11 KiB
11 KiB
keycloak
Install keycloak or Red Hat Single Sign-On server configurations.
Requirements
This role requires the python3-netaddr
library installed on the controller node.
- to install via yum/dnf:
dnf install python3-netaddr
- or via pip:
pip install netaddr==0.8.0
- or via the collection:
pip install -r requirements.txt
Dependencies
The roles depends on:
- the
redhat_csp_download
role from middleware_automation.redhat_csp_download collection if Red Hat Single Sign-on zip have to be downloaded from RHN. - the
wildfly_driver
role from middleware_automation.wildfly collection
Versions
RH-SSO VERSION | Release Date | Keycloak Version | EAP Version | Notes |
---|---|---|---|---|
7.5.0 GA |
September 20, 2021 | 15.0.2 |
7.4.0 |
Release Notes |
Patching
When variable keycloak_rhsso_apply_patches
is True
(default: False
), the role will automatically apply the latest cumulative patch for the selected base version.
RH-SSO VERSION | Release Date | RH-SSO LATEST CP | Notes |
---|---|---|---|
7.5.0 GA |
January 20, 2022 | 7.5.1 GA |
Release Notes |
Role Defaults
- Service configuration
Variable | Description | Default |
---|---|---|
keycloak_ha_enabled |
Enable auto configuration for database backend, clustering and remote caches on infinispan | False |
keycloak_db_enabled |
Enable auto configuration for database backend | True if keycloak_ha_enabled is True, else False |
keycloak_admin_user |
Administration console user account | admin |
keycloak_bind_address |
Address for binding service ports | 0.0.0.0 |
keycloak_host |
hostname | localhost |
keycloak_http_port |
HTTP port | 8080 |
keycloak_https_port |
TLS HTTP port | 8443 |
keycloak_ajp_port |
AJP port | 8009 |
keycloak_jgroups_port |
jgroups cluster tcp port | 7600 |
keycloak_management_http_port |
Management port | 9990 |
keycloak_management_https_port |
TLS management port | 9993 |
keycloak_prefer_ipv4 |
Prefer IPv4 stack and addresses for port binding | True |
keycloak_config_standalone_xml |
filename for configuration | keycloak.xml |
keycloak_service_user |
posix account username | keycloak |
keycloak_service_group |
posix account group | keycloak |
keycloak_service_pidfile |
pid file path for service | /run/keycloak.pid |
keycloak_jvm_package |
RHEL java package runtime | java-1.8.0-openjdk-devel |
keycloak_java_home |
JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path | None |
keycloak_java_opts |
Additional JVM options | -Xms1024m -Xmx2048m |
- Install options
Variable | Description | Default |
---|---|---|
keycloak_rhsso_enable |
Enable Red Hat Single Sign-on installation | False |
keycloak_offline_install |
perform an offline install | False |
keycloak_download_url |
Download URL for keycloak | https://github.com/keycloak/keycloak/releases/download/<version>/<archive> |
keycloak_rhsso_download_url |
Download URL for RHSSO | https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=<productID> |
keycloak_version |
keycloak.org package version | 15.0.2 |
keycloak_rhsso_version |
RHSSO version | 7.5.0 |
keycloak_rhsso_apply_patches |
Install RHSSO more recent cumulative patch | False |
keycloak_dest |
Installation root path | /opt/keycloak |
keycloak_download_url |
Download URL for keycloak | https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }} |
keycloak_rhn_url |
Base download URI for customer portal | https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId= |
keycloak_configure_firewalld |
Ensure firewalld is running and configure keycloak ports | False |
- Miscellaneous configuration
Variable | Description | Default |
---|---|---|
keycloak_archive |
keycloak install archive filename | keycloak-{{ keycloak_version }}.zip |
keycloak_download_url_9x |
Download URL for keycloak (deprecated) | https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }} |
keycloak_installdir |
Installation path | {{ keycloak_dest }}/keycloak-{{ keycloak_version }} |
keycloak_rhsso_archive |
Red Hat SSO install archive filename | rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip |
keycloak_rhsso_installdir |
Installation path for Red Hat SSO | `{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version |
keycloak_rhsso_download_url |
Full download URI for Red Hat SSO | {{ keycloak_rhn_url }}{{ rhsso_rhn_id }} |
keycloak_jboss_home |
Installation work directory | {{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }} |
keycloak_config_dir |
Path for configuration | {{ keycloak_jboss_home }}/standalone/configuration |
keycloak_config_path_to_standalone_xml |
Custom path for configuration | {{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }} |
keycloak_config_override_template |
Path to custom template for standalone.xml configuration | '' |
keycloak_auth_realm |
Name for rest authentication realm | master |
keycloak_auth_client |
Authentication client for configuration REST calls | admin-cli |
keycloak_force_install |
Remove pre-existing versions of service | False |
keycloak_url |
URL for configuration rest calls | http://{{ keycloak_host }}:{{ keycloak_http_port }} |
keycloak_management_url |
URL for management console rest calls | http://{{ keycloak_host }}:{{ keycloak_management_http_port }} |
rhsso_rhn_id |
Customer Portal product ID for Red Hat SSO | {{ rhsso_rhn_ids[keycloak_rhsso_version].id }} |
Role Variables
The following are a set of required variables for the role:
Variable | Description |
---|---|
keycloak_admin_password |
Password for the administration console user account (minimum 12 characters) |
keycloak_frontend_url |
frontend URL for keycloak endpoint |
The following variables are required only when keycloak_ha_enabled
is True:
Variable | Description | Default |
---|---|---|
keycloak_modcluster_url |
URL for the modcluster reverse proxy | localhost |
keycloak_jdbc_engine |
backend database engine when db is enabled: [ postgres, mariadb ] | postgres |
infinispan_url |
URL for the infinispan remote-cache server | localhost:11122 |
infinispan_user |
username for connecting to infinispan | supervisor |
infinispan_pass |
password for connecting to infinispan | supervisor |
infinispan_sasl_mechanism |
Authentication type | SCRAM-SHA-512 |
infinispan_use_ssl |
Enable hotrod TLS communication | False |
infinispan_trust_store_path |
Path to truststore with infinispan server certificate | /etc/pki/java/cacerts |
infinispan_trust_store_password |
Password for opening truststore | changeit |
The following variables are required only when keycloak_db_enabled
is True:
Variable | Description | Default |
---|---|---|
keycloak_jdbc_url |
URL for the postgres backend database | jdbc:postgresql://localhost:5432/keycloak |
keycloak_jdbc_driver_version |
Version for the JDBC driver to download | 9.4.1212 |
keycloak_db_user |
username for connecting to postgres | keycloak-user |
keycloak_db_pass |
password for connecting to postgres | keycloak-pass |
Example Playbooks
NOTE: use ansible vaults or other security systems for storing credentials.
- The following is an example playbook that makes use of the role to install keycloak from remote:
---
- hosts: ...
vars:
keycloak_admin_password: "remembertochangeme"
collections:
- middleware_automation.keycloak
roles:
- middleware_automation.keycloak.keycloak
- The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN:
---
- name: Playbook for RHSSO
hosts: keycloak
collections:
- middleware_automation.redhat_csp_download
roles:
- redhat_csp_download
tasks:
- name: Keycloak Role
include_role:
name: keycloak
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_rhsso_enable: True
rhn_username: '<customer portal username>'
rhn_password: '<customer portal password>'
- The following example playbook makes use of the role to install keycloak from the controller node:
---
- hosts: ...
collections:
- middleware_automation.keycloak
tasks:
- name: Include keycloak role
include_role:
name: keycloak
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_offline_install: True
# This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip
- This playbook installs Red Hat Single Sign-On from an alternate url:
---
- hosts: keycloak
collections:
- middleware_automation.keycloak
tasks:
- name: Keycloak Role
include_role:
name: keycloak
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_rhsso_enable: True
keycloak_rhsso_download_url: "<REPLACE with download url>"
# This should be the full of remote source rhsso zip file and can contain basic authentication credentials
- The following is an example playbook that makes use of the role to install Red Hat Single Sign-On offline from the controller node, and apply latest cumulative patch:
---
- hosts: keycloak
collections:
- middleware_automation.keycloak
tasks:
- name: Keycloak Role
include_role:
name: keycloak
vars:
keycloak_admin_password: "remembertochangeme"
keycloak_rhsso_enable: True
keycloak_offline_install: True
keycloak_rhsso_apply_patches: True
# This should be the filename of rhsso zip file on Ansible node: rh-sso-7.5-server-dist.zip
License
Apache License 2.0