Merge branch 'ansible-middleware:main' into stable

Pavan Kumar Motaparthi 2022-01-18 17:03:54 -06:00 committed by GitHub
commit a309f7caae
16 changed files with 610 additions and 576 deletions


@ -28,10 +28,9 @@ jobs:
python -m pip install --upgrade pip python -m pip install --upgrade pip
pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
- name: Create default collection path symlink - name: Create default collection path
run: | run: |
mkdir -p /home/runner/.ansible mkdir -p /home/runner/.ansible/collections/ansible_collections
ln -s /home/runner/work/middleware_automation/keycloak /home/runner/.ansible/collections
- name: Run sanity tests - name: Run sanity tests
run: ansible-test sanity --docker -v --color --python ${{ matrix.python_version }} run: ansible-test sanity --docker -v --color --python ${{ matrix.python_version }}
@ -40,6 +39,7 @@ jobs:
- name: Run molecule test - name: Run molecule test
run: molecule test --all run: molecule test --all
working-directory: ./ansible_collections/middleware_automation/keycloak working-directory: ./ansible_collections/middleware_automation/keycloak
env: env:
PY_COLORS: '1' PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1' ANSIBLE_FORCE_COLOR: '1'
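Review bot: The new `Create default collection path` step hard-codes the runner home as `/home/runner/.ansible/collections/ansible_collections`, which only holds on GitHub-hosted Linux runners; `mkdir -p "$HOME/.ansible/collections/ansible_collections"` keeps the step portable to self-hosted runners. With the `ln -s` line gone, the checkout must already place the repository under that `ansible_collections` tree for the `ansible-test sanity` step on the next line to find it — the checkout step is outside the hunk, so I could not confirm that. The enclosing `jobs:` block starts before this hunk.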


@ -1,6 +1,6 @@
namespace: middleware_automation namespace: middleware_automation
name: keycloak name: keycloak
version: "0.1.7" version: "0.1.8"
readme: README.md readme: README.md
authors: authors:
- Romain Pelisse <rpelisse@redhat.com> - Romain Pelisse <rpelisse@redhat.com>


@ -1,6 +1,7 @@
--- ---
dependency: dependency:
name: galaxy name: shell
command: ansible-galaxy collection install -r molecule/default/requirements.yml -p $HOME/.ansible/collections --force-with-deps
driver: driver:
name: docker name: docker
platforms: platforms:
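Review bot: The new `shell` dependency runs `ansible-galaxy collection install ... --force-with-deps` on every molecule run, and the new `molecule/default/requirements.yml` section below pins only lower bounds (`>=1.2.1`, `>=0.0.19`, `>=1.9.1`) with no constraint at all for `community.general`, so each run re-resolves to whatever the registry currently publishes and the test environment floats with upstream releases. Pinning the exact versions that were validated in requirements.yml (e.g. `version: "1.2.1"` for redhat_csp_download, and an explicit pin for community.general) and dropping `--force-with-deps` in favour of a plain install makes the scenario reproducible and keeps an unexpected upstream release from changing test results. `$HOME` is expanded by the shell here, so the unquoted `-p` argument is fine only while the path contains no spaces.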


@ -2,6 +2,10 @@
- name: Prepare - name: Prepare
hosts: all hosts: all
tasks: tasks:
- name: Disable beta repos
command: yum config-manager --disable '*beta*'
ignore_errors: yes
- name: Install sudo - name: Install sudo
yum: yum:
name: sudo name: sudo
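Review bot: The new `Disable beta repos` task uses `ignore_errors: yes`, which trips ansible-lint's `yaml[truthy]` rule and also masks every failure of the command (including `yum` lacking the `config-manager` plugin) as a red-but-ignored task; and because it is a bare `command:` with no `changed_when`, it reports changed on every run. `ignore_errors: true` together with `changed_when: false` (or `failed_when: false` if the intent is purely best-effort) expresses the same intent without the noise. The `Prepare` play's `tasks:` list continues outside the hunk.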


@ -0,0 +1,10 @@
---
collections:
- name: middleware_automation.redhat_csp_download
version: ">=1.2.1"
- name: middleware_automation.jcliff
version: ">=0.0.19"
- name: community.general
- name: community.docker
version: ">=1.9.1"


@ -13,6 +13,14 @@ This role requires the `python3-netaddr` library installed on the controller nod
* or via pip: `pip install netaddr==0.8.0` * or via pip: `pip install netaddr==0.8.0`
Versions
--------
| RH-SSO VERSION | Release Date | Keycloak Version | EAP Version | Notes |
|:---------------|:------------------|:-----------------|:------------|:----------------|
|`7.5.0 GA` |September 20, 2021 |`15.0.2` | `7.4.0` |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|
Role Defaults Role Defaults
------------- -------------
@ -48,6 +56,7 @@ The following variables are _required_ only when `keycloak_ha_enabled` is True:
| Variable | Description | Default | | Variable | Description | Default |
|:---------|:------------|:---------| |:---------|:------------|:---------|
|`keycloak_modcluster_url` | URL for the modcluster reverse proxy | `localhost` | |`keycloak_modcluster_url` | URL for the modcluster reverse proxy | `localhost` |
|`keycloak_frontend_url` | frontend URL for keycloak endpoints when a reverse proxy is used | `http://localhost` |
|`keycloak_jdbc_engine` | backend database flavour when db is enabled: [ postgres, mariadb ] | `postgres` | |`keycloak_jdbc_engine` | backend database flavour when db is enabled: [ postgres, mariadb ] | `postgres` |
|`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` | |`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
|`infinispan_user` | username for connecting to infinispan | `supervisor` | |`infinispan_user` | username for connecting to infinispan | `supervisor` |


@ -1,14 +1,15 @@
--- ---
### Configuration specific to keycloak ### Configuration specific to keycloak
keycloak_version: 9.0.2 keycloak_version: 15.0.2
keycloak_archive: keycloak-{{ keycloak_version }}.zip keycloak_archive: "keycloak-{{ keycloak_version }}.zip"
keycloak_download_url: https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }} keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}" keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
### Configuration specific to Red Hat Single Sing-On ### Configuration specific to Red Hat Single Sing-On
keycloak_rhsso_enable: False keycloak_rhsso_enable: False
keycloak_rhsso_version: 7.5 keycloak_rhsso_version: 7.5
keycloak_rhsso_archive: rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip keycloak_rhsso_archive: "rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip"
keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version }}" keycloak_rhsso_installdir: "{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version }}"
keycloak_rhsso_base_url: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=' keycloak_rhsso_base_url: 'https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId='
@ -50,6 +51,7 @@ keycloak_force_install: False
### mod_cluster reverse proxy ### mod_cluster reverse proxy
keycloak_modcluster_url: localhost keycloak_modcluster_url: localhost
keycloak_frontend_url: http://localhost
### infinispan remote caches access (hotrod) ### infinispan remote caches access (hotrod)
infinispan_user: supervisor infinispan_user: supervisor
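Review bot: The new `keycloak_frontend_url: http://localhost` default is plain HTTP, and the template hunk in this same commit switches `forceBackendUrlToFrontendUrl` to `true`, so a deployment that leaves the default in place will advertise `http://localhost` as the issuer in tokens and discovery documents; I would add a comment above it, `# Externally reachable URL of the reverse proxy; must be an https URL outside local testing`, and quote the value like the other URL defaults on the new side of this file. `keycloak_download_url_9x` is added but nothing in this hunk reads it — presumably a task selects it by version, please confirm or drop it. The unchanged header comment a few lines down still reads `Red Hat Single Sing-On`; worth correcting to `Single Sign-On` while touching this block.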


@ -142,7 +142,7 @@
- name: "Deploy Keycloak's standalone.xml" - name: "Deploy Keycloak's standalone.xml"
become: yes become: yes
template: template:
src: "{{ 'templates/standalone-rhsso.xml.j2' if keycloak_rhsso_enable else 'templates/standalone.xml.j2' }}" src: templates/standalone.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}" dest: "{{ keycloak_config_path_to_standalone_xml }}"
owner: "{{ keycloak_service_user }}" owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}" group: "{{ keycloak_service_group }}"
@ -154,7 +154,7 @@
- name: "Deploy Keycloak's standalone.xml with remote cache store" - name: "Deploy Keycloak's standalone.xml with remote cache store"
become: yes become: yes
template: template:
src: "{{ 'templates/standalone-rhsso-jdg.xml.j2' if keycloak_rhsso_enable else 'templates/standalone-infinispan.xml.j2' }}" src: templates/standalone-infinispan.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}" dest: "{{ keycloak_config_path_to_standalone_xml }}"
owner: "{{ keycloak_service_user }}" owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}" group: "{{ keycloak_service_group }}"
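Review bot: Both template tasks now always render `templates/standalone.xml.j2` and `templates/standalone-infinispan.xml.j2`, dropping the `keycloak_rhsso_enable` branch that selected the `standalone-rhsso*.xml.j2` variants, yet the defaults hunk in this commit keeps `keycloak_rhsso_enable`, `keycloak_rhsso_version` and the RH-SSO archive and install-dir variables. If an RH-SSO install is still supported, the Keycloak template will now be written to `keycloak_config_path_to_standalone_xml` of an RH-SSO server; if it is not, the rhsso defaults and the README rows are dead and should be removed in the same change. The enclosing task list continues outside both hunks.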


@ -6,9 +6,17 @@
tags: tags:
- prereqs - prereqs
- include_tasks: tasks/install.yml - name: Include install tasks
include_tasks: tasks/install.yml
- include_tasks: tasks/systemd.yml - name: Include systemd tasks
include_tasks: tasks/systemd.yml
- name: Link default logs directory
file:
state: link
src: "{{keycloak_jboss_home}}/standalone/log"
dest: /var/log/keycloak
- block: - block:
- name: Check admin credentials by generating a token - name: Check admin credentials by generating a token
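Review bot: The new `Link default logs directory` task creates a symlink at `/var/log/keycloak` with no `become`, while the template tasks in `tasks/install.yml` in this same commit run with `become: yes`; unless the whole play is already escalated (not visible here), creating an entry under `/var/log` as the connecting user will fail. The Jinja expression `{{keycloak_jboss_home}}` also lacks the conventional spacing that ansible-lint flags. I would change the task to carry `become: true` and `src: "{{ keycloak_jboss_home }}/standalone/log"`. The `- block:` that follows continues outside the hunk.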


@ -38,6 +38,9 @@
daemon_reload: yes daemon_reload: yes
when: systemdunit.changed when: systemdunit.changed
- set_fact:
health_url: "{{ keycloak_management_url }}/health"
- name: start keycloak - name: start keycloak
systemd: systemd:
name: keycloak name: keycloak
@ -56,9 +59,6 @@
- meta: flush_handlers - meta: flush_handlers
- set_fact:
health_url: "{{ keycloak_management_url }}/health"
- name: "Wait until Keycloak becomes active {{ health_url }}" - name: "Wait until Keycloak becomes active {{ health_url }}"
uri: uri:
url: "{{ health_url }}" url: "{{ health_url }}"
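Review bot: The relocated `set_fact` task is still unnamed (`- set_fact:`), which is inconsistent with the `- name: Include install tasks` style this commit introduces in `tasks/main.yml` and is flagged by ansible-lint's `name[missing]`; `- name: Compute Keycloak health check URL` above `set_fact:` fixes it at no cost. Moving the fact ahead of `start keycloak` is consistent with the later task name interpolating `{{ health_url }}`. Both hunks sit inside a task list that continues outside them, and `daemon_reload: yes` on the context line is the same truthy spelling ansible-lint will flag.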


@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?> <?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:16.0"> <server xmlns="urn:jboss:domain:10.0">
<extensions> <extensions>
<extension module="org.jboss.as.clustering.infinispan"/> <extension module="org.jboss.as.clustering.infinispan"/>
<extension module="org.jboss.as.clustering.jgroups"/> <extension module="org.jboss.as.clustering.jgroups"/>
@ -23,9 +23,10 @@
<extension module="org.wildfly.extension.bean-validation"/> <extension module="org.wildfly.extension.bean-validation"/>
<extension module="org.wildfly.extension.core-management"/> <extension module="org.wildfly.extension.core-management"/>
<extension module="org.wildfly.extension.elytron"/> <extension module="org.wildfly.extension.elytron"/>
<extension module="org.wildfly.extension.health"/>
<extension module="org.wildfly.extension.io"/> <extension module="org.wildfly.extension.io"/>
<extension module="org.wildfly.extension.metrics"/> <extension module="org.wildfly.extension.microprofile.config-smallrye"/>
<extension module="org.wildfly.extension.microprofile.health-smallrye"/>
<extension module="org.wildfly.extension.microprofile.metrics-smallrye"/>
<extension module="org.wildfly.extension.request-controller"/> <extension module="org.wildfly.extension.request-controller"/>
<extension module="org.wildfly.extension.security.manager"/> <extension module="org.wildfly.extension.security.manager"/>
<extension module="org.wildfly.extension.undertow"/> <extension module="org.wildfly.extension.undertow"/>
@ -44,7 +45,8 @@
<security-realm name="ApplicationRealm"> <security-realm name="ApplicationRealm">
<server-identities> <server-identities>
<ssl> <ssl>
<keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/> <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password"
alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
</ssl> </ssl>
</server-identities> </server-identities>
<authentication> <authentication>
@ -141,7 +143,7 @@
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/> <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
<subsystem xmlns="urn:jboss:domain:core-management:1.0"/> <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
<subsystem xmlns="urn:jboss:domain:datasources:6.0"> <subsystem xmlns="urn:jboss:domain:datasources:5.0">
<datasources> <datasources>
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}"> <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url> <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
@ -152,15 +154,15 @@
</security> </security>
</datasource> </datasource>
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}"> <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %} {% if keycloak_jdbc.postgres.enabled %}
<connection-url>{{ keycloak_jdbc[keycloak_jdbc_engine].connection_url }}</connection-url> <connection-url>{{ keycloak_jdbc.postgres.connection_url }}</connection-url>
<driver>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}</driver> <driver>{{ keycloak_jdbc.postgres.driver_module_name }}</driver>
<pool> <pool>
<max-pool-size>20</max-pool-size> <max-pool-size>20</max-pool-size>
</pool> </pool>
<security> <security>
<user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name> <user-name>{{ keycloak_jdbc.postgres.db_user }}</user-name>
<password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password> <password>{{ keycloak_jdbc.postgres.db_password }}</password>
</security> </security>
{% else %} {% else %}
<connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url> <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
@ -172,10 +174,10 @@
{% endif %} {% endif %}
</datasource> </datasource>
<drivers> <drivers>
{% if keycloak_jdbc[keycloak_jdbc_engine].enabled %} {% if keycloak_jdbc.postgres.enabled %}
<driver name="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}" module="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}"> <driver name="{{ keycloak_jdbc.postgres.driver_module_name }}" module="{{ keycloak_jdbc.postgres.driver_module_name }}">
<driver-class>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_class }}</driver-class> <driver-class>org.postgresql.Driver</driver-class>
<xa-datasource-class>{{ keycloak_jdbc[keycloak_jdbc_engine].xa_datasource_class }}</xa-datasource-class> <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
</driver> </driver>
{% endif %} {% endif %}
<driver name="h2" module="com.h2database.h2"> <driver name="h2" module="com.h2database.h2">
@ -187,7 +189,7 @@
<subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0"> <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
<deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/> <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:ee:6.0"> <subsystem xmlns="urn:jboss:domain:ee:4.0">
<spec-descriptor-property-replacement>false</spec-descriptor-property-replacement> <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
<concurrent> <concurrent>
<context-services> <context-services>
@ -197,15 +199,17 @@
<managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/> <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
</managed-thread-factories> </managed-thread-factories>
<managed-executor-services> <managed-executor-services>
<managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/> <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-threshold="60000" keepalive-time="5000"/>
</managed-executor-services> </managed-executor-services>
<managed-scheduled-executor-services> <managed-scheduled-executor-services>
<managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/> <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-threshold="60000" keepalive-time="3000"/>
</managed-scheduled-executor-services> </managed-scheduled-executor-services>
</concurrent> </concurrent>
<default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/> <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS"
managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default"
managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:ejb3:9.0"> <subsystem xmlns="urn:jboss:domain:ejb3:6.0">
<session-bean> <session-bean>
<stateless> <stateless>
<bean-instance-pool-ref pool-name="slsb-strict-max-pool"/> <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
@ -232,7 +236,7 @@
<file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/> <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
</data-stores> </data-stores>
</timer-service> </timer-service>
<remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default"> <remote cluster="ejb" connector-ref="http-remoting-connector" thread-pool-name="default">
<channel-creation-options> <channel-creation-options>
<option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/> <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
</channel-creation-options> </channel-creation-options>
@ -248,7 +252,7 @@
<statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/> <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<log-system-exceptions value="true"/> <log-system-exceptions value="true"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto"> <subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
<providers> <providers>
<aggregate-providers name="combined-providers"> <aggregate-providers name="combined-providers">
<providers name="elytron"/> <providers name="elytron"/>
@ -357,7 +361,7 @@
</key-store> </key-store>
</key-stores> </key-stores>
<key-managers> <key-managers>
<key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost"> <key-manager name="applicationKM" key-store="applicationKS">
<credential-reference clear-text="password"/> <credential-reference clear-text="password"/>
</key-manager> </key-manager>
</key-managers> </key-managers>
@ -366,25 +370,24 @@
</server-ssl-contexts> </server-ssl-contexts>
</tls> </tls>
</subsystem> </subsystem>
<subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/> <subsystem xmlns="urn:jboss:domain:infinispan:9.0">
<subsystem xmlns="urn:jboss:domain:infinispan:12.0"> <cache-container name="ejb" default-cache="passivation" aliases="sfsb" module="org.wildfly.clustering.ejb.infinispan">
<cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
<local-cache name="passivation"> <local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/> <locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/> <transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/> <file-store passivation="true" purge="false"/>
</local-cache> </local-cache>
</cache-container> </cache-container>
<cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan"> <cache-container name="keycloak" module="org.keycloak.keycloak-model-infinispan">
<transport lock-timeout="60000"/> <transport lock-timeout="60000"/>
<local-cache name="realms"> <local-cache name="realms">
<heap-memory size="10000"/> <object-memory size="10000"/>
</local-cache> </local-cache>
<local-cache name="users"> <local-cache name="users">
<heap-memory size="10000"/> <object-memory size="10000"/>
</local-cache> </local-cache>
<local-cache name="authenticationSessions"/> <local-cache name="authenticationSessions"/>
{% for cachename in [ "sessions", "offlineSessions", "clientSessions", "offlineClientSessions", "loginFailures", "actionTokens" ] %} {% for cachename in [ "sessions", "offlineSessions", "clientSessions", "offlineClientSessions", "loginFailures", "actionTokens" ] %}
<distributed-cache name="{{ cachename }}"> <distributed-cache name="{{ cachename }}">
<remote-store cache="{{ cachename }}" <remote-store cache="{{ cachename }}"
remote-servers="remote-cache" remote-servers="remote-cache"
@ -400,15 +403,15 @@
<property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property> <property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property>
<property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property> <property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property>
<property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property> <property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property>
<property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism }}</property> <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism | default('SCRAM-SHA-512') }}</property>
<property name="infinispan.client.hotrod.use_ssl">{{ keycloak_remotecache.use_ssl }}</property> <property name="infinispan.client.hotrod.use_ssl">false</property>
<property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path }}</property> <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property>
<property name="infinispan.client.hotrod.trust_store_type">JKS</property> <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
<property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password }}</property> <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property>
<property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property> <property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
</remote-store> </remote-store>
</distributed-cache> </distributed-cache>
{% endfor %} {% endfor %}
<replicated-cache name="work"> <replicated-cache name="work">
<remote-store cache="work" <remote-store cache="work"
remote-servers="remote-cache" remote-servers="remote-cache"
@ -424,28 +427,28 @@
<property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property> <property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property>
<property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property> <property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property>
<property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property> <property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property>
<property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism }}</property> <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism | default('SCRAM-SHA-512') }}</property>
<property name="infinispan.client.hotrod.use_ssl">{{ keycloak_remotecache.use_ssl }}</property> <property name="infinispan.client.hotrod.use_ssl">false</property>
<property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path }}</property> <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property>
<property name="infinispan.client.hotrod.trust_store_type">JKS</property> <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
<property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password }}</property> <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property>
<property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property> <property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
</remote-store> </remote-store>
</replicated-cache> </replicated-cache>
<local-cache name="authorization"> <local-cache name="authorization">
<heap-memory size="10000"/> <object-memory size="10000"/>
</local-cache> </local-cache>
<local-cache name="keys"> <local-cache name="keys">
<heap-memory size="1000"/> <object-memory size="1000"/>
<expiration max-idle="3600000"/> <expiration max-idle="3600000"/>
</local-cache> </local-cache>
</cache-container> </cache-container>
<cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server"> <cache-container name="server" default-cache="default" module="org.wildfly.clustering.server">
<local-cache name="default"> <local-cache name="default">
<transaction mode="BATCH"/> <transaction mode="BATCH"/>
</local-cache> </local-cache>
</cache-container> </cache-container>
<cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan"> <cache-container name="web" default-cache="passivation" module="org.wildfly.clustering.web.infinispan">
<local-cache name="passivation"> <local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/> <locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/> <transaction mode="BATCH"/>
@ -457,13 +460,13 @@
</local-cache> </local-cache>
<local-cache name="routing"/> <local-cache name="routing"/>
</cache-container> </cache-container>
<cache-container name="hibernate" modules="org.infinispan.hibernate-cache"> <cache-container name="hibernate" module="org.infinispan.hibernate-cache">
<local-cache name="entity"> <local-cache name="entity">
<heap-memory size="10000"/> <object-memory size="10000"/>
<expiration max-idle="100000"/> <expiration max-idle="100000"/>
</local-cache> </local-cache>
<local-cache name="local-query"> <local-cache name="local-query">
<heap-memory size="10000"/> <object-memory size="10000"/>
<expiration max-idle="100000"/> <expiration max-idle="100000"/>
</local-cache> </local-cache>
<local-cache name="timestamps"/> <local-cache name="timestamps"/>
@ -473,7 +476,7 @@
<worker name="default"/> <worker name="default"/>
<buffer-pool name="default"/> <buffer-pool name="default"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/> <subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
<subsystem xmlns="urn:jboss:domain:jca:5.0"> <subsystem xmlns="urn:jboss:domain:jca:5.0">
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/> <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
<bean-validation enabled="true"/> <bean-validation enabled="true"/>
@ -493,7 +496,7 @@
</default-workmanager> </default-workmanager>
<cached-connection-manager/> <cached-connection-manager/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:jgroups:8.0"> <subsystem xmlns="urn:jboss:domain:jgroups:7.0">
<channels default="ee"> <channels default="ee">
<channel name="ee" stack="tcp" cluster="ejb"/> <channel name="ee" stack="tcp" cluster="ejb"/>
</channels> </channels>
@ -530,7 +533,7 @@
<remoting-connector/> <remoting-connector/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:jpa:1.1"> <subsystem xmlns="urn:jboss:domain:jpa:1.1">
<jpa default-extended-persistence-inheritance="DEEP"/> <jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"> <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>auth</web-context> <web-context>auth</web-context>
@ -606,18 +609,17 @@
<default-provider>default</default-provider> <default-provider>default</default-provider>
<provider name="default" enabled="true"> <provider name="default" enabled="true">
<properties> <properties>
<property name="frontendUrl" value="${keycloak.frontendUrl:}"/> <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
<property name="forceBackendUrlToFrontendUrl" value="false"/> <property name="forceBackendUrlToFrontendUrl" value="true"/>
</properties> </properties>
</provider> </provider>
</spi> </spi>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:mail:4.0"> <subsystem xmlns="urn:jboss:domain:mail:3.0">
<mail-session name="default" jndi-name="java:jboss/mail/Default"> <mail-session name="default" jndi-name="java:jboss/mail/Default">
<smtp-server outbound-socket-binding-ref="mail-smtp"/> <smtp-server outbound-socket-binding-ref="mail-smtp"/>
</mail-session> </mail-session>
</subsystem> </subsystem>
<subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
{% if keycloak_modcluster.enabled %} {% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0"> <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1"> <proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
@ -673,7 +675,7 @@
</maximum-set> </maximum-set>
</deployment-permissions> </deployment-permissions>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:transactions:6.0"> <subsystem xmlns="urn:jboss:domain:transactions:5.0">
<core-environment node-identifier="{{ inventory_hostname | default('${jboss.tx.node.id:1}') }}"> <core-environment node-identifier="{{ inventory_hostname | default('${jboss.tx.node.id:1}') }}">
<process-id> <process-id>
<uuid/> <uuid/>
@ -683,7 +685,9 @@
<coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/> <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<object-store path="tx-object-store" relative-to="jboss.server.data.dir"/> <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}"> <subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host"
default-servlet-container="default" default-security-domain="other"
statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/> <buffer-cache name="default"/>
<server name="default-server"> <server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/> <ajp-listener name="ajp" socket-binding="ajp"/>
@ -708,6 +712,12 @@
</filters> </filters>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:weld:4.0"/> <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
<subsystem xmlns="urn:wildfly:microprofile-config-smallrye:1.0"/>
<subsystem xmlns="urn:wildfly:microprofile-health-smallrye:2.0" security-enabled="false"
empty-liveness-checks-status="${env.MP_HEALTH_EMPTY_LIVENESS_CHECKS_STATUS:UP}"
empty-readiness-checks-status="${env.MP_HEALTH_EMPTY_READINESS_CHECKS_STATUS:UP}"/>
<subsystem xmlns="urn:wildfly:microprofile-metrics-smallrye:2.0" security-enabled="false"
exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
</profile> </profile>
<interfaces> <interfaces>
<interface name="management"> <interface name="management">


@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?> <?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:16.0"> <server xmlns="urn:jboss:domain:10.0">
<extensions> <extensions>
<extension module="org.jboss.as.clustering.infinispan"/> <extension module="org.jboss.as.clustering.infinispan"/>
<extension module="org.jboss.as.connector"/> <extension module="org.jboss.as.connector"/>
@ -22,9 +22,10 @@
<extension module="org.wildfly.extension.bean-validation"/> <extension module="org.wildfly.extension.bean-validation"/>
<extension module="org.wildfly.extension.core-management"/> <extension module="org.wildfly.extension.core-management"/>
<extension module="org.wildfly.extension.elytron"/> <extension module="org.wildfly.extension.elytron"/>
<extension module="org.wildfly.extension.health"/>
<extension module="org.wildfly.extension.io"/> <extension module="org.wildfly.extension.io"/>
<extension module="org.wildfly.extension.metrics"/> <extension module="org.wildfly.extension.microprofile.config-smallrye"/>
<extension module="org.wildfly.extension.microprofile.health-smallrye"/>
<extension module="org.wildfly.extension.microprofile.metrics-smallrye"/>
<extension module="org.wildfly.extension.request-controller"/> <extension module="org.wildfly.extension.request-controller"/>
<extension module="org.wildfly.extension.security.manager"/> <extension module="org.wildfly.extension.security.manager"/>
<extension module="org.wildfly.extension.undertow"/> <extension module="org.wildfly.extension.undertow"/>
@ -43,7 +44,8 @@
<security-realm name="ApplicationRealm"> <security-realm name="ApplicationRealm">
<server-identities> <server-identities>
<ssl> <ssl>
<keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/> <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password"
alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
</ssl> </ssl>
</server-identities> </server-identities>
<authentication> <authentication>
@ -128,7 +130,7 @@
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/> <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
<subsystem xmlns="urn:jboss:domain:core-management:1.0"/> <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
<subsystem xmlns="urn:jboss:domain:datasources:6.0"> <subsystem xmlns="urn:jboss:domain:datasources:5.0">
<datasources> <datasources>
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}"> <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url> <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
@ -156,7 +158,7 @@
<subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0"> <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
<deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/> <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:ee:6.0"> <subsystem xmlns="urn:jboss:domain:ee:4.0">
<spec-descriptor-property-replacement>false</spec-descriptor-property-replacement> <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
<concurrent> <concurrent>
<context-services> <context-services>
@ -166,15 +168,17 @@
<managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/> <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
</managed-thread-factories> </managed-thread-factories>
<managed-executor-services> <managed-executor-services>
<managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/> <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-threshold="60000" keepalive-time="5000"/>
</managed-executor-services> </managed-executor-services>
<managed-scheduled-executor-services> <managed-scheduled-executor-services>
<managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/> <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-threshold="60000" keepalive-time="3000"/>
</managed-scheduled-executor-services> </managed-scheduled-executor-services>
</concurrent> </concurrent>
<default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/> <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS"
managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default"
managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:ejb3:9.0"> <subsystem xmlns="urn:jboss:domain:ejb3:6.0">
<session-bean> <session-bean>
<stateless> <stateless>
<bean-instance-pool-ref pool-name="slsb-strict-max-pool"/> <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
@ -201,7 +205,7 @@
<file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/> <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
</data-stores> </data-stores>
</timer-service> </timer-service>
<remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default"> <remote connector-ref="http-remoting-connector" thread-pool-name="default">
<channel-creation-options> <channel-creation-options>
<option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/> <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
</channel-creation-options> </channel-creation-options>
@ -217,7 +221,130 @@
<statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/> <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<log-system-exceptions value="true"/> <log-system-exceptions value="true"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto"> <subsystem xmlns="urn:jboss:domain:io:3.0">
<worker name="default"/>
<buffer-pool name="default"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:infinispan:9.0">
<cache-container name="keycloak">
<local-cache name="realms">
<object-memory size="10000"/>
</local-cache>
<local-cache name="users">
<object-memory size="10000"/>
</local-cache>
<local-cache name="sessions"/>
<local-cache name="authenticationSessions"/>
<local-cache name="offlineSessions"/>
<local-cache name="clientSessions"/>
<local-cache name="offlineClientSessions"/>
<local-cache name="loginFailures"/>
<local-cache name="work"/>
<local-cache name="authorization">
<object-memory size="10000"/>
</local-cache>
<local-cache name="keys">
<object-memory size="1000"/>
<expiration max-idle="3600000"/>
</local-cache>
<local-cache name="actionTokens">
<object-memory size="-1"/>
<expiration max-idle="-1" interval="300000"/>
</local-cache>
</cache-container>
<cache-container name="server" default-cache="default" module="org.wildfly.clustering.server">
<local-cache name="default">
<transaction mode="BATCH"/>
</local-cache>
</cache-container>
<cache-container name="web" default-cache="passivation" module="org.wildfly.clustering.web.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
<local-cache name="sso">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
</local-cache>
<local-cache name="routing"/>
</cache-container>
<cache-container name="ejb" aliases="sfsb" default-cache="passivation" module="org.wildfly.clustering.ejb.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
</cache-container>
<cache-container name="hibernate" module="org.infinispan.hibernate-cache">
<local-cache name="entity">
<object-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="local-query">
<object-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="timestamps"/>
</cache-container>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
<subsystem xmlns="urn:jboss:domain:jca:5.0">
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
<bean-validation enabled="true"/>
<default-workmanager>
<short-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</short-running-threads>
<long-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</long-running-threads>
</default-workmanager>
<cached-connection-manager/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
<expose-resolved-model/>
<expose-expression-model/>
<remoting-connector/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jpa:1.1">
<jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:mail:3.0">
<mail-session name="default" jndi-name="java:jboss/mail/Default">
<smtp-server outbound-socket-binding-ref="mail-smtp"/>
</mail-session>
</subsystem>
{% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
</proxy>
</subsystem>
{% endif %}
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
<subsystem xmlns="urn:jboss:domain:security-manager:1.0">
<deployment-permissions>
<maximum-set>
<permission class="java.security.AllPermission"/>
</maximum-set>
</deployment-permissions>
</subsystem>
<subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
<providers> <providers>
<aggregate-providers name="combined-providers"> <aggregate-providers name="combined-providers">
<providers name="elytron"/> <providers name="elytron"/>
@ -275,7 +402,6 @@
<permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/> <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
<permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/> <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
<permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/> <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
<permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
</permission-set> </permission-set>
</permission-sets> </permission-sets>
<http> <http>
@ -317,126 +443,78 @@
</mechanism-provider-filtering-sasl-server-factory> </mechanism-provider-filtering-sasl-server-factory>
<provider-sasl-server-factory name="global"/> <provider-sasl-server-factory name="global"/>
</sasl> </sasl>
<tls>
<key-stores>
<key-store name="applicationKS">
<credential-reference clear-text="password"/>
<implementation type="JKS"/>
<file path="application.keystore" relative-to="jboss.server.config.dir"/>
</key-store>
</key-stores>
<key-managers>
<key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
<credential-reference clear-text="password"/>
</key-manager>
</key-managers>
<server-ssl-contexts>
<server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
</server-ssl-contexts>
</tls>
</subsystem> </subsystem>
<subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/> <subsystem xmlns="urn:jboss:domain:security:2.0">
<subsystem xmlns="urn:jboss:domain:infinispan:12.0"> <security-domains>
<cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan"> <security-domain name="other" cache-type="default">
<local-cache name="passivation"> <authentication>
<locking isolation="REPEATABLE_READ"/> <login-module code="Remoting" flag="optional">
<transaction mode="BATCH"/> <module-option name="password-stacking" value="useFirstPass"/>
<file-store passivation="true" purge="false"/> </login-module>
</local-cache> <login-module code="RealmDirect" flag="required">
</cache-container> <module-option name="password-stacking" value="useFirstPass"/>
<cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan"> </login-module>
<local-cache name="realms"> </authentication>
<heap-memory size="10000"/> </security-domain>
</local-cache> <security-domain name="jboss-web-policy" cache-type="default">
<local-cache name="users"> <authorization>
<heap-memory size="10000"/> <policy-module code="Delegating" flag="required"/>
</local-cache> </authorization>
<local-cache name="sessions"/> </security-domain>
<local-cache name="authenticationSessions"/> <security-domain name="jaspitest" cache-type="default">
<local-cache name="offlineSessions"/> <authentication-jaspi>
<local-cache name="clientSessions"/> <login-module-stack name="dummy">
<local-cache name="offlineClientSessions"/> <login-module code="Dummy" flag="optional"/>
<local-cache name="loginFailures"/> </login-module-stack>
<local-cache name="work"/> <auth-module code="Dummy"/>
<local-cache name="authorization"> </authentication-jaspi>
<heap-memory size="10000"/> </security-domain>
</local-cache> <security-domain name="jboss-ejb-policy" cache-type="default">
<local-cache name="keys"> <authorization>
<heap-memory size="1000"/> <policy-module code="Delegating" flag="required"/>
<expiration max-idle="3600000"/> </authorization>
</local-cache> </security-domain>
<local-cache name="actionTokens"> </security-domains>
<heap-memory size="-1"/>
<expiration interval="300000" max-idle="-1"/>
</local-cache>
</cache-container>
<cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
<local-cache name="default">
<transaction mode="BATCH"/>
</local-cache>
</cache-container>
<cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
<local-cache name="sso">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
</local-cache>
<local-cache name="routing"/>
</cache-container>
<cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
<local-cache name="entity">
<heap-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="local-query">
<heap-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="timestamps"/>
</cache-container>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:io:3.0"> <subsystem xmlns="urn:jboss:domain:transactions:5.0">
<worker name="default"/> <core-environment node-identifier="${jboss.tx.node.id:1}">
<buffer-pool name="default"/> <process-id>
<uuid/>
</process-id>
</core-environment>
<recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
<coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/> <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
<subsystem xmlns="urn:jboss:domain:jca:5.0"> <subsystem xmlns="urn:wildfly:microprofile-config-smallrye:1.0"/>
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/> <subsystem xmlns="urn:wildfly:microprofile-health-smallrye:2.0" security-enabled="false"
<bean-validation enabled="true"/> empty-liveness-checks-status="${env.MP_HEALTH_EMPTY_LIVENESS_CHECKS_STATUS:UP}" empty-readiness-checks-status="${env.MP_HEALTH_EMPTY_READINESS_CHECKS_STATUS:UP}"/>
<default-workmanager> <subsystem xmlns="urn:wildfly:microprofile-metrics-smallrye:2.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
<short-running-threads> <subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host"
<core-threads count="50"/> default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<queue-length count="50"/> <buffer-cache name="default"/>
<max-threads count="50"/> <server name="default-server">
<keepalive-time time="10" unit="seconds"/> <ajp-listener name="ajp" socket-binding="ajp"/>
</short-running-threads> <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<long-running-threads> <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<core-threads count="50"/> <host name="default-host" alias="localhost">
<queue-length count="50"/> <location name="/" handler="welcome-content"/>
<max-threads count="50"/> <http-invoker security-realm="ApplicationRealm"/>
<keepalive-time time="10" unit="seconds"/> </host>
</long-running-threads> </server>
</default-workmanager> <servlet-container name="default">
<cached-connection-manager/> <jsp-config/>
</subsystem> <websockets/>
<subsystem xmlns="urn:jboss:domain:jmx:1.3"> </servlet-container>
<expose-resolved-model/> <handlers>
<expose-expression-model/> <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
<remoting-connector/> </handlers>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jpa:1.1">
<jpa default-extended-persistence-inheritance="DEEP"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"> <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>auth</web-context> <web-context>auth</web-context>
<providers> <providers>
<provider> <provider>classpath:${jboss.home.dir}/providers/*</provider>
classpath:${jboss.home.dir}/providers/*
</provider>
</providers> </providers>
<master-realm-name>master</master-realm-name> <master-realm-name>master</master-realm-name>
<scheduled-task-interval>900</scheduled-task-interval> <scheduled-task-interval>900</scheduled-task-interval>
@ -505,103 +583,12 @@
<default-provider>default</default-provider> <default-provider>default</default-provider>
<provider name="default" enabled="true"> <provider name="default" enabled="true">
<properties> <properties>
<property name="frontendUrl" value="${keycloak.frontendUrl:}"/> <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
<property name="forceBackendUrlToFrontendUrl" value="false"/> <property name="forceBackendUrlToFrontendUrl" value="true"/>
</properties> </properties>
</provider> </provider>
</spi> </spi>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:mail:4.0">
<mail-session name="default" jndi-name="java:jboss/mail/Default">
<smtp-server outbound-socket-binding-ref="mail-smtp"/>
</mail-session>
</subsystem>
<subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
{% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
</proxy>
</subsystem>
{% endif %}
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
<subsystem xmlns="urn:jboss:domain:security:2.0">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jaspitest" cache-type="default">
<authentication-jaspi>
<login-module-stack name="dummy">
<login-module code="Dummy" flag="optional"/>
</login-module-stack>
<auth-module code="Dummy"/>
</authentication-jaspi>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
</security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:security-manager:1.0">
<deployment-permissions>
<maximum-set>
<permission class="java.security.AllPermission"/>
</maximum-set>
</deployment-permissions>
</subsystem>
<subsystem xmlns="urn:jboss:domain:transactions:6.0">
<core-environment node-identifier="${jboss.tx.node.id:1}">
<process-id>
<uuid/>
</process-id>
</core-environment>
<recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
<coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/>
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
</subsystem>
<subsystem xmlns="urn:jboss:domain:weld:4.0"/>
</profile> </profile>
<interfaces> <interfaces>
<interface name="management"> <interface name="management">
@ -621,7 +608,7 @@
<socket-binding name="txn-recovery-environment" port="4712"/> <socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/> <socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp"> <outbound-socket-binding name="mail-smtp">
<remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/> <remote-destination host="localhost" port="25"/>
</outbound-socket-binding> </outbound-socket-binding>
{% if keycloak_modcluster.enabled %} {% if keycloak_modcluster.enabled %}
<outbound-socket-binding name="proxy1"> <outbound-socket-binding name="proxy1">
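Review bot: The `<keystore>` under `ApplicationRealm` near the top of this section still carries `keystore-password="password"`, `key-password="password"` and `generate-self-signed-certificate-host="localhost"`, and that same realm backs the `https-listener` and the `http-invoker` in the undertow subsystem, so a Keycloak instance rendered from this template serves its TLS endpoint with a private key protected by a well-known default password and a self-signed localhost certificate unless the operator edits the generated XML by hand. Since the file is already a Jinja template, the path, alias and both passwords could be variables fed from an Ansible Vault (e.g. `keystore-password="{{ keycloak_keystore_password }}"`), with self-signed generation limited to the molecule/test scenario. Separately, the `frontendUrl` property near the end of the section reads `{{ keycloak_modcluster.frontend_url }}` with `forceBackendUrlToFrontendUrl="true"` unconditionally, whereas the modcluster subsystem and the `proxy1` outbound binding are both wrapped in `{% if keycloak_modcluster.enabled %}`; if that variable is not set when modcluster is disabled, rendering either fails or forces every backend URL onto an empty frontend, so guarding it the same way or falling back to `${keycloak.frontendUrl:}` would keep the three places consistent. The `microprofile-health-smallrye` and `microprofile-metrics-smallrye` subsystems are also rendered with `security-enabled="false"`; that is the WildFly default, but a template comment such as `<!-- health and metrics endpoints are unauthenticated on the management interface; restrict access at the network layer -->` would make the exposure explicit to operators.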


@ -83,8 +83,7 @@ startKeycloak() {
-Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \ -Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \
-Djboss.node.name={{ inventory_hostname }} \ -Djboss.node.name={{ inventory_hostname }} \
{% if keycloak_prefer_ipv4 %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\ {% if keycloak_prefer_ipv4 %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\
{% if keycloak_config_standalone_xml is defined %}--server-config={{ keycloak_config_standalone_xml }}{% endif %} \ {% if keycloak_config_standalone_xml is defined %}--server-config={{ keycloak_config_standalone_xml }}{% endif %} &
2>&1 >> "${KEYCLOAK_LOGFILE}" &
while [ ! -f ${KEYCLOAK_PIDFILE} ]; do sleep 1; done while [ ! -f ${KEYCLOAK_PIDFILE} ]; do sleep 1; done
fi fi
} }
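Review bot: The pidfile wait that follows the backgrounded java command is unbounded: if the JVM exits before writing `${KEYCLOAK_PIDFILE}` (unreadable `--server-config` path, port already bound, bad JDBC settings), `while [ ! -f ${KEYCLOAK_PIDFILE} ]; do sleep 1; done` spins forever and the Ansible task never returns. Capturing `$!` and failing when that process is gone, plus an upper bound on the wait, turns a hung deploy into a visible error; `${KEYCLOAK_PIDFILE}` should also be quoted. With this change the `2>&1 >> "${KEYCLOAK_LOGFILE}"` redirect is gone, so nothing in this hunk captures the server's stdout/stderr — that may be intended if a unit file or an earlier redirect in `startKeycloak` handles it (that is outside the hunk), but if file logging is still wanted note the removed form was itself misordered and the correct shape is `>> "${KEYCLOAK_LOGFILE}" 2>&1`. `startKeycloak` begins before this hunk.
```shell
      {% if keycloak_config_standalone_xml is defined %}--server-config={{ keycloak_config_standalone_xml }}{% endif %} &
      server_pid=$!
      waited=0
      # fail fast instead of spinning forever when the JVM dies before writing its pidfile
      while [ ! -f "${KEYCLOAK_PIDFILE}" ]; do
        if ! kill -0 "${server_pid}" 2>/dev/null; then
          echo "Keycloak exited before ${KEYCLOAK_PIDFILE} was written" >&2
          return 1
        fi
        if [ "${waited}" -ge "${KEYCLOAK_START_TIMEOUT:-300}" ]; then
          echo "Timed out waiting for ${KEYCLOAK_PIDFILE}" >&2
          return 1
        fi
        sleep 1
        waited=$((waited + 1))
      done
      # … unchanged: closing fi and function brace …
```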


@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?> <?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:10.0"> <server xmlns="urn:jboss:domain:16.0">
<extensions> <extensions>
<extension module="org.jboss.as.clustering.infinispan"/> <extension module="org.jboss.as.clustering.infinispan"/>
<extension module="org.jboss.as.clustering.jgroups"/> <extension module="org.jboss.as.clustering.jgroups"/>
@ -23,10 +23,9 @@
<extension module="org.wildfly.extension.bean-validation"/> <extension module="org.wildfly.extension.bean-validation"/>
<extension module="org.wildfly.extension.core-management"/> <extension module="org.wildfly.extension.core-management"/>
<extension module="org.wildfly.extension.elytron"/> <extension module="org.wildfly.extension.elytron"/>
<extension module="org.wildfly.extension.health"/>
<extension module="org.wildfly.extension.io"/> <extension module="org.wildfly.extension.io"/>
<extension module="org.wildfly.extension.microprofile.config-smallrye"/> <extension module="org.wildfly.extension.metrics"/>
<extension module="org.wildfly.extension.microprofile.health-smallrye"/>
<extension module="org.wildfly.extension.microprofile.metrics-smallrye"/>
<extension module="org.wildfly.extension.request-controller"/> <extension module="org.wildfly.extension.request-controller"/>
<extension module="org.wildfly.extension.security.manager"/> <extension module="org.wildfly.extension.security.manager"/>
<extension module="org.wildfly.extension.undertow"/> <extension module="org.wildfly.extension.undertow"/>
@ -45,8 +44,7 @@
<security-realm name="ApplicationRealm"> <security-realm name="ApplicationRealm">
<server-identities> <server-identities>
<ssl> <ssl>
<keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
</ssl> </ssl>
</server-identities> </server-identities>
<authentication> <authentication>
@ -143,7 +141,7 @@
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/> <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
<subsystem xmlns="urn:jboss:domain:core-management:1.0"/> <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
<subsystem xmlns="urn:jboss:domain:datasources:5.0"> <subsystem xmlns="urn:jboss:domain:datasources:6.0">
<datasources> <datasources>
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}"> <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url> <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
@ -154,15 +152,15 @@
</security> </security>
</datasource> </datasource>
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}"> <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
{% if keycloak_jdbc.postgres.enabled %} {% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
<connection-url>{{ keycloak_jdbc.postgres.connection_url }}</connection-url> <connection-url>{{ keycloak_jdbc[keycloak_jdbc_engine].connection_url }}</connection-url>
<driver>{{ keycloak_jdbc.postgres.driver_module_name }}</driver> <driver>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}</driver>
<pool> <pool>
<max-pool-size>20</max-pool-size> <max-pool-size>20</max-pool-size>
</pool> </pool>
<security> <security>
<user-name>{{ keycloak_jdbc.postgres.db_user }}</user-name> <user-name>{{ keycloak_jdbc[keycloak_jdbc_engine].db_user }}</user-name>
<password>{{ keycloak_jdbc.postgres.db_password }}</password> <password>{{ keycloak_jdbc[keycloak_jdbc_engine].db_password }}</password>
</security> </security>
{% else %} {% else %}
<connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url> <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
@ -174,10 +172,10 @@
{% endif %} {% endif %}
</datasource> </datasource>
<drivers> <drivers>
{% if keycloak_jdbc.postgres.enabled %} {% if keycloak_jdbc[keycloak_jdbc_engine].enabled %}
<driver name="{{ keycloak_jdbc.postgres.driver_module_name }}" module="{{ keycloak_jdbc.postgres.driver_module_name }}"> <driver name="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}" module="{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_name }}">
<driver-class>org.postgresql.Driver</driver-class> <driver-class>{{ keycloak_jdbc[keycloak_jdbc_engine].driver_class }}</driver-class>
<xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class> <xa-datasource-class>{{ keycloak_jdbc[keycloak_jdbc_engine].xa_datasource_class }}</xa-datasource-class>
</driver> </driver>
{% endif %} {% endif %}
<driver name="h2" module="com.h2database.h2"> <driver name="h2" module="com.h2database.h2">
@ -189,7 +187,7 @@
<subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0"> <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
<deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/> <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:ee:4.0"> <subsystem xmlns="urn:jboss:domain:ee:6.0">
<spec-descriptor-property-replacement>false</spec-descriptor-property-replacement> <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
<concurrent> <concurrent>
<context-services> <context-services>
@ -199,17 +197,15 @@
<managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/> <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
</managed-thread-factories> </managed-thread-factories>
<managed-executor-services> <managed-executor-services>
<managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-threshold="60000" keepalive-time="5000"/> <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
</managed-executor-services> </managed-executor-services>
<managed-scheduled-executor-services> <managed-scheduled-executor-services>
<managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-threshold="60000" keepalive-time="3000"/> <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
</managed-scheduled-executor-services> </managed-scheduled-executor-services>
</concurrent> </concurrent>
<default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default"
managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:ejb3:6.0"> <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
<session-bean> <session-bean>
<stateless> <stateless>
<bean-instance-pool-ref pool-name="slsb-strict-max-pool"/> <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
@ -236,7 +232,7 @@
<file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/> <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
</data-stores> </data-stores>
</timer-service> </timer-service>
<remote cluster="ejb" connector-ref="http-remoting-connector" thread-pool-name="default"> <remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
<channel-creation-options> <channel-creation-options>
<option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/> <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
</channel-creation-options> </channel-creation-options>
@ -252,7 +248,7 @@
<statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/> <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<log-system-exceptions value="true"/> <log-system-exceptions value="true"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto"> <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
<providers> <providers>
<aggregate-providers name="combined-providers"> <aggregate-providers name="combined-providers">
<providers name="elytron"/> <providers name="elytron"/>
@ -361,7 +357,7 @@
</key-store> </key-store>
</key-stores> </key-stores>
<key-managers> <key-managers>
<key-manager name="applicationKM" key-store="applicationKS"> <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
<credential-reference clear-text="password"/> <credential-reference clear-text="password"/>
</key-manager> </key-manager>
</key-managers> </key-managers>
@ -370,24 +366,25 @@
</server-ssl-contexts> </server-ssl-contexts>
</tls> </tls>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:infinispan:9.0"> <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
<cache-container name="ejb" default-cache="passivation" aliases="sfsb" module="org.wildfly.clustering.ejb.infinispan"> <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
<cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
<local-cache name="passivation"> <local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/> <locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/> <transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/> <file-store passivation="true" purge="false"/>
</local-cache> </local-cache>
</cache-container> </cache-container>
<cache-container name="keycloak" module="org.keycloak.keycloak-model-infinispan"> <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
<transport lock-timeout="60000"/> <transport lock-timeout="60000"/>
<local-cache name="realms"> <local-cache name="realms">
<object-memory size="10000"/> <heap-memory size="10000"/>
</local-cache> </local-cache>
<local-cache name="users"> <local-cache name="users">
<object-memory size="10000"/> <heap-memory size="10000"/>
</local-cache> </local-cache>
<local-cache name="authenticationSessions"/> <local-cache name="authenticationSessions"/>
{% for cachename in [ "sessions", "offlineSessions", "clientSessions", "offlineClientSessions", "loginFailures", "actionTokens" ] %} {% for cachename in [ "sessions", "offlineSessions", "clientSessions", "offlineClientSessions", "loginFailures", "actionTokens" ] %}
<distributed-cache name="{{ cachename }}"> <distributed-cache name="{{ cachename }}">
<remote-store cache="{{ cachename }}" <remote-store cache="{{ cachename }}"
remote-servers="remote-cache" remote-servers="remote-cache"
@ -403,15 +400,15 @@
<property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property> <property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property>
<property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property> <property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property>
<property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property> <property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property>
<property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism | default('SCRAM-SHA-512') }}</property> <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism }}</property>
<property name="infinispan.client.hotrod.use_ssl">false</property> <property name="infinispan.client.hotrod.use_ssl">{{ keycloak_remotecache.use_ssl }}</property>
<property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property> <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path }}</property>
<property name="infinispan.client.hotrod.trust_store_type">JKS</property> <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
<property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property> <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password }}</property>
<property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property> <property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
</remote-store> </remote-store>
</distributed-cache> </distributed-cache>
{% endfor %} {% endfor %}
<replicated-cache name="work"> <replicated-cache name="work">
<remote-store cache="work" <remote-store cache="work"
remote-servers="remote-cache" remote-servers="remote-cache"
@ -427,28 +424,28 @@
<property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property> <property name="infinispan.client.hotrod.auth_password">{{ keycloak_remotecache.password }}</property>
<property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property> <property name="infinispan.client.hotrod.auth_realm">{{ keycloak_remotecache.realm | default('default') }}</property>
<property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property> <property name="infinispan.client.hotrod.auth_server_name">{{ keycloak_remotecache.server_name }}</property>
<property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism | default('SCRAM-SHA-512') }}</property> <property name="infinispan.client.hotrod.sasl_mechanism">{{ keycloak_remotecache.sasl_mechanism }}</property>
<property name="infinispan.client.hotrod.use_ssl">false</property> <property name="infinispan.client.hotrod.use_ssl">{{ keycloak_remotecache.use_ssl }}</property>
<property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path | default('/etc/truststore/truststore.jks') }}</property> <property name="infinispan.client.hotrod.trust_store_file_name">{{ keycloak_remotecache.trust_store_path }}</property>
<property name="infinispan.client.hotrod.trust_store_type">JKS</property> <property name="infinispan.client.hotrod.trust_store_type">JKS</property>
<property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password | default("changeme") }}</property> <property name="infinispan.client.hotrod.trust_store_password">{{ keycloak_remotecache.trust_store_password }}</property>
<property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property> <property name="infinispan.client.hotrod.client_intelligence">TOPOLOGY_AWARE</property>
</remote-store> </remote-store>
</replicated-cache> </replicated-cache>
<local-cache name="authorization"> <local-cache name="authorization">
<object-memory size="10000"/> <heap-memory size="10000"/>
</local-cache> </local-cache>
<local-cache name="keys"> <local-cache name="keys">
<object-memory size="1000"/> <heap-memory size="1000"/>
<expiration max-idle="3600000"/> <expiration max-idle="3600000"/>
</local-cache> </local-cache>
</cache-container> </cache-container>
<cache-container name="server" default-cache="default" module="org.wildfly.clustering.server"> <cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
<local-cache name="default"> <local-cache name="default">
<transaction mode="BATCH"/> <transaction mode="BATCH"/>
</local-cache> </local-cache>
</cache-container> </cache-container>
<cache-container name="web" default-cache="passivation" module="org.wildfly.clustering.web.infinispan"> <cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
<local-cache name="passivation"> <local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/> <locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/> <transaction mode="BATCH"/>
@ -460,13 +457,13 @@
</local-cache> </local-cache>
<local-cache name="routing"/> <local-cache name="routing"/>
</cache-container> </cache-container>
<cache-container name="hibernate" module="org.infinispan.hibernate-cache"> <cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
<local-cache name="entity"> <local-cache name="entity">
<object-memory size="10000"/> <heap-memory size="10000"/>
<expiration max-idle="100000"/> <expiration max-idle="100000"/>
</local-cache> </local-cache>
<local-cache name="local-query"> <local-cache name="local-query">
<object-memory size="10000"/> <heap-memory size="10000"/>
<expiration max-idle="100000"/> <expiration max-idle="100000"/>
</local-cache> </local-cache>
<local-cache name="timestamps"/> <local-cache name="timestamps"/>
@ -476,7 +473,7 @@
<worker name="default"/> <worker name="default"/>
<buffer-pool name="default"/> <buffer-pool name="default"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/> <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
<subsystem xmlns="urn:jboss:domain:jca:5.0"> <subsystem xmlns="urn:jboss:domain:jca:5.0">
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/> <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
<bean-validation enabled="true"/> <bean-validation enabled="true"/>
@ -496,7 +493,7 @@
</default-workmanager> </default-workmanager>
<cached-connection-manager/> <cached-connection-manager/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:jgroups:7.0"> <subsystem xmlns="urn:jboss:domain:jgroups:8.0">
<channels default="ee"> <channels default="ee">
<channel name="ee" stack="tcp" cluster="ejb"/> <channel name="ee" stack="tcp" cluster="ejb"/>
</channels> </channels>
@ -533,7 +530,7 @@
<remoting-connector/> <remoting-connector/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:jpa:1.1"> <subsystem xmlns="urn:jboss:domain:jpa:1.1">
<jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/> <jpa default-extended-persistence-inheritance="DEEP"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"> <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>auth</web-context> <web-context>auth</web-context>
@ -609,17 +606,18 @@
<default-provider>default</default-provider> <default-provider>default</default-provider>
<provider name="default" enabled="true"> <provider name="default" enabled="true">
<properties> <properties>
<property name="frontendUrl" value="${keycloak.frontendUrl:}"/> <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
<property name="forceBackendUrlToFrontendUrl" value="false"/> <property name="forceBackendUrlToFrontendUrl" value="true"/>
</properties> </properties>
</provider> </provider>
</spi> </spi>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:mail:3.0"> <subsystem xmlns="urn:jboss:domain:mail:4.0">
<mail-session name="default" jndi-name="java:jboss/mail/Default"> <mail-session name="default" jndi-name="java:jboss/mail/Default">
<smtp-server outbound-socket-binding-ref="mail-smtp"/> <smtp-server outbound-socket-binding-ref="mail-smtp"/>
</mail-session> </mail-session>
</subsystem> </subsystem>
<subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
{% if keycloak_modcluster.enabled %} {% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0"> <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1"> <proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
@ -675,7 +673,7 @@
</maximum-set> </maximum-set>
</deployment-permissions> </deployment-permissions>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:transactions:5.0"> <subsystem xmlns="urn:jboss:domain:transactions:6.0">
<core-environment node-identifier="{{ inventory_hostname | default('${jboss.tx.node.id:1}') }}"> <core-environment node-identifier="{{ inventory_hostname | default('${jboss.tx.node.id:1}') }}">
<process-id> <process-id>
<uuid/> <uuid/>
@ -685,9 +683,7 @@
<coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/> <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<object-store path="tx-object-store" relative-to="jboss.server.data.dir"/> <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host" <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
default-servlet-container="default" default-security-domain="other"
statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/> <buffer-cache name="default"/>
<server name="default-server"> <server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/> <ajp-listener name="ajp" socket-binding="ajp"/>
@ -712,12 +708,6 @@
</filters> </filters>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:weld:4.0"/> <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
<subsystem xmlns="urn:wildfly:microprofile-config-smallrye:1.0"/>
<subsystem xmlns="urn:wildfly:microprofile-health-smallrye:2.0" security-enabled="false"
empty-liveness-checks-status="${env.MP_HEALTH_EMPTY_LIVENESS_CHECKS_STATUS:UP}"
empty-readiness-checks-status="${env.MP_HEALTH_EMPTY_READINESS_CHECKS_STATUS:UP}"/>
<subsystem xmlns="urn:wildfly:microprofile-metrics-smallrye:2.0" security-enabled="false"
exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
</profile> </profile>
<interfaces> <interfaces>
<interface name="management"> <interface name="management">


@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?> <?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:10.0"> <server xmlns="urn:jboss:domain:16.0">
<extensions> <extensions>
<extension module="org.jboss.as.clustering.infinispan"/> <extension module="org.jboss.as.clustering.infinispan"/>
<extension module="org.jboss.as.connector"/> <extension module="org.jboss.as.connector"/>
@ -22,10 +22,9 @@
<extension module="org.wildfly.extension.bean-validation"/> <extension module="org.wildfly.extension.bean-validation"/>
<extension module="org.wildfly.extension.core-management"/> <extension module="org.wildfly.extension.core-management"/>
<extension module="org.wildfly.extension.elytron"/> <extension module="org.wildfly.extension.elytron"/>
<extension module="org.wildfly.extension.health"/>
<extension module="org.wildfly.extension.io"/> <extension module="org.wildfly.extension.io"/>
<extension module="org.wildfly.extension.microprofile.config-smallrye"/> <extension module="org.wildfly.extension.metrics"/>
<extension module="org.wildfly.extension.microprofile.health-smallrye"/>
<extension module="org.wildfly.extension.microprofile.metrics-smallrye"/>
<extension module="org.wildfly.extension.request-controller"/> <extension module="org.wildfly.extension.request-controller"/>
<extension module="org.wildfly.extension.security.manager"/> <extension module="org.wildfly.extension.security.manager"/>
<extension module="org.wildfly.extension.undertow"/> <extension module="org.wildfly.extension.undertow"/>
@ -44,8 +43,7 @@
<security-realm name="ApplicationRealm"> <security-realm name="ApplicationRealm">
<server-identities> <server-identities>
<ssl> <ssl>
<keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
</ssl> </ssl>
</server-identities> </server-identities>
<authentication> <authentication>
@ -130,7 +128,7 @@
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/> <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
<subsystem xmlns="urn:jboss:domain:core-management:1.0"/> <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
<subsystem xmlns="urn:jboss:domain:datasources:5.0"> <subsystem xmlns="urn:jboss:domain:datasources:6.0">
<datasources> <datasources>
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}"> <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url> <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
@ -158,7 +156,7 @@
<subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0"> <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
<deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/> <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:ee:4.0"> <subsystem xmlns="urn:jboss:domain:ee:6.0">
<spec-descriptor-property-replacement>false</spec-descriptor-property-replacement> <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
<concurrent> <concurrent>
<context-services> <context-services>
@ -168,17 +166,15 @@
<managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/> <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
</managed-thread-factories> </managed-thread-factories>
<managed-executor-services> <managed-executor-services>
<managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-threshold="60000" keepalive-time="5000"/> <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
</managed-executor-services> </managed-executor-services>
<managed-scheduled-executor-services> <managed-scheduled-executor-services>
<managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-threshold="60000" keepalive-time="3000"/> <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
</managed-scheduled-executor-services> </managed-scheduled-executor-services>
</concurrent> </concurrent>
<default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default"
managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:ejb3:6.0"> <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
<session-bean> <session-bean>
<stateless> <stateless>
<bean-instance-pool-ref pool-name="slsb-strict-max-pool"/> <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
@ -205,7 +201,7 @@
<file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/> <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
</data-stores> </data-stores>
</timer-service> </timer-service>
<remote connector-ref="http-remoting-connector" thread-pool-name="default"> <remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
<channel-creation-options> <channel-creation-options>
<option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/> <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
</channel-creation-options> </channel-creation-options>
@ -221,130 +217,7 @@
<statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/> <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<log-system-exceptions value="true"/> <log-system-exceptions value="true"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:io:3.0"> <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
<worker name="default"/>
<buffer-pool name="default"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:infinispan:9.0">
<cache-container name="keycloak">
<local-cache name="realms">
<object-memory size="10000"/>
</local-cache>
<local-cache name="users">
<object-memory size="10000"/>
</local-cache>
<local-cache name="sessions"/>
<local-cache name="authenticationSessions"/>
<local-cache name="offlineSessions"/>
<local-cache name="clientSessions"/>
<local-cache name="offlineClientSessions"/>
<local-cache name="loginFailures"/>
<local-cache name="work"/>
<local-cache name="authorization">
<object-memory size="10000"/>
</local-cache>
<local-cache name="keys">
<object-memory size="1000"/>
<expiration max-idle="3600000"/>
</local-cache>
<local-cache name="actionTokens">
<object-memory size="-1"/>
<expiration max-idle="-1" interval="300000"/>
</local-cache>
</cache-container>
<cache-container name="server" default-cache="default" module="org.wildfly.clustering.server">
<local-cache name="default">
<transaction mode="BATCH"/>
</local-cache>
</cache-container>
<cache-container name="web" default-cache="passivation" module="org.wildfly.clustering.web.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
<local-cache name="sso">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
</local-cache>
<local-cache name="routing"/>
</cache-container>
<cache-container name="ejb" aliases="sfsb" default-cache="passivation" module="org.wildfly.clustering.ejb.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
</cache-container>
<cache-container name="hibernate" module="org.infinispan.hibernate-cache">
<local-cache name="entity">
<object-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="local-query">
<object-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="timestamps"/>
</cache-container>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
<subsystem xmlns="urn:jboss:domain:jca:5.0">
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
<bean-validation enabled="true"/>
<default-workmanager>
<short-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</short-running-threads>
<long-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</long-running-threads>
</default-workmanager>
<cached-connection-manager/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
<expose-resolved-model/>
<expose-expression-model/>
<remoting-connector/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jpa:1.1">
<jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:mail:3.0">
<mail-session name="default" jndi-name="java:jboss/mail/Default">
<smtp-server outbound-socket-binding-ref="mail-smtp"/>
</mail-session>
</subsystem>
{% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
</proxy>
</subsystem>
{% endif %}
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
<subsystem xmlns="urn:jboss:domain:security-manager:1.0">
<deployment-permissions>
<maximum-set>
<permission class="java.security.AllPermission"/>
</maximum-set>
</deployment-permissions>
</subsystem>
<subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
<providers> <providers>
<aggregate-providers name="combined-providers"> <aggregate-providers name="combined-providers">
<providers name="elytron"/> <providers name="elytron"/>
@ -402,6 +275,7 @@
<permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/> <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
<permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/> <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
<permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/> <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
<permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
</permission-set> </permission-set>
</permission-sets> </permission-sets>
<http> <http>
@ -443,78 +317,126 @@
</mechanism-provider-filtering-sasl-server-factory> </mechanism-provider-filtering-sasl-server-factory>
<provider-sasl-server-factory name="global"/> <provider-sasl-server-factory name="global"/>
</sasl> </sasl>
<tls>
<key-stores>
<key-store name="applicationKS">
<credential-reference clear-text="password"/>
<implementation type="JKS"/>
<file path="application.keystore" relative-to="jboss.server.config.dir"/>
</key-store>
</key-stores>
<key-managers>
<key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
<credential-reference clear-text="password"/>
</key-manager>
</key-managers>
<server-ssl-contexts>
<server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
</server-ssl-contexts>
</tls>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:security:2.0"> <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
<security-domains> <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
<security-domain name="other" cache-type="default"> <cache-container name="ejb" default-cache="passivation" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
<authentication> <local-cache name="passivation">
<login-module code="Remoting" flag="optional"> <locking isolation="REPEATABLE_READ"/>
<module-option name="password-stacking" value="useFirstPass"/> <transaction mode="BATCH"/>
</login-module> <file-store passivation="true" purge="false"/>
<login-module code="RealmDirect" flag="required"> </local-cache>
<module-option name="password-stacking" value="useFirstPass"/> </cache-container>
</login-module> <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
</authentication> <local-cache name="realms">
</security-domain> <heap-memory size="10000"/>
<security-domain name="jboss-web-policy" cache-type="default"> </local-cache>
<authorization> <local-cache name="users">
<policy-module code="Delegating" flag="required"/> <heap-memory size="10000"/>
</authorization> </local-cache>
</security-domain> <local-cache name="sessions"/>
<security-domain name="jaspitest" cache-type="default"> <local-cache name="authenticationSessions"/>
<authentication-jaspi> <local-cache name="offlineSessions"/>
<login-module-stack name="dummy"> <local-cache name="clientSessions"/>
<login-module code="Dummy" flag="optional"/> <local-cache name="offlineClientSessions"/>
</login-module-stack> <local-cache name="loginFailures"/>
<auth-module code="Dummy"/> <local-cache name="work"/>
</authentication-jaspi> <local-cache name="authorization">
</security-domain> <heap-memory size="10000"/>
<security-domain name="jboss-ejb-policy" cache-type="default"> </local-cache>
<authorization> <local-cache name="keys">
<policy-module code="Delegating" flag="required"/> <heap-memory size="1000"/>
</authorization> <expiration max-idle="3600000"/>
</security-domain> </local-cache>
</security-domains> <local-cache name="actionTokens">
<heap-memory size="-1"/>
<expiration interval="300000" max-idle="-1"/>
</local-cache>
</cache-container>
<cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
<local-cache name="default">
<transaction mode="BATCH"/>
</local-cache>
</cache-container>
<cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
<local-cache name="passivation">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
<file-store passivation="true" purge="false"/>
</local-cache>
<local-cache name="sso">
<locking isolation="REPEATABLE_READ"/>
<transaction mode="BATCH"/>
</local-cache>
<local-cache name="routing"/>
</cache-container>
<cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
<local-cache name="entity">
<heap-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="local-query">
<heap-memory size="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="timestamps"/>
</cache-container>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:transactions:5.0"> <subsystem xmlns="urn:jboss:domain:io:3.0">
<core-environment node-identifier="${jboss.tx.node.id:1}"> <worker name="default"/>
<process-id> <buffer-pool name="default"/>
<uuid/>
</process-id>
</core-environment>
<recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
<coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:weld:4.0"/> <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
<subsystem xmlns="urn:wildfly:microprofile-config-smallrye:1.0"/> <subsystem xmlns="urn:jboss:domain:jca:5.0">
<subsystem xmlns="urn:wildfly:microprofile-health-smallrye:2.0" security-enabled="false" <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
empty-liveness-checks-status="${env.MP_HEALTH_EMPTY_LIVENESS_CHECKS_STATUS:UP}" empty-readiness-checks-status="${env.MP_HEALTH_EMPTY_READINESS_CHECKS_STATUS:UP}"/> <bean-validation enabled="true"/>
<subsystem xmlns="urn:wildfly:microprofile-metrics-smallrye:2.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/> <default-workmanager>
<subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host" <short-running-threads>
default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}"> <core-threads count="50"/>
<buffer-cache name="default"/> <queue-length count="50"/>
<server name="default-server"> <max-threads count="50"/>
<ajp-listener name="ajp" socket-binding="ajp"/> <keepalive-time time="10" unit="seconds"/>
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/> </short-running-threads>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/> <long-running-threads>
<host name="default-host" alias="localhost"> <core-threads count="50"/>
<location name="/" handler="welcome-content"/> <queue-length count="50"/>
<http-invoker security-realm="ApplicationRealm"/> <max-threads count="50"/>
</host> <keepalive-time time="10" unit="seconds"/>
</server> </long-running-threads>
<servlet-container name="default"> </default-workmanager>
<jsp-config/> <cached-connection-manager/>
<websockets/> </subsystem>
</servlet-container> <subsystem xmlns="urn:jboss:domain:jmx:1.3">
<handlers> <expose-resolved-model/>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/> <expose-expression-model/>
</handlers> <remoting-connector/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jpa:1.1">
<jpa default-extended-persistence-inheritance="DEEP"/>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"> <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>auth</web-context> <web-context>auth</web-context>
<providers> <providers>
<provider>classpath:${jboss.home.dir}/providers/*</provider> <provider>
classpath:${jboss.home.dir}/providers/*
</provider>
</providers> </providers>
<master-realm-name>master</master-realm-name> <master-realm-name>master</master-realm-name>
<scheduled-task-interval>900</scheduled-task-interval> <scheduled-task-interval>900</scheduled-task-interval>
@ -583,12 +505,103 @@
<default-provider>default</default-provider> <default-provider>default</default-provider>
<provider name="default" enabled="true"> <provider name="default" enabled="true">
<properties> <properties>
<property name="frontendUrl" value="${keycloak.frontendUrl:}"/> <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
<property name="forceBackendUrlToFrontendUrl" value="false"/> <property name="forceBackendUrlToFrontendUrl" value="true"/>
</properties> </properties>
</provider> </provider>
</spi> </spi>
</subsystem> </subsystem>
<subsystem xmlns="urn:jboss:domain:mail:4.0">
<mail-session name="default" jndi-name="java:jboss/mail/Default">
<smtp-server outbound-socket-binding-ref="mail-smtp"/>
</mail-session>
</subsystem>
<subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
{% if keycloak_modcluster.enabled %}
<subsystem xmlns="urn:jboss:domain:modcluster:5.0">
<proxy name="default" advertise-socket="modcluster" listener="ajp" proxies="proxy1">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
</proxy>
</subsystem>
{% endif %}
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
<subsystem xmlns="urn:jboss:domain:security:2.0">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jaspitest" cache-type="default">
<authentication-jaspi>
<login-module-stack name="dummy">
<login-module code="Dummy" flag="optional"/>
</login-module-stack>
<auth-module code="Dummy"/>
</authentication-jaspi>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
</security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:security-manager:1.0">
<deployment-permissions>
<maximum-set>
<permission class="java.security.AllPermission"/>
</maximum-set>
</deployment-permissions>
</subsystem>
<subsystem xmlns="urn:jboss:domain:transactions:6.0">
<core-environment node-identifier="${jboss.tx.node.id:1}">
<process-id>
<uuid/>
</process-id>
</core-environment>
<recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
<coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/>
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
</subsystem>
<subsystem xmlns="urn:jboss:domain:weld:4.0"/>
</profile> </profile>
<interfaces> <interfaces>
<interface name="management"> <interface name="management">
@ -608,7 +621,7 @@
<socket-binding name="txn-recovery-environment" port="4712"/> <socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/> <socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp"> <outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/> <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
</outbound-socket-binding> </outbound-socket-binding>
{% if keycloak_modcluster.enabled %} {% if keycloak_modcluster.enabled %}
<outbound-socket-binding name="proxy1"> <outbound-socket-binding name="proxy1">


@ -55,6 +55,7 @@ keycloak_jdbc:
keycloak_modcluster: keycloak_modcluster:
enabled: "{{ keycloak_ha_enabled }}" enabled: "{{ keycloak_ha_enabled }}"
reverse_proxy_url: "{{ keycloak_modcluster_url }}" reverse_proxy_url: "{{ keycloak_modcluster_url }}"
frontend_url: "{{ keycloak_frontend_url }}"
# infinispan # infinispan
keycloak_remotecache: keycloak_remotecache: