middleware_automation.keycloak/roles/keycloak/tasks/rhsso_patch.yml

---
## check remote patch archive
- name: Set download patch archive path
  ansible.builtin.set_fact:
    patch_archive: "{{ keycloak_dest }}/{{ sso_patch_bundle }}"
    patch_bundle: "{{ sso_patch_bundle }}"
    patch_version: "{{ sso_patch_version }}"
  when: sso_patch_version is defined

- name: Check download patch archive path
  ansible.builtin.stat:
    path: "{{ patch_archive }}"
  register: patch_archive_path
  when: sso_patch_version is defined
  become: true

- name: Perform patch download from RHN via JBossNetwork API
  delegate_to: localhost
  run_once: true
  when:
    - sso_enable is defined and sso_enable
    - not keycloak_offline_install
    - sso_apply_patches
  block:
    - name: Retrieve product download using JBossNetwork API
      middleware_automation.common.product_search:
        client_id: "{{ rhn_username }}"
        client_secret: "{{ rhn_password }}"
        product_type: BUGFIX
        product_version: "{{ sso_version.split('.')[:2] | join('.') }}"
        product_category: "{{ sso_product_category }}"
      register: rhn_products
      no_log: "{{ omit_rhn_output | default(true) }}"
      delegate_to: localhost
      run_once: true

    - name: Determine patch versions list
      ansible.builtin.set_fact:
        filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | \
                               select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | \
                               map('regex_replace', '[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*(-[0-9])?)-.*', '\\1') | list | unique }}"
      when: sso_patch_version is not defined or sso_patch_version | length == 0
      delegate_to: localhost
      run_once: true

    - name: Determine latest version
      ansible.builtin.set_fact:
        sso_latest_version: "{{ filtered_versions | middleware_automation.common.version_sort | last }}"
      when: sso_patch_version is not defined or sso_patch_version | length == 0
      delegate_to: localhost
      run_once: true

    - name: Determine install zipfile from search results
      ansible.builtin.set_fact:
        rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/rh-sso-' + sso_latest_version + '-patch.zip$') }}"
        patch_bundle: "rh-sso-{{ sso_latest_version }}-patch.zip"
        patch_version: "{{ sso_latest_version }}"
      when: sso_patch_version is not defined or sso_patch_version | length == 0
      delegate_to: localhost
      run_once: true

    - name: "Determine selected patch from supplied version: {{ sso_patch_version }}"
      ansible.builtin.set_fact:
        rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/' + sso_patch_bundle + '$') }}"
        patch_bundle: "{{ sso_patch_bundle }}"
        patch_version: "{{ sso_patch_version }}"
      when: sso_patch_version is defined
      delegate_to: localhost
      run_once: true

    - name: Download Red Hat Single Sign-On patch
      middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
        client_id: "{{ rhn_username }}"
        client_secret: "{{ rhn_password }}"
        product_id: "{{ (rhn_filtered_products | sort | last).id }}"
        dest: "{{ local_path.stat.path }}/{{ patch_bundle }}"
      no_log: "{{ omit_rhn_output | default(true) }}"
      delegate_to: localhost
      run_once: true

- name: Set download patch archive path
  ansible.builtin.set_fact:
    patch_archive: "{{ keycloak_dest }}/{{ patch_bundle }}"

- name: Check download patch archive path
  ansible.builtin.stat:
    path: "{{ patch_archive }}"
  register: patch_archive_path
  become: true

## copy and unpack
- name: Copy patch archive to target nodes
  ansible.builtin.copy:
    src: "{{ local_path.stat.path }}/{{ patch_bundle }}"
    dest: "{{ patch_archive }}"
    owner: "{{ keycloak_service_user }}"
    group: "{{ keycloak_service_group }}"
    mode: '0640'
  register: new_version_downloaded
  when:
    - not patch_archive_path.stat.exists
    - local_archive_path.stat is defined
    - local_archive_path.stat.exists
  become: true

- name: "Check installed patches"
  ansible.builtin.include_tasks: rhsso_cli.yml
  vars:
    query: "patch info"
  args:
    apply:
      become: true
      become_user: "{{ keycloak_service_user }}"

- name: "Perform patching"
  when:
    - cli_result is defined
    - cli_result.stdout is defined
    - patch_version | regex_replace('-[0-9]$', '') not in cli_result.stdout
  block:
    - name: "Apply patch {{ patch_version }} to server"
      ansible.builtin.include_tasks: rhsso_cli.yml
      vars:
        query: "patch apply {{ patch_archive }}"
      args:
        apply:
          become: true
          become_user: "{{ keycloak_service_user }}"

    - name: "Restart server to ensure patch content is running"
      ansible.builtin.include_tasks: rhsso_cli.yml
      vars:
        query: "shutdown --restart"
      when:
        - cli_result.rc == 0
      args:
        apply:
          become: true
          become_user: "{{ keycloak_service_user }}"

    - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
      ansible.builtin.uri:
        url: "{{ keycloak.health_url }}"
      register: keycloak_status
      until: keycloak_status.status == 200
      retries: 25
      delay: 10

    - name: "Query installed patch after restart"
      ansible.builtin.include_tasks: rhsso_cli.yml
      vars:
        query: "patch info"
      args:
        apply:
          become: true
          become_user: "{{ keycloak_service_user }}"

    - name: "Verify installed patch version"
      ansible.builtin.assert:
        that:
          - patch_version not in cli_result.stdout
        fail_msg: "Patch installation failed"
        success_msg: "Patch installation successful"

- name: "Skipping patch"
  ansible.builtin.debug:
    msg: "Cumulative patch {{ patch_version }} already installed, skipping patch installation."
  when:
    - cli_result is defined
    - cli_result.stdout is defined
    - patch_version in cli_result.stdout