mirror of
https://github.com/ansible-middleware/keycloak.git
synced 2025-04-05 18:30:27 -07:00
320a5f0d9a
This change should avoid storing plain private keys on disk due to security risks. It also makes it easier to encrypt the data with SOPS.
204 lines
6.7 KiB
YAML
204 lines
6.7 KiB
YAML
---
|
|
- name: Validate parameters
|
|
ansible.builtin.assert:
|
|
that:
|
|
- keycloak.home is defined
|
|
- keycloak_quarkus_service_user is defined
|
|
- keycloak_quarkus_dest is defined
|
|
- keycloak_quarkus_archive is defined
|
|
- keycloak_quarkus_download_url is defined
|
|
- keycloak_quarkus_version is defined
|
|
quiet: true
|
|
|
|
- name: Check for an existing deployment
|
|
become: true
|
|
ansible.builtin.stat:
|
|
path: "{{ keycloak.home }}"
|
|
register: existing_deploy
|
|
|
|
- name: "Create {{ keycloak.service_name }} service user/group"
|
|
become: true
|
|
ansible.builtin.user:
|
|
name: "{{ keycloak.service_user }}"
|
|
home: /opt/keycloak
|
|
system: true
|
|
create_home: false
|
|
|
|
- name: "Create {{ keycloak.service_name }} install location"
|
|
become: true
|
|
ansible.builtin.file:
|
|
dest: "{{ keycloak_quarkus_dest }}"
|
|
state: directory
|
|
owner: "{{ keycloak.service_user }}"
|
|
group: "{{ keycloak.service_group }}"
|
|
mode: '0750'
|
|
|
|
- name: Create directory for ansible custom facts
|
|
become: true
|
|
ansible.builtin.file:
|
|
state: directory
|
|
recurse: true
|
|
path: /etc/ansible/facts.d
|
|
|
|
## check remote archive
|
|
- name: Set download archive path
|
|
ansible.builtin.set_fact:
|
|
archive: "{{ keycloak_quarkus_dest }}/{{ keycloak.bundle }}"
|
|
|
|
- name: Check download archive path
|
|
become: true
|
|
ansible.builtin.stat:
|
|
path: "{{ archive }}"
|
|
register: archive_path
|
|
|
|
## download to controller
|
|
- name: Check local download archive path
|
|
ansible.builtin.stat:
|
|
path: "{{ lookup('env', 'PWD') }}"
|
|
register: local_path
|
|
delegate_to: localhost
|
|
become: false
|
|
|
|
- name: Download keycloak archive
|
|
ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
|
|
url: "{{ keycloak_quarkus_download_url }}"
|
|
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
|
|
mode: '0640'
|
|
delegate_to: localhost
|
|
become: false
|
|
run_once: true
|
|
when:
|
|
- archive_path is defined
|
|
- archive_path.stat is defined
|
|
- not archive_path.stat.exists
|
|
- not keycloak.offline_install
|
|
- not rhbk_enable is defined or not rhbk_enable
|
|
|
|
- name: Perform download from RHN using JBoss Network API
|
|
delegate_to: localhost
|
|
run_once: true
|
|
when:
|
|
- archive_path is defined
|
|
- archive_path.stat is defined
|
|
- not archive_path.stat.exists
|
|
- rhbk_enable is defined and rhbk_enable
|
|
- not keycloak.offline_install
|
|
block:
|
|
- name: Retrieve product download using JBoss Network API
|
|
middleware_automation.common.product_search:
|
|
client_id: "{{ rhn_username }}"
|
|
client_secret: "{{ rhn_password }}"
|
|
product_type: DISTRIBUTION
|
|
product_version: "{{ rhbk_version }}"
|
|
product_category: "{{ rhbk_product_category }}"
|
|
register: rhn_products
|
|
no_log: "{{ omit_rhn_output | default(true) }}"
|
|
delegate_to: localhost
|
|
run_once: true
|
|
|
|
- name: Determine install zipfile from search results
|
|
ansible.builtin.set_fact:
|
|
rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/' + rhbk_archive + '$') }}"
|
|
delegate_to: localhost
|
|
run_once: true
|
|
|
|
- name: Download Red Hat Build of Keycloak
|
|
middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
|
|
client_id: "{{ rhn_username }}"
|
|
client_secret: "{{ rhn_password }}"
|
|
product_id: "{{ (rhn_filtered_products | first).id }}"
|
|
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
|
|
no_log: "{{ omit_rhn_output | default(true) }}"
|
|
delegate_to: localhost
|
|
run_once: true
|
|
|
|
- name: Check downloaded archive
|
|
ansible.builtin.stat:
|
|
path: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
|
|
register: local_archive_path
|
|
delegate_to: localhost
|
|
|
|
## copy and unpack
|
|
- name: Copy archive to target nodes
|
|
ansible.builtin.copy:
|
|
src: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
|
|
dest: "{{ archive }}"
|
|
owner: "{{ keycloak.service_user }}"
|
|
group: "{{ keycloak.service_group }}"
|
|
mode: '0640'
|
|
register: new_version_downloaded
|
|
when:
|
|
- not archive_path.stat.exists
|
|
- local_archive_path.stat is defined
|
|
- local_archive_path.stat.exists
|
|
become: true
|
|
|
|
- name: "Check target directory: {{ keycloak.home }}/bin/"
|
|
ansible.builtin.stat:
|
|
path: "{{ keycloak.home }}/bin/"
|
|
register: path_to_workdir
|
|
become: true
|
|
|
|
- name: "Extract Keycloak archive on target" # noqa no-handler need to run this here
|
|
ansible.builtin.unarchive:
|
|
remote_src: true
|
|
src: "{{ archive }}"
|
|
dest: "{{ keycloak_quarkus_dest }}"
|
|
creates: "{{ keycloak.home }}/bin/"
|
|
owner: "{{ keycloak.service_user }}"
|
|
group: "{{ keycloak.service_group }}"
|
|
become: true
|
|
when:
|
|
- (not path_to_workdir.stat.exists) or new_version_downloaded.changed
|
|
notify:
|
|
- restart keycloak
|
|
|
|
- name: Inform decompression was not executed
|
|
ansible.builtin.debug:
|
|
msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
|
|
when:
|
|
- (not new_version_downloaded.changed) and path_to_workdir.stat.exists
|
|
|
|
- name: "Copy private key to target"
|
|
ansible.builtin.copy:
|
|
content: "{{ keycloak_quarkus_key_content }}"
|
|
dest: "{{ keycloak_quarkus_key_file }}"
|
|
owner: "{{ keycloak.service_user }}"
|
|
group: "{{ keycloak.service_group }}"
|
|
mode: 0640
|
|
become: true
|
|
when:
|
|
- keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
|
|
- keycloak_quarkus_key_file_copy_enabled is defined and keycloak_quarkus_key_file_copy_enabled
|
|
- keycloak_quarkus_key_content | length > 0
|
|
|
|
- name: "Copy certificate to target"
|
|
ansible.builtin.copy:
|
|
src: "{{ keycloak_quarkus_cert_file_src }}"
|
|
dest: "{{ keycloak_quarkus_cert_file }}"
|
|
owner: "{{ keycloak.service_user }}"
|
|
group: "{{ keycloak.service_group }}"
|
|
mode: 0644
|
|
become: true
|
|
when:
|
|
- keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
|
|
- keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled
|
|
- keycloak_quarkus_cert_file_src | length > 0
|
|
|
|
- name: "Install {{ keycloak_quarkus_jdbc_engine }} JDBC driver"
|
|
ansible.builtin.include_tasks: jdbc_driver.yml
|
|
when:
|
|
- rhbk_enable is defined and rhbk_enable
|
|
- keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url is defined
|
|
|
|
- name: "Download custom providers"
|
|
ansible.builtin.get_url:
|
|
url: "{{ item.url }}"
|
|
dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar"
|
|
owner: "{{ keycloak.service_user }}"
|
|
group: "{{ keycloak.service_group }}"
|
|
mode: '0640'
|
|
become: true
|
|
loop: "{{ keycloak_quarkus_providers }}"
|
|
when: item.url is defined and item.url | length > 0
|
|
notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}"
|