Compare commits

..

No commits in common. "main" and "2.4.2" have entirely different histories.

95 changed files with 735 additions and 4512 deletions

View file

@ -6,23 +6,14 @@ on:
- main - main
pull_request: pull_request:
workflow_dispatch: workflow_dispatch:
inputs:
debug_verbosity:
description: 'ANSIBLE_VERBOSITY envvar value'
required: false
schedule: schedule:
- cron: '15 6 * * *' - cron: '15 6 * * *'
jobs: jobs:
ci: ci:
uses: ansible-middleware/github-actions/.github/workflows/cish.yml@main uses: ansible-middleware/github-actions/.github/workflows/ci.yml@main
secrets: inherit secrets: inherit
with: with:
fqcn: 'middleware_automation/keycloak' fqcn: 'middleware_automation/keycloak'
debug_verbosity: "${{ github.event.inputs.debug_verbosity }}"
molecule_tests: >- molecule_tests: >-
[ "debian", "quarkus", "quarkus_ha", "quarkus_ha_remote" ] [ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "quarkus_upgrade", "debian", "quarkus_ha" ]
podman_tests_current: >-
[ "default", "quarkus_devmode", "quarkus_upgrade" ]
podman_tests_next: >-
[ "default", "quarkus_devmode", "quarkus_upgrade" ]

View file

@ -1,9 +1,9 @@
name: Collect traffic stats name: Collect traffic stats
on: on:
schedule: schedule:
- cron: "51 23 * * 0" - cron: "51 23 * * 0"
workflow_dispatch: workflow_dispatch:
jobs: jobs:
traffic: traffic:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -11,12 +11,12 @@ jobs:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
with: with:
ref: "gh-pages" ref: "gh-pages"
- name: GitHub traffic - name: GitHub traffic
uses: sangonzal/repository-traffic-action@v.0.1.6 uses: sangonzal/repository-traffic-action@v.0.1.6
env: env:
TRAFFIC_ACTION_TOKEN: ${{ secrets.TRIGGERING_PAT }} TRAFFIC_ACTION_TOKEN: ${{ secrets.TRIGGERING_PAT }}
- name: Commit changes - name: Commit changes
uses: EndBug/add-and-commit@v4 uses: EndBug/add-and-commit@v4
with: with:

View file

@ -6,76 +6,6 @@ middleware\_automation.keycloak Release Notes
This changelog describes changes after version 0.2.6. This changelog describes changes after version 0.2.6.
v3.0.2
======
Minor Changes
-------------
- New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_
- New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_
- Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_
- Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_
Bugfixes
--------
- Fix ``keycloak_quarkus_force_install`` parameter being ignored by install `#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_
- Fix alternate download location being ignored (JBossNeworkAPI always used) `#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_
- Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_
- Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_
- keycloak_realm: federation default provider type should be a string `#302 <https://github.com/ansible-middleware/keycloak/pull/302>`_
v3.0.1
======
Minor Changes
-------------
- Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_
Bugfixes
--------
- Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_
v3.0.0
======
Minor Changes
-------------
- Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_
- keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_
Breaking Changes / Porting Guide
--------------------------------
- Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_
- Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_
- Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_
Bugfixes
--------
- Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_
- Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_
- Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_
- Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_
New Modules
-----------
- middleware_automation.keycloak.keycloak_realm - Allows administration of Keycloak realm via Keycloak API
v2.4.3
======
Minor Changes
-------------
- Update keycloak to 24.0.5 `#241 <https://github.com/ansible-middleware/keycloak/pull/241>`_
v2.4.2 v2.4.2
====== ======

View file

@ -1,37 +1,3 @@
## Developing
### Build and install locally
Clone the repository, checkout the tag you want to build, or pick the main branch for the development version; then:
ansible-galaxy collection build .
ansible-galaxy collection install middleware_automation-keycloak-*.tar.gz
### Development environment
Make sure your development machine has avilable:
* python 3.11+
* virtualenv
* docker (or podman)
In order to run setup the development environment and run the molecule tests locally, after cloning the repository:
```
# create new virtualenv using python 3
virtualenv $PATH_TO_DEV_VIRTUALENV
# activate the virtual env
source $PATH_TO_DEV_VIRTUALENV/bin/activate
# install ansible and tools onto the virtualenv
pip install yamllint 'molecule>=6.0' 'molecule-plugins[docker]' 'ansible-core>=2.16' ansible-lint
# install collection dependencies
ansible-galaxy collection install -r requirements.yml
# install python dependencies
pip install -r requirements.txt molecule/requirements.txt
# execute the tests (replace --all with -s subdirectory to run a single test)
molecule test --all
```
## Contributor's Guidelines ## Contributor's Guidelines

View file

@ -1,9 +1,9 @@
# Ansible Collection - middleware_automation.keycloak # Ansible Collection - middleware_automation.keycloak
<!--start build_status --> <!--start build_status -->
[![Build Status](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml) [![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
> **_NOTE:_ If you are Red Hat customer, install `redhat.rhbk` (for Red Hat Build of Keycloak) or `redhat.sso` (for Red Hat Single Sign-On) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.** > **_NOTE:_ If you are Red Hat customer, install `redhat.sso` (for Red Hat Single Sign-On) or `redhat.rhbk` (for Red Hat Build of Keycloak) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.**
<!--end build_status --> <!--end build_status -->
<!--start description --> <!--start description -->
@ -12,7 +12,7 @@ Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Re
<!--start requires_ansible--> <!--start requires_ansible-->
## Ansible version compatibility ## Ansible version compatibility
This collection has been tested against following Ansible versions: **>=2.16.0**. This collection has been tested against following Ansible versions: **>=2.15.0**.
Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions. Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
<!--end requires_ansible--> <!--end requires_ansible-->
@ -49,10 +49,9 @@ A requirement file is provided to install:
<!--start roles_paths --> <!--start roles_paths -->
### Included roles ### Included roles
* `keycloak_quarkus`: role for installing keycloak (>= 19.0.0, quarkus based). * [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service (keycloak <= 19.0).
* `keycloak_realm`: role for configuring a realm, user federation(s), clients and users, in an installed service. * [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
* `keycloak`: role for installing legacy keycloak (<= 19.0, wildfly based). * [`keycloak_quarkus`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md): role for installing the quarkus variant of keycloak (>= 17.0.0).
<!--end roles_paths --> <!--end roles_paths -->
## Usage ## Usage
@ -60,9 +59,9 @@ A requirement file is provided to install:
### Install Playbook ### Install Playbook
<!--start rhbk_playbook --> <!--start rhbk_playbook -->
* [`playbooks/keycloak_quarkus.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_quarkus.yml) installs keycloak >= 17 based on the defined variables (using most defaults).
* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs keycloak legacy based on the defined variables (using most defaults). * [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs keycloak legacy based on the defined variables (using most defaults).
* [`playbooks/keycloak_quarkus.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_quarkus.yml) installs keycloak >= 17 based on the defined variables (using most defaults).
Both playbooks include the `keycloak` role, with different settings, as described in the following sections. Both playbooks include the `keycloak` role, with different settings, as described in the following sections.
For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md). For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md).
@ -93,7 +92,7 @@ Execute the following command from the source root directory
``` ```
ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme> ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme>
``` ```
- `keycloak_admin_password` Password for the administration console user account. - `keycloak_admin_password` Password for the administration console user account.
- `ansible_hosts` is the inventory, below is an example inventory for deploying to localhost - `ansible_hosts` is the inventory, below is an example inventory for deploying to localhost
@ -144,3 +143,4 @@ Apache License v2.0 or later
<!--start license --> <!--start license -->
See [LICENSE](LICENSE) to view the full text. See [LICENSE](LICENSE) to view the full text.
<!--end license --> <!--end license -->

View file

@ -604,118 +604,3 @@ releases:
- 237.yaml - 237.yaml
- 239.yaml - 239.yaml
release_date: '2024-09-26' release_date: '2024-09-26'
2.4.3:
changes:
minor_changes:
- 'Update keycloak to 24.0.5 `#241 <https://github.com/ansible-middleware/keycloak/pull/241>`_
'
fragments:
- 241.yaml
release_date: '2024-10-16'
3.0.0:
changes:
breaking_changes:
- 'Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_
'
- 'Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_
'
- 'Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_
'
bugfixes:
- 'Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_
'
- 'Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_
'
- 'Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_
'
- 'Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_
'
minor_changes:
- 'Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_
'
- 'keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_
'
fragments:
- 250.yaml
- 251.yaml
- 252.yaml
- 254.yaml
- 266.yaml
- 268.yaml
- 270.yaml
- 271.yaml
- 274.yaml
modules:
- description: Allows administration of Keycloak realm via Keycloak API
name: keycloak_realm
namespace: ''
release_date: '2025-04-23'
3.0.1:
changes:
bugfixes:
- 'Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_
'
minor_changes:
- 'Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_
'
fragments:
- 276.yaml
- 277.yaml
release_date: '2025-05-02'
3.0.2:
changes:
bugfixes:
- 'Fix ``keycloak_quarkus_force_install`` parameter being ignored by install
`#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_
'
- 'Fix alternate download location being ignored (JBossNeworkAPI always used)
`#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_
'
- 'Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_
'
- 'Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_
'
- 'keycloak_realm: federation default provider type should be a string `#302
<https://github.com/ansible-middleware/keycloak/pull/302>`_
'
minor_changes:
- 'New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_
'
- 'New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_
'
- 'Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_
'
- 'Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_
'
fragments:
- 280.yaml
- 281.yaml
- 283.yaml
- 285.yaml
- 287.yaml
- 289.yaml
- 296.yaml
- 298.yaml
- 302.yaml
release_date: '2025-07-01'

View file

@ -7,7 +7,7 @@
</div> </div>
<hr/> <hr/>
<div role="contentinfo"> <div role="contentinfo">
<p>&#169; Copyright 2024, Red Hat, Inc.</p> <p>&#169; Copyright 2022, Red Hat, Inc.</p>
</div> </div>
Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
<a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a> <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
@ -18,4 +18,4 @@
</section> </section>
</div> </div>
</body> </body>
</html> </html>

View file

@ -10,25 +10,31 @@ Welcome to Keycloak Collection documentation
README README
plugins/index plugins/index
roles/index roles/index
Changelog <CHANGELOG>
.. toctree:: .. toctree::
:maxdepth: 2 :maxdepth: 2
:caption: Developer documentation :caption: Developer documentation
Developing <developing> testing
Testing <testing> developing
Releasing <releasing> releasing
.. toctree::
:maxdepth: 2
:caption: General
Changelog <CHANGELOG>
.. toctree:: .. toctree::
:maxdepth: 2 :maxdepth: 2
:caption: Middleware collections :caption: Middleware collections
Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/main/>
Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/> Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/>
Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/main/>
Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/main/> Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/main/>
Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/main/> Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/main/>
ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/main/> ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/main/>
Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/main/> Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/main/>
Ansible Middleware utilities <https://ansible-middleware.github.io/common/main/> Ansible Middleware utilities <https://ansible-middleware.github.io/common/main/>
Red Hat CSP Download <https://ansible-middleware.github.io/redhat-csp-download/main/>
JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/main/> JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/main/>

View file

@ -1,7 +1,7 @@
antsibull>=0.17.0 antsibull>=0.17.0
antsibull-docs antsibull-docs
antsibull-changelog antsibull-changelog
ansible-core>=2.16.0 ansible-core>=2.14.1
ansible-pygments ansible-pygments
sphinx-rtd-theme sphinx-rtd-theme
git+https://github.com/felixfontein/ansible-basic-sphinx-ext git+https://github.com/felixfontein/ansible-basic-sphinx-ext

View file

@ -4,7 +4,24 @@
The collection is tested with a [molecule](https://github.com/ansible-community/molecule) setup covering the included roles and verifying correct installation and idempotency. The collection is tested with a [molecule](https://github.com/ansible-community/molecule) setup covering the included roles and verifying correct installation and idempotency.
In order to run the molecule tests locally with python 3.9 available, after cloning the repository: In order to run the molecule tests locally with python 3.9 available, after cloning the repository:
The test scenarios are available on the source code repository each on his own subdirectory under [molecule/](https://github.com/ansible-middleware/keycloak/molecule).
```
pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
molecule test --all
```
## Integration testing
Demo repositories which depend on the collection, and aggregate functionality with other middleware_automation collections, are automatically rebuilt
at every collection release to ensure non-breaking changes and consistent behaviour.
The repository are:
- [Flange demo](https://github.com/ansible-middleware/flange-demo)
A deployment of Wildfly cluster integrated with keycloak and infinispan.
- [CrossDC keycloak demo](https://github.com/ansible-middleware/cross-dc-rhsso-demo)
A clustered multi-regional installation of keycloak with infinispan remote caches.
## Test playbooks ## Test playbooks
@ -12,7 +29,15 @@ The test scenarios are available on the source code repository each on his own s
Sample playbooks are provided in the `playbooks/` directory; to run the playbooks locally (requires a rhel system with python 3.9+, ansible, and systemd) the steps are as follows: Sample playbooks are provided in the `playbooks/` directory; to run the playbooks locally (requires a rhel system with python 3.9+, ansible, and systemd) the steps are as follows:
``` ```
# setup environment as in developing # setup environment
pip install ansible-core
# clone the repository
git clone https://github.com/ansible-middleware/keycloak
cd keycloak
# install collection dependencies
ansible-galaxy collection install -r requirements.yml
# install collection python deps
pip install -r requirements.txt
# create inventory for localhost # create inventory for localhost
cat << EOF > inventory cat << EOF > inventory
[keycloak] [keycloak]

View file

@ -1,7 +1,7 @@
--- ---
namespace: middleware_automation namespace: middleware_automation
name: keycloak name: keycloak
version: "3.0.3" version: "2.4.2"
readme: README.md readme: README.md
authors: authors:
- Romain Pelisse <rpelisse@redhat.com> - Romain Pelisse <rpelisse@redhat.com>

View file

@ -1,2 +1,2 @@
--- ---
requires_ansible: ">=2.16.0" requires_ansible: ">=2.15.0"

View file

@ -3,42 +3,40 @@
hosts: all hosts: all
vars: vars:
keycloak_quarkus_show_deprecation_warnings: false keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" keycloak_realm: TestRealm
keycloak_quarkus_hostname: http://instance:8080
keycloak_quarkus_log: file keycloak_quarkus_log: file
keycloak_quarkus_start_dev: true keycloak_quarkus_frontend_url: 'http://localhost:8080/'
keycloak_quarkus_start_dev: True
keycloak_quarkus_proxy_mode: none keycloak_quarkus_proxy_mode: none
keycloak_client_default_roles:
- TestRoleAdmin
- TestRoleUser
keycloak_client_users:
- username: TestUser
password: password
client_roles:
- client: TestClient
role: TestRoleUser
- username: TestAdmin
password: password
client_roles:
- client: TestClient
role: TestRoleUser
- client: TestClient
role: TestRoleAdmin
keycloak_clients:
- name: TestClient
roles: "{{ keycloak_client_default_roles }}"
public_client: "{{ keycloak_client_public }}"
web_origins: "{{ keycloak_client_web_origins }}"
users: "{{ keycloak_client_users }}"
client_id: TestClient
attributes:
post.logout.redirect.uris: '/public/logout'
roles: roles:
- role: keycloak_quarkus - role: keycloak_quarkus
- role: keycloak_realm - role: keycloak_realm
keycloak_url: "{{ keycloak_quarkus_hostname }}"
keycloak_context: ''
keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
keycloak_client_users:
- username: TestUser
password: password
client_roles:
- client: TestClient
role: TestRoleUser
realm: "{{ keycloak_realm }}"
- username: TestAdmin
password: password
client_roles:
- client: TestClient
role: TestRoleUser
realm: "{{ keycloak_realm }}"
- client: TestClient
role: TestRoleAdmin
realm: "{{ keycloak_realm }}"
keycloak_realm: TestRealm keycloak_realm: TestRealm
keycloak_clients: keycloak_admin_password: "remembertochangeme"
- name: TestClient keycloak_context: ''
realm: "{{ keycloak_realm }}"
public_client: "{{ keycloak_client_public }}"
web_origins: "{{ keycloak_client_web_origins }}"
users: "{{ keycloak_client_users }}"
client_id: TestClient
attributes:
post.logout.redirect.uris: '/public/logout'

View file

@ -3,7 +3,7 @@ driver:
name: docker name: docker
platforms: platforms:
- name: instance - name: instance
image: ghcr.io/hspaans/molecule-containers:debian-13 image: ghcr.io/hspaans/molecule-containers:debian-11
pre_build_image: true pre_build_image: true
privileged: true privileged: true
port_bindings: port_bindings:

View file

@ -7,5 +7,5 @@
ansible.builtin.apt: ansible.builtin.apt:
name: name:
- sudo - sudo
- openjdk-21-jdk-headless - openjdk-17-jdk-headless
- iproute2 state: present

View file

@ -2,7 +2,7 @@
- name: Verify - name: Verify
hosts: all hosts: all
vars: vars:
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" keycloak_admin_password: "remembertochangeme"
keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}" keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}" keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
keycloak_jboss_port_offset: 10 keycloak_jboss_port_offset: 10

View file

@ -3,24 +3,23 @@
hosts: all hosts: all
vars: vars:
keycloak_quarkus_show_deprecation_warnings: false keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" keycloak_admin_password: "remembertochangeme"
keycloak_quarkus_hostname: http://instance:8080 keycloak_quarkus_host: instance
keycloak_quarkus_log: file keycloak_quarkus_log: file
keycloak_quarkus_log_level: debug keycloak_quarkus_log_level: debug
keycloak_quarkus_log_target: /tmp/keycloak keycloak_quarkus_log_target: /tmp/keycloak
keycloak_quarkus_start_dev: true keycloak_quarkus_start_dev: True
keycloak_quarkus_proxy_mode: none keycloak_quarkus_proxy_mode: none
keycloak_quarkus_offline_install: true keycloak_quarkus_offline_install: true
keycloak_quarkus_download_path: /tmp/keycloak/ keycloak_quarkus_download_path: /tmp/keycloak/
keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m "
roles: roles:
- role: keycloak_quarkus - role: keycloak_quarkus
- role: keycloak_realm - role: keycloak_realm
keycloak_url: "{{ keycloak_quarkus_hostname }}"
keycloak_context: '' keycloak_context: ''
keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}" keycloak_client_default_roles:
keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}" - TestRoleAdmin
- TestRoleUser
keycloak_client_users: keycloak_client_users:
- username: TestUser - username: TestUser
password: password password: password
@ -40,6 +39,7 @@
keycloak_realm: TestRealm keycloak_realm: TestRealm
keycloak_clients: keycloak_clients:
- name: TestClient - name: TestClient
roles: "{{ keycloak_client_default_roles }}"
realm: "{{ keycloak_realm }}" realm: "{{ keycloak_realm }}"
public_client: "{{ keycloak_client_public }}" public_client: "{{ keycloak_client_public }}"
web_origins: "{{ keycloak_client_web_origins }}" web_origins: "{{ keycloak_client_web_origins }}"

View file

@ -1,9 +1,9 @@
--- ---
driver: driver:
name: podman name: docker
platforms: platforms:
- name: instance - name: instance
image: registry.access.redhat.com/ubi9/ubi-init:latest image: registry.access.redhat.com/ubi8/ubi-init:latest
pre_build_image: true pre_build_image: true
privileged: true privileged: true
command: "/usr/sbin/init" command: "/usr/sbin/init"
@ -11,7 +11,6 @@ platforms:
- "8080/tcp" - "8080/tcp"
- "8443/tcp" - "8443/tcp"
- "8009/tcp" - "8009/tcp"
- "9000/tcp"
provisioner: provisioner:
name: ansible name: ansible
config_options: config_options:
@ -29,8 +28,6 @@ provisioner:
ansible_python_interpreter: "{{ ansible_playbook_python }}" ansible_python_interpreter: "{{ ansible_playbook_python }}"
env: env:
ANSIBLE_FORCE_COLOR: "true" ANSIBLE_FORCE_COLOR: "true"
PROXY: "${PROXY}"
NO_PROXY: "${NO_PROXY}"
verifier: verifier:
name: ansible name: ansible
scenario: scenario:

View file

@ -7,6 +7,10 @@
tasks: tasks:
- name: "Run preparation common to all scenario" - name: "Run preparation common to all scenario"
ansible.builtin.include_tasks: ../prepare.yml ansible.builtin.include_tasks: ../prepare.yml
vars:
assets:
- "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip"
- "{{ assets_server }}/sso/7.6.1/rh-sso-7.6.1-patch.zip"
- name: Create controller directory for downloads - name: Create controller directory for downloads
ansible.builtin.file: # noqa risky-file-permissions delegated, uses controller host user ansible.builtin.file: # noqa risky-file-permissions delegated, uses controller host user
@ -18,7 +22,7 @@
- name: Download keycloak archive to controller directory - name: Download keycloak archive to controller directory
ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
url: https://github.com/keycloak/keycloak/releases/download/26.3.0/keycloak-26.3.0.zip url: https://github.com/keycloak/keycloak/releases/download/24.0.4/keycloak-24.0.4.zip
dest: /tmp/keycloak dest: /tmp/keycloak
mode: '0640' mode: '0640'
delegate_to: localhost delegate_to: localhost

View file

@ -2,8 +2,7 @@
- name: Verify - name: Verify
hosts: all hosts: all
vars: vars:
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" keycloak_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
keycloak_uri: "http://localhost:8080" keycloak_uri: "http://localhost:8080"
tasks: tasks:
- name: Populate service facts - name: Populate service facts
@ -17,7 +16,7 @@
ansible.builtin.uri: ansible.builtin.uri:
url: "{{ keycloak_uri }}/realms/master/protocol/openid-connect/token" url: "{{ keycloak_uri }}/realms/master/protocol/openid-connect/token"
method: POST method: POST
body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_user }}&grant_type=password" body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no validate_certs: no
register: keycloak_auth_response register: keycloak_auth_response
until: keycloak_auth_response.status == 200 until: keycloak_auth_response.status == 200

View file

@ -3,14 +3,15 @@
hosts: all hosts: all
vars: vars:
keycloak_quarkus_show_deprecation_warnings: false keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" keycloak_admin_password: "remembertochangeme"
keycloak_quarkus_hostname: https://proxy keycloak_realm: TestRealm
keycloak_quarkus_host: instance
keycloak_quarkus_log: file keycloak_quarkus_log: file
keycloak_quarkus_http_enabled: True keycloak_quarkus_http_enabled: True
keycloak_quarkus_http_port: 8080 keycloak_quarkus_http_port: 8080
keycloak_quarkus_proxy_mode: edge keycloak_quarkus_proxy_mode: edge
keycloak_quarkus_http_relative_path: / keycloak_quarkus_http_relative_path: /
keycloak_quarkus_health_check_url: http://proxy:8080/realms/master/.well-known/openid-configuration keycloak_quarkus_frontend_url: https://proxy/
roles: roles:
- role: keycloak_quarkus - role: keycloak_quarkus

View file

@ -3,7 +3,7 @@ driver:
name: docker name: docker
platforms: platforms:
- name: instance - name: instance
image: registry.access.redhat.com/ubi9/ubi-init:latest image: registry.access.redhat.com/ubi8/ubi-init:latest
pre_build_image: true pre_build_image: true
privileged: true privileged: true
command: "/usr/sbin/init" command: "/usr/sbin/init"
@ -14,7 +14,7 @@ platforms:
published_ports: published_ports:
- 0.0.0.0:8080:8080/tcp - 0.0.0.0:8080:8080/tcp
- name: proxy - name: proxy
image: registry.access.redhat.com/ubi9/ubi-init:latest image: registry.access.redhat.com/ubi8/ubi-init:latest
pre_build_image: true pre_build_image: true
privileged: true privileged: true
command: "/usr/sbin/init" command: "/usr/sbin/init"

View file

@ -3,7 +3,7 @@ driver:
name: docker name: docker
platforms: platforms:
- name: instance - name: instance
image: registry.access.redhat.com/ubi9/ubi-init:latest image: registry.access.redhat.com/ubi8/ubi-init:latest
pre_build_image: true pre_build_image: true
privileged: true privileged: true
command: "/usr/sbin/init" command: "/usr/sbin/init"
@ -11,7 +11,6 @@ platforms:
- "8080/tcp" - "8080/tcp"
- "8443/tcp" - "8443/tcp"
- "8009/tcp" - "8009/tcp"
- "9000/tcp"
provisioner: provisioner:
name: ansible name: ansible
config_options: config_options:

View file

@ -3,23 +3,18 @@
hosts: all hosts: all
vars: vars:
keycloak_quarkus_show_deprecation_warnings: false keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" keycloak_admin_password: "remembertochangeme"
keycloak_realm: TestRealm keycloak_realm: TestRealm
keycloak_quarkus_log: file keycloak_quarkus_log: file
keycloak_quarkus_hostname: 'http://localhost:8080' keycloak_quarkus_frontend_url: 'http://localhost:8080/'
keycloak_quarkus_start_dev: True keycloak_quarkus_start_dev: True
keycloak_quarkus_proxy_mode: none keycloak_quarkus_proxy_mode: none
keycloak_quarkus_java_home: /opt/openjdk/ keycloak_quarkus_java_home: /opt/openjdk/
keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m"
roles: roles:
- role: keycloak_quarkus - role: keycloak_quarkus
- role: keycloak_realm - role: keycloak_realm
keycloak_url: "{{ keycloak_quarkus_hostname }}"
keycloak_context: '' keycloak_context: ''
keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
keycloak_client_default_roles: keycloak_client_default_roles:
- TestRoleAdmin - TestRoleAdmin
- TestRoleUser - TestRoleUser

View file

@ -1,19 +1,17 @@
--- ---
driver: driver:
name: podman name: docker
platforms: platforms:
- name: instance - name: instance
image: registry.access.redhat.com/ubi9/ubi-init:latest image: registry.access.redhat.com/ubi8/ubi-init:latest
pre_build_image: true pre_build_image: true
privileged: true privileged: true
command: "/usr/sbin/init" command: "/usr/sbin/init"
port_bindings: port_bindings:
- "8080/tcp" - "8080/tcp"
- "8009/tcp" - "8009/tcp"
- "9000/tcp"
published_ports: published_ports:
- 0.0.0.0:8080:8080/tcp - 0.0.0.0:8080:8080/tcp
- 0.0.0.0:9000:9000/TCP
provisioner: provisioner:
name: ansible name: ansible
config_options: config_options:
@ -31,8 +29,6 @@ provisioner:
ansible_python_interpreter: "{{ ansible_playbook_python }}" ansible_python_interpreter: "{{ ansible_playbook_python }}"
env: env:
ANSIBLE_FORCE_COLOR: "true" ANSIBLE_FORCE_COLOR: "true"
PROXY: "${PROXY}"
NO_PROXY: "${NO_PROXY}"
verifier: verifier:
name: ansible name: ansible
scenario: scenario:

View file

@ -3,10 +3,10 @@
hosts: all hosts: all
vars: vars:
keycloak_quarkus_show_deprecation_warnings: false keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" keycloak_admin_password: "remembertochangeme"
keycloak_realm: TestRealm keycloak_realm: TestRealm
keycloak_quarkus_hostname: https://instance:8443 keycloak_quarkus_host: instance
keycloak_quarkus_log: file keycloak_quarkus_log: file
keycloak_quarkus_log_level: debug # needed for the verify step keycloak_quarkus_log_level: debug # needed for the verify step
keycloak_quarkus_https_key_file_enabled: true keycloak_quarkus_https_key_file_enabled: true
@ -22,12 +22,6 @@
keycloak_quarkus_systemd_wait_for_timeout: 20 keycloak_quarkus_systemd_wait_for_timeout: 20
keycloak_quarkus_systemd_wait_for_delay: 2 keycloak_quarkus_systemd_wait_for_delay: 2
keycloak_quarkus_systemd_wait_for_log: true keycloak_quarkus_systemd_wait_for_log: true
keycloak_quarkus_restart_health_check: false # would fail because of self-signed cert
keycloak_quarkus_version: 26.3.0
keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx1024m"
keycloak_quarkus_additional_env_vars:
- key: KC_FEATURES_DISABLED
value: impersonation,kerberos
keycloak_quarkus_providers: keycloak_quarkus_providers:
- id: http-client - id: http-client
spi: connections spi: connections
@ -38,32 +32,26 @@
value: 10 value: 10
- id: spid-saml - id: spid-saml
url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
- id: spid-saml-w-checksum
url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
checksum: sha256:fbb50e73739d7a6d35b5bff611b1c01668b29adf6f6259624b95e466a305f377
- id: keycloak-kerberos-federation - id: keycloak-kerberos-federation
maven: maven:
repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4 repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4
group_id: org.keycloak group_id: org.keycloak
artifact_id: keycloak-kerberos-federation artifact_id: keycloak-kerberos-federation
version: 26.3.0 # optional version: 24.0.4 # optional
# username: myUser # optional # username: myUser # optional
# password: myPAT # optional # password: myPAT # optional
# - id: my-static-theme # - id: my-static-theme
# local_path: /tmp/my-static-theme.jar # local_path: /tmp/my-static-theme.jar
keycloak_quarkus_policies: keycloak_quarkus_policies:
- name: "cain-and-abel.txt" - name: "xato-net-10-million-passwords.txt"
url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/cain-and-abel.txt" url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt"
- name: "john-the-ripper.txt" - name: "xato-net-10-million-passwords-10.txt"
url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt" url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords-10.txt"
type: password-blacklists type: password-blacklists
roles: roles:
- role: keycloak_quarkus - role: keycloak_quarkus
- role: keycloak_realm - role: keycloak_realm
keycloak_url: http://instance:8080
keycloak_context: '' keycloak_context: ''
keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
keycloak_client_default_roles: keycloak_client_default_roles:
- TestRoleAdmin - TestRoleAdmin
- TestRoleUser - TestRoleUser

View file

@ -3,7 +3,7 @@ driver:
name: docker name: docker
platforms: platforms:
- name: instance - name: instance
image: registry.access.redhat.com/ubi9/ubi-init:latest image: registry.access.redhat.com/ubi8/ubi-init:latest
pre_build_image: true pre_build_image: true
privileged: true privileged: true
command: "/usr/sbin/init" command: "/usr/sbin/init"
@ -11,7 +11,6 @@ platforms:
- "8080/tcp" - "8080/tcp"
- "8443/tcp" - "8443/tcp"
- "8009/tcp" - "8009/tcp"
- "9000/tcp"
published_ports: published_ports:
- 0.0.0.0:8443:8443/tcp - 0.0.0.0:8443:8443/tcp
provisioner: provisioner:
@ -31,9 +30,6 @@ provisioner:
ansible_python_interpreter: "{{ ansible_playbook_python }}" ansible_python_interpreter: "{{ ansible_playbook_python }}"
env: env:
ANSIBLE_FORCE_COLOR: "true" ANSIBLE_FORCE_COLOR: "true"
PYTHONHTTPSVERIFY: 0
PROXY: "${PROXY}"
NO_PROXY: "${NO_PROXY}"
verifier: verifier:
name: ansible name: ansible
scenario: scenario:

View file

@ -24,7 +24,7 @@
- name: Make sure a jre is available (for keytool to prepare keystore) - name: Make sure a jre is available (for keytool to prepare keystore)
delegate_to: localhost delegate_to: localhost
ansible.builtin.package: ansible.builtin.package:
name: java-21-openjdk-headless name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
state: present state: present
become: true become: true
failed_when: false failed_when: false

View file

@ -2,8 +2,7 @@
- name: Verify - name: Verify
hosts: all hosts: all
vars: vars:
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" keycloak_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
tasks: tasks:
- name: Populate service facts - name: Populate service facts
ansible.builtin.service_facts: ansible.builtin.service_facts:
@ -36,10 +35,10 @@
- name: Verify endpoint URLs - name: Verify endpoint URLs
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance:8443/realms/master/protocol/openid-connect/ext/ciba/auth' - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance/realms/master/protocol/openid-connect/ext/ciba/auth'
- (openid_config.stdout | from_json)['issuer'] == 'https://instance:8443/realms/master' - (openid_config.stdout | from_json)['issuer'] == 'https://instance/realms/master'
- (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/auth' - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/auth'
- (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/token' - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/token'
delegate_to: localhost delegate_to: localhost
- name: Check log folder - name: Check log folder
@ -92,7 +91,7 @@
ansible.builtin.uri: ansible.builtin.uri:
url: "https://instance:8443/realms/master/protocol/openid-connect/token" url: "https://instance:8443/realms/master/protocol/openid-connect/token"
method: POST method: POST
body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_password}}&grant_type=password" body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no validate_certs: no
register: keycloak_auth_response register: keycloak_auth_response
until: keycloak_auth_response.status == 200 until: keycloak_auth_response.status == 200
@ -102,8 +101,8 @@
- name: "Get Clients" - name: "Get Clients"
ansible.builtin.uri: ansible.builtin.uri:
url: "https://instance:8443/admin/realms/TestRealm/clients" url: "https://instance:8443/admin/realms/TestRealm/clients"
validate_certs: false
headers: headers:
validate_certs: false
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_clients register: keycloak_clients
@ -114,15 +113,15 @@
- name: "Get Client {{ keycloak_client_uuid }}" - name: "Get Client {{ keycloak_client_uuid }}"
ansible.builtin.uri: ansible.builtin.uri:
url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}" url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}"
validate_certs: false
headers: headers:
validate_certs: false
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_test_client register: keycloak_test_client
- name: "Get Client roles" - name: "Get Client roles"
ansible.builtin.uri: ansible.builtin.uri:
url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}/roles" url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}/roles"
validate_certs: false
headers: headers:
validate_certs: false
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}" Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
register: keycloak_test_client_roles register: keycloak_test_client_roles

View file

@ -3,9 +3,10 @@
hosts: keycloak hosts: keycloak
vars: vars:
keycloak_quarkus_show_deprecation_warnings: false keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme" keycloak_admin_password: "remembertochangeme"
keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080" keycloak_realm: TestRealm
keycloak_quarkus_host: "{{ inventory_hostname }}"
keycloak_quarkus_log: file keycloak_quarkus_log: file
keycloak_quarkus_log_level: info keycloak_quarkus_log_level: info
keycloak_quarkus_https_key_file_enabled: true keycloak_quarkus_https_key_file_enabled: true
@ -24,6 +25,6 @@
keycloak_quarkus_restart_strategy: restart/serial.yml keycloak_quarkus_restart_strategy: restart/serial.yml
keycloak_quarkus_db_user: keycloak keycloak_quarkus_db_user: keycloak
keycloak_quarkus_db_pass: mysecretpass keycloak_quarkus_db_pass: mysecretpass
keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak keycloak_quarkus_jdbc_url: jdbc:postgresql://postgres:5432/keycloak
roles: roles:
- role: keycloak_quarkus - role: keycloak_quarkus

View file

@ -14,7 +14,6 @@ platforms:
port_bindings: port_bindings:
- "8080/tcp" - "8080/tcp"
- "8443/tcp" - "8443/tcp"
- "9000/tcp"
- name: instance2 - name: instance2
image: registry.access.redhat.com/ubi9/ubi-init:latest image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true pre_build_image: true
@ -27,7 +26,6 @@ platforms:
port_bindings: port_bindings:
- "8080/tcp" - "8080/tcp"
- "8443/tcp" - "8443/tcp"
- "9000/tcp"
- name: postgres - name: postgres
image: ubuntu/postgres:14-22.04_beta image: ubuntu/postgres:14-22.04_beta
pre_build_image: true pre_build_image: true
@ -65,7 +63,6 @@ provisioner:
ansible_python_interpreter: "{{ ansible_playbook_python }}" ansible_python_interpreter: "{{ ansible_playbook_python }}"
env: env:
ANSIBLE_FORCE_COLOR: "true" ANSIBLE_FORCE_COLOR: "true"
PYTHONHTTPSVERIFY: 0
verifier: verifier:
name: ansible name: ansible
scenario: scenario:

View file

@ -1,57 +0,0 @@
---
- name: Converge
hosts: infinispan
roles:
- role: middleware_automation.infinispan.infinispan
infinispan_service_name: infinispan
infinispan_supervisor_password: remembertochangeme
infinispan_keycloak_caches: true
infinispan_keycloak_persistence: False
infinispan_jdbc_engine: postgres
infinispan_jdbc_url: jdbc:postgresql://postgres:5432/keycloak
infinispan_jdbc_driver_version: 9.4.1212
infinispan_jdbc_user: keycloak
infinispan_jdbc_pass: mysecretpass
infinispan_bind_address: "{{ ansible_default_ipv4.address }}"
infinispan_users:
- { name: 'testuser', password: 'test', roles: 'observer' }
- name: Converge
hosts: keycloak
vars:
keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
keycloak_quarkus_log: file
keycloak_quarkus_log_level: info
keycloak_quarkus_https_key_file_enabled: true
keycloak_quarkus_key_file_copy_enabled: true
keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}"
keycloak_quarkus_cert_file_copy_enabled: true
keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem"
keycloak_quarkus_ks_vault_enabled: true
keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
keycloak_quarkus_ks_vault_pass: keystorepassword
keycloak_quarkus_systemd_wait_for_port: true
keycloak_quarkus_systemd_wait_for_timeout: 20
keycloak_quarkus_systemd_wait_for_delay: 2
keycloak_quarkus_systemd_wait_for_log: true
keycloak_quarkus_ha_enabled: true
keycloak_quarkus_restart_strategy: restart/serial.yml
keycloak_quarkus_db_user: keycloak
keycloak_quarkus_db_pass: mysecretpass
keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
keycloak_quarkus_cache_remote: true
keycloak_quarkus_cache_remote_username: supervisor
keycloak_quarkus_cache_remote_password: remembertochangeme
keycloak_quarkus_cache_remote_host: "infinispan1"
keycloak_quarkus_cache_remote_port: 11222
keycloak_quarkus_cache_remote_tls_enabled: false
keycloak_quarkus_additional_env_vars:
- key: KC_FEATURES
value: clusterless
- key: KC_FEATURES_DISABLED
value: persistent-user-sessions
roles:
- role: keycloak_quarkus

View file

@ -1,80 +0,0 @@
---
driver:
name: docker
platforms:
- name: keycloak1
image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
groups:
- keycloak
networks:
- name: rhbk
port_bindings:
- "8080/tcp"
- "8443/tcp"
- "9000/tcp"
- name: infinispan1
image: registry.access.redhat.com/ubi9/ubi-init:latest
pre_build_image: true
privileged: true
command: "/usr/sbin/init"
groups:
- infinispan
networks:
- name: rhbk
port_bindings:
- "11222/tcp"
- name: postgres
image: ubuntu/postgres:14-22.04_beta
pre_build_image: true
privileged: true
command: postgres
groups:
- database
networks:
- name: rhbk
port_bindings:
- "5432/tcp"
mounts:
- type: bind
target: /etc/postgresql/postgresql.conf
source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf
env:
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: mysecretpass
POSTGRES_DB: keycloak
POSTGRES_HOST_AUTH_METHOD: trust
provisioner:
name: ansible
config_options:
defaults:
interpreter_python: auto_silent
ssh_connection:
pipelining: false
playbooks:
prepare: prepare.yml
converge: converge.yml
verify: verify.yml
inventory:
host_vars:
localhost:
ansible_python_interpreter: "{{ ansible_playbook_python }}"
env:
ANSIBLE_FORCE_COLOR: "true"
PYTHONHTTPSVERIFY: 0
verifier:
name: ansible
scenario:
test_sequence:
- cleanup
- destroy
- create
- prepare
- converge
- idempotence
- side_effect
- verify
- cleanup
- destroy

View file

@ -1,750 +0,0 @@
# -----------------------------
# PostgreSQL configuration file
# -----------------------------
#
# This file consists of lines of the form:
#
# name = value
#
# (The "=" is optional.) Whitespace may be used. Comments are introduced with
# "#" anywhere on a line. The complete list of parameter names and allowed
# values can be found in the PostgreSQL documentation.
#
# The commented-out settings shown in this file represent the default values.
# Re-commenting a setting is NOT sufficient to revert it to the default value;
# you need to reload the server.
#
# This file is read on server startup and when the server receives a SIGHUP
# signal. If you edit the file on a running system, you have to SIGHUP the
# server for the changes to take effect, run "pg_ctl reload", or execute
# "SELECT pg_reload_conf()". Some parameters, which are marked below,
# require a server shutdown and restart to take effect.
#
# Any parameter can also be given as a command-line option to the server, e.g.,
# "postgres -c log_connections=on". Some parameters can be changed at run time
# with the "SET" SQL command.
#
# Memory units: kB = kilobytes Time units: ms = milliseconds
# MB = megabytes s = seconds
# GB = gigabytes min = minutes
# TB = terabytes h = hours
# d = days
#------------------------------------------------------------------------------
# FILE LOCATIONS
#------------------------------------------------------------------------------
# The default values of these variables are driven from the -D command-line
# option or PGDATA environment variable, represented here as ConfigDir.
#data_directory = 'ConfigDir' # use data in another directory
# (change requires restart)
#hba_file = 'ConfigDir/pg_hba.conf' # host-based authentication file
# (change requires restart)
#ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file
# (change requires restart)
# If external_pid_file is not explicitly set, no extra PID file is written.
#external_pid_file = '' # write an extra PID file
# (change requires restart)
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
listen_addresses = '*' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
#port = 5432 # (change requires restart)
#max_connections = 100 # (change requires restart)
#superuser_reserved_connections = 3 # (change requires restart)
#unix_socket_directories = '/tmp' # comma-separated list of directories
# (change requires restart)
#unix_socket_group = '' # (change requires restart)
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
# (change requires restart)
#bonjour = off # advertise server via Bonjour
# (change requires restart)
#bonjour_name = '' # defaults to the computer name
# (change requires restart)
# - TCP settings -
# see "man 7 tcp" for details
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
# 0 selects the system default
#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
# 0 selects the system default
#tcp_keepalives_count = 0 # TCP_KEEPCNT;
# 0 selects the system default
#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds;
# 0 selects the system default
# - Authentication -
#authentication_timeout = 1min # 1s-600s
#password_encryption = md5 # md5 or scram-sha-256
#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = ''
#krb_caseins_users = off
# - SSL -
#ssl = off
#ssl_ca_file = ''
#ssl_cert_file = 'server.crt'
#ssl_crl_file = ''
#ssl_key_file = 'server.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off
#------------------------------------------------------------------------------
# RESOURCE USAGE (except WAL)
#------------------------------------------------------------------------------
# - Memory -
#shared_buffers = 32MB # min 128kB
# (change requires restart)
#huge_pages = try # on, off, or try
# (change requires restart)
#temp_buffers = 8MB # min 800kB
#max_prepared_transactions = 0 # zero disables the feature
# (change requires restart)
# Caution: it is not advisable to set max_prepared_transactions nonzero unless
# you actively intend to use prepared transactions.
#work_mem = 4MB # min 64kB
#maintenance_work_mem = 64MB # min 1MB
#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
#max_stack_depth = 2MB # min 100kB
#shared_memory_type = mmap # the default is the first option
# supported by the operating system:
# mmap
# sysv
# windows
# (change requires restart)
#dynamic_shared_memory_type = posix # the default is the first option
# supported by the operating system:
# posix
# sysv
# windows
# mmap
# (change requires restart)
# - Disk -
#temp_file_limit = -1 # limits per-process temp file space
# in kB, or -1 for no limit
# - Kernel Resources -
#max_files_per_process = 1000 # min 25
# (change requires restart)
# - Cost-Based Vacuum Delay -
#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables)
#vacuum_cost_page_hit = 1 # 0-10000 credits
#vacuum_cost_page_miss = 10 # 0-10000 credits
#vacuum_cost_page_dirty = 20 # 0-10000 credits
#vacuum_cost_limit = 200 # 1-10000 credits
# - Background Writer -
#bgwriter_delay = 200ms # 10-10000ms between rounds
#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
#bgwriter_flush_after = 0 # measured in pages, 0 disables
# - Asynchronous Behavior -
#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
#max_worker_processes = 8 # (change requires restart)
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
#parallel_leader_participation = on
#max_parallel_workers = 8 # maximum number of max_worker_processes that
# can be used in parallel operations
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
# (change requires restart)
#backend_flush_after = 0 # measured in pages, 0 disables
#------------------------------------------------------------------------------
# WRITE-AHEAD LOG
#------------------------------------------------------------------------------
# - Settings -
#wal_level = replica # minimal, replica, or logical
# (change requires restart)
#fsync = on # flush data to disk for crash safety
# (turning this off can cause
# unrecoverable data corruption)
#synchronous_commit = on # synchronization level;
# off, local, remote_write, remote_apply, or on
#wal_sync_method = fsync # the default is the first option
# supported by the operating system:
# open_datasync
# fdatasync (default on Linux)
# fsync
# fsync_writethrough
# open_sync
#full_page_writes = on # recover from partial page writes
#wal_compression = off # enable compression of full-page writes
#wal_log_hints = off # also do full page writes of non-critical updates
# (change requires restart)
#wal_init_zero = on # zero-fill new WAL files
#wal_recycle = on # recycle WAL files
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
# (change requires restart)
#wal_writer_delay = 200ms # 1-10000 milliseconds
#wal_writer_flush_after = 1MB # measured in pages, 0 disables
#commit_delay = 0 # range 0-100000, in microseconds
#commit_siblings = 5 # range 1-1000
# - Checkpoints -
#checkpoint_timeout = 5min # range 30s-1d
#max_wal_size = 1GB
#min_wal_size = 80MB
#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
#checkpoint_flush_after = 0 # measured in pages, 0 disables
#checkpoint_warning = 30s # 0 disables
# - Archiving -
#archive_mode = off # enables archiving; off, on, or always
# (change requires restart)
#archive_command = '' # command to use to archive a logfile segment
# placeholders: %p = path of file to archive
# %f = file name only
# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
#archive_timeout = 0 # force a logfile segment switch after this
# number of seconds; 0 disables
# - Archive Recovery -
# These are only used in recovery mode.
#restore_command = '' # command to use to restore an archived logfile segment
# placeholders: %p = path of file to restore
# %f = file name only
# e.g. 'cp /mnt/server/archivedir/%f %p'
# (change requires restart)
#archive_cleanup_command = '' # command to execute at every restartpoint
#recovery_end_command = '' # command to execute at completion of recovery
# - Recovery Target -
# Set these only when performing a targeted recovery.
#recovery_target = '' # 'immediate' to end recovery as soon as a
# consistent state is reached
# (change requires restart)
#recovery_target_name = '' # the named restore point to which recovery will proceed
# (change requires restart)
#recovery_target_time = '' # the time stamp up to which recovery will proceed
# (change requires restart)
#recovery_target_xid = '' # the transaction ID up to which recovery will proceed
# (change requires restart)
#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed
# (change requires restart)
#recovery_target_inclusive = on # Specifies whether to stop:
# just after the specified recovery target (on)
# just before the recovery target (off)
# (change requires restart)
#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID
# (change requires restart)
#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown'
# (change requires restart)
#------------------------------------------------------------------------------
# REPLICATION
#------------------------------------------------------------------------------
# - Sending Servers -
# Set these on the master and on any standby that will send replication data.
#max_wal_senders = 10 # max number of walsender processes
# (change requires restart)
#wal_keep_segments = 0 # in logfile segments; 0 disables
#wal_sender_timeout = 60s # in milliseconds; 0 disables
#max_replication_slots = 10 # max number of replication slots
# (change requires restart)
#track_commit_timestamp = off # collect timestamp of transaction commit
# (change requires restart)
# - Master Server -
# These settings are ignored on a standby server.
#synchronous_standby_names = '' # standby servers that provide sync rep
# method to choose sync standbys, number of sync standbys,
# and comma-separated list of application_name
# from standby(s); '*' = all
#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
# - Standby Servers -
# These settings are ignored on a master server.
#primary_conninfo = '' # connection string to sending server
# (change requires restart)
#primary_slot_name = '' # replication slot on sending server
# (change requires restart)
#promote_trigger_file = '' # file name whose presence ends recovery
#hot_standby = on # "off" disallows queries during recovery
# (change requires restart)
#max_standby_archive_delay = 30s # max delay before canceling queries
# when reading WAL from archive;
# -1 allows indefinite delay
#max_standby_streaming_delay = 30s # max delay before canceling queries
# when reading streaming WAL;
# -1 allows indefinite delay
#wal_receiver_status_interval = 10s # send replies at least this often
# 0 disables
#hot_standby_feedback = off # send info from standby to prevent
# query conflicts
#wal_receiver_timeout = 60s # time that receiver waits for
# communication from master
# in milliseconds; 0 disables
#wal_retrieve_retry_interval = 5s # time to wait before retrying to
# retrieve WAL after a failed attempt
#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery
# - Subscribers -
# These settings are ignored on a publisher.
#max_logical_replication_workers = 4 # taken from max_worker_processes
# (change requires restart)
#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers
#------------------------------------------------------------------------------
# QUERY TUNING
#------------------------------------------------------------------------------
# - Planner Method Configuration -
#enable_bitmapscan = on
#enable_hashagg = on
#enable_hashjoin = on
#enable_indexscan = on
#enable_indexonlyscan = on
#enable_material = on
#enable_mergejoin = on
#enable_nestloop = on
#enable_parallel_append = on
#enable_seqscan = on
#enable_sort = on
#enable_tidscan = on
#enable_partitionwise_join = off
#enable_partitionwise_aggregate = off
#enable_parallel_hash = on
#enable_partition_pruning = on
# - Planner Cost Constants -
#seq_page_cost = 1.0 # measured on an arbitrary scale
#random_page_cost = 4.0 # same scale as above
#cpu_tuple_cost = 0.01 # same scale as above
#cpu_index_tuple_cost = 0.005 # same scale as above
#cpu_operator_cost = 0.0025 # same scale as above
#parallel_tuple_cost = 0.1 # same scale as above
#parallel_setup_cost = 1000.0 # same scale as above
#jit_above_cost = 100000 # perform JIT compilation if available
# and query more expensive than this;
# -1 disables
#jit_inline_above_cost = 500000 # inline small functions if query is
# more expensive than this; -1 disables
#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if
# query is more expensive than this;
# -1 disables
#min_parallel_table_scan_size = 8MB
#min_parallel_index_scan_size = 512kB
#effective_cache_size = 4GB
# - Genetic Query Optimizer -
#geqo = on
#geqo_threshold = 12
#geqo_effort = 5 # range 1-10
#geqo_pool_size = 0 # selects default based on effort
#geqo_generations = 0 # selects default based on effort
#geqo_selection_bias = 2.0 # range 1.5-2.0
#geqo_seed = 0.0 # range 0.0-1.0
# - Other Planner Options -
#default_statistics_target = 100 # range 1-10000
#constraint_exclusion = partition # on, off, or partition
#cursor_tuple_fraction = 0.1 # range 0.0-1.0
#from_collapse_limit = 8
#join_collapse_limit = 8 # 1 disables collapsing of explicit
# JOIN clauses
#force_parallel_mode = off
#jit = on # allow JIT compilation
#plan_cache_mode = auto # auto, force_generic_plan or
# force_custom_plan
#------------------------------------------------------------------------------
# REPORTING AND LOGGING
#------------------------------------------------------------------------------
# - Where to Log -
#log_destination = 'stderr' # Valid values are combinations of
# stderr, csvlog, syslog, and eventlog,
# depending on platform. csvlog
# requires logging_collector to be on.
# This is used when logging to stderr:
#logging_collector = off # Enable capturing of stderr and csvlog
# into log files. Required to be on for
# csvlogs.
# (change requires restart)
# These are only used if logging_collector is on:
#log_directory = 'log' # directory where log files are written,
# can be absolute or relative to PGDATA
#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
# can include strftime() escapes
#log_file_mode = 0600 # creation mode for log files,
# begin with 0 to use octal notation
#log_truncate_on_rotation = off # If on, an existing log file with the
# same name as the new log file will be
# truncated rather than appended to.
# But such truncation only occurs on
# time-driven rotation, not on restarts
# or size-driven rotation. Default is
# off, meaning append to existing files
# in all cases.
#log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#log_rotation_size = 10MB # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
# These are relevant when logging to syslog:
#syslog_facility = 'LOCAL0'
#syslog_ident = 'postgres'
#syslog_sequence_numbers = on
#syslog_split_messages = on
# This is only relevant when logging to eventlog (win32):
# (change requires restart)
#event_source = 'PostgreSQL'
# - When to Log -
#log_min_messages = warning # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic
#log_min_error_statement = error # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic (effectively off)
#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
# and their durations, > 0 logs only
# statements running at least this number
# of milliseconds
#log_transaction_sample_rate = 0.0 # Fraction of transactions whose statements
# are logged regardless of their duration. 1.0 logs all
# statements from all transactions, 0.0 never logs.
# - What to Log -
#debug_print_parse = off
#debug_print_rewritten = off
#debug_print_plan = off
#debug_pretty_print = on
#log_checkpoints = off
#log_connections = off
#log_disconnections = off
#log_duration = off
#log_error_verbosity = default # terse, default, or verbose messages
#log_hostname = off
#log_line_prefix = '%m [%p] ' # special values:
# %a = application name
# %u = user name
# %d = database name
# %r = remote host and port
# %h = remote host
# %p = process ID
# %t = timestamp without milliseconds
# %m = timestamp with milliseconds
# %n = timestamp with milliseconds (as a Unix epoch)
# %i = command tag
# %e = SQL state
# %c = session ID
# %l = session line number
# %s = session start timestamp
# %v = virtual transaction ID
# %x = transaction ID (0 if none)
# %q = stop here in non-session
# processes
# %% = '%'
# e.g. '<%u%%%d> '
#log_lock_waits = off # log lock waits >= deadlock_timeout
#log_statement = 'none' # none, ddl, mod, all
#log_replication_commands = off
#log_temp_files = -1 # log temporary files equal or larger
# than the specified size in kilobytes;
# -1 disables, 0 logs all temp files
#log_timezone = 'GMT'
#------------------------------------------------------------------------------
# PROCESS TITLE
#------------------------------------------------------------------------------
#cluster_name = '' # added to process titles if nonempty
# (change requires restart)
#update_process_title = on
#------------------------------------------------------------------------------
# STATISTICS
#------------------------------------------------------------------------------
# - Query and Index Statistics Collector -
#track_activities = on
#track_counts = on
#track_io_timing = off
#track_functions = none # none, pl, all
#track_activity_query_size = 1024 # (change requires restart)
#stats_temp_directory = 'pg_stat_tmp'
# - Monitoring -
#log_parser_stats = off
#log_planner_stats = off
#log_executor_stats = off
#log_statement_stats = off
#------------------------------------------------------------------------------
# AUTOVACUUM
#------------------------------------------------------------------------------
#autovacuum = on # Enable autovacuum subprocess? 'on'
# requires track_counts to also be on.
#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
# their durations, > 0 logs only
# actions running at least this number
# of milliseconds.
#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
# (change requires restart)
#autovacuum_naptime = 1min # time between autovacuum runs
#autovacuum_vacuum_threshold = 50 # min number of row updates before
# vacuum
#autovacuum_analyze_threshold = 50 # min number of row updates before
# analyze
#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
# (change requires restart)
#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age
# before forced vacuum
# (change requires restart)
#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for
# autovacuum, in milliseconds;
# -1 means use vacuum_cost_delay
#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
# autovacuum, -1 means use
# vacuum_cost_limit
#------------------------------------------------------------------------------
# CLIENT CONNECTION DEFAULTS
#------------------------------------------------------------------------------
# - Statement Behavior -
#client_min_messages = notice # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# log
# notice
# warning
# error
#search_path = '"$user", public' # schema names
#row_security = on
#default_tablespace = '' # a tablespace name, '' uses the default
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
#default_table_access_method = 'heap'
#check_function_bodies = on
#default_transaction_isolation = 'read committed'
#default_transaction_read_only = off
#default_transaction_deferrable = off
#session_replication_role = 'origin'
#statement_timeout = 0 # in milliseconds, 0 is disabled
#lock_timeout = 0 # in milliseconds, 0 is disabled
#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
#vacuum_freeze_min_age = 50000000
#vacuum_freeze_table_age = 150000000
#vacuum_multixact_freeze_min_age = 5000000
#vacuum_multixact_freeze_table_age = 150000000
#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples
# before index cleanup, 0 always performs
# index cleanup
#bytea_output = 'hex' # hex, escape
#xmlbinary = 'base64'
#xmloption = 'content'
#gin_fuzzy_search_limit = 0
#gin_pending_list_limit = 4MB
# - Locale and Formatting -
#datestyle = 'iso, mdy'
#intervalstyle = 'postgres'
#timezone = 'GMT'
#timezone_abbreviations = 'Default' # Select the set of available time zone
# abbreviations. Currently, there are
# Default
# Australia (historical usage)
# India
# You can create your own file in
# share/timezonesets/.
#extra_float_digits = 1 # min -15, max 3; any value >0 actually
# selects precise output mode
#client_encoding = sql_ascii # actually, defaults to database
# encoding
# These settings are initialized by initdb, but they can be changed.
#lc_messages = 'C' # locale for system error message
# strings
#lc_monetary = 'C' # locale for monetary formatting
#lc_numeric = 'C' # locale for number formatting
#lc_time = 'C' # locale for time formatting
# default configuration for text search
#default_text_search_config = 'pg_catalog.simple'
# - Shared Library Preloading -
#shared_preload_libraries = '' # (change requires restart)
#local_preload_libraries = ''
#session_preload_libraries = ''
#jit_provider = 'llvmjit' # JIT library to use
# - Other Defaults -
#dynamic_library_path = '$libdir'
#------------------------------------------------------------------------------
# LOCK MANAGEMENT
#------------------------------------------------------------------------------
#deadlock_timeout = 1s
#max_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_relation = -2 # negative values mean
# (max_pred_locks_per_transaction
# / -max_pred_locks_per_relation) - 1
#max_pred_locks_per_page = 2 # min 0
#------------------------------------------------------------------------------
# VERSION AND PLATFORM COMPATIBILITY
#------------------------------------------------------------------------------
# - Previous PostgreSQL Versions -
#array_nulls = on
#backslash_quote = safe_encoding # on, off, or safe_encoding
#escape_string_warning = on
#lo_compat_privileges = off
#operator_precedence_warning = off
#quote_all_identifiers = off
#standard_conforming_strings = on
#synchronize_seqscans = on
# - Other Platforms and Clients -
#transform_null_equals = off
#------------------------------------------------------------------------------
# ERROR HANDLING
#------------------------------------------------------------------------------
#exit_on_error = off # terminate session on any error?
#restart_after_crash = on # reinitialize after backend crash?
#data_sync_retry = off # retry or panic on failure to fsync
# data?
# (change requires restart)
#------------------------------------------------------------------------------
# CONFIG FILE INCLUDES
#------------------------------------------------------------------------------
# These options allow settings to be loaded from files other than the
# default postgresql.conf. Note that these are directives, not variable
# assignments, so they can usefully be given more than once.
#include_dir = '...' # include files ending in '.conf' from
# a directory, e.g., 'conf.d'
#include_if_exists = '...' # include file only if it exists
#include = '...' # include file
#------------------------------------------------------------------------------
# CUSTOMIZED OPTIONS
#------------------------------------------------------------------------------
# Add settings for extensions here

View file

@ -1,44 +0,0 @@
---
- name: Prepare
hosts: 'keycloak:infinispan'
tasks:
- name: "Display hera_home if defined."
ansible.builtin.set_fact:
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- name: "Ensure common prepare phase are set."
ansible.builtin.include_tasks: ../prepare.yml
- name: Create certificate request
ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
delegate_to: localhost
changed_when: False
- name: Create vault directory
become: true
ansible.builtin.file:
state: directory
path: "/opt/keycloak/vault"
mode: 0755
- name: Make sure a jre is available (for keytool to prepare keystore)
delegate_to: localhost
ansible.builtin.package:
name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
state: present
become: true
failed_when: false
- name: Create vault keystore
ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
delegate_to: localhost
register: keytool_cmd
changed_when: False
failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
- name: Copy certificates and vault
become: true
ansible.builtin.copy:
src: keystore.p12
dest: /opt/keycloak/vault/keystore.p12
mode: 0444

View file

@ -1 +0,0 @@
../../roles

View file

@ -1,29 +0,0 @@
---
- name: Verify
hosts: keycloak
tasks:
- name: Populate service facts
ansible.builtin.service_facts:
- name: Check if keycloak service started
ansible.builtin.assert:
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"
- ansible_facts.services["keycloak.service"]["status"] == "enabled"
fail_msg: "Service not running"
- name: Set internal envvar
ansible.builtin.set_fact:
hera_home: "{{ lookup('env', 'HERA_HOME') }}"
- name: Check log file
become: true
ansible.builtin.stat:
path: /var/log/keycloak/keycloak.log
register: keycloak_log_file
- name: Check if keycloak file exists
ansible.builtin.assert:
that:
- keycloak_log_file.stat.exists
- not keycloak_log_file.stat.isdir

View file

@ -5,9 +5,6 @@
- vars.yml - vars.yml
vars: vars:
keycloak_quarkus_show_deprecation_warnings: false keycloak_quarkus_show_deprecation_warnings: false
keycloak_quarkus_additional_env_vars: keycloak_quarkus_version: 24.0.3
- key: KC_FEATURES_DISABLED
value: ciba,device-flow,impersonation,kerberos,docker
keycloak_quarkus_version: 26.0.7
roles: roles:
- role: keycloak_quarkus - role: keycloak_quarkus

View file

@ -4,7 +4,7 @@ dependency:
options: options:
requirements-file: molecule/requirements.yml requirements-file: molecule/requirements.yml
driver: driver:
name: podman name: docker
platforms: platforms:
- name: instance - name: instance
image: registry.access.redhat.com/ubi9/ubi-init:latest image: registry.access.redhat.com/ubi9/ubi-init:latest
@ -13,10 +13,8 @@ platforms:
privileged: true privileged: true
port_bindings: port_bindings:
- 8080:8080 - 8080:8080
- "9000/tcp"
published_ports: published_ports:
- 0.0.0.0:8080:8080/TCP - 0.0.0.0:8080:8080/TCP
- 0.0.0.0:9000:9000/TCP
provisioner: provisioner:
name: ansible name: ansible
playbooks: playbooks:
@ -27,10 +25,6 @@ provisioner:
host_vars: host_vars:
localhost: localhost:
ansible_python_interpreter: "{{ ansible_playbook_python }}" ansible_python_interpreter: "{{ ansible_playbook_python }}"
env:
ANSIBLE_FORCE_COLOR: "true"
PROXY: "${PROXY}"
NO_PROXY: "${NO_PROXY}"
verifier: verifier:
name: ansible name: ansible
scenario: scenario:

View file

@ -5,10 +5,7 @@
- vars.yml - vars.yml
vars: vars:
sudo_pkg_name: sudo sudo_pkg_name: sudo
keycloak_quarkus_version: 26.0.4 keycloak_quarkus_version: 23.0.7
keycloak_quarkus_additional_env_vars:
- key: KC_FEATURES_DISABLED
value: impersonation,kerberos
pre_tasks: pre_tasks:
- name: Install sudo - name: Install sudo
ansible.builtin.apt: ansible.builtin.apt:
@ -47,7 +44,6 @@
changed_when: false changed_when: false
roles: roles:
- role: keycloak_quarkus - role: keycloak_quarkus
post_tasks: post_tasks:
- name: "Delete custom fact" - name: "Delete custom fact"
ansible.builtin.file: ansible.builtin.file:

View file

@ -1,8 +1,9 @@
--- ---
keycloak_quarkus_offline_install: false keycloak_quarkus_offline_install: false
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" keycloak_quarkus_admin_password: "remembertochangeme"
keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_quarkus_realm: TestRealm keycloak_quarkus_realm: TestRealm
keycloak_quarkus_hostname: http://instance:8080 keycloak_quarkus_host: instance
keycloak_quarkus_log: file keycloak_quarkus_log: file
keycloak_quarkus_https_key_file_enabled: true keycloak_quarkus_https_key_file_enabled: true
keycloak_quarkus_log_target: /tmp/keycloak keycloak_quarkus_log_target: /tmp/keycloak

View file

@ -2,7 +2,7 @@
- name: Verify - name: Verify
hosts: instance hosts: instance
vars: vars:
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" keycloak_quarkus_admin_password: "remembertochangeme"
keycloak_quarkus_port: http://localhost:8080 keycloak_quarkus_port: http://localhost:8080
tasks: tasks:
- name: Populate service facts - name: Populate service facts
@ -17,14 +17,14 @@
- name: Verify we are running on requested jvm - name: Verify we are running on requested jvm
ansible.builtin.shell: | ansible.builtin.shell: |
set -eo pipefail set -eo pipefail
ps -ef | grep 'etc/alternatives/.*21' | grep -v grep ps -ef | grep 'etc/alternatives/.*17' | grep -v grep
changed_when: false changed_when: false
- name: Verify token api call - name: Verify token api call
ansible.builtin.uri: ansible.builtin.uri:
url: "{{ keycloak_quarkus_port }}/realms/master/protocol/openid-connect/token" url: "{{ keycloak_quarkus_port }}/realms/master/protocol/openid-connect/token"
method: POST method: POST
body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_bootstrap_admin_password }}&grant_type=password" body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_admin_password }}&grant_type=password"
validate_certs: no validate_certs: no
register: keycloak_auth_response register: keycloak_auth_response
until: keycloak_auth_response.status == 200 until: keycloak_auth_response.status == 200

View file

@ -2,7 +2,6 @@
collections: collections:
- name: middleware_automation.common - name: middleware_automation.common
- name: middleware_automation.jbcs - name: middleware_automation.jbcs
- name: middleware_automation.infinispan
- name: community.general - name: community.general
- name: ansible.posix - name: ansible.posix
- name: community.docker - name: community.docker

View file

@ -2,8 +2,8 @@
- name: Playbook for Keycloak X Hosts with HTTPS enabled - name: Playbook for Keycloak X Hosts with HTTPS enabled
hosts: all hosts: all
vars: vars:
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" keycloak_quarkus_admin_pass: "remembertochangeme"
keycloak_quarkus_hostname: http://localhost keycloak_quarkus_host: localhost
keycloak_quarkus_port: 8443 keycloak_quarkus_port: 8443
keycloak_quarkus_log: file keycloak_quarkus_log: file
keycloak_quarkus_proxy_mode: none keycloak_quarkus_proxy_mode: none

View file

@ -2,8 +2,8 @@
- name: Playbook for Keycloak X Hosts in develop mode - name: Playbook for Keycloak X Hosts in develop mode
hosts: all hosts: all
vars: vars:
keycloak_quarkus_bootstrap_admin_password: "remembertochangeme" keycloak_admin_password: "remembertochangeme"
keycloak_quarkus_hostname: http://localhost keycloak_quarkus_host: localhost
keycloak_quarkus_port: 8080 keycloak_quarkus_port: 8080
keycloak_quarkus_log: file keycloak_quarkus_log: file
keycloak_quarkus_start_dev: true keycloak_quarkus_start_dev: true

File diff suppressed because it is too large Load diff

View file

@ -40,8 +40,8 @@ options:
state: state:
description: description:
- State of the client - State of the client
- On V(present), the client will be created (or updated if it exists already). - On C(present), the client will be created (or updated if it exists already).
- On V(absent), the client will be removed if it exists - On C(absent), the client will be removed if it exists
choices: ['present', 'absent'] choices: ['present', 'absent']
default: 'present' default: 'present'
type: str type: str
@ -55,7 +55,7 @@ options:
client_id: client_id:
description: description:
- Client id of client to be worked on. This is usually an alphanumeric name chosen by - Client id of client to be worked on. This is usually an alphanumeric name chosen by
you. Either this or O(id) is required. If you specify both, O(id) takes precedence. you. Either this or I(id) is required. If you specify both, I(id) takes precedence.
This is 'clientId' in the Keycloak REST API. This is 'clientId' in the Keycloak REST API.
aliases: aliases:
- clientId - clientId
@ -63,13 +63,13 @@ options:
id: id:
description: description:
- Id of client to be worked on. This is usually an UUID. Either this or O(client_id) - Id of client to be worked on. This is usually an UUID. Either this or I(client_id)
is required. If you specify both, this takes precedence. is required. If you specify both, this takes precedence.
type: str type: str
name: name:
description: description:
- Name of the client (this is not the same as O(client_id)). - Name of the client (this is not the same as I(client_id)).
type: str type: str
description: description:
@ -108,21 +108,20 @@ options:
client_authenticator_type: client_authenticator_type:
description: description:
- How do clients authenticate with the auth server? Either V(client-secret), - How do clients authenticate with the auth server? Either C(client-secret) or
V(client-jwt), or V(client-x509) can be chosen. When using V(client-secret), the module parameter C(client-jwt) can be chosen. When using C(client-secret), the module parameter
O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url), I(secret) can set it, while for C(client-jwt), you can use the keys C(use.jwks.url),
C(jwks.url), and C(jwt.credential.certificate) in the O(attributes) module parameter C(jwks.url), and C(jwt.credential.certificate) in the I(attributes) module parameter
to configure its behavior. For V(client-x509) you can use the keys C(x509.allow.regex.pattern.comparison) to configure its behavior.
and C(x509.subjectdn) in the O(attributes) module parameter to configure which certificate(s) to accept. This is 'clientAuthenticatorType' in the Keycloak REST API.
- This is 'clientAuthenticatorType' in the Keycloak REST API. choices: ['client-secret', 'client-jwt']
choices: ['client-secret', 'client-jwt', 'client-x509']
aliases: aliases:
- clientAuthenticatorType - clientAuthenticatorType
type: str type: str
secret: secret:
description: description:
- When using O(client_authenticator_type=client-secret) (the default), you can - When using I(client_authenticator_type) C(client-secret) (the default), you can
specify a secret here (otherwise one will be generated if it does not exit). If specify a secret here (otherwise one will be generated if it does not exit). If
changing this secret, the module will not register a change currently (but the changing this secret, the module will not register a change currently (but the
changed secret will be saved). changed secret will be saved).
@ -247,11 +246,9 @@ options:
protocol: protocol:
description: description:
- Type of client. - Type of client (either C(openid-connect) or C(saml).
- At creation only, default value will be V(openid-connect) if O(protocol) is omitted.
- The V(docker-v2) value was added in community.general 8.6.0.
type: str type: str
choices: ['openid-connect', 'saml', 'docker-v2'] choices: ['openid-connect', 'saml']
full_scope_allowed: full_scope_allowed:
description: description:
@ -289,7 +286,7 @@ options:
use_template_config: use_template_config:
description: description:
- Whether or not to use configuration from the O(client_template). - Whether or not to use configuration from the I(client_template).
This is 'useTemplateConfig' in the Keycloak REST API. This is 'useTemplateConfig' in the Keycloak REST API.
aliases: aliases:
- useTemplateConfig - useTemplateConfig
@ -297,7 +294,7 @@ options:
use_template_scope: use_template_scope:
description: description:
- Whether or not to use scope configuration from the O(client_template). - Whether or not to use scope configuration from the I(client_template).
This is 'useTemplateScope' in the Keycloak REST API. This is 'useTemplateScope' in the Keycloak REST API.
aliases: aliases:
- useTemplateScope - useTemplateScope
@ -305,7 +302,7 @@ options:
use_template_mappers: use_template_mappers:
description: description:
- Whether or not to use mapper configuration from the O(client_template). - Whether or not to use mapper configuration from the I(client_template).
This is 'useTemplateMappers' in the Keycloak REST API. This is 'useTemplateMappers' in the Keycloak REST API.
aliases: aliases:
- useTemplateMappers - useTemplateMappers
@ -341,42 +338,6 @@ options:
description: description:
- Override realm authentication flow bindings. - Override realm authentication flow bindings.
type: dict type: dict
suboptions:
browser:
description:
- Flow ID of the browser authentication flow.
- O(authentication_flow_binding_overrides.browser)
and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive.
type: str
browser_name:
description:
- Flow name of the browser authentication flow.
- O(authentication_flow_binding_overrides.browser)
and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive.
aliases:
- browserName
type: str
version_added: 9.1.0
direct_grant:
description:
- Flow ID of the direct grant authentication flow.
- O(authentication_flow_binding_overrides.direct_grant)
and O(authentication_flow_binding_overrides.direct_grant_name) are mutually exclusive.
aliases:
- directGrant
type: str
direct_grant_name:
description:
- Flow name of the direct grant authentication flow.
- O(authentication_flow_binding_overrides.direct_grant)
and O(authentication_flow_binding_overrides.direct_grant_name) are mutually exclusive.
aliases:
- directGrantName
type: str
version_added: 9.1.0
aliases: aliases:
- authenticationFlowBindingOverrides - authenticationFlowBindingOverrides
version_added: 3.4.0 version_added: 3.4.0
@ -430,37 +391,38 @@ options:
protocol: protocol:
description: description:
- This specifies for which protocol this protocol mapper is active. - This is either C(openid-connect) or C(saml), this specifies for which protocol this protocol mapper.
choices: ['openid-connect', 'saml', 'docker-v2'] is active.
choices: ['openid-connect', 'saml']
type: str type: str
protocolMapper: protocolMapper:
description: description:
- "The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is - The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is
impossible to provide since this may be extended through SPIs by the user of Keycloak, impossible to provide since this may be extended through SPIs by the user of Keycloak,
by default Keycloak as of 3.4 ships with at least:" by default Keycloak as of 3.4 ships with at least
- V(docker-v2-allow-all-mapper) - C(docker-v2-allow-all-mapper)
- V(oidc-address-mapper) - C(oidc-address-mapper)
- V(oidc-full-name-mapper) - C(oidc-full-name-mapper)
- V(oidc-group-membership-mapper) - C(oidc-group-membership-mapper)
- V(oidc-hardcoded-claim-mapper) - C(oidc-hardcoded-claim-mapper)
- V(oidc-hardcoded-role-mapper) - C(oidc-hardcoded-role-mapper)
- V(oidc-role-name-mapper) - C(oidc-role-name-mapper)
- V(oidc-script-based-protocol-mapper) - C(oidc-script-based-protocol-mapper)
- V(oidc-sha256-pairwise-sub-mapper) - C(oidc-sha256-pairwise-sub-mapper)
- V(oidc-usermodel-attribute-mapper) - C(oidc-usermodel-attribute-mapper)
- V(oidc-usermodel-client-role-mapper) - C(oidc-usermodel-client-role-mapper)
- V(oidc-usermodel-property-mapper) - C(oidc-usermodel-property-mapper)
- V(oidc-usermodel-realm-role-mapper) - C(oidc-usermodel-realm-role-mapper)
- V(oidc-usersessionmodel-note-mapper) - C(oidc-usersessionmodel-note-mapper)
- V(saml-group-membership-mapper) - C(saml-group-membership-mapper)
- V(saml-hardcode-attribute-mapper) - C(saml-hardcode-attribute-mapper)
- V(saml-hardcode-role-mapper) - C(saml-hardcode-role-mapper)
- V(saml-role-list-mapper) - C(saml-role-list-mapper)
- V(saml-role-name-mapper) - C(saml-role-name-mapper)
- V(saml-user-attribute-mapper) - C(saml-user-attribute-mapper)
- V(saml-user-property-mapper) - C(saml-user-property-mapper)
- V(saml-user-session-note-mapper) - C(saml-user-session-note-mapper)
- An exhaustive list of available mappers on your installation can be obtained on - An exhaustive list of available mappers on your installation can be obtained on
the admin console by going to Server Info -> Providers and looking under the admin console by going to Server Info -> Providers and looking under
'protocol-mapper'. 'protocol-mapper'.
@ -469,10 +431,10 @@ options:
config: config:
description: description:
- Dict specifying the configuration options for the protocol mapper; the - Dict specifying the configuration options for the protocol mapper; the
contents differ depending on the value of O(protocol_mappers[].protocolMapper) and are not documented contents differ depending on the value of I(protocolMapper) and are not documented
other than by the source of the mappers and its parent class(es). An example is given other than by the source of the mappers and its parent class(es). An example is given
below. It is easiest to obtain valid config values by dumping an already-existing below. It is easiest to obtain valid config values by dumping an already-existing
protocol mapper configuration through check-mode in the RV(existing) field. protocol mapper configuration through check-mode in the I(existing) field.
type: dict type: dict
attributes: attributes:
@ -516,7 +478,7 @@ options:
saml.signature.algorithm: saml.signature.algorithm:
description: description:
- Signature algorithm used to sign SAML documents. One of V(RSA_SHA256), V(RSA_SHA1), V(RSA_SHA512), or V(DSA_SHA1). - Signature algorithm used to sign SAML documents. One of C(RSA_SHA256), C(RSA_SHA1), C(RSA_SHA512), or C(DSA_SHA1).
saml.signing.certificate: saml.signing.certificate:
description: description:
@ -534,21 +496,22 @@ options:
description: description:
- SAML Redirect Binding URL for the client's assertion consumer service (login responses). - SAML Redirect Binding URL for the client's assertion consumer service (login responses).
saml_force_name_id_format: saml_force_name_id_format:
description: description:
- For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured one instead. - For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured one instead.
saml_name_id_format: saml_name_id_format:
description: description:
- For SAML clients, the NameID format to use (one of V(username), V(email), V(transient), or V(persistent)) - For SAML clients, the NameID format to use (one of C(username), C(email), C(transient), or C(persistent))
saml_signature_canonicalization_method: saml_signature_canonicalization_method:
description: description:
- SAML signature canonicalization method. This is one of four values, namely - SAML signature canonicalization method. This is one of four values, namely
V(http://www.w3.org/2001/10/xml-exc-c14n#) for EXCLUSIVE, C(http://www.w3.org/2001/10/xml-exc-c14n#) for EXCLUSIVE,
V(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS, C(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS,
V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315) for INCLUSIVE, and C(http://www.w3.org/TR/2001/REC-xml-c14n-20010315) for INCLUSIVE, and
V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS. C(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS.
saml_single_logout_service_url_post: saml_single_logout_service_url_post:
description: description:
@ -560,12 +523,12 @@ options:
user.info.response.signature.alg: user.info.response.signature.alg:
description: description:
- For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of V(RS256) or V(unsigned). - For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of C(RS256) or C(unsigned).
request.object.signature.alg: request.object.signature.alg:
description: description:
- For OpenID-Connect clients, JWA algorithm which the client needs to use when sending - For OpenID-Connect clients, JWA algorithm which the client needs to use when sending
OIDC request object. One of V(any), V(none), V(RS256). OIDC request object. One of C(any), C(none), C(RS256).
use.jwks.url: use.jwks.url:
description: description:
@ -581,21 +544,9 @@ options:
- For OpenID-Connect clients, client certificate for validating JWT issued by - For OpenID-Connect clients, client certificate for validating JWT issued by
client and signed by its key, base64-encoded. client and signed by its key, base64-encoded.
x509.subjectdn:
description:
- For OpenID-Connect clients, subject which will be used to authenticate the client.
type: str
version_added: 9.5.0
x509.allow.regex.pattern.comparison:
description:
- For OpenID-Connect clients, boolean specifying whether to allow C(x509.subjectdn) as regular expression.
type: bool
version_added: 9.5.0
extends_documentation_fragment: extends_documentation_fragment:
- middleware_automation.keycloak.keycloak - middleware_automation.keycloak.keycloak
- middleware_automation.keycloak.attributes - middleware_automation.keycloak.attributes
author: author:
- Eike Frost (@eikef) - Eike Frost (@eikef)
@ -636,22 +587,6 @@ EXAMPLES = '''
delegate_to: localhost delegate_to: localhost
- name: Create or update a Keycloak client (minimal example), with x509 authentication
middleware_automation.keycloak.keycloak_client:
auth_client_id: admin-cli
auth_keycloak_url: https://auth.example.com/auth
auth_realm: master
auth_username: USERNAME
auth_password: PASSWORD
realm: master
state: present
client_id: test
client_authenticator_type: client-x509
attributes:
x509.subjectdn: "CN=client"
x509.allow.regex.pattern.comparison: false
- name: Create or update a Keycloak client (with all the bells and whistles) - name: Create or update a Keycloak client (with all the bells and whistles)
middleware_automation.keycloak.keycloak_client: middleware_automation.keycloak.keycloak_client:
auth_client_id: admin-cli auth_client_id: admin-cli
@ -702,7 +637,7 @@ EXAMPLES = '''
- test01 - test01
- test02 - test02
authentication_flow_binding_overrides: authentication_flow_binding_overrides:
browser: 4c90336b-bf1d-4b87-916d-3677ba4e5fbb browser: 4c90336b-bf1d-4b87-916d-3677ba4e5fbb
protocol_mappers: protocol_mappers:
- config: - config:
access.token.claim: true access.token.claim: true
@ -782,17 +717,11 @@ end_state:
''' '''
from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError, is_struct_included keycloak_argument_spec, get_token, KeycloakError
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
import copy import copy
PROTOCOL_OPENID_CONNECT = 'openid-connect'
PROTOCOL_SAML = 'saml'
PROTOCOL_DOCKER_V2 = 'docker-v2'
CLIENT_META_DATA = ['authorizationServicesEnabled']
def normalise_cr(clientrep, remove_ids=False): def normalise_cr(clientrep, remove_ids=False):
""" Re-sorts any properties where the order so that diff's is minimised, and adds default values where appropriate so that the """ Re-sorts any properties where the order so that diff's is minimised, and adds default values where appropriate so that the
the change detection is more effective. the change detection is more effective.
@ -808,12 +737,6 @@ def normalise_cr(clientrep, remove_ids=False):
if 'attributes' in clientrep: if 'attributes' in clientrep:
clientrep['attributes'] = list(sorted(clientrep['attributes'])) clientrep['attributes'] = list(sorted(clientrep['attributes']))
if 'defaultClientScopes' in clientrep:
clientrep['defaultClientScopes'] = list(sorted(clientrep['defaultClientScopes']))
if 'optionalClientScopes' in clientrep:
clientrep['optionalClientScopes'] = list(sorted(clientrep['optionalClientScopes']))
if 'redirectUris' in clientrep: if 'redirectUris' in clientrep:
clientrep['redirectUris'] = list(sorted(clientrep['redirectUris'])) clientrep['redirectUris'] = list(sorted(clientrep['redirectUris']))
@ -839,70 +762,11 @@ def sanitize_cr(clientrep):
if 'secret' in result: if 'secret' in result:
result['secret'] = 'no_log' result['secret'] = 'no_log'
if 'attributes' in result: if 'attributes' in result:
attributes = result['attributes'] if 'saml.signing.private.key' in result['attributes']:
if isinstance(attributes, dict) and 'saml.signing.private.key' in attributes: result['attributes']['saml.signing.private.key'] = 'no_log'
attributes['saml.signing.private.key'] = 'no_log'
return normalise_cr(result) return normalise_cr(result)
def get_authentication_flow_id(flow_name, realm, kc):
""" Get the authentication flow ID based on the flow name, realm, and Keycloak client.
Args:
flow_name (str): The name of the authentication flow.
realm (str): The name of the realm.
kc (KeycloakClient): The Keycloak client instance.
Returns:
str: The ID of the authentication flow.
Raises:
KeycloakAPIException: If the authentication flow with the given name is not found in the realm.
"""
flow = kc.get_authentication_flow_by_alias(flow_name, realm)
if flow:
return flow["id"]
kc.module.fail_json(msg='Authentification flow %s not found in realm %s' % (flow_name, realm))
def flow_binding_from_dict_to_model(newClientFlowBinding, realm, kc):
""" Convert a dictionary representing client flow bindings to a model representation.
Args:
newClientFlowBinding (dict): A dictionary containing client flow bindings.
realm (str): The name of the realm.
kc (KeycloakClient): An instance of the KeycloakClient class.
Returns:
dict: A dictionary representing the model flow bindings. The dictionary has two keys:
- "browser" (str or None): The ID of the browser authentication flow binding, or None if not provided.
- "direct_grant" (str or None): The ID of the direct grant authentication flow binding, or None if not provided.
Raises:
KeycloakAPIException: If the authentication flow with the given name is not found in the realm.
"""
modelFlow = {
"browser": None,
"direct_grant": None
}
for k, v in newClientFlowBinding.items():
if not v:
continue
if k == "browser":
modelFlow["browser"] = v
elif k == "browser_name":
modelFlow["browser"] = get_authentication_flow_id(v, realm, kc)
elif k == "direct_grant":
modelFlow["direct_grant"] = v
elif k == "direct_grant_name":
modelFlow["direct_grant"] = get_authentication_flow_id(v, realm, kc)
return modelFlow
def main(): def main():
""" """
Module execution Module execution
@ -916,18 +780,11 @@ def main():
consentText=dict(type='str'), consentText=dict(type='str'),
id=dict(type='str'), id=dict(type='str'),
name=dict(type='str'), name=dict(type='str'),
protocol=dict(type='str', choices=[PROTOCOL_OPENID_CONNECT, PROTOCOL_SAML, PROTOCOL_DOCKER_V2]), protocol=dict(type='str', choices=['openid-connect', 'saml']),
protocolMapper=dict(type='str'), protocolMapper=dict(type='str'),
config=dict(type='dict'), config=dict(type='dict'),
) )
authentication_flow_spec = dict(
browser=dict(type='str'),
browser_name=dict(type='str', aliases=['browserName']),
direct_grant=dict(type='str', aliases=['directGrant']),
direct_grant_name=dict(type='str', aliases=['directGrantName']),
)
meta_args = dict( meta_args = dict(
state=dict(default='present', choices=['present', 'absent']), state=dict(default='present', choices=['present', 'absent']),
realm=dict(type='str', default='master'), realm=dict(type='str', default='master'),
@ -941,7 +798,7 @@ def main():
base_url=dict(type='str', aliases=['baseUrl']), base_url=dict(type='str', aliases=['baseUrl']),
surrogate_auth_required=dict(type='bool', aliases=['surrogateAuthRequired']), surrogate_auth_required=dict(type='bool', aliases=['surrogateAuthRequired']),
enabled=dict(type='bool'), enabled=dict(type='bool'),
client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt', 'client-x509'], aliases=['clientAuthenticatorType']), client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt'], aliases=['clientAuthenticatorType']),
secret=dict(type='str', no_log=True), secret=dict(type='str', no_log=True),
registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True), registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True),
default_roles=dict(type='list', elements='str', aliases=['defaultRoles']), default_roles=dict(type='list', elements='str', aliases=['defaultRoles']),
@ -957,7 +814,7 @@ def main():
authorization_services_enabled=dict(type='bool', aliases=['authorizationServicesEnabled']), authorization_services_enabled=dict(type='bool', aliases=['authorizationServicesEnabled']),
public_client=dict(type='bool', aliases=['publicClient']), public_client=dict(type='bool', aliases=['publicClient']),
frontchannel_logout=dict(type='bool', aliases=['frontchannelLogout']), frontchannel_logout=dict(type='bool', aliases=['frontchannelLogout']),
protocol=dict(type='str', choices=[PROTOCOL_OPENID_CONNECT, PROTOCOL_SAML, PROTOCOL_DOCKER_V2]), protocol=dict(type='str', choices=['openid-connect', 'saml']),
attributes=dict(type='dict'), attributes=dict(type='dict'),
full_scope_allowed=dict(type='bool', aliases=['fullScopeAllowed']), full_scope_allowed=dict(type='bool', aliases=['fullScopeAllowed']),
node_re_registration_timeout=dict(type='int', aliases=['nodeReRegistrationTimeout']), node_re_registration_timeout=dict(type='int', aliases=['nodeReRegistrationTimeout']),
@ -967,13 +824,7 @@ def main():
use_template_scope=dict(type='bool', aliases=['useTemplateScope']), use_template_scope=dict(type='bool', aliases=['useTemplateScope']),
use_template_mappers=dict(type='bool', aliases=['useTemplateMappers']), use_template_mappers=dict(type='bool', aliases=['useTemplateMappers']),
always_display_in_console=dict(type='bool', aliases=['alwaysDisplayInConsole']), always_display_in_console=dict(type='bool', aliases=['alwaysDisplayInConsole']),
authentication_flow_binding_overrides=dict( authentication_flow_binding_overrides=dict(type='dict', aliases=['authenticationFlowBindingOverrides']),
type='dict',
aliases=['authenticationFlowBindingOverrides'],
options=authentication_flow_spec,
required_one_of=[['browser', 'direct_grant', 'browser_name', 'direct_grant_name']],
mutually_exclusive=[['browser', 'browser_name'], ['direct_grant', 'direct_grant_name']],
),
protocol_mappers=dict(type='list', elements='dict', options=protmapper_spec, aliases=['protocolMappers']), protocol_mappers=dict(type='list', elements='dict', options=protmapper_spec, aliases=['protocolMappers']),
authorization_settings=dict(type='dict', aliases=['authorizationSettings']), authorization_settings=dict(type='dict', aliases=['authorizationSettings']),
default_client_scopes=dict(type='list', elements='str', aliases=['defaultClientScopes']), default_client_scopes=dict(type='list', elements='str', aliases=['defaultClientScopes']),
@ -1034,9 +885,7 @@ def main():
# Unfortunately, the ansible argument spec checker introduces variables with null values when # Unfortunately, the ansible argument spec checker introduces variables with null values when
# they are not specified # they are not specified
if client_param == 'protocol_mappers': if client_param == 'protocol_mappers':
new_param_value = [{k: v for k, v in x.items() if v is not None} for x in new_param_value] new_param_value = [dict((k, v) for k, v in x.items() if x[k] is not None) for x in new_param_value]
elif client_param == 'authentication_flow_binding_overrides':
new_param_value = flow_binding_from_dict_to_model(new_param_value, realm, kc)
changeset[camel(client_param)] = new_param_value changeset[camel(client_param)] = new_param_value
@ -1063,8 +912,6 @@ def main():
if 'clientId' not in desired_client: if 'clientId' not in desired_client:
module.fail_json(msg='client_id needs to be specified when creating a new client') module.fail_json(msg='client_id needs to be specified when creating a new client')
if 'protocol' not in desired_client:
desired_client['protocol'] = PROTOCOL_OPENID_CONNECT
if module._diff: if module._diff:
result['diff'] = dict(before='', after=sanitize_cr(desired_client)) result['diff'] = dict(before='', after=sanitize_cr(desired_client))
@ -1093,7 +940,7 @@ def main():
if module._diff: if module._diff:
result['diff'] = dict(before=sanitize_cr(before_norm), result['diff'] = dict(before=sanitize_cr(before_norm),
after=sanitize_cr(desired_norm)) after=sanitize_cr(desired_norm))
result['changed'] = not is_struct_included(desired_norm, before_norm, CLIENT_META_DATA) result['changed'] = (before_norm != desired_norm)
module.exit_json(**result) module.exit_json(**result)

View file

@ -1,848 +0,0 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright (c) 2017, Eike Frost <ei@kefro.st>
# Copyright (c) 2021, Christophe Gilles <christophe.gilles54@gmail.com>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
module: keycloak_realm
short_description: Allows administration of Keycloak realm via Keycloak API
version_added: 3.0.0
description:
- This module allows the administration of Keycloak realm via the Keycloak REST API. It
requires access to the REST API via OpenID Connect; the user connecting and the realm being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
Aliases are provided so camelCased versions can be used as well.
- The Keycloak API does not always sanity check inputs e.g. you can set
SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful.
If you do not specify a setting, usually a sensible default is chosen.
attributes:
check_mode:
support: full
diff_mode:
support: full
options:
state:
description:
- State of the realm.
- On V(present), the realm will be created (or updated if it exists already).
- On V(absent), the realm will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
id:
description:
- The realm to create.
type: str
realm:
description:
- The realm name.
type: str
access_code_lifespan:
description:
- The realm access code lifespan.
aliases:
- accessCodeLifespan
type: int
access_code_lifespan_login:
description:
- The realm access code lifespan login.
aliases:
- accessCodeLifespanLogin
type: int
access_code_lifespan_user_action:
description:
- The realm access code lifespan user action.
aliases:
- accessCodeLifespanUserAction
type: int
access_token_lifespan:
description:
- The realm access token lifespan.
aliases:
- accessTokenLifespan
type: int
access_token_lifespan_for_implicit_flow:
description:
- The realm access token lifespan for implicit flow.
aliases:
- accessTokenLifespanForImplicitFlow
type: int
account_theme:
description:
- The realm account theme.
aliases:
- accountTheme
type: str
action_token_generated_by_admin_lifespan:
description:
- The realm action token generated by admin lifespan.
aliases:
- actionTokenGeneratedByAdminLifespan
type: int
action_token_generated_by_user_lifespan:
description:
- The realm action token generated by user lifespan.
aliases:
- actionTokenGeneratedByUserLifespan
type: int
admin_events_details_enabled:
description:
- The realm admin events details enabled.
aliases:
- adminEventsDetailsEnabled
type: bool
admin_events_enabled:
description:
- The realm admin events enabled.
aliases:
- adminEventsEnabled
type: bool
admin_theme:
description:
- The realm admin theme.
aliases:
- adminTheme
type: str
attributes:
description:
- The realm attributes.
type: dict
browser_flow:
description:
- The realm browser flow.
aliases:
- browserFlow
type: str
browser_security_headers:
description:
- The realm browser security headers.
aliases:
- browserSecurityHeaders
type: dict
brute_force_protected:
description:
- The realm brute force protected.
aliases:
- bruteForceProtected
type: bool
client_authentication_flow:
description:
- The realm client authentication flow.
aliases:
- clientAuthenticationFlow
type: str
client_scope_mappings:
description:
- The realm client scope mappings.
aliases:
- clientScopeMappings
type: dict
default_default_client_scopes:
description:
- The realm default default client scopes.
aliases:
- defaultDefaultClientScopes
type: list
elements: str
default_groups:
description:
- The realm default groups.
aliases:
- defaultGroups
type: list
elements: str
default_locale:
description:
- The realm default locale.
aliases:
- defaultLocale
type: str
default_optional_client_scopes:
description:
- The realm default optional client scopes.
aliases:
- defaultOptionalClientScopes
type: list
elements: str
default_roles:
description:
- The realm default roles.
aliases:
- defaultRoles
type: list
elements: str
default_signature_algorithm:
description:
- The realm default signature algorithm.
aliases:
- defaultSignatureAlgorithm
type: str
direct_grant_flow:
description:
- The realm direct grant flow.
aliases:
- directGrantFlow
type: str
display_name:
description:
- The realm display name.
aliases:
- displayName
type: str
display_name_html:
description:
- The realm display name HTML.
aliases:
- displayNameHtml
type: str
docker_authentication_flow:
description:
- The realm docker authentication flow.
aliases:
- dockerAuthenticationFlow
type: str
duplicate_emails_allowed:
description:
- The realm duplicate emails allowed option.
aliases:
- duplicateEmailsAllowed
type: bool
edit_username_allowed:
description:
- The realm edit username allowed option.
aliases:
- editUsernameAllowed
type: bool
email_theme:
description:
- The realm email theme.
aliases:
- emailTheme
type: str
enabled:
description:
- The realm enabled option.
type: bool
enabled_event_types:
description:
- The realm enabled event types.
aliases:
- enabledEventTypes
type: list
elements: str
events_enabled:
description:
- Enables or disables login events for this realm.
aliases:
- eventsEnabled
type: bool
version_added: 3.6.0
events_expiration:
description:
- The realm events expiration.
aliases:
- eventsExpiration
type: int
events_listeners:
description:
- The realm events listeners.
aliases:
- eventsListeners
type: list
elements: str
failure_factor:
description:
- The realm failure factor.
aliases:
- failureFactor
type: int
internationalization_enabled:
description:
- The realm internationalization enabled option.
aliases:
- internationalizationEnabled
type: bool
login_theme:
description:
- The realm login theme.
aliases:
- loginTheme
type: str
login_with_email_allowed:
description:
- The realm login with email allowed option.
aliases:
- loginWithEmailAllowed
type: bool
max_delta_time_seconds:
description:
- The realm max delta time in seconds.
aliases:
- maxDeltaTimeSeconds
type: int
max_failure_wait_seconds:
description:
- The realm max failure wait in seconds.
aliases:
- maxFailureWaitSeconds
type: int
minimum_quick_login_wait_seconds:
description:
- The realm minimum quick login wait in seconds.
aliases:
- minimumQuickLoginWaitSeconds
type: int
not_before:
description:
- The realm not before.
aliases:
- notBefore
type: int
offline_session_idle_timeout:
description:
- The realm offline session idle timeout.
aliases:
- offlineSessionIdleTimeout
type: int
offline_session_max_lifespan:
description:
- The realm offline session max lifespan.
aliases:
- offlineSessionMaxLifespan
type: int
offline_session_max_lifespan_enabled:
description:
- The realm offline session max lifespan enabled option.
aliases:
- offlineSessionMaxLifespanEnabled
type: bool
otp_policy_algorithm:
description:
- The realm otp policy algorithm.
aliases:
- otpPolicyAlgorithm
type: str
otp_policy_digits:
description:
- The realm otp policy digits.
aliases:
- otpPolicyDigits
type: int
otp_policy_initial_counter:
description:
- The realm otp policy initial counter.
aliases:
- otpPolicyInitialCounter
type: int
otp_policy_look_ahead_window:
description:
- The realm otp policy look ahead window.
aliases:
- otpPolicyLookAheadWindow
type: int
otp_policy_period:
description:
- The realm otp policy period.
aliases:
- otpPolicyPeriod
type: int
otp_policy_type:
description:
- The realm otp policy type.
aliases:
- otpPolicyType
type: str
otp_supported_applications:
description:
- The realm otp supported applications.
aliases:
- otpSupportedApplications
type: list
elements: str
password_policy:
description:
- The realm password policy.
aliases:
- passwordPolicy
type: str
permanent_lockout:
description:
- The realm permanent lockout.
aliases:
- permanentLockout
type: bool
quick_login_check_milli_seconds:
description:
- The realm quick login check in milliseconds.
aliases:
- quickLoginCheckMilliSeconds
type: int
refresh_token_max_reuse:
description:
- The realm refresh token max reuse.
aliases:
- refreshTokenMaxReuse
type: int
registration_allowed:
description:
- The realm registration allowed option.
aliases:
- registrationAllowed
type: bool
registration_email_as_username:
description:
- The realm registration email as username option.
aliases:
- registrationEmailAsUsername
type: bool
registration_flow:
description:
- The realm registration flow.
aliases:
- registrationFlow
type: str
remember_me:
description:
- The realm remember me option.
aliases:
- rememberMe
type: bool
reset_credentials_flow:
description:
- The realm reset credentials flow.
aliases:
- resetCredentialsFlow
type: str
reset_password_allowed:
description:
- The realm reset password allowed option.
aliases:
- resetPasswordAllowed
type: bool
revoke_refresh_token:
description:
- The realm revoke refresh token option.
aliases:
- revokeRefreshToken
type: bool
smtp_server:
description:
- The realm smtp server.
aliases:
- smtpServer
type: dict
ssl_required:
description:
- The realm ssl required option.
choices: ['all', 'external', 'none']
aliases:
- sslRequired
type: str
sso_session_idle_timeout:
description:
- The realm sso session idle timeout.
aliases:
- ssoSessionIdleTimeout
type: int
sso_session_idle_timeout_remember_me:
description:
- The realm sso session idle timeout remember me.
aliases:
- ssoSessionIdleTimeoutRememberMe
type: int
sso_session_max_lifespan:
description:
- The realm sso session max lifespan.
aliases:
- ssoSessionMaxLifespan
type: int
sso_session_max_lifespan_remember_me:
description:
- The realm sso session max lifespan remember me.
aliases:
- ssoSessionMaxLifespanRememberMe
type: int
supported_locales:
description:
- The realm supported locales.
aliases:
- supportedLocales
type: list
elements: str
user_managed_access_allowed:
description:
- The realm user managed access allowed option.
aliases:
- userManagedAccessAllowed
type: bool
verify_email:
description:
- The realm verify email option.
aliases:
- verifyEmail
type: bool
wait_increment_seconds:
description:
- The realm wait increment in seconds.
aliases:
- waitIncrementSeconds
type: int
extends_documentation_fragment:
- middleware_automation.keycloak.keycloak
- middleware_automation.keycloak.attributes
author:
- Christophe Gilles (@kris2kris)
'''
EXAMPLES = '''
- name: Create or update Keycloak realm (minimal example)
middleware_automation.keycloak.keycloak_realm:
auth_client_id: admin-cli
auth_keycloak_url: https://auth.example.com/auth
auth_realm: master
auth_username: USERNAME
auth_password: PASSWORD
id: realm
realm: realm
state: present
- name: Delete a Keycloak realm
middleware_automation.keycloak.keycloak_realm:
auth_client_id: admin-cli
auth_keycloak_url: https://auth.example.com/auth
auth_realm: master
auth_username: USERNAME
auth_password: PASSWORD
id: test
state: absent
'''
RETURN = '''
msg:
description: Message as to what action was taken.
returned: always
type: str
sample: "Realm testrealm has been updated"
proposed:
description: Representation of proposed realm.
returned: always
type: dict
sample: {
id: "test"
}
existing:
description: Representation of existing realm (sample is truncated).
returned: always
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
end_state:
description: Representation of realm after module execution (sample is truncated).
returned: on success
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
'''
from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError
from ansible.module_utils.basic import AnsibleModule
def normalise_cr(realmrep):
""" Re-sorts any properties where the order is important so that diff's is minimised and the change detection is more effective.
:param realmrep: the realmrep dict to be sanitized
:return: normalised realmrep dict
"""
# Avoid the dict passed in to be modified
realmrep = realmrep.copy()
if 'enabledEventTypes' in realmrep:
realmrep['enabledEventTypes'] = list(sorted(realmrep['enabledEventTypes']))
if 'otpSupportedApplications' in realmrep:
realmrep['otpSupportedApplications'] = list(sorted(realmrep['otpSupportedApplications']))
if 'supportedLocales' in realmrep:
realmrep['supportedLocales'] = list(sorted(realmrep['supportedLocales']))
return realmrep
def sanitize_cr(realmrep):
""" Removes probably sensitive details from a realm representation.
:param realmrep: the realmrep dict to be sanitized
:return: sanitized realmrep dict
"""
result = realmrep.copy()
if 'secret' in result:
result['secret'] = '********'
if 'attributes' in result:
if 'saml.signing.private.key' in result['attributes']:
result['attributes'] = result['attributes'].copy()
result['attributes']['saml.signing.private.key'] = '********'
return normalise_cr(result)
def main():
"""
Module execution
:return:
"""
argument_spec = keycloak_argument_spec()
meta_args = dict(
state=dict(default='present', choices=['present', 'absent']),
id=dict(type='str'),
realm=dict(type='str'),
access_code_lifespan=dict(type='int', aliases=['accessCodeLifespan']),
access_code_lifespan_login=dict(type='int', aliases=['accessCodeLifespanLogin']),
access_code_lifespan_user_action=dict(type='int', aliases=['accessCodeLifespanUserAction']),
access_token_lifespan=dict(type='int', aliases=['accessTokenLifespan'], no_log=False),
access_token_lifespan_for_implicit_flow=dict(type='int', aliases=['accessTokenLifespanForImplicitFlow'], no_log=False),
account_theme=dict(type='str', aliases=['accountTheme']),
action_token_generated_by_admin_lifespan=dict(type='int', aliases=['actionTokenGeneratedByAdminLifespan'], no_log=False),
action_token_generated_by_user_lifespan=dict(type='int', aliases=['actionTokenGeneratedByUserLifespan'], no_log=False),
admin_events_details_enabled=dict(type='bool', aliases=['adminEventsDetailsEnabled']),
admin_events_enabled=dict(type='bool', aliases=['adminEventsEnabled']),
admin_theme=dict(type='str', aliases=['adminTheme']),
attributes=dict(type='dict'),
browser_flow=dict(type='str', aliases=['browserFlow']),
browser_security_headers=dict(type='dict', aliases=['browserSecurityHeaders']),
brute_force_protected=dict(type='bool', aliases=['bruteForceProtected']),
client_authentication_flow=dict(type='str', aliases=['clientAuthenticationFlow']),
client_scope_mappings=dict(type='dict', aliases=['clientScopeMappings']),
default_default_client_scopes=dict(type='list', elements='str', aliases=['defaultDefaultClientScopes']),
default_groups=dict(type='list', elements='str', aliases=['defaultGroups']),
default_locale=dict(type='str', aliases=['defaultLocale']),
default_optional_client_scopes=dict(type='list', elements='str', aliases=['defaultOptionalClientScopes']),
default_roles=dict(type='list', elements='str', aliases=['defaultRoles']),
default_signature_algorithm=dict(type='str', aliases=['defaultSignatureAlgorithm']),
direct_grant_flow=dict(type='str', aliases=['directGrantFlow']),
display_name=dict(type='str', aliases=['displayName']),
display_name_html=dict(type='str', aliases=['displayNameHtml']),
docker_authentication_flow=dict(type='str', aliases=['dockerAuthenticationFlow']),
duplicate_emails_allowed=dict(type='bool', aliases=['duplicateEmailsAllowed']),
edit_username_allowed=dict(type='bool', aliases=['editUsernameAllowed']),
email_theme=dict(type='str', aliases=['emailTheme']),
enabled=dict(type='bool'),
enabled_event_types=dict(type='list', elements='str', aliases=['enabledEventTypes']),
events_enabled=dict(type='bool', aliases=['eventsEnabled']),
events_expiration=dict(type='int', aliases=['eventsExpiration']),
events_listeners=dict(type='list', elements='str', aliases=['eventsListeners']),
failure_factor=dict(type='int', aliases=['failureFactor']),
internationalization_enabled=dict(type='bool', aliases=['internationalizationEnabled']),
login_theme=dict(type='str', aliases=['loginTheme']),
login_with_email_allowed=dict(type='bool', aliases=['loginWithEmailAllowed']),
max_delta_time_seconds=dict(type='int', aliases=['maxDeltaTimeSeconds']),
max_failure_wait_seconds=dict(type='int', aliases=['maxFailureWaitSeconds']),
minimum_quick_login_wait_seconds=dict(type='int', aliases=['minimumQuickLoginWaitSeconds']),
not_before=dict(type='int', aliases=['notBefore']),
offline_session_idle_timeout=dict(type='int', aliases=['offlineSessionIdleTimeout']),
offline_session_max_lifespan=dict(type='int', aliases=['offlineSessionMaxLifespan']),
offline_session_max_lifespan_enabled=dict(type='bool', aliases=['offlineSessionMaxLifespanEnabled']),
otp_policy_algorithm=dict(type='str', aliases=['otpPolicyAlgorithm']),
otp_policy_digits=dict(type='int', aliases=['otpPolicyDigits']),
otp_policy_initial_counter=dict(type='int', aliases=['otpPolicyInitialCounter']),
otp_policy_look_ahead_window=dict(type='int', aliases=['otpPolicyLookAheadWindow']),
otp_policy_period=dict(type='int', aliases=['otpPolicyPeriod']),
otp_policy_type=dict(type='str', aliases=['otpPolicyType']),
otp_supported_applications=dict(type='list', elements='str', aliases=['otpSupportedApplications']),
password_policy=dict(type='str', aliases=['passwordPolicy'], no_log=False),
permanent_lockout=dict(type='bool', aliases=['permanentLockout']),
quick_login_check_milli_seconds=dict(type='int', aliases=['quickLoginCheckMilliSeconds']),
refresh_token_max_reuse=dict(type='int', aliases=['refreshTokenMaxReuse'], no_log=False),
registration_allowed=dict(type='bool', aliases=['registrationAllowed']),
registration_email_as_username=dict(type='bool', aliases=['registrationEmailAsUsername']),
registration_flow=dict(type='str', aliases=['registrationFlow']),
remember_me=dict(type='bool', aliases=['rememberMe']),
reset_credentials_flow=dict(type='str', aliases=['resetCredentialsFlow']),
reset_password_allowed=dict(type='bool', aliases=['resetPasswordAllowed'], no_log=False),
revoke_refresh_token=dict(type='bool', aliases=['revokeRefreshToken']),
smtp_server=dict(type='dict', aliases=['smtpServer']),
ssl_required=dict(choices=["external", "all", "none"], aliases=['sslRequired']),
sso_session_idle_timeout=dict(type='int', aliases=['ssoSessionIdleTimeout']),
sso_session_idle_timeout_remember_me=dict(type='int', aliases=['ssoSessionIdleTimeoutRememberMe']),
sso_session_max_lifespan=dict(type='int', aliases=['ssoSessionMaxLifespan']),
sso_session_max_lifespan_remember_me=dict(type='int', aliases=['ssoSessionMaxLifespanRememberMe']),
supported_locales=dict(type='list', elements='str', aliases=['supportedLocales']),
user_managed_access_allowed=dict(type='bool', aliases=['userManagedAccessAllowed']),
verify_email=dict(type='bool', aliases=['verifyEmail']),
wait_increment_seconds=dict(type='int', aliases=['waitIncrementSeconds']),
)
argument_spec.update(meta_args)
module = AnsibleModule(argument_spec=argument_spec,
supports_check_mode=True,
required_one_of=([['id', 'realm', 'enabled'],
['token', 'auth_realm', 'auth_username', 'auth_password']]),
required_together=([['auth_realm', 'auth_username', 'auth_password']]))
result = dict(changed=False, msg='', diff={}, proposed={}, existing={}, end_state={})
# Obtain access token, initialize API
try:
connection_header = get_token(module.params)
except KeycloakError as e:
module.fail_json(msg=str(e))
kc = KeycloakAPI(module, connection_header)
realm = module.params.get('realm')
state = module.params.get('state')
# convert module parameters to realm representation parameters (if they belong in there)
params_to_ignore = list(keycloak_argument_spec().keys()) + ['state']
# Filter and map the parameters names that apply to the role
realm_params = [x for x in module.params
if x not in params_to_ignore and
module.params.get(x) is not None]
# See whether the realm already exists in Keycloak
before_realm = kc.get_realm_by_id(realm=realm)
if before_realm is None:
before_realm = {}
# Build a proposed changeset from parameters given to this module
changeset = {}
for realm_param in realm_params:
new_param_value = module.params.get(realm_param)
changeset[camel(realm_param)] = new_param_value
# Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis)
desired_realm = before_realm.copy()
desired_realm.update(changeset)
result['proposed'] = sanitize_cr(changeset)
before_realm_sanitized = sanitize_cr(before_realm)
result['existing'] = before_realm_sanitized
# Cater for when it doesn't exist (an empty dict)
if not before_realm:
if state == 'absent':
# Do nothing and exit
if module._diff:
result['diff'] = dict(before='', after='')
result['changed'] = False
result['end_state'] = {}
result['msg'] = 'Realm does not exist, doing nothing.'
module.exit_json(**result)
# Process a creation
result['changed'] = True
if 'id' not in desired_realm:
module.fail_json(msg='id needs to be specified when creating a new realm')
if module._diff:
result['diff'] = dict(before='', after=sanitize_cr(desired_realm))
if module.check_mode:
module.exit_json(**result)
# create it
kc.create_realm(desired_realm)
after_realm = kc.get_realm_by_id(desired_realm['id'])
result['end_state'] = sanitize_cr(after_realm)
result['msg'] = 'Realm %s has been created.' % desired_realm['id']
module.exit_json(**result)
else:
if state == 'present':
# Process an update
# doing an update
result['changed'] = True
if module.check_mode:
# We can only compare the current realm with the proposed updates we have
before_norm = normalise_cr(before_realm)
desired_norm = normalise_cr(desired_realm)
if module._diff:
result['diff'] = dict(before=sanitize_cr(before_norm),
after=sanitize_cr(desired_norm))
result['changed'] = (before_norm != desired_norm)
module.exit_json(**result)
# do the update
kc.update_realm(desired_realm, realm=realm)
after_realm = kc.get_realm_by_id(realm=realm)
if before_realm == after_realm:
result['changed'] = False
result['end_state'] = sanitize_cr(after_realm)
if module._diff:
result['diff'] = dict(before=before_realm_sanitized,
after=sanitize_cr(after_realm))
result['msg'] = 'Realm %s has been updated.' % desired_realm['id']
module.exit_json(**result)
else:
# Process a deletion (because state was not 'present')
result['changed'] = True
if module._diff:
result['diff'] = dict(before=before_realm_sanitized, after='')
if module.check_mode:
module.exit_json(**result)
# delete it
kc.delete_realm(realm=realm)
result['proposed'] = {}
result['end_state'] = {}
result['msg'] = 'Realm %s has been deleted.' % before_realm['id']
module.exit_json(**result)
if __name__ == '__main__':
main()

View file

@ -40,8 +40,8 @@ options:
state: state:
description: description:
- State of the role. - State of the role.
- On V(present), the role will be created if it does not yet exist, or updated with the parameters you provide. - On C(present), the role will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the role will be removed if it exists. - On C(absent), the role will be removed if it exists.
default: 'present' default: 'present'
type: str type: str
choices: choices:
@ -77,42 +77,6 @@ options:
description: description:
- A dict of key/value pairs to set as custom attributes for the role. - A dict of key/value pairs to set as custom attributes for the role.
- Values may be single values (e.g. a string) or a list of strings. - Values may be single values (e.g. a string) or a list of strings.
composite:
description:
- If V(true), the role is a composition of other realm and/or client role.
default: false
type: bool
version_added: 7.1.0
composites:
description:
- List of roles to include to the composite realm role.
- If the composite role is a client role, the C(clientId) (not ID of the client) must be specified.
default: []
type: list
elements: dict
version_added: 7.1.0
suboptions:
name:
description:
- Name of the role. This can be the name of a REALM role or a client role.
type: str
required: true
client_id:
description:
- Client ID if the role is a client role. Do not include this option for a REALM role.
- Use the client ID you can see in the Keycloak console, not the technical ID of the client.
type: str
required: false
aliases:
- clientId
state:
description:
- Create the composite if present, remove it if absent.
type: str
choices:
- present
- absent
default: present
extends_documentation_fragment: extends_documentation_fragment:
- middleware_automation.keycloak.keycloak - middleware_automation.keycloak.keycloak
@ -178,14 +142,14 @@ EXAMPLES = '''
auth_password: PASSWORD auth_password: PASSWORD
name: my-new-role name: my-new-role
attributes: attributes:
attrib1: value1 attrib1: value1
attrib2: value2 attrib2: value2
attrib3: attrib3:
- with - with
- numerous - numerous
- individual - individual
- list - list
- items - items
delegate_to: localhost delegate_to: localhost
''' '''
@ -234,9 +198,8 @@ end_state:
''' '''
from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError, is_struct_included keycloak_argument_spec, get_token, KeycloakError
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
import copy
def main(): def main():
@ -247,12 +210,6 @@ def main():
""" """
argument_spec = keycloak_argument_spec() argument_spec = keycloak_argument_spec()
composites_spec = dict(
name=dict(type='str', required=True),
client_id=dict(type='str', aliases=['clientId'], required=False),
state=dict(type='str', default='present', choices=['present', 'absent'])
)
meta_args = dict( meta_args = dict(
state=dict(type='str', default='present', choices=['present', 'absent']), state=dict(type='str', default='present', choices=['present', 'absent']),
name=dict(type='str', required=True), name=dict(type='str', required=True),
@ -260,8 +217,6 @@ def main():
realm=dict(type='str', default='master'), realm=dict(type='str', default='master'),
client_id=dict(type='str'), client_id=dict(type='str'),
attributes=dict(type='dict'), attributes=dict(type='dict'),
composites=dict(type='list', default=[], options=composites_spec, elements='dict'),
composite=dict(type='bool', default=False),
) )
argument_spec.update(meta_args) argument_spec.update(meta_args)
@ -295,7 +250,7 @@ def main():
# Filter and map the parameters names that apply to the role # Filter and map the parameters names that apply to the role
role_params = [x for x in module.params role_params = [x for x in module.params
if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm', 'client_id'] and if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm', 'client_id', 'composites'] and
module.params.get(x) is not None] module.params.get(x) is not None]
# See if it already exists in Keycloak # See if it already exists in Keycloak
@ -314,10 +269,10 @@ def main():
new_param_value = module.params.get(param) new_param_value = module.params.get(param)
old_value = before_role[param] if param in before_role else None old_value = before_role[param] if param in before_role else None
if new_param_value != old_value: if new_param_value != old_value:
changeset[camel(param)] = copy.deepcopy(new_param_value) changeset[camel(param)] = new_param_value
# Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis) # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis)
desired_role = copy.deepcopy(before_role) desired_role = before_role.copy()
desired_role.update(changeset) desired_role.update(changeset)
result['proposed'] = changeset result['proposed'] = changeset
@ -354,9 +309,6 @@ def main():
kc.create_client_role(desired_role, clientid, realm) kc.create_client_role(desired_role, clientid, realm)
after_role = kc.get_client_role(name, clientid, realm) after_role = kc.get_client_role(name, clientid, realm)
if after_role['composite']:
after_role['composites'] = kc.get_role_composites(rolerep=after_role, clientid=clientid, realm=realm)
result['end_state'] = after_role result['end_state'] = after_role
result['msg'] = 'Role {name} has been created'.format(name=name) result['msg'] = 'Role {name} has been created'.format(name=name)
@ -364,25 +316,10 @@ def main():
else: else:
if state == 'present': if state == 'present':
compare_exclude = []
if 'composites' in desired_role and isinstance(desired_role['composites'], list) and len(desired_role['composites']) > 0:
composites = kc.get_role_composites(rolerep=before_role, clientid=clientid, realm=realm)
before_role['composites'] = []
for composite in composites:
before_composite = {}
if composite['clientRole']:
composite_client = kc.get_client_by_id(id=composite['containerId'], realm=realm)
before_composite['client_id'] = composite_client['clientId']
else:
before_composite['client_id'] = None
before_composite['name'] = composite['name']
before_composite['state'] = 'present'
before_role['composites'].append(before_composite)
else:
compare_exclude.append('composites')
# Process an update # Process an update
# no changes # no changes
if is_struct_included(desired_role, before_role, exclude=compare_exclude): if desired_role == before_role:
result['changed'] = False result['changed'] = False
result['end_state'] = desired_role result['end_state'] = desired_role
result['msg'] = "No changes required to role {name}.".format(name=name) result['msg'] = "No changes required to role {name}.".format(name=name)
@ -404,8 +341,6 @@ def main():
else: else:
kc.update_client_role(desired_role, clientid, realm) kc.update_client_role(desired_role, clientid, realm)
after_role = kc.get_client_role(name, clientid, realm) after_role = kc.get_client_role(name, clientid, realm)
if after_role['composite']:
after_role['composites'] = kc.get_role_composites(rolerep=after_role, clientid=clientid, realm=realm)
result['end_state'] = after_role result['end_state'] = after_role

View file

@ -36,9 +36,9 @@ options:
state: state:
description: description:
- State of the user federation. - State of the user federation.
- On V(present), the user federation will be created if it does not yet exist, or updated with - On C(present), the user federation will be created if it does not yet exist, or updated with
the parameters you provide. the parameters you provide.
- On V(absent), the user federation will be removed if it exists. - On C(absent), the user federation will be removed if it exists.
default: 'present' default: 'present'
type: str type: str
choices: choices:
@ -54,7 +54,7 @@ options:
id: id:
description: description:
- The unique ID for this user federation. If left empty, the user federation will be searched - The unique ID for this user federation. If left empty, the user federation will be searched
by its O(name). by its I(name).
type: str type: str
name: name:
@ -64,15 +64,18 @@ options:
provider_id: provider_id:
description: description:
- Provider for this user federation. Built-in providers are V(ldap), V(kerberos), and V(sssd). - Provider for this user federation.
Custom user storage providers can also be used.
aliases: aliases:
- providerId - providerId
type: str type: str
choices:
- ldap
- kerberos
- sssd
provider_type: provider_type:
description: description:
- Component type for user federation (only supported value is V(org.keycloak.storage.UserStorageProvider)). - Component type for user federation (only supported value is C(org.keycloak.storage.UserStorageProvider)).
aliases: aliases:
- providerType - providerType
default: org.keycloak.storage.UserStorageProvider default: org.keycloak.storage.UserStorageProvider
@ -85,37 +88,13 @@ options:
- parentId - parentId
type: str type: str
remove_unspecified_mappers:
description:
- Remove mappers that are not specified in the configuration for this federation.
- Set to V(false) to keep mappers that are not listed in O(mappers).
type: bool
default: true
bind_credential_update_mode:
description:
- The value of the config parameter O(config.bindCredential) is redacted in the Keycloak responses.
Comparing the redacted value with the desired value always evaluates to not equal. This means
the before and desired states are never equal if the parameter is set.
- Set to V(always) to include O(config.bindCredential) in the comparison of before and desired state.
Because of the redacted value returned by Keycloak the module will always detect a change
and make an update if a O(config.bindCredential) value is set.
- Set to V(only_indirect) to exclude O(config.bindCredential) when comparing the before state with the
desired state. The value of O(config.bindCredential) will only be updated if there are other changes
to the user federation that require an update.
type: str
default: always
choices:
- always
- only_indirect
config: config:
description: description:
- Dict specifying the configuration options for the provider; the contents differ depending on - Dict specifying the configuration options for the provider; the contents differ depending on
the value of O(provider_id). Examples are given below for V(ldap), V(kerberos) and V(sssd). the value of I(provider_id). Examples are given below for C(ldap), C(kerberos) and C(sssd).
It is easiest to obtain valid config values by dumping an already-existing user federation It is easiest to obtain valid config values by dumping an already-existing user federation
configuration through check-mode in the RV(existing) field. configuration through check-mode in the I(existing) field.
- The value V(sssd) has been supported since middleware_automation.keycloak 2.0.0. - The value C(sssd) has been supported since middleware_automation.keycloak 1.0.0.
type: dict type: dict
suboptions: suboptions:
enabled: enabled:
@ -132,15 +111,15 @@ options:
importEnabled: importEnabled:
description: description:
- If V(true), LDAP users will be imported into Keycloak DB and synced by the configured - If C(true), LDAP users will be imported into Keycloak DB and synced by the configured
sync policies. sync policies.
default: true default: true
type: bool type: bool
editMode: editMode:
description: description:
- V(READ_ONLY) is a read-only LDAP store. V(WRITABLE) means data will be synced back to LDAP - C(READ_ONLY) is a read-only LDAP store. C(WRITABLE) means data will be synced back to LDAP
on demand. V(UNSYNCED) means user data will be imported, but not synced back to LDAP. on demand. C(UNSYNCED) means user data will be imported, but not synced back to LDAP.
type: str type: str
choices: choices:
- READ_ONLY - READ_ONLY
@ -157,13 +136,13 @@ options:
vendor: vendor:
description: description:
- LDAP vendor (provider). - LDAP vendor (provider).
- Use short name. For instance, write V(rhds) for "Red Hat Directory Server". - Use short name. For instance, write C(rhds) for "Red Hat Directory Server".
type: str type: str
usernameLDAPAttribute: usernameLDAPAttribute:
description: description:
- Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server - Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server
vendors it can be V(uid). For Active directory it can be V(sAMAccountName) or V(cn). vendors it can be C(uid). For Active directory it can be C(sAMAccountName) or C(cn).
The attribute should be filled for all LDAP user records you want to import from The attribute should be filled for all LDAP user records you want to import from
LDAP to Keycloak. LDAP to Keycloak.
type: str type: str
@ -172,15 +151,15 @@ options:
description: description:
- Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. - Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN.
Usually it's the same as Username LDAP attribute, however it is not required. For Usually it's the same as Username LDAP attribute, however it is not required. For
example for Active directory, it is common to use V(cn) as RDN attribute when example for Active directory, it is common to use C(cn) as RDN attribute when
username attribute might be V(sAMAccountName). username attribute might be C(sAMAccountName).
type: str type: str
uuidLDAPAttribute: uuidLDAPAttribute:
description: description:
- Name of LDAP attribute, which is used as unique object identifier (UUID) for objects - Name of LDAP attribute, which is used as unique object identifier (UUID) for objects
in LDAP. For many LDAP server vendors, it is V(entryUUID); however some are different. in LDAP. For many LDAP server vendors, it is C(entryUUID); however some are different.
For example for Active directory it should be V(objectGUID). If your LDAP server does For example for Active directory it should be C(objectGUID). If your LDAP server does
not support the notion of UUID, you can use any other attribute that is supposed to not support the notion of UUID, you can use any other attribute that is supposed to
be unique among LDAP users in tree. be unique among LDAP users in tree.
type: str type: str
@ -188,7 +167,7 @@ options:
userObjectClasses: userObjectClasses:
description: description:
- All values of LDAP objectClass attribute for users in LDAP divided by comma. - All values of LDAP objectClass attribute for users in LDAP divided by comma.
For example V(inetOrgPerson, organizationalPerson). Newly created Keycloak users For example C(inetOrgPerson, organizationalPerson). Newly created Keycloak users
will be written to LDAP with all those object classes and existing LDAP user records will be written to LDAP with all those object classes and existing LDAP user records
are found just if they contain all those object classes. are found just if they contain all those object classes.
type: str type: str
@ -272,8 +251,8 @@ options:
useTruststoreSpi: useTruststoreSpi:
description: description:
- Specifies whether LDAP connection will use the truststore SPI with the truststore - Specifies whether LDAP connection will use the truststore SPI with the truststore
configured in standalone.xml/domain.xml. V(always) means that it will always use it. configured in standalone.xml/domain.xml. C(Always) means that it will always use it.
V(never) means that it will not use it. V(ldapsOnly) means that it will use if C(Never) means that it will not use it. C(Only for ldaps) means that it will use if
your connection URL use ldaps. Note even if standalone.xml/domain.xml is not your connection URL use ldaps. Note even if standalone.xml/domain.xml is not
configured, the default Java cacerts or certificate specified by configured, the default Java cacerts or certificate specified by
C(javax.net.ssl.trustStore) property will be used. C(javax.net.ssl.trustStore) property will be used.
@ -318,7 +297,7 @@ options:
connectionPoolingDebug: connectionPoolingDebug:
description: description:
- A string that indicates the level of debug output to produce. Example valid values are - A string that indicates the level of debug output to produce. Example valid values are
V(fine) (trace connection creation and removal) and V(all) (all debugging information). C(fine) (trace connection creation and removal) and C(all) (all debugging information).
type: str type: str
connectionPoolingInitSize: connectionPoolingInitSize:
@ -342,7 +321,7 @@ options:
connectionPoolingProtocol: connectionPoolingProtocol:
description: description:
- A list of space-separated protocol types of connections that may be pooled. - A list of space-separated protocol types of connections that may be pooled.
Valid types are V(plain) and V(ssl). Valid types are C(plain) and C(ssl).
type: str type: str
connectionPoolingTimeout: connectionPoolingTimeout:
@ -363,26 +342,17 @@ options:
- Name of kerberos realm. - Name of kerberos realm.
type: str type: str
krbPrincipalAttribute:
description:
- Name of the LDAP attribute, which refers to Kerberos principal.
This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO authentication in Keycloak.
When this is empty, the LDAP user will be looked based on LDAP username corresponding
to the first part of his Kerberos principal. For instance, for principal C(john@KEYCLOAK.ORG),
it will assume that LDAP username is V(john).
type: str
serverPrincipal: serverPrincipal:
description: description:
- Full name of server principal for HTTP service including server and domain name. For - Full name of server principal for HTTP service including server and domain name. For
example V(HTTP/host.foo.org@FOO.ORG). Use V(*) to accept any service principal in the example C(HTTP/host.foo.org@FOO.ORG). Use C(*) to accept any service principal in the
KeyTab file. KeyTab file.
type: str type: str
keyTab: keyTab:
description: description:
- Location of Kerberos KeyTab file containing the credentials of server principal. For - Location of Kerberos KeyTab file containing the credentials of server principal. For
example V(/etc/krb5.keytab). example C(/etc/krb5.keytab).
type: str type: str
debug: debug:
@ -457,16 +427,6 @@ options:
- Max lifespan of cache entry in milliseconds. - Max lifespan of cache entry in milliseconds.
type: int type: int
referral:
description:
- Specifies if LDAP referrals should be followed or ignored. Please note that enabling
referrals can slow down authentication as it allows the LDAP server to decide which other
LDAP servers to use. This could potentially include untrusted servers.
type: str
choices:
- ignore
- follow
mappers: mappers:
description: description:
- A list of dicts defining mappers associated with this Identity Provider. - A list of dicts defining mappers associated with this Identity Provider.
@ -491,7 +451,7 @@ options:
providerId: providerId:
description: description:
- The mapper type for this mapper (for instance V(user-attribute-ldap-mapper)). - The mapper type for this mapper (for instance C(user-attribute-ldap-mapper)).
type: str type: str
providerType: providerType:
@ -574,14 +534,14 @@ EXAMPLES = '''
provider_id: kerberos provider_id: kerberos
provider_type: org.keycloak.storage.UserStorageProvider provider_type: org.keycloak.storage.UserStorageProvider
config: config:
priority: 0 priority: 0
enabled: true enabled: true
cachePolicy: DEFAULT cachePolicy: DEFAULT
kerberosRealm: EXAMPLE.COM kerberosRealm: EXAMPLE.COM
serverPrincipal: HTTP/host.example.com@EXAMPLE.COM serverPrincipal: HTTP/host.example.com@EXAMPLE.COM
keyTab: keytab keyTab: keytab
allowPasswordAuthentication: false allowPasswordAuthentication: false
updateProfileFirstLogin: false updateProfileFirstLogin: false
- name: Create sssd user federation - name: Create sssd user federation
middleware_automation.keycloak.keycloak_user_federation: middleware_automation.keycloak.keycloak_user_federation:
@ -744,27 +704,16 @@ from ansible.module_utils.six.moves.urllib.parse import urlencode
from copy import deepcopy from copy import deepcopy
def normalize_kc_comp(comp):
if 'config' in comp:
# kc completely removes the parameter `krbPrincipalAttribute` if it is set to `''`; the unset kc parameter is equivalent to `''`;
# to make change detection and diff more accurate we set it again in the kc responses
if 'krbPrincipalAttribute' not in comp['config']:
comp['config']['krbPrincipalAttribute'] = ['']
# kc stores a timestamp of the last sync in `lastSync` to time the periodic sync, it is removed to minimize diff/changes
comp['config'].pop('lastSync', None)
def sanitize(comp): def sanitize(comp):
compcopy = deepcopy(comp) compcopy = deepcopy(comp)
if 'config' in compcopy: if 'config' in compcopy:
compcopy['config'] = {k: v[0] for k, v in compcopy['config'].items()} compcopy['config'] = dict((k, v[0]) for k, v in compcopy['config'].items())
if 'bindCredential' in compcopy['config']: if 'bindCredential' in compcopy['config']:
compcopy['config']['bindCredential'] = '**********' compcopy['config']['bindCredential'] = '**********'
if 'mappers' in compcopy: if 'mappers' in compcopy:
for mapper in compcopy['mappers']: for mapper in compcopy['mappers']:
if 'config' in mapper: if 'config' in mapper:
mapper['config'] = {k: v[0] for k, v in mapper['config'].items()} mapper['config'] = dict((k, v[0]) for k, v in mapper['config'].items())
return compcopy return compcopy
@ -811,10 +760,8 @@ def main():
priority=dict(type='int', default=0), priority=dict(type='int', default=0),
rdnLDAPAttribute=dict(type='str'), rdnLDAPAttribute=dict(type='str'),
readTimeout=dict(type='int'), readTimeout=dict(type='int'),
referral=dict(type='str', choices=['ignore', 'follow']),
searchScope=dict(type='str', choices=['1', '2'], default='1'), searchScope=dict(type='str', choices=['1', '2'], default='1'),
serverPrincipal=dict(type='str'), serverPrincipal=dict(type='str'),
krbPrincipalAttribute=dict(type='str'),
startTls=dict(type='bool', default=False), startTls=dict(type='bool', default=False),
syncRegistrations=dict(type='bool', default=False), syncRegistrations=dict(type='bool', default=False),
trustEmail=dict(type='bool', default=False), trustEmail=dict(type='bool', default=False),
@ -845,11 +792,9 @@ def main():
realm=dict(type='str', default='master'), realm=dict(type='str', default='master'),
id=dict(type='str'), id=dict(type='str'),
name=dict(type='str'), name=dict(type='str'),
provider_id=dict(type='str', aliases=['providerId']), provider_id=dict(type='str', aliases=['providerId'], choices=['ldap', 'kerberos', 'sssd']),
provider_type=dict(type='str', aliases=['providerType'], default='org.keycloak.storage.UserStorageProvider'), provider_type=dict(type='str', aliases=['providerType'], default='org.keycloak.storage.UserStorageProvider'),
parent_id=dict(type='str', aliases=['parentId']), parent_id=dict(type='str', aliases=['parentId']),
remove_unspecified_mappers=dict(type='bool', default=True),
bind_credential_update_mode=dict(type='str', default='always', choices=['always', 'only_indirect']),
mappers=dict(type='list', elements='dict', options=mapper_spec), mappers=dict(type='list', elements='dict', options=mapper_spec),
) )
@ -880,26 +825,19 @@ def main():
# Keycloak API expects config parameters to be arrays containing a single string element # Keycloak API expects config parameters to be arrays containing a single string element
if config is not None: if config is not None:
module.params['config'] = { module.params['config'] = dict((k, [str(v).lower() if not isinstance(v, str) else v])
k: [str(v).lower() if not isinstance(v, str) else v] for k, v in config.items() if config[k] is not None)
for k, v in config.items()
if config[k] is not None
}
if mappers is not None: if mappers is not None:
for mapper in mappers: for mapper in mappers:
if mapper.get('config') is not None: if mapper.get('config') is not None:
mapper['config'] = { mapper['config'] = dict((k, [str(v).lower() if not isinstance(v, str) else v])
k: [str(v).lower() if not isinstance(v, str) else v] for k, v in mapper['config'].items() if mapper['config'][k] is not None)
for k, v in mapper['config'].items()
if mapper['config'][k] is not None
}
# Filter and map the parameters names that apply # Filter and map the parameters names that apply
comp_params = [x for x in module.params comp_params = [x for x in module.params
if x not in list(keycloak_argument_spec().keys()) if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm', 'mappers'] and
+ ['state', 'realm', 'mappers', 'remove_unspecified_mappers', 'bind_credential_update_mode'] module.params.get(x) is not None]
and module.params.get(x) is not None]
# See if it already exists in Keycloak # See if it already exists in Keycloak
if cid is None: if cid is None:
@ -917,9 +855,7 @@ def main():
# if user federation exists, get associated mappers # if user federation exists, get associated mappers
if cid is not None and before_comp: if cid is not None and before_comp:
before_comp['mappers'] = sorted(kc.get_components(urlencode(dict(parent=cid)), realm), key=lambda x: x.get('name') or '') before_comp['mappers'] = sorted(kc.get_components(urlencode(dict(parent=cid)), realm), key=lambda x: x.get('name'))
normalize_kc_comp(before_comp)
# Build a proposed changeset from parameters given to this module # Build a proposed changeset from parameters given to this module
changeset = {} changeset = {}
@ -928,7 +864,7 @@ def main():
new_param_value = module.params.get(param) new_param_value = module.params.get(param)
old_value = before_comp[camel(param)] if camel(param) in before_comp else None old_value = before_comp[camel(param)] if camel(param) in before_comp else None
if param == 'mappers': if param == 'mappers':
new_param_value = [{k: v for k, v in x.items() if v is not None} for x in new_param_value] new_param_value = [dict((k, v) for k, v in x.items() if x[k] is not None) for x in new_param_value]
if new_param_value != old_value: if new_param_value != old_value:
changeset[camel(param)] = new_param_value changeset[camel(param)] = new_param_value
@ -937,17 +873,17 @@ def main():
if module.params['provider_id'] in ['kerberos', 'sssd']: if module.params['provider_id'] in ['kerberos', 'sssd']:
module.fail_json(msg='Cannot configure mappers for {type} provider.'.format(type=module.params['provider_id'])) module.fail_json(msg='Cannot configure mappers for {type} provider.'.format(type=module.params['provider_id']))
for change in module.params['mappers']: for change in module.params['mappers']:
change = {k: v for k, v in change.items() if v is not None} change = dict((k, v) for k, v in change.items() if change[k] is not None)
if change.get('id') is None and change.get('name') is None: if change.get('id') is None and change.get('name') is None:
module.fail_json(msg='Either `name` or `id` has to be specified on each mapper.') module.fail_json(msg='Either `name` or `id` has to be specified on each mapper.')
if cid is None: if cid is None:
old_mapper = {} old_mapper = {}
elif change.get('id') is not None: elif change.get('id') is not None:
old_mapper = next((before_mapper for before_mapper in before_comp.get('mappers', []) if before_mapper["id"] == change['id']), None) old_mapper = kc.get_component(change['id'], realm)
if old_mapper is None: if old_mapper is None:
old_mapper = {} old_mapper = {}
else: else:
found = [before_mapper for before_mapper in before_comp.get('mappers', []) if before_mapper['name'] == change['name']] found = kc.get_components(urlencode(dict(parent=cid, name=change['name'])), realm)
if len(found) > 1: if len(found) > 1:
module.fail_json(msg='Found multiple mappers with name `{name}`. Cannot continue.'.format(name=change['name'])) module.fail_json(msg='Found multiple mappers with name `{name}`. Cannot continue.'.format(name=change['name']))
if len(found) == 1: if len(found) == 1:
@ -956,16 +892,10 @@ def main():
old_mapper = {} old_mapper = {}
new_mapper = old_mapper.copy() new_mapper = old_mapper.copy()
new_mapper.update(change) new_mapper.update(change)
# changeset contains all desired mappers: those existing, to update or to create if new_mapper != old_mapper:
if changeset.get('mappers') is None: if changeset.get('mappers') is None:
changeset['mappers'] = list() changeset['mappers'] = list()
changeset['mappers'].append(new_mapper) changeset['mappers'].append(new_mapper)
changeset['mappers'] = sorted(changeset['mappers'], key=lambda x: x.get('name') or '')
# to keep unspecified existing mappers we add them to the desired mappers list, unless they're already present
if not module.params['remove_unspecified_mappers'] and 'mappers' in before_comp:
changeset_mapper_ids = [mapper['id'] for mapper in changeset['mappers'] if 'id' in mapper]
changeset['mappers'].extend([mapper for mapper in before_comp['mappers'] if mapper['id'] not in changeset_mapper_ids])
# Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis) # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis)
desired_comp = before_comp.copy() desired_comp = before_comp.copy()
@ -988,68 +918,50 @@ def main():
# Process a creation # Process a creation
result['changed'] = True result['changed'] = True
if module._diff:
result['diff'] = dict(before='', after=sanitize(desired_comp))
if module.check_mode: if module.check_mode:
if module._diff:
result['diff'] = dict(before='', after=sanitize(desired_comp))
module.exit_json(**result) module.exit_json(**result)
# create it # create it
desired_mappers = desired_comp.pop('mappers', []) desired_comp = desired_comp.copy()
updated_mappers = desired_comp.pop('mappers', [])
after_comp = kc.create_component(desired_comp, realm) after_comp = kc.create_component(desired_comp, realm)
cid = after_comp['id']
updated_mappers = []
# when creating a user federation, keycloak automatically creates default mappers
default_mappers = kc.get_components(urlencode(dict(parent=cid)), realm)
# create new mappers or update existing default mappers cid = after_comp['id']
for desired_mapper in desired_mappers:
found = [default_mapper for default_mapper in default_mappers if default_mapper['name'] == desired_mapper['name']] for mapper in updated_mappers:
found = kc.get_components(urlencode(dict(parent=cid, name=mapper['name'])), realm)
if len(found) > 1: if len(found) > 1:
module.fail_json(msg='Found multiple mappers with name `{name}`. Cannot continue.'.format(name=desired_mapper['name'])) module.fail_json(msg='Found multiple mappers with name `{name}`. Cannot continue.'.format(name=mapper['name']))
if len(found) == 1: if len(found) == 1:
old_mapper = found[0] old_mapper = found[0]
else: else:
old_mapper = {} old_mapper = {}
new_mapper = old_mapper.copy() new_mapper = old_mapper.copy()
new_mapper.update(desired_mapper) new_mapper.update(mapper)
if new_mapper.get('id') is not None: if new_mapper.get('id') is not None:
kc.update_component(new_mapper, realm) kc.update_component(new_mapper, realm)
updated_mappers.append(new_mapper)
else: else:
if new_mapper.get('parentId') is None: if new_mapper.get('parentId') is None:
new_mapper['parentId'] = cid new_mapper['parentId'] = after_comp['id']
updated_mappers.append(kc.create_component(new_mapper, realm)) mapper = kc.create_component(new_mapper, realm)
if module.params['remove_unspecified_mappers']: after_comp['mappers'] = updated_mappers
# we remove all unwanted default mappers
# we use ids so we dont accidently remove one of the previously updated default mapper
for default_mapper in default_mappers:
if not default_mapper['id'] in [x['id'] for x in updated_mappers]:
kc.delete_component(default_mapper['id'], realm)
after_comp['mappers'] = kc.get_components(urlencode(dict(parent=cid)), realm)
normalize_kc_comp(after_comp)
if module._diff:
result['diff'] = dict(before='', after=sanitize(after_comp))
result['end_state'] = sanitize(after_comp) result['end_state'] = sanitize(after_comp)
result['msg'] = "User federation {id} has been created".format(id=cid)
result['msg'] = "User federation {id} has been created".format(id=after_comp['id'])
module.exit_json(**result) module.exit_json(**result)
else: else:
if state == 'present': if state == 'present':
# Process an update # Process an update
desired_copy = deepcopy(desired_comp)
before_copy = deepcopy(before_comp)
# exclude bindCredential when checking wether an update is required, therefore
# updating it only if there are other changes
if module.params['bind_credential_update_mode'] == 'only_indirect':
desired_copy.get('config', []).pop('bindCredential', None)
before_copy.get('config', []).pop('bindCredential', None)
# no changes # no changes
if desired_copy == before_copy: if desired_comp == before_comp:
result['changed'] = False result['changed'] = False
result['end_state'] = sanitize(desired_comp) result['end_state'] = sanitize(desired_comp)
result['msg'] = "No changes required to user federation {id}.".format(id=cid) result['msg'] = "No changes required to user federation {id}.".format(id=cid)
@ -1065,33 +977,22 @@ def main():
module.exit_json(**result) module.exit_json(**result)
# do the update # do the update
desired_mappers = desired_comp.pop('mappers', []) desired_comp = desired_comp.copy()
updated_mappers = desired_comp.pop('mappers', [])
kc.update_component(desired_comp, realm) kc.update_component(desired_comp, realm)
after_comp = kc.get_component(cid, realm)
for before_mapper in before_comp.get('mappers', []): for mapper in updated_mappers:
# remove unwanted existing mappers that will not be updated
if not before_mapper['id'] in [x['id'] for x in desired_mappers if 'id' in x]:
kc.delete_component(before_mapper['id'], realm)
for mapper in desired_mappers:
if mapper in before_comp.get('mappers', []):
continue
if mapper.get('id') is not None: if mapper.get('id') is not None:
kc.update_component(mapper, realm) kc.update_component(mapper, realm)
else: else:
if mapper.get('parentId') is None: if mapper.get('parentId') is None:
mapper['parentId'] = desired_comp['id'] mapper['parentId'] = desired_comp['id']
kc.create_component(mapper, realm) mapper = kc.create_component(mapper, realm)
after_comp['mappers'] = updated_mappers
result['end_state'] = sanitize(after_comp)
after_comp = kc.get_component(cid, realm)
after_comp['mappers'] = sorted(kc.get_components(urlencode(dict(parent=cid)), realm), key=lambda x: x.get('name') or '')
normalize_kc_comp(after_comp)
after_comp_sanitized = sanitize(after_comp)
before_comp_sanitized = sanitize(before_comp)
result['end_state'] = after_comp_sanitized
if module._diff:
result['diff'] = dict(before=before_comp_sanitized, after=after_comp_sanitized)
result['changed'] = before_comp_sanitized != after_comp_sanitized
result['msg'] = "User federation {id} has been updated".format(id=cid) result['msg'] = "User federation {id} has been updated".format(id=cid)
module.exit_json(**result) module.exit_json(**result)

View file

@ -118,7 +118,3 @@ keycloak_no_log: true
### logging configuration ### logging configuration
keycloak_log_target: /var/log/keycloak keycloak_log_target: /var/log/keycloak
# locations
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"

View file

@ -12,7 +12,7 @@ galaxy_info:
license: Apache License 2.0 license: Apache License 2.0
min_ansible_version: "2.16" min_ansible_version: "2.15"
platforms: platforms:
- name: EL - name: EL

View file

@ -1,10 +1,6 @@
--- ---
- name: Include firewall config tasks - name: Include firewall config tasks
ansible.builtin.include_tasks: ansible.builtin.include_tasks: iptables.yml
file: iptables.yml
apply:
tags:
- firewall
when: keycloak_configure_iptables when: keycloak_configure_iptables
tags: tags:
- firewall - firewall

View file

@ -1,38 +1,22 @@
--- ---
# tasks file for keycloak # tasks file for keycloak
- name: Check prerequisites - name: Check prerequisites
ansible.builtin.include_tasks: ansible.builtin.include_tasks: prereqs.yml
file: prereqs.yml
apply:
tags:
- prereqs
tags: tags:
- prereqs - prereqs
- name: Distro specific tasks - name: Distro specific tasks
ansible.builtin.include_tasks: ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml"
file: "{{ ansible_os_family | lower }}.yml"
apply:
tags:
- unbound
tags: tags:
- unbound - unbound
- name: Include install tasks - name: Include install tasks
ansible.builtin.include_tasks: ansible.builtin.include_tasks: install.yml
file: install.yml
apply:
tags:
- install
tags: tags:
- install - install
- name: Include systemd tasks - name: Include systemd tasks
ansible.builtin.include_tasks: ansible.builtin.include_tasks: systemd.yml
file: systemd.yml
apply:
tags:
- systemd
tags: tags:
- systemd - systemd

View file

@ -1,10 +1,6 @@
--- ---
- name: Include firewall config tasks - name: Include firewall config tasks
ansible.builtin.include_tasks: ansible.builtin.include_tasks: firewalld.yml
file: firewalld.yml
apply:
tags:
- firewall
when: keycloak_configure_firewalld when: keycloak_configure_firewalld
tags: tags:
- firewall - firewall

View file

@ -2,12 +2,12 @@
- name: Ensure required params for CLI have been provided - name: Ensure required params for CLI have been provided
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- cli_query is defined - query is defined
fail_msg: "Missing required parameters to execute CLI." fail_msg: "Missing required parameters to execute CLI."
quiet: true quiet: true
- name: "Execute CLI query: {{ cli_query }}" - name: "Execute CLI query: {{ query }}"
ansible.builtin.command: > ansible.builtin.command: >
{{ keycloak.cli_path }} --connect --command='{{ cli_query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }} {{ keycloak.cli_path }} --connect --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
changed_when: false changed_when: false
register: cli_result register: cli_result

View file

@ -106,7 +106,7 @@
- name: "Check installed patches" - name: "Check installed patches"
ansible.builtin.include_tasks: rhsso_cli.yml ansible.builtin.include_tasks: rhsso_cli.yml
vars: vars:
cli_query: "patch info" query: "patch info"
args: args:
apply: apply:
become: true become: true
@ -121,7 +121,7 @@
- name: "Apply patch {{ patch_version }} to server" - name: "Apply patch {{ patch_version }} to server"
ansible.builtin.include_tasks: rhsso_cli.yml ansible.builtin.include_tasks: rhsso_cli.yml
vars: vars:
cli_query: "patch apply {{ patch_archive }}" query: "patch apply {{ patch_archive }}"
args: args:
apply: apply:
become: true become: true
@ -130,7 +130,7 @@
- name: "Restart server to ensure patch content is running" - name: "Restart server to ensure patch content is running"
ansible.builtin.include_tasks: rhsso_cli.yml ansible.builtin.include_tasks: rhsso_cli.yml
vars: vars:
cli_query: "shutdown --restart" query: "shutdown --restart"
when: when:
- cli_result.rc == 0 - cli_result.rc == 0
args: args:
@ -149,7 +149,7 @@
- name: "Query installed patch after restart" - name: "Query installed patch after restart"
ansible.builtin.include_tasks: rhsso_cli.yml ansible.builtin.include_tasks: rhsso_cli.yml
vars: vars:
cli_query: "patch info" query: "patch info"
args: args:
apply: apply:
become: true become: true

View file

@ -1,6 +1,9 @@
--- ---
# internal variables below # internal variables below
# locations
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"
keycloak: keycloak:

View file

@ -33,7 +33,7 @@ Role Defaults
| Variable | Description | Default | | Variable | Description | Default |
|:---------|:------------|:--------| |:---------|:------------|:--------|
|`keycloak_quarkus_version`| keycloak.org package version | `26.3.0` | |`keycloak_quarkus_version`| keycloak.org package version | `24.0.4` |
|`keycloak_quarkus_offline_install` | Perform an offline install | `False`| |`keycloak_quarkus_offline_install` | Perform an offline install | `False`|
|`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` | |`keycloak_quarkus_dest`| Installation root path | `/opt/keycloak` |
|`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` | |`keycloak_quarkus_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}` |
@ -44,79 +44,30 @@ Role Defaults
| Variable | Description | Default | | Variable | Description | Default |
|:---------|:------------|:--------| |:---------|:------------|:--------|
|`keycloak_quarkus_bootstrap_admin_user`| Administration console user account | `admin` | |`keycloak_quarkus_admin_user`| Administration console user account | `admin` |
|`keycloak_quarkus_admin_user`| Deprecated, use `keycloak_quarkus_bootstrap_admin_user` instead. | | |`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` |
|`keycloak_quarkus_bind_address`| Deprecated, use `keycloak_quarkus_http_host` instead | `0.0.0.0` | |`keycloak_quarkus_host`| Hostname for the Keycloak server | `localhost` |
|`keycloak_quarkus_host`| Deprecated, use `keycloak_quarkus_hostname` instead. | | |`keycloak_quarkus_port`| The port used by the proxy when exposing the hostname | `-1` |
|`keycloak_quarkus_port`| Deprecated, use `keycloak_quarkus_hostname` instead. | | |`keycloak_quarkus_path`| This should be set if proxy uses a different context-path for Keycloak | |
|`keycloak_quarkus_path`| Deprecated, use `keycloak_quarkus_hostname` instead. | | |`keycloak_quarkus_http_port`| HTTP listening port | `8080` |
|`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` |
|`keycloak_quarkus_ajp_port`| AJP port | `8009` |
|`keycloak_quarkus_service_user`| Posix account username | `keycloak` | |`keycloak_quarkus_service_user`| Posix account username | `keycloak` |
|`keycloak_quarkus_service_group`| Posix account group | `keycloak` | |`keycloak_quarkus_service_group`| Posix account group | `keycloak` |
|`keycloak_quarkus_service_restart_always`| systemd restart always behavior activation | `False` | |`keycloak_quarkus_service_restart_always`| systemd restart always behavior activation | `False` |
|`keycloak_quarkus_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` | |`keycloak_quarkus_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` |
|`keycloak_quarkus_service_restartsec`| systemd RestartSec | `10s` | |`keycloak_quarkus_service_restartsec`| systemd RestartSec | `10s` |
|`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-21-openjdk-headless` | |`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-17-openjdk-headless` |
|`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` | |`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
|`keycloak_quarkus_java_heap_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` | |`keycloak_quarkus_java_heap_opts`| Heap memory JVM setting | `-Xms1024m -Xmx2048m` |
|`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak | |`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak |
|`keycloak_quarkus_java_opts`| JVM arguments; if overridden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` | |`keycloak_quarkus_java_opts`| JVM arguments; if overridden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` |
|`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file | `[]` | |`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file | `[]` |
|`keycloak_quarkus_frontend_url`| Deprecated, use `keycloak_quarkus_hostname` instead. | | |`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | |
|`keycloak_quarkus_admin_url`| Deprecated, use `keycloak_quarkus_hostname_admin` instead. | | |`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
|`keycloak_quarkus_health_check_url`| Full URL (including scheme, host, path, fragment etc.) used for health check endpoint; keycloak_quarkus_hostname will NOT be prepended; helpful when health checks should happen against http port, but keycloak_quarkus_hostname uses https scheme per default | `` | |`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
|`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; keycloak_quarkus_hostname will be prepended automatically; Note that keycloak_quarkus_health_check_url takes precedence over this property | `realms/master/.well-known/openid-configuration` | |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
|`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwarded`) | `""` | |`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically | `realms/master/.well-known/openid-configuration` |
|`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_config_key_store_password` is not empty | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_config_key_store_password != ''`, else `''` |
|`keycloak_quarkus_config_key_store_password`| Password of the configuration keystore; if non-empty, `keycloak_quarkus_db_pass` will be saved to the keystore at `keycloak_quarkus_config_key_store_file` instead of being written to the configuration file in clear text | `""` |
|`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
|`keycloak_quarkus_configure_iptables` | Ensure iptables is configured for keycloak ports | `False` |
#### High-availability
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
|`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `JDBCPING` |
|`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` |
|`keycloak_quarkus_jgroups_ip`| Host jgroups IP. If changing this variable you must make sure it is always set for all hosts in your cluster. | `{{ ansible_default_ipv4.address }}` |
|`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` |
|`keycloak_quarkus_systemd_wait_for_port` | Whether systemd unit should wait for keycloak port before returning | `{{ keycloak_quarkus_ha_enabled }}` |
|`keycloak_quarkus_systemd_wait_for_port_number`| Which port the systemd unit should wait for | `{{ keycloak_quarkus_https_port }}` |
|`keycloak_quarkus_systemd_wait_for_log` | Whether systemd unit should wait for service to be up in logs | `false` |
|`keycloak_quarkus_systemd_wait_for_timeout`| How long to wait for service to be alive (seconds) | `60` |
|`keycloak_quarkus_systemd_wait_for_delay`| Activation delay for service systemd unit (seconds) | `10` |
|`keycloak_quarkus_restart_strategy`| Strategy task file for restarting in HA (one of provided restart/['serial.yml','none.yml','serial_then_parallel.yml']) or path to file when providing custom strategy | `restart/serial.yml` |
|`keycloak_quarkus_restart_health_check`| Whether to wait for successful health check after restart | `true` |
|`keycloak_quarkus_restart_health_check_delay`| Seconds to let pass before starting healch checks | `10` |
|`keycloak_quarkus_restart_health_check_retries`| Number of attempts for successful health check before failing | `25` |
|`keycloak_quarkus_restart_pause`| Seconds to wait between restarts in HA strategy | `15` |
#### Hostname configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_hostname`| Address at which is the server exposed. Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request. | |
|`keycloak_quarkus_hostname_admin`| Set the base URL for accessing the administration console, including scheme, host, port and path | `` |
|`keycloak_quarkus_hostname_strict`| Disables dynamically resolving the hostname from request headers | `true` |
|`keycloak_quarkus_hostname_backchannel_dynamic`| Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL. | `false` |
|`keycloak_quarkus_hostname_strict_backchannel`| Deprecated, use (the inverted!)`keycloak_quarkus_hostname_backchannel_dynamic` instead. | |
#### HTTP(S) configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` |
|`keycloak_quarkus_http_host`| The http host, ie. the address used to bind the service | `0.0.0.0` |
|`keycloak_quarkus_http_port`| HTTP listening port | `8080` |
|`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` |
|`keycloak_quarkus_http_management_port`| Port of the management interface. Relevant only when something is exposed on the management interface - see the guide for details. | `9000` |
|`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` |
|`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` |
|`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` |
|`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
|`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` |
|`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` | |`keycloak_quarkus_https_key_file_enabled`| Enable listener on HTTPS port | `False` |
|`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` | |`keycloak_quarkus_key_file_copy_enabled`| Enable copy of key file to target host | `False` |
|`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` | |`keycloak_quarkus_key_content`| Content of the TLS private key. Use `"{{ lookup('file', 'server.key.pem') }}"` to lookup a file. | `""` |
@ -127,39 +78,85 @@ Role Defaults
|`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` | |`keycloak_quarkus_https_key_store_enabled`| Enable configuration of HTTPS via a key store | `False` |
|`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. || |`keycloak_quarkus_key_store_file`| Deprecated, use `keycloak_quarkus_https_key_store_file` instead. ||
|`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.|| |`keycloak_quarkus_key_store_password`| Deprecated, use `keycloak_quarkus_https_key_store_password` instead.||
|`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` | |`keycloak_quarkus_https_key_store_file`| The file path to the key store | `{{ keycloak.home }}/conf/key_store.p12` |
|`keycloak_quarkus_http_management_relative_path` | Set the path relative to / for serving resources from management interface. The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details. | `/` | |`keycloak_quarkus_https_key_store_password`| Password for the key store | `""` |
|`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` | |`keycloak_quarkus_https_trust_store_enabled`| Enable configuration of the https trust store | `False` |
|`keycloak_quarkus_https_trust_store_file`| The file path to the trust store | `{{ keycloak.home }}/conf/trust_store.p12` |
|`keycloak_quarkus_https_trust_store_password`| Password for the trust store | `""` |
|`keycloak_quarkus_proxy_headers`| Parse reverse proxy headers (`forwarded` or `xforwarded`) | `""` |
|`keycloak_quarkus_config_key_store_file`| Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty | `{{ keycloak.home }}/conf/conf_store.p12` if `keycloak_quarkus_keystore_password != ''`, else `''` |
|`keycloak_quarkus_config_key_store_password`| Password of the configuration keystore; if non-empty, `keycloak_quarkus_db_pass` will be saved to the keystore at `keycloak_quarkus_config_key_store_file` instead of being written to the configuration file in clear text | `""` |
|`keycloak_quarkus_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
|`keycloak_quarkus_configure_iptables` | Ensure iptables is configured for keycloak ports | `False` |
#### High-availability
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
|`keycloak_quarkus_ha_discovery`| Discovery protocol for HA cluster members | `TCPPING` |
|`keycloak_quarkus_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_quarkus_ha_enabled` is True, else `False` |
|`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7800` |
|`keycloak_quarkus_systemd_wait_for_port` | Whether systemd unit should wait for keycloak port before returning | `{{ keycloak_quarkus_ha_enabled }}` |
|`keycloak_quarkus_systemd_wait_for_port_number`| Which port the systemd unit should wait for | `{{ keycloak_quarkus_https_port }}` |
|`keycloak_quarkus_systemd_wait_for_log` | Whether systemd unit should wait for service to be up in logs | `false` |
|`keycloak_quarkus_systemd_wait_for_timeout`| How long to wait for service to be alive (seconds) | `60` |
|`keycloak_quarkus_systemd_wait_for_delay`| Activation delay for service systemd unit (seconds) | `10` |
|`keycloak_quarkus_restart_strategy`| Strategy task file for restarting in HA (one of provided restart/['serial.yml','none.yml','serial_then_parallel.yml']) or path to file when providing custom strategy | `restart/serial.yml` |
|`keycloak_quarkus_restart_health_check`| Whether to wait for successful health check after restart | `true` |
|`keycloak_quarkus_restart_health_check_delay`| Seconds to let pass before starting healch checks | `10` |
|`keycloak_quarkus_restart_health_check_reries`| Number of attempts for successful health check before failing | `25` |
|`keycloak_quarkus_restart_pause`| Seconds to wait between restarts in HA strategy | `15` |
#### Hostname configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` |
|`keycloak_quarkus_hostname_strict`| Disables dynamically resolving the hostname from request headers | `true` |
|`keycloak_quarkus_hostname_strict_backchannel`| By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled. | `false` |
#### Database configuration #### Database configuration
| Variable | Description | Default | | Variable | Description | Default |
|:---------|:------------|:--------| |:---------|:------------|:--------|
|`keycloak_quarkus_db_engine` | Database engine [mariadb,postres,mssql] | `postgres` | |`keycloak_quarkus_jdbc_engine` | Database engine [mariadb,postres,mssql] | `postgres` |
|`keycloak_quarkus_db_user` | User for database connection | `keycloak-user` | |`keycloak_quarkus_db_user` | User for database connection | `keycloak-user` |
|`keycloak_quarkus_db_pass` | Password for database connection | `keycloak-pass` | |`keycloak_quarkus_db_pass` | Password for database connection | `keycloak-pass` |
|`keycloak_quarkus_db_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` | |`keycloak_quarkus_jdbc_url` | JDBC URL for connecting to database | `jdbc:postgresql://localhost:5432/keycloak` |
|`keycloak_quarkus_db_driver_version` | Version for JDBC engine driver | `9.4.1212` | |`keycloak_quarkus_jdbc_driver_version` | Version for JDBC driver | `9.4.1212` |
#### Cache configuration #### Remote caches configuration
| Variable | Description | Default | | Variable | Description | Default |
|:---------|:------------|:--------| |:---------|:------------|:--------|
|`keycloak_quarkus_cache_remote` | Whether to connect to remote cache infinispan server | `false` | |`keycloak_quarkus_ispn_user` | Username for connecting to infinispan | `supervisor` |
|`keycloak_quarkus_cache_remote_username` | Username for connecting to infinispan | `supervisor` | |`keycloak_quarkus_ispn_pass` | Password for connecting to infinispan | `supervisor` |
|`keycloak_quarkus_cache_remote_password` | Password for connecting to infinispan | `supervisor` | |`keycloak_quarkus_ispn_hosts` | host name/port for connecting to infinispan, eg. host1:11222;host2:11222 | `localhost:11222` |
|`keycloak_quarkus_cache_remote_host` | Hostname for connecting to infinispan | `localhost` | |`keycloak_quarkus_ispn_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` |
|`keycloak_quarkus_cache_remote_port`| Port for connecting to infinispan | `11222` | |`keycloak_quarkus_ispn_use_ssl` | Whether infinispan uses TLS connection | `false` |
|`keycloak_quarkus_cache_remote_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` | |`keycloak_quarkus_ispn_trust_store_path` | Path to infinispan server trust certificate | `/etc/pki/java/cacerts` |
|`keycloak_quarkus_cache_remote_tls_enabled` | Whether infinispan uses TLS connection | `false` | |`keycloak_quarkus_ispn_trust_store_password` | Password for infinispan certificate keystore | `changeit` |
#### Logging configuration #### Miscellaneous configuration
| Variable | Description | Default | | Variable | Description | Default |
|:---------|:------------|:--------| |:---------|:------------|:--------|
|`keycloak_quarkus_metrics_enabled`| Whether to enable metrics | `False` |
|`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints | `True` |
|`keycloak_quarkus_archive` | keycloak install archive filename | `keycloak-{{ keycloak_quarkus_version }}.zip` |
|`keycloak_quarkus_installdir` | Installation path | `{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}` |
|`keycloak_quarkus_home` | Installation work directory | `{{ keycloak_quarkus_installdir }}` |
|`keycloak_quarkus_config_dir` | Path for configuration | `{{ keycloak_quarkus_home }}/conf` |
|`keycloak_quarkus_master_realm` | Name for rest authentication realm | `master` |
|`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
|`keycloak_force_install` | Remove pre-existing versions of service | `False` |
|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_http_port }}` |
|`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` | |`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` |
|`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` | |`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` |
|`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` | |`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` |
@ -168,21 +165,6 @@ Role Defaults
|`keycloak_quarkus_log_max_file_size`| Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): `[0-9]+[KkMmGgTtPpEeZzYy]?`. If no suffix is given, assume bytes. | `10M` | |`keycloak_quarkus_log_max_file_size`| Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): `[0-9]+[KkMmGgTtPpEeZzYy]?`. If no suffix is given, assume bytes. | `10M` |
|`keycloak_quarkus_log_max_backup_index`| Set the maximum number of archived log files to keep" | `10` | |`keycloak_quarkus_log_max_backup_index`| Set the maximum number of archived log files to keep" | `10` |
|`keycloak_quarkus_log_file_suffix`| Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with `.zip` or `.gz`, the rotation file will also be compressed. | `.yyyy-MM-dd.zip` | |`keycloak_quarkus_log_file_suffix`| Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with `.zip` or `.gz`, the rotation file will also be compressed. | `.yyyy-MM-dd.zip` |
#### Miscellaneous configuration
| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_metrics_enabled`| Whether to enable metrics | `False` |
|`keycloak_quarkus_health_enabled`| If the server should expose health check endpoints on the management interface | `True` |
|`keycloak_quarkus_archive` | keycloak install archive filename | `keycloak-{{ keycloak_quarkus_version }}.zip` |
|`keycloak_quarkus_installdir` | Installation path | `{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}` |
|`keycloak_quarkus_home` | Installation work directory | `{{ keycloak_quarkus_installdir }}` |
|`keycloak_quarkus_config_dir` | Path for configuration | `{{ keycloak_quarkus_home }}/conf` |
|`keycloak_quarkus_master_realm` | Name for rest authentication realm | `master` |
|`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
|`keycloak_quarkus_force_install` | Remove pre-existing versions of service | `False` |
|`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` | |`keycloak_quarkus_proxy_mode`| The proxy address forwarding mode if the server is behind a reverse proxy | `edge` |
|`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` | |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` |
|`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` | |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` |
@ -190,7 +172,7 @@ Role Defaults
|`keycloak_quarkus_show_deprecation_warnings`| Whether deprecation warnings should be shown | `True` | |`keycloak_quarkus_show_deprecation_warnings`| Whether deprecation warnings should be shown | `True` |
#### Vault configuration #### Vault SPI
| Variable | Description | Default | | Variable | Description | Default |
|:---------|:------------|:--------| |:---------|:------------|:--------|
@ -218,24 +200,19 @@ keycloak_quarkus_providers:
- id: http-client # required; "{{ id }}.jar" identifies the file name on RHBK - id: http-client # required; "{{ id }}.jar" identifies the file name on RHBK
spi: connections # required if neither url, local_path nor maven are specified; required for setting properties spi: connections # required if neither url, local_path nor maven are specified; required for setting properties
default: true # optional, whether to set default for spi, default false default: true # optional, whether to set default for spi, default false
restart: true # optional, whether to rebuild config and restart the service after deploying, default true restart: true # optional, whether to restart, default true
url: https://.../.../custom_spi.jar # optional, url for download via http url: https://.../.../custom_spi.jar # optional, url for download via http
local_path: my_theme_spi.jar # optional, path on local controller for SPI to be uploaded local_path: my_theme_spi.jar # optional, path on local controller for SPI to be uploaded
remote: true # optional, whether to copy from localhost or remotely, see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-remote_src, default false
maven: # optional, for download using maven maven: # optional, for download using maven
repository_url: https://maven.pkg.github.com/OWNER/REPOSITORY # optional, maven repo url repository_url: https://maven.pkg.github.com/OWNER/REPOSITORY # optional, maven repo url
group_id: my.group # optional, maven group id group_id: my.group # optional, maven group id
artifact_id: artifact # optional, maven artifact id artifact_id: artifact # optional, maven artifact id
version: 24.0.5 # optional, defaults to latest version: 24.0.4 # optional, defaults to latest
username: user # optional, cf. https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry#authenticating-to-github-packages username: user # optional, cf. https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry#authenticating-to-github-packages
password: pat # optional, provide a PAT for accessing Github's Apache Maven registry password: pat # optional, provide a PAT for accessing Github's Apache Maven registry
properties: # optional, list of key-values properties: # optional, list of key-values
- key: default-connection-pool-size - key: default-connection-pool-size
value: 10 value: 10
checksum: sha256:D98291AC[...]B6DC7B97 # optional, checksum used to verify integrity:
# for `url` SPIs, use format: <algorithm>:<checksum|url>, cf. <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html#parameter-checksum>;
# for `local_path` SPIs, use SHA1 format <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-checksum>
# for `maven` SPIs, this field is ignored since maven has integrity verification methods enabled by default
``` ```
the definition above will generate the following build command: the definition above will generate the following build command:
@ -255,9 +232,9 @@ Provider definition:
```yaml ```yaml
keycloak_quarkus_policies: keycloak_quarkus_policies:
- name: john-the-ripper.txt # required, resulting file name - name: xato-net-10-million-passwords.txt # required, resulting file name
url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt # required, url for download url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt # required, url for download
type: password-blacklists # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`] type: password-blacklists # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`]
``` ```
@ -266,8 +243,9 @@ Role Variables
| Variable | Description | Required | | Variable | Description | Required |
|:---------|:------------|----------| |:---------|:------------|----------|
|`keycloak_quarkus_bootstrap_admin_password`| Password of console admin account | `yes` | |`keycloak_quarkus_admin_pass`| Password of console admin account | `yes` |
|`keycloak_quarkus_admin_pass`| Deprecated, use `keycloak_quarkus_bootstrap_admin_password` instead. | | |`keycloak_quarkus_frontend_url`| Base URL for frontend URLs, including scheme, host, port and path | `no` |
|`keycloak_quarkus_admin_url`| Base URL for accessing the administration console, including scheme, host, port and path | `no` |
|`keycloak_quarkus_ks_vault_pass`| The password for accessing the keystore vault SPI | `no` | |`keycloak_quarkus_ks_vault_pass`| The password for accessing the keystore vault SPI | `no` |
|`keycloak_quarkus_alternate_download_url`| Alternate location with optional authentication for downloading RHBK | `no` | |`keycloak_quarkus_alternate_download_url`| Alternate location with optional authentication for downloading RHBK | `no` |
|`keycloak_quarkus_download_user`| Optional username for http authentication | `no*` | |`keycloak_quarkus_download_user`| Optional username for http authentication | `no*` |
@ -287,7 +265,7 @@ The role uses the following [custom facts](https://docs.ansible.com/ansible/late
| Variable | Description | | Variable | Description |
|:---------|:------------| |:---------|:------------|
|`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_bootstrap_admin_user[_password]` gets created | |`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_admin_user[_pass]` gets created |
License License
------- -------

View file

@ -1,6 +1,6 @@
--- ---
### Configuration specific to keycloak ### Configuration specific to keycloak
keycloak_quarkus_version: 26.3.0 keycloak_quarkus_version: 24.0.4
keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip" keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}" keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}" keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
@ -27,32 +27,26 @@ keycloak_quarkus_configure_firewalld: false
keycloak_quarkus_configure_iptables: false keycloak_quarkus_configure_iptables: false
### administrator console password ### administrator console password
keycloak_quarkus_bootstrap_admin_user: admin keycloak_quarkus_admin_user: admin
keycloak_quarkus_bootstrap_admin_password: keycloak_quarkus_admin_pass:
keycloak_quarkus_master_realm: master keycloak_quarkus_master_realm: master
### Configuration settings ### Configuration settings
keycloak_quarkus_bind_address: 0.0.0.0 # deprecated use keycloak_quarkus_http_host keycloak_quarkus_bind_address: 0.0.0.0
keycloak_quarkus_http_host: 0.0.0.0 keycloak_quarkus_host: localhost
keycloak_quarkus_port: -1
keycloak_quarkus_path:
keycloak_quarkus_http_enabled: true keycloak_quarkus_http_enabled: true
keycloak_quarkus_http_port: 8080 keycloak_quarkus_http_port: 8080
keycloak_quarkus_https_port: 8443 keycloak_quarkus_https_port: 8443
keycloak_quarkus_http_management_port: 9000 keycloak_quarkus_ajp_port: 8009
keycloak_quarkus_jgroups_port: 7800 keycloak_quarkus_jgroups_port: 7800
keycloak_quarkus_jgroups_bind_address: "{{ ansible_default_ipv4.address }}"
keycloak_quarkus_jgroups_external_addr: "{{ keycloak_quarkus_jgroups_bind_address }}"
keycloak_quarkus_jgroups_external_port: "{{ keycloak_quarkus_jgroups_port }}"
keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx2048m" keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx2048m"
keycloak_quarkus_java_jvm_opts: > keycloak_quarkus_java_jvm_opts: "-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8
-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8
-Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError
-Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4 -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4
-XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512 -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512"
keycloak_quarkus_jgroups_opts: > keycloak_quarkus_java_opts: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}"
-Djgroups.bind.address={{ keycloak_quarkus_jgroups_bind_address }}
-Djgroups.external_port={{ keycloak_quarkus_jgroups_external_port }}
-Djgroups.external_addr={{ keycloak_quarkus_jgroups_external_addr }}
keycloak_quarkus_java_opts: "{{ ' '.join((keycloak_quarkus_jgroups_opts, keycloak_quarkus_java_heap_opts, keycloak_quarkus_java_jvm_opts)) }}"
keycloak_quarkus_additional_env_vars: [] keycloak_quarkus_additional_env_vars: []
### TLS/HTTPS configuration ### TLS/HTTPS configuration
@ -77,7 +71,7 @@ keycloak_quarkus_config_key_store_password: ''
### Enable configuration for database backend, clustering and remote caches on infinispan ### Enable configuration for database backend, clustering and remote caches on infinispan
keycloak_quarkus_ha_enabled: false keycloak_quarkus_ha_enabled: false
keycloak_quarkus_ha_discovery: "JDBCPING" keycloak_quarkus_ha_discovery: "TCPPING"
### Enable database configuration, must be enabled when HA is configured ### Enable database configuration, must be enabled when HA is configured
keycloak_quarkus_db_enabled: "{{ keycloak_quarkus_ha_enabled }}" keycloak_quarkus_db_enabled: "{{ keycloak_quarkus_ha_enabled }}"
keycloak_quarkus_systemd_wait_for_port: "{{ keycloak_quarkus_ha_enabled }}" keycloak_quarkus_systemd_wait_for_port: "{{ keycloak_quarkus_ha_enabled }}"
@ -87,8 +81,8 @@ keycloak_quarkus_systemd_wait_for_timeout: 60
keycloak_quarkus_systemd_wait_for_delay: 10 keycloak_quarkus_systemd_wait_for_delay: 10
### keycloak frontend url ### keycloak frontend url
keycloak_quarkus_hostname: keycloak_quarkus_frontend_url:
keycloak_quarkus_hostname_admin: "" keycloak_quarkus_admin_url:
### Set the path relative to / for serving resources. The path must start with a / ### Set the path relative to / for serving resources. The path must start with a /
### (set to `/auth` for retrocompatibility with pre-quarkus releases) ### (set to `/auth` for retrocompatibility with pre-quarkus releases)
@ -97,9 +91,9 @@ keycloak_quarkus_http_relative_path: /
# Disables dynamically resolving the hostname from request headers. # Disables dynamically resolving the hostname from request headers.
# Should always be set to true in production, unless proxy verifies the Host header. # Should always be set to true in production, unless proxy verifies the Host header.
keycloak_quarkus_hostname_strict: true keycloak_quarkus_hostname_strict: true
# Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. # By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications.
# Set to true if your application accesses Keycloak via a private network. If set to true, keycloak_quarkus_hostname option needs to be specified as a full URL. # If all applications use the public URL this option should be enabled.
keycloak_quarkus_hostname_backchannel_dynamic: false keycloak_quarkus_hostname_strict_backchannel: false
# The proxy headers that should be accepted by the server. ['', 'forwarded', 'xforwarded'] # The proxy headers that should be accepted by the server. ['', 'forwarded', 'xforwarded']
keycloak_quarkus_proxy_headers: "" keycloak_quarkus_proxy_headers: ""
@ -117,57 +111,36 @@ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: true
keycloak_quarkus_metrics_enabled: false keycloak_quarkus_metrics_enabled: false
keycloak_quarkus_health_enabled: true keycloak_quarkus_health_enabled: true
### caches; must read: https://www.keycloak.org/2024/12/storing-sessions-in-kc26
### embedded caches
# https://www.keycloak.org/server/caching
keycloak_quarkus_cache_metrics_enabled: false
keycloak_quarkus_cache_embedded_authorization_max_count:
keycloak_quarkus_cache_embedded_client_sessions_max_count:
keycloak_quarkus_cache_embedded_crl_max_count:
keycloak_quarkus_cache_embedded_keys_max_count:
keycloak_quarkus_cache_embedded_offline_client_sessions_max_count:
keycloak_quarkus_cache_embedded_offline_sessions_max_count:
keycloak_quarkus_cache_embedded_realms_max_count:
keycloak_quarkus_cache_embedded_sessions_max_count:
keycloak_quarkus_cache_embedded_users_max_count:
keycloak_quarkus_cache_embedded_mtls_enabled: true
keycloak_quarkus_cache_embedded_mtls_key_store_file: "{{ keycloak.home }}/conf/cache_key_store.p12"
keycloak_quarkus_cache_embedded_mtls_key_store_password: ''
keycloak_quarkus_cache_embedded_mtls_rotation_interval_days: 30
keycloak_quarkus_cache_embedded_mtls_trust_store_file: "{{ keycloak.home }}/conf/cache_trust_store.p12"
keycloak_quarkus_cache_embedded_mtls_trust_store_password: ''
### infinispan remote caches access (hotrod) ### infinispan remote caches access (hotrod)
# https://www.keycloak.org/server/caching#_remote_cache keycloak_quarkus_ispn_user: supervisor
keycloak_quarkus_cache_remote: false keycloak_quarkus_ispn_pass: supervisor
keycloak_quarkus_cache_remote_username: supervisor keycloak_quarkus_ispn_hosts: "localhost:11222"
keycloak_quarkus_cache_remote_password: supervisor keycloak_quarkus_ispn_sasl_mechanism: SCRAM-SHA-512
keycloak_quarkus_cache_remote_host: localhost keycloak_quarkus_ispn_use_ssl: false
keycloak_quarkus_cache_remote_port: 11222 # if ssl is enabled, import ispn server certificate here
keycloak_quarkus_cache_remote_tls_enabled: false keycloak_quarkus_ispn_trust_store_path: /etc/pki/java/cacerts
keycloak_quarkus_cache_remote_sasl_mechanism: SCRAM-SHA-512 keycloak_quarkus_ispn_trust_store_password: changeit
### database backend engine: values [ 'postgres', 'mariadb' ] ### database backend engine: values [ 'postgres', 'mariadb' ]
keycloak_quarkus_db_engine: postgres keycloak_quarkus_jdbc_engine: postgres
### database backend credentials ### database backend credentials
keycloak_quarkus_db_user: keycloak-user keycloak_quarkus_db_user: keycloak-user
keycloak_quarkus_db_pass: keycloak-pass keycloak_quarkus_db_pass: keycloak-pass
keycloak_quarkus_db_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].url }}" keycloak_quarkus_jdbc_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
keycloak_quarkus_db_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].version }}" keycloak_quarkus_jdbc_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
# override the variables above, following defaults show recommended version as per # override the variables above, following defaults show minimum supported versions
# https://access.redhat.com/articles/7033107
keycloak_quarkus_default_jdbc: keycloak_quarkus_default_jdbc:
postgres: postgres:
url: 'jdbc:postgresql://localhost:5432/keycloak' url: 'jdbc:postgresql://localhost:5432/keycloak'
version: 42.7.5 version: 9.4.1212
mariadb: mariadb:
url: 'jdbc:mariadb://localhost:3306/keycloak' url: 'jdbc:mariadb://localhost:3306/keycloak'
version: 3.5.2 version: 2.7.4
mssql: mssql:
url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;' url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
version: 12.8.1 version: 12.4.2
driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.8.1.jre11/mssql-jdbc-12.8.1.jre11.jar" driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.4.2.jre11/mssql-jdbc-12.4.2.jre11.jar"
# cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/24.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver
### logging configuration ### logging configuration
keycloak_quarkus_log: file keycloak_quarkus_log: file
keycloak_quarkus_log_level: info keycloak_quarkus_log_level: info
@ -192,7 +165,5 @@ keycloak_quarkus_supported_policy_types: ['password-blacklists']
keycloak_quarkus_restart_strategy: restart/serial.yml keycloak_quarkus_restart_strategy: restart/serial.yml
keycloak_quarkus_restart_health_check: true keycloak_quarkus_restart_health_check: true
keycloak_quarkus_restart_health_check_delay: 10 keycloak_quarkus_restart_health_check_delay: 10
keycloak_quarkus_restart_health_check_retries: 25 keycloak_quarkus_restart_health_check_reries: 25
keycloak_quarkus_restart_pause: 15 keycloak_quarkus_restart_pause: 15
keycloak_quarkus_force_install: false

View file

@ -1,7 +1,4 @@
--- ---
- name: "Invalidate {{ keycloak.service_name }} theme cache"
ansible.builtin.include_tasks: invalidate_theme_cache.yml
listen: "invalidate keycloak theme cache"
# handler should be invoked anytime a [build configuration](https://www.keycloak.org/server/all-config?f=build) changes # handler should be invoked anytime a [build configuration](https://www.keycloak.org/server/all-config?f=build) changes
- name: "Rebuild {{ keycloak.service_name }} config" - name: "Rebuild {{ keycloak.service_name }} config"
ansible.builtin.include_tasks: rebuild_config.yml ansible.builtin.include_tasks: rebuild_config.yml

View file

@ -2,7 +2,7 @@ argument_specs:
main: main:
options: options:
keycloak_quarkus_version: keycloak_quarkus_version:
default: "26.3.0" default: "24.0.4"
description: "keycloak.org package version" description: "keycloak.org package version"
type: "str" type: "str"
keycloak_quarkus_archive: keycloak_quarkus_archive:
@ -22,7 +22,7 @@ argument_specs:
description: "Perform an offline install" description: "Perform an offline install"
type: "bool" type: "bool"
keycloak_quarkus_jvm_package: keycloak_quarkus_jvm_package:
default: "java-21-openjdk-headless" default: "java-11-openjdk-headless"
description: "RHEL java package runtime" description: "RHEL java package runtime"
type: "str" type: "str"
keycloak_quarkus_java_home: keycloak_quarkus_java_home:
@ -68,17 +68,13 @@ argument_specs:
default: "10s" default: "10s"
description: "systemd RestartSec for service" description: "systemd RestartSec for service"
type: "str" type: "str"
keycloak_quarkus_bootstrap_admin_user: keycloak_quarkus_admin_user:
default: "admin" default: "admin"
description: "Administration user account, only for bootstrapping" description: "Administration console user account"
type: "str" type: "str"
keycloak_quarkus_force_install: keycloak_quarkus_admin_pass:
default: false
description: "Remove pre-existing versions of service"
type: "bool"
keycloak_quarkus_bootstrap_admin_password:
required: true required: true
description: "Password of admin account, only for bootstrapping" description: "Password of console admin account"
type: "str" type: "str"
keycloak_quarkus_master_realm: keycloak_quarkus_master_realm:
default: "master" default: "master"
@ -86,40 +82,31 @@ argument_specs:
type: "str" type: "str"
keycloak_quarkus_bind_address: keycloak_quarkus_bind_address:
default: "0.0.0.0" default: "0.0.0.0"
description: "Deprecated, use `keycloak_quarkus_http_host`" description: "Address for binding service ports"
type: "str"
keycloak_quarkus_hostname:
description: >-
Address at which is the server exposed.
Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request.
type: "str" type: "str"
keycloak_quarkus_host: keycloak_quarkus_host:
description: "Deprecated in v26, use keycloak_quarkus_hostname instead." default: "localhost"
description: "Hostname for the Keycloak server"
type: "str" type: "str"
keycloak_quarkus_port: keycloak_quarkus_port:
description: "Deprecated in v26, use keycloak_quarkus_hostname instead." default: -1
description: "The port used by the proxy when exposing the hostname"
type: "int" type: "int"
keycloak_quarkus_path: keycloak_quarkus_path:
description: "Deprecated in v26, use keycloak_quarkus_hostname instead." required: false
description: "This should be set if proxy uses a different context-path for Keycloak"
type: "str" type: "str"
keycloak_quarkus_http_enabled: keycloak_quarkus_http_enabled:
default: true default: true
description: "Enable listener on HTTP port" description: "Enable listener on HTTP port"
type: "bool" type: "bool"
keycloak_quarkus_http_host:
default: '0.0.0.0'
description: "HTTP host, address for binding service ports"
type: "str"
keycloak_quarkus_http_port: keycloak_quarkus_http_port:
default: 8080 default: 8080
description: "HTTP port" description: "HTTP port"
type: "int" type: "int"
keycloak_quarkus_health_check_url:
description: "Full URL (including scheme, host, path, fragment etc.) used for health check endpoint; keycloak_quarkus_hostname will NOT be prepended; helpful when health checks should happen against http port, but keycloak_quarkus_hostname uses https scheme per default"
type: "str"
keycloak_quarkus_health_check_url_path: keycloak_quarkus_health_check_url_path:
default: "realms/master/.well-known/openid-configuration" default: "realms/master/.well-known/openid-configuration"
description: "Path to the health check endpoint; keycloak_quarkus_hostname will be prepended automatically; Note that keycloak_quarkus_health_check_url takes precedence over this property" description: "Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically"
type: "str" type: "str"
keycloak_quarkus_https_key_file_enabled: keycloak_quarkus_https_key_file_enabled:
default: false default: false
@ -183,7 +170,7 @@ argument_specs:
type: "str" type: "str"
keycloak_quarkus_config_key_store_file: keycloak_quarkus_config_key_store_file:
default: "{{ keycloak.home }}/conf/conf_store.p12" default: "{{ keycloak.home }}/conf/conf_store.p12"
description: "Path to the configuration key store; only used if `keycloak_quarkus_config_key_store_password` is not empty" description: "Path to the configuration key store; only used if `keycloak_quarkus_keystore_password` is not empty"
type: "str" type: "str"
keycloak_quarkus_config_key_store_password: keycloak_quarkus_config_key_store_password:
default: "" default: ""
@ -195,9 +182,13 @@ argument_specs:
default: 8443 default: 8443
description: "HTTPS port" description: "HTTPS port"
type: "int" type: "int"
keycloak_quarkus_http_management_port: keycloak_quarkus_ajp_port:
default: 9000 default: 8009
description: "Port of the management interface. Relevant only when something is exposed on the management interface - see the guide for details." description: "AJP port"
type: "int"
keycloak_quarkus_jgroups_port:
default: 7800
description: "jgroups cluster tcp port"
type: "int" type: "int"
keycloak_quarkus_java_heap_opts: keycloak_quarkus_java_heap_opts:
default: "-Xms1024m -Xmx2048m" default: "-Xms1024m -Xmx2048m"
@ -211,7 +202,7 @@ argument_specs:
description: "Other JVM settings" description: "Other JVM settings"
type: "str" type: "str"
keycloak_quarkus_java_opts: keycloak_quarkus_java_opts:
default: "{{ ' '.join((keycloak_quarkus_jgroups_opts, keycloak_quarkus_java_heap_opts, keycloak_quarkus_java_jvm_opts)) }}" default: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}"
description: "JVM arguments, by default heap_opts + jvm_opts, if overriden it takes precedence over them" description: "JVM arguments, by default heap_opts + jvm_opts, if overriden it takes precedence over them"
type: "str" type: "str"
keycloak_quarkus_additional_env_vars: keycloak_quarkus_additional_env_vars:
@ -235,21 +226,13 @@ argument_specs:
default: / default: /
description: "Set the path relative to / for serving resources. The path must start with a /" description: "Set the path relative to / for serving resources. The path must start with a /"
type: "str" type: "str"
keycloak_quarkus_http_management_relative_path:
required: false
description: "Set the path relative to / for serving resources from management interface. The path must start with a /. If not given, the value is inherited from HTTP options. Relevant only when something is exposed on the management interface - see the guide for details."
type: "str"
keycloak_quarkus_frontend_url: keycloak_quarkus_frontend_url:
required: false required: false
description: "Deprecated in v26, use keycloak_quarkus_hostname instead." description: "Service public URL"
type: "str"
keycloak_quarkus_hostname_admin:
required: false
description: "Service URL for the admin console"
type: "str" type: "str"
keycloak_quarkus_admin_url: keycloak_quarkus_admin_url:
required: false required: false
description: "Deprecated in v26, use keycloak_quarkus_hostname_admin instead." description: "Service URL for the admin console"
type: "str" type: "str"
keycloak_quarkus_metrics_enabled: keycloak_quarkus_metrics_enabled:
default: false default: false
@ -257,37 +240,37 @@ argument_specs:
type: "bool" type: "bool"
keycloak_quarkus_health_enabled: keycloak_quarkus_health_enabled:
default: true default: true
description: "If the server should expose health check endpoints on the management interface" description: "If the server should expose health check endpoints"
type: "bool" type: "bool"
keycloak_quarkus_cache_remote: keycloak_quarkus_ispn_user:
description: "Whether to connect to remote cache infinispan server"
default: false
type: 'bool'
keycloak_quarkus_cache_remote_username:
default: "supervisor" default: "supervisor"
description: "Username for connecting to infinispan" description: "Username for connecting to infinispan"
type: "str" type: "str"
keycloak_quarkus_cache_remote_password: keycloak_quarkus_ispn_pass:
default: "supervisor" default: "supervisor"
description: "Password for connecting to infinispan" description: "Password for connecting to infinispan"
type: "str" type: "str"
keycloak_quarkus_cache_remote_host: keycloak_quarkus_ispn_hosts:
default: "localhost" default: "localhost:11222"
description: "Hostname for connecting to infinispan" description: "host name/port for connecting to infinispan, eg. host1:11222;host2:11222"
type: "str" type: "str"
keycloak_quarkus_cache_remote_port: keycloak_quarkus_ispn_sasl_mechanism:
default: "11222"
description: "Port for connecting to infinispan"
type: "str"
keycloak_quarkus_cache_remote_sasl_mechanism:
default: "SCRAM-SHA-512" default: "SCRAM-SHA-512"
description: "Infinispan auth mechanism" description: "Infinispan auth mechanism"
type: "str" type: "str"
keycloak_quarkus_cache_remote_tls_enabled: keycloak_quarkus_ispn_use_ssl:
default: false default: false
description: "Whether infinispan uses TLS connection" description: "Whether infinispan uses TLS connection"
type: "bool" type: "bool"
keycloak_quarkus_db_engine: keycloak_quarkus_ispn_trust_store_path:
default: "/etc/pki/java/cacerts"
description: "Path to infinispan server trust certificate"
type: "str"
keycloak_quarkus_ispn_trust_store_password:
default: "changeit"
description: "Password for infinispan certificate keystore"
type: "str"
keycloak_quarkus_jdbc_engine:
default: "postgres" default: "postgres"
description: "Database engine [mariadb,postres,mssql]" description: "Database engine [mariadb,postres,mssql]"
type: "str" type: "str"
@ -299,12 +282,12 @@ argument_specs:
default: "keycloak-pass" default: "keycloak-pass"
description: "Password for database connection" description: "Password for database connection"
type: "str" type: "str"
keycloak_quarkus_db_url: keycloak_quarkus_jdbc_url:
default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].url }}" default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
description: "JDBC URL for connecting to database" description: "JDBC URL for connecting to database"
type: "str" type: "str"
keycloak_quarkus_db_driver_version: keycloak_quarkus_jdbc_driver_version:
default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].version }}" default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
description: "Version for JDBC driver" description: "Version for JDBC driver"
type: "str" type: "str"
keycloak_quarkus_log: keycloak_quarkus_log:
@ -365,18 +348,24 @@ argument_specs:
description: > description: >
Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless
proxy verifies the Host header. proxy verifies the Host header.
keycloak_quarkus_hostname_backchannel_dynamic: keycloak_quarkus_hostname_strict_backchannel:
default: false default: false
type: "bool" type: "bool"
description: > description: >
Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all
Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL. applications use the public URL this option should be enabled.
keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route:
default: true default: true
type: "bool" type: "bool"
description: > description: >
If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies
and we rely on the session affinity capabilities from reverse proxy and we rely on the session affinity capabilities from reverse proxy
keycloak_quarkus_hostname_strict_https:
type: "bool"
required: false
description: >
By default, Keycloak requires running using TLS/HTTPS. If the service MUST run without TLS/HTTPS, then set
this option to "true"
keycloak_quarkus_ks_vault_enabled: keycloak_quarkus_ks_vault_enabled:
default: false default: false
type: "bool" type: "bool"
@ -464,7 +453,7 @@ argument_specs:
description: "Seconds to let pass before starting healch checks" description: "Seconds to let pass before starting healch checks"
default: 10 default: 10
type: 'int' type: 'int'
keycloak_quarkus_restart_health_check_retries: keycloak_quarkus_restart_health_check_reries:
description: "Number of attempts for successful health check before failing" description: "Number of attempts for successful health check before failing"
default: 25 default: 25
type: 'int' type: 'int'
@ -476,94 +465,10 @@ argument_specs:
description: "Path local to controller for offline/download of install archives" description: "Path local to controller for offline/download of install archives"
default: "{{ lookup('env', 'PWD') }}" default: "{{ lookup('env', 'PWD') }}"
type: "str" type: "str"
keycloak_quarkus_cache_metrics_enabled:
description: 'Enable histograms for metrics for the embedded caches'
default: false
type: 'bool'
keycloak_quarkus_cache_embedded_authorization_max_count:
description: 'The maximum number of entries that can be stored in-memory by the authorization cache'
required: false
type: "int"
keycloak_quarkus_cache_embedded_client_sessions_max_count:
description: 'The maximum number of entries that can be stored in-memory by the clientSessions cache'
required: false
type: "int"
keycloak_quarkus_cache_embedded_crl_max_count:
description: 'The maximum number of entries that can be stored in-memory by the crl cache'
required: false
type: "int"
keycloak_quarkus_cache_embedded_keys_max_count:
description: 'The maximum number of entries that can be stored in-memory by the keys cache'
required: false
type: "int"
keycloak_quarkus_cache_embedded_offline_client_sessions_max_count:
description: 'The maximum number of entries that can be stored in-memory by the offlineClientSessions cache'
required: false
type: "int"
keycloak_quarkus_cache_embedded_offline_sessions_max_count:
description: 'The maximum number of entries that can be stored in-memory by the offlineSessions cache'
required: false
type: "int"
keycloak_quarkus_cache_embedded_realms_max_count:
description: 'The maximum number of entries that can be stored in-memory by the realms cache'
required: false
type: "int"
keycloak_quarkus_cache_embedded_sessions_max_count:
description: 'The maximum number of entries that can be stored in-memory by the sessions cache'
required: false
type: "int"
keycloak_quarkus_cache_embedded_users_max_count:
description: 'The maximum number of entries that can be stored in-memory by the users cache'
required: false
type: 'int'
keycloak_quarkus_cache_embedded_mtls_enabled:
description: 'Encrypts the network communication between Keycloak servers'
default: true
type: 'bool'
keycloak_quarkus_cache_embedded_mtls_key_store_file:
description: 'The Keystore file path'
default: "{{ keycloak.home }}/conf/cache_key_store.p12"
type: "str"
keycloak_quarkus_cache_embedded_mtls_key_store_password:
description: 'The password to access the Keystore'
default: ''
type: "str"
keycloak_quarkus_cache_embedded_mtls_rotation_interval_days:
description: 'Rotation period in days of automatic JGroups MTLS certificates'
default: 30
type: 'int'
keycloak_quarkus_cache_embedded_mtls_trust_store_file:
description: 'The Truststore file path'
default: "{{ keycloak.home }}/conf/cache_trust_store.p12"
type: "str"
keycloak_quarkus_cache_embedded_mtls_trust_store_password:
description: 'The password to access the Truststore.'
default: ''
type: "str"
keycloak_quarkus_jgroups_port:
description: 'jgroups bind port'
default: 7800
type: "int"
keycloak_quarkus_jgroups_bind_address:
description: 'jgroups bind address'
default: "{{ ansible_default_ipv4.address }}"
type: "str"
keycloak_quarkus_jgroups_external_addr:
description: 'IP address that other instances in the Keycloak should use to contact this node'
default: "{{ keycloak_quarkus_jgroups_bind_address }}"
type: "str"
keycloak_quarkus_jgroups_external_port:
description: 'Port that other instances in the Keycloak cluster should use to contact this node'
default: "{{ keycloak_quarkus_jgroups_port }}"
type: "int"
keycloak_quarkus_jgroups_opts:
description: "JVM arguments for jgroups configuration"
default: "-Djgroups.bind.address={{ keycloak_quarkus_jgroups_bind_address }} -Djgroups.external_port={{ keycloak_quarkus_jgroups_external_port }} -Djgroups.external_addr={{ keycloak_quarkus_jgroups_external_addr }}"
type: "str"
downstream: downstream:
options: options:
rhbk_version: rhbk_version:
default: "26.2.5" default: "24.0.3"
description: "Red Hat Build of Keycloak version" description: "Red Hat Build of Keycloak version"
type: "str" type: "str"
rhbk_archive: rhbk_archive:

View file

@ -8,7 +8,7 @@ galaxy_info:
license: Apache License 2.0 license: Apache License 2.0
min_ansible_version: "2.16" min_ansible_version: "2.15"
platforms: platforms:
- name: EL - name: EL

View file

@ -1,10 +1,6 @@
--- ---
- name: Include firewall config tasks - name: Include firewall config tasks
ansible.builtin.include_tasks: ansible.builtin.include_tasks: iptables.yml
file: iptables.yml
apply:
tags:
- firewall
when: keycloak_quarkus_configure_iptables when: keycloak_quarkus_configure_iptables
tags: tags:
- firewall - firewall

View file

@ -49,114 +49,5 @@
notify: notify:
- print deprecation warning - print deprecation warning
# https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
- name: Check deprecation of keycloak_quarkus_frontend_url -> keycloak_quarkus_hostname
when:
- keycloak_quarkus_hostname is not defined
- keycloak_quarkus_frontend_url is defined
- keycloak_quarkus_frontend_url != ''
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_hostname: "{{ keycloak_quarkus_frontend_url }}"
deprecated_variable: "keycloak_quarkus_frontend_url" # read in deprecation handler
notify:
- print deprecation warning
# https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
- name: Check deprecation of keycloak_quarkus_hostname_strict_https + keycloak_quarkus_host + keycloak_quarkus_port + keycloak_quarkus_path -> keycloak_quarkus_hostname
when:
- keycloak_quarkus_hostname is not defined
- keycloak_quarkus_hostname_strict_https is defined or keycloak_quarkus_frontend_url is defined or keycloak_quarkus_port is defined or keycloak_quarkus_path is defined
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_hostname: >-
{% set protocol = '' %}
{% if keycloak_quarkus_hostname_strict_https %}
{% set protocol = 'https://' %}
{% elif keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is False %}
{% set protocol = 'http://' %}
{% endif %}
{{ protocol }}{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_port }}/{{ keycloak_quarkus_path }}
deprecated_variable: "keycloak_quarkus_hostname_strict_https or keycloak_quarkus_frontend_url or keycloak_quarkus_frontend_url or keycloak_quarkus_hostname" # read in deprecation handler
notify:
- print deprecation warning
# https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
- name: Check deprecation of keycloak_quarkus_admin_url -> keycloak_quarkus_hostname_admin
when:
- keycloak_quarkus_hostname_admin is not defined
- keycloak_quarkus_admin_url is defined
- keycloak_quarkus_admin_url != ''
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_hostname_admin: "{{ keycloak_quarkus_admin_url }}"
deprecated_variable: "keycloak_quarkus_admin_url" # read in deprecation handler
notify:
- print deprecation warning
# https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
- name: Check deprecation of keycloak_quarkus_hostname_strict_backchannel -> keycloak_quarkus_hostname_backchannel_dynamic
when:
- keycloak_quarkus_hostname_backchannel_dynamic is not defined
- keycloak_quarkus_hostname_strict_backchannel is defined
- keycloak_quarkus_hostname_strict_backchannel != ''
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_hostname_backchannel_dynamic: "{{ keycloak_quarkus_hostname_strict_backchannel == False }}"
deprecated_variable: "keycloak_quarkus_hostname_backchannel_dynamic" # read in deprecation handler
notify:
- print deprecation warning
# https://github.com/keycloak/keycloak/issues/30009
- name: Check deprecation of keycloak_quarkus_admin_user -> keycloak_quarkus_bootstrap_admin_user
when:
- keycloak_quarkus_bootstrap_admin_user is not defined
- keycloak_quarkus_admin_user is defined
- keycloak_quarkus_admin_user != ''
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_bootstrap_admin_user: "{{ keycloak_quarkus_admin_user }}"
deprecated_variable: "keycloak_quarkus_admin_user" # read in deprecation handler
notify:
- print deprecation warning
# https://github.com/keycloak/keycloak/issues/30009
- name: Check deprecation of keycloak_quarkus_admin_pass -> keycloak_quarkus_bootstrap_admin_password
when:
- keycloak_quarkus_bootstrap_admin_password is not defined
- keycloak_quarkus_admin_pass is defined
- keycloak_quarkus_admin_pass != ''
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_bootstrap_admin_user: "{{ keycloak_quarkus_admin_pass }}"
deprecated_variable: "keycloak_quarkus_admin_pass" # read in deprecation handler
notify:
- print deprecation warning
- name: Check deprecation of keycloak_quarkus_bind_address -> keycloak_quarkus_http_host
when:
- keycloak_quarkus_bind_address is defined
- keycloak_quarkus_bind_address != '0.0.0.0'
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_http_host: "{{ keycloak_quarkus_bind_address }}"
deprecated_variable: "keycloak_quarkus_bind_address" # read in deprecation handler
notify:
- print deprecation warning
- name: Flush handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers ansible.builtin.meta: flush_handlers

View file

@ -12,17 +12,6 @@
enabled: true enabled: true
state: started state: started
- name: "Configure firewall for {{ keycloak.service_name }} http port"
become: true
ansible.posix.firewalld:
port: "{{ item }}"
permanent: true
state: enabled
immediate: true
loop:
- "{{ keycloak_quarkus_http_port }}/tcp"
when: keycloak_quarkus_http_enabled | bool
- name: "Configure firewall for {{ keycloak.service_name }} ports" - name: "Configure firewall for {{ keycloak.service_name }} ports"
become: true become: true
ansible.posix.firewalld: ansible.posix.firewalld:
@ -31,6 +20,6 @@
state: enabled state: enabled
immediate: true immediate: true
loop: loop:
- "{{ keycloak_quarkus_http_port }}/tcp"
- "{{ keycloak_quarkus_https_port }}/tcp" - "{{ keycloak_quarkus_https_port }}/tcp"
- "{{ keycloak_quarkus_http_management_port }}/tcp"
- "{{ keycloak_quarkus_jgroups_port }}/tcp" - "{{ keycloak_quarkus_jgroups_port }}/tcp"

View file

@ -17,27 +17,6 @@
path: "{{ keycloak.home }}" path: "{{ keycloak.home }}"
register: existing_deploy register: existing_deploy
- name: Stop and restart if existing deployment exists and install forced
when: existing_deploy.stat.exists and keycloak_quarkus_force_install | bool
block:
- name: "Stop the old {{ keycloak.service_name }} service"
become: true
failed_when: false
ansible.builtin.systemd:
name: keycloak
state: stopped
- name: "Remove the old {{ keycloak.service_name }} deployment"
become: true
ansible.builtin.file:
path: "{{ keycloak_quarkus_home }}"
state: absent
- name: Check for an existing deployment after possible forced removal
become: true
ansible.builtin.stat:
path: "{{ keycloak_quarkus_home }}"
register: existing_deploy
- name: "Create {{ keycloak.service_name }} service user/group" - name: "Create {{ keycloak.service_name }} service user/group"
become: true become: true
ansible.builtin.user: ansible.builtin.user:
@ -98,7 +77,6 @@
- not archive_path.stat.exists - not archive_path.stat.exists
- rhbk_enable is defined and rhbk_enable - rhbk_enable is defined and rhbk_enable
- not keycloak.offline_install - not keycloak.offline_install
- keycloak_quarkus_alternate_download_url is undefined
block: block:
- name: Retrieve product download using JBoss Network API - name: Retrieve product download using JBoss Network API
middleware_automation.common.product_search: middleware_automation.common.product_search:
@ -224,11 +202,11 @@
- keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled - keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled
- keycloak_quarkus_cert_file_src | length > 0 - keycloak_quarkus_cert_file_src | length > 0
- name: "Install {{ keycloak_quarkus_db_engine }} JDBC driver" - name: "Install {{ keycloak_quarkus_jdbc_engine }} JDBC driver"
ansible.builtin.include_tasks: jdbc_driver.yml ansible.builtin.include_tasks: jdbc_driver.yml
when: when:
- rhbk_enable is defined and rhbk_enable - rhbk_enable is defined and rhbk_enable
- keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url is defined - keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url is defined
- name: "Download custom providers via http" - name: "Download custom providers via http"
ansible.builtin.get_url: ansible.builtin.get_url:
@ -237,11 +215,10 @@
owner: "{{ keycloak.service_user }}" owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}" group: "{{ keycloak.service_group }}"
mode: '0640' mode: '0640'
checksum: "{{ item.checksum | default(omit) }}"
become: true become: true
loop: "{{ keycloak_quarkus_providers }}" loop: "{{ keycloak_quarkus_providers }}"
when: item.url is defined and item.url | length > 0 when: item.url is defined and item.url | length > 0
notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}" notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}"
# this requires the `lxml` package to be installed; we redirect this step to localhost such that we do need to install it on the remote hosts # this requires the `lxml` package to be installed; we redirect this step to localhost such that we do need to install it on the remote hosts
- name: "Download custom providers to localhost using maven" - name: "Download custom providers to localhost using maven"
@ -258,6 +235,7 @@
loop: "{{ keycloak_quarkus_providers }}" loop: "{{ keycloak_quarkus_providers }}"
when: item.maven is defined when: item.maven is defined
no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}" no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}"
notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}"
- name: "Copy maven providers" - name: "Copy maven providers"
ansible.builtin.copy: ansible.builtin.copy:
@ -266,25 +244,21 @@
owner: "{{ keycloak.service_user }}" owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}" group: "{{ keycloak.service_group }}"
mode: '0640' mode: '0640'
checksum: "{{ item.checksum | default(omit) }}"
become: true become: true
loop: "{{ keycloak_quarkus_providers }}" loop: "{{ keycloak_quarkus_providers }}"
when: item.maven is defined when: item.maven is defined
no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}" no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}"
notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}"
- name: "Copy local providers" - name: "Copy providers"
ansible.builtin.copy: ansible.builtin.copy:
src: "{{ item.local_path }}" src: "{{ item.local_path }}"
dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar" dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar"
owner: "{{ keycloak.service_user }}" owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}" group: "{{ keycloak.service_group }}"
mode: '0640' mode: '0640'
remote_src: "{{ item.remote | default(false) }}"
become: true become: true
loop: "{{ keycloak_quarkus_providers }}" loop: "{{ keycloak_quarkus_providers }}"
when: item.local_path is defined when: item.local_path is defined
notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}"
- name: Ensure required folder structure for policies exists - name: Ensure required folder structure for policies exists
ansible.builtin.file: ansible.builtin.file:

View file

@ -1,11 +0,0 @@
---
# From https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/24.0/html/server_developer_guide/themes#creating_a_theme:
# If you want to manually delete the content of the themes cache,
# you can do so by deleting the data/tmp/kc-gzip-cache directory of the server distribution
# It can be useful for instance if you redeployed custom providers or custom themes without
# disabling themes caching in the previous server executions.
- name: "Delete {{ keycloak.service_name }} theme cache directory"
ansible.builtin.file:
path: "{{ keycloak.home }}/data/tmp/kc-gzip-cache"
state: absent
become: true

View file

@ -7,9 +7,9 @@
(keycloak_quarkus_jdbc_download_user is undefined and keycloak_quarkus_jdbc_download_pass is not undefined) or (keycloak_quarkus_jdbc_download_user is undefined and keycloak_quarkus_jdbc_download_pass is not undefined) or
(keycloak_quarkus_jdbc_download_pass is undefined and keycloak_quarkus_jdbc_download_user is not undefined) (keycloak_quarkus_jdbc_download_pass is undefined and keycloak_quarkus_jdbc_download_user is not undefined)
- name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url) }}" - name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
ansible.builtin.get_url: ansible.builtin.get_url:
url: "{{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_db_engine].driver_jar_url) }}" url: "{{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
dest: "{{ keycloak.home }}/providers" dest: "{{ keycloak.home }}/providers"
owner: "{{ keycloak.service_user }}" owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}" group: "{{ keycloak.service_group }}"

View file

@ -1,58 +1,34 @@
--- ---
# tasks file for keycloak # tasks file for keycloak
- name: Check prerequisites - name: Check prerequisites
ansible.builtin.include_tasks: ansible.builtin.include_tasks: prereqs.yml
file: prereqs.yml
apply:
tags:
- prereqs
tags: tags:
- prereqs - prereqs
- always - always
- name: Check for deprecations - name: Check for deprecations
ansible.builtin.include_tasks: ansible.builtin.include_tasks: deprecations.yml
file: deprecations.yml
apply:
tags:
- always
tags: tags:
- always - always
- name: Distro specific tasks - name: Distro specific tasks
ansible.builtin.include_tasks: ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml"
file: "{{ ansible_os_family | lower }}.yml"
apply:
tags:
- unbound
tags: tags:
- unbound - unbound
- name: Include install tasks - name: Include install tasks
ansible.builtin.include_tasks: ansible.builtin.include_tasks: install.yml
file: install.yml
apply:
tags:
- install
tags: tags:
- install - install
- name: Include systemd tasks - name: Include systemd tasks
ansible.builtin.include_tasks: ansible.builtin.include_tasks: systemd.yml
file: systemd.yml
apply:
tags:
- systemd
tags: tags:
- systemd - systemd
- name: Include configuration key store tasks - name: Include configuration key store tasks
ansible.builtin.include_tasks:
file: config_store.yml
apply:
tags:
- install
when: keycloak.config_key_store_enabled when: keycloak.config_key_store_enabled
ansible.builtin.include_tasks: config_store.yml
tags: tags:
- install - install
@ -63,8 +39,8 @@
{ {
"name": item, "name": item,
"address": 'jgroups-' + item, "address": 'jgroups-' + item,
"inventory_host": hostvars[item].keycloak_quarkus_jgroups_ip | default(item) + '[' + (keycloak_quarkus_jgroups_port | string) + ']', "inventory_host": hostvars[item].ansible_default_ipv4.address | default(item) + '[' + (keycloak_quarkus_jgroups_port | string) + ']',
"value": hostvars[item].keycloak_quarkus_jgroups_ip | default(item) "value": hostvars[item].ansible_default_ipv4.address | default(item)
} }
] }} ] }}
loop: "{{ ansible_play_batch }}" loop: "{{ ansible_play_batch }}"
@ -115,7 +91,7 @@
register: keycloak_service_status register: keycloak_service_status
changed_when: false changed_when: false
- name: "Notify to remove `keycloak_quarkus_bootstrap_admin_user[_password]` env vars" - name: "Notify to remove `keycloak_quarkus_admin_user[_pass]` env vars"
when: when:
- not ansible_local.keycloak.general.bootstrapped | default(false) | bool # it was not bootstrapped prior to the current role's execution - not ansible_local.keycloak.general.bootstrapped | default(false) | bool # it was not bootstrapped prior to the current role's execution
- keycloak_service_status.status.ActiveState == "active" # but it is now - keycloak_service_status.status.ActiveState == "active" # but it is now

View file

@ -2,12 +2,12 @@
- name: Validate admin console password - name: Validate admin console password
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- keycloak_quarkus_bootstrap_admin_password | length > 12 - keycloak_quarkus_admin_pass | length > 12
quiet: true quiet: true
fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_bootstrap_admin_password to a 12+ char long string" fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass to a 12+ char long string"
success_msg: "{{ 'Console administrator password OK' }}" success_msg: "{{ 'Console administrator password OK' }}"
- name: Validate http_relative_path - name: Validate relative path
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- keycloak_quarkus_http_relative_path is regex('^/.*') - keycloak_quarkus_http_relative_path is regex('^/.*')
@ -15,15 +15,6 @@
fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /" fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /"
success_msg: "{{ 'Relative path OK' }}" success_msg: "{{ 'Relative path OK' }}"
- name: Validate http_management_relative_path
ansible.builtin.assert:
that:
- keycloak_quarkus_http_management_relative_path is regex('^/.*')
quiet: true
fail_msg: "The relative path for keycloak_quarkus_http_management_relative_path must begin with /"
success_msg: "{{ 'Relative mgmt path OK' }}"
when: keycloak_quarkus_http_management_relative_path is defined
- name: Validate configuration - name: Validate configuration
ansible.builtin.assert: ansible.builtin.assert:
that: that:

View file

@ -2,6 +2,9 @@
# cf. https://www.keycloak.org/server/configuration#_optimize_the_keycloak_startup # cf. https://www.keycloak.org/server/configuration#_optimize_the_keycloak_startup
- name: "Rebuild {{ keycloak.service_name }} config" - name: "Rebuild {{ keycloak.service_name }} config"
ansible.builtin.shell: | # noqa blocked_modules shell is necessary here ansible.builtin.shell: | # noqa blocked_modules shell is necessary here
env -i bash -c "set -a ; source {{ keycloak_quarkus_sysconf_file }} ; {{ keycloak.home }}/bin/kc.sh build " {{ keycloak.home }}/bin/kc.sh build
environment:
PATH: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
JAVA_HOME: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}"
become: true become: true
changed_when: true changed_when: true

View file

@ -1,10 +1,6 @@
--- ---
- name: Include firewall config tasks - name: Include firewall config tasks
ansible.builtin.include_tasks: ansible.builtin.include_tasks: firewalld.yml
file: firewalld.yml
apply:
tags:
- firewall
when: keycloak_quarkus_configure_firewalld when: keycloak_quarkus_configure_firewalld
tags: tags:
- firewall - firewall

View file

@ -12,7 +12,7 @@
url: "{{ keycloak.health_url }}" url: "{{ keycloak.health_url }}"
register: keycloak_status register: keycloak_status
until: keycloak_status.status == 200 until: keycloak_status.status == 200
retries: "{{ keycloak_quarkus_restart_health_check_retries }}" retries: "{{ keycloak_quarkus_restart_health_check_reries }}"
delay: "{{ keycloak_quarkus_restart_health_check_delay }}" delay: "{{ keycloak_quarkus_restart_health_check_delay }}"
when: internal_force_health_check | default(keycloak_quarkus_restart_health_check) when: internal_force_health_check | default(keycloak_quarkus_restart_health_check)

View file

@ -2,7 +2,7 @@
- name: "Restart services in serial, with optional healtch check (keycloak_quarkus_restart_health_check)" - name: "Restart services in serial, with optional healtch check (keycloak_quarkus_restart_health_check)"
throttle: 1 throttle: 1
block: block:
- name: "Restart and enable {{ keycloak.service_name }} service" - name: "Restart and enable {{ keycloak.service_name }} service on {{ item }}"
ansible.builtin.include_tasks: ansible.builtin.include_tasks:
file: restart.yml file: restart.yml
apply: apply:

View file

@ -14,4 +14,3 @@
until: keycloak_status.status == 200 until: keycloak_status.status == 200
retries: 25 retries: 25
delay: 10 delay: 10
when: internal_force_health_check | default(keycloak_quarkus_restart_health_check)

View file

@ -10,7 +10,6 @@
vars: vars:
keycloak_sys_pkg_java_home: "{{ keycloak_quarkus_pkg_java_home }}" keycloak_sys_pkg_java_home: "{{ keycloak_quarkus_pkg_java_home }}"
notify: notify:
- rebuild keycloak config
- restart keycloak - restart keycloak
- name: "Configure systemd unit file for keycloak service" - name: "Configure systemd unit file for keycloak service"
@ -23,5 +22,4 @@
become: true become: true
register: systemdunit register: systemdunit
notify: notify:
- rebuild keycloak config
- restart keycloak - restart keycloak

View file

@ -18,17 +18,15 @@
<infinispan <infinispan
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:infinispan:config:15.0 http://www.infinispan.org/schemas/infinispan-config-15.0.xsd" xsi:schemaLocation="urn:infinispan:config:14.0 http://www.infinispan.org/schemas/infinispan-config-14.0.xsd"
xmlns="urn:infinispan:config:15.0"> xmlns="urn:infinispan:config:14.0">
{% set stack_expression='' %} {% set stack_expression='' %}
{% if keycloak_quarkus_version is version_compare('26.2.0', '<') %} {% if keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING' %}
{% if keycloak_quarkus_ha_enabled %}
{% if keycloak_quarkus_ha_discovery == 'TCPPING' %}
{% set stack_expression='stack="tcpping"' %} {% set stack_expression='stack="tcpping"' %}
<jgroups> <jgroups>
<stack name="tcpping" extends="tcp"> <stack name="tcpping" extends="tcp">
<!-- <TCP external_addr="${env.KC_EXTERNAL_ADDR}" bind_addr="{{ keycloak_quarkus_http_host }}" bind_port="{{ keycloak_quarkus_jgroups_port }}" /> --> <!-- <TCP external_addr="${env.KC_EXTERNAL_ADDR}" bind_addr="{{ keycloak_quarkus_bind_address }}" bind_port="{{ keycloak_quarkus_jgroups_port }}" /> -->
<TCPPING <TCPPING
initial_hosts="{{ keycloak_quarkus_cluster_nodes | map(attribute='inventory_host') | join (',') }}" initial_hosts="{{ keycloak_quarkus_cluster_nodes | map(attribute='inventory_host') | join (',') }}"
port_range="0" port_range="0"
@ -37,10 +35,6 @@
/> />
</stack> </stack>
</jgroups> </jgroups>
{% elif keycloak_quarkus_ha_discovery == 'JDBCPING' %}
{% set stack_expression='stack="JDBC_PING2"' %}
{% endif %}
{% endif %}
{% endif %} {% endif %}
<cache-container name="keycloak"> <cache-container name="keycloak">
@ -61,22 +55,18 @@
</local-cache> </local-cache>
<distributed-cache name="sessions" owners="2"> <distributed-cache name="sessions" owners="2">
<expiration lifespan="-1"/> <expiration lifespan="-1"/>
<memory max-count="10000"/>
</distributed-cache> </distributed-cache>
<distributed-cache name="authenticationSessions" owners="2"> <distributed-cache name="authenticationSessions" owners="2">
<expiration lifespan="-1"/> <expiration lifespan="-1"/>
</distributed-cache> </distributed-cache>
<distributed-cache name="offlineSessions" owners="2"> <distributed-cache name="offlineSessions" owners="2">
<expiration lifespan="-1"/> <expiration lifespan="-1"/>
<memory max-count="10000"/>
</distributed-cache> </distributed-cache>
<distributed-cache name="clientSessions" owners="2"> <distributed-cache name="clientSessions" owners="2">
<expiration lifespan="-1"/> <expiration lifespan="-1"/>
<memory max-count="10000"/>
</distributed-cache> </distributed-cache>
<distributed-cache name="offlineClientSessions" owners="2"> <distributed-cache name="offlineClientSessions" owners="2">
<expiration lifespan="-1"/> <expiration lifespan="-1"/>
<memory max-count="10000"/>
</distributed-cache> </distributed-cache>
<distributed-cache name="loginFailures" owners="2"> <distributed-cache name="loginFailures" owners="2">
<expiration lifespan="-1"/> <expiration lifespan="-1"/>
@ -99,14 +89,6 @@
<expiration max-idle="3600000"/> <expiration max-idle="3600000"/>
<memory max-count="1000"/> <memory max-count="1000"/>
</local-cache> </local-cache>
<local-cache name="crl" simple-cache="true">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<expiration lifespan="-1"/>
<memory max-count="1000"/>
</local-cache>
<distributed-cache name="actionTokens" owners="2"> <distributed-cache name="actionTokens" owners="2">
<encoding> <encoding>
<key media-type="application/x-java-object"/> <key media-type="application/x-java-object"/>
@ -116,4 +98,4 @@
<memory max-count="-1"/> <memory max-count="-1"/>
</distributed-cache> </distributed-cache>
</cache-container> </cache-container>
</infinispan> </infinispan>

View file

@ -1,13 +1,13 @@
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
{% if not ansible_local.keycloak.general.bootstrapped | default(false) | bool %} {% if not ansible_local.keycloak.general.bootstrapped | default(false) | bool %}
KC_BOOTSTRAP_ADMIN_USERNAME={{ keycloak_quarkus_bootstrap_admin_user }} KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }}
KC_BOOTSTRAP_ADMIN_PASSWORD='{{ keycloak_quarkus_bootstrap_admin_password }}' KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'
{% else %} {% else %}
{{ keycloak.bootstrap_mnemonic }} {{ keycloak.bootstrap_mnemonic }}
{% endif %} {% endif %}
PATH="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" PATH={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
JAVA_HOME="{{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}" JAVA_HOME={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}
JAVA_OPTS="{{ keycloak_quarkus_java_opts }}" JAVA_OPTS={{ keycloak_quarkus_java_opts }}
# Custom ENV variables # Custom ENV variables
{% for env in keycloak_quarkus_additional_env_vars %} {% for env in keycloak_quarkus_additional_env_vars %}

View file

@ -2,18 +2,26 @@
{% if keycloak_quarkus_db_enabled %} {% if keycloak_quarkus_db_enabled %}
# Database # Database
db={{ keycloak_quarkus_db_engine }} db={{ keycloak_quarkus_jdbc_engine }}
db-url={{ keycloak_quarkus_db_url }} db-url={{ keycloak_quarkus_jdbc_url }}
db-username={{ keycloak_quarkus_db_user }} db-username={{ keycloak_quarkus_db_user }}
{% if not keycloak.config_key_store_enabled %} {% if not keycloak.config_key_store_enabled %}
db-password={{ keycloak_quarkus_db_pass }} db-password={{ keycloak_quarkus_db_pass }}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas true -%}
hostname-strict-https=true
{% endif -%}
{% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas false -%}
hostname-strict-https=false
{% endif -%}
{% if keycloak.config_key_store_enabled %} {% if keycloak.config_key_store_enabled %}
# Config store # Config store
config-keystore={{ keycloak_quarkus_config_key_store_file }} config-keystore={{ keycloak_quarkus_config_key_store_file }}
config-keystore-password={{ keycloak_quarkus_config_key_store_password }} config-keystore-password={{ keycloak_quarkus_config_key_store_password }}
config-keystore-type=PKCS12
{% endif %} {% endif %}
# Observability # Observability
@ -22,17 +30,8 @@ health-enabled={{ keycloak_quarkus_health_enabled | lower }}
# HTTP # HTTP
http-enabled={{ keycloak_quarkus_http_enabled | lower }} http-enabled={{ keycloak_quarkus_http_enabled | lower }}
{% if keycloak_quarkus_http_enabled %}
http-port={{ keycloak_quarkus_http_port }} http-port={{ keycloak_quarkus_http_port }}
{% endif %}
http-relative-path={{ keycloak_quarkus_http_relative_path }} http-relative-path={{ keycloak_quarkus_http_relative_path }}
http-host={{ keycloak_quarkus_http_host }}
# Management
http-management-port={{ keycloak_quarkus_http_management_port }}
{% if keycloak_quarkus_http_management_relative_path is defined and keycloak_quarkus_http_management_relative_path | length > 0 %}
http-management-relative-path={{ keycloak_quarkus_http_management_relative_path }}
{% endif %}
# HTTPS # HTTPS
https-port={{ keycloak_quarkus_https_port }} https-port={{ keycloak_quarkus_https_port }}
@ -50,21 +49,23 @@ https-trust-store-password={{ keycloak_quarkus_https_trust_store_password }}
{% endif %} {% endif %}
# Client URL configuration # Client URL configuration
hostname={{ keycloak_quarkus_hostname }} {% if keycloak_quarkus_frontend_url %}
hostname-admin={{ keycloak_quarkus_hostname_admin }} hostname-url={{ keycloak_quarkus_frontend_url }}
{% else %}
hostname={{ keycloak_quarkus_host }}
hostname-port={{ keycloak_quarkus_port }}
hostname-path={{ keycloak_quarkus_path }}
{% endif %}
hostname-admin-url={{ keycloak_quarkus_admin_url }}
hostname-strict={{ keycloak_quarkus_hostname_strict | lower }} hostname-strict={{ keycloak_quarkus_hostname_strict | lower }}
hostname-backchannel-dynamic={{ keycloak_quarkus_hostname_backchannel_dynamic | lower }} hostname-strict-backchannel={{ keycloak_quarkus_hostname_strict_backchannel | lower }}
# Cluster # Cluster
{% if keycloak_quarkus_ha_enabled %} {% if keycloak_quarkus_ha_enabled %}
cache=ispn cache=ispn
cache-config-file=cache-ispn.xml cache-config-file=cache-ispn.xml
{% if keycloak_quarkus_cache_remote %} {% if keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING' %}
cache-remote-username={{ keycloak_quarkus_cache_remote_username }} # cache-stack=tcp # configured directly in `cache-ispn.xml`
cache-remote-password={{ keycloak_quarkus_cache_remote_password }}
cache-remote-host={{ keycloak_quarkus_cache_remote_host }}
cache-remote-port={{ keycloak_quarkus_cache_remote_port }}
cache-remote-tls-enabled={{ keycloak_quarkus_cache_remote_tls_enabled | lower }}
{% endif %} {% endif %}
{% endif %} {% endif %}

View file

@ -1,22 +1,22 @@
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
{% if keycloak_quarkus_ha_enabled %} {% if keycloak_quarkus_ha_enabled %}
{% if keycloak_quarkus_version.split('.')[0] | int < 22 %} {% if keycloak_quarkus_version.split('.')[0] | int < 22 %}
quarkus.infinispan-client.server-list={{ keycloak_quarkus_cache_remote_host }}:{{ keycloak_quarkus_cache_remote_port }} quarkus.infinispan-client.server-list={{ keycloak_quarkus_ispn_hosts }}
quarkus.infinispan-client.auth-username={{ keycloak_quarkus_cache_remote_username }} quarkus.infinispan-client.auth-username={{ keycloak_quarkus_ispn_user }}
quarkus.infinispan-client.auth-password={{ keycloak_quarkus_cache_remote_password }} quarkus.infinispan-client.auth-password={{ keycloak_quarkus_ispn_pass }}
{% else %} {% else %}
quarkus.infinispan-client.hosts={{ keycloak_quarkus_cache_remote_host }}:{{ keycloak_quarkus_cache_remote_port }} quarkus.infinispan-client.hosts={{ keycloak_quarkus_ispn_hosts }}
quarkus.infinispan-client.username={{ keycloak_quarkus_cache_remote_username }} quarkus.infinispan-client.username={{ keycloak_quarkus_ispn_user }}
quarkus.infinispan-client.password={{ keycloak_quarkus_cache_remote_password }} quarkus.infinispan-client.password={{ keycloak_quarkus_ispn_pass }}
{% endif %} {% endif %}
quarkus.infinispan-client.client-intelligence=HASH_DISTRIBUTION_AWARE quarkus.infinispan-client.client-intelligence=HASH_DISTRIBUTION_AWARE
quarkus.infinispan-client.use-auth=true quarkus.infinispan-client.use-auth=true
quarkus.infinispan-client.auth-realm=default quarkus.infinispan-client.auth-realm=default
quarkus.infinispan-client.auth-server-name=infinispan quarkus.infinispan-client.auth-server-name=infinispan
quarkus.infinispan-client.sasl-mechanism={{ keycloak_quarkus_cache_remote_sasl_mechanism }} quarkus.infinispan-client.sasl-mechanism={{ keycloak_quarkus_ispn_sasl_mechanism }}
{% if keycloak_quarkus_cache_remote_tls_enabled %} {% if keycloak_quarkus_ispn_use_ssl %}
quarkus.infinispan-client.trust-store={{ keycloak_quarkus_https_trust_store_file }} quarkus.infinispan-client.trust-store={{ keycloak_quarkus_ispn_trust_store_path }}
quarkus.infinispan-client.trust-store-password={{ keycloak_quarkus_https_trust_store_password }} quarkus.infinispan-client.trust-store-password={{ keycloak_quarkus_ispn_trust_store_password }}
quarkus.infinispan-client.trust-store-type=jks quarkus.infinispan-client.trust-store-type=jks
{% endif %} {% endif %}
#quarkus.infinispan-client.use-schema-registration=true #quarkus.infinispan-client.use-schema-registration=true

View file

@ -1,8 +1,7 @@
--- ---
keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('openjdk-21-jdk-headless') }}" keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('openjdk-17-jdk-headless') }}"
keycloak_quarkus_prereq_package_list: keycloak_quarkus_prereq_package_list:
- "{{ keycloak_quarkus_varjvm_package }}" - "{{ keycloak_quarkus_varjvm_package }}"
- bash
- unzip - unzip
- procps - procps
- apt - apt

View file

@ -4,7 +4,8 @@ keycloak: # noqa var-naming this is an internal dict of interpolated values
config_dir: "{{ keycloak_quarkus_config_dir }}" config_dir: "{{ keycloak_quarkus_config_dir }}"
bundle: "{{ keycloak_quarkus_archive }}" bundle: "{{ keycloak_quarkus_archive }}"
service_name: "keycloak" service_name: "keycloak"
health_url: "{{ keycloak_quarkus_health_check_url | default(keycloak_quarkus_hostname ~ '/' ~ (keycloak_quarkus_health_check_url_path | default('realms/master/.well-known/openid-configuration'))) }}" health_url: "{{ 'https' if keycloak_quarkus_http_enabled == False else 'http' }}://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_https_port if keycloak_quarkus_http_enabled == False else keycloak_quarkus_http_port }}{{ keycloak_quarkus_http_relative_path }}{{ '/' \
if keycloak_quarkus_http_relative_path | length > 1 else '' }}{{ keycloak_quarkus_health_check_url_path | default('realms/master/.well-known/openid-configuration') }}"
cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh" cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh"
service_user: "{{ keycloak_quarkus_service_user }}" service_user: "{{ keycloak_quarkus_service_user }}"
service_group: "{{ keycloak_quarkus_service_group }}" service_group: "{{ keycloak_quarkus_service_group }}"

View file

@ -1,8 +1,7 @@
--- ---
keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('java-21-openjdk-headless') }}" keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('java-17-openjdk-headless') }}"
keycloak_quarkus_prereq_package_list: keycloak_quarkus_prereq_package_list:
- "{{ keycloak_quarkus_varjvm_package }}" - "{{ keycloak_quarkus_varjvm_package }}"
- bash
- unzip - unzip
- procps-ng - procps-ng
- initscripts - initscripts

View file

@ -19,7 +19,7 @@ Role Defaults
|`keycloak_management_http_port`| Management port | `9990` | |`keycloak_management_http_port`| Management port | `9990` |
|`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` | |`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` |
|`keycloak_client_public`| Configure a public realm client | `True` | |`keycloak_client_public`| Configure a public realm client | `True` |
|`keycloak_client_web_origins`| Web origins for realm client | `/*` | |`keycloak_client_web_origins`| Web origins for realm client | `+` |
|`keycloak_url`| URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` | |`keycloak_url`| URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
|`keycloak_management_url`| URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` | |`keycloak_management_url`| URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
@ -74,7 +74,6 @@ Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/ge
- name: <name of the client> - name: <name of the client>
id: <id of the client> id: <id of the client>
client_id: <id of the client> client_id: <id of the client>
secret: <secret of the client (Optional)>
roles: <keycloak_client_default_roles> roles: <keycloak_client_default_roles>
realm: <name of the realm that contains the client> realm: <name of the realm that contains the client>
public_client: <true for public, false for confidential> public_client: <true for public, false for confidential>

View file

@ -43,7 +43,7 @@ keycloak_client_default_roles: []
keycloak_client_public: true keycloak_client_public: true
# allowed web origins for the client # allowed web origins for the client
keycloak_client_web_origins: '/*' keycloak_client_web_origins: '+'
# list of user and role mappings to create in the client # list of user and role mappings to create in the client
# Each user has the form: # Each user has the form:
@ -54,7 +54,3 @@ keycloak_client_users: []
### List of Keycloak User Federation ### List of Keycloak User Federation
keycloak_user_federation: [] keycloak_user_federation: []
# other settings
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + (keycloak_jboss_port_offset | default(0)) }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + (keycloak_jboss_port_offset | default(0)) }}"

View file

@ -53,7 +53,7 @@ argument_specs:
type: "bool" type: "bool"
keycloak_client_web_origins: keycloak_client_web_origins:
# line 42 of keycloak_realm/defaults/main.yml # line 42 of keycloak_realm/defaults/main.yml
default: "/*" default: "+"
description: "Web origins for realm client" description: "Web origins for realm client"
type: "str" type: "str"
keycloak_client_users: keycloak_client_users:

View file

@ -8,7 +8,7 @@ galaxy_info:
license: Apache License 2.0 license: Apache License 2.0
min_ansible_version: "2.16" min_ansible_version: "2.15"
platforms: platforms:
- name: EL - name: EL

View file

@ -15,7 +15,6 @@
ansible.builtin.uri: ansible.builtin.uri:
url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}" url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}"
method: GET method: GET
validate_certs: false
status_code: status_code:
- 200 - 200
- 404 - 404
@ -46,7 +45,7 @@
name: "{{ item.name }}" name: "{{ item.name }}"
state: present state: present
provider_id: "{{ item.provider_id }}" provider_id: "{{ item.provider_id }}"
provider_type: "{{ item.provider_type | default('org.keycloak.storage.UserStorageProvider') }}" provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}"
config: "{{ item.config }}" config: "{{ item.config }}"
mappers: "{{ item.mappers | default(omit) }}" mappers: "{{ item.mappers | default(omit) }}"
no_log: "{{ keycloak_no_log | default('True') }}" no_log: "{{ keycloak_no_log | default('True') }}"
@ -76,7 +75,6 @@
default_roles: "{{ item.roles | default(omit) }}" default_roles: "{{ item.roles | default(omit) }}"
client_id: "{{ item.client_id | default(omit) }}" client_id: "{{ item.client_id | default(omit) }}"
id: "{{ item.id | default(omit) }}" id: "{{ item.id | default(omit) }}"
secret: "{{ item.secret | default(omit) }}"
name: "{{ item.name | default(omit) }}" name: "{{ item.name | default(omit) }}"
description: "{{ item.description | default(omit) }}" description: "{{ item.description | default(omit) }}"
root_url: "{{ item.root_url | default('') }}" root_url: "{{ item.root_url | default('') }}"
@ -84,7 +82,7 @@
base_url: "{{ item.base_url | default('') }}" base_url: "{{ item.base_url | default('') }}"
enabled: "{{ item.enabled | default(True) }}" enabled: "{{ item.enabled | default(True) }}"
redirect_uris: "{{ item.redirect_uris | default(omit) }}" redirect_uris: "{{ item.redirect_uris | default(omit) }}"
web_origins: "{{ item.web_origins | default(omit) }}" web_origins: "{{ item.web_origins | default('+') }}"
bearer_only: "{{ item.bearer_only | default(omit) }}" bearer_only: "{{ item.bearer_only | default(omit) }}"
standard_flow_enabled: "{{ item.standard_flow_enabled | default(omit) }}" standard_flow_enabled: "{{ item.standard_flow_enabled | default(omit) }}"
implicit_flow_enabled: "{{ item.implicit_flow_enabled | default(omit) }}" implicit_flow_enabled: "{{ item.implicit_flow_enabled | default(omit) }}"
@ -94,7 +92,7 @@
protocol: "{{ item.protocol | default(omit) }}" protocol: "{{ item.protocol | default(omit) }}"
attributes: "{{ item.attributes | default(omit) }}" attributes: "{{ item.attributes | default(omit) }}"
state: present state: present
no_log: "{{ keycloak_no_log | default('false') }}" no_log: "{{ keycloak_no_log | default('True') }}"
register: create_client_result register: create_client_result
loop: "{{ keycloak_clients | flatten }}" loop: "{{ keycloak_clients | flatten }}"
when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined) when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined)
@ -112,6 +110,3 @@
loop_control: loop_control:
loop_var: client loop_var: client
when: "'users' in client" when: "'users' in client"
- name: Provide Access token lifespan
ansible.builtin.include_tasks: manage_token_lifespan.yml

View file

@ -1,14 +0,0 @@
---
- name: "Update Access token lifespan"
ansible.builtin.uri:
url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}"
method: PUT
body:
accessTokenLifespan: 300
validate_certs: false
body_format: json
status_code:
- 200
- 204
headers:
Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"

View file

@ -3,7 +3,6 @@
ansible.builtin.uri: ansible.builtin.uri:
url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | default(keycloak_realm) }}" url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | default(keycloak_realm) }}"
method: GET method: GET
validate_certs: false
status_code: status_code:
- 200 - 200
headers: headers:
@ -17,7 +16,6 @@
default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | \ default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | \
selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available" selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
method: GET method: GET
validate_certs: false
status_code: status_code:
- 200 - 200
headers: headers:

View file

@ -3,3 +3,7 @@
# name of the realm to create, this is a required variable # name of the realm to create, this is a required variable
keycloak_realm: keycloak_realm:
# other settings
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + (keycloak_jboss_port_offset | default(0)) }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + (keycloak_jboss_port_offset | default(0)) }}"