guillaume
/
ansible-keycloak
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add role keycloak_quarkus

main
Guido Grazioli 2022-04-07 14:07:08 +02:00
parent c7b6bc1d61
commit 419c862341
No known key found for this signature in database
GPG Key ID: 22C8C31EF2BC093B
16 changed files with 666 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
roles/keycloak_quarkus/defaults/main.yml 100644
View File

@ -0,0 +1,70 @@
---
### Configuration specific to keycloak
keycloak_quarkus_version: 17.0.1
keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
# whether to install from local archive
keycloak_quarkus_offline_install: False
### Install location and service settings
keycloak_quarkus_jvm_package: java-11-openjdk-headless
keycloak_quarkus_dest: /opt/keycloak
keycloak_quarkus_home: "{{ keycloak_quarkus_installdir }}"
keycloak_quarkus_config_dir: "{{ keycloak_quarkus_home }}/conf"
keycloak_quarkus_service_user: keycloak
keycloak_quarkus_service_group: keycloak
keycloak_quarkus_service_pidfile: "/run/keycloak.pid"
keycloak_quarkus_configure_firewalld: False
### administrator console password
keycloak_quarkus_admin_user: admin
keycloak_quarkus_admin_pass: ''
keycloak_quarkus_master_realm: master
### Configuration settings
keycloak_quarkus_bind_address: 0.0.0.0
keycloak_quarkus_host: localhost
keycloak_quarkus_http_port: 8080
keycloak_quarkus_https_port: 8443
keycloak_quarkus_ajp_port: 8009
keycloak_quarkus_jgroups_port: 7600
keycloak_quarkus_java_opts: "-Xms1024m -Xmx2048m"
### Enable configuration for database backend, clustering and remote caches on infinispan
keycloak_quarkus_ha_enabled: False
### Enable database configuration, must be enabled when HA is configured
keycloak_quarkus_db_enabled: "{{ True if keycloak_quarkus_ha_enabled else False }}"
### keycloak frontend url
keycloak_quarkus_http_relative_path: auth
keycloak_quarkus_frontend_url: http://localhost:8080/auth
keycloak_quarkus_metrics_enabled: False
### infinispan remote caches access (hotrod)
keycloak_quarkus_ispn_user: supervisor
keycloak_quarkus_ispn_pass: supervisor
keycloak_quarkus_ispn_url: localhost
keycloak_quarkus_ispn_sasl_mechanism: SCRAM-SHA-512
keycloak_quarkus_ispn_use_ssl: False
# if ssl is enabled, import ispn server certificate here
keycloak_quarkus_ispn_trust_store_path: /etc/pki/java/cacerts
keycloak_quarkus_ispn_trust_store_password: changeit
### database backend engine: values [ 'postgres', 'mariadb' ]
keycloak_quarkus_jdbc_engine: postgres
### database backend credentials
keycloak_quarkus_db_user: keycloak-user
keycloak_quarkus_db_pass: keycloak-pass
keycloak_quarkus_jdbc_url: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
keycloak_quarkus_jdbc_driver_version: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
# override the variables above, following defaults show minimum supported versions
keycloak_quarkus_default_jdbc:
postgres:
url: 'jdbc:postgresql://localhost:5432/keycloak'
version: 9.4.1212
mariadb:
url: 'jdbc:mariadb://localhost:3306/keycloak'
version: 2.7.4

4
roles/keycloak_quarkus/handlers/main.yml 100644
View File

@ -0,0 +1,4 @@
---
- name: "Restart {{ keycloak.service_name }}"
ansible.builtin.include_tasks: restart.yml
listen: "restart keycloak"

203
roles/keycloak_quarkus/meta/argument_specs.yml 100644
View File

@ -0,0 +1,203 @@
argument_specs:
main:
options:
keycloak_quarkus_version:
# line 3 of defaults/main.yml
default: "17.0.1"
description: "TODO document argument"
type: "str"
keycloak_quarkus_archive:
# line 4 of defaults/main.yml
default: "keycloak-{{ keycloak_quarkus_version }}.zip"
description: "TODO document argument"
type: "str"
keycloak_quarkus_download_url:
# line 5 of defaults/main.yml
default: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"
description: "TODO document argument"
type: "str"
keycloak_quarkus_installdir:
# line 6 of defaults/main.yml
default: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
description: "TODO document argument"
type: "str"
keycloak_quarkus_offline_install:
# line 9 of defaults/main.yml
default: false
description: "TODO document argument"
type: "bool"
keycloak_quarkus_jvm_package:
# line 12 of defaults/main.yml
default: "java-11-openjdk-headless"
description: "TODO document argument"
type: "str"
keycloak_quarkus_dest:
# line 13 of defaults/main.yml
default: "/opt/keycloak"
description: "TODO document argument"
type: "str"
keycloak_quarkus_home:
# line 14 of defaults/main.yml
default: "{{ keycloak_quarkus_installdir }}"
description: "TODO document argument"
type: "str"
keycloak_quarkus_config_dir:
# line 15 of defaults/main.yml
default: "{{ keycloak_quarkus_home }}/conf"
description: "TODO document argument"
type: "str"
keycloak_quarkus_service_user:
# line 16 of defaults/main.yml
default: "keycloak"
description: "TODO document argument"
type: "str"
keycloak_quarkus_service_group:
# line 17 of defaults/main.yml
default: "keycloak"
description: "TODO document argument"
type: "str"
keycloak_quarkus_service_pidfile:
# line 18 of defaults/main.yml
default: "/run/keycloak.pid"
description: "TODO document argument"
type: "str"
keycloak_quarkus_configure_firewalld:
# line 19 of defaults/main.yml
default: false
description: "TODO document argument"
type: "bool"
keycloak_quarkus_admin_user:
# line 22 of defaults/main.yml
default: "admin"
description: "TODO document argument"
type: "str"
keycloak_quarkus_admin_pass:
# line 23 of defaults/main.yml
default: ""
description: "TODO document argument"
type: "str"
keycloak_quarkus_master_realm:
# line 24 of defaults/main.yml
default: "master"
description: "TODO document argument"
type: "str"
keycloak_quarkus_bind_address:
# line 27 of defaults/main.yml
default: "0.0.0.0"
description: "TODO document argument"
type: "str"
keycloak_quarkus_host:
# line 28 of defaults/main.yml
default: "localhost"
description: "TODO document argument"
type: "str"
keycloak_quarkus_http_port:
# line 29 of defaults/main.yml
default: 8080
description: "TODO document argument"
type: "int"
keycloak_quarkus_https_port:
# line 30 of defaults/main.yml
default: 8443
description: "TODO document argument"
type: "int"
keycloak_quarkus_ajp_port:
# line 31 of defaults/main.yml
default: 8009
description: "TODO document argument"
type: "int"
keycloak_quarkus_jgroups_port:
# line 32 of defaults/main.yml
default: 7600
description: "TODO document argument"
type: "int"
keycloak_quarkus_java_opts:
# line 33 of defaults/main.yml
default: "-Xms1024m -Xmx2048m"
description: "TODO document argument"
type: "str"
keycloak_quarkus_ha_enabled:
# line 36 of defaults/main.yml
default: false
description: "TODO document argument"
type: "bool"
keycloak_quarkus_db_enabled:
# line 38 of defaults/main.yml
default: "{{ True if keycloak_quarkus_ha_enabled else False }}"
description: "TODO document argument"
type: "str"
keycloak_quarkus_http_relative_path:
# line 41 of defaults/main.yml
default: "auth"
description: "TODO document argument"
type: "str"
keycloak_quarkus_frontend_url:
# line 41 of defaults/main.yml
default: "http://localhost:8080/auth"
description: "TODO document argument"
type: "str"
keycloak_quarkus_metrics_enabled:
# line 43 of defaults/main.yml
default: false
description: "TODO document argument"
type: "bool"
keycloak_quarkus_ispn_user:
# line 46 of defaults/main.yml
default: "supervisor"
description: "TODO document argument"
type: "str"
keycloak_quarkus_ispn_pass:
# line 47 of defaults/main.yml
default: "supervisor"
description: "TODO document argument"
type: "str"
keycloak_quarkus_ispn_url:
# line 48 of defaults/main.yml
default: "localhost"
description: "TODO document argument"
type: "str"
keycloak_quarkus_ispn_sasl_mechanism:
# line 49 of defaults/main.yml
default: "SCRAM-SHA-512"
description: "TODO document argument"
type: "str"
keycloak_quarkus_ispn_use_ssl:
# line 50 of defaults/main.yml
default: false
description: "TODO document argument"
type: "bool"
keycloak_quarkus_ispn_trust_store_path:
# line 52 of defaults/main.yml
default: "/etc/pki/java/cacerts"
description: "TODO document argument"
type: "str"
keycloak_quarkus_ispn_trust_store_password:
# line 53 of defaults/main.yml
default: "changeit"
description: "TODO document argument"
type: "str"
keycloak_quarkus_jdbc_engine:
# line 56 of defaults/main.yml
default: "postgres"
description: "TODO document argument"
type: "str"
keycloak_quarkus_db_user:
# line 58 of defaults/main.yml
default: "keycloak-user"
description: "TODO document argument"
type: "str"
keycloak_quarkus_db_pass:
# line 59 of defaults/main.yml
default: "keycloak-pass"
description: "TODO document argument"
type: "str"
keycloak_quarkus_jdbc_url:
# line 60 of defaults/main.yml
default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].url }}"
description: "TODO document argument"
type: "str"
keycloak_quarkus_jdbc_driver_version:
# line 61 of defaults/main.yml
default: "{{ keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].version }}"
description: "TODO document argument"
type: "str"

28
roles/keycloak_quarkus/meta/main.yml 100644
View File

@ -0,0 +1,28 @@
---
collections:
galaxy_info:
role_name: keycloak_quarkus
namespace: middleware_automation
author: Guido Grazioli
description: Install keycloak on quarkus server configurations
company: Red Hat, Inc.
license: Apache License 2.0
min_ansible_version: "2.9"
platforms:
- name: EL
versions:
- 8
galaxy_tags:
- keycloak
- quarkus
- redhat
- rhel
- sso
- authentication
- identity
- security

21
roles/keycloak_quarkus/tasks/fastpackages.yml 100644
View File

@ -0,0 +1,21 @@
---
- block:
- name: "Check if packages are already installed"
ansible.builtin.command: "rpm -q {{ packages_list | join(' ') }}"
args:
warn: no
register: rpm_info
changed_when: rpm_info.failed
rescue:
- name: "Add missing packages to the yum install list"
ansible.builtin.set_fact:
packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | flatten }}"
when: rpm_info.failed
- name: "Install packages: {{ packages_to_install }}"
become: yes
ansible.builtin.yum:
name: "{{ packages_to_install }}"
state: present
when: packages_to_install | default([]) | length > 0

25
roles/keycloak_quarkus/tasks/firewalld.yml 100644
View File

@ -0,0 +1,25 @@
---
- name: Ensure required package firewalld are installed
ansible.builtin.include_tasks: fastpackages.yml
vars:
packages_list:
- firewalld
- name: Enable and start the firewalld service
become: yes
ansible.builtin.systemd:
name: firewalld
enabled: yes
state: started
- name: "Configure firewall for {{ keycloak.service_name }} ports"
become: yes
firewalld:
port: "{{ item }}"
permanent: true
state: enabled
immediate: yes
loop:
- "{{ keycloak_quarkus_http_port }}/tcp"
- "{{ keycloak_quarkus_https_port }}/tcp"
- "{{ keycloak_quarkus_jgroups_port }}/tcp"

110
roles/keycloak_quarkus/tasks/install.yml 100644
View File

@ -0,0 +1,110 @@
---
- name: Validate parameters
ansible.builtin.assert:
that:
- keycloak.home is defined
- keycloak_quarkus_service_user is defined
- keycloak_quarkus_dest is defined
- keycloak_quarkus_archive is defined
- keycloak_quarkus_download_url is defined
- keycloak_quarkus_version is defined
quiet: true
- name: Check for an existing deployment
become: yes
ansible.builtin.stat:
path: "{{ keycloak.home }}"
register: existing_deploy
- name: "Create {{ keycloak.service_name }} service user/group"
become: yes
ansible.builtin.user:
name: "{{ keycloak.service_user }}"
home: /opt/keycloak
system: yes
create_home: no
- name: "Create {{ keycloak.service_name }} install location"
become: yes
ansible.builtin.file:
dest: "{{ keycloak_quarkus_dest }}"
state: directory
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0750
## check remote archive
- name: Set download archive path
ansible.builtin.set_fact:
archive: "{{ keycloak_quarkus_dest }}/{{ keycloak.bundle }}"
- name: Check download archive path
become: yes
ansible.builtin.stat:
path: "{{ archive }}"
register: archive_path
## download to controller
- name: Check local download archive path
ansible.builtin.stat:
path: "{{ lookup('env', 'PWD') }}"
register: local_path
delegate_to: localhost
- name: Download keycloak archive
ansible.builtin.get_url:
url: "{{ keycloak_quarkus_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
delegate_to: localhost
when:
- archive_path is defined
- archive_path.stat is defined
- not archive_path.stat.exists
- not keycloak.offline_install
- name: Check downloaded archive
ansible.builtin.stat:
path: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
register: local_archive_path
delegate_to: localhost
## copy and unpack
- name: Copy archive to target nodes
ansible.builtin.copy:
src: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
dest: "{{ archive }}"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0750
register: new_version_downloaded
when:
- not archive_path.stat.exists
- local_archive_path.stat is defined
- local_archive_path.stat.exists
become: yes
- name: "Check target directory: {{ keycloak.home }}"
ansible.builtin.stat:
path: "{{ keycloak.home }}"
register: path_to_workdir
become: yes
- name: "Extract Keycloak archive on target"
ansible.builtin.unarchive:
remote_src: yes
src: "{{ archive }}"
dest: "{{ keycloak_quarkus_dest }}"
creates: "{{ keycloak.home }}"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
become: yes
when:
- new_version_downloaded.changed or not path_to_workdir.stat.exists
notify:
- restart keycloak
- name: Inform decompression was not executed
ansible.builtin.debug:
msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
when:
- not new_version_downloaded.changed and path_to_workdir.stat.exists

41
roles/keycloak_quarkus/tasks/main.yml 100644
View File

@ -0,0 +1,41 @@
---
# tasks file for keycloak
- name: Check prerequisites
ansible.builtin.include_tasks: prereqs.yml
tags:
- prereqs
- name: Include firewall config tasks
ansible.builtin.include_tasks: firewalld.yml
when: keycloak_quarkus_configure_firewalld
tags:
- firewall
- name: Include install tasks
ansible.builtin.include_tasks: install.yml
tags:
- install
- name: Include systemd tasks
ansible.builtin.include_tasks: systemd.yml
tags:
- systemd
- name: "Configure config for keycloak service"
ansible.builtin.template:
src: keycloak.conf.j2
dest: "{{ keycloak.home }}/conf/keycloak.conf"
owner: "{{ keycloak.service_user }}"
group: "{{ keycloak.service_group }}"
mode: 0644
notify:
- restart keycloak
- name: "Start and wait for keycloak service"
ansible.builtin.include_tasks: start.yml
- name: Check service status
ansible.builtin.command: "systemctl status keycloak"
register: keycloak_service_status
changed_when: False

34
roles/keycloak_quarkus/tasks/prereqs.yml 100644
View File

@ -0,0 +1,34 @@
---
- name: Validate admin console password
ansible.builtin.assert:
that:
- keycloak_quarkus_admin_pass | length > 12
quiet: True
fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass variable to a 12+ char long string"
success_msg: "{{ 'Console administrator password OK' }}"
- name: Validate configuration
ansible.builtin.assert:
that:
- (keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or (not keycloak_quarkus_ha_enabled and not keycloak_quarkus_db_enabled)
quiet: True
fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled"
success_msg: "{{ 'Configuring HA' if keycloak_quarkus_ha_enabled else 'Configuring standalone' }}"
# - name: Validate credentials
# ansible.builtin.assert:
# that:
# - (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
# - (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
# quiet: True
# fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
# success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
- name: Ensure required packages are installed
ansible.builtin.include_tasks: fastpackages.yml
vars:
packages_list:
- "{{ keycloak_quarkus_jvm_package }}"
- unzip
- procps-ng
- initscripts

7
roles/keycloak_quarkus/tasks/restart.yml 100644
View File

@ -0,0 +1,7 @@
---
- name: "Restart and enable {{ keycloak.service_name }} service"
ansible.builtin.systemd:
name: keycloak
enabled: yes
state: restarted
become: yes

15
roles/keycloak_quarkus/tasks/start.yml 100644
View File

@ -0,0 +1,15 @@
---
- name: "Start {{ keycloak.service_name }} service"
ansible.builtin.systemd:
name: keycloak
enabled: yes
state: started
become: yes
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
ansible.builtin.uri:
url: "{{ keycloak.health_url }}"
register: keycloak_status
until: keycloak_status.status == 200
retries: 25
delay: 10

29
roles/keycloak_quarkus/tasks/systemd.yml 100644
View File

@ -0,0 +1,29 @@
---
- name: "Configure sysconfig file for keycloak service"
become: yes
ansible.builtin.template:
src: keycloak-sysconfig.j2
dest: /etc/sysconfig/keycloak
owner: root
group: root
mode: 0644
notify:
- restart keycloak
- name: "Configure systemd unit file for keycloak service"
ansible.builtin.template:
src: keycloak.service.j2
dest: /etc/systemd/system/keycloak.service
owner: root
group: root
mode: 0644
become: yes
register: systemdunit
notify:
- restart keycloak
- name: Reload systemd
become: yes
ansible.builtin.systemd:
daemon_reload: yes
when: systemdunit.changed

3
roles/keycloak_quarkus/templates/keycloak-sysconfig.j2 100644
View File

@ -0,0 +1,3 @@
# {{ ansible_managed }}
KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }}
KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'

51
roles/keycloak_quarkus/templates/keycloak.conf.j2 100644
View File

@ -0,0 +1,51 @@
# {{ ansible_managed }}
# Database
# Database vendor [dev-file, dev-mem, mariadb, mssql, mysql, oracle, postgres]
#db=postgres
# The username of the database user.
#db-username=keycloak
# The password of the database user.
#db-password=password
# The full database JDBC URL. If not provided, a default URL is set based on the selected database vendor.
#db-url=jdbc:postgresql://localhost/keycloak
# Observability
# If the server should expose metrics and healthcheck endpoints.
#metrics-enabled=true
# HTTP
http-enabled=true
http-port=8080
https-port=8443
# The file path to a server certificate or certificate chain in PEM format.
#https-certificate-file=${kc.home.dir}conf/server.crt.pem
# The file path to a private key in PEM format.
#https-certificate-key-file=${kc.home.dir}conf/server.key.pem
# The proxy address forwarding mode if the server is behind a reverse proxy.
#proxy=reencrypt
# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
#spi-sticky-session-encoder-infinispan-should-attach-route=false
# Hostname for the Keycloak server.
hostname={{ keycloak_quarkus_host }}
hostname-path={{ keycloak_quarkus_http_relative_path }}
# Cluster
#cache=ispn
#Defines the cache mechanism for high-availability. [local, ispn]
#cache-config-file=conf/cache-ispn.xml
#Defines the file from which cache configuration should be loaded from.
#cache-stack=tcp
#Define the default stack to use for cluster communication and node discovery. [tcp, udp, kubernetes, ec2, azure, google]
# Proxy
# The proxy address forwarding mode if the server is behind a reverse proxy. [edge, reencrypt, passthrough]
#proxy=
# Logging
# The format of log entries.
#log-format=%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n
# The log level of the root category or a comma-separated list of individual categories and their levels.
#log-level=info

14
roles/keycloak_quarkus/templates/keycloak.service.j2 100644
View File

@ -0,0 +1,14 @@
# {{ ansible_managed }}
[Unit]
Description=Keycloak Server
After=network.target
[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/keycloak
PIDFile={{ keycloak_quarkus_service_pidfile }}
ExecStart={{ keycloak.home }}/bin/kc.sh start
#--http-relative-path={{ keycloak_quarkus_http_relative_path }}
[Install]
WantedBy=multi-user.target

11
roles/keycloak_quarkus/vars/main.yml 100644
View File

@ -0,0 +1,11 @@
---
keycloak:
home: "{{ keycloak_quarkus_home }}"
config_dir: "{{ keycloak_quarkus_config_dir }}"
bundle: "{{ keycloak_quarkus_archive }}"
service_name: "keycloak"
health_url: "http://localhost:8080/realms/master/.well-known/openid-configuration"
cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh"
service_user: "{{ keycloak_quarkus_service_user }}"
service_group: "{{ keycloak_quarkus_service_group }}"
offline_install: "{{ keycloak_quarkus_offline_install }}"