ansible-collections/middleware_automation.keycloak
1
0
Fork 0
mirror of https://github.com/ansible-middleware/keycloak.git synced 2025-04-08 20:00:29 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

keycloak_quarkus: Add http_management_port and http_management_relative_path options

Browse source 
RHBK v26 exposes health endpoints and metrics on this port moving forward.
Note that the scheme of the MGMT interface is defined by the overall keycloak configuration: if https is enabled and configured, th MGMT interface is exposed via https and NOT via http; this might be breaking some configured load balancer health checks
This commit is contained in:
Helmut Wolf 2024-12-10 14:14:18 +01:00
parent 213449ec58
commit d0f19b59dc
6 changed files with 44 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
roles/keycloak_quarkus/README.md
View file

@ -52,6 +52,7 @@ Role Defaults
|`keycloak_quarkus_path`| Deprecated, use `keycloak_quarkus_hostname` instead. | | |`keycloak_quarkus_path`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
|`keycloak_quarkus_http_port`| HTTP listening port | `8080` | |`keycloak_quarkus_http_port`| HTTP listening port | `8080` |
|`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` | |`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` |
|`keycloak_quarkus_http_management_port`| Port of the management interface. Relevant only when something is exposed on the management interface - see the guide for details. | `9000` |
|`keycloak_quarkus_ajp_port`| AJP port | `8009` | |`keycloak_quarkus_ajp_port`| AJP port | `8009` |
|`keycloak_quarkus_service_user`| Posix account username | `keycloak` | |`keycloak_quarkus_service_user`| Posix account username | `keycloak` |
|`keycloak_quarkus_service_group`| Posix account group | `keycloak` | |`keycloak_quarkus_service_group`| Posix account group | `keycloak` |
@ -69,6 +70,7 @@ Role Defaults
|`keycloak_quarkus_admin`| Set the base URL for accessing the administration console, including scheme, host, port and path | | |`keycloak_quarkus_admin`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
|`keycloak_quarkus_admin_url`| Deprecated, use `keycloak_quarkus_admin` instead. | | |`keycloak_quarkus_admin_url`| Deprecated, use `keycloak_quarkus_admin` instead. | |
|`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` | |`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
|`keycloak_quarkus_http_management_relative_path` | Set the path relative to / for serving resources from management interface. The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details. | `/` |
|`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` | |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
|`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically | `realms/master/.well-known/openid-configuration` | |`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically | `realms/master/.well-known/openid-configuration` |
|`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` | |`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
@ -152,7 +154,7 @@ Role Defaults
| Variable | Description | Default | | Variable | Description | Default |
|:---------|:------------|:--------| |:---------|:------------|:--------|
|`keycloak_quarkus_metrics_enabled`| Whether to enable metrics | `False` | |`keycloak_quarkus_metrics_enabled`| Whether to enable metrics | `False` |
|`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints | `True` | |`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints on the management interface | `True` |
|`keycloak_quarkus_archive` | keycloak install archive filename | `keycloak-{{ keycloak_quarkus_version }}.zip` | |`keycloak_quarkus_archive` | keycloak install archive filename | `keycloak-{{ keycloak_quarkus_version }}.zip` |
|`keycloak_quarkus_installdir` | Installation path | `{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}` | |`keycloak_quarkus_installdir` | Installation path | `{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}` |
|`keycloak_quarkus_home` | Installation work directory | `{{ keycloak_quarkus_installdir }}` | |`keycloak_quarkus_home` | Installation work directory | `{{ keycloak_quarkus_installdir }}` |

1
roles/keycloak_quarkus/defaults/main.yml
View file

@ -36,6 +36,7 @@ keycloak_quarkus_bind_address: 0.0.0.0
keycloak_quarkus_http_enabled: true keycloak_quarkus_http_enabled: true
keycloak_quarkus_http_port: 8080 keycloak_quarkus_http_port: 8080
keycloak_quarkus_https_port: 8443 keycloak_quarkus_https_port: 8443
keycloak_quarkus_http_management_port: 9000
keycloak_quarkus_ajp_port: 8009 keycloak_quarkus_ajp_port: 8009
keycloak_quarkus_jgroups_port: 7800 keycloak_quarkus_jgroups_port: 7800
keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx2048m" keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx2048m"

12
roles/keycloak_quarkus/meta/argument_specs.yml
View file

@ -108,7 +108,7 @@ argument_specs:
type: "int" type: "int"
keycloak_quarkus_health_check_url_path: keycloak_quarkus_health_check_url_path:
default: "realms/master/.well-known/openid-configuration" default: "realms/master/.well-known/openid-configuration"
description: "Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically" description: "Path to the health check endpoint; scheme, hostname will be prepended automatically"
type: "str" type: "str"
keycloak_quarkus_https_key_file_enabled: keycloak_quarkus_https_key_file_enabled:
default: false default: false
@ -184,6 +184,10 @@ argument_specs:
default: 8443 default: 8443
description: "HTTPS port" description: "HTTPS port"
type: "int" type: "int"
keycloak_quarkus_http_management_port:
default: 9000
description: "Port of the management interface. Relevant only when something is exposed on the management interface - see the guide for details."
type: "int"
keycloak_quarkus_ajp_port: keycloak_quarkus_ajp_port:
default: 8009 default: 8009
description: "AJP port" description: "AJP port"
@ -228,6 +232,10 @@ argument_specs:
default: / default: /
description: "Set the path relative to / for serving resources. The path must start with a /" description: "Set the path relative to / for serving resources. The path must start with a /"
type: "str" type: "str"
keycloak_quarkus_http_management_relative_path:
required: false
description: "Set the path relative to / for serving resources from management interface. The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details."
type: "str"
keycloak_quarkus_frontend_url: keycloak_quarkus_frontend_url:
required: false required: false
description: "Deprecated in v26, use keycloak_quarkus_hostname instead." description: "Deprecated in v26, use keycloak_quarkus_hostname instead."
@ -246,7 +254,7 @@ argument_specs:
type: "bool" type: "bool"
keycloak_quarkus_health_enabled: keycloak_quarkus_health_enabled:
default: true default: true
description: "If the server should expose health check endpoints" description: "If the server should expose health check endpoints on the management interface"
type: "bool" type: "bool"
keycloak_quarkus_ispn_user: keycloak_quarkus_ispn_user:
default: "supervisor" default: "supervisor"

13
roles/keycloak_quarkus/tasks/firewalld.yml
View file

@ -12,7 +12,7 @@
enabled: true enabled: true
state: started state: started
- name: "Configure firewall for {{ keycloak.service_name }} ports" - name: "Configure firewall for {{ keycloak.service_name }} http port"
become: true become: true
ansible.posix.firewalld: ansible.posix.firewalld:
port: "{{ item }}" port: "{{ item }}"
@ -21,5 +21,16 @@
immediate: true immediate: true
loop: loop:
- "{{ keycloak_quarkus_http_port }}/tcp" - "{{ keycloak_quarkus_http_port }}/tcp"
when: keycloak_quarkus_http_enabled | bool
- name: "Configure firewall for {{ keycloak.service_name }} ports"
become: true
ansible.posix.firewalld:
port: "{{ item }}"
permanent: true
state: enabled
immediate: true
loop:
- "{{ keycloak_quarkus_https_port }}/tcp" - "{{ keycloak_quarkus_https_port }}/tcp"
- "{{ keycloak_quarkus_http_management_port }}/tcp"
- "{{ keycloak_quarkus_jgroups_port }}/tcp" - "{{ keycloak_quarkus_jgroups_port }}/tcp"

11
roles/keycloak_quarkus/tasks/prereqs.yml
View file

@ -7,7 +7,7 @@
fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_bootstrap_admin_password to a 12+ char long string" fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_bootstrap_admin_password to a 12+ char long string"
success_msg: "{{ 'Console administrator password OK' }}" success_msg: "{{ 'Console administrator password OK' }}"
- name: Validate relative path - name: Validate http_relative_path
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- keycloak_quarkus_http_relative_path is regex('^/.*') - keycloak_quarkus_http_relative_path is regex('^/.*')
@ -15,6 +15,15 @@
fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /" fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /"
success_msg: "{{ 'Relative path OK' }}" success_msg: "{{ 'Relative path OK' }}"
- name: Validate http_management_relative_path
ansible.builtin.assert:
that:
- keycloak_quarkus_http_management_relative_path is regex('^/.*')
quiet: true
fail_msg: "The relative path for keycloak_quarkus_http_management_relative_path must begin with /"
success_msg: "{{ 'Relative mgmt path OK' }}"
when: keycloak_quarkus_http_management_relative_path is defined
- name: Validate configuration - name: Validate configuration
ansible.builtin.assert: ansible.builtin.assert:
that: that:

8
roles/keycloak_quarkus/templates/keycloak.conf.j2
View file

@ -22,9 +22,17 @@ health-enabled={{ keycloak_quarkus_health_enabled | lower }}
# HTTP # HTTP
http-enabled={{ keycloak_quarkus_http_enabled | lower }} http-enabled={{ keycloak_quarkus_http_enabled | lower }}
{% if keycloak_quarkus_http_enabled %}
http-port={{ keycloak_quarkus_http_port }} http-port={{ keycloak_quarkus_http_port }}
{% endif %}
http-relative-path={{ keycloak_quarkus_http_relative_path }} http-relative-path={{ keycloak_quarkus_http_relative_path }}
# Management
http-management-port={{ keycloak_quarkus_http_management_port }}
{% if keycloak_quarkus_http_management_relative_path is defined and keycloak_quarkus_http_management_relative_path | length > 0 %}
http-management-relative-path={{ keycloak_quarkus_http_management_relative_path }}
{% endif %}
# HTTPS # HTTPS
https-port={{ keycloak_quarkus_https_port }} https-port={{ keycloak_quarkus_https_port }}
{% if keycloak_quarkus_https_key_file_enabled %} {% if keycloak_quarkus_https_key_file_enabled %}