Copy the TLS private key from memory

This change should avoid storing plain private keys on disk due to
security risks. It also makes it easier to encrypt the data with SOPS.

molecule/quarkus/converge.yml

@@ -10,7 +10,7 @@
     keycloak_quarkus_log_level: debug
     keycloak_quarkus_https_key_file_enabled: true
     keycloak_quarkus_key_file_copy_enabled: true
-    keycloak_quarkus_key_file_src: key.pem
+    keycloak_quarkus_key_content: "{{ lookup('file', 'key.pem') }}"
     keycloak_quarkus_cert_file_copy_enabled: true
     keycloak_quarkus_cert_file_src: cert.pem
     keycloak_quarkus_log_target: /tmp/keycloak

roles/keycloak_quarkus/README.md

@@ -45,7 +45,7 @@ Role Defaults
 |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
 |`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
 |`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` |
-|`keycloak_quarkus_key_file_src`| Set the source file path | `""` |
+|`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` |
 |`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `/etc/pki/tls/private/server.key.pem` |
 |`keycloak_quarkus_cert_file_copy_enabled`| Enable copy of cert file to target host | `False`|
 |`keycloak_quarkus_cert_file_src`| Set the source file path | `""` |

roles/keycloak_quarkus/defaults/main.yml

@@ -48,7 +48,7 @@ keycloak_quarkus_java_opts: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak
 ### TLS/HTTPS configuration
 keycloak_quarkus_https_key_file_enabled: false
 keycloak_quarkus_key_file_copy_enabled: false
-keycloak_quarkus_key_file_src: ""
+keycloak_quarkus_key_content: ""
 keycloak_quarkus_key_file: "/etc/pki/tls/private/server.key.pem"
 keycloak_quarkus_cert_file_copy_enabled: false
 keycloak_quarkus_cert_file_src: ""

roles/keycloak_quarkus/meta/argument_specs.yml

@@ -112,9 +112,9 @@ argument_specs:
                 default: false
                 description: "Enable copy of key file to target host"
                 type: "bool"
-            keycloak_quarkus_key_file_src:
+            keycloak_quarkus_key_content:
                 default: ""
-                description: "Set the source file path"
+                description: "Content of the TLS private key"
                 type: "str"
             keycloak_quarkus_key_file:
                 default: "/etc/pki/tls/private/server.key.pem"

roles/keycloak_quarkus/tasks/install.yml

@@ -161,7 +161,7 @@
 
 - name: "Copy private key to target"
   ansible.builtin.copy:
-    src: "{{ keycloak_quarkus_key_file_src }}"
+    content: "{{ keycloak_quarkus_key_content }}"
     dest: "{{ keycloak_quarkus_key_file }}"
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
@@ -170,7 +170,7 @@
   when:
     - keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
     - keycloak_quarkus_key_file_copy_enabled is defined and keycloak_quarkus_key_file_copy_enabled
-    - keycloak_quarkus_key_file_src | length > 0
+    - keycloak_quarkus_key_content | length > 0
 
 - name: "Copy certificate to target"
   ansible.builtin.copy: