From 320a5f0d9a171aeb9dbe4bf6914dcedd42596d07 Mon Sep 17 00:00:00 2001
From: Footur <3769085+Footur@users.noreply.github.com>
Date: Sun, 5 May 2024 11:58:19 +0000
Subject: [PATCH] Copy the TLS private key from memory

This change should avoid storing plain private keys on disk due to security risks. It also makes it easier to encrypt the data with SOPS.
---
 molecule/quarkus/converge.yml | 2 +-
 roles/keycloak_quarkus/README.md | 2 +-
 roles/keycloak_quarkus/defaults/main.yml | 2 +-
 roles/keycloak_quarkus/meta/argument_specs.yml | 4 ++--
 roles/keycloak_quarkus/tasks/install.yml | 4 ++--
 5 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/molecule/quarkus/converge.yml b/molecule/quarkus/converge.yml
index 5971a93..9e74aa6 100644
--- a/molecule/quarkus/converge.yml
+++ b/molecule/quarkus/converge.yml
@@ -10,7 +10,7 @@
 keycloak_quarkus_log_level: debug
 keycloak_quarkus_https_key_file_enabled: true
 keycloak_quarkus_key_file_copy_enabled: true
- keycloak_quarkus_key_file_src: key.pem
+ keycloak_quarkus_key_content: "{{ lookup('file', 'key.pem') }}"
 keycloak_quarkus_cert_file_copy_enabled: true
 keycloak_quarkus_cert_file_src: cert.pem
 keycloak_quarkus_log_target: /tmp/keycloak
diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md
index 17f2bc8..ccb9e75 100644
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@@ -45,7 +45,7 @@ Role Defaults
 |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
 |`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
 |`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` |
-|`keycloak_quarkus_key_file_src`| Set the source file path | `""` |
+|`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` |
 |`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `/etc/pki/tls/private/server.key.pem` |
 |`keycloak_quarkus_cert_file_copy_enabled`| Enable copy of cert file to target host | `False`|
 |`keycloak_quarkus_cert_file_src`| Set the source file path | `""` |
diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml
index fcd02a5..a54e6c7 100644
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@@ -48,7 +48,7 @@ keycloak_quarkus_java_opts: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak
 ### TLS/HTTPS configuration
 keycloak_quarkus_https_key_file_enabled: false
 keycloak_quarkus_key_file_copy_enabled: false
-keycloak_quarkus_key_file_src: ""
+keycloak_quarkus_key_content: ""
 keycloak_quarkus_key_file: "/etc/pki/tls/private/server.key.pem"
 keycloak_quarkus_cert_file_copy_enabled: false
 keycloak_quarkus_cert_file_src: ""
diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
index 768b3e9..094a46b 100644
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -112,9 +112,9 @@ argument_specs:
 default: false
 description: "Enable copy of key file to target host"
 type: "bool"
- keycloak_quarkus_key_file_src:
+ keycloak_quarkus_key_content:
 default: ""
- description: "Set the source file path"
+ description: "Content of the TLS private key"
 type: "str"
 keycloak_quarkus_key_file:
 default: "/etc/pki/tls/private/server.key.pem"
diff --git a/roles/keycloak_quarkus/tasks/install.yml b/roles/keycloak_quarkus/tasks/install.yml
index b4b566a..5a385e2 100644
--- a/roles/keycloak_quarkus/tasks/install.yml
+++ b/roles/keycloak_quarkus/tasks/install.yml
@@ -161,7 +161,7 @@
 
 - name: "Copy private key to target"
 ansible.builtin.copy:
- src: "{{ keycloak_quarkus_key_file_src }}"
+ content: "{{ keycloak_quarkus_key_content }}"
 dest: "{{ keycloak_quarkus_key_file }}"
 owner: "{{ keycloak.service_user }}"
 group: "{{ keycloak.service_group }}"
@@ -170,7 +170,7 @@
 when:
 - keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
 - keycloak_quarkus_key_file_copy_enabled is defined and keycloak_quarkus_key_file_copy_enabled
- - keycloak_quarkus_key_file_src | length > 0
+ - keycloak_quarkus_key_content | length > 0
 
 - name: "Copy certificate to target"
 ansible.builtin.copy:
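Review bot: The new `keycloak_quarkus_key_content` option now carries a private key, so its argument spec should mark it as sensitive: add `no_log: true` beside `type: "str"` so that role argument validation does not echo the value in its output (the role spec validator accepts the same option keys as a module argument spec, so this should be honoured). The description could also carry the README's usage hint, e.g. `description: "Content of the TLS private key, e.g. the result of lookup('file', 'server.key.pem')"`, so `ansible-doc`-style consumers see how to populate it. The enclosing `argument_specs` mapping starts and ends outside the hunk.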
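Review bot: With `content:` the private key is now a task argument, so unless the copy arguments after `group:` (outside the hunk) already set it, the task "Copy private key to target" should carry `no_log: true`; without it, `--diff` output and higher verbosity levels print the PEM body into logs and CI output. The commit message's "from memory" claim is only partly accurate as far as I recall: the copy action still writes `content` to a temporary file on the controller before transfer, so the real gain is that the value can live in an encrypted variable instead of a plaintext file in the repository. While there, confirm a restrictive `mode: "0600"` is set on the destination, as the hunk ends before the remaining copy arguments.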
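Review bot: Renaming the variable in the `when` condition turns the old `keycloak_quarkus_key_file_src` into a silent no-op: a playbook that still sets it now skips "Copy private key to target" without any message while `keycloak_quarkus_https_key_file_enabled` stays true, so the failure presumably only surfaces later when Keycloak cannot find the key file. Consider a guard ahead of the task, e.g. `ansible.builtin.assert` with `that: keycloak_quarkus_key_file_src is not defined` and a `fail_msg` pointing users to `keycloak_quarkus_key_content`, or keep `keycloak_quarkus_key_file_src` as a deprecated alias for one release. The same rename appears in the converge.yml, defaults and argument_specs hunks, so the migration should be called out in the changelog.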