From 9ddd6d7d5e37b13d8ff8fa37f4dd029cbb568af4 Mon Sep 17 00:00:00 2001 From: Antonio Costa Date: Mon, 30 Oct 2023 09:27:30 +0100 Subject: [PATCH 1/7] feat: jboss port offset configuration --- molecule/default/converge.yml | 1 + molecule/default/verify.yml | 5 +++-- roles/keycloak/README.md | 5 +++-- roles/keycloak/defaults/main.yml | 1 + roles/keycloak/meta/argument_specs.yml | 8 ++++++-- .../templates/15.0.8/standalone-infinispan.xml.j2 | 2 +- roles/keycloak/templates/15.0.8/standalone.xml.j2 | 2 +- .../keycloak/templates/9.0.2/standalone-infinispan.xml.j2 | 2 +- roles/keycloak/templates/9.0.2/standalone.xml.j2 | 2 +- roles/keycloak/templates/standalone-ha.xml.j2 | 2 +- roles/keycloak/templates/standalone-infinispan.xml.j2 | 2 +- roles/keycloak/templates/standalone.xml.j2 | 2 +- roles/keycloak/vars/main.yml | 4 ++-- roles/keycloak_realm/meta/argument_specs.yml | 4 ++-- roles/keycloak_realm/vars/main.yml | 4 ++-- 15 files changed, 27 insertions(+), 19 deletions(-) diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index d3742e7..e7fd4e0 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -10,6 +10,7 @@ port: 16667 - host: myhost2 port: 16668 + keycloak_jboss_port_offset: 10 roles: - role: keycloak tasks: diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 92a245e..2dfd6a7 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -4,8 +4,9 @@ vars: keycloak_admin_password: "remembertochangeme" keycloak_jvm_package: java-11-openjdk-headless - keycloak_uri: http://localhost:8080 - keycloak_management_port: http://localhost:9990 + keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}" + keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}" + keycloak_jboss_port_offset: 10 tasks: - name: Populate service facts ansible.builtin.service_facts: 
diff --git a/roles/keycloak/README.md b/roles/keycloak/README.md
index aae309b..13adf35 100644
--- a/roles/keycloak/README.md
+++ b/roles/keycloak/README.md
@@ -104,14 +104,15 @@ Role Defaults |`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` | |`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` | |`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir }}` | +|`keycloak_jboss_port_offset` | Port offset for the JBoss socket binding | `0` | |`keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` | |`keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` | |`keycloak_config_override_template` | Path to custom template for standalone.xml configuration | `''` | |`keycloak_auth_realm` | Name for rest authentication realm | `master` | |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` | |`keycloak_force_install` | Remove pre-existing versions of service | `False` | -|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` | -|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` | +|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}` | +|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}` | |`keycloak_frontend_url_force` | Force backend requests to use the frontend URL | `False` | |`keycloak_db_background_validation` | Enable background validation of database connection | `False` | |`keycloak_db_background_validation_millis`| How frequenly the connection pool is validated in the background | `10000` if background validation enabled | 
diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml index 9e09804..228d1e6 100644 --- a/roles/keycloak/defaults/main.yml +++ b/roles/keycloak/defaults/main.yml @@ -12,6 +12,7 @@ keycloak_jvm_package: java-1.8.0-openjdk-headless keycloak_java_home: keycloak_dest: /opt/keycloak keycloak_jboss_home: "{{ keycloak_installdir }}" +keycloak_jboss_port_offset: 0 keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration" keycloak_config_standalone_xml: "keycloak.xml" keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}" diff --git a/roles/keycloak/meta/argument_specs.yml b/roles/keycloak/meta/argument_specs.yml index db73f3f..b28be78 100644 --- a/roles/keycloak/meta/argument_specs.yml +++ b/roles/keycloak/meta/argument_specs.yml @@ -54,6 +54,10 @@ argument_specs: default: "{{ keycloak_installdir }}" description: "Installation work directory" type: "str" + keycloak_jboss_port_offset: + default: 0 + description: "Port offset for the JBoss socket binding" + type: "int" keycloak_config_dir: # line 26 of keycloak/defaults/main.yml default: "{{ keycloak_jboss_home }}/standalone/configuration" @@ -280,12 +284,12 @@ argument_specs: type: "str" keycloak_url: # line 12 of keycloak/vars/main.yml - default: "http://{{ keycloak_host }}:{{ keycloak_http_port }}" + default: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}" description: "URL for configuration rest calls" type: "str" keycloak_management_url: # line 13 of keycloak/vars/main.yml - default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}" + default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}" description: "URL for management console rest calls" type: "str" keycloak_service_name: 
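Review bot: The new `keycloak_http_port + keycloak_jboss_port_offset` expression in the `keycloak_url` and `keycloak_management_url` defaults assumes both operands are already integers; ports passed with `-e` or from inventory are typically strings, and Jinja's `+` then either raises a TypeError or, when both sides are strings, concatenates (`"8080" + "10"` yields `808010`). Casting both sides is cheap, and filters bind tighter than `+`: `default: "http://{{ keycloak_host }}:{{ keycloak_http_port | int + keycloak_jboss_port_offset | int }}"`. The same expression is repeated in roles/keycloak/vars/main.yml and, with the `default(0)` fallback, in roles/keycloak_realm/meta/argument_specs.yml and roles/keycloak_realm/vars/main.yml, where `( keycloak_jboss_port_offset | default(0) ) | int` keeps the fallback. The `type: "int"` declared for the offset only validates the offset, not `keycloak_http_port`.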
diff --git a/roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2 b/roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2 index be61837..2d84f3f 100644 --- a/roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2 +++ b/roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2 @@ -737,7 +737,7 @@ - + diff --git a/roles/keycloak/templates/15.0.8/standalone.xml.j2 b/roles/keycloak/templates/15.0.8/standalone.xml.j2 index e2f6a76..de175f2 100644 --- a/roles/keycloak/templates/15.0.8/standalone.xml.j2 +++ b/roles/keycloak/templates/15.0.8/standalone.xml.j2 @@ -638,7 +638,7 @@ - + diff --git a/roles/keycloak/templates/9.0.2/standalone-infinispan.xml.j2 b/roles/keycloak/templates/9.0.2/standalone-infinispan.xml.j2 index 9e0ae66..4f90ad8 100644 --- a/roles/keycloak/templates/9.0.2/standalone-infinispan.xml.j2 +++ b/roles/keycloak/templates/9.0.2/standalone-infinispan.xml.j2 @@ -734,7 +734,7 @@ - + diff --git a/roles/keycloak/templates/9.0.2/standalone.xml.j2 b/roles/keycloak/templates/9.0.2/standalone.xml.j2 index 823357f..4188e92 100644 --- a/roles/keycloak/templates/9.0.2/standalone.xml.j2 +++ b/roles/keycloak/templates/9.0.2/standalone.xml.j2 @@ -598,7 +598,7 @@ - + diff --git a/roles/keycloak/templates/standalone-ha.xml.j2 b/roles/keycloak/templates/standalone-ha.xml.j2 index 98e26f6..99399f3 100644 --- a/roles/keycloak/templates/standalone-ha.xml.j2 +++ b/roles/keycloak/templates/standalone-ha.xml.j2 @@ -674,7 +674,7 @@ - + diff --git a/roles/keycloak/templates/standalone-infinispan.xml.j2 b/roles/keycloak/templates/standalone-infinispan.xml.j2 index 38fbfec..0b0c8af 100644 --- a/roles/keycloak/templates/standalone-infinispan.xml.j2 +++ b/roles/keycloak/templates/standalone-infinispan.xml.j2 @@ -712,7 +712,7 @@ - + diff --git a/roles/keycloak/templates/standalone.xml.j2 b/roles/keycloak/templates/standalone.xml.j2 index bf2d528..72fe4d6 100644 --- a/roles/keycloak/templates/standalone.xml.j2 +++ b/roles/keycloak/templates/standalone.xml.j2 
@@ -604,7 +604,7 @@ - + diff --git a/roles/keycloak/vars/main.yml b/roles/keycloak/vars/main.yml index 5fe498d..b03a1a5 100644 --- a/roles/keycloak/vars/main.yml +++ b/roles/keycloak/vars/main.yml @@ -2,8 +2,8 @@ # internal variables below # locations -keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}" -keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}" +keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}" +keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}" keycloak: diff --git a/roles/keycloak_realm/meta/argument_specs.yml b/roles/keycloak_realm/meta/argument_specs.yml index 4345af6..da3eca1 100644 --- a/roles/keycloak_realm/meta/argument_specs.yml +++ b/roles/keycloak_realm/meta/argument_specs.yml @@ -83,12 +83,12 @@ argument_specs: type: "list" keycloak_url: # line 14 of keycloak_realm/vars/main.yml - default: "http://{{ keycloak_host }}:{{ keycloak_http_port }}" + default: "http://{{ keycloak_host }}:{{ keycloak_http_port + ( keycloak_jboss_port_offset | default(0) ) }}" description: "URL for configuration rest calls" type: "str" keycloak_management_url: # line 15 of keycloak_realm/vars/main.yml - default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}" + default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + ( keycloak_jboss_port_offset | default(0) ) }}" description: "URL for management console rest calls" type: "str" downstream: diff --git a/roles/keycloak_realm/vars/main.yml b/roles/keycloak_realm/vars/main.yml index 076a8a9..cbb9435 100644 --- a/roles/keycloak_realm/vars/main.yml +++ b/roles/keycloak_realm/vars/main.yml 
@@ -5,5 +5,5 @@ keycloak_realm: # other settings -keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}" -keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}" +keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + ( keycloak_jboss_port_offset | default(0) ) }}" +keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + ( keycloak_jboss_port_offset | default(0) ) }}" From 12147b47696c0deae714b06b0678b558f29d3cef Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Wed, 25 Oct 2023 18:20:03 +0200 Subject: [PATCH 2/7] linter --- plugins/modules/keycloak_user_federation.py | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/modules/keycloak_user_federation.py b/plugins/modules/keycloak_user_federation.py index 96f04d7..bc84d8d 100644 --- a/plugins/modules/keycloak_user_federation.py +++ b/plugins/modules/keycloak_user_federation.py @@ -568,7 +568,6 @@ EXAMPLES = ''' realm: my-realm name: my-federation state: absent - ''' RETURN = ''' From a538828f0de9af3afbe8ae06ea84d87d41498ee0 Mon Sep 17 00:00:00 2001 From: Antonio Costa Date: Wed, 25 Oct 2023 16:03:29 +0200 Subject: [PATCH 3/7] feat: add a destination variable for the log link docs: argument specs for the keycloak_quarkus_log_target docs: added parameter to the roles README fix: role variable is keycloak_log_target and not keycloak_quarkus_log_target --- molecule/default/converge.yml | 1 + molecule/default/verify.yml | 28 +++++++++++++++ molecule/quarkus/converge.yml | 1 + molecule/quarkus/verify.yml | 34 +++++++++++++++++++ roles/keycloak/README.md | 2 +- roles/keycloak/defaults/main.yml | 3 ++ roles/keycloak/meta/argument_specs.yml | 4 +++ roles/keycloak/tasks/main.yml | 2 +- roles/keycloak_quarkus/README.md | 1 + roles/keycloak_quarkus/defaults/main.yml | 1 + .../keycloak_quarkus/meta/argument_specs.yml | 4 +++ roles/keycloak_quarkus/tasks/main.yml | 2 +- 12 files changed, 80 insertions(+), 3 deletions(-) 
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index e7fd4e0..ace4743 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -11,6 +11,7 @@ - host: myhost2 port: 16668 keycloak_jboss_port_offset: 10 + keycloak_log_target: /tmp/keycloak roles: - role: keycloak tasks: diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 2dfd6a7..ba0e01f 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -56,3 +56,31 @@ ansible.builtin.assert: that: - (keycloak_query_clients.json | selectattr('clientId','equalto','TestClient') | first)["attributes"]["post.logout.redirect.uris"] == '/public/logout' + - name: Check log folder + ansible.builtin.stat: + path: "/tmp/keycloak" + register: keycloak_log_folder + - name: Check that keycloak log folder exists and is a link + ansible.builtin.assert: + that: + - keycloak_log_folder.stat.exists + - not keycloak_log_folder.stat.isdir + - keycloak_log_folder.stat.islnk + - name: Check log file + ansible.builtin.stat: + path: "/tmp/keycloak/server.log" + register: keycloak_log_file + - name: Check if keycloak file exists + ansible.builtin.assert: + that: + - keycloak_log_file.stat.exists + - not keycloak_log_file.stat.isdir + - name: Check default log folder + ansible.builtin.stat: + path: "/var/log/keycloak" + register: keycloak_default_log_folder + failed_when: false + - name: Check that default keycloak log folder doesn't exist + ansible.builtin.assert: + that: + - not keycloak_default_log_folder.stat.exists diff --git a/molecule/quarkus/converge.yml b/molecule/quarkus/converge.yml index 22f9ff4..cb35230 100644 --- a/molecule/quarkus/converge.yml +++ b/molecule/quarkus/converge.yml 
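Review bot: `failed_when: false` on the `Check default log folder` stat task is unnecessary, because ansible.builtin.stat reports a missing path as `stat.exists: false` without failing, and it would mask a genuine error such as a permission problem by turning it into a misleading assertion failure on the next task. Dropping the line keeps the check honest. molecule/quarkus/verify.yml in this same commit carries the identical task.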
@@ -11,6 +11,7 @@ keycloak_quarkus_https_enabled: True keycloak_quarkus_key_file: "{{ keycloak.home }}/conf/key.pem" keycloak_quarkus_cert_file: "{{ keycloak.home }}/conf/cert.pem" + keycloak_quarkus_log_target: /tmp/keycloak roles: - role: keycloak_quarkus - role: keycloak_realm diff --git a/molecule/quarkus/verify.yml b/molecule/quarkus/verify.yml index e956ca6..2d75c32 100644 --- a/molecule/quarkus/verify.yml +++ b/molecule/quarkus/verify.yml @@ -37,3 +37,37 @@ - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/auth' - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/token' delegate_to: localhost + + - name: Check log folder + ansible.builtin.stat: + path: "/tmp/keycloak" + register: keycloak_log_folder + + - name: Check that keycloak log folder exists and is a link + ansible.builtin.assert: + that: + - keycloak_log_folder.stat.exists + - not keycloak_log_folder.stat.isdir + - keycloak_log_folder.stat.islnk + + - name: Check log file + ansible.builtin.stat: + path: "/tmp/keycloak/keycloak.log" + register: keycloak_log_file + + - name: Check if keycloak file exists + ansible.builtin.assert: + that: + - keycloak_log_file.stat.exists + - not keycloak_log_file.stat.isdir + + - name: Check default log folder + ansible.builtin.stat: + path: "/var/log/keycloak" + register: keycloak_default_log_folder + failed_when: false + + - name: Check that default keycloak log folder doesn't exist + ansible.builtin.assert: + that: + - not keycloak_default_log_folder.stat.exists diff --git a/roles/keycloak/README.md b/roles/keycloak/README.md index 13adf35..17149f7 100644 --- a/roles/keycloak/README.md +++ b/roles/keycloak/README.md 
@@ -118,7 +118,7 @@ Role Defaults |`keycloak_db_background_validation_millis`| How frequenly the connection pool is validated in the background | `10000` if background validation enabled | |`keycloak_db_background_validate_on_match` | Enable validate on match for database connections | `False` | |`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` | - +|`keycloak_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` | Role Variables diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml index 228d1e6..2b5cc35 100644 --- a/roles/keycloak/defaults/main.yml +++ b/roles/keycloak/defaults/main.yml @@ -115,3 +115,6 @@ keycloak_default_jdbc: version: 12.2.0 # role specific vars keycloak_no_log: True + +### logging configuration +keycloak_log_target: /var/log/keycloak diff --git a/roles/keycloak/meta/argument_specs.yml b/roles/keycloak/meta/argument_specs.yml index b28be78..2e93667 100644 --- a/roles/keycloak/meta/argument_specs.yml +++ b/roles/keycloak/meta/argument_specs.yml @@ -360,6 +360,10 @@ argument_specs: required: False description: "Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration" type: "str" + keycloak_log_target: + default: '/var/log/keycloak' + type: "str" + description: "Set the destination of the keycloak log folder link" downstream: options: sso_version: diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index 32aca04..7fe0222 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml @@ -34,7 +34,7 @@ ansible.builtin.file: state: link src: "{{ keycloak_jboss_home }}/standalone/log" - dest: /var/log/keycloak + dest: "{{ keycloak_log_target }}" become: yes - name: Set admin credentials and restart if not already created diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md index f6e24cc..0ea2648 100644 
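Review bot: `dest: "{{ keycloak_log_target }}"` makes the link location operator-chosen, but this task keeps no `force`, whereas the sibling change in roles/keycloak_quarkus/tasks/main.yml sets `force: yes`; as far as I recall, ansible.builtin.file with `state: link` refuses to convert an existing regular file into a symlink unless forced, so the two roles now behave differently on a pre-existing path. Adding `force: yes` here keeps them consistent. Changing `keycloak_log_target` on an already-provisioned host also leaves the previous link (`/var/log/keycloak` by default) dangling, since nothing removes it; that deserves a sentence in the variable's description, e.g. `description: "Destination of the keycloak log folder link; an earlier link at a different path is not removed"`. The enclosing task starts before the hunk.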
--- a/roles/keycloak_quarkus/README.md +++ b/roles/keycloak_quarkus/README.md @@ -97,6 +97,7 @@ Role Defaults |`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` | |`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` | |`keycloak_quarkus_log_format`| Set a format specific to file log entries | `%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n` | +|`keycloak_quarkus_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` | |`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` | |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` | |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` | diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml index 0ae35c1..7995d05 100644 --- a/roles/keycloak_quarkus/defaults/main.yml +++ b/roles/keycloak_quarkus/defaults/main.yml @@ -90,3 +90,4 @@ keycloak_quarkus_log: file keycloak_quarkus_log_level: info keycloak_quarkus_log_file: data/log/keycloak.log keycloak_quarkus_log_format: '%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n' +keycloak_quarkus_log_target: /var/log/keycloak diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml index 59f3e50..32e550b 100644 --- a/roles/keycloak_quarkus/meta/argument_specs.yml +++ b/roles/keycloak_quarkus/meta/argument_specs.yml 
@@ -243,6 +243,10 @@ argument_specs: default: '%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n' type: "str" description: "Set a format specific to file log entries" + keycloak_quarkus_log_target: + default: '/var/log/keycloak' + type: "str" + description: "Set the destination of the keycloak log folder link" keycloak_quarkus_proxy_mode: default: 'edge' type: "str" diff --git a/roles/keycloak_quarkus/tasks/main.yml b/roles/keycloak_quarkus/tasks/main.yml index a86a4f5..43cbb38 100644 --- a/roles/keycloak_quarkus/tasks/main.yml +++ b/roles/keycloak_quarkus/tasks/main.yml @@ -67,6 +67,6 @@ ansible.builtin.file: state: link src: "{{ keycloak.log.file | dirname }}" - dest: /var/log/keycloak + dest: "{{ keycloak_quarkus_log_target }}" force: yes become: yes From 62e5380d383dea6e2d195340d89fd53a5f2c9cbc Mon Sep 17 00:00:00 2001 From: Footur <3769085+Footur@users.noreply.github.com> Date: Fri, 27 Oct 2023 15:32:15 +0200 Subject: [PATCH 4/7] Update Keycloak to version 22.0.5 --- molecule/quarkus/prepare.yml | 4 ++-- roles/keycloak_quarkus/README.md | 4 ++-- roles/keycloak_quarkus/defaults/main.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/molecule/quarkus/prepare.yml b/molecule/quarkus/prepare.yml index f9fe2b7..f90564c 100644 --- a/molecule/quarkus/prepare.yml +++ b/molecule/quarkus/prepare.yml @@ -19,13 +19,13 @@ - name: Create conf directory # risky-file-permissions in test user account does not exist yet ansible.builtin.file: state: directory - path: /opt/keycloak/keycloak-22.0.4/conf/ + path: /opt/keycloak/keycloak-22.0.5/conf/ mode: 0755 - name: Copy certificates ansible.builtin.copy: src: "{{ item }}" - dest: "/opt/keycloak/keycloak-22.0.4/conf/{{ item }}" + dest: "/opt/keycloak/keycloak-22.0.5/conf/{{ item }}" mode: 0444 loop: - cert.pem diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md index 0ea2648..1a50a00 100644 --- a/roles/keycloak_quarkus/README.md +++ b/roles/keycloak_quarkus/README.md 
@@ -11,7 +11,7 @@ Role Defaults | Variable | Description | Default | |:---------|:------------|:--------| -|`keycloak_quarkus_version`| keycloak.org package version | `22.0.4` | +|`keycloak_quarkus_version`| keycloak.org package version | `22.0.5` | * Service configuration @@ -72,7 +72,7 @@ Role Defaults |:---------|:------------|:---------| |`keycloak_quarkus_offline_install` | Perform an offline install | `False`| |`keycloak_quarkus_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download//`| -|`keycloak_quarkus_version`| keycloak.org package version | `22.0.4` | +|`keycloak_quarkus_version`| keycloak.org package version | `22.0.5` | |`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` | |`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` | |`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` | diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml index 7995d05..d769a85 100644 --- a/roles/keycloak_quarkus/defaults/main.yml +++ b/roles/keycloak_quarkus/defaults/main.yml @@ -1,6 +1,6 @@ --- ### Configuration specific to keycloak -keycloak_quarkus_version: 22.0.4 +keycloak_quarkus_version: 22.0.5 keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip" keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}" keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}" From 03175e283b50f4d1e21ce5dfb7cad78650f0e9d7 Mon Sep 17 00:00:00 2001 
From: Guido Grazioli Date: Wed, 25 Oct 2023 16:40:25 +0200 Subject: [PATCH 5/7] molecule test for keycloakx with proxy --- .github/workflows/ci.yml | 2 +- molecule/https_revproxy/converge.yml | 16 ++++++++ molecule/https_revproxy/molecule.yml | 59 ++++++++++++++++++++++++++++ molecule/https_revproxy/prepare.yml | 49 +++++++++++++++++++++++ molecule/https_revproxy/roles | 1 + molecule/https_revproxy/verify.yml | 39 ++++++++++++++++++ molecule/requirements.yml | 2 +- 7 files changed, 166 insertions(+), 2 deletions(-) create mode 100644 molecule/https_revproxy/converge.yml create mode 100644 molecule/https_revproxy/molecule.yml create mode 100644 molecule/https_revproxy/prepare.yml create mode 120000 molecule/https_revproxy/roles create mode 100644 molecule/https_revproxy/verify.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 50e1fc4..6e5a542 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,4 +15,4 @@ jobs: with: fqcn: 'middleware_automation/keycloak' molecule_tests: >- - [ "default", "quarkus", "overridexml", "quarkus-devmode" ] + [ "default", "quarkus", "overridexml", "quarkus-devmode", "https_revproxy" ] diff --git a/molecule/https_revproxy/converge.yml b/molecule/https_revproxy/converge.yml new file mode 100644 index 0000000..b1eb7bc --- /dev/null +++ b/molecule/https_revproxy/converge.yml @@ -0,0 +1,16 @@ +--- +- name: Converge + hosts: all + vars: + keycloak_quarkus_admin_pass: "remembertochangeme" + keycloak_admin_password: "remembertochangeme" + keycloak_realm: TestRealm + keycloak_quarkus_host: instance + keycloak_quarkus_log: file + keycloak_quarkus_http_enabled: True + keycloak_quarkus_http_port: 8080 + keycloak_quarkus_proxy_mode: edge + keycloak_quarkus_http_relative_path: / + keycloak_quarkus_frontend_url: https://proxy/ + roles: + - role: keycloak_quarkus diff --git a/molecule/https_revproxy/molecule.yml b/molecule/https_revproxy/molecule.yml new file mode 100644 index 0000000..efdebf4 --- /dev/null 
+++ b/molecule/https_revproxy/molecule.yml @@ -0,0 +1,59 @@ +--- +driver: + name: docker +platforms: + - name: instance + image: registry.access.redhat.com/ubi8/ubi-init:latest + pre_build_image: true + privileged: true + command: "/usr/sbin/init" + networks: + - name: keycloak + port_bindings: + - "8080/tcp" + published_ports: + - 0.0.0.0:8080:8080/tcp + - name: proxy + image: registry.access.redhat.com/ubi8/ubi-init:latest + pre_build_image: true + privileged: true + command: "/usr/sbin/init" + networks: + - name: keycloak + port_bindings: + - "443/tcp" + published_ports: + - 0.0.0.0:443:443/tcp +provisioner: + name: ansible + config_options: + defaults: + interpreter_python: auto_silent + ssh_connection: + pipelining: false + playbooks: + prepare: prepare.yml + converge: converge.yml + verify: verify.yml + inventory: + host_vars: + localhost: + ansible_python_interpreter: "{{ ansible_playbook_python }}" + env: + ANSIBLE_FORCE_COLOR: "true" + REDHAT_PRODUCT_DOWNLOAD_CLIENT_ID: "${REDHAT_PRODUCT_DOWNLOAD_CLIENT_ID}" + REDHAT_PRODUCT_DOWNLOAD_CLIENT_SECRET: "${REDHAT_PRODUCT_DOWNLOAD_CLIENT_SECRET}" +verifier: + name: ansible +scenario: + test_sequence: + - cleanup + - destroy + - create + - prepare + - converge + - idempotence + - side_effect + - verify + - cleanup + - destroy diff --git a/molecule/https_revproxy/prepare.yml b/molecule/https_revproxy/prepare.yml new file mode 100644 index 0000000..5cdb135 --- /dev/null +++ b/molecule/https_revproxy/prepare.yml 
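Review bot: `published_ports` binds both containers to `0.0.0.0`, so for the duration of a run the test Keycloak on 8080 and the proxy on 443 are reachable from every interface of the host running molecule, with the fixed admin password set in converge.yml. verify.yml only talks to `https://localhost:443`, and the proxy reaches the instance over the shared `keycloak` network, so `- 127.0.0.1:443:443/tcp` for the proxy suffices and the 8080 mapping on `instance` appears unnecessary. The `port_bindings` entries can stay as they are.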
@@ -0,0 +1,49 @@ +--- +- name: Prepare + hosts: all + tasks: + - name: Install sudo + ansible.builtin.yum: + name: sudo + state: present + + - name: "Display hera_home if defined." + ansible.builtin.set_fact: + hera_home: "{{ lookup('env', 'HERA_HOME') }}" + +- name: Prepare proxy + hosts: proxy + vars: + jbcs_mod_cluster_enable: True + jbcs_configure_firewalld: False + jbcs_offline_install: False + jbcs_bind_address: '*' + jbcs_proxy_pass: + - path: / + url: http://instance:8080/ + reverse_path: / + reverse_url: http://instance:8080/ + external_domain_name: proxy + rhn_username: "{{ lookup('env', 'REDHAT_PRODUCT_DOWNLOAD_CLIENT_ID') }}" + rhn_password: "{{ lookup('env', 'REDHAT_PRODUCT_DOWNLOAD_CLIENT_SECRET') }}" + roles: + - middleware_automation.jbcs.jbcs + pre_tasks: + - name: Create certificate request + ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=proxy' + delegate_to: localhost + changed_when: False + + - name: Copy certificates + ansible.builtin.copy: + src: "{{ item.name }}" + dest: "{{ item.dest }}" + mode: 0444 + become: True + loop: + - { name: 'cert.pem', dest: '/etc/pki/tls/certs/proxy.crt' } + - { name: 'key.pem', dest: '/etc/pki/tls/private/proxy.key' } + + - name: update_ca_trust + command: update-ca-trust + become: True diff --git a/molecule/https_revproxy/roles b/molecule/https_revproxy/roles new file mode 120000 index 0000000..b741aa3 --- /dev/null +++ b/molecule/https_revproxy/roles @@ -0,0 +1 @@ +../../roles \ No newline at end of file diff --git a/molecule/https_revproxy/verify.yml b/molecule/https_revproxy/verify.yml new file mode 100644 index 0000000..9d355a6 --- /dev/null +++ b/molecule/https_revproxy/verify.yml 
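Review bot: The `Copy certificates` loop installs key.pem at /etc/pki/tls/private/proxy.key with `mode: 0444`, which leaves the proxy's private key readable by every local user of the container; give the key item its own mode, `- { name: 'key.pem', dest: '/etc/pki/tls/private/proxy.key', mode: '0400' }`, and use `mode: "{{ item.mode | default('0444') }}"` on the task. The openssl task runs on the controller on every run, writes key.pem and cert.pem into the current working directory, and still reports `changed_when: False`; an `args: creates: cert.pem` would make it both idempotent and honest. The final task uses the short `command` name and has no `changed_when`, unlike the rest of the play.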
@@ -0,0 +1,39 @@ +--- +- name: Verify + hosts: all + tasks: + - name: Populate service facts + ansible.builtin.service_facts: + + - name: Check if keycloak service started + ansible.builtin.assert: + that: + - ansible_facts.services["keycloak.service"]["state"] == "running" + - ansible_facts.services["keycloak.service"]["status"] == "enabled" + + - name: Set internal envvar + ansible.builtin.set_fact: + hera_home: "{{ lookup('env', 'HERA_HOME') }}" + + - name: Verify openid config + block: + - name: Fetch openID config # noqa blocked_modules command-instead-of-module + ansible.builtin.shell: | + set -o pipefail + curl https://localhost:443/realms/master/.well-known/openid-configuration -k | jq . + args: + executable: /bin/bash + register: openid_config + changed_when: False + delegate_to: localhost + - name: Verify endpoint URLs + ansible.builtin.assert: + that: + - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://proxy/realms/master/protocol/openid-connect/ext/ciba/auth' + - (openid_config.stdout | from_json)['issuer'] == 'https://proxy/realms/master' + - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://proxy/realms/master/protocol/openid-connect/auth' + - (openid_config.stdout | from_json)['token_endpoint'] == 'https://proxy/realms/master/protocol/openid-connect/token' + delegate_to: localhost + when: + - hera_home is defined + - hera_home | length == 0 diff --git a/molecule/requirements.yml b/molecule/requirements.yml index 2e0ae56..5e39b59 100644 --- a/molecule/requirements.yml +++ b/molecule/requirements.yml @@ -1,8 +1,8 @@ --- collections: - name: middleware_automation.common + - name: middleware_automation.jbcs - name: community.general - name: ansible.posix - name: community.docker version: ">=1.9.1" - From 61730b981b7b18f138d7e16d30890240fc57113b Mon Sep 17 00:00:00 2001 
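Review bot: The openid fetch uses `curl ... -k`, so the scenario stands up TLS on the proxy but never checks the certificate installed in prepare.yml; the endpoint-URL assertions would pass against any certificate the proxy presents. Because the controller generated cert.pem with `CN=proxy`, the test can verify it instead of skipping verification: `curl --cacert cert.pem --resolve proxy:443:127.0.0.1 https://proxy/realms/master/.well-known/openid-configuration | jq .`. That also makes the test fail if the proxy role ever stops serving the copied certificate.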
From: Guido Grazioli Date: Fri, 3 Nov 2023 10:58:25 +0100 Subject: [PATCH 6/7] ddisable new test --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6e5a542..50e1fc4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,4 +15,4 @@ jobs: with: fqcn: 'middleware_automation/keycloak' molecule_tests: >- - [ "default", "quarkus", "overridexml", "quarkus-devmode", "https_revproxy" ] + [ "default", "quarkus", "overridexml", "quarkus-devmode" ] From 5543217c6a71df77818b0ffd5553e059dbfab7b4 Mon Sep 17 00:00:00 2001 From: Antonio Costa Date: Mon, 6 Nov 2023 15:00:51 +0100 Subject: [PATCH 7/7] rebase for changes made in PR 120 --- molecule/default/converge.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index ace4743..1e817f6 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -12,6 +12,7 @@ port: 16668 keycloak_jboss_port_offset: 10 keycloak_log_target: /tmp/keycloak + keycloak_jboss_port_offset: 10 roles: - role: keycloak tasks:
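Review bot: The added `keycloak_jboss_port_offset: 10` duplicates the key already present two context lines above it in the same mapping (introduced by PATCH 1/7 and visible in this hunk), so molecule/default/converge.yml now carries a duplicate key; YAML mappings do not allow that, Ansible's loader warns and keeps the last value, and yamllint's key-duplicates rule rejects the file. The rebase commit should drop the added line rather than repeat it. The mapping this line sits in starts before the hunk.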