Enable copying of key material

This commit updates the configuration to use the standard Red Hat Enterprise Linux (RHEL) default path for TLS certificates, which is /etc/pki/tls. Also, it copies the private key and certificate to the target host.
2025-04-05 02:10:29 -07:00 · 2024-05-03 14:34:57 +00:00 · 2024-05-03 14:34:57 +00:00 · 9bc1ae69e9
commit 9bc1ae69e9
parent ba127153ff
4 changed files with 56 additions and 6 deletions
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@ -44,8 +44,12 @@ Role Defaults
 |`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
 |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
 |`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
-|`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `{{ keycloak.home }}/conf/server.key.pem` |
-|`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `{{ keycloak.home }}/conf/server.crt.pem` |
+|`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` |
+|`keycloak_quarkus_key_file_src`| Set the source file path | `""` |
+|`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `/etc/pki/tls/private/server.key.pem` |
+|`keycloak_quarkus_cert_file_copy_enabled`| Enable copy of cert file to target host | `False`|
+|`keycloak_quarkus_cert_file_src`| Set the source file path | `""` |
+|`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `/etc/pki/tls/certs/server.crt.pem` |
 |`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` |
 |`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. ||
 |`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.||
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@ -47,8 +47,12 @@ keycloak_quarkus_java_opts: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak

 ### TLS/HTTPS configuration
 keycloak_quarkus_https_key_file_enabled: false
-keycloak_quarkus_key_file: "{{ keycloak.home }}/conf/server.key.pem"
-keycloak_quarkus_cert_file: "{{ keycloak.home }}/conf/server.crt.pem"
+keycloak_quarkus_key_file_copy_enabled: false
+keycloak_quarkus_key_file_src: ""
+keycloak_quarkus_key_file: "/etc/pki/tls/private/server.key.pem"
+keycloak_quarkus_cert_file_copy_enabled: false
+keycloak_quarkus_cert_file_src: ""
+keycloak_quarkus_cert_file: "/etc/pki/tls/certs/server.crt.pem"
 #### key store configuration
 keycloak_quarkus_https_key_store_enabled: false
 keycloak_quarkus_https_key_store_file: "{{ keycloak.home }}/conf/key_store.p12"
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@ -108,12 +108,28 @@ argument_specs:
                default: false
                description: "Enable configuration of HTTPS via files in PEM format"
                type: "bool"
+            keycloak_quarkus_key_file_copy_enabled:
+                default: false
+                description: "Enable copy of key file to target host"
+                type: "bool"
+            keycloak_quarkus_key_file_src:
+                default: ""
+                description: "Set the source file path"
+                type: "str"
            keycloak_quarkus_key_file:
-                default: "{{ keycloak.home }}/conf/server.key.pem"
+                default: "/etc/pki/tls/private/server.key.pem"
                description: "The file path to a private key in PEM format"
                type: "str"
+            keycloak_quarkus_cert_file_copy_enabled:
+                default: false
+                description: "Enable copy of cert file to target host"
+                type: "bool"
+            keycloak_quarkus_cert_file_src:
+                default: ""
+                description: "Set the source file path"
+                type: "str"
            keycloak_quarkus_cert_file:
-                default: "{{ keycloak.home }}/conf/server.crt.pem"
+                default: "/etc/pki/tls/certs/server.crt.pem"
                description: "The file path to a server certificate or certificate chain in PEM format"
                type: "str"
            keycloak_quarkus_https_key_store_enabled:
--- a/roles/keycloak_quarkus/tasks/install.yml
+++ b/roles/keycloak_quarkus/tasks/install.yml
@ -159,6 +159,32 @@
  when:
    - (not new_version_downloaded.changed) and path_to_workdir.stat.exists

+- name: "Copy private key to target"
+  ansible.builtin.copy:
+    src: "{{ keycloak_quarkus_key_file_src }}"
+    dest: "{{ keycloak_quarkus_key_file }}"
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+    mode: 0640
+  become: true
+  when:
+    - keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
+    - keycloak_quarkus_key_file_copy_enabled is defined and keycloak_quarkus_key_file_copy_enabled
+    - keycloak_quarkus_key_file_src | length > 0
+
+- name: "Copy certificate to target"
+  ansible.builtin.copy:
+    src: "{{ keycloak_quarkus_cert_file_src }}"
+    dest: "{{ keycloak_quarkus_cert_file }}"
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+    mode: 0644
+  become: true
+  when:
+    - keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
+    - keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled
+    - keycloak_quarkus_cert_file_src | length > 0
+
 - name: "Install {{ keycloak_quarkus_jdbc_engine }} JDBC driver"
  ansible.builtin.include_tasks: jdbc_driver.yml
  when: