From 41c13066020450d2560a3935fee1a2c901353294 Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Wed, 25 Oct 2023 18:20:03 +0200 Subject: [PATCH 1/5] linter --- plugins/modules/keycloak_user_federation.py | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/modules/keycloak_user_federation.py b/plugins/modules/keycloak_user_federation.py index 96f04d7..bc84d8d 100644 --- a/plugins/modules/keycloak_user_federation.py +++ b/plugins/modules/keycloak_user_federation.py @@ -568,7 +568,6 @@ EXAMPLES = ''' realm: my-realm name: my-federation state: absent - ''' RETURN = ''' From e5f0a3efe10d3ac930b0eeb3981e7f3d1bf631ba Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Wed, 25 Oct 2023 16:40:25 +0200 Subject: [PATCH 2/5] molecule test for keycloakx with proxy --- .github/workflows/ci.yml | 2 +- molecule/https_revproxy/converge.yml | 16 ++++++++ molecule/https_revproxy/molecule.yml | 59 ++++++++++++++++++++++++++++ molecule/https_revproxy/prepare.yml | 49 +++++++++++++++++++++++ molecule/https_revproxy/roles | 1 + molecule/https_revproxy/verify.yml | 39 ++++++++++++++++++ molecule/requirements.yml | 2 +- 7 files changed, 166 insertions(+), 2 deletions(-) create mode 100644 molecule/https_revproxy/converge.yml create mode 100644 molecule/https_revproxy/molecule.yml create mode 100644 molecule/https_revproxy/prepare.yml create mode 120000 molecule/https_revproxy/roles create mode 100644 molecule/https_revproxy/verify.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 50e1fc4..6e5a542 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,4 +15,4 @@ jobs: with: fqcn: 'middleware_automation/keycloak' molecule_tests: >- - [ "default", "quarkus", "overridexml", "quarkus-devmode" ] + [ "default", "quarkus", "overridexml", "quarkus-devmode", "https_revproxy" ] diff --git a/molecule/https_revproxy/converge.yml b/molecule/https_revproxy/converge.yml new file mode 100644 index 0000000..b1eb7bc --- /dev/null 
+++ b/molecule/https_revproxy/converge.yml @@ -0,0 +1,16 @@ +--- +- name: Converge + hosts: all + vars: + keycloak_quarkus_admin_pass: "remembertochangeme" + keycloak_admin_password: "remembertochangeme" + keycloak_realm: TestRealm + keycloak_quarkus_host: instance + keycloak_quarkus_log: file + keycloak_quarkus_http_enabled: True + keycloak_quarkus_http_port: 8080 + keycloak_quarkus_proxy_mode: edge + keycloak_quarkus_http_relative_path: / + keycloak_quarkus_frontend_url: https://proxy/ + roles: + - role: keycloak_quarkus diff --git a/molecule/https_revproxy/molecule.yml b/molecule/https_revproxy/molecule.yml new file mode 100644 index 0000000..efdebf4 --- /dev/null +++ b/molecule/https_revproxy/molecule.yml @@ -0,0 +1,59 @@ +--- +driver: + name: docker +platforms: + - name: instance + image: registry.access.redhat.com/ubi8/ubi-init:latest + pre_build_image: true + privileged: true + command: "/usr/sbin/init" + networks: + - name: keycloak + port_bindings: + - "8080/tcp" + published_ports: + - 0.0.0.0:8080:8080/tcp + - name: proxy + image: registry.access.redhat.com/ubi8/ubi-init:latest + pre_build_image: true + privileged: true + command: "/usr/sbin/init" + networks: + - name: keycloak + port_bindings: + - "443/tcp" + published_ports: + - 0.0.0.0:443:443/tcp +provisioner: + name: ansible + config_options: + defaults: + interpreter_python: auto_silent + ssh_connection: + pipelining: false + playbooks: + prepare: prepare.yml + converge: converge.yml + verify: verify.yml + inventory: + host_vars: + localhost: + ansible_python_interpreter: "{{ ansible_playbook_python }}" + env: + ANSIBLE_FORCE_COLOR: "true" + REDHAT_PRODUCT_DOWNLOAD_CLIENT_ID: "${REDHAT_PRODUCT_DOWNLOAD_CLIENT_ID}" + REDHAT_PRODUCT_DOWNLOAD_CLIENT_SECRET: "${REDHAT_PRODUCT_DOWNLOAD_CLIENT_SECRET}" +verifier: + name: ansible +scenario: + test_sequence: + - cleanup + - destroy + - create + - prepare + - converge + - idempotence + - side_effect + - verify + - cleanup + - destroy 
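Review bot: `published_ports` in the new molecule.yml binds the Keycloak backend's plaintext port 8080 to `0.0.0.0` on the host, although nothing in this scenario reaches it that way: the proxy talks to `instance` over the shared `keycloak` network, and verify.yml only queries `https://localhost:443`. Exposing the non-TLS backend on every interface of the CI runner is unnecessary for a scenario whose purpose is to show traffic going through the HTTPS reverse proxy; dropping the `published_ports` entry for `instance` and narrowing the proxy mapping to `127.0.0.1:443:443/tcp` is enough for the verifier. The converge.yml hunk above sets `keycloak_quarkus_http_enabled: True`, which is what `keycloak_quarkus_proxy_mode: edge` needs, but booleans are written inconsistently across the two new files (`True` there, `true` here); prefer lowercase `true`/`false` throughout.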
diff --git a/molecule/https_revproxy/prepare.yml b/molecule/https_revproxy/prepare.yml new file mode 100644 index 0000000..5cdb135 --- /dev/null +++ b/molecule/https_revproxy/prepare.yml @@ -0,0 +1,49 @@ +--- +- name: Prepare + hosts: all + tasks: + - name: Install sudo + ansible.builtin.yum: + name: sudo + state: present + + - name: "Display hera_home if defined." + ansible.builtin.set_fact: + hera_home: "{{ lookup('env', 'HERA_HOME') }}" + +- name: Prepare proxy + hosts: proxy + vars: + jbcs_mod_cluster_enable: True + jbcs_configure_firewalld: False + jbcs_offline_install: False + jbcs_bind_address: '*' + jbcs_proxy_pass: + - path: / + url: http://instance:8080/ + reverse_path: / + reverse_url: http://instance:8080/ + external_domain_name: proxy + rhn_username: "{{ lookup('env', 'REDHAT_PRODUCT_DOWNLOAD_CLIENT_ID') }}" + rhn_password: "{{ lookup('env', 'REDHAT_PRODUCT_DOWNLOAD_CLIENT_SECRET') }}" + roles: + - middleware_automation.jbcs.jbcs + pre_tasks: + - name: Create certificate request + ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=proxy' + delegate_to: localhost + changed_when: False + + - name: Copy certificates + ansible.builtin.copy: + src: "{{ item.name }}" + dest: "{{ item.dest }}" + mode: 0444 + become: True + loop: + - { name: 'cert.pem', dest: '/etc/pki/tls/certs/proxy.crt' } + - { name: 'key.pem', dest: '/etc/pki/tls/private/proxy.key' } + + - name: update_ca_trust + command: update-ca-trust + become: True diff --git a/molecule/https_revproxy/roles b/molecule/https_revproxy/roles new file mode 120000 index 0000000..b741aa3 --- /dev/null +++ b/molecule/https_revproxy/roles @@ -0,0 +1 @@ +../../roles \ No newline at end of file diff --git a/molecule/https_revproxy/verify.yml b/molecule/https_revproxy/verify.yml new file mode 100644 index 0000000..9d355a6 --- /dev/null +++ b/molecule/https_revproxy/verify.yml 
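Review bot: The copy task in the `Prepare proxy` play installs the TLS private key at `/etc/pki/tls/private/proxy.key` with `mode: 0444`, so the key is world-readable on the proxy container; root-owned `0400` is the usual setting, since httpd reads it before dropping privileges. Because the loop shares one `mode` for both files, move it into the items (`- { name: 'key.pem', dest: '/etc/pki/tls/private/proxy.key', mode: '0400' }`, `mode: "{{ item.mode }}"`) and quote the octal so YAML 1.1 parsers do not read it as a decimal. The `update_ca_trust` task runs `update-ca-trust` without first placing `cert.pem` under `/etc/pki/ca-trust/source/anchors/`, so as written it presumably does not make the self-signed certificate trusted on the proxy; either add that copy or drop the task. The openssl task is marked `changed_when: False` yet regenerates `key.pem` on every run; `args: creates: key.pem` would make it idempotent, and the bare `command:` should be `ansible.builtin.command` like the rest of the file.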
@@ -0,0 +1,39 @@ +--- +- name: Verify + hosts: all + tasks: + - name: Populate service facts + ansible.builtin.service_facts: + + - name: Check if keycloak service started + ansible.builtin.assert: + that: + - ansible_facts.services["keycloak.service"]["state"] == "running" + - ansible_facts.services["keycloak.service"]["status"] == "enabled" + + - name: Set internal envvar + ansible.builtin.set_fact: + hera_home: "{{ lookup('env', 'HERA_HOME') }}" + + - name: Verify openid config + block: + - name: Fetch openID config # noqa blocked_modules command-instead-of-module + ansible.builtin.shell: | + set -o pipefail + curl https://localhost:443/realms/master/.well-known/openid-configuration -k | jq . + args: + executable: /bin/bash + register: openid_config + changed_when: False + delegate_to: localhost + - name: Verify endpoint URLs + ansible.builtin.assert: + that: + - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://proxy/realms/master/protocol/openid-connect/ext/ciba/auth' + - (openid_config.stdout | from_json)['issuer'] == 'https://proxy/realms/master' + - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://proxy/realms/master/protocol/openid-connect/auth' + - (openid_config.stdout | from_json)['token_endpoint'] == 'https://proxy/realms/master/protocol/openid-connect/token' + delegate_to: localhost + when: + - hera_home is defined + - hera_home | length == 0 diff --git a/molecule/requirements.yml b/molecule/requirements.yml index 2e0ae56..5e39b59 100644 --- a/molecule/requirements.yml +++ b/molecule/requirements.yml @@ -1,8 +1,8 @@ --- collections: - name: middleware_automation.common + - name: middleware_automation.jbcs - name: community.general - name: ansible.posix - name: community.docker version: ">=1.9.1" - From 697023620128485980f5d942fa28a39d7680a983 Mon Sep 17 00:00:00 2001 
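Review bot: The `Fetch openID config` task uses `curl ... -k`, which disables certificate verification, so the scenario passes even if the proxy serves the wrong certificate or a broken TLS chain; the "https" half of `https_revproxy` is not actually verified. Both this task and the openssl task in prepare.yml are delegated to localhost, so the generated `cert.pem` is presumably in the same working directory and can be pinned instead: `curl --cacert cert.pem --resolve proxy:443:127.0.0.1 https://proxy/realms/master/.well-known/openid-configuration | jq .`. The certificate is issued with `-subj '/CN=proxy'` only; if the local curl/OpenSSL insists on a SAN, adding `-addext 'subjectAltName=DNS:proxy'` to the request in prepare.yml keeps the check strict. The endpoint assertions themselves are a good check that `keycloak_quarkus_frontend_url` is honoured behind the proxy.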
From: Antonio Costa Date: Wed, 25 Oct 2023 16:03:29 +0200 Subject: [PATCH 3/5] feat: add a destination variable for the log link docs: argument specs for the keycloak_quarkus_log_target docs: added parameter to the roles README fix: role variable is keycloak_log_target and not keycloak_quarkus_log_target --- molecule/default/converge.yml | 1 + molecule/default/verify.yml | 28 +++++++++++++++ molecule/quarkus/converge.yml | 1 + molecule/quarkus/verify.yml | 34 +++++++++++++++++++ roles/keycloak/README.md | 2 +- roles/keycloak/defaults/main.yml | 3 ++ roles/keycloak/meta/argument_specs.yml | 4 +++ roles/keycloak/tasks/main.yml | 2 +- roles/keycloak_quarkus/README.md | 1 + roles/keycloak_quarkus/defaults/main.yml | 1 + .../keycloak_quarkus/meta/argument_specs.yml | 4 +++ roles/keycloak_quarkus/tasks/main.yml | 2 +- 12 files changed, 80 insertions(+), 3 deletions(-) diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index d3742e7..afd6ea2 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -10,6 +10,7 @@ port: 16667 - host: myhost2 port: 16668 + keycloak_log_target: /tmp/keycloak roles: - role: keycloak tasks: diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 92a245e..36f49b1 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml 
@@ -55,3 +55,31 @@ ansible.builtin.assert: that: - (keycloak_query_clients.json | selectattr('clientId','equalto','TestClient') | first)["attributes"]["post.logout.redirect.uris"] == '/public/logout' + - name: Check log folder + ansible.builtin.stat: + path: "/tmp/keycloak" + register: keycloak_log_folder + - name: Check that keycloak log folder exists and is a link + ansible.builtin.assert: + that: + - keycloak_log_folder.stat.exists + - not keycloak_log_folder.stat.isdir + - keycloak_log_folder.stat.islnk + - name: Check log file + ansible.builtin.stat: + path: "/tmp/keycloak/server.log" + register: keycloak_log_file + - name: Check if keycloak file exists + ansible.builtin.assert: + that: + - keycloak_log_file.stat.exists + - not keycloak_log_file.stat.isdir + - name: Check default log folder + ansible.builtin.stat: + path: "/var/log/keycloak" + register: keycloak_default_log_folder + failed_when: false + - name: Check that default keycloak log folder doesn't exist + ansible.builtin.assert: + that: + - not keycloak_default_log_folder.stat.exists diff --git a/molecule/quarkus/converge.yml b/molecule/quarkus/converge.yml index 22f9ff4..cb35230 100644 --- a/molecule/quarkus/converge.yml +++ b/molecule/quarkus/converge.yml @@ -11,6 +11,7 @@ keycloak_quarkus_https_enabled: True keycloak_quarkus_key_file: "{{ keycloak.home }}/conf/key.pem" keycloak_quarkus_cert_file: "{{ keycloak.home }}/conf/cert.pem" + keycloak_quarkus_log_target: /tmp/keycloak roles: - role: keycloak_quarkus - role: keycloak_realm diff --git a/molecule/quarkus/verify.yml b/molecule/quarkus/verify.yml index e956ca6..2d75c32 100644 --- a/molecule/quarkus/verify.yml +++ b/molecule/quarkus/verify.yml 
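Review bot: `failed_when: false` on the `Check default log folder` stat task is redundant — `ansible.builtin.stat` reports a missing path as `stat.exists: false` without failing — and it would mask a genuine module error, so drop it. The same line appears in the matching block added to molecule/quarkus/verify.yml in the next hunk. Stylistically the new tasks here are appended without the blank line between tasks that the quarkus counterpart uses; keep the two verify files consistent.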
@@ -37,3 +37,37 @@ - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/auth' - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/token' delegate_to: localhost + + - name: Check log folder + ansible.builtin.stat: + path: "/tmp/keycloak" + register: keycloak_log_folder + + - name: Check that keycloak log folder exists and is a link + ansible.builtin.assert: + that: + - keycloak_log_folder.stat.exists + - not keycloak_log_folder.stat.isdir + - keycloak_log_folder.stat.islnk + + - name: Check log file + ansible.builtin.stat: + path: "/tmp/keycloak/keycloak.log" + register: keycloak_log_file + + - name: Check if keycloak file exists + ansible.builtin.assert: + that: + - keycloak_log_file.stat.exists + - not keycloak_log_file.stat.isdir + + - name: Check default log folder + ansible.builtin.stat: + path: "/var/log/keycloak" + register: keycloak_default_log_folder + failed_when: false + + - name: Check that default keycloak log folder doesn't exist + ansible.builtin.assert: + that: + - not keycloak_default_log_folder.stat.exists diff --git a/roles/keycloak/README.md b/roles/keycloak/README.md index aae309b..ed10963 100644 --- a/roles/keycloak/README.md +++ b/roles/keycloak/README.md @@ -117,7 +117,7 @@ Role Defaults |`keycloak_db_background_validation_millis`| How frequenly the connection pool is validated in the background | `10000` if background validation enabled | |`keycloak_db_background_validate_on_match` | Enable validate on match for database connections | `False` | |`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` | - +|`keycloak_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` | Role Variables diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml index 9e09804..124250e 100644 --- a/roles/keycloak/defaults/main.yml 
+++ b/roles/keycloak/defaults/main.yml @@ -114,3 +114,6 @@ keycloak_default_jdbc: version: 12.2.0 # role specific vars keycloak_no_log: True + +### logging configuration +keycloak_log_target: /var/log/keycloak diff --git a/roles/keycloak/meta/argument_specs.yml b/roles/keycloak/meta/argument_specs.yml index db73f3f..5b64fe9 100644 --- a/roles/keycloak/meta/argument_specs.yml +++ b/roles/keycloak/meta/argument_specs.yml @@ -356,6 +356,10 @@ argument_specs: required: False description: "Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration" type: "str" + keycloak_log_target: + default: '/var/log/keycloak' + type: "str" + description: "Set the destination of the keycloak log folder link" downstream: options: sso_version: diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index 32aca04..7fe0222 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml @@ -34,7 +34,7 @@ ansible.builtin.file: state: link src: "{{ keycloak_jboss_home }}/standalone/log" - dest: /var/log/keycloak + dest: "{{ keycloak_log_target }}" become: yes - name: Set admin credentials and restart if not already created diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md index f6e24cc..0ea2648 100644 --- a/roles/keycloak_quarkus/README.md +++ b/roles/keycloak_quarkus/README.md 
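Review bot: The link task in roles/keycloak/tasks/main.yml now creates a symlink under `become: yes` at whatever path `keycloak_log_target` holds, but unlike the matching task in roles/keycloak_quarkus/tasks/main.yml (later hunk in this series) it has no `force: yes`, so the two roles diverge when something already exists at the target: Ansible's file module refuses to replace an existing regular file with a link unless `force` is set, while the quarkus role replaces it. Pick one behaviour for both roles and state it in the new argument-spec descriptions, e.g. `description: "Path of the symlink (created as root) pointing at the keycloak log directory; an existing file there is replaced"` or its negation. The current wording `Set the destination of the keycloak log folder link` reads as if it changed where logs are written, which the task does not do — the log directory stays `{{ keycloak_jboss_home }}/standalone/log`. Neither hunk guards against an empty value; an `ansible.builtin.assert` on `keycloak_log_target | length > 0` in the role's pre-checks would turn a misconfiguration into a clear failure instead of a file-module error. The task's `name:` line sits outside the hunk.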
@@ -97,6 +97,7 @@ Role Defaults |`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` | |`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` | |`keycloak_quarkus_log_format`| Set a format specific to file log entries | `%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n` | +|`keycloak_quarkus_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` | |`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` | |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` | |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` | diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml index 0ae35c1..7995d05 100644 --- a/roles/keycloak_quarkus/defaults/main.yml +++ b/roles/keycloak_quarkus/defaults/main.yml @@ -90,3 +90,4 @@ keycloak_quarkus_log: file keycloak_quarkus_log_level: info keycloak_quarkus_log_file: data/log/keycloak.log keycloak_quarkus_log_format: '%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n' +keycloak_quarkus_log_target: /var/log/keycloak diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml index 59f3e50..32e550b 100644 --- a/roles/keycloak_quarkus/meta/argument_specs.yml +++ b/roles/keycloak_quarkus/meta/argument_specs.yml @@ -243,6 +243,10 @@ argument_specs: default: '%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n' type: "str" description: "Set a format specific to file log entries" + keycloak_quarkus_log_target: + default: '/var/log/keycloak' + type: "str" + description: "Set the destination of the keycloak log folder link" keycloak_quarkus_proxy_mode: default: 'edge' type: "str" 
diff --git a/roles/keycloak_quarkus/tasks/main.yml b/roles/keycloak_quarkus/tasks/main.yml index a86a4f5..43cbb38 100644 --- a/roles/keycloak_quarkus/tasks/main.yml +++ b/roles/keycloak_quarkus/tasks/main.yml @@ -67,6 +67,6 @@ ansible.builtin.file: state: link src: "{{ keycloak.log.file | dirname }}" - dest: /var/log/keycloak + dest: "{{ keycloak_quarkus_log_target }}" force: yes become: yes From 6f26fa3da42c0d92ebc5162be77fd32067a83df7 Mon Sep 17 00:00:00 2001 From: Footur <3769085+Footur@users.noreply.github.com> Date: Fri, 27 Oct 2023 15:32:15 +0200 Subject: [PATCH 4/5] Update Keycloak to version 22.0.5 --- molecule/quarkus/prepare.yml | 4 ++-- roles/keycloak_quarkus/README.md | 4 ++-- roles/keycloak_quarkus/defaults/main.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/molecule/quarkus/prepare.yml b/molecule/quarkus/prepare.yml index f9fe2b7..f90564c 100644 --- a/molecule/quarkus/prepare.yml +++ b/molecule/quarkus/prepare.yml @@ -19,13 +19,13 @@ - name: Create conf directory # risky-file-permissions in test user account does not exist yet ansible.builtin.file: state: directory - path: /opt/keycloak/keycloak-22.0.4/conf/ + path: /opt/keycloak/keycloak-22.0.5/conf/ mode: 0755 - name: Copy certificates ansible.builtin.copy: src: "{{ item }}" - dest: "/opt/keycloak/keycloak-22.0.4/conf/{{ item }}" + dest: "/opt/keycloak/keycloak-22.0.5/conf/{{ item }}" mode: 0444 loop: - cert.pem diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md index f6e24cc..9e3e017 100644 --- a/roles/keycloak_quarkus/README.md +++ b/roles/keycloak_quarkus/README.md @@ -11,7 +11,7 @@ Role Defaults | Variable | Description | Default | |:---------|:------------|:--------| -|`keycloak_quarkus_version`| keycloak.org package version | `22.0.4` | +|`keycloak_quarkus_version`| keycloak.org package version | `22.0.5` | * Service configuration 
@@ -72,7 +72,7 @@ Role Defaults |:---------|:------------|:---------| |`keycloak_quarkus_offline_install` | Perform an offline install | `False`| |`keycloak_quarkus_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download//`| -|`keycloak_quarkus_version`| keycloak.org package version | `22.0.4` | +|`keycloak_quarkus_version`| keycloak.org package version | `22.0.5` | |`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` | |`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` | |`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` | diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml index 0ae35c1..9aa5531 100644 --- a/roles/keycloak_quarkus/defaults/main.yml +++ b/roles/keycloak_quarkus/defaults/main.yml @@ -1,6 +1,6 @@ --- ### Configuration specific to keycloak -keycloak_quarkus_version: 22.0.4 +keycloak_quarkus_version: 22.0.5 keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip" keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}" keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}" From 363c5d9f9e9ed77f9480df292cfddd1c16234482 Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Fri, 3 Nov 2023 10:58:25 +0100 Subject: [PATCH 5/5] ddisable new test --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6e5a542..50e1fc4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -15,4 +15,4 @@ jobs: with: fqcn: 'middleware_automation/keycloak' molecule_tests: >- - [ "default", "quarkus", "overridexml", "quarkus-devmode", "https_revproxy" ] + [ "default", "quarkus", "overridexml", "quarkus-devmode" ]