keycloak_quarkus: Add http_management_port and http_management_relative_path options

RHBK v26 exposes health endpoints and metrics on this port moving forward. Note that the scheme of the MGMT interface is defined by the overall keycloak configuration: if https is enabled and configured, th MGMT interface is exposed via https and NOT via http; this might be breaking some configured load balancer health checks
2025-07-30 16:41:30 -07:00 · 2024-12-10 14:14:18 +01:00 · 2024-12-10 14:14:18 +01:00 · d0f19b59dc
commit d0f19b59dc
parent 213449ec58
6 changed files with 44 additions and 5 deletions
--- a/roles/keycloak_quarkus/tasks/firewalld.yml
+++ b/roles/keycloak_quarkus/tasks/firewalld.yml
@ -12,7 +12,7 @@
    enabled: true
    state: started

- name: "Configure firewall for {{ keycloak.service_name }} ports"
+- name: "Configure firewall for {{ keycloak.service_name }} http port"
  become: true
  ansible.posix.firewalld:
    port: "{{ item }}"
@ -21,5 +21,16 @@
    immediate: true
  loop:
    - "{{ keycloak_quarkus_http_port }}/tcp"
+  when: keycloak_quarkus_http_enabled | bool
+
+- name: "Configure firewall for {{ keycloak.service_name }} ports"
+  become: true
+  ansible.posix.firewalld:
+    port: "{{ item }}"
+    permanent: true
+    state: enabled
+    immediate: true
+  loop:
    - "{{ keycloak_quarkus_https_port }}/tcp"
+    - "{{ keycloak_quarkus_http_management_port }}/tcp"
    - "{{ keycloak_quarkus_jgroups_port }}/tcp"
--- a/roles/keycloak_quarkus/tasks/prereqs.yml
+++ b/roles/keycloak_quarkus/tasks/prereqs.yml
@ -7,7 +7,7 @@
    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_bootstrap_admin_password to a 12+ char long string"
    success_msg: "{{ 'Console administrator password OK' }}"

- name: Validate relative path
+- name: Validate http_relative_path
  ansible.builtin.assert:
    that:
      - keycloak_quarkus_http_relative_path is regex('^/.*')
@ -15,6 +15,15 @@
    fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /"
    success_msg: "{{ 'Relative path OK' }}"

+- name: Validate http_management_relative_path
+  ansible.builtin.assert:
+    that:
+      - keycloak_quarkus_http_management_relative_path is regex('^/.*')
+    quiet: true
+    fail_msg: "The relative path for keycloak_quarkus_http_management_relative_path must begin with /"
+    success_msg: "{{ 'Relative mgmt path OK' }}"
+  when: keycloak_quarkus_http_management_relative_path is defined
+
 - name: Validate configuration
  ansible.builtin.assert:
    that: