diff --git a/.gitignore b/.gitignore
index ef79fe9..9cc2eb2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,4 @@ docs/_build/
 .mypy_cache/
 *.retry
 changelogs/.plugin-cache.yaml
+*.pem
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
index 8137cfd..40923c9 100644
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@@ -2,10 +2,6 @@
 - name: Prepare
   hosts: all
   tasks:
-    - name: Disable beta repos
-      ansible.builtin.command: yum config-manager --disable '*beta*'
-      ignore_errors: yes
-
     - name: Install sudo
       ansible.builtin.yum:
         name:
diff --git a/molecule/quarkus/converge.yml b/molecule/quarkus/converge.yml
index 1f77fe5..fd40a44 100644
--- a/molecule/quarkus/converge.yml
+++ b/molecule/quarkus/converge.yml
@@ -5,6 +5,12 @@
     keycloak_quarkus_admin_pass: "remembertochangeme"
     keycloak_admin_password: "remembertochangeme"
     keycloak_realm: TestRealm
+    keycloak_quarkus_host: instance:8443
+    keycloak_quarkus_http_relative_path: ''
+    keycloak_quarkus_log: file
+    keycloak_quarkus_https_enabled: True
+    keycloak_quarkus_key_file: conf/key.pem
+    keycloak_quarkus_cert_file: conf/cert.pem
   roles:
     - role: keycloak_quarkus
     - role: keycloak_realm
diff --git a/molecule/quarkus/molecule.yml b/molecule/quarkus/molecule.yml
index ea8ad61..785de19 100644
--- a/molecule/quarkus/molecule.yml
+++ b/molecule/quarkus/molecule.yml
@@ -16,7 +16,9 @@ platforms:
     port_bindings:
       - "8080/tcp"
       - "8443/tcp"
-      - "8009/tcp"
+      - "8009/tcp"
+    published_ports:
+      - 0.0.0.0:8443:8443/tcp
 provisioner:
   name: ansible
   config_options:
diff --git a/molecule/quarkus/prepare.yml b/molecule/quarkus/prepare.yml
index bda79cf..7d95f2f 100644
--- a/molecule/quarkus/prepare.yml
+++ b/molecule/quarkus/prepare.yml
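Review bot: `keycloak_quarkus_https_enabled: True` in the converge.yml hunk relies on YAML 1.1 truthy parsing; the rest of the scenario's booleans are not capitalised, and yamllint's `truthy` rule will flag it, so write it as `keycloak_quarkus_https_enabled: true`. The neighbouring `keycloak_quarkus_host: instance:8443` only survives as a string because there is no space after the colon — quoting it (`keycloak_quarkus_host: "instance:8443"`) makes that intent explicit and protects it from a future edit that inserts one. These are style points only; the values themselves are consistent with the `127.0.0.1 instance` hosts entry the prepare step adds.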
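Review bot: `published_ports: - 0.0.0.0:8443:8443/tcp` in the molecule.yml hunk binds the test Keycloak to every interface of the machine running molecule, and the converge.yml hunk in this same diff configures that instance with the admin password `remembertochangeme`, so anyone on the network of a developer's laptop or a CI runner can reach a known-credential admin console for the duration of the test. The verify step only needs loopback, since prepare.yml maps `instance` to `127.0.0.1` in /etc/hosts; bind there instead and quote the mapping so the colon-separated value is never retyped: `- "127.0.0.1:8443:8443/tcp"`. If a remote docker host is in play and loopback genuinely does not work, that constraint deserves a comment on the line rather than a wildcard bind.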
@@ -6,3 +6,21 @@
         ansible.builtin.yum:
           name: sudo
           state: present
+      - command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+        delegate_to: localhost
+      - lineinfile:
+          dest: /etc/hosts
+          line: "127.0.0.1 instance"
+          state: present
+        delegate_to: localhost
+        become: yes
+      - file:
+          state: directory
+          path: /opt/keycloak/keycloak-18.0.0/conf/
+      - copy:
+          src: "{{ item }}"
+          dest: "/opt/keycloak/keycloak-18.0.0/conf/{{ item }}"
+          mode: 0444
+        loop:
+          - cert.pem
+          - key.pem
diff --git a/molecule/quarkus/verify.yml b/molecule/quarkus/verify.yml
index ef973cd..9b469a4 100644
--- a/molecule/quarkus/verify.yml
+++ b/molecule/quarkus/verify.yml
@@ -9,3 +9,19 @@
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"
           - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+    - name: Fetch openID config
+      shell: |
+        curl https://instance:8443/realms/master/.well-known/openid-configuration -k | jq .
+      delegate_to: localhost
+      register: openid_config
+    - debug:
+        msg: " {{ openid_config.stdout | from_json }}"
+      delegate_to: localhost
+    - name: Verify endpoint URLs
+      assert:
+        that:
+          - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance:8443/realms/master/protocol/openid-connect/ext/ciba/auth'
+          - (openid_config.stdout | from_json)['issuer'] == 'https://instance:8443/realms/master'
+          - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/auth'
+          - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/token'
+      delegate_to: localhost
diff --git a/playbooks/keycloak_quarkus.yml b/playbooks/keycloak_quarkus.yml
index ebed89b..b9bbbba 100644
--- a/playbooks/keycloak_quarkus.yml
+++ b/playbooks/keycloak_quarkus.yml
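Review bot: The `copy` task in the prepare.yml hunk installs `key.pem` — the TLS private key for the instance — with `mode: 0444`, so any local account on the test host can read it; the cert can be world-readable, the key should not, and this pattern is exactly what gets copied into a real deployment later. The loop gives both files the same mode because the service user presumably does not exist yet at prepare time (the role appears to create it during converge; I cannot see that here), so the right place to tighten it is wherever the user is guaranteed to exist: there, `owner: "{{ keycloak.service_user }}"`, `group: "{{ keycloak.service_group }}"` and `mode: "0440"` on key.pem. Two smaller points on the same hunk: the `openssl req` command is not idempotent and re-mints the key on every prepare run, which `args: { creates: key.pem }` would fix, and `mode: 0444` should be quoted (`mode: "0444"`) so it is not parsed as an octal integer.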
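Review bot: The `curl ... -k` in the verify.yml hunk turns off certificate verification, which means the test passes even if Keycloak is serving some other certificate than the one `keycloak_quarkus_cert_file` points at. That check is cheap here, because prepare.yml generates `cert.pem` on the same controller this task is delegated to (`delegate_to: localhost`), so the controller can pin it: `curl --cacert cert.pem https://instance:8443/realms/master/.well-known/openid-configuration`. This also verifies that the `CN=instance` the prepare step chose actually matches the hostname being dialled, which is the part of the HTTPS change most likely to regress. The pipe through `jq .` can go as well, since the result is re-parsed with `from_json` on the next lines and `jq` is an extra dependency on the controller.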
@@ -3,7 +3,13 @@
   hosts: all
   vars:
     keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_host: localhost:8443
+    keycloak_quarkus_http_relative_path: ''
+    keycloak_quarkus_log: file
+    keycloak_quarkus_https_enabled: True
+    keycloak_quarkus_key_file: conf/key.pem
+    keycloak_quarkus_cert_file: conf/cert.pem
   collections:
     - middleware_automation.keycloak
   roles:
-    - keycloak_quarkus
\ No newline at end of file
+    - keycloak_quarkus
diff --git a/roles/keycloak_quarkus/tasks/install.yml b/roles/keycloak_quarkus/tasks/install.yml
index ba6ec40..b1ea1ee 100644
--- a/roles/keycloak_quarkus/tasks/install.yml
+++ b/roles/keycloak_quarkus/tasks/install.yml
@@ -84,9 +84,9 @@
     - local_archive_path.stat.exists
   become: yes
 
-- name: "Check target directory: {{ keycloak.home }}"
+- name: "Check target directory: {{ keycloak.home }}/bin/"
   ansible.builtin.stat:
-    path: "{{ keycloak.home }}"
+    path: "{{ keycloak.home }}/bin/"
   register: path_to_workdir
   become: yes
 
@@ -95,12 +95,12 @@
     remote_src: yes
     src: "{{ archive }}"
     dest: "{{ keycloak_quarkus_dest }}"
-    creates: "{{ keycloak.home }}"
+    creates: "{{ keycloak.home }}/bin/"
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
   become: yes
   when:
-    - new_version_downloaded.changed or not path_to_workdir.stat.exists
+    - (not path_to_workdir.stat.exists) or new_version_downloaded.changed
   notify:
     - restart keycloak
 
@@ -108,4 +108,4 @@
   ansible.builtin.debug:
     msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
   when:
-    - not new_version_downloaded.changed and path_to_workdir.stat.exists
+    - (not new_version_downloaded.changed) and path_to_workdir.stat.exists
diff --git a/roles/keycloak_quarkus/tasks/main.yml b/roles/keycloak_quarkus/tasks/main.yml
index 0ed3ece..cf855a2 100644
--- a/roles/keycloak_quarkus/tasks/main.yml
+++ b/roles/keycloak_quarkus/tasks/main.yml
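Review bot: The playbooks/keycloak_quarkus.yml hunk switches the shipped example playbook to HTTPS with `keycloak_quarkus_key_file: conf/key.pem` and `keycloak_quarkus_cert_file: conf/cert.pem`, but unlike the molecule scenario nothing in this playbook puts those files in place, so a user running the example as-is gets a Keycloak that fails to start (unless the role generates a key pair itself, which this diff does not show). A comment above the two lines would save that surprise: `# key/cert are not generated by the role: place a PEM key and certificate under <keycloak home>/conf before running`. The `True` on the `https_enabled` line should also be the canonical `true`, as elsewhere in the collection.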
@@ -41,6 +41,14 @@
   notify:
     - restart keycloak
 
+- name: Ensure logdirectory exists
+  ansible.builtin.file:
+    state: directory
+    path: "{{ keycloak.home }}/{{ keycloak.log.file | dirname }}"
+    owner: "{{ keycloak.service_user }}"
+    group: "{{ keycloak.service_group }}"
+    mode: 0775
+
 - name: "Start and wait for keycloak service"
   ansible.builtin.include_tasks: start.yml
 
@@ -52,6 +60,6 @@
 - name: Link default logs directory
   ansible.builtin.file:
     state: link
-    src: "{{ keycloak.home }}/{{ keycloak.log.file }}"
+    src: "{{ keycloak.home }}/{{ keycloak.log.file | dirname }}"
     dest: /var/log/keycloak
     force: yes
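Review bot: The new "Ensure logdirectory exists" task in main.yml creates a directory under `{{ keycloak.home }}` and chowns it to `{{ keycloak.service_user }}`, but it carries no `become: yes`, whereas every task touched in install.yml in this same diff runs with `become: yes`; if the play's connection user is not root the chown will fail, so add `become: yes` at the task level for consistency with the rest of the role. `mode: 0775` should also be quoted as `mode: "0775"` so it is handed to the module as an octal string rather than a YAML 1.1 octal integer. A short comment explaining why the directory is pre-created would help too, since the start/link tasks that depend on it live further down the file.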