keycloak_quarkus
Install keycloak >= 20.0.0 (quarkus) server configurations.
Requirements
This role requires the python3-netaddr and lxml libraries installed on the controller node.

To install via yum/dnf:

```
dnf install python3-netaddr python3-lxml
```

To install via apt:

```
apt install python3-netaddr python3-lxml
```

Or via the collection:

```
pip install -r requirements.txt
```
Dependencies
The role depends on:

To install all the dependencies via galaxy:

```
ansible-galaxy collection install -r requirements.yml
```
Role Defaults
Installation options
| Variable | Description | Default |
|---|---|---|
| | keycloak.org package version | |
| | Perform an offline install | |
| | Installation root path | |
| | Download URL for keycloak | |
| | Path local to controller for offline/download of install archives | |
Service configuration
| Variable | Description | Default |
|---|---|---|
| | Administration console user account | |
| | Address for binding service ports | |
| | Hostname for the Keycloak server | |
| | The port used by the proxy when exposing the hostname | |
| | This should be set if the proxy uses a different context-path for Keycloak | |
| | HTTP listening port | |
| | TLS HTTP listening port | |
| | AJP port | |
| | Posix account username | |
| | Posix account group | |
| | systemd restart always behavior activation | |
| | systemd restart on-failure behavior activation | |
| | systemd RestartSec | |
| | RHEL java package runtime | |
| | JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | |
| | Heap memory JVM setting | |
| | Other JVM settings | same as keycloak |
| | JVM arguments; if overridden, it takes precedence over | |
| | List of additional env variables of { key: str, value: str } to be put in sysconfig file | |
| | Set the base URL for frontend URLs, including scheme, host, port and path | |
| | Set the base URL for accessing the administration console, including scheme, host, port and path | |
| | Set the path relative to / for serving resources. The path must start with a / | |
| | Enable listener on HTTP port | |
| | Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically | |
| | Enable listener on HTTPS port | |
| | Enable copy of key file to target host | |
| | Content of the TLS private key. Use | |
| | The file path to a private key in PEM format | |
| | Enable copy of cert file to target host | |
| | Set the source file path | |
| | The file path to a server certificate or certificate chain in PEM format | |
| | Enable configuration of HTTPS via a key store | |
| | Deprecated, use | |
| | Deprecated, use | |
| | The file path to the key store | |
| | Password for the key store | |
| | Enable configuration of the https trust store | |
| | The file path to the trust store | |
| | Password for the trust store | |
| | Parse reverse proxy headers ( | |
| | Path to the configuration key store; only used if | |
| | Password of the configuration keystore; if non-empty, | |
| | Ensure firewalld is running and configure keycloak ports | |
| | Ensure iptables is configured for keycloak ports | |
High-availability
| Variable | Description | Default |
|---|---|---|
| | Enable auto configuration for database backend, clustering and remote caches on infinispan | |
| | Discovery protocol for HA cluster members | |
| | Enable auto configuration for database backend | |
| | jgroups cluster tcp port | |
| | Whether systemd unit should wait for keycloak port before returning | |
| | Which port the systemd unit should wait for | |
| | Whether systemd unit should wait for service to be up in logs | |
| | How long to wait for service to be alive (seconds) | |
| | Activation delay for service systemd unit (seconds) | |
| | Strategy task file for restarting in HA (one of the provided restart/['serial.yml', 'none.yml', 'serial_then_parallel.yml']) or path to file when providing a custom strategy | |
| | Whether to wait for successful health check after restart | |
| | Seconds to let pass before starting health checks | |
| | Number of attempts for successful health check before failing | |
| | Seconds to wait between restarts in HA strategy | |
Hostname configuration
| Variable | Description | Default |
|---|---|---|
| | Set the path relative to / for serving resources. The path must start with a / | |
| | Disables dynamically resolving the hostname from request headers | |
| | By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled. | |
Database configuration
| Variable | Description | Default |
|---|---|---|
| | Database engine [mariadb, postgres, mssql] | |
| | User for database connection | |
| | Password for database connection | |
| | JDBC URL for connecting to database | |
| | Version for JDBC driver | |
Remote caches configuration
| Variable | Description | Default |
|---|---|---|
| | Username for connecting to infinispan | |
| | Password for connecting to infinispan | |
| | host name/port for connecting to infinispan, e.g. host1:11222;host2:11222 | |
| | Infinispan auth mechanism | |
| | Whether infinispan uses TLS connection | |
| | Path to infinispan server trust certificate | |
| | Password for infinispan certificate keystore | |
Miscellaneous configuration
| Variable | Description | Default |
|---|---|---|
| | Whether to enable metrics | |
| | If the server should expose health check endpoints | |
| | keycloak install archive filename | |
| | Installation path | |
| | Installation work directory | |
| | Path for configuration | |
| | Name for rest authentication realm | |
| | Authentication client for configuration REST calls | |
| | Remove pre-existing versions of service | |
| | URL for configuration rest calls | |
| | Enable one or more log handlers in a comma-separated list | |
| | The log level of the root category or a comma-separated list of individual categories and their levels | |
| | Set the log file path and filename relative to keycloak home | |
| | Set a format specific to file log entries | |
| | Set the destination of the keycloak log folder link | |
| | Set the maximum log file size before a log rotation happens; a size configuration option recognises strings in this format (shown as a regular expression): | |
| | Set the maximum number of archived log files to keep | |
| | Set the log file handler rotation file suffix. When used, the file will be rotated based on its suffix; Note: If the suffix ends with | |
| | The proxy address forwarding mode if the server is behind a reverse proxy | |
| | Whether to start the service in development mode (start-dev) | |
| | Whether to use XA transactions | |
| | If the route should be attached to cookies to reflect the node that owns a particular session. If false, the route is not attached to cookies and we rely on the session affinity capabilities of the reverse proxy | |
| | Whether deprecation warnings should be shown | |
Vault SPI
| Variable | Description | Default |
|---|---|---|
| | Whether to enable the vault SPI | |
| | The keystore path for the vault SPI | |
| | Type of the keystore used for the vault SPI | |
Configuring providers
| Variable | Description | Default |
|---|---|---|
| | List of provider definitions; see below | |

Providers support different sources:

- url: http download for providers not requiring authentication
- maven: maven download for providers hosted publicly on Apache Maven Central or private Maven repositories like Github Maven requiring authentication
- local_path: static providers to be uploaded

Provider definition:

```yaml
keycloak_quarkus_providers:
  - id: http-client # required; "{{ id }}.jar" identifies the file name on RHBK
    spi: connections # required if neither url, local_path nor maven are specified; required for setting properties
    default: true # optional, whether to set default for spi, default false
    restart: true # optional, whether to rebuild config and restart the service after deploying, default true
    url: https://.../.../custom_spi.jar # optional, url for download via http
    local_path: my_theme_spi.jar # optional, path on local controller for SPI to be uploaded
    maven: # optional, for download using maven
      repository_url: https://maven.pkg.github.com/OWNER/REPOSITORY # optional, maven repo url
      group_id: my.group # optional, maven group id
      artifact_id: artifact # optional, maven artifact id
      version: 24.0.5 # optional, defaults to latest
      username: user # optional, cf. https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry#authenticating-to-github-packages
      password: pat # optional, provide a PAT for accessing Github's Apache Maven registry
    properties: # optional, list of key-values
      - key: default-connection-pool-size
        value: 10
```

The definition above will generate the following build command:

```
bin/kc.sh build --spi-connections-provider=http-client --spi-connections-http-client-default-connection-pool-size=10
```
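As an added example (not the role's own code), the following Python reproduces the mapping shown above from a keycloak_quarkus_providers list to kc.sh build options and checks the rules stated in the provider definition (id always required; spi required when no url, local_path or maven source is given or when properties are set; maven username and password both present or both absent). It generalises to several providers; it assumes that `default: true` is what emits the `--spi-<spi>-provider=<id>` option, and the second provider entry and the URL are constructed placeholders.

```python
import shlex

# Constructed provider list: the README's http-client entry (placeholder URL)
# plus a local_path-only theme provider that adds no build options.
PROVIDERS = [
    {
        "id": "http-client",
        "spi": "connections",
        "default": True,
        "url": "https://example.invalid/custom_spi.jar",
        "properties": [{"key": "default-connection-pool-size", "value": 10}],
    },
    {"id": "my-theme", "local_path": "my_theme_spi.jar"},
]


def provider_problems(p):
    """Return the README rules the entry violates (empty list means valid)."""
    problems = []
    if "id" not in p:
        return ["provider entry requires an id"]
    has_source = any(k in p for k in ("url", "local_path", "maven"))
    if "spi" not in p and not has_source:
        problems.append("spi is required when no url/local_path/maven is given")
    if p.get("properties") and "spi" not in p:
        problems.append("spi is required to set properties")
    maven = p.get("maven") or {}
    if ("username" in maven) != ("password" in maven):
        problems.append("maven username and password must both be set or both omitted")
    return problems


def build_args(providers):
    """Render kc.sh build options: --spi-<spi>-provider=<id> for default providers
    (assumed mapping, consistent with the README) and --spi-<spi>-<id>-<key>=<value>
    for each property. Entries without an spi contribute nothing."""
    args = []
    for p in providers:
        problems = provider_problems(p)
        if problems:
            raise ValueError(f"{p.get('id', '<no id>')}: " + "; ".join(problems))
        spi = p.get("spi")
        if spi and p.get("default", False):
            args.append(f"--spi-{spi}-provider={p['id']}")
        for prop in p.get("properties") or []:
            args.append(f"--spi-{spi}-{p['id']}-{prop['key']}={prop['value']}")
    return args


def build_command(providers, kc="bin/kc.sh"):
    # Shell-quote each option so odd property values cannot break the command line.
    return " ".join([kc, "build"] + [shlex.quote(a) for a in build_args(providers)])
```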
Configuring policies
| Variable | Description | Default |
|---|---|---|
| | List of policy definitions; see below | |

Policy definition:

```yaml
keycloak_quarkus_policies:
  - name: xato-net-10-million-passwords.txt # required, resulting file name
    url: https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt # required, url for download
    type: password-blacklists # optional, defaults to `password-blacklists`; supported values: [`password-blacklists`]
```
Role Variables
| Variable | Description | Required |
|---|---|---|
| | Password of console admin account | |
| | Base URL for frontend URLs, including scheme, host, port and path | |
| | Base URL for accessing the administration console, including scheme, host, port and path | |
| | The password for accessing the keystore vault SPI | |
| | Alternate location with optional authentication for downloading RHBK | |
| | Optional username for http authentication | |
| | Optional password for http authentication | |
| | Whether to validate certs for URL | |
| | Optional username for http authentication | |
| | Optional password for http authentication | |
| | Whether to validate certs for URL | |

\* username/password authentication credentials must be both declared or both undefined
Role custom facts
The role uses the following custom facts found in /etc/ansible/facts.d/keycloak.fact (and thus identified by the ansible_local.keycloak. prefix):

| Variable | Description |
|---|---|
| | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to |
License
Apache License 2.0