Merge pull request #68 from guidograzioli/ha_internal_infinispan

Allow to setup keycloak HA cluster without remote cache store
ansible-middleware · Apr 1, 2023 · f013a99 · f013a99
2 parents a2c17f5 + 6bfe046
commit f013a99
Show file tree

Hide file tree

Showing 7 changed files with 748 additions and 6 deletions.
diff --git a/roles/keycloak/README.md b/roles/keycloak/README.md
@@ -57,6 +57,7 @@ Role Defaults
 |`keycloak_ha_enabled`| Enable auto configuration for database backend, clustering and remote caches on infinispan | `False` |
 |`keycloak_ha_discovery`| Discovery protocol for HA cluster members | `JDBC_PING` if keycloak_db_enabled else `TCPPING` |
 |`keycloak_db_enabled`| Enable auto configuration for database backend | `True` if `keycloak_ha_enabled` is True, else `False` |
+|`keycloak_remote_cache_enabled`| Enable remote cache store when in clustered ha configurations | `True` if `keycloak_ha_enabled` else `False` |
 |`keycloak_admin_user`| Administration console user account | `admin` |
 |`keycloak_bind_address`| Address for binding service ports | `0.0.0.0` |
 |`keycloak_management_port_bind_address`| Address for binding management ports | `127.0.0.1` |

diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml
@@ -48,6 +48,8 @@ keycloak_ha_enabled: False
 keycloak_db_enabled: "{{ True if keycloak_ha_enabled else False }}"
 ### Discovery protocol for ha cluster members, valus [ 'JDBC_PING', 'TCPPING' ]
 keycloak_ha_discovery: "{{ 'JDBC_PING' if keycloak_db_enabled else 'TCPPING' }}"
+### Remote cache store on infinispan cluster
+keycloak_remote_cache_enabled: "{{ True if keycloak_ha_enabled else False }}"
 
 ### Keycloak administration console user
 keycloak_admin_user: admin

diff --git a/roles/keycloak/meta/argument_specs.yml b/roles/keycloak/meta/argument_specs.yml
@@ -294,6 +294,10 @@ argument_specs:
                 default: true
                 type: "bool"
                 description: "Changes default behavior for no_log for debugging purpose, do not change for production system."
+            keycloak_remote_cache_enabled:
+                default: "{{ True if keycloak_ha_enabled else False }}"
+                description: "Enable remote cache store when in clustered ha configurations"
+                type: "bool"
     downstream:
         options:
             sso_version:

diff --git a/roles/keycloak/tasks/install.yml b/roles/keycloak/tasks/install.yml
@@ -199,17 +199,31 @@
   ansible.builtin.include_tasks: jdbc_driver.yml
   when: keycloak_jdbc[keycloak_jdbc_engine].enabled
 
-- name: "Deploy {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak.config_template_source }}"
+- name: "Deploy custom {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak_config_override_template }}"
   become: yes
   ansible.builtin.template:
-    src: "templates/{{ keycloak.config_template_source }}"
+    src: "templates/{{ keycloak_config_override_template }}"
     dest: "{{ keycloak_config_path_to_standalone_xml }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
     mode: 0640
   notify:
     - restart keycloak
-  when: not keycloak_remotecache.enabled or keycloak_config_override_template | length > 0
+  when: keycloak_config_override_template | length > 0
+
+- name: "Deploy standalone {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }}"
+  become: yes
+  ansible.builtin.template:
+    src: templates/standalone.xml.j2
+    dest: "{{ keycloak_config_path_to_standalone_xml }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0640
+  notify:
+    - restart keycloak
+  when:
+    - not keycloak_ha_enabled
+    - keycloak_config_override_template | length == 0
 
 - name: Create tcpping cluster node list
   ansible.builtin.set_fact:
@@ -225,7 +239,22 @@
     loop: "{{ ansible_play_batch }}"
   when: keycloak_ha_enabled and keycloak_ha_discovery == 'TCPPING'
 
-- name: "Deploy {{ keycloak.service_name }} config with remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
+- name: "Deploy HA {{ keycloak.service_name }} config to {{ keycloak_config_path_to_standalone_xml }} from {{ keycloak.config_template_source }}"
+  become: yes
+  ansible.builtin.template:
+    src: templates/standalone-ha.xml.j2
+    dest: "{{ keycloak_config_path_to_standalone_xml }}"
+    owner: "{{ keycloak_service_user }}"
+    group: "{{ keycloak_service_group }}"
+    mode: 0640
+  notify:
+    - restart keycloak
+  when:
+    - keycloak_ha_enabled
+    - not keycloak_remote_cache_enabled
+    - keycloak_config_override_template | length == 0
+
+- name: "Deploy HA {{ keycloak.service_name }} config with infinispan remote cache store to {{ keycloak_config_path_to_standalone_xml }}"
   become: yes
   ansible.builtin.template:
     src: templates/standalone-infinispan.xml.j2
@@ -235,4 +264,7 @@
     mode: 0640
   notify:
     - restart keycloak
-  when: keycloak_remotecache.enabled
+  when:
+    - keycloak_ha_enabled
+    - keycloak_remote_cache_enabled    
+    - keycloak_config_override_template | length == 0
diff --git a/roles/keycloak/tasks/prereqs.yml b/roles/keycloak/tasks/prereqs.yml
@@ -15,6 +15,14 @@
     fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_ha_enabled and keycloak_db_enabled"
     success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"
 
+- name: Validate remote cache store configuration
+  ansible.builtin.assert:
+    that:
+      - (keycloak_remote_cache_enabled and keycloak_ha_enabled) or (not keycloak_ha_enabled)
+    quiet: True
+    fail_msg: "Cannot deploy with remote cache storage on infinispan when keycloak_ha_enabled is false"
+    success_msg: "{{ 'Configuring HA with infinispan remote cache storage' if keycloak_ha_enabled else 'Configuring standalone' }}"
+
 - name: Validate credentials
   ansible.builtin.assert:
     that: