guillaume
/
ansible-keycloak
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: use FQCN

main
Guido Grazioli 2022-02-24 15:00:10 +01:00
parent 73bbca9fc1
commit b90684a44a
No known key found for this signature in database
GPG Key ID: 22C8C31EF2BC093B
21 changed files with 84 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
molecule/default/prepare.yml
View File

@ -3,10 +3,10 @@
hosts: all
tasks:
- name: Disable beta repos
command: yum config-manager --disable '*beta*'
ansible.builtin.command: yum config-manager --disable '*beta*'
ignore_errors: yes
- name: Install sudo
yum:
ansible.builtin.yum:
name: sudo
state: present

2
molecule/default/verify.yml
View File

@ -5,6 +5,6 @@
- name: Populate service facts
ansible.builtin.service_facts:
- name: Check if keycloak service started
assert:
ansible.builtin.assert:
that:
- ansible_facts.services["keycloak.service"]["state"] == "running"

4
playbooks/keycloak.yml
View File

@ -5,7 +5,7 @@
- middleware_automation.keycloak
tasks:
- name: Include keycloak role
include_role:
name: keycloak
ansible.builtin.include_role:
name: middleware_automation.keycloak.keycloak
vars:
keycloak_admin_password: "changeme"

4
playbooks/keycloak_realm.yml
View File

@ -3,8 +3,8 @@
hosts: keycloak
tasks:
- name: Keycloak Realm Role
include_role:
name: keycloak_realm
ansible.builtin.include_role:
name: middleware_automation.keycloak.keycloak_realm
vars:
keycloak_admin_password: "changeme"
keycloak_realm: TestRealm

6
playbooks/rhsso.yml
View File

@ -4,11 +4,11 @@
collections:
- middleware_automation.redhat_csp_download
roles:
- redhat_csp_download
- middleware_automation.redhat_csp_download.redhat_csp_download
tasks:
- name: Keycloak Role
include_role:
name: keycloak
ansible.builtin.include_role:
name: middleware_automation.keycloak.keycloak
vars:
keycloak_admin_password: "changeme"
keycloak_rhsso_enable: True

2
roles/keycloak/handlers/main.yml
View File

@ -1,3 +1,3 @@
---
- name: restart keycloak
include_tasks: restart_keycloak.yml
ansible.builtin.include_tasks: restart_keycloak.yml

4
roles/keycloak/tasks/fastpackages/check.yml
View File

@ -1,7 +1,7 @@
---
- block:
- name: "Check if package {{ package_name }} is already installed"
command: rpm -q {{ package_name }}
ansible.builtin.command: rpm -q {{ package_name }}
args:
warn: no
register: rpm_info
@ -9,6 +9,6 @@
rescue:
- name: "Add {{ package_name }} to the yum install list if missing"
set_fact:
ansible.builtin.set_fact:
packages_to_install: "{{ packages_to_install + [ package_name ] }}"
when: rpm_info.failed

6
roles/keycloak/tasks/fastpackages/install.yml
View File

@ -1,18 +1,18 @@
---
- name: Set facts
set_fact:
ansible.builtin.set_fact:
update_cache: true
packages_to_install: []
- name: "Check packages to be installed"
include_tasks: check.yml
ansible.builtin.include_tasks: check.yml
loop: "{{ packages_list | flatten }}"
loop_control:
loop_var: package_name
- name: "Install packages: {{ packages_to_install }}"
become: yes
yum:
ansible.builtin.yum:
name: "{{ packages_to_install }}"
state: present
when: packages_to_install | length > 0

2
roles/keycloak/tasks/firewalld.yml
View File

@ -7,7 +7,7 @@
- name: Enable and start the firewalld service
become: yes
systemd:
ansible.builtin.systemd:
name: firewalld
enabled: yes
state: started

46
roles/keycloak/tasks/install.yml
View File

@ -1,6 +1,6 @@
---
- name: Validate parameters
assert:
ansible.builtin.assert:
that:
- keycloak_jboss_home is defined
- keycloak_service_user is defined
@ -12,7 +12,7 @@
- name: Check for an existing deployment
become: yes
stat:
ansible.builtin.stat:
path: "{{ keycloak_jboss_home }}"
register: existing_deploy
@ -20,24 +20,24 @@
- name: Stop the old keycloak service
become: yes
ignore_errors: yes
systemd:
ansible.builtin.systemd:
name: keycloak
state: stopped
- name: Remove the old Keycloak deployment
become: yes
file:
ansible.builtin.file:
path: "{{ keycloak_jboss_home }}"
state: absent
when: existing_deploy.stat.exists and keycloak_force_install|bool
- name: check for an existing deployment after possible forced removal
become: yes
stat:
ansible.builtin.stat:
path: "{{ keycloak_jboss_home }}"
- name: create Keycloak service user/group
become: yes
user:
ansible.builtin.user:
name: "{{ keycloak_service_user }}"
home: /opt/keycloak
system: yes
@ -45,7 +45,7 @@
- name: create Keycloak install location
become: yes
file:
ansible.builtin.file:
dest: "{{ keycloak_dest }}"
state: directory
owner: "{{ keycloak_service_user }}"
@ -54,23 +54,23 @@
## check remote archive
- name: Set download archive path
set_fact:
ansible.builtin.set_fact:
archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"
- name: Check download archive path
stat:
ansible.builtin.stat:
path: "{{ archive }}"
register: archive_path
## download to controller
- name: Check local download archive path
stat:
ansible.builtin.stat:
path: "{{ lookup('env', 'PWD') }}"
register: local_path
delegate_to: localhost
- name: Download keycloak archive
get_url:
ansible.builtin.get_url:
url: "{{ keycloak_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
delegate_to: localhost
@ -82,7 +82,7 @@
- not keycloak_offline_install
- name: Perform download from RHN
redhat_csp_download:
middleware_automation.redhat_csp_download.redhat_csp_download:
url: "{{ keycloak_rhsso_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
username: "{{ rhn_username }}"
@ -98,7 +98,7 @@
- keycloak_rhn_url in keycloak_rhsso_download_url
- name: Download rhsso archive from alternate location
get_url:
ansible.builtin.get_url:
url: "{{ keycloak_rhsso_download_url }}"
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
delegate_to: localhost
@ -111,14 +111,14 @@
- not keycloak_rhn_url in keycloak_rhsso_download_url
- name: Check downloaded archive
stat:
ansible.builtin.stat:
path: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
register: local_archive_path
delegate_to: localhost
## copy and unpack
- name: Copy archive to target nodes
copy:
ansible.builtin.copy:
src: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
dest: "{{ archive }}"
owner: "{{ keycloak_service_user }}"
@ -132,13 +132,13 @@
become: yes
- name: "Check target directory: {{ keycloak.home }}"
stat:
ansible.builtin.stat:
path: "{{ keycloak.home }}"
register: path_to_workdir
become: yes
- name: "Extract {{ 'Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Keycloak' }} archive on target"
unarchive:
ansible.builtin.unarchive:
remote_src: yes
src: "{{ archive }}"
dest: "{{ keycloak_dest }}"
@ -152,13 +152,13 @@
- restart keycloak
- name: Inform decompression was not executed
debug:
ansible.builtin.debug:
msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
when:
- not new_version_downloaded.changed and path_to_workdir.stat.exists
- name: "Reown installation directory to {{ keycloak_service_user }}"
file:
ansible.builtin.file:
path: "{{ keycloak.home }}"
owner: "{{ keycloak_service_user }}"
group: "{{ keycloak_service_group }}"
@ -168,8 +168,8 @@
# driver and configuration
- name: "Install {{ keycloak_jdbc_engine }} driver"
include_role:
name: wildfly_driver
ansible.builtin.include_role:
name: middleware_automation.wildfly.wildfly_driver
vars:
wildfly_user: "{{ keycloak_service_user }}"
jdbc_driver_module_dir: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
@ -182,7 +182,7 @@
- name: "Deploy {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
become: yes
template:
ansible.builtin.template:
src: templates/standalone.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}"
owner: "{{ keycloak_service_user }}"
@ -194,7 +194,7 @@
- name: "Deploy {{ keycloak.service_name }} config with remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
become: yes
template:
ansible.builtin.template:
src: templates/standalone-infinispan.xml.j2
dest: "{{ keycloak_config_path_to_standalone_xml }}"
owner: "{{ keycloak_service_user }}"

16
roles/keycloak/tasks/main.yml
View File

@ -2,25 +2,25 @@
# tasks file for keycloak
- name: Check prerequisites
include_tasks: prereqs.yml
ansible.builtin.include_tasks: prereqs.yml
tags:
- prereqs
- name: Include install tasks
include_tasks: tasks/install.yml
ansible.builtin.include_tasks: tasks/install.yml
- name: Include systemd tasks
include_tasks: tasks/systemd.yml
ansible.builtin.include_tasks: tasks/systemd.yml
- name: Link default logs directory
file:
ansible.builtin.file:
state: link
src: "{{ keycloak_jboss_home }}/standalone/log"
dest: /var/log/keycloak
- block:
- name: Check admin credentials by generating a token
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
@ -31,7 +31,7 @@
delay: 2
rescue:
- name: "Create {{ keycloak.service_name }} admin user"
command:
ansible.builtin.command:
args:
argv:
- "{{ keycloak_jboss_home }}/bin/add-user-keycloak.sh"
@ -41,9 +41,9 @@
changed_when: yes
become: yes
- name: "Restart {{ keycloak.service_name }}"
include_tasks: tasks/restart_keycloak.yml
ansible.builtin.include_tasks: tasks/restart_keycloak.yml
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
uri:
ansible.builtin.uri:
url: "{{ keycloak.health_url }}"
register: keycloak_status
until: keycloak_status.status == 200

6
roles/keycloak/tasks/prereqs.yml
View File

@ -1,6 +1,6 @@
---
- name: Validate configuration
assert:
ansible.builtin.assert:
that:
- (keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and not keycloak_db_enabled)
quiet: True
@ -8,7 +8,7 @@
success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"
- name: Validate credentials
assert:
ansible.builtin.assert:
that:
- (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
- (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
@ -17,7 +17,7 @@
success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
- name: Set required packages facts
set_fact:
ansible.builtin.set_fact:
required_packages:
- "{{ jvm_package }}"
- unzip

2
roles/keycloak/tasks/restart_keycloak.yml
View File

@ -1,6 +1,6 @@
---
- name: "Restart and enable keycloack service"
systemd:
ansible.builtin.systemd:
name: keycloak
enabled: yes
state: restarted

2
roles/keycloak/tasks/stop_keycloak.yml
View File

@ -1,6 +1,6 @@
---
- name: "Stop SSO service"
systemd:
ansible.builtin.systemd:
name: keycloak
enabled: yes
state: stopped

18
roles/keycloak/tasks/systemd.yml
View File

@ -1,6 +1,6 @@
- name: configure keycloak service script wrapper
become: yes
template:
ansible.builtin.template:
src: keycloak-service.sh.j2
dest: "{{ keycloak_dest }}/keycloak-service.sh"
owner: root
@ -11,7 +11,7 @@
- name: configure sysconfig file for keycloak service
become: yes
template:
ansible.builtin.template:
src: keycloak-sysconfig.j2
dest: /etc/sysconfig/keycloak
owner: root
@ -21,7 +21,7 @@
- restart keycloak
- name: configure systemd unit file for keycloak service
template:
ansible.builtin.template:
src: keycloak.service.j2
dest: /etc/systemd/system/keycloak.service
owner: root
@ -34,33 +34,33 @@
- name: reload systemd
become: yes
systemd:
ansible.builtin.systemd:
daemon_reload: yes
when: systemdunit.changed
- name: start keycloak
systemd:
ansible.builtin.systemd:
name: keycloak
enabled: yes
state: started
become: yes
- name: Check service status
command: "systemctl status keycloak"
ansible.builtin.command: "systemctl status keycloak"
register: keycloak_service_status
changed_when: False
- name: Verify service status
assert:
ansible.builtin.assert:
that:
- keycloak_service_status is defined
- keycloak_service_status.stdout is defined
- name: Flush handlers
meta: flush_handlers
ansible.builtin.meta: flush_handlers
- name: "Wait until Keycloak becomes active {{ keycloak.health_url }}"
uri:
ansible.builtin.uri:
url: "{{ keycloak.health_url }}"
register: keycloak_status
until: keycloak_status.status == 200

13
roles/keycloak_realm/tasks/main.yml
View File

@ -1,17 +1,18 @@
---
- name: Generate keycloak auth token
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no
no_log: True
register: keycloak_auth_response
until: keycloak_auth_response.status == 200
retries: 5
delay: 2
- name: "Determine if realm exists"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}"
method: GET
status_code:
@ -23,7 +24,7 @@
register: keycloak_realm_exists
- name: Create Realm
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms"
method: POST
body: "{{ lookup('template','realm.json.j2') }}"
@ -47,6 +48,7 @@
provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}"
config: "{{ item.config }}"
mappers: "{{ item.mappers | default(omit) }}"
no_log: True
register: create_user_federation_result
loop: "{{ keycloak_user_federation | flatten }}"
when: keycloak_user_federation is defined
@ -78,19 +80,20 @@
public_client: "{{ item.public_client | default(False) }}"
protocol: "{{ item.protocol | default(omit) }}"
state: present
no_log: True
register: create_client_result
loop: "{{ keycloak_clients | flatten }}"
when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined)
- name: Create client roles
include_tasks: manage_client_roles.yml
ansible.builtin.include_tasks: manage_client_roles.yml
loop: "{{ keycloak_clients | flatten }}"
loop_control:
loop_var: client
when: "'roles' in client"
- name: Create client users
include_tasks: manage_client_users.yml
ansible.builtin.include_tasks: manage_client_users.yml
loop: "{{ keycloak_clients | flatten }}"
loop_control:
loop_var: client

1
roles/keycloak_realm/tasks/manage_client_roles.yml
View File

@ -10,3 +10,4 @@
auth_password: "{{ keycloak_admin_password }}"
state: present
loop: "{{ client.roles | flatten }}"
no_log: True

4
roles/keycloak_realm/tasks/manage_client_users.yml
View File

@ -1,12 +1,12 @@
---
- name: Manage Users
include_tasks: manage_user.yml
ansible.builtin.include_tasks: manage_user.yml
loop: "{{ client.users | flatten }}"
loop_control:
loop_var: user
- name: Manage User Roles
include_tasks: manage_user_roles.yml
ansible.builtin.include_tasks: manage_user_roles.yml
loop: "{{ client.users | flatten }}"
loop_control:
loop_var: user

8
roles/keycloak_realm/tasks/manage_user.yml
View File

@ -1,6 +1,6 @@
---
- name: "Check if User Already Exists"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
validate_certs: no
headers:
@ -8,7 +8,7 @@
register: keycloak_user_search_result
- name: "Create User"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users"
method: POST
body:
@ -26,7 +26,7 @@
when: keycloak_user_search_result.json | length == 0
- name: "Get User"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
validate_certs: no
headers:
@ -34,7 +34,7 @@
register: keycloak_user
- name: "Update User Password"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users/{{ (keycloak_user.json | first).id }}/reset-password"
method: PUT
body:

6
roles/keycloak_realm/tasks/manage_user_client_roles.yml
View File

@ -1,6 +1,6 @@
---
- name: "Get Realm for role"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}"
method: GET
status_code:
@ -11,7 +11,7 @@
register: client_role_realm
- name: Check if Mapping is available
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
method: GET
status_code:
@ -22,7 +22,7 @@
register: client_role_user_available
- name: "Create Role Mapping"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}"
method: POST
body:

7
roles/keycloak_realm/tasks/manage_user_roles.yml
View File

@ -1,6 +1,6 @@
---
- name: "Get User {{ user.username }}"
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
headers:
validate_certs: no
@ -8,18 +8,19 @@
register: keycloak_user
- name: Refresh keycloak auth token
uri:
ansible.builtin.uri:
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
method: POST
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
validate_certs: no
register: keycloak_auth_response
no_log: True
until: keycloak_auth_response.status == 200
retries: 5
delay: 2
- name: "Manage Client Role Mapping for {{ user.username }}"
include_tasks: manage_user_client_roles.yml
ansible.builtin.include_tasks: manage_user_client_roles.yml
loop: "{{ user.client_roles | flatten }}"
loop_control:
loop_var: client_role