Collection to install and configure Keycloak or Red Hat Single Sign-On / Red Hat Build of Keycloak

License: Apache License 2.0


keycloak's Introduction

Ansible Collection - middleware_automation.keycloak


NOTE: If you are a Red Hat customer, install redhat.sso (for Red Hat Single Sign-On) or redhat.rhbk (for Red Hat Build of Keycloak) from Automation Hub as the certified version of this collection.

Collection to install and configure Keycloak or Red Hat Single Sign-On / Red Hat Build of Keycloak.

Ansible version compatibility

This collection has been tested against the following Ansible versions: >=2.15.0.

Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.

Installation

Installing the Collection from Ansible Galaxy

Before using the collection, you need to install it with the Ansible Galaxy CLI:

ansible-galaxy collection install middleware_automation.keycloak

You can also include it in a requirements.yml file and install it via ansible-galaxy collection install -r requirements.yml, using the format:

---
collections:
  - name: middleware_automation.keycloak

The keycloak collection also depends on the following python packages to be present on the controller host:

  • netaddr

A requirement file is provided to install:

pip install -r requirements.txt

Included roles

  • keycloak: role for installing the service (keycloak <= 19.0).
  • keycloak_realm: role for configuring a realm, user federation(s), clients and users, in an installed service.
  • keycloak_quarkus: role for installing the quarkus variant of keycloak (>= 17.0.0).

Usage

Install Playbook

Both playbooks include the keycloak role, with different settings, as described in the following sections.

For full service configuration details, refer to the keycloak role README.

Install from controller node (offline)

Placing the keycloak zip archive in the playbook working directory and setting keycloak_offline_install to true skips the download tasks. The local archive path is the same path the download tasks would write to, so the archive also serves as a cache when multiple hosts of a cluster are provisioned.

keycloak_offline_install: true

Install from alternate sources (like corporate Nexus, artifactory, proxy, etc)

It is possible to perform downloads from alternate sources using the keycloak_download_url variable; make sure the final downloaded filename matches the source filename (i.e. keycloak-legacy-x.y.zip or rh-sso-x.y.z-server-dist.zip).

Example installation command

Execute the following command from the source root directory

ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme>

  • keycloak_admin_password: password for the administration console user account.

  • ansible_hosts: the inventory; below is an example inventory for deploying to localhost

    [keycloak]
    localhost ansible_connection=local

Note: when deploying clustered configurations, all hosts belonging to the cluster must be present in ansible_play_batch; i.e. they must be targeted by the same ansible-playbook execution.

Configuration

Config Playbook

playbooks/keycloak_realm.yml creates or updates the provided realm, user federation(s), client(s), client role(s) and client user(s).

Example configuration command

Execute the following command from the source root directory:

ansible-playbook -i <ansible_hosts> playbooks/keycloak_realm.yml -e keycloak_admin_password=<changeme> -e keycloak_realm=test

  • keycloak_admin_password: password for the administration console user account.

  • keycloak_realm: name of the realm to be created/used.

  • ansible_hosts: the inventory; below is an example inventory for deploying to localhost

    [keycloak]
    localhost ansible_connection=local

For full configuration details, refer to the keycloak_realm role README.
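One way to drive both steps above (service installation, then realm and client configuration) from a single playbook, given here as an added example that is not part of the collection or its own documentation. The inventory group name, the vault file, the realm, the client and every URL are hypothetical placeholders; the variable names are the ones the two roles document (keycloak_admin_password, keycloak_offline_install, keycloak_frontend_url, keycloak_configure_firewalld, keycloak_host, keycloak_admin_user, keycloak_realm, keycloak_clients):

```yaml
# Added example, not collection code. Constructed values: group "keycloak",
# vault.yml holding vault_keycloak_admin_password, realm "test", client
# "web-frontend" and the example.internal hostnames are all placeholders.
---
- name: Install Keycloak and configure a realm
  hosts: keycloak
  become: true
  vars_files:
    # Encrypted with ansible-vault; keeps the admin password out of the
    # command line, shell history and process listings.
    - vault.yml

  tasks:
    - name: Install the service
      ansible.builtin.include_role:
        name: middleware_automation.keycloak.keycloak
      # include_role vars override the role's own (empty) default for the
      # admin password, which play-level vars would not.
      vars:
        keycloak_admin_password: "{{ vault_keycloak_admin_password }}"
        # Archive already present in the working directory: no download.
        keycloak_offline_install: true
        # Set explicitly: the default assumes a reverse proxy in front.
        keycloak_frontend_url: "https://sso.example.internal/auth"
        keycloak_configure_firewalld: true

    - name: Create the realm and a public client
      ansible.builtin.include_role:
        name: middleware_automation.keycloak.keycloak_realm
      vars:
        keycloak_host: localhost
        keycloak_admin_user: admin   # assumed admin user name
        keycloak_admin_password: "{{ vault_keycloak_admin_password }}"
        keycloak_realm: test
        keycloak_clients:
          - name: "Web frontend"
            realm: test
            client_id: web-frontend
            public_client: true
            root_url: "https://app.example.internal"
            base_url: /
            # Exact origin and exact callback URI rather than '+' and '/*':
            # a wildcard redirect URI lets any path on the host receive
            # authorization codes, so keep the list as tight as possible.
            web_origins: "https://app.example.internal"
            redirect_uris:
              - "https://app.example.internal/callback"
```

Run it with `ansible-playbook -i <ansible_hosts> --ask-vault-pass site.yml` (file name assumed). The password is passed through include_role vars on purpose: the role declares keycloak_admin_password empty in its defaults, so only extra_vars or include_role vars take precedence over it, and of those two the include_role form is the one that does not expose the secret on the command line.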

License

Apache License v2.0 or later

See LICENSE to view the full text.

keycloak's People

Contributors

aeyk, ansible-middleware-core, avskor, bbarun, footur, generalpax, gionn, growi, guidograzioli, hcherukuri, hwo-wd, infosec812, jacobdotcosta, jmuff22, joelkle, jonathanspw, kabroxiko, motaparthipavankumar, msherman13, ranabirchakraborty, rpelisse, saadsb20, sabre1041, schmaxit, xdavila-eiq


keycloak's Issues

keycloak_quarkus: `rhbk_apply_patches` not referenced anywhere

SUMMARY
ISSUE TYPE
  • Bug Report (or a feature request ;-))

@guidograzioli, do you happen to know how rhbk patches will happen? I mean, there was a 22.0.6 and the upgrade to 22.0.7 happened via changing the version mnemonicer, but the question is whether incremental patches are available or simply an installation from scratch?

Thanks!

Keycloak failing at create service user/group when account is in LDAP

SUMMARY

keycloak failing at user creation step

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible [core 2.11.12]
  config file = /home/<username>/src/gitlab.com/bmrc/ceph/keycloak/ansible/ansible.cfg
  configured module search path = ['/home/<username>/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/<username>/venvs/ansible-keycloak/lib64/python3.6/site-packages/ansible
  ansible collection location = /home/<username>/src/gitlab.com/bmrc/ceph/keycloak/ansible
  executable location = /home/<username>/venvs/ansible-keycloak/bin/ansible
  python version = 3.6.8 (default, Nov 16 2020, 16:55:22) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
  jinja version = 3.0.3
  libyaml = True
COLLECTION VERSION
# /home/<username>/venvs/ansible-keycloak/lib/python3.6/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    1.5.1
ansible.netcommon             2.5.0
ansible.posix                 1.3.0
ansible.utils                 2.4.3
ansible.windows               1.8.0
arista.eos                    2.2.0
awx.awx                       19.4.0
azure.azcollection            1.10.0
check_point.mgmt              2.2.0
chocolatey.chocolatey         1.1.0
cisco.aci                     2.1.0
cisco.asa                     2.1.0
cisco.intersight              1.0.18
cisco.ios                     2.6.0
cisco.iosxr                   2.6.0
cisco.meraki                  2.5.0
cisco.mso                     1.2.0
cisco.nso                     1.0.3
cisco.nxos                    2.8.2
cisco.ucs                     1.6.0
cloudscale_ch.cloud           2.2.0
community.aws                 1.5.0
community.azure               1.1.0
community.crypto              1.9.8
community.digitalocean        1.13.0
community.docker              1.10.2
community.fortios             1.0.0
community.general             3.8.3
community.google              1.0.0
community.grafana             1.3.0
community.hashi_vault         1.5.0
community.hrobot              1.2.1
community.kubernetes          1.2.1
community.kubevirt            1.0.0
community.libvirt             1.0.2
community.mongodb             1.3.2
community.mysql               2.3.2
community.network             3.0.0
community.okd                 1.1.2
community.postgresql          1.6.0
community.proxysql            1.3.0
community.rabbitmq            1.1.0
community.routeros            1.2.0
community.skydive             1.0.0
community.sops                1.2.0
community.vmware              1.17.0
community.windows             1.8.0
community.zabbix              1.5.1
containers.podman             1.9.0
cyberark.conjur               1.1.0
cyberark.pas                  1.0.13
dellemc.enterprise_sonic      1.1.0
dellemc.openmanage            3.6.0
dellemc.os10                  1.1.1
dellemc.os6                   1.0.7
dellemc.os9                   1.0.4
f5networks.f5_modules         1.13.0
fortinet.fortimanager         2.1.4
fortinet.fortios              2.1.3
frr.frr                       1.0.3
gluster.gluster               1.0.2
google.cloud                  1.0.2
hetzner.hcloud                1.6.0
hpe.nimble                    1.1.4
ibm.qradar                    1.0.3
infinidat.infinibox           1.3.0
inspur.sm                     1.3.0
junipernetworks.junos         2.8.0
kubernetes.core               1.2.1
mellanox.onyx                 1.0.0
netapp.aws                    21.7.0
netapp.azure                  21.10.0
netapp.cloudmanager           21.12.1
netapp.elementsw              21.7.0
netapp.ontap                  21.14.1
netapp.um_info                21.8.0
netapp_eseries.santricity     1.2.13
netbox.netbox                 3.4.0
ngine_io.cloudstack           2.2.2
ngine_io.exoscale             1.0.0
ngine_io.vultr                1.1.0
openstack.cloud               1.5.3
openvswitch.openvswitch       2.1.0
ovirt.ovirt                   1.6.6
purestorage.flasharray        1.11.0
purestorage.flashblade        1.8.1
sensu.sensu_go                1.12.0
servicenow.servicenow         1.0.6
splunk.es                     1.0.2
t_systems_mms.icinga_director 1.26.0
theforeman.foreman            2.2.0
vyos.vyos                     2.6.0
wti.remote                    1.0.3
# /home/<username>/src/gitlab.com/bmrc/ceph/keycloak/ansible/ansible_collections
Collection                                Version
----------------------------------------- -------
ansible.posix                             1.5.1
community.general                         6.4.0
community.hashi_vault                     4.1.0
middleware_automation.keycloak            1.1.0
middleware_automation.redhat_csp_download 1.2.2

# /home/<username>/venvs/ansible-keycloak/lib64/python3.6/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    1.5.1
ansible.netcommon             2.5.0
ansible.posix                 1.3.0
ansible.utils                 2.4.3
ansible.windows               1.8.0
arista.eos                    2.2.0
awx.awx                       19.4.0
azure.azcollection            1.10.0
check_point.mgmt              2.2.0
chocolatey.chocolatey         1.1.0
cisco.aci                     2.1.0
cisco.asa                     2.1.0
cisco.intersight              1.0.18
cisco.ios                     2.6.0
cisco.iosxr                   2.6.0
cisco.meraki                  2.5.0
cisco.mso                     1.2.0
cisco.nso                     1.0.3
cisco.nxos                    2.8.2
cisco.ucs                     1.6.0
cloudscale_ch.cloud           2.2.0
community.aws                 1.5.0
community.azure               1.1.0
community.crypto              1.9.8
community.digitalocean        1.13.0
community.docker              1.10.2
community.fortios             1.0.0
community.general             3.8.3
community.google              1.0.0
community.grafana             1.3.0
community.hashi_vault         1.5.0
community.hrobot              1.2.1
community.kubernetes          1.2.1
community.kubevirt            1.0.0
community.libvirt             1.0.2
community.mongodb             1.3.2
community.mysql               2.3.2
community.network             3.0.0
community.okd                 1.1.2
community.postgresql          1.6.0
community.proxysql            1.3.0
community.rabbitmq            1.1.0
community.routeros            1.2.0
community.skydive             1.0.0
community.sops                1.2.0
community.vmware              1.17.0
community.windows             1.8.0
community.zabbix              1.5.1
containers.podman             1.9.0
cyberark.conjur               1.1.0
cyberark.pas                  1.0.13
dellemc.enterprise_sonic      1.1.0
dellemc.openmanage            3.6.0
dellemc.os10                  1.1.1
dellemc.os6                   1.0.7
dellemc.os9                   1.0.4
f5networks.f5_modules         1.13.0
fortinet.fortimanager         2.1.4
fortinet.fortios              2.1.3
frr.frr                       1.0.3
gluster.gluster               1.0.2
google.cloud                  1.0.2
hetzner.hcloud                1.6.0
hpe.nimble                    1.1.4
ibm.qradar                    1.0.3
infinidat.infinibox           1.3.0
inspur.sm                     1.3.0
junipernetworks.junos         2.8.0
kubernetes.core               1.2.1
mellanox.onyx                 1.0.0
netapp.aws                    21.7.0
netapp.azure                  21.10.0
netapp.cloudmanager           21.12.1
netapp.elementsw              21.7.0
netapp.ontap                  21.14.1
netapp.um_info                21.8.0
netapp_eseries.santricity     1.2.13
netbox.netbox                 3.4.0
ngine_io.cloudstack           2.2.2
ngine_io.exoscale             1.0.0
ngine_io.vultr                1.1.0
openstack.cloud               1.5.3
openvswitch.openvswitch       2.1.0
ovirt.ovirt                   1.6.6
purestorage.flasharray        1.11.0
purestorage.flashblade        1.8.1
sensu.sensu_go                1.12.0
servicenow.servicenow         1.0.6
splunk.es                     1.0.2
t_systems_mms.icinga_director 1.26.0
theforeman.foreman            2.2.0
vyos.vyos                     2.6.0
wti.remote                    1.0.3
STEPS TO REPRODUCE
---
- name: Playbook for Keycloak Hosts
  hosts: <host group>
  collections:
    - middleware_automation.keycloak
  roles:
    - keycloak
EXPECTED RESULTS

Playbook completes, including creation of the Keycloak user

ACTUAL RESULTS


fatal: [<hostname>]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "append": false,
            "authorization": null,
            "comment": null,
            "create_home": false,
            "expires": null,
            "force": false,
            "generate_ssh_key": null,
            "group": null,
            "groups": null,
            "hidden": null,
            "home": "/opt/keycloak",
            "local": null,
            "login_class": null,
            "move_home": false,
            "name": "keycloak",
            "non_unique": false,
            "password": null,
            "password_expire_max": null,
            "password_expire_min": null,
            "password_lock": null,
            "profile": null,
            "remove": false,
            "role": null,
            "seuser": null,
            "shell": null,
            "skeleton": null,
            "ssh_key_bits": 0,
            "ssh_key_comment": "ansible-generated on <hostname>",
            "ssh_key_file": null,
            "ssh_key_passphrase": null,
            "ssh_key_type": "rsa",
            "state": "present",
            "system": true,
            "uid": null,
            "update_password": "always"
        }
    },
    "name": "keycloak",
    "rc": 6
}

MSG:

usermod: user 'keycloak' does not exist in /etc/passwd

Support for debian/ubuntu os

SUMMARY

Currently the available roles only support RHEL and derivatives, but it should not be hard to also support Debian derivatives, still leveraging systemd.

(currently not high priority for us but can be in the next future)

ISSUE TYPE
  • Feature Idea

Providers add to script

Hi Team,

thank you for the great ansible for keycloak. I wonder if you are planning to add the possibility of adding providers or themes to keycloak during installation?
I'm interested in providers because I'm deploying a keycloak cluster to AWS and there I have to install a few providers and also change HA settings.
And also we are using the PrivacyIDEA keycloak plugin.
Another thing is we are using mysql; would it be possible to add? Not that it is hard to add, but it is handy if it would be there already.

I modified my script and added an extra task for providers

  - name: Include binaries for providers
    when: keycloak_quarkus_providers is defined
    ansible.builtin.include_tasks: providers.yml
    register: keycloak_provides
    tags:
      - providers

and a task for the build

  - name: Building Keycloak
    when: keycloak_provides is defined
    ansible.builtin.command: "{{ keycloak.home }}/bin/kc.sh build"
    changed_when: False
    become: yes
    notify:
      - restart keycloak

providers.yml

  - name: Download JAR files for providers
    ansible.builtin.get_url:
      url: "{{ item }}"
      # Backslashes are doubled so the regex survives Jinja's string
      # unescaping; the YAML single quotes keep them literal.
      dest: '{{ keycloak_quarkus_providers_dir }}{{ item | regex_replace(".+/(\\w+-\\d+\\.\\d+\\.\\d+\\.jar)", "\\1") }}'
    loop: "{{ keycloak_quarkus_providers }}"

And for AWS deployment I modify cache-ispn.xml.

I did it very simply, but probably you can do better than me, because my knowledge of ansible and keycloak is very basic.
Hope I'm not asking too much. Thanks and keep doing good work.
Ales

Keycloak v17.0.0 supported?

SUMMARY

Is KeyCloak v17.0.0 supported?
It seems the latest version changed its directory structure ( i.e. missing directory /opt/keycloak/keycloak-17.0.0/standalone )

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible 2.9.27
  config file = /root/.ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Nov 16 2020, 22:23:17) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
COLLECTION VERSION
community
google
middleware_automation
os_migrate
STEPS TO REPRODUCE

$ansible-playbook --become -i hosts playbook.yml

- hosts: keycloak_server
  strategy: free

  collections:
  - middleware_automation.keycloak
  tasks:
    - name: Include keycloak role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "deepDarksecret"
        keycloak_version: 17.0.0
        keycloak_configure_firewalld: true
EXPECTED RESULTS

Installation of KeyCloak v17.0.0

ACTUAL RESULTS
Everything runs fine until here:

TASK [middleware_automation.keycloak.keycloak : Deploy keycloak config to /opt/keycloak/keycloak-17.0.0/standalone/configuration/keycloak.xml] ***
fatal: [keycloak.example.edu]: FAILED! => changed=false
  checksum: 0ed45176030cca4dce4b3730505aa40ad08e3ec7
  msg: Destination directory /opt/keycloak/keycloak-17.0.0/standalone/configuration does not exist

PLAY RECAP **************************************************************************************************************************************
keycloak.example.edu     : ok=34   changed=0    unreachable=0    failed=1    skipped=10   rescued=0    ignored=0

Setup properties in the `hostname` spi from the vars

SUMMARY

The current hostname spi is fixed by the standalone(-ha).xml.j2 templates without the capability to define different values, or to add extra properties. In some cases, it is needed to add some additional properties to set up this component in a good way for the ecosystem where Keycloak is running.

The current definition of this spi is similar to:

            <spi name="hostname">
                <default-provider>default</default-provider>
                <provider name="default" enabled="true">
                    <properties>
                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
                    </properties>
                </provider>
            </spi>

This template does not allow changing the forceBackendUrlToFrontendUrl property or adding others like adminUrl.

This feature request wants to allow extending the capabilities of this spi to define a list of properties to apply as part of the configuration of the playbook.

Implementation Approach

For example, a way of implementing this could be defining a set of new properties to enable these properties, with something similar to:

- name: Playbook for Red Hat SSO Hosts
  hosts: sso
  vars_files:
    - ../vars/variables.yml
  collections:
    - redhat.sso
  tasks:
    - name: Include SSO role
      ansible.builtin.include_role:
        name: redhat.sso.sso
      vars:
        sso_offline_install: True
        sso_apply_patches: "{{ rh_sso_apply_patches }}"
        eap_properties:
          - name: property1-name
            value: property1-value
          - name: property2-name
            value: property2-value
        spi:
          hostname:
            properties:
              forceBackendUrlToFrontendUrl: false
              adminUrl: adminUrl-value

spi.hostname.properties is a list of key-value properties to add to this spi automatically as part of the automation process.

The implementation could be done by updating the standalone.xml.j2 and standalone-ha.xml.j2 templates, or by including a loop to add each attribute using the cli tool.

The following tasks using the CLI could be an example of implementation:

  #
  tasks:
    - name: 'Setting hostname spi properties'
      ansible.builtin.command: >
        {{ keycloak.cli_path }} --connect --command='/subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=properties.{{ item.name }},value={{ item.value}})'
      loop: "{{ spi.hostname.properties | dict2items }}"
      changed_when: false
      register: cli_result

NOTE: Sorry, I am not an Ansible expert, sorry for any typo in the Ansible syntax.

ISSUE TYPE
  • Feature Idea

Improve first installation playbook to not use serial

When a cluster of keycloaks is installed for the first time, liquibase needs to be run to initialize the database.
Even if a dblock is in the jpa configuration, the nodes of the cluster that are started at the same time concurrently
try to perform the database update, resulting in errors. The current workaround is to have the playbook run with

serial:
  - 1
  - 100%

which will run the full playbook on the first host, and then run again on remaining nodes.

An improvement is needed to check the database state before starting the service and, in case an update is needed,
serialize only the startup of the instances (along with the wait task to let the database update terminate), not the whole play.

keycloak_realm doesn't pass attributes to keycloak_client

SUMMARY

When provisioning a Keycloak client, sometimes attributes need to be set. The keycloak_realm role fails to pass attributes to the keycloak_client plugin.

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible [core 2.14.1]
  config file = None
  configured module search path = ['/home/***/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/***/.local/lib/python3.11/site-packages/ansible
  ansible collection location = /home/***/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/***/.local/bin/ansible
  python version = 3.11.2 (main, Feb  8 2023, 00:00:00) [GCC 12.2.1 20221121 (Red Hat 12.2.1-4)] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True
COLLECTION VERSION
[a very long list; if you really need it, let me know]
STEPS TO REPRODUCE
- name: Create Realm
  include_role:
    name: middleware_automation.keycloak.keycloak_realm
  vars:
    keycloak_realm: "{{ keycloak_realm }}"
    keycloak_host: localhost
    keycloak_admin_user: "{{ keycloak_quarkus_admin_user }}"
    keycloak_admin_password: "{{ keycloak_quarkus_admin_pass }}"
    keycloak_clients:
      - name: "Public Client"
        realm: "{{ keycloak_realm }}"
        client_id: Client-public
        public_client: True
        web_origins: '+'
        root_url: "https://{{ keycloak_public_fqhn }}"
        base_url: /
        redirect_uris:
          - "https://{{ keycloak_public_fqhn }}/*"
        attributes:
          post.logout.redirect.uris: "{{ keycloak_logout_uri }}"

[Where keycloak_logout_uri could be '+' to allow all valid redirect uris, or a specific value '/public/logout', or multiple values (since it is a list in the admin UI) as '/somewhere/logout1##/somewhereElse/logout2'; yes, really, separated by two # 😺 ]

EXPECTED RESULTS

That the Valid post logout redirect URIs would have been set in this realm's client.

ACTUAL RESULTS

The attributes weren't set at all, as the attributes aren't passed down. The problem can be fixed simply with:

diff --git a/roles/keycloak_realm/tasks/main.yml b/roles/keycloak_realm/tasks/main.yml
index 9233080..c137270 100644
--- a/roles/keycloak_realm/tasks/main.yml
+++ b/roles/keycloak_realm/tasks/main.yml
@@ -90,6 +90,7 @@
     service_accounts_enabled: "{{ item.service_accounts_enabled | default(omit) }}"
     public_client: "{{ item.public_client | default(False) }}"
     protocol: "{{ item.protocol | default(omit) }}"
+    attributes: "{{ item.attributes | default(omit) }}"
     state: present
   no_log: "{{ keycloak_no_log | default('True') }}"
   register: create_client_result
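Review bot: `attributes: "{{ item.attributes | default(omit) }}"` follows the `default(omit)` convention of the neighbouring `service_accounts_enabled` and `protocol` parameters, so clients that define no `attributes` key are unaffected; the role's documentation of the `keycloak_clients` item keys should list `attributes` alongside this change. Note also that the task runs under `no_log: "{{ keycloak_no_log | default('True') }}"`, so a malformed attributes mapping (for example the `##`-joined `post.logout.redirect.uris` value from the report) will fail without the offending value in the error; when testing the passthrough, run once with `keycloak_no_log: false` on a non-production host, since the module arguments then appear in the output.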

step1.html is called without port (in quarkus-version)

SUMMARY

I installed keycloak using the quarkus version.
The installation worked, keycloak is running, the start page is showing as expected.
But the administration console is unusable, if a port is included in the URI, as at least one file (step1.html) is loaded without the port.

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible 2.9.27
COLLECTION VERSION
none
STEPS TO REPRODUCE

Install keycloak using the quarkus-role

EXPECTED RESULTS

A usable administration console -> the step1.html should use the same path WITH the port, if one is used.

ACTUAL RESULTS

Currently I don't use a reverse proxy and use keycloak via Port 8080/8443.
After I login, while all other files are referenced with a path like the page itself (so in my case with the port included in the URI - https://MYSERVER:8443/admin/master/console/) the following is always included without port:
https://MYSERVER/auth/realms/master/protocol/openid-connect/3p-cookies/step1.html?version=txb9r

This results in a blank unusable page which reloads every few seconds.


keycloak_frontend_url property is currently defaulting for the installed keycloak app to be behind a reverse proxy

SUMMARY

The keycloak_frontend_url property currently defaults to the installed keycloak app being behind a reverse proxy. Without setting this property value explicitly in the ansible playbook, only api requests are able to communicate with the app, but not browsers.

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION

ansible --version

ansible 2.9.27
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/kakella/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.8 (default, Sep  9 2021, 07:49:02) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]

COLLECTION VERSION
1.0.0
STEPS TO REPRODUCE

execute the following command
ansible-playbook -become -i ../inventory updated.yml -K

- name: Playbook for Keycloak Hosts
  hosts: keycloak
  collections:
    - middleware_automation.keycloak
  tasks: 
    - name: Include keycloak role
      ansible.builtin.include_role:
        name: middleware_automation.keycloak.keycloak
      vars:
        keycloak_admin_password: "changeme"
EXPECTED RESULTS

We expect the keycloak application to work without issue when accessed from the browser after running the playbook and verifying the keycloak service is up and running

ACTUAL RESULTS

We are getting ERR_CONNECTION_REFUSED from the browser when we access any URLs which have redirects.

WORKAROUND

Once we add the below var in the vars section of the playbook, it runs without issue.
keycloak_frontend_url: http://localhost:8080/auth

Enable KeycloakDS Datasource validations

SUMMARY

Keycloak uses a database to persist all the information of the system; this database is connected through a datasource defined in the underlying EAP platform without any kind of sanity check. It is good practice to enable some validations in the datasource for a healthy life cycle and to avoid issues at runtime when the connections are not running successfully or are suffering some issues.

References:

This feature request wants to provide a way to set up this kind of validation in the KeycloakDS datasource as part of the collection, and it is open for discussion with the community.

Implementation Approach

For example, a way of implementing this could be defining a set of new properties to enable these validations, with something similar to:

- name: Playbook for Red Hat SSO Hosts
  hosts: sso
  vars_files:
    - ../vars/variables.yml
  collections:
    - redhat.sso
  tasks:
    - name: Include SSO role
      ansible.builtin.include_role:
        name: redhat.sso.sso
      vars:
        sso_offline_install: True
        sso_apply_patches: "{{ rh_sso_apply_patches }}"
        eap_properties:
          - name: property1-name
            value: property1-value
          - name: property2-name
            value: property2-value
        datasource:
          validation:
            enabled: true
            valid_connection_sql: Select 1

A new set of variables under a new datasource group is proposed, such as:

  • validation.enabled - boolean variable to enable this feature
  • validation.valid_connection_sql - string variable holding a SQL statement to check the connection

The implementation could be done by updating the standalone.xml.j2 and standalone-ha.xml.j2 templates, or by including some extra tasks using the cli to enable this feature.

The following tasks using the CLI could be an example of implementation:

  #
  tasks:
    - name: 'Setup Database Connection Validator - Validate on match enabled'
      ansible.builtin.command: >
        {{ keycloak.cli_path }} --connect --command='/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=validate-on-match,value=false)'
      become: true

    - name: 'Setup Database Connection Validator - Valid Connection SQL Check '
      ansible.builtin.command: >
        {{ keycloak.cli_path }} --connect --command='/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=check-valid-connection-sql,value={{ valid_connection_sql }})'
      changed_when: false
      register: cli_result

    - name: 'Setup Database Connection Validator - Background validation enabled'
      ansible.builtin.command: >
        {{ keycloak.cli_path }} --connect --command='/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation,value=true)'
      changed_when: false
      register: cli_result

    - name: 'Setup Database Connection Validator - Shared prepared statements disabled'
      ansible.builtin.command: >
        {{ keycloak.cli_path }} --connect --command='/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=share-prepared-statements,value=false)'
      changed_when: false
      register: cli_result

NOTE: Sorry, I am not an Ansible expert, sorry for any typo in the Ansible syntax.

ISSUE TYPE
  • Feature Idea

Missing PORT offset configuration

SUMMARY

It is not possible to configure a port offset

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible [core 2.14.2]
COLLECTION VERSION
middleware_automation.infinispan          1.1.2  
middleware_automation.keycloak            1.1.0  
middleware_automation.redhat_csp_download 1.2.2  
middleware_automation.wildfly             1.3.1
STEPS TO REPRODUCE
There is no setup available for a port offset affecting all ports (including mod_cluster)
EXPECTED RESULTS
ACTUAL RESULTS
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">

Setting administrator password is too clumsy

SUMMARY

The keycloak_admin_password is declared empty in the keycloak role varfile. Given variable precedence, it is only possible to set the value in include_task parameters or on the command line. Find a better solution

ISSUE TYPE
  • Bug Report
COLLECTION VERSION
1.0.0
STEPS TO REPRODUCE
- playbook: [..]
  vars:
    keycloak_admin_password: "changeme"
  roles:
    - keycloak
EXPECTED RESULTS

keycloak_admin_password is overridden by playbook vars, or by inventory host|group_vars

ACTUAL RESULTS

It is only possible to override with extra_vars, or include_role vars


Support Socket Settings Customization

Right now we don't have an option to customize the http-listener and socket binding settings, for example to customize them as below:

...
        <subsystem xmlns="urn:jboss:domain:undertow:12.0" ...>
            ...
            <server name="default-server">
                ...
                <http-listener name="default" socket-binding="http" redirect-socket="proxy-https" proxy-address-forwarding="true"/>
                ...
...
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        ...
        <socket-binding name="proxy-https" port="443"/>
...

Changes have to be made to the two existing templates roles/keycloak/templates/......xml.j2, so that, based on a condition, consumers can opt to customize as needed.

Health check broken in 2.0.0 due to incorrect health_url

SUMMARY

The health check in keycloak_quarkus fails to properly detect if a keycloak instance is online.

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible [core 2.16.0]
  config file = /home/jonathan/alma-ansible/ansible-keycloak/ansible.cfg
  configured module search path = ['/home/jonathan/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.12/site-packages/ansible
  ansible collection location = /home/jonathan/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.12.0 (main, Oct  2 2023, 00:00:00) [GCC 13.2.1 20230918 (Red Hat 13.2.1-3)] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
middleware_automation.keycloak 2.0.0
STEPS TO REPRODUCE

Run a playbook with keycloak_quarkus.

EXPECTED RESULTS

The playbook should recognize that the server is online.

ACTUAL RESULTS

The check loops due to a missing / after the port in the URL. This stems from a missing / in https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/vars/main.yml#L7

JGROUPS Through TCP PING

SUMMARY

JGroups ping is only available through the database.

ISSUE TYPE
  • For an installation in a single datacenter, a JGroups ping through TCP would be faster than through the database.

Add a destination variable for the log link

SUMMARY

It is not possible to modify the destination of the log link.

By default the keycloak logs are physically in /opt, I would like them to be in /var/log.

- name: Link default logs directory
  ansible.builtin.file:
    state: link
    src: "{{ keycloak.log.file | dirname }}"
    dest: /var/log/keycloak
    force: yes
  become: yes

Task : roles/keycloak_quarkus/tasks/main.yml

ISSUE TYPE
  • Feature Idea

Module throws error when middleware_automation.redhat_csp_download isn't included, even when it's not needed

SUMMARY

When trying to install RH SSO from a local file archive, i.e. with keycloak_offline_install = true, the module middleware_automation.redhat_csp_download.redhat_csp_download shouldn't be needed. It still throws an error because of line 87 of install.yaml in the middleware_automation.keycloak.keycloak role. This is because it doesn't understand what the middleware_automation.redhat_csp_download.redhat_csp_download module is.

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
N/A
COLLECTION VERSION
v0.2.5
STEPS TO REPRODUCE
- name: Playbook for Keycloak Hosts
  become: true
  hosts: keykloak_host
  vars:
  - keycloak_offline_install: True
  - keycloak_admin_password: "mypass"
  - keycloak_rhsso_enable: True
  - keycloak_rhsso_download_url: my_local_place/rh-sso-7.5.0-server-dist.zip
  roles:
  - middleware_automation.keycloak.keycloak
EXPECTED RESULTS

The installation should proceed without errors

ACTUAL RESULTS

The installer fails because ansible doesn't recognise
middleware_automation.redhat_csp_download.redhat_csp_download

TASK [middleware_automation.keycloak.keycloak : Include install tasks] *********
fatal: [hostname]: FAILED! => {"reason": "couldn't resolve module/action 'middleware_automation.redhat_csp_download.redhat_csp_download'. This often indicates a misspelling, missing collection, or incorrect module path.

The error appears to be in '.../middleware_automation/keycloak/roles/keycloak/tasks/install.yml': line 87, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

- name: Perform download from RHN
  ^ here
"}

Using collection as dependency in Execution Environment with RHEL9 fails (python39-devel)

SUMMARY

With Ansible Automation Platform release 4.4 new Execution Environments have been released. These EEs are based on RHEL9.

registry.redhat.io/ansible-automation-platform-24/ee-minimal-rhel9:latest
registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest

The build of a custom execution environment with the tool ansible-builder, the above mentioned RHEL9 based base EE images and this collection as a dependency fails.

Error from ansible-builder:

[3/4] STEP 13/14: RUN $PYCMD /output/scripts/introspect.py introspect --sanitize --user-pip=requirements.txt --user-bindep=bindep.txt --write-bindep=/tmp/src/bindep.txt --write-pip=/tmp/src/requirements.txt
...
- 'python39-devel [platform:rpm compile]  # from collection redhat.sso'
...
+ /usr/bin/microdnf install -y --nodocs --setopt install_weak_deps=0 bind-utils cryptsetup dnf gcc hostname krb5-devel libssh-devel nmap-ncat openldap-devel python3-Cython python3-devel python39-devel unzip
Downloading metadata...
Downloading metadata...
Downloading metadata...
Downloading metadata...
Downloading metadata...
Downloading metadata...
error: No package matches 'python39-devel'
ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
core 2.15.0
COLLECTION VERSION
redhat.sso v1.2.7

mod_cluster port always set default (6666)

SUMMARY

There is no variable to define and setup mod_cluster PORT, it is always set to default (6666)

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible [core 2.14.2]
COLLECTION VERSION
middleware_automation.infinispan                       1.1.2  
middleware_automation.keycloak                         1.1.0  
middleware_automation.redhat_csp_download 1.2.2
STEPS TO REPRODUCE
- name: Playbook for Wildfly Hosts - Host 1
  hosts: keycloak
  collections:
    - middleware_automation.keycloak
  tasks:
    - name: Include keycloak role
      ansible.builtin.include_role:
        name: middleware_automation.keycloak.keycloak 
      vars:
        keycloak_jvm_package: "java-11-openjdk-headless.x86_64"
        keycloak_ha_enabled: True
        keycloak_config_standalone_xml: "standalone-ha.xml"
        keycloak_admin_user: "admin"
        keycloak_admin_password: "myadminpassword"
        keycloak_db_enabled: True
        keycloak_jdbc_engine: "postgres"
        keycloak_jdbc_url: "jdbc:postgresql://mycustomdbhost:5432/sso?currentSchema=rh_sso" 
        keycloak_jdbc_driver_version: "42.0.0" 
        keycloak_db_user: "sso_user"
        keycloak_db_pass: "myCustomPassword_1234"
        keycloak_management_port_bind_address: "0.0.0.0"
        keycloak_host: "node1.mysso.redhat.rh"
        keycloak_modcluster_frontend_url: "http://mycustommodclusterfrontend/auth"
        keycloak_modcluster_url: "mycustommodclusterurl"
        keycloak_modcluster_enabled: "True"
        keycloak_infinispan_url: "myInfinispancustomurl"
        keycloak_infinispan_user: "supervisor"
        keycloak_infinispan_pass: "supervisorpassword"
EXPECTED RESULTS
{% if keycloak_modcluster.enabled %}
        <outbound-socket-binding name="proxy1">
            <remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="**6666**"/>
        </outbound-socket-binding>
{% endif %}
ACTUAL RESULTS
{% if keycloak_modcluster.enabled %}
        <outbound-socket-binding name="proxy1">
            <remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="**6666**"/>
        </outbound-socket-binding>
{% endif %}

keycloak_quarkus fails to start upon installation

SUMMARY

I have installed keycloak with Quarkus as follows:

ansible-playbook -i host.ini playbooks/keycloak_quarkus.yml -e keycloak_quarkus_admin_pass=Password1234 --ask-become-pass

When the installation completes, it fails to start the keycloak server:

TASK [middleware_automation.keycloak.keycloak_quarkus : Wait until keycloak becomes active http://localhost:8443:8080/realms/master/.well-known/openid-configuration] ***
FAILED - RETRYING: [localhost]: Wait until keycloak becomes active http://localhost:8443:8080/realms/master/.well-known/openid-configuration (25 retries left).

I've also tried starting the server from /opt/keycloak with the 'keycloak' user but it does not start and no information is logged:

[keycloak@fedora bin]$ ./kc.sh start-dev
Updating the configuration  and installing your custom providers, if any. Please wait.

log.txt

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible --version
ansible [core 2.13.5]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/francesco/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/francesco/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /home/francesco/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/francesco/.local/bin/ansible
  python version = 3.10.8 (main, Nov 14 2022, 00:00:00) [GCC 11.3.1 20220421 (Red Hat 11.3.1-3)]
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION
ansible-galaxy collection list

# /home/francesco/.ansible/collections/ansible_collections
Collection                     Version
------------------------------ -------
ansible.posix                  1.5.4  
middleware_automation.common   1.1.2  
middleware_automation.keycloak 1.2.8  
STEPS TO REPRODUCE

Using the following host.ini

[keycloak]
localhost ansible_connection=local
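The two health-check reports above (the missing `/` after the port in 2.0.0, and the `localhost:8443:8080` authority seen in the wait task here) both come down to a malformed readiness URL. The following added example is not the collection's code: it builds that URL from its parts and lints a URL before a task loops 25 times against it; the function names, the `relative_path` parameter and the sample URLs are this example's own.

```python
"""Added example (not the collection's code): assemble the readiness URL that
the 'Wait until keycloak becomes active' task polls, and lint a URL for the
malformations reported on this page before retrying against it.
"""
from urllib.parse import urlsplit, urlunsplit

# Path the keycloak_quarkus wait task polls (from the task names in the reports).
OPENID_DISCOVERY = "realms/master/.well-known/openid-configuration"


def build_health_url(host: str, port: int, scheme: str = "http",
                     relative_path: str = "") -> str:
    """Join scheme, host, port and an optional relative path (as set by
    keycloak_quarkus_http_relative_path) so that exactly one '/' separates the
    authority from the path, whatever slashes the caller passed."""
    if ":" in host and not host.startswith("["):
        # A host that already carries a port would produce 'host:8443:8080'.
        raise ValueError(f"host must not include a port: {host!r}")
    segments = [s for s in (relative_path.strip("/"), OPENID_DISCOVERY) if s]
    return urlunsplit((scheme, f"{host}:{int(port)}", "/" + "/".join(segments), "", ""))


def health_url_problems(url: str) -> list:
    """Return a list of findings for a readiness URL; an empty list means it
    is well-formed enough to be worth polling."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append(f"unexpected scheme {parts.scheme!r}")
    try:
        if parts.port is None:
            problems.append("no explicit port")
    except ValueError:
        # Raised for 'localhost:8443:8080' (two ports) and for
        # 'localhost:8080realms' (the slash after the port is missing).
        problems.append(f"port cannot be parsed from {parts.netloc!r}")
    if not parts.path.endswith("/" + OPENID_DISCOVERY):
        problems.append(f"path {parts.path!r} is not the discovery document")
    return problems


if __name__ == "__main__":
    # Constructed samples modelled on the URLs quoted in the reports above.
    for sample in (
        build_health_url("localhost", 8080),
        "http://localhost:8080realms/master/.well-known/openid-configuration",
        "http://localhost:8443:8080/realms/master/.well-known/openid-configuration",
    ):
        print(sample, "->", health_url_problems(sample) or "ok")
```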

quarkus.properties not loaded by default

Hi, I want to report a strange behavior: when keycloak is deployed using the keycloak-quarkus role, the connection to the external infinispan is not working out of the box. Maybe I'm missing something, but what I think is that the quarkus.properties file is not used by the current configuration of the service. The only workaround for me was specifying the remote store explicitly in the cache-ispn.xml file using the <remote-server host="> directive.

Keycloak documentation is saying this.

If an enhancement request is not possible, you can configure the server using raw Quarkus properties:

Create a quarkus.properties file in the conf directory.

Define the required properties in that file.

You can use only a [subset](https://github.com/keycloak/keycloak/blob/main/quarkus/runtime/pom.xml#L17) of the Quarkus extensions that are defined in the [Quarkus documentation](https://quarkus.io/guides/all-config). Also, note these differences for Quarkus properties:

A lock icon for a Quarkus property in the [Quarkus documentation](https://quarkus.io/guides/all-config) indicates a build time property. You run the build command to apply this property. For details about the build command, see the subsequent sections on optimizing Keycloak.

No lock icon for a property in the Quarkus guide indicates a runtime property for Quarkus and Keycloak.

Use the [-cf|--config-file] command line parameter to include that file.

Wait until keycloak becomes active http://localhost:9990/health

SUMMARY

I tried to install keycloak in HA mode but I always have a problem at this step: Wait until keycloak becomes active http://localhost:9990/health

STEPS TO REPRODUCE
- name: Playbook for Wildfly Hosts - Host 1
  hosts: keycloak
  collections:
    - middleware_automation.keycloak
  tasks:
    - name: Include keycloak role
      ansible.builtin.include_role:
        name: middleware_automation.keycloak.keycloak 
      vars:
        keycloak_ha_enabled: True
        keycloak_admin_user: "admin"
        keycloak_host: "kube1"
        keycloak_modcluster_url: 192.168.56.200
        keycloak_modcluster_enabled: "True"
EXPECTED RESULTS
ACTUAL RESULTS
curl -I http://localhost:9990/health
HTTP/1.1 503 Service Unavailable
Connection: keep-alive
Content-Type: application/json
Content-Length: 114364
Date: Mon, 19 Jun 2023 15:06:46 GMT

fatal: [192.168.56.72]: FAILED! => {"attempts": 25, "changed": false, "connection": "close", "content_length": "114364", "content_type": "application/json", "date": "Mon, 19 Jun 2023 15:05:15 GMT", "elapsed": 0, "msg": "Status code was 503 and not [200]: HTTP Error 503: Service Unavailable", "redirected": false, "status": 503, "url": "http://localhost:9990/health"}

Request for New Release

Our team has been eagerly awaiting the latest features and bug fixes to be merged into the main branch. However, the latest release is out of date and we are currently unable to benefit from the improvements made to the codebase. To ensure that we can use the latest version in our production environment, we respectfully request a new release.

Keycloak redirecting to localhost

SUMMARY

I'm trying to configure keycloak on a single server. I can run this playbook, and it completes successfully, but the server redirects me to localhost when I try to access it in my web browser.

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible [core 2.14.3]
  config file = None
  configured module search path = ['/home/luna/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.10/site-packages/ansible
  ansible collection location = /home/luna/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/lib/python-exec/python3.10/ansible
  python version = 3.10.10 (main, Mar 20 2023, 13:23:51) [GCC 12.2.1 20230121] (/usr/bin/python3.10)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
# /home/luna/.ansible/collections/ansible_collections
Collection                     Version
------------------------------ -------
ansible.posix                  1.5.2  
freeipa.ansible_freeipa        1.10.0 
middleware_automation.common   1.0.2  
middleware_automation.keycloak 1.2.1  
STEPS TO REPRODUCE

1: Make playbook
2: Run playbook
3: Go to server in browser, click on administration console

- name: Install Keycloak
  hosts: all
  vars:
    keycloak_admin_password: [redacted]
  roles:
    - middleware_automation.keycloak.keycloak
EXPECTED RESULTS

When I go to the browser, I should be able to access the administrator console using the server's hostname.

ACTUAL RESULTS

The page redirects to localhost:


What I've tried

I have tried setting keycloak_host, at which point the playbook hangs waiting for health to come online:

FAILED - RETRYING: [msh-keyc-1.serv.missinghell.internal]: Wait until keycloak becomes active http://msh-keyc-1.serv.missinghell.internal:9990/health (25 retries left).
FAILED - RETRYING: [msh-keyc-1.serv.missinghell.internal]: Wait until keycloak becomes active http://msh-keyc-1.serv.missinghell.internal:9990/health (24 retries left).
FAILED - RETRYING: [msh-keyc-1.serv.missinghell.internal]: Wait until keycloak becomes active http://msh-keyc-1.serv.missinghell.internal:9990/health (23 retries left).
FAILED - RETRYING: [msh-keyc-1.serv.missinghell.internal]: Wait until keycloak becomes active http://msh-keyc-1.serv.missinghell.internal:9990/health (22 retries left).
FAILED - RETRYING: [msh-keyc-1.serv.missinghell.internal]: Wait until keycloak becomes active http://msh-keyc-1.serv.missinghell.internal:9990/health (21 retries left).
FAILED - RETRYING: [msh-keyc-1.serv.missinghell.internal]: Wait until keycloak becomes active http://msh-keyc-1.serv.missinghell.internal:9990/health (20 retries left).

I ended the output there for brevity but eventually the playbook fails.

Do I need a reverse proxy or something, or am I making a configuration mistake? From the README it sounds like what I'm doing is normal but for some reason it isn't working how I expected.

keycloak: Template folder is no longer available for newer versions of Keycloak

SUMMARY

When adding the keycloak role for installing the version 22.0.5 in a playbook, an error is thrown due to the missing folder for templates that would contain the configuration for the standalone server.

Reviewing the content of the zip file downloaded, the newer version of keycloak does not contain the template folder for the configuration, it does not use the xml files for configuring the server.

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
➜ ansible --version
ansible [core 2.15.5]
  config file = /Users/ansible/ansible.cfg
  configured module search path = ['/Users/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/ansible/.virtualenvs/ansible/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/ansible/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/ansible/.virtualenvs/ansible/bin/ansible
  python version = 3.10.6 (main, Sep  2 2022, 16:29:31) [Clang 13.1.6 (clang-1316.0.21.2.5)] (/Users/ansible/.virtualenvs/ansible/bin/python)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection                     Version
------------------------------ -------
middleware_automation.common   1.1.4  
middleware_automation.keycloak 1.3.0 
STEPS TO REPRODUCE
  tasks:
    - name: Include keycloak role for installation
      include_role:
        name: keycloak
      vars:
        keycloak_version: 22.0.5
        keycloak_archive: "keycloak-{{ keycloak_version }}.tar.gz"
        keycloak_admin_password: "remembertochangeme"
        keycloak_ha_enabled: True
        # keycloak_remote_cache_enabled: False
        # keycloak_config_override_template: ''
      tags:
        - kc
EXPECTED RESULTS

I expect that the installer continues the configuration without the template, since the newer version of keycloak works directly by executing the script that runs the server

ACTUAL RESULTS
TASK [middleware_automation.keycloak.keycloak : Deploy HA keycloak config with infinispan remote cache store to /opt/keycloak/keycloak-22.0.5/standalone/configuration/keycloak.xml] ***
fatal: [default]: FAILED! => {"changed": false, "checksum": "2e2dba94996eff3c7d3de307739275cf90e383b1", "msg": "Destination directory /opt/keycloak/keycloak-22.0.5/standalone/configuration does not exist"}

keycloak_quarkus: Permissions issue on controller-side install package

SUMMARY

When installing onto a remote node, the locally-created ZIP file appears to be created as root.
It's unclear why this is the case - Ansible is not running as root on the controller node.

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible [core 2.15.5]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.10/dist-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True
COLLECTION VERSION
# /home/ubuntu/.ansible/collections/ansible_collections
Collection                     Version
------------------------------ -------
community.general              7.5.0  
freeipa.ansible_freeipa        1.11.1 
middleware_automation.common   1.1.4  
middleware_automation.keycloak 1.3.0  
STEPS TO REPRODUCE
- name: Provision Keycloak
  hosts: keycloak
  # We gather facts after our VM comes up
  gather_facts: false
  tasks:
    - name: Wait for SSH connectivity
      ansible.builtin.wait_for_connection:
    - name: Gathering Facts
      ansible.builtin.setup:
    - name: Install QEMU Guest Agent
      become: true
      ansible.builtin.yum:
        name:
          - qemu-guest-agent
    - name: Install Keycloak
      vars:
        keycloak_quarkus_admin_pass: "{{ lookup('ansible.builtin.password', hostvars.localhost.keycloak_dir.path + '/keycloak_admin_password') }}"
      ansible.builtin.include_role:
        name: middleware_automation.keycloak.keycloak_quarkus
EXPECTED RESULTS

I expected the installation to continue.

ACTUAL RESULTS

The installation fails, with a permissions issue on the locally-copied ZIP file.
The file itself is owned by root:root.

TASK [middleware_automation.keycloak.keycloak_quarkus : Copy archive to target nodes] ***
fatal: [keycloak]: FAILED! => {"msg": "an error occurred while trying to read the file '/home/ubuntu/keycloak-22.0.3.zip': [Errno 13] Permission denied: b'/home/ubuntu/keycloak-22.0.3.zip'. [Errno 13] Permission denied: b'/home/ubuntu/keycloak-22.0.3.zip'"}

#93 keycloak_jgroups_subnet introduced issue

The changes introduced via PR #93 around <interface name="jgroups">:

        <interface name="jgroups">
{% if keycloak_jgroups_subnet is defined and keycloak_jgroups_subnet | string | length > 0 %}
            <subnet-match value="{{ keycloak_jgroups_subnet | string }}"/>
{% elif ansible_default_ipv4 is defined and (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') | length > 0 %}
            <subnet-match value="{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}"/>
{% else %}
            <any-address />
{% endif %}
        </interface>

by default:

  • keycloak_jgroups_subnet is defined (= null, which is mapped to None in Jinja, or something similar, but the end result is a string of length 4 with content None)
  • thus the first branch is taken
  • and a <subnet-match value="None"/> is rendered
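The branch selection described in this report, re-implemented in Python as an added example (not the collection's template or code) so the null case can be exercised without Ansible. Variables are passed as a dict so that "defined" (key present) and "null" (value None) stay distinct as they do in Jinja; the standard library stands in for ansible.utils.ipaddr('net'); the `fixed` flag, the validator and the sample facts are this example's own.

```python
"""Added example: why a null keycloak_jgroups_subnet renders <subnet-match value="None"/>.

Models the three-way choice in the jgroups <interface> block of the posted
template, plus a post-render check that catches the bad value.
"""
import ipaddress
import re
from typing import Optional


def subnet_from_facts(default_ipv4: Optional[dict]) -> str:
    """Standard-library stand-in (this example's own) for
    (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net').
    Returns the network in CIDR form, or '' when the facts are missing or unusable."""
    if not default_ipv4:
        return ""
    try:
        net = ipaddress.ip_network(
            f"{default_ipv4['network']}/{default_ipv4['netmask']}", strict=False
        )
    except (KeyError, ValueError):
        return ""
    return str(net)


def render_jgroups_interface(variables: dict, fixed: bool = False) -> str:
    """Return the XML child of <interface name="jgroups"> that the template would emit.

    fixed=False reproduces the condition in the posted template:
        keycloak_jgroups_subnet is defined and keycloak_jgroups_subnet | string | length > 0
    A key whose value is null *is* defined, and Jinja's `string` filter turns
    None into 'None' (length 4), so the explicit-subnet branch wins.

    fixed=True adds an explicit null test before the length check (a candidate
    fix shown here for illustration, not a change taken from the project).
    """
    defined = "keycloak_jgroups_subnet" in variables
    subnet = variables.get("keycloak_jgroups_subnet")

    if fixed:
        take_explicit = defined and subnet is not None and len(str(subnet)) > 0
    else:
        take_explicit = defined and len(str(subnet)) > 0  # str(None) == 'None'

    if take_explicit:
        return f'<subnet-match value="{subnet}"/>'

    facts_net = subnet_from_facts(variables.get("ansible_default_ipv4"))
    if facts_net:
        return f'<subnet-match value="{facts_net}"/>'
    return "<any-address />"


_SUBNET_MATCH = re.compile(r'<subnet-match value="([^"]*)"/>')


def subnet_match_is_valid(fragment: str) -> bool:
    """Post-render check for the generated standalone-ha.xml: every
    <subnet-match> value must parse as an IP network; <any-address /> passes."""
    values = _SUBNET_MATCH.findall(fragment)
    if not values:
        return fragment.strip() == "<any-address />"
    for value in values:
        try:
            ipaddress.ip_network(value, strict=False)
        except ValueError:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: the role default (null) plus typical gathered facts.
    sample = {
        "keycloak_jgroups_subnet": None,
        "ansible_default_ipv4": {"network": "192.168.56.0", "netmask": "255.255.255.0"},
    }
    print(render_jgroups_interface(sample))              # <subnet-match value="None"/>
    print(render_jgroups_interface(sample, fixed=True))  # <subnet-match value="192.168.56.0/24"/>
```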

Troubles with console access behind a proxy when setting keycloak_quarkus_http_relative_path

SUMMARY

I have troubles accessing the admin console when exposing keycloak under /auth behind a custom nginx proxy.

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible [core 2.14.4]
  config file = /Users/Giovanni.Toraldo/src/alfresco/alfresco-ansible-deployment/ansible.cfg
  configured module search path = ['/Users/Giovanni.Toraldo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/Giovanni.Toraldo/.virtualenvs/alfresco-ansible-deployment-LdMEq9P-/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/Giovanni.Toraldo/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/Giovanni.Toraldo/.virtualenvs/alfresco-ansible-deployment-LdMEq9P-/bin/ansible
  python version = 3.10.12 (main, Jul 28 2023, 18:44:44) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/Users/Giovanni.Toraldo/.virtualenvs/alfresco-ansible-deployment-LdMEq9P-/bin/python)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection                     Version
------------------------------ -------
amazon.aws                     6.3.0  
ansible.posix                  1.5.4  
ansible.utils                  2.6.0  
community.aws                  6.3.0  
community.crypto               2.10.0 
community.docker               3.4.8  
community.general              7.4.0  
community.postgresql           2.1.0  
middleware_automation.common   1.1.2  
middleware_automation.keycloak 1.3.0  
STEPS TO REPRODUCE
- name: Install Keycloak
  vars:
    keycloak_quarkus_admin_pass: "{{ identity_admin_password }}"
    keycloak_quarkus_version: "21.1.2"
    keycloak_quarkus_start_dev: true
    keycloak_quarkus_proxy_mode: edge
    keycloak_quarkus_host: localhost
    keycloak_quarkus_http_port: 8082
    keycloak_quarkus_http_relative_path: auth
  ansible.builtin.include_role:
    name: middleware_automation.keycloak.keycloak_quarkus

nginx vhost snippet as a reference:

    location /auth/ {
        proxy_pass http://172.17.0.2:8082/;
        proxy_set_header Host              $host:$server_port;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
EXPECTED RESULTS

I should be able to access keycloak admin console under /auth/admin and my realm under /auth/realms/myrealm

ACTUAL RESULTS

Realm seems properly exposed under /auth because I can reach the public info at https://localhost/auth/realms/alfresco:
[screenshot]

If I try to access the console under /auth/admin I get a redirect to https://localhost/admin/master/console/ (which returns 404 because it's outside of the keycloak location).

If I try to access /auth/admin/master/console/ directly I get the Loading the Admin UI message but it fails to load /resources/ (again, because it should have been /auth/resources).

I also tried configuring http-relative-path manually (documented here) in /etc/sysconfig/keycloak and dropping hostname-path=auth, and it actually seems that I get what I expected without any additional configuration change.

Also setting manually hostname-admin-url (while keeping hostname-path) seems a way to fix my issue, but it's slightly less convenient to set because it requires a full URL.

So, what's actually the reason for having the role argument keycloak_quarkus_http_relative_path to set hostname-path config param instead of the http-relative-path param?

I would like to submit a PR to add the possibility to set http-relative-path within the quarkus role, but I am not sure how to proceed / if it makes sense overall (I am definitely not a keycloak expert).

Support passing-in standalone.xml template

SUMMARY

Templating of the configuration XML cannot cover everything, so allow passing a custom template to the role (completely bypassing internal templating). Of course, passing a preconfigured configuration means there is no guarantee that the role variables and what is in the template match; the documentation must clearly state that.

ISSUE TYPE
  • Feature Idea

[retracted]

[retracted] - likely temporary network error of some kind

Cannot set more than 1 mod_cluster reverse proxy in standalone.*.xml

SUMMARY

In a production environment with an HA configuration, it would be advisable to have (at least) 2 mod_cluster instances registered in the Keycloak / SSO configuration file.
This collection does not allow configuring multiple mod_cluster proxies.

if HA is configured:

keycloak_ha_enabled: True

attributes of reverse proxy must be specified:

keycloak_modcluster_url: "{{ PROXY_IP_ADDRESS }}"
ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible [core 2.14.2]
COLLECTION VERSION
middleware_automation.infinispan          1.1.2  
middleware_automation.keycloak            1.1.0  
middleware_automation.redhat_csp_download 1.2.2  
middleware_automation.wildfly             1.3.1
CURRENT AVAILABLE SETUP
- name: Playbook for Wildfly Hosts - Host 1
  hosts: keycloak
  collections:
    - middleware_automation.keycloak
  tasks:
    - name: Include keycloak role
      ansible.builtin.include_role:
        name: middleware_automation.keycloak.keycloak 
      vars:
        keycloak_jvm_package: "java-11-openjdk-headless.x86_64"
        keycloak_ha_enabled: True
        keycloak_config_standalone_xml: "standalone-ha.xml"
        keycloak_admin_user: "admin"
        keycloak_admin_password: "myadminpassword"
        keycloak_db_enabled: True
        keycloak_jdbc_engine: "postgres"
        keycloak_jdbc_url: "jdbc:postgresql://mycustomdbhost:5432/sso?currentSchema=rh_sso" 
        keycloak_jdbc_driver_version: "42.0.0" 
        keycloak_db_user: "sso_user"
        keycloak_db_pass: "myCustomPassword_1234"
        keycloak_management_port_bind_address: "0.0.0.0"
        keycloak_host: "node1.mysso.redhat.rh"
        keycloak_modcluster_frontend_url: "http://mycustommodclusterfrontend/auth"
        keycloak_modcluster_url: "mycustommodclusterurl"
        keycloak_modcluster_enabled: "True"
        keycloak_infinispan_url: "myInfinispancustomurl"
        keycloak_infinispan_user: "supervisor"
        keycloak_infinispan_pass: "supervisorpassword"
EXPECTED RESULTS
<outbound-socket-binding name="mod_cluster_balancer">
              <remote-destination host="mod_cluster_host_1" port="6666"/>
</outbound-socket-binding>
<outbound-socket-binding name="mod_cluster_balancer_2">
              <remote-destination host="mod_cluster_host_2" port="6666"/>
</outbound-socket-binding>
ACTUAL RESULTS
{% if keycloak_modcluster.enabled %}        
        <outbound-socket-binding name="proxy1">
            <remote-destination host="{{ keycloak_modcluster.reverse_proxy_url | default('localhost') }}" port="6666"/>
        </outbound-socket-binding>
{% endif %}  
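One way the template quoted above could emit one binding per proxy, as an added example rendered with Jinja2 and not the collection's own template: it keeps the existing `keycloak_modcluster.reverse_proxy_url` variable but also accepts a list of `host` or `host:port` entries (an assumed extension), numbering the bindings `proxy1`, `proxy2`, ... so the mod-cluster subsystem's `proxies` attribute can reference them.

```python
"""Render one outbound-socket-binding per mod_cluster proxy. Added example,
not the collection's template. Assumption: reverse_proxy_url may be either a
single string (current behaviour) or a list of 'host' / 'host:port' entries.
Requires the jinja2 package."""
import re

from jinja2 import BaseLoader, Environment

TEMPLATE = """\
{% if keycloak_modcluster.enabled %}
{% set proxies = keycloak_modcluster.reverse_proxy_url | default('localhost') %}
{% set proxies = [proxies] if proxies is string else proxies %}
{% for proxy in proxies %}
{% set host, _, port = (proxy | string).partition(':') %}
<outbound-socket-binding name="proxy{{ loop.index }}">
    <remote-destination host="{{ host }}" port="{{ port or 6666 }}"/>
</outbound-socket-binding>
{% endfor %}
{% endif %}
"""

# Matches each rendered binding so results can be checked structurally.
BINDING_RE = re.compile(
    r'<outbound-socket-binding name="([^"]+)">\s*'
    r'<remote-destination host="([^"]+)" port="([^"]+)"/>\s*'
    r"</outbound-socket-binding>"
)


def render_bindings(keycloak_modcluster):
    """Render the outbound-socket-binding elements for a modcluster config.
    A plain string is wrapped into a one-element list; a missing port
    defaults to 6666 as in the original template."""
    env = Environment(loader=BaseLoader(), trim_blocks=True, lstrip_blocks=True)
    return env.from_string(TEMPLATE).render(keycloak_modcluster=keycloak_modcluster)


def parse_bindings(rendered):
    """Return [(name, host, port), ...] found in the rendered XML."""
    return BINDING_RE.findall(rendered)


def proxy_names(keycloak_modcluster):
    """Binding names to list in the mod-cluster subsystem's proxies
    attribute, e.g. proxies="proxy1 proxy2"."""
    return [name for name, _, _ in parse_bindings(render_bindings(keycloak_modcluster))]


if __name__ == "__main__":
    # Constructed config with two proxies, the second on a non-default port.
    config = {"enabled": True,
              "reverse_proxy_url": ["mod_cluster_host_1", "mod_cluster_host_2:7777"]}
    print(render_bindings(config))
    print("proxies=\"%s\"" % " ".join(proxy_names(config)))
```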

keycloak_realm does not reassign user roles

ISSUE TYPE
  • Bug Report
SUMMARY

Re-executing the keycloak_realm role with renamed roles does not reassign users to the new role names. Also, renamed roles are not purged.

ANSIBLE VERSION
ansible [core 2.13.3]
COLLECTION VERSION
1.1.0
STEPS TO REPRODUCE

Execute with following:

    - include_role:
        name: sso_realm
        apply:
          delegate_to: "{{ ansible_play_hosts | first }}"
          run_once: true
      vars:
        sso_admin_password: "{{ admin_pass }}"
        sso_realm: addressbook
        sso_clients:
          - name: addressbook
            client_id: addressbook
            roles:
              - admin
              - user
            realm: addressbook
            public_client: False
            web_origins: '+'
            users:
              - username: flangeadmin
                email: [email protected]
                firstName: Flange
                lastName: Admin
                password: password
                client_roles:
                  - client: addressbook
                    role: admin
                    realm: addressbook
                  - client: addressbook
                    role: user
                    realm: addressbook
              - username: flangeuser
                email: [email protected]
                firstName: Flange
                lastName: User
                password: password
                client_roles:
                  - client: addressbook
                    role: user
                    realm: addressbook

then execute again with:

    - include_role:
        name: sso_realm
        apply:
          delegate_to: "{{ ansible_play_hosts | first }}"
          run_once: true
      vars:
        sso_admin_password: "{{ admin_pass }}"
        sso_realm: addressbook
        sso_clients:
          - name: addressbook
            client_id: addressbook
            roles:
              - flangeadmin
              - flangeuser
            realm: addressbook
            public_client: False
            web_origins: '+'
            users:
              - username: flangeadmin
                email: [email protected]
                firstName: Flange
                lastName: Admin
                password: password
                client_roles:
                  - client: addressbook
                    role: flangeadmin
                    realm: addressbook
                  - client: addressbook
                    role: flangeuser
                    realm: addressbook
              - username: flangeuser
                email: [email protected]
                firstName: Flange
                lastName: User
                password: password
                client_roles:
                  - client: addressbook
                    role: flangeuser
                    realm: addressbook 

i.e. rename the roles admin->flangeadmin and user->flangeuser, and reassign the flangeadmin user to the flangeadmin role (same for flangeuser)

EXPECTED RESULTS

flangeadmin has roles [ flangeadmin, flangeuser]
flangeuser has role [ flangeuser ]

roles admin and user are purged

ACTUAL RESULTS

flangeadmin has roles [ admin, user]
flangeuser has role [ user ]

Keycloak/RHSSO role uses deprecated `ipaddr` module which "will be removed from ansible.netcommon in a release after 2024-01-01"

SUMMARY

Cf. Title

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible --version
ansible [core 2.14.5]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['~/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = ~/.local/lib/python3.10/site-packages/ansible
  ansible collection location = ~/.ansible/collections:/usr/share/ansible/collections
  executable location = ~/.local/bin/ansible
  python version = 3.10.6 (main, Mar 10 2023, 10:55:28) [GCC 11.3.0] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True
COLLECTION VERSION
~/.local/lib/python3.10/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    5.4.0  
ansible.netcommon             4.1.0  
ansible.posix                 1.5.2  
ansible.utils                 2.9.0  
ansible.windows               1.13.0 
arista.eos                    6.0.1  
awx.awx                       21.14.0
azure.azcollection            1.15.0 
check_point.mgmt              4.0.0  
chocolatey.chocolatey         1.4.0  
cisco.aci                     2.6.0  
cisco.asa                     4.0.0  
cisco.dnac                    6.7.1  
cisco.intersight              1.0.27 
cisco.ios                     4.5.0  
cisco.iosxr                   4.1.0  
cisco.ise                     2.5.12 
cisco.meraki                  2.15.1 
cisco.mso                     2.4.0  
cisco.nso                     1.0.3  
cisco.nxos                    4.3.0  
cisco.ucs                     1.8.0  
cloud.common                  2.1.3  
cloudscale_ch.cloud           2.2.4  
community.aws                 5.4.0  
community.azure               2.0.0  
community.ciscosmb            1.0.5  
community.crypto              2.12.0 
community.digitalocean        1.23.0 
community.dns                 2.5.3  
community.docker              3.4.3  
community.fortios             1.0.0  
community.general             6.6.0  
community.google              1.0.0  
community.grafana             1.5.4  
community.hashi_vault         4.2.0  
community.hrobot              1.8.0  
community.libvirt             1.2.0  
community.mongodb             1.5.2  
community.mysql               3.6.0  
community.network             5.0.0  
community.okd                 2.3.0  
community.postgresql          2.3.2  
community.proxysql            1.5.1  
community.rabbitmq            1.2.3  
community.routeros            2.8.0  
community.sap                 1.0.0  
community.sap_libs            1.4.1  
community.skydive             1.0.0  
community.sops                1.6.1  
community.vmware              3.5.0  
community.windows             1.12.0 
community.zabbix              1.9.3  
containers.podman             1.10.1 
cyberark.conjur               1.2.0  
cyberark.pas                  1.0.17 
dellemc.enterprise_sonic      2.0.0  
dellemc.openmanage            6.3.0
dellemc.os10                  1.1.1
dellemc.os6                   1.0.7
dellemc.os9                   1.0.4
dellemc.powerflex             1.6.0
dellemc.unity                 1.6.0
f5networks.f5_modules         1.23.0
fortinet.fortimanager         2.1.7
fortinet.fortios              2.2.3
frr.frr                       2.0.2
gluster.gluster               1.0.2
google.cloud                  1.1.3
grafana.grafana               1.1.1
hetzner.hcloud                1.11.0
hpe.nimble                    1.1.4
ibm.qradar                    2.1.0
ibm.spectrum_virtualize       1.11.0
infinidat.infinibox           1.3.12
infoblox.nios_modules         1.4.1
inspur.ispim                  1.3.0
inspur.sm                     2.3.0
junipernetworks.junos         4.1.0
kubernetes.core               2.4.0
lowlydba.sqlserver            1.3.1
mellanox.onyx                 1.0.0
microsoft.ad                  1.0.0
netapp.aws                    21.7.0
netapp.azure                  21.10.0
netapp.cloudmanager           21.22.0
netapp.elementsw              21.7.0
netapp.ontap                  22.5.0
netapp.storagegrid            21.11.1
netapp.um_info                21.8.0
netapp_eseries.santricity     1.4.0
netbox.netbox                 3.12.0
ngine_io.cloudstack           2.3.0
ngine_io.exoscale             1.0.0
ngine_io.vultr                1.1.3
openstack.cloud               1.10.0
openvswitch.openvswitch       2.1.0
ovirt.ovirt                   2.4.1
purestorage.flasharray        1.17.2
purestorage.flashblade        1.11.0
purestorage.fusion            1.4.2
sensu.sensu_go                1.13.2
splunk.es                     2.1.0
t_systems_mms.icinga_director 1.32.2
theforeman.foreman            3.10.0
vmware.vmware_rest            2.3.1
vultr.cloud                   1.7.0
vyos.vyos                     4.0.2
wti.remote                    1.0.4

# ~/.ansible/collections/ansible_collections
Collection                     Version
------------------------------ -------
ansible.posix                  1.5.2
middleware_automation.common   1.1.0
middleware_automation.keycloak 1.2.3
STEPS TO REPRODUCE
  • Run the example playbook to create a HA deployment and you'll see:

TASK [middleware_automation.keycloak.keycloak : Deploy HA keycloak config with infinispan remote cache store to /opt/keycloak/keycloak-18.0.2/standalone/configuration/keycloak.xml] ***
[DEPRECATION WARNING]: Use 'ansible.utils.ipaddr' module instead. This feature will be removed from
ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting

EXPECTED RESULTS
  • No deprecation warnings, since they will be troublesome after 1.1.2024 ;-)

Destination directory /opt/keycloak/keycloak-23.0.3/standalone/configuration does not exist

SUMMARY

I've got an error when running the playbook to install Keycloak on AlmaLinux 9.3. Details as follows:

TASK [middleware_automation.keycloak.keycloak : Deploy standalone keycloak config to /opt/keycloak/keycloak-23.0.3/standalone/configuration/keycloak.xml] ***
fatal: [192.168.1.xxx]: FAILED! => {"changed": false, "checksum": "22acea149f5e2da64f026fb4dcc50f46a1a6976b", "msg": "Destination directory /opt/keycloak/keycloak-23.0.3/standalone/configuration does not exist"}
ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible [core 2.16.2]
  config file = /Users/xxx/Code/self-hosted/proxmox/nodes/mac-mini/ansible/ansible.cfg
  configured module search path = ['/Users/xxx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/xxx/.asdf/installs/ansible/9.1.0/venv/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/xxx/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/xxx/.asdf/installs/ansible/9.1.0/bin/ansible
  python version = 3.11.5 (main, Sep 28 2023, 17:39:14) [Clang 15.0.0 (clang-1500.0.40.1)] (/Users/xxx/.asdf/installs/ansible/9.1.0/venv/bin/python3)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection                     Version
------------------------------ -------
community.general              7.4.0  
freeipa.ansible_freeipa        1.12.0 
geerlingguy.mac                2.1.1  
middleware_automation.common   1.1.4  
middleware_automation.keycloak 2.0.1
STEPS TO REPRODUCE
---
- name: Setup ID server (FreeIPA, Keycloak)
  hosts: id_server
  become: true
  roles:
    - role: id_server
      vars:
        # keycloak vars
        keycloak_admin_password: "xxxxxx"
        keycloak_offline_install: true
        keycloak_version: 23.0.3
        keycloak_archive: keycloak-23.0.3.zip

My custom role id_server main.yml:

- name: Invoke keycloak role from collection middleware_automation.keycloak
  ansible.builtin.include_role:
    name: middleware_automation.keycloak.keycloak

And I ran the ansible playbook on macOS Sonoma 14.2.1

EXPECTED RESULTS

Playbook should finish without errors

ACTUAL RESULTS
TASK [middleware_automation.keycloak.keycloak : Deploy custom keycloak config to /opt/keycloak/keycloak-23.0.3/standalone/configuration/keycloak.xml from] ***
skipping: [192.168.1.xxx]

TASK [middleware_automation.keycloak.keycloak : Deploy standalone keycloak config to /opt/keycloak/keycloak-23.0.3/standalone/configuration/keycloak.xml] ***
fatal: [192.168.1.xxx]: FAILED! => {"changed": false, "checksum": "22acea149f5e2da64f026fb4dcc50f46a1a6976b", "msg": "Destination directory /opt/keycloak/keycloak-23.0.3/standalone/configuration does not exist"}

Service configuration needs to be updated for newer versions of Keycloak

SUMMARY

The scripts created by the role to start Keycloak as a service still refer to standalone.sh rather than kc.sh

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible [core 2.11.12]
  config file = /home/crm194/src/gitlab.com/bmrc/ceph/keycloak/ansible/ansible.cfg
  configured module search path = ['/home/crm194/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/crm194/venvs/ansible-keycloak/lib64/python3.6/site-packages/ansible
  ansible collection location = /home/crm194/src/gitlab.com/bmrc/ceph/keycloak/ansible
  executable location = /home/crm194/venvs/ansible-keycloak/bin/ansible
  python version = 3.6.8 (default, Nov 16 2020, 16:55:22) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
  jinja version = 3.0.3
  libyaml = True
COLLECTION VERSION
Collection                                Version
----------------------------------------- -------
ansible.posix                             1.5.1
community.general                         6.4.0
community.hashi_vault                     4.1.0
middleware_automation.keycloak            1.1.0
middleware_automation.redhat_csp_download 1.2.2
STEPS TO REPRODUCE

ansible-playbook -v playbooks/install_keycloak.yml

---
- name: Playbook for Keycloak Hosts
  hosts: <host group>
  collections:
    - middleware_automation.keycloak
  roles:
    - keycloak
EXPECTED RESULTS

Keycloak starts after installation and service configuration

ACTUAL RESULTS
 sudo systemctl status keycloak
โ— keycloak.service - keycloak Server
   Loaded: loaded (/etc/systemd/system/keycloak.service; enabled; vendor preset: disabled)
   Active: failed (Result: timeout) since Thu 2023-03-02 17:12:00 UTC; 10min ago
  Process: 160751 ExecStart=/opt/keycloak/keycloak-service.sh start (code=killed, signal=TERM)

Mar 02 17:11:30 <hostname> systemd[1]: Starting keycloak Server...
Mar 02 17:11:30 <hostname> keycloak-service.sh[160754]: /opt/keycloak/keycloak-service.sh: line 77: /opt/keycloak/keycloak-21.0.1/bin/standalone.sh: No such file or directory
Mar 02 17:12:00 <hostname> systemd[1]: keycloak.service: start operation timed out. Terminating.
Mar 02 17:12:00 <hostname> systemd[1]: keycloak.service: Failed with result 'timeout'.
Mar 02 17:12:00 <hostname>systemd[1]: Failed to start keycloak Server.

Keycloak installation doesn't work with ubuntu 22

SUMMARY

Usage with Ubuntu fails because rpm is missing, and because of the problems that result from that.

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
2.12.10
COLLECTION VERSION
Collection                     Version               
------------------------------ -------               
ansible.posix                  1.5.2                 
middleware_automation.common   1.0.2                 
middleware_automation.keycloak 1.2.1  
STEPS TO REPRODUCE
---
- hosts: export_vm
  vars:
    keycloak_admin_password: "{{ keycloud_default_pass }}"
  collections:
    - middleware_automation.keycloak
  roles:
    - middleware_automation.keycloak.keycloak
EXPECTED RESULTS

Installation on Ubuntu

ACTUAL RESULTS

Failed.

PLAY [export_vm] ***************************************************************

TASK [Gathering Facts] *********************************************************
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Validating arguments against arg spec 'main'] ***
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Check prerequisites] ***********
included: /home/dopeforhope/.ansible/collections/ansible_collections/middleware_automation/keycloak/roles/keycloak/tasks/prereqs.yml for export_vm

TASK [middleware_automation.keycloak.keycloak : Validate admin console password] ***
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Validate configuration] ********
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Validate remote cache store configuration] ***
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Validate credentials] **********
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Validate persistence configuration] ***
skipping: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Ensure required packages are installed] ***
included: /home/dopeforhope/.ansible/collections/ansible_collections/middleware_automation/keycloak/roles/keycloak/tasks/fastpackages.yml for export_vm

TASK [middleware_automation.keycloak.keycloak : Check if packages are already installed] ***
fatal: [export_vm]: FAILED! => {"changed": true, "cmd": "rpm -q java-1.8.0-openjdk-headless unzip procps-ng initscripts", "msg": "[Errno 2] No such file or directory: b'rpm'", "rc": 2, "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

TASK [middleware_automation.keycloak.keycloak : Add missing packages to the yum install list] ***
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Install packages: []] **********
skipping: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Include firewall config tasks] ***
skipping: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Include install tasks] *********
included: /home/dopeforhope/.ansible/collections/ansible_collections/middleware_automation/keycloak/roles/keycloak/tasks/install.yml for export_vm

TASK [middleware_automation.keycloak.keycloak : Validate parameters] ***********
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Check for an existing deployment] ***
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Stop the old keycloak service] ***
skipping: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Remove the old keycloak deployment] ***
skipping: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Check for an existing deployment after possible forced removal] ***
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Create keycloak service user/group] ***
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Create keycloak install location] ***
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Set download archive path] *****
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Check download archive path] ***
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Check local download archive path] ***
ok: [export_vm -> localhost]

TASK [middleware_automation.keycloak.keycloak : Download keycloak archive] *****
skipping: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Retrieve product download using JBoss Network API] ***
skipping: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Determine install zipfile from search results] ***
skipping: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Download Red Hat Single Sign-On] ***
skipping: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Download rhsso archive from alternate location] ***
skipping: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Check downloaded archive] ******
ok: [export_vm -> localhost]

TASK [middleware_automation.keycloak.keycloak : Copy archive to target nodes] ***
skipping: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Check target directory: /opt/keycloak/keycloak-18.0.2] ***
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Extract Keycloak archive on target] ***
skipping: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Inform decompression was not executed] ***
ok: [export_vm] => {
    "msg": "/opt/keycloak/keycloak-18.0.2 already exists and version unchanged, skipping decompression"
}

TASK [middleware_automation.keycloak.keycloak : Reown installation directory to keycloak] ***
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Install postgres driver] *******
skipping: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Deploy custom keycloak config to /opt/keycloak/keycloak-18.0.2/standalone/configuration/keycloak.xml from] ***
skipping: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Deploy standalone keycloak config to /opt/keycloak/keycloak-18.0.2/standalone/configuration/keycloak.xml] ***
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Create tcpping cluster node list] ***
skipping: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Deploy HA keycloak config to /opt/keycloak/keycloak-18.0.2/standalone/configuration/keycloak.xml from standalone.xml.j2] ***
skipping: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Deploy HA keycloak config with infinispan remote cache store to /opt/keycloak/keycloak-18.0.2/standalone/configuration/keycloak.xml] ***
skipping: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Include systemd tasks] *********
included: /home/dopeforhope/.ansible/collections/ansible_collections/middleware_automation/keycloak/roles/keycloak/tasks/systemd.yml for export_vm

TASK [middleware_automation.keycloak.keycloak : Configure keycloak service script wrapper] ***
ok: [export_vm]

TASK [middleware_automation.keycloak.keycloak : Determine JAVA_HOME for selected JVM RPM] ***
fatal: [export_vm]: FAILED! => {"changed": false, "cmd": "set -o pipefail\nrpm -ql java-1.8.0-openjdk-headless | grep -Po '/usr/lib/jvm/.*(?=/bin/java$)'\n", "delta": "0:00:00.010692", "end": "2023-04-11 16:43:23.942225", "msg": "non-zero return code", "rc": 1, "start": "2023-04-11 16:43:23.931533", "stderr": "/bin/bash: line 1: rpm: command not found", "stderr_lines": ["/bin/bash: line 1: rpm: command not found"], "stdout": "", "stdout_lines": []}

PLAY RECAP *********************************************************************
export_vm                  : ok=25   changed=0    unreachable=0    failed=1    skipped=17   rescued=1    ignored=0   
