Merge pull request #293 from world-direct/fix/292

Update to keycloak 26.3.0

.ansible-lint

@@ -5,6 +5,8 @@ exclude_paths:
   - molecule/
   - .ansible-lint
   - .yamllint
+  - meta/
+  - playbooks/roles/
 
 rulesdir:
    - ../../ansible-lint-custom-rules/rules/
@@ -16,12 +18,26 @@ enable_list:
 warn_list:
   - role_vars_start_with_role_name
   - vars_in_vars_files_have_valid_names
-  - vars_should_not_be_used
   - experimental
   - ignore-errors
   - no-handler
-  - fqcn-builtins
   - no-log-password
+  - jinja[spacing]
+  - jinja[invalid]
+  - meta-no-tags
+  - name[casing]
+  - fqcn[action]
+  - schema[meta]
+  - key-order[task]
+  - blocked_modules
+  - run-once[task]
+
+skip_list:
+  - vars_should_not_be_used
+  - file_is_small_enough
+  - file_has_valid_name
+  - name[template]
+  - var-naming[no-role-prefix]
 
 use_default_rules: true
 parseable: true

.github/workflows/ci.yml

@@ -1,51 +1,28 @@
 ---
 name: CI
-"on":
+on:
   push:
     branches:
       - main
   pull_request:
+  workflow_dispatch:
+    inputs:
+      debug_verbosity:
+        description: 'ANSIBLE_VERBOSITY envvar value'
+        required: false
+  schedule:
+    - cron: '15 6 * * *'
 
 jobs:
   ci:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python_version: ["3.9"]
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v2
-        with:
-          path: ansible_collections/middleware_automation/keycloak
-
-      - name: Set up Python ${{ matrix.python_version }}
-        uses: actions/setup-python@v1
-        with:
-          python-version: ${{ matrix.python_version }}
-
-      - name: Install yamllint, ansible and molecule
-        run: |
-          python -m pip install --upgrade pip
-          pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
-          pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
-
-      - name: Install ansible-lint custom rules
-        uses: actions/checkout@v2
-        with:
-          repository: ansible-middleware/ansible-lint-custom-rules
-          path: ansible_collections/ansible-lint-custom-rules/
-
-      - name: Create default collection path
-        run: |
-          mkdir -p /home/runner/.ansible/collections/ansible_collections
-
-      - name: Run sanity tests
-        run: ansible-test sanity --docker -v --color --python ${{ matrix.python_version }}
-        working-directory: ./ansible_collections/middleware_automation/keycloak
-
-      - name: Run molecule test
-        run: molecule test --all
-        working-directory: ./ansible_collections/middleware_automation/keycloak
-        env:
-          PY_COLORS: '1'
-          ANSIBLE_FORCE_COLOR: '1'
+    uses: ansible-middleware/github-actions/.github/workflows/cish.yml@main
+    secrets: inherit
+    with:
+      fqcn: 'middleware_automation/keycloak'
+      debug_verbosity: "${{ github.event.inputs.debug_verbosity }}"
+      molecule_tests: >-
+        [ "debian", "quarkus", "quarkus_ha", "quarkus_ha_remote" ]
+      podman_tests_current: >-
+        [ "default", "quarkus_devmode", "quarkus_upgrade" ]
+      podman_tests_next: >-
+        [ "default", "quarkus_devmode", "quarkus_upgrade" ]

.github/workflows/docs.yml

@@ -5,71 +5,14 @@ on:
     branches:
       - main
     tags:
-      - "*.*.*"
-
-env:
-  COLORTERM: 'yes'
-  TERM: 'xterm-256color'
-  PYTEST_ADDOPTS: '--color=yes'
+      - "[0-9]+.[0-9]+.[0-9]+"
+  workflow_dispatch:
 
 jobs:
   docs:
-    runs-on: ubuntu-latest
-    if: github.repository == 'ansible-middleware/keycloak'
-    permissions:
-      actions: write
-      checks: write
-      contents: write
-      deployments: write
-      packages: write
-      pages: write
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v2
-        with:
-          path: ansible_collections/middleware_automation/keycloak
-          fetch-depth: 0
-
-      - name: Set up Python
-        uses: actions/setup-python@v2
-        with:
-          python-version: 3.9
-
-      - name: Install doc dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -r ansible_collections/middleware_automation/keycloak/docs/requirements.txt
-          pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
-
-      - name: Create default collection path
-        run: |
-          mkdir -p /home/runner/.ansible/collections/ansible_collections
-
-      - name: Create doc directories and resources
-        run: |
-          mkdir -p ./docs/plugins ./docs/roles
-          cat ./docs/roles.rst.template > ./docs/roles/index.rst
-          antsibull-docs collection --use-current --squash-hierarchy --dest-dir docs/plugins  middleware_automation.keycloak
-          for role_readme in roles/*/README.md; do ln -f -s ../../$role_readme ./docs/roles/$(basename $(dirname $role_readme)).md; echo " * :doc:\`$(basename $(dirname $role_readme))\`" >> ./docs/roles/index.rst; done
-        working-directory: ansible_collections/middleware_automation/keycloak
-
-      - name: Run sphinx
-        run: |
-          sphinx-build -M html . _build -v
-        working-directory: ansible_collections/middleware_automation/keycloak/docs/
-
-      - name: Commit docs
-        run: |
-          git config user.name github-actions
-          git config user.email github-actions@github.com
-          git checkout gh-pages
-          rm -rf $(basename ${GITHUB_REF})
-          mv docs/_build/html $(basename ${GITHUB_REF})
-          ln --force --no-dereference --symbolic   main latest
-          git show origin/main:docs/_gh_include/header.inc > index.html
-          (echo main; echo latest; dirname *.*.*/index.html | sort --version-sort --reverse) | xargs -I@@ -n1 echo '<li class="toctree-l1"><a class="reference internal" href="@@/">@@</a></li>' >> index.html
-          git show origin/main:docs/_gh_include/footer.inc >> index.html
-          git add $(basename ${GITHUB_REF}) latest index.html
-          git commit -m "Update docs for $(basename ${GITHUB_REF})" || true
-          git push origin gh-pages
-        working-directory: ansible_collections/middleware_automation/keycloak/
+    uses: ansible-middleware/github-actions/.github/workflows/docs.yml@main
+    secrets: inherit
+    with:
+      fqcn: 'middleware_automation/keycloak'
+      collection_fqcn: 'middleware_automation.keycloak'
+      historical_docs: 'false'

.github/workflows/release.yml

@@ -1,47 +1,28 @@
+---
 name: Release collection
-
 on:
-  push:
-    tags:
-      - "*.*.*"
+  workflow_dispatch:
+    inputs:
+      release_summary:
+        description: 'Optional release summary for changelogs'
+        required: false
 
 jobs:
   release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Set up Python
-        uses: actions/setup-python@v1
-        with:
-          python-version: "3.x"
-      - name: Get Tag Version
-        id: get_version
-        run: echo ::set-output name=TAG_VERSION::${GITHUB_REF#refs/tags/}
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install ansible-core
-      - name: Build collection
-        run: |
-          ansible-galaxy collection build .
-      - name: Publish Release
-        uses: softprops/action-gh-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          files: "*.tar.gz"
-          body: "Release ${{ steps.get_version.outputs.TAG_VERSION }}"
-      - name: Publish collection
-        env:
-          ANSIBLE_GALAXY_API_KEY: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
-        run: |
-          ansible-galaxy collection publish *.tar.gz --api-key $ANSIBLE_GALAXY_API_KEY
+    uses: ansible-middleware/github-actions/.github/workflows/release.yml@main
+    with:
+      collection_fqcn: 'middleware_automation.keycloak'
+      downstream_name: 'rhbk'
+      release_summary: "${{ github.event.inputs.release_summary }}"
+    secrets:
+      galaxy_token: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
+      jira_webhook: ${{ secrets.JIRA_WEBHOOK_CREATE_VERSION }}
+
   dispatch:
     needs: release
     strategy:
       matrix:
-        repo: ['ansible-middleware/cross-dc-rhsso-demo', 'ansible-middleware/flange-demo']
+        repo: ['ansible-middleware/ansible-middleware-ee']
     runs-on: ubuntu-latest
     steps:
       - name: Repository Dispatch
@@ -49,5 +30,5 @@ jobs:
         with:
           token: ${{ secrets.TRIGGERING_PAT }}
           repository: ${{ matrix.repo }}
-          event-type: "Dependency released - Keycloak"
+          event-type: "Dependency released - Keycloak v${{ needs.release.outputs.tag_version }}"
           client-payload: '{ "github": ${{toJson(github)}} }'

.github/workflows/traffic.yml

@@ -0,0 +1,26 @@
+name: Collect traffic stats
+on:
+  schedule:
+    - cron: "51 23 * * 0"
+  workflow_dispatch:
+
+jobs:
+  traffic:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          ref: "gh-pages"
+
+      - name: GitHub traffic
+        uses: sangonzal/repository-traffic-action@v.0.1.6
+        env:
+          TRAFFIC_ACTION_TOKEN: ${{ secrets.TRIGGERING_PAT }}
+
+      - name: Commit changes
+        uses: EndBug/add-and-commit@v4
+        with:
+          author_name: Ansible Middleware
+          message: "GitHub traffic"
+          add: "./traffic/*"
+          ref: "gh-pages"

.gitignore

@@ -2,9 +2,15 @@
 *.zip
 .tmp
 .cache
+.vscode/
+__pycache__/
 docs/plugins/
 docs/roles/
 docs/_build/
 .pytest_cache/
 .mypy_cache/
 *.retry
+changelogs/.plugin-cache.yaml
+*.pem
+*.key
+*.p12

.yamllint

@@ -15,7 +15,8 @@ rules:
   commas:
     max-spaces-after: -1
     level: error
-  comments: disable
+  comments:
+    min-spaces-from-content: 1
   comments-indentation: disable
   document-start: disable
   empty-lines:
@@ -30,4 +31,8 @@ rules:
   new-lines:
     type: unix
   trailing-spaces: disable
-  truthy: disable
+  truthy: disable
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
+

CHANGELOG.rst

@@ -0,0 +1,513 @@
+=============================================
+middleware\_automation.keycloak Release Notes
+=============================================
+
+.. contents:: Topics
+
+This changelog describes changes after version 0.2.6.
+
+v3.0.2
+======
+
+Minor Changes
+-------------
+
+- New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_
+- New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_
+- Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_
+- Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_
+
+Bugfixes
+--------
+
+- Fix ``keycloak_quarkus_force_install`` parameter being ignored by install `#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_
+- Fix alternate download location being ignored (JBossNeworkAPI always used) `#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_
+- Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_
+- Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_
+- keycloak_realm: federation default provider type should be a string `#302 <https://github.com/ansible-middleware/keycloak/pull/302>`_
+
+v3.0.1
+======
+
+Minor Changes
+-------------
+
+- Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_
+
+Bugfixes
+--------
+
+- Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_
+
+v3.0.0
+======
+
+Minor Changes
+-------------
+
+- Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_
+- keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_
+- Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_
+- Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_
+
+Bugfixes
+--------
+
+- Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_
+- Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_
+- Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_
+- Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_
+
+New Modules
+-----------
+
+- middleware_automation.keycloak.keycloak_realm - Allows administration of Keycloak realm via Keycloak API
+
+v2.4.3
+======
+
+Minor Changes
+-------------
+
+- Update keycloak to 24.0.5 `#241 <https://github.com/ansible-middleware/keycloak/pull/241>`_
+
+v2.4.2
+======
+
+Minor Changes
+-------------
+
+- New parameter ``keycloak_quarkus_download_path``  `#239 <https://github.com/ansible-middleware/keycloak/pull/239>`_
+
+Bugfixes
+--------
+
+- Add wait_for_port number parameter `#237 <https://github.com/ansible-middleware/keycloak/pull/237>`_
+
+v2.4.1
+======
+
+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
+v2.4.0
+======
+
+Major Changes
+-------------
+
+- Enable by default health check on restart `#234 <https://github.com/ansible-middleware/keycloak/pull/234>`_
+- Update minimum ansible-core version > 2.15 `#232 <https://github.com/ansible-middleware/keycloak/pull/232>`_
+
+v2.3.0
+======
+
+Major Changes
+-------------
+
+- Allow for custom providers hosted on maven repositories `#223 <https://github.com/ansible-middleware/keycloak/pull/223>`_
+- Restart handler strategy behaviour `#231 <https://github.com/ansible-middleware/keycloak/pull/231>`_
+
+Minor Changes
+-------------
+
+- Add support for policy files `#225 <https://github.com/ansible-middleware/keycloak/pull/225>`_
+- Allow to add extra custom env vars in sysconfig file `#229 <https://github.com/ansible-middleware/keycloak/pull/229>`_
+- Download from alternate URL with optional http authentication `#220 <https://github.com/ansible-middleware/keycloak/pull/220>`_
+- Update Keycloak to version 24.0.4 `#218 <https://github.com/ansible-middleware/keycloak/pull/218>`_
+- ``proxy-header`` enhancement `#227 <https://github.com/ansible-middleware/keycloak/pull/227>`_
+
+Bugfixes
+--------
+
+- ``kc.sh build`` uses configured jdk `#211 <https://github.com/ansible-middleware/keycloak/pull/211>`_
+
+v2.2.2
+======
+
+Minor Changes
+-------------
+
+- Copying of key material for TLS configuration `#210 <https://github.com/ansible-middleware/keycloak/pull/210>`_
+- Validate certs parameter for JDBC driver downloads `#207 <https://github.com/ansible-middleware/keycloak/pull/207>`_
+
+Bugfixes
+--------
+
+- Turn off controller privilege escalation `#209 <https://github.com/ansible-middleware/keycloak/pull/209>`_
+
+v2.2.1
+======
+
+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
+Bugfixes
+--------
+
+- JDBC provider: fix clause in argument validation `#204 <https://github.com/ansible-middleware/keycloak/pull/204>`_
+
+v2.2.0
+======
+
+Major Changes
+-------------
+
+- Support java keystore for configuration of sensitive options `#189 <https://github.com/ansible-middleware/keycloak/pull/189>`_
+
+Minor Changes
+-------------
+
+- Add ``wait_for_port`` and ``wait_for_log`` systemd unit logic `#199 <https://github.com/ansible-middleware/keycloak/pull/199>`_
+- Customize jdbc driver downloads, optional authentication `#202 <https://github.com/ansible-middleware/keycloak/pull/202>`_
+- Keystore-based vault SPI configuration `#196 <https://github.com/ansible-middleware/keycloak/pull/196>`_
+- New ``keycloak_quarkus_hostname_strict_https`` parameter `#195 <https://github.com/ansible-middleware/keycloak/pull/195>`_
+- Providers config and custom providers `#201 <https://github.com/ansible-middleware/keycloak/pull/201>`_
+- Remove administrator credentials from files once keycloak is bootstrapped `#197 <https://github.com/ansible-middleware/keycloak/pull/197>`_
+- Update keycloak to 24.0 `#194 <https://github.com/ansible-middleware/keycloak/pull/194>`_
+
+v2.1.2
+======
+
+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
+v2.1.1
+======
+
+Minor Changes
+-------------
+
+- Add reverse ``proxy_headers`` config, supersedes ``proxy_mode`` `#187 <https://github.com/ansible-middleware/keycloak/pull/187>`_
+- Debian/Ubuntu compatibility `#178 <https://github.com/ansible-middleware/keycloak/pull/178>`_
+- Use ``keycloak_realm`` as default for sub-entities `#180 <https://github.com/ansible-middleware/keycloak/pull/180>`_
+
+Bugfixes
+--------
+
+- Fix permissions on controller-side downloaded artifacts `#184 <https://github.com/ansible-middleware/keycloak/pull/184>`_
+- JVM args moved to ``JAVA_OPTS`` envvar (instead of JAVA_OPTS_APPEND) `#186 <https://github.com/ansible-middleware/keycloak/pull/186>`_
+- Unrelax configuration file permissions `#191 <https://github.com/ansible-middleware/keycloak/pull/191>`_
+- Utilize comment filter for ``ansible_managed`` annotations `#176 <https://github.com/ansible-middleware/keycloak/pull/176>`_
+
+v2.1.0
+======
+
+Major Changes
+-------------
+
+- Implement infinispan TCPPING discovery protocol `#159 <https://github.com/ansible-middleware/keycloak/pull/159>`_
+
+Minor Changes
+-------------
+
+- Set enable-recovery when xa transactions are enabled `#167 <https://github.com/ansible-middleware/keycloak/pull/167>`_
+- keycloak_quarkus: Allow configuring log rotate options in quarkus configuration `#161 <https://github.com/ansible-middleware/keycloak/pull/161>`_
+- keycloak_quarkus: ``sticky-session`` for infinispan routes `#163 <https://github.com/ansible-middleware/keycloak/pull/163>`_
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- keycloak_quarkus: renamed infinispan host list configuration `#157 <https://github.com/ansible-middleware/keycloak/pull/157>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: fix custom JAVA_HOME parameter name `#171 <https://github.com/ansible-middleware/keycloak/pull/171>`_
+
+v2.0.2
+======
+
+Minor Changes
+-------------
+
+- keycloak_quarkus: Add support for sqlserver jdbc driver `#148 <https://github.com/ansible-middleware/keycloak/pull/148>`_
+- keycloak_quarkus: allow configuration of ``hostname-strict-backchannel`` `#152 <https://github.com/ansible-middleware/keycloak/pull/152>`_
+- keycloak_quarkus: systemd restart behavior `#145 <https://github.com/ansible-middleware/keycloak/pull/145>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: Use ``keycloak_quarkus_java_opts`` `#154 <https://github.com/ansible-middleware/keycloak/pull/154>`_
+- keycloak_quarkus: allow ports <1024 (e.g. :443) in systemd unit `#150 <https://github.com/ansible-middleware/keycloak/pull/150>`_
+
+v2.0.1
+======
+
+Minor Changes
+-------------
+
+- keycloak_quarkus: add hostname-strict parameter `#139 <https://github.com/ansible-middleware/keycloak/pull/139>`_
+- keycloak_quarkus: update to version 23.0.1 `#133 <https://github.com/ansible-middleware/keycloak/pull/133>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: template requires lowercase boolean values `#138 <https://github.com/ansible-middleware/keycloak/pull/138>`_
+
+v2.0.0
+======
+
+Minor Changes
+-------------
+
+- Add new parameter for port offset configuration `#124 <https://github.com/ansible-middleware/keycloak/pull/124>`_
+- Update Keycloak to version 22.0.5 `#122 <https://github.com/ansible-middleware/keycloak/pull/122>`_
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- Add support for more http-related configs `#115 <https://github.com/ansible-middleware/keycloak/pull/115>`_
+- Update minimum ansible-core version > 2.14 `#119 <https://github.com/ansible-middleware/keycloak/pull/119>`_
+- keycloak_quarkus: enable config of key store and trust store `#116 <https://github.com/ansible-middleware/keycloak/pull/116>`_
+
+v1.3.0
+======
+
+Major Changes
+-------------
+
+- Run service as ``keycloak_service_user`` `#106 <https://github.com/ansible-middleware/keycloak/pull/106>`_
+
+Minor Changes
+-------------
+
+- keycloak_quarkus: Update Keycloak to version 22.0.3 `#112 <https://github.com/ansible-middleware/keycloak/pull/112>`_
+- keycloak_quarkus: fix admin console redirect when running locally `#111 <https://github.com/ansible-middleware/keycloak/pull/111>`_
+- keycloak_quarkus: skip proxy config if ``keycloak_quarkus_proxy_mode`` is ``none`` `#109 <https://github.com/ansible-middleware/keycloak/pull/109>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: fix validation failure upon port configuration change `#113 <https://github.com/ansible-middleware/keycloak/pull/113>`_
+
+v1.2.8
+======
+
+Minor Changes
+-------------
+
+- keycloak_quarkus: set openjdk 17 as default `#103 <https://github.com/ansible-middleware/keycloak/pull/103>`_
+- keycloak_quarkus: update to version 22.0.1 `#107 <https://github.com/ansible-middleware/keycloak/pull/107>`_
+
+Bugfixes
+--------
+
+- Fix incorrect checks for ``keycloak_jgroups_subnet`` `#98 <https://github.com/ansible-middleware/keycloak/pull/98>`_
+- Undefine ``keycloak_db_valid_conn_sql`` default `#91 <https://github.com/ansible-middleware/keycloak/pull/91>`_
+- Update bindep.txt package python3-devel to support RHEL9 `#105 <https://github.com/ansible-middleware/keycloak/pull/105>`_
+
+v1.2.7
+======
+
+Minor Changes
+-------------
+
+- Allow to override jgroups subnet `#93 <https://github.com/ansible-middleware/keycloak/pull/93>`_
+- keycloak-quarkus: update keycloakx to v21.1.1 `#92 <https://github.com/ansible-middleware/keycloak/pull/92>`_
+
+v1.2.6
+======
+
+Minor Changes
+-------------
+
+- Add profile features enabling/disabling `#87 <https://github.com/ansible-middleware/keycloak/pull/87>`_
+- Improve service restart behavior configuration `#88 <https://github.com/ansible-middleware/keycloak/pull/88>`_
+- Update default xa_datasource_class value for mariadb jdbc configuration `#89 <https://github.com/ansible-middleware/keycloak/pull/89>`_
+
+Bugfixes
+--------
+
+- Handle WFLYCTL0117 when background validation millis is 0 `#90 <https://github.com/ansible-middleware/keycloak/pull/90>`_
+
+v1.2.5
+======
+
+Minor Changes
+-------------
+
+- Add configuration for database connection pool validation `#85 <https://github.com/ansible-middleware/keycloak/pull/85>`_
+- Allow to configure administration endpoint URL `#86 <https://github.com/ansible-middleware/keycloak/pull/86>`_
+- Allow to force backend URLs to frontend URLs `#84 <https://github.com/ansible-middleware/keycloak/pull/84>`_
+- Introduce systemd unit restart behavior `#81 <https://github.com/ansible-middleware/keycloak/pull/81>`_
+
+v1.2.4
+======
+
+Minor Changes
+-------------
+
+- Add ``sqlserver`` to keycloak role jdbc configurations `#78 <https://github.com/ansible-middleware/keycloak/pull/78>`_
+- Add configurability for XA transactions `#73 <https://github.com/ansible-middleware/keycloak/pull/73>`_
+
+Bugfixes
+--------
+
+- Fix deprecation warning for ``ipaddr`` `#77 <https://github.com/ansible-middleware/keycloak/pull/77>`_
+- Fix undefined facts when offline patching sso `#71 <https://github.com/ansible-middleware/keycloak/pull/71>`_
+
+v1.2.1
+======
+
+Minor Changes
+-------------
+
+- Allow to setup keycloak HA cluster without remote cache store `#68 <https://github.com/ansible-middleware/keycloak/pull/68>`_
+
+Bugfixes
+--------
+
+- Pass attributes to realm clients `#69 <https://github.com/ansible-middleware/keycloak/pull/69>`_
+
+v1.2.0
+======
+
+Major Changes
+-------------
+
+- Provide config for multiple modcluster proxies `#60 <https://github.com/ansible-middleware/keycloak/pull/60>`_
+
+Minor Changes
+-------------
+
+- Allow to configure TCPPING for cluster discovery `#62 <https://github.com/ansible-middleware/keycloak/pull/62>`_
+- Drop community.general from dependencies `#61 <https://github.com/ansible-middleware/keycloak/pull/61>`_
+- Switch middleware_automation.redhat_csp_download for middleware_automation.common `#63 <https://github.com/ansible-middleware/keycloak/pull/63>`_
+- Switch to middleware_automation.common for rh-sso patching `#64 <https://github.com/ansible-middleware/keycloak/pull/64>`_
+
+v1.1.1
+======
+
+Bugfixes
+--------
+
+- keycloak-quarkus: fix ``cache-config-file`` path in keycloak.conf.j2 template `#53 <https://github.com/ansible-middleware/keycloak/pull/53>`_
+
+v1.1.0
+======
+
+Minor Changes
+-------------
+
+- Update keycloak to 18.0.2 - sso to 7.6.1 `#46 <https://github.com/ansible-middleware/keycloak/pull/46>`_
+- Variable ``keycloak_no_log`` controls ansible ``no_log`` parameter (for debugging purposes) `#47 <https://github.com/ansible-middleware/keycloak/pull/47>`_
+- Variables to override service start retries and delay `#51 <https://github.com/ansible-middleware/keycloak/pull/51>`_
+- keycloak_quarkus: variable to enable development mode `#45 <https://github.com/ansible-middleware/keycloak/pull/45>`_
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- Rename variables from ``infinispan_`` prefix to ``keycloak_infinispan_`` `#42 <https://github.com/ansible-middleware/keycloak/pull/42>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: fix /var/log/keycloak symlink to keycloak log directory `#44 <https://github.com/ansible-middleware/keycloak/pull/44>`_
+
+v1.0.7
+======
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- keycloak_quarkus: use absolute path for certificate files `#39 <https://github.com/ansible-middleware/keycloak/pull/39>`_
+
+Bugfixes
+--------
+
+- keycloak_quarkus: use become for tasks that will otherwise fail `#38 <https://github.com/ansible-middleware/keycloak/pull/38>`_
+
+v1.0.6
+======
+
+Bugfixes
+--------
+
+- keycloak_quarkus: add selected java to PATH in systemd unit `#34 <https://github.com/ansible-middleware/keycloak/pull/34>`_
+- keycloak_quarkus: set logfile path correctly under keycloak home `#35 <https://github.com/ansible-middleware/keycloak/pull/35>`_
+
+v1.0.5
+======
+
+Minor Changes
+-------------
+
+- Update config options: keycloak and quarkus `#32 <https://github.com/ansible-middleware/keycloak/pull/32>`_
+
+v1.0.4
+======
+
+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
+v1.0.3
+======
+
+Major Changes
+-------------
+
+- New role for installing keycloak >= 17.0.0 (quarkus) `#29 <https://github.com/ansible-middleware/keycloak/pull/29>`_
+
+Minor Changes
+-------------
+
+- Add ``keycloak_config_override_template`` parameter for passing a custom xml config template `#30 <https://github.com/ansible-middleware/keycloak/pull/30>`_
+
+Bugfixes
+--------
+
+- Make sure systemd unit starts with selected java JVM `#31 <https://github.com/ansible-middleware/keycloak/pull/31>`_
+
+v1.0.2
+======
+
+Minor Changes
+-------------
+
+- Make ``keycloak_admin_password`` a default with assert (was: role variable) `#26 <https://github.com/ansible-middleware/keycloak/pull/26>`_
+- Simplify dependency install logic and reduce play execution time `#19 <https://github.com/ansible-middleware/keycloak/pull/19>`_
+
+Bugfixes
+--------
+
+- Set ``keycloak_frontend_url`` default according to other defaults `#25 <https://github.com/ansible-middleware/keycloak/pull/25>`_
+
+v1.0.1
+======
+
+Release Summary
+---------------
+
+Minor enhancements, bug and documentation fixes.
+
+Major Changes
+-------------
+
+- Apply latest cumulative patch of RH-SSO automatically when new parameter ``keycloak_rhsso_apply_patches`` is ``true`` `#18 <https://github.com/ansible-middleware/keycloak/pull/18>`_
+
+Minor Changes
+-------------
+
+- Clustered installs now perform database initialization on first node to avoid locking issues `#17 <https://github.com/ansible-middleware/keycloak/pull/17>`_
+
+v1.0.0
+======
+
+Release Summary
+---------------
+
+This is the first stable release of the ``middleware_automation.keycloak`` collection.

CONTRIBUTING.md

@@ -1,7 +1,41 @@
+## Developing
+
+### Build and install locally
+
+Clone the repository, checkout the tag you want to build, or pick the main branch for the development version; then:
+
+    ansible-galaxy collection build .
+    ansible-galaxy collection install middleware_automation-keycloak-*.tar.gz
+
+
+### Development environment
+
+Make sure your development machine has avilable:
+
+* python 3.11+
+* virtualenv
+* docker (or podman)
+
+In order to run setup the development environment and run the molecule tests locally, after cloning the repository:
+
+```
+# create new virtualenv using python 3
+virtualenv $PATH_TO_DEV_VIRTUALENV
+# activate the virtual env
+source $PATH_TO_DEV_VIRTUALENV/bin/activate
+# install ansible and tools onto the virtualenv
+pip install yamllint 'molecule>=6.0' 'molecule-plugins[docker]' 'ansible-core>=2.16' ansible-lint
+# install collection dependencies
+ansible-galaxy collection install -r requirements.yml
+# install python dependencies
+pip install -r requirements.txt molecule/requirements.txt
+# execute the tests (replace --all with -s subdirectory to run a single test)
+molecule test --all
+```
 
 ## Contributor's Guidelines
 
-- All YAML files named with '.yml' extension
+- All YAML files named with `.yml` extension
 - Use spaces around jinja variables. `{{ var }}` over `{{var}}`
 - Variables that are internal to the role should be lowercase and start with the role name
 - Keep roles self contained - Roles should avoid including tasks from other roles when possible
@@ -11,4 +45,4 @@
 - Indentation - Use 2 spaces for each indent
 - `vars/` vs `defaults/` - internal or interpolated variables that don't need to change or be overridden by user go in `vars/`, those that a user would likely override, go under `defaults/` directory
 - All role arguments have a specification in `meta/argument_specs.yml`
-- All playbooks/roles should be focused on compatibility with Ansible Tower
+- All playbooks/roles should be focused on compatibility with Ansible Automation Platform

README.md

@@ -1,14 +1,18 @@
 # Ansible Collection - middleware_automation.keycloak
 
+<!--start build_status -->
 [![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
 
+> **_NOTE:_ If you are Red Hat customer, install `redhat.rhbk` (for Red Hat Build of Keycloak) or `redhat.sso` (for Red Hat Single Sign-On) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.**
 
-Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on). 
-
+<!--end build_status -->
+<!--start description -->
+Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) / [Red Hat Build of Keycloak](https://access.redhat.com/products/red-hat-build-of-keycloak).
+<!--end description -->
 <!--start requires_ansible-->
 ## Ansible version compatibility
 
-This collection has been tested against following Ansible versions: **>=2.9.10**.
+This collection has been tested against following Ansible versions: **>=2.16.0**.
 
 Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
 <!--end requires_ansible-->
@@ -16,12 +20,15 @@ Plugins and modules within a collection may be tested with only specific Ansible
 
 ## Installation
 
+<!--start galaxy_download -->
 ### Installing the Collection from Ansible Galaxy
 
 Before using the collection, you need to install it with the Ansible Galaxy CLI:
 
     ansible-galaxy collection install middleware_automation.keycloak
 
+<!--end galaxy_download -->
+
 You can also include it in a `requirements.yml` file and install it via `ansible-galaxy collection install -r requirements.yml`, using the format:
 
 ```yaml
@@ -33,92 +40,60 @@ collections:
 The keycloak collection also depends on the following python packages to be present on the controller host:
 
 * netaddr
+* lxml
 
 A requirement file is provided to install:
 
     pip install -r requirements.txt
 
-
+<!--start roles_paths -->
 ### Included roles
 
-* [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service.
-* [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
+* `keycloak_quarkus`: role for installing keycloak (>= 19.0.0, quarkus based).
+* `keycloak_realm`: role for configuring a realm, user federation(s), clients and users, in an installed service.
+* `keycloak`: role for installing legacy keycloak (<= 19.0, wildfly based).
 
+<!--end roles_paths -->
 
 ## Usage
 
 
 ### Install Playbook
-
-* [`playbooks/keycloak.yml`](playbooks/keycloak.yml) installs the upstream(Keycloak) based on the defined variables.
-* [`playbooks/rhsso.yml`](playbooks/rhsso.yml) installs Red Hat Single Sign-On(RHSSO) based on defined variables.
+<!--start rhbk_playbook -->
+* [`playbooks/keycloak_quarkus.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_quarkus.yml) installs keycloak >= 17 based on the defined variables (using most defaults).
+* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs keycloak legacy based on the defined variables (using most defaults).
 
 Both playbooks include the `keycloak` role, with different settings, as described in the following sections.
 
-For full service configuration details, refer to the [keycloak role README](roles/keycloak/README.md).
+For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md).
+<!--end rhbk_playbook -->
 
+#### Install from controller node (offline)
 
-### Choosing between upstream project (Keycloak) and Red Hat Single Sign-On (RHSSO)
-
-The general flag `keycloak_rhsso_enable` controls what to install between upstream (Keycloak, when `False`) or Red Hat Single Sign-On (when `True`).
-The default value for the flag if `True` when Red Hat Network credentials are defined, `False` otherwise.
-
-
-#### Install upstream (Keycloak) from keycloak releases
-
-This is the default approach when RHN credentials are not defined. Keycloak is downloaded from keycloak builds (hosted on github.com) locally, and distributed to target nodes.
-
-
-#### Install RHSSO from the Red Hat Customer Support Portal
-
-Define the credentials as follows, and the default behaviour is to download a fresh archive of RHSSO on the controller node, then distribute to target nodes.
+Making the keycloak zip archive available to the playbook working directory, and setting `keycloak_offline_install` to `true`, allows to skip
+the download tasks. The local path for the archive does match the downloaded archive path, so that it is also used as a cache when multiple hosts are provisioned in a cluster.
 
 ```yaml
-rhn_username: '<customer_portal_username>'
-rhn_password: '<customer_portal_password>'
-# (keycloak_rhsso_enable defaults to True)
+keycloak_offline_install: true
 ```
 
 
-#### Install from controller node (local source)
-
-Making the keycloak zip archive (or the RHSSO zip archive), available to the playbook repository root directory, and setting `keycloak_offline_install` to `True`, allows to skip
-the download tasks. The local path for the archive matches the downloaded archive path, so it is also used as a cache when multiple hosts are provisioned in a cluster.
-
-```yaml
-keycloak_offline_install: True
-```
-
-And depending on `keycloak_rhsso_enable`:
-
-* `True`: install RHSSO using file rh-sso-x.y.z-server-dist.zip
-* `False`: install keycloak using file keycloak-x.y.zip
+<!--start rhn_credentials -->
+<!--end rhn_credentials -->
 
 
 #### Install from alternate sources (like corporate Nexus, artifactory, proxy, etc)
 
-For RHSSO:
-
-```yaml
-keycloak_rhsso_enable: True
-keycloak_rhsso_download_url: "https://<internal-nexus.private.net>/<path>/<to>/rh-sso-x.y.z-server-dist.zip"
-```
-
-For keycloak:
-
-```yaml
-keycloak_rhsso_enable: False
-keycloak_download_url: "https://<internal-nexus.private.net>/<path>/<to>/keycloak-x.y.zip"
-```
+It is possible to perform downloads from alternate sources, using the `keycloak_download_url` variable; make sure the final downloaded filename matches with the source filename (ie. keycloak-legacy-x.y.zip or rh-sso-x.y.z-server-dist.zip).
 
 
 ### Example installation command
 
-Execute the following command from the source root directory 
+Execute the following command from the source root directory
 
 ```
 ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme>
-``` 
+```
 
 - `keycloak_admin_password` Password for the administration console user account.
 - `ansible_hosts` is the inventory, below is an example inventory for deploying to localhost
@@ -128,14 +103,16 @@ ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e
   localhost ansible_connection=local
   ```
 
+Note: when deploying clustered configurations, all hosts belonging to the cluster must be present in `ansible_play_batch`; ie. they must be targeted by the same ansible-playbook execution.
+
 
 ## Configuration
 
 
 ### Config Playbook
-
-[`playbooks/keycloak_realm.yml`](playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
-
+<!--start rhbk_realm_playbook -->
+[`playbooks/keycloak_realm.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
+<!--end rhbk_realm_playbook -->
 
 ### Example configuration command
 
@@ -153,13 +130,17 @@ ansible-playbook -i <ansible_hosts> playbooks/keycloak_realm.yml -e keycloak_adm
   [keycloak]
   localhost ansible_connection=local
   ```
+<!--start rhbk_realm_readme -->
+For full configuration details, refer to the [keycloak_realm role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md).
+<!--end rhbk_realm_readme -->
 
-For full configuration details, refer to the [keycloak_realm role README](roles/keycloak_realm/README.md).
+<!--start support -->
+<!--end support -->
 
 
 ## License
 
 Apache License v2.0 or later
-
+<!--start license -->
 See [LICENSE](LICENSE) to view the full text.
-
+<!--end license -->

bindep.txt

@@ -0,0 +1,9 @@
+python3-dev [compile platform:dpkg]
+python3-devel [compile platform:rpm]
+python39-devel [compile platform:centos-8 platform:rhel-8]
+git-lfs [platform:rpm platform:dpkg]
+python3-netaddr [platform:rpm platform:dpkg]
+python3-lxml [platform:rpm platform:dpkg]
+python3-jmespath [platform:rpm platform:dpkg]
+python3-requests [platform:rpm platform:dpkg]
+

changelogs/changelog.yaml

@@ -0,0 +1,721 @@
+ancestor: 0.2.6
+releases:
+  1.0.0:
+    changes:
+      release_summary: 'This is the first stable release of the ``middleware_automation.keycloak``
+        collection.
+
+        '
+    release_date: '2022-03-04'
+  1.0.1:
+    changes:
+      major_changes:
+      - Apply latest cumulative patch of RH-SSO automatically when new parameter ``keycloak_rhsso_apply_patches``
+        is ``true`` `#18 <https://github.com/ansible-middleware/keycloak/pull/18>`_
+      minor_changes:
+      - Clustered installs now perform database initialization on first node to avoid
+        locking issues `#17 <https://github.com/ansible-middleware/keycloak/pull/17>`_
+      release_summary: 'Minor enhancements, bug and documentation fixes.
+
+        '
+    release_date: '2022-03-11'
+  1.0.2:
+    changes:
+      bugfixes:
+      - 'Set ``keycloak_frontend_url`` default according to other defaults `#25 <https://github.com/ansible-middleware/keycloak/pull/25>`_
+
+        '
+      minor_changes:
+      - 'Make ``keycloak_admin_password`` a default with assert (was: role variable)
+        `#26 <https://github.com/ansible-middleware/keycloak/pull/26>`_
+
+        '
+      - 'Simplify dependency install logic and reduce play execution time `#19 <https://github.com/ansible-middleware/keycloak/pull/19>`_
+
+        '
+    fragments:
+    - 19.yaml
+    - 25.yaml
+    - 26.yaml
+    release_date: '2022-04-01'
+  1.0.3:
+    changes:
+      bugfixes:
+      - 'Make sure systemd unit starts with selected java JVM `#31 <https://github.com/ansible-middleware/keycloak/pull/31>`_
+
+        '
+      major_changes:
+      - 'New role for installing keycloak >= 17.0.0 (quarkus) `#29 <https://github.com/ansible-middleware/keycloak/pull/29>`_
+
+        '
+      minor_changes:
+      - 'Add ``keycloak_config_override_template`` parameter for passing a custom
+        xml config template `#30 <https://github.com/ansible-middleware/keycloak/pull/30>`_
+
+        '
+    fragments:
+    - 29.yaml
+    - 30.yaml
+    - 31.yaml
+    release_date: '2022-05-09'
+  1.0.4:
+    changes:
+      release_summary: 'Internal release, documentation or test changes only.
+
+        '
+    release_date: '2022-05-11'
+  1.0.5:
+    changes:
+      minor_changes:
+      - 'Update config options: keycloak and quarkus `#32 <https://github.com/ansible-middleware/keycloak/pull/32>`_
+
+        '
+    fragments:
+    - 32.yaml
+    release_date: '2022-05-25'
+  1.0.6:
+    changes:
+      bugfixes:
+      - 'keycloak_quarkus: add selected java to PATH in systemd unit `#34 <https://github.com/ansible-middleware/keycloak/pull/34>`_
+
+        '
+      - 'keycloak_quarkus: set logfile path correctly under keycloak home `#35 <https://github.com/ansible-middleware/keycloak/pull/35>`_
+
+        '
+    fragments:
+    - 34.yaml
+    - 35.yaml
+    release_date: '2022-06-01'
+  1.0.7:
+    changes:
+      breaking_changes:
+      - 'keycloak_quarkus: use absolute path for certificate files `#39 <https://github.com/ansible-middleware/keycloak/pull/39>`_
+
+        '
+      bugfixes:
+      - 'keycloak_quarkus: use become for tasks that will otherwise fail `#38 <https://github.com/ansible-middleware/keycloak/pull/38>`_
+
+        '
+    fragments:
+    - 38.yaml
+    - 39.yaml
+    release_date: '2022-07-06'
+  1.1.0:
+    changes:
+      breaking_changes:
+      - 'Rename variables from ``infinispan_`` prefix to ``keycloak_infinispan_``
+        `#42 <https://github.com/ansible-middleware/keycloak/pull/42>`_
+
+        '
+      bugfixes:
+      - 'keycloak_quarkus: fix /var/log/keycloak symlink to keycloak log directory
+        `#44 <https://github.com/ansible-middleware/keycloak/pull/44>`_
+
+        '
+      minor_changes:
+      - 'Update keycloak to 18.0.2 - sso to 7.6.1 `#46 <https://github.com/ansible-middleware/keycloak/pull/46>`_
+
+        '
+      - 'Variable ``keycloak_no_log`` controls ansible ``no_log`` parameter (for debugging
+        purposes) `#47 <https://github.com/ansible-middleware/keycloak/pull/47>`_
+
+        '
+      - 'Variables to override service start retries and delay `#51 <https://github.com/ansible-middleware/keycloak/pull/51>`_
+
+        '
+      - 'keycloak_quarkus: variable to enable development mode `#45 <https://github.com/ansible-middleware/keycloak/pull/45>`_
+
+        '
+    fragments:
+    - 42.yaml
+    - 44.yaml
+    - 45.yaml
+    - 46.yaml
+    - 47.yaml
+    - 51.yaml
+    release_date: '2023-01-09'
+  1.1.1:
+    changes:
+      bugfixes:
+      - 'keycloak-quarkus: fix ``cache-config-file`` path in keycloak.conf.j2 template
+        `#53 <https://github.com/ansible-middleware/keycloak/pull/53>`_
+
+        '
+    fragments:
+    - 53.yaml
+    release_date: '2023-03-07'
+  1.2.0:
+    changes:
+      major_changes:
+      - 'Provide config for multiple modcluster proxies `#60 <https://github.com/ansible-middleware/keycloak/pull/60>`_
+
+        '
+      minor_changes:
+      - 'Allow to configure TCPPING for cluster discovery `#62 <https://github.com/ansible-middleware/keycloak/pull/62>`_
+
+        '
+      - 'Drop community.general from dependencies `#61 <https://github.com/ansible-middleware/keycloak/pull/61>`_
+
+        '
+      - 'Switch middleware_automation.redhat_csp_download for middleware_automation.common
+        `#63 <https://github.com/ansible-middleware/keycloak/pull/63>`_
+
+        '
+      - 'Switch to middleware_automation.common for rh-sso patching `#64 <https://github.com/ansible-middleware/keycloak/pull/64>`_
+
+        '
+    fragments:
+    - 60.yaml
+    - 61.yaml
+    - 62.yaml
+    - 63.yaml
+    - 64.yaml
+    release_date: '2023-03-16'
+  1.2.1:
+    changes:
+      bugfixes:
+      - 'Pass attributes to realm clients `#69 <https://github.com/ansible-middleware/keycloak/pull/69>`_
+
+        '
+      minor_changes:
+      - 'Allow to setup keycloak HA cluster without remote cache store `#68 <https://github.com/ansible-middleware/keycloak/pull/68>`_
+
+        '
+    fragments:
+    - 68.yaml
+    - 69.yaml
+    release_date: '2023-04-11'
+  1.2.4:
+    changes:
+      bugfixes:
+      - 'Fix deprecation warning for ``ipaddr`` `#77 <https://github.com/ansible-middleware/keycloak/pull/77>`_
+
+        '
+      - 'Fix undefined facts when offline patching sso `#71 <https://github.com/ansible-middleware/keycloak/pull/71>`_
+
+        '
+      minor_changes:
+      - 'Add ``sqlserver`` to keycloak role jdbc configurations `#78 <https://github.com/ansible-middleware/keycloak/pull/78>`_
+
+        '
+      - 'Add configurability for XA transactions `#73 <https://github.com/ansible-middleware/keycloak/pull/73>`_
+
+        '
+    fragments:
+    - 71.yaml
+    - 73.yaml
+    - 77.yaml
+    - 78.yaml
+    release_date: '2023-05-09'
+  1.2.5:
+    changes:
+      minor_changes:
+      - 'Add configuration for database connection pool validation `#85 <https://github.com/ansible-middleware/keycloak/pull/85>`_
+
+        '
+      - 'Allow to configure administration endpoint URL `#86 <https://github.com/ansible-middleware/keycloak/pull/86>`_
+
+        '
+      - 'Allow to force backend URLs to frontend URLs `#84 <https://github.com/ansible-middleware/keycloak/pull/84>`_
+
+        '
+      - 'Introduce systemd unit restart behavior `#81 <https://github.com/ansible-middleware/keycloak/pull/81>`_
+
+        '
+    fragments:
+    - 81.yaml
+    - 84.yaml
+    - 85.yaml
+    - 86.yaml
+    release_date: '2023-05-26'
+  1.2.6:
+    changes:
+      bugfixes:
+      - 'Handle WFLYCTL0117 when background validation millis is 0 `#90 <https://github.com/ansible-middleware/keycloak/pull/90>`_
+
+        '
+      minor_changes:
+      - 'Add profile features enabling/disabling `#87 <https://github.com/ansible-middleware/keycloak/pull/87>`_
+
+        '
+      - 'Improve service restart behavior configuration `#88 <https://github.com/ansible-middleware/keycloak/pull/88>`_
+
+        '
+      - 'Update default xa_datasource_class value for mariadb jdbc configuration `#89
+        <https://github.com/ansible-middleware/keycloak/pull/89>`_
+
+        '
+    fragments:
+    - 87.yaml
+    - 88.yaml
+    - 89.yaml
+    - 90.yaml
+    release_date: '2023-06-07'
+  1.2.7:
+    changes:
+      minor_changes:
+      - 'Allow to override jgroups subnet `#93 <https://github.com/ansible-middleware/keycloak/pull/93>`_
+
+        '
+      - 'keycloak-quarkus: update keycloakx to v21.1.1 `#92 <https://github.com/ansible-middleware/keycloak/pull/92>`_
+
+        '
+    fragments:
+    - 92.yaml
+    - 93.yaml
+    release_date: '2023-06-19'
+  1.2.8:
+    changes:
+      bugfixes:
+      - 'Fix incorrect checks for ``keycloak_jgroups_subnet`` `#98 <https://github.com/ansible-middleware/keycloak/pull/98>`_
+
+        '
+      - 'Undefine ``keycloak_db_valid_conn_sql`` default `#91 <https://github.com/ansible-middleware/keycloak/pull/91>`_
+
+        '
+      - 'Update bindep.txt package python3-devel to support RHEL9 `#105 <https://github.com/ansible-middleware/keycloak/pull/105>`_
+
+        '
+      minor_changes:
+      - 'keycloak_quarkus: set openjdk 17 as default `#103 <https://github.com/ansible-middleware/keycloak/pull/103>`_
+
+        '
+      - 'keycloak_quarkus: update to version 22.0.1 `#107 <https://github.com/ansible-middleware/keycloak/pull/107>`_
+
+        '
+    fragments:
+    - 103.yaml
+    - 105.yaml
+    - 107.yaml
+    - 91.yaml
+    - 98.yaml
+    release_date: '2023-08-28'
+  1.3.0:
+    changes:
+      bugfixes:
+      - 'keycloak_quarkus: fix validation failure upon port configuration change `#113
+        <https://github.com/ansible-middleware/keycloak/pull/113>`_
+
+        '
+      major_changes:
+      - 'Run service as ``keycloak_service_user`` `#106 <https://github.com/ansible-middleware/keycloak/pull/106>`_
+
+        '
+      minor_changes:
+      - 'keycloak_quarkus: Update Keycloak to version 22.0.3 `#112 <https://github.com/ansible-middleware/keycloak/pull/112>`_
+
+        '
+      - 'keycloak_quarkus: fix admin console redirect when running locally `#111 <https://github.com/ansible-middleware/keycloak/pull/111>`_
+
+        '
+      - 'keycloak_quarkus: skip proxy config if ``keycloak_quarkus_proxy_mode`` is
+        ``none`` `#109 <https://github.com/ansible-middleware/keycloak/pull/109>`_
+
+        '
+    fragments:
+    - 106.yaml
+    - 109.yaml
+    - 111.yaml
+    - 112.yaml
+    - 113.yaml
+    release_date: '2023-09-25'
+  2.0.0:
+    changes:
+      breaking_changes:
+      - 'Add support for more http-related configs `#115 <https://github.com/ansible-middleware/keycloak/pull/115>`_
+
+        '
+      - 'Update minimum ansible-core version > 2.14 `#119 <https://github.com/ansible-middleware/keycloak/pull/119>`_
+
+        '
+      - 'keycloak_quarkus: enable config of key store and trust store `#116 <https://github.com/ansible-middleware/keycloak/pull/116>`_
+
+        '
+      minor_changes:
+      - 'Add new parameter for port offset configuration `#124 <https://github.com/ansible-middleware/keycloak/pull/124>`_
+
+        '
+      - 'Update Keycloak to version 22.0.5 `#122 <https://github.com/ansible-middleware/keycloak/pull/122>`_
+
+        '
+    fragments:
+    - 115.yaml
+    - 116.yaml
+    - 119.yaml
+    - 122.yaml
+    - 124.yaml
+    release_date: '2023-11-20'
+  2.0.1:
+    changes:
+      bugfixes:
+      - 'keycloak_quarkus: template requires lowercase boolean values `#138 <https://github.com/ansible-middleware/keycloak/pull/138>`_
+
+        '
+      minor_changes:
+      - 'keycloak_quarkus: add hostname-strict parameter `#139 <https://github.com/ansible-middleware/keycloak/pull/139>`_
+
+        '
+      - 'keycloak_quarkus: update to version 23.0.1 `#133 <https://github.com/ansible-middleware/keycloak/pull/133>`_
+
+        '
+    fragments:
+    - 133.yaml
+    - 138.yaml
+    - 139.yaml
+    release_date: '2023-12-07'
+  2.0.2:
+    changes:
+      bugfixes:
+      - 'keycloak_quarkus: Use ``keycloak_quarkus_java_opts`` `#154 <https://github.com/ansible-middleware/keycloak/pull/154>`_
+
+        '
+      - 'keycloak_quarkus: allow ports <1024 (e.g. :443) in systemd unit `#150 <https://github.com/ansible-middleware/keycloak/pull/150>`_
+
+        '
+      minor_changes:
+      - 'keycloak_quarkus: Add support for sqlserver jdbc driver `#148 <https://github.com/ansible-middleware/keycloak/pull/148>`_
+
+        '
+      - 'keycloak_quarkus: allow configuration of ``hostname-strict-backchannel``
+        `#152 <https://github.com/ansible-middleware/keycloak/pull/152>`_
+
+        '
+      - 'keycloak_quarkus: systemd restart behavior `#145 <https://github.com/ansible-middleware/keycloak/pull/145>`_
+
+        '
+    fragments:
+    - 145.yaml
+    - 148.yaml
+    - 150.yaml
+    - 152.yaml
+    - 154.yaml
+    release_date: '2024-01-17'
+  2.1.0:
+    changes:
+      breaking_changes:
+      - 'keycloak_quarkus: renamed infinispan host list configuration `#157 <https://github.com/ansible-middleware/keycloak/pull/157>`_
+
+        '
+      bugfixes:
+      - 'keycloak_quarkus: fix custom JAVA_HOME parameter name `#171 <https://github.com/ansible-middleware/keycloak/pull/171>`_
+
+        '
+      major_changes:
+      - 'Implement infinispan TCPPING discovery protocol `#159 <https://github.com/ansible-middleware/keycloak/pull/159>`_
+
+        '
+      minor_changes:
+      - 'Set enable-recovery when xa transactions are enabled `#167 <https://github.com/ansible-middleware/keycloak/pull/167>`_
+
+        '
+      - 'keycloak_quarkus: Allow configuring log rotate options in quarkus configuration
+        `#161 <https://github.com/ansible-middleware/keycloak/pull/161>`_
+
+        '
+      - 'keycloak_quarkus: ``sticky-session`` for infinispan routes `#163 <https://github.com/ansible-middleware/keycloak/pull/163>`_
+
+        '
+    fragments:
+    - 157.yaml
+    - 159.yaml
+    - 161.yaml
+    - 163.yaml
+    - 167.yaml
+    - 171.yaml
+    release_date: '2024-02-28'
+  2.1.1:
+    changes:
+      bugfixes:
+      - 'Fix permissions on controller-side downloaded artifacts `#184 <https://github.com/ansible-middleware/keycloak/pull/184>`_
+
+        '
+      - 'JVM args moved to ``JAVA_OPTS`` envvar (instead of JAVA_OPTS_APPEND) `#186
+        <https://github.com/ansible-middleware/keycloak/pull/186>`_
+
+        '
+      - 'Unrelax configuration file permissions `#191 <https://github.com/ansible-middleware/keycloak/pull/191>`_
+
+        '
+      - 'Utilize comment filter for ``ansible_managed`` annotations `#176 <https://github.com/ansible-middleware/keycloak/pull/176>`_
+
+        '
+      minor_changes:
+      - 'Add reverse ``proxy_headers`` config, supersedes ``proxy_mode`` `#187 <https://github.com/ansible-middleware/keycloak/pull/187>`_
+
+        '
+      - 'Debian/Ubuntu compatibility `#178 <https://github.com/ansible-middleware/keycloak/pull/178>`_
+
+        '
+      - 'Use ``keycloak_realm`` as default for sub-entities `#180 <https://github.com/ansible-middleware/keycloak/pull/180>`_
+
+        '
+    fragments:
+    - 176.yaml
+    - 178.yaml
+    - 180.yaml
+    - 184.yaml
+    - 186.yaml
+    - 187.yaml
+    - 191.yaml
+    release_date: '2024-04-17'
+  2.1.2:
+    changes:
+      release_summary: 'Internal release, documentation or test changes only.
+
+        '
+    release_date: '2024-04-17'
+  2.2.0:
+    changes:
+      major_changes:
+      - 'Support java keystore for configuration of sensitive options `#189 <https://github.com/ansible-middleware/keycloak/pull/189>`_
+
+        '
+      minor_changes:
+      - 'Add ``wait_for_port`` and ``wait_for_log`` systemd unit logic `#199 <https://github.com/ansible-middleware/keycloak/pull/199>`_
+
+        '
+      - 'Customize jdbc driver downloads, optional authentication `#202 <https://github.com/ansible-middleware/keycloak/pull/202>`_
+
+        '
+      - 'Keystore-based vault SPI configuration `#196 <https://github.com/ansible-middleware/keycloak/pull/196>`_
+
+        '
+      - 'New ``keycloak_quarkus_hostname_strict_https`` parameter `#195 <https://github.com/ansible-middleware/keycloak/pull/195>`_
+
+        '
+      - 'Providers config and custom providers `#201 <https://github.com/ansible-middleware/keycloak/pull/201>`_
+
+        '
+      - 'Remove administrator credentials from files once keycloak is bootstrapped
+        `#197 <https://github.com/ansible-middleware/keycloak/pull/197>`_
+
+        '
+      - 'Update keycloak to 24.0 `#194 <https://github.com/ansible-middleware/keycloak/pull/194>`_
+
+        '
+    fragments:
+    - 189.yaml
+    - 194.yaml
+    - 195.yaml
+    - 196.yaml
+    - 197.yaml
+    - 199.yaml
+    - 201.yaml
+    - 202.yaml
+    release_date: '2024-05-01'
+  2.2.1:
+    changes:
+      bugfixes:
+      - 'JDBC provider: fix clause in argument validation `#204 <https://github.com/ansible-middleware/keycloak/pull/204>`_
+
+        '
+      release_summary: Internal release, documentation or test changes only.
+    fragments:
+    - 204.yaml
+    - v2.2.1-devel_summary.yaml
+    release_date: '2024-05-02'
+  2.2.2:
+    changes:
+      bugfixes:
+      - 'Turn off controller privilege escalation `#209 <https://github.com/ansible-middleware/keycloak/pull/209>`_
+
+        '
+      minor_changes:
+      - 'Copying of key material for TLS configuration `#210 <https://github.com/ansible-middleware/keycloak/pull/210>`_
+
+        '
+      - 'Validate certs parameter for JDBC driver downloads `#207 <https://github.com/ansible-middleware/keycloak/pull/207>`_
+
+        '
+    fragments:
+    - 207.yaml
+    - 209.yaml
+    - 210.yaml
+    release_date: '2024-05-06'
+  2.3.0:
+    changes:
+      bugfixes:
+      - '``kc.sh build`` uses configured jdk `#211 <https://github.com/ansible-middleware/keycloak/pull/211>`_
+
+        '
+      major_changes:
+      - 'Allow for custom providers hosted on maven repositories `#223 <https://github.com/ansible-middleware/keycloak/pull/223>`_
+
+        '
+      - 'Restart handler strategy behaviour `#231 <https://github.com/ansible-middleware/keycloak/pull/231>`_
+
+        '
+      minor_changes:
+      - 'Add support for policy files `#225 <https://github.com/ansible-middleware/keycloak/pull/225>`_
+
+        '
+      - 'Allow to add extra custom env vars in sysconfig file `#229 <https://github.com/ansible-middleware/keycloak/pull/229>`_
+
+        '
+      - 'Download from alternate URL with optional http authentication `#220 <https://github.com/ansible-middleware/keycloak/pull/220>`_
+
+        '
+      - 'Update Keycloak to version 24.0.4 `#218 <https://github.com/ansible-middleware/keycloak/pull/218>`_
+
+        '
+      - '``proxy-header`` enhancement `#227 <https://github.com/ansible-middleware/keycloak/pull/227>`_
+
+        '
+    fragments:
+    - 211.yaml
+    - 218.yaml
+    - 220.yaml
+    - 223.yaml
+    - 225.yaml
+    - 227.yaml
+    - 229.yaml
+    - 231.yaml
+    release_date: '2024-05-20'
+  2.4.0:
+    changes:
+      major_changes:
+      - 'Enable by default health check on restart `#234 <https://github.com/ansible-middleware/keycloak/pull/234>`_
+
+        '
+      - 'Update minimum ansible-core version > 2.15 `#232 <https://github.com/ansible-middleware/keycloak/pull/232>`_
+
+        '
+    fragments:
+    - 232.yaml
+    - 234.yaml
+    release_date: '2024-06-04'
+  2.4.1:
+    changes:
+      release_summary: Internal release, documentation or test changes only.
+    fragments:
+    - v2.4.1-devel_summary.yaml
+    release_date: '2024-07-02'
+  2.4.2:
+    changes:
+      bugfixes:
+      - 'Add wait_for_port number parameter `#237 <https://github.com/ansible-middleware/keycloak/pull/237>`_
+
+        '
+      minor_changes:
+      - 'New parameter ``keycloak_quarkus_download_path``  `#239 <https://github.com/ansible-middleware/keycloak/pull/239>`_
+
+        '
+    fragments:
+    - 237.yaml
+    - 239.yaml
+    release_date: '2024-09-26'
+  2.4.3:
+    changes:
+      minor_changes:
+      - 'Update keycloak to 24.0.5 `#241 <https://github.com/ansible-middleware/keycloak/pull/241>`_
+
+        '
+    fragments:
+    - 241.yaml
+    release_date: '2024-10-16'
+  3.0.0:
+    changes:
+      breaking_changes:
+      - 'Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_
+
+        '
+      - 'Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_
+
+        '
+      - 'Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_
+
+        '
+      bugfixes:
+      - 'Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_
+
+        '
+      - 'Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_
+
+        '
+      - 'Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_
+
+        '
+      - 'Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_
+
+        '
+      minor_changes:
+      - 'Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_
+
+        '
+      - 'keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_
+
+        '
+    fragments:
+    - 250.yaml
+    - 251.yaml
+    - 252.yaml
+    - 254.yaml
+    - 266.yaml
+    - 268.yaml
+    - 270.yaml
+    - 271.yaml
+    - 274.yaml
+    modules:
+    - description: Allows administration of Keycloak realm via Keycloak API
+      name: keycloak_realm
+      namespace: ''
+    release_date: '2025-04-23'
+  3.0.1:
+    changes:
+      bugfixes:
+      - 'Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_
+
+        '
+      minor_changes:
+      - 'Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_
+
+        '
+    fragments:
+    - 276.yaml
+    - 277.yaml
+    release_date: '2025-05-02'
+  3.0.2:
+    changes:
+      bugfixes:
+      - 'Fix ``keycloak_quarkus_force_install`` parameter being ignored by install
+        `#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_
+
+        '
+      - 'Fix alternate download location being ignored (JBossNeworkAPI always used)
+        `#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_
+
+        '
+      - 'Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_
+
+        '
+      - 'Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_
+
+        '
+      - 'keycloak_realm: federation default provider type should be a string `#302
+        <https://github.com/ansible-middleware/keycloak/pull/302>`_
+
+        '
+      minor_changes:
+      - 'New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_
+
+        '
+      - 'New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_
+
+        '
+      - 'Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_
+
+        '
+      - 'Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_
+
+        '
+    fragments:
+    - 280.yaml
+    - 281.yaml
+    - 283.yaml
+    - 285.yaml
+    - 287.yaml
+    - 289.yaml
+    - 296.yaml
+    - 298.yaml
+    - 302.yaml
+    release_date: '2025-07-01'

changelogs/config.yaml

@@ -0,0 +1,32 @@
+---
+changelog_filename_template: ../CHANGELOG.rst
+changelog_filename_version_depth: 0
+changes_file: changelog.yaml
+changes_format: combined
+ignore_other_fragment_extensions: true
+keep_fragments: false
+mention_ancestor: true
+new_plugins_after_name: removed_features
+notesdir: fragments
+prelude_section_name: release_summary
+prelude_section_title: Release Summary
+sections:
+  - - major_changes
+    - Major Changes
+  - - minor_changes
+    - Minor Changes
+  - - breaking_changes
+    - Breaking Changes / Porting Guide
+  - - deprecated_features
+    - Deprecated Features
+  - - removed_features
+    - Removed Features
+  - - security_fixes
+    - Security Fixes
+  - - bugfixes
+    - Bugfixes
+  - - known_issues
+    - Known Issues
+title: middleware_automation.keycloak
+trivial_section_name: trivial
+use_fqcn: true

changelogs/fragments/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

docs/CHANGELOG.rst

@@ -0,0 +1 @@
+../CHANGELOG.rst

docs/_gh_include/footer.inc

@@ -7,7 +7,7 @@
       </div>
       <hr/>
       <div role="contentinfo">
-        <p>&#169; Copyright 2022, Red Hat, Inc..</p>
+        <p>&#169; Copyright 2024, Red Hat, Inc.</p>
       </div>
       Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
         <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
@@ -18,4 +18,4 @@
 </section>
 </div>
 </body>
-</html>
+</html>

docs/_gh_include/header.inc

@@ -21,6 +21,20 @@
         <div class="wy-side-nav-search" >
             <a href="#" class="icon icon-home"> Keycloak Ansible Collection</a>
         </div>
+        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
+            <p class="caption" role="heading"><span class="caption-text">Middleware Automation</span></p>
+            <ul>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/infinispan/main/">Infinispan / Red Hat Data Grid</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/keycloak/main/">Keycloak / Red Hat Single Sign-On</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/wildfly/main/">Wildfly / Red Hat JBoss EAP</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/jws/main/">Tomcat / Red Hat JWS</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq/main/">ActiveMQ / Red Hat AMQ Broker</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/amq_streams/main/">Kafka / Red Hat AMQ Streams</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/common/main/">Ansible Middleware utilities</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/redhat-csp-download/main/">Red Hat CSP Download</a></li>
+              <li class="toctree-l1"><a class="reference internal" href="https://ansible-middleware.github.io/ansible_collections_jcliff/main/">JCliff</a></li>
+            </ul>
+        </div>
       </div>
     </nav>
     <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

docs/conf.py

@@ -43,6 +43,7 @@ extensions = [
     'myst_parser',
     'sphinx.ext.autodoc',
     'sphinx.ext.intersphinx',
+    'sphinx_antsibull_ext',
     'ansible_basic_sphinx_ext',
 ]
 
@@ -71,7 +72,7 @@ language = None
 exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store', '.tmp']
 
 # The name of the Pygments (syntax highlighting) style to use.
-pygments_style = 'sphinx'
+pygments_style = 'ansible'
 
 highlight_language = 'YAML+Jinja'
 

docs/index.rst

@@ -10,23 +10,25 @@ Welcome to Keycloak Collection documentation
    README
    plugins/index
    roles/index
+   Changelog <CHANGELOG>
 
 .. toctree::
    :maxdepth: 2
    :caption: Developer documentation
 
-   developing
-   testing
-   releasing
+   Developing <developing>
+   Testing <testing>
+   Releasing <releasing>
 
 .. toctree::
    :maxdepth: 2
-   :caption: General
+   :caption: Middleware collections
 
-   Changelog <CHANGELOG>
-
-Indices and tables
-==================
-
-* :ref:`genindex`
-* :ref:`search`
+   Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/main/>
+   Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/>
+   Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/main/>
+   Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/main/>
+   ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/main/>
+   Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/main/>
+   Ansible Middleware utilities <https://ansible-middleware.github.io/common/main/>
+   JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/main/>

docs/releasing.md

@@ -0,0 +1,61 @@
+# Collection Versioning Strategy
+
+Each supported collection maintained by Ansible follows Semantic Versioning 2.0.0 (https://semver.org/), for example:
+Given a version number MAJOR.MINOR.PATCH, the following is incremented:
+
+MAJOR version: when making incompatible API changes (see Feature Release scenarios below for examples)
+
+MINOR version: when adding features or functionality in a backwards compatible manner, or updating testing matrix and/or metadata (deprecation)
+
+PATCH version: when adding backwards compatible bug fixes or security fixes (strict).
+
+Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.
+
+The first version of a generally available supported collection on Ansible Automation Hub shall be version 1.0.0. NOTE: By default, all newly created collections may begin with a smaller default version of 0.1.0, and therefore a version of 1.0.0 should be explicitly stated by the collection maintainer.
+
+## New content is added to an existing collection
+
+Assuming the current release is 1.0.0, and a new module is ready to be added to the collection, the minor version would be incremented to 1.1.0. The change in the MINOR version indicates an additive change was made while maintaining backward compatibility for existing content within the collection.
+
+
+## New feature to existing plugin or role within a collection (backwards compatible)
+
+Assuming the current release is 1.0.0, and new features for an existing module are ready for release . We would increment the MINOR version to 1.1.0. The change in the MINOR version indicates an additive change was made while maintaining backward compatibility for existing content within the collection.
+
+
+## Bug fix or security fix to existing content within a collection
+
+Assuming the current release is 1.0.0 and a bug is fixed prior to the next minor release, the PATCH version would be incremented to 1.0.1. The patch indicates only a bug was fixed within a current version. The PATCH release does not contain new content, nor was functionality removed. Bug fixes may be included in a MINOR or MAJOR feature release if the timing allows, eliminating the need for a PATCH dedicated to the fix.
+
+
+## Breaking change to any content within a collection
+
+Assuming the current release is 1.0.0, and a breaking change (API or module) is introduced for a user or developer. The MAJOR version would be incremented to 2.0.0.
+
+Examples of breaking changes within a collection may include but are not limited to:
+
+ - Argspec changes for a module that require either inventory structure or playbook changes.
+ - A change in the shape of either the inbound or returned payload of a filter plugin.
+ - Changes to a connection plugin that require additional inventory parameters or ansible.cfg entries.
+ - New functionality added to a module that changes the outcome of that module as released in previous versions.
+ - The removal of plugins from a collection.
+
+
+## Content removed from a collection
+
+Deleting a module or API is a breaking change. Please see the 'Breaking change' section for how to version this.
+
+
+## A typographical error was fixed in the documentation for a collection
+
+A correction to the README would be considered a bug fix and the PATCH incremented. See 'Bug fix' above.
+
+
+## Documentation added/removed/modified within a collection
+
+Only the PATCH version should be increased for a release that contains changes limited to revised documentation.
+
+
+## Release automation
+
+New releases are triggered by annotated git tags named after semantic versioning. The automation publishes the built artifacts to ansible-galaxy and github releases page.

docs/requirements.txt

@@ -1,5 +1,8 @@
 antsibull>=0.17.0
-ansible-base>=2.10.12
+antsibull-docs
+antsibull-changelog
+ansible-core>=2.16.0
+ansible-pygments
 sphinx-rtd-theme
 git+https://github.com/felixfontein/ansible-basic-sphinx-ext
 myst-parser

docs/roles.rst.template

@@ -1,3 +1,4 @@
 Role Index
 ==========
 
+.. toctree::

docs/testing.md

@@ -0,0 +1,23 @@
+# Testing
+
+## Continuous integration
+
+The collection is tested with a [molecule](https://github.com/ansible-community/molecule) setup covering the included roles and verifying correct installation and idempotency.
+In order to run the molecule tests locally with python 3.9 available, after cloning the repository:
+The test scenarios are available on the source code repository each on his own subdirectory under [molecule/](https://github.com/ansible-middleware/keycloak/molecule).
+
+
+## Test playbooks
+
+Sample playbooks are provided in the `playbooks/` directory; to run the playbooks locally (requires a rhel system with python 3.9+, ansible, and systemd) the steps are as follows:
+
+```
+# setup environment as in developing
+# create inventory for localhost
+cat << EOF > inventory
+[keycloak]
+localhost ansible_connection=local
+EOF
+# run the playbook
+ansible-playbook -i inventory playbooks/keycloak.yml
+```

galaxy.yml

@@ -1,27 +1,46 @@
+---
 namespace: middleware_automation
 name: keycloak
-version: "0.2.5"
+version: "3.0.3"
 readme: README.md
 authors:
   - Romain Pelisse <rpelisse@redhat.com>
   - Guido Grazioli <ggraziol@redhat.com>
   - Pavan Kumar Motaparthi <pmotapar@redhat.com>
+  - Helmut Wolf <hwo@world-direct.at>
 description: Install and configure a keycloak, or Red Hat Single Sign-on, service.
 license_file: "LICENSE"
 tags:
   - keycloak
   - redhat
   - rhel
-  - rhn
   - sso
-  - single sign-on
+  - openid
+  - application
+  - identity
   - security
   - infrastructure
   - authentication
+  - java
+  - runtimes
+  - middleware
+  - a4mw
 dependencies:
-  "middleware_automation.redhat_csp_download": ">=1.2.1"
-  "middleware_automation.wildfly": ">=0.0.6"
+  "middleware_automation.common": ">=1.2.1"
+  "ansible.posix": ">=1.4.0"
 repository: https://github.com/ansible-middleware/keycloak
 documentation: https://ansible-middleware.github.io/keycloak
 homepage: https://github.com/ansible-middleware/keycloak
 issues: https://github.com/ansible-middleware/keycloak/issues
+build_ignore:
+  - .gitignore
+  - .github
+  - .yamllint
+  - '*.tar.gz'
+  - '*.zip'
+  - molecule
+  - changelogs
+  - docs/_gh_include
+  - docs/conf.py
+  - docs/roles.rst.template
+  - docs/requirements.yml

meta/execution-environment.yml

@@ -0,0 +1,11 @@
+---
+version: 1
+build_arg_defaults:
+  EE_BASE_IMAGE: 'quay.io/ansible/ansible-runner:stable-2.12-devel'
+dependencies:
+  galaxy: requirements.yml
+  python: requirements.txt
+  system: bindep.txt
+additional_build_steps:
+  append:
+    - RUN alternatives --set python /usr/bin/python3

meta/runtime.yml

@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.9.10"
+requires_ansible: ">=2.16.0"

molecule/debian/converge.yml

@@ -0,0 +1,44 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_quarkus_hostname: http://instance:8080
+    keycloak_quarkus_log: file
+    keycloak_quarkus_start_dev: true
+    keycloak_quarkus_proxy_mode: none
+  roles:
+    - role: keycloak_quarkus
+    - role: keycloak_realm
+      keycloak_url: "{{ keycloak_quarkus_hostname }}"
+      keycloak_context: ''
+      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
+      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
+      keycloak_client_users:
+        - username: TestUser
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+        - username: TestAdmin
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+            - client: TestClient
+              role: TestRoleAdmin
+              realm: "{{ keycloak_realm }}"
+      keycloak_realm: TestRealm
+      keycloak_clients:
+        - name: TestClient
+          realm: "{{ keycloak_realm }}"
+          public_client: "{{ keycloak_client_public }}"
+          web_origins: "{{ keycloak_client_web_origins }}"
+          users: "{{ keycloak_client_users }}"
+          client_id: TestClient
+          attributes:
+            post.logout.redirect.uris: '/public/logout'

molecule/debian/molecule.yml

@@ -0,0 +1,48 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: ghcr.io/hspaans/molecule-containers:debian-13
+    pre_build_image: true
+    privileged: true
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "8009/tcp"
+    cgroupns_mode: host
+    command: "/lib/systemd/systemd"
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: /usr/bin/python3
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+    ANSIBLE_REMOTE_TMP: /tmp/.ansible/tmp
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/debian/prepare.yml

@@ -0,0 +1,11 @@
+---
+- name: Prepare
+  hosts: all
+  gather_facts: yes
+  tasks:
+    - name: Install sudo
+      ansible.builtin.apt:
+        name:
+          - sudo
+          - openjdk-21-jdk-headless
+          - iproute2

molecule/debian/roles

@@ -0,0 +1 @@
+../../roles

molecule/debian/verify.yml

@@ -0,0 +1,40 @@
+---
+- name: Verify
+  hosts: all
+  vars:
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
+    keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
+    keycloak_jboss_port_offset: 10
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+
+    - name: Verify openid config
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.shell: |
+            set -o pipefail
+            curl http://localhost:8080/realms/master/.well-known/openid-configuration -k | jq .
+          args:
+            executable: /bin/bash
+          delegate_to: localhost
+          register: openid_config
+          changed_when: False
+        - name: Verify endpoint URLs
+          ansible.builtin.assert:
+            that:
+              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'http://localhost:8080/realms/master/protocol/openid-connect/ext/ciba/auth'
+              - (openid_config.stdout | from_json)['issuer'] == 'http://localhost:8080/realms/master'
+              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/auth'
+              - (openid_config.stdout | from_json)['token_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/token'
+          delegate_to: localhost
+      when:
+        - hera_home is defined
+        - hera_home | length == 0

molecule/default/converge.yml

@@ -1,43 +1,47 @@
 ---
 - name: Converge
   hosts: all
-  vars: 
-  tasks:
-    - name: Include keycloak role
-      include_role:
-        name: ../../roles/keycloak
-      vars:
-        keycloak_admin_password: "changeme"
-    - name: Keycloak Realm Role
-      include_role:
-        name: ../../roles/keycloak_realm
-      vars:
-        keycloak_admin_password: "changeme"
-        keycloak_client_default_roles:
-          - TestRoleAdmin
-          - TestRoleUser
-        keycloak_client_users:
-          - username: TestUser
-            password: password
-            client_roles:
-              - client: TestClient
-                role: TestRoleUser
-                realm: "{{ keycloak_realm }}"
-          - username: TestAdmin
-            password: password
-            client_roles:
-              - client: TestClient
-                role: TestRoleUser
-                realm: "{{ keycloak_realm }}"
-              - client: TestClient
-                role: TestRoleAdmin
-                realm: "{{ keycloak_realm }}"
-        keycloak_realm: TestRealm
-        keycloak_clients:
-          - name: TestClient
-            roles: "{{ keycloak_client_default_roles }}"
-            realm: "{{ keycloak_realm }}"
-            public_client: "{{ keycloak_client_public }}"
-            web_origins: "{{ keycloak_client_web_origins }}"
-            users: "{{ keycloak_client_users }}"
-            client_id: TestClient
+  vars:
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_quarkus_hostname: http://instance:8080
+    keycloak_quarkus_log: file
+    keycloak_quarkus_log_level: debug
+    keycloak_quarkus_log_target: /tmp/keycloak
+    keycloak_quarkus_start_dev: true
+    keycloak_quarkus_proxy_mode: none
+    keycloak_quarkus_offline_install: true
+    keycloak_quarkus_download_path: /tmp/keycloak/
+    keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m "
+  roles:
+    - role: keycloak_quarkus
+    - role: keycloak_realm
+      keycloak_url: "{{ keycloak_quarkus_hostname }}"
+      keycloak_context: ''
+      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
+      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
+      keycloak_client_users:
+        - username: TestUser
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+        - username: TestAdmin
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+            - client: TestClient
+              role: TestRoleAdmin
+              realm: "{{ keycloak_realm }}"
+      keycloak_realm: TestRealm
+      keycloak_clients:
+        - name: TestClient
+          realm: "{{ keycloak_realm }}"
+          public_client: "{{ keycloak_client_public }}"
+          web_origins: "{{ keycloak_client_web_origins }}"
+          users: "{{ keycloak_client_users }}"
+          client_id: TestClient

molecule/default/molecule.yml

@@ -1,22 +1,17 @@
 ---
-dependency:
-  name: shell
-  command: ansible-galaxy collection install -r molecule/default/requirements.yml -p $HOME/.ansible/collections --force-with-deps
 driver:
-  name: docker
-lint: |
-  ansible-lint --version
-  ansible-lint -v
+  name: podman
 platforms:
   - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
     pre_build_image: true
     privileged: true
     command: "/usr/sbin/init"
     port_bindings:
       - "8080/tcp"
       - "8443/tcp"
-      - "8009/tcp"      
+      - "8009/tcp"
+      - "9000/tcp"
 provisioner:
   name: ansible
   config_options:
@@ -33,16 +28,15 @@ provisioner:
       localhost:
         ansible_python_interpreter: "{{ ansible_playbook_python }}"
   env:
-    ANSIBLE_FORCE_COLOR: "true"        
+    ANSIBLE_FORCE_COLOR: "true"
+    PROXY: "${PROXY}"
+    NO_PROXY: "${NO_PROXY}"
 verifier:
   name: ansible
 scenario:
   test_sequence:
-    - dependency
-    - lint
     - cleanup
     - destroy
-    - syntax
     - create
     - prepare
     - converge

molecule/default/prepare.yml

@@ -1,12 +1,25 @@
 ---
 - name: Prepare
   hosts: all
+  gather_facts: yes
+  vars:
+    sudo_pkg_name: sudo
   tasks:
-    - name: Disable beta repos
-      command: yum config-manager --disable '*beta*'
-      ignore_errors: yes
+    - name: "Run preparation common to all scenario"
+      ansible.builtin.include_tasks: ../prepare.yml
 
-    - name: Install sudo
-      yum:
-        name: sudo
-        state: present
+    - name: Create controller directory for downloads
+      ansible.builtin.file: # noqa risky-file-permissions delegated, uses controller host user
+        path: /tmp/keycloak
+        state: directory
+        mode: '0750'
+      delegate_to: localhost
+      run_once: true
+
+    - name: Download keycloak archive to controller directory
+      ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
+        url: https://github.com/keycloak/keycloak/releases/download/26.3.0/keycloak-26.3.0.zip
+        dest: /tmp/keycloak
+        mode: '0640'
+      delegate_to: localhost
+      run_once: true

molecule/default/requirements.yml

@@ -1,10 +0,0 @@
----
-collections:
-  - name: middleware_automation.redhat_csp_download
-    version: ">=1.2.1"
-  - name: middleware_automation.wildfly
-    version: ">=0.0.5"
-  - name: community.general
-  - name: community.docker
-    version: ">=1.9.1"
-    

molecule/default/roles

@@ -0,0 +1 @@
+../../roles

molecule/default/verify.yml

@@ -1,10 +1,25 @@
 ---
 - name: Verify
   hosts: all
+  vars:
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_uri: "http://localhost:8080"
   tasks:
     - name: Populate service facts
       ansible.builtin.service_facts:
     - name: Check if keycloak service started
-      assert:
+      ansible.builtin.assert:
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+    - name: Verify token api call
+      ansible.builtin.uri:
+        url: "{{ keycloak_uri }}/realms/master/protocol/openid-connect/token"
+        method: POST
+        body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_user }}&grant_type=password"
+        validate_certs: no
+      register: keycloak_auth_response
+      until: keycloak_auth_response.status == 200
+      retries: 2
+      delay: 2

molecule/https_revproxy/converge.yml

@@ -0,0 +1,16 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_quarkus_hostname: https://proxy
+    keycloak_quarkus_log: file
+    keycloak_quarkus_http_enabled: True
+    keycloak_quarkus_http_port: 8080
+    keycloak_quarkus_proxy_mode: edge
+    keycloak_quarkus_http_relative_path: /
+    keycloak_quarkus_health_check_url: http://proxy:8080/realms/master/.well-known/openid-configuration
+  roles:
+    - role: keycloak_quarkus

molecule/https_revproxy/molecule.yml

@@ -0,0 +1,57 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    networks:
+      - name: keycloak
+    port_bindings:
+      - "8080/tcp"
+    published_ports:
+      - 0.0.0.0:8080:8080/tcp
+  - name: proxy
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    networks:
+      - name: keycloak
+    port_bindings:
+      - "443/tcp"
+    published_ports:
+      - 0.0.0.0:443:443/tcp
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/https_revproxy/prepare.yml

@@ -0,0 +1,49 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Install sudo
+      ansible.builtin.dnf:
+        name: sudo
+        state: present
+
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+- name: Prepare proxy
+  hosts: proxy
+  vars:
+    nginx_proxy: |
+      location / {
+          proxy_set_header        Host $host;
+          proxy_set_header        X-Real-IP $remote_addr;
+          proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header        X-Forwarded-Proto $scheme;
+          proxy_pass              http://instance:8080;
+      }
+  roles:
+    - elan.simple_nginx_reverse_proxy
+  pre_tasks:
+    - name: Create certificate request
+      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=proxy'
+      delegate_to: localhost
+      changed_when: false
+    - name: Make certificate directory
+      ansible.builtin.file:
+        path: /etc/nginx/tls
+        state: directory
+        mode: 0755
+    - name: Copy certificates
+      ansible.builtin.copy:
+        src: "{{ item.name }}"
+        dest: "{{ item.dest }}"
+        mode: 0444
+      become: true
+      loop:
+        - { name: 'cert.pem', dest: '/etc/nginx/tls/certificate.crt' }
+        - { name: 'key.pem', dest: '/etc/nginx/tls/certificate.key' }
+    - name: Update CA trust
+      ansible.builtin.command: update-ca-trust
+      changed_when: false
+      become: true

molecule/https_revproxy/roles

@@ -0,0 +1 @@
+../../roles

molecule/https_revproxy/verify.yml

@@ -0,0 +1,28 @@
+---
+- name: Verify
+  hosts: instance
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+
+    - name: Verify openid config
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.uri:
+            url: http://localhost:8080/realms/master/.well-known/openid-configuration
+            validate_certs: false
+            headers:
+              Host: proxy
+          register: openid_config
+          changed_when: False
+        - name: Verify endpoint URLs
+          ansible.builtin.assert:
+            that:
+              - openid_config.json['issuer'] == 'https://proxy/realms/master'
+              - openid_config.json['authorization_endpoint'] == 'https://proxy/realms/master/protocol/openid-connect/auth'

molecule/overridexml/converge.yml

@@ -0,0 +1,11 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_config_override_template: custom.xml.j2
+    keycloak_http_port: 8081
+    keycloak_management_http_port: 19990
+    keycloak_service_runas: True
+  roles:
+    - role: keycloak

molecule/overridexml/molecule.yml

@@ -0,0 +1,45 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "8009/tcp"
+      - "9000/tcp"
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/overridexml/prepare.yml

@@ -0,0 +1,12 @@
+---
+- name: Prepare
+  hosts: all
+  gather_facts: yes
+  vars:
+    sudo_pkg_name: sudo
+  tasks:
+    - name: "Run preparation common to all scenario"
+      ansible.builtin.include_tasks: ../prepare.yml
+      vars:
+        assets:
+          - "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip"

molecule/overridexml/roles

@@ -0,0 +1 @@
+../../roles

molecule/overridexml/templates/custom.xml.j2

@@ -0,0 +1,562 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!-- this is a custom file -->
+<server xmlns="urn:jboss:domain:16.0">
+    <extensions>
+        <extension module="org.jboss.as.clustering.infinispan"/>
+        <extension module="org.jboss.as.connector"/>
+        <extension module="org.jboss.as.deployment-scanner"/>
+        <extension module="org.jboss.as.ee"/>
+        <extension module="org.jboss.as.ejb3"/>
+        <extension module="org.jboss.as.jaxrs"/>
+        <extension module="org.jboss.as.jmx"/>
+        <extension module="org.jboss.as.jpa"/>
+        <extension module="org.jboss.as.logging"/>
+        <extension module="org.jboss.as.mail"/>
+        <extension module="org.jboss.as.modcluster"/>
+        <extension module="org.jboss.as.naming"/>
+        <extension module="org.jboss.as.remoting"/>
+        <extension module="org.jboss.as.transactions"/>
+        <extension module="org.jboss.as.weld"/>
+        <extension module="org.keycloak.keycloak-server-subsystem"/>
+        <extension module="org.wildfly.extension.bean-validation"/>
+        <extension module="org.wildfly.extension.core-management"/>
+        <extension module="org.wildfly.extension.elytron"/>
+        <extension module="org.wildfly.extension.health"/>
+        <extension module="org.wildfly.extension.io"/>
+        <extension module="org.wildfly.extension.metrics"/>
+        <extension module="org.wildfly.extension.request-controller"/>
+        <extension module="org.wildfly.extension.security.manager"/>
+        <extension module="org.wildfly.extension.undertow"/>
+    </extensions>
+    <management>
+        <audit-log>
+            <formatters>
+                <json-formatter name="json-formatter"/>
+            </formatters>
+            <handlers>
+                <file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
+            </handlers>
+            <logger log-boot="true" log-read-only="false" enabled="false">
+                <handlers>
+                    <handler name="file"/>
+                </handlers>
+            </logger>
+        </audit-log>
+        <management-interfaces>
+            <http-interface http-authentication-factory="management-http-authentication">
+                <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
+                <socket-binding http="management-http"/>
+            </http-interface>
+        </management-interfaces>
+        <access-control provider="simple">
+            <role-mapping>
+                <role name="SuperUser">
+                    <include>
+                        <user name="$local"/>
+                    </include>
+                </role>
+            </role-mapping>
+        </access-control>
+    </management>
+    <profile>
+        <subsystem xmlns="urn:jboss:domain:logging:8.0">
+            <console-handler name="CONSOLE">
+                <level name="INFO"/>
+                <formatter>
+                    <named-formatter name="COLOR-PATTERN"/>
+                </formatter>
+            </console-handler>
+            <periodic-rotating-file-handler name="FILE" autoflush="true">
+                <formatter>
+                    <named-formatter name="PATTERN"/>
+                </formatter>
+                <file relative-to="jboss.server.log.dir" path="server.log"/>
+                <suffix value=".yyyy-MM-dd"/>
+                <append value="true"/>
+            </periodic-rotating-file-handler>
+            <logger category="com.arjuna">
+                <level name="WARN"/>
+            </logger>
+            <logger category="io.jaegertracing.Configuration">
+                <level name="WARN"/>
+            </logger>
+            <logger category="org.jboss.as.config">
+                <level name="DEBUG"/>
+            </logger>
+            <logger category="sun.rmi">
+                <level name="WARN"/>
+            </logger>
+            <root-logger>
+                <level name="INFO"/>
+                <handlers>
+                    <handler name="CONSOLE"/>
+                    <handler name="FILE"/>
+                </handlers>
+            </root-logger>
+            <formatter name="PATTERN">
+                <pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
+            </formatter>
+            <formatter name="COLOR-PATTERN">
+                <pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
+            </formatter>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:datasources:6.0">
+            <datasources>
+                <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
+                    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
+                    <driver>h2</driver>
+                    <security>
+                        <user-name>sa</user-name>
+                        <password>sa</password>
+                    </security>
+                </datasource>
+                <drivers>
+                    <driver name="h2" module="com.h2database.h2">
+                        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
+                    </driver>
+                </drivers>
+            </datasources>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
+            <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:ee:6.0">
+            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
+            <concurrent>
+                <context-services>
+                    <context-service name="default" jndi-name="java:jboss/ee/concurrency/context/default" use-transaction-setup-provider="true"/>
+                </context-services>
+                <managed-thread-factories>
+                    <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
+                </managed-thread-factories>
+                <managed-executor-services>
+                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
+                </managed-executor-services>
+                <managed-scheduled-executor-services>
+                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
+                </managed-scheduled-executor-services>
+            </concurrent>
+            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/KeycloakDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
+            <session-bean>
+                <stateless>
+                    <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
+                </stateless>
+                <stateful default-access-timeout="5000" cache-ref="simple" passivation-disabled-cache-ref="simple"/>
+                <singleton default-access-timeout="5000"/>
+            </session-bean>
+            <pools>
+                <bean-instance-pools>
+                    <strict-max-pool name="mdb-strict-max-pool" derive-size="from-cpu-count" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
+                    <strict-max-pool name="slsb-strict-max-pool" derive-size="from-worker-pools" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
+                </bean-instance-pools>
+            </pools>
+            <caches>
+                <cache name="simple"/>
+                <cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/>
+            </caches>
+            <passivation-stores>
+                <passivation-store name="infinispan" cache-container="ejb" max-size="10000"/>
+            </passivation-stores>
+            <async thread-pool-name="default"/>
+            <timer-service thread-pool-name="default" default-data-store="default-file-store">
+                <data-stores>
+                    <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
+                </data-stores>
+            </timer-service>
+            <remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
+                <channel-creation-options>
+                    <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
+                </channel-creation-options>
+            </remote>
+            <thread-pools>
+                <thread-pool name="default">
+                    <max-threads count="10"/>
+                    <keepalive-time time="60" unit="seconds"/>
+                </thread-pool>
+            </thread-pools>
+            <default-security-domain value="other"/>
+            <application-security-domains>
+                <application-security-domain name="other" security-domain="ApplicationDomain"/>
+            </application-security-domains>
+            <default-missing-method-permissions-deny-access value="true"/>
+            <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
+            <log-system-exceptions value="true"/>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
+            <providers>
+                <aggregate-providers name="combined-providers">
+                    <providers name="elytron"/>
+                    <providers name="openssl"/>
+                </aggregate-providers>
+                <provider-loader name="elytron" module="org.wildfly.security.elytron"/>
+                <provider-loader name="openssl" module="org.wildfly.openssl"/>
+            </providers>
+            <audit-logging>
+                <file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/>
+            </audit-logging>
+            <security-domains>
+                <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
+                    <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
+                    <realm name="local"/>
+                </security-domain>
+                <security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
+                    <realm name="ManagementRealm" role-decoder="groups-to-roles"/>
+                    <realm name="local" role-mapper="super-user-mapper"/>
+                </security-domain>
+            </security-domains>
+            <security-realms>
+                <identity-realm name="local" identity="$local"/>
+                <properties-realm name="ApplicationRealm">
+                    <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
+                    <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
+                </properties-realm>
+                <properties-realm name="ManagementRealm">
+                    <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
+                    <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
+                </properties-realm>
+            </security-realms>
+            <mappers>
+                <simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
+                    <permission-mapping>
+                        <principal name="anonymous"/>
+                        <permission-set name="default-permissions"/>
+                    </permission-mapping>
+                    <permission-mapping match-all="true">
+                        <permission-set name="login-permission"/>
+                        <permission-set name="default-permissions"/>
+                    </permission-mapping>
+                </simple-permission-mapper>
+                <constant-realm-mapper name="local" realm-name="local"/>
+                <simple-role-decoder name="groups-to-roles" attribute="groups"/>
+                <constant-role-mapper name="super-user-mapper">
+                    <role name="SuperUser"/>
+                </constant-role-mapper>
+            </mappers>
+            <permission-sets>
+                <permission-set name="login-permission">
+                    <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
+                </permission-set>
+                <permission-set name="default-permissions">
+                    <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
+                    <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
+                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
+                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
+                </permission-set>
+            </permission-sets>
+            <http>
+                <http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="DIGEST">
+                            <mechanism-realm realm-name="ManagementRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </http-authentication-factory>
+                <http-authentication-factory name="application-http-authentication" security-domain="ApplicationDomain" http-server-mechanism-factory="global">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="BASIC">
+                            <mechanism-realm realm-name="ApplicationRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </http-authentication-factory>
+                <provider-http-server-mechanism-factory name="global"/>
+            </http>
+            <sasl>
+                <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
+                        <mechanism mechanism-name="DIGEST-MD5">
+                            <mechanism-realm realm-name="ApplicationRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </sasl-authentication-factory>
+                <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
+                        <mechanism mechanism-name="DIGEST-MD5">
+                            <mechanism-realm realm-name="ManagementRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </sasl-authentication-factory>
+                <configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
+                    <properties>
+                        <property name="wildfly.sasl.local-user.default-user" value="$local"/>
+                    </properties>
+                </configurable-sasl-server-factory>
+                <mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
+                    <filters>
+                        <filter provider-name="WildFlyElytron"/>
+                    </filters>
+                </mechanism-provider-filtering-sasl-server-factory>
+                <provider-sasl-server-factory name="global"/>
+            </sasl>
+            <tls>
+                <key-stores>
+                    <key-store name="applicationKS">
+                        <credential-reference clear-text="password"/>
+                        <implementation type="JKS"/>
+                        <file path="application.keystore" relative-to="jboss.server.config.dir"/>
+                    </key-store>
+                </key-stores>
+                <key-managers>
+                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
+                        <credential-reference clear-text="password"/>
+                    </key-manager>
+                </key-managers>
+                <server-ssl-contexts>
+                    <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
+                </server-ssl-contexts>
+            </tls>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
+        <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
+            <cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
+                <local-cache name="passivation">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store passivation="true" purge="false"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
+                <local-cache name="realms">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="users">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="sessions"/>
+                <local-cache name="authenticationSessions"/>
+                <local-cache name="offlineSessions"/>
+                <local-cache name="clientSessions"/>
+                <local-cache name="offlineClientSessions"/>
+                <local-cache name="loginFailures"/>
+                <local-cache name="work"/>
+                <local-cache name="authorization">
+                    <heap-memory size="10000"/>
+                </local-cache>
+                <local-cache name="keys">
+                    <heap-memory size="1000"/>
+                    <expiration max-idle="3600000"/>
+                </local-cache>
+                <local-cache name="actionTokens">
+                    <heap-memory size="-1"/>
+                    <expiration interval="300000" max-idle="-1"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
+                <local-cache name="default">
+                    <transaction mode="BATCH"/>
+                </local-cache>
+            </cache-container>
+            <cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
+                <local-cache name="passivation">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store passivation="true" purge="false"/>
+                </local-cache>
+                <local-cache name="sso">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                </local-cache>
+                <local-cache name="routing"/>
+            </cache-container>
+            <cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
+                <local-cache name="entity">
+                    <heap-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </local-cache>
+                <local-cache name="local-query">
+                    <heap-memory size="10000"/>
+                    <expiration max-idle="100000"/>
+                </local-cache>
+                <local-cache name="timestamps"/>
+            </cache-container>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:io:3.0">
+            <worker name="default"/>
+            <buffer-pool name="default"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
+        <subsystem xmlns="urn:jboss:domain:jca:5.0">
+            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
+            <bean-validation enabled="true"/>
+            <default-workmanager>
+                <short-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </short-running-threads>
+                <long-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </long-running-threads>
+            </default-workmanager>
+            <cached-connection-manager/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jmx:1.3">
+            <expose-resolved-model/>
+            <expose-expression-model/>
+            <remoting-connector/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
+            <jpa default-extended-persistence-inheritance="DEEP"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
+            <web-context>auth</web-context>
+            <providers>
+                <provider>
+                    classpath:${jboss.home.dir}/providers/*
+                </provider>
+            </providers>
+            <master-realm-name>master</master-realm-name>
+            <scheduled-task-interval>900</scheduled-task-interval>
+            <theme>
+                <staticMaxAge>2592000</staticMaxAge>
+                <cacheThemes>true</cacheThemes>
+                <cacheTemplates>true</cacheTemplates>
+                <dir>${jboss.home.dir}/themes</dir>
+            </theme>
+            <spi name="eventsStore">
+                <provider name="jpa" enabled="true">
+                    <properties>
+                        <property name="exclude-events" value="[&quot;REFRESH_TOKEN&quot;]"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="userCache">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="userSessionPersister">
+                <default-provider>jpa</default-provider>
+            </spi>
+            <spi name="timer">
+                <default-provider>basic</default-provider>
+            </spi>
+            <spi name="connectionsHttpClient">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="connectionsJpa">
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="dataSource" value="java:jboss/datasources/KeycloakDS"/>
+                        <property name="initializeEmpty" value="true"/>
+                        <property name="migrationStrategy" value="update"/>
+                        <property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="realmCache">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="connectionsInfinispan">
+                <default-provider>default</default-provider>
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="cacheContainer" value="java:jboss/infinispan/container/keycloak"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="jta-lookup">
+                <default-provider>${keycloak.jta.lookup.provider:jboss}</default-provider>
+                <provider name="jboss" enabled="true"/>
+            </spi>
+            <spi name="publicKeyStorage">
+                <provider name="infinispan" enabled="true">
+                    <properties>
+                        <property name="minTimeBetweenRequests" value="10"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="x509cert-lookup">
+                <default-provider>${keycloak.x509cert.lookup.provider:default}</default-provider>
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="hostname">
+                <default-provider>default</default-provider>
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
+                    </properties>
+                </provider>
+            </spi>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:mail:4.0">
+            <mail-session name="default" jndi-name="java:jboss/mail/Default">
+                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
+            </mail-session>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
+        <subsystem xmlns="urn:jboss:domain:naming:2.0">
+            <remote-naming/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
+            <http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="application-sasl-authentication"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
+            <deployment-permissions>
+                <maximum-set>
+                    <permission class="java.security.AllPermission"/>
+                </maximum-set>
+            </deployment-permissions>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:transactions:6.0">
+            <core-environment node-identifier="${jboss.tx.node.id:1}">
+                <process-id>
+                    <uuid/>
+                </process-id>
+            </core-environment>
+            <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
+            <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
+            <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
+            <buffer-cache name="default"/>
+            <server name="default-server">
+                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
+                <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
+                <host name="default-host" alias="localhost">
+                    <location name="/" handler="welcome-content"/>
+                    <http-invoker http-authentication-factory="application-http-authentication"/>
+                </host>
+            </server>
+            <servlet-container name="default">
+                <jsp-config/>
+                <websockets/>
+            </servlet-container>
+            <handlers>
+                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
+            </handlers>
+            <application-security-domains>
+                <application-security-domain name="other" security-domain="ApplicationDomain"/>
+            </application-security-domains>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
+    </profile>
+    <interfaces>
+        <interface name="management">
+            <inet-address value="127.0.0.1"/>
+        </interface>
+        <interface name="public">
+            <inet-address value="127.0.0.1"/>
+        </interface>
+    </interfaces>
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+        <socket-binding name="http" port="8081"/>
+        <socket-binding name="https" port="8443"/>
+        <socket-binding name="management-http" interface="management" port="19990"/>
+        <socket-binding name="management-https" interface="management" port="19991"/>
+        <socket-binding name="txn-recovery-environment" port="4712"/>
+        <socket-binding name="txn-status-manager" port="4713"/>
+        <outbound-socket-binding name="mail-smtp">
+            <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
+        </outbound-socket-binding>
+    </socket-binding-group>
+</server>

molecule/overridexml/verify.yml

@@ -0,0 +1,32 @@
+---
+- name: Verify
+  hosts: all
+  vars:
+    keycloak_uri: "http://localhost:8081"
+    keycloak_management_port: "http://localhost:19990"
+    keycloak_admin_password: "remembertochangeme"
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+    - name: Verify we are running on requested jvm # noqa blocked_modules command-instead-of-module
+      ansible.builtin.shell: |
+        set -o pipefail
+        ps -ef | grep '/etc/alternatives/jre_1.8.0/' | grep -v grep
+      args:
+        executable: /bin/bash
+      changed_when: no
+    - name: Verify token api call
+      ansible.builtin.uri:
+        url: "{{ keycloak_uri }}/auth/realms/master/protocol/openid-connect/token"
+        method: POST
+        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
+        validate_certs: no
+      register: keycloak_auth_response
+      until: keycloak_auth_response.status == 200
+      retries: 2
+      delay: 2

molecule/prepare.yml

@@ -0,0 +1,58 @@
+---
+- name: Display Ansible version
+  ansible.builtin.debug:
+    msg: "Ansible version is  {{ ansible_version.full }}"
+
+- name: "Set package name for sudo"
+  ansible.builtin.set_fact:
+    sudo_pkg_name: sudo
+
+- name: "Ensure {{ sudo_pkg_name }} is installed (if user is root)."
+  ansible.builtin.yum:
+    name: "{{ sudo_pkg_name }}"
+    state: present
+  when:
+    - ansible_user_id == 'root'
+
+- name: Gather the package facts
+  ansible.builtin.package_facts:
+    manager: auto
+
+- name: "Check if sudo is installed."
+  ansible.builtin.assert:
+    that:
+      - sudo_pkg_name in ansible_facts.packages
+    fail_msg: "sudo is not installed on target system"
+
+- name: "Install iproute"
+  become: true
+  ansible.builtin.yum:
+    name:
+      - iproute
+    state: present
+
+- name: "Retrieve assets server from env"
+  ansible.builtin.set_fact:
+    assets_server: "{{ lookup('env', 'MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
+
+- name: "Download artefacts only if assets_server is set"
+  when:
+    - assets_server is defined
+    - assets_server | length > 0
+    - assets is defined
+    - assets | length > 0
+  block:
+    - name: "Set offline when assets server from env is defined"
+      ansible.builtin.set_fact:
+        sso_offline_install: True
+
+    - name: "Download and deploy zips from {{ assets_server }}"
+      ansible.builtin.get_url:
+        url: "{{ asset }}"
+        dest: "{{ lookup('env', 'PWD') }}"
+        validate_certs: no
+        mode: '0644'
+      delegate_to: localhost
+      loop: "{{ assets }}"
+      loop_control:
+        loop_var: asset

molecule/quarkus/converge.yml

@@ -0,0 +1,94 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_realm: TestRealm
+    keycloak_quarkus_hostname: https://instance:8443
+    keycloak_quarkus_log: file
+    keycloak_quarkus_log_level: debug # needed for the verify step
+    keycloak_quarkus_https_key_file_enabled: true
+    keycloak_quarkus_key_file_copy_enabled: true
+    keycloak_quarkus_key_content: "{{ lookup('file', 'key.pem') }}"
+    keycloak_quarkus_cert_file_copy_enabled: true
+    keycloak_quarkus_cert_file_src: cert.pem
+    keycloak_quarkus_log_target: /tmp/keycloak
+    keycloak_quarkus_ks_vault_enabled: true
+    keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
+    keycloak_quarkus_ks_vault_pass: keystorepassword
+    keycloak_quarkus_systemd_wait_for_port: true
+    keycloak_quarkus_systemd_wait_for_timeout: 20
+    keycloak_quarkus_systemd_wait_for_delay: 2
+    keycloak_quarkus_systemd_wait_for_log: true
+    keycloak_quarkus_restart_health_check: false # would fail because of self-signed cert
+    keycloak_quarkus_version: 26.3.0
+    keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx1024m"
+    keycloak_quarkus_additional_env_vars:
+      - key: KC_FEATURES_DISABLED
+        value: impersonation,kerberos
+    keycloak_quarkus_providers:
+      - id: http-client
+        spi: connections
+        default: true
+        restart: true
+        properties:
+          - key: default-connection-pool-size
+            value: 10
+      - id: spid-saml
+        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
+      - id: spid-saml-w-checksum
+        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
+        checksum: sha256:fbb50e73739d7a6d35b5bff611b1c01668b29adf6f6259624b95e466a305f377
+      - id: keycloak-kerberos-federation
+        maven:
+          repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4
+          group_id: org.keycloak
+          artifact_id: keycloak-kerberos-federation
+          version: 26.3.0 # optional
+          # username: myUser # optional
+          # password: myPAT # optional
+      # - id: my-static-theme
+      #   local_path: /tmp/my-static-theme.jar
+    keycloak_quarkus_policies:
+      - name: "cain-and-abel.txt"
+        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/cain-and-abel.txt"
+      - name: "john-the-ripper.txt"
+        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt"
+        type: password-blacklists
+  roles:
+    - role: keycloak_quarkus
+    - role: keycloak_realm
+      keycloak_url: http://instance:8080
+      keycloak_context: ''
+      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
+      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
+      keycloak_client_default_roles:
+        - TestRoleAdmin
+        - TestRoleUser
+      keycloak_client_users:
+        - username: TestUser
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+        - username: TestAdmin
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+            - client: TestClient
+              role: TestRoleAdmin
+              realm: "{{ keycloak_realm }}"
+      keycloak_realm: TestRealm
+      keycloak_clients:
+        - name: TestClient
+          roles: "{{ keycloak_client_default_roles }}"
+          realm: "{{ keycloak_realm }}"
+          public_client: "{{ keycloak_client_public }}"
+          web_origins: "{{ keycloak_client_web_origins }}"
+          users: "{{ keycloak_client_users }}"
+          client_id: TestClient

molecule/quarkus/molecule.yml

@@ -0,0 +1,50 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "8009/tcp"
+      - "9000/tcp"
+    published_ports:
+      - 0.0.0.0:8443:8443/tcp
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+    PYTHONHTTPSVERIFY: 0
+    PROXY: "${PROXY}"
+    NO_PROXY: "${NO_PROXY}"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/quarkus/prepare.yml

@@ -0,0 +1,44 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
+
+    - name: Create certificate request
+      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+      delegate_to: localhost
+      changed_when: false
+
+    - name: Create vault directory
+      become: true
+      ansible.builtin.file:
+        state: directory
+        path: "/opt/keycloak/vault"
+        mode: '0755'
+
+    - name: Make sure a jre is available (for keytool to prepare keystore)
+      delegate_to: localhost
+      ansible.builtin.package:
+        name: java-21-openjdk-headless
+        state: present
+      become: true
+      failed_when: false
+
+    - name: Create vault keystore
+      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
+      delegate_to: localhost
+      register: keytool_cmd
+      changed_when: False
+      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
+
+    - name: Copy certificates and vault
+      become: true
+      ansible.builtin.copy:
+        src: keystore.p12
+        dest: /opt/keycloak/vault/keystore.p12
+        mode: '0444'

molecule/quarkus/roles

@@ -0,0 +1 @@
+../../roles

molecule/quarkus/verify.yml

@@ -0,0 +1,128 @@
+---
+- name: Verify
+  hosts: all
+  vars:
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+        fail_msg: "Service not running"
+
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: Verify openid config
+      when:
+        - hera_home is defined
+        - hera_home | length == 0
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.shell: |
+            set -o pipefail
+            curl -H 'Host: instance' https://localhost:8443/realms/master/.well-known/openid-configuration -k | jq .
+          args:
+            executable: /bin/bash
+          delegate_to: localhost
+          register: openid_config
+          changed_when: False
+        - name: Verify endpoint URLs
+          ansible.builtin.assert:
+            that:
+              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance:8443/realms/master/protocol/openid-connect/ext/ciba/auth'
+              - (openid_config.stdout | from_json)['issuer'] == 'https://instance:8443/realms/master'
+              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/auth'
+              - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/token'
+          delegate_to: localhost
+
+    - name: Check log folder
+      ansible.builtin.stat:
+        path: /tmp/keycloak
+      register: keycloak_log_folder
+
+    - name: Check that keycloak log folder exists and is a link
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_folder.stat.exists
+          - not keycloak_log_folder.stat.isdir
+          - keycloak_log_folder.stat.islnk
+        fail_msg: "Service log symlink not correctly created"
+
+    - name: Check log file
+      become: true
+      ansible.builtin.stat:
+        path: /tmp/keycloak/keycloak.log
+      register: keycloak_log_file
+
+    - name: Check if keycloak file exists
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_file.stat.exists
+          - not keycloak_log_file.stat.isdir
+
+    - name: Check default log folder
+      become: yes
+      ansible.builtin.stat:
+        path: /var/log/keycloak
+      register: keycloak_default_log_folder
+      failed_when: false
+
+    - name: Check that default keycloak log folder doesn't exist
+      ansible.builtin.assert:
+        that:
+          - not keycloak_default_log_folder.stat.exists
+
+    - name: Verify vault SPI in logfile
+      become: true
+      ansible.builtin.shell: |
+        set -o pipefail
+        zgrep 'Configured KeystoreVaultProviderFactory with the keystore file' /opt/keycloak/keycloak-*/data/log/keycloak.log*zip
+      changed_when: false
+      failed_when: slurped_log.rc != 0
+      register: slurped_log
+
+    - name: Verify token api call
+      ansible.builtin.uri:
+        url: "https://instance:8443/realms/master/protocol/openid-connect/token"
+        method: POST
+        body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_password}}&grant_type=password"
+        validate_certs: no
+      register: keycloak_auth_response
+      until: keycloak_auth_response.status == 200
+      retries: 2
+      delay: 2
+
+    - name: "Get Clients"
+      ansible.builtin.uri:
+        url: "https://instance:8443/admin/realms/TestRealm/clients"
+        validate_certs: false
+        headers:
+          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+      register: keycloak_clients
+
+    - name: Get client uuid
+      ansible.builtin.set_fact:
+        keycloak_client_uuid: "{{ ((keycloak_clients.json | selectattr('clientId', '==', 'TestClient')) | first).id }}"
+
+    - name: "Get Client {{ keycloak_client_uuid }}"
+      ansible.builtin.uri:
+        url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}"
+        validate_certs: false
+        headers:
+          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+      register: keycloak_test_client
+
+    - name: "Get Client roles"
+      ansible.builtin.uri:
+        url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}/roles"
+        validate_certs: false
+        headers:
+          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+      register: keycloak_test_client_roles

molecule/quarkus_devmode/converge.yml

@@ -0,0 +1,50 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_realm: TestRealm
+    keycloak_quarkus_log: file
+    keycloak_quarkus_hostname: 'http://localhost:8080'
+    keycloak_quarkus_start_dev: True
+    keycloak_quarkus_proxy_mode: none
+    keycloak_quarkus_java_home: /opt/openjdk/
+    keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m"
+
+  roles:
+    - role: keycloak_quarkus
+    - role: keycloak_realm
+      keycloak_url: "{{ keycloak_quarkus_hostname }}"
+      keycloak_context: ''
+      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
+      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
+      keycloak_client_default_roles:
+        - TestRoleAdmin
+        - TestRoleUser
+      keycloak_client_users:
+        - username: TestUser
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+        - username: TestAdmin
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+            - client: TestClient
+              role: TestRoleAdmin
+              realm: "{{ keycloak_realm }}"
+      keycloak_realm: TestRealm
+      keycloak_clients:
+        - name: TestClient
+          roles: "{{ keycloak_client_default_roles }}"
+          realm: "{{ keycloak_realm }}"
+          public_client: "{{ keycloak_client_public }}"
+          web_origins: "{{ keycloak_client_web_origins }}"
+          users: "{{ keycloak_client_users }}"
+          client_id: TestClient

molecule/quarkus_devmode/molecule.yml

@@ -0,0 +1,49 @@
+---
+driver:
+  name: podman
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    port_bindings:
+      - "8080/tcp"
+      - "8009/tcp"
+      - "9000/tcp"
+    published_ports:
+      - 0.0.0.0:8080:8080/tcp
+      - 0.0.0.0:9000:9000/TCP
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+    PROXY: "${PROXY}"
+    NO_PROXY: "${NO_PROXY}"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/quarkus_devmode/prepare.yml

@@ -0,0 +1,49 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Install sudo
+      ansible.builtin.apt:
+        name:
+          - sudo
+          - openjdk-17-jdk-headless
+        state: present
+      when:
+        - ansible_facts.os_family == 'Debian'
+
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
+
+    - name: Install JDK17
+      become: yes
+      ansible.builtin.yum:
+        name:
+          - java-17-openjdk-headless
+        state: present
+      when:
+        - ansible_facts.os_family == 'RedHat'
+
+    - name: Link default logs directory
+      become: yes
+      ansible.builtin.file:
+        state: link
+        src: "{{ item }}"
+        dest: /opt/openjdk
+        force: true
+      with_fileglob:
+        - /usr/lib/jvm/java-17-openjdk*
+      when:
+        - ansible_facts.os_family == "Debian"
+
+    - name: Link default logs directory
+      ansible.builtin.file:
+        state: link
+        src: /usr/lib/jvm/jre-17-openjdk
+        dest: /opt/openjdk
+        force: true
+      when:
+        - ansible_facts.os_family == "RedHat"
+
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"

molecule/quarkus_devmode/roles

@@ -0,0 +1 @@
+../../roles

molecule/quarkus_devmode/verify.yml

@@ -0,0 +1,47 @@
+---
+- name: Verify
+  hosts: all
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+
+    - name: Verify we are running on requested JAVA_HOME # noqa blocked_modules command-instead-of-module
+      ansible.builtin.shell: |
+        set -o pipefail
+        ps -ef | grep '/opt/openjdk' | grep -v grep
+      args:
+        executable: /bin/bash
+      changed_when: False
+
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: Verify openid config
+      block:
+        - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+          ansible.builtin.shell: |
+            set -o pipefail
+            curl http://localhost:8080/realms/master/.well-known/openid-configuration -k | jq .
+          args:
+            executable: /bin/bash
+          delegate_to: localhost
+          register: openid_config
+          changed_when: False
+        - name: Verify endpoint URLs
+          ansible.builtin.assert:
+            that:
+              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'http://localhost:8080/realms/master/protocol/openid-connect/ext/ciba/auth'
+              - (openid_config.stdout | from_json)['issuer'] == 'http://localhost:8080/realms/master'
+              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/auth'
+              - (openid_config.stdout | from_json)['token_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/token'
+          delegate_to: localhost
+      when:
+        - hera_home is defined
+        - hera_home | length == 0

molecule/quarkus_ha/converge.yml

@@ -0,0 +1,29 @@
+---
+- name: Converge
+  hosts: keycloak
+  vars:
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
+    keycloak_quarkus_log: file
+    keycloak_quarkus_log_level: info
+    keycloak_quarkus_https_key_file_enabled: true
+    keycloak_quarkus_key_file_copy_enabled: true
+    keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}"
+    keycloak_quarkus_cert_file_copy_enabled: true
+    keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem"
+    keycloak_quarkus_ks_vault_enabled: true
+    keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
+    keycloak_quarkus_ks_vault_pass: keystorepassword
+    keycloak_quarkus_systemd_wait_for_port: true
+    keycloak_quarkus_systemd_wait_for_timeout: 20
+    keycloak_quarkus_systemd_wait_for_delay: 2
+    keycloak_quarkus_systemd_wait_for_log: true
+    keycloak_quarkus_ha_enabled: true
+    keycloak_quarkus_restart_strategy: restart/serial.yml
+    keycloak_quarkus_db_user: keycloak
+    keycloak_quarkus_db_pass: mysecretpass
+    keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
+  roles:
+    - role: keycloak_quarkus

molecule/quarkus_ha/molecule.yml

@@ -0,0 +1,82 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance1
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    groups:
+      - keycloak
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "9000/tcp"
+  - name: instance2
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    groups:
+      - keycloak
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "9000/tcp"
+  - name: postgres
+    image: ubuntu/postgres:14-22.04_beta
+    pre_build_image: true
+    privileged: true
+    command: postgres
+    groups:
+      - database
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "5432/tcp"
+    mounts:
+      - type: bind
+        target: /etc/postgresql/postgresql.conf
+        source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf
+    env:
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: mysecretpass
+      POSTGRES_DB: keycloak
+      POSTGRES_HOST_AUTH_METHOD: trust
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+    PYTHONHTTPSVERIFY: 0
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/quarkus_ha/postgresql/postgresql.conf

@@ -0,0 +1,750 @@
+# -----------------------------
+# PostgreSQL configuration file
+# -----------------------------
+#
+# This file consists of lines of the form:
+#
+#   name = value
+#
+# (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
+# "#" anywhere on a line.  The complete list of parameter names and allowed
+# values can be found in the PostgreSQL documentation.
+#
+# The commented-out settings shown in this file represent the default values.
+# Re-commenting a setting is NOT sufficient to revert it to the default value;
+# you need to reload the server.
+#
+# This file is read on server startup and when the server receives a SIGHUP
+# signal.  If you edit the file on a running system, you have to SIGHUP the
+# server for the changes to take effect, run "pg_ctl reload", or execute
+# "SELECT pg_reload_conf()".  Some parameters, which are marked below,
+# require a server shutdown and restart to take effect.
+#
+# Any parameter can also be given as a command-line option to the server, e.g.,
+# "postgres -c log_connections=on".  Some parameters can be changed at run time
+# with the "SET" SQL command.
+#
+# Memory units:  kB = kilobytes        Time units:  ms  = milliseconds
+#                MB = megabytes                     s   = seconds
+#                GB = gigabytes                     min = minutes
+#                TB = terabytes                     h   = hours
+#                                                   d   = days
+
+
+#------------------------------------------------------------------------------
+# FILE LOCATIONS
+#------------------------------------------------------------------------------
+
+# The default values of these variables are driven from the -D command-line
+# option or PGDATA environment variable, represented here as ConfigDir.
+
+#data_directory = 'ConfigDir'		# use data in another directory
+					# (change requires restart)
+#hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file
+					# (change requires restart)
+#ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file
+					# (change requires restart)
+
+# If external_pid_file is not explicitly set, no extra PID file is written.
+#external_pid_file = ''			# write an extra PID file
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+# - Connection Settings -
+
+listen_addresses = '*'		# what IP address(es) to listen on;
+					# comma-separated list of addresses;
+					# defaults to 'localhost'; use '*' for all
+					# (change requires restart)
+#port = 5432				# (change requires restart)
+#max_connections = 100			# (change requires restart)
+#superuser_reserved_connections = 3	# (change requires restart)
+#unix_socket_directories = '/tmp'	# comma-separated list of directories
+					# (change requires restart)
+#unix_socket_group = ''			# (change requires restart)
+#unix_socket_permissions = 0777		# begin with 0 to use octal notation
+					# (change requires restart)
+#bonjour = off				# advertise server via Bonjour
+					# (change requires restart)
+#bonjour_name = ''			# defaults to the computer name
+					# (change requires restart)
+
+# - TCP settings -
+# see "man 7 tcp" for details
+
+#tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_count = 0		# TCP_KEEPCNT;
+					# 0 selects the system default
+#tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds;
+					# 0 selects the system default
+
+# - Authentication -
+
+#authentication_timeout = 1min		# 1s-600s
+#password_encryption = md5		# md5 or scram-sha-256
+#db_user_namespace = off
+
+# GSSAPI using Kerberos
+#krb_server_keyfile = ''
+#krb_caseins_users = off
+
+# - SSL -
+
+#ssl = off
+#ssl_ca_file = ''
+#ssl_cert_file = 'server.crt'
+#ssl_crl_file = ''
+#ssl_key_file = 'server.key'
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_prefer_server_ciphers = on
+#ssl_ecdh_curve = 'prime256v1'
+#ssl_min_protocol_version = 'TLSv1'
+#ssl_max_protocol_version = ''
+#ssl_dh_params_file = ''
+#ssl_passphrase_command = ''
+#ssl_passphrase_command_supports_reload = off
+
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+# - Memory -
+
+#shared_buffers = 32MB			# min 128kB
+					# (change requires restart)
+#huge_pages = try			# on, off, or try
+					# (change requires restart)
+#temp_buffers = 8MB			# min 800kB
+#max_prepared_transactions = 0		# zero disables the feature
+					# (change requires restart)
+# Caution: it is not advisable to set max_prepared_transactions nonzero unless
+# you actively intend to use prepared transactions.
+#work_mem = 4MB				# min 64kB
+#maintenance_work_mem = 64MB		# min 1MB
+#autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem
+#max_stack_depth = 2MB			# min 100kB
+#shared_memory_type = mmap		# the default is the first option
+					# supported by the operating system:
+					#   mmap
+					#   sysv
+					#   windows
+					# (change requires restart)
+#dynamic_shared_memory_type = posix	# the default is the first option
+					# supported by the operating system:
+					#   posix
+					#   sysv
+					#   windows
+					#   mmap
+					# (change requires restart)
+
+# - Disk -
+
+#temp_file_limit = -1			# limits per-process temp file space
+					# in kB, or -1 for no limit
+
+# - Kernel Resources -
+
+#max_files_per_process = 1000		# min 25
+					# (change requires restart)
+
+# - Cost-Based Vacuum Delay -
+
+#vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables)
+#vacuum_cost_page_hit = 1		# 0-10000 credits
+#vacuum_cost_page_miss = 10		# 0-10000 credits
+#vacuum_cost_page_dirty = 20		# 0-10000 credits
+#vacuum_cost_limit = 200		# 1-10000 credits
+
+# - Background Writer -
+
+#bgwriter_delay = 200ms			# 10-10000ms between rounds
+#bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables
+#bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round
+#bgwriter_flush_after = 0		# measured in pages, 0 disables
+
+# - Asynchronous Behavior -
+
+#effective_io_concurrency = 1		# 1-1000; 0 disables prefetching
+#max_worker_processes = 8		# (change requires restart)
+#max_parallel_maintenance_workers = 2	# taken from max_parallel_workers
+#max_parallel_workers_per_gather = 2	# taken from max_parallel_workers
+#parallel_leader_participation = on
+#max_parallel_workers = 8		# maximum number of max_worker_processes that
+					# can be used in parallel operations
+#old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate
+					# (change requires restart)
+#backend_flush_after = 0		# measured in pages, 0 disables
+
+
+#------------------------------------------------------------------------------
+# WRITE-AHEAD LOG
+#------------------------------------------------------------------------------
+
+# - Settings -
+
+#wal_level = replica			# minimal, replica, or logical
+					# (change requires restart)
+#fsync = on				# flush data to disk for crash safety
+					# (turning this off can cause
+					# unrecoverable data corruption)
+#synchronous_commit = on		# synchronization level;
+					# off, local, remote_write, remote_apply, or on
+#wal_sync_method = fsync		# the default is the first option
+					# supported by the operating system:
+					#   open_datasync
+					#   fdatasync (default on Linux)
+					#   fsync
+					#   fsync_writethrough
+					#   open_sync
+#full_page_writes = on			# recover from partial page writes
+#wal_compression = off			# enable compression of full-page writes
+#wal_log_hints = off			# also do full page writes of non-critical updates
+					# (change requires restart)
+#wal_init_zero = on			# zero-fill new WAL files
+#wal_recycle = on			# recycle WAL files
+#wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
+					# (change requires restart)
+#wal_writer_delay = 200ms		# 1-10000 milliseconds
+#wal_writer_flush_after = 1MB		# measured in pages, 0 disables
+
+#commit_delay = 0			# range 0-100000, in microseconds
+#commit_siblings = 5			# range 1-1000
+
+# - Checkpoints -
+
+#checkpoint_timeout = 5min		# range 30s-1d
+#max_wal_size = 1GB
+#min_wal_size = 80MB
+#checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0
+#checkpoint_flush_after = 0		# measured in pages, 0 disables
+#checkpoint_warning = 30s		# 0 disables
+
+# - Archiving -
+
+#archive_mode = off		# enables archiving; off, on, or always
+				# (change requires restart)
+#archive_command = ''		# command to use to archive a logfile segment
+				# placeholders: %p = path of file to archive
+				#               %f = file name only
+				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
+#archive_timeout = 0		# force a logfile segment switch after this
+				# number of seconds; 0 disables
+
+# - Archive Recovery -
+
+# These are only used in recovery mode.
+
+#restore_command = ''		# command to use to restore an archived logfile segment
+				# placeholders: %p = path of file to restore
+				#               %f = file name only
+				# e.g. 'cp /mnt/server/archivedir/%f %p'
+				# (change requires restart)
+#archive_cleanup_command = ''	# command to execute at every restartpoint
+#recovery_end_command = ''	# command to execute at completion of recovery
+
+# - Recovery Target -
+
+# Set these only when performing a targeted recovery.
+
+#recovery_target = ''		# 'immediate' to end recovery as soon as a
+                                # consistent state is reached
+				# (change requires restart)
+#recovery_target_name = ''	# the named restore point to which recovery will proceed
+				# (change requires restart)
+#recovery_target_time = ''	# the time stamp up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_xid = ''	# the transaction ID up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_inclusive = on # Specifies whether to stop:
+				# just after the specified recovery target (on)
+				# just before the recovery target (off)
+				# (change requires restart)
+#recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID
+				# (change requires restart)
+#recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown'
+				# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# REPLICATION
+#------------------------------------------------------------------------------
+
+# - Sending Servers -
+
+# Set these on the master and on any standby that will send replication data.
+
+#max_wal_senders = 10		# max number of walsender processes
+				# (change requires restart)
+#wal_keep_segments = 0		# in logfile segments; 0 disables
+#wal_sender_timeout = 60s	# in milliseconds; 0 disables
+
+#max_replication_slots = 10	# max number of replication slots
+				# (change requires restart)
+#track_commit_timestamp = off	# collect timestamp of transaction commit
+				# (change requires restart)
+
+# - Master Server -
+
+# These settings are ignored on a standby server.
+
+#synchronous_standby_names = ''	# standby servers that provide sync rep
+				# method to choose sync standbys, number of sync standbys,
+				# and comma-separated list of application_name
+				# from standby(s); '*' = all
+#vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed
+
+# - Standby Servers -
+
+# These settings are ignored on a master server.
+
+#primary_conninfo = ''			# connection string to sending server
+					# (change requires restart)
+#primary_slot_name = ''			# replication slot on sending server
+					# (change requires restart)
+#promote_trigger_file = ''		# file name whose presence ends recovery
+#hot_standby = on			# "off" disallows queries during recovery
+					# (change requires restart)
+#max_standby_archive_delay = 30s	# max delay before canceling queries
+					# when reading WAL from archive;
+					# -1 allows indefinite delay
+#max_standby_streaming_delay = 30s	# max delay before canceling queries
+					# when reading streaming WAL;
+					# -1 allows indefinite delay
+#wal_receiver_status_interval = 10s	# send replies at least this often
+					# 0 disables
+#hot_standby_feedback = off		# send info from standby to prevent
+					# query conflicts
+#wal_receiver_timeout = 60s		# time that receiver waits for
+					# communication from master
+					# in milliseconds; 0 disables
+#wal_retrieve_retry_interval = 5s	# time to wait before retrying to
+					# retrieve WAL after a failed attempt
+#recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery
+
+# - Subscribers -
+
+# These settings are ignored on a publisher.
+
+#max_logical_replication_workers = 4	# taken from max_worker_processes
+					# (change requires restart)
+#max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers
+
+
+#------------------------------------------------------------------------------
+# QUERY TUNING
+#------------------------------------------------------------------------------
+
+# - Planner Method Configuration -
+
+#enable_bitmapscan = on
+#enable_hashagg = on
+#enable_hashjoin = on
+#enable_indexscan = on
+#enable_indexonlyscan = on
+#enable_material = on
+#enable_mergejoin = on
+#enable_nestloop = on
+#enable_parallel_append = on
+#enable_seqscan = on
+#enable_sort = on
+#enable_tidscan = on
+#enable_partitionwise_join = off
+#enable_partitionwise_aggregate = off
+#enable_parallel_hash = on
+#enable_partition_pruning = on
+
+# - Planner Cost Constants -
+
+#seq_page_cost = 1.0			# measured on an arbitrary scale
+#random_page_cost = 4.0			# same scale as above
+#cpu_tuple_cost = 0.01			# same scale as above
+#cpu_index_tuple_cost = 0.005		# same scale as above
+#cpu_operator_cost = 0.0025		# same scale as above
+#parallel_tuple_cost = 0.1		# same scale as above
+#parallel_setup_cost = 1000.0	# same scale as above
+
+#jit_above_cost = 100000		# perform JIT compilation if available
+					# and query more expensive than this;
+					# -1 disables
+#jit_inline_above_cost = 500000		# inline small functions if query is
+					# more expensive than this; -1 disables
+#jit_optimize_above_cost = 500000	# use expensive JIT optimizations if
+					# query is more expensive than this;
+					# -1 disables
+
+#min_parallel_table_scan_size = 8MB
+#min_parallel_index_scan_size = 512kB
+#effective_cache_size = 4GB
+
+# - Genetic Query Optimizer -
+
+#geqo = on
+#geqo_threshold = 12
+#geqo_effort = 5			# range 1-10
+#geqo_pool_size = 0			# selects default based on effort
+#geqo_generations = 0			# selects default based on effort
+#geqo_selection_bias = 2.0		# range 1.5-2.0
+#geqo_seed = 0.0			# range 0.0-1.0
+
+# - Other Planner Options -
+
+#default_statistics_target = 100	# range 1-10000
+#constraint_exclusion = partition	# on, off, or partition
+#cursor_tuple_fraction = 0.1		# range 0.0-1.0
+#from_collapse_limit = 8
+#join_collapse_limit = 8		# 1 disables collapsing of explicit
+					# JOIN clauses
+#force_parallel_mode = off
+#jit = on				# allow JIT compilation
+#plan_cache_mode = auto			# auto, force_generic_plan or
+					# force_custom_plan
+
+
+#------------------------------------------------------------------------------
+# REPORTING AND LOGGING
+#------------------------------------------------------------------------------
+
+# - Where to Log -
+
+#log_destination = 'stderr'		# Valid values are combinations of
+					# stderr, csvlog, syslog, and eventlog,
+					# depending on platform.  csvlog
+					# requires logging_collector to be on.
+
+# This is used when logging to stderr:
+#logging_collector = off		# Enable capturing of stderr and csvlog
+					# into log files. Required to be on for
+					# csvlogs.
+					# (change requires restart)
+
+# These are only used if logging_collector is on:
+#log_directory = 'log'			# directory where log files are written,
+					# can be absolute or relative to PGDATA
+#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'	# log file name pattern,
+					# can include strftime() escapes
+#log_file_mode = 0600			# creation mode for log files,
+					# begin with 0 to use octal notation
+#log_truncate_on_rotation = off		# If on, an existing log file with the
+					# same name as the new log file will be
+					# truncated rather than appended to.
+					# But such truncation only occurs on
+					# time-driven rotation, not on restarts
+					# or size-driven rotation.  Default is
+					# off, meaning append to existing files
+					# in all cases.
+#log_rotation_age = 1d			# Automatic rotation of logfiles will
+					# happen after that time.  0 disables.
+#log_rotation_size = 10MB		# Automatic rotation of logfiles will
+					# happen after that much log output.
+					# 0 disables.
+
+# These are relevant when logging to syslog:
+#syslog_facility = 'LOCAL0'
+#syslog_ident = 'postgres'
+#syslog_sequence_numbers = on
+#syslog_split_messages = on
+
+# This is only relevant when logging to eventlog (win32):
+# (change requires restart)
+#event_source = 'PostgreSQL'
+
+# - When to Log -
+
+#log_min_messages = warning		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic
+
+#log_min_error_statement = error	# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic (effectively off)
+
+#log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements
+					# and their durations, > 0 logs only
+					# statements running at least this number
+					# of milliseconds
+
+#log_transaction_sample_rate = 0.0	# Fraction of transactions whose statements
+					# are logged regardless of their duration. 1.0 logs all
+					# statements from all transactions, 0.0 never logs.
+
+# - What to Log -
+
+#debug_print_parse = off
+#debug_print_rewritten = off
+#debug_print_plan = off
+#debug_pretty_print = on
+#log_checkpoints = off
+#log_connections = off
+#log_disconnections = off
+#log_duration = off
+#log_error_verbosity = default		# terse, default, or verbose messages
+#log_hostname = off
+#log_line_prefix = '%m [%p] '		# special values:
+					#   %a = application name
+					#   %u = user name
+					#   %d = database name
+					#   %r = remote host and port
+					#   %h = remote host
+					#   %p = process ID
+					#   %t = timestamp without milliseconds
+					#   %m = timestamp with milliseconds
+					#   %n = timestamp with milliseconds (as a Unix epoch)
+					#   %i = command tag
+					#   %e = SQL state
+					#   %c = session ID
+					#   %l = session line number
+					#   %s = session start timestamp
+					#   %v = virtual transaction ID
+					#   %x = transaction ID (0 if none)
+					#   %q = stop here in non-session
+					#        processes
+					#   %% = '%'
+					# e.g. '<%u%%%d> '
+#log_lock_waits = off			# log lock waits >= deadlock_timeout
+#log_statement = 'none'			# none, ddl, mod, all
+#log_replication_commands = off
+#log_temp_files = -1			# log temporary files equal or larger
+					# than the specified size in kilobytes;
+					# -1 disables, 0 logs all temp files
+#log_timezone = 'GMT'
+
+#------------------------------------------------------------------------------
+# PROCESS TITLE
+#------------------------------------------------------------------------------
+
+#cluster_name = ''			# added to process titles if nonempty
+					# (change requires restart)
+#update_process_title = on
+
+
+#------------------------------------------------------------------------------
+# STATISTICS
+#------------------------------------------------------------------------------
+
+# - Query and Index Statistics Collector -
+
+#track_activities = on
+#track_counts = on
+#track_io_timing = off
+#track_functions = none			# none, pl, all
+#track_activity_query_size = 1024	# (change requires restart)
+#stats_temp_directory = 'pg_stat_tmp'
+
+
+# - Monitoring -
+
+#log_parser_stats = off
+#log_planner_stats = off
+#log_executor_stats = off
+#log_statement_stats = off
+
+
+#------------------------------------------------------------------------------
+# AUTOVACUUM
+#------------------------------------------------------------------------------
+
+#autovacuum = on			# Enable autovacuum subprocess?  'on'
+					# requires track_counts to also be on.
+#log_autovacuum_min_duration = -1	# -1 disables, 0 logs all actions and
+					# their durations, > 0 logs only
+					# actions running at least this number
+					# of milliseconds.
+#autovacuum_max_workers = 3		# max number of autovacuum subprocesses
+					# (change requires restart)
+#autovacuum_naptime = 1min		# time between autovacuum runs
+#autovacuum_vacuum_threshold = 50	# min number of row updates before
+					# vacuum
+#autovacuum_analyze_threshold = 50	# min number of row updates before
+					# analyze
+#autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum
+#autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze
+#autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum
+					# (change requires restart)
+#autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age
+					# before forced vacuum
+					# (change requires restart)
+#autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for
+					# autovacuum, in milliseconds;
+					# -1 means use vacuum_cost_delay
+#autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for
+					# autovacuum, -1 means use
+					# vacuum_cost_limit
+
+
+#------------------------------------------------------------------------------
+# CLIENT CONNECTION DEFAULTS
+#------------------------------------------------------------------------------
+
+# - Statement Behavior -
+
+#client_min_messages = notice		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   log
+					#   notice
+					#   warning
+					#   error
+#search_path = '"$user", public'	# schema names
+#row_security = on
+#default_tablespace = ''		# a tablespace name, '' uses the default
+#temp_tablespaces = ''			# a list of tablespace names, '' uses
+					# only default tablespace
+#default_table_access_method = 'heap'
+#check_function_bodies = on
+#default_transaction_isolation = 'read committed'
+#default_transaction_read_only = off
+#default_transaction_deferrable = off
+#session_replication_role = 'origin'
+#statement_timeout = 0			# in milliseconds, 0 is disabled
+#lock_timeout = 0			# in milliseconds, 0 is disabled
+#idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled
+#vacuum_freeze_min_age = 50000000
+#vacuum_freeze_table_age = 150000000
+#vacuum_multixact_freeze_min_age = 5000000
+#vacuum_multixact_freeze_table_age = 150000000
+#vacuum_cleanup_index_scale_factor = 0.1	# fraction of total number of tuples
+						# before index cleanup, 0 always performs
+						# index cleanup
+#bytea_output = 'hex'			# hex, escape
+#xmlbinary = 'base64'
+#xmloption = 'content'
+#gin_fuzzy_search_limit = 0
+#gin_pending_list_limit = 4MB
+
+# - Locale and Formatting -
+
+#datestyle = 'iso, mdy'
+#intervalstyle = 'postgres'
+#timezone = 'GMT'
+#timezone_abbreviations = 'Default'     # Select the set of available time zone
+					# abbreviations.  Currently, there are
+					#   Default
+					#   Australia (historical usage)
+					#   India
+					# You can create your own file in
+					# share/timezonesets/.
+#extra_float_digits = 1			# min -15, max 3; any value >0 actually
+					# selects precise output mode
+#client_encoding = sql_ascii		# actually, defaults to database
+					# encoding
+
+# These settings are initialized by initdb, but they can be changed.
+#lc_messages = 'C'			# locale for system error message
+					# strings
+#lc_monetary = 'C'			# locale for monetary formatting
+#lc_numeric = 'C'			# locale for number formatting
+#lc_time = 'C'				# locale for time formatting
+
+# default configuration for text search
+#default_text_search_config = 'pg_catalog.simple'
+
+# - Shared Library Preloading -
+
+#shared_preload_libraries = ''	# (change requires restart)
+#local_preload_libraries = ''
+#session_preload_libraries = ''
+#jit_provider = 'llvmjit'		# JIT library to use
+
+# - Other Defaults -
+
+#dynamic_library_path = '$libdir'
+
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+#deadlock_timeout = 1s
+#max_locks_per_transaction = 64		# min 10
+					# (change requires restart)
+#max_pred_locks_per_transaction = 64	# min 10
+					# (change requires restart)
+#max_pred_locks_per_relation = -2	# negative values mean
+					# (max_pred_locks_per_transaction
+					#  / -max_pred_locks_per_relation) - 1
+#max_pred_locks_per_page = 2            # min 0
+
+
+#------------------------------------------------------------------------------
+# VERSION AND PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+#array_nulls = on
+#backslash_quote = safe_encoding	# on, off, or safe_encoding
+#escape_string_warning = on
+#lo_compat_privileges = off
+#operator_precedence_warning = off
+#quote_all_identifiers = off
+#standard_conforming_strings = on
+#synchronize_seqscans = on
+
+# - Other Platforms and Clients -
+
+#transform_null_equals = off
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+#exit_on_error = off			# terminate session on any error?
+#restart_after_crash = on		# reinitialize after backend crash?
+#data_sync_retry = off			# retry or panic on failure to fsync
+					# data?
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONFIG FILE INCLUDES
+#------------------------------------------------------------------------------
+
+# These options allow settings to be loaded from files other than the
+# default postgresql.conf.  Note that these are directives, not variable
+# assignments, so they can usefully be given more than once.
+
+#include_dir = '...'			# include files ending in '.conf' from
+					# a directory, e.g., 'conf.d'
+#include_if_exists = '...'		# include file only if it exists
+#include = '...'			# include file
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add settings for extensions here

molecule/quarkus_ha/prepare.yml

@@ -0,0 +1,44 @@
+---
+- name: Prepare
+  hosts: keycloak
+  tasks:
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
+
+    - name: Create certificate request
+      ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
+      delegate_to: localhost
+      changed_when: False
+
+    - name: Create vault directory
+      become: true
+      ansible.builtin.file:
+        state: directory
+        path: "/opt/keycloak/vault"
+        mode: 0755
+
+    - name: Make sure a jre is available (for keytool to prepare keystore)
+      delegate_to: localhost
+      ansible.builtin.package:
+        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
+        state: present
+      become: true
+      failed_when: false
+
+    - name: Create vault keystore
+      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
+      delegate_to: localhost
+      register: keytool_cmd
+      changed_when: False
+      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
+
+    - name: Copy certificates and vault
+      become: true
+      ansible.builtin.copy:
+        src: keystore.p12
+        dest: /opt/keycloak/vault/keystore.p12
+        mode: 0444

molecule/quarkus_ha/roles

@@ -0,0 +1 @@
+../../roles

molecule/quarkus_ha/verify.yml

@@ -0,0 +1,29 @@
+---
+- name: Verify
+  hosts: keycloak
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+        fail_msg: "Service not running"
+
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: Check log file
+      become: true
+      ansible.builtin.stat:
+        path: /var/log/keycloak/keycloak.log
+      register: keycloak_log_file
+
+    - name: Check if keycloak file exists
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_file.stat.exists
+          - not keycloak_log_file.stat.isdir

molecule/quarkus_ha_remote/converge.yml

@@ -0,0 +1,57 @@
+---
+- name: Converge
+  hosts: infinispan
+  roles:
+    - role: middleware_automation.infinispan.infinispan
+      infinispan_service_name: infinispan
+      infinispan_supervisor_password: remembertochangeme
+      infinispan_keycloak_caches: true
+      infinispan_keycloak_persistence: False
+      infinispan_jdbc_engine: postgres
+      infinispan_jdbc_url: jdbc:postgresql://postgres:5432/keycloak
+      infinispan_jdbc_driver_version: 9.4.1212
+      infinispan_jdbc_user: keycloak
+      infinispan_jdbc_pass: mysecretpass
+      infinispan_bind_address: "{{ ansible_default_ipv4.address }}"
+      infinispan_users:
+        - { name: 'testuser', password: 'test', roles: 'observer' }
+
+- name: Converge
+  hosts: keycloak
+  vars:
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
+    keycloak_quarkus_log: file
+    keycloak_quarkus_log_level: info
+    keycloak_quarkus_https_key_file_enabled: true
+    keycloak_quarkus_key_file_copy_enabled: true
+    keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}"
+    keycloak_quarkus_cert_file_copy_enabled: true
+    keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem"
+    keycloak_quarkus_ks_vault_enabled: true
+    keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
+    keycloak_quarkus_ks_vault_pass: keystorepassword
+    keycloak_quarkus_systemd_wait_for_port: true
+    keycloak_quarkus_systemd_wait_for_timeout: 20
+    keycloak_quarkus_systemd_wait_for_delay: 2
+    keycloak_quarkus_systemd_wait_for_log: true
+    keycloak_quarkus_ha_enabled: true
+    keycloak_quarkus_restart_strategy: restart/serial.yml
+    keycloak_quarkus_db_user: keycloak
+    keycloak_quarkus_db_pass: mysecretpass
+    keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
+    keycloak_quarkus_cache_remote: true
+    keycloak_quarkus_cache_remote_username: supervisor
+    keycloak_quarkus_cache_remote_password: remembertochangeme
+    keycloak_quarkus_cache_remote_host: "infinispan1"
+    keycloak_quarkus_cache_remote_port: 11222
+    keycloak_quarkus_cache_remote_tls_enabled: false
+    keycloak_quarkus_additional_env_vars:
+      - key: KC_FEATURES
+        value: clusterless
+      - key: KC_FEATURES_DISABLED
+        value: persistent-user-sessions
+  roles:
+    - role: keycloak_quarkus

molecule/quarkus_ha_remote/molecule.yml

@@ -0,0 +1,80 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: keycloak1
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    groups:
+      - keycloak
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "9000/tcp"
+  - name: infinispan1
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    groups:
+      - infinispan
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "11222/tcp"
+  - name: postgres
+    image: ubuntu/postgres:14-22.04_beta
+    pre_build_image: true
+    privileged: true
+    command: postgres
+    groups:
+      - database
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "5432/tcp"
+    mounts:
+      - type: bind
+        target: /etc/postgresql/postgresql.conf
+        source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf
+    env:
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: mysecretpass
+      POSTGRES_DB: keycloak
+      POSTGRES_HOST_AUTH_METHOD: trust
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+    PYTHONHTTPSVERIFY: 0
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/quarkus_ha_remote/postgresql/postgresql.conf

@@ -0,0 +1,750 @@
+# -----------------------------
+# PostgreSQL configuration file
+# -----------------------------
+#
+# This file consists of lines of the form:
+#
+#   name = value
+#
+# (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
+# "#" anywhere on a line.  The complete list of parameter names and allowed
+# values can be found in the PostgreSQL documentation.
+#
+# The commented-out settings shown in this file represent the default values.
+# Re-commenting a setting is NOT sufficient to revert it to the default value;
+# you need to reload the server.
+#
+# This file is read on server startup and when the server receives a SIGHUP
+# signal.  If you edit the file on a running system, you have to SIGHUP the
+# server for the changes to take effect, run "pg_ctl reload", or execute
+# "SELECT pg_reload_conf()".  Some parameters, which are marked below,
+# require a server shutdown and restart to take effect.
+#
+# Any parameter can also be given as a command-line option to the server, e.g.,
+# "postgres -c log_connections=on".  Some parameters can be changed at run time
+# with the "SET" SQL command.
+#
+# Memory units:  kB = kilobytes        Time units:  ms  = milliseconds
+#                MB = megabytes                     s   = seconds
+#                GB = gigabytes                     min = minutes
+#                TB = terabytes                     h   = hours
+#                                                   d   = days
+
+
+#------------------------------------------------------------------------------
+# FILE LOCATIONS
+#------------------------------------------------------------------------------
+
+# The default values of these variables are driven from the -D command-line
+# option or PGDATA environment variable, represented here as ConfigDir.
+
+#data_directory = 'ConfigDir'		# use data in another directory
+					# (change requires restart)
+#hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file
+					# (change requires restart)
+#ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file
+					# (change requires restart)
+
+# If external_pid_file is not explicitly set, no extra PID file is written.
+#external_pid_file = ''			# write an extra PID file
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+# - Connection Settings -
+
+listen_addresses = '*'		# what IP address(es) to listen on;
+					# comma-separated list of addresses;
+					# defaults to 'localhost'; use '*' for all
+					# (change requires restart)
+#port = 5432				# (change requires restart)
+#max_connections = 100			# (change requires restart)
+#superuser_reserved_connections = 3	# (change requires restart)
+#unix_socket_directories = '/tmp'	# comma-separated list of directories
+					# (change requires restart)
+#unix_socket_group = ''			# (change requires restart)
+#unix_socket_permissions = 0777		# begin with 0 to use octal notation
+					# (change requires restart)
+#bonjour = off				# advertise server via Bonjour
+					# (change requires restart)
+#bonjour_name = ''			# defaults to the computer name
+					# (change requires restart)
+
+# - TCP settings -
+# see "man 7 tcp" for details
+
+#tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_count = 0		# TCP_KEEPCNT;
+					# 0 selects the system default
+#tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds;
+					# 0 selects the system default
+
+# - Authentication -
+
+#authentication_timeout = 1min		# 1s-600s
+#password_encryption = md5		# md5 or scram-sha-256
+#db_user_namespace = off
+
+# GSSAPI using Kerberos
+#krb_server_keyfile = ''
+#krb_caseins_users = off
+
+# - SSL -
+
+#ssl = off
+#ssl_ca_file = ''
+#ssl_cert_file = 'server.crt'
+#ssl_crl_file = ''
+#ssl_key_file = 'server.key'
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_prefer_server_ciphers = on
+#ssl_ecdh_curve = 'prime256v1'
+#ssl_min_protocol_version = 'TLSv1'
+#ssl_max_protocol_version = ''
+#ssl_dh_params_file = ''
+#ssl_passphrase_command = ''
+#ssl_passphrase_command_supports_reload = off
+
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+# - Memory -
+
+#shared_buffers = 32MB			# min 128kB
+					# (change requires restart)
+#huge_pages = try			# on, off, or try
+					# (change requires restart)
+#temp_buffers = 8MB			# min 800kB
+#max_prepared_transactions = 0		# zero disables the feature
+					# (change requires restart)
+# Caution: it is not advisable to set max_prepared_transactions nonzero unless
+# you actively intend to use prepared transactions.
+#work_mem = 4MB				# min 64kB
+#maintenance_work_mem = 64MB		# min 1MB
+#autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem
+#max_stack_depth = 2MB			# min 100kB
+#shared_memory_type = mmap		# the default is the first option
+					# supported by the operating system:
+					#   mmap
+					#   sysv
+					#   windows
+					# (change requires restart)
+#dynamic_shared_memory_type = posix	# the default is the first option
+					# supported by the operating system:
+					#   posix
+					#   sysv
+					#   windows
+					#   mmap
+					# (change requires restart)
+
+# - Disk -
+
+#temp_file_limit = -1			# limits per-process temp file space
+					# in kB, or -1 for no limit
+
+# - Kernel Resources -
+
+#max_files_per_process = 1000		# min 25
+					# (change requires restart)
+
+# - Cost-Based Vacuum Delay -
+
+#vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables)
+#vacuum_cost_page_hit = 1		# 0-10000 credits
+#vacuum_cost_page_miss = 10		# 0-10000 credits
+#vacuum_cost_page_dirty = 20		# 0-10000 credits
+#vacuum_cost_limit = 200		# 1-10000 credits
+
+# - Background Writer -
+
+#bgwriter_delay = 200ms			# 10-10000ms between rounds
+#bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables
+#bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round
+#bgwriter_flush_after = 0		# measured in pages, 0 disables
+
+# - Asynchronous Behavior -
+
+#effective_io_concurrency = 1		# 1-1000; 0 disables prefetching
+#max_worker_processes = 8		# (change requires restart)
+#max_parallel_maintenance_workers = 2	# taken from max_parallel_workers
+#max_parallel_workers_per_gather = 2	# taken from max_parallel_workers
+#parallel_leader_participation = on
+#max_parallel_workers = 8		# maximum number of max_worker_processes that
+					# can be used in parallel operations
+#old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate
+					# (change requires restart)
+#backend_flush_after = 0		# measured in pages, 0 disables
+
+
+#------------------------------------------------------------------------------
+# WRITE-AHEAD LOG
+#------------------------------------------------------------------------------
+
+# - Settings -
+
+#wal_level = replica			# minimal, replica, or logical
+					# (change requires restart)
+#fsync = on				# flush data to disk for crash safety
+					# (turning this off can cause
+					# unrecoverable data corruption)
+#synchronous_commit = on		# synchronization level;
+					# off, local, remote_write, remote_apply, or on
+#wal_sync_method = fsync		# the default is the first option
+					# supported by the operating system:
+					#   open_datasync
+					#   fdatasync (default on Linux)
+					#   fsync
+					#   fsync_writethrough
+					#   open_sync
+#full_page_writes = on			# recover from partial page writes
+#wal_compression = off			# enable compression of full-page writes
+#wal_log_hints = off			# also do full page writes of non-critical updates
+					# (change requires restart)
+#wal_init_zero = on			# zero-fill new WAL files
+#wal_recycle = on			# recycle WAL files
+#wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
+					# (change requires restart)
+#wal_writer_delay = 200ms		# 1-10000 milliseconds
+#wal_writer_flush_after = 1MB		# measured in pages, 0 disables
+
+#commit_delay = 0			# range 0-100000, in microseconds
+#commit_siblings = 5			# range 1-1000
+
+# - Checkpoints -
+
+#checkpoint_timeout = 5min		# range 30s-1d
+#max_wal_size = 1GB
+#min_wal_size = 80MB
+#checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0
+#checkpoint_flush_after = 0		# measured in pages, 0 disables
+#checkpoint_warning = 30s		# 0 disables
+
+# - Archiving -
+
+#archive_mode = off		# enables archiving; off, on, or always
+				# (change requires restart)
+#archive_command = ''		# command to use to archive a logfile segment
+				# placeholders: %p = path of file to archive
+				#               %f = file name only
+				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
+#archive_timeout = 0		# force a logfile segment switch after this
+				# number of seconds; 0 disables
+
+# - Archive Recovery -
+
+# These are only used in recovery mode.
+
+#restore_command = ''		# command to use to restore an archived logfile segment
+				# placeholders: %p = path of file to restore
+				#               %f = file name only
+				# e.g. 'cp /mnt/server/archivedir/%f %p'
+				# (change requires restart)
+#archive_cleanup_command = ''	# command to execute at every restartpoint
+#recovery_end_command = ''	# command to execute at completion of recovery
+
+# - Recovery Target -
+
+# Set these only when performing a targeted recovery.
+
+#recovery_target = ''		# 'immediate' to end recovery as soon as a
+                                # consistent state is reached
+				# (change requires restart)
+#recovery_target_name = ''	# the named restore point to which recovery will proceed
+				# (change requires restart)
+#recovery_target_time = ''	# the time stamp up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_xid = ''	# the transaction ID up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_inclusive = on # Specifies whether to stop:
+				# just after the specified recovery target (on)
+				# just before the recovery target (off)
+				# (change requires restart)
+#recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID
+				# (change requires restart)
+#recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown'
+				# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# REPLICATION
+#------------------------------------------------------------------------------
+
+# - Sending Servers -
+
+# Set these on the master and on any standby that will send replication data.
+
+#max_wal_senders = 10		# max number of walsender processes
+				# (change requires restart)
+#wal_keep_segments = 0		# in logfile segments; 0 disables
+#wal_sender_timeout = 60s	# in milliseconds; 0 disables
+
+#max_replication_slots = 10	# max number of replication slots
+				# (change requires restart)
+#track_commit_timestamp = off	# collect timestamp of transaction commit
+				# (change requires restart)
+
+# - Master Server -
+
+# These settings are ignored on a standby server.
+
+#synchronous_standby_names = ''	# standby servers that provide sync rep
+				# method to choose sync standbys, number of sync standbys,
+				# and comma-separated list of application_name
+				# from standby(s); '*' = all
+#vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed
+
+# - Standby Servers -
+
+# These settings are ignored on a master server.
+
+#primary_conninfo = ''			# connection string to sending server
+					# (change requires restart)
+#primary_slot_name = ''			# replication slot on sending server
+					# (change requires restart)
+#promote_trigger_file = ''		# file name whose presence ends recovery
+#hot_standby = on			# "off" disallows queries during recovery
+					# (change requires restart)
+#max_standby_archive_delay = 30s	# max delay before canceling queries
+					# when reading WAL from archive;
+					# -1 allows indefinite delay
+#max_standby_streaming_delay = 30s	# max delay before canceling queries
+					# when reading streaming WAL;
+					# -1 allows indefinite delay
+#wal_receiver_status_interval = 10s	# send replies at least this often
+					# 0 disables
+#hot_standby_feedback = off		# send info from standby to prevent
+					# query conflicts
+#wal_receiver_timeout = 60s		# time that receiver waits for
+					# communication from master
+					# in milliseconds; 0 disables
+#wal_retrieve_retry_interval = 5s	# time to wait before retrying to
+					# retrieve WAL after a failed attempt
+#recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery
+
+# - Subscribers -
+
+# These settings are ignored on a publisher.
+
+#max_logical_replication_workers = 4	# taken from max_worker_processes
+					# (change requires restart)
+#max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers
+
+
+#------------------------------------------------------------------------------
+# QUERY TUNING
+#------------------------------------------------------------------------------
+
+# - Planner Method Configuration -
+
+#enable_bitmapscan = on
+#enable_hashagg = on
+#enable_hashjoin = on
+#enable_indexscan = on
+#enable_indexonlyscan = on
+#enable_material = on
+#enable_mergejoin = on
+#enable_nestloop = on
+#enable_parallel_append = on
+#enable_seqscan = on
+#enable_sort = on
+#enable_tidscan = on
+#enable_partitionwise_join = off
+#enable_partitionwise_aggregate = off
+#enable_parallel_hash = on
+#enable_partition_pruning = on
+
+# - Planner Cost Constants -
+
+#seq_page_cost = 1.0			# measured on an arbitrary scale
+#random_page_cost = 4.0			# same scale as above
+#cpu_tuple_cost = 0.01			# same scale as above
+#cpu_index_tuple_cost = 0.005		# same scale as above
+#cpu_operator_cost = 0.0025		# same scale as above
+#parallel_tuple_cost = 0.1		# same scale as above
+#parallel_setup_cost = 1000.0	# same scale as above
+
+#jit_above_cost = 100000		# perform JIT compilation if available
+					# and query more expensive than this;
+					# -1 disables
+#jit_inline_above_cost = 500000		# inline small functions if query is
+					# more expensive than this; -1 disables
+#jit_optimize_above_cost = 500000	# use expensive JIT optimizations if
+					# query is more expensive than this;
+					# -1 disables
+
+#min_parallel_table_scan_size = 8MB
+#min_parallel_index_scan_size = 512kB
+#effective_cache_size = 4GB
+
+# - Genetic Query Optimizer -
+
+#geqo = on
+#geqo_threshold = 12
+#geqo_effort = 5			# range 1-10
+#geqo_pool_size = 0			# selects default based on effort
+#geqo_generations = 0			# selects default based on effort
+#geqo_selection_bias = 2.0		# range 1.5-2.0
+#geqo_seed = 0.0			# range 0.0-1.0
+
+# - Other Planner Options -
+
+#default_statistics_target = 100	# range 1-10000
+#constraint_exclusion = partition	# on, off, or partition
+#cursor_tuple_fraction = 0.1		# range 0.0-1.0
+#from_collapse_limit = 8
+#join_collapse_limit = 8		# 1 disables collapsing of explicit
+					# JOIN clauses
+#force_parallel_mode = off
+#jit = on				# allow JIT compilation
+#plan_cache_mode = auto			# auto, force_generic_plan or
+					# force_custom_plan
+
+
+#------------------------------------------------------------------------------
+# REPORTING AND LOGGING
+#------------------------------------------------------------------------------
+
+# - Where to Log -
+
+#log_destination = 'stderr'		# Valid values are combinations of
+					# stderr, csvlog, syslog, and eventlog,
+					# depending on platform.  csvlog
+					# requires logging_collector to be on.
+
+# This is used when logging to stderr:
+#logging_collector = off		# Enable capturing of stderr and csvlog
+					# into log files. Required to be on for
+					# csvlogs.
+					# (change requires restart)
+
+# These are only used if logging_collector is on:
+#log_directory = 'log'			# directory where log files are written,
+					# can be absolute or relative to PGDATA
+#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'	# log file name pattern,
+					# can include strftime() escapes
+#log_file_mode = 0600			# creation mode for log files,
+					# begin with 0 to use octal notation
+#log_truncate_on_rotation = off		# If on, an existing log file with the
+					# same name as the new log file will be
+					# truncated rather than appended to.
+					# But such truncation only occurs on
+					# time-driven rotation, not on restarts
+					# or size-driven rotation.  Default is
+					# off, meaning append to existing files
+					# in all cases.
+#log_rotation_age = 1d			# Automatic rotation of logfiles will
+					# happen after that time.  0 disables.
+#log_rotation_size = 10MB		# Automatic rotation of logfiles will
+					# happen after that much log output.
+					# 0 disables.
+
+# These are relevant when logging to syslog:
+#syslog_facility = 'LOCAL0'
+#syslog_ident = 'postgres'
+#syslog_sequence_numbers = on
+#syslog_split_messages = on
+
+# This is only relevant when logging to eventlog (win32):
+# (change requires restart)
+#event_source = 'PostgreSQL'
+
+# - When to Log -
+
+#log_min_messages = warning		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic
+
+#log_min_error_statement = error	# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic (effectively off)
+
+#log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements
+					# and their durations, > 0 logs only
+					# statements running at least this number
+					# of milliseconds
+
+#log_transaction_sample_rate = 0.0	# Fraction of transactions whose statements
+					# are logged regardless of their duration. 1.0 logs all
+					# statements from all transactions, 0.0 never logs.
+
+# - What to Log -
+
+#debug_print_parse = off
+#debug_print_rewritten = off
+#debug_print_plan = off
+#debug_pretty_print = on
+#log_checkpoints = off
+#log_connections = off
+#log_disconnections = off
+#log_duration = off
+#log_error_verbosity = default		# terse, default, or verbose messages
+#log_hostname = off
+#log_line_prefix = '%m [%p] '		# special values:
+					#   %a = application name
+					#   %u = user name
+					#   %d = database name
+					#   %r = remote host and port
+					#   %h = remote host
+					#   %p = process ID
+					#   %t = timestamp without milliseconds
+					#   %m = timestamp with milliseconds
+					#   %n = timestamp with milliseconds (as a Unix epoch)
+					#   %i = command tag
+					#   %e = SQL state
+					#   %c = session ID
+					#   %l = session line number
+					#   %s = session start timestamp
+					#   %v = virtual transaction ID
+					#   %x = transaction ID (0 if none)
+					#   %q = stop here in non-session
+					#        processes
+					#   %% = '%'
+					# e.g. '<%u%%%d> '
+#log_lock_waits = off			# log lock waits >= deadlock_timeout
+#log_statement = 'none'			# none, ddl, mod, all
+#log_replication_commands = off
+#log_temp_files = -1			# log temporary files equal or larger
+					# than the specified size in kilobytes;
+					# -1 disables, 0 logs all temp files
+#log_timezone = 'GMT'
+
+#------------------------------------------------------------------------------
+# PROCESS TITLE
+#------------------------------------------------------------------------------
+
+#cluster_name = ''			# added to process titles if nonempty
+					# (change requires restart)
+#update_process_title = on
+
+
+#------------------------------------------------------------------------------
+# STATISTICS
+#------------------------------------------------------------------------------
+
+# - Query and Index Statistics Collector -
+
+#track_activities = on
+#track_counts = on
+#track_io_timing = off
+#track_functions = none			# none, pl, all
+#track_activity_query_size = 1024	# (change requires restart)
+#stats_temp_directory = 'pg_stat_tmp'
+
+
+# - Monitoring -
+
+#log_parser_stats = off
+#log_planner_stats = off
+#log_executor_stats = off
+#log_statement_stats = off
+
+
+#------------------------------------------------------------------------------
+# AUTOVACUUM
+#------------------------------------------------------------------------------
+
+#autovacuum = on			# Enable autovacuum subprocess?  'on'
+					# requires track_counts to also be on.
+#log_autovacuum_min_duration = -1	# -1 disables, 0 logs all actions and
+					# their durations, > 0 logs only
+					# actions running at least this number
+					# of milliseconds.
+#autovacuum_max_workers = 3		# max number of autovacuum subprocesses
+					# (change requires restart)
+#autovacuum_naptime = 1min		# time between autovacuum runs
+#autovacuum_vacuum_threshold = 50	# min number of row updates before
+					# vacuum
+#autovacuum_analyze_threshold = 50	# min number of row updates before
+					# analyze
+#autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum
+#autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze
+#autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum
+					# (change requires restart)
+#autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age
+					# before forced vacuum
+					# (change requires restart)
+#autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for
+					# autovacuum, in milliseconds;
+					# -1 means use vacuum_cost_delay
+#autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for
+					# autovacuum, -1 means use
+					# vacuum_cost_limit
+
+
+#------------------------------------------------------------------------------
+# CLIENT CONNECTION DEFAULTS
+#------------------------------------------------------------------------------
+
+# - Statement Behavior -
+
+#client_min_messages = notice		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   log
+					#   notice
+					#   warning
+					#   error
+#search_path = '"$user", public'	# schema names
+#row_security = on
+#default_tablespace = ''		# a tablespace name, '' uses the default
+#temp_tablespaces = ''			# a list of tablespace names, '' uses
+					# only default tablespace
+#default_table_access_method = 'heap'
+#check_function_bodies = on
+#default_transaction_isolation = 'read committed'
+#default_transaction_read_only = off
+#default_transaction_deferrable = off
+#session_replication_role = 'origin'
+#statement_timeout = 0			# in milliseconds, 0 is disabled
+#lock_timeout = 0			# in milliseconds, 0 is disabled
+#idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled
+#vacuum_freeze_min_age = 50000000
+#vacuum_freeze_table_age = 150000000
+#vacuum_multixact_freeze_min_age = 5000000
+#vacuum_multixact_freeze_table_age = 150000000
+#vacuum_cleanup_index_scale_factor = 0.1	# fraction of total number of tuples
+						# before index cleanup, 0 always performs
+						# index cleanup
+#bytea_output = 'hex'			# hex, escape
+#xmlbinary = 'base64'
+#xmloption = 'content'
+#gin_fuzzy_search_limit = 0
+#gin_pending_list_limit = 4MB
+
+# - Locale and Formatting -
+
+#datestyle = 'iso, mdy'
+#intervalstyle = 'postgres'
+#timezone = 'GMT'
+#timezone_abbreviations = 'Default'     # Select the set of available time zone
+					# abbreviations.  Currently, there are
+					#   Default
+					#   Australia (historical usage)
+					#   India
+					# You can create your own file in
+					# share/timezonesets/.
+#extra_float_digits = 1			# min -15, max 3; any value >0 actually
+					# selects precise output mode
+#client_encoding = sql_ascii		# actually, defaults to database
+					# encoding
+
+# These settings are initialized by initdb, but they can be changed.
+#lc_messages = 'C'			# locale for system error message
+					# strings
+#lc_monetary = 'C'			# locale for monetary formatting
+#lc_numeric = 'C'			# locale for number formatting
+#lc_time = 'C'				# locale for time formatting
+
+# default configuration for text search
+#default_text_search_config = 'pg_catalog.simple'
+
+# - Shared Library Preloading -
+
+#shared_preload_libraries = ''	# (change requires restart)
+#local_preload_libraries = ''
+#session_preload_libraries = ''
+#jit_provider = 'llvmjit'		# JIT library to use
+
+# - Other Defaults -
+
+#dynamic_library_path = '$libdir'
+
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+#deadlock_timeout = 1s
+#max_locks_per_transaction = 64		# min 10
+					# (change requires restart)
+#max_pred_locks_per_transaction = 64	# min 10
+					# (change requires restart)
+#max_pred_locks_per_relation = -2	# negative values mean
+					# (max_pred_locks_per_transaction
+					#  / -max_pred_locks_per_relation) - 1
+#max_pred_locks_per_page = 2            # min 0
+
+
+#------------------------------------------------------------------------------
+# VERSION AND PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+#array_nulls = on
+#backslash_quote = safe_encoding	# on, off, or safe_encoding
+#escape_string_warning = on
+#lo_compat_privileges = off
+#operator_precedence_warning = off
+#quote_all_identifiers = off
+#standard_conforming_strings = on
+#synchronize_seqscans = on
+
+# - Other Platforms and Clients -
+
+#transform_null_equals = off
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+#exit_on_error = off			# terminate session on any error?
+#restart_after_crash = on		# reinitialize after backend crash?
+#data_sync_retry = off			# retry or panic on failure to fsync
+					# data?
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONFIG FILE INCLUDES
+#------------------------------------------------------------------------------
+
+# These options allow settings to be loaded from files other than the
+# default postgresql.conf.  Note that these are directives, not variable
+# assignments, so they can usefully be given more than once.
+
+#include_dir = '...'			# include files ending in '.conf' from
+					# a directory, e.g., 'conf.d'
+#include_if_exists = '...'		# include file only if it exists
+#include = '...'			# include file
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add settings for extensions here

molecule/quarkus_ha_remote/prepare.yml

@@ -0,0 +1,44 @@
+---
+- name: Prepare
+  hosts: 'keycloak:infinispan'
+  tasks:
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
+
+    - name: Create certificate request
+      ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
+      delegate_to: localhost
+      changed_when: False
+
+    - name: Create vault directory
+      become: true
+      ansible.builtin.file:
+        state: directory
+        path: "/opt/keycloak/vault"
+        mode: 0755
+
+    - name: Make sure a jre is available (for keytool to prepare keystore)
+      delegate_to: localhost
+      ansible.builtin.package:
+        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
+        state: present
+      become: true
+      failed_when: false
+
+    - name: Create vault keystore
+      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
+      delegate_to: localhost
+      register: keytool_cmd
+      changed_when: False
+      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
+
+    - name: Copy certificates and vault
+      become: true
+      ansible.builtin.copy:
+        src: keystore.p12
+        dest: /opt/keycloak/vault/keystore.p12
+        mode: 0444

molecule/quarkus_ha_remote/roles

@@ -0,0 +1 @@
+../../roles

molecule/quarkus_ha_remote/verify.yml

@@ -0,0 +1,29 @@
+---
+- name: Verify
+  hosts: keycloak
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+        fail_msg: "Service not running"
+
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: Check log file
+      become: true
+      ansible.builtin.stat:
+        path: /var/log/keycloak/keycloak.log
+      register: keycloak_log_file
+
+    - name: Check if keycloak file exists
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_file.stat.exists
+          - not keycloak_log_file.stat.isdir

molecule/quarkus_upgrade/converge.yml

@@ -0,0 +1,13 @@
+---
+- name: Converge
+  hosts: all
+  vars_files:
+    - vars.yml
+  vars:
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_additional_env_vars:
+      - key: KC_FEATURES_DISABLED
+        value: ciba,device-flow,impersonation,kerberos,docker
+    keycloak_quarkus_version: 26.0.7
+  roles:
+    - role: keycloak_quarkus

molecule/quarkus_upgrade/molecule.yml

@@ -0,0 +1,49 @@
+---
+dependency:
+  name: galaxy
+  options:
+    requirements-file: molecule/requirements.yml
+driver:
+  name: podman
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    command: "/usr/sbin/init"
+    pre_build_image: true
+    privileged: true
+    port_bindings:
+      - 8080:8080
+      - "9000/tcp"
+    published_ports:
+      - 0.0.0.0:8080:8080/TCP
+      - 0.0.0.0:9000:9000/TCP
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+    PROXY: "${PROXY}"
+    NO_PROXY: "${NO_PROXY}"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - dependency
+    - cleanup
+    - destroy
+    - syntax
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/quarkus_upgrade/prepare.yml

@@ -0,0 +1,56 @@
+---
+- name: Prepare
+  hosts: all
+  vars_files:
+    - vars.yml
+  vars:
+    sudo_pkg_name: sudo
+    keycloak_quarkus_version: 26.0.4
+    keycloak_quarkus_additional_env_vars:
+      - key: KC_FEATURES_DISABLED
+        value: impersonation,kerberos
+  pre_tasks:
+    - name: Install sudo
+      ansible.builtin.apt:
+        name:
+          - sudo
+          - openjdk-17-jdk-headless
+        state: present
+      when:
+        - ansible_facts.os_family == 'Debian'
+
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
+
+    - name: Display Ansible version
+      ansible.builtin.debug:
+        msg: "Ansible version is {{ ansible_version.full }}"
+
+    - name: "Ensure {{ sudo_pkg_name }} is installed (if user is root)."
+      ansible.builtin.dnf:
+        name: "{{ sudo_pkg_name }}"
+      when:
+        - ansible_user_id == 'root'
+
+    - name: Gather the package facts
+      ansible.builtin.package_facts:
+        manager: auto
+
+    - name: "Check if {{ sudo_pkg_name }} is installed."
+      ansible.builtin.assert:
+        that:
+          - sudo_pkg_name in ansible_facts.packages
+
+    - name: Create certificate request
+      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+      delegate_to: localhost
+      changed_when: false
+  roles:
+    - role: keycloak_quarkus
+
+  post_tasks:
+    - name: "Delete custom fact"
+      ansible.builtin.file:
+        path: /etc/ansible/facts.d/keycloak.fact
+        state: absent
+      become: true

molecule/quarkus_upgrade/roles

@@ -0,0 +1 @@
+../../roles

molecule/quarkus_upgrade/vars.yml

@@ -0,0 +1,13 @@
+---
+keycloak_quarkus_offline_install: false
+keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+keycloak_quarkus_realm: TestRealm
+keycloak_quarkus_hostname: http://instance:8080
+keycloak_quarkus_log: file
+keycloak_quarkus_https_key_file_enabled: true
+keycloak_quarkus_log_target: /tmp/keycloak
+keycloak_quarkus_hostname_strict: false
+keycloak_quarkus_cert_file_copy_enabled: true
+keycloak_quarkus_key_file_copy_enabled: true
+keycloak_quarkus_key_content: "{{ lookup('file', 'key.pem') }}"
+keycloak_quarkus_cert_file_src: cert.pem

molecule/quarkus_upgrade/verify.yml

@@ -0,0 +1,32 @@
+---
+- name: Verify
+  hosts: instance
+  vars:
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_port: http://localhost:8080
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+
+    - name: Verify we are running on requested jvm
+      ansible.builtin.shell: |
+        set -eo pipefail
+        ps -ef | grep 'etc/alternatives/.*21' | grep -v grep
+      changed_when: false
+
+    - name: Verify token api call
+      ansible.builtin.uri:
+        url: "{{ keycloak_quarkus_port }}/realms/master/protocol/openid-connect/token"
+        method: POST
+        body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_bootstrap_admin_password }}&grant_type=password"
+        validate_certs: no
+      register: keycloak_auth_response
+      until: keycloak_auth_response.status == 200
+      retries: 2
+      delay: 2

molecule/requirements.yml

@@ -0,0 +1,12 @@
+---
+collections:
+  - name: middleware_automation.common
+  - name: middleware_automation.jbcs
+  - name: middleware_automation.infinispan
+  - name: community.general
+  - name: ansible.posix
+  - name: community.docker
+    version: ">=3.8.0"
+
+roles:
+  - name: elan.simple_nginx_reverse_proxy

playbooks/keycloak.yml

@@ -1,11 +1,7 @@
 ---
 - name: Playbook for Keycloak Hosts
-  hosts: keycloak
-  collections:
-    - middleware_automation.keycloak
-  tasks:
-    - name: Include keycloak role
-      include_role:
-        name: keycloak
-      vars:
-        keycloak_admin_password: "changeme"
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+  roles:
+    - middleware_automation.keycloak.keycloak

playbooks/keycloak_federation.yml

@@ -0,0 +1,68 @@
+---
+- name: Playbook for Keycloak Hosts
+  hosts: all
+  tasks:
+    - name: Keycloak Realm Role
+      ansible.builtin.include_role:
+        name: keycloak_realm
+      vars:
+        keycloak_admin_password: "remembertochangeme"
+        keycloak_realm: TestRealm
+        keycloak_user_federation:
+          - realm: TestRealm
+            name: my-ldap
+            provider_id: ldap
+            provider_type: org.keycloak.storage.UserStorageProvider
+            config:
+              priority: '0'
+              enabled: true
+              cachePolicy: DEFAULT
+              batchSizeForSync: '1000'
+              editMode: READ_ONLY
+              importEnabled: true
+              syncRegistrations: false
+              vendor: other
+              usernameLDAPAttribute: uid
+              rdnLDAPAttribute: uid
+              uuidLDAPAttribute: entryUUID
+              userObjectClasses: inetOrgPerson, organizationalPerson
+              connectionUrl: ldaps://ldap.example.com:636
+              usersDn: ou=Users,dc=example,dc=com
+              authType: simple
+              bindDn: cn=directory reader
+              bindCredential: password
+              searchScope: '1'
+              validatePasswordPolicy: false
+              trustEmail: false
+              useTruststoreSpi: ldapsOnly
+              connectionPooling: true
+              pagination: true
+              allowKerberosAuthentication: false
+              debug: false
+              useKerberosForPasswordAuthentication: false
+            mappers:
+              - name: "full name"
+                providerId: "full-name-ldap-mapper"
+                providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+                config:
+                  ldap.full.name.attribute: cn
+                  read.only: true
+                  write.only: false
+        keycloak_clients:
+          - name: TestClient1
+            client_id: TestClient1
+            roles:
+              - TestClient1Admin
+              - TestClient1User
+            realm: "{{ keycloak_realm }}"
+            public_client: true
+            web_origins:
+              - http://testclient1origin/application
+              - http://testclient1origin/other
+            users:
+              - username: TestUser
+                password: password
+                client_roles:
+                  - client: TestClient1
+                    role: TestClient1User
+                    realm: "{{ keycloak_realm }}"

playbooks/keycloak_quarkus.yml

@@ -0,0 +1,11 @@
+---
+- name: Playbook for Keycloak X Hosts with HTTPS enabled
+  hosts: all
+  vars:
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_hostname: http://localhost
+    keycloak_quarkus_port: 8443
+    keycloak_quarkus_log: file
+    keycloak_quarkus_proxy_mode: none
+  roles:
+    - middleware_automation.keycloak.keycloak_quarkus

playbooks/keycloak_quarkus_dev.yml

@@ -0,0 +1,12 @@
+---
+- name: Playbook for Keycloak X Hosts in develop mode
+  hosts: all
+  vars:
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_hostname: http://localhost
+    keycloak_quarkus_port: 8080
+    keycloak_quarkus_log: file
+    keycloak_quarkus_start_dev: true
+    keycloak_quarkus_proxy_mode: none
+  roles:
+    - middleware_automation.keycloak.keycloak_quarkus

playbooks/keycloak_realm.yml

@@ -1,67 +1,26 @@
 ---
 - name: Playbook for Keycloak Hosts
-  hosts: keycloak
-  tasks:
-    - name: Keycloak Realm Role
-      include_role:
-        name: keycloak_realm
-      vars:
-        keycloak_admin_password: "changeme"
-        keycloak_realm: TestRealm
-        keycloak_user_federation:
-          - realm: TestRealm
-            name: my-ldap
-            provider_id: ldap
-            provider_type: org.keycloak.storage.UserStorageProvider
-            config:
-              priority: '0'
-              enabled: true
-              cachePolicy: DEFAULT
-              batchSizeForSync: '1000'
-              editMode: READ_ONLY
-              importEnabled: true
-              syncRegistrations: false
-              vendor: other
-              usernameLDAPAttribute: uid
-              rdnLDAPAttribute: uid
-              uuidLDAPAttribute: entryUUID
-              userObjectClasses: inetOrgPerson, organizationalPerson
-              connectionUrl: ldaps://ldap.example.com:636
-              usersDn: ou=Users,dc=example,dc=com
-              authType: simple
-              bindDn: cn=directory reader
-              bindCredential: password
-              searchScope: '1'
-              validatePasswordPolicy: false
-              trustEmail: false
-              useTruststoreSpi: ldapsOnly
-              connectionPooling: true
-              pagination: true
-              allowKerberosAuthentication: false
-              debug: false
-              useKerberosForPasswordAuthentication: false
-            mappers:
-              - name: "full name"
-                providerId: "full-name-ldap-mapper"
-                providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
-                config:
-                  ldap.full.name.attribute: cn
-                  read.only: true
-                  write.only: false
-        keycloak_clients:
-          - name: TestClient1
-            roles:
-              - TestClient1Admin
-              - TestClient1User
-            realm: "{{ keycloak_realm }}"
-            public_client: True
-            web_origins:
-              - http://testclient1origin/application
-              - http://testclient1origin/other
-            users:
-            - username: TestUser
-              password: password
-              client_roles:
-                - client: TestClient1
-                  role: TestClient1User
-                  realm: "{{ keycloak_realm }}"
+  hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_clients:
+      - name: TestClient1
+        client_id: TestClient1
+        roles:
+          - TestClient1Admin
+          - TestClient1User
+        realm: TestRealm
+        public_client: true
+        web_origins:
+          - http://testclient1origin/application
+          - http://testclient1origin/other
+        users:
+          - username: TestUser
+            password: password
+            client_roles:
+              - client: TestClient1
+                role: TestClient1User
+                realm: TestRealm
+  roles:
+    - role: middleware_automation.keycloak.keycloak_realm
+      keycloak_realm: TestRealm

playbooks/rhsso.yml

@@ -1,14 +1,8 @@
 ---
-- name: Playbook for Keycloak Hosts
-  hosts: keycloak
-  collections:
-    - middleware_automation.redhat_csp_download
+- name: Playbook for Red Hat SSO Hosts
+  hosts: sso
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    sso_enable: true
   roles:
-    - redhat_csp_download
-  tasks:
-    - name: Keycloak Role
-      include_role:
-        name: keycloak
-      vars:
-        keycloak_admin_password: "changeme"
-        keycloak_rhsso_enable: True
+    - middleware_automation.keycloak.keycloak

plugins/doc_fragments/attributes.py

@@ -0,0 +1,93 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+
+class ModuleDocFragment(object):
+
+    # Standard documentation fragment
+    DOCUMENTATION = r'''
+options: {}
+attributes:
+    check_mode:
+      description: Can run in C(check_mode) and return changed status prediction without modifying target.
+    diff_mode:
+      description: Will return details on what has changed (or possibly needs changing in C(check_mode)), when in diff mode.
+'''
+
+    PLATFORM = r'''
+options: {}
+attributes:
+    platform:
+      description: Target OS/families that can be operated against.
+      support: N/A
+'''
+
+    # Should be used together with the standard fragment
+    INFO_MODULE = r'''
+options: {}
+attributes:
+    check_mode:
+      support: full
+      details:
+        - This action does not modify state.
+    diff_mode:
+      support: N/A
+      details:
+        - This action does not modify state.
+'''
+
+    CONN = r'''
+options: {}
+attributes:
+    become:
+      description: Is usable alongside C(become) keywords.
+    connection:
+      description: Uses the target's configured connection information to execute code on it.
+    delegation:
+      description: Can be used in conjunction with C(delegate_to) and related keywords.
+'''
+
+    FACTS = r'''
+options: {}
+attributes:
+    facts:
+      description: Action returns an C(ansible_facts) dictionary that will update existing host facts.
+'''
+
+    # Should be used together with the standard fragment and the FACTS fragment
+    FACTS_MODULE = r'''
+options: {}
+attributes:
+    check_mode:
+      support: full
+      details:
+        - This action does not modify state.
+    diff_mode:
+      support: N/A
+      details:
+        - This action does not modify state.
+    facts:
+      support: full
+'''
+
+    FILES = r'''
+options: {}
+attributes:
+    safe_file_operations:
+      description: Uses Ansible's strict file operation functions to ensure proper permissions and avoid data corruption.
+'''
+
+    FLOW = r'''
+options: {}
+attributes:
+    action:
+      description: Indicates this has a corresponding action plugin so some parts of the options can be executed on the controller.
+    async:
+      description: Supports being used with the C(async) keyword.
+'''

plugins/doc_fragments/keycloak.py

@@ -0,0 +1,78 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2017, Eike Frost <ei@kefro.st>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+
+class ModuleDocFragment(object):
+
+    # Standard documentation fragment
+    DOCUMENTATION = r'''
+options:
+    auth_keycloak_url:
+        description:
+            - URL to the Keycloak instance.
+        type: str
+        required: true
+        aliases:
+          - url
+
+    auth_client_id:
+        description:
+            - OpenID Connect I(client_id) to authenticate to the API with.
+        type: str
+        default: admin-cli
+
+    auth_realm:
+        description:
+            - Keycloak realm name to authenticate to for API access.
+        type: str
+
+    auth_client_secret:
+        description:
+            - Client Secret to use in conjunction with I(auth_client_id) (if required).
+        type: str
+
+    auth_username:
+        description:
+            - Username to authenticate for API access with.
+        type: str
+        aliases:
+          - username
+
+    auth_password:
+        description:
+            - Password to authenticate for API access with.
+        type: str
+        aliases:
+          - password
+
+    token:
+        description:
+            - Authentication token for Keycloak API.
+        type: str
+        version_added: 3.0.0
+
+    validate_certs:
+        description:
+            - Verify TLS certificates (do not disable this in production).
+        type: bool
+        default: true
+
+    connection_timeout:
+        description:
+            - Controls the HTTP connections timeout period (in seconds) to Keycloak API.
+        type: int
+        default: 10
+        version_added: 4.5.0
+    http_agent:
+        description:
+            - Configures the HTTP User-Agent header.
+        type: str
+        default: Ansible
+        version_added: 5.4.0
+'''

plugins/modules/keycloak_realm.py

@@ -0,0 +1,848 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2017, Eike Frost <ei@kefro.st>
+# Copyright (c) 2021, Christophe Gilles <christophe.gilles54@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+DOCUMENTATION = '''
+---
+module: keycloak_realm
+
+short_description: Allows administration of Keycloak realm via Keycloak API
+
+version_added: 3.0.0
+
+description:
+    - This module allows the administration of Keycloak realm via the Keycloak REST API. It
+      requires access to the REST API via OpenID Connect; the user connecting and the realm being
+      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+      and an admin user would work, as would a separate realm definition with the scope tailored
+      to your needs and a user having the expected roles.
+
+    - The names of module options are snake_cased versions of the camelCase ones found in the
+      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
+      Aliases are provided so camelCased versions can be used as well.
+
+    - The Keycloak API does not always sanity check inputs e.g. you can set
+      SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful.
+      If you do not specify a setting, usually a sensible default is chosen.
+
+attributes:
+    check_mode:
+        support: full
+    diff_mode:
+        support: full
+
+options:
+    state:
+        description:
+            - State of the realm.
+            - On V(present), the realm will be created (or updated if it exists already).
+            - On V(absent), the realm will be removed if it exists.
+        choices: ['present', 'absent']
+        default: 'present'
+        type: str
+
+    id:
+        description:
+            - The realm to create.
+        type: str
+    realm:
+        description:
+            - The realm name.
+        type: str
+    access_code_lifespan:
+        description:
+            - The realm access code lifespan.
+        aliases:
+            - accessCodeLifespan
+        type: int
+    access_code_lifespan_login:
+        description:
+            - The realm access code lifespan login.
+        aliases:
+            - accessCodeLifespanLogin
+        type: int
+    access_code_lifespan_user_action:
+        description:
+            - The realm access code lifespan user action.
+        aliases:
+            - accessCodeLifespanUserAction
+        type: int
+    access_token_lifespan:
+        description:
+            - The realm access token lifespan.
+        aliases:
+            - accessTokenLifespan
+        type: int
+    access_token_lifespan_for_implicit_flow:
+        description:
+            - The realm access token lifespan for implicit flow.
+        aliases:
+            - accessTokenLifespanForImplicitFlow
+        type: int
+    account_theme:
+        description:
+            - The realm account theme.
+        aliases:
+            - accountTheme
+        type: str
+    action_token_generated_by_admin_lifespan:
+        description:
+            - The realm action token generated by admin lifespan.
+        aliases:
+            - actionTokenGeneratedByAdminLifespan
+        type: int
+    action_token_generated_by_user_lifespan:
+        description:
+            - The realm action token generated by user lifespan.
+        aliases:
+            - actionTokenGeneratedByUserLifespan
+        type: int
+    admin_events_details_enabled:
+        description:
+            - The realm admin events details enabled.
+        aliases:
+            - adminEventsDetailsEnabled
+        type: bool
+    admin_events_enabled:
+        description:
+            - The realm admin events enabled.
+        aliases:
+            - adminEventsEnabled
+        type: bool
+    admin_theme:
+        description:
+            - The realm admin theme.
+        aliases:
+            - adminTheme
+        type: str
+    attributes:
+        description:
+            - The realm attributes.
+        type: dict
+    browser_flow:
+        description:
+            - The realm browser flow.
+        aliases:
+            - browserFlow
+        type: str
+    browser_security_headers:
+        description:
+            - The realm browser security headers.
+        aliases:
+            - browserSecurityHeaders
+        type: dict
+    brute_force_protected:
+        description:
+            - The realm brute force protected.
+        aliases:
+            - bruteForceProtected
+        type: bool
+    client_authentication_flow:
+        description:
+            - The realm client authentication flow.
+        aliases:
+            - clientAuthenticationFlow
+        type: str
+    client_scope_mappings:
+        description:
+            - The realm client scope mappings.
+        aliases:
+            - clientScopeMappings
+        type: dict
+    default_default_client_scopes:
+        description:
+            - The realm default default client scopes.
+        aliases:
+            - defaultDefaultClientScopes
+        type: list
+        elements: str
+    default_groups:
+        description:
+            - The realm default groups.
+        aliases:
+            - defaultGroups
+        type: list
+        elements: str
+    default_locale:
+        description:
+            - The realm default locale.
+        aliases:
+            - defaultLocale
+        type: str
+    default_optional_client_scopes:
+        description:
+            - The realm default optional client scopes.
+        aliases:
+            - defaultOptionalClientScopes
+        type: list
+        elements: str
+    default_roles:
+        description:
+            - The realm default roles.
+        aliases:
+            - defaultRoles
+        type: list
+        elements: str
+    default_signature_algorithm:
+        description:
+            - The realm default signature algorithm.
+        aliases:
+            - defaultSignatureAlgorithm
+        type: str
+    direct_grant_flow:
+        description:
+            - The realm direct grant flow.
+        aliases:
+            - directGrantFlow
+        type: str
+    display_name:
+        description:
+            - The realm display name.
+        aliases:
+            - displayName
+        type: str
+    display_name_html:
+        description:
+            - The realm display name HTML.
+        aliases:
+            - displayNameHtml
+        type: str
+    docker_authentication_flow:
+        description:
+            - The realm docker authentication flow.
+        aliases:
+            - dockerAuthenticationFlow
+        type: str
+    duplicate_emails_allowed:
+        description:
+            - The realm duplicate emails allowed option.
+        aliases:
+            - duplicateEmailsAllowed
+        type: bool
+    edit_username_allowed:
+        description:
+            - The realm edit username allowed option.
+        aliases:
+            - editUsernameAllowed
+        type: bool
+    email_theme:
+        description:
+            - The realm email theme.
+        aliases:
+            - emailTheme
+        type: str
+    enabled:
+        description:
+            - The realm enabled option.
+        type: bool
+    enabled_event_types:
+        description:
+            - The realm enabled event types.
+        aliases:
+            - enabledEventTypes
+        type: list
+        elements: str
+    events_enabled:
+        description:
+            - Enables or disables login events for this realm.
+        aliases:
+            - eventsEnabled
+        type: bool
+        version_added: 3.6.0
+    events_expiration:
+        description:
+            - The realm events expiration.
+        aliases:
+            - eventsExpiration
+        type: int
+    events_listeners:
+        description:
+            - The realm events listeners.
+        aliases:
+            - eventsListeners
+        type: list
+        elements: str
+    failure_factor:
+        description:
+            - The realm failure factor.
+        aliases:
+            - failureFactor
+        type: int
+    internationalization_enabled:
+        description:
+            - The realm internationalization enabled option.
+        aliases:
+            - internationalizationEnabled
+        type: bool
+    login_theme:
+        description:
+            - The realm login theme.
+        aliases:
+            - loginTheme
+        type: str
+    login_with_email_allowed:
+        description:
+            - The realm login with email allowed option.
+        aliases:
+            - loginWithEmailAllowed
+        type: bool
+    max_delta_time_seconds:
+        description:
+            - The realm max delta time in seconds.
+        aliases:
+            - maxDeltaTimeSeconds
+        type: int
+    max_failure_wait_seconds:
+        description:
+            - The realm max failure wait in seconds.
+        aliases:
+            - maxFailureWaitSeconds
+        type: int
+    minimum_quick_login_wait_seconds:
+        description:
+            - The realm minimum quick login wait in seconds.
+        aliases:
+            - minimumQuickLoginWaitSeconds
+        type: int
+    not_before:
+        description:
+            - The realm not before.
+        aliases:
+            - notBefore
+        type: int
+    offline_session_idle_timeout:
+        description:
+            - The realm offline session idle timeout.
+        aliases:
+            - offlineSessionIdleTimeout
+        type: int
+    offline_session_max_lifespan:
+        description:
+            - The realm offline session max lifespan.
+        aliases:
+            - offlineSessionMaxLifespan
+        type: int
+    offline_session_max_lifespan_enabled:
+        description:
+            - The realm offline session max lifespan enabled option.
+        aliases:
+            - offlineSessionMaxLifespanEnabled
+        type: bool
+    otp_policy_algorithm:
+        description:
+            - The realm otp policy algorithm.
+        aliases:
+            - otpPolicyAlgorithm
+        type: str
+    otp_policy_digits:
+        description:
+            - The realm otp policy digits.
+        aliases:
+            - otpPolicyDigits
+        type: int
+    otp_policy_initial_counter:
+        description:
+            - The realm otp policy initial counter.
+        aliases:
+            - otpPolicyInitialCounter
+        type: int
+    otp_policy_look_ahead_window:
+        description:
+            - The realm otp policy look ahead window.
+        aliases:
+            - otpPolicyLookAheadWindow
+        type: int
+    otp_policy_period:
+        description:
+            - The realm otp policy period.
+        aliases:
+            - otpPolicyPeriod
+        type: int
+    otp_policy_type:
+        description:
+            - The realm otp policy type.
+        aliases:
+            - otpPolicyType
+        type: str
+    otp_supported_applications:
+        description:
+            - The realm otp supported applications.
+        aliases:
+            - otpSupportedApplications
+        type: list
+        elements: str
+    password_policy:
+        description:
+            - The realm password policy.
+        aliases:
+            - passwordPolicy
+        type: str
+    permanent_lockout:
+        description:
+            - The realm permanent lockout.
+        aliases:
+            - permanentLockout
+        type: bool
+    quick_login_check_milli_seconds:
+        description:
+            - The realm quick login check in milliseconds.
+        aliases:
+            - quickLoginCheckMilliSeconds
+        type: int
+    refresh_token_max_reuse:
+        description:
+            - The realm refresh token max reuse.
+        aliases:
+            - refreshTokenMaxReuse
+        type: int
+    registration_allowed:
+        description:
+            - The realm registration allowed option.
+        aliases:
+            - registrationAllowed
+        type: bool
+    registration_email_as_username:
+        description:
+            - The realm registration email as username option.
+        aliases:
+            - registrationEmailAsUsername
+        type: bool
+    registration_flow:
+        description:
+            - The realm registration flow.
+        aliases:
+            - registrationFlow
+        type: str
+    remember_me:
+        description:
+            - The realm remember me option.
+        aliases:
+            - rememberMe
+        type: bool
+    reset_credentials_flow:
+        description:
+            - The realm reset credentials flow.
+        aliases:
+            - resetCredentialsFlow
+        type: str
+    reset_password_allowed:
+        description:
+            - The realm reset password allowed option.
+        aliases:
+            - resetPasswordAllowed
+        type: bool
+    revoke_refresh_token:
+        description:
+            - The realm revoke refresh token option.
+        aliases:
+            - revokeRefreshToken
+        type: bool
+    smtp_server:
+        description:
+            - The realm smtp server.
+        aliases:
+            - smtpServer
+        type: dict
+    ssl_required:
+        description:
+            - The realm ssl required option.
+        choices: ['all', 'external', 'none']
+        aliases:
+            - sslRequired
+        type: str
+    sso_session_idle_timeout:
+        description:
+            - The realm sso session idle timeout.
+        aliases:
+            - ssoSessionIdleTimeout
+        type: int
+    sso_session_idle_timeout_remember_me:
+        description:
+            - The realm sso session idle timeout remember me.
+        aliases:
+            - ssoSessionIdleTimeoutRememberMe
+        type: int
+    sso_session_max_lifespan:
+        description:
+            - The realm sso session max lifespan.
+        aliases:
+            - ssoSessionMaxLifespan
+        type: int
+    sso_session_max_lifespan_remember_me:
+        description:
+            - The realm sso session max lifespan remember me.
+        aliases:
+            - ssoSessionMaxLifespanRememberMe
+        type: int
+    supported_locales:
+        description:
+            - The realm supported locales.
+        aliases:
+            - supportedLocales
+        type: list
+        elements: str
+    user_managed_access_allowed:
+        description:
+            - The realm user managed access allowed option.
+        aliases:
+            - userManagedAccessAllowed
+        type: bool
+    verify_email:
+        description:
+            - The realm verify email option.
+        aliases:
+            - verifyEmail
+        type: bool
+    wait_increment_seconds:
+        description:
+            - The realm wait increment in seconds.
+        aliases:
+            - waitIncrementSeconds
+        type: int
+
+extends_documentation_fragment:
+    - middleware_automation.keycloak.keycloak
+    - middleware_automation.keycloak.attributes
+
+author:
+    - Christophe Gilles (@kris2kris)
+'''
+
+EXAMPLES = '''
+- name: Create or update Keycloak realm (minimal example)
+  middleware_automation.keycloak.keycloak_realm:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    id: realm
+    realm: realm
+    state: present
+
+- name: Delete a Keycloak realm
+  middleware_automation.keycloak.keycloak_realm:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    id: test
+    state: absent
+'''
+
+RETURN = '''
+msg:
+    description: Message as to what action was taken.
+    returned: always
+    type: str
+    sample: "Realm testrealm has been updated"
+
+proposed:
+    description: Representation of proposed realm.
+    returned: always
+    type: dict
+    sample: {
+      id: "test"
+    }
+
+existing:
+    description: Representation of existing realm (sample is truncated).
+    returned: always
+    type: dict
+    sample: {
+        "adminUrl": "http://www.example.com/admin_url",
+        "attributes": {
+            "request.object.signature.alg": "RS256",
+        }
+    }
+
+end_state:
+    description: Representation of realm after module execution (sample is truncated).
+    returned: on success
+    type: dict
+    sample: {
+        "adminUrl": "http://www.example.com/admin_url",
+        "attributes": {
+            "request.object.signature.alg": "RS256",
+        }
+    }
+'''
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
+    keycloak_argument_spec, get_token, KeycloakError
+from ansible.module_utils.basic import AnsibleModule
+
+
+def normalise_cr(realmrep):
+    """ Re-sorts any properties where the order is important so that diff's is minimised and the change detection is more effective.
+
+    :param realmrep: the realmrep dict to be sanitized
+    :return: normalised realmrep dict
+    """
+    # Avoid the dict passed in to be modified
+    realmrep = realmrep.copy()
+
+    if 'enabledEventTypes' in realmrep:
+        realmrep['enabledEventTypes'] = list(sorted(realmrep['enabledEventTypes']))
+
+    if 'otpSupportedApplications' in realmrep:
+        realmrep['otpSupportedApplications'] = list(sorted(realmrep['otpSupportedApplications']))
+
+    if 'supportedLocales' in realmrep:
+        realmrep['supportedLocales'] = list(sorted(realmrep['supportedLocales']))
+
+    return realmrep
+
+
+def sanitize_cr(realmrep):
+    """ Removes probably sensitive details from a realm representation.
+
+    :param realmrep: the realmrep dict to be sanitized
+    :return: sanitized realmrep dict
+    """
+    result = realmrep.copy()
+    if 'secret' in result:
+        result['secret'] = '********'
+    if 'attributes' in result:
+        if 'saml.signing.private.key' in result['attributes']:
+            result['attributes'] = result['attributes'].copy()
+            result['attributes']['saml.signing.private.key'] = '********'
+    return normalise_cr(result)
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    meta_args = dict(
+        state=dict(default='present', choices=['present', 'absent']),
+
+        id=dict(type='str'),
+        realm=dict(type='str'),
+        access_code_lifespan=dict(type='int', aliases=['accessCodeLifespan']),
+        access_code_lifespan_login=dict(type='int', aliases=['accessCodeLifespanLogin']),
+        access_code_lifespan_user_action=dict(type='int', aliases=['accessCodeLifespanUserAction']),
+        access_token_lifespan=dict(type='int', aliases=['accessTokenLifespan'], no_log=False),
+        access_token_lifespan_for_implicit_flow=dict(type='int', aliases=['accessTokenLifespanForImplicitFlow'], no_log=False),
+        account_theme=dict(type='str', aliases=['accountTheme']),
+        action_token_generated_by_admin_lifespan=dict(type='int', aliases=['actionTokenGeneratedByAdminLifespan'], no_log=False),
+        action_token_generated_by_user_lifespan=dict(type='int', aliases=['actionTokenGeneratedByUserLifespan'], no_log=False),
+        admin_events_details_enabled=dict(type='bool', aliases=['adminEventsDetailsEnabled']),
+        admin_events_enabled=dict(type='bool', aliases=['adminEventsEnabled']),
+        admin_theme=dict(type='str', aliases=['adminTheme']),
+        attributes=dict(type='dict'),
+        browser_flow=dict(type='str', aliases=['browserFlow']),
+        browser_security_headers=dict(type='dict', aliases=['browserSecurityHeaders']),
+        brute_force_protected=dict(type='bool', aliases=['bruteForceProtected']),
+        client_authentication_flow=dict(type='str', aliases=['clientAuthenticationFlow']),
+        client_scope_mappings=dict(type='dict', aliases=['clientScopeMappings']),
+        default_default_client_scopes=dict(type='list', elements='str', aliases=['defaultDefaultClientScopes']),
+        default_groups=dict(type='list', elements='str', aliases=['defaultGroups']),
+        default_locale=dict(type='str', aliases=['defaultLocale']),
+        default_optional_client_scopes=dict(type='list', elements='str', aliases=['defaultOptionalClientScopes']),
+        default_roles=dict(type='list', elements='str', aliases=['defaultRoles']),
+        default_signature_algorithm=dict(type='str', aliases=['defaultSignatureAlgorithm']),
+        direct_grant_flow=dict(type='str', aliases=['directGrantFlow']),
+        display_name=dict(type='str', aliases=['displayName']),
+        display_name_html=dict(type='str', aliases=['displayNameHtml']),
+        docker_authentication_flow=dict(type='str', aliases=['dockerAuthenticationFlow']),
+        duplicate_emails_allowed=dict(type='bool', aliases=['duplicateEmailsAllowed']),
+        edit_username_allowed=dict(type='bool', aliases=['editUsernameAllowed']),
+        email_theme=dict(type='str', aliases=['emailTheme']),
+        enabled=dict(type='bool'),
+        enabled_event_types=dict(type='list', elements='str', aliases=['enabledEventTypes']),
+        events_enabled=dict(type='bool', aliases=['eventsEnabled']),
+        events_expiration=dict(type='int', aliases=['eventsExpiration']),
+        events_listeners=dict(type='list', elements='str', aliases=['eventsListeners']),
+        failure_factor=dict(type='int', aliases=['failureFactor']),
+        internationalization_enabled=dict(type='bool', aliases=['internationalizationEnabled']),
+        login_theme=dict(type='str', aliases=['loginTheme']),
+        login_with_email_allowed=dict(type='bool', aliases=['loginWithEmailAllowed']),
+        max_delta_time_seconds=dict(type='int', aliases=['maxDeltaTimeSeconds']),
+        max_failure_wait_seconds=dict(type='int', aliases=['maxFailureWaitSeconds']),
+        minimum_quick_login_wait_seconds=dict(type='int', aliases=['minimumQuickLoginWaitSeconds']),
+        not_before=dict(type='int', aliases=['notBefore']),
+        offline_session_idle_timeout=dict(type='int', aliases=['offlineSessionIdleTimeout']),
+        offline_session_max_lifespan=dict(type='int', aliases=['offlineSessionMaxLifespan']),
+        offline_session_max_lifespan_enabled=dict(type='bool', aliases=['offlineSessionMaxLifespanEnabled']),
+        otp_policy_algorithm=dict(type='str', aliases=['otpPolicyAlgorithm']),
+        otp_policy_digits=dict(type='int', aliases=['otpPolicyDigits']),
+        otp_policy_initial_counter=dict(type='int', aliases=['otpPolicyInitialCounter']),
+        otp_policy_look_ahead_window=dict(type='int', aliases=['otpPolicyLookAheadWindow']),
+        otp_policy_period=dict(type='int', aliases=['otpPolicyPeriod']),
+        otp_policy_type=dict(type='str', aliases=['otpPolicyType']),
+        otp_supported_applications=dict(type='list', elements='str', aliases=['otpSupportedApplications']),
+        password_policy=dict(type='str', aliases=['passwordPolicy'], no_log=False),
+        permanent_lockout=dict(type='bool', aliases=['permanentLockout']),
+        quick_login_check_milli_seconds=dict(type='int', aliases=['quickLoginCheckMilliSeconds']),
+        refresh_token_max_reuse=dict(type='int', aliases=['refreshTokenMaxReuse'], no_log=False),
+        registration_allowed=dict(type='bool', aliases=['registrationAllowed']),
+        registration_email_as_username=dict(type='bool', aliases=['registrationEmailAsUsername']),
+        registration_flow=dict(type='str', aliases=['registrationFlow']),
+        remember_me=dict(type='bool', aliases=['rememberMe']),
+        reset_credentials_flow=dict(type='str', aliases=['resetCredentialsFlow']),
+        reset_password_allowed=dict(type='bool', aliases=['resetPasswordAllowed'], no_log=False),
+        revoke_refresh_token=dict(type='bool', aliases=['revokeRefreshToken']),
+        smtp_server=dict(type='dict', aliases=['smtpServer']),
+        ssl_required=dict(choices=["external", "all", "none"], aliases=['sslRequired']),
+        sso_session_idle_timeout=dict(type='int', aliases=['ssoSessionIdleTimeout']),
+        sso_session_idle_timeout_remember_me=dict(type='int', aliases=['ssoSessionIdleTimeoutRememberMe']),
+        sso_session_max_lifespan=dict(type='int', aliases=['ssoSessionMaxLifespan']),
+        sso_session_max_lifespan_remember_me=dict(type='int', aliases=['ssoSessionMaxLifespanRememberMe']),
+        supported_locales=dict(type='list', elements='str', aliases=['supportedLocales']),
+        user_managed_access_allowed=dict(type='bool', aliases=['userManagedAccessAllowed']),
+        verify_email=dict(type='bool', aliases=['verifyEmail']),
+        wait_increment_seconds=dict(type='int', aliases=['waitIncrementSeconds']),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(argument_spec=argument_spec,
+                           supports_check_mode=True,
+                           required_one_of=([['id', 'realm', 'enabled'],
+                                             ['token', 'auth_realm', 'auth_username', 'auth_password']]),
+                           required_together=([['auth_realm', 'auth_username', 'auth_password']]))
+
+    result = dict(changed=False, msg='', diff={}, proposed={}, existing={}, end_state={})
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get('realm')
+    state = module.params.get('state')
+
+    # convert module parameters to realm representation parameters (if they belong in there)
+    params_to_ignore = list(keycloak_argument_spec().keys()) + ['state']
+
+    # Filter and map the parameters names that apply to the role
+    realm_params = [x for x in module.params
+                    if x not in params_to_ignore and
+                    module.params.get(x) is not None]
+
+    # See whether the realm already exists in Keycloak
+    before_realm = kc.get_realm_by_id(realm=realm)
+
+    if before_realm is None:
+        before_realm = {}
+
+    # Build a proposed changeset from parameters given to this module
+    changeset = {}
+
+    for realm_param in realm_params:
+        new_param_value = module.params.get(realm_param)
+        changeset[camel(realm_param)] = new_param_value
+
+    # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis)
+    desired_realm = before_realm.copy()
+    desired_realm.update(changeset)
+
+    result['proposed'] = sanitize_cr(changeset)
+    before_realm_sanitized = sanitize_cr(before_realm)
+    result['existing'] = before_realm_sanitized
+
+    # Cater for when it doesn't exist (an empty dict)
+    if not before_realm:
+        if state == 'absent':
+            # Do nothing and exit
+            if module._diff:
+                result['diff'] = dict(before='', after='')
+            result['changed'] = False
+            result['end_state'] = {}
+            result['msg'] = 'Realm does not exist, doing nothing.'
+            module.exit_json(**result)
+
+        # Process a creation
+        result['changed'] = True
+
+        if 'id' not in desired_realm:
+            module.fail_json(msg='id needs to be specified when creating a new realm')
+
+        if module._diff:
+            result['diff'] = dict(before='', after=sanitize_cr(desired_realm))
+
+        if module.check_mode:
+            module.exit_json(**result)
+
+        # create it
+        kc.create_realm(desired_realm)
+        after_realm = kc.get_realm_by_id(desired_realm['id'])
+
+        result['end_state'] = sanitize_cr(after_realm)
+
+        result['msg'] = 'Realm %s has been created.' % desired_realm['id']
+        module.exit_json(**result)
+
+    else:
+        if state == 'present':
+            # Process an update
+
+            # doing an update
+            result['changed'] = True
+            if module.check_mode:
+                # We can only compare the current realm with the proposed updates we have
+                before_norm = normalise_cr(before_realm)
+                desired_norm = normalise_cr(desired_realm)
+                if module._diff:
+                    result['diff'] = dict(before=sanitize_cr(before_norm),
+                                          after=sanitize_cr(desired_norm))
+                result['changed'] = (before_norm != desired_norm)
+
+                module.exit_json(**result)
+
+            # do the update
+            kc.update_realm(desired_realm, realm=realm)
+
+            after_realm = kc.get_realm_by_id(realm=realm)
+
+            if before_realm == after_realm:
+                result['changed'] = False
+
+            result['end_state'] = sanitize_cr(after_realm)
+
+            if module._diff:
+                result['diff'] = dict(before=before_realm_sanitized,
+                                      after=sanitize_cr(after_realm))
+
+            result['msg'] = 'Realm %s has been updated.' % desired_realm['id']
+            module.exit_json(**result)
+
+        else:
+            # Process a deletion (because state was not 'present')
+            result['changed'] = True
+
+            if module._diff:
+                result['diff'] = dict(before=before_realm_sanitized, after='')
+
+            if module.check_mode:
+                module.exit_json(**result)
+
+            # delete it
+            kc.delete_realm(realm=realm)
+
+            result['proposed'] = {}
+            result['end_state'] = {}
+
+            result['msg'] = 'Realm %s has been deleted.' % before_realm['id']
+
+    module.exit_json(**result)
+
+
+if __name__ == '__main__':
+    main()

plugins/modules/keycloak_role.py

@@ -0,0 +1,439 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2019, Adam Goossens <adam.goossens@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+DOCUMENTATION = '''
+---
+module: keycloak_role
+
+short_description: Allows administration of Keycloak roles via Keycloak API
+
+version_added: 3.4.0
+
+description:
+    - This module allows you to add, remove or modify Keycloak roles via the Keycloak REST API.
+      It requires access to the REST API via OpenID Connect; the user connecting and the client being
+      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+      and an admin user would work, as would a separate client definition with the scope tailored
+      to your needs and a user having the expected roles.
+
+    - The names of module options are snake_cased versions of the camelCase ones found in the
+      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
+
+    - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
+      be returned that way by this module. You may pass single values for attributes when calling the module,
+      and this will be translated into a list suitable for the API.
+
+attributes:
+    check_mode:
+        support: full
+    diff_mode:
+        support: full
+
+options:
+    state:
+        description:
+            - State of the role.
+            - On V(present), the role will be created if it does not yet exist, or updated with the parameters you provide.
+            - On V(absent), the role will be removed if it exists.
+        default: 'present'
+        type: str
+        choices:
+            - present
+            - absent
+
+    name:
+        type: str
+        required: true
+        description:
+            - Name of the role.
+            - This parameter is required.
+
+    description:
+        type: str
+        description:
+            - The role description.
+
+    realm:
+        type: str
+        description:
+            - The Keycloak realm under which this role resides.
+        default: 'master'
+
+    client_id:
+        type: str
+        description:
+            - If the role is a client role, the client id under which it resides.
+            - If this parameter is absent, the role is considered a realm role.
+
+    attributes:
+        type: dict
+        description:
+            - A dict of key/value pairs to set as custom attributes for the role.
+            - Values may be single values (e.g. a string) or a list of strings.
+    composite:
+        description:
+            - If V(true), the role is a composition of other realm and/or client role.
+        default: false
+        type: bool
+        version_added: 7.1.0
+    composites:
+        description:
+            - List of roles to include to the composite realm role.
+            - If the composite role is a client role, the C(clientId) (not ID of the client) must be specified.
+        default: []
+        type: list
+        elements: dict
+        version_added: 7.1.0
+        suboptions:
+            name:
+                description:
+                    - Name of the role. This can be the name of a REALM role or a client role.
+                type: str
+                required: true
+            client_id:
+                description:
+                    - Client ID if the role is a client role. Do not include this option for a REALM role.
+                    - Use the client ID you can see in the Keycloak console, not the technical ID of the client.
+                type: str
+                required: false
+                aliases:
+                    - clientId
+            state:
+                description:
+                    - Create the composite if present, remove it if absent.
+                type: str
+                choices:
+                    - present
+                    - absent
+                default: present
+
+extends_documentation_fragment:
+    - middleware_automation.keycloak.keycloak
+    - middleware_automation.keycloak.attributes
+
+author:
+    - Laurent Paumier (@laurpaum)
+'''
+
+EXAMPLES = '''
+- name: Create a Keycloak realm role, authentication with credentials
+  middleware_automation.keycloak.keycloak_role:
+    name: my-new-kc-role
+    realm: MyCustomRealm
+    state: present
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+  delegate_to: localhost
+
+- name: Create a Keycloak realm role, authentication with token
+  middleware_automation.keycloak.keycloak_role:
+    name: my-new-kc-role
+    realm: MyCustomRealm
+    state: present
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    token: TOKEN
+  delegate_to: localhost
+
+- name: Create a Keycloak client role
+  middleware_automation.keycloak.keycloak_role:
+    name: my-new-kc-role
+    realm: MyCustomRealm
+    client_id: MyClient
+    state: present
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+  delegate_to: localhost
+
+- name: Delete a Keycloak role
+  middleware_automation.keycloak.keycloak_role:
+    name: my-role-for-deletion
+    state: absent
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+  delegate_to: localhost
+
+- name: Create a keycloak role with some custom attributes
+  middleware_automation.keycloak.keycloak_role:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    name: my-new-role
+    attributes:
+        attrib1: value1
+        attrib2: value2
+        attrib3:
+            - with
+            - numerous
+            - individual
+            - list
+            - items
+  delegate_to: localhost
+'''
+
+RETURN = '''
+msg:
+    description: Message as to what action was taken.
+    returned: always
+    type: str
+    sample: "Role myrole has been updated"
+
+proposed:
+    description: Representation of proposed role.
+    returned: always
+    type: dict
+    sample: {
+        "description": "My updated test description"
+    }
+
+existing:
+    description: Representation of existing role.
+    returned: always
+    type: dict
+    sample: {
+        "attributes": {},
+        "clientRole": true,
+        "composite": false,
+        "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
+        "description": "My client test role",
+        "id": "561703dd-0f38-45ff-9a5a-0c978f794547",
+        "name": "myrole"
+    }
+
+end_state:
+    description: Representation of role after module execution (sample is truncated).
+    returned: on success
+    type: dict
+    sample: {
+        "attributes": {},
+        "clientRole": true,
+        "composite": false,
+        "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
+        "description": "My updated client test role",
+        "id": "561703dd-0f38-45ff-9a5a-0c978f794547",
+        "name": "myrole"
+    }
+'''
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
+    keycloak_argument_spec, get_token, KeycloakError, is_struct_included
+from ansible.module_utils.basic import AnsibleModule
+import copy
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    composites_spec = dict(
+        name=dict(type='str', required=True),
+        client_id=dict(type='str', aliases=['clientId'], required=False),
+        state=dict(type='str', default='present', choices=['present', 'absent'])
+    )
+
+    meta_args = dict(
+        state=dict(type='str', default='present', choices=['present', 'absent']),
+        name=dict(type='str', required=True),
+        description=dict(type='str'),
+        realm=dict(type='str', default='master'),
+        client_id=dict(type='str'),
+        attributes=dict(type='dict'),
+        composites=dict(type='list', default=[], options=composites_spec, elements='dict'),
+        composite=dict(type='bool', default=False),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(argument_spec=argument_spec,
+                           supports_check_mode=True,
+                           required_one_of=([['token', 'auth_realm', 'auth_username', 'auth_password']]),
+                           required_together=([['auth_realm', 'auth_username', 'auth_password']]))
+
+    result = dict(changed=False, msg='', diff={}, proposed={}, existing={}, end_state={})
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get('realm')
+    clientid = module.params.get('client_id')
+    name = module.params.get('name')
+    state = module.params.get('state')
+
+    # attributes in Keycloak have their values returned as lists
+    # via the API. attributes is a dict, so we'll transparently convert
+    # the values to lists.
+    if module.params.get('attributes') is not None:
+        for key, val in module.params['attributes'].items():
+            module.params['attributes'][key] = [val] if not isinstance(val, list) else val
+
+    # Filter and map the parameters names that apply to the role
+    role_params = [x for x in module.params
+                   if x not in list(keycloak_argument_spec().keys()) + ['state', 'realm', 'client_id'] and
+                   module.params.get(x) is not None]
+
+    # See if it already exists in Keycloak
+    if clientid is None:
+        before_role = kc.get_realm_role(name, realm)
+    else:
+        before_role = kc.get_client_role(name, clientid, realm)
+
+    if before_role is None:
+        before_role = {}
+
+    # Build a proposed changeset from parameters given to this module
+    changeset = {}
+
+    for param in role_params:
+        new_param_value = module.params.get(param)
+        old_value = before_role[param] if param in before_role else None
+        if new_param_value != old_value:
+            changeset[camel(param)] = copy.deepcopy(new_param_value)
+
+    # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis)
+    desired_role = copy.deepcopy(before_role)
+    desired_role.update(changeset)
+
+    result['proposed'] = changeset
+    result['existing'] = before_role
+
+    # Cater for when it doesn't exist (an empty dict)
+    if not before_role:
+        if state == 'absent':
+            # Do nothing and exit
+            if module._diff:
+                result['diff'] = dict(before='', after='')
+            result['changed'] = False
+            result['end_state'] = {}
+            result['msg'] = 'Role does not exist, doing nothing.'
+            module.exit_json(**result)
+
+        # Process a creation
+        result['changed'] = True
+
+        if name is None:
+            module.fail_json(msg='name must be specified when creating a new role')
+
+        if module._diff:
+            result['diff'] = dict(before='', after=desired_role)
+
+        if module.check_mode:
+            module.exit_json(**result)
+
+        # create it
+        if clientid is None:
+            kc.create_realm_role(desired_role, realm)
+            after_role = kc.get_realm_role(name, realm)
+        else:
+            kc.create_client_role(desired_role, clientid, realm)
+            after_role = kc.get_client_role(name, clientid, realm)
+
+        if after_role['composite']:
+            after_role['composites'] = kc.get_role_composites(rolerep=after_role, clientid=clientid, realm=realm)
+
+        result['end_state'] = after_role
+
+        result['msg'] = 'Role {name} has been created'.format(name=name)
+        module.exit_json(**result)
+
+    else:
+        if state == 'present':
+            compare_exclude = []
+            if 'composites' in desired_role and isinstance(desired_role['composites'], list) and len(desired_role['composites']) > 0:
+                composites = kc.get_role_composites(rolerep=before_role, clientid=clientid, realm=realm)
+                before_role['composites'] = []
+                for composite in composites:
+                    before_composite = {}
+                    if composite['clientRole']:
+                        composite_client = kc.get_client_by_id(id=composite['containerId'], realm=realm)
+                        before_composite['client_id'] = composite_client['clientId']
+                    else:
+                        before_composite['client_id'] = None
+                    before_composite['name'] = composite['name']
+                    before_composite['state'] = 'present'
+                    before_role['composites'].append(before_composite)
+            else:
+                compare_exclude.append('composites')
+            # Process an update
+            # no changes
+            if is_struct_included(desired_role, before_role, exclude=compare_exclude):
+                result['changed'] = False
+                result['end_state'] = desired_role
+                result['msg'] = "No changes required to role {name}.".format(name=name)
+                module.exit_json(**result)
+
+            # doing an update
+            result['changed'] = True
+
+            if module._diff:
+                result['diff'] = dict(before=before_role, after=desired_role)
+
+            if module.check_mode:
+                module.exit_json(**result)
+
+            # do the update
+            if clientid is None:
+                kc.update_realm_role(desired_role, realm)
+                after_role = kc.get_realm_role(name, realm)
+            else:
+                kc.update_client_role(desired_role, clientid, realm)
+                after_role = kc.get_client_role(name, clientid, realm)
+            if after_role['composite']:
+                after_role['composites'] = kc.get_role_composites(rolerep=after_role, clientid=clientid, realm=realm)
+
+            result['end_state'] = after_role
+
+            result['msg'] = "Role {name} has been updated".format(name=name)
+            module.exit_json(**result)
+
+        else:
+            # Process a deletion (because state was not 'present')
+            result['changed'] = True
+
+            if module._diff:
+                result['diff'] = dict(before=before_role, after='')
+
+            if module.check_mode:
+                module.exit_json(**result)
+
+            # delete it
+            if clientid is None:
+                kc.delete_realm_role(name, realm)
+            else:
+                kc.delete_client_role(name, clientid, realm)
+
+            result['end_state'] = {}
+
+            result['msg'] = "Role {name} has been deleted".format(name=name)
+
+    module.exit_json(**result)
+
+
+if __name__ == '__main__':
+    main()

requirements.txt

@@ -1,6 +1,7 @@
 #################################################
-# python dependencies required to be installed 
+# python dependencies required to be installed
 # on the controller host with:
 # pip install -r requirements.txt
 #
-netaddr
+netaddr
+lxml # for middleware_automation.common.maven_artifact

requirements.yml

@@ -1,7 +1,5 @@
 ---
 collections:
-  - name: middleware_automation.redhat_csp_download
+  - name: middleware_automation.common
     version: ">=1.2.1"
-  - name: middleware_automation.wildfly
-    version: ">=0.0.5"
-  - name: community.general
+  - name: ansible.posix

roles/keycloak/README.md

@@ -1,7 +1,7 @@
 keycloak
 ========
 
-Install [keycloak](https://keycloak.org/) or [Red Hat Single Sing-On](https://access.redhat.com/products/red-hat-single-sign-on) server configurations.
+Install [keycloak](https://keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) server configurations.
 
 
 Requirements
@@ -10,6 +10,7 @@ Requirements
 This role requires the `python3-netaddr` library installed on the controller node.
 
 * to install via yum/dnf: `dnf install python3-netaddr`
+* to install via apt: `apt install python3-netaddr`
 * or via pip: `pip install netaddr==0.8.0`
 * or via the collection: `pip install -r requirements.txt`
 
@@ -19,8 +20,12 @@ Dependencies
 
 The roles depends on:
 
-* the `redhat_csp_download` role from [middleware_automation.redhat_csp_download](https://github.com/ansible-middleware/redhat-csp-download) collection if Red Hat Single Sign-on zip have to be downloaded from RHN.
-* the `wildfly_driver` role from [middleware_automation.wildfly](https://github.com/ansible-middleware/wildfly) collection
+* [middleware_automation.common](https://github.com/ansible-middleware/common)
+* [ansible-posix](https://docs.ansible.com/ansible/latest/collections/ansible/posix/index.html)
+
+To install all the dependencies via galaxy:
+
+    ansible-galaxy collection install -r requirements.yml
 
 
 Versions
@@ -28,7 +33,19 @@ Versions
 
 | RH-SSO VERSION | Release Date      | Keycloak Version | EAP Version | Notes           |
 |:---------------|:------------------|:-----------------|:------------|:----------------|
-|`7.5.0 GA`      |September 20, 2021 |`15.0.2`          | `7.4.0`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|
+|`7.5.0 GA`      |September 20, 2021 |`15.0.2`          | `7.4.6`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|
+|`7.6.0 GA`      |June 30, 2022      |`18.0.3`          | `7.4.6`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/release_notes/index)|
+
+
+Patching
+--------
+
+When variable `keycloak_rhsso_apply_patches` is `true` (default: `false`), the role will automatically apply the latest cumulative patch for the selected base version.
+
+| RH-SSO VERSION | Release Date      | RH-SSO LATEST CP | Notes           |
+|:---------------|:------------------|:-----------------|:----------------|
+|`7.5.0 GA`      |January 20, 2022   |`7.5.3 GA`        |[Release Notes](https://access.redhat.com/articles/6646321)|
+|`7.6.0 GA`      |November 11, 2022  |`7.6.1 GA`        |[Release Notes](https://access.redhat.com/articles/6982711)|
 
 
 Role Defaults
@@ -39,9 +56,12 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:---------|
 |`keycloak_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
+|`keycloak_ha_discovery`| Discovery protocol for HA cluster members | `JDBC_PING` if `keycloak_db_enabled` else `TCPPING` |
 |`keycloak_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_ha_enabled` is True, else `False` |
+|`keycloak_remote_cache_enabled`| Enable remote cache store when in clustered ha configurations | `True` if `keycloak_ha_enabled` else `False` |
 |`keycloak_admin_user`| Administration console user account | `admin` |
 |`keycloak_bind_address`| Address for binding service ports | `0.0.0.0` |
+|`keycloak_management_port_bind_address`| Address for binding management ports | `127.0.0.1` |
 |`keycloak_host`| hostname | `localhost` |
 |`keycloak_http_port`| HTTP port | `8080` |
 |`keycloak_https_port`| TLS HTTP port | `8443` |
@@ -49,49 +69,57 @@ Role Defaults
 |`keycloak_jgroups_port`| jgroups cluster tcp port | `7600` |
 |`keycloak_management_http_port`| Management port | `9990` |
 |`keycloak_management_https_port`| TLS management port | `9993` |
-|`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
-|`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `True` |
+|`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `true` |
 |`keycloak_config_standalone_xml`| filename for configuration | `keycloak.xml` |
 |`keycloak_service_user`| posix account username | `keycloak` |
 |`keycloak_service_group`| posix account group | `keycloak` |
-|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak.pid` |
-|`jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-devel` |
+|`keycloak_service_restart_always`| systemd restart always behavior activation | `False` |
+|`keycloak_service_restart_on_failure`| systemd restart on-failure behavior activation | `False` |
+|`keycloak_service_startlimitintervalsec`| systemd StartLimitIntervalSec | `300` |
+|`keycloak_service_startlimitburst`| systemd StartLimitBurst | `5` |
+|`keycloak_service_restartsec`| systemd RestartSec | `10s` |
+|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak/keycloak.pid` |
+|`keycloak_features` | List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]` | `[]`
+|`keycloak_jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-headless` |
+|`keycloak_java_home`| `JAVA_HOME` of installed JRE, leave empty for using RPM path at `keycloak_jvm_package` | `None` |
+|`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
 
 
 * Install options
 
 | Variable | Description | Default |
 |:---------|:------------|:---------|
-|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation  | `False` |
-|`keycloak_offline_install` | perform an offline install | `False`|
-|`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`| 
-|`keycloak_rhsso_download_url`| Download URL for RHSSO | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=<productID>`|
-|`keycloak_version`| keycloak.org package version | `15.0.2` |
-|`keycloak_rhsso_version`| RHSSO version | `7.5.0` |
+|`keycloak_offline_install` | perform an offline install | `false`|
+|`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`|
+|`keycloak_version`| keycloak.org package version | `18.0.2` |
 |`keycloak_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
-|`keycloak_rhn_url` | Base download URI for customer portal | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=` |
+|`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `false` |
 
 
 * Miscellaneous configuration
 
 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_archive` | keycloak install archive filename | `keycloak-{{ keycloak_version }}.zip` |
+|`keycloak_archive` | keycloak install archive filename | `keycloak-legacy-{{ keycloak_version }}.zip` |
 |`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` |
 |`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` |
-|`keycloak_rhsso_archive` | Red Hat SSO install archive filename | `rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip` |
-|`keycloak_rhsso_installdir`| Installation path for Red Hat SSO | `{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\.([0-9]*).*', '\1.\2') }}` |
-|`keycloak_rhsso_download_url`| Full download URI for Red Hat SSO | `{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}` |
-|`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}` |
+|`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir }}` |
+|`keycloak_jboss_port_offset` | Port offset for the JBoss socket binding | `0` |
 |`keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` |
 |`keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` |
+|`keycloak_config_override_template` | Path to custom template for standalone.xml configuration | `''` |
 |`keycloak_auth_realm` | Name for rest authentication realm | `master` |
 |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
-|`keycloak_force_install` | Remove pre-existing versions of service | `False` |
-|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
-|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
-|`rhsso_rhn_id` | Customer Portal product ID for Red Hat SSO | `{{ rhsso_rhn_ids[keycloak_rhsso_version] }}` |
+|`keycloak_force_install` | Remove pre-existing versions of service | `false` |
+|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}` |
+|`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}` |
+|`keycloak_frontend_url_force` | Force backend requests to use the frontend URL | `false` |
+|`keycloak_db_background_validation` | Enable background validation of database connection | `false` |
+|`keycloak_db_background_validation_millis`| How frequenly the connection pool is validated in the background | `10000` if background validation enabled |
+|`keycloak_db_background_validate_on_match` | Enable validate on match for database connections | `false` |
+|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |
+|`keycloak_log_target`| Set the destination of the keycloak log folder link | `/var/log/keycloak` |
 
 
 Role Variables
@@ -101,26 +129,29 @@ The following are a set of _required_ variables for the role:
 
 | Variable | Description |
 |:---------|:------------|
-|`keycloak_admin_password`| Password for the administration console user account |
+|`keycloak_admin_password`| Password for the administration console user account (minimum 12 characters) |
+|`keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |
 
 
-The following variables are _required_ only when `keycloak_ha_enabled` is True:
+The following parameters are _required_ only when `keycloak_ha_enabled` is true:
 
 | Variable | Description | Default |
-|:---------|:------------|:---------|
-|`keycloak_modcluster_url` | URL for the modcluster reverse proxy | `localhost` |
-|`keycloak_frontend_url` | frontend URL for keycloak endpoints when a reverse proxy is used | `http://localhost` |
-|`keycloak_jdbc_engine` | backend database flavour when db is enabled: [ postgres, mariadb ] | `postgres` |
-|`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
-|`infinispan_user` | username for connecting to infinispan | `supervisor` |
-|`infinispan_pass` | password for connecting to infinispan | `supervisor` |
-|`infinispan_sasl_mechanism`| Authentication type | `SCRAM-SHA-512` |
-|`infinispan_use_ssl`| Enable hotrod TLS communication | `False` |
-|`infinispan_trust_store_path`| Path to truststore with infinispan server certificate | `/etc/pki/java/cacerts` |
-|`infinispan_trust_store_password`| Password for opening truststore | `changeit` |
+|:---------|:------------|:--------|
+|`keycloak_modcluster_enabled`| Enable configuration for modcluster subsystem | `True` if `keycloak_ha_enabled` is True, else `False` |
+|`keycloak_modcluster_url` | _deprecated_ Host for the modcluster reverse proxy | `localhost` |
+|`keycloak_modcluster_port` | _deprecated_ Port for the modcluster reverse proxy | `6666` |
+|`keycloak_modcluster_urls` | List of {host,port} dicts for the modcluster reverse proxies | `[ { localhost:6666 } ]` |
+|`keycloak_jdbc_engine` | backend database engine when db is enabled: [ postgres, mariadb, sqlserver ] | `postgres` |
+|`keycloak_infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
+|`keycloak_infinispan_user` | username for connecting to infinispan | `supervisor` |
+|`keycloak_infinispan_pass` | password for connecting to infinispan | `supervisor` |
+|`keycloak_infinispan_sasl_mechanism`| Authentication type | `SCRAM-SHA-512` |
+|`keycloak_infinispan_use_ssl`| Enable hotrod TLS communication | `False` |
+|`keycloak_infinispan_trust_store_path`| Path to truststore with infinispan server certificate | `/etc/pki/java/cacerts` |
+|`keycloak_infinispan_trust_store_password`| Password for opening truststore | `changeit` |
 
 
-The following variables are _required_ only when `keycloak_db_enabled` is True:
+The following parameters are _required_ only when `keycloak_db_enabled` is true:
 
 | Variable | Description | Default |
 |:---------|:------------|:---------|
@@ -130,46 +161,26 @@ The following variables are _required_ only when `keycloak_db_enabled` is True:
 |`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` |
 
 
-Example Playbooks
+The following variables are _optional_:
+
+| Variable | Description |
+|:---------|:------------|
+|`keycloak_db_valid_conn_sql` | Override the default database connection validation query sql |
+|`keycloak_admin_url` | Override the default administration endpoint URL |
+|`keycloak_jgroups_subnet`| Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration |
+
+Example Playbook
 -----------------
 
-_NOTE_: use ansible vaults or other security systems for storing credentials.
-
-
 * The following is an example playbook that makes use of the role to install keycloak from remote:
 
 ```yaml
 ---
 - hosts: ...
-      collections:
-        - middleware_automation.keycloak
-      tasks:
-        - name: Include keycloak role
-          include_role:
-            name: keycloak
-          vars:
-            keycloak_admin_password: "changeme"
-```
-
-* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN:
-
-```yaml
----
-- name: Playbook for RHSSO
-  hosts: keycloak
-  collections:
-    - middleware_automation.redhat_csp_download
-  roles:
-    - redhat_csp_download
-  tasks:
-    - name: Keycloak Role
-      include_role:
-        name: keycloak
       vars:
-        keycloak_admin_password: "changeme"
-        keycloak_rhsso_enable: True
-        rhn_username: '<customer portal username>'
-        rhn_password: '<customer portal password>'
+        keycloak_admin_password: "remembertochangeme"
+      roles:
+        - middleware_automation.keycloak.keycloak
 ```
 
 
@@ -185,49 +196,11 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
           include_role:
             name: keycloak
           vars:
-            keycloak_admin_password: "changeme"
-            keycloak_offline_install: True
+            keycloak_admin_password: "remembertochangeme"
+            keycloak_offline_install: true
             # This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip
 ```
 
-
-* This playbook installs Red Hat Single Sign-On from an alternate url:
-
-```yaml
----
-- hosts: keycloak
-  collections:
-    - middleware_automation.keycloak
-  tasks:
-    - name: Keycloak Role
-      include_role:
-        name: keycloak
-      vars:
-        keycloak_admin_password: "changeme"
-        keycloak_rhsso_enable: True
-        keycloak_rhsso_download_url: "<REPLACE with download url>"
-        # This should be the full of remote source rhsso zip file and can contain basic authentication credentials
-```
-
-
-* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from the controller node:
-
-```yaml
----
-- hosts: keycloak
-  collections:
-    - middleware_automation.keycloak
-  tasks:
-    - name: Keycloak Role
-      include_role:
-        name: keycloak
-      vars:
-        keycloak_admin_password: "changeme"
-        keycloak_rhsso_enable: True
-        keycloak_offline_install: True
-        # This should be the filename of rhsso zip file on Ansible node: rh-sso-7.5-server-dist.zip
-```
-
 License
 -------
 

roles/keycloak/defaults/main.yml

@@ -1,34 +1,41 @@
 ---
 ### Configuration specific to keycloak
-keycloak_version: 15.0.2
-keycloak_archive: "keycloak-{{ keycloak_version }}.zip"
-keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"  
+keycloak_version: 18.0.2
+keycloak_archive: "keycloak-legacy-{{ keycloak_version }}.zip"
+keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
 keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
 keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
-
-### Configuration specific to Red Hat Single Sing-On
-keycloak_rhsso_version: 7.5.0
-rhsso_rhn_id: "{{ rhsso_rhn_ids[keycloak_rhsso_version] }}"
-keycloak_rhsso_archive: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
-keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
-keycloak_rhn_url: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId='
-keycloak_rhsso_download_url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}"
-
-### keycloak/rhsso choice: by default install rhsso if rhn credentials are defined
-keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}"
-# whether to install from local archive; filename must be keycloak_archive or keycloak_rhsso_archive depending on keycloak_rhsso_enable
-keycloak_offline_install: False
+keycloak_offline_install: false
 
 ### Install location and service settings
-jvm_package: java-1.8.0-openjdk-devel
+keycloak_java_home:
 keycloak_dest: /opt/keycloak
-keycloak_jboss_home: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
+keycloak_jboss_home: "{{ keycloak_installdir }}"
+keycloak_jboss_port_offset: 0
 keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
 keycloak_config_standalone_xml: "keycloak.xml"
 keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
+keycloak_config_override_template: ''
+keycloak_config_path_to_properties: "{{ keycloak_jboss_home }}/standalone/configuration/profile.properties"
+keycloak_service_runas: false
 keycloak_service_user: keycloak
 keycloak_service_group: keycloak
-keycloak_service_pidfile: "/run/keycloak.pid"
+keycloak_service_pidfile: "/run/keycloak/keycloak.pid"
+keycloak_service_name: keycloak
+keycloak_service_desc: Keycloak
+keycloak_service_start_delay: 10
+keycloak_service_start_retries: 25
+keycloak_service_restart_always: false
+keycloak_service_restart_on_failure: false
+keycloak_service_startlimitintervalsec: "300"
+keycloak_service_startlimitburst: "5"
+keycloak_service_restartsec: "10s"
+
+keycloak_configure_firewalld: false
+keycloak_configure_iptables: false
+
+### administrator console password
+keycloak_admin_password: ''
 
 ### Common configuration settings
 keycloak_bind_address: 0.0.0.0
@@ -37,42 +44,62 @@ keycloak_http_port: 8080
 keycloak_https_port: 8443
 keycloak_ajp_port: 8009
 keycloak_jgroups_port: 7600
+keycloak_jgroups_subnet:
+keycloak_management_port_bind_address: 127.0.0.1
 keycloak_management_http_port: 9990
 keycloak_management_https_port: 9993
 keycloak_java_opts: "-Xms1024m -Xmx2048m"
-keycloak_prefer_ipv4: True
+keycloak_prefer_ipv4: true
+keycloak_features: []
 
 ### Enable configuration for database backend, clustering and remote caches on infinispan
-keycloak_ha_enabled: False
+keycloak_ha_enabled: false
 ### Enable database configuration, must be enabled when HA is configured
 keycloak_db_enabled: "{{ True if keycloak_ha_enabled else False }}"
+### Discovery protocol for ha cluster members, valus [ 'JDBC_PING', 'TCPPING' ]
+keycloak_ha_discovery: "{{ 'JDBC_PING' if keycloak_db_enabled else 'TCPPING' }}"
+### Remote cache store on infinispan cluster
+keycloak_remote_cache_enabled: "{{ True if keycloak_ha_enabled else False }}"
 
 ### Keycloak administration console user
 keycloak_admin_user: admin
 keycloak_auth_realm: master
 keycloak_auth_client: admin-cli
 
-keycloak_force_install: False
+keycloak_force_install: false
 
-### mod_cluster reverse proxy
+### mod_cluster reverse proxy list
+keycloak_modcluster_enabled: "{{ True if keycloak_ha_enabled else False }}"
 keycloak_modcluster_url: localhost
-keycloak_frontend_url: http://localhost
+keycloak_modcluster_port: 6666
+keycloak_modcluster_urls:
+  - host: "{{ keycloak_modcluster_url }}"
+    port: "{{ keycloak_modcluster_port }}"
+
+### keycloak frontend url
+keycloak_frontend_url: http://localhost:8080/auth/
+keycloak_frontend_url_force: false
+keycloak_admin_url:
 
 ### infinispan remote caches access (hotrod)
-infinispan_user: supervisor
-infinispan_pass: supervisor
-infinispan_url: localhost
-infinispan_sasl_mechanism: SCRAM-SHA-512
-infinispan_use_ssl: False
+keycloak_infinispan_user: supervisor
+keycloak_infinispan_pass: supervisor
+keycloak_infinispan_url: localhost
+keycloak_infinispan_sasl_mechanism: SCRAM-SHA-512
+keycloak_infinispan_use_ssl: false
 # if ssl is enabled, import ispn server certificate here
-infinispan_trust_store_path: /etc/pki/java/cacerts
-infinispan_trust_store_password: changeit
+keycloak_infinispan_trust_store_path: /etc/pki/java/cacerts
+keycloak_infinispan_trust_store_password: changeit
 
-### database backend engine: values [ 'postgres', 'mariadb' ]
+### database backend engine: values [ 'postgres', 'mariadb', 'sqlserver' ]
 keycloak_jdbc_engine: postgres
 ### database backend credentials
 keycloak_db_user: keycloak-user
 keycloak_db_pass: keycloak-pass
+## connection validation
+keycloak_db_background_validation: false
+keycloak_db_background_validation_millis: "{{ 10000 if keycloak_db_background_validation else 0 }}"
+keycloak_db_background_validate_on_match: false
 keycloak_jdbc_url: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
 keycloak_jdbc_driver_version: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
 # override the variables above, following defaults show minimum supported versions
@@ -83,3 +110,15 @@ keycloak_default_jdbc:
   mariadb:
     url: 'jdbc:mariadb://localhost:3306/keycloak'
     version: 2.7.4
+  sqlserver:
+    url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;'
+    version: 12.2.0
+# role specific vars
+keycloak_no_log: true
+
+### logging configuration
+keycloak_log_target: /var/log/keycloak
+
+# locations
+keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
+keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"

roles/keycloak/handlers/main.yml

@@ -1,3 +1,4 @@
 ---
-- name: restart keycloak
-  include_tasks: restart_keycloak.yml
+- name: "Restart handler"
+  ansible.builtin.include_tasks: restart_keycloak.yml
+  listen: "restart keycloak"

roles/keycloak/meta/argument_specs.yml

@@ -2,277 +2,384 @@ argument_specs:
     main:
         options:
             keycloak_version:
-                # line 3 of keycloak/defaults/main.yml
-                default: "15.0.2"
+                default: "18.0.2"
                 description: "keycloak.org package version"
                 type: "str"
             keycloak_archive:
-                # line 4 of keycloak/defaults/main.yml
-                default: "keycloak-{{ keycloak_version }}.zip"
+                default: "keycloak-legacy-{{ keycloak_version }}.zip"
                 description: "keycloak install archive filename"
                 type: "str"
+            keycloak_configure_iptables:
+                default: false
+                description: "Ensure iptables is running and configure keycloak ports"
+                type: "bool"
+            keycloak_configure_firewalld:
+                default: false
+                description: "Ensure firewalld is running and configure keycloak ports"
+                type: "bool"
             keycloak_download_url:
-                # line 5 of keycloak/defaults/main.yml
                 default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
                 description: "Download URL for keycloak"
                 type: "str"
             keycloak_download_url_9x:
-                # line 6 of keycloak/defaults/main.yml
                 default: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
                 description: "Download URL for keycloak (deprecated)"
                 type: "str"
             keycloak_installdir:
-                # line 7 of keycloak/defaults/main.yml
                 default: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
                 description: "Installation path"
                 type: "str"
-            keycloak_rhsso_version:
-                # line 10 of keycloak/defaults/main.yml
-                default: "7.5.0"
-                description: "Red Hat Single Sign-On version"
-                type: "str"
-            rhsso_rhn_id:
-                # line 11 of keycloak/defaults/main.yml
-                default: "{{ rhsso_rhn_ids[keycloak_rhsso_version] }}"
-                description: "Customer Portal product ID for Red Hat SSO"
-                type: "str"
-            keycloak_rhsso_archive:
-                # line 12 of keycloak/defaults/main.yml
-                default: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
-                description: "ed Hat SSO install archive filename"
-                type: "str"
-            keycloak_rhsso_installdir:
-                # line 13 of keycloak/defaults/main.yml
-                default: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
-                description: "Installation path for Red Hat SSO"
-                type: "str"
-            keycloak_rhn_url:
-                # line 14 of keycloak/defaults/main.yml
-                default: "https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId="
-                description: "Base download URI for customer portal"
-                type: "str"
-            keycloak_rhsso_download_url:
-                # line 15 of keycloak/defaults/main.yml
-                default: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}"
-                description: "Full download URI for Red Hat SSO"
-                type: "str"
-            keycloak_rhsso_enable:
-                # line 18 of keycloak/defaults/main.yml
-                default: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}"
-                description: "Enable Red Hat Single Sign-on installation"
-                type: "str"
             keycloak_offline_install:
-                # line 20 of keycloak/defaults/main.yml
                 default: false
                 description: "Perform an offline install"
                 type: "bool"
-            jvm_package:
-                # line 23 of keycloak/defaults/main.yml
-                default: "java-1.8.0-openjdk-devel"
+            keycloak_jvm_package:
+                default: "java-1.8.0-openjdk-headless"
                 description: "RHEL java package runtime rpm"
                 type: "str"
+            keycloak_java_home:
+                description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path"
+                type: "str"
             keycloak_dest:
-                # line 24 of keycloak/defaults/main.yml
                 default: "/opt/keycloak"
                 description: "Root installation directory"
                 type: "str"
             keycloak_jboss_home:
-                # line 25 of keycloak/defaults/main.yml
-                default: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
+                default: "{{ keycloak_installdir }}"
                 description: "Installation work directory"
                 type: "str"
+            keycloak_jboss_port_offset:
+                default: 0
+                description: "Port offset for the JBoss socket binding"
+                type: "int"
             keycloak_config_dir:
-                # line 26 of keycloak/defaults/main.yml
                 default: "{{ keycloak_jboss_home }}/standalone/configuration"
                 description: "Path for configuration"
                 type: "str"
             keycloak_config_standalone_xml:
-                # line 27 of keycloak/defaults/main.yml
                 default: "keycloak.xml"
                 description: "Service configuration filename"
                 type: "str"
             keycloak_config_path_to_standalone_xml:
-                # line 28 of keycloak/defaults/main.yml
                 default: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
                 description: "Custom path for configuration"
                 type: "str"
+            keycloak_config_override_template:
+                default: ""
+                description: "Path to custom template for standalone.xml configuration"
+                type: "str"
+            keycloak_service_runas:
+                default: false
+                description: "Enable execution of service as `keycloak_service_user`"
+                type: "bool"
             keycloak_service_user:
-                # line 29 of keycloak/defaults/main.yml
                 default: "keycloak"
                 description: "posix account username"
                 type: "str"
             keycloak_service_group:
-                # line 30 of keycloak/defaults/main.yml
                 default: "keycloak"
                 description: "posix account group"
                 type: "str"
             keycloak_service_pidfile:
-                # line 31 of keycloak/defaults/main.yml
-                default: "/run/keycloak.pid"
+                default: "/run/keycloak/keycloak.pid"
                 description: "PID file path for service"
                 type: "str"
+            keycloak_features:
+                default: "[]"
+                description: >
+                  List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`,
+                  example: `[ { name: 'docker', status: 'enabled' } ]`
+                type: "list"
             keycloak_bind_address:
-                # line 34 of keycloak/defaults/main.yml
                 default: "0.0.0.0"
                 description: "Address for binding service ports"
                 type: "str"
+            keycloak_management_port_bind_address:
+                default: "127.0.0.1"
+                description: "Address for binding the management ports"
+                type: "str"
             keycloak_host:
-                # line 35 of keycloak/defaults/main.yml
                 default: "localhost"
                 description: "Hostname for service"
                 type: "str"
             keycloak_http_port:
-                # line 36 of keycloak/defaults/main.yml
                 default: 8080
                 description: "Listening HTTP port"
                 type: "int"
             keycloak_https_port:
-                # line 37 of keycloak/defaults/main.yml
                 default: 8443
                 description: "Listening HTTPS port"
                 type: "int"
             keycloak_ajp_port:
-                # line 38 of keycloak/defaults/main.yml
                 default: 8009
                 description: "Listening AJP port"
                 type: "int"
             keycloak_jgroups_port:
-                # line 39 of keycloak/defaults/main.yml
                 default: 7600
                 description: "jgroups cluster tcp port"
                 type: "int"
             keycloak_management_http_port:
-                # line 40 of keycloak/defaults/main.yml
                 default: 9990
                 description: "Management port (http)"
                 type: "int"
             keycloak_management_https_port:
-                # line 41 of keycloak/defaults/main.yml
                 default: 9993
                 description: "Management port (https)"
                 type: "int"
             keycloak_java_opts:
-                # line 42 of keycloak/defaults/main.yml
                 default: "-Xms1024m -Xmx2048m"
                 description: "Additional JVM options"
                 type: "str"
             keycloak_prefer_ipv4:
-                # line 43 of keycloak/defaults/main.yml
                 default: true
                 description: "Prefer IPv4 stack and addresses for port binding"
                 type: "bool"
             keycloak_ha_enabled:
-                # line 46 of keycloak/defaults/main.yml
                 default: false
                 description: "Enable auto configuration for database backend, clustering and remote caches on infinispan"
                 type: "bool"
+            keycloak_ha_discovery:
+                default: "{{ 'JDBC_PING' if keycloak_db_enabled else 'TCPPING' }}"
+                description: "Discovery protocol for HA cluster members"
+                type: "str"
             keycloak_db_enabled:
-                # line 48 of keycloak/defaults/main.yml
                 default: "{{ True if keycloak_ha_enabled else False }}"
                 description: "Enable auto configuration for database backend"
-                type: "str"
+                type: "bool"
             keycloak_admin_user:
-                # line 51 of keycloak/defaults/main.yml
                 default: "admin"
                 description: "Administration console user account"
                 type: "str"
             keycloak_auth_realm:
-                # line 52 of keycloak/defaults/main.yml
                 default: "master"
                 description: "Name for rest authentication realm"
                 type: "str"
             keycloak_auth_client:
-                # line 53 of keycloak/defaults/main.yml
                 default: "admin-cli"
                 description: "Authentication client for configuration REST calls"
                 type: "str"
             keycloak_force_install:
-                # line 55 of keycloak/defaults/main.yml
                 default: false
                 description: "Remove pre-existing versions of service"
                 type: "bool"
+            keycloak_modcluster_enabled:
+                default: "{{ True if keycloak_ha_enabled else False }}"
+                description: "Enable configuration for modcluster subsystem"
+                type: "bool"
             keycloak_modcluster_url:
-                # line 58 of keycloak/defaults/main.yml
                 default: "localhost"
                 description: "URL for the modcluster reverse proxy"
                 type: "str"
+            keycloak_modcluster_port:
+                default: 6666
+                description: "Port for the modcluster reverse proxy"
+                type: "int"
+            keycloak_modcluster_urls:
+                default: "[ { host: 'localhost', port: 6666 } ]"
+                description: "List of modproxy node URLs in the format { host, port } for the modcluster reverse proxy"
+                type: "list"
             keycloak_frontend_url:
-                # line 59 of keycloak/defaults/main.yml
                 default: "http://localhost"
                 description: "Frontend URL for keycloak endpoints when a reverse proxy is used"
                 type: "str"
-            infinispan_user:
-                # line 62 of keycloak/defaults/main.yml
+            keycloak_frontend_url_force:
+                default: false
+                description: "Force backend requests to use the frontend URL"
+                type: "bool"
+            keycloak_infinispan_user:
                 default: "supervisor"
                 description: "Username for connecting to infinispan"
                 type: "str"
-            infinispan_pass:
-                # line 63 of keycloak/defaults/main.yml
+            keycloak_infinispan_pass:
                 default: "supervisor"
                 description: "Password for connecting to infinispan"
                 type: "str"
-            infinispan_url:
-                # line 64 of keycloak/defaults/main.yml
+            keycloak_infinispan_url:
                 default: "localhost"
                 description: "URL for the infinispan remote-cache server"
                 type: "str"
-            infinispan_sasl_mechanism:
-                # line 65 of keycloak/defaults/main.yml
+            keycloak_infinispan_sasl_mechanism:
                 default: "SCRAM-SHA-512"
                 description: "Authentication type to infinispan server"
                 type: "str"
-            infinispan_use_ssl:
-                # line 66 of keycloak/defaults/main.yml
+            keycloak_infinispan_use_ssl:
                 default: false
                 description: "Enable hotrod client TLS communication"
                 type: "bool"
-            infinispan_trust_store_path:
-                # line 68 of keycloak/defaults/main.yml
+            keycloak_infinispan_trust_store_path:
                 default: "/etc/pki/java/cacerts"
                 description: "TODO document argument"
                 type: "str"
-            infinispan_trust_store_password:
-                # line 69 of keycloak/defaults/main.yml
+            keycloak_infinispan_trust_store_password:
                 default: "changeit"
                 description: "Path to truststore containing infinispan server certificate"
                 type: "str"
             keycloak_jdbc_engine:
-                # line 72 of keycloak/defaults/main.yml
                 default: "postgres"
-                description: "Backend database flavour when db is enabled: [ postgres, mariadb ]"
+                description: "Backend database flavour when db is enabled: [ postgres, mariadb, sqlserver ]"
                 type: "str"
             keycloak_db_user:
-                # line 74 of keycloak/defaults/main.yml
                 default: "keycloak-user"
                 description: "Username for connecting to database"
                 type: "str"
             keycloak_db_pass:
-                # line 75 of keycloak/defaults/main.yml
                 default: "keycloak-pass"
                 description: "Password for connecting to database"
                 type: "str"
             keycloak_jdbc_url:
-                # line 76 of keycloak/defaults/main.yml
                 default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
                 description: "URL for connecting to backend database"
                 type: "str"
             keycloak_jdbc_driver_version:
-                # line 77 of keycloak/defaults/main.yml
                 default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
                 description: "Version for the JDBC driver to download"
                 type: "str"
             keycloak_admin_password:
-                # line 4 of keycloak/vars/main.yml
                 required: true
                 description: "Password for the administration console user account"
                 type: "str"
             keycloak_url:
-                # line 12 of keycloak/vars/main.yml
-                default: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
+                default: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
                 description: "URL for configuration rest calls"
                 type: "str"
             keycloak_management_url:
-                # line 13 of keycloak/vars/main.yml
-                default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
+                default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"
                 description: "URL for management console rest calls"
                 type: "str"
+            keycloak_service_name:
+                default: "keycloak"
+                description: "systemd service name for keycloak"
+                type: "str"
+            keycloak_service_desc:
+                default: "Keycloak"
+                description: "systemd description for keycloak"
+                type: "str"
+            keycloak_service_start_delay:
+                default: "10"
+                description: "Expected delay in ms before the service is expected to be available after start."
+                type: "int"
+            keycloak_service_start_retries:
+                default: "25"
+                description: "How many time should Ansible retry to connect to the service after it was started, before failing."
+                type: "int"
+            keycloak_service_restart_always:
+                default: false
+                description: "systemd restart always behavior activation for keycloak"
+                type: "bool"
+            keycloak_service_restart_on_failure:
+                default: false
+                description: "systemd restart on-failure behavior activation for keycloak"
+                type: "bool"
+            keycloak_service_startlimitintervalsec:
+                default: 300
+                description: "systemd StartLimitIntervalSec for keycloak"
+                type: "int"
+            keycloak_service_startlimitburst:
+                default: 5
+                description: "systemd StartLimitBurst for keycloak"
+                type: "int"
+            keycloak_service_restartsec:
+                default: "5s"
+                description: "systemd RestartSec for keycloak"
+                type: "str"
+            keycloak_no_log:
+                default: true
+                type: "bool"
+                description: "Changes default behavior for no_log for debugging purpose, do not change for production system."
+            keycloak_remote_cache_enabled:
+                default: "{{ True if keycloak_ha_enabled else False }}"
+                description: "Enable remote cache store when in clustered ha configurations"
+                type: "bool"
+            keycloak_db_background_validation:
+                default: false
+                description: "Enable background validation of database connection"
+                type: "bool"
+            keycloak_db_background_validation_millis:
+                default: "{{ 10000 if keycloak_db_background_validation else 0 }}"
+                description: "How frequenly the connection pool is validated in the background"
+                type: 'int'
+            keycloak_db_background_validate_on_match:
+                default: false
+                description: "Enable validate on match for database connections"
+                type: "bool"
+            keycloak_db_valid_conn_sql:
+                required: false
+                description: "Override the default database connection validation query sql"
+                type: "str"
+            keycloak_admin_url:
+                required: false
+                description: "Override the default administration endpoint URL"
+                type: "str"
+            keycloak_jgroups_subnet:
+                required: false
+                description: >
+                  Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration
+                type: "str"
+            keycloak_log_target:
+                default: '/var/log/keycloak'
+                type: "str"
+                description: "Set the destination of the keycloak log folder link"
+            keycloak_jdbc_download_url:
+                description: "Override the default Maven Central download URL for the JDBC driver"
+                type: "str"
+            keycloak_jdbc_download_user:
+                description: "Set a username with which to authenticate when downloading JDBC drivers from an alternative location"
+                type: "str"
+            keycloak_jdbc_download_pass:
+                description: >
+                  Set a password with which to authenticate when downloading JDBC drivers from an alternative location (requires keycloak_jdbc_download_user)
+                type: "str"
+            keycloak_jdbc_download_validate_certs:
+                default: true
+                description: "Allow the option to ignore invalid certificates when downloading JDBC drivers from a custom URL"
+                type: "bool"
+    downstream:
+        options:
+            sso_version:
+                default: "7.6.0"
+                description: "Red Hat Single Sign-On version"
+                type: "str"
+            sso_archive:
+                default: "rh-sso-{{ sso_version }}-server-dist.zip"
+                description: "Red Hat SSO install archive filename"
+                type: "str"
+            sso_dest:
+                default: "/opt/sso"
+                description: "Root installation directory"
+                type: "str"
+            sso_installdir:
+                default: "{{ sso_dest }}/rh-sso-{{ sso_version.split('.')[0] }}.{{ sso_version.split('.')[1] }}"
+                description: "Installation path for Red Hat SSO"
+                type: "str"
+            sso_apply_patches:
+                default: false
+                description: "Install Red Hat SSO most recent cumulative patch"
+                type: "bool"
+            sso_enable:
+                default: true
+                description: "Enable Red Hat Single Sign-on installation"
+                type: "str"
+            sso_offline_install:
+                default: false
+                description: "Perform an offline install"
+                type: "bool"
+            sso_service_name:
+                default: "sso"
+                description: "systemd service name for Single Sign-On"
+                type: "str"
+            sso_service_desc:
+                default: "Red Hat Single Sign-On"
+                description: "systemd description for Red Hat Single Sign-On"
+                type: "str"
+            sso_patch_version:
+                required: false
+                description: "Red Hat Single Sign-On latest cumulative patch version to apply; defaults to latest version when sso_apply_patches is True"
+                type: "str"
+            sso_patch_bundle:
+                default: "rh-sso-{{ sso_patch_version | default('[0-9]+[.][0-9]+[.][0-9]+') }}-patch.zip"
+                description: "Red Hat SSO patch archive filename"
+                type: "str"
+            sso_product_category:
+                default: "core.service.rhsso"
+                description: "JBossNetwork API category for Single Sign-On"
+                type: "str"

roles/keycloak/meta/main.yml

@@ -1,27 +1,29 @@
 ---
 collections:
-  - middleware_automation.redhat_csp_download
-  - middleware_automation.wildfly
+  - middleware_automation.common
+  - ansible.posix
 
 galaxy_info:
   role_name: keycloak
   namespace: middleware_automation
   author: Romain Pelisse, Guido Grazioli, Pavan Kumar Motaparthi
-  description: Install keycloak or Red Hat Single Sing-On server configurations
+  description: Install keycloak or Red Hat Single Sign-On server configurations
   company: Red Hat, Inc.
 
   license: Apache License 2.0
 
-  min_ansible_version: "2.9"
+  min_ansible_version: "2.16"
 
   platforms:
-   - name: EL
-     versions:
-     - 8
+    - name: EL
+      versions:
+        - "8"
 
   galaxy_tags:
     - keycloak
     - redhat
     - rhel
-    - rhn
-    - sso
+    - sso
+    - authentication
+    - identity
+    - security

roles/keycloak/tasks/debian.yml

@@ -0,0 +1,10 @@
+---
+- name: Include firewall config tasks
+  ansible.builtin.include_tasks:
+    file: iptables.yml
+    apply:
+      tags:
+        - firewall
+  when: keycloak_configure_iptables
+  tags:
+    - firewall

roles/keycloak/tasks/fastpackages.yml

@@ -0,0 +1,31 @@
+---
+- name: "Check if packages are already installed" # noqa command-instead-of-module this runs faster
+  ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
+  register: rpm_info
+  changed_when: false
+  failed_when: false
+  when: ansible_facts.os_family == "RedHat"
+
+- name: "Add missing packages to the yum install list"
+  ansible.builtin.set_fact:
+    packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | \
+                          map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
+  when: ansible_facts.os_family == "RedHat"
+
+- name: "Install packages: {{ packages_to_install }}"
+  become: true
+  ansible.builtin.dnf:
+    name: "{{ packages_to_install }}"
+    state: present
+  when:
+    - packages_to_install | default([]) | length > 0
+    - ansible_facts.os_family == "RedHat"
+
+- name: "Install packages: {{ packages_list }}"
+  become: true
+  ansible.builtin.package:
+    name: "{{ packages_list }}"
+    state: present
+  when:
+    - packages_list | default([]) | length > 0
+    - ansible_facts.os_family == "Debian"