keycloak

Install keycloak or Red Hat Single Sign-On server configurations.

Requirements

This role requires the python3-netaddr library installed on the controller node.

to install via yum/dnf: dnf install python3-netaddr
or via pip: pip install netaddr==0.8.0
or via the collection: pip install -r requirements.txt

Dependencies

The roles depends on:

the redhat_csp_download role from middleware_automation.redhat_csp_download collection if Red Hat Single Sign-on zip have to be downloaded from RHN.
the wildfly_driver role from middleware_automation.wildfly collection

Versions

RH-SSO VERSION	Release Date	Keycloak Version	EAP Version	Notes
`7.5.0 GA`	September 20, 2021	`15.0.2`	`7.4.0`	Release Notes

Patching

When variable keycloak_rhsso_apply_patches is True (default: False), the role will automatically apply the latest cumulative patch for the selected base version.

RH-SSO VERSION	Release Date	RH-SSO LATEST CP	Notes
`7.5.0 GA`	January 20, 2022	`7.5.1 GA`	Release Notes

Role Defaults

Service configuration

Variable	Description	Default
`keycloak_ha_enabled`	Enable auto configuration for database backend, clustering and remote caches on infinispan	`False`
`keycloak_db_enabled`	Enable auto configuration for database backend	`True` if `keycloak_ha_enabled` is True, else `False`
`keycloak_admin_user`	Administration console user account	`admin`
`keycloak_bind_address`	Address for binding service ports	`0.0.0.0`
`keycloak_host`	hostname	`localhost`
`keycloak_http_port`	HTTP port	`8080`
`keycloak_https_port`	TLS HTTP port	`8443`
`keycloak_ajp_port`	AJP port	`8009`
`keycloak_jgroups_port`	jgroups cluster tcp port	`7600`
`keycloak_management_http_port`	Management port	`9990`
`keycloak_management_https_port`	TLS management port	`9993`
`keycloak_prefer_ipv4`	Prefer IPv4 stack and addresses for port binding	`True`
`keycloak_config_standalone_xml`	filename for configuration	`keycloak.xml`
`keycloak_service_user`	posix account username	`keycloak`
`keycloak_service_group`	posix account group	`keycloak`
`keycloak_service_pidfile`	pid file path for service	`/run/keycloak.pid`
`keycloak_jvm_package`	RHEL java package runtime	`java-1.8.0-openjdk-headless`
`keycloak_java_home`	JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path	`None`
`keycloak_java_opts`	Additional JVM options	`-Xms1024m -Xmx2048m`

Install options

Variable	Description	Default
`keycloak_rhsso_enable`	Enable Red Hat Single Sign-on installation	`False`
`keycloak_offline_install`	perform an offline install	`False`
`keycloak_download_url`	Download URL for keycloak	`https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`
`keycloak_rhsso_download_url`	Download URL for RHSSO	`https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=<productID>`
`keycloak_version`	keycloak.org package version	`15.0.2`
`keycloak_rhsso_version`	RHSSO version	`7.5.0`
`keycloak_rhsso_apply_patches`	Install RHSSO more recent cumulative patch	`False`
`keycloak_dest`	Installation root path	`/opt/keycloak`
`keycloak_download_url`	Download URL for keycloak	`https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}`
`keycloak_rhn_url`	Base download URI for customer portal	`https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=`
`keycloak_configure_firewalld`	Ensure firewalld is running and configure keycloak ports	`False`

Miscellaneous configuration

Variable	Description	Default
`keycloak_archive`	keycloak install archive filename	`keycloak-{{ keycloak_version }}.zip`
`keycloak_download_url_9x`	Download URL for keycloak (deprecated)	`https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}`
`keycloak_installdir`	Installation path	`{{ keycloak_dest }}/keycloak-{{ keycloak_version }}`
`keycloak_rhsso_archive`	Red Hat SSO install archive filename	`rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip`
`keycloak_rhsso_installdir`	Installation path for Red Hat SSO	`{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version
`keycloak_rhsso_download_url`	Full download URI for Red Hat SSO	`{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}`
`keycloak_jboss_home`	Installation work directory	`{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}`
`keycloak_config_dir`	Path for configuration	`{{ keycloak_jboss_home }}/standalone/configuration`
`keycloak_config_path_to_standalone_xml`	Custom path for configuration	`{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}`
`keycloak_config_override_template`	Path to custom template for standalone.xml configuration	`''`
`keycloak_auth_realm`	Name for rest authentication realm	`master`
`keycloak_auth_client`	Authentication client for configuration REST calls	`admin-cli`
`keycloak_force_install`	Remove pre-existing versions of service	`False`
`keycloak_url`	URL for configuration rest calls	`http://{{ keycloak_host }}:{{ keycloak_http_port }}`
`keycloak_management_url`	URL for management console rest calls	`http://{{ keycloak_host }}:{{ keycloak_management_http_port }}`
`rhsso_rhn_id`	Customer Portal product ID for Red Hat SSO	`{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}`

Role Variables

The following are a set of required variables for the role:

Variable	Description
`keycloak_admin_password`	Password for the administration console user account (minimum 12 characters)
`keycloak_frontend_url`	frontend URL for keycloak endpoint

The following variables are required only when keycloak_ha_enabled is True:

Variable	Description	Default
`keycloak_modcluster_url`	URL for the modcluster reverse proxy	`localhost`
`keycloak_jdbc_engine`	backend database engine when db is enabled: [ postgres, mariadb ]	`postgres`
`infinispan_url`	URL for the infinispan remote-cache server	`localhost:11122`
`infinispan_user`	username for connecting to infinispan	`supervisor`
`infinispan_pass`	password for connecting to infinispan	`supervisor`
`infinispan_sasl_mechanism`	Authentication type	`SCRAM-SHA-512`
`infinispan_use_ssl`	Enable hotrod TLS communication	`False`
`infinispan_trust_store_path`	Path to truststore with infinispan server certificate	`/etc/pki/java/cacerts`
`infinispan_trust_store_password`	Password for opening truststore	`changeit`

The following variables are required only when keycloak_db_enabled is True:

Variable	Description	Default
`keycloak_jdbc_url`	URL for the postgres backend database	`jdbc:postgresql://localhost:5432/keycloak`
`keycloak_jdbc_driver_version`	Version for the JDBC driver to download	`9.4.1212`
`keycloak_db_user`	username for connecting to postgres	`keycloak-user`
`keycloak_db_pass`	password for connecting to postgres	`keycloak-pass`

Example Playbooks

NOTE: use ansible vaults or other security systems for storing credentials.

The following is an example playbook that makes use of the role to install keycloak from remote:

---
- hosts: ...
      vars:
        keycloak_admin_password: "remembertochangeme"
      collections:
        - middleware_automation.keycloak
      roles:
        - middleware_automation.keycloak.keycloak

The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN:

---
- name: Playbook for RHSSO
  hosts: keycloak
  collections:
    - middleware_automation.redhat_csp_download
  roles:
    - redhat_csp_download
  tasks:
    - name: Keycloak Role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "remembertochangeme"
        keycloak_rhsso_enable: True
        rhn_username: '<customer portal username>'
        rhn_password: '<customer portal password>'

The following example playbook makes use of the role to install keycloak from the controller node:

---
- hosts: ...
      collections:
        - middleware_automation.keycloak
      tasks:
        - name: Include keycloak role
          include_role:
            name: keycloak
          vars:
            keycloak_admin_password: "remembertochangeme"
            keycloak_offline_install: True
            # This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip

This playbook installs Red Hat Single Sign-On from an alternate url:

---
- hosts: keycloak
  collections:
    - middleware_automation.keycloak
  tasks:
    - name: Keycloak Role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "remembertochangeme"
        keycloak_rhsso_enable: True
        keycloak_rhsso_download_url: "<REPLACE with download url>"
        # This should be the full of remote source rhsso zip file and can contain basic authentication credentials

The following is an example playbook that makes use of the role to install Red Hat Single Sign-On offline from the controller node, and apply latest cumulative patch:

---
- hosts: keycloak
  collections:
    - middleware_automation.keycloak
  tasks:
    - name: Keycloak Role
      include_role:
        name: keycloak
      vars:
        keycloak_admin_password: "remembertochangeme"
        keycloak_rhsso_enable: True
        keycloak_offline_install: True
        keycloak_rhsso_apply_patches: True
        # This should be the filename of rhsso zip file on Ansible node: rh-sso-7.5-server-dist.zip

License

Apache License 2.0