ansible-collections/middleware_automation.keycloak
1
0
Fork 0
mirror of https://github.com/ansible-middleware/keycloak.git synced 2025-04-06 10:50:31 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge pull request #134 from guidograzioli/linter_yaml_2

Browse source 
Linter yaml 2
This commit is contained in:
Guido Grazioli 2023-12-01 12:42:10 +01:00 committed by GitHub
commit fea7ae0c6f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
41 changed files with 213 additions and 221 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/ci.yml vendored
View file

@ -4,7 +4,7 @@ on:
push:
branches:
- main
pull_request:
pull_request_target:
schedule:
- cron: '0 6 * * *'

4
README.md
View file

@ -66,11 +66,11 @@ For full service configuration details, refer to the [keycloak role README](http
#### Install from controller node (offline)
Making the keycloak zip archive available to the playbook working directory, and setting `keycloak_offline_install` to `True`, allows to skip
Making the keycloak zip archive available to the playbook working directory, and setting `keycloak_offline_install` to `true`, allows to skip
the download tasks. The local path for the archive does match the downloaded archive path, so that it is also used as a cache when multiple hosts are provisioned in a cluster.
```yaml
keycloak_offline_install: True
keycloak_offline_install: true
```

2
meta/runtime.yml
View file

@ -1,2 +1,2 @@
---
requires_ansible: ">=2.14.0"
requires_ansible: ">=2.14.0"

14
playbooks/keycloak_federation.yml
View file

@ -55,14 +55,14 @@
- TestClient1Admin
- TestClient1User
realm: "{{ keycloak_realm }}"
public_client: True
public_client: true
web_origins:
- http://testclient1origin/application
- http://testclient1origin/other
users:
- username: TestUser
password: password
client_roles:
- client: TestClient1
role: TestClient1User
realm: "{{ keycloak_realm }}"
- username: TestUser
password: password
client_roles:
- client: TestClient1
role: TestClient1User
realm: "{{ keycloak_realm }}"

2
playbooks/keycloak_quarkus.yml
View file

@ -7,7 +7,7 @@
keycloak_quarkus_port: 8443
keycloak_quarkus_http_relative_path: ''
keycloak_quarkus_log: file
keycloak_quarkus_https_key_file_enabled: True
keycloak_quarkus_https_key_file_enabled: true
keycloak_quarkus_key_file: conf/key.pem
keycloak_quarkus_cert_file: conf/cert.pem
roles:

14
playbooks/keycloak_realm.yml
View file

@ -10,17 +10,17 @@
- TestClient1Admin
- TestClient1User
realm: TestRealm
public_client: True
public_client: true
web_origins:
- http://testclient1origin/application
- http://testclient1origin/other
users:
- username: TestUser
password: password
client_roles:
- client: TestClient1
role: TestClient1User
realm: TestRealm
- username: TestUser
password: password
client_roles:
- client: TestClient1
role: TestClient1User
realm: TestRealm
roles:
- role: middleware_automation.keycloak.keycloak_realm
keycloak_realm: TestRealm

2
playbooks/rhsso.yml
View file

@ -3,6 +3,6 @@
hosts: sso
vars:
keycloak_admin_password: "remembertochangeme"
sso_enable: True
sso_enable: true
roles:
- middleware_automation.keycloak.keycloak

30
roles/keycloak/README.md
View file

@ -39,7 +39,7 @@ Versions
Patching
--------
When variable `keycloak_rhsso_apply_patches` is `True` (default: `False`), the role will automatically apply the latest cumulative patch for the selected base version.
When variable `keycloak_rhsso_apply_patches` is `true` (default: `false`), the role will automatically apply the latest cumulative patch for the selected base version.
| RH-SSO VERSION | Release Date | RH-SSO LATEST CP | Notes |
|:---------------|:------------------|:-----------------|:----------------|
@ -55,7 +55,7 @@ Role Defaults
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
|`keycloak_ha_discovery`| Discovery protocol for HA cluster members | `JDBC_PING` if keycloak_db_enabled else `TCPPING` |
|`keycloak_ha_discovery`| Discovery protocol for HA cluster members | `JDBC_PING` if `keycloak_db_enabled` else `TCPPING` |
|`keycloak_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_ha_enabled` is True, else `False` |
|`keycloak_remote_cache_enabled`| Enable remote cache store when in clustered ha configurations | `True` if `keycloak_ha_enabled` else `False` |
|`keycloak_admin_user`| Administration console user account | `admin` |
@ -68,19 +68,19 @@ Role Defaults
|`keycloak_jgroups_port`| jgroups cluster tcp port | `7600` |
|`keycloak_management_http_port`| Management port | `9990` |
|`keycloak_management_https_port`| TLS management port | `9993` |
|`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `True` |
|`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `true` |
|`keycloak_config_standalone_xml`| filename for configuration | `keycloak.xml` |
|`keycloak_service_user`| posix account username | `keycloak` |
|`keycloak_service_group`| posix account group | `keycloak` |
|`keycloak_service_restart_always`| systemd restart always behavior activation | `False`
|`keycloak_service_restart_on_failure`| systemd restart on-failure behavior activation | `False`
|`keycloak_service_restart_always`| systemd restart always behavior activation | `False` |
|`keycloak_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` |
|`keycloak_service_startlimitintervalsec`| systemd StartLimitIntervalSec | `300` |
|`keycloak_service_startlimitburst`| systemd StartLimitBurst | `5` |
|`keycloak_service_restartsec`| systemd RestartSec | `10s` |
|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak/keycloak.pid` |
|`keycloak_features` | List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]` | `[]`
|`keycloak_jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-headless` |
|`keycloak_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path | `None` |
|`keycloak_java_home`| `JAVA_HOME` of installed JRE, leave empty for using RPM path at `keycloak_jvm_package` | `None` |
|`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
@ -88,12 +88,12 @@ Role Defaults
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_offline_install` | perform an offline install | `False`|
|`keycloak_offline_install` | perform an offline install | `false`|
|`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`|
|`keycloak_version`| keycloak.org package version | `18.0.2` |
|`keycloak_dest`| Installation root path | `/opt/keycloak` |
|`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
|`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
|`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `false` |
* Miscellaneous configuration
@ -110,13 +110,13 @@ Role Defaults
|`keycloak_config_override_template` | Path to custom template for standalone.xml configuration | `''` |
|`keycloak_auth_realm` | Name for rest authentication realm | `master` |
|`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
|`keycloak_force_install` | Remove pre-existing versions of service | `False` |
|`keycloak_force_install` | Remove pre-existing versions of service | `false` |
|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}` |
|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}` |
|`keycloak_frontend_url_force` | Force backend requests to use the frontend URL | `False` |
|`keycloak_db_background_validation` | Enable background validation of database connection | `False` |
|`keycloak_frontend_url_force` | Force backend requests to use the frontend URL | `false` |
|`keycloak_db_background_validation` | Enable background validation of database connection | `false` |
|`keycloak_db_background_validation_millis`| How frequenly the connection pool is validated in the background | `10000` if background validation enabled |
|`keycloak_db_background_validate_on_match` | Enable validate on match for database connections | `False` |
|`keycloak_db_background_validate_on_match` | Enable validate on match for database connections | `false` |
|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |
|`keycloak_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` |
@ -132,7 +132,7 @@ The following are a set of _required_ variables for the role:
|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |
The following parameters are _required_ only when `keycloak_ha_enabled` is True:
The following parameters are _required_ only when `keycloak_ha_enabled` is true:
| Variable | Description | Default |
|:---------|:------------|:--------|
@ -150,7 +150,7 @@ The following parameters are _required_ only when `keycloak_ha_enabled` is True:
|`keycloak_infinispan_trust_store_password`| Password for opening truststore | `changeit` |
The following parameters are _required_ only when `keycloak_db_enabled` is True:
The following parameters are _required_ only when `keycloak_db_enabled` is true:
| Variable | Description | Default |
|:---------|:------------|:---------|
@ -196,7 +196,7 @@ Example Playbook
name: keycloak
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_offline_install: True
keycloak_offline_install: true
# This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip
```

24
roles/keycloak/defaults/main.yml
View file

@ -5,7 +5,7 @@ keycloak_archive: "keycloak-legacy-{{ keycloak_version }}.zip"
keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
keycloak_offline_install: False
keycloak_offline_install: false
### Install location and service settings
keycloak_jvm_package: java-1.8.0-openjdk-headless
@ -26,13 +26,13 @@ keycloak_service_name: keycloak
keycloak_service_desc: Keycloak
keycloak_service_start_delay: 10
keycloak_service_start_retries: 25
keycloak_service_restart_always: False
keycloak_service_restart_on_failure: False
keycloak_service_restart_always: false
keycloak_service_restart_on_failure: false
keycloak_service_startlimitintervalsec: "300"
keycloak_service_startlimitburst: "5"
keycloak_service_restartsec: "10s"
keycloak_configure_firewalld: False
keycloak_configure_firewalld: false
### administrator console password
keycloak_admin_password: ''
@ -49,11 +49,11 @@ keycloak_management_port_bind_address: 127.0.0.1
keycloak_management_http_port: 9990
keycloak_management_https_port: 9993
keycloak_java_opts: "-Xms1024m -Xmx2048m"
keycloak_prefer_ipv4: True
keycloak_prefer_ipv4: true
keycloak_features: []
### Enable configuration for database backend, clustering and remote caches on infinispan
keycloak_ha_enabled: False
keycloak_ha_enabled: false
### Enable database configuration, must be enabled when HA is configured
keycloak_db_enabled: "{{ True if keycloak_ha_enabled else False }}"
### Discovery protocol for ha cluster members, valus [ 'JDBC_PING', 'TCPPING' ]
@ -66,7 +66,7 @@ keycloak_admin_user: admin
keycloak_auth_realm: master
keycloak_auth_client: admin-cli
keycloak_force_install: False
keycloak_force_install: false
### mod_cluster reverse proxy list
keycloak_modcluster_enabled: "{{ True if keycloak_ha_enabled else False }}"
@ -78,7 +78,7 @@ keycloak_modcluster_urls:
### keycloak frontend url
keycloak_frontend_url: http://localhost:8080/auth/
keycloak_frontend_url_force: False
keycloak_frontend_url_force: false
keycloak_admin_url:
### infinispan remote caches access (hotrod)
@ -86,7 +86,7 @@ keycloak_infinispan_user: supervisor
keycloak_infinispan_pass: supervisor
keycloak_infinispan_url: localhost
keycloak_infinispan_sasl_mechanism: SCRAM-SHA-512
keycloak_infinispan_use_ssl: False
keycloak_infinispan_use_ssl: false
# if ssl is enabled, import ispn server certificate here
keycloak_infinispan_trust_store_path: /etc/pki/java/cacerts
keycloak_infinispan_trust_store_password: changeit
@ -97,9 +97,9 @@ keycloak_jdbc_engine: postgres
keycloak_db_user: keycloak-user
keycloak_db_pass: keycloak-pass
## connection validation
keycloak_db_background_validation: False
keycloak_db_background_validation: false
keycloak_db_background_validation_millis: "{{ 10000 if keycloak_db_background_validation else 0 }}"
keycloak_db_background_validate_on_match: False
keycloak_db_background_validate_on_match: false
keycloak_jdbc_url: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
keycloak_jdbc_driver_version: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
# override the variables above, following defaults show minimum supported versions
@ -114,7 +114,7 @@ keycloak_default_jdbc:
url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
version: 12.2.0
# role specific vars
keycloak_no_log: True
keycloak_no_log: true
### logging configuration
keycloak_log_target: /var/log/keycloak

20
roles/keycloak/meta/argument_specs.yml
View file

@ -214,7 +214,7 @@ argument_specs:
description: "Frontend URL for keycloak endpoints when a reverse proxy is used"
type: "str"
keycloak_frontend_url_force:
default: False
default: false
description: "Force backend requests to use the frontend URL"
type: "bool"
keycloak_infinispan_user:
@ -337,7 +337,7 @@ argument_specs:
description: "Enable remote cache store when in clustered ha configurations"
type: "bool"
keycloak_db_background_validation:
default: False
default: false
description: "Enable background validation of database connection"
type: "bool"
keycloak_db_background_validation_millis:
@ -345,19 +345,19 @@ argument_specs:
description: "How frequenly the connection pool is validated in the background"
type: 'int'
keycloak_db_background_validate_on_match:
default: False
default: false
description: "Enable validate on match for database connections"
type: "bool"
keycloak_db_valid_conn_sql:
required: False
required: false
description: "Override the default database connection validation query sql"
type: "str"
keycloak_admin_url:
required: False
required: false
description: "Override the default administration endpoint URL"
type: "str"
keycloak_jgroups_subnet:
required: False
required: false
description: "Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration"
type: "str"
keycloak_log_target:
@ -383,15 +383,15 @@ argument_specs:
description: "Installation path for Red Hat SSO"
type: "str"
sso_apply_patches:
default: False
default: false
description: "Install Red Hat SSO most recent cumulative patch"
type: "bool"
sso_enable:
default: True
default: true
description: "Enable Red Hat Single Sign-on installation"
type: "str"
sso_offline_install:
default: False
default: false
description: "Perform an offline install"
type: "bool"
sso_service_name:
@ -403,7 +403,7 @@ argument_specs:
description: "systemd description for Red Hat Single Sign-On"
type: "str"
sso_patch_version:
required: False
required: false
description: "Red Hat Single Sign-On latest cumulative patch version to apply; defaults to latest version when sso_apply_patches is True"
type: "str"
sso_patch_bundle:

6
roles/keycloak/meta/main.yml
View file

@ -15,9 +15,9 @@ galaxy_info:
min_ansible_version: "2.14"
platforms:
- name: EL
versions:
- "8"
- name: EL
versions:
- "8"
galaxy_tags:
- keycloak

6
roles/keycloak/tasks/fastpackages.yml
View file

@ -2,15 +2,15 @@
- name: "Check if packages are already installed" # noqa command-instead-of-module this runs faster
ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
register: rpm_info
changed_when: False
failed_when: False
changed_when: false
failed_when: false
- name: "Add missing packages to the yum install list"
ansible.builtin.set_fact:
packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
- name: "Install packages: {{ packages_to_install }}"
become: True
become: true
ansible.builtin.yum:
name: "{{ packages_to_install }}"
state: present

10
roles/keycloak/tasks/firewalld.yml
View file

@ -6,19 +6,19 @@
- firewalld
- name: Enable and start the firewalld service
become: yes
become: true
ansible.builtin.systemd:
name: firewalld
enabled: yes
enabled: true
state: started
- name: "Configure firewall for {{ keycloak.service_name }} ports"
become: yes
- name: "Configure firewall ports for {{ keycloak.service_name }}"
become: true
ansible.posix.firewalld:
port: "{{ item }}"
permanent: true
state: enabled
immediate: yes
immediate: true
loop:
- "{{ keycloak_http_port }}/tcp"
- "{{ keycloak_https_port }}/tcp"

56
roles/keycloak/tasks/install.yml
View file

@ -11,7 +11,7 @@
quiet: true
- name: Check for an existing deployment
become: yes
become: true
ansible.builtin.stat:
path: "{{ keycloak_jboss_home }}"
register: existing_deploy
@ -20,32 +20,32 @@
when: existing_deploy.stat.exists and keycloak_force_install | bool
block:
- name: "Stop the old {{ keycloak.service_name }} service"
become: yes
ignore_errors: yes
become: true
failed_when: false
ansible.builtin.systemd:
name: keycloak
state: stopped
- name: "Remove the old {{ keycloak.service_name }} deployment"
become: yes
become: true
ansible.builtin.file:
path: "{{ keycloak_jboss_home }}"
state: absent
- name: Check for an existing deployment after possible forced removal
become: yes
become: true
ansible.builtin.stat:
path: "{{ keycloak_jboss_home }}"
- name: "Create {{ keycloak.service_name }} service user/group"
become: yes
- name: "Create service user/group for {{ keycloak.service_name }}"
become: true
ansible.builtin.user:
name: "{{ keycloak_service_user }}"
home: /opt/keycloak
system: yes
create_home: no
- name: "Create {{ keycloak.service_name }} install location"
become: yes
- name: "Create install location for {{ keycloak.service_name }}"
become: true
ansible.builtin.file:
dest: "{{ keycloak_dest }}"
state: directory
@ -54,7 +54,7 @@
mode: 0750
- name: Create pidfile folder
become: yes
become: true
ansible.builtin.file:
dest: "{{ keycloak_service_pidfile | dirname }}"
state: directory
@ -68,7 +68,7 @@
archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"
- name: Check download archive path
become: yes
become: true
ansible.builtin.stat:
path: "{{ archive }}"
register: archive_path
@ -86,7 +86,7 @@
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
mode: 0644
delegate_to: localhost
run_once: yes
run_once: true
when:
- archive_path is defined
- archive_path.stat is defined
@ -96,7 +96,7 @@
- name: Perform download from RHN using JBoss Network API
delegate_to: localhost
run_once: yes
run_once: true
when:
- archive_path is defined
- archive_path.stat is defined
@ -114,13 +114,13 @@
register: rhn_products
no_log: "{{ omit_rhn_output | default(true) }}"
delegate_to: localhost
run_once: yes
run_once: true
- name: Determine install zipfile from search results
ansible.builtin.set_fact:
rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/' + sso_archive + '$') }}"
delegate_to: localhost
run_once: yes
run_once: true
- name: Download Red Hat Single Sign-On
middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
@ -130,7 +130,7 @@
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
no_log: "{{ omit_rhn_output | default(true) }}"
delegate_to: localhost
run_once: yes
run_once: true
- name: Download rhsso archive from alternate location
ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
@ -138,7 +138,7 @@
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
mode: 0644
delegate_to: localhost
run_once: yes
run_once: true
when:
- archive_path is defined
- archive_path.stat is defined
@ -166,23 +166,23 @@
- not archive_path.stat.exists
- local_archive_path.stat is defined
- local_archive_path.stat.exists
become: yes
become: true
- name: "Check target directory: {{ keycloak.home }}"
ansible.builtin.stat:
path: "{{ keycloak.home }}"
register: path_to_workdir
become: yes
become: true
- name: "Extract {{ keycloak_service_desc }} archive on target"
ansible.builtin.unarchive:
remote_src: yes
remote_src: true
src: "{{ archive }}"
dest: "{{ keycloak_dest }}"
creates: "{{ keycloak.home }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
become: yes
become: true
when:
- new_version_downloaded.changed or not path_to_workdir.stat.exists
notify:
@ -200,13 +200,13 @@
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
recurse: true
become: yes
become: true
changed_when: false
- name: Ensure permissions are correct on existing deploy
ansible.builtin.command: chown -R "{{ keycloak_service_user }}:{{ keycloak_service_group }}" "{{ keycloak.home }}"
when: keycloak_service_runas
become: yes
become: true
changed_when: false
# driver and configuration
@ -215,7 +215,7 @@
when: keycloak_jdbc[keycloak_jdbc_engine].enabled
- name: "Deploy custom {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak_config_override_template }}"
become: yes
become: true
ansible.builtin.template:
src: "templates/{{ keycloak_config_override_template }}"
dest: "{{ keycloak_config_path_to_standalone_xml }}"
@ -227,7 +227,7 @@
when: keycloak_config_override_template | length > 0
- name: "Deploy standalone {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
become: yes
become: true
ansible.builtin.template:
src: templates/standalone.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}"
@ -255,7 +255,7 @@
when: keycloak_ha_enabled and keycloak_ha_discovery == 'TCPPING'
- name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
become: yes
become: true
ansible.builtin.template:
src: templates/standalone-ha.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}"
@ -270,7 +270,7 @@
- keycloak_config_override_template | length == 0
- name: "Deploy HA {{ keycloak.service_name }} config with infinispan remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
become: yes
become: true
ansible.builtin.template:
src: templates/standalone-infinispan.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}"
@ -285,7 +285,7 @@
- keycloak_config_override_template | length == 0
- name: "Deploy profile.properties file to {{ keycloak_config_path_to_properties }}"
become: yes
become: true
ansible.builtin.template:
src: keycloak-profile.properties.j2
dest: "{{ keycloak_config_path_to_properties }}"

10
roles/keycloak/tasks/jdbc_driver.yml
View file

@ -3,17 +3,17 @@
ansible.builtin.stat:
path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
register: dest_path
become: yes
become: true
- name: "Set up module dir for JDBC Driver {{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}"
ansible.builtin.file:
path: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
state: directory
recurse: yes
recurse: true
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
mode: 0750
become: yes
become: true
when:
- not dest_path.stat.exists
@ -24,7 +24,7 @@
group: "{{ keycloak_service_group }}"
owner: "{{ keycloak_service_user }}"
mode: 0640
become: yes
become: true
- name: "Deploy module.xml for JDBC Driver"
ansible.builtin.template:
@ -33,4 +33,4 @@
group: "{{ keycloak_service_group }}"
owner: "{{ keycloak_service_user }}"
mode: 0640
become: yes
become: true

8
roles/keycloak/tasks/main.yml
View file

@ -35,7 +35,7 @@
state: link
src: "{{ keycloak_jboss_home }}/standalone/log"
dest: "{{ keycloak_log_target }}"
become: yes
become: true
- name: Set admin credentials and restart if not already created
block:
@ -44,7 +44,7 @@
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no
validate_certs: false
register: keycloak_auth_response
until: keycloak_auth_response.status == 200
retries: 2
@ -58,8 +58,8 @@
- "-rmaster"
- "-u{{ keycloak_admin_user }}"
- "-p{{ keycloak_admin_password }}"
changed_when: yes
become: yes
changed_when: true
become: true
- name: "Restart {{ keycloak.service_name }}"
ansible.builtin.include_tasks: tasks/restart_keycloak.yml
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"

8
roles/keycloak/tasks/prereqs.yml
View file

@ -3,7 +3,7 @@
ansible.builtin.assert:
that:
- keycloak_admin_password | length > 12
quiet: True
quiet: true
fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_admin_password variable to a 12+ char long string"
success_msg: "{{ 'Console administrator password OK' }}"
@ -11,7 +11,7 @@
ansible.builtin.assert:
that:
- (keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and not keycloak_db_enabled)
quiet: True
quiet: true
fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_ha_enabled and keycloak_db_enabled"
success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"
@ -20,7 +20,7 @@
that:
- (rhn_username is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install
- (rhn_password is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install
quiet: True
quiet: true
fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
success_msg: "Installing {{ keycloak_service_desc }}"
@ -31,7 +31,7 @@
- keycloak_jdbc_url | length > 0
- keycloak_db_user | length > 0
- keycloak_db_pass | length > 0
quiet: True
quiet: true
fail_msg: "Configuration for the JDBC persistence is invalid or incomplete"
success_msg: "Configuring JDBC persistence using {{ keycloak_jdbc_engine }} database"
when: keycloak_db_enabled

11
roles/keycloak/tasks/restart_keycloak.yml
View file

@ -2,11 +2,12 @@
- name: "Restart and enable {{ keycloak.service_name }} service"
ansible.builtin.systemd:
name: keycloak
enabled: yes
enabled: true
state: restarted
become: yes
daemon_reload: true
become: true
delegate_to: "{{ ansible_play_hosts | first }}"
run_once: True
run_once: true
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:
@ -14,7 +15,7 @@
register: keycloak_status
until: keycloak_status.status == 200
delegate_to: "{{ ansible_play_hosts | first }}"
run_once: True
run_once: true
retries: "{{ keycloak_service_start_retries }}"
delay: "{{ keycloak_service_start_delay }}"
@ -23,5 +24,5 @@
name: keycloak
enabled: yes
state: restarted
become: yes
become: true
when: inventory_hostname != ansible_play_hosts | first

30
roles/keycloak/tasks/rhsso_patch.yml
View file

@ -12,11 +12,11 @@
path: "{{ patch_archive }}"
register: patch_archive_path
when: sso_patch_version is defined
become: yes
become: true
- name: Perform patch download from RHN via JBossNetwork API
delegate_to: localhost
run_once: yes
run_once: true
when:
- sso_enable is defined and sso_enable
- not keycloak_offline_install
@ -32,21 +32,21 @@
register: rhn_products
no_log: "{{ omit_rhn_output | default(true) }}"
delegate_to: localhost
run_once: yes
run_once: true
- name: Determine patch versions list
ansible.builtin.set_fact:
filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | map('regex_replace','[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*)-.*','\\1' ) | list | unique }}"
filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | map('regex_replace', '[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*)-.*', '\\1') | list | unique }}"
when: sso_patch_version is not defined or sso_patch_version | length == 0
delegate_to: localhost
run_once: yes
run_once: true
- name: Determine latest version
ansible.builtin.set_fact:
sso_latest_version: "{{ filtered_versions | middleware_automation.common.version_sort | last }}"
when: sso_patch_version is not defined or sso_patch_version | length == 0
delegate_to: localhost
run_once: yes
run_once: true
- name: Determine install zipfile from search results
ansible.builtin.set_fact:
@ -55,7 +55,7 @@
patch_version: "{{ sso_latest_version }}"
when: sso_patch_version is not defined or sso_patch_version | length == 0
delegate_to: localhost
run_once: yes
run_once: true
- name: "Determine selected patch from supplied version: {{ sso_patch_version }}"
ansible.builtin.set_fact:
@ -64,7 +64,7 @@
patch_version: "{{ sso_patch_version }}"
when: sso_patch_version is defined
delegate_to: localhost
run_once: yes
run_once: true
- name: Download Red Hat Single Sign-On patch
middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
@ -74,7 +74,7 @@
dest: "{{ local_path.stat.path }}/{{ patch_bundle }}"
no_log: "{{ omit_rhn_output | default(true) }}"
delegate_to: localhost
run_once: yes
run_once: true
- name: Set download patch archive path
ansible.builtin.set_fact:
@ -84,7 +84,7 @@
ansible.builtin.stat:
path: "{{ patch_archive }}"
register: patch_archive_path
become: yes
become: true
## copy and unpack
- name: Copy patch archive to target nodes
@ -99,7 +99,7 @@
- not patch_archive_path.stat.exists
- local_archive_path.stat is defined
- local_archive_path.stat.exists
become: yes
become: true
- name: "Check installed patches"
ansible.builtin.include_tasks: rhsso_cli.yml
@ -107,7 +107,7 @@
query: "patch info"
args:
apply:
become: yes
become: true
become_user: "{{ keycloak_service_user }}"
- name: "Perform patching"
@ -122,7 +122,7 @@
query: "patch apply {{ patch_archive }}"
args:
apply:
become: yes
become: true
become_user: "{{ keycloak_service_user }}"
- name: "Restart server to ensure patch content is running"
@ -133,7 +133,7 @@
- cli_result.rc == 0
args:
apply:
become: yes
become: true
become_user: "{{ keycloak_service_user }}"
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
@ -150,7 +150,7 @@
query: "patch info"
args:
apply:
become: yes
become: true
become_user: "{{ keycloak_service_user }}"
- name: "Verify installed patch version"

5
roles/keycloak/tasks/start_keycloak.yml
View file

@ -2,9 +2,10 @@
- name: "Start {{ keycloak.service_name }} service"
ansible.builtin.systemd:
name: keycloak
enabled: yes
enabled: true
state: started
become: yes
daemon_reload: true
become: true
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:

4
roles/keycloak/tasks/stop_keycloak.yml
View file

@ -2,6 +2,6 @@
- name: "Stop {{ keycloak.service_name }}"
ansible.builtin.systemd:
name: keycloak
enabled: yes
enabled: true
state: stopped
become: yes
become: true

16
roles/keycloak/tasks/systemd.yml
View file

@ -1,6 +1,6 @@
---
- name: "Configure {{ keycloak.service_name }} service script wrapper"
become: yes
become: true
ansible.builtin.template:
src: keycloak-service.sh.j2
dest: "{{ keycloak_dest }}/keycloak-service.sh"
@ -15,7 +15,7 @@
rpm_java_home: "/etc/alternatives/jre_{{ keycloak_jvm_package | regex_search('(?<=java-)[0-9.]+') }}"
- name: "Configure sysconfig file for {{ keycloak.service_name }} service"
become: yes
become: true
ansible.builtin.template:
src: keycloak-sysconfig.j2
dest: /etc/sysconfig/keycloak
@ -34,20 +34,14 @@
owner: root
group: root
mode: 0644
become: yes
become: true
register: systemdunit
notify:
- restart keycloak
- name: Reload systemd
become: yes
ansible.builtin.systemd:
daemon_reload: yes
when: systemdunit.changed
- name: "Start and wait for {{ keycloak.service_name }} service (first node db)"
ansible.builtin.include_tasks: start_keycloak.yml
run_once: yes
run_once: true
when: keycloak_db_enabled
- name: "Start and wait for {{ keycloak.service_name }} service (remaining nodes)"
@ -56,7 +50,7 @@
- name: Check service status
ansible.builtin.command: "systemctl status keycloak"
register: keycloak_service_status
changed_when: False
changed_when: false
- name: Verify service status
ansible.builtin.assert:

24
roles/keycloak_quarkus/defaults/main.yml
View file

@ -6,7 +6,7 @@ keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/do
keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
# whether to install from local archive
keycloak_quarkus_offline_install: False
keycloak_quarkus_offline_install: false
### Install location and service settings
keycloak_quarkus_jvm_package: java-17-openjdk-headless
@ -14,11 +14,11 @@ keycloak_quarkus_java_home:
keycloak_quarkus_dest: /opt/keycloak
keycloak_quarkus_home: "{{ keycloak_quarkus_installdir }}"
keycloak_quarkus_config_dir: "{{ keycloak_quarkus_home }}/conf"
keycloak_quarkus_start_dev: False
keycloak_quarkus_start_dev: false
keycloak_quarkus_service_user: keycloak
keycloak_quarkus_service_group: keycloak
keycloak_quarkus_service_pidfile: "/run/keycloak/keycloak.pid"
keycloak_quarkus_configure_firewalld: False
keycloak_quarkus_configure_firewalld: false
### administrator console password
keycloak_quarkus_admin_user: admin
@ -30,7 +30,7 @@ keycloak_quarkus_bind_address: 0.0.0.0
keycloak_quarkus_host: localhost
keycloak_quarkus_port: -1
keycloak_quarkus_path:
keycloak_quarkus_http_enabled: True
keycloak_quarkus_http_enabled: true
keycloak_quarkus_http_port: 8080
keycloak_quarkus_https_port: 8443
keycloak_quarkus_ajp_port: 8009
@ -38,20 +38,20 @@ keycloak_quarkus_jgroups_port: 7600
keycloak_quarkus_java_opts: "-Xms1024m -Xmx2048m"
### TLS/HTTPS configuration
keycloak_quarkus_https_key_file_enabled: False
keycloak_quarkus_https_key_file_enabled: false
keycloak_quarkus_key_file: "{{ keycloak.home }}/conf/server.key.pem"
keycloak_quarkus_cert_file: "{{ keycloak.home }}/conf/server.crt.pem"
#### key store configuration
keycloak_quarkus_https_key_store_enabled: False
keycloak_quarkus_https_key_store_enabled: false
keycloak_quarkus_key_store_file: "{{ keycloak.home }}/conf/key_store.p12"
keycloak_quarkus_key_store_password: ''
##### trust store configuration
keycloak_quarkus_https_trust_store_enabled: False
keycloak_quarkus_https_trust_store_enabled: false
keycloak_quarkus_trust_store_file: "{{ keycloak.home }}/conf/trust_store.p12"
keycloak_quarkus_trust_store_password: ''
### Enable configuration for database backend, clustering and remote caches on infinispan
keycloak_quarkus_ha_enabled: False
keycloak_quarkus_ha_enabled: false
### Enable database configuration, must be enabled when HA is configured
keycloak_quarkus_db_enabled: "{{ True if keycloak_quarkus_ha_enabled else False }}"
@ -67,17 +67,17 @@ keycloak_quarkus_http_relative_path: /
keycloak_quarkus_proxy_mode: edge
# disable xa transactions
keycloak_quarkus_transaction_xa_enabled: True
keycloak_quarkus_transaction_xa_enabled: true
keycloak_quarkus_metrics_enabled: False
keycloak_quarkus_health_enabled: True
keycloak_quarkus_metrics_enabled: false
keycloak_quarkus_health_enabled: true
### infinispan remote caches access (hotrod)
keycloak_quarkus_ispn_user: supervisor
keycloak_quarkus_ispn_pass: supervisor
keycloak_quarkus_ispn_url: localhost
keycloak_quarkus_ispn_sasl_mechanism: SCRAM-SHA-512
keycloak_quarkus_ispn_use_ssl: False
keycloak_quarkus_ispn_use_ssl: false
# if ssl is enabled, import ispn server certificate here
keycloak_quarkus_ispn_trust_store_path: /etc/pki/java/cacerts
keycloak_quarkus_ispn_trust_store_password: changeit

12
roles/keycloak_quarkus/meta/argument_specs.yml
View file

@ -138,12 +138,12 @@ argument_specs:
type: "bool"
keycloak_quarkus_trust_store_file:
default: "{{ keycloak.home }}/conf/trust_store.p12"
description: "The file pat to the trust store"
description: "The file path to the trust store"
type: "str"
keycloak_quarkus_trust_store_password:
default: ""
description: "Password for the trust store"
type: "str"
default: ""
description: "Password for the trust store"
type: "str"
keycloak_quarkus_https_port:
# line 30 of defaults/main.yml
default: 8443
@ -281,10 +281,10 @@ argument_specs:
type: "str"
description: "The proxy address forwarding mode if the server is behind a reverse proxy. Set to 'none' if not using a proxy"
keycloak_quarkus_start_dev:
default: False
default: false
type: "bool"
description: "Whether to start the service in development mode (start-dev)"
keycloak_quarkus_transaction_xa_enabled:
default: True
default: true
type: "bool"
description: "Enable or disable XA transactions which may not be supported by some DBMS"

6
roles/keycloak_quarkus/meta/main.yml
View file

@ -11,9 +11,9 @@ galaxy_info:
min_ansible_version: "2.14"
platforms:
- name: EL
versions:
- "8"
- name: EL
versions:
- "8"
galaxy_tags:
- keycloak

6
roles/keycloak_quarkus/tasks/fastpackages.yml
View file

@ -2,15 +2,15 @@
- name: "Check if packages are already installed" # noqa command-instead-of-module this runs faster
ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
register: rpm_info
changed_when: False
failed_when: False
changed_when: false
failed_when: false
- name: "Add missing packages to the yum install list"
ansible.builtin.set_fact:
packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
- name: "Install packages: {{ packages_to_install }}"
become: True
become: true
ansible.builtin.yum:
name: "{{ packages_to_install }}"
state: present

8
roles/keycloak_quarkus/tasks/firewalld.yml
View file

@ -6,19 +6,19 @@
- firewalld
- name: Enable and start the firewalld service
become: yes
become: true
ansible.builtin.systemd:
name: firewalld
enabled: yes
enabled: true
state: started
- name: "Configure firewall for {{ keycloak.service_name }} ports"
become: yes
become: true
ansible.posix.firewalld:
port: "{{ item }}"
permanent: true
state: enabled
immediate: yes
immediate: true
loop:
- "{{ keycloak_quarkus_http_port }}/tcp"
- "{{ keycloak_quarkus_https_port }}/tcp"

18
roles/keycloak_quarkus/tasks/install.yml
View file

@ -11,21 +11,21 @@
quiet: true
- name: Check for an existing deployment
become: yes
become: true
ansible.builtin.stat:
path: "{{ keycloak.home }}"
register: existing_deploy
- name: "Create {{ keycloak.service_name }} service user/group"
become: yes
become: true
ansible.builtin.user:
name: "{{ keycloak.service_user }}"
home: /opt/keycloak
system: yes
system: true
create_home: no
- name: "Create {{ keycloak.service_name }} install location"
become: yes
become: true
ansible.builtin.file:
dest: "{{ keycloak_quarkus_dest }}"
state: directory
@ -39,7 +39,7 @@
archive: "{{ keycloak_quarkus_dest }}/{{ keycloak.bundle }}"
- name: Check download archive path
become: yes
become: true
ansible.builtin.stat:
path: "{{ archive }}"
register: archive_path
@ -82,23 +82,23 @@
- not archive_path.stat.exists
- local_archive_path.stat is defined
- local_archive_path.stat.exists
become: yes
become: true
- name: "Check target directory: {{ keycloak.home }}/bin/"
ansible.builtin.stat:
path: "{{ keycloak.home }}/bin/"
register: path_to_workdir
become: yes
become: true
- name: "Extract Keycloak archive on target"
ansible.builtin.unarchive:
remote_src: yes
remote_src: true
src: "{{ archive }}"
dest: "{{ keycloak_quarkus_dest }}"
creates: "{{ keycloak.home }}/bin/"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
become: yes
become: true
when:
- (not path_to_workdir.stat.exists) or new_version_downloaded.changed
notify:

12
roles/keycloak_quarkus/tasks/main.yml
View file

@ -28,7 +28,7 @@
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0644
become: yes
become: true
notify:
- restart keycloak
@ -39,7 +39,7 @@
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0644
become: yes
become: true
notify:
- restart keycloak
@ -50,7 +50,7 @@
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0775
become: yes
become: true
- name: Flush pending handlers
ansible.builtin.meta: flush_handlers
@ -61,12 +61,12 @@
- name: Check service status
ansible.builtin.command: "systemctl status keycloak"
register: keycloak_service_status
changed_when: False
changed_when: false
- name: Link default logs directory
ansible.builtin.file:
state: link
src: "{{ keycloak.log.file | dirname }}"
dest: "{{ keycloak_quarkus_log_target }}"
force: yes
become: yes
force: true
become: true

6
roles/keycloak_quarkus/tasks/prereqs.yml
View file

@ -3,7 +3,7 @@
ansible.builtin.assert:
that:
- keycloak_quarkus_admin_pass | length > 12
quiet: True
quiet: true
fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass variable to a 12+ char long string"
success_msg: "{{ 'Console administrator password OK' }}"
@ -11,7 +11,7 @@
ansible.builtin.assert:
that:
- keycloak_quarkus_http_relative_path is regex('^/.*')
quiet: True
quiet: true
fail_msg: "the relative path must begin with /"
success_msg: "{{ 'relative path OK' }}"
@ -19,7 +19,7 @@
ansible.builtin.assert:
that:
- (keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and not keycloak_quarkus_db_enabled)
quiet: True
quiet: true
fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled"
success_msg: "{{ 'Configuring HA' if keycloak_quarkus_ha_enabled else 'Configuring standalone' }}"

5
roles/keycloak_quarkus/tasks/restart.yml
View file

@ -2,6 +2,7 @@
- name: "Restart and enable {{ keycloak.service_name }} service"
ansible.builtin.systemd:
name: keycloak
enabled: yes
enabled: true
state: restarted
become: yes
daemon_reload: true
become: true

5
roles/keycloak_quarkus/tasks/start.yml
View file

@ -2,9 +2,10 @@
- name: "Start {{ keycloak.service_name }} service"
ansible.builtin.systemd:
name: keycloak
enabled: yes
enabled: true
state: started
become: yes
daemon_reload: true
become: true
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:

10
roles/keycloak_quarkus/tasks/systemd.yml
View file

@ -4,7 +4,7 @@
rpm_java_home: "/etc/alternatives/jre_{{ keycloak_quarkus_jvm_package | regex_search('(?<=java-)[0-9.]+') }}"
- name: "Configure sysconfig file for keycloak service"
become: yes
become: true
ansible.builtin.template:
src: keycloak-sysconfig.j2
dest: /etc/sysconfig/keycloak
@ -23,13 +23,7 @@
owner: root
group: root
mode: 0644
become: yes
become: true
register: systemdunit
notify:
- restart keycloak
- name: Reload systemd
become: yes
ansible.builtin.systemd:
daemon_reload: yes
when: systemdunit.changed

2
roles/keycloak_realm/defaults/main.yml
View file

@ -40,7 +40,7 @@ keycloak_clients: []
keycloak_client_default_roles: []
# if True, create a public client; otherwise, a confidetial client
keycloak_client_public: True
keycloak_client_public: true
# allowed web origins for the client
keycloak_client_web_origins: '+'

6
roles/keycloak_realm/meta/argument_specs.yml
View file

@ -94,7 +94,7 @@ argument_specs:
downstream:
options:
sso_version:
default: "7.5.0"
default: "7.6.0"
description: "Red Hat Single Sign-On version"
type: "str"
sso_dest:
@ -106,10 +106,10 @@ argument_specs:
description: "Installation path for Red Hat SSO"
type: "str"
sso_apply_patches:
default: False
default: false
description: "Install Red Hat SSO most recent cumulative patch"
type: "bool"
sso_enable:
default: True
default: true
description: "Enable Red Hat Single Sign-on installation"
type: "str"

6
roles/keycloak_realm/meta/main.yml
View file

@ -11,9 +11,9 @@ galaxy_info:
min_ansible_version: "2.14"
platforms:
- name: EL
versions:
- "8"
- name: EL
versions:
- "8"
galaxy_tags:
- keycloak

6
roles/keycloak_realm/tasks/main.yml
View file

@ -4,7 +4,7 @@
url: "{{ keycloak_url }}{{ keycloak_context }}/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no
validate_certs: false
no_log: "{{ keycloak_no_log | default('True') }}"
register: keycloak_auth_response
until: keycloak_auth_response.status == 200
@ -28,7 +28,7 @@
url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms"
method: POST
body: "{{ lookup('template', 'realm.json.j2') }}"
validate_certs: no
validate_certs: false
body_format: json
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
@ -59,7 +59,7 @@
- item.name is defined and item.name | length > 0
- (item.client_id is defined and item.client_id | length > 0) or (item.id is defined and item.id | length > 0)
fail_msg: "For each keycloak client, attributes `name` and either `id` or `client_id` is required"
quiet: True
quiet: true
loop: "{{ keycloak_clients | flatten }}"
loop_control:
label: "{{ item.name | default('unnamed client') }}"

8
roles/keycloak_realm/tasks/manage_user.yml
View file

@ -2,7 +2,7 @@
- name: "Check if User Already Exists"
ansible.builtin.uri:
url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
validate_certs: no
validate_certs: false
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_user_search_result
@ -18,7 +18,7 @@
email: "{{ user.email | default(omit) }}"
firstName: "{{ user.firstName | default(omit) }}"
lastName: "{{ user.lastName | default(omit) }}"
validate_certs: no
validate_certs: false
body_format: json
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
@ -28,7 +28,7 @@
- name: "Get User"
ansible.builtin.uri:
url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
validate_certs: no
validate_certs: false
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_user
@ -41,7 +41,7 @@
type: password
temporary: false
value: "{{ user.password }}"
validate_certs: no
validate_certs: false
body_format: json
status_code:
- 200

2
roles/keycloak_realm/tasks/manage_user_client_roles.yml
View file

@ -31,7 +31,7 @@
containerId: "{{ item.containerId }}"
name: "{{ item.name }}"
composite: "{{ item.composite }}"
validate_certs: False
validate_certs: false
body_format: json
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"

4
roles/keycloak_realm/tasks/manage_user_roles.yml
View file

@ -3,7 +3,7 @@
ansible.builtin.uri:
url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
headers:
validate_certs: no
validate_certs: false
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_user
@ -12,7 +12,7 @@
url: "{{ keycloak_url }}{{ keycloak_context }}/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no
validate_certs: false
register: keycloak_auth_response
no_log: "{{ keycloak_no_log | default('True') }}"
until: keycloak_auth_response.status == 200

4
roles/keycloak_realm/vars/main.yml
View file

@ -5,5 +5,5 @@
keycloak_realm:
# other settings
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + ( keycloak_jboss_port_offset | default(0) ) }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + ( keycloak_jboss_port_offset | default(0) ) }}"
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + (keycloak_jboss_port_offset | default(0)) }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + (keycloak_jboss_port_offset | default(0)) }}"