Merge branch 'main' into ubuntu

2025-04-06 10:50:31 -07:00 · 2024-03-17 05:35:09 -04:00 · 2024-03-17 05:35:09 -04:00 · fdce0bd922
commit fdce0bd922
parent b9d9874a00 1cecf51f37
21 changed files with 79 additions and 78 deletions
--- a/molecule/overridexml/converge.yml
+++ b/molecule/overridexml/converge.yml
@ -1,7 +1,7 @@
 ---
 - name: Converge
  hosts: all
-  vars: 
+  vars:
    keycloak_admin_password: "remembertochangeme"
    keycloak_config_override_template: custom.xml.j2
    keycloak_http_port: 8081
@ -9,47 +9,3 @@
    keycloak_service_runas: True
  roles:
    - role: keycloak
  tasks:
    - name: Keycloak Realm Role
      ansible.builtin.include_role:
        name: keycloak_realm
      vars:
        keycloak_client_default_roles:
          - TestRoleAdmin
          - TestRoleUser
        keycloak_client_users:
          - username: TestUser
            password: password
            client_roles:
              - client: TestClient
                role: TestRoleUser
                realm: "{{ keycloak_realm }}"
          - username: TestAdmin
            password: password
            client_roles:
              - client: TestClient
                role: TestRoleUser
                realm: "{{ keycloak_realm }}"
              - client: TestClient
                role: TestRoleAdmin
                realm: "{{ keycloak_realm }}"
        keycloak_realm: TestRealm
        keycloak_clients:
          - name: TestClient
            roles: "{{ keycloak_client_default_roles }}"
            realm: "{{ keycloak_realm }}"
            public_client: "{{ keycloak_client_public }}"
            web_origins: "{{ keycloak_client_web_origins }}"
            users: "{{ keycloak_client_users }}"
            client_id: TestClient
  pre_tasks:
    - name: "Retrieve assets server from env"
      ansible.builtin.set_fact:
        assets_server: "{{ lookup('env','MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
    - name: "Set offline when assets server from env is defined"
      ansible.builtin.set_fact:
        sso_offline_install: True
      when:
        - assets_server is defined
        - assets_server | length > 0
--- a/molecule/overridexml/templates/custom.xml.j2
+++ b/molecule/overridexml/templates/custom.xml.j2
@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+<!-- this is a custom file -->
 <server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
@ -44,7 +44,7 @@
        </audit-log>
        <management-interfaces>
            <http-interface http-authentication-factory="management-http-authentication">
-                <http-upgrade enabled="true"/>
+                <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
                <socket-binding http="management-http"/>
            </http-interface>
        </management-interfaces>
@ -481,8 +481,8 @@
                <default-provider>default</default-provider>
                <provider name="default" enabled="true">
                    <properties>
-                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
+                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
                    </properties>
                </provider>
            </spi>
@ -520,7 +520,8 @@
        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
            <buffer-cache name="default"/>
            <server name="default-server">
-                <http-listener name="default" socket-binding="http"/>
+                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <http-invoker http-authentication-factory="application-http-authentication"/>
@ -533,20 +534,25 @@
            <handlers>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>
            <application-security-domains>
                <application-security-domain name="other" security-domain="ApplicationDomain"/>
            </application-security-domains>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
    </profile>
    <interfaces>
        <interface name="management">
-            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
+            <inet-address value="127.0.0.1"/>
        </interface>
        <interface name="public">
-            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
+            <inet-address value="127.0.0.1"/>
        </interface>
    </interfaces>
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="http" port="8081"/>
        <socket-binding name="https" port="8443"/>
        <socket-binding name="management-http" interface="management" port="19990"/>
        <socket-binding name="management-https" interface="management" port="19991"/>
        <socket-binding name="txn-recovery-environment" port="4712"/>
        <socket-binding name="txn-status-manager" port="4713"/>
        <outbound-socket-binding name="mail-smtp">
--- a/molecule/overridexml/verify.yml
+++ b/molecule/overridexml/verify.yml
@ -1,6 +1,10 @@
 ---
 - name: Verify
  hosts: all
  vars:
    keycloak_uri: "http://localhost:8081"
    keycloak_management_port: "http://localhost:19990"
    keycloak_admin_password: "remembertochangeme"
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
@ -9,3 +13,20 @@
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
    - name: Verify we are running on requested jvm # noqa blocked_modules command-instead-of-module
      ansible.builtin.shell: |
        set -o pipefail
        ps -ef | grep '/etc/alternatives/jre_1.8.0/' | grep -v grep
      args:
        executable: /bin/bash
      changed_when: no
    - name: Verify token api call
      ansible.builtin.uri:
        url: "{{ keycloak_uri }}/auth/realms/master/protocol/openid-connect/token"
        method: POST
        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
        validate_certs: no
      register: keycloak_auth_response
      until: keycloak_auth_response.status == 200
      retries: 2
      delay: 2
--- a/molecule/prepare.yml
+++ b/molecule/prepare.yml
@ -3,28 +3,31 @@
  ansible.builtin.debug:
    msg: "Ansible version is  {{ ansible_version.full }}"
 - name: "Set package name for sudo"
  ansible.builtin.set_fact:
    sudo_pkg_name: sudo
 - name: "Ensure {{ sudo_pkg_name }} is installed (if user is root)."
  ansible.builtin.yum:
    name: "{{ sudo_pkg_name }}"
    state: present
  when:
    - ansible_user_id == 'root'
 - name: Gather the package facts
  ansible.builtin.package_facts:
    manager: auto
- name: "Check if {{ sudo_pkg_name }} is installed."
+- name: "Check if sudo is installed."
  ansible.builtin.assert:
    that:
      - sudo_pkg_name in ansible_facts.packages
    fail_msg: "sudo is not installed on target system"
- name: Install sudo
+- name: "Install iproute"
  become: yes
  ansible.builtin.yum:
    name:
      - sudo
      - iproute
    state: present
@ -36,6 +39,8 @@
  when:
    - assets_server is defined
    - assets_server | length > 0
    - assets is defined
    - assets | length > 0
  block:
    - name: "Set offline when assets server from env is defined"
      ansible.builtin.set_fact:
--- a/molecule/quarkus-devmode/prepare.yml
+++ b/molecule/quarkus-devmode/prepare.yml
@ -11,16 +11,20 @@
      when:
        - ansible_facts.os_family == 'Debian'
-    - name: Install sudo
+    - name: "Ensure common prepare phase are set."
      ansible.builtin.include_tasks: ../prepare.yml
    - name: Install JDK17
      become: yes
      ansible.builtin.yum:
        name:
          - sudo
          - java-17-openjdk-headless
        state: present
      when:
        - ansible_facts.os_family == 'RedHat'
    - name: Link default logs directory
      become: yes
      ansible.builtin.file:
        state: link
        src: "{{ item }}"
--- a/molecule/quarkus/prepare.yml
+++ b/molecule/quarkus/prepare.yml
@ -10,6 +10,9 @@
    - name: "Display hera_home if defined."
      ansible.builtin.set_fact:
        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
    - name: "Ensure common prepare phase are set."
      ansible.builtin.include_tasks: ../prepare.yml
    - name: Create certificate request
      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
@ -17,12 +20,14 @@
      changed_when: False
    - name: Create conf directory # risky-file-permissions in test user account does not exist yet
      become: yes
      ansible.builtin.file:
        state: directory
        path: "/opt/keycloak/certs/"
        mode: 0755
    - name: Copy certificates
      become: yes
      ansible.builtin.copy:
        src: "{{ item }}"
        dest: "/opt/keycloak/certs/{{ item }}"
--- a/molecule/quarkus/verify.yml
+++ b/molecule/quarkus/verify.yml
@ -49,8 +49,9 @@
          - keycloak_log_folder.stat.exists
          - not keycloak_log_folder.stat.isdir
          - keycloak_log_folder.stat.islnk
-          
+
    - name: Check log file
      become: yes
      ansible.builtin.stat:
        path: "/tmp/keycloak/keycloak.log"
      register: keycloak_log_file
@ -62,6 +63,7 @@
          - not keycloak_log_file.stat.isdir
    - name: Check default log folder
      become: yes
      ansible.builtin.stat:
        path: "/var/log/keycloak"
      register: keycloak_default_log_folder
--- a/roles/keycloak/tasks/rhsso_patch.yml
+++ b/roles/keycloak/tasks/rhsso_patch.yml
@ -36,7 +36,9 @@
    - name: Determine patch versions list
      ansible.builtin.set_fact:
-        filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | map('regex_replace', '[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*)-.*', '\\1') | list | unique }}"
+        filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | \
                               select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | \
                               map('regex_replace', '[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*(-[0-9])?)-.*', '\\1') | list | unique }}"
      when: sso_patch_version is not defined or sso_patch_version | length == 0
      delegate_to: localhost
      run_once: true
@ -70,7 +72,7 @@
      middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
        client_id: "{{ rhn_username }}"
        client_secret: "{{ rhn_password }}"
-        product_id: "{{ (rhn_filtered_products | first).id }}"
+        product_id: "{{ (rhn_filtered_products | sort | last).id }}"
        dest: "{{ local_path.stat.path }}/{{ patch_bundle }}"
      no_log: "{{ omit_rhn_output | default(true) }}"
      delegate_to: localhost
@ -114,7 +116,7 @@
  when:
    - cli_result is defined
    - cli_result.stdout is defined
-    - patch_version not in cli_result.stdout
+    - patch_version | regex_replace('-[0-9]$', '') not in cli_result.stdout
  block:
    - name: "Apply patch {{ patch_version }} to server"
      ansible.builtin.include_tasks: rhsso_cli.yml
--- a/roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2
+++ b/roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2
@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
--- a/roles/keycloak/templates/15.0.8/standalone.xml.j2
+++ b/roles/keycloak/templates/15.0.8/standalone.xml.j2
@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
--- a/roles/keycloak/templates/keycloak-service.sh.j2
+++ b/roles/keycloak/templates/keycloak-service.sh.j2
@ -1,5 +1,5 @@
 #!/bin/bash -eu
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 set +u -o pipefail
--- a/roles/keycloak/templates/keycloak-sysconfig.j2
+++ b/roles/keycloak/templates/keycloak-sysconfig.j2
@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 JAVA_OPTS='{{ keycloak_java_opts }}'
 JAVA_HOME={{ keycloak_java_home  | default(keycloak_rpm_java_home, true) }}
 JBOSS_HOME={{ keycloak.home }}
--- a/roles/keycloak/templates/keycloak.service.j2
+++ b/roles/keycloak/templates/keycloak.service.j2
@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 [Unit]
 Description={{ keycloak.service_name }} Server
 After=network.target
--- a/roles/keycloak/templates/standalone-ha.xml.j2
+++ b/roles/keycloak/templates/standalone-ha.xml.j2
@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
--- a/roles/keycloak/templates/standalone-infinispan.xml.j2
+++ b/roles/keycloak/templates/standalone-infinispan.xml.j2
@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
--- a/roles/keycloak/templates/standalone.xml.j2
+++ b/roles/keycloak/templates/standalone.xml.j2
@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
@ -539,7 +539,7 @@
            </mail-session>
        </subsystem>
        <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
-{% if keycloak_modcluster.enabled %}        
+{% if keycloak_modcluster.enabled %}
        <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
            <proxy name="default" advertise="false" listener="ajp" proxies="{{ ['proxy_'] | product(keycloak_modcluster.reverse_proxy_urls | map(attribute='host')) | map('join') | list | join(' ') }}">
                <dynamic-load-provider>
@ -547,7 +547,7 @@
                </dynamic-load-provider>
            </proxy>
        </subsystem>
-{% endif %}        
+{% endif %}
        <subsystem xmlns="urn:jboss:domain:naming:2.0">
            <remote-naming/>
        </subsystem>
@ -621,6 +621,6 @@
            <remote-destination host="{{ modcluster.host }}" port="{{ modcluster.port }}"/>
        </outbound-socket-binding>
 {% endfor %}
-{% endif %}        
+{% endif %}
    </socket-binding-group>
 </server>
--- a/roles/keycloak_quarkus/templates/cache-ispn.xml.j2
+++ b/roles/keycloak_quarkus/templates/cache-ispn.xml.j2
@ -1,4 +1,4 @@
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <!--
  ~ Copyright 2019 Red Hat, Inc. and/or its affiliates
  ~ and other contributors as indicated by the @author tags.
--- a/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
+++ b/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }}
 KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'
 PATH={{ keycloak_quarkus_java_home | default(keycloak_rpm_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
--- a/roles/keycloak_quarkus/templates/keycloak.conf.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.conf.j2
@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 {% if keycloak_quarkus_db_enabled %}
 # Database
--- a/roles/keycloak_quarkus/templates/keycloak.service.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.service.j2
@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 [Unit]
 Description=Keycloak Server
 After=network.target
--- a/roles/keycloak_quarkus/templates/quarkus.properties.j2
+++ b/roles/keycloak_quarkus/templates/quarkus.properties.j2
@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 {% if keycloak_quarkus_ha_enabled %}
 {% if not rhbk_enable or keycloak_quarkus_version.split('.')[0]|int < 22 %}
 quarkus.infinispan-client.server-list={{ keycloak_quarkus_ispn_hosts }}