diff --git a/galaxy.yml b/galaxy.yml index dd553457..2e996a00 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -35,7 +35,6 @@ issues: https://github.com/ansible-middleware/keycloak/issues build_ignore: - .gitignore - .github - - .ansible-lint - .yamllint - '*.tar.gz' - '*.zip' diff --git a/molecule/prepare.yml b/molecule/prepare.yml index f122f9d6..27486a37 100644 --- a/molecule/prepare.yml +++ b/molecule/prepare.yml @@ -25,7 +25,7 @@ fail_msg: "sudo is not installed on target system" - name: "Install iproute" - become: yes + become: true ansible.builtin.yum: name: - iproute @@ -33,7 +33,7 @@ - name: "Retrieve assets server from env" ansible.builtin.set_fact: - assets_server: "{{ lookup('env','MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}" + assets_server: "{{ lookup('env', 'MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}" - name: "Download artefacts only if assets_server is set" when: @@ -51,6 +51,7 @@ url: "{{ asset }}" dest: "{{ lookup('env', 'PWD') }}" validate_certs: no + mode: '0644' delegate_to: localhost loop: "{{ assets }}" loop_control: diff --git a/molecule/quarkus-devmode/prepare.yml b/molecule/quarkus-devmode/prepare.yml index 3a9bcb98..9ce721e3 100644 --- a/molecule/quarkus-devmode/prepare.yml +++ b/molecule/quarkus-devmode/prepare.yml @@ -30,11 +30,11 @@ src: "{{ item }}" dest: /opt/openjdk force: true - with_fileglob: - - /usr/lib/jvm/java-17-openjdk* + with_fileglob: + - /usr/lib/jvm/java-17-openjdk* when: - ansible_facts.os_family == "Debian" - + - name: Link default logs directory ansible.builtin.file: state: link diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml index 6848acfe..5821acab 100644 --- a/roles/keycloak_quarkus/defaults/main.yml +++ b/roles/keycloak_quarkus/defaults/main.yml 
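Review bot: The `ansible.builtin.get_url` task in molecule/prepare.yml that gains `mode: '0644'` still carries `validate_certs: no` on the line directly above it, so the artefacts fetched from `MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL` are downloaded without TLS certificate verification, and `no` is also the YAML 1.1 truthy form this commit otherwise replaces (`become: yes` → `become: true` two hunks earlier in the same file). Unless the assets server is known to present a certificate the test hosts cannot validate, `validate_certs: true` is the safer default; if the bypass is deliberate, a comment above the line stating why would keep the next lint pass from "fixing" it. The task continues past the hunk (`loop_control:` is cut), so I cannot see whether the downloaded files are checksummed afterwards.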
@@ -86,7 +86,8 @@ keycloak_quarkus_proxy_mode: edge # disable xa transactions keycloak_quarkus_transaction_xa_enabled: true -# If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy +# If the route should be attached to cookies to reflect the node that owns a particular session. +# If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: true keycloak_quarkus_metrics_enabled: false @@ -120,7 +121,8 @@ keycloak_quarkus_default_jdbc: mssql: url: 'jdbc:sqlserver://localhost:1433;databaseName=keycloak;' version: 12.2.0 - driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar" # cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/22.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver + driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar" + # cf. https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/22.0/html/server_guide/db-#db-installing-the-microsoft-sql-server-driver ### logging configuration keycloak_quarkus_log: file keycloak_quarkus_log_level: info diff --git a/roles/keycloak_quarkus/handlers/main.yml b/roles/keycloak_quarkus/handlers/main.yml index 6cbe276a..82e229b6 100644 --- a/roles/keycloak_quarkus/handlers/main.yml +++ b/roles/keycloak_quarkus/handlers/main.yml @@ -5,4 +5,4 @@ listen: "rebuild keycloak config" - name: "Restart {{ keycloak.service_name }}" ansible.builtin.include_tasks: restart.yml - listen: "restart keycloak" \ No newline at end of file + listen: "restart keycloak" 
diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
index da32de0e..657ebbf2 100644
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -161,7 +161,10 @@ argument_specs:
 description: "Heap memory JVM setting"
 type: "str"
 keycloak_quarkus_java_jvm_opts:
- default: "-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512"
+ default: >
+ -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.err.encoding=UTF-8
+ -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC
+ -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512
 description: "Other JVM settings"
 type: "str"
 keycloak_quarkus_java_opts:
@@ -272,7 +275,9 @@ argument_specs:
 keycloak_quarkus_log_max_file_size:
 default: 10M
 type: "str"
- description: "Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular expression): [0-9]+[KkMmGgTtPpEeZzYy]?. If no suffix is given, assume bytes."
+ description: >
+ Set the maximum log file size before a log rotation happens; A size configuration option recognises string in this format (shown as a regular
+ expression): [0-9]+[KkMmGgTtPpEeZzYy]?. If no suffix is given, assume bytes.
 keycloak_quarkus_log_max_backup_index:
 default: 10
 type: "str"
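Review bot: `default: >` for keycloak_quarkus_java_jvm_opts keeps a trailing newline (a folded scalar with clip chomping ends in one line break), so the documented default is no longer byte-identical to the former quoted string; `default: >-` reproduces the old value exactly. The same `>` header is used for every `description:` rewritten here and in the following two hunks of this file, where the extra newline is harmless for documentation text but `>-` would keep the style uniform. Whether the argument-spec default is applied at runtime or only documented I cannot tell from the diff; defaults/main.yml is the value the two should agree with.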
@@ -280,7 +285,9 @@ argument_specs:
 keycloak_quarkus_log_file_suffix:
 default: '.yyyy-MM-dd.zip'
 type: "str"
- description: "Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with .zip or .gz, the rotation file will also be compressed."
+ description: >
+ Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix. Note: If the suffix ends
+ with .zip or .gz, the rotation file will also be compressed.
 keycloak_quarkus_proxy_mode:
 default: 'edge'
 type: "str"
@@ -300,15 +307,21 @@ argument_specs:
 keycloak_quarkus_hostname_strict:
 default: true
 type: "bool"
- description: "Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless proxy verifies the Host header."
+ description: >
+ Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless
+ proxy verifies the Host header.
 keycloak_quarkus_hostname_strict_backchannel:
 default: false
 type: "bool"
- description: "By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled."
+ description: >
+ By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all
+ applications use the public URL this option should be enabled.
 keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route:
 default: true
 type: "bool"
- description: "If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy"
+ description: >
+ If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies
+ and we rely on the session affinity capabilities from reverse proxy
 downstream:
 options:
 rhbk_version:
diff --git a/roles/keycloak_quarkus/tasks/fastpackages.yml b/roles/keycloak_quarkus/tasks/fastpackages.yml
index 5affe64c..9dc16217 100644
--- a/roles/keycloak_quarkus/tasks/fastpackages.yml
+++ b/roles/keycloak_quarkus/tasks/fastpackages.yml
@@ -8,7 +8,8 @@ - name: "Add missing packages to the yum install list" ansible.builtin.set_fact: - packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}" + packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | \ + map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}" when: ansible_facts.os_family == "RedHat" - name: "Install packages: {{ packages_to_install }}" @@ -17,8 +18,8 @@ name: "{{ packages_to_install }}" state: present when: - - packages_to_install | default([]) | length > 0 - - ansible_facts.os_family == "RedHat" + - packages_to_install | default([]) | length > 0 + - ansible_facts.os_family == "RedHat" - name: "Install packages: {{ packages_list }}" become: true diff --git a/roles/keycloak_quarkus/tasks/install.yml b/roles/keycloak_quarkus/tasks/install.yml index 3cf4b559..cc2aa7ff 100644 --- a/roles/keycloak_quarkus/tasks/install.yml +++ b/roles/keycloak_quarkus/tasks/install.yml @@ -132,7 +132,7 @@ register: path_to_workdir become: true -- name: "Extract Keycloak archive on target" +- name: "Extract Keycloak archive on target" # noqa no-handler need to run this here ansible.builtin.unarchive: remote_src: true src: "{{ archive }}" diff --git a/roles/keycloak_quarkus/tasks/jdbc_driver.yml b/roles/keycloak_quarkus/tasks/jdbc_driver.yml index c95ef2b1..310509a7 100644 --- a/roles/keycloak_quarkus/tasks/jdbc_driver.yml +++ b/roles/keycloak_quarkus/tasks/jdbc_driver.yml @@ -1,5 +1,4 @@ --- - - name: "Retrieve JDBC Driver from {{ keycloak_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url }}" ansible.builtin.get_url: url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url }}" diff --git a/roles/keycloak_quarkus/tasks/prereqs.yml b/roles/keycloak_quarkus/tasks/prereqs.yml index a9fbeaa8..d344e98c 100644 --- a/roles/keycloak_quarkus/tasks/prereqs.yml 
+++ b/roles/keycloak_quarkus/tasks/prereqs.yml @@ -4,7 +4,7 @@ that: - keycloak_quarkus_admin_pass | length > 12 quiet: true - fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass variable to a 12+ char long string" + fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass to a 12+ char long string" success_msg: "{{ 'Console administrator password OK' }}" - name: Validate relative path @@ -12,15 +12,17 @@ that: - keycloak_quarkus_http_relative_path is regex('^/.*') quiet: true - fail_msg: "the relative path must begin with /" - success_msg: "{{ 'relative path OK' }}" + fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /" + success_msg: "{{ 'Relative path OK' }}" - name: Validate configuration ansible.builtin.assert: that: - - (keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and not keycloak_quarkus_db_enabled) + - (keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or + (not keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or + (not keycloak_quarkus_ha_enabled and not keycloak_quarkus_db_enabled) quiet: true - fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled" + fail_msg: "HA setup requires a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled" success_msg: "{{ 'Configuring HA' if keycloak_quarkus_ha_enabled else 'Configuring standalone' }}" - name: Validate OS family diff --git a/roles/keycloak_quarkus/tasks/systemd.yml b/roles/keycloak_quarkus/tasks/systemd.yml index fcc1a719..47f05702 100644 --- a/roles/keycloak_quarkus/tasks/systemd.yml +++ b/roles/keycloak_quarkus/tasks/systemd.yml 
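Review bot: The reworded `fail_msg` in the first hunk still tells the operator that a "12+ char long string" is accepted, but the assertion two lines above it is `keycloak_quarkus_admin_pass | length > 12`, which rejects an exactly 12-character password. Either keep the stricter check and say so, `fail_msg: "The console administrator password is empty or invalid. Please set keycloak_quarkus_admin_pass to a string longer than 12 characters"`, or relax the check to `>= 12`; the message and the condition should agree on the boundary.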
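Review bot: The three-way `or` chain in the Validate configuration assertion rejects exactly one combination, HA enabled without a database, so it collapses to the single line `- keycloak_quarkus_db_enabled or not keycloak_quarkus_ha_enabled`, which reads the same as the new `fail_msg` and avoids the multi-line plain scalar. Continuing a plain scalar across three indented lines inside a sequence item is valid YAML, but it depends on indentation-based folding that a later re-indent can silently break, which is why the shorter condition is worth preferring.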
@@ -8,7 +8,7 @@ group: root mode: '0640' vars: - keycloak_pkg_java_home: "{{ keycloak_quarkus_pkg_java_home }}" + keycloak_sys_pkg_java_home: "{{ keycloak_quarkus_pkg_java_home }}" notify: - restart keycloak diff --git a/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2 b/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2 index 2ec71e0b..4667596d 100644 --- a/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2 +++ b/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2 @@ -1,6 +1,6 @@ {{ ansible_managed | comment }} KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }} KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}' -PATH={{ keycloak_quarkus_java_home | default(keycloak_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin -JAVA_HOME={{ keycloak_quarkus_java_home | default(keycloak_pkg_java_home, true) }} +PATH={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +JAVA_HOME={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }} JAVA_OPTS={{ keycloak_quarkus_java_opts }} diff --git a/roles/keycloak_quarkus/vars/debian.yml b/roles/keycloak_quarkus/vars/debian.yml index a42eb5f4..e63c0d11 100644 --- a/roles/keycloak_quarkus/vars/debian.yml +++ b/roles/keycloak_quarkus/vars/debian.yml @@ -1,7 +1,7 @@ --- keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('openjdk-17-jdk-headless') }}" keycloak_quarkus_prereq_package_list: - - "{{ keycloak_quarkus_varjvm_package }}" + - "{{ keycloak_quarkus_varjvm_package }}" - unzip - procps - apt diff --git a/roles/keycloak_realm/defaults/main.yml b/roles/keycloak_realm/defaults/main.yml index c3964814..e4882076 100644 --- a/roles/keycloak_realm/defaults/main.yml +++ b/roles/keycloak_realm/defaults/main.yml 
@@ -26,14 +26,14 @@ keycloak_admin_password: '' # and users is a list of account, see below for the format definition # an empty name will skip the creation of the client # -#keycloak_clients: -# - name: '' -# roles: "{{ keycloak_client_default_roles }}" -# realm: "{{ keycloak_realm }}" -# public_client: "{{ keycloak_client_public }}" -# web_origins: "{{ keycloak_client_web_origins }}" -# redirect_uris: "{{ keycloak_client_redirect_uris }}" -# users: "{{ keycloak_client_users }}" +# keycloak_clients: +# - name: '' +# roles: "{{ keycloak_client_default_roles }}" +# realm: "{{ keycloak_realm }}" +# public_client: "{{ keycloak_client_public }}" +# web_origins: "{{ keycloak_client_web_origins }}" +# redirect_uris: "{{ keycloak_client_redirect_uris }}" +# users: "{{ keycloak_client_users }}" keycloak_clients: [] # list of roles to create in the client diff --git a/roles/keycloak_realm/meta/argument_specs.yml b/roles/keycloak_realm/meta/argument_specs.yml index ca174dcc..ed87ee61 100644 --- a/roles/keycloak_realm/meta/argument_specs.yml +++ b/roles/keycloak_realm/meta/argument_specs.yml @@ -10,7 +10,7 @@ argument_specs: # line 5 of keycloak_realm/defaults/main.yml default: "/auth" description: "Context path for rest calls" - type: "str" + type: "str" keycloak_http_port: # line 4 of keycloak_realm/defaults/main.yml default: 8080 diff --git a/roles/keycloak_realm/tasks/manage_client_users.yml b/roles/keycloak_realm/tasks/manage_client_users.yml index ed9fb032..5234cb11 100644 --- a/roles/keycloak_realm/tasks/manage_client_users.yml +++ b/roles/keycloak_realm/tasks/manage_client_users.yml @@ -10,4 +10,4 @@ loop: "{{ client.users | flatten }}" loop_control: loop_var: user - when: "'client_roles' in user" \ No newline at end of file + when: "'client_roles' in user" diff --git a/roles/keycloak_realm/tasks/manage_user_client_roles.yml b/roles/keycloak_realm/tasks/manage_user_client_roles.yml index 4311daa7..3884f425 100644 
--- a/roles/keycloak_realm/tasks/manage_user_client_roles.yml +++ b/roles/keycloak_realm/tasks/manage_user_client_roles.yml @@ -12,7 +12,9 @@ - name: Check if Mapping is available ansible.builtin.uri: - url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available" + url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | \ + default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | \ + selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available" method: GET status_code: - 200 @@ -23,7 +25,9 @@ - name: "Create Role Mapping" ansible.builtin.uri: - url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}" + url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ client_role.realm | \ + default(keycloak_realm) }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | \ + selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}" method: POST body: - id: "{{ item.id }}"
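Review bot: Both `url:` values are now double-quoted scalars broken with `\`-escaped line breaks; this works because YAML drops the escaped newline together with the continuation line's leading whitespace, but it is fragile under re-indentation and differs from the block-scalar style used elsewhere in this commit. A folded block scalar gives the same single-line value without escapes, `url: >-` followed by the three indented lines with the trailing `\` removed, since each break falls inside a `{{ }}` expression where the joining space is insignificant. The `status_code` list and the POST `body` continue outside the hunks.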