ci: move intermittent test back

Merge pull request #284 from guidograzioli/caches
Refactor test scenarios
2025-06-02 23:19:12 -07:00 · 2025-05-29 21:03:03 +02:00 · 2025-05-29 20:45:37 +02:00 · 2025-05-29 20:37:39 +02:00 · 2025-05-29 20:14:04 +02:00 · 2025-05-27 11:12:07 +02:00
82 changed files with 1689 additions and 312 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -6,14 +6,23 @@ on:
      - main
  pull_request:
  workflow_dispatch:
    inputs:
      debug_verbosity:
        description: 'ANSIBLE_VERBOSITY envvar value'
        required: false
  schedule:
    - cron: '15 6 * * *'
 jobs:
  ci:
-    uses: ansible-middleware/github-actions/.github/workflows/ci.yml@main
+    uses: ansible-middleware/github-actions/.github/workflows/cish.yml@main
    secrets: inherit
    with:
      fqcn: 'middleware_automation/keycloak'
      debug_verbosity: "${{ github.event.inputs.debug_verbosity }}"
      molecule_tests: >-
-          [ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "quarkus_upgrade", "debian", "quarkus_ha" ]
+        [ "debian", "quarkus", "quarkus_ha", "quarkus_ha_remote" ]
      podman_tests_current: >-
        [ "default", "quarkus_devmode", "quarkus_upgrade" ]
      podman_tests_next: >-
        [ "default", "quarkus_devmode", "quarkus_upgrade" ]
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@ -6,6 +6,48 @@ middleware\_automation.keycloak Release Notes
 This changelog describes changes after version 0.2.6.
 v3.0.1
 ======
 Minor Changes
 -------------
 - Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_
 Bugfixes
 --------
 - Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_
 v3.0.0
 ======
 Minor Changes
 -------------
 - Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_
 - keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_
 Breaking Changes / Porting Guide
 --------------------------------
 - Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_
 - Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_
 - Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_
 Bugfixes
 --------
 - Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_
 - Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_
 - Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_
 - Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_
 New Modules
 -----------
 - middleware_automation.keycloak.keycloak_realm - Allows administration of Keycloak realm via Keycloak API
 v2.4.3
 ======
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -24,7 +24,7 @@ virtualenv $PATH_TO_DEV_VIRTUALENV
 # activate the virtual env
 source $PATH_TO_DEV_VIRTUALENV/bin/activate
 # install ansible and tools onto the virtualenv
-pip install yamllint 'molecule>=6.0' 'molecule-plugins[docker]' 'ansible-core>=2.15' ansible-lint
+pip install yamllint 'molecule>=6.0' 'molecule-plugins[docker]' 'ansible-core>=2.16' ansible-lint
 # install collection dependencies
 ansible-galaxy collection install -r requirements.yml
 # install python dependencies
--- a/README.md
+++ b/README.md
@ -12,7 +12,7 @@ Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Re
 <!--start requires_ansible-->
 ## Ansible version compatibility
-This collection has been tested against following Ansible versions: **>=2.15.0**.
+This collection has been tested against following Ansible versions: **>=2.16.0**.
 Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
 <!--end requires_ansible-->
--- a/changelogs/changelog.yaml
+++ b/changelogs/changelog.yaml
@ -613,3 +613,64 @@ releases:
    fragments:
    - 241.yaml
    release_date: '2024-10-16'
  3.0.0:
    changes:
      breaking_changes:
      - 'Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_
        '
      - 'Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_
        '
      - 'Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_
        '
      bugfixes:
      - 'Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_
        '
      - 'Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_
        '
      - 'Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_
        '
      - 'Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_
        '
      minor_changes:
      - 'Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_
        '
      - 'keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_
        '
    fragments:
    - 250.yaml
    - 251.yaml
    - 252.yaml
    - 254.yaml
    - 266.yaml
    - 268.yaml
    - 270.yaml
    - 271.yaml
    - 274.yaml
    modules:
    - description: Allows administration of Keycloak realm via Keycloak API
      name: keycloak_realm
      namespace: ''
    release_date: '2025-04-23'
  3.0.1:
    changes:
      bugfixes:
      - 'Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_
        '
      minor_changes:
      - 'Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_
        '
    fragments:
    - 276.yaml
    - 277.yaml
    release_date: '2025-05-02'
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@ -1,7 +1,7 @@
 antsibull>=0.17.0
 antsibull-docs
 antsibull-changelog
-ansible-core>=2.14.1
+ansible-core>=2.16.0
 ansible-pygments
 sphinx-rtd-theme
 git+https://github.com/felixfontein/ansible-basic-sphinx-ext
--- a/galaxy.yml
+++ b/galaxy.yml
@ -1,7 +1,7 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "2.4.3"
+version: "3.0.2"
 readme: README.md
 authors:
  - Romain Pelisse <rpelisse@redhat.com>
--- a/meta/runtime.yml
+++ b/meta/runtime.yml
@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.15.0"
+requires_ansible: ">=2.16.0"
--- a/molecule/debian/converge.yml
+++ b/molecule/debian/converge.yml
@ -3,16 +3,19 @@
  hosts: all
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
-    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
-    keycloak_quarkus_host: instance
+    keycloak_quarkus_hostname: http://instance:8080
    keycloak_quarkus_log: file
    keycloak_quarkus_start_dev: true
    keycloak_quarkus_proxy_mode: none
  roles:
    - role: keycloak_quarkus
    - role: keycloak_realm
      keycloak_url: "{{ keycloak_quarkus_hostname }}"
      keycloak_context: ''
      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
      keycloak_client_users:
        - username: TestUser
          password: password
--- a/molecule/debian/prepare.yml
+++ b/molecule/debian/prepare.yml
@ -7,5 +7,11 @@
      ansible.builtin.apt:
        name:
          - sudo
          # - openjdk-21-jdk-headless # this is not available in ghcr.io/hspaans/molecule-containers:debian-11 (neither in debian-12) since the images are using outdated package sources
          - openjdk-17-jdk-headless
        state: present
    - name: "Install iproute2"
      ansible.builtin.apt:
        name:
          - iproute2
        state: present
--- a/molecule/debian/verify.yml
+++ b/molecule/debian/verify.yml
@ -2,7 +2,7 @@
 - name: Verify
  hosts: all
  vars:
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
    keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
    keycloak_jboss_port_offset: 10
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@ -3,9 +3,9 @@
  hosts: all
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
-    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
-    keycloak_quarkus_host: instance
+    keycloak_quarkus_hostname: http://instance:8080
    keycloak_quarkus_log: file
    keycloak_quarkus_log_level: debug
    keycloak_quarkus_log_target: /tmp/keycloak
@ -13,10 +13,14 @@
    keycloak_quarkus_proxy_mode: none
    keycloak_quarkus_offline_install: true
    keycloak_quarkus_download_path: /tmp/keycloak/
    keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m "
  roles:
    - role: keycloak_quarkus
    - role: keycloak_realm
      keycloak_url: "{{ keycloak_quarkus_hostname }}"
      keycloak_context: ''
      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
      keycloak_client_users:
        - username: TestUser
          password: password
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@ -1,9 +1,9 @@
 ---
 driver:
-  name: docker
+  name: podman
 platforms:
  - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
@ -11,6 +11,7 @@ platforms:
      - "8080/tcp"
      - "8443/tcp"
      - "8009/tcp"
      - "9000/tcp"
 provisioner:
  name: ansible
  config_options:
@ -28,6 +29,8 @@ provisioner:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
    PROXY: "${PROXY}"
    NO_PROXY: "${NO_PROXY}"
 verifier:
  name: ansible
 scenario:
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@ -7,10 +7,6 @@
  tasks:
    - name: "Run preparation common to all scenario"
      ansible.builtin.include_tasks: ../prepare.yml
      vars:
        assets:
          - "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip"
          - "{{ assets_server }}/sso/7.6.1/rh-sso-7.6.1-patch.zip"
    - name: Create controller directory for downloads
      ansible.builtin.file: # noqa risky-file-permissions delegated, uses controller host user
@ -22,7 +18,7 @@
    - name: Download keycloak archive to controller directory
      ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
-        url: https://github.com/keycloak/keycloak/releases/download/24.0.5/keycloak-24.0.5.zip
+        url: https://github.com/keycloak/keycloak/releases/download/26.2.4/keycloak-26.2.4.zip
        dest: /tmp/keycloak
        mode: '0640'
      delegate_to: localhost
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@ -2,7 +2,8 @@
 - name: Verify
  hosts: all
  vars:
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_uri: "http://localhost:8080"
  tasks:
    - name: Populate service facts
@ -16,7 +17,7 @@
      ansible.builtin.uri:
        url: "{{ keycloak_uri }}/realms/master/protocol/openid-connect/token"
        method: POST
-        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
+        body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_user }}&grant_type=password"
        validate_certs: no
      register: keycloak_auth_response
      until: keycloak_auth_response.status == 200
--- a/molecule/https_revproxy/converge.yml
+++ b/molecule/https_revproxy/converge.yml
@ -3,15 +3,14 @@
  hosts: all
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
-    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
-    keycloak_realm: TestRealm
+    keycloak_quarkus_hostname: https://proxy
    keycloak_quarkus_host: instance
    keycloak_quarkus_log: file
    keycloak_quarkus_http_enabled: True
    keycloak_quarkus_http_port: 8080
    keycloak_quarkus_proxy_mode: edge
    keycloak_quarkus_http_relative_path: /
-    keycloak_quarkus_frontend_url: https://proxy/
+    keycloak_quarkus_health_check_url: http://proxy:8080/realms/master/.well-known/openid-configuration
  roles:
    - role: keycloak_quarkus
--- a/molecule/https_revproxy/molecule.yml
+++ b/molecule/https_revproxy/molecule.yml
@ -3,7 +3,7 @@ driver:
  name: docker
 platforms:
  - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
@ -14,7 +14,7 @@ platforms:
    published_ports:
      - 0.0.0.0:8080:8080/tcp
  - name: proxy
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
--- a/molecule/overridexml/molecule.yml
+++ b/molecule/overridexml/molecule.yml
@ -3,7 +3,7 @@ driver:
  name: docker
 platforms:
  - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
@ -11,6 +11,7 @@ platforms:
      - "8080/tcp"
      - "8443/tcp"
      - "8009/tcp"
      - "9000/tcp"
 provisioner:
  name: ansible
  config_options:
--- a/molecule/quarkus/converge.yml
+++ b/molecule/quarkus/converge.yml
@ -3,10 +3,10 @@
  hosts: all
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
-    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_realm: TestRealm
-    keycloak_quarkus_host: instance
+    keycloak_quarkus_hostname: https://instance:8443
    keycloak_quarkus_log: file
    keycloak_quarkus_log_level: debug # needed for the verify step
    keycloak_quarkus_https_key_file_enabled: true
@ -22,6 +22,12 @@
    keycloak_quarkus_systemd_wait_for_timeout: 20
    keycloak_quarkus_systemd_wait_for_delay: 2
    keycloak_quarkus_systemd_wait_for_log: true
    keycloak_quarkus_restart_health_check: false # would fail because of self-signed cert
    keycloak_quarkus_version: 26.2.4
    keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx1024m"
    keycloak_quarkus_additional_env_vars:
      - key: KC_FEATURES_DISABLED
        value: impersonation,kerberos
    keycloak_quarkus_providers:
      - id: http-client
        spi: connections
@ -32,26 +38,32 @@
            value: 10
      - id: spid-saml
        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
      - id: spid-saml-w-checksum
        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
        checksum: sha256:fbb50e73739d7a6d35b5bff611b1c01668b29adf6f6259624b95e466a305f377
      - id: keycloak-kerberos-federation
        maven:
          repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4
          group_id: org.keycloak
          artifact_id: keycloak-kerberos-federation
-          version: 24.0.5 # optional
+          version: 26.2.4 # optional
          # username: myUser # optional
          # password: myPAT # optional
      # - id: my-static-theme
      #   local_path: /tmp/my-static-theme.jar
    keycloak_quarkus_policies:
-      - name: "xato-net-10-million-passwords.txt"
+      - name: "cain-and-abel.txt"
-        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt"
+        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/cain-and-abel.txt"
-      - name: "xato-net-10-million-passwords-10.txt"
+      - name: "john-the-ripper.txt"
-        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords-10.txt"
+        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt"
        type: password-blacklists
  roles:
    - role: keycloak_quarkus
    - role: keycloak_realm
      keycloak_url: http://instance:8080
      keycloak_context: ''
      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
      keycloak_client_default_roles:
        - TestRoleAdmin
        - TestRoleUser
--- a/molecule/quarkus/molecule.yml
+++ b/molecule/quarkus/molecule.yml
@ -3,7 +3,7 @@ driver:
  name: docker
 platforms:
  - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
@ -11,6 +11,7 @@ platforms:
      - "8080/tcp"
      - "8443/tcp"
      - "8009/tcp"
      - "9000/tcp"
    published_ports:
      - 0.0.0.0:8443:8443/tcp
 provisioner:
@ -30,6 +31,9 @@ provisioner:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
    PYTHONHTTPSVERIFY: 0
    PROXY: "${PROXY}"
    NO_PROXY: "${NO_PROXY}"
 verifier:
  name: ansible
 scenario:
--- a/molecule/quarkus/prepare.yml
+++ b/molecule/quarkus/prepare.yml
@ -24,7 +24,7 @@
    - name: Make sure a jre is available (for keytool to prepare keystore)
      delegate_to: localhost
      ansible.builtin.package:
-        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
+        name: java-21-openjdk-headless
        state: present
      become: true
      failed_when: false
--- a/molecule/quarkus/verify.yml
+++ b/molecule/quarkus/verify.yml
@ -2,7 +2,8 @@
 - name: Verify
  hosts: all
  vars:
-     keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
@ -35,10 +36,10 @@
        - name: Verify endpoint URLs
          ansible.builtin.assert:
            that:
-              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance/realms/master/protocol/openid-connect/ext/ciba/auth'
+              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance:8443/realms/master/protocol/openid-connect/ext/ciba/auth'
-              - (openid_config.stdout | from_json)['issuer'] == 'https://instance/realms/master'
+              - (openid_config.stdout | from_json)['issuer'] == 'https://instance:8443/realms/master'
-              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/auth'
+              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/auth'
-              - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/token'
+              - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/token'
          delegate_to: localhost
    - name: Check log folder
@ -91,7 +92,7 @@
      ansible.builtin.uri:
        url: "https://instance:8443/realms/master/protocol/openid-connect/token"
        method: POST
-        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
+        body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_password}}&grant_type=password"
        validate_certs: no
      register: keycloak_auth_response
      until: keycloak_auth_response.status == 200
@ -101,8 +102,8 @@
    - name: "Get Clients"
      ansible.builtin.uri:
        url: "https://instance:8443/admin/realms/TestRealm/clients"
        validate_certs: false
        headers:
          validate_certs: false
          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
      register: keycloak_clients
@ -113,15 +114,15 @@
    - name: "Get Client {{ keycloak_client_uuid }}"
      ansible.builtin.uri:
        url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}"
        validate_certs: false
        headers:
          validate_certs: false
          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
      register: keycloak_test_client
    - name: "Get Client roles"
      ansible.builtin.uri:
        url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}/roles"
        validate_certs: false
        headers:
          validate_certs: false
          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
-      register: keycloak_test_client_roles
+      register: keycloak_test_client_roles
--- a/molecule/quarkus_devmode/converge.yml
+++ b/molecule/quarkus_devmode/converge.yml
@ -3,18 +3,23 @@
  hosts: all
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
-    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_realm: TestRealm
    keycloak_quarkus_log: file
-    keycloak_quarkus_frontend_url: 'http://localhost:8080/'
+    keycloak_quarkus_hostname: 'http://localhost:8080'
    keycloak_quarkus_start_dev: True
    keycloak_quarkus_proxy_mode: none
    keycloak_quarkus_java_home: /opt/openjdk/
    keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m"
  roles:
    - role: keycloak_quarkus
    - role: keycloak_realm
      keycloak_url: "{{ keycloak_quarkus_hostname }}"
      keycloak_context: ''
      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
      keycloak_client_default_roles:
        - TestRoleAdmin
        - TestRoleUser
--- a/molecule/quarkus_devmode/molecule.yml
+++ b/molecule/quarkus_devmode/molecule.yml
@ -1,17 +1,19 @@
 ---
 driver:
-  name: docker
+  name: podman
 platforms:
  - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
    port_bindings:
      - "8080/tcp"
      - "8009/tcp"
      - "9000/tcp"
    published_ports:
      - 0.0.0.0:8080:8080/tcp
      - 0.0.0.0:9000:9000/TCP
 provisioner:
  name: ansible
  config_options:
@ -29,6 +31,8 @@ provisioner:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
    PROXY: "${PROXY}"
    NO_PROXY: "${NO_PROXY}"
 verifier:
  name: ansible
 scenario:
--- a/molecule/quarkus_devmode/prepare.yml
+++ b/molecule/quarkus_devmode/prepare.yml
--- a/molecule/quarkus_devmode/roles
+++ b/molecule/quarkus_devmode/roles
--- a/molecule/quarkus_devmode/verify.yml
+++ b/molecule/quarkus_devmode/verify.yml
--- a/molecule/quarkus_ha/converge.yml
+++ b/molecule/quarkus_ha/converge.yml
@ -3,10 +3,9 @@
  hosts: keycloak
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
-    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
-    keycloak_realm: TestRealm
+    keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
    keycloak_quarkus_host: "{{ inventory_hostname }}"
    keycloak_quarkus_log: file
    keycloak_quarkus_log_level: info
    keycloak_quarkus_https_key_file_enabled: true
@ -25,6 +24,6 @@
    keycloak_quarkus_restart_strategy: restart/serial.yml
    keycloak_quarkus_db_user: keycloak
    keycloak_quarkus_db_pass: mysecretpass
-    keycloak_quarkus_jdbc_url: jdbc:postgresql://postgres:5432/keycloak
+    keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
  roles:
    - role: keycloak_quarkus
--- a/molecule/quarkus_ha/molecule.yml
+++ b/molecule/quarkus_ha/molecule.yml
@ -14,6 +14,7 @@ platforms:
    port_bindings:
      - "8080/tcp"
      - "8443/tcp"
      - "9000/tcp"
  - name: instance2
    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
@ -26,6 +27,7 @@ platforms:
    port_bindings:
      - "8080/tcp"
      - "8443/tcp"
      - "9000/tcp"
  - name: postgres
    image: ubuntu/postgres:14-22.04_beta
    pre_build_image: true
@ -63,6 +65,7 @@ provisioner:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
    PYTHONHTTPSVERIFY: 0
 verifier:
  name: ansible
 scenario:
--- a/molecule/quarkus_ha_remote/converge.yml
+++ b/molecule/quarkus_ha_remote/converge.yml
@ -0,0 +1,49 @@
 ---
 - name: Converge
  hosts: infinispan
  roles:
    - role: middleware_automation.infinispan.infinispan
      infinispan_service_name: infinispan
      infinispan_supervisor_password: remembertochangeme
      infinispan_keycloak_caches: true
      infinispan_keycloak_persistence: False
      infinispan_jdbc_engine: postgres
      infinispan_jdbc_url: jdbc:postgresql://postgres:5432/keycloak
      infinispan_jdbc_driver_version: 9.4.1212
      infinispan_jdbc_user: keycloak
      infinispan_jdbc_pass: mysecretpass
      infinispan_users:
        - { name: 'testuser', password: 'test', roles: 'observer' }
 - name: Converge
  hosts: keycloak
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
    keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
    keycloak_quarkus_log: file
    keycloak_quarkus_log_level: info
    keycloak_quarkus_https_key_file_enabled: true
    keycloak_quarkus_key_file_copy_enabled: true
    keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}"
    keycloak_quarkus_cert_file_copy_enabled: true
    keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem"
    keycloak_quarkus_ks_vault_enabled: true
    keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
    keycloak_quarkus_ks_vault_pass: keystorepassword
    keycloak_quarkus_systemd_wait_for_port: true
    keycloak_quarkus_systemd_wait_for_timeout: 20
    keycloak_quarkus_systemd_wait_for_delay: 2
    keycloak_quarkus_systemd_wait_for_log: true
    keycloak_quarkus_ha_enabled: true
    keycloak_quarkus_restart_strategy: restart/serial.yml
    keycloak_quarkus_db_user: keycloak
    keycloak_quarkus_db_pass: mysecretpass
    keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
    keycloak_quarkus_cache_remote_username: supervisor
    keycloak_quarkus_cache_remote_password: remembertochangeme
    keycloak_quarkus_cache_remote_host: "infinispan1:11222"
    keycloak_quarkus_cache_remote_tls_enabled: false
  roles:
    - role: keycloak_quarkus
--- a/molecule/quarkus_ha_remote/molecule.yml
+++ b/molecule/quarkus_ha_remote/molecule.yml
@ -0,0 +1,80 @@
 ---
 driver:
  name: docker
 platforms:
  - name: keycloak1
    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
    groups:
      - keycloak
    networks:
      - name: rhbk
    port_bindings:
      - "8080/tcp"
      - "8443/tcp"
      - "9000/tcp"
  - name: infinispan1
    image: registry.access.redhat.com/ubi9/ubi-init:latest
    pre_build_image: true
    privileged: true
    command: "/usr/sbin/init"
    groups:
      - infinispan
    networks:
      - name: rhbk
    port_bindings:
      - "11222/tcp"
  - name: postgres
    image: ubuntu/postgres:14-22.04_beta
    pre_build_image: true
    privileged: true
    command: postgres
    groups:
      - database
    networks:
      - name: rhbk
    port_bindings:
      - "5432/tcp"
    mounts:
      - type: bind
        target: /etc/postgresql/postgresql.conf
        source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf
    env:
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: mysecretpass
      POSTGRES_DB: keycloak
      POSTGRES_HOST_AUTH_METHOD: trust
 provisioner:
  name: ansible
  config_options:
    defaults:
      interpreter_python: auto_silent
    ssh_connection:
      pipelining: false
  playbooks:
    prepare: prepare.yml
    converge: converge.yml
    verify: verify.yml
  inventory:
    host_vars:
      localhost:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
    PYTHONHTTPSVERIFY: 0
 verifier:
  name: ansible
 scenario:
  test_sequence:
    - cleanup
    - destroy
    - create
    - prepare
    - converge
    - idempotence
    - side_effect
    - verify
    - cleanup
    - destroy
--- a/molecule/quarkus_ha_remote/postgresql/postgresql.conf
+++ b/molecule/quarkus_ha_remote/postgresql/postgresql.conf
@ -0,0 +1,750 @@
 # -----------------------------
 # PostgreSQL configuration file
 # -----------------------------
 #
 # This file consists of lines of the form:
 #
 #   name = value
 #
 # (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
 # "#" anywhere on a line.  The complete list of parameter names and allowed
 # values can be found in the PostgreSQL documentation.
 #
 # The commented-out settings shown in this file represent the default values.
 # Re-commenting a setting is NOT sufficient to revert it to the default value;
 # you need to reload the server.
 #
 # This file is read on server startup and when the server receives a SIGHUP
 # signal.  If you edit the file on a running system, you have to SIGHUP the
 # server for the changes to take effect, run "pg_ctl reload", or execute
 # "SELECT pg_reload_conf()".  Some parameters, which are marked below,
 # require a server shutdown and restart to take effect.
 #
 # Any parameter can also be given as a command-line option to the server, e.g.,
 # "postgres -c log_connections=on".  Some parameters can be changed at run time
 # with the "SET" SQL command.
 #
 # Memory units:  kB = kilobytes        Time units:  ms  = milliseconds
 #                MB = megabytes                     s   = seconds
 #                GB = gigabytes                     min = minutes
 #                TB = terabytes                     h   = hours
 #                                                   d   = days
 #------------------------------------------------------------------------------
 # FILE LOCATIONS
 #------------------------------------------------------------------------------
 # The default values of these variables are driven from the -D command-line
 # option or PGDATA environment variable, represented here as ConfigDir.
 #data_directory = 'ConfigDir'		# use data in another directory
 					# (change requires restart)
 #hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file
 					# (change requires restart)
 #ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file
 					# (change requires restart)
 # If external_pid_file is not explicitly set, no extra PID file is written.
 #external_pid_file = ''			# write an extra PID file
 					# (change requires restart)
 #------------------------------------------------------------------------------
 # CONNECTIONS AND AUTHENTICATION
 #------------------------------------------------------------------------------
 # - Connection Settings -
 listen_addresses = '*'		# what IP address(es) to listen on;
 					# comma-separated list of addresses;
 					# defaults to 'localhost'; use '*' for all
 					# (change requires restart)
 #port = 5432				# (change requires restart)
 #max_connections = 100			# (change requires restart)
 #superuser_reserved_connections = 3	# (change requires restart)
 #unix_socket_directories = '/tmp'	# comma-separated list of directories
 					# (change requires restart)
 #unix_socket_group = ''			# (change requires restart)
 #unix_socket_permissions = 0777		# begin with 0 to use octal notation
 					# (change requires restart)
 #bonjour = off				# advertise server via Bonjour
 					# (change requires restart)
 #bonjour_name = ''			# defaults to the computer name
 					# (change requires restart)
 # - TCP settings -
 # see "man 7 tcp" for details
 #tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds;
 					# 0 selects the system default
 #tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds;
 					# 0 selects the system default
 #tcp_keepalives_count = 0		# TCP_KEEPCNT;
 					# 0 selects the system default
 #tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds;
 					# 0 selects the system default
 # - Authentication -
 #authentication_timeout = 1min		# 1s-600s
 #password_encryption = md5		# md5 or scram-sha-256
 #db_user_namespace = off
 # GSSAPI using Kerberos
 #krb_server_keyfile = ''
 #krb_caseins_users = off
 # - SSL -
 #ssl = off
 #ssl_ca_file = ''
 #ssl_cert_file = 'server.crt'
 #ssl_crl_file = ''
 #ssl_key_file = 'server.key'
 #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
 #ssl_prefer_server_ciphers = on
 #ssl_ecdh_curve = 'prime256v1'
 #ssl_min_protocol_version = 'TLSv1'
 #ssl_max_protocol_version = ''
 #ssl_dh_params_file = ''
 #ssl_passphrase_command = ''
 #ssl_passphrase_command_supports_reload = off
 #------------------------------------------------------------------------------
 # RESOURCE USAGE (except WAL)
 #------------------------------------------------------------------------------
 # - Memory -
 #shared_buffers = 32MB			# min 128kB
 					# (change requires restart)
 #huge_pages = try			# on, off, or try
 					# (change requires restart)
 #temp_buffers = 8MB			# min 800kB
 #max_prepared_transactions = 0		# zero disables the feature
 					# (change requires restart)
 # Caution: it is not advisable to set max_prepared_transactions nonzero unless
 # you actively intend to use prepared transactions.
 #work_mem = 4MB				# min 64kB
 #maintenance_work_mem = 64MB		# min 1MB
 #autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem
 #max_stack_depth = 2MB			# min 100kB
 #shared_memory_type = mmap		# the default is the first option
 					# supported by the operating system:
 					#   mmap
 					#   sysv
 					#   windows
 					# (change requires restart)
 #dynamic_shared_memory_type = posix	# the default is the first option
 					# supported by the operating system:
 					#   posix
 					#   sysv
 					#   windows
 					#   mmap
 					# (change requires restart)
 # - Disk -
 #temp_file_limit = -1			# limits per-process temp file space
 					# in kB, or -1 for no limit
 # - Kernel Resources -
 #max_files_per_process = 1000		# min 25
 					# (change requires restart)
 # - Cost-Based Vacuum Delay -
 #vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables)
 #vacuum_cost_page_hit = 1		# 0-10000 credits
 #vacuum_cost_page_miss = 10		# 0-10000 credits
 #vacuum_cost_page_dirty = 20		# 0-10000 credits
 #vacuum_cost_limit = 200		# 1-10000 credits
 # - Background Writer -
 #bgwriter_delay = 200ms			# 10-10000ms between rounds
 #bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables
 #bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round
 #bgwriter_flush_after = 0		# measured in pages, 0 disables
 # - Asynchronous Behavior -
 #effective_io_concurrency = 1		# 1-1000; 0 disables prefetching
 #max_worker_processes = 8		# (change requires restart)
 #max_parallel_maintenance_workers = 2	# taken from max_parallel_workers
 #max_parallel_workers_per_gather = 2	# taken from max_parallel_workers
 #parallel_leader_participation = on
 #max_parallel_workers = 8		# maximum number of max_worker_processes that
 					# can be used in parallel operations
 #old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate
 					# (change requires restart)
 #backend_flush_after = 0		# measured in pages, 0 disables
 #------------------------------------------------------------------------------
 # WRITE-AHEAD LOG
 #------------------------------------------------------------------------------
 # - Settings -
 #wal_level = replica			# minimal, replica, or logical
 					# (change requires restart)
 #fsync = on				# flush data to disk for crash safety
 					# (turning this off can cause
 					# unrecoverable data corruption)
 #synchronous_commit = on		# synchronization level;
 					# off, local, remote_write, remote_apply, or on
 #wal_sync_method = fsync		# the default is the first option
 					# supported by the operating system:
 					#   open_datasync
 					#   fdatasync (default on Linux)
 					#   fsync
 					#   fsync_writethrough
 					#   open_sync
 #full_page_writes = on			# recover from partial page writes
 #wal_compression = off			# enable compression of full-page writes
 #wal_log_hints = off			# also do full page writes of non-critical updates
 					# (change requires restart)
 #wal_init_zero = on			# zero-fill new WAL files
 #wal_recycle = on			# recycle WAL files
 #wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
 					# (change requires restart)
 #wal_writer_delay = 200ms		# 1-10000 milliseconds
 #wal_writer_flush_after = 1MB		# measured in pages, 0 disables
 #commit_delay = 0			# range 0-100000, in microseconds
 #commit_siblings = 5			# range 1-1000
 # - Checkpoints -
 #checkpoint_timeout = 5min		# range 30s-1d
 #max_wal_size = 1GB
 #min_wal_size = 80MB
 #checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0
 #checkpoint_flush_after = 0		# measured in pages, 0 disables
 #checkpoint_warning = 30s		# 0 disables
 # - Archiving -
 #archive_mode = off		# enables archiving; off, on, or always
 				# (change requires restart)
 #archive_command = ''		# command to use to archive a logfile segment
 				# placeholders: %p = path of file to archive
 				#               %f = file name only
 				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
 #archive_timeout = 0		# force a logfile segment switch after this
 				# number of seconds; 0 disables
 # - Archive Recovery -
 # These are only used in recovery mode.
 #restore_command = ''		# command to use to restore an archived logfile segment
 				# placeholders: %p = path of file to restore
 				#               %f = file name only
 				# e.g. 'cp /mnt/server/archivedir/%f %p'
 				# (change requires restart)
 #archive_cleanup_command = ''	# command to execute at every restartpoint
 #recovery_end_command = ''	# command to execute at completion of recovery
 # - Recovery Target -
 # Set these only when performing a targeted recovery.
 #recovery_target = ''		# 'immediate' to end recovery as soon as a
                                # consistent state is reached
 				# (change requires restart)
 #recovery_target_name = ''	# the named restore point to which recovery will proceed
 				# (change requires restart)
 #recovery_target_time = ''	# the time stamp up to which recovery will proceed
 				# (change requires restart)
 #recovery_target_xid = ''	# the transaction ID up to which recovery will proceed
 				# (change requires restart)
 #recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed
 				# (change requires restart)
 #recovery_target_inclusive = on # Specifies whether to stop:
 				# just after the specified recovery target (on)
 				# just before the recovery target (off)
 				# (change requires restart)
 #recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID
 				# (change requires restart)
 #recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown'
 				# (change requires restart)
 #------------------------------------------------------------------------------
 # REPLICATION
 #------------------------------------------------------------------------------
 # - Sending Servers -
 # Set these on the master and on any standby that will send replication data.
 #max_wal_senders = 10		# max number of walsender processes
 				# (change requires restart)
 #wal_keep_segments = 0		# in logfile segments; 0 disables
 #wal_sender_timeout = 60s	# in milliseconds; 0 disables
 #max_replication_slots = 10	# max number of replication slots
 				# (change requires restart)
 #track_commit_timestamp = off	# collect timestamp of transaction commit
 				# (change requires restart)
 # - Master Server -
 # These settings are ignored on a standby server.
 #synchronous_standby_names = ''	# standby servers that provide sync rep
 				# method to choose sync standbys, number of sync standbys,
 				# and comma-separated list of application_name
 				# from standby(s); '*' = all
 #vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed
 # - Standby Servers -
 # These settings are ignored on a master server.
 #primary_conninfo = ''			# connection string to sending server
 					# (change requires restart)
 #primary_slot_name = ''			# replication slot on sending server
 					# (change requires restart)
 #promote_trigger_file = ''		# file name whose presence ends recovery
 #hot_standby = on			# "off" disallows queries during recovery
 					# (change requires restart)
 #max_standby_archive_delay = 30s	# max delay before canceling queries
 					# when reading WAL from archive;
 					# -1 allows indefinite delay
 #max_standby_streaming_delay = 30s	# max delay before canceling queries
 					# when reading streaming WAL;
 					# -1 allows indefinite delay
 #wal_receiver_status_interval = 10s	# send replies at least this often
 					# 0 disables
 #hot_standby_feedback = off		# send info from standby to prevent
 					# query conflicts
 #wal_receiver_timeout = 60s		# time that receiver waits for
 					# communication from master
 					# in milliseconds; 0 disables
 #wal_retrieve_retry_interval = 5s	# time to wait before retrying to
 					# retrieve WAL after a failed attempt
 #recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery
 # - Subscribers -
 # These settings are ignored on a publisher.
 #max_logical_replication_workers = 4	# taken from max_worker_processes
 					# (change requires restart)
 #max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers
 #------------------------------------------------------------------------------
 # QUERY TUNING
 #------------------------------------------------------------------------------
 # - Planner Method Configuration -
 #enable_bitmapscan = on
 #enable_hashagg = on
 #enable_hashjoin = on
 #enable_indexscan = on
 #enable_indexonlyscan = on
 #enable_material = on
 #enable_mergejoin = on
 #enable_nestloop = on
 #enable_parallel_append = on
 #enable_seqscan = on
 #enable_sort = on
 #enable_tidscan = on
 #enable_partitionwise_join = off
 #enable_partitionwise_aggregate = off
 #enable_parallel_hash = on
 #enable_partition_pruning = on
 # - Planner Cost Constants -
 #seq_page_cost = 1.0			# measured on an arbitrary scale
 #random_page_cost = 4.0			# same scale as above
 #cpu_tuple_cost = 0.01			# same scale as above
 #cpu_index_tuple_cost = 0.005		# same scale as above
 #cpu_operator_cost = 0.0025		# same scale as above
 #parallel_tuple_cost = 0.1		# same scale as above
 #parallel_setup_cost = 1000.0	# same scale as above
 #jit_above_cost = 100000		# perform JIT compilation if available
 					# and query more expensive than this;
 					# -1 disables
 #jit_inline_above_cost = 500000		# inline small functions if query is
 					# more expensive than this; -1 disables
 #jit_optimize_above_cost = 500000	# use expensive JIT optimizations if
 					# query is more expensive than this;
 					# -1 disables
 #min_parallel_table_scan_size = 8MB
 #min_parallel_index_scan_size = 512kB
 #effective_cache_size = 4GB
 # - Genetic Query Optimizer -
 #geqo = on
 #geqo_threshold = 12
 #geqo_effort = 5			# range 1-10
 #geqo_pool_size = 0			# selects default based on effort
 #geqo_generations = 0			# selects default based on effort
 #geqo_selection_bias = 2.0		# range 1.5-2.0
 #geqo_seed = 0.0			# range 0.0-1.0
 # - Other Planner Options -
 #default_statistics_target = 100	# range 1-10000
 #constraint_exclusion = partition	# on, off, or partition
 #cursor_tuple_fraction = 0.1		# range 0.0-1.0
 #from_collapse_limit = 8
 #join_collapse_limit = 8		# 1 disables collapsing of explicit
 					# JOIN clauses
 #force_parallel_mode = off
 #jit = on				# allow JIT compilation
 #plan_cache_mode = auto			# auto, force_generic_plan or
 					# force_custom_plan
 #------------------------------------------------------------------------------
 # REPORTING AND LOGGING
 #------------------------------------------------------------------------------
 # - Where to Log -
 #log_destination = 'stderr'		# Valid values are combinations of
 					# stderr, csvlog, syslog, and eventlog,
 					# depending on platform.  csvlog
 					# requires logging_collector to be on.
 # This is used when logging to stderr:
 #logging_collector = off		# Enable capturing of stderr and csvlog
 					# into log files. Required to be on for
 					# csvlogs.
 					# (change requires restart)
 # These are only used if logging_collector is on:
 #log_directory = 'log'			# directory where log files are written,
 					# can be absolute or relative to PGDATA
 #log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'	# log file name pattern,
 					# can include strftime() escapes
 #log_file_mode = 0600			# creation mode for log files,
 					# begin with 0 to use octal notation
 #log_truncate_on_rotation = off		# If on, an existing log file with the
 					# same name as the new log file will be
 					# truncated rather than appended to.
 					# But such truncation only occurs on
 					# time-driven rotation, not on restarts
 					# or size-driven rotation.  Default is
 					# off, meaning append to existing files
 					# in all cases.
 #log_rotation_age = 1d			# Automatic rotation of logfiles will
 					# happen after that time.  0 disables.
 #log_rotation_size = 10MB		# Automatic rotation of logfiles will
 					# happen after that much log output.
 					# 0 disables.
 # These are relevant when logging to syslog:
 #syslog_facility = 'LOCAL0'
 #syslog_ident = 'postgres'
 #syslog_sequence_numbers = on
 #syslog_split_messages = on
 # This is only relevant when logging to eventlog (win32):
 # (change requires restart)
 #event_source = 'PostgreSQL'
 # - When to Log -
 #log_min_messages = warning		# values in order of decreasing detail:
 					#   debug5
 					#   debug4
 					#   debug3
 					#   debug2
 					#   debug1
 					#   info
 					#   notice
 					#   warning
 					#   error
 					#   log
 					#   fatal
 					#   panic
 #log_min_error_statement = error	# values in order of decreasing detail:
 					#   debug5
 					#   debug4
 					#   debug3
 					#   debug2
 					#   debug1
 					#   info
 					#   notice
 					#   warning
 					#   error
 					#   log
 					#   fatal
 					#   panic (effectively off)
 #log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements
 					# and their durations, > 0 logs only
 					# statements running at least this number
 					# of milliseconds
 #log_transaction_sample_rate = 0.0	# Fraction of transactions whose statements
 					# are logged regardless of their duration. 1.0 logs all
 					# statements from all transactions, 0.0 never logs.
 # - What to Log -
 #debug_print_parse = off
 #debug_print_rewritten = off
 #debug_print_plan = off
 #debug_pretty_print = on
 #log_checkpoints = off
 #log_connections = off
 #log_disconnections = off
 #log_duration = off
 #log_error_verbosity = default		# terse, default, or verbose messages
 #log_hostname = off
 #log_line_prefix = '%m [%p] '		# special values:
 					#   %a = application name
 					#   %u = user name
 					#   %d = database name
 					#   %r = remote host and port
 					#   %h = remote host
 					#   %p = process ID
 					#   %t = timestamp without milliseconds
 					#   %m = timestamp with milliseconds
 					#   %n = timestamp with milliseconds (as a Unix epoch)
 					#   %i = command tag
 					#   %e = SQL state
 					#   %c = session ID
 					#   %l = session line number
 					#   %s = session start timestamp
 					#   %v = virtual transaction ID
 					#   %x = transaction ID (0 if none)
 					#   %q = stop here in non-session
 					#        processes
 					#   %% = '%'
 					# e.g. '<%u%%%d> '
 #log_lock_waits = off			# log lock waits >= deadlock_timeout
 #log_statement = 'none'			# none, ddl, mod, all
 #log_replication_commands = off
 #log_temp_files = -1			# log temporary files equal or larger
 					# than the specified size in kilobytes;
 					# -1 disables, 0 logs all temp files
 #log_timezone = 'GMT'
 #------------------------------------------------------------------------------
 # PROCESS TITLE
 #------------------------------------------------------------------------------
 #cluster_name = ''			# added to process titles if nonempty
 					# (change requires restart)
 #update_process_title = on
 #------------------------------------------------------------------------------
 # STATISTICS
 #------------------------------------------------------------------------------
 # - Query and Index Statistics Collector -
 #track_activities = on
 #track_counts = on
 #track_io_timing = off
 #track_functions = none			# none, pl, all
 #track_activity_query_size = 1024	# (change requires restart)
 #stats_temp_directory = 'pg_stat_tmp'
 # - Monitoring -
 #log_parser_stats = off
 #log_planner_stats = off
 #log_executor_stats = off
 #log_statement_stats = off
 #------------------------------------------------------------------------------
 # AUTOVACUUM
 #------------------------------------------------------------------------------
 #autovacuum = on			# Enable autovacuum subprocess?  'on'
 					# requires track_counts to also be on.
 #log_autovacuum_min_duration = -1	# -1 disables, 0 logs all actions and
 					# their durations, > 0 logs only
 					# actions running at least this number
 					# of milliseconds.
 #autovacuum_max_workers = 3		# max number of autovacuum subprocesses
 					# (change requires restart)
 #autovacuum_naptime = 1min		# time between autovacuum runs
 #autovacuum_vacuum_threshold = 50	# min number of row updates before
 					# vacuum
 #autovacuum_analyze_threshold = 50	# min number of row updates before
 					# analyze
 #autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum
 #autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze
 #autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum
 					# (change requires restart)
 #autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age
 					# before forced vacuum
 					# (change requires restart)
 #autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for
 					# autovacuum, in milliseconds;
 					# -1 means use vacuum_cost_delay
 #autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for
 					# autovacuum, -1 means use
 					# vacuum_cost_limit
 #------------------------------------------------------------------------------
 # CLIENT CONNECTION DEFAULTS
 #------------------------------------------------------------------------------
 # - Statement Behavior -
 #client_min_messages = notice		# values in order of decreasing detail:
 					#   debug5
 					#   debug4
 					#   debug3
 					#   debug2
 					#   debug1
 					#   log
 					#   notice
 					#   warning
 					#   error
 #search_path = '"$user", public'	# schema names
 #row_security = on
 #default_tablespace = ''		# a tablespace name, '' uses the default
 #temp_tablespaces = ''			# a list of tablespace names, '' uses
 					# only default tablespace
 #default_table_access_method = 'heap'
 #check_function_bodies = on
 #default_transaction_isolation = 'read committed'
 #default_transaction_read_only = off
 #default_transaction_deferrable = off
 #session_replication_role = 'origin'
 #statement_timeout = 0			# in milliseconds, 0 is disabled
 #lock_timeout = 0			# in milliseconds, 0 is disabled
 #idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled
 #vacuum_freeze_min_age = 50000000
 #vacuum_freeze_table_age = 150000000
 #vacuum_multixact_freeze_min_age = 5000000
 #vacuum_multixact_freeze_table_age = 150000000
 #vacuum_cleanup_index_scale_factor = 0.1	# fraction of total number of tuples
 						# before index cleanup, 0 always performs
 						# index cleanup
 #bytea_output = 'hex'			# hex, escape
 #xmlbinary = 'base64'
 #xmloption = 'content'
 #gin_fuzzy_search_limit = 0
 #gin_pending_list_limit = 4MB
 # - Locale and Formatting -
 #datestyle = 'iso, mdy'
 #intervalstyle = 'postgres'
 #timezone = 'GMT'
 #timezone_abbreviations = 'Default'     # Select the set of available time zone
 					# abbreviations.  Currently, there are
 					#   Default
 					#   Australia (historical usage)
 					#   India
 					# You can create your own file in
 					# share/timezonesets/.
 #extra_float_digits = 1			# min -15, max 3; any value >0 actually
 					# selects precise output mode
 #client_encoding = sql_ascii		# actually, defaults to database
 					# encoding
 # These settings are initialized by initdb, but they can be changed.
 #lc_messages = 'C'			# locale for system error message
 					# strings
 #lc_monetary = 'C'			# locale for monetary formatting
 #lc_numeric = 'C'			# locale for number formatting
 #lc_time = 'C'				# locale for time formatting
 # default configuration for text search
 #default_text_search_config = 'pg_catalog.simple'
 # - Shared Library Preloading -
 #shared_preload_libraries = ''	# (change requires restart)
 #local_preload_libraries = ''
 #session_preload_libraries = ''
 #jit_provider = 'llvmjit'		# JIT library to use
 # - Other Defaults -
 #dynamic_library_path = '$libdir'
 #------------------------------------------------------------------------------
 # LOCK MANAGEMENT
 #------------------------------------------------------------------------------
 #deadlock_timeout = 1s
 #max_locks_per_transaction = 64		# min 10
 					# (change requires restart)
 #max_pred_locks_per_transaction = 64	# min 10
 					# (change requires restart)
 #max_pred_locks_per_relation = -2	# negative values mean
 					# (max_pred_locks_per_transaction
 					#  / -max_pred_locks_per_relation) - 1
 #max_pred_locks_per_page = 2            # min 0
 #------------------------------------------------------------------------------
 # VERSION AND PLATFORM COMPATIBILITY
 #------------------------------------------------------------------------------
 # - Previous PostgreSQL Versions -
 #array_nulls = on
 #backslash_quote = safe_encoding	# on, off, or safe_encoding
 #escape_string_warning = on
 #lo_compat_privileges = off
 #operator_precedence_warning = off
 #quote_all_identifiers = off
 #standard_conforming_strings = on
 #synchronize_seqscans = on
 # - Other Platforms and Clients -
 #transform_null_equals = off
 #------------------------------------------------------------------------------
 # ERROR HANDLING
 #------------------------------------------------------------------------------
 #exit_on_error = off			# terminate session on any error?
 #restart_after_crash = on		# reinitialize after backend crash?
 #data_sync_retry = off			# retry or panic on failure to fsync
 					# data?
 					# (change requires restart)
 #------------------------------------------------------------------------------
 # CONFIG FILE INCLUDES
 #------------------------------------------------------------------------------
 # These options allow settings to be loaded from files other than the
 # default postgresql.conf.  Note that these are directives, not variable
 # assignments, so they can usefully be given more than once.
 #include_dir = '...'			# include files ending in '.conf' from
 					# a directory, e.g., 'conf.d'
 #include_if_exists = '...'		# include file only if it exists
 #include = '...'			# include file
 #------------------------------------------------------------------------------
 # CUSTOMIZED OPTIONS
 #------------------------------------------------------------------------------
 # Add settings for extensions here
--- a/molecule/quarkus_ha_remote/prepare.yml
+++ b/molecule/quarkus_ha_remote/prepare.yml
@ -0,0 +1,44 @@
 ---
 - name: Prepare
  hosts: 'keycloak:infinispan'
  tasks:
    - name: "Display hera_home if defined."
      ansible.builtin.set_fact:
        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
    - name: "Ensure common prepare phase are set."
      ansible.builtin.include_tasks: ../prepare.yml
    - name: Create certificate request
      ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
      delegate_to: localhost
      changed_when: False
    - name: Create vault directory
      become: true
      ansible.builtin.file:
        state: directory
        path: "/opt/keycloak/vault"
        mode: 0755
    - name: Make sure a jre is available (for keytool to prepare keystore)
      delegate_to: localhost
      ansible.builtin.package:
        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
        state: present
      become: true
      failed_when: false
    - name: Create vault keystore
      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
      delegate_to: localhost
      register: keytool_cmd
      changed_when: False
      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
    - name: Copy certificates and vault
      become: true
      ansible.builtin.copy:
        src: keystore.p12
        dest: /opt/keycloak/vault/keystore.p12
        mode: 0444
--- a/molecule/quarkus_ha_remote/roles
+++ b/molecule/quarkus_ha_remote/roles
@ -0,0 +1 @@
 ../../roles
--- a/molecule/quarkus_ha_remote/verify.yml
+++ b/molecule/quarkus_ha_remote/verify.yml
@ -0,0 +1,29 @@
 ---
 - name: Verify
  hosts: keycloak
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:
    - name: Check if keycloak service started
      ansible.builtin.assert:
        that:
          - ansible_facts.services["keycloak.service"]["state"] == "running"
          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
        fail_msg: "Service not running"
    - name: Set internal envvar
      ansible.builtin.set_fact:
        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
    - name: Check log file
      become: true
      ansible.builtin.stat:
        path: /var/log/keycloak/keycloak.log
      register: keycloak_log_file
    - name: Check if keycloak file exists
      ansible.builtin.assert:
        that:
          - keycloak_log_file.stat.exists
          - not keycloak_log_file.stat.isdir
--- a/molecule/quarkus_upgrade/converge.yml
+++ b/molecule/quarkus_upgrade/converge.yml
@ -5,6 +5,9 @@
    - vars.yml
  vars:
    keycloak_quarkus_show_deprecation_warnings: false
-    keycloak_quarkus_version: 24.0.3
+    keycloak_quarkus_additional_env_vars:
      - key: KC_FEATURES_DISABLED
        value: ciba,device-flow,impersonation,kerberos,docker
    keycloak_quarkus_version: 26.0.7
  roles:
    - role: keycloak_quarkus
--- a/molecule/quarkus_upgrade/molecule.yml
+++ b/molecule/quarkus_upgrade/molecule.yml
@ -4,7 +4,7 @@ dependency:
  options:
    requirements-file: molecule/requirements.yml
 driver:
-  name: docker
+  name: podman
 platforms:
  - name: instance
    image: registry.access.redhat.com/ubi9/ubi-init:latest
@ -13,8 +13,10 @@ platforms:
    privileged: true
    port_bindings:
      - 8080:8080
      - "9000/tcp"
    published_ports:
      - 0.0.0.0:8080:8080/TCP
      - 0.0.0.0:9000:9000/TCP
 provisioner:
  name: ansible
  playbooks:
@ -25,6 +27,10 @@ provisioner:
    host_vars:
      localhost:
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
  env:
    ANSIBLE_FORCE_COLOR: "true"
    PROXY: "${PROXY}"
    NO_PROXY: "${NO_PROXY}"
 verifier:
  name: ansible
 scenario:
--- a/molecule/quarkus_upgrade/prepare.yml
+++ b/molecule/quarkus_upgrade/prepare.yml
@ -5,7 +5,10 @@
    - vars.yml
  vars:
    sudo_pkg_name: sudo
-    keycloak_quarkus_version: 23.0.7
+    keycloak_quarkus_version: 26.0.4
    keycloak_quarkus_additional_env_vars:
      - key: KC_FEATURES_DISABLED
        value: impersonation,kerberos
  pre_tasks:
    - name: Install sudo
      ansible.builtin.apt:
@ -44,6 +47,7 @@
      changed_when: false
  roles:
    - role: keycloak_quarkus
  post_tasks:
    - name: "Delete custom fact"
      ansible.builtin.file:
--- a/molecule/quarkus_upgrade/vars.yml
+++ b/molecule/quarkus_upgrade/vars.yml
@ -1,9 +1,8 @@
 ---
 keycloak_quarkus_offline_install: false
-keycloak_quarkus_admin_password: "remembertochangeme"
+keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
 keycloak_quarkus_admin_pass: "remembertochangeme"
 keycloak_quarkus_realm: TestRealm
-keycloak_quarkus_host: instance
+keycloak_quarkus_hostname: http://instance:8080
 keycloak_quarkus_log: file
 keycloak_quarkus_https_key_file_enabled: true
 keycloak_quarkus_log_target: /tmp/keycloak
--- a/molecule/quarkus_upgrade/verify.yml
+++ b/molecule/quarkus_upgrade/verify.yml
@ -2,7 +2,7 @@
 - name: Verify
  hosts: instance
  vars:
-    keycloak_quarkus_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
    keycloak_quarkus_port: http://localhost:8080
  tasks:
    - name: Populate service facts
@ -17,14 +17,14 @@
    - name: Verify we are running on requested jvm
      ansible.builtin.shell: |
        set -eo pipefail
-        ps -ef | grep 'etc/alternatives/.*17' | grep -v grep
+        ps -ef | grep 'etc/alternatives/.*21' | grep -v grep
      changed_when: false
    - name: Verify token api call
      ansible.builtin.uri:
        url: "{{ keycloak_quarkus_port }}/realms/master/protocol/openid-connect/token"
        method: POST
-        body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_admin_password }}&grant_type=password"
+        body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_bootstrap_admin_password }}&grant_type=password"
        validate_certs: no
      register: keycloak_auth_response
      until: keycloak_auth_response.status == 200
--- a/molecule/requirements.yml
+++ b/molecule/requirements.yml
@ -2,6 +2,7 @@
 collections:
  - name: middleware_automation.common
  - name: middleware_automation.jbcs
  - name: middleware_automation.infinispan
  - name: community.general
  - name: ansible.posix
  - name: community.docker
--- a/playbooks/keycloak_quarkus.yml
+++ b/playbooks/keycloak_quarkus.yml
@ -2,8 +2,8 @@
 - name: Playbook for Keycloak X Hosts with HTTPS enabled
  hosts: all
  vars:
-    keycloak_quarkus_admin_pass: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
-    keycloak_quarkus_host: localhost
+    keycloak_quarkus_hostname: http://localhost
    keycloak_quarkus_port: 8443
    keycloak_quarkus_log: file
    keycloak_quarkus_proxy_mode: none
--- a/playbooks/keycloak_quarkus_dev.yml
+++ b/playbooks/keycloak_quarkus_dev.yml
@ -2,8 +2,8 @@
 - name: Playbook for Keycloak X Hosts in develop mode
  hosts: all
  vars:
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
-    keycloak_quarkus_host: localhost
+    keycloak_quarkus_hostname: http://localhost
    keycloak_quarkus_port: 8080
    keycloak_quarkus_log: file
    keycloak_quarkus_start_dev: true
--- a/roles/keycloak/defaults/main.yml
+++ b/roles/keycloak/defaults/main.yml
@ -118,3 +118,7 @@ keycloak_no_log: true
 ### logging configuration
 keycloak_log_target: /var/log/keycloak
 # locations
 keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
 keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"
--- a/roles/keycloak/meta/main.yml
+++ b/roles/keycloak/meta/main.yml
@ -12,7 +12,7 @@ galaxy_info:
  license: Apache License 2.0
-  min_ansible_version: "2.15"
+  min_ansible_version: "2.16"
  platforms:
    - name: EL
--- a/roles/keycloak/tasks/debian.yml
+++ b/roles/keycloak/tasks/debian.yml
@ -1,6 +1,10 @@
 ---
 - name: Include firewall config tasks
-  ansible.builtin.include_tasks: iptables.yml
+  ansible.builtin.include_tasks:
    file: iptables.yml
    apply:
      tags:
        - firewall
  when: keycloak_configure_iptables
  tags:
    - firewall
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@ -1,22 +1,38 @@
 ---
 # tasks file for keycloak
 - name: Check prerequisites
-  ansible.builtin.include_tasks: prereqs.yml
+  ansible.builtin.include_tasks:
    file: prereqs.yml
    apply:
      tags:
        - prereqs
  tags:
    - prereqs
 - name: Distro specific tasks
-  ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml"
+  ansible.builtin.include_tasks:
    file: "{{ ansible_os_family | lower }}.yml"
    apply:
      tags:
        - unbound
  tags:
    - unbound
 - name: Include install tasks
-  ansible.builtin.include_tasks: install.yml
+  ansible.builtin.include_tasks:
    file: install.yml
    apply:
      tags:
        - install
  tags:
    - install
 - name: Include systemd tasks
-  ansible.builtin.include_tasks: systemd.yml
+  ansible.builtin.include_tasks:
    file: systemd.yml
    apply:
      tags:
        - systemd
  tags:
    - systemd
--- a/roles/keycloak/tasks/redhat.yml
+++ b/roles/keycloak/tasks/redhat.yml
@ -1,6 +1,10 @@
 ---
 - name: Include firewall config tasks
-  ansible.builtin.include_tasks: firewalld.yml
+  ansible.builtin.include_tasks:
    file: firewalld.yml
    apply:
      tags:
        - firewall
  when: keycloak_configure_firewalld
  tags:
    - firewall
--- a/roles/keycloak/tasks/rhsso_cli.yml
+++ b/roles/keycloak/tasks/rhsso_cli.yml
@ -2,12 +2,12 @@
 - name: Ensure required params for CLI have been provided
  ansible.builtin.assert:
    that:
-      - query is defined
+      - cli_query is defined
    fail_msg: "Missing required parameters to execute CLI."
    quiet: true
- name: "Execute CLI query: {{ query }}"
+- name: "Execute CLI query: {{ cli_query }}"
  ansible.builtin.command: >
-    {{ keycloak.cli_path }} --connect --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
+    {{ keycloak.cli_path }} --connect --command='{{ cli_query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
  changed_when: false
  register: cli_result
--- a/roles/keycloak/tasks/rhsso_patch.yml
+++ b/roles/keycloak/tasks/rhsso_patch.yml
@ -106,7 +106,7 @@
 - name: "Check installed patches"
  ansible.builtin.include_tasks: rhsso_cli.yml
  vars:
-    query: "patch info"
+    cli_query: "patch info"
  args:
    apply:
      become: true
@ -121,7 +121,7 @@
    - name: "Apply patch {{ patch_version }} to server"
      ansible.builtin.include_tasks: rhsso_cli.yml
      vars:
-        query: "patch apply {{ patch_archive }}"
+        cli_query: "patch apply {{ patch_archive }}"
      args:
        apply:
          become: true
@ -130,7 +130,7 @@
    - name: "Restart server to ensure patch content is running"
      ansible.builtin.include_tasks: rhsso_cli.yml
      vars:
-        query: "shutdown --restart"
+        cli_query: "shutdown --restart"
      when:
        - cli_result.rc == 0
      args:
@ -149,7 +149,7 @@
    - name: "Query installed patch after restart"
      ansible.builtin.include_tasks: rhsso_cli.yml
      vars:
-        query: "patch info"
+        cli_query: "patch info"
      args:
        apply:
          become: true
--- a/roles/keycloak/vars/main.yml
+++ b/roles/keycloak/vars/main.yml
@ -1,9 +1,6 @@
 ---
 # internal variables below
 # locations
 keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
 keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"
 keycloak:
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@ -33,7 +33,7 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_version`| keycloak.org package version | `24.0.5` |
+|`keycloak_quarkus_version`| keycloak.org package version | `26.2.4` |
 |`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
 |`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
@ -44,45 +44,27 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_admin_user`| Administration console user account | `admin` |
+|`keycloak_quarkus_bootstrap_admin_user`| Administration console user account | `admin` |
-|`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` |
+|`keycloak_quarkus_admin_user`| Deprecated, use `keycloak_quarkus_bootstrap_admin_user` instead. | |
-|`keycloak_quarkus_host`| Hostname for the Keycloak server | `localhost` |
+|`keycloak_quarkus_bind_address`| Deprecated, use `keycloak_quarkus_http_host` instead |  `0.0.0.0` |
-|`keycloak_quarkus_port`| The port used by the proxy when exposing the hostname | `-1` |
+|`keycloak_quarkus_host`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
-|`keycloak_quarkus_path`| This should be set if proxy uses a different context-path for Keycloak | |
+|`keycloak_quarkus_port`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
-|`keycloak_quarkus_http_port`| HTTP listening port | `8080` |
+|`keycloak_quarkus_path`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
 |`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` |
 |`keycloak_quarkus_ajp_port`| AJP port | `8009` |
 |`keycloak_quarkus_service_user`| Posix account username | `keycloak` |
 |`keycloak_quarkus_service_group`| Posix account group | `keycloak` |
 |`keycloak_quarkus_service_restart_always`| systemd restart always behavior activation | `False` |
 |`keycloak_quarkus_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` |
 |`keycloak_quarkus_service_restartsec`| systemd RestartSec | `10s` |
-|`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-17-openjdk-headless` |
+|`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-21-openjdk-headless` |
 |`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
 |`keycloak_quarkus_java_heap_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` |
 |`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak |
 |`keycloak_quarkus_java_opts`| JVM arguments; if overridden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` |
 |`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file | `[]` |
-|`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | |
+|`keycloak_quarkus_frontend_url`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
-|`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
+|`keycloak_quarkus_admin_url`| Deprecated, use `keycloak_quarkus_hostname_admin` instead. | |
-|`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
+|`keycloak_quarkus_health_check_url`| Full URL (including scheme, host, path, fragment etc.) used for health check endpoint; keycloak_quarkus_hostname will NOT be prepended; helpful when health checks should happen against http port, but keycloak_quarkus_hostname uses https scheme per default | `` |
-|`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
+|`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; keycloak_quarkus_hostname will be prepended automatically; Note that keycloak_quarkus_health_check_url takes precedence over this property | `realms/master/.well-known/openid-configuration` |
 |`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically | `realms/master/.well-known/openid-configuration` |
 |`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
 |`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` |
 |`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` |
 |`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `/etc/pki/tls/private/server.key.pem` |
 |`keycloak_quarkus_cert_file_copy_enabled`| Enable copy of cert file to target host | `False`|
 |`keycloak_quarkus_cert_file_src`| Set the source file path | `""` |
 |`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `/etc/pki/tls/certs/server.crt.pem` |
 |`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` |
 |`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. ||
 |`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.||
 |`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` |
 |`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` |
 |`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` |
 |`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
 |`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` |
 |`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwarded`) | `""` |
 |`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty  | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_keystore_password != ''`, else `''` |
 |`keycloak_quarkus_config_key_store_password`| Password of the configuration keystore; if non-empty, `keycloak_quarkus_db_pass` will be saved to the keystore at `keycloak_quarkus_config_key_store_file` instead of being written to the configuration file in clear text | `""` |
@ -95,8 +77,9 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:--------|
 |`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
-|`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `TCPPING` |
+|`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `JDBCPING` |
 |`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` |
 |`keycloak_quarkus_jgroups_ip`| Host jgroups IP.  If changing this variable you must make sure it is always set for all hosts in your cluster. | `{{ ansible_default_ipv4.address }}` |
 |`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` |
 |`keycloak_quarkus_systemd_wait_for_port` | Whether systemd unit should wait for keycloak port before returning | `{{ keycloak_quarkus_ha_enabled }}` |
 |`keycloak_quarkus_systemd_wait_for_port_number`| Which port the systemd unit should wait for | `{{ keycloak_quarkus_https_port }}` |
@ -106,7 +89,7 @@ Role Defaults
 |`keycloak_quarkus_restart_strategy`| Strategy task file for restarting in HA (one of provided restart/['serial.yml','none.yml','serial_then_parallel.yml']) or path to file when providing custom strategy | `restart/serial.yml` |
 |`keycloak_quarkus_restart_health_check`| Whether to wait for successful health check after restart | `true` |
 |`keycloak_quarkus_restart_health_check_delay`| Seconds to let pass before starting healch checks | `10` |
-|`keycloak_quarkus_restart_health_check_reries`| Number of attempts for successful health check before failing | `25` |
+|`keycloak_quarkus_restart_health_check_retries`| Number of attempts for successful health check before failing | `25` |
 |`keycloak_quarkus_restart_pause`| Seconds to wait between restarts in HA strategy | `15` |
@ -114,49 +97,67 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` |
+|`keycloak_quarkus_hostname`| Address at which is the server exposed. Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request. | |
 |`keycloak_quarkus_hostname_admin`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
 |`keycloak_quarkus_hostname_strict`| Disables dynamically resolving the hostname from request headers | `true` |
-|`keycloak_quarkus_hostname_strict_backchannel`| By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled. | `false` |
+|`keycloak_quarkus_hostname_backchannel_dynamic`| Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL. | `false` |
 |`keycloak_quarkus_hostname_strict_backchannel`| Deprecated, use (the inverted!)`keycloak_quarkus_hostname_backchannel_dynamic` instead. |  |
 #### HTTP(S) configuration
 | Variable | Description | Default |
 |:---------|:------------|:--------|
 |`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` |
 |`keycloak_quarkus_http_host`| The http host, ie. the address used to bind the service |  `0.0.0.0` |
 |`keycloak_quarkus_http_port`| HTTP listening port | `8080` |
 |`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` |
 |`keycloak_quarkus_http_management_port`| Port of the management interface. Relevant only when something is exposed on the management interface - see the guide for details. | `9000` |
 |`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` |
 |`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` |
 |`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` |
 |`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
 |`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` |
 |`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
 |`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` |
 |`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` |
 |`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `/etc/pki/tls/private/server.key.pem` |
 |`keycloak_quarkus_cert_file_copy_enabled`| Enable copy of cert file to target host | `False`|
 |`keycloak_quarkus_cert_file_src`| Set the source file path | `""` |
 |`keycloak_quarkus_cert_file`| The file path to a server certificate or certificate chain in PEM format | `/etc/pki/tls/certs/server.crt.pem` |
 |`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` |
 |`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. ||
 |`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.||
 |`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
 |`keycloak_quarkus_http_management_relative_path` | Set the path relative to / for serving resources from management interface. The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details. | `/` |
 |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
 #### Database configuration
 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_jdbc_engine` | Database engine [mariadb,postres,mssql] | `postgres` |
+|`keycloak_quarkus_db_engine` | Database engine [mariadb,postres,mssql] | `postgres` |
 |`keycloak_quarkus_db_user` | User for database connection | `keycloak-user` |
 |`keycloak_quarkus_db_pass` | Password for database connection | `keycloak-pass` |
-|`keycloak_quarkus_jdbc_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` |
+|`keycloak_quarkus_db_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` |
-|`keycloak_quarkus_jdbc_driver_version` | Version for JDBC driver | `9.4.1212` |
+|`keycloak_quarkus_db_driver_version` | Version for JDBC engine driver | `9.4.1212` |
-#### Remote caches configuration
+#### Cache configuration
 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_ispn_user` | Username for connecting to infinispan | `supervisor` |
+|`keycloak_quarkus_cache_remote_username` | Username for connecting to infinispan | `supervisor` |
-|`keycloak_quarkus_ispn_pass` | Password for connecting to infinispan | `supervisor` |
+|`keycloak_quarkus_cache_remote_password` | Password for connecting to infinispan | `supervisor` |
-|`keycloak_quarkus_ispn_hosts` | host name/port for connecting to infinispan, eg. host1:11222;host2:11222 | `localhost:11222` |
+|`keycloak_quarkus_cache_remote_host` | host name/port for connecting to infinispan, eg. host1:11222;host2:11222 | `localhost:11222` |
-|`keycloak_quarkus_ispn_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` |
+|`keycloak_quarkus_cache_remote_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` |
-|`keycloak_quarkus_ispn_use_ssl` | Whether infinispan uses TLS connection | `false` |
+|`keycloak_quarkus_cache_remote_tls_enabled` | Whether infinispan uses TLS connection | `false` |
 |`keycloak_quarkus_ispn_trust_store_path` | Path to infinispan server trust certificate | `/etc/pki/java/cacerts` |
 |`keycloak_quarkus_ispn_trust_store_password` | Password for infinispan certificate keystore | `changeit` |
-#### Miscellaneous configuration
+#### Logging configuration
 | Variable | Description | Default |
 |:---------|:------------|:--------|
 |`keycloak_quarkus_metrics_enabled`| Whether to enable metrics | `False` |
 |`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints | `True` |
 |`keycloak_quarkus_archive` | keycloak install archive filename | `keycloak-{{ keycloak_quarkus_version }}.zip` |
 |`keycloak_quarkus_installdir` | Installation path | `{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}` |
 |`keycloak_quarkus_home` | Installation work directory | `{{ keycloak_quarkus_installdir }}` |
 |`keycloak_quarkus_config_dir` | Path for configuration | `{{ keycloak_quarkus_home }}/conf` |
 |`keycloak_quarkus_master_realm` | Name for rest authentication realm | `master` |
 |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
 |`keycloak_force_install` | Remove pre-existing versions of service | `False` |
 |`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_http_port }}` |
 |`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` |
 |`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` |
 |`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` |
@ -165,6 +166,21 @@ Role Defaults
 |`keycloak_quarkus_log_max_file_size`| Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): `[0-9]+[KkMmGgTtPpEeZzYy]?`. If no suffix is given, assume bytes. | `10M` |
 |`keycloak_quarkus_log_max_backup_index`| Set the maximum number of archived log files to keep" | `10` |
 |`keycloak_quarkus_log_file_suffix`| Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with `.zip` or `.gz`, the rotation file will also be compressed. | `.yyyy-MM-dd.zip` |
 #### Miscellaneous configuration
 | Variable | Description | Default |
 |:---------|:------------|:--------|
 |`keycloak_quarkus_metrics_enabled`| Whether to enable metrics | `False` |
 |`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints on the management interface | `True` |
 |`keycloak_quarkus_archive` | keycloak install archive filename | `keycloak-{{ keycloak_quarkus_version }}.zip` |
 |`keycloak_quarkus_installdir` | Installation path | `{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}` |
 |`keycloak_quarkus_home` | Installation work directory | `{{ keycloak_quarkus_installdir }}` |
 |`keycloak_quarkus_config_dir` | Path for configuration | `{{ keycloak_quarkus_home }}/conf` |
 |`keycloak_quarkus_master_realm` | Name for rest authentication realm | `master` |
 |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
 |`keycloak_force_install` | Remove pre-existing versions of service | `False` |
 |`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` |
 |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` |
 |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` |
@ -172,7 +188,7 @@ Role Defaults
 |`keycloak_quarkus_show_deprecation_warnings`| Whether deprecation warnings should be shown | `True` |
-#### Vault SPI
+#### Vault configuration
 | Variable | Description | Default |
 |:---------|:------------|:--------|
@ -200,7 +216,7 @@ keycloak_quarkus_providers:
  - id: http-client                         # required; "{{ id }}.jar" identifies the file name on RHBK
    spi: connections                        # required if neither url, local_path nor maven are specified; required for setting properties
    default: true                           # optional, whether to set default for spi, default false
-    restart: true                           # optional, whether to restart, default true
+    restart: true                           # optional, whether to rebuild config and restart the service after deploying, default true
    url: https://.../.../custom_spi.jar     # optional, url for download via http
    local_path: my_theme_spi.jar            # optional, path on local controller for SPI to be uploaded
    maven:                                  # optional, for download using maven
@ -213,6 +229,10 @@ keycloak_quarkus_providers:
    properties:                             # optional, list of key-values
      - key: default-connection-pool-size
        value: 10
    checksum: sha256:D98291AC[...]B6DC7B97  # optional, checksum used to verify integrity:
                                            #  for `url` SPIs, use format: <algorithm>:<checksum|url>, cf. <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html#parameter-checksum>;
                                            #  for `local_path` SPIs, use SHA1 format <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-checksum>
                                            #  for `maven` SPIs, this field is ignored since maven has integrity verification methods enabled by default
 ```
 the definition above will generate the following build command:
@ -232,9 +252,9 @@ Provider definition:
 ```yaml
 keycloak_quarkus_policies:
-  - name: xato-net-10-million-passwords.txt                                                                # required, resulting file name
+  - name: john-the-ripper.txt                                                                          # required, resulting file name
-    url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt # required, url for download
+    url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt  # required, url for download
-    type: password-blacklists                                                                              # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`]
+    type: password-blacklists                                                                          # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`]
 ```
@ -243,9 +263,8 @@ Role Variables
 | Variable | Description | Required |
 |:---------|:------------|----------|
-|`keycloak_quarkus_admin_pass`| Password of console admin account | `yes` |
+|`keycloak_quarkus_bootstrap_admin_password`| Password of console admin account | `yes` |
-|`keycloak_quarkus_frontend_url`| Base URL for frontend URLs, including scheme, host, port and path | `no` |
+|`keycloak_quarkus_admin_pass`| Deprecated, use `keycloak_quarkus_bootstrap_admin_password` instead. | |
 |`keycloak_quarkus_admin_url`| Base URL for accessing the administration console, including scheme, host, port and path | `no` |
 |`keycloak_quarkus_ks_vault_pass`| The password for accessing the keystore vault SPI | `no` |
 |`keycloak_quarkus_alternate_download_url`| Alternate location with optional authentication for downloading RHBK | `no` |
 |`keycloak_quarkus_download_user`| Optional username for http authentication  | `no*` |
@ -265,7 +284,7 @@ The role uses the following [custom facts](https://docs.ansible.com/ansible/late
 | Variable | Description |
 |:---------|:------------|
-|`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_admin_user[_pass]` gets created |
+|`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_bootstrap_admin_user[_password]` gets created |
 License
 -------
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@ -1,6 +1,6 @@
 ---
 ### Configuration specific to keycloak
-keycloak_quarkus_version: 24.0.5
+keycloak_quarkus_version: 26.2.4
 keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
 keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
 keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
@ -27,19 +27,18 @@ keycloak_quarkus_configure_firewalld: false
 keycloak_quarkus_configure_iptables: false
 ### administrator console password
-keycloak_quarkus_admin_user: admin
+keycloak_quarkus_bootstrap_admin_user: admin
-keycloak_quarkus_admin_pass:
+keycloak_quarkus_bootstrap_admin_password:
 keycloak_quarkus_master_realm: master
 ### Configuration settings
-keycloak_quarkus_bind_address: 0.0.0.0
+keycloak_quarkus_bind_address: 0.0.0.0 # deprecated use keycloak_quarkus_http_host
-keycloak_quarkus_host: localhost
+keycloak_quarkus_http_host: 0.0.0.0
 keycloak_quarkus_port: -1
 keycloak_quarkus_path:
 keycloak_quarkus_http_enabled: true
 keycloak_quarkus_http_port: 8080
 keycloak_quarkus_https_port: 8443
-keycloak_quarkus_ajp_port: 8009
+keycloak_quarkus_http_management_port: 9000
 keycloak_quarkus_jgroups_ip: "{{ ansible_default_ipv4.address }}"
 keycloak_quarkus_jgroups_port: 7800
 keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx2048m"
 keycloak_quarkus_java_jvm_opts: "-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8
@ -71,7 +70,7 @@ keycloak_quarkus_config_key_store_password: ''
 ### Enable configuration for database backend, clustering and remote caches on infinispan
 keycloak_quarkus_ha_enabled: false
-keycloak_quarkus_ha_discovery: "TCPPING"
+keycloak_quarkus_ha_discovery: "JDBCPING"
 ### Enable database configuration, must be enabled when HA is configured
 keycloak_quarkus_db_enabled: "{{ keycloak_quarkus_ha_enabled }}"
 keycloak_quarkus_systemd_wait_for_port: "{{ keycloak_quarkus_ha_enabled }}"
@ -81,8 +80,8 @@ keycloak_quarkus_systemd_wait_for_timeout: 60
 keycloak_quarkus_systemd_wait_for_delay: 10
 ### keycloak frontend url
-keycloak_quarkus_frontend_url:
+keycloak_quarkus_hostname:
-keycloak_quarkus_admin_url:
+keycloak_quarkus_hostname_admin:
 ### Set the path relative to / for serving resources. The path must start with a /
 ### (set to `/auth` for retrocompatibility with pre-quarkus releases)
@ -91,9 +90,9 @@ keycloak_quarkus_http_relative_path: /
 # Disables dynamically resolving the hostname from request headers.
 # Should always be set to true in production, unless proxy verifies the Host header.
 keycloak_quarkus_hostname_strict: true
-# By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications.
+# Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path.
-# If all applications use the public URL this option should be enabled.
+# Set to true if your application accesses Keycloak via a private network. If set to true, keycloak_quarkus_hostname option needs to be specified as a full URL.
-keycloak_quarkus_hostname_strict_backchannel: false
+keycloak_quarkus_hostname_backchannel_dynamic: false
 # The proxy headers that should be accepted by the server. ['', 'forwarded', 'xforwarded']
 keycloak_quarkus_proxy_headers: ""
@ -112,35 +111,33 @@ keycloak_quarkus_metrics_enabled: false
 keycloak_quarkus_health_enabled: true
 ### infinispan remote caches access (hotrod)
-keycloak_quarkus_ispn_user: supervisor
+keycloak_quarkus_cache_remote_username: supervisor
-keycloak_quarkus_ispn_pass: supervisor
+keycloak_quarkus_cache_remote_password: supervisor
-keycloak_quarkus_ispn_hosts: "localhost:11222"
+keycloak_quarkus_cache_remote_host: "localhost:11222"
-keycloak_quarkus_ispn_sasl_mechanism: SCRAM-SHA-512
+keycloak_quarkus_cache_remote_tls_enabled: false
-keycloak_quarkus_ispn_use_ssl: false
+keycloak_quarkus_cache_remote_sasl_mechanism: SCRAM-SHA-512
-# if ssl is enabled, import ispn server certificate here
+
 keycloak_quarkus_ispn_trust_store_path: /etc/pki/java/cacerts
 keycloak_quarkus_ispn_trust_store_password: changeit
 ### database backend engine: values [ 'postgres', 'mariadb' ]
-keycloak_quarkus_jdbc_engine: postgres
+keycloak_quarkus_db_engine: postgres
 ### database backend credentials
 keycloak_quarkus_db_user: keycloak-user
 keycloak_quarkus_db_pass: keycloak-pass
-keycloak_quarkus_jdbc_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
+keycloak_quarkus_db_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].url }}"
-keycloak_quarkus_jdbc_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
+keycloak_quarkus_db_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].version }}"
-# override the variables above, following defaults show minimum supported versions
+# override the variables above, following defaults show recommended version as per
 # https://access.redhat.com/articles/7033107
 keycloak_quarkus_default_jdbc:
  postgres:
    url: 'jdbc:postgresql://localhost:5432/keycloak'
-    version: 9.4.1212
+    version: 42.7.5
  mariadb:
    url: 'jdbc:mariadb://localhost:3306/keycloak'
-    version: 2.7.4
+    version: 3.5.2
  mssql:
    url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
-    version: 12.4.2
+    version: 12.8.1
-    driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.4.2.jre11/mssql-jdbc-12.4.2.jre11.jar"
+    driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.8.1.jre11/mssql-jdbc-12.8.1.jre11.jar"
    # cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/24.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver
 ### logging configuration
 keycloak_quarkus_log: file
 keycloak_quarkus_log_level: info
@ -165,5 +162,5 @@ keycloak_quarkus_supported_policy_types: ['password-blacklists']
 keycloak_quarkus_restart_strategy: restart/serial.yml
 keycloak_quarkus_restart_health_check: true
 keycloak_quarkus_restart_health_check_delay: 10
-keycloak_quarkus_restart_health_check_reries: 25
+keycloak_quarkus_restart_health_check_retries: 25
 keycloak_quarkus_restart_pause: 15
--- a/roles/keycloak_quarkus/handlers/main.yml
+++ b/roles/keycloak_quarkus/handlers/main.yml
@ -1,4 +1,7 @@
 ---
 - name: "Invalidate {{ keycloak.service_name }} theme cache"
  ansible.builtin.include_tasks: invalidate_theme_cache.yml
  listen: "invalidate keycloak theme cache"
 # handler should be invoked anytime a [build configuration](https://www.keycloak.org/server/all-config?f=build) changes
 - name: "Rebuild {{ keycloak.service_name }} config"
  ansible.builtin.include_tasks: rebuild_config.yml
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@ -2,7 +2,7 @@ argument_specs:
    main:
        options:
            keycloak_quarkus_version:
-                default: "24.0.5"
+                default: "26.2.4"
                description: "keycloak.org package version"
                type: "str"
            keycloak_quarkus_archive:
@ -22,7 +22,7 @@ argument_specs:
                description: "Perform an offline install"
                type: "bool"
            keycloak_quarkus_jvm_package:
-                default: "java-11-openjdk-headless"
+                default: "java-21-openjdk-headless"
                description: "RHEL java package runtime"
                type: "str"
            keycloak_quarkus_java_home:
@ -68,13 +68,13 @@ argument_specs:
                default: "10s"
                description: "systemd RestartSec for service"
                type: "str"
-            keycloak_quarkus_admin_user:
+            keycloak_quarkus_bootstrap_admin_user:
                default: "admin"
-                description: "Administration console user account"
+                description: "Administration user account, only for bootstrapping"
                type: "str"
-            keycloak_quarkus_admin_pass:
+            keycloak_quarkus_bootstrap_admin_password:
                required: true
-                description: "Password of console admin account"
+                description: "Password of admin account, only for bootstrapping"
                type: "str"
            keycloak_quarkus_master_realm:
                default: "master"
@ -82,31 +82,40 @@ argument_specs:
                type: "str"
            keycloak_quarkus_bind_address:
                default: "0.0.0.0"
-                description: "Address for binding service ports"
+                description: "Deprecated, use `keycloak_quarkus_http_host`"
                type: "str"
            keycloak_quarkus_hostname:
                description: >-
                    Address at which is the server exposed.
                    Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request.
                type: "str"
            keycloak_quarkus_host:
-                default: "localhost"
+                description: "Deprecated in v26, use keycloak_quarkus_hostname instead."
                description: "Hostname for the Keycloak server"
                type: "str"
            keycloak_quarkus_port:
-                default: -1
+                description: "Deprecated in v26, use keycloak_quarkus_hostname instead."
                description: "The port used by the proxy when exposing the hostname"
                type: "int"
            keycloak_quarkus_path:
-                required: false
+                description: "Deprecated in v26, use keycloak_quarkus_hostname instead."
                description: "This should be set if proxy uses a different context-path for Keycloak"
                type: "str"
            keycloak_quarkus_http_enabled:
                default: true
                description: "Enable listener on HTTP port"
                type: "bool"
            keycloak_quarkus_http_host:
                default: '0.0.0.0'
                description: "HTTP host, address for binding service ports"
                type: "str"
            keycloak_quarkus_http_port:
                default: 8080
                description: "HTTP port"
                type: "int"
            keycloak_quarkus_health_check_url:
                description: "Full URL (including scheme, host, path, fragment etc.) used for health check endpoint; keycloak_quarkus_hostname will NOT be prepended; helpful when health checks should happen against http port, but keycloak_quarkus_hostname uses https scheme per default"
                type: "str"
            keycloak_quarkus_health_check_url_path:
                default: "realms/master/.well-known/openid-configuration"
-                description: "Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically"
+                description: "Path to the health check endpoint; keycloak_quarkus_hostname will be prepended automatically; Note that keycloak_quarkus_health_check_url takes precedence over this property"
                type: "str"
            keycloak_quarkus_https_key_file_enabled:
                default: false
@ -182,10 +191,14 @@ argument_specs:
                default: 8443
                description: "HTTPS port"
                type: "int"
-            keycloak_quarkus_ajp_port:
+            keycloak_quarkus_http_management_port:
-                default: 8009
+                default: 9000
-                description: "AJP port"
+                description: "Port of the management interface. Relevant only when something is exposed on the management interface - see the guide for details."
                type: "int"
            keycloak_quarkus_jgroups_ip:
                default: "{{ ansible_default_ipv4.address }}"
                description: Host jgroups IP.  If changing this variable you must make sure it is always set for all hosts in your cluster.
                type: "str"
            keycloak_quarkus_jgroups_port:
                default: 7800
                description: "jgroups cluster tcp port"
@ -226,13 +239,21 @@ argument_specs:
                default: /
                description: "Set the path relative to / for serving resources. The path must start with a /"
                type: "str"
            keycloak_quarkus_http_management_relative_path:
                required: false
                description: "Set the path relative to / for serving resources from management interface. The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details."
                type: "str"
            keycloak_quarkus_frontend_url:
                required: false
-                description: "Service public URL"
+                description: "Deprecated in v26, use keycloak_quarkus_hostname instead."
                type: "str"
            keycloak_quarkus_hostname_admin:
                required: false
                description: "Service URL for the admin console"
                type: "str"
            keycloak_quarkus_admin_url:
                required: false
-                description: "Service URL for the admin console"
+                description: "Deprecated in v26, use keycloak_quarkus_hostname_admin instead."
                type: "str"
            keycloak_quarkus_metrics_enabled:
                default: false
@ -240,37 +261,29 @@ argument_specs:
                type: "bool"
            keycloak_quarkus_health_enabled:
                default: true
-                description: "If the server should expose health check endpoints"
+                description: "If the server should expose health check endpoints on the management interface"
                type: "bool"
-            keycloak_quarkus_ispn_user:
+            keycloak_quarkus_cache_remote_username:
                default: "supervisor"
                description: "Username for connecting to infinispan"
                type: "str"
-            keycloak_quarkus_ispn_pass:
+            keycloak_quarkus_cache_remote_password:
                default: "supervisor"
                description: "Password for connecting to infinispan"
                type: "str"
-            keycloak_quarkus_ispn_hosts:
+            keycloak_quarkus_cache_remote_host:
                default: "localhost:11222"
                description: "host name/port for connecting to infinispan, eg. host1:11222;host2:11222"
                type: "str"
-            keycloak_quarkus_ispn_sasl_mechanism:
+            keycloak_quarkus_cache_remote_sasl_mechanism:
                default: "SCRAM-SHA-512"
                description: "Infinispan auth mechanism"
                type: "str"
-            keycloak_quarkus_ispn_use_ssl:
+            keycloak_quarkus_cache_remote_tls_enabled:
                default: false
                description: "Whether infinispan uses TLS connection"
                type: "bool"
-            keycloak_quarkus_ispn_trust_store_path:
+            keycloak_quarkus_db_engine:
                default: "/etc/pki/java/cacerts"
                description: "Path to infinispan server trust certificate"
                type: "str"
            keycloak_quarkus_ispn_trust_store_password:
                default: "changeit"
                description: "Password for infinispan certificate keystore"
                type: "str"
            keycloak_quarkus_jdbc_engine:
                default: "postgres"
                description: "Database engine [mariadb,postres,mssql]"
                type: "str"
@ -282,12 +295,12 @@ argument_specs:
                default: "keycloak-pass"
                description: "Password for database connection"
                type: "str"
-            keycloak_quarkus_jdbc_url:
+            keycloak_quarkus_db_url:
-                default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
+                default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].url }}"
                description: "JDBC URL for connecting to database"
                type: "str"
-            keycloak_quarkus_jdbc_driver_version:
+            keycloak_quarkus_db_driver_version:
-                default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
+                default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].version }}"
                description: "Version for JDBC driver"
                type: "str"
            keycloak_quarkus_log:
@ -348,24 +361,18 @@ argument_specs:
                description: >
                  Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless
                  proxy verifies the Host header.
-            keycloak_quarkus_hostname_strict_backchannel:
+            keycloak_quarkus_hostname_backchannel_dynamic:
                default: false
                type: "bool"
                description: >
-                  By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all
+                    Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path.
-                  applications use the public URL this option should be enabled.
+                    Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL.
            keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route:
                default: true
                type: "bool"
                description: >
                  If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies
                  and we rely on the session affinity capabilities from reverse proxy
            keycloak_quarkus_hostname_strict_https:
                type: "bool"
                required: false
                description: >
                  By default, Keycloak requires running using TLS/HTTPS. If the service MUST run without TLS/HTTPS, then set
                  this option to "true"
            keycloak_quarkus_ks_vault_enabled:
                default: false
                type: "bool"
@ -453,7 +460,7 @@ argument_specs:
                description: "Seconds to let pass before starting healch checks"
                default: 10
                type: 'int'
-            keycloak_quarkus_restart_health_check_reries:
+            keycloak_quarkus_restart_health_check_retries:
                description: "Number of attempts for successful health check before failing"
                default: 25
                type: 'int'
@ -468,7 +475,7 @@ argument_specs:
    downstream:
        options:
            rhbk_version:
-                default: "24.0.3"
+                default: "26.2.4"
                description: "Red Hat Build of Keycloak version"
                type: "str"
            rhbk_archive:
--- a/roles/keycloak_quarkus/meta/main.yml
+++ b/roles/keycloak_quarkus/meta/main.yml
@ -8,7 +8,7 @@ galaxy_info:
  license: Apache License 2.0
-  min_ansible_version: "2.15"
+  min_ansible_version: "2.16"
  platforms:
    - name: EL
--- a/roles/keycloak_quarkus/tasks/debian.yml
+++ b/roles/keycloak_quarkus/tasks/debian.yml
@ -1,6 +1,10 @@
 ---
 - name: Include firewall config tasks
-  ansible.builtin.include_tasks: iptables.yml
+  ansible.builtin.include_tasks:
    file: iptables.yml
    apply:
      tags:
        - firewall
  when: keycloak_quarkus_configure_iptables
  tags:
    - firewall
--- a/roles/keycloak_quarkus/tasks/deprecations.yml
+++ b/roles/keycloak_quarkus/tasks/deprecations.yml
@ -49,5 +49,114 @@
  notify:
    - print deprecation warning
 # https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
 - name: Check deprecation of keycloak_quarkus_frontend_url -> keycloak_quarkus_hostname
  when:
    - keycloak_quarkus_hostname is not defined
    - keycloak_quarkus_frontend_url is defined
    - keycloak_quarkus_frontend_url != ''
  delegate_to: localhost
  run_once: true
  changed_when: keycloak_quarkus_show_deprecation_warnings
  ansible.builtin.set_fact:
    keycloak_quarkus_hostname: "{{ keycloak_quarkus_frontend_url }}"
    deprecated_variable: "keycloak_quarkus_frontend_url" # read in deprecation handler
  notify:
    - print deprecation warning
 # https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
 - name: Check deprecation of keycloak_quarkus_hostname_strict_https + keycloak_quarkus_host + keycloak_quarkus_port + keycloak_quarkus_path -> keycloak_quarkus_hostname
  when:
    - keycloak_quarkus_hostname is not defined
    - keycloak_quarkus_hostname_strict_https is defined or keycloak_quarkus_frontend_url is defined or keycloak_quarkus_port is defined or keycloak_quarkus_path is defined
  delegate_to: localhost
  run_once: true
  changed_when: keycloak_quarkus_show_deprecation_warnings
  ansible.builtin.set_fact:
    keycloak_quarkus_hostname: >-
      {% set protocol = '' %}
      {% if keycloak_quarkus_hostname_strict_https %}
        {% set protocol = 'https://' %}
      {% elif keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is False %}
        {% set protocol = 'http://' %}
      {% endif %}
      {{ protocol }}{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_port }}/{{ keycloak_quarkus_path }}
    deprecated_variable: "keycloak_quarkus_hostname_strict_https or keycloak_quarkus_frontend_url or keycloak_quarkus_frontend_url or keycloak_quarkus_hostname" # read in deprecation handler
  notify:
    - print deprecation warning
 # https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
 - name: Check deprecation of keycloak_quarkus_admin_url -> keycloak_quarkus_hostname_admin
  when:
    - keycloak_quarkus_hostname_admin is not defined
    - keycloak_quarkus_admin_url is defined
    - keycloak_quarkus_admin_url != ''
  delegate_to: localhost
  run_once: true
  changed_when: keycloak_quarkus_show_deprecation_warnings
  ansible.builtin.set_fact:
    keycloak_quarkus_hostname_admin: "{{ keycloak_quarkus_admin_url }}"
    deprecated_variable: "keycloak_quarkus_admin_url" # read in deprecation handler
  notify:
    - print deprecation warning
 # https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
 - name: Check deprecation of keycloak_quarkus_hostname_strict_backchannel -> keycloak_quarkus_hostname_backchannel_dynamic
  when:
    - keycloak_quarkus_hostname_backchannel_dynamic is not defined
    - keycloak_quarkus_hostname_strict_backchannel is defined
    - keycloak_quarkus_hostname_strict_backchannel != ''
  delegate_to: localhost
  run_once: true
  changed_when: keycloak_quarkus_show_deprecation_warnings
  ansible.builtin.set_fact:
    keycloak_quarkus_hostname_backchannel_dynamic: "{{ keycloak_quarkus_hostname_strict_backchannel == False }}"
    deprecated_variable: "keycloak_quarkus_hostname_backchannel_dynamic" # read in deprecation handler
  notify:
    - print deprecation warning
 # https://github.com/keycloak/keycloak/issues/30009
 - name: Check deprecation of keycloak_quarkus_admin_user -> keycloak_quarkus_bootstrap_admin_user
  when:
    - keycloak_quarkus_bootstrap_admin_user is not defined
    - keycloak_quarkus_admin_user is defined
    - keycloak_quarkus_admin_user != ''
  delegate_to: localhost
  run_once: true
  changed_when: keycloak_quarkus_show_deprecation_warnings
  ansible.builtin.set_fact:
    keycloak_quarkus_bootstrap_admin_user: "{{ keycloak_quarkus_admin_user }}"
    deprecated_variable: "keycloak_quarkus_admin_user" # read in deprecation handler
  notify:
    - print deprecation warning
 # https://github.com/keycloak/keycloak/issues/30009
 - name: Check deprecation of keycloak_quarkus_admin_pass -> keycloak_quarkus_bootstrap_admin_password
  when:
    - keycloak_quarkus_bootstrap_admin_password is not defined
    - keycloak_quarkus_admin_pass is defined
    - keycloak_quarkus_admin_pass != ''
  delegate_to: localhost
  run_once: true
  changed_when: keycloak_quarkus_show_deprecation_warnings
  ansible.builtin.set_fact:
    keycloak_quarkus_bootstrap_admin_user: "{{ keycloak_quarkus_admin_pass }}"
    deprecated_variable: "keycloak_quarkus_admin_pass" # read in deprecation handler
  notify:
    - print deprecation warning
 - name: Check deprecation of keycloak_quarkus_bind_address -> keycloak_quarkus_http_host
  when:
    - keycloak_quarkus_bind_address is defined
    - keycloak_quarkus_bind_address != '0.0.0.0'
  delegate_to: localhost
  run_once: true
  changed_when: keycloak_quarkus_show_deprecation_warnings
  ansible.builtin.set_fact:
    keycloak_quarkus_http_host: "{{ keycloak_quarkus_bind_address }}"
    deprecated_variable: "keycloak_quarkus_bind_address" # read in deprecation handler
  notify:
    - print deprecation warning
 - name: Flush handlers
  ansible.builtin.meta: flush_handlers
--- a/roles/keycloak_quarkus/tasks/firewalld.yml
+++ b/roles/keycloak_quarkus/tasks/firewalld.yml
@ -12,7 +12,7 @@
    enabled: true
    state: started
- name: "Configure firewall for {{ keycloak.service_name }} ports"
+- name: "Configure firewall for {{ keycloak.service_name }} http port"
  become: true
  ansible.posix.firewalld:
    port: "{{ item }}"
@ -21,5 +21,16 @@
    immediate: true
  loop:
    - "{{ keycloak_quarkus_http_port }}/tcp"
  when: keycloak_quarkus_http_enabled | bool
 - name: "Configure firewall for {{ keycloak.service_name }} ports"
  become: true
  ansible.posix.firewalld:
    port: "{{ item }}"
    permanent: true
    state: enabled
    immediate: true
  loop:
    - "{{ keycloak_quarkus_https_port }}/tcp"
    - "{{ keycloak_quarkus_http_management_port }}/tcp"
    - "{{ keycloak_quarkus_jgroups_port }}/tcp"
--- a/roles/keycloak_quarkus/tasks/install.yml
+++ b/roles/keycloak_quarkus/tasks/install.yml
@ -202,11 +202,11 @@
    - keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled
    - keycloak_quarkus_cert_file_src | length > 0
- name: "Install {{ keycloak_quarkus_jdbc_engine }} JDBC driver"
+- name: "Install {{ keycloak_quarkus_db_engine }} JDBC driver"
  ansible.builtin.include_tasks: jdbc_driver.yml
  when:
    - rhbk_enable is defined and rhbk_enable
-    - keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url is defined
+    - keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url is defined
 - name: "Download custom providers via http"
  ansible.builtin.get_url:
@ -215,10 +215,11 @@
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0640'
    checksum: "{{ item.checksum | default(omit) }}"
  become: true
  loop: "{{ keycloak_quarkus_providers }}"
  when: item.url is defined and item.url | length > 0
-  notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}"
+  notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}"
 # this requires the `lxml` package to be installed; we redirect this step to localhost such that we do need to install it on the remote hosts
 - name: "Download custom providers to localhost using maven"
@ -235,7 +236,6 @@
  loop: "{{ keycloak_quarkus_providers }}"
  when: item.maven is defined
  no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}"
  notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}"
 - name: "Copy maven providers"
  ansible.builtin.copy:
@ -244,12 +244,14 @@
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0640'
    checksum: "{{ item.checksum | default(omit) }}"
  become: true
  loop: "{{ keycloak_quarkus_providers }}"
  when: item.maven is defined
  no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}"
  notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}"
- name: "Copy providers"
+- name: "Copy local providers"
  ansible.builtin.copy:
    src: "{{ item.local_path }}"
    dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar"
@ -259,6 +261,7 @@
  become: true
  loop: "{{ keycloak_quarkus_providers }}"
  when: item.local_path is defined
  notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}"
 - name: Ensure required folder structure for policies exists
  ansible.builtin.file:
--- a/roles/keycloak_quarkus/tasks/invalidate_theme_cache.yml
+++ b/roles/keycloak_quarkus/tasks/invalidate_theme_cache.yml
@ -0,0 +1,11 @@
 ---
 # From https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/24.0/html/server_developer_guide/themes#creating_a_theme:
 # If you want to manually delete the content of the themes cache,
 # you can do so by deleting the data/tmp/kc-gzip-cache directory of the server distribution
 # It can be useful for instance if you redeployed custom providers or custom themes without
 # disabling themes caching in the previous server executions.
 - name: "Delete {{ keycloak.service_name }} theme cache directory"
  ansible.builtin.file:
    path: "{{ keycloak.home }}/data/tmp/kc-gzip-cache"
    state: absent
  become: true
--- a/roles/keycloak_quarkus/tasks/jdbc_driver.yml
+++ b/roles/keycloak_quarkus/tasks/jdbc_driver.yml
@ -7,9 +7,9 @@
    (keycloak_quarkus_jdbc_download_user is undefined and keycloak_quarkus_jdbc_download_pass is not undefined) or
    (keycloak_quarkus_jdbc_download_pass is undefined and keycloak_quarkus_jdbc_download_user is not undefined)
- name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
+- name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url) }}"
  ansible.builtin.get_url:
-    url: "{{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
+    url: "{{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url) }}"
    dest: "{{ keycloak.home }}/providers"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
--- a/roles/keycloak_quarkus/tasks/main.yml
+++ b/roles/keycloak_quarkus/tasks/main.yml
@ -1,34 +1,58 @@
 ---
 # tasks file for keycloak
 - name: Check prerequisites
-  ansible.builtin.include_tasks: prereqs.yml
+  ansible.builtin.include_tasks:
    file: prereqs.yml
    apply:
      tags:
        - prereqs
  tags:
    - prereqs
    - always
 - name: Check for deprecations
-  ansible.builtin.include_tasks: deprecations.yml
+  ansible.builtin.include_tasks:
    file: deprecations.yml
    apply:
      tags:
        - always
  tags:
    - always
 - name: Distro specific tasks
-  ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml"
+  ansible.builtin.include_tasks:
    file: "{{ ansible_os_family | lower }}.yml"
    apply:
      tags:
        - unbound
  tags:
    - unbound
 - name: Include install tasks
-  ansible.builtin.include_tasks: install.yml
+  ansible.builtin.include_tasks:
    file: install.yml
    apply:
      tags:
        - install
  tags:
    - install
 - name: Include systemd tasks
-  ansible.builtin.include_tasks: systemd.yml
+  ansible.builtin.include_tasks:
    file: systemd.yml
    apply:
      tags:
        - systemd
  tags:
    - systemd
 - name: Include configuration key store tasks
  ansible.builtin.include_tasks:
    file: config_store.yml
    apply:
      tags:
        - install
  when: keycloak.config_key_store_enabled
  ansible.builtin.include_tasks: config_store.yml
  tags:
    - install
@ -39,8 +63,8 @@
        {
          "name": item,
          "address": 'jgroups-' + item,
-          "inventory_host": hostvars[item].ansible_default_ipv4.address | default(item) + '[' + (keycloak_quarkus_jgroups_port | string) + ']',
+          "inventory_host": hostvars[item].keycloak_quarkus_jgroups_ip | default(item) + '[' + (keycloak_quarkus_jgroups_port | string) + ']',
-          "value": hostvars[item].ansible_default_ipv4.address | default(item)
+          "value": hostvars[item].keycloak_quarkus_jgroups_ip | default(item)
        }
      ] }}
  loop: "{{ ansible_play_batch }}"
@ -91,7 +115,7 @@
  register: keycloak_service_status
  changed_when: false
- name: "Notify to remove `keycloak_quarkus_admin_user[_pass]` env vars"
+- name: "Notify to remove `keycloak_quarkus_bootstrap_admin_user[_password]` env vars"
  when:
    - not ansible_local.keycloak.general.bootstrapped | default(false) | bool # it was not bootstrapped prior to the current role's execution
    - keycloak_service_status.status.ActiveState == "active"                  # but it is now
--- a/roles/keycloak_quarkus/tasks/prereqs.yml
+++ b/roles/keycloak_quarkus/tasks/prereqs.yml
@ -2,12 +2,12 @@
 - name: Validate admin console password
  ansible.builtin.assert:
    that:
-      - keycloak_quarkus_admin_pass | length > 12
+      - keycloak_quarkus_bootstrap_admin_password | length > 12
    quiet: true
-    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass to a 12+ char long string"
+    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_bootstrap_admin_password to a 12+ char long string"
    success_msg: "{{ 'Console administrator password OK' }}"
- name: Validate relative path
+- name: Validate http_relative_path
  ansible.builtin.assert:
    that:
      - keycloak_quarkus_http_relative_path is regex('^/.*')
@ -15,6 +15,15 @@
    fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /"
    success_msg: "{{ 'Relative path OK' }}"
 - name: Validate http_management_relative_path
  ansible.builtin.assert:
    that:
      - keycloak_quarkus_http_management_relative_path is regex('^/.*')
    quiet: true
    fail_msg: "The relative path for keycloak_quarkus_http_management_relative_path must begin with /"
    success_msg: "{{ 'Relative mgmt path OK' }}"
  when: keycloak_quarkus_http_management_relative_path is defined
 - name: Validate configuration
  ansible.builtin.assert:
    that:
--- a/roles/keycloak_quarkus/tasks/rebuild_config.yml
+++ b/roles/keycloak_quarkus/tasks/rebuild_config.yml
@ -2,9 +2,6 @@
 # cf. https://www.keycloak.org/server/configuration#_optimize_the_keycloak_startup
 - name: "Rebuild {{ keycloak.service_name }} config"
  ansible.builtin.shell: | # noqa blocked_modules shell is necessary here
-    {{ keycloak.home }}/bin/kc.sh build
+    env -i bash -c "set -a ; source {{ keycloak_quarkus_sysconf_file }} ; {{ keycloak.home }}/bin/kc.sh build "
  environment:
    PATH: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    JAVA_HOME: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}"
  become: true
  changed_when: true
--- a/roles/keycloak_quarkus/tasks/redhat.yml
+++ b/roles/keycloak_quarkus/tasks/redhat.yml
@ -1,6 +1,10 @@
 ---
 - name: Include firewall config tasks
-  ansible.builtin.include_tasks: firewalld.yml
+  ansible.builtin.include_tasks:
    file: firewalld.yml
    apply:
      tags:
        - firewall
  when: keycloak_quarkus_configure_firewalld
  tags:
    - firewall
--- a/roles/keycloak_quarkus/tasks/restart.yml
+++ b/roles/keycloak_quarkus/tasks/restart.yml
@ -12,7 +12,7 @@
    url: "{{ keycloak.health_url }}"
  register: keycloak_status
  until: keycloak_status.status == 200
-  retries: "{{ keycloak_quarkus_restart_health_check_reries }}"
+  retries: "{{ keycloak_quarkus_restart_health_check_retries }}"
  delay: "{{ keycloak_quarkus_restart_health_check_delay }}"
  when: internal_force_health_check | default(keycloak_quarkus_restart_health_check)
--- a/roles/keycloak_quarkus/tasks/start.yml
+++ b/roles/keycloak_quarkus/tasks/start.yml
@ -14,3 +14,4 @@
  until: keycloak_status.status == 200
  retries: 25
  delay: 10
  when: internal_force_health_check | default(keycloak_quarkus_restart_health_check)
--- a/roles/keycloak_quarkus/tasks/systemd.yml
+++ b/roles/keycloak_quarkus/tasks/systemd.yml
@ -10,6 +10,7 @@
  vars:
    keycloak_sys_pkg_java_home: "{{ keycloak_quarkus_pkg_java_home }}"
  notify:
    - rebuild keycloak config
    - restart keycloak
 - name: "Configure systemd unit file for keycloak service"
@ -22,4 +23,5 @@
  become: true
  register: systemdunit
  notify:
    - rebuild keycloak config
    - restart keycloak
--- a/roles/keycloak_quarkus/templates/cache-ispn.xml.j2
+++ b/roles/keycloak_quarkus/templates/cache-ispn.xml.j2
@ -18,15 +18,16 @@
 <infinispan
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="urn:infinispan:config:14.0 http://www.infinispan.org/schemas/infinispan-config-14.0.xsd"
+        xsi:schemaLocation="urn:infinispan:config:15.0 http://www.infinispan.org/schemas/infinispan-config-15.0.xsd"
-        xmlns="urn:infinispan:config:14.0">
+        xmlns="urn:infinispan:config:15.0">
 {% set stack_expression='' %}
-{% if keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING' %}
+{% if keycloak_quarkus_ha_enabled %}
 {% if keycloak_quarkus_ha_discovery == 'TCPPING' %}
 {% set stack_expression='stack="tcpping"' %}
    <jgroups>
        <stack name="tcpping" extends="tcp">
-            <!-- <TCP external_addr="${env.KC_EXTERNAL_ADDR}" bind_addr="{{ keycloak_quarkus_bind_address }}" bind_port="{{ keycloak_quarkus_jgroups_port }}" /> -->
+            <!-- <TCP external_addr="${env.KC_EXTERNAL_ADDR}" bind_addr="{{ keycloak_quarkus_http_host }}" bind_port="{{ keycloak_quarkus_jgroups_port }}" /> -->
            <TCPPING
                initial_hosts="{{ keycloak_quarkus_cluster_nodes | map(attribute='inventory_host') | join (',') }}"
                port_range="0"
@ -35,6 +36,9 @@
            />
        </stack>
    </jgroups>
 {% elif keycloak_quarkus_ha_discovery == 'JDBCPING' %}
 {% set stack_expression='stack="JDBC_PING2"' %}
 {% endif %}
 {% endif %}
    <cache-container name="keycloak">
@ -55,18 +59,22 @@
        </local-cache>
        <distributed-cache name="sessions" owners="2">
            <expiration lifespan="-1"/>
            <memory max-count="10000"/>
        </distributed-cache>
        <distributed-cache name="authenticationSessions" owners="2">
            <expiration lifespan="-1"/>
        </distributed-cache>
        <distributed-cache name="offlineSessions" owners="2">
            <expiration lifespan="-1"/>
            <memory max-count="10000"/>
        </distributed-cache>
        <distributed-cache name="clientSessions" owners="2">
            <expiration lifespan="-1"/>
            <memory max-count="10000"/>
        </distributed-cache>
        <distributed-cache name="offlineClientSessions" owners="2">
            <expiration lifespan="-1"/>
            <memory max-count="10000"/>
        </distributed-cache>
        <distributed-cache name="loginFailures" owners="2">
            <expiration lifespan="-1"/>
@ -89,6 +97,14 @@
            <expiration max-idle="3600000"/>
            <memory max-count="1000"/>
        </local-cache>
        <local-cache name="crl" simple-cache="true">
            <encoding>
                <key media-type="application/x-java-object"/>
                <value media-type="application/x-java-object"/>
            </encoding>
            <expiration lifespan="-1"/>
            <memory max-count="1000"/>
        </local-cache>
        <distributed-cache name="actionTokens" owners="2">
            <encoding>
                <key media-type="application/x-java-object"/>
@ -98,4 +114,4 @@
            <memory max-count="-1"/>
        </distributed-cache>
    </cache-container>
-</infinispan>
+</infinispan>
--- a/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
+++ b/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
@ -1,13 +1,13 @@
 {{ ansible_managed | comment }}
 {% if not ansible_local.keycloak.general.bootstrapped | default(false) | bool %}
-KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }}
+KC_BOOTSTRAP_ADMIN_USERNAME={{ keycloak_quarkus_bootstrap_admin_user }}
-KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'
+KC_BOOTSTRAP_ADMIN_PASSWORD='{{ keycloak_quarkus_bootstrap_admin_password }}'
 {% else %}
 {{ keycloak.bootstrap_mnemonic }}
 {% endif %}
-PATH={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+PATH="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-JAVA_HOME={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}
+JAVA_HOME="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}"
-JAVA_OPTS={{ keycloak_quarkus_java_opts }}
+JAVA_OPTS="{{ keycloak_quarkus_java_opts }}"
 # Custom ENV variables
 {% for env in keycloak_quarkus_additional_env_vars %}
--- a/roles/keycloak_quarkus/templates/keycloak.conf.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.conf.j2
@ -2,26 +2,18 @@
 {% if keycloak_quarkus_db_enabled %}
 # Database
-db={{ keycloak_quarkus_jdbc_engine }}
+db={{ keycloak_quarkus_db_engine }}
-db-url={{ keycloak_quarkus_jdbc_url }}
+db-url={{ keycloak_quarkus_db_url }}
 db-username={{ keycloak_quarkus_db_user }}
 {% if not keycloak.config_key_store_enabled %}
 db-password={{ keycloak_quarkus_db_pass }}
 {% endif %}
 {% endif %}
 {% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas true -%}
 hostname-strict-https=true
 {% endif -%}
 {% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas false -%}
 hostname-strict-https=false
 {% endif -%}
 {% if keycloak.config_key_store_enabled %}
 # Config store
 config-keystore={{ keycloak_quarkus_config_key_store_file }}
 config-keystore-password={{ keycloak_quarkus_config_key_store_password }}
 config-keystore-type=PKCS12
 {% endif %}
 # Observability
@ -30,8 +22,17 @@ health-enabled={{ keycloak_quarkus_health_enabled | lower }}
 # HTTP
 http-enabled={{ keycloak_quarkus_http_enabled | lower }}
 {% if keycloak_quarkus_http_enabled %}
 http-port={{ keycloak_quarkus_http_port }}
 {% endif %}
 http-relative-path={{ keycloak_quarkus_http_relative_path }}
 http-host={{ keycloak_quarkus_http_host }}
 # Management
 http-management-port={{ keycloak_quarkus_http_management_port }}
 {% if keycloak_quarkus_http_management_relative_path is defined and keycloak_quarkus_http_management_relative_path | length > 0 %}
 http-management-relative-path={{ keycloak_quarkus_http_management_relative_path }}
 {% endif %}
 # HTTPS
 https-port={{ keycloak_quarkus_https_port }}
@ -49,16 +50,10 @@ https-trust-store-password={{ keycloak_quarkus_https_trust_store_password }}
 {% endif %}
 # Client URL configuration
-{% if keycloak_quarkus_frontend_url %}
+hostname={{ keycloak_quarkus_hostname }}
-hostname-url={{ keycloak_quarkus_frontend_url }}
+hostname-admin={{ keycloak_quarkus_hostname_admin }}
 {% else %}
 hostname={{ keycloak_quarkus_host }}
 hostname-port={{ keycloak_quarkus_port }}
 hostname-path={{ keycloak_quarkus_path }}
 {% endif %}
 hostname-admin-url={{ keycloak_quarkus_admin_url }}
 hostname-strict={{ keycloak_quarkus_hostname_strict | lower }}
-hostname-strict-backchannel={{ keycloak_quarkus_hostname_strict_backchannel | lower }}
+hostname-backchannel-dynamic={{ keycloak_quarkus_hostname_backchannel_dynamic | lower }}
 # Cluster
 {% if keycloak_quarkus_ha_enabled %}
--- a/roles/keycloak_quarkus/templates/quarkus.properties.j2
+++ b/roles/keycloak_quarkus/templates/quarkus.properties.j2
@ -1,22 +1,22 @@
 {{ ansible_managed | comment }}
 {% if keycloak_quarkus_ha_enabled %}
 {% if keycloak_quarkus_version.split('.')[0] | int < 22 %}
-quarkus.infinispan-client.server-list={{ keycloak_quarkus_ispn_hosts }}
+quarkus.infinispan-client.server-list={{ keycloak_quarkus_cache_remote_host }}
-quarkus.infinispan-client.auth-username={{ keycloak_quarkus_ispn_user }}
+quarkus.infinispan-client.auth-username={{ keycloak_quarkus_cache_remote_username }}
-quarkus.infinispan-client.auth-password={{ keycloak_quarkus_ispn_pass }}
+quarkus.infinispan-client.auth-password={{ keycloak_quarkus_cache_remote_password }}
 {% else %}
-quarkus.infinispan-client.hosts={{ keycloak_quarkus_ispn_hosts }}
+quarkus.infinispan-client.hosts={{ keycloak_quarkus_cache_remote_host }}
-quarkus.infinispan-client.username={{ keycloak_quarkus_ispn_user }}
+quarkus.infinispan-client.username={{ keycloak_quarkus_cache_remote_username }}
-quarkus.infinispan-client.password={{ keycloak_quarkus_ispn_pass }}
+quarkus.infinispan-client.password={{ keycloak_quarkus_cache_remote_password }}
 {% endif %}
 quarkus.infinispan-client.client-intelligence=HASH_DISTRIBUTION_AWARE
 quarkus.infinispan-client.use-auth=true
 quarkus.infinispan-client.auth-realm=default
 quarkus.infinispan-client.auth-server-name=infinispan
-quarkus.infinispan-client.sasl-mechanism={{ keycloak_quarkus_ispn_sasl_mechanism }}
+quarkus.infinispan-client.sasl-mechanism={{ keycloak_quarkus_cache_remote_sasl_mechanism }}
-{% if keycloak_quarkus_ispn_use_ssl %}
+{% if keycloak_quarkus_cache_remote_tls_enabled %}
-quarkus.infinispan-client.trust-store={{ keycloak_quarkus_ispn_trust_store_path }}
+quarkus.infinispan-client.trust-store={{ keycloak_quarkus_https_trust_store_file }}
-quarkus.infinispan-client.trust-store-password={{ keycloak_quarkus_ispn_trust_store_password }}
+quarkus.infinispan-client.trust-store-password={{ keycloak_quarkus_https_trust_store_password }}
 quarkus.infinispan-client.trust-store-type=jks
 {% endif %}
 #quarkus.infinispan-client.use-schema-registration=true
--- a/roles/keycloak_quarkus/vars/debian.yml
+++ b/roles/keycloak_quarkus/vars/debian.yml
@ -2,6 +2,7 @@
 keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('openjdk-17-jdk-headless') }}"
 keycloak_quarkus_prereq_package_list:
      - "{{ keycloak_quarkus_varjvm_package }}"
      - bash
      - unzip
      - procps
      - apt
--- a/roles/keycloak_quarkus/vars/main.yml
+++ b/roles/keycloak_quarkus/vars/main.yml
@ -4,8 +4,7 @@ keycloak: # noqa var-naming this is an internal dict of interpolated values
  config_dir: "{{ keycloak_quarkus_config_dir }}"
  bundle: "{{ keycloak_quarkus_archive }}"
  service_name: "keycloak"
-  health_url: "{{ 'https' if keycloak_quarkus_http_enabled == False else 'http' }}://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_https_port if keycloak_quarkus_http_enabled == False else keycloak_quarkus_http_port }}{{ keycloak_quarkus_http_relative_path }}{{ '/' \
+  health_url: "{{ keycloak_quarkus_health_check_url | default(keycloak_quarkus_hostname ~ '/' ~ (keycloak_quarkus_health_check_url_path | default('realms/master/.well-known/openid-configuration'))) }}"
               if keycloak_quarkus_http_relative_path | length > 1 else '' }}{{ keycloak_quarkus_health_check_url_path | default('realms/master/.well-known/openid-configuration') }}"
  cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh"
  service_user: "{{ keycloak_quarkus_service_user }}"
  service_group: "{{ keycloak_quarkus_service_group }}"
--- a/roles/keycloak_quarkus/vars/redhat.yml
+++ b/roles/keycloak_quarkus/vars/redhat.yml
@ -1,7 +1,8 @@
 ---
-keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('java-17-openjdk-headless') }}"
+keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('java-21-openjdk-headless') }}"
 keycloak_quarkus_prereq_package_list:
      - "{{ keycloak_quarkus_varjvm_package }}"
      - bash
      - unzip
      - procps-ng
      - initscripts
--- a/roles/keycloak_realm/defaults/main.yml
+++ b/roles/keycloak_realm/defaults/main.yml
@ -54,3 +54,7 @@ keycloak_client_users: []
 ### List of Keycloak User Federation
 keycloak_user_federation: []
 # other settings
 keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + (keycloak_jboss_port_offset | default(0)) }}"
 keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + (keycloak_jboss_port_offset | default(0)) }}"
--- a/roles/keycloak_realm/meta/main.yml
+++ b/roles/keycloak_realm/meta/main.yml
@ -8,7 +8,7 @@ galaxy_info:
  license: Apache License 2.0
-  min_ansible_version: "2.15"
+  min_ansible_version: "2.16"
  platforms:
    - name: EL
--- a/roles/keycloak_realm/tasks/main.yml
+++ b/roles/keycloak_realm/tasks/main.yml
@ -15,6 +15,7 @@
  ansible.builtin.uri:
    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}"
    method: GET
    validate_certs: false
    status_code:
      - 200
      - 404
@ -110,3 +111,6 @@
  loop_control:
    loop_var: client
  when: "'users' in client"
 - name: Provide Access token lifespan
  ansible.builtin.include_tasks: manage_token_lifespan.yml
--- a/roles/keycloak_realm/tasks/manage_token_lifespan.yml
+++ b/roles/keycloak_realm/tasks/manage_token_lifespan.yml
@ -0,0 +1,14 @@
 ---
 - name: "Update Access token lifespan"
  ansible.builtin.uri:
    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}"
    method: PUT
    body:
      accessTokenLifespan: 300
    validate_certs: false
    body_format: json
    status_code:
      - 200
      - 204
    headers:
      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
--- a/roles/keycloak_realm/tasks/manage_user_client_roles.yml
+++ b/roles/keycloak_realm/tasks/manage_user_client_roles.yml
@ -3,6 +3,7 @@
  ansible.builtin.uri:
    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | default(keycloak_realm) }}"
    method: GET
    validate_certs: false
    status_code:
      - 200
    headers:
@ -16,6 +17,7 @@
          default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | \
          selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
    method: GET
    validate_certs: false
    status_code:
      - 200
    headers:
--- a/roles/keycloak_realm/vars/main.yml
+++ b/roles/keycloak_realm/vars/main.yml
@ -3,7 +3,3 @@
 # name of the realm to create, this is a required variable
 keycloak_realm:
 # other settings
 keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + (keycloak_jboss_port_offset | default(0)) }}"
 keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + (keycloak_jboss_port_offset | default(0)) }}"
Author	SHA1	Message	Date
Guido Grazioli	de0ea02272	ci: move intermittent test back Some checks failed CI / ci (push) Has been cancelled Details Documentation / docs (push) Has been cancelled Details	2025-05-29 21:03:03 +02:00
Guido Grazioli	b6e585f503	Merge pull request #284 from guidograzioli/caches Refactor test scenarios	2025-05-29 20:45:37 +02:00
Guido Grazioli	18de37706f	tune Xmx Xms jvm args	2025-05-29 20:37:39 +02:00
Guido Grazioli	b569e4e713	update remote cache test	2025-05-29 20:14:04 +02:00
Guido Grazioli	919d55f806	Merge pull request #286 from RanabirChakraborty/AMW-398 Some checks failed CI / ci (push) Has been cancelled Details Documentation / docs (push) Has been cancelled Details Use tags to decorate the role workflow	2025-05-27 11:12:07 +02:00
Guido Grazioli	476bc0ec0b	update test config	2025-05-23 14:59:50 +02:00
Helmut Wolf	2954bf81e8	Merge pull request #285 from world-direct/fix/keycloak_config_rebuild Some checks failed CI / ci (push) Has been cancelled Details Documentation / docs (push) Has been cancelled Details Run config rebuild after SPI providers update	2025-05-21 09:26:07 +02:00
Ranabir Chakraborty	0403939c03	AMW-398 Use tags to decorate the role workflow	2025-05-20 21:40:32 +05:30
Helmut Wolf	88e4ea8d99	fix: MVN provider invokes KC config rebuild	2025-05-20 13:53:56 +02:00
Guido Grazioli	0a5fc3ae25	restructure molecule tests	2025-05-20 10:35:01 +02:00
Guido Grazioli	f4a1798f26	Merge pull request #283 from world-direct/feature/282 Some checks failed CI / ci (push) Has been cancelled Details Documentation / docs (push) Has been cancelled Details RHBK v26.2 (#282)	2025-05-19 18:37:01 +02:00
Helmut Wolf	d23ae39c25	chore(molecule): RHBK v26.2 (#282 )	2025-05-19 14:44:34 +02:00
Helmut Wolf	8f95bcb9e6	feat(HA): Change default ispn discovery mechanism to JDBCPING as per v26.2.* (#282 )	2025-05-19 14:44:34 +02:00
Helmut Wolf	f8c75de5d5	chore: RHBK v26.2: Bump KC version to v26.2.4	2025-05-19 14:44:34 +02:00
Helmut Wolf	8093b1af2a	chore: RHBK v26.2: Bump RHBK version to v26.2.4	2025-05-19 14:12:22 +02:00
Helmut Wolf	a70aece0d9	chore: RHBK v26.2: Update recommended JDBC driver versions	2025-05-19 14:12:22 +02:00
Guido Grazioli	d427a6b721	Merge pull request #281 from jonathanspw/keycloak_quarkus_jgroups_ip Some checks failed CI / ci (push) Has been cancelled Details Documentation / docs (push) Has been cancelled Details New parameter to set the jgroups host IP address	2025-05-13 19:04:56 +02:00
Jonathan Wright	c614af127e	Add var to set the jgroups IP per host This is useful if the default route does not represent the network you want/need to use for cluster communication.	2025-05-13 09:48:46 -05:00
Guido Grazioli	0936d415c7	ci: update test linking removed url Some checks failed CI / ci (push) Has been cancelled Details Documentation / docs (push) Has been cancelled Details	2025-05-09 15:20:57 +02:00
Guido Grazioli	a120b1c9b5	Merge pull request #280 from world-direct/feature/279_provider_checksums Some checks failed CI / ci (push) Has been cancelled Details Documentation / docs (push) Has been cancelled Details New `checksum` property for keycloak_quarkus_providers	2025-05-06 17:49:41 +02:00
Helmut Wolf	5cd400b053	feat: introduce `checksum` for keycloak_quarkus_providers (#279 )	2025-05-06 15:16:50 +02:00
ansible-middleware-core	e0c4b1e1ff	Bump version to 3.0.2 Some checks failed CI / ci (push) Has been cancelled Details Documentation / docs (push) Has been cancelled Details	2025-05-02 09:49:08 +00:00
ansible-middleware-core	88be789260	Update changelog for release 3.0.1 Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>	2025-05-02 09:48:54 +00:00
Guido Grazioli	868dac4f72	Merge pull request #277 from guidograzioli/26_0_11_update Version update to 26.0.8 / rhbk 26.0.11	2025-05-02 11:42:01 +02:00
Guido Grazioli	c45f7c0d60	Update remote cache default	2025-05-02 11:33:28 +02:00
Guido Grazioli	77c5b893b1	Merge pull request #276 from guidograzioli/275_envvars_handler Trigger rebuild handler on envvars file change	2025-05-02 11:25:27 +02:00
Guido Grazioli	9974ab2ee1	update molecule scenario	2025-05-02 11:18:57 +02:00
Guido Grazioli	b8a2ebc699	update keycloak version	2025-05-02 10:55:17 +02:00
Guido Grazioli	5beb5dcda4	Add trigger on envvars file change	2025-05-02 10:50:01 +02:00
ansible-middleware-core	d97044523d	Bump version to 3.0.1 Some checks failed CI / ci (push) Has been cancelled Details Documentation / docs (push) Has been cancelled Details	2025-04-23 11:47:54 +00:00
ansible-middleware-core	2abc580041	Update changelog for release 3.0.0 Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>	2025-04-23 11:47:38 +00:00
Guido Grazioli	2379e10091	Merge pull request #274 from guidograzioli/273_extra_envvars_rebuild Some checks are pending CI / ci (push) Waiting to run Details Documentation / docs (push) Waiting to run Details Load environment vars during kc rebuild	2025-04-23 10:47:36 +02:00
Guido Grazioli	c86dff66ba	double quote sysconfig envvars	2025-04-22 20:18:48 +02:00
Guido Grazioli	f750e93d02	Add bash to preinstalled packages	2025-04-22 14:51:15 +02:00
Guido Grazioli	1a4590b0b8	Load envvars in kc rebuild	2025-04-18 17:59:16 +02:00
Guido Grazioli	5e9535c866	Merge pull request #271 from guidograzioli/honor_http_host_setting Some checks failed CI / ci (push) Has been cancelled Details Documentation / docs (push) Has been cancelled Details Rename and honour parameter `keycloak_quarkus_http_host`	2025-04-18 09:11:11 +02:00
Guido Grazioli	b8028d376a	Rename and honor parameter keycloak_quarkus_http_host	2025-04-16 14:16:07 +02:00
Guido Grazioli	20797e4cad	Merge pull request #270 from guidograzioli/jdbc_params_rename Some checks failed CI / ci (push) Has been cancelled Details Documentation / docs (push) Has been cancelled Details Rename parameters to follow upstream	2025-04-16 13:55:19 +02:00
Guido Grazioli	70d61ce8de	rename ispn parameters	2025-04-16 11:58:04 +02:00
Guido Grazioli	69a947c0b6	rename _admin to _hostname_admin	2025-04-16 11:34:12 +02:00
Guido Grazioli	c7ce7be6c4	drop ajp port parameter	2025-04-16 10:42:07 +02:00
Guido Grazioli	e9061b29ef	Rename parameters from jdbc to db	2025-04-16 10:31:48 +02:00
Guido Grazioli	c92bf19720	Merge pull request #269 from Preskton/patch-1 Some checks failed CI / ci (push) Has been cancelled Details Documentation / docs (push) Has been cancelled Details Update example playbooks to use new `bootstrap` var	2025-04-14 12:52:51 +02:00
Guido Grazioli	1ca0b30a81	Merge pull request #268 from RanabirChakraborty/AMW-384 keycloak_realm: change url variables to defaults	2025-04-14 10:49:01 +02:00
Preston Doster	7738e0feb1	Update keycloak_quarkus_dev.yml	2025-04-13 10:18:27 -05:00
Preston Doster	671cf4eb53	Updating example playbooks to use `bootstrap` admin password It looks like the underlying `quarkus` provider has changed to use `keycloak_quarkus_bootstrap_admin_password`.	2025-04-13 10:17:22 -05:00
Ranabir Chakraborty	f146eb5fda	AMW-384 Keycloak realm variable keycloak_url with hard-coded http	2025-04-11 21:49:01 +05:30
Guido Grazioli	a10bc95bfc	Merge pull request #266 from guidograzioli/major_bump_3 Some checks failed CI / ci (push) Has been cancelled Details Documentation / docs (push) Has been cancelled Details Bump major and ansible-core versions	2025-04-09 20:28:52 +02:00
Guido Grazioli	314e2f26b2	Fix spell in parameter name	2025-04-09 18:08:18 +02:00
Guido Grazioli	f628b84fb0	disable restart health check because of selfsigned cert	2025-04-09 17:21:49 +02:00
Guido Grazioli	ac0ceca35f	Update to ubi9	2025-04-09 09:45:22 +02:00
Guido Grazioli	744766fe3b	update doc generation to 2.16	2025-04-08 15:36:38 +02:00
Guido Grazioli	7f980c44d2	Bump major and ansible-core versions	2025-04-08 11:58:47 +02:00
Guido Grazioli	532dc12a60	Merge pull request #254 from world-direct/feature/253_rhbk_v26 Some checks failed CI / ci (push) Has been cancelled Details Documentation / docs (push) Has been cancelled Details Role support for keycloak/RHBK v26	2025-04-08 11:47:35 +02:00
Guido Grazioli	173a85638f	Merge pull request #257 from NilsDeckert/main Some checks failed CI / ci (push) Has been cancelled Details Documentation / docs (push) Has been cancelled Details Skip certificate checking	2025-04-01 15:27:39 +02:00
Guido Grazioli	81f019f8b5	Merge pull request #264 from guidograzioli/linter_reserved_words Variables names must not be Ansible reserved names	2025-04-01 15:25:10 +02:00
Guido Grazioli	5db96afa56	Variables names must not be Ansible reserved names	2025-04-01 15:20:37 +02:00
Helmut Wolf	fa36721207	Improve string interpolation	2025-01-20 09:44:27 +01:00
Helmut Wolf	86284b12c2	Fix molecule tests	2025-01-09 12:17:07 +01:00
Nils Deckert	b3e93dd89b	Skip certificate checking	2024-12-20 17:21:49 +01:00
Helmut Wolf	e029e1c2fd	keycloak_quarkus: Introduce keycloak_quarkus_health_check_url	2024-12-13 12:12:02 +01:00
Helmut Wolf	d0f19b59dc	keycloak_quarkus: Add http_management_port and http_management_relative_path options RHBK v26 exposes health endpoints and metrics on this port moving forward. Note that the scheme of the MGMT interface is defined by the overall keycloak configuration: if https is enabled and configured, th MGMT interface is exposed via https and NOT via http; this might be breaking some configured load balancer health checks	2024-12-13 12:11:35 +01:00
Helmut Wolf	213449ec58	RHBK v26: Add hostname v2 (KC/RHBK v26 Support #253 ) Cf. https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options - especially the removed options	2024-12-13 12:11:35 +01:00
Helmut Wolf	277e1336ee	RHBK v26: Migrate to `keycloak_quarkus_bootstrap_admin_user[_password]` (Process for creation of admin account changed #248 )	2024-12-13 12:11:35 +01:00
Helmut Wolf	58233549a7	keycloak.conf: Remove `config-keystore-type` (KC/RHBK v26 Support #253 ) Cf. <https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#keystore_and_trust_store_default_format_change>	2024-12-13 12:11:35 +01:00
Helmut Wolf	0c58ae48ff	RHBK v26: Update ispn session usages (KC/RHBK v26 Support #253 ) Cf. <https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#restricting_the_size_of_session_caches>	2024-12-13 12:11:35 +01:00
Helmut Wolf	bf0bd9e1da	RHBK v26: Update mssqj jdbc driver (KC/RHBK v26 Support #253 ) As per <https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/server_configuration_guide/index#db-installing-the-microsoft-sql-server-driver>	2024-12-13 12:11:35 +01:00
Helmut Wolf	5d15d37890	RHBK v26: Raise default KC+RHBK versions to v26.x (#253 )	2024-12-13 12:11:35 +01:00
Guido Grazioli	910a2aa5d4	Merge pull request #252 from world-direct/feature/cache_buster Add theme cache invalidation handler	2024-12-12 09:36:18 +01:00
Helmut Wolf	5f534ca566	keycloak_quarkus: Add theme cache invalidation handler	2024-12-12 09:05:09 +01:00
Guido Grazioli	692fb59797	Merge pull request #251 from RanabirChakraborty/increase_access_token_lifespan Access token lifespan is too short for ansible run	2024-12-11 16:19:13 +01:00
Ranabir Chakraborty	d1859aaff2	Access token lifespan is too short for ansible run	2024-12-03 22:40:25 +05:30
Guido Grazioli	0d0e52f9ff	Merge pull request #250 from world-direct/feature/249 Rebuild config and restart service for local providers	2024-11-25 08:40:54 +01:00
Helmut Wolf	68a0f88423	keycloak_quarkus: Rebuild config and restart service for local providers (#249 )	2024-11-22 08:08:09 +01:00
ansible-middleware-core	333d55ad73	Bump version to 2.4.4	2024-10-16 07:24:57 +00:00
`@ -1,2 +1,2 @@`
	`---`	`---`
	`requires_ansible: ">=2.15.0"`	`requires_ansible: ">=2.16.0"`