Update changelog for release 2.2.2

Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>

.ansible-lint

@@ -0,0 +1,41 @@
+# .ansible-lint
+exclude_paths:
+  - .cache/
+  - .github/
+  - molecule/
+  - .ansible-lint
+  - .yamllint
+  - meta/
+  - playbooks/roles/
+
+rulesdir:
+   - ../../ansible-lint-custom-rules/rules/
+
+enable_list:
+  - fqcn-builtins  # opt-in
+  - no-log-password  # opt-in
+
+warn_list:
+  - role_vars_start_with_role_name
+  - vars_in_vars_files_have_valid_names
+  - experimental
+  - ignore-errors
+  - no-handler
+  - no-log-password
+  - jinja[spacing]
+  - jinja[invalid]
+  - meta-no-tags
+  - name[casing]
+  - fqcn[action]
+  - schema[meta]
+  - var-naming[no-role-prefix]
+  - key-order[task]
+  - blocked_modules
+
+skip_list:
+  - vars_should_not_be_used
+  - file_is_small_enough
+  - name[template]
+
+use_default_rules: true
+parseable: true

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,48 @@
+---
+name: 🐛 Bug report
+about: Create a report to help us improve
+
+---
+
+##### SUMMARY
+<!-- Explain the problem briefly -->
+
+
+##### ISSUE TYPE
+ - Bug Report
+
+
+##### ANSIBLE VERSION
+<!-- Paste, BELOW THIS COMMENT, verbatim output from "ansible --version"-->
+```
+
+```
+
+##### COLLECTION VERSION
+<!-- Paste, BELOW THIS COMMENT, verbatim output from "ansible-galaxy collection list"-->
+<!-- If using virtual environments or execution environments, remember to activate them-->
+```
+
+```
+
+##### STEPS TO REPRODUCE
+<!-- List the steps to reproduce the problem, using a minimal test-case. -->
+
+<!-- Paste example playbook below -->
+```yaml
+
+```
+
+##### EXPECTED RESULTS
+<!-- What did you expect to happen when running the steps above? -->
+
+
+##### ACTUAL RESULTS
+<!-- What actually happened? If possible run with extra verbosity (-vvvv) and diff (--diff) -->
+<!-- Please also include check mode (--check --diff) output if the API returns an error -->
+<!-- Be sure to mask any sensitive information -->
+
+<!--- Paste verbatim command output between quotes below -->
+```
+
+```

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,12 @@
+---
+name: ✨ Feature request
+about: Suggest an idea for this project
+
+---
+
+##### SUMMARY
+<!--- Explain the problem briefly -->
+
+
+##### ISSUE TYPE
+ - Feature Idea

.github/workflows/ci.yml

@@ -1,45 +1,18 @@
 ---
 name: CI
-"on":
+on:
   push:
     branches:
       - main
   pull_request:
+  schedule:
+    - cron: '15 6 * * *'
 
 jobs:
   ci:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python_version: ["3.9"]
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v2
-        with:
-          path: ansible_collections/middleware_automation/keycloak
-
-      - name: Set up Python ${{ matrix.python_version }}
-        uses: actions/setup-python@v1
-        with:
-          python-version: ${{ matrix.python_version }}
-
-      - name: Install yamllint, ansible and molecule
-        run: |
-          python -m pip install --upgrade pip
-          pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
-
-      - name: Create default collection path symlink
-        run: |
-          mkdir -p /home/runner/.ansible
-          ln -s /home/runner/work/middleware_automation/keycloak /home/runner/.ansible/collections
-
-      - name: Run sanity tests
-        run: ansible-test sanity --docker -v --color --python ${{ matrix.python_version }}
-        working-directory: ./ansible_collections/middleware_automation/keycloak
-
-      - name: Run molecule test
-        run: molecule test --all
-        working-directory: ./ansible_collections/middleware_automation/keycloak
-        env:
-          PY_COLORS: '1'
-          ANSIBLE_FORCE_COLOR: '1'
+    uses: ansible-middleware/github-actions/.github/workflows/ci.yml@main
+    secrets: inherit
+    with:
+      fqcn: 'middleware_automation/keycloak'
+      molecule_tests: >-
+          [ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "debian" ]

.github/workflows/docs.yml

@@ -0,0 +1,18 @@
+---
+name: Documentation
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "[0-9]+.[0-9]+.[0-9]+"
+  workflow_dispatch:
+
+jobs:
+  docs:
+    uses: ansible-middleware/github-actions/.github/workflows/docs.yml@main
+    secrets: inherit
+    with:
+      fqcn: 'middleware_automation/keycloak'
+      collection_fqcn: 'middleware_automation.keycloak'
+      historical_docs: 'false'

.github/workflows/release.yml

@@ -1,38 +1,34 @@
+---
 name: Release collection
-
 on:
-  push:
-    tags:
-      - "*.*.*"
+  workflow_dispatch:
+    inputs:
+      release_summary:
+        description: 'Optional release summary for changelogs'
+        required: false
 
 jobs:
   release:
+    uses: ansible-middleware/github-actions/.github/workflows/release.yml@main
+    with:
+      collection_fqcn: 'middleware_automation.keycloak'
+      downstream_name: 'rhbk'
+      release_summary: "${{ github.event.inputs.release_summary }}"
+    secrets:
+      galaxy_token: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
+      jira_webhook: ${{ secrets.JIRA_WEBHOOK_CREATE_VERSION }}
+
+  dispatch:
+    needs: release
+    strategy:
+      matrix:
+        repo: ['ansible-middleware/ansible-middleware-ee']
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - name: Set up Python
-        uses: actions/setup-python@v1
+      - name: Repository Dispatch
+        uses: peter-evans/repository-dispatch@v1
         with:
-          python-version: "3.x"
-      - name: Get Tag Version
-        id: get_version
-        run: echo ::set-output name=TAG_VERSION::${GITHUB_REF#refs/tags/}
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install ansible-core
-      - name: Build collection
-        run: |
-          ansible-galaxy collection build .
-      - name: Publish Release
-        uses: softprops/action-gh-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          files: "*.tar.gz"
-          body: "Release ${{ steps.get_version.outputs.TAG_VERSION }}"
-      - name: Publish collection
-        env:
-          ANSIBLE_GALAXY_API_KEY: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
-        run: |
-          ansible-galaxy collection publish *.tar.gz --api-key $ANSIBLE_GALAXY_API_KEY
+          token: ${{ secrets.TRIGGERING_PAT }}
+          repository: ${{ matrix.repo }}
+          event-type: "Dependency released - Keycloak v${{ needs.release.outputs.tag_version }}"
+          client-payload: '{ "github": ${{toJson(github)}} }'

.gitignore

@@ -1 +1,14 @@
-*.tar.gz
+*.tar.gz
+*.zip
+.tmp
+.cache
+.vscode/
+__pycache__/
+docs/plugins/
+docs/roles/
+docs/_build/
+.pytest_cache/
+.mypy_cache/
+*.retry
+changelogs/.plugin-cache.yaml
+*.pem

CHANGELOG.rst

@@ -0,0 +1,390 @@
+=============================================
+middleware\_automation.keycloak Release Notes
+=============================================
+
+.. contents:: Topics
+
+This changelog describes changes after version 0.2.6.
+
+v2.2.2
+======
+
+Minor Changes
+-------------
+
+- Copying of key material for TLS configuration `#210 <https://github.com/ansible-middleware/keycloak/pull/210>`_
+- Validate certs parameter for JDBC driver downloads `#207 <https://github.com/ansible-middleware/keycloak/pull/207>`_
+
+Bugfixes
+--------
+
+- Turn off controller privilege escalation `#209 <https://github.com/ansible-middleware/keycloak/pull/209>`_
+
+v2.2.1
+======
+
+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
+Bugfixes
+--------
+
+- JDBC provider: fix clause in argument validation `#204 <https://github.com/ansible-middleware/keycloak/pull/204>`_
+
+v2.2.0
+======
+
+Major Changes
+-------------
+
+- Support java keystore for configuration of sensitive options `#189 <https://github.com/ansible-middleware/keycloak/pull/189>`_
+
+Minor Changes
+-------------
+
+- Add ``wait_for_port`` and ``wait_for_log`` systemd unit logic `#199 <https://github.com/ansible-middleware/keycloak/pull/199>`_
+- Customize jdbc driver downloads, optional authentication `#202 <https://github.com/ansible-middleware/keycloak/pull/202>`_
+- Keystore-based vault SPI configuration `#196 <https://github.com/ansible-middleware/keycloak/pull/196>`_
+- New ``keycloak_quarkus_hostname_strict_https`` parameter `#195 <https://github.com/ansible-middleware/keycloak/pull/195>`_
+- Providers config and custom providers `#201 <https://github.com/ansible-middleware/keycloak/pull/201>`_
+- Remove administrator credentials from files once keycloak is bootstrapped `#197 <https://github.com/ansible-middleware/keycloak/pull/197>`_
+- Update keycloak to 24.0 `#194 <https://github.com/ansible-middleware/keycloak/pull/194>`_
+
+v2.1.2
+======
+
+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
+v2.1.1
+======
+
+Minor Changes
+-------------
+
+- Add reverse ``proxy_headers`` config, supersedes ``proxy_mode`` `#187 <https://github.com/ansible-middleware/keycloak/pull/187>`_
+- Debian/Ubuntu compatibility `#178 <https://github.com/ansible-middleware/keycloak/pull/178>`_
+- Use ``keycloak_realm`` as default for sub-entities `#180 <https://github.com/ansible-middleware/keycloak/pull/180>`_
+
+Bugfixes
+--------
+
+- Fix permissions on controller-side downloaded artifacts `#184 <https://github.com/ansible-middleware/keycloak/pull/184>`_
+- JVM args moved to ``JAVA_OPTS`` envvar (instead of JAVA_OPTS_APPEND) `#186 <https://github.com/ansible-middleware/keycloak/pull/186>`_
+- Unrelax configuration file permissions `#191 <https://github.com/ansible-middleware/keycloak/pull/191>`_
+- Utilize comment filter for ``ansible_managed`` annotations `#176 <https://github.com/ansible-middleware/keycloak/pull/176>`_
+
+v2.1.0
+======
+
+Major Changes
+-------------
+
+- Implement infinispan TCPPING discovery protocol `#159 <https://github.com/ansible-middleware/keycloak/pull/159>`_
+
+Minor Changes
+-------------
+
+- Set enable-recovery when xa transactions are enabled `#167 <https://github.com/ansible-middleware/keycloak/pull/167>`_
+- keycloak_quarkus: Allow configuring log rotate options in quarkus configuration `#161 <https://github.com/ansible-middleware/keycloak/pull/161>`_
+- keycloak_quarkus: ``sticky-session`` for infinispan routes `#163 <https://github.com/ansible-middleware/keycloak/pull/163>`_
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- keycloak_quarkus: renamed infinispan host list configuration `#157 <https://github.com/ansible-middleware/keycloak/pull/157>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: fix custom JAVA_HOME parameter name `#171 <https://github.com/ansible-middleware/keycloak/pull/171>`_
+
+v2.0.2
+======
+
+Minor Changes
+-------------
+
+- keycloak_quarkus: Add support for sqlserver jdbc driver `#148 <https://github.com/ansible-middleware/keycloak/pull/148>`_
+- keycloak_quarkus: allow configuration of ``hostname-strict-backchannel`` `#152 <https://github.com/ansible-middleware/keycloak/pull/152>`_
+- keycloak_quarkus: systemd restart behavior `#145 <https://github.com/ansible-middleware/keycloak/pull/145>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: Use ``keycloak_quarkus_java_opts`` `#154 <https://github.com/ansible-middleware/keycloak/pull/154>`_
+- keycloak_quarkus: allow ports <1024 (e.g. :443) in systemd unit `#150 <https://github.com/ansible-middleware/keycloak/pull/150>`_
+
+v2.0.1
+======
+
+Minor Changes
+-------------
+
+- keycloak_quarkus: add hostname-strict parameter `#139 <https://github.com/ansible-middleware/keycloak/pull/139>`_
+- keycloak_quarkus: update to version 23.0.1 `#133 <https://github.com/ansible-middleware/keycloak/pull/133>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: template requires lowercase boolean values `#138 <https://github.com/ansible-middleware/keycloak/pull/138>`_
+
+v2.0.0
+======
+
+Minor Changes
+-------------
+
+- Add new parameter for port offset configuration `#124 <https://github.com/ansible-middleware/keycloak/pull/124>`_
+- Update Keycloak to version 22.0.5 `#122 <https://github.com/ansible-middleware/keycloak/pull/122>`_
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- Add support for more http-related configs `#115 <https://github.com/ansible-middleware/keycloak/pull/115>`_
+- Update minimum ansible-core version > 2.14 `#119 <https://github.com/ansible-middleware/keycloak/pull/119>`_
+- keycloak_quarkus: enable config of key store and trust store `#116 <https://github.com/ansible-middleware/keycloak/pull/116>`_
+
+v1.3.0
+======
+
+Major Changes
+-------------
+
+- Run service as ``keycloak_service_user`` `#106 <https://github.com/ansible-middleware/keycloak/pull/106>`_
+
+Minor Changes
+-------------
+
+- keycloak_quarkus: Update Keycloak to version 22.0.3 `#112 <https://github.com/ansible-middleware/keycloak/pull/112>`_
+- keycloak_quarkus: fix admin console redirect when running locally `#111 <https://github.com/ansible-middleware/keycloak/pull/111>`_
+- keycloak_quarkus: skip proxy config if ``keycloak_quarkus_proxy_mode`` is ``none`` `#109 <https://github.com/ansible-middleware/keycloak/pull/109>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: fix validation failure upon port configuration change `#113 <https://github.com/ansible-middleware/keycloak/pull/113>`_
+
+v1.2.8
+======
+
+Minor Changes
+-------------
+
+- keycloak_quarkus: set openjdk 17 as default `#103 <https://github.com/ansible-middleware/keycloak/pull/103>`_
+- keycloak_quarkus: update to version 22.0.1 `#107 <https://github.com/ansible-middleware/keycloak/pull/107>`_
+
+Bugfixes
+--------
+
+- Fix incorrect checks for ``keycloak_jgroups_subnet`` `#98 <https://github.com/ansible-middleware/keycloak/pull/98>`_
+- Undefine ``keycloak_db_valid_conn_sql`` default `#91 <https://github.com/ansible-middleware/keycloak/pull/91>`_
+- Update bindep.txt package python3-devel to support RHEL9 `#105 <https://github.com/ansible-middleware/keycloak/pull/105>`_
+
+v1.2.7
+======
+
+Minor Changes
+-------------
+
+- Allow to override jgroups subnet `#93 <https://github.com/ansible-middleware/keycloak/pull/93>`_
+- keycloak-quarkus: update keycloakx to v21.1.1 `#92 <https://github.com/ansible-middleware/keycloak/pull/92>`_
+
+v1.2.6
+======
+
+Minor Changes
+-------------
+
+- Add profile features enabling/disabling `#87 <https://github.com/ansible-middleware/keycloak/pull/87>`_
+- Improve service restart behavior configuration `#88 <https://github.com/ansible-middleware/keycloak/pull/88>`_
+- Update default xa_datasource_class value for mariadb jdbc configuration `#89 <https://github.com/ansible-middleware/keycloak/pull/89>`_
+
+Bugfixes
+--------
+
+- Handle WFLYCTL0117 when background validation millis is 0 `#90 <https://github.com/ansible-middleware/keycloak/pull/90>`_
+
+v1.2.5
+======
+
+Minor Changes
+-------------
+
+- Add configuration for database connection pool validation `#85 <https://github.com/ansible-middleware/keycloak/pull/85>`_
+- Allow to configure administration endpoint URL `#86 <https://github.com/ansible-middleware/keycloak/pull/86>`_
+- Allow to force backend URLs to frontend URLs `#84 <https://github.com/ansible-middleware/keycloak/pull/84>`_
+- Introduce systemd unit restart behavior `#81 <https://github.com/ansible-middleware/keycloak/pull/81>`_
+
+v1.2.4
+======
+
+Minor Changes
+-------------
+
+- Add ``sqlserver`` to keycloak role jdbc configurations `#78 <https://github.com/ansible-middleware/keycloak/pull/78>`_
+- Add configurability for XA transactions `#73 <https://github.com/ansible-middleware/keycloak/pull/73>`_
+
+Bugfixes
+--------
+
+- Fix deprecation warning for ``ipaddr`` `#77 <https://github.com/ansible-middleware/keycloak/pull/77>`_
+- Fix undefined facts when offline patching sso `#71 <https://github.com/ansible-middleware/keycloak/pull/71>`_
+
+v1.2.1
+======
+
+Minor Changes
+-------------
+
+- Allow to setup keycloak HA cluster without remote cache store `#68 <https://github.com/ansible-middleware/keycloak/pull/68>`_
+
+Bugfixes
+--------
+
+- Pass attributes to realm clients `#69 <https://github.com/ansible-middleware/keycloak/pull/69>`_
+
+v1.2.0
+======
+
+Major Changes
+-------------
+
+- Provide config for multiple modcluster proxies `#60 <https://github.com/ansible-middleware/keycloak/pull/60>`_
+
+Minor Changes
+-------------
+
+- Allow to configure TCPPING for cluster discovery `#62 <https://github.com/ansible-middleware/keycloak/pull/62>`_
+- Drop community.general from dependencies `#61 <https://github.com/ansible-middleware/keycloak/pull/61>`_
+- Switch middleware_automation.redhat_csp_download for middleware_automation.common `#63 <https://github.com/ansible-middleware/keycloak/pull/63>`_
+- Switch to middleware_automation.common for rh-sso patching `#64 <https://github.com/ansible-middleware/keycloak/pull/64>`_
+
+v1.1.1
+======
+
+Bugfixes
+--------
+
+- keycloak-quarkus: fix ``cache-config-file`` path in keycloak.conf.j2 template `#53 <https://github.com/ansible-middleware/keycloak/pull/53>`_
+
+v1.1.0
+======
+
+Minor Changes
+-------------
+
+- Update keycloak to 18.0.2 - sso to 7.6.1 `#46 <https://github.com/ansible-middleware/keycloak/pull/46>`_
+- Variable ``keycloak_no_log`` controls ansible ``no_log`` parameter (for debugging purposes) `#47 <https://github.com/ansible-middleware/keycloak/pull/47>`_
+- Variables to override service start retries and delay `#51 <https://github.com/ansible-middleware/keycloak/pull/51>`_
+- keycloak_quarkus: variable to enable development mode `#45 <https://github.com/ansible-middleware/keycloak/pull/45>`_
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- Rename variables from ``infinispan_`` prefix to ``keycloak_infinispan_`` `#42 <https://github.com/ansible-middleware/keycloak/pull/42>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: fix /var/log/keycloak symlink to keycloak log directory `#44 <https://github.com/ansible-middleware/keycloak/pull/44>`_
+
+v1.0.7
+======
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- keycloak_quarkus: use absolute path for certificate files `#39 <https://github.com/ansible-middleware/keycloak/pull/39>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: use become for tasks that will otherwise fail `#38 <https://github.com/ansible-middleware/keycloak/pull/38>`_
+
+v1.0.6
+======
+
+Bugfixes
+--------
+
+- keycloak_quarkus: add selected java to PATH in systemd unit `#34 <https://github.com/ansible-middleware/keycloak/pull/34>`_
+- keycloak_quarkus: set logfile path correctly under keycloak home `#35 <https://github.com/ansible-middleware/keycloak/pull/35>`_
+
+v1.0.5
+======
+
+Minor Changes
+-------------
+
+- Update config options: keycloak and quarkus `#32 <https://github.com/ansible-middleware/keycloak/pull/32>`_
+
+v1.0.4
+======
+
+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
+v1.0.3
+======
+
+Major Changes
+-------------
+
+- New role for installing keycloak >= 17.0.0 (quarkus) `#29 <https://github.com/ansible-middleware/keycloak/pull/29>`_
+
+Minor Changes
+-------------
+
+- Add ``keycloak_config_override_template`` parameter for passing a custom xml config template `#30 <https://github.com/ansible-middleware/keycloak/pull/30>`_
+
+Bugfixes
+--------
+
+- Make sure systemd unit starts with selected java JVM `#31 <https://github.com/ansible-middleware/keycloak/pull/31>`_
+
+v1.0.2
+======
+
+Minor Changes
+-------------
+
+- Make ``keycloak_admin_password`` a default with assert (was: role variable) `#26 <https://github.com/ansible-middleware/keycloak/pull/26>`_
+- Simplify dependency install logic and reduce play execution time `#19 <https://github.com/ansible-middleware/keycloak/pull/19>`_
+
+Bugfixes
+--------
+
+- Set ``keycloak_frontend_url`` default according to other defaults `#25 <https://github.com/ansible-middleware/keycloak/pull/25>`_
+
+v1.0.1
+======
+
+Release Summary
+---------------
+
+Minor enhancements, bug and documentation fixes.
+
+Major Changes
+-------------
+
+- Apply latest cumulative patch of RH-SSO automatically when new parameter ``keycloak_rhsso_apply_patches`` is ``true`` `#18 <https://github.com/ansible-middleware/keycloak/pull/18>`_
+
+Minor Changes
+-------------
+
+- Clustered installs now perform database initialization on first node to avoid locking issues `#17 <https://github.com/ansible-middleware/keycloak/pull/17>`_
+
+v1.0.0
+======
+
+Release Summary
+---------------
+
+This is the first stable release of the ``middleware_automation.keycloak`` collection.

CONTRIBUTING.md

@@ -0,0 +1,14 @@
+
+## Contributor's Guidelines
+
+- All YAML files named with `.yml` extension
+- Use spaces around jinja variables. `{{ var }}` over `{{var}}`
+- Variables that are internal to the role should be lowercase and start with the role name
+- Keep roles self contained - Roles should avoid including tasks from other roles when possible
+- Plays should do nothing more than include a list of roles, except where `pre_tasks` and `post_tasks` are required, when possible
+- Separators - Use valid names, ie. underscores (e.g. `my_role` `my_playbook`) not dashes (`my-role`)
+- Paths - When defining paths, do not include trailing slashes (e.g. `my_path: /foo` not `my_path: /foo/`); when concatenating paths, follow the same convention (e.g. `{{ my_path }}/bar` not `{{ my_path }}bar`)
+- Indentation - Use 2 spaces for each indent
+- `vars/` vs `defaults/` - internal or interpolated variables that don't need to change or be overridden by user go in `vars/`, those that a user would likely override, go under `defaults/` directory
+- All role arguments have a specification in `meta/argument_specs.yml`
+- All playbooks/roles should be focused on compatibility with Ansible Automation Platform

README.md

@@ -1,26 +1,33 @@
-# Ansible Collection - keycloak
+# Ansible Collection - middleware_automation.keycloak
 
+<!--start build_status -->
 [![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
 
+> **_NOTE:_ If you are Red Hat customer, install `redhat.sso` (for Red Hat Single Sign-On) or `redhat.rhbk` (for Red Hat Build of Keycloak) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.**
 
-Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on). 
+<!--end build_status -->
+Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) / [Red Hat Build of Keycloak](https://access.redhat.com/products/red-hat-build-of-keycloak).
 
 <!--start requires_ansible-->
 ## Ansible version compatibility
 
-This collection has been tested against following Ansible versions: **>=2.9.10**.
+This collection has been tested against following Ansible versions: **>=2.14.0**.
 
 Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
 <!--end requires_ansible-->
 
-## Installation and Usage
 
+## Installation
+
+<!--start galaxy_download -->
 ### Installing the Collection from Ansible Galaxy
 
 Before using the collection, you need to install it with the Ansible Galaxy CLI:
 
     ansible-galaxy collection install middleware_automation.keycloak
 
+<!--end galaxy_download -->
+
 You can also include it in a `requirements.yml` file and install it via `ansible-galaxy collection install -r requirements.yml`, using the format:
 
 ```yaml
@@ -29,28 +36,109 @@ collections:
   - name: middleware_automation.keycloak
 ```
 
-### Choosing between Red Hat products and upstream project
+The keycloak collection also depends on the following python packages to be present on the controller host:
 
-The roles supports installing Red Hat Single Sign-On from the Customer Portal, when the following variables are defined:
+* netaddr
 
-```
-rhn_username: '<customer_portal_username>'
-rhn_password: '<customer_portal_password>'
-rhsso_rhn_id: '<sso_product_id>'
+A requirement file is provided to install:
+
+    pip install -r requirements.txt
+
+<!--start roles_paths -->
+### Included roles
+
+* [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service (keycloak <= 19.0).
+* [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
+* [`keycloak_quarkus`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md): role for installing the quarkus variant of keycloak (>= 17.0.0).
+<!--end roles_paths -->
+
+## Usage
+
+
+### Install Playbook
+<!--start rhbk_playbook -->
+* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs keycloak legacy based on the defined variables (using most defaults).
+* [`playbooks/keycloak_quarkus.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_quarkus.yml) installs keycloak >= 17 based on the defined variables (using most defaults).
+  
+Both playbooks include the `keycloak` role, with different settings, as described in the following sections.
+
+For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md).
+<!--end rhbk_playbook -->
+
+#### Install from controller node (offline)
+
+Making the keycloak zip archive available to the playbook working directory, and setting `keycloak_offline_install` to `true`, allows to skip
+the download tasks. The local path for the archive does match the downloaded archive path, so that it is also used as a cache when multiple hosts are provisioned in a cluster.
+
+```yaml
+keycloak_offline_install: true
 ```
 
-where `sso_product_id` is the ID for the specific Red Hat Single Sign-On version, ie. _101971_ will install version _7.5_)
+
+<!--start rhn_credentials -->
+<!--end rhn_credentials -->
 
 
-## Included roles
+#### Install from alternate sources (like corporate Nexus, artifactory, proxy, etc)
 
-* `keycloak`: role for installing the service.
-* `keycloak_realm`: role for configuring a realm, with clients and users, in an installed service.
+It is possible to perform downloads from alternate sources, using the `keycloak_download_url` variable; make sure the final downloaded filename matches with the source filename (ie. keycloak-legacy-x.y.zip or rh-sso-x.y.z-server-dist.zip).
+
+
+### Example installation command
+
+Execute the following command from the source root directory
+
+```
+ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme>
+``` 
+
+- `keycloak_admin_password` Password for the administration console user account.
+- `ansible_hosts` is the inventory, below is an example inventory for deploying to localhost
+
+  ```
+  [keycloak]
+  localhost ansible_connection=local
+  ```
+
+Note: when deploying clustered configurations, all hosts belonging to the cluster must be present in ansible_play_batch; ie. they must be targeted by the same ansible-playbook execution.
+
+
+## Configuration
+
+
+### Config Playbook
+<!--start rhbk_realm_playbook -->
+[`playbooks/keycloak_realm.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
+<!--end rhbk_realm_playbook -->
+
+### Example configuration command
+
+Execute the following command from the source root directory:
+
+```bash
+ansible-playbook -i <ansible_hosts> playbooks/keycloak_realm.yml -e keycloak_admin_password=<changeme> -e keycloak_realm=test
+```
+
+- `keycloak_admin_password` password for the administration console user account.
+- `keycloak_realm` name of the realm to be created/used.
+- `ansible_hosts` is the inventory, below is an example inventory for deploying to localhost
+
+  ```
+  [keycloak]
+  localhost ansible_connection=local
+  ```
+<!--start rhbk_realm_readme -->
+For full configuration details, refer to the [keycloak_realm role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md).
+<!--end rhbk_realm_readme -->
+
+<!--start support -->
+<!--end support -->
 
 
 ## License
 
 Apache License v2.0 or later
-
-See [LICENCE](LICENSE) to view the full text.
+<!--start license -->
+See [LICENSE](LICENSE) to view the full text.
+<!--end license -->
 

bindep.txt

@@ -0,0 +1,9 @@
+python3-dev [compile platform:dpkg]
+python3-devel [compile platform:rpm]
+python39-devel [compile platform:centos-8 platform:rhel-8]
+git-lfs [platform:rpm platform:dpkg]
+python3-netaddr [platform:rpm platform:dpkg]
+python3-lxml [platform:rpm platform:dpkg]
+python3-jmespath [platform:rpm platform:dpkg]
+python3-requests [platform:rpm platform:dpkg]
+

changelogs/changelog.yaml

@@ -0,0 +1,534 @@
+ancestor: 0.2.6
+releases:
+  1.0.0:
+    changes:
+      release_summary: 'This is the first stable release of the ``middleware_automation.keycloak``
+        collection.
+
+        '
+    release_date: '2022-03-04'
+  1.0.1:
+    changes:
+      major_changes:
+      - Apply latest cumulative patch of RH-SSO automatically when new parameter ``keycloak_rhsso_apply_patches``
+        is ``true`` `#18 <https://github.com/ansible-middleware/keycloak/pull/18>`_
+      minor_changes:
+      - Clustered installs now perform database initialization on first node to avoid
+        locking issues `#17 <https://github.com/ansible-middleware/keycloak/pull/17>`_
+      release_summary: 'Minor enhancements, bug and documentation fixes.
+
+        '
+    release_date: '2022-03-11'
+  1.0.2:
+    changes:
+      bugfixes:
+      - 'Set ``keycloak_frontend_url`` default according to other defaults `#25 <https://github.com/ansible-middleware/keycloak/pull/25>`_
+
+        '
+      minor_changes:
+      - 'Make ``keycloak_admin_password`` a default with assert (was: role variable)
+        `#26 <https://github.com/ansible-middleware/keycloak/pull/26>`_
+
+        '
+      - 'Simplify dependency install logic and reduce play execution time `#19 <https://github.com/ansible-middleware/keycloak/pull/19>`_
+
+        '
+    fragments:
+    - 19.yaml
+    - 25.yaml
+    - 26.yaml
+    release_date: '2022-04-01'
+  1.0.3:
+    changes:
+      bugfixes:
+      - 'Make sure systemd unit starts with selected java JVM `#31 <https://github.com/ansible-middleware/keycloak/pull/31>`_
+
+        '
+      major_changes:
+      - 'New role for installing keycloak >= 17.0.0 (quarkus) `#29 <https://github.com/ansible-middleware/keycloak/pull/29>`_
+
+        '
+      minor_changes:
+      - 'Add ``keycloak_config_override_template`` parameter for passing a custom
+        xml config template `#30 <https://github.com/ansible-middleware/keycloak/pull/30>`_
+
+        '
+    fragments:
+    - 29.yaml
+    - 30.yaml
+    - 31.yaml
+    release_date: '2022-05-09'
+  1.0.4:
+    changes:
+      release_summary: 'Internal release, documentation or test changes only.
+
+        '
+    release_date: '2022-05-11'
+  1.0.5:
+    changes:
+      minor_changes:
+      - 'Update config options: keycloak and quarkus `#32 <https://github.com/ansible-middleware/keycloak/pull/32>`_
+
+        '
+    fragments:
+    - 32.yaml
+    release_date: '2022-05-25'
+  1.0.6:
+    changes:
+      bugfixes:
+      - 'keycloak_quarkus: add selected java to PATH in systemd unit `#34 <https://github.com/ansible-middleware/keycloak/pull/34>`_
+
+        '
+      - 'keycloak_quarkus: set logfile path correctly under keycloak home `#35 <https://github.com/ansible-middleware/keycloak/pull/35>`_
+
+        '
+    fragments:
+    - 34.yaml
+    - 35.yaml
+    release_date: '2022-06-01'
+  1.0.7:
+    changes:
+      breaking_changes:
+      - 'keycloak_quarkus: use absolute path for certificate files `#39 <https://github.com/ansible-middleware/keycloak/pull/39>`_
+
+        '
+      bugfixes:
+      - 'keycloak_quarkus: use become for tasks that will otherwise fail `#38 <https://github.com/ansible-middleware/keycloak/pull/38>`_
+
+        '
+    fragments:
+    - 38.yaml
+    - 39.yaml
+    release_date: '2022-07-06'
+  1.1.0:
+    changes:
+      breaking_changes:
+      - 'Rename variables from ``infinispan_`` prefix to ``keycloak_infinispan_``
+        `#42 <https://github.com/ansible-middleware/keycloak/pull/42>`_
+
+        '
+      bugfixes:
+      - 'keycloak_quarkus: fix /var/log/keycloak symlink to keycloak log directory
+        `#44 <https://github.com/ansible-middleware/keycloak/pull/44>`_
+
+        '
+      minor_changes:
+      - 'Update keycloak to 18.0.2 - sso to 7.6.1 `#46 <https://github.com/ansible-middleware/keycloak/pull/46>`_
+
+        '
+      - 'Variable ``keycloak_no_log`` controls ansible ``no_log`` parameter (for debugging
+        purposes) `#47 <https://github.com/ansible-middleware/keycloak/pull/47>`_
+
+        '
+      - 'Variables to override service start retries and delay `#51 <https://github.com/ansible-middleware/keycloak/pull/51>`_
+
+        '
+      - 'keycloak_quarkus: variable to enable development mode `#45 <https://github.com/ansible-middleware/keycloak/pull/45>`_
+
+        '
+    fragments:
+    - 42.yaml
+    - 44.yaml
+    - 45.yaml
+    - 46.yaml
+    - 47.yaml
+    - 51.yaml
+    release_date: '2023-01-09'
+  1.1.1:
+    changes:
+      bugfixes:
+      - 'keycloak-quarkus: fix ``cache-config-file`` path in keycloak.conf.j2 template
+        `#53 <https://github.com/ansible-middleware/keycloak/pull/53>`_
+
+        '
+    fragments:
+    - 53.yaml
+    release_date: '2023-03-07'
+  1.2.0:
+    changes:
+      major_changes:
+      - 'Provide config for multiple modcluster proxies `#60 <https://github.com/ansible-middleware/keycloak/pull/60>`_
+
+        '
+      minor_changes:
+      - 'Allow to configure TCPPING for cluster discovery `#62 <https://github.com/ansible-middleware/keycloak/pull/62>`_
+
+        '
+      - 'Drop community.general from dependencies `#61 <https://github.com/ansible-middleware/keycloak/pull/61>`_
+
+        '
+      - 'Switch middleware_automation.redhat_csp_download for middleware_automation.common
+        `#63 <https://github.com/ansible-middleware/keycloak/pull/63>`_
+
+        '
+      - 'Switch to middleware_automation.common for rh-sso patching `#64 <https://github.com/ansible-middleware/keycloak/pull/64>`_
+
+        '
+    fragments:
+    - 60.yaml
+    - 61.yaml
+    - 62.yaml
+    - 63.yaml
+    - 64.yaml
+    release_date: '2023-03-16'
+  1.2.1:
+    changes:
+      bugfixes:
+      - 'Pass attributes to realm clients `#69 <https://github.com/ansible-middleware/keycloak/pull/69>`_
+
+        '
+      minor_changes:
+      - 'Allow to setup keycloak HA cluster without remote cache store `#68 <https://github.com/ansible-middleware/keycloak/pull/68>`_
+
+        '
+    fragments:
+    - 68.yaml
+    - 69.yaml
+    release_date: '2023-04-11'
+  1.2.4:
+    changes:
+      bugfixes:
+      - 'Fix deprecation warning for ``ipaddr`` `#77 <https://github.com/ansible-middleware/keycloak/pull/77>`_
+
+        '
+      - 'Fix undefined facts when offline patching sso `#71 <https://github.com/ansible-middleware/keycloak/pull/71>`_
+
+        '
+      minor_changes:
+      - 'Add ``sqlserver`` to keycloak role jdbc configurations `#78 <https://github.com/ansible-middleware/keycloak/pull/78>`_
+
+        '
+      - 'Add configurability for XA transactions `#73 <https://github.com/ansible-middleware/keycloak/pull/73>`_
+
+        '
+    fragments:
+    - 71.yaml
+    - 73.yaml
+    - 77.yaml
+    - 78.yaml
+    release_date: '2023-05-09'
+  1.2.5:
+    changes:
+      minor_changes:
+      - 'Add configuration for database connection pool validation `#85 <https://github.com/ansible-middleware/keycloak/pull/85>`_
+
+        '
+      - 'Allow to configure administration endpoint URL `#86 <https://github.com/ansible-middleware/keycloak/pull/86>`_
+
+        '
+      - 'Allow to force backend URLs to frontend URLs `#84 <https://github.com/ansible-middleware/keycloak/pull/84>`_
+
+        '
+      - 'Introduce systemd unit restart behavior `#81 <https://github.com/ansible-middleware/keycloak/pull/81>`_
+
+        '
+    fragments:
+    - 81.yaml
+    - 84.yaml
+    - 85.yaml
+    - 86.yaml
+    release_date: '2023-05-26'
+  1.2.6:
+    changes:
+      bugfixes:
+      - 'Handle WFLYCTL0117 when background validation millis is 0 `#90 <https://github.com/ansible-middleware/keycloak/pull/90>`_
+
+        '
+      minor_changes:
+      - 'Add profile features enabling/disabling `#87 <https://github.com/ansible-middleware/keycloak/pull/87>`_
+
+        '
+      - 'Improve service restart behavior configuration `#88 <https://github.com/ansible-middleware/keycloak/pull/88>`_
+
+        '
+      - 'Update default xa_datasource_class value for mariadb jdbc configuration `#89
+        <https://github.com/ansible-middleware/keycloak/pull/89>`_
+
+        '
+    fragments:
+    - 87.yaml
+    - 88.yaml
+    - 89.yaml
+    - 90.yaml
+    release_date: '2023-06-07'
+  1.2.7:
+    changes:
+      minor_changes:
+      - 'Allow to override jgroups subnet `#93 <https://github.com/ansible-middleware/keycloak/pull/93>`_
+
+        '
+      - 'keycloak-quarkus: update keycloakx to v21.1.1 `#92 <https://github.com/ansible-middleware/keycloak/pull/92>`_
+
+        '
+    fragments:
+    - 92.yaml
+    - 93.yaml
+    release_date: '2023-06-19'
+  1.2.8:
+    changes:
+      bugfixes:
+      - 'Fix incorrect checks for ``keycloak_jgroups_subnet`` `#98 <https://github.com/ansible-middleware/keycloak/pull/98>`_
+
+        '
+      - 'Undefine ``keycloak_db_valid_conn_sql`` default `#91 <https://github.com/ansible-middleware/keycloak/pull/91>`_
+
+        '
+      - 'Update bindep.txt package python3-devel to support RHEL9 `#105 <https://github.com/ansible-middleware/keycloak/pull/105>`_
+
+        '
+      minor_changes:
+      - 'keycloak_quarkus: set openjdk 17 as default `#103 <https://github.com/ansible-middleware/keycloak/pull/103>`_
+
+        '
+      - 'keycloak_quarkus: update to version 22.0.1 `#107 <https://github.com/ansible-middleware/keycloak/pull/107>`_
+
+        '
+    fragments:
+    - 103.yaml
+    - 105.yaml
+    - 107.yaml
+    - 91.yaml
+    - 98.yaml
+    release_date: '2023-08-28'
+  1.3.0:
+    changes:
+      bugfixes:
+      - 'keycloak_quarkus: fix validation failure upon port configuration change `#113
+        <https://github.com/ansible-middleware/keycloak/pull/113>`_
+
+        '
+      major_changes:
+      - 'Run service as ``keycloak_service_user`` `#106 <https://github.com/ansible-middleware/keycloak/pull/106>`_
+
+        '
+      minor_changes:
+      - 'keycloak_quarkus: Update Keycloak to version 22.0.3 `#112 <https://github.com/ansible-middleware/keycloak/pull/112>`_
+
+        '
+      - 'keycloak_quarkus: fix admin console redirect when running locally `#111 <https://github.com/ansible-middleware/keycloak/pull/111>`_
+
+        '
+      - 'keycloak_quarkus: skip proxy config if ``keycloak_quarkus_proxy_mode`` is
+        ``none`` `#109 <https://github.com/ansible-middleware/keycloak/pull/109>`_
+
+        '
+    fragments:
+    - 106.yaml
+    - 109.yaml
+    - 111.yaml
+    - 112.yaml
+    - 113.yaml
+    release_date: '2023-09-25'
+  2.0.0:
+    changes:
+      breaking_changes:
+      - 'Add support for more http-related configs `#115 <https://github.com/ansible-middleware/keycloak/pull/115>`_
+
+        '
+      - 'Update minimum ansible-core version > 2.14 `#119 <https://github.com/ansible-middleware/keycloak/pull/119>`_
+
+        '
+      - 'keycloak_quarkus: enable config of key store and trust store `#116 <https://github.com/ansible-middleware/keycloak/pull/116>`_
+
+        '
+      minor_changes:
+      - 'Add new parameter for port offset configuration `#124 <https://github.com/ansible-middleware/keycloak/pull/124>`_
+
+        '
+      - 'Update Keycloak to version 22.0.5 `#122 <https://github.com/ansible-middleware/keycloak/pull/122>`_
+
+        '
+    fragments:
+    - 115.yaml
+    - 116.yaml
+    - 119.yaml
+    - 122.yaml
+    - 124.yaml
+    release_date: '2023-11-20'
+  2.0.1:
+    changes:
+      bugfixes:
+      - 'keycloak_quarkus: template requires lowercase boolean values `#138 <https://github.com/ansible-middleware/keycloak/pull/138>`_
+
+        '
+      minor_changes:
+      - 'keycloak_quarkus: add hostname-strict parameter `#139 <https://github.com/ansible-middleware/keycloak/pull/139>`_
+
+        '
+      - 'keycloak_quarkus: update to version 23.0.1 `#133 <https://github.com/ansible-middleware/keycloak/pull/133>`_
+
+        '
+    fragments:
+    - 133.yaml
+    - 138.yaml
+    - 139.yaml
+    release_date: '2023-12-07'
+  2.0.2:
+    changes:
+      bugfixes:
+      - 'keycloak_quarkus: Use ``keycloak_quarkus_java_opts`` `#154 <https://github.com/ansible-middleware/keycloak/pull/154>`_
+
+        '
+      - 'keycloak_quarkus: allow ports <1024 (e.g. :443) in systemd unit `#150 <https://github.com/ansible-middleware/keycloak/pull/150>`_
+
+        '
+      minor_changes:
+      - 'keycloak_quarkus: Add support for sqlserver jdbc driver `#148 <https://github.com/ansible-middleware/keycloak/pull/148>`_
+
+        '
+      - 'keycloak_quarkus: allow configuration of ``hostname-strict-backchannel``
+        `#152 <https://github.com/ansible-middleware/keycloak/pull/152>`_
+
+        '
+      - 'keycloak_quarkus: systemd restart behavior `#145 <https://github.com/ansible-middleware/keycloak/pull/145>`_
+
+        '
+    fragments:
+    - 145.yaml
+    - 148.yaml
+    - 150.yaml
+    - 152.yaml
+    - 154.yaml
+    release_date: '2024-01-17'
+  2.1.0:
+    changes:
+      breaking_changes:
+      - 'keycloak_quarkus: renamed infinispan host list configuration `#157 <https://github.com/ansible-middleware/keycloak/pull/157>`_
+
+        '
+      bugfixes:
+      - 'keycloak_quarkus: fix custom JAVA_HOME parameter name `#171 <https://github.com/ansible-middleware/keycloak/pull/171>`_
+
+        '
+      major_changes:
+      - 'Implement infinispan TCPPING discovery protocol `#159 <https://github.com/ansible-middleware/keycloak/pull/159>`_
+
+        '
+      minor_changes:
+      - 'Set enable-recovery when xa transactions are enabled `#167 <https://github.com/ansible-middleware/keycloak/pull/167>`_
+
+        '
+      - 'keycloak_quarkus: Allow configuring log rotate options in quarkus configuration
+        `#161 <https://github.com/ansible-middleware/keycloak/pull/161>`_
+
+        '
+      - 'keycloak_quarkus: ``sticky-session`` for infinispan routes `#163 <https://github.com/ansible-middleware/keycloak/pull/163>`_
+
+        '
+    fragments:
+    - 157.yaml
+    - 159.yaml
+    - 161.yaml
+    - 163.yaml
+    - 167.yaml
+    - 171.yaml
+    release_date: '2024-02-28'
+  2.1.1:
+    changes:
+      bugfixes:
+      - 'Fix permissions on controller-side downloaded artifacts `#184 <https://github.com/ansible-middleware/keycloak/pull/184>`_
+
+        '
+      - 'JVM args moved to ``JAVA_OPTS`` envvar (instead of JAVA_OPTS_APPEND) `#186
+        <https://github.com/ansible-middleware/keycloak/pull/186>`_
+
+        '
+      - 'Unrelax configuration file permissions `#191 <https://github.com/ansible-middleware/keycloak/pull/191>`_
+
+        '
+      - 'Utilize comment filter for ``ansible_managed`` annotations `#176 <https://github.com/ansible-middleware/keycloak/pull/176>`_
+
+        '
+      minor_changes:
+      - 'Add reverse ``proxy_headers`` config, supersedes ``proxy_mode`` `#187 <https://github.com/ansible-middleware/keycloak/pull/187>`_
+
+        '
+      - 'Debian/Ubuntu compatibility `#178 <https://github.com/ansible-middleware/keycloak/pull/178>`_
+
+        '
+      - 'Use ``keycloak_realm`` as default for sub-entities `#180 <https://github.com/ansible-middleware/keycloak/pull/180>`_
+
+        '
+    fragments:
+    - 176.yaml
+    - 178.yaml
+    - 180.yaml
+    - 184.yaml
+    - 186.yaml
+    - 187.yaml
+    - 191.yaml
+    release_date: '2024-04-17'
+  2.1.2:
+    changes:
+      release_summary: 'Internal release, documentation or test changes only.
+
+        '
+    release_date: '2024-04-17'
+  2.2.0:
+    changes:
+      major_changes:
+      - 'Support java keystore for configuration of sensitive options `#189 <https://github.com/ansible-middleware/keycloak/pull/189>`_
+
+        '
+      minor_changes:
+      - 'Add ``wait_for_port`` and ``wait_for_log`` systemd unit logic `#199 <https://github.com/ansible-middleware/keycloak/pull/199>`_
+
+        '
+      - 'Customize jdbc driver downloads, optional authentication `#202 <https://github.com/ansible-middleware/keycloak/pull/202>`_
+
+        '
+      - 'Keystore-based vault SPI configuration `#196 <https://github.com/ansible-middleware/keycloak/pull/196>`_
+
+        '
+      - 'New ``keycloak_quarkus_hostname_strict_https`` parameter `#195 <https://github.com/ansible-middleware/keycloak/pull/195>`_
+
+        '
+      - 'Providers config and custom providers `#201 <https://github.com/ansible-middleware/keycloak/pull/201>`_
+
+        '
+      - 'Remove administrator credentials from files once keycloak is bootstrapped
+        `#197 <https://github.com/ansible-middleware/keycloak/pull/197>`_
+
+        '
+      - 'Update keycloak to 24.0 `#194 <https://github.com/ansible-middleware/keycloak/pull/194>`_
+
+        '
+    fragments:
+    - 189.yaml
+    - 194.yaml
+    - 195.yaml
+    - 196.yaml
+    - 197.yaml
+    - 199.yaml
+    - 201.yaml
+    - 202.yaml
+    release_date: '2024-05-01'
+  2.2.1:
+    changes:
+      bugfixes:
+      - 'JDBC provider: fix clause in argument validation `#204 <https://github.com/ansible-middleware/keycloak/pull/204>`_
+
+        '
+      release_summary: Internal release, documentation or test changes only.
+    fragments:
+    - 204.yaml
+    - v2.2.1-devel_summary.yaml
+    release_date: '2024-05-02'
+  2.2.2:
+    changes:
+      bugfixes:
+      - 'Turn off controller privilege escalation `#209 <https://github.com/ansible-middleware/keycloak/pull/209>`_
+
+        '
+      minor_changes:
+      - 'Copying of key material for TLS configuration `#210 <https://github.com/ansible-middleware/keycloak/pull/210>`_
+
+        '
+      - 'Validate certs parameter for JDBC driver downloads `#207 <https://github.com/ansible-middleware/keycloak/pull/207>`_
+
+        '
+    fragments:
+    - 207.yaml
+    - 209.yaml
+    - 210.yaml
+    release_date: '2024-05-06'

changelogs/config.yaml

@@ -0,0 +1,32 @@
+---
+changelog_filename_template: ../CHANGELOG.rst
+changelog_filename_version_depth: 0
+changes_file: changelog.yaml
+changes_format: combined
+ignore_other_fragment_extensions: true
+keep_fragments: false
+mention_ancestor: true
+new_plugins_after_name: removed_features
+notesdir: fragments
+prelude_section_name: release_summary
+prelude_section_title: Release Summary
+sections:
+- - major_changes
+  - Major Changes
+- - minor_changes
+  - Minor Changes
+- - breaking_changes
+  - Breaking Changes / Porting Guide
+- - deprecated_features
+  - Deprecated Features
+- - removed_features
+  - Removed Features
+- - security_fixes
+  - Security Fixes
+- - bugfixes
+  - Bugfixes
+- - known_issues
+  - Known Issues
+title: middleware_automation.keycloak
+trivial_section_name: trivial
+use_fqcn: true

changelogs/fragments/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

docs/CHANGELOG.rst

@@ -0,0 +1 @@
+../CHANGELOG.rst

docs/README.md

@@ -0,0 +1 @@
+../README.md

docs/_gh_include/footer.inc

@@ -0,0 +1,21 @@
+              </ul>
+            </div>
+          </section>
+        </div>
+      </div>
+      <footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
+      </div>
+      <hr/>
+      <div role="contentinfo">
+        <p>&#169; Copyright 2022, Red Hat, Inc.</p>
+      </div>
+      Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
+        <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
+        provided by <a href="https://readthedocs.org">Read the Docs</a>.
+      </footer>
+    </div>
+  </div>
+</section>
+</div>
+</body>
+</html>

docs/_gh_include/header.inc

@@ -0,0 +1,57 @@
+<!doctype html>
+<html>
+  <head>
+    <title>Keycloak Ansible Collection documentation index</title>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <link rel="stylesheet" href="https://ansible-middleware.github.io/keycloak/main/_static/pygments.css" type="text/css" />
+    <link rel="stylesheet" href="https://ansible-middleware.github.io/keycloak/main/_static/css/theme.css" type="text/css" />
+    <link rel="stylesheet" href="https://ansible-middleware.github.io/keycloak/main/_static/ansible-basic-sphinx-ext.css" type="text/css" />
+    <script data-url_root="./" id="documentation_options" src="https://ansible-middleware.github.io/keycloak/main/_static/documentation_options.js"></script>
+    <script src="https://ansible-middleware.github.io/keycloak/main/_static/jquery.js"></script>
+    <script src="https://ansible-middleware.github.io/keycloak/main/_static/underscore.js"></script>
+    <script src="https://ansible-middleware.github.io/keycloak/main/_static/doctools.js"></script>
+    <script src="https://ansible-middleware.github.io/keycloak/main/_static/js/theme.js"></script>
+  </head>
+
+<body class="wy-body-for-nav">
+  <div class="wy-grid-for-nav">
+    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
+      <div class="wy-side-scroll">
+        <div class="wy-side-nav-search" >
+            <a href="#" class="icon icon-home"> Keycloak Ansible Collection</a>
+        </div>
+        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
+            <p class="caption" role="heading"><span class="caption-text">Middleware Automation</span></p>
+            <ul>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/infinispan/main/">Infinispan / Red Hat Data Grid</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/keycloak/main/">Keycloak / Red Hat Single Sign-On</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/wildfly/main/">Wildfly / Red Hat JBoss EAP</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/jws/main/">Tomcat / Red Hat JWS</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq/main/">ActiveMQ / Red Hat AMQ Broker</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq_streams/main/">Kafka / Red Hat AMQ Streams</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/common/main/">Ansible Middleware utilities</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/redhat-csp-download/main/">Red Hat CSP Download</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/ansible_collections_jcliff/main/">JCliff</a></li>
+            </ul>
+        </div>
+      </div>
+    </nav>
+    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
+      <div class="wy-nav-content">
+          <div class="rst-content">
+            <div role="navigation" aria-label="Page navigation">
+              <ul class="wy-breadcrumbs">
+                  <li><a href="#" class="icon icon-home"></a> &raquo;</li>
+                  <li>Welcome to Keycloak Collection documentation</li>
+                  <li class="wy-breadcrumbs-aside"></li>
+              </ul>
+              <hr/>
+            </div>
+          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
+             <div itemprop="articleBody">
+                <section id="welcome-to-keycloak-collection-documentation">
+                  <h1>Welcome to Keycloak Collection documentation<a class="headerlink" href="#welcome-to-keycloak-collection-documentation" title="Permalink to this headline"></a></h1>
+                    <div class="toctree-wrapper compound">
+                      <p class="caption" role="heading"><span class="caption-text">Pick collection version:</span></p>
+                        <ul>

docs/conf.py

@@ -0,0 +1,171 @@
+# -*- coding: utf-8 -*-
+#
+# Configuration file for the Sphinx documentation builder.
+#
+# This file does only contain a selection of the most common options. For a
+# full list see the documentation:
+# http://www.sphinx-doc.org/en/master/config
+
+# -- Path setup --------------------------------------------------------------
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+import datetime
+import os
+import sys
+sys.path.insert(0, os.path.abspath('../plugins/module_utils/'))
+# sys.path.insert(0, os.path.abspath('.'))
+
+# -- Project information -----------------------------------------------------
+
+project = 'Keycloak Ansible Collection'
+copyright = '{y}, Red Hat, Inc.'.format(y=datetime.date.today().year)
+author = 'Red Hat, Inc.'
+
+# The short X.Y version
+version = ''
+# The full version, including alpha/beta/rc tags
+release = ''
+
+
+# -- General configuration ---------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#
+# needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+    'myst_parser',
+    'sphinx.ext.autodoc',
+    'sphinx.ext.intersphinx',
+    'sphinx_antsibull_ext',
+    'ansible_basic_sphinx_ext',
+]
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix(es) of source filenames.
+# You can specify multiple suffix as a list of string:
+#
+# source_suffix = ['.rst', '.md']
+source_suffix = ['.rst', '.md']
+
+# The master toctree document.
+master_doc = 'index'
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#
+# This is also used if you do content translation via gettext catalogs.
+# Usually you set "language" from the command line for these cases.
+language = None
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This pattern also affects html_static_path and html_extra_path .
+exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store', '.tmp']
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'ansible'
+
+highlight_language = 'YAML+Jinja'
+
+# -- Options for HTML output -------------------------------------------------
+html_theme_path = ['_themes']
+# The theme to use for HTML and HTML Help pages.  See the documentation for
+# a list of builtin themes.
+#
+# html_theme = 'alabaster'
+html_theme = 'sphinx_rtd_theme'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further.  For a list of options available for each theme, see the
+# documentation.
+#
+# html_theme_options = {}
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = []
+
+# Custom sidebar templates, must be a dictionary that maps document names
+# to template names.
+#
+# The default sidebars (for documents that don't match any pattern) are
+# defined by theme itself.  Builtin themes are using these templates by
+# default: ``['localtoc.html', 'relations.html', 'sourcelink.html',
+# 'searchbox.html']``.
+#
+# html_sidebars = {}
+
+
+# -- Options for HTMLHelp output ---------------------------------------------
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'KeycloakCollectionDoc'
+
+
+# -- Options for LaTeX output ------------------------------------------------
+
+latex_elements = {
+    # The paper size ('letterpaper' or 'a4paper').
+    #
+    # 'papersize': 'letterpaper',
+
+    # The font size ('10pt', '11pt' or '12pt').
+    #
+    # 'pointsize': '10pt',
+
+    # Additional stuff for the LaTeX preamble.
+    #
+    # 'preamble': '',
+
+    # Latex figure (float) alignment
+    #
+    # 'figure_align': 'htbp',
+}
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title,
+#  author, documentclass [howto, manual, or own class]).
+latex_documents = [
+    (master_doc, 'KeycloakCollection.tex', 'Red Hat Single Sign-On Ansible Collection Documentation',
+     'Red Hat, Inc.', 'manual'),
+]
+
+
+# -- Options for manual page output ------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+    (master_doc, 'keycloakcollection', 'Red Hat Single Sign-On Ansible Collection Documentation',
+     [author], 1)
+]
+
+
+# -- Options for Texinfo output ----------------------------------------------
+
+# Grouping the document tree into Texinfo files. List of tuples
+# (source start file, target name, title, author,
+#  dir menu entry, description, category)
+texinfo_documents = [
+    (master_doc, 'KeycloakCollection', 'Red Hat Single Sign-On Ansible Collection Documentation',
+     author, 'KeycloakCollection', 'One line description of project.',
+     'Miscellaneous'),
+]
+
+
+# -- Extension configuration -------------------------------------------------
+
+# -- Options for intersphinx extension ---------------------------------------
+
+# Example configuration for intersphinx: refer to the Python standard library.
+intersphinx_mapping = {'python': ('https://docs.python.org/2', None), 'ansible': ('https://docs.ansible.com/ansible/latest/', None)}

docs/developing.md

@@ -0,0 +1 @@
+../CONTRIBUTING.md

docs/index.rst

@@ -0,0 +1,40 @@
+.. Red Hat middleware_automation Keycloak Ansible Collection documentation main file
+
+Welcome to Keycloak Collection documentation
+============================================
+
+.. toctree::
+   :maxdepth: 2
+   :caption: User documentation
+
+   README
+   plugins/index
+   roles/index
+
+.. toctree::
+   :maxdepth: 2
+   :caption: Developer documentation
+
+   testing
+   developing
+   releasing
+
+.. toctree::
+   :maxdepth: 2
+   :caption: General
+
+   Changelog <CHANGELOG>
+
+.. toctree::
+   :maxdepth: 2
+   :caption: Middleware collections
+
+   Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/>
+   Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/main/>
+   Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/main/>
+   Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/main/>
+   ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/main/>
+   Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/main/>
+   Ansible Middleware utilities <https://ansible-middleware.github.io/common/main/>
+   Red Hat CSP Download <https://ansible-middleware.github.io/redhat-csp-download/main/>
+   JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/main/>

docs/releasing.md

@@ -0,0 +1,61 @@
+# Collection Versioning Strategy
+
+Each supported collection maintained by Ansible follows Semantic Versioning 2.0.0 (https://semver.org/), for example:
+Given a version number MAJOR.MINOR.PATCH, the following is incremented:
+
+MAJOR version: when making incompatible API changes (see Feature Release scenarios below for examples)
+
+MINOR version: when adding features or functionality in a backwards compatible manner, or updating testing matrix and/or metadata (deprecation)
+
+PATCH version: when adding backwards compatible bug fixes or security fixes (strict).
+
+Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.
+
+The first version of a generally available supported collection on Ansible Automation Hub shall be version 1.0.0. NOTE: By default, all newly created collections may begin with a smaller default version of 0.1.0, and therefore a version of 1.0.0 should be explicitly stated by the collection maintainer.
+
+## New content is added to an existing collection
+
+Assuming the current release is 1.0.0, and a new module is ready to be added to the collection, the minor version would be incremented to 1.1.0. The change in the MINOR version indicates an additive change was made while maintaining backward compatibility for existing content within the collection.
+
+
+## New feature to existing plugin or role within a collection (backwards compatible)
+
+Assuming the current release is 1.0.0, and new features for an existing module are ready for release . We would increment the MINOR version to 1.1.0. The change in the MINOR version indicates an additive change was made while maintaining backward compatibility for existing content within the collection.
+
+
+## Bug fix or security fix to existing content within a collection
+
+Assuming the current release is 1.0.0 and a bug is fixed prior to the next minor release, the PATCH version would be incremented to 1.0.1. The patch indicates only a bug was fixed within a current version. The PATCH release does not contain new content, nor was functionality removed. Bug fixes may be included in a MINOR or MAJOR feature release if the timing allows, eliminating the need for a PATCH dedicated to the fix.
+
+
+## Breaking change to any content within a collection
+
+Assuming the current release is 1.0.0, and a breaking change (API or module) is introduced for a user or developer. The MAJOR version would be incremented to 2.0.0.
+
+Examples of breaking changes within a collection may include but are not limited to:
+
+ - Argspec changes for a module that require either inventory structure or playbook changes.
+ - A change in the shape of either the inbound or returned payload of a filter plugin.
+ - Changes to a connection plugin that require additional inventory parameters or ansible.cfg entries.
+ - New functionality added to a module that changes the outcome of that module as released in previous versions.
+ - The removal of plugins from a collection.
+
+
+## Content removed from a collection
+
+Deleting a module or API is a breaking change. Please see the 'Breaking change' section for how to version this.
+
+
+## A typographical error was fixed in the documentation for a collection
+
+A correction to the README would be considered a bug fix and the PATCH incremented. See 'Bug fix' above.
+
+
+## Documentation added/removed/modified within a collection
+
+Only the PATCH version should be increased for a release that contains changes limited to revised documentation.
+
+
+## Release automation
+
+New releases are triggered by annotated git tags named after semantic versioning. The automation publishes the built artifacts to ansible-galaxy and github releases page.

docs/requirements.txt

@@ -0,0 +1,8 @@
+antsibull>=0.17.0
+antsibull-docs
+antsibull-changelog
+ansible-core>=2.14.1
+ansible-pygments
+sphinx-rtd-theme
+git+https://github.com/felixfontein/ansible-basic-sphinx-ext
+myst-parser

docs/roles.rst.template

@@ -0,0 +1,4 @@
+Role Index
+==========
+
+.. toctree::

docs/testing.md

@@ -0,0 +1,48 @@
+# Testing
+
+## Continuous integration
+
+The collection is tested with a [molecule](https://github.com/ansible-community/molecule) setup covering the included roles and verifying correct installation and idempotency.
+In order to run the molecule tests locally with python 3.9 available, after cloning the repository:
+
+```
+pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
+molecule test --all
+```
+
+
+## Integration testing
+
+Demo repositories which depend on the collection, and aggregate functionality with other middleware_automation collections, are automatically rebuilt
+at every collection release to ensure non-breaking changes and consistent behaviour.
+
+The repository are:
+
+ - [Flange demo](https://github.com/ansible-middleware/flange-demo)
+   A deployment of Wildfly cluster integrated with keycloak and infinispan.
+ - [CrossDC keycloak demo](https://github.com/ansible-middleware/cross-dc-rhsso-demo)
+   A clustered multi-regional installation of keycloak with infinispan remote caches.
+
+
+## Test playbooks
+
+Sample playbooks are provided in the `playbooks/` directory; to run the playbooks locally (requires a rhel system with python 3.9+, ansible, and systemd) the steps are as follows:
+
+```
+# setup environment
+pip install ansible-core
+# clone the repository
+git clone https://github.com/ansible-middleware/keycloak
+cd keycloak
+# install collection dependencies
+ansible-galaxy collection install -r requirements.yml
+# install collection python deps
+pip install -r requirements.txt
+# create inventory for localhost
+cat << EOF > inventory
+[keycloak]
+localhost ansible_connection=local
+EOF
+# run the playbook
+ansible-playbook -i inventory playbooks/keycloak.yml
+```

galaxy.yml

@@ -1,22 +1,46 @@
+---
 namespace: middleware_automation
 name: keycloak
-version: "0.1.0"
+version: "2.2.2"
 readme: README.md
 authors:
   - Romain Pelisse <rpelisse@redhat.com>
   - Guido Grazioli <ggraziol@redhat.com>
+  - Pavan Kumar Motaparthi <pmotapar@redhat.com>
+  - Helmut Wolf <hwo@world-direct.at>
 description: Install and configure a keycloak, or Red Hat Single Sign-on, service.
 license_file: "LICENSE"
 tags:
   - keycloak
   - redhat
   - rhel
-  - rhn
   - sso
+  - openid
+  - application
+  - identity
+  - security
+  - infrastructure
+  - authentication
+  - java
+  - runtimes
+  - middleware
+  - a4mw
 dependencies:
-  "middleware_automation.redhat_csp_download": ">=1.2.1"
-  "middleware_automation.jcliff": ">=0.0.19"
+  "middleware_automation.common": ">=1.1.0"
+  "ansible.posix": ">=1.4.0"
 repository: https://github.com/ansible-middleware/keycloak
-documentation: https://github.com/ansible-middleware/keycloak
+documentation: https://ansible-middleware.github.io/keycloak
 homepage: https://github.com/ansible-middleware/keycloak
 issues: https://github.com/ansible-middleware/keycloak/issues
+build_ignore:
+  - .gitignore
+  - .github
+  - .yamllint
+  - '*.tar.gz'
+  - '*.zip'
+  - molecule
+  - changelogs
+  - docs/_gh_include
+  - docs/conf.py
+  - docs/roles.rst.template
+  - docs/requirements.yml

meta/execution-environment.yml

@@ -0,0 +1,11 @@
+---
+version: 1
+build_arg_defaults:
+  EE_BASE_IMAGE: 'quay.io/ansible/ansible-runner:stable-2.12-devel'
+dependencies:
+  galaxy: requirements.yml
+  python: requirements.txt
+  system: bindep.txt
+additional_build_steps:
+  append:
+    - RUN alternatives --set python /usr/bin/python3

meta/runtime.yml

@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.9.10"
+requires_ansible: ">=2.14.0"

molecule/debian/converge.yml

@@ -0,0 +1,41 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_realm: TestRealm
+    keycloak_quarkus_log: file
+    keycloak_quarkus_frontend_url: 'http://localhost:8080/'
+    keycloak_quarkus_start_dev: True
+    keycloak_quarkus_proxy_mode: none
+    keycloak_client_default_roles:
+      - TestRoleAdmin
+      - TestRoleUser
+    keycloak_client_users:
+      - username: TestUser
+        password: password
+        client_roles:
+          - client: TestClient
+            role: TestRoleUser
+      - username: TestAdmin
+        password: password
+        client_roles:
+          - client: TestClient
+            role: TestRoleUser
+          - client: TestClient
+            role: TestRoleAdmin
+    keycloak_clients:
+      - name: TestClient
+        roles: "{{ keycloak_client_default_roles }}"
+        public_client: "{{ keycloak_client_public }}"
+        web_origins: "{{ keycloak_client_web_origins }}"
+        users: "{{ keycloak_client_users }}"
+        client_id: TestClient
+        attributes:
+          post.logout.redirect.uris: '/public/logout'
+  roles:
+    - role: keycloak_quarkus
+    - role: keycloak_realm
+      keycloak_realm: TestRealm
+      keycloak_admin_password: "remembertochangeme"
+      keycloak_context: ''

molecule/debian/molecule.yml

@@ -0,0 +1,48 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: ghcr.io/hspaans/molecule-containers:debian-11
+    pre_build_image: true
+    privileged: true
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "8009/tcp"
+    cgroupns_mode: host
+    command: "/lib/systemd/systemd"
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: /usr/bin/python3
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+    ANSIBLE_REMOTE_TMP: /tmp/.ansible/tmp
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/debian/prepare.yml

@@ -0,0 +1,11 @@
+---
+- name: Prepare
+  hosts: all
+  gather_facts: yes
+  tasks:
+    - name: Install sudo
+      ansible.builtin.apt:
+        name:
+          - sudo
+          - openjdk-17-jdk-headless
+        state: present

molecule/debian/roles

@@ -0,0 +1 @@
+../../roles

molecule/debian/verify.yml

@@ -0,0 +1,40 @@
+---
+- name: Verify
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
+    keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
+    keycloak_jboss_port_offset: 10
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+
+    - name: Verify openid config
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.shell: |
+            set -o pipefail
+            curl http://localhost:8080/realms/master/.well-known/openid-configuration -k | jq .
+          args:
+            executable: /bin/bash
+          delegate_to: localhost
+          register: openid_config
+          changed_when: False
+        - name: Verify endpoint URLs
+          ansible.builtin.assert:
+            that:
+              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'http://localhost:8080/realms/master/protocol/openid-connect/ext/ciba/auth'
+              - (openid_config.stdout | from_json)['issuer'] == 'http://localhost:8080/realms/master'
+              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/auth'
+              - (openid_config.stdout | from_json)['token_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/token'
+          delegate_to: localhost
+      when:
+        - hera_home is defined
+        - hera_home | length == 0

molecule/default/converge.yml

@@ -1,18 +1,24 @@
 ---
 - name: Converge
   hosts: all
-  vars: 
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_jvm_package: java-11-openjdk-headless
+    keycloak_modcluster_enabled: True
+    keycloak_modcluster_urls:
+      - host: myhost1
+        port: 16667
+      - host: myhost2
+        port: 16668
+    keycloak_jboss_port_offset: 10
+    keycloak_log_target: /tmp/keycloak
+  roles:
+    - role: keycloak
   tasks:
-    - name: Include keycloak role
-      include_role:
-        name: ../../roles/keycloak
-      vars:
-        keycloak_admin_password: "changeme"
     - name: Keycloak Realm Role
-      include_role:
-        name: ../../roles/keycloak_realm
+      ansible.builtin.include_role:
+        name: keycloak_realm
       vars:
-        keycloak_admin_password: "changeme"
         keycloak_client_default_roles:
           - TestRoleAdmin
           - TestRoleUser
@@ -40,3 +46,17 @@
             public_client: "{{ keycloak_client_public }}"
             web_origins: "{{ keycloak_client_web_origins }}"
             users: "{{ keycloak_client_users }}"
+            client_id: TestClient
+            attributes:
+              post.logout.redirect.uris: '/public/logout'
+  pre_tasks:
+    - name: "Retrieve assets server from env"
+      ansible.builtin.set_fact:
+        assets_server: "{{ lookup('env', 'MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
+
+    - name: "Set offline when assets server from env is defined"
+      ansible.builtin.set_fact:
+        sso_offline_install: True
+      when:
+        - assets_server is defined
+        - assets_server | length > 0

molecule/default/molecule.yml

@@ -1,6 +1,4 @@
 ---
-dependency:
-  name: galaxy
 driver:
   name: docker
 platforms:
@@ -12,7 +10,7 @@ platforms:
     port_bindings:
       - "8080/tcp"
       - "8443/tcp"
-      - "8009/tcp"      
+      - "8009/tcp"
 provisioner:
   name: ansible
   config_options:
@@ -29,16 +27,13 @@ provisioner:
       localhost:
         ansible_python_interpreter: "{{ ansible_playbook_python }}"
   env:
-    ANSIBLE_FORCE_COLOR: "true"        
+    ANSIBLE_FORCE_COLOR: "true"
 verifier:
   name: ansible
 scenario:
   test_sequence:
-    - dependency
-    - lint
     - cleanup
     - destroy
-    - syntax
     - create
     - prepare
     - converge

molecule/default/prepare.yml

@@ -1,8 +1,29 @@
 ---
 - name: Prepare
   hosts: all
+  gather_facts: yes
+  vars:
+    sudo_pkg_name: sudo
   tasks:
-    - name: Install sudo
-      yum:
-        name: sudo
-        state: present
+    - name: "Run preparation common to all scenario"
+      ansible.builtin.include_tasks: ../prepare.yml
+      vars:
+        assets:
+          - "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip"
+          - "{{ assets_server }}/sso/7.6.1/rh-sso-7.6.1-patch.zip"
+
+    - name: Install JDK8
+      become: yes
+      ansible.builtin.yum:
+        name:
+          - java-1.8.0-openjdk
+        state: present
+      when: ansible_facts['os_family'] == "RedHat"
+
+    - name: Install JDK8
+      become: yes
+      ansible.builtin.apt:
+        name:
+          - openjdk-8-jdk
+        state: present
+      when: ansible_facts['os_family'] == "Debian"

molecule/default/roles

@@ -0,0 +1 @@
+../../roles

molecule/default/verify.yml

@@ -1,10 +1,89 @@
 ---
 - name: Verify
   hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_jvm_package: java-11-openjdk-headless
+    keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
+    keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
+    keycloak_jboss_port_offset: 10
   tasks:
     - name: Populate service facts
       ansible.builtin.service_facts:
     - name: Check if keycloak service started
-      assert:
+      ansible.builtin.assert:
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+    - name: Verify we are running on requested jvm # noqa blocked_modules command-instead-of-module
+      ansible.builtin.shell: |
+        set -o pipefail
+        ps -ef | grep '/etc/alternatives/jre_11/' | grep -v grep
+      args:
+        executable: /bin/bash
+      changed_when: no
+    - name: Verify token api call
+      ansible.builtin.uri:
+        url: "{{ keycloak_uri }}/auth/realms/master/protocol/openid-connect/token"
+        method: POST
+        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
+        validate_certs: no
+      register: keycloak_auth_response
+      until: keycloak_auth_response.status == 200
+      retries: 2
+      delay: 2
+    - name: Fetch openid-connect config
+      ansible.builtin.uri:
+        url: "{{ keycloak_uri }}/auth/realms/TestRealm/.well-known/openid-configuration"
+        method: GET
+        validate_certs: no
+        status_code: 200
+      register: keycloak_openid_config
+    - name: Verify expected config
+      ansible.builtin.assert:
+        that:
+          - keycloak_openid_config.json.registration_endpoint == 'http://localhost:8080/auth/realms/TestRealm/clients-registrations/openid-connect'
+    - name: Get test realm clients
+      ansible.builtin.uri:
+        url: "{{ keycloak_uri }}/auth/admin/realms/TestRealm/clients"
+        method: GET
+        validate_certs: no
+        status_code: 200
+        headers:
+          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+      register: keycloak_query_clients
+    - name: Verify expected config
+      ansible.builtin.assert:
+        that:
+          - (keycloak_query_clients.json | selectattr('clientId','equalto','TestClient') | first)["attributes"]["post.logout.redirect.uris"] == '/public/logout'
+    - name: "Privilege escalation as some files/folders may requires it"
+      become: yes
+      block:
+        - name: Check log folder
+          ansible.builtin.stat:
+            path: "/tmp/keycloak"
+          register: keycloak_log_folder
+        - name: Check that keycloak log folder exists and is a link
+          ansible.builtin.assert:
+            that:
+              - keycloak_log_folder.stat.exists
+              - not keycloak_log_folder.stat.isdir
+              - keycloak_log_folder.stat.islnk
+        - name: Check log file
+          ansible.builtin.stat:
+            path: "/tmp/keycloak/server.log"
+          register: keycloak_log_file
+        - name: Check if keycloak file exists
+          ansible.builtin.assert:
+            that:
+              - keycloak_log_file.stat.exists
+              - not keycloak_log_file.stat.isdir
+        - name: Check default log folder
+          ansible.builtin.stat:
+            path: "/var/log/keycloak"
+          register: keycloak_default_log_folder
+          failed_when: false
+        - name: Check that default keycloak log folder doesn't exist
+          ansible.builtin.assert:
+            that:
+              - not keycloak_default_log_folder.stat.exists

molecule/https_revproxy/converge.yml

@@ -0,0 +1,16 @@
+---
+- name: Converge
+  hosts: all
+  vars: 
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_realm: TestRealm
+    keycloak_quarkus_host: instance
+    keycloak_quarkus_log: file
+    keycloak_quarkus_http_enabled: True
+    keycloak_quarkus_http_port: 8080
+    keycloak_quarkus_proxy_mode: edge
+    keycloak_quarkus_http_relative_path: /
+    keycloak_quarkus_frontend_url: https://proxy/
+  roles:
+    - role: keycloak_quarkus

molecule/https_revproxy/molecule.yml

@@ -0,0 +1,57 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    networks:
+      - name: keycloak
+    port_bindings:
+      - "8080/tcp"
+    published_ports:
+      - 0.0.0.0:8080:8080/tcp
+  - name: proxy
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    networks:
+      - name: keycloak
+    port_bindings:
+      - "443/tcp"
+    published_ports:
+      - 0.0.0.0:443:443/tcp
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/https_revproxy/prepare.yml

@@ -0,0 +1,49 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Install sudo
+      ansible.builtin.dnf:
+        name: sudo
+        state: present
+
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+- name: Prepare proxy
+  hosts: proxy
+  vars:
+    nginx_proxy: |
+      location / {
+          proxy_set_header        Host $host;
+          proxy_set_header        X-Real-IP $remote_addr;
+          proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header        X-Forwarded-Proto $scheme;
+          proxy_pass              http://instance:8080;
+      }
+  roles:
+    - elan.simple_nginx_reverse_proxy
+  pre_tasks:
+    - name: Create certificate request
+      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=proxy'
+      delegate_to: localhost
+      changed_when: false
+    - name: Make certificate directory
+      ansible.builtin.file:
+        path: /etc/nginx/tls
+        state: directory
+        mode: 0755
+    - name: Copy certificates
+      ansible.builtin.copy:
+        src: "{{ item.name }}"
+        dest: "{{ item.dest }}"
+        mode: 0444
+      become: true
+      loop:
+        - { name: 'cert.pem', dest: '/etc/nginx/tls/certificate.crt' }
+        - { name: 'key.pem', dest: '/etc/nginx/tls/certificate.key' }
+    - name: Update CA trust
+      ansible.builtin.command: update-ca-trust
+      changed_when: false
+      become: true

molecule/https_revproxy/roles

@@ -0,0 +1 @@
+../../roles

molecule/https_revproxy/verify.yml

@@ -0,0 +1,28 @@
+---
+- name: Verify
+  hosts: instance
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+
+    - name: Verify openid config
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.uri:
+            url: http://localhost:8080/realms/master/.well-known/openid-configuration
+            validate_certs: false
+            headers:
+              Host: proxy
+          register: openid_config
+          changed_when: False
+        - name: Verify endpoint URLs
+          ansible.builtin.assert:
+            that:
+              - openid_config.json['issuer'] == 'https://proxy/realms/master'
+              - openid_config.json['authorization_endpoint'] == 'https://proxy/realms/master/protocol/openid-connect/auth'

molecule/overridexml/converge.yml

@@ -0,0 +1,11 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_config_override_template: custom.xml.j2
+    keycloak_http_port: 8081
+    keycloak_management_http_port: 19990
+    keycloak_service_runas: True
+  roles:
+    - role: keycloak

molecule/overridexml/molecule.yml

@@ -0,0 +1,44 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "8009/tcp"
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/overridexml/prepare.yml

@@ -0,0 +1,12 @@
+---
+- name: Prepare
+  hosts: all
+  gather_facts: yes
+  vars:
+    sudo_pkg_name: sudo
+  tasks:
+    - name: "Run preparation common to all scenario"
+      ansible.builtin.include_tasks: ../prepare.yml
+      vars:
+        assets:
+          - "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip"

molecule/overridexml/roles

@@ -0,0 +1 @@
+../../roles

molecule/overridexml/templates/custom.xml.j2

@@ -0,0 +1,562 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!-- this is a custom file -->
+<server xmlns="urn:jboss:domain:16.0">
+    <extensions>
+        <extension module="org.jboss.as.clustering.infinispan"/>
+        <extension module="org.jboss.as.connector"/>
+        <extension module="org.jboss.as.deployment-scanner"/>
+        <extension module="org.jboss.as.ee"/>
+        <extension module="org.jboss.as.ejb3"/>
+        <extension module="org.jboss.as.jaxrs"/>
+        <extension module="org.jboss.as.jmx"/>
+        <extension module="org.jboss.as.jpa"/>
+        <extension module="org.jboss.as.logging"/>
+        <extension module="org.jboss.as.mail"/>
+        <extension module="org.jboss.as.modcluster"/>
+        <extension module="org.jboss.as.naming"/>
+        <extension module="org.jboss.as.remoting"/>
+        <extension module="org.jboss.as.transactions"/>
+        <extension module="org.jboss.as.weld"/>
+        <extension module="org.keycloak.keycloak-server-subsystem"/>
+        <extension module="org.wildfly.extension.bean-validation"/>
+        <extension module="org.wildfly.extension.core-management"/>
+        <extension module="org.wildfly.extension.elytron"/>
+        <extension module="org.wildfly.extension.health"/>
+        <extension module="org.wildfly.extension.io"/>
+        <extension module="org.wildfly.extension.metrics"/>
+        <extension module="org.wildfly.extension.request-controller"/>
+        <extension module="org.wildfly.extension.security.manager"/>
+        <extension module="org.wildfly.extension.undertow"/>
+    </extensions>
+    <management>
+        <audit-log>
+            <formatters>
+                <json-formatter name="json-formatter"/>
+            </formatters>
+            <handlers>
+                <file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
+            </handlers>
+            <logger log-boot="true" log-read-only="false" enabled="false">
+                <handlers>
+                    <handler name="file"/>
+                </handlers>
+            </logger>
+        </audit-log>
+        <management-interfaces>
+            <http-interface http-authentication-factory="management-http-authentication">
+                <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
+                <socket-binding http="management-http"/>
+            </http-interface>
+        </management-interfaces>
+        <access-control provider="simple">
+            <role-mapping>
+                <role name="SuperUser">
+                    <include>
+                        <user name="$local"/>
+                    </include>
+                </role>
+            </role-mapping>
+        </access-control>
+    </management>
+    <profile>
+        <subsystem xmlns="urn:jboss:domain:logging:8.0">
+            <console-handler name="CONSOLE">
+                <level name="INFO"/>
+                <formatter>
+                    <named-formatter name="COLOR-PATTERN"/>
+                </formatter>
+            </console-handler>
+            <periodic-rotating-file-handler name="FILE" autoflush="true">
+                <formatter>
+                    <named-formatter name="PATTERN"/>
+                </formatter>
+                <file relative-to="jboss.server.log.dir" path="server.log"/>
+                <suffix value=".yyyy-MM-dd"/>
+                <append value="true"/>
+            </periodic-rotating-file-handler>
+            <logger category="com.arjuna">
+                <level name="WARN"/>
+            </logger>
+            <logger category="io.jaegertracing.Configuration">
+                <level name="WARN"/>
+            </logger>
+            <logger category="org.jboss.as.config">
+                <level name="DEBUG"/>
+            </logger>
+            <logger category="sun.rmi">
+                <level name="WARN"/>
+            </logger>
+            <root-logger>
+                <level name="INFO"/>
+                <handlers>
+                    <handler name="CONSOLE"/>
+                    <handler name="FILE"/>
+                </handlers>
+            </root-logger>
+            <formatter name="PATTERN">
+                <pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
+            </formatter>
+            <formatter name="COLOR-PATTERN">
+                <pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
+            </formatter>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:datasources:6.0">
+            <datasources>
+                <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
+                    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
+                    <driver>h2</driver>
+                    <security>
+                        <user-name>sa</user-name>
+                        <password>sa</password>
+                    </security>
+                </datasource>
+                <drivers>
+                    <driver name="h2" module="com.h2database.h2">
+                        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
+                    </driver>
+                </drivers>
+            </datasources>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
+            <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:ee:6.0">
+            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
+            <concurrent>
+                <context-services>
+                    <context-service name="default" jndi-name="java:jboss/ee/concurrency/context/default" use-transaction-setup-provider="true"/>
+                </context-services>
+                <managed-thread-factories>
+                    <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
+                </managed-thread-factories>
+                <managed-executor-services>
+                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
+                </managed-executor-services>
+                <managed-scheduled-executor-services>
+                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
+                </managed-scheduled-executor-services>
+            </concurrent>
+            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/KeycloakDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
+            <session-bean>
+                <stateless>
+                    <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
+                </stateless>
+                <stateful default-access-timeout="5000" cache-ref="simple" passivation-disabled-cache-ref="simple"/>
+                <singleton default-access-timeout="5000"/>
+            </session-bean>
+            <pools>
+                <bean-instance-pools>
+                    <strict-max-pool name="mdb-strict-max-pool" derive-size="from-cpu-count" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
+                    <strict-max-pool name="slsb-strict-max-pool" derive-size="from-worker-pools" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
+                </bean-instance-pools>
+            </pools>
+            <caches>
+                <cache name="simple"/>
+                <cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/>
+            </caches>
+            <passivation-stores>
+                <passivation-store name="infinispan" cache-container="ejb" max-size="10000"/>
+            </passivation-stores>
+            <async thread-pool-name="default"/>
+            <timer-service thread-pool-name="default" default-data-store="default-file-store">
+                <data-stores>
+                    <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
+                </data-stores>
+            </timer-service>
+            <remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
+                <channel-creation-options>
+                    <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
+                </channel-creation-options>
+            </remote>
+            <thread-pools>
+                <thread-pool name="default">
+                    <max-threads count="10"/>
+                    <keepalive-time time="60" unit="seconds"/>
+                </thread-pool>
+            </thread-pools>
+            <default-security-domain value="other"/>
+            <application-security-domains>
+                <application-security-domain name="other" security-domain="ApplicationDomain"/>
+            </application-security-domains>
+            <default-missing-method-permissions-deny-access value="true"/>
+            <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
+            <log-system-exceptions value="true"/>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
+            <providers>
+                <aggregate-providers name="combined-providers">
+                    <providers name="elytron"/>
+                    <providers name="openssl"/>
+                </aggregate-providers>
+                <provider-loader name="elytron" module="org.wildfly.security.elytron"/>
+                <provider-loader name="openssl" module="org.wildfly.openssl"/>
+            </providers>
+            <audit-logging>
+                <file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/>
+            </audit-logging>
+            <security-domains>
+                <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
+                    <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
+                    <realm name="local"/>
+                </security-domain>
+                <security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
+                    <realm name="ManagementRealm" role-decoder="groups-to-roles"/>
+                    <realm name="local" role-mapper="super-user-mapper"/>
+                </security-domain>
+            </security-domains>
+            <security-realms>
+                <identity-realm name="local" identity="$local"/>
+                <properties-realm name="ApplicationRealm">
+                    <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
+                    <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
+                </properties-realm>
+                <properties-realm name="ManagementRealm">
+                    <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
+                    <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
+                </properties-realm>
+            </security-realms>
+            <mappers>
+                <simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
+                    <permission-mapping>
+                        <principal name="anonymous"/>
+                        <permission-set name="default-permissions"/>
+                    </permission-mapping>
+                    <permission-mapping match-all="true">
+                        <permission-set name="login-permission"/>
+                        <permission-set name="default-permissions"/>
+                    </permission-mapping>
+                </simple-permission-mapper>
+                <constant-realm-mapper name="local" realm-name="local"/>
+                <simple-role-decoder name="groups-to-roles" attribute="groups"/>
+                <constant-role-mapper name="super-user-mapper">
+                    <role name="SuperUser"/>
+                </constant-role-mapper>
+            </mappers>
+            <permission-sets>
+                <permission-set name="login-permission">
+                    <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
+                </permission-set>
+                <permission-set name="default-permissions">
+                    <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
+                    <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
+                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
+                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
+                </permission-set>
+            </permission-sets>
+            <http>
+                <http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="DIGEST">
+                            <mechanism-realm realm-name="ManagementRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </http-authentication-factory>
+                <http-authentication-factory name="application-http-authentication" security-domain="ApplicationDomain" http-server-mechanism-factory="global">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="BASIC">
+                            <mechanism-realm realm-name="ApplicationRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </http-authentication-factory>
+                <provider-http-server-mechanism-factory name="global"/>
+            </http>
+            <sasl>
+                <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
+                        <mechanism mechanism-name="DIGEST-MD5">
+                            <mechanism-realm realm-name="ApplicationRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </sasl-authentication-factory>
+                <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
+                        <mechanism mechanism-name="DIGEST-MD5">
+                            <mechanism-realm realm-name="ManagementRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </sasl-authentication-factory>
+                <configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
+                    <properties>
+                        <property name="wildfly.sasl.local-user.default-user" value="$local"/>
+                    </properties>
+                </configurable-sasl-server-factory>
+                <mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
+                    <filters>
+                        <filter provider-name="WildFlyElytron"/>
+                    </filters>
+                </mechanism-provider-filtering-sasl-server-factory>
+                <provider-sasl-server-factory name="global"/>
+            </sasl>
+            <tls>
+                <key-stores>
+                    <key-store name="applicationKS">
+                        <credential-reference clear-text="password"/>
+                        <implementation type="JKS"/>
+                        <file path="application.keystore" relative-to="jboss.server.config.dir"/>
+                    </key-store>
+                </key-stores>
+                <key-managers>
+                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
+                        <credential-reference clear-text="password"/>
+                    </key-manager>
+                </key-managers>
+                <server-ssl-contexts>
+                    <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
+                </server-ssl-contexts>
+            </tls>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
+        <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
+            <cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
+                <local-cache name="passivation">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store passivation="true" purge="false"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
+                <local-cache name="realms">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="users">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="sessions"/>
+                <local-cache name="authenticationSessions"/>
+                <local-cache name="offlineSessions"/>
+                <local-cache name="clientSessions"/>
+                <local-cache name="offlineClientSessions"/>
+                <local-cache name="loginFailures"/>
+                <local-cache name="work"/>
+                <local-cache name="authorization">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="keys">
+                    <heap-memory size="1000"/>
+                    <expiration max-idle="3600000"/>
+                </local-cache>
+                <local-cache name="actionTokens">
+                    <heap-memory size="-1"/>
+                    <expiration interval="300000" max-idle="-1"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
+                <local-cache name="default">
+                    <transaction mode="BATCH"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
+                <local-cache name="passivation">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store passivation="true" purge="false"/>
+                </local-cache>
+                <local-cache name="sso">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                </local-cache>
+                <local-cache name="routing"/>
+            </cache-container>
+            <cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
+                <local-cache name="entity">
+                    <heap-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </local-cache>
+                <local-cache name="local-query">
+                    <heap-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </local-cache>
+                <local-cache name="timestamps"/>
+            </cache-container>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:io:3.0">
+            <worker name="default"/>
+            <buffer-pool name="default"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
+        <subsystem xmlns="urn:jboss:domain:jca:5.0">
+            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
+            <bean-validation enabled="true"/>
+            <default-workmanager>
+                <short-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </short-running-threads>
+                <long-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </long-running-threads>
+            </default-workmanager>
+            <cached-connection-manager/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jmx:1.3">
+            <expose-resolved-model/>
+            <expose-expression-model/>
+            <remoting-connector/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
+            <jpa default-extended-persistence-inheritance="DEEP"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
+            <web-context>auth</web-context>
+            <providers>
+                <provider>
+                    classpath:${jboss.home.dir}/providers/*
+                </provider>
+            </providers>
+            <master-realm-name>master</master-realm-name>
+            <scheduled-task-interval>900</scheduled-task-interval>
+            <theme>
+                <staticMaxAge>2592000</staticMaxAge>
+                <cacheThemes>true</cacheThemes>
+                <cacheTemplates>true</cacheTemplates>
+                <dir>${jboss.home.dir}/themes</dir>
+            </theme>
+            <spi name="eventsStore">
+                <provider name="jpa" enabled="true">
+                    <properties>
+                        <property name="exclude-events" value="[&quot;REFRESH_TOKEN&quot;]"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="userCache">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="userSessionPersister">
+                <default-provider>jpa</default-provider>
+            </spi>
+            <spi name="timer">
+                <default-provider>basic</default-provider>
+            </spi>
+            <spi name="connectionsHttpClient">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="connectionsJpa">
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="dataSource" value="java:jboss/datasources/KeycloakDS"/>
+                        <property name="initializeEmpty" value="true"/>
+                        <property name="migrationStrategy" value="update"/>
+                        <property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="realmCache">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="connectionsInfinispan">
+                <default-provider>default</default-provider>
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="cacheContainer" value="java:jboss/infinispan/container/keycloak"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="jta-lookup">
+                <default-provider>${keycloak.jta.lookup.provider:jboss}</default-provider>
+                <provider name="jboss" enabled="true"/>
+            </spi>
+            <spi name="publicKeyStorage">
+                <provider name="infinispan" enabled="true">
+                    <properties>
+                        <property name="minTimeBetweenRequests" value="10"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="x509cert-lookup">
+                <default-provider>${keycloak.x509cert.lookup.provider:default}</default-provider>
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="hostname">
+                <default-provider>default</default-provider>
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
+                    </properties>
+                </provider>
+            </spi>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:mail:4.0">
+            <mail-session name="default" jndi-name="java:jboss/mail/Default">
+                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
+            </mail-session>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
+        <subsystem xmlns="urn:jboss:domain:naming:2.0">
+            <remote-naming/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
+            <http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="application-sasl-authentication"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
+            <deployment-permissions>
+                <maximum-set>
+                    <permission class="java.security.AllPermission"/>
+                </maximum-set>
+            </deployment-permissions>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:transactions:6.0">
+            <core-environment node-identifier="${jboss.tx.node.id:1}">
+                <process-id>
+                    <uuid/>
+                </process-id>
+            </core-environment>
+            <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
+            <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
+            <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
+            <buffer-cache name="default"/>
+            <server name="default-server">
+                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
+                <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
+                <host name="default-host" alias="localhost">
+                    <location name="/" handler="welcome-content"/>
+                    <http-invoker http-authentication-factory="application-http-authentication"/>
+                </host>
+            </server>
+            <servlet-container name="default">
+                <jsp-config/>
+                <websockets/>
+            </servlet-container>
+            <handlers>
+                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
+            </handlers>
+            <application-security-domains>
+                <application-security-domain name="other" security-domain="ApplicationDomain"/>
+            </application-security-domains>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
+    </profile>
+    <interfaces>
+        <interface name="management">
+            <inet-address value="127.0.0.1"/>
+        </interface>
+        <interface name="public">
+            <inet-address value="127.0.0.1"/>
+        </interface>
+    </interfaces>
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+        <socket-binding name="http" port="8081"/>
+        <socket-binding name="https" port="8443"/>
+        <socket-binding name="management-http" interface="management" port="19990"/>
+        <socket-binding name="management-https" interface="management" port="19991"/>
+        <socket-binding name="txn-recovery-environment" port="4712"/>
+        <socket-binding name="txn-status-manager" port="4713"/>
+        <outbound-socket-binding name="mail-smtp">
+            <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
+        </outbound-socket-binding>
+    </socket-binding-group>
+</server>

molecule/overridexml/verify.yml

@@ -0,0 +1,32 @@
+---
+- name: Verify
+  hosts: all
+  vars:
+    keycloak_uri: "http://localhost:8081"
+    keycloak_management_port: "http://localhost:19990"
+    keycloak_admin_password: "remembertochangeme"
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+    - name: Verify we are running on requested jvm # noqa blocked_modules command-instead-of-module
+      ansible.builtin.shell: |
+        set -o pipefail
+        ps -ef | grep '/etc/alternatives/jre_1.8.0/' | grep -v grep
+      args:
+        executable: /bin/bash
+      changed_when: no
+    - name: Verify token api call
+      ansible.builtin.uri:
+        url: "{{ keycloak_uri }}/auth/realms/master/protocol/openid-connect/token"
+        method: POST
+        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
+        validate_certs: no
+      register: keycloak_auth_response
+      until: keycloak_auth_response.status == 200
+      retries: 2
+      delay: 2

molecule/prepare.yml

@@ -0,0 +1,58 @@
+---
+- name: Display Ansible version
+  ansible.builtin.debug:
+    msg: "Ansible version is  {{ ansible_version.full }}"
+
+- name: "Set package name for sudo"
+  ansible.builtin.set_fact:
+    sudo_pkg_name: sudo
+
+- name: "Ensure {{ sudo_pkg_name }} is installed (if user is root)."
+  ansible.builtin.yum:
+    name: "{{ sudo_pkg_name }}"
+    state: present
+  when:
+    - ansible_user_id == 'root'
+
+- name: Gather the package facts
+  ansible.builtin.package_facts:
+    manager: auto
+
+- name: "Check if sudo is installed."
+  ansible.builtin.assert:
+    that:
+      - sudo_pkg_name in ansible_facts.packages
+    fail_msg: "sudo is not installed on target system"
+
+- name: "Install iproute"
+  become: true
+  ansible.builtin.yum:
+    name:
+      - iproute
+    state: present
+
+- name: "Retrieve assets server from env"
+  ansible.builtin.set_fact:
+    assets_server: "{{ lookup('env', 'MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
+
+- name: "Download artefacts only if assets_server is set"
+  when:
+    - assets_server is defined
+    - assets_server | length > 0
+    - assets is defined
+    - assets | length > 0
+  block:
+    - name: "Set offline when assets server from env is defined"
+      ansible.builtin.set_fact:
+        sso_offline_install: True
+
+    - name: "Download and deploy zips from {{ assets_server }}"
+      ansible.builtin.get_url:
+        url: "{{ asset }}"
+        dest: "{{ lookup('env', 'PWD') }}"
+        validate_certs: no
+        mode: '0644'
+      delegate_to: localhost
+      loop: "{{ assets }}"
+      loop_control:
+        loop_var: asset

molecule/quarkus-devmode/converge.yml

@@ -0,0 +1,44 @@
+---
+- name: Converge
+  hosts: all
+  vars: 
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_realm: TestRealm
+    keycloak_quarkus_log: file
+    keycloak_quarkus_frontend_url: 'http://localhost:8080/'
+    keycloak_quarkus_start_dev: True
+    keycloak_quarkus_proxy_mode: none
+    keycloak_quarkus_java_home: /opt/openjdk/
+  roles:
+    - role: keycloak_quarkus
+    - role: keycloak_realm
+      keycloak_context: ''
+      keycloak_client_default_roles:
+        - TestRoleAdmin
+        - TestRoleUser
+      keycloak_client_users:
+        - username: TestUser
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+        - username: TestAdmin
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+            - client: TestClient
+              role: TestRoleAdmin
+              realm: "{{ keycloak_realm }}"
+      keycloak_realm: TestRealm
+      keycloak_clients:
+        - name: TestClient
+          roles: "{{ keycloak_client_default_roles }}"
+          realm: "{{ keycloak_realm }}"
+          public_client: "{{ keycloak_client_public }}"
+          web_origins: "{{ keycloak_client_web_origins }}"
+          users: "{{ keycloak_client_users }}"
+          client_id: TestClient

molecule/quarkus-devmode/molecule.yml

@@ -0,0 +1,45 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    port_bindings:
+      - "8080/tcp"
+      - "8009/tcp"
+    published_ports:
+      - 0.0.0.0:8080:8080/tcp
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/quarkus-devmode/prepare.yml

@@ -0,0 +1,49 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Install sudo
+      ansible.builtin.apt:
+        name:
+          - sudo
+          - openjdk-17-jdk-headless
+        state: present
+      when:
+        - ansible_facts.os_family == 'Debian'
+
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
+
+    - name: Install JDK17
+      become: yes
+      ansible.builtin.yum:
+        name:
+          - java-17-openjdk-headless
+        state: present
+      when:
+        - ansible_facts.os_family == 'RedHat'
+
+    - name: Link default logs directory
+      become: yes
+      ansible.builtin.file:
+        state: link
+        src: "{{ item }}"
+        dest: /opt/openjdk
+        force: true
+      with_fileglob:
+        - /usr/lib/jvm/java-17-openjdk*
+      when:
+        - ansible_facts.os_family == "Debian"
+
+    - name: Link default logs directory
+      ansible.builtin.file:
+        state: link
+        src: /usr/lib/jvm/jre-17-openjdk
+        dest: /opt/openjdk
+        force: true
+      when:
+        - ansible_facts.os_family == "RedHat"
+
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"

molecule/quarkus-devmode/roles

@@ -0,0 +1 @@
+../../roles

molecule/quarkus-devmode/verify.yml

@@ -0,0 +1,47 @@
+---
+- name: Verify
+  hosts: all
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+
+    - name: Verify we are running on requested JAVA_HOME # noqa blocked_modules command-instead-of-module
+      ansible.builtin.shell: |
+        set -o pipefail
+        ps -ef | grep '/opt/openjdk' | grep -v grep
+      args:
+        executable: /bin/bash
+      changed_when: False
+
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: Verify openid config
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.shell: |
+            set -o pipefail
+            curl http://localhost:8080/realms/master/.well-known/openid-configuration -k | jq .
+          args:
+            executable: /bin/bash
+          delegate_to: localhost
+          register: openid_config
+          changed_when: False
+        - name: Verify endpoint URLs
+          ansible.builtin.assert:
+            that:
+              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'http://localhost:8080/realms/master/protocol/openid-connect/ext/ciba/auth'
+              - (openid_config.stdout | from_json)['issuer'] == 'http://localhost:8080/realms/master'
+              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/auth'
+              - (openid_config.stdout | from_json)['token_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/token'
+          delegate_to: localhost
+      when:
+        - hera_home is defined
+        - hera_home | length == 0

molecule/quarkus/converge.yml

@@ -0,0 +1,65 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_realm: TestRealm
+    keycloak_quarkus_host: instance
+    keycloak_quarkus_log: file
+    keycloak_quarkus_log_level: debug
+    keycloak_quarkus_https_key_file_enabled: true
+    keycloak_quarkus_key_file_copy_enabled: true
+    keycloak_quarkus_key_content: "{{ lookup('file', 'key.pem') }}"
+    keycloak_quarkus_cert_file_copy_enabled: true
+    keycloak_quarkus_cert_file_src: cert.pem
+    keycloak_quarkus_log_target: /tmp/keycloak
+    keycloak_quarkus_ks_vault_enabled: true
+    keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
+    keycloak_quarkus_ks_vault_pass: keystorepassword
+    keycloak_quarkus_systemd_wait_for_port: true
+    keycloak_quarkus_systemd_wait_for_timeout: 20
+    keycloak_quarkus_systemd_wait_for_delay: 2
+    keycloak_quarkus_systemd_wait_for_log: true
+    keycloak_quarkus_providers:
+      - id: http-client
+        spi: connections
+        default: true
+        restart: true
+        properties:
+          - key: default-connection-pool-size
+            value: 10
+      - id: spid-saml
+        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
+  roles:
+    - role: keycloak_quarkus
+    - role: keycloak_realm
+      keycloak_context: ''
+      keycloak_client_default_roles:
+        - TestRoleAdmin
+        - TestRoleUser
+      keycloak_client_users:
+        - username: TestUser
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+        - username: TestAdmin
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+            - client: TestClient
+              role: TestRoleAdmin
+              realm: "{{ keycloak_realm }}"
+      keycloak_realm: TestRealm
+      keycloak_clients:
+        - name: TestClient
+          roles: "{{ keycloak_client_default_roles }}"
+          realm: "{{ keycloak_realm }}"
+          public_client: "{{ keycloak_client_public }}"
+          web_origins: "{{ keycloak_client_web_origins }}"
+          users: "{{ keycloak_client_users }}"
+          client_id: TestClient

molecule/quarkus/molecule.yml

@@ -0,0 +1,46 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "8009/tcp"
+    published_ports:
+      - 0.0.0.0:8443:8443/tcp
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/quarkus/prepare.yml

@@ -0,0 +1,44 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
+
+    - name: Create certificate request
+      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+      delegate_to: localhost
+      changed_when: False
+
+    - name: Create vault directory
+      become: true
+      ansible.builtin.file:
+        state: directory
+        path: "/opt/keycloak/vault"
+        mode: 0755
+
+    - name: Make sure a jre is available (for keytool to prepare keystore)
+      delegate_to: localhost
+      ansible.builtin.package:
+        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
+        state: present
+      become: true
+      failed_when: false
+
+    - name: Create vault keystore
+      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
+      delegate_to: localhost
+      register: keytool_cmd
+      changed_when: False
+      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
+
+    - name: Copy certificates and vault
+      become: true
+      ansible.builtin.copy:
+        src: keystore.p12
+        dest: /opt/keycloak/vault/keystore.p12
+        mode: 0444

molecule/quarkus/roles

@@ -0,0 +1 @@
+../../roles

molecule/quarkus/verify.yml

@@ -0,0 +1,86 @@
+---
+- name: Verify
+  hosts: all
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+        fail_msg: "Service not running"
+
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: Verify openid config
+      when:
+        - hera_home is defined
+        - hera_home | length == 0
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.shell: |
+            set -o pipefail
+            curl -H 'Host: instance' https://localhost:8443/realms/master/.well-known/openid-configuration -k | jq .
+          args:
+            executable: /bin/bash
+          delegate_to: localhost
+          register: openid_config
+          changed_when: False
+        - name: Verify endpoint URLs
+          ansible.builtin.assert:
+            that:
+              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance/realms/master/protocol/openid-connect/ext/ciba/auth'
+              - (openid_config.stdout | from_json)['issuer'] == 'https://instance/realms/master'
+              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/auth'
+              - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/token'
+          delegate_to: localhost
+
+    - name: Check log folder
+      ansible.builtin.stat:
+        path: /tmp/keycloak
+      register: keycloak_log_folder
+
+    - name: Check that keycloak log folder exists and is a link
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_folder.stat.exists
+          - not keycloak_log_folder.stat.isdir
+          - keycloak_log_folder.stat.islnk
+        fail_msg: "Service log symlink not correctly created"
+
+    - name: Check log file
+      become: true
+      ansible.builtin.stat:
+        path: /tmp/keycloak/keycloak.log
+      register: keycloak_log_file
+
+    - name: Check if keycloak file exists
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_file.stat.exists
+          - not keycloak_log_file.stat.isdir
+
+    - name: Check default log folder
+      become: yes
+      ansible.builtin.stat:
+        path: /var/log/keycloak
+      register: keycloak_default_log_folder
+      failed_when: false
+
+    - name: Check that default keycloak log folder doesn't exist
+      ansible.builtin.assert:
+        that:
+          - not keycloak_default_log_folder.stat.exists
+
+    - name: Verify vault SPI in logfile
+      become: true
+      ansible.builtin.shell: |
+        set -o pipefail
+        zgrep 'Configured KeystoreVaultProviderFactory with the keystore file' /opt/keycloak/keycloak-*/data/log/keycloak.log*zip
+      changed_when: false
+      failed_when: slurped_log.rc != 0
+      register: slurped_log

molecule/requirements.yml

@@ -0,0 +1,11 @@
+---
+collections:
+  - name: middleware_automation.common
+  - name: middleware_automation.jbcs
+  - name: community.general
+  - name: ansible.posix
+  - name: community.docker
+    version: ">=3.8.0"
+
+roles:
+  - name: elan.simple_nginx_reverse_proxy

playbooks/keycloak.yml

@@ -1,36 +1,7 @@
 ---
 - name: Playbook for Keycloak Hosts
-  hosts: keycloak
-  collections:
-    - middleware_automation.redhat_csp_download
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
   roles:
-    - redhat_csp_download
-  tasks:
-    - name: Keycloak Role
-      include_role:
-        name: keycloak
-      vars:
-        keycloak_admin_password: "changeme"
-    - name: Keycloak Realm Role
-      include_role:
-        name: keycloak_realm
-      vars:
-        keycloak_admin_password: "changeme"
-        keycloak_realm: TestRealm
-        keycloak_clients:
-          - name: TestClient1
-            roles:
-              - TestClient1Admin
-              - TestClient1User
-            realm: "{{ keycloak_realm }}"
-            public_client: True
-            web_origins:
-              - http://testclient1origin/application
-              - http://testclient1origin/other
-            users:
-            - username: TestUser
-              password: password
-              client_roles:
-                - client: TestClient1
-                  role: TestClient1User
-                  realm: "{{ keycloak_realm }}"
+    - middleware_automation.keycloak.keycloak

playbooks/keycloak_federation.yml

@@ -0,0 +1,68 @@
+---
+- name: Playbook for Keycloak Hosts
+  hosts: all
+  tasks:
+    - name: Keycloak Realm Role
+      ansible.builtin.include_role:
+        name: keycloak_realm
+      vars:
+        keycloak_admin_password: "remembertochangeme"
+        keycloak_realm: TestRealm
+        keycloak_user_federation:
+          - realm: TestRealm
+            name: my-ldap
+            provider_id: ldap
+            provider_type: org.keycloak.storage.UserStorageProvider
+            config:
+              priority: '0'
+              enabled: true
+              cachePolicy: DEFAULT
+              batchSizeForSync: '1000'
+              editMode: READ_ONLY
+              importEnabled: true
+              syncRegistrations: false
+              vendor: other
+              usernameLDAPAttribute: uid
+              rdnLDAPAttribute: uid
+              uuidLDAPAttribute: entryUUID
+              userObjectClasses: inetOrgPerson, organizationalPerson
+              connectionUrl: ldaps://ldap.example.com:636
+              usersDn: ou=Users,dc=example,dc=com
+              authType: simple
+              bindDn: cn=directory reader
+              bindCredential: password
+              searchScope: '1'
+              validatePasswordPolicy: false
+              trustEmail: false
+              useTruststoreSpi: ldapsOnly
+              connectionPooling: true
+              pagination: true
+              allowKerberosAuthentication: false
+              debug: false
+              useKerberosForPasswordAuthentication: false
+            mappers:
+              - name: "full name"
+                providerId: "full-name-ldap-mapper"
+                providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+                config:
+                  ldap.full.name.attribute: cn
+                  read.only: true
+                  write.only: false
+        keycloak_clients:
+          - name: TestClient1
+            client_id: TestClient1
+            roles:
+              - TestClient1Admin
+              - TestClient1User
+            realm: "{{ keycloak_realm }}"
+            public_client: true
+            web_origins:
+              - http://testclient1origin/application
+              - http://testclient1origin/other
+            users:
+              - username: TestUser
+                password: password
+                client_roles:
+                  - client: TestClient1
+                    role: TestClient1User
+                    realm: "{{ keycloak_realm }}"

playbooks/keycloak_quarkus.yml

@@ -0,0 +1,11 @@
+---
+- name: Playbook for Keycloak X Hosts with HTTPS enabled
+  hosts: all
+  vars:
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_quarkus_host: localhost
+    keycloak_quarkus_port: 8443
+    keycloak_quarkus_log: file
+    keycloak_quarkus_proxy_mode: none
+  roles:
+    - middleware_automation.keycloak.keycloak_quarkus

playbooks/keycloak_quarkus_dev.yml

@@ -0,0 +1,12 @@
+---
+- name: Playbook for Keycloak X Hosts in develop mode
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_host: localhost
+    keycloak_quarkus_port: 8080
+    keycloak_quarkus_log: file
+    keycloak_quarkus_start_dev: true
+    keycloak_quarkus_proxy_mode: none
+  roles:
+    - middleware_automation.keycloak.keycloak_quarkus

playbooks/keycloak_realm.yml

@@ -0,0 +1,26 @@
+---
+- name: Playbook for Keycloak Hosts
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_clients:
+      - name: TestClient1
+        client_id: TestClient1
+        roles:
+          - TestClient1Admin
+          - TestClient1User
+        realm: TestRealm
+        public_client: true
+        web_origins:
+          - http://testclient1origin/application
+          - http://testclient1origin/other
+        users:
+          - username: TestUser
+            password: password
+            client_roles:
+              - client: TestClient1
+                role: TestClient1User
+                realm: TestRealm
+  roles:
+    - role: middleware_automation.keycloak.keycloak_realm
+      keycloak_realm: TestRealm

playbooks/rhsso.yml

@@ -0,0 +1,8 @@
+---
+- name: Playbook for Red Hat SSO Hosts
+  hosts: sso
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    sso_enable: true
+  roles:
+    - middleware_automation.keycloak.keycloak

playbooks/roles

@@ -0,0 +1 @@
+../roles

plugins/doc_fragments/attributes.py

@@ -0,0 +1,93 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+
+class ModuleDocFragment(object):
+
+    # Standard documentation fragment
+    DOCUMENTATION = r'''
+options: {}
+attributes:
+    check_mode:
+      description: Can run in C(check_mode) and return changed status prediction without modifying target.
+    diff_mode:
+      description: Will return details on what has changed (or possibly needs changing in C(check_mode)), when in diff mode.
+'''
+
+    PLATFORM = r'''
+options: {}
+attributes:
+    platform:
+      description: Target OS/families that can be operated against.
+      support: N/A
+'''
+
+    # Should be used together with the standard fragment
+    INFO_MODULE = r'''
+options: {}
+attributes:
+    check_mode:
+      support: full
+      details:
+        - This action does not modify state.
+    diff_mode:
+      support: N/A
+      details:
+        - This action does not modify state.
+'''
+
+    CONN = r'''
+options: {}
+attributes:
+    become:
+      description: Is usable alongside C(become) keywords.
+    connection:
+      description: Uses the target's configured connection information to execute code on it.
+    delegation:
+      description: Can be used in conjunction with C(delegate_to) and related keywords.
+'''
+
+    FACTS = r'''
+options: {}
+attributes:
+    facts:
+      description: Action returns an C(ansible_facts) dictionary that will update existing host facts.
+'''
+
+    # Should be used together with the standard fragment and the FACTS fragment
+    FACTS_MODULE = r'''
+options: {}
+attributes:
+    check_mode:
+      support: full
+      details:
+        - This action does not modify state.
+    diff_mode:
+      support: N/A
+      details:
+        - This action does not modify state.
+    facts:
+      support: full
+'''
+
+    FILES = r'''
+options: {}
+attributes:
+    safe_file_operations:
+      description: Uses Ansible's strict file operation functions to ensure proper permissions and avoid data corruption.
+'''
+
+    FLOW = r'''
+options: {}
+attributes:
+    action:
+      description: Indicates this has a corresponding action plugin so some parts of the options can be executed on the controller.
+    async:
+      description: Supports being used with the C(async) keyword.
+'''

plugins/doc_fragments/keycloak.py

@@ -0,0 +1,78 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2017, Eike Frost <ei@kefro.st>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+
+class ModuleDocFragment(object):
+
+    # Standard documentation fragment
+    DOCUMENTATION = r'''
+options:
+    auth_keycloak_url:
+        description:
+            - URL to the Keycloak instance.
+        type: str
+        required: true
+        aliases:
+          - url
+
+    auth_client_id:
+        description:
+            - OpenID Connect I(client_id) to authenticate to the API with.
+        type: str
+        default: admin-cli
+
+    auth_realm:
+        description:
+            - Keycloak realm name to authenticate to for API access.
+        type: str
+
+    auth_client_secret:
+        description:
+            - Client Secret to use in conjunction with I(auth_client_id) (if required).
+        type: str
+
+    auth_username:
+        description:
+            - Username to authenticate for API access with.
+        type: str
+        aliases:
+          - username
+
+    auth_password:
+        description:
+            - Password to authenticate for API access with.
+        type: str
+        aliases:
+          - password
+
+    token:
+        description:
+            - Authentication token for Keycloak API.
+        type: str
+        version_added: 3.0.0
+
+    validate_certs:
+        description:
+            - Verify TLS certificates (do not disable this in production).
+        type: bool
+        default: true
+
+    connection_timeout:
+        description:
+            - Controls the HTTP connections timeout period (in seconds) to Keycloak API.
+        type: int
+        default: 10
+        version_added: 4.5.0
+    http_agent:
+        description:
+            - Configures the HTTP User-Agent header.
+        type: str
+        default: Ansible
+        version_added: 5.4.0
+'''

plugins/modules/keycloak_client.py

@@ -0,0 +1,984 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2017, Eike Frost <ei@kefro.st>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+DOCUMENTATION = '''
+---
+module: keycloak_client
+
+short_description: Allows administration of Keycloak clients via Keycloak API
+
+
+description:
+    - This module allows the administration of Keycloak clients via the Keycloak REST API. It
+      requires access to the REST API via OpenID Connect; the user connecting and the client being
+      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+      and an admin user would work, as would a separate client definition with the scope tailored
+      to your needs and a user having the expected roles.
+
+    - The names of module options are snake_cased versions of the camelCase ones found in the
+      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
+      Aliases are provided so camelCased versions can be used as well.
+
+    - The Keycloak API does not always sanity check inputs e.g. you can set
+      SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful.
+      If you do not specify a setting, usually a sensible default is chosen.
+
+attributes:
+    check_mode:
+        support: full
+    diff_mode:
+        support: full
+
+options:
+    state:
+        description:
+            - State of the client
+            - On C(present), the client will be created (or updated if it exists already).
+            - On C(absent), the client will be removed if it exists
+        choices: ['present', 'absent']
+        default: 'present'
+        type: str
+
+    realm:
+        description:
+            - The realm to create the client in.
+        type: str
+        default: master
+
+    client_id:
+        description:
+            - Client id of client to be worked on. This is usually an alphanumeric name chosen by
+              you. Either this or I(id) is required. If you specify both, I(id) takes precedence.
+              This is 'clientId' in the Keycloak REST API.
+        aliases:
+            - clientId
+        type: str
+
+    id:
+        description:
+            - Id of client to be worked on. This is usually an UUID. Either this or I(client_id)
+              is required. If you specify both, this takes precedence.
+        type: str
+
+    name:
+        description:
+            - Name of the client (this is not the same as I(client_id)).
+        type: str
+
+    description:
+        description:
+            - Description of the client in Keycloak.
+        type: str
+
+    root_url:
+        description:
+            - Root URL appended to relative URLs for this client.
+              This is 'rootUrl' in the Keycloak REST API.
+        aliases:
+            - rootUrl
+        type: str
+
+    admin_url:
+        description:
+            - URL to the admin interface of the client.
+              This is 'adminUrl' in the Keycloak REST API.
+        aliases:
+            - adminUrl
+        type: str
+
+    base_url:
+        description:
+            - Default URL to use when the auth server needs to redirect or link back to the client
+              This is 'baseUrl' in the Keycloak REST API.
+        aliases:
+            - baseUrl
+        type: str
+
+    enabled:
+        description:
+            - Is this client enabled or not?
+        type: bool
+
+    client_authenticator_type:
+        description:
+            - How do clients authenticate with the auth server? Either C(client-secret) or
+              C(client-jwt) can be chosen. When using C(client-secret), the module parameter
+              I(secret) can set it, while for C(client-jwt), you can use the keys C(use.jwks.url),
+              C(jwks.url), and C(jwt.credential.certificate) in the I(attributes) module parameter
+              to configure its behavior.
+              This is 'clientAuthenticatorType' in the Keycloak REST API.
+        choices: ['client-secret', 'client-jwt']
+        aliases:
+            - clientAuthenticatorType
+        type: str
+
+    secret:
+        description:
+            - When using I(client_authenticator_type) C(client-secret) (the default), you can
+              specify a secret here (otherwise one will be generated if it does not exit). If
+              changing this secret, the module will not register a change currently (but the
+              changed secret will be saved).
+        type: str
+
+    registration_access_token:
+        description:
+            - The registration access token provides access for clients to the client registration
+              service.
+              This is 'registrationAccessToken' in the Keycloak REST API.
+        aliases:
+            - registrationAccessToken
+        type: str
+
+    default_roles:
+        description:
+            - list of default roles for this client. If the client roles referenced do not exist
+              yet, they will be created.
+              This is 'defaultRoles' in the Keycloak REST API.
+        aliases:
+            - defaultRoles
+        type: list
+        elements: str
+
+    redirect_uris:
+        description:
+            - Acceptable redirect URIs for this client.
+              This is 'redirectUris' in the Keycloak REST API.
+        aliases:
+            - redirectUris
+        type: list
+        elements: str
+
+    web_origins:
+        description:
+            - List of allowed CORS origins.
+              This is 'webOrigins' in the Keycloak REST API.
+        aliases:
+            - webOrigins
+        type: list
+        elements: str
+
+    not_before:
+        description:
+            - Revoke any tokens issued before this date for this client (this is a UNIX timestamp).
+              This is 'notBefore' in the Keycloak REST API.
+        type: int
+        aliases:
+            - notBefore
+
+    bearer_only:
+        description:
+            - The access type of this client is bearer-only.
+              This is 'bearerOnly' in the Keycloak REST API.
+        aliases:
+            - bearerOnly
+        type: bool
+
+    consent_required:
+        description:
+            - If enabled, users have to consent to client access.
+              This is 'consentRequired' in the Keycloak REST API.
+        aliases:
+            - consentRequired
+        type: bool
+
+    standard_flow_enabled:
+        description:
+            - Enable standard flow for this client or not (OpenID connect).
+              This is 'standardFlowEnabled' in the Keycloak REST API.
+        aliases:
+            - standardFlowEnabled
+        type: bool
+
+    implicit_flow_enabled:
+        description:
+            - Enable implicit flow for this client or not (OpenID connect).
+              This is 'implicitFlowEnabled' in the Keycloak REST API.
+        aliases:
+            - implicitFlowEnabled
+        type: bool
+
+    direct_access_grants_enabled:
+        description:
+            - Are direct access grants enabled for this client or not (OpenID connect).
+              This is 'directAccessGrantsEnabled' in the Keycloak REST API.
+        aliases:
+            - directAccessGrantsEnabled
+        type: bool
+
+    service_accounts_enabled:
+        description:
+            - Are service accounts enabled for this client or not (OpenID connect).
+              This is 'serviceAccountsEnabled' in the Keycloak REST API.
+        aliases:
+            - serviceAccountsEnabled
+        type: bool
+
+    authorization_services_enabled:
+        description:
+            - Are authorization services enabled for this client or not (OpenID connect).
+              This is 'authorizationServicesEnabled' in the Keycloak REST API.
+        aliases:
+            - authorizationServicesEnabled
+        type: bool
+
+    public_client:
+        description:
+            - Is the access type for this client public or not.
+              This is 'publicClient' in the Keycloak REST API.
+        aliases:
+            - publicClient
+        type: bool
+
+    frontchannel_logout:
+        description:
+            - Is frontchannel logout enabled for this client or not.
+              This is 'frontchannelLogout' in the Keycloak REST API.
+        aliases:
+            - frontchannelLogout
+        type: bool
+
+    protocol:
+        description:
+            - Type of client (either C(openid-connect) or C(saml).
+        type: str
+        choices: ['openid-connect', 'saml']
+
+    full_scope_allowed:
+        description:
+            - Is the "Full Scope Allowed" feature set for this client or not.
+              This is 'fullScopeAllowed' in the Keycloak REST API.
+        aliases:
+            - fullScopeAllowed
+        type: bool
+
+    node_re_registration_timeout:
+        description:
+            - Cluster node re-registration timeout for this client.
+              This is 'nodeReRegistrationTimeout' in the Keycloak REST API.
+        type: int
+        aliases:
+            - nodeReRegistrationTimeout
+
+    registered_nodes:
+        description:
+            - dict of registered cluster nodes (with C(nodename) as the key and last registration
+              time as the value).
+              This is 'registeredNodes' in the Keycloak REST API.
+        type: dict
+        aliases:
+            - registeredNodes
+
+    client_template:
+        description:
+            - Client template to use for this client. If it does not exist this field will silently
+              be dropped.
+              This is 'clientTemplate' in the Keycloak REST API.
+        type: str
+        aliases:
+            - clientTemplate
+
+    use_template_config:
+        description:
+            - Whether or not to use configuration from the I(client_template).
+              This is 'useTemplateConfig' in the Keycloak REST API.
+        aliases:
+            - useTemplateConfig
+        type: bool
+
+    use_template_scope:
+        description:
+            - Whether or not to use scope configuration from the I(client_template).
+              This is 'useTemplateScope' in the Keycloak REST API.
+        aliases:
+            - useTemplateScope
+        type: bool
+
+    use_template_mappers:
+        description:
+            - Whether or not to use mapper configuration from the I(client_template).
+              This is 'useTemplateMappers' in the Keycloak REST API.
+        aliases:
+            - useTemplateMappers
+        type: bool
+
+    always_display_in_console:
+        description:
+            - Whether or not to display this client in account console, even if the
+              user does not have an active session.
+        aliases:
+            - alwaysDisplayInConsole
+        type: bool
+        version_added: 4.7.0
+
+    surrogate_auth_required:
+        description:
+            - Whether or not surrogate auth is required.
+              This is 'surrogateAuthRequired' in the Keycloak REST API.
+        aliases:
+            - surrogateAuthRequired
+        type: bool
+
+    authorization_settings:
+        description:
+            - a data structure defining the authorization settings for this client. For reference,
+              please see the Keycloak API docs at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html#_resourceserverrepresentation).
+              This is 'authorizationSettings' in the Keycloak REST API.
+        type: dict
+        aliases:
+            - authorizationSettings
+
+    authentication_flow_binding_overrides:
+        description:
+            - Override realm authentication flow bindings.
+        type: dict
+        aliases:
+            - authenticationFlowBindingOverrides
+        version_added: 3.4.0
+
+    default_client_scopes:
+        description:
+            - List of default client scopes.
+        aliases:
+            - defaultClientScopes
+        type: list
+        elements: str
+        version_added: 4.7.0
+
+    optional_client_scopes:
+        description:
+            - List of optional client scopes.
+        aliases:
+            - optionalClientScopes
+        type: list
+        elements: str
+        version_added: 4.7.0
+
+    protocol_mappers:
+        description:
+            - a list of dicts defining protocol mappers for this client.
+              This is 'protocolMappers' in the Keycloak REST API.
+        aliases:
+            - protocolMappers
+        type: list
+        elements: dict
+        suboptions:
+            consentRequired:
+                description:
+                    - Specifies whether a user needs to provide consent to a client for this mapper to be active.
+                type: bool
+
+            consentText:
+                description:
+                    - The human-readable name of the consent the user is presented to accept.
+                type: str
+
+            id:
+                description:
+                    - Usually a UUID specifying the internal ID of this protocol mapper instance.
+                type: str
+
+            name:
+                description:
+                    - The name of this protocol mapper.
+                type: str
+
+            protocol:
+                description:
+                    - This is either C(openid-connect) or C(saml), this specifies for which protocol this protocol mapper.
+                      is active.
+                choices: ['openid-connect', 'saml']
+                type: str
+
+            protocolMapper:
+                description:
+                    - The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is
+                      impossible to provide since this may be extended through SPIs by the user of Keycloak,
+                      by default Keycloak as of 3.4 ships with at least
+                    - C(docker-v2-allow-all-mapper)
+                    - C(oidc-address-mapper)
+                    - C(oidc-full-name-mapper)
+                    - C(oidc-group-membership-mapper)
+                    - C(oidc-hardcoded-claim-mapper)
+                    - C(oidc-hardcoded-role-mapper)
+                    - C(oidc-role-name-mapper)
+                    - C(oidc-script-based-protocol-mapper)
+                    - C(oidc-sha256-pairwise-sub-mapper)
+                    - C(oidc-usermodel-attribute-mapper)
+                    - C(oidc-usermodel-client-role-mapper)
+                    - C(oidc-usermodel-property-mapper)
+                    - C(oidc-usermodel-realm-role-mapper)
+                    - C(oidc-usersessionmodel-note-mapper)
+                    - C(saml-group-membership-mapper)
+                    - C(saml-hardcode-attribute-mapper)
+                    - C(saml-hardcode-role-mapper)
+                    - C(saml-role-list-mapper)
+                    - C(saml-role-name-mapper)
+                    - C(saml-user-attribute-mapper)
+                    - C(saml-user-property-mapper)
+                    - C(saml-user-session-note-mapper)
+                    - An exhaustive list of available mappers on your installation can be obtained on
+                      the admin console by going to Server Info -> Providers and looking under
+                      'protocol-mapper'.
+                type: str
+
+            config:
+                description:
+                    - Dict specifying the configuration options for the protocol mapper; the
+                      contents differ depending on the value of I(protocolMapper) and are not documented
+                      other than by the source of the mappers and its parent class(es). An example is given
+                      below. It is easiest to obtain valid config values by dumping an already-existing
+                      protocol mapper configuration through check-mode in the I(existing) field.
+                type: dict
+
+    attributes:
+        description:
+            - A dict of further attributes for this client. This can contain various configuration
+              settings; an example is given in the examples section. While an exhaustive list of
+              permissible options is not available; possible options as of Keycloak 3.4 are listed below. The Keycloak
+              API does not validate whether a given option is appropriate for the protocol used; if specified
+              anyway, Keycloak will simply not use it.
+        type: dict
+        suboptions:
+            saml.authnstatement:
+                description:
+                    - For SAML clients, boolean specifying whether or not a statement containing method and timestamp
+                      should be included in the login response.
+
+            saml.client.signature:
+                description:
+                    - For SAML clients, boolean specifying whether a client signature is required and validated.
+
+            saml.encrypt:
+                description:
+                    - Boolean specifying whether SAML assertions should be encrypted with the client's public key.
+
+            saml.force.post.binding:
+                description:
+                    - For SAML clients, boolean specifying whether always to use POST binding for responses.
+
+            saml.onetimeuse.condition:
+                description:
+                    - For SAML clients, boolean specifying whether a OneTimeUse condition should be included in login responses.
+
+            saml.server.signature:
+                description:
+                    - Boolean specifying whether SAML documents should be signed by the realm.
+
+            saml.server.signature.keyinfo.ext:
+                description:
+                    - For SAML clients, boolean specifying whether REDIRECT signing key lookup should be optimized through inclusion
+                      of the signing key id in the SAML Extensions element.
+
+            saml.signature.algorithm:
+                description:
+                    - Signature algorithm used to sign SAML documents. One of C(RSA_SHA256), C(RSA_SHA1), C(RSA_SHA512), or C(DSA_SHA1).
+
+            saml.signing.certificate:
+                description:
+                    - SAML signing key certificate, base64-encoded.
+
+            saml.signing.private.key:
+                description:
+                    - SAML signing key private key, base64-encoded.
+
+            saml_assertion_consumer_url_post:
+                description:
+                    - SAML POST Binding URL for the client's assertion consumer service (login responses).
+
+            saml_assertion_consumer_url_redirect:
+                description:
+                    - SAML Redirect Binding URL for the client's assertion consumer service (login responses).
+
+
+            saml_force_name_id_format:
+                description:
+                    - For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured one instead.
+
+            saml_name_id_format:
+                description:
+                    - For SAML clients, the NameID format to use (one of C(username), C(email), C(transient), or C(persistent))
+
+            saml_signature_canonicalization_method:
+                description:
+                    - SAML signature canonicalization method. This is one of four values, namely
+                      C(http://www.w3.org/2001/10/xml-exc-c14n#) for EXCLUSIVE,
+                      C(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS,
+                      C(http://www.w3.org/TR/2001/REC-xml-c14n-20010315) for INCLUSIVE, and
+                      C(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS.
+
+            saml_single_logout_service_url_post:
+                description:
+                    - SAML POST binding url for the client's single logout service.
+
+            saml_single_logout_service_url_redirect:
+                description:
+                    - SAML redirect binding url for the client's single logout service.
+
+            user.info.response.signature.alg:
+                description:
+                    - For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of C(RS256) or C(unsigned).
+
+            request.object.signature.alg:
+                description:
+                    - For OpenID-Connect clients, JWA algorithm which the client needs to use when sending
+                      OIDC request object. One of C(any), C(none), C(RS256).
+
+            use.jwks.url:
+                description:
+                    - For OpenID-Connect clients, boolean specifying whether to use a JWKS URL to obtain client
+                      public keys.
+
+            jwks.url:
+                description:
+                    - For OpenID-Connect clients, URL where client keys in JWK are stored.
+
+            jwt.credential.certificate:
+                description:
+                    - For OpenID-Connect clients, client certificate for validating JWT issued by
+                      client and signed by its key, base64-encoded.
+
+extends_documentation_fragment:
+    - middleware_automation.keycloak.keycloak
+    - middleware_automation.keycloak.attributes
+
+author:
+    - Eike Frost (@eikef)
+'''
+
+EXAMPLES = '''
+- name: Create or update Keycloak client (minimal example), authentication with credentials
+  middleware_automation.keycloak.keycloak_client:
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    client_id: test
+    state: present
+  delegate_to: localhost
+
+
+- name: Create or update Keycloak client (minimal example), authentication with token
+  middleware_automation.keycloak.keycloak_client:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    token: TOKEN
+    client_id: test
+    state: present
+  delegate_to: localhost
+
+
+- name: Delete a Keycloak client
+  middleware_automation.keycloak.keycloak_client:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    client_id: test
+    state: absent
+  delegate_to: localhost
+
+
+- name: Create or update a Keycloak client (with all the bells and whistles)
+  middleware_automation.keycloak.keycloak_client:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    state: present
+    realm: master
+    client_id: test
+    id: d8b127a3-31f6-44c8-a7e4-4ab9a3e78d95
+    name: this_is_a_test
+    description: Description of this wonderful client
+    root_url: https://www.example.com/
+    admin_url: https://www.example.com/admin_url
+    base_url: basepath
+    enabled: true
+    client_authenticator_type: client-secret
+    secret: REALLYWELLKEPTSECRET
+    redirect_uris:
+      - https://www.example.com/*
+      - http://localhost:8888/
+    web_origins:
+      - https://www.example.com/*
+    not_before: 1507825725
+    bearer_only: false
+    consent_required: false
+    standard_flow_enabled: true
+    implicit_flow_enabled: false
+    direct_access_grants_enabled: false
+    service_accounts_enabled: false
+    authorization_services_enabled: false
+    public_client: false
+    frontchannel_logout: false
+    protocol: openid-connect
+    full_scope_allowed: false
+    node_re_registration_timeout: -1
+    client_template: test
+    use_template_config: false
+    use_template_scope: false
+    use_template_mappers: false
+    always_display_in_console: true
+    registered_nodes:
+      node01.example.com: 1507828202
+    registration_access_token: eyJWT_TOKEN
+    surrogate_auth_required: false
+    default_roles:
+      - test01
+      - test02
+    authentication_flow_binding_overrides:
+      browser: 4c90336b-bf1d-4b87-916d-3677ba4e5fbb
+    protocol_mappers:
+      - config:
+          access.token.claim: true
+          claim.name: "family_name"
+          id.token.claim: true
+          jsonType.label: String
+          user.attribute: lastName
+          userinfo.token.claim: true
+        consentRequired: true
+        consentText: "${familyName}"
+        name: family name
+        protocol: openid-connect
+        protocolMapper: oidc-usermodel-property-mapper
+      - config:
+          attribute.name: Role
+          attribute.nameformat: Basic
+          single: false
+        consentRequired: false
+        name: role list
+        protocol: saml
+        protocolMapper: saml-role-list-mapper
+    attributes:
+      saml.authnstatement: true
+      saml.client.signature: true
+      saml.force.post.binding: true
+      saml.server.signature: true
+      saml.signature.algorithm: RSA_SHA256
+      saml.signing.certificate: CERTIFICATEHERE
+      saml.signing.private.key: PRIVATEKEYHERE
+      saml_force_name_id_format: false
+      saml_name_id_format: username
+      saml_signature_canonicalization_method: "http://www.w3.org/2001/10/xml-exc-c14n#"
+      user.info.response.signature.alg: RS256
+      request.object.signature.alg: RS256
+      use.jwks.url: true
+      jwks.url: JWKS_URL_FOR_CLIENT_AUTH_JWT
+      jwt.credential.certificate: JWT_CREDENTIAL_CERTIFICATE_FOR_CLIENT_AUTH
+  delegate_to: localhost
+'''
+
+RETURN = '''
+msg:
+    description: Message as to what action was taken.
+    returned: always
+    type: str
+    sample: "Client testclient has been updated"
+
+proposed:
+    description: Representation of proposed client.
+    returned: always
+    type: dict
+    sample: {
+      clientId: "test"
+    }
+
+existing:
+    description: Representation of existing client (sample is truncated).
+    returned: always
+    type: dict
+    sample: {
+        "adminUrl": "http://www.example.com/admin_url",
+        "attributes": {
+            "request.object.signature.alg": "RS256",
+        }
+    }
+
+end_state:
+    description: Representation of client after module execution (sample is truncated).
+    returned: on success
+    type: dict
+    sample: {
+        "adminUrl": "http://www.example.com/admin_url",
+        "attributes": {
+            "request.object.signature.alg": "RS256",
+        }
+    }
+'''
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
+    keycloak_argument_spec, get_token, KeycloakError
+from ansible.module_utils.basic import AnsibleModule
+import copy
+
+
+def normalise_cr(clientrep, remove_ids=False):
+    """ Re-sorts any properties where the order so that diff's is minimised, and adds default values where appropriate so that the
+    the change detection is more effective.
+
+    :param clientrep: the clientrep dict to be sanitized
+    :param remove_ids: If set to true, then the unique ID's of objects is removed to make the diff and checks for changed
+                       not alert when the ID's of objects are not usually known, (e.g. for protocol_mappers)
+    :return: normalised clientrep dict
+    """
+    # Avoid the dict passed in to be modified
+    clientrep = clientrep.copy()
+
+    if 'attributes' in clientrep:
+        clientrep['attributes'] = list(sorted(clientrep['attributes']))
+
+    if 'redirectUris' in clientrep:
+        clientrep['redirectUris'] = list(sorted(clientrep['redirectUris']))
+
+    if 'protocolMappers' in clientrep:
+        clientrep['protocolMappers'] = sorted(clientrep['protocolMappers'], key=lambda x: (x.get('name'), x.get('protocol'), x.get('protocolMapper')))
+        for mapper in clientrep['protocolMappers']:
+            if remove_ids:
+                mapper.pop('id', None)
+
+            # Set to a default value.
+            mapper['consentRequired'] = mapper.get('consentRequired', False)
+
+    return clientrep
+
+
+def sanitize_cr(clientrep):
+    """ Removes probably sensitive details from a client representation.
+
+    :param clientrep: the clientrep dict to be sanitized
+    :return: sanitized clientrep dict
+    """
+    result = copy.deepcopy(clientrep)
+    if 'secret' in result:
+        result['secret'] = 'no_log'
+    if 'attributes' in result:
+        if 'saml.signing.private.key' in result['attributes']:
+            result['attributes']['saml.signing.private.key'] = 'no_log'
+    return normalise_cr(result)
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    protmapper_spec = dict(
+        consentRequired=dict(type='bool'),
+        consentText=dict(type='str'),
+        id=dict(type='str'),
+        name=dict(type='str'),
+        protocol=dict(type='str', choices=['openid-connect', 'saml']),
+        protocolMapper=dict(type='str'),
+        config=dict(type='dict'),
+    )
+
+    meta_args = dict(
+        state=dict(default='present', choices=['present', 'absent']),
+        realm=dict(type='str', default='master'),
+
+        id=dict(type='str'),
+        client_id=dict(type='str', aliases=['clientId']),
+        name=dict(type='str'),
+        description=dict(type='str'),
+        root_url=dict(type='str', aliases=['rootUrl']),
+        admin_url=dict(type='str', aliases=['adminUrl']),
+        base_url=dict(type='str', aliases=['baseUrl']),
+        surrogate_auth_required=dict(type='bool', aliases=['surrogateAuthRequired']),
+        enabled=dict(type='bool'),
+        client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt'], aliases=['clientAuthenticatorType']),
+        secret=dict(type='str', no_log=True),
+        registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True),
+        default_roles=dict(type='list', elements='str', aliases=['defaultRoles']),
+        redirect_uris=dict(type='list', elements='str', aliases=['redirectUris']),
+        web_origins=dict(type='list', elements='str', aliases=['webOrigins']),
+        not_before=dict(type='int', aliases=['notBefore']),
+        bearer_only=dict(type='bool', aliases=['bearerOnly']),
+        consent_required=dict(type='bool', aliases=['consentRequired']),
+        standard_flow_enabled=dict(type='bool', aliases=['standardFlowEnabled']),
+        implicit_flow_enabled=dict(type='bool', aliases=['implicitFlowEnabled']),
+        direct_access_grants_enabled=dict(type='bool', aliases=['directAccessGrantsEnabled']),
+        service_accounts_enabled=dict(type='bool', aliases=['serviceAccountsEnabled']),
+        authorization_services_enabled=dict(type='bool', aliases=['authorizationServicesEnabled']),
+        public_client=dict(type='bool', aliases=['publicClient']),
+        frontchannel_logout=dict(type='bool', aliases=['frontchannelLogout']),
+        protocol=dict(type='str', choices=['openid-connect', 'saml']),
+        attributes=dict(type='dict'),
+        full_scope_allowed=dict(type='bool', aliases=['fullScopeAllowed']),
+        node_re_registration_timeout=dict(type='int', aliases=['nodeReRegistrationTimeout']),
+        registered_nodes=dict(type='dict', aliases=['registeredNodes']),
+        client_template=dict(type='str', aliases=['clientTemplate']),
+        use_template_config=dict(type='bool', aliases=['useTemplateConfig']),
+        use_template_scope=dict(type='bool', aliases=['useTemplateScope']),
+        use_template_mappers=dict(type='bool', aliases=['useTemplateMappers']),
+        always_display_in_console=dict(type='bool', aliases=['alwaysDisplayInConsole']),
+        authentication_flow_binding_overrides=dict(type='dict', aliases=['authenticationFlowBindingOverrides']),
+        protocol_mappers=dict(type='list', elements='dict', options=protmapper_spec, aliases=['protocolMappers']),
+        authorization_settings=dict(type='dict', aliases=['authorizationSettings']),
+        default_client_scopes=dict(type='list', elements='str', aliases=['defaultClientScopes']),
+        optional_client_scopes=dict(type='list', elements='str', aliases=['optionalClientScopes']),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(argument_spec=argument_spec,
+                           supports_check_mode=True,
+                           required_one_of=([['client_id', 'id'],
+                                             ['token', 'auth_realm', 'auth_username', 'auth_password']]),
+                           required_together=([['auth_realm', 'auth_username', 'auth_password']]))
+
+    result = dict(changed=False, msg='', diff={}, proposed={}, existing={}, end_state={})
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get('realm')
+    cid = module.params.get('id')
+    state = module.params.get('state')
+
+    # Filter and map the parameters names that apply to the client
+    client_params = [x for x in module.params
+                     if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm'] and
+                     module.params.get(x) is not None]
+
+    # See if it already exists in Keycloak
+    if cid is None:
+        before_client = kc.get_client_by_clientid(module.params.get('client_id'), realm=realm)
+        if before_client is not None:
+            cid = before_client['id']
+    else:
+        before_client = kc.get_client_by_id(cid, realm=realm)
+
+    if before_client is None:
+        before_client = {}
+
+    # Build a proposed changeset from parameters given to this module
+    changeset = {}
+
+    for client_param in client_params:
+        new_param_value = module.params.get(client_param)
+
+        # some lists in the Keycloak API are sorted, some are not.
+        if isinstance(new_param_value, list):
+            if client_param in ['attributes']:
+                try:
+                    new_param_value = sorted(new_param_value)
+                except TypeError:
+                    pass
+        # Unfortunately, the ansible argument spec checker introduces variables with null values when
+        # they are not specified
+        if client_param == 'protocol_mappers':
+            new_param_value = [dict((k, v) for k, v in x.items() if x[k] is not None) for x in new_param_value]
+
+        changeset[camel(client_param)] = new_param_value
+
+    # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis)
+    desired_client = before_client.copy()
+    desired_client.update(changeset)
+
+    result['proposed'] = sanitize_cr(changeset)
+    result['existing'] = sanitize_cr(before_client)
+
+    # Cater for when it doesn't exist (an empty dict)
+    if not before_client:
+        if state == 'absent':
+            # Do nothing and exit
+            if module._diff:
+                result['diff'] = dict(before='', after='')
+            result['changed'] = False
+            result['end_state'] = {}
+            result['msg'] = 'Client does not exist; doing nothing.'
+            module.exit_json(**result)
+
+        # Process a creation
+        result['changed'] = True
+
+        if 'clientId' not in desired_client:
+            module.fail_json(msg='client_id needs to be specified when creating a new client')
+
+        if module._diff:
+            result['diff'] = dict(before='', after=sanitize_cr(desired_client))
+
+        if module.check_mode:
+            module.exit_json(**result)
+
+        # create it
+        kc.create_client(desired_client, realm=realm)
+        after_client = kc.get_client_by_clientid(desired_client['clientId'], realm=realm)
+
+        result['end_state'] = sanitize_cr(after_client)
+
+        result['msg'] = 'Client %s has been created.' % desired_client['clientId']
+        module.exit_json(**result)
+
+    else:
+        if state == 'present':
+            # Process an update
+            result['changed'] = True
+
+            if module.check_mode:
+                # We can only compare the current client with the proposed updates we have
+                before_norm = normalise_cr(before_client, remove_ids=True)
+                desired_norm = normalise_cr(desired_client, remove_ids=True)
+                if module._diff:
+                    result['diff'] = dict(before=sanitize_cr(before_norm),
+                                          after=sanitize_cr(desired_norm))
+                result['changed'] = (before_norm != desired_norm)
+
+                module.exit_json(**result)
+
+            # do the update
+            kc.update_client(cid, desired_client, realm=realm)
+
+            after_client = kc.get_client_by_id(cid, realm=realm)
+            if before_client == after_client:
+                result['changed'] = False
+            if module._diff:
+                result['diff'] = dict(before=sanitize_cr(before_client),
+                                      after=sanitize_cr(after_client))
+
+            result['end_state'] = sanitize_cr(after_client)
+
+            result['msg'] = 'Client %s has been updated.' % desired_client['clientId']
+            module.exit_json(**result)
+
+        else:
+            # Process a deletion (because state was not 'present')
+            result['changed'] = True
+
+            if module._diff:
+                result['diff'] = dict(before=sanitize_cr(before_client), after='')
+
+            if module.check_mode:
+                module.exit_json(**result)
+
+            # delete it
+            kc.delete_client(cid, realm=realm)
+            result['proposed'] = {}
+
+            result['end_state'] = {}
+
+            result['msg'] = 'Client %s has been deleted.' % before_client['clientId']
+
+    module.exit_json(**result)
+
+
+if __name__ == '__main__':
+    main()

plugins/modules/keycloak_role.py

@@ -0,0 +1,374 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2019, Adam Goossens <adam.goossens@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+DOCUMENTATION = '''
+---
+module: keycloak_role
+
+short_description: Allows administration of Keycloak roles via Keycloak API
+
+version_added: 3.4.0
+
+description:
+    - This module allows you to add, remove or modify Keycloak roles via the Keycloak REST API.
+      It requires access to the REST API via OpenID Connect; the user connecting and the client being
+      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+      and an admin user would work, as would a separate client definition with the scope tailored
+      to your needs and a user having the expected roles.
+
+    - The names of module options are snake_cased versions of the camelCase ones found in the
+      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
+
+    - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
+      be returned that way by this module. You may pass single values for attributes when calling the module,
+      and this will be translated into a list suitable for the API.
+
+attributes:
+    check_mode:
+        support: full
+    diff_mode:
+        support: full
+
+options:
+    state:
+        description:
+            - State of the role.
+            - On C(present), the role will be created if it does not yet exist, or updated with the parameters you provide.
+            - On C(absent), the role will be removed if it exists.
+        default: 'present'
+        type: str
+        choices:
+            - present
+            - absent
+
+    name:
+        type: str
+        required: true
+        description:
+            - Name of the role.
+            - This parameter is required.
+
+    description:
+        type: str
+        description:
+            - The role description.
+
+    realm:
+        type: str
+        description:
+            - The Keycloak realm under which this role resides.
+        default: 'master'
+
+    client_id:
+        type: str
+        description:
+            - If the role is a client role, the client id under which it resides.
+            - If this parameter is absent, the role is considered a realm role.
+
+    attributes:
+        type: dict
+        description:
+            - A dict of key/value pairs to set as custom attributes for the role.
+            - Values may be single values (e.g. a string) or a list of strings.
+
+extends_documentation_fragment:
+    - middleware_automation.keycloak.keycloak
+    - middleware_automation.keycloak.attributes
+
+author:
+    - Laurent Paumier (@laurpaum)
+'''
+
+EXAMPLES = '''
+- name: Create a Keycloak realm role, authentication with credentials
+  middleware_automation.keycloak.keycloak_role:
+    name: my-new-kc-role
+    realm: MyCustomRealm
+    state: present
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+  delegate_to: localhost
+
+- name: Create a Keycloak realm role, authentication with token
+  middleware_automation.keycloak.keycloak_role:
+    name: my-new-kc-role
+    realm: MyCustomRealm
+    state: present
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    token: TOKEN
+  delegate_to: localhost
+
+- name: Create a Keycloak client role
+  middleware_automation.keycloak.keycloak_role:
+    name: my-new-kc-role
+    realm: MyCustomRealm
+    client_id: MyClient
+    state: present
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+  delegate_to: localhost
+
+- name: Delete a Keycloak role
+  middleware_automation.keycloak.keycloak_role:
+    name: my-role-for-deletion
+    state: absent
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+  delegate_to: localhost
+
+- name: Create a keycloak role with some custom attributes
+  middleware_automation.keycloak.keycloak_role:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    name: my-new-role
+    attributes:
+      attrib1: value1
+      attrib2: value2
+      attrib3:
+        - with
+        - numerous
+        - individual
+        - list
+        - items
+  delegate_to: localhost
+'''
+
+RETURN = '''
+msg:
+    description: Message as to what action was taken.
+    returned: always
+    type: str
+    sample: "Role myrole has been updated"
+
+proposed:
+    description: Representation of proposed role.
+    returned: always
+    type: dict
+    sample: {
+        "description": "My updated test description"
+    }
+
+existing:
+    description: Representation of existing role.
+    returned: always
+    type: dict
+    sample: {
+        "attributes": {},
+        "clientRole": true,
+        "composite": false,
+        "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
+        "description": "My client test role",
+        "id": "561703dd-0f38-45ff-9a5a-0c978f794547",
+        "name": "myrole"
+    }
+
+end_state:
+    description: Representation of role after module execution (sample is truncated).
+    returned: on success
+    type: dict
+    sample: {
+        "attributes": {},
+        "clientRole": true,
+        "composite": false,
+        "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
+        "description": "My updated client test role",
+        "id": "561703dd-0f38-45ff-9a5a-0c978f794547",
+        "name": "myrole"
+    }
+'''
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
+    keycloak_argument_spec, get_token, KeycloakError
+from ansible.module_utils.basic import AnsibleModule
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    meta_args = dict(
+        state=dict(type='str', default='present', choices=['present', 'absent']),
+        name=dict(type='str', required=True),
+        description=dict(type='str'),
+        realm=dict(type='str', default='master'),
+        client_id=dict(type='str'),
+        attributes=dict(type='dict'),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(argument_spec=argument_spec,
+                           supports_check_mode=True,
+                           required_one_of=([['token', 'auth_realm', 'auth_username', 'auth_password']]),
+                           required_together=([['auth_realm', 'auth_username', 'auth_password']]))
+
+    result = dict(changed=False, msg='', diff={}, proposed={}, existing={}, end_state={})
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get('realm')
+    clientid = module.params.get('client_id')
+    name = module.params.get('name')
+    state = module.params.get('state')
+
+    # attributes in Keycloak have their values returned as lists
+    # via the API. attributes is a dict, so we'll transparently convert
+    # the values to lists.
+    if module.params.get('attributes') is not None:
+        for key, val in module.params['attributes'].items():
+            module.params['attributes'][key] = [val] if not isinstance(val, list) else val
+
+    # Filter and map the parameters names that apply to the role
+    role_params = [x for x in module.params
+                   if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm', 'client_id', 'composites'] and
+                   module.params.get(x) is not None]
+
+    # See if it already exists in Keycloak
+    if clientid is None:
+        before_role = kc.get_realm_role(name, realm)
+    else:
+        before_role = kc.get_client_role(name, clientid, realm)
+
+    if before_role is None:
+        before_role = {}
+
+    # Build a proposed changeset from parameters given to this module
+    changeset = {}
+
+    for param in role_params:
+        new_param_value = module.params.get(param)
+        old_value = before_role[param] if param in before_role else None
+        if new_param_value != old_value:
+            changeset[camel(param)] = new_param_value
+
+    # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis)
+    desired_role = before_role.copy()
+    desired_role.update(changeset)
+
+    result['proposed'] = changeset
+    result['existing'] = before_role
+
+    # Cater for when it doesn't exist (an empty dict)
+    if not before_role:
+        if state == 'absent':
+            # Do nothing and exit
+            if module._diff:
+                result['diff'] = dict(before='', after='')
+            result['changed'] = False
+            result['end_state'] = {}
+            result['msg'] = 'Role does not exist, doing nothing.'
+            module.exit_json(**result)
+
+        # Process a creation
+        result['changed'] = True
+
+        if name is None:
+            module.fail_json(msg='name must be specified when creating a new role')
+
+        if module._diff:
+            result['diff'] = dict(before='', after=desired_role)
+
+        if module.check_mode:
+            module.exit_json(**result)
+
+        # create it
+        if clientid is None:
+            kc.create_realm_role(desired_role, realm)
+            after_role = kc.get_realm_role(name, realm)
+        else:
+            kc.create_client_role(desired_role, clientid, realm)
+            after_role = kc.get_client_role(name, clientid, realm)
+
+        result['end_state'] = after_role
+
+        result['msg'] = 'Role {name} has been created'.format(name=name)
+        module.exit_json(**result)
+
+    else:
+        if state == 'present':
+            # Process an update
+
+            # no changes
+            if desired_role == before_role:
+                result['changed'] = False
+                result['end_state'] = desired_role
+                result['msg'] = "No changes required to role {name}.".format(name=name)
+                module.exit_json(**result)
+
+            # doing an update
+            result['changed'] = True
+
+            if module._diff:
+                result['diff'] = dict(before=before_role, after=desired_role)
+
+            if module.check_mode:
+                module.exit_json(**result)
+
+            # do the update
+            if clientid is None:
+                kc.update_realm_role(desired_role, realm)
+                after_role = kc.get_realm_role(name, realm)
+            else:
+                kc.update_client_role(desired_role, clientid, realm)
+                after_role = kc.get_client_role(name, clientid, realm)
+
+            result['end_state'] = after_role
+
+            result['msg'] = "Role {name} has been updated".format(name=name)
+            module.exit_json(**result)
+
+        else:
+            # Process a deletion (because state was not 'present')
+            result['changed'] = True
+
+            if module._diff:
+                result['diff'] = dict(before=before_role, after='')
+
+            if module.check_mode:
+                module.exit_json(**result)
+
+            # delete it
+            if clientid is None:
+                kc.delete_realm_role(name, realm)
+            else:
+                kc.delete_client_role(name, clientid, realm)
+
+            result['end_state'] = {}
+
+            result['msg'] = "Role {name} has been deleted".format(name=name)
+
+    module.exit_json(**result)
+
+
+if __name__ == '__main__':
+    main()

requirements.txt

@@ -0,0 +1,6 @@
+#################################################
+# python dependencies required to be installed 
+# on the controller host with:
+# pip install -r requirements.txt
+#
+netaddr

requirements.yml

@@ -1,7 +1,4 @@
 ---
 collections:
-  - name: middleware_automation.redhat_csp_download
-    version: ">=1.2.1"
-  - name: middleware_automation.jcliff
-    version: ">=0.0.19"
-  - name: community.general
+  - name: middleware_automation.common
+  - name: ansible.posix

roles/keycloak/README.md

@@ -1,24 +1,126 @@
 keycloak
 ========
 
-Install [keycloak](https://keycloak.org/) or [Red Hat Single Sing-On](https://access.redhat.com/products/red-hat-single-sign-on) server configurations.
+Install [keycloak](https://keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) server configurations.
+
+
+Requirements
+------------
+
+This role requires the `python3-netaddr` library installed on the controller node.
+
+* to install via yum/dnf: `dnf install python3-netaddr`
+* to install via apt: `apt install python3-netaddr`
+* or via pip: `pip install netaddr==0.8.0`
+* or via the collection: `pip install -r requirements.txt`
+
+
+Dependencies
+------------
+
+The roles depends on:
+
+* [middleware_automation.common](https://github.com/ansible-middleware/common)
+* [ansible-posix](https://docs.ansible.com/ansible/latest/collections/ansible/posix/index.html)
+
+To install all the dependencies via galaxy:
+
+    ansible-galaxy collection install -r requirements.yml
+
+
+Versions
+--------
+
+| RH-SSO VERSION | Release Date      | Keycloak Version | EAP Version | Notes           |
+|:---------------|:------------------|:-----------------|:------------|:----------------|
+|`7.5.0 GA`      |September 20, 2021 |`15.0.2`          | `7.4.6`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|
+|`7.6.0 GA`      |June 30, 2022      |`18.0.3`          | `7.4.6`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/release_notes/index)|
+
+
+Patching
+--------
+
+When variable `keycloak_rhsso_apply_patches` is `true` (default: `false`), the role will automatically apply the latest cumulative patch for the selected base version.
+
+| RH-SSO VERSION | Release Date      | RH-SSO LATEST CP | Notes           |
+|:---------------|:------------------|:-----------------|:----------------|
+|`7.5.0 GA`      |January 20, 2022   |`7.5.3 GA`        |[Release Notes](https://access.redhat.com/articles/6646321)|
+|`7.6.0 GA`      |November 11, 2022  |`7.6.1 GA`        |[Release Notes](https://access.redhat.com/articles/6982711)|
 
 
 Role Defaults
 -------------
 
+* Service configuration
+
 | Variable | Description | Default |
 |:---------|:------------|:---------|
-|`keycloak_ha_enabled`| enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
-|`keycloak_db_enabled`| enable auto configuration for database backend | `True` if keycloak_ha_enabled is True, else `False` |
+|`keycloak_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
+|`keycloak_ha_discovery`| Discovery protocol for HA cluster members | `JDBC_PING` if `keycloak_db_enabled` else `TCPPING` |
+|`keycloak_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_ha_enabled` is True, else `False` |
+|`keycloak_remote_cache_enabled`| Enable remote cache store when in clustered ha configurations | `True` if `keycloak_ha_enabled` else `False` |
 |`keycloak_admin_user`| Administration console user account | `admin` |
-|`keycloak_bind_address`| address for binding service ports | `0.0.0.0`
-|`keycloak_host`| hostname | `localhost`
-|`keycloak_http_port`| HTTP port | `8080`
-|`keycloak_https_port`| TLS HTTP port | `8443`
-|`keycloak_management_http_port`| management port | `9990`
-|`keycloak_management_https_port`| TLS management port | `9993`
-|`keycloak_java_opts`| | `-Xms1024m -Xmx20480m -XX:MaxPermSize=768m`
+|`keycloak_bind_address`| Address for binding service ports | `0.0.0.0` |
+|`keycloak_management_port_bind_address`| Address for binding management ports | `127.0.0.1` |
+|`keycloak_host`| hostname | `localhost` |
+|`keycloak_http_port`| HTTP port | `8080` |
+|`keycloak_https_port`| TLS HTTP port | `8443` |
+|`keycloak_ajp_port`| AJP port | `8009` |
+|`keycloak_jgroups_port`| jgroups cluster tcp port | `7600` |
+|`keycloak_management_http_port`| Management port | `9990` |
+|`keycloak_management_https_port`| TLS management port | `9993` |
+|`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `true` |
+|`keycloak_config_standalone_xml`| filename for configuration | `keycloak.xml` |
+|`keycloak_service_user`| posix account username | `keycloak` |
+|`keycloak_service_group`| posix account group | `keycloak` |
+|`keycloak_service_restart_always`| systemd restart always behavior activation | `False` |
+|`keycloak_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` |
+|`keycloak_service_startlimitintervalsec`| systemd StartLimitIntervalSec | `300` |
+|`keycloak_service_startlimitburst`| systemd StartLimitBurst | `5` |
+|`keycloak_service_restartsec`| systemd RestartSec | `10s` |
+|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak/keycloak.pid` |
+|`keycloak_features` | List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]` | `[]`
+|`keycloak_jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-headless` |
+|`keycloak_java_home`| `JAVA_HOME` of installed JRE, leave empty for using RPM path at `keycloak_jvm_package` | `None` |
+|`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
+
+
+* Install options
+
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+|`keycloak_offline_install` | perform an offline install | `false`|
+|`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`|
+|`keycloak_version`| keycloak.org package version | `18.0.2` |
+|`keycloak_dest`| Installation root path | `/opt/keycloak` |
+|`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
+|`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `false` |
+
+
+* Miscellaneous configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_archive` | keycloak install archive filename | `keycloak-legacy-{{ keycloak_version }}.zip` |
+|`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` |
+|`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` |
+|`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir }}` |
+|`keycloak_jboss_port_offset` | Port offset for the JBoss socket binding | `0` |
+|`keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` |
+|`keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` |
+|`keycloak_config_override_template` | Path to custom template for standalone.xml configuration | `''` |
+|`keycloak_auth_realm` | Name for rest authentication realm | `master` |
+|`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
+|`keycloak_force_install` | Remove pre-existing versions of service | `false` |
+|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}` |
+|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}` |
+|`keycloak_frontend_url_force` | Force backend requests to use the frontend URL | `false` |
+|`keycloak_db_background_validation` | Enable background validation of database connection | `false` |
+|`keycloak_db_background_validation_millis`| How frequenly the connection pool is validated in the background | `10000` if background validation enabled |
+|`keycloak_db_background_validate_on_match` | Enable validate on match for database connections | `false` |
+|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |
+|`keycloak_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` |
+
 
 Role Variables
 --------------
@@ -27,51 +129,62 @@ The following are a set of _required_ variables for the role:
 
 | Variable | Description |
 |:---------|:------------|
-|`keycloak_admin_password`| Password for the administration console user account |
+|`keycloak_admin_password`| Password for the administration console user account (minimum 12 characters) |
+|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |
 
 
-The following variables are _required_ only when keycloak_ha_enabled is True:
+The following parameters are _required_ only when `keycloak_ha_enabled` is true:
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_modcluster_enabled`| Enable configuration for modcluster subsystem | `True` if `keycloak_ha_enabled` is True, else `False` |
+|`keycloak_modcluster_url` | _deprecated_ Host for the modcluster reverse proxy | `localhost` |
+|`keycloak_modcluster_port` | _deprecated_ Port for the modcluster reverse proxy | `6666` |
+|`keycloak_modcluster_urls` | List of {host,port} dicts for the modcluster reverse proxies | `[ { localhost:6666 } ]` |
+|`keycloak_jdbc_engine` | backend database engine when db is enabled: [ postgres, mariadb, sqlserver ] | `postgres` |
+|`keycloak_infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
+|`keycloak_infinispan_user` | username for connecting to infinispan | `supervisor` |
+|`keycloak_infinispan_pass` | password for connecting to infinispan | `supervisor` |
+|`keycloak_infinispan_sasl_mechanism`| Authentication type | `SCRAM-SHA-512` |
+|`keycloak_infinispan_use_ssl`| Enable hotrod TLS communication | `False` |
+|`keycloak_infinispan_trust_store_path`| Path to truststore with infinispan server certificate | `/etc/pki/java/cacerts` |
+|`keycloak_infinispan_trust_store_password`| Password for opening truststore | `changeit` |
+
+
+The following parameters are _required_ only when `keycloak_db_enabled` is true:
 
 | Variable | Description | Default |
 |:---------|:------------|:---------|
-|`keycloak_modcluster_url` | URL for the modcluster reverse proxy | `localhost` |
-|`keycloak_jdbc_engine` | backend database flavour when db is enabled: [ postgres, mariadb ] | `postgres` |
-|`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
-|`infinispan_user` | username for connecting to infinispan | `supervisor` |
-|`infinispan_pass` | password for connecting to infinispan | `supervisor` |
+|`keycloak_jdbc_url` | URL for the postgres backend database | `jdbc:postgresql://localhost:5432/keycloak` |
+|`keycloak_jdbc_driver_version`| Version for the JDBC driver to download | `9.4.1212` |
+|`keycloak_db_user` | username for connecting to postgres | `keycloak-user` |
+|`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` |
 
 
-The following variables are _required_ only when keycloak_db_enabled is True and keycloak_jdbc_engine is postgres:
-
-| Variable | Description | Default |
-|:---------|:------------|:---------|
-|`postgres_jdbc_url` | URL for the postgres backend database | `jdbc:postgresql://localhost:5432/keycloak` |
-|`postgres_db_user` | username for connecting to postgres | `keycloak-user` |
-|`postgres_db_pass` | password for connecting to postgres | `keycloak-pass` |
-
-
-The following variables are _required_ only when keycloak_db_enabled is True and keycloak_jdbc_engine is mariadb:
-
-| Variable | Description | Default |
-|:---------|:------------|:---------|
-|`mariadb_jdbc_url` | URL for the mariadb backend database | `jdbc:mariadb://localhost:3306/keycloak` |
-|`mariadb_db_user` | username for connecting to mariadb | `keycloak-user` |
-|`mariadb_db_pass` | password for connecting to mariadb | `keycloak-pass` |
-
-
-Dependencies
-------------
-
-The roles depends on:
-
-* the redhat_csp_download role from [middleware_automation.redhat_csp_download](https://github.com/ansible-middleware/redhat-csp-download) collection
-* the wildfly_driver role from [middleware_automation.jcliff](https://github.com/ansible-middleware/ansible_collections_jcliff) collection
+The following variables are _optional_:
 
+| Variable | Description |
+|:---------|:------------|
+|`keycloak_db_valid_conn_sql` | Override the default database connection validation query sql |
+|`keycloak_admin_url` | Override the default administration endpoint URL |
+|`keycloak_jgroups_subnet`| Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration |
 
 Example Playbook
-----------------
+-----------------
 
-The following is an example playbook that makes use of the role to install keycloak
+* The following is an example playbook that makes use of the role to install keycloak from remote:
+
+```yaml
+---
+- hosts: ...
+      vars:
+        keycloak_admin_password: "remembertochangeme"
+      roles:
+        - middleware_automation.keycloak.keycloak
+```
+
+
+* The following example playbook makes use of the role to install keycloak from the controller node:
 
 ```yaml
 ---
@@ -83,7 +196,9 @@ The following is an example playbook that makes use of the role to install keycl
           include_role:
             name: keycloak
           vars:
-            keycloak_admin_password: "changeme"
+            keycloak_admin_password: "remembertochangeme"
+            keycloak_offline_install: true
+            # This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip
 ```
 
 License
@@ -96,4 +211,5 @@ Author Information
 ------------------
 
 * [Guido Grazioli](https://github.com/guidograzioli)
-* [Romain Pelisse](https://github.com/rpelisse)
+* [Romain Pelisse](https://github.com/rpelisse)
+* [Pavan Kumar Motaparthi](https://github.com/motaparthipavankumar)

roles/keycloak/defaults/main.yml

@@ -1,61 +1,120 @@
 ---
 ### Configuration specific to keycloak
-keycloak_version: 9.0.2
-keycloak_archive: keycloak-{{ keycloak_version }}.zip
-keycloak_download_url: https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}
+keycloak_version: 18.0.2
+keycloak_archive: "keycloak-legacy-{{ keycloak_version }}.zip"
+keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
+keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
 keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
-
-### Configuration specific to Red Hat Single Sing-On
-keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined else False }}"
-keycloak_rhsso_version: 7.5
-keycloak_rhsso_archive: rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip
-keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version }}"
-keycloak_rhsso_base_url: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId='
+keycloak_offline_install: false
 
 ### Install location and service settings
+keycloak_java_home:
 keycloak_dest: /opt/keycloak
-keycloak_jboss_home: "{{ keycloak_rhsso_installdir if rhsso_rhn_id is defined else keycloak_installdir }}"
+keycloak_jboss_home: "{{ keycloak_installdir }}"
+keycloak_jboss_port_offset: 0
 keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
+keycloak_config_standalone_xml: "keycloak.xml"
+keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
+keycloak_config_override_template: ''
+keycloak_config_path_to_properties: "{{ keycloak_jboss_home }}/standalone/configuration/profile.properties"
+keycloak_service_runas: false
 keycloak_service_user: keycloak
 keycloak_service_group: keycloak
-keycloak_service_pidfile: "/run/keycloak.pid"
-keycloak_service_logfile: "{{ keycloak_dest }}/keycloak.log"
+keycloak_service_pidfile: "/run/keycloak/keycloak.pid"
+keycloak_service_name: keycloak
+keycloak_service_desc: Keycloak
+keycloak_service_start_delay: 10
+keycloak_service_start_retries: 25
+keycloak_service_restart_always: false
+keycloak_service_restart_on_failure: false
+keycloak_service_startlimitintervalsec: "300"
+keycloak_service_startlimitburst: "5"
+keycloak_service_restartsec: "10s"
 
-### Keycloak configuration settings
+keycloak_configure_firewalld: false
+keycloak_configure_iptables: false
+
+### administrator console password
+keycloak_admin_password: ''
+
+### Common configuration settings
 keycloak_bind_address: 0.0.0.0
 keycloak_host: localhost
 keycloak_http_port: 8080
 keycloak_https_port: 8443
+keycloak_ajp_port: 8009
+keycloak_jgroups_port: 7600
+keycloak_jgroups_subnet:
+keycloak_management_port_bind_address: 127.0.0.1
 keycloak_management_http_port: 9990
 keycloak_management_https_port: 9993
-keycloak_java_opts: "-Xms1024m -Xmx20480m -XX:MaxPermSize=768m"
+keycloak_java_opts: "-Xms1024m -Xmx2048m"
+keycloak_prefer_ipv4: true
+keycloak_features: []
 
 ### Enable configuration for database backend, clustering and remote caches on infinispan
-keycloak_ha_enabled: False
+keycloak_ha_enabled: false
 ### Enable database configuration, must be enabled when HA is configured
 keycloak_db_enabled: "{{ True if keycloak_ha_enabled else False }}"
+### Discovery protocol for ha cluster members, valus [ 'JDBC_PING', 'TCPPING' ]
+keycloak_ha_discovery: "{{ 'JDBC_PING' if keycloak_db_enabled else 'TCPPING' }}"
+### Remote cache store on infinispan cluster
+keycloak_remote_cache_enabled: "{{ True if keycloak_ha_enabled else False }}"
 
 ### Keycloak administration console user
 keycloak_admin_user: admin
 keycloak_auth_realm: master
 keycloak_auth_client: admin-cli
 
-keycloak_force_install: False
+keycloak_force_install: false
 
-### mod_cluster reverse proxy
+### mod_cluster reverse proxy list
+keycloak_modcluster_enabled: "{{ True if keycloak_ha_enabled else False }}"
 keycloak_modcluster_url: localhost
+keycloak_modcluster_port: 6666
+keycloak_modcluster_urls:
+  - host: "{{ keycloak_modcluster_url }}"
+    port: "{{ keycloak_modcluster_port }}"
 
-### infinispan remote caches access
-infinispan_user: supervisor
-infinispan_pass: supervisor
-infinispan_url: localhost
+### keycloak frontend url
+keycloak_frontend_url: http://localhost:8080/auth/
+keycloak_frontend_url_force: false
+keycloak_admin_url:
 
-### database backend engine: values [ 'postgres', 'mariadb' ]
+### infinispan remote caches access (hotrod)
+keycloak_infinispan_user: supervisor
+keycloak_infinispan_pass: supervisor
+keycloak_infinispan_url: localhost
+keycloak_infinispan_sasl_mechanism: SCRAM-SHA-512
+keycloak_infinispan_use_ssl: false
+# if ssl is enabled, import ispn server certificate here
+keycloak_infinispan_trust_store_path: /etc/pki/java/cacerts
+keycloak_infinispan_trust_store_password: changeit
+
+### database backend engine: values [ 'postgres', 'mariadb', 'sqlserver' ]
 keycloak_jdbc_engine: postgres
 ### database backend credentials
-postgres_jdbc_url: 'jdbc:postgresql://localhost:5432/keycloak'
-postgres_db_user: keycloak-user
-postgres_db_pass: keycloak-pass
-mariadb_jdbc_url: 'jdbc:mariadb://localhost:3306/keycloak'
-mariadb_db_user: keycloak-user
-mariadb_db_pass: keycloak-pass
+keycloak_db_user: keycloak-user
+keycloak_db_pass: keycloak-pass
+## connection validation
+keycloak_db_background_validation: false
+keycloak_db_background_validation_millis: "{{ 10000 if keycloak_db_background_validation else 0 }}"
+keycloak_db_background_validate_on_match: false
+keycloak_jdbc_url: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
+keycloak_jdbc_driver_version: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
+# override the variables above, following defaults show minimum supported versions
+keycloak_default_jdbc:
+  postgres:
+    url: 'jdbc:postgresql://localhost:5432/keycloak'
+    version: 9.4.1212
+  mariadb:
+    url: 'jdbc:mariadb://localhost:3306/keycloak'
+    version: 2.7.4
+  sqlserver:
+    url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
+    version: 12.2.0
+# role specific vars
+keycloak_no_log: true
+
+### logging configuration
+keycloak_log_target: /var/log/keycloak

roles/keycloak/handlers/main.yml

@@ -1,3 +1,4 @@
 ---
-- name: restart keycloak
-  include_tasks: restart_keycloak.yml
+- name: "Restart handler"
+  ansible.builtin.include_tasks: restart_keycloak.yml
+  listen: "restart keycloak"

roles/keycloak/meta/argument_specs.yml

@@ -0,0 +1,381 @@
+argument_specs:
+    main:
+        options:
+            keycloak_version:
+                default: "18.0.2"
+                description: "keycloak.org package version"
+                type: "str"
+            keycloak_archive:
+                default: "keycloak-legacy-{{ keycloak_version }}.zip"
+                description: "keycloak install archive filename"
+                type: "str"
+            keycloak_configure_iptables:
+                default: false
+                description: "Ensure iptables is running and configure keycloak ports"
+                type: "bool"
+            keycloak_configure_firewalld:
+                default: false
+                description: "Ensure firewalld is running and configure keycloak ports"
+                type: "bool"
+            keycloak_download_url:
+                default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
+                description: "Download URL for keycloak"
+                type: "str"
+            keycloak_download_url_9x:
+                default: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
+                description: "Download URL for keycloak (deprecated)"
+                type: "str"
+            keycloak_installdir:
+                default: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
+                description: "Installation path"
+                type: "str"
+            keycloak_offline_install:
+                default: false
+                description: "Perform an offline install"
+                type: "bool"
+            keycloak_jvm_package:
+                default: "java-1.8.0-openjdk-headless"
+                description: "RHEL java package runtime rpm"
+                type: "str"
+            keycloak_java_home:
+                description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path"
+                type: "str"
+            keycloak_dest:
+                default: "/opt/keycloak"
+                description: "Root installation directory"
+                type: "str"
+            keycloak_jboss_home:
+                default: "{{ keycloak_installdir }}"
+                description: "Installation work directory"
+                type: "str"
+            keycloak_jboss_port_offset:
+                default: 0
+                description: "Port offset for the JBoss socket binding"
+                type: "int"
+            keycloak_config_dir:
+                default: "{{ keycloak_jboss_home }}/standalone/configuration"
+                description: "Path for configuration"
+                type: "str"
+            keycloak_config_standalone_xml:
+                default: "keycloak.xml"
+                description: "Service configuration filename"
+                type: "str"
+            keycloak_config_path_to_standalone_xml:
+                default: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
+                description: "Custom path for configuration"
+                type: "str"
+            keycloak_config_override_template:
+                default: ""
+                description: "Path to custom template for standalone.xml configuration"
+                type: "str"
+            keycloak_service_runas:
+                default: false
+                description: "Enable execution of service as `keycloak_service_user`"
+                type: "bool"
+            keycloak_service_user:
+                default: "keycloak"
+                description: "posix account username"
+                type: "str"
+            keycloak_service_group:
+                default: "keycloak"
+                description: "posix account group"
+                type: "str"
+            keycloak_service_pidfile:
+                default: "/run/keycloak/keycloak.pid"
+                description: "PID file path for service"
+                type: "str"
+            keycloak_features:
+                default: "[]"
+                description: "List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]`"
+                type: "list"
+            keycloak_bind_address:
+                default: "0.0.0.0"
+                description: "Address for binding service ports"
+                type: "str"
+            keycloak_management_port_bind_address:
+                default: "127.0.0.1"
+                description: "Address for binding the management ports"
+                type: "str"
+            keycloak_host:
+                default: "localhost"
+                description: "Hostname for service"
+                type: "str"
+            keycloak_http_port:
+                default: 8080
+                description: "Listening HTTP port"
+                type: "int"
+            keycloak_https_port:
+                default: 8443
+                description: "Listening HTTPS port"
+                type: "int"
+            keycloak_ajp_port:
+                default: 8009
+                description: "Listening AJP port"
+                type: "int"
+            keycloak_jgroups_port:
+                default: 7600
+                description: "jgroups cluster tcp port"
+                type: "int"
+            keycloak_management_http_port:
+                default: 9990
+                description: "Management port (http)"
+                type: "int"
+            keycloak_management_https_port:
+                default: 9993
+                description: "Management port (https)"
+                type: "int"
+            keycloak_java_opts:
+                default: "-Xms1024m -Xmx2048m"
+                description: "Additional JVM options"
+                type: "str"
+            keycloak_prefer_ipv4:
+                default: true
+                description: "Prefer IPv4 stack and addresses for port binding"
+                type: "bool"
+            keycloak_ha_enabled:
+                default: false
+                description: "Enable auto configuration for database backend, clustering and remote caches on infinispan"
+                type: "bool"
+            keycloak_ha_discovery:
+                default: "{{ 'JDBC_PING' if keycloak_db_enabled else 'TCPPING' }}"
+                description: "Discovery protocol for HA cluster members"
+                type: "str"
+            keycloak_db_enabled:
+                default: "{{ True if keycloak_ha_enabled else False }}"
+                description: "Enable auto configuration for database backend"
+                type: "bool"
+            keycloak_admin_user:
+                default: "admin"
+                description: "Administration console user account"
+                type: "str"
+            keycloak_auth_realm:
+                default: "master"
+                description: "Name for rest authentication realm"
+                type: "str"
+            keycloak_auth_client:
+                default: "admin-cli"
+                description: "Authentication client for configuration REST calls"
+                type: "str"
+            keycloak_force_install:
+                default: false
+                description: "Remove pre-existing versions of service"
+                type: "bool"
+            keycloak_modcluster_enabled:
+                default: "{{ True if keycloak_ha_enabled else False }}"
+                description: "Enable configuration for modcluster subsystem"
+                type: "bool"
+            keycloak_modcluster_url:
+                default: "localhost"
+                description: "URL for the modcluster reverse proxy"
+                type: "str"
+            keycloak_modcluster_port:
+                default: 6666
+                description: "Port for the modcluster reverse proxy"
+                type: "int"
+            keycloak_modcluster_urls:
+                default: "[ { host: 'localhost', port: 6666 } ]"
+                description: "List of modproxy node URLs in the format { host, port } for the modcluster reverse proxy"
+                type: "list"
+            keycloak_frontend_url:
+                default: "http://localhost"
+                description: "Frontend URL for keycloak endpoints when a reverse proxy is used"
+                type: "str"
+            keycloak_frontend_url_force:
+                default: false
+                description: "Force backend requests to use the frontend URL"
+                type: "bool"
+            keycloak_infinispan_user:
+                default: "supervisor"
+                description: "Username for connecting to infinispan"
+                type: "str"
+            keycloak_infinispan_pass:
+                default: "supervisor"
+                description: "Password for connecting to infinispan"
+                type: "str"
+            keycloak_infinispan_url:
+                default: "localhost"
+                description: "URL for the infinispan remote-cache server"
+                type: "str"
+            keycloak_infinispan_sasl_mechanism:
+                default: "SCRAM-SHA-512"
+                description: "Authentication type to infinispan server"
+                type: "str"
+            keycloak_infinispan_use_ssl:
+                default: false
+                description: "Enable hotrod client TLS communication"
+                type: "bool"
+            keycloak_infinispan_trust_store_path:
+                default: "/etc/pki/java/cacerts"
+                description: "TODO document argument"
+                type: "str"
+            keycloak_infinispan_trust_store_password:
+                default: "changeit"
+                description: "Path to truststore containing infinispan server certificate"
+                type: "str"
+            keycloak_jdbc_engine:
+                default: "postgres"
+                description: "Backend database flavour when db is enabled: [ postgres, mariadb, sqlserver ]"
+                type: "str"
+            keycloak_db_user:
+                default: "keycloak-user"
+                description: "Username for connecting to database"
+                type: "str"
+            keycloak_db_pass:
+                default: "keycloak-pass"
+                description: "Password for connecting to database"
+                type: "str"
+            keycloak_jdbc_url:
+                default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
+                description: "URL for connecting to backend database"
+                type: "str"
+            keycloak_jdbc_driver_version:
+                default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
+                description: "Version for the JDBC driver to download"
+                type: "str"
+            keycloak_admin_password:
+                required: true
+                description: "Password for the administration console user account"
+                type: "str"
+            keycloak_url:
+                default: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
+                description: "URL for configuration rest calls"
+                type: "str"
+            keycloak_management_url:
+                default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"
+                description: "URL for management console rest calls"
+                type: "str"
+            keycloak_service_name:
+                default: "keycloak"
+                description: "systemd service name for keycloak"
+                type: "str"
+            keycloak_service_desc:
+                default: "Keycloak"
+                description: "systemd description for keycloak"
+                type: "str"
+            keycloak_service_start_delay:
+                default: "10"
+                description: "Expected delay in ms before the service is expected to be available after start."
+                type: "int"
+            keycloak_service_start_retries:
+                default: "25"
+                description: "How many time should Ansible retry to connect to the service after it was started, before failing."
+                type: "int"
+            keycloak_service_restart_always:
+                default: false
+                description: "systemd restart always behavior activation for keycloak"
+                type: "bool"
+            keycloak_service_restart_on_failure:
+                default: false
+                description: "systemd restart on-failure behavior activation for keycloak"
+                type: "bool"
+            keycloak_service_startlimitintervalsec:
+                default: 300
+                description: "systemd StartLimitIntervalSec for keycloak"
+                type: "int"
+            keycloak_service_startlimitburst:
+                default: 5
+                description: "systemd StartLimitBurst for keycloak"
+                type: "int"
+            keycloak_service_restartsec:
+                default: "5s"
+                description: "systemd RestartSec for keycloak"
+                type: "str"
+            keycloak_no_log:
+                default: true
+                type: "bool"
+                description: "Changes default behavior for no_log for debugging purpose, do not change for production system."
+            keycloak_remote_cache_enabled:
+                default: "{{ True if keycloak_ha_enabled else False }}"
+                description: "Enable remote cache store when in clustered ha configurations"
+                type: "bool"
+            keycloak_db_background_validation:
+                default: false
+                description: "Enable background validation of database connection"
+                type: "bool"
+            keycloak_db_background_validation_millis:
+                default: "{{ 10000 if keycloak_db_background_validation else 0 }}"
+                description: "How frequenly the connection pool is validated in the background"
+                type: 'int'
+            keycloak_db_background_validate_on_match:
+                default: false
+                description: "Enable validate on match for database connections"
+                type: "bool"
+            keycloak_db_valid_conn_sql:
+                required: false
+                description: "Override the default database connection validation query sql"
+                type: "str"
+            keycloak_admin_url:
+                required: false
+                description: "Override the default administration endpoint URL"
+                type: "str"
+            keycloak_jgroups_subnet:
+                required: false
+                description: "Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration"
+                type: "str"
+            keycloak_log_target:
+                default: '/var/log/keycloak'
+                type: "str"
+                description: "Set the destination of the keycloak log folder link"
+            keycloak_jdbc_download_url:
+                description: "Override the default Maven Central download URL for the JDBC driver"
+                type: "str"
+            keycloak_jdbc_download_user:
+                description: "Set a username with which to authenticate when downloading JDBC drivers from an alternative location"
+                type: "str"
+            keycloak_jdbc_download_pass:
+                description: "Set a password with which to authenticate when downloading JDBC drivers from an alternative location (requires keycloak_jdbc_download_user)"
+                type: "str"
+            keycloak_jdbc_download_validate_certs:
+                default: true
+                description: "Allow the option to ignore invalid certificates when downloading JDBC drivers from a custom URL"
+                type: "bool"
+    downstream:
+        options:
+            sso_version:
+                default: "7.6.0"
+                description: "Red Hat Single Sign-On version"
+                type: "str"
+            sso_archive:
+                default: "rh-sso-{{ sso_version }}-server-dist.zip"
+                description: "Red Hat SSO install archive filename"
+                type: "str"
+            sso_dest:
+                default: "/opt/sso"
+                description: "Root installation directory"
+                type: "str"
+            sso_installdir:
+                default: "{{ sso_dest }}/rh-sso-{{ sso_version.split('.')[0] }}.{{ sso_version.split('.')[1] }}"
+                description: "Installation path for Red Hat SSO"
+                type: "str"
+            sso_apply_patches:
+                default: false
+                description: "Install Red Hat SSO most recent cumulative patch"
+                type: "bool"
+            sso_enable:
+                default: true
+                description: "Enable Red Hat Single Sign-on installation"
+                type: "str"
+            sso_offline_install:
+                default: false
+                description: "Perform an offline install"
+                type: "bool"
+            sso_service_name:
+                default: "sso"
+                description: "systemd service name for Single Sign-On"
+                type: "str"
+            sso_service_desc:
+                default: "Red Hat Single Sign-On"
+                description: "systemd description for Red Hat Single Sign-On"
+                type: "str"
+            sso_patch_version:
+                required: false
+                description: "Red Hat Single Sign-On latest cumulative patch version to apply; defaults to latest version when sso_apply_patches is True"
+                type: "str"
+            sso_patch_bundle:
+                default: "rh-sso-{{ sso_patch_version | default('[0-9]+[.][0-9]+[.][0-9]+') }}-patch.zip"
+                description: "Red Hat SSO patch archive filename"
+                type: "str"
+            sso_product_category:
+                default: "core.service.rhsso"
+                description: "JBossNetwork API category for Single Sign-On"
+                type: "str"

roles/keycloak/meta/main.yml

@@ -1,3 +1,29 @@
+---
 collections:
-  - middleware_automation.redhat_csp_download
-  - middleware_automation.jcliff
+  - middleware_automation.common
+  - ansible.posix
+
+galaxy_info:
+  role_name: keycloak
+  namespace: middleware_automation
+  author: Romain Pelisse, Guido Grazioli, Pavan Kumar Motaparthi
+  description: Install keycloak or Red Hat Single Sign-On server configurations
+  company: Red Hat, Inc.
+
+  license: Apache License 2.0
+
+  min_ansible_version: "2.14"
+
+  platforms:
+    - name: EL
+      versions:
+        - "8"
+
+  galaxy_tags:
+    - keycloak
+    - redhat
+    - rhel
+    - sso
+    - authentication
+    - identity
+    - security

roles/keycloak/tasks/debian.yml

@@ -0,0 +1,6 @@
+---
+- name: Include firewall config tasks
+  ansible.builtin.include_tasks: iptables.yml
+  when: keycloak_configure_iptables
+  tags:
+    - firewall

roles/keycloak/tasks/download_from_rhn.yml

@@ -1,75 +0,0 @@
----
-- assert:
-    that:
-      - zipfile_dest is defined
-      - rhn_id_file is defined
-      - rhn_username is defined
-      - rhn_password is defined
-    quiet: true
-
-- set_fact:
-    rhn_download_url: "{{ keycloak_rhsso_base_url }}{{ rhn_id_file }}"
-
-- name: "Check zipfile dest directory {{ zipfile_dest }}"
-  stat:
-    path: "{{ zipfile_dest }}"
-  register: archive_path
-
-- name: "Install zipfile from RHN: {{ rhn_download_url }}"
-  redhat_csp_download:
-    url: "{{ rhn_download_url }}"
-    dest: "{{ zipfile_dest }}"
-    username: "{{ rhn_username }}"
-    password: "{{ rhn_password }}"
-  no_log: "{{ omit_rhn_output | default(true) }}"
-  when:
-    - archive_path is defined
-    - archive_path.stat is defined
-    - not archive_path.stat.exists
-    
-- name: "Check zipfile dest directory {{ zipfile_dest }}"
-  stat:
-    path: "{{ zipfile_dest }}"
-  register: path_to_downloaded_artefact
-
-- block:
-    - file:
-        path: "{{ work_dir }}"
-        state: directory
-        owner: "{{ keycloak_service_user }}"
-        group: "{{ keycloak_service_group }}"
-        mode: 0750
-
-    - name: "Check directory {{ target_dir }}"
-      stat:
-        path: "{{ target_dir }}"
-      register: target_dir_state
-
-    - assert:
-        that:
-          - target_dir_state is defined
-          - target_dir_state.stat is defined
-        fail_msg: "Directory layout for {{ target_dir }} is invalid."
-        quiet: true
-
-    - name: "Decompress {{ zipfile_dest }} into {{ work_dir }} (results in {{ target_dir }}."
-      unarchive:
-        src: "{{ zipfile_dest }}"
-        dest: "{{ work_dir }}"
-        owner: "{{ keycloak_service_user }}"
-        group: "{{ keycloak_service_user }}"
-        remote_src: yes
-        creates: "{{ target_dir }}"
-      when:
-        - not target_dir_state.stat.exists
-
-    - debug:
-        msg: "{{ target_dir }} already exists, skipping decompressing {{ zipfile_dest }}"
-      when:
-        - target_dir_state.stat.exists
-  when:
-    - path_to_downloaded_artefact is defined
-    - path_to_downloaded_artefact.stat is defined
-    - path_to_downloaded_artefact.stat.exists
-    - target_dir is defined
-    - work_dir is defined

roles/keycloak/tasks/fastpackages.yml

@@ -0,0 +1,30 @@
+---
+- name: "Check if packages are already installed" # noqa command-instead-of-module this runs faster
+  ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
+  register: rpm_info
+  changed_when: false
+  failed_when: false
+  when: ansible_facts.os_family == "RedHat"
+
+- name: "Add missing packages to the yum install list"
+  ansible.builtin.set_fact:
+    packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
+  when: ansible_facts.os_family == "RedHat"
+
+- name: "Install packages: {{ packages_to_install }}"
+  become: true
+  ansible.builtin.yum:
+    name: "{{ packages_to_install }}"
+    state: present
+  when:
+  - packages_to_install | default([]) | length > 0
+  - ansible_facts.os_family == "RedHat"
+
+- name: "Install packages: {{ packages_list }}"
+  become: true
+  ansible.builtin.package:
+    name: "{{ packages_list }}"
+    state: present
+  when:
+    - packages_list | default([]) | length > 0
+    - ansible_facts.os_family == "Debian"

roles/keycloak/tasks/fastpackages/check.yml

@@ -1,14 +0,0 @@
----
-- block:
-  - name: "Check if package {{ package_name }} is already installed"
-    command: rpm -q {{ package_name }}
-    args:
-      warn: no
-    register: rpm_info
-    changed_when: rpm_info.failed
-
-  rescue:
-    - name: "If package {{ package_name }} is missing, add it to the yum install list."
-      set_fact:
-        packages_to_install: "{{ packages_to_install + [ package_name ] }}"
-      when: rpm_info.failed

roles/keycloak/tasks/fastpackages/install.yml

@@ -1,17 +0,0 @@
----
-- set_fact:
-    update_cache: true
-    packages_to_install: []
-
-- name: "Check packages to be installed"
-  include_tasks: check.yml
-  loop: "{{ packages_list | flatten }}"
-  loop_control:
-    loop_var: package_name
-
-- name: "Install packages: {{ packages_to_install }}"
-  become: yes
-  yum:
-    name: "{{ packages_to_install }}"
-    state: present
-  when: packages_to_install | length > 0

roles/keycloak/tasks/firewalld.yml

@@ -1,27 +1,28 @@
 ---
-- name: Ensures required package firewalld are installed
-  ansible.builtin.include_tasks: fastpackages/install.yml
+- name: Ensure required package firewalld are installed
+  ansible.builtin.include_tasks: fastpackages.yml
   vars:
     packages_list:
       - firewalld
 
 - name: Enable and start the firewalld service
-  become: yes
-  systemd:
+  become: true
+  ansible.builtin.systemd:
     name: firewalld
-    enabled: yes
+    enabled: true
     state: started
 
-- name: Configure firewall for jdg ports
-  become: yes
-  firewalld:
+- name: "Configure firewall ports for {{ keycloak.service_name }}"
+  become: true
+  ansible.posix.firewalld:
     port: "{{ item }}"
     permanent: true
     state: enabled
-    immediate: yes
+    immediate: true
   loop:
     - "{{ keycloak_http_port }}/tcp"
     - "{{ keycloak_https_port }}/tcp"
     - "{{ keycloak_management_http_port }}/tcp"
     - "{{ keycloak_management_https_port }}/tcp"
-    - "8009/tcp"
+    - "{{ keycloak_jgroups_port }}/tcp"
+    - "{{ keycloak_ajp_port }}/tcp"

roles/keycloak/tasks/install.yml

@@ -1,5 +1,6 @@
 ---
-- assert:
+- name: Validate parameters
+  ansible.builtin.assert:
     that:
       - keycloak_jboss_home is defined
       - keycloak_service_user is defined
@@ -9,143 +10,288 @@
       - keycloak_version is defined
     quiet: true
 
-- set_fact:
-    keycloak_service_group: "{{ keycloak_service_user }}"
-  when:
-    - not keycloak_service_group is defined
-
-- name: check for an existing deployment
-  become: yes
-  stat:
+- name: Check for an existing deployment
+  become: true
+  ansible.builtin.stat:
     path: "{{ keycloak_jboss_home }}"
   register: existing_deploy
 
-- block:
-    - name: stop the old keycloak service
-      become: yes
-      ignore_errors: yes
-      systemd:
+- name: Stop and restart if existing deployment exists and install forced
+  when: existing_deploy.stat.exists and keycloak_force_install | bool
+  block:
+    - name: "Stop the old {{ keycloak.service_name }} service"
+      become: true
+      failed_when: false
+      ansible.builtin.systemd:
         name: keycloak
         state: stopped
-    - name: remove the old Keycloak deployment
-      become: yes
-      file:
+    - name: "Remove the old {{ keycloak.service_name }} deployment"
+      become: true
+      ansible.builtin.file:
         path: "{{ keycloak_jboss_home }}"
         state: absent
-  when: existing_deploy.stat.exists and keycloak_force_install|bool
 
-- name: check for an existing deployment after possible forced removal
-  become: yes
-  stat:
+- name: Check for an existing deployment after possible forced removal
+  become: true
+  ansible.builtin.stat:
     path: "{{ keycloak_jboss_home }}"
 
-- name: create Keycloak service user/group
-  become: yes
-  user:
+- name: "Create service user/group for {{ keycloak.service_name }}"
+  become: true
+  ansible.builtin.user:
     name: "{{ keycloak_service_user }}"
     home: /opt/keycloak
     system: yes
     create_home: no
 
-- name: create Keycloak install location
-  become: yes
-  file:
+- name: "Create install location for {{ keycloak.service_name }}"
+  become: true
+  ansible.builtin.file:
     dest: "{{ keycloak_dest }}"
     state: directory
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
     mode: 0750
 
-- block:
-    - set_fact:
-        archive: "{{ keycloak_dest }}/{{ keycloak_archive }}"
-    - name: "Check archive directory {{ archive }}"
-      stat:
-        path: "{{ archive }}"
-      register: archive_path
+- name: Create pidfile folder
+  become: true
+  ansible.builtin.file:
+    dest: "{{ keycloak_service_pidfile | dirname }}"
+    state: directory
+    owner: "{{ keycloak_service_user if keycloak_service_runas else omit }}"
+    group: "{{ keycloak_service_group if keycloak_service_runas else omit }}"
+    mode: 0750
 
-    - name: download Keycloak archive to target
-      get_url:
-        url: "{{ keycloak_download_url }}"
-        dest: "{{ keycloak_dest }}"
-        owner: "{{ keycloak_service_user }}"
-        group: "{{ keycloak_service_group }}"
-      when:
-        - archive_path is defined
-        - archive_path.stat is defined
-        - not archive_path.stat.exists
+## check remote archive
+- name: Set download archive path
+  ansible.builtin.set_fact:
+    archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"
 
-    - name: extract Keycloak archive on target
-      unarchive:
-        remote_src: yes
-        src: "{{ archive }}"
-        dest: "{{ keycloak_dest }}"
-        creates: "{{ keycloak_jboss_home }}"
-        owner: "{{ keycloak_service_user }}"
-        group: "{{ keycloak_service_group }}"
-      notify:
-        - restart keycloak
-  become: yes
-  when: not keycloak_rhsso_enable
+- name: Check download archive path
+  become: true
+  ansible.builtin.stat:
+    path: "{{ archive }}"
+  register: archive_path
 
-- block:
-    - assert:
-        that:
-          - rhsso_rhn_id is defined
-        quiet: true
-        fail_msg: "Can't install RHSSO without RHN ID."
+## download to controller
+- name: Check local download archive path
+  ansible.builtin.stat:
+    path: "{{ lookup('env', 'PWD') }}"
+  register: local_path
+  delegate_to: localhost
 
-    - name: create download directory
-      file:
-        path: /opt/apps
-        state: directory
-        owner: "{{ keycloak_service_user }}"
-        group: "{{ keycloak_service_group }}"
-        mode: 0750
+- name: Download keycloak archive
+  ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
+    url: "{{ keycloak_download_url }}"
+    dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+    mode: 0644
+  delegate_to: localhost
+  run_once: true
+  when:
+    - archive_path is defined
+    - archive_path.stat is defined
+    - not archive_path.stat.exists
+    - not sso_enable is defined or not sso_enable
+    - not keycloak_offline_install
 
-    - include_tasks: download_from_rhn.yml
-      vars:
-        rhn_id_file: "{{ rhsso_rhn_id }}"
-        zipfile_dest: "{{ keycloak_dest }}/{{ keycloak_rhsso_archive }}"
-        work_dir: "{{ keycloak_dest }}"
-        target_dir: "{{ keycloak_jboss_home }}"
-  become: yes
-  when: keycloak_rhsso_enable
+- name: Perform download from RHN using JBoss Network API
+  delegate_to: localhost
+  run_once: true
+  when:
+    - archive_path is defined
+    - archive_path.stat is defined
+    - not archive_path.stat.exists
+    - sso_enable is defined and sso_enable
+    - not keycloak_offline_install
+  block:
+    - name: Retrieve product download using JBoss Network API
+      middleware_automation.common.product_search:
+        client_id: "{{ rhn_username }}"
+        client_secret: "{{ rhn_password }}"
+        product_type: DISTRIBUTION
+        product_version: "{{ sso_version.split('.')[:2] | join('.') }}"
+        product_category: "{{ sso_product_category }}"
+      register: rhn_products
+      no_log: "{{ omit_rhn_output | default(true) }}"
+      delegate_to: localhost
+      run_once: true
 
+    - name: Determine install zipfile from search results
+      ansible.builtin.set_fact:
+        rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/' + sso_archive + '$') }}"
+      delegate_to: localhost
+      run_once: true
+
+    - name: Download Red Hat Single Sign-On
+      middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
+        client_id: "{{ rhn_username }}"
+        client_secret: "{{ rhn_password }}"
+        product_id: "{{ (rhn_filtered_products | first).id }}"
+        dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+      no_log: "{{ omit_rhn_output | default(true) }}"
+      delegate_to: localhost
+      run_once: true
+
+- name: Download rhsso archive from alternate location
+  ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
+    url: "{{ keycloak_rhsso_download_url }}"
+    dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+    mode: 0644
+  delegate_to: localhost
+  run_once: true
+  when:
+    - archive_path is defined
+    - archive_path.stat is defined
+    - not archive_path.stat.exists
+    - sso_enable is defined and sso_enable
+    - not keycloak_offline_install
+    - keycloak_rhsso_download_url is defined
+
+- name: Check downloaded archive
+  ansible.builtin.stat:
+    path: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+  register: local_archive_path
+  delegate_to: localhost
+
+## copy and unpack
+- name: Copy archive to target nodes
+  ansible.builtin.copy:
+    src: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+    dest: "{{ archive }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0640
+  register: new_version_downloaded
+  when:
+    - not archive_path.stat.exists
+    - local_archive_path.stat is defined
+    - local_archive_path.stat.exists
+  become: true
+
+- name: "Check target directory: {{ keycloak.home }}"
+  ansible.builtin.stat:
+    path: "{{ keycloak.home }}"
+  register: path_to_workdir
+  become: true
+
+- name: "Extract {{ keycloak_service_desc }} archive on target"
+  ansible.builtin.unarchive:
+    remote_src: true
+    src: "{{ archive }}"
+    dest: "{{ keycloak_dest }}"
+    creates: "{{ keycloak.home }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+  become: true
+  when:
+    - new_version_downloaded.changed or not path_to_workdir.stat.exists
+  notify:
+    - restart keycloak
+
+- name: Inform decompression was not executed
+  ansible.builtin.debug:
+    msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
+  when:
+    - not new_version_downloaded.changed and path_to_workdir.stat.exists
+
+- name: "Reown installation directory to {{ keycloak_service_user }}"
+  ansible.builtin.file:
+    path: "{{ keycloak.home }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    recurse: true
+  become: true
+  changed_when: false
+
+- name: Ensure permissions are correct on existing deploy
+  ansible.builtin.command: chown -R "{{ keycloak_service_user }}:{{ keycloak_service_group }}" "{{ keycloak.home }}"
+  when: keycloak_service_runas
+  become: true
+  changed_when: false
+
+# driver and configuration
 - name: "Install {{ keycloak_jdbc_engine }} driver"
-  include_role:
-    name: wildfly_driver
-    tasks_from: jdbc_driver.yml
-  vars:
-      wildfly_user: "{{ keycloak_service_user }}"
-      jdbc_driver_module_dir: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
-      jdbc_driver_version: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_version }}"
-      jdbc_driver_jar_filename: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_filename }}"
-      jdbc_driver_jar_url: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_url }}"
-      jdbc_driver_jar_installation_path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}/{{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_filename }}"
-      jdbc_driver_module_name: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}"
+  ansible.builtin.include_tasks: jdbc_driver.yml
   when: keycloak_jdbc[keycloak_jdbc_engine].enabled
 
-- name: "Deploy Keycloak's standalone.xml"
-  become: yes
-  template:
-    src: "{{ 'templates/standalone-rhsso.xml.j2' if keycloak_rhsso_enable else 'templates/standalone.xml.j2' }}"
-    dest: "{{ keycloak_jboss_home }}/standalone/configuration/standalone.xml"
+- name: "Deploy custom {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak_config_override_template }}"
+  become: true
+  ansible.builtin.template:
+    src: "templates/{{ keycloak_config_override_template }}"
+    dest: "{{ keycloak_config_path_to_standalone_xml }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
     mode: 0640
   notify:
     - restart keycloak
-  when: not keycloak_remotecache.enabled
+  when: keycloak_config_override_template | length > 0
 
-- name: "Deploy Keycloak's standalone.xml with remote cache store"
-  become: yes
-  template:
-    src: "{{ 'templates/standalone-rhsso-jdg.xml.j2' if keycloak_rhsso_enable else 'templates/standalone-infinispan.xml.j2' }}"
-    dest: "{{ keycloak_jboss_home }}/standalone/configuration/standalone.xml"
+- name: "Deploy standalone {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
+  become: true
+  ansible.builtin.template:
+    src: templates/standalone.xml.j2
+    dest: "{{ keycloak_config_path_to_standalone_xml }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
     mode: 0640
   notify:
     - restart keycloak
-  when: keycloak_remotecache.enabled
+  when:
+    - not keycloak_ha_enabled
+    - keycloak_config_override_template | length == 0
+
+- name: Create tcpping cluster node list
+  ansible.builtin.set_fact:
+    keycloak_cluster_nodes: >
+      {{ keycloak_cluster_nodes | default([]) + [
+        {
+          "name": item,
+          "address": 'jgroups-' + item,
+          "inventory_host": hostvars[item].ansible_default_ipv4.address | default(item) + '[' + (keycloak_jgroups_port | string) + ']',
+          "value": hostvars[item].ansible_default_ipv4.address | default(item)
+        }
+      ] }}
+  loop: "{{ ansible_play_batch }}"
+  when: keycloak_ha_enabled and keycloak_ha_discovery == 'TCPPING'
+
+- name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
+  become: true
+  ansible.builtin.template:
+    src: templates/standalone-ha.xml.j2
+    dest: "{{ keycloak_config_path_to_standalone_xml }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0640
+  notify:
+    - restart keycloak
+  when:
+    - keycloak_ha_enabled
+    - not keycloak_remote_cache_enabled
+    - keycloak_config_override_template | length == 0
+
+- name: "Deploy HA {{ keycloak.service_name }} config with infinispan remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
+  become: true
+  ansible.builtin.template:
+    src: templates/standalone-infinispan.xml.j2
+    dest: "{{ keycloak_config_path_to_standalone_xml }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0640
+  notify:
+    - restart keycloak
+  when:
+    - keycloak_ha_enabled
+    - keycloak_remote_cache_enabled
+    - keycloak_config_override_template | length == 0
+
+- name: "Deploy profile.properties file to {{ keycloak_config_path_to_properties }}"
+  become: true
+  ansible.builtin.template:
+    src: keycloak-profile.properties.j2
+    dest: "{{ keycloak_config_path_to_properties }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0640
+  notify:
+    - restart keycloak
+  when: keycloak_features | length > 0

roles/keycloak/tasks/iptables.yml

@@ -0,0 +1,23 @@
+---
+- name: Ensure required package iptables are installed
+  ansible.builtin.include_tasks: fastpackages.yml
+  vars:
+    packages_list:
+      - iptables
+
+- name: "Configure firewall ports for {{ keycloak.service_name }}"
+  become: true
+  ansible.builtin.iptables:
+    destination_port: "{{ item }}"
+    action: "insert"
+    rule_num: 6 # magic number I forget why
+    chain: "INPUT"
+    policy: "ACCEPT"
+    protocol: tcp
+  loop:
+    - "{{ keycloak_http_port }}"
+    - "{{ keycloak_https_port }}"
+    - "{{ keycloak_management_http_port }}"
+    - "{{ keycloak_management_https_port }}"
+    - "{{ keycloak_jgroups_port }}"
+    - "{{ keycloak_ajp_port }}"

roles/keycloak/tasks/jdbc_driver.yml

@@ -0,0 +1,45 @@
+---
+- name: "Check module directory: {{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
+  ansible.builtin.stat:
+    path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
+  register: dest_path
+  become: true
+
+- name: "Set up module dir for JDBC Driver {{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}"
+  ansible.builtin.file:
+    path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
+    state: directory
+    recurse: true
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0750
+  become: true
+  when:
+    - not dest_path.stat.exists
+- name: "Verify valid parameters for download credentials when specified"
+  ansible.builtin.fail:
+    msg: >-
+      When JDBC driver download credentials are set, both the username and the password MUST be set
+  when:
+    - (keycloak_jdbc_download_user is undefined and keycloak_jdbc_download_pass is not undefined) or (keycloak_jdbc_download_pass is undefined and keycloak_jdbc_download_user is not undefined)
+
+- name: "Retrieve JDBC Driver from {{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_url }}"
+  ansible.builtin.get_url:
+    url: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_url }}"
+    dest: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}/{{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_filename }}"
+    group: "{{ keycloak_service_group }}"
+    owner: "{{ keycloak_service_user }}"
+    url_username: "{{ keycloak_jdbc_download_user | default(omit) }}"
+    url_password: "{{ keycloak_jdbc_download_pass | default(omit) }}"
+    validate_certs: "{{ keycloak_jdbc_download_validate_certs | default(omit) }}"
+    mode: 0640
+  become: true
+
+- name: "Deploy module.xml for JDBC Driver"
+  ansible.builtin.template:
+    src: "templates/jdbc_driver_module.xml.j2"
+    dest: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}/module.xml"
+    group: "{{ keycloak_service_group }}"
+    owner: "{{ keycloak_service_user }}"
+    mode: 0640
+  become: true

roles/keycloak/tasks/main.yml

@@ -1,35 +1,71 @@
 ---
 # tasks file for keycloak
-
-- name: Prerequisites
-  include_tasks: prereqs.yml
+- name: Check prerequisites
+  ansible.builtin.include_tasks: prereqs.yml
   tags:
     - prereqs
 
-- include_tasks: tasks/install.yml
+- name: Distro specific tasks
+  ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml"
+  tags:
+    - unbound
 
-- include_tasks: tasks/systemd.yml
+- name: Include install tasks
+  ansible.builtin.include_tasks: install.yml
+  tags:
+    - install
 
-- block:
-    - name: Check admin credentials by generating a token
-      uri:
+- name: Include systemd tasks
+  ansible.builtin.include_tasks: systemd.yml
+  tags:
+    - systemd
+
+- name: Include patch install tasks
+  ansible.builtin.include_tasks: rhsso_patch.yml
+  when:
+    - sso_apply_patches is defined and sso_apply_patches
+    - sso_enable is defined and sso_enable
+    - ansible_facts.os_family == "RedHat"
+  tags:
+    - install
+    - patch
+
+- name: Link default logs directory
+  ansible.builtin.file:
+    state: link
+    src: "{{ keycloak_jboss_home }}/standalone/log"
+    dest: "{{ keycloak_log_target }}"
+  become: true
+
+- name: Set admin credentials and restart if not already created
+  block:
+    - name: Check admin credentials by generating a token (supposed to fail on first installation)
+      ansible.builtin.uri:
         url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
         method: POST
         body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
-        validate_certs: no
+        validate_certs: false
       register: keycloak_auth_response
       until: keycloak_auth_response.status == 200
       retries: 2
       delay: 2
   rescue:
-    - name: create Keycloak admin user
-      command:
+    - name: "Create {{ keycloak.service_name }} admin user"
+      ansible.builtin.command:
       args:
         argv:
           - "{{ keycloak_jboss_home }}/bin/add-user-keycloak.sh"
-          - -rmaster
-          - -u{{ keycloak_admin_user }}
-          - -p{{ keycloak_admin_password }}
-      become: yes
-    - name: restart keycloak
-      include_tasks: tasks/restart_keycloak.yml
+          - "-rmaster"
+          - "-u{{ keycloak_admin_user }}"
+          - "-p{{ keycloak_admin_password }}"
+      changed_when: true
+      become: true
+    - name: "Restart {{ keycloak.service_name }}"
+      ansible.builtin.include_tasks: tasks/restart_keycloak.yml
+    - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
+      ansible.builtin.uri:
+        url: "{{ keycloak.health_url }}"
+      register: keycloak_status
+      until: keycloak_status.status == 200
+      retries: 25
+      delay: 10

roles/keycloak/tasks/prereqs.yml

@@ -1,29 +1,55 @@
 ---
-- name: "Validate configuration"
-  assert:
+- name: Validate admin console password
+  ansible.builtin.assert:
+    that:
+      - keycloak_admin_password | length > 12
+    quiet: true
+    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_admin_password variable to a 12+ char long string"
+    success_msg: "{{ 'Console administrator password OK' }}"
+
+- name: Validate configuration
+  ansible.builtin.assert:
     that:
       - (keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and not keycloak_db_enabled)
-    quiet: True
+    quiet: true
     fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_ha_enabled and keycloak_db_enabled"
     success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"
 
-- name: "Validate credentials"
-  assert:
+- name: Validate credentials
+  ansible.builtin.assert:
     that:
-      - (rhn_username is defined and rhsso_rhn_id is defined) or rhsso_rhn_id is not defined
-      - (rhn_password is defined and rhsso_rhn_id is defined) or rhsso_rhn_id is not defined
-    quiet: True
+      - (rhn_username is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install
+      - (rhn_password is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install
+    quiet: true
     fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
-    success_msg: "{{ 'Installing Red Hat Single Sign-On' if rhsso_rhn_id is defined else 'Installing keycloak.org' }}"
+    success_msg: "Installing {{ keycloak_service_desc }}"
 
-- set_fact:
-    required_packages:
-    - "{{ jvm_package | default('java-1.8.0-openjdk-devel') }}"
-    - unzip
-    - procps-ng
-    - initscripts
+- name: Validate persistence configuration
+  ansible.builtin.assert:
+    that:
+      - keycloak_jdbc_engine is defined and keycloak_jdbc_engine in [ 'postgres', 'mariadb', 'sqlserver' ]
+      - keycloak_jdbc_url | length > 0
+      - keycloak_db_user | length > 0
+      - keycloak_db_pass | length > 0
+    quiet: true
+    fail_msg: "Configuration for the JDBC persistence is invalid or incomplete"
+    success_msg: "Configuring JDBC persistence using {{ keycloak_jdbc_engine }} database"
+  when: keycloak_db_enabled
 
-- name: "Ensures required packages are installed"
-  ansible.builtin.include_tasks: fastpackages/install.yml
+- name: Validate OS family
+  ansible.builtin.assert:
+    that:
+      - ansible_os_family in ["RedHat", "Debian"]
+    quiet: true
+    fail_msg: "Can only install on RedHat or Debian OS families; found {{ ansible_os_family }}"
+    success_msg: "Installing on {{ ansible_os_family }}"
+
+- name: Load OS specific variables
+  ansible.builtin.include_vars: "vars/{{ ansible_os_family | lower }}.yml"
+  tags:
+    - always
+
+- name: Ensure required packages are installed
+  ansible.builtin.include_tasks: fastpackages.yml
   vars:
-    packages_list: "{{ required_packages }}"
+    packages_list: "{{ keycloak_prereq_package_list }}"

roles/keycloak/tasks/redhat.yml

@@ -0,0 +1,6 @@
+---
+- name: Include firewall config tasks
+  ansible.builtin.include_tasks: firewalld.yml
+  when: keycloak_configure_firewalld
+  tags:
+    - firewall

roles/keycloak/tasks/restart_keycloak.yml

@@ -1,7 +1,28 @@
 ---
-- name: "Restart and enable keycloack service"
-  systemd:
+- name: "Restart and enable {{ keycloak.service_name }} service"
+  ansible.builtin.systemd:
+    name: keycloak
+    enabled: true
+    state: restarted
+    daemon_reload: true
+  become: true
+  delegate_to: "{{ ansible_play_hosts | first }}"
+  run_once: true
+
+- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
+  ansible.builtin.uri:
+    url: "{{ keycloak.health_url }}"
+  register: keycloak_status
+  until: keycloak_status.status == 200
+  delegate_to: "{{ ansible_play_hosts | first }}"
+  run_once: true
+  retries: "{{ keycloak_service_start_retries }}"
+  delay: "{{ keycloak_service_start_delay }}"
+
+- name: "Restart and enable {{ keycloak.service_name }} service"
+  ansible.builtin.systemd:
     name: keycloak
     enabled: yes
     state: restarted
-  become: yes
+  become: true
+  when: inventory_hostname != ansible_play_hosts | first

roles/keycloak/tasks/rhsso_cli.yml

@@ -0,0 +1,13 @@
+---
+- name: Ensure required params for CLI have been provided
+  ansible.builtin.assert:
+    that:
+      - query is defined
+    fail_msg: "Missing required parameters to execute CLI."
+    quiet: true
+
+- name: "Execute CLI query: {{ query }}"
+  ansible.builtin.command: >
+    {{ keycloak.cli_path }} --connect --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
+  changed_when: false
+  register: cli_result

roles/keycloak/tasks/rhsso_patch.yml

@@ -0,0 +1,171 @@
+---
+## check remote patch archive
+- name: Set download patch archive path
+  ansible.builtin.set_fact:
+    patch_archive: "{{ keycloak_dest }}/{{ sso_patch_bundle }}"
+    patch_bundle: "{{ sso_patch_bundle }}"
+    patch_version: "{{ sso_patch_version }}"
+  when: sso_patch_version is defined
+
+- name: Check download patch archive path
+  ansible.builtin.stat:
+    path: "{{ patch_archive }}"
+  register: patch_archive_path
+  when: sso_patch_version is defined
+  become: true
+
+- name: Perform patch download from RHN via JBossNetwork API
+  delegate_to: localhost
+  run_once: true
+  when:
+    - sso_enable is defined and sso_enable
+    - not keycloak_offline_install
+    - sso_apply_patches
+  block:
+    - name: Retrieve product download using JBossNetwork API
+      middleware_automation.common.product_search:
+        client_id: "{{ rhn_username }}"
+        client_secret: "{{ rhn_password }}"
+        product_type: BUGFIX
+        product_version: "{{ sso_version.split('.')[:2] | join('.') }}"
+        product_category: "{{ sso_product_category }}"
+      register: rhn_products
+      no_log: "{{ omit_rhn_output | default(true) }}"
+      delegate_to: localhost
+      run_once: true
+
+    - name: Determine patch versions list
+      ansible.builtin.set_fact:
+        filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | \
+                               select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | \
+                               map('regex_replace', '[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*(-[0-9])?)-.*', '\\1') | list | unique }}"
+      when: sso_patch_version is not defined or sso_patch_version | length == 0
+      delegate_to: localhost
+      run_once: true
+
+    - name: Determine latest version
+      ansible.builtin.set_fact:
+         sso_latest_version: "{{ filtered_versions | middleware_automation.common.version_sort | last }}"
+      when: sso_patch_version is not defined or sso_patch_version | length == 0
+      delegate_to: localhost
+      run_once: true
+
+    - name: Determine install zipfile from search results
+      ansible.builtin.set_fact:
+        rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/rh-sso-' + sso_latest_version + '-patch.zip$') }}"
+        patch_bundle: "rh-sso-{{ sso_latest_version }}-patch.zip"
+        patch_version: "{{ sso_latest_version }}"
+      when: sso_patch_version is not defined or sso_patch_version | length == 0
+      delegate_to: localhost
+      run_once: true
+
+    - name: "Determine selected patch from supplied version: {{ sso_patch_version }}"
+      ansible.builtin.set_fact:
+        rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/' + sso_patch_bundle + '$') }}"
+        patch_bundle: "{{ sso_patch_bundle }}"
+        patch_version: "{{ sso_patch_version }}"
+      when: sso_patch_version is defined
+      delegate_to: localhost
+      run_once: true
+
+    - name: Download Red Hat Single Sign-On patch
+      middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
+        client_id: "{{ rhn_username }}"
+        client_secret: "{{ rhn_password }}"
+        product_id: "{{ (rhn_filtered_products | sort | last).id }}"
+        dest: "{{ local_path.stat.path }}/{{ patch_bundle }}"
+      no_log: "{{ omit_rhn_output | default(true) }}"
+      delegate_to: localhost
+      run_once: true
+
+- name: Set download patch archive path
+  ansible.builtin.set_fact:
+    patch_archive: "{{ keycloak_dest }}/{{ patch_bundle }}"
+
+- name: Check download patch archive path
+  ansible.builtin.stat:
+    path: "{{ patch_archive }}"
+  register: patch_archive_path
+  become: true
+
+## copy and unpack
+- name: Copy patch archive to target nodes
+  ansible.builtin.copy:
+    src: "{{ local_path.stat.path }}/{{ patch_bundle }}"
+    dest: "{{ patch_archive }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0640
+  register: new_version_downloaded
+  when:
+    - not patch_archive_path.stat.exists
+    - local_archive_path.stat is defined
+    - local_archive_path.stat.exists
+  become: true
+
+- name: "Check installed patches"
+  ansible.builtin.include_tasks: rhsso_cli.yml
+  vars:
+    query: "patch info"
+  args:
+    apply:
+      become: true
+      become_user: "{{ keycloak_service_user }}"
+
+- name: "Perform patching"
+  when:
+    - cli_result is defined
+    - cli_result.stdout is defined
+    - patch_version | regex_replace('-[0-9]$', '') not in cli_result.stdout
+  block:
+    - name: "Apply patch {{ patch_version }} to server"
+      ansible.builtin.include_tasks: rhsso_cli.yml
+      vars:
+        query: "patch apply {{ patch_archive }}"
+      args:
+        apply:
+          become: true
+          become_user: "{{ keycloak_service_user }}"
+
+    - name: "Restart server to ensure patch content is running"
+      ansible.builtin.include_tasks: rhsso_cli.yml
+      vars:
+        query: "shutdown --restart"
+      when:
+        - cli_result.rc == 0
+      args:
+        apply:
+            become: true
+            become_user: "{{ keycloak_service_user }}"
+
+    - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
+      ansible.builtin.uri:
+        url: "{{ keycloak.health_url }}"
+      register: keycloak_status
+      until: keycloak_status.status == 200
+      retries: 25
+      delay: 10
+
+    - name: "Query installed patch after restart"
+      ansible.builtin.include_tasks: rhsso_cli.yml
+      vars:
+        query: "patch info"
+      args:
+        apply:
+            become: true
+            become_user: "{{ keycloak_service_user }}"
+
+    - name: "Verify installed patch version"
+      ansible.builtin.assert:
+        that:
+          - patch_version not in cli_result.stdout
+        fail_msg: "Patch installation failed"
+        success_msg: "Patch installation successful"
+
+- name: "Skipping patch"
+  ansible.builtin.debug:
+    msg: "Cumulative patch {{ patch_version }} already installed, skipping patch installation."
+  when:
+    - cli_result is defined
+    - cli_result.stdout is defined
+    - patch_version in cli_result.stdout

roles/keycloak/tasks/start_keycloak.yml

@@ -0,0 +1,16 @@
+---
+- name: "Start {{ keycloak.service_name }} service"
+  ansible.builtin.systemd:
+    name: keycloak
+    enabled: true
+    state: started
+    daemon_reload: true
+  become: true
+
+- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
+  ansible.builtin.uri:
+    url: "{{ keycloak.health_url }}"
+  register: keycloak_status
+  until: keycloak_status.status == 200
+  retries: "{{ keycloak_service_start_retries }}"
+  delay: "{{ keycloak_service_start_delay }}"

roles/keycloak/tasks/stop_keycloak.yml

@@ -1,7 +1,7 @@
 ---
-- name: "Stop SSO service"
-  systemd:
+- name: "Stop {{ keycloak.service_name }}"
+  ansible.builtin.systemd:
     name: keycloak
-    enabled: yes
+    enabled: true
     state: stopped
-  become: yes
+  become: true

roles/keycloak/tasks/systemd.yml

@@ -1,6 +1,7 @@
-- name: configure keycloak service script wrapper
-  become: yes
-  template:
+---
+- name: "Configure {{ keycloak.service_name }} service script wrapper"
+  become: true
+  ansible.builtin.template:
     src: keycloak-service.sh.j2
     dest: "{{ keycloak_dest }}/keycloak-service.sh"
     owner: root
@@ -9,57 +10,47 @@
   notify:
     - restart keycloak
 
-- name: configure sysconfig file for keycloak service
-  become: yes
-  template:
+- name: "Configure sysconfig file for {{ keycloak.service_name }} service"
+  become: true
+  ansible.builtin.template:
     src: keycloak-sysconfig.j2
-    dest: /etc/sysconfig/keycloak
+    dest: "{{ keycloak_sysconf_file }}"
     owner: root
     group: root
     mode: 0644
   notify:
     - restart keycloak
 
-- name: configure systemd unit file for keycloak service
-  template:
+- name: "Configure systemd unit file for {{ keycloak.service_name }} service"
+  ansible.builtin.template:
     src: keycloak.service.j2
     dest: /etc/systemd/system/keycloak.service
     owner: root
     group: root
     mode: 0644
-  become: yes
+  become: true
   register: systemdunit
   notify:
     - restart keycloak
 
-- name: reload systemd
-  become: yes
-  systemd:
-    daemon_reload: yes
-  when: systemdunit.changed
+- name: "Start and wait for {{ keycloak.service_name }} service (first node db)"
+  ansible.builtin.include_tasks: start_keycloak.yml
+  run_once: true
+  when: keycloak_db_enabled
 
-- name: start keycloak
-  systemd:
-    name: keycloak
-    enabled: yes
-    state: started
-  become: yes
+- name: "Start and wait for {{ keycloak.service_name }} service (remaining nodes)"
+  ansible.builtin.include_tasks: start_keycloak.yml
 
-- command: "systemctl status keycloak"
+- name: Check service status
+  ansible.builtin.command: "systemctl status keycloak"
   register: keycloak_service_status
-  changed_when: False
+  changed_when: false
 
-- assert:
+- name: Verify service status
+  ansible.builtin.assert:
     that:
       - keycloak_service_status is defined
       - keycloak_service_status.stdout is defined
 
-- meta: flush_handlers
-
-- name: Wait until Keycloak becomes active
-  uri:
-    url: "{{ keycloak_management_url }}/health"
-  register: keycloak_status
-  until: keycloak_status.status == 200
-  retries: 20
-  delay: 10
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers