diff --git a/roles/keycloak/README.md b/roles/keycloak/README.md
index 8a79a67..b1366ef 100644
--- a/roles/keycloak/README.md
+++ b/roles/keycloak/README.md
@@ -24,7 +24,7 @@ Role Defaults
|`keycloak_https_port`| TLS HTTP port | `8443`
|`keycloak_management_http_port`| management port | `9990`
|`keycloak_management_https_port`| TLS management port | `9993`
-|`keycloak_java_opts`| | `-Xms1024m -Xmx20480m -XX:MaxPermSize=768m`
+|`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx20480m -XX:MaxPermSize=768m`
Role Variables
@@ -46,6 +46,10 @@ The following variables are _required_ only when keycloak_ha_enabled is True:
|`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
|`infinispan_user` | username for connecting to infinispan | `supervisor` |
|`infinispan_pass` | password for connecting to infinispan | `supervisor` |
+|`infinispan_sasl_mechanism`| Authentication type | `SCRAM-SHA-512` |
+|`infinispan_use_ssl`| Enable hotrod TLS communication | `False` |
+|`infinispan_trust_store_path`| Path to truststore with infinispan server certificate | `/etc/pki/java/cacerts` |
+|`infinispan_trust_store_password`| Password for opening truststore | `changeit` |
The following variables are _required_ only when keycloak_db_enabled is True and keycloak_jdbc_engine is postgres:
diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml
index e2b9ac9..9b2ef04 100644
--- a/roles/keycloak/defaults/main.yml
+++ b/roles/keycloak/defaults/main.yml
@@ -49,10 +49,15 @@ keycloak_force_install: False
### mod_cluster reverse proxy
keycloak_modcluster_url: localhost
-### infinispan remote caches access
+### infinispan remote caches access (hotrod)
infinispan_user: supervisor
infinispan_pass: supervisor
infinispan_url: localhost
+infinispan_sasl_mechanism: SCRAM-SHA-512
+infinispan_use_ssl: False
+# if ssl is enabled, import ispn server certificate here
+infinispan_trust_store_path: /etc/pki/java/cacerts
+infinispan_trust_store_password: changeit
### database backend engine: values [ 'postgres', 'mariadb' ]
keycloak_jdbc_engine: postgres
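Review bot: `infinispan_use_ssl: False` on the new line leaves Hot Rod TLS off by default, so unless an operator opts in, whatever the remote cache carries crosses the network in the clear and the SCRAM-SHA-512 exchange protects only the password, not the payload; consider defaulting to `true`, or at least state the trade-off next to the variable. The capitalised `False` is a YAML 1.1 boolean that Jinja renders as the string `False`; write it `infinispan_use_ssl: false` and let the template normalise case, since whether the XML consumer parses `False` case-insensitively is not visible here. `infinispan_trust_store_password: changeit` is the JDK's well-known default for the system cacerts, acceptable as a fallback, but because the comment tells users to import the server certificate there, add something like `# production: use a dedicated truststore with a non-default password, not the system cacerts`.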
diff --git a/roles/keycloak/templates/standalone-infinispan.xml.j2 b/roles/keycloak/templates/standalone-infinispan.xml.j2
index 498770f..382b1e8 100644
--- a/roles/keycloak/templates/standalone-infinispan.xml.j2
+++ b/roles/keycloak/templates/standalone-infinispan.xml.j2
@@ -405,6 +405,7 @@
{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}
JKS
{{ keycloak_remotecache.trust_store_password | default("changeme") }}
+ TOPOLOGY_AWARE
{% endfor %}
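Review bot: This template still falls back to `default('/etc/truststore/truststore.jks')` and `default("changeme")` on the trust store lines, while the same lines in standalone-rhsso-jdg.xml.j2 are switched in this commit to render `keycloak_remotecache.trust_store_path` / `trust_store_password` directly, which vars/main.yml now always defines. The two templates should agree: either drop the `default()` fallbacks here as well, or keep them in both; otherwise a mis-populated `keycloak_remotecache` silently produces a config pointing at a non-existent truststore with a placeholder password in one profile and fails loudly in the other. The `use_ssl` line of this cache definition is outside the hunk; if it is still the literal `false` the other template carried before this change, the new `infinispan_use_ssl` variable has no effect on this profile. The enclosing `{% for %}` loop starts outside the hunk, and the same remarks apply to the second cache definition in the next hunk.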
@@ -428,6 +429,7 @@
{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}
JKS
{{ keycloak_remotecache.trust_store_password | default("changeme") }}
+ TOPOLOGY_AWARE
diff --git a/roles/keycloak/templates/standalone-rhsso-jdg.xml.j2 b/roles/keycloak/templates/standalone-rhsso-jdg.xml.j2
index e13703d..09884b5 100644
--- a/roles/keycloak/templates/standalone-rhsso-jdg.xml.j2
+++ b/roles/keycloak/templates/standalone-rhsso-jdg.xml.j2
@@ -400,11 +400,12 @@
{{ keycloak_remotecache.password }}
{{ keycloak_remotecache.realm | default('default') }}
{{ keycloak_remotecache.server_name }}
- {{ keycloak_remotecache.sasl_mechanism | default('SCRAM-SHA-512') }}
- false
- {{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}
+ {{ keycloak_remotecache.sasl_mechanism }}
+ {{ keycloak_remotecache.use_ssl }}
+ {{ keycloak_remotecache.trust_store_path }}
JKS
- {{ keycloak_remotecache.trust_store_password | default("changeme") }}
+ {{ keycloak_remotecache.trust_store_password }}
+ TOPOLOGY_AWARE
{% endfor %}
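Review bot: `{{ keycloak_remotecache.use_ssl }}` on the new line emits whatever Jinja stringifies the variable to — with the default `infinispan_use_ssl: False` that is the capitalised string `False`, and an operator writing `yes`/`no` in inventory would have those words rendered verbatim. Normalise in the template, e.g. `{{ keycloak_remotecache.use_ssl | bool | lower }}`, so the emitted value is always `true` or `false` regardless of how it was spelled; whether the consumer accepts `False` case-insensitively cannot be seen here, so this is defensive either way. Removing the `default()` fallbacks is reasonable now that vars/main.yml sets every key, but it turns an undefined key into a hard templating error, which deserves a sentence in the README. The enclosing `{% for %}` loop begins outside the hunk; the second cache definition in the next hunk has the same shape.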
@@ -423,11 +424,12 @@
{{ keycloak_remotecache.password }}
{{ keycloak_remotecache.realm | default('default') }}
{{ keycloak_remotecache.server_name }}
- {{ keycloak_remotecache.sasl_mechanism | default('SCRAM-SHA-512') }}
- false
- {{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}
+ {{ keycloak_remotecache.sasl_mechanism }}
+ {{ keycloak_remotecache.use_ssl }}
+ {{ keycloak_remotecache.trust_store_path }}
JKS
- {{ keycloak_remotecache.trust_store_password | default("changeme") }}
+ {{ keycloak_remotecache.trust_store_password }}
+ TOPOLOGY_AWARE
diff --git a/roles/keycloak/vars/main.yml b/roles/keycloak/vars/main.yml
index 41dea0e..db46a10 100644
--- a/roles/keycloak/vars/main.yml
+++ b/roles/keycloak/vars/main.yml
@@ -1,9 +1,10 @@
---
-# vars file for keycloak
-
-# administrator console password, this is a required variable
+# required variables for keycloak
+# administrator console password
keycloak_admin_password:
+# internal variables below
+
# locations
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
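Review bot: The rewritten header now labels `keycloak_admin_password:` a required variable, yet it sits in vars/main.yml with a bare (null) value; if I have Ansible's precedence order right, role `vars/` outrank inventory, host_vars and group_vars, so a password supplied there is shadowed by this null and only a role parameter or `-e` extra var gets through. Either move the declaration to defaults/main.yml, or drop it and rely on an `assert`/`is defined` check in the tasks (not visible in this diff), or say in the comment how it must be supplied: `# administrator console password — pass as a role parameter or extra var; inventory/group_vars values are shadowed by this file`. A secret that silently resolves to null rather than failing fast is also worth an explicit check.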
@@ -61,6 +62,8 @@ keycloak_remotecache:
username: "{{ infinispan_user }}"
password: "{{ infinispan_pass }}"
realm: default
+ sasl_mechanism: "{{ infinispan_sasl_mechanism }}"
server_name: "{{ infinispan_url }}"
- trust_store_path: /path/to/jks/keystore
- trust_store_password: changeme
\ No newline at end of file
+ use_ssl: "{{ infinispan_use_ssl }}"
+ trust_store_path: "{{ infinispan_trust_store_path }}"
+ trust_store_password: "{{ infinispan_trust_store_password }}"
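Review bot: `use_ssl: "{{ infinispan_use_ssl }}"` is a quoted whole-value Jinja expression, so unless `jinja2_native` is enabled it reaches the template as the string `False`/`True` (or whatever the operator typed), not a boolean; `use_ssl: "{{ infinispan_use_ssl | bool }}"` rejects garbage and normalises `yes`/`no`/`0`/`1` before the template sees it. The truststore password is now copied into `keycloak_remotecache` and from there into the rendered XML, so the task that templates the file should run with `no_log: true` (not visible in this diff) to keep it out of verbose and diff-mode output. The `keycloak_remotecache` mapping starts above the hunk.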
\ No newline at end of file