Update changelog for release 1.0.5

Update config options: keycloak and quarkus

.ansible-lint

@@ -0,0 +1,29 @@
+# .ansible-lint
+exclude_paths:
+  - .cache/
+  - .github/
+  - molecule/
+  - .ansible-lint
+  - .yamllint
+
+rulesdir:
+   - ../../ansible-lint-custom-rules/rules/
+
+enable_list:
+  - fqcn-builtins  # opt-in
+  - no-log-password  # opt-in
+
+warn_list:
+  - role_vars_start_with_role_name
+  - vars_in_vars_files_have_valid_names
+  - experimental
+  - ignore-errors
+  - no-handler
+  - fqcn-builtins
+  - no-log-password
+
+skip_list:
+  - vars_should_not_be_used
+
+use_default_rules: true
+parseable: true

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,48 @@
+---
+name: 🐛 Bug report
+about: Create a report to help us improve
+
+---
+
+##### SUMMARY
+<!-- Explain the problem briefly -->
+
+
+##### ISSUE TYPE
+ - Bug Report
+
+
+##### ANSIBLE VERSION
+<!-- Paste, BELOW THIS COMMENT, verbatim output from "ansible --version"-->
+```
+
+```
+
+##### COLLECTION VERSION
+<!-- Paste, BELOW THIS COMMENT, verbatim output from "ansible-galaxy collection list"-->
+<!-- If using virtual environments or execution environments, remember to activate them-->
+```
+
+```
+
+##### STEPS TO REPRODUCE
+<!-- List the steps to reproduce the problem, using a minimal test-case. -->
+
+<!-- Paste example playbook below -->
+```yaml
+
+```
+
+##### EXPECTED RESULTS
+<!-- What did you expect to happen when running the steps above? -->
+
+
+##### ACTUAL RESULTS
+<!-- What actually happened? If possible run with extra verbosity (-vvvv) and diff (--diff) -->
+<!-- Please also include check mode (--check --diff) output if the API returns an error -->
+<!-- Be sure to mask any sensitive information -->
+
+<!--- Paste verbatim command output between quotes below -->
+```
+
+```

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,12 @@
+---
+name: ✨ Feature request
+about: Suggest an idea for this project
+
+---
+
+##### SUMMARY
+<!--- Explain the problem briefly -->
+
+
+##### ISSUE TYPE
+ - Feature Idea

.github/workflows/ci.yml

@@ -29,12 +29,18 @@ jobs:
           pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
           pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
 
+      - name: Install ansible-lint custom rules
+        uses: actions/checkout@v2
+        with:
+          repository: ansible-middleware/ansible-lint-custom-rules
+          path: ansible_collections/ansible-lint-custom-rules/
+
       - name: Create default collection path
         run: |
           mkdir -p /home/runner/.ansible/collections/ansible_collections
 
       - name: Run sanity tests
-        run: ansible-test sanity --docker -v --color --python ${{ matrix.python_version }}
+        run: ansible-test sanity --docker -v --color --python ${{ matrix.python_version }} --exclude changelogs/fragments/.gitignore
         working-directory: ./ansible_collections/middleware_automation/keycloak
 
       - name: Run molecule test

.github/workflows/docs.yml

@@ -0,0 +1,61 @@
+---
+name: Documentation
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "[0-9]+.[0-9]+.[0-9]+"
+  workflow_dispatch:
+
+env:
+  COLORTERM: 'yes'
+  TERM: 'xterm-256color'
+  PYTEST_ADDOPTS: '--color=yes'
+
+jobs:
+  docs:
+    runs-on: ubuntu-latest
+    if: github.repository == 'ansible-middleware/keycloak'
+    permissions:
+      actions: write
+      checks: write
+      contents: write
+      deployments: write
+      packages: write
+      pages: write
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: ansible_collections/middleware_automation/keycloak
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.9
+
+      - name: Install doc dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r ansible_collections/middleware_automation/keycloak/docs/requirements.txt
+          pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
+          sudo apt install -y sed hub
+
+      - name: Create default collection path
+        run: |
+          mkdir -p /home/runner/.ansible/collections/ansible_collections
+
+      - name: Create changelog and documentation
+        uses: ansible-middleware/collection-docs-action@main
+        with:
+          collection_fqcn: middleware_automation.keycloak
+          collection_repo: ansible-middleware/keycloak
+          dependencies: false
+          commit_changelog: false
+          commit_ghpages: true
+          changelog_release: false
+          generate_docs: true
+          path: ansible_collections/middleware_automation/keycloak
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -1,47 +1,97 @@
+---
 name: Release collection
-
 on:
-  push:
-    tags:
-      - "*.*.*"
+  workflow_dispatch:
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    if: github.repository == 'ansible-middleware/keycloak'
+    permissions:
+      actions: write
+      checks: write
+      contents: write
+      deployments: write
+      packages: write
+      pages: write
+    outputs:
+      tag_version: ${{ steps.get_version.outputs.TAG_VERSION }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.TRIGGERING_PAT }}
+
       - name: Set up Python
         uses: actions/setup-python@v1
         with:
           python-version: "3.x"
-      - name: Get Tag Version
+
+      - name: Get current version
         id: get_version
-        run: echo ::set-output name=TAG_VERSION::${GITHUB_REF#refs/tags/}
+        run: echo "::set-output name=TAG_VERSION::$(grep version galaxy.yml | awk -F'"' '{ print $2 }')"
+
+      - name: Check if tag exists
+        id: check_tag
+        run: echo "::set-output name=TAG_EXISTS::$(git tag | grep ${{ steps.get_version.outputs.TAG_VERSION }})"
+
+      - name: Fail if tag exists
+        if: ${{ steps.get_version.outputs.TAG_VERSION == steps.check_tag.outputs.TAG_EXISTS }}
+        uses: actions/github-script@v3
+        with:
+          script: |
+              core.setFailed('Release tag already exists')
+
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install ansible-core
+          pip install ansible-core antsibull
+          sudo apt install -y sed hub
+
       - name: Build collection
         run: |
           ansible-galaxy collection build .
-      - name: Publish Release
-        uses: softprops/action-gh-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create changelog and documentation
+        uses: ansible-middleware/collection-docs-action@main
         with:
-          files: "*.tar.gz"
-          body: "Release ${{ steps.get_version.outputs.TAG_VERSION }}"
+          collection_fqcn: middleware_automation.keycloak
+          collection_repo: ansible-middleware/keycloak
+          dependencies: false
+          commit_changelog: true
+          commit_ghpages: false
+          changelog_release: true
+          generate_docs: false
+          token: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Publish collection
         env:
           ANSIBLE_GALAXY_API_KEY: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
         run: |
           ansible-galaxy collection publish *.tar.gz --api-key $ANSIBLE_GALAXY_API_KEY
+
+      - name: Create release tag
+        run: |
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+          git tag -a ${{ steps.get_version.outputs.TAG_VERSION }} -m "Release v${{ steps.get_version.outputs.TAG_VERSION }}" || true
+          git push origin --tags
+
+      - name: Publish Release
+        uses: softprops/action-gh-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ steps.get_version.outputs.TAG_VERSION }}
+          files: "*.tar.gz"
+          body_path: gh-release.md
+
   dispatch:
     needs: release
     strategy:
       matrix:
-        repo: ['ansible-middleware/cross-dc-rhsso-demo', 'ansible-middleware/flange-demo']
+        repo: ['ansible-middleware/cross-dc-rhsso-demo', 'ansible-middleware/flange-demo', 'ansible-middleware/ansible-middleware-ee']
     runs-on: ubuntu-latest
     steps:
       - name: Repository Dispatch
@@ -49,5 +99,5 @@ jobs:
         with:
           token: ${{ secrets.TRIGGERING_PAT }}
           repository: ${{ matrix.repo }}
-          event-type: "Dependency released - Keycloak"
+          event-type: "Dependency released - Keycloak v${{ needs.release.outputs.tag_version }}"
           client-payload: '{ "github": ${{toJson(github)}} }'

.gitignore

@@ -1,2 +1,11 @@
 *.tar.gz
 *.zip
+.tmp
+.cache
+docs/plugins/
+docs/roles/
+docs/_build/
+.pytest_cache/
+.mypy_cache/
+*.retry
+changelogs/.plugin-cache.yaml

CHANGELOG.rst

@@ -0,0 +1,78 @@
+============================================
+middleware_automation.keycloak Release Notes
+============================================
+
+.. contents:: Topics
+
+This changelog describes changes after version 0.2.6.
+
+v1.0.5
+======
+
+Minor Changes
+-------------
+
+- Update config options: keycloak and quarkus `#32 <https://github.com/ansible-middleware/keycloak/pull/32>`_
+
+v1.0.4
+======
+
+v1.0.3
+======
+
+Major Changes
+-------------
+
+- New role for installing keycloak >= 17.0.0 (quarkus) `#29 <https://github.com/ansible-middleware/keycloak/pull/29>`_
+
+Minor Changes
+-------------
+
+- Add ``keycloak_config_override_template`` parameter for passing a custom xml config template `#30 <https://github.com/ansible-middleware/keycloak/pull/30>`_
+
+Bugfixes
+--------
+
+- Make sure systemd unit starts with selected java JVM `#31 <https://github.com/ansible-middleware/keycloak/pull/31>`_
+
+v1.0.2
+======
+
+Minor Changes
+-------------
+
+- Make ``keycloak_admin_password`` a default with assert (was: role variable) `#26 <https://github.com/ansible-middleware/keycloak/pull/26>`_
+- Simplify dependency install logic and reduce play execution time `#19 <https://github.com/ansible-middleware/keycloak/pull/19>`_
+
+Bugfixes
+--------
+
+- Set ``keycloak_frontend_url`` default according to other defaults `#25 <https://github.com/ansible-middleware/keycloak/pull/25>`_
+
+v1.0.1
+======
+
+Release Summary
+---------------
+
+Minor enhancements, bug and documentation fixes.
+
+
+Major Changes
+-------------
+
+- Apply latest cumulative patch of RH-SSO automatically when new parameter ``keycloak_rhsso_apply_patches`` is ``true`` `#18 <https://github.com/ansible-middleware/keycloak/pull/18>`_
+
+Minor Changes
+-------------
+
+- Clustered installs now perform database initialization on first node to avoid locking issues `#17 <https://github.com/ansible-middleware/keycloak/pull/17>`_
+
+v1.0.0
+======
+
+Release Summary
+---------------
+
+This is the first stable release of the ``middleware_automation.keycloak`` collection.
+

CONTRIBUTING.md

@@ -1,14 +1,14 @@
 
 ## Contributor's Guidelines
 
-- All YAML files named with '.yml' extension
+- All YAML files named with `.yml` extension
 - Use spaces around jinja variables. `{{ var }}` over `{{var}}`
 - Variables that are internal to the role should be lowercase and start with the role name
 - Keep roles self contained - Roles should avoid including tasks from other roles when possible
-- Plays should do nothing more than include a list of roles except where `pre_tasks` and `post_tasks` are required when possible
-- Separators - Use valid name, ie. underscores (e.g. `my_role` `my_playbook`) not dashes (`my-role`)
-- Paths - When defining paths, do not include trailing slashes (e.g. `my_path: /foo` not `my_path: /foo/`). When concatenating paths, follow the same convention (e.g. `{{ my_path }}/bar` not `{{ my_path }}bar`)
+- Plays should do nothing more than include a list of roles, except where `pre_tasks` and `post_tasks` are required, when possible
+- Separators - Use valid names, ie. underscores (e.g. `my_role` `my_playbook`) not dashes (`my-role`)
+- Paths - When defining paths, do not include trailing slashes (e.g. `my_path: /foo` not `my_path: /foo/`); when concatenating paths, follow the same convention (e.g. `{{ my_path }}/bar` not `{{ my_path }}bar`)
 - Indentation - Use 2 spaces for each indent
 - `vars/` vs `defaults/` - internal or interpolated variables that don't need to change or be overridden by user go in `vars/`, those that a user would likely override, go under `defaults/` directory
-- All arguments have a specification in `meta/argument_specs.yml`
-- All playbooks/roles should be focused on compatibility with Ansible Tower
+- All role arguments have a specification in `meta/argument_specs.yml`
+- All playbooks/roles should be focused on compatibility with Ansible Automation Platform

README.md

@@ -1,4 +1,4 @@
-# Ansible Collection - keycloak
+# Ansible Collection - middleware_automation.keycloak
 
 [![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
 
@@ -13,6 +13,7 @@ This collection has been tested against following Ansible versions: **>=2.9.10**
 Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
 <!--end requires_ansible-->
 
+
 ## Installation
 
 ### Installing the Collection from Ansible Galaxy
@@ -42,6 +43,7 @@ A requirement file is provided to install:
 
 * [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service.
 * [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
+* [`keycloak_quarkus`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md): role for installing the quarkus variant of keycloak (>= 17.0.0).
 
 
 ## Usage
@@ -49,17 +51,17 @@ A requirement file is provided to install:
 
 ### Install Playbook
 
-* [`playbooks/keycloak.yml`](playbooks/keycloak.yml) installs the upstream(Keycloak) based on the defined variables.
-* [`playbooks/rhsso.yml`](playbooks/rhsso.yml) installs Red Hat Single Sign-On(RHSSO) based on defined variables.
+* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs the upstream(Keycloak) based on the defined variables.
+* [`playbooks/rhsso.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/rhsso.yml) installs Red Hat Single Sign-On(RHSSO) based on defined variables.
 
 Both playbooks include the `keycloak` role, with different settings, as described in the following sections.
 
-For service configuration details, refer to the [keycloak role README](roles/keycloak/README.md).
+For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md).
 
 
 ### Choosing between upstream project (Keycloak) and Red Hat Single Sign-On (RHSSO)
 
-The general flag `keycloak_rhsso_enable` controls what to install between upstream(Keycloak, when `False`) or Red Hat Single Sign-On (when `True`).
+The general flag `keycloak_rhsso_enable` controls what to install between upstream (Keycloak, when `False`) or Red Hat Single Sign-On (when `True`).
 The default value for the flag if `True` when Red Hat Network credentials are defined, `False` otherwise.
 
 
@@ -133,15 +135,15 @@ ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e
 
 ### Config Playbook
 
-[`playbooks/keycloak-realm.yml`](playbooks/keycloak-realm.yml) creates provided realm, user federation(s), client(s), client role(s) and client user(s) if they don't exist.
+[`playbooks/keycloak_realm.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
 
 
 ### Example configuration command
 
-Execute the following command from the source root directory
+Execute the following command from the source root directory:
 
 ```bash
-ansible-playbook -i <ansible_hosts> playbooks/keycloak-realm.yml -e keycloak_admin_password=<changeme> -e keycloak_realm=test
+ansible-playbook -i <ansible_hosts> playbooks/keycloak_realm.yml -e keycloak_admin_password=<changeme> -e keycloak_realm=test
 ```
 
 - `keycloak_admin_password` password for the administration console user account.
@@ -153,8 +155,11 @@ ansible-playbook -i <ansible_hosts> playbooks/keycloak-realm.yml -e keycloak_adm
   localhost ansible_connection=local
   ```
 
-For configuration details, refer to the [keycloak_realm role README](roles/keycloak_realm/README.md).
+For full configuration details, refer to the [keycloak_realm role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md).
 
+## Support
+
+Keycloak collection v1.0.0 is a Beta release and for [Technical Preview](https://access.redhat.com/support/offerings/techpreview). If you have any issues or questions related to collection, please don't hesitate to contact us on Ansible-middleware-core@redhat.com or open an issue on https://github.com/ansible-middleware/keycloak/issues
 
 ## License
 

bindep.txt

@@ -0,0 +1,7 @@
+python39-devel [platform:rpm compile]
+git-lfs [platform:rpm]
+python3-netaddr [platform:rpm]
+python3-lxml [platform:rpm]
+python3-jmespath [platform:rpm]
+python3-requests [platform:rpm]
+

changelogs/changelog.yaml

@@ -0,0 +1,71 @@
+ancestor: 0.2.6
+releases:
+  1.0.0:
+    changes:
+      release_summary: 'This is the first stable release of the ``middleware_automation.keycloak``
+        collection.
+
+        '
+    release_date: '2022-03-04'
+  1.0.1:
+    changes:
+      major_changes:
+      - Apply latest cumulative patch of RH-SSO automatically when new parameter ``keycloak_rhsso_apply_patches``
+        is ``true`` `#18 <https://github.com/ansible-middleware/keycloak/pull/18>`_
+      minor_changes:
+      - Clustered installs now perform database initialization on first node to avoid
+        locking issues `#17 <https://github.com/ansible-middleware/keycloak/pull/17>`_
+      release_summary: 'Minor enhancements, bug and documentation fixes.
+
+        '
+    release_date: '2022-03-11'
+  1.0.2:
+    changes:
+      bugfixes:
+      - 'Set ``keycloak_frontend_url`` default according to other defaults `#25 <https://github.com/ansible-middleware/keycloak/pull/25>`_
+
+        '
+      minor_changes:
+      - 'Make ``keycloak_admin_password`` a default with assert (was: role variable)
+        `#26 <https://github.com/ansible-middleware/keycloak/pull/26>`_
+
+        '
+      - 'Simplify dependency install logic and reduce play execution time `#19 <https://github.com/ansible-middleware/keycloak/pull/19>`_
+
+        '
+    fragments:
+    - 19.yaml
+    - 25.yaml
+    - 26.yaml
+    release_date: '2022-04-01'
+  1.0.3:
+    changes:
+      bugfixes:
+      - 'Make sure systemd unit starts with selected java JVM `#31 <https://github.com/ansible-middleware/keycloak/pull/31>`_
+
+        '
+      major_changes:
+      - 'New role for installing keycloak >= 17.0.0 (quarkus) `#29 <https://github.com/ansible-middleware/keycloak/pull/29>`_
+
+        '
+      minor_changes:
+      - 'Add ``keycloak_config_override_template`` parameter for passing a custom
+        xml config template `#30 <https://github.com/ansible-middleware/keycloak/pull/30>`_
+
+        '
+    fragments:
+    - 29.yaml
+    - 30.yaml
+    - 31.yaml
+    release_date: '2022-05-09'
+  1.0.4:
+    release_date: '2022-05-11'
+  1.0.5:
+    changes:
+      minor_changes:
+      - 'Update config options: keycloak and quarkus `#32 <https://github.com/ansible-middleware/keycloak/pull/32>`_
+
+        '
+    fragments:
+    - 32.yaml
+    release_date: '2022-05-25'

changelogs/config.yaml

@@ -0,0 +1,32 @@
+---
+changelog_filename_template: ../CHANGELOG.rst
+changelog_filename_version_depth: 0
+changes_file: changelog.yaml
+changes_format: combined
+ignore_other_fragment_extensions: true
+keep_fragments: false
+mention_ancestor: true
+new_plugins_after_name: removed_features
+notesdir: fragments
+prelude_section_name: release_summary
+prelude_section_title: Release Summary
+sections:
+- - major_changes
+  - Major Changes
+- - minor_changes
+  - Minor Changes
+- - breaking_changes
+  - Breaking Changes / Porting Guide
+- - deprecated_features
+  - Deprecated Features
+- - removed_features
+  - Removed Features
+- - security_fixes
+  - Security Fixes
+- - bugfixes
+  - Bugfixes
+- - known_issues
+  - Known Issues
+title: middleware_automation.keycloak
+trivial_section_name: trivial
+use_fqcn: true

changelogs/fragments/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

docs/CHANGELOG.rst

@@ -0,0 +1 @@
+../CHANGELOG.rst

docs/README.md

@@ -0,0 +1 @@
+../README.md

docs/_gh_include/footer.inc

@@ -0,0 +1,21 @@
+              </ul>
+            </div>
+          </section>
+        </div>
+      </div>
+      <footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
+      </div>
+      <hr/>
+      <div role="contentinfo">
+        <p>&#169; Copyright 2022, Red Hat, Inc.</p>
+      </div>
+      Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
+        <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
+        provided by <a href="https://readthedocs.org">Read the Docs</a>.
+      </footer>
+    </div>
+  </div>
+</section>
+</div>
+</body>
+</html>

docs/_gh_include/header.inc

@@ -0,0 +1,43 @@
+<!doctype html>
+<html>
+  <head>
+    <title>Keycloak Ansible Collection documentation index</title>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <link rel="stylesheet" href="https://ansible-middleware.github.io/keycloak/main/_static/pygments.css" type="text/css" />
+    <link rel="stylesheet" href="https://ansible-middleware.github.io/keycloak/main/_static/css/theme.css" type="text/css" />
+    <link rel="stylesheet" href="https://ansible-middleware.github.io/keycloak/main/_static/ansible-basic-sphinx-ext.css" type="text/css" />
+    <script data-url_root="./" id="documentation_options" src="https://ansible-middleware.github.io/keycloak/main/_static/documentation_options.js"></script>
+    <script src="https://ansible-middleware.github.io/keycloak/main/_static/jquery.js"></script>
+    <script src="https://ansible-middleware.github.io/keycloak/main/_static/underscore.js"></script>
+    <script src="https://ansible-middleware.github.io/keycloak/main/_static/doctools.js"></script>
+    <script src="https://ansible-middleware.github.io/keycloak/main/_static/js/theme.js"></script>
+  </head>
+
+<body class="wy-body-for-nav">
+  <div class="wy-grid-for-nav">
+    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
+      <div class="wy-side-scroll">
+        <div class="wy-side-nav-search" >
+            <a href="#" class="icon icon-home"> Keycloak Ansible Collection</a>
+        </div>
+      </div>
+    </nav>
+    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
+      <div class="wy-nav-content">
+          <div class="rst-content">
+            <div role="navigation" aria-label="Page navigation">
+              <ul class="wy-breadcrumbs">
+                  <li><a href="#" class="icon icon-home"></a> &raquo;</li>
+                  <li>Welcome to Keycloak Collection documentation</li>
+                  <li class="wy-breadcrumbs-aside"></li>
+              </ul>
+              <hr/>
+            </div>
+          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
+             <div itemprop="articleBody">
+                <section id="welcome-to-keycloak-collection-documentation">
+                  <h1>Welcome to Keycloak Collection documentation<a class="headerlink" href="#welcome-to-keycloak-collection-documentation" title="Permalink to this headline"></a></h1>
+                    <div class="toctree-wrapper compound">
+                      <p class="caption" role="heading"><span class="caption-text">Pick collection version:</span></p>
+                        <ul>

docs/conf.py

@@ -0,0 +1,170 @@
+# -*- coding: utf-8 -*-
+#
+# Configuration file for the Sphinx documentation builder.
+#
+# This file does only contain a selection of the most common options. For a
+# full list see the documentation:
+# http://www.sphinx-doc.org/en/master/config
+
+# -- Path setup --------------------------------------------------------------
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+import datetime
+import os
+import sys
+sys.path.insert(0, os.path.abspath('../plugins/module_utils/'))
+# sys.path.insert(0, os.path.abspath('.'))
+
+# -- Project information -----------------------------------------------------
+
+project = 'Keycloak Ansible Collection'
+copyright = '{y}, Red Hat, Inc.'.format(y=datetime.date.today().year)
+author = 'Red Hat, Inc.'
+
+# The short X.Y version
+version = ''
+# The full version, including alpha/beta/rc tags
+release = ''
+
+
+# -- General configuration ---------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#
+# needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+    'myst_parser',
+    'sphinx.ext.autodoc',
+    'sphinx.ext.intersphinx',
+    'ansible_basic_sphinx_ext',
+]
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix(es) of source filenames.
+# You can specify multiple suffix as a list of string:
+#
+# source_suffix = ['.rst', '.md']
+source_suffix = ['.rst', '.md']
+
+# The master toctree document.
+master_doc = 'index'
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#
+# This is also used if you do content translation via gettext catalogs.
+# Usually you set "language" from the command line for these cases.
+language = None
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This pattern also affects html_static_path and html_extra_path .
+exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store', '.tmp']
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+highlight_language = 'YAML+Jinja'
+
+# -- Options for HTML output -------------------------------------------------
+html_theme_path = ['_themes']
+# The theme to use for HTML and HTML Help pages.  See the documentation for
+# a list of builtin themes.
+#
+# html_theme = 'alabaster'
+html_theme = 'sphinx_rtd_theme'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further.  For a list of options available for each theme, see the
+# documentation.
+#
+# html_theme_options = {}
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = []
+
+# Custom sidebar templates, must be a dictionary that maps document names
+# to template names.
+#
+# The default sidebars (for documents that don't match any pattern) are
+# defined by theme itself.  Builtin themes are using these templates by
+# default: ``['localtoc.html', 'relations.html', 'sourcelink.html',
+# 'searchbox.html']``.
+#
+# html_sidebars = {}
+
+
+# -- Options for HTMLHelp output ---------------------------------------------
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'KeycloakCollectionDoc'
+
+
+# -- Options for LaTeX output ------------------------------------------------
+
+latex_elements = {
+    # The paper size ('letterpaper' or 'a4paper').
+    #
+    # 'papersize': 'letterpaper',
+
+    # The font size ('10pt', '11pt' or '12pt').
+    #
+    # 'pointsize': '10pt',
+
+    # Additional stuff for the LaTeX preamble.
+    #
+    # 'preamble': '',
+
+    # Latex figure (float) alignment
+    #
+    # 'figure_align': 'htbp',
+}
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title,
+#  author, documentclass [howto, manual, or own class]).
+latex_documents = [
+    (master_doc, 'KeycloakCollection.tex', 'Red Hat Single Sign-On Ansible Collection Documentation',
+     'Red Hat, Inc.', 'manual'),
+]
+
+
+# -- Options for manual page output ------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+    (master_doc, 'keycloakcollection', 'Red Hat Single Sign-On Ansible Collection Documentation',
+     [author], 1)
+]
+
+
+# -- Options for Texinfo output ----------------------------------------------
+
+# Grouping the document tree into Texinfo files. List of tuples
+# (source start file, target name, title, author,
+#  dir menu entry, description, category)
+texinfo_documents = [
+    (master_doc, 'KeycloakCollection', 'Red Hat Single Sign-On Ansible Collection Documentation',
+     author, 'KeycloakCollection', 'One line description of project.',
+     'Miscellaneous'),
+]
+
+
+# -- Extension configuration -------------------------------------------------
+
+# -- Options for intersphinx extension ---------------------------------------
+
+# Example configuration for intersphinx: refer to the Python standard library.
+intersphinx_mapping = {'python': ('https://docs.python.org/2', None), 'ansible': ('https://docs.ansible.com/ansible/latest/', None)}

docs/developing.md

@@ -0,0 +1 @@
+../CONTRIBUTING.md

docs/index.rst

@@ -0,0 +1,32 @@
+.. Red Hat middleware_automation Keycloak Ansible Collection documentation main file
+
+Welcome to Keycloak Collection documentation
+============================================
+
+.. toctree::
+   :maxdepth: 2
+   :caption: User documentation
+
+   README
+   plugins/index
+   roles/index
+
+.. toctree::
+   :maxdepth: 2
+   :caption: Developer documentation
+
+   testing
+   developing
+   releasing
+
+.. toctree::
+   :maxdepth: 2
+   :caption: General
+
+   Changelog <CHANGELOG>
+
+Indices and tables
+==================
+
+* :ref:`genindex`
+* :ref:`search`

docs/releasing.md

@@ -0,0 +1,61 @@
+# Collection Versioning Strategy
+
+Each supported collection maintained by Ansible follows Semantic Versioning 2.0.0 (https://semver.org/), for example:
+Given a version number MAJOR.MINOR.PATCH, the following is incremented:
+
+MAJOR version: when making incompatible API changes (see Feature Release scenarios below for examples)
+
+MINOR version: when adding features or functionality in a backwards compatible manner, or updating testing matrix and/or metadata (deprecation)
+
+PATCH version: when adding backwards compatible bug fixes or security fixes (strict).
+
+Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.
+
+The first version of a generally available supported collection on Ansible Automation Hub shall be version 1.0.0. NOTE: By default, all newly created collections may begin with a smaller default version of 0.1.0, and therefore a version of 1.0.0 should be explicitly stated by the collection maintainer.
+
+## New content is added to an existing collection
+
+Assuming the current release is 1.0.0, and a new module is ready to be added to the collection, the minor version would be incremented to 1.1.0. The change in the MINOR version indicates an additive change was made while maintaining backward compatibility for existing content within the collection.
+
+
+## New feature to existing plugin or role within a collection (backwards compatible)
+
+Assuming the current release is 1.0.0, and new features for an existing module are ready for release . We would increment the MINOR version to 1.1.0. The change in the MINOR version indicates an additive change was made while maintaining backward compatibility for existing content within the collection.
+
+
+## Bug fix or security fix to existing content within a collection
+
+Assuming the current release is 1.0.0 and a bug is fixed prior to the next minor release, the PATCH version would be incremented to 1.0.1. The patch indicates only a bug was fixed within a current version. The PATCH release does not contain new content, nor was functionality removed. Bug fixes may be included in a MINOR or MAJOR feature release if the timing allows, eliminating the need for a PATCH dedicated to the fix.
+
+
+## Breaking change to any content within a collection
+
+Assuming the current release is 1.0.0, and a breaking change (API or module) is introduced for a user or developer. The MAJOR version would be incremented to 2.0.0.
+
+Examples of breaking changes within a collection may include but are not limited to:
+
+ - Argspec changes for a module that require either inventory structure or playbook changes.
+ - A change in the shape of either the inbound or returned payload of a filter plugin.
+ - Changes to a connection plugin that require additional inventory parameters or ansible.cfg entries.
+ - New functionality added to a module that changes the outcome of that module as released in previous versions.
+ - The removal of plugins from a collection.
+
+
+## Content removed from a collection
+
+Deleting a module or API is a breaking change. Please see the 'Breaking change' section for how to version this.
+
+
+## A typographical error was fixed in the documentation for a collection
+
+A correction to the README would be considered a bug fix and the PATCH incremented. See 'Bug fix' above.
+
+
+## Documentation added/removed/modified within a collection
+
+Only the PATCH version should be increased for a release that contains changes limited to revised documentation.
+
+
+## Release automation
+
+New releases are triggered by annotated git tags named after semantic versioning. The automation publishes the built artifacts to ansible-galaxy and github releases page.

docs/requirements.txt

@@ -0,0 +1,5 @@
+antsibull>=0.17.0
+ansible-base>=2.10.12
+sphinx-rtd-theme
+git+https://github.com/felixfontein/ansible-basic-sphinx-ext
+myst-parser

docs/roles.rst.template

@@ -0,0 +1,4 @@
+Role Index
+==========
+
+.. toctree::

docs/testing.md

@@ -0,0 +1,49 @@
+# Testing
+
+## Continuous integration
+
+The collection is tested with a [molecule](https://github.com/ansible-community/molecule) setup covering the included roles and verifying correct installation and idempotency.
+In order to run the molecule tests locally with python 3.9 available, after cloning the repository:
+
+```
+pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
+molecule test --all
+```
+
+
+## Integration testing
+
+Demo repositories which depend on the collection, and aggregate functionality with other middleware_automation collections, are automatically rebuilt
+at every collection release to ensure non-breaking changes and consistent behaviour.
+
+The repository are:
+
+ - [Flange demo](https://github.com/ansible-middleware/flange-demo)
+   A deployment of Wildfly cluster integrated with keycloak and infinispan.
+ - [CrossDC keycloak demo](https://github.com/ansible-middleware/cross-dc-rhsso-demo)
+   A clustered multi-regional installation of keycloak with infinispan remote caches.
+
+
+## Test playbooks
+
+Sample playbooks are provided in the `playbooks/` directory; to run the playbooks locally (requires a rhel system with python 3.9+, ansible, and systemd) the steps are as follows:
+
+```
+# setup environment
+pip install ansible-core
+# clone the repository
+git clone https://github.com/ansible-middleware/keycloak
+cd keycloak
+# install collection dependencies
+ansible-galaxy collection install -r requirements.yml
+# install collection python deps
+pip install -r requirements.txt
+# create inventory for localhost
+cat << EOF > inventory
+[keycloak]
+localhost ansible_connection=local
+EOF
+# run the playbook
+ansible-playbook -i inventory playbooks/keycloak.yml
+```
+

galaxy.yml

@@ -1,6 +1,7 @@
+---
 namespace: middleware_automation
 name: keycloak
-version: "0.2.3"
+version: "1.0.5"
 readme: README.md
 authors:
   - Romain Pelisse <rpelisse@redhat.com>
@@ -12,12 +13,22 @@ tags:
   - keycloak
   - redhat
   - rhel
-  - rhn
   - sso
+  - openid
+  - application
+  - identity
+  - security
+  - infrastructure
+  - authentication
 dependencies:
   "middleware_automation.redhat_csp_download": ">=1.2.1"
-  "middleware_automation.wildfly": ">=0.0.4"
+  "middleware_automation.wildfly": ">=1.0.0"
 repository: https://github.com/ansible-middleware/keycloak
-documentation: https://github.com/ansible-middleware/keycloak
+documentation: https://ansible-middleware.github.io/keycloak
 homepage: https://github.com/ansible-middleware/keycloak
 issues: https://github.com/ansible-middleware/keycloak/issues
+build_ignore:
+  - molecule
+  - .github
+  - '*.tar.gz'
+  - '*.zip'

meta/execution-environment.yml

@@ -0,0 +1,11 @@
+---
+version: 1
+build_arg_defaults:
+  EE_BASE_IMAGE: 'quay.io/ansible/ansible-runner:stable-2.12-devel'
+dependencies:
+  galaxy: requirements.yml
+  python: requirements.txt
+  system: bindep.txt
+additional_build_steps:
+  append:
+    - RUN alternatives --set python /usr/bin/python3

molecule/default/converge.yml

@@ -2,17 +2,15 @@
 - name: Converge
   hosts: all
   vars: 
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_jvm_package: java-11-openjdk-headless
+  roles:
+    - role: keycloak
   tasks:
-    - name: Include keycloak role
-      include_role:
-        name: ../../roles/keycloak
-      vars:
-        keycloak_admin_password: "changeme"
     - name: Keycloak Realm Role
-      include_role:
-        name: ../../roles/keycloak_realm
+      ansible.builtin.include_role:
+        name: keycloak_realm
       vars:
-        keycloak_admin_password: "changeme"
         keycloak_client_default_roles:
           - TestRoleAdmin
           - TestRoleUser

molecule/default/molecule.yml

@@ -4,6 +4,9 @@ dependency:
   command: ansible-galaxy collection install -r molecule/default/requirements.yml -p $HOME/.ansible/collections --force-with-deps
 driver:
   name: docker
+lint: |
+  ansible-lint --version
+  ansible-lint -v
 platforms:
   - name: instance
     image: registry.access.redhat.com/ubi8/ubi-init:latest

molecule/default/prepare.yml

@@ -3,10 +3,12 @@
   hosts: all
   tasks:
     - name: Disable beta repos
-      command: yum config-manager --disable '*beta*'
+      ansible.builtin.command: yum config-manager --disable '*beta*'
       ignore_errors: yes
 
     - name: Install sudo
-      yum:
-        name: sudo
+      ansible.builtin.yum:
+        name:
+          - sudo
+          - java-1.8.0-openjdk
         state: present

molecule/default/roles

@@ -0,0 +1 @@
+../../roles

molecule/default/verify.yml

@@ -1,10 +1,29 @@
 ---
 - name: Verify
   hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_jvm_package: java-11-openjdk-headless
+    keycloak_port: http://localhost:8080
+    keycloak_management_port: http://localhost:9990
   tasks:
     - name: Populate service facts
       ansible.builtin.service_facts:
     - name: Check if keycloak service started
-      assert:
+      ansible.builtin.assert:
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+    - name: Verify we are running on requested jvm
+      shell: |
+        ps -ef | grep /usr/lib/jvm/java-11 | grep -v grep
+    - name: Verify token api call
+      ansible.builtin.uri:
+        url: "{{ keycloak_port }}/auth/realms/master/protocol/openid-connect/token"
+        method: POST
+        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
+        validate_certs: no
+      register: keycloak_auth_response
+      until: keycloak_auth_response.status == 200
+      retries: 2
+      delay: 2

molecule/overridexml/converge.yml

@@ -0,0 +1,43 @@
+---
+- name: Converge
+  hosts: all
+  vars: 
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_config_override_template: custom.xml.j2
+    keycloak_http_port: 8081
+    keycloak_management_http_port: 19990
+  roles:
+    - role: keycloak
+  tasks:
+    - name: Keycloak Realm Role
+      ansible.builtin.include_role:
+        name: keycloak_realm
+      vars:
+        keycloak_client_default_roles:
+          - TestRoleAdmin
+          - TestRoleUser
+        keycloak_client_users:
+          - username: TestUser
+            password: password
+            client_roles:
+              - client: TestClient
+                role: TestRoleUser
+                realm: "{{ keycloak_realm }}"
+          - username: TestAdmin
+            password: password
+            client_roles:
+              - client: TestClient
+                role: TestRoleUser
+                realm: "{{ keycloak_realm }}"
+              - client: TestClient
+                role: TestRoleAdmin
+                realm: "{{ keycloak_realm }}"
+        keycloak_realm: TestRealm
+        keycloak_clients:
+          - name: TestClient
+            roles: "{{ keycloak_client_default_roles }}"
+            realm: "{{ keycloak_realm }}"
+            public_client: "{{ keycloak_client_public }}"
+            web_origins: "{{ keycloak_client_web_origins }}"
+            users: "{{ keycloak_client_users }}"
+            client_id: TestClient

molecule/overridexml/molecule.yml

@@ -0,0 +1,53 @@
+---
+dependency:
+  name: shell
+  command: ansible-galaxy collection install -r molecule/default/requirements.yml -p $HOME/.ansible/collections --force-with-deps
+driver:
+  name: docker
+lint: |
+  ansible-lint --version
+  ansible-lint -v
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "8009/tcp"      
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"        
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - dependency
+    - lint
+    - cleanup
+    - destroy
+    - syntax
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/overridexml/prepare.yml

@@ -0,0 +1,12 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Disable beta repos
+      ansible.builtin.command: yum config-manager --disable '*beta*'
+      ignore_errors: yes
+
+    - name: Install sudo
+      ansible.builtin.yum:
+        name: sudo
+        state: present

molecule/overridexml/requirements.yml

@@ -0,0 +1,10 @@
+---
+collections:
+  - name: middleware_automation.redhat_csp_download
+    version: ">=1.2.1"
+  - name: middleware_automation.wildfly
+    version: ">=0.0.5"
+  - name: community.general
+  - name: community.docker
+    version: ">=1.9.1"
+    

molecule/overridexml/roles

@@ -0,0 +1 @@
+../../roles

molecule/overridexml/templates/custom.xml.j2

@@ -0,0 +1,604 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!-- {{ ansible_managed }} -->
+<server xmlns="urn:jboss:domain:16.0">
+    <extensions>
+        <extension module="org.jboss.as.clustering.infinispan"/>
+        <extension module="org.jboss.as.connector"/>
+        <extension module="org.jboss.as.deployment-scanner"/>
+        <extension module="org.jboss.as.ee"/>
+        <extension module="org.jboss.as.ejb3"/>
+        <extension module="org.jboss.as.jaxrs"/>
+        <extension module="org.jboss.as.jmx"/>
+        <extension module="org.jboss.as.jpa"/>
+        <extension module="org.jboss.as.logging"/>
+        <extension module="org.jboss.as.mail"/>
+        <extension module="org.jboss.as.modcluster"/>
+        <extension module="org.jboss.as.naming"/>
+        <extension module="org.jboss.as.remoting"/>
+        <extension module="org.jboss.as.security"/>
+        <extension module="org.jboss.as.transactions"/>
+        <extension module="org.jboss.as.weld"/>
+        <extension module="org.keycloak.keycloak-server-subsystem"/>
+        <extension module="org.wildfly.extension.bean-validation"/>
+        <extension module="org.wildfly.extension.core-management"/>
+        <extension module="org.wildfly.extension.elytron"/>
+        <extension module="org.wildfly.extension.health"/>
+        <extension module="org.wildfly.extension.io"/>
+        <extension module="org.wildfly.extension.metrics"/>
+        <extension module="org.wildfly.extension.request-controller"/>
+        <extension module="org.wildfly.extension.security.manager"/>
+        <extension module="org.wildfly.extension.undertow"/>
+    </extensions>
+    <management>
+        <security-realms>
+            <security-realm name="ManagementRealm">
+                <authentication>
+                    <local default-user="$local" skip-group-loading="true"/>
+                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
+                </authentication>
+                <authorization map-groups-to-roles="false">
+                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
+                </authorization>
+            </security-realm>
+            <security-realm name="ApplicationRealm">
+                <server-identities>
+                    <ssl>
+                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
+                    </ssl>
+                </server-identities>
+                <authentication>
+                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
+                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
+                </authentication>
+                <authorization>
+                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
+                </authorization>
+            </security-realm>
+        </security-realms>
+        <audit-log>
+            <formatters>
+                <json-formatter name="json-formatter"/>
+            </formatters>
+            <handlers>
+                <file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
+            </handlers>
+            <logger log-boot="true" log-read-only="false" enabled="false">
+                <handlers>
+                    <handler name="file"/>
+                </handlers>
+            </logger>
+        </audit-log>
+        <management-interfaces>
+            <http-interface security-realm="ManagementRealm">
+                <http-upgrade enabled="true"/>
+                <socket-binding http="management-http"/>
+            </http-interface>
+        </management-interfaces>
+        <access-control provider="simple">
+            <role-mapping>
+                <role name="SuperUser">
+                    <include>
+                        <user name="$local"/>
+                    </include>
+                </role>
+            </role-mapping>
+        </access-control>
+    </management>
+    <profile>
+        <subsystem xmlns="urn:jboss:domain:logging:8.0">
+            <console-handler name="CONSOLE">
+                <level name="INFO"/>
+                <formatter>
+                    <named-formatter name="COLOR-PATTERN"/>
+                </formatter>
+            </console-handler>
+            <periodic-rotating-file-handler name="FILE" autoflush="true">
+                <formatter>
+                    <named-formatter name="PATTERN"/>
+                </formatter>
+                <file relative-to="jboss.server.log.dir" path="server.log"/>
+                <suffix value=".yyyy-MM-dd"/>
+                <append value="true"/>
+            </periodic-rotating-file-handler>
+            <logger category="com.arjuna">
+                <level name="WARN"/>
+            </logger>
+            <logger category="io.jaegertracing.Configuration">
+                <level name="WARN"/>
+            </logger>
+            <logger category="org.jboss.as.config">
+                <level name="DEBUG"/>
+            </logger>
+            <logger category="sun.rmi">
+                <level name="WARN"/>
+            </logger>
+            <root-logger>
+                <level name="INFO"/>
+                <handlers>
+                    <handler name="CONSOLE"/>
+                    <handler name="FILE"/>
+                </handlers>
+            </root-logger>
+            <formatter name="PATTERN">
+                <pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
+            </formatter>
+            <formatter name="COLOR-PATTERN">
+                <pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
+            </formatter>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:datasources:6.0">
+            <datasources>
+                <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
+                    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
+                    <driver>h2</driver>
+                    <security>
+                        <user-name>sa</user-name>
+                        <password>sa</password>
+                    </security>
+                </datasource>
+                <drivers>
+                    <driver name="h2" module="com.h2database.h2">
+                        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
+                    </driver>
+                </drivers>
+            </datasources>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
+            <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:ee:6.0">
+            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
+            <concurrent>
+                <context-services>
+                    <context-service name="default" jndi-name="java:jboss/ee/concurrency/context/default" use-transaction-setup-provider="true"/>
+                </context-services>
+                <managed-thread-factories>
+                    <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
+                </managed-thread-factories>
+                <managed-executor-services>
+                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
+                </managed-executor-services>
+                <managed-scheduled-executor-services>
+                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
+                </managed-scheduled-executor-services>
+            </concurrent>
+            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/KeycloakDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
+            <session-bean>
+                <stateless>
+                    <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
+                </stateless>
+                <stateful default-access-timeout="5000" cache-ref="simple" passivation-disabled-cache-ref="simple"/>
+                <singleton default-access-timeout="5000"/>
+            </session-bean>
+            <pools>
+                <bean-instance-pools>
+                    <strict-max-pool name="mdb-strict-max-pool" derive-size="from-cpu-count" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
+                    <strict-max-pool name="slsb-strict-max-pool" derive-size="from-worker-pools" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
+                </bean-instance-pools>
+            </pools>
+            <caches>
+                <cache name="simple"/>
+                <cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/>
+            </caches>
+            <passivation-stores>
+                <passivation-store name="infinispan" cache-container="ejb" max-size="10000"/>
+            </passivation-stores>
+            <async thread-pool-name="default"/>
+            <timer-service thread-pool-name="default" default-data-store="default-file-store">
+                <data-stores>
+                    <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
+                </data-stores>
+            </timer-service>
+            <remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
+                <channel-creation-options>
+                    <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
+                </channel-creation-options>
+            </remote>
+            <thread-pools>
+                <thread-pool name="default">
+                    <max-threads count="10"/>
+                    <keepalive-time time="60" unit="seconds"/>
+                </thread-pool>
+            </thread-pools>
+            <default-security-domain value="other"/>
+            <default-missing-method-permissions-deny-access value="true"/>
+            <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
+            <log-system-exceptions value="true"/>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
+            <providers>
+                <aggregate-providers name="combined-providers">
+                    <providers name="elytron"/>
+                    <providers name="openssl"/>
+                </aggregate-providers>
+                <provider-loader name="elytron" module="org.wildfly.security.elytron"/>
+                <provider-loader name="openssl" module="org.wildfly.openssl"/>
+            </providers>
+            <audit-logging>
+                <file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/>
+            </audit-logging>
+            <security-domains>
+                <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
+                    <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
+                    <realm name="local"/>
+                </security-domain>
+                <security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
+                    <realm name="ManagementRealm" role-decoder="groups-to-roles"/>
+                    <realm name="local" role-mapper="super-user-mapper"/>
+                </security-domain>
+            </security-domains>
+            <security-realms>
+                <identity-realm name="local" identity="$local"/>
+                <properties-realm name="ApplicationRealm">
+                    <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
+                    <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
+                </properties-realm>
+                <properties-realm name="ManagementRealm">
+                    <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
+                    <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
+                </properties-realm>
+            </security-realms>
+            <mappers>
+                <simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
+                    <permission-mapping>
+                        <principal name="anonymous"/>
+                        <permission-set name="default-permissions"/>
+                    </permission-mapping>
+                    <permission-mapping match-all="true">
+                        <permission-set name="login-permission"/>
+                        <permission-set name="default-permissions"/>
+                    </permission-mapping>
+                </simple-permission-mapper>
+                <constant-realm-mapper name="local" realm-name="local"/>
+                <simple-role-decoder name="groups-to-roles" attribute="groups"/>
+                <constant-role-mapper name="super-user-mapper">
+                    <role name="SuperUser"/>
+                </constant-role-mapper>
+            </mappers>
+            <permission-sets>
+                <permission-set name="login-permission">
+                    <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
+                </permission-set>
+                <permission-set name="default-permissions">
+                    <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
+                    <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
+                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
+                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
+                </permission-set>
+            </permission-sets>
+            <http>
+                <http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="DIGEST">
+                            <mechanism-realm realm-name="ManagementRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </http-authentication-factory>
+                <provider-http-server-mechanism-factory name="global"/>
+            </http>
+            <sasl>
+                <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
+                        <mechanism mechanism-name="DIGEST-MD5">
+                            <mechanism-realm realm-name="ApplicationRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </sasl-authentication-factory>
+                <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
+                        <mechanism mechanism-name="DIGEST-MD5">
+                            <mechanism-realm realm-name="ManagementRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </sasl-authentication-factory>
+                <configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
+                    <properties>
+                        <property name="wildfly.sasl.local-user.default-user" value="$local"/>
+                    </properties>
+                </configurable-sasl-server-factory>
+                <mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
+                    <filters>
+                        <filter provider-name="WildFlyElytron"/>
+                    </filters>
+                </mechanism-provider-filtering-sasl-server-factory>
+                <provider-sasl-server-factory name="global"/>
+            </sasl>
+            <tls>
+                <key-stores>
+                    <key-store name="applicationKS">
+                        <credential-reference clear-text="password"/>
+                        <implementation type="JKS"/>
+                        <file path="application.keystore" relative-to="jboss.server.config.dir"/>
+                    </key-store>
+                </key-stores>
+                <key-managers>
+                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
+                        <credential-reference clear-text="password"/>
+                    </key-manager>
+                </key-managers>
+                <server-ssl-contexts>
+                    <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
+                </server-ssl-contexts>
+            </tls>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
+        <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
+            <cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
+                <local-cache name="passivation">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store passivation="true" purge="false"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
+                <local-cache name="realms">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="users">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="sessions"/>
+                <local-cache name="authenticationSessions"/>
+                <local-cache name="offlineSessions"/>
+                <local-cache name="clientSessions"/>
+                <local-cache name="offlineClientSessions"/>
+                <local-cache name="loginFailures"/>
+                <local-cache name="work"/>
+                <local-cache name="authorization">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="keys">
+                    <heap-memory size="1000"/>
+                    <expiration max-idle="3600000"/>
+                </local-cache>
+                <local-cache name="actionTokens">
+                    <heap-memory size="-1"/>
+                    <expiration interval="300000" max-idle="-1"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
+                <local-cache name="default">
+                    <transaction mode="BATCH"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
+                <local-cache name="passivation">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store passivation="true" purge="false"/>
+                </local-cache>
+                <local-cache name="sso">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                </local-cache>
+                <local-cache name="routing"/>
+            </cache-container>
+            <cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
+                <local-cache name="entity">
+                    <heap-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </local-cache>
+                <local-cache name="local-query">
+                    <heap-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </local-cache>
+                <local-cache name="timestamps"/>
+            </cache-container>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:io:3.0">
+            <worker name="default"/>
+            <buffer-pool name="default"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
+        <subsystem xmlns="urn:jboss:domain:jca:5.0">
+            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
+            <bean-validation enabled="true"/>
+            <default-workmanager>
+                <short-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </short-running-threads>
+                <long-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </long-running-threads>
+            </default-workmanager>
+            <cached-connection-manager/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jmx:1.3">
+            <expose-resolved-model/>
+            <expose-expression-model/>
+            <remoting-connector/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
+            <jpa default-extended-persistence-inheritance="DEEP"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
+            <web-context>auth</web-context>
+            <providers>
+                <provider>
+                    classpath:${jboss.home.dir}/providers/*
+                </provider>
+            </providers>
+            <master-realm-name>master</master-realm-name>
+            <scheduled-task-interval>900</scheduled-task-interval>
+            <theme>
+                <staticMaxAge>2592000</staticMaxAge>
+                <cacheThemes>true</cacheThemes>
+                <cacheTemplates>true</cacheTemplates>
+                <dir>${jboss.home.dir}/themes</dir>
+            </theme>
+            <spi name="eventsStore">
+                <provider name="jpa" enabled="true">
+                    <properties>
+                        <property name="exclude-events" value="[&quot;REFRESH_TOKEN&quot;]"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="userCache">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="userSessionPersister">
+                <default-provider>jpa</default-provider>
+            </spi>
+            <spi name="timer">
+                <default-provider>basic</default-provider>
+            </spi>
+            <spi name="connectionsHttpClient">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="connectionsJpa">
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="dataSource" value="java:jboss/datasources/KeycloakDS"/>
+                        <property name="initializeEmpty" value="true"/>
+                        <property name="migrationStrategy" value="update"/>
+                        <property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="realmCache">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="connectionsInfinispan">
+                <default-provider>default</default-provider>
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="cacheContainer" value="java:jboss/infinispan/container/keycloak"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="jta-lookup">
+                <default-provider>${keycloak.jta.lookup.provider:jboss}</default-provider>
+                <provider name="jboss" enabled="true"/>
+            </spi>
+            <spi name="publicKeyStorage">
+                <provider name="infinispan" enabled="true">
+                    <properties>
+                        <property name="minTimeBetweenRequests" value="10"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="x509cert-lookup">
+                <default-provider>${keycloak.x509cert.lookup.provider:default}</default-provider>
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="hostname">
+                <default-provider>default</default-provider>
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
+                    </properties>
+                </provider>
+            </spi>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:mail:4.0">
+            <mail-session name="default" jndi-name="java:jboss/mail/Default">
+                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
+            </mail-session>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
+        <subsystem xmlns="urn:jboss:domain:naming:2.0">
+            <remote-naming/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
+            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:security:2.0">
+            <security-domains>
+                <security-domain name="other" cache-type="default">
+                    <authentication>
+                        <login-module code="Remoting" flag="optional">
+                            <module-option name="password-stacking" value="useFirstPass"/>
+                        </login-module>
+                        <login-module code="RealmDirect" flag="required">
+                            <module-option name="password-stacking" value="useFirstPass"/>
+                        </login-module>
+                    </authentication>
+                </security-domain>
+                <security-domain name="jboss-web-policy" cache-type="default">
+                    <authorization>
+                        <policy-module code="Delegating" flag="required"/>
+                    </authorization>
+                </security-domain>
+                <security-domain name="jaspitest" cache-type="default">
+                    <authentication-jaspi>
+                        <login-module-stack name="dummy">
+                            <login-module code="Dummy" flag="optional"/>
+                        </login-module-stack>
+                        <auth-module code="Dummy"/>
+                    </authentication-jaspi>
+                </security-domain>
+                <security-domain name="jboss-ejb-policy" cache-type="default">
+                    <authorization>
+                        <policy-module code="Delegating" flag="required"/>
+                    </authorization>
+                </security-domain>
+            </security-domains>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
+            <deployment-permissions>
+                <maximum-set>
+                    <permission class="java.security.AllPermission"/>
+                </maximum-set>
+            </deployment-permissions>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:transactions:6.0">
+            <core-environment node-identifier="${jboss.tx.node.id:1}">
+                <process-id>
+                    <uuid/>
+                </process-id>
+            </core-environment>
+            <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
+            <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
+            <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
+            <buffer-cache name="default"/>
+            <server name="default-server">
+                <http-listener name="default" socket-binding="http"/>
+                <host name="default-host" alias="localhost">
+                    <location name="/" handler="welcome-content"/>
+                    <http-invoker security-realm="ApplicationRealm"/>
+                </host>
+            </server>
+            <servlet-container name="default">
+                <jsp-config/>
+                <websockets/>
+            </servlet-container>
+            <handlers>
+                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
+            </handlers>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
+    </profile>
+    <interfaces>
+        <interface name="management">
+            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
+        </interface>
+        <interface name="public">
+            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
+        </interface>
+    </interfaces>
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+        <socket-binding name="http" port="8081"/>
+        <socket-binding name="management-http" interface="management" port="19990"/>
+        <socket-binding name="txn-recovery-environment" port="4712"/>
+        <socket-binding name="txn-status-manager" port="4713"/>
+        <outbound-socket-binding name="mail-smtp">
+            <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
+        </outbound-socket-binding>
+    </socket-binding-group>
+</server>

molecule/overridexml/verify.yml

@@ -0,0 +1,11 @@
+---
+- name: Verify
+  hosts: all
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"

molecule/quarkus/converge.yml

@@ -0,0 +1,39 @@
+---
+- name: Converge
+  hosts: all
+  vars: 
+    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_realm: TestRealm
+  roles:
+    - role: keycloak_quarkus
+    - role: keycloak_realm
+      keycloak_context: ''
+      keycloak_client_default_roles:
+        - TestRoleAdmin
+        - TestRoleUser
+      keycloak_client_users:
+        - username: TestUser
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+        - username: TestAdmin
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+            - client: TestClient
+              role: TestRoleAdmin
+              realm: "{{ keycloak_realm }}"
+      keycloak_realm: TestRealm
+      keycloak_clients:
+        - name: TestClient
+          roles: "{{ keycloak_client_default_roles }}"
+          realm: "{{ keycloak_realm }}"
+          public_client: "{{ keycloak_client_public }}"
+          web_origins: "{{ keycloak_client_web_origins }}"
+          users: "{{ keycloak_client_users }}"
+          client_id: TestClient

molecule/quarkus/molecule.yml

@@ -0,0 +1,53 @@
+---
+dependency:
+  name: shell
+  command: ansible-galaxy collection install -r molecule/default/requirements.yml -p $HOME/.ansible/collections --force-with-deps
+driver:
+  name: docker
+lint: |
+  ansible-lint --version
+  ansible-lint -v
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "8009/tcp"      
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"        
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - dependency
+    - lint
+    - cleanup
+    - destroy
+    - syntax
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/quarkus/prepare.yml

@@ -0,0 +1,12 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Disable beta repos
+      ansible.builtin.command: yum config-manager --disable '*beta*'
+      ignore_errors: yes
+
+    - name: Install sudo
+      ansible.builtin.yum:
+        name: sudo
+        state: present

molecule/quarkus/requirements.yml

@@ -0,0 +1,10 @@
+---
+collections:
+  - name: middleware_automation.redhat_csp_download
+    version: ">=1.2.1"
+  - name: middleware_automation.wildfly
+    version: ">=0.0.5"
+  - name: community.general
+  - name: community.docker
+    version: ">=1.9.1"
+    

molecule/quarkus/roles

@@ -0,0 +1 @@
+../../roles

molecule/quarkus/verify.yml

@@ -0,0 +1,11 @@
+---
+- name: Verify
+  hosts: all
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"

playbooks/keycloak.yml

@@ -1,11 +1,9 @@
 ---
 - name: Playbook for Keycloak Hosts
-  hosts: keycloak
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
   collections:
     - middleware_automation.keycloak
-  tasks:
-    - name: Include keycloak role
-      include_role:
-        name: keycloak
-      vars:
-        keycloak_admin_password: "changeme"
+  roles:
+    - keycloak

playbooks/keycloak_realm.yml

@@ -1,12 +1,12 @@
 ---
 - name: Playbook for Keycloak Hosts
-  hosts: keycloak
+  hosts: all
   tasks:
     - name: Keycloak Realm Role
-      include_role:
-        name: keycloak_realm
+      ansible.builtin.include_role:
+        name: middleware_automation.keycloak.keycloak_realm
       vars:
-        keycloak_admin_password: "changeme"
+        keycloak_admin_password: "remembertochangeme"
         keycloak_realm: TestRealm
         keycloak_user_federation:
           - realm: TestRealm

playbooks/keyclock_quarkus.yml

@@ -0,0 +1,9 @@
+---
+- name: Playbook for Keycloak X Hosts
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+  collections:
+    - middleware_automation.keycloak
+  roles:
+    - keycloak_quarkus

playbooks/rhsso.yml

@@ -1,14 +1,12 @@
 ---
 - name: Playbook for Keycloak Hosts
   hosts: keycloak
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_rhsso_enable: True
   collections:
     - middleware_automation.redhat_csp_download
+    - middleware_automation.keycloak
   roles:
-    - redhat_csp_download
-  tasks:
-    - name: Keycloak Role
-      include_role:
-        name: keycloak
-      vars:
-        keycloak_admin_password: "changeme"
-        keycloak_rhsso_enable: True
+    - middleware_automation.redhat_csp_download.redhat_csp_download
+    - middleware_automation.keycloak.keycloak

roles/keycloak/README.md

@@ -1,7 +1,7 @@
 keycloak
 ========
 
-Install [keycloak](https://keycloak.org/) or [Red Hat Single Sing-On](https://access.redhat.com/products/red-hat-single-sign-on) server configurations.
+Install [keycloak](https://keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) server configurations.
 
 
 Requirements
@@ -31,6 +31,17 @@ Versions
 |`7.5.0 GA`      |September 20, 2021 |`15.0.2`          | `7.4.0`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|
 
 
+Patching
+--------
+
+When variable `keycloak_rhsso_apply_patches` is `True` (default: `False`), the role will automatically apply the latest cumulative patch for the selected base version.
+
+| RH-SSO VERSION | Release Date      | RH-SSO LATEST CP | Notes           |
+|:---------------|:------------------|:-----------------|:----------------|
+|`7.5.0 GA`      |January 20, 2022   |`7.5.1 GA`        |[Release Notes](https://access.redhat.com/articles/6646321)|
+
+
+
 Role Defaults
 -------------
 
@@ -49,26 +60,53 @@ Role Defaults
 |`keycloak_jgroups_port`| jgroups cluster tcp port | `7600` |
 |`keycloak_management_http_port`| Management port | `9990` |
 |`keycloak_management_https_port`| TLS management port | `9993` |
-|`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
 |`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `True` |
 |`keycloak_config_standalone_xml`| filename for configuration | `keycloak.xml` |
 |`keycloak_service_user`| posix account username | `keycloak` |
 |`keycloak_service_group`| posix account group | `keycloak` |
 |`keycloak_service_pidfile`| pid file path for service | `/run/keycloak.pid` |
-|`jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-devel` |
+|`keycloak_jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-headless` |
+|`keycloak_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path | `None` |
+|`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
 
 
 * Install options
 
 | Variable | Description | Default |
 |:---------|:------------|:---------|
-|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation  | `False` |
+|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation | `False` |
 |`keycloak_offline_install` | perform an offline install | `False`|
 |`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`| 
 |`keycloak_rhsso_download_url`| Download URL for RHSSO | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=<productID>`|
 |`keycloak_version`| keycloak.org package version | `15.0.2` |
 |`keycloak_rhsso_version`| RHSSO version | `7.5.0` |
+|`keycloak_rhsso_apply_patches`| Install RHSSO more recent cumulative patch | `False` |
 |`keycloak_dest`| Installation root path | `/opt/keycloak` |
+|`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
+|`keycloak_rhn_url` | Base download URI for customer portal | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=` |
+|`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
+
+
+* Miscellaneous configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_archive` | keycloak install archive filename | `keycloak-{{ keycloak_version }}.zip` |
+|`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` |
+|`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` |
+|`keycloak_rhsso_archive` | Red Hat SSO install archive filename | `rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip` |
+|`keycloak_rhsso_installdir`| Installation path for Red Hat SSO | `{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\.([0-9]*).*', '\1.\2') }}` |
+|`keycloak_rhsso_download_url`| Full download URI for Red Hat SSO | `{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}` |
+|`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}` |
+|`keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` |
+|`keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` |
+|`keycloak_config_override_template` | Path to custom template for standalone.xml configuration | `''` |
+|`keycloak_auth_realm` | Name for rest authentication realm | `master` |
+|`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
+|`keycloak_force_install` | Remove pre-existing versions of service | `False` |
+|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
+|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
+|`rhsso_rhn_id` | Customer Portal product ID for Red Hat SSO | `{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}` |
 
 
 Role Variables
@@ -78,7 +116,8 @@ The following are a set of _required_ variables for the role:
 
 | Variable | Description |
 |:---------|:------------|
-|`keycloak_admin_password`| Password for the administration console user account |
+|`keycloak_admin_password`| Password for the administration console user account (minimum 12 characters) |
+|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth` |
 
 
 The following variables are _required_ only when `keycloak_ha_enabled` is True:
@@ -86,8 +125,7 @@ The following variables are _required_ only when `keycloak_ha_enabled` is True:
 | Variable | Description | Default |
 |:---------|:------------|:---------|
 |`keycloak_modcluster_url` | URL for the modcluster reverse proxy | `localhost` |
-|`keycloak_frontend_url` | frontend URL for keycloak endpoints when a reverse proxy is used | `http://localhost` |
-|`keycloak_jdbc_engine` | backend database flavour when db is enabled: [ postgres, mariadb ] | `postgres` |
+|`keycloak_jdbc_engine` | backend database engine when db is enabled: [ postgres, mariadb ] | `postgres` |
 |`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
 |`infinispan_user` | username for connecting to infinispan | `supervisor` |
 |`infinispan_pass` | password for connecting to infinispan | `supervisor` |
@@ -118,14 +156,12 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
 ```yaml
 ---
 - hosts: ...
+      vars:
+        keycloak_admin_password: "remembertochangeme"
       collections:
         - middleware_automation.keycloak
-      tasks:
-        - name: Include keycloak role
-          include_role:
-            name: keycloak
-          vars:
-            keycloak_admin_password: "changeme"
+      roles:
+        - middleware_automation.keycloak.keycloak
 ```
 
 * The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN:
@@ -143,7 +179,7 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
       include_role:
         name: keycloak
       vars:
-        keycloak_admin_password: "changeme"
+        keycloak_admin_password: "remembertochangeme"
         keycloak_rhsso_enable: True
         rhn_username: '<customer portal username>'
         rhn_password: '<customer portal password>'
@@ -162,7 +198,7 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
           include_role:
             name: keycloak
           vars:
-            keycloak_admin_password: "changeme"
+            keycloak_admin_password: "remembertochangeme"
             keycloak_offline_install: True
             # This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip
 ```
@@ -180,14 +216,14 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
       include_role:
         name: keycloak
       vars:
-        keycloak_admin_password: "changeme"
+        keycloak_admin_password: "remembertochangeme"
         keycloak_rhsso_enable: True
         keycloak_rhsso_download_url: "<REPLACE with download url>"
         # This should be the full of remote source rhsso zip file and can contain basic authentication credentials
 ```
 
 
-* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from the controller node:
+* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On offline from the controller node, and apply latest cumulative patch:
 
 ```yaml
 ---
@@ -199,9 +235,10 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
       include_role:
         name: keycloak
       vars:
-        keycloak_admin_password: "changeme"
+        keycloak_admin_password: "remembertochangeme"
         keycloak_rhsso_enable: True
         keycloak_offline_install: True
+        keycloak_rhsso_apply_patches: True
         # This should be the filename of rhsso zip file on Ansible node: rh-sso-7.5-server-dist.zip
 ```
 

roles/keycloak/defaults/main.yml

@@ -6,13 +6,14 @@ keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{
 keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
 keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
 
-### Configuration specific to Red Hat Single Sing-On
+### Configuration specific to Red Hat Single Sign-On
 keycloak_rhsso_version: 7.5.0
-rhsso_rhn_id: "{{ rhsso_rhn_ids[keycloak_rhsso_version] }}"
+rhsso_rhn_id: "{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}"
 keycloak_rhsso_archive: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
 keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
 keycloak_rhn_url: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId='
 keycloak_rhsso_download_url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}"
+keycloak_rhsso_apply_patches: False
 
 ### keycloak/rhsso choice: by default install rhsso if rhn credentials are defined
 keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}"
@@ -20,15 +21,21 @@ keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined and rhn_username is d
 keycloak_offline_install: False
 
 ### Install location and service settings
-jvm_package: java-1.8.0-openjdk-devel
+keycloak_jvm_package: java-1.8.0-openjdk-headless
+keycloak_java_home:
 keycloak_dest: /opt/keycloak
 keycloak_jboss_home: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
 keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
 keycloak_config_standalone_xml: "keycloak.xml"
 keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
+keycloak_config_override_template: ''
 keycloak_service_user: keycloak
 keycloak_service_group: keycloak
 keycloak_service_pidfile: "/run/keycloak.pid"
+keycloak_configure_firewalld: False
+
+### administrator console password
+keycloak_admin_password: ''
 
 ### Common configuration settings
 keycloak_bind_address: 0.0.0.0
@@ -56,7 +63,9 @@ keycloak_force_install: False
 
 ### mod_cluster reverse proxy
 keycloak_modcluster_url: localhost
-keycloak_frontend_url: http://localhost
+
+### keycloak frontend url
+keycloak_frontend_url: http://localhost:8080/auth
 
 ### infinispan remote caches access (hotrod)
 infinispan_user: supervisor

roles/keycloak/handlers/main.yml

@@ -1,3 +1,4 @@
 ---
-- name: restart keycloak
-  include_tasks: restart_keycloak.yml
+- name: "Restart handler"
+  ansible.builtin.include_tasks: restart_keycloak.yml
+  listen: "restart keycloak"

roles/keycloak/meta/argument_specs.yml

@@ -4,162 +4,180 @@ argument_specs:
             keycloak_version:
                 # line 3 of keycloak/defaults/main.yml
                 default: "15.0.2"
-                description: "TODO document argument"
+                description: "keycloak.org package version"
                 type: "str"
             keycloak_archive:
                 # line 4 of keycloak/defaults/main.yml
                 default: "keycloak-{{ keycloak_version }}.zip"
-                description: "TODO document argument"
+                description: "keycloak install archive filename"
                 type: "str"
+            keycloak_configure_firewalld:
+                # line 33 of keycloak/defaults/main.yml
+                default: false
+                description: "Ensure firewalld is running and configure keycloak ports"
+                type: "bool"
             keycloak_download_url:
                 # line 5 of keycloak/defaults/main.yml
                 default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
-                description: "TODO document argument"
+                description: "Download URL for keycloak"
                 type: "str"
             keycloak_download_url_9x:
                 # line 6 of keycloak/defaults/main.yml
                 default: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
-                description: "TODO document argument"
+                description: "Download URL for keycloak (deprecated)"
                 type: "str"
             keycloak_installdir:
                 # line 7 of keycloak/defaults/main.yml
                 default: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
-                description: "TODO document argument"
+                description: "Installation path"
                 type: "str"
             keycloak_rhsso_version:
                 # line 10 of keycloak/defaults/main.yml
                 default: "7.5.0"
-                description: "TODO document argument"
+                description: "Red Hat Single Sign-On version"
                 type: "str"
             rhsso_rhn_id:
                 # line 11 of keycloak/defaults/main.yml
-                default: "{{ rhsso_rhn_ids[keycloak_rhsso_version] }}"
-                description: "TODO document argument"
+                default: "{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}"
+                description: "Customer Portal product ID for Red Hat SSO"
                 type: "str"
             keycloak_rhsso_archive:
                 # line 12 of keycloak/defaults/main.yml
                 default: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
-                description: "TODO document argument"
+                description: "ed Hat SSO install archive filename"
                 type: "str"
+            keycloak_rhsso_apply_patches:
+                # line 16 of keycloak/defaults/main.yml
+                default: false
+                description: "Install RHSSO more recent cumulative patch"
+                type: "bool"
             keycloak_rhsso_installdir:
                 # line 13 of keycloak/defaults/main.yml
                 default: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
-                description: "TODO document argument"
+                description: "Installation path for Red Hat SSO"
                 type: "str"
             keycloak_rhn_url:
                 # line 14 of keycloak/defaults/main.yml
                 default: "https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId="
-                description: "TODO document argument"
+                description: "Base download URI for customer portal"
                 type: "str"
             keycloak_rhsso_download_url:
                 # line 15 of keycloak/defaults/main.yml
                 default: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}"
-                description: "TODO document argument"
+                description: "Full download URI for Red Hat SSO"
                 type: "str"
             keycloak_rhsso_enable:
                 # line 18 of keycloak/defaults/main.yml
                 default: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}"
-                description: "TODO document argument"
+                description: "Enable Red Hat Single Sign-on installation"
                 type: "str"
             keycloak_offline_install:
                 # line 20 of keycloak/defaults/main.yml
                 default: false
-                description: "TODO document argument"
+                description: "Perform an offline install"
                 type: "bool"
-            jvm_package:
+            keycloak_jvm_package:
                 # line 23 of keycloak/defaults/main.yml
-                default: "java-1.8.0-openjdk-devel"
-                description: "TODO document argument"
+                default: "java-1.8.0-openjdk-headless"
+                description: "RHEL java package runtime rpm"
+                type: "str"
+            keycloak_java_home:
+                description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path"
                 type: "str"
             keycloak_dest:
                 # line 24 of keycloak/defaults/main.yml
                 default: "/opt/keycloak"
-                description: "TODO document argument"
+                description: "Root installation directory"
                 type: "str"
             keycloak_jboss_home:
                 # line 25 of keycloak/defaults/main.yml
                 default: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
-                description: "TODO document argument"
+                description: "Installation work directory"
                 type: "str"
             keycloak_config_dir:
                 # line 26 of keycloak/defaults/main.yml
                 default: "{{ keycloak_jboss_home }}/standalone/configuration"
-                description: "TODO document argument"
+                description: "Path for configuration"
                 type: "str"
             keycloak_config_standalone_xml:
                 # line 27 of keycloak/defaults/main.yml
                 default: "keycloak.xml"
-                description: "TODO document argument"
+                description: "Service configuration filename"
                 type: "str"
             keycloak_config_path_to_standalone_xml:
                 # line 28 of keycloak/defaults/main.yml
                 default: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
-                description: "TODO document argument"
+                description: "Custom path for configuration"
+                type: "str"
+            keycloak_config_override_template:
+                # line 30 of keycloak/defaults/main.yml
+                default: ""
+                description: "Path to custom template for standalone.xml configuration"
                 type: "str"
             keycloak_service_user:
                 # line 29 of keycloak/defaults/main.yml
                 default: "keycloak"
-                description: "TODO document argument"
+                description: "posix account username"
                 type: "str"
             keycloak_service_group:
                 # line 30 of keycloak/defaults/main.yml
                 default: "keycloak"
-                description: "TODO document argument"
+                description: "posix account group"
                 type: "str"
             keycloak_service_pidfile:
                 # line 31 of keycloak/defaults/main.yml
                 default: "/run/keycloak.pid"
-                description: "TODO document argument"
+                description: "PID file path for service"
                 type: "str"
             keycloak_bind_address:
                 # line 34 of keycloak/defaults/main.yml
                 default: "0.0.0.0"
-                description: "TODO document argument"
+                description: "Address for binding service ports"
                 type: "str"
             keycloak_host:
                 # line 35 of keycloak/defaults/main.yml
                 default: "localhost"
-                description: "TODO document argument"
+                description: "Hostname for service"
                 type: "str"
             keycloak_http_port:
                 # line 36 of keycloak/defaults/main.yml
                 default: 8080
-                description: "TODO document argument"
+                description: "Listening HTTP port"
                 type: "int"
             keycloak_https_port:
                 # line 37 of keycloak/defaults/main.yml
                 default: 8443
-                description: "TODO document argument"
+                description: "Listening HTTPS port"
                 type: "int"
             keycloak_ajp_port:
                 # line 38 of keycloak/defaults/main.yml
                 default: 8009
-                description: "TODO document argument"
+                description: "Listening AJP port"
                 type: "int"
             keycloak_jgroups_port:
                 # line 39 of keycloak/defaults/main.yml
                 default: 7600
-                description: "TODO document argument"
+                description: "jgroups cluster tcp port"
                 type: "int"
             keycloak_management_http_port:
                 # line 40 of keycloak/defaults/main.yml
                 default: 9990
-                description: "TODO document argument"
+                description: "Management port (http)"
                 type: "int"
             keycloak_management_https_port:
                 # line 41 of keycloak/defaults/main.yml
                 default: 9993
-                description: "TODO document argument"
+                description: "Management port (https)"
                 type: "int"
             keycloak_java_opts:
                 # line 42 of keycloak/defaults/main.yml
                 default: "-Xms1024m -Xmx2048m"
-                description: "TODO document argument"
+                description: "Additional JVM options"
                 type: "str"
             keycloak_prefer_ipv4:
                 # line 43 of keycloak/defaults/main.yml
                 default: true
-                description: "TODO document argument"
+                description: "Prefer IPv4 stack and addresses for port binding"
                 type: "bool"
             keycloak_ha_enabled:
                 # line 46 of keycloak/defaults/main.yml
@@ -179,52 +197,52 @@ argument_specs:
             keycloak_auth_realm:
                 # line 52 of keycloak/defaults/main.yml
                 default: "master"
-                description: "TODO document argument"
+                description: "Name for rest authentication realm"
                 type: "str"
             keycloak_auth_client:
                 # line 53 of keycloak/defaults/main.yml
                 default: "admin-cli"
-                description: "TODO document argument"
+                description: "Authentication client for configuration REST calls"
                 type: "str"
             keycloak_force_install:
                 # line 55 of keycloak/defaults/main.yml
                 default: false
-                description: "TODO document argument"
+                description: "Remove pre-existing versions of service"
                 type: "bool"
             keycloak_modcluster_url:
                 # line 58 of keycloak/defaults/main.yml
                 default: "localhost"
-                description: "TODO document argument"
+                description: "URL for the modcluster reverse proxy"
                 type: "str"
             keycloak_frontend_url:
                 # line 59 of keycloak/defaults/main.yml
                 default: "http://localhost"
-                description: "TODO document argument"
+                description: "Frontend URL for keycloak endpoints when a reverse proxy is used"
                 type: "str"
             infinispan_user:
                 # line 62 of keycloak/defaults/main.yml
                 default: "supervisor"
-                description: "TODO document argument"
+                description: "Username for connecting to infinispan"
                 type: "str"
             infinispan_pass:
                 # line 63 of keycloak/defaults/main.yml
                 default: "supervisor"
-                description: "TODO document argument"
+                description: "Password for connecting to infinispan"
                 type: "str"
             infinispan_url:
                 # line 64 of keycloak/defaults/main.yml
                 default: "localhost"
-                description: "TODO document argument"
+                description: "URL for the infinispan remote-cache server"
                 type: "str"
             infinispan_sasl_mechanism:
                 # line 65 of keycloak/defaults/main.yml
                 default: "SCRAM-SHA-512"
-                description: "TODO document argument"
+                description: "Authentication type to infinispan server"
                 type: "str"
             infinispan_use_ssl:
                 # line 66 of keycloak/defaults/main.yml
                 default: false
-                description: "TODO document argument"
+                description: "Enable hotrod client TLS communication"
                 type: "bool"
             infinispan_trust_store_path:
                 # line 68 of keycloak/defaults/main.yml
@@ -234,45 +252,45 @@ argument_specs:
             infinispan_trust_store_password:
                 # line 69 of keycloak/defaults/main.yml
                 default: "changeit"
-                description: "TODO document argument"
+                description: "Path to truststore containing infinispan server certificate"
                 type: "str"
             keycloak_jdbc_engine:
                 # line 72 of keycloak/defaults/main.yml
                 default: "postgres"
-                description: "TODO document argument"
+                description: "Backend database flavour when db is enabled: [ postgres, mariadb ]"
                 type: "str"
             keycloak_db_user:
                 # line 74 of keycloak/defaults/main.yml
                 default: "keycloak-user"
-                description: "TODO document argument"
+                description: "Username for connecting to database"
                 type: "str"
             keycloak_db_pass:
                 # line 75 of keycloak/defaults/main.yml
                 default: "keycloak-pass"
-                description: "TODO document argument"
+                description: "Password for connecting to database"
                 type: "str"
             keycloak_jdbc_url:
                 # line 76 of keycloak/defaults/main.yml
                 default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
-                description: "TODO document argument"
+                description: "URL for connecting to backend database"
                 type: "str"
             keycloak_jdbc_driver_version:
                 # line 77 of keycloak/defaults/main.yml
                 default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
-                description: "TODO document argument"
+                description: "Version for the JDBC driver to download"
                 type: "str"
             keycloak_admin_password:
                 # line 4 of keycloak/vars/main.yml
                 required: true
-                description: "TODO document argument"
+                description: "Password for the administration console user account"
                 type: "str"
             keycloak_url:
                 # line 12 of keycloak/vars/main.yml
                 default: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
-                description: "TODO document argument"
+                description: "URL for configuration rest calls"
                 type: "str"
             keycloak_management_url:
                 # line 13 of keycloak/vars/main.yml
                 default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
-                description: "TODO document argument"
+                description: "URL for management console rest calls"
                 type: "str"

roles/keycloak/meta/main.yml

@@ -6,8 +6,8 @@ collections:
 galaxy_info:
   role_name: keycloak
   namespace: middleware_automation
-  author: Romain Pelisse, Guido Grazioli
-  description: Install keycloak or Red Hat Single Sing-On server configurations
+  author: Romain Pelisse, Guido Grazioli, Pavan Kumar Motaparthi
+  description: Install keycloak or Red Hat Single Sign-On server configurations
   company: Red Hat, Inc.
 
   license: Apache License 2.0
@@ -17,12 +17,13 @@ galaxy_info:
   platforms:
    - name: EL
      versions:
-     - 7
      - 8
 
   galaxy_tags:
     - keycloak
     - redhat
     - rhel
-    - rhn
-    - sso
+    - sso
+    - authentication
+    - identity
+    - security

roles/keycloak/tasks/fastpackages.yml

@@ -0,0 +1,22 @@
+---
+- name: Check packages to be installed
+  block:
+  - name: "Check if packages are already installed"
+    ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
+    args:
+      warn: no
+    register: rpm_info
+    changed_when: rpm_info.failed
+
+  rescue:
+    - name: "Add missing packages to the yum install list"
+      ansible.builtin.set_fact:
+        packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | flatten }}"
+      when: rpm_info.failed
+
+- name: "Install packages: {{ packages_to_install }}"
+  become: yes
+  ansible.builtin.yum:
+    name: "{{ packages_to_install }}"
+    state: present
+  when: packages_to_install | default([]) | length > 0

roles/keycloak/tasks/fastpackages/check.yml

@@ -1,14 +0,0 @@
----
-- block:
-  - name: "Check if package {{ package_name }} is already installed"
-    command: rpm -q {{ package_name }}
-    args:
-      warn: no
-    register: rpm_info
-    changed_when: rpm_info.failed
-
-  rescue:
-    - name: "If package {{ package_name }} is missing, add it to the yum install list."
-      set_fact:
-        packages_to_install: "{{ packages_to_install + [ package_name ] }}"
-      when: rpm_info.failed

roles/keycloak/tasks/fastpackages/install.yml

@@ -1,17 +0,0 @@
----
-- set_fact:
-    update_cache: true
-    packages_to_install: []
-
-- name: "Check packages to be installed"
-  include_tasks: check.yml
-  loop: "{{ packages_list | flatten }}"
-  loop_control:
-    loop_var: package_name
-
-- name: "Install packages: {{ packages_to_install }}"
-  become: yes
-  yum:
-    name: "{{ packages_to_install }}"
-    state: present
-  when: packages_to_install | length > 0

roles/keycloak/tasks/firewalld.yml

@@ -1,18 +1,18 @@
 ---
-- name: Ensures required package firewalld are installed
-  ansible.builtin.include_tasks: fastpackages/install.yml
+- name: Ensure required package firewalld are installed
+  ansible.builtin.include_tasks: fastpackages.yml
   vars:
     packages_list:
       - firewalld
 
 - name: Enable and start the firewalld service
   become: yes
-  systemd:
+  ansible.builtin.systemd:
     name: firewalld
     enabled: yes
     state: started
 
-- name: Configure firewall for keycloak ports
+- name: "Configure firewall for {{ keycloak.service_name }} ports"
   become: yes
   firewalld:
     port: "{{ item }}"

roles/keycloak/tasks/install.yml

@@ -1,6 +1,6 @@
 ---
 - name: Validate parameters
-  assert:
+  ansible.builtin.assert:
     that:
       - keycloak_jboss_home is defined
       - keycloak_service_user is defined
@@ -12,40 +12,41 @@
 
 - name: Check for an existing deployment
   become: yes
-  stat:
+  ansible.builtin.stat:
     path: "{{ keycloak_jboss_home }}"
   register: existing_deploy
 
-- block:
-    - name: Stop the old keycloak service
+- name: Stop and restart if existing deployment exists and install forced
+  block:
+    - name: "Stop the old {{ keycloak.service_name }} service"
       become: yes
       ignore_errors: yes
-      systemd:
+      ansible.builtin.systemd:
         name: keycloak
         state: stopped
-    - name: Remove the old Keycloak deployment
+    - name: "Remove the old {{ keycloak.service_name }} deployment"
       become: yes
-      file:
+      ansible.builtin.file:
         path: "{{ keycloak_jboss_home }}"
         state: absent
   when: existing_deploy.stat.exists and keycloak_force_install|bool
 
-- name: check for an existing deployment after possible forced removal
+- name: Check for an existing deployment after possible forced removal
   become: yes
-  stat:
+  ansible.builtin.stat:
     path: "{{ keycloak_jboss_home }}"
 
-- name: create Keycloak service user/group
+- name: "Create {{ keycloak.service_name }} service user/group"
   become: yes
-  user:
+  ansible.builtin.user:
     name: "{{ keycloak_service_user }}"
     home: /opt/keycloak
     system: yes
     create_home: no
 
-- name: create Keycloak install location
+- name: "Create {{ keycloak.service_name }} install location"
   become: yes
-  file:
+  ansible.builtin.file:
     dest: "{{ keycloak_dest }}"
     state: directory
     owner: "{{ keycloak_service_user }}"
@@ -54,25 +55,27 @@
 
 ## check remote archive
 - name: Set download archive path
-  set_fact:
+  ansible.builtin.set_fact:
     archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"
 
 - name: Check download archive path
-  stat:
+  become: yes
+  ansible.builtin.stat:
     path: "{{ archive }}"
   register: archive_path
 
 ## download to controller
-- name: Check load download archive path
-  stat:
+- name: Check local download archive path
+  ansible.builtin.stat:
     path: "{{ lookup('env', 'PWD') }}"
   register: local_path
   delegate_to: localhost
 
 - name: Download keycloak archive
-  get_url:
+  ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
     url: "{{ keycloak_download_url }}"
     dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+    mode: 0644
   delegate_to: localhost
   when:
     - archive_path is defined
@@ -81,8 +84,8 @@
     - not keycloak_rhsso_enable
     - not keycloak_offline_install
 
-- name: Performing download from RHN
-  redhat_csp_download:
+- name: Perform download from RHN
+  middleware_automation.redhat_csp_download.redhat_csp_download:
     url: "{{ keycloak_rhsso_download_url }}"
     dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
     username: "{{ rhn_username }}"
@@ -98,9 +101,10 @@
     - keycloak_rhn_url in keycloak_rhsso_download_url
 
 - name: Download rhsso archive from alternate location
-  get_url:
+  ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
     url: "{{ keycloak_rhsso_download_url }}"
     dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+    mode: 0644
   delegate_to: localhost
   when:
     - archive_path is defined
@@ -110,25 +114,35 @@
     - not keycloak_offline_install
     - not keycloak_rhn_url in keycloak_rhsso_download_url
 
+- name: Check downloaded archive
+  ansible.builtin.stat:
+    path: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+  register: local_archive_path
+  delegate_to: localhost
+
 ## copy and unpack
 - name: Copy archive to target nodes
-  copy:
+  ansible.builtin.copy:
     src: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
     dest: "{{ archive }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
-    mode: 0750
+    mode: 0640
   register: new_version_downloaded
+  when:
+    - not archive_path.stat.exists
+    - local_archive_path.stat is defined
+    - local_archive_path.stat.exists
   become: yes
 
 - name: "Check target directory: {{ keycloak.home }}"
-  stat:
+  ansible.builtin.stat:
     path: "{{ keycloak.home }}"
   register: path_to_workdir
   become: yes
 
 - name: "Extract {{ 'Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Keycloak' }} archive on target"
-  unarchive:
+  ansible.builtin.unarchive:
     remote_src: yes
     src: "{{ archive }}"
     dest: "{{ keycloak_dest }}"
@@ -142,13 +156,13 @@
     - restart keycloak
 
 - name: Inform decompression was not executed
-  debug:
+  ansible.builtin.debug:
     msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
   when:
     - not new_version_downloaded.changed and path_to_workdir.stat.exists
 
 - name: "Reown installation directory to {{ keycloak_service_user }}"
-  file:
+  ansible.builtin.file:
     path: "{{ keycloak.home }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
@@ -158,8 +172,8 @@
 
 # driver and configuration
 - name: "Install {{ keycloak_jdbc_engine }} driver"
-  include_role:
-    name: wildfly_driver
+  ansible.builtin.include_role:
+    name: middleware_automation.wildfly.wildfly_driver
   vars:
       wildfly_user: "{{ keycloak_service_user }}"
       jdbc_driver_module_dir: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
@@ -170,21 +184,21 @@
       jdbc_driver_module_name: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}"
   when: keycloak_jdbc[keycloak_jdbc_engine].enabled
 
-- name: "Deploy {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
+- name: "Deploy {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak.config_template_source }}"
   become: yes
-  template:
-    src: templates/standalone.xml.j2
+  ansible.builtin.template:
+    src: "templates/{{ keycloak.config_template_source }}"
     dest: "{{ keycloak_config_path_to_standalone_xml }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
     mode: 0640
   notify:
     - restart keycloak
-  when: not keycloak_remotecache.enabled
+  when: not keycloak_remotecache.enabled or keycloak_config_override_template|length > 0
 
 - name: "Deploy {{ keycloak.service_name }} config with remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
   become: yes
-  template:
+  ansible.builtin.template:
     src: templates/standalone-infinispan.xml.j2
     dest: "{{ keycloak_config_path_to_standalone_xml }}"
     owner: "{{ keycloak_service_user }}"

roles/keycloak/tasks/main.yml

@@ -1,26 +1,44 @@
 ---
 # tasks file for keycloak
 
-- name: Prerequisites
-  include_tasks: prereqs.yml
+- name: Check prerequisites
+  ansible.builtin.include_tasks: prereqs.yml
   tags:
     - prereqs
 
+- name: Include firewall config tasks
+  ansible.builtin.include_tasks: firewalld.yml
+  when: keycloak_configure_firewalld
+  tags:
+    - firewall
+
 - name: Include install tasks
-  include_tasks: tasks/install.yml
+  ansible.builtin.include_tasks: install.yml
+  tags:
+    - install
 
 - name: Include systemd tasks
-  include_tasks: tasks/systemd.yml
+  ansible.builtin.include_tasks: systemd.yml
+  tags:
+    - systemd
+
+- name: Include patch install tasks
+  ansible.builtin.include_tasks: rhsso_patch.yml
+  when: keycloak_rhsso_apply_patches and keycloak_rhsso_enable
+  tags:
+    - install
+    - patch
 
 - name: Link default logs directory
-  file:
+  ansible.builtin.file:
     state: link
     src: "{{ keycloak_jboss_home }}/standalone/log"
     dest: /var/log/keycloak
 
-- block:
-    - name: Check admin credentials by generating a token
-      uri:
+- name: Set admin credentials and restart if not already created
+  block:
+    - name: Check admin credentials by generating a token (supposed to fail on first installation)
+      ansible.builtin.uri:
         url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
         method: POST
         body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
@@ -31,18 +49,19 @@
       delay: 2
   rescue:
     - name: "Create {{ keycloak.service_name }} admin user"
-      command:
+      ansible.builtin.command:
       args:
         argv:
           - "{{ keycloak_jboss_home }}/bin/add-user-keycloak.sh"
           - "-rmaster"
           - "-u{{ keycloak_admin_user }}"
           - "-p{{ keycloak_admin_password }}"
+      changed_when: yes
       become: yes
     - name: "Restart {{ keycloak.service_name }}"
-      include_tasks: tasks/restart_keycloak.yml
+      ansible.builtin.include_tasks: tasks/restart_keycloak.yml
     - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
-      uri:
+      ansible.builtin.uri:
         url: "{{ keycloak.health_url }}"
       register: keycloak_status
       until: keycloak_status.status == 200

roles/keycloak/tasks/prereqs.yml

@@ -1,6 +1,14 @@
 ---
+- name: Validate admin console password
+  ansible.builtin.assert:
+    that:
+      - keycloak_admin_password | length > 12
+    quiet: True
+    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_admin_password variable to a 12+ char long string"
+    success_msg: "{{ 'Console administrator password OK' }}"
+
 - name: Validate configuration
-  assert:
+  ansible.builtin.assert:
     that:
       - (keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and not keycloak_db_enabled)
     quiet: True
@@ -8,7 +16,7 @@
     success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"
 
 - name: Validate credentials
-  assert:
+  ansible.builtin.assert:
     that:
       - (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
       - (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
@@ -16,15 +24,23 @@
     fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
     success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
 
-- name: Set required packages facts
-  set_fact:
-    required_packages:
-    - "{{ jvm_package }}"
-    - unzip
-    - procps-ng
-    - initscripts
+- name: Validate persistence configuration
+  ansible.builtin.assert:
+    that:
+      - keycloak_jdbc_engine is defined and keycloak_jdbc_engine in [ 'postgres', 'mariadb' ]
+      - keycloak_jdbc_url | length > 0
+      - keycloak_db_user | length > 0
+      - keycloak_db_pass | length > 0
+    quiet: True
+    fail_msg: "Configuration for the JDBC persistence is invalid or incomplete"
+    success_msg: "Configuring JDBC persistence using {{ keycloak_jdbc_engine }} database"
+  when: keycloak_db_enabled
 
-- name: Ensures required packages are installed
-  ansible.builtin.include_tasks: fastpackages/install.yml
+- name: Ensure required packages are installed
+  ansible.builtin.include_tasks: fastpackages.yml
   vars:
-    packages_list: "{{ required_packages }}"
+    packages_list:
+      - "{{ keycloak_jvm_package }}"
+      - unzip
+      - procps-ng
+      - initscripts

roles/keycloak/tasks/restart_keycloak.yml

@@ -1,6 +1,6 @@
 ---
-- name: "Restart and enable keycloack service"
-  systemd:
+- name: "Restart and enable {{ keycloak.service_name }} service"
+  ansible.builtin.systemd:
     name: keycloak
     enabled: yes
     state: restarted

roles/keycloak/tasks/rhsso_cli.yml

@@ -0,0 +1,13 @@
+---
+- name: Ensure required params for CLI have been provided
+  ansible.builtin.assert:
+    that:
+      - query is defined
+    fail_msg: "Missing required parameters to execute CLI."
+    quiet: true
+
+- name: "Execute CLI query: {{ query }}"
+  ansible.builtin.command: >
+    {{ keycloak.cli_path }} --connect --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
+  changed_when: false
+  register: cli_result

roles/keycloak/tasks/rhsso_patch.yml

@@ -0,0 +1,87 @@
+---
+## check remote patch archive
+- name: Set download patch archive path
+  ansible.builtin.set_fact:
+    patch_archive: "{{ keycloak_dest }}/{{ keycloak.patch_bundle }}"
+
+- name: Check download patch archive path
+  ansible.builtin.stat:
+    path: "{{ patch_archive }}"
+  register: patch_archive_path
+
+- name: Perform download from RHN
+  middleware_automation.redhat_csp_download.redhat_csp_download:
+    url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.id }}"
+    dest: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
+    username: "{{ rhn_username }}"
+    password: "{{ rhn_password }}"
+  no_log: "{{ omit_rhn_output | default(true) }}"
+  delegate_to: localhost
+  when:
+    - patch_archive_path is defined
+    - patch_archive_path.stat is defined
+    - not patch_archive_path.stat.exists
+    - keycloak_rhsso_enable
+    - not keycloak_offline_install
+
+## copy and unpack
+- name: Copy patch archive to target nodes
+  ansible.builtin.copy:
+    src: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
+    dest: "{{ patch_archive }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0640
+  register: new_version_downloaded
+  when:
+    - not patch_archive_path.stat.exists
+    - local_archive_path.stat is defined
+    - local_archive_path.stat.exists
+  become: yes
+
+- name: "Check installed patches"
+  ansible.builtin.include_tasks: rhsso_cli.yml
+  vars:
+    query: "patch info"
+
+- name: "Perform patching"
+  when: 
+    - cli_result is defined
+    - cli_result.stdout is defined
+    - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
+  block:
+    - name: "Apply patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} to server"
+      ansible.builtin.include_tasks: rhsso_cli.yml
+      vars:
+        query: "patch apply {{ patch_archive }}"
+
+    - name: "Restart server to ensure patch content is running"
+      ansible.builtin.include_tasks: rhsso_cli.yml
+      vars:
+        query: "shutdown --restart"
+      when:
+        - cli_result.rc == 0
+
+    - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
+      ansible.builtin.uri:
+        url: "{{ keycloak.health_url }}"
+      register: keycloak_status
+      until: keycloak_status.status == 200
+      retries: 25
+      delay: 10
+
+    - name: "Query installed patch after restart"
+      ansible.builtin.include_tasks: rhsso_cli.yml
+      vars:
+        query: "patch info"
+  
+    - name: "Verify installed patch version"
+      ansible.builtin.assert:
+        that:
+          - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
+        fail_msg: "Patch installation failed"
+        success_msg: "Patch installation successful"
+
+- name: "Skipping patch"
+  ansible.builtin.debug:
+    msg: "Latest cumulative patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} already installed, skipping patch installation."

roles/keycloak/tasks/start_keycloak.yml

@@ -0,0 +1,15 @@
+---
+- name: "Start {{ keycloak.service_name }} service"
+  ansible.builtin.systemd:
+    name: keycloak
+    enabled: yes
+    state: started
+  become: yes
+
+- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
+  ansible.builtin.uri:
+    url: "{{ keycloak.health_url }}"
+  register: keycloak_status
+  until: keycloak_status.status == 200
+  retries: 25
+  delay: 10

roles/keycloak/tasks/stop_keycloak.yml

@@ -1,6 +1,6 @@
 ---
-- name: "Stop SSO service"
-  systemd:
+- name: "Stop {{ keycloak.service_name }}"
+  ansible.builtin.systemd:
     name: keycloak
     enabled: yes
     state: stopped

roles/keycloak/tasks/systemd.yml

@@ -1,6 +1,7 @@
-- name: configure keycloak service script wrapper
+---
+- name: "Configure {{ keycloak.service_name }} service script wrapper"
   become: yes
-  template:
+  ansible.builtin.template:
     src: keycloak-service.sh.j2
     dest: "{{ keycloak_dest }}/keycloak-service.sh"
     owner: root
@@ -9,19 +10,30 @@
   notify:
     - restart keycloak
 
-- name: configure sysconfig file for keycloak service
+- name: Determine JAVA_HOME for selected JVM RPM  # noqa blocked_modules
+  ansible.builtin.shell: |
+    set -o pipefail
+    rpm -ql {{ keycloak_jvm_package }} | grep -Po '/usr/lib/jvm/.*(?=/bin/java$)'
+  args:
+    executable: /bin/bash
+  changed_when: False
+  register: rpm_java_home
+
+- name: "Configure sysconfig file for {{ keycloak.service_name }} service"
   become: yes
-  template:
+  ansible.builtin.template:
     src: keycloak-sysconfig.j2
     dest: /etc/sysconfig/keycloak
     owner: root
     group: root
     mode: 0644
+  vars:
+    keycloak_rpm_java_home: "{{ rpm_java_home.stdout }}"
   notify:
     - restart keycloak
 
-- name: configure systemd unit file for keycloak service
-  template:
+- name: "Configure systemd unit file for {{ keycloak.service_name }} service"
+  ansible.builtin.template:
     src: keycloak.service.j2
     dest: /etc/systemd/system/keycloak.service
     owner: root
@@ -32,36 +44,30 @@
   notify:
     - restart keycloak
 
-- name: reload systemd
+- name: Reload systemd
   become: yes
-  systemd:
+  ansible.builtin.systemd:
     daemon_reload: yes
   when: systemdunit.changed
 
-- name: start keycloak
-  systemd:
-    name: keycloak
-    enabled: yes
-    state: started
-  become: yes
+- name: "Start and wait for {{ keycloak.service_name }} service (first node db)"
+  ansible.builtin.include_tasks: start_keycloak.yml
+  run_once: yes
+  when: keycloak_db_enabled
+
+- name: "Start and wait for {{ keycloak.service_name }} service (remaining nodes)"
+  ansible.builtin.include_tasks: start_keycloak.yml
 
 - name: Check service status
-  command: "systemctl status keycloak"
+  ansible.builtin.command: "systemctl status keycloak"
   register: keycloak_service_status
   changed_when: False
 
 - name: Verify service status
-  assert:
+  ansible.builtin.assert:
     that:
       - keycloak_service_status is defined
       - keycloak_service_status.stdout is defined
 
-- meta: flush_handlers
-
-- name: "Wait until Keycloak becomes active {{ keycloak.health_url }}"
-  uri:
-    url: "{{ keycloak.health_url }}"
-  register: keycloak_status
-  until: keycloak_status.status == 200
-  retries: 25
-  delay: 10
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers

roles/keycloak/templates/keycloak-service.sh.j2

@@ -17,7 +17,7 @@ checkEnvVar() {
 #  for testing outside systemd
 . /etc/sysconfig/keycloak
 
-readonly KEYCLOAK_HOME={{ keycloak_jboss_home }}
+readonly KEYCLOAK_HOME={{ keycloak.home }}
 readonly KEYCLOAK_BIND_ADDRESS=${KEYCLOAK_BIND_ADDRESS}
 readonly KEYCLOAK_HTTP_PORT=${KEYCLOAK_HTTP_PORT}
 readonly KEYCLOAK_HTTPS_PORT=${KEYCLOAK_HTTPS_PORT}
@@ -27,7 +27,7 @@ readonly KEYCLOAK_PIDFILE={{ keycloak_service_pidfile }}
 
 set -u
 if [ ! -d "${KEYCLOAK_HOME}" ]; then
-  echo "KEYCLOAK_HOME (${KEYCLOAK_HOME}) is not a director or does not exists."
+  echo "KEYCLOAK_HOME (${KEYCLOAK_HOME}) is not a directory or does not exists."
   exit 1
 fi
 

roles/keycloak/templates/keycloak-sysconfig.j2

@@ -1,6 +1,7 @@
 # {{ ansible_managed }}
 JAVA_OPTS='{{ keycloak_java_opts }}'
-JBOSS_HOME={{ keycloak_jboss_home }}
+JAVA_HOME={{ keycloak_java_home  | default(keycloak_rpm_java_home, true) }}
+JBOSS_HOME={{ keycloak.home }}
 KEYCLOAK_BIND_ADDRESS={{ keycloak_bind_address }}
 KEYCLOAK_HTTP_PORT={{ keycloak_http_port }}
 KEYCLOAK_HTTPS_PORT={{ keycloak_https_port }}

roles/keycloak/templates/keycloak.service.j2

@@ -1,6 +1,6 @@
 # {{ ansible_managed }}
 [Unit]
-Description=Keycloak Server
+Description={{ keycloak.service_name }} Server
 After=network.target
 
 [Service]

roles/keycloak/templates/standalone-infinispan.xml.j2

@@ -633,7 +633,7 @@
         <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
 {% if keycloak_modcluster.enabled %}    
         <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
-            <proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
+            <proxy name="default" advertise="false" listener="ajp" proxies="proxy1">
                 <dynamic-load-provider>
                     <load-metric type="cpu"/>
                 </dynamic-load-provider>
@@ -726,7 +726,7 @@
         <interface name="management">
             <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
         </interface>
-	    <interface name="jgroups">
+        <interface name="jgroups">
 {% if ansible_default_ipv4 is defined %}
             <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('net') }}"/>
 {% else %}
@@ -744,7 +744,6 @@
         <socket-binding name="management-http" interface="management" port="{{ keycloak_management_http_port }}"/>
         <socket-binding name="management-https" interface="management" port="{{ keycloak_management_https_port }}"/>
         <socket-binding name="jgroups-tcp" interface="jgroups" port="{{ keycloak_jgroups_port }}"/>
-        <socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
         <socket-binding name="txn-recovery-environment" port="4712"/>
         <socket-binding name="txn-status-manager" port="4713"/>
         <outbound-socket-binding name="mail-smtp">

roles/keycloak/templates/standalone.xml.j2

@@ -546,7 +546,7 @@
         <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
 {% if keycloak_modcluster.enabled %}        
         <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
-            <proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
+            <proxy name="default" advertise="false" listener="ajp" proxies="proxy1">
                 <dynamic-load-provider>
                     <load-metric type="cpu"/>
                 </dynamic-load-provider>
@@ -644,7 +644,6 @@
         <socket-binding name="https" port="{{ keycloak_https_port }}"/>
         <socket-binding name="management-http" interface="management" port="{{ keycloak_management_http_port }}"/>
         <socket-binding name="management-https" interface="management" port="{{ keycloak_management_https_port }}"/>
-        <socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
         <socket-binding name="txn-recovery-environment" port="4712"/>
         <socket-binding name="txn-status-manager" port="4713"/>
         <outbound-socket-binding name="mail-smtp">

roles/keycloak/vars/main.yml

@@ -1,12 +1,11 @@
 ---
-# required variables for keycloak
-# administrator console password
-keycloak_admin_password:
-
 # internal variables below
 rhsso_rhn_ids:
-  '7.5.0': '101971'
-  '7.5.1': '103836'
+  '7.5.0': # noqa vars_in_vars_files_have_valid_names
+    id: '101971'
+    latest_cp:
+      id: '103836'
+      v: '7.5.1'
 
 # locations
 keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
@@ -17,8 +16,11 @@ keycloak:
   home: "{{ keycloak_jboss_home }}"
   config_dir: "{{ keycloak_config_dir }}"
   bundle: "{{ keycloak_rhsso_archive if keycloak_rhsso_enable else keycloak_archive }}"
+  patch_bundle: "rh-sso-{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }}-patch.zip"
   service_name: "{{ 'rhsso' if keycloak_rhsso_enable else 'keycloak' }}"
   health_url: "{{ keycloak_management_url }}/health"
+  cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh"
+  config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 else 'standalone.xml.j2' }}"
 
 # database
 keycloak_jdbc:

roles/keycloak_quarkus/README.md

@@ -0,0 +1,119 @@
+keycloak_quarkus
+================
+
+Install [keycloak](https://keycloak.org/) >= 17.0.0 (quarkus) server configurations.
+
+
+Role Defaults
+-------------
+
+* Installation options
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_version`| keycloak.org package version | `17.0.1` |
+
+
+* Service configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
+|`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` |
+|`keycloak_quarkus_admin_user`| Administration console user account | `admin` |
+|`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` |
+|`keycloak_quarkus_host`| hostname | `localhost` |
+|`keycloak_quarkus_http_port`| HTTP port | `8080` |
+|`keycloak_quarkus_https_port`| TLS HTTP port | `8443` |
+|`keycloak_quarkus_ajp_port`| AJP port | `8009` |
+|`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7600` |
+|`keycloak_quarkus_service_user`| Posix account username | `keycloak` |
+|`keycloak_quarkus_service_group`| Posix account group | `keycloak` |
+|`keycloak_quarkus_service_pidfile`| Pid file path for service | `/run/keycloak.pid` |
+|`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-11-openjdk-headless` |
+|`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
+|`keycloak_quarkus_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
+|`keycloak_quarkus_frontend_url`| Service public URL | `http://localhost:8080/auth` |
+|`keycloak_quarkus_http_relative_path` | Service context path | `auth` |
+|`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
+|`keycloak_quarkus_https_enabled`| Enable listener on HTTPS port | `False` |
+|`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `conf/server.key.pem` |
+|`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `conf/server.crt.pem` |
+
+
+* Database configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_jdbc_engine` | Database engine [mariadb,postres] | `postgres` |
+|`keycloak_quarkus_db_user` | User for database connection | `keycloak-user` |
+|`keycloak_quarkus_db_pass` | Password for database connection | `keycloak-pass` |
+|`keycloak_quarkus_jdbc_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` |
+|`keycloak_quarkus_jdbc_driver_version` | Version for JDBC driver | `9.4.1212` |
+
+
+* Remote caches configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_ispn_user` | Username for connecting to infinispan | `supervisor` |
+|`keycloak_quarkus_ispn_pass` | Password for connecting to infinispan | `supervisor` |
+|`keycloak_quarkus_ispn_url` | URL for connecting to infinispan | `localhost` |
+|`keycloak_quarkus_ispn_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` |
+|`keycloak_quarkus_ispn_use_ssl` | Whether infinispan uses TLS connection | `false` |
+|`keycloak_quarkus_ispn_trust_store_path` | Path to infinispan server trust certificate | `/etc/pki/java/cacerts` |
+|`keycloak_quarkus_ispn_trust_store_password` | Password for infinispan certificate keystore | `changeit` | 
+
+
+* Install options
+
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+|`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
+|`keycloak_quarkus_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`| 
+|`keycloak_quarkus_version`| keycloak.org package version | `17.0.1` |
+|`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
+|`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
+|`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
+
+
+* Miscellaneous configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+|`keycloak_quarkus_metrics_enabled`| Whether to enable metrics | `False` |
+|`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints | `True` |
+|`keycloak_quarkus_archive` | keycloak install archive filename | `keycloak-{{ keycloak_quarkus_version }}.zip` |
+|`keycloak_quarkus_installdir` | Installation path | `{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}` |
+|`keycloak_quarkus_home` | Installation work directory | `{{ keycloak_quarkus_installdir }}` |
+|`keycloak_quarkus_config_dir` | Path for configuration | `{{ keycloak_quarkus_home }}/conf` |
+|`keycloak_quarkus_master_realm` | Name for rest authentication realm | `master` |
+|`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
+|`keycloak_force_install` | Remove pre-existing versions of service | `False` |
+|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_http_port }}` |
+|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_management_http_port }}` |
+|`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` |
+|`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` |
+|`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` |
+|`keycloak_quarkus_log_format`| Set a format specific to file log entries | `%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n` |
+|`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` |
+
+
+Role Variables
+--------------
+
+| Variable | Description | Required |
+|:---------|:------------|----------|
+|`keycloak_quarkus_admin_pass`| Password of console admin account | `yes` |
+
+
+License
+-------
+
+Apache License 2.0
+
+
+Author Information
+------------------
+
+* [Guido Grazioli](https://github.com/guidograzioli)

roles/keycloak_quarkus/defaults/main.yml

@@ -0,0 +1,87 @@
+---
+### Configuration specific to keycloak
+keycloak_quarkus_version: 18.0.0
+keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
+keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"  
+keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
+
+# whether to install from local archive
+keycloak_quarkus_offline_install: False
+
+### Install location and service settings
+keycloak_quarkus_jvm_package: java-11-openjdk-headless
+keycloak_quarkus_java_home:
+keycloak_quarkus_dest: /opt/keycloak
+keycloak_quarkus_home: "{{ keycloak_quarkus_installdir }}"
+keycloak_quarkus_config_dir: "{{ keycloak_quarkus_home }}/conf"
+keycloak_quarkus_service_user: keycloak
+keycloak_quarkus_service_group: keycloak
+keycloak_quarkus_service_pidfile: "/run/keycloak.pid"
+keycloak_quarkus_configure_firewalld: False
+
+### administrator console password
+keycloak_quarkus_admin_user: admin
+keycloak_quarkus_admin_pass: ''
+keycloak_quarkus_master_realm: master
+
+### Configuration settings
+keycloak_quarkus_bind_address: 0.0.0.0
+keycloak_quarkus_host: localhost
+keycloak_quarkus_http_enabled: True
+keycloak_quarkus_http_port: 8080
+keycloak_quarkus_https_port: 8443
+keycloak_quarkus_ajp_port: 8009
+keycloak_quarkus_jgroups_port: 7600
+keycloak_quarkus_java_opts: "-Xms1024m -Xmx2048m"
+
+### TLS/HTTPS configuration
+keycloak_quarkus_https_enabled: False
+keycloak_quarkus_key_file: conf/server.key.pem
+keycloak_quarkus_cert_file: conf/server.crt.pem
+
+### Enable configuration for database backend, clustering and remote caches on infinispan
+keycloak_quarkus_ha_enabled: False
+### Enable database configuration, must be enabled when HA is configured
+keycloak_quarkus_db_enabled: "{{ True if keycloak_quarkus_ha_enabled else False }}"
+
+### keycloak frontend url
+keycloak_quarkus_http_relative_path: auth
+keycloak_quarkus_frontend_url: http://localhost:8080/auth
+
+# proxy address forwarding mode if the server is behind a reverse proxy. [edge, reencrypt, passthrough]
+keycloak_quarkus_proxy_mode: edge
+
+keycloak_quarkus_metrics_enabled: False
+keycloak_quarkus_health_enabled: True
+
+### infinispan remote caches access (hotrod)
+keycloak_quarkus_ispn_user: supervisor
+keycloak_quarkus_ispn_pass: supervisor
+keycloak_quarkus_ispn_url: localhost
+keycloak_quarkus_ispn_sasl_mechanism: SCRAM-SHA-512
+keycloak_quarkus_ispn_use_ssl: False
+# if ssl is enabled, import ispn server certificate here
+keycloak_quarkus_ispn_trust_store_path: /etc/pki/java/cacerts
+keycloak_quarkus_ispn_trust_store_password: changeit
+
+### database backend engine: values [ 'postgres', 'mariadb' ]
+keycloak_quarkus_jdbc_engine: postgres
+### database backend credentials
+keycloak_quarkus_db_user: keycloak-user
+keycloak_quarkus_db_pass: keycloak-pass
+keycloak_quarkus_jdbc_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
+keycloak_quarkus_jdbc_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
+# override the variables above, following defaults show minimum supported versions
+keycloak_quarkus_default_jdbc:
+  postgres:
+    url: 'jdbc:postgresql://localhost:5432/keycloak'
+    version: 9.4.1212
+  mariadb:
+    url: 'jdbc:mariadb://localhost:3306/keycloak'
+    version: 2.7.4
+
+### logging configuration
+keycloak_quarkus_log: file
+keycloak_quarkus_log_level: info
+keycloak_quarkus_log_file: data/log/keycloak.log
+keycloak_quarkus_log_format: '%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n'

roles/keycloak_quarkus/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: "Restart {{ keycloak.service_name }}"
+  ansible.builtin.include_tasks: restart.yml
+  listen: "restart keycloak"

roles/keycloak_quarkus/meta/argument_specs.yml

@@ -0,0 +1,246 @@
+argument_specs:
+    main:
+        options:
+            keycloak_quarkus_version:
+                # line 3 of defaults/main.yml
+                default: "17.0.1"
+                description: "keycloak.org package version"
+                type: "str"
+            keycloak_quarkus_archive:
+                # line 4 of defaults/main.yml
+                default: "keycloak-{{ keycloak_quarkus_version }}.zip"
+                description: "keycloak install archive filename"
+                type: "str"
+            keycloak_quarkus_download_url:
+                # line 5 of defaults/main.yml
+                default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
+                description: "Download URL for keycloak"
+                type: "str"
+            keycloak_quarkus_installdir:
+                # line 6 of defaults/main.yml
+                default: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
+                description: "Installation path"
+                type: "str"
+            keycloak_quarkus_offline_install:
+                # line 9 of defaults/main.yml
+                default: false
+                description: "Perform an offline install"
+                type: "bool"
+            keycloak_quarkus_jvm_package:
+                # line 12 of defaults/main.yml
+                default: "java-11-openjdk-headless"
+                description: "RHEL java package runtime"
+                type: "str"
+            keycloak_quarkus_java_home:
+                description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path"
+                type: "str"
+            keycloak_quarkus_dest:
+                # line 13 of defaults/main.yml
+                default: "/opt/keycloak"
+                description: "Installation root path"
+                type: "str"
+            keycloak_quarkus_home:
+                # line 14 of defaults/main.yml
+                default: "{{ keycloak_quarkus_installdir }}"
+                description: "Installation work directory"
+                type: "str"
+            keycloak_quarkus_config_dir:
+                # line 15 of defaults/main.yml
+                default: "{{ keycloak_quarkus_home }}/conf"
+                description: "Path for configuration"
+                type: "str"
+            keycloak_quarkus_service_user:
+                # line 16 of defaults/main.yml
+                default: "keycloak"
+                description: "Posix account username"
+                type: "str"
+            keycloak_quarkus_service_group:
+                # line 17 of defaults/main.yml
+                default: "keycloak"
+                description: "Posix account group"
+                type: "str"
+            keycloak_quarkus_service_pidfile:
+                # line 18 of defaults/main.yml
+                default: "/run/keycloak.pid"
+                description: "Pid file path for service"
+                type: "str"
+            keycloak_quarkus_configure_firewalld:
+                # line 19 of defaults/main.yml
+                default: false
+                description: "Ensure firewalld is running and configure keycloak ports"
+                type: "bool"
+            keycloak_quarkus_admin_user:
+                # line 22 of defaults/main.yml
+                default: "admin"
+                description: "Administration console user account"
+                type: "str"
+            keycloak_quarkus_admin_pass:
+                # line 23 of defaults/main.yml
+                default: ""
+                description: "Password of console admin account"
+                type: "str"
+            keycloak_quarkus_master_realm:
+                # line 24 of defaults/main.yml
+                default: "master"
+                description: "Name for rest authentication realm"
+                type: "str"
+            keycloak_quarkus_bind_address:
+                # line 27 of defaults/main.yml
+                default: "0.0.0.0"
+                description: "Address for binding service ports"
+                type: "str"
+            keycloak_quarkus_host:
+                # line 28 of defaults/main.yml
+                default: "localhost"
+                description: "hostname"
+                type: "str"
+            keycloak_quarkus_http_enabled:
+                default: true
+                description: "Enable listener on HTTP port"
+                type: "bool"                
+            keycloak_quarkus_http_port:
+                # line 29 of defaults/main.yml
+                default: 8080
+                description: "HTTP port"
+                type: "int"
+            keycloak_quarkus_https_enabled:
+                default: false
+                description: "Enable listener on HTTPS port"
+                type: "bool" 
+            keycloak_quarkus_key_file:
+                default: "conf/server.key.pem"
+                description: "The file path to a private key in PEM format"
+                type: "str"
+            keycloak_quarkus_cert_file:
+                default: "conf/server.crt.pem"
+                description: "The file path to a server certificate or certificate chain in PEM format"
+                type: "str"
+            keycloak_quarkus_https_port:
+                # line 30 of defaults/main.yml
+                default: 8443
+                description: "HTTPS port"
+                type: "int"
+            keycloak_quarkus_ajp_port:
+                # line 31 of defaults/main.yml
+                default: 8009
+                description: "AJP port"
+                type: "int"
+            keycloak_quarkus_jgroups_port:
+                # line 32 of defaults/main.yml
+                default: 7600
+                description: "jgroups cluster tcp port"
+                type: "int"
+            keycloak_quarkus_java_opts:
+                # line 33 of defaults/main.yml
+                default: "-Xms1024m -Xmx2048m"
+                description: "Additional JVM options"
+                type: "str"
+            keycloak_quarkus_ha_enabled:
+                # line 36 of defaults/main.yml
+                default: false
+                description: "Enable auto configuration for database backend, clustering and remote caches on infinispan"
+                type: "bool"
+            keycloak_quarkus_db_enabled:
+                # line 38 of defaults/main.yml
+                default: "{{ True if keycloak_quarkus_ha_enabled else False }}"
+                description: "Enable auto configuration for database backend"
+                type: "str"
+            keycloak_quarkus_http_relative_path:
+                # line 41 of defaults/main.yml
+                default: "auth"
+                description: "Service context path"
+                type: "str"
+            keycloak_quarkus_frontend_url:
+                # line 41 of defaults/main.yml
+                default: "http://localhost:8080/auth"
+                description: "Service public URL"
+                type: "str"
+            keycloak_quarkus_metrics_enabled:
+                # line 43 of defaults/main.yml
+                default: false
+                description: "Whether to enable metrics"
+                type: "bool"
+            keycloak_quarkus_health_enabled:
+                default: true
+                description: "If the server should expose health check endpoints"
+                type: "bool"
+            keycloak_quarkus_ispn_user:
+                # line 46 of defaults/main.yml
+                default: "supervisor"
+                description: "Username for connecting to infinispan"
+                type: "str"
+            keycloak_quarkus_ispn_pass:
+                # line 47 of defaults/main.yml
+                default: "supervisor"
+                description: "Password for connecting to infinispan"
+                type: "str"
+            keycloak_quarkus_ispn_url:
+                # line 48 of defaults/main.yml
+                default: "localhost"
+                description: "URL for connecting to infinispan"
+                type: "str"
+            keycloak_quarkus_ispn_sasl_mechanism:
+                # line 49 of defaults/main.yml
+                default: "SCRAM-SHA-512"
+                description: "Infinispan auth mechanism"
+                type: "str"
+            keycloak_quarkus_ispn_use_ssl:
+                # line 50 of defaults/main.yml
+                default: false
+                description: "Whether infinispan uses TLS connection"
+                type: "bool"
+            keycloak_quarkus_ispn_trust_store_path:
+                # line 52 of defaults/main.yml
+                default: "/etc/pki/java/cacerts"
+                description: "Path to infinispan server trust certificate"
+                type: "str"
+            keycloak_quarkus_ispn_trust_store_password:
+                # line 53 of defaults/main.yml
+                default: "changeit"
+                description: "Password for infinispan certificate keystore"
+                type: "str"
+            keycloak_quarkus_jdbc_engine:
+                # line 56 of defaults/main.yml
+                default: "postgres"
+                description: "Database engine [mariadb,postres]"
+                type: "str"
+            keycloak_quarkus_db_user:
+                # line 58 of defaults/main.yml
+                default: "keycloak-user"
+                description: "User for database connection"
+                type: "str"
+            keycloak_quarkus_db_pass:
+                # line 59 of defaults/main.yml
+                default: "keycloak-pass"
+                description: "Password for database connection"
+                type: "str"
+            keycloak_quarkus_jdbc_url:
+                # line 60 of defaults/main.yml
+                default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
+                description: "JDBC URL for connecting to database"
+                type: "str"
+            keycloak_quarkus_jdbc_driver_version:
+                # line 61 of defaults/main.yml
+                default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
+                description: "Version for JDBC driver"
+                type: "str"
+            keycloak_quarkus_log:
+                default: "file"
+                type: "str"
+                description: "Enable one or more log handlers in a comma-separated list"
+            keycloak_quarkus_log_level:
+                default: "info"
+                type: "str"
+                description: "The log level of the root category or a comma-separated list of individual categories and their levels"
+            keycloak_quarkus_log_file:
+                default: "data/log/keycloak.log"
+                type: "str"
+                description: "Set the log file path and filename relative to keycloak home"
+            keycloak_quarkus_log_format:
+                default: '%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n'
+                type: "str"
+                description: "Set a format specific to file log entries"
+            keycloak_quarkus_proxy_mode:
+                default: 'edge'
+                type: "str"
+                description: "The proxy address forwarding mode if the server is behind a reverse proxy"

roles/keycloak_quarkus/meta/main.yml

@@ -0,0 +1,28 @@
+---
+collections:
+
+galaxy_info:
+  role_name: keycloak_quarkus
+  namespace: middleware_automation
+  author: Guido Grazioli
+  description: Install keycloak on quarkus server configurations
+  company: Red Hat, Inc.
+
+  license: Apache License 2.0
+
+  min_ansible_version: "2.9"
+
+  platforms:
+   - name: EL
+     versions:
+     - 8
+
+  galaxy_tags:
+    - keycloak
+    - quarkus
+    - redhat
+    - rhel
+    - sso
+    - authentication
+    - identity
+    - security

roles/keycloak_quarkus/tasks/fastpackages.yml

@@ -0,0 +1,22 @@
+---
+- name: Check packages to be installed
+  block:
+  - name: "Check if packages are already installed"
+    ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
+    args:
+      warn: no
+    register: rpm_info
+    changed_when: rpm_info.failed
+
+  rescue:
+    - name: "Add missing packages to the yum install list"
+      ansible.builtin.set_fact:
+        packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | flatten }}"
+      when: rpm_info.failed
+
+- name: "Install packages: {{ packages_to_install | join(',') }}"
+  become: yes
+  ansible.builtin.yum:
+    name: "{{ packages_to_install }}"
+    state: present
+  when: packages_to_install | default([]) | length > 0

roles/keycloak_quarkus/tasks/firewalld.yml

@@ -0,0 +1,25 @@
+---
+- name: Ensure required package firewalld are installed
+  ansible.builtin.include_tasks: fastpackages.yml
+  vars:
+    packages_list:
+      - firewalld
+
+- name: Enable and start the firewalld service
+  become: yes
+  ansible.builtin.systemd:
+    name: firewalld
+    enabled: yes
+    state: started
+
+- name: "Configure firewall for {{ keycloak.service_name }} ports"
+  become: yes
+  firewalld:
+    port: "{{ item }}"
+    permanent: true
+    state: enabled
+    immediate: yes
+  loop:
+    - "{{ keycloak_quarkus_http_port }}/tcp"
+    - "{{ keycloak_quarkus_https_port }}/tcp"
+    - "{{ keycloak_quarkus_jgroups_port }}/tcp"

roles/keycloak_quarkus/tasks/install.yml

@@ -0,0 +1,111 @@
+---
+- name: Validate parameters
+  ansible.builtin.assert:
+    that:
+      - keycloak.home is defined
+      - keycloak_quarkus_service_user is defined
+      - keycloak_quarkus_dest is defined
+      - keycloak_quarkus_archive is defined
+      - keycloak_quarkus_download_url is defined
+      - keycloak_quarkus_version is defined
+    quiet: true
+
+- name: Check for an existing deployment
+  become: yes
+  ansible.builtin.stat:
+    path: "{{ keycloak.home }}"
+  register: existing_deploy
+
+- name: "Create {{ keycloak.service_name }} service user/group"
+  become: yes
+  ansible.builtin.user:
+    name: "{{ keycloak.service_user }}"
+    home: /opt/keycloak
+    system: yes
+    create_home: no
+
+- name: "Create {{ keycloak.service_name }} install location"
+  become: yes
+  ansible.builtin.file:
+    dest: "{{ keycloak_quarkus_dest }}"
+    state: directory
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+    mode: 0750
+
+## check remote archive
+- name: Set download archive path
+  ansible.builtin.set_fact:
+    archive: "{{ keycloak_quarkus_dest }}/{{ keycloak.bundle }}"
+
+- name: Check download archive path
+  become: yes
+  ansible.builtin.stat:
+    path: "{{ archive }}"
+  register: archive_path
+
+## download to controller
+- name: Check local download archive path
+  ansible.builtin.stat:
+    path: "{{ lookup('env', 'PWD') }}"
+  register: local_path
+  delegate_to: localhost
+
+- name: Download keycloak archive
+  ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
+    url: "{{ keycloak_quarkus_download_url }}"
+    dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+    mode: 0640
+  delegate_to: localhost
+  when:
+    - archive_path is defined
+    - archive_path.stat is defined
+    - not archive_path.stat.exists
+    - not keycloak.offline_install
+
+- name: Check downloaded archive
+  ansible.builtin.stat:
+    path: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+  register: local_archive_path
+  delegate_to: localhost
+
+## copy and unpack
+- name: Copy archive to target nodes
+  ansible.builtin.copy:
+    src: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+    dest: "{{ archive }}"
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+    mode: 0750
+  register: new_version_downloaded
+  when:
+    - not archive_path.stat.exists
+    - local_archive_path.stat is defined
+    - local_archive_path.stat.exists
+  become: yes
+
+- name: "Check target directory: {{ keycloak.home }}"
+  ansible.builtin.stat:
+    path: "{{ keycloak.home }}"
+  register: path_to_workdir
+  become: yes
+
+- name: "Extract Keycloak archive on target"
+  ansible.builtin.unarchive:
+    remote_src: yes
+    src: "{{ archive }}"
+    dest: "{{ keycloak_quarkus_dest }}"
+    creates: "{{ keycloak.home }}"
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+  become: yes
+  when:
+    - new_version_downloaded.changed or not path_to_workdir.stat.exists
+  notify:
+    - restart keycloak
+
+- name: Inform decompression was not executed
+  ansible.builtin.debug:
+    msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
+  when:
+    - not new_version_downloaded.changed and path_to_workdir.stat.exists

roles/keycloak_quarkus/tasks/main.yml

@@ -0,0 +1,57 @@
+---
+# tasks file for keycloak
+- name: Check prerequisites
+  ansible.builtin.include_tasks: prereqs.yml
+  tags:
+    - prereqs
+
+- name: Include firewall config tasks
+  ansible.builtin.include_tasks: firewalld.yml
+  when: keycloak_quarkus_configure_firewalld
+  tags:
+    - firewall
+
+- name: Include install tasks
+  ansible.builtin.include_tasks: install.yml
+  tags:
+    - install
+
+- name: Include systemd tasks
+  ansible.builtin.include_tasks: systemd.yml
+  tags:
+    - systemd
+
+- name: "Configure config for keycloak service"
+  ansible.builtin.template:
+    src: keycloak.conf.j2
+    dest: "{{ keycloak.home }}/conf/keycloak.conf"
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+    mode: 0644
+  notify:
+    - restart keycloak
+
+- name: "Configure quarkus config for keycloak service"
+  ansible.builtin.template:
+    src: quarkus.properties.j2
+    dest: "{{ keycloak.home }}/conf/quarkus.properties"
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+    mode: 0644
+  notify:
+    - restart keycloak    
+
+- name: "Start and wait for keycloak service"
+  ansible.builtin.include_tasks: start.yml
+
+- name: Check service status
+  ansible.builtin.command: "systemctl status keycloak"
+  register: keycloak_service_status
+  changed_when: False
+
+- name: Link default logs directory
+  ansible.builtin.file:
+    state: link
+    src: "{{ keycloak.home }}/{{ keycloak.log.file }}"
+    dest: /var/log/keycloak
+    force: yes

roles/keycloak_quarkus/tasks/prereqs.yml

@@ -0,0 +1,34 @@
+---
+- name: Validate admin console password
+  ansible.builtin.assert:
+    that:
+      - keycloak_quarkus_admin_pass | length > 12
+    quiet: True
+    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass variable to a 12+ char long string"
+    success_msg: "{{ 'Console administrator password OK' }}"
+
+- name: Validate configuration
+  ansible.builtin.assert:
+    that:
+      - (keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and not keycloak_quarkus_db_enabled)
+    quiet: True
+    fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled"
+    success_msg: "{{ 'Configuring HA' if keycloak_quarkus_ha_enabled else 'Configuring standalone' }}"
+
+# - name: Validate credentials
+#   ansible.builtin.assert:
+#     that:
+#       - (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
+#       - (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
+#     quiet: True
+#     fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
+#     success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
+
+- name: Ensure required packages are installed
+  ansible.builtin.include_tasks: fastpackages.yml
+  vars:
+    packages_list:
+      - "{{ keycloak_quarkus_jvm_package }}"
+      - unzip
+      - procps-ng
+      - initscripts

roles/keycloak_quarkus/tasks/restart.yml

@@ -0,0 +1,7 @@
+---
+- name: "Restart and enable {{ keycloak.service_name }} service"
+  ansible.builtin.systemd:
+    name: keycloak
+    enabled: yes
+    state: restarted
+  become: yes

roles/keycloak_quarkus/tasks/start.yml

@@ -0,0 +1,15 @@
+---
+- name: "Start {{ keycloak.service_name }} service"
+  ansible.builtin.systemd:
+    name: keycloak
+    enabled: yes
+    state: started
+  become: yes
+
+- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
+  ansible.builtin.uri:
+    url: "{{ keycloak.health_url }}"
+  register: keycloak_status
+  until: keycloak_status.status == 200
+  retries: 25
+  delay: 10

roles/keycloak_quarkus/tasks/systemd.yml

@@ -0,0 +1,40 @@
+---
+- name: Determine JAVA_HOME for selected JVM RPM  # noqa blocked_modules
+  ansible.builtin.shell: |
+    set -o pipefail
+    rpm -ql {{ keycloak_quarkus_jvm_package }} | grep -Po '/usr/lib/jvm/.*(?=/bin/java$)'
+  args:
+    executable: /bin/bash
+  changed_when: False
+  register: rpm_java_home
+
+- name: "Configure sysconfig file for keycloak service"
+  become: yes
+  ansible.builtin.template:
+    src: keycloak-sysconfig.j2
+    dest: /etc/sysconfig/keycloak
+    owner: root
+    group: root
+    mode: 0644
+  vars:
+    keycloak_rpm_java_home: "{{ rpm_java_home.stdout }}"
+  notify:
+    - restart keycloak
+
+- name: "Configure systemd unit file for keycloak service"
+  ansible.builtin.template:
+    src: keycloak.service.j2
+    dest: /etc/systemd/system/keycloak.service
+    owner: root
+    group: root
+    mode: 0644
+  become: yes
+  register: systemdunit
+  notify:
+    - restart keycloak
+
+- name: Reload systemd
+  become: yes
+  ansible.builtin.systemd:
+    daemon_reload: yes
+  when: systemdunit.changed

roles/keycloak_quarkus/templates/keycloak-sysconfig.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }}
+KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'
+JAVA_HOME={{ keycloak_java_home  | default(keycloak_rpm_java_home, true) }}

roles/keycloak_quarkus/templates/keycloak.conf.j2

@@ -0,0 +1,47 @@
+# {{ ansible_managed }}
+
+{% if keycloak_quarkus_db_enabled %}
+# Database
+db={{ keycloak_quarkus_jdbc_engine }}
+db-url={{ keycloak_quarkus_jdbc_url }}
+db-username={{ keycloak_quarkus_db_user }}
+db-password={{ keycloak_quarkus_db_pass }}
+{% endif %}
+
+# Observability
+metrics-enabled={{ keycloak_quarkus_metrics_enabled }}
+health-enabled={{ keycloak_quarkus_health_enabled }}
+
+# HTTP
+http-enabled={{ keycloak_quarkus_http_enabled }}
+http-port={{ keycloak_quarkus_http_port }}
+
+# HTTPS
+https-port={{ keycloak_quarkus_https_port }}
+{% if keycloak_quarkus_https_enabled %}
+https-certificate-file={{ keycloak.home }}/{{ keycloak_quarkus_cert_file}}
+https-certificate-key-file={{ keycloak.home }}/{{ keycloak_quarkus_key_file }}
+{% endif %}
+
+# Hostname for the Keycloak server.
+hostname={{ keycloak_quarkus_host }}
+hostname-path={{ keycloak_quarkus_http_relative_path }}
+
+# Cluster
+{% if keycloak_quarkus_ha_enabled %}
+cache=ispn
+cache-config-file=conf/cache-ispn.xml
+cache-stack=tcp
+{% endif %}
+
+# Proxy
+proxy={{ keycloak_quarkus_proxy_mode }}
+# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
+#spi-sticky-session-encoder-infinispan-should-attach-route=false
+
+# Logging
+#log-format=%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n
+log={{ keycloak_quarkus_log }}
+log-level={{ keycloak.log.level }}
+log-file={{ keycloak.log.file }}
+log-file-format={{ keycloak.log.format }}

roles/keycloak_quarkus/templates/keycloak.service.j2

@@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+[Unit]
+Description=Keycloak Server
+After=network.target
+
+[Service]
+Type=simple
+EnvironmentFile=-/etc/sysconfig/keycloak
+PIDFile={{ keycloak_quarkus_service_pidfile }}
+ExecStart={{ keycloak.home }}/bin/kc.sh start --auto-build --log={{ keycloak_quarkus_log }}
+User={{ keycloak.service_user }}
+
+[Install]
+WantedBy=multi-user.target

roles/keycloak_quarkus/templates/quarkus.properties.j2

@@ -0,0 +1,19 @@
+# {{ ansible_managed }}
+{% if keycloak_quarkus_ha_enabled %}
+quarkus.infinispan-client.server-list={{ keycloak_quarkus_ispn_url }}
+quarkus.infinispan-client.client-intelligence=HASH_DISTRIBUTION_AWARE
+quarkus.infinispan-client.use-auth=true
+quarkus.infinispan-client.auth-username={{ keycloak_quarkus_ispn_user }}
+quarkus.infinispan-client.auth-password={{ keycloak_quarkus_ispn_pass }}
+quarkus.infinispan-client.auth-realm=default
+quarkus.infinispan-client.auth-server-name=infinispan
+quarkus.infinispan-client.sasl-mechanism={{ keycloak_quarkus_ispn_sasl_mechanism }}
+{% if keycloak_quarkus_ispn_use_ssl %}
+quarkus.infinispan-client.trust-store={{ keycloak_quarkus_ispn_trust_store_path }}
+quarkus.infinispan-client.trust-store-password={{ keycloak_quarkus_ispn_trust_store_password }}
+quarkus.infinispan-client.trust-store-type=jks
+{% endif %}
+#quarkus.infinispan-client.use-schema-registration=true
+#quarkus.infinispan-client.auth-client-subject
+#quarkus.infinispan-client.auth-callback-handler
+{% endif %}

roles/keycloak_quarkus/vars/main.yml

@@ -0,0 +1,15 @@
+---
+keycloak:
+  home: "{{ keycloak_quarkus_home }}"
+  config_dir: "{{ keycloak_quarkus_config_dir }}"
+  bundle: "{{ keycloak_quarkus_archive }}"
+  service_name: "keycloak"
+  health_url: "http://localhost:8080/realms/master/.well-known/openid-configuration"
+  cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh"
+  service_user: "{{ keycloak_quarkus_service_user }}"
+  service_group: "{{ keycloak_quarkus_service_group }}"
+  offline_install: "{{ keycloak_quarkus_offline_install }}"
+  log:
+    file: "{{ keycloak_quarkus_log_file }}"
+    level: "{{ keycloak_quarkus_log_level }}"
+    format: "{{ keycloak_quarkus_log_format }}"

roles/keycloak_realm/README.md

@@ -1,21 +1,27 @@
 keycloak_realm
 ==============
 
-Create realms and clients in [keycloak](https://keycloak.org/) or [Red Hat Single Sing-On](https://access.redhat.com/products/red-hat-single-sign-on) services.
+Create realms and clients in [keycloak](https://keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) services.
 
 
 Role Defaults
 -------------
 
 | Variable | Description | Default |
-|:---------|:------------|:---------|
-|`keycloak_admin_user` | Administration console user account | `admin` |
-|`keycloak_host` | hostname | `localhost` |
-|`keycloak_http_port` | HTTP port | `8080` |
-|`keycloak_https_port` | TLS HTTP port | `8443` |
-|`keycloak_auth_realm` | Name of the main authentication realm | `master` |
-|`keycloak_rhsso_enable` | Define service is an upstream(Keycloak) or RHSSO | `master` |
-
+|:---------|:------------|:--------|
+|`keycloak_admin_user`| Administration console user account | `admin` |
+|`keycloak_host`| hostname | `localhost` |
+|`keycloak_context`| Context path for rest calls | `/auth` |
+|`keycloak_http_port`| HTTP port | `8080` |
+|`keycloak_https_port`| TLS HTTP port | `8443` |
+|`keycloak_auth_realm`| Name of the main authentication realm | `master` |
+|`keycloak_rhsso_enable`| Define service is an upstream(Keycloak) or RHSSO | `master` |
+|`keycloak_management_http_port`| Management port | `9990` |
+|`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` |
+|`keycloak_client_public`| Configure a public realm client | `True` |
+|`keycloak_client_web_origins`| Web origins for realm client | `+` |
+|`keycloak_url`| URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
+|`keycloak_management_url`| URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
 
 
 Role Variables
@@ -25,8 +31,8 @@ The following are a set of _required_ variables for the role:
 
 | Variable | Description |
 |:---------|:------------|
-|`keycloak_admin_password`| Password for the administration console user account |
 |`keycloak_realm` | Name of the realm to be created |
+|`keycloak_admin_password`| Password for the administration console user account |
 
 
 The following variables are available for creating clients:
@@ -37,6 +43,7 @@ The following variables are available for creating clients:
 |`keycloak_client_default_roles` | List of default role name for clients | `[]` |
 |`keycloak_client_users` | List of user/role mappings for a client | `[]` |
 
+
 The following variable are available for creating user federation:
 
 | Variable | Description | Default |
@@ -52,14 +59,15 @@ Variable formats
 ```yaml
     - realm:  <name of the realm in which user federation should be configured, required>
       name: <name of the user federation provider, required>
-      provider_id: <Type of the user federation provider, required>
-      provider_type: < Provider Type, default is set to org.keycloak.storage.UserStorageProvider>
-      config: <Dictionary of supported configuration values, required>
-      mappers: <List of supported configuration values, required>
+      provider_id: <type of the user federation provider, required>
+      provider_type: <Provider Type, default is set to org.keycloak.storage.UserStorageProvider>
+      config: <dictionary of supported configuration values, required>
+      mappers: <list of supported configuration values, required>
 ```
 
 Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/general/keycloak_user_federation_module.html) for information on supported variables.
 
+
 * `keycloak_clients`, a list of:
 
 ```yaml
@@ -90,7 +98,8 @@ Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/ge
       realm: <name of the realm>
 ```
 
-For a comprehensive example, refer to the [playbook](playbooks/keycloak.yml).
+For a comprehensive example, refer to the [playbook](../../playbooks/keycloak_realm.yml).
+
 
 Example Playbook
 ----------------

roles/keycloak_realm/defaults/main.yml

@@ -10,7 +10,10 @@ keycloak_rhsso_enable: False
 keycloak_admin_user: admin
 keycloak_auth_realm: master
 keycloak_auth_client: admin-cli
+keycloak_context: /auth
 
+# administrator console password, this is a required variable
+keycloak_admin_password: ''
 
 ### Keycloak realms, clients, roles, federation
 # list of clients to create in the realm
@@ -31,6 +34,7 @@ keycloak_auth_client: admin-cli
 #    public_client: "{{ keycloak_client_public }}"
 #    web_origins: "{{ keycloak_client_web_origins }}"
 #    users: "{{ keycloak_client_users }}"
+keycloak_clients: []
 
 # list of roles to create in the client
 keycloak_client_default_roles: []

roles/keycloak_realm/meta/argument_specs.yml

@@ -4,90 +4,95 @@ argument_specs:
             keycloak_host:
                 # line 3 of keycloak_realm/defaults/main.yml
                 default: "localhost"
-                description: "TODO document argument"
+                description: "Hostname for rest calls"
                 type: "str"
+            keycloak_context:
+                # line 5 of keycloak_realm/defaults/main.yml
+                default: "/auth"
+                description: "Context path for rest calls"
+                type: "str"                
             keycloak_http_port:
                 # line 4 of keycloak_realm/defaults/main.yml
                 default: 8080
-                description: "TODO document argument"
+                description: "HTTP port"
                 type: "int"
             keycloak_https_port:
                 # line 5 of keycloak_realm/defaults/main.yml
                 default: 8443
-                description: "TODO document argument"
+                description: "HTTPS port"
                 type: "int"
             keycloak_management_http_port:
                 # line 6 of keycloak_realm/defaults/main.yml
                 default: 9990
-                description: "TODO document argument"
+                description: "Management port"
                 type: "int"
             keycloak_rhsso_enable:
                 # line 7 of keycloak_realm/defaults/main.yml
                 default: false
-                description: "TODO document argument"
+                description: "Enable Red Hat Single Sign-on"
                 type: "bool"
             keycloak_admin_user:
                 # line 10 of keycloak_realm/defaults/main.yml
                 default: "admin"
-                description: "TODO document argument"
+                description: "Administration console user account"
                 type: "str"
             keycloak_auth_realm:
                 # line 11 of keycloak_realm/defaults/main.yml
                 default: "master"
-                description: "TODO document argument"
+                description: "Name of the main authentication realm"
                 type: "str"
             keycloak_auth_client:
                 # line 12 of keycloak_realm/defaults/main.yml
                 default: "admin-cli"
-                description: "TODO document argument"
+                description: "Authentication client for configuration REST calls"
                 type: "str"
             keycloak_client_default_roles:
                 # line 36 of keycloak_realm/defaults/main.yml
                 default: "[]"
-                description: "TODO document argument"
+                description: "List of roles to configure as client default"
                 type: "list"
             keycloak_client_public:
                 # line 39 of keycloak_realm/defaults/main.yml
                 default: true
-                description: "TODO document argument"
+                description: "Configure a public realm client"
                 type: "bool"
             keycloak_client_web_origins:
                 # line 42 of keycloak_realm/defaults/main.yml
                 default: "+"
-                description: "TODO document argument"
+                description: "Web origins for realm client"
                 type: "str"
             keycloak_client_users:
                 # line 49 of keycloak_realm/defaults/main.yml
                 default: "[]"
-                description: "TODO document argument"
+                description: "List of users to configure in the realm client"
                 type: "list"
             keycloak_user_federation:
                 # line 52 of keycloak_realm/defaults/main.yml
                 default: "[]"
-                description: "TODO document argument"
+                description: "List of user federations to configure in the realm"
                 type: "list"
             keycloak_admin_password:
                 # line 5 of keycloak_realm/vars/main.yml
                 required: true
-                description: "TODO document argument"
+                description: "Password for the administration console user account"
                 type: "str"
             keycloak_realm:
                 # line 8 of keycloak_realm/vars/main.yml
                 required: true
-                description: "TODO document argument"
+                description: "Name of the realm to be configured"
                 type: "str"
             keycloak_clients:
                 # line 11 of keycloak_realm/vars/main.yml
-                required: true
-                description: "TODO document argument"
-                type: "str"
+                default: "[]"
+                description: "List of client declarations for the realm"
+                type: "list"
             keycloak_url:
                 # line 14 of keycloak_realm/vars/main.yml
                 default: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
-                description: "TODO document argument"
+                description: "URL for configuration rest calls"
                 type: "str"
             keycloak_management_url:
                 # line 15 of keycloak_realm/vars/main.yml
                 default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
-                description: "TODO document argument"
+                description: "URL for management console rest calls"
                 type: "str"

roles/keycloak_realm/meta/main.yml

@@ -3,7 +3,7 @@ galaxy_info:
   role_name: keycloak_realm
   namespace: middleware_automation
   author: Romain Pelisse, Guido Grazioli
-  description: Create realms and clients in keycloak or Red Hat Single Sing-On
+  description: Create realms and clients in keycloak or Red Hat Single Sign-On
   company: Red Hat, Inc.
 
   license: Apache License 2.0
@@ -13,7 +13,6 @@ galaxy_info:
   platforms:
    - name: EL
      versions:
-     - 7
      - 8
 
   galaxy_tags:

roles/keycloak_realm/tasks/main.yml

@@ -1,18 +1,19 @@
 ---
 - name: Generate keycloak auth token
-  uri:
-    url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
+  ansible.builtin.uri:
+    url: "{{ keycloak_url }}{{ keycloak_context }}/realms/master/protocol/openid-connect/token"
     method: POST
     body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
     validate_certs: no
+  no_log: True
   register: keycloak_auth_response
   until: keycloak_auth_response.status == 200
   retries: 5
   delay: 2
 
 - name: "Determine if realm exists"
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}"
+  ansible.builtin.uri:
+    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}"
     method: GET
     status_code:
       - 200
@@ -23,8 +24,8 @@
   register: keycloak_realm_exists
 
 - name: Create Realm
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms"
+  ansible.builtin.uri:
+    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms"
     method: POST
     body: "{{ lookup('template','realm.json.j2') }}"
     validate_certs: no
@@ -36,7 +37,7 @@
 
 - name: Create user federation
   community.general.keycloak_user_federation:
-    auth_keycloak_url: "{{ keycloak_url }}/auth"
+    auth_keycloak_url: "{{ keycloak_url }}{{ keycloak_context }}"
     auth_realm: "{{ keycloak_auth_realm }}"
     auth_username: "{{ keycloak_admin_user }}"
     auth_password: "{{ keycloak_admin_password }}"
@@ -47,6 +48,7 @@
     provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}" 
     config: "{{ item.config }}"
     mappers: "{{ item.mappers | default(omit) }}"
+  no_log: True
   register: create_user_federation_result
   loop: "{{ keycloak_user_federation | flatten }}"
   when: keycloak_user_federation is defined
@@ -54,7 +56,7 @@
 - name: Create or update a Keycloak client
   community.general.keycloak_client:
     auth_client_id: "{{ keycloak_auth_client }}"
-    auth_keycloak_url: "{{ keycloak_url }}/auth"
+    auth_keycloak_url: "{{ keycloak_url }}{{ keycloak_context }}"
     auth_realm: "{{ keycloak_auth_realm }}"
     auth_username: "{{ keycloak_admin_user }}"
     auth_password: "{{ keycloak_admin_password }}"
@@ -78,19 +80,20 @@
     public_client: "{{ item.public_client | default(False) }}"
     protocol: "{{ item.protocol | default(omit) }}"
     state: present
+  no_log: True
   register: create_client_result
   loop: "{{ keycloak_clients | flatten }}"
   when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined)
 
 - name: Create client roles
-  include_tasks: manage_client_roles.yml
+  ansible.builtin.include_tasks: manage_client_roles.yml
   loop: "{{ keycloak_clients | flatten }}"
   loop_control:
     loop_var: client
   when: "'roles' in client"
 
 - name: Create client users
-  include_tasks: manage_client_users.yml
+  ansible.builtin.include_tasks: manage_client_users.yml
   loop: "{{ keycloak_clients | flatten }}"
   loop_control:
     loop_var: client

roles/keycloak_realm/tasks/manage_client_roles.yml

@@ -4,9 +4,10 @@
     realm: "{{ client.realm }}"
     client_id: "{{ client.name }}"
     auth_client_id: "{{ keycloak_auth_client }}"
-    auth_keycloak_url: "{{ keycloak_url }}/auth"
+    auth_keycloak_url: "{{ keycloak_url }}{{ keycloak_context }}"
     auth_realm: "{{ keycloak_auth_realm }}"
     auth_username: "{{ keycloak_admin_user }}"
     auth_password: "{{ keycloak_admin_password }}"
     state: present
   loop: "{{ client.roles | flatten }}"
+  no_log: True

roles/keycloak_realm/tasks/manage_client_users.yml

@@ -1,12 +1,12 @@
 ---
 - name: Manage Users
-  include_tasks: manage_user.yml
+  ansible.builtin.include_tasks: manage_user.yml
   loop: "{{ client.users | flatten }}"
   loop_control:
     loop_var: user
 
 - name: Manage User Roles
-  include_tasks: manage_user_roles.yml
+  ansible.builtin.include_tasks: manage_user_roles.yml
   loop: "{{ client.users | flatten }}"
   loop_control:
     loop_var: user

roles/keycloak_realm/tasks/manage_user.yml

@@ -1,15 +1,15 @@
 ---
 - name: "Check if User Already Exists"
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
+  ansible.builtin.uri:
+    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
     validate_certs: no
     headers:
       Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
   register: keycloak_user_search_result
 
 - name: "Create User"
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users"
+  ansible.builtin.uri:
+    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}/users"
     method: POST
     body:
       enabled: true
@@ -26,16 +26,16 @@
   when: keycloak_user_search_result.json | length == 0
 
 - name: "Get User"
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
+  ansible.builtin.uri:
+    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
     validate_certs: no
     headers:
       Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
   register: keycloak_user
 
 - name: "Update User Password"
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users/{{ (keycloak_user.json | first).id }}/reset-password"
+  ansible.builtin.uri:
+    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}/users/{{ (keycloak_user.json | first).id }}/reset-password"
     method: PUT
     body:
       type: password

roles/keycloak_realm/tasks/manage_user_client_roles.yml

@@ -1,7 +1,7 @@
 ---
 - name: "Get Realm for role"
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}"
+  ansible.builtin.uri:
+    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm }}"
     method: GET
     status_code:
       - 200
@@ -11,8 +11,8 @@
   register: client_role_realm
 
 - name: Check if Mapping is available
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
+  ansible.builtin.uri:
+    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
     method: GET
     status_code:
       - 200
@@ -22,8 +22,8 @@
   register: client_role_user_available
 
 - name: "Create Role Mapping"
-  uri:
-    url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}"
+  ansible.builtin.uri:
+    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}"
     method: POST
     body:
       - id: "{{ item.id }}"