Add restart strategies, and allow custom task include

Co-authored-by: Helmut Wolf <hwo@world-direct.at> Co-authored-by: Guido Grazioli <ggraziol@redhat.com>
2025-07-29 08:01:33 -07:00 · 2024-05-15 13:34:29 +02:00 · 2024-05-15 13:34:29 +02:00 · 2d573c2b62
commit 2d573c2b62
parent 1e9a669dea
9 changed files with 104 additions and 45 deletions
--- a/roles/keycloak_quarkus/tasks/install.yml
+++ b/roles/keycloak_quarkus/tasks/install.yml
@ -258,7 +258,7 @@

 - name: "Upload local providers"
  ansible.builtin.copy:
-    src: "{{ item.local_path}}"
+    src: "{{ item.local_path }}"
    dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
@ -280,7 +280,7 @@
 - name: "Install custom policies"
  ansible.builtin.get_url:
    url: "{{ item.url }}"
-    dest: "{{ keycloak.home }}/data/{{ item.type|default(keycloak_quarkus_supported_policy_types | first) | lower }}/{{ item.name }}"
+    dest: "{{ keycloak.home }}/data/{{ item.type | default(keycloak_quarkus_supported_policy_types | first) | lower }}/{{ item.name }}"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0640'
--- a/roles/keycloak_quarkus/tasks/prereqs.yml
+++ b/roles/keycloak_quarkus/tasks/prereqs.yml
@ -59,11 +59,18 @@

 - name: "Validate providers"
  ansible.builtin.assert:
-    that:
-      - item.id is defined and item.id | length > 0
-      - (item.spi is defined and item.spi | length > 0) or (item.url is defined and item.url | length > 0) or (item.maven is defined and item.maven.repository_url is defined and item.maven.repository_url | length > 0 and item.maven.group_id is defined and item.maven.group_id | length > 0 and item.maven.artifact_id is defined and item.maven.artifact_id | length > 0) or (item.local_path is defined and item.local_path | length > 0)
+    that: >
+      item.id is defined and item.id | length > 0 and
+      ( (item.spi is defined and item.spi | length > 0) or
+        (item.url is defined and item.url | length > 0) or
+        ( item.maven is defined and item.maven.repository_url is defined and item.maven.repository_url | length > 0 and
+          item.maven.group_id is defined and item.maven.group_id | length > 0 and
+          item.maven.artifact_id is defined and item.maven.artifact_id | length > 0) or
+        (item.local_path is defined and item.local_path | length > 0)
+      )
    quiet: true
-    fail_msg: "Providers definition is incorrect; `id` and one of `spi`, `url`, `local_path`, or `maven` are mandatory. `key` and `value` are mandatory for each property"
+    fail_msg: >
+      Providers definition incorrect; `id` and one of `spi`, `url`, `local_path`, or `maven` are mandatory. `key` and `value` are mandatory for each property
  loop: "{{ keycloak_quarkus_providers }}"

 - name: "Validate policies"
@ -73,7 +80,8 @@
      - item.url is defined and item.url | length > 0
      - item.type is not defined or item.type | lower in keycloak_quarkus_supported_policy_types
    quiet: true
-    fail_msg: "Policy definition is incorrect: `name` and one of `url` are mandatory, `type` needs to be left empty or one of {{ keycloak_quarkus_supported_policy_types }}."
+    fail_msg: >
+      Policy definition is incorrect: `name` and one of `url` are mandatory, `type` needs to be left empty or one of {{ keycloak_quarkus_supported_policy_types }}.
  loop: "{{ keycloak_quarkus_policies }}"

 - name: "Validate additional env variables"
--- a/roles/keycloak_quarkus/tasks/restart.yml
+++ b/roles/keycloak_quarkus/tasks/restart.yml
@ -1,38 +1,17 @@
 ---
- name: Ensure only one service at a time gets rebooted, to ensure replication of distributed ispn caches
-  throttle: 1
-  block:
-    - name: "Restart and enable {{ keycloak.service_name }} service on first host"
-      ansible.builtin.systemd:
-        name: "{{ keycloak.service_name }}"
-        enabled: true
-        state: restarted
-        daemon_reload: true
-      become: true
-      delegate_to: "{{ ansible_play_hosts | first }}"
-      run_once: true
+- name: "Restart and enable {{ keycloak.service_name }} service"
+  ansible.builtin.systemd:
+    name: "{{ keycloak.service_name }}"
+    enabled: true
+    state: restarted
+    daemon_reload: true
+  become: true

-    - name: "Wait until {{ keycloak.service_name }} service becomes active {{ keycloak.health_url }}"
-      ansible.builtin.uri:
-        url: "{{ keycloak.health_url }}"
-      register: keycloak_status
-      until: keycloak_status.status == 200
-      retries: 25
-      delay: 10
-      delegate_to: "{{ ansible_play_hosts | first }}"
-      run_once: true
-
-    - name: Pause to give distributed ispn caches time to (re-)replicate back onto first host
-      ansible.builtin.pause:
-        seconds: 15
-      when:
-        - keycloak_quarkus_ha_enabled
-
-    - name: "Restart and enable {{ keycloak.service_name }} service on all other hosts"
-      ansible.builtin.systemd:
-        name: "{{ keycloak.service_name }}"
-        enabled: true
-        state: restarted
-        daemon_reload: true
-      become: true
-      when: inventory_hostname != ansible_play_hosts | first
+- name: "Wait until {{ keycloak.service_name }} service becomes active {{ keycloak.health_url }}"
+  ansible.builtin.uri:
+    url: "{{ keycloak.health_url }}"
+  register: keycloak_status
+  until: keycloak_status.status == 200
+  retries: 25
+  delay: 10
+  when: keycloak_quarkus_restart_health_check
--- a/roles/keycloak_quarkus/tasks/restart/none.yml
+++ b/roles/keycloak_quarkus/tasks/restart/none.yml
@ -0,0 +1,4 @@
+---
+- name: "Display message"
+  ansible.builtin.debug:
+    msg: "keycloak_quarkus_restart_strategy is none, skipping restart"
--- a/roles/keycloak_quarkus/tasks/restart/serial.yml
+++ b/roles/keycloak_quarkus/tasks/restart/serial.yml
@ -0,0 +1,8 @@
+---
+- name: "Restart services in serial, with optional healtch check (keycloak_quarkus_restart_health_check)"
+  throttle: 1
+  loop: "{{ ansible_play_hosts }}"
+  block:
+    - name: "Restart and enable {{ keycloak.service_name }} service on first host"
+      ansible.builtin.include_tasks: ../restart.yml
+      delegate_to: "{{ item }}"
--- a/roles/keycloak_quarkus/tasks/restart/verify_first.yml
+++ b/roles/keycloak_quarkus/tasks/restart/verify_first.yml
@ -0,0 +1,34 @@
+---
+- name: Verify first restarted service with health URL, then rest in parallel
+  block:
+    - name: "Restart and enable {{ keycloak.service_name }} service on first host"
+      ansible.builtin.systemd:
+        name: "{{ keycloak.service_name }}"
+        enabled: true
+        state: restarted
+        daemon_reload: true
+      become: true
+      delegate_to: "{{ ansible_play_hosts | first }}"
+      run_once: true
+
+    - name: "Wait until {{ keycloak.service_name }} service becomes active {{ keycloak.health_url }}"
+      ansible.builtin.uri:
+        url: "{{ keycloak.health_url }}"
+      register: keycloak_status
+      until: keycloak_status.status == 200
+      retries: 25
+      delay: 10
+      delegate_to: "{{ ansible_play_hosts | first }}"
+      run_once: true
+
+    - name: Pause to give distributed ispn caches time to (re-)replicate back onto first host
+      ansible.builtin.pause:
+        seconds: "{{ keycloak_quarkus_restart_pause }}"
+      when:
+        - keycloak_quarkus_ha_enabled
+
+    - name: "Restart and enable {{ keycloak.service_name }} service on other hosts"
+      ansible.builtin.include_tasks: ../restart.yml
+      delegate_to: "{{ item }}"
+      loop: "{{ ansible_play_hosts }}"
+      when: inventory_hostname != ansible_play_hosts | first