mirror of
				https://github.com/ansible-middleware/keycloak.git
				synced 2025-10-25 05:24:07 -07:00 
			
		
		
		
	Compare commits
	
		
			No commits in common. "main" and "2.4.2" have entirely different histories.
		
	
	
		
	
		
					 95 changed files with 735 additions and 4512 deletions
				
			
		
							
								
								
									
										13
									
								
								.github/workflows/ci.yml
									
										
									
									
										vendored
									
									
								
							
							
						
						
									
										13
									
								
								.github/workflows/ci.yml
									
										
									
									
										vendored
									
									
								
							|  | @ -6,23 +6,14 @@ on: | ||||||
|       - main |       - main | ||||||
|   pull_request: |   pull_request: | ||||||
|   workflow_dispatch: |   workflow_dispatch: | ||||||
|     inputs: |  | ||||||
|       debug_verbosity: |  | ||||||
|         description: 'ANSIBLE_VERBOSITY envvar value' |  | ||||||
|         required: false |  | ||||||
|   schedule: |   schedule: | ||||||
|     - cron: '15 6 * * *' |     - cron: '15 6 * * *' | ||||||
| 
 | 
 | ||||||
| jobs: | jobs: | ||||||
|   ci: |   ci: | ||||||
|     uses: ansible-middleware/github-actions/.github/workflows/cish.yml@main |     uses: ansible-middleware/github-actions/.github/workflows/ci.yml@main | ||||||
|     secrets: inherit |     secrets: inherit | ||||||
|     with: |     with: | ||||||
|       fqcn: 'middleware_automation/keycloak' |       fqcn: 'middleware_automation/keycloak' | ||||||
|       debug_verbosity: "${{ github.event.inputs.debug_verbosity }}" |  | ||||||
|       molecule_tests: >- |       molecule_tests: >- | ||||||
|         [ "debian", "quarkus", "quarkus_ha", "quarkus_ha_remote" ] |           [ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "quarkus_upgrade", "debian", "quarkus_ha" ] | ||||||
|       podman_tests_current: >- |  | ||||||
|         [ "default", "quarkus_devmode", "quarkus_upgrade" ] |  | ||||||
|       podman_tests_next: >- |  | ||||||
|         [ "default", "quarkus_devmode", "quarkus_upgrade" ] |  | ||||||
|  |  | ||||||
							
								
								
									
										14
									
								
								.github/workflows/traffic.yml
									
										
									
									
										vendored
									
									
								
							
							
						
						
									
										14
									
								
								.github/workflows/traffic.yml
									
										
									
									
										vendored
									
									
								
							|  | @ -1,9 +1,9 @@ | ||||||
| name: Collect traffic stats | name: Collect traffic stats | ||||||
| on: | on: | ||||||
|   schedule: |   schedule:  | ||||||
|     - cron: "51 23 * * 0" |     - cron: "51 23 * * 0" | ||||||
|   workflow_dispatch: |   workflow_dispatch:  | ||||||
| 
 |      | ||||||
| jobs: | jobs: | ||||||
|   traffic: |   traffic: | ||||||
|     runs-on: ubuntu-latest |     runs-on: ubuntu-latest | ||||||
|  | @ -11,12 +11,12 @@ jobs: | ||||||
|       - uses: actions/checkout@v2 |       - uses: actions/checkout@v2 | ||||||
|         with: |         with: | ||||||
|           ref: "gh-pages" |           ref: "gh-pages" | ||||||
| 
 |      | ||||||
|       - name: GitHub traffic |       - name: GitHub traffic  | ||||||
|         uses: sangonzal/repository-traffic-action@v.0.1.6 |         uses: sangonzal/repository-traffic-action@v.0.1.6 | ||||||
|         env: |         env: | ||||||
|           TRAFFIC_ACTION_TOKEN: ${{ secrets.TRIGGERING_PAT }} |           TRAFFIC_ACTION_TOKEN: ${{ secrets.TRIGGERING_PAT }}  | ||||||
| 
 |       | ||||||
|       - name: Commit changes |       - name: Commit changes | ||||||
|         uses: EndBug/add-and-commit@v4 |         uses: EndBug/add-and-commit@v4 | ||||||
|         with: |         with: | ||||||
|  |  | ||||||
|  | @ -6,76 +6,6 @@ middleware\_automation.keycloak Release Notes | ||||||
| 
 | 
 | ||||||
| This changelog describes changes after version 0.2.6. | This changelog describes changes after version 0.2.6. | ||||||
| 
 | 
 | ||||||
| v3.0.2 |  | ||||||
| ====== |  | ||||||
| 
 |  | ||||||
| Minor Changes |  | ||||||
| ------------- |  | ||||||
| 
 |  | ||||||
| - New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_ |  | ||||||
| - New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_ |  | ||||||
| - Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_ |  | ||||||
| - Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_ |  | ||||||
| 
 |  | ||||||
| Bugfixes |  | ||||||
| -------- |  | ||||||
| 
 |  | ||||||
| - Fix ``keycloak_quarkus_force_install`` parameter being ignored by install `#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_ |  | ||||||
| - Fix alternate download location being ignored (JBossNeworkAPI always used) `#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_ |  | ||||||
| - Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_ |  | ||||||
| - Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_ |  | ||||||
| - keycloak_realm: federation default provider type should be a string `#302 <https://github.com/ansible-middleware/keycloak/pull/302>`_ |  | ||||||
| 
 |  | ||||||
| v3.0.1 |  | ||||||
| ====== |  | ||||||
| 
 |  | ||||||
| Minor Changes |  | ||||||
| ------------- |  | ||||||
| 
 |  | ||||||
| - Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_ |  | ||||||
| 
 |  | ||||||
| Bugfixes |  | ||||||
| -------- |  | ||||||
| 
 |  | ||||||
| - Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_ |  | ||||||
| 
 |  | ||||||
| v3.0.0 |  | ||||||
| ====== |  | ||||||
| 
 |  | ||||||
| Minor Changes |  | ||||||
| ------------- |  | ||||||
| 
 |  | ||||||
| - Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_ |  | ||||||
| - keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_ |  | ||||||
| 
 |  | ||||||
| Breaking Changes / Porting Guide |  | ||||||
| -------------------------------- |  | ||||||
| 
 |  | ||||||
| - Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_ |  | ||||||
| - Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_ |  | ||||||
| - Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_ |  | ||||||
| 
 |  | ||||||
| Bugfixes |  | ||||||
| -------- |  | ||||||
| 
 |  | ||||||
| - Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_ |  | ||||||
| - Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_ |  | ||||||
| - Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_ |  | ||||||
| - Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_ |  | ||||||
| 
 |  | ||||||
| New Modules |  | ||||||
| ----------- |  | ||||||
| 
 |  | ||||||
| - middleware_automation.keycloak.keycloak_realm - Allows administration of Keycloak realm via Keycloak API |  | ||||||
| 
 |  | ||||||
| v2.4.3 |  | ||||||
| ====== |  | ||||||
| 
 |  | ||||||
| Minor Changes |  | ||||||
| ------------- |  | ||||||
| 
 |  | ||||||
| - Update keycloak to 24.0.5 `#241 <https://github.com/ansible-middleware/keycloak/pull/241>`_ |  | ||||||
| 
 |  | ||||||
| v2.4.2 | v2.4.2 | ||||||
| ====== | ====== | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -1,37 +1,3 @@ | ||||||
| ## Developing |  | ||||||
| 
 |  | ||||||
| ### Build and install locally |  | ||||||
| 
 |  | ||||||
| Clone the repository, checkout the tag you want to build, or pick the main branch for the development version; then: |  | ||||||
| 
 |  | ||||||
|     ansible-galaxy collection build . |  | ||||||
|     ansible-galaxy collection install middleware_automation-keycloak-*.tar.gz |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| ### Development environment |  | ||||||
| 
 |  | ||||||
| Make sure your development machine has avilable: |  | ||||||
| 
 |  | ||||||
| * python 3.11+ |  | ||||||
| * virtualenv |  | ||||||
| * docker (or podman) |  | ||||||
| 
 |  | ||||||
| In order to run setup the development environment and run the molecule tests locally, after cloning the repository: |  | ||||||
| 
 |  | ||||||
| ``` |  | ||||||
| # create new virtualenv using python 3 |  | ||||||
| virtualenv $PATH_TO_DEV_VIRTUALENV |  | ||||||
| # activate the virtual env |  | ||||||
| source $PATH_TO_DEV_VIRTUALENV/bin/activate |  | ||||||
| # install ansible and tools onto the virtualenv |  | ||||||
| pip install yamllint 'molecule>=6.0' 'molecule-plugins[docker]' 'ansible-core>=2.16' ansible-lint |  | ||||||
| # install collection dependencies |  | ||||||
| ansible-galaxy collection install -r requirements.yml |  | ||||||
| # install python dependencies |  | ||||||
| pip install -r requirements.txt molecule/requirements.txt |  | ||||||
| # execute the tests (replace --all with -s subdirectory to run a single test) |  | ||||||
| molecule test --all |  | ||||||
| ``` |  | ||||||
| 
 | 
 | ||||||
| ## Contributor's Guidelines | ## Contributor's Guidelines | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
							
								
								
									
										20
									
								
								README.md
									
										
									
									
									
								
							
							
						
						
									
										20
									
								
								README.md
									
										
									
									
									
								
							|  | @ -1,9 +1,9 @@ | ||||||
| # Ansible Collection - middleware_automation.keycloak | # Ansible Collection - middleware_automation.keycloak | ||||||
| 
 | 
 | ||||||
| <!--start build_status --> | <!--start build_status --> | ||||||
| [](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml) | [](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml) | ||||||
| 
 | 
 | ||||||
| > **_NOTE:_ If you are Red Hat customer, install `redhat.rhbk` (for Red Hat Build of Keycloak) or `redhat.sso` (for Red Hat Single Sign-On) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.** | > **_NOTE:_ If you are Red Hat customer, install `redhat.sso` (for Red Hat Single Sign-On) or `redhat.rhbk` (for Red Hat Build of Keycloak) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.** | ||||||
| 
 | 
 | ||||||
| <!--end build_status --> | <!--end build_status --> | ||||||
| <!--start description --> | <!--start description --> | ||||||
|  | @ -12,7 +12,7 @@ Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Re | ||||||
| <!--start requires_ansible--> | <!--start requires_ansible--> | ||||||
| ## Ansible version compatibility | ## Ansible version compatibility | ||||||
| 
 | 
 | ||||||
| This collection has been tested against following Ansible versions: **>=2.16.0**. | This collection has been tested against following Ansible versions: **>=2.15.0**. | ||||||
| 
 | 
 | ||||||
| Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions. | Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions. | ||||||
| <!--end requires_ansible--> | <!--end requires_ansible--> | ||||||
|  | @ -49,10 +49,9 @@ A requirement file is provided to install: | ||||||
| <!--start roles_paths --> | <!--start roles_paths --> | ||||||
| ### Included roles | ### Included roles | ||||||
| 
 | 
 | ||||||
| * `keycloak_quarkus`: role for installing keycloak (>= 19.0.0, quarkus based). | * [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service (keycloak <= 19.0). | ||||||
| * `keycloak_realm`: role for configuring a realm, user federation(s), clients and users, in an installed service. | * [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service. | ||||||
| * `keycloak`: role for installing legacy keycloak (<= 19.0, wildfly based). | * [`keycloak_quarkus`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md): role for installing the quarkus variant of keycloak (>= 17.0.0). | ||||||
| 
 |  | ||||||
| <!--end roles_paths --> | <!--end roles_paths --> | ||||||
| 
 | 
 | ||||||
| ## Usage | ## Usage | ||||||
|  | @ -60,9 +59,9 @@ A requirement file is provided to install: | ||||||
| 
 | 
 | ||||||
| ### Install Playbook | ### Install Playbook | ||||||
| <!--start rhbk_playbook --> | <!--start rhbk_playbook --> | ||||||
| * [`playbooks/keycloak_quarkus.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_quarkus.yml) installs keycloak >= 17 based on the defined variables (using most defaults). |  | ||||||
| * [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs keycloak legacy based on the defined variables (using most defaults). | * [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs keycloak legacy based on the defined variables (using most defaults). | ||||||
| 
 | * [`playbooks/keycloak_quarkus.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_quarkus.yml) installs keycloak >= 17 based on the defined variables (using most defaults). | ||||||
|  |    | ||||||
| Both playbooks include the `keycloak` role, with different settings, as described in the following sections. | Both playbooks include the `keycloak` role, with different settings, as described in the following sections. | ||||||
| 
 | 
 | ||||||
| For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md). | For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md). | ||||||
|  | @ -93,7 +92,7 @@ Execute the following command from the source root directory | ||||||
| 
 | 
 | ||||||
| ``` | ``` | ||||||
| ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme> | ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme> | ||||||
| ``` | ```  | ||||||
| 
 | 
 | ||||||
| - `keycloak_admin_password` Password for the administration console user account. | - `keycloak_admin_password` Password for the administration console user account. | ||||||
| - `ansible_hosts` is the inventory, below is an example inventory for deploying to localhost | - `ansible_hosts` is the inventory, below is an example inventory for deploying to localhost | ||||||
|  | @ -144,3 +143,4 @@ Apache License v2.0 or later | ||||||
| <!--start license --> | <!--start license --> | ||||||
| See [LICENSE](LICENSE) to view the full text. | See [LICENSE](LICENSE) to view the full text. | ||||||
| <!--end license --> | <!--end license --> | ||||||
|  | 
 | ||||||
|  |  | ||||||
|  | @ -604,118 +604,3 @@ releases: | ||||||
|     - 237.yaml |     - 237.yaml | ||||||
|     - 239.yaml |     - 239.yaml | ||||||
|     release_date: '2024-09-26' |     release_date: '2024-09-26' | ||||||
|   2.4.3: |  | ||||||
|     changes: |  | ||||||
|       minor_changes: |  | ||||||
|       - 'Update keycloak to 24.0.5 `#241 <https://github.com/ansible-middleware/keycloak/pull/241>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|     fragments: |  | ||||||
|     - 241.yaml |  | ||||||
|     release_date: '2024-10-16' |  | ||||||
|   3.0.0: |  | ||||||
|     changes: |  | ||||||
|       breaking_changes: |  | ||||||
|       - 'Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|       - 'Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|       - 'Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|       bugfixes: |  | ||||||
|       - 'Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|       - 'Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|       - 'Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|       - 'Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|       minor_changes: |  | ||||||
|       - 'Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|       - 'keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|     fragments: |  | ||||||
|     - 250.yaml |  | ||||||
|     - 251.yaml |  | ||||||
|     - 252.yaml |  | ||||||
|     - 254.yaml |  | ||||||
|     - 266.yaml |  | ||||||
|     - 268.yaml |  | ||||||
|     - 270.yaml |  | ||||||
|     - 271.yaml |  | ||||||
|     - 274.yaml |  | ||||||
|     modules: |  | ||||||
|     - description: Allows administration of Keycloak realm via Keycloak API |  | ||||||
|       name: keycloak_realm |  | ||||||
|       namespace: '' |  | ||||||
|     release_date: '2025-04-23' |  | ||||||
|   3.0.1: |  | ||||||
|     changes: |  | ||||||
|       bugfixes: |  | ||||||
|       - 'Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|       minor_changes: |  | ||||||
|       - 'Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|     fragments: |  | ||||||
|     - 276.yaml |  | ||||||
|     - 277.yaml |  | ||||||
|     release_date: '2025-05-02' |  | ||||||
|   3.0.2: |  | ||||||
|     changes: |  | ||||||
|       bugfixes: |  | ||||||
|       - 'Fix ``keycloak_quarkus_force_install`` parameter being ignored by install |  | ||||||
|         `#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|       - 'Fix alternate download location being ignored (JBossNeworkAPI always used) |  | ||||||
|         `#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|       - 'Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|       - 'Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|       - 'keycloak_realm: federation default provider type should be a string `#302 |  | ||||||
|         <https://github.com/ansible-middleware/keycloak/pull/302>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|       minor_changes: |  | ||||||
|       - 'New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|       - 'New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|       - 'Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|       - 'Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_ |  | ||||||
| 
 |  | ||||||
|         ' |  | ||||||
|     fragments: |  | ||||||
|     - 280.yaml |  | ||||||
|     - 281.yaml |  | ||||||
|     - 283.yaml |  | ||||||
|     - 285.yaml |  | ||||||
|     - 287.yaml |  | ||||||
|     - 289.yaml |  | ||||||
|     - 296.yaml |  | ||||||
|     - 298.yaml |  | ||||||
|     - 302.yaml |  | ||||||
|     release_date: '2025-07-01' |  | ||||||
|  |  | ||||||
|  | @ -7,7 +7,7 @@ | ||||||
|       </div> |       </div> | ||||||
|       <hr/> |       <hr/> | ||||||
|       <div role="contentinfo"> |       <div role="contentinfo"> | ||||||
|         <p>© Copyright 2024, Red Hat, Inc.</p>
 |         <p>© Copyright 2022, Red Hat, Inc.</p>
 | ||||||
|       </div> |       </div> | ||||||
|       Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a |       Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a | ||||||
|         <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a> |         <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a> | ||||||
|  | @ -18,4 +18,4 @@ | ||||||
| </section> | </section> | ||||||
| </div> | </div> | ||||||
| </body> | </body> | ||||||
| </html> | </html> | ||||||
|  | @ -10,25 +10,31 @@ Welcome to Keycloak Collection documentation | ||||||
|    README |    README | ||||||
|    plugins/index |    plugins/index | ||||||
|    roles/index |    roles/index | ||||||
|    Changelog <CHANGELOG> |  | ||||||
| 
 | 
 | ||||||
| .. toctree:: | .. toctree:: | ||||||
|    :maxdepth: 2 |    :maxdepth: 2 | ||||||
|    :caption: Developer documentation |    :caption: Developer documentation | ||||||
| 
 | 
 | ||||||
|    Developing <developing> |    testing | ||||||
|    Testing <testing> |    developing | ||||||
|    Releasing <releasing> |    releasing | ||||||
|  | 
 | ||||||
|  | .. toctree:: | ||||||
|  |    :maxdepth: 2 | ||||||
|  |    :caption: General | ||||||
|  | 
 | ||||||
|  |    Changelog <CHANGELOG> | ||||||
| 
 | 
 | ||||||
| .. toctree:: | .. toctree:: | ||||||
|    :maxdepth: 2 |    :maxdepth: 2 | ||||||
|    :caption: Middleware collections |    :caption: Middleware collections | ||||||
| 
 | 
 | ||||||
|    Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/main/> |  | ||||||
|    Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/> |    Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/> | ||||||
|  |    Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/main/> | ||||||
|    Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/main/> |    Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/main/> | ||||||
|    Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/main/> |    Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/main/> | ||||||
|    ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/main/> |    ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/main/> | ||||||
|    Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/main/> |    Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/main/> | ||||||
|    Ansible Middleware utilities <https://ansible-middleware.github.io/common/main/> |    Ansible Middleware utilities <https://ansible-middleware.github.io/common/main/> | ||||||
|  |    Red Hat CSP Download <https://ansible-middleware.github.io/redhat-csp-download/main/> | ||||||
|    JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/main/> |    JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/main/> | ||||||
|  |  | ||||||
|  | @ -1,7 +1,7 @@ | ||||||
| antsibull>=0.17.0 | antsibull>=0.17.0 | ||||||
| antsibull-docs | antsibull-docs | ||||||
| antsibull-changelog | antsibull-changelog | ||||||
| ansible-core>=2.16.0 | ansible-core>=2.14.1 | ||||||
| ansible-pygments | ansible-pygments | ||||||
| sphinx-rtd-theme | sphinx-rtd-theme | ||||||
| git+https://github.com/felixfontein/ansible-basic-sphinx-ext | git+https://github.com/felixfontein/ansible-basic-sphinx-ext | ||||||
|  |  | ||||||
|  | @ -4,7 +4,24 @@ | ||||||
| 
 | 
 | ||||||
| The collection is tested with a [molecule](https://github.com/ansible-community/molecule) setup covering the included roles and verifying correct installation and idempotency. | The collection is tested with a [molecule](https://github.com/ansible-community/molecule) setup covering the included roles and verifying correct installation and idempotency. | ||||||
| In order to run the molecule tests locally with python 3.9 available, after cloning the repository: | In order to run the molecule tests locally with python 3.9 available, after cloning the repository: | ||||||
| The test scenarios are available on the source code repository each on his own subdirectory under [molecule/](https://github.com/ansible-middleware/keycloak/molecule). | 
 | ||||||
|  | ``` | ||||||
|  | pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous | ||||||
|  | molecule test --all | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | ## Integration testing | ||||||
|  | 
 | ||||||
|  | Demo repositories which depend on the collection, and aggregate functionality with other middleware_automation collections, are automatically rebuilt | ||||||
|  | at every collection release to ensure non-breaking changes and consistent behaviour. | ||||||
|  | 
 | ||||||
|  | The repository are: | ||||||
|  | 
 | ||||||
|  |  - [Flange demo](https://github.com/ansible-middleware/flange-demo) | ||||||
|  |    A deployment of Wildfly cluster integrated with keycloak and infinispan. | ||||||
|  |  - [CrossDC keycloak demo](https://github.com/ansible-middleware/cross-dc-rhsso-demo) | ||||||
|  |    A clustered multi-regional installation of keycloak with infinispan remote caches. | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| ## Test playbooks | ## Test playbooks | ||||||
|  | @ -12,7 +29,15 @@ The test scenarios are available on the source code repository each on his own s | ||||||
| Sample playbooks are provided in the `playbooks/` directory; to run the playbooks locally (requires a rhel system with python 3.9+, ansible, and systemd) the steps are as follows: | Sample playbooks are provided in the `playbooks/` directory; to run the playbooks locally (requires a rhel system with python 3.9+, ansible, and systemd) the steps are as follows: | ||||||
| 
 | 
 | ||||||
| ``` | ``` | ||||||
| # setup environment as in developing | # setup environment | ||||||
|  | pip install ansible-core | ||||||
|  | # clone the repository | ||||||
|  | git clone https://github.com/ansible-middleware/keycloak | ||||||
|  | cd keycloak | ||||||
|  | # install collection dependencies | ||||||
|  | ansible-galaxy collection install -r requirements.yml | ||||||
|  | # install collection python deps | ||||||
|  | pip install -r requirements.txt | ||||||
| # create inventory for localhost | # create inventory for localhost | ||||||
| cat << EOF > inventory | cat << EOF > inventory | ||||||
| [keycloak] | [keycloak] | ||||||
|  |  | ||||||
|  | @ -1,7 +1,7 @@ | ||||||
| --- | --- | ||||||
| namespace: middleware_automation | namespace: middleware_automation | ||||||
| name: keycloak | name: keycloak | ||||||
| version: "3.0.3" | version: "2.4.2" | ||||||
| readme: README.md | readme: README.md | ||||||
| authors: | authors: | ||||||
|   - Romain Pelisse <rpelisse@redhat.com> |   - Romain Pelisse <rpelisse@redhat.com> | ||||||
|  |  | ||||||
|  | @ -1,2 +1,2 @@ | ||||||
| --- | --- | ||||||
| requires_ansible: ">=2.16.0" | requires_ansible: ">=2.15.0" | ||||||
|  |  | ||||||
|  | @ -3,42 +3,40 @@ | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_show_deprecation_warnings: false |     keycloak_quarkus_show_deprecation_warnings: false | ||||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" |     keycloak_quarkus_admin_pass: "remembertochangeme" | ||||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" |     keycloak_realm: TestRealm | ||||||
|     keycloak_quarkus_hostname: http://instance:8080 |  | ||||||
|     keycloak_quarkus_log: file |     keycloak_quarkus_log: file | ||||||
|     keycloak_quarkus_start_dev: true |     keycloak_quarkus_frontend_url: 'http://localhost:8080/' | ||||||
|  |     keycloak_quarkus_start_dev: True | ||||||
|     keycloak_quarkus_proxy_mode: none |     keycloak_quarkus_proxy_mode: none | ||||||
|  |     keycloak_client_default_roles: | ||||||
|  |       - TestRoleAdmin | ||||||
|  |       - TestRoleUser | ||||||
|  |     keycloak_client_users: | ||||||
|  |       - username: TestUser | ||||||
|  |         password: password | ||||||
|  |         client_roles: | ||||||
|  |           - client: TestClient | ||||||
|  |             role: TestRoleUser | ||||||
|  |       - username: TestAdmin | ||||||
|  |         password: password | ||||||
|  |         client_roles: | ||||||
|  |           - client: TestClient | ||||||
|  |             role: TestRoleUser | ||||||
|  |           - client: TestClient | ||||||
|  |             role: TestRoleAdmin | ||||||
|  |     keycloak_clients: | ||||||
|  |       - name: TestClient | ||||||
|  |         roles: "{{ keycloak_client_default_roles }}" | ||||||
|  |         public_client: "{{ keycloak_client_public }}" | ||||||
|  |         web_origins: "{{ keycloak_client_web_origins }}" | ||||||
|  |         users: "{{ keycloak_client_users }}" | ||||||
|  |         client_id: TestClient | ||||||
|  |         attributes: | ||||||
|  |           post.logout.redirect.uris: '/public/logout' | ||||||
|   roles: |   roles: | ||||||
|     - role: keycloak_quarkus |     - role: keycloak_quarkus | ||||||
|     - role: keycloak_realm |     - role: keycloak_realm | ||||||
|       keycloak_url: "{{ keycloak_quarkus_hostname }}" |  | ||||||
|       keycloak_context: '' |  | ||||||
|       keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}" |  | ||||||
|       keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}" |  | ||||||
|       keycloak_client_users: |  | ||||||
|         - username: TestUser |  | ||||||
|           password: password |  | ||||||
|           client_roles: |  | ||||||
|             - client: TestClient |  | ||||||
|               role: TestRoleUser |  | ||||||
|               realm: "{{ keycloak_realm }}" |  | ||||||
|         - username: TestAdmin |  | ||||||
|           password: password |  | ||||||
|           client_roles: |  | ||||||
|             - client: TestClient |  | ||||||
|               role: TestRoleUser |  | ||||||
|               realm: "{{ keycloak_realm }}" |  | ||||||
|             - client: TestClient |  | ||||||
|               role: TestRoleAdmin |  | ||||||
|               realm: "{{ keycloak_realm }}" |  | ||||||
|       keycloak_realm: TestRealm |       keycloak_realm: TestRealm | ||||||
|       keycloak_clients: |       keycloak_admin_password: "remembertochangeme" | ||||||
|         - name: TestClient |       keycloak_context: '' | ||||||
|           realm: "{{ keycloak_realm }}" |  | ||||||
|           public_client: "{{ keycloak_client_public }}" |  | ||||||
|           web_origins: "{{ keycloak_client_web_origins }}" |  | ||||||
|           users: "{{ keycloak_client_users }}" |  | ||||||
|           client_id: TestClient |  | ||||||
|           attributes: |  | ||||||
|             post.logout.redirect.uris: '/public/logout' |  | ||||||
|  |  | ||||||
|  | @ -3,7 +3,7 @@ driver: | ||||||
|   name: docker |   name: docker | ||||||
| platforms: | platforms: | ||||||
|   - name: instance |   - name: instance | ||||||
|     image: ghcr.io/hspaans/molecule-containers:debian-13 |     image: ghcr.io/hspaans/molecule-containers:debian-11 | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|     privileged: true |     privileged: true | ||||||
|     port_bindings: |     port_bindings: | ||||||
|  |  | ||||||
|  | @ -7,5 +7,5 @@ | ||||||
|       ansible.builtin.apt: |       ansible.builtin.apt: | ||||||
|         name: |         name: | ||||||
|           - sudo |           - sudo | ||||||
|           - openjdk-21-jdk-headless |           - openjdk-17-jdk-headless | ||||||
|           - iproute2 |         state: present | ||||||
|  |  | ||||||
|  | @ -2,7 +2,7 @@ | ||||||
| - name: Verify | - name: Verify | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" |     keycloak_admin_password: "remembertochangeme" | ||||||
|     keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}" |     keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}" | ||||||
|     keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}" |     keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}" | ||||||
|     keycloak_jboss_port_offset: 10 |     keycloak_jboss_port_offset: 10 | ||||||
|  |  | ||||||
|  | @ -3,24 +3,23 @@ | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_show_deprecation_warnings: false |     keycloak_quarkus_show_deprecation_warnings: false | ||||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" |     keycloak_quarkus_admin_pass: "remembertochangeme" | ||||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" |     keycloak_admin_password: "remembertochangeme" | ||||||
|     keycloak_quarkus_hostname: http://instance:8080 |     keycloak_quarkus_host: instance | ||||||
|     keycloak_quarkus_log: file |     keycloak_quarkus_log: file | ||||||
|     keycloak_quarkus_log_level: debug |     keycloak_quarkus_log_level: debug | ||||||
|     keycloak_quarkus_log_target: /tmp/keycloak |     keycloak_quarkus_log_target: /tmp/keycloak | ||||||
|     keycloak_quarkus_start_dev: true |     keycloak_quarkus_start_dev: True | ||||||
|     keycloak_quarkus_proxy_mode: none |     keycloak_quarkus_proxy_mode: none | ||||||
|     keycloak_quarkus_offline_install: true |     keycloak_quarkus_offline_install: true | ||||||
|     keycloak_quarkus_download_path: /tmp/keycloak/ |     keycloak_quarkus_download_path: /tmp/keycloak/ | ||||||
|     keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m " |  | ||||||
|   roles: |   roles: | ||||||
|     - role: keycloak_quarkus |     - role: keycloak_quarkus | ||||||
|     - role: keycloak_realm |     - role: keycloak_realm | ||||||
|       keycloak_url: "{{ keycloak_quarkus_hostname }}" |  | ||||||
|       keycloak_context: '' |       keycloak_context: '' | ||||||
|       keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}" |       keycloak_client_default_roles: | ||||||
|       keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}" |         - TestRoleAdmin | ||||||
|  |         - TestRoleUser | ||||||
|       keycloak_client_users: |       keycloak_client_users: | ||||||
|         - username: TestUser |         - username: TestUser | ||||||
|           password: password |           password: password | ||||||
|  | @ -40,6 +39,7 @@ | ||||||
|       keycloak_realm: TestRealm |       keycloak_realm: TestRealm | ||||||
|       keycloak_clients: |       keycloak_clients: | ||||||
|         - name: TestClient |         - name: TestClient | ||||||
|  |           roles: "{{ keycloak_client_default_roles }}" | ||||||
|           realm: "{{ keycloak_realm }}" |           realm: "{{ keycloak_realm }}" | ||||||
|           public_client: "{{ keycloak_client_public }}" |           public_client: "{{ keycloak_client_public }}" | ||||||
|           web_origins: "{{ keycloak_client_web_origins }}" |           web_origins: "{{ keycloak_client_web_origins }}" | ||||||
|  |  | ||||||
|  | @ -1,9 +1,9 @@ | ||||||
| --- | --- | ||||||
| driver: | driver: | ||||||
|   name: podman |   name: docker | ||||||
| platforms: | platforms: | ||||||
|   - name: instance |   - name: instance | ||||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest |     image: registry.access.redhat.com/ubi8/ubi-init:latest | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|     privileged: true |     privileged: true | ||||||
|     command: "/usr/sbin/init" |     command: "/usr/sbin/init" | ||||||
|  | @ -11,7 +11,6 @@ platforms: | ||||||
|       - "8080/tcp" |       - "8080/tcp" | ||||||
|       - "8443/tcp" |       - "8443/tcp" | ||||||
|       - "8009/tcp" |       - "8009/tcp" | ||||||
|       - "9000/tcp" |  | ||||||
| provisioner: | provisioner: | ||||||
|   name: ansible |   name: ansible | ||||||
|   config_options: |   config_options: | ||||||
|  | @ -29,8 +28,6 @@ provisioner: | ||||||
|         ansible_python_interpreter: "{{ ansible_playbook_python }}" |         ansible_python_interpreter: "{{ ansible_playbook_python }}" | ||||||
|   env: |   env: | ||||||
|     ANSIBLE_FORCE_COLOR: "true" |     ANSIBLE_FORCE_COLOR: "true" | ||||||
|     PROXY: "${PROXY}" |  | ||||||
|     NO_PROXY: "${NO_PROXY}" |  | ||||||
| verifier: | verifier: | ||||||
|   name: ansible |   name: ansible | ||||||
| scenario: | scenario: | ||||||
|  |  | ||||||
|  | @ -7,6 +7,10 @@ | ||||||
|   tasks: |   tasks: | ||||||
|     - name: "Run preparation common to all scenario" |     - name: "Run preparation common to all scenario" | ||||||
|       ansible.builtin.include_tasks: ../prepare.yml |       ansible.builtin.include_tasks: ../prepare.yml | ||||||
|  |       vars: | ||||||
|  |         assets: | ||||||
|  |           - "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip" | ||||||
|  |           - "{{ assets_server }}/sso/7.6.1/rh-sso-7.6.1-patch.zip" | ||||||
| 
 | 
 | ||||||
|     - name: Create controller directory for downloads |     - name: Create controller directory for downloads | ||||||
|       ansible.builtin.file: # noqa risky-file-permissions delegated, uses controller host user |       ansible.builtin.file: # noqa risky-file-permissions delegated, uses controller host user | ||||||
|  | @ -18,7 +22,7 @@ | ||||||
| 
 | 
 | ||||||
|     - name: Download keycloak archive to controller directory |     - name: Download keycloak archive to controller directory | ||||||
|       ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user |       ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user | ||||||
|         url: https://github.com/keycloak/keycloak/releases/download/26.3.0/keycloak-26.3.0.zip |         url: https://github.com/keycloak/keycloak/releases/download/24.0.4/keycloak-24.0.4.zip | ||||||
|         dest: /tmp/keycloak |         dest: /tmp/keycloak | ||||||
|         mode: '0640' |         mode: '0640' | ||||||
|       delegate_to: localhost |       delegate_to: localhost | ||||||
|  |  | ||||||
|  | @ -2,8 +2,7 @@ | ||||||
| - name: Verify | - name: Verify | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" |     keycloak_admin_password: "remembertochangeme" | ||||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" |  | ||||||
|     keycloak_uri: "http://localhost:8080" |     keycloak_uri: "http://localhost:8080" | ||||||
|   tasks: |   tasks: | ||||||
|     - name: Populate service facts |     - name: Populate service facts | ||||||
|  | @ -17,7 +16,7 @@ | ||||||
|       ansible.builtin.uri: |       ansible.builtin.uri: | ||||||
|         url: "{{ keycloak_uri }}/realms/master/protocol/openid-connect/token" |         url: "{{ keycloak_uri }}/realms/master/protocol/openid-connect/token" | ||||||
|         method: POST |         method: POST | ||||||
|         body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_user }}&grant_type=password" |         body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password" | ||||||
|         validate_certs: no |         validate_certs: no | ||||||
|       register: keycloak_auth_response |       register: keycloak_auth_response | ||||||
|       until: keycloak_auth_response.status == 200 |       until: keycloak_auth_response.status == 200 | ||||||
|  |  | ||||||
|  | @ -3,14 +3,15 @@ | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_show_deprecation_warnings: false |     keycloak_quarkus_show_deprecation_warnings: false | ||||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" |     keycloak_quarkus_admin_pass: "remembertochangeme" | ||||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" |     keycloak_admin_password: "remembertochangeme" | ||||||
|     keycloak_quarkus_hostname: https://proxy |     keycloak_realm: TestRealm | ||||||
|  |     keycloak_quarkus_host: instance | ||||||
|     keycloak_quarkus_log: file |     keycloak_quarkus_log: file | ||||||
|     keycloak_quarkus_http_enabled: True |     keycloak_quarkus_http_enabled: True | ||||||
|     keycloak_quarkus_http_port: 8080 |     keycloak_quarkus_http_port: 8080 | ||||||
|     keycloak_quarkus_proxy_mode: edge |     keycloak_quarkus_proxy_mode: edge | ||||||
|     keycloak_quarkus_http_relative_path: / |     keycloak_quarkus_http_relative_path: / | ||||||
|     keycloak_quarkus_health_check_url: http://proxy:8080/realms/master/.well-known/openid-configuration |     keycloak_quarkus_frontend_url: https://proxy/ | ||||||
|   roles: |   roles: | ||||||
|     - role: keycloak_quarkus |     - role: keycloak_quarkus | ||||||
|  |  | ||||||
|  | @ -3,7 +3,7 @@ driver: | ||||||
|   name: docker |   name: docker | ||||||
| platforms: | platforms: | ||||||
|   - name: instance |   - name: instance | ||||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest |     image: registry.access.redhat.com/ubi8/ubi-init:latest | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|     privileged: true |     privileged: true | ||||||
|     command: "/usr/sbin/init" |     command: "/usr/sbin/init" | ||||||
|  | @ -14,7 +14,7 @@ platforms: | ||||||
|     published_ports: |     published_ports: | ||||||
|       - 0.0.0.0:8080:8080/tcp |       - 0.0.0.0:8080:8080/tcp | ||||||
|   - name: proxy |   - name: proxy | ||||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest |     image: registry.access.redhat.com/ubi8/ubi-init:latest | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|     privileged: true |     privileged: true | ||||||
|     command: "/usr/sbin/init" |     command: "/usr/sbin/init" | ||||||
|  |  | ||||||
|  | @ -3,7 +3,7 @@ driver: | ||||||
|   name: docker |   name: docker | ||||||
| platforms: | platforms: | ||||||
|   - name: instance |   - name: instance | ||||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest |     image: registry.access.redhat.com/ubi8/ubi-init:latest | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|     privileged: true |     privileged: true | ||||||
|     command: "/usr/sbin/init" |     command: "/usr/sbin/init" | ||||||
|  | @ -11,7 +11,6 @@ platforms: | ||||||
|       - "8080/tcp" |       - "8080/tcp" | ||||||
|       - "8443/tcp" |       - "8443/tcp" | ||||||
|       - "8009/tcp" |       - "8009/tcp" | ||||||
|       - "9000/tcp" |  | ||||||
| provisioner: | provisioner: | ||||||
|   name: ansible |   name: ansible | ||||||
|   config_options: |   config_options: | ||||||
|  |  | ||||||
|  | @ -3,23 +3,18 @@ | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_show_deprecation_warnings: false |     keycloak_quarkus_show_deprecation_warnings: false | ||||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" |     keycloak_quarkus_admin_pass: "remembertochangeme" | ||||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" |     keycloak_admin_password: "remembertochangeme" | ||||||
|     keycloak_realm: TestRealm |     keycloak_realm: TestRealm | ||||||
|     keycloak_quarkus_log: file |     keycloak_quarkus_log: file | ||||||
|     keycloak_quarkus_hostname: 'http://localhost:8080' |     keycloak_quarkus_frontend_url: 'http://localhost:8080/' | ||||||
|     keycloak_quarkus_start_dev: True |     keycloak_quarkus_start_dev: True | ||||||
|     keycloak_quarkus_proxy_mode: none |     keycloak_quarkus_proxy_mode: none | ||||||
|     keycloak_quarkus_java_home: /opt/openjdk/ |     keycloak_quarkus_java_home: /opt/openjdk/ | ||||||
|     keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m" |  | ||||||
| 
 |  | ||||||
|   roles: |   roles: | ||||||
|     - role: keycloak_quarkus |     - role: keycloak_quarkus | ||||||
|     - role: keycloak_realm |     - role: keycloak_realm | ||||||
|       keycloak_url: "{{ keycloak_quarkus_hostname }}" |  | ||||||
|       keycloak_context: '' |       keycloak_context: '' | ||||||
|       keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}" |  | ||||||
|       keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}" |  | ||||||
|       keycloak_client_default_roles: |       keycloak_client_default_roles: | ||||||
|         - TestRoleAdmin |         - TestRoleAdmin | ||||||
|         - TestRoleUser |         - TestRoleUser | ||||||
|  | @ -1,19 +1,17 @@ | ||||||
| --- | --- | ||||||
| driver: | driver: | ||||||
|   name: podman |   name: docker | ||||||
| platforms: | platforms: | ||||||
|   - name: instance |   - name: instance | ||||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest |     image: registry.access.redhat.com/ubi8/ubi-init:latest | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|     privileged: true |     privileged: true | ||||||
|     command: "/usr/sbin/init" |     command: "/usr/sbin/init" | ||||||
|     port_bindings: |     port_bindings: | ||||||
|       - "8080/tcp" |       - "8080/tcp" | ||||||
|       - "8009/tcp" |       - "8009/tcp" | ||||||
|       - "9000/tcp" |  | ||||||
|     published_ports: |     published_ports: | ||||||
|       - 0.0.0.0:8080:8080/tcp |       - 0.0.0.0:8080:8080/tcp | ||||||
|       - 0.0.0.0:9000:9000/TCP |  | ||||||
| provisioner: | provisioner: | ||||||
|   name: ansible |   name: ansible | ||||||
|   config_options: |   config_options: | ||||||
|  | @ -31,8 +29,6 @@ provisioner: | ||||||
|         ansible_python_interpreter: "{{ ansible_playbook_python }}" |         ansible_python_interpreter: "{{ ansible_playbook_python }}" | ||||||
|   env: |   env: | ||||||
|     ANSIBLE_FORCE_COLOR: "true" |     ANSIBLE_FORCE_COLOR: "true" | ||||||
|     PROXY: "${PROXY}" |  | ||||||
|     NO_PROXY: "${NO_PROXY}" |  | ||||||
| verifier: | verifier: | ||||||
|   name: ansible |   name: ansible | ||||||
| scenario: | scenario: | ||||||
|  | @ -3,10 +3,10 @@ | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_show_deprecation_warnings: false |     keycloak_quarkus_show_deprecation_warnings: false | ||||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" |     keycloak_quarkus_admin_pass: "remembertochangeme" | ||||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" |     keycloak_admin_password: "remembertochangeme" | ||||||
|     keycloak_realm: TestRealm |     keycloak_realm: TestRealm | ||||||
|     keycloak_quarkus_hostname: https://instance:8443 |     keycloak_quarkus_host: instance | ||||||
|     keycloak_quarkus_log: file |     keycloak_quarkus_log: file | ||||||
|     keycloak_quarkus_log_level: debug # needed for the verify step |     keycloak_quarkus_log_level: debug # needed for the verify step | ||||||
|     keycloak_quarkus_https_key_file_enabled: true |     keycloak_quarkus_https_key_file_enabled: true | ||||||
|  | @ -22,12 +22,6 @@ | ||||||
|     keycloak_quarkus_systemd_wait_for_timeout: 20 |     keycloak_quarkus_systemd_wait_for_timeout: 20 | ||||||
|     keycloak_quarkus_systemd_wait_for_delay: 2 |     keycloak_quarkus_systemd_wait_for_delay: 2 | ||||||
|     keycloak_quarkus_systemd_wait_for_log: true |     keycloak_quarkus_systemd_wait_for_log: true | ||||||
|     keycloak_quarkus_restart_health_check: false # would fail because of self-signed cert |  | ||||||
|     keycloak_quarkus_version: 26.3.0 |  | ||||||
|     keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx1024m" |  | ||||||
|     keycloak_quarkus_additional_env_vars: |  | ||||||
|       - key: KC_FEATURES_DISABLED |  | ||||||
|         value: impersonation,kerberos |  | ||||||
|     keycloak_quarkus_providers: |     keycloak_quarkus_providers: | ||||||
|       - id: http-client |       - id: http-client | ||||||
|         spi: connections |         spi: connections | ||||||
|  | @ -38,32 +32,26 @@ | ||||||
|             value: 10 |             value: 10 | ||||||
|       - id: spid-saml |       - id: spid-saml | ||||||
|         url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar |         url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar | ||||||
|       - id: spid-saml-w-checksum |  | ||||||
|         url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar |  | ||||||
|         checksum: sha256:fbb50e73739d7a6d35b5bff611b1c01668b29adf6f6259624b95e466a305f377 |  | ||||||
|       - id: keycloak-kerberos-federation |       - id: keycloak-kerberos-federation | ||||||
|         maven: |         maven: | ||||||
|           repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4 |           repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4 | ||||||
|           group_id: org.keycloak |           group_id: org.keycloak | ||||||
|           artifact_id: keycloak-kerberos-federation |           artifact_id: keycloak-kerberos-federation | ||||||
|           version: 26.3.0 # optional |           version: 24.0.4 # optional | ||||||
|           # username: myUser # optional |           # username: myUser # optional | ||||||
|           # password: myPAT # optional |           # password: myPAT # optional | ||||||
|       # - id: my-static-theme |       # - id: my-static-theme | ||||||
|       #   local_path: /tmp/my-static-theme.jar |       #   local_path: /tmp/my-static-theme.jar | ||||||
|     keycloak_quarkus_policies: |     keycloak_quarkus_policies: | ||||||
|       - name: "cain-and-abel.txt" |       - name: "xato-net-10-million-passwords.txt" | ||||||
|         url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/cain-and-abel.txt" |         url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt" | ||||||
|       - name: "john-the-ripper.txt" |       - name: "xato-net-10-million-passwords-10.txt" | ||||||
|         url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt" |         url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords-10.txt" | ||||||
|         type: password-blacklists |         type: password-blacklists | ||||||
|   roles: |   roles: | ||||||
|     - role: keycloak_quarkus |     - role: keycloak_quarkus | ||||||
|     - role: keycloak_realm |     - role: keycloak_realm | ||||||
|       keycloak_url: http://instance:8080 |  | ||||||
|       keycloak_context: '' |       keycloak_context: '' | ||||||
|       keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}" |  | ||||||
|       keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}" |  | ||||||
|       keycloak_client_default_roles: |       keycloak_client_default_roles: | ||||||
|         - TestRoleAdmin |         - TestRoleAdmin | ||||||
|         - TestRoleUser |         - TestRoleUser | ||||||
|  |  | ||||||
|  | @ -3,7 +3,7 @@ driver: | ||||||
|   name: docker |   name: docker | ||||||
| platforms: | platforms: | ||||||
|   - name: instance |   - name: instance | ||||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest |     image: registry.access.redhat.com/ubi8/ubi-init:latest | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|     privileged: true |     privileged: true | ||||||
|     command: "/usr/sbin/init" |     command: "/usr/sbin/init" | ||||||
|  | @ -11,7 +11,6 @@ platforms: | ||||||
|       - "8080/tcp" |       - "8080/tcp" | ||||||
|       - "8443/tcp" |       - "8443/tcp" | ||||||
|       - "8009/tcp" |       - "8009/tcp" | ||||||
|       - "9000/tcp" |  | ||||||
|     published_ports: |     published_ports: | ||||||
|       - 0.0.0.0:8443:8443/tcp |       - 0.0.0.0:8443:8443/tcp | ||||||
| provisioner: | provisioner: | ||||||
|  | @ -31,9 +30,6 @@ provisioner: | ||||||
|         ansible_python_interpreter: "{{ ansible_playbook_python }}" |         ansible_python_interpreter: "{{ ansible_playbook_python }}" | ||||||
|   env: |   env: | ||||||
|     ANSIBLE_FORCE_COLOR: "true" |     ANSIBLE_FORCE_COLOR: "true" | ||||||
|     PYTHONHTTPSVERIFY: 0 |  | ||||||
|     PROXY: "${PROXY}" |  | ||||||
|     NO_PROXY: "${NO_PROXY}" |  | ||||||
| verifier: | verifier: | ||||||
|   name: ansible |   name: ansible | ||||||
| scenario: | scenario: | ||||||
|  |  | ||||||
|  | @ -24,7 +24,7 @@ | ||||||
|     - name: Make sure a jre is available (for keytool to prepare keystore) |     - name: Make sure a jre is available (for keytool to prepare keystore) | ||||||
|       delegate_to: localhost |       delegate_to: localhost | ||||||
|       ansible.builtin.package: |       ansible.builtin.package: | ||||||
|         name: java-21-openjdk-headless |         name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}" | ||||||
|         state: present |         state: present | ||||||
|       become: true |       become: true | ||||||
|       failed_when: false |       failed_when: false | ||||||
|  |  | ||||||
|  | @ -2,8 +2,7 @@ | ||||||
| - name: Verify | - name: Verify | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" |      keycloak_admin_password: "remembertochangeme" | ||||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" |  | ||||||
|   tasks: |   tasks: | ||||||
|     - name: Populate service facts |     - name: Populate service facts | ||||||
|       ansible.builtin.service_facts: |       ansible.builtin.service_facts: | ||||||
|  | @ -36,10 +35,10 @@ | ||||||
|         - name: Verify endpoint URLs |         - name: Verify endpoint URLs | ||||||
|           ansible.builtin.assert: |           ansible.builtin.assert: | ||||||
|             that: |             that: | ||||||
|               - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance:8443/realms/master/protocol/openid-connect/ext/ciba/auth' |               - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance/realms/master/protocol/openid-connect/ext/ciba/auth' | ||||||
|               - (openid_config.stdout | from_json)['issuer'] == 'https://instance:8443/realms/master' |               - (openid_config.stdout | from_json)['issuer'] == 'https://instance/realms/master' | ||||||
|               - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/auth' |               - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/auth' | ||||||
|               - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/token' |               - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/token' | ||||||
|           delegate_to: localhost |           delegate_to: localhost | ||||||
| 
 | 
 | ||||||
|     - name: Check log folder |     - name: Check log folder | ||||||
|  | @ -92,7 +91,7 @@ | ||||||
|       ansible.builtin.uri: |       ansible.builtin.uri: | ||||||
|         url: "https://instance:8443/realms/master/protocol/openid-connect/token" |         url: "https://instance:8443/realms/master/protocol/openid-connect/token" | ||||||
|         method: POST |         method: POST | ||||||
|         body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_password}}&grant_type=password" |         body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password" | ||||||
|         validate_certs: no |         validate_certs: no | ||||||
|       register: keycloak_auth_response |       register: keycloak_auth_response | ||||||
|       until: keycloak_auth_response.status == 200 |       until: keycloak_auth_response.status == 200 | ||||||
|  | @ -102,8 +101,8 @@ | ||||||
|     - name: "Get Clients" |     - name: "Get Clients" | ||||||
|       ansible.builtin.uri: |       ansible.builtin.uri: | ||||||
|         url: "https://instance:8443/admin/realms/TestRealm/clients" |         url: "https://instance:8443/admin/realms/TestRealm/clients" | ||||||
|         validate_certs: false |  | ||||||
|         headers: |         headers: | ||||||
|  |           validate_certs: false | ||||||
|           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" |           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" | ||||||
|       register: keycloak_clients |       register: keycloak_clients | ||||||
| 
 | 
 | ||||||
|  | @ -114,15 +113,15 @@ | ||||||
|     - name: "Get Client {{ keycloak_client_uuid }}" |     - name: "Get Client {{ keycloak_client_uuid }}" | ||||||
|       ansible.builtin.uri: |       ansible.builtin.uri: | ||||||
|         url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}" |         url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}" | ||||||
|         validate_certs: false |  | ||||||
|         headers: |         headers: | ||||||
|  |           validate_certs: false | ||||||
|           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" |           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" | ||||||
|       register: keycloak_test_client |       register: keycloak_test_client | ||||||
| 
 | 
 | ||||||
|     - name: "Get Client roles" |     - name: "Get Client roles" | ||||||
|       ansible.builtin.uri: |       ansible.builtin.uri: | ||||||
|         url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}/roles" |         url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}/roles" | ||||||
|         validate_certs: false |  | ||||||
|         headers: |         headers: | ||||||
|  |           validate_certs: false | ||||||
|           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" |           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" | ||||||
|       register: keycloak_test_client_roles |       register: keycloak_test_client_roles | ||||||
|  | @ -3,9 +3,10 @@ | ||||||
|   hosts: keycloak |   hosts: keycloak | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_show_deprecation_warnings: false |     keycloak_quarkus_show_deprecation_warnings: false | ||||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" |     keycloak_quarkus_admin_pass: "remembertochangeme" | ||||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" |     keycloak_admin_password: "remembertochangeme" | ||||||
|     keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080" |     keycloak_realm: TestRealm | ||||||
|  |     keycloak_quarkus_host: "{{ inventory_hostname }}" | ||||||
|     keycloak_quarkus_log: file |     keycloak_quarkus_log: file | ||||||
|     keycloak_quarkus_log_level: info |     keycloak_quarkus_log_level: info | ||||||
|     keycloak_quarkus_https_key_file_enabled: true |     keycloak_quarkus_https_key_file_enabled: true | ||||||
|  | @ -24,6 +25,6 @@ | ||||||
|     keycloak_quarkus_restart_strategy: restart/serial.yml |     keycloak_quarkus_restart_strategy: restart/serial.yml | ||||||
|     keycloak_quarkus_db_user: keycloak |     keycloak_quarkus_db_user: keycloak | ||||||
|     keycloak_quarkus_db_pass: mysecretpass |     keycloak_quarkus_db_pass: mysecretpass | ||||||
|     keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak |     keycloak_quarkus_jdbc_url: jdbc:postgresql://postgres:5432/keycloak | ||||||
|   roles: |   roles: | ||||||
|     - role: keycloak_quarkus |     - role: keycloak_quarkus | ||||||
|  |  | ||||||
|  | @ -14,7 +14,6 @@ platforms: | ||||||
|     port_bindings: |     port_bindings: | ||||||
|       - "8080/tcp" |       - "8080/tcp" | ||||||
|       - "8443/tcp" |       - "8443/tcp" | ||||||
|       - "9000/tcp" |  | ||||||
|   - name: instance2 |   - name: instance2 | ||||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest |     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|  | @ -27,7 +26,6 @@ platforms: | ||||||
|     port_bindings: |     port_bindings: | ||||||
|       - "8080/tcp" |       - "8080/tcp" | ||||||
|       - "8443/tcp" |       - "8443/tcp" | ||||||
|       - "9000/tcp" |  | ||||||
|   - name: postgres |   - name: postgres | ||||||
|     image: ubuntu/postgres:14-22.04_beta |     image: ubuntu/postgres:14-22.04_beta | ||||||
|     pre_build_image: true |     pre_build_image: true | ||||||
|  | @ -65,7 +63,6 @@ provisioner: | ||||||
|         ansible_python_interpreter: "{{ ansible_playbook_python }}" |         ansible_python_interpreter: "{{ ansible_playbook_python }}" | ||||||
|   env: |   env: | ||||||
|     ANSIBLE_FORCE_COLOR: "true" |     ANSIBLE_FORCE_COLOR: "true" | ||||||
|     PYTHONHTTPSVERIFY: 0 |  | ||||||
| verifier: | verifier: | ||||||
|   name: ansible |   name: ansible | ||||||
| scenario: | scenario: | ||||||
|  |  | ||||||
|  | @ -1,57 +0,0 @@ | ||||||
| --- |  | ||||||
| - name: Converge |  | ||||||
|   hosts: infinispan |  | ||||||
|   roles: |  | ||||||
|     - role: middleware_automation.infinispan.infinispan |  | ||||||
|       infinispan_service_name: infinispan |  | ||||||
|       infinispan_supervisor_password: remembertochangeme |  | ||||||
|       infinispan_keycloak_caches: true |  | ||||||
|       infinispan_keycloak_persistence: False |  | ||||||
|       infinispan_jdbc_engine: postgres |  | ||||||
|       infinispan_jdbc_url: jdbc:postgresql://postgres:5432/keycloak |  | ||||||
|       infinispan_jdbc_driver_version: 9.4.1212 |  | ||||||
|       infinispan_jdbc_user: keycloak |  | ||||||
|       infinispan_jdbc_pass: mysecretpass |  | ||||||
|       infinispan_bind_address: "{{ ansible_default_ipv4.address }}" |  | ||||||
|       infinispan_users: |  | ||||||
|         - { name: 'testuser', password: 'test', roles: 'observer' } |  | ||||||
| 
 |  | ||||||
| - name: Converge |  | ||||||
|   hosts: keycloak |  | ||||||
|   vars: |  | ||||||
|     keycloak_quarkus_show_deprecation_warnings: false |  | ||||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" |  | ||||||
|     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" |  | ||||||
|     keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080" |  | ||||||
|     keycloak_quarkus_log: file |  | ||||||
|     keycloak_quarkus_log_level: info |  | ||||||
|     keycloak_quarkus_https_key_file_enabled: true |  | ||||||
|     keycloak_quarkus_key_file_copy_enabled: true |  | ||||||
|     keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}" |  | ||||||
|     keycloak_quarkus_cert_file_copy_enabled: true |  | ||||||
|     keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem" |  | ||||||
|     keycloak_quarkus_ks_vault_enabled: true |  | ||||||
|     keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12" |  | ||||||
|     keycloak_quarkus_ks_vault_pass: keystorepassword |  | ||||||
|     keycloak_quarkus_systemd_wait_for_port: true |  | ||||||
|     keycloak_quarkus_systemd_wait_for_timeout: 20 |  | ||||||
|     keycloak_quarkus_systemd_wait_for_delay: 2 |  | ||||||
|     keycloak_quarkus_systemd_wait_for_log: true |  | ||||||
|     keycloak_quarkus_ha_enabled: true |  | ||||||
|     keycloak_quarkus_restart_strategy: restart/serial.yml |  | ||||||
|     keycloak_quarkus_db_user: keycloak |  | ||||||
|     keycloak_quarkus_db_pass: mysecretpass |  | ||||||
|     keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak |  | ||||||
|     keycloak_quarkus_cache_remote: true |  | ||||||
|     keycloak_quarkus_cache_remote_username: supervisor |  | ||||||
|     keycloak_quarkus_cache_remote_password: remembertochangeme |  | ||||||
|     keycloak_quarkus_cache_remote_host: "infinispan1" |  | ||||||
|     keycloak_quarkus_cache_remote_port: 11222 |  | ||||||
|     keycloak_quarkus_cache_remote_tls_enabled: false |  | ||||||
|     keycloak_quarkus_additional_env_vars: |  | ||||||
|       - key: KC_FEATURES |  | ||||||
|         value: clusterless |  | ||||||
|       - key: KC_FEATURES_DISABLED |  | ||||||
|         value: persistent-user-sessions |  | ||||||
|   roles: |  | ||||||
|     - role: keycloak_quarkus |  | ||||||
|  | @ -1,80 +0,0 @@ | ||||||
| --- |  | ||||||
| driver: |  | ||||||
|   name: docker |  | ||||||
| platforms: |  | ||||||
|   - name: keycloak1 |  | ||||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest |  | ||||||
|     pre_build_image: true |  | ||||||
|     privileged: true |  | ||||||
|     command: "/usr/sbin/init" |  | ||||||
|     groups: |  | ||||||
|       - keycloak |  | ||||||
|     networks: |  | ||||||
|       - name: rhbk |  | ||||||
|     port_bindings: |  | ||||||
|       - "8080/tcp" |  | ||||||
|       - "8443/tcp" |  | ||||||
|       - "9000/tcp" |  | ||||||
|   - name: infinispan1 |  | ||||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest |  | ||||||
|     pre_build_image: true |  | ||||||
|     privileged: true |  | ||||||
|     command: "/usr/sbin/init" |  | ||||||
|     groups: |  | ||||||
|       - infinispan |  | ||||||
|     networks: |  | ||||||
|       - name: rhbk |  | ||||||
|     port_bindings: |  | ||||||
|       - "11222/tcp" |  | ||||||
|   - name: postgres |  | ||||||
|     image: ubuntu/postgres:14-22.04_beta |  | ||||||
|     pre_build_image: true |  | ||||||
|     privileged: true |  | ||||||
|     command: postgres |  | ||||||
|     groups: |  | ||||||
|       - database |  | ||||||
|     networks: |  | ||||||
|       - name: rhbk |  | ||||||
|     port_bindings: |  | ||||||
|       - "5432/tcp" |  | ||||||
|     mounts: |  | ||||||
|       - type: bind |  | ||||||
|         target: /etc/postgresql/postgresql.conf |  | ||||||
|         source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf |  | ||||||
|     env: |  | ||||||
|       POSTGRES_USER: keycloak |  | ||||||
|       POSTGRES_PASSWORD: mysecretpass |  | ||||||
|       POSTGRES_DB: keycloak |  | ||||||
|       POSTGRES_HOST_AUTH_METHOD: trust |  | ||||||
| provisioner: |  | ||||||
|   name: ansible |  | ||||||
|   config_options: |  | ||||||
|     defaults: |  | ||||||
|       interpreter_python: auto_silent |  | ||||||
|     ssh_connection: |  | ||||||
|       pipelining: false |  | ||||||
|   playbooks: |  | ||||||
|     prepare: prepare.yml |  | ||||||
|     converge: converge.yml |  | ||||||
|     verify: verify.yml |  | ||||||
|   inventory: |  | ||||||
|     host_vars: |  | ||||||
|       localhost: |  | ||||||
|         ansible_python_interpreter: "{{ ansible_playbook_python }}" |  | ||||||
|   env: |  | ||||||
|     ANSIBLE_FORCE_COLOR: "true" |  | ||||||
|     PYTHONHTTPSVERIFY: 0 |  | ||||||
| verifier: |  | ||||||
|   name: ansible |  | ||||||
| scenario: |  | ||||||
|   test_sequence: |  | ||||||
|     - cleanup |  | ||||||
|     - destroy |  | ||||||
|     - create |  | ||||||
|     - prepare |  | ||||||
|     - converge |  | ||||||
|     - idempotence |  | ||||||
|     - side_effect |  | ||||||
|     - verify |  | ||||||
|     - cleanup |  | ||||||
|     - destroy |  | ||||||
|  | @ -1,750 +0,0 @@ | ||||||
| # ----------------------------- |  | ||||||
| # PostgreSQL configuration file |  | ||||||
| # ----------------------------- |  | ||||||
| # |  | ||||||
| # This file consists of lines of the form: |  | ||||||
| # |  | ||||||
| #   name = value |  | ||||||
| # |  | ||||||
| # (The "=" is optional.)  Whitespace may be used.  Comments are introduced with |  | ||||||
| # "#" anywhere on a line.  The complete list of parameter names and allowed |  | ||||||
| # values can be found in the PostgreSQL documentation. |  | ||||||
| # |  | ||||||
| # The commented-out settings shown in this file represent the default values. |  | ||||||
| # Re-commenting a setting is NOT sufficient to revert it to the default value; |  | ||||||
| # you need to reload the server. |  | ||||||
| # |  | ||||||
| # This file is read on server startup and when the server receives a SIGHUP |  | ||||||
| # signal.  If you edit the file on a running system, you have to SIGHUP the |  | ||||||
| # server for the changes to take effect, run "pg_ctl reload", or execute |  | ||||||
| # "SELECT pg_reload_conf()".  Some parameters, which are marked below, |  | ||||||
| # require a server shutdown and restart to take effect. |  | ||||||
| # |  | ||||||
| # Any parameter can also be given as a command-line option to the server, e.g., |  | ||||||
| # "postgres -c log_connections=on".  Some parameters can be changed at run time |  | ||||||
| # with the "SET" SQL command. |  | ||||||
| # |  | ||||||
| # Memory units:  kB = kilobytes        Time units:  ms  = milliseconds |  | ||||||
| #                MB = megabytes                     s   = seconds |  | ||||||
| #                GB = gigabytes                     min = minutes |  | ||||||
| #                TB = terabytes                     h   = hours |  | ||||||
| #                                                   d   = days |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| # FILE LOCATIONS |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| 
 |  | ||||||
| # The default values of these variables are driven from the -D command-line |  | ||||||
| # option or PGDATA environment variable, represented here as ConfigDir. |  | ||||||
| 
 |  | ||||||
| #data_directory = 'ConfigDir'		# use data in another directory |  | ||||||
| 					# (change requires restart) |  | ||||||
| #hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file |  | ||||||
| 					# (change requires restart) |  | ||||||
| #ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file |  | ||||||
| 					# (change requires restart) |  | ||||||
| 
 |  | ||||||
| # If external_pid_file is not explicitly set, no extra PID file is written. |  | ||||||
| #external_pid_file = ''			# write an extra PID file |  | ||||||
| 					# (change requires restart) |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| # CONNECTIONS AND AUTHENTICATION |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| 
 |  | ||||||
| # - Connection Settings - |  | ||||||
| 
 |  | ||||||
| listen_addresses = '*'		# what IP address(es) to listen on; |  | ||||||
| 					# comma-separated list of addresses; |  | ||||||
| 					# defaults to 'localhost'; use '*' for all |  | ||||||
| 					# (change requires restart) |  | ||||||
| #port = 5432				# (change requires restart) |  | ||||||
| #max_connections = 100			# (change requires restart) |  | ||||||
| #superuser_reserved_connections = 3	# (change requires restart) |  | ||||||
| #unix_socket_directories = '/tmp'	# comma-separated list of directories |  | ||||||
| 					# (change requires restart) |  | ||||||
| #unix_socket_group = ''			# (change requires restart) |  | ||||||
| #unix_socket_permissions = 0777		# begin with 0 to use octal notation |  | ||||||
| 					# (change requires restart) |  | ||||||
| #bonjour = off				# advertise server via Bonjour |  | ||||||
| 					# (change requires restart) |  | ||||||
| #bonjour_name = ''			# defaults to the computer name |  | ||||||
| 					# (change requires restart) |  | ||||||
| 
 |  | ||||||
| # - TCP settings - |  | ||||||
| # see "man 7 tcp" for details |  | ||||||
| 
 |  | ||||||
| #tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds; |  | ||||||
| 					# 0 selects the system default |  | ||||||
| #tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds; |  | ||||||
| 					# 0 selects the system default |  | ||||||
| #tcp_keepalives_count = 0		# TCP_KEEPCNT; |  | ||||||
| 					# 0 selects the system default |  | ||||||
| #tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds; |  | ||||||
| 					# 0 selects the system default |  | ||||||
| 
 |  | ||||||
| # - Authentication - |  | ||||||
| 
 |  | ||||||
| #authentication_timeout = 1min		# 1s-600s |  | ||||||
| #password_encryption = md5		# md5 or scram-sha-256 |  | ||||||
| #db_user_namespace = off |  | ||||||
| 
 |  | ||||||
| # GSSAPI using Kerberos |  | ||||||
| #krb_server_keyfile = '' |  | ||||||
| #krb_caseins_users = off |  | ||||||
| 
 |  | ||||||
| # - SSL - |  | ||||||
| 
 |  | ||||||
| #ssl = off |  | ||||||
| #ssl_ca_file = '' |  | ||||||
| #ssl_cert_file = 'server.crt' |  | ||||||
| #ssl_crl_file = '' |  | ||||||
| #ssl_key_file = 'server.key' |  | ||||||
| #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers |  | ||||||
| #ssl_prefer_server_ciphers = on |  | ||||||
| #ssl_ecdh_curve = 'prime256v1' |  | ||||||
| #ssl_min_protocol_version = 'TLSv1' |  | ||||||
| #ssl_max_protocol_version = '' |  | ||||||
| #ssl_dh_params_file = '' |  | ||||||
| #ssl_passphrase_command = '' |  | ||||||
| #ssl_passphrase_command_supports_reload = off |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| # RESOURCE USAGE (except WAL) |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| 
 |  | ||||||
| # - Memory - |  | ||||||
| 
 |  | ||||||
| #shared_buffers = 32MB			# min 128kB |  | ||||||
| 					# (change requires restart) |  | ||||||
| #huge_pages = try			# on, off, or try |  | ||||||
| 					# (change requires restart) |  | ||||||
| #temp_buffers = 8MB			# min 800kB |  | ||||||
| #max_prepared_transactions = 0		# zero disables the feature |  | ||||||
| 					# (change requires restart) |  | ||||||
| # Caution: it is not advisable to set max_prepared_transactions nonzero unless |  | ||||||
| # you actively intend to use prepared transactions. |  | ||||||
| #work_mem = 4MB				# min 64kB |  | ||||||
| #maintenance_work_mem = 64MB		# min 1MB |  | ||||||
| #autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem |  | ||||||
| #max_stack_depth = 2MB			# min 100kB |  | ||||||
| #shared_memory_type = mmap		# the default is the first option |  | ||||||
| 					# supported by the operating system: |  | ||||||
| 					#   mmap |  | ||||||
| 					#   sysv |  | ||||||
| 					#   windows |  | ||||||
| 					# (change requires restart) |  | ||||||
| #dynamic_shared_memory_type = posix	# the default is the first option |  | ||||||
| 					# supported by the operating system: |  | ||||||
| 					#   posix |  | ||||||
| 					#   sysv |  | ||||||
| 					#   windows |  | ||||||
| 					#   mmap |  | ||||||
| 					# (change requires restart) |  | ||||||
| 
 |  | ||||||
| # - Disk - |  | ||||||
| 
 |  | ||||||
| #temp_file_limit = -1			# limits per-process temp file space |  | ||||||
| 					# in kB, or -1 for no limit |  | ||||||
| 
 |  | ||||||
| # - Kernel Resources - |  | ||||||
| 
 |  | ||||||
| #max_files_per_process = 1000		# min 25 |  | ||||||
| 					# (change requires restart) |  | ||||||
| 
 |  | ||||||
| # - Cost-Based Vacuum Delay - |  | ||||||
| 
 |  | ||||||
| #vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables) |  | ||||||
| #vacuum_cost_page_hit = 1		# 0-10000 credits |  | ||||||
| #vacuum_cost_page_miss = 10		# 0-10000 credits |  | ||||||
| #vacuum_cost_page_dirty = 20		# 0-10000 credits |  | ||||||
| #vacuum_cost_limit = 200		# 1-10000 credits |  | ||||||
| 
 |  | ||||||
| # - Background Writer - |  | ||||||
| 
 |  | ||||||
| #bgwriter_delay = 200ms			# 10-10000ms between rounds |  | ||||||
| #bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables |  | ||||||
| #bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round |  | ||||||
| #bgwriter_flush_after = 0		# measured in pages, 0 disables |  | ||||||
| 
 |  | ||||||
| # - Asynchronous Behavior - |  | ||||||
| 
 |  | ||||||
| #effective_io_concurrency = 1		# 1-1000; 0 disables prefetching |  | ||||||
| #max_worker_processes = 8		# (change requires restart) |  | ||||||
| #max_parallel_maintenance_workers = 2	# taken from max_parallel_workers |  | ||||||
| #max_parallel_workers_per_gather = 2	# taken from max_parallel_workers |  | ||||||
| #parallel_leader_participation = on |  | ||||||
| #max_parallel_workers = 8		# maximum number of max_worker_processes that |  | ||||||
| 					# can be used in parallel operations |  | ||||||
| #old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate |  | ||||||
| 					# (change requires restart) |  | ||||||
| #backend_flush_after = 0		# measured in pages, 0 disables |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| # WRITE-AHEAD LOG |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| 
 |  | ||||||
| # - Settings - |  | ||||||
| 
 |  | ||||||
| #wal_level = replica			# minimal, replica, or logical |  | ||||||
| 					# (change requires restart) |  | ||||||
| #fsync = on				# flush data to disk for crash safety |  | ||||||
| 					# (turning this off can cause |  | ||||||
| 					# unrecoverable data corruption) |  | ||||||
| #synchronous_commit = on		# synchronization level; |  | ||||||
| 					# off, local, remote_write, remote_apply, or on |  | ||||||
| #wal_sync_method = fsync		# the default is the first option |  | ||||||
| 					# supported by the operating system: |  | ||||||
| 					#   open_datasync |  | ||||||
| 					#   fdatasync (default on Linux) |  | ||||||
| 					#   fsync |  | ||||||
| 					#   fsync_writethrough |  | ||||||
| 					#   open_sync |  | ||||||
| #full_page_writes = on			# recover from partial page writes |  | ||||||
| #wal_compression = off			# enable compression of full-page writes |  | ||||||
| #wal_log_hints = off			# also do full page writes of non-critical updates |  | ||||||
| 					# (change requires restart) |  | ||||||
| #wal_init_zero = on			# zero-fill new WAL files |  | ||||||
| #wal_recycle = on			# recycle WAL files |  | ||||||
| #wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers |  | ||||||
| 					# (change requires restart) |  | ||||||
| #wal_writer_delay = 200ms		# 1-10000 milliseconds |  | ||||||
| #wal_writer_flush_after = 1MB		# measured in pages, 0 disables |  | ||||||
| 
 |  | ||||||
| #commit_delay = 0			# range 0-100000, in microseconds |  | ||||||
| #commit_siblings = 5			# range 1-1000 |  | ||||||
| 
 |  | ||||||
| # - Checkpoints - |  | ||||||
| 
 |  | ||||||
| #checkpoint_timeout = 5min		# range 30s-1d |  | ||||||
| #max_wal_size = 1GB |  | ||||||
| #min_wal_size = 80MB |  | ||||||
| #checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0 |  | ||||||
| #checkpoint_flush_after = 0		# measured in pages, 0 disables |  | ||||||
| #checkpoint_warning = 30s		# 0 disables |  | ||||||
| 
 |  | ||||||
| # - Archiving - |  | ||||||
| 
 |  | ||||||
| #archive_mode = off		# enables archiving; off, on, or always |  | ||||||
| 				# (change requires restart) |  | ||||||
| #archive_command = ''		# command to use to archive a logfile segment |  | ||||||
| 				# placeholders: %p = path of file to archive |  | ||||||
| 				#               %f = file name only |  | ||||||
| 				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f' |  | ||||||
| #archive_timeout = 0		# force a logfile segment switch after this |  | ||||||
| 				# number of seconds; 0 disables |  | ||||||
| 
 |  | ||||||
| # - Archive Recovery - |  | ||||||
| 
 |  | ||||||
| # These are only used in recovery mode. |  | ||||||
| 
 |  | ||||||
| #restore_command = ''		# command to use to restore an archived logfile segment |  | ||||||
| 				# placeholders: %p = path of file to restore |  | ||||||
| 				#               %f = file name only |  | ||||||
| 				# e.g. 'cp /mnt/server/archivedir/%f %p' |  | ||||||
| 				# (change requires restart) |  | ||||||
| #archive_cleanup_command = ''	# command to execute at every restartpoint |  | ||||||
| #recovery_end_command = ''	# command to execute at completion of recovery |  | ||||||
| 
 |  | ||||||
| # - Recovery Target - |  | ||||||
| 
 |  | ||||||
| # Set these only when performing a targeted recovery. |  | ||||||
| 
 |  | ||||||
| #recovery_target = ''		# 'immediate' to end recovery as soon as a |  | ||||||
|                                 # consistent state is reached |  | ||||||
| 				# (change requires restart) |  | ||||||
| #recovery_target_name = ''	# the named restore point to which recovery will proceed |  | ||||||
| 				# (change requires restart) |  | ||||||
| #recovery_target_time = ''	# the time stamp up to which recovery will proceed |  | ||||||
| 				# (change requires restart) |  | ||||||
| #recovery_target_xid = ''	# the transaction ID up to which recovery will proceed |  | ||||||
| 				# (change requires restart) |  | ||||||
| #recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed |  | ||||||
| 				# (change requires restart) |  | ||||||
| #recovery_target_inclusive = on # Specifies whether to stop: |  | ||||||
| 				# just after the specified recovery target (on) |  | ||||||
| 				# just before the recovery target (off) |  | ||||||
| 				# (change requires restart) |  | ||||||
| #recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID |  | ||||||
| 				# (change requires restart) |  | ||||||
| #recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown' |  | ||||||
| 				# (change requires restart) |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| # REPLICATION |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| 
 |  | ||||||
| # - Sending Servers - |  | ||||||
| 
 |  | ||||||
| # Set these on the master and on any standby that will send replication data. |  | ||||||
| 
 |  | ||||||
| #max_wal_senders = 10		# max number of walsender processes |  | ||||||
| 				# (change requires restart) |  | ||||||
| #wal_keep_segments = 0		# in logfile segments; 0 disables |  | ||||||
| #wal_sender_timeout = 60s	# in milliseconds; 0 disables |  | ||||||
| 
 |  | ||||||
| #max_replication_slots = 10	# max number of replication slots |  | ||||||
| 				# (change requires restart) |  | ||||||
| #track_commit_timestamp = off	# collect timestamp of transaction commit |  | ||||||
| 				# (change requires restart) |  | ||||||
| 
 |  | ||||||
| # - Master Server - |  | ||||||
| 
 |  | ||||||
| # These settings are ignored on a standby server. |  | ||||||
| 
 |  | ||||||
| #synchronous_standby_names = ''	# standby servers that provide sync rep |  | ||||||
| 				# method to choose sync standbys, number of sync standbys, |  | ||||||
| 				# and comma-separated list of application_name |  | ||||||
| 				# from standby(s); '*' = all |  | ||||||
| #vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed |  | ||||||
| 
 |  | ||||||
| # - Standby Servers - |  | ||||||
| 
 |  | ||||||
| # These settings are ignored on a master server. |  | ||||||
| 
 |  | ||||||
| #primary_conninfo = ''			# connection string to sending server |  | ||||||
| 					# (change requires restart) |  | ||||||
| #primary_slot_name = ''			# replication slot on sending server |  | ||||||
| 					# (change requires restart) |  | ||||||
| #promote_trigger_file = ''		# file name whose presence ends recovery |  | ||||||
| #hot_standby = on			# "off" disallows queries during recovery |  | ||||||
| 					# (change requires restart) |  | ||||||
| #max_standby_archive_delay = 30s	# max delay before canceling queries |  | ||||||
| 					# when reading WAL from archive; |  | ||||||
| 					# -1 allows indefinite delay |  | ||||||
| #max_standby_streaming_delay = 30s	# max delay before canceling queries |  | ||||||
| 					# when reading streaming WAL; |  | ||||||
| 					# -1 allows indefinite delay |  | ||||||
| #wal_receiver_status_interval = 10s	# send replies at least this often |  | ||||||
| 					# 0 disables |  | ||||||
| #hot_standby_feedback = off		# send info from standby to prevent |  | ||||||
| 					# query conflicts |  | ||||||
| #wal_receiver_timeout = 60s		# time that receiver waits for |  | ||||||
| 					# communication from master |  | ||||||
| 					# in milliseconds; 0 disables |  | ||||||
| #wal_retrieve_retry_interval = 5s	# time to wait before retrying to |  | ||||||
| 					# retrieve WAL after a failed attempt |  | ||||||
| #recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery |  | ||||||
| 
 |  | ||||||
| # - Subscribers - |  | ||||||
| 
 |  | ||||||
| # These settings are ignored on a publisher. |  | ||||||
| 
 |  | ||||||
| #max_logical_replication_workers = 4	# taken from max_worker_processes |  | ||||||
| 					# (change requires restart) |  | ||||||
| #max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| # QUERY TUNING |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| 
 |  | ||||||
| # - Planner Method Configuration - |  | ||||||
| 
 |  | ||||||
| #enable_bitmapscan = on |  | ||||||
| #enable_hashagg = on |  | ||||||
| #enable_hashjoin = on |  | ||||||
| #enable_indexscan = on |  | ||||||
| #enable_indexonlyscan = on |  | ||||||
| #enable_material = on |  | ||||||
| #enable_mergejoin = on |  | ||||||
| #enable_nestloop = on |  | ||||||
| #enable_parallel_append = on |  | ||||||
| #enable_seqscan = on |  | ||||||
| #enable_sort = on |  | ||||||
| #enable_tidscan = on |  | ||||||
| #enable_partitionwise_join = off |  | ||||||
| #enable_partitionwise_aggregate = off |  | ||||||
| #enable_parallel_hash = on |  | ||||||
| #enable_partition_pruning = on |  | ||||||
| 
 |  | ||||||
| # - Planner Cost Constants - |  | ||||||
| 
 |  | ||||||
| #seq_page_cost = 1.0			# measured on an arbitrary scale |  | ||||||
| #random_page_cost = 4.0			# same scale as above |  | ||||||
| #cpu_tuple_cost = 0.01			# same scale as above |  | ||||||
| #cpu_index_tuple_cost = 0.005		# same scale as above |  | ||||||
| #cpu_operator_cost = 0.0025		# same scale as above |  | ||||||
| #parallel_tuple_cost = 0.1		# same scale as above |  | ||||||
| #parallel_setup_cost = 1000.0	# same scale as above |  | ||||||
| 
 |  | ||||||
| #jit_above_cost = 100000		# perform JIT compilation if available |  | ||||||
| 					# and query more expensive than this; |  | ||||||
| 					# -1 disables |  | ||||||
| #jit_inline_above_cost = 500000		# inline small functions if query is |  | ||||||
| 					# more expensive than this; -1 disables |  | ||||||
| #jit_optimize_above_cost = 500000	# use expensive JIT optimizations if |  | ||||||
| 					# query is more expensive than this; |  | ||||||
| 					# -1 disables |  | ||||||
| 
 |  | ||||||
| #min_parallel_table_scan_size = 8MB |  | ||||||
| #min_parallel_index_scan_size = 512kB |  | ||||||
| #effective_cache_size = 4GB |  | ||||||
| 
 |  | ||||||
| # - Genetic Query Optimizer - |  | ||||||
| 
 |  | ||||||
| #geqo = on |  | ||||||
| #geqo_threshold = 12 |  | ||||||
| #geqo_effort = 5			# range 1-10 |  | ||||||
| #geqo_pool_size = 0			# selects default based on effort |  | ||||||
| #geqo_generations = 0			# selects default based on effort |  | ||||||
| #geqo_selection_bias = 2.0		# range 1.5-2.0 |  | ||||||
| #geqo_seed = 0.0			# range 0.0-1.0 |  | ||||||
| 
 |  | ||||||
| # - Other Planner Options - |  | ||||||
| 
 |  | ||||||
| #default_statistics_target = 100	# range 1-10000 |  | ||||||
| #constraint_exclusion = partition	# on, off, or partition |  | ||||||
| #cursor_tuple_fraction = 0.1		# range 0.0-1.0 |  | ||||||
| #from_collapse_limit = 8 |  | ||||||
| #join_collapse_limit = 8		# 1 disables collapsing of explicit |  | ||||||
| 					# JOIN clauses |  | ||||||
| #force_parallel_mode = off |  | ||||||
| #jit = on				# allow JIT compilation |  | ||||||
| #plan_cache_mode = auto			# auto, force_generic_plan or |  | ||||||
| 					# force_custom_plan |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| # REPORTING AND LOGGING |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| 
 |  | ||||||
| # - Where to Log - |  | ||||||
| 
 |  | ||||||
| #log_destination = 'stderr'		# Valid values are combinations of |  | ||||||
| 					# stderr, csvlog, syslog, and eventlog, |  | ||||||
| 					# depending on platform.  csvlog |  | ||||||
| 					# requires logging_collector to be on. |  | ||||||
| 
 |  | ||||||
| # This is used when logging to stderr: |  | ||||||
| #logging_collector = off		# Enable capturing of stderr and csvlog |  | ||||||
| 					# into log files. Required to be on for |  | ||||||
| 					# csvlogs. |  | ||||||
| 					# (change requires restart) |  | ||||||
| 
 |  | ||||||
| # These are only used if logging_collector is on: |  | ||||||
| #log_directory = 'log'			# directory where log files are written, |  | ||||||
| 					# can be absolute or relative to PGDATA |  | ||||||
| #log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'	# log file name pattern, |  | ||||||
| 					# can include strftime() escapes |  | ||||||
| #log_file_mode = 0600			# creation mode for log files, |  | ||||||
| 					# begin with 0 to use octal notation |  | ||||||
| #log_truncate_on_rotation = off		# If on, an existing log file with the |  | ||||||
| 					# same name as the new log file will be |  | ||||||
| 					# truncated rather than appended to. |  | ||||||
| 					# But such truncation only occurs on |  | ||||||
| 					# time-driven rotation, not on restarts |  | ||||||
| 					# or size-driven rotation.  Default is |  | ||||||
| 					# off, meaning append to existing files |  | ||||||
| 					# in all cases. |  | ||||||
| #log_rotation_age = 1d			# Automatic rotation of logfiles will |  | ||||||
| 					# happen after that time.  0 disables. |  | ||||||
| #log_rotation_size = 10MB		# Automatic rotation of logfiles will |  | ||||||
| 					# happen after that much log output. |  | ||||||
| 					# 0 disables. |  | ||||||
| 
 |  | ||||||
| # These are relevant when logging to syslog: |  | ||||||
| #syslog_facility = 'LOCAL0' |  | ||||||
| #syslog_ident = 'postgres' |  | ||||||
| #syslog_sequence_numbers = on |  | ||||||
| #syslog_split_messages = on |  | ||||||
| 
 |  | ||||||
| # This is only relevant when logging to eventlog (win32): |  | ||||||
| # (change requires restart) |  | ||||||
| #event_source = 'PostgreSQL' |  | ||||||
| 
 |  | ||||||
| # - When to Log - |  | ||||||
| 
 |  | ||||||
| #log_min_messages = warning		# values in order of decreasing detail: |  | ||||||
| 					#   debug5 |  | ||||||
| 					#   debug4 |  | ||||||
| 					#   debug3 |  | ||||||
| 					#   debug2 |  | ||||||
| 					#   debug1 |  | ||||||
| 					#   info |  | ||||||
| 					#   notice |  | ||||||
| 					#   warning |  | ||||||
| 					#   error |  | ||||||
| 					#   log |  | ||||||
| 					#   fatal |  | ||||||
| 					#   panic |  | ||||||
| 
 |  | ||||||
| #log_min_error_statement = error	# values in order of decreasing detail: |  | ||||||
| 					#   debug5 |  | ||||||
| 					#   debug4 |  | ||||||
| 					#   debug3 |  | ||||||
| 					#   debug2 |  | ||||||
| 					#   debug1 |  | ||||||
| 					#   info |  | ||||||
| 					#   notice |  | ||||||
| 					#   warning |  | ||||||
| 					#   error |  | ||||||
| 					#   log |  | ||||||
| 					#   fatal |  | ||||||
| 					#   panic (effectively off) |  | ||||||
| 
 |  | ||||||
| #log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements |  | ||||||
| 					# and their durations, > 0 logs only |  | ||||||
| 					# statements running at least this number |  | ||||||
| 					# of milliseconds |  | ||||||
| 
 |  | ||||||
| #log_transaction_sample_rate = 0.0	# Fraction of transactions whose statements |  | ||||||
| 					# are logged regardless of their duration. 1.0 logs all |  | ||||||
| 					# statements from all transactions, 0.0 never logs. |  | ||||||
| 
 |  | ||||||
| # - What to Log - |  | ||||||
| 
 |  | ||||||
| #debug_print_parse = off |  | ||||||
| #debug_print_rewritten = off |  | ||||||
| #debug_print_plan = off |  | ||||||
| #debug_pretty_print = on |  | ||||||
| #log_checkpoints = off |  | ||||||
| #log_connections = off |  | ||||||
| #log_disconnections = off |  | ||||||
| #log_duration = off |  | ||||||
| #log_error_verbosity = default		# terse, default, or verbose messages |  | ||||||
| #log_hostname = off |  | ||||||
| #log_line_prefix = '%m [%p] '		# special values: |  | ||||||
| 					#   %a = application name |  | ||||||
| 					#   %u = user name |  | ||||||
| 					#   %d = database name |  | ||||||
| 					#   %r = remote host and port |  | ||||||
| 					#   %h = remote host |  | ||||||
| 					#   %p = process ID |  | ||||||
| 					#   %t = timestamp without milliseconds |  | ||||||
| 					#   %m = timestamp with milliseconds |  | ||||||
| 					#   %n = timestamp with milliseconds (as a Unix epoch) |  | ||||||
| 					#   %i = command tag |  | ||||||
| 					#   %e = SQL state |  | ||||||
| 					#   %c = session ID |  | ||||||
| 					#   %l = session line number |  | ||||||
| 					#   %s = session start timestamp |  | ||||||
| 					#   %v = virtual transaction ID |  | ||||||
| 					#   %x = transaction ID (0 if none) |  | ||||||
| 					#   %q = stop here in non-session |  | ||||||
| 					#        processes |  | ||||||
| 					#   %% = '%' |  | ||||||
| 					# e.g. '<%u%%%d> ' |  | ||||||
| #log_lock_waits = off			# log lock waits >= deadlock_timeout |  | ||||||
| #log_statement = 'none'			# none, ddl, mod, all |  | ||||||
| #log_replication_commands = off |  | ||||||
| #log_temp_files = -1			# log temporary files equal or larger |  | ||||||
| 					# than the specified size in kilobytes; |  | ||||||
| 					# -1 disables, 0 logs all temp files |  | ||||||
| #log_timezone = 'GMT' |  | ||||||
| 
 |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| # PROCESS TITLE |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| 
 |  | ||||||
| #cluster_name = ''			# added to process titles if nonempty |  | ||||||
| 					# (change requires restart) |  | ||||||
| #update_process_title = on |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| # STATISTICS |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| 
 |  | ||||||
| # - Query and Index Statistics Collector - |  | ||||||
| 
 |  | ||||||
| #track_activities = on |  | ||||||
| #track_counts = on |  | ||||||
| #track_io_timing = off |  | ||||||
| #track_functions = none			# none, pl, all |  | ||||||
| #track_activity_query_size = 1024	# (change requires restart) |  | ||||||
| #stats_temp_directory = 'pg_stat_tmp' |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| # - Monitoring - |  | ||||||
| 
 |  | ||||||
| #log_parser_stats = off |  | ||||||
| #log_planner_stats = off |  | ||||||
| #log_executor_stats = off |  | ||||||
| #log_statement_stats = off |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| # AUTOVACUUM |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| 
 |  | ||||||
| #autovacuum = on			# Enable autovacuum subprocess?  'on' |  | ||||||
| 					# requires track_counts to also be on. |  | ||||||
| #log_autovacuum_min_duration = -1	# -1 disables, 0 logs all actions and |  | ||||||
| 					# their durations, > 0 logs only |  | ||||||
| 					# actions running at least this number |  | ||||||
| 					# of milliseconds. |  | ||||||
| #autovacuum_max_workers = 3		# max number of autovacuum subprocesses |  | ||||||
| 					# (change requires restart) |  | ||||||
| #autovacuum_naptime = 1min		# time between autovacuum runs |  | ||||||
| #autovacuum_vacuum_threshold = 50	# min number of row updates before |  | ||||||
| 					# vacuum |  | ||||||
| #autovacuum_analyze_threshold = 50	# min number of row updates before |  | ||||||
| 					# analyze |  | ||||||
| #autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum |  | ||||||
| #autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze |  | ||||||
| #autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum |  | ||||||
| 					# (change requires restart) |  | ||||||
| #autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age |  | ||||||
| 					# before forced vacuum |  | ||||||
| 					# (change requires restart) |  | ||||||
| #autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for |  | ||||||
| 					# autovacuum, in milliseconds; |  | ||||||
| 					# -1 means use vacuum_cost_delay |  | ||||||
| #autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for |  | ||||||
| 					# autovacuum, -1 means use |  | ||||||
| 					# vacuum_cost_limit |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| # CLIENT CONNECTION DEFAULTS |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| 
 |  | ||||||
| # - Statement Behavior - |  | ||||||
| 
 |  | ||||||
| #client_min_messages = notice		# values in order of decreasing detail: |  | ||||||
| 					#   debug5 |  | ||||||
| 					#   debug4 |  | ||||||
| 					#   debug3 |  | ||||||
| 					#   debug2 |  | ||||||
| 					#   debug1 |  | ||||||
| 					#   log |  | ||||||
| 					#   notice |  | ||||||
| 					#   warning |  | ||||||
| 					#   error |  | ||||||
| #search_path = '"$user", public'	# schema names |  | ||||||
| #row_security = on |  | ||||||
| #default_tablespace = ''		# a tablespace name, '' uses the default |  | ||||||
| #temp_tablespaces = ''			# a list of tablespace names, '' uses |  | ||||||
| 					# only default tablespace |  | ||||||
| #default_table_access_method = 'heap' |  | ||||||
| #check_function_bodies = on |  | ||||||
| #default_transaction_isolation = 'read committed' |  | ||||||
| #default_transaction_read_only = off |  | ||||||
| #default_transaction_deferrable = off |  | ||||||
| #session_replication_role = 'origin' |  | ||||||
| #statement_timeout = 0			# in milliseconds, 0 is disabled |  | ||||||
| #lock_timeout = 0			# in milliseconds, 0 is disabled |  | ||||||
| #idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled |  | ||||||
| #vacuum_freeze_min_age = 50000000 |  | ||||||
| #vacuum_freeze_table_age = 150000000 |  | ||||||
| #vacuum_multixact_freeze_min_age = 5000000 |  | ||||||
| #vacuum_multixact_freeze_table_age = 150000000 |  | ||||||
| #vacuum_cleanup_index_scale_factor = 0.1	# fraction of total number of tuples |  | ||||||
| 						# before index cleanup, 0 always performs |  | ||||||
| 						# index cleanup |  | ||||||
| #bytea_output = 'hex'			# hex, escape |  | ||||||
| #xmlbinary = 'base64' |  | ||||||
| #xmloption = 'content' |  | ||||||
| #gin_fuzzy_search_limit = 0 |  | ||||||
| #gin_pending_list_limit = 4MB |  | ||||||
| 
 |  | ||||||
| # - Locale and Formatting - |  | ||||||
| 
 |  | ||||||
| #datestyle = 'iso, mdy' |  | ||||||
| #intervalstyle = 'postgres' |  | ||||||
| #timezone = 'GMT' |  | ||||||
| #timezone_abbreviations = 'Default'     # Select the set of available time zone |  | ||||||
| 					# abbreviations.  Currently, there are |  | ||||||
| 					#   Default |  | ||||||
| 					#   Australia (historical usage) |  | ||||||
| 					#   India |  | ||||||
| 					# You can create your own file in |  | ||||||
| 					# share/timezonesets/. |  | ||||||
| #extra_float_digits = 1			# min -15, max 3; any value >0 actually |  | ||||||
| 					# selects precise output mode |  | ||||||
| #client_encoding = sql_ascii		# actually, defaults to database |  | ||||||
| 					# encoding |  | ||||||
| 
 |  | ||||||
| # These settings are initialized by initdb, but they can be changed. |  | ||||||
| #lc_messages = 'C'			# locale for system error message |  | ||||||
| 					# strings |  | ||||||
| #lc_monetary = 'C'			# locale for monetary formatting |  | ||||||
| #lc_numeric = 'C'			# locale for number formatting |  | ||||||
| #lc_time = 'C'				# locale for time formatting |  | ||||||
| 
 |  | ||||||
| # default configuration for text search |  | ||||||
| #default_text_search_config = 'pg_catalog.simple' |  | ||||||
| 
 |  | ||||||
| # - Shared Library Preloading - |  | ||||||
| 
 |  | ||||||
| #shared_preload_libraries = ''	# (change requires restart) |  | ||||||
| #local_preload_libraries = '' |  | ||||||
| #session_preload_libraries = '' |  | ||||||
| #jit_provider = 'llvmjit'		# JIT library to use |  | ||||||
| 
 |  | ||||||
| # - Other Defaults - |  | ||||||
| 
 |  | ||||||
| #dynamic_library_path = '$libdir' |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| # LOCK MANAGEMENT |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| 
 |  | ||||||
| #deadlock_timeout = 1s |  | ||||||
| #max_locks_per_transaction = 64		# min 10 |  | ||||||
| 					# (change requires restart) |  | ||||||
| #max_pred_locks_per_transaction = 64	# min 10 |  | ||||||
| 					# (change requires restart) |  | ||||||
| #max_pred_locks_per_relation = -2	# negative values mean |  | ||||||
| 					# (max_pred_locks_per_transaction |  | ||||||
| 					#  / -max_pred_locks_per_relation) - 1 |  | ||||||
| #max_pred_locks_per_page = 2            # min 0 |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| # VERSION AND PLATFORM COMPATIBILITY |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| 
 |  | ||||||
| # - Previous PostgreSQL Versions - |  | ||||||
| 
 |  | ||||||
| #array_nulls = on |  | ||||||
| #backslash_quote = safe_encoding	# on, off, or safe_encoding |  | ||||||
| #escape_string_warning = on |  | ||||||
| #lo_compat_privileges = off |  | ||||||
| #operator_precedence_warning = off |  | ||||||
| #quote_all_identifiers = off |  | ||||||
| #standard_conforming_strings = on |  | ||||||
| #synchronize_seqscans = on |  | ||||||
| 
 |  | ||||||
| # - Other Platforms and Clients - |  | ||||||
| 
 |  | ||||||
| #transform_null_equals = off |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| # ERROR HANDLING |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| 
 |  | ||||||
| #exit_on_error = off			# terminate session on any error? |  | ||||||
| #restart_after_crash = on		# reinitialize after backend crash? |  | ||||||
| #data_sync_retry = off			# retry or panic on failure to fsync |  | ||||||
| 					# data? |  | ||||||
| 					# (change requires restart) |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| # CONFIG FILE INCLUDES |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| 
 |  | ||||||
| # These options allow settings to be loaded from files other than the |  | ||||||
| # default postgresql.conf.  Note that these are directives, not variable |  | ||||||
| # assignments, so they can usefully be given more than once. |  | ||||||
| 
 |  | ||||||
| #include_dir = '...'			# include files ending in '.conf' from |  | ||||||
| 					# a directory, e.g., 'conf.d' |  | ||||||
| #include_if_exists = '...'		# include file only if it exists |  | ||||||
| #include = '...'			# include file |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| # CUSTOMIZED OPTIONS |  | ||||||
| #------------------------------------------------------------------------------ |  | ||||||
| 
 |  | ||||||
| # Add settings for extensions here |  | ||||||
|  | @ -1,44 +0,0 @@ | ||||||
| --- |  | ||||||
| - name: Prepare |  | ||||||
|   hosts: 'keycloak:infinispan' |  | ||||||
|   tasks: |  | ||||||
|     - name: "Display hera_home if defined." |  | ||||||
|       ansible.builtin.set_fact: |  | ||||||
|         hera_home: "{{ lookup('env', 'HERA_HOME') }}" |  | ||||||
| 
 |  | ||||||
|     - name: "Ensure common prepare phase are set." |  | ||||||
|       ansible.builtin.include_tasks: ../prepare.yml |  | ||||||
| 
 |  | ||||||
|     - name: Create certificate request |  | ||||||
|       ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'" |  | ||||||
|       delegate_to: localhost |  | ||||||
|       changed_when: False |  | ||||||
| 
 |  | ||||||
|     - name: Create vault directory |  | ||||||
|       become: true |  | ||||||
|       ansible.builtin.file: |  | ||||||
|         state: directory |  | ||||||
|         path: "/opt/keycloak/vault" |  | ||||||
|         mode: 0755 |  | ||||||
| 
 |  | ||||||
|     - name: Make sure a jre is available (for keytool to prepare keystore) |  | ||||||
|       delegate_to: localhost |  | ||||||
|       ansible.builtin.package: |  | ||||||
|         name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}" |  | ||||||
|         state: present |  | ||||||
|       become: true |  | ||||||
|       failed_when: false |  | ||||||
| 
 |  | ||||||
|     - name: Create vault keystore |  | ||||||
|       ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword |  | ||||||
|       delegate_to: localhost |  | ||||||
|       register: keytool_cmd |  | ||||||
|       changed_when: False |  | ||||||
|       failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0 |  | ||||||
| 
 |  | ||||||
|     - name: Copy certificates and vault |  | ||||||
|       become: true |  | ||||||
|       ansible.builtin.copy: |  | ||||||
|         src: keystore.p12 |  | ||||||
|         dest: /opt/keycloak/vault/keystore.p12 |  | ||||||
|         mode: 0444 |  | ||||||
|  | @ -1 +0,0 @@ | ||||||
| ../../roles |  | ||||||
|  | @ -1,29 +0,0 @@ | ||||||
| --- |  | ||||||
| - name: Verify |  | ||||||
|   hosts: keycloak |  | ||||||
|   tasks: |  | ||||||
|     - name: Populate service facts |  | ||||||
|       ansible.builtin.service_facts: |  | ||||||
| 
 |  | ||||||
|     - name: Check if keycloak service started |  | ||||||
|       ansible.builtin.assert: |  | ||||||
|         that: |  | ||||||
|           - ansible_facts.services["keycloak.service"]["state"] == "running" |  | ||||||
|           - ansible_facts.services["keycloak.service"]["status"] == "enabled" |  | ||||||
|         fail_msg: "Service not running" |  | ||||||
| 
 |  | ||||||
|     - name: Set internal envvar |  | ||||||
|       ansible.builtin.set_fact: |  | ||||||
|         hera_home: "{{ lookup('env', 'HERA_HOME') }}" |  | ||||||
| 
 |  | ||||||
|     - name: Check log file |  | ||||||
|       become: true |  | ||||||
|       ansible.builtin.stat: |  | ||||||
|         path: /var/log/keycloak/keycloak.log |  | ||||||
|       register: keycloak_log_file |  | ||||||
| 
 |  | ||||||
|     - name: Check if keycloak file exists |  | ||||||
|       ansible.builtin.assert: |  | ||||||
|         that: |  | ||||||
|           - keycloak_log_file.stat.exists |  | ||||||
|           - not keycloak_log_file.stat.isdir |  | ||||||
|  | @ -5,9 +5,6 @@ | ||||||
|     - vars.yml |     - vars.yml | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_show_deprecation_warnings: false |     keycloak_quarkus_show_deprecation_warnings: false | ||||||
|     keycloak_quarkus_additional_env_vars: |     keycloak_quarkus_version: 24.0.3 | ||||||
|       - key: KC_FEATURES_DISABLED |  | ||||||
|         value: ciba,device-flow,impersonation,kerberos,docker |  | ||||||
|     keycloak_quarkus_version: 26.0.7 |  | ||||||
|   roles: |   roles: | ||||||
|     - role: keycloak_quarkus |     - role: keycloak_quarkus | ||||||
|  |  | ||||||
|  | @ -4,7 +4,7 @@ dependency: | ||||||
|   options: |   options: | ||||||
|     requirements-file: molecule/requirements.yml |     requirements-file: molecule/requirements.yml | ||||||
| driver: | driver: | ||||||
|   name: podman |   name: docker | ||||||
| platforms: | platforms: | ||||||
|   - name: instance |   - name: instance | ||||||
|     image: registry.access.redhat.com/ubi9/ubi-init:latest |     image: registry.access.redhat.com/ubi9/ubi-init:latest | ||||||
|  | @ -13,10 +13,8 @@ platforms: | ||||||
|     privileged: true |     privileged: true | ||||||
|     port_bindings: |     port_bindings: | ||||||
|       - 8080:8080 |       - 8080:8080 | ||||||
|       - "9000/tcp" |  | ||||||
|     published_ports: |     published_ports: | ||||||
|       - 0.0.0.0:8080:8080/TCP |       - 0.0.0.0:8080:8080/TCP | ||||||
|       - 0.0.0.0:9000:9000/TCP |  | ||||||
| provisioner: | provisioner: | ||||||
|   name: ansible |   name: ansible | ||||||
|   playbooks: |   playbooks: | ||||||
|  | @ -27,10 +25,6 @@ provisioner: | ||||||
|     host_vars: |     host_vars: | ||||||
|       localhost: |       localhost: | ||||||
|         ansible_python_interpreter: "{{ ansible_playbook_python }}" |         ansible_python_interpreter: "{{ ansible_playbook_python }}" | ||||||
|   env: |  | ||||||
|     ANSIBLE_FORCE_COLOR: "true" |  | ||||||
|     PROXY: "${PROXY}" |  | ||||||
|     NO_PROXY: "${NO_PROXY}" |  | ||||||
| verifier: | verifier: | ||||||
|   name: ansible |   name: ansible | ||||||
| scenario: | scenario: | ||||||
|  |  | ||||||
|  | @ -5,10 +5,7 @@ | ||||||
|     - vars.yml |     - vars.yml | ||||||
|   vars: |   vars: | ||||||
|     sudo_pkg_name: sudo |     sudo_pkg_name: sudo | ||||||
|     keycloak_quarkus_version: 26.0.4 |     keycloak_quarkus_version: 23.0.7 | ||||||
|     keycloak_quarkus_additional_env_vars: |  | ||||||
|       - key: KC_FEATURES_DISABLED |  | ||||||
|         value: impersonation,kerberos |  | ||||||
|   pre_tasks: |   pre_tasks: | ||||||
|     - name: Install sudo |     - name: Install sudo | ||||||
|       ansible.builtin.apt: |       ansible.builtin.apt: | ||||||
|  | @ -47,7 +44,6 @@ | ||||||
|       changed_when: false |       changed_when: false | ||||||
|   roles: |   roles: | ||||||
|     - role: keycloak_quarkus |     - role: keycloak_quarkus | ||||||
| 
 |  | ||||||
|   post_tasks: |   post_tasks: | ||||||
|     - name: "Delete custom fact" |     - name: "Delete custom fact" | ||||||
|       ansible.builtin.file: |       ansible.builtin.file: | ||||||
|  |  | ||||||
|  | @ -1,8 +1,9 @@ | ||||||
| --- | --- | ||||||
| keycloak_quarkus_offline_install: false | keycloak_quarkus_offline_install: false | ||||||
| keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" | keycloak_quarkus_admin_password: "remembertochangeme" | ||||||
|  | keycloak_quarkus_admin_pass: "remembertochangeme" | ||||||
| keycloak_quarkus_realm: TestRealm | keycloak_quarkus_realm: TestRealm | ||||||
| keycloak_quarkus_hostname: http://instance:8080 | keycloak_quarkus_host: instance | ||||||
| keycloak_quarkus_log: file | keycloak_quarkus_log: file | ||||||
| keycloak_quarkus_https_key_file_enabled: true | keycloak_quarkus_https_key_file_enabled: true | ||||||
| keycloak_quarkus_log_target: /tmp/keycloak | keycloak_quarkus_log_target: /tmp/keycloak | ||||||
|  |  | ||||||
|  | @ -2,7 +2,7 @@ | ||||||
| - name: Verify | - name: Verify | ||||||
|   hosts: instance |   hosts: instance | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" |     keycloak_quarkus_admin_password: "remembertochangeme" | ||||||
|     keycloak_quarkus_port: http://localhost:8080 |     keycloak_quarkus_port: http://localhost:8080 | ||||||
|   tasks: |   tasks: | ||||||
|     - name: Populate service facts |     - name: Populate service facts | ||||||
|  | @ -17,14 +17,14 @@ | ||||||
|     - name: Verify we are running on requested jvm |     - name: Verify we are running on requested jvm | ||||||
|       ansible.builtin.shell: | |       ansible.builtin.shell: | | ||||||
|         set -eo pipefail |         set -eo pipefail | ||||||
|         ps -ef | grep 'etc/alternatives/.*21' | grep -v grep |         ps -ef | grep 'etc/alternatives/.*17' | grep -v grep | ||||||
|       changed_when: false |       changed_when: false | ||||||
| 
 | 
 | ||||||
|     - name: Verify token api call |     - name: Verify token api call | ||||||
|       ansible.builtin.uri: |       ansible.builtin.uri: | ||||||
|         url: "{{ keycloak_quarkus_port }}/realms/master/protocol/openid-connect/token" |         url: "{{ keycloak_quarkus_port }}/realms/master/protocol/openid-connect/token" | ||||||
|         method: POST |         method: POST | ||||||
|         body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_bootstrap_admin_password }}&grant_type=password" |         body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_admin_password }}&grant_type=password" | ||||||
|         validate_certs: no |         validate_certs: no | ||||||
|       register: keycloak_auth_response |       register: keycloak_auth_response | ||||||
|       until: keycloak_auth_response.status == 200 |       until: keycloak_auth_response.status == 200 | ||||||
|  |  | ||||||
|  | @ -2,7 +2,6 @@ | ||||||
| collections: | collections: | ||||||
|   - name: middleware_automation.common |   - name: middleware_automation.common | ||||||
|   - name: middleware_automation.jbcs |   - name: middleware_automation.jbcs | ||||||
|   - name: middleware_automation.infinispan |  | ||||||
|   - name: community.general |   - name: community.general | ||||||
|   - name: ansible.posix |   - name: ansible.posix | ||||||
|   - name: community.docker |   - name: community.docker | ||||||
|  |  | ||||||
|  | @ -2,8 +2,8 @@ | ||||||
| - name: Playbook for Keycloak X Hosts with HTTPS enabled | - name: Playbook for Keycloak X Hosts with HTTPS enabled | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" |     keycloak_quarkus_admin_pass: "remembertochangeme" | ||||||
|     keycloak_quarkus_hostname: http://localhost |     keycloak_quarkus_host: localhost | ||||||
|     keycloak_quarkus_port: 8443 |     keycloak_quarkus_port: 8443 | ||||||
|     keycloak_quarkus_log: file |     keycloak_quarkus_log: file | ||||||
|     keycloak_quarkus_proxy_mode: none |     keycloak_quarkus_proxy_mode: none | ||||||
|  |  | ||||||
|  | @ -2,8 +2,8 @@ | ||||||
| - name: Playbook for Keycloak X Hosts in develop mode | - name: Playbook for Keycloak X Hosts in develop mode | ||||||
|   hosts: all |   hosts: all | ||||||
|   vars: |   vars: | ||||||
|     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" |     keycloak_admin_password: "remembertochangeme" | ||||||
|     keycloak_quarkus_hostname: http://localhost |     keycloak_quarkus_host: localhost | ||||||
|     keycloak_quarkus_port: 8080 |     keycloak_quarkus_port: 8080 | ||||||
|     keycloak_quarkus_log: file |     keycloak_quarkus_log: file | ||||||
|     keycloak_quarkus_start_dev: true |     keycloak_quarkus_start_dev: true | ||||||
|  |  | ||||||
										
											
												File diff suppressed because it is too large
												Load diff
											
										
									
								
							|  | @ -40,8 +40,8 @@ options: | ||||||
|     state: |     state: | ||||||
|         description: |         description: | ||||||
|             - State of the client |             - State of the client | ||||||
|             - On V(present), the client will be created (or updated if it exists already). |             - On C(present), the client will be created (or updated if it exists already). | ||||||
|             - On V(absent), the client will be removed if it exists |             - On C(absent), the client will be removed if it exists | ||||||
|         choices: ['present', 'absent'] |         choices: ['present', 'absent'] | ||||||
|         default: 'present' |         default: 'present' | ||||||
|         type: str |         type: str | ||||||
|  | @ -55,7 +55,7 @@ options: | ||||||
|     client_id: |     client_id: | ||||||
|         description: |         description: | ||||||
|             - Client id of client to be worked on. This is usually an alphanumeric name chosen by |             - Client id of client to be worked on. This is usually an alphanumeric name chosen by | ||||||
|               you. Either this or O(id) is required. If you specify both, O(id) takes precedence. |               you. Either this or I(id) is required. If you specify both, I(id) takes precedence. | ||||||
|               This is 'clientId' in the Keycloak REST API. |               This is 'clientId' in the Keycloak REST API. | ||||||
|         aliases: |         aliases: | ||||||
|             - clientId |             - clientId | ||||||
|  | @ -63,13 +63,13 @@ options: | ||||||
| 
 | 
 | ||||||
|     id: |     id: | ||||||
|         description: |         description: | ||||||
|             - Id of client to be worked on. This is usually an UUID. Either this or O(client_id) |             - Id of client to be worked on. This is usually an UUID. Either this or I(client_id) | ||||||
|               is required. If you specify both, this takes precedence. |               is required. If you specify both, this takes precedence. | ||||||
|         type: str |         type: str | ||||||
| 
 | 
 | ||||||
|     name: |     name: | ||||||
|         description: |         description: | ||||||
|             - Name of the client (this is not the same as O(client_id)). |             - Name of the client (this is not the same as I(client_id)). | ||||||
|         type: str |         type: str | ||||||
| 
 | 
 | ||||||
|     description: |     description: | ||||||
|  | @ -108,21 +108,20 @@ options: | ||||||
| 
 | 
 | ||||||
|     client_authenticator_type: |     client_authenticator_type: | ||||||
|         description: |         description: | ||||||
|             - How do clients authenticate with the auth server? Either V(client-secret), |             - How do clients authenticate with the auth server? Either C(client-secret) or | ||||||
|               V(client-jwt), or V(client-x509) can be chosen. When using V(client-secret), the module parameter |               C(client-jwt) can be chosen. When using C(client-secret), the module parameter | ||||||
|               O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url), |               I(secret) can set it, while for C(client-jwt), you can use the keys C(use.jwks.url), | ||||||
|               C(jwks.url), and C(jwt.credential.certificate) in the O(attributes) module parameter |               C(jwks.url), and C(jwt.credential.certificate) in the I(attributes) module parameter | ||||||
|               to configure its behavior. For V(client-x509) you can use the keys C(x509.allow.regex.pattern.comparison) |               to configure its behavior. | ||||||
|               and C(x509.subjectdn) in the O(attributes) module parameter to configure which certificate(s) to accept. |               This is 'clientAuthenticatorType' in the Keycloak REST API. | ||||||
|             - This is 'clientAuthenticatorType' in the Keycloak REST API. |         choices: ['client-secret', 'client-jwt'] | ||||||
|         choices: ['client-secret', 'client-jwt', 'client-x509'] |  | ||||||
|         aliases: |         aliases: | ||||||
|             - clientAuthenticatorType |             - clientAuthenticatorType | ||||||
|         type: str |         type: str | ||||||
| 
 | 
 | ||||||
|     secret: |     secret: | ||||||
|         description: |         description: | ||||||
|             - When using O(client_authenticator_type=client-secret) (the default), you can |             - When using I(client_authenticator_type) C(client-secret) (the default), you can | ||||||
|               specify a secret here (otherwise one will be generated if it does not exit). If |               specify a secret here (otherwise one will be generated if it does not exit). If | ||||||
|               changing this secret, the module will not register a change currently (but the |               changing this secret, the module will not register a change currently (but the | ||||||
|               changed secret will be saved). |               changed secret will be saved). | ||||||
|  | @ -247,11 +246,9 @@ options: | ||||||
| 
 | 
 | ||||||
|     protocol: |     protocol: | ||||||
|         description: |         description: | ||||||
|             - Type of client. |             - Type of client (either C(openid-connect) or C(saml). | ||||||
|             - At creation only, default value will be V(openid-connect) if O(protocol) is omitted. |  | ||||||
|             - The V(docker-v2) value was added in community.general 8.6.0. |  | ||||||
|         type: str |         type: str | ||||||
|         choices: ['openid-connect', 'saml', 'docker-v2'] |         choices: ['openid-connect', 'saml'] | ||||||
| 
 | 
 | ||||||
|     full_scope_allowed: |     full_scope_allowed: | ||||||
|         description: |         description: | ||||||
|  | @ -289,7 +286,7 @@ options: | ||||||
| 
 | 
 | ||||||
|     use_template_config: |     use_template_config: | ||||||
|         description: |         description: | ||||||
|             - Whether or not to use configuration from the O(client_template). |             - Whether or not to use configuration from the I(client_template). | ||||||
|               This is 'useTemplateConfig' in the Keycloak REST API. |               This is 'useTemplateConfig' in the Keycloak REST API. | ||||||
|         aliases: |         aliases: | ||||||
|             - useTemplateConfig |             - useTemplateConfig | ||||||
|  | @ -297,7 +294,7 @@ options: | ||||||
| 
 | 
 | ||||||
|     use_template_scope: |     use_template_scope: | ||||||
|         description: |         description: | ||||||
|             - Whether or not to use scope configuration from the O(client_template). |             - Whether or not to use scope configuration from the I(client_template). | ||||||
|               This is 'useTemplateScope' in the Keycloak REST API. |               This is 'useTemplateScope' in the Keycloak REST API. | ||||||
|         aliases: |         aliases: | ||||||
|             - useTemplateScope |             - useTemplateScope | ||||||
|  | @ -305,7 +302,7 @@ options: | ||||||
| 
 | 
 | ||||||
|     use_template_mappers: |     use_template_mappers: | ||||||
|         description: |         description: | ||||||
|             - Whether or not to use mapper configuration from the O(client_template). |             - Whether or not to use mapper configuration from the I(client_template). | ||||||
|               This is 'useTemplateMappers' in the Keycloak REST API. |               This is 'useTemplateMappers' in the Keycloak REST API. | ||||||
|         aliases: |         aliases: | ||||||
|             - useTemplateMappers |             - useTemplateMappers | ||||||
|  | @ -341,42 +338,6 @@ options: | ||||||
|         description: |         description: | ||||||
|             - Override realm authentication flow bindings. |             - Override realm authentication flow bindings. | ||||||
|         type: dict |         type: dict | ||||||
|         suboptions: |  | ||||||
|             browser: |  | ||||||
|                 description: |  | ||||||
|                     - Flow ID of the browser authentication flow. |  | ||||||
|                     - O(authentication_flow_binding_overrides.browser) |  | ||||||
|                       and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive. |  | ||||||
|                 type: str |  | ||||||
| 
 |  | ||||||
|             browser_name: |  | ||||||
|                 description: |  | ||||||
|                     - Flow name of the browser authentication flow. |  | ||||||
|                     - O(authentication_flow_binding_overrides.browser) |  | ||||||
|                       and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive. |  | ||||||
|                 aliases: |  | ||||||
|                     - browserName |  | ||||||
|                 type: str |  | ||||||
|                 version_added: 9.1.0 |  | ||||||
| 
 |  | ||||||
|             direct_grant: |  | ||||||
|                 description: |  | ||||||
|                     - Flow ID of the direct grant authentication flow. |  | ||||||
|                     - O(authentication_flow_binding_overrides.direct_grant) |  | ||||||
|                       and O(authentication_flow_binding_overrides.direct_grant_name) are mutually exclusive. |  | ||||||
|                 aliases: |  | ||||||
|                     - directGrant |  | ||||||
|                 type: str |  | ||||||
| 
 |  | ||||||
|             direct_grant_name: |  | ||||||
|                 description: |  | ||||||
|                     - Flow name of the direct grant authentication flow. |  | ||||||
|                     - O(authentication_flow_binding_overrides.direct_grant) |  | ||||||
|                       and O(authentication_flow_binding_overrides.direct_grant_name) are mutually exclusive. |  | ||||||
|                 aliases: |  | ||||||
|                     - directGrantName |  | ||||||
|                 type: str |  | ||||||
|                 version_added: 9.1.0 |  | ||||||
|         aliases: |         aliases: | ||||||
|             - authenticationFlowBindingOverrides |             - authenticationFlowBindingOverrides | ||||||
|         version_added: 3.4.0 |         version_added: 3.4.0 | ||||||
|  | @ -430,37 +391,38 @@ options: | ||||||
| 
 | 
 | ||||||
|             protocol: |             protocol: | ||||||
|                 description: |                 description: | ||||||
|                     - This specifies for which protocol this protocol mapper is active. |                     - This is either C(openid-connect) or C(saml), this specifies for which protocol this protocol mapper. | ||||||
|                 choices: ['openid-connect', 'saml', 'docker-v2'] |                       is active. | ||||||
|  |                 choices: ['openid-connect', 'saml'] | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|             protocolMapper: |             protocolMapper: | ||||||
|                 description: |                 description: | ||||||
|                     - "The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is |                     - The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is | ||||||
|                       impossible to provide since this may be extended through SPIs by the user of Keycloak, |                       impossible to provide since this may be extended through SPIs by the user of Keycloak, | ||||||
|                       by default Keycloak as of 3.4 ships with at least:" |                       by default Keycloak as of 3.4 ships with at least | ||||||
|                     - V(docker-v2-allow-all-mapper) |                     - C(docker-v2-allow-all-mapper) | ||||||
|                     - V(oidc-address-mapper) |                     - C(oidc-address-mapper) | ||||||
|                     - V(oidc-full-name-mapper) |                     - C(oidc-full-name-mapper) | ||||||
|                     - V(oidc-group-membership-mapper) |                     - C(oidc-group-membership-mapper) | ||||||
|                     - V(oidc-hardcoded-claim-mapper) |                     - C(oidc-hardcoded-claim-mapper) | ||||||
|                     - V(oidc-hardcoded-role-mapper) |                     - C(oidc-hardcoded-role-mapper) | ||||||
|                     - V(oidc-role-name-mapper) |                     - C(oidc-role-name-mapper) | ||||||
|                     - V(oidc-script-based-protocol-mapper) |                     - C(oidc-script-based-protocol-mapper) | ||||||
|                     - V(oidc-sha256-pairwise-sub-mapper) |                     - C(oidc-sha256-pairwise-sub-mapper) | ||||||
|                     - V(oidc-usermodel-attribute-mapper) |                     - C(oidc-usermodel-attribute-mapper) | ||||||
|                     - V(oidc-usermodel-client-role-mapper) |                     - C(oidc-usermodel-client-role-mapper) | ||||||
|                     - V(oidc-usermodel-property-mapper) |                     - C(oidc-usermodel-property-mapper) | ||||||
|                     - V(oidc-usermodel-realm-role-mapper) |                     - C(oidc-usermodel-realm-role-mapper) | ||||||
|                     - V(oidc-usersessionmodel-note-mapper) |                     - C(oidc-usersessionmodel-note-mapper) | ||||||
|                     - V(saml-group-membership-mapper) |                     - C(saml-group-membership-mapper) | ||||||
|                     - V(saml-hardcode-attribute-mapper) |                     - C(saml-hardcode-attribute-mapper) | ||||||
|                     - V(saml-hardcode-role-mapper) |                     - C(saml-hardcode-role-mapper) | ||||||
|                     - V(saml-role-list-mapper) |                     - C(saml-role-list-mapper) | ||||||
|                     - V(saml-role-name-mapper) |                     - C(saml-role-name-mapper) | ||||||
|                     - V(saml-user-attribute-mapper) |                     - C(saml-user-attribute-mapper) | ||||||
|                     - V(saml-user-property-mapper) |                     - C(saml-user-property-mapper) | ||||||
|                     - V(saml-user-session-note-mapper) |                     - C(saml-user-session-note-mapper) | ||||||
|                     - An exhaustive list of available mappers on your installation can be obtained on |                     - An exhaustive list of available mappers on your installation can be obtained on | ||||||
|                       the admin console by going to Server Info -> Providers and looking under |                       the admin console by going to Server Info -> Providers and looking under | ||||||
|                       'protocol-mapper'. |                       'protocol-mapper'. | ||||||
|  | @ -469,10 +431,10 @@ options: | ||||||
|             config: |             config: | ||||||
|                 description: |                 description: | ||||||
|                     - Dict specifying the configuration options for the protocol mapper; the |                     - Dict specifying the configuration options for the protocol mapper; the | ||||||
|                       contents differ depending on the value of O(protocol_mappers[].protocolMapper) and are not documented |                       contents differ depending on the value of I(protocolMapper) and are not documented | ||||||
|                       other than by the source of the mappers and its parent class(es). An example is given |                       other than by the source of the mappers and its parent class(es). An example is given | ||||||
|                       below. It is easiest to obtain valid config values by dumping an already-existing |                       below. It is easiest to obtain valid config values by dumping an already-existing | ||||||
|                       protocol mapper configuration through check-mode in the RV(existing) field. |                       protocol mapper configuration through check-mode in the I(existing) field. | ||||||
|                 type: dict |                 type: dict | ||||||
| 
 | 
 | ||||||
|     attributes: |     attributes: | ||||||
|  | @ -516,7 +478,7 @@ options: | ||||||
| 
 | 
 | ||||||
|             saml.signature.algorithm: |             saml.signature.algorithm: | ||||||
|                 description: |                 description: | ||||||
|                     - Signature algorithm used to sign SAML documents. One of V(RSA_SHA256), V(RSA_SHA1), V(RSA_SHA512), or V(DSA_SHA1). |                     - Signature algorithm used to sign SAML documents. One of C(RSA_SHA256), C(RSA_SHA1), C(RSA_SHA512), or C(DSA_SHA1). | ||||||
| 
 | 
 | ||||||
|             saml.signing.certificate: |             saml.signing.certificate: | ||||||
|                 description: |                 description: | ||||||
|  | @ -534,21 +496,22 @@ options: | ||||||
|                 description: |                 description: | ||||||
|                     - SAML Redirect Binding URL for the client's assertion consumer service (login responses). |                     - SAML Redirect Binding URL for the client's assertion consumer service (login responses). | ||||||
| 
 | 
 | ||||||
|  | 
 | ||||||
|             saml_force_name_id_format: |             saml_force_name_id_format: | ||||||
|                 description: |                 description: | ||||||
|                     - For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured one instead. |                     - For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured one instead. | ||||||
| 
 | 
 | ||||||
|             saml_name_id_format: |             saml_name_id_format: | ||||||
|                 description: |                 description: | ||||||
|                     - For SAML clients, the NameID format to use (one of V(username), V(email), V(transient), or V(persistent)) |                     - For SAML clients, the NameID format to use (one of C(username), C(email), C(transient), or C(persistent)) | ||||||
| 
 | 
 | ||||||
|             saml_signature_canonicalization_method: |             saml_signature_canonicalization_method: | ||||||
|                 description: |                 description: | ||||||
|                     - SAML signature canonicalization method. This is one of four values, namely |                     - SAML signature canonicalization method. This is one of four values, namely | ||||||
|                       V(http://www.w3.org/2001/10/xml-exc-c14n#) for EXCLUSIVE, |                       C(http://www.w3.org/2001/10/xml-exc-c14n#) for EXCLUSIVE, | ||||||
|                       V(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS, |                       C(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS, | ||||||
|                       V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315) for INCLUSIVE, and |                       C(http://www.w3.org/TR/2001/REC-xml-c14n-20010315) for INCLUSIVE, and | ||||||
|                       V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS. |                       C(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS. | ||||||
| 
 | 
 | ||||||
|             saml_single_logout_service_url_post: |             saml_single_logout_service_url_post: | ||||||
|                 description: |                 description: | ||||||
|  | @ -560,12 +523,12 @@ options: | ||||||
| 
 | 
 | ||||||
|             user.info.response.signature.alg: |             user.info.response.signature.alg: | ||||||
|                 description: |                 description: | ||||||
|                     - For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of V(RS256) or V(unsigned). |                     - For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of C(RS256) or C(unsigned). | ||||||
| 
 | 
 | ||||||
|             request.object.signature.alg: |             request.object.signature.alg: | ||||||
|                 description: |                 description: | ||||||
|                     - For OpenID-Connect clients, JWA algorithm which the client needs to use when sending |                     - For OpenID-Connect clients, JWA algorithm which the client needs to use when sending | ||||||
|                       OIDC request object. One of V(any), V(none), V(RS256). |                       OIDC request object. One of C(any), C(none), C(RS256). | ||||||
| 
 | 
 | ||||||
|             use.jwks.url: |             use.jwks.url: | ||||||
|                 description: |                 description: | ||||||
|  | @ -581,21 +544,9 @@ options: | ||||||
|                     - For OpenID-Connect clients, client certificate for validating JWT issued by |                     - For OpenID-Connect clients, client certificate for validating JWT issued by | ||||||
|                       client and signed by its key, base64-encoded. |                       client and signed by its key, base64-encoded. | ||||||
| 
 | 
 | ||||||
|             x509.subjectdn: |  | ||||||
|                 description: |  | ||||||
|                     - For OpenID-Connect clients, subject which will be used to authenticate the client. |  | ||||||
|                 type: str |  | ||||||
|                 version_added: 9.5.0 |  | ||||||
| 
 |  | ||||||
|             x509.allow.regex.pattern.comparison: |  | ||||||
|                 description: |  | ||||||
|                     - For OpenID-Connect clients, boolean specifying whether to allow C(x509.subjectdn) as regular expression. |  | ||||||
|                 type: bool |  | ||||||
|                 version_added: 9.5.0 |  | ||||||
| 
 |  | ||||||
| extends_documentation_fragment: | extends_documentation_fragment: | ||||||
|    - middleware_automation.keycloak.keycloak |     - middleware_automation.keycloak.keycloak | ||||||
|    - middleware_automation.keycloak.attributes |     - middleware_automation.keycloak.attributes | ||||||
| 
 | 
 | ||||||
| author: | author: | ||||||
|     - Eike Frost (@eikef) |     - Eike Frost (@eikef) | ||||||
|  | @ -636,22 +587,6 @@ EXAMPLES = ''' | ||||||
|   delegate_to: localhost |   delegate_to: localhost | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| - name: Create or update a Keycloak client (minimal example), with x509 authentication |  | ||||||
|   middleware_automation.keycloak.keycloak_client: |  | ||||||
|     auth_client_id: admin-cli |  | ||||||
|     auth_keycloak_url: https://auth.example.com/auth |  | ||||||
|     auth_realm: master |  | ||||||
|     auth_username: USERNAME |  | ||||||
|     auth_password: PASSWORD |  | ||||||
|     realm: master |  | ||||||
|     state: present |  | ||||||
|     client_id: test |  | ||||||
|     client_authenticator_type: client-x509 |  | ||||||
|     attributes: |  | ||||||
|       x509.subjectdn: "CN=client" |  | ||||||
|       x509.allow.regex.pattern.comparison: false |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| - name: Create or update a Keycloak client (with all the bells and whistles) | - name: Create or update a Keycloak client (with all the bells and whistles) | ||||||
|   middleware_automation.keycloak.keycloak_client: |   middleware_automation.keycloak.keycloak_client: | ||||||
|     auth_client_id: admin-cli |     auth_client_id: admin-cli | ||||||
|  | @ -702,7 +637,7 @@ EXAMPLES = ''' | ||||||
|       - test01 |       - test01 | ||||||
|       - test02 |       - test02 | ||||||
|     authentication_flow_binding_overrides: |     authentication_flow_binding_overrides: | ||||||
|         browser: 4c90336b-bf1d-4b87-916d-3677ba4e5fbb |       browser: 4c90336b-bf1d-4b87-916d-3677ba4e5fbb | ||||||
|     protocol_mappers: |     protocol_mappers: | ||||||
|       - config: |       - config: | ||||||
|           access.token.claim: true |           access.token.claim: true | ||||||
|  | @ -782,17 +717,11 @@ end_state: | ||||||
| ''' | ''' | ||||||
| 
 | 
 | ||||||
| from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ | from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ | ||||||
|     keycloak_argument_spec, get_token, KeycloakError, is_struct_included |     keycloak_argument_spec, get_token, KeycloakError | ||||||
| from ansible.module_utils.basic import AnsibleModule | from ansible.module_utils.basic import AnsibleModule | ||||||
| import copy | import copy | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| PROTOCOL_OPENID_CONNECT = 'openid-connect' |  | ||||||
| PROTOCOL_SAML = 'saml' |  | ||||||
| PROTOCOL_DOCKER_V2 = 'docker-v2' |  | ||||||
| CLIENT_META_DATA = ['authorizationServicesEnabled'] |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| def normalise_cr(clientrep, remove_ids=False): | def normalise_cr(clientrep, remove_ids=False): | ||||||
|     """ Re-sorts any properties where the order so that diff's is minimised, and adds default values where appropriate so that the |     """ Re-sorts any properties where the order so that diff's is minimised, and adds default values where appropriate so that the | ||||||
|     the change detection is more effective. |     the change detection is more effective. | ||||||
|  | @ -808,12 +737,6 @@ def normalise_cr(clientrep, remove_ids=False): | ||||||
|     if 'attributes' in clientrep: |     if 'attributes' in clientrep: | ||||||
|         clientrep['attributes'] = list(sorted(clientrep['attributes'])) |         clientrep['attributes'] = list(sorted(clientrep['attributes'])) | ||||||
| 
 | 
 | ||||||
|     if 'defaultClientScopes' in clientrep: |  | ||||||
|         clientrep['defaultClientScopes'] = list(sorted(clientrep['defaultClientScopes'])) |  | ||||||
| 
 |  | ||||||
|     if 'optionalClientScopes' in clientrep: |  | ||||||
|         clientrep['optionalClientScopes'] = list(sorted(clientrep['optionalClientScopes'])) |  | ||||||
| 
 |  | ||||||
|     if 'redirectUris' in clientrep: |     if 'redirectUris' in clientrep: | ||||||
|         clientrep['redirectUris'] = list(sorted(clientrep['redirectUris'])) |         clientrep['redirectUris'] = list(sorted(clientrep['redirectUris'])) | ||||||
| 
 | 
 | ||||||
|  | @ -839,70 +762,11 @@ def sanitize_cr(clientrep): | ||||||
|     if 'secret' in result: |     if 'secret' in result: | ||||||
|         result['secret'] = 'no_log' |         result['secret'] = 'no_log' | ||||||
|     if 'attributes' in result: |     if 'attributes' in result: | ||||||
|         attributes = result['attributes'] |         if 'saml.signing.private.key' in result['attributes']: | ||||||
|         if isinstance(attributes, dict) and 'saml.signing.private.key' in attributes: |             result['attributes']['saml.signing.private.key'] = 'no_log' | ||||||
|             attributes['saml.signing.private.key'] = 'no_log' |  | ||||||
|     return normalise_cr(result) |     return normalise_cr(result) | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| def get_authentication_flow_id(flow_name, realm, kc): |  | ||||||
|     """ Get the authentication flow ID based on the flow name, realm, and Keycloak client. |  | ||||||
| 
 |  | ||||||
|     Args: |  | ||||||
|         flow_name (str): The name of the authentication flow. |  | ||||||
|         realm (str): The name of the realm. |  | ||||||
|         kc (KeycloakClient): The Keycloak client instance. |  | ||||||
| 
 |  | ||||||
|     Returns: |  | ||||||
|         str: The ID of the authentication flow. |  | ||||||
| 
 |  | ||||||
|     Raises: |  | ||||||
|         KeycloakAPIException: If the authentication flow with the given name is not found in the realm. |  | ||||||
|     """ |  | ||||||
|     flow = kc.get_authentication_flow_by_alias(flow_name, realm) |  | ||||||
|     if flow: |  | ||||||
|         return flow["id"] |  | ||||||
|     kc.module.fail_json(msg='Authentification flow %s not found in realm %s' % (flow_name, realm)) |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| def flow_binding_from_dict_to_model(newClientFlowBinding, realm, kc): |  | ||||||
|     """ Convert a dictionary representing client flow bindings to a model representation. |  | ||||||
| 
 |  | ||||||
|     Args: |  | ||||||
|         newClientFlowBinding (dict): A dictionary containing client flow bindings. |  | ||||||
|         realm (str): The name of the realm. |  | ||||||
|         kc (KeycloakClient): An instance of the KeycloakClient class. |  | ||||||
| 
 |  | ||||||
|     Returns: |  | ||||||
|         dict: A dictionary representing the model flow bindings. The dictionary has two keys: |  | ||||||
|             - "browser" (str or None): The ID of the browser authentication flow binding, or None if not provided. |  | ||||||
|             - "direct_grant" (str or None): The ID of the direct grant authentication flow binding, or None if not provided. |  | ||||||
| 
 |  | ||||||
|     Raises: |  | ||||||
|         KeycloakAPIException: If the authentication flow with the given name is not found in the realm. |  | ||||||
| 
 |  | ||||||
|     """ |  | ||||||
| 
 |  | ||||||
|     modelFlow = { |  | ||||||
|         "browser": None, |  | ||||||
|         "direct_grant": None |  | ||||||
|     } |  | ||||||
| 
 |  | ||||||
|     for k, v in newClientFlowBinding.items(): |  | ||||||
|         if not v: |  | ||||||
|             continue |  | ||||||
|         if k == "browser": |  | ||||||
|             modelFlow["browser"] = v |  | ||||||
|         elif k == "browser_name": |  | ||||||
|             modelFlow["browser"] = get_authentication_flow_id(v, realm, kc) |  | ||||||
|         elif k == "direct_grant": |  | ||||||
|             modelFlow["direct_grant"] = v |  | ||||||
|         elif k == "direct_grant_name": |  | ||||||
|             modelFlow["direct_grant"] = get_authentication_flow_id(v, realm, kc) |  | ||||||
| 
 |  | ||||||
|     return modelFlow |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| def main(): | def main(): | ||||||
|     """ |     """ | ||||||
|     Module execution |     Module execution | ||||||
|  | @ -916,18 +780,11 @@ def main(): | ||||||
|         consentText=dict(type='str'), |         consentText=dict(type='str'), | ||||||
|         id=dict(type='str'), |         id=dict(type='str'), | ||||||
|         name=dict(type='str'), |         name=dict(type='str'), | ||||||
|         protocol=dict(type='str', choices=[PROTOCOL_OPENID_CONNECT, PROTOCOL_SAML, PROTOCOL_DOCKER_V2]), |         protocol=dict(type='str', choices=['openid-connect', 'saml']), | ||||||
|         protocolMapper=dict(type='str'), |         protocolMapper=dict(type='str'), | ||||||
|         config=dict(type='dict'), |         config=dict(type='dict'), | ||||||
|     ) |     ) | ||||||
| 
 | 
 | ||||||
|     authentication_flow_spec = dict( |  | ||||||
|         browser=dict(type='str'), |  | ||||||
|         browser_name=dict(type='str', aliases=['browserName']), |  | ||||||
|         direct_grant=dict(type='str', aliases=['directGrant']), |  | ||||||
|         direct_grant_name=dict(type='str', aliases=['directGrantName']), |  | ||||||
|     ) |  | ||||||
| 
 |  | ||||||
|     meta_args = dict( |     meta_args = dict( | ||||||
|         state=dict(default='present', choices=['present', 'absent']), |         state=dict(default='present', choices=['present', 'absent']), | ||||||
|         realm=dict(type='str', default='master'), |         realm=dict(type='str', default='master'), | ||||||
|  | @ -941,7 +798,7 @@ def main(): | ||||||
|         base_url=dict(type='str', aliases=['baseUrl']), |         base_url=dict(type='str', aliases=['baseUrl']), | ||||||
|         surrogate_auth_required=dict(type='bool', aliases=['surrogateAuthRequired']), |         surrogate_auth_required=dict(type='bool', aliases=['surrogateAuthRequired']), | ||||||
|         enabled=dict(type='bool'), |         enabled=dict(type='bool'), | ||||||
|         client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt', 'client-x509'], aliases=['clientAuthenticatorType']), |         client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt'], aliases=['clientAuthenticatorType']), | ||||||
|         secret=dict(type='str', no_log=True), |         secret=dict(type='str', no_log=True), | ||||||
|         registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True), |         registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True), | ||||||
|         default_roles=dict(type='list', elements='str', aliases=['defaultRoles']), |         default_roles=dict(type='list', elements='str', aliases=['defaultRoles']), | ||||||
|  | @ -957,7 +814,7 @@ def main(): | ||||||
|         authorization_services_enabled=dict(type='bool', aliases=['authorizationServicesEnabled']), |         authorization_services_enabled=dict(type='bool', aliases=['authorizationServicesEnabled']), | ||||||
|         public_client=dict(type='bool', aliases=['publicClient']), |         public_client=dict(type='bool', aliases=['publicClient']), | ||||||
|         frontchannel_logout=dict(type='bool', aliases=['frontchannelLogout']), |         frontchannel_logout=dict(type='bool', aliases=['frontchannelLogout']), | ||||||
|         protocol=dict(type='str', choices=[PROTOCOL_OPENID_CONNECT, PROTOCOL_SAML, PROTOCOL_DOCKER_V2]), |         protocol=dict(type='str', choices=['openid-connect', 'saml']), | ||||||
|         attributes=dict(type='dict'), |         attributes=dict(type='dict'), | ||||||
|         full_scope_allowed=dict(type='bool', aliases=['fullScopeAllowed']), |         full_scope_allowed=dict(type='bool', aliases=['fullScopeAllowed']), | ||||||
|         node_re_registration_timeout=dict(type='int', aliases=['nodeReRegistrationTimeout']), |         node_re_registration_timeout=dict(type='int', aliases=['nodeReRegistrationTimeout']), | ||||||
|  | @ -967,13 +824,7 @@ def main(): | ||||||
|         use_template_scope=dict(type='bool', aliases=['useTemplateScope']), |         use_template_scope=dict(type='bool', aliases=['useTemplateScope']), | ||||||
|         use_template_mappers=dict(type='bool', aliases=['useTemplateMappers']), |         use_template_mappers=dict(type='bool', aliases=['useTemplateMappers']), | ||||||
|         always_display_in_console=dict(type='bool', aliases=['alwaysDisplayInConsole']), |         always_display_in_console=dict(type='bool', aliases=['alwaysDisplayInConsole']), | ||||||
|         authentication_flow_binding_overrides=dict( |         authentication_flow_binding_overrides=dict(type='dict', aliases=['authenticationFlowBindingOverrides']), | ||||||
|             type='dict', |  | ||||||
|             aliases=['authenticationFlowBindingOverrides'], |  | ||||||
|             options=authentication_flow_spec, |  | ||||||
|             required_one_of=[['browser', 'direct_grant', 'browser_name', 'direct_grant_name']], |  | ||||||
|             mutually_exclusive=[['browser', 'browser_name'], ['direct_grant', 'direct_grant_name']], |  | ||||||
|         ), |  | ||||||
|         protocol_mappers=dict(type='list', elements='dict', options=protmapper_spec, aliases=['protocolMappers']), |         protocol_mappers=dict(type='list', elements='dict', options=protmapper_spec, aliases=['protocolMappers']), | ||||||
|         authorization_settings=dict(type='dict', aliases=['authorizationSettings']), |         authorization_settings=dict(type='dict', aliases=['authorizationSettings']), | ||||||
|         default_client_scopes=dict(type='list', elements='str', aliases=['defaultClientScopes']), |         default_client_scopes=dict(type='list', elements='str', aliases=['defaultClientScopes']), | ||||||
|  | @ -1034,9 +885,7 @@ def main(): | ||||||
|         # Unfortunately, the ansible argument spec checker introduces variables with null values when |         # Unfortunately, the ansible argument spec checker introduces variables with null values when | ||||||
|         # they are not specified |         # they are not specified | ||||||
|         if client_param == 'protocol_mappers': |         if client_param == 'protocol_mappers': | ||||||
|             new_param_value = [{k: v for k, v in x.items() if v is not None} for x in new_param_value] |             new_param_value = [dict((k, v) for k, v in x.items() if x[k] is not None) for x in new_param_value] | ||||||
|         elif client_param == 'authentication_flow_binding_overrides': |  | ||||||
|             new_param_value = flow_binding_from_dict_to_model(new_param_value, realm, kc) |  | ||||||
| 
 | 
 | ||||||
|         changeset[camel(client_param)] = new_param_value |         changeset[camel(client_param)] = new_param_value | ||||||
| 
 | 
 | ||||||
|  | @ -1063,8 +912,6 @@ def main(): | ||||||
| 
 | 
 | ||||||
|         if 'clientId' not in desired_client: |         if 'clientId' not in desired_client: | ||||||
|             module.fail_json(msg='client_id needs to be specified when creating a new client') |             module.fail_json(msg='client_id needs to be specified when creating a new client') | ||||||
|         if 'protocol' not in desired_client: |  | ||||||
|             desired_client['protocol'] = PROTOCOL_OPENID_CONNECT |  | ||||||
| 
 | 
 | ||||||
|         if module._diff: |         if module._diff: | ||||||
|             result['diff'] = dict(before='', after=sanitize_cr(desired_client)) |             result['diff'] = dict(before='', after=sanitize_cr(desired_client)) | ||||||
|  | @ -1093,7 +940,7 @@ def main(): | ||||||
|                 if module._diff: |                 if module._diff: | ||||||
|                     result['diff'] = dict(before=sanitize_cr(before_norm), |                     result['diff'] = dict(before=sanitize_cr(before_norm), | ||||||
|                                           after=sanitize_cr(desired_norm)) |                                           after=sanitize_cr(desired_norm)) | ||||||
|                 result['changed'] = not is_struct_included(desired_norm, before_norm, CLIENT_META_DATA) |                 result['changed'] = (before_norm != desired_norm) | ||||||
| 
 | 
 | ||||||
|                 module.exit_json(**result) |                 module.exit_json(**result) | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -1,848 +0,0 @@ | ||||||
| #!/usr/bin/python |  | ||||||
| # -*- coding: utf-8 -*- |  | ||||||
| 
 |  | ||||||
| # Copyright (c) 2017, Eike Frost <ei@kefro.st> |  | ||||||
| # Copyright (c) 2021, Christophe Gilles <christophe.gilles54@gmail.com> |  | ||||||
| # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) |  | ||||||
| # SPDX-License-Identifier: GPL-3.0-or-later |  | ||||||
| 
 |  | ||||||
| from __future__ import absolute_import, division, print_function |  | ||||||
| __metaclass__ = type |  | ||||||
| 
 |  | ||||||
| DOCUMENTATION = ''' |  | ||||||
| --- |  | ||||||
| module: keycloak_realm |  | ||||||
| 
 |  | ||||||
| short_description: Allows administration of Keycloak realm via Keycloak API |  | ||||||
| 
 |  | ||||||
| version_added: 3.0.0 |  | ||||||
| 
 |  | ||||||
| description: |  | ||||||
|     - This module allows the administration of Keycloak realm via the Keycloak REST API. It |  | ||||||
|       requires access to the REST API via OpenID Connect; the user connecting and the realm being |  | ||||||
|       used must have the requisite access rights. In a default Keycloak installation, admin-cli |  | ||||||
|       and an admin user would work, as would a separate realm definition with the scope tailored |  | ||||||
|       to your needs and a user having the expected roles. |  | ||||||
| 
 |  | ||||||
|     - The names of module options are snake_cased versions of the camelCase ones found in the |  | ||||||
|       Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). |  | ||||||
|       Aliases are provided so camelCased versions can be used as well. |  | ||||||
| 
 |  | ||||||
|     - The Keycloak API does not always sanity check inputs e.g. you can set |  | ||||||
|       SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful. |  | ||||||
|       If you do not specify a setting, usually a sensible default is chosen. |  | ||||||
| 
 |  | ||||||
| attributes: |  | ||||||
|     check_mode: |  | ||||||
|         support: full |  | ||||||
|     diff_mode: |  | ||||||
|         support: full |  | ||||||
| 
 |  | ||||||
| options: |  | ||||||
|     state: |  | ||||||
|         description: |  | ||||||
|             - State of the realm. |  | ||||||
|             - On V(present), the realm will be created (or updated if it exists already). |  | ||||||
|             - On V(absent), the realm will be removed if it exists. |  | ||||||
|         choices: ['present', 'absent'] |  | ||||||
|         default: 'present' |  | ||||||
|         type: str |  | ||||||
| 
 |  | ||||||
|     id: |  | ||||||
|         description: |  | ||||||
|             - The realm to create. |  | ||||||
|         type: str |  | ||||||
|     realm: |  | ||||||
|         description: |  | ||||||
|             - The realm name. |  | ||||||
|         type: str |  | ||||||
|     access_code_lifespan: |  | ||||||
|         description: |  | ||||||
|             - The realm access code lifespan. |  | ||||||
|         aliases: |  | ||||||
|             - accessCodeLifespan |  | ||||||
|         type: int |  | ||||||
|     access_code_lifespan_login: |  | ||||||
|         description: |  | ||||||
|             - The realm access code lifespan login. |  | ||||||
|         aliases: |  | ||||||
|             - accessCodeLifespanLogin |  | ||||||
|         type: int |  | ||||||
|     access_code_lifespan_user_action: |  | ||||||
|         description: |  | ||||||
|             - The realm access code lifespan user action. |  | ||||||
|         aliases: |  | ||||||
|             - accessCodeLifespanUserAction |  | ||||||
|         type: int |  | ||||||
|     access_token_lifespan: |  | ||||||
|         description: |  | ||||||
|             - The realm access token lifespan. |  | ||||||
|         aliases: |  | ||||||
|             - accessTokenLifespan |  | ||||||
|         type: int |  | ||||||
|     access_token_lifespan_for_implicit_flow: |  | ||||||
|         description: |  | ||||||
|             - The realm access token lifespan for implicit flow. |  | ||||||
|         aliases: |  | ||||||
|             - accessTokenLifespanForImplicitFlow |  | ||||||
|         type: int |  | ||||||
|     account_theme: |  | ||||||
|         description: |  | ||||||
|             - The realm account theme. |  | ||||||
|         aliases: |  | ||||||
|             - accountTheme |  | ||||||
|         type: str |  | ||||||
|     action_token_generated_by_admin_lifespan: |  | ||||||
|         description: |  | ||||||
|             - The realm action token generated by admin lifespan. |  | ||||||
|         aliases: |  | ||||||
|             - actionTokenGeneratedByAdminLifespan |  | ||||||
|         type: int |  | ||||||
|     action_token_generated_by_user_lifespan: |  | ||||||
|         description: |  | ||||||
|             - The realm action token generated by user lifespan. |  | ||||||
|         aliases: |  | ||||||
|             - actionTokenGeneratedByUserLifespan |  | ||||||
|         type: int |  | ||||||
|     admin_events_details_enabled: |  | ||||||
|         description: |  | ||||||
|             - The realm admin events details enabled. |  | ||||||
|         aliases: |  | ||||||
|             - adminEventsDetailsEnabled |  | ||||||
|         type: bool |  | ||||||
|     admin_events_enabled: |  | ||||||
|         description: |  | ||||||
|             - The realm admin events enabled. |  | ||||||
|         aliases: |  | ||||||
|             - adminEventsEnabled |  | ||||||
|         type: bool |  | ||||||
|     admin_theme: |  | ||||||
|         description: |  | ||||||
|             - The realm admin theme. |  | ||||||
|         aliases: |  | ||||||
|             - adminTheme |  | ||||||
|         type: str |  | ||||||
|     attributes: |  | ||||||
|         description: |  | ||||||
|             - The realm attributes. |  | ||||||
|         type: dict |  | ||||||
|     browser_flow: |  | ||||||
|         description: |  | ||||||
|             - The realm browser flow. |  | ||||||
|         aliases: |  | ||||||
|             - browserFlow |  | ||||||
|         type: str |  | ||||||
|     browser_security_headers: |  | ||||||
|         description: |  | ||||||
|             - The realm browser security headers. |  | ||||||
|         aliases: |  | ||||||
|             - browserSecurityHeaders |  | ||||||
|         type: dict |  | ||||||
|     brute_force_protected: |  | ||||||
|         description: |  | ||||||
|             - The realm brute force protected. |  | ||||||
|         aliases: |  | ||||||
|             - bruteForceProtected |  | ||||||
|         type: bool |  | ||||||
|     client_authentication_flow: |  | ||||||
|         description: |  | ||||||
|             - The realm client authentication flow. |  | ||||||
|         aliases: |  | ||||||
|             - clientAuthenticationFlow |  | ||||||
|         type: str |  | ||||||
|     client_scope_mappings: |  | ||||||
|         description: |  | ||||||
|             - The realm client scope mappings. |  | ||||||
|         aliases: |  | ||||||
|             - clientScopeMappings |  | ||||||
|         type: dict |  | ||||||
|     default_default_client_scopes: |  | ||||||
|         description: |  | ||||||
|             - The realm default default client scopes. |  | ||||||
|         aliases: |  | ||||||
|             - defaultDefaultClientScopes |  | ||||||
|         type: list |  | ||||||
|         elements: str |  | ||||||
|     default_groups: |  | ||||||
|         description: |  | ||||||
|             - The realm default groups. |  | ||||||
|         aliases: |  | ||||||
|             - defaultGroups |  | ||||||
|         type: list |  | ||||||
|         elements: str |  | ||||||
|     default_locale: |  | ||||||
|         description: |  | ||||||
|             - The realm default locale. |  | ||||||
|         aliases: |  | ||||||
|             - defaultLocale |  | ||||||
|         type: str |  | ||||||
|     default_optional_client_scopes: |  | ||||||
|         description: |  | ||||||
|             - The realm default optional client scopes. |  | ||||||
|         aliases: |  | ||||||
|             - defaultOptionalClientScopes |  | ||||||
|         type: list |  | ||||||
|         elements: str |  | ||||||
|     default_roles: |  | ||||||
|         description: |  | ||||||
|             - The realm default roles. |  | ||||||
|         aliases: |  | ||||||
|             - defaultRoles |  | ||||||
|         type: list |  | ||||||
|         elements: str |  | ||||||
|     default_signature_algorithm: |  | ||||||
|         description: |  | ||||||
|             - The realm default signature algorithm. |  | ||||||
|         aliases: |  | ||||||
|             - defaultSignatureAlgorithm |  | ||||||
|         type: str |  | ||||||
|     direct_grant_flow: |  | ||||||
|         description: |  | ||||||
|             - The realm direct grant flow. |  | ||||||
|         aliases: |  | ||||||
|             - directGrantFlow |  | ||||||
|         type: str |  | ||||||
|     display_name: |  | ||||||
|         description: |  | ||||||
|             - The realm display name. |  | ||||||
|         aliases: |  | ||||||
|             - displayName |  | ||||||
|         type: str |  | ||||||
|     display_name_html: |  | ||||||
|         description: |  | ||||||
|             - The realm display name HTML. |  | ||||||
|         aliases: |  | ||||||
|             - displayNameHtml |  | ||||||
|         type: str |  | ||||||
|     docker_authentication_flow: |  | ||||||
|         description: |  | ||||||
|             - The realm docker authentication flow. |  | ||||||
|         aliases: |  | ||||||
|             - dockerAuthenticationFlow |  | ||||||
|         type: str |  | ||||||
|     duplicate_emails_allowed: |  | ||||||
|         description: |  | ||||||
|             - The realm duplicate emails allowed option. |  | ||||||
|         aliases: |  | ||||||
|             - duplicateEmailsAllowed |  | ||||||
|         type: bool |  | ||||||
|     edit_username_allowed: |  | ||||||
|         description: |  | ||||||
|             - The realm edit username allowed option. |  | ||||||
|         aliases: |  | ||||||
|             - editUsernameAllowed |  | ||||||
|         type: bool |  | ||||||
|     email_theme: |  | ||||||
|         description: |  | ||||||
|             - The realm email theme. |  | ||||||
|         aliases: |  | ||||||
|             - emailTheme |  | ||||||
|         type: str |  | ||||||
|     enabled: |  | ||||||
|         description: |  | ||||||
|             - The realm enabled option. |  | ||||||
|         type: bool |  | ||||||
|     enabled_event_types: |  | ||||||
|         description: |  | ||||||
|             - The realm enabled event types. |  | ||||||
|         aliases: |  | ||||||
|             - enabledEventTypes |  | ||||||
|         type: list |  | ||||||
|         elements: str |  | ||||||
|     events_enabled: |  | ||||||
|         description: |  | ||||||
|             - Enables or disables login events for this realm. |  | ||||||
|         aliases: |  | ||||||
|             - eventsEnabled |  | ||||||
|         type: bool |  | ||||||
|         version_added: 3.6.0 |  | ||||||
|     events_expiration: |  | ||||||
|         description: |  | ||||||
|             - The realm events expiration. |  | ||||||
|         aliases: |  | ||||||
|             - eventsExpiration |  | ||||||
|         type: int |  | ||||||
|     events_listeners: |  | ||||||
|         description: |  | ||||||
|             - The realm events listeners. |  | ||||||
|         aliases: |  | ||||||
|             - eventsListeners |  | ||||||
|         type: list |  | ||||||
|         elements: str |  | ||||||
|     failure_factor: |  | ||||||
|         description: |  | ||||||
|             - The realm failure factor. |  | ||||||
|         aliases: |  | ||||||
|             - failureFactor |  | ||||||
|         type: int |  | ||||||
|     internationalization_enabled: |  | ||||||
|         description: |  | ||||||
|             - The realm internationalization enabled option. |  | ||||||
|         aliases: |  | ||||||
|             - internationalizationEnabled |  | ||||||
|         type: bool |  | ||||||
|     login_theme: |  | ||||||
|         description: |  | ||||||
|             - The realm login theme. |  | ||||||
|         aliases: |  | ||||||
|             - loginTheme |  | ||||||
|         type: str |  | ||||||
|     login_with_email_allowed: |  | ||||||
|         description: |  | ||||||
|             - The realm login with email allowed option. |  | ||||||
|         aliases: |  | ||||||
|             - loginWithEmailAllowed |  | ||||||
|         type: bool |  | ||||||
|     max_delta_time_seconds: |  | ||||||
|         description: |  | ||||||
|             - The realm max delta time in seconds. |  | ||||||
|         aliases: |  | ||||||
|             - maxDeltaTimeSeconds |  | ||||||
|         type: int |  | ||||||
|     max_failure_wait_seconds: |  | ||||||
|         description: |  | ||||||
|             - The realm max failure wait in seconds. |  | ||||||
|         aliases: |  | ||||||
|             - maxFailureWaitSeconds |  | ||||||
|         type: int |  | ||||||
|     minimum_quick_login_wait_seconds: |  | ||||||
|         description: |  | ||||||
|             - The realm minimum quick login wait in seconds. |  | ||||||
|         aliases: |  | ||||||
|             - minimumQuickLoginWaitSeconds |  | ||||||
|         type: int |  | ||||||
|     not_before: |  | ||||||
|         description: |  | ||||||
|             - The realm not before. |  | ||||||
|         aliases: |  | ||||||
|             - notBefore |  | ||||||
|         type: int |  | ||||||
|     offline_session_idle_timeout: |  | ||||||
|         description: |  | ||||||
|             - The realm offline session idle timeout. |  | ||||||
|         aliases: |  | ||||||
|             - offlineSessionIdleTimeout |  | ||||||
|         type: int |  | ||||||
|     offline_session_max_lifespan: |  | ||||||
|         description: |  | ||||||
|             - The realm offline session max lifespan. |  | ||||||
|         aliases: |  | ||||||
|             - offlineSessionMaxLifespan |  | ||||||
|         type: int |  | ||||||
|     offline_session_max_lifespan_enabled: |  | ||||||
|         description: |  | ||||||
|             - The realm offline session max lifespan enabled option. |  | ||||||
|         aliases: |  | ||||||
|             - offlineSessionMaxLifespanEnabled |  | ||||||
|         type: bool |  | ||||||
|     otp_policy_algorithm: |  | ||||||
|         description: |  | ||||||
|             - The realm otp policy algorithm. |  | ||||||
|         aliases: |  | ||||||
|             - otpPolicyAlgorithm |  | ||||||
|         type: str |  | ||||||
|     otp_policy_digits: |  | ||||||
|         description: |  | ||||||
|             - The realm otp policy digits. |  | ||||||
|         aliases: |  | ||||||
|             - otpPolicyDigits |  | ||||||
|         type: int |  | ||||||
|     otp_policy_initial_counter: |  | ||||||
|         description: |  | ||||||
|             - The realm otp policy initial counter. |  | ||||||
|         aliases: |  | ||||||
|             - otpPolicyInitialCounter |  | ||||||
|         type: int |  | ||||||
|     otp_policy_look_ahead_window: |  | ||||||
|         description: |  | ||||||
|             - The realm otp policy look ahead window. |  | ||||||
|         aliases: |  | ||||||
|             - otpPolicyLookAheadWindow |  | ||||||
|         type: int |  | ||||||
|     otp_policy_period: |  | ||||||
|         description: |  | ||||||
|             - The realm otp policy period. |  | ||||||
|         aliases: |  | ||||||
|             - otpPolicyPeriod |  | ||||||
|         type: int |  | ||||||
|     otp_policy_type: |  | ||||||
|         description: |  | ||||||
|             - The realm otp policy type. |  | ||||||
|         aliases: |  | ||||||
|             - otpPolicyType |  | ||||||
|         type: str |  | ||||||
|     otp_supported_applications: |  | ||||||
|         description: |  | ||||||
|             - The realm otp supported applications. |  | ||||||
|         aliases: |  | ||||||
|             - otpSupportedApplications |  | ||||||
|         type: list |  | ||||||
|         elements: str |  | ||||||
|     password_policy: |  | ||||||
|         description: |  | ||||||
|             - The realm password policy. |  | ||||||
|         aliases: |  | ||||||
|             - passwordPolicy |  | ||||||
|         type: str |  | ||||||
|     permanent_lockout: |  | ||||||
|         description: |  | ||||||
|             - The realm permanent lockout. |  | ||||||
|         aliases: |  | ||||||
|             - permanentLockout |  | ||||||
|         type: bool |  | ||||||
|     quick_login_check_milli_seconds: |  | ||||||
|         description: |  | ||||||
|             - The realm quick login check in milliseconds. |  | ||||||
|         aliases: |  | ||||||
|             - quickLoginCheckMilliSeconds |  | ||||||
|         type: int |  | ||||||
|     refresh_token_max_reuse: |  | ||||||
|         description: |  | ||||||
|             - The realm refresh token max reuse. |  | ||||||
|         aliases: |  | ||||||
|             - refreshTokenMaxReuse |  | ||||||
|         type: int |  | ||||||
|     registration_allowed: |  | ||||||
|         description: |  | ||||||
|             - The realm registration allowed option. |  | ||||||
|         aliases: |  | ||||||
|             - registrationAllowed |  | ||||||
|         type: bool |  | ||||||
|     registration_email_as_username: |  | ||||||
|         description: |  | ||||||
|             - The realm registration email as username option. |  | ||||||
|         aliases: |  | ||||||
|             - registrationEmailAsUsername |  | ||||||
|         type: bool |  | ||||||
|     registration_flow: |  | ||||||
|         description: |  | ||||||
|             - The realm registration flow. |  | ||||||
|         aliases: |  | ||||||
|             - registrationFlow |  | ||||||
|         type: str |  | ||||||
|     remember_me: |  | ||||||
|         description: |  | ||||||
|             - The realm remember me option. |  | ||||||
|         aliases: |  | ||||||
|             - rememberMe |  | ||||||
|         type: bool |  | ||||||
|     reset_credentials_flow: |  | ||||||
|         description: |  | ||||||
|             - The realm reset credentials flow. |  | ||||||
|         aliases: |  | ||||||
|             - resetCredentialsFlow |  | ||||||
|         type: str |  | ||||||
|     reset_password_allowed: |  | ||||||
|         description: |  | ||||||
|             - The realm reset password allowed option. |  | ||||||
|         aliases: |  | ||||||
|             - resetPasswordAllowed |  | ||||||
|         type: bool |  | ||||||
|     revoke_refresh_token: |  | ||||||
|         description: |  | ||||||
|             - The realm revoke refresh token option. |  | ||||||
|         aliases: |  | ||||||
|             - revokeRefreshToken |  | ||||||
|         type: bool |  | ||||||
|     smtp_server: |  | ||||||
|         description: |  | ||||||
|             - The realm smtp server. |  | ||||||
|         aliases: |  | ||||||
|             - smtpServer |  | ||||||
|         type: dict |  | ||||||
|     ssl_required: |  | ||||||
|         description: |  | ||||||
|             - The realm ssl required option. |  | ||||||
|         choices: ['all', 'external', 'none'] |  | ||||||
|         aliases: |  | ||||||
|             - sslRequired |  | ||||||
|         type: str |  | ||||||
|     sso_session_idle_timeout: |  | ||||||
|         description: |  | ||||||
|             - The realm sso session idle timeout. |  | ||||||
|         aliases: |  | ||||||
|             - ssoSessionIdleTimeout |  | ||||||
|         type: int |  | ||||||
|     sso_session_idle_timeout_remember_me: |  | ||||||
|         description: |  | ||||||
|             - The realm sso session idle timeout remember me. |  | ||||||
|         aliases: |  | ||||||
|             - ssoSessionIdleTimeoutRememberMe |  | ||||||
|         type: int |  | ||||||
|     sso_session_max_lifespan: |  | ||||||
|         description: |  | ||||||
|             - The realm sso session max lifespan. |  | ||||||
|         aliases: |  | ||||||
|             - ssoSessionMaxLifespan |  | ||||||
|         type: int |  | ||||||
|     sso_session_max_lifespan_remember_me: |  | ||||||
|         description: |  | ||||||
|             - The realm sso session max lifespan remember me. |  | ||||||
|         aliases: |  | ||||||
|             - ssoSessionMaxLifespanRememberMe |  | ||||||
|         type: int |  | ||||||
|     supported_locales: |  | ||||||
|         description: |  | ||||||
|             - The realm supported locales. |  | ||||||
|         aliases: |  | ||||||
|             - supportedLocales |  | ||||||
|         type: list |  | ||||||
|         elements: str |  | ||||||
|     user_managed_access_allowed: |  | ||||||
|         description: |  | ||||||
|             - The realm user managed access allowed option. |  | ||||||
|         aliases: |  | ||||||
|             - userManagedAccessAllowed |  | ||||||
|         type: bool |  | ||||||
|     verify_email: |  | ||||||
|         description: |  | ||||||
|             - The realm verify email option. |  | ||||||
|         aliases: |  | ||||||
|             - verifyEmail |  | ||||||
|         type: bool |  | ||||||
|     wait_increment_seconds: |  | ||||||
|         description: |  | ||||||
|             - The realm wait increment in seconds. |  | ||||||
|         aliases: |  | ||||||
|             - waitIncrementSeconds |  | ||||||
|         type: int |  | ||||||
| 
 |  | ||||||
| extends_documentation_fragment: |  | ||||||
|     - middleware_automation.keycloak.keycloak |  | ||||||
|     - middleware_automation.keycloak.attributes |  | ||||||
| 
 |  | ||||||
| author: |  | ||||||
|     - Christophe Gilles (@kris2kris) |  | ||||||
| ''' |  | ||||||
| 
 |  | ||||||
| EXAMPLES = ''' |  | ||||||
| - name: Create or update Keycloak realm (minimal example) |  | ||||||
|   middleware_automation.keycloak.keycloak_realm: |  | ||||||
|     auth_client_id: admin-cli |  | ||||||
|     auth_keycloak_url: https://auth.example.com/auth |  | ||||||
|     auth_realm: master |  | ||||||
|     auth_username: USERNAME |  | ||||||
|     auth_password: PASSWORD |  | ||||||
|     id: realm |  | ||||||
|     realm: realm |  | ||||||
|     state: present |  | ||||||
| 
 |  | ||||||
| - name: Delete a Keycloak realm |  | ||||||
|   middleware_automation.keycloak.keycloak_realm: |  | ||||||
|     auth_client_id: admin-cli |  | ||||||
|     auth_keycloak_url: https://auth.example.com/auth |  | ||||||
|     auth_realm: master |  | ||||||
|     auth_username: USERNAME |  | ||||||
|     auth_password: PASSWORD |  | ||||||
|     id: test |  | ||||||
|     state: absent |  | ||||||
| ''' |  | ||||||
| 
 |  | ||||||
| RETURN = ''' |  | ||||||
| msg: |  | ||||||
|     description: Message as to what action was taken. |  | ||||||
|     returned: always |  | ||||||
|     type: str |  | ||||||
|     sample: "Realm testrealm has been updated" |  | ||||||
| 
 |  | ||||||
| proposed: |  | ||||||
|     description: Representation of proposed realm. |  | ||||||
|     returned: always |  | ||||||
|     type: dict |  | ||||||
|     sample: { |  | ||||||
|       id: "test" |  | ||||||
|     } |  | ||||||
| 
 |  | ||||||
| existing: |  | ||||||
|     description: Representation of existing realm (sample is truncated). |  | ||||||
|     returned: always |  | ||||||
|     type: dict |  | ||||||
|     sample: { |  | ||||||
|         "adminUrl": "http://www.example.com/admin_url", |  | ||||||
|         "attributes": { |  | ||||||
|             "request.object.signature.alg": "RS256", |  | ||||||
|         } |  | ||||||
|     } |  | ||||||
| 
 |  | ||||||
| end_state: |  | ||||||
|     description: Representation of realm after module execution (sample is truncated). |  | ||||||
|     returned: on success |  | ||||||
|     type: dict |  | ||||||
|     sample: { |  | ||||||
|         "adminUrl": "http://www.example.com/admin_url", |  | ||||||
|         "attributes": { |  | ||||||
|             "request.object.signature.alg": "RS256", |  | ||||||
|         } |  | ||||||
|     } |  | ||||||
| ''' |  | ||||||
| 
 |  | ||||||
| from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ |  | ||||||
|     keycloak_argument_spec, get_token, KeycloakError |  | ||||||
| from ansible.module_utils.basic import AnsibleModule |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| def normalise_cr(realmrep): |  | ||||||
|     """ Re-sorts any properties where the order is important so that diff's is minimised and the change detection is more effective. |  | ||||||
| 
 |  | ||||||
|     :param realmrep: the realmrep dict to be sanitized |  | ||||||
|     :return: normalised realmrep dict |  | ||||||
|     """ |  | ||||||
|     # Avoid the dict passed in to be modified |  | ||||||
|     realmrep = realmrep.copy() |  | ||||||
| 
 |  | ||||||
|     if 'enabledEventTypes' in realmrep: |  | ||||||
|         realmrep['enabledEventTypes'] = list(sorted(realmrep['enabledEventTypes'])) |  | ||||||
| 
 |  | ||||||
|     if 'otpSupportedApplications' in realmrep: |  | ||||||
|         realmrep['otpSupportedApplications'] = list(sorted(realmrep['otpSupportedApplications'])) |  | ||||||
| 
 |  | ||||||
|     if 'supportedLocales' in realmrep: |  | ||||||
|         realmrep['supportedLocales'] = list(sorted(realmrep['supportedLocales'])) |  | ||||||
| 
 |  | ||||||
|     return realmrep |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| def sanitize_cr(realmrep): |  | ||||||
|     """ Removes probably sensitive details from a realm representation. |  | ||||||
| 
 |  | ||||||
|     :param realmrep: the realmrep dict to be sanitized |  | ||||||
|     :return: sanitized realmrep dict |  | ||||||
|     """ |  | ||||||
|     result = realmrep.copy() |  | ||||||
|     if 'secret' in result: |  | ||||||
|         result['secret'] = '********' |  | ||||||
|     if 'attributes' in result: |  | ||||||
|         if 'saml.signing.private.key' in result['attributes']: |  | ||||||
|             result['attributes'] = result['attributes'].copy() |  | ||||||
|             result['attributes']['saml.signing.private.key'] = '********' |  | ||||||
|     return normalise_cr(result) |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| def main(): |  | ||||||
|     """ |  | ||||||
|     Module execution |  | ||||||
| 
 |  | ||||||
|     :return: |  | ||||||
|     """ |  | ||||||
|     argument_spec = keycloak_argument_spec() |  | ||||||
| 
 |  | ||||||
|     meta_args = dict( |  | ||||||
|         state=dict(default='present', choices=['present', 'absent']), |  | ||||||
| 
 |  | ||||||
|         id=dict(type='str'), |  | ||||||
|         realm=dict(type='str'), |  | ||||||
|         access_code_lifespan=dict(type='int', aliases=['accessCodeLifespan']), |  | ||||||
|         access_code_lifespan_login=dict(type='int', aliases=['accessCodeLifespanLogin']), |  | ||||||
|         access_code_lifespan_user_action=dict(type='int', aliases=['accessCodeLifespanUserAction']), |  | ||||||
|         access_token_lifespan=dict(type='int', aliases=['accessTokenLifespan'], no_log=False), |  | ||||||
|         access_token_lifespan_for_implicit_flow=dict(type='int', aliases=['accessTokenLifespanForImplicitFlow'], no_log=False), |  | ||||||
|         account_theme=dict(type='str', aliases=['accountTheme']), |  | ||||||
|         action_token_generated_by_admin_lifespan=dict(type='int', aliases=['actionTokenGeneratedByAdminLifespan'], no_log=False), |  | ||||||
|         action_token_generated_by_user_lifespan=dict(type='int', aliases=['actionTokenGeneratedByUserLifespan'], no_log=False), |  | ||||||
|         admin_events_details_enabled=dict(type='bool', aliases=['adminEventsDetailsEnabled']), |  | ||||||
|         admin_events_enabled=dict(type='bool', aliases=['adminEventsEnabled']), |  | ||||||
|         admin_theme=dict(type='str', aliases=['adminTheme']), |  | ||||||
|         attributes=dict(type='dict'), |  | ||||||
|         browser_flow=dict(type='str', aliases=['browserFlow']), |  | ||||||
|         browser_security_headers=dict(type='dict', aliases=['browserSecurityHeaders']), |  | ||||||
|         brute_force_protected=dict(type='bool', aliases=['bruteForceProtected']), |  | ||||||
|         client_authentication_flow=dict(type='str', aliases=['clientAuthenticationFlow']), |  | ||||||
|         client_scope_mappings=dict(type='dict', aliases=['clientScopeMappings']), |  | ||||||
|         default_default_client_scopes=dict(type='list', elements='str', aliases=['defaultDefaultClientScopes']), |  | ||||||
|         default_groups=dict(type='list', elements='str', aliases=['defaultGroups']), |  | ||||||
|         default_locale=dict(type='str', aliases=['defaultLocale']), |  | ||||||
|         default_optional_client_scopes=dict(type='list', elements='str', aliases=['defaultOptionalClientScopes']), |  | ||||||
|         default_roles=dict(type='list', elements='str', aliases=['defaultRoles']), |  | ||||||
|         default_signature_algorithm=dict(type='str', aliases=['defaultSignatureAlgorithm']), |  | ||||||
|         direct_grant_flow=dict(type='str', aliases=['directGrantFlow']), |  | ||||||
|         display_name=dict(type='str', aliases=['displayName']), |  | ||||||
|         display_name_html=dict(type='str', aliases=['displayNameHtml']), |  | ||||||
|         docker_authentication_flow=dict(type='str', aliases=['dockerAuthenticationFlow']), |  | ||||||
|         duplicate_emails_allowed=dict(type='bool', aliases=['duplicateEmailsAllowed']), |  | ||||||
|         edit_username_allowed=dict(type='bool', aliases=['editUsernameAllowed']), |  | ||||||
|         email_theme=dict(type='str', aliases=['emailTheme']), |  | ||||||
|         enabled=dict(type='bool'), |  | ||||||
|         enabled_event_types=dict(type='list', elements='str', aliases=['enabledEventTypes']), |  | ||||||
|         events_enabled=dict(type='bool', aliases=['eventsEnabled']), |  | ||||||
|         events_expiration=dict(type='int', aliases=['eventsExpiration']), |  | ||||||
|         events_listeners=dict(type='list', elements='str', aliases=['eventsListeners']), |  | ||||||
|         failure_factor=dict(type='int', aliases=['failureFactor']), |  | ||||||
|         internationalization_enabled=dict(type='bool', aliases=['internationalizationEnabled']), |  | ||||||
|         login_theme=dict(type='str', aliases=['loginTheme']), |  | ||||||
|         login_with_email_allowed=dict(type='bool', aliases=['loginWithEmailAllowed']), |  | ||||||
|         max_delta_time_seconds=dict(type='int', aliases=['maxDeltaTimeSeconds']), |  | ||||||
|         max_failure_wait_seconds=dict(type='int', aliases=['maxFailureWaitSeconds']), |  | ||||||
|         minimum_quick_login_wait_seconds=dict(type='int', aliases=['minimumQuickLoginWaitSeconds']), |  | ||||||
|         not_before=dict(type='int', aliases=['notBefore']), |  | ||||||
|         offline_session_idle_timeout=dict(type='int', aliases=['offlineSessionIdleTimeout']), |  | ||||||
|         offline_session_max_lifespan=dict(type='int', aliases=['offlineSessionMaxLifespan']), |  | ||||||
|         offline_session_max_lifespan_enabled=dict(type='bool', aliases=['offlineSessionMaxLifespanEnabled']), |  | ||||||
|         otp_policy_algorithm=dict(type='str', aliases=['otpPolicyAlgorithm']), |  | ||||||
|         otp_policy_digits=dict(type='int', aliases=['otpPolicyDigits']), |  | ||||||
|         otp_policy_initial_counter=dict(type='int', aliases=['otpPolicyInitialCounter']), |  | ||||||
|         otp_policy_look_ahead_window=dict(type='int', aliases=['otpPolicyLookAheadWindow']), |  | ||||||
|         otp_policy_period=dict(type='int', aliases=['otpPolicyPeriod']), |  | ||||||
|         otp_policy_type=dict(type='str', aliases=['otpPolicyType']), |  | ||||||
|         otp_supported_applications=dict(type='list', elements='str', aliases=['otpSupportedApplications']), |  | ||||||
|         password_policy=dict(type='str', aliases=['passwordPolicy'], no_log=False), |  | ||||||
|         permanent_lockout=dict(type='bool', aliases=['permanentLockout']), |  | ||||||
|         quick_login_check_milli_seconds=dict(type='int', aliases=['quickLoginCheckMilliSeconds']), |  | ||||||
|         refresh_token_max_reuse=dict(type='int', aliases=['refreshTokenMaxReuse'], no_log=False), |  | ||||||
|         registration_allowed=dict(type='bool', aliases=['registrationAllowed']), |  | ||||||
|         registration_email_as_username=dict(type='bool', aliases=['registrationEmailAsUsername']), |  | ||||||
|         registration_flow=dict(type='str', aliases=['registrationFlow']), |  | ||||||
|         remember_me=dict(type='bool', aliases=['rememberMe']), |  | ||||||
|         reset_credentials_flow=dict(type='str', aliases=['resetCredentialsFlow']), |  | ||||||
|         reset_password_allowed=dict(type='bool', aliases=['resetPasswordAllowed'], no_log=False), |  | ||||||
|         revoke_refresh_token=dict(type='bool', aliases=['revokeRefreshToken']), |  | ||||||
|         smtp_server=dict(type='dict', aliases=['smtpServer']), |  | ||||||
|         ssl_required=dict(choices=["external", "all", "none"], aliases=['sslRequired']), |  | ||||||
|         sso_session_idle_timeout=dict(type='int', aliases=['ssoSessionIdleTimeout']), |  | ||||||
|         sso_session_idle_timeout_remember_me=dict(type='int', aliases=['ssoSessionIdleTimeoutRememberMe']), |  | ||||||
|         sso_session_max_lifespan=dict(type='int', aliases=['ssoSessionMaxLifespan']), |  | ||||||
|         sso_session_max_lifespan_remember_me=dict(type='int', aliases=['ssoSessionMaxLifespanRememberMe']), |  | ||||||
|         supported_locales=dict(type='list', elements='str', aliases=['supportedLocales']), |  | ||||||
|         user_managed_access_allowed=dict(type='bool', aliases=['userManagedAccessAllowed']), |  | ||||||
|         verify_email=dict(type='bool', aliases=['verifyEmail']), |  | ||||||
|         wait_increment_seconds=dict(type='int', aliases=['waitIncrementSeconds']), |  | ||||||
|     ) |  | ||||||
| 
 |  | ||||||
|     argument_spec.update(meta_args) |  | ||||||
| 
 |  | ||||||
|     module = AnsibleModule(argument_spec=argument_spec, |  | ||||||
|                            supports_check_mode=True, |  | ||||||
|                            required_one_of=([['id', 'realm', 'enabled'], |  | ||||||
|                                              ['token', 'auth_realm', 'auth_username', 'auth_password']]), |  | ||||||
|                            required_together=([['auth_realm', 'auth_username', 'auth_password']])) |  | ||||||
| 
 |  | ||||||
|     result = dict(changed=False, msg='', diff={}, proposed={}, existing={}, end_state={}) |  | ||||||
| 
 |  | ||||||
|     # Obtain access token, initialize API |  | ||||||
|     try: |  | ||||||
|         connection_header = get_token(module.params) |  | ||||||
|     except KeycloakError as e: |  | ||||||
|         module.fail_json(msg=str(e)) |  | ||||||
| 
 |  | ||||||
|     kc = KeycloakAPI(module, connection_header) |  | ||||||
| 
 |  | ||||||
|     realm = module.params.get('realm') |  | ||||||
|     state = module.params.get('state') |  | ||||||
| 
 |  | ||||||
|     # convert module parameters to realm representation parameters (if they belong in there) |  | ||||||
|     params_to_ignore = list(keycloak_argument_spec().keys()) + ['state'] |  | ||||||
| 
 |  | ||||||
|     # Filter and map the parameters names that apply to the role |  | ||||||
|     realm_params = [x for x in module.params |  | ||||||
|                     if x not in params_to_ignore and |  | ||||||
|                     module.params.get(x) is not None] |  | ||||||
| 
 |  | ||||||
|     # See whether the realm already exists in Keycloak |  | ||||||
|     before_realm = kc.get_realm_by_id(realm=realm) |  | ||||||
| 
 |  | ||||||
|     if before_realm is None: |  | ||||||
|         before_realm = {} |  | ||||||
| 
 |  | ||||||
|     # Build a proposed changeset from parameters given to this module |  | ||||||
|     changeset = {} |  | ||||||
| 
 |  | ||||||
|     for realm_param in realm_params: |  | ||||||
|         new_param_value = module.params.get(realm_param) |  | ||||||
|         changeset[camel(realm_param)] = new_param_value |  | ||||||
| 
 |  | ||||||
|     # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis) |  | ||||||
|     desired_realm = before_realm.copy() |  | ||||||
|     desired_realm.update(changeset) |  | ||||||
| 
 |  | ||||||
|     result['proposed'] = sanitize_cr(changeset) |  | ||||||
|     before_realm_sanitized = sanitize_cr(before_realm) |  | ||||||
|     result['existing'] = before_realm_sanitized |  | ||||||
| 
 |  | ||||||
|     # Cater for when it doesn't exist (an empty dict) |  | ||||||
|     if not before_realm: |  | ||||||
|         if state == 'absent': |  | ||||||
|             # Do nothing and exit |  | ||||||
|             if module._diff: |  | ||||||
|                 result['diff'] = dict(before='', after='') |  | ||||||
|             result['changed'] = False |  | ||||||
|             result['end_state'] = {} |  | ||||||
|             result['msg'] = 'Realm does not exist, doing nothing.' |  | ||||||
|             module.exit_json(**result) |  | ||||||
| 
 |  | ||||||
|         # Process a creation |  | ||||||
|         result['changed'] = True |  | ||||||
| 
 |  | ||||||
|         if 'id' not in desired_realm: |  | ||||||
|             module.fail_json(msg='id needs to be specified when creating a new realm') |  | ||||||
| 
 |  | ||||||
|         if module._diff: |  | ||||||
|             result['diff'] = dict(before='', after=sanitize_cr(desired_realm)) |  | ||||||
| 
 |  | ||||||
|         if module.check_mode: |  | ||||||
|             module.exit_json(**result) |  | ||||||
| 
 |  | ||||||
|         # create it |  | ||||||
|         kc.create_realm(desired_realm) |  | ||||||
|         after_realm = kc.get_realm_by_id(desired_realm['id']) |  | ||||||
| 
 |  | ||||||
|         result['end_state'] = sanitize_cr(after_realm) |  | ||||||
| 
 |  | ||||||
|         result['msg'] = 'Realm %s has been created.' % desired_realm['id'] |  | ||||||
|         module.exit_json(**result) |  | ||||||
| 
 |  | ||||||
|     else: |  | ||||||
|         if state == 'present': |  | ||||||
|             # Process an update |  | ||||||
| 
 |  | ||||||
|             # doing an update |  | ||||||
|             result['changed'] = True |  | ||||||
|             if module.check_mode: |  | ||||||
|                 # We can only compare the current realm with the proposed updates we have |  | ||||||
|                 before_norm = normalise_cr(before_realm) |  | ||||||
|                 desired_norm = normalise_cr(desired_realm) |  | ||||||
|                 if module._diff: |  | ||||||
|                     result['diff'] = dict(before=sanitize_cr(before_norm), |  | ||||||
|                                           after=sanitize_cr(desired_norm)) |  | ||||||
|                 result['changed'] = (before_norm != desired_norm) |  | ||||||
| 
 |  | ||||||
|                 module.exit_json(**result) |  | ||||||
| 
 |  | ||||||
|             # do the update |  | ||||||
|             kc.update_realm(desired_realm, realm=realm) |  | ||||||
| 
 |  | ||||||
|             after_realm = kc.get_realm_by_id(realm=realm) |  | ||||||
| 
 |  | ||||||
|             if before_realm == after_realm: |  | ||||||
|                 result['changed'] = False |  | ||||||
| 
 |  | ||||||
|             result['end_state'] = sanitize_cr(after_realm) |  | ||||||
| 
 |  | ||||||
|             if module._diff: |  | ||||||
|                 result['diff'] = dict(before=before_realm_sanitized, |  | ||||||
|                                       after=sanitize_cr(after_realm)) |  | ||||||
| 
 |  | ||||||
|             result['msg'] = 'Realm %s has been updated.' % desired_realm['id'] |  | ||||||
|             module.exit_json(**result) |  | ||||||
| 
 |  | ||||||
|         else: |  | ||||||
|             # Process a deletion (because state was not 'present') |  | ||||||
|             result['changed'] = True |  | ||||||
| 
 |  | ||||||
|             if module._diff: |  | ||||||
|                 result['diff'] = dict(before=before_realm_sanitized, after='') |  | ||||||
| 
 |  | ||||||
|             if module.check_mode: |  | ||||||
|                 module.exit_json(**result) |  | ||||||
| 
 |  | ||||||
|             # delete it |  | ||||||
|             kc.delete_realm(realm=realm) |  | ||||||
| 
 |  | ||||||
|             result['proposed'] = {} |  | ||||||
|             result['end_state'] = {} |  | ||||||
| 
 |  | ||||||
|             result['msg'] = 'Realm %s has been deleted.' % before_realm['id'] |  | ||||||
| 
 |  | ||||||
|     module.exit_json(**result) |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| if __name__ == '__main__': |  | ||||||
|     main() |  | ||||||
|  | @ -40,8 +40,8 @@ options: | ||||||
|     state: |     state: | ||||||
|         description: |         description: | ||||||
|             - State of the role. |             - State of the role. | ||||||
|             - On V(present), the role will be created if it does not yet exist, or updated with the parameters you provide. |             - On C(present), the role will be created if it does not yet exist, or updated with the parameters you provide. | ||||||
|             - On V(absent), the role will be removed if it exists. |             - On C(absent), the role will be removed if it exists. | ||||||
|         default: 'present' |         default: 'present' | ||||||
|         type: str |         type: str | ||||||
|         choices: |         choices: | ||||||
|  | @ -77,42 +77,6 @@ options: | ||||||
|         description: |         description: | ||||||
|             - A dict of key/value pairs to set as custom attributes for the role. |             - A dict of key/value pairs to set as custom attributes for the role. | ||||||
|             - Values may be single values (e.g. a string) or a list of strings. |             - Values may be single values (e.g. a string) or a list of strings. | ||||||
|     composite: |  | ||||||
|         description: |  | ||||||
|             - If V(true), the role is a composition of other realm and/or client role. |  | ||||||
|         default: false |  | ||||||
|         type: bool |  | ||||||
|         version_added: 7.1.0 |  | ||||||
|     composites: |  | ||||||
|         description: |  | ||||||
|             - List of roles to include to the composite realm role. |  | ||||||
|             - If the composite role is a client role, the C(clientId) (not ID of the client) must be specified. |  | ||||||
|         default: [] |  | ||||||
|         type: list |  | ||||||
|         elements: dict |  | ||||||
|         version_added: 7.1.0 |  | ||||||
|         suboptions: |  | ||||||
|             name: |  | ||||||
|                 description: |  | ||||||
|                     - Name of the role. This can be the name of a REALM role or a client role. |  | ||||||
|                 type: str |  | ||||||
|                 required: true |  | ||||||
|             client_id: |  | ||||||
|                 description: |  | ||||||
|                     - Client ID if the role is a client role. Do not include this option for a REALM role. |  | ||||||
|                     - Use the client ID you can see in the Keycloak console, not the technical ID of the client. |  | ||||||
|                 type: str |  | ||||||
|                 required: false |  | ||||||
|                 aliases: |  | ||||||
|                     - clientId |  | ||||||
|             state: |  | ||||||
|                 description: |  | ||||||
|                     - Create the composite if present, remove it if absent. |  | ||||||
|                 type: str |  | ||||||
|                 choices: |  | ||||||
|                     - present |  | ||||||
|                     - absent |  | ||||||
|                 default: present |  | ||||||
| 
 | 
 | ||||||
| extends_documentation_fragment: | extends_documentation_fragment: | ||||||
|     - middleware_automation.keycloak.keycloak |     - middleware_automation.keycloak.keycloak | ||||||
|  | @ -178,14 +142,14 @@ EXAMPLES = ''' | ||||||
|     auth_password: PASSWORD |     auth_password: PASSWORD | ||||||
|     name: my-new-role |     name: my-new-role | ||||||
|     attributes: |     attributes: | ||||||
|         attrib1: value1 |       attrib1: value1 | ||||||
|         attrib2: value2 |       attrib2: value2 | ||||||
|         attrib3: |       attrib3: | ||||||
|             - with |         - with | ||||||
|             - numerous |         - numerous | ||||||
|             - individual |         - individual | ||||||
|             - list |         - list | ||||||
|             - items |         - items | ||||||
|   delegate_to: localhost |   delegate_to: localhost | ||||||
| ''' | ''' | ||||||
| 
 | 
 | ||||||
|  | @ -234,9 +198,8 @@ end_state: | ||||||
| ''' | ''' | ||||||
| 
 | 
 | ||||||
| from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ | from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ | ||||||
|     keycloak_argument_spec, get_token, KeycloakError, is_struct_included |     keycloak_argument_spec, get_token, KeycloakError | ||||||
| from ansible.module_utils.basic import AnsibleModule | from ansible.module_utils.basic import AnsibleModule | ||||||
| import copy |  | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| def main(): | def main(): | ||||||
|  | @ -247,12 +210,6 @@ def main(): | ||||||
|     """ |     """ | ||||||
|     argument_spec = keycloak_argument_spec() |     argument_spec = keycloak_argument_spec() | ||||||
| 
 | 
 | ||||||
|     composites_spec = dict( |  | ||||||
|         name=dict(type='str', required=True), |  | ||||||
|         client_id=dict(type='str', aliases=['clientId'], required=False), |  | ||||||
|         state=dict(type='str', default='present', choices=['present', 'absent']) |  | ||||||
|     ) |  | ||||||
| 
 |  | ||||||
|     meta_args = dict( |     meta_args = dict( | ||||||
|         state=dict(type='str', default='present', choices=['present', 'absent']), |         state=dict(type='str', default='present', choices=['present', 'absent']), | ||||||
|         name=dict(type='str', required=True), |         name=dict(type='str', required=True), | ||||||
|  | @ -260,8 +217,6 @@ def main(): | ||||||
|         realm=dict(type='str', default='master'), |         realm=dict(type='str', default='master'), | ||||||
|         client_id=dict(type='str'), |         client_id=dict(type='str'), | ||||||
|         attributes=dict(type='dict'), |         attributes=dict(type='dict'), | ||||||
|         composites=dict(type='list', default=[], options=composites_spec, elements='dict'), |  | ||||||
|         composite=dict(type='bool', default=False), |  | ||||||
|     ) |     ) | ||||||
| 
 | 
 | ||||||
|     argument_spec.update(meta_args) |     argument_spec.update(meta_args) | ||||||
|  | @ -295,7 +250,7 @@ def main(): | ||||||
| 
 | 
 | ||||||
|     # Filter and map the parameters names that apply to the role |     # Filter and map the parameters names that apply to the role | ||||||
|     role_params = [x for x in module.params |     role_params = [x for x in module.params | ||||||
|                    if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm', 'client_id'] and |                    if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm', 'client_id', 'composites'] and | ||||||
|                    module.params.get(x) is not None] |                    module.params.get(x) is not None] | ||||||
| 
 | 
 | ||||||
|     # See if it already exists in Keycloak |     # See if it already exists in Keycloak | ||||||
|  | @ -314,10 +269,10 @@ def main(): | ||||||
|         new_param_value = module.params.get(param) |         new_param_value = module.params.get(param) | ||||||
|         old_value = before_role[param] if param in before_role else None |         old_value = before_role[param] if param in before_role else None | ||||||
|         if new_param_value != old_value: |         if new_param_value != old_value: | ||||||
|             changeset[camel(param)] = copy.deepcopy(new_param_value) |             changeset[camel(param)] = new_param_value | ||||||
| 
 | 
 | ||||||
|     # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis) |     # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis) | ||||||
|     desired_role = copy.deepcopy(before_role) |     desired_role = before_role.copy() | ||||||
|     desired_role.update(changeset) |     desired_role.update(changeset) | ||||||
| 
 | 
 | ||||||
|     result['proposed'] = changeset |     result['proposed'] = changeset | ||||||
|  | @ -354,9 +309,6 @@ def main(): | ||||||
|             kc.create_client_role(desired_role, clientid, realm) |             kc.create_client_role(desired_role, clientid, realm) | ||||||
|             after_role = kc.get_client_role(name, clientid, realm) |             after_role = kc.get_client_role(name, clientid, realm) | ||||||
| 
 | 
 | ||||||
|         if after_role['composite']: |  | ||||||
|             after_role['composites'] = kc.get_role_composites(rolerep=after_role, clientid=clientid, realm=realm) |  | ||||||
| 
 |  | ||||||
|         result['end_state'] = after_role |         result['end_state'] = after_role | ||||||
| 
 | 
 | ||||||
|         result['msg'] = 'Role {name} has been created'.format(name=name) |         result['msg'] = 'Role {name} has been created'.format(name=name) | ||||||
|  | @ -364,25 +316,10 @@ def main(): | ||||||
| 
 | 
 | ||||||
|     else: |     else: | ||||||
|         if state == 'present': |         if state == 'present': | ||||||
|             compare_exclude = [] |  | ||||||
|             if 'composites' in desired_role and isinstance(desired_role['composites'], list) and len(desired_role['composites']) > 0: |  | ||||||
|                 composites = kc.get_role_composites(rolerep=before_role, clientid=clientid, realm=realm) |  | ||||||
|                 before_role['composites'] = [] |  | ||||||
|                 for composite in composites: |  | ||||||
|                     before_composite = {} |  | ||||||
|                     if composite['clientRole']: |  | ||||||
|                         composite_client = kc.get_client_by_id(id=composite['containerId'], realm=realm) |  | ||||||
|                         before_composite['client_id'] = composite_client['clientId'] |  | ||||||
|                     else: |  | ||||||
|                         before_composite['client_id'] = None |  | ||||||
|                     before_composite['name'] = composite['name'] |  | ||||||
|                     before_composite['state'] = 'present' |  | ||||||
|                     before_role['composites'].append(before_composite) |  | ||||||
|             else: |  | ||||||
|                 compare_exclude.append('composites') |  | ||||||
|             # Process an update |             # Process an update | ||||||
|  | 
 | ||||||
|             # no changes |             # no changes | ||||||
|             if is_struct_included(desired_role, before_role, exclude=compare_exclude): |             if desired_role == before_role: | ||||||
|                 result['changed'] = False |                 result['changed'] = False | ||||||
|                 result['end_state'] = desired_role |                 result['end_state'] = desired_role | ||||||
|                 result['msg'] = "No changes required to role {name}.".format(name=name) |                 result['msg'] = "No changes required to role {name}.".format(name=name) | ||||||
|  | @ -404,8 +341,6 @@ def main(): | ||||||
|             else: |             else: | ||||||
|                 kc.update_client_role(desired_role, clientid, realm) |                 kc.update_client_role(desired_role, clientid, realm) | ||||||
|                 after_role = kc.get_client_role(name, clientid, realm) |                 after_role = kc.get_client_role(name, clientid, realm) | ||||||
|             if after_role['composite']: |  | ||||||
|                 after_role['composites'] = kc.get_role_composites(rolerep=after_role, clientid=clientid, realm=realm) |  | ||||||
| 
 | 
 | ||||||
|             result['end_state'] = after_role |             result['end_state'] = after_role | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -36,9 +36,9 @@ options: | ||||||
|     state: |     state: | ||||||
|         description: |         description: | ||||||
|             - State of the user federation. |             - State of the user federation. | ||||||
|             - On V(present), the user federation will be created if it does not yet exist, or updated with |             - On C(present), the user federation will be created if it does not yet exist, or updated with | ||||||
|               the parameters you provide. |               the parameters you provide. | ||||||
|             - On V(absent), the user federation will be removed if it exists. |             - On C(absent), the user federation will be removed if it exists. | ||||||
|         default: 'present' |         default: 'present' | ||||||
|         type: str |         type: str | ||||||
|         choices: |         choices: | ||||||
|  | @ -54,7 +54,7 @@ options: | ||||||
|     id: |     id: | ||||||
|         description: |         description: | ||||||
|             - The unique ID for this user federation. If left empty, the user federation will be searched |             - The unique ID for this user federation. If left empty, the user federation will be searched | ||||||
|               by its O(name). |               by its I(name). | ||||||
|         type: str |         type: str | ||||||
| 
 | 
 | ||||||
|     name: |     name: | ||||||
|  | @ -64,15 +64,18 @@ options: | ||||||
| 
 | 
 | ||||||
|     provider_id: |     provider_id: | ||||||
|         description: |         description: | ||||||
|             - Provider for this user federation. Built-in providers are V(ldap), V(kerberos), and V(sssd). |             - Provider for this user federation. | ||||||
|               Custom user storage providers can also be used. |  | ||||||
|         aliases: |         aliases: | ||||||
|             - providerId |             - providerId | ||||||
|         type: str |         type: str | ||||||
|  |         choices: | ||||||
|  |             - ldap | ||||||
|  |             - kerberos | ||||||
|  |             - sssd | ||||||
| 
 | 
 | ||||||
|     provider_type: |     provider_type: | ||||||
|         description: |         description: | ||||||
|             - Component type for user federation (only supported value is V(org.keycloak.storage.UserStorageProvider)). |             - Component type for user federation (only supported value is C(org.keycloak.storage.UserStorageProvider)). | ||||||
|         aliases: |         aliases: | ||||||
|             - providerType |             - providerType | ||||||
|         default: org.keycloak.storage.UserStorageProvider |         default: org.keycloak.storage.UserStorageProvider | ||||||
|  | @ -85,37 +88,13 @@ options: | ||||||
|             - parentId |             - parentId | ||||||
|         type: str |         type: str | ||||||
| 
 | 
 | ||||||
|     remove_unspecified_mappers: |  | ||||||
|         description: |  | ||||||
|             - Remove mappers that are not specified in the configuration for this federation. |  | ||||||
|             - Set to V(false) to keep mappers that are not listed in O(mappers). |  | ||||||
|         type: bool |  | ||||||
|         default: true |  | ||||||
| 
 |  | ||||||
|     bind_credential_update_mode: |  | ||||||
|         description: |  | ||||||
|             - The value of the config parameter O(config.bindCredential) is redacted in the Keycloak responses. |  | ||||||
|               Comparing the redacted value with the desired value always evaluates to not equal. This means |  | ||||||
|               the before and desired states are never equal if the parameter is set. |  | ||||||
|             - Set to V(always) to include O(config.bindCredential) in the comparison of before and desired state. |  | ||||||
|               Because of the redacted value returned by Keycloak the module will always detect a change |  | ||||||
|               and make an update if a O(config.bindCredential) value is set. |  | ||||||
|             - Set to V(only_indirect) to exclude O(config.bindCredential) when comparing the before state with the |  | ||||||
|               desired state. The value of O(config.bindCredential) will only be updated if there are other changes |  | ||||||
|               to the user federation that require an update. |  | ||||||
|         type: str |  | ||||||
|         default: always |  | ||||||
|         choices: |  | ||||||
|             - always |  | ||||||
|             - only_indirect |  | ||||||
| 
 |  | ||||||
|     config: |     config: | ||||||
|         description: |         description: | ||||||
|             - Dict specifying the configuration options for the provider; the contents differ depending on |             - Dict specifying the configuration options for the provider; the contents differ depending on | ||||||
|               the value of O(provider_id). Examples are given below for V(ldap), V(kerberos) and V(sssd). |               the value of I(provider_id). Examples are given below for C(ldap), C(kerberos) and C(sssd). | ||||||
|               It is easiest to obtain valid config values by dumping an already-existing user federation |               It is easiest to obtain valid config values by dumping an already-existing user federation | ||||||
|               configuration through check-mode in the RV(existing) field. |               configuration through check-mode in the I(existing) field. | ||||||
|             - The value V(sssd) has been supported since middleware_automation.keycloak 2.0.0. |             - The value C(sssd) has been supported since middleware_automation.keycloak 1.0.0. | ||||||
|         type: dict |         type: dict | ||||||
|         suboptions: |         suboptions: | ||||||
|             enabled: |             enabled: | ||||||
|  | @ -132,15 +111,15 @@ options: | ||||||
| 
 | 
 | ||||||
|             importEnabled: |             importEnabled: | ||||||
|                 description: |                 description: | ||||||
|                     - If V(true), LDAP users will be imported into Keycloak DB and synced by the configured |                     - If C(true), LDAP users will be imported into Keycloak DB and synced by the configured | ||||||
|                       sync policies. |                       sync policies. | ||||||
|                 default: true |                 default: true | ||||||
|                 type: bool |                 type: bool | ||||||
| 
 | 
 | ||||||
|             editMode: |             editMode: | ||||||
|                 description: |                 description: | ||||||
|                     - V(READ_ONLY) is a read-only LDAP store. V(WRITABLE) means data will be synced back to LDAP |                     - C(READ_ONLY) is a read-only LDAP store. C(WRITABLE) means data will be synced back to LDAP | ||||||
|                       on demand. V(UNSYNCED) means user data will be imported, but not synced back to LDAP. |                       on demand. C(UNSYNCED) means user data will be imported, but not synced back to LDAP. | ||||||
|                 type: str |                 type: str | ||||||
|                 choices: |                 choices: | ||||||
|                     - READ_ONLY |                     - READ_ONLY | ||||||
|  | @ -157,13 +136,13 @@ options: | ||||||
|             vendor: |             vendor: | ||||||
|                 description: |                 description: | ||||||
|                     - LDAP vendor (provider). |                     - LDAP vendor (provider). | ||||||
|                     - Use short name. For instance, write V(rhds) for "Red Hat Directory Server". |                     - Use short name. For instance, write C(rhds) for "Red Hat Directory Server". | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|             usernameLDAPAttribute: |             usernameLDAPAttribute: | ||||||
|                 description: |                 description: | ||||||
|                     - Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server |                     - Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server | ||||||
|                       vendors it can be V(uid). For Active directory it can be V(sAMAccountName) or V(cn). |                       vendors it can be C(uid). For Active directory it can be C(sAMAccountName) or C(cn). | ||||||
|                       The attribute should be filled for all LDAP user records you want to import from |                       The attribute should be filled for all LDAP user records you want to import from | ||||||
|                       LDAP to Keycloak. |                       LDAP to Keycloak. | ||||||
|                 type: str |                 type: str | ||||||
|  | @ -172,15 +151,15 @@ options: | ||||||
|                 description: |                 description: | ||||||
|                     - Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. |                     - Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. | ||||||
|                       Usually it's the same as Username LDAP attribute, however it is not required. For |                       Usually it's the same as Username LDAP attribute, however it is not required. For | ||||||
|                       example for Active directory, it is common to use V(cn) as RDN attribute when |                       example for Active directory, it is common to use C(cn) as RDN attribute when | ||||||
|                       username attribute might be V(sAMAccountName). |                       username attribute might be C(sAMAccountName). | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|             uuidLDAPAttribute: |             uuidLDAPAttribute: | ||||||
|                 description: |                 description: | ||||||
|                     - Name of LDAP attribute, which is used as unique object identifier (UUID) for objects |                     - Name of LDAP attribute, which is used as unique object identifier (UUID) for objects | ||||||
|                       in LDAP. For many LDAP server vendors, it is V(entryUUID); however some are different. |                       in LDAP. For many LDAP server vendors, it is C(entryUUID); however some are different. | ||||||
|                       For example for Active directory it should be V(objectGUID). If your LDAP server does |                       For example for Active directory it should be C(objectGUID). If your LDAP server does | ||||||
|                       not support the notion of UUID, you can use any other attribute that is supposed to |                       not support the notion of UUID, you can use any other attribute that is supposed to | ||||||
|                       be unique among LDAP users in tree. |                       be unique among LDAP users in tree. | ||||||
|                 type: str |                 type: str | ||||||
|  | @ -188,7 +167,7 @@ options: | ||||||
|             userObjectClasses: |             userObjectClasses: | ||||||
|                 description: |                 description: | ||||||
|                     - All values of LDAP objectClass attribute for users in LDAP divided by comma. |                     - All values of LDAP objectClass attribute for users in LDAP divided by comma. | ||||||
|                       For example V(inetOrgPerson, organizationalPerson). Newly created Keycloak users |                       For example C(inetOrgPerson, organizationalPerson). Newly created Keycloak users | ||||||
|                       will be written to LDAP with all those object classes and existing LDAP user records |                       will be written to LDAP with all those object classes and existing LDAP user records | ||||||
|                       are found just if they contain all those object classes. |                       are found just if they contain all those object classes. | ||||||
|                 type: str |                 type: str | ||||||
|  | @ -272,8 +251,8 @@ options: | ||||||
|             useTruststoreSpi: |             useTruststoreSpi: | ||||||
|                 description: |                 description: | ||||||
|                     - Specifies whether LDAP connection will use the truststore SPI with the truststore |                     - Specifies whether LDAP connection will use the truststore SPI with the truststore | ||||||
|                       configured in standalone.xml/domain.xml. V(always) means that it will always use it. |                       configured in standalone.xml/domain.xml. C(Always) means that it will always use it. | ||||||
|                       V(never) means that it will not use it. V(ldapsOnly) means that it will use if |                       C(Never) means that it will not use it. C(Only for ldaps) means that it will use if | ||||||
|                       your connection URL use ldaps. Note even if standalone.xml/domain.xml is not |                       your connection URL use ldaps. Note even if standalone.xml/domain.xml is not | ||||||
|                       configured, the default Java cacerts or certificate specified by |                       configured, the default Java cacerts or certificate specified by | ||||||
|                       C(javax.net.ssl.trustStore) property will be used. |                       C(javax.net.ssl.trustStore) property will be used. | ||||||
|  | @ -318,7 +297,7 @@ options: | ||||||
|             connectionPoolingDebug: |             connectionPoolingDebug: | ||||||
|                 description: |                 description: | ||||||
|                     - A string that indicates the level of debug output to produce. Example valid values are |                     - A string that indicates the level of debug output to produce. Example valid values are | ||||||
|                       V(fine) (trace connection creation and removal) and V(all) (all debugging information). |                       C(fine) (trace connection creation and removal) and C(all) (all debugging information). | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|             connectionPoolingInitSize: |             connectionPoolingInitSize: | ||||||
|  | @ -342,7 +321,7 @@ options: | ||||||
|             connectionPoolingProtocol: |             connectionPoolingProtocol: | ||||||
|                 description: |                 description: | ||||||
|                     - A list of space-separated protocol types of connections that may be pooled. |                     - A list of space-separated protocol types of connections that may be pooled. | ||||||
|                       Valid types are V(plain) and V(ssl). |                       Valid types are C(plain) and C(ssl). | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|             connectionPoolingTimeout: |             connectionPoolingTimeout: | ||||||
|  | @ -363,26 +342,17 @@ options: | ||||||
|                     - Name of kerberos realm. |                     - Name of kerberos realm. | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|             krbPrincipalAttribute: |  | ||||||
|                 description: |  | ||||||
|                     - Name of the LDAP attribute, which refers to Kerberos principal. |  | ||||||
|                       This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO authentication in Keycloak. |  | ||||||
|                       When this is empty, the LDAP user will be looked based on LDAP username corresponding |  | ||||||
|                       to the first part of his Kerberos principal. For instance, for principal C(john@KEYCLOAK.ORG), |  | ||||||
|                       it will assume that LDAP username is V(john). |  | ||||||
|                 type: str |  | ||||||
| 
 |  | ||||||
|             serverPrincipal: |             serverPrincipal: | ||||||
|                 description: |                 description: | ||||||
|                     - Full name of server principal for HTTP service including server and domain name. For |                     - Full name of server principal for HTTP service including server and domain name. For | ||||||
|                       example V(HTTP/host.foo.org@FOO.ORG). Use V(*) to accept any service principal in the |                       example C(HTTP/host.foo.org@FOO.ORG). Use C(*) to accept any service principal in the | ||||||
|                       KeyTab file. |                       KeyTab file. | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|             keyTab: |             keyTab: | ||||||
|                 description: |                 description: | ||||||
|                     - Location of Kerberos KeyTab file containing the credentials of server principal. For |                     - Location of Kerberos KeyTab file containing the credentials of server principal. For | ||||||
|                       example V(/etc/krb5.keytab). |                       example C(/etc/krb5.keytab). | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|             debug: |             debug: | ||||||
|  | @ -457,16 +427,6 @@ options: | ||||||
|                     - Max lifespan of cache entry in milliseconds. |                     - Max lifespan of cache entry in milliseconds. | ||||||
|                 type: int |                 type: int | ||||||
| 
 | 
 | ||||||
|             referral: |  | ||||||
|                 description: |  | ||||||
|                     - Specifies if LDAP referrals should be followed or ignored. Please note that enabling |  | ||||||
|                       referrals can slow down authentication as it allows the LDAP server to decide which other |  | ||||||
|                       LDAP servers to use. This could potentially include untrusted servers. |  | ||||||
|                 type: str |  | ||||||
|                 choices: |  | ||||||
|                     - ignore |  | ||||||
|                     - follow |  | ||||||
| 
 |  | ||||||
|     mappers: |     mappers: | ||||||
|         description: |         description: | ||||||
|             - A list of dicts defining mappers associated with this Identity Provider. |             - A list of dicts defining mappers associated with this Identity Provider. | ||||||
|  | @ -491,7 +451,7 @@ options: | ||||||
| 
 | 
 | ||||||
|             providerId: |             providerId: | ||||||
|                 description: |                 description: | ||||||
|                     - The mapper type for this mapper (for instance V(user-attribute-ldap-mapper)). |                     - The mapper type for this mapper (for instance C(user-attribute-ldap-mapper)). | ||||||
|                 type: str |                 type: str | ||||||
| 
 | 
 | ||||||
|             providerType: |             providerType: | ||||||
|  | @ -574,14 +534,14 @@ EXAMPLES = ''' | ||||||
|     provider_id: kerberos |     provider_id: kerberos | ||||||
|     provider_type: org.keycloak.storage.UserStorageProvider |     provider_type: org.keycloak.storage.UserStorageProvider | ||||||
|     config: |     config: | ||||||
|       priority: 0 |     priority: 0 | ||||||
|       enabled: true |     enabled: true | ||||||
|       cachePolicy: DEFAULT |     cachePolicy: DEFAULT | ||||||
|       kerberosRealm: EXAMPLE.COM |     kerberosRealm: EXAMPLE.COM | ||||||
|       serverPrincipal: HTTP/host.example.com@EXAMPLE.COM |     serverPrincipal: HTTP/host.example.com@EXAMPLE.COM | ||||||
|       keyTab: keytab |     keyTab: keytab | ||||||
|       allowPasswordAuthentication: false |     allowPasswordAuthentication: false | ||||||
|       updateProfileFirstLogin: false |     updateProfileFirstLogin: false | ||||||
| 
 | 
 | ||||||
| - name: Create sssd user federation | - name: Create sssd user federation | ||||||
|   middleware_automation.keycloak.keycloak_user_federation: |   middleware_automation.keycloak.keycloak_user_federation: | ||||||
|  | @ -744,27 +704,16 @@ from ansible.module_utils.six.moves.urllib.parse import urlencode | ||||||
| from copy import deepcopy | from copy import deepcopy | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| def normalize_kc_comp(comp): |  | ||||||
|     if 'config' in comp: |  | ||||||
|         # kc completely removes the parameter `krbPrincipalAttribute` if it is set to `''`; the unset kc parameter is equivalent to `''`; |  | ||||||
|         # to make change detection and diff more accurate we set it again in the kc responses |  | ||||||
|         if 'krbPrincipalAttribute' not in comp['config']: |  | ||||||
|             comp['config']['krbPrincipalAttribute'] = [''] |  | ||||||
| 
 |  | ||||||
|         # kc stores a timestamp of the last sync in `lastSync` to time the periodic sync, it is removed to minimize diff/changes |  | ||||||
|         comp['config'].pop('lastSync', None) |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| def sanitize(comp): | def sanitize(comp): | ||||||
|     compcopy = deepcopy(comp) |     compcopy = deepcopy(comp) | ||||||
|     if 'config' in compcopy: |     if 'config' in compcopy: | ||||||
|         compcopy['config'] = {k: v[0] for k, v in compcopy['config'].items()} |         compcopy['config'] = dict((k, v[0]) for k, v in compcopy['config'].items()) | ||||||
|         if 'bindCredential' in compcopy['config']: |         if 'bindCredential' in compcopy['config']: | ||||||
|             compcopy['config']['bindCredential'] = '**********' |             compcopy['config']['bindCredential'] = '**********' | ||||||
|     if 'mappers' in compcopy: |     if 'mappers' in compcopy: | ||||||
|         for mapper in compcopy['mappers']: |         for mapper in compcopy['mappers']: | ||||||
|             if 'config' in mapper: |             if 'config' in mapper: | ||||||
|                 mapper['config'] = {k: v[0] for k, v in mapper['config'].items()} |                 mapper['config'] = dict((k, v[0]) for k, v in mapper['config'].items()) | ||||||
|     return compcopy |     return compcopy | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | @ -811,10 +760,8 @@ def main(): | ||||||
|         priority=dict(type='int', default=0), |         priority=dict(type='int', default=0), | ||||||
|         rdnLDAPAttribute=dict(type='str'), |         rdnLDAPAttribute=dict(type='str'), | ||||||
|         readTimeout=dict(type='int'), |         readTimeout=dict(type='int'), | ||||||
|         referral=dict(type='str', choices=['ignore', 'follow']), |  | ||||||
|         searchScope=dict(type='str', choices=['1', '2'], default='1'), |         searchScope=dict(type='str', choices=['1', '2'], default='1'), | ||||||
|         serverPrincipal=dict(type='str'), |         serverPrincipal=dict(type='str'), | ||||||
|         krbPrincipalAttribute=dict(type='str'), |  | ||||||
|         startTls=dict(type='bool', default=False), |         startTls=dict(type='bool', default=False), | ||||||
|         syncRegistrations=dict(type='bool', default=False), |         syncRegistrations=dict(type='bool', default=False), | ||||||
|         trustEmail=dict(type='bool', default=False), |         trustEmail=dict(type='bool', default=False), | ||||||
|  | @ -845,11 +792,9 @@ def main(): | ||||||
|         realm=dict(type='str', default='master'), |         realm=dict(type='str', default='master'), | ||||||
|         id=dict(type='str'), |         id=dict(type='str'), | ||||||
|         name=dict(type='str'), |         name=dict(type='str'), | ||||||
|         provider_id=dict(type='str', aliases=['providerId']), |         provider_id=dict(type='str', aliases=['providerId'], choices=['ldap', 'kerberos', 'sssd']), | ||||||
|         provider_type=dict(type='str', aliases=['providerType'], default='org.keycloak.storage.UserStorageProvider'), |         provider_type=dict(type='str', aliases=['providerType'], default='org.keycloak.storage.UserStorageProvider'), | ||||||
|         parent_id=dict(type='str', aliases=['parentId']), |         parent_id=dict(type='str', aliases=['parentId']), | ||||||
|         remove_unspecified_mappers=dict(type='bool', default=True), |  | ||||||
|         bind_credential_update_mode=dict(type='str', default='always', choices=['always', 'only_indirect']), |  | ||||||
|         mappers=dict(type='list', elements='dict', options=mapper_spec), |         mappers=dict(type='list', elements='dict', options=mapper_spec), | ||||||
|     ) |     ) | ||||||
| 
 | 
 | ||||||
|  | @ -880,26 +825,19 @@ def main(): | ||||||
| 
 | 
 | ||||||
|     # Keycloak API expects config parameters to be arrays containing a single string element |     # Keycloak API expects config parameters to be arrays containing a single string element | ||||||
|     if config is not None: |     if config is not None: | ||||||
|         module.params['config'] = { |         module.params['config'] = dict((k, [str(v).lower() if not isinstance(v, str) else v]) | ||||||
|             k: [str(v).lower() if not isinstance(v, str) else v] |                                        for k, v in config.items() if config[k] is not None) | ||||||
|             for k, v in config.items() |  | ||||||
|             if config[k] is not None |  | ||||||
|         } |  | ||||||
| 
 | 
 | ||||||
|     if mappers is not None: |     if mappers is not None: | ||||||
|         for mapper in mappers: |         for mapper in mappers: | ||||||
|             if mapper.get('config') is not None: |             if mapper.get('config') is not None: | ||||||
|                 mapper['config'] = { |                 mapper['config'] = dict((k, [str(v).lower() if not isinstance(v, str) else v]) | ||||||
|                     k: [str(v).lower() if not isinstance(v, str) else v] |                                         for k, v in mapper['config'].items() if mapper['config'][k] is not None) | ||||||
|                     for k, v in mapper['config'].items() |  | ||||||
|                     if mapper['config'][k] is not None |  | ||||||
|                 } |  | ||||||
| 
 | 
 | ||||||
|     # Filter and map the parameters names that apply |     # Filter and map the parameters names that apply | ||||||
|     comp_params = [x for x in module.params |     comp_params = [x for x in module.params | ||||||
|                    if x not in list(keycloak_argument_spec().keys()) |                    if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm', 'mappers'] and | ||||||
|                    + ['state', 'realm', 'mappers', 'remove_unspecified_mappers', 'bind_credential_update_mode'] |                    module.params.get(x) is not None] | ||||||
|                    and module.params.get(x) is not None] |  | ||||||
| 
 | 
 | ||||||
|     # See if it already exists in Keycloak |     # See if it already exists in Keycloak | ||||||
|     if cid is None: |     if cid is None: | ||||||
|  | @ -917,9 +855,7 @@ def main(): | ||||||
| 
 | 
 | ||||||
|     # if user federation exists, get associated mappers |     # if user federation exists, get associated mappers | ||||||
|     if cid is not None and before_comp: |     if cid is not None and before_comp: | ||||||
|         before_comp['mappers'] = sorted(kc.get_components(urlencode(dict(parent=cid)), realm), key=lambda x: x.get('name') or '') |         before_comp['mappers'] = sorted(kc.get_components(urlencode(dict(parent=cid)), realm), key=lambda x: x.get('name')) | ||||||
| 
 |  | ||||||
|     normalize_kc_comp(before_comp) |  | ||||||
| 
 | 
 | ||||||
|     # Build a proposed changeset from parameters given to this module |     # Build a proposed changeset from parameters given to this module | ||||||
|     changeset = {} |     changeset = {} | ||||||
|  | @ -928,7 +864,7 @@ def main(): | ||||||
|         new_param_value = module.params.get(param) |         new_param_value = module.params.get(param) | ||||||
|         old_value = before_comp[camel(param)] if camel(param) in before_comp else None |         old_value = before_comp[camel(param)] if camel(param) in before_comp else None | ||||||
|         if param == 'mappers': |         if param == 'mappers': | ||||||
|             new_param_value = [{k: v for k, v in x.items() if v is not None} for x in new_param_value] |             new_param_value = [dict((k, v) for k, v in x.items() if x[k] is not None) for x in new_param_value] | ||||||
|         if new_param_value != old_value: |         if new_param_value != old_value: | ||||||
|             changeset[camel(param)] = new_param_value |             changeset[camel(param)] = new_param_value | ||||||
| 
 | 
 | ||||||
|  | @ -937,17 +873,17 @@ def main(): | ||||||
|         if module.params['provider_id'] in ['kerberos', 'sssd']: |         if module.params['provider_id'] in ['kerberos', 'sssd']: | ||||||
|             module.fail_json(msg='Cannot configure mappers for {type} provider.'.format(type=module.params['provider_id'])) |             module.fail_json(msg='Cannot configure mappers for {type} provider.'.format(type=module.params['provider_id'])) | ||||||
|         for change in module.params['mappers']: |         for change in module.params['mappers']: | ||||||
|             change = {k: v for k, v in change.items() if v is not None} |             change = dict((k, v) for k, v in change.items() if change[k] is not None) | ||||||
|             if change.get('id') is None and change.get('name') is None: |             if change.get('id') is None and change.get('name') is None: | ||||||
|                 module.fail_json(msg='Either `name` or `id` has to be specified on each mapper.') |                 module.fail_json(msg='Either `name` or `id` has to be specified on each mapper.') | ||||||
|             if cid is None: |             if cid is None: | ||||||
|                 old_mapper = {} |                 old_mapper = {} | ||||||
|             elif change.get('id') is not None: |             elif change.get('id') is not None: | ||||||
|                 old_mapper = next((before_mapper for before_mapper in before_comp.get('mappers', []) if before_mapper["id"] == change['id']), None) |                 old_mapper = kc.get_component(change['id'], realm) | ||||||
|                 if old_mapper is None: |                 if old_mapper is None: | ||||||
|                     old_mapper = {} |                     old_mapper = {} | ||||||
|             else: |             else: | ||||||
|                 found = [before_mapper for before_mapper in before_comp.get('mappers', []) if before_mapper['name'] == change['name']] |                 found = kc.get_components(urlencode(dict(parent=cid, name=change['name'])), realm) | ||||||
|                 if len(found) > 1: |                 if len(found) > 1: | ||||||
|                     module.fail_json(msg='Found multiple mappers with name `{name}`. Cannot continue.'.format(name=change['name'])) |                     module.fail_json(msg='Found multiple mappers with name `{name}`. Cannot continue.'.format(name=change['name'])) | ||||||
|                 if len(found) == 1: |                 if len(found) == 1: | ||||||
|  | @ -956,16 +892,10 @@ def main(): | ||||||
|                     old_mapper = {} |                     old_mapper = {} | ||||||
|             new_mapper = old_mapper.copy() |             new_mapper = old_mapper.copy() | ||||||
|             new_mapper.update(change) |             new_mapper.update(change) | ||||||
|             # changeset contains all desired mappers: those existing, to update or to create |             if new_mapper != old_mapper: | ||||||
|             if changeset.get('mappers') is None: |                 if changeset.get('mappers') is None: | ||||||
|                 changeset['mappers'] = list() |                     changeset['mappers'] = list() | ||||||
|             changeset['mappers'].append(new_mapper) |                 changeset['mappers'].append(new_mapper) | ||||||
|         changeset['mappers'] = sorted(changeset['mappers'], key=lambda x: x.get('name') or '') |  | ||||||
| 
 |  | ||||||
|         # to keep unspecified existing mappers we add them to the desired mappers list, unless they're already present |  | ||||||
|         if not module.params['remove_unspecified_mappers'] and 'mappers' in before_comp: |  | ||||||
|             changeset_mapper_ids = [mapper['id'] for mapper in changeset['mappers'] if 'id' in mapper] |  | ||||||
|             changeset['mappers'].extend([mapper for mapper in before_comp['mappers'] if mapper['id'] not in changeset_mapper_ids]) |  | ||||||
| 
 | 
 | ||||||
|     # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis) |     # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis) | ||||||
|     desired_comp = before_comp.copy() |     desired_comp = before_comp.copy() | ||||||
|  | @ -988,68 +918,50 @@ def main(): | ||||||
|         # Process a creation |         # Process a creation | ||||||
|         result['changed'] = True |         result['changed'] = True | ||||||
| 
 | 
 | ||||||
|  |         if module._diff: | ||||||
|  |             result['diff'] = dict(before='', after=sanitize(desired_comp)) | ||||||
|  | 
 | ||||||
|         if module.check_mode: |         if module.check_mode: | ||||||
|             if module._diff: |  | ||||||
|                 result['diff'] = dict(before='', after=sanitize(desired_comp)) |  | ||||||
|             module.exit_json(**result) |             module.exit_json(**result) | ||||||
| 
 | 
 | ||||||
|         # create it |         # create it | ||||||
|         desired_mappers = desired_comp.pop('mappers', []) |         desired_comp = desired_comp.copy() | ||||||
|  |         updated_mappers = desired_comp.pop('mappers', []) | ||||||
|         after_comp = kc.create_component(desired_comp, realm) |         after_comp = kc.create_component(desired_comp, realm) | ||||||
|         cid = after_comp['id'] |  | ||||||
|         updated_mappers = [] |  | ||||||
|         # when creating a user federation, keycloak automatically creates default mappers |  | ||||||
|         default_mappers = kc.get_components(urlencode(dict(parent=cid)), realm) |  | ||||||
| 
 | 
 | ||||||
|         # create new mappers or update existing default mappers |         cid = after_comp['id'] | ||||||
|         for desired_mapper in desired_mappers: | 
 | ||||||
|             found = [default_mapper for default_mapper in default_mappers if default_mapper['name'] == desired_mapper['name']] |         for mapper in updated_mappers: | ||||||
|  |             found = kc.get_components(urlencode(dict(parent=cid, name=mapper['name'])), realm) | ||||||
|             if len(found) > 1: |             if len(found) > 1: | ||||||
|                 module.fail_json(msg='Found multiple mappers with name `{name}`. Cannot continue.'.format(name=desired_mapper['name'])) |                 module.fail_json(msg='Found multiple mappers with name `{name}`. Cannot continue.'.format(name=mapper['name'])) | ||||||
|             if len(found) == 1: |             if len(found) == 1: | ||||||
|                 old_mapper = found[0] |                 old_mapper = found[0] | ||||||
|             else: |             else: | ||||||
|                 old_mapper = {} |                 old_mapper = {} | ||||||
| 
 | 
 | ||||||
|             new_mapper = old_mapper.copy() |             new_mapper = old_mapper.copy() | ||||||
|             new_mapper.update(desired_mapper) |             new_mapper.update(mapper) | ||||||
| 
 | 
 | ||||||
|             if new_mapper.get('id') is not None: |             if new_mapper.get('id') is not None: | ||||||
|                 kc.update_component(new_mapper, realm) |                 kc.update_component(new_mapper, realm) | ||||||
|                 updated_mappers.append(new_mapper) |  | ||||||
|             else: |             else: | ||||||
|                 if new_mapper.get('parentId') is None: |                 if new_mapper.get('parentId') is None: | ||||||
|                     new_mapper['parentId'] = cid |                     new_mapper['parentId'] = after_comp['id'] | ||||||
|                 updated_mappers.append(kc.create_component(new_mapper, realm)) |                 mapper = kc.create_component(new_mapper, realm) | ||||||
| 
 | 
 | ||||||
|         if module.params['remove_unspecified_mappers']: |         after_comp['mappers'] = updated_mappers | ||||||
|             # we remove all unwanted default mappers |  | ||||||
|             # we use ids so we dont accidently remove one of the previously updated default mapper |  | ||||||
|             for default_mapper in default_mappers: |  | ||||||
|                 if not default_mapper['id'] in [x['id'] for x in updated_mappers]: |  | ||||||
|                     kc.delete_component(default_mapper['id'], realm) |  | ||||||
| 
 |  | ||||||
|         after_comp['mappers'] = kc.get_components(urlencode(dict(parent=cid)), realm) |  | ||||||
|         normalize_kc_comp(after_comp) |  | ||||||
|         if module._diff: |  | ||||||
|             result['diff'] = dict(before='', after=sanitize(after_comp)) |  | ||||||
|         result['end_state'] = sanitize(after_comp) |         result['end_state'] = sanitize(after_comp) | ||||||
|         result['msg'] = "User federation {id} has been created".format(id=cid) | 
 | ||||||
|  |         result['msg'] = "User federation {id} has been created".format(id=after_comp['id']) | ||||||
|         module.exit_json(**result) |         module.exit_json(**result) | ||||||
| 
 | 
 | ||||||
|     else: |     else: | ||||||
|         if state == 'present': |         if state == 'present': | ||||||
|             # Process an update |             # Process an update | ||||||
| 
 | 
 | ||||||
|             desired_copy = deepcopy(desired_comp) |  | ||||||
|             before_copy = deepcopy(before_comp) |  | ||||||
|             # exclude bindCredential when checking wether an update is required, therefore |  | ||||||
|             # updating it only if there are other changes |  | ||||||
|             if module.params['bind_credential_update_mode'] == 'only_indirect': |  | ||||||
|                 desired_copy.get('config', []).pop('bindCredential', None) |  | ||||||
|                 before_copy.get('config', []).pop('bindCredential', None) |  | ||||||
|             # no changes |             # no changes | ||||||
|             if desired_copy == before_copy: |             if desired_comp == before_comp: | ||||||
|                 result['changed'] = False |                 result['changed'] = False | ||||||
|                 result['end_state'] = sanitize(desired_comp) |                 result['end_state'] = sanitize(desired_comp) | ||||||
|                 result['msg'] = "No changes required to user federation {id}.".format(id=cid) |                 result['msg'] = "No changes required to user federation {id}.".format(id=cid) | ||||||
|  | @ -1065,33 +977,22 @@ def main(): | ||||||
|                 module.exit_json(**result) |                 module.exit_json(**result) | ||||||
| 
 | 
 | ||||||
|             # do the update |             # do the update | ||||||
|             desired_mappers = desired_comp.pop('mappers', []) |             desired_comp = desired_comp.copy() | ||||||
|  |             updated_mappers = desired_comp.pop('mappers', []) | ||||||
|             kc.update_component(desired_comp, realm) |             kc.update_component(desired_comp, realm) | ||||||
|  |             after_comp = kc.get_component(cid, realm) | ||||||
| 
 | 
 | ||||||
|             for before_mapper in before_comp.get('mappers', []): |             for mapper in updated_mappers: | ||||||
|                 # remove unwanted existing mappers that will not be updated |  | ||||||
|                 if not before_mapper['id'] in [x['id'] for x in desired_mappers if 'id' in x]: |  | ||||||
|                     kc.delete_component(before_mapper['id'], realm) |  | ||||||
| 
 |  | ||||||
|             for mapper in desired_mappers: |  | ||||||
|                 if mapper in before_comp.get('mappers', []): |  | ||||||
|                     continue |  | ||||||
|                 if mapper.get('id') is not None: |                 if mapper.get('id') is not None: | ||||||
|                     kc.update_component(mapper, realm) |                     kc.update_component(mapper, realm) | ||||||
|                 else: |                 else: | ||||||
|                     if mapper.get('parentId') is None: |                     if mapper.get('parentId') is None: | ||||||
|                         mapper['parentId'] = desired_comp['id'] |                         mapper['parentId'] = desired_comp['id'] | ||||||
|                     kc.create_component(mapper, realm) |                     mapper = kc.create_component(mapper, realm) | ||||||
|  | 
 | ||||||
|  |             after_comp['mappers'] = updated_mappers | ||||||
|  |             result['end_state'] = sanitize(after_comp) | ||||||
| 
 | 
 | ||||||
|             after_comp = kc.get_component(cid, realm) |  | ||||||
|             after_comp['mappers'] = sorted(kc.get_components(urlencode(dict(parent=cid)), realm), key=lambda x: x.get('name') or '') |  | ||||||
|             normalize_kc_comp(after_comp) |  | ||||||
|             after_comp_sanitized = sanitize(after_comp) |  | ||||||
|             before_comp_sanitized = sanitize(before_comp) |  | ||||||
|             result['end_state'] = after_comp_sanitized |  | ||||||
|             if module._diff: |  | ||||||
|                 result['diff'] = dict(before=before_comp_sanitized, after=after_comp_sanitized) |  | ||||||
|             result['changed'] = before_comp_sanitized != after_comp_sanitized |  | ||||||
|             result['msg'] = "User federation {id} has been updated".format(id=cid) |             result['msg'] = "User federation {id} has been updated".format(id=cid) | ||||||
|             module.exit_json(**result) |             module.exit_json(**result) | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -118,7 +118,3 @@ keycloak_no_log: true | ||||||
| 
 | 
 | ||||||
| ### logging configuration | ### logging configuration | ||||||
| keycloak_log_target: /var/log/keycloak | keycloak_log_target: /var/log/keycloak | ||||||
| 
 |  | ||||||
| # locations |  | ||||||
| keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}" |  | ||||||
| keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}" |  | ||||||
|  |  | ||||||
|  | @ -12,7 +12,7 @@ galaxy_info: | ||||||
| 
 | 
 | ||||||
|   license: Apache License 2.0 |   license: Apache License 2.0 | ||||||
| 
 | 
 | ||||||
|   min_ansible_version: "2.16" |   min_ansible_version: "2.15" | ||||||
| 
 | 
 | ||||||
|   platforms: |   platforms: | ||||||
|     - name: EL |     - name: EL | ||||||
|  |  | ||||||
|  | @ -1,10 +1,6 @@ | ||||||
| --- | --- | ||||||
| - name: Include firewall config tasks | - name: Include firewall config tasks | ||||||
|   ansible.builtin.include_tasks: |   ansible.builtin.include_tasks: iptables.yml | ||||||
|     file: iptables.yml |  | ||||||
|     apply: |  | ||||||
|       tags: |  | ||||||
|         - firewall |  | ||||||
|   when: keycloak_configure_iptables |   when: keycloak_configure_iptables | ||||||
|   tags: |   tags: | ||||||
|     - firewall |     - firewall | ||||||
|  |  | ||||||
|  | @ -1,38 +1,22 @@ | ||||||
| --- | --- | ||||||
| # tasks file for keycloak | # tasks file for keycloak | ||||||
| - name: Check prerequisites | - name: Check prerequisites | ||||||
|   ansible.builtin.include_tasks: |   ansible.builtin.include_tasks: prereqs.yml | ||||||
|     file: prereqs.yml |  | ||||||
|     apply: |  | ||||||
|       tags: |  | ||||||
|         - prereqs |  | ||||||
|   tags: |   tags: | ||||||
|     - prereqs |     - prereqs | ||||||
| 
 | 
 | ||||||
| - name: Distro specific tasks | - name: Distro specific tasks | ||||||
|   ansible.builtin.include_tasks: |   ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml" | ||||||
|     file: "{{ ansible_os_family | lower }}.yml" |  | ||||||
|     apply: |  | ||||||
|       tags: |  | ||||||
|         - unbound |  | ||||||
|   tags: |   tags: | ||||||
|     - unbound |     - unbound | ||||||
| 
 | 
 | ||||||
| - name: Include install tasks | - name: Include install tasks | ||||||
|   ansible.builtin.include_tasks: |   ansible.builtin.include_tasks: install.yml | ||||||
|     file: install.yml |  | ||||||
|     apply: |  | ||||||
|       tags: |  | ||||||
|         - install |  | ||||||
|   tags: |   tags: | ||||||
|     - install |     - install | ||||||
| 
 | 
 | ||||||
| - name: Include systemd tasks | - name: Include systemd tasks | ||||||
|   ansible.builtin.include_tasks: |   ansible.builtin.include_tasks: systemd.yml | ||||||
|     file: systemd.yml |  | ||||||
|     apply: |  | ||||||
|       tags: |  | ||||||
|         - systemd |  | ||||||
|   tags: |   tags: | ||||||
|     - systemd |     - systemd | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -1,10 +1,6 @@ | ||||||
| --- | --- | ||||||
| - name: Include firewall config tasks | - name: Include firewall config tasks | ||||||
|   ansible.builtin.include_tasks: |   ansible.builtin.include_tasks: firewalld.yml | ||||||
|     file: firewalld.yml |  | ||||||
|     apply: |  | ||||||
|       tags: |  | ||||||
|         - firewall |  | ||||||
|   when: keycloak_configure_firewalld |   when: keycloak_configure_firewalld | ||||||
|   tags: |   tags: | ||||||
|     - firewall |     - firewall | ||||||
|  |  | ||||||
|  | @ -2,12 +2,12 @@ | ||||||
| - name: Ensure required params for CLI have been provided | - name: Ensure required params for CLI have been provided | ||||||
|   ansible.builtin.assert: |   ansible.builtin.assert: | ||||||
|     that: |     that: | ||||||
|       - cli_query is defined |       - query is defined | ||||||
|     fail_msg: "Missing required parameters to execute CLI." |     fail_msg: "Missing required parameters to execute CLI." | ||||||
|     quiet: true |     quiet: true | ||||||
| 
 | 
 | ||||||
| - name: "Execute CLI query: {{ cli_query }}" | - name: "Execute CLI query: {{ query }}" | ||||||
|   ansible.builtin.command: > |   ansible.builtin.command: > | ||||||
|     {{ keycloak.cli_path }} --connect --command='{{ cli_query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }} |     {{ keycloak.cli_path }} --connect --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }} | ||||||
|   changed_when: false |   changed_when: false | ||||||
|   register: cli_result |   register: cli_result | ||||||
|  |  | ||||||
|  | @ -106,7 +106,7 @@ | ||||||
| - name: "Check installed patches" | - name: "Check installed patches" | ||||||
|   ansible.builtin.include_tasks: rhsso_cli.yml |   ansible.builtin.include_tasks: rhsso_cli.yml | ||||||
|   vars: |   vars: | ||||||
|     cli_query: "patch info" |     query: "patch info" | ||||||
|   args: |   args: | ||||||
|     apply: |     apply: | ||||||
|       become: true |       become: true | ||||||
|  | @ -121,7 +121,7 @@ | ||||||
|     - name: "Apply patch {{ patch_version }} to server" |     - name: "Apply patch {{ patch_version }} to server" | ||||||
|       ansible.builtin.include_tasks: rhsso_cli.yml |       ansible.builtin.include_tasks: rhsso_cli.yml | ||||||
|       vars: |       vars: | ||||||
|         cli_query: "patch apply {{ patch_archive }}" |         query: "patch apply {{ patch_archive }}" | ||||||
|       args: |       args: | ||||||
|         apply: |         apply: | ||||||
|           become: true |           become: true | ||||||
|  | @ -130,7 +130,7 @@ | ||||||
|     - name: "Restart server to ensure patch content is running" |     - name: "Restart server to ensure patch content is running" | ||||||
|       ansible.builtin.include_tasks: rhsso_cli.yml |       ansible.builtin.include_tasks: rhsso_cli.yml | ||||||
|       vars: |       vars: | ||||||
|         cli_query: "shutdown --restart" |         query: "shutdown --restart" | ||||||
|       when: |       when: | ||||||
|         - cli_result.rc == 0 |         - cli_result.rc == 0 | ||||||
|       args: |       args: | ||||||
|  | @ -149,7 +149,7 @@ | ||||||
|     - name: "Query installed patch after restart" |     - name: "Query installed patch after restart" | ||||||
|       ansible.builtin.include_tasks: rhsso_cli.yml |       ansible.builtin.include_tasks: rhsso_cli.yml | ||||||
|       vars: |       vars: | ||||||
|         cli_query: "patch info" |         query: "patch info" | ||||||
|       args: |       args: | ||||||
|         apply: |         apply: | ||||||
|           become: true |           become: true | ||||||
|  |  | ||||||
|  | @ -1,6 +1,9 @@ | ||||||
| --- | --- | ||||||
| # internal variables below | # internal variables below | ||||||
| 
 | 
 | ||||||
|  | # locations | ||||||
|  | keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}" | ||||||
|  | keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}" | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| keycloak: | keycloak: | ||||||
|  |  | ||||||
|  | @ -33,7 +33,7 @@ Role Defaults | ||||||
| 
 | 
 | ||||||
| | Variable | Description | Default | | | Variable | Description | Default | | ||||||
| |:---------|:------------|:--------| | |:---------|:------------|:--------| | ||||||
| |`keycloak_quarkus_version`| keycloak.org package version | `26.3.0` | | |`keycloak_quarkus_version`| keycloak.org package version | `24.0.4` | | ||||||
| |`keycloak_quarkus_offline_install` | Perform an offline install | `False`| | |`keycloak_quarkus_offline_install` | Perform an offline install | `False`| | ||||||
| |`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` | | |`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` | | ||||||
| |`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` | | |`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` | | ||||||
|  | @ -44,79 +44,30 @@ Role Defaults | ||||||
| 
 | 
 | ||||||
| | Variable | Description | Default | | | Variable | Description | Default | | ||||||
| |:---------|:------------|:--------| | |:---------|:------------|:--------| | ||||||
| |`keycloak_quarkus_bootstrap_admin_user`| Administration console user account | `admin` | | |`keycloak_quarkus_admin_user`| Administration console user account | `admin` | | ||||||
| |`keycloak_quarkus_admin_user`| Deprecated, use `keycloak_quarkus_bootstrap_admin_user` instead. | | | |`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` | | ||||||
| |`keycloak_quarkus_bind_address`| Deprecated, use `keycloak_quarkus_http_host` instead |  `0.0.0.0` | | |`keycloak_quarkus_host`| Hostname for the Keycloak server | `localhost` | | ||||||
| |`keycloak_quarkus_host`| Deprecated, use `keycloak_quarkus_hostname` instead. | | | |`keycloak_quarkus_port`| The port used by the proxy when exposing the hostname | `-1` | | ||||||
| |`keycloak_quarkus_port`| Deprecated, use `keycloak_quarkus_hostname` instead. | | | |`keycloak_quarkus_path`| This should be set if proxy uses a different context-path for Keycloak | | | ||||||
| |`keycloak_quarkus_path`| Deprecated, use `keycloak_quarkus_hostname` instead. | | | |`keycloak_quarkus_http_port`| HTTP listening port | `8080` | | ||||||
|  | |`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` | | ||||||
|  | |`keycloak_quarkus_ajp_port`| AJP port | `8009` | | ||||||
| |`keycloak_quarkus_service_user`| Posix account username | `keycloak` | | |`keycloak_quarkus_service_user`| Posix account username | `keycloak` | | ||||||
| |`keycloak_quarkus_service_group`| Posix account group | `keycloak` | | |`keycloak_quarkus_service_group`| Posix account group | `keycloak` | | ||||||
| |`keycloak_quarkus_service_restart_always`| systemd restart always behavior activation | `False` | | |`keycloak_quarkus_service_restart_always`| systemd restart always behavior activation | `False` | | ||||||
| |`keycloak_quarkus_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` | | |`keycloak_quarkus_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` | | ||||||
| |`keycloak_quarkus_service_restartsec`| systemd RestartSec | `10s` | | |`keycloak_quarkus_service_restartsec`| systemd RestartSec | `10s` | | ||||||
| |`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-21-openjdk-headless` | | |`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-17-openjdk-headless` | | ||||||
| |`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` | | |`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` | | ||||||
| |`keycloak_quarkus_java_heap_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` | | |`keycloak_quarkus_java_heap_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` | | ||||||
| |`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak | | |`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak | | ||||||
| |`keycloak_quarkus_java_opts`| JVM arguments; if overridden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` | | |`keycloak_quarkus_java_opts`| JVM arguments; if overridden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` | | ||||||
| |`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file | `[]` | | |`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file | `[]` | | ||||||
| |`keycloak_quarkus_frontend_url`| Deprecated, use `keycloak_quarkus_hostname` instead. | | | |`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | | | ||||||
| |`keycloak_quarkus_admin_url`| Deprecated, use `keycloak_quarkus_hostname_admin` instead. | | | |`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | | | ||||||
| |`keycloak_quarkus_health_check_url`| Full URL (including scheme, host, path, fragment etc.) used for health check endpoint; keycloak_quarkus_hostname will NOT be prepended; helpful when health checks should happen against http port, but keycloak_quarkus_hostname uses https scheme per default | `` | | |`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` | | ||||||
| |`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; keycloak_quarkus_hostname will be prepended automatically; Note that keycloak_quarkus_health_check_url takes precedence over this property | `realms/master/.well-known/openid-configuration` | | |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` | | ||||||
| |`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwarded`) | `""` | | |`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically | `realms/master/.well-known/openid-configuration` | | ||||||
| |`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_config_key_store_password` is not empty  | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_config_key_store_password != ''`, else `''` | |  | ||||||
| |`keycloak_quarkus_config_key_store_password`| Password of the configuration keystore; if non-empty, `keycloak_quarkus_db_pass` will be saved to the keystore at `keycloak_quarkus_config_key_store_file` instead of being written to the configuration file in clear text | `""` | |  | ||||||
| |`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` | |  | ||||||
| |`keycloak_quarkus_configure_iptables` | Ensure iptables is configured for keycloak ports | `False` | |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #### High-availability |  | ||||||
| 
 |  | ||||||
| | Variable | Description | Default | |  | ||||||
| |:---------|:------------|:--------| |  | ||||||
| |`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` | |  | ||||||
| |`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `JDBCPING` | |  | ||||||
| |`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` | |  | ||||||
| |`keycloak_quarkus_jgroups_ip`| Host jgroups IP.  If changing this variable you must make sure it is always set for all hosts in your cluster. | `{{ ansible_default_ipv4.address }}` | |  | ||||||
| |`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` | |  | ||||||
| |`keycloak_quarkus_systemd_wait_for_port` | Whether systemd unit should wait for keycloak port before returning | `{{ keycloak_quarkus_ha_enabled }}` | |  | ||||||
| |`keycloak_quarkus_systemd_wait_for_port_number`| Which port the systemd unit should wait for | `{{ keycloak_quarkus_https_port }}` | |  | ||||||
| |`keycloak_quarkus_systemd_wait_for_log` | Whether systemd unit should wait for service to be up in logs | `false` | |  | ||||||
| |`keycloak_quarkus_systemd_wait_for_timeout`| How long to wait for service to be alive (seconds) | `60` | |  | ||||||
| |`keycloak_quarkus_systemd_wait_for_delay`| Activation delay for service systemd unit (seconds) | `10` | |  | ||||||
| |`keycloak_quarkus_restart_strategy`| Strategy task file for restarting in HA (one of provided restart/['serial.yml','none.yml','serial_then_parallel.yml']) or path to file when providing custom strategy | `restart/serial.yml` | |  | ||||||
| |`keycloak_quarkus_restart_health_check`| Whether to wait for successful health check after restart | `true` | |  | ||||||
| |`keycloak_quarkus_restart_health_check_delay`| Seconds to let pass before starting healch checks | `10` | |  | ||||||
| |`keycloak_quarkus_restart_health_check_retries`| Number of attempts for successful health check before failing | `25` | |  | ||||||
| |`keycloak_quarkus_restart_pause`| Seconds to wait between restarts in HA strategy | `15` | |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #### Hostname configuration |  | ||||||
| 
 |  | ||||||
| | Variable | Description | Default | |  | ||||||
| |:---------|:------------|:--------| |  | ||||||
| |`keycloak_quarkus_hostname`| Address at which is the server exposed. Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request. | | |  | ||||||
| |`keycloak_quarkus_hostname_admin`| Set the base URL for accessing the administration console, including scheme, host, port and path | `` | |  | ||||||
| |`keycloak_quarkus_hostname_strict`| Disables dynamically resolving the hostname from request headers | `true` | |  | ||||||
| |`keycloak_quarkus_hostname_backchannel_dynamic`| Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL. | `false` | |  | ||||||
| |`keycloak_quarkus_hostname_strict_backchannel`| Deprecated, use (the inverted!)`keycloak_quarkus_hostname_backchannel_dynamic` instead. |  | |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #### HTTP(S) configuration |  | ||||||
| | Variable | Description | Default | |  | ||||||
| |:---------|:------------|:--------| |  | ||||||
| |`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` | |  | ||||||
| |`keycloak_quarkus_http_host`| The http host, ie. the address used to bind the service |  `0.0.0.0` | |  | ||||||
| |`keycloak_quarkus_http_port`| HTTP listening port | `8080` | |  | ||||||
| |`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` | |  | ||||||
| |`keycloak_quarkus_http_management_port`| Port of the management interface. Relevant only when something is exposed on the management interface - see the guide for details. | `9000` | |  | ||||||
| |`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` | |  | ||||||
| |`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` | |  | ||||||
| |`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` | |  | ||||||
| |`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` | |  | ||||||
| |`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` | |  | ||||||
| |`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` | | |`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` | | ||||||
| |`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` | | |`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` | | ||||||
| |`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` | | |`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` | | ||||||
|  | @ -127,39 +78,85 @@ Role Defaults | ||||||
| |`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` | | |`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` | | ||||||
| |`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. || | |`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. || | ||||||
| |`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.|| | |`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.|| | ||||||
| |`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` | | |`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` | | ||||||
| |`keycloak_quarkus_http_management_relative_path` | Set the path relative to / for serving resources from management interface. The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details. | `/` | | |`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` | | ||||||
| |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` | | |`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` | | ||||||
|  | |`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` | | ||||||
|  | |`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` | | ||||||
|  | |`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwarded`) | `""` | | ||||||
|  | |`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty  | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_keystore_password != ''`, else `''` | | ||||||
|  | |`keycloak_quarkus_config_key_store_password`| Password of the configuration keystore; if non-empty, `keycloak_quarkus_db_pass` will be saved to the keystore at `keycloak_quarkus_config_key_store_file` instead of being written to the configuration file in clear text | `""` | | ||||||
|  | |`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` | | ||||||
|  | |`keycloak_quarkus_configure_iptables` | Ensure iptables is configured for keycloak ports | `False` | | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #### High-availability | ||||||
|  | 
 | ||||||
|  | | Variable | Description | Default | | ||||||
|  | |:---------|:------------|:--------| | ||||||
|  | |`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` | | ||||||
|  | |`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `TCPPING` | | ||||||
|  | |`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` | | ||||||
|  | |`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` | | ||||||
|  | |`keycloak_quarkus_systemd_wait_for_port` | Whether systemd unit should wait for keycloak port before returning | `{{ keycloak_quarkus_ha_enabled }}` | | ||||||
|  | |`keycloak_quarkus_systemd_wait_for_port_number`| Which port the systemd unit should wait for | `{{ keycloak_quarkus_https_port }}` | | ||||||
|  | |`keycloak_quarkus_systemd_wait_for_log` | Whether systemd unit should wait for service to be up in logs | `false` | | ||||||
|  | |`keycloak_quarkus_systemd_wait_for_timeout`| How long to wait for service to be alive (seconds) | `60` | | ||||||
|  | |`keycloak_quarkus_systemd_wait_for_delay`| Activation delay for service systemd unit (seconds) | `10` | | ||||||
|  | |`keycloak_quarkus_restart_strategy`| Strategy task file for restarting in HA (one of provided restart/['serial.yml','none.yml','serial_then_parallel.yml']) or path to file when providing custom strategy | `restart/serial.yml` | | ||||||
|  | |`keycloak_quarkus_restart_health_check`| Whether to wait for successful health check after restart | `true` | | ||||||
|  | |`keycloak_quarkus_restart_health_check_delay`| Seconds to let pass before starting healch checks | `10` | | ||||||
|  | |`keycloak_quarkus_restart_health_check_reries`| Number of attempts for successful health check before failing | `25` | | ||||||
|  | |`keycloak_quarkus_restart_pause`| Seconds to wait between restarts in HA strategy | `15` | | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | #### Hostname configuration | ||||||
|  | 
 | ||||||
|  | | Variable | Description | Default | | ||||||
|  | |:---------|:------------|:--------| | ||||||
|  | |`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` | | ||||||
|  | |`keycloak_quarkus_hostname_strict`| Disables dynamically resolving the hostname from request headers | `true` | | ||||||
|  | |`keycloak_quarkus_hostname_strict_backchannel`| By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled. | `false` | | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| #### Database configuration | #### Database configuration | ||||||
| 
 | 
 | ||||||
| | Variable | Description | Default | | | Variable | Description | Default | | ||||||
| |:---------|:------------|:--------| | |:---------|:------------|:--------| | ||||||
| |`keycloak_quarkus_db_engine` | Database engine [mariadb,postres,mssql] | `postgres` | | |`keycloak_quarkus_jdbc_engine` | Database engine [mariadb,postres,mssql] | `postgres` | | ||||||
| |`keycloak_quarkus_db_user` | User for database connection | `keycloak-user` | | |`keycloak_quarkus_db_user` | User for database connection | `keycloak-user` | | ||||||
| |`keycloak_quarkus_db_pass` | Password for database connection | `keycloak-pass` | | |`keycloak_quarkus_db_pass` | Password for database connection | `keycloak-pass` | | ||||||
| |`keycloak_quarkus_db_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` | | |`keycloak_quarkus_jdbc_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` | | ||||||
| |`keycloak_quarkus_db_driver_version` | Version for JDBC engine driver | `9.4.1212` | | |`keycloak_quarkus_jdbc_driver_version` | Version for JDBC driver | `9.4.1212` | | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| #### Cache configuration | #### Remote caches configuration | ||||||
| 
 | 
 | ||||||
| | Variable | Description | Default | | | Variable | Description | Default | | ||||||
| |:---------|:------------|:--------| | |:---------|:------------|:--------| | ||||||
| |`keycloak_quarkus_cache_remote` | Whether to connect to remote cache infinispan server | `false` | | |`keycloak_quarkus_ispn_user` | Username for connecting to infinispan | `supervisor` | | ||||||
| |`keycloak_quarkus_cache_remote_username` | Username for connecting to infinispan | `supervisor` | | |`keycloak_quarkus_ispn_pass` | Password for connecting to infinispan | `supervisor` | | ||||||
| |`keycloak_quarkus_cache_remote_password` | Password for connecting to infinispan | `supervisor` | | |`keycloak_quarkus_ispn_hosts` | host name/port for connecting to infinispan, eg. host1:11222;host2:11222 | `localhost:11222` | | ||||||
| |`keycloak_quarkus_cache_remote_host` | Hostname for connecting to infinispan | `localhost` | | |`keycloak_quarkus_ispn_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` | | ||||||
| |`keycloak_quarkus_cache_remote_port`| Port for connecting to infinispan | `11222` | | |`keycloak_quarkus_ispn_use_ssl` | Whether infinispan uses TLS connection | `false` | | ||||||
| |`keycloak_quarkus_cache_remote_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` | | |`keycloak_quarkus_ispn_trust_store_path` | Path to infinispan server trust certificate | `/etc/pki/java/cacerts` | | ||||||
| |`keycloak_quarkus_cache_remote_tls_enabled` | Whether infinispan uses TLS connection | `false` | | |`keycloak_quarkus_ispn_trust_store_password` | Password for infinispan certificate keystore | `changeit` | | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| #### Logging configuration | #### Miscellaneous configuration | ||||||
| 
 | 
 | ||||||
| | Variable | Description | Default | | | Variable | Description | Default | | ||||||
| |:---------|:------------|:--------| | |:---------|:------------|:--------| | ||||||
|  | |`keycloak_quarkus_metrics_enabled`| Whether to enable metrics | `False` | | ||||||
|  | |`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints | `True` | | ||||||
|  | |`keycloak_quarkus_archive` | keycloak install archive filename | `keycloak-{{ keycloak_quarkus_version }}.zip` | | ||||||
|  | |`keycloak_quarkus_installdir` | Installation path | `{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}` | | ||||||
|  | |`keycloak_quarkus_home` | Installation work directory | `{{ keycloak_quarkus_installdir }}` | | ||||||
|  | |`keycloak_quarkus_config_dir` | Path for configuration | `{{ keycloak_quarkus_home }}/conf` | | ||||||
|  | |`keycloak_quarkus_master_realm` | Name for rest authentication realm | `master` | | ||||||
|  | |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` | | ||||||
|  | |`keycloak_force_install` | Remove pre-existing versions of service | `False` | | ||||||
|  | |`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_http_port }}` | | ||||||
| |`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` | | |`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` | | ||||||
| |`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` | | |`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` | | ||||||
| |`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` | | |`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` | | ||||||
|  | @ -168,21 +165,6 @@ Role Defaults | ||||||
| |`keycloak_quarkus_log_max_file_size`| Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): `[0-9]+[KkMmGgTtPpEeZzYy]?`. If no suffix is given, assume bytes. | `10M` | | |`keycloak_quarkus_log_max_file_size`| Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): `[0-9]+[KkMmGgTtPpEeZzYy]?`. If no suffix is given, assume bytes. | `10M` | | ||||||
| |`keycloak_quarkus_log_max_backup_index`| Set the maximum number of archived log files to keep" | `10` | | |`keycloak_quarkus_log_max_backup_index`| Set the maximum number of archived log files to keep" | `10` | | ||||||
| |`keycloak_quarkus_log_file_suffix`| Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with `.zip` or `.gz`, the rotation file will also be compressed. | `.yyyy-MM-dd.zip` | | |`keycloak_quarkus_log_file_suffix`| Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with `.zip` or `.gz`, the rotation file will also be compressed. | `.yyyy-MM-dd.zip` | | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| #### Miscellaneous configuration |  | ||||||
| 
 |  | ||||||
| | Variable | Description | Default | |  | ||||||
| |:---------|:------------|:--------| |  | ||||||
| |`keycloak_quarkus_metrics_enabled`| Whether to enable metrics | `False` | |  | ||||||
| |`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints on the management interface | `True` | |  | ||||||
| |`keycloak_quarkus_archive` | keycloak install archive filename | `keycloak-{{ keycloak_quarkus_version }}.zip` | |  | ||||||
| |`keycloak_quarkus_installdir` | Installation path | `{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}` | |  | ||||||
| |`keycloak_quarkus_home` | Installation work directory | `{{ keycloak_quarkus_installdir }}` | |  | ||||||
| |`keycloak_quarkus_config_dir` | Path for configuration | `{{ keycloak_quarkus_home }}/conf` | |  | ||||||
| |`keycloak_quarkus_master_realm` | Name for rest authentication realm | `master` | |  | ||||||
| |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` | |  | ||||||
| |`keycloak_quarkus_force_install` | Remove pre-existing versions of service | `False` | |  | ||||||
| |`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` | | |`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` | | ||||||
| |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` | | |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` | | ||||||
| |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` | | |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` | | ||||||
|  | @ -190,7 +172,7 @@ Role Defaults | ||||||
| |`keycloak_quarkus_show_deprecation_warnings`| Whether deprecation warnings should be shown | `True` | | |`keycloak_quarkus_show_deprecation_warnings`| Whether deprecation warnings should be shown | `True` | | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| #### Vault configuration | #### Vault SPI | ||||||
| 
 | 
 | ||||||
| | Variable | Description | Default | | | Variable | Description | Default | | ||||||
| |:---------|:------------|:--------| | |:---------|:------------|:--------| | ||||||
|  | @ -218,24 +200,19 @@ keycloak_quarkus_providers: | ||||||
|   - id: http-client                         # required; "{{ id }}.jar" identifies the file name on RHBK |   - id: http-client                         # required; "{{ id }}.jar" identifies the file name on RHBK | ||||||
|     spi: connections                        # required if neither url, local_path nor maven are specified; required for setting properties |     spi: connections                        # required if neither url, local_path nor maven are specified; required for setting properties | ||||||
|     default: true                           # optional, whether to set default for spi, default false |     default: true                           # optional, whether to set default for spi, default false | ||||||
|     restart: true                           # optional, whether to rebuild config and restart the service after deploying, default true |     restart: true                           # optional, whether to restart, default true | ||||||
|     url: https://.../.../custom_spi.jar     # optional, url for download via http |     url: https://.../.../custom_spi.jar     # optional, url for download via http | ||||||
|     local_path: my_theme_spi.jar            # optional, path on local controller for SPI to be uploaded |     local_path: my_theme_spi.jar            # optional, path on local controller for SPI to be uploaded | ||||||
|     remote: true                            # optional, whether to copy from localhost or remotely, see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-remote_src, default false |  | ||||||
|     maven:                                  # optional, for download using maven |     maven:                                  # optional, for download using maven | ||||||
|       repository_url: https://maven.pkg.github.com/OWNER/REPOSITORY # optional, maven repo url |       repository_url: https://maven.pkg.github.com/OWNER/REPOSITORY # optional, maven repo url | ||||||
|       group_id:  my.group                   # optional, maven group id |       group_id:  my.group                   # optional, maven group id | ||||||
|       artifact_id: artifact                 # optional, maven artifact id |       artifact_id: artifact                 # optional, maven artifact id | ||||||
|       version: 24.0.5                       # optional, defaults to latest |       version: 24.0.4                       # optional, defaults to latest | ||||||
|       username:  user                       # optional, cf. https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry#authenticating-to-github-packages |       username:  user                       # optional, cf. https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry#authenticating-to-github-packages | ||||||
|       password: pat                         # optional, provide a PAT for accessing Github's Apache Maven registry |       password: pat                         # optional, provide a PAT for accessing Github's Apache Maven registry | ||||||
|     properties:                             # optional, list of key-values |     properties:                             # optional, list of key-values | ||||||
|       - key: default-connection-pool-size |       - key: default-connection-pool-size | ||||||
|         value: 10 |         value: 10 | ||||||
|     checksum: sha256:D98291AC[...]B6DC7B97  # optional, checksum used to verify integrity: |  | ||||||
|                                             #  for `url` SPIs, use format: <algorithm>:<checksum|url>, cf. <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html#parameter-checksum>; |  | ||||||
|                                             #  for `local_path` SPIs, use SHA1 format <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-checksum> |  | ||||||
|                                             #  for `maven` SPIs, this field is ignored since maven has integrity verification methods enabled by default |  | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| the definition above will generate the following build command: | the definition above will generate the following build command: | ||||||
|  | @ -255,9 +232,9 @@ Provider definition: | ||||||
| 
 | 
 | ||||||
| ```yaml | ```yaml | ||||||
| keycloak_quarkus_policies: | keycloak_quarkus_policies: | ||||||
|   - name: john-the-ripper.txt                                                                          # required, resulting file name |   - name: xato-net-10-million-passwords.txt                                                                # required, resulting file name | ||||||
|     url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt  # required, url for download |     url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt # required, url for download | ||||||
|     type: password-blacklists                                                                          # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`] |     type: password-blacklists                                                                              # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`] | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | @ -266,8 +243,9 @@ Role Variables | ||||||
| 
 | 
 | ||||||
| | Variable | Description | Required | | | Variable | Description | Required | | ||||||
| |:---------|:------------|----------| | |:---------|:------------|----------| | ||||||
| |`keycloak_quarkus_bootstrap_admin_password`| Password of console admin account | `yes` | | |`keycloak_quarkus_admin_pass`| Password of console admin account | `yes` | | ||||||
| |`keycloak_quarkus_admin_pass`| Deprecated, use `keycloak_quarkus_bootstrap_admin_password` instead. | | | |`keycloak_quarkus_frontend_url`| Base URL for frontend URLs, including scheme, host, port and path | `no` | | ||||||
|  | |`keycloak_quarkus_admin_url`| Base URL for accessing the administration console, including scheme, host, port and path | `no` | | ||||||
| |`keycloak_quarkus_ks_vault_pass`| The password for accessing the keystore vault SPI | `no` | | |`keycloak_quarkus_ks_vault_pass`| The password for accessing the keystore vault SPI | `no` | | ||||||
| |`keycloak_quarkus_alternate_download_url`| Alternate location with optional authentication for downloading RHBK | `no` | | |`keycloak_quarkus_alternate_download_url`| Alternate location with optional authentication for downloading RHBK | `no` | | ||||||
| |`keycloak_quarkus_download_user`| Optional username for http authentication  | `no*` | | |`keycloak_quarkus_download_user`| Optional username for http authentication  | `no*` | | ||||||
|  | @ -287,7 +265,7 @@ The role uses the following [custom facts](https://docs.ansible.com/ansible/late | ||||||
| 
 | 
 | ||||||
| | Variable | Description | | | Variable | Description | | ||||||
| |:---------|:------------| | |:---------|:------------| | ||||||
| |`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_bootstrap_admin_user[_password]` gets created | | |`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_admin_user[_pass]` gets created | | ||||||
| 
 | 
 | ||||||
| License | License | ||||||
| ------- | ------- | ||||||
|  |  | ||||||
|  | @ -1,6 +1,6 @@ | ||||||
| --- | --- | ||||||
| ### Configuration specific to keycloak | ### Configuration specific to keycloak | ||||||
| keycloak_quarkus_version: 26.3.0 | keycloak_quarkus_version: 24.0.4 | ||||||
| keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip" | keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip" | ||||||
| keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}" | keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}" | ||||||
| keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}" | keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}" | ||||||
|  | @ -27,32 +27,26 @@ keycloak_quarkus_configure_firewalld: false | ||||||
| keycloak_quarkus_configure_iptables: false | keycloak_quarkus_configure_iptables: false | ||||||
| 
 | 
 | ||||||
| ### administrator console password | ### administrator console password | ||||||
| keycloak_quarkus_bootstrap_admin_user: admin | keycloak_quarkus_admin_user: admin | ||||||
| keycloak_quarkus_bootstrap_admin_password: | keycloak_quarkus_admin_pass: | ||||||
| keycloak_quarkus_master_realm: master | keycloak_quarkus_master_realm: master | ||||||
| 
 | 
 | ||||||
| ### Configuration settings | ### Configuration settings | ||||||
| keycloak_quarkus_bind_address: 0.0.0.0 # deprecated use keycloak_quarkus_http_host | keycloak_quarkus_bind_address: 0.0.0.0 | ||||||
| keycloak_quarkus_http_host: 0.0.0.0 | keycloak_quarkus_host: localhost | ||||||
|  | keycloak_quarkus_port: -1 | ||||||
|  | keycloak_quarkus_path: | ||||||
| keycloak_quarkus_http_enabled: true | keycloak_quarkus_http_enabled: true | ||||||
| keycloak_quarkus_http_port: 8080 | keycloak_quarkus_http_port: 8080 | ||||||
| keycloak_quarkus_https_port: 8443 | keycloak_quarkus_https_port: 8443 | ||||||
| keycloak_quarkus_http_management_port: 9000 | keycloak_quarkus_ajp_port: 8009 | ||||||
| keycloak_quarkus_jgroups_port: 7800 | keycloak_quarkus_jgroups_port: 7800 | ||||||
| keycloak_quarkus_jgroups_bind_address: "{{ ansible_default_ipv4.address }}" |  | ||||||
| keycloak_quarkus_jgroups_external_addr: "{{ keycloak_quarkus_jgroups_bind_address }}" |  | ||||||
| keycloak_quarkus_jgroups_external_port: "{{ keycloak_quarkus_jgroups_port }}" |  | ||||||
| keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx2048m" | keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx2048m" | ||||||
| keycloak_quarkus_java_jvm_opts: > | keycloak_quarkus_java_jvm_opts: "-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 | ||||||
|   -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 |  | ||||||
|   -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError |   -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError | ||||||
|   -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4 |   -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4 | ||||||
|   -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512 |   -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512" | ||||||
| keycloak_quarkus_jgroups_opts: > | keycloak_quarkus_java_opts: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}" | ||||||
|   -Djgroups.bind.address={{ keycloak_quarkus_jgroups_bind_address }} |  | ||||||
|   -Djgroups.external_port={{ keycloak_quarkus_jgroups_external_port }} |  | ||||||
|   -Djgroups.external_addr={{ keycloak_quarkus_jgroups_external_addr }} |  | ||||||
| keycloak_quarkus_java_opts: "{{ ' '.join((keycloak_quarkus_jgroups_opts, keycloak_quarkus_java_heap_opts, keycloak_quarkus_java_jvm_opts)) }}" |  | ||||||
| keycloak_quarkus_additional_env_vars: [] | keycloak_quarkus_additional_env_vars: [] | ||||||
| 
 | 
 | ||||||
| ### TLS/HTTPS configuration | ### TLS/HTTPS configuration | ||||||
|  | @ -77,7 +71,7 @@ keycloak_quarkus_config_key_store_password: '' | ||||||
| 
 | 
 | ||||||
| ### Enable configuration for database backend, clustering and remote caches on infinispan | ### Enable configuration for database backend, clustering and remote caches on infinispan | ||||||
| keycloak_quarkus_ha_enabled: false | keycloak_quarkus_ha_enabled: false | ||||||
| keycloak_quarkus_ha_discovery: "JDBCPING" | keycloak_quarkus_ha_discovery: "TCPPING" | ||||||
| ### Enable database configuration, must be enabled when HA is configured | ### Enable database configuration, must be enabled when HA is configured | ||||||
| keycloak_quarkus_db_enabled: "{{ keycloak_quarkus_ha_enabled }}" | keycloak_quarkus_db_enabled: "{{ keycloak_quarkus_ha_enabled }}" | ||||||
| keycloak_quarkus_systemd_wait_for_port: "{{ keycloak_quarkus_ha_enabled }}" | keycloak_quarkus_systemd_wait_for_port: "{{ keycloak_quarkus_ha_enabled }}" | ||||||
|  | @ -87,8 +81,8 @@ keycloak_quarkus_systemd_wait_for_timeout: 60 | ||||||
| keycloak_quarkus_systemd_wait_for_delay: 10 | keycloak_quarkus_systemd_wait_for_delay: 10 | ||||||
| 
 | 
 | ||||||
| ### keycloak frontend url | ### keycloak frontend url | ||||||
| keycloak_quarkus_hostname: | keycloak_quarkus_frontend_url: | ||||||
| keycloak_quarkus_hostname_admin: "" | keycloak_quarkus_admin_url: | ||||||
| 
 | 
 | ||||||
| ### Set the path relative to / for serving resources. The path must start with a / | ### Set the path relative to / for serving resources. The path must start with a / | ||||||
| ### (set to `/auth` for retrocompatibility with pre-quarkus releases) | ### (set to `/auth` for retrocompatibility with pre-quarkus releases) | ||||||
|  | @ -97,9 +91,9 @@ keycloak_quarkus_http_relative_path: / | ||||||
| # Disables dynamically resolving the hostname from request headers. | # Disables dynamically resolving the hostname from request headers. | ||||||
| # Should always be set to true in production, unless proxy verifies the Host header. | # Should always be set to true in production, unless proxy verifies the Host header. | ||||||
| keycloak_quarkus_hostname_strict: true | keycloak_quarkus_hostname_strict: true | ||||||
| # Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. | # By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. | ||||||
| # Set to true if your application accesses Keycloak via a private network. If set to true, keycloak_quarkus_hostname option needs to be specified as a full URL. | # If all applications use the public URL this option should be enabled. | ||||||
| keycloak_quarkus_hostname_backchannel_dynamic: false | keycloak_quarkus_hostname_strict_backchannel: false | ||||||
| 
 | 
 | ||||||
| # The proxy headers that should be accepted by the server. ['', 'forwarded', 'xforwarded'] | # The proxy headers that should be accepted by the server. ['', 'forwarded', 'xforwarded'] | ||||||
| keycloak_quarkus_proxy_headers: "" | keycloak_quarkus_proxy_headers: "" | ||||||
|  | @ -117,57 +111,36 @@ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: true | ||||||
| keycloak_quarkus_metrics_enabled: false | keycloak_quarkus_metrics_enabled: false | ||||||
| keycloak_quarkus_health_enabled: true | keycloak_quarkus_health_enabled: true | ||||||
| 
 | 
 | ||||||
| ### caches; must read: https://www.keycloak.org/2024/12/storing-sessions-in-kc26 |  | ||||||
| ### embedded caches |  | ||||||
| # https://www.keycloak.org/server/caching |  | ||||||
| keycloak_quarkus_cache_metrics_enabled: false |  | ||||||
| keycloak_quarkus_cache_embedded_authorization_max_count: |  | ||||||
| keycloak_quarkus_cache_embedded_client_sessions_max_count: |  | ||||||
| keycloak_quarkus_cache_embedded_crl_max_count: |  | ||||||
| keycloak_quarkus_cache_embedded_keys_max_count: |  | ||||||
| keycloak_quarkus_cache_embedded_offline_client_sessions_max_count: |  | ||||||
| keycloak_quarkus_cache_embedded_offline_sessions_max_count: |  | ||||||
| keycloak_quarkus_cache_embedded_realms_max_count: |  | ||||||
| keycloak_quarkus_cache_embedded_sessions_max_count: |  | ||||||
| keycloak_quarkus_cache_embedded_users_max_count: |  | ||||||
| keycloak_quarkus_cache_embedded_mtls_enabled: true |  | ||||||
| keycloak_quarkus_cache_embedded_mtls_key_store_file: "{{ keycloak.home }}/conf/cache_key_store.p12" |  | ||||||
| keycloak_quarkus_cache_embedded_mtls_key_store_password: '' |  | ||||||
| keycloak_quarkus_cache_embedded_mtls_rotation_interval_days: 30 |  | ||||||
| keycloak_quarkus_cache_embedded_mtls_trust_store_file: "{{ keycloak.home }}/conf/cache_trust_store.p12" |  | ||||||
| keycloak_quarkus_cache_embedded_mtls_trust_store_password: '' |  | ||||||
| 
 |  | ||||||
| ### infinispan remote caches access (hotrod) | ### infinispan remote caches access (hotrod) | ||||||
| # https://www.keycloak.org/server/caching#_remote_cache | keycloak_quarkus_ispn_user: supervisor | ||||||
| keycloak_quarkus_cache_remote: false | keycloak_quarkus_ispn_pass: supervisor | ||||||
| keycloak_quarkus_cache_remote_username: supervisor | keycloak_quarkus_ispn_hosts: "localhost:11222" | ||||||
| keycloak_quarkus_cache_remote_password: supervisor | keycloak_quarkus_ispn_sasl_mechanism: SCRAM-SHA-512 | ||||||
| keycloak_quarkus_cache_remote_host: localhost | keycloak_quarkus_ispn_use_ssl: false | ||||||
| keycloak_quarkus_cache_remote_port: 11222 | # if ssl is enabled, import ispn server certificate here | ||||||
| keycloak_quarkus_cache_remote_tls_enabled: false | keycloak_quarkus_ispn_trust_store_path: /etc/pki/java/cacerts | ||||||
| keycloak_quarkus_cache_remote_sasl_mechanism: SCRAM-SHA-512 | keycloak_quarkus_ispn_trust_store_password: changeit | ||||||
| 
 |  | ||||||
| 
 | 
 | ||||||
| ### database backend engine: values [ 'postgres', 'mariadb' ] | ### database backend engine: values [ 'postgres', 'mariadb' ] | ||||||
| keycloak_quarkus_db_engine: postgres | keycloak_quarkus_jdbc_engine: postgres | ||||||
| ### database backend credentials | ### database backend credentials | ||||||
| keycloak_quarkus_db_user: keycloak-user | keycloak_quarkus_db_user: keycloak-user | ||||||
| keycloak_quarkus_db_pass: keycloak-pass | keycloak_quarkus_db_pass: keycloak-pass | ||||||
| keycloak_quarkus_db_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].url }}" | keycloak_quarkus_jdbc_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}" | ||||||
| keycloak_quarkus_db_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].version }}" | keycloak_quarkus_jdbc_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}" | ||||||
| # override the variables above, following defaults show recommended version as per | # override the variables above, following defaults show minimum supported versions | ||||||
| # https://access.redhat.com/articles/7033107 |  | ||||||
| keycloak_quarkus_default_jdbc: | keycloak_quarkus_default_jdbc: | ||||||
|   postgres: |   postgres: | ||||||
|     url: 'jdbc:postgresql://localhost:5432/keycloak' |     url: 'jdbc:postgresql://localhost:5432/keycloak' | ||||||
|     version: 42.7.5 |     version: 9.4.1212 | ||||||
|   mariadb: |   mariadb: | ||||||
|     url: 'jdbc:mariadb://localhost:3306/keycloak' |     url: 'jdbc:mariadb://localhost:3306/keycloak' | ||||||
|     version: 3.5.2 |     version: 2.7.4 | ||||||
|   mssql: |   mssql: | ||||||
|     url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;' |     url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;' | ||||||
|     version: 12.8.1 |     version: 12.4.2 | ||||||
|     driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.8.1.jre11/mssql-jdbc-12.8.1.jre11.jar" |     driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.4.2.jre11/mssql-jdbc-12.4.2.jre11.jar" | ||||||
|  |     # cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/24.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver | ||||||
| ### logging configuration | ### logging configuration | ||||||
| keycloak_quarkus_log: file | keycloak_quarkus_log: file | ||||||
| keycloak_quarkus_log_level: info | keycloak_quarkus_log_level: info | ||||||
|  | @ -192,7 +165,5 @@ keycloak_quarkus_supported_policy_types: ['password-blacklists'] | ||||||
| keycloak_quarkus_restart_strategy: restart/serial.yml | keycloak_quarkus_restart_strategy: restart/serial.yml | ||||||
| keycloak_quarkus_restart_health_check: true | keycloak_quarkus_restart_health_check: true | ||||||
| keycloak_quarkus_restart_health_check_delay: 10 | keycloak_quarkus_restart_health_check_delay: 10 | ||||||
| keycloak_quarkus_restart_health_check_retries: 25 | keycloak_quarkus_restart_health_check_reries: 25 | ||||||
| keycloak_quarkus_restart_pause: 15 | keycloak_quarkus_restart_pause: 15 | ||||||
| 
 |  | ||||||
| keycloak_quarkus_force_install: false |  | ||||||
|  |  | ||||||
|  | @ -1,7 +1,4 @@ | ||||||
| --- | --- | ||||||
| - name: "Invalidate {{ keycloak.service_name }} theme cache" |  | ||||||
|   ansible.builtin.include_tasks: invalidate_theme_cache.yml |  | ||||||
|   listen: "invalidate keycloak theme cache" |  | ||||||
| # handler should be invoked anytime a [build configuration](https://www.keycloak.org/server/all-config?f=build) changes | # handler should be invoked anytime a [build configuration](https://www.keycloak.org/server/all-config?f=build) changes | ||||||
| - name: "Rebuild {{ keycloak.service_name }} config" | - name: "Rebuild {{ keycloak.service_name }} config" | ||||||
|   ansible.builtin.include_tasks: rebuild_config.yml |   ansible.builtin.include_tasks: rebuild_config.yml | ||||||
|  |  | ||||||
|  | @ -2,7 +2,7 @@ argument_specs: | ||||||
|     main: |     main: | ||||||
|         options: |         options: | ||||||
|             keycloak_quarkus_version: |             keycloak_quarkus_version: | ||||||
|                 default: "26.3.0" |                 default: "24.0.4" | ||||||
|                 description: "keycloak.org package version" |                 description: "keycloak.org package version" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_archive: |             keycloak_quarkus_archive: | ||||||
|  | @ -22,7 +22,7 @@ argument_specs: | ||||||
|                 description: "Perform an offline install" |                 description: "Perform an offline install" | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|             keycloak_quarkus_jvm_package: |             keycloak_quarkus_jvm_package: | ||||||
|                 default: "java-21-openjdk-headless" |                 default: "java-11-openjdk-headless" | ||||||
|                 description: "RHEL java package runtime" |                 description: "RHEL java package runtime" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_java_home: |             keycloak_quarkus_java_home: | ||||||
|  | @ -68,17 +68,13 @@ argument_specs: | ||||||
|                 default: "10s" |                 default: "10s" | ||||||
|                 description: "systemd RestartSec for service" |                 description: "systemd RestartSec for service" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_bootstrap_admin_user: |             keycloak_quarkus_admin_user: | ||||||
|                 default: "admin" |                 default: "admin" | ||||||
|                 description: "Administration user account, only for bootstrapping" |                 description: "Administration console user account" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_force_install: |             keycloak_quarkus_admin_pass: | ||||||
|                 default: false |  | ||||||
|                 description: "Remove pre-existing versions of service" |  | ||||||
|                 type: "bool" |  | ||||||
|             keycloak_quarkus_bootstrap_admin_password: |  | ||||||
|                 required: true |                 required: true | ||||||
|                 description: "Password of admin account, only for bootstrapping" |                 description: "Password of console admin account" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_master_realm: |             keycloak_quarkus_master_realm: | ||||||
|                 default: "master" |                 default: "master" | ||||||
|  | @ -86,40 +82,31 @@ argument_specs: | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_bind_address: |             keycloak_quarkus_bind_address: | ||||||
|                 default: "0.0.0.0" |                 default: "0.0.0.0" | ||||||
|                 description: "Deprecated, use `keycloak_quarkus_http_host`" |                 description: "Address for binding service ports" | ||||||
|                 type: "str" |  | ||||||
|             keycloak_quarkus_hostname: |  | ||||||
|                 description: >- |  | ||||||
|                     Address at which is the server exposed. |  | ||||||
|                     Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request. |  | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_host: |             keycloak_quarkus_host: | ||||||
|                 description: "Deprecated in v26, use keycloak_quarkus_hostname instead." |                 default: "localhost" | ||||||
|  |                 description: "Hostname for the Keycloak server" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_port: |             keycloak_quarkus_port: | ||||||
|                 description: "Deprecated in v26, use keycloak_quarkus_hostname instead." |                 default: -1 | ||||||
|  |                 description: "The port used by the proxy when exposing the hostname" | ||||||
|                 type: "int" |                 type: "int" | ||||||
|             keycloak_quarkus_path: |             keycloak_quarkus_path: | ||||||
|                 description: "Deprecated in v26, use keycloak_quarkus_hostname instead." |                 required: false | ||||||
|  |                 description: "This should be set if proxy uses a different context-path for Keycloak" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_http_enabled: |             keycloak_quarkus_http_enabled: | ||||||
|                 default: true |                 default: true | ||||||
|                 description: "Enable listener on HTTP port" |                 description: "Enable listener on HTTP port" | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|             keycloak_quarkus_http_host: |  | ||||||
|                 default: '0.0.0.0' |  | ||||||
|                 description: "HTTP host, address for binding service ports" |  | ||||||
|                 type: "str" |  | ||||||
|             keycloak_quarkus_http_port: |             keycloak_quarkus_http_port: | ||||||
|                 default: 8080 |                 default: 8080 | ||||||
|                 description: "HTTP port" |                 description: "HTTP port" | ||||||
|                 type: "int" |                 type: "int" | ||||||
|             keycloak_quarkus_health_check_url: |  | ||||||
|                 description: "Full URL (including scheme, host, path, fragment etc.) used for health check endpoint; keycloak_quarkus_hostname will NOT be prepended; helpful when health checks should happen against http port, but keycloak_quarkus_hostname uses https scheme per default" |  | ||||||
|                 type: "str" |  | ||||||
|             keycloak_quarkus_health_check_url_path: |             keycloak_quarkus_health_check_url_path: | ||||||
|                 default: "realms/master/.well-known/openid-configuration" |                 default: "realms/master/.well-known/openid-configuration" | ||||||
|                 description: "Path to the health check endpoint; keycloak_quarkus_hostname will be prepended automatically; Note that keycloak_quarkus_health_check_url takes precedence over this property" |                 description: "Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_https_key_file_enabled: |             keycloak_quarkus_https_key_file_enabled: | ||||||
|                 default: false |                 default: false | ||||||
|  | @ -183,7 +170,7 @@ argument_specs: | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_config_key_store_file: |             keycloak_quarkus_config_key_store_file: | ||||||
|                 default: "{{ keycloak.home }}/conf/conf_store.p12" |                 default: "{{ keycloak.home }}/conf/conf_store.p12" | ||||||
|                 description: "Path to the configuration key store; only used if `keycloak_quarkus_config_key_store_password` is not empty" |                 description: "Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_config_key_store_password: |             keycloak_quarkus_config_key_store_password: | ||||||
|                 default: "" |                 default: "" | ||||||
|  | @ -195,9 +182,13 @@ argument_specs: | ||||||
|                 default: 8443 |                 default: 8443 | ||||||
|                 description: "HTTPS port" |                 description: "HTTPS port" | ||||||
|                 type: "int" |                 type: "int" | ||||||
|             keycloak_quarkus_http_management_port: |             keycloak_quarkus_ajp_port: | ||||||
|                 default: 9000 |                 default: 8009 | ||||||
|                 description: "Port of the management interface. Relevant only when something is exposed on the management interface - see the guide for details." |                 description: "AJP port" | ||||||
|  |                 type: "int" | ||||||
|  |             keycloak_quarkus_jgroups_port: | ||||||
|  |                 default: 7800 | ||||||
|  |                 description: "jgroups cluster tcp port" | ||||||
|                 type: "int" |                 type: "int" | ||||||
|             keycloak_quarkus_java_heap_opts: |             keycloak_quarkus_java_heap_opts: | ||||||
|                 default: "-Xms1024m -Xmx2048m" |                 default: "-Xms1024m -Xmx2048m" | ||||||
|  | @ -211,7 +202,7 @@ argument_specs: | ||||||
|                 description: "Other JVM settings" |                 description: "Other JVM settings" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_java_opts: |             keycloak_quarkus_java_opts: | ||||||
|                 default: "{{ ' '.join((keycloak_quarkus_jgroups_opts, keycloak_quarkus_java_heap_opts, keycloak_quarkus_java_jvm_opts)) }}" |                 default: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}" | ||||||
|                 description: "JVM arguments, by default heap_opts + jvm_opts, if overriden it takes precedence over them" |                 description: "JVM arguments, by default heap_opts + jvm_opts, if overriden it takes precedence over them" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_additional_env_vars: |             keycloak_quarkus_additional_env_vars: | ||||||
|  | @ -235,21 +226,13 @@ argument_specs: | ||||||
|                 default: / |                 default: / | ||||||
|                 description: "Set the path relative to / for serving resources. The path must start with a /" |                 description: "Set the path relative to / for serving resources. The path must start with a /" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_http_management_relative_path: |  | ||||||
|                 required: false |  | ||||||
|                 description: "Set the path relative to / for serving resources from management interface. The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details." |  | ||||||
|                 type: "str" |  | ||||||
|             keycloak_quarkus_frontend_url: |             keycloak_quarkus_frontend_url: | ||||||
|                 required: false |                 required: false | ||||||
|                 description: "Deprecated in v26, use keycloak_quarkus_hostname instead." |                 description: "Service public URL" | ||||||
|                 type: "str" |  | ||||||
|             keycloak_quarkus_hostname_admin: |  | ||||||
|                 required: false |  | ||||||
|                 description: "Service URL for the admin console" |  | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_admin_url: |             keycloak_quarkus_admin_url: | ||||||
|                 required: false |                 required: false | ||||||
|                 description: "Deprecated in v26, use keycloak_quarkus_hostname_admin instead." |                 description: "Service URL for the admin console" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_metrics_enabled: |             keycloak_quarkus_metrics_enabled: | ||||||
|                 default: false |                 default: false | ||||||
|  | @ -257,37 +240,37 @@ argument_specs: | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|             keycloak_quarkus_health_enabled: |             keycloak_quarkus_health_enabled: | ||||||
|                 default: true |                 default: true | ||||||
|                 description: "If the server should expose health check endpoints on the management interface" |                 description: "If the server should expose health check endpoints" | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|             keycloak_quarkus_cache_remote: |             keycloak_quarkus_ispn_user: | ||||||
|                 description: "Whether to connect to remote cache infinispan server" |  | ||||||
|                 default: false |  | ||||||
|                 type: 'bool' |  | ||||||
|             keycloak_quarkus_cache_remote_username: |  | ||||||
|                 default: "supervisor" |                 default: "supervisor" | ||||||
|                 description: "Username for connecting to infinispan" |                 description: "Username for connecting to infinispan" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_cache_remote_password: |             keycloak_quarkus_ispn_pass: | ||||||
|                 default: "supervisor" |                 default: "supervisor" | ||||||
|                 description: "Password for connecting to infinispan" |                 description: "Password for connecting to infinispan" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_cache_remote_host: |             keycloak_quarkus_ispn_hosts: | ||||||
|                 default: "localhost" |                 default: "localhost:11222" | ||||||
|                 description: "Hostname for connecting to infinispan" |                 description: "host name/port for connecting to infinispan, eg. host1:11222;host2:11222" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_cache_remote_port: |             keycloak_quarkus_ispn_sasl_mechanism: | ||||||
|                 default: "11222" |  | ||||||
|                 description: "Port for connecting to infinispan" |  | ||||||
|                 type: "str" |  | ||||||
|             keycloak_quarkus_cache_remote_sasl_mechanism: |  | ||||||
|                 default: "SCRAM-SHA-512" |                 default: "SCRAM-SHA-512" | ||||||
|                 description: "Infinispan auth mechanism" |                 description: "Infinispan auth mechanism" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_cache_remote_tls_enabled: |             keycloak_quarkus_ispn_use_ssl: | ||||||
|                 default: false |                 default: false | ||||||
|                 description: "Whether infinispan uses TLS connection" |                 description: "Whether infinispan uses TLS connection" | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|             keycloak_quarkus_db_engine: |             keycloak_quarkus_ispn_trust_store_path: | ||||||
|  |                 default: "/etc/pki/java/cacerts" | ||||||
|  |                 description: "Path to infinispan server trust certificate" | ||||||
|  |                 type: "str" | ||||||
|  |             keycloak_quarkus_ispn_trust_store_password: | ||||||
|  |                 default: "changeit" | ||||||
|  |                 description: "Password for infinispan certificate keystore" | ||||||
|  |                 type: "str" | ||||||
|  |             keycloak_quarkus_jdbc_engine: | ||||||
|                 default: "postgres" |                 default: "postgres" | ||||||
|                 description: "Database engine [mariadb,postres,mssql]" |                 description: "Database engine [mariadb,postres,mssql]" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|  | @ -299,12 +282,12 @@ argument_specs: | ||||||
|                 default: "keycloak-pass" |                 default: "keycloak-pass" | ||||||
|                 description: "Password for database connection" |                 description: "Password for database connection" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_db_url: |             keycloak_quarkus_jdbc_url: | ||||||
|                 default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].url }}" |                 default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}" | ||||||
|                 description: "JDBC URL for connecting to database" |                 description: "JDBC URL for connecting to database" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_db_driver_version: |             keycloak_quarkus_jdbc_driver_version: | ||||||
|                 default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].version }}" |                 default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}" | ||||||
|                 description: "Version for JDBC driver" |                 description: "Version for JDBC driver" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_log: |             keycloak_quarkus_log: | ||||||
|  | @ -365,18 +348,24 @@ argument_specs: | ||||||
|                 description: > |                 description: > | ||||||
|                   Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless |                   Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless | ||||||
|                   proxy verifies the Host header. |                   proxy verifies the Host header. | ||||||
|             keycloak_quarkus_hostname_backchannel_dynamic: |             keycloak_quarkus_hostname_strict_backchannel: | ||||||
|                 default: false |                 default: false | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|                 description: > |                 description: > | ||||||
|                     Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. |                   By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all | ||||||
|                     Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL. |                   applications use the public URL this option should be enabled. | ||||||
|             keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: |             keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: | ||||||
|                 default: true |                 default: true | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|                 description: > |                 description: > | ||||||
|                   If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies |                   If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies | ||||||
|                   and we rely on the session affinity capabilities from reverse proxy |                   and we rely on the session affinity capabilities from reverse proxy | ||||||
|  |             keycloak_quarkus_hostname_strict_https: | ||||||
|  |                 type: "bool" | ||||||
|  |                 required: false | ||||||
|  |                 description: > | ||||||
|  |                   By default, Keycloak requires running using TLS/HTTPS. If the service MUST run without TLS/HTTPS, then set | ||||||
|  |                   this option to "true" | ||||||
|             keycloak_quarkus_ks_vault_enabled: |             keycloak_quarkus_ks_vault_enabled: | ||||||
|                 default: false |                 default: false | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|  | @ -464,7 +453,7 @@ argument_specs: | ||||||
|                 description: "Seconds to let pass before starting healch checks" |                 description: "Seconds to let pass before starting healch checks" | ||||||
|                 default: 10 |                 default: 10 | ||||||
|                 type: 'int' |                 type: 'int' | ||||||
|             keycloak_quarkus_restart_health_check_retries: |             keycloak_quarkus_restart_health_check_reries: | ||||||
|                 description: "Number of attempts for successful health check before failing" |                 description: "Number of attempts for successful health check before failing" | ||||||
|                 default: 25 |                 default: 25 | ||||||
|                 type: 'int' |                 type: 'int' | ||||||
|  | @ -476,94 +465,10 @@ argument_specs: | ||||||
|                 description: "Path local to controller for offline/download of install archives" |                 description: "Path local to controller for offline/download of install archives" | ||||||
|                 default: "{{ lookup('env', 'PWD') }}" |                 default: "{{ lookup('env', 'PWD') }}" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_quarkus_cache_metrics_enabled: |  | ||||||
|                 description: 'Enable histograms for metrics for the embedded caches' |  | ||||||
|                 default: false |  | ||||||
|                 type: 'bool' |  | ||||||
|             keycloak_quarkus_cache_embedded_authorization_max_count: |  | ||||||
|                 description: 'The maximum number of entries that can be stored in-memory by the authorization cache' |  | ||||||
|                 required: false |  | ||||||
|                 type: "int" |  | ||||||
|             keycloak_quarkus_cache_embedded_client_sessions_max_count: |  | ||||||
|                 description: 'The maximum number of entries that can be stored in-memory by the clientSessions cache' |  | ||||||
|                 required: false |  | ||||||
|                 type: "int" |  | ||||||
|             keycloak_quarkus_cache_embedded_crl_max_count: |  | ||||||
|                 description: 'The maximum number of entries that can be stored in-memory by the crl cache' |  | ||||||
|                 required: false |  | ||||||
|                 type: "int" |  | ||||||
|             keycloak_quarkus_cache_embedded_keys_max_count: |  | ||||||
|                 description: 'The maximum number of entries that can be stored in-memory by the keys cache' |  | ||||||
|                 required: false |  | ||||||
|                 type: "int" |  | ||||||
|             keycloak_quarkus_cache_embedded_offline_client_sessions_max_count: |  | ||||||
|                 description: 'The maximum number of entries that can be stored in-memory by the offlineClientSessions cache' |  | ||||||
|                 required: false |  | ||||||
|                 type: "int" |  | ||||||
|             keycloak_quarkus_cache_embedded_offline_sessions_max_count: |  | ||||||
|                 description: 'The maximum number of entries that can be stored in-memory by the offlineSessions cache' |  | ||||||
|                 required: false |  | ||||||
|                 type: "int" |  | ||||||
|             keycloak_quarkus_cache_embedded_realms_max_count: |  | ||||||
|                 description: 'The maximum number of entries that can be stored in-memory by the realms cache' |  | ||||||
|                 required: false |  | ||||||
|                 type: "int" |  | ||||||
|             keycloak_quarkus_cache_embedded_sessions_max_count: |  | ||||||
|                 description: 'The maximum number of entries that can be stored in-memory by the sessions cache' |  | ||||||
|                 required: false |  | ||||||
|                 type: "int" |  | ||||||
|             keycloak_quarkus_cache_embedded_users_max_count: |  | ||||||
|                 description: 'The maximum number of entries that can be stored in-memory by the users cache' |  | ||||||
|                 required: false |  | ||||||
|                 type: 'int' |  | ||||||
|             keycloak_quarkus_cache_embedded_mtls_enabled: |  | ||||||
|                 description: 'Encrypts the network communication between Keycloak servers' |  | ||||||
|                 default: true |  | ||||||
|                 type: 'bool' |  | ||||||
|             keycloak_quarkus_cache_embedded_mtls_key_store_file: |  | ||||||
|                 description: 'The Keystore file path' |  | ||||||
|                 default: "{{ keycloak.home }}/conf/cache_key_store.p12" |  | ||||||
|                 type: "str" |  | ||||||
|             keycloak_quarkus_cache_embedded_mtls_key_store_password: |  | ||||||
|                 description: 'The password to access the Keystore' |  | ||||||
|                 default: '' |  | ||||||
|                 type: "str" |  | ||||||
|             keycloak_quarkus_cache_embedded_mtls_rotation_interval_days: |  | ||||||
|                 description: 'Rotation period in days of automatic JGroups MTLS certificates' |  | ||||||
|                 default: 30 |  | ||||||
|                 type: 'int' |  | ||||||
|             keycloak_quarkus_cache_embedded_mtls_trust_store_file: |  | ||||||
|                 description: 'The Truststore file path' |  | ||||||
|                 default: "{{ keycloak.home }}/conf/cache_trust_store.p12" |  | ||||||
|                 type: "str" |  | ||||||
|             keycloak_quarkus_cache_embedded_mtls_trust_store_password: |  | ||||||
|                 description: 'The password to access the Truststore.' |  | ||||||
|                 default: '' |  | ||||||
|                 type: "str" |  | ||||||
|             keycloak_quarkus_jgroups_port: |  | ||||||
|                 description: 'jgroups bind port' |  | ||||||
|                 default: 7800 |  | ||||||
|                 type: "int" |  | ||||||
|             keycloak_quarkus_jgroups_bind_address: |  | ||||||
|                 description: 'jgroups bind address' |  | ||||||
|                 default: "{{ ansible_default_ipv4.address }}" |  | ||||||
|                 type: "str" |  | ||||||
|             keycloak_quarkus_jgroups_external_addr: |  | ||||||
|                 description: 'IP address that other instances in the Keycloak should use to contact this node' |  | ||||||
|                 default: "{{ keycloak_quarkus_jgroups_bind_address }}" |  | ||||||
|                 type: "str" |  | ||||||
|             keycloak_quarkus_jgroups_external_port: |  | ||||||
|                 description: 'Port that other instances in the Keycloak cluster should use to contact this node' |  | ||||||
|                 default: "{{ keycloak_quarkus_jgroups_port }}" |  | ||||||
|                 type: "int" |  | ||||||
|             keycloak_quarkus_jgroups_opts: |  | ||||||
|                 description: "JVM arguments for jgroups configuration" |  | ||||||
|                 default: "-Djgroups.bind.address={{ keycloak_quarkus_jgroups_bind_address }} -Djgroups.external_port={{ keycloak_quarkus_jgroups_external_port }} -Djgroups.external_addr={{ keycloak_quarkus_jgroups_external_addr }}" |  | ||||||
|                 type: "str" |  | ||||||
|     downstream: |     downstream: | ||||||
|         options: |         options: | ||||||
|             rhbk_version: |             rhbk_version: | ||||||
|                 default: "26.2.5" |                 default: "24.0.3" | ||||||
|                 description: "Red Hat Build of Keycloak version" |                 description: "Red Hat Build of Keycloak version" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             rhbk_archive: |             rhbk_archive: | ||||||
|  |  | ||||||
|  | @ -8,7 +8,7 @@ galaxy_info: | ||||||
| 
 | 
 | ||||||
|   license: Apache License 2.0 |   license: Apache License 2.0 | ||||||
| 
 | 
 | ||||||
|   min_ansible_version: "2.16" |   min_ansible_version: "2.15" | ||||||
| 
 | 
 | ||||||
|   platforms: |   platforms: | ||||||
|     - name: EL |     - name: EL | ||||||
|  |  | ||||||
|  | @ -1,10 +1,6 @@ | ||||||
| --- | --- | ||||||
| - name: Include firewall config tasks | - name: Include firewall config tasks | ||||||
|   ansible.builtin.include_tasks: |   ansible.builtin.include_tasks: iptables.yml | ||||||
|     file: iptables.yml |  | ||||||
|     apply: |  | ||||||
|       tags: |  | ||||||
|         - firewall |  | ||||||
|   when: keycloak_quarkus_configure_iptables |   when: keycloak_quarkus_configure_iptables | ||||||
|   tags: |   tags: | ||||||
|     - firewall |     - firewall | ||||||
|  |  | ||||||
|  | @ -49,114 +49,5 @@ | ||||||
|   notify: |   notify: | ||||||
|     - print deprecation warning |     - print deprecation warning | ||||||
| 
 | 
 | ||||||
| # https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options |  | ||||||
| - name: Check deprecation of keycloak_quarkus_frontend_url -> keycloak_quarkus_hostname |  | ||||||
|   when: |  | ||||||
|     - keycloak_quarkus_hostname is not defined |  | ||||||
|     - keycloak_quarkus_frontend_url is defined |  | ||||||
|     - keycloak_quarkus_frontend_url != '' |  | ||||||
|   delegate_to: localhost |  | ||||||
|   run_once: true |  | ||||||
|   changed_when: keycloak_quarkus_show_deprecation_warnings |  | ||||||
|   ansible.builtin.set_fact: |  | ||||||
|     keycloak_quarkus_hostname: "{{ keycloak_quarkus_frontend_url }}" |  | ||||||
|     deprecated_variable: "keycloak_quarkus_frontend_url" # read in deprecation handler |  | ||||||
|   notify: |  | ||||||
|     - print deprecation warning |  | ||||||
| 
 |  | ||||||
| # https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options |  | ||||||
| - name: Check deprecation of keycloak_quarkus_hostname_strict_https + keycloak_quarkus_host + keycloak_quarkus_port + keycloak_quarkus_path -> keycloak_quarkus_hostname |  | ||||||
|   when: |  | ||||||
|     - keycloak_quarkus_hostname is not defined |  | ||||||
|     - keycloak_quarkus_hostname_strict_https is defined or keycloak_quarkus_frontend_url is defined or keycloak_quarkus_port is defined or keycloak_quarkus_path is defined |  | ||||||
|   delegate_to: localhost |  | ||||||
|   run_once: true |  | ||||||
|   changed_when: keycloak_quarkus_show_deprecation_warnings |  | ||||||
|   ansible.builtin.set_fact: |  | ||||||
|     keycloak_quarkus_hostname: >- |  | ||||||
|       {% set protocol = '' %} |  | ||||||
|       {% if keycloak_quarkus_hostname_strict_https %} |  | ||||||
|         {% set protocol = 'https://' %} |  | ||||||
|       {% elif keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is False %} |  | ||||||
|         {% set protocol = 'http://' %} |  | ||||||
|       {% endif %} |  | ||||||
|       {{ protocol }}{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_port }}/{{ keycloak_quarkus_path }} |  | ||||||
|     deprecated_variable: "keycloak_quarkus_hostname_strict_https or keycloak_quarkus_frontend_url or keycloak_quarkus_frontend_url or keycloak_quarkus_hostname" # read in deprecation handler |  | ||||||
|   notify: |  | ||||||
|     - print deprecation warning |  | ||||||
| 
 |  | ||||||
| # https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options |  | ||||||
| - name: Check deprecation of keycloak_quarkus_admin_url -> keycloak_quarkus_hostname_admin |  | ||||||
|   when: |  | ||||||
|     - keycloak_quarkus_hostname_admin is not defined |  | ||||||
|     - keycloak_quarkus_admin_url is defined |  | ||||||
|     - keycloak_quarkus_admin_url != '' |  | ||||||
|   delegate_to: localhost |  | ||||||
|   run_once: true |  | ||||||
|   changed_when: keycloak_quarkus_show_deprecation_warnings |  | ||||||
|   ansible.builtin.set_fact: |  | ||||||
|     keycloak_quarkus_hostname_admin: "{{ keycloak_quarkus_admin_url }}" |  | ||||||
|     deprecated_variable: "keycloak_quarkus_admin_url" # read in deprecation handler |  | ||||||
|   notify: |  | ||||||
|     - print deprecation warning |  | ||||||
| 
 |  | ||||||
| # https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options |  | ||||||
| - name: Check deprecation of keycloak_quarkus_hostname_strict_backchannel -> keycloak_quarkus_hostname_backchannel_dynamic |  | ||||||
|   when: |  | ||||||
|     - keycloak_quarkus_hostname_backchannel_dynamic is not defined |  | ||||||
|     - keycloak_quarkus_hostname_strict_backchannel is defined |  | ||||||
|     - keycloak_quarkus_hostname_strict_backchannel != '' |  | ||||||
|   delegate_to: localhost |  | ||||||
|   run_once: true |  | ||||||
|   changed_when: keycloak_quarkus_show_deprecation_warnings |  | ||||||
|   ansible.builtin.set_fact: |  | ||||||
|     keycloak_quarkus_hostname_backchannel_dynamic: "{{ keycloak_quarkus_hostname_strict_backchannel == False }}" |  | ||||||
|     deprecated_variable: "keycloak_quarkus_hostname_backchannel_dynamic" # read in deprecation handler |  | ||||||
|   notify: |  | ||||||
|     - print deprecation warning |  | ||||||
| 
 |  | ||||||
| # https://github.com/keycloak/keycloak/issues/30009 |  | ||||||
| - name: Check deprecation of keycloak_quarkus_admin_user -> keycloak_quarkus_bootstrap_admin_user |  | ||||||
|   when: |  | ||||||
|     - keycloak_quarkus_bootstrap_admin_user is not defined |  | ||||||
|     - keycloak_quarkus_admin_user is defined |  | ||||||
|     - keycloak_quarkus_admin_user != '' |  | ||||||
|   delegate_to: localhost |  | ||||||
|   run_once: true |  | ||||||
|   changed_when: keycloak_quarkus_show_deprecation_warnings |  | ||||||
|   ansible.builtin.set_fact: |  | ||||||
|     keycloak_quarkus_bootstrap_admin_user: "{{ keycloak_quarkus_admin_user }}" |  | ||||||
|     deprecated_variable: "keycloak_quarkus_admin_user" # read in deprecation handler |  | ||||||
|   notify: |  | ||||||
|     - print deprecation warning |  | ||||||
| 
 |  | ||||||
| # https://github.com/keycloak/keycloak/issues/30009 |  | ||||||
| - name: Check deprecation of keycloak_quarkus_admin_pass -> keycloak_quarkus_bootstrap_admin_password |  | ||||||
|   when: |  | ||||||
|     - keycloak_quarkus_bootstrap_admin_password is not defined |  | ||||||
|     - keycloak_quarkus_admin_pass is defined |  | ||||||
|     - keycloak_quarkus_admin_pass != '' |  | ||||||
|   delegate_to: localhost |  | ||||||
|   run_once: true |  | ||||||
|   changed_when: keycloak_quarkus_show_deprecation_warnings |  | ||||||
|   ansible.builtin.set_fact: |  | ||||||
|     keycloak_quarkus_bootstrap_admin_user: "{{ keycloak_quarkus_admin_pass }}" |  | ||||||
|     deprecated_variable: "keycloak_quarkus_admin_pass" # read in deprecation handler |  | ||||||
|   notify: |  | ||||||
|     - print deprecation warning |  | ||||||
| 
 |  | ||||||
| - name: Check deprecation of keycloak_quarkus_bind_address -> keycloak_quarkus_http_host |  | ||||||
|   when: |  | ||||||
|     - keycloak_quarkus_bind_address is defined |  | ||||||
|     - keycloak_quarkus_bind_address != '0.0.0.0' |  | ||||||
|   delegate_to: localhost |  | ||||||
|   run_once: true |  | ||||||
|   changed_when: keycloak_quarkus_show_deprecation_warnings |  | ||||||
|   ansible.builtin.set_fact: |  | ||||||
|     keycloak_quarkus_http_host: "{{ keycloak_quarkus_bind_address }}" |  | ||||||
|     deprecated_variable: "keycloak_quarkus_bind_address" # read in deprecation handler |  | ||||||
|   notify: |  | ||||||
|     - print deprecation warning |  | ||||||
|    |  | ||||||
| - name: Flush handlers | - name: Flush handlers | ||||||
|   ansible.builtin.meta: flush_handlers |   ansible.builtin.meta: flush_handlers | ||||||
|  |  | ||||||
|  | @ -12,17 +12,6 @@ | ||||||
|     enabled: true |     enabled: true | ||||||
|     state: started |     state: started | ||||||
| 
 | 
 | ||||||
| - name: "Configure firewall for {{ keycloak.service_name }} http port" |  | ||||||
|   become: true |  | ||||||
|   ansible.posix.firewalld: |  | ||||||
|     port: "{{ item }}" |  | ||||||
|     permanent: true |  | ||||||
|     state: enabled |  | ||||||
|     immediate: true |  | ||||||
|   loop: |  | ||||||
|     - "{{ keycloak_quarkus_http_port }}/tcp" |  | ||||||
|   when: keycloak_quarkus_http_enabled | bool |  | ||||||
| 
 |  | ||||||
| - name: "Configure firewall for {{ keycloak.service_name }} ports" | - name: "Configure firewall for {{ keycloak.service_name }} ports" | ||||||
|   become: true |   become: true | ||||||
|   ansible.posix.firewalld: |   ansible.posix.firewalld: | ||||||
|  | @ -31,6 +20,6 @@ | ||||||
|     state: enabled |     state: enabled | ||||||
|     immediate: true |     immediate: true | ||||||
|   loop: |   loop: | ||||||
|  |     - "{{ keycloak_quarkus_http_port }}/tcp" | ||||||
|     - "{{ keycloak_quarkus_https_port }}/tcp" |     - "{{ keycloak_quarkus_https_port }}/tcp" | ||||||
|     - "{{ keycloak_quarkus_http_management_port }}/tcp" |  | ||||||
|     - "{{ keycloak_quarkus_jgroups_port }}/tcp" |     - "{{ keycloak_quarkus_jgroups_port }}/tcp" | ||||||
|  |  | ||||||
|  | @ -17,27 +17,6 @@ | ||||||
|     path: "{{ keycloak.home }}" |     path: "{{ keycloak.home }}" | ||||||
|   register: existing_deploy |   register: existing_deploy | ||||||
| 
 | 
 | ||||||
| - name: Stop and restart if existing deployment exists and install forced |  | ||||||
|   when: existing_deploy.stat.exists and keycloak_quarkus_force_install | bool |  | ||||||
|   block: |  | ||||||
|     - name: "Stop the old {{ keycloak.service_name }} service" |  | ||||||
|       become: true |  | ||||||
|       failed_when: false |  | ||||||
|       ansible.builtin.systemd: |  | ||||||
|         name: keycloak |  | ||||||
|         state: stopped |  | ||||||
|     - name: "Remove the old {{ keycloak.service_name }} deployment" |  | ||||||
|       become: true |  | ||||||
|       ansible.builtin.file: |  | ||||||
|         path: "{{ keycloak_quarkus_home }}" |  | ||||||
|         state: absent |  | ||||||
| 
 |  | ||||||
| - name: Check for an existing deployment after possible forced removal |  | ||||||
|   become: true |  | ||||||
|   ansible.builtin.stat: |  | ||||||
|     path: "{{ keycloak_quarkus_home }}" |  | ||||||
|   register: existing_deploy |  | ||||||
| 
 |  | ||||||
| - name: "Create {{ keycloak.service_name }} service user/group" | - name: "Create {{ keycloak.service_name }} service user/group" | ||||||
|   become: true |   become: true | ||||||
|   ansible.builtin.user: |   ansible.builtin.user: | ||||||
|  | @ -98,7 +77,6 @@ | ||||||
|     - not archive_path.stat.exists |     - not archive_path.stat.exists | ||||||
|     - rhbk_enable is defined and rhbk_enable |     - rhbk_enable is defined and rhbk_enable | ||||||
|     - not keycloak.offline_install |     - not keycloak.offline_install | ||||||
|     - keycloak_quarkus_alternate_download_url is undefined |  | ||||||
|   block: |   block: | ||||||
|     - name: Retrieve product download using JBoss Network API |     - name: Retrieve product download using JBoss Network API | ||||||
|       middleware_automation.common.product_search: |       middleware_automation.common.product_search: | ||||||
|  | @ -224,11 +202,11 @@ | ||||||
|     - keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled |     - keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled | ||||||
|     - keycloak_quarkus_cert_file_src | length > 0 |     - keycloak_quarkus_cert_file_src | length > 0 | ||||||
| 
 | 
 | ||||||
| - name: "Install {{ keycloak_quarkus_db_engine }} JDBC driver" | - name: "Install {{ keycloak_quarkus_jdbc_engine }} JDBC driver" | ||||||
|   ansible.builtin.include_tasks: jdbc_driver.yml |   ansible.builtin.include_tasks: jdbc_driver.yml | ||||||
|   when: |   when: | ||||||
|     - rhbk_enable is defined and rhbk_enable |     - rhbk_enable is defined and rhbk_enable | ||||||
|     - keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url is defined |     - keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url is defined | ||||||
| 
 | 
 | ||||||
| - name: "Download custom providers via http" | - name: "Download custom providers via http" | ||||||
|   ansible.builtin.get_url: |   ansible.builtin.get_url: | ||||||
|  | @ -237,11 +215,10 @@ | ||||||
|     owner: "{{ keycloak.service_user }}" |     owner: "{{ keycloak.service_user }}" | ||||||
|     group: "{{ keycloak.service_group }}" |     group: "{{ keycloak.service_group }}" | ||||||
|     mode: '0640' |     mode: '0640' | ||||||
|     checksum: "{{ item.checksum | default(omit) }}" |  | ||||||
|   become: true |   become: true | ||||||
|   loop: "{{ keycloak_quarkus_providers }}" |   loop: "{{ keycloak_quarkus_providers }}" | ||||||
|   when: item.url is defined and item.url | length > 0 |   when: item.url is defined and item.url | length > 0 | ||||||
|   notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}" |   notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}" | ||||||
| 
 | 
 | ||||||
| # this requires the `lxml` package to be installed; we redirect this step to localhost such that we do need to install it on the remote hosts | # this requires the `lxml` package to be installed; we redirect this step to localhost such that we do need to install it on the remote hosts | ||||||
| - name: "Download custom providers to localhost using maven" | - name: "Download custom providers to localhost using maven" | ||||||
|  | @ -258,6 +235,7 @@ | ||||||
|   loop: "{{ keycloak_quarkus_providers }}" |   loop: "{{ keycloak_quarkus_providers }}" | ||||||
|   when: item.maven is defined |   when: item.maven is defined | ||||||
|   no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}" |   no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}" | ||||||
|  |   notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}" | ||||||
| 
 | 
 | ||||||
| - name: "Copy maven providers" | - name: "Copy maven providers" | ||||||
|   ansible.builtin.copy: |   ansible.builtin.copy: | ||||||
|  | @ -266,25 +244,21 @@ | ||||||
|     owner: "{{ keycloak.service_user }}" |     owner: "{{ keycloak.service_user }}" | ||||||
|     group: "{{ keycloak.service_group }}" |     group: "{{ keycloak.service_group }}" | ||||||
|     mode: '0640' |     mode: '0640' | ||||||
|     checksum: "{{ item.checksum | default(omit) }}" |  | ||||||
|   become: true |   become: true | ||||||
|   loop: "{{ keycloak_quarkus_providers }}" |   loop: "{{ keycloak_quarkus_providers }}" | ||||||
|   when: item.maven is defined |   when: item.maven is defined | ||||||
|   no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}" |   no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}" | ||||||
|   notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}" |  | ||||||
| 
 | 
 | ||||||
| - name: "Copy local providers" | - name: "Copy providers" | ||||||
|   ansible.builtin.copy: |   ansible.builtin.copy: | ||||||
|     src: "{{ item.local_path }}" |     src: "{{ item.local_path }}" | ||||||
|     dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar" |     dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar" | ||||||
|     owner: "{{ keycloak.service_user }}" |     owner: "{{ keycloak.service_user }}" | ||||||
|     group: "{{ keycloak.service_group }}" |     group: "{{ keycloak.service_group }}" | ||||||
|     mode: '0640' |     mode: '0640' | ||||||
|     remote_src: "{{ item.remote | default(false) }}" |  | ||||||
|   become: true |   become: true | ||||||
|   loop: "{{ keycloak_quarkus_providers }}" |   loop: "{{ keycloak_quarkus_providers }}" | ||||||
|   when: item.local_path is defined |   when: item.local_path is defined | ||||||
|   notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}" |  | ||||||
| 
 | 
 | ||||||
| - name: Ensure required folder structure for policies exists | - name: Ensure required folder structure for policies exists | ||||||
|   ansible.builtin.file: |   ansible.builtin.file: | ||||||
|  |  | ||||||
|  | @ -1,11 +0,0 @@ | ||||||
| --- |  | ||||||
| # From https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/24.0/html/server_developer_guide/themes#creating_a_theme: |  | ||||||
| # If you want to manually delete the content of the themes cache, |  | ||||||
| # you can do so by deleting the data/tmp/kc-gzip-cache directory of the server distribution |  | ||||||
| # It can be useful for instance if you redeployed custom providers or custom themes without |  | ||||||
| # disabling themes caching in the previous server executions. |  | ||||||
| - name: "Delete {{ keycloak.service_name }} theme cache directory" |  | ||||||
|   ansible.builtin.file: |  | ||||||
|     path: "{{ keycloak.home }}/data/tmp/kc-gzip-cache" |  | ||||||
|     state: absent |  | ||||||
|   become: true |  | ||||||
|  | @ -7,9 +7,9 @@ | ||||||
|     (keycloak_quarkus_jdbc_download_user is undefined and keycloak_quarkus_jdbc_download_pass is not undefined) or |     (keycloak_quarkus_jdbc_download_user is undefined and keycloak_quarkus_jdbc_download_pass is not undefined) or | ||||||
|     (keycloak_quarkus_jdbc_download_pass is undefined and keycloak_quarkus_jdbc_download_user is not undefined) |     (keycloak_quarkus_jdbc_download_pass is undefined and keycloak_quarkus_jdbc_download_user is not undefined) | ||||||
| 
 | 
 | ||||||
| - name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url) }}" | - name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}" | ||||||
|   ansible.builtin.get_url: |   ansible.builtin.get_url: | ||||||
|     url: "{{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url) }}" |     url: "{{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}" | ||||||
|     dest: "{{ keycloak.home }}/providers" |     dest: "{{ keycloak.home }}/providers" | ||||||
|     owner: "{{ keycloak.service_user }}" |     owner: "{{ keycloak.service_user }}" | ||||||
|     group: "{{ keycloak.service_group }}" |     group: "{{ keycloak.service_group }}" | ||||||
|  |  | ||||||
|  | @ -1,58 +1,34 @@ | ||||||
| --- | --- | ||||||
| # tasks file for keycloak | # tasks file for keycloak | ||||||
| - name: Check prerequisites | - name: Check prerequisites | ||||||
|   ansible.builtin.include_tasks: |   ansible.builtin.include_tasks: prereqs.yml | ||||||
|     file: prereqs.yml |  | ||||||
|     apply: |  | ||||||
|       tags: |  | ||||||
|         - prereqs |  | ||||||
|   tags: |   tags: | ||||||
|     - prereqs |     - prereqs | ||||||
|     - always |     - always | ||||||
| 
 | 
 | ||||||
| - name: Check for deprecations | - name: Check for deprecations | ||||||
|   ansible.builtin.include_tasks: |   ansible.builtin.include_tasks: deprecations.yml | ||||||
|     file: deprecations.yml |  | ||||||
|     apply: |  | ||||||
|       tags: |  | ||||||
|         - always |  | ||||||
|   tags: |   tags: | ||||||
|     - always |     - always | ||||||
| 
 | 
 | ||||||
| - name: Distro specific tasks | - name: Distro specific tasks | ||||||
|   ansible.builtin.include_tasks: |   ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml" | ||||||
|     file: "{{ ansible_os_family | lower }}.yml" |  | ||||||
|     apply: |  | ||||||
|       tags: |  | ||||||
|         - unbound |  | ||||||
|   tags: |   tags: | ||||||
|     - unbound |     - unbound | ||||||
| 
 | 
 | ||||||
| - name: Include install tasks | - name: Include install tasks | ||||||
|   ansible.builtin.include_tasks: |   ansible.builtin.include_tasks: install.yml | ||||||
|     file: install.yml |  | ||||||
|     apply: |  | ||||||
|       tags: |  | ||||||
|         - install |  | ||||||
|   tags: |   tags: | ||||||
|     - install |     - install | ||||||
| 
 | 
 | ||||||
| - name: Include systemd tasks | - name: Include systemd tasks | ||||||
|   ansible.builtin.include_tasks: |   ansible.builtin.include_tasks: systemd.yml | ||||||
|     file: systemd.yml |  | ||||||
|     apply: |  | ||||||
|       tags: |  | ||||||
|         - systemd |  | ||||||
|   tags: |   tags: | ||||||
|     - systemd |     - systemd | ||||||
| 
 | 
 | ||||||
| - name: Include configuration key store tasks | - name: Include configuration key store tasks | ||||||
|   ansible.builtin.include_tasks: |  | ||||||
|     file: config_store.yml |  | ||||||
|     apply: |  | ||||||
|       tags: |  | ||||||
|         - install |  | ||||||
|   when: keycloak.config_key_store_enabled |   when: keycloak.config_key_store_enabled | ||||||
|  |   ansible.builtin.include_tasks: config_store.yml | ||||||
|   tags: |   tags: | ||||||
|     - install |     - install | ||||||
| 
 | 
 | ||||||
|  | @ -63,8 +39,8 @@ | ||||||
|         { |         { | ||||||
|           "name": item, |           "name": item, | ||||||
|           "address": 'jgroups-' + item, |           "address": 'jgroups-' + item, | ||||||
|           "inventory_host": hostvars[item].keycloak_quarkus_jgroups_ip | default(item) + '[' + (keycloak_quarkus_jgroups_port | string) + ']', |           "inventory_host": hostvars[item].ansible_default_ipv4.address | default(item) + '[' + (keycloak_quarkus_jgroups_port | string) + ']', | ||||||
|           "value": hostvars[item].keycloak_quarkus_jgroups_ip | default(item) |           "value": hostvars[item].ansible_default_ipv4.address | default(item) | ||||||
|         } |         } | ||||||
|       ] }} |       ] }} | ||||||
|   loop: "{{ ansible_play_batch }}" |   loop: "{{ ansible_play_batch }}" | ||||||
|  | @ -115,7 +91,7 @@ | ||||||
|   register: keycloak_service_status |   register: keycloak_service_status | ||||||
|   changed_when: false |   changed_when: false | ||||||
| 
 | 
 | ||||||
| - name: "Notify to remove `keycloak_quarkus_bootstrap_admin_user[_password]` env vars" | - name: "Notify to remove `keycloak_quarkus_admin_user[_pass]` env vars" | ||||||
|   when: |   when: | ||||||
|     - not ansible_local.keycloak.general.bootstrapped | default(false) | bool # it was not bootstrapped prior to the current role's execution |     - not ansible_local.keycloak.general.bootstrapped | default(false) | bool # it was not bootstrapped prior to the current role's execution | ||||||
|     - keycloak_service_status.status.ActiveState == "active"                  # but it is now |     - keycloak_service_status.status.ActiveState == "active"                  # but it is now | ||||||
|  |  | ||||||
|  | @ -2,12 +2,12 @@ | ||||||
| - name: Validate admin console password | - name: Validate admin console password | ||||||
|   ansible.builtin.assert: |   ansible.builtin.assert: | ||||||
|     that: |     that: | ||||||
|       - keycloak_quarkus_bootstrap_admin_password | length > 12 |       - keycloak_quarkus_admin_pass | length > 12 | ||||||
|     quiet: true |     quiet: true | ||||||
|     fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_bootstrap_admin_password to a 12+ char long string" |     fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass to a 12+ char long string" | ||||||
|     success_msg: "{{ 'Console administrator password OK' }}" |     success_msg: "{{ 'Console administrator password OK' }}" | ||||||
| 
 | 
 | ||||||
| - name: Validate http_relative_path | - name: Validate relative path | ||||||
|   ansible.builtin.assert: |   ansible.builtin.assert: | ||||||
|     that: |     that: | ||||||
|       - keycloak_quarkus_http_relative_path is regex('^/.*') |       - keycloak_quarkus_http_relative_path is regex('^/.*') | ||||||
|  | @ -15,15 +15,6 @@ | ||||||
|     fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /" |     fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /" | ||||||
|     success_msg: "{{ 'Relative path OK' }}" |     success_msg: "{{ 'Relative path OK' }}" | ||||||
| 
 | 
 | ||||||
| - name: Validate http_management_relative_path |  | ||||||
|   ansible.builtin.assert: |  | ||||||
|     that: |  | ||||||
|       - keycloak_quarkus_http_management_relative_path is regex('^/.*') |  | ||||||
|     quiet: true |  | ||||||
|     fail_msg: "The relative path for keycloak_quarkus_http_management_relative_path must begin with /" |  | ||||||
|     success_msg: "{{ 'Relative mgmt path OK' }}" |  | ||||||
|   when: keycloak_quarkus_http_management_relative_path is defined |  | ||||||
| 
 |  | ||||||
| - name: Validate configuration | - name: Validate configuration | ||||||
|   ansible.builtin.assert: |   ansible.builtin.assert: | ||||||
|     that: |     that: | ||||||
|  |  | ||||||
|  | @ -2,6 +2,9 @@ | ||||||
| # cf. https://www.keycloak.org/server/configuration#_optimize_the_keycloak_startup | # cf. https://www.keycloak.org/server/configuration#_optimize_the_keycloak_startup | ||||||
| - name: "Rebuild {{ keycloak.service_name }} config" | - name: "Rebuild {{ keycloak.service_name }} config" | ||||||
|   ansible.builtin.shell: | # noqa blocked_modules shell is necessary here |   ansible.builtin.shell: | # noqa blocked_modules shell is necessary here | ||||||
|     env -i bash -c "set -a ; source {{ keycloak_quarkus_sysconf_file }} ; {{ keycloak.home }}/bin/kc.sh build " |     {{ keycloak.home }}/bin/kc.sh build | ||||||
|  |   environment: | ||||||
|  |     PATH: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" | ||||||
|  |     JAVA_HOME: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}" | ||||||
|   become: true |   become: true | ||||||
|   changed_when: true |   changed_when: true | ||||||
|  |  | ||||||
|  | @ -1,10 +1,6 @@ | ||||||
| --- | --- | ||||||
| - name: Include firewall config tasks | - name: Include firewall config tasks | ||||||
|   ansible.builtin.include_tasks: |   ansible.builtin.include_tasks: firewalld.yml | ||||||
|     file: firewalld.yml |  | ||||||
|     apply: |  | ||||||
|       tags: |  | ||||||
|         - firewall |  | ||||||
|   when: keycloak_quarkus_configure_firewalld |   when: keycloak_quarkus_configure_firewalld | ||||||
|   tags: |   tags: | ||||||
|     - firewall |     - firewall | ||||||
|  |  | ||||||
|  | @ -12,7 +12,7 @@ | ||||||
|     url: "{{ keycloak.health_url }}" |     url: "{{ keycloak.health_url }}" | ||||||
|   register: keycloak_status |   register: keycloak_status | ||||||
|   until: keycloak_status.status == 200 |   until: keycloak_status.status == 200 | ||||||
|   retries: "{{ keycloak_quarkus_restart_health_check_retries }}" |   retries: "{{ keycloak_quarkus_restart_health_check_reries }}" | ||||||
|   delay: "{{ keycloak_quarkus_restart_health_check_delay }}" |   delay: "{{ keycloak_quarkus_restart_health_check_delay }}" | ||||||
|   when: internal_force_health_check | default(keycloak_quarkus_restart_health_check) |   when: internal_force_health_check | default(keycloak_quarkus_restart_health_check) | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -2,7 +2,7 @@ | ||||||
| - name: "Restart services in serial, with optional healtch check (keycloak_quarkus_restart_health_check)" | - name: "Restart services in serial, with optional healtch check (keycloak_quarkus_restart_health_check)" | ||||||
|   throttle: 1 |   throttle: 1 | ||||||
|   block: |   block: | ||||||
|     - name: "Restart and enable {{ keycloak.service_name }} service" |     - name: "Restart and enable {{ keycloak.service_name }} service on {{ item }}" | ||||||
|       ansible.builtin.include_tasks: |       ansible.builtin.include_tasks: | ||||||
|         file: restart.yml |         file: restart.yml | ||||||
|         apply: |         apply: | ||||||
|  |  | ||||||
|  | @ -14,4 +14,3 @@ | ||||||
|   until: keycloak_status.status == 200 |   until: keycloak_status.status == 200 | ||||||
|   retries: 25 |   retries: 25 | ||||||
|   delay: 10 |   delay: 10 | ||||||
|   when: internal_force_health_check | default(keycloak_quarkus_restart_health_check) |  | ||||||
|  |  | ||||||
|  | @ -10,7 +10,6 @@ | ||||||
|   vars: |   vars: | ||||||
|     keycloak_sys_pkg_java_home: "{{ keycloak_quarkus_pkg_java_home }}" |     keycloak_sys_pkg_java_home: "{{ keycloak_quarkus_pkg_java_home }}" | ||||||
|   notify: |   notify: | ||||||
|     - rebuild keycloak config |  | ||||||
|     - restart keycloak |     - restart keycloak | ||||||
| 
 | 
 | ||||||
| - name: "Configure systemd unit file for keycloak service" | - name: "Configure systemd unit file for keycloak service" | ||||||
|  | @ -23,5 +22,4 @@ | ||||||
|   become: true |   become: true | ||||||
|   register: systemdunit |   register: systemdunit | ||||||
|   notify: |   notify: | ||||||
|     - rebuild keycloak config |  | ||||||
|     - restart keycloak |     - restart keycloak | ||||||
|  |  | ||||||
|  | @ -18,17 +18,15 @@ | ||||||
| 
 | 
 | ||||||
| <infinispan | <infinispan | ||||||
|         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||||||
|         xsi:schemaLocation="urn:infinispan:config:15.0 http://www.infinispan.org/schemas/infinispan-config-15.0.xsd" |         xsi:schemaLocation="urn:infinispan:config:14.0 http://www.infinispan.org/schemas/infinispan-config-14.0.xsd" | ||||||
|         xmlns="urn:infinispan:config:15.0"> |         xmlns="urn:infinispan:config:14.0"> | ||||||
| 
 | 
 | ||||||
| {% set stack_expression='' %} | {% set stack_expression='' %} | ||||||
| {% if keycloak_quarkus_version is version_compare('26.2.0', '<') %} | {% if keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING' %} | ||||||
| {% if keycloak_quarkus_ha_enabled %} |  | ||||||
| {% if keycloak_quarkus_ha_discovery == 'TCPPING' %} |  | ||||||
| {% set stack_expression='stack="tcpping"' %} | {% set stack_expression='stack="tcpping"' %} | ||||||
|     <jgroups> |     <jgroups> | ||||||
|         <stack name="tcpping" extends="tcp"> |         <stack name="tcpping" extends="tcp"> | ||||||
|             <!-- <TCP external_addr="${env.KC_EXTERNAL_ADDR}" bind_addr="{{ keycloak_quarkus_http_host }}" bind_port="{{ keycloak_quarkus_jgroups_port }}" /> --> |             <!-- <TCP external_addr="${env.KC_EXTERNAL_ADDR}" bind_addr="{{ keycloak_quarkus_bind_address }}" bind_port="{{ keycloak_quarkus_jgroups_port }}" /> --> | ||||||
|             <TCPPING |             <TCPPING | ||||||
|                 initial_hosts="{{ keycloak_quarkus_cluster_nodes | map(attribute='inventory_host') | join (',') }}" |                 initial_hosts="{{ keycloak_quarkus_cluster_nodes | map(attribute='inventory_host') | join (',') }}" | ||||||
|                 port_range="0" |                 port_range="0" | ||||||
|  | @ -37,10 +35,6 @@ | ||||||
|             /> |             /> | ||||||
|         </stack> |         </stack> | ||||||
|     </jgroups> |     </jgroups> | ||||||
| {% elif keycloak_quarkus_ha_discovery == 'JDBCPING' %} |  | ||||||
| {% set stack_expression='stack="JDBC_PING2"' %} |  | ||||||
| {% endif %} |  | ||||||
| {% endif %} |  | ||||||
| {% endif %} | {% endif %} | ||||||
| 
 | 
 | ||||||
|     <cache-container name="keycloak"> |     <cache-container name="keycloak"> | ||||||
|  | @ -61,22 +55,18 @@ | ||||||
|         </local-cache> |         </local-cache> | ||||||
|         <distributed-cache name="sessions" owners="2"> |         <distributed-cache name="sessions" owners="2"> | ||||||
|             <expiration lifespan="-1"/> |             <expiration lifespan="-1"/> | ||||||
|             <memory max-count="10000"/> |  | ||||||
|         </distributed-cache> |         </distributed-cache> | ||||||
|         <distributed-cache name="authenticationSessions" owners="2"> |         <distributed-cache name="authenticationSessions" owners="2"> | ||||||
|             <expiration lifespan="-1"/> |             <expiration lifespan="-1"/> | ||||||
|         </distributed-cache> |         </distributed-cache> | ||||||
|         <distributed-cache name="offlineSessions" owners="2"> |         <distributed-cache name="offlineSessions" owners="2"> | ||||||
|             <expiration lifespan="-1"/> |             <expiration lifespan="-1"/> | ||||||
|             <memory max-count="10000"/> |  | ||||||
|         </distributed-cache> |         </distributed-cache> | ||||||
|         <distributed-cache name="clientSessions" owners="2"> |         <distributed-cache name="clientSessions" owners="2"> | ||||||
|             <expiration lifespan="-1"/> |             <expiration lifespan="-1"/> | ||||||
|             <memory max-count="10000"/> |  | ||||||
|         </distributed-cache> |         </distributed-cache> | ||||||
|         <distributed-cache name="offlineClientSessions" owners="2"> |         <distributed-cache name="offlineClientSessions" owners="2"> | ||||||
|             <expiration lifespan="-1"/> |             <expiration lifespan="-1"/> | ||||||
|             <memory max-count="10000"/> |  | ||||||
|         </distributed-cache> |         </distributed-cache> | ||||||
|         <distributed-cache name="loginFailures" owners="2"> |         <distributed-cache name="loginFailures" owners="2"> | ||||||
|             <expiration lifespan="-1"/> |             <expiration lifespan="-1"/> | ||||||
|  | @ -99,14 +89,6 @@ | ||||||
|             <expiration max-idle="3600000"/> |             <expiration max-idle="3600000"/> | ||||||
|             <memory max-count="1000"/> |             <memory max-count="1000"/> | ||||||
|         </local-cache> |         </local-cache> | ||||||
|         <local-cache name="crl" simple-cache="true"> |  | ||||||
|             <encoding> |  | ||||||
|                 <key media-type="application/x-java-object"/> |  | ||||||
|                 <value media-type="application/x-java-object"/> |  | ||||||
|             </encoding> |  | ||||||
|             <expiration lifespan="-1"/> |  | ||||||
|             <memory max-count="1000"/> |  | ||||||
|         </local-cache> |  | ||||||
|         <distributed-cache name="actionTokens" owners="2"> |         <distributed-cache name="actionTokens" owners="2"> | ||||||
|             <encoding> |             <encoding> | ||||||
|                 <key media-type="application/x-java-object"/> |                 <key media-type="application/x-java-object"/> | ||||||
|  | @ -116,4 +98,4 @@ | ||||||
|             <memory max-count="-1"/> |             <memory max-count="-1"/> | ||||||
|         </distributed-cache> |         </distributed-cache> | ||||||
|     </cache-container> |     </cache-container> | ||||||
| </infinispan> | </infinispan> | ||||||
|  | @ -1,13 +1,13 @@ | ||||||
| {{ ansible_managed | comment }} | {{ ansible_managed | comment }} | ||||||
| {% if not ansible_local.keycloak.general.bootstrapped | default(false) | bool %} | {% if not ansible_local.keycloak.general.bootstrapped | default(false) | bool %} | ||||||
| KC_BOOTSTRAP_ADMIN_USERNAME={{ keycloak_quarkus_bootstrap_admin_user }} | KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }} | ||||||
| KC_BOOTSTRAP_ADMIN_PASSWORD='{{ keycloak_quarkus_bootstrap_admin_password }}' | KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}' | ||||||
| {% else %} | {% else %} | ||||||
| {{ keycloak.bootstrap_mnemonic }} | {{ keycloak.bootstrap_mnemonic }} | ||||||
| {% endif %} | {% endif %} | ||||||
| PATH="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" | PATH={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin | ||||||
| JAVA_HOME="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}" | JAVA_HOME={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }} | ||||||
| JAVA_OPTS="{{ keycloak_quarkus_java_opts }}" | JAVA_OPTS={{ keycloak_quarkus_java_opts }} | ||||||
| 
 | 
 | ||||||
| # Custom ENV variables | # Custom ENV variables | ||||||
| {% for env in keycloak_quarkus_additional_env_vars %} | {% for env in keycloak_quarkus_additional_env_vars %} | ||||||
|  |  | ||||||
|  | @ -2,18 +2,26 @@ | ||||||
| 
 | 
 | ||||||
| {% if keycloak_quarkus_db_enabled %} | {% if keycloak_quarkus_db_enabled %} | ||||||
| # Database | # Database | ||||||
| db={{ keycloak_quarkus_db_engine }} | db={{ keycloak_quarkus_jdbc_engine }} | ||||||
| db-url={{ keycloak_quarkus_db_url }} | db-url={{ keycloak_quarkus_jdbc_url }} | ||||||
| db-username={{ keycloak_quarkus_db_user }} | db-username={{ keycloak_quarkus_db_user }} | ||||||
| {% if not keycloak.config_key_store_enabled %} | {% if not keycloak.config_key_store_enabled %} | ||||||
| db-password={{ keycloak_quarkus_db_pass }} | db-password={{ keycloak_quarkus_db_pass }} | ||||||
| {% endif %} | {% endif %} | ||||||
| {% endif %} | {% endif %} | ||||||
| 
 | 
 | ||||||
|  | {% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas true -%} | ||||||
|  | hostname-strict-https=true | ||||||
|  | {% endif -%} | ||||||
|  | {% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas false -%} | ||||||
|  | hostname-strict-https=false | ||||||
|  | {% endif -%} | ||||||
|  | 
 | ||||||
| {% if keycloak.config_key_store_enabled %} | {% if keycloak.config_key_store_enabled %} | ||||||
| # Config store | # Config store | ||||||
| config-keystore={{ keycloak_quarkus_config_key_store_file }} | config-keystore={{ keycloak_quarkus_config_key_store_file }} | ||||||
| config-keystore-password={{ keycloak_quarkus_config_key_store_password }} | config-keystore-password={{ keycloak_quarkus_config_key_store_password }} | ||||||
|  | config-keystore-type=PKCS12 | ||||||
| {% endif %} | {% endif %} | ||||||
| 
 | 
 | ||||||
| # Observability | # Observability | ||||||
|  | @ -22,17 +30,8 @@ health-enabled={{ keycloak_quarkus_health_enabled | lower }} | ||||||
| 
 | 
 | ||||||
| # HTTP | # HTTP | ||||||
| http-enabled={{ keycloak_quarkus_http_enabled | lower }} | http-enabled={{ keycloak_quarkus_http_enabled | lower }} | ||||||
| {% if keycloak_quarkus_http_enabled %} |  | ||||||
| http-port={{ keycloak_quarkus_http_port }} | http-port={{ keycloak_quarkus_http_port }} | ||||||
| {% endif %} |  | ||||||
| http-relative-path={{ keycloak_quarkus_http_relative_path }} | http-relative-path={{ keycloak_quarkus_http_relative_path }} | ||||||
| http-host={{ keycloak_quarkus_http_host }} |  | ||||||
| 
 |  | ||||||
| # Management |  | ||||||
| http-management-port={{ keycloak_quarkus_http_management_port }} |  | ||||||
| {% if keycloak_quarkus_http_management_relative_path is defined and keycloak_quarkus_http_management_relative_path | length > 0 %} |  | ||||||
| http-management-relative-path={{ keycloak_quarkus_http_management_relative_path }} |  | ||||||
| {% endif %} |  | ||||||
| 
 | 
 | ||||||
| # HTTPS | # HTTPS | ||||||
| https-port={{ keycloak_quarkus_https_port }} | https-port={{ keycloak_quarkus_https_port }} | ||||||
|  | @ -50,21 +49,23 @@ https-trust-store-password={{ keycloak_quarkus_https_trust_store_password }} | ||||||
| {% endif %} | {% endif %} | ||||||
| 
 | 
 | ||||||
| # Client URL configuration | # Client URL configuration | ||||||
| hostname={{ keycloak_quarkus_hostname }} | {% if keycloak_quarkus_frontend_url %} | ||||||
| hostname-admin={{ keycloak_quarkus_hostname_admin }} | hostname-url={{ keycloak_quarkus_frontend_url }} | ||||||
|  | {% else %} | ||||||
|  | hostname={{ keycloak_quarkus_host }} | ||||||
|  | hostname-port={{ keycloak_quarkus_port }} | ||||||
|  | hostname-path={{ keycloak_quarkus_path }} | ||||||
|  | {% endif %} | ||||||
|  | hostname-admin-url={{ keycloak_quarkus_admin_url }} | ||||||
| hostname-strict={{ keycloak_quarkus_hostname_strict | lower }} | hostname-strict={{ keycloak_quarkus_hostname_strict | lower }} | ||||||
| hostname-backchannel-dynamic={{ keycloak_quarkus_hostname_backchannel_dynamic | lower }} | hostname-strict-backchannel={{ keycloak_quarkus_hostname_strict_backchannel | lower }} | ||||||
| 
 | 
 | ||||||
| # Cluster | # Cluster | ||||||
| {% if keycloak_quarkus_ha_enabled %} | {% if keycloak_quarkus_ha_enabled %} | ||||||
| cache=ispn | cache=ispn | ||||||
| cache-config-file=cache-ispn.xml | cache-config-file=cache-ispn.xml | ||||||
| {% if keycloak_quarkus_cache_remote %} | {% if keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING' %} | ||||||
| cache-remote-username={{ keycloak_quarkus_cache_remote_username }} | # cache-stack=tcp # configured directly in `cache-ispn.xml` | ||||||
| cache-remote-password={{ keycloak_quarkus_cache_remote_password }} |  | ||||||
| cache-remote-host={{ keycloak_quarkus_cache_remote_host }} |  | ||||||
| cache-remote-port={{ keycloak_quarkus_cache_remote_port }} |  | ||||||
| cache-remote-tls-enabled={{ keycloak_quarkus_cache_remote_tls_enabled | lower }} |  | ||||||
| {% endif %} | {% endif %} | ||||||
| {% endif %} | {% endif %} | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -1,22 +1,22 @@ | ||||||
| {{ ansible_managed | comment }} | {{ ansible_managed | comment }} | ||||||
| {% if keycloak_quarkus_ha_enabled %} | {% if keycloak_quarkus_ha_enabled %} | ||||||
| {% if keycloak_quarkus_version.split('.')[0] | int < 22 %} | {% if keycloak_quarkus_version.split('.')[0] | int < 22 %} | ||||||
| quarkus.infinispan-client.server-list={{ keycloak_quarkus_cache_remote_host }}:{{ keycloak_quarkus_cache_remote_port }} | quarkus.infinispan-client.server-list={{ keycloak_quarkus_ispn_hosts }} | ||||||
| quarkus.infinispan-client.auth-username={{ keycloak_quarkus_cache_remote_username }} | quarkus.infinispan-client.auth-username={{ keycloak_quarkus_ispn_user }} | ||||||
| quarkus.infinispan-client.auth-password={{ keycloak_quarkus_cache_remote_password }} | quarkus.infinispan-client.auth-password={{ keycloak_quarkus_ispn_pass }} | ||||||
| {% else %} | {% else %} | ||||||
| quarkus.infinispan-client.hosts={{ keycloak_quarkus_cache_remote_host }}:{{ keycloak_quarkus_cache_remote_port }} | quarkus.infinispan-client.hosts={{ keycloak_quarkus_ispn_hosts }} | ||||||
| quarkus.infinispan-client.username={{ keycloak_quarkus_cache_remote_username }} | quarkus.infinispan-client.username={{ keycloak_quarkus_ispn_user }} | ||||||
| quarkus.infinispan-client.password={{ keycloak_quarkus_cache_remote_password }} | quarkus.infinispan-client.password={{ keycloak_quarkus_ispn_pass }} | ||||||
| {% endif %} | {% endif %} | ||||||
| quarkus.infinispan-client.client-intelligence=HASH_DISTRIBUTION_AWARE | quarkus.infinispan-client.client-intelligence=HASH_DISTRIBUTION_AWARE | ||||||
| quarkus.infinispan-client.use-auth=true | quarkus.infinispan-client.use-auth=true | ||||||
| quarkus.infinispan-client.auth-realm=default | quarkus.infinispan-client.auth-realm=default | ||||||
| quarkus.infinispan-client.auth-server-name=infinispan | quarkus.infinispan-client.auth-server-name=infinispan | ||||||
| quarkus.infinispan-client.sasl-mechanism={{ keycloak_quarkus_cache_remote_sasl_mechanism }} | quarkus.infinispan-client.sasl-mechanism={{ keycloak_quarkus_ispn_sasl_mechanism }} | ||||||
| {% if keycloak_quarkus_cache_remote_tls_enabled %} | {% if keycloak_quarkus_ispn_use_ssl %} | ||||||
| quarkus.infinispan-client.trust-store={{ keycloak_quarkus_https_trust_store_file }} | quarkus.infinispan-client.trust-store={{ keycloak_quarkus_ispn_trust_store_path }} | ||||||
| quarkus.infinispan-client.trust-store-password={{ keycloak_quarkus_https_trust_store_password }} | quarkus.infinispan-client.trust-store-password={{ keycloak_quarkus_ispn_trust_store_password }} | ||||||
| quarkus.infinispan-client.trust-store-type=jks | quarkus.infinispan-client.trust-store-type=jks | ||||||
| {% endif %} | {% endif %} | ||||||
| #quarkus.infinispan-client.use-schema-registration=true | #quarkus.infinispan-client.use-schema-registration=true | ||||||
|  |  | ||||||
|  | @ -1,8 +1,7 @@ | ||||||
| --- | --- | ||||||
| keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('openjdk-21-jdk-headless') }}" | keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('openjdk-17-jdk-headless') }}" | ||||||
| keycloak_quarkus_prereq_package_list: | keycloak_quarkus_prereq_package_list: | ||||||
|       - "{{ keycloak_quarkus_varjvm_package }}" |       - "{{ keycloak_quarkus_varjvm_package }}" | ||||||
|       - bash |  | ||||||
|       - unzip |       - unzip | ||||||
|       - procps |       - procps | ||||||
|       - apt |       - apt | ||||||
|  |  | ||||||
|  | @ -4,7 +4,8 @@ keycloak: # noqa var-naming this is an internal dict of interpolated values | ||||||
|   config_dir: "{{ keycloak_quarkus_config_dir }}" |   config_dir: "{{ keycloak_quarkus_config_dir }}" | ||||||
|   bundle: "{{ keycloak_quarkus_archive }}" |   bundle: "{{ keycloak_quarkus_archive }}" | ||||||
|   service_name: "keycloak" |   service_name: "keycloak" | ||||||
|   health_url: "{{ keycloak_quarkus_health_check_url | default(keycloak_quarkus_hostname ~ '/' ~ (keycloak_quarkus_health_check_url_path | default('realms/master/.well-known/openid-configuration'))) }}" |   health_url: "{{ 'https' if keycloak_quarkus_http_enabled == False else 'http' }}://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_https_port if keycloak_quarkus_http_enabled == False else keycloak_quarkus_http_port }}{{ keycloak_quarkus_http_relative_path }}{{ '/' \ | ||||||
|  |                if keycloak_quarkus_http_relative_path | length > 1 else '' }}{{ keycloak_quarkus_health_check_url_path | default('realms/master/.well-known/openid-configuration') }}" | ||||||
|   cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh" |   cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh" | ||||||
|   service_user: "{{ keycloak_quarkus_service_user }}" |   service_user: "{{ keycloak_quarkus_service_user }}" | ||||||
|   service_group: "{{ keycloak_quarkus_service_group }}" |   service_group: "{{ keycloak_quarkus_service_group }}" | ||||||
|  |  | ||||||
|  | @ -1,8 +1,7 @@ | ||||||
| --- | --- | ||||||
| keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('java-21-openjdk-headless') }}" | keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('java-17-openjdk-headless') }}" | ||||||
| keycloak_quarkus_prereq_package_list: | keycloak_quarkus_prereq_package_list: | ||||||
|       - "{{ keycloak_quarkus_varjvm_package }}" |       - "{{ keycloak_quarkus_varjvm_package }}" | ||||||
|       - bash |  | ||||||
|       - unzip |       - unzip | ||||||
|       - procps-ng |       - procps-ng | ||||||
|       - initscripts |       - initscripts | ||||||
|  |  | ||||||
|  | @ -19,7 +19,7 @@ Role Defaults | ||||||
| |`keycloak_management_http_port`| Management port | `9990` | | |`keycloak_management_http_port`| Management port | `9990` | | ||||||
| |`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` | | |`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` | | ||||||
| |`keycloak_client_public`| Configure a public realm client | `True` | | |`keycloak_client_public`| Configure a public realm client | `True` | | ||||||
| |`keycloak_client_web_origins`| Web origins for realm client | `/*` | | |`keycloak_client_web_origins`| Web origins for realm client | `+` | | ||||||
| |`keycloak_url`| URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` | | |`keycloak_url`| URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` | | ||||||
| |`keycloak_management_url`| URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` | | |`keycloak_management_url`| URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` | | ||||||
| 
 | 
 | ||||||
|  | @ -74,7 +74,6 @@ Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/ge | ||||||
|     - name: <name of the client> |     - name: <name of the client> | ||||||
|       id: <id of the client> |       id: <id of the client> | ||||||
|       client_id: <id of the client> |       client_id: <id of the client> | ||||||
|       secret: <secret of the client (Optional)> |  | ||||||
|       roles: <keycloak_client_default_roles> |       roles: <keycloak_client_default_roles> | ||||||
|       realm: <name of the realm that contains the client> |       realm: <name of the realm that contains the client> | ||||||
|       public_client: <true for public, false for confidential> |       public_client: <true for public, false for confidential> | ||||||
|  |  | ||||||
|  | @ -43,7 +43,7 @@ keycloak_client_default_roles: [] | ||||||
| keycloak_client_public: true | keycloak_client_public: true | ||||||
| 
 | 
 | ||||||
| # allowed web origins for the client | # allowed web origins for the client | ||||||
| keycloak_client_web_origins: '/*' | keycloak_client_web_origins: '+' | ||||||
| 
 | 
 | ||||||
| # list of user and role mappings to create in the client | # list of user and role mappings to create in the client | ||||||
| # Each user has the form: | # Each user has the form: | ||||||
|  | @ -54,7 +54,3 @@ keycloak_client_users: [] | ||||||
| 
 | 
 | ||||||
| ### List of Keycloak User Federation | ### List of Keycloak User Federation | ||||||
| keycloak_user_federation: [] | keycloak_user_federation: [] | ||||||
| 
 |  | ||||||
| # other settings |  | ||||||
| keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + (keycloak_jboss_port_offset | default(0)) }}" |  | ||||||
| keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + (keycloak_jboss_port_offset | default(0)) }}" |  | ||||||
|  |  | ||||||
|  | @ -53,7 +53,7 @@ argument_specs: | ||||||
|                 type: "bool" |                 type: "bool" | ||||||
|             keycloak_client_web_origins: |             keycloak_client_web_origins: | ||||||
|                 # line 42 of keycloak_realm/defaults/main.yml |                 # line 42 of keycloak_realm/defaults/main.yml | ||||||
|                 default: "/*" |                 default: "+" | ||||||
|                 description: "Web origins for realm client" |                 description: "Web origins for realm client" | ||||||
|                 type: "str" |                 type: "str" | ||||||
|             keycloak_client_users: |             keycloak_client_users: | ||||||
|  |  | ||||||
|  | @ -8,7 +8,7 @@ galaxy_info: | ||||||
| 
 | 
 | ||||||
|   license: Apache License 2.0 |   license: Apache License 2.0 | ||||||
| 
 | 
 | ||||||
|   min_ansible_version: "2.16" |   min_ansible_version: "2.15" | ||||||
| 
 | 
 | ||||||
|   platforms: |   platforms: | ||||||
|     - name: EL |     - name: EL | ||||||
|  |  | ||||||
|  | @ -15,7 +15,6 @@ | ||||||
|   ansible.builtin.uri: |   ansible.builtin.uri: | ||||||
|     url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}" |     url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}" | ||||||
|     method: GET |     method: GET | ||||||
|     validate_certs: false |  | ||||||
|     status_code: |     status_code: | ||||||
|       - 200 |       - 200 | ||||||
|       - 404 |       - 404 | ||||||
|  | @ -46,7 +45,7 @@ | ||||||
|     name: "{{ item.name }}" |     name: "{{ item.name }}" | ||||||
|     state: present |     state: present | ||||||
|     provider_id: "{{ item.provider_id }}" |     provider_id: "{{ item.provider_id }}" | ||||||
|     provider_type: "{{ item.provider_type | default('org.keycloak.storage.UserStorageProvider') }}" |     provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}" | ||||||
|     config: "{{ item.config }}" |     config: "{{ item.config }}" | ||||||
|     mappers: "{{ item.mappers | default(omit) }}" |     mappers: "{{ item.mappers | default(omit) }}" | ||||||
|   no_log: "{{ keycloak_no_log | default('True') }}" |   no_log: "{{ keycloak_no_log | default('True') }}" | ||||||
|  | @ -76,7 +75,6 @@ | ||||||
|     default_roles: "{{ item.roles | default(omit) }}" |     default_roles: "{{ item.roles | default(omit) }}" | ||||||
|     client_id: "{{ item.client_id | default(omit) }}" |     client_id: "{{ item.client_id | default(omit) }}" | ||||||
|     id: "{{ item.id | default(omit) }}" |     id: "{{ item.id | default(omit) }}" | ||||||
|     secret: "{{ item.secret | default(omit) }}" |  | ||||||
|     name: "{{ item.name | default(omit) }}" |     name: "{{ item.name | default(omit) }}" | ||||||
|     description: "{{ item.description | default(omit) }}" |     description: "{{ item.description | default(omit) }}" | ||||||
|     root_url: "{{ item.root_url | default('') }}" |     root_url: "{{ item.root_url | default('') }}" | ||||||
|  | @ -84,7 +82,7 @@ | ||||||
|     base_url: "{{ item.base_url | default('') }}" |     base_url: "{{ item.base_url | default('') }}" | ||||||
|     enabled: "{{ item.enabled | default(True) }}" |     enabled: "{{ item.enabled | default(True) }}" | ||||||
|     redirect_uris: "{{ item.redirect_uris | default(omit) }}" |     redirect_uris: "{{ item.redirect_uris | default(omit) }}" | ||||||
|     web_origins: "{{ item.web_origins | default(omit) }}" |     web_origins: "{{ item.web_origins | default('+') }}" | ||||||
|     bearer_only: "{{ item.bearer_only | default(omit) }}" |     bearer_only: "{{ item.bearer_only | default(omit) }}" | ||||||
|     standard_flow_enabled: "{{ item.standard_flow_enabled | default(omit) }}" |     standard_flow_enabled: "{{ item.standard_flow_enabled | default(omit) }}" | ||||||
|     implicit_flow_enabled: "{{ item.implicit_flow_enabled | default(omit) }}" |     implicit_flow_enabled: "{{ item.implicit_flow_enabled | default(omit) }}" | ||||||
|  | @ -94,7 +92,7 @@ | ||||||
|     protocol: "{{ item.protocol | default(omit) }}" |     protocol: "{{ item.protocol | default(omit) }}" | ||||||
|     attributes: "{{ item.attributes | default(omit) }}" |     attributes: "{{ item.attributes | default(omit) }}" | ||||||
|     state: present |     state: present | ||||||
|   no_log: "{{ keycloak_no_log | default('false') }}" |   no_log: "{{ keycloak_no_log | default('True') }}" | ||||||
|   register: create_client_result |   register: create_client_result | ||||||
|   loop: "{{ keycloak_clients | flatten }}" |   loop: "{{ keycloak_clients | flatten }}" | ||||||
|   when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined) |   when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined) | ||||||
|  | @ -112,6 +110,3 @@ | ||||||
|   loop_control: |   loop_control: | ||||||
|     loop_var: client |     loop_var: client | ||||||
|   when: "'users' in client" |   when: "'users' in client" | ||||||
|    |  | ||||||
| - name: Provide Access token lifespan |  | ||||||
|   ansible.builtin.include_tasks: manage_token_lifespan.yml |  | ||||||
|  |  | ||||||
|  | @ -1,14 +0,0 @@ | ||||||
| --- |  | ||||||
| - name: "Update Access token lifespan" |  | ||||||
|   ansible.builtin.uri: |  | ||||||
|     url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}" |  | ||||||
|     method: PUT |  | ||||||
|     body: |  | ||||||
|       accessTokenLifespan: 300 |  | ||||||
|     validate_certs: false |  | ||||||
|     body_format: json |  | ||||||
|     status_code: |  | ||||||
|       - 200 |  | ||||||
|       - 204 |  | ||||||
|     headers: |  | ||||||
|       Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" |  | ||||||
|  | @ -3,7 +3,6 @@ | ||||||
|   ansible.builtin.uri: |   ansible.builtin.uri: | ||||||
|     url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | default(keycloak_realm) }}" |     url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | default(keycloak_realm) }}" | ||||||
|     method: GET |     method: GET | ||||||
|     validate_certs: false |  | ||||||
|     status_code: |     status_code: | ||||||
|       - 200 |       - 200 | ||||||
|     headers: |     headers: | ||||||
|  | @ -17,7 +16,6 @@ | ||||||
|           default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | \ |           default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | \ | ||||||
|           selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available" |           selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available" | ||||||
|     method: GET |     method: GET | ||||||
|     validate_certs: false |  | ||||||
|     status_code: |     status_code: | ||||||
|       - 200 |       - 200 | ||||||
|     headers: |     headers: | ||||||
|  |  | ||||||
|  | @ -3,3 +3,7 @@ | ||||||
| 
 | 
 | ||||||
| # name of the realm to create, this is a required variable | # name of the realm to create, this is a required variable | ||||||
| keycloak_realm: | keycloak_realm: | ||||||
|  | 
 | ||||||
|  | # other settings | ||||||
|  | keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + (keycloak_jboss_port_offset | default(0)) }}" | ||||||
|  | keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + (keycloak_jboss_port_offset | default(0)) }}" | ||||||
|  |  | ||||||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue