diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index 938aaa0..7e73d70 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -3,6 +3,7 @@ hosts: all vars: keycloak_admin_password: "remembertochangeme" + keycloak_jvm_package: java-11-openjdk-headless roles: - role: keycloak tasks:
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
index 03433c0..8137cfd 100644
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@@ -8,5 +8,7 @@ - name: Install sudo ansible.builtin.yum: - name: sudo + name: + - sudo + - java-1.8.0-openjdk state: present
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index ef973cd..07acf4d 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -1,6 +1,11 @@ --- - name: Verify hosts: all + vars: + keycloak_admin_password: "remembertochangeme" + keycloak_jvm_package: java-11-openjdk-headless + keycloak_port: http://localhost:8080 + keycloak_management_port: http://localhost:9990 tasks: - name: Populate service facts ansible.builtin.service_facts:
@@ -9,3 +14,16 @@ that: - ansible_facts.services["keycloak.service"]["state"] == "running" - ansible_facts.services["keycloak.service"]["status"] == "enabled" + - name: Verify we are running on requested jvm + shell: | + ps -ef | grep /usr/lib/jvm/java-11 | grep -v grep + - name: Verify token api call + ansible.builtin.uri: + url: "{{ keycloak_port }}/auth/realms/master/protocol/openid-connect/token" + method: POST + body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password" + validate_certs: no + register: keycloak_auth_response + until: keycloak_auth_response.status == 200 + retries: 2 + delay: 2
\ No newline at end of file
diff --git a/playbooks/keycloak.yml b/playbooks/keycloak.yml
index e4ac27c..2b222a5 100644
--- a/playbooks/keycloak.yml
+++ b/playbooks/keycloak.yml
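Review bot: The task in prepare.yml is still named `Install sudo` although it now also installs `java-1.8.0-openjdk`, and nothing says why a second JVM is put on the test instance when converge.yml asks the role for `java-11-openjdk-headless`. If the intent is to have two JVMs present so that verify.yml can prove the role runs on the requested one rather than on whichever java is first on PATH, make that explicit: rename the task `Install sudo and a competing JVM` and add a comment above the package list such as `# a second JDK on purpose: verify.yml checks that keycloak runs on the java-11 package requested in converge.yml`. That intent is inferred from the three molecule files together, so confirm it before wording the comment.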
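Review bot: `keycloak_port` and `keycloak_management_port` in the first verify.yml hunk hold base URLs (`http://localhost:8080`), not port numbers, so the names collide in meaning with the role's real `keycloak_http_port` / `keycloak_management_http_port` integers; `keycloak_base_url` and `keycloak_management_url` would describe the content. `keycloak_admin_password: "remembertochangeme"` is now duplicated verbatim between converge.yml and verify.yml because the two plays do not share vars; a molecule group var or a shared `vars_files` would keep the fixture in one place. `keycloak_management_port` is not read by any task in this diff, so either drop it or note which task will use it.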
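Review bot: The token request in the second verify.yml hunk builds the form body by string concatenation, so `keycloak_admin_password` is sent without URL encoding; a password containing `&`, `=`, `%` or `+` would be split or decoded differently by the server and the check would fail for the wrong reason. Let the uri module encode it with `body_format: form-urlencoded` and a mapping body (below); `validate_certs: no` is then also better written `false`, and it has no effect on a plain-http URL anyway. The JVM check two tasks above uses bare `shell` where the rest of the file uses `ansible.builtin.*`, sets no `changed_when`, and `ps -ef | grep /usr/lib/jvm/java-11 | grep -v grep` matches any java-11 process on the host rather than keycloak's; `ansible.builtin.command: pgrep -u keycloak -f /usr/lib/jvm/java-11` with `changed_when: false` is tighter, assuming the default service user `keycloak` documented in the README is what the test instance uses. The file also loses its trailing newline in this hunk.
```yaml
- name: Verify token api call
  ansible.builtin.uri:
    url: "{{ keycloak_port }}/auth/realms/master/protocol/openid-connect/token"
    method: POST
    body_format: form-urlencoded
    body:
      client_id: admin-cli
      username: admin
      password: "{{ keycloak_admin_password }}"
      grant_type: password
    validate_certs: false
  # … unchanged: register / until / retries / delay …
```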
@@ -6,4 +6,4 @@ collections: - middleware_automation.keycloak roles: - - middleware_automation.keycloak.keycloak + - keycloak
diff --git a/roles/keycloak/README.md b/roles/keycloak/README.md
index 7ef3cb5..c63085b 100644
--- a/roles/keycloak/README.md
+++ b/roles/keycloak/README.md
@@ -60,13 +60,14 @@ Role Defaults |`keycloak_jgroups_port`| jgroups cluster tcp port | `7600` | |`keycloak_management_http_port`| Management port | `9990` | |`keycloak_management_https_port`| TLS management port | `9993` | -|`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` | |`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `True` | |`keycloak_config_standalone_xml`| filename for configuration | `keycloak.xml` | |`keycloak_service_user`| posix account username | `keycloak` | |`keycloak_service_group`| posix account group | `keycloak` | |`keycloak_service_pidfile`| pid file path for service | `/run/keycloak.pid` | |`keycloak_jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-devel` | +|`keycloak_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path | `None` | +|`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` | * Install options
diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml
index f33d332..7ef632a 100644
--- a/roles/keycloak/defaults/main.yml
+++ b/roles/keycloak/defaults/main.yml
@@ -21,7 +21,8 @@ keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined and rhn_username is d keycloak_offline_install: False ### Install location and service settings -keycloak_jvm_package: java-1.8.0-openjdk-devel +keycloak_jvm_package: java-1.8.0-openjdk-headless +keycloak_java_home: keycloak_dest: /opt/keycloak keycloak_jboss_home: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}" keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"
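Review bot: The default for `keycloak_jvm_package` changes to `java-1.8.0-openjdk-headless` in defaults/main.yml, but unchanged context in this same commit still documents `java-1.8.0-openjdk-devel` in roles/keycloak/README.md (the `keycloak_jvm_package` row) and in roles/keycloak/meta/argument_specs.yml (`default: "java-1.8.0-openjdk-devel"`), so the three sources now disagree; update both to `java-1.8.0-openjdk-headless`. `keycloak_java_home:` with no value loads as null rather than as an empty string; the sysconfig template's `default(keycloak_rpm_java_home, true)` tolerates either, but `keycloak_java_home: ""` states the "leave empty" contract the README describes, and the new argument_specs entry could then carry the matching `default: ""` so the spec and the defaults file agree.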
diff --git a/roles/keycloak/handlers/main.yml b/roles/keycloak/handlers/main.yml
index dda3682..4dd6ba2 100644
--- a/roles/keycloak/handlers/main.yml
+++ b/roles/keycloak/handlers/main.yml
@@ -1,4 +1,4 @@ --- -- name: "Restart {{ keycloak.service_name }}" +- name: "Restart handler" ansible.builtin.include_tasks: restart_keycloak.yml listen: "restart keycloak"
diff --git a/roles/keycloak/meta/argument_specs.yml b/roles/keycloak/meta/argument_specs.yml
index 67121c2..24b644c 100644
--- a/roles/keycloak/meta/argument_specs.yml
+++ b/roles/keycloak/meta/argument_specs.yml
@@ -81,6 +81,9 @@ argument_specs: default: "java-1.8.0-openjdk-devel" description: "RHEL java package runtime rpm" type: "str" + keycloak_java_home: + description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path" + type: "str" keycloak_dest: # line 24 of keycloak/defaults/main.yml default: "/opt/keycloak"
diff --git a/roles/keycloak/tasks/install.yml b/roles/keycloak/tasks/install.yml
index 9e0dbd3..7fee03d 100644
--- a/roles/keycloak/tasks/install.yml
+++ b/roles/keycloak/tasks/install.yml
@@ -71,9 +71,10 @@ delegate_to: localhost - name: Download keycloak archive - ansible.builtin.get_url: + ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user url: "{{ keycloak_download_url }}" dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}" + mode: 0640 delegate_to: localhost when: - archive_path is defined
@@ -99,9 +100,10 @@ - keycloak_rhn_url in keycloak_rhsso_download_url - name: Download rhsso archive from alternate location - ansible.builtin.get_url: + ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user url: "{{ keycloak_rhsso_download_url }}" dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}" + mode: 0640 delegate_to: localhost when: - archive_path is defined
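Review bot: Once `mode: 0640` is set on the `Download keycloak archive` get_url task in install.yml, the `# noqa risky-file-permissions` added on the same line suppresses nothing — as far as I know that rule only fires when `mode` is absent — and its justification ("delegated, uses controller host user") now argues against the explicit mode that was just added; keep one or the other, most simply drop the noqa comment. The same pair appears in the second hunk of this file (`Download rhsso archive from alternate location`) and in roles/keycloak_quarkus/tasks/install.yml. Separately, `0640` is an unquoted leading-zero literal that a YAML 1.1 loader reads as the integer 416; Ansible accepts that as octal, but `mode: "0640"` is the form that survives yamllint's `octal-values` check and any reformatter, and the same applies to the `mode: 0640` introduced in roles/keycloak/tasks/rhsso_patch.yml.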
diff --git a/roles/keycloak/tasks/rhsso_patch.yml b/roles/keycloak/tasks/rhsso_patch.yml
index d4a4273..f517e7a 100644
--- a/roles/keycloak/tasks/rhsso_patch.yml
+++ b/roles/keycloak/tasks/rhsso_patch.yml
@@ -31,7 +31,7 @@ dest: "{{ patch_archive }}" owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_group }}" - mode: 0750 + mode: 0640 register: new_version_downloaded when: - not patch_archive_path.stat.exists
@@ -83,5 +83,5 @@ success_msg: "Patch installation successful" - name: "Skipping patch" - debug: + ansible.builtin.debug: msg: "Latest cumulative patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} already installed, skipping patch installation."
diff --git a/roles/keycloak/tasks/systemd.yml b/roles/keycloak/tasks/systemd.yml
index cfc3762..77f7d7c 100644
--- a/roles/keycloak/tasks/systemd.yml
+++ b/roles/keycloak/tasks/systemd.yml
@@ -9,6 +9,15 @@ notify: - restart keycloak +- name: Determine JAVA_HOME for selected JVM RPM # noqa blocked_modules + ansible.builtin.shell: | + set -o pipefail + rpm -ql {{ keycloak_jvm_package }} | grep -Po '/usr/lib/jvm/.*(?=/bin/java$)' + args: + executable: /bin/bash + changed_when: False + register: rpm_java_home + - name: "Configure sysconfig file for {{ keycloak.service_name }} service" become: yes ansible.builtin.template:
@@ -17,6 +26,8 @@ owner: root group: root mode: 0644 + vars: + keycloak_rpm_java_home: "{{ rpm_java_home.stdout }}" notify: - restart keycloak
diff --git a/roles/keycloak/templates/keycloak-service.sh.j2 b/roles/keycloak/templates/keycloak-service.sh.j2
index 2281b17..577959e 100755
--- a/roles/keycloak/templates/keycloak-service.sh.j2
+++ b/roles/keycloak/templates/keycloak-service.sh.j2
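Review bot: `rpm -ql {{ keycloak_jvm_package }}` in the new systemd.yml task interpolates a role input straight into a bash command line, so a value containing shell metacharacters is interpreted by the shell instead of being passed as a package name; write it `rpm -ql {{ keycloak_jvm_package | quote }}`. The task also runs unconditionally — even when the caller supplies `keycloak_java_home`, in which case the RPM query is irrelevant and fails the play if that package is not installed — and a `when: not keycloak_java_home` guard would need the `keycloak_rpm_java_home` var in the second hunk of this file to tolerate a skipped register, e.g. `keycloak_rpm_java_home: "{{ rpm_java_home.stdout | default('') }}"`. If the package lists more than one `…/bin/java` (plausible for a `-devel` package that ships both a `jre/bin/java` and a `bin/java`, not verified here), `stdout` holds several lines and the rendered `JAVA_HOME=` becomes multi-line; `rpm_java_home.stdout_lines | first` in that var, or `| head -n1` at the end of the pipeline, pins it to a single path. `changed_when: False` is conventionally written `false`.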
@@ -17,7 +17,7 @@ checkEnvVar() { # for testing outside systemd . /etc/sysconfig/keycloak -readonly KEYCLOAK_HOME={{ keycloak_jboss_home }} +readonly KEYCLOAK_HOME={{ keycloak.home }} readonly KEYCLOAK_BIND_ADDRESS=${KEYCLOAK_BIND_ADDRESS} readonly KEYCLOAK_HTTP_PORT=${KEYCLOAK_HTTP_PORT} readonly KEYCLOAK_HTTPS_PORT=${KEYCLOAK_HTTPS_PORT}
@@ -27,7 +27,7 @@ readonly KEYCLOAK_PIDFILE={{ keycloak_service_pidfile }} set -u if [ ! -d "${KEYCLOAK_HOME}" ]; then - echo "KEYCLOAK_HOME (${KEYCLOAK_HOME}) is not a director or does not exists." + echo "KEYCLOAK_HOME (${KEYCLOAK_HOME}) is not a directory or does not exists." exit 1 fi
diff --git a/roles/keycloak/templates/keycloak-sysconfig.j2 b/roles/keycloak/templates/keycloak-sysconfig.j2
index 15b777c..68474c3 100644
--- a/roles/keycloak/templates/keycloak-sysconfig.j2
+++ b/roles/keycloak/templates/keycloak-sysconfig.j2
@@ -1,6 +1,7 @@ # {{ ansible_managed }} JAVA_OPTS='{{ keycloak_java_opts }}' -JBOSS_HOME={{ keycloak_jboss_home }} +JAVA_HOME={{ keycloak_java_home | default(keycloak_rpm_java_home, true) }} +JBOSS_HOME={{ keycloak.home }} KEYCLOAK_BIND_ADDRESS={{ keycloak_bind_address }} KEYCLOAK_HTTP_PORT={{ keycloak_http_port }} KEYCLOAK_HTTPS_PORT={{ keycloak_https_port }}
diff --git a/roles/keycloak_quarkus/tasks/install.yml b/roles/keycloak_quarkus/tasks/install.yml
index c8e5b73..ba6ec40 100644
--- a/roles/keycloak_quarkus/tasks/install.yml
+++ b/roles/keycloak_quarkus/tasks/install.yml
@@ -52,9 +52,10 @@ delegate_to: localhost - name: Download keycloak archive - ansible.builtin.get_url: + ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user url: "{{ keycloak_quarkus_download_url }}" dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}" + mode: 0640 delegate_to: localhost when: - archive_path is defined
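Review bot: `readonly KEYCLOAK_HOME={{ keycloak.home }}` in keycloak-service.sh.j2 is rendered unquoted, so an install path containing a space or a shell-special character breaks the assignment, while the test in the next hunk already quotes `"${KEYCLOAK_HOME}"` correctly; render it `readonly KEYCLOAK_HOME="{{ keycloak.home }}"`. The message corrected in the second hunk still ends in `does not exists`; `is not a directory or does not exist.` completes the fix. Where `keycloak.home` is defined is outside this diff, so its equivalence to the former `keycloak_jboss_home` is assumed here, not checked.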
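Review bot: When neither `keycloak_java_home` nor `keycloak_rpm_java_home` carries a value — the rpm query in roles/keycloak/tasks/systemd.yml matched nothing — keycloak-sysconfig.j2 renders a bare `JAVA_HOME=` and the service starts with JAVA_HOME exported as an empty string, which is harder to diagnose than an unset variable. Either emit the line only when a value exists, wrapping it in `{% if keycloak_java_home or keycloak_rpm_java_home %}` … `{% endif %}`, or fail earlier with an `ansible.builtin.assert` on the registered result in systemd.yml; note that if that task is ever skipped, `keycloak_rpm_java_home` is undefined and the `default(…)` filter here raises instead. `JAVA_OPTS` is single-quoted but the new `JAVA_HOME` and `JBOSS_HOME` values are not, and keycloak-service.sh.j2 sources this file as a shell script, so a path with spaces would break there too.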