commit
ffd146d392
|
@ -3,10 +3,10 @@
|
||||||
hosts: all
|
hosts: all
|
||||||
tasks:
|
tasks:
|
||||||
- name: Disable beta repos
|
- name: Disable beta repos
|
||||||
command: yum config-manager --disable '*beta*'
|
ansible.builtin.command: yum config-manager --disable '*beta*'
|
||||||
ignore_errors: yes
|
ignore_errors: yes
|
||||||
|
|
||||||
- name: Install sudo
|
- name: Install sudo
|
||||||
yum:
|
ansible.builtin.yum:
|
||||||
name: sudo
|
name: sudo
|
||||||
state: present
|
state: present
|
||||||
|
|
|
@ -5,6 +5,6 @@
|
||||||
- name: Populate service facts
|
- name: Populate service facts
|
||||||
ansible.builtin.service_facts:
|
ansible.builtin.service_facts:
|
||||||
- name: Check if keycloak service started
|
- name: Check if keycloak service started
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ansible_facts.services["keycloak.service"]["state"] == "running"
|
- ansible_facts.services["keycloak.service"]["state"] == "running"
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
- middleware_automation.keycloak
|
- middleware_automation.keycloak
|
||||||
tasks:
|
tasks:
|
||||||
- name: Include keycloak role
|
- name: Include keycloak role
|
||||||
include_role:
|
ansible.builtin.include_role:
|
||||||
name: keycloak
|
name: middleware_automation.keycloak.keycloak
|
||||||
vars:
|
vars:
|
||||||
keycloak_admin_password: "changeme"
|
keycloak_admin_password: "changeme"
|
|
@ -3,8 +3,8 @@
|
||||||
hosts: keycloak
|
hosts: keycloak
|
||||||
tasks:
|
tasks:
|
||||||
- name: Keycloak Realm Role
|
- name: Keycloak Realm Role
|
||||||
include_role:
|
ansible.builtin.include_role:
|
||||||
name: keycloak_realm
|
name: middleware_automation.keycloak.keycloak_realm
|
||||||
vars:
|
vars:
|
||||||
keycloak_admin_password: "changeme"
|
keycloak_admin_password: "changeme"
|
||||||
keycloak_realm: TestRealm
|
keycloak_realm: TestRealm
|
||||||
|
|
|
@ -4,11 +4,11 @@
|
||||||
collections:
|
collections:
|
||||||
- middleware_automation.redhat_csp_download
|
- middleware_automation.redhat_csp_download
|
||||||
roles:
|
roles:
|
||||||
- redhat_csp_download
|
- middleware_automation.redhat_csp_download.redhat_csp_download
|
||||||
tasks:
|
tasks:
|
||||||
- name: Keycloak Role
|
- name: Keycloak Role
|
||||||
include_role:
|
ansible.builtin.include_role:
|
||||||
name: keycloak
|
name: middleware_automation.keycloak.keycloak
|
||||||
vars:
|
vars:
|
||||||
keycloak_admin_password: "changeme"
|
keycloak_admin_password: "changeme"
|
||||||
keycloak_rhsso_enable: True
|
keycloak_rhsso_enable: True
|
|
@ -1,3 +1,3 @@
|
||||||
---
|
---
|
||||||
- name: restart keycloak
|
- name: restart keycloak
|
||||||
include_tasks: restart_keycloak.yml
|
ansible.builtin.include_tasks: restart_keycloak.yml
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
- block:
|
- block:
|
||||||
- name: "Check if package {{ package_name }} is already installed"
|
- name: "Check if package {{ package_name }} is already installed"
|
||||||
command: rpm -q {{ package_name }}
|
ansible.builtin.command: rpm -q {{ package_name }}
|
||||||
args:
|
args:
|
||||||
warn: no
|
warn: no
|
||||||
register: rpm_info
|
register: rpm_info
|
||||||
|
@ -9,6 +9,6 @@
|
||||||
|
|
||||||
rescue:
|
rescue:
|
||||||
- name: "Add {{ package_name }} to the yum install list if missing"
|
- name: "Add {{ package_name }} to the yum install list if missing"
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
packages_to_install: "{{ packages_to_install + [ package_name ] }}"
|
packages_to_install: "{{ packages_to_install + [ package_name ] }}"
|
||||||
when: rpm_info.failed
|
when: rpm_info.failed
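Review bot: `ansible.builtin.command: rpm -q {{ package_name }}` keeps `args:` / `warn: no` beneath it, but the `warn` option of the command module was deprecated in 2.10 and removed in ansible-core 2.14, so on those cores the task fails with an unsupported-parameter error before rpm runs and the `rescue` branch would presumably then add every package to the install list. Now that the module is addressed by FQCN, drop the two lines `args:` and `warn: no`. The `block:` opened in the first hunk continues into the second; its tail is not shown.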
|
|
@ -1,18 +1,18 @@
|
||||||
---
|
---
|
||||||
- name: Set facts
|
- name: Set facts
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
update_cache: true
|
update_cache: true
|
||||||
packages_to_install: []
|
packages_to_install: []
|
||||||
|
|
||||||
- name: "Check packages to be installed"
|
- name: "Check packages to be installed"
|
||||||
include_tasks: check.yml
|
ansible.builtin.include_tasks: check.yml
|
||||||
loop: "{{ packages_list | flatten }}"
|
loop: "{{ packages_list | flatten }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: package_name
|
loop_var: package_name
|
||||||
|
|
||||||
- name: "Install packages: {{ packages_to_install }}"
|
- name: "Install packages: {{ packages_to_install }}"
|
||||||
become: yes
|
become: yes
|
||||||
yum:
|
ansible.builtin.yum:
|
||||||
name: "{{ packages_to_install }}"
|
name: "{{ packages_to_install }}"
|
||||||
state: present
|
state: present
|
||||||
when: packages_to_install | length > 0
|
when: packages_to_install | length > 0
|
|
@ -7,7 +7,7 @@
|
||||||
|
|
||||||
- name: Enable and start the firewalld service
|
- name: Enable and start the firewalld service
|
||||||
become: yes
|
become: yes
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
name: firewalld
|
name: firewalld
|
||||||
enabled: yes
|
enabled: yes
|
||||||
state: started
|
state: started
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- name: Validate parameters
|
- name: Validate parameters
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- keycloak_jboss_home is defined
|
- keycloak_jboss_home is defined
|
||||||
- keycloak_service_user is defined
|
- keycloak_service_user is defined
|
||||||
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
- name: Check for an existing deployment
|
- name: Check for an existing deployment
|
||||||
become: yes
|
become: yes
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "{{ keycloak_jboss_home }}"
|
path: "{{ keycloak_jboss_home }}"
|
||||||
register: existing_deploy
|
register: existing_deploy
|
||||||
|
|
||||||
|
@ -20,24 +20,24 @@
|
||||||
- name: Stop the old keycloak service
|
- name: Stop the old keycloak service
|
||||||
become: yes
|
become: yes
|
||||||
ignore_errors: yes
|
ignore_errors: yes
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
name: keycloak
|
name: keycloak
|
||||||
state: stopped
|
state: stopped
|
||||||
- name: Remove the old Keycloak deployment
|
- name: Remove the old Keycloak deployment
|
||||||
become: yes
|
become: yes
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ keycloak_jboss_home }}"
|
path: "{{ keycloak_jboss_home }}"
|
||||||
state: absent
|
state: absent
|
||||||
when: existing_deploy.stat.exists and keycloak_force_install|bool
|
when: existing_deploy.stat.exists and keycloak_force_install|bool
|
||||||
|
|
||||||
- name: check for an existing deployment after possible forced removal
|
- name: check for an existing deployment after possible forced removal
|
||||||
become: yes
|
become: yes
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "{{ keycloak_jboss_home }}"
|
path: "{{ keycloak_jboss_home }}"
|
||||||
|
|
||||||
- name: create Keycloak service user/group
|
- name: create Keycloak service user/group
|
||||||
become: yes
|
become: yes
|
||||||
user:
|
ansible.builtin.user:
|
||||||
name: "{{ keycloak_service_user }}"
|
name: "{{ keycloak_service_user }}"
|
||||||
home: /opt/keycloak
|
home: /opt/keycloak
|
||||||
system: yes
|
system: yes
|
||||||
|
@ -45,7 +45,7 @@
|
||||||
|
|
||||||
- name: create Keycloak install location
|
- name: create Keycloak install location
|
||||||
become: yes
|
become: yes
|
||||||
file:
|
ansible.builtin.file:
|
||||||
dest: "{{ keycloak_dest }}"
|
dest: "{{ keycloak_dest }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ keycloak_service_user }}"
|
owner: "{{ keycloak_service_user }}"
|
||||||
|
@ -54,23 +54,23 @@
|
||||||
|
|
||||||
## check remote archive
|
## check remote archive
|
||||||
- name: Set download archive path
|
- name: Set download archive path
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"
|
archive: "{{ keycloak_dest }}/{{ keycloak.bundle }}"
|
||||||
|
|
||||||
- name: Check download archive path
|
- name: Check download archive path
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "{{ archive }}"
|
path: "{{ archive }}"
|
||||||
register: archive_path
|
register: archive_path
|
||||||
|
|
||||||
## download to controller
|
## download to controller
|
||||||
- name: Check local download archive path
|
- name: Check local download archive path
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "{{ lookup('env', 'PWD') }}"
|
path: "{{ lookup('env', 'PWD') }}"
|
||||||
register: local_path
|
register: local_path
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
|
|
||||||
- name: Download keycloak archive
|
- name: Download keycloak archive
|
||||||
get_url:
|
ansible.builtin.get_url:
|
||||||
url: "{{ keycloak_download_url }}"
|
url: "{{ keycloak_download_url }}"
|
||||||
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
|
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
|
@ -82,7 +82,7 @@
|
||||||
- not keycloak_offline_install
|
- not keycloak_offline_install
|
||||||
|
|
||||||
- name: Perform download from RHN
|
- name: Perform download from RHN
|
||||||
redhat_csp_download:
|
middleware_automation.redhat_csp_download.redhat_csp_download:
|
||||||
url: "{{ keycloak_rhsso_download_url }}"
|
url: "{{ keycloak_rhsso_download_url }}"
|
||||||
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
|
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
|
||||||
username: "{{ rhn_username }}"
|
username: "{{ rhn_username }}"
|
||||||
|
@ -98,7 +98,7 @@
|
||||||
- keycloak_rhn_url in keycloak_rhsso_download_url
|
- keycloak_rhn_url in keycloak_rhsso_download_url
|
||||||
|
|
||||||
- name: Download rhsso archive from alternate location
|
- name: Download rhsso archive from alternate location
|
||||||
get_url:
|
ansible.builtin.get_url:
|
||||||
url: "{{ keycloak_rhsso_download_url }}"
|
url: "{{ keycloak_rhsso_download_url }}"
|
||||||
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
|
dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
|
@ -111,14 +111,14 @@
|
||||||
- not keycloak_rhn_url in keycloak_rhsso_download_url
|
- not keycloak_rhn_url in keycloak_rhsso_download_url
|
||||||
|
|
||||||
- name: Check downloaded archive
|
- name: Check downloaded archive
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
|
path: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
|
||||||
register: local_archive_path
|
register: local_archive_path
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
|
|
||||||
## copy and unpack
|
## copy and unpack
|
||||||
- name: Copy archive to target nodes
|
- name: Copy archive to target nodes
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
|
src: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
|
||||||
dest: "{{ archive }}"
|
dest: "{{ archive }}"
|
||||||
owner: "{{ keycloak_service_user }}"
|
owner: "{{ keycloak_service_user }}"
|
||||||
|
@ -132,13 +132,13 @@
|
||||||
become: yes
|
become: yes
|
||||||
|
|
||||||
- name: "Check target directory: {{ keycloak.home }}"
|
- name: "Check target directory: {{ keycloak.home }}"
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "{{ keycloak.home }}"
|
path: "{{ keycloak.home }}"
|
||||||
register: path_to_workdir
|
register: path_to_workdir
|
||||||
become: yes
|
become: yes
|
||||||
|
|
||||||
- name: "Extract {{ 'Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Keycloak' }} archive on target"
|
- name: "Extract {{ 'Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Keycloak' }} archive on target"
|
||||||
unarchive:
|
ansible.builtin.unarchive:
|
||||||
remote_src: yes
|
remote_src: yes
|
||||||
src: "{{ archive }}"
|
src: "{{ archive }}"
|
||||||
dest: "{{ keycloak_dest }}"
|
dest: "{{ keycloak_dest }}"
|
||||||
|
@ -152,13 +152,13 @@
|
||||||
- restart keycloak
|
- restart keycloak
|
||||||
|
|
||||||
- name: Inform decompression was not executed
|
- name: Inform decompression was not executed
|
||||||
debug:
|
ansible.builtin.debug:
|
||||||
msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
|
msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
|
||||||
when:
|
when:
|
||||||
- not new_version_downloaded.changed and path_to_workdir.stat.exists
|
- not new_version_downloaded.changed and path_to_workdir.stat.exists
|
||||||
|
|
||||||
- name: "Reown installation directory to {{ keycloak_service_user }}"
|
- name: "Reown installation directory to {{ keycloak_service_user }}"
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ keycloak.home }}"
|
path: "{{ keycloak.home }}"
|
||||||
owner: "{{ keycloak_service_user }}"
|
owner: "{{ keycloak_service_user }}"
|
||||||
group: "{{ keycloak_service_group }}"
|
group: "{{ keycloak_service_group }}"
|
||||||
|
@ -168,8 +168,8 @@
|
||||||
|
|
||||||
# driver and configuration
|
# driver and configuration
|
||||||
- name: "Install {{ keycloak_jdbc_engine }} driver"
|
- name: "Install {{ keycloak_jdbc_engine }} driver"
|
||||||
include_role:
|
ansible.builtin.include_role:
|
||||||
name: wildfly_driver
|
name: middleware_automation.wildfly.wildfly_driver
|
||||||
vars:
|
vars:
|
||||||
wildfly_user: "{{ keycloak_service_user }}"
|
wildfly_user: "{{ keycloak_service_user }}"
|
||||||
jdbc_driver_module_dir: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
|
jdbc_driver_module_dir: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}"
|
||||||
|
@ -182,7 +182,7 @@
|
||||||
|
|
||||||
- name: "Deploy {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
|
- name: "Deploy {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
|
||||||
become: yes
|
become: yes
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: templates/standalone.xml.j2
|
src: templates/standalone.xml.j2
|
||||||
dest: "{{ keycloak_config_path_to_standalone_xml }}"
|
dest: "{{ keycloak_config_path_to_standalone_xml }}"
|
||||||
owner: "{{ keycloak_service_user }}"
|
owner: "{{ keycloak_service_user }}"
|
||||||
|
@ -194,7 +194,7 @@
|
||||||
|
|
||||||
- name: "Deploy {{ keycloak.service_name }} config with remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
|
- name: "Deploy {{ keycloak.service_name }} config with remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
|
||||||
become: yes
|
become: yes
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: templates/standalone-infinispan.xml.j2
|
src: templates/standalone-infinispan.xml.j2
|
||||||
dest: "{{ keycloak_config_path_to_standalone_xml }}"
|
dest: "{{ keycloak_config_path_to_standalone_xml }}"
|
||||||
owner: "{{ keycloak_service_user }}"
|
owner: "{{ keycloak_service_user }}"
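Review bot: The `middleware_automation.redhat_csp_download.redhat_csp_download:` task in the `@ -82,7` hunk receives `rhn_username` (and presumably `rhn_password` on the lines after the hunk) but gets no `no_log: True`, unlike the credential-carrying tasks this same commit fixes in the keycloak_realm role; a failed call or a `-vvv` run prints the module invocation unless the module's argspec hides those fields. Add `no_log: True` to that task. The two `ansible.builtin.get_url` downloads in this section fetch the archive that `ansible.builtin.unarchive` later unpacks, and no `checksum:` option is visible in the hunks; adding one, e.g. `checksum: "sha256:{{ keycloak_archive_checksum }}"` (variable name is a placeholder), would give an integrity check that the existence-only `ansible.builtin.stat` tasks do not provide.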
|
||||||
|
|
|
@ -2,25 +2,25 @@
|
||||||
# tasks file for keycloak
|
# tasks file for keycloak
|
||||||
|
|
||||||
- name: Check prerequisites
|
- name: Check prerequisites
|
||||||
include_tasks: prereqs.yml
|
ansible.builtin.include_tasks: prereqs.yml
|
||||||
tags:
|
tags:
|
||||||
- prereqs
|
- prereqs
|
||||||
|
|
||||||
- name: Include install tasks
|
- name: Include install tasks
|
||||||
include_tasks: tasks/install.yml
|
ansible.builtin.include_tasks: tasks/install.yml
|
||||||
|
|
||||||
- name: Include systemd tasks
|
- name: Include systemd tasks
|
||||||
include_tasks: tasks/systemd.yml
|
ansible.builtin.include_tasks: tasks/systemd.yml
|
||||||
|
|
||||||
- name: Link default logs directory
|
- name: Link default logs directory
|
||||||
file:
|
ansible.builtin.file:
|
||||||
state: link
|
state: link
|
||||||
src: "{{ keycloak_jboss_home }}/standalone/log"
|
src: "{{ keycloak_jboss_home }}/standalone/log"
|
||||||
dest: /var/log/keycloak
|
dest: /var/log/keycloak
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
- name: Check admin credentials by generating a token
|
- name: Check admin credentials by generating a token
|
||||||
uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
|
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
|
||||||
method: POST
|
method: POST
|
||||||
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
|
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
|
||||||
|
@ -31,7 +31,7 @@
|
||||||
delay: 2
|
delay: 2
|
||||||
rescue:
|
rescue:
|
||||||
- name: "Create {{ keycloak.service_name }} admin user"
|
- name: "Create {{ keycloak.service_name }} admin user"
|
||||||
command:
|
ansible.builtin.command:
|
||||||
args:
|
args:
|
||||||
argv:
|
argv:
|
||||||
- "{{ keycloak_jboss_home }}/bin/add-user-keycloak.sh"
|
- "{{ keycloak_jboss_home }}/bin/add-user-keycloak.sh"
|
||||||
|
@ -41,9 +41,9 @@
|
||||||
changed_when: yes
|
changed_when: yes
|
||||||
become: yes
|
become: yes
|
||||||
- name: "Restart {{ keycloak.service_name }}"
|
- name: "Restart {{ keycloak.service_name }}"
|
||||||
include_tasks: tasks/restart_keycloak.yml
|
ansible.builtin.include_tasks: tasks/restart_keycloak.yml
|
||||||
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
|
- name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
|
||||||
uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ keycloak.health_url }}"
|
url: "{{ keycloak.health_url }}"
|
||||||
register: keycloak_status
|
register: keycloak_status
|
||||||
until: keycloak_status.status == 200
|
until: keycloak_status.status == 200
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- name: Validate configuration
|
- name: Validate configuration
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- (keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and not keycloak_db_enabled)
|
- (keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and not keycloak_db_enabled)
|
||||||
quiet: True
|
quiet: True
|
||||||
|
@ -8,7 +8,7 @@
|
||||||
success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"
|
success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"
|
||||||
|
|
||||||
- name: Validate credentials
|
- name: Validate credentials
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
|
- (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
|
||||||
- (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
|
- (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install
|
||||||
|
@ -17,7 +17,7 @@
|
||||||
success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
|
success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}"
|
||||||
|
|
||||||
- name: Set required packages facts
|
- name: Set required packages facts
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
required_packages:
|
required_packages:
|
||||||
- "{{ jvm_package }}"
|
- "{{ jvm_package }}"
|
||||||
- unzip
|
- unzip
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- name: "Restart and enable keycloack service"
|
- name: "Restart and enable keycloack service"
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
name: keycloak
|
name: keycloak
|
||||||
enabled: yes
|
enabled: yes
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- name: "Stop SSO service"
|
- name: "Stop SSO service"
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
name: keycloak
|
name: keycloak
|
||||||
enabled: yes
|
enabled: yes
|
||||||
state: stopped
|
state: stopped
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
- name: configure keycloak service script wrapper
|
- name: configure keycloak service script wrapper
|
||||||
become: yes
|
become: yes
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: keycloak-service.sh.j2
|
src: keycloak-service.sh.j2
|
||||||
dest: "{{ keycloak_dest }}/keycloak-service.sh"
|
dest: "{{ keycloak_dest }}/keycloak-service.sh"
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -11,7 +11,7 @@
|
||||||
|
|
||||||
- name: configure sysconfig file for keycloak service
|
- name: configure sysconfig file for keycloak service
|
||||||
become: yes
|
become: yes
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: keycloak-sysconfig.j2
|
src: keycloak-sysconfig.j2
|
||||||
dest: /etc/sysconfig/keycloak
|
dest: /etc/sysconfig/keycloak
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -21,7 +21,7 @@
|
||||||
- restart keycloak
|
- restart keycloak
|
||||||
|
|
||||||
- name: configure systemd unit file for keycloak service
|
- name: configure systemd unit file for keycloak service
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: keycloak.service.j2
|
src: keycloak.service.j2
|
||||||
dest: /etc/systemd/system/keycloak.service
|
dest: /etc/systemd/system/keycloak.service
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -34,33 +34,33 @@
|
||||||
|
|
||||||
- name: reload systemd
|
- name: reload systemd
|
||||||
become: yes
|
become: yes
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
daemon_reload: yes
|
daemon_reload: yes
|
||||||
when: systemdunit.changed
|
when: systemdunit.changed
|
||||||
|
|
||||||
- name: start keycloak
|
- name: start keycloak
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
name: keycloak
|
name: keycloak
|
||||||
enabled: yes
|
enabled: yes
|
||||||
state: started
|
state: started
|
||||||
become: yes
|
become: yes
|
||||||
|
|
||||||
- name: Check service status
|
- name: Check service status
|
||||||
command: "systemctl status keycloak"
|
ansible.builtin.command: "systemctl status keycloak"
|
||||||
register: keycloak_service_status
|
register: keycloak_service_status
|
||||||
changed_when: False
|
changed_when: False
|
||||||
|
|
||||||
- name: Verify service status
|
- name: Verify service status
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- keycloak_service_status is defined
|
- keycloak_service_status is defined
|
||||||
- keycloak_service_status.stdout is defined
|
- keycloak_service_status.stdout is defined
|
||||||
|
|
||||||
- name: Flush handlers
|
- name: Flush handlers
|
||||||
meta: flush_handlers
|
ansible.builtin.meta: flush_handlers
|
||||||
|
|
||||||
- name: "Wait until Keycloak becomes active {{ keycloak.health_url }}"
|
- name: "Wait until Keycloak becomes active {{ keycloak.health_url }}"
|
||||||
uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ keycloak.health_url }}"
|
url: "{{ keycloak.health_url }}"
|
||||||
register: keycloak_status
|
register: keycloak_status
|
||||||
until: keycloak_status.status == 200
|
until: keycloak_status.status == 200
|
||||||
|
|
|
@ -1,17 +1,18 @@
|
||||||
---
|
---
|
||||||
- name: Generate keycloak auth token
|
- name: Generate keycloak auth token
|
||||||
uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
|
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
|
||||||
method: POST
|
method: POST
|
||||||
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
|
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
|
||||||
validate_certs: no
|
validate_certs: no
|
||||||
|
no_log: True
|
||||||
register: keycloak_auth_response
|
register: keycloak_auth_response
|
||||||
until: keycloak_auth_response.status == 200
|
until: keycloak_auth_response.status == 200
|
||||||
retries: 5
|
retries: 5
|
||||||
delay: 2
|
delay: 2
|
||||||
|
|
||||||
- name: "Determine if realm exists"
|
- name: "Determine if realm exists"
|
||||||
uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}"
|
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}"
|
||||||
method: GET
|
method: GET
|
||||||
status_code:
|
status_code:
|
||||||
|
@ -23,7 +24,7 @@
|
||||||
register: keycloak_realm_exists
|
register: keycloak_realm_exists
|
||||||
|
|
||||||
- name: Create Realm
|
- name: Create Realm
|
||||||
uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ keycloak_url }}/auth/admin/realms"
|
url: "{{ keycloak_url }}/auth/admin/realms"
|
||||||
method: POST
|
method: POST
|
||||||
body: "{{ lookup('template','realm.json.j2') }}"
|
body: "{{ lookup('template','realm.json.j2') }}"
|
||||||
|
@ -47,6 +48,7 @@
|
||||||
provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}"
|
provider_type: "{{ item.provider_type | default(org.keycloak.storage.UserStorageProvider) }}"
|
||||||
config: "{{ item.config }}"
|
config: "{{ item.config }}"
|
||||||
mappers: "{{ item.mappers | default(omit) }}"
|
mappers: "{{ item.mappers | default(omit) }}"
|
||||||
|
no_log: True
|
||||||
register: create_user_federation_result
|
register: create_user_federation_result
|
||||||
loop: "{{ keycloak_user_federation | flatten }}"
|
loop: "{{ keycloak_user_federation | flatten }}"
|
||||||
when: keycloak_user_federation is defined
|
when: keycloak_user_federation is defined
|
||||||
|
@ -78,19 +80,20 @@
|
||||||
public_client: "{{ item.public_client | default(False) }}"
|
public_client: "{{ item.public_client | default(False) }}"
|
||||||
protocol: "{{ item.protocol | default(omit) }}"
|
protocol: "{{ item.protocol | default(omit) }}"
|
||||||
state: present
|
state: present
|
||||||
|
no_log: True
|
||||||
register: create_client_result
|
register: create_client_result
|
||||||
loop: "{{ keycloak_clients | flatten }}"
|
loop: "{{ keycloak_clients | flatten }}"
|
||||||
when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined)
|
when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined)
|
||||||
|
|
||||||
- name: Create client roles
|
- name: Create client roles
|
||||||
include_tasks: manage_client_roles.yml
|
ansible.builtin.include_tasks: manage_client_roles.yml
|
||||||
loop: "{{ keycloak_clients | flatten }}"
|
loop: "{{ keycloak_clients | flatten }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: client
|
loop_var: client
|
||||||
when: "'roles' in client"
|
when: "'roles' in client"
|
||||||
|
|
||||||
- name: Create client users
|
- name: Create client users
|
||||||
include_tasks: manage_client_users.yml
|
ansible.builtin.include_tasks: manage_client_users.yml
|
||||||
loop: "{{ keycloak_clients | flatten }}"
|
loop: "{{ keycloak_clients | flatten }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: client
|
loop_var: client
|
||||||
|
|
|
@ -10,3 +10,4 @@
|
||||||
auth_password: "{{ keycloak_admin_password }}"
|
auth_password: "{{ keycloak_admin_password }}"
|
||||||
state: present
|
state: present
|
||||||
loop: "{{ client.roles | flatten }}"
|
loop: "{{ client.roles | flatten }}"
|
||||||
|
no_log: True
|
||||||
|
|
|
@ -1,12 +1,12 @@
|
||||||
---
|
---
|
||||||
- name: Manage Users
|
- name: Manage Users
|
||||||
include_tasks: manage_user.yml
|
ansible.builtin.include_tasks: manage_user.yml
|
||||||
loop: "{{ client.users | flatten }}"
|
loop: "{{ client.users | flatten }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: user
|
loop_var: user
|
||||||
|
|
||||||
- name: Manage User Roles
|
- name: Manage User Roles
|
||||||
include_tasks: manage_user_roles.yml
|
ansible.builtin.include_tasks: manage_user_roles.yml
|
||||||
loop: "{{ client.users | flatten }}"
|
loop: "{{ client.users | flatten }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: user
|
loop_var: user
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- name: "Check if User Already Exists"
|
- name: "Check if User Already Exists"
|
||||||
uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
|
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
|
||||||
validate_certs: no
|
validate_certs: no
|
||||||
headers:
|
headers:
|
||||||
|
@ -8,7 +8,7 @@
|
||||||
register: keycloak_user_search_result
|
register: keycloak_user_search_result
|
||||||
|
|
||||||
- name: "Create User"
|
- name: "Create User"
|
||||||
uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users"
|
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users"
|
||||||
method: POST
|
method: POST
|
||||||
body:
|
body:
|
||||||
|
@ -26,7 +26,7 @@
|
||||||
when: keycloak_user_search_result.json | length == 0
|
when: keycloak_user_search_result.json | length == 0
|
||||||
|
|
||||||
- name: "Get User"
|
- name: "Get User"
|
||||||
uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
|
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
|
||||||
validate_certs: no
|
validate_certs: no
|
||||||
headers:
|
headers:
|
||||||
|
@ -34,7 +34,7 @@
|
||||||
register: keycloak_user
|
register: keycloak_user
|
||||||
|
|
||||||
- name: "Update User Password"
|
- name: "Update User Password"
|
||||||
uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users/{{ (keycloak_user.json | first).id }}/reset-password"
|
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users/{{ (keycloak_user.json | first).id }}/reset-password"
|
||||||
method: PUT
|
method: PUT
|
||||||
body:
|
body:
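Review bot: The "Update User Password" `ansible.builtin.uri:` task opens a `body:` that, judging from the task name and the `/reset-password` endpoint, presumably carries the user's new credential, yet no `no_log: True` is added here even though this commit adds it to the other credential-bearing tasks in this role; the body lines themselves fall outside the hunk. Add `no_log: True` to that task, and to "Create User" if its `body:` (also cut off by the hunk) includes a password. Both tasks additionally run with `validate_certs: no` in context.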
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- name: "Get Realm for role"
|
- name: "Get Realm for role"
|
||||||
uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}"
|
url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}"
|
||||||
method: GET
|
method: GET
|
||||||
status_code:
|
status_code:
|
||||||
|
@ -11,7 +11,7 @@
|
||||||
register: client_role_realm
|
register: client_role_realm
|
||||||
|
|
||||||
- name: Check if Mapping is available
|
- name: Check if Mapping is available
|
||||||
uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
|
url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}/available"
|
||||||
method: GET
|
method: GET
|
||||||
status_code:
|
status_code:
|
||||||
|
@ -22,7 +22,7 @@
|
||||||
register: client_role_user_available
|
register: client_role_user_available
|
||||||
|
|
||||||
- name: "Create Role Mapping"
|
- name: "Create Role Mapping"
|
||||||
uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}"
|
url: "{{ keycloak_url }}/auth/admin/realms/{{ client_role.realm }}/users/{{ (keycloak_user.json | first).id }}/role-mappings/clients/{{ (create_client_result.results | selectattr('end_state.clientId', 'equalto', client_role.client) | list | first).end_state.id }}"
|
||||||
method: POST
|
method: POST
|
||||||
body:
|
body:
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- name: "Get User {{ user.username }}"
|
- name: "Get User {{ user.username }}"
|
||||||
uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
|
url: "{{ keycloak_url }}/auth/admin/realms/{{ keycloak_realm }}/users?username={{ user.username }}"
|
||||||
headers:
|
headers:
|
||||||
validate_certs: no
|
validate_certs: no
|
||||||
|
@ -8,18 +8,19 @@
|
||||||
register: keycloak_user
|
register: keycloak_user
|
||||||
|
|
||||||
- name: Refresh keycloak auth token
|
- name: Refresh keycloak auth token
|
||||||
uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
|
url: "{{ keycloak_url }}/auth/realms/master/protocol/openid-connect/token"
|
||||||
method: POST
|
method: POST
|
||||||
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
|
body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
|
||||||
validate_certs: no
|
validate_certs: no
|
||||||
register: keycloak_auth_response
|
register: keycloak_auth_response
|
||||||
|
no_log: True
|
||||||
until: keycloak_auth_response.status == 200
|
until: keycloak_auth_response.status == 200
|
||||||
retries: 5
|
retries: 5
|
||||||
delay: 2
|
delay: 2
|
||||||
|
|
||||||
- name: "Manage Client Role Mapping for {{ user.username }}"
|
- name: "Manage Client Role Mapping for {{ user.username }}"
|
||||||
include_tasks: manage_user_client_roles.yml
|
ansible.builtin.include_tasks: manage_user_client_roles.yml
|
||||||
loop: "{{ user.client_roles | flatten }}"
|
loop: "{{ user.client_roles | flatten }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: client_role
|
loop_var: client_role
|
||||||
|
|