mirror of
https://github.com/ansible-middleware/keycloak.git
synced 2025-04-05 10:20:27 -07:00
# keycloak

Install keycloak or Red Hat Single Sign-On server configurations.
## Requirements

This role requires the `python3-netaddr` library installed on the controller node.

- to install via yum/dnf: `dnf install python3-netaddr`
- to install via apt: `apt install python3-netaddr`
- or via pip: `pip install netaddr==0.8.0`
- or via the collection: `pip install -r requirements.txt`
## Dependencies

The role depends on:

To install all the dependencies via galaxy: `ansible-galaxy collection install -r requirements.yml`
## Versions

| RH-SSO VERSION | Release Date | Keycloak Version | EAP Version | Notes |
|---|---|---|---|---|
| 7.5.0 GA | September 20, 2021 | 15.0.2 | 7.4.6 | Release Notes |
| 7.6.0 GA | June 30, 2022 | 18.0.3 | 7.4.6 | Release Notes |
## Patching

When the variable `keycloak_rhsso_apply_patches` is `true` (default: `false`), the role will automatically apply the latest cumulative patch for the selected base version.

| RH-SSO VERSION | Release Date | RH-SSO LATEST CP | Notes |
|---|---|---|---|
| 7.5.0 GA | January 20, 2022 | 7.5.3 GA | Release Notes |
| 7.6.0 GA | November 11, 2022 | 7.6.1 GA | Release Notes |
## Role Defaults

- Service configuration

| Variable | Description | Default |
|---|---|---|
| `keycloak_ha_enabled` | Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
| `keycloak_ha_discovery` | Discovery protocol for HA cluster members | `JDBC_PING` if `keycloak_db_enabled` else `TCPPING` |
| `keycloak_db_enabled` | Enable auto configuration for database backend | `True` if `keycloak_ha_enabled` is `True`, else `False` |
| `keycloak_remote_cache_enabled` | Enable remote cache store when in clustered HA configurations | `True` if `keycloak_ha_enabled` else `False` |
| `keycloak_admin_user` | Administration console user account | `admin` |
| `keycloak_bind_address` | Address for binding service ports | `0.0.0.0` |
| `keycloak_management_port_bind_address` | Address for binding management ports | `127.0.0.1` |
| `keycloak_host` | hostname | `localhost` |
| `keycloak_http_port` | HTTP port | `8080` |
| `keycloak_https_port` | TLS HTTP port | `8443` |
| `keycloak_ajp_port` | AJP port | `8009` |
| `keycloak_jgroups_port` | jgroups cluster TCP port | `7600` |
| `keycloak_management_http_port` | Management port | `9990` |
| `keycloak_management_https_port` | TLS management port | `9993` |
| `keycloak_prefer_ipv4` | Prefer IPv4 stack and addresses for port binding | `true` |
| `keycloak_config_standalone_xml` | filename for configuration | `keycloak.xml` |
| `keycloak_service_user` | POSIX account username | `keycloak` |
| `keycloak_service_group` | POSIX account group | `keycloak` |
| `keycloak_service_restart_always` | systemd restart always behavior activation | `False` |
| `keycloak_service_restart_on_failure` | systemd restart on-failure behavior activation | `False` |
| `keycloak_service_startlimitintervalsec` | systemd StartLimitIntervalSec | `300` |
| `keycloak_service_startlimitburst` | systemd StartLimitBurst | `5` |
| `keycloak_service_restartsec` | systemd RestartSec | `10s` |
| `keycloak_service_pidfile` | pid file path for service | `/run/keycloak/keycloak.pid` |
| `keycloak_features` | List of name/status pairs of features (also known as profiles on RH-SSO) to enable or disable, example: `[ { name: 'docker', status: 'enabled' } ]` | `[]` |
| `keycloak_jvm_package` | RHEL java package runtime | `java-1.8.0-openjdk-headless` |
| `keycloak_java_home` | JAVA_HOME of installed JRE, leave empty for using RPM path at `keycloak_jvm_package` | `None` |
| `keycloak_java_opts` | Additional JVM options | `-Xms1024m -Xmx2048m` |
- Install options

| Variable | Description | Default |
|---|---|---|
| `keycloak_offline_install` | perform an offline install | `false` |
| `keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>` |
| `keycloak_version` | keycloak.org package version | `18.0.2` |
| `keycloak_dest` | Installation root path | `/opt/keycloak` |
| `keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
| `keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `false` |
- Miscellaneous configuration

| Variable | Description | Default |
|---|---|---|
| `keycloak_archive` | keycloak install archive filename | `keycloak-legacy-{{ keycloak_version }}.zip` |
| `keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` |
| `keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` |
| `keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir }}` |
| `keycloak_jboss_port_offset` | Port offset for the JBoss socket binding | `0` |
| `keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` |
| `keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` |
| `keycloak_config_override_template` | Path to custom template for standalone.xml configuration | `''` |
| `keycloak_auth_realm` | Name for REST authentication realm | `master` |
| `keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
| `keycloak_force_install` | Remove pre-existing versions of service | `false` |
| `keycloak_url` | URL for configuration REST calls | `http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}` |
| `keycloak_management_url` | URL for management console REST calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}` |
| `keycloak_frontend_url_force` | Force backend requests to use the frontend URL | `false` |
| `keycloak_db_background_validation` | Enable background validation of database connection | `false` |
| `keycloak_db_background_validation_millis` | How frequently the connection pool is validated in the background | `10000` if background validation enabled |
| `keycloak_db_background_validate_on_match` | Enable validate on match for database connections | `false` |
| `keycloak_frontend_url` | frontend URL for keycloak endpoint | `http://localhost:8080/auth/` |
| `keycloak_log_target` | Set the destination of the keycloak log folder link | `/var/log/keycloak` |
## Role Variables

The following are a set of required variables for the role:

| Variable | Description |
|---|---|
| `keycloak_admin_password` | Password for the administration console user account (minimum 12 characters) |
| `keycloak_frontend_url` | frontend URL for keycloak endpoint |
The following parameters are required only when `keycloak_ha_enabled` is `true`:

| Variable | Description | Default |
|---|---|---|
| `keycloak_modcluster_enabled` | Enable configuration for modcluster subsystem | `True` if `keycloak_ha_enabled` is `True`, else `False` |
| `keycloak_modcluster_url` | (deprecated) Host for the modcluster reverse proxy | `localhost` |
| `keycloak_modcluster_port` | (deprecated) Port for the modcluster reverse proxy | `6666` |
| `keycloak_modcluster_urls` | List of `{host,port}` dicts for the modcluster reverse proxies | `[ { localhost:6666 } ]` |
| `keycloak_jdbc_engine` | backend database engine when db is enabled: `[ postgres, mariadb, sqlserver ]` | `postgres` |
| `keycloak_infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
| `keycloak_infinispan_user` | username for connecting to infinispan | `supervisor` |
| `keycloak_infinispan_pass` | password for connecting to infinispan | `supervisor` |
| `keycloak_infinispan_sasl_mechanism` | Authentication type | `SCRAM-SHA-512` |
| `keycloak_infinispan_use_ssl` | Enable hotrod TLS communication | `False` |
| `keycloak_infinispan_trust_store_path` | Path to truststore with infinispan server certificate | `/etc/pki/java/cacerts` |
| `keycloak_infinispan_trust_store_password` | Password for opening truststore | `changeit` |
The following parameters are required only when `keycloak_db_enabled` is `true`:

| Variable | Description | Default |
|---|---|---|
| `keycloak_jdbc_url` | URL for the postgres backend database | `jdbc:postgresql://localhost:5432/keycloak` |
| `keycloak_jdbc_driver_version` | Version for the JDBC driver to download | `9.4.1212` |
| `keycloak_db_user` | username for connecting to postgres | `keycloak-user` |
| `keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` |
The following variables are optional:

| Variable | Description |
|---|---|
| `keycloak_db_valid_conn_sql` | Override the default database connection validation query SQL |
| `keycloak_admin_url` | Override the default administration endpoint URL |
| `keycloak_jgroups_subnet` | Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from the local machine route configuration |
## Example Playbook

- The following is an example playbook that makes use of the role to install keycloak from remote:

```yaml
---
- hosts: ...
  vars:
    keycloak_admin_password: "remembertochangeme"
  roles:
    - middleware_automation.keycloak.keycloak
```

- The following example playbook makes use of the role to install keycloak from the controller node:

```yaml
---
- hosts: ...
  collections:
    - middleware_automation.keycloak
  tasks:
    - name: Include keycloak role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "remembertochangeme"
        keycloak_offline_install: true
        # This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip
```
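The following is an added example (not part of the role's own README) that combines the HA, database and remote-cache variables documented above into one clustered deployment, with the default credentials and the plain-text hotrod connection replaced: secrets come from Ansible Vault variables (`vault_*`, assumed names), the inventory group `keycloak_nodes` and the `*.example.internal` hostnames are assumed, and `keycloak_db_enabled` is left to follow `keycloak_ha_enabled`, so discovery uses `JDBC_PING`.

```yaml
---
- name: Install RH-SSO / Keycloak as a clustered (HA) deployment
  hosts: keycloak_nodes                 # assumed inventory group
  become: true
  vars:
    # Required variables; the admin password must be at least 12 characters
    keycloak_admin_password: "{{ vault_keycloak_admin_password }}"   # assumed vault variable
    keycloak_frontend_url: "https://sso.example.internal/auth/"      # assumed public URL behind the proxies
    keycloak_frontend_url_force: true

    # HA switches on the database backend, clustering and the infinispan remote caches
    keycloak_ha_enabled: true

    # Database backend (keycloak_db_enabled defaults to true when HA is enabled)
    keycloak_jdbc_engine: postgres
    keycloak_jdbc_url: "jdbc:postgresql://db.example.internal:5432/keycloak"   # assumed DB host
    keycloak_db_user: keycloak
    keycloak_db_pass: "{{ vault_keycloak_db_pass }}"                # assumed vault variable
    keycloak_db_background_validation: true                         # uses the 10000 ms default interval
    keycloak_db_valid_conn_sql: "SELECT 1"

    # Remote caches: hotrod over TLS, authenticated with SCRAM-SHA-512, against a dedicated account
    keycloak_infinispan_url: "infinispan.example.internal:11222"    # assumed cache server
    keycloak_infinispan_user: keycloak
    keycloak_infinispan_pass: "{{ vault_keycloak_infinispan_pass }}"   # assumed vault variable
    keycloak_infinispan_sasl_mechanism: SCRAM-SHA-512
    keycloak_infinispan_use_ssl: true
    keycloak_infinispan_trust_store_path: /etc/pki/java/cacerts
    keycloak_infinispan_trust_store_password: "{{ vault_truststore_password }}"   # assumed vault variable

    # Reverse proxies for the modcluster subsystem, as a list of {host, port} dicts
    keycloak_modcluster_urls:
      - host: proxy1.example.internal
        port: 6666
      - host: proxy2.example.internal
        port: 6666

    # Service ports on all interfaces, management interface kept on loopback only
    keycloak_bind_address: 0.0.0.0
    keycloak_management_port_bind_address: 127.0.0.1
    keycloak_configure_firewalld: true
    keycloak_service_restart_on_failure: true
  roles:
    - middleware_automation.keycloak.keycloak
```

If the nodes have more than one route, set `keycloak_jgroups_subnet` explicitly rather than relying on the inferred subnet, so cluster members only discover each other on the intended network.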
## License

Apache License 2.0