diff --git a/README.md b/README.md index d341f587..75775d7a 100644 --- a/README.md +++ b/README.md @@ -59,28 +59,6 @@ Both playbooks include the `keycloak` role, with different settings, as describe For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md). -### Choosing between upstream project (Keycloak) and Red Hat Single Sign-On (RHSSO) - -The general flag `keycloak_rhsso_enable` controls what to install between upstream (Keycloak, when `False`) or Red Hat Single Sign-On (when `True`). -The default value for the flag if `True` when Red Hat Network credentials are defined, `False` otherwise. - - -#### Install upstream (Keycloak) from keycloak releases - -This is the default approach when RHN credentials are not defined. Keycloak is downloaded from keycloak builds (hosted on github.com) locally, and distributed to target nodes. - - -#### Install RHSSO from the Red Hat Customer Support Portal - -Define the credentials as follows, and the default behaviour is to download a fresh archive of RHSSO on the controller node, then distribute to target nodes. - -```yaml -rhn_username: '' -rhn_password: '' -# (keycloak_rhsso_enable defaults to True) -``` - - #### Install from controller node (local source) Making the keycloak zip archive (or the RHSSO zip archive), available to the playbook repository root directory, and setting `keycloak_offline_install` to `True`, allows to skip @@ -101,14 +79,12 @@ And depending on `keycloak_rhsso_enable`: For RHSSO: ```yaml -keycloak_rhsso_enable: True -keycloak_rhsso_download_url: "https://///rh-sso-x.y.z-server-dist.zip" +sso_download_url: "https://///rh-sso-x.y.z-server-dist.zip" ``` For keycloak: ```yaml -keycloak_rhsso_enable: False keycloak_download_url: "https://///keycloak-x.y.zip" ``` diff --git a/playbooks/rhsso.yml b/playbooks/rhsso.yml index ba30a74d..e34334f3 100644 --- a/playbooks/rhsso.yml +++ b/playbooks/rhsso.yml @@ -3,7 +3,7 @@ hosts: keycloak vars: keycloak_admin_password: "remembertochangeme" - keycloak_rhsso_enable: True + sso_enable: True collections: - middleware_automation.redhat_csp_download - middleware_automation.keycloak diff --git a/roles/keycloak/README.md b/roles/keycloak/README.md index 1693a667..0f3d198f 100644 --- a/roles/keycloak/README.md +++ b/roles/keycloak/README.md @@ -74,16 +74,11 @@ Role Defaults | Variable | Description | Default | |:---------|:------------|:---------| -|`keycloak_rhsso_enable`| Enable Red Hat Single Sign-on installation | `False` | |`keycloak_offline_install` | perform an offline install | `False`| |`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download//`| -|`keycloak_rhsso_download_url`| Download URL for RHSSO | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=`| |`keycloak_version`| keycloak.org package version | `15.0.2` | -|`keycloak_rhsso_version`| RHSSO version | `7.5.0` | -|`keycloak_rhsso_apply_patches`| Install RHSSO more recent cumulative patch | `False` | |`keycloak_dest`| Installation root path | `/opt/keycloak` | |`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` | -|`keycloak_rhn_url` | Base download URI for customer portal | `https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=` | |`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` | @@ -94,9 +89,6 @@ Role Defaults |`keycloak_archive` | keycloak install archive filename | `keycloak-{{ keycloak_version }}.zip` | |`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` | |`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` | -|`keycloak_rhsso_archive` | Red Hat SSO install archive filename | `rh-sso-{{ keycloak_rhsso_version }}-server-dist.zip` | -|`keycloak_rhsso_installdir`| Installation path for Red Hat SSO | `{{ keycloak_dest }}/rh-sso-{{ keycloak_rhsso_version | regex_replace('^([0-9])\.([0-9]*).*', '\1.\2') }}` | -|`keycloak_rhsso_download_url`| Full download URI for Red Hat SSO | `{{ keycloak_rhn_url }}{{ rhsso_rhn_id }}` | |`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}` | |`keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` | |`keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` | @@ -106,7 +98,6 @@ Role Defaults |`keycloak_force_install` | Remove pre-existing versions of service | `False` | |`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` | |`keycloak_management_url` | URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` | -|`rhsso_rhn_id` | Customer Portal product ID for Red Hat SSO | `{{ rhsso_rhn_ids[keycloak_rhsso_version].id }}` | Role Variables @@ -145,12 +136,9 @@ The following variables are _required_ only when `keycloak_db_enabled` is True: |`keycloak_db_pass` | password for connecting to postgres | `keycloak-pass` | -Example Playbooks +Example Playbook ----------------- -_NOTE_: use ansible vaults or other security systems for storing credentials. - - * The following is an example playbook that makes use of the role to install keycloak from remote: ```yaml @@ -164,27 +152,6 @@ _NOTE_: use ansible vaults or other security systems for storing credentials. - middleware_automation.keycloak.keycloak ``` -* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On from RHN: - -```yaml ---- -- name: Playbook for RHSSO - hosts: keycloak - collections: - - middleware_automation.redhat_csp_download - roles: - - redhat_csp_download - tasks: - - name: Keycloak Role - include_role: - name: keycloak - vars: - keycloak_admin_password: "remembertochangeme" - keycloak_rhsso_enable: True - rhn_username: '' - rhn_password: '' -``` - * The following example playbook makes use of the role to install keycloak from the controller node: @@ -203,45 +170,6 @@ _NOTE_: use ansible vaults or other security systems for storing credentials. # This should be the filename of keycloak archive on Ansible node: keycloak-16.1.0.zip ``` - -* This playbook installs Red Hat Single Sign-On from an alternate url: - -```yaml ---- -- hosts: keycloak - collections: - - middleware_automation.keycloak - tasks: - - name: Keycloak Role - include_role: - name: keycloak - vars: - keycloak_admin_password: "remembertochangeme" - keycloak_rhsso_enable: True - keycloak_rhsso_download_url: "" - # This should be the full of remote source rhsso zip file and can contain basic authentication credentials -``` - - -* The following is an example playbook that makes use of the role to install Red Hat Single Sign-On offline from the controller node, and apply latest cumulative patch: - -```yaml ---- -- hosts: keycloak - collections: - - middleware_automation.keycloak - tasks: - - name: Keycloak Role - include_role: - name: keycloak - vars: - keycloak_admin_password: "remembertochangeme" - keycloak_rhsso_enable: True - keycloak_offline_install: True - keycloak_rhsso_apply_patches: True - # This should be the filename of rhsso zip file on Ansible node: rh-sso-7.5-server-dist.zip -``` - License ------- diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml index ba3413cd..7fc402a3 100644 --- a/roles/keycloak/defaults/main.yml +++ b/roles/keycloak/defaults/main.yml @@ -10,7 +10,7 @@ keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}" keycloak_jvm_package: java-1.8.0-openjdk-headless keycloak_java_home: keycloak_dest: /opt/keycloak -keycloak_jboss_home: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}" +keycloak_jboss_home: "{{ keycloak_installdir }}" keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration" keycloak_config_standalone_xml: "keycloak.xml" keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}" @@ -18,6 +18,9 @@ keycloak_config_override_template: '' keycloak_service_user: keycloak keycloak_service_group: keycloak keycloak_service_pidfile: "/run/keycloak.pid" +keycloak_service_name: keycloak +keycloak_service_desc: Keycloak + keycloak_configure_firewalld: False ### administrator console password diff --git a/roles/keycloak/meta/argument_specs.yml b/roles/keycloak/meta/argument_specs.yml index 39c047a3..f34b1343 100644 --- a/roles/keycloak/meta/argument_specs.yml +++ b/roles/keycloak/meta/argument_specs.yml @@ -51,7 +51,7 @@ argument_specs: type: "str" keycloak_jboss_home: # line 25 of keycloak/defaults/main.yml - default: "{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}" + default: "{{ keycloak_installdir }}" description: "Installation work directory" type: "str" keycloak_config_dir: @@ -254,6 +254,14 @@ argument_specs: default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}" description: "URL for management console rest calls" type: "str" + keycloak_service_name: + default: "keycloak" + description: "systemd service name for keycloak" + type: "str" + keycloak_service_desc: + default: "Keycloak" + description: "systemd description for keycloak" + type: "str" downstream: options: sso_version: @@ -296,3 +304,15 @@ argument_specs: default: True description: "Perform an offline install" type: "bool" + sso_service_name: + default: "sso" + description: "systemd service name for Single Sign-On" + type: "str" + sso_service_desc: + default: "Red Hat Single Sign-On" + description: "systemd description for Red Hat Single Sign-On" + type: "str" + sso_patch_bundle: + default: "rh-sso-{{ sso_rhn_ids[keycloak_version].latest_cp.v }}-patch.zip" + description: "Red Hat SSO patch archive filename" + type: "str" diff --git a/roles/keycloak/tasks/install.yml b/roles/keycloak/tasks/install.yml index 26c54661..5f852743 100644 --- a/roles/keycloak/tasks/install.yml +++ b/roles/keycloak/tasks/install.yml @@ -81,7 +81,7 @@ - archive_path is defined - archive_path.stat is defined - not archive_path.stat.exists - - not keycloak_rhsso_enable + - not sso_enable is defined or not sso_enable - not keycloak_offline_install - name: Perform download from RHN @@ -96,9 +96,9 @@ - archive_path is defined - archive_path.stat is defined - not archive_path.stat.exists - - keycloak_rhsso_enable + - sso_enable is defined and sso_enable - not keycloak_offline_install - - keycloak_rhn_url in keycloak_rhsso_download_url + - keycloak_rhn_url in keycloak_download_url - name: Download rhsso archive from alternate location ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user @@ -110,9 +110,9 @@ - archive_path is defined - archive_path.stat is defined - not archive_path.stat.exists - - keycloak_rhsso_enable + - sso_enable is defined and sso_enable - not keycloak_offline_install - - not keycloak_rhn_url in keycloak_rhsso_download_url + - not keycloak_rhn_url in keycloak_download_url - name: Check downloaded archive ansible.builtin.stat: @@ -141,7 +141,7 @@ register: path_to_workdir become: yes -- name: "Extract {{ 'Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Keycloak' }} archive on target" +- name: "Extract {{ keycloak_service_desc }} archive on target" ansible.builtin.unarchive: remote_src: yes src: "{{ archive }}" diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index ba5ec878..b89b401b 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml @@ -24,7 +24,9 @@ - name: Include patch install tasks ansible.builtin.include_tasks: rhsso_patch.yml - when: keycloak_rhsso_apply_patches and keycloak_rhsso_enable + when: + - sso_apply_patches is defined and sso_apply_patches + - sso_enable is defined and sso_enable tags: - install - patch diff --git a/roles/keycloak/tasks/prereqs.yml b/roles/keycloak/tasks/prereqs.yml index 31735d5c..c774c656 100644 --- a/roles/keycloak/tasks/prereqs.yml +++ b/roles/keycloak/tasks/prereqs.yml @@ -18,11 +18,11 @@ - name: Validate credentials ansible.builtin.assert: that: - - (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install - - (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install + - (rhn_username is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install + - (rhn_password is defined and sso_enable is defined and sso_enable) or not sso_enable is defined or not sso_enable or keycloak_offline_install quiet: True fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined" - success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}" + success_msg: "Installing {{ keycloak_service_desc }}" - name: Validate persistence configuration ansible.builtin.assert: diff --git a/roles/keycloak/tasks/rhsso_patch.yml b/roles/keycloak/tasks/rhsso_patch.yml index f517e7a6..67739a49 100644 --- a/roles/keycloak/tasks/rhsso_patch.yml +++ b/roles/keycloak/tasks/rhsso_patch.yml @@ -2,7 +2,7 @@ ## check remote patch archive - name: Set download patch archive path ansible.builtin.set_fact: - patch_archive: "{{ keycloak_dest }}/{{ keycloak.patch_bundle }}" + patch_archive: "{{ keycloak_dest }}/{{ sso_patch_bundle }}" - name: Check download patch archive path ansible.builtin.stat: @@ -11,8 +11,8 @@ - name: Perform download from RHN middleware_automation.redhat_csp_download.redhat_csp_download: - url: "{{ keycloak_rhn_url }}{{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.id }}" - dest: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}" + url: "{{ keycloak_rhn_url }}{{ sso_rhn_ids[keycloak_version].latest_cp.id }}" + dest: "{{ local_path.stat.path }}/{{ sso_patch_bundle }}" username: "{{ rhn_username }}" password: "{{ rhn_password }}" no_log: "{{ omit_rhn_output | default(true) }}" @@ -21,13 +21,13 @@ - patch_archive_path is defined - patch_archive_path.stat is defined - not patch_archive_path.stat.exists - - keycloak_rhsso_enable + - sso_enable is defined and sso_enable - not keycloak_offline_install ## copy and unpack - name: Copy patch archive to target nodes ansible.builtin.copy: - src: "{{ local_path.stat.path }}/{{ keycloak.patch_bundle }}" + src: "{{ local_path.stat.path }}/{{ sso_patch_bundle }}" dest: "{{ patch_archive }}" owner: "{{ keycloak_service_user }}" group: "{{ keycloak_service_group }}" @@ -48,9 +48,9 @@ when: - cli_result is defined - cli_result.stdout is defined - - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout + - sso_rhn_ids[keycloak_version].latest_cp.v not in cli_result.stdout block: - - name: "Apply patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} to server" + - name: "Apply patch {{ sso_rhn_ids[keycloak_version].latest_cp.v }} to server" ansible.builtin.include_tasks: rhsso_cli.yml vars: query: "patch apply {{ patch_archive }}" @@ -78,10 +78,10 @@ - name: "Verify installed patch version" ansible.builtin.assert: that: - - rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v not in cli_result.stdout + - sso_rhn_ids[keycloak_version].latest_cp.v not in cli_result.stdout fail_msg: "Patch installation failed" success_msg: "Patch installation successful" - name: "Skipping patch" ansible.builtin.debug: - msg: "Latest cumulative patch {{ rhsso_rhn_ids[keycloak_rhsso_version].latest_cp.v }} already installed, skipping patch installation." + msg: "Latest cumulative patch {{ sso_rhn_ids[keycloak_version].latest_cp.v }} already installed, skipping patch installation." diff --git a/roles/keycloak/vars/main.yml b/roles/keycloak/vars/main.yml index 76d2b58f..77f35fff 100644 --- a/roles/keycloak/vars/main.yml +++ b/roles/keycloak/vars/main.yml @@ -16,8 +16,7 @@ keycloak: home: "{{ keycloak_jboss_home }}" config_dir: "{{ keycloak_config_dir }}" bundle: "{{ keycloak_archive }}" - patch_bundle: "rh-sso-{{ sso_rhn_ids[keycloak_version].latest_cp.v }}-patch.zip" - service_name: "{{ 'rhsso' if keycloak_rhsso_enable else 'keycloak' }}" + service_name: "{{ keycloak_service_name }}" health_url: "{{ keycloak_management_url }}/health" cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh" config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 else 'standalone.xml.j2' }}" diff --git a/roles/keycloak_quarkus/tasks/prereqs.yml b/roles/keycloak_quarkus/tasks/prereqs.yml index ea2b8f4c..c0201b32 100644 --- a/roles/keycloak_quarkus/tasks/prereqs.yml +++ b/roles/keycloak_quarkus/tasks/prereqs.yml @@ -15,15 +15,6 @@ fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled" success_msg: "{{ 'Configuring HA' if keycloak_quarkus_ha_enabled else 'Configuring standalone' }}" -# - name: Validate credentials -# ansible.builtin.assert: -# that: -# - (rhn_username is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install -# - (rhn_password is defined and keycloak_rhsso_enable) or not keycloak_rhsso_enable or keycloak_offline_install -# quiet: True -# fail_msg: "Cannot install Red Hat SSO without RHN credentials. Check rhn_username and rhn_password are defined" -# success_msg: "{{ 'Installing Red Hat Single Sign-On' if keycloak_rhsso_enable else 'Installing keycloak.org' }}" - - name: Ensure required packages are installed ansible.builtin.include_tasks: fastpackages.yml vars: diff --git a/roles/keycloak_realm/README.md b/roles/keycloak_realm/README.md index 91e6b8f1..1a5709c8 100644 --- a/roles/keycloak_realm/README.md +++ b/roles/keycloak_realm/README.md @@ -15,7 +15,6 @@ Role Defaults |`keycloak_http_port`| HTTP port | `8080` | |`keycloak_https_port`| TLS HTTP port | `8443` | |`keycloak_auth_realm`| Name of the main authentication realm | `master` | -|`keycloak_rhsso_enable`| Define service is an upstream(Keycloak) or RHSSO | `master` | |`keycloak_management_http_port`| Management port | `9990` | |`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` | |`keycloak_client_public`| Configure a public realm client | `True` | diff --git a/roles/keycloak_realm/defaults/main.yml b/roles/keycloak_realm/defaults/main.yml index 49753806..e1caeecb 100644 --- a/roles/keycloak_realm/defaults/main.yml +++ b/roles/keycloak_realm/defaults/main.yml @@ -4,7 +4,6 @@ keycloak_host: localhost keycloak_http_port: 8080 keycloak_https_port: 8443 keycloak_management_http_port: 9990 -keycloak_rhsso_enable: False ### Keycloak administration console user keycloak_admin_user: admin diff --git a/roles/keycloak_realm/meta/argument_specs.yml b/roles/keycloak_realm/meta/argument_specs.yml index 45b59984..8f8e26ef 100644 --- a/roles/keycloak_realm/meta/argument_specs.yml +++ b/roles/keycloak_realm/meta/argument_specs.yml @@ -26,11 +26,6 @@ argument_specs: default: 9990 description: "Management port" type: "int" - keycloak_rhsso_enable: - # line 7 of keycloak_realm/defaults/main.yml - default: false - description: "Enable Red Hat Single Sign-on" - type: "bool" keycloak_admin_user: # line 10 of keycloak_realm/defaults/main.yml default: "admin" @@ -96,3 +91,25 @@ argument_specs: default: "http://{{ keycloak_host }}:{{ keycloak_management_http_port }}" description: "URL for management console rest calls" type: "str" + downstream: + options: + sso_version: + default: "7.5.0" + description: "Red Hat Single Sign-On version" + type: "str" + sso_dest: + default: "/opt/sso" + description: "Root installation directory" + type: "str" + sso_installdir: + default: "{{ keycloak_dest }}/rh-sso-{{ keycloak_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}" + description: "Installation path for Red Hat SSO" + type: "str" + sso_apply_patches: + default: False + description: "Install Red Hat SSO most recent cumulative patch" + type: "bool" + sso_enable: + default: True + description: "Enable Red Hat Single Sign-on installation" + type: "str"