diff --git a/.ansible-lint b/.ansible-lint index f777db8..f9251eb 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -23,9 +23,13 @@ warn_list: - no-handler - fqcn-builtins - no-log-password + - jinja[spacing] + - jinja[invalid] + - meta-no-tags skip_list: - vars_should_not_be_used + - file_is_small_enough use_default_rules: true parseable: true diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7c96b1d..85da941 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,11 +1,16 @@ --- name: CI -"on": +on: push: branches: - main pull_request: +env: + COLORTERM: 'yes' + TERM: 'xterm-256color' + PYTEST_ADDOPTS: '--color=yes' + jobs: ci: runs-on: ubuntu-latest @@ -29,16 +34,17 @@ jobs: pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt + - name: Create default collection path + run: | + mkdir -p /home/runner/.ansible/ + ln -s /home/runner/work/keycloak/keycloak /home/runner/.ansible/collections + - name: Install ansible-lint custom rules uses: actions/checkout@v2 with: repository: ansible-middleware/ansible-lint-custom-rules path: ansible_collections/ansible-lint-custom-rules/ - - name: Create default collection path - run: | - mkdir -p /home/runner/.ansible/collections/ansible_collections - - name: Run sanity tests run: ansible-test sanity --docker -v --color --python ${{ matrix.python_version }} --exclude changelogs/fragments/.gitignore working-directory: ./ansible_collections/middleware_automation/keycloak diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 7345971..7163a00 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml 
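Review bot: The new "Create default collection path" step hard-codes `/home/runner/work/keycloak/keycloak` and `/home/runner/.ansible`, so the symlink silently points at a non-existent directory whenever the repository is renamed, run from a fork with another name, or executed on a runner with a different home layout; the equivalent hunk in `.github/workflows/docs.yml` has the same problem. Use the workflow's own variables and make the link idempotent: `mkdir -p "$HOME/.ansible"`, `ln -sfn "${{ github.workspace }}" "$HOME/.ansible/collections"` — `-n` also keeps a re-run from creating a second link nested inside an existing `collections` directory. The enclosing `ci` job continues outside the hunk.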
@@ -45,7 +45,8 @@ jobs: - name: Create default collection path run: | - mkdir -p /home/runner/.ansible/collections/ansible_collections + mkdir -p /home/runner/.ansible/ + ln -s /home/runner/work/keycloak/keycloak /home/runner/.ansible/collections - name: Create changelog and documentation uses: ansible-middleware/collection-docs-action@main diff --git a/README.md b/README.md index d341f58..75775d7 100644 --- a/README.md +++ b/README.md @@ -59,28 +59,6 @@ Both playbooks include the `keycloak` role, with different settings, as describe For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md). -### Choosing between upstream project (Keycloak) and Red Hat Single Sign-On (RHSSO) - -The general flag `keycloak_rhsso_enable` controls what to install between upstream (Keycloak, when `False`) or Red Hat Single Sign-On (when `True`). -The default value for the flag if `True` when Red Hat Network credentials are defined, `False` otherwise. - - -#### Install upstream (Keycloak) from keycloak releases - -This is the default approach when RHN credentials are not defined. Keycloak is downloaded from keycloak builds (hosted on github.com) locally, and distributed to target nodes. - - -#### Install RHSSO from the Red Hat Customer Support Portal - -Define the credentials as follows, and the default behaviour is to download a fresh archive of RHSSO on the controller node, then distribute to target nodes. - -```yaml -rhn_username: '' -rhn_password: '' -# (keycloak_rhsso_enable defaults to True) -``` - - #### Install from controller node (local source) Making the keycloak zip archive (or the RHSSO zip archive), available to the playbook repository root directory, and setting `keycloak_offline_install` to `True`, allows to skip 
@@ -101,14 +79,12 @@ And depending on `keycloak_rhsso_enable`: For RHSSO: ```yaml -keycloak_rhsso_enable: True -keycloak_rhsso_download_url: "https://///rh-sso-x.y.z-server-dist.zip" +sso_download_url: "https://///rh-sso-x.y.z-server-dist.zip" ``` For keycloak: ```yaml -keycloak_rhsso_enable: False keycloak_download_url: "https://///keycloak-x.y.zip" ``` diff --git a/galaxy.yml b/galaxy.yml index 6a9e648..e3c6bfb 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -28,8 +28,15 @@ documentation: https://ansible-middleware.github.io/keycloak homepage: https://github.com/ansible-middleware/keycloak issues: https://github.com/ansible-middleware/keycloak/issues build_ignore: - - molecule + - .gitignore - .github + - .ansible-lint + - .yamllint - '*.tar.gz' - '*.zip' - - changelogs/fragments/.gitignore + - molecule + - changelogs + - docs/_gh_include + - docs/conf.py + - docs/roles.rst.template + - docs/requirements.yml diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 40923c9..1d78e2d 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -8,3 +8,13 @@ - sudo - java-1.8.0-openjdk state: present + +- name: Prepare + hosts: all + tasks: + - name: "Run preparation common to all scenario" + ansible.builtin.include_tasks: ../prepare.yml + vars: + assets: + - "{{ assets_server }}/sso/7.5.0/rh-sso-7.5.0-server-dist.zip" + - "{{ assets_server }}/sso/7.5.1/rh-sso-7.5.1-patch.zip" diff --git a/molecule/overridexml/prepare.yml b/molecule/overridexml/prepare.yml index 03433c0..3fc1104 100644 --- a/molecule/overridexml/prepare.yml +++ b/molecule/overridexml/prepare.yml 
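Review bot: The new play in `molecule/default/prepare.yml` passes an `assets` list that references `assets_server`, a fact that is only set by `set_fact` inside the included `../prepare.yml`; this works because `include_tasks` vars are templated lazily when the `loop` runs, but that ordering is easy to break and deserves a comment such as `# assets_server is set by the set_fact task in ../prepare.yml before the loop is evaluated`. The asset URLs also pin `7.5.0` and `7.5.1` as plain strings while the role resolves the patch level from `sso_rhn_ids[...].latest_cp.v` in `roles/keycloak/vars/main.yml`, so the two presumably have to be bumped together; a comment naming that coupling would prevent silent drift.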
@@ -2,11 +2,8 @@ - name: Prepare hosts: all tasks: - - name: Disable beta repos - ansible.builtin.command: yum config-manager --disable '*beta*' - ignore_errors: yes - - - name: Install sudo - ansible.builtin.yum: - name: sudo - state: present + - name: "Run preparation common to all scenario" + ansible.builtin.include_tasks: ../prepare.yml + vars: + assets: + - "{{ assets_server }}/sso/7.5.0/rh-sso-7.5.0-server-dist.zip" diff --git a/molecule/prepare.yml b/molecule/prepare.yml new file mode 100644 index 0000000..c457571 --- /dev/null +++ b/molecule/prepare.yml @@ -0,0 +1,28 @@ +--- +- name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + +- name: Install sudo + ansible.builtin.yum: + name: + - sudo + - iproute + state: present + +- name: "Retrieve assets server from env" + ansible.builtin.set_fact: + assets_server: "{{ lookup('env','MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}" + +- name: "Download and deploy jws zips from {{ assets_server }}" + ansible.builtin.get_url: + url: "{{ asset }}" + dest: "{{ lookup('env', 'PWD') }}" + validate_certs: no + delegate_to: localhost + loop: "{{ assets }}" + loop_control: + loop_var: asset + when: + - assets_server is defined + - assets_server | length > 0 diff --git a/playbooks/rhsso.yml b/playbooks/rhsso.yml index ba30a74..e34334f 100644 --- a/playbooks/rhsso.yml +++ b/playbooks/rhsso.yml @@ -3,7 +3,7 @@ hosts: keycloak vars: keycloak_admin_password: "remembertochangeme" - keycloak_rhsso_enable: True + sso_enable: True collections: - middleware_automation.redhat_csp_download - middleware_automation.keycloak diff --git a/roles/keycloak/README.md b/roles/keycloak/README.md index 71787b1..0f3d198 100644 --- a/roles/keycloak/README.md +++ b/roles/keycloak/README.md 
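Review bot: `validate_certs: no` on the "Download and deploy jws zips" task in the new `molecule/prepare.yml` disables TLS verification for the server and patch archives that the scenarios then install on every target node, and there is no `checksum:` on the `get_url` either, so a tampered or substituted download is installed without any check. Unless the assets server genuinely has an untrusted certificate, drop the line (verification is the default) and pin the digest where it is known: `checksum: "sha256:<expected digest>"`. `dest: "{{ lookup('env', 'PWD') }}"` also writes the archives into whatever directory molecule happens to be invoked from, and the task name says `jws` in a keycloak collection; `validate_certs` should in any case be `false`/`true` rather than `no`.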
@@ -74,16 +74,11 @@ Role Defaults | Variable | Description | Default | |:---------|:------------|:---------| -|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation | `False` | |`keycloak_offline_install` | perform an offline install | `False`| |`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download//`| -|`keycloak_rhsso_download_url`| Download URL for RHSSO | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=`| |`keycloak_version`| keycloak.org package version | `15.0.2` | -|`keycloak_rhsso_version`| RHSSO version | `7.5.0` | -|`keycloak_rhsso_apply_patches`| Install RHSSO more recent cumulative patch | `False` | |`keycloak_dest`| Installation root path | `/opt/keycloak` | |`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` | -|`keycloak_rhn_url` | Base download URI for customer portal | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=` | |`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` | 
@@ -94,9 +89,6 @@ Role Defaults |`keycloak_archive` | keycloak install archive filename | `keycloak-{{ keycloak_version }}.zip` | |`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` | |`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` | -|`keycloak_rhsso_archive` | Red Hat SSO install archive filename | `rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip` | -|`keycloak_rhsso_installdir`| Installation path for Red Hat SSO | `{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\.([0-9]*).*', '\1.\2') }}` | -|`keycloak_rhsso_download_url`| Full download URI for Red Hat SSO | `{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}` | |`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}` | |`keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` | |`keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` | @@ -106,7 +98,6 @@ Role Defaults |`keycloak_force_install` | Remove pre-existing versions of service | `False` | |`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` | |`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` | -|`rhsso_rhn_id` | Customer Portal product ID for Red Hat SSO | `{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}` | Role Variables 
@@ -126,13 +117,13 @@ The following variables are _required_ only when `keycloak_ha_enabled` is True: |:---------|:------------|:---------| |`keycloak_modcluster_url` | URL for the modcluster reverse proxy | `localhost` | |`keycloak_jdbc_engine` | backend database engine when db is enabled: [ postgres, mariadb ] | `postgres` | -|`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` | -|`infinispan_user` | username for connecting to infinispan | `supervisor` | -|`infinispan_pass` | password for connecting to infinispan | `supervisor` | -|`infinispan_sasl_mechanism`| Authentication type | `SCRAM-SHA-512` | -|`infinispan_use_ssl`| Enable hotrod TLS communication | `False` | -|`infinispan_trust_store_path`| Path to truststore with infinispan server certificate | `/etc/pki/java/cacerts` | -|`infinispan_trust_store_password`| Password for opening truststore | `changeit` | +|`keycloak_infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` | +|`keycloak_infinispan_user` | username for connecting to infinispan | `supervisor` | +|`keycloak_infinispan_pass` | password for connecting to infinispan | `supervisor` | +|`keycloak_infinispan_sasl_mechanism`| Authentication type | `SCRAM-SHA-512` | +|`keycloak_infinispan_use_ssl`| Enable hotrod TLS communication | `False` | +|`keycloak_infinispan_trust_store_path`| Path to truststore with infinispan server certificate | `/etc/pki/java/cacerts` | +|`keycloak_infinispan_trust_store_password`| Password for opening truststore | `changeit` | The following variables are _required_ only when `keycloak_db_enabled` is True: 
@@ -145,12 +136,9 @@ The following variables are _required_ only when `keycloak_db_enabled` is True: |`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` | -Example Playbooks +Example Playbook ----------------- -_NOTE_: use ansible vaults or other security systems for storing credentials. - - * The following is an example playbook that makes use of the role to install keycloak from remote: ```yaml @@ -164,27 +152,6 @@ _NOTE_: use ansible vaults or other security systems for storing credentials. - middleware_automation.keycloak.keycloak ``` -* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN: - -```yaml ---- -- name: Playbook for RHSSO - hosts: keycloak - collections: - - middleware_automation.redhat_csp_download - roles: - - redhat_csp_download - tasks: - - name: Keycloak Role - include_role: - name: keycloak - vars: - keycloak_admin_password: "remembertochangeme" - keycloak_rhsso_enable: True - rhn_username: '' - rhn_password: '' -``` - * The following example playbook makes use of the role to install keycloak from the controller node: 
@@ -203,45 +170,6 @@ _NOTE_: use ansible vaults or other security systems for storing credentials. # This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip ``` - -* This playbook installs Red Hat Single Sign-On from an alternate url: - -```yaml ---- -- hosts: keycloak - collections: - - middleware_automation.keycloak - tasks: - - name: Keycloak Role - include_role: - name: keycloak - vars: - keycloak_admin_password: "remembertochangeme" - keycloak_rhsso_enable: True - keycloak_rhsso_download_url: "" - # This should be the full of remote source rhsso zip file and can contain basic authentication credentials -``` - - -* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On offline from the controller node, and apply latest cumulative patch: - -```yaml ---- -- hosts: keycloak - collections: - - middleware_automation.keycloak - tasks: - - name: Keycloak Role - include_role: - name: keycloak - vars: - keycloak_admin_password: "remembertochangeme" - keycloak_rhsso_enable: True - keycloak_offline_install: True - keycloak_rhsso_apply_patches: True - # This should be the filename of rhsso zip file on Ansible node: rh-sso-7.5-server-dist.zip -``` - License ------- diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml index 7ef632a..291ff37 100644 --- a/roles/keycloak/defaults/main.yml +++ b/roles/keycloak/defaults/main.yml 
@@ -5,26 +5,13 @@ keycloak_archive: "keycloak-{{ keycloak_version }}.zip" keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}" keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}" keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}" - -### Configuration specific to Red Hat Single Sign-On -keycloak_rhsso_version: 7.5.0 -rhsso_rhn_id: "{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}" -keycloak_rhsso_archive: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip" -keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}" -keycloak_rhn_url: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=' -keycloak_rhsso_download_url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}" -keycloak_rhsso_apply_patches: False - -### keycloak/rhsso choice: by default install rhsso if rhn credentials are defined -keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}" -# whether to install from local archive; filename must be keycloak_archive or keycloak_rhsso_archive depending on keycloak_rhsso_enable keycloak_offline_install: False ### Install location and service settings keycloak_jvm_package: java-1.8.0-openjdk-headless keycloak_java_home: keycloak_dest: /opt/keycloak -keycloak_jboss_home: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}" +keycloak_jboss_home: "{{ keycloak_installdir }}" keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration" keycloak_config_standalone_xml: "keycloak.xml" keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}" 
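Review bot: Removing the RHSSO block also drops the only comment on `keycloak_offline_install` (`# whether to install from local archive; filename must be ...`), leaving that default undocumented in a file where every other group carries a `###` header; restore a version without the removed variables, e.g. `# whether to install from a local archive (filename must match keycloak_archive) instead of downloading`. The matching row for `keycloak_jboss_home` in `roles/keycloak/README.md` still documents the old `{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}` expression and should be updated to `{{ keycloak_installdir }}` as done here.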
@@ -32,6 +19,9 @@ keycloak_config_override_template: '' keycloak_service_user: keycloak keycloak_service_group: keycloak keycloak_service_pidfile: "/run/keycloak.pid" +keycloak_service_name: keycloak +keycloak_service_desc: Keycloak + keycloak_configure_firewalld: False ### administrator console password @@ -68,14 +58,14 @@ keycloak_modcluster_url: localhost keycloak_frontend_url: http://localhost:8080/auth ### infinispan remote caches access (hotrod) -infinispan_user: supervisor -infinispan_pass: supervisor -infinispan_url: localhost -infinispan_sasl_mechanism: SCRAM-SHA-512 -infinispan_use_ssl: False +keycloak_infinispan_user: supervisor +keycloak_infinispan_pass: supervisor +keycloak_infinispan_url: localhost +keycloak_infinispan_sasl_mechanism: SCRAM-SHA-512 +keycloak_infinispan_use_ssl: False # if ssl is enabled, import ispn server certificate here -infinispan_trust_store_path: /etc/pki/java/cacerts -infinispan_trust_store_password: changeit +keycloak_infinispan_trust_store_path: /etc/pki/java/cacerts +keycloak_infinispan_trust_store_password: changeit ### database backend engine: values [ 'postgres', 'mariadb' ] keycloak_jdbc_engine: postgres diff --git a/roles/keycloak/meta/argument_specs.yml b/roles/keycloak/meta/argument_specs.yml index 983d59d..f34b134 100644 --- a/roles/keycloak/meta/argument_specs.yml +++ b/roles/keycloak/meta/argument_specs.yml 
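Review bot: `keycloak_service_name` and `keycloak_service_desc` are added without the `###` group comment this file uses for every other stanza, and nothing says that `keycloak_service_desc` is also interpolated into task names and assert messages in `tasks/install.yml` and `tasks/prereqs.yml`. Add a header such as `### systemd unit name and description (also used in task and assert messages)`. The renamed `keycloak_infinispan_use_ssl: False` keeps the Python-style literal while the argument spec declares `default: false`; `false` would be consistent with the spec.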
@@ -31,46 +31,6 @@ argument_specs: default: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}" description: "Installation path" type: "str" - keycloak_rhsso_version: - # line 10 of keycloak/defaults/main.yml - default: "7.5.0" - description: "Red Hat Single Sign-On version" - type: "str" - rhsso_rhn_id: - # line 11 of keycloak/defaults/main.yml - default: "{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}" - description: "Customer Portal product ID for Red Hat SSO" - type: "str" - keycloak_rhsso_archive: - # line 12 of keycloak/defaults/main.yml - default: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip" - description: "ed Hat SSO install archive filename" - type: "str" - keycloak_rhsso_apply_patches: - # line 16 of keycloak/defaults/main.yml - default: false - description: "Install RHSSO more recent cumulative patch" - type: "bool" - keycloak_rhsso_installdir: - # line 13 of keycloak/defaults/main.yml - default: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}" - description: "Installation path for Red Hat SSO" - type: "str" - keycloak_rhn_url: - # line 14 of keycloak/defaults/main.yml - default: "https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=" - description: "Base download URI for customer portal" - type: "str" - keycloak_rhsso_download_url: - # line 15 of keycloak/defaults/main.yml - default: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}" - description: "Full download URI for Red Hat SSO" - type: "str" - keycloak_rhsso_enable: - # line 18 of keycloak/defaults/main.yml - default: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}" - description: "Enable Red Hat Single Sign-on installation" - type: "str" keycloak_offline_install: # line 20 of keycloak/defaults/main.yml default: false 
@@ -91,7 +51,7 @@ argument_specs: type: "str" keycloak_jboss_home: # line 25 of keycloak/defaults/main.yml - default: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}" + default: "{{ keycloak_installdir }}" description: "Installation work directory" type: "str" keycloak_config_dir: @@ -219,37 +179,37 @@ argument_specs: default: "http://localhost" description: "Frontend URL for keycloak endpoints when a reverse proxy is used" type: "str" - infinispan_user: + keycloak_infinispan_user: # line 62 of keycloak/defaults/main.yml default: "supervisor" description: "Username for connecting to infinispan" type: "str" - infinispan_pass: + keycloak_infinispan_pass: # line 63 of keycloak/defaults/main.yml default: "supervisor" description: "Password for connecting to infinispan" type: "str" - infinispan_url: + keycloak_infinispan_url: # line 64 of keycloak/defaults/main.yml default: "localhost" description: "URL for the infinispan remote-cache server" type: "str" - infinispan_sasl_mechanism: + keycloak_infinispan_sasl_mechanism: # line 65 of keycloak/defaults/main.yml default: "SCRAM-SHA-512" description: "Authentication type to infinispan server" type: "str" - infinispan_use_ssl: + keycloak_infinispan_use_ssl: # line 66 of keycloak/defaults/main.yml default: false description: "Enable hotrod client TLS communication" type: "bool" - infinispan_trust_store_path: + keycloak_infinispan_trust_store_path: # line 68 of keycloak/defaults/main.yml default: "/etc/pki/java/cacerts" description: "TODO document argument" type: "str" - infinispan_trust_store_password: + keycloak_infinispan_trust_store_password: # line 69 of keycloak/defaults/main.yml default: "changeit" description: "Path to truststore containing infinispan server certificate" 
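Review bot: The descriptions next to the two renamed truststore options are wrong: `keycloak_infinispan_trust_store_path` still reads `"TODO document argument"` while `keycloak_infinispan_trust_store_password` carries the path description `"Path to truststore containing infinispan server certificate"`. Since the rename touches these entries anyway, set `description: "Path to truststore containing infinispan server certificate"` on `keycloak_infinispan_trust_store_path` and `description: "Password for opening the truststore"` on `keycloak_infinispan_trust_store_password`, which also matches the wording in `roles/keycloak/README.md`.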
@@ -294,3 +254,65 @@ argument_specs: default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}" description: "URL for management console rest calls" type: "str" + keycloak_service_name: + default: "keycloak" + description: "systemd service name for keycloak" + type: "str" + keycloak_service_desc: + default: "Keycloak" + description: "systemd description for keycloak" + type: "str" + downstream: + options: + sso_version: + default: "7.5.0" + description: "Red Hat Single Sign-On version" + type: "str" + sso_rhn_id: + default: "{{ sso_rhn_ids[keycloak_version].id }}" + description: "Customer Portal product ID for Red Hat SSO" + type: "str" + sso_archive: + default: "rh-sso-{{ keycloak_version }}-server-dist.zip" + description: "Red Hat SSO install archive filename" + type: "str" + sso_dest: + default: "/opt/sso" + description: "Root installation directory" + type: "str" + sso_installdir: + default: "{{ keycloak_dest }}/rh-sso-{{ keycloak_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}" + description: "Installation path for Red Hat SSO" + type: "str" + sso_rhn_url: + default: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=' + description: "Base download URI for customer portal" + type: "str" + sso_download_url: + default: "{{ sso_rhn_url }}{{ sso_rhn_id }}" + description: "Full download URI for Red Hat SSO" + type: "str" + sso_apply_patches: + default: False + description: "Install Red Hat SSO most recent cumulative patch" + type: "bool" + sso_enable: + default: True + description: "Enable Red Hat Single Sign-on installation" + type: "str" + sso_offline_install: + default: True + description: "Perform an offline install" + type: "bool" + sso_service_name: + default: "sso" + description: "systemd service name for Single Sign-On" + type: "str" + sso_service_desc: + default: "Red Hat Single Sign-On" + description: "systemd description for Red Hat Single Sign-On" + type: "str" + sso_patch_bundle: + default: 
"rh-sso-{{ sso_rhn_ids[keycloak_version].latest_cp.v }}-patch.zip" + description: "Red Hat SSO patch archive filename" + type: "str" diff --git a/roles/keycloak/tasks/install.yml b/roles/keycloak/tasks/install.yml index 26c5466..5f85274 100644 --- a/roles/keycloak/tasks/install.yml +++ b/roles/keycloak/tasks/install.yml @@ -81,7 +81,7 @@ - archive_path is defined - archive_path.stat is defined - not archive_path.stat.exists - - not keycloak_rhsso_enable + - not sso_enable is defined or not sso_enable - not keycloak_offline_install - name: Perform download from RHN @@ -96,9 +96,9 @@ - archive_path is defined - archive_path.stat is defined - not archive_path.stat.exists - - keycloak_rhsso_enable + - sso_enable is defined and sso_enable - not keycloak_offline_install - - keycloak_rhn_url in keycloak_rhsso_download_url + - keycloak_rhn_url in keycloak_download_url - name: Download rhsso archive from alternate location ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user @@ -110,9 +110,9 @@ - archive_path is defined - archive_path.stat is defined - not archive_path.stat.exists - - keycloak_rhsso_enable + - sso_enable is defined and sso_enable - not keycloak_offline_install - - not keycloak_rhn_url in keycloak_rhsso_download_url + - not keycloak_rhn_url in keycloak_download_url - name: Check downloaded archive ansible.builtin.stat: @@ -141,7 +141,7 @@ register: path_to_workdir become: yes -- name: "Extract {{ 'Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Keycloak' }} archive on target" +- name: "Extract {{ keycloak_service_desc }} archive on target" ansible.builtin.unarchive: remote_src: yes src: "{{ archive }}" diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index ba5ec87..b89b401 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml 
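Review bot: The new `downstream` entry point declares `sso_version` and `sso_dest` but never uses them: `sso_rhn_id`, `sso_archive`, `sso_installdir` and `sso_patch_bundle` all key on `keycloak_version`, and `sso_installdir` is rooted at `keycloak_dest` rather than the `sso_dest` declared two entries above, so a caller setting only `sso_version` or `sso_dest` would silently get the keycloak values. `sso_enable` is declared `type: "str"` with `default: True` although every `when:` in `tasks/` treats it as a boolean; it should be `type: "bool"` with `default: true` (and `sso_apply_patches` / `sso_offline_install` likewise `default: false` / `true` in lowercase). The `downstream` block added to `roles/keycloak_realm/meta/argument_specs.yml` repeats the `sso_installdir`/`keycloak_dest` mismatch and the `str` type, and that role's visible spec does not appear to declare `keycloak_dest` or `keycloak_version` at all.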
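Review bot: The conditions `keycloak_rhn_url in keycloak_download_url` and `not keycloak_rhn_url in keycloak_download_url` on the two RHN download tasks still reference `keycloak_rhn_url`, which this commit removes from `roles/keycloak/defaults/main.yml` and replaces with `sso_rhn_url` in the new `downstream` spec; unless it is defined somewhere outside this diff, the `when:` will raise an undefined-variable error as soon as `sso_enable` is true instead of skipping. `roles/keycloak/tasks/rhsso_patch.yml` has the same stale reference in `url: "{{ keycloak_rhn_url }}{{ sso_rhn_ids[keycloak_version].latest_cp.id }}"`. The alternate-location task now tests `keycloak_download_url` while the README in this commit documents `sso_download_url` for that case, so one of the two should change. The repeated `sso_enable is defined and sso_enable` in install.yml, main.yml, prereqs.yml and rhsso_patch.yml would read better as `sso_enable | default(false) | bool`.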
@@ -24,7 +24,9 @@ - name: Include patch install tasks ansible.builtin.include_tasks: rhsso_patch.yml - when: keycloak_rhsso_apply_patches and keycloak_rhsso_enable + when: + - sso_apply_patches is defined and sso_apply_patches + - sso_enable is defined and sso_enable tags: - install - patch diff --git a/roles/keycloak/tasks/prereqs.yml b/roles/keycloak/tasks/prereqs.yml index 31735d5..c774c65 100644 --- a/roles/keycloak/tasks/prereqs.yml +++ b/roles/keycloak/tasks/prereqs.yml @@ -18,11 +18,11 @@ - name: Validate credentials ansible.builtin.assert: that: - - (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install - - (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install + - (rhn_username is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install + - (rhn_password is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install quiet: True fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined" - success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}" + success_msg: "Installing {{ keycloak_service_desc }}" - name: Validate persistence configuration ansible.builtin.assert: diff --git a/roles/keycloak/tasks/rhsso_patch.yml b/roles/keycloak/tasks/rhsso_patch.yml index f517e7a..67739a4 100644 --- a/roles/keycloak/tasks/rhsso_patch.yml +++ b/roles/keycloak/tasks/rhsso_patch.yml @@ -2,7 +2,7 @@ ## check remote patch archive - name: Set download patch archive path ansible.builtin.set_fact: - patch_archive: "{{ keycloak_dest }}/{{ keycloak.patch_bundle }}" + patch_archive: "{{ keycloak_dest }}/{{ sso_patch_bundle }}" - name: Check download patch archive path ansible.builtin.stat: 
@@ -11,8 +11,8 @@ - name: Perform download from RHN middleware_automation.redhat_csp_download.redhat_csp_download: - url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.id }}" - dest: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}" + url: "{{ keycloak_rhn_url }}{{ sso_rhn_ids[keycloak_version].latest_cp.id }}" + dest: "{{ local_path.stat.path }}/{{ sso_patch_bundle }}" username: "{{ rhn_username }}" password: "{{ rhn_password }}" no_log: "{{ omit_rhn_output | default(true) }}" @@ -21,13 +21,13 @@ - patch_archive_path is defined - patch_archive_path.stat is defined - not patch_archive_path.stat.exists - - keycloak_rhsso_enable + - sso_enable is defined and sso_enable - not keycloak_offline_install ## copy and unpack - name: Copy patch archive to target nodes ansible.builtin.copy: - src: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}" + src: "{{ local_path.stat.path }}/{{ sso_patch_bundle }}" dest: "{{ patch_archive }}" owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_group }}" @@ -48,9 +48,9 @@ when: - cli_result is defined - cli_result.stdout is defined - - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout + - sso_rhn_ids[keycloak_version].latest_cp.v not in cli_result.stdout block: - - name: "Apply patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} to server" + - name: "Apply patch {{ sso_rhn_ids[keycloak_version].latest_cp.v }} to server" ansible.builtin.include_tasks: rhsso_cli.yml vars: query: "patch apply {{ patch_archive }}" 
@@ -78,10 +78,10 @@ - name: "Verify installed patch version" ansible.builtin.assert: that: - - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout + - sso_rhn_ids[keycloak_version].latest_cp.v not in cli_result.stdout fail_msg: "Patch installation failed" success_msg: "Patch installation successful" - name: "Skipping patch" ansible.builtin.debug: - msg: "Latest cumulative patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} already installed, skipping patch installation." + msg: "Latest cumulative patch {{ sso_rhn_ids[keycloak_version].latest_cp.v }} already installed, skipping patch installation." diff --git a/roles/keycloak/vars/main.yml b/roles/keycloak/vars/main.yml index 5a6b059..77f35ff 100644 --- a/roles/keycloak/vars/main.yml +++ b/roles/keycloak/vars/main.yml @@ -1,6 +1,6 @@ --- # internal variables below -rhsso_rhn_ids: +sso_rhn_ids: '7.5.0': # noqa vars_in_vars_files_have_valid_names id: '101971' latest_cp: @@ -15,9 +15,8 @@ keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http keycloak: home: "{{ keycloak_jboss_home }}" config_dir: "{{ keycloak_config_dir }}" - bundle: "{{ keycloak_rhsso_archive if keycloak_rhsso_enable else keycloak_archive }}" - patch_bundle: "rh-sso-{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }}-patch.zip" - service_name: "{{ 'rhsso' if keycloak_rhsso_enable else 'keycloak' }}" + bundle: "{{ keycloak_archive }}" + service_name: "{{ keycloak_service_name }}" health_url: "{{ keycloak_management_url }}/health" cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh" config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 else 'standalone.xml.j2' }}" 
@@ -73,11 +72,11 @@ keycloak_modcluster: # infinispan keycloak_remotecache: enabled: "{{ keycloak_ha_enabled }}" - username: "{{ infinispan_user }}" - password: "{{ infinispan_pass }}" + username: "{{ keycloak_infinispan_user }}" + password: "{{ keycloak_infinispan_pass }}" realm: default - sasl_mechanism: "{{ infinispan_sasl_mechanism }}" - server_name: "{{ infinispan_url }}" - use_ssl: "{{ infinispan_use_ssl }}" - trust_store_path: "{{ infinispan_trust_store_path }}" - trust_store_password: "{{ infinispan_trust_store_password }}" \ No newline at end of file + sasl_mechanism: "{{ keycloak_infinispan_sasl_mechanism }}" + server_name: "{{ keycloak_infinispan_url }}" + use_ssl: "{{ keycloak_infinispan_use_ssl }}" + trust_store_path: "{{ keycloak_infinispan_trust_store_path }}" + trust_store_password: "{{ keycloak_infinispan_trust_store_password }}" \ No newline at end of file diff --git a/roles/keycloak_quarkus/tasks/prereqs.yml b/roles/keycloak_quarkus/tasks/prereqs.yml index ea2b8f4..c0201b3 100644 --- a/roles/keycloak_quarkus/tasks/prereqs.yml +++ b/roles/keycloak_quarkus/tasks/prereqs.yml 
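Review bot: The new side of `roles/keycloak/vars/main.yml` still ends without a trailing newline (`\ No newline at end of file` remains on the rewritten `trust_store_password` line); add the newline while the block is being touched. In the earlier hunk of the same file, `bundle: "{{ keycloak_archive }}"` now silently depends on a downstream caller overriding `keycloak_archive` for Red Hat SSO installs, where the old expression selected `keycloak_rhsso_archive`; a comment such as `# downstream SSO installs are expected to override keycloak_archive` would make that contract visible, and `sso_rhn_ids` being keyed by `'7.5.0'` while lookups use `keycloak_version` is worth the same note.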
@@ -15,15 +15,6 @@ fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled" success_msg: "{{ 'Configuring HA' if keycloak_quarkus_ha_enabled else 'Configuring standalone' }}" -# - name: Validate credentials -# ansible.builtin.assert: -# that: -# - (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install -# - (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install -# quiet: True -# fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined" -# success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}" - - name: Ensure required packages are installed ansible.builtin.include_tasks: fastpackages.yml vars: diff --git a/roles/keycloak_realm/README.md b/roles/keycloak_realm/README.md index 91e6b8f..1a5709c 100644 --- a/roles/keycloak_realm/README.md +++ b/roles/keycloak_realm/README.md @@ -15,7 +15,6 @@ Role Defaults |`keycloak_http_port`| HTTP port | `8080` | |`keycloak_https_port`| TLS HTTP port | `8443` | |`keycloak_auth_realm`| Name of the main authentication realm | `master` | -|`keycloak_rhsso_enable`| Define service is an upstream(Keycloak) or RHSSO | `master` | |`keycloak_management_http_port`| Management port | `9990` | |`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` | |`keycloak_client_public`| Configure a public realm client | `True` | diff --git a/roles/keycloak_realm/defaults/main.yml b/roles/keycloak_realm/defaults/main.yml index 4975380..e1caeec 100644 --- a/roles/keycloak_realm/defaults/main.yml +++ b/roles/keycloak_realm/defaults/main.yml 
@@ -4,7 +4,6 @@ keycloak_host: localhost keycloak_http_port: 8080 keycloak_https_port: 8443 keycloak_management_http_port: 9990 -keycloak_rhsso_enable: False ### Keycloak administration console user keycloak_admin_user: admin diff --git a/roles/keycloak_realm/meta/argument_specs.yml b/roles/keycloak_realm/meta/argument_specs.yml index 45b5998..8f8e26e 100644 --- a/roles/keycloak_realm/meta/argument_specs.yml +++ b/roles/keycloak_realm/meta/argument_specs.yml @@ -26,11 +26,6 @@ argument_specs: default: 9990 description: "Management port" type: "int" - keycloak_rhsso_enable: - # line 7 of keycloak_realm/defaults/main.yml - default: false - description: "Enable Red Hat Single Sign-on" - type: "bool" keycloak_admin_user: # line 10 of keycloak_realm/defaults/main.yml default: "admin" @@ -96,3 +91,25 @@ argument_specs: default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}" description: "URL for management console rest calls" type: "str" + downstream: + options: + sso_version: + default: "7.5.0" + description: "Red Hat Single Sign-On version" + type: "str" + sso_dest: + default: "/opt/sso" + description: "Root installation directory" + type: "str" + sso_installdir: + default: "{{ keycloak_dest }}/rh-sso-{{ keycloak_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}" + description: "Installation path for Red Hat SSO" + type: "str" + sso_apply_patches: + default: False + description: "Install Red Hat SSO most recent cumulative patch" + type: "bool" + sso_enable: + default: True + description: "Enable Red Hat Single Sign-on installation" + type: "str"