Downstream variables

README.md

@@ -59,28 +59,6 @@ Both playbooks include the `keycloak` role, with different settings, as describe
 For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md).
 
 
-### Choosing between upstream project (Keycloak) and Red Hat Single Sign-On (RHSSO)
-
-The general flag `keycloak_rhsso_enable` controls what to install between upstream (Keycloak, when `False`) or Red Hat Single Sign-On (when `True`).
-The default value for the flag if `True` when Red Hat Network credentials are defined, `False` otherwise.
-
-
-#### Install upstream (Keycloak) from keycloak releases
-
-This is the default approach when RHN credentials are not defined. Keycloak is downloaded from keycloak builds (hosted on github.com) locally, and distributed to target nodes.
-
-
-#### Install RHSSO from the Red Hat Customer Support Portal
-
-Define the credentials as follows, and the default behaviour is to download a fresh archive of RHSSO on the controller node, then distribute to target nodes.
-
-```yaml
-rhn_username: '<customer_portal_username>'
-rhn_password: '<customer_portal_password>'
-# (keycloak_rhsso_enable defaults to True)
-```
-
-
 #### Install from controller node (local source)
 
 Making the keycloak zip archive (or the RHSSO zip archive), available to the playbook repository root directory, and setting `keycloak_offline_install` to `True`, allows to skip
@@ -101,14 +79,12 @@ And depending on `keycloak_rhsso_enable`:
 For RHSSO:
 
 ```yaml
-keycloak_rhsso_enable: True
+sso_download_url: "https://<internal-nexus.private.net>/<path>/<to>/rh-sso-x.y.z-server-dist.zip"
-keycloak_rhsso_download_url: "https://<internal-nexus.private.net>/<path>/<to>/rh-sso-x.y.z-server-dist.zip"
 ```
 
 For keycloak:
 
 ```yaml
-keycloak_rhsso_enable: False
 keycloak_download_url: "https://<internal-nexus.private.net>/<path>/<to>/keycloak-x.y.zip"
 ```
 

playbooks/rhsso.yml

@@ -3,7 +3,7 @@
   hosts: keycloak
   vars:
     keycloak_admin_password: "remembertochangeme"
-    keycloak_rhsso_enable: True
+    sso_enable: True
   collections:
     - middleware_automation.redhat_csp_download
     - middleware_automation.keycloak

roles/keycloak/README.md

@@ -74,16 +74,11 @@ Role Defaults
 
 | Variable | Description | Default |
 |:---------|:------------|:---------|
-|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation | `False` |
 |`keycloak_offline_install` | perform an offline install | `False`|
 |`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`| 
-|`keycloak_rhsso_download_url`| Download URL for RHSSO | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=<productID>`|
 |`keycloak_version`| keycloak.org package version | `15.0.2` |
-|`keycloak_rhsso_version`| RHSSO version | `7.5.0` |
-|`keycloak_rhsso_apply_patches`| Install RHSSO more recent cumulative patch | `False` |
 |`keycloak_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
-|`keycloak_rhn_url` | Base download URI for customer portal | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=` |
 |`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
 
 
@@ -94,9 +89,6 @@ Role Defaults
 |`keycloak_archive` | keycloak install archive filename | `keycloak-{{ keycloak_version }}.zip` |
 |`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` |
 |`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` |
-|`keycloak_rhsso_archive` | Red Hat SSO install archive filename | `rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip` |
-|`keycloak_rhsso_installdir`| Installation path for Red Hat SSO | `{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\.([0-9]*).*', '\1.\2') }}` |
-|`keycloak_rhsso_download_url`| Full download URI for Red Hat SSO | `{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}` |
 |`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}` |
 |`keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` |
 |`keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` |
@@ -106,7 +98,6 @@ Role Defaults
 |`keycloak_force_install` | Remove pre-existing versions of service | `False` |
 |`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
 |`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
-|`rhsso_rhn_id` | Customer Portal product ID for Red Hat SSO | `{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}` |
 
 
 Role Variables
@@ -145,12 +136,9 @@ The following variables are _required_ only when `keycloak_db_enabled` is True:
 |`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` |
 
 
-Example Playbooks
+Example Playbook
 -----------------
 
-_NOTE_: use ansible vaults or other security systems for storing credentials.
-
-
 * The following is an example playbook that makes use of the role to install keycloak from remote:
 
 ```yaml
@@ -164,27 +152,6 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
         - middleware_automation.keycloak.keycloak
 ```
 
-* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN:
-
-```yaml
----
-- name: Playbook for RHSSO
-  hosts: keycloak
-  collections:
-    - middleware_automation.redhat_csp_download
-  roles:
-    - redhat_csp_download
-  tasks:
-    - name: Keycloak Role
-      include_role:
-        name: keycloak
-      vars:
-        keycloak_admin_password: "remembertochangeme"
-        keycloak_rhsso_enable: True
-        rhn_username: '<customer portal username>'
-        rhn_password: '<customer portal password>'
-```
-
 
 * The following example playbook makes use of the role to install keycloak from the controller node:
 
@@ -203,45 +170,6 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
             # This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip
 ```
 
-
-* This playbook installs Red Hat Single Sign-On from an alternate url:
-
-```yaml
----
-- hosts: keycloak
-  collections:
-    - middleware_automation.keycloak
-  tasks:
-    - name: Keycloak Role
-      include_role:
-        name: keycloak
-      vars:
-        keycloak_admin_password: "remembertochangeme"
-        keycloak_rhsso_enable: True
-        keycloak_rhsso_download_url: "<REPLACE with download url>"
-        # This should be the full of remote source rhsso zip file and can contain basic authentication credentials
-```
-
-
-* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On offline from the controller node, and apply latest cumulative patch:
-
-```yaml
----
-- hosts: keycloak
-  collections:
-    - middleware_automation.keycloak
-  tasks:
-    - name: Keycloak Role
-      include_role:
-        name: keycloak
-      vars:
-        keycloak_admin_password: "remembertochangeme"
-        keycloak_rhsso_enable: True
-        keycloak_offline_install: True
-        keycloak_rhsso_apply_patches: True
-        # This should be the filename of rhsso zip file on Ansible node: rh-sso-7.5-server-dist.zip
-```
-
 License
 -------
 

roles/keycloak/defaults/main.yml

@@ -5,12 +5,13 @@ keycloak_archive: "keycloak-{{ keycloak_version }}.zip"
 keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"  
 keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
 keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
+keycloak_offline_install: False
 
 ### Install location and service settings
 keycloak_jvm_package: java-1.8.0-openjdk-headless
 keycloak_java_home:
 keycloak_dest: /opt/keycloak
-keycloak_jboss_home: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
+keycloak_jboss_home: "{{ keycloak_installdir }}"
 keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
 keycloak_config_standalone_xml: "keycloak.xml"
 keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
@@ -18,6 +19,9 @@ keycloak_config_override_template: ''
 keycloak_service_user: keycloak
 keycloak_service_group: keycloak
 keycloak_service_pidfile: "/run/keycloak.pid"
+keycloak_service_name: keycloak
+keycloak_service_desc: Keycloak
+
 keycloak_configure_firewalld: False
 
 ### administrator console password

roles/keycloak/meta/argument_specs.yml

@@ -51,7 +51,7 @@ argument_specs:
                 type: "str"
             keycloak_jboss_home:
                 # line 25 of keycloak/defaults/main.yml
-                default: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
+                default: "{{ keycloak_installdir }}"
                 description: "Installation work directory"
                 type: "str"
             keycloak_config_dir:
@@ -254,6 +254,14 @@ argument_specs:
                 default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
                 description: "URL for management console rest calls"
                 type: "str"
+            keycloak_service_name:
+                default: "keycloak"
+                description: "systemd service name for keycloak"
+                type: "str"
+            keycloak_service_desc:
+                default: "Keycloak"
+                description: "systemd description for keycloak"
+                type: "str"
     downstream:
         options:
             sso_version:
@@ -296,3 +304,15 @@ argument_specs:
                 default: True
                 description: "Perform an offline install"
                 type: "bool"
+            sso_service_name:
+                default: "sso"
+                description: "systemd service name for Single Sign-On"
+                type: "str"
+            sso_service_desc:
+                default: "Red Hat Single Sign-On"
+                description: "systemd description for Red Hat Single Sign-On"
+                type: "str"
+            sso_patch_bundle:
+                default: "rh-sso-{{ sso_rhn_ids[keycloak_version].latest_cp.v }}-patch.zip"
+                description: "Red Hat SSO patch archive filename"
+                type: "str"

roles/keycloak/tasks/install.yml

@@ -81,7 +81,7 @@
     - archive_path is defined
     - archive_path.stat is defined
     - not archive_path.stat.exists
-    - not keycloak_rhsso_enable
+    - not sso_enable is defined or not sso_enable
     - not keycloak_offline_install
 
 - name: Perform download from RHN
@@ -96,9 +96,9 @@
     - archive_path is defined
     - archive_path.stat is defined
     - not archive_path.stat.exists
-    - keycloak_rhsso_enable
+    - sso_enable is defined and sso_enable
     - not keycloak_offline_install
-    - keycloak_rhn_url in keycloak_rhsso_download_url
+    - keycloak_rhn_url in keycloak_download_url
 
 - name: Download rhsso archive from alternate location
   ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
@@ -110,9 +110,9 @@
     - archive_path is defined
     - archive_path.stat is defined
     - not archive_path.stat.exists
-    - keycloak_rhsso_enable
+    - sso_enable is defined and sso_enable
     - not keycloak_offline_install
-    - not keycloak_rhn_url in keycloak_rhsso_download_url
+    - not keycloak_rhn_url in keycloak_download_url
 
 - name: Check downloaded archive
   ansible.builtin.stat:
@@ -141,7 +141,7 @@
   register: path_to_workdir
   become: yes
 
-- name: "Extract {{ 'Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Keycloak' }} archive on target"
+- name: "Extract {{ keycloak_service_desc }} archive on target"
   ansible.builtin.unarchive:
     remote_src: yes
     src: "{{ archive }}"

roles/keycloak/tasks/main.yml

@@ -24,7 +24,9 @@
 
 - name: Include patch install tasks
   ansible.builtin.include_tasks: rhsso_patch.yml
-  when: keycloak_rhsso_apply_patches and keycloak_rhsso_enable
+  when:
+    - sso_apply_patches is defined and sso_apply_patches
+    - sso_enable is defined and sso_enable
   tags:
     - install
     - patch

roles/keycloak/tasks/prereqs.yml

@@ -18,11 +18,11 @@
 - name: Validate credentials
   ansible.builtin.assert:
     that:
-      - (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
+      - (rhn_username is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install
-      - (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
+      - (rhn_password is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install
     quiet: True
     fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
-    success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
+    success_msg: "Installing {{ keycloak_service_desc }}"
 
 - name: Validate persistence configuration
   ansible.builtin.assert:

roles/keycloak/tasks/rhsso_patch.yml

@@ -2,7 +2,7 @@
 ## check remote patch archive
 - name: Set download patch archive path
   ansible.builtin.set_fact:
-    patch_archive: "{{ keycloak_dest }}/{{ keycloak.patch_bundle }}"
+    patch_archive: "{{ keycloak_dest }}/{{ sso_patch_bundle }}"
 
 - name: Check download patch archive path
   ansible.builtin.stat:
@@ -11,8 +11,8 @@
 
 - name: Perform download from RHN
   middleware_automation.redhat_csp_download.redhat_csp_download:
-    url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.id }}"
+    url: "{{ keycloak_rhn_url }}{{ sso_rhn_ids[keycloak_version].latest_cp.id }}"
-    dest: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
+    dest: "{{ local_path.stat.path }}/{{ sso_patch_bundle }}"
     username: "{{ rhn_username }}"
     password: "{{ rhn_password }}"
   no_log: "{{ omit_rhn_output | default(true) }}"
@@ -21,13 +21,13 @@
     - patch_archive_path is defined
     - patch_archive_path.stat is defined
     - not patch_archive_path.stat.exists
-    - keycloak_rhsso_enable
+    - sso_enable is defined and sso_enable
     - not keycloak_offline_install
 
 ## copy and unpack
 - name: Copy patch archive to target nodes
   ansible.builtin.copy:
-    src: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
+    src: "{{ local_path.stat.path }}/{{ sso_patch_bundle }}"
     dest: "{{ patch_archive }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
@@ -48,9 +48,9 @@
   when: 
     - cli_result is defined
     - cli_result.stdout is defined
-    - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
+    - sso_rhn_ids[keycloak_version].latest_cp.v not in cli_result.stdout
   block:
-    - name: "Apply patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} to server"
+    - name: "Apply patch {{ sso_rhn_ids[keycloak_version].latest_cp.v }} to server"
       ansible.builtin.include_tasks: rhsso_cli.yml
       vars:
         query: "patch apply {{ patch_archive }}"
@@ -78,10 +78,10 @@
     - name: "Verify installed patch version"
       ansible.builtin.assert:
         that:
-          - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
+          - sso_rhn_ids[keycloak_version].latest_cp.v not in cli_result.stdout
         fail_msg: "Patch installation failed"
         success_msg: "Patch installation successful"
 
 - name: "Skipping patch"
   ansible.builtin.debug:
-    msg: "Latest cumulative patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} already installed, skipping patch installation."
+    msg: "Latest cumulative patch {{ sso_rhn_ids[keycloak_version].latest_cp.v }} already installed, skipping patch installation."

roles/keycloak/vars/main.yml

@@ -16,8 +16,7 @@ keycloak:
   home: "{{ keycloak_jboss_home }}"
   config_dir: "{{ keycloak_config_dir }}"
   bundle: "{{ keycloak_archive }}"
-  patch_bundle: "rh-sso-{{ sso_rhn_ids[keycloak_version].latest_cp.v }}-patch.zip"
+  service_name: "{{ keycloak_service_name }}"
-  service_name: "{{ 'rhsso' if keycloak_rhsso_enable else 'keycloak' }}"
   health_url: "{{ keycloak_management_url }}/health"
   cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh"
   config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 else 'standalone.xml.j2' }}"

roles/keycloak_quarkus/tasks/prereqs.yml

@@ -15,15 +15,6 @@
     fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled"
     success_msg: "{{ 'Configuring HA' if keycloak_quarkus_ha_enabled else 'Configuring standalone' }}"
 
-# - name: Validate credentials
-#   ansible.builtin.assert:
-#     that:
-#       - (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
-#       - (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
-#     quiet: True
-#     fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
-#     success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
-
 - name: Ensure required packages are installed
   ansible.builtin.include_tasks: fastpackages.yml
   vars:

roles/keycloak_realm/README.md

@@ -15,7 +15,6 @@ Role Defaults
 |`keycloak_http_port`| HTTP port | `8080` |
 |`keycloak_https_port`| TLS HTTP port | `8443` |
 |`keycloak_auth_realm`| Name of the main authentication realm | `master` |
-|`keycloak_rhsso_enable`| Define service is an upstream(Keycloak) or RHSSO | `master` |
 |`keycloak_management_http_port`| Management port | `9990` |
 |`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` |
 |`keycloak_client_public`| Configure a public realm client | `True` |

roles/keycloak_realm/defaults/main.yml

@@ -4,7 +4,6 @@ keycloak_host: localhost
 keycloak_http_port: 8080
 keycloak_https_port: 8443
 keycloak_management_http_port: 9990
-keycloak_rhsso_enable: False
 
 ### Keycloak administration console user
 keycloak_admin_user: admin

roles/keycloak_realm/meta/argument_specs.yml

@@ -26,11 +26,6 @@ argument_specs:
                 default: 9990
                 description: "Management port"
                 type: "int"
-            keycloak_rhsso_enable:
-                # line 7 of keycloak_realm/defaults/main.yml
-                default: false
-                description: "Enable Red Hat Single Sign-on"
-                type: "bool"
             keycloak_admin_user:
                 # line 10 of keycloak_realm/defaults/main.yml
                 default: "admin"
@@ -96,3 +91,25 @@ argument_specs:
                 default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
                 description: "URL for management console rest calls"
                 type: "str"
+    downstream:
+        options:
+            sso_version:
+                default: "7.5.0"
+                description: "Red Hat Single Sign-On version"
+                type: "str"
+            sso_dest:
+                default: "/opt/sso"
+                description: "Root installation directory"
+                type: "str"
+            sso_installdir:
+                default: "{{ keycloak_dest }}/rh-sso-{{ keycloak_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
+                description: "Installation path for Red Hat SSO"
+                type: "str"
+            sso_apply_patches:
+                default: False
+                description: "Install Red Hat SSO most recent cumulative patch"
+                type: "bool"
+            sso_enable:
+                default: True
+                description: "Enable Red Hat Single Sign-on installation"
+                type: "str"