keycloak
========

Installs and configures a [keycloak](https://keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) server.

Requirements
------------
This role requires the `python3-netaddr` library installed on the controller node.

* to install via yum/dnf: `dnf install python3-netaddr`
* or via pip: `pip install netaddr==0.8.0`
* or via the collection: `pip install -r requirements.txt`

Versions
--------
| RH-SSO VERSION | Release Date | Keycloak Version | EAP Version | Notes |
|:---------------|:------------------|:-----------------|:------------|:----------------|
|`7.5.0 GA` |September 20, 2021 |`15.0.2` | `7.4.0` |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|

Role Defaults
-------------
| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-On installation | `False` |
|`keycloak_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
|`keycloak_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_ha_enabled` is True, else `False` |
|`keycloak_admin_user`| Administration console user account | `admin` |
|`keycloak_bind_address`| Address for binding service ports | `0.0.0.0` |
|`keycloak_host`| Hostname | `localhost` |
|`keycloak_http_port`| HTTP port | `8080` |
|`keycloak_https_port`| TLS HTTP port | `8443` |
|`keycloak_management_http_port`| Management port | `9990` |
|`keycloak_management_https_port`| TLS management port | `9993` |
|`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
|`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `True` |
|`keycloak_offline_install` | Perform an offline install | `False` |
|`keycloak_config_standalone_xml`| Filename for configuration | `keycloak.xml` |
|`keycloak_service_user`| POSIX account username | `keycloak` |
|`keycloak_service_group`| POSIX account group | `keycloak` |
|`keycloak_service_pidfile`| PID file path for service | `/run/keycloak.pid` |
|`jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-devel` |

Role Variables
--------------
The following are a set of _required_ variables for the role:

| Variable | Description |
|:---------|:------------|
|`keycloak_admin_password`| Password for the administration console user account |

The following variables are _required_ only when `keycloak_ha_enabled` is True:

| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_modcluster_url` | URL for the modcluster reverse proxy | `localhost` |
|`keycloak_frontend_url` | frontend URL for keycloak endpoints when a reverse proxy is used | `http://localhost` |
|`keycloak_jdbc_engine` | backend database flavour when db is enabled: [ postgres, mariadb ] | `postgres` |
|`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
|`infinispan_user` | username for connecting to infinispan | `supervisor` |
|`infinispan_pass` | password for connecting to infinispan | `supervisor` |
|`infinispan_sasl_mechanism`| Authentication type | `SCRAM-SHA-512` |
|`infinispan_use_ssl`| Enable hotrod TLS communication | `False` |
|`infinispan_trust_store_path`| Path to truststore with infinispan server certificate | `/etc/pki/java/cacerts` |
|`infinispan_trust_store_password`| Password for opening truststore | `changeit` |

The following variables are _required_ only when `keycloak_db_enabled` is True:

| Variable | Description | Default |
|:---------|:------------|:---------|
|`keycloak_jdbc_url` | URL for the postgres backend database | `jdbc:postgresql://localhost:5432/keycloak` |
|`keycloak_jdbc_driver_version`| Version for the JDBC driver to download | `9.4.1212` |
|`keycloak_db_user` | username for connecting to postgres | `keycloak-user` |
|`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` |
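
The HA and database variables above fit together as in the following playbook, an added example that is not part of the role's README or of the middleware_automation collection. It enables `keycloak_ha_enabled` (which turns `keycloak_db_enabled` on by default), points the role at a PostgreSQL server and an Infinispan cache reached over TLS, and overrides every credential that the tables ship with a default for (`supervisor`, `changeit`, `keycloak-pass`). The hostnames, the `vault_*` variables and the `vault/keycloak_secrets.yml` path are assumptions.

```yaml
---
# Added example (not part of the role's README or the collection): HA install
# with a PostgreSQL backend and a TLS-protected Infinispan remote cache.
# Hostnames, the vault_* variables and the vars file path are assumptions.
- name: Keycloak HA install with the default credentials overridden
  hosts: keycloak
  collections:
    - middleware_automation.keycloak
  vars_files:
    - vault/keycloak_secrets.yml   # assumed: an ansible-vault encrypted file defining the vault_* values
  tasks:
    - name: Include keycloak role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "{{ vault_keycloak_admin_password }}"
        # HA turns the database backend on as well (keycloak_db_enabled defaults to True here)
        keycloak_ha_enabled: True
        keycloak_modcluster_url: "proxy.example.internal"
        keycloak_frontend_url: "https://sso.example.com"
        # database backend: never leave keycloak_db_user/keycloak_db_pass at their defaults
        keycloak_jdbc_engine: postgres
        keycloak_jdbc_url: "jdbc:postgresql://db.example.internal:5432/keycloak"
        keycloak_db_user: keycloak
        keycloak_db_pass: "{{ vault_keycloak_db_pass }}"
        # remote cache: SCRAM-SHA-512 authentication over a TLS Hot Rod connection,
        # verified against the truststore that holds the Infinispan server certificate
        infinispan_url: "cache.example.internal:11222"   # assumed Hot Rod endpoint
        infinispan_user: keycloak
        infinispan_pass: "{{ vault_infinispan_pass }}"
        infinispan_sasl_mechanism: SCRAM-SHA-512
        infinispan_use_ssl: True
        infinispan_trust_store_path: /etc/pki/java/cacerts
        infinispan_trust_store_password: "{{ vault_truststore_password }}"
```

Run it with `ansible-playbook --ask-vault-pass` (or `--vault-password-file`) against a playbook file of your choosing so the `vault_*` values are decrypted only at run time. The point of the example is that none of the defaults listed in the tables survive into a deployment, and that the cache connection is both authenticated and encrypted rather than the plaintext default.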

The following variable can be used to install Keycloak or Red Hat Single Sign-On from a local path:

| Variable | Description | Example |
|:---------|:------------|:---------|
|`zip_file_local_path` | Full local path of the upstream (Keycloak) or Red Hat Single Sign-On zip file on the Ansible control node | `tmp/rhsso/rh-sso-7.5-server-dist.zip` |

The following variable can be used to install Red Hat Single Sign-On from a source URL; authenticated downloads are not supported yet.

| Variable | Description | Example |
|:---------|:------------|:---------|
|`rhsso_source_download_url` | URL to download the Red Hat Single Sign-On zip file from | `http://localhost:8081/nexus/rhsso/rh-sso-7.5-server-dist.zip` |

Dependencies
------------
The role depends on:

* the `redhat_csp_download` role from the [middleware_automation.redhat_csp_download](https://github.com/ansible-middleware/redhat-csp-download) collection, if the Red Hat Single Sign-On zip has to be downloaded from RHN.
* the `wildfly_driver` role from the [middleware_automation.wildfly](https://github.com/ansible-middleware/wildfly) collection.

Example Playbook
----------------
The following is an example playbook that uses the role to install keycloak from the remote (upstream) distribution:

```yaml
---
- hosts: ...
  collections:
    - middleware_automation.keycloak
  tasks:
    - name: Include keycloak role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "changeme"
```

The following is an example playbook that uses the role to install keycloak from a local path on the Ansible node:

```yaml
---
- hosts: ...
  collections:
    - middleware_automation.keycloak
  tasks:
    - name: Include keycloak role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "changeme"
        zip_file_local_path: "/tmp/keycloak/keycloak-16.1.0.zip" # local path, on the Ansible node, of the upstream (keycloak) zip file
```

The following is an example playbook that uses the role to install Red Hat Single Sign-On from RHN:

```yaml
---
- name: Playbook for RHSSO
  hosts: keycloak
  collections:
    - middleware_automation.redhat_csp_download
    - middleware_automation.keycloak
  roles:
    - redhat_csp_download
  tasks:
    - name: Keycloak Role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "changeme"
        keycloak_rhsso_enable: True
```

The following is an example playbook that uses the role to install Red Hat Single Sign-On from a source URL:

```yaml
---
- hosts: keycloak
  collections:
    - middleware_automation.keycloak
  tasks:
    - name: Keycloak Role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "changeme"
        keycloak_rhsso_enable: True
        rhsso_source_download_url: "< REPLACE with - Source download url >" # full URL of the remote RH-SSO zip file
```

The following is an example playbook that uses the role to install Red Hat Single Sign-On from a local path on the Ansible node:

```yaml
---
- hosts: keycloak
  collections:
    - middleware_automation.keycloak
  tasks:
    - name: Keycloak Role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "changeme"
        keycloak_rhsso_enable: True
        zip_file_local_path: "/tmp/rhsso/rh-sso-7.5-server-dist.zip" # local path, on the Ansible node, of the RH-SSO zip file
```

License
-------
Apache License 2.0

Author Information
------------------
* [Guido Grazioli](https://github.com/guidograzioli)
* [Romain Pelisse](https://github.com/rpelisse)
* [Pavan Kumar Motaparthi](https://github.com/motaparthipavankumar)