internet/ansible-middleware.keycloak
3
0
Fork 0
mirror of https://github.com/ansible-middleware/keycloak.git synced 2026-03-27 13:53:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: internet:v0.2.3
Branches Tags
internet:main internet:gh-pages internet:feature/182_restart_handler internet:rhbk_mol_sudo
internet:3.0.3 internet:3.0.2 internet:3.0.1 internet:3.0.0 internet:2.4.3 internet:2.4.2 internet:2.4.1 internet:2.4.0 internet:2.3.0 internet:2.2.2 internet:2.2.1 internet:2.2.0 internet:2.1.2 internet:2.1.1 internet:2.1.0 internet:2.0.2 internet:2.0.1 internet:2.0.0 internet:1.3.0 internet:1.2.8 internet:1.2.7 internet:1.2.6 internet:1.2.5 internet:1.2.4 internet:1.2.1 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.7 internet:1.0.6 internet:1.0.5 internet:1.0.4 internet:1.0.3 internet:1.0.2 internet:1.0.1 internet:1.0.0 internet:v0.2.5 internet:v0.2.4 internet:v0.2.3 internet:0.2.2 internet:v0.2.1 internet:v0.2.0 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0 internet:v0.0.4 internet:v0.0.3 internet:v0.0.2 internet:v0.0.1
...
compare: internet:1.0.1
Branches Tags
internet:main internet:gh-pages internet:feature/182_restart_handler internet:rhbk_mol_sudo
internet:3.0.3 internet:3.0.2 internet:3.0.1 internet:3.0.0 internet:2.4.3 internet:2.4.2 internet:2.4.1 internet:2.4.0 internet:2.3.0 internet:2.2.2 internet:2.2.1 internet:2.2.0 internet:2.1.2 internet:2.1.1 internet:2.1.0 internet:2.0.2 internet:2.0.1 internet:2.0.0 internet:1.3.0 internet:1.2.8 internet:1.2.7 internet:1.2.6 internet:1.2.5 internet:1.2.4 internet:1.2.1 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.7 internet:1.0.6 internet:1.0.5 internet:1.0.4 internet:1.0.3 internet:1.0.2 internet:1.0.1 internet:1.0.0 internet:v0.2.5 internet:v0.2.4 internet:v0.2.3 internet:0.2.2 internet:v0.2.1 internet:v0.2.0 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0 internet:v0.0.4 internet:v0.0.3 internet:v0.0.2 internet:v0.0.1

24 Commits
v0.2.3 ... 1.0.1

Author SHA1 Message Date
Guido Grazioli
d5bf0a195a docs: fix typo 2022-03-11 15:31:48 +01:00
Guido Grazioli
c5b38e8bac docs: add testing and releasing contributor pages 2022-03-11 15:15:18 +01:00
Guido Grazioli
266f2bc00b Bump to v1.0.1 2022-03-11 15:11:21 +01:00
Guido Grazioli
cfdc043770 Update docs, fix patch apply steps and cli vars 2022-03-11 15:03:55 +01:00
Guido Grazioli
707d8cfb11 add rhsso_cli tasks, change shape of rhsso_rhn_ids 2022-03-11 15:03:55 +01:00
Guido Grazioli
f5cd6d8061 Merge pull request #17 from guidograzioli/replace_serial_with_runonce 
Replace use of serial with run_once
 2022-03-08 12:32:54 +01:00
Guido Grazioli
b88c43933c Replace use of serial with run_once 
run_once on first node when database config enabled (so the first
node creates the tables), then wakeup all other nodes
 2022-03-08 12:08:40 +01:00
Guido Grazioli
0bc81cc781 chore: add build ignores / fix release tag names 2022-03-01 19:05:28 +01:00
Guido Grazioli
60c5a42ae4 Merge pull request #16 from hcherukuri/main 
Bump version to 1.0.0 to satisfy Automation hub
 2022-03-01 19:00:38 +01:00
Harsha Cherukuri
2073c90e1d Bump version to 1.0.0 to statisfy Automation hub 2022-03-01 12:44:09 -05:00
Harsha Cherukuri
ffd146d392 Merge pull request #15 from guidograzioli/fqcn-builtins 
fix: use FQCN
 2022-03-01 12:42:09 -05:00
Guido Grazioli
78f225b10c chore: reword collection tags not accepted by galaxy 2022-03-01 10:46:06 +01:00
Guido Grazioli
a043021e48 docs: add automated doc generation 2022-03-01 10:22:12 +01:00
Guido Grazioli
a0ea9c62a7 update galaxy tags 2022-02-24 17:37:31 +01:00
Guido Grazioli
b90684a44a fix: use FQCN 2022-02-24 15:00:10 +01:00
Guido Grazioli
73bbca9fc1 drop ansible-lint offline option 2022-02-16 10:47:56 +01:00
Guido Grazioli
124c8ae0ad Fix linter errors 2022-02-16 10:47:56 +01:00
Guido Grazioli
bce963923d Update lint config and paths 2022-02-16 10:47:56 +01:00
Guido Grazioli
147ee5214e add lint skip_list and molecule setup 2022-02-16 10:47:56 +01:00
Guido Grazioli
042089d100 READMEs updated by helper scripts 2022-02-16 10:47:56 +01:00
Guido Grazioli
ac62d2e43d Merge pull request #11 from guidograzioli/polish_argument_specs 
document argument_specs
 2022-02-10 08:41:04 +01:00
Guido Grazioli
662918f5f8 Bump version to v0.2.4 2022-02-09 15:14:56 +01:00
Guido Grazioli
e0664d53a9 fix: copy from local only if target not existing 2022-02-09 15:06:40 +01:00
Guido Grazioli
20f321c628 document argument_specs 2022-02-09 11:19:49 +01:00
57 changed files with 995 additions and 218 deletions
Expand all files Collapse all files

27
.ansible-lint Normal file
View File

@@ -0,0 +1,27 @@
# .ansible-lint
exclude_paths:
- .cache/
- .github/
- molecule/
- .ansible-lint
- .yamllint
rulesdir:
- ../../ansible-lint-custom-rules/rules/
enable_list:
- fqcn-builtins # opt-in
- no-log-password # opt-in
warn_list:
- role_vars_start_with_role_name
- vars_in_vars_files_have_valid_names
- vars_should_not_be_used
- experimental
- ignore-errors
- no-handler
- fqcn-builtins
- no-log-password
use_default_rules: true
parseable: true

48
.github/ISSUE_TEMPLATE/bug_report.md vendored Normal file
View File

@@ -0,0 +1,48 @@
---
name: 🐛 Bug report
about: Create a report to help us improve
---
##### SUMMARY
<!-- Explain the problem briefly -->
##### ISSUE TYPE
- Bug Report
##### ANSIBLE VERSION
<!-- Paste, BELOW THIS COMMENT, verbatim output from "ansible --version"-->
```
```
##### COLLECTION VERSION
<!-- Paste, BELOW THIS COMMENT, verbatim output from "ansible-galaxy collection list"-->
<!-- If using virtual environments or execution environments, remember to activate them-->
```
```
##### STEPS TO REPRODUCE
<!-- List the steps to reproduce the problem, using a minimal test-case. -->
<!-- Paste example playbook below -->
```yaml
```
##### EXPECTED RESULTS
<!-- What did you expect to happen when running the steps above? -->
##### ACTUAL RESULTS
<!-- What actually happened? If possible run with extra verbosity (-vvvv) and diff (--diff) -->
<!-- Please also include check mode (--check --diff) output if the API returns an error -->
<!-- Be sure to mask any sensitive information -->
<!--- Paste verbatim command output between quotes below -->
```
```

12
.github/ISSUE_TEMPLATE/feature_request.md vendored Normal file
View File

@@ -0,0 +1,12 @@
---
name: ✨ Feature request
about: Suggest an idea for this project
---
##### SUMMARY
<!--- Explain the problem briefly -->
##### ISSUE TYPE
- Feature Idea

6
.github/workflows/ci.yml vendored
View File

@@ -29,6 +29,12 @@ jobs:
pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
- name: Install ansible-lint custom rules
uses: actions/checkout@v2
with:
repository: ansible-middleware/ansible-lint-custom-rules
path: ansible_collections/ansible-lint-custom-rules/
- name: Create default collection path
run: |
mkdir -p /home/runner/.ansible/collections/ansible_collections

75
.github/workflows/docs.yml vendored Normal file
View File

@@ -0,0 +1,75 @@
---
name: Documentation
on:
push:
branches:
- main
tags:
- "[0-9]+.[0-9]+.[0-9]+"
env:
COLORTERM: 'yes'
TERM: 'xterm-256color'
PYTEST_ADDOPTS: '--color=yes'
jobs:
docs:
runs-on: ubuntu-latest
if: github.repository == 'ansible-middleware/keycloak'
permissions:
actions: write
checks: write
contents: write
deployments: write
packages: write
pages: write
steps:
- name: Check out code
uses: actions/checkout@v2
with:
path: ansible_collections/middleware_automation/keycloak
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.9
- name: Install doc dependencies
run: |
python -m pip install --upgrade pip
pip install -r ansible_collections/middleware_automation/keycloak/docs/requirements.txt
pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
- name: Create default collection path
run: |
mkdir -p /home/runner/.ansible/collections/ansible_collections
- name: Create doc directories and resources
run: |
mkdir -p ./docs/plugins ./docs/roles
cat ./docs/roles.rst.template > ./docs/roles/index.rst
antsibull-docs collection --use-current --squash-hierarchy --dest-dir docs/plugins middleware_automation.keycloak
for role_readme in roles/*/README.md; do ln -f -s ../../$role_readme ./docs/roles/$(basename $(dirname $role_readme)).md; echo " * :doc:\`$(basename $(dirname $role_readme))\`" >> ./docs/roles/index.rst; done
working-directory: ansible_collections/middleware_automation/keycloak
- name: Run sphinx
run: |
sphinx-build -M html . _build -v
working-directory: ansible_collections/middleware_automation/keycloak/docs/
- name: Commit docs
run: |
git config user.name github-actions
git config user.email github-actions@github.com
git checkout gh-pages
rm -rf $(basename ${GITHUB_REF})
mv docs/_build/html $(basename ${GITHUB_REF})
ln --force --no-dereference --symbolic main latest
git show origin/main:docs/_gh_include/header.inc > index.html
(echo main; echo latest; dirname *.*.*/index.html | sort --version-sort --reverse) | xargs -I@@ -n1 echo '<li class="toctree-l1"><a class="reference internal" href="@@/">@@</a></li>' >> index.html
git show origin/main:docs/_gh_include/footer.inc >> index.html
git add $(basename ${GITHUB_REF}) latest index.html
git commit -m "Update docs for $(basename ${GITHUB_REF})" || true
git push origin gh-pages
working-directory: ansible_collections/middleware_automation/keycloak/

6
.github/workflows/release.yml vendored
View File

@@ -1,9 +1,9 @@
---
name: Release collection
on:
push:
tags:
- "*.*.*"
- "[0-9]+.[0-9]+.[0-9]+"
jobs:
release:
@@ -31,7 +31,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
files: "*.tar.gz"
body: "Release ${{ steps.get_version.outputs.TAG_VERSION }}"
body: "Release v${{ steps.get_version.outputs.TAG_VERSION }}"
- name: Publish collection
env:
ANSIBLE_GALAXY_API_KEY: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}

8
.gitignore vendored
View File

@@ -1,2 +1,10 @@
*.tar.gz
*.zip
.tmp
.cache
docs/plugins/
docs/roles/
docs/_build/
.pytest_cache/
.mypy_cache/
*.retry

12
CONTRIBUTING.md
View File

@@ -1,14 +1,14 @@
## Contributor's Guidelines
- All YAML files named with '.yml' extension
- All YAML files named with `.yml` extension
- Use spaces around jinja variables. `{{ var }}` over `{{var}}`
- Variables that are internal to the role should be lowercase and start with the role name
- Keep roles self contained - Roles should avoid including tasks from other roles when possible
- Plays should do nothing more than include a list of roles except where `pre_tasks` and `post_tasks` are required when possible
- Separators - Use valid name, ie. underscores (e.g. `my_role` `my_playbook`) not dashes (`my-role`)
- Paths - When defining paths, do not include trailing slashes (e.g. `my_path: /foo` not `my_path: /foo/`). When concatenating paths, follow the same convention (e.g. `{{ my_path }}/bar` not `{{ my_path }}bar`)
- Plays should do nothing more than include a list of roles, except where `pre_tasks` and `post_tasks` are required, when possible
- Separators - Use valid names, ie. underscores (e.g. `my_role` `my_playbook`) not dashes (`my-role`)
- Paths - When defining paths, do not include trailing slashes (e.g. `my_path: /foo` not `my_path: /foo/`); when concatenating paths, follow the same convention (e.g. `{{ my_path }}/bar` not `{{ my_path }}bar`)
- Indentation - Use 2 spaces for each indent
- `vars/` vs `defaults/` - internal or interpolated variables that don't need to change or be overridden by user go in `vars/`, those that a user would likely override, go under `defaults/` directory
- All arguments have a specification in `meta/argument_specs.yml`
- All playbooks/roles should be focused on compatibility with Ansible Tower
- All role arguments have a specification in `meta/argument_specs.yml`
- All playbooks/roles should be focused on compatibility with Ansible Automation Platform

18
README.md
View File

@@ -1,4 +1,4 @@
# Ansible Collection - keycloak
# Ansible Collection - middleware_automation.keycloak
[![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
@@ -13,6 +13,7 @@ This collection has been tested against following Ansible versions: **>=2.9.10**
Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
<!--end requires_ansible-->
## Installation
### Installing the Collection from Ansible Galaxy
@@ -54,12 +55,12 @@ A requirement file is provided to install:
Both playbooks include the `keycloak` role, with different settings, as described in the following sections.
For service configuration details, refer to the [keycloak role README](roles/keycloak/README.md).
For full service configuration details, refer to the [keycloak role README](roles/keycloak/README.md).
### Choosing between upstream project (Keycloak) and Red Hat Single Sign-On (RHSSO)
The general flag `keycloak_rhsso_enable` controls what to install between upstream(Keycloak, when `False`) or Red Hat Single Sign-On (when `True`).
The general flag `keycloak_rhsso_enable` controls what to install between upstream (Keycloak, when `False`) or Red Hat Single Sign-On (when `True`).
The default value for the flag if `True` when Red Hat Network credentials are defined, `False` otherwise.
@@ -133,15 +134,15 @@ ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e
### Config Playbook
[`playbooks/keycloak-realm.yml`](playbooks/keycloak-realm.yml) creates provided realm, user federation(s), client(s), client role(s) and client user(s) if they don't exist.
[`playbooks/keycloak_realm.yml`](playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
### Example configuration command
Execute the following command from the source root directory
Execute the following command from the source root directory:
```bash
ansible-playbook -i <ansible_hosts> playbooks/keycloak-realm.yml -e keycloak_admin_password=<changeme> -e keycloak_realm=test
ansible-playbook -i <ansible_hosts> playbooks/keycloak_realm.yml -e keycloak_admin_password=<changeme> -e keycloak_realm=test
```
- `keycloak_admin_password` password for the administration console user account.
@@ -153,8 +154,11 @@ ansible-playbook -i <ansible_hosts> playbooks/keycloak-realm.yml -e keycloak_adm
localhost ansible_connection=local
```
For configuration details, refer to the [keycloak_realm role README](roles/keycloak_realm/README.md).
For full configuration details, refer to the [keycloak_realm role README](roles/keycloak_realm/README.md).
## Support
Keycloak collection v1.0.0 is a Beta release and for [Technical Preview](https://access.redhat.com/support/offerings/techpreview). If you have any issues or questions related to collection, please don't hesitate to contact us on Ansible-middleware-core@redhat.com or open an issue on https://github.com/ansible-middleware/keycloak/issues
## License

1
docs/README.md Symbolic link
View File

@@ -0,0 +1 @@
../README.md

21
docs/_gh_include/footer.inc Normal file
View File

@@ -0,0 +1,21 @@
</ul>
</div>
</section>
</div>
</div>
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
</div>
<hr/>
<div role="contentinfo">
<p>&#169; Copyright 2022, Red Hat, Inc.</p>
</div>
Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
<a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
</body>
</html>

43
docs/_gh_include/header.inc Normal file
View File

@@ -0,0 +1,43 @@
<!doctype html>
<html>
<head>
<title>Keycloak Ansible Collection documentation index</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="stylesheet" href="https://ansible-middleware.github.io/keycloak/main/_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="https://ansible-middleware.github.io/keycloak/main/_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="https://ansible-middleware.github.io/keycloak/main/_static/ansible-basic-sphinx-ext.css" type="text/css" />
<script data-url_root="./" id="documentation_options" src="https://ansible-middleware.github.io/keycloak/main/_static/documentation_options.js"></script>
<script src="https://ansible-middleware.github.io/keycloak/main/_static/jquery.js"></script>
<script src="https://ansible-middleware.github.io/keycloak/main/_static/underscore.js"></script>
<script src="https://ansible-middleware.github.io/keycloak/main/_static/doctools.js"></script>
<script src="https://ansible-middleware.github.io/keycloak/main/_static/js/theme.js"></script>
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="#" class="icon icon-home"> Keycloak Ansible Collection</a>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="Page navigation">
<ul class="wy-breadcrumbs">
<li><a href="#" class="icon icon-home"></a> &raquo;</li>
<li>Welcome to Keycloak Collection documentation</li>
<li class="wy-breadcrumbs-aside"></li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section id="welcome-to-keycloak-collection-documentation">
<h1>Welcome to Keycloak Collection documentation<a class="headerlink" href="#welcome-to-keycloak-collection-documentation" title="Permalink to this headline"></a></h1>
<div class="toctree-wrapper compound">
<p class="caption" role="heading"><span class="caption-text">Pick collection version:</span></p>
<ul>

170
docs/conf.py Normal file
View File

@@ -0,0 +1,170 @@
# -*- coding: utf-8 -*-
#
# Configuration file for the Sphinx documentation builder.
#
# This file does only contain a selection of the most common options. For a
# full list see the documentation:
# http://www.sphinx-doc.org/en/master/config
# -- Path setup --------------------------------------------------------------
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
#
import datetime
import os
import sys
sys.path.insert(0, os.path.abspath('../plugins/module_utils/'))
# sys.path.insert(0, os.path.abspath('.'))
# -- Project information -----------------------------------------------------
project = 'Keycloak Ansible Collection'
copyright = '{y}, Red Hat, Inc.'.format(y=datetime.date.today().year)
author = 'Red Hat, Inc.'
# The short X.Y version
version = ''
# The full version, including alpha/beta/rc tags
release = ''
# -- General configuration ---------------------------------------------------
# If your documentation needs a minimal Sphinx version, state it here.
#
# needs_sphinx = '1.0'
# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
extensions = [
'myst_parser',
'sphinx.ext.autodoc',
'sphinx.ext.intersphinx',
'ansible_basic_sphinx_ext',
]
# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']
# The suffix(es) of source filenames.
# You can specify multiple suffix as a list of string:
#
# source_suffix = ['.rst', '.md']
source_suffix = ['.rst', '.md']
# The master toctree document.
master_doc = 'index'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
#
# This is also used if you do content translation via gettext catalogs.
# Usually you set "language" from the command line for these cases.
language = None
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
# This pattern also affects html_static_path and html_extra_path .
exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store', '.tmp']
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'
highlight_language = 'YAML+Jinja'
# -- Options for HTML output -------------------------------------------------
html_theme_path = ['_themes']
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
#
# html_theme = 'alabaster'
html_theme = 'sphinx_rtd_theme'
# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
#
# html_theme_options = {}
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = []
# Custom sidebar templates, must be a dictionary that maps document names
# to template names.
#
# The default sidebars (for documents that don't match any pattern) are
# defined by theme itself. Builtin themes are using these templates by
# default: ``['localtoc.html', 'relations.html', 'sourcelink.html',
# 'searchbox.html']``.
#
# html_sidebars = {}
# -- Options for HTMLHelp output ---------------------------------------------
# Output file base name for HTML help builder.
htmlhelp_basename = 'KeycloakCollectionDoc'
# -- Options for LaTeX output ------------------------------------------------
latex_elements = {
# The paper size ('letterpaper' or 'a4paper').
#
# 'papersize': 'letterpaper',
# The font size ('10pt', '11pt' or '12pt').
#
# 'pointsize': '10pt',
# Additional stuff for the LaTeX preamble.
#
# 'preamble': '',
# Latex figure (float) alignment
#
# 'figure_align': 'htbp',
}
# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title,
# author, documentclass [howto, manual, or own class]).
latex_documents = [
(master_doc, 'KeycloakCollection.tex', 'Red Hat Single Sign-On Ansible Collection Documentation',
'Red Hat, Inc.', 'manual'),
]
# -- Options for manual page output ------------------------------------------
# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
(master_doc, 'keycloakcollection', 'Red Hat Single Sign-On Ansible Collection Documentation',
[author], 1)
]
# -- Options for Texinfo output ----------------------------------------------
# Grouping the document tree into Texinfo files. List of tuples
# (source start file, target name, title, author,
# dir menu entry, description, category)
texinfo_documents = [
(master_doc, 'KeycloakCollection', 'Red Hat Single Sign-On Ansible Collection Documentation',
author, 'KeycloakCollection', 'One line description of project.',
'Miscellaneous'),
]
# -- Extension configuration -------------------------------------------------
# -- Options for intersphinx extension ---------------------------------------
# Example configuration for intersphinx: refer to the Python standard library.
intersphinx_mapping = {'python': ('https://docs.python.org/2', None), 'ansible': ('https://docs.ansible.com/ansible/latest/', None)}

1
docs/developing.md Symbolic link
View File

@@ -0,0 +1 @@
../CONTRIBUTING.md

32
docs/index.rst Normal file
View File

@@ -0,0 +1,32 @@
.. Red Hat middleware_automation Keycloak Ansible Collection documentation main file
Welcome to Keycloak Collection documentation
============================================
.. toctree::
:maxdepth: 2
:caption: User documentation
README
plugins/index
roles/index
.. toctree::
:maxdepth: 2
:caption: Developer documentation
developing
testing
releasing
.. toctree::
:maxdepth: 2
:caption: General
Changelog <CHANGELOG>
Indices and tables
==================
* :ref:`genindex`
* :ref:`search`

61
docs/releasing.md Normal file
View File

@@ -0,0 +1,61 @@
# Collection Versioning Strategy
Each supported collection maintained by Ansible follows Semantic Versioning 2.0.0 (https://semver.org/), for example:
Given a version number MAJOR.MINOR.PATCH, the following is incremented:
MAJOR version: when making incompatible API changes (see Feature Release scenarios below for examples)
MINOR version: when adding features or functionality in a backwards compatible manner, or updating testing matrix and/or metadata (deprecation)
PATCH version: when adding backwards compatible bug fixes or security fixes (strict).
Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.
The first version of a generally available supported collection on Ansible Automation Hub shall be version 1.0.0. NOTE: By default, all newly created collections may begin with a smaller default version of 0.1.0, and therefore a version of 1.0.0 should be explicitly stated by the collection maintainer.
## New content is added to an existing collection
Assuming the current release is 1.0.0, and a new module is ready to be added to the collection, the minor version would be incremented to 1.1.0. The change in the MINOR version indicates an additive change was made while maintaining backward compatibility for existing content within the collection.
## New feature to existing plugin or role within a collection (backwards compatible)
Assuming the current release is 1.0.0, and new features for an existing module are ready for release . We would increment the MINOR version to 1.1.0. The change in the MINOR version indicates an additive change was made while maintaining backward compatibility for existing content within the collection.
## Bug fix or security fix to existing content within a collection
Assuming the current release is 1.0.0 and a bug is fixed prior to the next minor release, the PATCH version would be incremented to 1.0.1. The patch indicates only a bug was fixed within a current version. The PATCH release does not contain new content, nor was functionality removed. Bug fixes may be included in a MINOR or MAJOR feature release if the timing allows, eliminating the need for a PATCH dedicated to the fix.
## Breaking change to any content within a collection
Assuming the current release is 1.0.0, and a breaking change (API or module) is introduced for a user or developer. The MAJOR version would be incremented to 2.0.0.
Examples of breaking changes within a collection may include but are not limited to:
- Argspec changes for a module that require either inventory structure or playbook changes.
- A change in the shape of either the inbound or returned payload of a filter plugin.
- Changes to a connection plugin that require additional inventory parameters or ansible.cfg entries.
- New functionality added to a module that changes the outcome of that module as released in previous versions.
- The removal of plugins from a collection.
## Content removed from a collection
Deleting a module or API is a breaking change. Please see the 'Breaking change' section for how to version this.
## A typographical error was fixed in the documentation for a collection
A correction to the README would be considered a bug fix and the PATCH incremented. See 'Bug fix' above.
## Documentation added/removed/modified within a collection
Only the PATCH version should be increased for a release that contains changes limited to revised documentation.
## Release automation
New releases are triggered by annotated git tags named after semantic versioning. The automation publishes the built artifacts to ansible-galaxy and github releases page.

5
docs/requirements.txt Normal file
View File

@@ -0,0 +1,5 @@
antsibull>=0.17.0
ansible-base>=2.10.12
sphinx-rtd-theme
git+https://github.com/felixfontein/ansible-basic-sphinx-ext
myst-parser

3
docs/roles.rst.template Normal file
View File

@@ -0,0 +1,3 @@
Role Index
==========

49
docs/testing.md Normal file
View File

@@ -0,0 +1,49 @@
# Testing
## Continuous integration
The collection is tested with a [molecule](https://github.com/ansible-community/molecule) setup covering the included roles and verifying correct installation and idempotency.
In order to run the molecule tests locally with python 3.9 available, after cloning the repository:
```
pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
molecule test --all
```
## Integration testing
Demo repositories which depend on the collection, and aggregate functionality with other middleware_automation collections, are automatically rebuilt
at every collection release to ensure non-breaking changes and consistent behaviour.
The repository are:
- [Flange demo](https://github.com/ansible-middleware/flange-demo)
A deployment of Wildfly cluster integrated with keycloak and infinispan.
- [CrossDC keycloak demo](https://github.com/ansible-middleware/cross-dc-rhsso-demo)
A clustered multi-regional installation of keycloak with infinispan remote caches.
## Test playbooks
Sample playbooks are provided in the `playbooks/` directory; to run the playbooks locally (requires a rhel system with python 3.9+, ansible, and systemd) the steps are as follows:
```
# setup environment
pip install ansible-core
# clone the repository
git clone https://github.com/ansible-middleware/keycloak
cd keycloak
# install collection dependencies
ansible-galaxy collection install -r requirements.yml
# install collection python deps
pip install -r requirements.txt
# create inventory for localhost
cat << EOF > inventory
[keycloak]
localhost ansible_connection=local
EOF
# run the playbook
ansible-playbook -i inventory playbooks/keycloak.yml
```

18
galaxy.yml
View File

@@ -1,6 +1,7 @@
---
namespace: middleware_automation
name: keycloak
version: "0.2.3"
version: "1.0.1"
readme: README.md
authors:
- Romain Pelisse <rpelisse@redhat.com>
@@ -12,12 +13,21 @@ tags:
- keycloak
- redhat
- rhel
- rhn
- sso
- openid
- application
- identity
- security
- infrastructure
- authentication
dependencies:
"middleware_automation.redhat_csp_download": ">=1.2.1"
"middleware_automation.wildfly": ">=0.0.4"
"middleware_automation.wildfly": ">=0.0.6"
repository: https://github.com/ansible-middleware/keycloak
documentation: https://github.com/ansible-middleware/keycloak
documentation: https://ansible-middleware.github.io/keycloak
homepage: https://github.com/ansible-middleware/keycloak
issues: https://github.com/ansible-middleware/keycloak/issues
build_ignore:
- molecule
- docs
- .github

3
molecule/default/molecule.yml
View File

@@ -4,6 +4,9 @@ dependency:
command: ansible-galaxy collection install -r molecule/default/requirements.yml -p $HOME/.ansible/collections --force-with-deps
driver:
name: docker
lint: |
ansible-lint --version
ansible-lint -v
platforms:
- name: instance
image: registry.access.redhat.com/ubi8/ubi-init:latest

4
molecule/default/prepare.yml
View File

@@ -3,10 +3,10 @@
hosts: all
tasks:
- name: Disable beta repos
command: yum config-manager --disable '*beta*'
ansible.builtin.command: yum config-manager --disable '*beta*'
ignore_errors: yes
- name: Install sudo
yum:
ansible.builtin.yum:
name: sudo
state: present

2
molecule/default/verify.yml
View File

@@ -5,6 +5,6 @@
- name: Populate service facts
ansible.builtin.service_facts:
- name: Check if keycloak service started
assert:
ansible.builtin.assert:
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"

4
playbooks/keycloak.yml
View File

@@ -5,7 +5,7 @@
- middleware_automation.keycloak
tasks:
- name: Include keycloak role
include_role:
name: keycloak
ansible.builtin.include_role:
name: middleware_automation.keycloak.keycloak
vars:
keycloak_admin_password: "changeme"

4
playbooks/keycloak-realm.yml → playbooks/keycloak_realm.yml
View File

@@ -3,8 +3,8 @@
hosts: keycloak
tasks:
- name: Keycloak Realm Role
include_role:
name: keycloak_realm
ansible.builtin.include_role:
name: middleware_automation.keycloak.keycloak_realm
vars:
keycloak_admin_password: "changeme"
keycloak_realm: TestRealm

6
playbooks/rhsso.yml
View File

@@ -4,11 +4,11 @@
collections:
- middleware_automation.redhat_csp_download
roles:
- redhat_csp_download
- middleware_automation.redhat_csp_download.redhat_csp_download
tasks:
- name: Keycloak Role
include_role:
name: keycloak
ansible.builtin.include_role:
name: middleware_automation.keycloak.keycloak
vars:
keycloak_admin_password: "changeme"
keycloak_rhsso_enable: True

38
roles/keycloak/README.md
View File

@@ -31,6 +31,17 @@ Versions
|`7.5.0 GA` |September 20, 2021 |`15.0.2` | `7.4.0` |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|
Patching
--------
When variable `keycloak_rhsso_apply_patches` is `True` (default: `True`), the role will automatically apply the latest cumulative patch for the selected base version.
| RH-SSO VERSION | Release Date | RH-SSO LATEST CP | Notes |
|:---------------|:------------------|:-----------------|:----------------|
|`7.5.0 GA` |January 20, 2022 |`7.5.1 GA` |[Release Notes](https://access.redhat.com/articles/6646321)|
Role Defaults
-------------
@@ -62,13 +73,38 @@ Role Defaults
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation | `False` |
|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation | `False` |
|`keycloak_offline_install` | perform an offline install | `False`|
|`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`|
|`keycloak_rhsso_download_url`| Download URL for RHSSO | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=<productID>`|
|`keycloak_version`| keycloak.org package version | `15.0.2` |
|`keycloak_rhsso_version`| RHSSO version | `7.5.0` |
|`keycloak_rhsso_apply_patches`| Install RHSSO more recent cumulative patch | `True` |
|`keycloak_dest`| Installation root path | `/opt/keycloak` |
|`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
|`keycloak_rhn_url` | Base download URI for customer portal | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=` |
|`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
* Miscellaneous configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_archive` | keycloak install archive filename | `keycloak-{{ keycloak_version }}.zip` |
|`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` |
|`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` |
|`keycloak_rhsso_archive` | Red Hat SSO install archive filename | `rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip` |
|`keycloak_rhsso_installdir`| Installation path for Red Hat SSO | `{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\.([0-9]*).*', '\1.\2') }}` |
|`keycloak_rhsso_download_url`| Full download URI for Red Hat SSO | `{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}` |
|`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}` |
|`keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` |
|`keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` |
|`keycloak_auth_realm` | Name for rest authentication realm | `master` |
|`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
|`keycloak_force_install` | Remove pre-existing versions of service | `False` |
|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
|`rhsso_rhn_id` | Customer Portal product ID for Red Hat SSO | `{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}` |
Role Variables

4
roles/keycloak/defaults/main.yml
View File

@@ -8,11 +8,12 @@ keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
### Configuration specific to Red Hat Single Sing-On
keycloak_rhsso_version: 7.5.0
rhsso_rhn_id: "{{ rhsso_rhn_ids[keycloak_rhsso_version] }}"
rhsso_rhn_id: "{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}"
keycloak_rhsso_archive: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
keycloak_rhn_url: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId='
keycloak_rhsso_download_url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}"
keycloak_rhsso_apply_patches: True
### keycloak/rhsso choice: by default install rhsso if rhn credentials are defined
keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}"
@@ -29,6 +30,7 @@ keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/co
keycloak_service_user: keycloak
keycloak_service_group: keycloak
keycloak_service_pidfile: "/run/keycloak.pid"
keycloak_configure_firewalld: False
### Common configuration settings
keycloak_bind_address: 0.0.0.0

2
roles/keycloak/handlers/main.yml
View File

@@ -1,3 +1,3 @@
---
- name: restart keycloak
include_tasks: restart_keycloak.yml
ansible.builtin.include_tasks: restart_keycloak.yml

114
roles/keycloak/meta/argument_specs.yml
View File

@@ -4,162 +4,172 @@ argument_specs:
keycloak_version:
# line 3 of keycloak/defaults/main.yml
default: "15.0.2"
description: "TODO document argument"
description: "keycloak.org package version"
type: "str"
keycloak_archive:
# line 4 of keycloak/defaults/main.yml
default: "keycloak-{{ keycloak_version }}.zip"
description: "TODO document argument"
description: "keycloak install archive filename"
type: "str"
keycloak_configure_firewalld:
# line 33 of keycloak/defaults/main.yml
default: false
description: "Ensure firewalld is running and configure keycloak ports"
type: "bool"
keycloak_download_url:
# line 5 of keycloak/defaults/main.yml
default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
description: "TODO document argument"
description: "Download URL for keycloak"
type: "str"
keycloak_download_url_9x:
# line 6 of keycloak/defaults/main.yml
default: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
description: "TODO document argument"
description: "Download URL for keycloak (deprecated)"
type: "str"
keycloak_installdir:
# line 7 of keycloak/defaults/main.yml
default: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
description: "TODO document argument"
description: "Installation path"
type: "str"
keycloak_rhsso_version:
# line 10 of keycloak/defaults/main.yml
default: "7.5.0"
description: "TODO document argument"
description: "Red Hat Single Sign-On version"
type: "str"
rhsso_rhn_id:
# line 11 of keycloak/defaults/main.yml
default: "{{ rhsso_rhn_ids[keycloak_rhsso_version] }}"
description: "TODO document argument"
default: "{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}"
description: "Customer Portal product ID for Red Hat SSO"
type: "str"
keycloak_rhsso_archive:
# line 12 of keycloak/defaults/main.yml
default: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
description: "TODO document argument"
description: "ed Hat SSO install archive filename"
type: "str"
keycloak_rhsso_apply_patches:
# line 16 of keycloak/defaults/main.yml
default: true
description: "Install RHSSO more recent cumulative patch"
type: "bool"
keycloak_rhsso_installdir:
# line 13 of keycloak/defaults/main.yml
default: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
description: "TODO document argument"
description: "Installation path for Red Hat SSO"
type: "str"
keycloak_rhn_url:
# line 14 of keycloak/defaults/main.yml
default: "https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId="
description: "TODO document argument"
description: "Base download URI for customer portal"
type: "str"
keycloak_rhsso_download_url:
# line 15 of keycloak/defaults/main.yml
default: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}"
description: "TODO document argument"
description: "Full download URI for Red Hat SSO"
type: "str"
keycloak_rhsso_enable:
# line 18 of keycloak/defaults/main.yml
default: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}"
description: "TODO document argument"
description: "Enable Red Hat Single Sign-on installation"
type: "str"
keycloak_offline_install:
# line 20 of keycloak/defaults/main.yml
default: false
description: "TODO document argument"
description: "Perform an offline install"
type: "bool"
jvm_package:
# line 23 of keycloak/defaults/main.yml
default: "java-1.8.0-openjdk-devel"
description: "TODO document argument"
description: "RHEL java package runtime rpm"
type: "str"
keycloak_dest:
# line 24 of keycloak/defaults/main.yml
default: "/opt/keycloak"
description: "TODO document argument"
description: "Root installation directory"
type: "str"
keycloak_jboss_home:
# line 25 of keycloak/defaults/main.yml
default: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
description: "TODO document argument"
description: "Installation work directory"
type: "str"
keycloak_config_dir:
# line 26 of keycloak/defaults/main.yml
default: "{{ keycloak_jboss_home }}/standalone/configuration"
description: "TODO document argument"
description: "Path for configuration"
type: "str"
keycloak_config_standalone_xml:
# line 27 of keycloak/defaults/main.yml
default: "keycloak.xml"
description: "TODO document argument"
description: "Service configuration filename"
type: "str"
keycloak_config_path_to_standalone_xml:
# line 28 of keycloak/defaults/main.yml
default: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
description: "TODO document argument"
description: "Custom path for configuration"
type: "str"
keycloak_service_user:
# line 29 of keycloak/defaults/main.yml
default: "keycloak"
description: "TODO document argument"
description: "posix account username"
type: "str"
keycloak_service_group:
# line 30 of keycloak/defaults/main.yml
default: "keycloak"
description: "TODO document argument"
description: "posix account group"
type: "str"
keycloak_service_pidfile:
# line 31 of keycloak/defaults/main.yml
default: "/run/keycloak.pid"
description: "TODO document argument"
description: "PID file path for service"
type: "str"
keycloak_bind_address:
# line 34 of keycloak/defaults/main.yml
default: "0.0.0.0"
description: "TODO document argument"
description: "Address for binding service ports"
type: "str"
keycloak_host:
# line 35 of keycloak/defaults/main.yml
default: "localhost"
description: "TODO document argument"
description: "Hostname for service"
type: "str"
keycloak_http_port:
# line 36 of keycloak/defaults/main.yml
default: 8080
description: "TODO document argument"
description: "Listening HTTP port"
type: "int"
keycloak_https_port:
# line 37 of keycloak/defaults/main.yml
default: 8443
description: "TODO document argument"
description: "Listening HTTPS port"
type: "int"
keycloak_ajp_port:
# line 38 of keycloak/defaults/main.yml
default: 8009
description: "TODO document argument"
description: "Listening AJP port"
type: "int"
keycloak_jgroups_port:
# line 39 of keycloak/defaults/main.yml
default: 7600
description: "TODO document argument"
description: "jgroups cluster tcp port"
type: "int"
keycloak_management_http_port:
# line 40 of keycloak/defaults/main.yml
default: 9990
description: "TODO document argument"
description: "Management port (http)"
type: "int"
keycloak_management_https_port:
# line 41 of keycloak/defaults/main.yml
default: 9993
description: "TODO document argument"
description: "Management port (https)"
type: "int"
keycloak_java_opts:
# line 42 of keycloak/defaults/main.yml
default: "-Xms1024m -Xmx2048m"
description: "TODO document argument"
description: "Additional JVM options"
type: "str"
keycloak_prefer_ipv4:
# line 43 of keycloak/defaults/main.yml
default: true
description: "TODO document argument"
description: "Prefer IPv4 stack and addresses for port binding"
type: "bool"
keycloak_ha_enabled:
# line 46 of keycloak/defaults/main.yml
@@ -179,52 +189,52 @@ argument_specs:
keycloak_auth_realm:
# line 52 of keycloak/defaults/main.yml
default: "master"
description: "TODO document argument"
description: "Name for rest authentication realm"
type: "str"
keycloak_auth_client:
# line 53 of keycloak/defaults/main.yml
default: "admin-cli"
description: "TODO document argument"
description: "Authentication client for configuration REST calls"
type: "str"
keycloak_force_install:
# line 55 of keycloak/defaults/main.yml
default: false
description: "TODO document argument"
description: "Remove pre-existing versions of service"
type: "bool"
keycloak_modcluster_url:
# line 58 of keycloak/defaults/main.yml
default: "localhost"
description: "TODO document argument"
description: "URL for the modcluster reverse proxy"
type: "str"
keycloak_frontend_url:
# line 59 of keycloak/defaults/main.yml
default: "http://localhost"
description: "TODO document argument"
description: "Frontend URL for keycloak endpoints when a reverse proxy is used"
type: "str"
infinispan_user:
# line 62 of keycloak/defaults/main.yml
default: "supervisor"
description: "TODO document argument"
description: "Username for connecting to infinispan"
type: "str"
infinispan_pass:
# line 63 of keycloak/defaults/main.yml
default: "supervisor"
description: "TODO document argument"
description: "Password for connecting to infinispan"
type: "str"
infinispan_url:
# line 64 of keycloak/defaults/main.yml
default: "localhost"
description: "TODO document argument"
description: "URL for the infinispan remote-cache server"
type: "str"
infinispan_sasl_mechanism:
# line 65 of keycloak/defaults/main.yml
default: "SCRAM-SHA-512"
description: "TODO document argument"
description: "Authentication type to infinispan server"
type: "str"
infinispan_use_ssl:
# line 66 of keycloak/defaults/main.yml
default: false
description: "TODO document argument"
description: "Enable hotrod client TLS communication"
type: "bool"
infinispan_trust_store_path:
# line 68 of keycloak/defaults/main.yml
@@ -234,45 +244,45 @@ argument_specs:
infinispan_trust_store_password:
# line 69 of keycloak/defaults/main.yml
default: "changeit"
description: "TODO document argument"
description: "Path to truststore containing infinispan server certificate"
type: "str"
keycloak_jdbc_engine:
# line 72 of keycloak/defaults/main.yml
default: "postgres"
description: "TODO document argument"
description: "Backend database flavour when db is enabled: [ postgres, mariadb ]"
type: "str"
keycloak_db_user:
# line 74 of keycloak/defaults/main.yml
default: "keycloak-user"
description: "TODO document argument"
description: "Username for connecting to database"
type: "str"
keycloak_db_pass:
# line 75 of keycloak/defaults/main.yml
default: "keycloak-pass"
description: "TODO document argument"
description: "Password for connecting to database"
type: "str"
keycloak_jdbc_url:
# line 76 of keycloak/defaults/main.yml
default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
description: "TODO document argument"
description: "URL for connecting to backend database"
type: "str"
keycloak_jdbc_driver_version:
# line 77 of keycloak/defaults/main.yml
default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
description: "TODO document argument"
description: "Version for the JDBC driver to download"
type: "str"
keycloak_admin_password:
# line 4 of keycloak/vars/main.yml
required: true
description: "TODO document argument"
description: "Password for the administration console user account"
type: "str"
keycloak_url:
# line 12 of keycloak/vars/main.yml
default: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
description: "TODO document argument"
description: "URL for configuration rest calls"
type: "str"
keycloak_management_url:
# line 13 of keycloak/vars/main.yml
default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
description: "TODO document argument"
description: "URL for management console rest calls"
type: "str"

3
roles/keycloak/meta/main.yml
View File

@@ -6,7 +6,7 @@ collections:
galaxy_info:
role_name: keycloak
namespace: middleware_automation
author: Romain Pelisse, Guido Grazioli
author: Romain Pelisse, Guido Grazioli, Pavan Kumar Motaparthi
description: Install keycloak or Red Hat Single Sing-On server configurations
company: Red Hat, Inc.
@@ -17,7 +17,6 @@ galaxy_info:
platforms:
- name: EL
versions:
- 7
- 8
galaxy_tags:

6
roles/keycloak/tasks/fastpackages/check.yml
View File

@@ -1,14 +1,14 @@
---
- block:
- name: "Check if package {{ package_name }} is already installed"
command: rpm -q {{ package_name }}
ansible.builtin.command: rpm -q {{ package_name }}
args:
warn: no
register: rpm_info
changed_when: rpm_info.failed
rescue:
- name: "If package {{ package_name }} is missing, add it to the yum install list."
set_fact:
- name: "Add {{ package_name }} to the yum install list if missing"
ansible.builtin.set_fact:
packages_to_install: "{{ packages_to_install + [ package_name ] }}"
when: rpm_info.failed

7
roles/keycloak/tasks/fastpackages/install.yml
View File

@@ -1,17 +1,18 @@
---
- set_fact:
- name: Set facts
ansible.builtin.set_fact:
update_cache: true
packages_to_install: []
- name: "Check packages to be installed"
include_tasks: check.yml
ansible.builtin.include_tasks: check.yml
loop: "{{ packages_list | flatten }}"
loop_control:
loop_var: package_name
- name: "Install packages: {{ packages_to_install }}"
become: yes
yum:
ansible.builtin.yum:
name: "{{ packages_to_install }}"
state: present
when: packages_to_install | length > 0

2
roles/keycloak/tasks/firewalld.yml
View File

@@ -7,7 +7,7 @@
- name: Enable and start the firewalld service
become: yes
systemd:
ansible.builtin.systemd:
name: firewalld
enabled: yes
state: started

58
roles/keycloak/tasks/install.yml
View File

@@ -1,6 +1,6 @@
---
- name: Validate parameters
assert:
ansible.builtin.assert:
that:
- keycloak_jboss_home is defined
- keycloak_service_user is defined
@@ -12,7 +12,7 @@
- name: Check for an existing deployment
become: yes
stat:
ansible.builtin.stat:
path: "{{ keycloak_jboss_home }}"
register: existing_deploy
@@ -20,24 +20,24 @@
- name: Stop the old keycloak service
become: yes
ignore_errors: yes
systemd:
ansible.builtin.systemd:
name: keycloak
state: stopped
- name: Remove the old Keycloak deployment
become: yes
file:
ansible.builtin.file:
path: "{{ keycloak_jboss_home }}"
state: absent
when: existing_deploy.stat.exists and keycloak_force_install|bool
- name: check for an existing deployment after possible forced removal
become: yes
stat:
ansible.builtin.stat:
path: "{{ keycloak_jboss_home }}"
- name: create Keycloak service user/group
become: yes
user:
ansible.builtin.user:
name: "{{ keycloak_service_user }}"
home: /opt/keycloak
system: yes
@@ -45,7 +45,7 @@
- name: create Keycloak install location
become: yes
file:
ansible.builtin.file:
dest: "{{ keycloak_dest }}"
state: directory
owner: "{{ keycloak_service_user }}"
@@ -54,23 +54,23 @@
## check remote archive
- name: Set download archive path
set_fact:
ansible.builtin.set_fact:
archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"
- name: Check download archive path
stat:
ansible.builtin.stat:
path: "{{ archive }}"
register: archive_path
## download to controller
- name: Check load download archive path
stat:
- name: Check local download archive path
ansible.builtin.stat:
path: "{{ lookup('env', 'PWD') }}"
register: local_path
delegate_to: localhost
- name: Download keycloak archive
get_url:
ansible.builtin.get_url:
url: "{{ keycloak_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
delegate_to: localhost
@@ -81,8 +81,8 @@
- not keycloak_rhsso_enable
- not keycloak_offline_install
- name: Performing download from RHN
redhat_csp_download:
- name: Perform download from RHN
middleware_automation.redhat_csp_download.redhat_csp_download:
url: "{{ keycloak_rhsso_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
username: "{{ rhn_username }}"
@@ -98,7 +98,7 @@
- keycloak_rhn_url in keycloak_rhsso_download_url
- name: Download rhsso archive from alternate location
get_url:
ansible.builtin.get_url:
url: "{{ keycloak_rhsso_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
delegate_to: localhost
@@ -110,25 +110,35 @@
- not keycloak_offline_install
- not keycloak_rhn_url in keycloak_rhsso_download_url
- name: Check downloaded archive
ansible.builtin.stat:
path: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
register: local_archive_path
delegate_to: localhost
## copy and unpack
- name: Copy archive to target nodes
copy:
ansible.builtin.copy:
src: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
dest: "{{ archive }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0750
register: new_version_downloaded
when:
- not archive_path.stat.exists
- local_archive_path.stat is defined
- local_archive_path.stat.exists
become: yes
- name: "Check target directory: {{ keycloak.home }}"
stat:
ansible.builtin.stat:
path: "{{ keycloak.home }}"
register: path_to_workdir
become: yes
- name: "Extract {{ 'Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Keycloak' }} archive on target"
unarchive:
ansible.builtin.unarchive:
remote_src: yes
src: "{{ archive }}"
dest: "{{ keycloak_dest }}"
@@ -142,13 +152,13 @@
- restart keycloak
- name: Inform decompression was not executed
debug:
ansible.builtin.debug:
msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
when:
- not new_version_downloaded.changed and path_to_workdir.stat.exists
- name: "Reown installation directory to {{ keycloak_service_user }}"
file:
ansible.builtin.file:
path: "{{ keycloak.home }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
@@ -158,8 +168,8 @@
# driver and configuration
- name: "Install {{ keycloak_jdbc_engine }} driver"
include_role:
name: wildfly_driver
ansible.builtin.include_role:
name: middleware_automation.wildfly.wildfly_driver
vars:
wildfly_user: "{{ keycloak_service_user }}"
jdbc_driver_module_dir: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
@@ -172,7 +182,7 @@
- name: "Deploy {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
become: yes
template:
ansible.builtin.template:
src: templates/standalone.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}"
owner: "{{ keycloak_service_user }}"
@@ -184,7 +194,7 @@
- name: "Deploy {{ keycloak.service_name }} config with remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
become: yes
template:
ansible.builtin.template:
src: templates/standalone-infinispan.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}"
owner: "{{ keycloak_service_user }}"

36
roles/keycloak/tasks/main.yml
View File

@@ -1,26 +1,43 @@
---
# tasks file for keycloak
- name: Prerequisites
include_tasks: prereqs.yml
- name: Check prerequisites
ansible.builtin.include_tasks: prereqs.yml
tags:
- prereqs
- name: Include firewall config tasks
ansible.builtin.include_tasks: firewalld.yml
when: keycloak_configure_firewalld
tags:
- firewall
- name: Include install tasks
include_tasks: tasks/install.yml
ansible.builtin.include_tasks: install.yml
tags:
- install
- name: Include systemd tasks
include_tasks: tasks/systemd.yml
ansible.builtin.include_tasks: systemd.yml
tags:
- systemd
- name: Include patch install tasks
ansible.builtin.include_tasks: rhsso_patch.yml
when: keycloak_rhsso_apply_patches and keycloak_rhsso_enable
tags:
- install
- patch
- name: Link default logs directory
file:
ansible.builtin.file:
state: link
src: "{{ keycloak_jboss_home }}/standalone/log"
dest: /var/log/keycloak
- block:
- name: Check admin credentials by generating a token
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
@@ -31,18 +48,19 @@
delay: 2
rescue:
- name: "Create {{ keycloak.service_name }} admin user"
command:
ansible.builtin.command:
args:
argv:
- "{{ keycloak_jboss_home }}/bin/add-user-keycloak.sh"
- "-rmaster"
- "-u{{ keycloak_admin_user }}"
- "-p{{ keycloak_admin_password }}"
changed_when: yes
become: yes
- name: "Restart {{ keycloak.service_name }}"
include_tasks: tasks/restart_keycloak.yml
ansible.builtin.include_tasks: tasks/restart_keycloak.yml
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
uri:
ansible.builtin.uri:
url: "{{ keycloak.health_url }}"
register: keycloak_status
until: keycloak_status.status == 200

6
roles/keycloak/tasks/prereqs.yml
View File

@@ -1,6 +1,6 @@
---
- name: Validate configuration
assert:
ansible.builtin.assert:
that:
- (keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and not keycloak_db_enabled)
quiet: True
@@ -8,7 +8,7 @@
success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"
- name: Validate credentials
assert:
ansible.builtin.assert:
that:
- (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
- (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
@@ -17,7 +17,7 @@
success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
- name: Set required packages facts
set_fact:
ansible.builtin.set_fact:
required_packages:
- "{{ jvm_package }}"
- unzip

2
roles/keycloak/tasks/restart_keycloak.yml
View File

@@ -1,6 +1,6 @@
---
- name: "Restart and enable keycloack service"
systemd:
ansible.builtin.systemd:
name: keycloak
enabled: yes
state: restarted

13
roles/keycloak/tasks/rhsso_cli.yml Normal file
View File

@@ -0,0 +1,13 @@
---
- name: Ensure required params for CLI have been provided
ansible.builtin.assert:
that:
- query is defined
fail_msg: "Missing required parameters to execute CLI."
quiet: true
- name: "Execute CLI query: {{ query }}"
ansible.builtin.command: >
{{ keycloak.cli_path }} --connect --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
changed_when: false
register: cli_result

87
roles/keycloak/tasks/rhsso_patch.yml Normal file
View File

@@ -0,0 +1,87 @@
---
## check remote patch archive
- name: Set download patch archive path
ansible.builtin.set_fact:
patch_archive: "{{ keycloak_dest }}/{{ keycloak.patch_bundle }}"
- name: Check download patch archive path
ansible.builtin.stat:
path: "{{ patch_archive }}"
register: patch_archive_path
- name: Perform download from RHN
middleware_automation.redhat_csp_download.redhat_csp_download:
url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.id }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
username: "{{ rhn_username }}"
password: "{{ rhn_password }}"
no_log: "{{ omit_rhn_output | default(true) }}"
delegate_to: localhost
when:
- patch_archive_path is defined
- patch_archive_path.stat is defined
- not patch_archive_path.stat.exists
- keycloak_rhsso_enable
- not keycloak_offline_install
## copy and unpack
- name: Copy patch archive to target nodes
ansible.builtin.copy:
src: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
dest: "{{ patch_archive }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0750
register: new_version_downloaded
when:
- not patch_archive_path.stat.exists
- local_archive_path.stat is defined
- local_archive_path.stat.exists
become: yes
- name: "Check installed patches"
ansible.builtin.include_tasks: rhsso_cli.yml
vars:
query: "patch info"
- name: "Perform patching"
when:
- cli_result is defined
- cli_result.stdout is defined
- rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
block:
- name: "Apply patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} to server"
ansible.builtin.include_tasks: rhsso_cli.yml
vars:
query: "patch apply {{ patch_archive }}"
- name: "Restart server to ensure patch content is running"
ansible.builtin.include_tasks: rhsso_cli.yml
vars:
query: "shutdown --restart"
when:
- cli_result.rc == 0
- name: "Wait until Keycloak becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:
url: "{{ keycloak.health_url }}"
register: keycloak_status
until: keycloak_status.status == 200
retries: 25
delay: 10
- name: "Query installed patch after restart"
ansible.builtin.include_tasks: rhsso_cli.yml
vars:
query: "patch info"
- name: "Verify installed patch version"
ansible.builtin.assert:
that:
- rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
fail_msg: "Patch installation failed"
success_msg: "Patch installation successful"
- name: "Skipping patch"
debug:
msg: "Latest cumulative patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} already installed, skipping patch installation."

15
roles/keycloak/tasks/start_keycloak.yml Normal file
View File

@@ -0,0 +1,15 @@
---
- name: start keycloak
ansible.builtin.systemd:
name: keycloak
enabled: yes
state: started
become: yes
- name: "Wait until Keycloak becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:
url: "{{ keycloak.health_url }}"
register: keycloak_status
until: keycloak_status.status == 200
retries: 25
delay: 10

4
roles/keycloak/tasks/stop_keycloak.yml
View File

@@ -1,6 +1,6 @@
---
- name: "Stop SSO service"
systemd:
- name: Stop keycloak
ansible.builtin.systemd:
name: keycloak
enabled: yes
state: stopped

44
roles/keycloak/tasks/systemd.yml
View File

@@ -1,6 +1,6 @@
- name: configure keycloak service script wrapper
- name: Configure keycloak service script wrapper
become: yes
template:
ansible.builtin.template:
src: keycloak-service.sh.j2
dest: "{{ keycloak_dest }}/keycloak-service.sh"
owner: root
@@ -9,9 +9,9 @@
notify:
- restart keycloak
- name: configure sysconfig file for keycloak service
- name: Configure sysconfig file for keycloak service
become: yes
template:
ansible.builtin.template:
src: keycloak-sysconfig.j2
dest: /etc/sysconfig/keycloak
owner: root
@@ -20,8 +20,8 @@
notify:
- restart keycloak
- name: configure systemd unit file for keycloak service
template:
- name: Configure systemd unit file for keycloak service
ansible.builtin.template:
src: keycloak.service.j2
dest: /etc/systemd/system/keycloak.service
owner: root
@@ -32,36 +32,30 @@
notify:
- restart keycloak
- name: reload systemd
- name: Reload systemd
become: yes
systemd:
ansible.builtin.systemd:
daemon_reload: yes
when: systemdunit.changed
- name: start keycloak
systemd:
name: keycloak
enabled: yes
state: started
become: yes
- name: Start and wait for keycloak service (first node db)
ansible.builtin.include_tasks: start_keycloak.yml
run_once: yes
when: keycloak_db_enabled
- name: Start and wait for keycloak service (remaining nodes)
ansible.builtin.include_tasks: start_keycloak.yml
- name: Check service status
command: "systemctl status keycloak"
ansible.builtin.command: "systemctl status keycloak"
register: keycloak_service_status
changed_when: False
- name: Verify service status
assert:
ansible.builtin.assert:
that:
- keycloak_service_status is defined
- keycloak_service_status.stdout is defined
- meta: flush_handlers
- name: "Wait until Keycloak becomes active {{ keycloak.health_url }}"
uri:
url: "{{ keycloak.health_url }}"
register: keycloak_status
until: keycloak_status.status == 200
retries: 25
delay: 10
- name: Flush handlers
ansible.builtin.meta: flush_handlers

5
roles/keycloak/templates/standalone-infinispan.xml.j2
View File

@@ -633,7 +633,7 @@
<subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
{% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
<proxy name="default" advertise="false" listener="ajp" proxies="proxy1">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
@@ -726,7 +726,7 @@
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="jgroups">
<interface name="jgroups">
{% if ansible_default_ipv4 is defined %}
<subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
{% else %}
@@ -744,7 +744,6 @@
<socket-binding name="management-http" interface="management" port="{{ keycloak_management_http_port }}"/>
<socket-binding name="management-https" interface="management" port="{{ keycloak_management_https_port }}"/>
<socket-binding name="jgroups-tcp" interface="jgroups" port="{{ keycloak_jgroups_port }}"/>
<socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">

3
roles/keycloak/templates/standalone.xml.j2
View File

@@ -546,7 +546,7 @@
<subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
{% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
<proxy name="default" advertise="false" listener="ajp" proxies="proxy1">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
@@ -644,7 +644,6 @@
<socket-binding name="https" port="{{ keycloak_https_port }}"/>
<socket-binding name="management-http" interface="management" port="{{ keycloak_management_http_port }}"/>
<socket-binding name="management-https" interface="management" port="{{ keycloak_management_https_port }}"/>
<socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">

9
roles/keycloak/vars/main.yml
View File

@@ -5,8 +5,11 @@ keycloak_admin_password:
# internal variables below
rhsso_rhn_ids:
'7.5.0': '101971'
'7.5.1': '103836'
'7.5.0':
id: '101971'
latest_cp:
id: '103836'
v: '7.5.1'
# locations
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
@@ -17,8 +20,10 @@ keycloak:
home: "{{ keycloak_jboss_home }}"
config_dir: "{{ keycloak_config_dir }}"
bundle: "{{ keycloak_rhsso_archive if keycloak_rhsso_enable else keycloak_archive }}"
patch_bundle: "rh-sso-{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }}-patch.zip"
service_name: "{{ 'rhsso' if keycloak_rhsso_enable else 'keycloak' }}"
health_url: "{{ keycloak_management_url }}/health"
cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh"
# database
keycloak_jdbc:

32
roles/keycloak_realm/README.md
View File

@@ -9,13 +9,18 @@ Role Defaults
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_admin_user` | Administration console user account | `admin` |
|`keycloak_host` | hostname | `localhost` |
|`keycloak_http_port` | HTTP port | `8080` |
|`keycloak_https_port` | TLS HTTP port | `8443` |
|`keycloak_auth_realm` | Name of the main authentication realm | `master` |
|`keycloak_rhsso_enable` | Define service is an upstream(Keycloak) or RHSSO | `master` |
|`keycloak_admin_user`| Administration console user account | `admin` |
|`keycloak_host`| hostname | `localhost` |
|`keycloak_http_port`| HTTP port | `8080` |
|`keycloak_https_port`| TLS HTTP port | `8443` |
|`keycloak_auth_realm`| Name of the main authentication realm | `master` |
|`keycloak_rhsso_enable`| Define service is an upstream(Keycloak) or RHSSO | `master` |
|`keycloak_management_http_port`| Management port | `9990` |
|`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` |
|`keycloak_client_public`| Configure a public realm client | `True` |
|`keycloak_client_web_origins`| Web origins for realm client | `+` |
|`keycloak_url`| URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
|`keycloak_management_url`| URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
Role Variables
@@ -37,6 +42,7 @@ The following variables are available for creating clients:
|`keycloak_client_default_roles` | List of default role name for clients | `[]` |
|`keycloak_client_users` | List of user/role mappings for a client | `[]` |
The following variable are available for creating user federation:
| Variable | Description | Default |
@@ -52,14 +58,15 @@ Variable formats
```yaml
- realm: <name of the realm in which user federation should be configured, required>
name: <name of the user federation provider, required>
provider_id: <Type of the user federation provider, required>
provider_type: < Provider Type, default is set to org.keycloak.storage.UserStorageProvider>
config: <Dictionary of supported configuration values, required>
mappers: <List of supported configuration values, required>
provider_id: <type of the user federation provider, required>
provider_type: <Provider Type, default is set to org.keycloak.storage.UserStorageProvider>
config: <dictionary of supported configuration values, required>
mappers: <list of supported configuration values, required>
```
Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/general/keycloak_user_federation_module.html) for information on supported variables.
* `keycloak_clients`, a list of:
```yaml
@@ -90,7 +97,8 @@ Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/ge
realm: <name of the realm>
```
For a comprehensive example, refer to the [playbook](playbooks/keycloak.yml).
For a comprehensive example, refer to the [playbook](../../playbooks/keycloak_realm.yml).
Example Playbook
----------------

1
roles/keycloak_realm/defaults/main.yml
View File

@@ -31,6 +31,7 @@ keycloak_auth_client: admin-cli
# public_client: "{{ keycloak_client_public }}"
# web_origins: "{{ keycloak_client_web_origins }}"
# users: "{{ keycloak_client_users }}"
keycloak_clients: []
# list of roles to create in the client
keycloak_client_default_roles: []

40
roles/keycloak_realm/meta/argument_specs.yml
View File

@@ -4,90 +4,90 @@ argument_specs:
keycloak_host:
# line 3 of keycloak_realm/defaults/main.yml
default: "localhost"
description: "TODO document argument"
description: "hostname for rest calls"
type: "str"
keycloak_http_port:
# line 4 of keycloak_realm/defaults/main.yml
default: 8080
description: "TODO document argument"
description: "HTTP port"
type: "int"
keycloak_https_port:
# line 5 of keycloak_realm/defaults/main.yml
default: 8443
description: "TODO document argument"
description: "HTTPS port"
type: "int"
keycloak_management_http_port:
# line 6 of keycloak_realm/defaults/main.yml
default: 9990
description: "TODO document argument"
description: "Management port"
type: "int"
keycloak_rhsso_enable:
# line 7 of keycloak_realm/defaults/main.yml
default: false
description: "TODO document argument"
description: "Enable Red Hat Single Sign-on"
type: "bool"
keycloak_admin_user:
# line 10 of keycloak_realm/defaults/main.yml
default: "admin"
description: "TODO document argument"
description: "Administration console user account"
type: "str"
keycloak_auth_realm:
# line 11 of keycloak_realm/defaults/main.yml
default: "master"
description: "TODO document argument"
description: "Name of the main authentication realm"
type: "str"
keycloak_auth_client:
# line 12 of keycloak_realm/defaults/main.yml
default: "admin-cli"
description: "TODO document argument"
description: "Authentication client for configuration REST calls"
type: "str"
keycloak_client_default_roles:
# line 36 of keycloak_realm/defaults/main.yml
default: "[]"
description: "TODO document argument"
description: "List of roles to configure as client default"
type: "list"
keycloak_client_public:
# line 39 of keycloak_realm/defaults/main.yml
default: true
description: "TODO document argument"
description: "Configure a public realm client"
type: "bool"
keycloak_client_web_origins:
# line 42 of keycloak_realm/defaults/main.yml
default: "+"
description: "TODO document argument"
description: "Web origins for realm client"
type: "str"
keycloak_client_users:
# line 49 of keycloak_realm/defaults/main.yml
default: "[]"
description: "TODO document argument"
description: "List of users to configure in the realm client"
type: "list"
keycloak_user_federation:
# line 52 of keycloak_realm/defaults/main.yml
default: "[]"
description: "TODO document argument"
description: "List of user federations to configure in the realm"
type: "list"
keycloak_admin_password:
# line 5 of keycloak_realm/vars/main.yml
required: true
description: "TODO document argument"
description: "Password for the administration console user account"
type: "str"
keycloak_realm:
# line 8 of keycloak_realm/vars/main.yml
required: true
description: "TODO document argument"
description: "Name of the realm to be configured"
type: "str"
keycloak_clients:
# line 11 of keycloak_realm/vars/main.yml
required: true
description: "TODO document argument"
type: "str"
default: "[]"
description: "List of client declarations for the realm"
type: "list"
keycloak_url:
# line 14 of keycloak_realm/vars/main.yml
default: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
description: "TODO document argument"
description: "URL for configuration rest calls"
type: "str"
keycloak_management_url:
# line 15 of keycloak_realm/vars/main.yml
default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
description: "TODO document argument"
description: "URL for management console rest calls"
type: "str"

1
roles/keycloak_realm/meta/main.yml
View File

@@ -13,7 +13,6 @@ galaxy_info:
platforms:
- name: EL
versions:
- 7
- 8
galaxy_tags:

13
roles/keycloak_realm/tasks/main.yml
View File

@@ -1,17 +1,18 @@
---
- name: Generate keycloak auth token
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no
no_log: True
register: keycloak_auth_response
until: keycloak_auth_response.status == 200
retries: 5
delay: 2
- name: "Determine if realm exists"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}"
method: GET
status_code:
@@ -23,7 +24,7 @@
register: keycloak_realm_exists
- name: Create Realm
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms"
method: POST
body: "{{ lookup('template','realm.json.j2') }}"
@@ -47,6 +48,7 @@
provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}"
config: "{{ item.config }}"
mappers: "{{ item.mappers | default(omit) }}"
no_log: True
register: create_user_federation_result
loop: "{{ keycloak_user_federation | flatten }}"
when: keycloak_user_federation is defined
@@ -78,19 +80,20 @@
public_client: "{{ item.public_client | default(False) }}"
protocol: "{{ item.protocol | default(omit) }}"
state: present
no_log: True
register: create_client_result
loop: "{{ keycloak_clients | flatten }}"
when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined)
- name: Create client roles
include_tasks: manage_client_roles.yml
ansible.builtin.include_tasks: manage_client_roles.yml
loop: "{{ keycloak_clients | flatten }}"
loop_control:
loop_var: client
when: "'roles' in client"
- name: Create client users
include_tasks: manage_client_users.yml
ansible.builtin.include_tasks: manage_client_users.yml
loop: "{{ keycloak_clients | flatten }}"
loop_control:
loop_var: client

1
roles/keycloak_realm/tasks/manage_client_roles.yml
View File

@@ -10,3 +10,4 @@
auth_password: "{{ keycloak_admin_password }}"
state: present
loop: "{{ client.roles | flatten }}"
no_log: True

4
roles/keycloak_realm/tasks/manage_client_users.yml
View File

@@ -1,12 +1,12 @@
---
- name: Manage Users
include_tasks: manage_user.yml
ansible.builtin.include_tasks: manage_user.yml
loop: "{{ client.users | flatten }}"
loop_control:
loop_var: user
- name: Manage User Roles
include_tasks: manage_user_roles.yml
ansible.builtin.include_tasks: manage_user_roles.yml
loop: "{{ client.users | flatten }}"
loop_control:
loop_var: user

8
roles/keycloak_realm/tasks/manage_user.yml
View File

@@ -1,6 +1,6 @@
---
- name: "Check if User Already Exists"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
validate_certs: no
headers:
@@ -8,7 +8,7 @@
register: keycloak_user_search_result
- name: "Create User"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users"
method: POST
body:
@@ -26,7 +26,7 @@
when: keycloak_user_search_result.json | length == 0
- name: "Get User"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
validate_certs: no
headers:
@@ -34,7 +34,7 @@
register: keycloak_user
- name: "Update User Password"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users/{{ (keycloak_user.json | first).id }}/reset-password"
method: PUT
body:

6
roles/keycloak_realm/tasks/manage_user_client_roles.yml
View File

@@ -1,6 +1,6 @@
---
- name: "Get Realm for role"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}"
method: GET
status_code:
@@ -11,7 +11,7 @@
register: client_role_realm
- name: Check if Mapping is available
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
method: GET
status_code:
@@ -22,7 +22,7 @@
register: client_role_user_available
- name: "Create Role Mapping"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}"
method: POST
body:

7
roles/keycloak_realm/tasks/manage_user_roles.yml
View File

@@ -1,6 +1,6 @@
---
- name: "Get User {{ user.username }}"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
headers:
validate_certs: no
@@ -8,18 +8,19 @@
register: keycloak_user
- name: Refresh keycloak auth token
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no
register: keycloak_auth_response
no_log: True
until: keycloak_auth_response.status == 200
retries: 5
delay: 2
- name: "Manage Client Role Mapping for {{ user.username }}"
include_tasks: manage_user_client_roles.yml
ansible.builtin.include_tasks: manage_user_client_roles.yml
loop: "{{ user.client_roles | flatten }}"
loop_control:
loop_var: client_role

3
roles/keycloak_realm/vars/main.yml
View File

@@ -7,9 +7,6 @@ keycloak_admin_password:
# name of the realm to create, this is a required variable
keycloak_realm:
# keycloak realm clients, this is a required variable
keycloak_clients:
# other settings
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"