Go to file
Guido Grazioli e0664d53a9
fix: copy from local only if target not existing
2022-02-09 15:06:40 +01:00
.github/workflows Add roles argument_specs.yml 2022-02-08 16:28:17 +01:00
meta Add base role and playbook, molecule configuration 2021-12-14 11:26:42 +01:00
molecule/default chore: update dep on jcliff -> wildfly 2022-02-08 15:15:27 +01:00
playbooks Merge pull request #4 from motaparthipavankumar/keycloak-realm-enhancement 2022-01-18 11:23:00 -06:00
roles fix: copy from local only if target not existing 2022-02-09 15:06:40 +01:00
.gitignore gitignore locally downloaded archives 2022-01-27 15:38:04 +01:00
.yamllint Fix linter warnings 2021-12-14 11:34:41 +01:00
CONTRIBUTING.md chore: update dep on jcliff -> wildfly 2022-02-08 15:15:27 +01:00
LICENSE Initial commit 2021-12-14 09:54:49 +01:00
README.md Update documentation 2022-01-27 16:34:06 +01:00
galaxy.yml Start work on 0.2.3 2022-02-01 13:29:03 +01:00
requirements.txt rework docs, add python requirements 2022-01-27 15:38:03 +01:00
requirements.yml chore: update dep on jcliff -> wildfly 2022-02-08 15:15:27 +01:00

README.md

Ansible Collection - keycloak

Build Status

Collection to install and configure Keycloak or Red Hat Single Sign-On.

Ansible version compatibility

This collection has been tested against following Ansible versions: >=2.9.10.

Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.

Installation

Installing the Collection from Ansible Galaxy

Before using the collection, you need to install it with the Ansible Galaxy CLI:

ansible-galaxy collection install middleware_automation.keycloak

You can also include it in a requirements.yml file and install it via ansible-galaxy collection install -r requirements.yml, using the format:

---
collections:
  - name: middleware_automation.keycloak

The keycloak collection also depends on the following python packages to be present on the controller host:

  • netaddr

A requirement file is provided to install:

pip install -r requirements.txt

Included roles

  • keycloak: role for installing the service.
  • keycloak_realm: role for configuring a realm, user federation(s), clients and users, in an installed service.

Usage

Install Playbook

Both playbooks include the keycloak role, with different settings, as described in the following sections.

For service configuration details, refer to the keycloak role README.

Choosing between upstream project (Keycloak) and Red Hat Single Sign-On (RHSSO)

The general flag keycloak_rhsso_enable controls what to install between upstream(Keycloak, when False) or Red Hat Single Sign-On (when True). The default value for the flag if True when Red Hat Network credentials are defined, False otherwise.

Install upstream (Keycloak) from keycloak releases

This is the default approach when RHN credentials are not defined. Keycloak is downloaded from keycloak builds (hosted on github.com) locally, and distributed to target nodes.

Install RHSSO from the Red Hat Customer Support Portal

Define the credentials as follows, and the default behaviour is to download a fresh archive of RHSSO on the controller node, then distribute to target nodes.

rhn_username: '<customer_portal_username>'
rhn_password: '<customer_portal_password>'
# (keycloak_rhsso_enable defaults to True)

Install from controller node (local source)

Making the keycloak zip archive (or the RHSSO zip archive), available to the playbook repository root directory, and setting keycloak_offline_install to True, allows to skip the download tasks. The local path for the archive matches the downloaded archive path, so it is also used as a cache when multiple hosts are provisioned in a cluster.

keycloak_offline_install: True

And depending on keycloak_rhsso_enable:

  • True: install RHSSO using file rh-sso-x.y.z-server-dist.zip
  • False: install keycloak using file keycloak-x.y.zip

Install from alternate sources (like corporate Nexus, artifactory, proxy, etc)

For RHSSO:

keycloak_rhsso_enable: True
keycloak_rhsso_download_url: "https://<internal-nexus.private.net>/<path>/<to>/rh-sso-x.y.z-server-dist.zip"

For keycloak:

keycloak_rhsso_enable: False
keycloak_download_url: "https://<internal-nexus.private.net>/<path>/<to>/keycloak-x.y.zip"

Example installation command

Execute the following command from the source root directory

ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme>
  • keycloak_admin_password Password for the administration console user account.

  • ansible_hosts is the inventory, below is an example inventory for deploying to localhost

    [keycloak]
    localhost ansible_connection=local
    

Configuration

Config Playbook

playbooks/keycloak-realm.yml creates provided realm, user federation(s), client(s), client role(s) and client user(s) if they don't exist.

Example configuration command

Execute the following command from the source root directory

ansible-playbook -i <ansible_hosts> playbooks/keycloak-realm.yml -e keycloak_admin_password=<changeme> -e keycloak_realm=test
  • keycloak_admin_password password for the administration console user account.

  • keycloak_realm name of the realm to be created/used.

  • ansible_hosts is the inventory, below is an example inventory for deploying to localhost

    [keycloak]
    localhost ansible_connection=local
    

For configuration details, refer to the keycloak_realm role README.

License

Apache License v2.0 or later

See LICENSE to view the full text.