mirror of
				https://github.com/ansible-middleware/keycloak.git
				synced 2025-10-25 21:44:10 -07:00 
			
		
		
		
	Compare commits
	
		
			112 commits
		
	
	
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|  | 412e17e9ea | ||
|  | fa87c004e3 | ||
|  | 6c9bddbd61 | ||
|  | 4602d254cf | ||
|  | 8b2ef22023 | ||
|  | 66228c3a13 | ||
|  | 556d155533 | ||
|  | c1bf9727f9 | ||
|  | f79fd227eb | ||
|  | 19564987ca | ||
|  | 1ff25325a7 | ||
|  | 0099f1cf07 | ||
|  | 725ec8e37b | ||
|  | bbe568baa5 | ||
|  | dcd448443f | ||
|  | 3780a4e3c0 | ||
|  | e60a5b7cf6 | ||
|  | 6143ae25e2 | ||
|  | ef6d8890fb | ||
|  | 55185a1439 | ||
|  | bb64b97e43 | ||
|  | a9c9e05569 | ||
|  | 8b27cb0706 | ||
|  | 41127504dc | ||
|  | bcc961999c | ||
|  | b8907d765d | ||
|  | 5c5e84b63e | ||
|  | 3d4bd734f1 | ||
|  | 3de96a6666 | ||
|  | de0ea02272 | ||
|  | b6e585f503 | ||
|  | 18de37706f | ||
|  | b569e4e713 | ||
|  | 919d55f806 | ||
|  | 476bc0ec0b | ||
|  | 2954bf81e8 | ||
|  | 0403939c03 | ||
|  | 88e4ea8d99 | ||
|  | 0a5fc3ae25 | ||
|  | f4a1798f26 | ||
|  | d23ae39c25 | ||
|  | 8f95bcb9e6 | ||
|  | f8c75de5d5 | ||
|  | 8093b1af2a | ||
|  | a70aece0d9 | ||
|  | d427a6b721 | ||
|  | c614af127e | ||
|  | 0936d415c7 | ||
|  | a120b1c9b5 | ||
|  | 5cd400b053 | ||
|  | e0c4b1e1ff | ||
|  | 88be789260 | ||
|  | 868dac4f72 | ||
|  | c45f7c0d60 | ||
|  | 77c5b893b1 | ||
|  | 9974ab2ee1 | ||
|  | b8a2ebc699 | ||
|  | 5beb5dcda4 | ||
|  | d97044523d | ||
|  | 2abc580041 | ||
|  | 2379e10091 | ||
|  | c86dff66ba | ||
|  | f750e93d02 | ||
|  | 1a4590b0b8 | ||
|  | 5e9535c866 | ||
|  | b8028d376a | ||
|  | 20797e4cad | ||
|  | 70d61ce8de | ||
|  | 69a947c0b6 | ||
|  | c7ce7be6c4 | ||
|  | e9061b29ef | ||
|  | c92bf19720 | ||
|  | 1ca0b30a81 | ||
|  | 7738e0feb1 | ||
|  | 671cf4eb53 | ||
|  | f146eb5fda | ||
|  | a10bc95bfc | ||
|  | 314e2f26b2 | ||
|  | f628b84fb0 | ||
|  | ac0ceca35f | ||
|  | 744766fe3b | ||
|  | 7f980c44d2 | ||
|  | 532dc12a60 | ||
|  | 173a85638f | ||
|  | 81f019f8b5 | ||
|  | 5db96afa56 | ||
|  | fa36721207 | ||
|  | 86284b12c2 | ||
|  | b3e93dd89b | ||
|  | e029e1c2fd | ||
|  | d0f19b59dc | ||
|  | 213449ec58 | ||
|  | 277e1336ee | ||
|  | 58233549a7 | ||
|  | 0c58ae48ff | ||
|  | bf0bd9e1da | ||
|  | 5d15d37890 | ||
|  | 910a2aa5d4 | ||
|  | 5f534ca566 | ||
|  | 692fb59797 | ||
|  | d1859aaff2 | ||
|  | 0d0e52f9ff | ||
|  | 68a0f88423 | ||
|  | 333d55ad73 | ||
|  | f6fdae4aa8 | ||
|  | b8c11f3ca8 | ||
|  | 1279937bb0 | ||
|  | c57753f608 | ||
|  | be19ec1289 | ||
|  | 5f1b43f37b | ||
|  | c6bb815979 | ||
|  | ac4511bea9 | 
					 95 changed files with 4492 additions and 715 deletions
				
			
		
							
								
								
									
										13
									
								
								.github/workflows/ci.yml
									
										
									
									
										vendored
									
									
								
							
							
						
						
									
										13
									
								
								.github/workflows/ci.yml
									
										
									
									
										vendored
									
									
								
							|  | @ -6,14 +6,23 @@ on: | |||
|       - main | ||||
|   pull_request: | ||||
|   workflow_dispatch: | ||||
|     inputs: | ||||
|       debug_verbosity: | ||||
|         description: 'ANSIBLE_VERBOSITY envvar value' | ||||
|         required: false | ||||
|   schedule: | ||||
|     - cron: '15 6 * * *' | ||||
| 
 | ||||
| jobs: | ||||
|   ci: | ||||
|     uses: ansible-middleware/github-actions/.github/workflows/ci.yml@main | ||||
|     uses: ansible-middleware/github-actions/.github/workflows/cish.yml@main | ||||
|     secrets: inherit | ||||
|     with: | ||||
|       fqcn: 'middleware_automation/keycloak' | ||||
|       debug_verbosity: "${{ github.event.inputs.debug_verbosity }}" | ||||
|       molecule_tests: >- | ||||
|           [ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "quarkus_upgrade", "debian", "quarkus_ha" ] | ||||
|         [ "debian", "quarkus", "quarkus_ha", "quarkus_ha_remote" ] | ||||
|       podman_tests_current: >- | ||||
|         [ "default", "quarkus_devmode", "quarkus_upgrade" ] | ||||
|       podman_tests_next: >- | ||||
|         [ "default", "quarkus_devmode", "quarkus_upgrade" ] | ||||
|  |  | |||
|  | @ -6,6 +6,76 @@ middleware\_automation.keycloak Release Notes | |||
| 
 | ||||
| This changelog describes changes after version 0.2.6. | ||||
| 
 | ||||
| v3.0.2 | ||||
| ====== | ||||
| 
 | ||||
| Minor Changes | ||||
| ------------- | ||||
| 
 | ||||
| - New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_ | ||||
| - New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_ | ||||
| - Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_ | ||||
| - Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_ | ||||
| 
 | ||||
| Bugfixes | ||||
| -------- | ||||
| 
 | ||||
| - Fix ``keycloak_quarkus_force_install`` parameter being ignored by install `#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_ | ||||
| - Fix alternate download location being ignored (JBossNeworkAPI always used) `#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_ | ||||
| - Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_ | ||||
| - Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_ | ||||
| - keycloak_realm: federation default provider type should be a string `#302 <https://github.com/ansible-middleware/keycloak/pull/302>`_ | ||||
| 
 | ||||
| v3.0.1 | ||||
| ====== | ||||
| 
 | ||||
| Minor Changes | ||||
| ------------- | ||||
| 
 | ||||
| - Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_ | ||||
| 
 | ||||
| Bugfixes | ||||
| -------- | ||||
| 
 | ||||
| - Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_ | ||||
| 
 | ||||
| v3.0.0 | ||||
| ====== | ||||
| 
 | ||||
| Minor Changes | ||||
| ------------- | ||||
| 
 | ||||
| - Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_ | ||||
| - keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_ | ||||
| 
 | ||||
| Breaking Changes / Porting Guide | ||||
| -------------------------------- | ||||
| 
 | ||||
| - Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_ | ||||
| - Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_ | ||||
| - Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_ | ||||
| 
 | ||||
| Bugfixes | ||||
| -------- | ||||
| 
 | ||||
| - Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_ | ||||
| - Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_ | ||||
| - Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_ | ||||
| - Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_ | ||||
| 
 | ||||
| New Modules | ||||
| ----------- | ||||
| 
 | ||||
| - middleware_automation.keycloak.keycloak_realm - Allows administration of Keycloak realm via Keycloak API | ||||
| 
 | ||||
| v2.4.3 | ||||
| ====== | ||||
| 
 | ||||
| Minor Changes | ||||
| ------------- | ||||
| 
 | ||||
| - Update keycloak to 24.0.5 `#241 <https://github.com/ansible-middleware/keycloak/pull/241>`_ | ||||
| 
 | ||||
| v2.4.2 | ||||
| ====== | ||||
| 
 | ||||
|  |  | |||
|  | @ -1,3 +1,37 @@ | |||
| ## Developing | ||||
| 
 | ||||
| ### Build and install locally | ||||
| 
 | ||||
| Clone the repository, checkout the tag you want to build, or pick the main branch for the development version; then: | ||||
| 
 | ||||
|     ansible-galaxy collection build . | ||||
|     ansible-galaxy collection install middleware_automation-keycloak-*.tar.gz | ||||
| 
 | ||||
| 
 | ||||
| ### Development environment | ||||
| 
 | ||||
| Make sure your development machine has avilable: | ||||
| 
 | ||||
| * python 3.11+ | ||||
| * virtualenv | ||||
| * docker (or podman) | ||||
| 
 | ||||
| In order to run setup the development environment and run the molecule tests locally, after cloning the repository: | ||||
| 
 | ||||
| ``` | ||||
| # create new virtualenv using python 3 | ||||
| virtualenv $PATH_TO_DEV_VIRTUALENV | ||||
| # activate the virtual env | ||||
| source $PATH_TO_DEV_VIRTUALENV/bin/activate | ||||
| # install ansible and tools onto the virtualenv | ||||
| pip install yamllint 'molecule>=6.0' 'molecule-plugins[docker]' 'ansible-core>=2.16' ansible-lint | ||||
| # install collection dependencies | ||||
| ansible-galaxy collection install -r requirements.yml | ||||
| # install python dependencies | ||||
| pip install -r requirements.txt molecule/requirements.txt | ||||
| # execute the tests (replace --all with -s subdirectory to run a single test) | ||||
| molecule test --all | ||||
| ``` | ||||
| 
 | ||||
| ## Contributor's Guidelines | ||||
| 
 | ||||
|  |  | |||
							
								
								
									
										16
									
								
								README.md
									
										
									
									
									
								
							
							
						
						
									
										16
									
								
								README.md
									
										
									
									
									
								
							|  | @ -1,9 +1,9 @@ | |||
| # Ansible Collection - middleware_automation.keycloak | ||||
| 
 | ||||
| <!--start build_status --> | ||||
| [](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml) | ||||
| [](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml) | ||||
| 
 | ||||
| > **_NOTE:_ If you are Red Hat customer, install `redhat.sso` (for Red Hat Single Sign-On) or `redhat.rhbk` (for Red Hat Build of Keycloak) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.** | ||||
| > **_NOTE:_ If you are Red Hat customer, install `redhat.rhbk` (for Red Hat Build of Keycloak) or `redhat.sso` (for Red Hat Single Sign-On) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.** | ||||
| 
 | ||||
| <!--end build_status --> | ||||
| <!--start description --> | ||||
|  | @ -12,7 +12,7 @@ Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Re | |||
| <!--start requires_ansible--> | ||||
| ## Ansible version compatibility | ||||
| 
 | ||||
| This collection has been tested against following Ansible versions: **>=2.15.0**. | ||||
| This collection has been tested against following Ansible versions: **>=2.16.0**. | ||||
| 
 | ||||
| Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions. | ||||
| <!--end requires_ansible--> | ||||
|  | @ -49,9 +49,10 @@ A requirement file is provided to install: | |||
| <!--start roles_paths --> | ||||
| ### Included roles | ||||
| 
 | ||||
| * [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service (keycloak <= 19.0). | ||||
| * [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service. | ||||
| * [`keycloak_quarkus`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md): role for installing the quarkus variant of keycloak (>= 17.0.0). | ||||
| * `keycloak_quarkus`: role for installing keycloak (>= 19.0.0, quarkus based). | ||||
| * `keycloak_realm`: role for configuring a realm, user federation(s), clients and users, in an installed service. | ||||
| * `keycloak`: role for installing legacy keycloak (<= 19.0, wildfly based). | ||||
| 
 | ||||
| <!--end roles_paths --> | ||||
| 
 | ||||
| ## Usage | ||||
|  | @ -59,8 +60,8 @@ A requirement file is provided to install: | |||
| 
 | ||||
| ### Install Playbook | ||||
| <!--start rhbk_playbook --> | ||||
| * [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs keycloak legacy based on the defined variables (using most defaults). | ||||
| * [`playbooks/keycloak_quarkus.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_quarkus.yml) installs keycloak >= 17 based on the defined variables (using most defaults). | ||||
| * [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs keycloak legacy based on the defined variables (using most defaults). | ||||
| 
 | ||||
| Both playbooks include the `keycloak` role, with different settings, as described in the following sections. | ||||
| 
 | ||||
|  | @ -143,4 +144,3 @@ Apache License v2.0 or later | |||
| <!--start license --> | ||||
| See [LICENSE](LICENSE) to view the full text. | ||||
| <!--end license --> | ||||
| 
 | ||||
|  |  | |||
|  | @ -604,3 +604,118 @@ releases: | |||
|     - 237.yaml | ||||
|     - 239.yaml | ||||
|     release_date: '2024-09-26' | ||||
|   2.4.3: | ||||
|     changes: | ||||
|       minor_changes: | ||||
|       - 'Update keycloak to 24.0.5 `#241 <https://github.com/ansible-middleware/keycloak/pull/241>`_ | ||||
| 
 | ||||
|         ' | ||||
|     fragments: | ||||
|     - 241.yaml | ||||
|     release_date: '2024-10-16' | ||||
|   3.0.0: | ||||
|     changes: | ||||
|       breaking_changes: | ||||
|       - 'Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_ | ||||
| 
 | ||||
|         ' | ||||
|       - 'Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_ | ||||
| 
 | ||||
|         ' | ||||
|       - 'Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_ | ||||
| 
 | ||||
|         ' | ||||
|       bugfixes: | ||||
|       - 'Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_ | ||||
| 
 | ||||
|         ' | ||||
|       - 'Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_ | ||||
| 
 | ||||
|         ' | ||||
|       - 'Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_ | ||||
| 
 | ||||
|         ' | ||||
|       - 'Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_ | ||||
| 
 | ||||
|         ' | ||||
|       minor_changes: | ||||
|       - 'Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_ | ||||
| 
 | ||||
|         ' | ||||
|       - 'keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_ | ||||
| 
 | ||||
|         ' | ||||
|     fragments: | ||||
|     - 250.yaml | ||||
|     - 251.yaml | ||||
|     - 252.yaml | ||||
|     - 254.yaml | ||||
|     - 266.yaml | ||||
|     - 268.yaml | ||||
|     - 270.yaml | ||||
|     - 271.yaml | ||||
|     - 274.yaml | ||||
|     modules: | ||||
|     - description: Allows administration of Keycloak realm via Keycloak API | ||||
|       name: keycloak_realm | ||||
|       namespace: '' | ||||
|     release_date: '2025-04-23' | ||||
|   3.0.1: | ||||
|     changes: | ||||
|       bugfixes: | ||||
|       - 'Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_ | ||||
| 
 | ||||
|         ' | ||||
|       minor_changes: | ||||
|       - 'Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_ | ||||
| 
 | ||||
|         ' | ||||
|     fragments: | ||||
|     - 276.yaml | ||||
|     - 277.yaml | ||||
|     release_date: '2025-05-02' | ||||
|   3.0.2: | ||||
|     changes: | ||||
|       bugfixes: | ||||
|       - 'Fix ``keycloak_quarkus_force_install`` parameter being ignored by install | ||||
|         `#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_ | ||||
| 
 | ||||
|         ' | ||||
|       - 'Fix alternate download location being ignored (JBossNeworkAPI always used) | ||||
|         `#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_ | ||||
| 
 | ||||
|         ' | ||||
|       - 'Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_ | ||||
| 
 | ||||
|         ' | ||||
|       - 'Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_ | ||||
| 
 | ||||
|         ' | ||||
|       - 'keycloak_realm: federation default provider type should be a string `#302 | ||||
|         <https://github.com/ansible-middleware/keycloak/pull/302>`_ | ||||
| 
 | ||||
|         ' | ||||
|       minor_changes: | ||||
|       - 'New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_ | ||||
| 
 | ||||
|         ' | ||||
|       - 'New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_ | ||||
| 
 | ||||
|         ' | ||||
|       - 'Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_ | ||||
| 
 | ||||
|         ' | ||||
|       - 'Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_ | ||||
| 
 | ||||
|         ' | ||||
|     fragments: | ||||
|     - 280.yaml | ||||
|     - 281.yaml | ||||
|     - 283.yaml | ||||
|     - 285.yaml | ||||
|     - 287.yaml | ||||
|     - 289.yaml | ||||
|     - 296.yaml | ||||
|     - 298.yaml | ||||
|     - 302.yaml | ||||
|     release_date: '2025-07-01' | ||||
|  |  | |||
|  | @ -7,7 +7,7 @@ | |||
|       </div> | ||||
|       <hr/> | ||||
|       <div role="contentinfo"> | ||||
|         <p>© Copyright 2022, Red Hat, Inc.</p>
 | ||||
|         <p>© Copyright 2024, Red Hat, Inc.</p>
 | ||||
|       </div> | ||||
|       Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a | ||||
|         <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a> | ||||
|  |  | |||
|  | @ -10,31 +10,25 @@ Welcome to Keycloak Collection documentation | |||
|    README | ||||
|    plugins/index | ||||
|    roles/index | ||||
|    Changelog <CHANGELOG> | ||||
| 
 | ||||
| .. toctree:: | ||||
|    :maxdepth: 2 | ||||
|    :caption: Developer documentation | ||||
| 
 | ||||
|    testing | ||||
|    developing | ||||
|    releasing | ||||
| 
 | ||||
| .. toctree:: | ||||
|    :maxdepth: 2 | ||||
|    :caption: General | ||||
| 
 | ||||
|    Changelog <CHANGELOG> | ||||
|    Developing <developing> | ||||
|    Testing <testing> | ||||
|    Releasing <releasing> | ||||
| 
 | ||||
| .. toctree:: | ||||
|    :maxdepth: 2 | ||||
|    :caption: Middleware collections | ||||
| 
 | ||||
|    Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/> | ||||
|    Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/main/> | ||||
|    Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/> | ||||
|    Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/main/> | ||||
|    Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/main/> | ||||
|    ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/main/> | ||||
|    Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/main/> | ||||
|    Ansible Middleware utilities <https://ansible-middleware.github.io/common/main/> | ||||
|    Red Hat CSP Download <https://ansible-middleware.github.io/redhat-csp-download/main/> | ||||
|    JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/main/> | ||||
|  |  | |||
|  | @ -1,7 +1,7 @@ | |||
| antsibull>=0.17.0 | ||||
| antsibull-docs | ||||
| antsibull-changelog | ||||
| ansible-core>=2.14.1 | ||||
| ansible-core>=2.16.0 | ||||
| ansible-pygments | ||||
| sphinx-rtd-theme | ||||
| git+https://github.com/felixfontein/ansible-basic-sphinx-ext | ||||
|  |  | |||
|  | @ -4,24 +4,7 @@ | |||
| 
 | ||||
| The collection is tested with a [molecule](https://github.com/ansible-community/molecule) setup covering the included roles and verifying correct installation and idempotency. | ||||
| In order to run the molecule tests locally with python 3.9 available, after cloning the repository: | ||||
| 
 | ||||
| ``` | ||||
| pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous | ||||
| molecule test --all | ||||
| ``` | ||||
| 
 | ||||
| 
 | ||||
| ## Integration testing | ||||
| 
 | ||||
| Demo repositories which depend on the collection, and aggregate functionality with other middleware_automation collections, are automatically rebuilt | ||||
| at every collection release to ensure non-breaking changes and consistent behaviour. | ||||
| 
 | ||||
| The repository are: | ||||
| 
 | ||||
|  - [Flange demo](https://github.com/ansible-middleware/flange-demo) | ||||
|    A deployment of Wildfly cluster integrated with keycloak and infinispan. | ||||
|  - [CrossDC keycloak demo](https://github.com/ansible-middleware/cross-dc-rhsso-demo) | ||||
|    A clustered multi-regional installation of keycloak with infinispan remote caches. | ||||
| The test scenarios are available on the source code repository each on his own subdirectory under [molecule/](https://github.com/ansible-middleware/keycloak/molecule). | ||||
| 
 | ||||
| 
 | ||||
| ## Test playbooks | ||||
|  | @ -29,15 +12,7 @@ The repository are: | |||
| Sample playbooks are provided in the `playbooks/` directory; to run the playbooks locally (requires a rhel system with python 3.9+, ansible, and systemd) the steps are as follows: | ||||
| 
 | ||||
| ``` | ||||
| # setup environment | ||||
| pip install ansible-core | ||||
| # clone the repository | ||||
| git clone https://github.com/ansible-middleware/keycloak | ||||
| cd keycloak | ||||
| # install collection dependencies | ||||
| ansible-galaxy collection install -r requirements.yml | ||||
| # install collection python deps | ||||
| pip install -r requirements.txt | ||||
| # setup environment as in developing | ||||
| # create inventory for localhost | ||||
| cat << EOF > inventory | ||||
| [keycloak] | ||||
|  |  | |||
|  | @ -1,7 +1,7 @@ | |||
| --- | ||||
| namespace: middleware_automation | ||||
| name: keycloak | ||||
| version: "2.4.2" | ||||
| version: "3.0.3" | ||||
| readme: README.md | ||||
| authors: | ||||
|   - Romain Pelisse <rpelisse@redhat.com> | ||||
|  |  | |||
|  | @ -1,2 +1,2 @@ | |||
| --- | ||||
| requires_ansible: ">=2.15.0" | ||||
| requires_ansible: ">=2.16.0" | ||||
|  |  | |||
|  | @ -3,40 +3,42 @@ | |||
|   hosts: all | ||||
|   vars: | ||||
|     keycloak_quarkus_show_deprecation_warnings: false | ||||
|     keycloak_quarkus_admin_pass: "remembertochangeme" | ||||
|     keycloak_realm: TestRealm | ||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||
|     keycloak_quarkus_hostname: http://instance:8080 | ||||
|     keycloak_quarkus_log: file | ||||
|     keycloak_quarkus_frontend_url: 'http://localhost:8080/' | ||||
|     keycloak_quarkus_start_dev: True | ||||
|     keycloak_quarkus_start_dev: true | ||||
|     keycloak_quarkus_proxy_mode: none | ||||
|     keycloak_client_default_roles: | ||||
|       - TestRoleAdmin | ||||
|       - TestRoleUser | ||||
|     keycloak_client_users: | ||||
|       - username: TestUser | ||||
|         password: password | ||||
|         client_roles: | ||||
|           - client: TestClient | ||||
|             role: TestRoleUser | ||||
|       - username: TestAdmin | ||||
|         password: password | ||||
|         client_roles: | ||||
|           - client: TestClient | ||||
|             role: TestRoleUser | ||||
|           - client: TestClient | ||||
|             role: TestRoleAdmin | ||||
|     keycloak_clients: | ||||
|       - name: TestClient | ||||
|         roles: "{{ keycloak_client_default_roles }}" | ||||
|         public_client: "{{ keycloak_client_public }}" | ||||
|         web_origins: "{{ keycloak_client_web_origins }}" | ||||
|         users: "{{ keycloak_client_users }}" | ||||
|         client_id: TestClient | ||||
|         attributes: | ||||
|           post.logout.redirect.uris: '/public/logout' | ||||
|   roles: | ||||
|     - role: keycloak_quarkus | ||||
|     - role: keycloak_realm | ||||
|       keycloak_realm: TestRealm | ||||
|       keycloak_admin_password: "remembertochangeme" | ||||
|       keycloak_url: "{{ keycloak_quarkus_hostname }}" | ||||
|       keycloak_context: '' | ||||
|       keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}" | ||||
|       keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}" | ||||
|       keycloak_client_users: | ||||
|         - username: TestUser | ||||
|           password: password | ||||
|           client_roles: | ||||
|             - client: TestClient | ||||
|               role: TestRoleUser | ||||
|               realm: "{{ keycloak_realm }}" | ||||
|         - username: TestAdmin | ||||
|           password: password | ||||
|           client_roles: | ||||
|             - client: TestClient | ||||
|               role: TestRoleUser | ||||
|               realm: "{{ keycloak_realm }}" | ||||
|             - client: TestClient | ||||
|               role: TestRoleAdmin | ||||
|               realm: "{{ keycloak_realm }}" | ||||
|       keycloak_realm: TestRealm | ||||
|       keycloak_clients: | ||||
|         - name: TestClient | ||||
|           realm: "{{ keycloak_realm }}" | ||||
|           public_client: "{{ keycloak_client_public }}" | ||||
|           web_origins: "{{ keycloak_client_web_origins }}" | ||||
|           users: "{{ keycloak_client_users }}" | ||||
|           client_id: TestClient | ||||
|           attributes: | ||||
|             post.logout.redirect.uris: '/public/logout' | ||||
|  |  | |||
|  | @ -3,7 +3,7 @@ driver: | |||
|   name: docker | ||||
| platforms: | ||||
|   - name: instance | ||||
|     image: ghcr.io/hspaans/molecule-containers:debian-11 | ||||
|     image: ghcr.io/hspaans/molecule-containers:debian-13 | ||||
|     pre_build_image: true | ||||
|     privileged: true | ||||
|     port_bindings: | ||||
|  |  | |||
|  | @ -7,5 +7,5 @@ | |||
|       ansible.builtin.apt: | ||||
|         name: | ||||
|           - sudo | ||||
|           - openjdk-17-jdk-headless | ||||
|         state: present | ||||
|           - openjdk-21-jdk-headless | ||||
|           - iproute2 | ||||
|  |  | |||
|  | @ -2,7 +2,7 @@ | |||
| - name: Verify | ||||
|   hosts: all | ||||
|   vars: | ||||
|     keycloak_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||
|     keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}" | ||||
|     keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}" | ||||
|     keycloak_jboss_port_offset: 10 | ||||
|  |  | |||
|  | @ -3,23 +3,24 @@ | |||
|   hosts: all | ||||
|   vars: | ||||
|     keycloak_quarkus_show_deprecation_warnings: false | ||||
|     keycloak_quarkus_admin_pass: "remembertochangeme" | ||||
|     keycloak_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_host: instance | ||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||
|     keycloak_quarkus_hostname: http://instance:8080 | ||||
|     keycloak_quarkus_log: file | ||||
|     keycloak_quarkus_log_level: debug | ||||
|     keycloak_quarkus_log_target: /tmp/keycloak | ||||
|     keycloak_quarkus_start_dev: True | ||||
|     keycloak_quarkus_start_dev: true | ||||
|     keycloak_quarkus_proxy_mode: none | ||||
|     keycloak_quarkus_offline_install: true | ||||
|     keycloak_quarkus_download_path: /tmp/keycloak/ | ||||
|     keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m " | ||||
|   roles: | ||||
|     - role: keycloak_quarkus | ||||
|     - role: keycloak_realm | ||||
|       keycloak_url: "{{ keycloak_quarkus_hostname }}" | ||||
|       keycloak_context: '' | ||||
|       keycloak_client_default_roles: | ||||
|         - TestRoleAdmin | ||||
|         - TestRoleUser | ||||
|       keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}" | ||||
|       keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}" | ||||
|       keycloak_client_users: | ||||
|         - username: TestUser | ||||
|           password: password | ||||
|  | @ -39,7 +40,6 @@ | |||
|       keycloak_realm: TestRealm | ||||
|       keycloak_clients: | ||||
|         - name: TestClient | ||||
|           roles: "{{ keycloak_client_default_roles }}" | ||||
|           realm: "{{ keycloak_realm }}" | ||||
|           public_client: "{{ keycloak_client_public }}" | ||||
|           web_origins: "{{ keycloak_client_web_origins }}" | ||||
|  |  | |||
|  | @ -1,9 +1,9 @@ | |||
| --- | ||||
| driver: | ||||
|   name: docker | ||||
|   name: podman | ||||
| platforms: | ||||
|   - name: instance | ||||
|     image: registry.access.redhat.com/ubi8/ubi-init:latest | ||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||
|     pre_build_image: true | ||||
|     privileged: true | ||||
|     command: "/usr/sbin/init" | ||||
|  | @ -11,6 +11,7 @@ platforms: | |||
|       - "8080/tcp" | ||||
|       - "8443/tcp" | ||||
|       - "8009/tcp" | ||||
|       - "9000/tcp" | ||||
| provisioner: | ||||
|   name: ansible | ||||
|   config_options: | ||||
|  | @ -28,6 +29,8 @@ provisioner: | |||
|         ansible_python_interpreter: "{{ ansible_playbook_python }}" | ||||
|   env: | ||||
|     ANSIBLE_FORCE_COLOR: "true" | ||||
|     PROXY: "${PROXY}" | ||||
|     NO_PROXY: "${NO_PROXY}" | ||||
| verifier: | ||||
|   name: ansible | ||||
| scenario: | ||||
|  |  | |||
|  | @ -7,10 +7,6 @@ | |||
|   tasks: | ||||
|     - name: "Run preparation common to all scenario" | ||||
|       ansible.builtin.include_tasks: ../prepare.yml | ||||
|       vars: | ||||
|         assets: | ||||
|           - "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip" | ||||
|           - "{{ assets_server }}/sso/7.6.1/rh-sso-7.6.1-patch.zip" | ||||
| 
 | ||||
|     - name: Create controller directory for downloads | ||||
|       ansible.builtin.file: # noqa risky-file-permissions delegated, uses controller host user | ||||
|  | @ -22,7 +18,7 @@ | |||
| 
 | ||||
|     - name: Download keycloak archive to controller directory | ||||
|       ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user | ||||
|         url: https://github.com/keycloak/keycloak/releases/download/24.0.4/keycloak-24.0.4.zip | ||||
|         url: https://github.com/keycloak/keycloak/releases/download/26.3.0/keycloak-26.3.0.zip | ||||
|         dest: /tmp/keycloak | ||||
|         mode: '0640' | ||||
|       delegate_to: localhost | ||||
|  |  | |||
|  | @ -2,7 +2,8 @@ | |||
| - name: Verify | ||||
|   hosts: all | ||||
|   vars: | ||||
|     keycloak_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||
|     keycloak_uri: "http://localhost:8080" | ||||
|   tasks: | ||||
|     - name: Populate service facts | ||||
|  | @ -16,7 +17,7 @@ | |||
|       ansible.builtin.uri: | ||||
|         url: "{{ keycloak_uri }}/realms/master/protocol/openid-connect/token" | ||||
|         method: POST | ||||
|         body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password" | ||||
|         body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_user }}&grant_type=password" | ||||
|         validate_certs: no | ||||
|       register: keycloak_auth_response | ||||
|       until: keycloak_auth_response.status == 200 | ||||
|  |  | |||
|  | @ -3,15 +3,14 @@ | |||
|   hosts: all | ||||
|   vars: | ||||
|     keycloak_quarkus_show_deprecation_warnings: false | ||||
|     keycloak_quarkus_admin_pass: "remembertochangeme" | ||||
|     keycloak_admin_password: "remembertochangeme" | ||||
|     keycloak_realm: TestRealm | ||||
|     keycloak_quarkus_host: instance | ||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||
|     keycloak_quarkus_hostname: https://proxy | ||||
|     keycloak_quarkus_log: file | ||||
|     keycloak_quarkus_http_enabled: True | ||||
|     keycloak_quarkus_http_port: 8080 | ||||
|     keycloak_quarkus_proxy_mode: edge | ||||
|     keycloak_quarkus_http_relative_path: / | ||||
|     keycloak_quarkus_frontend_url: https://proxy/ | ||||
|     keycloak_quarkus_health_check_url: http://proxy:8080/realms/master/.well-known/openid-configuration | ||||
|   roles: | ||||
|     - role: keycloak_quarkus | ||||
|  |  | |||
|  | @ -3,7 +3,7 @@ driver: | |||
|   name: docker | ||||
| platforms: | ||||
|   - name: instance | ||||
|     image: registry.access.redhat.com/ubi8/ubi-init:latest | ||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||
|     pre_build_image: true | ||||
|     privileged: true | ||||
|     command: "/usr/sbin/init" | ||||
|  | @ -14,7 +14,7 @@ platforms: | |||
|     published_ports: | ||||
|       - 0.0.0.0:8080:8080/tcp | ||||
|   - name: proxy | ||||
|     image: registry.access.redhat.com/ubi8/ubi-init:latest | ||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||
|     pre_build_image: true | ||||
|     privileged: true | ||||
|     command: "/usr/sbin/init" | ||||
|  |  | |||
|  | @ -3,7 +3,7 @@ driver: | |||
|   name: docker | ||||
| platforms: | ||||
|   - name: instance | ||||
|     image: registry.access.redhat.com/ubi8/ubi-init:latest | ||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||
|     pre_build_image: true | ||||
|     privileged: true | ||||
|     command: "/usr/sbin/init" | ||||
|  | @ -11,6 +11,7 @@ platforms: | |||
|       - "8080/tcp" | ||||
|       - "8443/tcp" | ||||
|       - "8009/tcp" | ||||
|       - "9000/tcp" | ||||
| provisioner: | ||||
|   name: ansible | ||||
|   config_options: | ||||
|  |  | |||
|  | @ -3,10 +3,10 @@ | |||
|   hosts: all | ||||
|   vars: | ||||
|     keycloak_quarkus_show_deprecation_warnings: false | ||||
|     keycloak_quarkus_admin_pass: "remembertochangeme" | ||||
|     keycloak_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||
|     keycloak_realm: TestRealm | ||||
|     keycloak_quarkus_host: instance | ||||
|     keycloak_quarkus_hostname: https://instance:8443 | ||||
|     keycloak_quarkus_log: file | ||||
|     keycloak_quarkus_log_level: debug # needed for the verify step | ||||
|     keycloak_quarkus_https_key_file_enabled: true | ||||
|  | @ -22,6 +22,12 @@ | |||
|     keycloak_quarkus_systemd_wait_for_timeout: 20 | ||||
|     keycloak_quarkus_systemd_wait_for_delay: 2 | ||||
|     keycloak_quarkus_systemd_wait_for_log: true | ||||
|     keycloak_quarkus_restart_health_check: false # would fail because of self-signed cert | ||||
|     keycloak_quarkus_version: 26.3.0 | ||||
|     keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx1024m" | ||||
|     keycloak_quarkus_additional_env_vars: | ||||
|       - key: KC_FEATURES_DISABLED | ||||
|         value: impersonation,kerberos | ||||
|     keycloak_quarkus_providers: | ||||
|       - id: http-client | ||||
|         spi: connections | ||||
|  | @ -32,26 +38,32 @@ | |||
|             value: 10 | ||||
|       - id: spid-saml | ||||
|         url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar | ||||
|       - id: spid-saml-w-checksum | ||||
|         url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar | ||||
|         checksum: sha256:fbb50e73739d7a6d35b5bff611b1c01668b29adf6f6259624b95e466a305f377 | ||||
|       - id: keycloak-kerberos-federation | ||||
|         maven: | ||||
|           repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4 | ||||
|           group_id: org.keycloak | ||||
|           artifact_id: keycloak-kerberos-federation | ||||
|           version: 24.0.4 # optional | ||||
|           version: 26.3.0 # optional | ||||
|           # username: myUser # optional | ||||
|           # password: myPAT # optional | ||||
|       # - id: my-static-theme | ||||
|       #   local_path: /tmp/my-static-theme.jar | ||||
|     keycloak_quarkus_policies: | ||||
|       - name: "xato-net-10-million-passwords.txt" | ||||
|         url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt" | ||||
|       - name: "xato-net-10-million-passwords-10.txt" | ||||
|         url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords-10.txt" | ||||
|       - name: "cain-and-abel.txt" | ||||
|         url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/cain-and-abel.txt" | ||||
|       - name: "john-the-ripper.txt" | ||||
|         url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt" | ||||
|         type: password-blacklists | ||||
|   roles: | ||||
|     - role: keycloak_quarkus | ||||
|     - role: keycloak_realm | ||||
|       keycloak_url: http://instance:8080 | ||||
|       keycloak_context: '' | ||||
|       keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}" | ||||
|       keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}" | ||||
|       keycloak_client_default_roles: | ||||
|         - TestRoleAdmin | ||||
|         - TestRoleUser | ||||
|  |  | |||
|  | @ -3,7 +3,7 @@ driver: | |||
|   name: docker | ||||
| platforms: | ||||
|   - name: instance | ||||
|     image: registry.access.redhat.com/ubi8/ubi-init:latest | ||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||
|     pre_build_image: true | ||||
|     privileged: true | ||||
|     command: "/usr/sbin/init" | ||||
|  | @ -11,6 +11,7 @@ platforms: | |||
|       - "8080/tcp" | ||||
|       - "8443/tcp" | ||||
|       - "8009/tcp" | ||||
|       - "9000/tcp" | ||||
|     published_ports: | ||||
|       - 0.0.0.0:8443:8443/tcp | ||||
| provisioner: | ||||
|  | @ -30,6 +31,9 @@ provisioner: | |||
|         ansible_python_interpreter: "{{ ansible_playbook_python }}" | ||||
|   env: | ||||
|     ANSIBLE_FORCE_COLOR: "true" | ||||
|     PYTHONHTTPSVERIFY: 0 | ||||
|     PROXY: "${PROXY}" | ||||
|     NO_PROXY: "${NO_PROXY}" | ||||
| verifier: | ||||
|   name: ansible | ||||
| scenario: | ||||
|  |  | |||
|  | @ -24,7 +24,7 @@ | |||
|     - name: Make sure a jre is available (for keytool to prepare keystore) | ||||
|       delegate_to: localhost | ||||
|       ansible.builtin.package: | ||||
|         name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}" | ||||
|         name: java-21-openjdk-headless | ||||
|         state: present | ||||
|       become: true | ||||
|       failed_when: false | ||||
|  |  | |||
|  | @ -2,7 +2,8 @@ | |||
| - name: Verify | ||||
|   hosts: all | ||||
|   vars: | ||||
|      keycloak_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||
|   tasks: | ||||
|     - name: Populate service facts | ||||
|       ansible.builtin.service_facts: | ||||
|  | @ -35,10 +36,10 @@ | |||
|         - name: Verify endpoint URLs | ||||
|           ansible.builtin.assert: | ||||
|             that: | ||||
|               - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance/realms/master/protocol/openid-connect/ext/ciba/auth' | ||||
|               - (openid_config.stdout | from_json)['issuer'] == 'https://instance/realms/master' | ||||
|               - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/auth' | ||||
|               - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/token' | ||||
|               - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance:8443/realms/master/protocol/openid-connect/ext/ciba/auth' | ||||
|               - (openid_config.stdout | from_json)['issuer'] == 'https://instance:8443/realms/master' | ||||
|               - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/auth' | ||||
|               - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/token' | ||||
|           delegate_to: localhost | ||||
| 
 | ||||
|     - name: Check log folder | ||||
|  | @ -91,7 +92,7 @@ | |||
|       ansible.builtin.uri: | ||||
|         url: "https://instance:8443/realms/master/protocol/openid-connect/token" | ||||
|         method: POST | ||||
|         body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password" | ||||
|         body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_password}}&grant_type=password" | ||||
|         validate_certs: no | ||||
|       register: keycloak_auth_response | ||||
|       until: keycloak_auth_response.status == 200 | ||||
|  | @ -101,8 +102,8 @@ | |||
|     - name: "Get Clients" | ||||
|       ansible.builtin.uri: | ||||
|         url: "https://instance:8443/admin/realms/TestRealm/clients" | ||||
|         validate_certs: false | ||||
|         headers: | ||||
|           validate_certs: false | ||||
|           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" | ||||
|       register: keycloak_clients | ||||
| 
 | ||||
|  | @ -113,15 +114,15 @@ | |||
|     - name: "Get Client {{ keycloak_client_uuid }}" | ||||
|       ansible.builtin.uri: | ||||
|         url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}" | ||||
|         validate_certs: false | ||||
|         headers: | ||||
|           validate_certs: false | ||||
|           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" | ||||
|       register: keycloak_test_client | ||||
| 
 | ||||
|     - name: "Get Client roles" | ||||
|       ansible.builtin.uri: | ||||
|         url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}/roles" | ||||
|         validate_certs: false | ||||
|         headers: | ||||
|           validate_certs: false | ||||
|           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" | ||||
|       register: keycloak_test_client_roles | ||||
|  | @ -3,18 +3,23 @@ | |||
|   hosts: all | ||||
|   vars: | ||||
|     keycloak_quarkus_show_deprecation_warnings: false | ||||
|     keycloak_quarkus_admin_pass: "remembertochangeme" | ||||
|     keycloak_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||
|     keycloak_realm: TestRealm | ||||
|     keycloak_quarkus_log: file | ||||
|     keycloak_quarkus_frontend_url: 'http://localhost:8080/' | ||||
|     keycloak_quarkus_hostname: 'http://localhost:8080' | ||||
|     keycloak_quarkus_start_dev: True | ||||
|     keycloak_quarkus_proxy_mode: none | ||||
|     keycloak_quarkus_java_home: /opt/openjdk/ | ||||
|     keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m" | ||||
| 
 | ||||
|   roles: | ||||
|     - role: keycloak_quarkus | ||||
|     - role: keycloak_realm | ||||
|       keycloak_url: "{{ keycloak_quarkus_hostname }}" | ||||
|       keycloak_context: '' | ||||
|       keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}" | ||||
|       keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}" | ||||
|       keycloak_client_default_roles: | ||||
|         - TestRoleAdmin | ||||
|         - TestRoleUser | ||||
|  | @ -1,17 +1,19 @@ | |||
| --- | ||||
| driver: | ||||
|   name: docker | ||||
|   name: podman | ||||
| platforms: | ||||
|   - name: instance | ||||
|     image: registry.access.redhat.com/ubi8/ubi-init:latest | ||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||
|     pre_build_image: true | ||||
|     privileged: true | ||||
|     command: "/usr/sbin/init" | ||||
|     port_bindings: | ||||
|       - "8080/tcp" | ||||
|       - "8009/tcp" | ||||
|       - "9000/tcp" | ||||
|     published_ports: | ||||
|       - 0.0.0.0:8080:8080/tcp | ||||
|       - 0.0.0.0:9000:9000/TCP | ||||
| provisioner: | ||||
|   name: ansible | ||||
|   config_options: | ||||
|  | @ -29,6 +31,8 @@ provisioner: | |||
|         ansible_python_interpreter: "{{ ansible_playbook_python }}" | ||||
|   env: | ||||
|     ANSIBLE_FORCE_COLOR: "true" | ||||
|     PROXY: "${PROXY}" | ||||
|     NO_PROXY: "${NO_PROXY}" | ||||
| verifier: | ||||
|   name: ansible | ||||
| scenario: | ||||
|  | @ -3,10 +3,9 @@ | |||
|   hosts: keycloak | ||||
|   vars: | ||||
|     keycloak_quarkus_show_deprecation_warnings: false | ||||
|     keycloak_quarkus_admin_pass: "remembertochangeme" | ||||
|     keycloak_admin_password: "remembertochangeme" | ||||
|     keycloak_realm: TestRealm | ||||
|     keycloak_quarkus_host: "{{ inventory_hostname }}" | ||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||
|     keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080" | ||||
|     keycloak_quarkus_log: file | ||||
|     keycloak_quarkus_log_level: info | ||||
|     keycloak_quarkus_https_key_file_enabled: true | ||||
|  | @ -25,6 +24,6 @@ | |||
|     keycloak_quarkus_restart_strategy: restart/serial.yml | ||||
|     keycloak_quarkus_db_user: keycloak | ||||
|     keycloak_quarkus_db_pass: mysecretpass | ||||
|     keycloak_quarkus_jdbc_url: jdbc:postgresql://postgres:5432/keycloak | ||||
|     keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak | ||||
|   roles: | ||||
|     - role: keycloak_quarkus | ||||
|  |  | |||
|  | @ -14,6 +14,7 @@ platforms: | |||
|     port_bindings: | ||||
|       - "8080/tcp" | ||||
|       - "8443/tcp" | ||||
|       - "9000/tcp" | ||||
|   - name: instance2 | ||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||
|     pre_build_image: true | ||||
|  | @ -26,6 +27,7 @@ platforms: | |||
|     port_bindings: | ||||
|       - "8080/tcp" | ||||
|       - "8443/tcp" | ||||
|       - "9000/tcp" | ||||
|   - name: postgres | ||||
|     image: ubuntu/postgres:14-22.04_beta | ||||
|     pre_build_image: true | ||||
|  | @ -63,6 +65,7 @@ provisioner: | |||
|         ansible_python_interpreter: "{{ ansible_playbook_python }}" | ||||
|   env: | ||||
|     ANSIBLE_FORCE_COLOR: "true" | ||||
|     PYTHONHTTPSVERIFY: 0 | ||||
| verifier: | ||||
|   name: ansible | ||||
| scenario: | ||||
|  |  | |||
							
								
								
									
										57
									
								
								molecule/quarkus_ha_remote/converge.yml
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										57
									
								
								molecule/quarkus_ha_remote/converge.yml
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,57 @@ | |||
| --- | ||||
| - name: Converge | ||||
|   hosts: infinispan | ||||
|   roles: | ||||
|     - role: middleware_automation.infinispan.infinispan | ||||
|       infinispan_service_name: infinispan | ||||
|       infinispan_supervisor_password: remembertochangeme | ||||
|       infinispan_keycloak_caches: true | ||||
|       infinispan_keycloak_persistence: False | ||||
|       infinispan_jdbc_engine: postgres | ||||
|       infinispan_jdbc_url: jdbc:postgresql://postgres:5432/keycloak | ||||
|       infinispan_jdbc_driver_version: 9.4.1212 | ||||
|       infinispan_jdbc_user: keycloak | ||||
|       infinispan_jdbc_pass: mysecretpass | ||||
|       infinispan_bind_address: "{{ ansible_default_ipv4.address }}" | ||||
|       infinispan_users: | ||||
|         - { name: 'testuser', password: 'test', roles: 'observer' } | ||||
| 
 | ||||
| - name: Converge | ||||
|   hosts: keycloak | ||||
|   vars: | ||||
|     keycloak_quarkus_show_deprecation_warnings: false | ||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" | ||||
|     keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080" | ||||
|     keycloak_quarkus_log: file | ||||
|     keycloak_quarkus_log_level: info | ||||
|     keycloak_quarkus_https_key_file_enabled: true | ||||
|     keycloak_quarkus_key_file_copy_enabled: true | ||||
|     keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}" | ||||
|     keycloak_quarkus_cert_file_copy_enabled: true | ||||
|     keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem" | ||||
|     keycloak_quarkus_ks_vault_enabled: true | ||||
|     keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12" | ||||
|     keycloak_quarkus_ks_vault_pass: keystorepassword | ||||
|     keycloak_quarkus_systemd_wait_for_port: true | ||||
|     keycloak_quarkus_systemd_wait_for_timeout: 20 | ||||
|     keycloak_quarkus_systemd_wait_for_delay: 2 | ||||
|     keycloak_quarkus_systemd_wait_for_log: true | ||||
|     keycloak_quarkus_ha_enabled: true | ||||
|     keycloak_quarkus_restart_strategy: restart/serial.yml | ||||
|     keycloak_quarkus_db_user: keycloak | ||||
|     keycloak_quarkus_db_pass: mysecretpass | ||||
|     keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak | ||||
|     keycloak_quarkus_cache_remote: true | ||||
|     keycloak_quarkus_cache_remote_username: supervisor | ||||
|     keycloak_quarkus_cache_remote_password: remembertochangeme | ||||
|     keycloak_quarkus_cache_remote_host: "infinispan1" | ||||
|     keycloak_quarkus_cache_remote_port: 11222 | ||||
|     keycloak_quarkus_cache_remote_tls_enabled: false | ||||
|     keycloak_quarkus_additional_env_vars: | ||||
|       - key: KC_FEATURES | ||||
|         value: clusterless | ||||
|       - key: KC_FEATURES_DISABLED | ||||
|         value: persistent-user-sessions | ||||
|   roles: | ||||
|     - role: keycloak_quarkus | ||||
							
								
								
									
										80
									
								
								molecule/quarkus_ha_remote/molecule.yml
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										80
									
								
								molecule/quarkus_ha_remote/molecule.yml
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,80 @@ | |||
| --- | ||||
| driver: | ||||
|   name: docker | ||||
| platforms: | ||||
|   - name: keycloak1 | ||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||
|     pre_build_image: true | ||||
|     privileged: true | ||||
|     command: "/usr/sbin/init" | ||||
|     groups: | ||||
|       - keycloak | ||||
|     networks: | ||||
|       - name: rhbk | ||||
|     port_bindings: | ||||
|       - "8080/tcp" | ||||
|       - "8443/tcp" | ||||
|       - "9000/tcp" | ||||
|   - name: infinispan1 | ||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||
|     pre_build_image: true | ||||
|     privileged: true | ||||
|     command: "/usr/sbin/init" | ||||
|     groups: | ||||
|       - infinispan | ||||
|     networks: | ||||
|       - name: rhbk | ||||
|     port_bindings: | ||||
|       - "11222/tcp" | ||||
|   - name: postgres | ||||
|     image: ubuntu/postgres:14-22.04_beta | ||||
|     pre_build_image: true | ||||
|     privileged: true | ||||
|     command: postgres | ||||
|     groups: | ||||
|       - database | ||||
|     networks: | ||||
|       - name: rhbk | ||||
|     port_bindings: | ||||
|       - "5432/tcp" | ||||
|     mounts: | ||||
|       - type: bind | ||||
|         target: /etc/postgresql/postgresql.conf | ||||
|         source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf | ||||
|     env: | ||||
|       POSTGRES_USER: keycloak | ||||
|       POSTGRES_PASSWORD: mysecretpass | ||||
|       POSTGRES_DB: keycloak | ||||
|       POSTGRES_HOST_AUTH_METHOD: trust | ||||
| provisioner: | ||||
|   name: ansible | ||||
|   config_options: | ||||
|     defaults: | ||||
|       interpreter_python: auto_silent | ||||
|     ssh_connection: | ||||
|       pipelining: false | ||||
|   playbooks: | ||||
|     prepare: prepare.yml | ||||
|     converge: converge.yml | ||||
|     verify: verify.yml | ||||
|   inventory: | ||||
|     host_vars: | ||||
|       localhost: | ||||
|         ansible_python_interpreter: "{{ ansible_playbook_python }}" | ||||
|   env: | ||||
|     ANSIBLE_FORCE_COLOR: "true" | ||||
|     PYTHONHTTPSVERIFY: 0 | ||||
| verifier: | ||||
|   name: ansible | ||||
| scenario: | ||||
|   test_sequence: | ||||
|     - cleanup | ||||
|     - destroy | ||||
|     - create | ||||
|     - prepare | ||||
|     - converge | ||||
|     - idempotence | ||||
|     - side_effect | ||||
|     - verify | ||||
|     - cleanup | ||||
|     - destroy | ||||
							
								
								
									
										750
									
								
								molecule/quarkus_ha_remote/postgresql/postgresql.conf
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										750
									
								
								molecule/quarkus_ha_remote/postgresql/postgresql.conf
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,750 @@ | |||
| # ----------------------------- | ||||
| # PostgreSQL configuration file | ||||
| # ----------------------------- | ||||
| # | ||||
| # This file consists of lines of the form: | ||||
| # | ||||
| #   name = value | ||||
| # | ||||
| # (The "=" is optional.)  Whitespace may be used.  Comments are introduced with | ||||
| # "#" anywhere on a line.  The complete list of parameter names and allowed | ||||
| # values can be found in the PostgreSQL documentation. | ||||
| # | ||||
| # The commented-out settings shown in this file represent the default values. | ||||
| # Re-commenting a setting is NOT sufficient to revert it to the default value; | ||||
| # you need to reload the server. | ||||
| # | ||||
| # This file is read on server startup and when the server receives a SIGHUP | ||||
| # signal.  If you edit the file on a running system, you have to SIGHUP the | ||||
| # server for the changes to take effect, run "pg_ctl reload", or execute | ||||
| # "SELECT pg_reload_conf()".  Some parameters, which are marked below, | ||||
| # require a server shutdown and restart to take effect. | ||||
| # | ||||
| # Any parameter can also be given as a command-line option to the server, e.g., | ||||
| # "postgres -c log_connections=on".  Some parameters can be changed at run time | ||||
| # with the "SET" SQL command. | ||||
| # | ||||
| # Memory units:  kB = kilobytes        Time units:  ms  = milliseconds | ||||
| #                MB = megabytes                     s   = seconds | ||||
| #                GB = gigabytes                     min = minutes | ||||
| #                TB = terabytes                     h   = hours | ||||
| #                                                   d   = days | ||||
| 
 | ||||
| 
 | ||||
| #------------------------------------------------------------------------------ | ||||
| # FILE LOCATIONS | ||||
| #------------------------------------------------------------------------------ | ||||
| 
 | ||||
| # The default values of these variables are driven from the -D command-line | ||||
| # option or PGDATA environment variable, represented here as ConfigDir. | ||||
| 
 | ||||
| #data_directory = 'ConfigDir'		# use data in another directory | ||||
| 					# (change requires restart) | ||||
| #hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file | ||||
| 					# (change requires restart) | ||||
| #ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file | ||||
| 					# (change requires restart) | ||||
| 
 | ||||
| # If external_pid_file is not explicitly set, no extra PID file is written. | ||||
| #external_pid_file = ''			# write an extra PID file | ||||
| 					# (change requires restart) | ||||
| 
 | ||||
| 
 | ||||
| #------------------------------------------------------------------------------ | ||||
| # CONNECTIONS AND AUTHENTICATION | ||||
| #------------------------------------------------------------------------------ | ||||
| 
 | ||||
| # - Connection Settings - | ||||
| 
 | ||||
| listen_addresses = '*'		# what IP address(es) to listen on; | ||||
| 					# comma-separated list of addresses; | ||||
| 					# defaults to 'localhost'; use '*' for all | ||||
| 					# (change requires restart) | ||||
| #port = 5432				# (change requires restart) | ||||
| #max_connections = 100			# (change requires restart) | ||||
| #superuser_reserved_connections = 3	# (change requires restart) | ||||
| #unix_socket_directories = '/tmp'	# comma-separated list of directories | ||||
| 					# (change requires restart) | ||||
| #unix_socket_group = ''			# (change requires restart) | ||||
| #unix_socket_permissions = 0777		# begin with 0 to use octal notation | ||||
| 					# (change requires restart) | ||||
| #bonjour = off				# advertise server via Bonjour | ||||
| 					# (change requires restart) | ||||
| #bonjour_name = ''			# defaults to the computer name | ||||
| 					# (change requires restart) | ||||
| 
 | ||||
| # - TCP settings - | ||||
| # see "man 7 tcp" for details | ||||
| 
 | ||||
| #tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds; | ||||
| 					# 0 selects the system default | ||||
| #tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds; | ||||
| 					# 0 selects the system default | ||||
| #tcp_keepalives_count = 0		# TCP_KEEPCNT; | ||||
| 					# 0 selects the system default | ||||
| #tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds; | ||||
| 					# 0 selects the system default | ||||
| 
 | ||||
| # - Authentication - | ||||
| 
 | ||||
| #authentication_timeout = 1min		# 1s-600s | ||||
| #password_encryption = md5		# md5 or scram-sha-256 | ||||
| #db_user_namespace = off | ||||
| 
 | ||||
| # GSSAPI using Kerberos | ||||
| #krb_server_keyfile = '' | ||||
| #krb_caseins_users = off | ||||
| 
 | ||||
| # - SSL - | ||||
| 
 | ||||
| #ssl = off | ||||
| #ssl_ca_file = '' | ||||
| #ssl_cert_file = 'server.crt' | ||||
| #ssl_crl_file = '' | ||||
| #ssl_key_file = 'server.key' | ||||
| #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers | ||||
| #ssl_prefer_server_ciphers = on | ||||
| #ssl_ecdh_curve = 'prime256v1' | ||||
| #ssl_min_protocol_version = 'TLSv1' | ||||
| #ssl_max_protocol_version = '' | ||||
| #ssl_dh_params_file = '' | ||||
| #ssl_passphrase_command = '' | ||||
| #ssl_passphrase_command_supports_reload = off | ||||
| 
 | ||||
| 
 | ||||
| #------------------------------------------------------------------------------ | ||||
| # RESOURCE USAGE (except WAL) | ||||
| #------------------------------------------------------------------------------ | ||||
| 
 | ||||
| # - Memory - | ||||
| 
 | ||||
| #shared_buffers = 32MB			# min 128kB | ||||
| 					# (change requires restart) | ||||
| #huge_pages = try			# on, off, or try | ||||
| 					# (change requires restart) | ||||
| #temp_buffers = 8MB			# min 800kB | ||||
| #max_prepared_transactions = 0		# zero disables the feature | ||||
| 					# (change requires restart) | ||||
| # Caution: it is not advisable to set max_prepared_transactions nonzero unless | ||||
| # you actively intend to use prepared transactions. | ||||
| #work_mem = 4MB				# min 64kB | ||||
| #maintenance_work_mem = 64MB		# min 1MB | ||||
| #autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem | ||||
| #max_stack_depth = 2MB			# min 100kB | ||||
| #shared_memory_type = mmap		# the default is the first option | ||||
| 					# supported by the operating system: | ||||
| 					#   mmap | ||||
| 					#   sysv | ||||
| 					#   windows | ||||
| 					# (change requires restart) | ||||
| #dynamic_shared_memory_type = posix	# the default is the first option | ||||
| 					# supported by the operating system: | ||||
| 					#   posix | ||||
| 					#   sysv | ||||
| 					#   windows | ||||
| 					#   mmap | ||||
| 					# (change requires restart) | ||||
| 
 | ||||
| # - Disk - | ||||
| 
 | ||||
| #temp_file_limit = -1			# limits per-process temp file space | ||||
| 					# in kB, or -1 for no limit | ||||
| 
 | ||||
| # - Kernel Resources - | ||||
| 
 | ||||
| #max_files_per_process = 1000		# min 25 | ||||
| 					# (change requires restart) | ||||
| 
 | ||||
| # - Cost-Based Vacuum Delay - | ||||
| 
 | ||||
| #vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables) | ||||
| #vacuum_cost_page_hit = 1		# 0-10000 credits | ||||
| #vacuum_cost_page_miss = 10		# 0-10000 credits | ||||
| #vacuum_cost_page_dirty = 20		# 0-10000 credits | ||||
| #vacuum_cost_limit = 200		# 1-10000 credits | ||||
| 
 | ||||
| # - Background Writer - | ||||
| 
 | ||||
| #bgwriter_delay = 200ms			# 10-10000ms between rounds | ||||
| #bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables | ||||
| #bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round | ||||
| #bgwriter_flush_after = 0		# measured in pages, 0 disables | ||||
| 
 | ||||
| # - Asynchronous Behavior - | ||||
| 
 | ||||
| #effective_io_concurrency = 1		# 1-1000; 0 disables prefetching | ||||
| #max_worker_processes = 8		# (change requires restart) | ||||
| #max_parallel_maintenance_workers = 2	# taken from max_parallel_workers | ||||
| #max_parallel_workers_per_gather = 2	# taken from max_parallel_workers | ||||
| #parallel_leader_participation = on | ||||
| #max_parallel_workers = 8		# maximum number of max_worker_processes that | ||||
| 					# can be used in parallel operations | ||||
| #old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate | ||||
| 					# (change requires restart) | ||||
| #backend_flush_after = 0		# measured in pages, 0 disables | ||||
| 
 | ||||
| 
 | ||||
| #------------------------------------------------------------------------------ | ||||
| # WRITE-AHEAD LOG | ||||
| #------------------------------------------------------------------------------ | ||||
| 
 | ||||
| # - Settings - | ||||
| 
 | ||||
| #wal_level = replica			# minimal, replica, or logical | ||||
| 					# (change requires restart) | ||||
| #fsync = on				# flush data to disk for crash safety | ||||
| 					# (turning this off can cause | ||||
| 					# unrecoverable data corruption) | ||||
| #synchronous_commit = on		# synchronization level; | ||||
| 					# off, local, remote_write, remote_apply, or on | ||||
| #wal_sync_method = fsync		# the default is the first option | ||||
| 					# supported by the operating system: | ||||
| 					#   open_datasync | ||||
| 					#   fdatasync (default on Linux) | ||||
| 					#   fsync | ||||
| 					#   fsync_writethrough | ||||
| 					#   open_sync | ||||
| #full_page_writes = on			# recover from partial page writes | ||||
| #wal_compression = off			# enable compression of full-page writes | ||||
| #wal_log_hints = off			# also do full page writes of non-critical updates | ||||
| 					# (change requires restart) | ||||
| #wal_init_zero = on			# zero-fill new WAL files | ||||
| #wal_recycle = on			# recycle WAL files | ||||
| #wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers | ||||
| 					# (change requires restart) | ||||
| #wal_writer_delay = 200ms		# 1-10000 milliseconds | ||||
| #wal_writer_flush_after = 1MB		# measured in pages, 0 disables | ||||
| 
 | ||||
| #commit_delay = 0			# range 0-100000, in microseconds | ||||
| #commit_siblings = 5			# range 1-1000 | ||||
| 
 | ||||
| # - Checkpoints - | ||||
| 
 | ||||
| #checkpoint_timeout = 5min		# range 30s-1d | ||||
| #max_wal_size = 1GB | ||||
| #min_wal_size = 80MB | ||||
| #checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0 | ||||
| #checkpoint_flush_after = 0		# measured in pages, 0 disables | ||||
| #checkpoint_warning = 30s		# 0 disables | ||||
| 
 | ||||
| # - Archiving - | ||||
| 
 | ||||
| #archive_mode = off		# enables archiving; off, on, or always | ||||
| 				# (change requires restart) | ||||
| #archive_command = ''		# command to use to archive a logfile segment | ||||
| 				# placeholders: %p = path of file to archive | ||||
| 				#               %f = file name only | ||||
| 				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f' | ||||
| #archive_timeout = 0		# force a logfile segment switch after this | ||||
| 				# number of seconds; 0 disables | ||||
| 
 | ||||
| # - Archive Recovery - | ||||
| 
 | ||||
| # These are only used in recovery mode. | ||||
| 
 | ||||
| #restore_command = ''		# command to use to restore an archived logfile segment | ||||
| 				# placeholders: %p = path of file to restore | ||||
| 				#               %f = file name only | ||||
| 				# e.g. 'cp /mnt/server/archivedir/%f %p' | ||||
| 				# (change requires restart) | ||||
| #archive_cleanup_command = ''	# command to execute at every restartpoint | ||||
| #recovery_end_command = ''	# command to execute at completion of recovery | ||||
| 
 | ||||
| # - Recovery Target - | ||||
| 
 | ||||
| # Set these only when performing a targeted recovery. | ||||
| 
 | ||||
| #recovery_target = ''		# 'immediate' to end recovery as soon as a | ||||
|                                 # consistent state is reached | ||||
| 				# (change requires restart) | ||||
| #recovery_target_name = ''	# the named restore point to which recovery will proceed | ||||
| 				# (change requires restart) | ||||
| #recovery_target_time = ''	# the time stamp up to which recovery will proceed | ||||
| 				# (change requires restart) | ||||
| #recovery_target_xid = ''	# the transaction ID up to which recovery will proceed | ||||
| 				# (change requires restart) | ||||
| #recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed | ||||
| 				# (change requires restart) | ||||
| #recovery_target_inclusive = on # Specifies whether to stop: | ||||
| 				# just after the specified recovery target (on) | ||||
| 				# just before the recovery target (off) | ||||
| 				# (change requires restart) | ||||
| #recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID | ||||
| 				# (change requires restart) | ||||
| #recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown' | ||||
| 				# (change requires restart) | ||||
| 
 | ||||
| 
 | ||||
| #------------------------------------------------------------------------------ | ||||
| # REPLICATION | ||||
| #------------------------------------------------------------------------------ | ||||
| 
 | ||||
| # - Sending Servers - | ||||
| 
 | ||||
| # Set these on the master and on any standby that will send replication data. | ||||
| 
 | ||||
| #max_wal_senders = 10		# max number of walsender processes | ||||
| 				# (change requires restart) | ||||
| #wal_keep_segments = 0		# in logfile segments; 0 disables | ||||
| #wal_sender_timeout = 60s	# in milliseconds; 0 disables | ||||
| 
 | ||||
| #max_replication_slots = 10	# max number of replication slots | ||||
| 				# (change requires restart) | ||||
| #track_commit_timestamp = off	# collect timestamp of transaction commit | ||||
| 				# (change requires restart) | ||||
| 
 | ||||
| # - Master Server - | ||||
| 
 | ||||
| # These settings are ignored on a standby server. | ||||
| 
 | ||||
| #synchronous_standby_names = ''	# standby servers that provide sync rep | ||||
| 				# method to choose sync standbys, number of sync standbys, | ||||
| 				# and comma-separated list of application_name | ||||
| 				# from standby(s); '*' = all | ||||
| #vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed | ||||
| 
 | ||||
| # - Standby Servers - | ||||
| 
 | ||||
| # These settings are ignored on a master server. | ||||
| 
 | ||||
| #primary_conninfo = ''			# connection string to sending server | ||||
| 					# (change requires restart) | ||||
| #primary_slot_name = ''			# replication slot on sending server | ||||
| 					# (change requires restart) | ||||
| #promote_trigger_file = ''		# file name whose presence ends recovery | ||||
| #hot_standby = on			# "off" disallows queries during recovery | ||||
| 					# (change requires restart) | ||||
| #max_standby_archive_delay = 30s	# max delay before canceling queries | ||||
| 					# when reading WAL from archive; | ||||
| 					# -1 allows indefinite delay | ||||
| #max_standby_streaming_delay = 30s	# max delay before canceling queries | ||||
| 					# when reading streaming WAL; | ||||
| 					# -1 allows indefinite delay | ||||
| #wal_receiver_status_interval = 10s	# send replies at least this often | ||||
| 					# 0 disables | ||||
| #hot_standby_feedback = off		# send info from standby to prevent | ||||
| 					# query conflicts | ||||
| #wal_receiver_timeout = 60s		# time that receiver waits for | ||||
| 					# communication from master | ||||
| 					# in milliseconds; 0 disables | ||||
| #wal_retrieve_retry_interval = 5s	# time to wait before retrying to | ||||
| 					# retrieve WAL after a failed attempt | ||||
| #recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery | ||||
| 
 | ||||
| # - Subscribers - | ||||
| 
 | ||||
| # These settings are ignored on a publisher. | ||||
| 
 | ||||
| #max_logical_replication_workers = 4	# taken from max_worker_processes | ||||
| 					# (change requires restart) | ||||
| #max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers | ||||
| 
 | ||||
| 
 | ||||
| #------------------------------------------------------------------------------ | ||||
| # QUERY TUNING | ||||
| #------------------------------------------------------------------------------ | ||||
| 
 | ||||
| # - Planner Method Configuration - | ||||
| 
 | ||||
| #enable_bitmapscan = on | ||||
| #enable_hashagg = on | ||||
| #enable_hashjoin = on | ||||
| #enable_indexscan = on | ||||
| #enable_indexonlyscan = on | ||||
| #enable_material = on | ||||
| #enable_mergejoin = on | ||||
| #enable_nestloop = on | ||||
| #enable_parallel_append = on | ||||
| #enable_seqscan = on | ||||
| #enable_sort = on | ||||
| #enable_tidscan = on | ||||
| #enable_partitionwise_join = off | ||||
| #enable_partitionwise_aggregate = off | ||||
| #enable_parallel_hash = on | ||||
| #enable_partition_pruning = on | ||||
| 
 | ||||
| # - Planner Cost Constants - | ||||
| 
 | ||||
| #seq_page_cost = 1.0			# measured on an arbitrary scale | ||||
| #random_page_cost = 4.0			# same scale as above | ||||
| #cpu_tuple_cost = 0.01			# same scale as above | ||||
| #cpu_index_tuple_cost = 0.005		# same scale as above | ||||
| #cpu_operator_cost = 0.0025		# same scale as above | ||||
| #parallel_tuple_cost = 0.1		# same scale as above | ||||
| #parallel_setup_cost = 1000.0	# same scale as above | ||||
| 
 | ||||
| #jit_above_cost = 100000		# perform JIT compilation if available | ||||
| 					# and query more expensive than this; | ||||
| 					# -1 disables | ||||
| #jit_inline_above_cost = 500000		# inline small functions if query is | ||||
| 					# more expensive than this; -1 disables | ||||
| #jit_optimize_above_cost = 500000	# use expensive JIT optimizations if | ||||
| 					# query is more expensive than this; | ||||
| 					# -1 disables | ||||
| 
 | ||||
| #min_parallel_table_scan_size = 8MB | ||||
| #min_parallel_index_scan_size = 512kB | ||||
| #effective_cache_size = 4GB | ||||
| 
 | ||||
| # - Genetic Query Optimizer - | ||||
| 
 | ||||
| #geqo = on | ||||
| #geqo_threshold = 12 | ||||
| #geqo_effort = 5			# range 1-10 | ||||
| #geqo_pool_size = 0			# selects default based on effort | ||||
| #geqo_generations = 0			# selects default based on effort | ||||
| #geqo_selection_bias = 2.0		# range 1.5-2.0 | ||||
| #geqo_seed = 0.0			# range 0.0-1.0 | ||||
| 
 | ||||
| # - Other Planner Options - | ||||
| 
 | ||||
| #default_statistics_target = 100	# range 1-10000 | ||||
| #constraint_exclusion = partition	# on, off, or partition | ||||
| #cursor_tuple_fraction = 0.1		# range 0.0-1.0 | ||||
| #from_collapse_limit = 8 | ||||
| #join_collapse_limit = 8		# 1 disables collapsing of explicit | ||||
| 					# JOIN clauses | ||||
| #force_parallel_mode = off | ||||
| #jit = on				# allow JIT compilation | ||||
| #plan_cache_mode = auto			# auto, force_generic_plan or | ||||
| 					# force_custom_plan | ||||
| 
 | ||||
| 
 | ||||
| #------------------------------------------------------------------------------ | ||||
| # REPORTING AND LOGGING | ||||
| #------------------------------------------------------------------------------ | ||||
| 
 | ||||
| # - Where to Log - | ||||
| 
 | ||||
| #log_destination = 'stderr'		# Valid values are combinations of | ||||
| 					# stderr, csvlog, syslog, and eventlog, | ||||
| 					# depending on platform.  csvlog | ||||
| 					# requires logging_collector to be on. | ||||
| 
 | ||||
| # This is used when logging to stderr: | ||||
| #logging_collector = off		# Enable capturing of stderr and csvlog | ||||
| 					# into log files. Required to be on for | ||||
| 					# csvlogs. | ||||
| 					# (change requires restart) | ||||
| 
 | ||||
| # These are only used if logging_collector is on: | ||||
| #log_directory = 'log'			# directory where log files are written, | ||||
| 					# can be absolute or relative to PGDATA | ||||
| #log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'	# log file name pattern, | ||||
| 					# can include strftime() escapes | ||||
| #log_file_mode = 0600			# creation mode for log files, | ||||
| 					# begin with 0 to use octal notation | ||||
| #log_truncate_on_rotation = off		# If on, an existing log file with the | ||||
| 					# same name as the new log file will be | ||||
| 					# truncated rather than appended to. | ||||
| 					# But such truncation only occurs on | ||||
| 					# time-driven rotation, not on restarts | ||||
| 					# or size-driven rotation.  Default is | ||||
| 					# off, meaning append to existing files | ||||
| 					# in all cases. | ||||
| #log_rotation_age = 1d			# Automatic rotation of logfiles will | ||||
| 					# happen after that time.  0 disables. | ||||
| #log_rotation_size = 10MB		# Automatic rotation of logfiles will | ||||
| 					# happen after that much log output. | ||||
| 					# 0 disables. | ||||
| 
 | ||||
| # These are relevant when logging to syslog: | ||||
| #syslog_facility = 'LOCAL0' | ||||
| #syslog_ident = 'postgres' | ||||
| #syslog_sequence_numbers = on | ||||
| #syslog_split_messages = on | ||||
| 
 | ||||
| # This is only relevant when logging to eventlog (win32): | ||||
| # (change requires restart) | ||||
| #event_source = 'PostgreSQL' | ||||
| 
 | ||||
| # - When to Log - | ||||
| 
 | ||||
| #log_min_messages = warning		# values in order of decreasing detail: | ||||
| 					#   debug5 | ||||
| 					#   debug4 | ||||
| 					#   debug3 | ||||
| 					#   debug2 | ||||
| 					#   debug1 | ||||
| 					#   info | ||||
| 					#   notice | ||||
| 					#   warning | ||||
| 					#   error | ||||
| 					#   log | ||||
| 					#   fatal | ||||
| 					#   panic | ||||
| 
 | ||||
| #log_min_error_statement = error	# values in order of decreasing detail: | ||||
| 					#   debug5 | ||||
| 					#   debug4 | ||||
| 					#   debug3 | ||||
| 					#   debug2 | ||||
| 					#   debug1 | ||||
| 					#   info | ||||
| 					#   notice | ||||
| 					#   warning | ||||
| 					#   error | ||||
| 					#   log | ||||
| 					#   fatal | ||||
| 					#   panic (effectively off) | ||||
| 
 | ||||
| #log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements | ||||
| 					# and their durations, > 0 logs only | ||||
| 					# statements running at least this number | ||||
| 					# of milliseconds | ||||
| 
 | ||||
| #log_transaction_sample_rate = 0.0	# Fraction of transactions whose statements | ||||
| 					# are logged regardless of their duration. 1.0 logs all | ||||
| 					# statements from all transactions, 0.0 never logs. | ||||
| 
 | ||||
| # - What to Log - | ||||
| 
 | ||||
| #debug_print_parse = off | ||||
| #debug_print_rewritten = off | ||||
| #debug_print_plan = off | ||||
| #debug_pretty_print = on | ||||
| #log_checkpoints = off | ||||
| #log_connections = off | ||||
| #log_disconnections = off | ||||
| #log_duration = off | ||||
| #log_error_verbosity = default		# terse, default, or verbose messages | ||||
| #log_hostname = off | ||||
| #log_line_prefix = '%m [%p] '		# special values: | ||||
| 					#   %a = application name | ||||
| 					#   %u = user name | ||||
| 					#   %d = database name | ||||
| 					#   %r = remote host and port | ||||
| 					#   %h = remote host | ||||
| 					#   %p = process ID | ||||
| 					#   %t = timestamp without milliseconds | ||||
| 					#   %m = timestamp with milliseconds | ||||
| 					#   %n = timestamp with milliseconds (as a Unix epoch) | ||||
| 					#   %i = command tag | ||||
| 					#   %e = SQL state | ||||
| 					#   %c = session ID | ||||
| 					#   %l = session line number | ||||
| 					#   %s = session start timestamp | ||||
| 					#   %v = virtual transaction ID | ||||
| 					#   %x = transaction ID (0 if none) | ||||
| 					#   %q = stop here in non-session | ||||
| 					#        processes | ||||
| 					#   %% = '%' | ||||
| 					# e.g. '<%u%%%d> ' | ||||
| #log_lock_waits = off			# log lock waits >= deadlock_timeout | ||||
| #log_statement = 'none'			# none, ddl, mod, all | ||||
| #log_replication_commands = off | ||||
| #log_temp_files = -1			# log temporary files equal or larger | ||||
| 					# than the specified size in kilobytes; | ||||
| 					# -1 disables, 0 logs all temp files | ||||
| #log_timezone = 'GMT' | ||||
| 
 | ||||
| #------------------------------------------------------------------------------ | ||||
| # PROCESS TITLE | ||||
| #------------------------------------------------------------------------------ | ||||
| 
 | ||||
| #cluster_name = ''			# added to process titles if nonempty | ||||
| 					# (change requires restart) | ||||
| #update_process_title = on | ||||
| 
 | ||||
| 
 | ||||
| #------------------------------------------------------------------------------ | ||||
| # STATISTICS | ||||
| #------------------------------------------------------------------------------ | ||||
| 
 | ||||
| # - Query and Index Statistics Collector - | ||||
| 
 | ||||
| #track_activities = on | ||||
| #track_counts = on | ||||
| #track_io_timing = off | ||||
| #track_functions = none			# none, pl, all | ||||
| #track_activity_query_size = 1024	# (change requires restart) | ||||
| #stats_temp_directory = 'pg_stat_tmp' | ||||
| 
 | ||||
| 
 | ||||
| # - Monitoring - | ||||
| 
 | ||||
| #log_parser_stats = off | ||||
| #log_planner_stats = off | ||||
| #log_executor_stats = off | ||||
| #log_statement_stats = off | ||||
| 
 | ||||
| 
 | ||||
| #------------------------------------------------------------------------------ | ||||
| # AUTOVACUUM | ||||
| #------------------------------------------------------------------------------ | ||||
| 
 | ||||
| #autovacuum = on			# Enable autovacuum subprocess?  'on' | ||||
| 					# requires track_counts to also be on. | ||||
| #log_autovacuum_min_duration = -1	# -1 disables, 0 logs all actions and | ||||
| 					# their durations, > 0 logs only | ||||
| 					# actions running at least this number | ||||
| 					# of milliseconds. | ||||
| #autovacuum_max_workers = 3		# max number of autovacuum subprocesses | ||||
| 					# (change requires restart) | ||||
| #autovacuum_naptime = 1min		# time between autovacuum runs | ||||
| #autovacuum_vacuum_threshold = 50	# min number of row updates before | ||||
| 					# vacuum | ||||
| #autovacuum_analyze_threshold = 50	# min number of row updates before | ||||
| 					# analyze | ||||
| #autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum | ||||
| #autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze | ||||
| #autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum | ||||
| 					# (change requires restart) | ||||
| #autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age | ||||
| 					# before forced vacuum | ||||
| 					# (change requires restart) | ||||
| #autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for | ||||
| 					# autovacuum, in milliseconds; | ||||
| 					# -1 means use vacuum_cost_delay | ||||
| #autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for | ||||
| 					# autovacuum, -1 means use | ||||
| 					# vacuum_cost_limit | ||||
| 
 | ||||
| 
 | ||||
| #------------------------------------------------------------------------------ | ||||
| # CLIENT CONNECTION DEFAULTS | ||||
| #------------------------------------------------------------------------------ | ||||
| 
 | ||||
| # - Statement Behavior - | ||||
| 
 | ||||
| #client_min_messages = notice		# values in order of decreasing detail: | ||||
| 					#   debug5 | ||||
| 					#   debug4 | ||||
| 					#   debug3 | ||||
| 					#   debug2 | ||||
| 					#   debug1 | ||||
| 					#   log | ||||
| 					#   notice | ||||
| 					#   warning | ||||
| 					#   error | ||||
| #search_path = '"$user", public'	# schema names | ||||
| #row_security = on | ||||
| #default_tablespace = ''		# a tablespace name, '' uses the default | ||||
| #temp_tablespaces = ''			# a list of tablespace names, '' uses | ||||
| 					# only default tablespace | ||||
| #default_table_access_method = 'heap' | ||||
| #check_function_bodies = on | ||||
| #default_transaction_isolation = 'read committed' | ||||
| #default_transaction_read_only = off | ||||
| #default_transaction_deferrable = off | ||||
| #session_replication_role = 'origin' | ||||
| #statement_timeout = 0			# in milliseconds, 0 is disabled | ||||
| #lock_timeout = 0			# in milliseconds, 0 is disabled | ||||
| #idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled | ||||
| #vacuum_freeze_min_age = 50000000 | ||||
| #vacuum_freeze_table_age = 150000000 | ||||
| #vacuum_multixact_freeze_min_age = 5000000 | ||||
| #vacuum_multixact_freeze_table_age = 150000000 | ||||
| #vacuum_cleanup_index_scale_factor = 0.1	# fraction of total number of tuples | ||||
| 						# before index cleanup, 0 always performs | ||||
| 						# index cleanup | ||||
| #bytea_output = 'hex'			# hex, escape | ||||
| #xmlbinary = 'base64' | ||||
| #xmloption = 'content' | ||||
| #gin_fuzzy_search_limit = 0 | ||||
| #gin_pending_list_limit = 4MB | ||||
| 
 | ||||
| # - Locale and Formatting - | ||||
| 
 | ||||
| #datestyle = 'iso, mdy' | ||||
| #intervalstyle = 'postgres' | ||||
| #timezone = 'GMT' | ||||
| #timezone_abbreviations = 'Default'     # Select the set of available time zone | ||||
| 					# abbreviations.  Currently, there are | ||||
| 					#   Default | ||||
| 					#   Australia (historical usage) | ||||
| 					#   India | ||||
| 					# You can create your own file in | ||||
| 					# share/timezonesets/. | ||||
| #extra_float_digits = 1			# min -15, max 3; any value >0 actually | ||||
| 					# selects precise output mode | ||||
| #client_encoding = sql_ascii		# actually, defaults to database | ||||
| 					# encoding | ||||
| 
 | ||||
| # These settings are initialized by initdb, but they can be changed. | ||||
| #lc_messages = 'C'			# locale for system error message | ||||
| 					# strings | ||||
| #lc_monetary = 'C'			# locale for monetary formatting | ||||
| #lc_numeric = 'C'			# locale for number formatting | ||||
| #lc_time = 'C'				# locale for time formatting | ||||
| 
 | ||||
| # default configuration for text search | ||||
| #default_text_search_config = 'pg_catalog.simple' | ||||
| 
 | ||||
| # - Shared Library Preloading - | ||||
| 
 | ||||
| #shared_preload_libraries = ''	# (change requires restart) | ||||
| #local_preload_libraries = '' | ||||
| #session_preload_libraries = '' | ||||
| #jit_provider = 'llvmjit'		# JIT library to use | ||||
| 
 | ||||
| # - Other Defaults - | ||||
| 
 | ||||
| #dynamic_library_path = '$libdir' | ||||
| 
 | ||||
| 
 | ||||
| #------------------------------------------------------------------------------ | ||||
| # LOCK MANAGEMENT | ||||
| #------------------------------------------------------------------------------ | ||||
| 
 | ||||
| #deadlock_timeout = 1s | ||||
| #max_locks_per_transaction = 64		# min 10 | ||||
| 					# (change requires restart) | ||||
| #max_pred_locks_per_transaction = 64	# min 10 | ||||
| 					# (change requires restart) | ||||
| #max_pred_locks_per_relation = -2	# negative values mean | ||||
| 					# (max_pred_locks_per_transaction | ||||
| 					#  / -max_pred_locks_per_relation) - 1 | ||||
| #max_pred_locks_per_page = 2            # min 0 | ||||
| 
 | ||||
| 
 | ||||
| #------------------------------------------------------------------------------ | ||||
| # VERSION AND PLATFORM COMPATIBILITY | ||||
| #------------------------------------------------------------------------------ | ||||
| 
 | ||||
| # - Previous PostgreSQL Versions - | ||||
| 
 | ||||
| #array_nulls = on | ||||
| #backslash_quote = safe_encoding	# on, off, or safe_encoding | ||||
| #escape_string_warning = on | ||||
| #lo_compat_privileges = off | ||||
| #operator_precedence_warning = off | ||||
| #quote_all_identifiers = off | ||||
| #standard_conforming_strings = on | ||||
| #synchronize_seqscans = on | ||||
| 
 | ||||
| # - Other Platforms and Clients - | ||||
| 
 | ||||
| #transform_null_equals = off | ||||
| 
 | ||||
| 
 | ||||
| #------------------------------------------------------------------------------ | ||||
| # ERROR HANDLING | ||||
| #------------------------------------------------------------------------------ | ||||
| 
 | ||||
| #exit_on_error = off			# terminate session on any error? | ||||
| #restart_after_crash = on		# reinitialize after backend crash? | ||||
| #data_sync_retry = off			# retry or panic on failure to fsync | ||||
| 					# data? | ||||
| 					# (change requires restart) | ||||
| 
 | ||||
| 
 | ||||
| #------------------------------------------------------------------------------ | ||||
| # CONFIG FILE INCLUDES | ||||
| #------------------------------------------------------------------------------ | ||||
| 
 | ||||
| # These options allow settings to be loaded from files other than the | ||||
| # default postgresql.conf.  Note that these are directives, not variable | ||||
| # assignments, so they can usefully be given more than once. | ||||
| 
 | ||||
| #include_dir = '...'			# include files ending in '.conf' from | ||||
| 					# a directory, e.g., 'conf.d' | ||||
| #include_if_exists = '...'		# include file only if it exists | ||||
| #include = '...'			# include file | ||||
| 
 | ||||
| 
 | ||||
| #------------------------------------------------------------------------------ | ||||
| # CUSTOMIZED OPTIONS | ||||
| #------------------------------------------------------------------------------ | ||||
| 
 | ||||
| # Add settings for extensions here | ||||
							
								
								
									
										44
									
								
								molecule/quarkus_ha_remote/prepare.yml
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										44
									
								
								molecule/quarkus_ha_remote/prepare.yml
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,44 @@ | |||
| --- | ||||
| - name: Prepare | ||||
|   hosts: 'keycloak:infinispan' | ||||
|   tasks: | ||||
|     - name: "Display hera_home if defined." | ||||
|       ansible.builtin.set_fact: | ||||
|         hera_home: "{{ lookup('env', 'HERA_HOME') }}" | ||||
| 
 | ||||
|     - name: "Ensure common prepare phase are set." | ||||
|       ansible.builtin.include_tasks: ../prepare.yml | ||||
| 
 | ||||
|     - name: Create certificate request | ||||
|       ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'" | ||||
|       delegate_to: localhost | ||||
|       changed_when: False | ||||
| 
 | ||||
|     - name: Create vault directory | ||||
|       become: true | ||||
|       ansible.builtin.file: | ||||
|         state: directory | ||||
|         path: "/opt/keycloak/vault" | ||||
|         mode: 0755 | ||||
| 
 | ||||
|     - name: Make sure a jre is available (for keytool to prepare keystore) | ||||
|       delegate_to: localhost | ||||
|       ansible.builtin.package: | ||||
|         name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}" | ||||
|         state: present | ||||
|       become: true | ||||
|       failed_when: false | ||||
| 
 | ||||
|     - name: Create vault keystore | ||||
|       ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword | ||||
|       delegate_to: localhost | ||||
|       register: keytool_cmd | ||||
|       changed_when: False | ||||
|       failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0 | ||||
| 
 | ||||
|     - name: Copy certificates and vault | ||||
|       become: true | ||||
|       ansible.builtin.copy: | ||||
|         src: keystore.p12 | ||||
|         dest: /opt/keycloak/vault/keystore.p12 | ||||
|         mode: 0444 | ||||
							
								
								
									
										1
									
								
								molecule/quarkus_ha_remote/roles
									
										
									
									
									
										Symbolic link
									
								
							
							
						
						
									
										1
									
								
								molecule/quarkus_ha_remote/roles
									
										
									
									
									
										Symbolic link
									
								
							|  | @ -0,0 +1 @@ | |||
| ../../roles | ||||
							
								
								
									
										29
									
								
								molecule/quarkus_ha_remote/verify.yml
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										29
									
								
								molecule/quarkus_ha_remote/verify.yml
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,29 @@ | |||
| --- | ||||
| - name: Verify | ||||
|   hosts: keycloak | ||||
|   tasks: | ||||
|     - name: Populate service facts | ||||
|       ansible.builtin.service_facts: | ||||
| 
 | ||||
|     - name: Check if keycloak service started | ||||
|       ansible.builtin.assert: | ||||
|         that: | ||||
|           - ansible_facts.services["keycloak.service"]["state"] == "running" | ||||
|           - ansible_facts.services["keycloak.service"]["status"] == "enabled" | ||||
|         fail_msg: "Service not running" | ||||
| 
 | ||||
|     - name: Set internal envvar | ||||
|       ansible.builtin.set_fact: | ||||
|         hera_home: "{{ lookup('env', 'HERA_HOME') }}" | ||||
| 
 | ||||
|     - name: Check log file | ||||
|       become: true | ||||
|       ansible.builtin.stat: | ||||
|         path: /var/log/keycloak/keycloak.log | ||||
|       register: keycloak_log_file | ||||
| 
 | ||||
|     - name: Check if keycloak file exists | ||||
|       ansible.builtin.assert: | ||||
|         that: | ||||
|           - keycloak_log_file.stat.exists | ||||
|           - not keycloak_log_file.stat.isdir | ||||
|  | @ -5,6 +5,9 @@ | |||
|     - vars.yml | ||||
|   vars: | ||||
|     keycloak_quarkus_show_deprecation_warnings: false | ||||
|     keycloak_quarkus_version: 24.0.3 | ||||
|     keycloak_quarkus_additional_env_vars: | ||||
|       - key: KC_FEATURES_DISABLED | ||||
|         value: ciba,device-flow,impersonation,kerberos,docker | ||||
|     keycloak_quarkus_version: 26.0.7 | ||||
|   roles: | ||||
|     - role: keycloak_quarkus | ||||
|  |  | |||
|  | @ -4,7 +4,7 @@ dependency: | |||
|   options: | ||||
|     requirements-file: molecule/requirements.yml | ||||
| driver: | ||||
|   name: docker | ||||
|   name: podman | ||||
| platforms: | ||||
|   - name: instance | ||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||
|  | @ -13,8 +13,10 @@ platforms: | |||
|     privileged: true | ||||
|     port_bindings: | ||||
|       - 8080:8080 | ||||
|       - "9000/tcp" | ||||
|     published_ports: | ||||
|       - 0.0.0.0:8080:8080/TCP | ||||
|       - 0.0.0.0:9000:9000/TCP | ||||
| provisioner: | ||||
|   name: ansible | ||||
|   playbooks: | ||||
|  | @ -25,6 +27,10 @@ provisioner: | |||
|     host_vars: | ||||
|       localhost: | ||||
|         ansible_python_interpreter: "{{ ansible_playbook_python }}" | ||||
|   env: | ||||
|     ANSIBLE_FORCE_COLOR: "true" | ||||
|     PROXY: "${PROXY}" | ||||
|     NO_PROXY: "${NO_PROXY}" | ||||
| verifier: | ||||
|   name: ansible | ||||
| scenario: | ||||
|  |  | |||
|  | @ -5,7 +5,10 @@ | |||
|     - vars.yml | ||||
|   vars: | ||||
|     sudo_pkg_name: sudo | ||||
|     keycloak_quarkus_version: 23.0.7 | ||||
|     keycloak_quarkus_version: 26.0.4 | ||||
|     keycloak_quarkus_additional_env_vars: | ||||
|       - key: KC_FEATURES_DISABLED | ||||
|         value: impersonation,kerberos | ||||
|   pre_tasks: | ||||
|     - name: Install sudo | ||||
|       ansible.builtin.apt: | ||||
|  | @ -44,6 +47,7 @@ | |||
|       changed_when: false | ||||
|   roles: | ||||
|     - role: keycloak_quarkus | ||||
| 
 | ||||
|   post_tasks: | ||||
|     - name: "Delete custom fact" | ||||
|       ansible.builtin.file: | ||||
|  |  | |||
|  | @ -1,9 +1,8 @@ | |||
| --- | ||||
| keycloak_quarkus_offline_install: false | ||||
| keycloak_quarkus_admin_password: "remembertochangeme" | ||||
| keycloak_quarkus_admin_pass: "remembertochangeme" | ||||
| keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||
| keycloak_quarkus_realm: TestRealm | ||||
| keycloak_quarkus_host: instance | ||||
| keycloak_quarkus_hostname: http://instance:8080 | ||||
| keycloak_quarkus_log: file | ||||
| keycloak_quarkus_https_key_file_enabled: true | ||||
| keycloak_quarkus_log_target: /tmp/keycloak | ||||
|  |  | |||
|  | @ -2,7 +2,7 @@ | |||
| - name: Verify | ||||
|   hosts: instance | ||||
|   vars: | ||||
|     keycloak_quarkus_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_port: http://localhost:8080 | ||||
|   tasks: | ||||
|     - name: Populate service facts | ||||
|  | @ -17,14 +17,14 @@ | |||
|     - name: Verify we are running on requested jvm | ||||
|       ansible.builtin.shell: | | ||||
|         set -eo pipefail | ||||
|         ps -ef | grep 'etc/alternatives/.*17' | grep -v grep | ||||
|         ps -ef | grep 'etc/alternatives/.*21' | grep -v grep | ||||
|       changed_when: false | ||||
| 
 | ||||
|     - name: Verify token api call | ||||
|       ansible.builtin.uri: | ||||
|         url: "{{ keycloak_quarkus_port }}/realms/master/protocol/openid-connect/token" | ||||
|         method: POST | ||||
|         body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_admin_password }}&grant_type=password" | ||||
|         body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_bootstrap_admin_password }}&grant_type=password" | ||||
|         validate_certs: no | ||||
|       register: keycloak_auth_response | ||||
|       until: keycloak_auth_response.status == 200 | ||||
|  |  | |||
|  | @ -2,6 +2,7 @@ | |||
| collections: | ||||
|   - name: middleware_automation.common | ||||
|   - name: middleware_automation.jbcs | ||||
|   - name: middleware_automation.infinispan | ||||
|   - name: community.general | ||||
|   - name: ansible.posix | ||||
|   - name: community.docker | ||||
|  |  | |||
|  | @ -2,8 +2,8 @@ | |||
| - name: Playbook for Keycloak X Hosts with HTTPS enabled | ||||
|   hosts: all | ||||
|   vars: | ||||
|     keycloak_quarkus_admin_pass: "remembertochangeme" | ||||
|     keycloak_quarkus_host: localhost | ||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_hostname: http://localhost | ||||
|     keycloak_quarkus_port: 8443 | ||||
|     keycloak_quarkus_log: file | ||||
|     keycloak_quarkus_proxy_mode: none | ||||
|  |  | |||
|  | @ -2,8 +2,8 @@ | |||
| - name: Playbook for Keycloak X Hosts in develop mode | ||||
|   hosts: all | ||||
|   vars: | ||||
|     keycloak_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_host: localhost | ||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | ||||
|     keycloak_quarkus_hostname: http://localhost | ||||
|     keycloak_quarkus_port: 8080 | ||||
|     keycloak_quarkus_log: file | ||||
|     keycloak_quarkus_start_dev: true | ||||
|  |  | |||
										
											
												File diff suppressed because it is too large
												Load diff
											
										
									
								
							|  | @ -40,8 +40,8 @@ options: | |||
|     state: | ||||
|         description: | ||||
|             - State of the client | ||||
|             - On C(present), the client will be created (or updated if it exists already). | ||||
|             - On C(absent), the client will be removed if it exists | ||||
|             - On V(present), the client will be created (or updated if it exists already). | ||||
|             - On V(absent), the client will be removed if it exists | ||||
|         choices: ['present', 'absent'] | ||||
|         default: 'present' | ||||
|         type: str | ||||
|  | @ -55,7 +55,7 @@ options: | |||
|     client_id: | ||||
|         description: | ||||
|             - Client id of client to be worked on. This is usually an alphanumeric name chosen by | ||||
|               you. Either this or I(id) is required. If you specify both, I(id) takes precedence. | ||||
|               you. Either this or O(id) is required. If you specify both, O(id) takes precedence. | ||||
|               This is 'clientId' in the Keycloak REST API. | ||||
|         aliases: | ||||
|             - clientId | ||||
|  | @ -63,13 +63,13 @@ options: | |||
| 
 | ||||
|     id: | ||||
|         description: | ||||
|             - Id of client to be worked on. This is usually an UUID. Either this or I(client_id) | ||||
|             - Id of client to be worked on. This is usually an UUID. Either this or O(client_id) | ||||
|               is required. If you specify both, this takes precedence. | ||||
|         type: str | ||||
| 
 | ||||
|     name: | ||||
|         description: | ||||
|             - Name of the client (this is not the same as I(client_id)). | ||||
|             - Name of the client (this is not the same as O(client_id)). | ||||
|         type: str | ||||
| 
 | ||||
|     description: | ||||
|  | @ -108,20 +108,21 @@ options: | |||
| 
 | ||||
|     client_authenticator_type: | ||||
|         description: | ||||
|             - How do clients authenticate with the auth server? Either C(client-secret) or | ||||
|               C(client-jwt) can be chosen. When using C(client-secret), the module parameter | ||||
|               I(secret) can set it, while for C(client-jwt), you can use the keys C(use.jwks.url), | ||||
|               C(jwks.url), and C(jwt.credential.certificate) in the I(attributes) module parameter | ||||
|               to configure its behavior. | ||||
|               This is 'clientAuthenticatorType' in the Keycloak REST API. | ||||
|         choices: ['client-secret', 'client-jwt'] | ||||
|             - How do clients authenticate with the auth server? Either V(client-secret), | ||||
|               V(client-jwt), or V(client-x509) can be chosen. When using V(client-secret), the module parameter | ||||
|               O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url), | ||||
|               C(jwks.url), and C(jwt.credential.certificate) in the O(attributes) module parameter | ||||
|               to configure its behavior. For V(client-x509) you can use the keys C(x509.allow.regex.pattern.comparison) | ||||
|               and C(x509.subjectdn) in the O(attributes) module parameter to configure which certificate(s) to accept. | ||||
|             - This is 'clientAuthenticatorType' in the Keycloak REST API. | ||||
|         choices: ['client-secret', 'client-jwt', 'client-x509'] | ||||
|         aliases: | ||||
|             - clientAuthenticatorType | ||||
|         type: str | ||||
| 
 | ||||
|     secret: | ||||
|         description: | ||||
|             - When using I(client_authenticator_type) C(client-secret) (the default), you can | ||||
|             - When using O(client_authenticator_type=client-secret) (the default), you can | ||||
|               specify a secret here (otherwise one will be generated if it does not exit). If | ||||
|               changing this secret, the module will not register a change currently (but the | ||||
|               changed secret will be saved). | ||||
|  | @ -246,9 +247,11 @@ options: | |||
| 
 | ||||
|     protocol: | ||||
|         description: | ||||
|             - Type of client (either C(openid-connect) or C(saml). | ||||
|             - Type of client. | ||||
|             - At creation only, default value will be V(openid-connect) if O(protocol) is omitted. | ||||
|             - The V(docker-v2) value was added in community.general 8.6.0. | ||||
|         type: str | ||||
|         choices: ['openid-connect', 'saml'] | ||||
|         choices: ['openid-connect', 'saml', 'docker-v2'] | ||||
| 
 | ||||
|     full_scope_allowed: | ||||
|         description: | ||||
|  | @ -286,7 +289,7 @@ options: | |||
| 
 | ||||
|     use_template_config: | ||||
|         description: | ||||
|             - Whether or not to use configuration from the I(client_template). | ||||
|             - Whether or not to use configuration from the O(client_template). | ||||
|               This is 'useTemplateConfig' in the Keycloak REST API. | ||||
|         aliases: | ||||
|             - useTemplateConfig | ||||
|  | @ -294,7 +297,7 @@ options: | |||
| 
 | ||||
|     use_template_scope: | ||||
|         description: | ||||
|             - Whether or not to use scope configuration from the I(client_template). | ||||
|             - Whether or not to use scope configuration from the O(client_template). | ||||
|               This is 'useTemplateScope' in the Keycloak REST API. | ||||
|         aliases: | ||||
|             - useTemplateScope | ||||
|  | @ -302,7 +305,7 @@ options: | |||
| 
 | ||||
|     use_template_mappers: | ||||
|         description: | ||||
|             - Whether or not to use mapper configuration from the I(client_template). | ||||
|             - Whether or not to use mapper configuration from the O(client_template). | ||||
|               This is 'useTemplateMappers' in the Keycloak REST API. | ||||
|         aliases: | ||||
|             - useTemplateMappers | ||||
|  | @ -338,6 +341,42 @@ options: | |||
|         description: | ||||
|             - Override realm authentication flow bindings. | ||||
|         type: dict | ||||
|         suboptions: | ||||
|             browser: | ||||
|                 description: | ||||
|                     - Flow ID of the browser authentication flow. | ||||
|                     - O(authentication_flow_binding_overrides.browser) | ||||
|                       and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive. | ||||
|                 type: str | ||||
| 
 | ||||
|             browser_name: | ||||
|                 description: | ||||
|                     - Flow name of the browser authentication flow. | ||||
|                     - O(authentication_flow_binding_overrides.browser) | ||||
|                       and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive. | ||||
|                 aliases: | ||||
|                     - browserName | ||||
|                 type: str | ||||
|                 version_added: 9.1.0 | ||||
| 
 | ||||
|             direct_grant: | ||||
|                 description: | ||||
|                     - Flow ID of the direct grant authentication flow. | ||||
|                     - O(authentication_flow_binding_overrides.direct_grant) | ||||
|                       and O(authentication_flow_binding_overrides.direct_grant_name) are mutually exclusive. | ||||
|                 aliases: | ||||
|                     - directGrant | ||||
|                 type: str | ||||
| 
 | ||||
|             direct_grant_name: | ||||
|                 description: | ||||
|                     - Flow name of the direct grant authentication flow. | ||||
|                     - O(authentication_flow_binding_overrides.direct_grant) | ||||
|                       and O(authentication_flow_binding_overrides.direct_grant_name) are mutually exclusive. | ||||
|                 aliases: | ||||
|                     - directGrantName | ||||
|                 type: str | ||||
|                 version_added: 9.1.0 | ||||
|         aliases: | ||||
|             - authenticationFlowBindingOverrides | ||||
|         version_added: 3.4.0 | ||||
|  | @ -391,38 +430,37 @@ options: | |||
| 
 | ||||
|             protocol: | ||||
|                 description: | ||||
|                     - This is either C(openid-connect) or C(saml), this specifies for which protocol this protocol mapper. | ||||
|                       is active. | ||||
|                 choices: ['openid-connect', 'saml'] | ||||
|                     - This specifies for which protocol this protocol mapper is active. | ||||
|                 choices: ['openid-connect', 'saml', 'docker-v2'] | ||||
|                 type: str | ||||
| 
 | ||||
|             protocolMapper: | ||||
|                 description: | ||||
|                     - The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is | ||||
|                     - "The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is | ||||
|                       impossible to provide since this may be extended through SPIs by the user of Keycloak, | ||||
|                       by default Keycloak as of 3.4 ships with at least | ||||
|                     - C(docker-v2-allow-all-mapper) | ||||
|                     - C(oidc-address-mapper) | ||||
|                     - C(oidc-full-name-mapper) | ||||
|                     - C(oidc-group-membership-mapper) | ||||
|                     - C(oidc-hardcoded-claim-mapper) | ||||
|                     - C(oidc-hardcoded-role-mapper) | ||||
|                     - C(oidc-role-name-mapper) | ||||
|                     - C(oidc-script-based-protocol-mapper) | ||||
|                     - C(oidc-sha256-pairwise-sub-mapper) | ||||
|                     - C(oidc-usermodel-attribute-mapper) | ||||
|                     - C(oidc-usermodel-client-role-mapper) | ||||
|                     - C(oidc-usermodel-property-mapper) | ||||
|                     - C(oidc-usermodel-realm-role-mapper) | ||||
|                     - C(oidc-usersessionmodel-note-mapper) | ||||
|                     - C(saml-group-membership-mapper) | ||||
|                     - C(saml-hardcode-attribute-mapper) | ||||
|                     - C(saml-hardcode-role-mapper) | ||||
|                     - C(saml-role-list-mapper) | ||||
|                     - C(saml-role-name-mapper) | ||||
|                     - C(saml-user-attribute-mapper) | ||||
|                     - C(saml-user-property-mapper) | ||||
|                     - C(saml-user-session-note-mapper) | ||||
|                       by default Keycloak as of 3.4 ships with at least:" | ||||
|                     - V(docker-v2-allow-all-mapper) | ||||
|                     - V(oidc-address-mapper) | ||||
|                     - V(oidc-full-name-mapper) | ||||
|                     - V(oidc-group-membership-mapper) | ||||
|                     - V(oidc-hardcoded-claim-mapper) | ||||
|                     - V(oidc-hardcoded-role-mapper) | ||||
|                     - V(oidc-role-name-mapper) | ||||
|                     - V(oidc-script-based-protocol-mapper) | ||||
|                     - V(oidc-sha256-pairwise-sub-mapper) | ||||
|                     - V(oidc-usermodel-attribute-mapper) | ||||
|                     - V(oidc-usermodel-client-role-mapper) | ||||
|                     - V(oidc-usermodel-property-mapper) | ||||
|                     - V(oidc-usermodel-realm-role-mapper) | ||||
|                     - V(oidc-usersessionmodel-note-mapper) | ||||
|                     - V(saml-group-membership-mapper) | ||||
|                     - V(saml-hardcode-attribute-mapper) | ||||
|                     - V(saml-hardcode-role-mapper) | ||||
|                     - V(saml-role-list-mapper) | ||||
|                     - V(saml-role-name-mapper) | ||||
|                     - V(saml-user-attribute-mapper) | ||||
|                     - V(saml-user-property-mapper) | ||||
|                     - V(saml-user-session-note-mapper) | ||||
|                     - An exhaustive list of available mappers on your installation can be obtained on | ||||
|                       the admin console by going to Server Info -> Providers and looking under | ||||
|                       'protocol-mapper'. | ||||
|  | @ -431,10 +469,10 @@ options: | |||
|             config: | ||||
|                 description: | ||||
|                     - Dict specifying the configuration options for the protocol mapper; the | ||||
|                       contents differ depending on the value of I(protocolMapper) and are not documented | ||||
|                       contents differ depending on the value of O(protocol_mappers[].protocolMapper) and are not documented | ||||
|                       other than by the source of the mappers and its parent class(es). An example is given | ||||
|                       below. It is easiest to obtain valid config values by dumping an already-existing | ||||
|                       protocol mapper configuration through check-mode in the I(existing) field. | ||||
|                       protocol mapper configuration through check-mode in the RV(existing) field. | ||||
|                 type: dict | ||||
| 
 | ||||
|     attributes: | ||||
|  | @ -478,7 +516,7 @@ options: | |||
| 
 | ||||
|             saml.signature.algorithm: | ||||
|                 description: | ||||
|                     - Signature algorithm used to sign SAML documents. One of C(RSA_SHA256), C(RSA_SHA1), C(RSA_SHA512), or C(DSA_SHA1). | ||||
|                     - Signature algorithm used to sign SAML documents. One of V(RSA_SHA256), V(RSA_SHA1), V(RSA_SHA512), or V(DSA_SHA1). | ||||
| 
 | ||||
|             saml.signing.certificate: | ||||
|                 description: | ||||
|  | @ -496,22 +534,21 @@ options: | |||
|                 description: | ||||
|                     - SAML Redirect Binding URL for the client's assertion consumer service (login responses). | ||||
| 
 | ||||
| 
 | ||||
|             saml_force_name_id_format: | ||||
|                 description: | ||||
|                     - For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured one instead. | ||||
| 
 | ||||
|             saml_name_id_format: | ||||
|                 description: | ||||
|                     - For SAML clients, the NameID format to use (one of C(username), C(email), C(transient), or C(persistent)) | ||||
|                     - For SAML clients, the NameID format to use (one of V(username), V(email), V(transient), or V(persistent)) | ||||
| 
 | ||||
|             saml_signature_canonicalization_method: | ||||
|                 description: | ||||
|                     - SAML signature canonicalization method. This is one of four values, namely | ||||
|                       C(http://www.w3.org/2001/10/xml-exc-c14n#) for EXCLUSIVE, | ||||
|                       C(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS, | ||||
|                       C(http://www.w3.org/TR/2001/REC-xml-c14n-20010315) for INCLUSIVE, and | ||||
|                       C(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS. | ||||
|                       V(http://www.w3.org/2001/10/xml-exc-c14n#) for EXCLUSIVE, | ||||
|                       V(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS, | ||||
|                       V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315) for INCLUSIVE, and | ||||
|                       V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS. | ||||
| 
 | ||||
|             saml_single_logout_service_url_post: | ||||
|                 description: | ||||
|  | @ -523,12 +560,12 @@ options: | |||
| 
 | ||||
|             user.info.response.signature.alg: | ||||
|                 description: | ||||
|                     - For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of C(RS256) or C(unsigned). | ||||
|                     - For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of V(RS256) or V(unsigned). | ||||
| 
 | ||||
|             request.object.signature.alg: | ||||
|                 description: | ||||
|                     - For OpenID-Connect clients, JWA algorithm which the client needs to use when sending | ||||
|                       OIDC request object. One of C(any), C(none), C(RS256). | ||||
|                       OIDC request object. One of V(any), V(none), V(RS256). | ||||
| 
 | ||||
|             use.jwks.url: | ||||
|                 description: | ||||
|  | @ -544,9 +581,21 @@ options: | |||
|                     - For OpenID-Connect clients, client certificate for validating JWT issued by | ||||
|                       client and signed by its key, base64-encoded. | ||||
| 
 | ||||
|             x509.subjectdn: | ||||
|                 description: | ||||
|                     - For OpenID-Connect clients, subject which will be used to authenticate the client. | ||||
|                 type: str | ||||
|                 version_added: 9.5.0 | ||||
| 
 | ||||
|             x509.allow.regex.pattern.comparison: | ||||
|                 description: | ||||
|                     - For OpenID-Connect clients, boolean specifying whether to allow C(x509.subjectdn) as regular expression. | ||||
|                 type: bool | ||||
|                 version_added: 9.5.0 | ||||
| 
 | ||||
| extends_documentation_fragment: | ||||
|     - middleware_automation.keycloak.keycloak | ||||
|     - middleware_automation.keycloak.attributes | ||||
|    - middleware_automation.keycloak.keycloak | ||||
|    - middleware_automation.keycloak.attributes | ||||
| 
 | ||||
| author: | ||||
|     - Eike Frost (@eikef) | ||||
|  | @ -587,6 +636,22 @@ EXAMPLES = ''' | |||
|   delegate_to: localhost | ||||
| 
 | ||||
| 
 | ||||
| - name: Create or update a Keycloak client (minimal example), with x509 authentication | ||||
|   middleware_automation.keycloak.keycloak_client: | ||||
|     auth_client_id: admin-cli | ||||
|     auth_keycloak_url: https://auth.example.com/auth | ||||
|     auth_realm: master | ||||
|     auth_username: USERNAME | ||||
|     auth_password: PASSWORD | ||||
|     realm: master | ||||
|     state: present | ||||
|     client_id: test | ||||
|     client_authenticator_type: client-x509 | ||||
|     attributes: | ||||
|       x509.subjectdn: "CN=client" | ||||
|       x509.allow.regex.pattern.comparison: false | ||||
| 
 | ||||
| 
 | ||||
| - name: Create or update a Keycloak client (with all the bells and whistles) | ||||
|   middleware_automation.keycloak.keycloak_client: | ||||
|     auth_client_id: admin-cli | ||||
|  | @ -637,7 +702,7 @@ EXAMPLES = ''' | |||
|       - test01 | ||||
|       - test02 | ||||
|     authentication_flow_binding_overrides: | ||||
|       browser: 4c90336b-bf1d-4b87-916d-3677ba4e5fbb | ||||
|         browser: 4c90336b-bf1d-4b87-916d-3677ba4e5fbb | ||||
|     protocol_mappers: | ||||
|       - config: | ||||
|           access.token.claim: true | ||||
|  | @ -717,11 +782,17 @@ end_state: | |||
| ''' | ||||
| 
 | ||||
| from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ | ||||
|     keycloak_argument_spec, get_token, KeycloakError | ||||
|     keycloak_argument_spec, get_token, KeycloakError, is_struct_included | ||||
| from ansible.module_utils.basic import AnsibleModule | ||||
| import copy | ||||
| 
 | ||||
| 
 | ||||
| PROTOCOL_OPENID_CONNECT = 'openid-connect' | ||||
| PROTOCOL_SAML = 'saml' | ||||
| PROTOCOL_DOCKER_V2 = 'docker-v2' | ||||
| CLIENT_META_DATA = ['authorizationServicesEnabled'] | ||||
| 
 | ||||
| 
 | ||||
| def normalise_cr(clientrep, remove_ids=False): | ||||
|     """ Re-sorts any properties where the order so that diff's is minimised, and adds default values where appropriate so that the | ||||
|     the change detection is more effective. | ||||
|  | @ -737,6 +808,12 @@ def normalise_cr(clientrep, remove_ids=False): | |||
|     if 'attributes' in clientrep: | ||||
|         clientrep['attributes'] = list(sorted(clientrep['attributes'])) | ||||
| 
 | ||||
|     if 'defaultClientScopes' in clientrep: | ||||
|         clientrep['defaultClientScopes'] = list(sorted(clientrep['defaultClientScopes'])) | ||||
| 
 | ||||
|     if 'optionalClientScopes' in clientrep: | ||||
|         clientrep['optionalClientScopes'] = list(sorted(clientrep['optionalClientScopes'])) | ||||
| 
 | ||||
|     if 'redirectUris' in clientrep: | ||||
|         clientrep['redirectUris'] = list(sorted(clientrep['redirectUris'])) | ||||
| 
 | ||||
|  | @ -762,11 +839,70 @@ def sanitize_cr(clientrep): | |||
|     if 'secret' in result: | ||||
|         result['secret'] = 'no_log' | ||||
|     if 'attributes' in result: | ||||
|         if 'saml.signing.private.key' in result['attributes']: | ||||
|             result['attributes']['saml.signing.private.key'] = 'no_log' | ||||
|         attributes = result['attributes'] | ||||
|         if isinstance(attributes, dict) and 'saml.signing.private.key' in attributes: | ||||
|             attributes['saml.signing.private.key'] = 'no_log' | ||||
|     return normalise_cr(result) | ||||
| 
 | ||||
| 
 | ||||
| def get_authentication_flow_id(flow_name, realm, kc): | ||||
|     """ Get the authentication flow ID based on the flow name, realm, and Keycloak client. | ||||
| 
 | ||||
|     Args: | ||||
|         flow_name (str): The name of the authentication flow. | ||||
|         realm (str): The name of the realm. | ||||
|         kc (KeycloakClient): The Keycloak client instance. | ||||
| 
 | ||||
|     Returns: | ||||
|         str: The ID of the authentication flow. | ||||
| 
 | ||||
|     Raises: | ||||
|         KeycloakAPIException: If the authentication flow with the given name is not found in the realm. | ||||
|     """ | ||||
|     flow = kc.get_authentication_flow_by_alias(flow_name, realm) | ||||
|     if flow: | ||||
|         return flow["id"] | ||||
|     kc.module.fail_json(msg='Authentification flow %s not found in realm %s' % (flow_name, realm)) | ||||
| 
 | ||||
| 
 | ||||
| def flow_binding_from_dict_to_model(newClientFlowBinding, realm, kc): | ||||
|     """ Convert a dictionary representing client flow bindings to a model representation. | ||||
| 
 | ||||
|     Args: | ||||
|         newClientFlowBinding (dict): A dictionary containing client flow bindings. | ||||
|         realm (str): The name of the realm. | ||||
|         kc (KeycloakClient): An instance of the KeycloakClient class. | ||||
| 
 | ||||
|     Returns: | ||||
|         dict: A dictionary representing the model flow bindings. The dictionary has two keys: | ||||
|             - "browser" (str or None): The ID of the browser authentication flow binding, or None if not provided. | ||||
|             - "direct_grant" (str or None): The ID of the direct grant authentication flow binding, or None if not provided. | ||||
| 
 | ||||
|     Raises: | ||||
|         KeycloakAPIException: If the authentication flow with the given name is not found in the realm. | ||||
| 
 | ||||
|     """ | ||||
| 
 | ||||
|     modelFlow = { | ||||
|         "browser": None, | ||||
|         "direct_grant": None | ||||
|     } | ||||
| 
 | ||||
|     for k, v in newClientFlowBinding.items(): | ||||
|         if not v: | ||||
|             continue | ||||
|         if k == "browser": | ||||
|             modelFlow["browser"] = v | ||||
|         elif k == "browser_name": | ||||
|             modelFlow["browser"] = get_authentication_flow_id(v, realm, kc) | ||||
|         elif k == "direct_grant": | ||||
|             modelFlow["direct_grant"] = v | ||||
|         elif k == "direct_grant_name": | ||||
|             modelFlow["direct_grant"] = get_authentication_flow_id(v, realm, kc) | ||||
| 
 | ||||
|     return modelFlow | ||||
| 
 | ||||
| 
 | ||||
| def main(): | ||||
|     """ | ||||
|     Module execution | ||||
|  | @ -780,11 +916,18 @@ def main(): | |||
|         consentText=dict(type='str'), | ||||
|         id=dict(type='str'), | ||||
|         name=dict(type='str'), | ||||
|         protocol=dict(type='str', choices=['openid-connect', 'saml']), | ||||
|         protocol=dict(type='str', choices=[PROTOCOL_OPENID_CONNECT, PROTOCOL_SAML, PROTOCOL_DOCKER_V2]), | ||||
|         protocolMapper=dict(type='str'), | ||||
|         config=dict(type='dict'), | ||||
|     ) | ||||
| 
 | ||||
|     authentication_flow_spec = dict( | ||||
|         browser=dict(type='str'), | ||||
|         browser_name=dict(type='str', aliases=['browserName']), | ||||
|         direct_grant=dict(type='str', aliases=['directGrant']), | ||||
|         direct_grant_name=dict(type='str', aliases=['directGrantName']), | ||||
|     ) | ||||
| 
 | ||||
|     meta_args = dict( | ||||
|         state=dict(default='present', choices=['present', 'absent']), | ||||
|         realm=dict(type='str', default='master'), | ||||
|  | @ -798,7 +941,7 @@ def main(): | |||
|         base_url=dict(type='str', aliases=['baseUrl']), | ||||
|         surrogate_auth_required=dict(type='bool', aliases=['surrogateAuthRequired']), | ||||
|         enabled=dict(type='bool'), | ||||
|         client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt'], aliases=['clientAuthenticatorType']), | ||||
|         client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt', 'client-x509'], aliases=['clientAuthenticatorType']), | ||||
|         secret=dict(type='str', no_log=True), | ||||
|         registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True), | ||||
|         default_roles=dict(type='list', elements='str', aliases=['defaultRoles']), | ||||
|  | @ -814,7 +957,7 @@ def main(): | |||
|         authorization_services_enabled=dict(type='bool', aliases=['authorizationServicesEnabled']), | ||||
|         public_client=dict(type='bool', aliases=['publicClient']), | ||||
|         frontchannel_logout=dict(type='bool', aliases=['frontchannelLogout']), | ||||
|         protocol=dict(type='str', choices=['openid-connect', 'saml']), | ||||
|         protocol=dict(type='str', choices=[PROTOCOL_OPENID_CONNECT, PROTOCOL_SAML, PROTOCOL_DOCKER_V2]), | ||||
|         attributes=dict(type='dict'), | ||||
|         full_scope_allowed=dict(type='bool', aliases=['fullScopeAllowed']), | ||||
|         node_re_registration_timeout=dict(type='int', aliases=['nodeReRegistrationTimeout']), | ||||
|  | @ -824,7 +967,13 @@ def main(): | |||
|         use_template_scope=dict(type='bool', aliases=['useTemplateScope']), | ||||
|         use_template_mappers=dict(type='bool', aliases=['useTemplateMappers']), | ||||
|         always_display_in_console=dict(type='bool', aliases=['alwaysDisplayInConsole']), | ||||
|         authentication_flow_binding_overrides=dict(type='dict', aliases=['authenticationFlowBindingOverrides']), | ||||
|         authentication_flow_binding_overrides=dict( | ||||
|             type='dict', | ||||
|             aliases=['authenticationFlowBindingOverrides'], | ||||
|             options=authentication_flow_spec, | ||||
|             required_one_of=[['browser', 'direct_grant', 'browser_name', 'direct_grant_name']], | ||||
|             mutually_exclusive=[['browser', 'browser_name'], ['direct_grant', 'direct_grant_name']], | ||||
|         ), | ||||
|         protocol_mappers=dict(type='list', elements='dict', options=protmapper_spec, aliases=['protocolMappers']), | ||||
|         authorization_settings=dict(type='dict', aliases=['authorizationSettings']), | ||||
|         default_client_scopes=dict(type='list', elements='str', aliases=['defaultClientScopes']), | ||||
|  | @ -885,7 +1034,9 @@ def main(): | |||
|         # Unfortunately, the ansible argument spec checker introduces variables with null values when | ||||
|         # they are not specified | ||||
|         if client_param == 'protocol_mappers': | ||||
|             new_param_value = [dict((k, v) for k, v in x.items() if x[k] is not None) for x in new_param_value] | ||||
|             new_param_value = [{k: v for k, v in x.items() if v is not None} for x in new_param_value] | ||||
|         elif client_param == 'authentication_flow_binding_overrides': | ||||
|             new_param_value = flow_binding_from_dict_to_model(new_param_value, realm, kc) | ||||
| 
 | ||||
|         changeset[camel(client_param)] = new_param_value | ||||
| 
 | ||||
|  | @ -912,6 +1063,8 @@ def main(): | |||
| 
 | ||||
|         if 'clientId' not in desired_client: | ||||
|             module.fail_json(msg='client_id needs to be specified when creating a new client') | ||||
|         if 'protocol' not in desired_client: | ||||
|             desired_client['protocol'] = PROTOCOL_OPENID_CONNECT | ||||
| 
 | ||||
|         if module._diff: | ||||
|             result['diff'] = dict(before='', after=sanitize_cr(desired_client)) | ||||
|  | @ -940,7 +1093,7 @@ def main(): | |||
|                 if module._diff: | ||||
|                     result['diff'] = dict(before=sanitize_cr(before_norm), | ||||
|                                           after=sanitize_cr(desired_norm)) | ||||
|                 result['changed'] = (before_norm != desired_norm) | ||||
|                 result['changed'] = not is_struct_included(desired_norm, before_norm, CLIENT_META_DATA) | ||||
| 
 | ||||
|                 module.exit_json(**result) | ||||
| 
 | ||||
|  |  | |||
							
								
								
									
										848
									
								
								plugins/modules/keycloak_realm.py
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										848
									
								
								plugins/modules/keycloak_realm.py
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,848 @@ | |||
| #!/usr/bin/python | ||||
| # -*- coding: utf-8 -*- | ||||
| 
 | ||||
| # Copyright (c) 2017, Eike Frost <ei@kefro.st> | ||||
| # Copyright (c) 2021, Christophe Gilles <christophe.gilles54@gmail.com> | ||||
| # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) | ||||
| # SPDX-License-Identifier: GPL-3.0-or-later | ||||
| 
 | ||||
| from __future__ import absolute_import, division, print_function | ||||
| __metaclass__ = type | ||||
| 
 | ||||
| DOCUMENTATION = ''' | ||||
| --- | ||||
| module: keycloak_realm | ||||
| 
 | ||||
| short_description: Allows administration of Keycloak realm via Keycloak API | ||||
| 
 | ||||
| version_added: 3.0.0 | ||||
| 
 | ||||
| description: | ||||
|     - This module allows the administration of Keycloak realm via the Keycloak REST API. It | ||||
|       requires access to the REST API via OpenID Connect; the user connecting and the realm being | ||||
|       used must have the requisite access rights. In a default Keycloak installation, admin-cli | ||||
|       and an admin user would work, as would a separate realm definition with the scope tailored | ||||
|       to your needs and a user having the expected roles. | ||||
| 
 | ||||
|     - The names of module options are snake_cased versions of the camelCase ones found in the | ||||
|       Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). | ||||
|       Aliases are provided so camelCased versions can be used as well. | ||||
| 
 | ||||
|     - The Keycloak API does not always sanity check inputs e.g. you can set | ||||
|       SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful. | ||||
|       If you do not specify a setting, usually a sensible default is chosen. | ||||
| 
 | ||||
| attributes: | ||||
|     check_mode: | ||||
|         support: full | ||||
|     diff_mode: | ||||
|         support: full | ||||
| 
 | ||||
| options: | ||||
|     state: | ||||
|         description: | ||||
|             - State of the realm. | ||||
|             - On V(present), the realm will be created (or updated if it exists already). | ||||
|             - On V(absent), the realm will be removed if it exists. | ||||
|         choices: ['present', 'absent'] | ||||
|         default: 'present' | ||||
|         type: str | ||||
| 
 | ||||
|     id: | ||||
|         description: | ||||
|             - The realm to create. | ||||
|         type: str | ||||
|     realm: | ||||
|         description: | ||||
|             - The realm name. | ||||
|         type: str | ||||
|     access_code_lifespan: | ||||
|         description: | ||||
|             - The realm access code lifespan. | ||||
|         aliases: | ||||
|             - accessCodeLifespan | ||||
|         type: int | ||||
|     access_code_lifespan_login: | ||||
|         description: | ||||
|             - The realm access code lifespan login. | ||||
|         aliases: | ||||
|             - accessCodeLifespanLogin | ||||
|         type: int | ||||
|     access_code_lifespan_user_action: | ||||
|         description: | ||||
|             - The realm access code lifespan user action. | ||||
|         aliases: | ||||
|             - accessCodeLifespanUserAction | ||||
|         type: int | ||||
|     access_token_lifespan: | ||||
|         description: | ||||
|             - The realm access token lifespan. | ||||
|         aliases: | ||||
|             - accessTokenLifespan | ||||
|         type: int | ||||
|     access_token_lifespan_for_implicit_flow: | ||||
|         description: | ||||
|             - The realm access token lifespan for implicit flow. | ||||
|         aliases: | ||||
|             - accessTokenLifespanForImplicitFlow | ||||
|         type: int | ||||
|     account_theme: | ||||
|         description: | ||||
|             - The realm account theme. | ||||
|         aliases: | ||||
|             - accountTheme | ||||
|         type: str | ||||
|     action_token_generated_by_admin_lifespan: | ||||
|         description: | ||||
|             - The realm action token generated by admin lifespan. | ||||
|         aliases: | ||||
|             - actionTokenGeneratedByAdminLifespan | ||||
|         type: int | ||||
|     action_token_generated_by_user_lifespan: | ||||
|         description: | ||||
|             - The realm action token generated by user lifespan. | ||||
|         aliases: | ||||
|             - actionTokenGeneratedByUserLifespan | ||||
|         type: int | ||||
|     admin_events_details_enabled: | ||||
|         description: | ||||
|             - The realm admin events details enabled. | ||||
|         aliases: | ||||
|             - adminEventsDetailsEnabled | ||||
|         type: bool | ||||
|     admin_events_enabled: | ||||
|         description: | ||||
|             - The realm admin events enabled. | ||||
|         aliases: | ||||
|             - adminEventsEnabled | ||||
|         type: bool | ||||
|     admin_theme: | ||||
|         description: | ||||
|             - The realm admin theme. | ||||
|         aliases: | ||||
|             - adminTheme | ||||
|         type: str | ||||
|     attributes: | ||||
|         description: | ||||
|             - The realm attributes. | ||||
|         type: dict | ||||
|     browser_flow: | ||||
|         description: | ||||
|             - The realm browser flow. | ||||
|         aliases: | ||||
|             - browserFlow | ||||
|         type: str | ||||
|     browser_security_headers: | ||||
|         description: | ||||
|             - The realm browser security headers. | ||||
|         aliases: | ||||
|             - browserSecurityHeaders | ||||
|         type: dict | ||||
|     brute_force_protected: | ||||
|         description: | ||||
|             - The realm brute force protected. | ||||
|         aliases: | ||||
|             - bruteForceProtected | ||||
|         type: bool | ||||
|     client_authentication_flow: | ||||
|         description: | ||||
|             - The realm client authentication flow. | ||||
|         aliases: | ||||
|             - clientAuthenticationFlow | ||||
|         type: str | ||||
|     client_scope_mappings: | ||||
|         description: | ||||
|             - The realm client scope mappings. | ||||
|         aliases: | ||||
|             - clientScopeMappings | ||||
|         type: dict | ||||
|     default_default_client_scopes: | ||||
|         description: | ||||
|             - The realm default default client scopes. | ||||
|         aliases: | ||||
|             - defaultDefaultClientScopes | ||||
|         type: list | ||||
|         elements: str | ||||
|     default_groups: | ||||
|         description: | ||||
|             - The realm default groups. | ||||
|         aliases: | ||||
|             - defaultGroups | ||||
|         type: list | ||||
|         elements: str | ||||
|     default_locale: | ||||
|         description: | ||||
|             - The realm default locale. | ||||
|         aliases: | ||||
|             - defaultLocale | ||||
|         type: str | ||||
|     default_optional_client_scopes: | ||||
|         description: | ||||
|             - The realm default optional client scopes. | ||||
|         aliases: | ||||
|             - defaultOptionalClientScopes | ||||
|         type: list | ||||
|         elements: str | ||||
|     default_roles: | ||||
|         description: | ||||
|             - The realm default roles. | ||||
|         aliases: | ||||
|             - defaultRoles | ||||
|         type: list | ||||
|         elements: str | ||||
|     default_signature_algorithm: | ||||
|         description: | ||||
|             - The realm default signature algorithm. | ||||
|         aliases: | ||||
|             - defaultSignatureAlgorithm | ||||
|         type: str | ||||
|     direct_grant_flow: | ||||
|         description: | ||||
|             - The realm direct grant flow. | ||||
|         aliases: | ||||
|             - directGrantFlow | ||||
|         type: str | ||||
|     display_name: | ||||
|         description: | ||||
|             - The realm display name. | ||||
|         aliases: | ||||
|             - displayName | ||||
|         type: str | ||||
|     display_name_html: | ||||
|         description: | ||||
|             - The realm display name HTML. | ||||
|         aliases: | ||||
|             - displayNameHtml | ||||
|         type: str | ||||
|     docker_authentication_flow: | ||||
|         description: | ||||
|             - The realm docker authentication flow. | ||||
|         aliases: | ||||
|             - dockerAuthenticationFlow | ||||
|         type: str | ||||
|     duplicate_emails_allowed: | ||||
|         description: | ||||
|             - The realm duplicate emails allowed option. | ||||
|         aliases: | ||||
|             - duplicateEmailsAllowed | ||||
|         type: bool | ||||
|     edit_username_allowed: | ||||
|         description: | ||||
|             - The realm edit username allowed option. | ||||
|         aliases: | ||||
|             - editUsernameAllowed | ||||
|         type: bool | ||||
|     email_theme: | ||||
|         description: | ||||
|             - The realm email theme. | ||||
|         aliases: | ||||
|             - emailTheme | ||||
|         type: str | ||||
|     enabled: | ||||
|         description: | ||||
|             - The realm enabled option. | ||||
|         type: bool | ||||
|     enabled_event_types: | ||||
|         description: | ||||
|             - The realm enabled event types. | ||||
|         aliases: | ||||
|             - enabledEventTypes | ||||
|         type: list | ||||
|         elements: str | ||||
|     events_enabled: | ||||
|         description: | ||||
|             - Enables or disables login events for this realm. | ||||
|         aliases: | ||||
|             - eventsEnabled | ||||
|         type: bool | ||||
|         version_added: 3.6.0 | ||||
|     events_expiration: | ||||
|         description: | ||||
|             - The realm events expiration. | ||||
|         aliases: | ||||
|             - eventsExpiration | ||||
|         type: int | ||||
|     events_listeners: | ||||
|         description: | ||||
|             - The realm events listeners. | ||||
|         aliases: | ||||
|             - eventsListeners | ||||
|         type: list | ||||
|         elements: str | ||||
|     failure_factor: | ||||
|         description: | ||||
|             - The realm failure factor. | ||||
|         aliases: | ||||
|             - failureFactor | ||||
|         type: int | ||||
|     internationalization_enabled: | ||||
|         description: | ||||
|             - The realm internationalization enabled option. | ||||
|         aliases: | ||||
|             - internationalizationEnabled | ||||
|         type: bool | ||||
|     login_theme: | ||||
|         description: | ||||
|             - The realm login theme. | ||||
|         aliases: | ||||
|             - loginTheme | ||||
|         type: str | ||||
|     login_with_email_allowed: | ||||
|         description: | ||||
|             - The realm login with email allowed option. | ||||
|         aliases: | ||||
|             - loginWithEmailAllowed | ||||
|         type: bool | ||||
|     max_delta_time_seconds: | ||||
|         description: | ||||
|             - The realm max delta time in seconds. | ||||
|         aliases: | ||||
|             - maxDeltaTimeSeconds | ||||
|         type: int | ||||
|     max_failure_wait_seconds: | ||||
|         description: | ||||
|             - The realm max failure wait in seconds. | ||||
|         aliases: | ||||
|             - maxFailureWaitSeconds | ||||
|         type: int | ||||
|     minimum_quick_login_wait_seconds: | ||||
|         description: | ||||
|             - The realm minimum quick login wait in seconds. | ||||
|         aliases: | ||||
|             - minimumQuickLoginWaitSeconds | ||||
|         type: int | ||||
|     not_before: | ||||
|         description: | ||||
|             - The realm not before. | ||||
|         aliases: | ||||
|             - notBefore | ||||
|         type: int | ||||
|     offline_session_idle_timeout: | ||||
|         description: | ||||
|             - The realm offline session idle timeout. | ||||
|         aliases: | ||||
|             - offlineSessionIdleTimeout | ||||
|         type: int | ||||
|     offline_session_max_lifespan: | ||||
|         description: | ||||
|             - The realm offline session max lifespan. | ||||
|         aliases: | ||||
|             - offlineSessionMaxLifespan | ||||
|         type: int | ||||
|     offline_session_max_lifespan_enabled: | ||||
|         description: | ||||
|             - The realm offline session max lifespan enabled option. | ||||
|         aliases: | ||||
|             - offlineSessionMaxLifespanEnabled | ||||
|         type: bool | ||||
|     otp_policy_algorithm: | ||||
|         description: | ||||
|             - The realm otp policy algorithm. | ||||
|         aliases: | ||||
|             - otpPolicyAlgorithm | ||||
|         type: str | ||||
|     otp_policy_digits: | ||||
|         description: | ||||
|             - The realm otp policy digits. | ||||
|         aliases: | ||||
|             - otpPolicyDigits | ||||
|         type: int | ||||
|     otp_policy_initial_counter: | ||||
|         description: | ||||
|             - The realm otp policy initial counter. | ||||
|         aliases: | ||||
|             - otpPolicyInitialCounter | ||||
|         type: int | ||||
|     otp_policy_look_ahead_window: | ||||
|         description: | ||||
|             - The realm otp policy look ahead window. | ||||
|         aliases: | ||||
|             - otpPolicyLookAheadWindow | ||||
|         type: int | ||||
|     otp_policy_period: | ||||
|         description: | ||||
|             - The realm otp policy period. | ||||
|         aliases: | ||||
|             - otpPolicyPeriod | ||||
|         type: int | ||||
|     otp_policy_type: | ||||
|         description: | ||||
|             - The realm otp policy type. | ||||
|         aliases: | ||||
|             - otpPolicyType | ||||
|         type: str | ||||
|     otp_supported_applications: | ||||
|         description: | ||||
|             - The realm otp supported applications. | ||||
|         aliases: | ||||
|             - otpSupportedApplications | ||||
|         type: list | ||||
|         elements: str | ||||
|     password_policy: | ||||
|         description: | ||||
|             - The realm password policy. | ||||
|         aliases: | ||||
|             - passwordPolicy | ||||
|         type: str | ||||
|     permanent_lockout: | ||||
|         description: | ||||
|             - The realm permanent lockout. | ||||
|         aliases: | ||||
|             - permanentLockout | ||||
|         type: bool | ||||
|     quick_login_check_milli_seconds: | ||||
|         description: | ||||
|             - The realm quick login check in milliseconds. | ||||
|         aliases: | ||||
|             - quickLoginCheckMilliSeconds | ||||
|         type: int | ||||
|     refresh_token_max_reuse: | ||||
|         description: | ||||
|             - The realm refresh token max reuse. | ||||
|         aliases: | ||||
|             - refreshTokenMaxReuse | ||||
|         type: int | ||||
|     registration_allowed: | ||||
|         description: | ||||
|             - The realm registration allowed option. | ||||
|         aliases: | ||||
|             - registrationAllowed | ||||
|         type: bool | ||||
|     registration_email_as_username: | ||||
|         description: | ||||
|             - The realm registration email as username option. | ||||
|         aliases: | ||||
|             - registrationEmailAsUsername | ||||
|         type: bool | ||||
|     registration_flow: | ||||
|         description: | ||||
|             - The realm registration flow. | ||||
|         aliases: | ||||
|             - registrationFlow | ||||
|         type: str | ||||
|     remember_me: | ||||
|         description: | ||||
|             - The realm remember me option. | ||||
|         aliases: | ||||
|             - rememberMe | ||||
|         type: bool | ||||
|     reset_credentials_flow: | ||||
|         description: | ||||
|             - The realm reset credentials flow. | ||||
|         aliases: | ||||
|             - resetCredentialsFlow | ||||
|         type: str | ||||
|     reset_password_allowed: | ||||
|         description: | ||||
|             - The realm reset password allowed option. | ||||
|         aliases: | ||||
|             - resetPasswordAllowed | ||||
|         type: bool | ||||
|     revoke_refresh_token: | ||||
|         description: | ||||
|             - The realm revoke refresh token option. | ||||
|         aliases: | ||||
|             - revokeRefreshToken | ||||
|         type: bool | ||||
|     smtp_server: | ||||
|         description: | ||||
|             - The realm smtp server. | ||||
|         aliases: | ||||
|             - smtpServer | ||||
|         type: dict | ||||
|     ssl_required: | ||||
|         description: | ||||
|             - The realm ssl required option. | ||||
|         choices: ['all', 'external', 'none'] | ||||
|         aliases: | ||||
|             - sslRequired | ||||
|         type: str | ||||
|     sso_session_idle_timeout: | ||||
|         description: | ||||
|             - The realm sso session idle timeout. | ||||
|         aliases: | ||||
|             - ssoSessionIdleTimeout | ||||
|         type: int | ||||
|     sso_session_idle_timeout_remember_me: | ||||
|         description: | ||||
|             - The realm sso session idle timeout remember me. | ||||
|         aliases: | ||||
|             - ssoSessionIdleTimeoutRememberMe | ||||
|         type: int | ||||
|     sso_session_max_lifespan: | ||||
|         description: | ||||
|             - The realm sso session max lifespan. | ||||
|         aliases: | ||||
|             - ssoSessionMaxLifespan | ||||
|         type: int | ||||
|     sso_session_max_lifespan_remember_me: | ||||
|         description: | ||||
|             - The realm sso session max lifespan remember me. | ||||
|         aliases: | ||||
|             - ssoSessionMaxLifespanRememberMe | ||||
|         type: int | ||||
|     supported_locales: | ||||
|         description: | ||||
|             - The realm supported locales. | ||||
|         aliases: | ||||
|             - supportedLocales | ||||
|         type: list | ||||
|         elements: str | ||||
|     user_managed_access_allowed: | ||||
|         description: | ||||
|             - The realm user managed access allowed option. | ||||
|         aliases: | ||||
|             - userManagedAccessAllowed | ||||
|         type: bool | ||||
|     verify_email: | ||||
|         description: | ||||
|             - The realm verify email option. | ||||
|         aliases: | ||||
|             - verifyEmail | ||||
|         type: bool | ||||
|     wait_increment_seconds: | ||||
|         description: | ||||
|             - The realm wait increment in seconds. | ||||
|         aliases: | ||||
|             - waitIncrementSeconds | ||||
|         type: int | ||||
| 
 | ||||
| extends_documentation_fragment: | ||||
|     - middleware_automation.keycloak.keycloak | ||||
|     - middleware_automation.keycloak.attributes | ||||
| 
 | ||||
| author: | ||||
|     - Christophe Gilles (@kris2kris) | ||||
| ''' | ||||
| 
 | ||||
| EXAMPLES = ''' | ||||
| - name: Create or update Keycloak realm (minimal example) | ||||
|   middleware_automation.keycloak.keycloak_realm: | ||||
|     auth_client_id: admin-cli | ||||
|     auth_keycloak_url: https://auth.example.com/auth | ||||
|     auth_realm: master | ||||
|     auth_username: USERNAME | ||||
|     auth_password: PASSWORD | ||||
|     id: realm | ||||
|     realm: realm | ||||
|     state: present | ||||
| 
 | ||||
| - name: Delete a Keycloak realm | ||||
|   middleware_automation.keycloak.keycloak_realm: | ||||
|     auth_client_id: admin-cli | ||||
|     auth_keycloak_url: https://auth.example.com/auth | ||||
|     auth_realm: master | ||||
|     auth_username: USERNAME | ||||
|     auth_password: PASSWORD | ||||
|     id: test | ||||
|     state: absent | ||||
| ''' | ||||
| 
 | ||||
| RETURN = ''' | ||||
| msg: | ||||
|     description: Message as to what action was taken. | ||||
|     returned: always | ||||
|     type: str | ||||
|     sample: "Realm testrealm has been updated" | ||||
| 
 | ||||
| proposed: | ||||
|     description: Representation of proposed realm. | ||||
|     returned: always | ||||
|     type: dict | ||||
|     sample: { | ||||
|       id: "test" | ||||
|     } | ||||
| 
 | ||||
| existing: | ||||
|     description: Representation of existing realm (sample is truncated). | ||||
|     returned: always | ||||
|     type: dict | ||||
|     sample: { | ||||
|         "adminUrl": "http://www.example.com/admin_url", | ||||
|         "attributes": { | ||||
|             "request.object.signature.alg": "RS256", | ||||
|         } | ||||
|     } | ||||
| 
 | ||||
| end_state: | ||||
|     description: Representation of realm after module execution (sample is truncated). | ||||
|     returned: on success | ||||
|     type: dict | ||||
|     sample: { | ||||
|         "adminUrl": "http://www.example.com/admin_url", | ||||
|         "attributes": { | ||||
|             "request.object.signature.alg": "RS256", | ||||
|         } | ||||
|     } | ||||
| ''' | ||||
| 
 | ||||
| from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ | ||||
|     keycloak_argument_spec, get_token, KeycloakError | ||||
| from ansible.module_utils.basic import AnsibleModule | ||||
| 
 | ||||
| 
 | ||||
| def normalise_cr(realmrep): | ||||
|     """ Re-sorts any properties where the order is important so that diff's is minimised and the change detection is more effective. | ||||
| 
 | ||||
|     :param realmrep: the realmrep dict to be sanitized | ||||
|     :return: normalised realmrep dict | ||||
|     """ | ||||
|     # Avoid the dict passed in to be modified | ||||
|     realmrep = realmrep.copy() | ||||
| 
 | ||||
|     if 'enabledEventTypes' in realmrep: | ||||
|         realmrep['enabledEventTypes'] = list(sorted(realmrep['enabledEventTypes'])) | ||||
| 
 | ||||
|     if 'otpSupportedApplications' in realmrep: | ||||
|         realmrep['otpSupportedApplications'] = list(sorted(realmrep['otpSupportedApplications'])) | ||||
| 
 | ||||
|     if 'supportedLocales' in realmrep: | ||||
|         realmrep['supportedLocales'] = list(sorted(realmrep['supportedLocales'])) | ||||
| 
 | ||||
|     return realmrep | ||||
| 
 | ||||
| 
 | ||||
| def sanitize_cr(realmrep): | ||||
|     """ Removes probably sensitive details from a realm representation. | ||||
| 
 | ||||
|     :param realmrep: the realmrep dict to be sanitized | ||||
|     :return: sanitized realmrep dict | ||||
|     """ | ||||
|     result = realmrep.copy() | ||||
|     if 'secret' in result: | ||||
|         result['secret'] = '********' | ||||
|     if 'attributes' in result: | ||||
|         if 'saml.signing.private.key' in result['attributes']: | ||||
|             result['attributes'] = result['attributes'].copy() | ||||
|             result['attributes']['saml.signing.private.key'] = '********' | ||||
|     return normalise_cr(result) | ||||
| 
 | ||||
| 
 | ||||
| def main(): | ||||
|     """ | ||||
|     Module execution | ||||
| 
 | ||||
|     :return: | ||||
|     """ | ||||
|     argument_spec = keycloak_argument_spec() | ||||
| 
 | ||||
|     meta_args = dict( | ||||
|         state=dict(default='present', choices=['present', 'absent']), | ||||
| 
 | ||||
|         id=dict(type='str'), | ||||
|         realm=dict(type='str'), | ||||
|         access_code_lifespan=dict(type='int', aliases=['accessCodeLifespan']), | ||||
|         access_code_lifespan_login=dict(type='int', aliases=['accessCodeLifespanLogin']), | ||||
|         access_code_lifespan_user_action=dict(type='int', aliases=['accessCodeLifespanUserAction']), | ||||
|         access_token_lifespan=dict(type='int', aliases=['accessTokenLifespan'], no_log=False), | ||||
|         access_token_lifespan_for_implicit_flow=dict(type='int', aliases=['accessTokenLifespanForImplicitFlow'], no_log=False), | ||||
|         account_theme=dict(type='str', aliases=['accountTheme']), | ||||
|         action_token_generated_by_admin_lifespan=dict(type='int', aliases=['actionTokenGeneratedByAdminLifespan'], no_log=False), | ||||
|         action_token_generated_by_user_lifespan=dict(type='int', aliases=['actionTokenGeneratedByUserLifespan'], no_log=False), | ||||
|         admin_events_details_enabled=dict(type='bool', aliases=['adminEventsDetailsEnabled']), | ||||
|         admin_events_enabled=dict(type='bool', aliases=['adminEventsEnabled']), | ||||
|         admin_theme=dict(type='str', aliases=['adminTheme']), | ||||
|         attributes=dict(type='dict'), | ||||
|         browser_flow=dict(type='str', aliases=['browserFlow']), | ||||
|         browser_security_headers=dict(type='dict', aliases=['browserSecurityHeaders']), | ||||
|         brute_force_protected=dict(type='bool', aliases=['bruteForceProtected']), | ||||
|         client_authentication_flow=dict(type='str', aliases=['clientAuthenticationFlow']), | ||||
|         client_scope_mappings=dict(type='dict', aliases=['clientScopeMappings']), | ||||
|         default_default_client_scopes=dict(type='list', elements='str', aliases=['defaultDefaultClientScopes']), | ||||
|         default_groups=dict(type='list', elements='str', aliases=['defaultGroups']), | ||||
|         default_locale=dict(type='str', aliases=['defaultLocale']), | ||||
|         default_optional_client_scopes=dict(type='list', elements='str', aliases=['defaultOptionalClientScopes']), | ||||
|         default_roles=dict(type='list', elements='str', aliases=['defaultRoles']), | ||||
|         default_signature_algorithm=dict(type='str', aliases=['defaultSignatureAlgorithm']), | ||||
|         direct_grant_flow=dict(type='str', aliases=['directGrantFlow']), | ||||
|         display_name=dict(type='str', aliases=['displayName']), | ||||
|         display_name_html=dict(type='str', aliases=['displayNameHtml']), | ||||
|         docker_authentication_flow=dict(type='str', aliases=['dockerAuthenticationFlow']), | ||||
|         duplicate_emails_allowed=dict(type='bool', aliases=['duplicateEmailsAllowed']), | ||||
|         edit_username_allowed=dict(type='bool', aliases=['editUsernameAllowed']), | ||||
|         email_theme=dict(type='str', aliases=['emailTheme']), | ||||
|         enabled=dict(type='bool'), | ||||
|         enabled_event_types=dict(type='list', elements='str', aliases=['enabledEventTypes']), | ||||
|         events_enabled=dict(type='bool', aliases=['eventsEnabled']), | ||||
|         events_expiration=dict(type='int', aliases=['eventsExpiration']), | ||||
|         events_listeners=dict(type='list', elements='str', aliases=['eventsListeners']), | ||||
|         failure_factor=dict(type='int', aliases=['failureFactor']), | ||||
|         internationalization_enabled=dict(type='bool', aliases=['internationalizationEnabled']), | ||||
|         login_theme=dict(type='str', aliases=['loginTheme']), | ||||
|         login_with_email_allowed=dict(type='bool', aliases=['loginWithEmailAllowed']), | ||||
|         max_delta_time_seconds=dict(type='int', aliases=['maxDeltaTimeSeconds']), | ||||
|         max_failure_wait_seconds=dict(type='int', aliases=['maxFailureWaitSeconds']), | ||||
|         minimum_quick_login_wait_seconds=dict(type='int', aliases=['minimumQuickLoginWaitSeconds']), | ||||
|         not_before=dict(type='int', aliases=['notBefore']), | ||||
|         offline_session_idle_timeout=dict(type='int', aliases=['offlineSessionIdleTimeout']), | ||||
|         offline_session_max_lifespan=dict(type='int', aliases=['offlineSessionMaxLifespan']), | ||||
|         offline_session_max_lifespan_enabled=dict(type='bool', aliases=['offlineSessionMaxLifespanEnabled']), | ||||
|         otp_policy_algorithm=dict(type='str', aliases=['otpPolicyAlgorithm']), | ||||
|         otp_policy_digits=dict(type='int', aliases=['otpPolicyDigits']), | ||||
|         otp_policy_initial_counter=dict(type='int', aliases=['otpPolicyInitialCounter']), | ||||
|         otp_policy_look_ahead_window=dict(type='int', aliases=['otpPolicyLookAheadWindow']), | ||||
|         otp_policy_period=dict(type='int', aliases=['otpPolicyPeriod']), | ||||
|         otp_policy_type=dict(type='str', aliases=['otpPolicyType']), | ||||
|         otp_supported_applications=dict(type='list', elements='str', aliases=['otpSupportedApplications']), | ||||
|         password_policy=dict(type='str', aliases=['passwordPolicy'], no_log=False), | ||||
|         permanent_lockout=dict(type='bool', aliases=['permanentLockout']), | ||||
|         quick_login_check_milli_seconds=dict(type='int', aliases=['quickLoginCheckMilliSeconds']), | ||||
|         refresh_token_max_reuse=dict(type='int', aliases=['refreshTokenMaxReuse'], no_log=False), | ||||
|         registration_allowed=dict(type='bool', aliases=['registrationAllowed']), | ||||
|         registration_email_as_username=dict(type='bool', aliases=['registrationEmailAsUsername']), | ||||
|         registration_flow=dict(type='str', aliases=['registrationFlow']), | ||||
|         remember_me=dict(type='bool', aliases=['rememberMe']), | ||||
|         reset_credentials_flow=dict(type='str', aliases=['resetCredentialsFlow']), | ||||
|         reset_password_allowed=dict(type='bool', aliases=['resetPasswordAllowed'], no_log=False), | ||||
|         revoke_refresh_token=dict(type='bool', aliases=['revokeRefreshToken']), | ||||
|         smtp_server=dict(type='dict', aliases=['smtpServer']), | ||||
|         ssl_required=dict(choices=["external", "all", "none"], aliases=['sslRequired']), | ||||
|         sso_session_idle_timeout=dict(type='int', aliases=['ssoSessionIdleTimeout']), | ||||
|         sso_session_idle_timeout_remember_me=dict(type='int', aliases=['ssoSessionIdleTimeoutRememberMe']), | ||||
|         sso_session_max_lifespan=dict(type='int', aliases=['ssoSessionMaxLifespan']), | ||||
|         sso_session_max_lifespan_remember_me=dict(type='int', aliases=['ssoSessionMaxLifespanRememberMe']), | ||||
|         supported_locales=dict(type='list', elements='str', aliases=['supportedLocales']), | ||||
|         user_managed_access_allowed=dict(type='bool', aliases=['userManagedAccessAllowed']), | ||||
|         verify_email=dict(type='bool', aliases=['verifyEmail']), | ||||
|         wait_increment_seconds=dict(type='int', aliases=['waitIncrementSeconds']), | ||||
|     ) | ||||
| 
 | ||||
|     argument_spec.update(meta_args) | ||||
| 
 | ||||
|     module = AnsibleModule(argument_spec=argument_spec, | ||||
|                            supports_check_mode=True, | ||||
|                            required_one_of=([['id', 'realm', 'enabled'], | ||||
|                                              ['token', 'auth_realm', 'auth_username', 'auth_password']]), | ||||
|                            required_together=([['auth_realm', 'auth_username', 'auth_password']])) | ||||
| 
 | ||||
|     result = dict(changed=False, msg='', diff={}, proposed={}, existing={}, end_state={}) | ||||
| 
 | ||||
|     # Obtain access token, initialize API | ||||
|     try: | ||||
|         connection_header = get_token(module.params) | ||||
|     except KeycloakError as e: | ||||
|         module.fail_json(msg=str(e)) | ||||
| 
 | ||||
|     kc = KeycloakAPI(module, connection_header) | ||||
| 
 | ||||
|     realm = module.params.get('realm') | ||||
|     state = module.params.get('state') | ||||
| 
 | ||||
|     # convert module parameters to realm representation parameters (if they belong in there) | ||||
|     params_to_ignore = list(keycloak_argument_spec().keys()) + ['state'] | ||||
| 
 | ||||
|     # Filter and map the parameters names that apply to the role | ||||
|     realm_params = [x for x in module.params | ||||
|                     if x not in params_to_ignore and | ||||
|                     module.params.get(x) is not None] | ||||
| 
 | ||||
|     # See whether the realm already exists in Keycloak | ||||
|     before_realm = kc.get_realm_by_id(realm=realm) | ||||
| 
 | ||||
|     if before_realm is None: | ||||
|         before_realm = {} | ||||
| 
 | ||||
|     # Build a proposed changeset from parameters given to this module | ||||
|     changeset = {} | ||||
| 
 | ||||
|     for realm_param in realm_params: | ||||
|         new_param_value = module.params.get(realm_param) | ||||
|         changeset[camel(realm_param)] = new_param_value | ||||
| 
 | ||||
|     # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis) | ||||
|     desired_realm = before_realm.copy() | ||||
|     desired_realm.update(changeset) | ||||
| 
 | ||||
|     result['proposed'] = sanitize_cr(changeset) | ||||
|     before_realm_sanitized = sanitize_cr(before_realm) | ||||
|     result['existing'] = before_realm_sanitized | ||||
| 
 | ||||
|     # Cater for when it doesn't exist (an empty dict) | ||||
|     if not before_realm: | ||||
|         if state == 'absent': | ||||
|             # Do nothing and exit | ||||
|             if module._diff: | ||||
|                 result['diff'] = dict(before='', after='') | ||||
|             result['changed'] = False | ||||
|             result['end_state'] = {} | ||||
|             result['msg'] = 'Realm does not exist, doing nothing.' | ||||
|             module.exit_json(**result) | ||||
| 
 | ||||
|         # Process a creation | ||||
|         result['changed'] = True | ||||
| 
 | ||||
|         if 'id' not in desired_realm: | ||||
|             module.fail_json(msg='id needs to be specified when creating a new realm') | ||||
| 
 | ||||
|         if module._diff: | ||||
|             result['diff'] = dict(before='', after=sanitize_cr(desired_realm)) | ||||
| 
 | ||||
|         if module.check_mode: | ||||
|             module.exit_json(**result) | ||||
| 
 | ||||
|         # create it | ||||
|         kc.create_realm(desired_realm) | ||||
|         after_realm = kc.get_realm_by_id(desired_realm['id']) | ||||
| 
 | ||||
|         result['end_state'] = sanitize_cr(after_realm) | ||||
| 
 | ||||
|         result['msg'] = 'Realm %s has been created.' % desired_realm['id'] | ||||
|         module.exit_json(**result) | ||||
| 
 | ||||
|     else: | ||||
|         if state == 'present': | ||||
|             # Process an update | ||||
| 
 | ||||
|             # doing an update | ||||
|             result['changed'] = True | ||||
|             if module.check_mode: | ||||
|                 # We can only compare the current realm with the proposed updates we have | ||||
|                 before_norm = normalise_cr(before_realm) | ||||
|                 desired_norm = normalise_cr(desired_realm) | ||||
|                 if module._diff: | ||||
|                     result['diff'] = dict(before=sanitize_cr(before_norm), | ||||
|                                           after=sanitize_cr(desired_norm)) | ||||
|                 result['changed'] = (before_norm != desired_norm) | ||||
| 
 | ||||
|                 module.exit_json(**result) | ||||
| 
 | ||||
|             # do the update | ||||
|             kc.update_realm(desired_realm, realm=realm) | ||||
| 
 | ||||
|             after_realm = kc.get_realm_by_id(realm=realm) | ||||
| 
 | ||||
|             if before_realm == after_realm: | ||||
|                 result['changed'] = False | ||||
| 
 | ||||
|             result['end_state'] = sanitize_cr(after_realm) | ||||
| 
 | ||||
|             if module._diff: | ||||
|                 result['diff'] = dict(before=before_realm_sanitized, | ||||
|                                       after=sanitize_cr(after_realm)) | ||||
| 
 | ||||
|             result['msg'] = 'Realm %s has been updated.' % desired_realm['id'] | ||||
|             module.exit_json(**result) | ||||
| 
 | ||||
|         else: | ||||
|             # Process a deletion (because state was not 'present') | ||||
|             result['changed'] = True | ||||
| 
 | ||||
|             if module._diff: | ||||
|                 result['diff'] = dict(before=before_realm_sanitized, after='') | ||||
| 
 | ||||
|             if module.check_mode: | ||||
|                 module.exit_json(**result) | ||||
| 
 | ||||
|             # delete it | ||||
|             kc.delete_realm(realm=realm) | ||||
| 
 | ||||
|             result['proposed'] = {} | ||||
|             result['end_state'] = {} | ||||
| 
 | ||||
|             result['msg'] = 'Realm %s has been deleted.' % before_realm['id'] | ||||
| 
 | ||||
|     module.exit_json(**result) | ||||
| 
 | ||||
| 
 | ||||
| if __name__ == '__main__': | ||||
|     main() | ||||
|  | @ -40,8 +40,8 @@ options: | |||
|     state: | ||||
|         description: | ||||
|             - State of the role. | ||||
|             - On C(present), the role will be created if it does not yet exist, or updated with the parameters you provide. | ||||
|             - On C(absent), the role will be removed if it exists. | ||||
|             - On V(present), the role will be created if it does not yet exist, or updated with the parameters you provide. | ||||
|             - On V(absent), the role will be removed if it exists. | ||||
|         default: 'present' | ||||
|         type: str | ||||
|         choices: | ||||
|  | @ -77,6 +77,42 @@ options: | |||
|         description: | ||||
|             - A dict of key/value pairs to set as custom attributes for the role. | ||||
|             - Values may be single values (e.g. a string) or a list of strings. | ||||
|     composite: | ||||
|         description: | ||||
|             - If V(true), the role is a composition of other realm and/or client role. | ||||
|         default: false | ||||
|         type: bool | ||||
|         version_added: 7.1.0 | ||||
|     composites: | ||||
|         description: | ||||
|             - List of roles to include to the composite realm role. | ||||
|             - If the composite role is a client role, the C(clientId) (not ID of the client) must be specified. | ||||
|         default: [] | ||||
|         type: list | ||||
|         elements: dict | ||||
|         version_added: 7.1.0 | ||||
|         suboptions: | ||||
|             name: | ||||
|                 description: | ||||
|                     - Name of the role. This can be the name of a REALM role or a client role. | ||||
|                 type: str | ||||
|                 required: true | ||||
|             client_id: | ||||
|                 description: | ||||
|                     - Client ID if the role is a client role. Do not include this option for a REALM role. | ||||
|                     - Use the client ID you can see in the Keycloak console, not the technical ID of the client. | ||||
|                 type: str | ||||
|                 required: false | ||||
|                 aliases: | ||||
|                     - clientId | ||||
|             state: | ||||
|                 description: | ||||
|                     - Create the composite if present, remove it if absent. | ||||
|                 type: str | ||||
|                 choices: | ||||
|                     - present | ||||
|                     - absent | ||||
|                 default: present | ||||
| 
 | ||||
| extends_documentation_fragment: | ||||
|     - middleware_automation.keycloak.keycloak | ||||
|  | @ -142,14 +178,14 @@ EXAMPLES = ''' | |||
|     auth_password: PASSWORD | ||||
|     name: my-new-role | ||||
|     attributes: | ||||
|       attrib1: value1 | ||||
|       attrib2: value2 | ||||
|       attrib3: | ||||
|         - with | ||||
|         - numerous | ||||
|         - individual | ||||
|         - list | ||||
|         - items | ||||
|         attrib1: value1 | ||||
|         attrib2: value2 | ||||
|         attrib3: | ||||
|             - with | ||||
|             - numerous | ||||
|             - individual | ||||
|             - list | ||||
|             - items | ||||
|   delegate_to: localhost | ||||
| ''' | ||||
| 
 | ||||
|  | @ -198,8 +234,9 @@ end_state: | |||
| ''' | ||||
| 
 | ||||
| from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ | ||||
|     keycloak_argument_spec, get_token, KeycloakError | ||||
|     keycloak_argument_spec, get_token, KeycloakError, is_struct_included | ||||
| from ansible.module_utils.basic import AnsibleModule | ||||
| import copy | ||||
| 
 | ||||
| 
 | ||||
| def main(): | ||||
|  | @ -210,6 +247,12 @@ def main(): | |||
|     """ | ||||
|     argument_spec = keycloak_argument_spec() | ||||
| 
 | ||||
|     composites_spec = dict( | ||||
|         name=dict(type='str', required=True), | ||||
|         client_id=dict(type='str', aliases=['clientId'], required=False), | ||||
|         state=dict(type='str', default='present', choices=['present', 'absent']) | ||||
|     ) | ||||
| 
 | ||||
|     meta_args = dict( | ||||
|         state=dict(type='str', default='present', choices=['present', 'absent']), | ||||
|         name=dict(type='str', required=True), | ||||
|  | @ -217,6 +260,8 @@ def main(): | |||
|         realm=dict(type='str', default='master'), | ||||
|         client_id=dict(type='str'), | ||||
|         attributes=dict(type='dict'), | ||||
|         composites=dict(type='list', default=[], options=composites_spec, elements='dict'), | ||||
|         composite=dict(type='bool', default=False), | ||||
|     ) | ||||
| 
 | ||||
|     argument_spec.update(meta_args) | ||||
|  | @ -250,7 +295,7 @@ def main(): | |||
| 
 | ||||
|     # Filter and map the parameters names that apply to the role | ||||
|     role_params = [x for x in module.params | ||||
|                    if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm', 'client_id', 'composites'] and | ||||
|                    if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm', 'client_id'] and | ||||
|                    module.params.get(x) is not None] | ||||
| 
 | ||||
|     # See if it already exists in Keycloak | ||||
|  | @ -269,10 +314,10 @@ def main(): | |||
|         new_param_value = module.params.get(param) | ||||
|         old_value = before_role[param] if param in before_role else None | ||||
|         if new_param_value != old_value: | ||||
|             changeset[camel(param)] = new_param_value | ||||
|             changeset[camel(param)] = copy.deepcopy(new_param_value) | ||||
| 
 | ||||
|     # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis) | ||||
|     desired_role = before_role.copy() | ||||
|     desired_role = copy.deepcopy(before_role) | ||||
|     desired_role.update(changeset) | ||||
| 
 | ||||
|     result['proposed'] = changeset | ||||
|  | @ -309,6 +354,9 @@ def main(): | |||
|             kc.create_client_role(desired_role, clientid, realm) | ||||
|             after_role = kc.get_client_role(name, clientid, realm) | ||||
| 
 | ||||
|         if after_role['composite']: | ||||
|             after_role['composites'] = kc.get_role_composites(rolerep=after_role, clientid=clientid, realm=realm) | ||||
| 
 | ||||
|         result['end_state'] = after_role | ||||
| 
 | ||||
|         result['msg'] = 'Role {name} has been created'.format(name=name) | ||||
|  | @ -316,10 +364,25 @@ def main(): | |||
| 
 | ||||
|     else: | ||||
|         if state == 'present': | ||||
|             compare_exclude = [] | ||||
|             if 'composites' in desired_role and isinstance(desired_role['composites'], list) and len(desired_role['composites']) > 0: | ||||
|                 composites = kc.get_role_composites(rolerep=before_role, clientid=clientid, realm=realm) | ||||
|                 before_role['composites'] = [] | ||||
|                 for composite in composites: | ||||
|                     before_composite = {} | ||||
|                     if composite['clientRole']: | ||||
|                         composite_client = kc.get_client_by_id(id=composite['containerId'], realm=realm) | ||||
|                         before_composite['client_id'] = composite_client['clientId'] | ||||
|                     else: | ||||
|                         before_composite['client_id'] = None | ||||
|                     before_composite['name'] = composite['name'] | ||||
|                     before_composite['state'] = 'present' | ||||
|                     before_role['composites'].append(before_composite) | ||||
|             else: | ||||
|                 compare_exclude.append('composites') | ||||
|             # Process an update | ||||
| 
 | ||||
|             # no changes | ||||
|             if desired_role == before_role: | ||||
|             if is_struct_included(desired_role, before_role, exclude=compare_exclude): | ||||
|                 result['changed'] = False | ||||
|                 result['end_state'] = desired_role | ||||
|                 result['msg'] = "No changes required to role {name}.".format(name=name) | ||||
|  | @ -341,6 +404,8 @@ def main(): | |||
|             else: | ||||
|                 kc.update_client_role(desired_role, clientid, realm) | ||||
|                 after_role = kc.get_client_role(name, clientid, realm) | ||||
|             if after_role['composite']: | ||||
|                 after_role['composites'] = kc.get_role_composites(rolerep=after_role, clientid=clientid, realm=realm) | ||||
| 
 | ||||
|             result['end_state'] = after_role | ||||
| 
 | ||||
|  |  | |||
|  | @ -36,9 +36,9 @@ options: | |||
|     state: | ||||
|         description: | ||||
|             - State of the user federation. | ||||
|             - On C(present), the user federation will be created if it does not yet exist, or updated with | ||||
|             - On V(present), the user federation will be created if it does not yet exist, or updated with | ||||
|               the parameters you provide. | ||||
|             - On C(absent), the user federation will be removed if it exists. | ||||
|             - On V(absent), the user federation will be removed if it exists. | ||||
|         default: 'present' | ||||
|         type: str | ||||
|         choices: | ||||
|  | @ -54,7 +54,7 @@ options: | |||
|     id: | ||||
|         description: | ||||
|             - The unique ID for this user federation. If left empty, the user federation will be searched | ||||
|               by its I(name). | ||||
|               by its O(name). | ||||
|         type: str | ||||
| 
 | ||||
|     name: | ||||
|  | @ -64,18 +64,15 @@ options: | |||
| 
 | ||||
|     provider_id: | ||||
|         description: | ||||
|             - Provider for this user federation. | ||||
|             - Provider for this user federation. Built-in providers are V(ldap), V(kerberos), and V(sssd). | ||||
|               Custom user storage providers can also be used. | ||||
|         aliases: | ||||
|             - providerId | ||||
|         type: str | ||||
|         choices: | ||||
|             - ldap | ||||
|             - kerberos | ||||
|             - sssd | ||||
| 
 | ||||
|     provider_type: | ||||
|         description: | ||||
|             - Component type for user federation (only supported value is C(org.keycloak.storage.UserStorageProvider)). | ||||
|             - Component type for user federation (only supported value is V(org.keycloak.storage.UserStorageProvider)). | ||||
|         aliases: | ||||
|             - providerType | ||||
|         default: org.keycloak.storage.UserStorageProvider | ||||
|  | @ -88,13 +85,37 @@ options: | |||
|             - parentId | ||||
|         type: str | ||||
| 
 | ||||
|     remove_unspecified_mappers: | ||||
|         description: | ||||
|             - Remove mappers that are not specified in the configuration for this federation. | ||||
|             - Set to V(false) to keep mappers that are not listed in O(mappers). | ||||
|         type: bool | ||||
|         default: true | ||||
| 
 | ||||
|     bind_credential_update_mode: | ||||
|         description: | ||||
|             - The value of the config parameter O(config.bindCredential) is redacted in the Keycloak responses. | ||||
|               Comparing the redacted value with the desired value always evaluates to not equal. This means | ||||
|               the before and desired states are never equal if the parameter is set. | ||||
|             - Set to V(always) to include O(config.bindCredential) in the comparison of before and desired state. | ||||
|               Because of the redacted value returned by Keycloak the module will always detect a change | ||||
|               and make an update if a O(config.bindCredential) value is set. | ||||
|             - Set to V(only_indirect) to exclude O(config.bindCredential) when comparing the before state with the | ||||
|               desired state. The value of O(config.bindCredential) will only be updated if there are other changes | ||||
|               to the user federation that require an update. | ||||
|         type: str | ||||
|         default: always | ||||
|         choices: | ||||
|             - always | ||||
|             - only_indirect | ||||
| 
 | ||||
|     config: | ||||
|         description: | ||||
|             - Dict specifying the configuration options for the provider; the contents differ depending on | ||||
|               the value of I(provider_id). Examples are given below for C(ldap), C(kerberos) and C(sssd). | ||||
|               the value of O(provider_id). Examples are given below for V(ldap), V(kerberos) and V(sssd). | ||||
|               It is easiest to obtain valid config values by dumping an already-existing user federation | ||||
|               configuration through check-mode in the I(existing) field. | ||||
|             - The value C(sssd) has been supported since middleware_automation.keycloak 1.0.0. | ||||
|               configuration through check-mode in the RV(existing) field. | ||||
|             - The value V(sssd) has been supported since middleware_automation.keycloak 2.0.0. | ||||
|         type: dict | ||||
|         suboptions: | ||||
|             enabled: | ||||
|  | @ -111,15 +132,15 @@ options: | |||
| 
 | ||||
|             importEnabled: | ||||
|                 description: | ||||
|                     - If C(true), LDAP users will be imported into Keycloak DB and synced by the configured | ||||
|                     - If V(true), LDAP users will be imported into Keycloak DB and synced by the configured | ||||
|                       sync policies. | ||||
|                 default: true | ||||
|                 type: bool | ||||
| 
 | ||||
|             editMode: | ||||
|                 description: | ||||
|                     - C(READ_ONLY) is a read-only LDAP store. C(WRITABLE) means data will be synced back to LDAP | ||||
|                       on demand. C(UNSYNCED) means user data will be imported, but not synced back to LDAP. | ||||
|                     - V(READ_ONLY) is a read-only LDAP store. V(WRITABLE) means data will be synced back to LDAP | ||||
|                       on demand. V(UNSYNCED) means user data will be imported, but not synced back to LDAP. | ||||
|                 type: str | ||||
|                 choices: | ||||
|                     - READ_ONLY | ||||
|  | @ -136,13 +157,13 @@ options: | |||
|             vendor: | ||||
|                 description: | ||||
|                     - LDAP vendor (provider). | ||||
|                     - Use short name. For instance, write C(rhds) for "Red Hat Directory Server". | ||||
|                     - Use short name. For instance, write V(rhds) for "Red Hat Directory Server". | ||||
|                 type: str | ||||
| 
 | ||||
|             usernameLDAPAttribute: | ||||
|                 description: | ||||
|                     - Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server | ||||
|                       vendors it can be C(uid). For Active directory it can be C(sAMAccountName) or C(cn). | ||||
|                       vendors it can be V(uid). For Active directory it can be V(sAMAccountName) or V(cn). | ||||
|                       The attribute should be filled for all LDAP user records you want to import from | ||||
|                       LDAP to Keycloak. | ||||
|                 type: str | ||||
|  | @ -151,15 +172,15 @@ options: | |||
|                 description: | ||||
|                     - Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. | ||||
|                       Usually it's the same as Username LDAP attribute, however it is not required. For | ||||
|                       example for Active directory, it is common to use C(cn) as RDN attribute when | ||||
|                       username attribute might be C(sAMAccountName). | ||||
|                       example for Active directory, it is common to use V(cn) as RDN attribute when | ||||
|                       username attribute might be V(sAMAccountName). | ||||
|                 type: str | ||||
| 
 | ||||
|             uuidLDAPAttribute: | ||||
|                 description: | ||||
|                     - Name of LDAP attribute, which is used as unique object identifier (UUID) for objects | ||||
|                       in LDAP. For many LDAP server vendors, it is C(entryUUID); however some are different. | ||||
|                       For example for Active directory it should be C(objectGUID). If your LDAP server does | ||||
|                       in LDAP. For many LDAP server vendors, it is V(entryUUID); however some are different. | ||||
|                       For example for Active directory it should be V(objectGUID). If your LDAP server does | ||||
|                       not support the notion of UUID, you can use any other attribute that is supposed to | ||||
|                       be unique among LDAP users in tree. | ||||
|                 type: str | ||||
|  | @ -167,7 +188,7 @@ options: | |||
|             userObjectClasses: | ||||
|                 description: | ||||
|                     - All values of LDAP objectClass attribute for users in LDAP divided by comma. | ||||
|                       For example C(inetOrgPerson, organizationalPerson). Newly created Keycloak users | ||||
|                       For example V(inetOrgPerson, organizationalPerson). Newly created Keycloak users | ||||
|                       will be written to LDAP with all those object classes and existing LDAP user records | ||||
|                       are found just if they contain all those object classes. | ||||
|                 type: str | ||||
|  | @ -251,8 +272,8 @@ options: | |||
|             useTruststoreSpi: | ||||
|                 description: | ||||
|                     - Specifies whether LDAP connection will use the truststore SPI with the truststore | ||||
|                       configured in standalone.xml/domain.xml. C(Always) means that it will always use it. | ||||
|                       C(Never) means that it will not use it. C(Only for ldaps) means that it will use if | ||||
|                       configured in standalone.xml/domain.xml. V(always) means that it will always use it. | ||||
|                       V(never) means that it will not use it. V(ldapsOnly) means that it will use if | ||||
|                       your connection URL use ldaps. Note even if standalone.xml/domain.xml is not | ||||
|                       configured, the default Java cacerts or certificate specified by | ||||
|                       C(javax.net.ssl.trustStore) property will be used. | ||||
|  | @ -297,7 +318,7 @@ options: | |||
|             connectionPoolingDebug: | ||||
|                 description: | ||||
|                     - A string that indicates the level of debug output to produce. Example valid values are | ||||
|                       C(fine) (trace connection creation and removal) and C(all) (all debugging information). | ||||
|                       V(fine) (trace connection creation and removal) and V(all) (all debugging information). | ||||
|                 type: str | ||||
| 
 | ||||
|             connectionPoolingInitSize: | ||||
|  | @ -321,7 +342,7 @@ options: | |||
|             connectionPoolingProtocol: | ||||
|                 description: | ||||
|                     - A list of space-separated protocol types of connections that may be pooled. | ||||
|                       Valid types are C(plain) and C(ssl). | ||||
|                       Valid types are V(plain) and V(ssl). | ||||
|                 type: str | ||||
| 
 | ||||
|             connectionPoolingTimeout: | ||||
|  | @ -342,17 +363,26 @@ options: | |||
|                     - Name of kerberos realm. | ||||
|                 type: str | ||||
| 
 | ||||
|             krbPrincipalAttribute: | ||||
|                 description: | ||||
|                     - Name of the LDAP attribute, which refers to Kerberos principal. | ||||
|                       This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO authentication in Keycloak. | ||||
|                       When this is empty, the LDAP user will be looked based on LDAP username corresponding | ||||
|                       to the first part of his Kerberos principal. For instance, for principal C(john@KEYCLOAK.ORG), | ||||
|                       it will assume that LDAP username is V(john). | ||||
|                 type: str | ||||
| 
 | ||||
|             serverPrincipal: | ||||
|                 description: | ||||
|                     - Full name of server principal for HTTP service including server and domain name. For | ||||
|                       example C(HTTP/host.foo.org@FOO.ORG). Use C(*) to accept any service principal in the | ||||
|                       example V(HTTP/host.foo.org@FOO.ORG). Use V(*) to accept any service principal in the | ||||
|                       KeyTab file. | ||||
|                 type: str | ||||
| 
 | ||||
|             keyTab: | ||||
|                 description: | ||||
|                     - Location of Kerberos KeyTab file containing the credentials of server principal. For | ||||
|                       example C(/etc/krb5.keytab). | ||||
|                       example V(/etc/krb5.keytab). | ||||
|                 type: str | ||||
| 
 | ||||
|             debug: | ||||
|  | @ -427,6 +457,16 @@ options: | |||
|                     - Max lifespan of cache entry in milliseconds. | ||||
|                 type: int | ||||
| 
 | ||||
|             referral: | ||||
|                 description: | ||||
|                     - Specifies if LDAP referrals should be followed or ignored. Please note that enabling | ||||
|                       referrals can slow down authentication as it allows the LDAP server to decide which other | ||||
|                       LDAP servers to use. This could potentially include untrusted servers. | ||||
|                 type: str | ||||
|                 choices: | ||||
|                     - ignore | ||||
|                     - follow | ||||
| 
 | ||||
|     mappers: | ||||
|         description: | ||||
|             - A list of dicts defining mappers associated with this Identity Provider. | ||||
|  | @ -451,7 +491,7 @@ options: | |||
| 
 | ||||
|             providerId: | ||||
|                 description: | ||||
|                     - The mapper type for this mapper (for instance C(user-attribute-ldap-mapper)). | ||||
|                     - The mapper type for this mapper (for instance V(user-attribute-ldap-mapper)). | ||||
|                 type: str | ||||
| 
 | ||||
|             providerType: | ||||
|  | @ -534,14 +574,14 @@ EXAMPLES = ''' | |||
|     provider_id: kerberos | ||||
|     provider_type: org.keycloak.storage.UserStorageProvider | ||||
|     config: | ||||
|     priority: 0 | ||||
|     enabled: true | ||||
|     cachePolicy: DEFAULT | ||||
|     kerberosRealm: EXAMPLE.COM | ||||
|     serverPrincipal: HTTP/host.example.com@EXAMPLE.COM | ||||
|     keyTab: keytab | ||||
|     allowPasswordAuthentication: false | ||||
|     updateProfileFirstLogin: false | ||||
|       priority: 0 | ||||
|       enabled: true | ||||
|       cachePolicy: DEFAULT | ||||
|       kerberosRealm: EXAMPLE.COM | ||||
|       serverPrincipal: HTTP/host.example.com@EXAMPLE.COM | ||||
|       keyTab: keytab | ||||
|       allowPasswordAuthentication: false | ||||
|       updateProfileFirstLogin: false | ||||
| 
 | ||||
| - name: Create sssd user federation | ||||
|   middleware_automation.keycloak.keycloak_user_federation: | ||||
|  | @ -704,16 +744,27 @@ from ansible.module_utils.six.moves.urllib.parse import urlencode | |||
| from copy import deepcopy | ||||
| 
 | ||||
| 
 | ||||
| def normalize_kc_comp(comp): | ||||
|     if 'config' in comp: | ||||
|         # kc completely removes the parameter `krbPrincipalAttribute` if it is set to `''`; the unset kc parameter is equivalent to `''`; | ||||
|         # to make change detection and diff more accurate we set it again in the kc responses | ||||
|         if 'krbPrincipalAttribute' not in comp['config']: | ||||
|             comp['config']['krbPrincipalAttribute'] = [''] | ||||
| 
 | ||||
|         # kc stores a timestamp of the last sync in `lastSync` to time the periodic sync, it is removed to minimize diff/changes | ||||
|         comp['config'].pop('lastSync', None) | ||||
| 
 | ||||
| 
 | ||||
| def sanitize(comp): | ||||
|     compcopy = deepcopy(comp) | ||||
|     if 'config' in compcopy: | ||||
|         compcopy['config'] = dict((k, v[0]) for k, v in compcopy['config'].items()) | ||||
|         compcopy['config'] = {k: v[0] for k, v in compcopy['config'].items()} | ||||
|         if 'bindCredential' in compcopy['config']: | ||||
|             compcopy['config']['bindCredential'] = '**********' | ||||
|     if 'mappers' in compcopy: | ||||
|         for mapper in compcopy['mappers']: | ||||
|             if 'config' in mapper: | ||||
|                 mapper['config'] = dict((k, v[0]) for k, v in mapper['config'].items()) | ||||
|                 mapper['config'] = {k: v[0] for k, v in mapper['config'].items()} | ||||
|     return compcopy | ||||
| 
 | ||||
| 
 | ||||
|  | @ -760,8 +811,10 @@ def main(): | |||
|         priority=dict(type='int', default=0), | ||||
|         rdnLDAPAttribute=dict(type='str'), | ||||
|         readTimeout=dict(type='int'), | ||||
|         referral=dict(type='str', choices=['ignore', 'follow']), | ||||
|         searchScope=dict(type='str', choices=['1', '2'], default='1'), | ||||
|         serverPrincipal=dict(type='str'), | ||||
|         krbPrincipalAttribute=dict(type='str'), | ||||
|         startTls=dict(type='bool', default=False), | ||||
|         syncRegistrations=dict(type='bool', default=False), | ||||
|         trustEmail=dict(type='bool', default=False), | ||||
|  | @ -792,9 +845,11 @@ def main(): | |||
|         realm=dict(type='str', default='master'), | ||||
|         id=dict(type='str'), | ||||
|         name=dict(type='str'), | ||||
|         provider_id=dict(type='str', aliases=['providerId'], choices=['ldap', 'kerberos', 'sssd']), | ||||
|         provider_id=dict(type='str', aliases=['providerId']), | ||||
|         provider_type=dict(type='str', aliases=['providerType'], default='org.keycloak.storage.UserStorageProvider'), | ||||
|         parent_id=dict(type='str', aliases=['parentId']), | ||||
|         remove_unspecified_mappers=dict(type='bool', default=True), | ||||
|         bind_credential_update_mode=dict(type='str', default='always', choices=['always', 'only_indirect']), | ||||
|         mappers=dict(type='list', elements='dict', options=mapper_spec), | ||||
|     ) | ||||
| 
 | ||||
|  | @ -825,19 +880,26 @@ def main(): | |||
| 
 | ||||
|     # Keycloak API expects config parameters to be arrays containing a single string element | ||||
|     if config is not None: | ||||
|         module.params['config'] = dict((k, [str(v).lower() if not isinstance(v, str) else v]) | ||||
|                                        for k, v in config.items() if config[k] is not None) | ||||
|         module.params['config'] = { | ||||
|             k: [str(v).lower() if not isinstance(v, str) else v] | ||||
|             for k, v in config.items() | ||||
|             if config[k] is not None | ||||
|         } | ||||
| 
 | ||||
|     if mappers is not None: | ||||
|         for mapper in mappers: | ||||
|             if mapper.get('config') is not None: | ||||
|                 mapper['config'] = dict((k, [str(v).lower() if not isinstance(v, str) else v]) | ||||
|                                         for k, v in mapper['config'].items() if mapper['config'][k] is not None) | ||||
|                 mapper['config'] = { | ||||
|                     k: [str(v).lower() if not isinstance(v, str) else v] | ||||
|                     for k, v in mapper['config'].items() | ||||
|                     if mapper['config'][k] is not None | ||||
|                 } | ||||
| 
 | ||||
|     # Filter and map the parameters names that apply | ||||
|     comp_params = [x for x in module.params | ||||
|                    if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm', 'mappers'] and | ||||
|                    module.params.get(x) is not None] | ||||
|                    if x not in list(keycloak_argument_spec().keys()) | ||||
|                    + ['state', 'realm', 'mappers', 'remove_unspecified_mappers', 'bind_credential_update_mode'] | ||||
|                    and module.params.get(x) is not None] | ||||
| 
 | ||||
|     # See if it already exists in Keycloak | ||||
|     if cid is None: | ||||
|  | @ -855,7 +917,9 @@ def main(): | |||
| 
 | ||||
|     # if user federation exists, get associated mappers | ||||
|     if cid is not None and before_comp: | ||||
|         before_comp['mappers'] = sorted(kc.get_components(urlencode(dict(parent=cid)), realm), key=lambda x: x.get('name')) | ||||
|         before_comp['mappers'] = sorted(kc.get_components(urlencode(dict(parent=cid)), realm), key=lambda x: x.get('name') or '') | ||||
| 
 | ||||
|     normalize_kc_comp(before_comp) | ||||
| 
 | ||||
|     # Build a proposed changeset from parameters given to this module | ||||
|     changeset = {} | ||||
|  | @ -864,7 +928,7 @@ def main(): | |||
|         new_param_value = module.params.get(param) | ||||
|         old_value = before_comp[camel(param)] if camel(param) in before_comp else None | ||||
|         if param == 'mappers': | ||||
|             new_param_value = [dict((k, v) for k, v in x.items() if x[k] is not None) for x in new_param_value] | ||||
|             new_param_value = [{k: v for k, v in x.items() if v is not None} for x in new_param_value] | ||||
|         if new_param_value != old_value: | ||||
|             changeset[camel(param)] = new_param_value | ||||
| 
 | ||||
|  | @ -873,17 +937,17 @@ def main(): | |||
|         if module.params['provider_id'] in ['kerberos', 'sssd']: | ||||
|             module.fail_json(msg='Cannot configure mappers for {type} provider.'.format(type=module.params['provider_id'])) | ||||
|         for change in module.params['mappers']: | ||||
|             change = dict((k, v) for k, v in change.items() if change[k] is not None) | ||||
|             change = {k: v for k, v in change.items() if v is not None} | ||||
|             if change.get('id') is None and change.get('name') is None: | ||||
|                 module.fail_json(msg='Either `name` or `id` has to be specified on each mapper.') | ||||
|             if cid is None: | ||||
|                 old_mapper = {} | ||||
|             elif change.get('id') is not None: | ||||
|                 old_mapper = kc.get_component(change['id'], realm) | ||||
|                 old_mapper = next((before_mapper for before_mapper in before_comp.get('mappers', []) if before_mapper["id"] == change['id']), None) | ||||
|                 if old_mapper is None: | ||||
|                     old_mapper = {} | ||||
|             else: | ||||
|                 found = kc.get_components(urlencode(dict(parent=cid, name=change['name'])), realm) | ||||
|                 found = [before_mapper for before_mapper in before_comp.get('mappers', []) if before_mapper['name'] == change['name']] | ||||
|                 if len(found) > 1: | ||||
|                     module.fail_json(msg='Found multiple mappers with name `{name}`. Cannot continue.'.format(name=change['name'])) | ||||
|                 if len(found) == 1: | ||||
|  | @ -892,10 +956,16 @@ def main(): | |||
|                     old_mapper = {} | ||||
|             new_mapper = old_mapper.copy() | ||||
|             new_mapper.update(change) | ||||
|             if new_mapper != old_mapper: | ||||
|                 if changeset.get('mappers') is None: | ||||
|                     changeset['mappers'] = list() | ||||
|                 changeset['mappers'].append(new_mapper) | ||||
|             # changeset contains all desired mappers: those existing, to update or to create | ||||
|             if changeset.get('mappers') is None: | ||||
|                 changeset['mappers'] = list() | ||||
|             changeset['mappers'].append(new_mapper) | ||||
|         changeset['mappers'] = sorted(changeset['mappers'], key=lambda x: x.get('name') or '') | ||||
| 
 | ||||
|         # to keep unspecified existing mappers we add them to the desired mappers list, unless they're already present | ||||
|         if not module.params['remove_unspecified_mappers'] and 'mappers' in before_comp: | ||||
|             changeset_mapper_ids = [mapper['id'] for mapper in changeset['mappers'] if 'id' in mapper] | ||||
|             changeset['mappers'].extend([mapper for mapper in before_comp['mappers'] if mapper['id'] not in changeset_mapper_ids]) | ||||
| 
 | ||||
|     # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis) | ||||
|     desired_comp = before_comp.copy() | ||||
|  | @ -918,50 +988,68 @@ def main(): | |||
|         # Process a creation | ||||
|         result['changed'] = True | ||||
| 
 | ||||
|         if module._diff: | ||||
|             result['diff'] = dict(before='', after=sanitize(desired_comp)) | ||||
| 
 | ||||
|         if module.check_mode: | ||||
|             if module._diff: | ||||
|                 result['diff'] = dict(before='', after=sanitize(desired_comp)) | ||||
|             module.exit_json(**result) | ||||
| 
 | ||||
|         # create it | ||||
|         desired_comp = desired_comp.copy() | ||||
|         updated_mappers = desired_comp.pop('mappers', []) | ||||
|         desired_mappers = desired_comp.pop('mappers', []) | ||||
|         after_comp = kc.create_component(desired_comp, realm) | ||||
| 
 | ||||
|         cid = after_comp['id'] | ||||
|         updated_mappers = [] | ||||
|         # when creating a user federation, keycloak automatically creates default mappers | ||||
|         default_mappers = kc.get_components(urlencode(dict(parent=cid)), realm) | ||||
| 
 | ||||
|         for mapper in updated_mappers: | ||||
|             found = kc.get_components(urlencode(dict(parent=cid, name=mapper['name'])), realm) | ||||
|         # create new mappers or update existing default mappers | ||||
|         for desired_mapper in desired_mappers: | ||||
|             found = [default_mapper for default_mapper in default_mappers if default_mapper['name'] == desired_mapper['name']] | ||||
|             if len(found) > 1: | ||||
|                 module.fail_json(msg='Found multiple mappers with name `{name}`. Cannot continue.'.format(name=mapper['name'])) | ||||
|                 module.fail_json(msg='Found multiple mappers with name `{name}`. Cannot continue.'.format(name=desired_mapper['name'])) | ||||
|             if len(found) == 1: | ||||
|                 old_mapper = found[0] | ||||
|             else: | ||||
|                 old_mapper = {} | ||||
| 
 | ||||
|             new_mapper = old_mapper.copy() | ||||
|             new_mapper.update(mapper) | ||||
|             new_mapper.update(desired_mapper) | ||||
| 
 | ||||
|             if new_mapper.get('id') is not None: | ||||
|                 kc.update_component(new_mapper, realm) | ||||
|                 updated_mappers.append(new_mapper) | ||||
|             else: | ||||
|                 if new_mapper.get('parentId') is None: | ||||
|                     new_mapper['parentId'] = after_comp['id'] | ||||
|                 mapper = kc.create_component(new_mapper, realm) | ||||
|                     new_mapper['parentId'] = cid | ||||
|                 updated_mappers.append(kc.create_component(new_mapper, realm)) | ||||
| 
 | ||||
|         after_comp['mappers'] = updated_mappers | ||||
|         if module.params['remove_unspecified_mappers']: | ||||
|             # we remove all unwanted default mappers | ||||
|             # we use ids so we dont accidently remove one of the previously updated default mapper | ||||
|             for default_mapper in default_mappers: | ||||
|                 if not default_mapper['id'] in [x['id'] for x in updated_mappers]: | ||||
|                     kc.delete_component(default_mapper['id'], realm) | ||||
| 
 | ||||
|         after_comp['mappers'] = kc.get_components(urlencode(dict(parent=cid)), realm) | ||||
|         normalize_kc_comp(after_comp) | ||||
|         if module._diff: | ||||
|             result['diff'] = dict(before='', after=sanitize(after_comp)) | ||||
|         result['end_state'] = sanitize(after_comp) | ||||
| 
 | ||||
|         result['msg'] = "User federation {id} has been created".format(id=after_comp['id']) | ||||
|         result['msg'] = "User federation {id} has been created".format(id=cid) | ||||
|         module.exit_json(**result) | ||||
| 
 | ||||
|     else: | ||||
|         if state == 'present': | ||||
|             # Process an update | ||||
| 
 | ||||
|             desired_copy = deepcopy(desired_comp) | ||||
|             before_copy = deepcopy(before_comp) | ||||
|             # exclude bindCredential when checking wether an update is required, therefore | ||||
|             # updating it only if there are other changes | ||||
|             if module.params['bind_credential_update_mode'] == 'only_indirect': | ||||
|                 desired_copy.get('config', []).pop('bindCredential', None) | ||||
|                 before_copy.get('config', []).pop('bindCredential', None) | ||||
|             # no changes | ||||
|             if desired_comp == before_comp: | ||||
|             if desired_copy == before_copy: | ||||
|                 result['changed'] = False | ||||
|                 result['end_state'] = sanitize(desired_comp) | ||||
|                 result['msg'] = "No changes required to user federation {id}.".format(id=cid) | ||||
|  | @ -977,22 +1065,33 @@ def main(): | |||
|                 module.exit_json(**result) | ||||
| 
 | ||||
|             # do the update | ||||
|             desired_comp = desired_comp.copy() | ||||
|             updated_mappers = desired_comp.pop('mappers', []) | ||||
|             desired_mappers = desired_comp.pop('mappers', []) | ||||
|             kc.update_component(desired_comp, realm) | ||||
|             after_comp = kc.get_component(cid, realm) | ||||
| 
 | ||||
|             for mapper in updated_mappers: | ||||
|             for before_mapper in before_comp.get('mappers', []): | ||||
|                 # remove unwanted existing mappers that will not be updated | ||||
|                 if not before_mapper['id'] in [x['id'] for x in desired_mappers if 'id' in x]: | ||||
|                     kc.delete_component(before_mapper['id'], realm) | ||||
| 
 | ||||
|             for mapper in desired_mappers: | ||||
|                 if mapper in before_comp.get('mappers', []): | ||||
|                     continue | ||||
|                 if mapper.get('id') is not None: | ||||
|                     kc.update_component(mapper, realm) | ||||
|                 else: | ||||
|                     if mapper.get('parentId') is None: | ||||
|                         mapper['parentId'] = desired_comp['id'] | ||||
|                     mapper = kc.create_component(mapper, realm) | ||||
| 
 | ||||
|             after_comp['mappers'] = updated_mappers | ||||
|             result['end_state'] = sanitize(after_comp) | ||||
|                     kc.create_component(mapper, realm) | ||||
| 
 | ||||
|             after_comp = kc.get_component(cid, realm) | ||||
|             after_comp['mappers'] = sorted(kc.get_components(urlencode(dict(parent=cid)), realm), key=lambda x: x.get('name') or '') | ||||
|             normalize_kc_comp(after_comp) | ||||
|             after_comp_sanitized = sanitize(after_comp) | ||||
|             before_comp_sanitized = sanitize(before_comp) | ||||
|             result['end_state'] = after_comp_sanitized | ||||
|             if module._diff: | ||||
|                 result['diff'] = dict(before=before_comp_sanitized, after=after_comp_sanitized) | ||||
|             result['changed'] = before_comp_sanitized != after_comp_sanitized | ||||
|             result['msg'] = "User federation {id} has been updated".format(id=cid) | ||||
|             module.exit_json(**result) | ||||
| 
 | ||||
|  |  | |||
|  | @ -118,3 +118,7 @@ keycloak_no_log: true | |||
| 
 | ||||
| ### logging configuration | ||||
| keycloak_log_target: /var/log/keycloak | ||||
| 
 | ||||
| # locations | ||||
| keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}" | ||||
| keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}" | ||||
|  |  | |||
|  | @ -12,7 +12,7 @@ galaxy_info: | |||
| 
 | ||||
|   license: Apache License 2.0 | ||||
| 
 | ||||
|   min_ansible_version: "2.15" | ||||
|   min_ansible_version: "2.16" | ||||
| 
 | ||||
|   platforms: | ||||
|     - name: EL | ||||
|  |  | |||
|  | @ -1,6 +1,10 @@ | |||
| --- | ||||
| - name: Include firewall config tasks | ||||
|   ansible.builtin.include_tasks: iptables.yml | ||||
|   ansible.builtin.include_tasks: | ||||
|     file: iptables.yml | ||||
|     apply: | ||||
|       tags: | ||||
|         - firewall | ||||
|   when: keycloak_configure_iptables | ||||
|   tags: | ||||
|     - firewall | ||||
|  |  | |||
|  | @ -1,22 +1,38 @@ | |||
| --- | ||||
| # tasks file for keycloak | ||||
| - name: Check prerequisites | ||||
|   ansible.builtin.include_tasks: prereqs.yml | ||||
|   ansible.builtin.include_tasks: | ||||
|     file: prereqs.yml | ||||
|     apply: | ||||
|       tags: | ||||
|         - prereqs | ||||
|   tags: | ||||
|     - prereqs | ||||
| 
 | ||||
| - name: Distro specific tasks | ||||
|   ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml" | ||||
|   ansible.builtin.include_tasks: | ||||
|     file: "{{ ansible_os_family | lower }}.yml" | ||||
|     apply: | ||||
|       tags: | ||||
|         - unbound | ||||
|   tags: | ||||
|     - unbound | ||||
| 
 | ||||
| - name: Include install tasks | ||||
|   ansible.builtin.include_tasks: install.yml | ||||
|   ansible.builtin.include_tasks: | ||||
|     file: install.yml | ||||
|     apply: | ||||
|       tags: | ||||
|         - install | ||||
|   tags: | ||||
|     - install | ||||
| 
 | ||||
| - name: Include systemd tasks | ||||
|   ansible.builtin.include_tasks: systemd.yml | ||||
|   ansible.builtin.include_tasks: | ||||
|     file: systemd.yml | ||||
|     apply: | ||||
|       tags: | ||||
|         - systemd | ||||
|   tags: | ||||
|     - systemd | ||||
| 
 | ||||
|  |  | |||
|  | @ -1,6 +1,10 @@ | |||
| --- | ||||
| - name: Include firewall config tasks | ||||
|   ansible.builtin.include_tasks: firewalld.yml | ||||
|   ansible.builtin.include_tasks: | ||||
|     file: firewalld.yml | ||||
|     apply: | ||||
|       tags: | ||||
|         - firewall | ||||
|   when: keycloak_configure_firewalld | ||||
|   tags: | ||||
|     - firewall | ||||
|  |  | |||
|  | @ -2,12 +2,12 @@ | |||
| - name: Ensure required params for CLI have been provided | ||||
|   ansible.builtin.assert: | ||||
|     that: | ||||
|       - query is defined | ||||
|       - cli_query is defined | ||||
|     fail_msg: "Missing required parameters to execute CLI." | ||||
|     quiet: true | ||||
| 
 | ||||
| - name: "Execute CLI query: {{ query }}" | ||||
| - name: "Execute CLI query: {{ cli_query }}" | ||||
|   ansible.builtin.command: > | ||||
|     {{ keycloak.cli_path }} --connect --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }} | ||||
|     {{ keycloak.cli_path }} --connect --command='{{ cli_query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }} | ||||
|   changed_when: false | ||||
|   register: cli_result | ||||
|  |  | |||
|  | @ -106,7 +106,7 @@ | |||
| - name: "Check installed patches" | ||||
|   ansible.builtin.include_tasks: rhsso_cli.yml | ||||
|   vars: | ||||
|     query: "patch info" | ||||
|     cli_query: "patch info" | ||||
|   args: | ||||
|     apply: | ||||
|       become: true | ||||
|  | @ -121,7 +121,7 @@ | |||
|     - name: "Apply patch {{ patch_version }} to server" | ||||
|       ansible.builtin.include_tasks: rhsso_cli.yml | ||||
|       vars: | ||||
|         query: "patch apply {{ patch_archive }}" | ||||
|         cli_query: "patch apply {{ patch_archive }}" | ||||
|       args: | ||||
|         apply: | ||||
|           become: true | ||||
|  | @ -130,7 +130,7 @@ | |||
|     - name: "Restart server to ensure patch content is running" | ||||
|       ansible.builtin.include_tasks: rhsso_cli.yml | ||||
|       vars: | ||||
|         query: "shutdown --restart" | ||||
|         cli_query: "shutdown --restart" | ||||
|       when: | ||||
|         - cli_result.rc == 0 | ||||
|       args: | ||||
|  | @ -149,7 +149,7 @@ | |||
|     - name: "Query installed patch after restart" | ||||
|       ansible.builtin.include_tasks: rhsso_cli.yml | ||||
|       vars: | ||||
|         query: "patch info" | ||||
|         cli_query: "patch info" | ||||
|       args: | ||||
|         apply: | ||||
|           become: true | ||||
|  |  | |||
|  | @ -1,9 +1,6 @@ | |||
| --- | ||||
| # internal variables below | ||||
| 
 | ||||
| # locations | ||||
| keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}" | ||||
| keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}" | ||||
| 
 | ||||
| 
 | ||||
| keycloak: | ||||
|  |  | |||
|  | @ -33,7 +33,7 @@ Role Defaults | |||
| 
 | ||||
| | Variable | Description | Default | | ||||
| |:---------|:------------|:--------| | ||||
| |`keycloak_quarkus_version`| keycloak.org package version | `24.0.4` | | ||||
| |`keycloak_quarkus_version`| keycloak.org package version | `26.3.0` | | ||||
| |`keycloak_quarkus_offline_install` | Perform an offline install | `False`| | ||||
| |`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` | | ||||
| |`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` | | ||||
|  | @ -44,47 +44,29 @@ Role Defaults | |||
| 
 | ||||
| | Variable | Description | Default | | ||||
| |:---------|:------------|:--------| | ||||
| |`keycloak_quarkus_admin_user`| Administration console user account | `admin` | | ||||
| |`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` | | ||||
| |`keycloak_quarkus_host`| Hostname for the Keycloak server | `localhost` | | ||||
| |`keycloak_quarkus_port`| The port used by the proxy when exposing the hostname | `-1` | | ||||
| |`keycloak_quarkus_path`| This should be set if proxy uses a different context-path for Keycloak | | | ||||
| |`keycloak_quarkus_http_port`| HTTP listening port | `8080` | | ||||
| |`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` | | ||||
| |`keycloak_quarkus_ajp_port`| AJP port | `8009` | | ||||
| |`keycloak_quarkus_bootstrap_admin_user`| Administration console user account | `admin` | | ||||
| |`keycloak_quarkus_admin_user`| Deprecated, use `keycloak_quarkus_bootstrap_admin_user` instead. | | | ||||
| |`keycloak_quarkus_bind_address`| Deprecated, use `keycloak_quarkus_http_host` instead |  `0.0.0.0` | | ||||
| |`keycloak_quarkus_host`| Deprecated, use `keycloak_quarkus_hostname` instead. | | | ||||
| |`keycloak_quarkus_port`| Deprecated, use `keycloak_quarkus_hostname` instead. | | | ||||
| |`keycloak_quarkus_path`| Deprecated, use `keycloak_quarkus_hostname` instead. | | | ||||
| |`keycloak_quarkus_service_user`| Posix account username | `keycloak` | | ||||
| |`keycloak_quarkus_service_group`| Posix account group | `keycloak` | | ||||
| |`keycloak_quarkus_service_restart_always`| systemd restart always behavior activation | `False` | | ||||
| |`keycloak_quarkus_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` | | ||||
| |`keycloak_quarkus_service_restartsec`| systemd RestartSec | `10s` | | ||||
| |`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-17-openjdk-headless` | | ||||
| |`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-21-openjdk-headless` | | ||||
| |`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` | | ||||
| |`keycloak_quarkus_java_heap_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` | | ||||
| |`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak | | ||||
| |`keycloak_quarkus_java_opts`| JVM arguments; if overridden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` | | ||||
| |`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file | `[]` | | ||||
| |`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | | | ||||
| |`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | | | ||||
| |`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` | | ||||
| |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` | | ||||
| |`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically | `realms/master/.well-known/openid-configuration` | | ||||
| |`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` | | ||||
| |`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` | | ||||
| |`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` | | ||||
| |`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `/etc/pki/tls/private/server.key.pem` | | ||||
| |`keycloak_quarkus_cert_file_copy_enabled`| Enable copy of cert file to target host | `False`| | ||||
| |`keycloak_quarkus_cert_file_src`| Set the source file path | `""` | | ||||
| |`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `/etc/pki/tls/certs/server.crt.pem` | | ||||
| |`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` | | ||||
| |`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. || | ||||
| |`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.|| | ||||
| |`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` | | ||||
| |`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` | | ||||
| |`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` | | ||||
| |`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` | | ||||
| |`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` | | ||||
| |`keycloak_quarkus_frontend_url`| Deprecated, use `keycloak_quarkus_hostname` instead. | | | ||||
| |`keycloak_quarkus_admin_url`| Deprecated, use `keycloak_quarkus_hostname_admin` instead. | | | ||||
| |`keycloak_quarkus_health_check_url`| Full URL (including scheme, host, path, fragment etc.) used for health check endpoint; keycloak_quarkus_hostname will NOT be prepended; helpful when health checks should happen against http port, but keycloak_quarkus_hostname uses https scheme per default | `` | | ||||
| |`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; keycloak_quarkus_hostname will be prepended automatically; Note that keycloak_quarkus_health_check_url takes precedence over this property | `realms/master/.well-known/openid-configuration` | | ||||
| |`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwarded`) | `""` | | ||||
| |`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty  | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_keystore_password != ''`, else `''` | | ||||
| |`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_config_key_store_password` is not empty  | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_config_key_store_password != ''`, else `''` | | ||||
| |`keycloak_quarkus_config_key_store_password`| Password of the configuration keystore; if non-empty, `keycloak_quarkus_db_pass` will be saved to the keystore at `keycloak_quarkus_config_key_store_file` instead of being written to the configuration file in clear text | `""` | | ||||
| |`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` | | ||||
| |`keycloak_quarkus_configure_iptables` | Ensure iptables is configured for keycloak ports | `False` | | ||||
|  | @ -95,8 +77,9 @@ Role Defaults | |||
| | Variable | Description | Default | | ||||
| |:---------|:------------|:--------| | ||||
| |`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` | | ||||
| |`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `TCPPING` | | ||||
| |`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `JDBCPING` | | ||||
| |`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` | | ||||
| |`keycloak_quarkus_jgroups_ip`| Host jgroups IP.  If changing this variable you must make sure it is always set for all hosts in your cluster. | `{{ ansible_default_ipv4.address }}` | | ||||
| |`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` | | ||||
| |`keycloak_quarkus_systemd_wait_for_port` | Whether systemd unit should wait for keycloak port before returning | `{{ keycloak_quarkus_ha_enabled }}` | | ||||
| |`keycloak_quarkus_systemd_wait_for_port_number`| Which port the systemd unit should wait for | `{{ keycloak_quarkus_https_port }}` | | ||||
|  | @ -106,7 +89,7 @@ Role Defaults | |||
| |`keycloak_quarkus_restart_strategy`| Strategy task file for restarting in HA (one of provided restart/['serial.yml','none.yml','serial_then_parallel.yml']) or path to file when providing custom strategy | `restart/serial.yml` | | ||||
| |`keycloak_quarkus_restart_health_check`| Whether to wait for successful health check after restart | `true` | | ||||
| |`keycloak_quarkus_restart_health_check_delay`| Seconds to let pass before starting healch checks | `10` | | ||||
| |`keycloak_quarkus_restart_health_check_reries`| Number of attempts for successful health check before failing | `25` | | ||||
| |`keycloak_quarkus_restart_health_check_retries`| Number of attempts for successful health check before failing | `25` | | ||||
| |`keycloak_quarkus_restart_pause`| Seconds to wait between restarts in HA strategy | `15` | | ||||
| 
 | ||||
| 
 | ||||
|  | @ -114,49 +97,69 @@ Role Defaults | |||
| 
 | ||||
| | Variable | Description | Default | | ||||
| |:---------|:------------|:--------| | ||||
| |`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` | | ||||
| |`keycloak_quarkus_hostname`| Address at which is the server exposed. Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request. | | | ||||
| |`keycloak_quarkus_hostname_admin`| Set the base URL for accessing the administration console, including scheme, host, port and path | `` | | ||||
| |`keycloak_quarkus_hostname_strict`| Disables dynamically resolving the hostname from request headers | `true` | | ||||
| |`keycloak_quarkus_hostname_strict_backchannel`| By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled. | `false` | | ||||
| |`keycloak_quarkus_hostname_backchannel_dynamic`| Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL. | `false` | | ||||
| |`keycloak_quarkus_hostname_strict_backchannel`| Deprecated, use (the inverted!)`keycloak_quarkus_hostname_backchannel_dynamic` instead. |  | | ||||
| 
 | ||||
| 
 | ||||
| #### HTTP(S) configuration | ||||
| | Variable | Description | Default | | ||||
| |:---------|:------------|:--------| | ||||
| |`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` | | ||||
| |`keycloak_quarkus_http_host`| The http host, ie. the address used to bind the service |  `0.0.0.0` | | ||||
| |`keycloak_quarkus_http_port`| HTTP listening port | `8080` | | ||||
| |`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` | | ||||
| |`keycloak_quarkus_http_management_port`| Port of the management interface. Relevant only when something is exposed on the management interface - see the guide for details. | `9000` | | ||||
| |`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` | | ||||
| |`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` | | ||||
| |`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` | | ||||
| |`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` | | ||||
| |`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` | | ||||
| |`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` | | ||||
| |`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` | | ||||
| |`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` | | ||||
| |`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `/etc/pki/tls/private/server.key.pem` | | ||||
| |`keycloak_quarkus_cert_file_copy_enabled`| Enable copy of cert file to target host | `False`| | ||||
| |`keycloak_quarkus_cert_file_src`| Set the source file path | `""` | | ||||
| |`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `/etc/pki/tls/certs/server.crt.pem` | | ||||
| |`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` | | ||||
| |`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. || | ||||
| |`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.|| | ||||
| |`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` | | ||||
| |`keycloak_quarkus_http_management_relative_path` | Set the path relative to / for serving resources from management interface. The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details. | `/` | | ||||
| |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` | | ||||
| 
 | ||||
| 
 | ||||
| #### Database configuration | ||||
| 
 | ||||
| | Variable | Description | Default | | ||||
| |:---------|:------------|:--------| | ||||
| |`keycloak_quarkus_jdbc_engine` | Database engine [mariadb,postres,mssql] | `postgres` | | ||||
| |`keycloak_quarkus_db_engine` | Database engine [mariadb,postres,mssql] | `postgres` | | ||||
| |`keycloak_quarkus_db_user` | User for database connection | `keycloak-user` | | ||||
| |`keycloak_quarkus_db_pass` | Password for database connection | `keycloak-pass` | | ||||
| |`keycloak_quarkus_jdbc_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` | | ||||
| |`keycloak_quarkus_jdbc_driver_version` | Version for JDBC driver | `9.4.1212` | | ||||
| |`keycloak_quarkus_db_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` | | ||||
| |`keycloak_quarkus_db_driver_version` | Version for JDBC engine driver | `9.4.1212` | | ||||
| 
 | ||||
| 
 | ||||
| #### Remote caches configuration | ||||
| #### Cache configuration | ||||
| 
 | ||||
| | Variable | Description | Default | | ||||
| |:---------|:------------|:--------| | ||||
| |`keycloak_quarkus_ispn_user` | Username for connecting to infinispan | `supervisor` | | ||||
| |`keycloak_quarkus_ispn_pass` | Password for connecting to infinispan | `supervisor` | | ||||
| |`keycloak_quarkus_ispn_hosts` | host name/port for connecting to infinispan, eg. host1:11222;host2:11222 | `localhost:11222` | | ||||
| |`keycloak_quarkus_ispn_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` | | ||||
| |`keycloak_quarkus_ispn_use_ssl` | Whether infinispan uses TLS connection | `false` | | ||||
| |`keycloak_quarkus_ispn_trust_store_path` | Path to infinispan server trust certificate | `/etc/pki/java/cacerts` | | ||||
| |`keycloak_quarkus_ispn_trust_store_password` | Password for infinispan certificate keystore | `changeit` | | ||||
| |`keycloak_quarkus_cache_remote` | Whether to connect to remote cache infinispan server | `false` | | ||||
| |`keycloak_quarkus_cache_remote_username` | Username for connecting to infinispan | `supervisor` | | ||||
| |`keycloak_quarkus_cache_remote_password` | Password for connecting to infinispan | `supervisor` | | ||||
| |`keycloak_quarkus_cache_remote_host` | Hostname for connecting to infinispan | `localhost` | | ||||
| |`keycloak_quarkus_cache_remote_port`| Port for connecting to infinispan | `11222` | | ||||
| |`keycloak_quarkus_cache_remote_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` | | ||||
| |`keycloak_quarkus_cache_remote_tls_enabled` | Whether infinispan uses TLS connection | `false` | | ||||
| 
 | ||||
| 
 | ||||
| #### Miscellaneous configuration | ||||
| #### Logging configuration | ||||
| 
 | ||||
| | Variable | Description | Default | | ||||
| |:---------|:------------|:--------| | ||||
| |`keycloak_quarkus_metrics_enabled`| Whether to enable metrics | `False` | | ||||
| |`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints | `True` | | ||||
| |`keycloak_quarkus_archive` | keycloak install archive filename | `keycloak-{{ keycloak_quarkus_version }}.zip` | | ||||
| |`keycloak_quarkus_installdir` | Installation path | `{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}` | | ||||
| |`keycloak_quarkus_home` | Installation work directory | `{{ keycloak_quarkus_installdir }}` | | ||||
| |`keycloak_quarkus_config_dir` | Path for configuration | `{{ keycloak_quarkus_home }}/conf` | | ||||
| |`keycloak_quarkus_master_realm` | Name for rest authentication realm | `master` | | ||||
| |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` | | ||||
| |`keycloak_force_install` | Remove pre-existing versions of service | `False` | | ||||
| |`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_http_port }}` | | ||||
| |`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` | | ||||
| |`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` | | ||||
| |`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` | | ||||
|  | @ -165,6 +168,21 @@ Role Defaults | |||
| |`keycloak_quarkus_log_max_file_size`| Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): `[0-9]+[KkMmGgTtPpEeZzYy]?`. If no suffix is given, assume bytes. | `10M` | | ||||
| |`keycloak_quarkus_log_max_backup_index`| Set the maximum number of archived log files to keep" | `10` | | ||||
| |`keycloak_quarkus_log_file_suffix`| Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with `.zip` or `.gz`, the rotation file will also be compressed. | `.yyyy-MM-dd.zip` | | ||||
| 
 | ||||
| 
 | ||||
| #### Miscellaneous configuration | ||||
| 
 | ||||
| | Variable | Description | Default | | ||||
| |:---------|:------------|:--------| | ||||
| |`keycloak_quarkus_metrics_enabled`| Whether to enable metrics | `False` | | ||||
| |`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints on the management interface | `True` | | ||||
| |`keycloak_quarkus_archive` | keycloak install archive filename | `keycloak-{{ keycloak_quarkus_version }}.zip` | | ||||
| |`keycloak_quarkus_installdir` | Installation path | `{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}` | | ||||
| |`keycloak_quarkus_home` | Installation work directory | `{{ keycloak_quarkus_installdir }}` | | ||||
| |`keycloak_quarkus_config_dir` | Path for configuration | `{{ keycloak_quarkus_home }}/conf` | | ||||
| |`keycloak_quarkus_master_realm` | Name for rest authentication realm | `master` | | ||||
| |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` | | ||||
| |`keycloak_quarkus_force_install` | Remove pre-existing versions of service | `False` | | ||||
| |`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` | | ||||
| |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` | | ||||
| |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` | | ||||
|  | @ -172,7 +190,7 @@ Role Defaults | |||
| |`keycloak_quarkus_show_deprecation_warnings`| Whether deprecation warnings should be shown | `True` | | ||||
| 
 | ||||
| 
 | ||||
| #### Vault SPI | ||||
| #### Vault configuration | ||||
| 
 | ||||
| | Variable | Description | Default | | ||||
| |:---------|:------------|:--------| | ||||
|  | @ -200,19 +218,24 @@ keycloak_quarkus_providers: | |||
|   - id: http-client                         # required; "{{ id }}.jar" identifies the file name on RHBK | ||||
|     spi: connections                        # required if neither url, local_path nor maven are specified; required for setting properties | ||||
|     default: true                           # optional, whether to set default for spi, default false | ||||
|     restart: true                           # optional, whether to restart, default true | ||||
|     restart: true                           # optional, whether to rebuild config and restart the service after deploying, default true | ||||
|     url: https://.../.../custom_spi.jar     # optional, url for download via http | ||||
|     local_path: my_theme_spi.jar            # optional, path on local controller for SPI to be uploaded | ||||
|     remote: true                            # optional, whether to copy from localhost or remotely, see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-remote_src, default false | ||||
|     maven:                                  # optional, for download using maven | ||||
|       repository_url: https://maven.pkg.github.com/OWNER/REPOSITORY # optional, maven repo url | ||||
|       group_id:  my.group                   # optional, maven group id | ||||
|       artifact_id: artifact                 # optional, maven artifact id | ||||
|       version: 24.0.4                       # optional, defaults to latest | ||||
|       version: 24.0.5                       # optional, defaults to latest | ||||
|       username:  user                       # optional, cf. https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry#authenticating-to-github-packages | ||||
|       password: pat                         # optional, provide a PAT for accessing Github's Apache Maven registry | ||||
|     properties:                             # optional, list of key-values | ||||
|       - key: default-connection-pool-size | ||||
|         value: 10 | ||||
|     checksum: sha256:D98291AC[...]B6DC7B97  # optional, checksum used to verify integrity: | ||||
|                                             #  for `url` SPIs, use format: <algorithm>:<checksum|url>, cf. <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html#parameter-checksum>; | ||||
|                                             #  for `local_path` SPIs, use SHA1 format <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-checksum> | ||||
|                                             #  for `maven` SPIs, this field is ignored since maven has integrity verification methods enabled by default | ||||
| ``` | ||||
| 
 | ||||
| the definition above will generate the following build command: | ||||
|  | @ -232,9 +255,9 @@ Provider definition: | |||
| 
 | ||||
| ```yaml | ||||
| keycloak_quarkus_policies: | ||||
|   - name: xato-net-10-million-passwords.txt                                                                # required, resulting file name | ||||
|     url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt # required, url for download | ||||
|     type: password-blacklists                                                                              # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`] | ||||
|   - name: john-the-ripper.txt                                                                          # required, resulting file name | ||||
|     url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt  # required, url for download | ||||
|     type: password-blacklists                                                                          # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`] | ||||
| ``` | ||||
| 
 | ||||
| 
 | ||||
|  | @ -243,9 +266,8 @@ Role Variables | |||
| 
 | ||||
| | Variable | Description | Required | | ||||
| |:---------|:------------|----------| | ||||
| |`keycloak_quarkus_admin_pass`| Password of console admin account | `yes` | | ||||
| |`keycloak_quarkus_frontend_url`| Base URL for frontend URLs, including scheme, host, port and path | `no` | | ||||
| |`keycloak_quarkus_admin_url`| Base URL for accessing the administration console, including scheme, host, port and path | `no` | | ||||
| |`keycloak_quarkus_bootstrap_admin_password`| Password of console admin account | `yes` | | ||||
| |`keycloak_quarkus_admin_pass`| Deprecated, use `keycloak_quarkus_bootstrap_admin_password` instead. | | | ||||
| |`keycloak_quarkus_ks_vault_pass`| The password for accessing the keystore vault SPI | `no` | | ||||
| |`keycloak_quarkus_alternate_download_url`| Alternate location with optional authentication for downloading RHBK | `no` | | ||||
| |`keycloak_quarkus_download_user`| Optional username for http authentication  | `no*` | | ||||
|  | @ -265,7 +287,7 @@ The role uses the following [custom facts](https://docs.ansible.com/ansible/late | |||
| 
 | ||||
| | Variable | Description | | ||||
| |:---------|:------------| | ||||
| |`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_admin_user[_pass]` gets created | | ||||
| |`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_bootstrap_admin_user[_password]` gets created | | ||||
| 
 | ||||
| License | ||||
| ------- | ||||
|  |  | |||
|  | @ -1,6 +1,6 @@ | |||
| --- | ||||
| ### Configuration specific to keycloak | ||||
| keycloak_quarkus_version: 24.0.4 | ||||
| keycloak_quarkus_version: 26.3.0 | ||||
| keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip" | ||||
| keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}" | ||||
| keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}" | ||||
|  | @ -27,26 +27,32 @@ keycloak_quarkus_configure_firewalld: false | |||
| keycloak_quarkus_configure_iptables: false | ||||
| 
 | ||||
| ### administrator console password | ||||
| keycloak_quarkus_admin_user: admin | ||||
| keycloak_quarkus_admin_pass: | ||||
| keycloak_quarkus_bootstrap_admin_user: admin | ||||
| keycloak_quarkus_bootstrap_admin_password: | ||||
| keycloak_quarkus_master_realm: master | ||||
| 
 | ||||
| ### Configuration settings | ||||
| keycloak_quarkus_bind_address: 0.0.0.0 | ||||
| keycloak_quarkus_host: localhost | ||||
| keycloak_quarkus_port: -1 | ||||
| keycloak_quarkus_path: | ||||
| keycloak_quarkus_bind_address: 0.0.0.0 # deprecated use keycloak_quarkus_http_host | ||||
| keycloak_quarkus_http_host: 0.0.0.0 | ||||
| keycloak_quarkus_http_enabled: true | ||||
| keycloak_quarkus_http_port: 8080 | ||||
| keycloak_quarkus_https_port: 8443 | ||||
| keycloak_quarkus_ajp_port: 8009 | ||||
| keycloak_quarkus_http_management_port: 9000 | ||||
| keycloak_quarkus_jgroups_port: 7800 | ||||
| keycloak_quarkus_jgroups_bind_address: "{{ ansible_default_ipv4.address }}" | ||||
| keycloak_quarkus_jgroups_external_addr: "{{ keycloak_quarkus_jgroups_bind_address }}" | ||||
| keycloak_quarkus_jgroups_external_port: "{{ keycloak_quarkus_jgroups_port }}" | ||||
| keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx2048m" | ||||
| keycloak_quarkus_java_jvm_opts: "-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 | ||||
| keycloak_quarkus_java_jvm_opts: > | ||||
|   -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 | ||||
|   -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError | ||||
|   -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4 | ||||
|   -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512" | ||||
| keycloak_quarkus_java_opts: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}" | ||||
|   -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512 | ||||
| keycloak_quarkus_jgroups_opts: > | ||||
|   -Djgroups.bind.address={{ keycloak_quarkus_jgroups_bind_address }} | ||||
|   -Djgroups.external_port={{ keycloak_quarkus_jgroups_external_port }} | ||||
|   -Djgroups.external_addr={{ keycloak_quarkus_jgroups_external_addr }} | ||||
| keycloak_quarkus_java_opts: "{{ ' '.join((keycloak_quarkus_jgroups_opts, keycloak_quarkus_java_heap_opts, keycloak_quarkus_java_jvm_opts)) }}" | ||||
| keycloak_quarkus_additional_env_vars: [] | ||||
| 
 | ||||
| ### TLS/HTTPS configuration | ||||
|  | @ -71,7 +77,7 @@ keycloak_quarkus_config_key_store_password: '' | |||
| 
 | ||||
| ### Enable configuration for database backend, clustering and remote caches on infinispan | ||||
| keycloak_quarkus_ha_enabled: false | ||||
| keycloak_quarkus_ha_discovery: "TCPPING" | ||||
| keycloak_quarkus_ha_discovery: "JDBCPING" | ||||
| ### Enable database configuration, must be enabled when HA is configured | ||||
| keycloak_quarkus_db_enabled: "{{ keycloak_quarkus_ha_enabled }}" | ||||
| keycloak_quarkus_systemd_wait_for_port: "{{ keycloak_quarkus_ha_enabled }}" | ||||
|  | @ -81,8 +87,8 @@ keycloak_quarkus_systemd_wait_for_timeout: 60 | |||
| keycloak_quarkus_systemd_wait_for_delay: 10 | ||||
| 
 | ||||
| ### keycloak frontend url | ||||
| keycloak_quarkus_frontend_url: | ||||
| keycloak_quarkus_admin_url: | ||||
| keycloak_quarkus_hostname: | ||||
| keycloak_quarkus_hostname_admin: "" | ||||
| 
 | ||||
| ### Set the path relative to / for serving resources. The path must start with a / | ||||
| ### (set to `/auth` for retrocompatibility with pre-quarkus releases) | ||||
|  | @ -91,9 +97,9 @@ keycloak_quarkus_http_relative_path: / | |||
| # Disables dynamically resolving the hostname from request headers. | ||||
| # Should always be set to true in production, unless proxy verifies the Host header. | ||||
| keycloak_quarkus_hostname_strict: true | ||||
| # By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. | ||||
| # If all applications use the public URL this option should be enabled. | ||||
| keycloak_quarkus_hostname_strict_backchannel: false | ||||
| # Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. | ||||
| # Set to true if your application accesses Keycloak via a private network. If set to true, keycloak_quarkus_hostname option needs to be specified as a full URL. | ||||
| keycloak_quarkus_hostname_backchannel_dynamic: false | ||||
| 
 | ||||
| # The proxy headers that should be accepted by the server. ['', 'forwarded', 'xforwarded'] | ||||
| keycloak_quarkus_proxy_headers: "" | ||||
|  | @ -111,36 +117,57 @@ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: true | |||
| keycloak_quarkus_metrics_enabled: false | ||||
| keycloak_quarkus_health_enabled: true | ||||
| 
 | ||||
| ### caches; must read: https://www.keycloak.org/2024/12/storing-sessions-in-kc26 | ||||
| ### embedded caches | ||||
| # https://www.keycloak.org/server/caching | ||||
| keycloak_quarkus_cache_metrics_enabled: false | ||||
| keycloak_quarkus_cache_embedded_authorization_max_count: | ||||
| keycloak_quarkus_cache_embedded_client_sessions_max_count: | ||||
| keycloak_quarkus_cache_embedded_crl_max_count: | ||||
| keycloak_quarkus_cache_embedded_keys_max_count: | ||||
| keycloak_quarkus_cache_embedded_offline_client_sessions_max_count: | ||||
| keycloak_quarkus_cache_embedded_offline_sessions_max_count: | ||||
| keycloak_quarkus_cache_embedded_realms_max_count: | ||||
| keycloak_quarkus_cache_embedded_sessions_max_count: | ||||
| keycloak_quarkus_cache_embedded_users_max_count: | ||||
| keycloak_quarkus_cache_embedded_mtls_enabled: true | ||||
| keycloak_quarkus_cache_embedded_mtls_key_store_file: "{{ keycloak.home }}/conf/cache_key_store.p12" | ||||
| keycloak_quarkus_cache_embedded_mtls_key_store_password: '' | ||||
| keycloak_quarkus_cache_embedded_mtls_rotation_interval_days: 30 | ||||
| keycloak_quarkus_cache_embedded_mtls_trust_store_file: "{{ keycloak.home }}/conf/cache_trust_store.p12" | ||||
| keycloak_quarkus_cache_embedded_mtls_trust_store_password: '' | ||||
| 
 | ||||
| ### infinispan remote caches access (hotrod) | ||||
| keycloak_quarkus_ispn_user: supervisor | ||||
| keycloak_quarkus_ispn_pass: supervisor | ||||
| keycloak_quarkus_ispn_hosts: "localhost:11222" | ||||
| keycloak_quarkus_ispn_sasl_mechanism: SCRAM-SHA-512 | ||||
| keycloak_quarkus_ispn_use_ssl: false | ||||
| # if ssl is enabled, import ispn server certificate here | ||||
| keycloak_quarkus_ispn_trust_store_path: /etc/pki/java/cacerts | ||||
| keycloak_quarkus_ispn_trust_store_password: changeit | ||||
| # https://www.keycloak.org/server/caching#_remote_cache | ||||
| keycloak_quarkus_cache_remote: false | ||||
| keycloak_quarkus_cache_remote_username: supervisor | ||||
| keycloak_quarkus_cache_remote_password: supervisor | ||||
| keycloak_quarkus_cache_remote_host: localhost | ||||
| keycloak_quarkus_cache_remote_port: 11222 | ||||
| keycloak_quarkus_cache_remote_tls_enabled: false | ||||
| keycloak_quarkus_cache_remote_sasl_mechanism: SCRAM-SHA-512 | ||||
| 
 | ||||
| 
 | ||||
| ### database backend engine: values [ 'postgres', 'mariadb' ] | ||||
| keycloak_quarkus_jdbc_engine: postgres | ||||
| keycloak_quarkus_db_engine: postgres | ||||
| ### database backend credentials | ||||
| keycloak_quarkus_db_user: keycloak-user | ||||
| keycloak_quarkus_db_pass: keycloak-pass | ||||
| keycloak_quarkus_jdbc_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}" | ||||
| keycloak_quarkus_jdbc_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}" | ||||
| # override the variables above, following defaults show minimum supported versions | ||||
| keycloak_quarkus_db_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].url }}" | ||||
| keycloak_quarkus_db_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].version }}" | ||||
| # override the variables above, following defaults show recommended version as per | ||||
| # https://access.redhat.com/articles/7033107 | ||||
| keycloak_quarkus_default_jdbc: | ||||
|   postgres: | ||||
|     url: 'jdbc:postgresql://localhost:5432/keycloak' | ||||
|     version: 9.4.1212 | ||||
|     version: 42.7.5 | ||||
|   mariadb: | ||||
|     url: 'jdbc:mariadb://localhost:3306/keycloak' | ||||
|     version: 2.7.4 | ||||
|     version: 3.5.2 | ||||
|   mssql: | ||||
|     url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;' | ||||
|     version: 12.4.2 | ||||
|     driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.4.2.jre11/mssql-jdbc-12.4.2.jre11.jar" | ||||
|     # cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/24.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver | ||||
|     version: 12.8.1 | ||||
|     driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.8.1.jre11/mssql-jdbc-12.8.1.jre11.jar" | ||||
| ### logging configuration | ||||
| keycloak_quarkus_log: file | ||||
| keycloak_quarkus_log_level: info | ||||
|  | @ -165,5 +192,7 @@ keycloak_quarkus_supported_policy_types: ['password-blacklists'] | |||
| keycloak_quarkus_restart_strategy: restart/serial.yml | ||||
| keycloak_quarkus_restart_health_check: true | ||||
| keycloak_quarkus_restart_health_check_delay: 10 | ||||
| keycloak_quarkus_restart_health_check_reries: 25 | ||||
| keycloak_quarkus_restart_health_check_retries: 25 | ||||
| keycloak_quarkus_restart_pause: 15 | ||||
| 
 | ||||
| keycloak_quarkus_force_install: false | ||||
|  |  | |||
|  | @ -1,4 +1,7 @@ | |||
| --- | ||||
| - name: "Invalidate {{ keycloak.service_name }} theme cache" | ||||
|   ansible.builtin.include_tasks: invalidate_theme_cache.yml | ||||
|   listen: "invalidate keycloak theme cache" | ||||
| # handler should be invoked anytime a [build configuration](https://www.keycloak.org/server/all-config?f=build) changes | ||||
| - name: "Rebuild {{ keycloak.service_name }} config" | ||||
|   ansible.builtin.include_tasks: rebuild_config.yml | ||||
|  |  | |||
|  | @ -2,7 +2,7 @@ argument_specs: | |||
|     main: | ||||
|         options: | ||||
|             keycloak_quarkus_version: | ||||
|                 default: "24.0.4" | ||||
|                 default: "26.3.0" | ||||
|                 description: "keycloak.org package version" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_archive: | ||||
|  | @ -22,7 +22,7 @@ argument_specs: | |||
|                 description: "Perform an offline install" | ||||
|                 type: "bool" | ||||
|             keycloak_quarkus_jvm_package: | ||||
|                 default: "java-11-openjdk-headless" | ||||
|                 default: "java-21-openjdk-headless" | ||||
|                 description: "RHEL java package runtime" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_java_home: | ||||
|  | @ -68,13 +68,17 @@ argument_specs: | |||
|                 default: "10s" | ||||
|                 description: "systemd RestartSec for service" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_admin_user: | ||||
|             keycloak_quarkus_bootstrap_admin_user: | ||||
|                 default: "admin" | ||||
|                 description: "Administration console user account" | ||||
|                 description: "Administration user account, only for bootstrapping" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_admin_pass: | ||||
|             keycloak_quarkus_force_install: | ||||
|                 default: false | ||||
|                 description: "Remove pre-existing versions of service" | ||||
|                 type: "bool" | ||||
|             keycloak_quarkus_bootstrap_admin_password: | ||||
|                 required: true | ||||
|                 description: "Password of console admin account" | ||||
|                 description: "Password of admin account, only for bootstrapping" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_master_realm: | ||||
|                 default: "master" | ||||
|  | @ -82,31 +86,40 @@ argument_specs: | |||
|                 type: "str" | ||||
|             keycloak_quarkus_bind_address: | ||||
|                 default: "0.0.0.0" | ||||
|                 description: "Address for binding service ports" | ||||
|                 description: "Deprecated, use `keycloak_quarkus_http_host`" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_hostname: | ||||
|                 description: >- | ||||
|                     Address at which is the server exposed. | ||||
|                     Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request. | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_host: | ||||
|                 default: "localhost" | ||||
|                 description: "Hostname for the Keycloak server" | ||||
|                 description: "Deprecated in v26, use keycloak_quarkus_hostname instead." | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_port: | ||||
|                 default: -1 | ||||
|                 description: "The port used by the proxy when exposing the hostname" | ||||
|                 description: "Deprecated in v26, use keycloak_quarkus_hostname instead." | ||||
|                 type: "int" | ||||
|             keycloak_quarkus_path: | ||||
|                 required: false | ||||
|                 description: "This should be set if proxy uses a different context-path for Keycloak" | ||||
|                 description: "Deprecated in v26, use keycloak_quarkus_hostname instead." | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_http_enabled: | ||||
|                 default: true | ||||
|                 description: "Enable listener on HTTP port" | ||||
|                 type: "bool" | ||||
|             keycloak_quarkus_http_host: | ||||
|                 default: '0.0.0.0' | ||||
|                 description: "HTTP host, address for binding service ports" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_http_port: | ||||
|                 default: 8080 | ||||
|                 description: "HTTP port" | ||||
|                 type: "int" | ||||
|             keycloak_quarkus_health_check_url: | ||||
|                 description: "Full URL (including scheme, host, path, fragment etc.) used for health check endpoint; keycloak_quarkus_hostname will NOT be prepended; helpful when health checks should happen against http port, but keycloak_quarkus_hostname uses https scheme per default" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_health_check_url_path: | ||||
|                 default: "realms/master/.well-known/openid-configuration" | ||||
|                 description: "Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically" | ||||
|                 description: "Path to the health check endpoint; keycloak_quarkus_hostname will be prepended automatically; Note that keycloak_quarkus_health_check_url takes precedence over this property" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_https_key_file_enabled: | ||||
|                 default: false | ||||
|  | @ -170,7 +183,7 @@ argument_specs: | |||
|                 type: "str" | ||||
|             keycloak_quarkus_config_key_store_file: | ||||
|                 default: "{{ keycloak.home }}/conf/conf_store.p12" | ||||
|                 description: "Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty" | ||||
|                 description: "Path to the configuration key store; only used if `keycloak_quarkus_config_key_store_password` is not empty" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_config_key_store_password: | ||||
|                 default: "" | ||||
|  | @ -182,13 +195,9 @@ argument_specs: | |||
|                 default: 8443 | ||||
|                 description: "HTTPS port" | ||||
|                 type: "int" | ||||
|             keycloak_quarkus_ajp_port: | ||||
|                 default: 8009 | ||||
|                 description: "AJP port" | ||||
|                 type: "int" | ||||
|             keycloak_quarkus_jgroups_port: | ||||
|                 default: 7800 | ||||
|                 description: "jgroups cluster tcp port" | ||||
|             keycloak_quarkus_http_management_port: | ||||
|                 default: 9000 | ||||
|                 description: "Port of the management interface. Relevant only when something is exposed on the management interface - see the guide for details." | ||||
|                 type: "int" | ||||
|             keycloak_quarkus_java_heap_opts: | ||||
|                 default: "-Xms1024m -Xmx2048m" | ||||
|  | @ -202,7 +211,7 @@ argument_specs: | |||
|                 description: "Other JVM settings" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_java_opts: | ||||
|                 default: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}" | ||||
|                 default: "{{ ' '.join((keycloak_quarkus_jgroups_opts, keycloak_quarkus_java_heap_opts, keycloak_quarkus_java_jvm_opts)) }}" | ||||
|                 description: "JVM arguments, by default heap_opts + jvm_opts, if overriden it takes precedence over them" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_additional_env_vars: | ||||
|  | @ -226,13 +235,21 @@ argument_specs: | |||
|                 default: / | ||||
|                 description: "Set the path relative to / for serving resources. The path must start with a /" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_http_management_relative_path: | ||||
|                 required: false | ||||
|                 description: "Set the path relative to / for serving resources from management interface. The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details." | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_frontend_url: | ||||
|                 required: false | ||||
|                 description: "Service public URL" | ||||
|                 description: "Deprecated in v26, use keycloak_quarkus_hostname instead." | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_hostname_admin: | ||||
|                 required: false | ||||
|                 description: "Service URL for the admin console" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_admin_url: | ||||
|                 required: false | ||||
|                 description: "Service URL for the admin console" | ||||
|                 description: "Deprecated in v26, use keycloak_quarkus_hostname_admin instead." | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_metrics_enabled: | ||||
|                 default: false | ||||
|  | @ -240,37 +257,37 @@ argument_specs: | |||
|                 type: "bool" | ||||
|             keycloak_quarkus_health_enabled: | ||||
|                 default: true | ||||
|                 description: "If the server should expose health check endpoints" | ||||
|                 description: "If the server should expose health check endpoints on the management interface" | ||||
|                 type: "bool" | ||||
|             keycloak_quarkus_ispn_user: | ||||
|             keycloak_quarkus_cache_remote: | ||||
|                 description: "Whether to connect to remote cache infinispan server" | ||||
|                 default: false | ||||
|                 type: 'bool' | ||||
|             keycloak_quarkus_cache_remote_username: | ||||
|                 default: "supervisor" | ||||
|                 description: "Username for connecting to infinispan" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_ispn_pass: | ||||
|             keycloak_quarkus_cache_remote_password: | ||||
|                 default: "supervisor" | ||||
|                 description: "Password for connecting to infinispan" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_ispn_hosts: | ||||
|                 default: "localhost:11222" | ||||
|                 description: "host name/port for connecting to infinispan, eg. host1:11222;host2:11222" | ||||
|             keycloak_quarkus_cache_remote_host: | ||||
|                 default: "localhost" | ||||
|                 description: "Hostname for connecting to infinispan" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_ispn_sasl_mechanism: | ||||
|             keycloak_quarkus_cache_remote_port: | ||||
|                 default: "11222" | ||||
|                 description: "Port for connecting to infinispan" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_cache_remote_sasl_mechanism: | ||||
|                 default: "SCRAM-SHA-512" | ||||
|                 description: "Infinispan auth mechanism" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_ispn_use_ssl: | ||||
|             keycloak_quarkus_cache_remote_tls_enabled: | ||||
|                 default: false | ||||
|                 description: "Whether infinispan uses TLS connection" | ||||
|                 type: "bool" | ||||
|             keycloak_quarkus_ispn_trust_store_path: | ||||
|                 default: "/etc/pki/java/cacerts" | ||||
|                 description: "Path to infinispan server trust certificate" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_ispn_trust_store_password: | ||||
|                 default: "changeit" | ||||
|                 description: "Password for infinispan certificate keystore" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_jdbc_engine: | ||||
|             keycloak_quarkus_db_engine: | ||||
|                 default: "postgres" | ||||
|                 description: "Database engine [mariadb,postres,mssql]" | ||||
|                 type: "str" | ||||
|  | @ -282,12 +299,12 @@ argument_specs: | |||
|                 default: "keycloak-pass" | ||||
|                 description: "Password for database connection" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_jdbc_url: | ||||
|                 default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}" | ||||
|             keycloak_quarkus_db_url: | ||||
|                 default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].url }}" | ||||
|                 description: "JDBC URL for connecting to database" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_jdbc_driver_version: | ||||
|                 default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}" | ||||
|             keycloak_quarkus_db_driver_version: | ||||
|                 default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].version }}" | ||||
|                 description: "Version for JDBC driver" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_log: | ||||
|  | @ -348,24 +365,18 @@ argument_specs: | |||
|                 description: > | ||||
|                   Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless | ||||
|                   proxy verifies the Host header. | ||||
|             keycloak_quarkus_hostname_strict_backchannel: | ||||
|             keycloak_quarkus_hostname_backchannel_dynamic: | ||||
|                 default: false | ||||
|                 type: "bool" | ||||
|                 description: > | ||||
|                   By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all | ||||
|                   applications use the public URL this option should be enabled. | ||||
|                     Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. | ||||
|                     Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL. | ||||
|             keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: | ||||
|                 default: true | ||||
|                 type: "bool" | ||||
|                 description: > | ||||
|                   If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies | ||||
|                   and we rely on the session affinity capabilities from reverse proxy | ||||
|             keycloak_quarkus_hostname_strict_https: | ||||
|                 type: "bool" | ||||
|                 required: false | ||||
|                 description: > | ||||
|                   By default, Keycloak requires running using TLS/HTTPS. If the service MUST run without TLS/HTTPS, then set | ||||
|                   this option to "true" | ||||
|             keycloak_quarkus_ks_vault_enabled: | ||||
|                 default: false | ||||
|                 type: "bool" | ||||
|  | @ -453,7 +464,7 @@ argument_specs: | |||
|                 description: "Seconds to let pass before starting healch checks" | ||||
|                 default: 10 | ||||
|                 type: 'int' | ||||
|             keycloak_quarkus_restart_health_check_reries: | ||||
|             keycloak_quarkus_restart_health_check_retries: | ||||
|                 description: "Number of attempts for successful health check before failing" | ||||
|                 default: 25 | ||||
|                 type: 'int' | ||||
|  | @ -465,10 +476,94 @@ argument_specs: | |||
|                 description: "Path local to controller for offline/download of install archives" | ||||
|                 default: "{{ lookup('env', 'PWD') }}" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_cache_metrics_enabled: | ||||
|                 description: 'Enable histograms for metrics for the embedded caches' | ||||
|                 default: false | ||||
|                 type: 'bool' | ||||
|             keycloak_quarkus_cache_embedded_authorization_max_count: | ||||
|                 description: 'The maximum number of entries that can be stored in-memory by the authorization cache' | ||||
|                 required: false | ||||
|                 type: "int" | ||||
|             keycloak_quarkus_cache_embedded_client_sessions_max_count: | ||||
|                 description: 'The maximum number of entries that can be stored in-memory by the clientSessions cache' | ||||
|                 required: false | ||||
|                 type: "int" | ||||
|             keycloak_quarkus_cache_embedded_crl_max_count: | ||||
|                 description: 'The maximum number of entries that can be stored in-memory by the crl cache' | ||||
|                 required: false | ||||
|                 type: "int" | ||||
|             keycloak_quarkus_cache_embedded_keys_max_count: | ||||
|                 description: 'The maximum number of entries that can be stored in-memory by the keys cache' | ||||
|                 required: false | ||||
|                 type: "int" | ||||
|             keycloak_quarkus_cache_embedded_offline_client_sessions_max_count: | ||||
|                 description: 'The maximum number of entries that can be stored in-memory by the offlineClientSessions cache' | ||||
|                 required: false | ||||
|                 type: "int" | ||||
|             keycloak_quarkus_cache_embedded_offline_sessions_max_count: | ||||
|                 description: 'The maximum number of entries that can be stored in-memory by the offlineSessions cache' | ||||
|                 required: false | ||||
|                 type: "int" | ||||
|             keycloak_quarkus_cache_embedded_realms_max_count: | ||||
|                 description: 'The maximum number of entries that can be stored in-memory by the realms cache' | ||||
|                 required: false | ||||
|                 type: "int" | ||||
|             keycloak_quarkus_cache_embedded_sessions_max_count: | ||||
|                 description: 'The maximum number of entries that can be stored in-memory by the sessions cache' | ||||
|                 required: false | ||||
|                 type: "int" | ||||
|             keycloak_quarkus_cache_embedded_users_max_count: | ||||
|                 description: 'The maximum number of entries that can be stored in-memory by the users cache' | ||||
|                 required: false | ||||
|                 type: 'int' | ||||
|             keycloak_quarkus_cache_embedded_mtls_enabled: | ||||
|                 description: 'Encrypts the network communication between Keycloak servers' | ||||
|                 default: true | ||||
|                 type: 'bool' | ||||
|             keycloak_quarkus_cache_embedded_mtls_key_store_file: | ||||
|                 description: 'The Keystore file path' | ||||
|                 default: "{{ keycloak.home }}/conf/cache_key_store.p12" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_cache_embedded_mtls_key_store_password: | ||||
|                 description: 'The password to access the Keystore' | ||||
|                 default: '' | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_cache_embedded_mtls_rotation_interval_days: | ||||
|                 description: 'Rotation period in days of automatic JGroups MTLS certificates' | ||||
|                 default: 30 | ||||
|                 type: 'int' | ||||
|             keycloak_quarkus_cache_embedded_mtls_trust_store_file: | ||||
|                 description: 'The Truststore file path' | ||||
|                 default: "{{ keycloak.home }}/conf/cache_trust_store.p12" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_cache_embedded_mtls_trust_store_password: | ||||
|                 description: 'The password to access the Truststore.' | ||||
|                 default: '' | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_jgroups_port: | ||||
|                 description: 'jgroups bind port' | ||||
|                 default: 7800 | ||||
|                 type: "int" | ||||
|             keycloak_quarkus_jgroups_bind_address: | ||||
|                 description: 'jgroups bind address' | ||||
|                 default: "{{ ansible_default_ipv4.address }}" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_jgroups_external_addr: | ||||
|                 description: 'IP address that other instances in the Keycloak should use to contact this node' | ||||
|                 default: "{{ keycloak_quarkus_jgroups_bind_address }}" | ||||
|                 type: "str" | ||||
|             keycloak_quarkus_jgroups_external_port: | ||||
|                 description: 'Port that other instances in the Keycloak cluster should use to contact this node' | ||||
|                 default: "{{ keycloak_quarkus_jgroups_port }}" | ||||
|                 type: "int" | ||||
|             keycloak_quarkus_jgroups_opts: | ||||
|                 description: "JVM arguments for jgroups configuration" | ||||
|                 default: "-Djgroups.bind.address={{ keycloak_quarkus_jgroups_bind_address }} -Djgroups.external_port={{ keycloak_quarkus_jgroups_external_port }} -Djgroups.external_addr={{ keycloak_quarkus_jgroups_external_addr }}" | ||||
|                 type: "str" | ||||
|     downstream: | ||||
|         options: | ||||
|             rhbk_version: | ||||
|                 default: "24.0.3" | ||||
|                 default: "26.2.5" | ||||
|                 description: "Red Hat Build of Keycloak version" | ||||
|                 type: "str" | ||||
|             rhbk_archive: | ||||
|  |  | |||
|  | @ -8,7 +8,7 @@ galaxy_info: | |||
| 
 | ||||
|   license: Apache License 2.0 | ||||
| 
 | ||||
|   min_ansible_version: "2.15" | ||||
|   min_ansible_version: "2.16" | ||||
| 
 | ||||
|   platforms: | ||||
|     - name: EL | ||||
|  |  | |||
|  | @ -1,6 +1,10 @@ | |||
| --- | ||||
| - name: Include firewall config tasks | ||||
|   ansible.builtin.include_tasks: iptables.yml | ||||
|   ansible.builtin.include_tasks: | ||||
|     file: iptables.yml | ||||
|     apply: | ||||
|       tags: | ||||
|         - firewall | ||||
|   when: keycloak_quarkus_configure_iptables | ||||
|   tags: | ||||
|     - firewall | ||||
|  |  | |||
|  | @ -49,5 +49,114 @@ | |||
|   notify: | ||||
|     - print deprecation warning | ||||
| 
 | ||||
| # https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options | ||||
| - name: Check deprecation of keycloak_quarkus_frontend_url -> keycloak_quarkus_hostname | ||||
|   when: | ||||
|     - keycloak_quarkus_hostname is not defined | ||||
|     - keycloak_quarkus_frontend_url is defined | ||||
|     - keycloak_quarkus_frontend_url != '' | ||||
|   delegate_to: localhost | ||||
|   run_once: true | ||||
|   changed_when: keycloak_quarkus_show_deprecation_warnings | ||||
|   ansible.builtin.set_fact: | ||||
|     keycloak_quarkus_hostname: "{{ keycloak_quarkus_frontend_url }}" | ||||
|     deprecated_variable: "keycloak_quarkus_frontend_url" # read in deprecation handler | ||||
|   notify: | ||||
|     - print deprecation warning | ||||
| 
 | ||||
| # https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options | ||||
| - name: Check deprecation of keycloak_quarkus_hostname_strict_https + keycloak_quarkus_host + keycloak_quarkus_port + keycloak_quarkus_path -> keycloak_quarkus_hostname | ||||
|   when: | ||||
|     - keycloak_quarkus_hostname is not defined | ||||
|     - keycloak_quarkus_hostname_strict_https is defined or keycloak_quarkus_frontend_url is defined or keycloak_quarkus_port is defined or keycloak_quarkus_path is defined | ||||
|   delegate_to: localhost | ||||
|   run_once: true | ||||
|   changed_when: keycloak_quarkus_show_deprecation_warnings | ||||
|   ansible.builtin.set_fact: | ||||
|     keycloak_quarkus_hostname: >- | ||||
|       {% set protocol = '' %} | ||||
|       {% if keycloak_quarkus_hostname_strict_https %} | ||||
|         {% set protocol = 'https://' %} | ||||
|       {% elif keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is False %} | ||||
|         {% set protocol = 'http://' %} | ||||
|       {% endif %} | ||||
|       {{ protocol }}{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_port }}/{{ keycloak_quarkus_path }} | ||||
|     deprecated_variable: "keycloak_quarkus_hostname_strict_https or keycloak_quarkus_frontend_url or keycloak_quarkus_frontend_url or keycloak_quarkus_hostname" # read in deprecation handler | ||||
|   notify: | ||||
|     - print deprecation warning | ||||
| 
 | ||||
| # https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options | ||||
| - name: Check deprecation of keycloak_quarkus_admin_url -> keycloak_quarkus_hostname_admin | ||||
|   when: | ||||
|     - keycloak_quarkus_hostname_admin is not defined | ||||
|     - keycloak_quarkus_admin_url is defined | ||||
|     - keycloak_quarkus_admin_url != '' | ||||
|   delegate_to: localhost | ||||
|   run_once: true | ||||
|   changed_when: keycloak_quarkus_show_deprecation_warnings | ||||
|   ansible.builtin.set_fact: | ||||
|     keycloak_quarkus_hostname_admin: "{{ keycloak_quarkus_admin_url }}" | ||||
|     deprecated_variable: "keycloak_quarkus_admin_url" # read in deprecation handler | ||||
|   notify: | ||||
|     - print deprecation warning | ||||
| 
 | ||||
| # https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options | ||||
| - name: Check deprecation of keycloak_quarkus_hostname_strict_backchannel -> keycloak_quarkus_hostname_backchannel_dynamic | ||||
|   when: | ||||
|     - keycloak_quarkus_hostname_backchannel_dynamic is not defined | ||||
|     - keycloak_quarkus_hostname_strict_backchannel is defined | ||||
|     - keycloak_quarkus_hostname_strict_backchannel != '' | ||||
|   delegate_to: localhost | ||||
|   run_once: true | ||||
|   changed_when: keycloak_quarkus_show_deprecation_warnings | ||||
|   ansible.builtin.set_fact: | ||||
|     keycloak_quarkus_hostname_backchannel_dynamic: "{{ keycloak_quarkus_hostname_strict_backchannel == False }}" | ||||
|     deprecated_variable: "keycloak_quarkus_hostname_backchannel_dynamic" # read in deprecation handler | ||||
|   notify: | ||||
|     - print deprecation warning | ||||
| 
 | ||||
| # https://github.com/keycloak/keycloak/issues/30009 | ||||
| - name: Check deprecation of keycloak_quarkus_admin_user -> keycloak_quarkus_bootstrap_admin_user | ||||
|   when: | ||||
|     - keycloak_quarkus_bootstrap_admin_user is not defined | ||||
|     - keycloak_quarkus_admin_user is defined | ||||
|     - keycloak_quarkus_admin_user != '' | ||||
|   delegate_to: localhost | ||||
|   run_once: true | ||||
|   changed_when: keycloak_quarkus_show_deprecation_warnings | ||||
|   ansible.builtin.set_fact: | ||||
|     keycloak_quarkus_bootstrap_admin_user: "{{ keycloak_quarkus_admin_user }}" | ||||
|     deprecated_variable: "keycloak_quarkus_admin_user" # read in deprecation handler | ||||
|   notify: | ||||
|     - print deprecation warning | ||||
| 
 | ||||
| # https://github.com/keycloak/keycloak/issues/30009 | ||||
| - name: Check deprecation of keycloak_quarkus_admin_pass -> keycloak_quarkus_bootstrap_admin_password | ||||
|   when: | ||||
|     - keycloak_quarkus_bootstrap_admin_password is not defined | ||||
|     - keycloak_quarkus_admin_pass is defined | ||||
|     - keycloak_quarkus_admin_pass != '' | ||||
|   delegate_to: localhost | ||||
|   run_once: true | ||||
|   changed_when: keycloak_quarkus_show_deprecation_warnings | ||||
|   ansible.builtin.set_fact: | ||||
|     keycloak_quarkus_bootstrap_admin_user: "{{ keycloak_quarkus_admin_pass }}" | ||||
|     deprecated_variable: "keycloak_quarkus_admin_pass" # read in deprecation handler | ||||
|   notify: | ||||
|     - print deprecation warning | ||||
| 
 | ||||
| - name: Check deprecation of keycloak_quarkus_bind_address -> keycloak_quarkus_http_host | ||||
|   when: | ||||
|     - keycloak_quarkus_bind_address is defined | ||||
|     - keycloak_quarkus_bind_address != '0.0.0.0' | ||||
|   delegate_to: localhost | ||||
|   run_once: true | ||||
|   changed_when: keycloak_quarkus_show_deprecation_warnings | ||||
|   ansible.builtin.set_fact: | ||||
|     keycloak_quarkus_http_host: "{{ keycloak_quarkus_bind_address }}" | ||||
|     deprecated_variable: "keycloak_quarkus_bind_address" # read in deprecation handler | ||||
|   notify: | ||||
|     - print deprecation warning | ||||
|    | ||||
| - name: Flush handlers | ||||
|   ansible.builtin.meta: flush_handlers | ||||
|  |  | |||
|  | @ -12,7 +12,7 @@ | |||
|     enabled: true | ||||
|     state: started | ||||
| 
 | ||||
| - name: "Configure firewall for {{ keycloak.service_name }} ports" | ||||
| - name: "Configure firewall for {{ keycloak.service_name }} http port" | ||||
|   become: true | ||||
|   ansible.posix.firewalld: | ||||
|     port: "{{ item }}" | ||||
|  | @ -21,5 +21,16 @@ | |||
|     immediate: true | ||||
|   loop: | ||||
|     - "{{ keycloak_quarkus_http_port }}/tcp" | ||||
|   when: keycloak_quarkus_http_enabled | bool | ||||
| 
 | ||||
| - name: "Configure firewall for {{ keycloak.service_name }} ports" | ||||
|   become: true | ||||
|   ansible.posix.firewalld: | ||||
|     port: "{{ item }}" | ||||
|     permanent: true | ||||
|     state: enabled | ||||
|     immediate: true | ||||
|   loop: | ||||
|     - "{{ keycloak_quarkus_https_port }}/tcp" | ||||
|     - "{{ keycloak_quarkus_http_management_port }}/tcp" | ||||
|     - "{{ keycloak_quarkus_jgroups_port }}/tcp" | ||||
|  |  | |||
|  | @ -17,6 +17,27 @@ | |||
|     path: "{{ keycloak.home }}" | ||||
|   register: existing_deploy | ||||
| 
 | ||||
| - name: Stop and restart if existing deployment exists and install forced | ||||
|   when: existing_deploy.stat.exists and keycloak_quarkus_force_install | bool | ||||
|   block: | ||||
|     - name: "Stop the old {{ keycloak.service_name }} service" | ||||
|       become: true | ||||
|       failed_when: false | ||||
|       ansible.builtin.systemd: | ||||
|         name: keycloak | ||||
|         state: stopped | ||||
|     - name: "Remove the old {{ keycloak.service_name }} deployment" | ||||
|       become: true | ||||
|       ansible.builtin.file: | ||||
|         path: "{{ keycloak_quarkus_home }}" | ||||
|         state: absent | ||||
| 
 | ||||
| - name: Check for an existing deployment after possible forced removal | ||||
|   become: true | ||||
|   ansible.builtin.stat: | ||||
|     path: "{{ keycloak_quarkus_home }}" | ||||
|   register: existing_deploy | ||||
| 
 | ||||
| - name: "Create {{ keycloak.service_name }} service user/group" | ||||
|   become: true | ||||
|   ansible.builtin.user: | ||||
|  | @ -77,6 +98,7 @@ | |||
|     - not archive_path.stat.exists | ||||
|     - rhbk_enable is defined and rhbk_enable | ||||
|     - not keycloak.offline_install | ||||
|     - keycloak_quarkus_alternate_download_url is undefined | ||||
|   block: | ||||
|     - name: Retrieve product download using JBoss Network API | ||||
|       middleware_automation.common.product_search: | ||||
|  | @ -202,11 +224,11 @@ | |||
|     - keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled | ||||
|     - keycloak_quarkus_cert_file_src | length > 0 | ||||
| 
 | ||||
| - name: "Install {{ keycloak_quarkus_jdbc_engine }} JDBC driver" | ||||
| - name: "Install {{ keycloak_quarkus_db_engine }} JDBC driver" | ||||
|   ansible.builtin.include_tasks: jdbc_driver.yml | ||||
|   when: | ||||
|     - rhbk_enable is defined and rhbk_enable | ||||
|     - keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url is defined | ||||
|     - keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url is defined | ||||
| 
 | ||||
| - name: "Download custom providers via http" | ||||
|   ansible.builtin.get_url: | ||||
|  | @ -215,10 +237,11 @@ | |||
|     owner: "{{ keycloak.service_user }}" | ||||
|     group: "{{ keycloak.service_group }}" | ||||
|     mode: '0640' | ||||
|     checksum: "{{ item.checksum | default(omit) }}" | ||||
|   become: true | ||||
|   loop: "{{ keycloak_quarkus_providers }}" | ||||
|   when: item.url is defined and item.url | length > 0 | ||||
|   notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}" | ||||
|   notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}" | ||||
| 
 | ||||
| # this requires the `lxml` package to be installed; we redirect this step to localhost such that we do need to install it on the remote hosts | ||||
| - name: "Download custom providers to localhost using maven" | ||||
|  | @ -235,7 +258,6 @@ | |||
|   loop: "{{ keycloak_quarkus_providers }}" | ||||
|   when: item.maven is defined | ||||
|   no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}" | ||||
|   notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}" | ||||
| 
 | ||||
| - name: "Copy maven providers" | ||||
|   ansible.builtin.copy: | ||||
|  | @ -244,21 +266,25 @@ | |||
|     owner: "{{ keycloak.service_user }}" | ||||
|     group: "{{ keycloak.service_group }}" | ||||
|     mode: '0640' | ||||
|     checksum: "{{ item.checksum | default(omit) }}" | ||||
|   become: true | ||||
|   loop: "{{ keycloak_quarkus_providers }}" | ||||
|   when: item.maven is defined | ||||
|   no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}" | ||||
|   notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}" | ||||
| 
 | ||||
| - name: "Copy providers" | ||||
| - name: "Copy local providers" | ||||
|   ansible.builtin.copy: | ||||
|     src: "{{ item.local_path }}" | ||||
|     dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar" | ||||
|     owner: "{{ keycloak.service_user }}" | ||||
|     group: "{{ keycloak.service_group }}" | ||||
|     mode: '0640' | ||||
|     remote_src: "{{ item.remote | default(false) }}" | ||||
|   become: true | ||||
|   loop: "{{ keycloak_quarkus_providers }}" | ||||
|   when: item.local_path is defined | ||||
|   notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}" | ||||
| 
 | ||||
| - name: Ensure required folder structure for policies exists | ||||
|   ansible.builtin.file: | ||||
|  |  | |||
							
								
								
									
										11
									
								
								roles/keycloak_quarkus/tasks/invalidate_theme_cache.yml
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										11
									
								
								roles/keycloak_quarkus/tasks/invalidate_theme_cache.yml
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,11 @@ | |||
| --- | ||||
| # From https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/24.0/html/server_developer_guide/themes#creating_a_theme: | ||||
| # If you want to manually delete the content of the themes cache, | ||||
| # you can do so by deleting the data/tmp/kc-gzip-cache directory of the server distribution | ||||
| # It can be useful for instance if you redeployed custom providers or custom themes without | ||||
| # disabling themes caching in the previous server executions. | ||||
| - name: "Delete {{ keycloak.service_name }} theme cache directory" | ||||
|   ansible.builtin.file: | ||||
|     path: "{{ keycloak.home }}/data/tmp/kc-gzip-cache" | ||||
|     state: absent | ||||
|   become: true | ||||
|  | @ -7,9 +7,9 @@ | |||
|     (keycloak_quarkus_jdbc_download_user is undefined and keycloak_quarkus_jdbc_download_pass is not undefined) or | ||||
|     (keycloak_quarkus_jdbc_download_pass is undefined and keycloak_quarkus_jdbc_download_user is not undefined) | ||||
| 
 | ||||
| - name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}" | ||||
| - name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url) }}" | ||||
|   ansible.builtin.get_url: | ||||
|     url: "{{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}" | ||||
|     url: "{{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url) }}" | ||||
|     dest: "{{ keycloak.home }}/providers" | ||||
|     owner: "{{ keycloak.service_user }}" | ||||
|     group: "{{ keycloak.service_group }}" | ||||
|  |  | |||
|  | @ -1,34 +1,58 @@ | |||
| --- | ||||
| # tasks file for keycloak | ||||
| - name: Check prerequisites | ||||
|   ansible.builtin.include_tasks: prereqs.yml | ||||
|   ansible.builtin.include_tasks: | ||||
|     file: prereqs.yml | ||||
|     apply: | ||||
|       tags: | ||||
|         - prereqs | ||||
|   tags: | ||||
|     - prereqs | ||||
|     - always | ||||
| 
 | ||||
| - name: Check for deprecations | ||||
|   ansible.builtin.include_tasks: deprecations.yml | ||||
|   ansible.builtin.include_tasks: | ||||
|     file: deprecations.yml | ||||
|     apply: | ||||
|       tags: | ||||
|         - always | ||||
|   tags: | ||||
|     - always | ||||
| 
 | ||||
| - name: Distro specific tasks | ||||
|   ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml" | ||||
|   ansible.builtin.include_tasks: | ||||
|     file: "{{ ansible_os_family | lower }}.yml" | ||||
|     apply: | ||||
|       tags: | ||||
|         - unbound | ||||
|   tags: | ||||
|     - unbound | ||||
| 
 | ||||
| - name: Include install tasks | ||||
|   ansible.builtin.include_tasks: install.yml | ||||
|   ansible.builtin.include_tasks: | ||||
|     file: install.yml | ||||
|     apply: | ||||
|       tags: | ||||
|         - install | ||||
|   tags: | ||||
|     - install | ||||
| 
 | ||||
| - name: Include systemd tasks | ||||
|   ansible.builtin.include_tasks: systemd.yml | ||||
|   ansible.builtin.include_tasks: | ||||
|     file: systemd.yml | ||||
|     apply: | ||||
|       tags: | ||||
|         - systemd | ||||
|   tags: | ||||
|     - systemd | ||||
| 
 | ||||
| - name: Include configuration key store tasks | ||||
|   ansible.builtin.include_tasks: | ||||
|     file: config_store.yml | ||||
|     apply: | ||||
|       tags: | ||||
|         - install | ||||
|   when: keycloak.config_key_store_enabled | ||||
|   ansible.builtin.include_tasks: config_store.yml | ||||
|   tags: | ||||
|     - install | ||||
| 
 | ||||
|  | @ -39,8 +63,8 @@ | |||
|         { | ||||
|           "name": item, | ||||
|           "address": 'jgroups-' + item, | ||||
|           "inventory_host": hostvars[item].ansible_default_ipv4.address | default(item) + '[' + (keycloak_quarkus_jgroups_port | string) + ']', | ||||
|           "value": hostvars[item].ansible_default_ipv4.address | default(item) | ||||
|           "inventory_host": hostvars[item].keycloak_quarkus_jgroups_ip | default(item) + '[' + (keycloak_quarkus_jgroups_port | string) + ']', | ||||
|           "value": hostvars[item].keycloak_quarkus_jgroups_ip | default(item) | ||||
|         } | ||||
|       ] }} | ||||
|   loop: "{{ ansible_play_batch }}" | ||||
|  | @ -91,7 +115,7 @@ | |||
|   register: keycloak_service_status | ||||
|   changed_when: false | ||||
| 
 | ||||
| - name: "Notify to remove `keycloak_quarkus_admin_user[_pass]` env vars" | ||||
| - name: "Notify to remove `keycloak_quarkus_bootstrap_admin_user[_password]` env vars" | ||||
|   when: | ||||
|     - not ansible_local.keycloak.general.bootstrapped | default(false) | bool # it was not bootstrapped prior to the current role's execution | ||||
|     - keycloak_service_status.status.ActiveState == "active"                  # but it is now | ||||
|  |  | |||
|  | @ -2,12 +2,12 @@ | |||
| - name: Validate admin console password | ||||
|   ansible.builtin.assert: | ||||
|     that: | ||||
|       - keycloak_quarkus_admin_pass | length > 12 | ||||
|       - keycloak_quarkus_bootstrap_admin_password | length > 12 | ||||
|     quiet: true | ||||
|     fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass to a 12+ char long string" | ||||
|     fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_bootstrap_admin_password to a 12+ char long string" | ||||
|     success_msg: "{{ 'Console administrator password OK' }}" | ||||
| 
 | ||||
| - name: Validate relative path | ||||
| - name: Validate http_relative_path | ||||
|   ansible.builtin.assert: | ||||
|     that: | ||||
|       - keycloak_quarkus_http_relative_path is regex('^/.*') | ||||
|  | @ -15,6 +15,15 @@ | |||
|     fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /" | ||||
|     success_msg: "{{ 'Relative path OK' }}" | ||||
| 
 | ||||
| - name: Validate http_management_relative_path | ||||
|   ansible.builtin.assert: | ||||
|     that: | ||||
|       - keycloak_quarkus_http_management_relative_path is regex('^/.*') | ||||
|     quiet: true | ||||
|     fail_msg: "The relative path for keycloak_quarkus_http_management_relative_path must begin with /" | ||||
|     success_msg: "{{ 'Relative mgmt path OK' }}" | ||||
|   when: keycloak_quarkus_http_management_relative_path is defined | ||||
| 
 | ||||
| - name: Validate configuration | ||||
|   ansible.builtin.assert: | ||||
|     that: | ||||
|  |  | |||
|  | @ -2,9 +2,6 @@ | |||
| # cf. https://www.keycloak.org/server/configuration#_optimize_the_keycloak_startup | ||||
| - name: "Rebuild {{ keycloak.service_name }} config" | ||||
|   ansible.builtin.shell: | # noqa blocked_modules shell is necessary here | ||||
|     {{ keycloak.home }}/bin/kc.sh build | ||||
|   environment: | ||||
|     PATH: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" | ||||
|     JAVA_HOME: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}" | ||||
|     env -i bash -c "set -a ; source {{ keycloak_quarkus_sysconf_file }} ; {{ keycloak.home }}/bin/kc.sh build " | ||||
|   become: true | ||||
|   changed_when: true | ||||
|  |  | |||
|  | @ -1,6 +1,10 @@ | |||
| --- | ||||
| - name: Include firewall config tasks | ||||
|   ansible.builtin.include_tasks: firewalld.yml | ||||
|   ansible.builtin.include_tasks: | ||||
|     file: firewalld.yml | ||||
|     apply: | ||||
|       tags: | ||||
|         - firewall | ||||
|   when: keycloak_quarkus_configure_firewalld | ||||
|   tags: | ||||
|     - firewall | ||||
|  |  | |||
|  | @ -12,7 +12,7 @@ | |||
|     url: "{{ keycloak.health_url }}" | ||||
|   register: keycloak_status | ||||
|   until: keycloak_status.status == 200 | ||||
|   retries: "{{ keycloak_quarkus_restart_health_check_reries }}" | ||||
|   retries: "{{ keycloak_quarkus_restart_health_check_retries }}" | ||||
|   delay: "{{ keycloak_quarkus_restart_health_check_delay }}" | ||||
|   when: internal_force_health_check | default(keycloak_quarkus_restart_health_check) | ||||
| 
 | ||||
|  |  | |||
|  | @ -2,7 +2,7 @@ | |||
| - name: "Restart services in serial, with optional healtch check (keycloak_quarkus_restart_health_check)" | ||||
|   throttle: 1 | ||||
|   block: | ||||
|     - name: "Restart and enable {{ keycloak.service_name }} service on {{ item }}" | ||||
|     - name: "Restart and enable {{ keycloak.service_name }} service" | ||||
|       ansible.builtin.include_tasks: | ||||
|         file: restart.yml | ||||
|         apply: | ||||
|  |  | |||
|  | @ -14,3 +14,4 @@ | |||
|   until: keycloak_status.status == 200 | ||||
|   retries: 25 | ||||
|   delay: 10 | ||||
|   when: internal_force_health_check | default(keycloak_quarkus_restart_health_check) | ||||
|  |  | |||
|  | @ -10,6 +10,7 @@ | |||
|   vars: | ||||
|     keycloak_sys_pkg_java_home: "{{ keycloak_quarkus_pkg_java_home }}" | ||||
|   notify: | ||||
|     - rebuild keycloak config | ||||
|     - restart keycloak | ||||
| 
 | ||||
| - name: "Configure systemd unit file for keycloak service" | ||||
|  | @ -22,4 +23,5 @@ | |||
|   become: true | ||||
|   register: systemdunit | ||||
|   notify: | ||||
|     - rebuild keycloak config | ||||
|     - restart keycloak | ||||
|  |  | |||
|  | @ -18,15 +18,17 @@ | |||
| 
 | ||||
| <infinispan | ||||
|         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||||
|         xsi:schemaLocation="urn:infinispan:config:14.0 http://www.infinispan.org/schemas/infinispan-config-14.0.xsd" | ||||
|         xmlns="urn:infinispan:config:14.0"> | ||||
|         xsi:schemaLocation="urn:infinispan:config:15.0 http://www.infinispan.org/schemas/infinispan-config-15.0.xsd" | ||||
|         xmlns="urn:infinispan:config:15.0"> | ||||
| 
 | ||||
| {% set stack_expression='' %} | ||||
| {% if keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING' %} | ||||
| {% if keycloak_quarkus_version is version_compare('26.2.0', '<') %} | ||||
| {% if keycloak_quarkus_ha_enabled %} | ||||
| {% if keycloak_quarkus_ha_discovery == 'TCPPING' %} | ||||
| {% set stack_expression='stack="tcpping"' %} | ||||
|     <jgroups> | ||||
|         <stack name="tcpping" extends="tcp"> | ||||
|             <!-- <TCP external_addr="${env.KC_EXTERNAL_ADDR}" bind_addr="{{ keycloak_quarkus_bind_address }}" bind_port="{{ keycloak_quarkus_jgroups_port }}" /> --> | ||||
|             <!-- <TCP external_addr="${env.KC_EXTERNAL_ADDR}" bind_addr="{{ keycloak_quarkus_http_host }}" bind_port="{{ keycloak_quarkus_jgroups_port }}" /> --> | ||||
|             <TCPPING | ||||
|                 initial_hosts="{{ keycloak_quarkus_cluster_nodes | map(attribute='inventory_host') | join (',') }}" | ||||
|                 port_range="0" | ||||
|  | @ -35,6 +37,10 @@ | |||
|             /> | ||||
|         </stack> | ||||
|     </jgroups> | ||||
| {% elif keycloak_quarkus_ha_discovery == 'JDBCPING' %} | ||||
| {% set stack_expression='stack="JDBC_PING2"' %} | ||||
| {% endif %} | ||||
| {% endif %} | ||||
| {% endif %} | ||||
| 
 | ||||
|     <cache-container name="keycloak"> | ||||
|  | @ -55,18 +61,22 @@ | |||
|         </local-cache> | ||||
|         <distributed-cache name="sessions" owners="2"> | ||||
|             <expiration lifespan="-1"/> | ||||
|             <memory max-count="10000"/> | ||||
|         </distributed-cache> | ||||
|         <distributed-cache name="authenticationSessions" owners="2"> | ||||
|             <expiration lifespan="-1"/> | ||||
|         </distributed-cache> | ||||
|         <distributed-cache name="offlineSessions" owners="2"> | ||||
|             <expiration lifespan="-1"/> | ||||
|             <memory max-count="10000"/> | ||||
|         </distributed-cache> | ||||
|         <distributed-cache name="clientSessions" owners="2"> | ||||
|             <expiration lifespan="-1"/> | ||||
|             <memory max-count="10000"/> | ||||
|         </distributed-cache> | ||||
|         <distributed-cache name="offlineClientSessions" owners="2"> | ||||
|             <expiration lifespan="-1"/> | ||||
|             <memory max-count="10000"/> | ||||
|         </distributed-cache> | ||||
|         <distributed-cache name="loginFailures" owners="2"> | ||||
|             <expiration lifespan="-1"/> | ||||
|  | @ -89,6 +99,14 @@ | |||
|             <expiration max-idle="3600000"/> | ||||
|             <memory max-count="1000"/> | ||||
|         </local-cache> | ||||
|         <local-cache name="crl" simple-cache="true"> | ||||
|             <encoding> | ||||
|                 <key media-type="application/x-java-object"/> | ||||
|                 <value media-type="application/x-java-object"/> | ||||
|             </encoding> | ||||
|             <expiration lifespan="-1"/> | ||||
|             <memory max-count="1000"/> | ||||
|         </local-cache> | ||||
|         <distributed-cache name="actionTokens" owners="2"> | ||||
|             <encoding> | ||||
|                 <key media-type="application/x-java-object"/> | ||||
|  |  | |||
|  | @ -1,13 +1,13 @@ | |||
| {{ ansible_managed | comment }} | ||||
| {% if not ansible_local.keycloak.general.bootstrapped | default(false) | bool %} | ||||
| KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }} | ||||
| KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}' | ||||
| KC_BOOTSTRAP_ADMIN_USERNAME={{ keycloak_quarkus_bootstrap_admin_user }} | ||||
| KC_BOOTSTRAP_ADMIN_PASSWORD='{{ keycloak_quarkus_bootstrap_admin_password }}' | ||||
| {% else %} | ||||
| {{ keycloak.bootstrap_mnemonic }} | ||||
| {% endif %} | ||||
| PATH={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin | ||||
| JAVA_HOME={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }} | ||||
| JAVA_OPTS={{ keycloak_quarkus_java_opts }} | ||||
| PATH="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" | ||||
| JAVA_HOME="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}" | ||||
| JAVA_OPTS="{{ keycloak_quarkus_java_opts }}" | ||||
| 
 | ||||
| # Custom ENV variables | ||||
| {% for env in keycloak_quarkus_additional_env_vars %} | ||||
|  |  | |||
|  | @ -2,26 +2,18 @@ | |||
| 
 | ||||
| {% if keycloak_quarkus_db_enabled %} | ||||
| # Database | ||||
| db={{ keycloak_quarkus_jdbc_engine }} | ||||
| db-url={{ keycloak_quarkus_jdbc_url }} | ||||
| db={{ keycloak_quarkus_db_engine }} | ||||
| db-url={{ keycloak_quarkus_db_url }} | ||||
| db-username={{ keycloak_quarkus_db_user }} | ||||
| {% if not keycloak.config_key_store_enabled %} | ||||
| db-password={{ keycloak_quarkus_db_pass }} | ||||
| {% endif %} | ||||
| {% endif %} | ||||
| 
 | ||||
| {% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas true -%} | ||||
| hostname-strict-https=true | ||||
| {% endif -%} | ||||
| {% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas false -%} | ||||
| hostname-strict-https=false | ||||
| {% endif -%} | ||||
| 
 | ||||
| {% if keycloak.config_key_store_enabled %} | ||||
| # Config store | ||||
| config-keystore={{ keycloak_quarkus_config_key_store_file }} | ||||
| config-keystore-password={{ keycloak_quarkus_config_key_store_password }} | ||||
| config-keystore-type=PKCS12 | ||||
| {% endif %} | ||||
| 
 | ||||
| # Observability | ||||
|  | @ -30,8 +22,17 @@ health-enabled={{ keycloak_quarkus_health_enabled | lower }} | |||
| 
 | ||||
| # HTTP | ||||
| http-enabled={{ keycloak_quarkus_http_enabled | lower }} | ||||
| {% if keycloak_quarkus_http_enabled %} | ||||
| http-port={{ keycloak_quarkus_http_port }} | ||||
| {% endif %} | ||||
| http-relative-path={{ keycloak_quarkus_http_relative_path }} | ||||
| http-host={{ keycloak_quarkus_http_host }} | ||||
| 
 | ||||
| # Management | ||||
| http-management-port={{ keycloak_quarkus_http_management_port }} | ||||
| {% if keycloak_quarkus_http_management_relative_path is defined and keycloak_quarkus_http_management_relative_path | length > 0 %} | ||||
| http-management-relative-path={{ keycloak_quarkus_http_management_relative_path }} | ||||
| {% endif %} | ||||
| 
 | ||||
| # HTTPS | ||||
| https-port={{ keycloak_quarkus_https_port }} | ||||
|  | @ -49,23 +50,21 @@ https-trust-store-password={{ keycloak_quarkus_https_trust_store_password }} | |||
| {% endif %} | ||||
| 
 | ||||
| # Client URL configuration | ||||
| {% if keycloak_quarkus_frontend_url %} | ||||
| hostname-url={{ keycloak_quarkus_frontend_url }} | ||||
| {% else %} | ||||
| hostname={{ keycloak_quarkus_host }} | ||||
| hostname-port={{ keycloak_quarkus_port }} | ||||
| hostname-path={{ keycloak_quarkus_path }} | ||||
| {% endif %} | ||||
| hostname-admin-url={{ keycloak_quarkus_admin_url }} | ||||
| hostname={{ keycloak_quarkus_hostname }} | ||||
| hostname-admin={{ keycloak_quarkus_hostname_admin }} | ||||
| hostname-strict={{ keycloak_quarkus_hostname_strict | lower }} | ||||
| hostname-strict-backchannel={{ keycloak_quarkus_hostname_strict_backchannel | lower }} | ||||
| hostname-backchannel-dynamic={{ keycloak_quarkus_hostname_backchannel_dynamic | lower }} | ||||
| 
 | ||||
| # Cluster | ||||
| {% if keycloak_quarkus_ha_enabled %} | ||||
| cache=ispn | ||||
| cache-config-file=cache-ispn.xml | ||||
| {% if keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING' %} | ||||
| # cache-stack=tcp # configured directly in `cache-ispn.xml` | ||||
| {% if keycloak_quarkus_cache_remote %} | ||||
| cache-remote-username={{ keycloak_quarkus_cache_remote_username }} | ||||
| cache-remote-password={{ keycloak_quarkus_cache_remote_password }} | ||||
| cache-remote-host={{ keycloak_quarkus_cache_remote_host }} | ||||
| cache-remote-port={{ keycloak_quarkus_cache_remote_port }} | ||||
| cache-remote-tls-enabled={{ keycloak_quarkus_cache_remote_tls_enabled | lower }} | ||||
| {% endif %} | ||||
| {% endif %} | ||||
| 
 | ||||
|  |  | |||
|  | @ -1,22 +1,22 @@ | |||
| {{ ansible_managed | comment }} | ||||
| {% if keycloak_quarkus_ha_enabled %} | ||||
| {% if keycloak_quarkus_version.split('.')[0] | int < 22 %} | ||||
| quarkus.infinispan-client.server-list={{ keycloak_quarkus_ispn_hosts }} | ||||
| quarkus.infinispan-client.auth-username={{ keycloak_quarkus_ispn_user }} | ||||
| quarkus.infinispan-client.auth-password={{ keycloak_quarkus_ispn_pass }} | ||||
| quarkus.infinispan-client.server-list={{ keycloak_quarkus_cache_remote_host }}:{{ keycloak_quarkus_cache_remote_port }} | ||||
| quarkus.infinispan-client.auth-username={{ keycloak_quarkus_cache_remote_username }} | ||||
| quarkus.infinispan-client.auth-password={{ keycloak_quarkus_cache_remote_password }} | ||||
| {% else %} | ||||
| quarkus.infinispan-client.hosts={{ keycloak_quarkus_ispn_hosts }} | ||||
| quarkus.infinispan-client.username={{ keycloak_quarkus_ispn_user }} | ||||
| quarkus.infinispan-client.password={{ keycloak_quarkus_ispn_pass }} | ||||
| quarkus.infinispan-client.hosts={{ keycloak_quarkus_cache_remote_host }}:{{ keycloak_quarkus_cache_remote_port }} | ||||
| quarkus.infinispan-client.username={{ keycloak_quarkus_cache_remote_username }} | ||||
| quarkus.infinispan-client.password={{ keycloak_quarkus_cache_remote_password }} | ||||
| {% endif %} | ||||
| quarkus.infinispan-client.client-intelligence=HASH_DISTRIBUTION_AWARE | ||||
| quarkus.infinispan-client.use-auth=true | ||||
| quarkus.infinispan-client.auth-realm=default | ||||
| quarkus.infinispan-client.auth-server-name=infinispan | ||||
| quarkus.infinispan-client.sasl-mechanism={{ keycloak_quarkus_ispn_sasl_mechanism }} | ||||
| {% if keycloak_quarkus_ispn_use_ssl %} | ||||
| quarkus.infinispan-client.trust-store={{ keycloak_quarkus_ispn_trust_store_path }} | ||||
| quarkus.infinispan-client.trust-store-password={{ keycloak_quarkus_ispn_trust_store_password }} | ||||
| quarkus.infinispan-client.sasl-mechanism={{ keycloak_quarkus_cache_remote_sasl_mechanism }} | ||||
| {% if keycloak_quarkus_cache_remote_tls_enabled %} | ||||
| quarkus.infinispan-client.trust-store={{ keycloak_quarkus_https_trust_store_file }} | ||||
| quarkus.infinispan-client.trust-store-password={{ keycloak_quarkus_https_trust_store_password }} | ||||
| quarkus.infinispan-client.trust-store-type=jks | ||||
| {% endif %} | ||||
| #quarkus.infinispan-client.use-schema-registration=true | ||||
|  |  | |||
|  | @ -1,7 +1,8 @@ | |||
| --- | ||||
| keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('openjdk-17-jdk-headless') }}" | ||||
| keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('openjdk-21-jdk-headless') }}" | ||||
| keycloak_quarkus_prereq_package_list: | ||||
|       - "{{ keycloak_quarkus_varjvm_package }}" | ||||
|       - bash | ||||
|       - unzip | ||||
|       - procps | ||||
|       - apt | ||||
|  |  | |||
|  | @ -4,8 +4,7 @@ keycloak: # noqa var-naming this is an internal dict of interpolated values | |||
|   config_dir: "{{ keycloak_quarkus_config_dir }}" | ||||
|   bundle: "{{ keycloak_quarkus_archive }}" | ||||
|   service_name: "keycloak" | ||||
|   health_url: "{{ 'https' if keycloak_quarkus_http_enabled == False else 'http' }}://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_https_port if keycloak_quarkus_http_enabled == False else keycloak_quarkus_http_port }}{{ keycloak_quarkus_http_relative_path }}{{ '/' \ | ||||
|                if keycloak_quarkus_http_relative_path | length > 1 else '' }}{{ keycloak_quarkus_health_check_url_path | default('realms/master/.well-known/openid-configuration') }}" | ||||
|   health_url: "{{ keycloak_quarkus_health_check_url | default(keycloak_quarkus_hostname ~ '/' ~ (keycloak_quarkus_health_check_url_path | default('realms/master/.well-known/openid-configuration'))) }}" | ||||
|   cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh" | ||||
|   service_user: "{{ keycloak_quarkus_service_user }}" | ||||
|   service_group: "{{ keycloak_quarkus_service_group }}" | ||||
|  |  | |||
|  | @ -1,7 +1,8 @@ | |||
| --- | ||||
| keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('java-17-openjdk-headless') }}" | ||||
| keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('java-21-openjdk-headless') }}" | ||||
| keycloak_quarkus_prereq_package_list: | ||||
|       - "{{ keycloak_quarkus_varjvm_package }}" | ||||
|       - bash | ||||
|       - unzip | ||||
|       - procps-ng | ||||
|       - initscripts | ||||
|  |  | |||
|  | @ -19,7 +19,7 @@ Role Defaults | |||
| |`keycloak_management_http_port`| Management port | `9990` | | ||||
| |`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` | | ||||
| |`keycloak_client_public`| Configure a public realm client | `True` | | ||||
| |`keycloak_client_web_origins`| Web origins for realm client | `+` | | ||||
| |`keycloak_client_web_origins`| Web origins for realm client | `/*` | | ||||
| |`keycloak_url`| URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` | | ||||
| |`keycloak_management_url`| URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` | | ||||
| 
 | ||||
|  | @ -74,6 +74,7 @@ Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/ge | |||
|     - name: <name of the client> | ||||
|       id: <id of the client> | ||||
|       client_id: <id of the client> | ||||
|       secret: <secret of the client (Optional)> | ||||
|       roles: <keycloak_client_default_roles> | ||||
|       realm: <name of the realm that contains the client> | ||||
|       public_client: <true for public, false for confidential> | ||||
|  |  | |||
|  | @ -43,7 +43,7 @@ keycloak_client_default_roles: [] | |||
| keycloak_client_public: true | ||||
| 
 | ||||
| # allowed web origins for the client | ||||
| keycloak_client_web_origins: '+' | ||||
| keycloak_client_web_origins: '/*' | ||||
| 
 | ||||
| # list of user and role mappings to create in the client | ||||
| # Each user has the form: | ||||
|  | @ -54,3 +54,7 @@ keycloak_client_users: [] | |||
| 
 | ||||
| ### List of Keycloak User Federation | ||||
| keycloak_user_federation: [] | ||||
| 
 | ||||
| # other settings | ||||
| keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + (keycloak_jboss_port_offset | default(0)) }}" | ||||
| keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + (keycloak_jboss_port_offset | default(0)) }}" | ||||
|  |  | |||
|  | @ -53,7 +53,7 @@ argument_specs: | |||
|                 type: "bool" | ||||
|             keycloak_client_web_origins: | ||||
|                 # line 42 of keycloak_realm/defaults/main.yml | ||||
|                 default: "+" | ||||
|                 default: "/*" | ||||
|                 description: "Web origins for realm client" | ||||
|                 type: "str" | ||||
|             keycloak_client_users: | ||||
|  |  | |||
|  | @ -8,7 +8,7 @@ galaxy_info: | |||
| 
 | ||||
|   license: Apache License 2.0 | ||||
| 
 | ||||
|   min_ansible_version: "2.15" | ||||
|   min_ansible_version: "2.16" | ||||
| 
 | ||||
|   platforms: | ||||
|     - name: EL | ||||
|  |  | |||
|  | @ -15,6 +15,7 @@ | |||
|   ansible.builtin.uri: | ||||
|     url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}" | ||||
|     method: GET | ||||
|     validate_certs: false | ||||
|     status_code: | ||||
|       - 200 | ||||
|       - 404 | ||||
|  | @ -45,7 +46,7 @@ | |||
|     name: "{{ item.name }}" | ||||
|     state: present | ||||
|     provider_id: "{{ item.provider_id }}" | ||||
|     provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}" | ||||
|     provider_type: "{{ item.provider_type | default('org.keycloak.storage.UserStorageProvider') }}" | ||||
|     config: "{{ item.config }}" | ||||
|     mappers: "{{ item.mappers | default(omit) }}" | ||||
|   no_log: "{{ keycloak_no_log | default('True') }}" | ||||
|  | @ -75,6 +76,7 @@ | |||
|     default_roles: "{{ item.roles | default(omit) }}" | ||||
|     client_id: "{{ item.client_id | default(omit) }}" | ||||
|     id: "{{ item.id | default(omit) }}" | ||||
|     secret: "{{ item.secret | default(omit) }}" | ||||
|     name: "{{ item.name | default(omit) }}" | ||||
|     description: "{{ item.description | default(omit) }}" | ||||
|     root_url: "{{ item.root_url | default('') }}" | ||||
|  | @ -82,7 +84,7 @@ | |||
|     base_url: "{{ item.base_url | default('') }}" | ||||
|     enabled: "{{ item.enabled | default(True) }}" | ||||
|     redirect_uris: "{{ item.redirect_uris | default(omit) }}" | ||||
|     web_origins: "{{ item.web_origins | default('+') }}" | ||||
|     web_origins: "{{ item.web_origins | default(omit) }}" | ||||
|     bearer_only: "{{ item.bearer_only | default(omit) }}" | ||||
|     standard_flow_enabled: "{{ item.standard_flow_enabled | default(omit) }}" | ||||
|     implicit_flow_enabled: "{{ item.implicit_flow_enabled | default(omit) }}" | ||||
|  | @ -92,7 +94,7 @@ | |||
|     protocol: "{{ item.protocol | default(omit) }}" | ||||
|     attributes: "{{ item.attributes | default(omit) }}" | ||||
|     state: present | ||||
|   no_log: "{{ keycloak_no_log | default('True') }}" | ||||
|   no_log: "{{ keycloak_no_log | default('false') }}" | ||||
|   register: create_client_result | ||||
|   loop: "{{ keycloak_clients | flatten }}" | ||||
|   when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined) | ||||
|  | @ -110,3 +112,6 @@ | |||
|   loop_control: | ||||
|     loop_var: client | ||||
|   when: "'users' in client" | ||||
|    | ||||
| - name: Provide Access token lifespan | ||||
|   ansible.builtin.include_tasks: manage_token_lifespan.yml | ||||
|  |  | |||
							
								
								
									
										14
									
								
								roles/keycloak_realm/tasks/manage_token_lifespan.yml
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										14
									
								
								roles/keycloak_realm/tasks/manage_token_lifespan.yml
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,14 @@ | |||
| --- | ||||
| - name: "Update Access token lifespan" | ||||
|   ansible.builtin.uri: | ||||
|     url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}" | ||||
|     method: PUT | ||||
|     body: | ||||
|       accessTokenLifespan: 300 | ||||
|     validate_certs: false | ||||
|     body_format: json | ||||
|     status_code: | ||||
|       - 200 | ||||
|       - 204 | ||||
|     headers: | ||||
|       Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" | ||||
|  | @ -3,6 +3,7 @@ | |||
|   ansible.builtin.uri: | ||||
|     url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | default(keycloak_realm) }}" | ||||
|     method: GET | ||||
|     validate_certs: false | ||||
|     status_code: | ||||
|       - 200 | ||||
|     headers: | ||||
|  | @ -16,6 +17,7 @@ | |||
|           default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | \ | ||||
|           selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available" | ||||
|     method: GET | ||||
|     validate_certs: false | ||||
|     status_code: | ||||
|       - 200 | ||||
|     headers: | ||||
|  |  | |||
|  | @ -3,7 +3,3 @@ | |||
| 
 | ||||
| # name of the realm to create, this is a required variable | ||||
| keycloak_realm: | ||||
| 
 | ||||
| # other settings | ||||
| keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + (keycloak_jboss_port_offset | default(0)) }}" | ||||
| keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + (keycloak_jboss_port_offset | default(0)) }}" | ||||
|  |  | |||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue