Extract vars, template fixes, add README

molecule/default/converge.yml

@@ -6,3 +6,5 @@
     - name: Include keycloak role
       include_role:
         name: ../../roles/keycloak
+      vars:
+        keycloak_admin_password: "changeme"

molecule/default/verify.yml

@@ -4,7 +4,7 @@
   tasks:
     - name: Populate service facts
       ansible.builtin.service_facts:
-    - name: Check if infinispan service started
+    - name: Check if keycloak service started
       assert:
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"

playbooks/keycloak.yml

@@ -9,3 +9,5 @@
     - name: Keycloak Role
       include_role:
         name: keycloak
+      vars:
+        keycloak_admin_password: "changeme"

roles/keycloak/README.md

@@ -0,0 +1,75 @@
+keycloak
+========
+
+Install [keycloak](https://keycloak.org/) or [Red Hat Single Sing-On](https://access.redhat.com/products/red-hat-single-sign-on) server configurations.
+
+
+Role Defaults
+-------------
+
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+|`keycloak_ha_enabled`| enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
+|`keycloak_admin_user`| Administration console user account | `admin` |
+
+
+Role Variables
+--------------
+
+The following are a set of required variables for the role:
+
+| Variable | Description |
+|:---------|:------------|
+|`keycloak_admin_password`| Password for the administration console user account |
+
+The following variables are required when keycloak_ha_enabled is True:
+
+| Variable | Description | Default |
+|:---------|:------------|:---------|
+|`keycloak_modcluster_url` | URL for the modcluster reverse proxy | `localhost` |
+|`postgres_jdbc_url` | URL for the postgres backend database | `jdbc:postgresql://localhost:5432/keycloak` |
+|`postgres_db_user` | username for connecting to postgres | `keycloak-user` |
+|`postgres_db_pass` | password for connecting to postgres | `keycloak-pass` |
+|`infinispan_url` | URL for the infinispan remote-cache server | `localhost:11122` |
+|`infinispan_user` | username for connecting to infinispan | `supervisor` |
+|`infinispan_pass` | password for connecting to infinispan | `supervisor` |
+
+
+Dependencies
+------------
+
+The roles depends on:
+
+* the redhat_csp_download role of [middleware_automation.redhat_csp_download](https://github.com/ansible-middleware/redhat-csp-download) collection
+* the jcliff role of [middleware_automation.jcliff](https://github.com/ansible-middleware/ansible_collections_jcliff) collection
+
+
+Example Playbook
+----------------
+
+The following is an example playbook that makes use of the role to install keycloak
+
+```yaml
+---
+- hosts: ...
+      collections:
+        - middleware_automation.keycloak
+      tasks:
+        - name: Include keycloak role
+          include_role:
+            name: keycloak
+          vars:
+            keycloak_admin_password: "changeme"
+```
+
+License
+-------
+
+Apache License 2.0
+
+
+Author Information
+------------------
+
+* [Guido Grazioli](https://github.com/guidograzioli)
+* [Romain Pelisse](https://github.com/rpelisse)

roles/keycloak/defaults/main.yml

@@ -38,7 +38,6 @@ keycloak_ha_enabled: False
 
 # keycloak administration console user
 keycloak_admin_user: admin
-keycloak_admin_password: "password"
 
 keycloak_auth_realm: master
 keycloak_auth_client: admin-cli
@@ -47,14 +46,14 @@ keycloak_force_install: False
 
 keycloak_modcluster:
   enabled: "{{ keycloak_ha_enabled }}"
-  reverse_proxy_url: jbcs-0
+  reverse_proxy_url: "{{ keycloak_modcluster_url | default('localhost') }}"
 
 keycloak_remotecache:
   enabled: "{{ keycloak_ha_enabled }}"
-  username: supervisor
+  username: "{{ infinispan_user | default('supervisor') }}"
-  password: itsme
+  password: "{{ infinispan_pass | default('supervisor') }}"
   realm: default
-  server_name: jdg-1
+  server_name: "{{ infinispan_url | default('localhost') }}"
   trust_store_path: /path/to/jks/keystore
   trust_store_password: changeme
 
@@ -66,6 +65,6 @@ keycloak_jdbc:
     driver_version: 9.4.1212
     driver_jar_filename: "postgresql-9.4.1212.jar"
     driver_jar_url: "https://repo.maven.apache.org/maven2/org/postgresql/postgresql/9.4.1212/postgresql-9.4.1212.jar"
-    connection_url: "jdbc:postgresql://pgsql-0:5432/keycloak"
+    connection_url: "{{ postgres_jdbc_url | default('jdbc:postgresql://localhost:5432/keycloak') }}"
-    db_user: "keycloak-user"
+    db_user: "{{ postgres_db_user | default('keycloak-user') }}"
-    db_password: "keycloak-pass"
+    db_password: "{{ postgres_db_pass | default('keycloak-pass') }}"

roles/keycloak/tasks/firewalld.yml

@@ -14,7 +14,7 @@
 
 - name: Configure firewall for jdg ports
   become: yes
-  ansible.posix.firewalld:
+  firewalld:
     port: "{{ item }}"
     permanent: true
     state: enabled
@@ -22,4 +22,6 @@
   loop:
     - "{{ keycloak_http_port }}/tcp"
     - "{{ keycloak_https_port }}/tcp"
+    - "{{ keycloak_management_http_port }}/tcp"
+    - "{{ keycloak_management_https_port }}/tcp"
     - "8009/tcp"

roles/keycloak/templates/standalone-infinispan.xml.j2

@@ -709,11 +709,11 @@
         </outbound-socket-binding>
 {% if keycloak_modcluster.enabled %}        
         <outbound-socket-binding name="proxy1">
-            <remote-destination host="{{ (groups['jbcs'][0] if groups['jbcs'] | length > 0 else 'localhost') }}" port="6666"/>
+            <remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
         </outbound-socket-binding>
 {% endif %}
         <outbound-socket-binding name="remote-cache">
-            <remote-destination host="{{ (groups['jdg'][0] if groups['jdg'] | length > 0 else 'localhost') }}" port="${remote.cache.port:11222}"/>
+            <remote-destination host="{{ keycloak_remotecache.server_name | default('localhost') }}" port="${remote.cache.port:11222}"/>
         </outbound-socket-binding>
     </socket-binding-group>
 </server>

roles/keycloak/templates/standalone-rhsso-jdg.xml.j2

@@ -709,11 +709,11 @@
         </outbound-socket-binding>
 {% if keycloak_modcluster.enabled %}            
         <outbound-socket-binding name="proxy1">
-            <remote-destination host="{{ (groups['jbcs'][0] if groups['jbcs'] | length > 0 else 'localhost') }}" port="6666"/>
+            <remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
         </outbound-socket-binding>
 {% endif %}        
         <outbound-socket-binding name="remote-cache">
-            <remote-destination host="{{ (groups['jdg'][0] if groups['jdg'] | length > 0 else 'localhost') }}" port="${remote.cache.port:11222}"/>
+            <remote-destination host="{{ keycloak_remotecache.server_name | default('localhost') }}" port="${remote.cache.port:11222}"/>
         </outbound-socket-binding>
     </socket-binding-group>
 </server>

roles/keycloak/templates/standalone-rhsso.xml.j2

@@ -625,7 +625,7 @@
         </outbound-socket-binding>
 {% if keycloak_modcluster.enabled %}        
         <outbound-socket-binding name="proxy1">
-            <remote-destination host="{{ (groups['jbcs'][0] if groups['jbcs'] | length > 0 else 'localhost') }}" port="6666"/>
+            <remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
         </outbound-socket-binding>
 {% endif %}        
     </socket-binding-group>

roles/keycloak/templates/standalone.xml.j2

@@ -607,7 +607,7 @@
         </outbound-socket-binding>
 {% if keycloak_modcluster.enabled %}
         <outbound-socket-binding name="proxy1">
-            <remote-destination host="{{ (groups['jbcs'][0] if groups['jbcs'] | length > 0 else 'localhost') }}" port="6666"/>
+            <remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
         </outbound-socket-binding>
 {% endif %}        
     </socket-binding-group>

roles/keycloak/vars/main.yml

@@ -1,2 +1,3 @@
 ---
 # vars file for keycloak
+keycloak_admin_password: