Add configuration for hotrod TLS

Guido Grazioli 2022-01-04 14:30:28 +01:00
parent 5eba1c12e4
commit 15d3411f45
5 changed files with 31 additions and 15 deletions


@ -24,7 +24,7 @@ Role Defaults
|`keycloak_https_port`| TLS HTTP port | `8443` |`keycloak_https_port`| TLS HTTP port | `8443`
|`keycloak_management_http_port`| management port | `9990` |`keycloak_management_http_port`| management port | `9990`
|`keycloak_management_https_port`| TLS management port | `9993` |`keycloak_management_https_port`| TLS management port | `9993`
|`keycloak_java_opts`| | `-Xms1024m -Xmx20480m -XX:MaxPermSize=768m` |`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx20480m -XX:MaxPermSize=768m`
Role Variables Role Variables
@ -46,6 +46,10 @@ The following variables are _required_ only when keycloak_ha_enabled is True:
|`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` | |`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
|`infinispan_user` | username for connecting to infinispan | `supervisor` | |`infinispan_user` | username for connecting to infinispan | `supervisor` |
|`infinispan_pass` | password for connecting to infinispan | `supervisor` | |`infinispan_pass` | password for connecting to infinispan | `supervisor` |
|`infinispan_sasl_mechanism`| Authentication type | `SCRAM-SHA-512` |
|`infinispan_use_ssl`| Enable hotrod TLS communication | `False` |
|`infinispan_trust_store_path`| Path to truststore with infinispan server certificate | `/etc/pki/java/cacerts` |
|`infinispan_trust_store_password`| Password for opening truststore | `changeit` |
The following variables are _required_ only when keycloak_db_enabled is True and keycloak_jdbc_engine is postgres: The following variables are _required_ only when keycloak_db_enabled is True and keycloak_jdbc_engine is postgres:


@ -49,10 +49,15 @@ keycloak_force_install: False
### mod_cluster reverse proxy ### mod_cluster reverse proxy
keycloak_modcluster_url: localhost keycloak_modcluster_url: localhost
### infinispan remote caches access ### infinispan remote caches access (hotrod)
infinispan_user: supervisor infinispan_user: supervisor
infinispan_pass: supervisor infinispan_pass: supervisor
infinispan_url: localhost infinispan_url: localhost
infinispan_sasl_mechanism: SCRAM-SHA-512
infinispan_use_ssl: False
# if ssl is enabled, import ispn server certificate here
infinispan_trust_store_path: /etc/pki/java/cacerts
infinispan_trust_store_password: changeit
### database backend engine: values [ 'postgres', 'mariadb' ] ### database backend engine: values [ 'postgres', 'mariadb' ]
keycloak_jdbc_engine: postgres keycloak_jdbc_engine: postgres
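Review bot: `infinispan_use_ssl: False` ships the role with Hot Rod TLS off, and the new block does not say what that implies for the data crossing the wire; a comment such as `# TLS is off by default: hotrod traffic to the remote caches, including the cache entries themselves, is sent unencrypted (SASL only protects the credentials)` would make the trade-off explicit. The truststore default deserves a caveat too: `/etc/pki/java/cacerts` with `changeit` is the JDK-wide store, so importing the Infinispan certificate there makes every Java process on the host trust it and needs root to modify, e.g. `# prefer a dedicated truststore; the JDK cacerts default is shared by every JVM on the host`. `infinispan_trust_store_password` is a JKS integrity password rather than a secret, but it now sits next to `infinispan_pass`, which operators should still override from a vault rather than leave at the `supervisor` default.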


@ -405,6 +405,7 @@
<property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property> <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property>
<property name="infinispan.client.hotrod.trust_store_type">JKS</property> <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
<property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property> <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property>
<property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
</remote-store> </remote-store>
</distributed-cache> </distributed-cache>
{% endfor %} {% endfor %}
@ -428,6 +429,7 @@
<property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property> <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property>
<property name="infinispan.client.hotrod.trust_store_type">JKS</property> <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
<property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property> <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property>
<property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
</remote-store> </remote-store>
</replicated-cache> </replicated-cache>
<local-cache name="authorization"> <local-cache name="authorization">
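Review bot: This template keeps the `default('/etc/truststore/truststore.jks')` and `default("changeme")` fallbacks on `trust_store_file_name` and `trust_store_password` in both hunks, while the sibling template in the same commit drops them in favour of the new `infinispan_trust_store_*` variables; since vars/main.yml now always populates those keys, the fallbacks are dead and the two templates should be aligned to `{{ keycloak_remotecache.trust_store_path }}` and `{{ keycloak_remotecache.trust_store_password }}`. If this file's `use_ssl` property, which sits above the hunk and is not visible here, is still the literal `false`, the new `infinispan_use_ssl` flag has no effect on this configuration — worth checking. Separately, `client_intelligence` set to `TOPOLOGY_AWARE` presumably lets the client open connections to every server address the cluster advertises, so with TLS enabled the server certificate has to be valid for those addresses and not only for `infinispan_url`; a short comment next to the property noting that would save a debugging session. The enclosing `<remote-store>` element starts outside the hunk.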


@ -400,11 +400,12 @@
<property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property> <property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property>
<property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property> <property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property>
<property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property> <property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property>
<property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism | default('SCRAM-SHA-512') }}</property> <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism }}</property>
<property name="infinispan.client.hotrod.use_ssl">false</property> <property name="infinispan.client.hotrod.use_ssl">{{ keycloak_remotecache.use_ssl }}</property>
<property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property> <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path }}</property>
<property name="infinispan.client.hotrod.trust_store_type">JKS</property> <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
<property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property> <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password }}</property>
<property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
</remote-store> </remote-store>
</distributed-cache> </distributed-cache>
{% endfor %} {% endfor %}
@ -423,11 +424,12 @@
<property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property> <property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property>
<property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property> <property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property>
<property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property> <property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property>
<property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism | default('SCRAM-SHA-512') }}</property> <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism }}</property>
<property name="infinispan.client.hotrod.use_ssl">false</property> <property name="infinispan.client.hotrod.use_ssl">{{ keycloak_remotecache.use_ssl }}</property>
<property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property> <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path }}</property>
<property name="infinispan.client.hotrod.trust_store_type">JKS</property> <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
<property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property> <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password }}</property>
<property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
</remote-store> </remote-store>
</replicated-cache> </replicated-cache>
<local-cache name="authorization"> <local-cache name="authorization">
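Review bot: `infinispan.client.hotrod.use_ssl` is now rendered verbatim from `keycloak_remotecache.use_ssl`, which vars/main.yml builds from an Ansible boolean, so the property reads `True`/`False` and any other spelling an operator supplies (a quoted `"yes"`, for instance) is passed straight through to the Hot Rod client; rendering it as `{{ keycloak_remotecache.use_ssl | bool | lower }}` pins the value to the `true`/`false` the client expects. `trust_store_type` stays hard-coded to `JKS` while the new default path is the JDK's `cacerts`, whose on-disk format varies across JDK releases, so exposing the type beside the path (`{{ keycloak_remotecache.trust_store_type | default('JKS') }}`) avoids relying on the JDK's keystore compatibility mode. With TLS enabled this configuration only authenticates the server against the truststore; nothing visible here configures hostname validation, SNI or client certificates, so whether the server name is actually checked depends on the Hot Rod client's defaults and should be confirmed as the intended trust model. The enclosing `<remote-store>` element starts outside the hunk.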


@ -1,9 +1,10 @@
--- ---
# vars file for keycloak # required variables for keycloak
# administrator console password
# administrator console password, this is a required variable
keycloak_admin_password: keycloak_admin_password:
# internal variables below
# locations # locations
keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}" keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}"
keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}" keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
@ -61,6 +62,8 @@ keycloak_remotecache:
username: "{{ infinispan_user }}" username: "{{ infinispan_user }}"
password: "{{ infinispan_pass }}" password: "{{ infinispan_pass }}"
realm: default realm: default
sasl_mechanism: "{{ infinispan_sasl_mechanism }}"
server_name: "{{ infinispan_url }}" server_name: "{{ infinispan_url }}"
trust_store_path: /path/to/jks/keystore use_ssl: "{{ infinispan_use_ssl }}"
trust_store_password: changeme trust_store_path: "{{ infinispan_trust_store_path }}"
trust_store_password: "{{ infinispan_trust_store_password }}"