mirror of
				https://github.com/ansible-middleware/keycloak.git
				synced 2025-10-25 21:44:10 -07:00 
			
		
		
		
	Compare commits
	
		
			112 commits
		
	
	
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|  | 412e17e9ea | ||
|  | fa87c004e3 | ||
|  | 6c9bddbd61 | ||
|  | 4602d254cf | ||
|  | 8b2ef22023 | ||
|  | 66228c3a13 | ||
|  | 556d155533 | ||
|  | c1bf9727f9 | ||
|  | f79fd227eb | ||
|  | 19564987ca | ||
|  | 1ff25325a7 | ||
|  | 0099f1cf07 | ||
|  | 725ec8e37b | ||
|  | bbe568baa5 | ||
|  | dcd448443f | ||
|  | 3780a4e3c0 | ||
|  | e60a5b7cf6 | ||
|  | 6143ae25e2 | ||
|  | ef6d8890fb | ||
|  | 55185a1439 | ||
|  | bb64b97e43 | ||
|  | a9c9e05569 | ||
|  | 8b27cb0706 | ||
|  | 41127504dc | ||
|  | bcc961999c | ||
|  | b8907d765d | ||
|  | 5c5e84b63e | ||
|  | 3d4bd734f1 | ||
|  | 3de96a6666 | ||
|  | de0ea02272 | ||
|  | b6e585f503 | ||
|  | 18de37706f | ||
|  | b569e4e713 | ||
|  | 919d55f806 | ||
|  | 476bc0ec0b | ||
|  | 2954bf81e8 | ||
|  | 0403939c03 | ||
|  | 88e4ea8d99 | ||
|  | 0a5fc3ae25 | ||
|  | f4a1798f26 | ||
|  | d23ae39c25 | ||
|  | 8f95bcb9e6 | ||
|  | f8c75de5d5 | ||
|  | 8093b1af2a | ||
|  | a70aece0d9 | ||
|  | d427a6b721 | ||
|  | c614af127e | ||
|  | 0936d415c7 | ||
|  | a120b1c9b5 | ||
|  | 5cd400b053 | ||
|  | e0c4b1e1ff | ||
|  | 88be789260 | ||
|  | 868dac4f72 | ||
|  | c45f7c0d60 | ||
|  | 77c5b893b1 | ||
|  | 9974ab2ee1 | ||
|  | b8a2ebc699 | ||
|  | 5beb5dcda4 | ||
|  | d97044523d | ||
|  | 2abc580041 | ||
|  | 2379e10091 | ||
|  | c86dff66ba | ||
|  | f750e93d02 | ||
|  | 1a4590b0b8 | ||
|  | 5e9535c866 | ||
|  | b8028d376a | ||
|  | 20797e4cad | ||
|  | 70d61ce8de | ||
|  | 69a947c0b6 | ||
|  | c7ce7be6c4 | ||
|  | e9061b29ef | ||
|  | c92bf19720 | ||
|  | 1ca0b30a81 | ||
|  | 7738e0feb1 | ||
|  | 671cf4eb53 | ||
|  | f146eb5fda | ||
|  | a10bc95bfc | ||
|  | 314e2f26b2 | ||
|  | f628b84fb0 | ||
|  | ac0ceca35f | ||
|  | 744766fe3b | ||
|  | 7f980c44d2 | ||
|  | 532dc12a60 | ||
|  | 173a85638f | ||
|  | 81f019f8b5 | ||
|  | 5db96afa56 | ||
|  | fa36721207 | ||
|  | 86284b12c2 | ||
|  | b3e93dd89b | ||
|  | e029e1c2fd | ||
|  | d0f19b59dc | ||
|  | 213449ec58 | ||
|  | 277e1336ee | ||
|  | 58233549a7 | ||
|  | 0c58ae48ff | ||
|  | bf0bd9e1da | ||
|  | 5d15d37890 | ||
|  | 910a2aa5d4 | ||
|  | 5f534ca566 | ||
|  | 692fb59797 | ||
|  | d1859aaff2 | ||
|  | 0d0e52f9ff | ||
|  | 68a0f88423 | ||
|  | 333d55ad73 | ||
|  | f6fdae4aa8 | ||
|  | b8c11f3ca8 | ||
|  | 1279937bb0 | ||
|  | c57753f608 | ||
|  | be19ec1289 | ||
|  | 5f1b43f37b | ||
|  | c6bb815979 | ||
|  | ac4511bea9 | 
					 95 changed files with 4492 additions and 715 deletions
				
			
		
							
								
								
									
										13
									
								
								.github/workflows/ci.yml
									
										
									
									
										vendored
									
									
								
							
							
						
						
									
										13
									
								
								.github/workflows/ci.yml
									
										
									
									
										vendored
									
									
								
							|  | @ -6,14 +6,23 @@ on: | ||||||
|       - main |       - main | ||||||
|   pull_request: |   pull_request: | ||||||
|   workflow_dispatch: |   workflow_dispatch: | ||||||
|  |     inputs: | ||||||
|  |       debug_verbosity: | ||||||
|  |         description: 'ANSIBLE_VERBOSITY envvar value' | ||||||
|  |         required: false | ||||||
|   schedule: |   schedule: | ||||||
|     - cron: '15 6 * * *' |     - cron: '15 6 * * *' | ||||||
| 
 | 
 | ||||||
| jobs: | jobs: | ||||||
|   ci: |   ci: | ||||||
|     uses: ansible-middleware/github-actions/.github/workflows/ci.yml@main |     uses: ansible-middleware/github-actions/.github/workflows/cish.yml@main | ||||||
|     secrets: inherit |     secrets: inherit | ||||||
|     with: |     with: | ||||||
|       fqcn: 'middleware_automation/keycloak' |       fqcn: 'middleware_automation/keycloak' | ||||||
|  |       debug_verbosity: "${{ github.event.inputs.debug_verbosity }}" | ||||||
|       molecule_tests: >- |       molecule_tests: >- | ||||||
|           [ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "quarkus_upgrade", "debian", "quarkus_ha" ] |         [ "debian", "quarkus", "quarkus_ha", "quarkus_ha_remote" ] | ||||||
|  |       podman_tests_current: >- | ||||||
|  |         [ "default", "quarkus_devmode", "quarkus_upgrade" ] | ||||||
|  |       podman_tests_next: >- | ||||||
|  |         [ "default", "quarkus_devmode", "quarkus_upgrade" ] | ||||||
|  |  | ||||||
|  | @ -6,6 +6,76 @@ middleware\_automation.keycloak Release Notes | ||||||
| 
 | 
 | ||||||
| This changelog describes changes after version 0.2.6. | This changelog describes changes after version 0.2.6. | ||||||
| 
 | 
 | ||||||
|  | v3.0.2 | ||||||
|  | ====== | ||||||
|  | 
 | ||||||
|  | Minor Changes | ||||||
|  | ------------- | ||||||
|  | 
 | ||||||
|  | - New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_ | ||||||
|  | - New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_ | ||||||
|  | - Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_ | ||||||
|  | - Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_ | ||||||
|  | 
 | ||||||
|  | Bugfixes | ||||||
|  | -------- | ||||||
|  | 
 | ||||||
|  | - Fix ``keycloak_quarkus_force_install`` parameter being ignored by install `#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_ | ||||||
|  | - Fix alternate download location being ignored (JBossNeworkAPI always used) `#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_ | ||||||
|  | - Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_ | ||||||
|  | - Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_ | ||||||
|  | - keycloak_realm: federation default provider type should be a string `#302 <https://github.com/ansible-middleware/keycloak/pull/302>`_ | ||||||
|  | 
 | ||||||
|  | v3.0.1 | ||||||
|  | ====== | ||||||
|  | 
 | ||||||
|  | Minor Changes | ||||||
|  | ------------- | ||||||
|  | 
 | ||||||
|  | - Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_ | ||||||
|  | 
 | ||||||
|  | Bugfixes | ||||||
|  | -------- | ||||||
|  | 
 | ||||||
|  | - Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_ | ||||||
|  | 
 | ||||||
|  | v3.0.0 | ||||||
|  | ====== | ||||||
|  | 
 | ||||||
|  | Minor Changes | ||||||
|  | ------------- | ||||||
|  | 
 | ||||||
|  | - Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_ | ||||||
|  | - keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_ | ||||||
|  | 
 | ||||||
|  | Breaking Changes / Porting Guide | ||||||
|  | -------------------------------- | ||||||
|  | 
 | ||||||
|  | - Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_ | ||||||
|  | - Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_ | ||||||
|  | - Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_ | ||||||
|  | 
 | ||||||
|  | Bugfixes | ||||||
|  | -------- | ||||||
|  | 
 | ||||||
|  | - Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_ | ||||||
|  | - Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_ | ||||||
|  | - Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_ | ||||||
|  | - Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_ | ||||||
|  | 
 | ||||||
|  | New Modules | ||||||
|  | ----------- | ||||||
|  | 
 | ||||||
|  | - middleware_automation.keycloak.keycloak_realm - Allows administration of Keycloak realm via Keycloak API | ||||||
|  | 
 | ||||||
|  | v2.4.3 | ||||||
|  | ====== | ||||||
|  | 
 | ||||||
|  | Minor Changes | ||||||
|  | ------------- | ||||||
|  | 
 | ||||||
|  | - Update keycloak to 24.0.5 `#241 <https://github.com/ansible-middleware/keycloak/pull/241>`_ | ||||||
|  | 
 | ||||||
| v2.4.2 | v2.4.2 | ||||||
| ====== | ====== | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -1,3 +1,37 @@ | ||||||
|  | ## Developing | ||||||
|  | 
 | ||||||
|  | ### Build and install locally | ||||||
|  | 
 | ||||||
|  | Clone the repository, checkout the tag you want to build, or pick the main branch for the development version; then: | ||||||
|  | 
 | ||||||
|  |     ansible-galaxy collection build . | ||||||
|  |     ansible-galaxy collection install middleware_automation-keycloak-*.tar.gz | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | ### Development environment | ||||||
|  | 
 | ||||||
|  | Make sure your development machine has avilable: | ||||||
|  | 
 | ||||||
|  | * python 3.11+ | ||||||
|  | * virtualenv | ||||||
|  | * docker (or podman) | ||||||
|  | 
 | ||||||
|  | In order to run setup the development environment and run the molecule tests locally, after cloning the repository: | ||||||
|  | 
 | ||||||
|  | ``` | ||||||
|  | # create new virtualenv using python 3 | ||||||
|  | virtualenv $PATH_TO_DEV_VIRTUALENV | ||||||
|  | # activate the virtual env | ||||||
|  | source $PATH_TO_DEV_VIRTUALENV/bin/activate | ||||||
|  | # install ansible and tools onto the virtualenv | ||||||
|  | pip install yamllint 'molecule>=6.0' 'molecule-plugins[docker]' 'ansible-core>=2.16' ansible-lint | ||||||
|  | # install collection dependencies | ||||||
|  | ansible-galaxy collection install -r requirements.yml | ||||||
|  | # install python dependencies | ||||||
|  | pip install -r requirements.txt molecule/requirements.txt | ||||||
|  | # execute the tests (replace --all with -s subdirectory to run a single test) | ||||||
|  | molecule test --all | ||||||
|  | ``` | ||||||
| 
 | 
 | ||||||
| ## Contributor's Guidelines | ## Contributor's Guidelines | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
							
								
								
									
										16
									
								
								README.md
									
										
									
									
									
								
							
							
						
						
									
										16
									
								
								README.md
									
										
									
									
									
								
							|  | @ -1,9 +1,9 @@ | ||||||
| # Ansible Collection - middleware_automation.keycloak | # Ansible Collection - middleware_automation.keycloak | ||||||
| 
 | 
 | ||||||
| <!--start build_status --> | <!--start build_status --> | ||||||
| [](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml) | [](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml) | ||||||
| 
 | 
 | ||||||
| > **_NOTE:_ If you are Red Hat customer, install `redhat.sso` (for Red Hat Single Sign-On) or `redhat.rhbk` (for Red Hat Build of Keycloak) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.** | > **_NOTE:_ If you are Red Hat customer, install `redhat.rhbk` (for Red Hat Build of Keycloak) or `redhat.sso` (for Red Hat Single Sign-On) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.** | ||||||
| 
 | 
 | ||||||
| <!--end build_status --> | <!--end build_status --> | ||||||
| <!--start description --> | <!--start description --> | ||||||
|  | @ -12,7 +12,7 @@ Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Re | ||||||
| <!--start requires_ansible--> | <!--start requires_ansible--> | ||||||
| ## Ansible version compatibility | ## Ansible version compatibility | ||||||
| 
 | 
 | ||||||
| This collection has been tested against following Ansible versions: **>=2.15.0**. | This collection has been tested against following Ansible versions: **>=2.16.0**. | ||||||
| 
 | 
 | ||||||
| Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions. | Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions. | ||||||
| <!--end requires_ansible--> | <!--end requires_ansible--> | ||||||
|  | @ -49,9 +49,10 @@ A requirement file is provided to install: | ||||||
| <!--start roles_paths --> | <!--start roles_paths --> | ||||||
| ### Included roles | ### Included roles | ||||||
| 
 | 
 | ||||||
| * [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service (keycloak <= 19.0). | * `keycloak_quarkus`: role for installing keycloak (>= 19.0.0, quarkus based). | ||||||
| * [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service. | * `keycloak_realm`: role for configuring a realm, user federation(s), clients and users, in an installed service. | ||||||
| * [`keycloak_quarkus`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md): role for installing the quarkus variant of keycloak (>= 17.0.0). | * `keycloak`: role for installing legacy keycloak (<= 19.0, wildfly based). | ||||||
|  | 
 | ||||||
| <!--end roles_paths --> | <!--end roles_paths --> | ||||||
| 
 | 
 | ||||||
| ## Usage | ## Usage | ||||||
|  | @ -59,8 +60,8 @@ A requirement file is provided to install: | ||||||
| 
 | 
 | ||||||
| ### Install Playbook | ### Install Playbook | ||||||
| <!--start rhbk_playbook --> | <!--start rhbk_playbook --> | ||||||
| * [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs keycloak legacy based on the defined variables (using most defaults). |  | ||||||
| * [`playbooks/keycloak_quarkus.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_quarkus.yml) installs keycloak >= 17 based on the defined variables (using most defaults). | * [`playbooks/keycloak_quarkus.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_quarkus.yml) installs keycloak >= 17 based on the defined variables (using most defaults). | ||||||
|  | * [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs keycloak legacy based on the defined variables (using most defaults). | ||||||
| 
 | 
 | ||||||
| Both playbooks include the `keycloak` role, with different settings, as described in the following sections. | Both playbooks include the `keycloak` role, with different settings, as described in the following sections. | ||||||
| 
 | 
 | ||||||
|  | @ -143,4 +144,3 @@ Apache License v2.0 or later | ||||||
| <!--start license --> | <!--start license --> | ||||||
| See [LICENSE](LICENSE) to view the full text. | See [LICENSE](LICENSE) to view the full text. | ||||||
| <!--end license --> | <!--end license --> | ||||||
| 
 |  | ||||||
|  |  | ||||||
|  | @ -604,3 +604,118 @@ releases: | ||||||
|     - 237.yaml |     - 237.yaml | ||||||
|     - 239.yaml |     - 239.yaml | ||||||
|     release_date: '2024-09-26' |     release_date: '2024-09-26' | ||||||
|  |   2.4.3: | ||||||
|  |     changes: | ||||||
|  |       minor_changes: | ||||||
|  |       - 'Update keycloak to 24.0.5 `#241 <https://github.com/ansible-middleware/keycloak/pull/241>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |     fragments: | ||||||
|  |     - 241.yaml | ||||||
|  |     release_date: '2024-10-16' | ||||||
|  |   3.0.0: | ||||||
|  |     changes: | ||||||
|  |       breaking_changes: | ||||||
|  |       - 'Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |       - 'Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |       - 'Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |       bugfixes: | ||||||
|  |       - 'Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |       - 'Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |       - 'Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |       - 'Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |       minor_changes: | ||||||
|  |       - 'Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |       - 'keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |     fragments: | ||||||
|  |     - 250.yaml | ||||||
|  |     - 251.yaml | ||||||
|  |     - 252.yaml | ||||||
|  |     - 254.yaml | ||||||
|  |     - 266.yaml | ||||||
|  |     - 268.yaml | ||||||
|  |     - 270.yaml | ||||||
|  |     - 271.yaml | ||||||
|  |     - 274.yaml | ||||||
|  |     modules: | ||||||
|  |     - description: Allows administration of Keycloak realm via Keycloak API | ||||||
|  |       name: keycloak_realm | ||||||
|  |       namespace: '' | ||||||
|  |     release_date: '2025-04-23' | ||||||
|  |   3.0.1: | ||||||
|  |     changes: | ||||||
|  |       bugfixes: | ||||||
|  |       - 'Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |       minor_changes: | ||||||
|  |       - 'Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |     fragments: | ||||||
|  |     - 276.yaml | ||||||
|  |     - 277.yaml | ||||||
|  |     release_date: '2025-05-02' | ||||||
|  |   3.0.2: | ||||||
|  |     changes: | ||||||
|  |       bugfixes: | ||||||
|  |       - 'Fix ``keycloak_quarkus_force_install`` parameter being ignored by install | ||||||
|  |         `#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |       - 'Fix alternate download location being ignored (JBossNeworkAPI always used) | ||||||
|  |         `#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |       - 'Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |       - 'Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |       - 'keycloak_realm: federation default provider type should be a string `#302 | ||||||
|  |         <https://github.com/ansible-middleware/keycloak/pull/302>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |       minor_changes: | ||||||
|  |       - 'New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |       - 'New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |       - 'Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |       - 'Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_ | ||||||
|  | 
 | ||||||
|  |         ' | ||||||
|  |     fragments: | ||||||
|  |     - 280.yaml | ||||||
|  |     - 281.yaml | ||||||
|  |     - 283.yaml | ||||||
|  |     - 285.yaml | ||||||
|  |     - 287.yaml | ||||||
|  |     - 289.yaml | ||||||
|  |     - 296.yaml | ||||||
|  |     - 298.yaml | ||||||
|  |     - 302.yaml | ||||||
|  |     release_date: '2025-07-01' | ||||||
|  |  | ||||||
|  | @ -7,7 +7,7 @@ | ||||||
|       </div> |       </div> | ||||||
|       <hr/> |       <hr/> | ||||||
|       <div role="contentinfo"> |       <div role="contentinfo"> | ||||||
|         <p>© Copyright 2022, Red Hat, Inc.</p>
 |         <p>© Copyright 2024, Red Hat, Inc.</p>
 | ||||||
|       </div> |       </div> | ||||||
|       Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a |       Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a | ||||||
|         <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a> |         <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a> | ||||||
|  |  | ||||||
|  | @ -10,31 +10,25 @@ Welcome to Keycloak Collection documentation | ||||||
|    README |    README | ||||||
|    plugins/index |    plugins/index | ||||||
|    roles/index |    roles/index | ||||||
|  |    Changelog <CHANGELOG> | ||||||
| 
 | 
 | ||||||
| .. toctree:: | .. toctree:: | ||||||
|    :maxdepth: 2 |    :maxdepth: 2 | ||||||
|    :caption: Developer documentation |    :caption: Developer documentation | ||||||
| 
 | 
 | ||||||
|    testing |    Developing <developing> | ||||||
|    developing |    Testing <testing> | ||||||
|    releasing |    Releasing <releasing> | ||||||
| 
 |  | ||||||
| .. toctree:: |  | ||||||
|    :maxdepth: 2 |  | ||||||
|    :caption: General |  | ||||||
| 
 |  | ||||||
|    Changelog <CHANGELOG> |  | ||||||
| 
 | 
 | ||||||
| .. toctree:: | .. toctree:: | ||||||
|    :maxdepth: 2 |    :maxdepth: 2 | ||||||
|    :caption: Middleware collections |    :caption: Middleware collections | ||||||
| 
 | 
 | ||||||
|    Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/> |  | ||||||
|    Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/main/> |    Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/main/> | ||||||
|  |    Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/> | ||||||
|    Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/main/> |    Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/main/> | ||||||
|    Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/main/> |    Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/main/> | ||||||
|    ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/main/> |    ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/main/> | ||||||
|    Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/main/> |    Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/main/> | ||||||
|    Ansible Middleware utilities <https://ansible-middleware.github.io/common/main/> |    Ansible Middleware utilities <https://ansible-middleware.github.io/common/main/> | ||||||
|    Red Hat CSP Download <https://ansible-middleware.github.io/redhat-csp-download/main/> |  | ||||||
|    JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/main/> |    JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/main/> | ||||||
|  |  | ||||||
|  | @ -1,7 +1,7 @@ | ||||||
| antsibull>=0.17.0 | antsibull>=0.17.0 | ||||||
| antsibull-docs | antsibull-docs | ||||||
| antsibull-changelog | antsibull-changelog | ||||||
| ansible-core>=2.14.1 | ansible-core>=2.16.0 | ||||||
| ansible-pygments | ansible-pygments | ||||||
| sphinx-rtd-theme | sphinx-rtd-theme | ||||||
| git+https://github.com/felixfontein/ansible-basic-sphinx-ext | git+https://github.com/felixfontein/ansible-basic-sphinx-ext | ||||||
|  |  | ||||||
|  | @ -4,24 +4,7 @@ | ||||||
| 
 | 
 | ||||||
| The collection is tested with a [molecule](https://github.com/ansible-community/molecule) setup covering the included roles and verifying correct installation and idempotency. | The collection is tested with a [molecule](https://github.com/ansible-community/molecule) setup covering the included roles and verifying correct installation and idempotency. | ||||||
| In order to run the molecule tests locally with python 3.9 available, after cloning the repository: | In order to run the molecule tests locally with python 3.9 available, after cloning the repository: | ||||||
| 
 | The test scenarios are available on the source code repository each on his own subdirectory under [molecule/](https://github.com/ansible-middleware/keycloak/molecule). | ||||||
| ``` |  | ||||||
| pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous |  | ||||||
| molecule test --all |  | ||||||
| ``` |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| ## Integration testing |  | ||||||
| 
 |  | ||||||
| Demo repositories which depend on the collection, and aggregate functionality with other middleware_automation collections, are automatically rebuilt |  | ||||||
| at every collection release to ensure non-breaking changes and consistent behaviour. |  | ||||||
| 
 |  | ||||||
| The repository are: |  | ||||||
| 
 |  | ||||||
|  - [Flange demo](https://github.com/ansible-middleware/flange-demo) |  | ||||||
|    A deployment of Wildfly cluster integrated with keycloak and infinispan. |  | ||||||
|  - [CrossDC keycloak demo](https://github.com/ansible-middleware/cross-dc-rhsso-demo) |  | ||||||
|    A clustered multi-regional installation of keycloak with infinispan remote caches. |  | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| ## Test playbooks | ## Test playbooks | ||||||
|  | @ -29,15 +12,7 @@ The repository are: | ||||||
| Sample playbooks are provided in the `playbooks/` directory; to run the playbooks locally (requires a rhel system with python 3.9+, ansible, and systemd) the steps are as follows: | Sample playbooks are provided in the `playbooks/` directory; to run the playbooks locally (requires a rhel system with python 3.9+, ansible, and systemd) the steps are as follows: | ||||||
| 
 | 
 | ||||||
| ``` | ``` | ||||||
| # setup environment | # setup environment as in developing | ||||||
| pip install ansible-core |  | ||||||
| # clone the repository |  | ||||||
| git clone https://github.com/ansible-middleware/keycloak |  | ||||||
| cd keycloak |  | ||||||
| # install collection dependencies |  | ||||||
| ansible-galaxy collection install -r requirements.yml |  | ||||||
| # install collection python deps |  | ||||||
| pip install -r requirements.txt |  | ||||||
| # create inventory for localhost | # create inventory for localhost | ||||||
| cat << EOF > inventory | cat << EOF > inventory | ||||||
| [keycloak] | [keycloak] | ||||||
|  |  | ||||||
|  | @ -1,7 +1,7 @@ | ||||||
| --- | --- | ||||||
| namespace: middleware_automation | namespace: middleware_automation | ||||||
| name: keycloak | name: keycloak | ||||||
| version: "2.4.2" | version: "3.0.3" | ||||||
| readme: README.md | readme: README.md | ||||||
| authors: | authors: | ||||||
|   - Romain Pelisse <rpelisse@redhat.com> |   - Romain Pelisse <rpelisse@redhat.com> | ||||||
|  |  | ||||||
|  | @ -1,2 +1,2 @@ | ||||||
| --- | --- | ||||||
| requires_ansible: ">=2.15.0" | requires_ansible: ">=2.16.0" | ||||||
|  |  | ||||||
|  | @ -3,40 +3,42 @@ | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_show_deprecation_warnings: false |     keycloak_quarkus_show_deprecation_warnings: false | ||||||
|     keycloak_quarkus_admin_pass: "remembertochangeme" |     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||||
|     keycloak_realm: TestRealm |     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||||
|  |     keycloak_quarkus_hostname: http://instance:8080 | ||||||
|     keycloak_quarkus_log: file |     keycloak_quarkus_log: file | ||||||
|     keycloak_quarkus_frontend_url: 'http://localhost:8080/' |     keycloak_quarkus_start_dev: true | ||||||
|     keycloak_quarkus_start_dev: True |  | ||||||
|     keycloak_quarkus_proxy_mode: none |     keycloak_quarkus_proxy_mode: none | ||||||
|     keycloak_client_default_roles: |   roles: | ||||||
|       - TestRoleAdmin |     - role: keycloak_quarkus | ||||||
|       - TestRoleUser |     - role: keycloak_realm | ||||||
|  |       keycloak_url: "{{ keycloak_quarkus_hostname }}" | ||||||
|  |       keycloak_context: '' | ||||||
|  |       keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}" | ||||||
|  |       keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}" | ||||||
|       keycloak_client_users: |       keycloak_client_users: | ||||||
|         - username: TestUser |         - username: TestUser | ||||||
|           password: password |           password: password | ||||||
|           client_roles: |           client_roles: | ||||||
|             - client: TestClient |             - client: TestClient | ||||||
|               role: TestRoleUser |               role: TestRoleUser | ||||||
|  |               realm: "{{ keycloak_realm }}" | ||||||
|         - username: TestAdmin |         - username: TestAdmin | ||||||
|           password: password |           password: password | ||||||
|           client_roles: |           client_roles: | ||||||
|             - client: TestClient |             - client: TestClient | ||||||
|               role: TestRoleUser |               role: TestRoleUser | ||||||
|  |               realm: "{{ keycloak_realm }}" | ||||||
|             - client: TestClient |             - client: TestClient | ||||||
|               role: TestRoleAdmin |               role: TestRoleAdmin | ||||||
|  |               realm: "{{ keycloak_realm }}" | ||||||
|  |       keycloak_realm: TestRealm | ||||||
|       keycloak_clients: |       keycloak_clients: | ||||||
|         - name: TestClient |         - name: TestClient | ||||||
|         roles: "{{ keycloak_client_default_roles }}" |           realm: "{{ keycloak_realm }}" | ||||||
|           public_client: "{{ keycloak_client_public }}" |           public_client: "{{ keycloak_client_public }}" | ||||||
|           web_origins: "{{ keycloak_client_web_origins }}" |           web_origins: "{{ keycloak_client_web_origins }}" | ||||||
|           users: "{{ keycloak_client_users }}" |           users: "{{ keycloak_client_users }}" | ||||||
|           client_id: TestClient |           client_id: TestClient | ||||||
|           attributes: |           attributes: | ||||||
|             post.logout.redirect.uris: '/public/logout' |             post.logout.redirect.uris: '/public/logout' | ||||||
|   roles: |  | ||||||
|     - role: keycloak_quarkus |  | ||||||
|     - role: keycloak_realm |  | ||||||
|       keycloak_realm: TestRealm |  | ||||||
|       keycloak_admin_password: "remembertochangeme" |  | ||||||
|       keycloak_context: '' |  | ||||||
|  |  | ||||||
|  | @ -3,7 +3,7 @@ driver: | ||||||
|   name: docker |   name: docker | ||||||
| platforms: | platforms: | ||||||
|   - name: instance |   - name: instance | ||||||
|     image: ghcr.io/hspaans/molecule-containers:debian-11 |     image: ghcr.io/hspaans/molecule-containers:debian-13 | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|     privileged: true |     privileged: true | ||||||
|     port_bindings: |     port_bindings: | ||||||
|  |  | ||||||
|  | @ -7,5 +7,5 @@ | ||||||
|       ansible.builtin.apt: |       ansible.builtin.apt: | ||||||
|         name: |         name: | ||||||
|           - sudo |           - sudo | ||||||
|           - openjdk-17-jdk-headless |           - openjdk-21-jdk-headless | ||||||
|         state: present |           - iproute2 | ||||||
|  |  | ||||||
|  | @ -2,7 +2,7 @@ | ||||||
| - name: Verify | - name: Verify | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_admin_password: "remembertochangeme" |     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||||
|     keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}" |     keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}" | ||||||
|     keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}" |     keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}" | ||||||
|     keycloak_jboss_port_offset: 10 |     keycloak_jboss_port_offset: 10 | ||||||
|  |  | ||||||
|  | @ -3,23 +3,24 @@ | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_show_deprecation_warnings: false |     keycloak_quarkus_show_deprecation_warnings: false | ||||||
|     keycloak_quarkus_admin_pass: "remembertochangeme" |     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||||
|     keycloak_admin_password: "remembertochangeme" |     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||||
|     keycloak_quarkus_host: instance |     keycloak_quarkus_hostname: http://instance:8080 | ||||||
|     keycloak_quarkus_log: file |     keycloak_quarkus_log: file | ||||||
|     keycloak_quarkus_log_level: debug |     keycloak_quarkus_log_level: debug | ||||||
|     keycloak_quarkus_log_target: /tmp/keycloak |     keycloak_quarkus_log_target: /tmp/keycloak | ||||||
|     keycloak_quarkus_start_dev: True |     keycloak_quarkus_start_dev: true | ||||||
|     keycloak_quarkus_proxy_mode: none |     keycloak_quarkus_proxy_mode: none | ||||||
|     keycloak_quarkus_offline_install: true |     keycloak_quarkus_offline_install: true | ||||||
|     keycloak_quarkus_download_path: /tmp/keycloak/ |     keycloak_quarkus_download_path: /tmp/keycloak/ | ||||||
|  |     keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m " | ||||||
|   roles: |   roles: | ||||||
|     - role: keycloak_quarkus |     - role: keycloak_quarkus | ||||||
|     - role: keycloak_realm |     - role: keycloak_realm | ||||||
|  |       keycloak_url: "{{ keycloak_quarkus_hostname }}" | ||||||
|       keycloak_context: '' |       keycloak_context: '' | ||||||
|       keycloak_client_default_roles: |       keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}" | ||||||
|         - TestRoleAdmin |       keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}" | ||||||
|         - TestRoleUser |  | ||||||
|       keycloak_client_users: |       keycloak_client_users: | ||||||
|         - username: TestUser |         - username: TestUser | ||||||
|           password: password |           password: password | ||||||
|  | @ -39,7 +40,6 @@ | ||||||
|       keycloak_realm: TestRealm |       keycloak_realm: TestRealm | ||||||
|       keycloak_clients: |       keycloak_clients: | ||||||
|         - name: TestClient |         - name: TestClient | ||||||
|           roles: "{{ keycloak_client_default_roles }}" |  | ||||||
|           realm: "{{ keycloak_realm }}" |           realm: "{{ keycloak_realm }}" | ||||||
|           public_client: "{{ keycloak_client_public }}" |           public_client: "{{ keycloak_client_public }}" | ||||||
|           web_origins: "{{ keycloak_client_web_origins }}" |           web_origins: "{{ keycloak_client_web_origins }}" | ||||||
|  |  | ||||||
|  | @ -1,9 +1,9 @@ | ||||||
| --- | --- | ||||||
| driver: | driver: | ||||||
|   name: docker |   name: podman | ||||||
| platforms: | platforms: | ||||||
|   - name: instance |   - name: instance | ||||||
|     image: registry.access.redhat.com/ubi8/ubi-init:latest |     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|     privileged: true |     privileged: true | ||||||
|     command: "/usr/sbin/init" |     command: "/usr/sbin/init" | ||||||
|  | @ -11,6 +11,7 @@ platforms: | ||||||
|       - "8080/tcp" |       - "8080/tcp" | ||||||
|       - "8443/tcp" |       - "8443/tcp" | ||||||
|       - "8009/tcp" |       - "8009/tcp" | ||||||
|  |       - "9000/tcp" | ||||||
| provisioner: | provisioner: | ||||||
|   name: ansible |   name: ansible | ||||||
|   config_options: |   config_options: | ||||||
|  | @ -28,6 +29,8 @@ provisioner: | ||||||
|         ansible_python_interpreter: "{{ ansible_playbook_python }}" |         ansible_python_interpreter: "{{ ansible_playbook_python }}" | ||||||
|   env: |   env: | ||||||
|     ANSIBLE_FORCE_COLOR: "true" |     ANSIBLE_FORCE_COLOR: "true" | ||||||
|  |     PROXY: "${PROXY}" | ||||||
|  |     NO_PROXY: "${NO_PROXY}" | ||||||
| verifier: | verifier: | ||||||
|   name: ansible |   name: ansible | ||||||
| scenario: | scenario: | ||||||
|  |  | ||||||
|  | @ -7,10 +7,6 @@ | ||||||
|   tasks: |   tasks: | ||||||
|     - name: "Run preparation common to all scenario" |     - name: "Run preparation common to all scenario" | ||||||
|       ansible.builtin.include_tasks: ../prepare.yml |       ansible.builtin.include_tasks: ../prepare.yml | ||||||
|       vars: |  | ||||||
|         assets: |  | ||||||
|           - "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip" |  | ||||||
|           - "{{ assets_server }}/sso/7.6.1/rh-sso-7.6.1-patch.zip" |  | ||||||
| 
 | 
 | ||||||
|     - name: Create controller directory for downloads |     - name: Create controller directory for downloads | ||||||
|       ansible.builtin.file: # noqa risky-file-permissions delegated, uses controller host user |       ansible.builtin.file: # noqa risky-file-permissions delegated, uses controller host user | ||||||
|  | @ -22,7 +18,7 @@ | ||||||
| 
 | 
 | ||||||
|     - name: Download keycloak archive to controller directory |     - name: Download keycloak archive to controller directory | ||||||
|       ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user |       ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user | ||||||
|         url: https://github.com/keycloak/keycloak/releases/download/24.0.4/keycloak-24.0.4.zip |         url: https://github.com/keycloak/keycloak/releases/download/26.3.0/keycloak-26.3.0.zip | ||||||
|         dest: /tmp/keycloak |         dest: /tmp/keycloak | ||||||
|         mode: '0640' |         mode: '0640' | ||||||
|       delegate_to: localhost |       delegate_to: localhost | ||||||
|  |  | ||||||
|  | @ -2,7 +2,8 @@ | ||||||
| - name: Verify | - name: Verify | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_admin_password: "remembertochangeme" |     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||||
|  |     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||||
|     keycloak_uri: "http://localhost:8080" |     keycloak_uri: "http://localhost:8080" | ||||||
|   tasks: |   tasks: | ||||||
|     - name: Populate service facts |     - name: Populate service facts | ||||||
|  | @ -16,7 +17,7 @@ | ||||||
|       ansible.builtin.uri: |       ansible.builtin.uri: | ||||||
|         url: "{{ keycloak_uri }}/realms/master/protocol/openid-connect/token" |         url: "{{ keycloak_uri }}/realms/master/protocol/openid-connect/token" | ||||||
|         method: POST |         method: POST | ||||||
|         body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password" |         body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_user }}&grant_type=password" | ||||||
|         validate_certs: no |         validate_certs: no | ||||||
|       register: keycloak_auth_response |       register: keycloak_auth_response | ||||||
|       until: keycloak_auth_response.status == 200 |       until: keycloak_auth_response.status == 200 | ||||||
|  |  | ||||||
|  | @ -3,15 +3,14 @@ | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_show_deprecation_warnings: false |     keycloak_quarkus_show_deprecation_warnings: false | ||||||
|     keycloak_quarkus_admin_pass: "remembertochangeme" |     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||||
|     keycloak_admin_password: "remembertochangeme" |     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||||
|     keycloak_realm: TestRealm |     keycloak_quarkus_hostname: https://proxy | ||||||
|     keycloak_quarkus_host: instance |  | ||||||
|     keycloak_quarkus_log: file |     keycloak_quarkus_log: file | ||||||
|     keycloak_quarkus_http_enabled: True |     keycloak_quarkus_http_enabled: True | ||||||
|     keycloak_quarkus_http_port: 8080 |     keycloak_quarkus_http_port: 8080 | ||||||
|     keycloak_quarkus_proxy_mode: edge |     keycloak_quarkus_proxy_mode: edge | ||||||
|     keycloak_quarkus_http_relative_path: / |     keycloak_quarkus_http_relative_path: / | ||||||
|     keycloak_quarkus_frontend_url: https://proxy/ |     keycloak_quarkus_health_check_url: http://proxy:8080/realms/master/.well-known/openid-configuration | ||||||
|   roles: |   roles: | ||||||
|     - role: keycloak_quarkus |     - role: keycloak_quarkus | ||||||
|  |  | ||||||
|  | @ -3,7 +3,7 @@ driver: | ||||||
|   name: docker |   name: docker | ||||||
| platforms: | platforms: | ||||||
|   - name: instance |   - name: instance | ||||||
|     image: registry.access.redhat.com/ubi8/ubi-init:latest |     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|     privileged: true |     privileged: true | ||||||
|     command: "/usr/sbin/init" |     command: "/usr/sbin/init" | ||||||
|  | @ -14,7 +14,7 @@ platforms: | ||||||
|     published_ports: |     published_ports: | ||||||
|       - 0.0.0.0:8080:8080/tcp |       - 0.0.0.0:8080:8080/tcp | ||||||
|   - name: proxy |   - name: proxy | ||||||
|     image: registry.access.redhat.com/ubi8/ubi-init:latest |     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|     privileged: true |     privileged: true | ||||||
|     command: "/usr/sbin/init" |     command: "/usr/sbin/init" | ||||||
|  |  | ||||||
|  | @ -3,7 +3,7 @@ driver: | ||||||
|   name: docker |   name: docker | ||||||
| platforms: | platforms: | ||||||
|   - name: instance |   - name: instance | ||||||
|     image: registry.access.redhat.com/ubi8/ubi-init:latest |     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|     privileged: true |     privileged: true | ||||||
|     command: "/usr/sbin/init" |     command: "/usr/sbin/init" | ||||||
|  | @ -11,6 +11,7 @@ platforms: | ||||||
|       - "8080/tcp" |       - "8080/tcp" | ||||||
|       - "8443/tcp" |       - "8443/tcp" | ||||||
|       - "8009/tcp" |       - "8009/tcp" | ||||||
|  |       - "9000/tcp" | ||||||
| provisioner: | provisioner: | ||||||
|   name: ansible |   name: ansible | ||||||
|   config_options: |   config_options: | ||||||
|  |  | ||||||
|  | @ -3,10 +3,10 @@ | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_show_deprecation_warnings: false |     keycloak_quarkus_show_deprecation_warnings: false | ||||||
|     keycloak_quarkus_admin_pass: "remembertochangeme" |     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||||
|     keycloak_admin_password: "remembertochangeme" |     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||||
|     keycloak_realm: TestRealm |     keycloak_realm: TestRealm | ||||||
|     keycloak_quarkus_host: instance |     keycloak_quarkus_hostname: https://instance:8443 | ||||||
|     keycloak_quarkus_log: file |     keycloak_quarkus_log: file | ||||||
|     keycloak_quarkus_log_level: debug # needed for the verify step |     keycloak_quarkus_log_level: debug # needed for the verify step | ||||||
|     keycloak_quarkus_https_key_file_enabled: true |     keycloak_quarkus_https_key_file_enabled: true | ||||||
|  | @ -22,6 +22,12 @@ | ||||||
|     keycloak_quarkus_systemd_wait_for_timeout: 20 |     keycloak_quarkus_systemd_wait_for_timeout: 20 | ||||||
|     keycloak_quarkus_systemd_wait_for_delay: 2 |     keycloak_quarkus_systemd_wait_for_delay: 2 | ||||||
|     keycloak_quarkus_systemd_wait_for_log: true |     keycloak_quarkus_systemd_wait_for_log: true | ||||||
|  |     keycloak_quarkus_restart_health_check: false # would fail because of self-signed cert | ||||||
|  |     keycloak_quarkus_version: 26.3.0 | ||||||
|  |     keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx1024m" | ||||||
|  |     keycloak_quarkus_additional_env_vars: | ||||||
|  |       - key: KC_FEATURES_DISABLED | ||||||
|  |         value: impersonation,kerberos | ||||||
|     keycloak_quarkus_providers: |     keycloak_quarkus_providers: | ||||||
|       - id: http-client |       - id: http-client | ||||||
|         spi: connections |         spi: connections | ||||||
|  | @ -32,26 +38,32 @@ | ||||||
|             value: 10 |             value: 10 | ||||||
|       - id: spid-saml |       - id: spid-saml | ||||||
|         url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar |         url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar | ||||||
|  |       - id: spid-saml-w-checksum | ||||||
|  |         url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar | ||||||
|  |         checksum: sha256:fbb50e73739d7a6d35b5bff611b1c01668b29adf6f6259624b95e466a305f377 | ||||||
|       - id: keycloak-kerberos-federation |       - id: keycloak-kerberos-federation | ||||||
|         maven: |         maven: | ||||||
|           repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4 |           repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4 | ||||||
|           group_id: org.keycloak |           group_id: org.keycloak | ||||||
|           artifact_id: keycloak-kerberos-federation |           artifact_id: keycloak-kerberos-federation | ||||||
|           version: 24.0.4 # optional |           version: 26.3.0 # optional | ||||||
|           # username: myUser # optional |           # username: myUser # optional | ||||||
|           # password: myPAT # optional |           # password: myPAT # optional | ||||||
|       # - id: my-static-theme |       # - id: my-static-theme | ||||||
|       #   local_path: /tmp/my-static-theme.jar |       #   local_path: /tmp/my-static-theme.jar | ||||||
|     keycloak_quarkus_policies: |     keycloak_quarkus_policies: | ||||||
|       - name: "xato-net-10-million-passwords.txt" |       - name: "cain-and-abel.txt" | ||||||
|         url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt" |         url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/cain-and-abel.txt" | ||||||
|       - name: "xato-net-10-million-passwords-10.txt" |       - name: "john-the-ripper.txt" | ||||||
|         url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords-10.txt" |         url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt" | ||||||
|         type: password-blacklists |         type: password-blacklists | ||||||
|   roles: |   roles: | ||||||
|     - role: keycloak_quarkus |     - role: keycloak_quarkus | ||||||
|     - role: keycloak_realm |     - role: keycloak_realm | ||||||
|  |       keycloak_url: http://instance:8080 | ||||||
|       keycloak_context: '' |       keycloak_context: '' | ||||||
|  |       keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}" | ||||||
|  |       keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}" | ||||||
|       keycloak_client_default_roles: |       keycloak_client_default_roles: | ||||||
|         - TestRoleAdmin |         - TestRoleAdmin | ||||||
|         - TestRoleUser |         - TestRoleUser | ||||||
|  |  | ||||||
|  | @ -3,7 +3,7 @@ driver: | ||||||
|   name: docker |   name: docker | ||||||
| platforms: | platforms: | ||||||
|   - name: instance |   - name: instance | ||||||
|     image: registry.access.redhat.com/ubi8/ubi-init:latest |     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|     privileged: true |     privileged: true | ||||||
|     command: "/usr/sbin/init" |     command: "/usr/sbin/init" | ||||||
|  | @ -11,6 +11,7 @@ platforms: | ||||||
|       - "8080/tcp" |       - "8080/tcp" | ||||||
|       - "8443/tcp" |       - "8443/tcp" | ||||||
|       - "8009/tcp" |       - "8009/tcp" | ||||||
|  |       - "9000/tcp" | ||||||
|     published_ports: |     published_ports: | ||||||
|       - 0.0.0.0:8443:8443/tcp |       - 0.0.0.0:8443:8443/tcp | ||||||
| provisioner: | provisioner: | ||||||
|  | @ -30,6 +31,9 @@ provisioner: | ||||||
|         ansible_python_interpreter: "{{ ansible_playbook_python }}" |         ansible_python_interpreter: "{{ ansible_playbook_python }}" | ||||||
|   env: |   env: | ||||||
|     ANSIBLE_FORCE_COLOR: "true" |     ANSIBLE_FORCE_COLOR: "true" | ||||||
|  |     PYTHONHTTPSVERIFY: 0 | ||||||
|  |     PROXY: "${PROXY}" | ||||||
|  |     NO_PROXY: "${NO_PROXY}" | ||||||
| verifier: | verifier: | ||||||
|   name: ansible |   name: ansible | ||||||
| scenario: | scenario: | ||||||
|  |  | ||||||
|  | @ -24,7 +24,7 @@ | ||||||
|     - name: Make sure a jre is available (for keytool to prepare keystore) |     - name: Make sure a jre is available (for keytool to prepare keystore) | ||||||
|       delegate_to: localhost |       delegate_to: localhost | ||||||
|       ansible.builtin.package: |       ansible.builtin.package: | ||||||
|         name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}" |         name: java-21-openjdk-headless | ||||||
|         state: present |         state: present | ||||||
|       become: true |       become: true | ||||||
|       failed_when: false |       failed_when: false | ||||||
|  |  | ||||||
|  | @ -2,7 +2,8 @@ | ||||||
| - name: Verify | - name: Verify | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|      keycloak_admin_password: "remembertochangeme" |     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||||
|  |     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||||
|   tasks: |   tasks: | ||||||
|     - name: Populate service facts |     - name: Populate service facts | ||||||
|       ansible.builtin.service_facts: |       ansible.builtin.service_facts: | ||||||
|  | @ -35,10 +36,10 @@ | ||||||
|         - name: Verify endpoint URLs |         - name: Verify endpoint URLs | ||||||
|           ansible.builtin.assert: |           ansible.builtin.assert: | ||||||
|             that: |             that: | ||||||
|               - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance/realms/master/protocol/openid-connect/ext/ciba/auth' |               - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance:8443/realms/master/protocol/openid-connect/ext/ciba/auth' | ||||||
|               - (openid_config.stdout | from_json)['issuer'] == 'https://instance/realms/master' |               - (openid_config.stdout | from_json)['issuer'] == 'https://instance:8443/realms/master' | ||||||
|               - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/auth' |               - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/auth' | ||||||
|               - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/token' |               - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/token' | ||||||
|           delegate_to: localhost |           delegate_to: localhost | ||||||
| 
 | 
 | ||||||
|     - name: Check log folder |     - name: Check log folder | ||||||
|  | @ -91,7 +92,7 @@ | ||||||
|       ansible.builtin.uri: |       ansible.builtin.uri: | ||||||
|         url: "https://instance:8443/realms/master/protocol/openid-connect/token" |         url: "https://instance:8443/realms/master/protocol/openid-connect/token" | ||||||
|         method: POST |         method: POST | ||||||
|         body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password" |         body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_password}}&grant_type=password" | ||||||
|         validate_certs: no |         validate_certs: no | ||||||
|       register: keycloak_auth_response |       register: keycloak_auth_response | ||||||
|       until: keycloak_auth_response.status == 200 |       until: keycloak_auth_response.status == 200 | ||||||
|  | @ -101,8 +102,8 @@ | ||||||
|     - name: "Get Clients" |     - name: "Get Clients" | ||||||
|       ansible.builtin.uri: |       ansible.builtin.uri: | ||||||
|         url: "https://instance:8443/admin/realms/TestRealm/clients" |         url: "https://instance:8443/admin/realms/TestRealm/clients" | ||||||
|         headers: |  | ||||||
|         validate_certs: false |         validate_certs: false | ||||||
|  |         headers: | ||||||
|           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" |           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" | ||||||
|       register: keycloak_clients |       register: keycloak_clients | ||||||
| 
 | 
 | ||||||
|  | @ -113,15 +114,15 @@ | ||||||
|     - name: "Get Client {{ keycloak_client_uuid }}" |     - name: "Get Client {{ keycloak_client_uuid }}" | ||||||
|       ansible.builtin.uri: |       ansible.builtin.uri: | ||||||
|         url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}" |         url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}" | ||||||
|         headers: |  | ||||||
|         validate_certs: false |         validate_certs: false | ||||||
|  |         headers: | ||||||
|           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" |           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" | ||||||
|       register: keycloak_test_client |       register: keycloak_test_client | ||||||
| 
 | 
 | ||||||
|     - name: "Get Client roles" |     - name: "Get Client roles" | ||||||
|       ansible.builtin.uri: |       ansible.builtin.uri: | ||||||
|         url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}/roles" |         url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}/roles" | ||||||
|         headers: |  | ||||||
|         validate_certs: false |         validate_certs: false | ||||||
|  |         headers: | ||||||
|           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" |           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" | ||||||
|       register: keycloak_test_client_roles |       register: keycloak_test_client_roles | ||||||
|  | @ -3,18 +3,23 @@ | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_show_deprecation_warnings: false |     keycloak_quarkus_show_deprecation_warnings: false | ||||||
|     keycloak_quarkus_admin_pass: "remembertochangeme" |     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||||
|     keycloak_admin_password: "remembertochangeme" |     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||||
|     keycloak_realm: TestRealm |     keycloak_realm: TestRealm | ||||||
|     keycloak_quarkus_log: file |     keycloak_quarkus_log: file | ||||||
|     keycloak_quarkus_frontend_url: 'http://localhost:8080/' |     keycloak_quarkus_hostname: 'http://localhost:8080' | ||||||
|     keycloak_quarkus_start_dev: True |     keycloak_quarkus_start_dev: True | ||||||
|     keycloak_quarkus_proxy_mode: none |     keycloak_quarkus_proxy_mode: none | ||||||
|     keycloak_quarkus_java_home: /opt/openjdk/ |     keycloak_quarkus_java_home: /opt/openjdk/ | ||||||
|  |     keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m" | ||||||
|  | 
 | ||||||
|   roles: |   roles: | ||||||
|     - role: keycloak_quarkus |     - role: keycloak_quarkus | ||||||
|     - role: keycloak_realm |     - role: keycloak_realm | ||||||
|  |       keycloak_url: "{{ keycloak_quarkus_hostname }}" | ||||||
|       keycloak_context: '' |       keycloak_context: '' | ||||||
|  |       keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}" | ||||||
|  |       keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}" | ||||||
|       keycloak_client_default_roles: |       keycloak_client_default_roles: | ||||||
|         - TestRoleAdmin |         - TestRoleAdmin | ||||||
|         - TestRoleUser |         - TestRoleUser | ||||||
|  | @ -1,17 +1,19 @@ | ||||||
| --- | --- | ||||||
| driver: | driver: | ||||||
|   name: docker |   name: podman | ||||||
| platforms: | platforms: | ||||||
|   - name: instance |   - name: instance | ||||||
|     image: registry.access.redhat.com/ubi8/ubi-init:latest |     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|     privileged: true |     privileged: true | ||||||
|     command: "/usr/sbin/init" |     command: "/usr/sbin/init" | ||||||
|     port_bindings: |     port_bindings: | ||||||
|       - "8080/tcp" |       - "8080/tcp" | ||||||
|       - "8009/tcp" |       - "8009/tcp" | ||||||
|  |       - "9000/tcp" | ||||||
|     published_ports: |     published_ports: | ||||||
|       - 0.0.0.0:8080:8080/tcp |       - 0.0.0.0:8080:8080/tcp | ||||||
|  |       - 0.0.0.0:9000:9000/TCP | ||||||
| provisioner: | provisioner: | ||||||
|   name: ansible |   name: ansible | ||||||
|   config_options: |   config_options: | ||||||
|  | @ -29,6 +31,8 @@ provisioner: | ||||||
|         ansible_python_interpreter: "{{ ansible_playbook_python }}" |         ansible_python_interpreter: "{{ ansible_playbook_python }}" | ||||||
|   env: |   env: | ||||||
|     ANSIBLE_FORCE_COLOR: "true" |     ANSIBLE_FORCE_COLOR: "true" | ||||||
|  |     PROXY: "${PROXY}" | ||||||
|  |     NO_PROXY: "${NO_PROXY}" | ||||||
| verifier: | verifier: | ||||||
|   name: ansible |   name: ansible | ||||||
| scenario: | scenario: | ||||||
|  | @ -3,10 +3,9 @@ | ||||||
|   hosts: keycloak |   hosts: keycloak | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_show_deprecation_warnings: false |     keycloak_quarkus_show_deprecation_warnings: false | ||||||
|     keycloak_quarkus_admin_pass: "remembertochangeme" |     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||||
|     keycloak_admin_password: "remembertochangeme" |     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||||
|     keycloak_realm: TestRealm |     keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080" | ||||||
|     keycloak_quarkus_host: "{{ inventory_hostname }}" |  | ||||||
|     keycloak_quarkus_log: file |     keycloak_quarkus_log: file | ||||||
|     keycloak_quarkus_log_level: info |     keycloak_quarkus_log_level: info | ||||||
|     keycloak_quarkus_https_key_file_enabled: true |     keycloak_quarkus_https_key_file_enabled: true | ||||||
|  | @ -25,6 +24,6 @@ | ||||||
|     keycloak_quarkus_restart_strategy: restart/serial.yml |     keycloak_quarkus_restart_strategy: restart/serial.yml | ||||||
|     keycloak_quarkus_db_user: keycloak |     keycloak_quarkus_db_user: keycloak | ||||||
|     keycloak_quarkus_db_pass: mysecretpass |     keycloak_quarkus_db_pass: mysecretpass | ||||||
|     keycloak_quarkus_jdbc_url: jdbc:postgresql://postgres:5432/keycloak |     keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak | ||||||
|   roles: |   roles: | ||||||
|     - role: keycloak_quarkus |     - role: keycloak_quarkus | ||||||
|  |  | ||||||
|  | @ -14,6 +14,7 @@ platforms: | ||||||
|     port_bindings: |     port_bindings: | ||||||
|       - "8080/tcp" |       - "8080/tcp" | ||||||
|       - "8443/tcp" |       - "8443/tcp" | ||||||
|  |       - "9000/tcp" | ||||||
|   - name: instance2 |   - name: instance2 | ||||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest |     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|  | @ -26,6 +27,7 @@ platforms: | ||||||
|     port_bindings: |     port_bindings: | ||||||
|       - "8080/tcp" |       - "8080/tcp" | ||||||
|       - "8443/tcp" |       - "8443/tcp" | ||||||
|  |       - "9000/tcp" | ||||||
|   - name: postgres |   - name: postgres | ||||||
|     image: ubuntu/postgres:14-22.04_beta |     image: ubuntu/postgres:14-22.04_beta | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|  | @ -63,6 +65,7 @@ provisioner: | ||||||
|         ansible_python_interpreter: "{{ ansible_playbook_python }}" |         ansible_python_interpreter: "{{ ansible_playbook_python }}" | ||||||
|   env: |   env: | ||||||
|     ANSIBLE_FORCE_COLOR: "true" |     ANSIBLE_FORCE_COLOR: "true" | ||||||
|  |     PYTHONHTTPSVERIFY: 0 | ||||||
| verifier: | verifier: | ||||||
|   name: ansible |   name: ansible | ||||||
| scenario: | scenario: | ||||||
|  |  | ||||||
							
								
								
									
										57
									
								
								molecule/quarkus_ha_remote/converge.yml
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										57
									
								
								molecule/quarkus_ha_remote/converge.yml
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,57 @@ | ||||||
|  | --- | ||||||
|  | - name: Converge | ||||||
|  |   hosts: infinispan | ||||||
|  |   roles: | ||||||
|  |     - role: middleware_automation.infinispan.infinispan | ||||||
|  |       infinispan_service_name: infinispan | ||||||
|  |       infinispan_supervisor_password: remembertochangeme | ||||||
|  |       infinispan_keycloak_caches: true | ||||||
|  |       infinispan_keycloak_persistence: False | ||||||
|  |       infinispan_jdbc_engine: postgres | ||||||
|  |       infinispan_jdbc_url: jdbc:postgresql://postgres:5432/keycloak | ||||||
|  |       infinispan_jdbc_driver_version: 9.4.1212 | ||||||
|  |       infinispan_jdbc_user: keycloak | ||||||
|  |       infinispan_jdbc_pass: mysecretpass | ||||||
|  |       infinispan_bind_address: "{{ ansible_default_ipv4.address }}" | ||||||
|  |       infinispan_users: | ||||||
|  |         - { name: 'testuser', password: 'test', roles: 'observer' } | ||||||
|  | 
 | ||||||
|  | - name: Converge | ||||||
|  |   hosts: keycloak | ||||||
|  |   vars: | ||||||
|  |     keycloak_quarkus_show_deprecation_warnings: false | ||||||
|  |     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||||
|  |     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||||
|  |     keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080" | ||||||
|  |     keycloak_quarkus_log: file | ||||||
|  |     keycloak_quarkus_log_level: info | ||||||
|  |     keycloak_quarkus_https_key_file_enabled: true | ||||||
|  |     keycloak_quarkus_key_file_copy_enabled: true | ||||||
|  |     keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}" | ||||||
|  |     keycloak_quarkus_cert_file_copy_enabled: true | ||||||
|  |     keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem" | ||||||
|  |     keycloak_quarkus_ks_vault_enabled: true | ||||||
|  |     keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12" | ||||||
|  |     keycloak_quarkus_ks_vault_pass: keystorepassword | ||||||
|  |     keycloak_quarkus_systemd_wait_for_port: true | ||||||
|  |     keycloak_quarkus_systemd_wait_for_timeout: 20 | ||||||
|  |     keycloak_quarkus_systemd_wait_for_delay: 2 | ||||||
|  |     keycloak_quarkus_systemd_wait_for_log: true | ||||||
|  |     keycloak_quarkus_ha_enabled: true | ||||||
|  |     keycloak_quarkus_restart_strategy: restart/serial.yml | ||||||
|  |     keycloak_quarkus_db_user: keycloak | ||||||
|  |     keycloak_quarkus_db_pass: mysecretpass | ||||||
|  |     keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak | ||||||
|  |     keycloak_quarkus_cache_remote: true | ||||||
|  |     keycloak_quarkus_cache_remote_username: supervisor | ||||||
|  |     keycloak_quarkus_cache_remote_password: remembertochangeme | ||||||
|  |     keycloak_quarkus_cache_remote_host: "infinispan1" | ||||||
|  |     keycloak_quarkus_cache_remote_port: 11222 | ||||||
|  |     keycloak_quarkus_cache_remote_tls_enabled: false | ||||||
|  |     keycloak_quarkus_additional_env_vars: | ||||||
|  |       - key: KC_FEATURES | ||||||
|  |         value: clusterless | ||||||
|  |       - key: KC_FEATURES_DISABLED | ||||||
|  |         value: persistent-user-sessions | ||||||
|  |   roles: | ||||||
|  |     - role: keycloak_quarkus | ||||||
							
								
								
									
										80
									
								
								molecule/quarkus_ha_remote/molecule.yml
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										80
									
								
								molecule/quarkus_ha_remote/molecule.yml
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,80 @@ | ||||||
|  | --- | ||||||
|  | driver: | ||||||
|  |   name: docker | ||||||
|  | platforms: | ||||||
|  |   - name: keycloak1 | ||||||
|  |     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||||
|  |     pre_build_image: true | ||||||
|  |     privileged: true | ||||||
|  |     command: "/usr/sbin/init" | ||||||
|  |     groups: | ||||||
|  |       - keycloak | ||||||
|  |     networks: | ||||||
|  |       - name: rhbk | ||||||
|  |     port_bindings: | ||||||
|  |       - "8080/tcp" | ||||||
|  |       - "8443/tcp" | ||||||
|  |       - "9000/tcp" | ||||||
|  |   - name: infinispan1 | ||||||
|  |     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||||
|  |     pre_build_image: true | ||||||
|  |     privileged: true | ||||||
|  |     command: "/usr/sbin/init" | ||||||
|  |     groups: | ||||||
|  |       - infinispan | ||||||
|  |     networks: | ||||||
|  |       - name: rhbk | ||||||
|  |     port_bindings: | ||||||
|  |       - "11222/tcp" | ||||||
|  |   - name: postgres | ||||||
|  |     image: ubuntu/postgres:14-22.04_beta | ||||||
|  |     pre_build_image: true | ||||||
|  |     privileged: true | ||||||
|  |     command: postgres | ||||||
|  |     groups: | ||||||
|  |       - database | ||||||
|  |     networks: | ||||||
|  |       - name: rhbk | ||||||
|  |     port_bindings: | ||||||
|  |       - "5432/tcp" | ||||||
|  |     mounts: | ||||||
|  |       - type: bind | ||||||
|  |         target: /etc/postgresql/postgresql.conf | ||||||
|  |         source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf | ||||||
|  |     env: | ||||||
|  |       POSTGRES_USER: keycloak | ||||||
|  |       POSTGRES_PASSWORD: mysecretpass | ||||||
|  |       POSTGRES_DB: keycloak | ||||||
|  |       POSTGRES_HOST_AUTH_METHOD: trust | ||||||
|  | provisioner: | ||||||
|  |   name: ansible | ||||||
|  |   config_options: | ||||||
|  |     defaults: | ||||||
|  |       interpreter_python: auto_silent | ||||||
|  |     ssh_connection: | ||||||
|  |       pipelining: false | ||||||
|  |   playbooks: | ||||||
|  |     prepare: prepare.yml | ||||||
|  |     converge: converge.yml | ||||||
|  |     verify: verify.yml | ||||||
|  |   inventory: | ||||||
|  |     host_vars: | ||||||
|  |       localhost: | ||||||
|  |         ansible_python_interpreter: "{{ ansible_playbook_python }}" | ||||||
|  |   env: | ||||||
|  |     ANSIBLE_FORCE_COLOR: "true" | ||||||
|  |     PYTHONHTTPSVERIFY: 0 | ||||||
|  | verifier: | ||||||
|  |   name: ansible | ||||||
|  | scenario: | ||||||
|  |   test_sequence: | ||||||
|  |     - cleanup | ||||||
|  |     - destroy | ||||||
|  |     - create | ||||||
|  |     - prepare | ||||||
|  |     - converge | ||||||
|  |     - idempotence | ||||||
|  |     - side_effect | ||||||
|  |     - verify | ||||||
|  |     - cleanup | ||||||
|  |     - destroy | ||||||
							
								
								
									
										750
									
								
								molecule/quarkus_ha_remote/postgresql/postgresql.conf
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										750
									
								
								molecule/quarkus_ha_remote/postgresql/postgresql.conf
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,750 @@ | ||||||
|  | # ----------------------------- | ||||||
|  | # PostgreSQL configuration file | ||||||
|  | # ----------------------------- | ||||||
|  | # | ||||||
|  | # This file consists of lines of the form: | ||||||
|  | # | ||||||
|  | #   name = value | ||||||
|  | # | ||||||
|  | # (The "=" is optional.)  Whitespace may be used.  Comments are introduced with | ||||||
|  | # "#" anywhere on a line.  The complete list of parameter names and allowed | ||||||
|  | # values can be found in the PostgreSQL documentation. | ||||||
|  | # | ||||||
|  | # The commented-out settings shown in this file represent the default values. | ||||||
|  | # Re-commenting a setting is NOT sufficient to revert it to the default value; | ||||||
|  | # you need to reload the server. | ||||||
|  | # | ||||||
|  | # This file is read on server startup and when the server receives a SIGHUP | ||||||
|  | # signal.  If you edit the file on a running system, you have to SIGHUP the | ||||||
|  | # server for the changes to take effect, run "pg_ctl reload", or execute | ||||||
|  | # "SELECT pg_reload_conf()".  Some parameters, which are marked below, | ||||||
|  | # require a server shutdown and restart to take effect. | ||||||
|  | # | ||||||
|  | # Any parameter can also be given as a command-line option to the server, e.g., | ||||||
|  | # "postgres -c log_connections=on".  Some parameters can be changed at run time | ||||||
|  | # with the "SET" SQL command. | ||||||
|  | # | ||||||
|  | # Memory units:  kB = kilobytes        Time units:  ms  = milliseconds | ||||||
|  | #                MB = megabytes                     s   = seconds | ||||||
|  | #                GB = gigabytes                     min = minutes | ||||||
|  | #                TB = terabytes                     h   = hours | ||||||
|  | #                                                   d   = days | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | # FILE LOCATIONS | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | 
 | ||||||
|  | # The default values of these variables are driven from the -D command-line | ||||||
|  | # option or PGDATA environment variable, represented here as ConfigDir. | ||||||
|  | 
 | ||||||
|  | #data_directory = 'ConfigDir'		# use data in another directory | ||||||
|  | 					# (change requires restart) | ||||||
|  | #hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file | ||||||
|  | 					# (change requires restart) | ||||||
|  | #ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file | ||||||
|  | 					# (change requires restart) | ||||||
|  | 
 | ||||||
|  | # If external_pid_file is not explicitly set, no extra PID file is written. | ||||||
|  | #external_pid_file = ''			# write an extra PID file | ||||||
|  | 					# (change requires restart) | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | # CONNECTIONS AND AUTHENTICATION | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | 
 | ||||||
|  | # - Connection Settings - | ||||||
|  | 
 | ||||||
|  | listen_addresses = '*'		# what IP address(es) to listen on; | ||||||
|  | 					# comma-separated list of addresses; | ||||||
|  | 					# defaults to 'localhost'; use '*' for all | ||||||
|  | 					# (change requires restart) | ||||||
|  | #port = 5432				# (change requires restart) | ||||||
|  | #max_connections = 100			# (change requires restart) | ||||||
|  | #superuser_reserved_connections = 3	# (change requires restart) | ||||||
|  | #unix_socket_directories = '/tmp'	# comma-separated list of directories | ||||||
|  | 					# (change requires restart) | ||||||
|  | #unix_socket_group = ''			# (change requires restart) | ||||||
|  | #unix_socket_permissions = 0777		# begin with 0 to use octal notation | ||||||
|  | 					# (change requires restart) | ||||||
|  | #bonjour = off				# advertise server via Bonjour | ||||||
|  | 					# (change requires restart) | ||||||
|  | #bonjour_name = ''			# defaults to the computer name | ||||||
|  | 					# (change requires restart) | ||||||
|  | 
 | ||||||
|  | # - TCP settings - | ||||||
|  | # see "man 7 tcp" for details | ||||||
|  | 
 | ||||||
|  | #tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds; | ||||||
|  | 					# 0 selects the system default | ||||||
|  | #tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds; | ||||||
|  | 					# 0 selects the system default | ||||||
|  | #tcp_keepalives_count = 0		# TCP_KEEPCNT; | ||||||
|  | 					# 0 selects the system default | ||||||
|  | #tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds; | ||||||
|  | 					# 0 selects the system default | ||||||
|  | 
 | ||||||
|  | # - Authentication - | ||||||
|  | 
 | ||||||
|  | #authentication_timeout = 1min		# 1s-600s | ||||||
|  | #password_encryption = md5		# md5 or scram-sha-256 | ||||||
|  | #db_user_namespace = off | ||||||
|  | 
 | ||||||
|  | # GSSAPI using Kerberos | ||||||
|  | #krb_server_keyfile = '' | ||||||
|  | #krb_caseins_users = off | ||||||
|  | 
 | ||||||
|  | # - SSL - | ||||||
|  | 
 | ||||||
|  | #ssl = off | ||||||
|  | #ssl_ca_file = '' | ||||||
|  | #ssl_cert_file = 'server.crt' | ||||||
|  | #ssl_crl_file = '' | ||||||
|  | #ssl_key_file = 'server.key' | ||||||
|  | #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers | ||||||
|  | #ssl_prefer_server_ciphers = on | ||||||
|  | #ssl_ecdh_curve = 'prime256v1' | ||||||
|  | #ssl_min_protocol_version = 'TLSv1' | ||||||
|  | #ssl_max_protocol_version = '' | ||||||
|  | #ssl_dh_params_file = '' | ||||||
|  | #ssl_passphrase_command = '' | ||||||
|  | #ssl_passphrase_command_supports_reload = off | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | # RESOURCE USAGE (except WAL) | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | 
 | ||||||
|  | # - Memory - | ||||||
|  | 
 | ||||||
|  | #shared_buffers = 32MB			# min 128kB | ||||||
|  | 					# (change requires restart) | ||||||
|  | #huge_pages = try			# on, off, or try | ||||||
|  | 					# (change requires restart) | ||||||
|  | #temp_buffers = 8MB			# min 800kB | ||||||
|  | #max_prepared_transactions = 0		# zero disables the feature | ||||||
|  | 					# (change requires restart) | ||||||
|  | # Caution: it is not advisable to set max_prepared_transactions nonzero unless | ||||||
|  | # you actively intend to use prepared transactions. | ||||||
|  | #work_mem = 4MB				# min 64kB | ||||||
|  | #maintenance_work_mem = 64MB		# min 1MB | ||||||
|  | #autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem | ||||||
|  | #max_stack_depth = 2MB			# min 100kB | ||||||
|  | #shared_memory_type = mmap		# the default is the first option | ||||||
|  | 					# supported by the operating system: | ||||||
|  | 					#   mmap | ||||||
|  | 					#   sysv | ||||||
|  | 					#   windows | ||||||
|  | 					# (change requires restart) | ||||||
|  | #dynamic_shared_memory_type = posix	# the default is the first option | ||||||
|  | 					# supported by the operating system: | ||||||
|  | 					#   posix | ||||||
|  | 					#   sysv | ||||||
|  | 					#   windows | ||||||
|  | 					#   mmap | ||||||
|  | 					# (change requires restart) | ||||||
|  | 
 | ||||||
|  | # - Disk - | ||||||
|  | 
 | ||||||
|  | #temp_file_limit = -1			# limits per-process temp file space | ||||||
|  | 					# in kB, or -1 for no limit | ||||||
|  | 
 | ||||||
|  | # - Kernel Resources - | ||||||
|  | 
 | ||||||
|  | #max_files_per_process = 1000		# min 25 | ||||||
|  | 					# (change requires restart) | ||||||
|  | 
 | ||||||
|  | # - Cost-Based Vacuum Delay - | ||||||
|  | 
 | ||||||
|  | #vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables) | ||||||
|  | #vacuum_cost_page_hit = 1		# 0-10000 credits | ||||||
|  | #vacuum_cost_page_miss = 10		# 0-10000 credits | ||||||
|  | #vacuum_cost_page_dirty = 20		# 0-10000 credits | ||||||
|  | #vacuum_cost_limit = 200		# 1-10000 credits | ||||||
|  | 
 | ||||||
|  | # - Background Writer - | ||||||
|  | 
 | ||||||
|  | #bgwriter_delay = 200ms			# 10-10000ms between rounds | ||||||
|  | #bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables | ||||||
|  | #bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round | ||||||
|  | #bgwriter_flush_after = 0		# measured in pages, 0 disables | ||||||
|  | 
 | ||||||
|  | # - Asynchronous Behavior - | ||||||
|  | 
 | ||||||
|  | #effective_io_concurrency = 1		# 1-1000; 0 disables prefetching | ||||||
|  | #max_worker_processes = 8		# (change requires restart) | ||||||
|  | #max_parallel_maintenance_workers = 2	# taken from max_parallel_workers | ||||||
|  | #max_parallel_workers_per_gather = 2	# taken from max_parallel_workers | ||||||
|  | #parallel_leader_participation = on | ||||||
|  | #max_parallel_workers = 8		# maximum number of max_worker_processes that | ||||||
|  | 					# can be used in parallel operations | ||||||
|  | #old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate | ||||||
|  | 					# (change requires restart) | ||||||
|  | #backend_flush_after = 0		# measured in pages, 0 disables | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | # WRITE-AHEAD LOG | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | 
 | ||||||
|  | # - Settings - | ||||||
|  | 
 | ||||||
|  | #wal_level = replica			# minimal, replica, or logical | ||||||
|  | 					# (change requires restart) | ||||||
|  | #fsync = on				# flush data to disk for crash safety | ||||||
|  | 					# (turning this off can cause | ||||||
|  | 					# unrecoverable data corruption) | ||||||
|  | #synchronous_commit = on		# synchronization level; | ||||||
|  | 					# off, local, remote_write, remote_apply, or on | ||||||
|  | #wal_sync_method = fsync		# the default is the first option | ||||||
|  | 					# supported by the operating system: | ||||||
|  | 					#   open_datasync | ||||||
|  | 					#   fdatasync (default on Linux) | ||||||
|  | 					#   fsync | ||||||
|  | 					#   fsync_writethrough | ||||||
|  | 					#   open_sync | ||||||
|  | #full_page_writes = on			# recover from partial page writes | ||||||
|  | #wal_compression = off			# enable compression of full-page writes | ||||||
|  | #wal_log_hints = off			# also do full page writes of non-critical updates | ||||||
|  | 					# (change requires restart) | ||||||
|  | #wal_init_zero = on			# zero-fill new WAL files | ||||||
|  | #wal_recycle = on			# recycle WAL files | ||||||
|  | #wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers | ||||||
|  | 					# (change requires restart) | ||||||
|  | #wal_writer_delay = 200ms		# 1-10000 milliseconds | ||||||
|  | #wal_writer_flush_after = 1MB		# measured in pages, 0 disables | ||||||
|  | 
 | ||||||
|  | #commit_delay = 0			# range 0-100000, in microseconds | ||||||
|  | #commit_siblings = 5			# range 1-1000 | ||||||
|  | 
 | ||||||
|  | # - Checkpoints - | ||||||
|  | 
 | ||||||
|  | #checkpoint_timeout = 5min		# range 30s-1d | ||||||
|  | #max_wal_size = 1GB | ||||||
|  | #min_wal_size = 80MB | ||||||
|  | #checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0 | ||||||
|  | #checkpoint_flush_after = 0		# measured in pages, 0 disables | ||||||
|  | #checkpoint_warning = 30s		# 0 disables | ||||||
|  | 
 | ||||||
|  | # - Archiving - | ||||||
|  | 
 | ||||||
|  | #archive_mode = off		# enables archiving; off, on, or always | ||||||
|  | 				# (change requires restart) | ||||||
|  | #archive_command = ''		# command to use to archive a logfile segment | ||||||
|  | 				# placeholders: %p = path of file to archive | ||||||
|  | 				#               %f = file name only | ||||||
|  | 				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f' | ||||||
|  | #archive_timeout = 0		# force a logfile segment switch after this | ||||||
|  | 				# number of seconds; 0 disables | ||||||
|  | 
 | ||||||
|  | # - Archive Recovery - | ||||||
|  | 
 | ||||||
|  | # These are only used in recovery mode. | ||||||
|  | 
 | ||||||
|  | #restore_command = ''		# command to use to restore an archived logfile segment | ||||||
|  | 				# placeholders: %p = path of file to restore | ||||||
|  | 				#               %f = file name only | ||||||
|  | 				# e.g. 'cp /mnt/server/archivedir/%f %p' | ||||||
|  | 				# (change requires restart) | ||||||
|  | #archive_cleanup_command = ''	# command to execute at every restartpoint | ||||||
|  | #recovery_end_command = ''	# command to execute at completion of recovery | ||||||
|  | 
 | ||||||
|  | # - Recovery Target - | ||||||
|  | 
 | ||||||
|  | # Set these only when performing a targeted recovery. | ||||||
|  | 
 | ||||||
|  | #recovery_target = ''		# 'immediate' to end recovery as soon as a | ||||||
|  |                                 # consistent state is reached | ||||||
|  | 				# (change requires restart) | ||||||
|  | #recovery_target_name = ''	# the named restore point to which recovery will proceed | ||||||
|  | 				# (change requires restart) | ||||||
|  | #recovery_target_time = ''	# the time stamp up to which recovery will proceed | ||||||
|  | 				# (change requires restart) | ||||||
|  | #recovery_target_xid = ''	# the transaction ID up to which recovery will proceed | ||||||
|  | 				# (change requires restart) | ||||||
|  | #recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed | ||||||
|  | 				# (change requires restart) | ||||||
|  | #recovery_target_inclusive = on # Specifies whether to stop: | ||||||
|  | 				# just after the specified recovery target (on) | ||||||
|  | 				# just before the recovery target (off) | ||||||
|  | 				# (change requires restart) | ||||||
|  | #recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID | ||||||
|  | 				# (change requires restart) | ||||||
|  | #recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown' | ||||||
|  | 				# (change requires restart) | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | # REPLICATION | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | 
 | ||||||
|  | # - Sending Servers - | ||||||
|  | 
 | ||||||
|  | # Set these on the master and on any standby that will send replication data. | ||||||
|  | 
 | ||||||
|  | #max_wal_senders = 10		# max number of walsender processes | ||||||
|  | 				# (change requires restart) | ||||||
|  | #wal_keep_segments = 0		# in logfile segments; 0 disables | ||||||
|  | #wal_sender_timeout = 60s	# in milliseconds; 0 disables | ||||||
|  | 
 | ||||||
|  | #max_replication_slots = 10	# max number of replication slots | ||||||
|  | 				# (change requires restart) | ||||||
|  | #track_commit_timestamp = off	# collect timestamp of transaction commit | ||||||
|  | 				# (change requires restart) | ||||||
|  | 
 | ||||||
|  | # - Master Server - | ||||||
|  | 
 | ||||||
|  | # These settings are ignored on a standby server. | ||||||
|  | 
 | ||||||
|  | #synchronous_standby_names = ''	# standby servers that provide sync rep | ||||||
|  | 				# method to choose sync standbys, number of sync standbys, | ||||||
|  | 				# and comma-separated list of application_name | ||||||
|  | 				# from standby(s); '*' = all | ||||||
|  | #vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed | ||||||
|  | 
 | ||||||
|  | # - Standby Servers - | ||||||
|  | 
 | ||||||
|  | # These settings are ignored on a master server. | ||||||
|  | 
 | ||||||
|  | #primary_conninfo = ''			# connection string to sending server | ||||||
|  | 					# (change requires restart) | ||||||
|  | #primary_slot_name = ''			# replication slot on sending server | ||||||
|  | 					# (change requires restart) | ||||||
|  | #promote_trigger_file = ''		# file name whose presence ends recovery | ||||||
|  | #hot_standby = on			# "off" disallows queries during recovery | ||||||
|  | 					# (change requires restart) | ||||||
|  | #max_standby_archive_delay = 30s	# max delay before canceling queries | ||||||
|  | 					# when reading WAL from archive; | ||||||
|  | 					# -1 allows indefinite delay | ||||||
|  | #max_standby_streaming_delay = 30s	# max delay before canceling queries | ||||||
|  | 					# when reading streaming WAL; | ||||||
|  | 					# -1 allows indefinite delay | ||||||
|  | #wal_receiver_status_interval = 10s	# send replies at least this often | ||||||
|  | 					# 0 disables | ||||||
|  | #hot_standby_feedback = off		# send info from standby to prevent | ||||||
|  | 					# query conflicts | ||||||
|  | #wal_receiver_timeout = 60s		# time that receiver waits for | ||||||
|  | 					# communication from master | ||||||
|  | 					# in milliseconds; 0 disables | ||||||
|  | #wal_retrieve_retry_interval = 5s	# time to wait before retrying to | ||||||
|  | 					# retrieve WAL after a failed attempt | ||||||
|  | #recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery | ||||||
|  | 
 | ||||||
|  | # - Subscribers - | ||||||
|  | 
 | ||||||
|  | # These settings are ignored on a publisher. | ||||||
|  | 
 | ||||||
|  | #max_logical_replication_workers = 4	# taken from max_worker_processes | ||||||
|  | 					# (change requires restart) | ||||||
|  | #max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | # QUERY TUNING | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | 
 | ||||||
|  | # - Planner Method Configuration - | ||||||
|  | 
 | ||||||
|  | #enable_bitmapscan = on | ||||||
|  | #enable_hashagg = on | ||||||
|  | #enable_hashjoin = on | ||||||
|  | #enable_indexscan = on | ||||||
|  | #enable_indexonlyscan = on | ||||||
|  | #enable_material = on | ||||||
|  | #enable_mergejoin = on | ||||||
|  | #enable_nestloop = on | ||||||
|  | #enable_parallel_append = on | ||||||
|  | #enable_seqscan = on | ||||||
|  | #enable_sort = on | ||||||
|  | #enable_tidscan = on | ||||||
|  | #enable_partitionwise_join = off | ||||||
|  | #enable_partitionwise_aggregate = off | ||||||
|  | #enable_parallel_hash = on | ||||||
|  | #enable_partition_pruning = on | ||||||
|  | 
 | ||||||
|  | # - Planner Cost Constants - | ||||||
|  | 
 | ||||||
|  | #seq_page_cost = 1.0			# measured on an arbitrary scale | ||||||
|  | #random_page_cost = 4.0			# same scale as above | ||||||
|  | #cpu_tuple_cost = 0.01			# same scale as above | ||||||
|  | #cpu_index_tuple_cost = 0.005		# same scale as above | ||||||
|  | #cpu_operator_cost = 0.0025		# same scale as above | ||||||
|  | #parallel_tuple_cost = 0.1		# same scale as above | ||||||
|  | #parallel_setup_cost = 1000.0	# same scale as above | ||||||
|  | 
 | ||||||
|  | #jit_above_cost = 100000		# perform JIT compilation if available | ||||||
|  | 					# and query more expensive than this; | ||||||
|  | 					# -1 disables | ||||||
|  | #jit_inline_above_cost = 500000		# inline small functions if query is | ||||||
|  | 					# more expensive than this; -1 disables | ||||||
|  | #jit_optimize_above_cost = 500000	# use expensive JIT optimizations if | ||||||
|  | 					# query is more expensive than this; | ||||||
|  | 					# -1 disables | ||||||
|  | 
 | ||||||
|  | #min_parallel_table_scan_size = 8MB | ||||||
|  | #min_parallel_index_scan_size = 512kB | ||||||
|  | #effective_cache_size = 4GB | ||||||
|  | 
 | ||||||
|  | # - Genetic Query Optimizer - | ||||||
|  | 
 | ||||||
|  | #geqo = on | ||||||
|  | #geqo_threshold = 12 | ||||||
|  | #geqo_effort = 5			# range 1-10 | ||||||
|  | #geqo_pool_size = 0			# selects default based on effort | ||||||
|  | #geqo_generations = 0			# selects default based on effort | ||||||
|  | #geqo_selection_bias = 2.0		# range 1.5-2.0 | ||||||
|  | #geqo_seed = 0.0			# range 0.0-1.0 | ||||||
|  | 
 | ||||||
|  | # - Other Planner Options - | ||||||
|  | 
 | ||||||
|  | #default_statistics_target = 100	# range 1-10000 | ||||||
|  | #constraint_exclusion = partition	# on, off, or partition | ||||||
|  | #cursor_tuple_fraction = 0.1		# range 0.0-1.0 | ||||||
|  | #from_collapse_limit = 8 | ||||||
|  | #join_collapse_limit = 8		# 1 disables collapsing of explicit | ||||||
|  | 					# JOIN clauses | ||||||
|  | #force_parallel_mode = off | ||||||
|  | #jit = on				# allow JIT compilation | ||||||
|  | #plan_cache_mode = auto			# auto, force_generic_plan or | ||||||
|  | 					# force_custom_plan | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | # REPORTING AND LOGGING | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | 
 | ||||||
|  | # - Where to Log - | ||||||
|  | 
 | ||||||
|  | #log_destination = 'stderr'		# Valid values are combinations of | ||||||
|  | 					# stderr, csvlog, syslog, and eventlog, | ||||||
|  | 					# depending on platform.  csvlog | ||||||
|  | 					# requires logging_collector to be on. | ||||||
|  | 
 | ||||||
|  | # This is used when logging to stderr: | ||||||
|  | #logging_collector = off		# Enable capturing of stderr and csvlog | ||||||
|  | 					# into log files. Required to be on for | ||||||
|  | 					# csvlogs. | ||||||
|  | 					# (change requires restart) | ||||||
|  | 
 | ||||||
|  | # These are only used if logging_collector is on: | ||||||
|  | #log_directory = 'log'			# directory where log files are written, | ||||||
|  | 					# can be absolute or relative to PGDATA | ||||||
|  | #log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'	# log file name pattern, | ||||||
|  | 					# can include strftime() escapes | ||||||
|  | #log_file_mode = 0600			# creation mode for log files, | ||||||
|  | 					# begin with 0 to use octal notation | ||||||
|  | #log_truncate_on_rotation = off		# If on, an existing log file with the | ||||||
|  | 					# same name as the new log file will be | ||||||
|  | 					# truncated rather than appended to. | ||||||
|  | 					# But such truncation only occurs on | ||||||
|  | 					# time-driven rotation, not on restarts | ||||||
|  | 					# or size-driven rotation.  Default is | ||||||
|  | 					# off, meaning append to existing files | ||||||
|  | 					# in all cases. | ||||||
|  | #log_rotation_age = 1d			# Automatic rotation of logfiles will | ||||||
|  | 					# happen after that time.  0 disables. | ||||||
|  | #log_rotation_size = 10MB		# Automatic rotation of logfiles will | ||||||
|  | 					# happen after that much log output. | ||||||
|  | 					# 0 disables. | ||||||
|  | 
 | ||||||
|  | # These are relevant when logging to syslog: | ||||||
|  | #syslog_facility = 'LOCAL0' | ||||||
|  | #syslog_ident = 'postgres' | ||||||
|  | #syslog_sequence_numbers = on | ||||||
|  | #syslog_split_messages = on | ||||||
|  | 
 | ||||||
|  | # This is only relevant when logging to eventlog (win32): | ||||||
|  | # (change requires restart) | ||||||
|  | #event_source = 'PostgreSQL' | ||||||
|  | 
 | ||||||
|  | # - When to Log - | ||||||
|  | 
 | ||||||
|  | #log_min_messages = warning		# values in order of decreasing detail: | ||||||
|  | 					#   debug5 | ||||||
|  | 					#   debug4 | ||||||
|  | 					#   debug3 | ||||||
|  | 					#   debug2 | ||||||
|  | 					#   debug1 | ||||||
|  | 					#   info | ||||||
|  | 					#   notice | ||||||
|  | 					#   warning | ||||||
|  | 					#   error | ||||||
|  | 					#   log | ||||||
|  | 					#   fatal | ||||||
|  | 					#   panic | ||||||
|  | 
 | ||||||
|  | #log_min_error_statement = error	# values in order of decreasing detail: | ||||||
|  | 					#   debug5 | ||||||
|  | 					#   debug4 | ||||||
|  | 					#   debug3 | ||||||
|  | 					#   debug2 | ||||||
|  | 					#   debug1 | ||||||
|  | 					#   info | ||||||
|  | 					#   notice | ||||||
|  | 					#   warning | ||||||
|  | 					#   error | ||||||
|  | 					#   log | ||||||
|  | 					#   fatal | ||||||
|  | 					#   panic (effectively off) | ||||||
|  | 
 | ||||||
|  | #log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements | ||||||
|  | 					# and their durations, > 0 logs only | ||||||
|  | 					# statements running at least this number | ||||||
|  | 					# of milliseconds | ||||||
|  | 
 | ||||||
|  | #log_transaction_sample_rate = 0.0	# Fraction of transactions whose statements | ||||||
|  | 					# are logged regardless of their duration. 1.0 logs all | ||||||
|  | 					# statements from all transactions, 0.0 never logs. | ||||||
|  | 
 | ||||||
|  | # - What to Log - | ||||||
|  | 
 | ||||||
|  | #debug_print_parse = off | ||||||
|  | #debug_print_rewritten = off | ||||||
|  | #debug_print_plan = off | ||||||
|  | #debug_pretty_print = on | ||||||
|  | #log_checkpoints = off | ||||||
|  | #log_connections = off | ||||||
|  | #log_disconnections = off | ||||||
|  | #log_duration = off | ||||||
|  | #log_error_verbosity = default		# terse, default, or verbose messages | ||||||
|  | #log_hostname = off | ||||||
|  | #log_line_prefix = '%m [%p] '		# special values: | ||||||
|  | 					#   %a = application name | ||||||
|  | 					#   %u = user name | ||||||
|  | 					#   %d = database name | ||||||
|  | 					#   %r = remote host and port | ||||||
|  | 					#   %h = remote host | ||||||
|  | 					#   %p = process ID | ||||||
|  | 					#   %t = timestamp without milliseconds | ||||||
|  | 					#   %m = timestamp with milliseconds | ||||||
|  | 					#   %n = timestamp with milliseconds (as a Unix epoch) | ||||||
|  | 					#   %i = command tag | ||||||
|  | 					#   %e = SQL state | ||||||
|  | 					#   %c = session ID | ||||||
|  | 					#   %l = session line number | ||||||
|  | 					#   %s = session start timestamp | ||||||
|  | 					#   %v = virtual transaction ID | ||||||
|  | 					#   %x = transaction ID (0 if none) | ||||||
|  | 					#   %q = stop here in non-session | ||||||
|  | 					#        processes | ||||||
|  | 					#   %% = '%' | ||||||
|  | 					# e.g. '<%u%%%d> ' | ||||||
|  | #log_lock_waits = off			# log lock waits >= deadlock_timeout | ||||||
|  | #log_statement = 'none'			# none, ddl, mod, all | ||||||
|  | #log_replication_commands = off | ||||||
|  | #log_temp_files = -1			# log temporary files equal or larger | ||||||
|  | 					# than the specified size in kilobytes; | ||||||
|  | 					# -1 disables, 0 logs all temp files | ||||||
|  | #log_timezone = 'GMT' | ||||||
|  | 
 | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | # PROCESS TITLE | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | 
 | ||||||
|  | #cluster_name = ''			# added to process titles if nonempty | ||||||
|  | 					# (change requires restart) | ||||||
|  | #update_process_title = on | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | # STATISTICS | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | 
 | ||||||
|  | # - Query and Index Statistics Collector - | ||||||
|  | 
 | ||||||
|  | #track_activities = on | ||||||
|  | #track_counts = on | ||||||
|  | #track_io_timing = off | ||||||
|  | #track_functions = none			# none, pl, all | ||||||
|  | #track_activity_query_size = 1024	# (change requires restart) | ||||||
|  | #stats_temp_directory = 'pg_stat_tmp' | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | # - Monitoring - | ||||||
|  | 
 | ||||||
|  | #log_parser_stats = off | ||||||
|  | #log_planner_stats = off | ||||||
|  | #log_executor_stats = off | ||||||
|  | #log_statement_stats = off | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | # AUTOVACUUM | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | 
 | ||||||
|  | #autovacuum = on			# Enable autovacuum subprocess?  'on' | ||||||
|  | 					# requires track_counts to also be on. | ||||||
|  | #log_autovacuum_min_duration = -1	# -1 disables, 0 logs all actions and | ||||||
|  | 					# their durations, > 0 logs only | ||||||
|  | 					# actions running at least this number | ||||||
|  | 					# of milliseconds. | ||||||
|  | #autovacuum_max_workers = 3		# max number of autovacuum subprocesses | ||||||
|  | 					# (change requires restart) | ||||||
|  | #autovacuum_naptime = 1min		# time between autovacuum runs | ||||||
|  | #autovacuum_vacuum_threshold = 50	# min number of row updates before | ||||||
|  | 					# vacuum | ||||||
|  | #autovacuum_analyze_threshold = 50	# min number of row updates before | ||||||
|  | 					# analyze | ||||||
|  | #autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum | ||||||
|  | #autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze | ||||||
|  | #autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum | ||||||
|  | 					# (change requires restart) | ||||||
|  | #autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age | ||||||
|  | 					# before forced vacuum | ||||||
|  | 					# (change requires restart) | ||||||
|  | #autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for | ||||||
|  | 					# autovacuum, in milliseconds; | ||||||
|  | 					# -1 means use vacuum_cost_delay | ||||||
|  | #autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for | ||||||
|  | 					# autovacuum, -1 means use | ||||||
|  | 					# vacuum_cost_limit | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | # CLIENT CONNECTION DEFAULTS | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | 
 | ||||||
|  | # - Statement Behavior - | ||||||
|  | 
 | ||||||
|  | #client_min_messages = notice		# values in order of decreasing detail: | ||||||
|  | 					#   debug5 | ||||||
|  | 					#   debug4 | ||||||
|  | 					#   debug3 | ||||||
|  | 					#   debug2 | ||||||
|  | 					#   debug1 | ||||||
|  | 					#   log | ||||||
|  | 					#   notice | ||||||
|  | 					#   warning | ||||||
|  | 					#   error | ||||||
|  | #search_path = '"$user", public'	# schema names | ||||||
|  | #row_security = on | ||||||
|  | #default_tablespace = ''		# a tablespace name, '' uses the default | ||||||
|  | #temp_tablespaces = ''			# a list of tablespace names, '' uses | ||||||
|  | 					# only default tablespace | ||||||
|  | #default_table_access_method = 'heap' | ||||||
|  | #check_function_bodies = on | ||||||
|  | #default_transaction_isolation = 'read committed' | ||||||
|  | #default_transaction_read_only = off | ||||||
|  | #default_transaction_deferrable = off | ||||||
|  | #session_replication_role = 'origin' | ||||||
|  | #statement_timeout = 0			# in milliseconds, 0 is disabled | ||||||
|  | #lock_timeout = 0			# in milliseconds, 0 is disabled | ||||||
|  | #idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled | ||||||
|  | #vacuum_freeze_min_age = 50000000 | ||||||
|  | #vacuum_freeze_table_age = 150000000 | ||||||
|  | #vacuum_multixact_freeze_min_age = 5000000 | ||||||
|  | #vacuum_multixact_freeze_table_age = 150000000 | ||||||
|  | #vacuum_cleanup_index_scale_factor = 0.1	# fraction of total number of tuples | ||||||
|  | 						# before index cleanup, 0 always performs | ||||||
|  | 						# index cleanup | ||||||
|  | #bytea_output = 'hex'			# hex, escape | ||||||
|  | #xmlbinary = 'base64' | ||||||
|  | #xmloption = 'content' | ||||||
|  | #gin_fuzzy_search_limit = 0 | ||||||
|  | #gin_pending_list_limit = 4MB | ||||||
|  | 
 | ||||||
|  | # - Locale and Formatting - | ||||||
|  | 
 | ||||||
|  | #datestyle = 'iso, mdy' | ||||||
|  | #intervalstyle = 'postgres' | ||||||
|  | #timezone = 'GMT' | ||||||
|  | #timezone_abbreviations = 'Default'     # Select the set of available time zone | ||||||
|  | 					# abbreviations.  Currently, there are | ||||||
|  | 					#   Default | ||||||
|  | 					#   Australia (historical usage) | ||||||
|  | 					#   India | ||||||
|  | 					# You can create your own file in | ||||||
|  | 					# share/timezonesets/. | ||||||
|  | #extra_float_digits = 1			# min -15, max 3; any value >0 actually | ||||||
|  | 					# selects precise output mode | ||||||
|  | #client_encoding = sql_ascii		# actually, defaults to database | ||||||
|  | 					# encoding | ||||||
|  | 
 | ||||||
|  | # These settings are initialized by initdb, but they can be changed. | ||||||
|  | #lc_messages = 'C'			# locale for system error message | ||||||
|  | 					# strings | ||||||
|  | #lc_monetary = 'C'			# locale for monetary formatting | ||||||
|  | #lc_numeric = 'C'			# locale for number formatting | ||||||
|  | #lc_time = 'C'				# locale for time formatting | ||||||
|  | 
 | ||||||
|  | # default configuration for text search | ||||||
|  | #default_text_search_config = 'pg_catalog.simple' | ||||||
|  | 
 | ||||||
|  | # - Shared Library Preloading - | ||||||
|  | 
 | ||||||
|  | #shared_preload_libraries = ''	# (change requires restart) | ||||||
|  | #local_preload_libraries = '' | ||||||
|  | #session_preload_libraries = '' | ||||||
|  | #jit_provider = 'llvmjit'		# JIT library to use | ||||||
|  | 
 | ||||||
|  | # - Other Defaults - | ||||||
|  | 
 | ||||||
|  | #dynamic_library_path = '$libdir' | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | # LOCK MANAGEMENT | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | 
 | ||||||
|  | #deadlock_timeout = 1s | ||||||
|  | #max_locks_per_transaction = 64		# min 10 | ||||||
|  | 					# (change requires restart) | ||||||
|  | #max_pred_locks_per_transaction = 64	# min 10 | ||||||
|  | 					# (change requires restart) | ||||||
|  | #max_pred_locks_per_relation = -2	# negative values mean | ||||||
|  | 					# (max_pred_locks_per_transaction | ||||||
|  | 					#  / -max_pred_locks_per_relation) - 1 | ||||||
|  | #max_pred_locks_per_page = 2            # min 0 | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | # VERSION AND PLATFORM COMPATIBILITY | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | 
 | ||||||
|  | # - Previous PostgreSQL Versions - | ||||||
|  | 
 | ||||||
|  | #array_nulls = on | ||||||
|  | #backslash_quote = safe_encoding	# on, off, or safe_encoding | ||||||
|  | #escape_string_warning = on | ||||||
|  | #lo_compat_privileges = off | ||||||
|  | #operator_precedence_warning = off | ||||||
|  | #quote_all_identifiers = off | ||||||
|  | #standard_conforming_strings = on | ||||||
|  | #synchronize_seqscans = on | ||||||
|  | 
 | ||||||
|  | # - Other Platforms and Clients - | ||||||
|  | 
 | ||||||
|  | #transform_null_equals = off | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | # ERROR HANDLING | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | 
 | ||||||
|  | #exit_on_error = off			# terminate session on any error? | ||||||
|  | #restart_after_crash = on		# reinitialize after backend crash? | ||||||
|  | #data_sync_retry = off			# retry or panic on failure to fsync | ||||||
|  | 					# data? | ||||||
|  | 					# (change requires restart) | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | # CONFIG FILE INCLUDES | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | 
 | ||||||
|  | # These options allow settings to be loaded from files other than the | ||||||
|  | # default postgresql.conf.  Note that these are directives, not variable | ||||||
|  | # assignments, so they can usefully be given more than once. | ||||||
|  | 
 | ||||||
|  | #include_dir = '...'			# include files ending in '.conf' from | ||||||
|  | 					# a directory, e.g., 'conf.d' | ||||||
|  | #include_if_exists = '...'		# include file only if it exists | ||||||
|  | #include = '...'			# include file | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | # CUSTOMIZED OPTIONS | ||||||
|  | #------------------------------------------------------------------------------ | ||||||
|  | 
 | ||||||
|  | # Add settings for extensions here | ||||||
							
								
								
									
										44
									
								
								molecule/quarkus_ha_remote/prepare.yml
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										44
									
								
								molecule/quarkus_ha_remote/prepare.yml
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,44 @@ | ||||||
|  | --- | ||||||
|  | - name: Prepare | ||||||
|  |   hosts: 'keycloak:infinispan' | ||||||
|  |   tasks: | ||||||
|  |     - name: "Display hera_home if defined." | ||||||
|  |       ansible.builtin.set_fact: | ||||||
|  |         hera_home: "{{ lookup('env', 'HERA_HOME') }}" | ||||||
|  | 
 | ||||||
|  |     - name: "Ensure common prepare phase are set." | ||||||
|  |       ansible.builtin.include_tasks: ../prepare.yml | ||||||
|  | 
 | ||||||
|  |     - name: Create certificate request | ||||||
|  |       ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'" | ||||||
|  |       delegate_to: localhost | ||||||
|  |       changed_when: False | ||||||
|  | 
 | ||||||
|  |     - name: Create vault directory | ||||||
|  |       become: true | ||||||
|  |       ansible.builtin.file: | ||||||
|  |         state: directory | ||||||
|  |         path: "/opt/keycloak/vault" | ||||||
|  |         mode: 0755 | ||||||
|  | 
 | ||||||
|  |     - name: Make sure a jre is available (for keytool to prepare keystore) | ||||||
|  |       delegate_to: localhost | ||||||
|  |       ansible.builtin.package: | ||||||
|  |         name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}" | ||||||
|  |         state: present | ||||||
|  |       become: true | ||||||
|  |       failed_when: false | ||||||
|  | 
 | ||||||
|  |     - name: Create vault keystore | ||||||
|  |       ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword | ||||||
|  |       delegate_to: localhost | ||||||
|  |       register: keytool_cmd | ||||||
|  |       changed_when: False | ||||||
|  |       failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0 | ||||||
|  | 
 | ||||||
|  |     - name: Copy certificates and vault | ||||||
|  |       become: true | ||||||
|  |       ansible.builtin.copy: | ||||||
|  |         src: keystore.p12 | ||||||
|  |         dest: /opt/keycloak/vault/keystore.p12 | ||||||
|  |         mode: 0444 | ||||||
							
								
								
									
										1
									
								
								molecule/quarkus_ha_remote/roles
									
										
									
									
									
										Symbolic link
									
								
							
							
						
						
									
										1
									
								
								molecule/quarkus_ha_remote/roles
									
										
									
									
									
										Symbolic link
									
								
							|  | @ -0,0 +1 @@ | ||||||
|  | ../../roles | ||||||
							
								
								
									
										29
									
								
								molecule/quarkus_ha_remote/verify.yml
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										29
									
								
								molecule/quarkus_ha_remote/verify.yml
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,29 @@ | ||||||
|  | --- | ||||||
|  | - name: Verify | ||||||
|  |   hosts: keycloak | ||||||
|  |   tasks: | ||||||
|  |     - name: Populate service facts | ||||||
|  |       ansible.builtin.service_facts: | ||||||
|  | 
 | ||||||
|  |     - name: Check if keycloak service started | ||||||
|  |       ansible.builtin.assert: | ||||||
|  |         that: | ||||||
|  |           - ansible_facts.services["keycloak.service"]["state"] == "running" | ||||||
|  |           - ansible_facts.services["keycloak.service"]["status"] == "enabled" | ||||||
|  |         fail_msg: "Service not running" | ||||||
|  | 
 | ||||||
|  |     - name: Set internal envvar | ||||||
|  |       ansible.builtin.set_fact: | ||||||
|  |         hera_home: "{{ lookup('env', 'HERA_HOME') }}" | ||||||
|  | 
 | ||||||
|  |     - name: Check log file | ||||||
|  |       become: true | ||||||
|  |       ansible.builtin.stat: | ||||||
|  |         path: /var/log/keycloak/keycloak.log | ||||||
|  |       register: keycloak_log_file | ||||||
|  | 
 | ||||||
|  |     - name: Check if keycloak file exists | ||||||
|  |       ansible.builtin.assert: | ||||||
|  |         that: | ||||||
|  |           - keycloak_log_file.stat.exists | ||||||
|  |           - not keycloak_log_file.stat.isdir | ||||||
|  | @ -5,6 +5,9 @@ | ||||||
|     - vars.yml |     - vars.yml | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_show_deprecation_warnings: false |     keycloak_quarkus_show_deprecation_warnings: false | ||||||
|     keycloak_quarkus_version: 24.0.3 |     keycloak_quarkus_additional_env_vars: | ||||||
|  |       - key: KC_FEATURES_DISABLED | ||||||
|  |         value: ciba,device-flow,impersonation,kerberos,docker | ||||||
|  |     keycloak_quarkus_version: 26.0.7 | ||||||
|   roles: |   roles: | ||||||
|     - role: keycloak_quarkus |     - role: keycloak_quarkus | ||||||
|  |  | ||||||
|  | @ -4,7 +4,7 @@ dependency: | ||||||
|   options: |   options: | ||||||
|     requirements-file: molecule/requirements.yml |     requirements-file: molecule/requirements.yml | ||||||
| driver: | driver: | ||||||
|   name: docker |   name: podman | ||||||
| platforms: | platforms: | ||||||
|   - name: instance |   - name: instance | ||||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest |     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||||
|  | @ -13,8 +13,10 @@ platforms: | ||||||
|     privileged: true |     privileged: true | ||||||
|     port_bindings: |     port_bindings: | ||||||
|       - 8080:8080 |       - 8080:8080 | ||||||
|  |       - "9000/tcp" | ||||||
|     published_ports: |     published_ports: | ||||||
|       - 0.0.0.0:8080:8080/TCP |       - 0.0.0.0:8080:8080/TCP | ||||||
|  |       - 0.0.0.0:9000:9000/TCP | ||||||
| provisioner: | provisioner: | ||||||
|   name: ansible |   name: ansible | ||||||
|   playbooks: |   playbooks: | ||||||
|  | @ -25,6 +27,10 @@ provisioner: | ||||||
|     host_vars: |     host_vars: | ||||||
|       localhost: |       localhost: | ||||||
|         ansible_python_interpreter: "{{ ansible_playbook_python }}" |         ansible_python_interpreter: "{{ ansible_playbook_python }}" | ||||||
|  |   env: | ||||||
|  |     ANSIBLE_FORCE_COLOR: "true" | ||||||
|  |     PROXY: "${PROXY}" | ||||||
|  |     NO_PROXY: "${NO_PROXY}" | ||||||
| verifier: | verifier: | ||||||
|   name: ansible |   name: ansible | ||||||
| scenario: | scenario: | ||||||
|  |  | ||||||
|  | @ -5,7 +5,10 @@ | ||||||
|     - vars.yml |     - vars.yml | ||||||
|   vars: |   vars: | ||||||
|     sudo_pkg_name: sudo |     sudo_pkg_name: sudo | ||||||
|     keycloak_quarkus_version: 23.0.7 |     keycloak_quarkus_version: 26.0.4 | ||||||
|  |     keycloak_quarkus_additional_env_vars: | ||||||
|  |       - key: KC_FEATURES_DISABLED | ||||||
|  |         value: impersonation,kerberos | ||||||
|   pre_tasks: |   pre_tasks: | ||||||
|     - name: Install sudo |     - name: Install sudo | ||||||
|       ansible.builtin.apt: |       ansible.builtin.apt: | ||||||
|  | @ -44,6 +47,7 @@ | ||||||
|       changed_when: false |       changed_when: false | ||||||
|   roles: |   roles: | ||||||
|     - role: keycloak_quarkus |     - role: keycloak_quarkus | ||||||
|  | 
 | ||||||
|   post_tasks: |   post_tasks: | ||||||
|     - name: "Delete custom fact" |     - name: "Delete custom fact" | ||||||
|       ansible.builtin.file: |       ansible.builtin.file: | ||||||
|  |  | ||||||
|  | @ -1,9 +1,8 @@ | ||||||
| --- | --- | ||||||
| keycloak_quarkus_offline_install: false | keycloak_quarkus_offline_install: false | ||||||
| keycloak_quarkus_admin_password: "remembertochangeme" | keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||||
| keycloak_quarkus_admin_pass: "remembertochangeme" |  | ||||||
| keycloak_quarkus_realm: TestRealm | keycloak_quarkus_realm: TestRealm | ||||||
| keycloak_quarkus_host: instance | keycloak_quarkus_hostname: http://instance:8080 | ||||||
| keycloak_quarkus_log: file | keycloak_quarkus_log: file | ||||||
| keycloak_quarkus_https_key_file_enabled: true | keycloak_quarkus_https_key_file_enabled: true | ||||||
| keycloak_quarkus_log_target: /tmp/keycloak | keycloak_quarkus_log_target: /tmp/keycloak | ||||||
|  |  | ||||||
|  | @ -2,7 +2,7 @@ | ||||||
| - name: Verify | - name: Verify | ||||||
|   hosts: instance |   hosts: instance | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_admin_password: "remembertochangeme" |     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||||
|     keycloak_quarkus_port: http://localhost:8080 |     keycloak_quarkus_port: http://localhost:8080 | ||||||
|   tasks: |   tasks: | ||||||
|     - name: Populate service facts |     - name: Populate service facts | ||||||
|  | @ -17,14 +17,14 @@ | ||||||
|     - name: Verify we are running on requested jvm |     - name: Verify we are running on requested jvm | ||||||
|       ansible.builtin.shell: | |       ansible.builtin.shell: | | ||||||
|         set -eo pipefail |         set -eo pipefail | ||||||
|         ps -ef | grep 'etc/alternatives/.*17' | grep -v grep |         ps -ef | grep 'etc/alternatives/.*21' | grep -v grep | ||||||
|       changed_when: false |       changed_when: false | ||||||
| 
 | 
 | ||||||
|     - name: Verify token api call |     - name: Verify token api call | ||||||
|       ansible.builtin.uri: |       ansible.builtin.uri: | ||||||
|         url: "{{ keycloak_quarkus_port }}/realms/master/protocol/openid-connect/token" |         url: "{{ keycloak_quarkus_port }}/realms/master/protocol/openid-connect/token" | ||||||
|         method: POST |         method: POST | ||||||
|         body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_admin_password }}&grant_type=password" |         body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_bootstrap_admin_password }}&grant_type=password" | ||||||
|         validate_certs: no |         validate_certs: no | ||||||
|       register: keycloak_auth_response |       register: keycloak_auth_response | ||||||
|       until: keycloak_auth_response.status == 200 |       until: keycloak_auth_response.status == 200 | ||||||
|  |  | ||||||
|  | @ -2,6 +2,7 @@ | ||||||
| collections: | collections: | ||||||
|   - name: middleware_automation.common |   - name: middleware_automation.common | ||||||
|   - name: middleware_automation.jbcs |   - name: middleware_automation.jbcs | ||||||
|  |   - name: middleware_automation.infinispan | ||||||
|   - name: community.general |   - name: community.general | ||||||
|   - name: ansible.posix |   - name: ansible.posix | ||||||
|   - name: community.docker |   - name: community.docker | ||||||
|  |  | ||||||
|  | @ -2,8 +2,8 @@ | ||||||
| - name: Playbook for Keycloak X Hosts with HTTPS enabled | - name: Playbook for Keycloak X Hosts with HTTPS enabled | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_admin_pass: "remembertochangeme" |     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||||
|     keycloak_quarkus_host: localhost |     keycloak_quarkus_hostname: http://localhost | ||||||
|     keycloak_quarkus_port: 8443 |     keycloak_quarkus_port: 8443 | ||||||
|     keycloak_quarkus_log: file |     keycloak_quarkus_log: file | ||||||
|     keycloak_quarkus_proxy_mode: none |     keycloak_quarkus_proxy_mode: none | ||||||
|  |  | ||||||
|  | @ -2,8 +2,8 @@ | ||||||
| - name: Playbook for Keycloak X Hosts in develop mode | - name: Playbook for Keycloak X Hosts in develop mode | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_admin_password: "remembertochangeme" |     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||||
|     keycloak_quarkus_host: localhost |     keycloak_quarkus_hostname: http://localhost | ||||||
|     keycloak_quarkus_port: 8080 |     keycloak_quarkus_port: 8080 | ||||||
|     keycloak_quarkus_log: file |     keycloak_quarkus_log: file | ||||||
|     keycloak_quarkus_start_dev: true |     keycloak_quarkus_start_dev: true | ||||||
|  |  | ||||||
										
											
												File diff suppressed because it is too large
												Load diff
											
										
									
								
							|  | @ -40,8 +40,8 @@ options: | ||||||
|     state: |     state: | ||||||
|         description: |         description: | ||||||
|             - State of the client |             - State of the client | ||||||
|             - On C(present), the client will be created (or updated if it exists already). |             - On V(present), the client will be created (or updated if it exists already). | ||||||
|             - On C(absent), the client will be removed if it exists |             - On V(absent), the client will be removed if it exists | ||||||
|         choices: ['present', 'absent'] |         choices: ['present', 'absent'] | ||||||
|         default: 'present' |         default: 'present' | ||||||
|         type: str |         type: str | ||||||
|  | @ -55,7 +55,7 @@ options: | ||||||
|     client_id: |     client_id: | ||||||
|         description: |         description: | ||||||
|             - Client id of client to be worked on. This is usually an alphanumeric name chosen by |             - Client id of client to be worked on. This is usually an alphanumeric name chosen by | ||||||
|               you. Either this or I(id) is required. If you specify both, I(id) takes precedence. |               you. Either this or O(id) is required. If you specify both, O(id) takes precedence. | ||||||
|               This is 'clientId' in the Keycloak REST API. |               This is 'clientId' in the Keycloak REST API. | ||||||
|         aliases: |         aliases: | ||||||
|             - clientId |             - clientId | ||||||
|  | @ -63,13 +63,13 @@ options: | ||||||
| 
 | 
 | ||||||
|     id: |     id: | ||||||
|         description: |         description: | ||||||
|             - Id of client to be worked on. This is usually an UUID. Either this or I(client_id) |             - Id of client to be worked on. This is usually an UUID. Either this or O(client_id) | ||||||
|               is required. If you specify both, this takes precedence. |               is required. If you specify both, this takes precedence. | ||||||
|         type: str |         type: str | ||||||
| 
 | 
 | ||||||
|     name: |     name: | ||||||
|         description: |         description: | ||||||
|             - Name of the client (this is not the same as I(client_id)). |             - Name of the client (this is not the same as O(client_id)). | ||||||
|         type: str |         type: str | ||||||
| 
 | 
 | ||||||
|     description: |     description: | ||||||
|  | @ -108,20 +108,21 @@ options: | ||||||
| 
 | 
 | ||||||
|     client_authenticator_type: |     client_authenticator_type: | ||||||
|         description: |         description: | ||||||
|             - How do clients authenticate with the auth server? Either C(client-secret) or |             - How do clients authenticate with the auth server? Either V(client-secret), | ||||||
|               C(client-jwt) can be chosen. When using C(client-secret), the module parameter |               V(client-jwt), or V(client-x509) can be chosen. When using V(client-secret), the module parameter | ||||||
|               I(secret) can set it, while for C(client-jwt), you can use the keys C(use.jwks.url), |               O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url), | ||||||
|               C(jwks.url), and C(jwt.credential.certificate) in the I(attributes) module parameter |               C(jwks.url), and C(jwt.credential.certificate) in the O(attributes) module parameter | ||||||
|               to configure its behavior. |               to configure its behavior. For V(client-x509) you can use the keys C(x509.allow.regex.pattern.comparison) | ||||||
|               This is 'clientAuthenticatorType' in the Keycloak REST API. |               and C(x509.subjectdn) in the O(attributes) module parameter to configure which certificate(s) to accept. | ||||||
|         choices: ['client-secret', 'client-jwt'] |             - This is 'clientAuthenticatorType' in the Keycloak REST API. | ||||||
|  |         choices: ['client-secret', 'client-jwt', 'client-x509'] | ||||||
|         aliases: |         aliases: | ||||||
|             - clientAuthenticatorType |             - clientAuthenticatorType | ||||||
|         type: str |         type: str | ||||||
| 
 | 
 | ||||||
|     secret: |     secret: | ||||||
|         description: |         description: | ||||||
|             - When using I(client_authenticator_type) C(client-secret) (the default), you can |             - When using O(client_authenticator_type=client-secret) (the default), you can | ||||||
|               specify a secret here (otherwise one will be generated if it does not exit). If |               specify a secret here (otherwise one will be generated if it does not exit). If | ||||||
|               changing this secret, the module will not register a change currently (but the |               changing this secret, the module will not register a change currently (but the | ||||||
|               changed secret will be saved). |               changed secret will be saved). | ||||||
|  | @ -246,9 +247,11 @@ options: | ||||||
| 
 | 
 | ||||||
|     protocol: |     protocol: | ||||||
|         description: |         description: | ||||||
|             - Type of client (either C(openid-connect) or C(saml). |             - Type of client. | ||||||
|  |             - At creation only, default value will be V(openid-connect) if O(protocol) is omitted. | ||||||
|  |             - The V(docker-v2) value was added in community.general 8.6.0. | ||||||
|         type: str |         type: str | ||||||
|         choices: ['openid-connect', 'saml'] |         choices: ['openid-connect', 'saml', 'docker-v2'] | ||||||
| 
 | 
 | ||||||
|     full_scope_allowed: |     full_scope_allowed: | ||||||
|         description: |         description: | ||||||
|  | @ -286,7 +289,7 @@ options: | ||||||
| 
 | 
 | ||||||
|     use_template_config: |     use_template_config: | ||||||
|         description: |         description: | ||||||
|             - Whether or not to use configuration from the I(client_template). |             - Whether or not to use configuration from the O(client_template). | ||||||
|               This is 'useTemplateConfig' in the Keycloak REST API. |               This is 'useTemplateConfig' in the Keycloak REST API. | ||||||
|         aliases: |         aliases: | ||||||
|             - useTemplateConfig |             - useTemplateConfig | ||||||
|  | @ -294,7 +297,7 @@ options: | ||||||
| 
 | 
 | ||||||
|     use_template_scope: |     use_template_scope: | ||||||
|         description: |         description: | ||||||
|             - Whether or not to use scope configuration from the I(client_template). |             - Whether or not to use scope configuration from the O(client_template). | ||||||
|               This is 'useTemplateScope' in the Keycloak REST API. |               This is 'useTemplateScope' in the Keycloak REST API. | ||||||
|         aliases: |         aliases: | ||||||
|             - useTemplateScope |             - useTemplateScope | ||||||
|  | @ -302,7 +305,7 @@ options: | ||||||
| 
 | 
 | ||||||
|     use_template_mappers: |     use_template_mappers: | ||||||
|         description: |         description: | ||||||
|             - Whether or not to use mapper configuration from the I(client_template). |             - Whether or not to use mapper configuration from the O(client_template). | ||||||
|               This is 'useTemplateMappers' in the Keycloak REST API. |               This is 'useTemplateMappers' in the Keycloak REST API. | ||||||
|         aliases: |         aliases: | ||||||
|             - useTemplateMappers |             - useTemplateMappers | ||||||
|  | @ -338,6 +341,42 @@ options: | ||||||
|         description: |         description: | ||||||
|             - Override realm authentication flow bindings. |             - Override realm authentication flow bindings. | ||||||
|         type: dict |         type: dict | ||||||
|  |         suboptions: | ||||||
|  |             browser: | ||||||
|  |                 description: | ||||||
|  |                     - Flow ID of the browser authentication flow. | ||||||
|  |                     - O(authentication_flow_binding_overrides.browser) | ||||||
|  |                       and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive. | ||||||
|  |                 type: str | ||||||
|  | 
 | ||||||
|  |             browser_name: | ||||||
|  |                 description: | ||||||
|  |                     - Flow name of the browser authentication flow. | ||||||
|  |                     - O(authentication_flow_binding_overrides.browser) | ||||||
|  |                       and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive. | ||||||
|  |                 aliases: | ||||||
|  |                     - browserName | ||||||
|  |                 type: str | ||||||
|  |                 version_added: 9.1.0 | ||||||
|  | 
 | ||||||
|  |             direct_grant: | ||||||
|  |                 description: | ||||||
|  |                     - Flow ID of the direct grant authentication flow. | ||||||
|  |                     - O(authentication_flow_binding_overrides.direct_grant) | ||||||
|  |                       and O(authentication_flow_binding_overrides.direct_grant_name) are mutually exclusive. | ||||||
|  |                 aliases: | ||||||
|  |                     - directGrant | ||||||
|  |                 type: str | ||||||
|  | 
 | ||||||
|  |             direct_grant_name: | ||||||
|  |                 description: | ||||||
|  |                     - Flow name of the direct grant authentication flow. | ||||||
|  |                     - O(authentication_flow_binding_overrides.direct_grant) | ||||||
|  |                       and O(authentication_flow_binding_overrides.direct_grant_name) are mutually exclusive. | ||||||
|  |                 aliases: | ||||||
|  |                     - directGrantName | ||||||
|  |                 type: str | ||||||
|  |                 version_added: 9.1.0 | ||||||
|         aliases: |         aliases: | ||||||
|             - authenticationFlowBindingOverrides |             - authenticationFlowBindingOverrides | ||||||
|         version_added: 3.4.0 |         version_added: 3.4.0 | ||||||
|  | @ -391,38 +430,37 @@ options: | ||||||
| 
 | 
 | ||||||
|             protocol: |             protocol: | ||||||
|                 description: |                 description: | ||||||
|                     - This is either C(openid-connect) or C(saml), this specifies for which protocol this protocol mapper. |                     - This specifies for which protocol this protocol mapper is active. | ||||||
|                       is active. |                 choices: ['openid-connect', 'saml', 'docker-v2'] | ||||||
|                 choices: ['openid-connect', 'saml'] |  | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|             protocolMapper: |             protocolMapper: | ||||||
|                 description: |                 description: | ||||||
|                     - The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is |                     - "The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is | ||||||
|                       impossible to provide since this may be extended through SPIs by the user of Keycloak, |                       impossible to provide since this may be extended through SPIs by the user of Keycloak, | ||||||
|                       by default Keycloak as of 3.4 ships with at least |                       by default Keycloak as of 3.4 ships with at least:" | ||||||
|                     - C(docker-v2-allow-all-mapper) |                     - V(docker-v2-allow-all-mapper) | ||||||
|                     - C(oidc-address-mapper) |                     - V(oidc-address-mapper) | ||||||
|                     - C(oidc-full-name-mapper) |                     - V(oidc-full-name-mapper) | ||||||
|                     - C(oidc-group-membership-mapper) |                     - V(oidc-group-membership-mapper) | ||||||
|                     - C(oidc-hardcoded-claim-mapper) |                     - V(oidc-hardcoded-claim-mapper) | ||||||
|                     - C(oidc-hardcoded-role-mapper) |                     - V(oidc-hardcoded-role-mapper) | ||||||
|                     - C(oidc-role-name-mapper) |                     - V(oidc-role-name-mapper) | ||||||
|                     - C(oidc-script-based-protocol-mapper) |                     - V(oidc-script-based-protocol-mapper) | ||||||
|                     - C(oidc-sha256-pairwise-sub-mapper) |                     - V(oidc-sha256-pairwise-sub-mapper) | ||||||
|                     - C(oidc-usermodel-attribute-mapper) |                     - V(oidc-usermodel-attribute-mapper) | ||||||
|                     - C(oidc-usermodel-client-role-mapper) |                     - V(oidc-usermodel-client-role-mapper) | ||||||
|                     - C(oidc-usermodel-property-mapper) |                     - V(oidc-usermodel-property-mapper) | ||||||
|                     - C(oidc-usermodel-realm-role-mapper) |                     - V(oidc-usermodel-realm-role-mapper) | ||||||
|                     - C(oidc-usersessionmodel-note-mapper) |                     - V(oidc-usersessionmodel-note-mapper) | ||||||
|                     - C(saml-group-membership-mapper) |                     - V(saml-group-membership-mapper) | ||||||
|                     - C(saml-hardcode-attribute-mapper) |                     - V(saml-hardcode-attribute-mapper) | ||||||
|                     - C(saml-hardcode-role-mapper) |                     - V(saml-hardcode-role-mapper) | ||||||
|                     - C(saml-role-list-mapper) |                     - V(saml-role-list-mapper) | ||||||
|                     - C(saml-role-name-mapper) |                     - V(saml-role-name-mapper) | ||||||
|                     - C(saml-user-attribute-mapper) |                     - V(saml-user-attribute-mapper) | ||||||
|                     - C(saml-user-property-mapper) |                     - V(saml-user-property-mapper) | ||||||
|                     - C(saml-user-session-note-mapper) |                     - V(saml-user-session-note-mapper) | ||||||
|                     - An exhaustive list of available mappers on your installation can be obtained on |                     - An exhaustive list of available mappers on your installation can be obtained on | ||||||
|                       the admin console by going to Server Info -> Providers and looking under |                       the admin console by going to Server Info -> Providers and looking under | ||||||
|                       'protocol-mapper'. |                       'protocol-mapper'. | ||||||
|  | @ -431,10 +469,10 @@ options: | ||||||
|             config: |             config: | ||||||
|                 description: |                 description: | ||||||
|                     - Dict specifying the configuration options for the protocol mapper; the |                     - Dict specifying the configuration options for the protocol mapper; the | ||||||
|                       contents differ depending on the value of I(protocolMapper) and are not documented |                       contents differ depending on the value of O(protocol_mappers[].protocolMapper) and are not documented | ||||||
|                       other than by the source of the mappers and its parent class(es). An example is given |                       other than by the source of the mappers and its parent class(es). An example is given | ||||||
|                       below. It is easiest to obtain valid config values by dumping an already-existing |                       below. It is easiest to obtain valid config values by dumping an already-existing | ||||||
|                       protocol mapper configuration through check-mode in the I(existing) field. |                       protocol mapper configuration through check-mode in the RV(existing) field. | ||||||
|                 type: dict |                 type: dict | ||||||
| 
 | 
 | ||||||
|     attributes: |     attributes: | ||||||
|  | @ -478,7 +516,7 @@ options: | ||||||
| 
 | 
 | ||||||
|             saml.signature.algorithm: |             saml.signature.algorithm: | ||||||
|                 description: |                 description: | ||||||
|                     - Signature algorithm used to sign SAML documents. One of C(RSA_SHA256), C(RSA_SHA1), C(RSA_SHA512), or C(DSA_SHA1). |                     - Signature algorithm used to sign SAML documents. One of V(RSA_SHA256), V(RSA_SHA1), V(RSA_SHA512), or V(DSA_SHA1). | ||||||
| 
 | 
 | ||||||
|             saml.signing.certificate: |             saml.signing.certificate: | ||||||
|                 description: |                 description: | ||||||
|  | @ -496,22 +534,21 @@ options: | ||||||
|                 description: |                 description: | ||||||
|                     - SAML Redirect Binding URL for the client's assertion consumer service (login responses). |                     - SAML Redirect Binding URL for the client's assertion consumer service (login responses). | ||||||
| 
 | 
 | ||||||
| 
 |  | ||||||
|             saml_force_name_id_format: |             saml_force_name_id_format: | ||||||
|                 description: |                 description: | ||||||
|                     - For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured one instead. |                     - For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured one instead. | ||||||
| 
 | 
 | ||||||
|             saml_name_id_format: |             saml_name_id_format: | ||||||
|                 description: |                 description: | ||||||
|                     - For SAML clients, the NameID format to use (one of C(username), C(email), C(transient), or C(persistent)) |                     - For SAML clients, the NameID format to use (one of V(username), V(email), V(transient), or V(persistent)) | ||||||
| 
 | 
 | ||||||
|             saml_signature_canonicalization_method: |             saml_signature_canonicalization_method: | ||||||
|                 description: |                 description: | ||||||
|                     - SAML signature canonicalization method. This is one of four values, namely |                     - SAML signature canonicalization method. This is one of four values, namely | ||||||
|                       C(http://www.w3.org/2001/10/xml-exc-c14n#) for EXCLUSIVE, |                       V(http://www.w3.org/2001/10/xml-exc-c14n#) for EXCLUSIVE, | ||||||
|                       C(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS, |                       V(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS, | ||||||
|                       C(http://www.w3.org/TR/2001/REC-xml-c14n-20010315) for INCLUSIVE, and |                       V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315) for INCLUSIVE, and | ||||||
|                       C(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS. |                       V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS. | ||||||
| 
 | 
 | ||||||
|             saml_single_logout_service_url_post: |             saml_single_logout_service_url_post: | ||||||
|                 description: |                 description: | ||||||
|  | @ -523,12 +560,12 @@ options: | ||||||
| 
 | 
 | ||||||
|             user.info.response.signature.alg: |             user.info.response.signature.alg: | ||||||
|                 description: |                 description: | ||||||
|                     - For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of C(RS256) or C(unsigned). |                     - For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of V(RS256) or V(unsigned). | ||||||
| 
 | 
 | ||||||
|             request.object.signature.alg: |             request.object.signature.alg: | ||||||
|                 description: |                 description: | ||||||
|                     - For OpenID-Connect clients, JWA algorithm which the client needs to use when sending |                     - For OpenID-Connect clients, JWA algorithm which the client needs to use when sending | ||||||
|                       OIDC request object. One of C(any), C(none), C(RS256). |                       OIDC request object. One of V(any), V(none), V(RS256). | ||||||
| 
 | 
 | ||||||
|             use.jwks.url: |             use.jwks.url: | ||||||
|                 description: |                 description: | ||||||
|  | @ -544,6 +581,18 @@ options: | ||||||
|                     - For OpenID-Connect clients, client certificate for validating JWT issued by |                     - For OpenID-Connect clients, client certificate for validating JWT issued by | ||||||
|                       client and signed by its key, base64-encoded. |                       client and signed by its key, base64-encoded. | ||||||
| 
 | 
 | ||||||
|  |             x509.subjectdn: | ||||||
|  |                 description: | ||||||
|  |                     - For OpenID-Connect clients, subject which will be used to authenticate the client. | ||||||
|  |                 type: str | ||||||
|  |                 version_added: 9.5.0 | ||||||
|  | 
 | ||||||
|  |             x509.allow.regex.pattern.comparison: | ||||||
|  |                 description: | ||||||
|  |                     - For OpenID-Connect clients, boolean specifying whether to allow C(x509.subjectdn) as regular expression. | ||||||
|  |                 type: bool | ||||||
|  |                 version_added: 9.5.0 | ||||||
|  | 
 | ||||||
| extends_documentation_fragment: | extends_documentation_fragment: | ||||||
|    - middleware_automation.keycloak.keycloak |    - middleware_automation.keycloak.keycloak | ||||||
|    - middleware_automation.keycloak.attributes |    - middleware_automation.keycloak.attributes | ||||||
|  | @ -587,6 +636,22 @@ EXAMPLES = ''' | ||||||
|   delegate_to: localhost |   delegate_to: localhost | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | - name: Create or update a Keycloak client (minimal example), with x509 authentication | ||||||
|  |   middleware_automation.keycloak.keycloak_client: | ||||||
|  |     auth_client_id: admin-cli | ||||||
|  |     auth_keycloak_url: https://auth.example.com/auth | ||||||
|  |     auth_realm: master | ||||||
|  |     auth_username: USERNAME | ||||||
|  |     auth_password: PASSWORD | ||||||
|  |     realm: master | ||||||
|  |     state: present | ||||||
|  |     client_id: test | ||||||
|  |     client_authenticator_type: client-x509 | ||||||
|  |     attributes: | ||||||
|  |       x509.subjectdn: "CN=client" | ||||||
|  |       x509.allow.regex.pattern.comparison: false | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
| - name: Create or update a Keycloak client (with all the bells and whistles) | - name: Create or update a Keycloak client (with all the bells and whistles) | ||||||
|   middleware_automation.keycloak.keycloak_client: |   middleware_automation.keycloak.keycloak_client: | ||||||
|     auth_client_id: admin-cli |     auth_client_id: admin-cli | ||||||
|  | @ -717,11 +782,17 @@ end_state: | ||||||
| ''' | ''' | ||||||
| 
 | 
 | ||||||
| from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ | from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ | ||||||
|     keycloak_argument_spec, get_token, KeycloakError |     keycloak_argument_spec, get_token, KeycloakError, is_struct_included | ||||||
| from ansible.module_utils.basic import AnsibleModule | from ansible.module_utils.basic import AnsibleModule | ||||||
| import copy | import copy | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | PROTOCOL_OPENID_CONNECT = 'openid-connect' | ||||||
|  | PROTOCOL_SAML = 'saml' | ||||||
|  | PROTOCOL_DOCKER_V2 = 'docker-v2' | ||||||
|  | CLIENT_META_DATA = ['authorizationServicesEnabled'] | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
| def normalise_cr(clientrep, remove_ids=False): | def normalise_cr(clientrep, remove_ids=False): | ||||||
|     """ Re-sorts any properties where the order so that diff's is minimised, and adds default values where appropriate so that the |     """ Re-sorts any properties where the order so that diff's is minimised, and adds default values where appropriate so that the | ||||||
|     the change detection is more effective. |     the change detection is more effective. | ||||||
|  | @ -737,6 +808,12 @@ def normalise_cr(clientrep, remove_ids=False): | ||||||
|     if 'attributes' in clientrep: |     if 'attributes' in clientrep: | ||||||
|         clientrep['attributes'] = list(sorted(clientrep['attributes'])) |         clientrep['attributes'] = list(sorted(clientrep['attributes'])) | ||||||
| 
 | 
 | ||||||
|  |     if 'defaultClientScopes' in clientrep: | ||||||
|  |         clientrep['defaultClientScopes'] = list(sorted(clientrep['defaultClientScopes'])) | ||||||
|  | 
 | ||||||
|  |     if 'optionalClientScopes' in clientrep: | ||||||
|  |         clientrep['optionalClientScopes'] = list(sorted(clientrep['optionalClientScopes'])) | ||||||
|  | 
 | ||||||
|     if 'redirectUris' in clientrep: |     if 'redirectUris' in clientrep: | ||||||
|         clientrep['redirectUris'] = list(sorted(clientrep['redirectUris'])) |         clientrep['redirectUris'] = list(sorted(clientrep['redirectUris'])) | ||||||
| 
 | 
 | ||||||
|  | @ -762,11 +839,70 @@ def sanitize_cr(clientrep): | ||||||
|     if 'secret' in result: |     if 'secret' in result: | ||||||
|         result['secret'] = 'no_log' |         result['secret'] = 'no_log' | ||||||
|     if 'attributes' in result: |     if 'attributes' in result: | ||||||
|         if 'saml.signing.private.key' in result['attributes']: |         attributes = result['attributes'] | ||||||
|             result['attributes']['saml.signing.private.key'] = 'no_log' |         if isinstance(attributes, dict) and 'saml.signing.private.key' in attributes: | ||||||
|  |             attributes['saml.signing.private.key'] = 'no_log' | ||||||
|     return normalise_cr(result) |     return normalise_cr(result) | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | def get_authentication_flow_id(flow_name, realm, kc): | ||||||
|  |     """ Get the authentication flow ID based on the flow name, realm, and Keycloak client. | ||||||
|  | 
 | ||||||
|  |     Args: | ||||||
|  |         flow_name (str): The name of the authentication flow. | ||||||
|  |         realm (str): The name of the realm. | ||||||
|  |         kc (KeycloakClient): The Keycloak client instance. | ||||||
|  | 
 | ||||||
|  |     Returns: | ||||||
|  |         str: The ID of the authentication flow. | ||||||
|  | 
 | ||||||
|  |     Raises: | ||||||
|  |         KeycloakAPIException: If the authentication flow with the given name is not found in the realm. | ||||||
|  |     """ | ||||||
|  |     flow = kc.get_authentication_flow_by_alias(flow_name, realm) | ||||||
|  |     if flow: | ||||||
|  |         return flow["id"] | ||||||
|  |     kc.module.fail_json(msg='Authentification flow %s not found in realm %s' % (flow_name, realm)) | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | def flow_binding_from_dict_to_model(newClientFlowBinding, realm, kc): | ||||||
|  |     """ Convert a dictionary representing client flow bindings to a model representation. | ||||||
|  | 
 | ||||||
|  |     Args: | ||||||
|  |         newClientFlowBinding (dict): A dictionary containing client flow bindings. | ||||||
|  |         realm (str): The name of the realm. | ||||||
|  |         kc (KeycloakClient): An instance of the KeycloakClient class. | ||||||
|  | 
 | ||||||
|  |     Returns: | ||||||
|  |         dict: A dictionary representing the model flow bindings. The dictionary has two keys: | ||||||
|  |             - "browser" (str or None): The ID of the browser authentication flow binding, or None if not provided. | ||||||
|  |             - "direct_grant" (str or None): The ID of the direct grant authentication flow binding, or None if not provided. | ||||||
|  | 
 | ||||||
|  |     Raises: | ||||||
|  |         KeycloakAPIException: If the authentication flow with the given name is not found in the realm. | ||||||
|  | 
 | ||||||
|  |     """ | ||||||
|  | 
 | ||||||
|  |     modelFlow = { | ||||||
|  |         "browser": None, | ||||||
|  |         "direct_grant": None | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     for k, v in newClientFlowBinding.items(): | ||||||
|  |         if not v: | ||||||
|  |             continue | ||||||
|  |         if k == "browser": | ||||||
|  |             modelFlow["browser"] = v | ||||||
|  |         elif k == "browser_name": | ||||||
|  |             modelFlow["browser"] = get_authentication_flow_id(v, realm, kc) | ||||||
|  |         elif k == "direct_grant": | ||||||
|  |             modelFlow["direct_grant"] = v | ||||||
|  |         elif k == "direct_grant_name": | ||||||
|  |             modelFlow["direct_grant"] = get_authentication_flow_id(v, realm, kc) | ||||||
|  | 
 | ||||||
|  |     return modelFlow | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
| def main(): | def main(): | ||||||
|     """ |     """ | ||||||
|     Module execution |     Module execution | ||||||
|  | @ -780,11 +916,18 @@ def main(): | ||||||
|         consentText=dict(type='str'), |         consentText=dict(type='str'), | ||||||
|         id=dict(type='str'), |         id=dict(type='str'), | ||||||
|         name=dict(type='str'), |         name=dict(type='str'), | ||||||
|         protocol=dict(type='str', choices=['openid-connect', 'saml']), |         protocol=dict(type='str', choices=[PROTOCOL_OPENID_CONNECT, PROTOCOL_SAML, PROTOCOL_DOCKER_V2]), | ||||||
|         protocolMapper=dict(type='str'), |         protocolMapper=dict(type='str'), | ||||||
|         config=dict(type='dict'), |         config=dict(type='dict'), | ||||||
|     ) |     ) | ||||||
| 
 | 
 | ||||||
|  |     authentication_flow_spec = dict( | ||||||
|  |         browser=dict(type='str'), | ||||||
|  |         browser_name=dict(type='str', aliases=['browserName']), | ||||||
|  |         direct_grant=dict(type='str', aliases=['directGrant']), | ||||||
|  |         direct_grant_name=dict(type='str', aliases=['directGrantName']), | ||||||
|  |     ) | ||||||
|  | 
 | ||||||
|     meta_args = dict( |     meta_args = dict( | ||||||
|         state=dict(default='present', choices=['present', 'absent']), |         state=dict(default='present', choices=['present', 'absent']), | ||||||
|         realm=dict(type='str', default='master'), |         realm=dict(type='str', default='master'), | ||||||
|  | @ -798,7 +941,7 @@ def main(): | ||||||
|         base_url=dict(type='str', aliases=['baseUrl']), |         base_url=dict(type='str', aliases=['baseUrl']), | ||||||
|         surrogate_auth_required=dict(type='bool', aliases=['surrogateAuthRequired']), |         surrogate_auth_required=dict(type='bool', aliases=['surrogateAuthRequired']), | ||||||
|         enabled=dict(type='bool'), |         enabled=dict(type='bool'), | ||||||
|         client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt'], aliases=['clientAuthenticatorType']), |         client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt', 'client-x509'], aliases=['clientAuthenticatorType']), | ||||||
|         secret=dict(type='str', no_log=True), |         secret=dict(type='str', no_log=True), | ||||||
|         registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True), |         registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True), | ||||||
|         default_roles=dict(type='list', elements='str', aliases=['defaultRoles']), |         default_roles=dict(type='list', elements='str', aliases=['defaultRoles']), | ||||||
|  | @ -814,7 +957,7 @@ def main(): | ||||||
|         authorization_services_enabled=dict(type='bool', aliases=['authorizationServicesEnabled']), |         authorization_services_enabled=dict(type='bool', aliases=['authorizationServicesEnabled']), | ||||||
|         public_client=dict(type='bool', aliases=['publicClient']), |         public_client=dict(type='bool', aliases=['publicClient']), | ||||||
|         frontchannel_logout=dict(type='bool', aliases=['frontchannelLogout']), |         frontchannel_logout=dict(type='bool', aliases=['frontchannelLogout']), | ||||||
|         protocol=dict(type='str', choices=['openid-connect', 'saml']), |         protocol=dict(type='str', choices=[PROTOCOL_OPENID_CONNECT, PROTOCOL_SAML, PROTOCOL_DOCKER_V2]), | ||||||
|         attributes=dict(type='dict'), |         attributes=dict(type='dict'), | ||||||
|         full_scope_allowed=dict(type='bool', aliases=['fullScopeAllowed']), |         full_scope_allowed=dict(type='bool', aliases=['fullScopeAllowed']), | ||||||
|         node_re_registration_timeout=dict(type='int', aliases=['nodeReRegistrationTimeout']), |         node_re_registration_timeout=dict(type='int', aliases=['nodeReRegistrationTimeout']), | ||||||
|  | @ -824,7 +967,13 @@ def main(): | ||||||
|         use_template_scope=dict(type='bool', aliases=['useTemplateScope']), |         use_template_scope=dict(type='bool', aliases=['useTemplateScope']), | ||||||
|         use_template_mappers=dict(type='bool', aliases=['useTemplateMappers']), |         use_template_mappers=dict(type='bool', aliases=['useTemplateMappers']), | ||||||
|         always_display_in_console=dict(type='bool', aliases=['alwaysDisplayInConsole']), |         always_display_in_console=dict(type='bool', aliases=['alwaysDisplayInConsole']), | ||||||
|         authentication_flow_binding_overrides=dict(type='dict', aliases=['authenticationFlowBindingOverrides']), |         authentication_flow_binding_overrides=dict( | ||||||
|  |             type='dict', | ||||||
|  |             aliases=['authenticationFlowBindingOverrides'], | ||||||
|  |             options=authentication_flow_spec, | ||||||
|  |             required_one_of=[['browser', 'direct_grant', 'browser_name', 'direct_grant_name']], | ||||||
|  |             mutually_exclusive=[['browser', 'browser_name'], ['direct_grant', 'direct_grant_name']], | ||||||
|  |         ), | ||||||
|         protocol_mappers=dict(type='list', elements='dict', options=protmapper_spec, aliases=['protocolMappers']), |         protocol_mappers=dict(type='list', elements='dict', options=protmapper_spec, aliases=['protocolMappers']), | ||||||
|         authorization_settings=dict(type='dict', aliases=['authorizationSettings']), |         authorization_settings=dict(type='dict', aliases=['authorizationSettings']), | ||||||
|         default_client_scopes=dict(type='list', elements='str', aliases=['defaultClientScopes']), |         default_client_scopes=dict(type='list', elements='str', aliases=['defaultClientScopes']), | ||||||
|  | @ -885,7 +1034,9 @@ def main(): | ||||||
|         # Unfortunately, the ansible argument spec checker introduces variables with null values when |         # Unfortunately, the ansible argument spec checker introduces variables with null values when | ||||||
|         # they are not specified |         # they are not specified | ||||||
|         if client_param == 'protocol_mappers': |         if client_param == 'protocol_mappers': | ||||||
|             new_param_value = [dict((k, v) for k, v in x.items() if x[k] is not None) for x in new_param_value] |             new_param_value = [{k: v for k, v in x.items() if v is not None} for x in new_param_value] | ||||||
|  |         elif client_param == 'authentication_flow_binding_overrides': | ||||||
|  |             new_param_value = flow_binding_from_dict_to_model(new_param_value, realm, kc) | ||||||
| 
 | 
 | ||||||
|         changeset[camel(client_param)] = new_param_value |         changeset[camel(client_param)] = new_param_value | ||||||
| 
 | 
 | ||||||
|  | @ -912,6 +1063,8 @@ def main(): | ||||||
| 
 | 
 | ||||||
|         if 'clientId' not in desired_client: |         if 'clientId' not in desired_client: | ||||||
|             module.fail_json(msg='client_id needs to be specified when creating a new client') |             module.fail_json(msg='client_id needs to be specified when creating a new client') | ||||||
|  |         if 'protocol' not in desired_client: | ||||||
|  |             desired_client['protocol'] = PROTOCOL_OPENID_CONNECT | ||||||
| 
 | 
 | ||||||
|         if module._diff: |         if module._diff: | ||||||
|             result['diff'] = dict(before='', after=sanitize_cr(desired_client)) |             result['diff'] = dict(before='', after=sanitize_cr(desired_client)) | ||||||
|  | @ -940,7 +1093,7 @@ def main(): | ||||||
|                 if module._diff: |                 if module._diff: | ||||||
|                     result['diff'] = dict(before=sanitize_cr(before_norm), |                     result['diff'] = dict(before=sanitize_cr(before_norm), | ||||||
|                                           after=sanitize_cr(desired_norm)) |                                           after=sanitize_cr(desired_norm)) | ||||||
|                 result['changed'] = (before_norm != desired_norm) |                 result['changed'] = not is_struct_included(desired_norm, before_norm, CLIENT_META_DATA) | ||||||
| 
 | 
 | ||||||
|                 module.exit_json(**result) |                 module.exit_json(**result) | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
							
								
								
									
										848
									
								
								plugins/modules/keycloak_realm.py
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										848
									
								
								plugins/modules/keycloak_realm.py
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,848 @@ | ||||||
|  | #!/usr/bin/python | ||||||
|  | # -*- coding: utf-8 -*- | ||||||
|  | 
 | ||||||
|  | # Copyright (c) 2017, Eike Frost <ei@kefro.st> | ||||||
|  | # Copyright (c) 2021, Christophe Gilles <christophe.gilles54@gmail.com> | ||||||
|  | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) | ||||||
|  | # SPDX-License-Identifier: GPL-3.0-or-later | ||||||
|  | 
 | ||||||
|  | from __future__ import absolute_import, division, print_function | ||||||
|  | __metaclass__ = type | ||||||
|  | 
 | ||||||
|  | DOCUMENTATION = ''' | ||||||
|  | --- | ||||||
|  | module: keycloak_realm | ||||||
|  | 
 | ||||||
|  | short_description: Allows administration of Keycloak realm via Keycloak API | ||||||
|  | 
 | ||||||
|  | version_added: 3.0.0 | ||||||
|  | 
 | ||||||
|  | description: | ||||||
|  |     - This module allows the administration of Keycloak realm via the Keycloak REST API. It | ||||||
|  |       requires access to the REST API via OpenID Connect; the user connecting and the realm being | ||||||
|  |       used must have the requisite access rights. In a default Keycloak installation, admin-cli | ||||||
|  |       and an admin user would work, as would a separate realm definition with the scope tailored | ||||||
|  |       to your needs and a user having the expected roles. | ||||||
|  | 
 | ||||||
|  |     - The names of module options are snake_cased versions of the camelCase ones found in the | ||||||
|  |       Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). | ||||||
|  |       Aliases are provided so camelCased versions can be used as well. | ||||||
|  | 
 | ||||||
|  |     - The Keycloak API does not always sanity check inputs e.g. you can set | ||||||
|  |       SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful. | ||||||
|  |       If you do not specify a setting, usually a sensible default is chosen. | ||||||
|  | 
 | ||||||
|  | attributes: | ||||||
|  |     check_mode: | ||||||
|  |         support: full | ||||||
|  |     diff_mode: | ||||||
|  |         support: full | ||||||
|  | 
 | ||||||
|  | options: | ||||||
|  |     state: | ||||||
|  |         description: | ||||||
|  |             - State of the realm. | ||||||
|  |             - On V(present), the realm will be created (or updated if it exists already). | ||||||
|  |             - On V(absent), the realm will be removed if it exists. | ||||||
|  |         choices: ['present', 'absent'] | ||||||
|  |         default: 'present' | ||||||
|  |         type: str | ||||||
|  | 
 | ||||||
|  |     id: | ||||||
|  |         description: | ||||||
|  |             - The realm to create. | ||||||
|  |         type: str | ||||||
|  |     realm: | ||||||
|  |         description: | ||||||
|  |             - The realm name. | ||||||
|  |         type: str | ||||||
|  |     access_code_lifespan: | ||||||
|  |         description: | ||||||
|  |             - The realm access code lifespan. | ||||||
|  |         aliases: | ||||||
|  |             - accessCodeLifespan | ||||||
|  |         type: int | ||||||
|  |     access_code_lifespan_login: | ||||||
|  |         description: | ||||||
|  |             - The realm access code lifespan login. | ||||||
|  |         aliases: | ||||||
|  |             - accessCodeLifespanLogin | ||||||
|  |         type: int | ||||||
|  |     access_code_lifespan_user_action: | ||||||
|  |         description: | ||||||
|  |             - The realm access code lifespan user action. | ||||||
|  |         aliases: | ||||||
|  |             - accessCodeLifespanUserAction | ||||||
|  |         type: int | ||||||
|  |     access_token_lifespan: | ||||||
|  |         description: | ||||||
|  |             - The realm access token lifespan. | ||||||
|  |         aliases: | ||||||
|  |             - accessTokenLifespan | ||||||
|  |         type: int | ||||||
|  |     access_token_lifespan_for_implicit_flow: | ||||||
|  |         description: | ||||||
|  |             - The realm access token lifespan for implicit flow. | ||||||
|  |         aliases: | ||||||
|  |             - accessTokenLifespanForImplicitFlow | ||||||
|  |         type: int | ||||||
|  |     account_theme: | ||||||
|  |         description: | ||||||
|  |             - The realm account theme. | ||||||
|  |         aliases: | ||||||
|  |             - accountTheme | ||||||
|  |         type: str | ||||||
|  |     action_token_generated_by_admin_lifespan: | ||||||
|  |         description: | ||||||
|  |             - The realm action token generated by admin lifespan. | ||||||
|  |         aliases: | ||||||
|  |             - actionTokenGeneratedByAdminLifespan | ||||||
|  |         type: int | ||||||
|  |     action_token_generated_by_user_lifespan: | ||||||
|  |         description: | ||||||
|  |             - The realm action token generated by user lifespan. | ||||||
|  |         aliases: | ||||||
|  |             - actionTokenGeneratedByUserLifespan | ||||||
|  |         type: int | ||||||
|  |     admin_events_details_enabled: | ||||||
|  |         description: | ||||||
|  |             - The realm admin events details enabled. | ||||||
|  |         aliases: | ||||||
|  |             - adminEventsDetailsEnabled | ||||||
|  |         type: bool | ||||||
|  |     admin_events_enabled: | ||||||
|  |         description: | ||||||
|  |             - The realm admin events enabled. | ||||||
|  |         aliases: | ||||||
|  |             - adminEventsEnabled | ||||||
|  |         type: bool | ||||||
|  |     admin_theme: | ||||||
|  |         description: | ||||||
|  |             - The realm admin theme. | ||||||
|  |         aliases: | ||||||
|  |             - adminTheme | ||||||
|  |         type: str | ||||||
|  |     attributes: | ||||||
|  |         description: | ||||||
|  |             - The realm attributes. | ||||||
|  |         type: dict | ||||||
|  |     browser_flow: | ||||||
|  |         description: | ||||||
|  |             - The realm browser flow. | ||||||
|  |         aliases: | ||||||
|  |             - browserFlow | ||||||
|  |         type: str | ||||||
|  |     browser_security_headers: | ||||||
|  |         description: | ||||||
|  |             - The realm browser security headers. | ||||||
|  |         aliases: | ||||||
|  |             - browserSecurityHeaders | ||||||
|  |         type: dict | ||||||
|  |     brute_force_protected: | ||||||
|  |         description: | ||||||
|  |             - The realm brute force protected. | ||||||
|  |         aliases: | ||||||
|  |             - bruteForceProtected | ||||||
|  |         type: bool | ||||||
|  |     client_authentication_flow: | ||||||
|  |         description: | ||||||
|  |             - The realm client authentication flow. | ||||||
|  |         aliases: | ||||||
|  |             - clientAuthenticationFlow | ||||||
|  |         type: str | ||||||
|  |     client_scope_mappings: | ||||||
|  |         description: | ||||||
|  |             - The realm client scope mappings. | ||||||
|  |         aliases: | ||||||
|  |             - clientScopeMappings | ||||||
|  |         type: dict | ||||||
|  |     default_default_client_scopes: | ||||||
|  |         description: | ||||||
|  |             - The realm default default client scopes. | ||||||
|  |         aliases: | ||||||
|  |             - defaultDefaultClientScopes | ||||||
|  |         type: list | ||||||
|  |         elements: str | ||||||
|  |     default_groups: | ||||||
|  |         description: | ||||||
|  |             - The realm default groups. | ||||||
|  |         aliases: | ||||||
|  |             - defaultGroups | ||||||
|  |         type: list | ||||||
|  |         elements: str | ||||||
|  |     default_locale: | ||||||
|  |         description: | ||||||
|  |             - The realm default locale. | ||||||
|  |         aliases: | ||||||
|  |             - defaultLocale | ||||||
|  |         type: str | ||||||
|  |     default_optional_client_scopes: | ||||||
|  |         description: | ||||||
|  |             - The realm default optional client scopes. | ||||||
|  |         aliases: | ||||||
|  |             - defaultOptionalClientScopes | ||||||
|  |         type: list | ||||||
|  |         elements: str | ||||||
|  |     default_roles: | ||||||
|  |         description: | ||||||
|  |             - The realm default roles. | ||||||
|  |         aliases: | ||||||
|  |             - defaultRoles | ||||||
|  |         type: list | ||||||
|  |         elements: str | ||||||
|  |     default_signature_algorithm: | ||||||
|  |         description: | ||||||
|  |             - The realm default signature algorithm. | ||||||
|  |         aliases: | ||||||
|  |             - defaultSignatureAlgorithm | ||||||
|  |         type: str | ||||||
|  |     direct_grant_flow: | ||||||
|  |         description: | ||||||
|  |             - The realm direct grant flow. | ||||||
|  |         aliases: | ||||||
|  |             - directGrantFlow | ||||||
|  |         type: str | ||||||
|  |     display_name: | ||||||
|  |         description: | ||||||
|  |             - The realm display name. | ||||||
|  |         aliases: | ||||||
|  |             - displayName | ||||||
|  |         type: str | ||||||
|  |     display_name_html: | ||||||
|  |         description: | ||||||
|  |             - The realm display name HTML. | ||||||
|  |         aliases: | ||||||
|  |             - displayNameHtml | ||||||
|  |         type: str | ||||||
|  |     docker_authentication_flow: | ||||||
|  |         description: | ||||||
|  |             - The realm docker authentication flow. | ||||||
|  |         aliases: | ||||||
|  |             - dockerAuthenticationFlow | ||||||
|  |         type: str | ||||||
|  |     duplicate_emails_allowed: | ||||||
|  |         description: | ||||||
|  |             - The realm duplicate emails allowed option. | ||||||
|  |         aliases: | ||||||
|  |             - duplicateEmailsAllowed | ||||||
|  |         type: bool | ||||||
|  |     edit_username_allowed: | ||||||
|  |         description: | ||||||
|  |             - The realm edit username allowed option. | ||||||
|  |         aliases: | ||||||
|  |             - editUsernameAllowed | ||||||
|  |         type: bool | ||||||
|  |     email_theme: | ||||||
|  |         description: | ||||||
|  |             - The realm email theme. | ||||||
|  |         aliases: | ||||||
|  |             - emailTheme | ||||||
|  |         type: str | ||||||
|  |     enabled: | ||||||
|  |         description: | ||||||
|  |             - The realm enabled option. | ||||||
|  |         type: bool | ||||||
|  |     enabled_event_types: | ||||||
|  |         description: | ||||||
|  |             - The realm enabled event types. | ||||||
|  |         aliases: | ||||||
|  |             - enabledEventTypes | ||||||
|  |         type: list | ||||||
|  |         elements: str | ||||||
|  |     events_enabled: | ||||||
|  |         description: | ||||||
|  |             - Enables or disables login events for this realm. | ||||||
|  |         aliases: | ||||||
|  |             - eventsEnabled | ||||||
|  |         type: bool | ||||||
|  |         version_added: 3.6.0 | ||||||
|  |     events_expiration: | ||||||
|  |         description: | ||||||
|  |             - The realm events expiration. | ||||||
|  |         aliases: | ||||||
|  |             - eventsExpiration | ||||||
|  |         type: int | ||||||
|  |     events_listeners: | ||||||
|  |         description: | ||||||
|  |             - The realm events listeners. | ||||||
|  |         aliases: | ||||||
|  |             - eventsListeners | ||||||
|  |         type: list | ||||||
|  |         elements: str | ||||||
|  |     failure_factor: | ||||||
|  |         description: | ||||||
|  |             - The realm failure factor. | ||||||
|  |         aliases: | ||||||
|  |             - failureFactor | ||||||
|  |         type: int | ||||||
|  |     internationalization_enabled: | ||||||
|  |         description: | ||||||
|  |             - The realm internationalization enabled option. | ||||||
|  |         aliases: | ||||||
|  |             - internationalizationEnabled | ||||||
|  |         type: bool | ||||||
|  |     login_theme: | ||||||
|  |         description: | ||||||
|  |             - The realm login theme. | ||||||
|  |         aliases: | ||||||
|  |             - loginTheme | ||||||
|  |         type: str | ||||||
|  |     login_with_email_allowed: | ||||||
|  |         description: | ||||||
|  |             - The realm login with email allowed option. | ||||||
|  |         aliases: | ||||||
|  |             - loginWithEmailAllowed | ||||||
|  |         type: bool | ||||||
|  |     max_delta_time_seconds: | ||||||
|  |         description: | ||||||
|  |             - The realm max delta time in seconds. | ||||||
|  |         aliases: | ||||||
|  |             - maxDeltaTimeSeconds | ||||||
|  |         type: int | ||||||
|  |     max_failure_wait_seconds: | ||||||
|  |         description: | ||||||
|  |             - The realm max failure wait in seconds. | ||||||
|  |         aliases: | ||||||
|  |             - maxFailureWaitSeconds | ||||||
|  |         type: int | ||||||
|  |     minimum_quick_login_wait_seconds: | ||||||
|  |         description: | ||||||
|  |             - The realm minimum quick login wait in seconds. | ||||||
|  |         aliases: | ||||||
|  |             - minimumQuickLoginWaitSeconds | ||||||
|  |         type: int | ||||||
|  |     not_before: | ||||||
|  |         description: | ||||||
|  |             - The realm not before. | ||||||
|  |         aliases: | ||||||
|  |             - notBefore | ||||||
|  |         type: int | ||||||
|  |     offline_session_idle_timeout: | ||||||
|  |         description: | ||||||
|  |             - The realm offline session idle timeout. | ||||||
|  |         aliases: | ||||||
|  |             - offlineSessionIdleTimeout | ||||||
|  |         type: int | ||||||
|  |     offline_session_max_lifespan: | ||||||
|  |         description: | ||||||
|  |             - The realm offline session max lifespan. | ||||||
|  |         aliases: | ||||||
|  |             - offlineSessionMaxLifespan | ||||||
|  |         type: int | ||||||
|  |     offline_session_max_lifespan_enabled: | ||||||
|  |         description: | ||||||
|  |             - The realm offline session max lifespan enabled option. | ||||||
|  |         aliases: | ||||||
|  |             - offlineSessionMaxLifespanEnabled | ||||||
|  |         type: bool | ||||||
|  |     otp_policy_algorithm: | ||||||
|  |         description: | ||||||
|  |             - The realm otp policy algorithm. | ||||||
|  |         aliases: | ||||||
|  |             - otpPolicyAlgorithm | ||||||
|  |         type: str | ||||||
|  |     otp_policy_digits: | ||||||
|  |         description: | ||||||
|  |             - The realm otp policy digits. | ||||||
|  |         aliases: | ||||||
|  |             - otpPolicyDigits | ||||||
|  |         type: int | ||||||
|  |     otp_policy_initial_counter: | ||||||
|  |         description: | ||||||
|  |             - The realm otp policy initial counter. | ||||||
|  |         aliases: | ||||||
|  |             - otpPolicyInitialCounter | ||||||
|  |         type: int | ||||||
|  |     otp_policy_look_ahead_window: | ||||||
|  |         description: | ||||||
|  |             - The realm otp policy look ahead window. | ||||||
|  |         aliases: | ||||||
|  |             - otpPolicyLookAheadWindow | ||||||
|  |         type: int | ||||||
|  |     otp_policy_period: | ||||||
|  |         description: | ||||||
|  |             - The realm otp policy period. | ||||||
|  |         aliases: | ||||||
|  |             - otpPolicyPeriod | ||||||
|  |         type: int | ||||||
|  |     otp_policy_type: | ||||||
|  |         description: | ||||||
|  |             - The realm otp policy type. | ||||||
|  |         aliases: | ||||||
|  |             - otpPolicyType | ||||||
|  |         type: str | ||||||
|  |     otp_supported_applications: | ||||||
|  |         description: | ||||||
|  |             - The realm otp supported applications. | ||||||
|  |         aliases: | ||||||
|  |             - otpSupportedApplications | ||||||
|  |         type: list | ||||||
|  |         elements: str | ||||||
|  |     password_policy: | ||||||
|  |         description: | ||||||
|  |             - The realm password policy. | ||||||
|  |         aliases: | ||||||
|  |             - passwordPolicy | ||||||
|  |         type: str | ||||||
|  |     permanent_lockout: | ||||||
|  |         description: | ||||||
|  |             - The realm permanent lockout. | ||||||
|  |         aliases: | ||||||
|  |             - permanentLockout | ||||||
|  |         type: bool | ||||||
|  |     quick_login_check_milli_seconds: | ||||||
|  |         description: | ||||||
|  |             - The realm quick login check in milliseconds. | ||||||
|  |         aliases: | ||||||
|  |             - quickLoginCheckMilliSeconds | ||||||
|  |         type: int | ||||||
|  |     refresh_token_max_reuse: | ||||||
|  |         description: | ||||||
|  |             - The realm refresh token max reuse. | ||||||
|  |         aliases: | ||||||
|  |             - refreshTokenMaxReuse | ||||||
|  |         type: int | ||||||
|  |     registration_allowed: | ||||||
|  |         description: | ||||||
|  |             - The realm registration allowed option. | ||||||
|  |         aliases: | ||||||
|  |             - registrationAllowed | ||||||
|  |         type: bool | ||||||
|  |     registration_email_as_username: | ||||||
|  |         description: | ||||||
|  |             - The realm registration email as username option. | ||||||
|  |         aliases: | ||||||
|  |             - registrationEmailAsUsername | ||||||
|  |         type: bool | ||||||
|  |     registration_flow: | ||||||
|  |         description: | ||||||
|  |             - The realm registration flow. | ||||||
|  |         aliases: | ||||||
|  |             - registrationFlow | ||||||
|  |         type: str | ||||||
|  |     remember_me: | ||||||
|  |         description: | ||||||
|  |             - The realm remember me option. | ||||||
|  |         aliases: | ||||||
|  |             - rememberMe | ||||||
|  |         type: bool | ||||||
|  |     reset_credentials_flow: | ||||||
|  |         description: | ||||||
|  |             - The realm reset credentials flow. | ||||||
|  |         aliases: | ||||||
|  |             - resetCredentialsFlow | ||||||
|  |         type: str | ||||||
|  |     reset_password_allowed: | ||||||
|  |         description: | ||||||
|  |             - The realm reset password allowed option. | ||||||
|  |         aliases: | ||||||
|  |             - resetPasswordAllowed | ||||||
|  |         type: bool | ||||||
|  |     revoke_refresh_token: | ||||||
|  |         description: | ||||||
|  |             - The realm revoke refresh token option. | ||||||
|  |         aliases: | ||||||
|  |             - revokeRefreshToken | ||||||
|  |         type: bool | ||||||
|  |     smtp_server: | ||||||
|  |         description: | ||||||
|  |             - The realm smtp server. | ||||||
|  |         aliases: | ||||||
|  |             - smtpServer | ||||||
|  |         type: dict | ||||||
|  |     ssl_required: | ||||||
|  |         description: | ||||||
|  |             - The realm ssl required option. | ||||||
|  |         choices: ['all', 'external', 'none'] | ||||||
|  |         aliases: | ||||||
|  |             - sslRequired | ||||||
|  |         type: str | ||||||
|  |     sso_session_idle_timeout: | ||||||
|  |         description: | ||||||
|  |             - The realm sso session idle timeout. | ||||||
|  |         aliases: | ||||||
|  |             - ssoSessionIdleTimeout | ||||||
|  |         type: int | ||||||
|  |     sso_session_idle_timeout_remember_me: | ||||||
|  |         description: | ||||||
|  |             - The realm sso session idle timeout remember me. | ||||||
|  |         aliases: | ||||||
|  |             - ssoSessionIdleTimeoutRememberMe | ||||||
|  |         type: int | ||||||
|  |     sso_session_max_lifespan: | ||||||
|  |         description: | ||||||
|  |             - The realm sso session max lifespan. | ||||||
|  |         aliases: | ||||||
|  |             - ssoSessionMaxLifespan | ||||||
|  |         type: int | ||||||
|  |     sso_session_max_lifespan_remember_me: | ||||||
|  |         description: | ||||||
|  |             - The realm sso session max lifespan remember me. | ||||||
|  |         aliases: | ||||||
|  |             - ssoSessionMaxLifespanRememberMe | ||||||
|  |         type: int | ||||||
|  |     supported_locales: | ||||||
|  |         description: | ||||||
|  |             - The realm supported locales. | ||||||
|  |         aliases: | ||||||
|  |             - supportedLocales | ||||||
|  |         type: list | ||||||
|  |         elements: str | ||||||
|  |     user_managed_access_allowed: | ||||||
|  |         description: | ||||||
|  |             - The realm user managed access allowed option. | ||||||
|  |         aliases: | ||||||
|  |             - userManagedAccessAllowed | ||||||
|  |         type: bool | ||||||
|  |     verify_email: | ||||||
|  |         description: | ||||||
|  |             - The realm verify email option. | ||||||
|  |         aliases: | ||||||
|  |             - verifyEmail | ||||||
|  |         type: bool | ||||||
|  |     wait_increment_seconds: | ||||||
|  |         description: | ||||||
|  |             - The realm wait increment in seconds. | ||||||
|  |         aliases: | ||||||
|  |             - waitIncrementSeconds | ||||||
|  |         type: int | ||||||
|  | 
 | ||||||
|  | extends_documentation_fragment: | ||||||
|  |     - middleware_automation.keycloak.keycloak | ||||||
|  |     - middleware_automation.keycloak.attributes | ||||||
|  | 
 | ||||||
|  | author: | ||||||
|  |     - Christophe Gilles (@kris2kris) | ||||||
|  | ''' | ||||||
|  | 
 | ||||||
|  | EXAMPLES = ''' | ||||||
|  | - name: Create or update Keycloak realm (minimal example) | ||||||
|  |   middleware_automation.keycloak.keycloak_realm: | ||||||
|  |     auth_client_id: admin-cli | ||||||
|  |     auth_keycloak_url: https://auth.example.com/auth | ||||||
|  |     auth_realm: master | ||||||
|  |     auth_username: USERNAME | ||||||
|  |     auth_password: PASSWORD | ||||||
|  |     id: realm | ||||||
|  |     realm: realm | ||||||
|  |     state: present | ||||||
|  | 
 | ||||||
|  | - name: Delete a Keycloak realm | ||||||
|  |   middleware_automation.keycloak.keycloak_realm: | ||||||
|  |     auth_client_id: admin-cli | ||||||
|  |     auth_keycloak_url: https://auth.example.com/auth | ||||||
|  |     auth_realm: master | ||||||
|  |     auth_username: USERNAME | ||||||
|  |     auth_password: PASSWORD | ||||||
|  |     id: test | ||||||
|  |     state: absent | ||||||
|  | ''' | ||||||
|  | 
 | ||||||
|  | RETURN = ''' | ||||||
|  | msg: | ||||||
|  |     description: Message as to what action was taken. | ||||||
|  |     returned: always | ||||||
|  |     type: str | ||||||
|  |     sample: "Realm testrealm has been updated" | ||||||
|  | 
 | ||||||
|  | proposed: | ||||||
|  |     description: Representation of proposed realm. | ||||||
|  |     returned: always | ||||||
|  |     type: dict | ||||||
|  |     sample: { | ||||||
|  |       id: "test" | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  | existing: | ||||||
|  |     description: Representation of existing realm (sample is truncated). | ||||||
|  |     returned: always | ||||||
|  |     type: dict | ||||||
|  |     sample: { | ||||||
|  |         "adminUrl": "http://www.example.com/admin_url", | ||||||
|  |         "attributes": { | ||||||
|  |             "request.object.signature.alg": "RS256", | ||||||
|  |         } | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  | end_state: | ||||||
|  |     description: Representation of realm after module execution (sample is truncated). | ||||||
|  |     returned: on success | ||||||
|  |     type: dict | ||||||
|  |     sample: { | ||||||
|  |         "adminUrl": "http://www.example.com/admin_url", | ||||||
|  |         "attributes": { | ||||||
|  |             "request.object.signature.alg": "RS256", | ||||||
|  |         } | ||||||
|  |     } | ||||||
|  | ''' | ||||||
|  | 
 | ||||||
|  | from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ | ||||||
|  |     keycloak_argument_spec, get_token, KeycloakError | ||||||
|  | from ansible.module_utils.basic import AnsibleModule | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | def normalise_cr(realmrep): | ||||||
|  |     """ Re-sorts any properties where the order is important so that diff's is minimised and the change detection is more effective. | ||||||
|  | 
 | ||||||
|  |     :param realmrep: the realmrep dict to be sanitized | ||||||
|  |     :return: normalised realmrep dict | ||||||
|  |     """ | ||||||
|  |     # Avoid the dict passed in to be modified | ||||||
|  |     realmrep = realmrep.copy() | ||||||
|  | 
 | ||||||
|  |     if 'enabledEventTypes' in realmrep: | ||||||
|  |         realmrep['enabledEventTypes'] = list(sorted(realmrep['enabledEventTypes'])) | ||||||
|  | 
 | ||||||
|  |     if 'otpSupportedApplications' in realmrep: | ||||||
|  |         realmrep['otpSupportedApplications'] = list(sorted(realmrep['otpSupportedApplications'])) | ||||||
|  | 
 | ||||||
|  |     if 'supportedLocales' in realmrep: | ||||||
|  |         realmrep['supportedLocales'] = list(sorted(realmrep['supportedLocales'])) | ||||||
|  | 
 | ||||||
|  |     return realmrep | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | def sanitize_cr(realmrep): | ||||||
|  |     """ Removes probably sensitive details from a realm representation. | ||||||
|  | 
 | ||||||
|  |     :param realmrep: the realmrep dict to be sanitized | ||||||
|  |     :return: sanitized realmrep dict | ||||||
|  |     """ | ||||||
|  |     result = realmrep.copy() | ||||||
|  |     if 'secret' in result: | ||||||
|  |         result['secret'] = '********' | ||||||
|  |     if 'attributes' in result: | ||||||
|  |         if 'saml.signing.private.key' in result['attributes']: | ||||||
|  |             result['attributes'] = result['attributes'].copy() | ||||||
|  |             result['attributes']['saml.signing.private.key'] = '********' | ||||||
|  |     return normalise_cr(result) | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | def main(): | ||||||
|  |     """ | ||||||
|  |     Module execution | ||||||
|  | 
 | ||||||
|  |     :return: | ||||||
|  |     """ | ||||||
|  |     argument_spec = keycloak_argument_spec() | ||||||
|  | 
 | ||||||
|  |     meta_args = dict( | ||||||
|  |         state=dict(default='present', choices=['present', 'absent']), | ||||||
|  | 
 | ||||||
|  |         id=dict(type='str'), | ||||||
|  |         realm=dict(type='str'), | ||||||
|  |         access_code_lifespan=dict(type='int', aliases=['accessCodeLifespan']), | ||||||
|  |         access_code_lifespan_login=dict(type='int', aliases=['accessCodeLifespanLogin']), | ||||||
|  |         access_code_lifespan_user_action=dict(type='int', aliases=['accessCodeLifespanUserAction']), | ||||||
|  |         access_token_lifespan=dict(type='int', aliases=['accessTokenLifespan'], no_log=False), | ||||||
|  |         access_token_lifespan_for_implicit_flow=dict(type='int', aliases=['accessTokenLifespanForImplicitFlow'], no_log=False), | ||||||
|  |         account_theme=dict(type='str', aliases=['accountTheme']), | ||||||
|  |         action_token_generated_by_admin_lifespan=dict(type='int', aliases=['actionTokenGeneratedByAdminLifespan'], no_log=False), | ||||||
|  |         action_token_generated_by_user_lifespan=dict(type='int', aliases=['actionTokenGeneratedByUserLifespan'], no_log=False), | ||||||
|  |         admin_events_details_enabled=dict(type='bool', aliases=['adminEventsDetailsEnabled']), | ||||||
|  |         admin_events_enabled=dict(type='bool', aliases=['adminEventsEnabled']), | ||||||
|  |         admin_theme=dict(type='str', aliases=['adminTheme']), | ||||||
|  |         attributes=dict(type='dict'), | ||||||
|  |         browser_flow=dict(type='str', aliases=['browserFlow']), | ||||||
|  |         browser_security_headers=dict(type='dict', aliases=['browserSecurityHeaders']), | ||||||
|  |         brute_force_protected=dict(type='bool', aliases=['bruteForceProtected']), | ||||||
|  |         client_authentication_flow=dict(type='str', aliases=['clientAuthenticationFlow']), | ||||||
|  |         client_scope_mappings=dict(type='dict', aliases=['clientScopeMappings']), | ||||||
|  |         default_default_client_scopes=dict(type='list', elements='str', aliases=['defaultDefaultClientScopes']), | ||||||
|  |         default_groups=dict(type='list', elements='str', aliases=['defaultGroups']), | ||||||
|  |         default_locale=dict(type='str', aliases=['defaultLocale']), | ||||||
|  |         default_optional_client_scopes=dict(type='list', elements='str', aliases=['defaultOptionalClientScopes']), | ||||||
|  |         default_roles=dict(type='list', elements='str', aliases=['defaultRoles']), | ||||||
|  |         default_signature_algorithm=dict(type='str', aliases=['defaultSignatureAlgorithm']), | ||||||
|  |         direct_grant_flow=dict(type='str', aliases=['directGrantFlow']), | ||||||
|  |         display_name=dict(type='str', aliases=['displayName']), | ||||||
|  |         display_name_html=dict(type='str', aliases=['displayNameHtml']), | ||||||
|  |         docker_authentication_flow=dict(type='str', aliases=['dockerAuthenticationFlow']), | ||||||
|  |         duplicate_emails_allowed=dict(type='bool', aliases=['duplicateEmailsAllowed']), | ||||||
|  |         edit_username_allowed=dict(type='bool', aliases=['editUsernameAllowed']), | ||||||
|  |         email_theme=dict(type='str', aliases=['emailTheme']), | ||||||
|  |         enabled=dict(type='bool'), | ||||||
|  |         enabled_event_types=dict(type='list', elements='str', aliases=['enabledEventTypes']), | ||||||
|  |         events_enabled=dict(type='bool', aliases=['eventsEnabled']), | ||||||
|  |         events_expiration=dict(type='int', aliases=['eventsExpiration']), | ||||||
|  |         events_listeners=dict(type='list', elements='str', aliases=['eventsListeners']), | ||||||
|  |         failure_factor=dict(type='int', aliases=['failureFactor']), | ||||||
|  |         internationalization_enabled=dict(type='bool', aliases=['internationalizationEnabled']), | ||||||
|  |         login_theme=dict(type='str', aliases=['loginTheme']), | ||||||
|  |         login_with_email_allowed=dict(type='bool', aliases=['loginWithEmailAllowed']), | ||||||
|  |         max_delta_time_seconds=dict(type='int', aliases=['maxDeltaTimeSeconds']), | ||||||
|  |         max_failure_wait_seconds=dict(type='int', aliases=['maxFailureWaitSeconds']), | ||||||
|  |         minimum_quick_login_wait_seconds=dict(type='int', aliases=['minimumQuickLoginWaitSeconds']), | ||||||
|  |         not_before=dict(type='int', aliases=['notBefore']), | ||||||
|  |         offline_session_idle_timeout=dict(type='int', aliases=['offlineSessionIdleTimeout']), | ||||||
|  |         offline_session_max_lifespan=dict(type='int', aliases=['offlineSessionMaxLifespan']), | ||||||
|  |         offline_session_max_lifespan_enabled=dict(type='bool', aliases=['offlineSessionMaxLifespanEnabled']), | ||||||
|  |         otp_policy_algorithm=dict(type='str', aliases=['otpPolicyAlgorithm']), | ||||||
|  |         otp_policy_digits=dict(type='int', aliases=['otpPolicyDigits']), | ||||||
|  |         otp_policy_initial_counter=dict(type='int', aliases=['otpPolicyInitialCounter']), | ||||||
|  |         otp_policy_look_ahead_window=dict(type='int', aliases=['otpPolicyLookAheadWindow']), | ||||||
|  |         otp_policy_period=dict(type='int', aliases=['otpPolicyPeriod']), | ||||||
|  |         otp_policy_type=dict(type='str', aliases=['otpPolicyType']), | ||||||
|  |         otp_supported_applications=dict(type='list', elements='str', aliases=['otpSupportedApplications']), | ||||||
|  |         password_policy=dict(type='str', aliases=['passwordPolicy'], no_log=False), | ||||||
|  |         permanent_lockout=dict(type='bool', aliases=['permanentLockout']), | ||||||
|  |         quick_login_check_milli_seconds=dict(type='int', aliases=['quickLoginCheckMilliSeconds']), | ||||||
|  |         refresh_token_max_reuse=dict(type='int', aliases=['refreshTokenMaxReuse'], no_log=False), | ||||||
|  |         registration_allowed=dict(type='bool', aliases=['registrationAllowed']), | ||||||
|  |         registration_email_as_username=dict(type='bool', aliases=['registrationEmailAsUsername']), | ||||||
|  |         registration_flow=dict(type='str', aliases=['registrationFlow']), | ||||||
|  |         remember_me=dict(type='bool', aliases=['rememberMe']), | ||||||
|  |         reset_credentials_flow=dict(type='str', aliases=['resetCredentialsFlow']), | ||||||
|  |         reset_password_allowed=dict(type='bool', aliases=['resetPasswordAllowed'], no_log=False), | ||||||
|  |         revoke_refresh_token=dict(type='bool', aliases=['revokeRefreshToken']), | ||||||
|  |         smtp_server=dict(type='dict', aliases=['smtpServer']), | ||||||
|  |         ssl_required=dict(choices=["external", "all", "none"], aliases=['sslRequired']), | ||||||
|  |         sso_session_idle_timeout=dict(type='int', aliases=['ssoSessionIdleTimeout']), | ||||||
|  |         sso_session_idle_timeout_remember_me=dict(type='int', aliases=['ssoSessionIdleTimeoutRememberMe']), | ||||||
|  |         sso_session_max_lifespan=dict(type='int', aliases=['ssoSessionMaxLifespan']), | ||||||
|  |         sso_session_max_lifespan_remember_me=dict(type='int', aliases=['ssoSessionMaxLifespanRememberMe']), | ||||||
|  |         supported_locales=dict(type='list', elements='str', aliases=['supportedLocales']), | ||||||
|  |         user_managed_access_allowed=dict(type='bool', aliases=['userManagedAccessAllowed']), | ||||||
|  |         verify_email=dict(type='bool', aliases=['verifyEmail']), | ||||||
|  |         wait_increment_seconds=dict(type='int', aliases=['waitIncrementSeconds']), | ||||||
|  |     ) | ||||||
|  | 
 | ||||||
|  |     argument_spec.update(meta_args) | ||||||
|  | 
 | ||||||
|  |     module = AnsibleModule(argument_spec=argument_spec, | ||||||
|  |                            supports_check_mode=True, | ||||||
|  |                            required_one_of=([['id', 'realm', 'enabled'], | ||||||
|  |                                              ['token', 'auth_realm', 'auth_username', 'auth_password']]), | ||||||
|  |                            required_together=([['auth_realm', 'auth_username', 'auth_password']])) | ||||||
|  | 
 | ||||||
|  |     result = dict(changed=False, msg='', diff={}, proposed={}, existing={}, end_state={}) | ||||||
|  | 
 | ||||||
|  |     # Obtain access token, initialize API | ||||||
|  |     try: | ||||||
|  |         connection_header = get_token(module.params) | ||||||
|  |     except KeycloakError as e: | ||||||
|  |         module.fail_json(msg=str(e)) | ||||||
|  | 
 | ||||||
|  |     kc = KeycloakAPI(module, connection_header) | ||||||
|  | 
 | ||||||
|  |     realm = module.params.get('realm') | ||||||
|  |     state = module.params.get('state') | ||||||
|  | 
 | ||||||
|  |     # convert module parameters to realm representation parameters (if they belong in there) | ||||||
|  |     params_to_ignore = list(keycloak_argument_spec().keys()) + ['state'] | ||||||
|  | 
 | ||||||
|  |     # Filter and map the parameters names that apply to the role | ||||||
|  |     realm_params = [x for x in module.params | ||||||
|  |                     if x not in params_to_ignore and | ||||||
|  |                     module.params.get(x) is not None] | ||||||
|  | 
 | ||||||
|  |     # See whether the realm already exists in Keycloak | ||||||
|  |     before_realm = kc.get_realm_by_id(realm=realm) | ||||||
|  | 
 | ||||||
|  |     if before_realm is None: | ||||||
|  |         before_realm = {} | ||||||
|  | 
 | ||||||
|  |     # Build a proposed changeset from parameters given to this module | ||||||
|  |     changeset = {} | ||||||
|  | 
 | ||||||
|  |     for realm_param in realm_params: | ||||||
|  |         new_param_value = module.params.get(realm_param) | ||||||
|  |         changeset[camel(realm_param)] = new_param_value | ||||||
|  | 
 | ||||||
|  |     # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis) | ||||||
|  |     desired_realm = before_realm.copy() | ||||||
|  |     desired_realm.update(changeset) | ||||||
|  | 
 | ||||||
|  |     result['proposed'] = sanitize_cr(changeset) | ||||||
|  |     before_realm_sanitized = sanitize_cr(before_realm) | ||||||
|  |     result['existing'] = before_realm_sanitized | ||||||
|  | 
 | ||||||
|  |     # Cater for when it doesn't exist (an empty dict) | ||||||
|  |     if not before_realm: | ||||||
|  |         if state == 'absent': | ||||||
|  |             # Do nothing and exit | ||||||
|  |             if module._diff: | ||||||
|  |                 result['diff'] = dict(before='', after='') | ||||||
|  |             result['changed'] = False | ||||||
|  |             result['end_state'] = {} | ||||||
|  |             result['msg'] = 'Realm does not exist, doing nothing.' | ||||||
|  |             module.exit_json(**result) | ||||||
|  | 
 | ||||||
|  |         # Process a creation | ||||||
|  |         result['changed'] = True | ||||||
|  | 
 | ||||||
|  |         if 'id' not in desired_realm: | ||||||
|  |             module.fail_json(msg='id needs to be specified when creating a new realm') | ||||||
|  | 
 | ||||||
|  |         if module._diff: | ||||||
|  |             result['diff'] = dict(before='', after=sanitize_cr(desired_realm)) | ||||||
|  | 
 | ||||||
|  |         if module.check_mode: | ||||||
|  |             module.exit_json(**result) | ||||||
|  | 
 | ||||||
|  |         # create it | ||||||
|  |         kc.create_realm(desired_realm) | ||||||
|  |         after_realm = kc.get_realm_by_id(desired_realm['id']) | ||||||
|  | 
 | ||||||
|  |         result['end_state'] = sanitize_cr(after_realm) | ||||||
|  | 
 | ||||||
|  |         result['msg'] = 'Realm %s has been created.' % desired_realm['id'] | ||||||
|  |         module.exit_json(**result) | ||||||
|  | 
 | ||||||
|  |     else: | ||||||
|  |         if state == 'present': | ||||||
|  |             # Process an update | ||||||
|  | 
 | ||||||
|  |             # doing an update | ||||||
|  |             result['changed'] = True | ||||||
|  |             if module.check_mode: | ||||||
|  |                 # We can only compare the current realm with the proposed updates we have | ||||||
|  |                 before_norm = normalise_cr(before_realm) | ||||||
|  |                 desired_norm = normalise_cr(desired_realm) | ||||||
|  |                 if module._diff: | ||||||
|  |                     result['diff'] = dict(before=sanitize_cr(before_norm), | ||||||
|  |                                           after=sanitize_cr(desired_norm)) | ||||||
|  |                 result['changed'] = (before_norm != desired_norm) | ||||||
|  | 
 | ||||||
|  |                 module.exit_json(**result) | ||||||
|  | 
 | ||||||
|  |             # do the update | ||||||
|  |             kc.update_realm(desired_realm, realm=realm) | ||||||
|  | 
 | ||||||
|  |             after_realm = kc.get_realm_by_id(realm=realm) | ||||||
|  | 
 | ||||||
|  |             if before_realm == after_realm: | ||||||
|  |                 result['changed'] = False | ||||||
|  | 
 | ||||||
|  |             result['end_state'] = sanitize_cr(after_realm) | ||||||
|  | 
 | ||||||
|  |             if module._diff: | ||||||
|  |                 result['diff'] = dict(before=before_realm_sanitized, | ||||||
|  |                                       after=sanitize_cr(after_realm)) | ||||||
|  | 
 | ||||||
|  |             result['msg'] = 'Realm %s has been updated.' % desired_realm['id'] | ||||||
|  |             module.exit_json(**result) | ||||||
|  | 
 | ||||||
|  |         else: | ||||||
|  |             # Process a deletion (because state was not 'present') | ||||||
|  |             result['changed'] = True | ||||||
|  | 
 | ||||||
|  |             if module._diff: | ||||||
|  |                 result['diff'] = dict(before=before_realm_sanitized, after='') | ||||||
|  | 
 | ||||||
|  |             if module.check_mode: | ||||||
|  |                 module.exit_json(**result) | ||||||
|  | 
 | ||||||
|  |             # delete it | ||||||
|  |             kc.delete_realm(realm=realm) | ||||||
|  | 
 | ||||||
|  |             result['proposed'] = {} | ||||||
|  |             result['end_state'] = {} | ||||||
|  | 
 | ||||||
|  |             result['msg'] = 'Realm %s has been deleted.' % before_realm['id'] | ||||||
|  | 
 | ||||||
|  |     module.exit_json(**result) | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | if __name__ == '__main__': | ||||||
|  |     main() | ||||||
|  | @ -40,8 +40,8 @@ options: | ||||||
|     state: |     state: | ||||||
|         description: |         description: | ||||||
|             - State of the role. |             - State of the role. | ||||||
|             - On C(present), the role will be created if it does not yet exist, or updated with the parameters you provide. |             - On V(present), the role will be created if it does not yet exist, or updated with the parameters you provide. | ||||||
|             - On C(absent), the role will be removed if it exists. |             - On V(absent), the role will be removed if it exists. | ||||||
|         default: 'present' |         default: 'present' | ||||||
|         type: str |         type: str | ||||||
|         choices: |         choices: | ||||||
|  | @ -77,6 +77,42 @@ options: | ||||||
|         description: |         description: | ||||||
|             - A dict of key/value pairs to set as custom attributes for the role. |             - A dict of key/value pairs to set as custom attributes for the role. | ||||||
|             - Values may be single values (e.g. a string) or a list of strings. |             - Values may be single values (e.g. a string) or a list of strings. | ||||||
|  |     composite: | ||||||
|  |         description: | ||||||
|  |             - If V(true), the role is a composition of other realm and/or client role. | ||||||
|  |         default: false | ||||||
|  |         type: bool | ||||||
|  |         version_added: 7.1.0 | ||||||
|  |     composites: | ||||||
|  |         description: | ||||||
|  |             - List of roles to include to the composite realm role. | ||||||
|  |             - If the composite role is a client role, the C(clientId) (not ID of the client) must be specified. | ||||||
|  |         default: [] | ||||||
|  |         type: list | ||||||
|  |         elements: dict | ||||||
|  |         version_added: 7.1.0 | ||||||
|  |         suboptions: | ||||||
|  |             name: | ||||||
|  |                 description: | ||||||
|  |                     - Name of the role. This can be the name of a REALM role or a client role. | ||||||
|  |                 type: str | ||||||
|  |                 required: true | ||||||
|  |             client_id: | ||||||
|  |                 description: | ||||||
|  |                     - Client ID if the role is a client role. Do not include this option for a REALM role. | ||||||
|  |                     - Use the client ID you can see in the Keycloak console, not the technical ID of the client. | ||||||
|  |                 type: str | ||||||
|  |                 required: false | ||||||
|  |                 aliases: | ||||||
|  |                     - clientId | ||||||
|  |             state: | ||||||
|  |                 description: | ||||||
|  |                     - Create the composite if present, remove it if absent. | ||||||
|  |                 type: str | ||||||
|  |                 choices: | ||||||
|  |                     - present | ||||||
|  |                     - absent | ||||||
|  |                 default: present | ||||||
| 
 | 
 | ||||||
| extends_documentation_fragment: | extends_documentation_fragment: | ||||||
|     - middleware_automation.keycloak.keycloak |     - middleware_automation.keycloak.keycloak | ||||||
|  | @ -198,8 +234,9 @@ end_state: | ||||||
| ''' | ''' | ||||||
| 
 | 
 | ||||||
| from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ | from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ | ||||||
|     keycloak_argument_spec, get_token, KeycloakError |     keycloak_argument_spec, get_token, KeycloakError, is_struct_included | ||||||
| from ansible.module_utils.basic import AnsibleModule | from ansible.module_utils.basic import AnsibleModule | ||||||
|  | import copy | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| def main(): | def main(): | ||||||
|  | @ -210,6 +247,12 @@ def main(): | ||||||
|     """ |     """ | ||||||
|     argument_spec = keycloak_argument_spec() |     argument_spec = keycloak_argument_spec() | ||||||
| 
 | 
 | ||||||
|  |     composites_spec = dict( | ||||||
|  |         name=dict(type='str', required=True), | ||||||
|  |         client_id=dict(type='str', aliases=['clientId'], required=False), | ||||||
|  |         state=dict(type='str', default='present', choices=['present', 'absent']) | ||||||
|  |     ) | ||||||
|  | 
 | ||||||
|     meta_args = dict( |     meta_args = dict( | ||||||
|         state=dict(type='str', default='present', choices=['present', 'absent']), |         state=dict(type='str', default='present', choices=['present', 'absent']), | ||||||
|         name=dict(type='str', required=True), |         name=dict(type='str', required=True), | ||||||
|  | @ -217,6 +260,8 @@ def main(): | ||||||
|         realm=dict(type='str', default='master'), |         realm=dict(type='str', default='master'), | ||||||
|         client_id=dict(type='str'), |         client_id=dict(type='str'), | ||||||
|         attributes=dict(type='dict'), |         attributes=dict(type='dict'), | ||||||
|  |         composites=dict(type='list', default=[], options=composites_spec, elements='dict'), | ||||||
|  |         composite=dict(type='bool', default=False), | ||||||
|     ) |     ) | ||||||
| 
 | 
 | ||||||
|     argument_spec.update(meta_args) |     argument_spec.update(meta_args) | ||||||
|  | @ -250,7 +295,7 @@ def main(): | ||||||
| 
 | 
 | ||||||
|     # Filter and map the parameters names that apply to the role |     # Filter and map the parameters names that apply to the role | ||||||
|     role_params = [x for x in module.params |     role_params = [x for x in module.params | ||||||
|                    if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm', 'client_id', 'composites'] and |                    if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm', 'client_id'] and | ||||||
|                    module.params.get(x) is not None] |                    module.params.get(x) is not None] | ||||||
| 
 | 
 | ||||||
|     # See if it already exists in Keycloak |     # See if it already exists in Keycloak | ||||||
|  | @ -269,10 +314,10 @@ def main(): | ||||||
|         new_param_value = module.params.get(param) |         new_param_value = module.params.get(param) | ||||||
|         old_value = before_role[param] if param in before_role else None |         old_value = before_role[param] if param in before_role else None | ||||||
|         if new_param_value != old_value: |         if new_param_value != old_value: | ||||||
|             changeset[camel(param)] = new_param_value |             changeset[camel(param)] = copy.deepcopy(new_param_value) | ||||||
| 
 | 
 | ||||||
|     # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis) |     # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis) | ||||||
|     desired_role = before_role.copy() |     desired_role = copy.deepcopy(before_role) | ||||||
|     desired_role.update(changeset) |     desired_role.update(changeset) | ||||||
| 
 | 
 | ||||||
|     result['proposed'] = changeset |     result['proposed'] = changeset | ||||||
|  | @ -309,6 +354,9 @@ def main(): | ||||||
|             kc.create_client_role(desired_role, clientid, realm) |             kc.create_client_role(desired_role, clientid, realm) | ||||||
|             after_role = kc.get_client_role(name, clientid, realm) |             after_role = kc.get_client_role(name, clientid, realm) | ||||||
| 
 | 
 | ||||||
|  |         if after_role['composite']: | ||||||
|  |             after_role['composites'] = kc.get_role_composites(rolerep=after_role, clientid=clientid, realm=realm) | ||||||
|  | 
 | ||||||
|         result['end_state'] = after_role |         result['end_state'] = after_role | ||||||
| 
 | 
 | ||||||
|         result['msg'] = 'Role {name} has been created'.format(name=name) |         result['msg'] = 'Role {name} has been created'.format(name=name) | ||||||
|  | @ -316,10 +364,25 @@ def main(): | ||||||
| 
 | 
 | ||||||
|     else: |     else: | ||||||
|         if state == 'present': |         if state == 'present': | ||||||
|  |             compare_exclude = [] | ||||||
|  |             if 'composites' in desired_role and isinstance(desired_role['composites'], list) and len(desired_role['composites']) > 0: | ||||||
|  |                 composites = kc.get_role_composites(rolerep=before_role, clientid=clientid, realm=realm) | ||||||
|  |                 before_role['composites'] = [] | ||||||
|  |                 for composite in composites: | ||||||
|  |                     before_composite = {} | ||||||
|  |                     if composite['clientRole']: | ||||||
|  |                         composite_client = kc.get_client_by_id(id=composite['containerId'], realm=realm) | ||||||
|  |                         before_composite['client_id'] = composite_client['clientId'] | ||||||
|  |                     else: | ||||||
|  |                         before_composite['client_id'] = None | ||||||
|  |                     before_composite['name'] = composite['name'] | ||||||
|  |                     before_composite['state'] = 'present' | ||||||
|  |                     before_role['composites'].append(before_composite) | ||||||
|  |             else: | ||||||
|  |                 compare_exclude.append('composites') | ||||||
|             # Process an update |             # Process an update | ||||||
| 
 |  | ||||||
|             # no changes |             # no changes | ||||||
|             if desired_role == before_role: |             if is_struct_included(desired_role, before_role, exclude=compare_exclude): | ||||||
|                 result['changed'] = False |                 result['changed'] = False | ||||||
|                 result['end_state'] = desired_role |                 result['end_state'] = desired_role | ||||||
|                 result['msg'] = "No changes required to role {name}.".format(name=name) |                 result['msg'] = "No changes required to role {name}.".format(name=name) | ||||||
|  | @ -341,6 +404,8 @@ def main(): | ||||||
|             else: |             else: | ||||||
|                 kc.update_client_role(desired_role, clientid, realm) |                 kc.update_client_role(desired_role, clientid, realm) | ||||||
|                 after_role = kc.get_client_role(name, clientid, realm) |                 after_role = kc.get_client_role(name, clientid, realm) | ||||||
|  |             if after_role['composite']: | ||||||
|  |                 after_role['composites'] = kc.get_role_composites(rolerep=after_role, clientid=clientid, realm=realm) | ||||||
| 
 | 
 | ||||||
|             result['end_state'] = after_role |             result['end_state'] = after_role | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -36,9 +36,9 @@ options: | ||||||
|     state: |     state: | ||||||
|         description: |         description: | ||||||
|             - State of the user federation. |             - State of the user federation. | ||||||
|             - On C(present), the user federation will be created if it does not yet exist, or updated with |             - On V(present), the user federation will be created if it does not yet exist, or updated with | ||||||
|               the parameters you provide. |               the parameters you provide. | ||||||
|             - On C(absent), the user federation will be removed if it exists. |             - On V(absent), the user federation will be removed if it exists. | ||||||
|         default: 'present' |         default: 'present' | ||||||
|         type: str |         type: str | ||||||
|         choices: |         choices: | ||||||
|  | @ -54,7 +54,7 @@ options: | ||||||
|     id: |     id: | ||||||
|         description: |         description: | ||||||
|             - The unique ID for this user federation. If left empty, the user federation will be searched |             - The unique ID for this user federation. If left empty, the user federation will be searched | ||||||
|               by its I(name). |               by its O(name). | ||||||
|         type: str |         type: str | ||||||
| 
 | 
 | ||||||
|     name: |     name: | ||||||
|  | @ -64,18 +64,15 @@ options: | ||||||
| 
 | 
 | ||||||
|     provider_id: |     provider_id: | ||||||
|         description: |         description: | ||||||
|             - Provider for this user federation. |             - Provider for this user federation. Built-in providers are V(ldap), V(kerberos), and V(sssd). | ||||||
|  |               Custom user storage providers can also be used. | ||||||
|         aliases: |         aliases: | ||||||
|             - providerId |             - providerId | ||||||
|         type: str |         type: str | ||||||
|         choices: |  | ||||||
|             - ldap |  | ||||||
|             - kerberos |  | ||||||
|             - sssd |  | ||||||
| 
 | 
 | ||||||
|     provider_type: |     provider_type: | ||||||
|         description: |         description: | ||||||
|             - Component type for user federation (only supported value is C(org.keycloak.storage.UserStorageProvider)). |             - Component type for user federation (only supported value is V(org.keycloak.storage.UserStorageProvider)). | ||||||
|         aliases: |         aliases: | ||||||
|             - providerType |             - providerType | ||||||
|         default: org.keycloak.storage.UserStorageProvider |         default: org.keycloak.storage.UserStorageProvider | ||||||
|  | @ -88,13 +85,37 @@ options: | ||||||
|             - parentId |             - parentId | ||||||
|         type: str |         type: str | ||||||
| 
 | 
 | ||||||
|  |     remove_unspecified_mappers: | ||||||
|  |         description: | ||||||
|  |             - Remove mappers that are not specified in the configuration for this federation. | ||||||
|  |             - Set to V(false) to keep mappers that are not listed in O(mappers). | ||||||
|  |         type: bool | ||||||
|  |         default: true | ||||||
|  | 
 | ||||||
|  |     bind_credential_update_mode: | ||||||
|  |         description: | ||||||
|  |             - The value of the config parameter O(config.bindCredential) is redacted in the Keycloak responses. | ||||||
|  |               Comparing the redacted value with the desired value always evaluates to not equal. This means | ||||||
|  |               the before and desired states are never equal if the parameter is set. | ||||||
|  |             - Set to V(always) to include O(config.bindCredential) in the comparison of before and desired state. | ||||||
|  |               Because of the redacted value returned by Keycloak the module will always detect a change | ||||||
|  |               and make an update if a O(config.bindCredential) value is set. | ||||||
|  |             - Set to V(only_indirect) to exclude O(config.bindCredential) when comparing the before state with the | ||||||
|  |               desired state. The value of O(config.bindCredential) will only be updated if there are other changes | ||||||
|  |               to the user federation that require an update. | ||||||
|  |         type: str | ||||||
|  |         default: always | ||||||
|  |         choices: | ||||||
|  |             - always | ||||||
|  |             - only_indirect | ||||||
|  | 
 | ||||||
|     config: |     config: | ||||||
|         description: |         description: | ||||||
|             - Dict specifying the configuration options for the provider; the contents differ depending on |             - Dict specifying the configuration options for the provider; the contents differ depending on | ||||||
|               the value of I(provider_id). Examples are given below for C(ldap), C(kerberos) and C(sssd). |               the value of O(provider_id). Examples are given below for V(ldap), V(kerberos) and V(sssd). | ||||||
|               It is easiest to obtain valid config values by dumping an already-existing user federation |               It is easiest to obtain valid config values by dumping an already-existing user federation | ||||||
|               configuration through check-mode in the I(existing) field. |               configuration through check-mode in the RV(existing) field. | ||||||
|             - The value C(sssd) has been supported since middleware_automation.keycloak 1.0.0. |             - The value V(sssd) has been supported since middleware_automation.keycloak 2.0.0. | ||||||
|         type: dict |         type: dict | ||||||
|         suboptions: |         suboptions: | ||||||
|             enabled: |             enabled: | ||||||
|  | @ -111,15 +132,15 @@ options: | ||||||
| 
 | 
 | ||||||
|             importEnabled: |             importEnabled: | ||||||
|                 description: |                 description: | ||||||
|                     - If C(true), LDAP users will be imported into Keycloak DB and synced by the configured |                     - If V(true), LDAP users will be imported into Keycloak DB and synced by the configured | ||||||
|                       sync policies. |                       sync policies. | ||||||
|                 default: true |                 default: true | ||||||
|                 type: bool |                 type: bool | ||||||
| 
 | 
 | ||||||
|             editMode: |             editMode: | ||||||
|                 description: |                 description: | ||||||
|                     - C(READ_ONLY) is a read-only LDAP store. C(WRITABLE) means data will be synced back to LDAP |                     - V(READ_ONLY) is a read-only LDAP store. V(WRITABLE) means data will be synced back to LDAP | ||||||
|                       on demand. C(UNSYNCED) means user data will be imported, but not synced back to LDAP. |                       on demand. V(UNSYNCED) means user data will be imported, but not synced back to LDAP. | ||||||
|                 type: str |                 type: str | ||||||
|                 choices: |                 choices: | ||||||
|                     - READ_ONLY |                     - READ_ONLY | ||||||
|  | @ -136,13 +157,13 @@ options: | ||||||
|             vendor: |             vendor: | ||||||
|                 description: |                 description: | ||||||
|                     - LDAP vendor (provider). |                     - LDAP vendor (provider). | ||||||
|                     - Use short name. For instance, write C(rhds) for "Red Hat Directory Server". |                     - Use short name. For instance, write V(rhds) for "Red Hat Directory Server". | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|             usernameLDAPAttribute: |             usernameLDAPAttribute: | ||||||
|                 description: |                 description: | ||||||
|                     - Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server |                     - Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server | ||||||
|                       vendors it can be C(uid). For Active directory it can be C(sAMAccountName) or C(cn). |                       vendors it can be V(uid). For Active directory it can be V(sAMAccountName) or V(cn). | ||||||
|                       The attribute should be filled for all LDAP user records you want to import from |                       The attribute should be filled for all LDAP user records you want to import from | ||||||
|                       LDAP to Keycloak. |                       LDAP to Keycloak. | ||||||
|                 type: str |                 type: str | ||||||
|  | @ -151,15 +172,15 @@ options: | ||||||
|                 description: |                 description: | ||||||
|                     - Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. |                     - Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. | ||||||
|                       Usually it's the same as Username LDAP attribute, however it is not required. For |                       Usually it's the same as Username LDAP attribute, however it is not required. For | ||||||
|                       example for Active directory, it is common to use C(cn) as RDN attribute when |                       example for Active directory, it is common to use V(cn) as RDN attribute when | ||||||
|                       username attribute might be C(sAMAccountName). |                       username attribute might be V(sAMAccountName). | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|             uuidLDAPAttribute: |             uuidLDAPAttribute: | ||||||
|                 description: |                 description: | ||||||
|                     - Name of LDAP attribute, which is used as unique object identifier (UUID) for objects |                     - Name of LDAP attribute, which is used as unique object identifier (UUID) for objects | ||||||
|                       in LDAP. For many LDAP server vendors, it is C(entryUUID); however some are different. |                       in LDAP. For many LDAP server vendors, it is V(entryUUID); however some are different. | ||||||
|                       For example for Active directory it should be C(objectGUID). If your LDAP server does |                       For example for Active directory it should be V(objectGUID). If your LDAP server does | ||||||
|                       not support the notion of UUID, you can use any other attribute that is supposed to |                       not support the notion of UUID, you can use any other attribute that is supposed to | ||||||
|                       be unique among LDAP users in tree. |                       be unique among LDAP users in tree. | ||||||
|                 type: str |                 type: str | ||||||
|  | @ -167,7 +188,7 @@ options: | ||||||
|             userObjectClasses: |             userObjectClasses: | ||||||
|                 description: |                 description: | ||||||
|                     - All values of LDAP objectClass attribute for users in LDAP divided by comma. |                     - All values of LDAP objectClass attribute for users in LDAP divided by comma. | ||||||
|                       For example C(inetOrgPerson, organizationalPerson). Newly created Keycloak users |                       For example V(inetOrgPerson, organizationalPerson). Newly created Keycloak users | ||||||
|                       will be written to LDAP with all those object classes and existing LDAP user records |                       will be written to LDAP with all those object classes and existing LDAP user records | ||||||
|                       are found just if they contain all those object classes. |                       are found just if they contain all those object classes. | ||||||
|                 type: str |                 type: str | ||||||
|  | @ -251,8 +272,8 @@ options: | ||||||
|             useTruststoreSpi: |             useTruststoreSpi: | ||||||
|                 description: |                 description: | ||||||
|                     - Specifies whether LDAP connection will use the truststore SPI with the truststore |                     - Specifies whether LDAP connection will use the truststore SPI with the truststore | ||||||
|                       configured in standalone.xml/domain.xml. C(Always) means that it will always use it. |                       configured in standalone.xml/domain.xml. V(always) means that it will always use it. | ||||||
|                       C(Never) means that it will not use it. C(Only for ldaps) means that it will use if |                       V(never) means that it will not use it. V(ldapsOnly) means that it will use if | ||||||
|                       your connection URL use ldaps. Note even if standalone.xml/domain.xml is not |                       your connection URL use ldaps. Note even if standalone.xml/domain.xml is not | ||||||
|                       configured, the default Java cacerts or certificate specified by |                       configured, the default Java cacerts or certificate specified by | ||||||
|                       C(javax.net.ssl.trustStore) property will be used. |                       C(javax.net.ssl.trustStore) property will be used. | ||||||
|  | @ -297,7 +318,7 @@ options: | ||||||
|             connectionPoolingDebug: |             connectionPoolingDebug: | ||||||
|                 description: |                 description: | ||||||
|                     - A string that indicates the level of debug output to produce. Example valid values are |                     - A string that indicates the level of debug output to produce. Example valid values are | ||||||
|                       C(fine) (trace connection creation and removal) and C(all) (all debugging information). |                       V(fine) (trace connection creation and removal) and V(all) (all debugging information). | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|             connectionPoolingInitSize: |             connectionPoolingInitSize: | ||||||
|  | @ -321,7 +342,7 @@ options: | ||||||
|             connectionPoolingProtocol: |             connectionPoolingProtocol: | ||||||
|                 description: |                 description: | ||||||
|                     - A list of space-separated protocol types of connections that may be pooled. |                     - A list of space-separated protocol types of connections that may be pooled. | ||||||
|                       Valid types are C(plain) and C(ssl). |                       Valid types are V(plain) and V(ssl). | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|             connectionPoolingTimeout: |             connectionPoolingTimeout: | ||||||
|  | @ -342,17 +363,26 @@ options: | ||||||
|                     - Name of kerberos realm. |                     - Name of kerberos realm. | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|  |             krbPrincipalAttribute: | ||||||
|  |                 description: | ||||||
|  |                     - Name of the LDAP attribute, which refers to Kerberos principal. | ||||||
|  |                       This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO authentication in Keycloak. | ||||||
|  |                       When this is empty, the LDAP user will be looked based on LDAP username corresponding | ||||||
|  |                       to the first part of his Kerberos principal. For instance, for principal C(john@KEYCLOAK.ORG), | ||||||
|  |                       it will assume that LDAP username is V(john). | ||||||
|  |                 type: str | ||||||
|  | 
 | ||||||
|             serverPrincipal: |             serverPrincipal: | ||||||
|                 description: |                 description: | ||||||
|                     - Full name of server principal for HTTP service including server and domain name. For |                     - Full name of server principal for HTTP service including server and domain name. For | ||||||
|                       example C(HTTP/host.foo.org@FOO.ORG). Use C(*) to accept any service principal in the |                       example V(HTTP/host.foo.org@FOO.ORG). Use V(*) to accept any service principal in the | ||||||
|                       KeyTab file. |                       KeyTab file. | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|             keyTab: |             keyTab: | ||||||
|                 description: |                 description: | ||||||
|                     - Location of Kerberos KeyTab file containing the credentials of server principal. For |                     - Location of Kerberos KeyTab file containing the credentials of server principal. For | ||||||
|                       example C(/etc/krb5.keytab). |                       example V(/etc/krb5.keytab). | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|             debug: |             debug: | ||||||
|  | @ -427,6 +457,16 @@ options: | ||||||
|                     - Max lifespan of cache entry in milliseconds. |                     - Max lifespan of cache entry in milliseconds. | ||||||
|                 type: int |                 type: int | ||||||
| 
 | 
 | ||||||
|  |             referral: | ||||||
|  |                 description: | ||||||
|  |                     - Specifies if LDAP referrals should be followed or ignored. Please note that enabling | ||||||
|  |                       referrals can slow down authentication as it allows the LDAP server to decide which other | ||||||
|  |                       LDAP servers to use. This could potentially include untrusted servers. | ||||||
|  |                 type: str | ||||||
|  |                 choices: | ||||||
|  |                     - ignore | ||||||
|  |                     - follow | ||||||
|  | 
 | ||||||
|     mappers: |     mappers: | ||||||
|         description: |         description: | ||||||
|             - A list of dicts defining mappers associated with this Identity Provider. |             - A list of dicts defining mappers associated with this Identity Provider. | ||||||
|  | @ -451,7 +491,7 @@ options: | ||||||
| 
 | 
 | ||||||
|             providerId: |             providerId: | ||||||
|                 description: |                 description: | ||||||
|                     - The mapper type for this mapper (for instance C(user-attribute-ldap-mapper)). |                     - The mapper type for this mapper (for instance V(user-attribute-ldap-mapper)). | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|             providerType: |             providerType: | ||||||
|  | @ -704,16 +744,27 @@ from ansible.module_utils.six.moves.urllib.parse import urlencode | ||||||
| from copy import deepcopy | from copy import deepcopy | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | def normalize_kc_comp(comp): | ||||||
|  |     if 'config' in comp: | ||||||
|  |         # kc completely removes the parameter `krbPrincipalAttribute` if it is set to `''`; the unset kc parameter is equivalent to `''`; | ||||||
|  |         # to make change detection and diff more accurate we set it again in the kc responses | ||||||
|  |         if 'krbPrincipalAttribute' not in comp['config']: | ||||||
|  |             comp['config']['krbPrincipalAttribute'] = [''] | ||||||
|  | 
 | ||||||
|  |         # kc stores a timestamp of the last sync in `lastSync` to time the periodic sync, it is removed to minimize diff/changes | ||||||
|  |         comp['config'].pop('lastSync', None) | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
| def sanitize(comp): | def sanitize(comp): | ||||||
|     compcopy = deepcopy(comp) |     compcopy = deepcopy(comp) | ||||||
|     if 'config' in compcopy: |     if 'config' in compcopy: | ||||||
|         compcopy['config'] = dict((k, v[0]) for k, v in compcopy['config'].items()) |         compcopy['config'] = {k: v[0] for k, v in compcopy['config'].items()} | ||||||
|         if 'bindCredential' in compcopy['config']: |         if 'bindCredential' in compcopy['config']: | ||||||
|             compcopy['config']['bindCredential'] = '**********' |             compcopy['config']['bindCredential'] = '**********' | ||||||
|     if 'mappers' in compcopy: |     if 'mappers' in compcopy: | ||||||
|         for mapper in compcopy['mappers']: |         for mapper in compcopy['mappers']: | ||||||
|             if 'config' in mapper: |             if 'config' in mapper: | ||||||
|                 mapper['config'] = dict((k, v[0]) for k, v in mapper['config'].items()) |                 mapper['config'] = {k: v[0] for k, v in mapper['config'].items()} | ||||||
|     return compcopy |     return compcopy | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | @ -760,8 +811,10 @@ def main(): | ||||||
|         priority=dict(type='int', default=0), |         priority=dict(type='int', default=0), | ||||||
|         rdnLDAPAttribute=dict(type='str'), |         rdnLDAPAttribute=dict(type='str'), | ||||||
|         readTimeout=dict(type='int'), |         readTimeout=dict(type='int'), | ||||||
|  |         referral=dict(type='str', choices=['ignore', 'follow']), | ||||||
|         searchScope=dict(type='str', choices=['1', '2'], default='1'), |         searchScope=dict(type='str', choices=['1', '2'], default='1'), | ||||||
|         serverPrincipal=dict(type='str'), |         serverPrincipal=dict(type='str'), | ||||||
|  |         krbPrincipalAttribute=dict(type='str'), | ||||||
|         startTls=dict(type='bool', default=False), |         startTls=dict(type='bool', default=False), | ||||||
|         syncRegistrations=dict(type='bool', default=False), |         syncRegistrations=dict(type='bool', default=False), | ||||||
|         trustEmail=dict(type='bool', default=False), |         trustEmail=dict(type='bool', default=False), | ||||||
|  | @ -792,9 +845,11 @@ def main(): | ||||||
|         realm=dict(type='str', default='master'), |         realm=dict(type='str', default='master'), | ||||||
|         id=dict(type='str'), |         id=dict(type='str'), | ||||||
|         name=dict(type='str'), |         name=dict(type='str'), | ||||||
|         provider_id=dict(type='str', aliases=['providerId'], choices=['ldap', 'kerberos', 'sssd']), |         provider_id=dict(type='str', aliases=['providerId']), | ||||||
|         provider_type=dict(type='str', aliases=['providerType'], default='org.keycloak.storage.UserStorageProvider'), |         provider_type=dict(type='str', aliases=['providerType'], default='org.keycloak.storage.UserStorageProvider'), | ||||||
|         parent_id=dict(type='str', aliases=['parentId']), |         parent_id=dict(type='str', aliases=['parentId']), | ||||||
|  |         remove_unspecified_mappers=dict(type='bool', default=True), | ||||||
|  |         bind_credential_update_mode=dict(type='str', default='always', choices=['always', 'only_indirect']), | ||||||
|         mappers=dict(type='list', elements='dict', options=mapper_spec), |         mappers=dict(type='list', elements='dict', options=mapper_spec), | ||||||
|     ) |     ) | ||||||
| 
 | 
 | ||||||
|  | @ -825,19 +880,26 @@ def main(): | ||||||
| 
 | 
 | ||||||
|     # Keycloak API expects config parameters to be arrays containing a single string element |     # Keycloak API expects config parameters to be arrays containing a single string element | ||||||
|     if config is not None: |     if config is not None: | ||||||
|         module.params['config'] = dict((k, [str(v).lower() if not isinstance(v, str) else v]) |         module.params['config'] = { | ||||||
|                                        for k, v in config.items() if config[k] is not None) |             k: [str(v).lower() if not isinstance(v, str) else v] | ||||||
|  |             for k, v in config.items() | ||||||
|  |             if config[k] is not None | ||||||
|  |         } | ||||||
| 
 | 
 | ||||||
|     if mappers is not None: |     if mappers is not None: | ||||||
|         for mapper in mappers: |         for mapper in mappers: | ||||||
|             if mapper.get('config') is not None: |             if mapper.get('config') is not None: | ||||||
|                 mapper['config'] = dict((k, [str(v).lower() if not isinstance(v, str) else v]) |                 mapper['config'] = { | ||||||
|                                         for k, v in mapper['config'].items() if mapper['config'][k] is not None) |                     k: [str(v).lower() if not isinstance(v, str) else v] | ||||||
|  |                     for k, v in mapper['config'].items() | ||||||
|  |                     if mapper['config'][k] is not None | ||||||
|  |                 } | ||||||
| 
 | 
 | ||||||
|     # Filter and map the parameters names that apply |     # Filter and map the parameters names that apply | ||||||
|     comp_params = [x for x in module.params |     comp_params = [x for x in module.params | ||||||
|                    if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm', 'mappers'] and |                    if x not in list(keycloak_argument_spec().keys()) | ||||||
|                    module.params.get(x) is not None] |                    + ['state', 'realm', 'mappers', 'remove_unspecified_mappers', 'bind_credential_update_mode'] | ||||||
|  |                    and module.params.get(x) is not None] | ||||||
| 
 | 
 | ||||||
|     # See if it already exists in Keycloak |     # See if it already exists in Keycloak | ||||||
|     if cid is None: |     if cid is None: | ||||||
|  | @ -855,7 +917,9 @@ def main(): | ||||||
| 
 | 
 | ||||||
|     # if user federation exists, get associated mappers |     # if user federation exists, get associated mappers | ||||||
|     if cid is not None and before_comp: |     if cid is not None and before_comp: | ||||||
|         before_comp['mappers'] = sorted(kc.get_components(urlencode(dict(parent=cid)), realm), key=lambda x: x.get('name')) |         before_comp['mappers'] = sorted(kc.get_components(urlencode(dict(parent=cid)), realm), key=lambda x: x.get('name') or '') | ||||||
|  | 
 | ||||||
|  |     normalize_kc_comp(before_comp) | ||||||
| 
 | 
 | ||||||
|     # Build a proposed changeset from parameters given to this module |     # Build a proposed changeset from parameters given to this module | ||||||
|     changeset = {} |     changeset = {} | ||||||
|  | @ -864,7 +928,7 @@ def main(): | ||||||
|         new_param_value = module.params.get(param) |         new_param_value = module.params.get(param) | ||||||
|         old_value = before_comp[camel(param)] if camel(param) in before_comp else None |         old_value = before_comp[camel(param)] if camel(param) in before_comp else None | ||||||
|         if param == 'mappers': |         if param == 'mappers': | ||||||
|             new_param_value = [dict((k, v) for k, v in x.items() if x[k] is not None) for x in new_param_value] |             new_param_value = [{k: v for k, v in x.items() if v is not None} for x in new_param_value] | ||||||
|         if new_param_value != old_value: |         if new_param_value != old_value: | ||||||
|             changeset[camel(param)] = new_param_value |             changeset[camel(param)] = new_param_value | ||||||
| 
 | 
 | ||||||
|  | @ -873,17 +937,17 @@ def main(): | ||||||
|         if module.params['provider_id'] in ['kerberos', 'sssd']: |         if module.params['provider_id'] in ['kerberos', 'sssd']: | ||||||
|             module.fail_json(msg='Cannot configure mappers for {type} provider.'.format(type=module.params['provider_id'])) |             module.fail_json(msg='Cannot configure mappers for {type} provider.'.format(type=module.params['provider_id'])) | ||||||
|         for change in module.params['mappers']: |         for change in module.params['mappers']: | ||||||
|             change = dict((k, v) for k, v in change.items() if change[k] is not None) |             change = {k: v for k, v in change.items() if v is not None} | ||||||
|             if change.get('id') is None and change.get('name') is None: |             if change.get('id') is None and change.get('name') is None: | ||||||
|                 module.fail_json(msg='Either `name` or `id` has to be specified on each mapper.') |                 module.fail_json(msg='Either `name` or `id` has to be specified on each mapper.') | ||||||
|             if cid is None: |             if cid is None: | ||||||
|                 old_mapper = {} |                 old_mapper = {} | ||||||
|             elif change.get('id') is not None: |             elif change.get('id') is not None: | ||||||
|                 old_mapper = kc.get_component(change['id'], realm) |                 old_mapper = next((before_mapper for before_mapper in before_comp.get('mappers', []) if before_mapper["id"] == change['id']), None) | ||||||
|                 if old_mapper is None: |                 if old_mapper is None: | ||||||
|                     old_mapper = {} |                     old_mapper = {} | ||||||
|             else: |             else: | ||||||
|                 found = kc.get_components(urlencode(dict(parent=cid, name=change['name'])), realm) |                 found = [before_mapper for before_mapper in before_comp.get('mappers', []) if before_mapper['name'] == change['name']] | ||||||
|                 if len(found) > 1: |                 if len(found) > 1: | ||||||
|                     module.fail_json(msg='Found multiple mappers with name `{name}`. Cannot continue.'.format(name=change['name'])) |                     module.fail_json(msg='Found multiple mappers with name `{name}`. Cannot continue.'.format(name=change['name'])) | ||||||
|                 if len(found) == 1: |                 if len(found) == 1: | ||||||
|  | @ -892,10 +956,16 @@ def main(): | ||||||
|                     old_mapper = {} |                     old_mapper = {} | ||||||
|             new_mapper = old_mapper.copy() |             new_mapper = old_mapper.copy() | ||||||
|             new_mapper.update(change) |             new_mapper.update(change) | ||||||
|             if new_mapper != old_mapper: |             # changeset contains all desired mappers: those existing, to update or to create | ||||||
|             if changeset.get('mappers') is None: |             if changeset.get('mappers') is None: | ||||||
|                 changeset['mappers'] = list() |                 changeset['mappers'] = list() | ||||||
|             changeset['mappers'].append(new_mapper) |             changeset['mappers'].append(new_mapper) | ||||||
|  |         changeset['mappers'] = sorted(changeset['mappers'], key=lambda x: x.get('name') or '') | ||||||
|  | 
 | ||||||
|  |         # to keep unspecified existing mappers we add them to the desired mappers list, unless they're already present | ||||||
|  |         if not module.params['remove_unspecified_mappers'] and 'mappers' in before_comp: | ||||||
|  |             changeset_mapper_ids = [mapper['id'] for mapper in changeset['mappers'] if 'id' in mapper] | ||||||
|  |             changeset['mappers'].extend([mapper for mapper in before_comp['mappers'] if mapper['id'] not in changeset_mapper_ids]) | ||||||
| 
 | 
 | ||||||
|     # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis) |     # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis) | ||||||
|     desired_comp = before_comp.copy() |     desired_comp = before_comp.copy() | ||||||
|  | @ -918,50 +988,68 @@ def main(): | ||||||
|         # Process a creation |         # Process a creation | ||||||
|         result['changed'] = True |         result['changed'] = True | ||||||
| 
 | 
 | ||||||
|  |         if module.check_mode: | ||||||
|             if module._diff: |             if module._diff: | ||||||
|                 result['diff'] = dict(before='', after=sanitize(desired_comp)) |                 result['diff'] = dict(before='', after=sanitize(desired_comp)) | ||||||
| 
 |  | ||||||
|         if module.check_mode: |  | ||||||
|             module.exit_json(**result) |             module.exit_json(**result) | ||||||
| 
 | 
 | ||||||
|         # create it |         # create it | ||||||
|         desired_comp = desired_comp.copy() |         desired_mappers = desired_comp.pop('mappers', []) | ||||||
|         updated_mappers = desired_comp.pop('mappers', []) |  | ||||||
|         after_comp = kc.create_component(desired_comp, realm) |         after_comp = kc.create_component(desired_comp, realm) | ||||||
| 
 |  | ||||||
|         cid = after_comp['id'] |         cid = after_comp['id'] | ||||||
|  |         updated_mappers = [] | ||||||
|  |         # when creating a user federation, keycloak automatically creates default mappers | ||||||
|  |         default_mappers = kc.get_components(urlencode(dict(parent=cid)), realm) | ||||||
| 
 | 
 | ||||||
|         for mapper in updated_mappers: |         # create new mappers or update existing default mappers | ||||||
|             found = kc.get_components(urlencode(dict(parent=cid, name=mapper['name'])), realm) |         for desired_mapper in desired_mappers: | ||||||
|  |             found = [default_mapper for default_mapper in default_mappers if default_mapper['name'] == desired_mapper['name']] | ||||||
|             if len(found) > 1: |             if len(found) > 1: | ||||||
|                 module.fail_json(msg='Found multiple mappers with name `{name}`. Cannot continue.'.format(name=mapper['name'])) |                 module.fail_json(msg='Found multiple mappers with name `{name}`. Cannot continue.'.format(name=desired_mapper['name'])) | ||||||
|             if len(found) == 1: |             if len(found) == 1: | ||||||
|                 old_mapper = found[0] |                 old_mapper = found[0] | ||||||
|             else: |             else: | ||||||
|                 old_mapper = {} |                 old_mapper = {} | ||||||
| 
 | 
 | ||||||
|             new_mapper = old_mapper.copy() |             new_mapper = old_mapper.copy() | ||||||
|             new_mapper.update(mapper) |             new_mapper.update(desired_mapper) | ||||||
| 
 | 
 | ||||||
|             if new_mapper.get('id') is not None: |             if new_mapper.get('id') is not None: | ||||||
|                 kc.update_component(new_mapper, realm) |                 kc.update_component(new_mapper, realm) | ||||||
|  |                 updated_mappers.append(new_mapper) | ||||||
|             else: |             else: | ||||||
|                 if new_mapper.get('parentId') is None: |                 if new_mapper.get('parentId') is None: | ||||||
|                     new_mapper['parentId'] = after_comp['id'] |                     new_mapper['parentId'] = cid | ||||||
|                 mapper = kc.create_component(new_mapper, realm) |                 updated_mappers.append(kc.create_component(new_mapper, realm)) | ||||||
| 
 | 
 | ||||||
|         after_comp['mappers'] = updated_mappers |         if module.params['remove_unspecified_mappers']: | ||||||
|  |             # we remove all unwanted default mappers | ||||||
|  |             # we use ids so we dont accidently remove one of the previously updated default mapper | ||||||
|  |             for default_mapper in default_mappers: | ||||||
|  |                 if not default_mapper['id'] in [x['id'] for x in updated_mappers]: | ||||||
|  |                     kc.delete_component(default_mapper['id'], realm) | ||||||
|  | 
 | ||||||
|  |         after_comp['mappers'] = kc.get_components(urlencode(dict(parent=cid)), realm) | ||||||
|  |         normalize_kc_comp(after_comp) | ||||||
|  |         if module._diff: | ||||||
|  |             result['diff'] = dict(before='', after=sanitize(after_comp)) | ||||||
|         result['end_state'] = sanitize(after_comp) |         result['end_state'] = sanitize(after_comp) | ||||||
| 
 |         result['msg'] = "User federation {id} has been created".format(id=cid) | ||||||
|         result['msg'] = "User federation {id} has been created".format(id=after_comp['id']) |  | ||||||
|         module.exit_json(**result) |         module.exit_json(**result) | ||||||
| 
 | 
 | ||||||
|     else: |     else: | ||||||
|         if state == 'present': |         if state == 'present': | ||||||
|             # Process an update |             # Process an update | ||||||
| 
 | 
 | ||||||
|  |             desired_copy = deepcopy(desired_comp) | ||||||
|  |             before_copy = deepcopy(before_comp) | ||||||
|  |             # exclude bindCredential when checking wether an update is required, therefore | ||||||
|  |             # updating it only if there are other changes | ||||||
|  |             if module.params['bind_credential_update_mode'] == 'only_indirect': | ||||||
|  |                 desired_copy.get('config', []).pop('bindCredential', None) | ||||||
|  |                 before_copy.get('config', []).pop('bindCredential', None) | ||||||
|             # no changes |             # no changes | ||||||
|             if desired_comp == before_comp: |             if desired_copy == before_copy: | ||||||
|                 result['changed'] = False |                 result['changed'] = False | ||||||
|                 result['end_state'] = sanitize(desired_comp) |                 result['end_state'] = sanitize(desired_comp) | ||||||
|                 result['msg'] = "No changes required to user federation {id}.".format(id=cid) |                 result['msg'] = "No changes required to user federation {id}.".format(id=cid) | ||||||
|  | @ -977,22 +1065,33 @@ def main(): | ||||||
|                 module.exit_json(**result) |                 module.exit_json(**result) | ||||||
| 
 | 
 | ||||||
|             # do the update |             # do the update | ||||||
|             desired_comp = desired_comp.copy() |             desired_mappers = desired_comp.pop('mappers', []) | ||||||
|             updated_mappers = desired_comp.pop('mappers', []) |  | ||||||
|             kc.update_component(desired_comp, realm) |             kc.update_component(desired_comp, realm) | ||||||
|             after_comp = kc.get_component(cid, realm) |  | ||||||
| 
 | 
 | ||||||
|             for mapper in updated_mappers: |             for before_mapper in before_comp.get('mappers', []): | ||||||
|  |                 # remove unwanted existing mappers that will not be updated | ||||||
|  |                 if not before_mapper['id'] in [x['id'] for x in desired_mappers if 'id' in x]: | ||||||
|  |                     kc.delete_component(before_mapper['id'], realm) | ||||||
|  | 
 | ||||||
|  |             for mapper in desired_mappers: | ||||||
|  |                 if mapper in before_comp.get('mappers', []): | ||||||
|  |                     continue | ||||||
|                 if mapper.get('id') is not None: |                 if mapper.get('id') is not None: | ||||||
|                     kc.update_component(mapper, realm) |                     kc.update_component(mapper, realm) | ||||||
|                 else: |                 else: | ||||||
|                     if mapper.get('parentId') is None: |                     if mapper.get('parentId') is None: | ||||||
|                         mapper['parentId'] = desired_comp['id'] |                         mapper['parentId'] = desired_comp['id'] | ||||||
|                     mapper = kc.create_component(mapper, realm) |                     kc.create_component(mapper, realm) | ||||||
| 
 |  | ||||||
|             after_comp['mappers'] = updated_mappers |  | ||||||
|             result['end_state'] = sanitize(after_comp) |  | ||||||
| 
 | 
 | ||||||
|  |             after_comp = kc.get_component(cid, realm) | ||||||
|  |             after_comp['mappers'] = sorted(kc.get_components(urlencode(dict(parent=cid)), realm), key=lambda x: x.get('name') or '') | ||||||
|  |             normalize_kc_comp(after_comp) | ||||||
|  |             after_comp_sanitized = sanitize(after_comp) | ||||||
|  |             before_comp_sanitized = sanitize(before_comp) | ||||||
|  |             result['end_state'] = after_comp_sanitized | ||||||
|  |             if module._diff: | ||||||
|  |                 result['diff'] = dict(before=before_comp_sanitized, after=after_comp_sanitized) | ||||||
|  |             result['changed'] = before_comp_sanitized != after_comp_sanitized | ||||||
|             result['msg'] = "User federation {id} has been updated".format(id=cid) |             result['msg'] = "User federation {id} has been updated".format(id=cid) | ||||||
|             module.exit_json(**result) |             module.exit_json(**result) | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -118,3 +118,7 @@ keycloak_no_log: true | ||||||
| 
 | 
 | ||||||
| ### logging configuration | ### logging configuration | ||||||
| keycloak_log_target: /var/log/keycloak | keycloak_log_target: /var/log/keycloak | ||||||
|  | 
 | ||||||
|  | # locations | ||||||
|  | keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}" | ||||||
|  | keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}" | ||||||
|  |  | ||||||
|  | @ -12,7 +12,7 @@ galaxy_info: | ||||||
| 
 | 
 | ||||||
|   license: Apache License 2.0 |   license: Apache License 2.0 | ||||||
| 
 | 
 | ||||||
|   min_ansible_version: "2.15" |   min_ansible_version: "2.16" | ||||||
| 
 | 
 | ||||||
|   platforms: |   platforms: | ||||||
|     - name: EL |     - name: EL | ||||||
|  |  | ||||||
|  | @ -1,6 +1,10 @@ | ||||||
| --- | --- | ||||||
| - name: Include firewall config tasks | - name: Include firewall config tasks | ||||||
|   ansible.builtin.include_tasks: iptables.yml |   ansible.builtin.include_tasks: | ||||||
|  |     file: iptables.yml | ||||||
|  |     apply: | ||||||
|  |       tags: | ||||||
|  |         - firewall | ||||||
|   when: keycloak_configure_iptables |   when: keycloak_configure_iptables | ||||||
|   tags: |   tags: | ||||||
|     - firewall |     - firewall | ||||||
|  |  | ||||||
|  | @ -1,22 +1,38 @@ | ||||||
| --- | --- | ||||||
| # tasks file for keycloak | # tasks file for keycloak | ||||||
| - name: Check prerequisites | - name: Check prerequisites | ||||||
|   ansible.builtin.include_tasks: prereqs.yml |   ansible.builtin.include_tasks: | ||||||
|  |     file: prereqs.yml | ||||||
|  |     apply: | ||||||
|  |       tags: | ||||||
|  |         - prereqs | ||||||
|   tags: |   tags: | ||||||
|     - prereqs |     - prereqs | ||||||
| 
 | 
 | ||||||
| - name: Distro specific tasks | - name: Distro specific tasks | ||||||
|   ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml" |   ansible.builtin.include_tasks: | ||||||
|  |     file: "{{ ansible_os_family | lower }}.yml" | ||||||
|  |     apply: | ||||||
|  |       tags: | ||||||
|  |         - unbound | ||||||
|   tags: |   tags: | ||||||
|     - unbound |     - unbound | ||||||
| 
 | 
 | ||||||
| - name: Include install tasks | - name: Include install tasks | ||||||
|   ansible.builtin.include_tasks: install.yml |   ansible.builtin.include_tasks: | ||||||
|  |     file: install.yml | ||||||
|  |     apply: | ||||||
|  |       tags: | ||||||
|  |         - install | ||||||
|   tags: |   tags: | ||||||
|     - install |     - install | ||||||
| 
 | 
 | ||||||
| - name: Include systemd tasks | - name: Include systemd tasks | ||||||
|   ansible.builtin.include_tasks: systemd.yml |   ansible.builtin.include_tasks: | ||||||
|  |     file: systemd.yml | ||||||
|  |     apply: | ||||||
|  |       tags: | ||||||
|  |         - systemd | ||||||
|   tags: |   tags: | ||||||
|     - systemd |     - systemd | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -1,6 +1,10 @@ | ||||||
| --- | --- | ||||||
| - name: Include firewall config tasks | - name: Include firewall config tasks | ||||||
|   ansible.builtin.include_tasks: firewalld.yml |   ansible.builtin.include_tasks: | ||||||
|  |     file: firewalld.yml | ||||||
|  |     apply: | ||||||
|  |       tags: | ||||||
|  |         - firewall | ||||||
|   when: keycloak_configure_firewalld |   when: keycloak_configure_firewalld | ||||||
|   tags: |   tags: | ||||||
|     - firewall |     - firewall | ||||||
|  |  | ||||||
|  | @ -2,12 +2,12 @@ | ||||||
| - name: Ensure required params for CLI have been provided | - name: Ensure required params for CLI have been provided | ||||||
|   ansible.builtin.assert: |   ansible.builtin.assert: | ||||||
|     that: |     that: | ||||||
|       - query is defined |       - cli_query is defined | ||||||
|     fail_msg: "Missing required parameters to execute CLI." |     fail_msg: "Missing required parameters to execute CLI." | ||||||
|     quiet: true |     quiet: true | ||||||
| 
 | 
 | ||||||
| - name: "Execute CLI query: {{ query }}" | - name: "Execute CLI query: {{ cli_query }}" | ||||||
|   ansible.builtin.command: > |   ansible.builtin.command: > | ||||||
|     {{ keycloak.cli_path }} --connect --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }} |     {{ keycloak.cli_path }} --connect --command='{{ cli_query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }} | ||||||
|   changed_when: false |   changed_when: false | ||||||
|   register: cli_result |   register: cli_result | ||||||
|  |  | ||||||
|  | @ -106,7 +106,7 @@ | ||||||
| - name: "Check installed patches" | - name: "Check installed patches" | ||||||
|   ansible.builtin.include_tasks: rhsso_cli.yml |   ansible.builtin.include_tasks: rhsso_cli.yml | ||||||
|   vars: |   vars: | ||||||
|     query: "patch info" |     cli_query: "patch info" | ||||||
|   args: |   args: | ||||||
|     apply: |     apply: | ||||||
|       become: true |       become: true | ||||||
|  | @ -121,7 +121,7 @@ | ||||||
|     - name: "Apply patch {{ patch_version }} to server" |     - name: "Apply patch {{ patch_version }} to server" | ||||||
|       ansible.builtin.include_tasks: rhsso_cli.yml |       ansible.builtin.include_tasks: rhsso_cli.yml | ||||||
|       vars: |       vars: | ||||||
|         query: "patch apply {{ patch_archive }}" |         cli_query: "patch apply {{ patch_archive }}" | ||||||
|       args: |       args: | ||||||
|         apply: |         apply: | ||||||
|           become: true |           become: true | ||||||
|  | @ -130,7 +130,7 @@ | ||||||
|     - name: "Restart server to ensure patch content is running" |     - name: "Restart server to ensure patch content is running" | ||||||
|       ansible.builtin.include_tasks: rhsso_cli.yml |       ansible.builtin.include_tasks: rhsso_cli.yml | ||||||
|       vars: |       vars: | ||||||
|         query: "shutdown --restart" |         cli_query: "shutdown --restart" | ||||||
|       when: |       when: | ||||||
|         - cli_result.rc == 0 |         - cli_result.rc == 0 | ||||||
|       args: |       args: | ||||||
|  | @ -149,7 +149,7 @@ | ||||||
|     - name: "Query installed patch after restart" |     - name: "Query installed patch after restart" | ||||||
|       ansible.builtin.include_tasks: rhsso_cli.yml |       ansible.builtin.include_tasks: rhsso_cli.yml | ||||||
|       vars: |       vars: | ||||||
|         query: "patch info" |         cli_query: "patch info" | ||||||
|       args: |       args: | ||||||
|         apply: |         apply: | ||||||
|           become: true |           become: true | ||||||
|  |  | ||||||
|  | @ -1,9 +1,6 @@ | ||||||
| --- | --- | ||||||
| # internal variables below | # internal variables below | ||||||
| 
 | 
 | ||||||
| # locations |  | ||||||
| keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}" |  | ||||||
| keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}" |  | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| keycloak: | keycloak: | ||||||
|  |  | ||||||
|  | @ -33,7 +33,7 @@ Role Defaults | ||||||
| 
 | 
 | ||||||
| | Variable | Description | Default | | | Variable | Description | Default | | ||||||
| |:---------|:------------|:--------| | |:---------|:------------|:--------| | ||||||
| |`keycloak_quarkus_version`| keycloak.org package version | `24.0.4` | | |`keycloak_quarkus_version`| keycloak.org package version | `26.3.0` | | ||||||
| |`keycloak_quarkus_offline_install` | Perform an offline install | `False`| | |`keycloak_quarkus_offline_install` | Perform an offline install | `False`| | ||||||
| |`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` | | |`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` | | ||||||
| |`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` | | |`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` | | ||||||
|  | @ -44,47 +44,29 @@ Role Defaults | ||||||
| 
 | 
 | ||||||
| | Variable | Description | Default | | | Variable | Description | Default | | ||||||
| |:---------|:------------|:--------| | |:---------|:------------|:--------| | ||||||
| |`keycloak_quarkus_admin_user`| Administration console user account | `admin` | | |`keycloak_quarkus_bootstrap_admin_user`| Administration console user account | `admin` | | ||||||
| |`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` | | |`keycloak_quarkus_admin_user`| Deprecated, use `keycloak_quarkus_bootstrap_admin_user` instead. | | | ||||||
| |`keycloak_quarkus_host`| Hostname for the Keycloak server | `localhost` | | |`keycloak_quarkus_bind_address`| Deprecated, use `keycloak_quarkus_http_host` instead |  `0.0.0.0` | | ||||||
| |`keycloak_quarkus_port`| The port used by the proxy when exposing the hostname | `-1` | | |`keycloak_quarkus_host`| Deprecated, use `keycloak_quarkus_hostname` instead. | | | ||||||
| |`keycloak_quarkus_path`| This should be set if proxy uses a different context-path for Keycloak | | | |`keycloak_quarkus_port`| Deprecated, use `keycloak_quarkus_hostname` instead. | | | ||||||
| |`keycloak_quarkus_http_port`| HTTP listening port | `8080` | | |`keycloak_quarkus_path`| Deprecated, use `keycloak_quarkus_hostname` instead. | | | ||||||
| |`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` | |  | ||||||
| |`keycloak_quarkus_ajp_port`| AJP port | `8009` | |  | ||||||
| |`keycloak_quarkus_service_user`| Posix account username | `keycloak` | | |`keycloak_quarkus_service_user`| Posix account username | `keycloak` | | ||||||
| |`keycloak_quarkus_service_group`| Posix account group | `keycloak` | | |`keycloak_quarkus_service_group`| Posix account group | `keycloak` | | ||||||
| |`keycloak_quarkus_service_restart_always`| systemd restart always behavior activation | `False` | | |`keycloak_quarkus_service_restart_always`| systemd restart always behavior activation | `False` | | ||||||
| |`keycloak_quarkus_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` | | |`keycloak_quarkus_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` | | ||||||
| |`keycloak_quarkus_service_restartsec`| systemd RestartSec | `10s` | | |`keycloak_quarkus_service_restartsec`| systemd RestartSec | `10s` | | ||||||
| |`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-17-openjdk-headless` | | |`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-21-openjdk-headless` | | ||||||
| |`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` | | |`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` | | ||||||
| |`keycloak_quarkus_java_heap_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` | | |`keycloak_quarkus_java_heap_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` | | ||||||
| |`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak | | |`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak | | ||||||
| |`keycloak_quarkus_java_opts`| JVM arguments; if overridden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` | | |`keycloak_quarkus_java_opts`| JVM arguments; if overridden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` | | ||||||
| |`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file | `[]` | | |`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file | `[]` | | ||||||
| |`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | | | |`keycloak_quarkus_frontend_url`| Deprecated, use `keycloak_quarkus_hostname` instead. | | | ||||||
| |`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | | | |`keycloak_quarkus_admin_url`| Deprecated, use `keycloak_quarkus_hostname_admin` instead. | | | ||||||
| |`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` | | |`keycloak_quarkus_health_check_url`| Full URL (including scheme, host, path, fragment etc.) used for health check endpoint; keycloak_quarkus_hostname will NOT be prepended; helpful when health checks should happen against http port, but keycloak_quarkus_hostname uses https scheme per default | `` | | ||||||
| |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` | | |`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; keycloak_quarkus_hostname will be prepended automatically; Note that keycloak_quarkus_health_check_url takes precedence over this property | `realms/master/.well-known/openid-configuration` | | ||||||
| |`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically | `realms/master/.well-known/openid-configuration` | |  | ||||||
| |`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` | |  | ||||||
| |`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` | |  | ||||||
| |`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` | |  | ||||||
| |`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `/etc/pki/tls/private/server.key.pem` | |  | ||||||
| |`keycloak_quarkus_cert_file_copy_enabled`| Enable copy of cert file to target host | `False`| |  | ||||||
| |`keycloak_quarkus_cert_file_src`| Set the source file path | `""` | |  | ||||||
| |`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `/etc/pki/tls/certs/server.crt.pem` | |  | ||||||
| |`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` | |  | ||||||
| |`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. || |  | ||||||
| |`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.|| |  | ||||||
| |`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` | |  | ||||||
| |`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` | |  | ||||||
| |`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` | |  | ||||||
| |`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` | |  | ||||||
| |`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` | |  | ||||||
| |`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwarded`) | `""` | | |`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwarded`) | `""` | | ||||||
| |`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty  | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_keystore_password != ''`, else `''` | | |`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_config_key_store_password` is not empty  | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_config_key_store_password != ''`, else `''` | | ||||||
| |`keycloak_quarkus_config_key_store_password`| Password of the configuration keystore; if non-empty, `keycloak_quarkus_db_pass` will be saved to the keystore at `keycloak_quarkus_config_key_store_file` instead of being written to the configuration file in clear text | `""` | | |`keycloak_quarkus_config_key_store_password`| Password of the configuration keystore; if non-empty, `keycloak_quarkus_db_pass` will be saved to the keystore at `keycloak_quarkus_config_key_store_file` instead of being written to the configuration file in clear text | `""` | | ||||||
| |`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` | | |`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` | | ||||||
| |`keycloak_quarkus_configure_iptables` | Ensure iptables is configured for keycloak ports | `False` | | |`keycloak_quarkus_configure_iptables` | Ensure iptables is configured for keycloak ports | `False` | | ||||||
|  | @ -95,8 +77,9 @@ Role Defaults | ||||||
| | Variable | Description | Default | | | Variable | Description | Default | | ||||||
| |:---------|:------------|:--------| | |:---------|:------------|:--------| | ||||||
| |`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` | | |`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` | | ||||||
| |`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `TCPPING` | | |`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `JDBCPING` | | ||||||
| |`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` | | |`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` | | ||||||
|  | |`keycloak_quarkus_jgroups_ip`| Host jgroups IP.  If changing this variable you must make sure it is always set for all hosts in your cluster. | `{{ ansible_default_ipv4.address }}` | | ||||||
| |`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` | | |`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` | | ||||||
| |`keycloak_quarkus_systemd_wait_for_port` | Whether systemd unit should wait for keycloak port before returning | `{{ keycloak_quarkus_ha_enabled }}` | | |`keycloak_quarkus_systemd_wait_for_port` | Whether systemd unit should wait for keycloak port before returning | `{{ keycloak_quarkus_ha_enabled }}` | | ||||||
| |`keycloak_quarkus_systemd_wait_for_port_number`| Which port the systemd unit should wait for | `{{ keycloak_quarkus_https_port }}` | | |`keycloak_quarkus_systemd_wait_for_port_number`| Which port the systemd unit should wait for | `{{ keycloak_quarkus_https_port }}` | | ||||||
|  | @ -106,7 +89,7 @@ Role Defaults | ||||||
| |`keycloak_quarkus_restart_strategy`| Strategy task file for restarting in HA (one of provided restart/['serial.yml','none.yml','serial_then_parallel.yml']) or path to file when providing custom strategy | `restart/serial.yml` | | |`keycloak_quarkus_restart_strategy`| Strategy task file for restarting in HA (one of provided restart/['serial.yml','none.yml','serial_then_parallel.yml']) or path to file when providing custom strategy | `restart/serial.yml` | | ||||||
| |`keycloak_quarkus_restart_health_check`| Whether to wait for successful health check after restart | `true` | | |`keycloak_quarkus_restart_health_check`| Whether to wait for successful health check after restart | `true` | | ||||||
| |`keycloak_quarkus_restart_health_check_delay`| Seconds to let pass before starting healch checks | `10` | | |`keycloak_quarkus_restart_health_check_delay`| Seconds to let pass before starting healch checks | `10` | | ||||||
| |`keycloak_quarkus_restart_health_check_reries`| Number of attempts for successful health check before failing | `25` | | |`keycloak_quarkus_restart_health_check_retries`| Number of attempts for successful health check before failing | `25` | | ||||||
| |`keycloak_quarkus_restart_pause`| Seconds to wait between restarts in HA strategy | `15` | | |`keycloak_quarkus_restart_pause`| Seconds to wait between restarts in HA strategy | `15` | | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | @ -114,49 +97,69 @@ Role Defaults | ||||||
| 
 | 
 | ||||||
| | Variable | Description | Default | | | Variable | Description | Default | | ||||||
| |:---------|:------------|:--------| | |:---------|:------------|:--------| | ||||||
| |`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` | | |`keycloak_quarkus_hostname`| Address at which is the server exposed. Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request. | | | ||||||
|  | |`keycloak_quarkus_hostname_admin`| Set the base URL for accessing the administration console, including scheme, host, port and path | `` | | ||||||
| |`keycloak_quarkus_hostname_strict`| Disables dynamically resolving the hostname from request headers | `true` | | |`keycloak_quarkus_hostname_strict`| Disables dynamically resolving the hostname from request headers | `true` | | ||||||
| |`keycloak_quarkus_hostname_strict_backchannel`| By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled. | `false` | | |`keycloak_quarkus_hostname_backchannel_dynamic`| Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL. | `false` | | ||||||
|  | |`keycloak_quarkus_hostname_strict_backchannel`| Deprecated, use (the inverted!)`keycloak_quarkus_hostname_backchannel_dynamic` instead. |  | | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #### HTTP(S) configuration | ||||||
|  | | Variable | Description | Default | | ||||||
|  | |:---------|:------------|:--------| | ||||||
|  | |`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` | | ||||||
|  | |`keycloak_quarkus_http_host`| The http host, ie. the address used to bind the service |  `0.0.0.0` | | ||||||
|  | |`keycloak_quarkus_http_port`| HTTP listening port | `8080` | | ||||||
|  | |`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` | | ||||||
|  | |`keycloak_quarkus_http_management_port`| Port of the management interface. Relevant only when something is exposed on the management interface - see the guide for details. | `9000` | | ||||||
|  | |`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` | | ||||||
|  | |`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` | | ||||||
|  | |`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` | | ||||||
|  | |`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` | | ||||||
|  | |`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` | | ||||||
|  | |`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` | | ||||||
|  | |`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` | | ||||||
|  | |`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` | | ||||||
|  | |`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `/etc/pki/tls/private/server.key.pem` | | ||||||
|  | |`keycloak_quarkus_cert_file_copy_enabled`| Enable copy of cert file to target host | `False`| | ||||||
|  | |`keycloak_quarkus_cert_file_src`| Set the source file path | `""` | | ||||||
|  | |`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `/etc/pki/tls/certs/server.crt.pem` | | ||||||
|  | |`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` | | ||||||
|  | |`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. || | ||||||
|  | |`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.|| | ||||||
|  | |`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` | | ||||||
|  | |`keycloak_quarkus_http_management_relative_path` | Set the path relative to / for serving resources from management interface. The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details. | `/` | | ||||||
|  | |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` | | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| #### Database configuration | #### Database configuration | ||||||
| 
 | 
 | ||||||
| | Variable | Description | Default | | | Variable | Description | Default | | ||||||
| |:---------|:------------|:--------| | |:---------|:------------|:--------| | ||||||
| |`keycloak_quarkus_jdbc_engine` | Database engine [mariadb,postres,mssql] | `postgres` | | |`keycloak_quarkus_db_engine` | Database engine [mariadb,postres,mssql] | `postgres` | | ||||||
| |`keycloak_quarkus_db_user` | User for database connection | `keycloak-user` | | |`keycloak_quarkus_db_user` | User for database connection | `keycloak-user` | | ||||||
| |`keycloak_quarkus_db_pass` | Password for database connection | `keycloak-pass` | | |`keycloak_quarkus_db_pass` | Password for database connection | `keycloak-pass` | | ||||||
| |`keycloak_quarkus_jdbc_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` | | |`keycloak_quarkus_db_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` | | ||||||
| |`keycloak_quarkus_jdbc_driver_version` | Version for JDBC driver | `9.4.1212` | | |`keycloak_quarkus_db_driver_version` | Version for JDBC engine driver | `9.4.1212` | | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| #### Remote caches configuration | #### Cache configuration | ||||||
| 
 | 
 | ||||||
| | Variable | Description | Default | | | Variable | Description | Default | | ||||||
| |:---------|:------------|:--------| | |:---------|:------------|:--------| | ||||||
| |`keycloak_quarkus_ispn_user` | Username for connecting to infinispan | `supervisor` | | |`keycloak_quarkus_cache_remote` | Whether to connect to remote cache infinispan server | `false` | | ||||||
| |`keycloak_quarkus_ispn_pass` | Password for connecting to infinispan | `supervisor` | | |`keycloak_quarkus_cache_remote_username` | Username for connecting to infinispan | `supervisor` | | ||||||
| |`keycloak_quarkus_ispn_hosts` | host name/port for connecting to infinispan, eg. host1:11222;host2:11222 | `localhost:11222` | | |`keycloak_quarkus_cache_remote_password` | Password for connecting to infinispan | `supervisor` | | ||||||
| |`keycloak_quarkus_ispn_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` | | |`keycloak_quarkus_cache_remote_host` | Hostname for connecting to infinispan | `localhost` | | ||||||
| |`keycloak_quarkus_ispn_use_ssl` | Whether infinispan uses TLS connection | `false` | | |`keycloak_quarkus_cache_remote_port`| Port for connecting to infinispan | `11222` | | ||||||
| |`keycloak_quarkus_ispn_trust_store_path` | Path to infinispan server trust certificate | `/etc/pki/java/cacerts` | | |`keycloak_quarkus_cache_remote_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` | | ||||||
| |`keycloak_quarkus_ispn_trust_store_password` | Password for infinispan certificate keystore | `changeit` | | |`keycloak_quarkus_cache_remote_tls_enabled` | Whether infinispan uses TLS connection | `false` | | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| #### Miscellaneous configuration | #### Logging configuration | ||||||
| 
 | 
 | ||||||
| | Variable | Description | Default | | | Variable | Description | Default | | ||||||
| |:---------|:------------|:--------| | |:---------|:------------|:--------| | ||||||
| |`keycloak_quarkus_metrics_enabled`| Whether to enable metrics | `False` | |  | ||||||
| |`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints | `True` | |  | ||||||
| |`keycloak_quarkus_archive` | keycloak install archive filename | `keycloak-{{ keycloak_quarkus_version }}.zip` | |  | ||||||
| |`keycloak_quarkus_installdir` | Installation path | `{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}` | |  | ||||||
| |`keycloak_quarkus_home` | Installation work directory | `{{ keycloak_quarkus_installdir }}` | |  | ||||||
| |`keycloak_quarkus_config_dir` | Path for configuration | `{{ keycloak_quarkus_home }}/conf` | |  | ||||||
| |`keycloak_quarkus_master_realm` | Name for rest authentication realm | `master` | |  | ||||||
| |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` | |  | ||||||
| |`keycloak_force_install` | Remove pre-existing versions of service | `False` | |  | ||||||
| |`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_http_port }}` | |  | ||||||
| |`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` | | |`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` | | ||||||
| |`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` | | |`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` | | ||||||
| |`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` | | |`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` | | ||||||
|  | @ -165,6 +168,21 @@ Role Defaults | ||||||
| |`keycloak_quarkus_log_max_file_size`| Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): `[0-9]+[KkMmGgTtPpEeZzYy]?`. If no suffix is given, assume bytes. | `10M` | | |`keycloak_quarkus_log_max_file_size`| Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): `[0-9]+[KkMmGgTtPpEeZzYy]?`. If no suffix is given, assume bytes. | `10M` | | ||||||
| |`keycloak_quarkus_log_max_backup_index`| Set the maximum number of archived log files to keep" | `10` | | |`keycloak_quarkus_log_max_backup_index`| Set the maximum number of archived log files to keep" | `10` | | ||||||
| |`keycloak_quarkus_log_file_suffix`| Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with `.zip` or `.gz`, the rotation file will also be compressed. | `.yyyy-MM-dd.zip` | | |`keycloak_quarkus_log_file_suffix`| Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with `.zip` or `.gz`, the rotation file will also be compressed. | `.yyyy-MM-dd.zip` | | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #### Miscellaneous configuration | ||||||
|  | 
 | ||||||
|  | | Variable | Description | Default | | ||||||
|  | |:---------|:------------|:--------| | ||||||
|  | |`keycloak_quarkus_metrics_enabled`| Whether to enable metrics | `False` | | ||||||
|  | |`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints on the management interface | `True` | | ||||||
|  | |`keycloak_quarkus_archive` | keycloak install archive filename | `keycloak-{{ keycloak_quarkus_version }}.zip` | | ||||||
|  | |`keycloak_quarkus_installdir` | Installation path | `{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}` | | ||||||
|  | |`keycloak_quarkus_home` | Installation work directory | `{{ keycloak_quarkus_installdir }}` | | ||||||
|  | |`keycloak_quarkus_config_dir` | Path for configuration | `{{ keycloak_quarkus_home }}/conf` | | ||||||
|  | |`keycloak_quarkus_master_realm` | Name for rest authentication realm | `master` | | ||||||
|  | |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` | | ||||||
|  | |`keycloak_quarkus_force_install` | Remove pre-existing versions of service | `False` | | ||||||
| |`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` | | |`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` | | ||||||
| |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` | | |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` | | ||||||
| |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` | | |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` | | ||||||
|  | @ -172,7 +190,7 @@ Role Defaults | ||||||
| |`keycloak_quarkus_show_deprecation_warnings`| Whether deprecation warnings should be shown | `True` | | |`keycloak_quarkus_show_deprecation_warnings`| Whether deprecation warnings should be shown | `True` | | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| #### Vault SPI | #### Vault configuration | ||||||
| 
 | 
 | ||||||
| | Variable | Description | Default | | | Variable | Description | Default | | ||||||
| |:---------|:------------|:--------| | |:---------|:------------|:--------| | ||||||
|  | @ -200,19 +218,24 @@ keycloak_quarkus_providers: | ||||||
|   - id: http-client                         # required; "{{ id }}.jar" identifies the file name on RHBK |   - id: http-client                         # required; "{{ id }}.jar" identifies the file name on RHBK | ||||||
|     spi: connections                        # required if neither url, local_path nor maven are specified; required for setting properties |     spi: connections                        # required if neither url, local_path nor maven are specified; required for setting properties | ||||||
|     default: true                           # optional, whether to set default for spi, default false |     default: true                           # optional, whether to set default for spi, default false | ||||||
|     restart: true                           # optional, whether to restart, default true |     restart: true                           # optional, whether to rebuild config and restart the service after deploying, default true | ||||||
|     url: https://.../.../custom_spi.jar     # optional, url for download via http |     url: https://.../.../custom_spi.jar     # optional, url for download via http | ||||||
|     local_path: my_theme_spi.jar            # optional, path on local controller for SPI to be uploaded |     local_path: my_theme_spi.jar            # optional, path on local controller for SPI to be uploaded | ||||||
|  |     remote: true                            # optional, whether to copy from localhost or remotely, see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-remote_src, default false | ||||||
|     maven:                                  # optional, for download using maven |     maven:                                  # optional, for download using maven | ||||||
|       repository_url: https://maven.pkg.github.com/OWNER/REPOSITORY # optional, maven repo url |       repository_url: https://maven.pkg.github.com/OWNER/REPOSITORY # optional, maven repo url | ||||||
|       group_id:  my.group                   # optional, maven group id |       group_id:  my.group                   # optional, maven group id | ||||||
|       artifact_id: artifact                 # optional, maven artifact id |       artifact_id: artifact                 # optional, maven artifact id | ||||||
|       version: 24.0.4                       # optional, defaults to latest |       version: 24.0.5                       # optional, defaults to latest | ||||||
|       username:  user                       # optional, cf. https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry#authenticating-to-github-packages |       username:  user                       # optional, cf. https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry#authenticating-to-github-packages | ||||||
|       password: pat                         # optional, provide a PAT for accessing Github's Apache Maven registry |       password: pat                         # optional, provide a PAT for accessing Github's Apache Maven registry | ||||||
|     properties:                             # optional, list of key-values |     properties:                             # optional, list of key-values | ||||||
|       - key: default-connection-pool-size |       - key: default-connection-pool-size | ||||||
|         value: 10 |         value: 10 | ||||||
|  |     checksum: sha256:D98291AC[...]B6DC7B97  # optional, checksum used to verify integrity: | ||||||
|  |                                             #  for `url` SPIs, use format: <algorithm>:<checksum|url>, cf. <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html#parameter-checksum>; | ||||||
|  |                                             #  for `local_path` SPIs, use SHA1 format <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-checksum> | ||||||
|  |                                             #  for `maven` SPIs, this field is ignored since maven has integrity verification methods enabled by default | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| the definition above will generate the following build command: | the definition above will generate the following build command: | ||||||
|  | @ -232,8 +255,8 @@ Provider definition: | ||||||
| 
 | 
 | ||||||
| ```yaml | ```yaml | ||||||
| keycloak_quarkus_policies: | keycloak_quarkus_policies: | ||||||
|   - name: xato-net-10-million-passwords.txt                                                                # required, resulting file name |   - name: john-the-ripper.txt                                                                          # required, resulting file name | ||||||
|     url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt # required, url for download |     url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt  # required, url for download | ||||||
|     type: password-blacklists                                                                          # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`] |     type: password-blacklists                                                                          # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`] | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
|  | @ -243,9 +266,8 @@ Role Variables | ||||||
| 
 | 
 | ||||||
| | Variable | Description | Required | | | Variable | Description | Required | | ||||||
| |:---------|:------------|----------| | |:---------|:------------|----------| | ||||||
| |`keycloak_quarkus_admin_pass`| Password of console admin account | `yes` | | |`keycloak_quarkus_bootstrap_admin_password`| Password of console admin account | `yes` | | ||||||
| |`keycloak_quarkus_frontend_url`| Base URL for frontend URLs, including scheme, host, port and path | `no` | | |`keycloak_quarkus_admin_pass`| Deprecated, use `keycloak_quarkus_bootstrap_admin_password` instead. | | | ||||||
| |`keycloak_quarkus_admin_url`| Base URL for accessing the administration console, including scheme, host, port and path | `no` | |  | ||||||
| |`keycloak_quarkus_ks_vault_pass`| The password for accessing the keystore vault SPI | `no` | | |`keycloak_quarkus_ks_vault_pass`| The password for accessing the keystore vault SPI | `no` | | ||||||
| |`keycloak_quarkus_alternate_download_url`| Alternate location with optional authentication for downloading RHBK | `no` | | |`keycloak_quarkus_alternate_download_url`| Alternate location with optional authentication for downloading RHBK | `no` | | ||||||
| |`keycloak_quarkus_download_user`| Optional username for http authentication  | `no*` | | |`keycloak_quarkus_download_user`| Optional username for http authentication  | `no*` | | ||||||
|  | @ -265,7 +287,7 @@ The role uses the following [custom facts](https://docs.ansible.com/ansible/late | ||||||
| 
 | 
 | ||||||
| | Variable | Description | | | Variable | Description | | ||||||
| |:---------|:------------| | |:---------|:------------| | ||||||
| |`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_admin_user[_pass]` gets created | | |`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_bootstrap_admin_user[_password]` gets created | | ||||||
| 
 | 
 | ||||||
| License | License | ||||||
| ------- | ------- | ||||||
|  |  | ||||||
|  | @ -1,6 +1,6 @@ | ||||||
| --- | --- | ||||||
| ### Configuration specific to keycloak | ### Configuration specific to keycloak | ||||||
| keycloak_quarkus_version: 24.0.4 | keycloak_quarkus_version: 26.3.0 | ||||||
| keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip" | keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip" | ||||||
| keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}" | keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}" | ||||||
| keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}" | keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}" | ||||||
|  | @ -27,26 +27,32 @@ keycloak_quarkus_configure_firewalld: false | ||||||
| keycloak_quarkus_configure_iptables: false | keycloak_quarkus_configure_iptables: false | ||||||
| 
 | 
 | ||||||
| ### administrator console password | ### administrator console password | ||||||
| keycloak_quarkus_admin_user: admin | keycloak_quarkus_bootstrap_admin_user: admin | ||||||
| keycloak_quarkus_admin_pass: | keycloak_quarkus_bootstrap_admin_password: | ||||||
| keycloak_quarkus_master_realm: master | keycloak_quarkus_master_realm: master | ||||||
| 
 | 
 | ||||||
| ### Configuration settings | ### Configuration settings | ||||||
| keycloak_quarkus_bind_address: 0.0.0.0 | keycloak_quarkus_bind_address: 0.0.0.0 # deprecated use keycloak_quarkus_http_host | ||||||
| keycloak_quarkus_host: localhost | keycloak_quarkus_http_host: 0.0.0.0 | ||||||
| keycloak_quarkus_port: -1 |  | ||||||
| keycloak_quarkus_path: |  | ||||||
| keycloak_quarkus_http_enabled: true | keycloak_quarkus_http_enabled: true | ||||||
| keycloak_quarkus_http_port: 8080 | keycloak_quarkus_http_port: 8080 | ||||||
| keycloak_quarkus_https_port: 8443 | keycloak_quarkus_https_port: 8443 | ||||||
| keycloak_quarkus_ajp_port: 8009 | keycloak_quarkus_http_management_port: 9000 | ||||||
| keycloak_quarkus_jgroups_port: 7800 | keycloak_quarkus_jgroups_port: 7800 | ||||||
|  | keycloak_quarkus_jgroups_bind_address: "{{ ansible_default_ipv4.address }}" | ||||||
|  | keycloak_quarkus_jgroups_external_addr: "{{ keycloak_quarkus_jgroups_bind_address }}" | ||||||
|  | keycloak_quarkus_jgroups_external_port: "{{ keycloak_quarkus_jgroups_port }}" | ||||||
| keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx2048m" | keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx2048m" | ||||||
| keycloak_quarkus_java_jvm_opts: "-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 | keycloak_quarkus_java_jvm_opts: > | ||||||
|  |   -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 | ||||||
|   -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError |   -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError | ||||||
|   -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4 |   -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4 | ||||||
|   -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512" |   -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512 | ||||||
| keycloak_quarkus_java_opts: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}" | keycloak_quarkus_jgroups_opts: > | ||||||
|  |   -Djgroups.bind.address={{ keycloak_quarkus_jgroups_bind_address }} | ||||||
|  |   -Djgroups.external_port={{ keycloak_quarkus_jgroups_external_port }} | ||||||
|  |   -Djgroups.external_addr={{ keycloak_quarkus_jgroups_external_addr }} | ||||||
|  | keycloak_quarkus_java_opts: "{{ ' '.join((keycloak_quarkus_jgroups_opts, keycloak_quarkus_java_heap_opts, keycloak_quarkus_java_jvm_opts)) }}" | ||||||
| keycloak_quarkus_additional_env_vars: [] | keycloak_quarkus_additional_env_vars: [] | ||||||
| 
 | 
 | ||||||
| ### TLS/HTTPS configuration | ### TLS/HTTPS configuration | ||||||
|  | @ -71,7 +77,7 @@ keycloak_quarkus_config_key_store_password: '' | ||||||
| 
 | 
 | ||||||
| ### Enable configuration for database backend, clustering and remote caches on infinispan | ### Enable configuration for database backend, clustering and remote caches on infinispan | ||||||
| keycloak_quarkus_ha_enabled: false | keycloak_quarkus_ha_enabled: false | ||||||
| keycloak_quarkus_ha_discovery: "TCPPING" | keycloak_quarkus_ha_discovery: "JDBCPING" | ||||||
| ### Enable database configuration, must be enabled when HA is configured | ### Enable database configuration, must be enabled when HA is configured | ||||||
| keycloak_quarkus_db_enabled: "{{ keycloak_quarkus_ha_enabled }}" | keycloak_quarkus_db_enabled: "{{ keycloak_quarkus_ha_enabled }}" | ||||||
| keycloak_quarkus_systemd_wait_for_port: "{{ keycloak_quarkus_ha_enabled }}" | keycloak_quarkus_systemd_wait_for_port: "{{ keycloak_quarkus_ha_enabled }}" | ||||||
|  | @ -81,8 +87,8 @@ keycloak_quarkus_systemd_wait_for_timeout: 60 | ||||||
| keycloak_quarkus_systemd_wait_for_delay: 10 | keycloak_quarkus_systemd_wait_for_delay: 10 | ||||||
| 
 | 
 | ||||||
| ### keycloak frontend url | ### keycloak frontend url | ||||||
| keycloak_quarkus_frontend_url: | keycloak_quarkus_hostname: | ||||||
| keycloak_quarkus_admin_url: | keycloak_quarkus_hostname_admin: "" | ||||||
| 
 | 
 | ||||||
| ### Set the path relative to / for serving resources. The path must start with a / | ### Set the path relative to / for serving resources. The path must start with a / | ||||||
| ### (set to `/auth` for retrocompatibility with pre-quarkus releases) | ### (set to `/auth` for retrocompatibility with pre-quarkus releases) | ||||||
|  | @ -91,9 +97,9 @@ keycloak_quarkus_http_relative_path: / | ||||||
| # Disables dynamically resolving the hostname from request headers. | # Disables dynamically resolving the hostname from request headers. | ||||||
| # Should always be set to true in production, unless proxy verifies the Host header. | # Should always be set to true in production, unless proxy verifies the Host header. | ||||||
| keycloak_quarkus_hostname_strict: true | keycloak_quarkus_hostname_strict: true | ||||||
| # By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. | # Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. | ||||||
| # If all applications use the public URL this option should be enabled. | # Set to true if your application accesses Keycloak via a private network. If set to true, keycloak_quarkus_hostname option needs to be specified as a full URL. | ||||||
| keycloak_quarkus_hostname_strict_backchannel: false | keycloak_quarkus_hostname_backchannel_dynamic: false | ||||||
| 
 | 
 | ||||||
| # The proxy headers that should be accepted by the server. ['', 'forwarded', 'xforwarded'] | # The proxy headers that should be accepted by the server. ['', 'forwarded', 'xforwarded'] | ||||||
| keycloak_quarkus_proxy_headers: "" | keycloak_quarkus_proxy_headers: "" | ||||||
|  | @ -111,36 +117,57 @@ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: true | ||||||
| keycloak_quarkus_metrics_enabled: false | keycloak_quarkus_metrics_enabled: false | ||||||
| keycloak_quarkus_health_enabled: true | keycloak_quarkus_health_enabled: true | ||||||
| 
 | 
 | ||||||
|  | ### caches; must read: https://www.keycloak.org/2024/12/storing-sessions-in-kc26 | ||||||
|  | ### embedded caches | ||||||
|  | # https://www.keycloak.org/server/caching | ||||||
|  | keycloak_quarkus_cache_metrics_enabled: false | ||||||
|  | keycloak_quarkus_cache_embedded_authorization_max_count: | ||||||
|  | keycloak_quarkus_cache_embedded_client_sessions_max_count: | ||||||
|  | keycloak_quarkus_cache_embedded_crl_max_count: | ||||||
|  | keycloak_quarkus_cache_embedded_keys_max_count: | ||||||
|  | keycloak_quarkus_cache_embedded_offline_client_sessions_max_count: | ||||||
|  | keycloak_quarkus_cache_embedded_offline_sessions_max_count: | ||||||
|  | keycloak_quarkus_cache_embedded_realms_max_count: | ||||||
|  | keycloak_quarkus_cache_embedded_sessions_max_count: | ||||||
|  | keycloak_quarkus_cache_embedded_users_max_count: | ||||||
|  | keycloak_quarkus_cache_embedded_mtls_enabled: true | ||||||
|  | keycloak_quarkus_cache_embedded_mtls_key_store_file: "{{ keycloak.home }}/conf/cache_key_store.p12" | ||||||
|  | keycloak_quarkus_cache_embedded_mtls_key_store_password: '' | ||||||
|  | keycloak_quarkus_cache_embedded_mtls_rotation_interval_days: 30 | ||||||
|  | keycloak_quarkus_cache_embedded_mtls_trust_store_file: "{{ keycloak.home }}/conf/cache_trust_store.p12" | ||||||
|  | keycloak_quarkus_cache_embedded_mtls_trust_store_password: '' | ||||||
|  | 
 | ||||||
| ### infinispan remote caches access (hotrod) | ### infinispan remote caches access (hotrod) | ||||||
| keycloak_quarkus_ispn_user: supervisor | # https://www.keycloak.org/server/caching#_remote_cache | ||||||
| keycloak_quarkus_ispn_pass: supervisor | keycloak_quarkus_cache_remote: false | ||||||
| keycloak_quarkus_ispn_hosts: "localhost:11222" | keycloak_quarkus_cache_remote_username: supervisor | ||||||
| keycloak_quarkus_ispn_sasl_mechanism: SCRAM-SHA-512 | keycloak_quarkus_cache_remote_password: supervisor | ||||||
| keycloak_quarkus_ispn_use_ssl: false | keycloak_quarkus_cache_remote_host: localhost | ||||||
| # if ssl is enabled, import ispn server certificate here | keycloak_quarkus_cache_remote_port: 11222 | ||||||
| keycloak_quarkus_ispn_trust_store_path: /etc/pki/java/cacerts | keycloak_quarkus_cache_remote_tls_enabled: false | ||||||
| keycloak_quarkus_ispn_trust_store_password: changeit | keycloak_quarkus_cache_remote_sasl_mechanism: SCRAM-SHA-512 | ||||||
|  | 
 | ||||||
| 
 | 
 | ||||||
| ### database backend engine: values [ 'postgres', 'mariadb' ] | ### database backend engine: values [ 'postgres', 'mariadb' ] | ||||||
| keycloak_quarkus_jdbc_engine: postgres | keycloak_quarkus_db_engine: postgres | ||||||
| ### database backend credentials | ### database backend credentials | ||||||
| keycloak_quarkus_db_user: keycloak-user | keycloak_quarkus_db_user: keycloak-user | ||||||
| keycloak_quarkus_db_pass: keycloak-pass | keycloak_quarkus_db_pass: keycloak-pass | ||||||
| keycloak_quarkus_jdbc_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}" | keycloak_quarkus_db_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].url }}" | ||||||
| keycloak_quarkus_jdbc_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}" | keycloak_quarkus_db_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].version }}" | ||||||
| # override the variables above, following defaults show minimum supported versions | # override the variables above, following defaults show recommended version as per | ||||||
|  | # https://access.redhat.com/articles/7033107 | ||||||
| keycloak_quarkus_default_jdbc: | keycloak_quarkus_default_jdbc: | ||||||
|   postgres: |   postgres: | ||||||
|     url: 'jdbc:postgresql://localhost:5432/keycloak' |     url: 'jdbc:postgresql://localhost:5432/keycloak' | ||||||
|     version: 9.4.1212 |     version: 42.7.5 | ||||||
|   mariadb: |   mariadb: | ||||||
|     url: 'jdbc:mariadb://localhost:3306/keycloak' |     url: 'jdbc:mariadb://localhost:3306/keycloak' | ||||||
|     version: 2.7.4 |     version: 3.5.2 | ||||||
|   mssql: |   mssql: | ||||||
|     url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;' |     url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;' | ||||||
|     version: 12.4.2 |     version: 12.8.1 | ||||||
|     driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.4.2.jre11/mssql-jdbc-12.4.2.jre11.jar" |     driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.8.1.jre11/mssql-jdbc-12.8.1.jre11.jar" | ||||||
|     # cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/24.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver |  | ||||||
| ### logging configuration | ### logging configuration | ||||||
| keycloak_quarkus_log: file | keycloak_quarkus_log: file | ||||||
| keycloak_quarkus_log_level: info | keycloak_quarkus_log_level: info | ||||||
|  | @ -165,5 +192,7 @@ keycloak_quarkus_supported_policy_types: ['password-blacklists'] | ||||||
| keycloak_quarkus_restart_strategy: restart/serial.yml | keycloak_quarkus_restart_strategy: restart/serial.yml | ||||||
| keycloak_quarkus_restart_health_check: true | keycloak_quarkus_restart_health_check: true | ||||||
| keycloak_quarkus_restart_health_check_delay: 10 | keycloak_quarkus_restart_health_check_delay: 10 | ||||||
| keycloak_quarkus_restart_health_check_reries: 25 | keycloak_quarkus_restart_health_check_retries: 25 | ||||||
| keycloak_quarkus_restart_pause: 15 | keycloak_quarkus_restart_pause: 15 | ||||||
|  | 
 | ||||||
|  | keycloak_quarkus_force_install: false | ||||||
|  |  | ||||||
|  | @ -1,4 +1,7 @@ | ||||||
| --- | --- | ||||||
|  | - name: "Invalidate {{ keycloak.service_name }} theme cache" | ||||||
|  |   ansible.builtin.include_tasks: invalidate_theme_cache.yml | ||||||
|  |   listen: "invalidate keycloak theme cache" | ||||||
| # handler should be invoked anytime a [build configuration](https://www.keycloak.org/server/all-config?f=build) changes | # handler should be invoked anytime a [build configuration](https://www.keycloak.org/server/all-config?f=build) changes | ||||||
| - name: "Rebuild {{ keycloak.service_name }} config" | - name: "Rebuild {{ keycloak.service_name }} config" | ||||||
|   ansible.builtin.include_tasks: rebuild_config.yml |   ansible.builtin.include_tasks: rebuild_config.yml | ||||||
|  |  | ||||||
|  | @ -2,7 +2,7 @@ argument_specs: | ||||||
|     main: |     main: | ||||||
|         options: |         options: | ||||||
|             keycloak_quarkus_version: |             keycloak_quarkus_version: | ||||||
|                 default: "24.0.4" |                 default: "26.3.0" | ||||||
|                 description: "keycloak.org package version" |                 description: "keycloak.org package version" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_archive: |             keycloak_quarkus_archive: | ||||||
|  | @ -22,7 +22,7 @@ argument_specs: | ||||||
|                 description: "Perform an offline install" |                 description: "Perform an offline install" | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|             keycloak_quarkus_jvm_package: |             keycloak_quarkus_jvm_package: | ||||||
|                 default: "java-11-openjdk-headless" |                 default: "java-21-openjdk-headless" | ||||||
|                 description: "RHEL java package runtime" |                 description: "RHEL java package runtime" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_java_home: |             keycloak_quarkus_java_home: | ||||||
|  | @ -68,13 +68,17 @@ argument_specs: | ||||||
|                 default: "10s" |                 default: "10s" | ||||||
|                 description: "systemd RestartSec for service" |                 description: "systemd RestartSec for service" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_admin_user: |             keycloak_quarkus_bootstrap_admin_user: | ||||||
|                 default: "admin" |                 default: "admin" | ||||||
|                 description: "Administration console user account" |                 description: "Administration user account, only for bootstrapping" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_admin_pass: |             keycloak_quarkus_force_install: | ||||||
|  |                 default: false | ||||||
|  |                 description: "Remove pre-existing versions of service" | ||||||
|  |                 type: "bool" | ||||||
|  |             keycloak_quarkus_bootstrap_admin_password: | ||||||
|                 required: true |                 required: true | ||||||
|                 description: "Password of console admin account" |                 description: "Password of admin account, only for bootstrapping" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_master_realm: |             keycloak_quarkus_master_realm: | ||||||
|                 default: "master" |                 default: "master" | ||||||
|  | @ -82,31 +86,40 @@ argument_specs: | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_bind_address: |             keycloak_quarkus_bind_address: | ||||||
|                 default: "0.0.0.0" |                 default: "0.0.0.0" | ||||||
|                 description: "Address for binding service ports" |                 description: "Deprecated, use `keycloak_quarkus_http_host`" | ||||||
|  |                 type: "str" | ||||||
|  |             keycloak_quarkus_hostname: | ||||||
|  |                 description: >- | ||||||
|  |                     Address at which is the server exposed. | ||||||
|  |                     Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request. | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_host: |             keycloak_quarkus_host: | ||||||
|                 default: "localhost" |                 description: "Deprecated in v26, use keycloak_quarkus_hostname instead." | ||||||
|                 description: "Hostname for the Keycloak server" |  | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_port: |             keycloak_quarkus_port: | ||||||
|                 default: -1 |                 description: "Deprecated in v26, use keycloak_quarkus_hostname instead." | ||||||
|                 description: "The port used by the proxy when exposing the hostname" |  | ||||||
|                 type: "int" |                 type: "int" | ||||||
|             keycloak_quarkus_path: |             keycloak_quarkus_path: | ||||||
|                 required: false |                 description: "Deprecated in v26, use keycloak_quarkus_hostname instead." | ||||||
|                 description: "This should be set if proxy uses a different context-path for Keycloak" |  | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_http_enabled: |             keycloak_quarkus_http_enabled: | ||||||
|                 default: true |                 default: true | ||||||
|                 description: "Enable listener on HTTP port" |                 description: "Enable listener on HTTP port" | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|  |             keycloak_quarkus_http_host: | ||||||
|  |                 default: '0.0.0.0' | ||||||
|  |                 description: "HTTP host, address for binding service ports" | ||||||
|  |                 type: "str" | ||||||
|             keycloak_quarkus_http_port: |             keycloak_quarkus_http_port: | ||||||
|                 default: 8080 |                 default: 8080 | ||||||
|                 description: "HTTP port" |                 description: "HTTP port" | ||||||
|                 type: "int" |                 type: "int" | ||||||
|  |             keycloak_quarkus_health_check_url: | ||||||
|  |                 description: "Full URL (including scheme, host, path, fragment etc.) used for health check endpoint; keycloak_quarkus_hostname will NOT be prepended; helpful when health checks should happen against http port, but keycloak_quarkus_hostname uses https scheme per default" | ||||||
|  |                 type: "str" | ||||||
|             keycloak_quarkus_health_check_url_path: |             keycloak_quarkus_health_check_url_path: | ||||||
|                 default: "realms/master/.well-known/openid-configuration" |                 default: "realms/master/.well-known/openid-configuration" | ||||||
|                 description: "Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically" |                 description: "Path to the health check endpoint; keycloak_quarkus_hostname will be prepended automatically; Note that keycloak_quarkus_health_check_url takes precedence over this property" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_https_key_file_enabled: |             keycloak_quarkus_https_key_file_enabled: | ||||||
|                 default: false |                 default: false | ||||||
|  | @ -170,7 +183,7 @@ argument_specs: | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_config_key_store_file: |             keycloak_quarkus_config_key_store_file: | ||||||
|                 default: "{{ keycloak.home }}/conf/conf_store.p12" |                 default: "{{ keycloak.home }}/conf/conf_store.p12" | ||||||
|                 description: "Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty" |                 description: "Path to the configuration key store; only used if `keycloak_quarkus_config_key_store_password` is not empty" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_config_key_store_password: |             keycloak_quarkus_config_key_store_password: | ||||||
|                 default: "" |                 default: "" | ||||||
|  | @ -182,13 +195,9 @@ argument_specs: | ||||||
|                 default: 8443 |                 default: 8443 | ||||||
|                 description: "HTTPS port" |                 description: "HTTPS port" | ||||||
|                 type: "int" |                 type: "int" | ||||||
|             keycloak_quarkus_ajp_port: |             keycloak_quarkus_http_management_port: | ||||||
|                 default: 8009 |                 default: 9000 | ||||||
|                 description: "AJP port" |                 description: "Port of the management interface. Relevant only when something is exposed on the management interface - see the guide for details." | ||||||
|                 type: "int" |  | ||||||
|             keycloak_quarkus_jgroups_port: |  | ||||||
|                 default: 7800 |  | ||||||
|                 description: "jgroups cluster tcp port" |  | ||||||
|                 type: "int" |                 type: "int" | ||||||
|             keycloak_quarkus_java_heap_opts: |             keycloak_quarkus_java_heap_opts: | ||||||
|                 default: "-Xms1024m -Xmx2048m" |                 default: "-Xms1024m -Xmx2048m" | ||||||
|  | @ -202,7 +211,7 @@ argument_specs: | ||||||
|                 description: "Other JVM settings" |                 description: "Other JVM settings" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_java_opts: |             keycloak_quarkus_java_opts: | ||||||
|                 default: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}" |                 default: "{{ ' '.join((keycloak_quarkus_jgroups_opts, keycloak_quarkus_java_heap_opts, keycloak_quarkus_java_jvm_opts)) }}" | ||||||
|                 description: "JVM arguments, by default heap_opts + jvm_opts, if overriden it takes precedence over them" |                 description: "JVM arguments, by default heap_opts + jvm_opts, if overriden it takes precedence over them" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_additional_env_vars: |             keycloak_quarkus_additional_env_vars: | ||||||
|  | @ -226,13 +235,21 @@ argument_specs: | ||||||
|                 default: / |                 default: / | ||||||
|                 description: "Set the path relative to / for serving resources. The path must start with a /" |                 description: "Set the path relative to / for serving resources. The path must start with a /" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|  |             keycloak_quarkus_http_management_relative_path: | ||||||
|  |                 required: false | ||||||
|  |                 description: "Set the path relative to / for serving resources from management interface. The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details." | ||||||
|  |                 type: "str" | ||||||
|             keycloak_quarkus_frontend_url: |             keycloak_quarkus_frontend_url: | ||||||
|                 required: false |                 required: false | ||||||
|                 description: "Service public URL" |                 description: "Deprecated in v26, use keycloak_quarkus_hostname instead." | ||||||
|  |                 type: "str" | ||||||
|  |             keycloak_quarkus_hostname_admin: | ||||||
|  |                 required: false | ||||||
|  |                 description: "Service URL for the admin console" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_admin_url: |             keycloak_quarkus_admin_url: | ||||||
|                 required: false |                 required: false | ||||||
|                 description: "Service URL for the admin console" |                 description: "Deprecated in v26, use keycloak_quarkus_hostname_admin instead." | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_metrics_enabled: |             keycloak_quarkus_metrics_enabled: | ||||||
|                 default: false |                 default: false | ||||||
|  | @ -240,37 +257,37 @@ argument_specs: | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|             keycloak_quarkus_health_enabled: |             keycloak_quarkus_health_enabled: | ||||||
|                 default: true |                 default: true | ||||||
|                 description: "If the server should expose health check endpoints" |                 description: "If the server should expose health check endpoints on the management interface" | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|             keycloak_quarkus_ispn_user: |             keycloak_quarkus_cache_remote: | ||||||
|  |                 description: "Whether to connect to remote cache infinispan server" | ||||||
|  |                 default: false | ||||||
|  |                 type: 'bool' | ||||||
|  |             keycloak_quarkus_cache_remote_username: | ||||||
|                 default: "supervisor" |                 default: "supervisor" | ||||||
|                 description: "Username for connecting to infinispan" |                 description: "Username for connecting to infinispan" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_ispn_pass: |             keycloak_quarkus_cache_remote_password: | ||||||
|                 default: "supervisor" |                 default: "supervisor" | ||||||
|                 description: "Password for connecting to infinispan" |                 description: "Password for connecting to infinispan" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_ispn_hosts: |             keycloak_quarkus_cache_remote_host: | ||||||
|                 default: "localhost:11222" |                 default: "localhost" | ||||||
|                 description: "host name/port for connecting to infinispan, eg. host1:11222;host2:11222" |                 description: "Hostname for connecting to infinispan" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_ispn_sasl_mechanism: |             keycloak_quarkus_cache_remote_port: | ||||||
|  |                 default: "11222" | ||||||
|  |                 description: "Port for connecting to infinispan" | ||||||
|  |                 type: "str" | ||||||
|  |             keycloak_quarkus_cache_remote_sasl_mechanism: | ||||||
|                 default: "SCRAM-SHA-512" |                 default: "SCRAM-SHA-512" | ||||||
|                 description: "Infinispan auth mechanism" |                 description: "Infinispan auth mechanism" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_ispn_use_ssl: |             keycloak_quarkus_cache_remote_tls_enabled: | ||||||
|                 default: false |                 default: false | ||||||
|                 description: "Whether infinispan uses TLS connection" |                 description: "Whether infinispan uses TLS connection" | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|             keycloak_quarkus_ispn_trust_store_path: |             keycloak_quarkus_db_engine: | ||||||
|                 default: "/etc/pki/java/cacerts" |  | ||||||
|                 description: "Path to infinispan server trust certificate" |  | ||||||
|                 type: "str" |  | ||||||
|             keycloak_quarkus_ispn_trust_store_password: |  | ||||||
|                 default: "changeit" |  | ||||||
|                 description: "Password for infinispan certificate keystore" |  | ||||||
|                 type: "str" |  | ||||||
|             keycloak_quarkus_jdbc_engine: |  | ||||||
|                 default: "postgres" |                 default: "postgres" | ||||||
|                 description: "Database engine [mariadb,postres,mssql]" |                 description: "Database engine [mariadb,postres,mssql]" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|  | @ -282,12 +299,12 @@ argument_specs: | ||||||
|                 default: "keycloak-pass" |                 default: "keycloak-pass" | ||||||
|                 description: "Password for database connection" |                 description: "Password for database connection" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_jdbc_url: |             keycloak_quarkus_db_url: | ||||||
|                 default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}" |                 default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].url }}" | ||||||
|                 description: "JDBC URL for connecting to database" |                 description: "JDBC URL for connecting to database" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_jdbc_driver_version: |             keycloak_quarkus_db_driver_version: | ||||||
|                 default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}" |                 default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].version }}" | ||||||
|                 description: "Version for JDBC driver" |                 description: "Version for JDBC driver" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_log: |             keycloak_quarkus_log: | ||||||
|  | @ -348,24 +365,18 @@ argument_specs: | ||||||
|                 description: > |                 description: > | ||||||
|                   Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless |                   Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless | ||||||
|                   proxy verifies the Host header. |                   proxy verifies the Host header. | ||||||
|             keycloak_quarkus_hostname_strict_backchannel: |             keycloak_quarkus_hostname_backchannel_dynamic: | ||||||
|                 default: false |                 default: false | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|                 description: > |                 description: > | ||||||
|                   By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all |                     Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. | ||||||
|                   applications use the public URL this option should be enabled. |                     Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL. | ||||||
|             keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: |             keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: | ||||||
|                 default: true |                 default: true | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|                 description: > |                 description: > | ||||||
|                   If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies |                   If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies | ||||||
|                   and we rely on the session affinity capabilities from reverse proxy |                   and we rely on the session affinity capabilities from reverse proxy | ||||||
|             keycloak_quarkus_hostname_strict_https: |  | ||||||
|                 type: "bool" |  | ||||||
|                 required: false |  | ||||||
|                 description: > |  | ||||||
|                   By default, Keycloak requires running using TLS/HTTPS. If the service MUST run without TLS/HTTPS, then set |  | ||||||
|                   this option to "true" |  | ||||||
|             keycloak_quarkus_ks_vault_enabled: |             keycloak_quarkus_ks_vault_enabled: | ||||||
|                 default: false |                 default: false | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|  | @ -453,7 +464,7 @@ argument_specs: | ||||||
|                 description: "Seconds to let pass before starting healch checks" |                 description: "Seconds to let pass before starting healch checks" | ||||||
|                 default: 10 |                 default: 10 | ||||||
|                 type: 'int' |                 type: 'int' | ||||||
|             keycloak_quarkus_restart_health_check_reries: |             keycloak_quarkus_restart_health_check_retries: | ||||||
|                 description: "Number of attempts for successful health check before failing" |                 description: "Number of attempts for successful health check before failing" | ||||||
|                 default: 25 |                 default: 25 | ||||||
|                 type: 'int' |                 type: 'int' | ||||||
|  | @ -465,10 +476,94 @@ argument_specs: | ||||||
|                 description: "Path local to controller for offline/download of install archives" |                 description: "Path local to controller for offline/download of install archives" | ||||||
|                 default: "{{ lookup('env', 'PWD') }}" |                 default: "{{ lookup('env', 'PWD') }}" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|  |             keycloak_quarkus_cache_metrics_enabled: | ||||||
|  |                 description: 'Enable histograms for metrics for the embedded caches' | ||||||
|  |                 default: false | ||||||
|  |                 type: 'bool' | ||||||
|  |             keycloak_quarkus_cache_embedded_authorization_max_count: | ||||||
|  |                 description: 'The maximum number of entries that can be stored in-memory by the authorization cache' | ||||||
|  |                 required: false | ||||||
|  |                 type: "int" | ||||||
|  |             keycloak_quarkus_cache_embedded_client_sessions_max_count: | ||||||
|  |                 description: 'The maximum number of entries that can be stored in-memory by the clientSessions cache' | ||||||
|  |                 required: false | ||||||
|  |                 type: "int" | ||||||
|  |             keycloak_quarkus_cache_embedded_crl_max_count: | ||||||
|  |                 description: 'The maximum number of entries that can be stored in-memory by the crl cache' | ||||||
|  |                 required: false | ||||||
|  |                 type: "int" | ||||||
|  |             keycloak_quarkus_cache_embedded_keys_max_count: | ||||||
|  |                 description: 'The maximum number of entries that can be stored in-memory by the keys cache' | ||||||
|  |                 required: false | ||||||
|  |                 type: "int" | ||||||
|  |             keycloak_quarkus_cache_embedded_offline_client_sessions_max_count: | ||||||
|  |                 description: 'The maximum number of entries that can be stored in-memory by the offlineClientSessions cache' | ||||||
|  |                 required: false | ||||||
|  |                 type: "int" | ||||||
|  |             keycloak_quarkus_cache_embedded_offline_sessions_max_count: | ||||||
|  |                 description: 'The maximum number of entries that can be stored in-memory by the offlineSessions cache' | ||||||
|  |                 required: false | ||||||
|  |                 type: "int" | ||||||
|  |             keycloak_quarkus_cache_embedded_realms_max_count: | ||||||
|  |                 description: 'The maximum number of entries that can be stored in-memory by the realms cache' | ||||||
|  |                 required: false | ||||||
|  |                 type: "int" | ||||||
|  |             keycloak_quarkus_cache_embedded_sessions_max_count: | ||||||
|  |                 description: 'The maximum number of entries that can be stored in-memory by the sessions cache' | ||||||
|  |                 required: false | ||||||
|  |                 type: "int" | ||||||
|  |             keycloak_quarkus_cache_embedded_users_max_count: | ||||||
|  |                 description: 'The maximum number of entries that can be stored in-memory by the users cache' | ||||||
|  |                 required: false | ||||||
|  |                 type: 'int' | ||||||
|  |             keycloak_quarkus_cache_embedded_mtls_enabled: | ||||||
|  |                 description: 'Encrypts the network communication between Keycloak servers' | ||||||
|  |                 default: true | ||||||
|  |                 type: 'bool' | ||||||
|  |             keycloak_quarkus_cache_embedded_mtls_key_store_file: | ||||||
|  |                 description: 'The Keystore file path' | ||||||
|  |                 default: "{{ keycloak.home }}/conf/cache_key_store.p12" | ||||||
|  |                 type: "str" | ||||||
|  |             keycloak_quarkus_cache_embedded_mtls_key_store_password: | ||||||
|  |                 description: 'The password to access the Keystore' | ||||||
|  |                 default: '' | ||||||
|  |                 type: "str" | ||||||
|  |             keycloak_quarkus_cache_embedded_mtls_rotation_interval_days: | ||||||
|  |                 description: 'Rotation period in days of automatic JGroups MTLS certificates' | ||||||
|  |                 default: 30 | ||||||
|  |                 type: 'int' | ||||||
|  |             keycloak_quarkus_cache_embedded_mtls_trust_store_file: | ||||||
|  |                 description: 'The Truststore file path' | ||||||
|  |                 default: "{{ keycloak.home }}/conf/cache_trust_store.p12" | ||||||
|  |                 type: "str" | ||||||
|  |             keycloak_quarkus_cache_embedded_mtls_trust_store_password: | ||||||
|  |                 description: 'The password to access the Truststore.' | ||||||
|  |                 default: '' | ||||||
|  |                 type: "str" | ||||||
|  |             keycloak_quarkus_jgroups_port: | ||||||
|  |                 description: 'jgroups bind port' | ||||||
|  |                 default: 7800 | ||||||
|  |                 type: "int" | ||||||
|  |             keycloak_quarkus_jgroups_bind_address: | ||||||
|  |                 description: 'jgroups bind address' | ||||||
|  |                 default: "{{ ansible_default_ipv4.address }}" | ||||||
|  |                 type: "str" | ||||||
|  |             keycloak_quarkus_jgroups_external_addr: | ||||||
|  |                 description: 'IP address that other instances in the Keycloak should use to contact this node' | ||||||
|  |                 default: "{{ keycloak_quarkus_jgroups_bind_address }}" | ||||||
|  |                 type: "str" | ||||||
|  |             keycloak_quarkus_jgroups_external_port: | ||||||
|  |                 description: 'Port that other instances in the Keycloak cluster should use to contact this node' | ||||||
|  |                 default: "{{ keycloak_quarkus_jgroups_port }}" | ||||||
|  |                 type: "int" | ||||||
|  |             keycloak_quarkus_jgroups_opts: | ||||||
|  |                 description: "JVM arguments for jgroups configuration" | ||||||
|  |                 default: "-Djgroups.bind.address={{ keycloak_quarkus_jgroups_bind_address }} -Djgroups.external_port={{ keycloak_quarkus_jgroups_external_port }} -Djgroups.external_addr={{ keycloak_quarkus_jgroups_external_addr }}" | ||||||
|  |                 type: "str" | ||||||
|     downstream: |     downstream: | ||||||
|         options: |         options: | ||||||
|             rhbk_version: |             rhbk_version: | ||||||
|                 default: "24.0.3" |                 default: "26.2.5" | ||||||
|                 description: "Red Hat Build of Keycloak version" |                 description: "Red Hat Build of Keycloak version" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             rhbk_archive: |             rhbk_archive: | ||||||
|  |  | ||||||
|  | @ -8,7 +8,7 @@ galaxy_info: | ||||||
| 
 | 
 | ||||||
|   license: Apache License 2.0 |   license: Apache License 2.0 | ||||||
| 
 | 
 | ||||||
|   min_ansible_version: "2.15" |   min_ansible_version: "2.16" | ||||||
| 
 | 
 | ||||||
|   platforms: |   platforms: | ||||||
|     - name: EL |     - name: EL | ||||||
|  |  | ||||||
|  | @ -1,6 +1,10 @@ | ||||||
| --- | --- | ||||||
| - name: Include firewall config tasks | - name: Include firewall config tasks | ||||||
|   ansible.builtin.include_tasks: iptables.yml |   ansible.builtin.include_tasks: | ||||||
|  |     file: iptables.yml | ||||||
|  |     apply: | ||||||
|  |       tags: | ||||||
|  |         - firewall | ||||||
|   when: keycloak_quarkus_configure_iptables |   when: keycloak_quarkus_configure_iptables | ||||||
|   tags: |   tags: | ||||||
|     - firewall |     - firewall | ||||||
|  |  | ||||||
|  | @ -49,5 +49,114 @@ | ||||||
|   notify: |   notify: | ||||||
|     - print deprecation warning |     - print deprecation warning | ||||||
| 
 | 
 | ||||||
|  | # https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options | ||||||
|  | - name: Check deprecation of keycloak_quarkus_frontend_url -> keycloak_quarkus_hostname | ||||||
|  |   when: | ||||||
|  |     - keycloak_quarkus_hostname is not defined | ||||||
|  |     - keycloak_quarkus_frontend_url is defined | ||||||
|  |     - keycloak_quarkus_frontend_url != '' | ||||||
|  |   delegate_to: localhost | ||||||
|  |   run_once: true | ||||||
|  |   changed_when: keycloak_quarkus_show_deprecation_warnings | ||||||
|  |   ansible.builtin.set_fact: | ||||||
|  |     keycloak_quarkus_hostname: "{{ keycloak_quarkus_frontend_url }}" | ||||||
|  |     deprecated_variable: "keycloak_quarkus_frontend_url" # read in deprecation handler | ||||||
|  |   notify: | ||||||
|  |     - print deprecation warning | ||||||
|  | 
 | ||||||
|  | # https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options | ||||||
|  | - name: Check deprecation of keycloak_quarkus_hostname_strict_https + keycloak_quarkus_host + keycloak_quarkus_port + keycloak_quarkus_path -> keycloak_quarkus_hostname | ||||||
|  |   when: | ||||||
|  |     - keycloak_quarkus_hostname is not defined | ||||||
|  |     - keycloak_quarkus_hostname_strict_https is defined or keycloak_quarkus_frontend_url is defined or keycloak_quarkus_port is defined or keycloak_quarkus_path is defined | ||||||
|  |   delegate_to: localhost | ||||||
|  |   run_once: true | ||||||
|  |   changed_when: keycloak_quarkus_show_deprecation_warnings | ||||||
|  |   ansible.builtin.set_fact: | ||||||
|  |     keycloak_quarkus_hostname: >- | ||||||
|  |       {% set protocol = '' %} | ||||||
|  |       {% if keycloak_quarkus_hostname_strict_https %} | ||||||
|  |         {% set protocol = 'https://' %} | ||||||
|  |       {% elif keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is False %} | ||||||
|  |         {% set protocol = 'http://' %} | ||||||
|  |       {% endif %} | ||||||
|  |       {{ protocol }}{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_port }}/{{ keycloak_quarkus_path }} | ||||||
|  |     deprecated_variable: "keycloak_quarkus_hostname_strict_https or keycloak_quarkus_frontend_url or keycloak_quarkus_frontend_url or keycloak_quarkus_hostname" # read in deprecation handler | ||||||
|  |   notify: | ||||||
|  |     - print deprecation warning | ||||||
|  | 
 | ||||||
|  | # https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options | ||||||
|  | - name: Check deprecation of keycloak_quarkus_admin_url -> keycloak_quarkus_hostname_admin | ||||||
|  |   when: | ||||||
|  |     - keycloak_quarkus_hostname_admin is not defined | ||||||
|  |     - keycloak_quarkus_admin_url is defined | ||||||
|  |     - keycloak_quarkus_admin_url != '' | ||||||
|  |   delegate_to: localhost | ||||||
|  |   run_once: true | ||||||
|  |   changed_when: keycloak_quarkus_show_deprecation_warnings | ||||||
|  |   ansible.builtin.set_fact: | ||||||
|  |     keycloak_quarkus_hostname_admin: "{{ keycloak_quarkus_admin_url }}" | ||||||
|  |     deprecated_variable: "keycloak_quarkus_admin_url" # read in deprecation handler | ||||||
|  |   notify: | ||||||
|  |     - print deprecation warning | ||||||
|  | 
 | ||||||
|  | # https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options | ||||||
|  | - name: Check deprecation of keycloak_quarkus_hostname_strict_backchannel -> keycloak_quarkus_hostname_backchannel_dynamic | ||||||
|  |   when: | ||||||
|  |     - keycloak_quarkus_hostname_backchannel_dynamic is not defined | ||||||
|  |     - keycloak_quarkus_hostname_strict_backchannel is defined | ||||||
|  |     - keycloak_quarkus_hostname_strict_backchannel != '' | ||||||
|  |   delegate_to: localhost | ||||||
|  |   run_once: true | ||||||
|  |   changed_when: keycloak_quarkus_show_deprecation_warnings | ||||||
|  |   ansible.builtin.set_fact: | ||||||
|  |     keycloak_quarkus_hostname_backchannel_dynamic: "{{ keycloak_quarkus_hostname_strict_backchannel == False }}" | ||||||
|  |     deprecated_variable: "keycloak_quarkus_hostname_backchannel_dynamic" # read in deprecation handler | ||||||
|  |   notify: | ||||||
|  |     - print deprecation warning | ||||||
|  | 
 | ||||||
|  | # https://github.com/keycloak/keycloak/issues/30009 | ||||||
|  | - name: Check deprecation of keycloak_quarkus_admin_user -> keycloak_quarkus_bootstrap_admin_user | ||||||
|  |   when: | ||||||
|  |     - keycloak_quarkus_bootstrap_admin_user is not defined | ||||||
|  |     - keycloak_quarkus_admin_user is defined | ||||||
|  |     - keycloak_quarkus_admin_user != '' | ||||||
|  |   delegate_to: localhost | ||||||
|  |   run_once: true | ||||||
|  |   changed_when: keycloak_quarkus_show_deprecation_warnings | ||||||
|  |   ansible.builtin.set_fact: | ||||||
|  |     keycloak_quarkus_bootstrap_admin_user: "{{ keycloak_quarkus_admin_user }}" | ||||||
|  |     deprecated_variable: "keycloak_quarkus_admin_user" # read in deprecation handler | ||||||
|  |   notify: | ||||||
|  |     - print deprecation warning | ||||||
|  | 
 | ||||||
|  | # https://github.com/keycloak/keycloak/issues/30009 | ||||||
|  | - name: Check deprecation of keycloak_quarkus_admin_pass -> keycloak_quarkus_bootstrap_admin_password | ||||||
|  |   when: | ||||||
|  |     - keycloak_quarkus_bootstrap_admin_password is not defined | ||||||
|  |     - keycloak_quarkus_admin_pass is defined | ||||||
|  |     - keycloak_quarkus_admin_pass != '' | ||||||
|  |   delegate_to: localhost | ||||||
|  |   run_once: true | ||||||
|  |   changed_when: keycloak_quarkus_show_deprecation_warnings | ||||||
|  |   ansible.builtin.set_fact: | ||||||
|  |     keycloak_quarkus_bootstrap_admin_user: "{{ keycloak_quarkus_admin_pass }}" | ||||||
|  |     deprecated_variable: "keycloak_quarkus_admin_pass" # read in deprecation handler | ||||||
|  |   notify: | ||||||
|  |     - print deprecation warning | ||||||
|  | 
 | ||||||
|  | - name: Check deprecation of keycloak_quarkus_bind_address -> keycloak_quarkus_http_host | ||||||
|  |   when: | ||||||
|  |     - keycloak_quarkus_bind_address is defined | ||||||
|  |     - keycloak_quarkus_bind_address != '0.0.0.0' | ||||||
|  |   delegate_to: localhost | ||||||
|  |   run_once: true | ||||||
|  |   changed_when: keycloak_quarkus_show_deprecation_warnings | ||||||
|  |   ansible.builtin.set_fact: | ||||||
|  |     keycloak_quarkus_http_host: "{{ keycloak_quarkus_bind_address }}" | ||||||
|  |     deprecated_variable: "keycloak_quarkus_bind_address" # read in deprecation handler | ||||||
|  |   notify: | ||||||
|  |     - print deprecation warning | ||||||
|  |    | ||||||
| - name: Flush handlers | - name: Flush handlers | ||||||
|   ansible.builtin.meta: flush_handlers |   ansible.builtin.meta: flush_handlers | ||||||
|  |  | ||||||
|  | @ -12,7 +12,7 @@ | ||||||
|     enabled: true |     enabled: true | ||||||
|     state: started |     state: started | ||||||
| 
 | 
 | ||||||
| - name: "Configure firewall for {{ keycloak.service_name }} ports" | - name: "Configure firewall for {{ keycloak.service_name }} http port" | ||||||
|   become: true |   become: true | ||||||
|   ansible.posix.firewalld: |   ansible.posix.firewalld: | ||||||
|     port: "{{ item }}" |     port: "{{ item }}" | ||||||
|  | @ -21,5 +21,16 @@ | ||||||
|     immediate: true |     immediate: true | ||||||
|   loop: |   loop: | ||||||
|     - "{{ keycloak_quarkus_http_port }}/tcp" |     - "{{ keycloak_quarkus_http_port }}/tcp" | ||||||
|  |   when: keycloak_quarkus_http_enabled | bool | ||||||
|  | 
 | ||||||
|  | - name: "Configure firewall for {{ keycloak.service_name }} ports" | ||||||
|  |   become: true | ||||||
|  |   ansible.posix.firewalld: | ||||||
|  |     port: "{{ item }}" | ||||||
|  |     permanent: true | ||||||
|  |     state: enabled | ||||||
|  |     immediate: true | ||||||
|  |   loop: | ||||||
|     - "{{ keycloak_quarkus_https_port }}/tcp" |     - "{{ keycloak_quarkus_https_port }}/tcp" | ||||||
|  |     - "{{ keycloak_quarkus_http_management_port }}/tcp" | ||||||
|     - "{{ keycloak_quarkus_jgroups_port }}/tcp" |     - "{{ keycloak_quarkus_jgroups_port }}/tcp" | ||||||
|  |  | ||||||
|  | @ -17,6 +17,27 @@ | ||||||
|     path: "{{ keycloak.home }}" |     path: "{{ keycloak.home }}" | ||||||
|   register: existing_deploy |   register: existing_deploy | ||||||
| 
 | 
 | ||||||
|  | - name: Stop and restart if existing deployment exists and install forced | ||||||
|  |   when: existing_deploy.stat.exists and keycloak_quarkus_force_install | bool | ||||||
|  |   block: | ||||||
|  |     - name: "Stop the old {{ keycloak.service_name }} service" | ||||||
|  |       become: true | ||||||
|  |       failed_when: false | ||||||
|  |       ansible.builtin.systemd: | ||||||
|  |         name: keycloak | ||||||
|  |         state: stopped | ||||||
|  |     - name: "Remove the old {{ keycloak.service_name }} deployment" | ||||||
|  |       become: true | ||||||
|  |       ansible.builtin.file: | ||||||
|  |         path: "{{ keycloak_quarkus_home }}" | ||||||
|  |         state: absent | ||||||
|  | 
 | ||||||
|  | - name: Check for an existing deployment after possible forced removal | ||||||
|  |   become: true | ||||||
|  |   ansible.builtin.stat: | ||||||
|  |     path: "{{ keycloak_quarkus_home }}" | ||||||
|  |   register: existing_deploy | ||||||
|  | 
 | ||||||
| - name: "Create {{ keycloak.service_name }} service user/group" | - name: "Create {{ keycloak.service_name }} service user/group" | ||||||
|   become: true |   become: true | ||||||
|   ansible.builtin.user: |   ansible.builtin.user: | ||||||
|  | @ -77,6 +98,7 @@ | ||||||
|     - not archive_path.stat.exists |     - not archive_path.stat.exists | ||||||
|     - rhbk_enable is defined and rhbk_enable |     - rhbk_enable is defined and rhbk_enable | ||||||
|     - not keycloak.offline_install |     - not keycloak.offline_install | ||||||
|  |     - keycloak_quarkus_alternate_download_url is undefined | ||||||
|   block: |   block: | ||||||
|     - name: Retrieve product download using JBoss Network API |     - name: Retrieve product download using JBoss Network API | ||||||
|       middleware_automation.common.product_search: |       middleware_automation.common.product_search: | ||||||
|  | @ -202,11 +224,11 @@ | ||||||
|     - keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled |     - keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled | ||||||
|     - keycloak_quarkus_cert_file_src | length > 0 |     - keycloak_quarkus_cert_file_src | length > 0 | ||||||
| 
 | 
 | ||||||
| - name: "Install {{ keycloak_quarkus_jdbc_engine }} JDBC driver" | - name: "Install {{ keycloak_quarkus_db_engine }} JDBC driver" | ||||||
|   ansible.builtin.include_tasks: jdbc_driver.yml |   ansible.builtin.include_tasks: jdbc_driver.yml | ||||||
|   when: |   when: | ||||||
|     - rhbk_enable is defined and rhbk_enable |     - rhbk_enable is defined and rhbk_enable | ||||||
|     - keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url is defined |     - keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url is defined | ||||||
| 
 | 
 | ||||||
| - name: "Download custom providers via http" | - name: "Download custom providers via http" | ||||||
|   ansible.builtin.get_url: |   ansible.builtin.get_url: | ||||||
|  | @ -215,10 +237,11 @@ | ||||||
|     owner: "{{ keycloak.service_user }}" |     owner: "{{ keycloak.service_user }}" | ||||||
|     group: "{{ keycloak.service_group }}" |     group: "{{ keycloak.service_group }}" | ||||||
|     mode: '0640' |     mode: '0640' | ||||||
|  |     checksum: "{{ item.checksum | default(omit) }}" | ||||||
|   become: true |   become: true | ||||||
|   loop: "{{ keycloak_quarkus_providers }}" |   loop: "{{ keycloak_quarkus_providers }}" | ||||||
|   when: item.url is defined and item.url | length > 0 |   when: item.url is defined and item.url | length > 0 | ||||||
|   notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}" |   notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}" | ||||||
| 
 | 
 | ||||||
| # this requires the `lxml` package to be installed; we redirect this step to localhost such that we do need to install it on the remote hosts | # this requires the `lxml` package to be installed; we redirect this step to localhost such that we do need to install it on the remote hosts | ||||||
| - name: "Download custom providers to localhost using maven" | - name: "Download custom providers to localhost using maven" | ||||||
|  | @ -235,7 +258,6 @@ | ||||||
|   loop: "{{ keycloak_quarkus_providers }}" |   loop: "{{ keycloak_quarkus_providers }}" | ||||||
|   when: item.maven is defined |   when: item.maven is defined | ||||||
|   no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}" |   no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}" | ||||||
|   notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}" |  | ||||||
| 
 | 
 | ||||||
| - name: "Copy maven providers" | - name: "Copy maven providers" | ||||||
|   ansible.builtin.copy: |   ansible.builtin.copy: | ||||||
|  | @ -244,21 +266,25 @@ | ||||||
|     owner: "{{ keycloak.service_user }}" |     owner: "{{ keycloak.service_user }}" | ||||||
|     group: "{{ keycloak.service_group }}" |     group: "{{ keycloak.service_group }}" | ||||||
|     mode: '0640' |     mode: '0640' | ||||||
|  |     checksum: "{{ item.checksum | default(omit) }}" | ||||||
|   become: true |   become: true | ||||||
|   loop: "{{ keycloak_quarkus_providers }}" |   loop: "{{ keycloak_quarkus_providers }}" | ||||||
|   when: item.maven is defined |   when: item.maven is defined | ||||||
|   no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}" |   no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}" | ||||||
|  |   notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}" | ||||||
| 
 | 
 | ||||||
| - name: "Copy providers" | - name: "Copy local providers" | ||||||
|   ansible.builtin.copy: |   ansible.builtin.copy: | ||||||
|     src: "{{ item.local_path }}" |     src: "{{ item.local_path }}" | ||||||
|     dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar" |     dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar" | ||||||
|     owner: "{{ keycloak.service_user }}" |     owner: "{{ keycloak.service_user }}" | ||||||
|     group: "{{ keycloak.service_group }}" |     group: "{{ keycloak.service_group }}" | ||||||
|     mode: '0640' |     mode: '0640' | ||||||
|  |     remote_src: "{{ item.remote | default(false) }}" | ||||||
|   become: true |   become: true | ||||||
|   loop: "{{ keycloak_quarkus_providers }}" |   loop: "{{ keycloak_quarkus_providers }}" | ||||||
|   when: item.local_path is defined |   when: item.local_path is defined | ||||||
|  |   notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}" | ||||||
| 
 | 
 | ||||||
| - name: Ensure required folder structure for policies exists | - name: Ensure required folder structure for policies exists | ||||||
|   ansible.builtin.file: |   ansible.builtin.file: | ||||||
|  |  | ||||||
							
								
								
									
										11
									
								
								roles/keycloak_quarkus/tasks/invalidate_theme_cache.yml
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										11
									
								
								roles/keycloak_quarkus/tasks/invalidate_theme_cache.yml
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,11 @@ | ||||||
|  | --- | ||||||
|  | # From https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/24.0/html/server_developer_guide/themes#creating_a_theme: | ||||||
|  | # If you want to manually delete the content of the themes cache, | ||||||
|  | # you can do so by deleting the data/tmp/kc-gzip-cache directory of the server distribution | ||||||
|  | # It can be useful for instance if you redeployed custom providers or custom themes without | ||||||
|  | # disabling themes caching in the previous server executions. | ||||||
|  | - name: "Delete {{ keycloak.service_name }} theme cache directory" | ||||||
|  |   ansible.builtin.file: | ||||||
|  |     path: "{{ keycloak.home }}/data/tmp/kc-gzip-cache" | ||||||
|  |     state: absent | ||||||
|  |   become: true | ||||||
|  | @ -7,9 +7,9 @@ | ||||||
|     (keycloak_quarkus_jdbc_download_user is undefined and keycloak_quarkus_jdbc_download_pass is not undefined) or |     (keycloak_quarkus_jdbc_download_user is undefined and keycloak_quarkus_jdbc_download_pass is not undefined) or | ||||||
|     (keycloak_quarkus_jdbc_download_pass is undefined and keycloak_quarkus_jdbc_download_user is not undefined) |     (keycloak_quarkus_jdbc_download_pass is undefined and keycloak_quarkus_jdbc_download_user is not undefined) | ||||||
| 
 | 
 | ||||||
| - name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}" | - name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url) }}" | ||||||
|   ansible.builtin.get_url: |   ansible.builtin.get_url: | ||||||
|     url: "{{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}" |     url: "{{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url) }}" | ||||||
|     dest: "{{ keycloak.home }}/providers" |     dest: "{{ keycloak.home }}/providers" | ||||||
|     owner: "{{ keycloak.service_user }}" |     owner: "{{ keycloak.service_user }}" | ||||||
|     group: "{{ keycloak.service_group }}" |     group: "{{ keycloak.service_group }}" | ||||||
|  |  | ||||||
|  | @ -1,34 +1,58 @@ | ||||||
| --- | --- | ||||||
| # tasks file for keycloak | # tasks file for keycloak | ||||||
| - name: Check prerequisites | - name: Check prerequisites | ||||||
|   ansible.builtin.include_tasks: prereqs.yml |   ansible.builtin.include_tasks: | ||||||
|  |     file: prereqs.yml | ||||||
|  |     apply: | ||||||
|  |       tags: | ||||||
|  |         - prereqs | ||||||
|   tags: |   tags: | ||||||
|     - prereqs |     - prereqs | ||||||
|     - always |     - always | ||||||
| 
 | 
 | ||||||
| - name: Check for deprecations | - name: Check for deprecations | ||||||
|   ansible.builtin.include_tasks: deprecations.yml |   ansible.builtin.include_tasks: | ||||||
|  |     file: deprecations.yml | ||||||
|  |     apply: | ||||||
|  |       tags: | ||||||
|  |         - always | ||||||
|   tags: |   tags: | ||||||
|     - always |     - always | ||||||
| 
 | 
 | ||||||
| - name: Distro specific tasks | - name: Distro specific tasks | ||||||
|   ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml" |   ansible.builtin.include_tasks: | ||||||
|  |     file: "{{ ansible_os_family | lower }}.yml" | ||||||
|  |     apply: | ||||||
|  |       tags: | ||||||
|  |         - unbound | ||||||
|   tags: |   tags: | ||||||
|     - unbound |     - unbound | ||||||
| 
 | 
 | ||||||
| - name: Include install tasks | - name: Include install tasks | ||||||
|   ansible.builtin.include_tasks: install.yml |   ansible.builtin.include_tasks: | ||||||
|  |     file: install.yml | ||||||
|  |     apply: | ||||||
|  |       tags: | ||||||
|  |         - install | ||||||
|   tags: |   tags: | ||||||
|     - install |     - install | ||||||
| 
 | 
 | ||||||
| - name: Include systemd tasks | - name: Include systemd tasks | ||||||
|   ansible.builtin.include_tasks: systemd.yml |   ansible.builtin.include_tasks: | ||||||
|  |     file: systemd.yml | ||||||
|  |     apply: | ||||||
|  |       tags: | ||||||
|  |         - systemd | ||||||
|   tags: |   tags: | ||||||
|     - systemd |     - systemd | ||||||
| 
 | 
 | ||||||
| - name: Include configuration key store tasks | - name: Include configuration key store tasks | ||||||
|  |   ansible.builtin.include_tasks: | ||||||
|  |     file: config_store.yml | ||||||
|  |     apply: | ||||||
|  |       tags: | ||||||
|  |         - install | ||||||
|   when: keycloak.config_key_store_enabled |   when: keycloak.config_key_store_enabled | ||||||
|   ansible.builtin.include_tasks: config_store.yml |  | ||||||
|   tags: |   tags: | ||||||
|     - install |     - install | ||||||
| 
 | 
 | ||||||
|  | @ -39,8 +63,8 @@ | ||||||
|         { |         { | ||||||
|           "name": item, |           "name": item, | ||||||
|           "address": 'jgroups-' + item, |           "address": 'jgroups-' + item, | ||||||
|           "inventory_host": hostvars[item].ansible_default_ipv4.address | default(item) + '[' + (keycloak_quarkus_jgroups_port | string) + ']', |           "inventory_host": hostvars[item].keycloak_quarkus_jgroups_ip | default(item) + '[' + (keycloak_quarkus_jgroups_port | string) + ']', | ||||||
|           "value": hostvars[item].ansible_default_ipv4.address | default(item) |           "value": hostvars[item].keycloak_quarkus_jgroups_ip | default(item) | ||||||
|         } |         } | ||||||
|       ] }} |       ] }} | ||||||
|   loop: "{{ ansible_play_batch }}" |   loop: "{{ ansible_play_batch }}" | ||||||
|  | @ -91,7 +115,7 @@ | ||||||
|   register: keycloak_service_status |   register: keycloak_service_status | ||||||
|   changed_when: false |   changed_when: false | ||||||
| 
 | 
 | ||||||
| - name: "Notify to remove `keycloak_quarkus_admin_user[_pass]` env vars" | - name: "Notify to remove `keycloak_quarkus_bootstrap_admin_user[_password]` env vars" | ||||||
|   when: |   when: | ||||||
|     - not ansible_local.keycloak.general.bootstrapped | default(false) | bool # it was not bootstrapped prior to the current role's execution |     - not ansible_local.keycloak.general.bootstrapped | default(false) | bool # it was not bootstrapped prior to the current role's execution | ||||||
|     - keycloak_service_status.status.ActiveState == "active"                  # but it is now |     - keycloak_service_status.status.ActiveState == "active"                  # but it is now | ||||||
|  |  | ||||||
|  | @ -2,12 +2,12 @@ | ||||||
| - name: Validate admin console password | - name: Validate admin console password | ||||||
|   ansible.builtin.assert: |   ansible.builtin.assert: | ||||||
|     that: |     that: | ||||||
|       - keycloak_quarkus_admin_pass | length > 12 |       - keycloak_quarkus_bootstrap_admin_password | length > 12 | ||||||
|     quiet: true |     quiet: true | ||||||
|     fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass to a 12+ char long string" |     fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_bootstrap_admin_password to a 12+ char long string" | ||||||
|     success_msg: "{{ 'Console administrator password OK' }}" |     success_msg: "{{ 'Console administrator password OK' }}" | ||||||
| 
 | 
 | ||||||
| - name: Validate relative path | - name: Validate http_relative_path | ||||||
|   ansible.builtin.assert: |   ansible.builtin.assert: | ||||||
|     that: |     that: | ||||||
|       - keycloak_quarkus_http_relative_path is regex('^/.*') |       - keycloak_quarkus_http_relative_path is regex('^/.*') | ||||||
|  | @ -15,6 +15,15 @@ | ||||||
|     fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /" |     fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /" | ||||||
|     success_msg: "{{ 'Relative path OK' }}" |     success_msg: "{{ 'Relative path OK' }}" | ||||||
| 
 | 
 | ||||||
|  | - name: Validate http_management_relative_path | ||||||
|  |   ansible.builtin.assert: | ||||||
|  |     that: | ||||||
|  |       - keycloak_quarkus_http_management_relative_path is regex('^/.*') | ||||||
|  |     quiet: true | ||||||
|  |     fail_msg: "The relative path for keycloak_quarkus_http_management_relative_path must begin with /" | ||||||
|  |     success_msg: "{{ 'Relative mgmt path OK' }}" | ||||||
|  |   when: keycloak_quarkus_http_management_relative_path is defined | ||||||
|  | 
 | ||||||
| - name: Validate configuration | - name: Validate configuration | ||||||
|   ansible.builtin.assert: |   ansible.builtin.assert: | ||||||
|     that: |     that: | ||||||
|  |  | ||||||
|  | @ -2,9 +2,6 @@ | ||||||
| # cf. https://www.keycloak.org/server/configuration#_optimize_the_keycloak_startup | # cf. https://www.keycloak.org/server/configuration#_optimize_the_keycloak_startup | ||||||
| - name: "Rebuild {{ keycloak.service_name }} config" | - name: "Rebuild {{ keycloak.service_name }} config" | ||||||
|   ansible.builtin.shell: | # noqa blocked_modules shell is necessary here |   ansible.builtin.shell: | # noqa blocked_modules shell is necessary here | ||||||
|     {{ keycloak.home }}/bin/kc.sh build |     env -i bash -c "set -a ; source {{ keycloak_quarkus_sysconf_file }} ; {{ keycloak.home }}/bin/kc.sh build " | ||||||
|   environment: |  | ||||||
|     PATH: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" |  | ||||||
|     JAVA_HOME: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}" |  | ||||||
|   become: true |   become: true | ||||||
|   changed_when: true |   changed_when: true | ||||||
|  |  | ||||||
|  | @ -1,6 +1,10 @@ | ||||||
| --- | --- | ||||||
| - name: Include firewall config tasks | - name: Include firewall config tasks | ||||||
|   ansible.builtin.include_tasks: firewalld.yml |   ansible.builtin.include_tasks: | ||||||
|  |     file: firewalld.yml | ||||||
|  |     apply: | ||||||
|  |       tags: | ||||||
|  |         - firewall | ||||||
|   when: keycloak_quarkus_configure_firewalld |   when: keycloak_quarkus_configure_firewalld | ||||||
|   tags: |   tags: | ||||||
|     - firewall |     - firewall | ||||||
|  |  | ||||||
|  | @ -12,7 +12,7 @@ | ||||||
|     url: "{{ keycloak.health_url }}" |     url: "{{ keycloak.health_url }}" | ||||||
|   register: keycloak_status |   register: keycloak_status | ||||||
|   until: keycloak_status.status == 200 |   until: keycloak_status.status == 200 | ||||||
|   retries: "{{ keycloak_quarkus_restart_health_check_reries }}" |   retries: "{{ keycloak_quarkus_restart_health_check_retries }}" | ||||||
|   delay: "{{ keycloak_quarkus_restart_health_check_delay }}" |   delay: "{{ keycloak_quarkus_restart_health_check_delay }}" | ||||||
|   when: internal_force_health_check | default(keycloak_quarkus_restart_health_check) |   when: internal_force_health_check | default(keycloak_quarkus_restart_health_check) | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -2,7 +2,7 @@ | ||||||
| - name: "Restart services in serial, with optional healtch check (keycloak_quarkus_restart_health_check)" | - name: "Restart services in serial, with optional healtch check (keycloak_quarkus_restart_health_check)" | ||||||
|   throttle: 1 |   throttle: 1 | ||||||
|   block: |   block: | ||||||
|     - name: "Restart and enable {{ keycloak.service_name }} service on {{ item }}" |     - name: "Restart and enable {{ keycloak.service_name }} service" | ||||||
|       ansible.builtin.include_tasks: |       ansible.builtin.include_tasks: | ||||||
|         file: restart.yml |         file: restart.yml | ||||||
|         apply: |         apply: | ||||||
|  |  | ||||||
|  | @ -14,3 +14,4 @@ | ||||||
|   until: keycloak_status.status == 200 |   until: keycloak_status.status == 200 | ||||||
|   retries: 25 |   retries: 25 | ||||||
|   delay: 10 |   delay: 10 | ||||||
|  |   when: internal_force_health_check | default(keycloak_quarkus_restart_health_check) | ||||||
|  |  | ||||||
|  | @ -10,6 +10,7 @@ | ||||||
|   vars: |   vars: | ||||||
|     keycloak_sys_pkg_java_home: "{{ keycloak_quarkus_pkg_java_home }}" |     keycloak_sys_pkg_java_home: "{{ keycloak_quarkus_pkg_java_home }}" | ||||||
|   notify: |   notify: | ||||||
|  |     - rebuild keycloak config | ||||||
|     - restart keycloak |     - restart keycloak | ||||||
| 
 | 
 | ||||||
| - name: "Configure systemd unit file for keycloak service" | - name: "Configure systemd unit file for keycloak service" | ||||||
|  | @ -22,4 +23,5 @@ | ||||||
|   become: true |   become: true | ||||||
|   register: systemdunit |   register: systemdunit | ||||||
|   notify: |   notify: | ||||||
|  |     - rebuild keycloak config | ||||||
|     - restart keycloak |     - restart keycloak | ||||||
|  |  | ||||||
|  | @ -18,15 +18,17 @@ | ||||||
| 
 | 
 | ||||||
| <infinispan | <infinispan | ||||||
|         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||||||
|         xsi:schemaLocation="urn:infinispan:config:14.0 http://www.infinispan.org/schemas/infinispan-config-14.0.xsd" |         xsi:schemaLocation="urn:infinispan:config:15.0 http://www.infinispan.org/schemas/infinispan-config-15.0.xsd" | ||||||
|         xmlns="urn:infinispan:config:14.0"> |         xmlns="urn:infinispan:config:15.0"> | ||||||
| 
 | 
 | ||||||
| {% set stack_expression='' %} | {% set stack_expression='' %} | ||||||
| {% if keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING' %} | {% if keycloak_quarkus_version is version_compare('26.2.0', '<') %} | ||||||
|  | {% if keycloak_quarkus_ha_enabled %} | ||||||
|  | {% if keycloak_quarkus_ha_discovery == 'TCPPING' %} | ||||||
| {% set stack_expression='stack="tcpping"' %} | {% set stack_expression='stack="tcpping"' %} | ||||||
|     <jgroups> |     <jgroups> | ||||||
|         <stack name="tcpping" extends="tcp"> |         <stack name="tcpping" extends="tcp"> | ||||||
|             <!-- <TCP external_addr="${env.KC_EXTERNAL_ADDR}" bind_addr="{{ keycloak_quarkus_bind_address }}" bind_port="{{ keycloak_quarkus_jgroups_port }}" /> --> |             <!-- <TCP external_addr="${env.KC_EXTERNAL_ADDR}" bind_addr="{{ keycloak_quarkus_http_host }}" bind_port="{{ keycloak_quarkus_jgroups_port }}" /> --> | ||||||
|             <TCPPING |             <TCPPING | ||||||
|                 initial_hosts="{{ keycloak_quarkus_cluster_nodes | map(attribute='inventory_host') | join (',') }}" |                 initial_hosts="{{ keycloak_quarkus_cluster_nodes | map(attribute='inventory_host') | join (',') }}" | ||||||
|                 port_range="0" |                 port_range="0" | ||||||
|  | @ -35,6 +37,10 @@ | ||||||
|             /> |             /> | ||||||
|         </stack> |         </stack> | ||||||
|     </jgroups> |     </jgroups> | ||||||
|  | {% elif keycloak_quarkus_ha_discovery == 'JDBCPING' %} | ||||||
|  | {% set stack_expression='stack="JDBC_PING2"' %} | ||||||
|  | {% endif %} | ||||||
|  | {% endif %} | ||||||
| {% endif %} | {% endif %} | ||||||
| 
 | 
 | ||||||
|     <cache-container name="keycloak"> |     <cache-container name="keycloak"> | ||||||
|  | @ -55,18 +61,22 @@ | ||||||
|         </local-cache> |         </local-cache> | ||||||
|         <distributed-cache name="sessions" owners="2"> |         <distributed-cache name="sessions" owners="2"> | ||||||
|             <expiration lifespan="-1"/> |             <expiration lifespan="-1"/> | ||||||
|  |             <memory max-count="10000"/> | ||||||
|         </distributed-cache> |         </distributed-cache> | ||||||
|         <distributed-cache name="authenticationSessions" owners="2"> |         <distributed-cache name="authenticationSessions" owners="2"> | ||||||
|             <expiration lifespan="-1"/> |             <expiration lifespan="-1"/> | ||||||
|         </distributed-cache> |         </distributed-cache> | ||||||
|         <distributed-cache name="offlineSessions" owners="2"> |         <distributed-cache name="offlineSessions" owners="2"> | ||||||
|             <expiration lifespan="-1"/> |             <expiration lifespan="-1"/> | ||||||
|  |             <memory max-count="10000"/> | ||||||
|         </distributed-cache> |         </distributed-cache> | ||||||
|         <distributed-cache name="clientSessions" owners="2"> |         <distributed-cache name="clientSessions" owners="2"> | ||||||
|             <expiration lifespan="-1"/> |             <expiration lifespan="-1"/> | ||||||
|  |             <memory max-count="10000"/> | ||||||
|         </distributed-cache> |         </distributed-cache> | ||||||
|         <distributed-cache name="offlineClientSessions" owners="2"> |         <distributed-cache name="offlineClientSessions" owners="2"> | ||||||
|             <expiration lifespan="-1"/> |             <expiration lifespan="-1"/> | ||||||
|  |             <memory max-count="10000"/> | ||||||
|         </distributed-cache> |         </distributed-cache> | ||||||
|         <distributed-cache name="loginFailures" owners="2"> |         <distributed-cache name="loginFailures" owners="2"> | ||||||
|             <expiration lifespan="-1"/> |             <expiration lifespan="-1"/> | ||||||
|  | @ -89,6 +99,14 @@ | ||||||
|             <expiration max-idle="3600000"/> |             <expiration max-idle="3600000"/> | ||||||
|             <memory max-count="1000"/> |             <memory max-count="1000"/> | ||||||
|         </local-cache> |         </local-cache> | ||||||
|  |         <local-cache name="crl" simple-cache="true"> | ||||||
|  |             <encoding> | ||||||
|  |                 <key media-type="application/x-java-object"/> | ||||||
|  |                 <value media-type="application/x-java-object"/> | ||||||
|  |             </encoding> | ||||||
|  |             <expiration lifespan="-1"/> | ||||||
|  |             <memory max-count="1000"/> | ||||||
|  |         </local-cache> | ||||||
|         <distributed-cache name="actionTokens" owners="2"> |         <distributed-cache name="actionTokens" owners="2"> | ||||||
|             <encoding> |             <encoding> | ||||||
|                 <key media-type="application/x-java-object"/> |                 <key media-type="application/x-java-object"/> | ||||||
|  |  | ||||||
|  | @ -1,13 +1,13 @@ | ||||||
| {{ ansible_managed | comment }} | {{ ansible_managed | comment }} | ||||||
| {% if not ansible_local.keycloak.general.bootstrapped | default(false) | bool %} | {% if not ansible_local.keycloak.general.bootstrapped | default(false) | bool %} | ||||||
| KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }} | KC_BOOTSTRAP_ADMIN_USERNAME={{ keycloak_quarkus_bootstrap_admin_user }} | ||||||
| KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}' | KC_BOOTSTRAP_ADMIN_PASSWORD='{{ keycloak_quarkus_bootstrap_admin_password }}' | ||||||
| {% else %} | {% else %} | ||||||
| {{ keycloak.bootstrap_mnemonic }} | {{ keycloak.bootstrap_mnemonic }} | ||||||
| {% endif %} | {% endif %} | ||||||
| PATH={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin | PATH="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" | ||||||
| JAVA_HOME={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }} | JAVA_HOME="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}" | ||||||
| JAVA_OPTS={{ keycloak_quarkus_java_opts }} | JAVA_OPTS="{{ keycloak_quarkus_java_opts }}" | ||||||
| 
 | 
 | ||||||
| # Custom ENV variables | # Custom ENV variables | ||||||
| {% for env in keycloak_quarkus_additional_env_vars %} | {% for env in keycloak_quarkus_additional_env_vars %} | ||||||
|  |  | ||||||
|  | @ -2,26 +2,18 @@ | ||||||
| 
 | 
 | ||||||
| {% if keycloak_quarkus_db_enabled %} | {% if keycloak_quarkus_db_enabled %} | ||||||
| # Database | # Database | ||||||
| db={{ keycloak_quarkus_jdbc_engine }} | db={{ keycloak_quarkus_db_engine }} | ||||||
| db-url={{ keycloak_quarkus_jdbc_url }} | db-url={{ keycloak_quarkus_db_url }} | ||||||
| db-username={{ keycloak_quarkus_db_user }} | db-username={{ keycloak_quarkus_db_user }} | ||||||
| {% if not keycloak.config_key_store_enabled %} | {% if not keycloak.config_key_store_enabled %} | ||||||
| db-password={{ keycloak_quarkus_db_pass }} | db-password={{ keycloak_quarkus_db_pass }} | ||||||
| {% endif %} | {% endif %} | ||||||
| {% endif %} | {% endif %} | ||||||
| 
 | 
 | ||||||
| {% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas true -%} |  | ||||||
| hostname-strict-https=true |  | ||||||
| {% endif -%} |  | ||||||
| {% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas false -%} |  | ||||||
| hostname-strict-https=false |  | ||||||
| {% endif -%} |  | ||||||
| 
 |  | ||||||
| {% if keycloak.config_key_store_enabled %} | {% if keycloak.config_key_store_enabled %} | ||||||
| # Config store | # Config store | ||||||
| config-keystore={{ keycloak_quarkus_config_key_store_file }} | config-keystore={{ keycloak_quarkus_config_key_store_file }} | ||||||
| config-keystore-password={{ keycloak_quarkus_config_key_store_password }} | config-keystore-password={{ keycloak_quarkus_config_key_store_password }} | ||||||
| config-keystore-type=PKCS12 |  | ||||||
| {% endif %} | {% endif %} | ||||||
| 
 | 
 | ||||||
| # Observability | # Observability | ||||||
|  | @ -30,8 +22,17 @@ health-enabled={{ keycloak_quarkus_health_enabled | lower }} | ||||||
| 
 | 
 | ||||||
| # HTTP | # HTTP | ||||||
| http-enabled={{ keycloak_quarkus_http_enabled | lower }} | http-enabled={{ keycloak_quarkus_http_enabled | lower }} | ||||||
|  | {% if keycloak_quarkus_http_enabled %} | ||||||
| http-port={{ keycloak_quarkus_http_port }} | http-port={{ keycloak_quarkus_http_port }} | ||||||
|  | {% endif %} | ||||||
| http-relative-path={{ keycloak_quarkus_http_relative_path }} | http-relative-path={{ keycloak_quarkus_http_relative_path }} | ||||||
|  | http-host={{ keycloak_quarkus_http_host }} | ||||||
|  | 
 | ||||||
|  | # Management | ||||||
|  | http-management-port={{ keycloak_quarkus_http_management_port }} | ||||||
|  | {% if keycloak_quarkus_http_management_relative_path is defined and keycloak_quarkus_http_management_relative_path | length > 0 %} | ||||||
|  | http-management-relative-path={{ keycloak_quarkus_http_management_relative_path }} | ||||||
|  | {% endif %} | ||||||
| 
 | 
 | ||||||
| # HTTPS | # HTTPS | ||||||
| https-port={{ keycloak_quarkus_https_port }} | https-port={{ keycloak_quarkus_https_port }} | ||||||
|  | @ -49,23 +50,21 @@ https-trust-store-password={{ keycloak_quarkus_https_trust_store_password }} | ||||||
| {% endif %} | {% endif %} | ||||||
| 
 | 
 | ||||||
| # Client URL configuration | # Client URL configuration | ||||||
| {% if keycloak_quarkus_frontend_url %} | hostname={{ keycloak_quarkus_hostname }} | ||||||
| hostname-url={{ keycloak_quarkus_frontend_url }} | hostname-admin={{ keycloak_quarkus_hostname_admin }} | ||||||
| {% else %} |  | ||||||
| hostname={{ keycloak_quarkus_host }} |  | ||||||
| hostname-port={{ keycloak_quarkus_port }} |  | ||||||
| hostname-path={{ keycloak_quarkus_path }} |  | ||||||
| {% endif %} |  | ||||||
| hostname-admin-url={{ keycloak_quarkus_admin_url }} |  | ||||||
| hostname-strict={{ keycloak_quarkus_hostname_strict | lower }} | hostname-strict={{ keycloak_quarkus_hostname_strict | lower }} | ||||||
| hostname-strict-backchannel={{ keycloak_quarkus_hostname_strict_backchannel | lower }} | hostname-backchannel-dynamic={{ keycloak_quarkus_hostname_backchannel_dynamic | lower }} | ||||||
| 
 | 
 | ||||||
| # Cluster | # Cluster | ||||||
| {% if keycloak_quarkus_ha_enabled %} | {% if keycloak_quarkus_ha_enabled %} | ||||||
| cache=ispn | cache=ispn | ||||||
| cache-config-file=cache-ispn.xml | cache-config-file=cache-ispn.xml | ||||||
| {% if keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING' %} | {% if keycloak_quarkus_cache_remote %} | ||||||
| # cache-stack=tcp # configured directly in `cache-ispn.xml` | cache-remote-username={{ keycloak_quarkus_cache_remote_username }} | ||||||
|  | cache-remote-password={{ keycloak_quarkus_cache_remote_password }} | ||||||
|  | cache-remote-host={{ keycloak_quarkus_cache_remote_host }} | ||||||
|  | cache-remote-port={{ keycloak_quarkus_cache_remote_port }} | ||||||
|  | cache-remote-tls-enabled={{ keycloak_quarkus_cache_remote_tls_enabled | lower }} | ||||||
| {% endif %} | {% endif %} | ||||||
| {% endif %} | {% endif %} | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -1,22 +1,22 @@ | ||||||
| {{ ansible_managed | comment }} | {{ ansible_managed | comment }} | ||||||
| {% if keycloak_quarkus_ha_enabled %} | {% if keycloak_quarkus_ha_enabled %} | ||||||
| {% if keycloak_quarkus_version.split('.')[0] | int < 22 %} | {% if keycloak_quarkus_version.split('.')[0] | int < 22 %} | ||||||
| quarkus.infinispan-client.server-list={{ keycloak_quarkus_ispn_hosts }} | quarkus.infinispan-client.server-list={{ keycloak_quarkus_cache_remote_host }}:{{ keycloak_quarkus_cache_remote_port }} | ||||||
| quarkus.infinispan-client.auth-username={{ keycloak_quarkus_ispn_user }} | quarkus.infinispan-client.auth-username={{ keycloak_quarkus_cache_remote_username }} | ||||||
| quarkus.infinispan-client.auth-password={{ keycloak_quarkus_ispn_pass }} | quarkus.infinispan-client.auth-password={{ keycloak_quarkus_cache_remote_password }} | ||||||
| {% else %} | {% else %} | ||||||
| quarkus.infinispan-client.hosts={{ keycloak_quarkus_ispn_hosts }} | quarkus.infinispan-client.hosts={{ keycloak_quarkus_cache_remote_host }}:{{ keycloak_quarkus_cache_remote_port }} | ||||||
| quarkus.infinispan-client.username={{ keycloak_quarkus_ispn_user }} | quarkus.infinispan-client.username={{ keycloak_quarkus_cache_remote_username }} | ||||||
| quarkus.infinispan-client.password={{ keycloak_quarkus_ispn_pass }} | quarkus.infinispan-client.password={{ keycloak_quarkus_cache_remote_password }} | ||||||
| {% endif %} | {% endif %} | ||||||
| quarkus.infinispan-client.client-intelligence=HASH_DISTRIBUTION_AWARE | quarkus.infinispan-client.client-intelligence=HASH_DISTRIBUTION_AWARE | ||||||
| quarkus.infinispan-client.use-auth=true | quarkus.infinispan-client.use-auth=true | ||||||
| quarkus.infinispan-client.auth-realm=default | quarkus.infinispan-client.auth-realm=default | ||||||
| quarkus.infinispan-client.auth-server-name=infinispan | quarkus.infinispan-client.auth-server-name=infinispan | ||||||
| quarkus.infinispan-client.sasl-mechanism={{ keycloak_quarkus_ispn_sasl_mechanism }} | quarkus.infinispan-client.sasl-mechanism={{ keycloak_quarkus_cache_remote_sasl_mechanism }} | ||||||
| {% if keycloak_quarkus_ispn_use_ssl %} | {% if keycloak_quarkus_cache_remote_tls_enabled %} | ||||||
| quarkus.infinispan-client.trust-store={{ keycloak_quarkus_ispn_trust_store_path }} | quarkus.infinispan-client.trust-store={{ keycloak_quarkus_https_trust_store_file }} | ||||||
| quarkus.infinispan-client.trust-store-password={{ keycloak_quarkus_ispn_trust_store_password }} | quarkus.infinispan-client.trust-store-password={{ keycloak_quarkus_https_trust_store_password }} | ||||||
| quarkus.infinispan-client.trust-store-type=jks | quarkus.infinispan-client.trust-store-type=jks | ||||||
| {% endif %} | {% endif %} | ||||||
| #quarkus.infinispan-client.use-schema-registration=true | #quarkus.infinispan-client.use-schema-registration=true | ||||||
|  |  | ||||||
|  | @ -1,7 +1,8 @@ | ||||||
| --- | --- | ||||||
| keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('openjdk-17-jdk-headless') }}" | keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('openjdk-21-jdk-headless') }}" | ||||||
| keycloak_quarkus_prereq_package_list: | keycloak_quarkus_prereq_package_list: | ||||||
|       - "{{ keycloak_quarkus_varjvm_package }}" |       - "{{ keycloak_quarkus_varjvm_package }}" | ||||||
|  |       - bash | ||||||
|       - unzip |       - unzip | ||||||
|       - procps |       - procps | ||||||
|       - apt |       - apt | ||||||
|  |  | ||||||
|  | @ -4,8 +4,7 @@ keycloak: # noqa var-naming this is an internal dict of interpolated values | ||||||
|   config_dir: "{{ keycloak_quarkus_config_dir }}" |   config_dir: "{{ keycloak_quarkus_config_dir }}" | ||||||
|   bundle: "{{ keycloak_quarkus_archive }}" |   bundle: "{{ keycloak_quarkus_archive }}" | ||||||
|   service_name: "keycloak" |   service_name: "keycloak" | ||||||
|   health_url: "{{ 'https' if keycloak_quarkus_http_enabled == False else 'http' }}://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_https_port if keycloak_quarkus_http_enabled == False else keycloak_quarkus_http_port }}{{ keycloak_quarkus_http_relative_path }}{{ '/' \ |   health_url: "{{ keycloak_quarkus_health_check_url | default(keycloak_quarkus_hostname ~ '/' ~ (keycloak_quarkus_health_check_url_path | default('realms/master/.well-known/openid-configuration'))) }}" | ||||||
|                if keycloak_quarkus_http_relative_path | length > 1 else '' }}{{ keycloak_quarkus_health_check_url_path | default('realms/master/.well-known/openid-configuration') }}" |  | ||||||
|   cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh" |   cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh" | ||||||
|   service_user: "{{ keycloak_quarkus_service_user }}" |   service_user: "{{ keycloak_quarkus_service_user }}" | ||||||
|   service_group: "{{ keycloak_quarkus_service_group }}" |   service_group: "{{ keycloak_quarkus_service_group }}" | ||||||
|  |  | ||||||
|  | @ -1,7 +1,8 @@ | ||||||
| --- | --- | ||||||
| keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('java-17-openjdk-headless') }}" | keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('java-21-openjdk-headless') }}" | ||||||
| keycloak_quarkus_prereq_package_list: | keycloak_quarkus_prereq_package_list: | ||||||
|       - "{{ keycloak_quarkus_varjvm_package }}" |       - "{{ keycloak_quarkus_varjvm_package }}" | ||||||
|  |       - bash | ||||||
|       - unzip |       - unzip | ||||||
|       - procps-ng |       - procps-ng | ||||||
|       - initscripts |       - initscripts | ||||||
|  |  | ||||||
|  | @ -19,7 +19,7 @@ Role Defaults | ||||||
| |`keycloak_management_http_port`| Management port | `9990` | | |`keycloak_management_http_port`| Management port | `9990` | | ||||||
| |`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` | | |`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` | | ||||||
| |`keycloak_client_public`| Configure a public realm client | `True` | | |`keycloak_client_public`| Configure a public realm client | `True` | | ||||||
| |`keycloak_client_web_origins`| Web origins for realm client | `+` | | |`keycloak_client_web_origins`| Web origins for realm client | `/*` | | ||||||
| |`keycloak_url`| URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` | | |`keycloak_url`| URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` | | ||||||
| |`keycloak_management_url`| URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` | | |`keycloak_management_url`| URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` | | ||||||
| 
 | 
 | ||||||
|  | @ -74,6 +74,7 @@ Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/ge | ||||||
|     - name: <name of the client> |     - name: <name of the client> | ||||||
|       id: <id of the client> |       id: <id of the client> | ||||||
|       client_id: <id of the client> |       client_id: <id of the client> | ||||||
|  |       secret: <secret of the client (Optional)> | ||||||
|       roles: <keycloak_client_default_roles> |       roles: <keycloak_client_default_roles> | ||||||
|       realm: <name of the realm that contains the client> |       realm: <name of the realm that contains the client> | ||||||
|       public_client: <true for public, false for confidential> |       public_client: <true for public, false for confidential> | ||||||
|  |  | ||||||
|  | @ -43,7 +43,7 @@ keycloak_client_default_roles: [] | ||||||
| keycloak_client_public: true | keycloak_client_public: true | ||||||
| 
 | 
 | ||||||
| # allowed web origins for the client | # allowed web origins for the client | ||||||
| keycloak_client_web_origins: '+' | keycloak_client_web_origins: '/*' | ||||||
| 
 | 
 | ||||||
| # list of user and role mappings to create in the client | # list of user and role mappings to create in the client | ||||||
| # Each user has the form: | # Each user has the form: | ||||||
|  | @ -54,3 +54,7 @@ keycloak_client_users: [] | ||||||
| 
 | 
 | ||||||
| ### List of Keycloak User Federation | ### List of Keycloak User Federation | ||||||
| keycloak_user_federation: [] | keycloak_user_federation: [] | ||||||
|  | 
 | ||||||
|  | # other settings | ||||||
|  | keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + (keycloak_jboss_port_offset | default(0)) }}" | ||||||
|  | keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + (keycloak_jboss_port_offset | default(0)) }}" | ||||||
|  |  | ||||||
|  | @ -53,7 +53,7 @@ argument_specs: | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|             keycloak_client_web_origins: |             keycloak_client_web_origins: | ||||||
|                 # line 42 of keycloak_realm/defaults/main.yml |                 # line 42 of keycloak_realm/defaults/main.yml | ||||||
|                 default: "+" |                 default: "/*" | ||||||
|                 description: "Web origins for realm client" |                 description: "Web origins for realm client" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_client_users: |             keycloak_client_users: | ||||||
|  |  | ||||||
|  | @ -8,7 +8,7 @@ galaxy_info: | ||||||
| 
 | 
 | ||||||
|   license: Apache License 2.0 |   license: Apache License 2.0 | ||||||
| 
 | 
 | ||||||
|   min_ansible_version: "2.15" |   min_ansible_version: "2.16" | ||||||
| 
 | 
 | ||||||
|   platforms: |   platforms: | ||||||
|     - name: EL |     - name: EL | ||||||
|  |  | ||||||
|  | @ -15,6 +15,7 @@ | ||||||
|   ansible.builtin.uri: |   ansible.builtin.uri: | ||||||
|     url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}" |     url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}" | ||||||
|     method: GET |     method: GET | ||||||
|  |     validate_certs: false | ||||||
|     status_code: |     status_code: | ||||||
|       - 200 |       - 200 | ||||||
|       - 404 |       - 404 | ||||||
|  | @ -45,7 +46,7 @@ | ||||||
|     name: "{{ item.name }}" |     name: "{{ item.name }}" | ||||||
|     state: present |     state: present | ||||||
|     provider_id: "{{ item.provider_id }}" |     provider_id: "{{ item.provider_id }}" | ||||||
|     provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}" |     provider_type: "{{ item.provider_type | default('org.keycloak.storage.UserStorageProvider') }}" | ||||||
|     config: "{{ item.config }}" |     config: "{{ item.config }}" | ||||||
|     mappers: "{{ item.mappers | default(omit) }}" |     mappers: "{{ item.mappers | default(omit) }}" | ||||||
|   no_log: "{{ keycloak_no_log | default('True') }}" |   no_log: "{{ keycloak_no_log | default('True') }}" | ||||||
|  | @ -75,6 +76,7 @@ | ||||||
|     default_roles: "{{ item.roles | default(omit) }}" |     default_roles: "{{ item.roles | default(omit) }}" | ||||||
|     client_id: "{{ item.client_id | default(omit) }}" |     client_id: "{{ item.client_id | default(omit) }}" | ||||||
|     id: "{{ item.id | default(omit) }}" |     id: "{{ item.id | default(omit) }}" | ||||||
|  |     secret: "{{ item.secret | default(omit) }}" | ||||||
|     name: "{{ item.name | default(omit) }}" |     name: "{{ item.name | default(omit) }}" | ||||||
|     description: "{{ item.description | default(omit) }}" |     description: "{{ item.description | default(omit) }}" | ||||||
|     root_url: "{{ item.root_url | default('') }}" |     root_url: "{{ item.root_url | default('') }}" | ||||||
|  | @ -82,7 +84,7 @@ | ||||||
|     base_url: "{{ item.base_url | default('') }}" |     base_url: "{{ item.base_url | default('') }}" | ||||||
|     enabled: "{{ item.enabled | default(True) }}" |     enabled: "{{ item.enabled | default(True) }}" | ||||||
|     redirect_uris: "{{ item.redirect_uris | default(omit) }}" |     redirect_uris: "{{ item.redirect_uris | default(omit) }}" | ||||||
|     web_origins: "{{ item.web_origins | default('+') }}" |     web_origins: "{{ item.web_origins | default(omit) }}" | ||||||
|     bearer_only: "{{ item.bearer_only | default(omit) }}" |     bearer_only: "{{ item.bearer_only | default(omit) }}" | ||||||
|     standard_flow_enabled: "{{ item.standard_flow_enabled | default(omit) }}" |     standard_flow_enabled: "{{ item.standard_flow_enabled | default(omit) }}" | ||||||
|     implicit_flow_enabled: "{{ item.implicit_flow_enabled | default(omit) }}" |     implicit_flow_enabled: "{{ item.implicit_flow_enabled | default(omit) }}" | ||||||
|  | @ -92,7 +94,7 @@ | ||||||
|     protocol: "{{ item.protocol | default(omit) }}" |     protocol: "{{ item.protocol | default(omit) }}" | ||||||
|     attributes: "{{ item.attributes | default(omit) }}" |     attributes: "{{ item.attributes | default(omit) }}" | ||||||
|     state: present |     state: present | ||||||
|   no_log: "{{ keycloak_no_log | default('True') }}" |   no_log: "{{ keycloak_no_log | default('false') }}" | ||||||
|   register: create_client_result |   register: create_client_result | ||||||
|   loop: "{{ keycloak_clients | flatten }}" |   loop: "{{ keycloak_clients | flatten }}" | ||||||
|   when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined) |   when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined) | ||||||
|  | @ -110,3 +112,6 @@ | ||||||
|   loop_control: |   loop_control: | ||||||
|     loop_var: client |     loop_var: client | ||||||
|   when: "'users' in client" |   when: "'users' in client" | ||||||
|  |    | ||||||
|  | - name: Provide Access token lifespan | ||||||
|  |   ansible.builtin.include_tasks: manage_token_lifespan.yml | ||||||
|  |  | ||||||
							
								
								
									
										14
									
								
								roles/keycloak_realm/tasks/manage_token_lifespan.yml
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										14
									
								
								roles/keycloak_realm/tasks/manage_token_lifespan.yml
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,14 @@ | ||||||
|  | --- | ||||||
|  | - name: "Update Access token lifespan" | ||||||
|  |   ansible.builtin.uri: | ||||||
|  |     url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}" | ||||||
|  |     method: PUT | ||||||
|  |     body: | ||||||
|  |       accessTokenLifespan: 300 | ||||||
|  |     validate_certs: false | ||||||
|  |     body_format: json | ||||||
|  |     status_code: | ||||||
|  |       - 200 | ||||||
|  |       - 204 | ||||||
|  |     headers: | ||||||
|  |       Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" | ||||||
|  | @ -3,6 +3,7 @@ | ||||||
|   ansible.builtin.uri: |   ansible.builtin.uri: | ||||||
|     url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | default(keycloak_realm) }}" |     url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | default(keycloak_realm) }}" | ||||||
|     method: GET |     method: GET | ||||||
|  |     validate_certs: false | ||||||
|     status_code: |     status_code: | ||||||
|       - 200 |       - 200 | ||||||
|     headers: |     headers: | ||||||
|  | @ -16,6 +17,7 @@ | ||||||
|           default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | \ |           default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | \ | ||||||
|           selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available" |           selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available" | ||||||
|     method: GET |     method: GET | ||||||
|  |     validate_certs: false | ||||||
|     status_code: |     status_code: | ||||||
|       - 200 |       - 200 | ||||||
|     headers: |     headers: | ||||||
|  |  | ||||||
|  | @ -3,7 +3,3 @@ | ||||||
| 
 | 
 | ||||||
| # name of the realm to create, this is a required variable | # name of the realm to create, this is a required variable | ||||||
| keycloak_realm: | keycloak_realm: | ||||||
| 
 |  | ||||||
| # other settings |  | ||||||
| keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + (keycloak_jboss_port_offset | default(0)) }}" |  | ||||||
| keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + (keycloak_jboss_port_offset | default(0)) }}" |  | ||||||
|  |  | ||||||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue