Merge pull request #31 from guidograzioli/ensure_java_home

Make sure systemd unit starts with selected java JVM

molecule/default/converge.yml

@@ -3,6 +3,7 @@
   hosts: all
   vars: 
     keycloak_admin_password: "remembertochangeme"
+    keycloak_jvm_package: java-11-openjdk-headless
   roles:
     - role: keycloak
   tasks:

molecule/default/prepare.yml

@@ -8,5 +8,7 @@
 
     - name: Install sudo
       ansible.builtin.yum:
-        name: sudo
+        name:
+          - sudo
+          - java-1.8.0-openjdk
         state: present

molecule/default/verify.yml

@@ -1,6 +1,11 @@
 ---
 - name: Verify
   hosts: all
+  vars:
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_jvm_package: java-11-openjdk-headless
+    keycloak_port: http://localhost:8080
+    keycloak_management_port: http://localhost:9990
   tasks:
     - name: Populate service facts
       ansible.builtin.service_facts:
@@ -9,3 +14,16 @@
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"
           - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+    - name: Verify we are running on requested jvm
+      shell: |
+        ps -ef | grep /usr/lib/jvm/java-11 | grep -v grep
+    - name: Verify token api call
+      ansible.builtin.uri:
+        url: "{{ keycloak_port }}/auth/realms/master/protocol/openid-connect/token"
+        method: POST
+        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
+        validate_certs: no
+      register: keycloak_auth_response
+      until: keycloak_auth_response.status == 200
+      retries: 2
+      delay: 2

playbooks/keycloak.yml

@@ -6,4 +6,4 @@
   collections:
     - middleware_automation.keycloak
   roles:
-    - middleware_automation.keycloak.keycloak
+    - keycloak

roles/keycloak/README.md

@@ -60,13 +60,14 @@ Role Defaults
 |`keycloak_jgroups_port`| jgroups cluster tcp port | `7600` |
 |`keycloak_management_http_port`| Management port | `9990` |
 |`keycloak_management_https_port`| TLS management port | `9993` |
-|`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
 |`keycloak_prefer_ipv4`| Prefer IPv4 stack and addresses for port binding | `True` |
 |`keycloak_config_standalone_xml`| filename for configuration | `keycloak.xml` |
 |`keycloak_service_user`| posix account username | `keycloak` |
 |`keycloak_service_group`| posix account group | `keycloak` |
 |`keycloak_service_pidfile`| pid file path for service | `/run/keycloak.pid` |
 |`keycloak_jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-devel` |
+|`keycloak_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path | `None` |
+|`keycloak_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
 
 
 * Install options

roles/keycloak/defaults/main.yml

@@ -21,7 +21,8 @@ keycloak_rhsso_enable: "{{ True if rhsso_rhn_id is defined and rhn_username is d
 keycloak_offline_install: False
 
 ### Install location and service settings
-keycloak_jvm_package: java-1.8.0-openjdk-devel
+keycloak_jvm_package: java-1.8.0-openjdk-headless
+keycloak_java_home:
 keycloak_dest: /opt/keycloak
 keycloak_jboss_home: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}"
 keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"

roles/keycloak/handlers/main.yml

@@ -1,4 +1,4 @@
 ---
-- name: "Restart {{ keycloak.service_name }}"
+- name: "Restart handler"
   ansible.builtin.include_tasks: restart_keycloak.yml
   listen: "restart keycloak"

roles/keycloak/meta/argument_specs.yml

@@ -81,6 +81,9 @@ argument_specs:
                 default: "java-1.8.0-openjdk-devel"
                 description: "RHEL java package runtime rpm"
                 type: "str"
+            keycloak_java_home:
+                description: "JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path"
+                type: "str"
             keycloak_dest:
                 # line 24 of keycloak/defaults/main.yml
                 default: "/opt/keycloak"

roles/keycloak/tasks/install.yml

@@ -71,9 +71,10 @@
   delegate_to: localhost
 
 - name: Download keycloak archive
-  ansible.builtin.get_url:
+  ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
     url: "{{ keycloak_download_url }}"
     dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+    mode: 0640
   delegate_to: localhost
   when:
     - archive_path is defined
@@ -99,9 +100,10 @@
     - keycloak_rhn_url in keycloak_rhsso_download_url
 
 - name: Download rhsso archive from alternate location
-  ansible.builtin.get_url:
+  ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
     url: "{{ keycloak_rhsso_download_url }}"
     dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+    mode: 0640
   delegate_to: localhost
   when:
     - archive_path is defined

roles/keycloak/tasks/rhsso_patch.yml

@@ -31,7 +31,7 @@
     dest: "{{ patch_archive }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
-    mode: 0750
+    mode: 0640
   register: new_version_downloaded
   when:
     - not patch_archive_path.stat.exists
@@ -83,5 +83,5 @@
         success_msg: "Patch installation successful"
 
 - name: "Skipping patch"
-  debug:
+  ansible.builtin.debug:
     msg: "Latest cumulative patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} already installed, skipping patch installation."

roles/keycloak/tasks/systemd.yml

@@ -9,6 +9,15 @@
   notify:
     - restart keycloak
 
+- name: Determine JAVA_HOME for selected JVM RPM  # noqa blocked_modules
+  ansible.builtin.shell: |
+    set -o pipefail
+    rpm -ql {{ keycloak_jvm_package }} | grep -Po '/usr/lib/jvm/.*(?=/bin/java$)'
+  args:
+    executable: /bin/bash
+  changed_when: False
+  register: rpm_java_home
+
 - name: "Configure sysconfig file for {{ keycloak.service_name }} service"
   become: yes
   ansible.builtin.template:
@@ -17,6 +26,8 @@
     owner: root
     group: root
     mode: 0644
+  vars:
+    keycloak_rpm_java_home: "{{ rpm_java_home.stdout }}"
   notify:
     - restart keycloak
 

roles/keycloak/templates/keycloak-service.sh.j2

@@ -17,7 +17,7 @@ checkEnvVar() {
 #  for testing outside systemd
 . /etc/sysconfig/keycloak
 
-readonly KEYCLOAK_HOME={{ keycloak_jboss_home }}
+readonly KEYCLOAK_HOME={{ keycloak.home }}
 readonly KEYCLOAK_BIND_ADDRESS=${KEYCLOAK_BIND_ADDRESS}
 readonly KEYCLOAK_HTTP_PORT=${KEYCLOAK_HTTP_PORT}
 readonly KEYCLOAK_HTTPS_PORT=${KEYCLOAK_HTTPS_PORT}
@@ -27,7 +27,7 @@ readonly KEYCLOAK_PIDFILE={{ keycloak_service_pidfile }}
 
 set -u
 if [ ! -d "${KEYCLOAK_HOME}" ]; then
-  echo "KEYCLOAK_HOME (${KEYCLOAK_HOME}) is not a director or does not exists."
+  echo "KEYCLOAK_HOME (${KEYCLOAK_HOME}) is not a directory or does not exists."
   exit 1
 fi
 

roles/keycloak/templates/keycloak-sysconfig.j2

@@ -1,6 +1,7 @@
 # {{ ansible_managed }}
 JAVA_OPTS='{{ keycloak_java_opts }}'
-JBOSS_HOME={{ keycloak_jboss_home }}
+JAVA_HOME={{ keycloak_java_home  | default(keycloak_rpm_java_home, true) }}
+JBOSS_HOME={{ keycloak.home }}
 KEYCLOAK_BIND_ADDRESS={{ keycloak_bind_address }}
 KEYCLOAK_HTTP_PORT={{ keycloak_http_port }}
 KEYCLOAK_HTTPS_PORT={{ keycloak_https_port }}

roles/keycloak_quarkus/tasks/install.yml

@@ -52,9 +52,10 @@
   delegate_to: localhost
 
 - name: Download keycloak archive
-  ansible.builtin.get_url:
+  ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
     url: "{{ keycloak_quarkus_download_url }}"
     dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
+    mode: 0640
   delegate_to: localhost
   when:
     - archive_path is defined