Merge pull request #116 from Footur/keystore

[keycloak_quarkus] Enable config of a key store and trust store
2025-04-05 18:30:27 -07:00 · 2023-11-13 11:37:36 +01:00 · 2023-11-13 11:37:36 +01:00 · cee02cfd36
commit cee02cfd36
parent ea086e8a62 e842462a22
6 changed files with 56 additions and 9 deletions
--- a/molecule/quarkus/converge.yml
+++ b/molecule/quarkus/converge.yml
@ -7,7 +7,7 @@
    keycloak_realm: TestRealm
    keycloak_quarkus_host: instance
    keycloak_quarkus_log: file
-    keycloak_quarkus_https_enabled: True
+    keycloak_quarkus_https_key_file_enabled: True
    keycloak_quarkus_key_file: "{{ keycloak.home }}/conf/key.pem"
    keycloak_quarkus_cert_file: "{{ keycloak.home }}/conf/cert.pem"
    keycloak_quarkus_log_target: /tmp/keycloak
--- a/playbooks/keycloak_quarkus.yml
+++ b/playbooks/keycloak_quarkus.yml
@ -7,7 +7,7 @@
    keycloak_quarkus_port: 8443
    keycloak_quarkus_http_relative_path: ''
    keycloak_quarkus_log: file
-    keycloak_quarkus_https_enabled: True
+    keycloak_quarkus_https_key_file_enabled: True
    keycloak_quarkus_key_file: conf/key.pem
    keycloak_quarkus_cert_file: conf/cert.pem
  roles:
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@ -39,9 +39,16 @@ Role Defaults
 |`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
 |`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
 |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
-|`keycloak_quarkus_https_enabled`| Enable listener on HTTPS port | `False` |
+|`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
 |`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `{{ keycloak.home }}/conf/server.key.pem` |
 |`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `{{ keycloak.home }}/conf/server.crt.pem` |
+|`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` |
+|`keycloak_quarkus_key_store_file`| The file pat to the key store | `{{ keycloak.home }}/conf/key_store.p12` |
+|`keycloak_quarkus_key_store_password`| Password for the key store | `""` |
+|`keycloak_quarkus_https_trust_store_enabled`| Enalbe confiugration of a trust store | `False` |
+|`keycloak_quarkus_trust_store_file`| The file pat to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
+|`keycloak_quarkus_trust_store_password`| Password for the trust store | `""` |
+


 * Database configuration
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@ -2,7 +2,7 @@
 ### Configuration specific to keycloak
 keycloak_quarkus_version: 22.0.5
 keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
-keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"  
+keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
 keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"

 # whether to install from local archive
@ -38,9 +38,17 @@ keycloak_quarkus_jgroups_port: 7600
 keycloak_quarkus_java_opts: "-Xms1024m -Xmx2048m"

 ### TLS/HTTPS configuration
-keycloak_quarkus_https_enabled: False
+keycloak_quarkus_https_key_file_enabled: False
 keycloak_quarkus_key_file: "{{ keycloak.home }}/conf/server.key.pem"
 keycloak_quarkus_cert_file: "{{ keycloak.home }}/conf/server.crt.pem"
+#### key store configuration
+keycloak_quarkus_https_key_store_enabled: False
+keycloak_quarkus_key_store_file: "{{ keycloak.home }}/conf/key_store.p12"
+keycloak_quarkus_key_store_password: ''
+##### trust store configuration
+keycloak_quarkus_https_trust_store_enabled: False
+keycloak_quarkus_trust_store_file: "{{ keycloak.home }}/conf/trust_store.p12"
+keycloak_quarkus_trust_store_password: ''

 ### Enable configuration for database backend, clustering and remote caches on infinispan
 keycloak_quarkus_ha_enabled: False
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@ -108,10 +108,10 @@ argument_specs:
                default: 8080
                description: "HTTP port"
                type: "int"
-            keycloak_quarkus_https_enabled:
+            keycloak_quarkus_https_key_file_enabled:
                default: false
-                description: "Enable listener on HTTPS port"
-                type: "bool" 
+                description: "Enable configuration of HTTPS via files in PEM format"
+                type: "bool"
            keycloak_quarkus_key_file:
                default: "{{ keycloak.home }}/conf/server.key.pem"
                description: "The file path to a private key in PEM format"
@ -120,6 +120,30 @@ argument_specs:
                default: "{{ keycloak.home }}/conf/server.crt.pem"
                description: "The file path to a server certificate or certificate chain in PEM format"
                type: "str"
+            keycloak_quarkus_https_key_store_enabled:
+                default: false
+                description: "Enable configuration of HTTPS via a key store"
+                type: "bool"
+            keycloak_quarkus_key_store_file:
+                default: "{{ keycloak.home }}/conf/key_store.p12"
+                description: "The file path to the key store"
+                type: "str"
+            keycloak_quarkus_key_store_password:
+                default: ""
+                description: "Password for the key store"
+                type: "str"
+            keycloak_quarkus_https_trust_store_enabled:
+                default: false
+                description: "Enalbe confiugration of a trust store"
+                type: "bool"
+            keycloak_quarkus_trust_store_file:
+                default: "{{ keycloak.home }}/conf/trust_store.p12"
+                description: "The file pat to the trust store"
+                type: "str"
+            keycloak_quarkus_trust_store_password:
+                 default: ""
+                 description: "Password for the trust store"
+                 type: "str"
            keycloak_quarkus_https_port:
                # line 30 of defaults/main.yml
                default: 8443
--- a/roles/keycloak_quarkus/templates/keycloak.conf.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.conf.j2
@ -19,10 +19,18 @@ http-relative-path={{ keycloak_quarkus_http_relative_path }}

 # HTTPS
 https-port={{ keycloak_quarkus_https_port }}
-{% if keycloak_quarkus_https_enabled %}
+{% if keycloak_quarkus_https_key_file_enabled %}
 https-certificate-file={{ keycloak_quarkus_cert_file}}
 https-certificate-key-file={{ keycloak_quarkus_key_file }}
 {% endif %}
+{% if keycloak_quarkus_https_key_store_enabled %}
+https-key-store-file={{ keycloak_quarkus_key_store_file }}
+https-key-store-password={{ keycloak_quarkus_key_store_password }}
+{% endif %}
+{% if keycloak_quarkus_https_trust_store_enabled %}
+https-trust-store-file={{ keycloak_quarkus_trust_store_file }}
+https-trust-store-password={{ keycloak_quarkus_trust_store_password }}
+{% endif %}

 # Client URL configuration
 {% if keycloak_quarkus_frontend_url %}