From 3780a4e3c0659a9ccf8cf2798cc382622280e9a9 Mon Sep 17 00:00:00 2001
From: ansible-middleware-core
Date: Tue, 1 Jul 2025 16:56:26 +0000
Subject: [PATCH 1/9] Bump version to 3.0.3

---
 galaxy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/galaxy.yml b/galaxy.yml
index 006207e..70fb7b1 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,7 +1,7 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "3.0.2"
+version: "3.0.3"
 readme: README.md
 authors:
 - Romain Pelisse
From dcd448443f276b044b3e74401348c4b9fe1f0c50 Mon Sep 17 00:00:00 2001
From: LEDUNOIS Simon
Date: Wed, 2 Jul 2025 14:36:25 +0000
Subject: [PATCH 2/9] feat: allow secret in keycloak_clients

---
 roles/keycloak_realm/README.md | 1 +
 roles/keycloak_realm/tasks/main.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/roles/keycloak_realm/README.md b/roles/keycloak_realm/README.md
index 179784e..2fb8942 100644
--- a/roles/keycloak_realm/README.md
+++ b/roles/keycloak_realm/README.md
@@ -74,6 +74,7 @@ Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/ge
 - name:
 id:
 client_id:
+ secret:
 roles:
 realm:
 public_client:
diff --git a/roles/keycloak_realm/tasks/main.yml b/roles/keycloak_realm/tasks/main.yml
index f39af9d..5c19d68 100644
--- a/roles/keycloak_realm/tasks/main.yml
+++ b/roles/keycloak_realm/tasks/main.yml
@@ -76,6 +76,7 @@
 default_roles: "{{ item.roles | default(omit) }}"
 client_id: "{{ item.client_id | default(omit) }}"
 id: "{{ item.id | default(omit) }}"
+ secret: "{{ item.secret | default(omit) }}"
 name: "{{ item.name | default(omit) }}"
 description: "{{ item.description | default(omit) }}"
 root_url: "{{ item.root_url | default('') }}"
From bbe568baa512cfa44ffb1c8e22a55c92129e2c8b Mon Sep 17 00:00:00 2001
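Review bot: The new `secret: "{{ item.secret | default(omit) }}"` line puts a client secret into the loop item, and Ansible echoes each loop item in the task result unless the task suppresses it; the task header and module line are outside the hunk, so I cannot see whether `no_log` is already set. If it is not, add `no_log: true` to this task so the secret does not land in playbook output or CI logs. The README entry added in the first hunk of this patch lists `secret:` with no explanation; a short description such as `secret: # optional, client secret for confidential clients; keep it in a vault-encrypted variable` would tell users what it is for and how to store it. Since `default(omit)` drops the parameter entirely, it is also worth confirming and documenting what the module does for a confidential client when no secret is supplied.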
From: Andreas Wagner
Date: Wed, 2 Jul 2025 16:39:49 +0200
Subject: [PATCH 3/9] Added support for copy remote_src function for providers

---
 roles/keycloak_quarkus/README.md | 1 +
 roles/keycloak_quarkus/tasks/install.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md
index 58e3ef4..f625a90 100644
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@@ -221,6 +221,7 @@ keycloak_quarkus_providers:
 restart: true # optional, whether to rebuild config and restart the service after deploying, default true
 url: https://.../.../custom_spi.jar # optional, url for download via http
 local_path: my_theme_spi.jar # optional, path on local controller for SPI to be uploaded
+ remote: true # optional, whether to copy from localhost or remotely, see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-remote_src, default false
 maven: # optional, for download using maven
 repository_url: https://maven.pkg.github.com/OWNER/REPOSITORY # optional, maven repo url
 group_id: my.group # optional, maven group id
diff --git a/roles/keycloak_quarkus/tasks/install.yml b/roles/keycloak_quarkus/tasks/install.yml
index 9ed84ac..73ff2c4 100644
--- a/roles/keycloak_quarkus/tasks/install.yml
+++ b/roles/keycloak_quarkus/tasks/install.yml
@@ -280,6 +280,7 @@
 owner: "{{ keycloak.service_user }}"
 group: "{{ keycloak.service_group }}"
 mode: '0640'
+ remote_src: "{{ item.remote | default(false) }}"
 become: true
 loop: "{{ keycloak_quarkus_providers }}"
 when: item.local_path is defined
From 1ff25325a709f6cb5eef26cbc2317723b1af9577 Mon Sep 17 00:00:00 2001
From: Helmut Wolf
Date: Mon, 16 Jun 2025 12:41:34 +0200
Subject: [PATCH 4/9] fix(ispn): use legacy JGroups stack configuration for < 26.2 only

---
 roles/keycloak_quarkus/templates/cache-ispn.xml.j2 | 2 ++
 1 file changed, 2 insertions(+)

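Review bot: With `remote_src: "{{ item.remote | default(false) }}"` the provider path is read from the managed host whenever `remote` is true, yet the guard `when: item.local_path is defined` and the README line added in the first hunk ("path on local controller for SPI to be uploaded") still describe `local_path` as a controller-side path; the task's `src:` line is outside the hunk, so I infer it uses `item.local_path`. The key name now means two different things depending on `remote`, which is worth stating where users read it, e.g. `local_path: my_theme_spi.jar # optional, path to the SPI jar; on the controller by default, on the target host when remote is true`. Because the copy runs under `become: true`, a remote-side path is opened with elevated privileges, so it may also be worth a sentence in the README that the remote path should be one the operator controls. The enclosing task starts before this hunk.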
diff --git a/roles/keycloak_quarkus/templates/cache-ispn.xml.j2 b/roles/keycloak_quarkus/templates/cache-ispn.xml.j2 index 2d745d5..cf74656 100644 --- a/roles/keycloak_quarkus/templates/cache-ispn.xml.j2 +++ b/roles/keycloak_quarkus/templates/cache-ispn.xml.j2 @@ -22,6 +22,7 @@ xmlns="urn:infinispan:config:15.0"> {% set stack_expression='' %} +{% if keycloak_quarkus_version is version_compare('26.2.0', '<') %} {% if keycloak_quarkus_ha_enabled %} {% if keycloak_quarkus_ha_discovery == 'TCPPING' %} {% set stack_expression='stack="tcpping"' %} @@ -39,6 +40,7 @@ {% elif keycloak_quarkus_ha_discovery == 'JDBCPING' %} {% set stack_expression='stack="JDBC_PING2"' %} {% endif %} +{% endif %} {% endif %} From 19564987ca2ba1cec5fd57025f79343c70ff19b7 Mon Sep 17 00:00:00 2001 From: Helmut Wolf Date: Mon, 16 Jun 2025 12:41:52 +0200 Subject: [PATCH 5/9] fix(quarkus): update infinispan-client configuration to include port in server-list and hosts --- roles/keycloak_quarkus/templates/quarkus.properties.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/keycloak_quarkus/templates/quarkus.properties.j2 b/roles/keycloak_quarkus/templates/quarkus.properties.j2 index 06d9077..cd0f969 100644 --- a/roles/keycloak_quarkus/templates/quarkus.properties.j2 +++ b/roles/keycloak_quarkus/templates/quarkus.properties.j2 
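Review bot: The new `{% if keycloak_quarkus_version is version_compare('26.2.0', '<') %}` gate silently stops emitting the `stack="..."` attribute on 26.2 and later, and nothing in the template says why or where the JGroups stack is selected instead, so a reader of a rendered file on a newer release will find `keycloak_quarkus_ha_discovery` apparently ignored. A one-line Jinja comment above the new `if` would prevent that confusion, e.g. `{# legacy stack= attribute: only emitted for Keycloak < 26.2; newer releases are expected to select the stack through Keycloak's own cache options — confirm against the release notes #}`. `version_compare` is the older alias of the `version` test, and quarkus.properties.j2 in this same series uses `split('.')[0] | int < 22` for the same kind of check; settling on `is version('26.2.0', '<')` in both templates would make version gating easier to audit. The downstream build tracks `rhbk_version` (26.2.5 in patch 6) with its own numbering; if that value is what ends up in `keycloak_quarkus_version` for RHBK installs, confirm the 26.2.0 threshold is correct there as well. The `if` opened in the first hunk is closed by the `{% endif %}` added in the second, which is consistent either way since Jinja `endif` is unlabelled.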
@@ -1,11 +1,11 @@
 {{ ansible_managed | comment }}
 {% if keycloak_quarkus_ha_enabled %}
 {% if keycloak_quarkus_version.split('.')[0] | int < 22 %}
-quarkus.infinispan-client.server-list={{ keycloak_quarkus_cache_remote_host }}
+quarkus.infinispan-client.server-list={{ keycloak_quarkus_cache_remote_host }}:{{ keycloak_quarkus_cache_remote_port }}
 quarkus.infinispan-client.auth-username={{ keycloak_quarkus_cache_remote_username }}
 quarkus.infinispan-client.auth-password={{ keycloak_quarkus_cache_remote_password }}
 {% else %}
-quarkus.infinispan-client.hosts={{ keycloak_quarkus_cache_remote_host }}
+quarkus.infinispan-client.hosts={{ keycloak_quarkus_cache_remote_host }}:{{ keycloak_quarkus_cache_remote_port }}
 quarkus.infinispan-client.username={{ keycloak_quarkus_cache_remote_username }}
 quarkus.infinispan-client.password={{ keycloak_quarkus_cache_remote_password }}
 {% endif %}
From f79fd227ebc4c5d1c4ed7d2d5ee7d9ab85f713e6 Mon Sep 17 00:00:00 2001
From: Helmut Wolf
Date: Mon, 16 Jun 2025 12:46:00 +0200
Subject: [PATCH 6/9] chore: bump KC/RHBK to v26.3.0/v26.2.5

---
 molecule/default/prepare.yml | 2 +-
 molecule/quarkus/converge.yml | 4 ++--
 roles/keycloak_quarkus/README.md | 2 +-
 roles/keycloak_quarkus/defaults/main.yml | 2 +-
 roles/keycloak_quarkus/meta/argument_specs.yml | 8 ++++----
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
index 44d4a91..540e321 100644
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@@ -18,7 +18,7 @@
 - name: Download keycloak archive to controller directory
 ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
- url: https://github.com/keycloak/keycloak/releases/download/26.2.4/keycloak-26.2.4.zip
+ url: https://github.com/keycloak/keycloak/releases/download/26.3.0/keycloak-26.3.0.zip
 dest: /tmp/keycloak
 mode: '0640'
 delegate_to: localhost
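Review bot: Both rewritten lines now reference `keycloak_quarkus_cache_remote_port`, so the template fails to render when that variable is undefined; the series does not touch defaults/main.yml or argument_specs.yml for it, so confirm it has a declared default (Infinispan's usual Hot Rod port is 11222, but the right value belongs in the role defaults, not in this note). If `keycloak_quarkus_cache_remote_host` may hold a comma-separated list, which both `server-list` and `hosts` accept, the port is appended only to the last entry and the other entries fall back to the client's default port; either document that the variable is a single host, or render `host:port` per entry. A short Jinja comment on the `hosts` line, e.g. `{# single host; port is appended explicitly so the remote cache port is never left to the client default #}`, would make the intent clear to the next maintainer.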
diff --git a/molecule/quarkus/converge.yml b/molecule/quarkus/converge.yml
index fa2d70f..857c072 100644
--- a/molecule/quarkus/converge.yml
+++ b/molecule/quarkus/converge.yml
@@ -23,7 +23,7 @@
 keycloak_quarkus_systemd_wait_for_delay: 2
 keycloak_quarkus_systemd_wait_for_log: true
 keycloak_quarkus_restart_health_check: false # would fail because of self-signed cert
- keycloak_quarkus_version: 26.2.4
+ keycloak_quarkus_version: 26.3.0
 keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx1024m"
 keycloak_quarkus_additional_env_vars:
 - key: KC_FEATURES_DISABLED
@@ -46,7 +46,7 @@
 repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4
 group_id: org.keycloak
 artifact_id: keycloak-kerberos-federation
- version: 26.2.4 # optional
+ version: 26.3.0 # optional
 # username: myUser # optional
 # password: myPAT # optional
 # - id: my-static-theme
diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md
index f625a90..8ac353f 100644
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@@ -33,7 +33,7 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_quarkus_version`| keycloak.org package version | `26.2.4` |
+|`keycloak_quarkus_version`| keycloak.org package version | `26.3.0` |
 |`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
 |`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml
index be05225..c96aa8a 100644
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 ### Configuration specific to keycloak
-keycloak_quarkus_version: 26.2.4
+keycloak_quarkus_version: 26.3.0
 keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
 keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
 keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
index 5bf57e4..7525c50 100644
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -2,7 +2,7 @@ argument_specs:
 main:
 options:
 keycloak_quarkus_version:
- default: "26.2.4"
+ default: "26.3.0"
 description: "keycloak.org package version"
 type: "str"
 keycloak_quarkus_archive:
@@ -540,7 +540,7 @@ argument_specs:
 description: 'The password to access the Truststore.'
 default: ''
 type: "str"
- keycloak_quarkus_jgroups_port:
+ keycloak_quarkus_jgroups_port:
 description: 'jgroups bind port'
 default: 7800
 type: "int"
@@ -552,7 +552,7 @@ argument_specs:
 description: 'IP address that other instances in the Keycloak should use to contact this node'
 default: "{{ keycloak_quarkus_jgroups_bind_address }}"
 type: "str"
- keycloak_quarkus_jgroups_external_port:
+ keycloak_quarkus_jgroups_external_port:
 description: 'Port that other instances in the Keycloak cluster should use to contact this node'
 default: "{{ keycloak_quarkus_jgroups_port }}"
 type: "int"
@@ -563,7 +563,7 @@ argument_specs:
 downstream:
 options:
 rhbk_version:
- default: "26.2.4"
+ default: "26.2.5"
 description: "Red Hat Build of Keycloak version"
 type: "str"
 rhbk_archive:
From 556d15553349ce30c2255e7d14b312dd123792aa Mon Sep 17 00:00:00 2001
From: Stephane Vigan
Date: Mon, 21 Jul 2025 16:15:59 +0200
Subject: [PATCH 7/9] Fix config_key_store_file description to match variable name

---
 roles/keycloak_quarkus/README.md | 2 +-
 roles/keycloak_quarkus/meta/argument_specs.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md
index 8ac353f..60c95b5 100644
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@@ -66,7 +66,7 @@ Role Defaults
 |`keycloak_quarkus_health_check_url`| Full URL (including scheme, host, path, fragment etc.) used for health check endpoint; keycloak_quarkus_hostname will NOT be prepended; helpful when health checks should happen against http port, but keycloak_quarkus_hostname uses https scheme per default | `` |
 |`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; keycloak_quarkus_hostname will be prepended automatically; Note that keycloak_quarkus_health_check_url takes precedence over this property | `realms/master/.well-known/openid-configuration` |
 |`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwarded`) | `""` |
-|`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_keystore_password != ''`, else `''` |
+|`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_config_key_store_password` is not empty | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_config_key_store_password != ''`, else `''` |
 |`keycloak_quarkus_config_key_store_password`| Password of the configuration keystore; if non-empty, `keycloak_quarkus_db_pass` will be saved to the keystore at `keycloak_quarkus_config_key_store_file` instead of being written to the configuration file in clear text | `""` |
 |`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
 |`keycloak_quarkus_configure_iptables` | Ensure iptables is configured for keycloak ports | `False` |
diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
index 7525c50..a96fccf 100644
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -183,7 +183,7 @@ argument_specs:
 type: "str"
 keycloak_quarkus_config_key_store_file:
 default: "{{ keycloak.home }}/conf/conf_store.p12"
- description: "Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty"
+ description: "Path to the configuration key store; only used if `keycloak_quarkus_config_key_store_password` is not empty"
 type: "str"
 keycloak_quarkus_config_key_store_password:
 default: ""
From 66228c3a13d29cf406a764e9b9e052a11c95a17a Mon Sep 17 00:00:00 2001
From: Helmut Wolf
Date: Tue, 22 Jul 2025 12:09:14 +0200
Subject: [PATCH 8/9] ansible 2.19.0: fix error 'item' is undefined error, https://github.com/ansible-middleware/keycloak/issues/309#issuecomment-3101960407

---
 roles/keycloak_quarkus/tasks/restart/serial.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/keycloak_quarkus/tasks/restart/serial.yml b/roles/keycloak_quarkus/tasks/restart/serial.yml
index 26397d3..5bf0da0 100644
--- a/roles/keycloak_quarkus/tasks/restart/serial.yml
+++ b/roles/keycloak_quarkus/tasks/restart/serial.yml
@@ -2,7 +2,7 @@
 - name: "Restart services in serial, with optional healtch check (keycloak_quarkus_restart_health_check)"
 throttle: 1
 block:
- - name: "Restart and enable {{ keycloak.service_name }} service on {{ item }}"
+ - name: "Restart and enable {{ keycloak.service_name }} service"
 ansible.builtin.include_tasks:
 file: restart.yml
 apply:
From 8b2ef220235dc39bf7504c121338755c86ec15f1 Mon Sep 17 00:00:00 2001
From: Helmut Wolf
Date: Tue, 22 Jul 2025 12:11:09 +0200
Subject: [PATCH 9/9] fix ansible-core v2.19.0: initialize keycloak_quarkus_hostname_admin to an empty string

---
 roles/keycloak_quarkus/README.md | 2 +-
 roles/keycloak_quarkus/defaults/main.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md
index 8ac353f..cf89b89 100644
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@@ -98,7 +98,7 @@ Role Defaults | Variable | Description | Default | |:---------|:------------|:--------| |`keycloak_quarkus_hostname`| Address at which is the server exposed. Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request. | | -|`keycloak_quarkus_hostname_admin`| Set the base URL for accessing the administration console, including scheme, host, port and path | | +|`keycloak_quarkus_hostname_admin`| Set the base URL for accessing the administration console, including scheme, host, port and path | `` | |`keycloak_quarkus_hostname_strict`| Disables dynamically resolving the hostname from request headers | `true` | |`keycloak_quarkus_hostname_backchannel_dynamic`| Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL. | `false` | |`keycloak_quarkus_hostname_strict_backchannel`| Deprecated, use (the inverted!)`keycloak_quarkus_hostname_backchannel_dynamic` instead. | | diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml index c96aa8a..2d1326e 100644 --- a/roles/keycloak_quarkus/defaults/main.yml +++ b/roles/keycloak_quarkus/defaults/main.yml @@ -88,7 +88,7 @@ keycloak_quarkus_systemd_wait_for_delay: 10 ### keycloak frontend url keycloak_quarkus_hostname: -keycloak_quarkus_hostname_admin: +keycloak_quarkus_hostname_admin: "" ### Set the path relative to / for serving resources. The path must start with a / ### (set to `/auth` for retrocompatibility with pre-quarkus releases)
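Review bot: `keycloak_quarkus_hostname_admin: ""` replaces a bare null with an empty string, but the line directly above it, `keycloak_quarkus_hostname:`, is left as the same bare-null pattern; if any task templates or tests it the way the admin hostname was used, it is likely to trip the same ansible-core 2.19 error, so `keycloak_quarkus_hostname: ""` is worth considering in the same change, after checking that the existing `is defined` / length guards for it (not visible here) still behave. A short comment on the new line would record why the value is explicit, e.g. `keycloak_quarkus_hostname_admin: ""  # explicit empty string: a bare null is rejected by ansible-core >= 2.19 when templated`. In the README row from the first hunk, the default is shown as two empty backticks; `""` would read more clearly in the table.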