From 4217ba6e7fe10a441a7c76c686055a06ceb6537b Mon Sep 17 00:00:00 2001 From: root Date: Tue, 11 Jan 2022 01:34:06 -0600 Subject: [PATCH 1/6] Local path installation support --- README.md | 24 +++++++-- playbooks/keycloak-local.yml | 10 ++++ roles/keycloak/README.md | 60 ++++++++++++++++++++-- roles/keycloak/defaults/main.yml | 4 +- roles/keycloak/tasks/download_from_rhn.yml | 26 +++++++--- roles/keycloak/tasks/install.yml | 20 ++++++-- 6 files changed, 126 insertions(+), 18 deletions(-) create mode 100644 playbooks/keycloak-local.yml diff --git a/README.md b/README.md index a25bead..7f6ff00 100644 --- a/README.md +++ b/README.md @@ -31,11 +31,23 @@ collections: ### Install Playbook -`playbooks/keycloak.yml` installs the keycloak or Red Hat Single Sign-On based on the defined variables. +`playbooks/keycloak.yml` installs the keycloak or Red Hat Single Sign-On(RHSSO) based on the defined variables. -### Choosing between Red Hat products and upstream project +### Choosing between Red Hat products and upstream(Keycloak) project -The roles supports installing Red Hat Single Sign-On from the Customer Portal, when the following variables are defined: +The roles supports installing Keycloak or Red Hat Single Sign-On in following ways + +#### Install upstream from remote source + +This is default way, no need to define any additional variables. + +#### Install upstream from local source when the following variable is defined + +``` +keycloak_zip_file_local_path: +``` + +#### Install RHSSO from the Customer Portal, when the following variables are defined ``` rhn_username: '' 
@@ -45,6 +57,12 @@ rhsso_rhn_id: '' where `sso_product_id` is the ID for the specific Red Hat Single Sign-On version, ie. _101971_ will install version _7.5_) +#### Install RHSSO from local source when the following variable is defined + +``` +rhsso_zip_file_local_path: +``` + ### Install role * [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service. _Requires: python3-netaddr_ diff --git a/playbooks/keycloak-local.yml b/playbooks/keycloak-local.yml new file mode 100644 index 0000000..a6fe705 --- /dev/null +++ b/playbooks/keycloak-local.yml @@ -0,0 +1,10 @@ +--- +- name: Playbook for Keycloak Hosts + hosts: keycloak + tasks: + - name: Keycloak Role + include_role: + name: keycloak + vars: + keycloak_admin_password: "changeme" + rhsso_zip_file_local_path: "/tmp/rhsso/rh-sso-7.5-server-dist.zip" # This should be local path of rhsso zip file \ No newline at end of file diff --git a/roles/keycloak/README.md b/roles/keycloak/README.md index 3f3c269..d9e98e2 100644 --- a/roles/keycloak/README.md +++ b/roles/keycloak/README.md 
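Review bot: The new `playbooks/keycloak-local.yml` ends without a trailing newline (`\ No newline at end of file`), which yamllint flags and which makes the next edit to the file show a spurious diff on its last line. The inline comment on `rhsso_zip_file_local_path` should also say which machine the path lives on: `ansible.builtin.copy` reads `src` on the Ansible control node, not on the target host, so `# local path of the RHSSO zip on the Ansible control node` would prevent the most likely misconfiguration. `keycloak_admin_password: "changeme"` as a literal matches the existing `keycloak.yml`, so it is not new, but sample playbooks are what users copy from.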
@@ -66,20 +66,25 @@ The following variables are _required_ only when `keycloak_db_enabled` is True: |`keycloak_db_user` | username for connecting to postgres | `keycloak-user` | |`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` | +The following variables can be used to install Keycloak or Red Hat Single Sign-On from local path: +| Variable | Description | Default | +|:---------|:------------|:---------| +|`rhsso_zip_file_local_path` | Full local path of Red Hat Single Sign-On zip file | `tmp/rhsso/rh-sso-7.5-server-dist.zip` | +|`keycloak_zip_file_local_path` | Full local path of Keycloak zip file | `/tmp/keycloak/keycloak-16.1.0.zip` | Dependencies ------------ The roles depends on: -* the `redhat_csp_download` role from [middleware_automation.redhat_csp_download](https://github.com/ansible-middleware/redhat-csp-download) collection -* the `wildfly_driver` role from [middleware_automation.wildfly](https://github.com/ansible-middleware/wildfly) collection +* the redhat_csp_download role from [middleware_automation.redhat_csp_download](https://github.com/ansible-middleware/redhat-csp-download) collection if Red Hat Single Sign-on zip have to be downloaded from RHN. +* the wildfly_driver role from [middleware_automation.wildfly](https://github.com/ansible-middleware/wildfly) collection Example Playbook ---------------- -The following is an example playbook that makes use of the role to install keycloak +The following is an example playbook that makes use of the role to install keycloak from remote ```yaml --- 
@@ -94,6 +99,55 @@ The following is an example playbook that makes use of the role to install keycl keycloak_admin_password: "changeme" ``` +The following is an example playbook that makes use of the role to install keycloak from local path + +```yaml +--- +- hosts: ... + collections: + - middleware_automation.keycloak + tasks: + - name: Include keycloak role + include_role: + name: keycloak + vars: + keycloak_admin_password: "changeme" + keycloak_zip_file_local_path: "/tmp/keycloak/keycloak-16.1.0.zip" # This should be local path of keycloak zip file +``` + +The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN + +```yaml +--- +- name: Playbook for Keycloak Hosts + hosts: keycloak + collections: + - middleware_automation.redhat_csp_download + roles: + - redhat_csp_download + tasks: + - name: Keycloak Role + include_role: + name: keycloak + vars: + keycloak_admin_password: "changeme" +``` + +The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from local path + +```yaml +--- +- hosts: keycloak + tasks: + - name: Keycloak Role + include_role: + name: keycloak + vars: + keycloak_admin_password: "changeme" + rhsso_zip_file_local_path: "/tmp/rhsso/rh-sso-7.5-server-dist.zip" # This should be local path of rhsso zip file +``` + + License ------- diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml index b2f45e8..3a4656e 100644 --- a/roles/keycloak/defaults/main.yml +++ b/roles/keycloak/defaults/main.yml 
@@ -6,7 +6,7 @@ keycloak_download_url: https://downloads.jboss.org/keycloak/{{ keycloak_version keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}" ### Configuration specific to Red Hat Single Sing-On -keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined else False }}" +keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined or rhsso_zip_file_local_path is defined else False }}" keycloak_rhsso_version: 7.5 keycloak_rhsso_archive: rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version }}" @@ -15,7 +15,7 @@ keycloak_rhsso_base_url: 'https://access.redhat.com/jbossnetwork/restricted/soft ### Install location and service settings jvm_package: java-1.8.0-openjdk-devel keycloak_dest: /opt/keycloak -keycloak_jboss_home: "{{ keycloak_rhsso_installdir if rhsso_rhn_id is defined else keycloak_installdir }}" +keycloak_jboss_home: "{{ keycloak_rhsso_installdir if rhsso_rhn_id is defined or rhsso_zip_file_local_path is defined else keycloak_installdir }}" keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration" keycloak_config_standalone_xml: "keycloak.xml" diff --git a/roles/keycloak/tasks/download_from_rhn.yml b/roles/keycloak/tasks/download_from_rhn.yml index 6ac9029..3ed54e6 100644 --- a/roles/keycloak/tasks/download_from_rhn.yml +++ b/roles/keycloak/tasks/download_from_rhn.yml @@ -2,9 +2,7 @@ - assert: that: - zipfile_dest is defined - - rhn_id_file is defined - - rhn_username is defined - - rhn_password is defined + - (rhn_username is defined and rhn_password is defined and rhn_id_file is defined) or rhsso_zip_file_local_path is defined quiet: true - set_fact: 
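Review bot: The condition `rhsso_rhn_id is defined or rhsso_zip_file_local_path is defined` is now written twice in `defaults/main.yml`, once for `keycloak_rhsso_enable` and again for `keycloak_jboss_home`, so every additional install source has to be added to both or the two drift apart. Deriving the second from the first keeps them in step: `keycloak_jboss_home: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"`. The first can also lose the ternary, since the `is defined` tests already yield a boolean: `keycloak_rhsso_enable: "{{ rhsso_rhn_id is defined or rhsso_zip_file_local_path is defined }}"`.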
@@ -26,11 +24,25 @@ - archive_path is defined - archive_path.stat is defined - not archive_path.stat.exists + - not rhsso_zip_file_local_path is defined + +- name: "Copy zipfile from local source: {{ rhsso_zip_file_local_path }}" + ansible.builtin.copy: + src: "{{ rhsso_zip_file_local_path }}" + dest: "{{ zipfile_dest }}" + owner: "{{ keycloak_service_user }}" + group: "{{ keycloak_service_group }}" + mode: 0750 + when: + - archive_path is defined + - archive_path.stat is defined + - not archive_path.stat.exists + - rhsso_zip_file_local_path is defined - name: "Check zipfile dest directory {{ zipfile_dest }}" stat: path: "{{ zipfile_dest }}" - register: path_to_downloaded_artefact + register: path_to_downloaded_artifact - block: - file: @@ -68,8 +80,8 @@ when: - target_dir_state.stat.exists when: - - path_to_downloaded_artefact is defined - - path_to_downloaded_artefact.stat is defined - - path_to_downloaded_artefact.stat.exists + - path_to_downloaded_artifact is defined + - path_to_downloaded_artifact.stat is defined + - path_to_downloaded_artifact.stat.exists - target_dir is defined - work_dir is defined diff --git a/roles/keycloak/tasks/install.yml b/roles/keycloak/tasks/install.yml index 88a0ab4..7b687af 100644 --- a/roles/keycloak/tasks/install.yml +++ b/roles/keycloak/tasks/install.yml @@ -74,6 +74,20 @@ - archive_path is defined - archive_path.stat is defined - not archive_path.stat.exists + - not keycloak_zip_file_local_path is defined + + - name: "Copy zipfile from local source: {{ keycloak_zip_file_local_path }}" + ansible.builtin.copy: + src: "{{ keycloak_zip_file_local_path }}" + dest: "{{ keycloak_dest }}" + owner: "{{ keycloak_service_user }}" + group: "{{ keycloak_service_group }}" + mode: 0750 + when: + - archive_path is defined + - archive_path.stat is defined + - not archive_path.stat.exists + - keycloak_zip_file_local_path is defined - name: extract Keycloak archive on target unarchive: 
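Review bot: `not rhsso_zip_file_local_path is defined` negates the test from the outside; Ansible's own idiom is `- rhsso_zip_file_local_path is not defined`, which reads the same way as the `is defined` line on the copy task below it (the `install.yml` hunk in this commit uses the same `not ... is defined` form and would take the same change). The RHN download and the new copy task share one `archive_path` stat taken before either runs, which is only safe because their `when` lists are mutually exclusive on `rhsso_zip_file_local_path`; that exclusivity is worth a comment, since a later source that is not exclusive would overwrite whatever the earlier task fetched.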
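Review bot: The new copy task in `install.yml` writes to the directory `dest: "{{ keycloak_dest }}"`, so the archive keeps whatever basename the user gave `keycloak_zip_file_local_path`, whereas the RHSSO variant in `download_from_rhn.yml` copies to the full file path `zipfile_dest`. The guard `not archive_path.stat.exists` and the following `extract Keycloak archive on target` task presumably refer to a fixed archive path registered above the hunk (the stat is outside this hunk), so a local zip with a different name would be copied on every run and never found by the extract step. Copying to that same full path rather than the directory makes the local source behave like the RHSSO one and keeps the idempotence check meaningful.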
@@ -91,9 +105,9 @@ - block: - assert: that: - - rhsso_rhn_id is defined + - rhsso_rhn_id is defined or rhsso_zip_file_local_path is defined quiet: true - fail_msg: "Can't install RHSSO without RHN ID." + fail_msg: "Can't install RHSSO without either RHN ID or RHSSO zip file local path" - name: create download directory file: @@ -105,7 +119,7 @@ - include_tasks: download_from_rhn.yml vars: - rhn_id_file: "{{ rhsso_rhn_id }}" + rhn_id_file: "{{ rhsso_rhn_id | default(None) }}" zipfile_dest: "{{ keycloak_dest }}/{{ keycloak_rhsso_archive }}" work_dir: "{{ keycloak_dest }}" target_dir: "{{ keycloak_jboss_home }}" From ef81faefdfe2ebbf67542b1733405f9ccadec81e Mon Sep 17 00:00:00 2001 From: root Date: Wed, 12 Jan 2022 09:13:53 -0600 Subject: [PATCH 2/6] Download source via url --- README.md | 10 +++++++++- roles/keycloak/README.md | 20 +++++++++++++++++++- roles/keycloak/defaults/main.yml | 4 ++-- roles/keycloak/tasks/download_from_rhn.yml | 19 ++++++++++++++++--- roles/keycloak/tasks/install.yml | 2 +- 5 files changed, 47 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 7f6ff00..b6cea3d 100644 --- a/README.md +++ b/README.md @@ -47,7 +47,7 @@ This is default way, no need to define any additional variables. keycloak_zip_file_local_path: ``` -#### Install RHSSO from the Customer Portal, when the following variables are defined +#### Install RHSSO from the Customer Support Portal, when the following variables are defined ``` rhn_username: '' @@ -57,6 +57,14 @@ rhsso_rhn_id: '' where `sso_product_id` is the ID for the specific Red Hat Single Sign-On version, ie. _101971_ will install version _7.5_) +#### Install RHSSO from remote sources like Nexus etc, when the following variables are defined + +``` +rhsso_source_download_url: '' +``` + +where `sso_product_id` is the ID for the specific Red Hat Single Sign-On version, ie. _101971_ will install version _7.5_) + #### Install RHSSO from local source when the following variable is defined ``` 
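Review bot: `rhn_id_file: "{{ rhsso_rhn_id | default(None) }}"` does not yield an undefined variable: with Ansible's default (non-native) Jinja rendering the `None` becomes the string `None`, so `rhn_id_file is defined` in `download_from_rhn.yml` is always true and `rhn_download_url` is built as `{{ keycloak_rhsso_base_url }}None` in the local-path case. The assert in that file therefore no longer checks anything about the RHN id, and only the `not rhsso_zip_file_local_path is defined` guard on the download task keeps the bogus URL from being fetched. Dropping the `rhn_id_file` indirection and having `download_from_rhn.yml` test `rhsso_rhn_id is defined` directly avoids the sentinel altogether.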
diff --git a/roles/keycloak/README.md b/roles/keycloak/README.md index d9e98e2..ddbbc83 100644 --- a/roles/keycloak/README.md +++ b/roles/keycloak/README.md @@ -72,6 +72,11 @@ The following variables can be used to install Keycloak or Red Hat Single Sign-O |`rhsso_zip_file_local_path` | Full local path of Red Hat Single Sign-On zip file | `tmp/rhsso/rh-sso-7.5-server-dist.zip` | |`keycloak_zip_file_local_path` | Full local path of Keycloak zip file | `/tmp/keycloak/keycloak-16.1.0.zip` | +The following variable can be used to install Red Hat Single Sign-On from source via url, auth support is not added right now. +| Variable | Description | Default | +|:---------|:------------|:---------| +|`rhsso_source_download_url` | URL to download Red Hat Single Sign-On zip file from | `http://localhost:8081/nexus/rhsso/rh-sso-7.5-server-dist.zip` | + Dependencies ------------ @@ -133,6 +138,20 @@ The following is an example playbook that makes use of the role to install Red H keycloak_admin_password: "changeme" ``` +The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from source url + +```yaml +--- +- hosts: keycloak + tasks: + - name: Keycloak Role + include_role: + name: keycloak + vars: + keycloak_admin_password: "changeme" + rhsso_source_download_url: "" # This should be the full of remote source rhsso zip file +``` + The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from local path ```yaml @@ -147,7 +166,6 @@ The following is an example playbook that makes use of the role to install Red H rhsso_zip_file_local_path: "/tmp/rhsso/rh-sso-7.5-server-dist.zip" # This should be local path of rhsso zip file ``` - License ------- diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml index 3a4656e..638c237 100644 --- a/roles/keycloak/defaults/main.yml +++ b/roles/keycloak/defaults/main.yml 
@@ -6,7 +6,7 @@ keycloak_download_url: https://downloads.jboss.org/keycloak/{{ keycloak_version keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}" ### Configuration specific to Red Hat Single Sing-On -keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined or rhsso_zip_file_local_path is defined else False }}" +keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined or rhsso_zip_file_local_path is defined or rhsso_source_download_url is defined else False }}" keycloak_rhsso_version: 7.5 keycloak_rhsso_archive: rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version }}" @@ -15,7 +15,7 @@ keycloak_rhsso_base_url: 'https://access.redhat.com/jbossnetwork/restricted/soft ### Install location and service settings jvm_package: java-1.8.0-openjdk-devel keycloak_dest: /opt/keycloak -keycloak_jboss_home: "{{ keycloak_rhsso_installdir if rhsso_rhn_id is defined or rhsso_zip_file_local_path is defined else keycloak_installdir }}" +keycloak_jboss_home: "{{ keycloak_rhsso_installdir if rhsso_rhn_id is defined or rhsso_zip_file_local_path is defined or rhsso_source_download_url is defined else keycloak_installdir }}" keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration" keycloak_config_standalone_xml: "keycloak.xml" diff --git a/roles/keycloak/tasks/download_from_rhn.yml b/roles/keycloak/tasks/download_from_rhn.yml index 3ed54e6..1fef600 100644 --- a/roles/keycloak/tasks/download_from_rhn.yml +++ b/roles/keycloak/tasks/download_from_rhn.yml @@ -2,7 +2,7 @@ - assert: that: - zipfile_dest is defined - - (rhn_username is defined and rhn_password is defined and rhn_id_file is defined) or rhsso_zip_file_local_path is defined + - (rhn_username is defined and rhn_password is defined and rhn_id_file is defined) or rhsso_zip_file_local_path is defined or rhsso_source_download_url is defined quiet: true - set_fact: 
@@ -13,7 +13,7 @@ path: "{{ zipfile_dest }}" register: archive_path -- name: "Install zipfile from RHN: {{ rhn_download_url }}" +- name: "Download zipfile from RHN: {{ rhn_download_url }}" redhat_csp_download: url: "{{ rhn_download_url }}" dest: "{{ zipfile_dest }}" @@ -24,7 +24,20 @@ - archive_path is defined - archive_path.stat is defined - not archive_path.stat.exists - - not rhsso_zip_file_local_path is defined + - rhsso_rhn_id is defined + +- name: "Copy zipfile from source like Nexus etc : {{ rhsso_source_download_url }}" + get_url: + url: "{{ rhsso_source_download_url }}" + dest: "{{ zipfile_dest }}" + owner: "{{ keycloak_service_user }}" + group: "{{ keycloak_service_group }}" + mode: 0750 + when: + - archive_path is defined + - archive_path.stat is defined + - not archive_path.stat.exists + - rhsso_source_download_url is defined - name: "Copy zipfile from local source: {{ rhsso_zip_file_local_path }}" ansible.builtin.copy: diff --git a/roles/keycloak/tasks/install.yml b/roles/keycloak/tasks/install.yml index 7b687af..40b87f1 100644 --- a/roles/keycloak/tasks/install.yml +++ b/roles/keycloak/tasks/install.yml @@ -105,7 +105,7 @@ - block: - assert: that: - - rhsso_rhn_id is defined or rhsso_zip_file_local_path is defined + - rhsso_rhn_id is defined or rhsso_zip_file_local_path is defined or rhsso_source_download_url is defined quiet: true fail_msg: "Can't install RHSSO without either RHN ID or RHSSO zip file local path" From 9113cfe886bf976c96cfe20fa2dc11889252574d Mon Sep 17 00:00:00 2001 From: Pavan Kumar Motaparthi Date: Fri, 14 Jan 2022 09:42:23 -0600 Subject: [PATCH 3/6] Update README.md Co-authored-by: Andrew Block --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b6cea3d..61eb870 100644 --- a/README.md +++ b/README.md 
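Review bot: The new `get_url` task installs whatever `rhsso_source_download_url` returns with no integrity check, so a tampered or truncated artifact on the intermediate repository goes straight into the unarchive step. `get_url` has a `checksum` parameter; a line such as `checksum: "{{ rhsso_source_download_checksum | default(omit) }}"` (with that new variable documented next to `rhsso_source_download_url`) lets users pin the archive without changing behaviour for those who do not set it. The README's "auth support is not added right now" can be addressed the same way with the module's existing `url_username`/`url_password` parameters rather than a separate mechanism. Minor: the task name says `Copy zipfile` but the task downloads, so `Download zipfile from source URL:` would match the `Download zipfile from RHN:` task above it.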
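Review bot: The assertion in `install.yml` now also accepts `rhsso_source_download_url is defined`, but its `fail_msg` still reads `Can't install RHSSO without either RHN ID or RHSSO zip file local path`, so a user who mistyped the URL variable is told about only two of the three options. Update it to name all three, e.g. `fail_msg: "Can't install RHSSO without an RHN ID, a source download URL or a local zip file path"`.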
@@ -33,7 +33,7 @@ collections: `playbooks/keycloak.yml` installs the keycloak or Red Hat Single Sign-On(RHSSO) based on the defined variables. -### Choosing between Red Hat products and upstream(Keycloak) project +### Choosing between Red Hat products and upstream (Keycloak) project The roles supports installing Keycloak or Red Hat Single Sign-On in following ways From 7b376e0681922c3bdb553b135ea18bebb2deccf4 Mon Sep 17 00:00:00 2001 From: Pavan Kumar Motaparthi Date: Fri, 14 Jan 2022 09:42:29 -0600 Subject: [PATCH 4/6] Update README.md Co-authored-by: Andrew Block --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 61eb870..fa48506 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ collections: ### Choosing between Red Hat products and upstream (Keycloak) project -The roles supports installing Keycloak or Red Hat Single Sign-On in following ways +The roles supports installing Keycloak or Red Hat Single Sign-On in the following ways #### Install upstream from remote source From ce26ceeed066cd082b12368df58602f79822c36c Mon Sep 17 00:00:00 2001 From: root Date: Fri, 14 Jan 2022 13:54:10 -0600 Subject: [PATCH 5/6] Code review comments --- README.md | 35 ++++++++++++------- playbooks/keycloak.yml | 6 ++-- playbooks/{keycloak-local.yml => rhsso.yml} | 6 +++- roles/keycloak/README.md | 29 +++++++++------ roles/keycloak/defaults/main.yml | 4 +-- .../{download_from_rhn.yml => get_rhsso.yml} | 14 +++++--- roles/keycloak/tasks/install.yml | 15 ++++---- 7 files changed, 65 insertions(+), 44 deletions(-) rename playbooks/{keycloak-local.yml => rhsso.yml} (59%) rename roles/keycloak/tasks/{download_from_rhn.yml => get_rhsso.yml} (87%) diff --git a/README.md b/README.md index fa48506..5a7a810 100644 --- a/README.md +++ b/README.md 
@@ -31,25 +31,32 @@ collections: ### Install Playbook -`playbooks/keycloak.yml` installs the keycloak or Red Hat Single Sign-On(RHSSO) based on the defined variables. +`playbooks/keycloak.yml` installs the upstream(Keycloak) based on the defined variables. +`playbooks/rhsso.yml` installs Red Hat Single Sign-On(RHSSO) based on defined variables. -### Choosing between Red Hat products and upstream (Keycloak) project +### Choosing between upstream(Keycloak) project and Red Hat Single Sign-On(RHSSO) -The roles supports installing Keycloak or Red Hat Single Sign-On in the following ways +The roles supports installing upstream(Keycloak) or Red Hat Single Sign-On in the following ways -#### Install upstream from remote source +#### Install upstream(Keycloak) from remote source -This is default way, no need to define any additional variables. - -#### Install upstream from local source when the following variable is defined +This is default approach, there is one required variable ``` -keycloak_zip_file_local_path: +keycloak_admin_password: "" ``` -#### Install RHSSO from the Customer Support Portal, when the following variables are defined +#### Install upstream(Keycloak) from local source when the following variable is defined ``` +keycloak_admin_password: "" +zip_file_local_path: +``` + +#### Install RHSSO from the Red Hat Customer Support Portal, when the following variables are defined + +``` +keycloak_admin_password: "" rhn_username: '' rhn_password: '' rhsso_rhn_id: '' 
@@ -60,15 +67,17 @@ where `sso_product_id` is the ID for the specific Red Hat Single Sign-On version #### Install RHSSO from remote sources like Nexus etc, when the following variables are defined ``` -rhsso_source_download_url: '' +keycloak_admin_password: "" +keycloak_rhsso_enable: True +rhsso_source_download_url: '' ``` -where `sso_product_id` is the ID for the specific Red Hat Single Sign-On version, ie. _101971_ will install version _7.5_) - #### Install RHSSO from local source when the following variable is defined ``` -rhsso_zip_file_local_path: +keycloak_admin_password: "" +keycloak_rhsso_enable: True +zip_file_local_path: ``` ### Install role diff --git a/playbooks/keycloak.yml b/playbooks/keycloak.yml index c40d219..2bfcac0 100644 --- a/playbooks/keycloak.yml +++ b/playbooks/keycloak.yml @@ -2,11 +2,9 @@ - name: Playbook for Keycloak Hosts hosts: keycloak collections: - - middleware_automation.redhat_csp_download - roles: - - redhat_csp_download + - middleware_automation.keycloak tasks: - - name: Keycloak Role + - name: Include keycloak role include_role: name: keycloak vars: diff --git a/playbooks/keycloak-local.yml b/playbooks/rhsso.yml similarity index 59% rename from playbooks/keycloak-local.yml rename to playbooks/rhsso.yml index a6fe705..95382e3 100644 --- a/playbooks/keycloak-local.yml +++ b/playbooks/rhsso.yml @@ -1,10 +1,14 @@ --- - name: Playbook for Keycloak Hosts hosts: keycloak + collections: + - middleware_automation.redhat_csp_download + roles: + - redhat_csp_download tasks: - name: Keycloak Role include_role: name: keycloak vars: keycloak_admin_password: "changeme" - rhsso_zip_file_local_path: "/tmp/rhsso/rh-sso-7.5-server-dist.zip" # This should be local path of rhsso zip file \ No newline at end of file + keycloak_rhsso_enable: True \ No newline at end of file diff --git a/roles/keycloak/README.md b/roles/keycloak/README.md index ddbbc83..392705c 100644 --- a/roles/keycloak/README.md +++ b/roles/keycloak/README.md 
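Review bot: `keycloak_rhsso_enable: True` in the renamed `playbooks/rhsso.yml` uses the capitalised YAML 1.1 spelling that yamllint's `truthy` rule flags; `keycloak_rhsso_enable: true` is the portable form, and the README examples changed in this commit would benefit from the same spelling. The file also still ends without a trailing newline (`\ No newline at end of file`), carried over from `keycloak-local.yml`.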
@@ -18,6 +18,7 @@ Role Defaults | Variable | Description | Default | |:---------|:------------|:---------| +|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation | `False` | |`keycloak_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` | |`keycloak_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_ha_enabled` is True, else `False` | |`keycloak_admin_user`| Administration console user account | `admin` | 
@@ -66,16 +67,15 @@ The following variables are _required_ only when `keycloak_db_enabled` is True: |`keycloak_db_user` | username for connecting to postgres | `keycloak-user` | |`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` | -The following variables can be used to install Keycloak or Red Hat Single Sign-On from local path: -| Variable | Description | Default | +The following variable can be used to install Keycloak or Red Hat Single Sign-On from local path: +| Variable | Description | Example | |:---------|:------------|:---------| -|`rhsso_zip_file_local_path` | Full local path of Red Hat Single Sign-On zip file | `tmp/rhsso/rh-sso-7.5-server-dist.zip` | -|`keycloak_zip_file_local_path` | Full local path of Keycloak zip file | `/tmp/keycloak/keycloak-16.1.0.zip` | +|`zip_file_local_path` | Full local path of upstream(Keycloak) or Red Hat Single Sign-On zip file on Ansible control plane | `tmp/rhsso/rh-sso-7.5-server-dist.zip` | The following variable can be used to install Red Hat Single Sign-On from source via url, auth support is not added right now. -| Variable | Description | Default | +| Variable | Description | Example | |:---------|:------------|:---------| -|`rhsso_source_download_url` | URL to download Red Hat Single Sign-On zip file from | `http://localhost:8081/nexus/rhsso/rh-sso-7.5-server-dist.zip` | +|`rhsso_source_download_url` | URL to download Red Hat Single Sign-On zip file from source | `http://localhost:8081/nexus/rhsso/rh-sso-7.5-server-dist.zip` | Dependencies ------------ @@ -104,7 +104,7 @@ The following is an example playbook that makes use of the role to install keycl keycloak_admin_password: "changeme" ``` -The following is an example playbook that makes use of the role to install keycloak from local path +The following is an example playbook that makes use of the role to install keycloak from local path on Ansible node ```yaml --- 
@@ -117,14 +117,14 @@ The following is an example playbook that makes use of the role to install keycl name: keycloak vars: keycloak_admin_password: "changeme" - keycloak_zip_file_local_path: "/tmp/keycloak/keycloak-16.1.0.zip" # This should be local path of keycloak zip file + zip_file_local_path: "/tmp/keycloak/keycloak-16.1.0.zip" # This should be local path on Ansible node of upstream(keycloak) zip file ``` The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN ```yaml --- -- name: Playbook for Keycloak Hosts +- name: Playbook for RHSSO hosts: keycloak collections: - middleware_automation.redhat_csp_download @@ -136,6 +136,7 @@ The following is an example playbook that makes use of the role to install Red H name: keycloak vars: keycloak_admin_password: "changeme" + keycloak_rhsso_enable: True ``` The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from source url 
@@ -143,27 +144,33 @@ The following is an example playbook that makes use of the role to install Red H ```yaml --- - hosts: keycloak + collections: + - middleware_automation.keycloak tasks: - name: Keycloak Role include_role: name: keycloak vars: keycloak_admin_password: "changeme" + keycloak_rhsso_enable: True rhsso_source_download_url: "" # This should be the full of remote source rhsso zip file ``` -The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from local path +The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from local path on Ansible node ```yaml --- - hosts: keycloak + collections: + - middleware_automation.keycloak tasks: - name: Keycloak Role include_role: name: keycloak vars: keycloak_admin_password: "changeme" - rhsso_zip_file_local_path: "/tmp/rhsso/rh-sso-7.5-server-dist.zip" # This should be local path of rhsso zip file + keycloak_rhsso_enable: True + zip_file_local_path: "/tmp/rhsso/rh-sso-7.5-server-dist.zip" # This should be local path on Ansible node of rhsso zip file ``` License diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml index 638c237..2ea1d9a 100644 --- a/roles/keycloak/defaults/main.yml +++ b/roles/keycloak/defaults/main.yml @@ -6,7 +6,7 @@ keycloak_download_url: https://downloads.jboss.org/keycloak/{{ keycloak_version keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}" ### Configuration specific to Red Hat Single Sing-On -keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined or rhsso_zip_file_local_path is defined or rhsso_source_download_url is defined else False }}" +keycloak_rhsso_enable: False keycloak_rhsso_version: 7.5 keycloak_rhsso_archive: rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version }}" 
@@ -15,7 +15,7 @@ keycloak_rhsso_base_url: 'https://access.redhat.com/jbossnetwork/restricted/soft ### Install location and service settings jvm_package: java-1.8.0-openjdk-devel keycloak_dest: /opt/keycloak -keycloak_jboss_home: "{{ keycloak_rhsso_installdir if rhsso_rhn_id is defined or rhsso_zip_file_local_path is defined or rhsso_source_download_url is defined else keycloak_installdir }}" +keycloak_jboss_home: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}" keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration" keycloak_config_standalone_xml: "keycloak.xml" diff --git a/roles/keycloak/tasks/download_from_rhn.yml b/roles/keycloak/tasks/get_rhsso.yml similarity index 87% rename from roles/keycloak/tasks/download_from_rhn.yml rename to roles/keycloak/tasks/get_rhsso.yml index 1fef600..fa3fc2b 100644 --- a/roles/keycloak/tasks/download_from_rhn.yml +++ b/roles/keycloak/tasks/get_rhsso.yml @@ -2,11 +2,13 @@ - assert: that: - zipfile_dest is defined - - (rhn_username is defined and rhn_password is defined and rhn_id_file is defined) or rhsso_zip_file_local_path is defined or rhsso_source_download_url is defined + - keycloak_rhsso_enable quiet: true - set_fact: - rhn_download_url: "{{ keycloak_rhsso_base_url }}{{ rhn_id_file }}" + rhn_download_url: "{{ keycloak_rhsso_base_url }}{{ rhsso_rhn_id }}" + when: + - rhsso_rhn_id is defined - name: "Check zipfile dest directory {{ zipfile_dest }}" stat: @@ -24,6 +26,8 @@ - archive_path is defined - archive_path.stat is defined - not archive_path.stat.exists + - rhn_username is defined + - rhn_password is defined - rhsso_rhn_id is defined - name: "Copy zipfile from source like Nexus etc : {{ rhsso_source_download_url }}" 
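Review bot: The assert at the top of `get_rhsso.yml` now checks only `keycloak_rhsso_enable`, while each fetch task below it is conditional on one of `rhsso_rhn_id`, `rhsso_source_download_url` or `zip_file_local_path` being defined; when none is set all three are skipped, nothing appears at `zipfile_dest`, and the extraction block further down (outside this hunk, gated on `path_to_downloaded_artifact.stat.exists` in the earlier commits) presumably skips too, so the role finishes green without installing anything. Adding `- rhsso_rhn_id is defined or rhsso_source_download_url is defined or zip_file_local_path is defined` with a `fail_msg` naming the three variables restores the fail-fast the removed line provided. The RHN download now also requires `rhn_username`/`rhn_password` only in its `when`, so a missing credential silently skips rather than fails; an assert on those two when `rhsso_rhn_id is defined` would surface that.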
@@ -39,9 +43,9 @@ - not archive_path.stat.exists - rhsso_source_download_url is defined -- name: "Copy zipfile from local source: {{ rhsso_zip_file_local_path }}" +- name: "Copy zipfile from local source: {{ zip_file_local_path }}" ansible.builtin.copy: - src: "{{ rhsso_zip_file_local_path }}" + src: "{{ zip_file_local_path }}" dest: "{{ zipfile_dest }}" owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_group }}" @@ -50,7 +54,7 @@ - archive_path is defined - archive_path.stat is defined - not archive_path.stat.exists - - rhsso_zip_file_local_path is defined + - zip_file_local_path is defined - name: "Check zipfile dest directory {{ zipfile_dest }}" stat: diff --git a/roles/keycloak/tasks/install.yml b/roles/keycloak/tasks/install.yml index 40b87f1..6faafe0 100644 --- a/roles/keycloak/tasks/install.yml +++ b/roles/keycloak/tasks/install.yml @@ -74,11 +74,11 @@ - archive_path is defined - archive_path.stat is defined - not archive_path.stat.exists - - not keycloak_zip_file_local_path is defined + - not keycloak_rhsso_enable and not zip_file_local_path is defined - - name: "Copy zipfile from local source: {{ keycloak_zip_file_local_path }}" + - name: "Copy zipfile from local source: {{ zip_file_local_path }}" ansible.builtin.copy: - src: "{{ keycloak_zip_file_local_path }}" + src: "{{ zip_file_local_path }}" dest: "{{ keycloak_dest }}" owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_group }}" @@ -87,7 +87,7 @@ - archive_path is defined - archive_path.stat is defined - not archive_path.stat.exists - - keycloak_zip_file_local_path is defined + - not keycloak_rhsso_enable and zip_file_local_path is defined - name: extract Keycloak archive on target unarchive: 
@@ -105,9 +105,9 @@ - block: - assert: that: - - rhsso_rhn_id is defined or rhsso_zip_file_local_path is defined or rhsso_source_download_url is defined + - rhsso_rhn_id is defined or zip_file_local_path is defined quiet: true - fail_msg: "Can't install RHSSO without either RHN ID or RHSSO zip file local path" + fail_msg: "Can't install RHSSO without either RHN ID or RHSSO zip file located on Ansible node" - name: create download directory file: @@ -117,9 +117,8 @@ group: "{{ keycloak_service_group }}" mode: 0750 - - include_tasks: download_from_rhn.yml + - include_tasks: get_rhsso.yml vars: - rhn_id_file: "{{ rhsso_rhn_id | default(None) }}" zipfile_dest: "{{ keycloak_dest }}/{{ keycloak_rhsso_archive }}" work_dir: "{{ keycloak_dest }}" target_dir: "{{ keycloak_jboss_home }}" From 247d8b8a225e0d9d3c83f675e366b6cc0643c770 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 17 Jan 2022 15:53:16 -0600 Subject: [PATCH 6/6] User Federation changes --- README.md | 6 ++-- playbooks/keycloak-realm.yml | 40 ++++++++++++++++++++++++++ roles/keycloak_realm/README.md | 22 +++++++++++++- roles/keycloak_realm/defaults/main.yml | 3 ++ roles/keycloak_realm/tasks/main.yml | 18 ++++++++++++ roles/keycloak_realm/vars/main.yml | 2 +- 6 files changed, 86 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index a25bead..4b806da 100644 --- a/README.md +++ b/README.md 
@@ -69,18 +69,18 @@ ansible-playbook -i -e @rhn-creds.yml playbooks/keycloak.yml -e ### Config Playbook -`playbooks/keycloak-realm.yml` creates provided realm, client(s), client role(s) and client user(s) if they don't exist. +`playbooks/keycloak-realm.yml` creates provided realm, user federation(s), client(s), client role(s) and client user(s) if they don't exist. ### Config role -* [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, with clients and users, in an installed service. +* [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service. ### Example configuration command Execute the following command from the source root directory ``` -ansible-playbook -i -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password= -e keycloak_realm=test +ansible-playbook -i playbooks/keycloak-realm.yml -e keycloak_admin_password= -e keycloak_realm=test ``` - `keycloak_admin_password` password for the administration console user account. diff --git a/playbooks/keycloak-realm.yml b/playbooks/keycloak-realm.yml index ec8de4a..e62f6f3 100644 --- a/playbooks/keycloak-realm.yml +++ b/playbooks/keycloak-realm.yml 
@@ -8,6 +8,46 @@ vars: keycloak_admin_password: "changeme" keycloak_realm: TestRealm + keycloak_user_federation: + - realm: TestRealm + name: my-ldap + provider_id: ldap + provider_type: org.keycloak.storage.UserStorageProvider + config: + priority: '0' + enabled: true + cachePolicy: DEFAULT + batchSizeForSync: '1000' + editMode: READ_ONLY + importEnabled: true + syncRegistrations: false + vendor: other + usernameLDAPAttribute: uid + rdnLDAPAttribute: uid + uuidLDAPAttribute: entryUUID + userObjectClasses: inetOrgPerson, organizationalPerson + connectionUrl: ldaps://ldap.example.com:636 + usersDn: ou=Users,dc=example,dc=com + authType: simple + bindDn: cn=directory reader + bindCredential: password + searchScope: '1' + validatePasswordPolicy: false + trustEmail: false + useTruststoreSpi: ldapsOnly + connectionPooling: true + pagination: true + allowKerberosAuthentication: false + debug: false + useKerberosForPasswordAuthentication: false + mappers: + - name: "full name" + providerId: "full-name-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.full.name.attribute: cn + read.only: true + write.only: false keycloak_clients: - name: TestClient1 roles: diff --git a/roles/keycloak_realm/README.md b/roles/keycloak_realm/README.md index d39b2a3..cf1c317 100644 --- a/roles/keycloak_realm/README.md +++ b/roles/keycloak_realm/README.md @@ -14,6 +14,8 @@ Role Defaults |`keycloak_http_port` | HTTP port | `8080` | |`keycloak_https_port` | TLS HTTP port | `8443` | |`keycloak_auth_realm` | Name of the main authentication realm | `master` | +|`keycloak_rhsso_enable` | Define service is an upstream(Keycloak) or RHSSO | `master` | + Role Variables 
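Review bot: The added user-federation example commits a literal LDAP bind secret, `bindCredential: password`, next to a realistic `bindDn`; sample playbooks are copied verbatim, so the value should be sourced from a vaulted or extra variable, `bindCredential: "{{ ldap_bind_password }}"`, with the README pointing readers at `ansible-vault`. The same applies to the pre-existing `keycloak_admin_password: "changeme"` just above it. Note that everything under `config` is also echoed in the consuming task's loop output unless that task sets a loop label or `no_log`.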
@@ -35,10 +37,29 @@ The following variables are available for creating clients: |`keycloak_client_default_roles` | List of default role name for clients | `[]` | |`keycloak_client_users` | List of user/role mappings for a client | `[]` | +The following variable are available for creating user federation: + +| Variable | Description | Default | +|:---------|:------------|:---------| +|`keycloak_user_federation` | List of _keycloak_user_federation_ for the realm | `[]` | + Variable formats ---------------- +* `keycloak_user_federation`, a list of: + +```yaml + - realm: + name: + provider_id: + provider_type: < Provider Type, default is set to org.keycloak.storage.UserStorageProvider> + config: + mappers: +``` + +Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/general/keycloak_user_federation_module.html) for information on supported variables. + * `keycloak_clients`, a list of: ```yaml @@ -71,7 +92,6 @@ Variable formats For a comprehensive example, refer to the [playbook](playbooks/keycloak.yml). - Example Playbook ---------------- diff --git a/roles/keycloak_realm/defaults/main.yml b/roles/keycloak_realm/defaults/main.yml index dfc7a49..a7897cc 100644 --- a/roles/keycloak_realm/defaults/main.yml +++ b/roles/keycloak_realm/defaults/main.yml @@ -9,6 +9,9 @@ keycloak_admin_user: admin keycloak_auth_realm: master keycloak_auth_client: admin-cli +### List of Keycloak User Federation +keycloak_user_federation: [] + ### Keycloak realm client defaults # list of clients to create in the realm # diff --git a/roles/keycloak_realm/tasks/main.yml b/roles/keycloak_realm/tasks/main.yml index c51ecff..9945fec 100644 --- a/roles/keycloak_realm/tasks/main.yml +++ b/roles/keycloak_realm/tasks/main.yml 
@@ -34,6 +34,24 @@ status_code: 201 when: keycloak_realm_exists.status == 404 +- name: Create user federation + community.general.keycloak_user_federation: + auth_keycloak_url: "{{ keycloak_url }}/auth" + auth_realm: "{{ keycloak_auth_realm }}" + auth_username: "{{ keycloak_admin_user }}" + auth_password: "{{ keycloak_admin_password }}" + realm: "{{ item.realm }}" + name: "{{ item.name }}" + state: present + provider_id: "{{ item.provider_id }}" + provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}" + config: "{{ item.config }}" + mappers: "{{ item.mappers | default(omit) }}" + register: create_user_federation_result + loop: "{{ keycloak_user_federation | flatten }}" + when: keycloak_user_federation is defined + + - name: Create Client community.general.keycloak_client: auth_client_id: "{{ keycloak_auth_client }}" diff --git a/roles/keycloak_realm/vars/main.yml b/roles/keycloak_realm/vars/main.yml index 2f5a56f..1fe044e 100644 --- a/roles/keycloak_realm/vars/main.yml +++ b/roles/keycloak_realm/vars/main.yml @@ -13,4 +13,4 @@ keycloak_clients: # other settings keycloak_url: "http://{{ keycloak_host }}:{{ keycloak_http_port }}" keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}" -keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined else False }}" \ No newline at end of file +keycloak_rhsso_enable: False \ No newline at end of file
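Review bot: `provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}"` passes the fallback unquoted, so Jinja evaluates it as an attribute lookup on an undefined variable `org` instead of the string the README promises; it must read `default('org.keycloak.storage.UserStorageProvider')`. The task also loops over items whose `config` carries `bindCredential`, and without a label Ansible prints the entire item in the task output, so add `loop_control:` / `label: "{{ item.name }}"` (or `no_log: true`) to keep the bind secret out of logs. `when: keycloak_user_federation is defined` is always true now that defaults set it to `[]`, and `realm: "{{ item.realm }}"` could fall back to the role's `keycloak_realm` with `| default(keycloak_realm)`; `register: create_user_federation_result` is not used within the hunk.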
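Review bot: `keycloak_rhsso_enable: False` now lives in `vars/main.yml`, whose precedence beats inventory and play vars, so a consumer can only flip it with `-e`; the role README in this same patch lists it under Role Defaults, so it belongs in `defaults/main.yml` as `keycloak_rhsso_enable: false`. Dropping the former derivation from `rhsso_rhn_id` also means an RHN-installed RHSSO is treated as upstream Keycloak wherever the role branches on the flag unless the caller now sets it explicitly; the README entry should say so, and its shown default of `master` is wrong for a boolean. The file still lacks a trailing newline.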