# keycloak

Install keycloak or Red Hat Single Sign-On server configurations.
## Requirements

This role requires the python3-netaddr library installed on the controller node.

- to install via yum/dnf: `dnf install python3-netaddr`
- to install via apt: `apt install python3-netaddr`
- or via pip: `pip install netaddr==0.8.0`
- or via the collection: `pip install -r requirements.txt`
## Dependencies

The role depends on:

To install all the dependencies via galaxy:

```shell
ansible-galaxy collection install -r requirements.yml
```
## Versions

| RH-SSO VERSION | Release Date | Keycloak Version | EAP Version | Notes |
|---|---|---|---|---|
| | September 20, 2021 | | | |
| | June 30, 2022 | | | |
## Patching

When the variable `keycloak_rhsso_apply_patches` is true (default: false), the role will automatically apply the latest cumulative patch for the selected base version.

| RH-SSO VERSION | Release Date | RH-SSO LATEST CP | Notes |
|---|---|---|---|
| | January 20, 2022 | | |
| | November 11, 2022 | | |
## Role Defaults

- Service configuration

| Variable | Description | Default |
|---|---|---|
| | Enable auto configuration for database backend, clustering and remote caches on infinispan | |
| | Discovery protocol for HA cluster members | |
| | Enable auto configuration for database backend | |
| | Enable remote cache store when in clustered ha configurations | |
| | Administration console user account | |
| | Address for binding service ports | |
| | Address for binding management ports | |
| | hostname | |
| | HTTP port | |
| | TLS HTTP port | |
| | AJP port | |
| | jgroups cluster tcp port | |
| | Management port | |
| | TLS management port | |
| | Prefer IPv4 stack and addresses for port binding | |
| | filename for configuration | |
| | posix account username | |
| | posix account group | |
| | systemd restart always behavior activation | |
| | systemd restart on-failure behavior activation | |
| | systemd StartLimitIntervalSec | |
| | systemd StartLimitBurst | |
| | systemd RestartSec | |
| | pid file path for service | |
| | List of | |
| | RHEL java package runtime | |
| | | |
| | Additional JVM options | |
- Install options

| Variable | Description | Default |
|---|---|---|
| | perform an offline install | |
| | Download URL for keycloak | |
| | keycloak.org package version | |
| | Installation root path | |
| | Download URL for keycloak | |
| | Ensure firewalld is running and configure keycloak ports | |
- Miscellaneous configuration

| Variable | Description | Default |
|---|---|---|
| | keycloak install archive filename | |
| | Download URL for keycloak (deprecated) | |
| | Installation path | |
| | Installation work directory | |
| | Port offset for the JBoss socket binding | |
| | Path for configuration | |
| | Custom path for configuration | |
| | Path to custom template for standalone.xml configuration | |
| | Name for rest authentication realm | |
| | Authentication client for configuration REST calls | |
| | Remove pre-existing versions of service | |
| | URL for configuration rest calls | |
| | URL for management console rest calls | |
| | Force backend requests to use the frontend URL | |
| | Enable background validation of database connection | |
| | How frequently the connection pool is validated in the background | |
| | Enable validate on match for database connections | |
| | frontend URL for keycloak endpoint | |
| | Set the destination of the keycloak log folder link | |
## Role Variables

The following are a set of required variables for the role:

| Variable | Description |
|---|---|
| | Password for the administration console user account (minimum 12 characters) |
| | frontend URL for keycloak endpoint |
The following parameters are required only when `keycloak_ha_enabled` is true:

| Variable | Description | Default |
|---|---|---|
| | Enable configuration for modcluster subsystem | |
| | deprecated Host for the modcluster reverse proxy | |
| | deprecated Port for the modcluster reverse proxy | |
| | List of {host,port} dicts for the modcluster reverse proxies | |
| | backend database engine when db is enabled: [ postgres, mariadb, sqlserver ] | |
| | URL for the infinispan remote-cache server | |
| | username for connecting to infinispan | |
| | password for connecting to infinispan | |
| | Authentication type | |
| | Enable hotrod TLS communication | |
| | Path to truststore with infinispan server certificate | |
| | Password for opening truststore | |
The following parameters are required only when `keycloak_db_enabled` is true:

| Variable | Description | Default |
|---|---|---|
| | URL for the postgres backend database | |
| | Version for the JDBC driver to download | |
| | username for connecting to postgres | |
| | password for connecting to postgres | |
The following variables are optional:

| Variable | Description |
|---|---|
| | Override the default database connection validation query sql |
| | Override the default administration endpoint URL |
| | Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration |
## Example Playbook

- The following is an example playbook that makes use of the role to install keycloak from remote:

```yaml
---
- hosts: ...
  vars:
    keycloak_admin_password: "remembertochangeme"
  roles:
    - middleware_automation.keycloak.keycloak
```

- The following example playbook makes use of the role to install keycloak from the controller node:

```yaml
---
- hosts: ...
  collections:
    - middleware_automation.keycloak
  tasks:
    - name: Include keycloak role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "remembertochangeme"
        keycloak_offline_install: true
        # This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip
```
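As an added example (not taken from the collection's own README), the following playbook ties the required `keycloak_admin_password` variable from the Role Variables section to a precondition check: the password is loaded from an Ansible Vault file and the documented 12-character minimum is asserted before the role runs, with `no_log` so the value never reaches task output or logs. The inventory group `keycloak_servers`, the vault file path `vault/keycloak.yml` and the variable `vault_keycloak_admin_password` are assumptions for the example.

```yaml
---
# Added example playbook, not part of the role's README.
# Assumed: inventory group `keycloak_servers`, an ansible-vault encrypted file
# vault/keycloak.yml that defines `vault_keycloak_admin_password`.
- hosts: keycloak_servers
  become: true
  vars_files:
    - vault/keycloak.yml
  vars:
    # Required by the role; sourced from the vault instead of a plaintext literal.
    keycloak_admin_password: "{{ vault_keycloak_admin_password }}"
  pre_tasks:
    - name: Refuse to run with a missing, short or placeholder admin password
      ansible.builtin.assert:
        that:
          - keycloak_admin_password is defined
          - keycloak_admin_password | length >= 12
          - keycloak_admin_password != "remembertochangeme"
        fail_msg: "keycloak_admin_password must be set, at least 12 characters long, and not the README placeholder"
        quiet: true
      # Keep the password out of the play output even when the assertion fails.
      no_log: true
  roles:
    - middleware_automation.keycloak.keycloak
```

Encrypt the vault file once with `ansible-vault encrypt vault/keycloak.yml` and run the play with `--ask-vault-pass` (or a vault password file); the assertion then fails fast on a weak value without printing it, rather than leaving the role to configure the administration console with it.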
## License

Apache License 2.0