diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
index 8dbc48d..03433c0 100644
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@@ -3,10 +3,10 @@
 hosts: all
 tasks:
 - name: Disable beta repos
- command: yum config-manager --disable '*beta*'
+ ansible.builtin.command: yum config-manager --disable '*beta*'
 ignore_errors: yes
 - name: Install sudo
- yum:
+ ansible.builtin.yum:
 name: sudo
 state: present
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index 6a7d7f3..0952ba5 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -5,6 +5,6 @@
 - name: Populate service facts
 ansible.builtin.service_facts:
 - name: Check if keycloak service started
- assert:
+ ansible.builtin.assert:
 that:
 - ansible_facts.services["keycloak.service"]["state"] == "running"
diff --git a/playbooks/keycloak.yml b/playbooks/keycloak.yml
index 2bfcac0..4a2706c 100644
--- a/playbooks/keycloak.yml
+++ b/playbooks/keycloak.yml
@@ -5,7 +5,7 @@
 - middleware_automation.keycloak
 tasks:
 - name: Include keycloak role
- include_role:
- name: keycloak
+ ansible.builtin.include_role:
+ name: middleware_automation.keycloak.keycloak
 vars:
 keycloak_admin_password: "changeme"
\ No newline at end of file
diff --git a/playbooks/keycloak_realm.yml b/playbooks/keycloak_realm.yml
index e62f6f3..e7d0259 100644
--- a/playbooks/keycloak_realm.yml
+++ b/playbooks/keycloak_realm.yml
@@ -3,8 +3,8 @@
 hosts: keycloak
 tasks:
 - name: Keycloak Realm Role
- include_role:
- name: keycloak_realm
+ ansible.builtin.include_role:
+ name: middleware_automation.keycloak.keycloak_realm
 vars:
 keycloak_admin_password: "changeme"
 keycloak_realm: TestRealm
diff --git a/playbooks/rhsso.yml b/playbooks/rhsso.yml
index 95382e3..8aa73e9 100644
--- a/playbooks/rhsso.yml
+++ b/playbooks/rhsso.yml
@@ -4,11 +4,11 @@
 collections:
 - middleware_automation.redhat_csp_download
 roles:
- - redhat_csp_download
+ - middleware_automation.redhat_csp_download.redhat_csp_download
 tasks:
 - name: Keycloak Role
- include_role:
- name: keycloak
+ ansible.builtin.include_role:
+ name: middleware_automation.keycloak.keycloak
 vars:
 keycloak_admin_password: "changeme"
 keycloak_rhsso_enable: True
\ No newline at end of file
diff --git a/roles/keycloak/handlers/main.yml b/roles/keycloak/handlers/main.yml
index 6faa06c..1727b6d 100644
--- a/roles/keycloak/handlers/main.yml
+++ b/roles/keycloak/handlers/main.yml
@@ -1,3 +1,3 @@
 ---
 - name: restart keycloak
- include_tasks: restart_keycloak.yml
+ ansible.builtin.include_tasks: restart_keycloak.yml
diff --git a/roles/keycloak/tasks/fastpackages/check.yml b/roles/keycloak/tasks/fastpackages/check.yml
index 4b88e72..c0679dc 100644
--- a/roles/keycloak/tasks/fastpackages/check.yml
+++ b/roles/keycloak/tasks/fastpackages/check.yml
@@ -1,7 +1,7 @@
 ---
 - block:
 - name: "Check if package {{ package_name }} is already installed"
- command: rpm -q {{ package_name }}
+ ansible.builtin.command: rpm -q {{ package_name }}
 args:
 warn: no
 register: rpm_info
@@ -9,6 +9,6 @@
 rescue:
 - name: "Add {{ package_name }} to the yum install list if missing"
- set_fact:
+ ansible.builtin.set_fact:
 packages_to_install: "{{ packages_to_install + [ package_name ] }}"
 when: rpm_info.failed
\ No newline at end of file
diff --git a/roles/keycloak/tasks/fastpackages/install.yml b/roles/keycloak/tasks/fastpackages/install.yml
index 7d36432..41133f4 100644
--- a/roles/keycloak/tasks/fastpackages/install.yml
+++ b/roles/keycloak/tasks/fastpackages/install.yml
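Review bot: `ansible.builtin.command: rpm -q {{ package_name }}` still carries `args: warn: no`, and the `warn` option was removed from the command module in ansible-core 2.14, so on a current core the task fails with an unsupported-parameter error before `rpm -q` runs, and because the rescue keys off `rpm_info.failed` every package would land in the install list. Drop the `args:`/`warn: no` pair. The query is also read-only yet reports changed on every run; add `changed_when: false` (the rescue only depends on `failed`, which this does not affect). The enclosing block continues into the second hunk of this file.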
@@ -1,18 +1,18 @@
 ---
 - name: Set facts
- set_fact:
+ ansible.builtin.set_fact:
 update_cache: true
 packages_to_install: []
 - name: "Check packages to be installed"
- include_tasks: check.yml
+ ansible.builtin.include_tasks: check.yml
 loop: "{{ packages_list | flatten }}"
 loop_control:
 loop_var: package_name
 - name: "Install packages: {{ packages_to_install }}"
 become: yes
- yum:
+ ansible.builtin.yum:
 name: "{{ packages_to_install }}"
 state: present
 when: packages_to_install | length > 0
\ No newline at end of file
diff --git a/roles/keycloak/tasks/firewalld.yml b/roles/keycloak/tasks/firewalld.yml
index e05c58f..1703ae9 100644
--- a/roles/keycloak/tasks/firewalld.yml
+++ b/roles/keycloak/tasks/firewalld.yml
@@ -7,7 +7,7 @@
 - name: Enable and start the firewalld service
 become: yes
- systemd:
+ ansible.builtin.systemd:
 name: firewalld
 enabled: yes
 state: started
diff --git a/roles/keycloak/tasks/install.yml b/roles/keycloak/tasks/install.yml
index 145d0a2..7698719 100644
--- a/roles/keycloak/tasks/install.yml
+++ b/roles/keycloak/tasks/install.yml
@@ -1,6 +1,6 @@
 ---
 - name: Validate parameters
- assert:
+ ansible.builtin.assert:
 that:
 - keycloak_jboss_home is defined
 - keycloak_service_user is defined
@@ -12,7 +12,7 @@
 - name: Check for an existing deployment
 become: yes
- stat:
+ ansible.builtin.stat:
 path: "{{ keycloak_jboss_home }}"
 register: existing_deploy
@@ -20,24 +20,24 @@
 - name: Stop the old keycloak service
 become: yes
 ignore_errors: yes
- systemd:
+ ansible.builtin.systemd:
 name: keycloak
 state: stopped
 - name: Remove the old Keycloak deployment
 become: yes
- file:
+ ansible.builtin.file:
 path: "{{ keycloak_jboss_home }}"
 state: absent
 when: existing_deploy.stat.exists and keycloak_force_install|bool
 - name: check for an existing deployment after possible forced removal
 become: yes
- stat:
+ ansible.builtin.stat:
 path: "{{ keycloak_jboss_home }}"
 - name: create Keycloak service user/group
 become: yes
- user:
+ ansible.builtin.user:
 name: "{{ keycloak_service_user }}"
 home: /opt/keycloak
 system: yes
@@ -45,7 +45,7 @@
 - name: create Keycloak install location
 become: yes
- file:
+ ansible.builtin.file:
 dest: "{{ keycloak_dest }}"
 state: directory
 owner: "{{ keycloak_service_user }}"
@@ -54,23 +54,23 @@
 ## check remote archive
 - name: Set download archive path
- set_fact:
+ ansible.builtin.set_fact:
 archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"
 - name: Check download archive path
- stat:
+ ansible.builtin.stat:
 path: "{{ archive }}"
 register: archive_path
 ## download to controller
 - name: Check local download archive path
- stat:
+ ansible.builtin.stat:
 path: "{{ lookup('env', 'PWD') }}"
 register: local_path
 delegate_to: localhost
 - name: Download keycloak archive
- get_url:
+ ansible.builtin.get_url:
 url: "{{ keycloak_download_url }}"
 dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
 delegate_to: localhost
@@ -82,7 +82,7 @@
 - not keycloak_offline_install
 - name: Perform download from RHN
- redhat_csp_download:
+ middleware_automation.redhat_csp_download.redhat_csp_download:
 url: "{{ keycloak_rhsso_download_url }}"
 dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
 username: "{{ rhn_username }}"
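Review bot: The `check for an existing deployment after possible forced removal` stat has no `register:`, so its result is discarded and everything downstream can only see `existing_deploy`, which was captured before the `state: absent` task ran. Either add `register: existing_deploy` to refresh that variable after the removal, or delete the task, since as written it is a no-op round trip to the host.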
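Review bot: `ansible.builtin.get_url` in `Download keycloak archive` sets `url:` and `dest:` but nothing in the hunk pins a `checksum:`; the task continues past the hunk, so if the remaining lines do not set one either, the archive that is later unpacked and run as the service is accepted on the strength of the URL alone. Consider a documented variable for it, e.g. `checksum: "{{ keycloak_download_checksum }}"`, with a default the role maintainers publish per release. The same gap appears on `Download rhsso archive from alternate location` in the `@@ -98` hunk of this file.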
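Review bot: The RHN download task keeps `username: "{{ rhn_username }}"` with no `no_log`, while this same commit adds `no_log: True` to the token-fetching tasks in `roles/keycloak_realm`; the task continues past the hunk and presumably carries `password: "{{ rhn_password }}"`, so a module failure or `-v` run prints the credential. Add `no_log: true` here. The same omission remains on the other credential-bearing tasks this commit touches but leaves unmasked: `Check admin credentials by generating a token` (its `body:` visibly embeds `keycloak_admin_password`) and the `add-user-keycloak.sh` command in `roles/keycloak/tasks/main.yml`, and `Create User` / `Update User Password` in `roles/keycloak_realm/tasks/manage_user.yml`, whose bodies start outside their hunks and should be checked for a password before masking.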
@@ -98,7 +98,7 @@
 - keycloak_rhn_url in keycloak_rhsso_download_url
 - name: Download rhsso archive from alternate location
- get_url:
+ ansible.builtin.get_url:
 url: "{{ keycloak_rhsso_download_url }}"
 dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
 delegate_to: localhost
@@ -111,14 +111,14 @@
 - not keycloak_rhn_url in keycloak_rhsso_download_url
 - name: Check downloaded archive
- stat:
+ ansible.builtin.stat:
 path: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
 register: local_archive_path
 delegate_to: localhost
 ## copy and unpack
 - name: Copy archive to target nodes
- copy:
+ ansible.builtin.copy:
 src: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
 dest: "{{ archive }}"
 owner: "{{ keycloak_service_user }}"
@@ -132,13 +132,13 @@
 become: yes
 - name: "Check target directory: {{ keycloak.home }}"
- stat:
+ ansible.builtin.stat:
 path: "{{ keycloak.home }}"
 register: path_to_workdir
 become: yes
 - name: "Extract {{ 'Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Keycloak' }} archive on target"
- unarchive:
+ ansible.builtin.unarchive:
 remote_src: yes
 src: "{{ archive }}"
 dest: "{{ keycloak_dest }}"
@@ -152,13 +152,13 @@
 - restart keycloak
 - name: Inform decompression was not executed
- debug:
+ ansible.builtin.debug:
 msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
 when:
 - not new_version_downloaded.changed and path_to_workdir.stat.exists
 - name: "Reown installation directory to {{ keycloak_service_user }}"
- file:
+ ansible.builtin.file:
 path: "{{ keycloak.home }}"
 owner: "{{ keycloak_service_user }}"
 group: "{{ keycloak_service_group }}"
@@ -168,8 +168,8 @@
 # driver and configuration
 - name: "Install {{ keycloak_jdbc_engine }} driver"
- include_role:
- name: wildfly_driver
+ ansible.builtin.include_role:
+ name: middleware_automation.wildfly.wildfly_driver
 vars:
 wildfly_user: "{{ keycloak_service_user }}"
 jdbc_driver_module_dir: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
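Review bot: `name: middleware_automation.wildfly.wildfly_driver` now pulls a role from a different collection, so `middleware_automation.wildfly` has to be declared under `dependencies` in this collection's galaxy.yml (and in any requirements file the molecule scenario installs from), otherwise the include fails at runtime with a role-not-found error; neither file is in this diff, so please confirm. The `middleware_automation.redhat_csp_download.redhat_csp_download` module reference in the `@@ -82` hunk carries the same requirement for its collection.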
@@ -182,7 +182,7 @@
 - name: "Deploy {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
 become: yes
- template:
+ ansible.builtin.template:
 src: templates/standalone.xml.j2
 dest: "{{ keycloak_config_path_to_standalone_xml }}"
 owner: "{{ keycloak_service_user }}"
@@ -194,7 +194,7 @@
 - name: "Deploy {{ keycloak.service_name }} config with remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
 become: yes
- template:
+ ansible.builtin.template:
 src: templates/standalone-infinispan.xml.j2
 dest: "{{ keycloak_config_path_to_standalone_xml }}"
 owner: "{{ keycloak_service_user }}"
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml
index ce8d12d..ba8185f 100644
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -2,25 +2,25 @@
 # tasks file for keycloak
 - name: Check prerequisites
- include_tasks: prereqs.yml
+ ansible.builtin.include_tasks: prereqs.yml
 tags:
 - prereqs
 - name: Include install tasks
- include_tasks: tasks/install.yml
+ ansible.builtin.include_tasks: tasks/install.yml
 - name: Include systemd tasks
- include_tasks: tasks/systemd.yml
+ ansible.builtin.include_tasks: tasks/systemd.yml
 - name: Link default logs directory
- file:
+ ansible.builtin.file:
 state: link
 src: "{{ keycloak_jboss_home }}/standalone/log"
 dest: /var/log/keycloak
 - block:
 - name: Check admin credentials by generating a token
- uri:
+ ansible.builtin.uri:
 url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
 method: POST
 body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
@@ -31,7 +31,7 @@
 delay: 2
 rescue:
 - name: "Create {{ keycloak.service_name }} admin user"
- command:
+ ansible.builtin.command:
 args:
 argv:
 - "{{ keycloak_jboss_home }}/bin/add-user-keycloak.sh"
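Review bot: `Link default logs directory` writes `dest: /var/log/keycloak` with no `become: yes`, and every line of that task is inside the hunk, whereas the install and systemd tasks and the `add-user-keycloak.sh` rescue command all escalate; unless `become` is set at play or role level, creating that symlink fails for an unprivileged connection user. Add `become: yes` beside `ansible.builtin.file:` to match the neighbouring tasks.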
@@ -41,9 +41,9 @@
 changed_when: yes
 become: yes
 - name: "Restart {{ keycloak.service_name }}"
- include_tasks: tasks/restart_keycloak.yml
+ ansible.builtin.include_tasks: tasks/restart_keycloak.yml
 - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
- uri:
+ ansible.builtin.uri:
 url: "{{ keycloak.health_url }}"
 register: keycloak_status
 until: keycloak_status.status == 200
diff --git a/roles/keycloak/tasks/prereqs.yml b/roles/keycloak/tasks/prereqs.yml
index bb1c44b..0fbe6c1 100644
--- a/roles/keycloak/tasks/prereqs.yml
+++ b/roles/keycloak/tasks/prereqs.yml
@@ -1,6 +1,6 @@
 ---
 - name: Validate configuration
- assert:
+ ansible.builtin.assert:
 that:
 - (keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and not keycloak_db_enabled)
 quiet: True
@@ -8,7 +8,7 @@
 success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"
 - name: Validate credentials
- assert:
+ ansible.builtin.assert:
 that:
 - (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
 - (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
@@ -17,7 +17,7 @@
 success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
 - name: Set required packages facts
- set_fact:
+ ansible.builtin.set_fact:
 required_packages:
 - "{{ jvm_package }}"
 - unzip
diff --git a/roles/keycloak/tasks/restart_keycloak.yml b/roles/keycloak/tasks/restart_keycloak.yml
index 774d14d..255cb22 100644
--- a/roles/keycloak/tasks/restart_keycloak.yml
+++ b/roles/keycloak/tasks/restart_keycloak.yml
@@ -1,6 +1,6 @@
 ---
 - name: "Restart and enable keycloack service"
- systemd:
+ ansible.builtin.systemd:
 name: keycloak
 enabled: yes
 state: restarted
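Review bot: The task name `"Restart and enable keycloack service"` misspells keycloak, and since this is the line operators see in every play output it is worth fixing alongside the FQCN change: `- name: "Restart and enable keycloak service"`. While touching the task, `enabled: yes` is a YAML 1.1 truthy that yamllint flags; `enabled: true` is the canonical form and is what the rest of the role should converge on.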
diff --git a/roles/keycloak/tasks/stop_keycloak.yml b/roles/keycloak/tasks/stop_keycloak.yml
index d6203b2..2f76c9d 100644
--- a/roles/keycloak/tasks/stop_keycloak.yml
+++ b/roles/keycloak/tasks/stop_keycloak.yml
@@ -1,6 +1,6 @@
 ---
 - name: "Stop SSO service"
- systemd:
+ ansible.builtin.systemd:
 name: keycloak
 enabled: yes
 state: stopped
diff --git a/roles/keycloak/tasks/systemd.yml b/roles/keycloak/tasks/systemd.yml
index 69a23ab..eff55cc 100644
--- a/roles/keycloak/tasks/systemd.yml
+++ b/roles/keycloak/tasks/systemd.yml
@@ -1,6 +1,6 @@
 - name: configure keycloak service script wrapper
 become: yes
- template:
+ ansible.builtin.template:
 src: keycloak-service.sh.j2
 dest: "{{ keycloak_dest }}/keycloak-service.sh"
 owner: root
@@ -11,7 +11,7 @@
 - name: configure sysconfig file for keycloak service
 become: yes
- template:
+ ansible.builtin.template:
 src: keycloak-sysconfig.j2
 dest: /etc/sysconfig/keycloak
 owner: root
@@ -21,7 +21,7 @@
 - restart keycloak
 - name: configure systemd unit file for keycloak service
- template:
+ ansible.builtin.template:
 src: keycloak.service.j2
 dest: /etc/systemd/system/keycloak.service
 owner: root
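Review bot: `Stop SSO service` pairs `state: stopped` with `enabled: yes`, so a task whose name promises only to stop the unit also turns it on at boot as a side effect. If the intent is just to stop, drop `enabled: yes`; if the intent is to disable as well, make that explicit with `enabled: false`. Either way prefer `true`/`false` over the YAML 1.1 `yes`/`no`.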
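Review bot: `configure systemd unit file for keycloak service` writes `dest: /etc/systemd/system/keycloak.service` but, unlike the two template tasks above it, shows no `become: yes`; the task continues past the hunk (lines 28–33 are not shown), so if `become` is not set there, the write fails for a non-root connection user. Add `become: yes` next to `ansible.builtin.template:` if it is indeed missing. This file also lacks the `---` document start its siblings have.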
@@ -34,33 +34,33 @@
 - name: reload systemd
 become: yes
- systemd:
+ ansible.builtin.systemd:
 daemon_reload: yes
 when: systemdunit.changed
 - name: start keycloak
- systemd:
+ ansible.builtin.systemd:
 name: keycloak
 enabled: yes
 state: started
 become: yes
 - name: Check service status
- command: "systemctl status keycloak"
+ ansible.builtin.command: "systemctl status keycloak"
 register: keycloak_service_status
 changed_when: False
 - name: Verify service status
- assert:
+ ansible.builtin.assert:
 that:
 - keycloak_service_status is defined
 - keycloak_service_status.stdout is defined
 - name: Flush handlers
- meta: flush_handlers
+ ansible.builtin.meta: flush_handlers
 - name: "Wait until Keycloak becomes active {{ keycloak.health_url }}"
- uri:
+ ansible.builtin.uri:
 url: "{{ keycloak.health_url }}"
 register: keycloak_status
 until: keycloak_status.status == 200
diff --git a/roles/keycloak_realm/tasks/main.yml b/roles/keycloak_realm/tasks/main.yml
index b93096e..8659fd3 100644
--- a/roles/keycloak_realm/tasks/main.yml
+++ b/roles/keycloak_realm/tasks/main.yml
@@ -1,17 +1,18 @@
 ---
 - name: Generate keycloak auth token
- uri:
+ ansible.builtin.uri:
 url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
 method: POST
 body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
 validate_certs: no
+ no_log: True
 register: keycloak_auth_response
 until: keycloak_auth_response.status == 200
 retries: 5
 delay: 2
 - name: "Determine if realm exists"
- uri:
+ ansible.builtin.uri:
 url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}"
 method: GET
 status_code:
@@ -23,7 +24,7 @@
 register: keycloak_realm_exists
 - name: Create Realm
- uri:
+ ansible.builtin.uri:
 url: "{{ keycloak_url }}/auth/admin/realms"
 method: POST
 body: "{{ lookup('template','realm.json.j2') }}"
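Review bot: `Verify service status` asserts only `keycloak_service_status is defined` and `keycloak_service_status.stdout is defined`, both of which are always true once the preceding `register:` has run, so the assert cannot fail and verifies nothing; a non-zero exit from `systemctl status keycloak` already fails `Check service status` on its own. Either drop the assert or have it check the command output, e.g. `- "'active (running)' in keycloak_service_status.stdout"`, and write `changed_when: false` rather than the YAML 1.1 `False`.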
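Review bot: The added `no_log: True` on `Generate keycloak auth token` is the right call, since `body:` embeds `keycloak_admin_password`, but the same request keeps `validate_certs: no`, so the admin password is posted to an endpoint whose server identity is never verified. Make verification the default with an explicit opt-out, e.g. `validate_certs: "{{ keycloak_validate_certs | default(true) }}"`, and apply it to the other `validate_certs: no` lines in this role. Lowercase `no_log: true` also keeps yamllint's truthy rule quiet and matches the `true` already used elsewhere in the commit.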
@@ -47,6 +48,7 @@
 provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}"
 config: "{{ item.config }}"
 mappers: "{{ item.mappers | default(omit) }}"
+ no_log: True
 register: create_user_federation_result
 loop: "{{ keycloak_user_federation | flatten }}"
 when: keycloak_user_federation is defined
@@ -78,19 +80,20 @@
 public_client: "{{ item.public_client | default(False) }}"
 protocol: "{{ item.protocol | default(omit) }}"
 state: present
+ no_log: True
 register: create_client_result
 loop: "{{ keycloak_clients | flatten }}"
 when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined)
 - name: Create client roles
- include_tasks: manage_client_roles.yml
+ ansible.builtin.include_tasks: manage_client_roles.yml
 loop: "{{ keycloak_clients | flatten }}"
 loop_control:
 loop_var: client
 when: "'roles' in client"
 - name: Create client users
- include_tasks: manage_client_users.yml
+ ansible.builtin.include_tasks: manage_client_users.yml
 loop: "{{ keycloak_clients | flatten }}"
 loop_control:
 loop_var: client
diff --git a/roles/keycloak_realm/tasks/manage_client_roles.yml b/roles/keycloak_realm/tasks/manage_client_roles.yml
index d7fca8d..dd47eb3 100644
--- a/roles/keycloak_realm/tasks/manage_client_roles.yml
+++ b/roles/keycloak_realm/tasks/manage_client_roles.yml
@@ -10,3 +10,4 @@
 auth_password: "{{ keycloak_admin_password }}"
 state: present
 loop: "{{ client.roles | flatten }}"
+ no_log: True
diff --git a/roles/keycloak_realm/tasks/manage_client_users.yml b/roles/keycloak_realm/tasks/manage_client_users.yml
index e6f5153..ed9fb03 100644
--- a/roles/keycloak_realm/tasks/manage_client_users.yml
+++ b/roles/keycloak_realm/tasks/manage_client_users.yml
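Review bot: Three lines above the new `no_log: True`, `default(org.keycloak.storage.UserStorageProvider)` passes an unquoted dotted name, which Jinja evaluates as attribute lookups on an undefined variable `org` rather than as the literal class name, so whenever `item.provider_type` is omitted the default is undefined instead of the intended string; it should read `default('org.keycloak.storage.UserStorageProvider')`. The added `no_log: True` on this looped task also hides which `item` failed, which hurts for a federation provider whose `config:` is free-form; a toggle such as `no_log: "{{ keycloak_no_log | default(true) }}"` keeps secrets out of normal output while letting an operator debug deliberately. The same toggle would suit the `no_log: True` added to the client-creation task in the next hunk. The enclosing task starts outside this hunk.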
@@ -1,12 +1,12 @@
 ---
 - name: Manage Users
- include_tasks: manage_user.yml
+ ansible.builtin.include_tasks: manage_user.yml
 loop: "{{ client.users | flatten }}"
 loop_control:
 loop_var: user
 - name: Manage User Roles
- include_tasks: manage_user_roles.yml
+ ansible.builtin.include_tasks: manage_user_roles.yml
 loop: "{{ client.users | flatten }}"
 loop_control:
 loop_var: user
diff --git a/roles/keycloak_realm/tasks/manage_user.yml b/roles/keycloak_realm/tasks/manage_user.yml
index c98ae90..d304e13 100644
--- a/roles/keycloak_realm/tasks/manage_user.yml
+++ b/roles/keycloak_realm/tasks/manage_user.yml
@@ -1,6 +1,6 @@
 ---
 - name: "Check if User Already Exists"
- uri:
+ ansible.builtin.uri:
 url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
 validate_certs: no
 headers:
@@ -8,7 +8,7 @@
 register: keycloak_user_search_result
 - name: "Create User"
- uri:
+ ansible.builtin.uri:
 url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users"
 method: POST
 body:
@@ -26,7 +26,7 @@
 when: keycloak_user_search_result.json | length == 0
 - name: "Get User"
- uri:
+ ansible.builtin.uri:
 url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
 validate_certs: no
 headers:
@@ -34,7 +34,7 @@
 register: keycloak_user
 - name: "Update User Password"
- uri:
+ ansible.builtin.uri:
 url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users/{{ (keycloak_user.json | first).id }}/reset-password"
 method: PUT
 body:
diff --git a/roles/keycloak_realm/tasks/manage_user_client_roles.yml b/roles/keycloak_realm/tasks/manage_user_client_roles.yml
index 562ff09..f29bbc6 100644
--- a/roles/keycloak_realm/tasks/manage_user_client_roles.yml
+++ b/roles/keycloak_realm/tasks/manage_user_client_roles.yml
@@ -1,6 +1,6 @@
 ---
 - name: "Get Realm for role"
- uri:
+ ansible.builtin.uri:
 url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}"
 method: GET
 status_code:
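Review bot: `url: "...{{ keycloak_realm }}/users?username={{ user.username }}"` in `Check if User Already Exists` drops the username straight into a query string, so a username containing `&`, `#`, `+` or a space changes or truncates the query and the existence check silently answers for a different user, after which `Create User` runs on `length == 0`. Use `username={{ user.username | urlencode }}` here and in the identical `Get User` URL in the `@@ -26` hunk of this file. The task header lines are all the hunk shows, so the rest of each request is outside view.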
@@ -11,7 +11,7 @@
 register: client_role_realm
 - name: Check if Mapping is available
- uri:
+ ansible.builtin.uri:
 url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
 method: GET
 status_code:
@@ -22,7 +22,7 @@
 register: client_role_user_available
 - name: "Create Role Mapping"
- uri:
+ ansible.builtin.uri:
 url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}"
 method: POST
 body:
diff --git a/roles/keycloak_realm/tasks/manage_user_roles.yml b/roles/keycloak_realm/tasks/manage_user_roles.yml
index 4cc6f09..2d50f8b 100644
--- a/roles/keycloak_realm/tasks/manage_user_roles.yml
+++ b/roles/keycloak_realm/tasks/manage_user_roles.yml
@@ -1,6 +1,6 @@
 ---
 - name: "Get User {{ user.username }}"
- uri:
+ ansible.builtin.uri:
 url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
 headers:
 validate_certs: no
@@ -8,18 +8,19 @@
 register: keycloak_user
 - name: Refresh keycloak auth token
- uri:
+ ansible.builtin.uri:
 url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
 method: POST
 body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
 validate_certs: no
 register: keycloak_auth_response
+ no_log: True
 until: keycloak_auth_response.status == 200
 retries: 5
 delay: 2
 - name: "Manage Client Role Mapping for {{ user.username }}"
- include_tasks: manage_user_client_roles.yml
+ ansible.builtin.include_tasks: manage_user_client_roles.yml
 loop: "{{ user.client_roles | flatten }}"
 loop_control:
 loop_var: client_role
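Review bot: In `Get User {{ user.username }}`, `validate_certs: no` follows `headers:` instead of preceding it as in `manage_user.yml`; the hunk ends at line 6 and line 8 is `register:`, so the unseen line 7 is presumably the `Authorization` header, which can only nest under `headers:` if `validate_certs: no` nests there too — in which case it is sent as an HTTP header and TLS verification silently stays on for this one request, while a null `headers:` would instead mean an unauthenticated admin call. Please check the indentation in the file and move `validate_certs: no` above `headers:` if it is nested.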
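Review bot: The new `no_log: True` is slotted between `register:` and `until:`, splitting the retry keywords that belong together, while the same commit puts it before `register:` in `roles/keycloak_realm/tasks/main.yml`; pick one placement for the role, e.g. directly after `validate_certs: no`. As with the token task in main.yml, the request posts `keycloak_admin_password` over `validate_certs: no`, so the verify-by-default treatment suggested there applies here too.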