0 should be explicitly stated by the collection maintainer.
+
+## New content is added to an existing collection
+
+Assuming the current release is 1.0.0, and a new module is ready to be added to the collection, the minor version would be incremented to 1.1.0. The change in the MINOR version indicates an additive change was made while maintaining backward compatibility for existing content within the collection.
+
+
+## New feature to existing plugin or role within a collection (backwards compatible)
+
+Assuming the current release is 1.0.0, and new features for an existing module are ready for release . We would increment the MINOR version to 1.1.0. The change in the MINOR version indicates an additive change was made while maintaining backward compatibility for existing content within the collection.
+
+
+## Bug fix or security fix to existing content within a collection
+
+Assuming the current release is 1.0.0 and a bug is fixed prior to the next minor release, the PATCH version would be incremented to 1.0.1. The patch indicates only a bug was fixed within a current version. The PATCH release does not contain new content, nor was functionality removed. Bug fixes may be included in a MINOR or MAJOR feature release if the timing allows, eliminating the need for a PATCH dedicated to the fix.
+
+
+## Breaking change to any content within a collection
+
+Assuming the current release is 1.0.0, and a breaking change (API or module) is introduced for a user or developer. The MAJOR version would be incremented to 2.0.0.
+
+Examples of breaking changes within a collection may include but are not limited to:
+
+ - Argspec changes for a module that require either inventory structure or playbook changes.
+ - A change in the shape of either the inbound or returned payload of a filter plugin.
+ - Changes to a connection plugin that require additional inventory parameters or ansible.cfg entries.
+ - New functionality added to a module that changes the outcome of that module as released in previous versions.
+ - The removal of plugins from a collection.
+
+
+## Content removed from a collection
+
+Deleting a module or API is a breaking change. Please see the 'Breaking change' section for how to version this.
+
+
+## A typographical error was fixed in the documentation for a collection
+
+A correction to the README would be considered a bug fix and the PATCH incremented. See 'Bug fix' above.
+
+
+## Documentation added/removed/modified within a collection
+
+Only the PATCH version should be increased for a release that contains changes limited to revised documentation.
+
+
+## Release automation
+
+New releases are triggered by annotated git tags named after semantic versioning. The automation publishes the built artifacts to ansible-galaxy and github releases page.

docs/requirements.txt

@@ -0,0 +1,5 @@
+antsibull>=0.17.0
+ansible-base>=2.10.12
+sphinx-rtd-theme
+git+https://github.com/felixfontein/ansible-basic-sphinx-ext
+myst-parser

docs/roles.rst.template

@@ -0,0 +1,4 @@
+Role Index
+==========
+
+.. toctree::

docs/testing.md

@@ -0,0 +1,49 @@
+# Testing
+
+## Continuous integration
+
+The collection is tested with a [molecule](https://github.com/ansible-community/molecule) setup covering the included roles and verifying correct installation and idempotency.
+In order to run the molecule tests locally with python 3.9 available, after cloning the repository:
+
+```
+pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
+molecule test --all
+```
+
+
+## Integration testing
+
+Demo repositories which depend on the collection, and aggregate functionality with other middleware_automation collections, are automatically rebuilt
+at every collection release to ensure non-breaking changes and consistent behaviour.
+
+The repository are:
+
+ - [Flange demo](https://github.com/ansible-middleware/flange-demo)
+   A deployment of Wildfly cluster integrated with keycloak and infinispan.
+ - [CrossDC keycloak demo](https://github.com/ansible-middleware/cross-dc-rhsso-demo)
+   A clustered multi-regional installation of keycloak with infinispan remote caches.
+
+
+## Test playbooks
+
+Sample playbooks are provided in the `playbooks/` directory; to run the playbooks locally (requires a rhel system with python 3.9+, ansible, and systemd) the steps are as follows:
+
+```
+# setup environment
+pip install ansible-core
+# clone the repository
+git clone https://github.com/ansible-middleware/keycloak
+cd keycloak
+# install collection dependencies
+ansible-galaxy collection install -r requirements.yml
+# install collection python deps
+pip install -r requirements.txt
+# create inventory for localhost
+cat << EOF > inventory
+[keycloak]
+localhost ansible_connection=local
+EOF
+# run the playbook
+ansible-playbook -i inventory playbooks/keycloak.yml
+```
+

galaxy.yml

@@ -1,22 +1,34 @@
+---
 namespace: middleware_automation
 name: keycloak
-version: "0.0.3"
+version: "1.0.3"
 readme: README.md
 authors:
   - Romain Pelisse <rpelisse@redhat.com>
   - Guido Grazioli <ggraziol@redhat.com>
+  - Pavan Kumar Motaparthi <pmotapar@redhat.com>
 description: Install and configure a keycloak, or Red Hat Single Sign-on, service.
 license_file: "LICENSE"
 tags:
   - keycloak
   - redhat
   - rhel
-  - rhn
   - sso
+  - openid
+  - application
+  - identity
+  - security
+  - infrastructure
+  - authentication
 dependencies:
   "middleware_automation.redhat_csp_download": ">=1.2.1"
-  "middleware_automation.jcliff": ">=0.0.19"
+  "middleware_automation.wildfly": ">=1.0.0"
 repository: https://github.com/ansible-middleware/keycloak
-documentation: https://github.com/ansible-middleware/keycloak
+documentation: https://ansible-middleware.github.io/keycloak
 homepage: https://github.com/ansible-middleware/keycloak
 issues: https://github.com/ansible-middleware/keycloak/issues
+build_ignore:
+  - molecule
+  - .github
+  - '*.tar.gz'
+  - '*.zip'

molecule/default/converge.yml

@@ -2,9 +2,40 @@
 - name: Converge
   hosts: all
   vars: 
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_jvm_package: java-11-openjdk-headless
+  roles:
+    - role: keycloak
   tasks:
-    - name: Include keycloak role
-      include_role:
-        name: ../../roles/keycloak
+    - name: Keycloak Realm Role
+      ansible.builtin.include_role:
+        name: keycloak_realm
       vars:
-        keycloak_admin_password: "changeme"
+        keycloak_client_default_roles:
+          - TestRoleAdmin
+          - TestRoleUser
+        keycloak_client_users:
+          - username: TestUser
+            password: password
+            client_roles:
+              - client: TestClient
+                role: TestRoleUser
+                realm: "{{ keycloak_realm }}"
+          - username: TestAdmin
+            password: password
+            client_roles:
+              - client: TestClient
+                role: TestRoleUser
+                realm: "{{ keycloak_realm }}"
+              - client: TestClient
+                role: TestRoleAdmin
+                realm: "{{ keycloak_realm }}"
+        keycloak_realm: TestRealm
+        keycloak_clients:
+          - name: TestClient
+            roles: "{{ keycloak_client_default_roles }}"
+            realm: "{{ keycloak_realm }}"
+            public_client: "{{ keycloak_client_public }}"
+            web_origins: "{{ keycloak_client_web_origins }}"
+            users: "{{ keycloak_client_users }}"
+            client_id: TestClient

molecule/default/molecule.yml

@@ -1,8 +1,12 @@
 ---
 dependency:
-  name: galaxy
+  name: shell
+  command: ansible-galaxy collection install -r molecule/default/requirements.yml -p $HOME/.ansible/collections --force-with-deps
 driver:
   name: docker
+lint: |
+  ansible-lint --version
+  ansible-lint -v
 platforms:
   - name: instance
     image: registry.access.redhat.com/ubi8/ubi-init:latest

molecule/default/prepare.yml

@@ -2,7 +2,13 @@
 - name: Prepare
   hosts: all
   tasks:
+    - name: Disable beta repos
+      ansible.builtin.command: yum config-manager --disable '*beta*'
+      ignore_errors: yes
+
     - name: Install sudo
-      yum:
-        name: sudo
-        state: present
+      ansible.builtin.yum:
+        name:
+          - sudo
+          - java-1.8.0-openjdk
+        state: present

molecule/default/requirements.yml

@@ -0,0 +1,10 @@
+---
+collections:
+  - name: middleware_automation.redhat_csp_download
+    version: ">=1.2.1"
+  - name: middleware_automation.wildfly
+    version: ">=0.0.5"
+  - name: community.general
+  - name: community.docker
+    version: ">=1.9.1"
+    

molecule/default/roles

@@ -0,0 +1 @@
+../../roles

molecule/default/verify.yml

@@ -1,10 +1,29 @@
 ---
 - name: Verify
   hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_jvm_package: java-11-openjdk-headless
+    keycloak_port: http://localhost:8080
+    keycloak_management_port: http://localhost:9990
   tasks:
     - name: Populate service facts
       ansible.builtin.service_facts:
     - name: Check if keycloak service started
-      assert:
+      ansible.builtin.assert:
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+    - name: Verify we are running on requested jvm
+      shell: |
+        ps -ef | grep /usr/lib/jvm/java-11 | grep -v grep
+    - name: Verify token api call
+      ansible.builtin.uri:
+        url: "{{ keycloak_port }}/auth/realms/master/protocol/openid-connect/token"
+        method: POST
+        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
+        validate_certs: no
+      register: keycloak_auth_response
+      until: keycloak_auth_response.status == 200
+      retries: 2
+      delay: 2

molecule/overridexml/converge.yml

@@ -0,0 +1,43 @@
+---
+- name: Converge
+  hosts: all
+  vars: 
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_config_override_template: custom.xml.j2
+    keycloak_http_port: 8081
+    keycloak_management_http_port: 19990
+  roles:
+    - role: keycloak
+  tasks:
+    - name: Keycloak Realm Role
+      ansible.builtin.include_role:
+        name: keycloak_realm
+      vars:
+        keycloak_client_default_roles:
+          - TestRoleAdmin
+          - TestRoleUser
+        keycloak_client_users:
+          - username: TestUser
+            password: password
+            client_roles:
+              - client: TestClient
+                role: TestRoleUser
+                realm: "{{ keycloak_realm }}"
+          - username: TestAdmin
+            password: password
+            client_roles:
+              - client: TestClient
+                role: TestRoleUser
+                realm: "{{ keycloak_realm }}"
+              - client: TestClient
+                role: TestRoleAdmin
+                realm: "{{ keycloak_realm }}"
+        keycloak_realm: TestRealm
+        keycloak_clients:
+          - name: TestClient
+            roles: "{{ keycloak_client_default_roles }}"
+            realm: "{{ keycloak_realm }}"
+            public_client: "{{ keycloak_client_public }}"
+            web_origins: "{{ keycloak_client_web_origins }}"
+            users: "{{ keycloak_client_users }}"
+            client_id: TestClient

molecule/overridexml/molecule.yml

@@ -0,0 +1,53 @@
+---
+dependency:
+  name: shell
+  command: ansible-galaxy collection install -r molecule/default/requirements.yml -p $HOME/.ansible/collections --force-with-deps
+driver:
+  name: docker
+lint: |
+  ansible-lint --version
+  ansible-lint -v
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "8009/tcp"      
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"        
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - dependency
+    - lint
+    - cleanup
+    - destroy
+    - syntax
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/overridexml/prepare.yml

@@ -0,0 +1,12 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Disable beta repos
+      ansible.builtin.command: yum config-manager --disable '*beta*'
+      ignore_errors: yes
+
+    - name: Install sudo
+      ansible.builtin.yum:
+        name: sudo
+        state: present

molecule/overridexml/requirements.yml

@@ -0,0 +1,10 @@
+---
+collections:
+  - name: middleware_automation.redhat_csp_download
+    version: ">=1.2.1"
+  - name: middleware_automation.wildfly
+    version: ">=0.0.5"
+  - name: community.general
+  - name: community.docker
+    version: ">=1.9.1"
+    

molecule/overridexml/roles

@@ -0,0 +1 @@
+../../roles

molecule/overridexml/templates/custom.xml.j2

@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-
+<!-- {{ ansible_managed }} -->
 <server xmlns="urn:jboss:domain:16.0">
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
@@ -130,16 +130,8 @@
         <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
         <subsystem xmlns="urn:jboss:domain:datasources:6.0">
             <datasources>
-                <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
-                    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
-                    <driver>h2</driver>
-                    <security>
-                        <user-name>sa</user-name>
-                        <password>sa</password>
-                    </security>
-                </datasource>
                 <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
-                    <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
+                    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
                     <driver>h2</driver>
                     <security>
                         <user-name>sa</user-name>
@@ -172,7 +164,7 @@
                     <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
                 </managed-scheduled-executor-services>
             </concurrent>
-            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
+            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/KeycloakDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
             <session-bean>
@@ -505,8 +497,8 @@
                 <default-provider>default</default-provider>
                 <provider name="default" enabled="true">
                     <properties>
-                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
+                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
                     </properties>
                 </provider>
             </spi>
@@ -517,15 +509,6 @@
             </mail-session>
         </subsystem>
         <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
-{% if keycloak_modcluster.enabled %}        
-        <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
-            <proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
-                <dynamic-load-provider>
-                    <load-metric type="cpu"/>
-                </dynamic-load-provider>
-            </proxy>
-        </subsystem>
-{% endif %}        
         <subsystem xmlns="urn:jboss:domain:naming:2.0">
             <remote-naming/>
         </subsystem>
@@ -585,9 +568,7 @@
         <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
             <buffer-cache name="default"/>
             <server name="default-server">
-                <ajp-listener name="ajp" socket-binding="ajp"/>
-                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
-                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
+                <http-listener name="default" socket-binding="http"/>
                 <host name="default-host" alias="localhost">
                     <location name="/" handler="welcome-content"/>
                     <http-invoker security-realm="ApplicationRealm"/>
@@ -612,21 +593,12 @@
         </interface>
     </interfaces>
     <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
-        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
-        <socket-binding name="http" port="${jboss.http.port:8080}"/>
-        <socket-binding name="https" port="${jboss.https.port:8443}"/>
-        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
-        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
-        <socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
+        <socket-binding name="http" port="8081"/>
+        <socket-binding name="management-http" interface="management" port="19990"/>
         <socket-binding name="txn-recovery-environment" port="4712"/>
         <socket-binding name="txn-status-manager" port="4713"/>
         <outbound-socket-binding name="mail-smtp">
             <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
         </outbound-socket-binding>
-{% if keycloak_modcluster.enabled %}        
-        <outbound-socket-binding name="proxy1">
-            <remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
-        </outbound-socket-binding>
-{% endif %}        
     </socket-binding-group>
 </server>

molecule/overridexml/verify.yml

@@ -0,0 +1,11 @@
+---
+- name: Verify
+  hosts: all
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"

molecule/quarkus/converge.yml

@@ -0,0 +1,39 @@
+---
+- name: Converge
+  hosts: all
+  vars: 
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_realm: TestRealm
+  roles:
+    - role: keycloak_quarkus
+    - role: keycloak_realm
+      keycloak_context: ''
+      keycloak_client_default_roles:
+        - TestRoleAdmin
+        - TestRoleUser
+      keycloak_client_users:
+        - username: TestUser
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+        - username: TestAdmin
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+            - client: TestClient
+              role: TestRoleAdmin
+              realm: "{{ keycloak_realm }}"
+      keycloak_realm: TestRealm
+      keycloak_clients:
+        - name: TestClient
+          roles: "{{ keycloak_client_default_roles }}"
+          realm: "{{ keycloak_realm }}"
+          public_client: "{{ keycloak_client_public }}"
+          web_origins: "{{ keycloak_client_web_origins }}"
+          users: "{{ keycloak_client_users }}"
+          client_id: TestClient

molecule/quarkus/molecule.yml

@@ -0,0 +1,53 @@
+---
+dependency:
+  name: shell
+  command: ansible-galaxy collection install -r molecule/default/requirements.yml -p $HOME/.ansible/collections --force-with-deps
+driver:
+  name: docker
+lint: |
+  ansible-lint --version
+  ansible-lint -v
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "8009/tcp"      
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"        
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - dependency
+    - lint
+    - cleanup
+    - destroy
+    - syntax
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/quarkus/prepare.yml

@@ -0,0 +1,12 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Disable beta repos
+      ansible.builtin.command: yum config-manager --disable '*beta*'
+      ignore_errors: yes
+
+    - name: Install sudo
+      ansible.builtin.yum:
+        name: sudo
+        state: present

molecule/quarkus/requirements.yml

@@ -0,0 +1,10 @@
+---
+collections:
+  - name: middleware_automation.redhat_csp_download
+    version: ">=1.2.1"
+  - name: middleware_automation.wildfly
+    version: ">=0.0.5"
+  - name: community.general
+  - name: community.docker
+    version: ">=1.9.1"
+    

molecule/quarkus/roles

@@ -0,0 +1 @@
+../../roles

molecule/quarkus/verify.yml

@@ -0,0 +1,11 @@
+---
+- name: Verify
+  hosts: all
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"

playbooks/keycloak.yml

@@ -1,13 +1,9 @@
 ---
 - name: Playbook for Keycloak Hosts
-  hosts: keycloak
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
   collections:
-    - middleware_automation.redhat_csp_download
+    - middleware_automation.keycloak
   roles:
-    - redhat_csp_download
-  tasks:
-    - name: Keycloak Role
-      include_role:
-        name: keycloak
-      vars:
-        keycloak_admin_password: "changeme"
+    - keycloak

playbooks/keycloak_realm.yml

@@ -0,0 +1,67 @@
+---
+- name: Playbook for Keycloak Hosts
+  hosts: all
+  tasks:
+    - name: Keycloak Realm Role
+      ansible.builtin.include_role:
+        name: middleware_automation.keycloak.keycloak_realm
+      vars:
+        keycloak_admin_password: "remembertochangeme"
+        keycloak_realm: TestRealm
+        keycloak_user_federation:
+          - realm: TestRealm
+            name: my-ldap
+            provider_id: ldap
+            provider_type: org.keycloak.storage.UserStorageProvider
+            config:
+              priority: '0'
+              enabled: true
+              cachePolicy: DEFAULT
+              batchSizeForSync: '1000'
+              editMode: READ_ONLY
+              importEnabled: true
+              syncRegistrations: false
+              vendor: other
+              usernameLDAPAttribute: uid
+              rdnLDAPAttribute: uid
+              uuidLDAPAttribute: entryUUID
+              userObjectClasses: inetOrgPerson, organizationalPerson
+              connectionUrl: ldaps://ldap.example.com:636
+              usersDn: ou=Users,dc=example,dc=com
+              authType: simple
+              bindDn: cn=directory reader
+              bindCredential: password
+              searchScope: '1'
+              validatePasswordPolicy: false
+              trustEmail: false
+              useTruststoreSpi: ldapsOnly
+              connectionPooling: true
+              pagination: true
+              allowKerberosAuthentication: false
+              debug: false
+              useKerberosForPasswordAuthentication: false
+            mappers:
+              - name: "full name"
+                providerId: "full-name-ldap-mapper"
+                providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+                config:
+                  ldap.full.name.attribute: cn
+                  read.only: true
+                  write.only: false
+        keycloak_clients:
+          - name: TestClient1
+            roles:
+              - TestClient1Admin
+              - TestClient1User
+            realm: "{{ keycloak_realm }}"
+            public_client: True
+            web_origins:
+              - http://testclient1origin/application
+              - http://testclient1origin/other
+            users:
+            - username: TestUser
+              password: password
+              client_roles:
+                - client: TestClient1
+                  role: TestClient1User
+                  realm: "{{ keycloak_realm }}"

playbooks/rhsso.yml

@@ -0,0 +1,12 @@
+---
+- name: Playbook for Keycloak Hosts
+  hosts: keycloak
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_rhsso_enable: True
+  collections:
+    - middleware_automation.redhat_csp_download
+    - middleware_automation.keycloak
+  roles:
+    - middleware_automation.redhat_csp_download.redhat_csp_download
+    - middleware_automation.keycloak.keycloak

playbooks/roles

@@ -0,0 +1 @@
+../roles

requirements.txt

@@ -0,0 +1,6 @@
+#################################################
+# python dependencies required to be installed 
+# on the controller host with:
+# pip install -r requirements.txt
+#
+netaddr

requirements.yml

@@ -2,6 +2,6 @@
 collections:
   - name: middleware_automation.redhat_csp_download
     version: ">=1.2.1"
-  - name: middleware_automation.jcliff
-    version: ">=0.0.19"
+  - name: middleware_automation.wildfly
+    version: ">=0.0.5"
   - name: community.general

roles/keycloak/README.md

@@ -1,38 +1,17 @@
 keycloak
 ========
 
-Install [keycloak](https://keycloak.org/) or [Red Hat Single Sing-On](https://access.redhat.com/products/red-hat-single-sign-on) server configurations.
+Install [keycloak](https://keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) server configurations.
 
 
-Role Defaults
--------------
+Requirements
+------------
 
-| Variable | Description | Default |
-|:---------|:------------|:---------|
-|`keycloak_ha_enabled`| enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
-|`keycloak_admin_user`| Administration console user account | `admin` |
+This role requires the `python3-netaddr` library installed on the controller node.
 
-
-Role Variables
---------------
-
-The following are a set of required variables for the role:
-
-| Variable | Description |
-|:---------|:------------|
-|`keycloak_admin_password`| Password for the administration console user account |
-
-The following variables are required when keycloak_ha_enabled is True:
-
-| Variable | Description | Default |
-|:---------|:------------|:---------|
-|`keycloak_modcluster_url` | URL for the modcluster reverse proxy | `localhost` |
-|`postgres_jdbc_url` | URL for the postgres backend database | `jdbc:postgresql://localhost:5432/keycloak` |
-|`postgres_db_user` | username for connecting to postgres | `keycloak-user` |
-|`postgres_db_pass` | password for connecting to postgres | `keycloak-pass` |
-|`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
-|`infinispan_user` | username for connecting to infinispan | `supervisor` |
-|`infinispan_pass` | password for connecting to infinispan | `supervisor` |
+* to install via yum/dnf: `dnf install python3-netaddr`
+* or via pip: `pip install netaddr==0.8.0`
+* or via the collection: `pip install -r requirements.txt`
 
 
 Dependencies
@@ -40,14 +19,174 @@ Dependencies
 
 The roles depends on:
 
-* the redhat_csp_download role of [middleware_automation.redhat_csp_download](https://github.com/ansible-middleware/redhat-csp-download) collection
-* the jcliff role of [middleware_automation.jcliff](https://github.com/ansible-middleware/ansible_collections_jcliff) collection
+* the `redhat_csp_download` role from [middleware_automation.redhat_csp_download](https://github.com/ansible-middleware/redhat-csp-download) collection if Red Hat Single Sign-on zip have to be downloaded from RHN.
+* the `wildfly_driver` role from [middleware_automation.wildfly](https://github.com/ansible-middleware/wildfly) collection
 
 
-Example Playbook
-----------------
+Versions
+--------
 
-The following is an example playbook that makes use of the role to install keycloak
+| RH-SSO VERSION | Release Date      | Keycloak Version | EAP Version | Notes           |
+|:---------------|:------------------|:-----------------|:------------|:----------------|
+|`7.5.0 GA`      |September 20, 2021 |`15.0.2`          | `7.4.0`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|
+
+
+Patching
+--------
+
+When variable `keycloak_rhsso_apply_patches` is `True` (default: `False`), the role will automatically apply the latest cumulative patch for the selected base version.
+
+| RH-SSO VERSION | Release Date      | RH-SSO LATEST CP | Notes           |
+|:---------------|:------------------|:-----------------|:----------------|
+|`7.5.0 GA`      |January 20, 2022   |`7.5.1 GA`        |[Release Notes](https://access.redhat.com/articles/6646321)|
+
+
+
+Role Defaults
+-------------
+
+* Service configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+|`keycloak_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
+|`keycloak_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_ha_enabled` is True, else `False` |
+|`keycloak_admin_user`| Administration console user account | `admin` |
+|`keycloak_bind_address`| Address for binding service ports | `0.0.0.0` |
+|`keycloak_host`| hostname | `localhost` |
+|`keycloak_http_port`| HTTP port | `8080` |
+|`keycloak_https_port`| TLS HTTP port | `8443` |
+|`keycloak_ajp_port`| AJP port | `8009` |
+|`keycloak_jgroups_port`| jgroups cluster tcp port | `7600` |
+|`keycloak_management_http_port`| Management port | `9990` |
+|`keycloak_management_https_port`| TLS management port | `9993` |
+|`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `True` |
+|`keycloak_config_standalone_xml`| filename for configuration | `keycloak.xml` |
+|`keycloak_service_user`| posix account username | `keycloak` |
+|`keycloak_service_group`| posix account group | `keycloak` |
+|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak.pid` |
+|`keycloak_jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-headless` |
+|`keycloak_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path | `None` |
+|`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
+
+
+* Install options
+
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation | `False` |
+|`keycloak_offline_install` | perform an offline install | `False`|
+|`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`| 
+|`keycloak_rhsso_download_url`| Download URL for RHSSO | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=<productID>`|
+|`keycloak_version`| keycloak.org package version | `15.0.2` |
+|`keycloak_rhsso_version`| RHSSO version | `7.5.0` |
+|`keycloak_rhsso_apply_patches`| Install RHSSO more recent cumulative patch | `False` |
+|`keycloak_dest`| Installation root path | `/opt/keycloak` |
+|`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
+|`keycloak_rhn_url` | Base download URI for customer portal | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=` |
+|`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
+
+
+* Miscellaneous configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_archive` | keycloak install archive filename | `keycloak-{{ keycloak_version }}.zip` |
+|`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` |
+|`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` |
+|`keycloak_rhsso_archive` | Red Hat SSO install archive filename | `rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip` |
+|`keycloak_rhsso_installdir`| Installation path for Red Hat SSO | `{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\.([0-9]*).*', '\1.\2') }}` |
+|`keycloak_rhsso_download_url`| Full download URI for Red Hat SSO | `{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}` |
+|`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}` |
+|`keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` |
+|`keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` |
+|`keycloak_config_override_template` | Path to custom template for standalone.xml configuration | `''` |
+|`keycloak_auth_realm` | Name for rest authentication realm | `master` |
+|`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
+|`keycloak_force_install` | Remove pre-existing versions of service | `False` |
+|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
+|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
+|`rhsso_rhn_id` | Customer Portal product ID for Red Hat SSO | `{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}` |
+
+
+Role Variables
+--------------
+
+The following are a set of _required_ variables for the role:
+
+| Variable | Description |
+|:---------|:------------|
+|`keycloak_admin_password`| Password for the administration console user account (minimum 12 characters) |
+|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth` |
+
+
+The following variables are _required_ only when `keycloak_ha_enabled` is True:
+
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+|`keycloak_modcluster_url` | URL for the modcluster reverse proxy | `localhost` |
+|`keycloak_jdbc_engine` | backend database engine when db is enabled: [ postgres, mariadb ] | `postgres` |
+|`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
+|`infinispan_user` | username for connecting to infinispan | `supervisor` |
+|`infinispan_pass` | password for connecting to infinispan | `supervisor` |
+|`infinispan_sasl_mechanism`| Authentication type | `SCRAM-SHA-512` |
+|`infinispan_use_ssl`| Enable hotrod TLS communication | `False` |
+|`infinispan_trust_store_path`| Path to truststore with infinispan server certificate | `/etc/pki/java/cacerts` |
+|`infinispan_trust_store_password`| Password for opening truststore | `changeit` |
+
+
+The following variables are _required_ only when `keycloak_db_enabled` is True:
+
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+|`keycloak_jdbc_url` | URL for the postgres backend database | `jdbc:postgresql://localhost:5432/keycloak` |
+|`keycloak_jdbc_driver_version`| Version for the JDBC driver to download | `9.4.1212` |
+|`keycloak_db_user` | username for connecting to postgres | `keycloak-user` |
+|`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` |
+
+
+Example Playbooks
+-----------------
+
+_NOTE_: use ansible vaults or other security systems for storing credentials.
+
+
+* The following is an example playbook that makes use of the role to install keycloak from remote:
+
+```yaml
+---
+- hosts: ...
+      vars:
+        keycloak_admin_password: "remembertochangeme"
+      collections:
+        - middleware_automation.keycloak
+      roles:
+        - middleware_automation.keycloak.keycloak
+```
+
+* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN:
+
+```yaml
+---
+- name: Playbook for RHSSO
+  hosts: keycloak
+  collections:
+    - middleware_automation.redhat_csp_download
+  roles:
+    - redhat_csp_download
+  tasks:
+    - name: Keycloak Role
+      include_role:
+        name: keycloak
+      vars:
+        keycloak_admin_password: "remembertochangeme"
+        keycloak_rhsso_enable: True
+        rhn_username: '<customer portal username>'
+        rhn_password: '<customer portal password>'
+```
+
+
+* The following example playbook makes use of the role to install keycloak from the controller node:
 
 ```yaml
 ---
@@ -59,7 +198,48 @@ The following is an example playbook that makes use of the role to install keycl
           include_role:
             name: keycloak
           vars:
-            keycloak_admin_password: "changeme"
+            keycloak_admin_password: "remembertochangeme"
+            keycloak_offline_install: True
+            # This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip
+```
+
+
+* This playbook installs Red Hat Single Sign-On from an alternate url:
+
+```yaml
+---
+- hosts: keycloak
+  collections:
+    - middleware_automation.keycloak
+  tasks:
+    - name: Keycloak Role
+      include_role:
+        name: keycloak
+      vars:
+        keycloak_admin_password: "remembertochangeme"
+        keycloak_rhsso_enable: True
+        keycloak_rhsso_download_url: "<REPLACE with download url>"
+        # This should be the full of remote source rhsso zip file and can contain basic authentication credentials
+```
+
+
+* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On offline from the controller node, and apply latest cumulative patch:
+
+```yaml
+---
+- hosts: keycloak
+  collections:
+    - middleware_automation.keycloak
+  tasks:
+    - name: Keycloak Role
+      include_role:
+        name: keycloak
+      vars:
+        keycloak_admin_password: "remembertochangeme"
+        keycloak_rhsso_enable: True
+        keycloak_offline_install: True
+        keycloak_rhsso_apply_patches: True
+        # This should be the filename of rhsso zip file on Ansible node: rh-sso-7.5-server-dist.zip
 ```
 
 License
@@ -72,4 +252,5 @@ Author Information
 ------------------
 
 * [Guido Grazioli](https://github.com/guidograzioli)
-* [Romain Pelisse](https://github.com/rpelisse)
+* [Romain Pelisse](https://github.com/rpelisse)
+* [Pavan Kumar Motaparthi](https://github.com/motaparthipavankumar)

roles/keycloak/defaults/main.yml

@@ -1,87 +1,94 @@
 ---
 ### Configuration specific to keycloak
-keycloak_version: 9.0.2
-keycloak_archive: keycloak-{{ keycloak_version }}.zip
-keycloak_download_url: https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}
-keycloak_local_download_dest: '{{ "~/keycloak_download" | expanduser }}'
+keycloak_version: 15.0.2
+keycloak_archive: "keycloak-{{ keycloak_version }}.zip"
+keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"  
+keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
 keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
 
-### Configuration specific to Red Hat Single Sing-On
-keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined else False }}"
-keycloak_rhsso_client_adapter_rhn_id: '101951'
-keycloak_rhsso_saml_adapter_rhn_id: '101901'
-keycloak_rhsso_version: 7.5
-keycloak_rhsso_archive: rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip
-keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version }}"
-keycloak_rhsso_base_url: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId='
+### Configuration specific to Red Hat Single Sign-On
+keycloak_rhsso_version: 7.5.0
+rhsso_rhn_id: "{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}"
+keycloak_rhsso_archive: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
+keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
+keycloak_rhn_url: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId='
+keycloak_rhsso_download_url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}"
+keycloak_rhsso_apply_patches: False
+
+### keycloak/rhsso choice: by default install rhsso if rhn credentials are defined
+keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}"
+# whether to install from local archive; filename must be keycloak_archive or keycloak_rhsso_archive depending on keycloak_rhsso_enable
+keycloak_offline_install: False
 
 ### Install location and service settings
+keycloak_jvm_package: java-1.8.0-openjdk-headless
+keycloak_java_home:
 keycloak_dest: /opt/keycloak
-keycloak_jboss_home: "{{ keycloak_rhsso_installdir if rhsso_rhn_id is defined else keycloak_installdir }}"
+keycloak_jboss_home: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
 keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
+keycloak_config_standalone_xml: "keycloak.xml"
+keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
+keycloak_config_override_template: ''
 keycloak_service_user: keycloak
 keycloak_service_group: keycloak
 keycloak_service_pidfile: "/run/keycloak.pid"
-keycloak_service_logfile: "{{ keycloak_dest }}/keycloak.log"
+keycloak_configure_firewalld: False
 
-### Keycloak configuration settings
+### administrator console password
+keycloak_admin_password: ''
+
+### Common configuration settings
 keycloak_bind_address: 0.0.0.0
 keycloak_host: localhost
 keycloak_http_port: 8080
 keycloak_https_port: 8443
+keycloak_ajp_port: 8009
+keycloak_jgroups_port: 7600
 keycloak_management_http_port: 9990
 keycloak_management_https_port: 9993
-keycloak_java_opts: "-Xms1024m -Xmx20480m -XX:MaxPermSize=768m"
-keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
-keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
-# enable auto configuration for database backend, clustering and remote caches on infinispan
+keycloak_java_opts: "-Xms1024m -Xmx2048m"
+keycloak_prefer_ipv4: True
+
+### Enable configuration for database backend, clustering and remote caches on infinispan
 keycloak_ha_enabled: False
-keycloak_db_enabled: False
+### Enable database configuration, must be enabled when HA is configured
+keycloak_db_enabled: "{{ True if keycloak_ha_enabled else False }}"
 
-# keycloak administration console user
+### Keycloak administration console user
 keycloak_admin_user: admin
-
 keycloak_auth_realm: master
 keycloak_auth_client: admin-cli
 
 keycloak_force_install: False
 
-keycloak_modcluster:
-  enabled: "{{ keycloak_ha_enabled }}"
-  reverse_proxy_url: "{{ keycloak_modcluster_url | default('localhost') }}"
+### mod_cluster reverse proxy
+keycloak_modcluster_url: localhost
 
-keycloak_remotecache:
-  enabled: "{{ keycloak_ha_enabled }}"
-  username: "{{ infinispan_user | default('supervisor') }}"
-  password: "{{ infinispan_pass | default('supervisor') }}"
-  realm: default
-  server_name: "{{ infinispan_url | default('localhost') }}"
-  trust_store_path: /path/to/jks/keystore
-  trust_store_password: changeme
+### keycloak frontend url
+keycloak_frontend_url: http://localhost:8080/auth
 
+### infinispan remote caches access (hotrod)
+infinispan_user: supervisor
+infinispan_pass: supervisor
+infinispan_url: localhost
+infinispan_sasl_mechanism: SCRAM-SHA-512
+infinispan_use_ssl: False
+# if ssl is enabled, import ispn server certificate here
+infinispan_trust_store_path: /etc/pki/java/cacerts
+infinispan_trust_store_password: changeit
+
+### database backend engine: values [ 'postgres', 'mariadb' ]
 keycloak_jdbc_engine: postgres
-keycloak_jdbc:
+### database backend credentials
+keycloak_db_user: keycloak-user
+keycloak_db_pass: keycloak-pass
+keycloak_jdbc_url: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
+keycloak_jdbc_driver_version: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
+# override the variables above, following defaults show minimum supported versions
+keycloak_default_jdbc:
   postgres:
-    enabled: "{{ keycloak_ha_enabled and keycloak_jdbc_engine == 'postgres' }}"
-    driver_class: org.postgresql.Driver
-    xa_datasource_class: org.postgresql.xa.PGXADataSource
-    driver_module_name: "org.postgresql"
-    driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/postgresql/main"
-    driver_version: 9.4.1212
-    driver_jar_filename: "postgresql-9.4.1212.jar"
-    driver_jar_url: "https://repo.maven.apache.org/maven2/org/postgresql/postgresql/9.4.1212/postgresql-9.4.1212.jar"
-    connection_url: "{{ postgres_jdbc_url | default('jdbc:postgresql://localhost:5432/keycloak') }}"
-    db_user: "{{ postgres_db_user | default('keycloak-user') }}"
-    db_password: "{{ postgres_db_pass | default('keycloak-pass') }}"
+    url: 'jdbc:postgresql://localhost:5432/keycloak'
+    version: 9.4.1212
   mariadb:
-    enabled: "{{ keycloak_ha_enabled and keycloak_jdbc_engine == 'mariadb' }}"
-    driver_class: org.mariadb.jdbc.Driver
-    xa_datasource_class: org.mariadb.jdbc.MySQLDataSource
-    driver_module_name: "org.mariadb"
-    driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/mariadb/main"
-    driver_version: 2.7.4
-    driver_jar_filename: "mariadb-java-client-2.7.4.jar"
-    driver_jar_url: "https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/2.7.4/mariadb-java-client-2.7.4.jar"
-    connection_url: "{{ mariadb_jdbc_url | default('jdbc:mariadb://localhost:3306/keycloak') }}"
-    db_user: "{{ mariadb_db_user | default('keycloak-user') }}"
-    db_password: "{{ mariadb_db_pass | default('keycloak-pass') }}"
+    url: 'jdbc:mariadb://localhost:3306/keycloak'
+    version: 2.7.4

roles/keycloak/handlers/main.yml

@@ -1,3 +1,4 @@
 ---
-- name: restart keycloak
-  include_tasks: restart_keycloak.yml
+- name: "Restart handler"
+  ansible.builtin.include_tasks: restart_keycloak.yml
+  listen: "restart keycloak"

roles/keycloak/meta/argument_specs.yml

@@ -0,0 +1,296 @@
+argument_specs:
+    main:
+        options:
+            keycloak_version:
+                # line 3 of keycloak/defaults/main.yml
+                default: "15.0.2"
+                description: "keycloak.org package version"
+                type: "str"
+            keycloak_archive:
+                # line 4 of keycloak/defaults/main.yml
+                default: "keycloak-{{ keycloak_version }}.zip"
+                description: "keycloak install archive filename"
+                type: "str"
+            keycloak_configure_firewalld:
+                # line 33 of keycloak/defaults/main.yml
+                default: false
+                description: "Ensure firewalld is running and configure keycloak ports"
+                type: "bool"
+            keycloak_download_url:
+                # line 5 of keycloak/defaults/main.yml
+                default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
+                description: "Download URL for keycloak"
+                type: "str"
+            keycloak_download_url_9x:
+                # line 6 of keycloak/defaults/main.yml
+                default: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
+                description: "Download URL for keycloak (deprecated)"
+                type: "str"
+            keycloak_installdir:
+                # line 7 of keycloak/defaults/main.yml
+                default: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
+                description: "Installation path"
+                type: "str"
+            keycloak_rhsso_version:
+                # line 10 of keycloak/defaults/main.yml
+                default: "7.5.0"
+                description: "Red Hat Single Sign-On version"
+                type: "str"
+            rhsso_rhn_id:
+                # line 11 of keycloak/defaults/main.yml
+                default: "{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}"
+                description: "Customer Portal product ID for Red Hat SSO"
+                type: "str"
+            keycloak_rhsso_archive:
+                # line 12 of keycloak/defaults/main.yml
+                default: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
+                description: "ed Hat SSO install archive filename"
+                type: "str"
+            keycloak_rhsso_apply_patches:
+                # line 16 of keycloak/defaults/main.yml
+                default: false
+                description: "Install RHSSO more recent cumulative patch"
+                type: "bool"
+            keycloak_rhsso_installdir:
+                # line 13 of keycloak/defaults/main.yml
+                default: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
+                description: "Installation path for Red Hat SSO"
+                type: "str"
+            keycloak_rhn_url:
+                # line 14 of keycloak/defaults/main.yml
+                default: "https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId="
+                description: "Base download URI for customer portal"
+                type: "str"
+            keycloak_rhsso_download_url:
+                # line 15 of keycloak/defaults/main.yml
+                default: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}"
+                description: "Full download URI for Red Hat SSO"
+                type: "str"
+            keycloak_rhsso_enable:
+                # line 18 of keycloak/defaults/main.yml
+                default: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}"
+                description: "Enable Red Hat Single Sign-on installation"
+                type: "str"
+            keycloak_offline_install:
+                # line 20 of keycloak/defaults/main.yml
+                default: false
+                description: "Perform an offline install"
+                type: "bool"
+            keycloak_jvm_package:
+                # line 23 of keycloak/defaults/main.yml
+                default: "java-1.8.0-openjdk-headless"
+                description: "RHEL java package runtime rpm"
+                type: "str"
+            keycloak_java_home:
+                description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path"
+                type: "str"
+            keycloak_dest:
+                # line 24 of keycloak/defaults/main.yml
+                default: "/opt/keycloak"
+                description: "Root installation directory"
+                type: "str"
+            keycloak_jboss_home:
+                # line 25 of keycloak/defaults/main.yml
+                default: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
+                description: "Installation work directory"
+                type: "str"
+            keycloak_config_dir:
+                # line 26 of keycloak/defaults/main.yml
+                default: "{{ keycloak_jboss_home }}/standalone/configuration"
+                description: "Path for configuration"
+                type: "str"
+            keycloak_config_standalone_xml:
+                # line 27 of keycloak/defaults/main.yml
+                default: "keycloak.xml"
+                description: "Service configuration filename"
+                type: "str"
+            keycloak_config_path_to_standalone_xml:
+                # line 28 of keycloak/defaults/main.yml
+                default: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
+                description: "Custom path for configuration"
+                type: "str"
+            keycloak_config_override_template:
+                # line 30 of keycloak/defaults/main.yml
+                default: ""
+                description: "Path to custom template for standalone.xml configuration"
+                type: "str"
+            keycloak_service_user:
+                # line 29 of keycloak/defaults/main.yml
+                default: "keycloak"
+                description: "posix account username"
+                type: "str"
+            keycloak_service_group:
+                # line 30 of keycloak/defaults/main.yml
+                default: "keycloak"
+                description: "posix account group"
+                type: "str"
+            keycloak_service_pidfile:
+                # line 31 of keycloak/defaults/main.yml
+                default: "/run/keycloak.pid"
+                description: "PID file path for service"
+                type: "str"
+            keycloak_bind_address:
+                # line 34 of keycloak/defaults/main.yml
+                default: "0.0.0.0"
+                description: "Address for binding service ports"
+                type: "str"
+            keycloak_host:
+                # line 35 of keycloak/defaults/main.yml
+                default: "localhost"
+                description: "Hostname for service"
+                type: "str"
+            keycloak_http_port:
+                # line 36 of keycloak/defaults/main.yml
+                default: 8080
+                description: "Listening HTTP port"
+                type: "int"
+            keycloak_https_port:
+                # line 37 of keycloak/defaults/main.yml
+                default: 8443
+                description: "Listening HTTPS port"
+                type: "int"
+            keycloak_ajp_port:
+                # line 38 of keycloak/defaults/main.yml
+                default: 8009
+                description: "Listening AJP port"
+                type: "int"
+            keycloak_jgroups_port:
+                # line 39 of keycloak/defaults/main.yml
+                default: 7600
+                description: "jgroups cluster tcp port"
+                type: "int"
+            keycloak_management_http_port:
+                # line 40 of keycloak/defaults/main.yml
+                default: 9990
+                description: "Management port (http)"
+                type: "int"
+            keycloak_management_https_port:
+                # line 41 of keycloak/defaults/main.yml
+                default: 9993
+                description: "Management port (https)"
+                type: "int"
+            keycloak_java_opts:
+                # line 42 of keycloak/defaults/main.yml
+                default: "-Xms1024m -Xmx2048m"
+                description: "Additional JVM options"
+                type: "str"
+            keycloak_prefer_ipv4:
+                # line 43 of keycloak/defaults/main.yml
+                default: true
+                description: "Prefer IPv4 stack and addresses for port binding"
+                type: "bool"
+            keycloak_ha_enabled:
+                # line 46 of keycloak/defaults/main.yml
+                default: false
+                description: "Enable auto configuration for database backend, clustering and remote caches on infinispan"
+                type: "bool"
+            keycloak_db_enabled:
+                # line 48 of keycloak/defaults/main.yml
+                default: "{{ True if keycloak_ha_enabled else False }}"
+                description: "Enable auto configuration for database backend"
+                type: "str"
+            keycloak_admin_user:
+                # line 51 of keycloak/defaults/main.yml
+                default: "admin"
+                description: "Administration console user account"
+                type: "str"
+            keycloak_auth_realm:
+                # line 52 of keycloak/defaults/main.yml
+                default: "master"
+                description: "Name for rest authentication realm"
+                type: "str"
+            keycloak_auth_client:
+                # line 53 of keycloak/defaults/main.yml
+                default: "admin-cli"
+                description: "Authentication client for configuration REST calls"
+                type: "str"
+            keycloak_force_install:
+                # line 55 of keycloak/defaults/main.yml
+                default: false
+                description: "Remove pre-existing versions of service"
+                type: "bool"
+            keycloak_modcluster_url:
+                # line 58 of keycloak/defaults/main.yml
+                default: "localhost"
+                description: "URL for the modcluster reverse proxy"
+                type: "str"
+            keycloak_frontend_url:
+                # line 59 of keycloak/defaults/main.yml
+                default: "http://localhost"
+                description: "Frontend URL for keycloak endpoints when a reverse proxy is used"
+                type: "str"
+            infinispan_user:
+                # line 62 of keycloak/defaults/main.yml
+                default: "supervisor"
+                description: "Username for connecting to infinispan"
+                type: "str"
+            infinispan_pass:
+                # line 63 of keycloak/defaults/main.yml
+                default: "supervisor"
+                description: "Password for connecting to infinispan"
+                type: "str"
+            infinispan_url:
+                # line 64 of keycloak/defaults/main.yml
+                default: "localhost"
+                description: "URL for the infinispan remote-cache server"
+                type: "str"
+            infinispan_sasl_mechanism:
+                # line 65 of keycloak/defaults/main.yml
+                default: "SCRAM-SHA-512"
+                description: "Authentication type to infinispan server"
+                type: "str"
+            infinispan_use_ssl:
+                # line 66 of keycloak/defaults/main.yml
+                default: false
+                description: "Enable hotrod client TLS communication"
+                type: "bool"
+            infinispan_trust_store_path:
+                # line 68 of keycloak/defaults/main.yml
+                default: "/etc/pki/java/cacerts"
+                description: "TODO document argument"
+                type: "str"
+            infinispan_trust_store_password:
+                # line 69 of keycloak/defaults/main.yml
+                default: "changeit"
+                description: "Path to truststore containing infinispan server certificate"
+                type: "str"
+            keycloak_jdbc_engine:
+                # line 72 of keycloak/defaults/main.yml
+                default: "postgres"
+                description: "Backend database flavour when db is enabled: [ postgres, mariadb ]"
+                type: "str"
+            keycloak_db_user:
+                # line 74 of keycloak/defaults/main.yml
+                default: "keycloak-user"
+                description: "Username for connecting to database"
+                type: "str"
+            keycloak_db_pass:
+                # line 75 of keycloak/defaults/main.yml
+                default: "keycloak-pass"
+                description: "Password for connecting to database"
+                type: "str"
+            keycloak_jdbc_url:
+                # line 76 of keycloak/defaults/main.yml
+                default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
+                description: "URL for connecting to backend database"
+                type: "str"
+            keycloak_jdbc_driver_version:
+                # line 77 of keycloak/defaults/main.yml
+                default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
+                description: "Version for the JDBC driver to download"
+                type: "str"
+            keycloak_admin_password:
+                # line 4 of keycloak/vars/main.yml
+                required: true
+                description: "Password for the administration console user account"
+                type: "str"
+            keycloak_url:
+                # line 12 of keycloak/vars/main.yml
+                default: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
+                description: "URL for configuration rest calls"
+                type: "str"
+            keycloak_management_url:
+                # line 13 of keycloak/vars/main.yml
+                default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
+                description: "URL for management console rest calls"
+                type: "str"

roles/keycloak/meta/main.yml

@@ -1,3 +1,29 @@
+---
 collections:
   - middleware_automation.redhat_csp_download
-  - middleware_automation.jcliff
+  - middleware_automation.wildfly
+
+galaxy_info:
+  role_name: keycloak
+  namespace: middleware_automation
+  author: Romain Pelisse, Guido Grazioli, Pavan Kumar Motaparthi
+  description: Install keycloak or Red Hat Single Sign-On server configurations
+  company: Red Hat, Inc.
+
+  license: Apache License 2.0
+
+  min_ansible_version: "2.9"
+
+  platforms:
+   - name: EL
+     versions:
+     - 8
+
+  galaxy_tags:
+    - keycloak
+    - redhat
+    - rhel
+    - sso
+    - authentication
+    - identity
+    - security

roles/keycloak/tasks/download_from_rhn.yml

@@ -1,75 +0,0 @@
----
-- assert:
-    that:
-      - zipfile_dest is defined
-      - rhn_id_file is defined
-      - rhn_username is defined
-      - rhn_password is defined
-    quiet: true
-
-- set_fact:
-    rhn_download_url: "{{ keycloak_rhsso_base_url }}{{ rhn_id_file }}"
-
-- name: "Check zipfile dest directory {{ zipfile_dest }}"
-  stat:
-    path: "{{ zipfile_dest }}"
-  register: archive_path
-
-- name: "Install zipfile from RHN: {{ rhn_download_url }}"
-  redhat_csp_download:
-    url: "{{ rhn_download_url }}"
-    dest: "{{ zipfile_dest }}"
-    username: "{{ rhn_username }}"
-    password: "{{ rhn_password }}"
-  no_log: "{{ omit_rhn_output | default(true) }}"
-  when:
-    - archive_path is defined
-    - archive_path.stat is defined
-    - not archive_path.stat.exists
-    
-- name: "Check zipfile dest directory {{ zipfile_dest }}"
-  stat:
-    path: "{{ zipfile_dest }}"
-  register: path_to_downloaded_artefact
-
-- block:
-    - file:
-        path: "{{ work_dir }}"
-        state: directory
-        owner: "{{ keycloak_service_user }}"
-        group: "{{ keycloak_service_group }}"
-        mode: 0750
-
-    - name: "Check directory {{ target_dir }}"
-      stat:
-        path: "{{ target_dir }}"
-      register: target_dir_state
-
-    - assert:
-        that:
-          - target_dir_state is defined
-          - target_dir_state.stat is defined
-        fail_msg: "Directory layout for {{ target_dir }} is invalid."
-        quiet: true
-
-    - name: "Decompress {{ zipfile_dest }} into {{ work_dir }} (results in {{ target_dir }}."
-      unarchive:
-        src: "{{ zipfile_dest }}"
-        dest: "{{ work_dir }}"
-        owner: "{{ keycloak_service_user }}"
-        group: "{{ keycloak_service_user }}"
-        remote_src: yes
-        creates: "{{ target_dir }}"
-      when:
-        - not target_dir_state.stat.exists
-
-    - debug:
-        msg: "{{ target_dir }} already exists, skipping decompressing {{ zipfile_dest }}"
-      when:
-        - target_dir_state.stat.exists
-  when:
-    - path_to_downloaded_artefact is defined
-    - path_to_downloaded_artefact.stat is defined
-    - path_to_downloaded_artefact.stat.exists
-    - target_dir is defined
-    - work_dir is defined

roles/keycloak/tasks/fastpackages.yml

@@ -0,0 +1,21 @@
+---
+- block:
+  - name: "Check if packages are already installed"
+    ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
+    args:
+      warn: no
+    register: rpm_info
+    changed_when: rpm_info.failed
+
+  rescue:
+    - name: "Add missing packages to the yum install list"
+      ansible.builtin.set_fact:
+        packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | flatten }}"
+      when: rpm_info.failed
+
+- name: "Install packages: {{ packages_to_install }}"
+  become: yes
+  ansible.builtin.yum:
+    name: "{{ packages_to_install }}"
+    state: present
+  when: packages_to_install | default([]) | length > 0

roles/keycloak/tasks/fastpackages/check.yml

@@ -1,14 +0,0 @@
----
-- block:
-  - name: "Check if package {{ package_name }} is already installed"
-    command: rpm -q {{ package_name }}
-    args:
-      warn: no
-    register: rpm_info
-    changed_when: rpm_info.failed
-
-  rescue:
-    - name: "If package {{ package_name }} is missing, add it to the yum install list."
-      set_fact:
-        packages_to_install: "{{ packages_to_install + [ package_name ] }}"
-      when: rpm_info.failed

roles/keycloak/tasks/fastpackages/install.yml

@@ -1,17 +0,0 @@
----
-- set_fact:
-    update_cache: true
-    packages_to_install: []
-
-- name: "Check packages to be installed"
-  include_tasks: check.yml
-  loop: "{{ packages_list | flatten }}"
-  loop_control:
-    loop_var: package_name
-
-- name: "Install packages: {{ packages_to_install }}"
-  become: yes
-  yum:
-    name: "{{ packages_to_install }}"
-    state: present
-  when: packages_to_install | length > 0

roles/keycloak/tasks/firewalld.yml

@@ -1,18 +1,18 @@
 ---
-- name: Ensures required package firewalld are installed
-  ansible.builtin.include_tasks: fastpackages/install.yml
+- name: Ensure required package firewalld are installed
+  ansible.builtin.include_tasks: fastpackages.yml
   vars:
     packages_list:
       - firewalld
 
 - name: Enable and start the firewalld service
   become: yes
-  systemd:
+  ansible.builtin.systemd:
     name: firewalld
     enabled: yes
     state: started
 
-- name: Configure firewall for jdg ports
+- name: "Configure firewall for {{ keycloak.service_name }} ports"
   become: yes
   firewalld:
     port: "{{ item }}"
@@ -24,4 +24,5 @@
     - "{{ keycloak_https_port }}/tcp"
     - "{{ keycloak_management_http_port }}/tcp"
     - "{{ keycloak_management_https_port }}/tcp"
-    - "8009/tcp"
+    - "{{ keycloak_jgroups_port }}/tcp"
+    - "{{ keycloak_ajp_port }}/tcp"

roles/keycloak/tasks/install.yml

@@ -1,5 +1,6 @@
 ---
-- assert:
+- name: Validate parameters
+  ansible.builtin.assert:
     that:
       - keycloak_jboss_home is defined
       - keycloak_service_user is defined
@@ -9,113 +10,169 @@
       - keycloak_version is defined
     quiet: true
 
-- set_fact:
-    keycloak_service_group: "{{ keycloak_service_user }}"
-  when:
-    - not keycloak_service_group is defined
-
-- name: check for an existing deployment
+- name: Check for an existing deployment
   become: yes
-  stat:
+  ansible.builtin.stat:
     path: "{{ keycloak_jboss_home }}"
   register: existing_deploy
 
 - block:
-    - name: stop the old keycloak service
+    - name: "Stop the old {{ keycloak.service_name }} service"
       become: yes
       ignore_errors: yes
-      systemd:
+      ansible.builtin.systemd:
         name: keycloak
         state: stopped
-    - name: remove the old Keycloak deployment
+    - name: "Remove the old {{ keycloak.service_name }} deployment"
       become: yes
-      file:
+      ansible.builtin.file:
         path: "{{ keycloak_jboss_home }}"
         state: absent
   when: existing_deploy.stat.exists and keycloak_force_install|bool
 
-- name: check for an existing deployment after possible forced removal
+- name: Check for an existing deployment after possible forced removal
   become: yes
-  stat:
+  ansible.builtin.stat:
     path: "{{ keycloak_jboss_home }}"
 
-- name: create Keycloak service user/group
+- name: "Create {{ keycloak.service_name }} service user/group"
   become: yes
-  user:
+  ansible.builtin.user:
     name: "{{ keycloak_service_user }}"
     home: /opt/keycloak
     system: yes
     create_home: no
 
-- name: create Keycloak install location
+- name: "Create {{ keycloak.service_name }} install location"
   become: yes
-  file:
+  ansible.builtin.file:
     dest: "{{ keycloak_dest }}"
     state: directory
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
     mode: 0750
 
-- block:
-    - set_fact:
-        archive: "{{ keycloak_dest }}/{{ keycloak_archive }}"
-    - name: "Check archive directory {{ archive }}"
-      stat:
-        path: "{{ archive }}"
-      register: archive_path
+## check remote archive
+- name: Set download archive path
+  ansible.builtin.set_fact:
+    archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"
 
-    - name: download Keycloak archive to target
-      get_url:
-        url: "{{ keycloak_download_url }}"
-        dest: "{{ keycloak_dest }}"
-        owner: "{{ keycloak_service_user }}"
-        group: "{{ keycloak_service_group }}"
-      when:
-        - archive_path is defined
-        - archive_path.stat is defined
-        - not archive_path.stat.exists
-
-    - name: extract Keycloak archive on target
-      unarchive:
-        remote_src: yes
-        src: "{{ archive }}"
-        dest: "{{ keycloak_dest }}"
-        creates: "{{ keycloak_jboss_home }}"
-        owner: "{{ keycloak_service_user }}"
-        group: "{{ keycloak_service_group }}"
-      notify:
-        - restart keycloak
+- name: Check download archive path
   become: yes
-  when: not keycloak_rhsso_enable
+  ansible.builtin.stat:
+    path: "{{ archive }}"
+  register: archive_path
 
-- block:
-    - assert:
-        that:
-          - rhsso_rhn_id is defined
-        quiet: true
-        fail_msg: "Can't install RHSSO without RHN ID."
+## download to controller
+- name: Check local download archive path
+  ansible.builtin.stat:
+    path: "{{ lookup('env', 'PWD') }}"
+  register: local_path
+  delegate_to: localhost
 
-    - name: create download directory
-      file:
-        path: /opt/apps
-        state: directory
-        owner: "{{ keycloak_service_user }}"
-        group: "{{ keycloak_service_group }}"
-        mode: 0750
+- name: Download keycloak archive
+  ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
+    url: "{{ keycloak_download_url }}"
+    dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+    mode: 0640
+  delegate_to: localhost
+  when:
+    - archive_path is defined
+    - archive_path.stat is defined
+    - not archive_path.stat.exists
+    - not keycloak_rhsso_enable
+    - not keycloak_offline_install
 
-    - include_tasks: download_from_rhn.yml
-      vars:
-        rhn_id_file: "{{ rhsso_rhn_id }}"
-        zipfile_dest: "{{ keycloak_dest }}/{{ keycloak_rhsso_archive }}"
-        work_dir: "{{ keycloak_dest }}"
-        target_dir: "{{ keycloak_jboss_home }}"
+- name: Perform download from RHN
+  middleware_automation.redhat_csp_download.redhat_csp_download:
+    url: "{{ keycloak_rhsso_download_url }}"
+    dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+    username: "{{ rhn_username }}"
+    password: "{{ rhn_password }}"
+  no_log: "{{ omit_rhn_output | default(true) }}"
+  delegate_to: localhost
+  when:
+    - archive_path is defined
+    - archive_path.stat is defined
+    - not archive_path.stat.exists
+    - keycloak_rhsso_enable
+    - not keycloak_offline_install
+    - keycloak_rhn_url in keycloak_rhsso_download_url
+
+- name: Download rhsso archive from alternate location
+  ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
+    url: "{{ keycloak_rhsso_download_url }}"
+    dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+    mode: 0640
+  delegate_to: localhost
+  when:
+    - archive_path is defined
+    - archive_path.stat is defined
+    - not archive_path.stat.exists
+    - keycloak_rhsso_enable
+    - not keycloak_offline_install
+    - not keycloak_rhn_url in keycloak_rhsso_download_url
+
+- name: Check downloaded archive
+  ansible.builtin.stat:
+    path: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+  register: local_archive_path
+  delegate_to: localhost
+
+## copy and unpack
+- name: Copy archive to target nodes
+  ansible.builtin.copy:
+    src: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+    dest: "{{ archive }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0750
+  register: new_version_downloaded
+  when:
+    - not archive_path.stat.exists
+    - local_archive_path.stat is defined
+    - local_archive_path.stat.exists
   become: yes
-  when: keycloak_rhsso_enable
 
+- name: "Check target directory: {{ keycloak.home }}"
+  ansible.builtin.stat:
+    path: "{{ keycloak.home }}"
+  register: path_to_workdir
+  become: yes
+
+- name: "Extract {{ 'Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Keycloak' }} archive on target"
+  ansible.builtin.unarchive:
+    remote_src: yes
+    src: "{{ archive }}"
+    dest: "{{ keycloak_dest }}"
+    creates: "{{ keycloak.home }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+  become: yes
+  when:
+    - new_version_downloaded.changed or not path_to_workdir.stat.exists
+  notify:
+    - restart keycloak
+
+- name: Inform decompression was not executed
+  ansible.builtin.debug:
+    msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
+  when:
+    - not new_version_downloaded.changed and path_to_workdir.stat.exists
+
+- name: "Reown installation directory to {{ keycloak_service_user }}"
+  ansible.builtin.file:
+    path: "{{ keycloak.home }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    recurse: true
+  become: yes
+  changed_when: false
+
+# driver and configuration
 - name: "Install {{ keycloak_jdbc_engine }} driver"
-  include_role:
-    name: wildfly_driver
-    tasks_from: jdbc_driver.yml
+  ansible.builtin.include_role:
+    name: middleware_automation.wildfly.wildfly_driver
   vars:
       wildfly_user: "{{ keycloak_service_user }}"
       jdbc_driver_module_dir: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
@@ -126,23 +183,23 @@
       jdbc_driver_module_name: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}"
   when: keycloak_jdbc[keycloak_jdbc_engine].enabled
 
-- name: "Deploy Keycloak's standalone.xml"
+- name: "Deploy {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak.config_template_source }}"
   become: yes
-  template:
-    src: "{{ 'templates/standalone-rhsso.xml.j2' if keycloak_rhsso_enable else 'templates/standalone.xml.j2' }}"
-    dest: "{{ keycloak_jboss_home }}/standalone/configuration/standalone.xml"
+  ansible.builtin.template:
+    src: "templates/{{ keycloak.config_template_source }}"
+    dest: "{{ keycloak_config_path_to_standalone_xml }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
     mode: 0640
   notify:
     - restart keycloak
-  when: not keycloak_remotecache.enabled
+  when: not keycloak_remotecache.enabled or keycloak_config_override_template|length > 0
 
-- name: "Deploy Keycloak's standalone.xml with remote cache store"
+- name: "Deploy {{ keycloak.service_name }} config with remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
   become: yes
-  template:
-    src: "{{ 'templates/standalone-rhsso-jdg.xml.j2' if keycloak_rhsso_enable else 'templates/standalone-infinispan.xml.j2' }}"
-    dest: "{{ keycloak_jboss_home }}/standalone/configuration/standalone.xml"
+  ansible.builtin.template:
+    src: templates/standalone-infinispan.xml.j2
+    dest: "{{ keycloak_config_path_to_standalone_xml }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
     mode: 0640

roles/keycloak/tasks/main.yml

@@ -1,18 +1,43 @@
 ---
 # tasks file for keycloak
 
-- name: Prerequisites
-  include_tasks: prereqs.yml
+- name: Check prerequisites
+  ansible.builtin.include_tasks: prereqs.yml
   tags:
     - prereqs
 
-- include_tasks: tasks/install.yml
+- name: Include firewall config tasks
+  ansible.builtin.include_tasks: firewalld.yml
+  when: keycloak_configure_firewalld
+  tags:
+    - firewall
 
-- include_tasks: tasks/systemd.yml
+- name: Include install tasks
+  ansible.builtin.include_tasks: install.yml
+  tags:
+    - install
+
+- name: Include systemd tasks
+  ansible.builtin.include_tasks: systemd.yml
+  tags:
+    - systemd
+
+- name: Include patch install tasks
+  ansible.builtin.include_tasks: rhsso_patch.yml
+  when: keycloak_rhsso_apply_patches and keycloak_rhsso_enable
+  tags:
+    - install
+    - patch
+
+- name: Link default logs directory
+  ansible.builtin.file:
+    state: link
+    src: "{{ keycloak_jboss_home }}/standalone/log"
+    dest: /var/log/keycloak
 
 - block:
-    - name: Check admin credentials by generating a token
-      uri:
+    - name: Check admin credentials by generating a token (supposed to fail on first installation)
+      ansible.builtin.uri:
         url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
         method: POST
         body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
@@ -22,14 +47,22 @@
       retries: 2
       delay: 2
   rescue:
-    - name: create Keycloak admin user
-      command:
+    - name: "Create {{ keycloak.service_name }} admin user"
+      ansible.builtin.command:
       args:
         argv:
           - "{{ keycloak_jboss_home }}/bin/add-user-keycloak.sh"
-          - -rmaster
-          - -u{{ keycloak_admin_user }}
-          - -p{{ keycloak_admin_password }}
+          - "-rmaster"
+          - "-u{{ keycloak_admin_user }}"
+          - "-p{{ keycloak_admin_password }}"
+      changed_when: yes
       become: yes
-    - name: restart keycloak
-      include_tasks: tasks/restart_keycloak.yml
+    - name: "Restart {{ keycloak.service_name }}"
+      ansible.builtin.include_tasks: tasks/restart_keycloak.yml
+    - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
+      ansible.builtin.uri:
+        url: "{{ keycloak.health_url }}"
+      register: keycloak_status
+      until: keycloak_status.status == 200
+      retries: 25
+      delay: 10

roles/keycloak/tasks/manage_realm.yml

@@ -1,73 +0,0 @@
----
-- name: Generate keycloak auth token
-  uri:
-    url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
-    method: POST
-    body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
-    validate_certs: no
-  register: keycloak_auth_response
-  until: keycloak_auth_response.status == 200
-  retries: 5
-  delay: 2
-
-- name: "Determine if realm exists"
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}"
-    method: GET
-    status_code:
-      - 200
-      - 404
-    headers:
-      Accept: "application/json"
-      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
-  register: keycloak_realm_exists
-
-- name: Create Realm
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms"
-    method: POST
-    body: "{{ lookup('template','realm.json.j2') }}"
-    validate_certs: no
-    body_format: json
-    headers:
-      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
-    status_code: 201
-  when: keycloak_realm_exists.status == 404
-
-- name: Create Client
-  community.general.keycloak_client:
-    auth_client_id: "{{ keycloak_auth_client }}"
-    auth_keycloak_url: "{{ keycloak_url }}/auth"
-    auth_realm: "{{ keycloak_auth_realm }}"
-    auth_username: "{{ keycloak_admin_user }}"
-    auth_password: "{{ keycloak_admin_password }}"
-    client_id: "{{ item.name }}"
-    realm: "{{ item.realm }}"
-    default_roles: "{{ item.roles | default(omit) }}"
-    root_url: "{{ item.root_url | default('') }}"
-    redirect_uris: "{{ demo_app_redirect_uris | default([]) }}"
-    public_client: "{{ item.public_client | default(False) }}"
-    web_origins: "{{ item.web_origins | default('+') }}"
-    state: present
-  register: create_client_result
-  loop: "{{ keycloak_clients | flatten }}"
-
-- name: Create client roles
-  include_tasks: manage_client_roles.yml
-  when: keycloak_rhsso_enable
-  loop: "{{ keycloak_clients | flatten }}"
-  loop_control:
-    loop_var: client
-
-- name: Manage Users
-  include_tasks: manage_user.yml
-  loop: "{{ keycloak_users }}"
-  loop_control:
-    loop_var: user
-
-- name: Manage User Roles
-  include_tasks: manage_user_roles.yml
-  loop: "{{ keycloak_users | flatten }}"
-  loop_control:
-    loop_var: user
-  when: "'client_roles' in user"

roles/keycloak/tasks/prereqs.yml

@@ -1,29 +1,46 @@
 ---
-- name: "Validate configuration"
-  assert:
+- name: Validate admin console password
+  ansible.builtin.assert:
+    that:
+      - keycloak_admin_password | length > 12
+    quiet: True
+    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_admin_password variable to a 12+ char long string"
+    success_msg: "{{ 'Console administrator password OK' }}"
+
+- name: Validate configuration
+  ansible.builtin.assert:
     that:
       - (keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and not keycloak_db_enabled)
     quiet: True
-    fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_ha_enabled and keycloak_ha_enabled"
+    fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_ha_enabled and keycloak_db_enabled"
     success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"
 
-- name: "Validate credentials"
-  assert:
+- name: Validate credentials
+  ansible.builtin.assert:
     that:
-      - (rhn_username is defined and rhsso_rhn_id is defined) or rhsso_rhn_id is not defined
-      - (rhn_password is defined and rhsso_rhn_id is defined) or rhsso_rhn_id is not defined
+      - (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
+      - (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
     quiet: True
     fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
-    success_msg: "{{ 'Installing Red Hat Single Sign-On' if rhsso_rhn_id is defined else 'Installing keycloak.org' }}"
+    success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
 
-- set_fact:
-    required_packages:
-    - "{{ jvm_package | default('java-1.8.0-openjdk-devel') }}"
-    - unzip
-    - procps-ng
-    - initscripts
+- name: Validate persistence configuration
+  ansible.builtin.assert:
+    that:
+      - keycloak_jdbc_engine is defined and keycloak_jdbc_engine in [ 'postgres', 'mariadb' ]
+      - keycloak_jdbc_url | length > 0
+      - keycloak_db_user | length > 0
+      - keycloak_db_pass | length > 0
+    quiet: True
+    fail_msg: "Configuration for the JDBC persistence is invalid or incomplete"
+    success_msg: "Configuring JDBC persistence using {{ keycloak_jdbc_engine }} database"
+  when: keycloak_db_enabled
 
-- name: "Ensures required packages are installed"
-  ansible.builtin.include_tasks: fastpackages/install.yml
+- name: Ensure required packages are installed
+  ansible.builtin.include_tasks: fastpackages.yml
   vars:
-    packages_list: "{{ required_packages }}"
+    packages_list:
+      - "{{ keycloak_jvm_package }}"
+      - unzip
+      - procps-ng
+      - initscripts

roles/keycloak/tasks/restart_keycloak.yml

@@ -1,6 +1,6 @@
 ---
-- name: "Restart and enable keycloack service"
-  systemd:
+- name: "Restart and enable {{ keycloak.service_name }} service"
+  ansible.builtin.systemd:
     name: keycloak
     enabled: yes
     state: restarted

roles/keycloak/tasks/rhsso_cli.yml

@@ -0,0 +1,13 @@
+---
+- name: Ensure required params for CLI have been provided
+  ansible.builtin.assert:
+    that:
+      - query is defined
+    fail_msg: "Missing required parameters to execute CLI."
+    quiet: true
+
+- name: "Execute CLI query: {{ query }}"
+  ansible.builtin.command: >
+    {{ keycloak.cli_path }} --connect --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
+  changed_when: false
+  register: cli_result

roles/keycloak/tasks/rhsso_patch.yml

@@ -0,0 +1,87 @@
+---
+## check remote patch archive
+- name: Set download patch archive path
+  ansible.builtin.set_fact:
+    patch_archive: "{{ keycloak_dest }}/{{ keycloak.patch_bundle }}"
+
+- name: Check download patch archive path
+  ansible.builtin.stat:
+    path: "{{ patch_archive }}"
+  register: patch_archive_path
+
+- name: Perform download from RHN
+  middleware_automation.redhat_csp_download.redhat_csp_download:
+    url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.id }}"
+    dest: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
+    username: "{{ rhn_username }}"
+    password: "{{ rhn_password }}"
+  no_log: "{{ omit_rhn_output | default(true) }}"
+  delegate_to: localhost
+  when:
+    - patch_archive_path is defined
+    - patch_archive_path.stat is defined
+    - not patch_archive_path.stat.exists
+    - keycloak_rhsso_enable
+    - not keycloak_offline_install
+
+## copy and unpack
+- name: Copy patch archive to target nodes
+  ansible.builtin.copy:
+    src: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
+    dest: "{{ patch_archive }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0640
+  register: new_version_downloaded
+  when:
+    - not patch_archive_path.stat.exists
+    - local_archive_path.stat is defined
+    - local_archive_path.stat.exists
+  become: yes
+
+- name: "Check installed patches"
+  ansible.builtin.include_tasks: rhsso_cli.yml
+  vars:
+    query: "patch info"
+
+- name: "Perform patching"
+  when: 
+    - cli_result is defined
+    - cli_result.stdout is defined
+    - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
+  block:
+    - name: "Apply patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} to server"
+      ansible.builtin.include_tasks: rhsso_cli.yml
+      vars:
+        query: "patch apply {{ patch_archive }}"
+
+    - name: "Restart server to ensure patch content is running"
+      ansible.builtin.include_tasks: rhsso_cli.yml
+      vars:
+        query: "shutdown --restart"
+      when:
+        - cli_result.rc == 0
+
+    - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
+      ansible.builtin.uri:
+        url: "{{ keycloak.health_url }}"
+      register: keycloak_status
+      until: keycloak_status.status == 200
+      retries: 25
+      delay: 10
+
+    - name: "Query installed patch after restart"
+      ansible.builtin.include_tasks: rhsso_cli.yml
+      vars:
+        query: "patch info"
+  
+    - name: "Verify installed patch version"
+      ansible.builtin.assert:
+        that:
+          - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
+        fail_msg: "Patch installation failed"
+        success_msg: "Patch installation successful"
+
+- name: "Skipping patch"
+  ansible.builtin.debug:
+    msg: "Latest cumulative patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} already installed, skipping patch installation."

roles/keycloak/tasks/start_keycloak.yml

@@ -0,0 +1,15 @@
+---
+- name: "Start {{ keycloak.service_name }} service"
+  ansible.builtin.systemd:
+    name: keycloak
+    enabled: yes
+    state: started
+  become: yes
+
+- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
+  ansible.builtin.uri:
+    url: "{{ keycloak.health_url }}"
+  register: keycloak_status
+  until: keycloak_status.status == 200
+  retries: 25
+  delay: 10

roles/keycloak/tasks/stop_keycloak.yml

@@ -1,6 +1,6 @@
 ---
-- name: "Stop SSO service"
-  systemd:
+- name: "Stop {{ keycloak.service_name }}"
+  ansible.builtin.systemd:
     name: keycloak
     enabled: yes
     state: stopped

roles/keycloak/tasks/systemd.yml

@@ -1,6 +1,7 @@
-- name: configure keycloak service script wrapper
+---
+- name: "Configure {{ keycloak.service_name }} service script wrapper"
   become: yes
-  template:
+  ansible.builtin.template:
     src: keycloak-service.sh.j2
     dest: "{{ keycloak_dest }}/keycloak-service.sh"
     owner: root
@@ -9,19 +10,30 @@
   notify:
     - restart keycloak
 
-- name: configure sysconfig file for keycloak service
+- name: Determine JAVA_HOME for selected JVM RPM  # noqa blocked_modules
+  ansible.builtin.shell: |
+    set -o pipefail
+    rpm -ql {{ keycloak_jvm_package }} | grep -Po '/usr/lib/jvm/.*(?=/bin/java$)'
+  args:
+    executable: /bin/bash
+  changed_when: False
+  register: rpm_java_home
+
+- name: "Configure sysconfig file for {{ keycloak.service_name }} service"
   become: yes
-  template:
+  ansible.builtin.template:
     src: keycloak-sysconfig.j2
     dest: /etc/sysconfig/keycloak
     owner: root
     group: root
     mode: 0644
+  vars:
+    keycloak_rpm_java_home: "{{ rpm_java_home.stdout }}"
   notify:
     - restart keycloak
 
-- name: configure systemd unit file for keycloak service
-  template:
+- name: "Configure systemd unit file for {{ keycloak.service_name }} service"
+  ansible.builtin.template:
     src: keycloak.service.j2
     dest: /etc/systemd/system/keycloak.service
     owner: root
@@ -32,34 +44,30 @@
   notify:
     - restart keycloak
 
-- name: reload systemd
+- name: Reload systemd
   become: yes
-  systemd:
+  ansible.builtin.systemd:
     daemon_reload: yes
   when: systemdunit.changed
 
-- name: start keycloak
-  systemd:
-    name: keycloak
-    enabled: yes
-    state: started
-  become: yes
+- name: "Start and wait for {{ keycloak.service_name }} service (first node db)"
+  ansible.builtin.include_tasks: start_keycloak.yml
+  run_once: yes
+  when: keycloak_db_enabled
 
-- command: "systemctl status keycloak"
+- name: "Start and wait for {{ keycloak.service_name }} service (remaining nodes)"
+  ansible.builtin.include_tasks: start_keycloak.yml
+
+- name: Check service status
+  ansible.builtin.command: "systemctl status keycloak"
   register: keycloak_service_status
   changed_when: False
 
-- assert:
+- name: Verify service status
+  ansible.builtin.assert:
     that:
       - keycloak_service_status is defined
       - keycloak_service_status.stdout is defined
 
-- meta: flush_handlers
-
-- name: Wait until Keycloak becomes active
-  uri:
-    url: "{{ keycloak_management_url }}/health"
-  register: keycloak_status
-  until: keycloak_status.status == 200
-  retries: 20
-  delay: 10
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers

roles/keycloak/templates/9.0.2/standalone-infinispan.xml.j2

@@ -1,6 +1,6 @@
 <?xml version='1.0' encoding='UTF-8'?>
 
-<server xmlns="urn:jboss:domain:16.0">
+<server xmlns="urn:jboss:domain:10.0">
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
         <extension module="org.jboss.as.clustering.jgroups"/>
@@ -23,9 +23,10 @@
         <extension module="org.wildfly.extension.bean-validation"/>
         <extension module="org.wildfly.extension.core-management"/>
         <extension module="org.wildfly.extension.elytron"/>
-        <extension module="org.wildfly.extension.health"/>
         <extension module="org.wildfly.extension.io"/>
-        <extension module="org.wildfly.extension.metrics"/>
+        <extension module="org.wildfly.extension.microprofile.config-smallrye"/>
+        <extension module="org.wildfly.extension.microprofile.health-smallrye"/>
+        <extension module="org.wildfly.extension.microprofile.metrics-smallrye"/>
         <extension module="org.wildfly.extension.request-controller"/>
         <extension module="org.wildfly.extension.security.manager"/>
         <extension module="org.wildfly.extension.undertow"/>
@@ -44,7 +45,8 @@
             <security-realm name="ApplicationRealm">
                 <server-identities>
                     <ssl>
-                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
+                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password"
+                                  alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
                     </ssl>
                 </server-identities>
                 <authentication>
@@ -141,7 +143,7 @@
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
         <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:datasources:6.0">
+        <subsystem xmlns="urn:jboss:domain:datasources:5.0">
             <datasources>
                 <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
                     <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
@@ -152,15 +154,15 @@
                     </security>
                 </datasource>
                 <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
-{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
-                    <connection-url>{{ keycloak_jdbc[keycloak_jdbc_engine].connection_url }}</connection-url>
-                    <driver>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}</driver>
+{% if keycloak_jdbc.postgres.enabled %}
+                    <connection-url>{{ keycloak_jdbc.postgres.connection_url }}</connection-url>
+                    <driver>{{ keycloak_jdbc.postgres.driver_module_name }}</driver>
                     <pool>
                        <max-pool-size>20</max-pool-size>
                     </pool>
                     <security>
-                        <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
-                        <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
+                        <user-name>{{ keycloak_jdbc.postgres.db_user }}</user-name>
+                        <password>{{ keycloak_jdbc.postgres.db_password }}</password>
                     </security>
 {% else %}
                     <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
@@ -172,10 +174,10 @@
 {% endif %}
                 </datasource>
                 <drivers>
-{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
-                    <driver name="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}" module="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}">
-                        <driver-class>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_class }}</driver-class>
-                        <xa-datasource-class>{{ keycloak_jdbc[keycloak_jdbc_engine].xa_datasource_class }}</xa-datasource-class>
+{% if keycloak_jdbc.postgres.enabled %}
+                    <driver name="{{ keycloak_jdbc.postgres.driver_module_name }}" module="{{ keycloak_jdbc.postgres.driver_module_name }}">
+                         <driver-class>org.postgresql.Driver</driver-class>
+                        <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
                     </driver>
 {% endif %}
                     <driver name="h2" module="com.h2database.h2">
@@ -187,7 +189,7 @@
         <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
             <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
         </subsystem>
-        <subsystem xmlns="urn:jboss:domain:ee:6.0">
+        <subsystem xmlns="urn:jboss:domain:ee:4.0">
             <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
             <concurrent>
                 <context-services>
@@ -197,15 +199,17 @@
                     <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
                 </managed-thread-factories>
                 <managed-executor-services>
-                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
+                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-threshold="60000" keepalive-time="5000"/>
                 </managed-executor-services>
                 <managed-scheduled-executor-services>
-                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
+                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-threshold="60000" keepalive-time="3000"/>
                 </managed-scheduled-executor-services>
             </concurrent>
-            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
+            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS"
+                              managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default"
+                              managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
         </subsystem>
-        <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
+        <subsystem xmlns="urn:jboss:domain:ejb3:6.0">
             <session-bean>
                 <stateless>
                     <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
@@ -232,7 +236,7 @@
                     <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
                 </data-stores>
             </timer-service>
-            <remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
+            <remote cluster="ejb" connector-ref="http-remoting-connector" thread-pool-name="default">
                 <channel-creation-options>
                     <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
                 </channel-creation-options>
@@ -248,7 +252,7 @@
             <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
             <log-system-exceptions value="true"/>
         </subsystem>
-        <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
+        <subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
             <providers>
                 <aggregate-providers name="combined-providers">
                     <providers name="elytron"/>
@@ -357,7 +361,7 @@
                     </key-store>
                 </key-stores>
                 <key-managers>
-                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
+                    <key-manager name="applicationKM" key-store="applicationKS">
                         <credential-reference clear-text="password"/>
                     </key-manager>
                 </key-managers>
@@ -366,22 +370,21 @@
                 </server-ssl-contexts>
             </tls>
         </subsystem>
-        <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
-        <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
-            <cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
+        <subsystem xmlns="urn:jboss:domain:infinispan:9.0">
+            <cache-container name="ejb" default-cache="passivation" aliases="sfsb" module="org.wildfly.clustering.ejb.infinispan">
                 <local-cache name="passivation">
                     <locking isolation="REPEATABLE_READ"/>
                     <transaction mode="BATCH"/>
                     <file-store passivation="true" purge="false"/>
                 </local-cache>
             </cache-container>
-            <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
+            <cache-container name="keycloak" module="org.keycloak.keycloak-model-infinispan">
                 <transport lock-timeout="60000"/>
                 <local-cache name="realms">
-                    <heap-memory size="10000"/>
+                    <object-memory size="10000"/>
                 </local-cache>
                 <local-cache name="users">
-                    <heap-memory size="10000"/>
+                    <object-memory size="10000"/>
                 </local-cache>
                 <local-cache name="authenticationSessions"/>
                 {% for cachename in [ "sessions", "offlineSessions", "clientSessions", "offlineClientSessions", "loginFailures", "actionTokens" ] %}
@@ -405,6 +408,7 @@
                         <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property>
                         <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
                         <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property>
+                        <property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
                     </remote-store>
                 </distributed-cache>
                 {% endfor %}
@@ -428,22 +432,23 @@
                         <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property>
                         <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
                         <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property>
+                        <property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
                     </remote-store>
                 </replicated-cache>
                 <local-cache name="authorization">
-                    <heap-memory size="10000"/>
+                    <object-memory size="10000"/>
                 </local-cache>
                 <local-cache name="keys">
-                    <heap-memory size="1000"/>
+                    <object-memory size="1000"/>
                     <expiration max-idle="3600000"/>
                 </local-cache>
             </cache-container>
-            <cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
+            <cache-container name="server" default-cache="default" module="org.wildfly.clustering.server">
                 <local-cache name="default">
                     <transaction mode="BATCH"/>
                 </local-cache>
             </cache-container>
-            <cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
+            <cache-container name="web" default-cache="passivation" module="org.wildfly.clustering.web.infinispan">
                 <local-cache name="passivation">
                     <locking isolation="REPEATABLE_READ"/>
                     <transaction mode="BATCH"/>
@@ -455,13 +460,13 @@
                 </local-cache>
                 <local-cache name="routing"/>
             </cache-container>
-            <cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
+            <cache-container name="hibernate" module="org.infinispan.hibernate-cache">
                 <local-cache name="entity">
-                    <heap-memory size="10000"/>
+                    <object-memory size="10000"/>
                     <expiration max-idle="100000"/>
                 </local-cache>
                 <local-cache name="local-query">
-                    <heap-memory size="10000"/>
+                    <object-memory size="10000"/>
                     <expiration max-idle="100000"/>
                 </local-cache>
                 <local-cache name="timestamps"/>
@@ -471,7 +476,7 @@
             <worker name="default"/>
             <buffer-pool name="default"/>
         </subsystem>
-        <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
+        <subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
         <subsystem xmlns="urn:jboss:domain:jca:5.0">
             <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
             <bean-validation enabled="true"/>
@@ -491,25 +496,22 @@
             </default-workmanager>
             <cached-connection-manager/>
         </subsystem>
-        <subsystem xmlns="urn:jboss:domain:jgroups:8.0">
+        <subsystem xmlns="urn:jboss:domain:jgroups:7.0">
             <channels default="ee">
                 <channel name="ee" stack="tcp" cluster="ejb"/>
             </channels>
             <stacks>
                 <stack name="tcp">
                     <transport site="${jboss.node.name}" type="TCP" socket-binding="jgroups-tcp"/>
+{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
                     <protocol type="JDBC_PING">
                         <property name="datasource_jndi_name">java:jboss/datasources/KeycloakDS</property>
-                        <property name="initialize_sql">
-                            CREATE TABLE IF NOT EXISTS JGROUPSPING (
-                            own_addr varchar(200) NOT NULL,
-                            cluster_name varchar(200) NOT NULL,
-                            updated TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
-                            ping_data varbinary(5000) DEFAULT NULL,
-                            PRIMARY KEY (own_addr, cluster_name))
-                            ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin
-                        </property>
+                        <property name="initialize_sql">{{ keycloak_jdbc[keycloak_jdbc_engine].initialize_db }}</property>
+                        <property name="insert_single_sql">INSERT INTO JGROUPSPING (own_addr, cluster_name, ping_data) values (?, ?, ?)</property>
+                        <property name="delete_single_sql">DELETE FROM JGROUPSPING WHERE own_addr=? AND cluster_name=?</property>
+                        <property name="select_all_pingdata_sql">SELECT ping_data FROM JGROUPSPING WHERE cluster_name=?</property>
                     </protocol>
+{% endif %}
                     <protocol type="MERGE3"/>
                     <protocol type="FD_SOCK"/>
                     <protocol type="FD_ALL"/>
@@ -531,7 +533,7 @@
             <remoting-connector/>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:jpa:1.1">
-            <jpa default-extended-persistence-inheritance="DEEP"/>
+            <jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
             <web-context>auth</web-context>
@@ -607,19 +609,18 @@
                 <default-provider>default</default-provider>
                 <provider name="default" enabled="true">
                     <properties>
-                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
+                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
                     </properties>
                 </provider>
             </spi>
         </subsystem>
-        <subsystem xmlns="urn:jboss:domain:mail:4.0">
+        <subsystem xmlns="urn:jboss:domain:mail:3.0">
             <mail-session name="default" jndi-name="java:jboss/mail/Default">
                 <smtp-server outbound-socket-binding-ref="mail-smtp"/>
             </mail-session>
         </subsystem>
-        <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
-{% if keycloak_modcluster.enabled %}    
+{% if keycloak_modcluster.enabled %}
         <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
             <proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
                 <dynamic-load-provider>
@@ -627,7 +628,7 @@
                 </dynamic-load-provider>
             </proxy>
         </subsystem>
-{% endif %}        
+{% endif %}
         <subsystem xmlns="urn:jboss:domain:naming:2.0">
             <remote-naming/>
         </subsystem>
@@ -674,8 +675,8 @@
                 </maximum-set>
             </deployment-permissions>
         </subsystem>
-        <subsystem xmlns="urn:jboss:domain:transactions:6.0">
-            <core-environment node-identifier="${jboss.tx.node.id:1}">
+        <subsystem xmlns="urn:jboss:domain:transactions:5.0">
+            <core-environment node-identifier="{{ inventory_hostname | default('${jboss.tx.node.id:1}') }}">
                 <process-id>
                     <uuid/>
                 </process-id>
@@ -684,7 +685,9 @@
             <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
             <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
         </subsystem>
-        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
+        <subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host"
+                   default-servlet-container="default" default-security-domain="other"
+                   statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
             <buffer-cache name="default"/>
             <server name="default-server">
                 <ajp-listener name="ajp" socket-binding="ajp"/>
@@ -709,13 +712,23 @@
             </filters>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
-    </profile>
+        <subsystem xmlns="urn:wildfly:microprofile-config-smallrye:1.0"/>
+        <subsystem xmlns="urn:wildfly:microprofile-health-smallrye:2.0" security-enabled="false"
+                   empty-liveness-checks-status="${env.MP_HEALTH_EMPTY_LIVENESS_CHECKS_STATUS:UP}"
+                   empty-readiness-checks-status="${env.MP_HEALTH_EMPTY_READINESS_CHECKS_STATUS:UP}"/>
+        <subsystem xmlns="urn:wildfly:microprofile-metrics-smallrye:2.0" security-enabled="false"
+                   exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
+   </profile>
     <interfaces>
         <interface name="management">
             <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
         </interface>
         <interface name="jgroups">
-            <subnet-match value="{{ (ansible_default_ipv4.address + '/' + ansible_default_ipv4.netmask) | ipaddr('prefix') }}"/>
+{% if ansible_default_ipv4 is defined %}
+            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
+{% else %}
+            <any-address />
+{% endif %}
         </interface>
         <interface name="public">
             <inet-address value="${jboss.bind.address:127.0.0.1}"/>
@@ -734,11 +747,11 @@
         <outbound-socket-binding name="mail-smtp">
             <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
         </outbound-socket-binding>
-{% if keycloak_modcluster.enabled %}            
+{% if keycloak_modcluster.enabled %}
         <outbound-socket-binding name="proxy1">
             <remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
         </outbound-socket-binding>
-{% endif %}        
+{% endif %}
         <outbound-socket-binding name="remote-cache">
             <remote-destination host="{{ keycloak_remotecache.server_name | default('localhost') }}" port="${remote.cache.port:11222}"/>
         </outbound-socket-binding>

roles/keycloak/templates/9.0.2/standalone.xml.j2

@@ -0,0 +1,619 @@
+<?xml version='1.0' encoding='UTF-8'?>
+
+<server xmlns="urn:jboss:domain:10.0">
+    <extensions>
+        <extension module="org.jboss.as.clustering.infinispan"/>
+        <extension module="org.jboss.as.connector"/>
+        <extension module="org.jboss.as.deployment-scanner"/>
+        <extension module="org.jboss.as.ee"/>
+        <extension module="org.jboss.as.ejb3"/>
+        <extension module="org.jboss.as.jaxrs"/>
+        <extension module="org.jboss.as.jmx"/>
+        <extension module="org.jboss.as.jpa"/>
+        <extension module="org.jboss.as.logging"/>
+        <extension module="org.jboss.as.mail"/>
+        <extension module="org.jboss.as.modcluster"/>
+        <extension module="org.jboss.as.naming"/>
+        <extension module="org.jboss.as.remoting"/>
+        <extension module="org.jboss.as.security"/>
+        <extension module="org.jboss.as.transactions"/>
+        <extension module="org.jboss.as.weld"/>
+        <extension module="org.keycloak.keycloak-server-subsystem"/>
+        <extension module="org.wildfly.extension.bean-validation"/>
+        <extension module="org.wildfly.extension.core-management"/>
+        <extension module="org.wildfly.extension.elytron"/>
+        <extension module="org.wildfly.extension.io"/>
+        <extension module="org.wildfly.extension.microprofile.config-smallrye"/>
+        <extension module="org.wildfly.extension.microprofile.health-smallrye"/>
+        <extension module="org.wildfly.extension.microprofile.metrics-smallrye"/>
+        <extension module="org.wildfly.extension.request-controller"/>
+        <extension module="org.wildfly.extension.security.manager"/>
+        <extension module="org.wildfly.extension.undertow"/>
+    </extensions>
+    <management>
+        <security-realms>
+            <security-realm name="ManagementRealm">
+                <authentication>
+                    <local default-user="$local" skip-group-loading="true"/>
+                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
+                </authentication>
+                <authorization map-groups-to-roles="false">
+                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
+                </authorization>
+            </security-realm>
+            <security-realm name="ApplicationRealm">
+                <server-identities>
+                    <ssl>
+                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password"
+                                  alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
+                    </ssl>
+                </server-identities>
+                <authentication>
+                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
+                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
+                </authentication>
+                <authorization>
+                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
+                </authorization>
+            </security-realm>
+        </security-realms>
+        <audit-log>
+            <formatters>
+                <json-formatter name="json-formatter"/>
+            </formatters>
+            <handlers>
+                <file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
+            </handlers>
+            <logger log-boot="true" log-read-only="false" enabled="false">
+                <handlers>
+                    <handler name="file"/>
+                </handlers>
+            </logger>
+        </audit-log>
+        <management-interfaces>
+            <http-interface security-realm="ManagementRealm">
+                <http-upgrade enabled="true"/>
+                <socket-binding http="management-http"/>
+            </http-interface>
+        </management-interfaces>
+        <access-control provider="simple">
+            <role-mapping>
+                <role name="SuperUser">
+                    <include>
+                        <user name="$local"/>
+                    </include>
+                </role>
+            </role-mapping>
+        </access-control>
+    </management>
+    <profile>
+        <subsystem xmlns="urn:jboss:domain:logging:8.0">
+            <console-handler name="CONSOLE">
+                <level name="INFO"/>
+                <formatter>
+                    <named-formatter name="COLOR-PATTERN"/>
+                </formatter>
+            </console-handler>
+            <periodic-rotating-file-handler name="FILE" autoflush="true">
+                <formatter>
+                    <named-formatter name="PATTERN"/>
+                </formatter>
+                <file relative-to="jboss.server.log.dir" path="server.log"/>
+                <suffix value=".yyyy-MM-dd"/>
+                <append value="true"/>
+            </periodic-rotating-file-handler>
+            <logger category="com.arjuna">
+                <level name="WARN"/>
+            </logger>
+            <logger category="io.jaegertracing.Configuration">
+                <level name="WARN"/>
+            </logger>
+            <logger category="org.jboss.as.config">
+                <level name="DEBUG"/>
+            </logger>
+            <logger category="sun.rmi">
+                <level name="WARN"/>
+            </logger>
+            <root-logger>
+                <level name="INFO"/>
+                <handlers>
+                    <handler name="CONSOLE"/>
+                    <handler name="FILE"/>
+                </handlers>
+            </root-logger>
+            <formatter name="PATTERN">
+                <pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
+            </formatter>
+            <formatter name="COLOR-PATTERN">
+                <pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
+            </formatter>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:datasources:5.0">
+            <datasources>
+                <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
+                    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
+                    <driver>h2</driver>
+                    <security>
+                        <user-name>sa</user-name>
+                        <password>sa</password>
+                    </security>
+                </datasource>
+                <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
+                    <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
+                    <driver>h2</driver>
+                    <security>
+                        <user-name>sa</user-name>
+                        <password>sa</password>
+                    </security>
+                </datasource>
+                <drivers>
+                    <driver name="h2" module="com.h2database.h2">
+                        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
+                    </driver>
+                </drivers>
+            </datasources>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
+            <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:ee:4.0">
+            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
+            <concurrent>
+                <context-services>
+                    <context-service name="default" jndi-name="java:jboss/ee/concurrency/context/default" use-transaction-setup-provider="true"/>
+                </context-services>
+                <managed-thread-factories>
+                    <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
+                </managed-thread-factories>
+                <managed-executor-services>
+                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-threshold="60000" keepalive-time="5000"/>
+                </managed-executor-services>
+                <managed-scheduled-executor-services>
+                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-threshold="60000" keepalive-time="3000"/>
+                </managed-scheduled-executor-services>
+            </concurrent>
+            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS"
+                              managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default"
+                              managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:ejb3:6.0">
+            <session-bean>
+                <stateless>
+                    <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
+                </stateless>
+                <stateful default-access-timeout="5000" cache-ref="simple" passivation-disabled-cache-ref="simple"/>
+                <singleton default-access-timeout="5000"/>
+            </session-bean>
+            <pools>
+                <bean-instance-pools>
+                    <strict-max-pool name="mdb-strict-max-pool" derive-size="from-cpu-count" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
+                    <strict-max-pool name="slsb-strict-max-pool" derive-size="from-worker-pools" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
+                </bean-instance-pools>
+            </pools>
+            <caches>
+                <cache name="simple"/>
+                <cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/>
+            </caches>
+            <passivation-stores>
+                <passivation-store name="infinispan" cache-container="ejb" max-size="10000"/>
+            </passivation-stores>
+            <async thread-pool-name="default"/>
+            <timer-service thread-pool-name="default" default-data-store="default-file-store">
+                <data-stores>
+                    <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
+                </data-stores>
+            </timer-service>
+            <remote connector-ref="http-remoting-connector" thread-pool-name="default">
+                <channel-creation-options>
+                    <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
+                </channel-creation-options>
+            </remote>
+            <thread-pools>
+                <thread-pool name="default">
+                    <max-threads count="10"/>
+                    <keepalive-time time="60" unit="seconds"/>
+                </thread-pool>
+            </thread-pools>
+            <default-security-domain value="other"/>
+            <default-missing-method-permissions-deny-access value="true"/>
+            <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
+            <log-system-exceptions value="true"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:io:3.0">
+            <worker name="default"/>
+            <buffer-pool name="default"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:infinispan:9.0">
+            <cache-container name="keycloak">
+                <local-cache name="realms">
+                    <object-memory size="10000"/>
+                </local-cache>
+                <local-cache name="users">
+                    <object-memory size="10000"/>
+                </local-cache>
+                <local-cache name="sessions"/>
+                <local-cache name="authenticationSessions"/>
+                <local-cache name="offlineSessions"/>
+                <local-cache name="clientSessions"/>
+                <local-cache name="offlineClientSessions"/>
+                <local-cache name="loginFailures"/>
+                <local-cache name="work"/>
+                <local-cache name="authorization">
+                    <object-memory size="10000"/>
+                </local-cache>
+                <local-cache name="keys">
+                    <object-memory size="1000"/>
+                    <expiration max-idle="3600000"/>
+                </local-cache>
+                <local-cache name="actionTokens">
+                    <object-memory size="-1"/>
+                    <expiration max-idle="-1" interval="300000"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="server" default-cache="default" module="org.wildfly.clustering.server">
+                <local-cache name="default">
+                    <transaction mode="BATCH"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="web" default-cache="passivation" module="org.wildfly.clustering.web.infinispan">
+                <local-cache name="passivation">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store passivation="true" purge="false"/>
+                </local-cache>
+                <local-cache name="sso">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                </local-cache>
+                <local-cache name="routing"/>
+            </cache-container>
+            <cache-container name="ejb" aliases="sfsb" default-cache="passivation" module="org.wildfly.clustering.ejb.infinispan">
+                <local-cache name="passivation">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store passivation="true" purge="false"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="hibernate" module="org.infinispan.hibernate-cache">
+                <local-cache name="entity">
+                    <object-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </local-cache>
+                <local-cache name="local-query">
+                    <object-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </local-cache>
+                <local-cache name="timestamps"/>
+            </cache-container>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:jca:5.0">
+            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
+            <bean-validation enabled="true"/>
+            <default-workmanager>
+                <short-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </short-running-threads>
+                <long-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </long-running-threads>
+            </default-workmanager>
+            <cached-connection-manager/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jmx:1.3">
+            <expose-resolved-model/>
+            <expose-expression-model/>
+            <remoting-connector/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
+            <jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:mail:3.0">
+            <mail-session name="default" jndi-name="java:jboss/mail/Default">
+                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
+            </mail-session>
+        </subsystem>
+{% if keycloak_modcluster.enabled %}
+        <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
+            <proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
+                <dynamic-load-provider>
+                    <load-metric type="cpu"/>
+                </dynamic-load-provider>
+            </proxy>
+        </subsystem>
+{% endif %}
+        <subsystem xmlns="urn:jboss:domain:naming:2.0">
+            <remote-naming/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
+            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
+            <deployment-permissions>
+                <maximum-set>
+                    <permission class="java.security.AllPermission"/>
+                </maximum-set>
+            </deployment-permissions>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
+            <providers>
+                <aggregate-providers name="combined-providers">
+                    <providers name="elytron"/>
+                    <providers name="openssl"/>
+                </aggregate-providers>
+                <provider-loader name="elytron" module="org.wildfly.security.elytron"/>
+                <provider-loader name="openssl" module="org.wildfly.openssl"/>
+            </providers>
+            <audit-logging>
+                <file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/>
+            </audit-logging>
+            <security-domains>
+                <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
+                    <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
+                    <realm name="local"/>
+                </security-domain>
+                <security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
+                    <realm name="ManagementRealm" role-decoder="groups-to-roles"/>
+                    <realm name="local" role-mapper="super-user-mapper"/>
+                </security-domain>
+            </security-domains>
+            <security-realms>
+                <identity-realm name="local" identity="$local"/>
+                <properties-realm name="ApplicationRealm">
+                    <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
+                    <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
+                </properties-realm>
+                <properties-realm name="ManagementRealm">
+                    <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
+                    <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
+                </properties-realm>
+            </security-realms>
+            <mappers>
+                <simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
+                    <permission-mapping>
+                        <principal name="anonymous"/>
+                        <permission-set name="default-permissions"/>
+                    </permission-mapping>
+                    <permission-mapping match-all="true">
+                        <permission-set name="login-permission"/>
+                        <permission-set name="default-permissions"/>
+                    </permission-mapping>
+                </simple-permission-mapper>
+                <constant-realm-mapper name="local" realm-name="local"/>
+                <simple-role-decoder name="groups-to-roles" attribute="groups"/>
+                <constant-role-mapper name="super-user-mapper">
+                    <role name="SuperUser"/>
+                </constant-role-mapper>
+            </mappers>
+            <permission-sets>
+                <permission-set name="login-permission">
+                    <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
+                </permission-set>
+                <permission-set name="default-permissions">
+                    <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
+                    <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
+                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
+                </permission-set>
+            </permission-sets>
+            <http>
+                <http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="DIGEST">
+                            <mechanism-realm realm-name="ManagementRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </http-authentication-factory>
+                <provider-http-server-mechanism-factory name="global"/>
+            </http>
+            <sasl>
+                <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
+                        <mechanism mechanism-name="DIGEST-MD5">
+                            <mechanism-realm realm-name="ApplicationRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </sasl-authentication-factory>
+                <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
+                        <mechanism mechanism-name="DIGEST-MD5">
+                            <mechanism-realm realm-name="ManagementRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </sasl-authentication-factory>
+                <configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
+                    <properties>
+                        <property name="wildfly.sasl.local-user.default-user" value="$local"/>
+                    </properties>
+                </configurable-sasl-server-factory>
+                <mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
+                    <filters>
+                        <filter provider-name="WildFlyElytron"/>
+                    </filters>
+                </mechanism-provider-filtering-sasl-server-factory>
+                <provider-sasl-server-factory name="global"/>
+            </sasl>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:security:2.0">
+            <security-domains>
+                <security-domain name="other" cache-type="default">
+                    <authentication>
+                        <login-module code="Remoting" flag="optional">
+                            <module-option name="password-stacking" value="useFirstPass"/>
+                        </login-module>
+                        <login-module code="RealmDirect" flag="required">
+                            <module-option name="password-stacking" value="useFirstPass"/>
+                        </login-module>
+                    </authentication>
+                </security-domain>
+                <security-domain name="jboss-web-policy" cache-type="default">
+                    <authorization>
+                        <policy-module code="Delegating" flag="required"/>
+                    </authorization>
+                </security-domain>
+                <security-domain name="jaspitest" cache-type="default">
+                    <authentication-jaspi>
+                        <login-module-stack name="dummy">
+                            <login-module code="Dummy" flag="optional"/>
+                        </login-module-stack>
+                        <auth-module code="Dummy"/>
+                    </authentication-jaspi>
+                </security-domain>
+                <security-domain name="jboss-ejb-policy" cache-type="default">
+                    <authorization>
+                        <policy-module code="Delegating" flag="required"/>
+                    </authorization>
+                </security-domain>
+            </security-domains>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:transactions:5.0">
+            <core-environment node-identifier="${jboss.tx.node.id:1}">
+                <process-id>
+                    <uuid/>
+                </process-id>
+            </core-environment>
+            <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
+            <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
+            <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
+        <subsystem xmlns="urn:wildfly:microprofile-config-smallrye:1.0"/>
+        <subsystem xmlns="urn:wildfly:microprofile-health-smallrye:2.0" security-enabled="false"
+                   empty-liveness-checks-status="${env.MP_HEALTH_EMPTY_LIVENESS_CHECKS_STATUS:UP}" empty-readiness-checks-status="${env.MP_HEALTH_EMPTY_READINESS_CHECKS_STATUS:UP}"/>
+        <subsystem xmlns="urn:wildfly:microprofile-metrics-smallrye:2.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
+        <subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host"
+                   default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
+            <buffer-cache name="default"/>
+            <server name="default-server">
+                <ajp-listener name="ajp" socket-binding="ajp"/>
+                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
+                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
+                <host name="default-host" alias="localhost">
+                    <location name="/" handler="welcome-content"/>
+                    <http-invoker security-realm="ApplicationRealm"/>
+                </host>
+            </server>
+            <servlet-container name="default">
+                <jsp-config/>
+                <websockets/>
+            </servlet-container>
+            <handlers>
+                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
+            </handlers>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
+            <web-context>auth</web-context>
+            <providers>
+                <provider>classpath:${jboss.home.dir}/providers/*</provider>
+            </providers>
+            <master-realm-name>master</master-realm-name>
+            <scheduled-task-interval>900</scheduled-task-interval>
+            <theme>
+                <staticMaxAge>2592000</staticMaxAge>
+                <cacheThemes>true</cacheThemes>
+                <cacheTemplates>true</cacheTemplates>
+                <dir>${jboss.home.dir}/themes</dir>
+            </theme>
+            <spi name="eventsStore">
+                <provider name="jpa" enabled="true">
+                    <properties>
+                        <property name="exclude-events" value="[&quot;REFRESH_TOKEN&quot;]"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="userCache">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="userSessionPersister">
+                <default-provider>jpa</default-provider>
+            </spi>
+            <spi name="timer">
+                <default-provider>basic</default-provider>
+            </spi>
+            <spi name="connectionsHttpClient">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="connectionsJpa">
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="dataSource" value="java:jboss/datasources/KeycloakDS"/>
+                        <property name="initializeEmpty" value="true"/>
+                        <property name="migrationStrategy" value="update"/>
+                        <property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="realmCache">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="connectionsInfinispan">
+                <default-provider>default</default-provider>
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="cacheContainer" value="java:jboss/infinispan/container/keycloak"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="jta-lookup">
+                <default-provider>${keycloak.jta.lookup.provider:jboss}</default-provider>
+                <provider name="jboss" enabled="true"/>
+            </spi>
+            <spi name="publicKeyStorage">
+                <provider name="infinispan" enabled="true">
+                    <properties>
+                        <property name="minTimeBetweenRequests" value="10"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="x509cert-lookup">
+                <default-provider>${keycloak.x509cert.lookup.provider:default}</default-provider>
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="hostname">
+                <default-provider>default</default-provider>
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
+                    </properties>
+                </provider>
+            </spi>
+        </subsystem>
+    </profile>
+    <interfaces>
+        <interface name="management">
+            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
+        </interface>
+        <interface name="public">
+            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
+        </interface>
+    </interfaces>
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
+        <socket-binding name="http" port="${jboss.http.port:8080}"/>
+        <socket-binding name="https" port="${jboss.https.port:8443}"/>
+        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
+        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
+        <socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
+        <socket-binding name="txn-recovery-environment" port="4712"/>
+        <socket-binding name="txn-status-manager" port="4713"/>
+        <outbound-socket-binding name="mail-smtp">
+            <remote-destination host="localhost" port="25"/>
+        </outbound-socket-binding>
+{% if keycloak_modcluster.enabled %}
+        <outbound-socket-binding name="proxy1">
+            <remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
+        </outbound-socket-binding>
+{% endif %}
+    </socket-binding-group>
+</server>

roles/keycloak/templates/keycloak-service.sh.j2

@@ -1,4 +1,5 @@
 #!/bin/bash -eu
+# {{ ansible_managed }}
 
 set +u -o pipefail
 
@@ -16,18 +17,17 @@ checkEnvVar() {
 #  for testing outside systemd
 . /etc/sysconfig/keycloak
 
-readonly KEYCLOAK_HOME={{ keycloak_jboss_home }}
+readonly KEYCLOAK_HOME={{ keycloak.home }}
 readonly KEYCLOAK_BIND_ADDRESS=${KEYCLOAK_BIND_ADDRESS}
 readonly KEYCLOAK_HTTP_PORT=${KEYCLOAK_HTTP_PORT}
 readonly KEYCLOAK_HTTPS_PORT=${KEYCLOAK_HTTPS_PORT}
 readonly KEYCLOAK_MANAGEMENT_HTTP_PORT=${KEYCLOAK_MANAGEMENT_HTTP_PORT}
 readonly KEYCLOAK_MANAGEMENT_HTTPS_PORT=${KEYCLOAK_MANAGEMENT_HTTPS_PORT}
-readonly KEYCLOAK_LOGFILE={{ keycloak_service_logfile }}
 readonly KEYCLOAK_PIDFILE={{ keycloak_service_pidfile }}
 
 set -u
 if [ ! -d "${KEYCLOAK_HOME}" ]; then
-  echo "KEYCLOAK_HOME (${KEYCLOAK_HOME}) is not a director or does not exists."
+  echo "KEYCLOAK_HOME (${KEYCLOAK_HOME}) is not a directory or does not exists."
   exit 1
 fi
 
@@ -70,7 +70,6 @@ startKeycloak() {
   checkEnvVar "${KEYCLOAK_HTTPS_PORT}"   'KEYCLOAK_HTTPS_PORT not provided' 5
   checkEnvVar "${KEYCLOAK_MANAGEMENT_HTTP_PORT}" 'KEYCLOAK_MANAGEMENT_HTTP_PORT not provided' 6
   checkEnvVar "${KEYCLOAK_MANAGEMENT_HTTPS_PORT}" 'KEYCLOAK_MANAGEMENT_HTTPS_PORT not provided' 7
-  checkEnvVar "${KEYCLOAK_LOGFILE}" 'KEYCLOAK_LOGFILE not provided' 8
 
   if [ "$(isKeyCloakRunning)" -eq 1 ]; then
     statusKeycloak
@@ -82,8 +81,8 @@ startKeycloak() {
         -Djboss.management.http.port=${KEYCLOAK_MANAGEMENT_HTTP_PORT} \
         -Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \
         -Djboss.node.name={{ inventory_hostname }} \
-      {% if ansible_facts.virtualization_type in ['docker','oci','containerd'] %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\
-      2>&1 >> "${KEYCLOAK_LOGFILE}" &
+      {% if keycloak_prefer_ipv4 %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\
+      {% if keycloak_config_standalone_xml is defined %}--server-config={{ keycloak_config_standalone_xml }}{% endif %} &
     while [ ! -f ${KEYCLOAK_PIDFILE} ]; do sleep 1; done
   fi
 }

roles/keycloak/templates/keycloak-sysconfig.j2

@@ -1,5 +1,7 @@
+# {{ ansible_managed }}
 JAVA_OPTS='{{ keycloak_java_opts }}'
-JBOSS_HOME={{ keycloak_jboss_home }}
+JAVA_HOME={{ keycloak_java_home  | default(keycloak_rpm_java_home, true) }}
+JBOSS_HOME={{ keycloak.home }}
 KEYCLOAK_BIND_ADDRESS={{ keycloak_bind_address }}
 KEYCLOAK_HTTP_PORT={{ keycloak_http_port }}
 KEYCLOAK_HTTPS_PORT={{ keycloak_https_port }}

roles/keycloak/templates/keycloak.service.j2

@@ -1,5 +1,6 @@
+# {{ ansible_managed }}
 [Unit]
-Description=Keycloak Server
+Description={{ keycloak.service_name }} Server
 After=network.target
 
 [Service]

roles/keycloak/templates/standalone-infinispan.xml.j2

@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-
+<!-- {{ ansible_managed }} -->
 <server xmlns="urn:jboss:domain:16.0">
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
@@ -152,15 +152,15 @@
                     </security>
                 </datasource>
                 <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
-{% if keycloak_jdbc.postgres.enabled %}
-                    <connection-url>{{ keycloak_jdbc.postgres.connection_url }}</connection-url>
-                    <driver>{{ keycloak_jdbc.postgres.driver_module_name }}</driver>
+{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
+                    <connection-url>{{ keycloak_jdbc[keycloak_jdbc_engine].connection_url }}</connection-url>
+                    <driver>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}</driver>
                     <pool>
                        <max-pool-size>20</max-pool-size>
                     </pool>
                     <security>
-                        <user-name>{{ keycloak_jdbc.postgres.db_user }}</user-name>
-                        <password>{{ keycloak_jdbc.postgres.db_password }}</password>
+                        <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
+                        <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
                     </security>
 {% else %}
                     <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
@@ -172,10 +172,10 @@
 {% endif %}
                 </datasource>
                 <drivers>
-{% if keycloak_jdbc.postgres.enabled %}
-                    <driver name="{{ keycloak_jdbc.postgres.driver_module_name }}" module="{{ keycloak_jdbc.postgres.driver_module_name }}">
-                         <driver-class>org.postgresql.Driver</driver-class>
-                        <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
+{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
+                    <driver name="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}" module="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}">
+                        <driver-class>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_class }}</driver-class>
+                        <xa-datasource-class>{{ keycloak_jdbc[keycloak_jdbc_engine].xa_datasource_class }}</xa-datasource-class>
                     </driver>
 {% endif %}
                     <driver name="h2" module="com.h2database.h2">
@@ -206,11 +206,11 @@
             <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
-            <session-bean>
+             <session-bean>
                 <stateless>
                     <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
                 </stateless>
-                <stateful default-access-timeout="5000" cache-ref="simple" passivation-disabled-cache-ref="simple"/>
+                <stateful default-access-timeout="5000" cache-ref="distributable" passivation-disabled-cache-ref="simple"/>
                 <singleton default-access-timeout="5000"/>
             </session-bean>
             <pools>
@@ -368,12 +368,13 @@
         </subsystem>
         <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
         <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
-            <cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
-                <local-cache name="passivation">
+            <cache-container name="ejb" default-cache="dist" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
+                <transport lock-timeout="60000"/>
+                <distributed-cache name="dist">
                     <locking isolation="REPEATABLE_READ"/>
                     <transaction mode="BATCH"/>
-                    <file-store passivation="true" purge="false"/>
-                </local-cache>
+                    <file-store/>
+                </distributed-cache>
             </cache-container>
             <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
                 <transport lock-timeout="60000"/>
@@ -383,8 +384,7 @@
                 <local-cache name="users">
                     <heap-memory size="10000"/>
                 </local-cache>
-                <local-cache name="authenticationSessions"/>
-                {% for cachename in [ "sessions", "offlineSessions", "clientSessions", "offlineClientSessions", "loginFailures", "actionTokens" ] %}
+{% for cachename in [ "sessions", "offlineSessions", "clientSessions", "offlineClientSessions", "loginFailures", "actionTokens", "authenticationSessions" ] %}
                 <distributed-cache name="{{ cachename }}">
                     <remote-store cache="{{ cachename }}"
                                   remote-servers="remote-cache"
@@ -400,14 +400,15 @@
                         <property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property>
                         <property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property>
                         <property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property>
-                        <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism | default('SCRAM-SHA-512') }}</property>
-                        <property name="infinispan.client.hotrod.use_ssl">false</property>
-                        <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property>
+                        <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism }}</property>
+                        <property name="infinispan.client.hotrod.use_ssl">{{ keycloak_remotecache.use_ssl }}</property>
+                        <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path }}</property>
                         <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
-                        <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property>
+                        <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password }}</property>
+                        <property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
                     </remote-store>
                 </distributed-cache>
-                {% endfor %}
+{% endfor %}
                 <replicated-cache name="work">
                     <remote-store cache="work"
                                   remote-servers="remote-cache"
@@ -423,11 +424,12 @@
                         <property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property>
                         <property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property>
                         <property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property>
-                        <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism | default('SCRAM-SHA-512') }}</property>
-                        <property name="infinispan.client.hotrod.use_ssl">false</property>
-                        <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property>
+                        <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism }}</property>
+                        <property name="infinispan.client.hotrod.use_ssl">{{ keycloak_remotecache.use_ssl }}</property>
+                        <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path }}</property>
                         <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
-                        <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property>
+                        <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password }}</property>
+                        <property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
                     </remote-store>
                 </replicated-cache>
                 <local-cache name="authorization">
@@ -438,33 +440,37 @@
                     <expiration max-idle="3600000"/>
                 </local-cache>
             </cache-container>
-            <cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
-                <local-cache name="default">
+            <cache-container name="server" default-cache="default" aliases="singleton cluster" modules="org.wildfly.clustering.server">
+                <transport lock-timeout="60000"/>
+                <replicated-cache name="default">
                     <transaction mode="BATCH"/>
-                </local-cache>
+                </replicated-cache>
             </cache-container>
-            <cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
-                <local-cache name="passivation">
+            <cache-container name="web" default-cache="dist" modules="org.wildfly.clustering.web.infinispan">
+                <transport lock-timeout="60000"/>
+                <replicated-cache name="sso">
                     <locking isolation="REPEATABLE_READ"/>
                     <transaction mode="BATCH"/>
-                    <file-store passivation="true" purge="false"/>
-                </local-cache>
-                <local-cache name="sso">
+                </replicated-cache>
+                <distributed-cache name="dist">
                     <locking isolation="REPEATABLE_READ"/>
                     <transaction mode="BATCH"/>
-                </local-cache>
-                <local-cache name="routing"/>
+                    <file-store/>
+                </distributed-cache>
+                <distributed-cache name="routing"/>
             </cache-container>
             <cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
-                <local-cache name="entity">
-                    <heap-memory size="10000"/>
-                    <expiration max-idle="100000"/>
-                </local-cache>
+                <transport lock-timeout="60000"/>
                 <local-cache name="local-query">
                     <heap-memory size="10000"/>
                     <expiration max-idle="100000"/>
                 </local-cache>
-                <local-cache name="timestamps"/>
+                <invalidation-cache name="entity">
+                    <transaction mode="NON_XA"/>
+                    <heap-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </invalidation-cache>
+                <replicated-cache name="timestamps"/>
             </cache-container>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:io:3.0">
@@ -498,18 +504,15 @@
             <stacks>
                 <stack name="tcp">
                     <transport site="${jboss.node.name}" type="TCP" socket-binding="jgroups-tcp"/>
+{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
                     <protocol type="JDBC_PING">
                         <property name="datasource_jndi_name">java:jboss/datasources/KeycloakDS</property>
-                        <property name="initialize_sql">
-                            CREATE TABLE IF NOT EXISTS JGROUPSPING (
-                            own_addr varchar(200) NOT NULL,
-                            cluster_name varchar(200) NOT NULL,
-                            updated TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
-                            ping_data varbinary(5000) DEFAULT NULL,
-                            PRIMARY KEY (own_addr, cluster_name))
-                            ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin
-                        </property>
+                        <property name="initialize_sql">{{ keycloak_jdbc[keycloak_jdbc_engine].initialize_db }}</property>
+                        <property name="insert_single_sql">INSERT INTO JGROUPSPING (own_addr, cluster_name, ping_data) values (?, ?, ?)</property>
+                        <property name="delete_single_sql">DELETE FROM JGROUPSPING WHERE own_addr=? AND cluster_name=?</property>
+                        <property name="select_all_pingdata_sql">SELECT ping_data FROM JGROUPSPING WHERE cluster_name=?</property>
                     </protocol>
+{% endif %}
                     <protocol type="MERGE3"/>
                     <protocol type="FD_SOCK"/>
                     <protocol type="FD_ALL"/>
@@ -548,6 +551,15 @@
                 <cacheTemplates>true</cacheTemplates>
                 <dir>${jboss.home.dir}/themes</dir>
             </theme>
+{% if keycloak_ha_enabled %}
+            <spi name="dblock">
+                <provider name="jpa" enabled="true">
+                    <properties>
+                        <property name="lockWaitTimeout" value="900"/>
+                    </properties>
+                </provider>
+            </spi>
+{% endif %}
             <spi name="eventsStore">
                 <provider name="jpa" enabled="true">
                     <properties>
@@ -607,8 +619,8 @@
                 <default-provider>default</default-provider>
                 <provider name="default" enabled="true">
                     <properties>
-                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
+                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
                     </properties>
                 </provider>
             </spi>
@@ -619,9 +631,9 @@
             </mail-session>
         </subsystem>
         <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
-{% if keycloak_modcluster.enabled %}        
+{% if keycloak_modcluster.enabled %}    
         <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
-            <proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
+            <proxy name="default" advertise="false" listener="ajp" proxies="proxy1">
                 <dynamic-load-provider>
                     <load-metric type="cpu"/>
                 </dynamic-load-provider>
@@ -675,7 +687,7 @@
             </deployment-permissions>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:transactions:6.0">
-            <core-environment node-identifier="${jboss.tx.node.id:1}">
+            <core-environment node-identifier="{{ inventory_hostname | default('${jboss.tx.node.id:1}') }}">
                 <process-id>
                     <uuid/>
                 </process-id>
@@ -715,20 +727,23 @@
             <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
         </interface>
         <interface name="jgroups">
-            <subnet-match value="{{ (ansible_default_ipv4.address + '/' + ansible_default_ipv4.netmask) | ipaddr('prefix') }}"/>
+{% if ansible_default_ipv4 is defined %}
+            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
+{% else %}
+            <any-address />
+{% endif %}
         </interface>
         <interface name="public">
             <inet-address value="${jboss.bind.address:127.0.0.1}"/>
         </interface>
     </interfaces>
     <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
-        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
-        <socket-binding name="http" port="${jboss.http.port:8080}"/>
-        <socket-binding name="https" port="${jboss.https.port:8443}"/>
-        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
-        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
-        <socket-binding name="jgroups-tcp" interface="jgroups" port="7600"/>
-        <socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
+        <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
+        <socket-binding name="http" port="{{ keycloak_http_port }}"/>
+        <socket-binding name="https" port="{{ keycloak_https_port }}"/>
+        <socket-binding name="management-http" interface="management" port="{{ keycloak_management_http_port }}"/>
+        <socket-binding name="management-https" interface="management" port="{{ keycloak_management_https_port }}"/>
+        <socket-binding name="jgroups-tcp" interface="jgroups" port="{{ keycloak_jgroups_port }}"/>
         <socket-binding name="txn-recovery-environment" port="4712"/>
         <socket-binding name="txn-status-manager" port="4713"/>
         <outbound-socket-binding name="mail-smtp">

roles/keycloak/templates/standalone.xml.j2

@@ -1,6 +1,6 @@
 <?xml version='1.0' encoding='UTF-8'?>
-
-<server xmlns="urn:jboss:domain:10.0">
+<!-- {{ ansible_managed }} -->
+<server xmlns="urn:jboss:domain:16.0">
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
         <extension module="org.jboss.as.connector"/>
@@ -22,10 +22,9 @@
         <extension module="org.wildfly.extension.bean-validation"/>
         <extension module="org.wildfly.extension.core-management"/>
         <extension module="org.wildfly.extension.elytron"/>
+        <extension module="org.wildfly.extension.health"/>
         <extension module="org.wildfly.extension.io"/>
-        <extension module="org.wildfly.extension.microprofile.config-smallrye"/>
-        <extension module="org.wildfly.extension.microprofile.health-smallrye"/>
-        <extension module="org.wildfly.extension.microprofile.metrics-smallrye"/>
+        <extension module="org.wildfly.extension.metrics"/>
         <extension module="org.wildfly.extension.request-controller"/>
         <extension module="org.wildfly.extension.security.manager"/>
         <extension module="org.wildfly.extension.undertow"/>
@@ -129,7 +128,7 @@
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
         <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:datasources:5.0">
+        <subsystem xmlns="urn:jboss:domain:datasources:6.0">
             <datasources>
                 <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
                     <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
@@ -140,14 +139,32 @@
                     </security>
                 </datasource>
                 <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
+{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
+                    <connection-url>{{ keycloak_jdbc[keycloak_jdbc_engine].connection_url }}</connection-url>
+                    <driver>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}</driver>
+                    <pool>
+                       <max-pool-size>20</max-pool-size>
+                    </pool>
+                    <security>
+                        <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
+                        <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
+                    </security>
+{% else %}
                     <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
                     <driver>h2</driver>
                     <security>
                         <user-name>sa</user-name>
                         <password>sa</password>
                     </security>
+{% endif %}
                 </datasource>
                 <drivers>
+{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
+                    <driver name="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}" module="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}">
+                        <driver-class>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_class }}</driver-class>
+                        <xa-datasource-class>{{ keycloak_jdbc[keycloak_jdbc_engine].xa_datasource_class }}</xa-datasource-class>
+                    </driver>
+{% endif %}
                     <driver name="h2" module="com.h2database.h2">
                         <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
                     </driver>
@@ -157,7 +174,7 @@
         <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
             <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
         </subsystem>
-        <subsystem xmlns="urn:jboss:domain:ee:4.0">
+        <subsystem xmlns="urn:jboss:domain:ee:6.0">
             <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
             <concurrent>
                 <context-services>
@@ -167,15 +184,15 @@
                     <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
                 </managed-thread-factories>
                 <managed-executor-services>
-                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-threshold="60000" keepalive-time="5000"/>
+                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
                 </managed-executor-services>
                 <managed-scheduled-executor-services>
-                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-threshold="60000" keepalive-time="3000"/>
+                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
                 </managed-scheduled-executor-services>
             </concurrent>
             <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
         </subsystem>
-        <subsystem xmlns="urn:jboss:domain:ejb3:6.0">
+        <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
             <session-bean>
                 <stateless>
                     <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
@@ -202,7 +219,7 @@
                     <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
                 </data-stores>
             </timer-service>
-            <remote connector-ref="http-remoting-connector" thread-pool-name="default">
+            <remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
                 <channel-creation-options>
                     <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
                 </channel-creation-options>
@@ -218,130 +235,7 @@
             <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
             <log-system-exceptions value="true"/>
         </subsystem>
-        <subsystem xmlns="urn:jboss:domain:io:3.0">
-            <worker name="default"/>
-            <buffer-pool name="default"/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:infinispan:9.0">
-            <cache-container name="keycloak">
-                <local-cache name="realms">
-                    <object-memory size="10000"/>
-                </local-cache>
-                <local-cache name="users">
-                    <object-memory size="10000"/>
-                </local-cache>
-                <local-cache name="sessions"/>
-                <local-cache name="authenticationSessions"/>
-                <local-cache name="offlineSessions"/>
-                <local-cache name="clientSessions"/>
-                <local-cache name="offlineClientSessions"/>
-                <local-cache name="loginFailures"/>
-                <local-cache name="work"/>
-                <local-cache name="authorization">
-                    <object-memory size="10000"/>
-                </local-cache>
-                <local-cache name="keys">
-                    <object-memory size="1000"/>
-                    <expiration max-idle="3600000"/>
-                </local-cache>
-                <local-cache name="actionTokens">
-                    <object-memory size="-1"/>
-                    <expiration max-idle="-1" interval="300000"/>
-                </local-cache>
-            </cache-container>
-            <cache-container name="server" default-cache="default" module="org.wildfly.clustering.server">
-                <local-cache name="default">
-                    <transaction mode="BATCH"/>
-                </local-cache>
-            </cache-container>
-            <cache-container name="web" default-cache="passivation" module="org.wildfly.clustering.web.infinispan">
-                <local-cache name="passivation">
-                    <locking isolation="REPEATABLE_READ"/>
-                    <transaction mode="BATCH"/>
-                    <file-store passivation="true" purge="false"/>
-                </local-cache>
-                <local-cache name="sso">
-                    <locking isolation="REPEATABLE_READ"/>
-                    <transaction mode="BATCH"/>
-                </local-cache>
-                <local-cache name="routing"/>
-            </cache-container>
-            <cache-container name="ejb" aliases="sfsb" default-cache="passivation" module="org.wildfly.clustering.ejb.infinispan">
-                <local-cache name="passivation">
-                    <locking isolation="REPEATABLE_READ"/>
-                    <transaction mode="BATCH"/>
-                    <file-store passivation="true" purge="false"/>
-                </local-cache>
-            </cache-container>
-            <cache-container name="hibernate" module="org.infinispan.hibernate-cache">
-                <local-cache name="entity">
-                    <object-memory size="10000"/>
-                    <expiration max-idle="100000"/>
-                </local-cache>
-                <local-cache name="local-query">
-                    <object-memory size="10000"/>
-                    <expiration max-idle="100000"/>
-                </local-cache>
-                <local-cache name="timestamps"/>
-            </cache-container>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:jca:5.0">
-            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
-            <bean-validation enabled="true"/>
-            <default-workmanager>
-                <short-running-threads>
-                    <core-threads count="50"/>
-                    <queue-length count="50"/>
-                    <max-threads count="50"/>
-                    <keepalive-time time="10" unit="seconds"/>
-                </short-running-threads>
-                <long-running-threads>
-                    <core-threads count="50"/>
-                    <queue-length count="50"/>
-                    <max-threads count="50"/>
-                    <keepalive-time time="10" unit="seconds"/>
-                </long-running-threads>
-            </default-workmanager>
-            <cached-connection-manager/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:jmx:1.3">
-            <expose-resolved-model/>
-            <expose-expression-model/>
-            <remoting-connector/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
-            <jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:mail:3.0">
-            <mail-session name="default" jndi-name="java:jboss/mail/Default">
-                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
-            </mail-session>
-        </subsystem>
-{% if keycloak_modcluster.enabled %}
-        <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
-            <proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
-                <dynamic-load-provider>
-                    <load-metric type="cpu"/>
-                </dynamic-load-provider>
-            </proxy>
-        </subsystem>
-{% endif %}        
-        <subsystem xmlns="urn:jboss:domain:naming:2.0">
-            <remote-naming/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
-            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
-            <deployment-permissions>
-                <maximum-set>
-                    <permission class="java.security.AllPermission"/>
-                </maximum-set>
-            </deployment-permissions>
-        </subsystem>
-        <subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
+        <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
             <providers>
                 <aggregate-providers name="combined-providers">
                     <providers name="elytron"/>
@@ -399,6 +293,7 @@
                     <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
                     <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
                     <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
+                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
                 </permission-set>
             </permission-sets>
             <http>
@@ -440,76 +335,126 @@
                 </mechanism-provider-filtering-sasl-server-factory>
                 <provider-sasl-server-factory name="global"/>
             </sasl>
+            <tls>
+                <key-stores>
+                    <key-store name="applicationKS">
+                        <credential-reference clear-text="password"/>
+                        <implementation type="JKS"/>
+                        <file path="application.keystore" relative-to="jboss.server.config.dir"/>
+                    </key-store>
+                </key-stores>
+                <key-managers>
+                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
+                        <credential-reference clear-text="password"/>
+                    </key-manager>
+                </key-managers>
+                <server-ssl-contexts>
+                    <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
+                </server-ssl-contexts>
+            </tls>
         </subsystem>
-        <subsystem xmlns="urn:jboss:domain:security:2.0">
-            <security-domains>
-                <security-domain name="other" cache-type="default">
-                    <authentication>
-                        <login-module code="Remoting" flag="optional">
-                            <module-option name="password-stacking" value="useFirstPass"/>
-                        </login-module>
-                        <login-module code="RealmDirect" flag="required">
-                            <module-option name="password-stacking" value="useFirstPass"/>
-                        </login-module>
-                    </authentication>
-                </security-domain>
-                <security-domain name="jboss-web-policy" cache-type="default">
-                    <authorization>
-                        <policy-module code="Delegating" flag="required"/>
-                    </authorization>
-                </security-domain>
-                <security-domain name="jaspitest" cache-type="default">
-                    <authentication-jaspi>
-                        <login-module-stack name="dummy">
-                            <login-module code="Dummy" flag="optional"/>
-                        </login-module-stack>
-                        <auth-module code="Dummy"/>
-                    </authentication-jaspi>
-                </security-domain>
-                <security-domain name="jboss-ejb-policy" cache-type="default">
-                    <authorization>
-                        <policy-module code="Delegating" flag="required"/>
-                    </authorization>
-                </security-domain>
-            </security-domains>
+        <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
+        <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
+            <cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
+                <local-cache name="passivation">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store passivation="true" purge="false"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
+                <local-cache name="realms">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="users">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="sessions"/>
+                <local-cache name="authenticationSessions"/>
+                <local-cache name="offlineSessions"/>
+                <local-cache name="clientSessions"/>
+                <local-cache name="offlineClientSessions"/>
+                <local-cache name="loginFailures"/>
+                <local-cache name="work"/>
+                <local-cache name="authorization">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="keys">
+                    <heap-memory size="1000"/>
+                    <expiration max-idle="3600000"/>
+                </local-cache>
+                <local-cache name="actionTokens">
+                    <heap-memory size="-1"/>
+                    <expiration interval="300000" max-idle="-1"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
+                <local-cache name="default">
+                    <transaction mode="BATCH"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
+                <local-cache name="passivation">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store passivation="true" purge="false"/>
+                </local-cache>
+                <local-cache name="sso">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                </local-cache>
+                <local-cache name="routing"/>
+            </cache-container>
+            <cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
+                <local-cache name="entity">
+                    <heap-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </local-cache>
+                <local-cache name="local-query">
+                    <heap-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </local-cache>
+                <local-cache name="timestamps"/>
+            </cache-container>
         </subsystem>
-        <subsystem xmlns="urn:jboss:domain:transactions:5.0">
-            <core-environment node-identifier="${jboss.tx.node.id:1}">
-                <process-id>
-                    <uuid/>
-                </process-id>
-            </core-environment>
-            <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
-            <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
-            <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
+        <subsystem xmlns="urn:jboss:domain:io:3.0">
+            <worker name="default"/>
+            <buffer-pool name="default"/>
         </subsystem>
-        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
-        <subsystem xmlns="urn:wildfly:microprofile-config-smallrye:1.0"/>
-        <subsystem xmlns="urn:wildfly:microprofile-health-smallrye:2.0" security-enabled="false" empty-liveness-checks-status="${env.MP_HEALTH_EMPTY_LIVENESS_CHECKS_STATUS:UP}" empty-readiness-checks-status="${env.MP_HEALTH_EMPTY_READINESS_CHECKS_STATUS:UP}"/>
-        <subsystem xmlns="urn:wildfly:microprofile-metrics-smallrye:2.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
-        <subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
-            <buffer-cache name="default"/>
-            <server name="default-server">
-                <ajp-listener name="ajp" socket-binding="ajp"/>
-                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
-                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
-                <host name="default-host" alias="localhost">
-                    <location name="/" handler="welcome-content"/>
-                    <http-invoker security-realm="ApplicationRealm"/>
-                </host>
-            </server>
-            <servlet-container name="default">
-                <jsp-config/>
-                <websockets/>
-            </servlet-container>
-            <handlers>
-                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
-            </handlers>
+        <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
+        <subsystem xmlns="urn:jboss:domain:jca:5.0">
+            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
+            <bean-validation enabled="true"/>
+            <default-workmanager>
+                <short-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </short-running-threads>
+                <long-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </long-running-threads>
+            </default-workmanager>
+            <cached-connection-manager/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jmx:1.3">
+            <expose-resolved-model/>
+            <expose-expression-model/>
+            <remoting-connector/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
+            <jpa default-extended-persistence-inheritance="DEEP"/>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
             <web-context>auth</web-context>
             <providers>
-                <provider>classpath:${jboss.home.dir}/providers/*</provider>
+                <provider>
+                    classpath:${jboss.home.dir}/providers/*
+                </provider>
             </providers>
             <master-realm-name>master</master-realm-name>
             <scheduled-task-interval>900</scheduled-task-interval>
@@ -519,6 +464,15 @@
                 <cacheTemplates>true</cacheTemplates>
                 <dir>${jboss.home.dir}/themes</dir>
             </theme>
+{% if keycloak_ha_enabled %}
+            <spi name="dblock">
+                <provider name="jpa" enabled="true">
+                    <properties>
+                        <property name="lockWaitTimeout" value="900"/>
+                    </properties>
+                </provider>
+            </spi>
+{% endif %}
             <spi name="eventsStore">
                 <provider name="jpa" enabled="true">
                     <properties>
@@ -578,12 +532,103 @@
                 <default-provider>default</default-provider>
                 <provider name="default" enabled="true">
                     <properties>
-                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
+                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
                     </properties>
                 </provider>
             </spi>
         </subsystem>
+        <subsystem xmlns="urn:jboss:domain:mail:4.0">
+            <mail-session name="default" jndi-name="java:jboss/mail/Default">
+                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
+            </mail-session>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
+{% if keycloak_modcluster.enabled %}        
+        <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
+            <proxy name="default" advertise="false" listener="ajp" proxies="proxy1">
+                <dynamic-load-provider>
+                    <load-metric type="cpu"/>
+                </dynamic-load-provider>
+            </proxy>
+        </subsystem>
+{% endif %}        
+        <subsystem xmlns="urn:jboss:domain:naming:2.0">
+            <remote-naming/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
+            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:security:2.0">
+            <security-domains>
+                <security-domain name="other" cache-type="default">
+                    <authentication>
+                        <login-module code="Remoting" flag="optional">
+                            <module-option name="password-stacking" value="useFirstPass"/>
+                        </login-module>
+                        <login-module code="RealmDirect" flag="required">
+                            <module-option name="password-stacking" value="useFirstPass"/>
+                        </login-module>
+                    </authentication>
+                </security-domain>
+                <security-domain name="jboss-web-policy" cache-type="default">
+                    <authorization>
+                        <policy-module code="Delegating" flag="required"/>
+                    </authorization>
+                </security-domain>
+                <security-domain name="jaspitest" cache-type="default">
+                    <authentication-jaspi>
+                        <login-module-stack name="dummy">
+                            <login-module code="Dummy" flag="optional"/>
+                        </login-module-stack>
+                        <auth-module code="Dummy"/>
+                    </authentication-jaspi>
+                </security-domain>
+                <security-domain name="jboss-ejb-policy" cache-type="default">
+                    <authorization>
+                        <policy-module code="Delegating" flag="required"/>
+                    </authorization>
+                </security-domain>
+            </security-domains>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
+            <deployment-permissions>
+                <maximum-set>
+                    <permission class="java.security.AllPermission"/>
+                </maximum-set>
+            </deployment-permissions>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:transactions:6.0">
+            <core-environment node-identifier="${jboss.tx.node.id:1}">
+                <process-id>
+                    <uuid/>
+                </process-id>
+            </core-environment>
+            <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
+            <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
+            <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
+            <buffer-cache name="default"/>
+            <server name="default-server">
+                <ajp-listener name="ajp" socket-binding="ajp"/>
+                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
+                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
+                <host name="default-host" alias="localhost">
+                    <location name="/" handler="welcome-content"/>
+                    <http-invoker security-realm="ApplicationRealm"/>
+                </host>
+            </server>
+            <servlet-container name="default">
+                <jsp-config/>
+                <websockets/>
+            </servlet-container>
+            <handlers>
+                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
+            </handlers>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
     </profile>
     <interfaces>
         <interface name="management">
@@ -594,18 +639,17 @@
         </interface>
     </interfaces>
     <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
-        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
-        <socket-binding name="http" port="${jboss.http.port:8080}"/>
-        <socket-binding name="https" port="${jboss.https.port:8443}"/>
-        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
-        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
-        <socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
+        <socket-binding name="ajp" port="{{ keycloak_ajp_port }}"/>
+        <socket-binding name="http" port="{{ keycloak_http_port }}"/>
+        <socket-binding name="https" port="{{ keycloak_https_port }}"/>
+        <socket-binding name="management-http" interface="management" port="{{ keycloak_management_http_port }}"/>
+        <socket-binding name="management-https" interface="management" port="{{ keycloak_management_https_port }}"/>
         <socket-binding name="txn-recovery-environment" port="4712"/>
         <socket-binding name="txn-status-manager" port="4713"/>
         <outbound-socket-binding name="mail-smtp">
-            <remote-destination host="localhost" port="25"/>
+            <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
         </outbound-socket-binding>
-{% if keycloak_modcluster.enabled %}
+{% if keycloak_modcluster.enabled %}        
         <outbound-socket-binding name="proxy1">
             <remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
         </outbound-socket-binding>

roles/keycloak/vars/main.yml

@@ -1,3 +1,83 @@
 ---
-# vars file for keycloak
-keycloak_admin_password:
+# internal variables below
+rhsso_rhn_ids:
+  '7.5.0':
+    id: '101971'
+    latest_cp:
+      id: '103836'
+      v: '7.5.1'
+
+# locations
+keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
+keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
+
+
+keycloak:
+  home: "{{ keycloak_jboss_home }}"
+  config_dir: "{{ keycloak_config_dir }}"
+  bundle: "{{ keycloak_rhsso_archive if keycloak_rhsso_enable else keycloak_archive }}"
+  patch_bundle: "rh-sso-{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }}-patch.zip"
+  service_name: "{{ 'rhsso' if keycloak_rhsso_enable else 'keycloak' }}"
+  health_url: "{{ keycloak_management_url }}/health"
+  cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh"
+  config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 else 'standalone.xml.j2' }}"
+
+# database
+keycloak_jdbc:
+  postgres:
+    enabled: "{{ (keycloak_ha_enabled or keycloak_db_enabled) and keycloak_jdbc_engine == 'postgres' }}"
+    driver_class: org.postgresql.Driver
+    xa_datasource_class: org.postgresql.xa.PGXADataSource
+    driver_module_name: "org.postgresql"
+    driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/postgresql/main"
+    driver_version: "{{ keycloak_jdbc_driver_version }}"
+    driver_jar_filename: "postgresql-{{ keycloak_jdbc_driver_version }}.jar"
+    driver_jar_url: "https://repo.maven.apache.org/maven2/org/postgresql/postgresql/{{ keycloak_jdbc_driver_version }}/postgresql-{{ keycloak_jdbc_driver_version }}.jar"
+    connection_url: "{{ keycloak_jdbc_url }}"
+    db_user: "{{ keycloak_db_user }}"
+    db_password: "{{ keycloak_db_pass }}"
+    initialize_db: >
+      CREATE TABLE IF NOT EXISTS JGROUPSPING (
+        own_addr varchar(200) NOT NULL,
+        cluster_name varchar(200) NOT NULL,
+        updated TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+        ping_data BYTEA,
+        constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))
+  mariadb:
+    enabled: "{{ (keycloak_ha_enabled or keycloak_db_enabled) and keycloak_jdbc_engine == 'mariadb' }}"
+    driver_class: org.mariadb.jdbc.Driver
+    xa_datasource_class: org.mariadb.jdbc.MySQLDataSource
+    driver_module_name: "org.mariadb"
+    driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/mariadb/main"
+    driver_version: "{{ keycloak_jdbc_driver_version }}"
+    driver_jar_filename: "mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar"
+    driver_jar_url: "https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/{{ keycloak_jdbc_driver_version }}/mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar"
+    connection_url: "{{ keycloak_jdbc_url }}"
+    db_user: "{{ keycloak_db_user  }}"
+    db_password: "{{ keycloak_db_pass }}"
+    initialize_db: >
+      CREATE TABLE IF NOT EXISTS JGROUPSPING (
+        own_addr varchar(200) NOT NULL,
+        cluster_name varchar(200) NOT NULL,
+        updated TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+        ping_data varbinary(5000) DEFAULT NULL,
+        PRIMARY KEY (own_addr, cluster_name))
+      ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin
+
+# reverse proxy mod_cluster
+keycloak_modcluster:
+  enabled: "{{ keycloak_ha_enabled }}"
+  reverse_proxy_url: "{{ keycloak_modcluster_url }}"
+  frontend_url: "{{ keycloak_frontend_url }}"
+
+# infinispan
+keycloak_remotecache:
+  enabled: "{{ keycloak_ha_enabled }}"
+  username: "{{ infinispan_user }}"
+  password: "{{ infinispan_pass }}"
+  realm: default
+  sasl_mechanism: "{{ infinispan_sasl_mechanism }}"
+  server_name: "{{ infinispan_url }}"
+  use_ssl: "{{ infinispan_use_ssl }}"
+  trust_store_path: "{{ infinispan_trust_store_path }}"
+  trust_store_password: "{{ infinispan_trust_store_password }}"

roles/keycloak_quarkus/README.md

@@ -0,0 +1,101 @@
+keycloak_quarkus
+================
+
+Install [keycloak](https://keycloak.org/) >= 17.0.0 (quarkus) server configurations.
+
+
+Role Defaults
+-------------
+
+* Service configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
+|`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` |
+|`keycloak_quarkus_admin_user`| Administration console user account | `admin` |
+|`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` |
+|`keycloak_quarkus_host`| hostname | `localhost` |
+|`keycloak_quarkus_http_port`| HTTP port | `8080` |
+|`keycloak_quarkus_https_port`| TLS HTTP port | `8443` |
+|`keycloak_quarkus_ajp_port`| AJP port | `8009` |
+|`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7600` |
+|`keycloak_quarkus_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
+|`keycloak_quarkus_service_user`| Posix account username | `keycloak` |
+|`keycloak_quarkus_service_group`| Posix account group | `keycloak` |
+|`keycloak_quarkus_service_pidfile`| Pid file path for service | `/run/keycloak.pid` |
+|`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-11-openjdk-headless` |
+|`keycloak_quarkus_frontend_url`| Service public URL | `http://localhost:8080/auth` |
+|`keycloak_quarkus_http_relative_path` | Service context path | `auth` |
+
+
+* Database configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_jdbc_engine` | Database engine [mariadb,postres] | `postgres` |
+|`keycloak_quarkus_db_user` | User for database connection | `keycloak-user` |
+|`keycloak_quarkus_db_pass` | Password for database connection | `keycloak-pass` |
+|`keycloak_quarkus_jdbc_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` |
+|`keycloak_quarkus_jdbc_driver_version` | Version for JDBC driver | `9.4.1212` |
+
+
+* Remote caches configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_ispn_user` | Username for connecting to infinispan | `supervisor` |
+|`keycloak_quarkus_ispn_pass` | Password for connecting to infinispan | `supervisor` |
+|`keycloak_quarkus_ispn_url` | URL for connecting to infinispan | `localhost` |
+|`keycloak_quarkus_ispn_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` |
+|`keycloak_quarkus_ispn_use_ssl` | Whether infinispan uses TLS connection | `false` |
+|`keycloak_quarkus_ispn_trust_store_path` | Path to infinispan server trust certificate | `/etc/pki/java/cacerts` |
+|`keycloak_quarkus_ispn_trust_store_password` | Password for infinispan certificate keystore | `changeit` | 
+
+
+* Install options
+
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+|`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
+|`keycloak_quarkus_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`| 
+|`keycloak_quarkus_version`| keycloak.org package version | `17.0.1` |
+|`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
+|`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
+|`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
+
+
+* Miscellaneous configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_metrics_enabled`| Whether to enable metrics | `False` |
+|`keycloak_quarkus_archive` | keycloak install archive filename | `keycloak-{{ keycloak_quarkus_version }}.zip` |
+|`keycloak_quarkus_installdir` | Installation path | `{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}` |
+|`keycloak_quarkus_home` | Installation work directory | `{{ keycloak_quarkus_installdir }}` |
+|`keycloak_quarkus_config_dir` | Path for configuration | `{{ keycloak_quarkus_home }}/conf` |
+|`keycloak_quarkus_master_realm` | Name for rest authentication realm | `master` |
+|`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
+|`keycloak_force_install` | Remove pre-existing versions of service | `False` |
+|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_http_port }}` |
+|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_management_http_port }}` |
+
+
+Role Variables
+--------------
+
+| Variable | Description |
+|:---------|:------------|
+|`keycloak_quarkus_admin_pass`| Password of console admin account |
+
+
+License
+-------
+
+Apache License 2.0
+
+
+Author Information
+------------------
+
+* [Guido Grazioli](https://github.com/guidograzioli)

roles/keycloak_quarkus/defaults/main.yml

@@ -0,0 +1,70 @@
+---
+### Configuration specific to keycloak
+keycloak_quarkus_version: 17.0.1
+keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
+keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"  
+keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
+
+# whether to install from local archive
+keycloak_quarkus_offline_install: False
+
+### Install location and service settings
+keycloak_quarkus_jvm_package: java-11-openjdk-headless
+keycloak_quarkus_dest: /opt/keycloak
+keycloak_quarkus_home: "{{ keycloak_quarkus_installdir }}"
+keycloak_quarkus_config_dir: "{{ keycloak_quarkus_home }}/conf"
+keycloak_quarkus_service_user: keycloak
+keycloak_quarkus_service_group: keycloak
+keycloak_quarkus_service_pidfile: "/run/keycloak.pid"
+keycloak_quarkus_configure_firewalld: False
+
+### administrator console password
+keycloak_quarkus_admin_user: admin
+keycloak_quarkus_admin_pass: ''
+keycloak_quarkus_master_realm: master
+
+### Configuration settings
+keycloak_quarkus_bind_address: 0.0.0.0
+keycloak_quarkus_host: localhost
+keycloak_quarkus_http_port: 8080
+keycloak_quarkus_https_port: 8443
+keycloak_quarkus_ajp_port: 8009
+keycloak_quarkus_jgroups_port: 7600
+keycloak_quarkus_java_opts: "-Xms1024m -Xmx2048m"
+
+### Enable configuration for database backend, clustering and remote caches on infinispan
+keycloak_quarkus_ha_enabled: False
+### Enable database configuration, must be enabled when HA is configured
+keycloak_quarkus_db_enabled: "{{ True if keycloak_quarkus_ha_enabled else False }}"
+
+### keycloak frontend url
+keycloak_quarkus_http_relative_path: auth
+keycloak_quarkus_frontend_url: http://localhost:8080/auth
+
+keycloak_quarkus_metrics_enabled: False
+
+### infinispan remote caches access (hotrod)
+keycloak_quarkus_ispn_user: supervisor
+keycloak_quarkus_ispn_pass: supervisor
+keycloak_quarkus_ispn_url: localhost
+keycloak_quarkus_ispn_sasl_mechanism: SCRAM-SHA-512
+keycloak_quarkus_ispn_use_ssl: False
+# if ssl is enabled, import ispn server certificate here
+keycloak_quarkus_ispn_trust_store_path: /etc/pki/java/cacerts
+keycloak_quarkus_ispn_trust_store_password: changeit
+
+### database backend engine: values [ 'postgres', 'mariadb' ]
+keycloak_quarkus_jdbc_engine: postgres
+### database backend credentials
+keycloak_quarkus_db_user: keycloak-user
+keycloak_quarkus_db_pass: keycloak-pass
+keycloak_quarkus_jdbc_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
+keycloak_quarkus_jdbc_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
+# override the variables above, following defaults show minimum supported versions
+keycloak_quarkus_default_jdbc:
+  postgres:
+    url: 'jdbc:postgresql://localhost:5432/keycloak'
+    version: 9.4.1212
+  mariadb:
+    url: 'jdbc:mariadb://localhost:3306/keycloak'
+    version: 2.7.4

roles/keycloak_quarkus/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: "Restart {{ keycloak.service_name }}"
+  ansible.builtin.include_tasks: restart.yml
+  listen: "restart keycloak"

roles/keycloak_quarkus/meta/argument_specs.yml

@@ -0,0 +1,203 @@
+argument_specs:
+    main:
+        options:
+            keycloak_quarkus_version:
+                # line 3 of defaults/main.yml
+                default: "17.0.1"
+                description: "keycloak.org package version"
+                type: "str"
+            keycloak_quarkus_archive:
+                # line 4 of defaults/main.yml
+                default: "keycloak-{{ keycloak_quarkus_version }}.zip"
+                description: "keycloak install archive filename"
+                type: "str"
+            keycloak_quarkus_download_url:
+                # line 5 of defaults/main.yml
+                default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
+                description: "Download URL for keycloak"
+                type: "str"
+            keycloak_quarkus_installdir:
+                # line 6 of defaults/main.yml
+                default: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
+                description: "Installation path"
+                type: "str"
+            keycloak_quarkus_offline_install:
+                # line 9 of defaults/main.yml
+                default: false
+                description: "Perform an offline install"
+                type: "bool"
+            keycloak_quarkus_jvm_package:
+                # line 12 of defaults/main.yml
+                default: "java-11-openjdk-headless"
+                description: "RHEL java package runtime"
+                type: "str"
+            keycloak_quarkus_dest:
+                # line 13 of defaults/main.yml
+                default: "/opt/keycloak"
+                description: "Installation root path"
+                type: "str"
+            keycloak_quarkus_home:
+                # line 14 of defaults/main.yml
+                default: "{{ keycloak_quarkus_installdir }}"
+                description: "Installation work directory"
+                type: "str"
+            keycloak_quarkus_config_dir:
+                # line 15 of defaults/main.yml
+                default: "{{ keycloak_quarkus_home }}/conf"
+                description: "Path for configuration"
+                type: "str"
+            keycloak_quarkus_service_user:
+                # line 16 of defaults/main.yml
+                default: "keycloak"
+                description: "Posix account username"
+                type: "str"
+            keycloak_quarkus_service_group:
+                # line 17 of defaults/main.yml
+                default: "keycloak"
+                description: "Posix account group"
+                type: "str"
+            keycloak_quarkus_service_pidfile:
+                # line 18 of defaults/main.yml
+                default: "/run/keycloak.pid"
+                description: "Pid file path for service"
+                type: "str"
+            keycloak_quarkus_configure_firewalld:
+                # line 19 of defaults/main.yml
+                default: false
+                description: "Ensure firewalld is running and configure keycloak ports"
+                type: "bool"
+            keycloak_quarkus_admin_user:
+                # line 22 of defaults/main.yml
+                default: "admin"
+                description: "Administration console user account"
+                type: "str"
+            keycloak_quarkus_admin_pass:
+                # line 23 of defaults/main.yml
+                default: ""
+                description: "Password of console admin account"
+                type: "str"
+            keycloak_quarkus_master_realm:
+                # line 24 of defaults/main.yml
+                default: "master"
+                description: "Name for rest authentication realm"
+                type: "str"
+            keycloak_quarkus_bind_address:
+                # line 27 of defaults/main.yml
+                default: "0.0.0.0"
+                description: "Address for binding service ports"
+                type: "str"
+            keycloak_quarkus_host:
+                # line 28 of defaults/main.yml
+                default: "localhost"
+                description: "hostname"
+                type: "str"
+            keycloak_quarkus_http_port:
+                # line 29 of defaults/main.yml
+                default: 8080
+                description: "HTTP port"
+                type: "int"
+            keycloak_quarkus_https_port:
+                # line 30 of defaults/main.yml
+                default: 8443
+                description: "HTTPS port"
+                type: "int"
+            keycloak_quarkus_ajp_port:
+                # line 31 of defaults/main.yml
+                default: 8009
+                description: "AJP port"
+                type: "int"
+            keycloak_quarkus_jgroups_port:
+                # line 32 of defaults/main.yml
+                default: 7600
+                description: "jgroups cluster tcp port"
+                type: "int"
+            keycloak_quarkus_java_opts:
+                # line 33 of defaults/main.yml
+                default: "-Xms1024m -Xmx2048m"
+                description: "Additional JVM options"
+                type: "str"
+            keycloak_quarkus_ha_enabled:
+                # line 36 of defaults/main.yml
+                default: false
+                description: "Enable auto configuration for database backend, clustering and remote caches on infinispan"
+                type: "bool"
+            keycloak_quarkus_db_enabled:
+                # line 38 of defaults/main.yml
+                default: "{{ True if keycloak_quarkus_ha_enabled else False }}"
+                description: "Enable auto configuration for database backend"
+                type: "str"
+            keycloak_quarkus_http_relative_path:
+                # line 41 of defaults/main.yml
+                default: "auth"
+                description: "Service context path"
+                type: "str"
+            keycloak_quarkus_frontend_url:
+                # line 41 of defaults/main.yml
+                default: "http://localhost:8080/auth"
+                description: "Service public URL"
+                type: "str"
+            keycloak_quarkus_metrics_enabled:
+                # line 43 of defaults/main.yml
+                default: false
+                description: "Whether to enable metrics"
+                type: "bool"
+            keycloak_quarkus_ispn_user:
+                # line 46 of defaults/main.yml
+                default: "supervisor"
+                description: "Username for connecting to infinispan"
+                type: "str"
+            keycloak_quarkus_ispn_pass:
+                # line 47 of defaults/main.yml
+                default: "supervisor"
+                description: "Password for connecting to infinispan"
+                type: "str"
+            keycloak_quarkus_ispn_url:
+                # line 48 of defaults/main.yml
+                default: "localhost"
+                description: "URL for connecting to infinispan"
+                type: "str"
+            keycloak_quarkus_ispn_sasl_mechanism:
+                # line 49 of defaults/main.yml
+                default: "SCRAM-SHA-512"
+                description: "Infinispan auth mechanism"
+                type: "str"
+            keycloak_quarkus_ispn_use_ssl:
+                # line 50 of defaults/main.yml
+                default: false
+                description: "Whether infinispan uses TLS connection"
+                type: "bool"
+            keycloak_quarkus_ispn_trust_store_path:
+                # line 52 of defaults/main.yml
+                default: "/etc/pki/java/cacerts"
+                description: "Path to infinispan server trust certificate"
+                type: "str"
+            keycloak_quarkus_ispn_trust_store_password:
+                # line 53 of defaults/main.yml
+                default: "changeit"
+                description: "Password for infinispan certificate keystore"
+                type: "str"
+            keycloak_quarkus_jdbc_engine:
+                # line 56 of defaults/main.yml
+                default: "postgres"
+                description: "Database engine [mariadb,postres]"
+                type: "str"
+            keycloak_quarkus_db_user:
+                # line 58 of defaults/main.yml
+                default: "keycloak-user"
+                description: "User for database connection"
+                type: "str"
+            keycloak_quarkus_db_pass:
+                # line 59 of defaults/main.yml
+                default: "keycloak-pass"
+                description: "Password for database connection"
+                type: "str"
+            keycloak_quarkus_jdbc_url:
+                # line 60 of defaults/main.yml
+                default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
+                description: "JDBC URL for connecting to database"
+                type: "str"
+            keycloak_quarkus_jdbc_driver_version:
+                # line 61 of defaults/main.yml
+                default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
+                description: "Version for JDBC driver"
+                type: "str"

roles/keycloak_quarkus/meta/main.yml

@@ -0,0 +1,28 @@
+---
+collections:
+
+galaxy_info:
+  role_name: keycloak_quarkus
+  namespace: middleware_automation
+  author: Guido Grazioli
+  description: Install keycloak on quarkus server configurations
+  company: Red Hat, Inc.
+
+  license: Apache License 2.0
+
+  min_ansible_version: "2.9"
+
+  platforms:
+   - name: EL
+     versions:
+     - 8
+
+  galaxy_tags:
+    - keycloak
+    - quarkus
+    - redhat
+    - rhel
+    - sso
+    - authentication
+    - identity
+    - security

roles/keycloak_quarkus/tasks/fastpackages.yml

@@ -0,0 +1,21 @@
+---
+- block:
+  - name: "Check if packages are already installed"
+    ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
+    args:
+      warn: no
+    register: rpm_info
+    changed_when: rpm_info.failed
+
+  rescue:
+    - name: "Add missing packages to the yum install list"
+      ansible.builtin.set_fact:
+        packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | flatten }}"
+      when: rpm_info.failed
+
+- name: "Install packages: {{ packages_to_install }}"
+  become: yes
+  ansible.builtin.yum:
+    name: "{{ packages_to_install }}"
+    state: present
+  when: packages_to_install | default([]) | length > 0

roles/keycloak_quarkus/tasks/firewalld.yml

@@ -0,0 +1,25 @@
+---
+- name: Ensure required package firewalld are installed
+  ansible.builtin.include_tasks: fastpackages.yml
+  vars:
+    packages_list:
+      - firewalld
+
+- name: Enable and start the firewalld service
+  become: yes
+  ansible.builtin.systemd:
+    name: firewalld
+    enabled: yes
+    state: started
+
+- name: "Configure firewall for {{ keycloak.service_name }} ports"
+  become: yes
+  firewalld:
+    port: "{{ item }}"
+    permanent: true
+    state: enabled
+    immediate: yes
+  loop:
+    - "{{ keycloak_quarkus_http_port }}/tcp"
+    - "{{ keycloak_quarkus_https_port }}/tcp"
+    - "{{ keycloak_quarkus_jgroups_port }}/tcp"

roles/keycloak_quarkus/tasks/install.yml

@@ -0,0 +1,111 @@
+---
+- name: Validate parameters
+  ansible.builtin.assert:
+    that:
+      - keycloak.home is defined
+      - keycloak_quarkus_service_user is defined
+      - keycloak_quarkus_dest is defined
+      - keycloak_quarkus_archive is defined
+      - keycloak_quarkus_download_url is defined
+      - keycloak_quarkus_version is defined
+    quiet: true
+
+- name: Check for an existing deployment
+  become: yes
+  ansible.builtin.stat:
+    path: "{{ keycloak.home }}"
+  register: existing_deploy
+
+- name: "Create {{ keycloak.service_name }} service user/group"
+  become: yes
+  ansible.builtin.user:
+    name: "{{ keycloak.service_user }}"
+    home: /opt/keycloak
+    system: yes
+    create_home: no
+
+- name: "Create {{ keycloak.service_name }} install location"
+  become: yes
+  ansible.builtin.file:
+    dest: "{{ keycloak_quarkus_dest }}"
+    state: directory
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+    mode: 0750
+
+## check remote archive
+- name: Set download archive path
+  ansible.builtin.set_fact:
+    archive: "{{ keycloak_quarkus_dest }}/{{ keycloak.bundle }}"
+
+- name: Check download archive path
+  become: yes
+  ansible.builtin.stat:
+    path: "{{ archive }}"
+  register: archive_path
+
+## download to controller
+- name: Check local download archive path
+  ansible.builtin.stat:
+    path: "{{ lookup('env', 'PWD') }}"
+  register: local_path
+  delegate_to: localhost
+
+- name: Download keycloak archive
+  ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
+    url: "{{ keycloak_quarkus_download_url }}"
+    dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+    mode: 0640
+  delegate_to: localhost
+  when:
+    - archive_path is defined
+    - archive_path.stat is defined
+    - not archive_path.stat.exists
+    - not keycloak.offline_install
+
+- name: Check downloaded archive
+  ansible.builtin.stat:
+    path: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+  register: local_archive_path
+  delegate_to: localhost
+
+## copy and unpack
+- name: Copy archive to target nodes
+  ansible.builtin.copy:
+    src: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+    dest: "{{ archive }}"
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+    mode: 0750
+  register: new_version_downloaded
+  when:
+    - not archive_path.stat.exists
+    - local_archive_path.stat is defined
+    - local_archive_path.stat.exists
+  become: yes
+
+- name: "Check target directory: {{ keycloak.home }}"
+  ansible.builtin.stat:
+    path: "{{ keycloak.home }}"
+  register: path_to_workdir
+  become: yes
+
+- name: "Extract Keycloak archive on target"
+  ansible.builtin.unarchive:
+    remote_src: yes
+    src: "{{ archive }}"
+    dest: "{{ keycloak_quarkus_dest }}"
+    creates: "{{ keycloak.home }}"
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+  become: yes
+  when:
+    - new_version_downloaded.changed or not path_to_workdir.stat.exists
+  notify:
+    - restart keycloak
+
+- name: Inform decompression was not executed
+  ansible.builtin.debug:
+    msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
+  when:
+    - not new_version_downloaded.changed and path_to_workdir.stat.exists

roles/keycloak_quarkus/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+# tasks file for keycloak
+
+- name: Check prerequisites
+  ansible.builtin.include_tasks: prereqs.yml
+  tags:
+    - prereqs
+
+- name: Include firewall config tasks
+  ansible.builtin.include_tasks: firewalld.yml
+  when: keycloak_quarkus_configure_firewalld
+  tags:
+    - firewall
+
+- name: Include install tasks
+  ansible.builtin.include_tasks: install.yml
+  tags:
+    - install
+
+- name: Include systemd tasks
+  ansible.builtin.include_tasks: systemd.yml
+  tags:
+    - systemd
+
+- name: "Configure config for keycloak service"
+  ansible.builtin.template:
+    src: keycloak.conf.j2
+    dest: "{{ keycloak.home }}/conf/keycloak.conf"
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+    mode: 0644
+  notify:
+    - restart keycloak
+
+- name: "Start and wait for keycloak service"
+  ansible.builtin.include_tasks: start.yml
+
+- name: Check service status
+  ansible.builtin.command: "systemctl status keycloak"
+  register: keycloak_service_status
+  changed_when: False

roles/keycloak_quarkus/tasks/prereqs.yml

@@ -0,0 +1,34 @@
+---
+- name: Validate admin console password
+  ansible.builtin.assert:
+    that:
+      - keycloak_quarkus_admin_pass | length > 12
+    quiet: True
+    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass variable to a 12+ char long string"
+    success_msg: "{{ 'Console administrator password OK' }}"
+
+- name: Validate configuration
+  ansible.builtin.assert:
+    that:
+      - (keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and not keycloak_quarkus_db_enabled)
+    quiet: True
+    fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled"
+    success_msg: "{{ 'Configuring HA' if keycloak_quarkus_ha_enabled else 'Configuring standalone' }}"
+
+# - name: Validate credentials
+#   ansible.builtin.assert:
+#     that:
+#       - (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
+#       - (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
+#     quiet: True
+#     fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
+#     success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
+
+- name: Ensure required packages are installed
+  ansible.builtin.include_tasks: fastpackages.yml
+  vars:
+    packages_list:
+      - "{{ keycloak_quarkus_jvm_package }}"
+      - unzip
+      - procps-ng
+      - initscripts

roles/keycloak_quarkus/tasks/restart.yml

@@ -0,0 +1,7 @@
+---
+- name: "Restart and enable {{ keycloak.service_name }} service"
+  ansible.builtin.systemd:
+    name: keycloak
+    enabled: yes
+    state: restarted
+  become: yes

roles/keycloak_quarkus/tasks/start.yml

@@ -0,0 +1,15 @@
+---
+- name: "Start {{ keycloak.service_name }} service"
+  ansible.builtin.systemd:
+    name: keycloak
+    enabled: yes
+    state: started
+  become: yes
+
+- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
+  ansible.builtin.uri:
+    url: "{{ keycloak.health_url }}"
+  register: keycloak_status
+  until: keycloak_status.status == 200
+  retries: 25
+  delay: 10

roles/keycloak_quarkus/tasks/systemd.yml

@@ -0,0 +1,29 @@
+---
+- name: "Configure sysconfig file for keycloak service"
+  become: yes
+  ansible.builtin.template:
+    src: keycloak-sysconfig.j2
+    dest: /etc/sysconfig/keycloak
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - restart keycloak
+
+- name: "Configure systemd unit file for keycloak service"
+  ansible.builtin.template:
+    src: keycloak.service.j2
+    dest: /etc/systemd/system/keycloak.service
+    owner: root
+    group: root
+    mode: 0644
+  become: yes
+  register: systemdunit
+  notify:
+    - restart keycloak
+
+- name: Reload systemd
+  become: yes
+  ansible.builtin.systemd:
+    daemon_reload: yes
+  when: systemdunit.changed

roles/keycloak_quarkus/templates/keycloak-sysconfig.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }}
+KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'

roles/keycloak_quarkus/templates/keycloak.conf.j2

@@ -0,0 +1,51 @@
+# {{ ansible_managed }}
+
+# Database
+# Database vendor [dev-file, dev-mem, mariadb, mssql, mysql, oracle, postgres]
+#db=postgres
+# The username of the database user.
+#db-username=keycloak
+# The password of the database user.
+#db-password=password
+# The full database JDBC URL. If not provided, a default URL is set based on the selected database vendor.
+#db-url=jdbc:postgresql://localhost/keycloak
+
+# Observability
+# If the server should expose metrics and healthcheck endpoints.
+#metrics-enabled=true
+
+# HTTP
+http-enabled=true
+http-port=8080
+https-port=8443
+# The file path to a server certificate or certificate chain in PEM format.
+#https-certificate-file=${kc.home.dir}conf/server.crt.pem
+# The file path to a private key in PEM format.
+#https-certificate-key-file=${kc.home.dir}conf/server.key.pem
+# The proxy address forwarding mode if the server is behind a reverse proxy.
+#proxy=reencrypt
+# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
+#spi-sticky-session-encoder-infinispan-should-attach-route=false
+
+# Hostname for the Keycloak server.
+hostname={{ keycloak_quarkus_host }}
+hostname-path={{ keycloak_quarkus_http_relative_path }}
+
+# Cluster
+#cache=ispn
+#Defines the cache mechanism for high-availability. [local, ispn]
+#cache-config-file=conf/cache-ispn.xml
+#Defines the file from which cache configuration should be loaded from.
+#cache-stack=tcp
+#Define the default stack to use for cluster communication and node discovery. [tcp, udp, kubernetes, ec2, azure, google]
+
+# Proxy
+# The proxy address forwarding mode if the server is behind a reverse proxy. [edge, reencrypt, passthrough]
+#proxy=
+
+# Logging
+# The format of log entries.
+#log-format=%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n
+# The log level of the root category or a comma-separated list of individual categories and their levels.
+#log-level=info
+

roles/keycloak_quarkus/templates/keycloak.service.j2

@@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+[Unit]
+Description=Keycloak Server
+After=network.target
+
+[Service]
+Type=simple
+EnvironmentFile=-/etc/sysconfig/keycloak
+PIDFile={{ keycloak_quarkus_service_pidfile }}
+ExecStart={{ keycloak.home }}/bin/kc.sh start 
+#--http-relative-path={{ keycloak_quarkus_http_relative_path }}
+
+[Install]
+WantedBy=multi-user.target

roles/keycloak_quarkus/vars/main.yml

@@ -0,0 +1,11 @@
+---
+keycloak:
+  home: "{{ keycloak_quarkus_home }}"
+  config_dir: "{{ keycloak_quarkus_config_dir }}"
+  bundle: "{{ keycloak_quarkus_archive }}"
+  service_name: "keycloak"
+  health_url: "http://localhost:8080/realms/master/.well-known/openid-configuration"
+  cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh"
+  service_user: "{{ keycloak_quarkus_service_user }}"
+  service_group: "{{ keycloak_quarkus_service_group }}"
+  offline_install: "{{ keycloak_quarkus_offline_install }}"

roles/keycloak_realm/README.md

@@ -0,0 +1,134 @@
+keycloak_realm
+==============
+
+Create realms and clients in [keycloak](https://keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) services.
+
+
+Role Defaults
+-------------
+
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+|`keycloak_admin_user`| Administration console user account | `admin` |
+|`keycloak_host`| hostname | `localhost` |
+|`keycloak_http_port`| HTTP port | `8080` |
+|`keycloak_https_port`| TLS HTTP port | `8443` |
+|`keycloak_auth_realm`| Name of the main authentication realm | `master` |
+|`keycloak_rhsso_enable`| Define service is an upstream(Keycloak) or RHSSO | `master` |
+|`keycloak_management_http_port`| Management port | `9990` |
+|`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` |
+|`keycloak_client_public`| Configure a public realm client | `True` |
+|`keycloak_client_web_origins`| Web origins for realm client | `+` |
+|`keycloak_url`| URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
+|`keycloak_management_url`| URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
+
+
+Role Variables
+--------------
+
+The following are a set of _required_ variables for the role:
+
+| Variable | Description |
+|:---------|:------------|
+|`keycloak_realm` | Name of the realm to be created |
+|`keycloak_admin_password`| Password for the administration console user account |
+
+
+The following variables are available for creating clients:
+
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+|`keycloak_clients` | List of _client_ declarations for the realm | `[]` |
+|`keycloak_client_default_roles` | List of default role name for clients | `[]` |
+|`keycloak_client_users` | List of user/role mappings for a client | `[]` |
+
+
+The following variable are available for creating user federation:
+
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+|`keycloak_user_federation` | List of _keycloak_user_federation_ for the realm | `[]` |
+
+
+Variable formats
+----------------
+
+* `keycloak_user_federation`, a list of:
+
+```yaml
+    - realm:  <name of the realm in which user federation should be configured, required>
+      name: <name of the user federation provider, required>
+      provider_id: <type of the user federation provider, required>
+      provider_type: <Provider Type, default is set to org.keycloak.storage.UserStorageProvider>
+      config: <dictionary of supported configuration values, required>
+      mappers: <list of supported configuration values, required>
+```
+
+Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/general/keycloak_user_federation_module.html) for information on supported variables.
+
+
+* `keycloak_clients`, a list of:
+
+```yaml
+    - name: <name of the client>
+      roles: <keycloak_client_default_roles>
+      realm: <name of the realm that contains the client>
+      public_client: <true for public, false for confidential>
+      web_origins: <list of allowed we origins for the client>
+      users: <keycloak_client_users>
+```
+
+* `keycloak_client_users`, a list of:
+
+```yaml
+    - username: <username, required>
+      password: <password, required>
+      firstName: <firstName, optional>
+      lastName: <lastName, optional>
+      email: <email, optional>
+      client_roles: <list of client user/role mappings>
+```
+
+* Client user/role mappings, a list of:
+
+```yaml
+    - client: <name of the client>
+      role: <name of the role>
+      realm: <name of the realm>
+```
+
+For a comprehensive example, refer to the [playbook](../../playbooks/keycloak_realm.yml).
+
+
+Example Playbook
+----------------
+
+The following is an example playbook that makes use of the role to create a realm in keycloak.
+
+```yaml
+---
+- hosts: ...
+      collections:
+        - middleware_automation.keycloak
+      tasks:
+        - name: Include keycloak role
+          include_role:
+            name: keycloak_realm
+          vars:
+            keycloak_admin_password: "changeme"
+            keycloak_realm: TestRealm
+            keycloak_clients: [...]
+```
+
+
+License
+-------
+
+Apache License 2.0
+
+
+Author Information
+------------------
+
+* [Guido Grazioli](https://github.com/guidograzioli)
+* [Romain Pelisse](https://github.com/rpelisse)

roles/keycloak_realm/defaults/main.yml

@@ -0,0 +1,56 @@
+---
+### Keycloak configuration settings
+keycloak_host: localhost
+keycloak_http_port: 8080
+keycloak_https_port: 8443
+keycloak_management_http_port: 9990
+keycloak_rhsso_enable: False
+
+### Keycloak administration console user
+keycloak_admin_user: admin
+keycloak_auth_realm: master
+keycloak_auth_client: admin-cli
+keycloak_context: /auth
+
+# administrator console password, this is a required variable
+keycloak_admin_password: ''
+
+### Keycloak realms, clients, roles, federation
+# list of clients to create in the realm
+#
+# Refer to the playbook for a comprehensive example.
+# Also refer to meta/argument_specs.yml for specifications.
+#
+# Each client has the form:
+#    { name: '', roles: [], realm: '', public_client: bool, web_origins: '', users: [] }
+# where roles is a list of default role names for the client
+# and users is a list of account, see below for the format definition
+# an empty name will skip the creation of the client
+#
+#keycloak_clients:
+#  - name: ''
+#    roles: "{{ keycloak_client_default_roles }}"
+#    realm: "{{ keycloak_realm }}"
+#    public_client: "{{ keycloak_client_public }}"
+#    web_origins: "{{ keycloak_client_web_origins }}"
+#    users: "{{ keycloak_client_users }}"
+keycloak_clients: []
+
+# list of roles to create in the client
+keycloak_client_default_roles: []
+
+# if True, create a public client; otherwise, a confidetial client
+keycloak_client_public: True
+
+# allowed web origins for the client
+keycloak_client_web_origins: '+'
+
+# list of user and role mappings to create in the client
+# Each user has the form:
+#    { username: '', password: '', email: '', firstName: '', lastName: '', client_roles: [] }
+# where each client_role has the form:
+#    { client: '', role: '', realm: '' }
+keycloak_client_users: []
+
+### List of Keycloak User Federation
+keycloak_user_federation: []

roles/keycloak_realm/meta/argument_specs.yml

@@ -0,0 +1,98 @@
+argument_specs:
+    main:
+        options:
+            keycloak_host:
+                # line 3 of keycloak_realm/defaults/main.yml
+                default: "localhost"
+                description: "Hostname for rest calls"
+                type: "str"
+            keycloak_context:
+                # line 5 of keycloak_realm/defaults/main.yml
+                default: "/auth"
+                description: "Context path for rest calls"
+                type: "str"                
+            keycloak_http_port:
+                # line 4 of keycloak_realm/defaults/main.yml
+                default: 8080
+                description: "HTTP port"
+                type: "int"
+            keycloak_https_port:
+                # line 5 of keycloak_realm/defaults/main.yml
+                default: 8443
+                description: "HTTPS port"
+                type: "int"
+            keycloak_management_http_port:
+                # line 6 of keycloak_realm/defaults/main.yml
+                default: 9990
+                description: "Management port"
+                type: "int"
+            keycloak_rhsso_enable:
+                # line 7 of keycloak_realm/defaults/main.yml
+                default: false
+                description: "Enable Red Hat Single Sign-on"
+                type: "bool"
+            keycloak_admin_user:
+                # line 10 of keycloak_realm/defaults/main.yml
+                default: "admin"
+                description: "Administration console user account"
+                type: "str"
+            keycloak_auth_realm:
+                # line 11 of keycloak_realm/defaults/main.yml
+                default: "master"
+                description: "Name of the main authentication realm"
+                type: "str"
+            keycloak_auth_client:
+                # line 12 of keycloak_realm/defaults/main.yml
+                default: "admin-cli"
+                description: "Authentication client for configuration REST calls"
+                type: "str"
+            keycloak_client_default_roles:
+                # line 36 of keycloak_realm/defaults/main.yml
+                default: "[]"
+                description: "List of roles to configure as client default"
+                type: "list"
+            keycloak_client_public:
+                # line 39 of keycloak_realm/defaults/main.yml
+                default: true
+                description: "Configure a public realm client"
+                type: "bool"
+            keycloak_client_web_origins:
+                # line 42 of keycloak_realm/defaults/main.yml
+                default: "+"
+                description: "Web origins for realm client"
+                type: "str"
+            keycloak_client_users:
+                # line 49 of keycloak_realm/defaults/main.yml
+                default: "[]"
+                description: "List of users to configure in the realm client"
+                type: "list"
+            keycloak_user_federation:
+                # line 52 of keycloak_realm/defaults/main.yml
+                default: "[]"
+                description: "List of user federations to configure in the realm"
+                type: "list"
+            keycloak_admin_password:
+                # line 5 of keycloak_realm/vars/main.yml
+                required: true
+                description: "Password for the administration console user account"
+                type: "str"
+            keycloak_realm:
+                # line 8 of keycloak_realm/vars/main.yml
+                required: true
+                description: "Name of the realm to be configured"
+                type: "str"
+            keycloak_clients:
+                # line 11 of keycloak_realm/vars/main.yml
+                default: "[]"
+                description: "List of client declarations for the realm"
+                type: "list"
+            keycloak_url:
+                # line 14 of keycloak_realm/vars/main.yml
+                default: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
+                description: "URL for configuration rest calls"
+                type: "str"
+            keycloak_management_url:
+                # line 15 of keycloak_realm/vars/main.yml
+                default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
+                description: "URL for management console rest calls"
+                type: "str"

roles/keycloak_realm/meta/main.yml

@@ -0,0 +1,23 @@
+---
+galaxy_info:
+  role_name: keycloak_realm
+  namespace: middleware_automation
+  author: Romain Pelisse, Guido Grazioli
+  description: Create realms and clients in keycloak or Red Hat Single Sign-On
+  company: Red Hat, Inc.
+
+  license: Apache License 2.0
+
+  min_ansible_version: "2.9"
+
+  platforms:
+   - name: EL
+     versions:
+     - 8
+
+  galaxy_tags:
+    - keycloak
+    - redhat
+    - rhel
+    - rhn
+    - sso

roles/keycloak_realm/tasks/main.yml

@@ -0,0 +1,100 @@
+---
+- name: Generate keycloak auth token
+  ansible.builtin.uri:
+    url: "{{ keycloak_url }}{{ keycloak_context }}/realms/master/protocol/openid-connect/token"
+    method: POST
+    body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
+    validate_certs: no
+  no_log: True
+  register: keycloak_auth_response
+  until: keycloak_auth_response.status == 200
+  retries: 5
+  delay: 2
+
+- name: "Determine if realm exists"
+  ansible.builtin.uri:
+    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}"
+    method: GET
+    status_code:
+      - 200
+      - 404
+    headers:
+      Accept: "application/json"
+      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+  register: keycloak_realm_exists
+
+- name: Create Realm
+  ansible.builtin.uri:
+    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms"
+    method: POST
+    body: "{{ lookup('template','realm.json.j2') }}"
+    validate_certs: no
+    body_format: json
+    headers:
+      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+    status_code: 201
+  when: keycloak_realm_exists.status == 404
+
+- name: Create user federation
+  community.general.keycloak_user_federation:
+    auth_keycloak_url: "{{ keycloak_url }}{{ keycloak_context }}"
+    auth_realm: "{{ keycloak_auth_realm }}"
+    auth_username: "{{ keycloak_admin_user }}"
+    auth_password: "{{ keycloak_admin_password }}"
+    realm: "{{ item.realm }}"
+    name: "{{ item.name }}"
+    state: present
+    provider_id: "{{ item.provider_id }}"
+    provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}" 
+    config: "{{ item.config }}"
+    mappers: "{{ item.mappers | default(omit) }}"
+  no_log: True
+  register: create_user_federation_result
+  loop: "{{ keycloak_user_federation | flatten }}"
+  when: keycloak_user_federation is defined
+
+- name: Create or update a Keycloak client
+  community.general.keycloak_client:
+    auth_client_id: "{{ keycloak_auth_client }}"
+    auth_keycloak_url: "{{ keycloak_url }}{{ keycloak_context }}"
+    auth_realm: "{{ keycloak_auth_realm }}"
+    auth_username: "{{ keycloak_admin_user }}"
+    auth_password: "{{ keycloak_admin_password }}"
+    realm: "{{ item.realm }}"
+    default_roles: "{{ item.roles | default(omit) }}"
+    client_id: "{{ item.client_id | default(omit) }}"
+    id: "{{ item.id | default(omit) }}"
+    name: "{{ item.name | default(omit) }}"
+    description: "{{ item.description | default(omit) }}"
+    root_url: "{{ item.root_url | default('') }}"
+    admin_url: "{{ item.admin_url | default('') }}"
+    base_url: "{{ item.base_url | default('') }}"
+    enabled: "{{ item.enabled | default(True) }}"
+    redirect_uris: "{{ item.redirect_uris | default(omit) }}"
+    web_origins: "{{ item.web_origins | default('+') }}"
+    bearer_only: "{{ item.bearer_only | default(omit) }}"
+    standard_flow_enabled: "{{ item.standard_flow_enabled | default(omit) }}"
+    implicit_flow_enabled: "{{ item.implicit_flow_enabled | default(omit) }}"
+    direct_access_grants_enabled: "{{ item.direct_access_grants_enabled | default(omit) }}"
+    service_accounts_enabled: "{{ item.service_accounts_enabled | default(omit) }}"
+    public_client: "{{ item.public_client | default(False) }}"
+    protocol: "{{ item.protocol | default(omit) }}"
+    state: present
+  no_log: True
+  register: create_client_result
+  loop: "{{ keycloak_clients | flatten }}"
+  when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined)
+
+- name: Create client roles
+  ansible.builtin.include_tasks: manage_client_roles.yml
+  loop: "{{ keycloak_clients | flatten }}"
+  loop_control:
+    loop_var: client
+  when: "'roles' in client"
+
+- name: Create client users
+  ansible.builtin.include_tasks: manage_client_users.yml
+  loop: "{{ keycloak_clients | flatten }}"
+  loop_control:
+    loop_var: client
+  when: "'users' in client"