From dd6171f0247733fc12534698111f78dbd8b206e7 Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Mon, 25 Mar 2024 10:19:08 +0100 Subject: [PATCH 1/7] Add ansible_family based vars loading --- roles/keycloak_quarkus/defaults/main.yml | 1 - roles/keycloak_quarkus/meta/main.yml | 6 ++++++ roles/keycloak_quarkus/tasks/prereqs.yml | 22 +++++++++++++++------- roles/keycloak_quarkus/vars/debian.yml | 11 +++++++++++ roles/keycloak_quarkus/vars/redhat.yml | 11 +++++++++++ 5 files changed, 43 insertions(+), 8 deletions(-) create mode 100644 roles/keycloak_quarkus/vars/debian.yml create mode 100644 roles/keycloak_quarkus/vars/redhat.yml diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml index f2f07a58..e630bd32 100644 --- a/roles/keycloak_quarkus/defaults/main.yml +++ b/roles/keycloak_quarkus/defaults/main.yml @@ -9,7 +9,6 @@ keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_q keycloak_quarkus_offline_install: false ### Install location and service settings -keycloak_quarkus_jvm_package: "{{ 'java-17-openjdk-headless' if ansible_facts.os_family == 'RedHat' else 'openjdk-17-jdk-headless' }}" keycloak_quarkus_java_home: keycloak_quarkus_dest: /opt/keycloak keycloak_quarkus_home: "{{ keycloak_quarkus_installdir }}" diff --git a/roles/keycloak_quarkus/meta/main.yml b/roles/keycloak_quarkus/meta/main.yml index 8d7331d3..0f820034 100644 --- a/roles/keycloak_quarkus/meta/main.yml +++ b/roles/keycloak_quarkus/meta/main.yml @@ -14,6 +14,11 @@ galaxy_info: - name: EL versions: - "8" + - "9" + - name: Fedora + - name: Debian + - name: Ubuntu + galaxy_tags: - keycloak @@ -25,3 +30,4 @@ galaxy_info: - identity - security - rhbk + - debian diff --git a/roles/keycloak_quarkus/tasks/prereqs.yml b/roles/keycloak_quarkus/tasks/prereqs.yml index 252f75fc..7a33a487 100644 --- a/roles/keycloak_quarkus/tasks/prereqs.yml +++ b/roles/keycloak_quarkus/tasks/prereqs.yml 
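Review bot: Dropping `keycloak_quarkus_jvm_package` from defaults/main.yml and redefining it in a `vars/` file changes who can override it: variables loaded with include_vars outrank inventory and play vars, so a consumer who pins a different JDK package in host_vars or the play silently gets the role's choice, and only `-e` still wins. Patch 7's title says it reverts this for the JVM variable, but that diff is not shown on this page, so the final state is worth checking. If a distro-specific default is wanted while staying overridable, keep the public key in defaults and let the vars file feed only a fallback, e.g. `keycloak_quarkus_jvm_package: "{{ keycloak_quarkus_default_jvm_package }}"` in defaults with `keycloak_quarkus_default_jvm_package` set per family. The meta hunk adding Fedora, Debian and Ubuntu is consistent with branching only on os_family.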
@@ -6,7 +6,7 @@ quiet: true fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass variable to a 12+ char long string" success_msg: "{{ 'Console administrator password OK' }}" - + - name: Validate relative path ansible.builtin.assert: that: @@ -23,12 +23,20 @@ fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled" success_msg: "{{ 'Configuring HA' if keycloak_quarkus_ha_enabled else 'Configuring standalone' }}" +- name: Validate OS family + ansible.builtin.assert: + that: + - ansible_os_family in ["RedHat", "Debian"] + quiet: true + fail_msg: "Can only install on RedHat or Debian OS families; found {{ ansible_os_family }}" + success_msg: "Installing on {{ ansible_os_family }}" + +- name: Load OS specific variables + ansible.builtin.include_vars: "vars/{{ ansible_os_family | lower }}.yml" + tags: + - always + - name: Ensure required packages are installed ansible.builtin.include_tasks: fastpackages.yml vars: - packages_list: - - "{{ keycloak_quarkus_jvm_package }}" - - unzip - - "{{ 'procps-ng' if ansible_facts.os_family == 'RedHat' else 'procps' }}" - - "{{ 'initscripts' if ansible_facts.os_family == 'RedHat' else 'apt' }}" - - "{{ 'tzdata-java' if ansible_facts.os_family == 'RedHat' else 'tzdata' }}" + packages_list: "{{ keycloak_prereq_package_list }}" diff --git a/roles/keycloak_quarkus/vars/debian.yml b/roles/keycloak_quarkus/vars/debian.yml new file mode 100644 index 00000000..6c7ed903 --- /dev/null +++ b/roles/keycloak_quarkus/vars/debian.yml 
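Review bot: The new "Validate OS family" assert and the include_vars read the bare `ansible_os_family`, while the lines they replace (and the rest of this role) use `ansible_facts.os_family`; the bare name only exists when `inject_facts_as_vars` is enabled, so a controller that disables it gets an undefined-variable error instead of the intended fail_msg. Use the facts dictionary in both tasks, e.g. `ansible.builtin.include_vars: "vars/{{ ansible_facts.os_family | lower }}.yml"`. Only the include_vars carries `tags: [always]`; giving the assert the same tag keeps the allow-list check in front of the templated include path on tag-filtered runs.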
@@ -0,0 +1,11 @@ +--- +keycloak_quarkus_jvm_package: openjdk-17-jdk-headless +keycloak_prereq_package_list: + - "{{ keycloak_quarkus_jvm_package }}" + - unzip + - procps + - apt + - tzdata +keycloak_quarkus_configure_iptables: True +keycloak_quarkus_sysconf_file: /etc/default/keycloak +keycloak_quarkus_pkg_java_home: "/lib/jvm/java-{{ keycloak_quarkus_jvm_package | regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}" diff --git a/roles/keycloak_quarkus/vars/redhat.yml b/roles/keycloak_quarkus/vars/redhat.yml new file mode 100644 index 00000000..775f9832 --- /dev/null +++ b/roles/keycloak_quarkus/vars/redhat.yml @@ -0,0 +1,11 @@ +--- +keycloak_quarkus_jvm_package: java-17-openjdk-headless +keycloak_prereq_package_list: + - "{{ keycloak_quarkus_jvm_package }}" + - unzip + - procps-ng + - initscripts + - tzdata-java +keycloak_quarkus_configure_iptables: False +keycloak_quarkus_sysconf_file: /etc/sysconfig/keycloak +keycloak_quarkus_pkg_java_home: "/etc/alternatives/jre_{{ keycloak_quarkus_jvm_package | regex_search('(?<=java-)[0-9.]+') }}" From 3b1534d700c02ca2d863a62cfa0b89e439fd440f Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Mon, 25 Mar 2024 10:19:28 +0100 Subject: [PATCH 2/7] refactor --- roles/keycloak_quarkus/tasks/debian.yml | 2 +- roles/keycloak_quarkus/tasks/fastpackages.yml | 2 +- roles/keycloak_quarkus/tasks/main.yml | 10 ++---- roles/keycloak_quarkus/tasks/systemd.yml | 33 ++----------------- .../templates/keycloak-sysconfig.j2 | 4 +-- .../templates/keycloak.service.j2 | 2 +- 6 files changed, 9 insertions(+), 44 deletions(-) diff --git a/roles/keycloak_quarkus/tasks/debian.yml b/roles/keycloak_quarkus/tasks/debian.yml index ffb1348f..4a366611 100644 --- a/roles/keycloak_quarkus/tasks/debian.yml +++ b/roles/keycloak_quarkus/tasks/debian.yml 
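Review bot: vars/debian.yml hard-sets `keycloak_quarkus_configure_iptables: True`, and because these files are loaded with include_vars they outrank inventory and play vars, so a Debian consumer cannot disable the firewall tasks except with `-e`; the legacy role documents the equivalent flag as default false, and the quarkus argument_specs (edited in patch 7, not shown here) presumably does the same. If a per-distro default is the intent, keep the public flag in defaults and have the vars file supply only a fallback, and write booleans as `true`/`false` rather than `True`/`False`. Separately, `(?!:openjdk-)` in `keycloak_quarkus_pkg_java_home` is a negative lookahead for the literal `:openjdk-`, not the lookbehind the redhat file uses; it only works because the first digit run in `openjdk-17-jdk-headless` happens to be the version, so `regex_search('(?<=openjdk-)[0-9.]+')` states the intent and mirrors the redhat expression. The Debian path also assumes only amd64 or arm64 hosts.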
@@ -1,6 +1,6 @@ --- - name: Include firewall config tasks ansible.builtin.include_tasks: iptables.yml - when: keycloak_configure_iptables + when: keycloak_quarkus_configure_iptables tags: - firewall diff --git a/roles/keycloak_quarkus/tasks/fastpackages.yml b/roles/keycloak_quarkus/tasks/fastpackages.yml index 3b557ef8..5affe64c 100644 --- a/roles/keycloak_quarkus/tasks/fastpackages.yml +++ b/roles/keycloak_quarkus/tasks/fastpackages.yml @@ -13,7 +13,7 @@ - name: "Install packages: {{ packages_to_install }}" become: true - ansible.builtin.yum: + ansible.builtin.dnf: name: "{{ packages_to_install }}" state: present when: diff --git a/roles/keycloak_quarkus/tasks/main.yml b/roles/keycloak_quarkus/tasks/main.yml index 72f4fddc..86b32119 100644 --- a/roles/keycloak_quarkus/tasks/main.yml +++ b/roles/keycloak_quarkus/tasks/main.yml @@ -4,16 +4,10 @@ ansible.builtin.include_tasks: prereqs.yml tags: - prereqs + - always - name: Debian specific tasks - ansible.builtin.include_tasks: debian.yml - when: ansible_facts.os_family == "Debian" - tags: - - unbound - -- name: RedHat specific tasks - ansible.builtin.include_tasks: redhat.yml - when: ansible_facts.os_family == "RedHat" + ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml" tags: - unbound diff --git a/roles/keycloak_quarkus/tasks/systemd.yml b/roles/keycloak_quarkus/tasks/systemd.yml index 65aeeb3b..58dbc7e6 100644 --- a/roles/keycloak_quarkus/tasks/systemd.yml +++ b/roles/keycloak_quarkus/tasks/systemd.yml 
@@ -1,43 +1,14 @@ --- -- name: Determine JAVA_HOME for selected JVM RPM - ansible.builtin.set_fact: - rpm_java_home: "/etc/alternatives/jre_{{ keycloak_quarkus_jvm_package | regex_search('(?<=java-)[0-9.]+') }}" - when: - - ansible_facts.os_family == "RedHat" - -- name: Determine JAVA_HOME for selected JVM RPM - ansible.builtin.set_fact: - rpm_java_home: "/lib/jvm/java-{{ keycloak_quarkus_jvm_package | regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}" - when: - - ansible_facts.os_family == "Debian" - -- name: "Configure sysconfig file for {{ keycloak.service_name }} service" - become: true - ansible.builtin.template: - src: keycloak-sysconfig.j2 - dest: /etc/default/keycloak - owner: root - group: root - mode: 0644 - vars: - keycloak_rpm_java_home: "{{ rpm_java_home }}" - when: - - ansible_facts.os_family == "Debian" - notify: - - restart keycloak - - name: "Configure sysconfig file for {{ keycloak.service_name }} service" become: true ansible.builtin.template: src: keycloak-sysconfig.j2 - dest: /etc/sysconfig/keycloak + dest: "{{ keycloak_quarkus_sysconf_file }}" owner: root group: root mode: 0644 vars: - keycloak_rpm_java_home: "{{ rpm_java_home }}" - when: - - ansible_facts.os_family == "RedHat" + keycloak_pkg_java_home: "{{ keycloak_quarkus_pkg_java_home }}" notify: - restart keycloak diff --git a/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2 b/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2 index aa6aef76..358794cb 100644 --- a/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2 +++ b/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2 
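Review bot: The sysconfig file written by this task carries `KEYCLOAK_ADMIN_PASSWORD` in clear text (see the template in the next hunk), yet the task keeps `owner: root`, `group: root`, `mode: 0644`, so any local account on the host can read the console admin password. systemd reads `EnvironmentFile=` as root before dropping privileges, so `mode: "0600"` is sufficient for the unit; if the role's service user is expected to source the file directly, use `"0640"` with that user's group instead. Quoting the mode also avoids YAML reading `0644` as the integer 420. Collapsing the two distro-specific copies into one task is otherwise a clean change.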
@@ -1,6 +1,6 @@ {{ ansible_managed | comment }} KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }} KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}' -PATH={{ keycloak_quarkus_java_home | default(keycloak_rpm_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin -JAVA_HOME={{ keycloak_quarkus_java_home | default(keycloak_rpm_java_home, true) }} +PATH={{ keycloak_quarkus_java_home | default(keycloak_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +JAVA_HOME={{ keycloak_quarkus_java_home | default(keycloak_pkg_java_home, true) }} JAVA_OPTS_APPEND={{ keycloak_quarkus_java_opts }} diff --git a/roles/keycloak_quarkus/templates/keycloak.service.j2 b/roles/keycloak_quarkus/templates/keycloak.service.j2 index af610078..3cdfacf6 100644 --- a/roles/keycloak_quarkus/templates/keycloak.service.j2 +++ b/roles/keycloak_quarkus/templates/keycloak.service.j2 @@ -5,7 +5,7 @@ After=network.target [Service] Type=simple -EnvironmentFile=-/etc/sysconfig/keycloak +EnvironmentFile=-{{ keycloak_quarkus_sysconf_file }} PIDFile={{ keycloak_quarkus_service_pidfile }} {% if keycloak_quarkus_start_dev %} ExecStart={{ keycloak.home }}/bin/kc.sh start-dev From 3400b64b105e19c2b8690bedba518fe8295130df Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Mon, 25 Mar 2024 14:34:25 +0100 Subject: [PATCH 3/7] add to ci --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index afb14034..509bebb8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,4 +15,4 @@ jobs: with: fqcn: 'middleware_automation/keycloak' molecule_tests: >- - [ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode" ] + [ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "debian" ] From 0e4df659f431f563b7800bf31b49867051305911 Mon Sep 17 00:00:00 2001 
From: Guido Grazioli Date: Mon, 25 Mar 2024 14:34:36 +0100 Subject: [PATCH 4/7] add test --- molecule/debian/converge.yml | 40 ++++++++++++++++++ molecule/debian/molecule.yml | 44 ++++++++++++++++++++ molecule/debian/prepare.yml | 11 +++++ molecule/debian/roles | 1 + molecule/debian/verify.yml | 52 ++++++++++++++++++++++++ roles/keycloak_quarkus/tasks/main.yml | 2 +- roles/keycloak_quarkus/tasks/prereqs.yml | 2 +- roles/keycloak_quarkus/vars/debian.yml | 2 +- roles/keycloak_quarkus/vars/redhat.yml | 2 +- 9 files changed, 152 insertions(+), 4 deletions(-) create mode 100644 molecule/debian/converge.yml create mode 100644 molecule/debian/molecule.yml create mode 100644 molecule/debian/prepare.yml create mode 120000 molecule/debian/roles create mode 100644 molecule/debian/verify.yml diff --git a/molecule/debian/converge.yml b/molecule/debian/converge.yml new file mode 100644 index 00000000..0be6a85f --- /dev/null +++ b/molecule/debian/converge.yml 
@@ -0,0 +1,40 @@ +--- +- name: Converge + hosts: all + vars: + keycloak_admin_password: "remembertochangeme" + keycloak_quarkus_admin_pass: "remembertochangeme" + keycloak_realm: TestRealm + keycloak_quarkus_log: file + keycloak_quarkus_frontend_url: 'http://localhost:8080/' + keycloak_quarkus_start_dev: True + keycloak_quarkus_proxy_mode: none + keycloak_client_default_roles: + - TestRoleAdmin + - TestRoleUser + keycloak_client_users: + - username: TestUser + password: password + client_roles: + - client: TestClient + role: TestRoleUser + - username: TestAdmin + password: password + client_roles: + - client: TestClient + role: TestRoleUser + - client: TestClient + role: TestRoleAdmin + keycloak_clients: + - name: TestClient + roles: "{{ keycloak_client_default_roles }}" + public_client: "{{ keycloak_client_public }}" + web_origins: "{{ keycloak_client_web_origins }}" + users: "{{ keycloak_client_users }}" + client_id: TestClient + attributes: + post.logout.redirect.uris: '/public/logout' + roles: + - role: keycloak_quarkus + - role: keycloak_realm + keycloak_realm: TestRealm diff --git a/molecule/debian/molecule.yml b/molecule/debian/molecule.yml new file mode 100644 index 00000000..78b102c3 --- /dev/null +++ b/molecule/debian/molecule.yml 
@@ -0,0 +1,44 @@ +--- +driver: + name: docker +platforms: + - name: instance + image: ghcr.io/hspaans/molecule-containers:debian-11 + pre_build_image: true + privileged: true + port_bindings: + - "8080/tcp" + - "8443/tcp" + - "8009/tcp" +provisioner: + name: ansible + config_options: + defaults: + interpreter_python: auto_silent + ssh_connection: + pipelining: false + playbooks: + prepare: prepare.yml + converge: converge.yml + verify: verify.yml + inventory: + host_vars: + localhost: + ansible_python_interpreter: /usr/bin/python3 + env: + ANSIBLE_FORCE_COLOR: "true" + ANSIBLE_REMOTE_TMP: /tmp/.ansible/tmp +verifier: + name: ansible +scenario: + test_sequence: + - cleanup + - destroy + - create + - prepare + - converge + - idempotence + - side_effect + - verify + - cleanup + - destroy diff --git a/molecule/debian/prepare.yml b/molecule/debian/prepare.yml new file mode 100644 index 00000000..6025ef9d --- /dev/null +++ b/molecule/debian/prepare.yml @@ -0,0 +1,11 @@ +--- +- name: Prepare + hosts: all + gather_facts: yes + tasks: + - name: Install sudo + ansible.builtin.apt: + name: + - sudo + - openjdk-17-jdk-headless + state: present diff --git a/molecule/debian/roles b/molecule/debian/roles new file mode 120000 index 00000000..b741aa3d --- /dev/null +++ b/molecule/debian/roles @@ -0,0 +1 @@ +../../roles \ No newline at end of file diff --git a/molecule/debian/verify.yml b/molecule/debian/verify.yml new file mode 100644 index 00000000..040558ac --- /dev/null +++ b/molecule/debian/verify.yml 
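Review bot: prepare.yml installs `openjdk-17-jdk-headless` before the role runs, so the Debian scenario never exercises the role's own prerequisite installation through fastpackages.yml, which is exactly the path this series reworks; installing only `sudo` in prepare would let converge prove it. In molecule.yml the instance runs `privileged: true` with 8080/8443/8009 published to the host; that is common for systemd-in-docker, but a comment such as `# privileged is needed to run systemd as PID 1 in the container` would record why, and it should stay CI-only. The `host_vars: localhost: ansible_python_interpreter` entry looks copied from the other scenarios and presumably has no effect on the `instance` host.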
@@ -0,0 +1,52 @@ +--- +- name: Verify + hosts: all + vars: + keycloak_admin_password: "remembertochangeme" + keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}" + keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}" + keycloak_jboss_port_offset: 10 + tasks: + - name: Populate service facts + ansible.builtin.service_facts: + + - name: Check if keycloak service started + ansible.builtin.assert: + that: + - ansible_facts.services["keycloak.service"]["state"] == "running" + - ansible_facts.services["keycloak.service"]["status"] == "enabled" + + - name: Verify we are running on requested JAVA_HOME # noqa blocked_modules command-instead-of-module + ansible.builtin.shell: | + set -o pipefail + ps -ef | grep '/opt/openjdk' | grep -v grep + args: + executable: /bin/bash + changed_when: False + + - name: Set internal envvar + ansible.builtin.set_fact: + hera_home: "{{ lookup('env', 'HERA_HOME') }}" + + - name: Verify openid config + block: + - name: Fetch openID config # noqa blocked_modules command-instead-of-module + ansible.builtin.shell: | + set -o pipefail + curl http://localhost:8080/realms/master/.well-known/openid-configuration -k | jq . 
+ args: + executable: /bin/bash + delegate_to: localhost + register: openid_config + changed_when: False + - name: Verify endpoint URLs + ansible.builtin.assert: + that: + - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'http://localhost:8080/realms/master/protocol/openid-connect/ext/ciba/auth' + - (openid_config.stdout | from_json)['issuer'] == 'http://localhost:8080/realms/master' + - (openid_config.stdout | from_json)['authorization_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/auth' + - (openid_config.stdout | from_json)['token_endpoint'] == 'http://localhost:8080/realms/master/protocol/openid-connect/token' + delegate_to: localhost + when: + - hera_home is defined + - hera_home | length == 0 diff --git a/roles/keycloak_quarkus/tasks/main.yml b/roles/keycloak_quarkus/tasks/main.yml index 86b32119..decb63b2 100644 --- a/roles/keycloak_quarkus/tasks/main.yml +++ b/roles/keycloak_quarkus/tasks/main.yml @@ -6,7 +6,7 @@ - prereqs - always -- name: Debian specific tasks +- name: Distro specific tasks ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml" tags: - unbound diff --git a/roles/keycloak_quarkus/tasks/prereqs.yml b/roles/keycloak_quarkus/tasks/prereqs.yml index 7a33a487..a9fbeaa8 100644 --- a/roles/keycloak_quarkus/tasks/prereqs.yml +++ b/roles/keycloak_quarkus/tasks/prereqs.yml @@ -39,4 +39,4 @@ - name: Ensure required packages are installed ansible.builtin.include_tasks: fastpackages.yml vars: - packages_list: "{{ keycloak_prereq_package_list }}" + packages_list: "{{ keycloak_quarkus_prereq_package_list }}" diff --git a/roles/keycloak_quarkus/vars/debian.yml b/roles/keycloak_quarkus/vars/debian.yml index 6c7ed903..8ff67750 100644 --- a/roles/keycloak_quarkus/vars/debian.yml +++ b/roles/keycloak_quarkus/vars/debian.yml 
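Review bot: verify.yml defines `keycloak_uri`, `keycloak_management_port` and `keycloak_jboss_port_offset: 10`, but the curl and every assertion hard-code `http://localhost:8080`, so the offset variables are dead and disagree with the values actually checked; either drop them or use `{{ keycloak_uri }}` in the shell task and the asserts. `curl -k` is a no-op on a plain-HTTP URL and `keycloak_admin_password` is unused in this play. The openid block is gated on `hera_home is defined` and `hera_home | length == 0`, so it depends on the `Set internal envvar` task above it being present; keep that coupling in mind if that task is touched.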
@@ -1,6 +1,6 @@ --- keycloak_quarkus_jvm_package: openjdk-17-jdk-headless -keycloak_prereq_package_list: +keycloak_quarkus_prereq_package_list: - "{{ keycloak_quarkus_jvm_package }}" - unzip - procps diff --git a/roles/keycloak_quarkus/vars/redhat.yml b/roles/keycloak_quarkus/vars/redhat.yml index 775f9832..e40a94a7 100644 --- a/roles/keycloak_quarkus/vars/redhat.yml +++ b/roles/keycloak_quarkus/vars/redhat.yml @@ -1,6 +1,6 @@ --- keycloak_quarkus_jvm_package: java-17-openjdk-headless -keycloak_prereq_package_list: +keycloak_quarkus_prereq_package_list: - "{{ keycloak_quarkus_jvm_package }}" - unzip - procps-ng From e17505fe423eb2500aff3a73e0fa99941a462151 Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Mon, 25 Mar 2024 15:37:02 +0100 Subject: [PATCH 5/7] update molecule for debian container --- molecule/debian/molecule.yml | 4 ++++ molecule/requirements.yml | 2 +- roles/keycloak_quarkus/vars/debian.yml | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/molecule/debian/molecule.yml b/molecule/debian/molecule.yml index 78b102c3..afe29c5f 100644 --- a/molecule/debian/molecule.yml +++ b/molecule/debian/molecule.yml @@ -10,6 +10,10 @@ platforms: - "8080/tcp" - "8443/tcp" - "8009/tcp" + cgroupns_mode: host + command: "/lib/systemd/systemd" + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw provisioner: name: ansible config_options: diff --git a/molecule/requirements.yml b/molecule/requirements.yml index c87fd9a2..5c8bb43f 100644 --- a/molecule/requirements.yml +++ b/molecule/requirements.yml @@ -5,7 +5,7 @@ collections: - name: community.general - name: ansible.posix - name: community.docker - version: ">=1.9.1" + version: ">=3.8.0" roles: - name: elan.simple_nginx_reverse_proxy diff --git a/roles/keycloak_quarkus/vars/debian.yml b/roles/keycloak_quarkus/vars/debian.yml index 8ff67750..e8c90e31 100644 --- a/roles/keycloak_quarkus/vars/debian.yml +++ b/roles/keycloak_quarkus/vars/debian.yml 
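Review bot: Mounting `/sys/fs/cgroup:/sys/fs/cgroup:rw` with `cgroupns_mode: host` on top of `privileged: true` gives the test container write access to the runner's cgroup hierarchy, which is effectively root on the host and more than a shared CI runner should hand out. With a cgroup v2 Docker host, `cgroupns_mode: private` plus tmpfs mounts for `/run` and `/tmp` is usually enough to start `/lib/systemd/systemd`, and the rw host mount can then be dropped; if it must stay, record why in a comment next to the `volumes:` entry. The `community.docker >=3.8.0` bump is presumably what `cgroupns_mode` requires and is fine.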
@@ -8,4 +8,4 @@ keycloak_quarkus_prereq_package_list: - tzdata keycloak_quarkus_configure_iptables: True keycloak_quarkus_sysconf_file: /etc/default/keycloak -keycloak_quarkus_pkg_java_home: "/lib/jvm/java-{{ keycloak_quarkus_jvm_package | regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}" +keycloak_quarkus_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_quarkus_jvm_package | regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}" From 467cfda0f7ef1d62157970d7e91a03b4929842e0 Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Mon, 25 Mar 2024 15:41:57 +0100 Subject: [PATCH 6/7] same changes for keycloak-legacy --- molecule/debian/converge.yml | 3 ++- molecule/debian/verify.yml | 12 ----------- roles/keycloak/defaults/main.yml | 2 -- roles/keycloak/tasks/main.yml | 11 ++-------- roles/keycloak/tasks/prereqs.yml | 20 ++++++++++++------ roles/keycloak/tasks/systemd.yml | 21 +------------------ .../keycloak/templates/keycloak-sysconfig.j2 | 2 +- roles/keycloak/templates/keycloak.service.j2 | 2 +- roles/keycloak/vars/debian.yml | 11 ++++++++++ roles/keycloak/vars/redhat.yml | 11 ++++++++++ 10 files changed, 43 insertions(+), 52 deletions(-) create mode 100644 roles/keycloak/vars/debian.yml create mode 100644 roles/keycloak/vars/redhat.yml diff --git a/molecule/debian/converge.yml b/molecule/debian/converge.yml index 0be6a85f..17517b8b 100644 --- a/molecule/debian/converge.yml +++ b/molecule/debian/converge.yml @@ -2,7 +2,6 @@ - name: Converge hosts: all vars: - keycloak_admin_password: "remembertochangeme" keycloak_quarkus_admin_pass: "remembertochangeme" keycloak_realm: TestRealm keycloak_quarkus_log: file @@ -38,3 +37,5 @@ - role: keycloak_quarkus - role: keycloak_realm keycloak_realm: TestRealm + keycloak_admin_password: "remembertochangeme" + keycloak_context: '' 
diff --git a/molecule/debian/verify.yml b/molecule/debian/verify.yml index 040558ac..59bf4836 100644 --- a/molecule/debian/verify.yml +++ b/molecule/debian/verify.yml @@ -16,18 +16,6 @@ - ansible_facts.services["keycloak.service"]["state"] == "running" - ansible_facts.services["keycloak.service"]["status"] == "enabled" - - name: Verify we are running on requested JAVA_HOME # noqa blocked_modules command-instead-of-module - ansible.builtin.shell: | - set -o pipefail - ps -ef | grep '/opt/openjdk' | grep -v grep - args: - executable: /bin/bash - changed_when: False - - - name: Set internal envvar - ansible.builtin.set_fact: - hera_home: "{{ lookup('env', 'HERA_HOME') }}" - - name: Verify openid config block: - name: Fetch openID config # noqa blocked_modules command-instead-of-module diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml index 66587743..cfa9a3fc 100644 --- a/roles/keycloak/defaults/main.yml +++ b/roles/keycloak/defaults/main.yml @@ -8,8 +8,6 @@ keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}" keycloak_offline_install: false ### Install location and service settings -keycloak_jvm_package: "{{ 'java-1.8.0-openjdk-headless' if ansible_facts.os_family == 'RedHat' else 'openjdk-8-jdk-headless' }}" - keycloak_java_home: keycloak_dest: /opt/keycloak keycloak_jboss_home: "{{ keycloak_installdir }}" diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index 284900b6..a21f3599 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml @@ -5,15 +5,8 @@ tags: - prereqs -- name: Debian specific tasks - ansible.builtin.include_tasks: debian.yml - when: ansible_facts.os_family == "Debian" - tags: - - unbound - -- name: RedHat specific tasks - ansible.builtin.include_tasks: redhat.yml - when: ansible_facts.os_family == "RedHat" +- name: Distro specific tasks + ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml" tags: - unbound 
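Review bot: This hunk deletes the `Set internal envvar` task that defined `hera_home`, but the openid-config block further down verify.yml is still conditioned on `hera_home is defined` and `hera_home | length == 0` (visible in the version added by patch 4; the `when:` itself is outside this hunk). Unless that condition was changed elsewhere, `hera_home` is now never defined and the endpoint assertions are silently skipped, so the scenario passes while checking nothing beyond the service state. Either restore the set_fact or remove the two `when:` lines together with it.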
diff --git a/roles/keycloak/tasks/prereqs.yml b/roles/keycloak/tasks/prereqs.yml index 565931bb..c92bb1ce 100644 --- a/roles/keycloak/tasks/prereqs.yml +++ b/roles/keycloak/tasks/prereqs.yml @@ -36,12 +36,20 @@ success_msg: "Configuring JDBC persistence using {{ keycloak_jdbc_engine }} database" when: keycloak_db_enabled +- name: Validate OS family + ansible.builtin.assert: + that: + - ansible_os_family in ["RedHat", "Debian"] + quiet: true + fail_msg: "Can only install on RedHat or Debian OS families; found {{ ansible_os_family }}" + success_msg: "Installing on {{ ansible_os_family }}" + +- name: Load OS specific variables + ansible.builtin.include_vars: "vars/{{ ansible_os_family | lower }}.yml" + tags: + - always + - name: Ensure required packages are installed ansible.builtin.include_tasks: fastpackages.yml vars: - packages_list: - - "{{ keycloak_jvm_package }}" - - unzip - - "{{ 'procps-ng' if ansible_facts.os_family == 'RedHat' else 'procps' }}" - - "{{ 'initscripts' if ansible_facts.os_family == 'RedHat' else 'apt' }}" - - "{{ 'tzdata-java' if ansible_facts.os_family == 'RedHat' else 'tzdata' }}" + packages_list: "{{ keycloak_prereq_package_list }}" diff --git a/roles/keycloak/tasks/systemd.yml b/roles/keycloak/tasks/systemd.yml index cf84c321..40fa6b84 100644 --- a/roles/keycloak/tasks/systemd.yml +++ b/roles/keycloak/tasks/systemd.yml 
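Review bot: `Load OS specific variables` is tagged `always`, but tags on a dynamic `include_tasks` are not inherited by the included file, and the include of prereqs.yml in this role's main.yml (earlier hunk on this page) carries only `prereqs`; on a run such as `--tags systemd` the include itself is skipped, the vars file never loads, and `keycloak_sysconf_file` / `keycloak_pkg_java_home` are undefined when systemd.yml renders the template. The quarkus role dealt with this by adding `always` to the include in main.yml; do the same here, or move the include_vars into main.yml with `tags: [always]`. As in the quarkus role, `ansible_facts.os_family` would be safer than the injected `ansible_os_family` name in both new tasks.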
@@ -26,29 +26,10 @@ become: true ansible.builtin.template: src: keycloak-sysconfig.j2 - dest: /etc/default/keycloak + dest: "{{ keycloak_sysconf_file }}" owner: root group: root mode: 0644 - vars: - keycloak_rpm_java_home: "{{ rpm_java_home }}" - when: - - ansible_facts.os_family == "Debian" - notify: - - restart keycloak - -- name: "Configure sysconfig file for {{ keycloak.service_name }} service" - become: true - ansible.builtin.template: - src: keycloak-sysconfig.j2 - dest: /etc/sysconfig/keycloak - owner: root - group: root - mode: 0644 - vars: - keycloak_rpm_java_home: "{{ rpm_java_home }}" - when: - - ansible_facts.os_family == "RedHat" notify: - restart keycloak diff --git a/roles/keycloak/templates/keycloak-sysconfig.j2 b/roles/keycloak/templates/keycloak-sysconfig.j2 index 4c385225..33889dfa 100644 --- a/roles/keycloak/templates/keycloak-sysconfig.j2 +++ b/roles/keycloak/templates/keycloak-sysconfig.j2 @@ -1,6 +1,6 @@ {{ ansible_managed | comment }} JAVA_OPTS='{{ keycloak_java_opts }}' -JAVA_HOME={{ keycloak_java_home | default(keycloak_rpm_java_home, true) }} +JAVA_HOME={{ keycloak_java_home | default(keycloak_pkg_java_home, true) }} JBOSS_HOME={{ keycloak.home }} KEYCLOAK_BIND_ADDRESS={{ keycloak_bind_address }} KEYCLOAK_HTTP_PORT={{ keycloak_http_port }} diff --git a/roles/keycloak/templates/keycloak.service.j2 b/roles/keycloak/templates/keycloak.service.j2 index eea3ba17..9a04e887 100644 --- a/roles/keycloak/templates/keycloak.service.j2 +++ b/roles/keycloak/templates/keycloak.service.j2 @@ -11,7 +11,7 @@ StartLimitBurst={{ keycloak_service_startlimitburst }} User={{ keycloak_service_user }} Group={{ keycloak_service_group }} {% endif -%} -EnvironmentFile=-/etc/sysconfig/keycloak +EnvironmentFile=-{{ keycloak_sysconf_file }} PIDFile={{ keycloak_service_pidfile }} ExecStart={{ keycloak.home }}/bin/standalone.sh $WILDFLY_OPTS WorkingDirectory={{ keycloak.home }} 
diff --git a/roles/keycloak/vars/debian.yml b/roles/keycloak/vars/debian.yml new file mode 100644 index 00000000..ac3df14f --- /dev/null +++ b/roles/keycloak/vars/debian.yml @@ -0,0 +1,11 @@ +--- +keycloak_jvm_package: openjdk-11-jdk-headless +keycloak_prereq_package_list: + - "{{ keycloak_jvm_package }}" + - unzip + - procps + - apt + - tzdata +keycloak_configure_iptables: True +keycloak_sysconf_file: /etc/default/keycloak +keycloak_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_jvm_package | regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}" diff --git a/roles/keycloak/vars/redhat.yml b/roles/keycloak/vars/redhat.yml new file mode 100644 index 00000000..206251ee --- /dev/null +++ b/roles/keycloak/vars/redhat.yml @@ -0,0 +1,11 @@ +--- +keycloak_jvm_package: java-1.8.0-openjdk-headless +keycloak_prereq_package_list: + - "{{ keycloak_jvm_package }}" + - unzip + - procps-ng + - initscripts + - tzdata-java +keycloak_configure_iptables: False +keycloak_sysconf_file: /etc/sysconfig/keycloak +keycloak_pkg_java_home: "/etc/alternatives/jre_{{ keycloak_jvm_package | regex_search('(?<=java-)[0-9.]+') }}" From 2bbf7d9cc4a94f75942d8a35a56abcd04a33cd3b Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Mon, 25 Mar 2024 16:30:13 +0100 Subject: [PATCH 7/7] revert JVM var that cannot be overridden --- molecule/default/converge.yml | 2 +- roles/keycloak/meta/argument_specs.yml | 55 +------------------ roles/keycloak/tasks/systemd.yml | 12 ---- roles/keycloak/vars/debian.yml | 6 +- roles/keycloak/vars/redhat.yml | 7 +-- roles/keycloak_quarkus/defaults/main.yml | 4 +- .../keycloak_quarkus/meta/argument_specs.yml | 41 ++------------ roles/keycloak_quarkus/vars/debian.yml | 7 +-- roles/keycloak_quarkus/vars/redhat.yml | 7 +-- 9 files changed, 22 insertions(+), 119 deletions(-) diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index ace4743f..5927ff9a 100644 --- a/molecule/default/converge.yml 
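Review bot: vars/debian.yml sets `keycloak_configure_iptables: True` while argument_specs documents the default as false, and because include_vars outranks inventory and play vars, a Debian user who sets it to false in host_vars still gets iptables configured; only `-e` overrides it. Keep the public flag in defaults and have the vars file only supply a distro fallback, and write the literals as `true`/`false`. `keycloak_pkg_java_home` for Debian uses `(?!:openjdk-)`, a negative lookahead for the literal `:openjdk-`, which matches the version only by position; `regex_search('(?<=openjdk-)[0-9.]+')` mirrors the redhat expression and says what is meant.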
+++ b/molecule/default/converge.yml @@ -1,7 +1,7 @@ --- - name: Converge hosts: all - vars: + vars: keycloak_admin_password: "remembertochangeme" keycloak_jvm_package: java-11-openjdk-headless keycloak_modcluster_enabled: True diff --git a/roles/keycloak/meta/argument_specs.yml b/roles/keycloak/meta/argument_specs.yml index ca1cb8b0..7ba65094 100644 --- a/roles/keycloak/meta/argument_specs.yml +++ b/roles/keycloak/meta/argument_specs.yml 
@@ -2,47 +2,38 @@ argument_specs: main: options: keycloak_version: - # line 3 of keycloak/defaults/main.yml default: "18.0.2" description: "keycloak.org package version" type: "str" keycloak_archive: - # line 4 of keycloak/defaults/main.yml default: "keycloak-legacy-{{ keycloak_version }}.zip" description: "keycloak install archive filename" type: "str" keycloak_configure_iptables: - # line 33 of keycloak/defaults/main.yml default: false description: "Ensure iptables is running and configure keycloak ports" type: "bool" keycloak_configure_firewalld: - # line 33 of keycloak/defaults/main.yml default: false description: "Ensure firewalld is running and configure keycloak ports" type: "bool" keycloak_download_url: - # line 5 of keycloak/defaults/main.yml default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}" description: "Download URL for keycloak" type: "str" keycloak_download_url_9x: - # line 6 of keycloak/defaults/main.yml default: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}" description: "Download URL for keycloak (deprecated)" type: "str" keycloak_installdir: - # line 7 of keycloak/defaults/main.yml default: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}" description: "Installation path" type: "str" keycloak_offline_install: - # line 20 of keycloak/defaults/main.yml default: false description: "Perform an offline install" type: "bool" keycloak_jvm_package: - # line 23 of keycloak/defaults/main.yml default: "java-1.8.0-openjdk-headless" description: "RHEL java package runtime rpm" type: "str" 
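Review bot: With Debian now a supported platform, the `keycloak_jvm_package` entry's description "RHEL java package runtime rpm" and default `java-1.8.0-openjdk-headless` describe only the RedHat branch, while vars/debian.yml installs `openjdk-11-jdk-headless`. Document it as distro-dependent, e.g. `description: "Java runtime package; java-1.8.0-openjdk-headless on RedHat, openjdk-11-jdk-headless on Debian"`. `keycloak_configure_iptables` still reads `default: false`, but vars/debian.yml sets it to True at a higher precedence, so either the spec should state the effective Debian behaviour or the vars file should stop setting it. Removing the stale `# line N of defaults/main.yml` comments is a good cleanup.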
@@ -50,12 +41,10 @@ argument_specs: description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path" type: "str" keycloak_dest: - # line 24 of keycloak/defaults/main.yml default: "/opt/keycloak" description: "Root installation directory" type: "str" keycloak_jboss_home: - # line 25 of keycloak/defaults/main.yml default: "{{ keycloak_installdir }}" description: "Installation work directory" type: "str" 
@@ -64,52 +53,42 @@ argument_specs: description: "Port offset for the JBoss socket binding" type: "int" keycloak_config_dir: - # line 26 of keycloak/defaults/main.yml default: "{{ keycloak_jboss_home }}/standalone/configuration" description: "Path for configuration" type: "str" keycloak_config_standalone_xml: - # line 27 of keycloak/defaults/main.yml default: "keycloak.xml" description: "Service configuration filename" type: "str" keycloak_config_path_to_standalone_xml: - # line 28 of keycloak/defaults/main.yml default: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}" description: "Custom path for configuration" type: "str" keycloak_config_override_template: - # line 30 of keycloak/defaults/main.yml default: "" description: "Path to custom template for standalone.xml configuration" type: "str" - keycloak_service_runas: - # line 20 of keycloak/defaults/main.yml + keycloak_service_runas: default: false description: "Enable execution of service as `keycloak_service_user`" type: "bool" keycloak_service_user: - # line 29 of keycloak/defaults/main.yml default: "keycloak" description: "posix account username" type: "str" keycloak_service_group: - # line 30 of keycloak/defaults/main.yml default: "keycloak" description: "posix account group" type: "str" keycloak_service_pidfile: - # line 31 of keycloak/defaults/main.yml default: "/run/keycloak/keycloak.pid" description: "PID file path for service" type: "str" keycloak_features: - # line 17 of keycloak/defaults/main.yml default: "[]" description: "List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]`" type: "list" keycloak_bind_address: - # line 34 of keycloak/defaults/main.yml default: "0.0.0.0" description: "Address for binding service ports" type: "str" 
@@ -118,52 +97,42 @@ argument_specs:
description: "Address for binding the management ports"
type: "str"
keycloak_host:
- # line 35 of keycloak/defaults/main.yml
default: "localhost"
description: "Hostname for service"
type: "str"
keycloak_http_port:
- # line 36 of keycloak/defaults/main.yml
default: 8080
description: "Listening HTTP port"
type: "int"
keycloak_https_port:
- # line 37 of keycloak/defaults/main.yml
default: 8443
description: "Listening HTTPS port"
type: "int"
keycloak_ajp_port:
- # line 38 of keycloak/defaults/main.yml
default: 8009
description: "Listening AJP port"
type: "int"
keycloak_jgroups_port:
- # line 39 of keycloak/defaults/main.yml
default: 7600
description: "jgroups cluster tcp port"
type: "int"
keycloak_management_http_port:
- # line 40 of keycloak/defaults/main.yml
default: 9990
description: "Management port (http)"
type: "int"
keycloak_management_https_port:
- # line 41 of keycloak/defaults/main.yml
default: 9993
description: "Management port (https)"
type: "int"
keycloak_java_opts:
- # line 42 of keycloak/defaults/main.yml
default: "-Xms1024m -Xmx2048m"
description: "Additional JVM options"
type: "str"
keycloak_prefer_ipv4:
- # line 43 of keycloak/defaults/main.yml
default: true
description: "Prefer IPv4 stack and addresses for port binding"
type: "bool"
keycloak_ha_enabled:
- # line 46 of keycloak/defaults/main.yml
default: false
description: "Enable auto configuration for database backend, clustering and remote caches on infinispan"
type: "bool"
@@ -172,27 +141,22 @@ argument_specs:
description: "Discovery protocol for HA cluster members"
type: "str"
keycloak_db_enabled:
- # line 48 of keycloak/defaults/main.yml
default: "{{ True if keycloak_ha_enabled else False }}"
description: "Enable auto configuration for database backend"
type: "bool"
keycloak_admin_user:
- # line 51 of keycloak/defaults/main.yml
default: "admin"
description: "Administration console user account"
type: "str"
keycloak_auth_realm:
- # line 52 of keycloak/defaults/main.yml
default: "master"
description: "Name for rest authentication realm"
type: "str"
keycloak_auth_client:
- # line 53 of keycloak/defaults/main.yml
default: "admin-cli"
description: "Authentication client for configuration REST calls"
type: "str"
keycloak_force_install:
- # line 55 of keycloak/defaults/main.yml
default: false
description: "Remove pre-existing versions of service"
type: "bool"
@@ -201,7 +165,6 @@ argument_specs:
description: "Enable configuration for modcluster subsystem"
type: "bool"
keycloak_modcluster_url:
- # line 58 of keycloak/defaults/main.yml
default: "localhost"
description: "URL for the modcluster reverse proxy"
type: "str"
@@ -214,7 +177,6 @@ argument_specs:
description: "List of modproxy node URLs in the format { host, port } for the modcluster reverse proxy"
type: "list"
keycloak_frontend_url:
- # line 59 of keycloak/defaults/main.yml
default: "http://localhost"
description: "Frontend URL for keycloak endpoints when a reverse proxy is used"
type: "str"
@@ -223,77 +185,62 @@ argument_specs:
description: "Force backend requests to use the frontend URL"
type: "bool"
keycloak_infinispan_user:
- # line 62 of keycloak/defaults/main.yml
default: "supervisor"
description: "Username for connecting to infinispan"
type: "str"
keycloak_infinispan_pass:
- # line 63 of keycloak/defaults/main.yml
default: "supervisor"
description: "Password for connecting to infinispan"
type: "str"
keycloak_infinispan_url:
- # line 64 of keycloak/defaults/main.yml
default: "localhost"
description: "URL for the infinispan remote-cache server"
type: "str"
keycloak_infinispan_sasl_mechanism:
- # line 65 of keycloak/defaults/main.yml
default: "SCRAM-SHA-512"
description: "Authentication type to infinispan server"
type: "str"
keycloak_infinispan_use_ssl:
- # line 66 of keycloak/defaults/main.yml
default: false
description: "Enable hotrod client TLS communication"
type: "bool"
keycloak_infinispan_trust_store_path:
- # line 68 of keycloak/defaults/main.yml
default: "/etc/pki/java/cacerts"
description: "TODO document argument"
type: "str"
keycloak_infinispan_trust_store_password:
- # line 69 of keycloak/defaults/main.yml
default: "changeit"
description: "Path to truststore containing infinispan server certificate"
type: "str"
keycloak_jdbc_engine:
- # line 72 of keycloak/defaults/main.yml
default: "postgres"
description: "Backend database flavour when db is enabled: [ postgres, mariadb, sqlserver ]"
type: "str"
keycloak_db_user:
- # line 74 of keycloak/defaults/main.yml
default: "keycloak-user"
description: "Username for connecting to database"
type: "str"
keycloak_db_pass:
- # line 75 of keycloak/defaults/main.yml
default: "keycloak-pass"
description: "Password for connecting to database"
type: "str"
keycloak_jdbc_url:
- # line 76 of keycloak/defaults/main.yml
default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].url }}"
description: "URL for connecting to backend database"
type: "str"
keycloak_jdbc_driver_version:
- # line 77 of 
keycloak/defaults/main.yml
default: "{{ keycloak_default_jdbc[keycloak_jdbc_engine].version }}"
description: "Version for the JDBC driver to download"
type: "str"
keycloak_admin_password:
- # line 4 of keycloak/vars/main.yml
required: true
description: "Password for the administration console user account"
type: "str"
keycloak_url:
- # line 12 of keycloak/vars/main.yml
default: "http://{{ keycloak_host }}:{{ keycloak_http_port + keycloak_jboss_port_offset }}"
description: "URL for configuration rest calls"
type: "str"
keycloak_management_url:
- # line 13 of keycloak/vars/main.yml
default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port + keycloak_jboss_port_offset }}"
description: "URL for management console rest calls"
type: "str"
diff --git a/roles/keycloak/tasks/systemd.yml b/roles/keycloak/tasks/systemd.yml
index 40fa6b84..797eb7b6 100644
--- a/roles/keycloak/tasks/systemd.yml
+++ b/roles/keycloak/tasks/systemd.yml
@@ -10,18 +10,6 @@ notify:
- restart keycloak
-- name: Determine JAVA_HOME for selected JVM RPM
- ansible.builtin.set_fact:
- rpm_java_home: "/lib/jvm/java-{{ keycloak_jvm_package | regex_search('(?<=java-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
- when:
- - ansible_facts.os_family == 'Debian'
-
-- name: Determine JAVA_HOME for selected JVM RPM
- ansible.builtin.set_fact:
- rpm_java_home: "/etc/alternatives/jre_{{ keycloak_jvm_package | regex_search('(?<=java-)[0-9.]+') }}"
- when:
- - ansible_facts.os_family == 'RedHat'
-
- name: "Configure sysconfig file for {{ keycloak.service_name }} service"
become: true
ansible.builtin.template:
diff --git a/roles/keycloak/vars/debian.yml b/roles/keycloak/vars/debian.yml
index ac3df14f..60cdfa8a 100644
--- a/roles/keycloak/vars/debian.yml
+++ b/roles/keycloak/vars/debian.yml
@@ -1,11 +1,11 @@
---
-keycloak_jvm_package: openjdk-11-jdk-headless
+keycloak_varjvm_package: "{{ keycloak_jvm_package | default('openjdk-11-jdk-headless') }}"
keycloak_prereq_package_list:
- - "{{ keycloak_jvm_package }}"
+ - "{{ keycloak_varjvm_package }}"
- unzip
- procps
- apt
- tzdata
keycloak_configure_iptables: True
keycloak_sysconf_file: /etc/default/keycloak
-keycloak_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_jvm_package | regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
+keycloak_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_varjvm_package | regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
diff --git a/roles/keycloak/vars/redhat.yml b/roles/keycloak/vars/redhat.yml
index 206251ee..6c368474 100644
--- a/roles/keycloak/vars/redhat.yml
+++ b/roles/keycloak/vars/redhat.yml
@@ -1,11 +1,10 @@
---
-keycloak_jvm_package: java-1.8.0-openjdk-headless
+keycloak_varjvm_package: "{{ keycloak_jvm_package | default('java-1.8.0-openjdk-headless') }}"
keycloak_prereq_package_list:
- - "{{ keycloak_jvm_package }}"
+ - "{{ keycloak_varjvm_package }}"
- unzip
- procps-ng
- initscripts
- tzdata-java
-keycloak_configure_iptables: False
keycloak_sysconf_file: /etc/sysconfig/keycloak
-keycloak_pkg_java_home: "/etc/alternatives/jre_{{ keycloak_jvm_package | regex_search('(?<=java-)[0-9.]+') }}"
+keycloak_pkg_java_home: "/etc/alternatives/jre_{{ keycloak_varjvm_package | regex_search('(?<=java-)[0-9.]+') }}"
diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml
index e630bd32..d931cabc 100644
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
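Review bot: `keycloak_configure_iptables: True` is left in roles/keycloak/vars/debian.yml while the redhat.yml hunk on the same line drops its `False`, so on Debian the flag is pinned at include_vars/role-vars precedence and an inventory or play value can no longer turn iptables configuration off; move it to defaults/main.yml as `keycloak_configure_iptables: false`, as the keycloak_quarkus role does in this commit, and write it lowercase per yamllint truthy. The new `keycloak_pkg_java_home` line also carries over the regex `(?!:openjdk-)[0-9.]+`: a negative lookahead for the literal `:openjdk-` never fails, so the filter simply returns the first digit run in the package name and only works for `openjdk-11-jdk-headless` by accident; the intended form is the lookbehind `(?<=openjdk-)[0-9.]+`, matching the `(?<=java-)` pattern used in redhat.yml. The same regex is repeated in the roles/keycloak_quarkus/vars/debian.yml hunk below. If an explicitly empty `keycloak_jvm_package` is meant to fall back too, the filter needs `default('openjdk-11-jdk-headless', true)`, since plain `default()` leaves an empty string in the package list.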
@@ -17,11 +17,13 @@ keycloak_quarkus_start_dev: false
keycloak_quarkus_service_user: keycloak
keycloak_quarkus_service_group: keycloak
keycloak_quarkus_service_pidfile: "/run/keycloak/keycloak.pid"
-keycloak_quarkus_configure_firewalld: false
keycloak_quarkus_service_restart_always: false
keycloak_quarkus_service_restart_on_failure: false
keycloak_quarkus_service_restartsec: "10s"
+keycloak_quarkus_configure_firewalld: false
+keycloak_quarkus_configure_iptables: false
+
### administrator console password
keycloak_quarkus_admin_user: admin
keycloak_quarkus_admin_pass:
diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
index b1baea28..c7cd4463 100644
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -2,32 +2,26 @@ argument_specs:
main:
options:
keycloak_quarkus_version:
- # line 3 of defaults/main.yml
- default: "17.0.1"
+ default: "23.0.7"
description: "keycloak.org package version"
type: "str"
keycloak_quarkus_archive:
- # line 4 of defaults/main.yml
default: "keycloak-{{ keycloak_quarkus_version }}.zip"
description: "keycloak install archive filename"
type: "str"
keycloak_quarkus_download_url:
- # line 5 of defaults/main.yml
default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
description: "Download URL for keycloak"
type: "str"
keycloak_quarkus_installdir:
- # line 6 of defaults/main.yml
default: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
description: "Installation path"
type: "str"
keycloak_quarkus_offline_install:
- # line 9 of defaults/main.yml
default: false
description: "Perform an offline install"
type: "bool"
keycloak_quarkus_jvm_package:
- # line 12 of defaults/main.yml
default: "java-11-openjdk-headless"
description: "RHEL java package runtime"
type: "str"
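Review bot: The `keycloak_quarkus_jvm_package` entry at the end of the argument_specs hunk still documents `default: "java-11-openjdk-headless"` and "RHEL java package runtime", while the vars files changed in this commit fall back to `java-17-openjdk-headless` on RedHat and `openjdk-17-jdk-headless` on Debian, so the spec no longer matches what the role installs. Suggest `default: ""` with a description along the lines of "JVM package to install; when unset the OS-family default (OpenJDK 17) from vars/<os_family>.yml is used". Whether role argument-spec validation injects this default into the play's vars is not visible here; if it does, the `default()` filters in vars/*.yml would never fire and an 11 JVM would be installed on RedHat, which is worth confirming before merge.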
@@ -35,37 +29,34 @@ argument_specs:
description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path"
type: "str"
keycloak_quarkus_dest:
- # line 13 of defaults/main.yml
default: "/opt/keycloak"
description: "Installation root path"
type: "str"
keycloak_quarkus_home:
- # line 14 of defaults/main.yml
default: "{{ keycloak_quarkus_installdir }}"
description: "Installation work directory"
type: "str"
keycloak_quarkus_config_dir:
- # line 15 of defaults/main.yml
default: "{{ keycloak_quarkus_home }}/conf"
description: "Path for configuration"
type: "str"
keycloak_quarkus_service_user:
- # line 16 of defaults/main.yml
default: "keycloak"
description: "Posix account username"
type: "str"
keycloak_quarkus_service_group:
- # line 17 of defaults/main.yml
default: "keycloak"
description: "Posix account group"
type: "str"
keycloak_quarkus_service_pidfile:
- # line 18 of defaults/main.yml
default: "/run/keycloak/keycloak.pid"
description: "Pid file path for service"
type: "str"
keycloak_quarkus_configure_firewalld:
- # line 19 of defaults/main.yml
+ default: false
+ description: "Ensure firewalld is running and configure keycloak ports"
+ type: "bool"
+ keycloak_quarkus_configure_iptables:
default: false
description: "Ensure firewalld is running and configure keycloak ports"
type: "bool"
@@ -90,12 +81,10 @@ argument_specs:
description: "Password of console admin account"
type: "str"
keycloak_quarkus_master_realm:
- # line 24 of defaults/main.yml
default: "master"
description: "Name for rest authentication realm"
type: "str"
keycloak_quarkus_bind_address:
- # line 27 of defaults/main.yml
default: "0.0.0.0"
description: "Address for binding service ports"
type: "str"
@@ -116,7 +105,6 @@ argument_specs:
description: "Enable listener on HTTP port"
type: "bool"
keycloak_quarkus_http_port:
- # line 29 of defaults/main.yml
default: 8080
description: "HTTP port"
type: "int"
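Review bot: The new `keycloak_quarkus_configure_iptables` option in the first hunk ends up with the firewalld text verbatim ("Ensure firewalld is running and configure keycloak ports"), which is wrong for an iptables toggle and gives operators no hint that it is a separate firewall backend. Suggest `description: "Configure iptables rules for the keycloak ports (use when firewalld is not available; see keycloak_quarkus_configure_firewalld)"`. Only the spec is visible here, so whether the role guards against both flags being true at once is not something this hunk shows; if they are meant to be exclusive, a short assert in prereqs would make that explicit.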
@@ -157,27 +145,22 @@ argument_specs:
description: "Password for the trust store"
type: "str"
keycloak_quarkus_https_port:
- # line 30 of defaults/main.yml
default: 8443
description: "HTTPS port"
type: "int"
keycloak_quarkus_ajp_port:
- # line 31 of defaults/main.yml
default: 8009
description: "AJP port"
type: "int"
keycloak_quarkus_jgroups_port:
- # line 32 of defaults/main.yml
default: 7800
description: "jgroups cluster tcp port"
type: "int"
keycloak_quarkus_java_opts:
- # line 33 of defaults/main.yml
default: "-Xms1024m -Xmx2048m"
description: "Additional JVM options"
type: "str"
keycloak_quarkus_ha_enabled:
- # line 36 of defaults/main.yml
default: false
description: "Enable auto configuration for database backend, clustering and remote caches on infinispan"
type: "bool"
@@ -186,7 +169,6 @@ argument_specs:
description: "Discovery protocol for HA cluster members"
type: "str"
keycloak_quarkus_db_enabled:
- # line 38 of defaults/main.yml
default: "{{ True if keycloak_quarkus_ha_enabled else False }}"
description: "Enable auto configuration for database backend"
type: "str"
@@ -204,7 +186,6 @@ argument_specs:
description: "Service URL for the admin console"
type: "str"
keycloak_quarkus_metrics_enabled:
- # line 43 of defaults/main.yml
default: false
description: "Whether to enable metrics"
type: "bool"
@@ -213,62 +194,50 @@ argument_specs:
description: "If the server should expose health check endpoints"
type: "bool"
keycloak_quarkus_ispn_user:
- # line 46 of defaults/main.yml
default: "supervisor"
description: "Username for connecting to infinispan"
type: "str"
keycloak_quarkus_ispn_pass:
- # line 47 of defaults/main.yml
default: "supervisor"
description: "Password for connecting to infinispan"
type: "str"
keycloak_quarkus_ispn_hosts:
- # line 48 of defaults/main.yml
default: "localhost:11222"
description: "host name/port for connecting to infinispan, eg. host1:11222;host2:11222"
type: "str"
keycloak_quarkus_ispn_sasl_mechanism:
- # line 49 of defaults/main.yml
default: "SCRAM-SHA-512"
description: "Infinispan auth mechanism"
type: "str"
keycloak_quarkus_ispn_use_ssl:
- # line 50 of defaults/main.yml
default: false
description: "Whether infinispan uses TLS connection"
type: "bool"
keycloak_quarkus_ispn_trust_store_path:
- # line 52 of defaults/main.yml
default: "/etc/pki/java/cacerts"
description: "Path to infinispan server trust certificate"
type: "str"
keycloak_quarkus_ispn_trust_store_password:
- # line 53 of defaults/main.yml
default: "changeit"
description: "Password for infinispan certificate keystore"
type: "str"
keycloak_quarkus_jdbc_engine:
- # line 56 of defaults/main.yml
default: "postgres"
description: "Database engine [mariadb,postres,mssql]"
type: "str"
keycloak_quarkus_db_user:
- # line 58 of defaults/main.yml
default: "keycloak-user"
description: "User for database connection"
type: "str"
keycloak_quarkus_db_pass:
- # line 59 of defaults/main.yml
default: "keycloak-pass"
description: "Password for database connection"
type: "str"
keycloak_quarkus_jdbc_url:
- # line 60 of defaults/main.yml
default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
description: "JDBC URL for connecting to database"
type: "str"
keycloak_quarkus_jdbc_driver_version:
- # line 61 of defaults/main.yml
default: "{{ 
keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
description: "Version for JDBC driver"
type: "str"
diff --git a/roles/keycloak_quarkus/vars/debian.yml b/roles/keycloak_quarkus/vars/debian.yml
index e8c90e31..a42eb5f4 100644
--- a/roles/keycloak_quarkus/vars/debian.yml
+++ b/roles/keycloak_quarkus/vars/debian.yml
@@ -1,11 +1,10 @@
---
-keycloak_quarkus_jvm_package: openjdk-17-jdk-headless
+keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('openjdk-17-jdk-headless') }}"
keycloak_quarkus_prereq_package_list:
- - "{{ keycloak_quarkus_jvm_package }}"
+ - "{{ keycloak_quarkus_varjvm_package }}"
- unzip
- procps
- apt
- tzdata
-keycloak_quarkus_configure_iptables: True
keycloak_quarkus_sysconf_file: /etc/default/keycloak
-keycloak_quarkus_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_quarkus_jvm_package | regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
+keycloak_quarkus_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_quarkus_varjvm_package | regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
diff --git a/roles/keycloak_quarkus/vars/redhat.yml b/roles/keycloak_quarkus/vars/redhat.yml
index e40a94a7..c311321f 100644
--- a/roles/keycloak_quarkus/vars/redhat.yml
+++ b/roles/keycloak_quarkus/vars/redhat.yml
@@ -1,11 +1,10 @@
---
-keycloak_quarkus_jvm_package: java-17-openjdk-headless
+keycloak_quarkus_varjvm_package: "{{ keycloak_quarkus_jvm_package | default('java-17-openjdk-headless') }}"
keycloak_quarkus_prereq_package_list:
- - "{{ keycloak_quarkus_jvm_package }}"
+ - "{{ keycloak_quarkus_varjvm_package }}"
- unzip
- procps-ng
- initscripts
- tzdata-java
-keycloak_quarkus_configure_iptables: False
keycloak_quarkus_sysconf_file: /etc/sysconfig/keycloak
-keycloak_quarkus_pkg_java_home: "/etc/alternatives/jre_{{ keycloak_quarkus_jvm_package | regex_search('(?<=java-)[0-9.]+') }}"
+keycloak_quarkus_pkg_java_home: "/etc/alternatives/jre_{{ keycloak_quarkus_varjvm_package | regex_search('(?<=java-)[0-9.]+') }}"