ansible-collections/middleware_automation.keycloak
1
0
Fork 0
mirror of https://github.com/ansible-middleware/keycloak.git synced 2025-04-06 10:50:31 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

AMW-365 Keycloak collection GitHub action molecule pipelines are breaking because of sudo permission issue

Browse source
This commit is contained in:
Ranabir Chakraborty 2025-02-14 22:03:26 +05:30
parent 910a2aa5d4
commit e8bed51fb9
34 changed files with 100 additions and 99 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
.github/workflows/ci.yml vendored
View file

@ -11,9 +11,10 @@ on:
jobs: jobs:
ci: ci:
uses: ansible-middleware/github-actions/.github/workflows/ci.yml@main uses: ansible-middleware/github-actions/.github/workflows/ci.yml@rootperm
secrets: inherit secrets: inherit
with: with:
fqcn: 'middleware_automation/keycloak' fqcn: 'middleware_automation/keycloak'
root_permission_varname: 'keycloak_install_requires_become'
molecule_tests: >- molecule_tests: >-
[ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "quarkus_upgrade", "debian", "quarkus_ha" ] [ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "quarkus_upgrade", "debian", "quarkus_ha" ]

4
molecule/https_revproxy/prepare.yml
View file

@ -39,11 +39,11 @@
src: "{{ item.name }}" src: "{{ item.name }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
mode: 0444 mode: 0444
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
loop: loop:
- { name: 'cert.pem', dest: '/etc/nginx/tls/certificate.crt' } - { name: 'cert.pem', dest: '/etc/nginx/tls/certificate.crt' }
- { name: 'key.pem', dest: '/etc/nginx/tls/certificate.key' } - { name: 'key.pem', dest: '/etc/nginx/tls/certificate.key' }
- name: Update CA trust - name: Update CA trust
ansible.builtin.command: update-ca-trust ansible.builtin.command: update-ca-trust
changed_when: false changed_when: false
become: true become: "{{ keycloak_install_requires_become | default(true) }}"

2
molecule/prepare.yml
View file

@ -25,7 +25,7 @@
fail_msg: "sudo is not installed on target system" fail_msg: "sudo is not installed on target system"
- name: "Install iproute" - name: "Install iproute"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.yum: ansible.builtin.yum:
name: name:
- iproute - iproute

4
molecule/quarkus-devmode/prepare.yml
View file

@ -15,7 +15,7 @@
ansible.builtin.include_tasks: ../prepare.yml ansible.builtin.include_tasks: ../prepare.yml
- name: Install JDK17 - name: Install JDK17
become: yes become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.yum: ansible.builtin.yum:
name: name:
- java-17-openjdk-headless - java-17-openjdk-headless
@ -24,7 +24,7 @@
- ansible_facts.os_family == 'RedHat' - ansible_facts.os_family == 'RedHat'
- name: Link default logs directory - name: Link default logs directory
become: yes become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.file: ansible.builtin.file:
state: link state: link
src: "{{ item }}" src: "{{ item }}"

6
molecule/quarkus/prepare.yml
View file

@ -15,7 +15,7 @@
changed_when: false changed_when: false
- name: Create vault directory - name: Create vault directory
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.file: ansible.builtin.file:
state: directory state: directory
path: "/opt/keycloak/vault" path: "/opt/keycloak/vault"
@ -26,7 +26,7 @@
ansible.builtin.package: ansible.builtin.package:
name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}" name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
state: present state: present
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
failed_when: false failed_when: false
- name: Create vault keystore - name: Create vault keystore
@ -37,7 +37,7 @@
failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0 failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
- name: Copy certificates and vault - name: Copy certificates and vault
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.copy: ansible.builtin.copy:
src: keystore.p12 src: keystore.p12
dest: /opt/keycloak/vault/keystore.p12 dest: /opt/keycloak/vault/keystore.p12

6
molecule/quarkus/verify.yml
View file

@ -55,7 +55,7 @@
fail_msg: "Service log symlink not correctly created" fail_msg: "Service log symlink not correctly created"
- name: Check log file - name: Check log file
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.stat: ansible.builtin.stat:
path: /tmp/keycloak/keycloak.log path: /tmp/keycloak/keycloak.log
register: keycloak_log_file register: keycloak_log_file
@ -67,7 +67,7 @@
- not keycloak_log_file.stat.isdir - not keycloak_log_file.stat.isdir
- name: Check default log folder - name: Check default log folder
become: yes become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.stat: ansible.builtin.stat:
path: /var/log/keycloak path: /var/log/keycloak
register: keycloak_default_log_folder register: keycloak_default_log_folder
@ -79,7 +79,7 @@
- not keycloak_default_log_folder.stat.exists - not keycloak_default_log_folder.stat.exists
- name: Verify vault SPI in logfile - name: Verify vault SPI in logfile
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.shell: | ansible.builtin.shell: |
set -o pipefail set -o pipefail
zgrep 'Configured KeystoreVaultProviderFactory with the keystore file' /opt/keycloak/keycloak-*/data/log/keycloak.log*zip zgrep 'Configured KeystoreVaultProviderFactory with the keystore file' /opt/keycloak/keycloak-*/data/log/keycloak.log*zip

6
molecule/quarkus_ha/prepare.yml
View file

@ -15,7 +15,7 @@
changed_when: False changed_when: False
- name: Create vault directory - name: Create vault directory
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.file: ansible.builtin.file:
state: directory state: directory
path: "/opt/keycloak/vault" path: "/opt/keycloak/vault"
@ -26,7 +26,7 @@
ansible.builtin.package: ansible.builtin.package:
name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}" name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
state: present state: present
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
failed_when: false failed_when: false
- name: Create vault keystore - name: Create vault keystore
@ -37,7 +37,7 @@
failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0 failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
- name: Copy certificates and vault - name: Copy certificates and vault
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.copy: ansible.builtin.copy:
src: keystore.p12 src: keystore.p12
dest: /opt/keycloak/vault/keystore.p12 dest: /opt/keycloak/vault/keystore.p12

2
molecule/quarkus_ha/verify.yml
View file

@ -17,7 +17,7 @@
hera_home: "{{ lookup('env', 'HERA_HOME') }}" hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- name: Check log file - name: Check log file
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.stat: ansible.builtin.stat:
path: /var/log/keycloak/keycloak.log path: /var/log/keycloak/keycloak.log
register: keycloak_log_file register: keycloak_log_file

2
molecule/quarkus_upgrade/prepare.yml
View file

@ -49,4 +49,4 @@
ansible.builtin.file: ansible.builtin.file:
path: /etc/ansible/facts.d/keycloak.fact path: /etc/ansible/facts.d/keycloak.fact
state: absent state: absent
become: true become: "{{ keycloak_install_requires_become | default(true) }}"

4
roles/keycloak/tasks/fastpackages.yml
View file

@ -13,7 +13,7 @@
when: ansible_facts.os_family == "RedHat" when: ansible_facts.os_family == "RedHat"
- name: "Install packages: {{ packages_to_install }}" - name: "Install packages: {{ packages_to_install }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.dnf: ansible.builtin.dnf:
name: "{{ packages_to_install }}" name: "{{ packages_to_install }}"
state: present state: present
@ -22,7 +22,7 @@
- ansible_facts.os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- name: "Install packages: {{ packages_list }}" - name: "Install packages: {{ packages_list }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.package: ansible.builtin.package:
name: "{{ packages_list }}" name: "{{ packages_list }}"
state: present state: present

4
roles/keycloak/tasks/firewalld.yml
View file

@ -6,14 +6,14 @@
- firewalld - firewalld
- name: Enable and start the firewalld service - name: Enable and start the firewalld service
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.systemd: ansible.builtin.systemd:
name: firewalld name: firewalld
enabled: true enabled: true
state: started state: started
- name: "Configure firewall ports for {{ keycloak.service_name }}" - name: "Configure firewall ports for {{ keycloak.service_name }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.posix.firewalld: ansible.posix.firewalld:
port: "{{ item }}" port: "{{ item }}"
permanent: true permanent: true

36
roles/keycloak/tasks/install.yml
View file

@ -11,7 +11,7 @@
quiet: true quiet: true
- name: Check for an existing deployment - name: Check for an existing deployment
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ keycloak_jboss_home }}" path: "{{ keycloak_jboss_home }}"
register: existing_deploy register: existing_deploy
@ -20,24 +20,24 @@
when: existing_deploy.stat.exists and keycloak_force_install | bool when: existing_deploy.stat.exists and keycloak_force_install | bool
block: block:
- name: "Stop the old {{ keycloak.service_name }} service" - name: "Stop the old {{ keycloak.service_name }} service"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
failed_when: false failed_when: false
ansible.builtin.systemd: ansible.builtin.systemd:
name: keycloak name: keycloak
state: stopped state: stopped
- name: "Remove the old {{ keycloak.service_name }} deployment" - name: "Remove the old {{ keycloak.service_name }} deployment"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.file: ansible.builtin.file:
path: "{{ keycloak_jboss_home }}" path: "{{ keycloak_jboss_home }}"
state: absent state: absent
- name: Check for an existing deployment after possible forced removal - name: Check for an existing deployment after possible forced removal
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ keycloak_jboss_home }}" path: "{{ keycloak_jboss_home }}"
- name: "Create service user/group for {{ keycloak.service_name }}" - name: "Create service user/group for {{ keycloak.service_name }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.user: ansible.builtin.user:
name: "{{ keycloak_service_user }}" name: "{{ keycloak_service_user }}"
home: /opt/keycloak home: /opt/keycloak
@ -45,7 +45,7 @@
create_home: false create_home: false
- name: "Create install location for {{ keycloak.service_name }}" - name: "Create install location for {{ keycloak.service_name }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.file: ansible.builtin.file:
dest: "{{ keycloak_dest }}" dest: "{{ keycloak_dest }}"
state: directory state: directory
@ -54,7 +54,7 @@
mode: '0750' mode: '0750'
- name: Create pidfile folder - name: Create pidfile folder
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.file: ansible.builtin.file:
dest: "{{ keycloak_service_pidfile | dirname }}" dest: "{{ keycloak_service_pidfile | dirname }}"
state: directory state: directory
@ -68,7 +68,7 @@
archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}" archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"
- name: Check download archive path - name: Check download archive path
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ archive }}" path: "{{ archive }}"
register: archive_path register: archive_path
@ -166,13 +166,13 @@
- not archive_path.stat.exists - not archive_path.stat.exists
- local_archive_path.stat is defined - local_archive_path.stat is defined
- local_archive_path.stat.exists - local_archive_path.stat.exists
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
- name: "Check target directory: {{ keycloak.home }}" - name: "Check target directory: {{ keycloak.home }}"
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ keycloak.home }}" path: "{{ keycloak.home }}"
register: path_to_workdir register: path_to_workdir
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
- name: "Extract {{ keycloak_service_desc }} archive on target" - name: "Extract {{ keycloak_service_desc }} archive on target"
ansible.builtin.unarchive: ansible.builtin.unarchive:
@ -182,7 +182,7 @@
creates: "{{ keycloak.home }}" creates: "{{ keycloak.home }}"
owner: "{{ keycloak_service_user }}" owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}" group: "{{ keycloak_service_group }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
when: when:
- new_version_downloaded.changed or not path_to_workdir.stat.exists - new_version_downloaded.changed or not path_to_workdir.stat.exists
notify: notify:
@ -200,13 +200,13 @@
owner: "{{ keycloak_service_user }}" owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}" group: "{{ keycloak_service_group }}"
recurse: true recurse: true
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
changed_when: false changed_when: false
- name: Ensure permissions are correct on existing deploy - name: Ensure permissions are correct on existing deploy
ansible.builtin.command: chown -R "{{ keycloak_service_user }}:{{ keycloak_service_group }}" "{{ keycloak.home }}" ansible.builtin.command: chown -R "{{ keycloak_service_user }}:{{ keycloak_service_group }}" "{{ keycloak.home }}"
when: keycloak_service_runas when: keycloak_service_runas
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
changed_when: false changed_when: false
# driver and configuration # driver and configuration
@ -215,7 +215,7 @@
when: keycloak_jdbc[keycloak_jdbc_engine].enabled when: keycloak_jdbc[keycloak_jdbc_engine].enabled
- name: "Deploy custom {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak_config_override_template }}" - name: "Deploy custom {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak_config_override_template }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.template: ansible.builtin.template:
src: "templates/{{ keycloak_config_override_template }}" src: "templates/{{ keycloak_config_override_template }}"
dest: "{{ keycloak_config_path_to_standalone_xml }}" dest: "{{ keycloak_config_path_to_standalone_xml }}"
@ -227,7 +227,7 @@
when: keycloak_config_override_template | length > 0 when: keycloak_config_override_template | length > 0
- name: "Deploy standalone {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}" - name: "Deploy standalone {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.template: ansible.builtin.template:
src: templates/standalone.xml.j2 src: templates/standalone.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}" dest: "{{ keycloak_config_path_to_standalone_xml }}"
@ -255,7 +255,7 @@
when: keycloak_ha_enabled and keycloak_ha_discovery == 'TCPPING' when: keycloak_ha_enabled and keycloak_ha_discovery == 'TCPPING'
- name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}" - name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.template: ansible.builtin.template:
src: templates/standalone-ha.xml.j2 src: templates/standalone-ha.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}" dest: "{{ keycloak_config_path_to_standalone_xml }}"
@ -270,7 +270,7 @@
- keycloak_config_override_template | length == 0 - keycloak_config_override_template | length == 0
- name: "Deploy HA {{ keycloak.service_name }} config with infinispan remote cache store to {{ keycloak_config_path_to_standalone_xml }}" - name: "Deploy HA {{ keycloak.service_name }} config with infinispan remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.template: ansible.builtin.template:
src: templates/standalone-infinispan.xml.j2 src: templates/standalone-infinispan.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}" dest: "{{ keycloak_config_path_to_standalone_xml }}"
@ -285,7 +285,7 @@
- keycloak_config_override_template | length == 0 - keycloak_config_override_template | length == 0
- name: "Deploy profile.properties file to {{ keycloak_config_path_to_properties }}" - name: "Deploy profile.properties file to {{ keycloak_config_path_to_properties }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.template: ansible.builtin.template:
src: keycloak-profile.properties.j2 src: keycloak-profile.properties.j2
dest: "{{ keycloak_config_path_to_properties }}" dest: "{{ keycloak_config_path_to_properties }}"

2
roles/keycloak/tasks/iptables.yml
View file

@ -6,7 +6,7 @@
- iptables - iptables
- name: "Configure firewall ports for {{ keycloak.service_name }}" - name: "Configure firewall ports for {{ keycloak.service_name }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.iptables: ansible.builtin.iptables:
destination_port: "{{ item }}" destination_port: "{{ item }}"
action: "insert" action: "insert"

8
roles/keycloak/tasks/jdbc_driver.yml
View file

@ -3,7 +3,7 @@
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}" path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
register: dest_path register: dest_path
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
- name: "Set up module dir for JDBC Driver {{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}" - name: "Set up module dir for JDBC Driver {{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}"
ansible.builtin.file: ansible.builtin.file:
@ -13,7 +13,7 @@
owner: "{{ keycloak_service_user }}" owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}" group: "{{ keycloak_service_group }}"
mode: '0750' mode: '0750'
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
when: when:
- not dest_path.stat.exists - not dest_path.stat.exists
- name: "Verify valid parameters for download credentials when specified" - name: "Verify valid parameters for download credentials when specified"
@ -34,7 +34,7 @@
url_password: "{{ keycloak_jdbc_download_pass | default(omit) }}" url_password: "{{ keycloak_jdbc_download_pass | default(omit) }}"
validate_certs: "{{ keycloak_jdbc_download_validate_certs | default(omit) }}" validate_certs: "{{ keycloak_jdbc_download_validate_certs | default(omit) }}"
mode: '0640' mode: '0640'
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
- name: "Deploy module.xml for JDBC Driver" - name: "Deploy module.xml for JDBC Driver"
ansible.builtin.template: ansible.builtin.template:
@ -43,4 +43,4 @@
group: "{{ keycloak_service_group }}" group: "{{ keycloak_service_group }}"
owner: "{{ keycloak_service_user }}" owner: "{{ keycloak_service_user }}"
mode: '0640' mode: '0640'
become: true become: "{{ keycloak_install_requires_become | default(true) }}"

4
roles/keycloak/tasks/main.yml
View file

@ -35,7 +35,7 @@
state: link state: link
src: "{{ keycloak_jboss_home }}/standalone/log" src: "{{ keycloak_jboss_home }}/standalone/log"
dest: "{{ keycloak_log_target }}" dest: "{{ keycloak_log_target }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
- name: Set admin credentials and restart if not already created - name: Set admin credentials and restart if not already created
block: block:
@ -59,7 +59,7 @@
- "-u{{ keycloak_admin_user }}" - "-u{{ keycloak_admin_user }}"
- "-p{{ keycloak_admin_password }}" - "-p{{ keycloak_admin_password }}"
changed_when: true changed_when: true
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
- name: "Restart {{ keycloak.service_name }}" - name: "Restart {{ keycloak.service_name }}"
ansible.builtin.include_tasks: tasks/restart_keycloak.yml ansible.builtin.include_tasks: tasks/restart_keycloak.yml
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}" - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"

4
roles/keycloak/tasks/restart_keycloak.yml
View file

@ -5,7 +5,7 @@
enabled: true enabled: true
state: restarted state: restarted
daemon_reload: true daemon_reload: true
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
delegate_to: "{{ ansible_play_hosts | first }}" delegate_to: "{{ ansible_play_hosts | first }}"
run_once: true run_once: true
@ -24,5 +24,5 @@
name: keycloak name: keycloak
enabled: true enabled: true
state: restarted state: restarted
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
when: inventory_hostname != ansible_play_hosts | first when: inventory_hostname != ansible_play_hosts | first

22
roles/keycloak/tasks/rhsso_patch.yml
View file

@ -12,7 +12,7 @@
path: "{{ patch_archive }}" path: "{{ patch_archive }}"
register: patch_archive_path register: patch_archive_path
when: sso_patch_version is defined when: sso_patch_version is defined
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
- name: Perform patch download from RHN via JBossNetwork API - name: Perform patch download from RHN via JBossNetwork API
delegate_to: localhost delegate_to: localhost
@ -86,7 +86,7 @@
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ patch_archive }}" path: "{{ patch_archive }}"
register: patch_archive_path register: patch_archive_path
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
## copy and unpack ## copy and unpack
- name: Copy patch archive to target nodes - name: Copy patch archive to target nodes
@ -101,15 +101,15 @@
- not patch_archive_path.stat.exists - not patch_archive_path.stat.exists
- local_archive_path.stat is defined - local_archive_path.stat is defined
- local_archive_path.stat.exists - local_archive_path.stat.exists
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
- name: "Check installed patches" - name: "Check installed patches"
ansible.builtin.include_tasks: rhsso_cli.yml ansible.builtin.include_tasks: rhsso_cli.yml
vars: vars:
query: "patch info" patch_query: "patch info"
args: args:
apply: apply:
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
become_user: "{{ keycloak_service_user }}" become_user: "{{ keycloak_service_user }}"
- name: "Perform patching" - name: "Perform patching"
@ -121,21 +121,21 @@
- name: "Apply patch {{ patch_version }} to server" - name: "Apply patch {{ patch_version }} to server"
ansible.builtin.include_tasks: rhsso_cli.yml ansible.builtin.include_tasks: rhsso_cli.yml
vars: vars:
query: "patch apply {{ patch_archive }}" patch_query: "patch apply {{ patch_archive }}"
args: args:
apply: apply:
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
become_user: "{{ keycloak_service_user }}" become_user: "{{ keycloak_service_user }}"
- name: "Restart server to ensure patch content is running" - name: "Restart server to ensure patch content is running"
ansible.builtin.include_tasks: rhsso_cli.yml ansible.builtin.include_tasks: rhsso_cli.yml
vars: vars:
query: "shutdown --restart" patch_query: "shutdown --restart"
when: when:
- cli_result.rc == 0 - cli_result.rc == 0
args: args:
apply: apply:
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
become_user: "{{ keycloak_service_user }}" become_user: "{{ keycloak_service_user }}"
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}" - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
@ -149,10 +149,10 @@
- name: "Query installed patch after restart" - name: "Query installed patch after restart"
ansible.builtin.include_tasks: rhsso_cli.yml ansible.builtin.include_tasks: rhsso_cli.yml
vars: vars:
query: "patch info" patch_query: "patch info"
args: args:
apply: apply:
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
become_user: "{{ keycloak_service_user }}" become_user: "{{ keycloak_service_user }}"
- name: "Verify installed patch version" - name: "Verify installed patch version"

2
roles/keycloak/tasks/start_keycloak.yml
View file

@ -5,7 +5,7 @@
enabled: true enabled: true
state: started state: started
daemon_reload: true daemon_reload: true
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}" - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
ansible.builtin.uri: ansible.builtin.uri:

2
roles/keycloak/tasks/stop_keycloak.yml
View file

@ -4,4 +4,4 @@
name: keycloak name: keycloak
enabled: true enabled: true
state: stopped state: stopped
become: true become: "{{ keycloak_install_requires_become | default(true) }}"

6
roles/keycloak/tasks/systemd.yml
View file

@ -1,6 +1,6 @@
--- ---
- name: "Configure {{ keycloak.service_name }} service script wrapper" - name: "Configure {{ keycloak.service_name }} service script wrapper"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.template: ansible.builtin.template:
src: keycloak-service.sh.j2 src: keycloak-service.sh.j2
dest: "{{ keycloak_dest }}/keycloak-service.sh" dest: "{{ keycloak_dest }}/keycloak-service.sh"
@ -11,7 +11,7 @@
- restart keycloak - restart keycloak
- name: "Configure sysconfig file for {{ keycloak.service_name }} service" - name: "Configure sysconfig file for {{ keycloak.service_name }} service"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.template: ansible.builtin.template:
src: keycloak-sysconfig.j2 src: keycloak-sysconfig.j2
dest: "{{ keycloak_sysconf_file }}" dest: "{{ keycloak_sysconf_file }}"
@ -28,7 +28,7 @@
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
register: systemdunit register: systemdunit
notify: notify:
- restart keycloak - restart keycloak

2
roles/keycloak_quarkus/tasks/bootstrapped.yml
View file

@ -1,6 +1,6 @@
--- ---
- name: Save ansible custom facts - name: Save ansible custom facts
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.template: ansible.builtin.template:
src: keycloak.fact.j2 src: keycloak.fact.j2
dest: /etc/ansible/facts.d/keycloak.fact dest: /etc/ansible/facts.d/keycloak.fact

6
roles/keycloak_quarkus/tasks/config_store.yml
View file

@ -6,7 +6,7 @@
value: "{{ keycloak_quarkus_db_pass }}" value: "{{ keycloak_quarkus_db_pass }}"
- name: "Initialize empty configuration key store" - name: "Initialize empty configuration key store"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
# keytool doesn't allow creating an empty key store, so this is a hacky way around it # keytool doesn't allow creating an empty key store, so this is a hacky way around it
ansible.builtin.shell: | # noqa blocked_modules shell is necessary here ansible.builtin.shell: | # noqa blocked_modules shell is necessary here
set -o nounset # abort on unbound variable set -o nounset # abort on unbound variable
@ -38,7 +38,7 @@
echo {{ item.value | quote }} | keytool -noprompt -importpass -alias {{ item.key | quote }} -keystore {{ keycloak_quarkus_config_key_store_file | quote }} -storepass {{ keycloak_quarkus_config_key_store_password | quote }} -storetype PKCS12 echo {{ item.value | quote }} | keytool -noprompt -importpass -alias {{ item.key | quote }} -keystore {{ keycloak_quarkus_config_key_store_file | quote }} -storepass {{ keycloak_quarkus_config_key_store_password | quote }} -storetype PKCS12
loop: "{{ store_items }}" loop: "{{ store_items }}"
no_log: true no_log: true
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
changed_when: true changed_when: true
notify: notify:
- restart keycloak - restart keycloak
@ -49,4 +49,4 @@
owner: "{{ keycloak.service_user }}" owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}" group: "{{ keycloak.service_group }}"
mode: '0400' mode: '0400'
become: true become: "{{ keycloak_install_requires_become | default(true) }}"

4
roles/keycloak_quarkus/tasks/fastpackages.yml
View file

@ -13,7 +13,7 @@
when: ansible_facts.os_family == "RedHat" when: ansible_facts.os_family == "RedHat"
- name: "Install packages: {{ packages_to_install }}" - name: "Install packages: {{ packages_to_install }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.dnf: ansible.builtin.dnf:
name: "{{ packages_to_install }}" name: "{{ packages_to_install }}"
state: present state: present
@ -22,7 +22,7 @@
- ansible_facts.os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- name: "Install packages: {{ packages_list }}" - name: "Install packages: {{ packages_list }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.package: ansible.builtin.package:
name: "{{ packages_list }}" name: "{{ packages_list }}"
state: present state: present

4
roles/keycloak_quarkus/tasks/firewalld.yml
View file

@ -6,14 +6,14 @@
- firewalld - firewalld
- name: Enable and start the firewalld service - name: Enable and start the firewalld service
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.systemd: ansible.builtin.systemd:
name: firewalld name: firewalld
enabled: true enabled: true
state: started state: started
- name: "Configure firewall for {{ keycloak.service_name }} ports" - name: "Configure firewall for {{ keycloak.service_name }} ports"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.posix.firewalld: ansible.posix.firewalld:
port: "{{ item }}" port: "{{ item }}"
permanent: true permanent: true

30
roles/keycloak_quarkus/tasks/install.yml
View file

@ -12,13 +12,13 @@
quiet: true quiet: true
- name: Check for an existing deployment - name: Check for an existing deployment
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ keycloak.home }}" path: "{{ keycloak.home }}"
register: existing_deploy register: existing_deploy
- name: "Create {{ keycloak.service_name }} service user/group" - name: "Create {{ keycloak.service_name }} service user/group"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.user: ansible.builtin.user:
name: "{{ keycloak.service_user }}" name: "{{ keycloak.service_user }}"
home: /opt/keycloak home: /opt/keycloak
@ -26,7 +26,7 @@
create_home: false create_home: false
- name: "Create {{ keycloak.service_name }} install location" - name: "Create {{ keycloak.service_name }} install location"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.file: ansible.builtin.file:
dest: "{{ keycloak_quarkus_dest }}" dest: "{{ keycloak_quarkus_dest }}"
state: directory state: directory
@ -35,7 +35,7 @@
mode: '0750' mode: '0750'
- name: Create directory for ansible custom facts - name: Create directory for ansible custom facts
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.file: ansible.builtin.file:
state: directory state: directory
recurse: true recurse: true
@ -47,7 +47,7 @@
archive: "{{ keycloak_quarkus_dest }}/{{ keycloak.bundle }}" archive: "{{ keycloak_quarkus_dest }}/{{ keycloak.bundle }}"
- name: Check download archive path - name: Check download archive path
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ archive }}" path: "{{ archive }}"
register: archive_path register: archive_path
@ -148,13 +148,13 @@
- not archive_path.stat.exists - not archive_path.stat.exists
- local_archive_path.stat is defined - local_archive_path.stat is defined
- local_archive_path.stat.exists - local_archive_path.stat.exists
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
- name: "Check target directory: {{ keycloak.home }}/bin/" - name: "Check target directory: {{ keycloak.home }}/bin/"
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ keycloak.home }}/bin/" path: "{{ keycloak.home }}/bin/"
register: path_to_workdir register: path_to_workdir
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
- name: "Extract Keycloak archive on target" # noqa no-handler need to run this here - name: "Extract Keycloak archive on target" # noqa no-handler need to run this here
ansible.builtin.unarchive: ansible.builtin.unarchive:
@ -164,7 +164,7 @@
creates: "{{ keycloak.home }}/bin/" creates: "{{ keycloak.home }}/bin/"
owner: "{{ keycloak.service_user }}" owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}" group: "{{ keycloak.service_group }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
when: when:
- (not path_to_workdir.stat.exists) or new_version_downloaded.changed - (not path_to_workdir.stat.exists) or new_version_downloaded.changed
notify: notify:
@ -183,7 +183,7 @@
owner: "{{ keycloak.service_user }}" owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}" group: "{{ keycloak.service_group }}"
mode: '0640' mode: '0640'
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
when: when:
- keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled - keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
- keycloak_quarkus_key_file_copy_enabled is defined and keycloak_quarkus_key_file_copy_enabled - keycloak_quarkus_key_file_copy_enabled is defined and keycloak_quarkus_key_file_copy_enabled
@ -196,7 +196,7 @@
owner: "{{ keycloak.service_user }}" owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}" group: "{{ keycloak.service_group }}"
mode: '0644' mode: '0644'
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
when: when:
- keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled - keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
- keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled - keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled
@ -215,7 +215,7 @@
owner: "{{ keycloak.service_user }}" owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}" group: "{{ keycloak.service_group }}"
mode: '0640' mode: '0640'
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
loop: "{{ keycloak_quarkus_providers }}" loop: "{{ keycloak_quarkus_providers }}"
when: item.url is defined and item.url | length > 0 when: item.url is defined and item.url | length > 0
notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}" notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}"
@ -244,7 +244,7 @@
owner: "{{ keycloak.service_user }}" owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}" group: "{{ keycloak.service_group }}"
mode: '0640' mode: '0640'
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
loop: "{{ keycloak_quarkus_providers }}" loop: "{{ keycloak_quarkus_providers }}"
when: item.maven is defined when: item.maven is defined
no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}" no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}"
@ -256,7 +256,7 @@
owner: "{{ keycloak.service_user }}" owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}" group: "{{ keycloak.service_group }}"
mode: '0640' mode: '0640'
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
loop: "{{ keycloak_quarkus_providers }}" loop: "{{ keycloak_quarkus_providers }}"
when: item.local_path is defined when: item.local_path is defined
notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}" notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}"
@ -268,7 +268,7 @@
owner: "{{ keycloak.service_user }}" owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}" group: "{{ keycloak.service_group }}"
mode: '0750' mode: '0750'
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
loop: "{{ keycloak_quarkus_supported_policy_types }}" loop: "{{ keycloak_quarkus_supported_policy_types }}"
- name: "Install custom policies" - name: "Install custom policies"
@ -278,7 +278,7 @@
owner: "{{ keycloak.service_user }}" owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}" group: "{{ keycloak.service_group }}"
mode: '0640' mode: '0640'
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
loop: "{{ keycloak_quarkus_policies }}" loop: "{{ keycloak_quarkus_policies }}"
when: item.url is defined and item.url | length > 0 when: item.url is defined and item.url | length > 0
notify: "restart keycloak" notify: "restart keycloak"

2
roles/keycloak_quarkus/tasks/invalidate_theme_cache.yml
View file

@ -8,4 +8,4 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ keycloak.home }}/data/tmp/kc-gzip-cache" path: "{{ keycloak.home }}/data/tmp/kc-gzip-cache"
state: absent state: absent
become: true become: "{{ keycloak_install_requires_become | default(true) }}"

2
roles/keycloak_quarkus/tasks/iptables.yml
View file

@ -6,7 +6,7 @@
- iptables - iptables
- name: "Configure firewall ports for {{ keycloak.service_name }}" - name: "Configure firewall ports for {{ keycloak.service_name }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.iptables: ansible.builtin.iptables:
destination_port: "{{ item }}" destination_port: "{{ item }}"
action: "insert" action: "insert"

2
roles/keycloak_quarkus/tasks/jdbc_driver.yml
View file

@ -17,6 +17,6 @@
url_password: "{{ keycloak_quarkus_jdbc_download_pass | default(omit) }}" url_password: "{{ keycloak_quarkus_jdbc_download_pass | default(omit) }}"
validate_certs: "{{ keycloak_quarkus_jdbc_download_validate_certs | default(omit) }}" validate_certs: "{{ keycloak_quarkus_jdbc_download_validate_certs | default(omit) }}"
mode: '0640' mode: '0640'
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
notify: notify:
- restart keycloak - restart keycloak

6
roles/keycloak_quarkus/tasks/main.yml
View file

@ -53,7 +53,7 @@
owner: "{{ keycloak.service_user }}" owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}" group: "{{ keycloak.service_group }}"
mode: '0640' mode: '0640'
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
loop: loop:
- keycloak.conf - keycloak.conf
- quarkus.properties - quarkus.properties
@ -69,7 +69,7 @@
owner: "{{ keycloak.service_user }}" owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}" group: "{{ keycloak.service_group }}"
mode: '0775' mode: '0775'
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
- name: Flush pending handlers - name: Flush pending handlers
ansible.builtin.meta: flush_handlers ansible.builtin.meta: flush_handlers
@ -83,7 +83,7 @@
src: "{{ keycloak.log.file | dirname }}" src: "{{ keycloak.log.file | dirname }}"
dest: "{{ keycloak_quarkus_log_target }}" dest: "{{ keycloak_quarkus_log_target }}"
force: true force: true
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
- name: Check service status - name: Check service status
ansible.builtin.systemd_service: ansible.builtin.systemd_service:

2
roles/keycloak_quarkus/tasks/rebuild_config.yml
View file

@ -6,5 +6,5 @@
environment: environment:
PATH: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" PATH: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
JAVA_HOME: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}" JAVA_HOME: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
changed_when: true changed_when: true

2
roles/keycloak_quarkus/tasks/restart.yml
View file

@ -5,7 +5,7 @@
enabled: true enabled: true
state: restarted state: restarted
daemon_reload: true daemon_reload: true
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
- name: "Wait until {{ keycloak.service_name }} service becomes active {{ keycloak.health_url }}" - name: "Wait until {{ keycloak.service_name }} service becomes active {{ keycloak.health_url }}"
ansible.builtin.uri: ansible.builtin.uri:

2
roles/keycloak_quarkus/tasks/restart/serial_then_parallel.yml
View file

@ -16,5 +16,5 @@
enabled: true enabled: true
state: restarted state: restarted
daemon_reload: true daemon_reload: true
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
when: inventory_hostname != ansible_play_hosts | first when: inventory_hostname != ansible_play_hosts | first

2
roles/keycloak_quarkus/tasks/start.yml
View file

@ -5,7 +5,7 @@
enabled: true enabled: true
state: started state: started
daemon_reload: true daemon_reload: true
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}" - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
ansible.builtin.uri: ansible.builtin.uri:

4
roles/keycloak_quarkus/tasks/systemd.yml
View file

@ -1,6 +1,6 @@
--- ---
- name: "Configure sysconfig file for {{ keycloak.service_name }} service" - name: "Configure sysconfig file for {{ keycloak.service_name }} service"
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
ansible.builtin.template: ansible.builtin.template:
src: keycloak-sysconfig.j2 src: keycloak-sysconfig.j2
dest: "{{ keycloak_quarkus_sysconf_file }}" dest: "{{ keycloak_quarkus_sysconf_file }}"
@ -19,7 +19,7 @@
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
become: true become: "{{ keycloak_install_requires_become | default(true) }}"
register: systemdunit register: systemdunit
notify: notify:
- restart keycloak - restart keycloak