Merge pull request #46 from guidograzioli/keycloak_19

Update keycloak to 18.0.2 - sso to 7.6.1
ansible-middleware · Dec 16, 2022 · e209507 · e209507
2 parents e17fda2 + b956045
commit e209507
Show file tree

Hide file tree

Showing 12 changed files with 1,479 additions and 211 deletions.
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
@@ -16,5 +16,5 @@
       ansible.builtin.include_tasks: ../prepare.yml
       vars:
         assets:
-          - "{{ assets_server }}/sso/7.5.0/rh-sso-7.5.0-server-dist.zip"
-          - "{{ assets_server }}/sso/7.5.1/rh-sso-7.5.1-patch.zip"
+          - "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip"
+          - "{{ assets_server }}/sso/7.6.1/rh-sso-7.6.1-patch.zip"
diff --git a/molecule/overridexml/prepare.yml b/molecule/overridexml/prepare.yml
@@ -6,4 +6,4 @@
       ansible.builtin.include_tasks: ../prepare.yml
       vars:
         assets:
-          - "{{ assets_server }}/sso/7.5.0/rh-sso-7.5.0-server-dist.zip"
+          - "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip"
diff --git a/molecule/overridexml/templates/custom.xml.j2 b/molecule/overridexml/templates/custom.xml.j2
@@ -15,7 +15,6 @@
         <extension module="org.jboss.as.modcluster"/>
         <extension module="org.jboss.as.naming"/>
         <extension module="org.jboss.as.remoting"/>
-        <extension module="org.jboss.as.security"/>
         <extension module="org.jboss.as.transactions"/>
         <extension module="org.jboss.as.weld"/>
         <extension module="org.keycloak.keycloak-server-subsystem"/>
@@ -30,31 +29,6 @@
         <extension module="org.wildfly.extension.undertow"/>
     </extensions>
     <management>
-        <security-realms>
-            <security-realm name="ManagementRealm">
-                <authentication>
-                    <local default-user="$local" skip-group-loading="true"/>
-                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
-                </authentication>
-                <authorization map-groups-to-roles="false">
-                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
-                </authorization>
-            </security-realm>
-            <security-realm name="ApplicationRealm">
-                <server-identities>
-                    <ssl>
-                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
-                    </ssl>
-                </server-identities>
-                <authentication>
-                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
-                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
-                </authentication>
-                <authorization>
-                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
-                </authorization>
-            </security-realm>
-        </security-realms>
         <audit-log>
             <formatters>
                 <json-formatter name="json-formatter"/>
@@ -69,7 +43,7 @@
             </logger>
         </audit-log>
         <management-interfaces>
-            <http-interface security-realm="ManagementRealm">
+            <http-interface http-authentication-factory="management-http-authentication">
                 <http-upgrade enabled="true"/>
                 <socket-binding http="management-http"/>
             </http-interface>
@@ -513,41 +487,9 @@
             <remote-naming/>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:remoting:4.0">
-            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
+            <http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="application-sasl-authentication"/>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:security:2.0">
-            <security-domains>
-                <security-domain name="other" cache-type="default">
-                    <authentication>
-                        <login-module code="Remoting" flag="optional">
-                            <module-option name="password-stacking" value="useFirstPass"/>
-                        </login-module>
-                        <login-module code="RealmDirect" flag="required">
-                            <module-option name="password-stacking" value="useFirstPass"/>
-                        </login-module>
-                    </authentication>
-                </security-domain>
-                <security-domain name="jboss-web-policy" cache-type="default">
-                    <authorization>
-                        <policy-module code="Delegating" flag="required"/>
-                    </authorization>
-                </security-domain>
-                <security-domain name="jaspitest" cache-type="default">
-                    <authentication-jaspi>
-                        <login-module-stack name="dummy">
-                            <login-module code="Dummy" flag="optional"/>
-                        </login-module-stack>
-                        <auth-module code="Dummy"/>
-                    </authentication-jaspi>
-                </security-domain>
-                <security-domain name="jboss-ejb-policy" cache-type="default">
-                    <authorization>
-                        <policy-module code="Delegating" flag="required"/>
-                    </authorization>
-                </security-domain>
-            </security-domains>
-        </subsystem>
         <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
             <deployment-permissions>
                 <maximum-set>

diff --git a/roles/keycloak/README.md b/roles/keycloak/README.md
@@ -27,7 +27,8 @@ Versions
 
 | RH-SSO VERSION | Release Date      | Keycloak Version | EAP Version | Notes           |
 |:---------------|:------------------|:-----------------|:------------|:----------------|
-|`7.5.0 GA`      |September 20, 2021 |`15.0.2`          | `7.4.0`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|
+|`7.5.0 GA`      |September 20, 2021 |`15.0.2`          | `7.4.6`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/html/release_notes/index)|
+|`7.6.0 GA`      |June 30, 2022      |`18.0.3`          | `7.4.6`     |[Release Notes](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/release_notes/index)|
 
 
 Patching
@@ -37,8 +38,8 @@ When variable `keycloak_rhsso_apply_patches` is `True` (default: `False`), the r
 
 | RH-SSO VERSION | Release Date      | RH-SSO LATEST CP | Notes           |
 |:---------------|:------------------|:-----------------|:----------------|
-|`7.5.0 GA`      |January 20, 2022   |`7.5.1 GA`        |[Release Notes](https://access.redhat.com/articles/6646321)|
-
+|`7.5.0 GA`      |January 20, 2022   |`7.5.3 GA`        |[Release Notes](https://access.redhat.com/articles/6646321)|
+|`7.6.0 GA`      |November 11, 2022  |`7.6.1 GA`        |[Release Notes](https://access.redhat.com/articles/6982711)|
 
 
 Role Defaults
@@ -76,7 +77,7 @@ Role Defaults
 |:---------|:------------|:---------|
 |`keycloak_offline_install` | perform an offline install | `False`|
 |`keycloak_download_url`| Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/<version>/<archive>`| 
-|`keycloak_version`| keycloak.org package version | `15.0.2` |
+|`keycloak_version`| keycloak.org package version | `18.0.2` |
 |`keycloak_dest`| Installation root path | `/opt/keycloak` |
 |`keycloak_download_url` | Download URL for keycloak | `https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}` |
 |`keycloak_configure_firewalld` | Ensure firewalld is running and configure keycloak ports | `False` |
@@ -86,7 +87,7 @@ Role Defaults
 
 | Variable | Description | Default |
 |:---------|:------------|:--------|
-|`keycloak_archive` | keycloak install archive filename | `keycloak-{{ keycloak_version }}.zip` |
+|`keycloak_archive` | keycloak install archive filename | `keycloak-legacy-{{ keycloak_version }}.zip` |
 |`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` |
 |`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` |
 |`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}` |

diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml
@@ -1,8 +1,8 @@
 ---
 ### Configuration specific to keycloak
-keycloak_version: 15.0.2
-keycloak_archive: "keycloak-{{ keycloak_version }}.zip"
-keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"
+keycloak_version: 18.0.2
+keycloak_archive: "keycloak-legacy-{{ keycloak_version }}.zip"
+keycloak_download_url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/{{ keycloak_archive }}"  
 keycloak_download_url_9x: "https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}"
 keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}"
 keycloak_offline_install: False

diff --git a/roles/keycloak/meta/argument_specs.yml b/roles/keycloak/meta/argument_specs.yml
@@ -3,12 +3,12 @@ argument_specs:
         options:
             keycloak_version:
                 # line 3 of keycloak/defaults/main.yml
-                default: "15.0.2"
+                default: "18.0.2"
                 description: "keycloak.org package version"
                 type: "str"
             keycloak_archive:
                 # line 4 of keycloak/defaults/main.yml
-                default: "keycloak-{{ keycloak_version }}.zip"
+                default: "keycloak-legacy-{{ keycloak_version }}.zip"
                 description: "keycloak install archive filename"
                 type: "str"
             keycloak_configure_firewalld:
@@ -273,11 +273,11 @@ argument_specs:
     downstream:
         options:
             sso_version:
-                default: "7.5.0"
+                default: "7.6.0"
                 description: "Red Hat Single Sign-On version"
                 type: "str"
             sso_rhn_id:
-                default: "{{ sso_rhn_ids[sso_version].id }}"
+                default: "104539"
                 description: "Customer Portal product ID for Red Hat SSO"
                 type: "str"
             sso_archive:
@@ -320,7 +320,15 @@ argument_specs:
                 default: "Red Hat Single Sign-On"
                 description: "systemd description for Red Hat Single Sign-On"
                 type: "str"
+            sso_patch_version:
+                default: "7.6.1"
+                description: "Red Hat Single Sign-On latest cumulative patch version"
+                type: "str"
             sso_patch_bundle:
-                default: "rh-sso-{{ sso_rhn_ids[sso_version].latest_cp.v }}-patch.zip"
+                default: "rh-sso-{{ sso_patch_version }}-patch.zip"
                 description: "Red Hat SSO patch archive filename"
                 type: "str"
+            sso_patch_rhn_id:
+                default: "104867"
+                description: "Customer Portal product ID for Red Hat SSO latest cumulative patch"
+                type: "str"
diff --git a/roles/keycloak/tasks/rhsso_patch.yml b/roles/keycloak/tasks/rhsso_patch.yml
@@ -11,7 +11,7 @@
 
 - name: Perform download from RHN
   middleware_automation.redhat_csp_download.redhat_csp_download:
-    url: "{{ keycloak_rhn_url }}{{ sso_rhn_ids[keycloak_version].latest_cp.id }}"
+    url: "{{ keycloak_rhn_url }}{{ sso_patch_rhn_id }}"
     dest: "{{ local_path.stat.path }}/{{ sso_patch_bundle }}"
     username: "{{ rhn_username }}"
     password: "{{ rhn_password }}"
@@ -48,9 +48,9 @@
   when: 
     - cli_result is defined
     - cli_result.stdout is defined
-    - sso_rhn_ids[keycloak_version].latest_cp.v not in cli_result.stdout
+    - sso_patch_version not in cli_result.stdout
   block:
-    - name: "Apply patch {{ sso_rhn_ids[keycloak_version].latest_cp.v }} to server"
+    - name: "Apply patch {{ sso_patch_version }} to server"
       ansible.builtin.include_tasks: rhsso_cli.yml
       vars:
         query: "patch apply {{ patch_archive }}"
@@ -78,10 +78,10 @@
     - name: "Verify installed patch version"
       ansible.builtin.assert:
         that:
-          - sso_rhn_ids[keycloak_version].latest_cp.v not in cli_result.stdout
+          - sso_patch_version not in cli_result.stdout
         fail_msg: "Patch installation failed"
         success_msg: "Patch installation successful"
 
 - name: "Skipping patch"
   ansible.builtin.debug:
-    msg: "Latest cumulative patch {{ sso_rhn_ids[keycloak_version].latest_cp.v }} already installed, skipping patch installation."
+    msg: "Latest cumulative patch {{ sso_patch_version }} already installed, skipping patch installation."