update 18.0.0, add JAVA_HOME check, runas systemd unit

roles/keycloak_quarkus/README.md

@@ -27,11 +27,12 @@ Role Defaults
 |`keycloak_quarkus_https_port`| TLS HTTP port | `8443` |
 |`keycloak_quarkus_ajp_port`| AJP port | `8009` |
 |`keycloak_quarkus_jgroups_port`| jgroups cluster tcp port | `7600` |
-|`keycloak_quarkus_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
 |`keycloak_quarkus_service_user`| Posix account username | `keycloak` |
 |`keycloak_quarkus_service_group`| Posix account group | `keycloak` |
 |`keycloak_quarkus_service_pidfile`| Pid file path for service | `/run/keycloak.pid` |
 |`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-11-openjdk-headless` |
+|`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
+|`keycloak_quarkus_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
 |`keycloak_quarkus_frontend_url`| Service public URL | `http://localhost:8080/auth` |
 |`keycloak_quarkus_http_relative_path` | Service context path | `auth` |
 |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |

roles/keycloak_quarkus/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 ### Configuration specific to keycloak
-keycloak_quarkus_version: 17.0.1
+keycloak_quarkus_version: 18.0.0
 keycloak_quarkus_archive: "keycloak-{{ keycloak_quarkus_version }}.zip"
 keycloak_quarkus_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_quarkus_version }}/{{ keycloak_quarkus_archive }}"  
 keycloak_quarkus_installdir: "{{ keycloak_quarkus_dest }}/keycloak-{{ keycloak_quarkus_version }}"
@@ -10,6 +10,7 @@ keycloak_quarkus_offline_install: False
 
 ### Install location and service settings
 keycloak_quarkus_jvm_package: java-11-openjdk-headless
+keycloak_quarkus_java_home:
 keycloak_quarkus_dest: /opt/keycloak
 keycloak_quarkus_home: "{{ keycloak_quarkus_installdir }}"
 keycloak_quarkus_config_dir: "{{ keycloak_quarkus_home }}/conf"
@@ -47,6 +48,9 @@ keycloak_quarkus_db_enabled: "{{ True if keycloak_quarkus_ha_enabled else False
 keycloak_quarkus_http_relative_path: auth
 keycloak_quarkus_frontend_url: http://localhost:8080/auth
 
+# proxy address forwarding mode if the server is behind a reverse proxy. [edge, reencrypt, passthrough]
+keycloak_quarkus_proxy_mode: edge
+
 keycloak_quarkus_metrics_enabled: False
 keycloak_quarkus_health_enabled: True
 

roles/keycloak_quarkus/meta/argument_specs.yml

@@ -31,6 +31,9 @@ argument_specs:
                 default: "java-11-openjdk-headless"
                 description: "RHEL java package runtime"
                 type: "str"
+            keycloak_quarkus_java_home:
+                description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path"
+                type: "str"
             keycloak_quarkus_dest:
                 # line 13 of defaults/main.yml
                 default: "/opt/keycloak"

roles/keycloak_quarkus/tasks/main.yml

@@ -1,6 +1,5 @@
 ---
 # tasks file for keycloak
-
 - name: Check prerequisites
   ansible.builtin.include_tasks: prereqs.yml
   tags:
@@ -53,5 +52,6 @@
 - name: Link default logs directory
   ansible.builtin.file:
     state: link
-    src: "{{ keycloak.home }}/{{ keycloak.log_file }}"
+    src: "{{ keycloak.home }}/{{ keycloak.log.file }}"
     dest: /var/log/keycloak
+    force: yes

roles/keycloak_quarkus/tasks/systemd.yml

@@ -1,4 +1,13 @@
 ---
+- name: Determine JAVA_HOME for selected JVM RPM  # noqa blocked_modules
+  ansible.builtin.shell: |
+    set -o pipefail
+    rpm -ql {{ keycloak_quarkus_jvm_package }} | grep -Po '/usr/lib/jvm/.*(?=/bin/java$)'
+  args:
+    executable: /bin/bash
+  changed_when: False
+  register: rpm_java_home
+
 - name: "Configure sysconfig file for keycloak service"
   become: yes
   ansible.builtin.template:
@@ -7,6 +16,8 @@
     owner: root
     group: root
     mode: 0644
+  vars:
+    keycloak_rpm_java_home: "{{ rpm_java_home.stdout }}"
   notify:
     - restart keycloak
 

roles/keycloak_quarkus/templates/keycloak-sysconfig.j2

@@ -1,3 +1,4 @@
 # {{ ansible_managed }}
 KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }}
 KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'
+JAVA_HOME={{ keycloak_java_home  | default(keycloak_rpm_java_home, true) }}

roles/keycloak_quarkus/templates/keycloak.conf.j2

@@ -22,8 +22,6 @@ https-port={{ keycloak_quarkus_https_port }}
 https-certificate-file={{ keycloak.home }}/{{ keycloak_quarkus_cert_file}}
 https-certificate-key-file={{ keycloak.home }}/{{ keycloak_quarkus_key_file }}
 {% endif %}
-# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
-#spi-sticky-session-encoder-infinispan-should-attach-route=false
 
 # Hostname for the Keycloak server.
 hostname={{ keycloak_quarkus_host }}
@@ -37,13 +35,13 @@ cache-stack=tcp
 {% endif %}
 
 # Proxy
-# The proxy address forwarding mode if the server is behind a reverse proxy. [edge, reencrypt, passthrough]
-#proxy=
+proxy={{ keycloak_quarkus_proxy_mode }}
+# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
+#spi-sticky-session-encoder-infinispan-should-attach-route=false
 
 # Logging
-# The format of log entries.
 #log-format=%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n
-log=file
+log={{ keycloak_quarkus_log }}
 log-level={{ keycloak.log.level }}
 log-file={{ keycloak.log.file }}
 log-file-format={{ keycloak.log.format }}

roles/keycloak_quarkus/templates/keycloak.service.j2

@@ -7,7 +7,8 @@ After=network.target
 Type=simple
 EnvironmentFile=-/etc/sysconfig/keycloak
 PIDFile={{ keycloak_quarkus_service_pidfile }}
-ExecStart={{ keycloak.home }}/bin/kc.sh start --auto-build 
+ExecStart={{ keycloak.home }}/bin/kc.sh start --auto-build --log={{ keycloak_quarkus_log }}
+User={{ keycloak.service_user }}
 
 [Install]
 WantedBy=multi-user.target