7.2 KiB

Raw Blame History

keycloak

Install keycloak or Red Hat Single Sing-On server configurations.

Requirements

This role requires the python3-netaddr library installed on the controller node.

to install via yum/dnf: dnf install python3-netaddr
or via pip: pip install netaddr==0.8.0

Versions

RH-SSO VERSION	Release Date	Keycloak Version	EAP Version	Notes
`7.5.0 GA`	September 20, 2021	`15.0.2`	`7.4.0`	Release Notes

Role Defaults

Variable	Description	Default
`keycloak_rhsso_enable`	Enable Red Hat Single Sign-on installation	`False`
`keycloak_ha_enabled`	Enable auto configuration for database backend, clustering and remote caches on infinispan	`False`
`keycloak_db_enabled`	Enable auto configuration for database backend	`True` if `keycloak_ha_enabled` is True, else `False`
`keycloak_admin_user`	Administration console user account	`admin`
`keycloak_bind_address`	Address for binding service ports	`0.0.0.0`
`keycloak_host`	hostname	`localhost`
`keycloak_http_port`	HTTP port	`8080`
`keycloak_https_port`	TLS HTTP port	`8443`
`keycloak_management_http_port`	Management port	`9990`
`keycloak_management_https_port`	TLS management port	`9993`
`keycloak_java_opts`	Additional JVM options	`-Xms1024m -Xmx2048m`
`keycloak_prefer_ipv4`	Prefer IPv4 stack and addresses for port binding	`True`
`jvm_package`	RHEL java package runtime	`java-1.8.0-openjdk-devel`

Role Variables

The following are a set of required variables for the role:

Variable	Description
`keycloak_admin_password`	Password for the administration console user account

The following variables are required only when keycloak_ha_enabled is True:

Variable	Description	Default
`keycloak_modcluster_url`	URL for the modcluster reverse proxy	`localhost`
`keycloak_frontend_url`	frontend URL for keycloak endpoints when a reverse proxy is used	`http://localhost`
`keycloak_jdbc_engine`	backend database flavour when db is enabled: [ postgres, mariadb ]	`postgres`
`infinispan_url`	URL for the infinispan remote-cache server	`localhost:11122`
`infinispan_user`	username for connecting to infinispan	`supervisor`
`infinispan_pass`	password for connecting to infinispan	`supervisor`
`infinispan_sasl_mechanism`	Authentication type	`SCRAM-SHA-512`
`infinispan_use_ssl`	Enable hotrod TLS communication	`False`
`infinispan_trust_store_path`	Path to truststore with infinispan server certificate	`/etc/pki/java/cacerts`
`infinispan_trust_store_password`	Password for opening truststore	`changeit`

The following variables are required only when keycloak_db_enabled is True:

Variable	Description	Default
`keycloak_jdbc_url`	URL for the postgres backend database	`jdbc:postgresql://localhost:5432/keycloak`
`keycloak_jdbc_driver_version`	Version for the JDBC driver to download	`9.4.1212`
`keycloak_db_user`	username for connecting to postgres	`keycloak-user`
`keycloak_db_pass`	password for connecting to postgres	`keycloak-pass`

The following variable can be used to install Keycloak or Red Hat Single Sign-On from local path:

Variable	Description	Example
`zip_file_local_path`	Full local path of upstream(Keycloak) or Red Hat Single Sign-On zip file on Ansible control plane	`tmp/rhsso/rh-sso-7.5-server-dist.zip`

The following variable can be used to install Red Hat Single Sign-On from source via url, auth support is not added right now.

Variable	Description	Example
`rhsso_source_download_url`	URL to download Red Hat Single Sign-On zip file from source	`http://localhost:8081/nexus/rhsso/rh-sso-7.5-server-dist.zip`

Dependencies

The roles depends on:

the redhat_csp_download role from middleware_automation.redhat_csp_download collection if Red Hat Single Sign-on zip have to be downloaded from RHN.
the wildfly_driver role from middleware_automation.wildfly collection

Example Playbook

The following is an example playbook that makes use of the role to install keycloak from remote

---
- hosts: ...
      collections:
        - middleware_automation.keycloak
      tasks:
        - name: Include keycloak role
          include_role:
            name: keycloak
          vars:
            keycloak_admin_password: "changeme"

The following is an example playbook that makes use of the role to install keycloak from local path on Ansible node

---
- hosts: ...
      collections:
        - middleware_automation.keycloak
      tasks:
        - name: Include keycloak role
          include_role:
            name: keycloak
          vars:
            keycloak_admin_password: "changeme"
            zip_file_local_path: "/tmp/keycloak/keycloak-16.1.0.zip"  # This should be local path on Ansible node of upstream(keycloak) zip file

The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN

---
- name: Playbook for RHSSO
  hosts: keycloak
  collections:
    - middleware_automation.redhat_csp_download
  roles:
    - redhat_csp_download
  tasks:
    - name: Keycloak Role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "changeme"
        keycloak_rhsso_enable: True

The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from source url

---
- hosts: keycloak
  collections:
    - middleware_automation.keycloak
  tasks:
    - name: Keycloak Role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "changeme"
        keycloak_rhsso_enable: True
        rhsso_source_download_url: "<REPLACE with - Source download url>" # This should be the full of remote source rhsso zip file

The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from local path on Ansible node

---
- hosts: keycloak
  collections:
    - middleware_automation.keycloak
  tasks:
    - name: Keycloak Role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "changeme"
        keycloak_rhsso_enable: True
        zip_file_local_path: "/tmp/rhsso/rh-sso-7.5-server-dist.zip"  # This should be local path on Ansible node of rhsso zip file

License

Apache License 2.0

7.2 KiB Raw Blame History