Merge pull request #42 from guidograzioli/downstream_rename

Rename variables from `infinispan_` prefix to `keycloak_infinispan_`

.ansible-lint

@@ -23,9 +23,13 @@ warn_list:
   - no-handler
   - fqcn-builtins
   - no-log-password
+  - jinja[spacing]
+  - jinja[invalid]
+  - meta-no-tags
 
 skip_list:
   - vars_should_not_be_used
+  - file_is_small_enough
 
 use_default_rules: true
 parseable: true

.github/workflows/ci.yml

@@ -1,11 +1,16 @@
 ---
 name: CI
-"on":
+on:
   push:
     branches:
       - main
   pull_request:
 
+env:
+  COLORTERM: 'yes'
+  TERM: 'xterm-256color'
+  PYTEST_ADDOPTS: '--color=yes'
+
 jobs:
   ci:
     runs-on: ubuntu-latest
@@ -29,16 +34,17 @@ jobs:
           pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
           pip install -r ansible_collections/middleware_automation/keycloak/requirements.txt
 
+      - name: Create default collection path
+        run: |
+          mkdir -p /home/runner/.ansible/
+          ln -s /home/runner/work/keycloak/keycloak /home/runner/.ansible/collections
+
       - name: Install ansible-lint custom rules
         uses: actions/checkout@v2
         with:
           repository: ansible-middleware/ansible-lint-custom-rules
           path: ansible_collections/ansible-lint-custom-rules/
 
-      - name: Create default collection path
-        run: |
-          mkdir -p /home/runner/.ansible/collections/ansible_collections
-
       - name: Run sanity tests
         run: ansible-test sanity --docker -v --color --python ${{ matrix.python_version }} --exclude changelogs/fragments/.gitignore
         working-directory: ./ansible_collections/middleware_automation/keycloak

.github/workflows/docs.yml

@@ -45,7 +45,8 @@ jobs:
 
       - name: Create default collection path
         run: |
-          mkdir -p /home/runner/.ansible/collections/ansible_collections
+          mkdir -p /home/runner/.ansible/
+          ln -s /home/runner/work/keycloak/keycloak /home/runner/.ansible/collections
 
       - name: Create changelog and documentation
         uses: ansible-middleware/collection-docs-action@main

README.md

@@ -59,28 +59,6 @@ Both playbooks include the `keycloak` role, with different settings, as describe
 For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md).
 
 
-### Choosing between upstream project (Keycloak) and Red Hat Single Sign-On (RHSSO)
-
-The general flag `keycloak_rhsso_enable` controls what to install between upstream (Keycloak, when `False`) or Red Hat Single Sign-On (when `True`).
-The default value for the flag if `True` when Red Hat Network credentials are defined, `False` otherwise.
-
-
-#### Install upstream (Keycloak) from keycloak releases
-
-This is the default approach when RHN credentials are not defined. Keycloak is downloaded from keycloak builds (hosted on github.com) locally, and distributed to target nodes.
-
-
-#### Install RHSSO from the Red Hat Customer Support Portal
-
-Define the credentials as follows, and the default behaviour is to download a fresh archive of RHSSO on the controller node, then distribute to target nodes.
-
-```yaml
-rhn_username: '<customer_portal_username>'
-rhn_password: '<customer_portal_password>'
-# (keycloak_rhsso_enable defaults to True)
-```
-
-
 #### Install from controller node (local source)
 
 Making the keycloak zip archive (or the RHSSO zip archive), available to the playbook repository root directory, and setting `keycloak_offline_install` to `True`, allows to skip
@@ -101,14 +79,12 @@ And depending on `keycloak_rhsso_enable`:
 For RHSSO:
 
 ```yaml
-keycloak_rhsso_enable: True
+sso_download_url: "https://<internal-nexus.private.net>/<path>/<to>/rh-sso-x.y.z-server-dist.zip"
-keycloak_rhsso_download_url: "https://<internal-nexus.private.net>/<path>/<to>/rh-sso-x.y.z-server-dist.zip"
 ```
 
 For keycloak:
 
 ```yaml
-keycloak_rhsso_enable: False
 keycloak_download_url: "https://<internal-nexus.private.net>/<path>/<to>/keycloak-x.y.zip"
 ```
 

galaxy.yml

@@ -28,8 +28,15 @@ documentation: https://ansible-middleware.github.io/keycloak
 homepage: https://github.com/ansible-middleware/keycloak
 issues: https://github.com/ansible-middleware/keycloak/issues
 build_ignore:
-  - molecule
+  - .gitignore
   - .github
+  - .ansible-lint
+  - .yamllint
   - '*.tar.gz'
   - '*.zip'
-  - changelogs/fragments/.gitignore
+  - molecule
+  - changelogs
+  - docs/_gh_include
+  - docs/conf.py
+  - docs/roles.rst.template
+  - docs/requirements.yml

molecule/default/prepare.yml

@@ -8,3 +8,13 @@
           - sudo
           - java-1.8.0-openjdk
         state: present
+
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: "Run preparation common to all scenario"
+      ansible.builtin.include_tasks: ../prepare.yml
+      vars:
+        assets:
+          - "{{ assets_server }}/sso/7.5.0/rh-sso-7.5.0-server-dist.zip"
+          - "{{ assets_server }}/sso/7.5.1/rh-sso-7.5.1-patch.zip"

molecule/overridexml/prepare.yml

@@ -2,11 +2,8 @@
 - name: Prepare
   hosts: all
   tasks:
-    - name: Disable beta repos
+    - name: "Run preparation common to all scenario"
-      ansible.builtin.command: yum config-manager --disable '*beta*'
+      ansible.builtin.include_tasks: ../prepare.yml
-      ignore_errors: yes
+      vars:
-
+        assets:
-    - name: Install sudo
+          - "{{ assets_server }}/sso/7.5.0/rh-sso-7.5.0-server-dist.zip"
-      ansible.builtin.yum:
-        name: sudo
-        state: present

molecule/prepare.yml

@@ -0,0 +1,28 @@
+---
+- name: Display Ansible version
+  ansible.builtin.debug:
+    msg: "Ansible version is  {{ ansible_version.full }}"
+
+- name: Install sudo
+  ansible.builtin.yum:
+    name: 
+      - sudo
+      - iproute
+    state: present
+
+- name: "Retrieve assets server from env"
+  ansible.builtin.set_fact:
+    assets_server: "{{ lookup('env','MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
+
+- name: "Download and deploy jws zips from {{ assets_server }}"
+  ansible.builtin.get_url:
+    url: "{{ asset }}"
+    dest: "{{ lookup('env', 'PWD') }}"
+    validate_certs: no
+  delegate_to: localhost
+  loop: "{{ assets }}"
+  loop_control:
+    loop_var: asset
+  when:
+    - assets_server is defined
+    - assets_server | length > 0

playbooks/rhsso.yml

@@ -3,7 +3,7 @@
   hosts: keycloak
   vars:
     keycloak_admin_password: "remembertochangeme"
-    keycloak_rhsso_enable: True
+    sso_enable: True
   collections:
     - middleware_automation.redhat_csp_download
     - middleware_automation.keycloak

roles/keycloak/README.md

@@ -74,16 +74,11 @@ Role Defaults
 
 | Variable | Description | Default |
 |:---------|:------------|:---------|
-|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation | `False` |
 |`keycloak_offline_install` | perform an offline install | `False`|
 |`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`| 
-|`keycloak_rhsso_download_url`| Download URL for RHSSO | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=<productID>`|
 |`keycloak_version`| keycloak.org package version | `15.0.2` |
-|`keycloak_rhsso_version`| RHSSO version | `7.5.0` |
-|`keycloak_rhsso_apply_patches`| Install RHSSO more recent cumulative patch | `False` |
 |`keycloak_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
-|`keycloak_rhn_url` | Base download URI for customer portal | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=` |
 |`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
 
 
@@ -94,9 +89,6 @@ Role Defaults
 |`keycloak_archive` | keycloak install archive filename | `keycloak-{{ keycloak_version }}.zip` |
 |`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` |
 |`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` |
-|`keycloak_rhsso_archive` | Red Hat SSO install archive filename | `rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip` |
-|`keycloak_rhsso_installdir`| Installation path for Red Hat SSO | `{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\.([0-9]*).*', '\1.\2') }}` |
-|`keycloak_rhsso_download_url`| Full download URI for Red Hat SSO | `{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}` |
 |`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}` |
 |`keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` |
 |`keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` |
@@ -106,7 +98,6 @@ Role Defaults
 |`keycloak_force_install` | Remove pre-existing versions of service | `False` |
 |`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
 |`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
-|`rhsso_rhn_id` | Customer Portal product ID for Red Hat SSO | `{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}` |
 
 
 Role Variables
@@ -126,13 +117,13 @@ The following variables are _required_ only when `keycloak_ha_enabled` is True:
 |:---------|:------------|:---------|
 |`keycloak_modcluster_url` | URL for the modcluster reverse proxy | `localhost` |
 |`keycloak_jdbc_engine` | backend database engine when db is enabled: [ postgres, mariadb ] | `postgres` |
-|`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
+|`keycloak_infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
-|`infinispan_user` | username for connecting to infinispan | `supervisor` |
+|`keycloak_infinispan_user` | username for connecting to infinispan | `supervisor` |
-|`infinispan_pass` | password for connecting to infinispan | `supervisor` |
+|`keycloak_infinispan_pass` | password for connecting to infinispan | `supervisor` |
-|`infinispan_sasl_mechanism`| Authentication type | `SCRAM-SHA-512` |
+|`keycloak_infinispan_sasl_mechanism`| Authentication type | `SCRAM-SHA-512` |
-|`infinispan_use_ssl`| Enable hotrod TLS communication | `False` |
+|`keycloak_infinispan_use_ssl`| Enable hotrod TLS communication | `False` |
-|`infinispan_trust_store_path`| Path to truststore with infinispan server certificate | `/etc/pki/java/cacerts` |
+|`keycloak_infinispan_trust_store_path`| Path to truststore with infinispan server certificate | `/etc/pki/java/cacerts` |
-|`infinispan_trust_store_password`| Password for opening truststore | `changeit` |
+|`keycloak_infinispan_trust_store_password`| Password for opening truststore | `changeit` |
 
 
 The following variables are _required_ only when `keycloak_db_enabled` is True:
@@ -145,12 +136,9 @@ The following variables are _required_ only when `keycloak_db_enabled` is True:
 |`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` |
 
 
-Example Playbooks
+Example Playbook
 -----------------
 
-_NOTE_: use ansible vaults or other security systems for storing credentials.
-
-
 * The following is an example playbook that makes use of the role to install keycloak from remote:
 
 ```yaml
@@ -164,27 +152,6 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
         - middleware_automation.keycloak.keycloak
 ```
 
-* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN:
-
-```yaml
----
-- name: Playbook for RHSSO
-  hosts: keycloak
-  collections:
-    - middleware_automation.redhat_csp_download
-  roles:
-    - redhat_csp_download
-  tasks:
-    - name: Keycloak Role
-      include_role:
-        name: keycloak
-      vars:
-        keycloak_admin_password: "remembertochangeme"
-        keycloak_rhsso_enable: True
-        rhn_username: '<customer portal username>'
-        rhn_password: '<customer portal password>'
-```
-
 
 * The following example playbook makes use of the role to install keycloak from the controller node:
 
@@ -203,45 +170,6 @@ _NOTE_: use ansible vaults or other security systems for storing credentials.
             # This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip
 ```
 
-
-* This playbook installs Red Hat Single Sign-On from an alternate url:
-
-```yaml
----
-- hosts: keycloak
-  collections:
-    - middleware_automation.keycloak
-  tasks:
-    - name: Keycloak Role
-      include_role:
-        name: keycloak
-      vars:
-        keycloak_admin_password: "remembertochangeme"
-        keycloak_rhsso_enable: True
-        keycloak_rhsso_download_url: "<REPLACE with download url>"
-        # This should be the full of remote source rhsso zip file and can contain basic authentication credentials
-```
-
-
-* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On offline from the controller node, and apply latest cumulative patch:
-
-```yaml
----
-- hosts: keycloak
-  collections:
-    - middleware_automation.keycloak
-  tasks:
-    - name: Keycloak Role
-      include_role:
-        name: keycloak
-      vars:
-        keycloak_admin_password: "remembertochangeme"
-        keycloak_rhsso_enable: True
-        keycloak_offline_install: True
-        keycloak_rhsso_apply_patches: True
-        # This should be the filename of rhsso zip file on Ansible node: rh-sso-7.5-server-dist.zip
-```
-
 License
 -------
 

roles/keycloak/defaults/main.yml

@@ -5,26 +5,13 @@ keycloak_archive: "keycloak-{{ keycloak_version }}.zip"
 keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"  
 keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
 keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
-
-### Configuration specific to Red Hat Single Sign-On
-keycloak_rhsso_version: 7.5.0
-rhsso_rhn_id: "{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}"
-keycloak_rhsso_archive: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
-keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
-keycloak_rhn_url: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId='
-keycloak_rhsso_download_url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}"
-keycloak_rhsso_apply_patches: False
-
-### keycloak/rhsso choice: by default install rhsso if rhn credentials are defined
-keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}"
-# whether to install from local archive; filename must be keycloak_archive or keycloak_rhsso_archive depending on keycloak_rhsso_enable
 keycloak_offline_install: False
 
 ### Install location and service settings
 keycloak_jvm_package: java-1.8.0-openjdk-headless
 keycloak_java_home:
 keycloak_dest: /opt/keycloak
-keycloak_jboss_home: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
+keycloak_jboss_home: "{{ keycloak_installdir }}"
 keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
 keycloak_config_standalone_xml: "keycloak.xml"
 keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
@@ -32,6 +19,9 @@ keycloak_config_override_template: ''
 keycloak_service_user: keycloak
 keycloak_service_group: keycloak
 keycloak_service_pidfile: "/run/keycloak.pid"
+keycloak_service_name: keycloak
+keycloak_service_desc: Keycloak
+
 keycloak_configure_firewalld: False
 
 ### administrator console password
@@ -68,14 +58,14 @@ keycloak_modcluster_url: localhost
 keycloak_frontend_url: http://localhost:8080/auth
 
 ### infinispan remote caches access (hotrod)
-infinispan_user: supervisor
+keycloak_infinispan_user: supervisor
-infinispan_pass: supervisor
+keycloak_infinispan_pass: supervisor
-infinispan_url: localhost
+keycloak_infinispan_url: localhost
-infinispan_sasl_mechanism: SCRAM-SHA-512
+keycloak_infinispan_sasl_mechanism: SCRAM-SHA-512
-infinispan_use_ssl: False
+keycloak_infinispan_use_ssl: False
 # if ssl is enabled, import ispn server certificate here
-infinispan_trust_store_path: /etc/pki/java/cacerts
+keycloak_infinispan_trust_store_path: /etc/pki/java/cacerts
-infinispan_trust_store_password: changeit
+keycloak_infinispan_trust_store_password: changeit
 
 ### database backend engine: values [ 'postgres', 'mariadb' ]
 keycloak_jdbc_engine: postgres

roles/keycloak/meta/argument_specs.yml

@@ -31,46 +31,6 @@ argument_specs:
                 default: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
                 description: "Installation path"
                 type: "str"
-            keycloak_rhsso_version:
-                # line 10 of keycloak/defaults/main.yml
-                default: "7.5.0"
-                description: "Red Hat Single Sign-On version"
-                type: "str"
-            rhsso_rhn_id:
-                # line 11 of keycloak/defaults/main.yml
-                default: "{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}"
-                description: "Customer Portal product ID for Red Hat SSO"
-                type: "str"
-            keycloak_rhsso_archive:
-                # line 12 of keycloak/defaults/main.yml
-                default: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
-                description: "ed Hat SSO install archive filename"
-                type: "str"
-            keycloak_rhsso_apply_patches:
-                # line 16 of keycloak/defaults/main.yml
-                default: false
-                description: "Install RHSSO more recent cumulative patch"
-                type: "bool"
-            keycloak_rhsso_installdir:
-                # line 13 of keycloak/defaults/main.yml
-                default: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
-                description: "Installation path for Red Hat SSO"
-                type: "str"
-            keycloak_rhn_url:
-                # line 14 of keycloak/defaults/main.yml
-                default: "https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId="
-                description: "Base download URI for customer portal"
-                type: "str"
-            keycloak_rhsso_download_url:
-                # line 15 of keycloak/defaults/main.yml
-                default: "{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}"
-                description: "Full download URI for Red Hat SSO"
-                type: "str"
-            keycloak_rhsso_enable:
-                # line 18 of keycloak/defaults/main.yml
-                default: "{{ True if rhsso_rhn_id is defined and rhn_username is defined and rhn_password is defined else False }}"
-                description: "Enable Red Hat Single Sign-on installation"
-                type: "str"
             keycloak_offline_install:
                 # line 20 of keycloak/defaults/main.yml
                 default: false
@@ -91,7 +51,7 @@ argument_specs:
                 type: "str"
             keycloak_jboss_home:
                 # line 25 of keycloak/defaults/main.yml
-                default: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
+                default: "{{ keycloak_installdir }}"
                 description: "Installation work directory"
                 type: "str"
             keycloak_config_dir:
@@ -219,37 +179,37 @@ argument_specs:
                 default: "http://localhost"
                 description: "Frontend URL for keycloak endpoints when a reverse proxy is used"
                 type: "str"
-            infinispan_user:
+            keycloak_infinispan_user:
                 # line 62 of keycloak/defaults/main.yml
                 default: "supervisor"
                 description: "Username for connecting to infinispan"
                 type: "str"
-            infinispan_pass:
+            keycloak_infinispan_pass:
                 # line 63 of keycloak/defaults/main.yml
                 default: "supervisor"
                 description: "Password for connecting to infinispan"
                 type: "str"
-            infinispan_url:
+            keycloak_infinispan_url:
                 # line 64 of keycloak/defaults/main.yml
                 default: "localhost"
                 description: "URL for the infinispan remote-cache server"
                 type: "str"
-            infinispan_sasl_mechanism:
+            keycloak_infinispan_sasl_mechanism:
                 # line 65 of keycloak/defaults/main.yml
                 default: "SCRAM-SHA-512"
                 description: "Authentication type to infinispan server"
                 type: "str"
-            infinispan_use_ssl:
+            keycloak_infinispan_use_ssl:
                 # line 66 of keycloak/defaults/main.yml
                 default: false
                 description: "Enable hotrod client TLS communication"
                 type: "bool"
-            infinispan_trust_store_path:
+            keycloak_infinispan_trust_store_path:
                 # line 68 of keycloak/defaults/main.yml
                 default: "/etc/pki/java/cacerts"
                 description: "TODO document argument"
                 type: "str"
-            infinispan_trust_store_password:
+            keycloak_infinispan_trust_store_password:
                 # line 69 of keycloak/defaults/main.yml
                 default: "changeit"
                 description: "Path to truststore containing infinispan server certificate"
@@ -294,3 +254,65 @@ argument_specs:
                 default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
                 description: "URL for management console rest calls"
                 type: "str"
+            keycloak_service_name:
+                default: "keycloak"
+                description: "systemd service name for keycloak"
+                type: "str"
+            keycloak_service_desc:
+                default: "Keycloak"
+                description: "systemd description for keycloak"
+                type: "str"
+    downstream:
+        options:
+            sso_version:
+                default: "7.5.0"
+                description: "Red Hat Single Sign-On version"
+                type: "str"
+            sso_rhn_id:
+                default: "{{ sso_rhn_ids[keycloak_version].id }}"
+                description: "Customer Portal product ID for Red Hat SSO"
+                type: "str"                
+            sso_archive:
+                default: "rh-sso-{{ keycloak_version }}-server-dist.zip"
+                description: "Red Hat SSO install archive filename"
+                type: "str"                
+            sso_dest:
+                default: "/opt/sso"
+                description: "Root installation directory"
+                type: "str"
+            sso_installdir:
+                default: "{{ keycloak_dest }}/rh-sso-{{ keycloak_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
+                description: "Installation path for Red Hat SSO"
+                type: "str"
+            sso_rhn_url:
+                default: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId='
+                description: "Base download URI for customer portal"
+                type: "str"
+            sso_download_url:
+                default: "{{ sso_rhn_url }}{{ sso_rhn_id }}"
+                description: "Full download URI for Red Hat SSO"
+                type: "str"
+            sso_apply_patches:
+                default: False
+                description: "Install Red Hat SSO most recent cumulative patch"
+                type: "bool"
+            sso_enable:
+                default: True
+                description: "Enable Red Hat Single Sign-on installation"
+                type: "str"
+            sso_offline_install:
+                default: True
+                description: "Perform an offline install"
+                type: "bool"
+            sso_service_name:
+                default: "sso"
+                description: "systemd service name for Single Sign-On"
+                type: "str"
+            sso_service_desc:
+                default: "Red Hat Single Sign-On"
+                description: "systemd description for Red Hat Single Sign-On"
+                type: "str"
+            sso_patch_bundle:
+                default: "rh-sso-{{ sso_rhn_ids[keycloak_version].latest_cp.v }}-patch.zip"
+                description: "Red Hat SSO patch archive filename"
+                type: "str"

roles/keycloak/tasks/install.yml

@@ -81,7 +81,7 @@
     - archive_path is defined
     - archive_path.stat is defined
     - not archive_path.stat.exists
-    - not keycloak_rhsso_enable
+    - not sso_enable is defined or not sso_enable
     - not keycloak_offline_install
 
 - name: Perform download from RHN
@@ -96,9 +96,9 @@
     - archive_path is defined
     - archive_path.stat is defined
     - not archive_path.stat.exists
-    - keycloak_rhsso_enable
+    - sso_enable is defined and sso_enable
     - not keycloak_offline_install
-    - keycloak_rhn_url in keycloak_rhsso_download_url
+    - keycloak_rhn_url in keycloak_download_url
 
 - name: Download rhsso archive from alternate location
   ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
@@ -110,9 +110,9 @@
     - archive_path is defined
     - archive_path.stat is defined
     - not archive_path.stat.exists
-    - keycloak_rhsso_enable
+    - sso_enable is defined and sso_enable
     - not keycloak_offline_install
-    - not keycloak_rhn_url in keycloak_rhsso_download_url
+    - not keycloak_rhn_url in keycloak_download_url
 
 - name: Check downloaded archive
   ansible.builtin.stat:
@@ -141,7 +141,7 @@
   register: path_to_workdir
   become: yes
 
-- name: "Extract {{ 'Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Keycloak' }} archive on target"
+- name: "Extract {{ keycloak_service_desc }} archive on target"
   ansible.builtin.unarchive:
     remote_src: yes
     src: "{{ archive }}"

roles/keycloak/tasks/main.yml

@@ -24,7 +24,9 @@
 
 - name: Include patch install tasks
   ansible.builtin.include_tasks: rhsso_patch.yml
-  when: keycloak_rhsso_apply_patches and keycloak_rhsso_enable
+  when:
+    - sso_apply_patches is defined and sso_apply_patches
+    - sso_enable is defined and sso_enable
   tags:
     - install
     - patch

roles/keycloak/tasks/prereqs.yml

@@ -18,11 +18,11 @@
 - name: Validate credentials
   ansible.builtin.assert:
     that:
-      - (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
+      - (rhn_username is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install
-      - (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
+      - (rhn_password is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install
     quiet: True
     fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
-    success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
+    success_msg: "Installing {{ keycloak_service_desc }}"
 
 - name: Validate persistence configuration
   ansible.builtin.assert:

roles/keycloak/tasks/rhsso_patch.yml

@@ -2,7 +2,7 @@
 ## check remote patch archive
 - name: Set download patch archive path
   ansible.builtin.set_fact:
-    patch_archive: "{{ keycloak_dest }}/{{ keycloak.patch_bundle }}"
+    patch_archive: "{{ keycloak_dest }}/{{ sso_patch_bundle }}"
 
 - name: Check download patch archive path
   ansible.builtin.stat:
@@ -11,8 +11,8 @@
 
 - name: Perform download from RHN
   middleware_automation.redhat_csp_download.redhat_csp_download:
-    url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.id }}"
+    url: "{{ keycloak_rhn_url }}{{ sso_rhn_ids[keycloak_version].latest_cp.id }}"
-    dest: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
+    dest: "{{ local_path.stat.path }}/{{ sso_patch_bundle }}"
     username: "{{ rhn_username }}"
     password: "{{ rhn_password }}"
   no_log: "{{ omit_rhn_output | default(true) }}"
@@ -21,13 +21,13 @@
     - patch_archive_path is defined
     - patch_archive_path.stat is defined
     - not patch_archive_path.stat.exists
-    - keycloak_rhsso_enable
+    - sso_enable is defined and sso_enable
     - not keycloak_offline_install
 
 ## copy and unpack
 - name: Copy patch archive to target nodes
   ansible.builtin.copy:
-    src: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}"
+    src: "{{ local_path.stat.path }}/{{ sso_patch_bundle }}"
     dest: "{{ patch_archive }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
@@ -48,9 +48,9 @@
   when: 
     - cli_result is defined
     - cli_result.stdout is defined
-    - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
+    - sso_rhn_ids[keycloak_version].latest_cp.v not in cli_result.stdout
   block:
-    - name: "Apply patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} to server"
+    - name: "Apply patch {{ sso_rhn_ids[keycloak_version].latest_cp.v }} to server"
       ansible.builtin.include_tasks: rhsso_cli.yml
       vars:
         query: "patch apply {{ patch_archive }}"
@@ -78,10 +78,10 @@
     - name: "Verify installed patch version"
       ansible.builtin.assert:
         that:
-          - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout
+          - sso_rhn_ids[keycloak_version].latest_cp.v not in cli_result.stdout
         fail_msg: "Patch installation failed"
         success_msg: "Patch installation successful"
 
 - name: "Skipping patch"
   ansible.builtin.debug:
-    msg: "Latest cumulative patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} already installed, skipping patch installation."
+    msg: "Latest cumulative patch {{ sso_rhn_ids[keycloak_version].latest_cp.v }} already installed, skipping patch installation."

roles/keycloak/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 # internal variables below
-rhsso_rhn_ids:
+sso_rhn_ids:
   '7.5.0': # noqa vars_in_vars_files_have_valid_names
     id: '101971'
     latest_cp:
@@ -15,9 +15,8 @@ keycloak_management_url: "http://{{ keycloak_host }}:{{ keycloak_management_http
 keycloak:
   home: "{{ keycloak_jboss_home }}"
   config_dir: "{{ keycloak_config_dir }}"
-  bundle: "{{ keycloak_rhsso_archive if keycloak_rhsso_enable else keycloak_archive }}"
+  bundle: "{{ keycloak_archive }}"
-  patch_bundle: "rh-sso-{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }}-patch.zip"
+  service_name: "{{ keycloak_service_name }}"
-  service_name: "{{ 'rhsso' if keycloak_rhsso_enable else 'keycloak' }}"
   health_url: "{{ keycloak_management_url }}/health"
   cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh"
   config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 else 'standalone.xml.j2' }}"
@@ -73,11 +72,11 @@ keycloak_modcluster:
 # infinispan
 keycloak_remotecache:
   enabled: "{{ keycloak_ha_enabled }}"
-  username: "{{ infinispan_user }}"
+  username: "{{ keycloak_infinispan_user }}"
-  password: "{{ infinispan_pass }}"
+  password: "{{ keycloak_infinispan_pass }}"
   realm: default
-  sasl_mechanism: "{{ infinispan_sasl_mechanism }}"
+  sasl_mechanism: "{{ keycloak_infinispan_sasl_mechanism }}"
-  server_name: "{{ infinispan_url }}"
+  server_name: "{{ keycloak_infinispan_url }}"
-  use_ssl: "{{ infinispan_use_ssl }}"
+  use_ssl: "{{ keycloak_infinispan_use_ssl }}"
-  trust_store_path: "{{ infinispan_trust_store_path }}"
+  trust_store_path: "{{ keycloak_infinispan_trust_store_path }}"
-  trust_store_password: "{{ infinispan_trust_store_password }}"
+  trust_store_password: "{{ keycloak_infinispan_trust_store_password }}"

roles/keycloak_quarkus/tasks/prereqs.yml

@@ -15,15 +15,6 @@
     fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled"
     success_msg: "{{ 'Configuring HA' if keycloak_quarkus_ha_enabled else 'Configuring standalone' }}"
 
-# - name: Validate credentials
-#   ansible.builtin.assert:
-#     that:
-#       - (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
-#       - (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
-#     quiet: True
-#     fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined"
-#     success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
-
 - name: Ensure required packages are installed
   ansible.builtin.include_tasks: fastpackages.yml
   vars:

roles/keycloak_realm/README.md

@@ -15,7 +15,6 @@ Role Defaults
 |`keycloak_http_port`| HTTP port | `8080` |
 |`keycloak_https_port`| TLS HTTP port | `8443` |
 |`keycloak_auth_realm`| Name of the main authentication realm | `master` |
-|`keycloak_rhsso_enable`| Define service is an upstream(Keycloak) or RHSSO | `master` |
 |`keycloak_management_http_port`| Management port | `9990` |
 |`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` |
 |`keycloak_client_public`| Configure a public realm client | `True` |

roles/keycloak_realm/defaults/main.yml

@@ -4,7 +4,6 @@ keycloak_host: localhost
 keycloak_http_port: 8080
 keycloak_https_port: 8443
 keycloak_management_http_port: 9990
-keycloak_rhsso_enable: False
 
 ### Keycloak administration console user
 keycloak_admin_user: admin

roles/keycloak_realm/meta/argument_specs.yml

@@ -26,11 +26,6 @@ argument_specs:
                 default: 9990
                 description: "Management port"
                 type: "int"
-            keycloak_rhsso_enable:
-                # line 7 of keycloak_realm/defaults/main.yml
-                default: false
-                description: "Enable Red Hat Single Sign-on"
-                type: "bool"
             keycloak_admin_user:
                 # line 10 of keycloak_realm/defaults/main.yml
                 default: "admin"
@@ -96,3 +91,25 @@ argument_specs:
                 default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}"
                 description: "URL for management console rest calls"
                 type: "str"
+    downstream:
+        options:
+            sso_version:
+                default: "7.5.0"
+                description: "Red Hat Single Sign-On version"
+                type: "str"
+            sso_dest:
+                default: "/opt/sso"
+                description: "Root installation directory"
+                type: "str"
+            sso_installdir:
+                default: "{{ keycloak_dest }}/rh-sso-{{ keycloak_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
+                description: "Installation path for Red Hat SSO"
+                type: "str"
+            sso_apply_patches:
+                default: False
+                description: "Install Red Hat SSO most recent cumulative patch"
+                type: "bool"
+            sso_enable:
+                default: True
+                description: "Enable Red Hat Single Sign-on installation"
+                type: "str"