From 6f2ed4d53b9a20f5e613556bbb2136314cea6ebe Mon Sep 17 00:00:00 2001
From: Helmut Wolf
Date: Tue, 14 May 2024 10:41:46 +0200
Subject: [PATCH 1/6] Fix #226 - minor proxy-header enhancement
---
 roles/keycloak_quarkus/templates/keycloak.conf.j2 | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/roles/keycloak_quarkus/templates/keycloak.conf.j2 b/roles/keycloak_quarkus/templates/keycloak.conf.j2
index f55ee80..6291b38 100644
--- a/roles/keycloak_quarkus/templates/keycloak.conf.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.conf.j2
@@ -69,13 +69,12 @@ cache-config-file=cache-ispn.xml
 {% endif %}
 {% endif %}
-{% if keycloak_quarkus_proxy_mode is defined and keycloak_quarkus_proxy_mode != "none" %}
-# Deprecated Proxy configuration
-proxy={{ keycloak_quarkus_proxy_mode }}
-{% endif %}
 {% if keycloak_quarkus_proxy_headers is defined and keycloak_quarkus_proxy_headers != "none" %}
 # Proxy
 proxy-headers={{ keycloak_quarkus_proxy_headers }}
+{% elif keycloak_quarkus_proxy_mode is defined and keycloak_quarkus_proxy_mode != "none" %}
+# Deprecated Proxy configuration
+proxy={{ keycloak_quarkus_proxy_mode }}
 {% endif %}
 spi-sticky-session-encoder-infinispan-should-attach-route={{ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route | d(true) | lower }}
From 0fd8eb52d2920e16a3db9c229b32b358b775020b Mon Sep 17 00:00:00 2001
From: Helmut Wolf
Date: Tue, 14 May 2024 20:05:14 +0200
Subject: [PATCH 2/6] #226: CR changes
---
 roles/keycloak_quarkus/tasks/prereqs.yml | 7 +++++++
 roles/keycloak_quarkus/templates/keycloak.conf.j2 | 5 ++---
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/roles/keycloak_quarkus/tasks/prereqs.yml b/roles/keycloak_quarkus/tasks/prereqs.yml
index 220f65b..503b308 100644
--- a/roles/keycloak_quarkus/tasks/prereqs.yml
+++ b/roles/keycloak_quarkus/tasks/prereqs.yml
@@ -93,3 +93,10 @@
 fail_msg: "Additional env variable definition is incorrect: `key` and `value` are mandatory."
 no_log: true
 loop: "{{ keycloak_quarkus_additional_env_vars }}"
+
+- name: "Validate proxy-headers"
+ ansible.builtin.assert:
+ that:
+ - keycloak_quarkus_proxy_headers | lower in ['', 'forwarded', 'xforwarded']
+ quiet: true
+ fail_msg: "keycloak_quarkus_proxy_headers must be either '', 'forwarded' or 'xforwarded'"
diff --git a/roles/keycloak_quarkus/templates/keycloak.conf.j2 b/roles/keycloak_quarkus/templates/keycloak.conf.j2
index 6291b38..ab4024b 100644
--- a/roles/keycloak_quarkus/templates/keycloak.conf.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.conf.j2
@@ -69,9 +69,8 @@ cache-config-file=cache-ispn.xml
 {% endif %}
 {% endif %}
-{% if keycloak_quarkus_proxy_headers is defined and keycloak_quarkus_proxy_headers != "none" %}
-# Proxy
-proxy-headers={{ keycloak_quarkus_proxy_headers }}
+{% if keycloak_quarkus_proxy_headers | length > 0 %}
+proxy-headers={{ keycloak_quarkus_proxy_headers | lower }}
 {% elif keycloak_quarkus_proxy_mode is defined and keycloak_quarkus_proxy_mode != "none" %}
 # Deprecated Proxy configuration
 proxy={{ keycloak_quarkus_proxy_mode }}
From 4d31117c16555c3ac6f46f0911d6ad7c85dfdec0 Mon Sep 17 00:00:00 2001
From: Helmut Wolf
Date: Tue, 14 May 2024 20:15:51 +0200
Subject: [PATCH 3/6] Fix RHBK version
---
 roles/keycloak_quarkus/meta/argument_specs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
index 57eea53..66cae79 100644
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -456,7 +456,7 @@ argument_specs:
 downstream:
 options:
 rhbk_version:
- default: "24.0.4"
+ default: "24.0.3"
 description: "Red Hat Build of Keycloak version"
 type: "str"
 rhbk_archive:
From cc012767a4416a5348cea2038661dc4bb42feb38 Mon Sep 17 00:00:00 2001
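Review bot: The new "Validate proxy-headers" assert in prereqs.yml accepts `''` without saying why an empty value is valid; a reader of this file cannot see that the template hunk in the same patch renders `proxy-headers=` only for a non-empty value and otherwise falls back to the deprecated `proxy=` option. A comment above the task would make that contract explicit: `# '' leaves proxy-headers unset so the deprecated proxy= (keycloak_quarkus_proxy_mode) is still rendered; see templates/keycloak.conf.j2`. Whatever passes this check is written (lowercased) into keycloak.conf as the set of forwarding headers Keycloak will accept from an upstream proxy for client address, scheme and host, so this assert is the only gate on that value; it presumably runs before the templating task, which is worth stating in the same comment so nobody reorders the includes later.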
From: Helmut Wolf
Date: Tue, 14 May 2024 20:16:00 +0200
Subject: [PATCH 4/6] #226 - add deprecation warning
---
 roles/keycloak_quarkus/tasks/deprecations.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/roles/keycloak_quarkus/tasks/deprecations.yml b/roles/keycloak_quarkus/tasks/deprecations.yml
index a81c808..556879a 100644
--- a/roles/keycloak_quarkus/tasks/deprecations.yml
+++ b/roles/keycloak_quarkus/tasks/deprecations.yml
@@ -34,3 +34,20 @@
 - name: Flush handlers
 ansible.builtin.meta: flush_handlers
+
+# https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/24.0/html-single/upgrading_guide/index#deprecated_literal_proxy_literal_option
+- name: Check deprecation of keycloak_quarkus_proxy_mode
+ delegate_to: localhost
+ run_once: true
+ when:
+ - keycloak_quarkus_proxy_mode is defined
+ - keycloak_quarkus_proxy_headers is defined and keycloak_quarkus_proxy_headers | length == 0
+ - keycloak_quarkus_version.split('.') | first | int >= 24
+ changed_when: true
+ ansible.builtin.set_fact:
+ deprecated_variable: "keycloak_quarkus_proxy_mode" # read in deprecation handler
+ notify:
+ - print deprecation warning
+
+- name: Flush handlers
+ ansible.builtin.meta: flush_handlers
From 92c24e49e7f1a1ad7e1683bb1ea3e8ac1741dbf5 Mon Sep 17 00:00:00 2001
From: Helmut Wolf
Date: Wed, 15 May 2024 11:09:58 +0200
Subject: [PATCH 5/6] #226: add proper default value for proxy-headers
---
 roles/keycloak_quarkus/defaults/main.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml
index 46aca81..a0f6fa4 100644
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
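Review bot: The version guard `keycloak_quarkus_version.split('.') | first | int >= 24` calls a string method directly on the variable, so a value that YAML reads as a number (`24.0` becomes a float; the molecule value `24.0.3` in PATCH 6/6 only stays a string because of its second dot) fails with an attribute error instead of being compared; `(keycloak_quarkus_version | string).split('.') | first | int >= 24` handles both. Once PATCH 5/6 gives `keycloak_quarkus_proxy_mode` the default `edge`, the `is defined` condition is always true and, with the stock `keycloak_quarkus_proxy_headers: ""`, this task fires on every run against 24+; the comment above the task should say that the warning is expected on a default install, otherwise it reads like a misconfiguration report. Unlike the key-store tasks earlier in this file, nothing is migrated here — only `deprecated_variable` is set — which is also worth a word in that comment.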
@@ -91,7 +91,10 @@ keycloak_quarkus_hostname_strict: true
 # If all applications use the public URL this option should be enabled.
 keycloak_quarkus_hostname_strict_backchannel: false
-# proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
+# The proxy headers that should be accepted by the server. ['', 'forwarded', 'xforwarded']
+keycloak_quarkus_proxy_headers: ""
+
+# deprecated: proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
 keycloak_quarkus_proxy_mode: edge
 # disable xa transactions
From 62cbaa35966f7edfeeeb4f76497a4b87de840f7e Mon Sep 17 00:00:00 2001
From: Helmut Wolf
Date: Thu, 16 May 2024 16:24:25 +0200
Subject: [PATCH 6/6] Introduce keycloak_quarkus_show_deprecation_warnings, disabled in molecule tests
---
 molecule/debian/converge.yml | 1 +
 molecule/https_revproxy/converge.yml | 3 ++-
 molecule/quarkus-devmode/converge.yml | 3 ++-
 molecule/quarkus/converge.yml | 1 +
 molecule/quarkus_ha/converge.yml | 1 +
 molecule/quarkus_upgrade/converge.yml | 1 +
 roles/keycloak_quarkus/README.md | 1 +
 roles/keycloak_quarkus/defaults/main.yml | 2 ++
 roles/keycloak_quarkus/meta/argument_specs.yml | 4 ++++
 roles/keycloak_quarkus/tasks/deprecations.yml | 10 +++++-----
 10 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/molecule/debian/converge.yml b/molecule/debian/converge.yml
index 17517b8..e6319b7 100644
--- a/molecule/debian/converge.yml
+++ b/molecule/debian/converge.yml
@@ -2,6 +2,7 @@
 - name: Converge
 hosts: all
 vars:
+ keycloak_quarkus_show_deprecation_warnings: false
 keycloak_quarkus_admin_pass: "remembertochangeme"
 keycloak_realm: TestRealm
 keycloak_quarkus_log: file
diff --git a/molecule/https_revproxy/converge.yml b/molecule/https_revproxy/converge.yml
index b1eb7bc..b490721 100644
--- a/molecule/https_revproxy/converge.yml
+++ b/molecule/https_revproxy/converge.yml
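Review bot: The new comment on `keycloak_quarkus_proxy_headers` lists the accepted values but not what a non-empty value does: it is rendered as `proxy-headers=` in keycloak.conf, which tells Keycloak which forwarding headers to accept from an upstream proxy (client address, scheme, host), so it should only be set when a reverse proxy in front of the server rewrites those headers and clients cannot reach Keycloak directly. Suggested wording: `# Forwarding headers Keycloak should accept from a reverse proxy in front of it; leave empty when no trusted proxy sets them. ['', 'forwarded', 'xforwarded']`. It is also worth stating that the empty default is deliberate: together with `keycloak_quarkus_proxy_mode: edge` it keeps rendering the deprecated `proxy=edge`, and on 24+ it triggers the deprecation task added in PATCH 4/6 on a stock install.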
@@ -1,7 +1,8 @@
 ---
 - name: Converge
 hosts: all
- vars:
+ vars:
+ keycloak_quarkus_show_deprecation_warnings: false
 keycloak_quarkus_admin_pass: "remembertochangeme"
 keycloak_admin_password: "remembertochangeme"
 keycloak_realm: TestRealm
diff --git a/molecule/quarkus-devmode/converge.yml b/molecule/quarkus-devmode/converge.yml
index 2a45189..2e5d351 100644
--- a/molecule/quarkus-devmode/converge.yml
+++ b/molecule/quarkus-devmode/converge.yml
@@ -1,7 +1,8 @@
 ---
 - name: Converge
 hosts: all
- vars:
+ vars:
+ keycloak_quarkus_show_deprecation_warnings: false
 keycloak_quarkus_admin_pass: "remembertochangeme"
 keycloak_admin_password: "remembertochangeme"
 keycloak_realm: TestRealm
diff --git a/molecule/quarkus/converge.yml b/molecule/quarkus/converge.yml
index b7430a1..7c86756 100644
--- a/molecule/quarkus/converge.yml
+++ b/molecule/quarkus/converge.yml
@@ -2,6 +2,7 @@
 - name: Converge
 hosts: all
 vars:
+ keycloak_quarkus_show_deprecation_warnings: false
 keycloak_quarkus_admin_pass: "remembertochangeme"
 keycloak_admin_password: "remembertochangeme"
 keycloak_realm: TestRealm
diff --git a/molecule/quarkus_ha/converge.yml b/molecule/quarkus_ha/converge.yml
index 2434e65..00246b8 100644
--- a/molecule/quarkus_ha/converge.yml
+++ b/molecule/quarkus_ha/converge.yml
@@ -2,6 +2,7 @@
 - name: Converge
 hosts: keycloak
 vars:
+ keycloak_quarkus_show_deprecation_warnings: false
 keycloak_quarkus_admin_pass: "remembertochangeme"
 keycloak_admin_password: "remembertochangeme"
 keycloak_realm: TestRealm
diff --git a/molecule/quarkus_upgrade/converge.yml b/molecule/quarkus_upgrade/converge.yml
index eb84589..6025b7c 100644
--- a/molecule/quarkus_upgrade/converge.yml
+++ b/molecule/quarkus_upgrade/converge.yml
@@ -4,6 +4,7 @@
 vars_files:
 - vars.yml
 vars:
+ keycloak_quarkus_show_deprecation_warnings: false
 keycloak_quarkus_version: 24.0.3
 roles:
 - role: keycloak_quarkus
diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md
index ce94392..a20c760 100644
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@@ -167,6 +167,7 @@ Role Defaults
 |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` |
 |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` |
 |`keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route`| If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy | `True` |
+|`keycloak_quarkus_show_deprecation_warnings`| Whether deprecation warnings should be shown | `True` |
 #### Vault SPI
diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml
index a0f6fa4..b3752c5 100644
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@@ -8,6 +8,8 @@ keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_q
 # whether to install from local archive
 keycloak_quarkus_offline_install: false
+keycloak_quarkus_show_deprecation_warnings: true
+
 ### Install location and service settings
 keycloak_quarkus_java_home:
 keycloak_quarkus_dest: /opt/keycloak
diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
index 66cae79..659e7f6 100644
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -483,6 +483,10 @@ argument_specs:
 default: false
 description: "Perform an offline install"
 type: "bool"
+ keycloak_quarkus_show_deprecation_warnings:
+ default: true
+ description: "Whether deprecation warnings should be shown"
+ type: "bool"
 rhbk_service_name:
 default: "rhbk"
 description: "systemd service name for Red Hat Build of Keycloak"
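Review bot: In the defaults/main.yml hunk, `keycloak_quarkus_show_deprecation_warnings: true` is the only default in the visible stretch without the one-line `# ...` comment its neighbours carry (e.g. `# whether to install from local archive`), and the README row and the argument_specs description only say that warnings are "shown". A comment such as `# whether to notify the 'print deprecation warning' handler when a deprecated variable is still set; the variable migration itself always runs` would document the actual effect, which is wired through `changed_when` in tasks/deprecations.yml. The placement between the offline-install flag and the "Install location" section also looks arbitrary; next to the proxy/deprecation-related defaults may read better, though I cannot see the whole file from here.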
diff --git a/roles/keycloak_quarkus/tasks/deprecations.yml b/roles/keycloak_quarkus/tasks/deprecations.yml
index 556879a..27ea6e3 100644
--- a/roles/keycloak_quarkus/tasks/deprecations.yml
+++ b/roles/keycloak_quarkus/tasks/deprecations.yml
@@ -10,7 +10,7 @@
 - keycloak_quarkus_key_store_file is defined
 - keycloak_quarkus_key_store_file != ''
 - keycloak_quarkus_https_key_store_file == keycloak.home + "/conf/key_store.p12" # default value
- changed_when: true
+ changed_when: keycloak_quarkus_show_deprecation_warnings
 ansible.builtin.set_fact:
 keycloak_quarkus_https_key_store_file: "{{ keycloak_quarkus_key_store_file }}"
 deprecated_variable: "keycloak_quarkus_key_store_file" # read in deprecation handler
@@ -25,7 +25,7 @@
 - keycloak_quarkus_key_store_password is defined
 - keycloak_quarkus_key_store_password != ''
 - keycloak_quarkus_https_key_store_password == "" # default value
- changed_when: true
+ changed_when: keycloak_quarkus_show_deprecation_warnings
 ansible.builtin.set_fact:
 keycloak_quarkus_https_key_store_password: "{{ keycloak_quarkus_key_store_password }}"
 deprecated_variable: "keycloak_quarkus_key_store_password" # read in deprecation handler
@@ -37,13 +37,13 @@
 # https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/24.0/html-single/upgrading_guide/index#deprecated_literal_proxy_literal_option
 - name: Check deprecation of keycloak_quarkus_proxy_mode
- delegate_to: localhost
- run_once: true
 when:
 - keycloak_quarkus_proxy_mode is defined
 - keycloak_quarkus_proxy_headers is defined and keycloak_quarkus_proxy_headers | length == 0
 - keycloak_quarkus_version.split('.') | first | int >= 24
- changed_when: true
+ delegate_to: localhost
+ run_once: true
+ changed_when: keycloak_quarkus_show_deprecation_warnings
 ansible.builtin.set_fact:
 deprecated_variable: "keycloak_quarkus_proxy_mode" # read in deprecation handler
 notify:
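Review bot: `changed_when: keycloak_quarkus_show_deprecation_warnings` in the `@@ -10` and `@@ -25` hunks (and again in the `@@ -37` hunk, which runs past the end of this chunk) uses the task's changed status as the switch for the handler: when the flag is false the `set_fact` still migrates the old value into the new variable, but the task reports ok and `notify` never fires. That coupling is not visible from the line itself; a trailing comment would help, e.g. `changed_when: keycloak_quarkus_show_deprecation_warnings  # changed only to notify the warning handler; the fact is set either way`. A side effect worth acknowledging is that disabling warnings also hides the changed report for an actual key-store setting migration, which someone reading a diff or check-mode run may find surprising; if that matters, a `debug` or `assert` task gated directly by the flag would keep the two concerns apart.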