diff --git a/.ansible-lint b/.ansible-lint
index 92e5eaf0..9c2702e3 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -28,7 +28,6 @@ warn_list:
 - name[casing]
 - fqcn[action]
 - schema[meta]
- - var-naming[no-role-prefix]
 - key-order[task]
 - blocked_modules
@@ -36,6 +35,7 @@ skip_list:
 - vars_should_not_be_used
 - file_is_small_enough
 - name[template]
+ - var-naming[no-role-prefix]
 use_default_rules: true
 parseable: true
diff --git a/changelogs/config.yaml b/changelogs/config.yaml
index 374ae659..3c7fb7e1 100644
--- a/changelogs/config.yaml
+++ b/changelogs/config.yaml
@@ -11,22 +11,22 @@ notesdir: fragments
 prelude_section_name: release_summary
 prelude_section_title: Release Summary
 sections:
-- - major_changes
- - Major Changes
-- - minor_changes
- - Minor Changes
-- - breaking_changes
- - Breaking Changes / Porting Guide
-- - deprecated_features
- - Deprecated Features
-- - removed_features
- - Removed Features
-- - security_fixes
- - Security Fixes
-- - bugfixes
- - Bugfixes
-- - known_issues
- - Known Issues
+ - - major_changes
+ - Major Changes
+ - - minor_changes
+ - Minor Changes
+ - - breaking_changes
+ - Breaking Changes / Porting Guide
+ - - deprecated_features
+ - Deprecated Features
+ - - removed_features
+ - Removed Features
+ - - security_fixes
+ - Security Fixes
+ - - bugfixes
+ - Bugfixes
+ - - known_issues
+ - Known Issues
 title: middleware_automation.keycloak
 trivial_section_name: trivial
 use_fqcn: true
diff --git a/roles/keycloak/meta/argument_specs.yml b/roles/keycloak/meta/argument_specs.yml
index eab89cff..5f6052d3 100644
--- a/roles/keycloak/meta/argument_specs.yml
+++ b/roles/keycloak/meta/argument_specs.yml
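Review bot: Moving `var-naming[no-role-prefix]` from `warn_list` to `skip_list` silences the rule outright instead of merely demoting it, and the added `skip_list` entry carries no comment saying why, so a later reader cannot tell a deliberate exemption from an accidental one. A one-line comment above the new entry, e.g. `# skipped rather than warned because: <reason>` (placeholder for the actual rationale), would record the decision next to the setting it affects. This covers both hunks of the file.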
@@ -86,7 +86,9 @@ argument_specs:
 type: "str"
 keycloak_features:
 default: "[]"
- description: "List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]`"
+ description: >
+ List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`,
+ example: `[ { name: 'docker', status: 'enabled' } ]`
 type: "list"
 keycloak_bind_address:
 default: "0.0.0.0"
@@ -310,7 +312,8 @@ argument_specs:
 type: "str"
 keycloak_jgroups_subnet:
 required: false
- description: "Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration"
+ description: >
+ Override the subnet match for jgroups cluster formation; if not defined, it will be inferred from local machine route configuration
 type: "str"
 keycloak_log_target:
 default: '/var/log/keycloak'
@@ -323,7 +326,8 @@ argument_specs:
 description: "Set a username with which to authenticate when downloading JDBC drivers from an alternative location"
 type: "str"
 keycloak_jdbc_download_pass:
- description: "Set a password with which to authenticate when downloading JDBC drivers from an alternative location (requires keycloak_jdbc_download_user)"
+ description: >
+ Set a password with which to authenticate when downloading JDBC drivers from an alternative location (requires keycloak_jdbc_download_user)
 type: "str"
 keycloak_jdbc_download_validate_certs:
 default: true
diff --git a/roles/keycloak/tasks/fastpackages.yml b/roles/keycloak/tasks/fastpackages.yml
index 3b557ef8..be34c720 100644
--- a/roles/keycloak/tasks/fastpackages.yml
+++ b/roles/keycloak/tasks/fastpackages.yml
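Review bot: The three rewrapped descriptions use `description: >`, whose clip chomping keeps one trailing newline in the value, while the rest of this commit uses `>-` for the same job (`msg: >-` in roles/keycloak/tasks/jdbc_driver.yml); `description: >-` folds the lines into a single string with no trailing newline, which is what a documentation renderer expects. The `keycloak_jgroups_subnet` and `keycloak_jdbc_download_pass` hunks also keep the whole sentence on one line after the `>`, so if the rewrap was meant to shorten the lines it has not done so there; breaking at a clause boundary as the `keycloak_features` hunk does would finish the job. The same two points apply to the two description hunks in roles/keycloak_quarkus/meta/argument_specs.yml.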
@@ -8,7 +8,8 @@
 - name: "Add missing packages to the yum install list"
 ansible.builtin.set_fact:
- packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
+ packages_to_install: "{{ packages_to_install | default([]) + rpm_info.stdout_lines | \
+ map('regex_findall', 'package (.+) is not installed$') | default([]) | flatten }}"
 when: ansible_facts.os_family == "RedHat"
 - name: "Install packages: {{ packages_to_install }}"
@@ -17,8 +18,8 @@
 name: "{{ packages_to_install }}"
 state: present
 when:
- - packages_to_install | default([]) | length > 0
- - ansible_facts.os_family == "RedHat"
+ - packages_to_install | default([]) | length > 0
+ - ansible_facts.os_family == "RedHat"
 - name: "Install packages: {{ packages_list }}"
 become: true
diff --git a/roles/keycloak/tasks/install.yml b/roles/keycloak/tasks/install.yml
index 67b98cd6..b620b03f 100644
--- a/roles/keycloak/tasks/install.yml
+++ b/roles/keycloak/tasks/install.yml
@@ -41,8 +41,8 @@
 ansible.builtin.user:
 name: "{{ keycloak_service_user }}"
 home: /opt/keycloak
- system: yes
- create_home: no
+ system: true
+ create_home: false
 - name: "Create install location for {{ keycloak.service_name }}"
 become: true
@@ -51,7 +51,7 @@
 state: directory
 owner: "{{ keycloak_service_user }}"
 group: "{{ keycloak_service_group }}"
- mode: 0750
+ mode: '0750'
 - name: Create pidfile folder
 become: true
@@ -60,7 +60,7 @@
 state: directory
 owner: "{{ keycloak_service_user if keycloak_service_runas else omit }}"
 group: "{{ keycloak_service_group if keycloak_service_runas else omit }}"
- mode: 0750
+ mode: '0750'
 ## check remote archive
 - name: Set download archive path
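Review bot: The new `\` line continuation inside the double-quoted `packages_to_install` value relies on YAML's escaped-line-break rule (the backslash, the line break and the next line's indentation are dropped while the space before the `\` is kept), which gives the right string here but is easy to break on the next edit and differs from how the other long expressions in this commit are wrapped. A folded block scalar, `packages_to_install: >-` with the Jinja expression on the indented lines beneath it, yields the same string without any escape handling, and is the form already used by the `when: >` rewrites in jdbc_driver.yml. The same `\` wrapping appears in roles/keycloak/vars/debian.yml (`keycloak_pkg_java_home`) and roles/keycloak/vars/main.yml (`config_template_source`).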
@@ -84,7 +84,7 @@
 ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
 url: "{{ keycloak_download_url }}"
 dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
- mode: 0644
+ mode: '0644'
 delegate_to: localhost
 run_once: true
 when:
@@ -136,7 +136,7 @@
 ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
 url: "{{ keycloak_rhsso_download_url }}"
 dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
- mode: 0644
+ mode: '0644'
 delegate_to: localhost
 run_once: true
 when:
@@ -160,7 +160,7 @@
 dest: "{{ archive }}"
 owner: "{{ keycloak_service_user }}"
 group: "{{ keycloak_service_group }}"
- mode: 0640
+ mode: '0640'
 register: new_version_downloaded
 when:
 - not archive_path.stat.exists
@@ -221,7 +221,7 @@
 dest: "{{ keycloak_config_path_to_standalone_xml }}"
 owner: "{{ keycloak_service_user }}"
 group: "{{ keycloak_service_group }}"
- mode: 0640
+ mode: '0640'
 notify:
 - restart keycloak
 when: keycloak_config_override_template | length > 0
@@ -233,7 +233,7 @@
 dest: "{{ keycloak_config_path_to_standalone_xml }}"
 owner: "{{ keycloak_service_user }}"
 group: "{{ keycloak_service_group }}"
- mode: 0640
+ mode: '0640'
 notify:
 - restart keycloak
 when:
@@ -261,7 +261,7 @@
 dest: "{{ keycloak_config_path_to_standalone_xml }}"
 owner: "{{ keycloak_service_user }}"
 group: "{{ keycloak_service_group }}"
- mode: 0640
+ mode: '0640'
 notify:
 - restart keycloak
 when:
@@ -276,7 +276,7 @@
 dest: "{{ keycloak_config_path_to_standalone_xml }}"
 owner: "{{ keycloak_service_user }}"
 group: "{{ keycloak_service_group }}"
- mode: 0640
+ mode: '0640'
 notify:
 - restart keycloak
 when:
@@ -291,7 +291,7 @@
 dest: "{{ keycloak_config_path_to_properties }}"
 owner: "{{ keycloak_service_user }}"
 group: "{{ keycloak_service_group }}"
- mode: 0640
+ mode: '0640'
 notify:
 - restart keycloak
 when: keycloak_features | length > 0
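Review bot: The two `ansible.builtin.get_url` downloads of the Keycloak and RH-SSO bundles (hunks -84 and -136) run on the controller and now get `mode: '0644'`, but neither passes a `checksum:` parameter, so the archive that is afterwards pushed to every host is trusted on the strength of the TLS connection alone. If the project publishes digests for the bundles, `checksum: "sha256:<expected-digest-or-digest-url>"` (placeholder) lets get_url reject a truncated or substituted download before it is unpacked; the driver download in roles/keycloak/tasks/jdbc_driver.yml (hunk -32) and, by the look of its `dest`/`register` lines, the patch archive in roles/keycloak/tasks/rhsso_patch.yml (hunk -95) have the same gap. The enclosing tasks begin before these hunks, so a `validate_certs` setting may exist on lines not shown.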
diff --git a/roles/keycloak/tasks/jdbc_driver.yml b/roles/keycloak/tasks/jdbc_driver.yml
index a7cd8ab7..bec80e3c 100644
--- a/roles/keycloak/tasks/jdbc_driver.yml
+++ b/roles/keycloak/tasks/jdbc_driver.yml
@@ -12,7 +12,7 @@
 recurse: true
 owner: "{{ keycloak_service_user }}"
 group: "{{ keycloak_service_group }}"
- mode: 0750
+ mode: '0750'
 become: true
 when:
 - not dest_path.stat.exists
@@ -20,8 +20,9 @@
 ansible.builtin.fail:
 msg: >-
 When JDBC driver download credentials are set, both the username and the password MUST be set
- when:
- - (keycloak_jdbc_download_user is undefined and keycloak_jdbc_download_pass is not undefined) or (keycloak_jdbc_download_pass is undefined and keycloak_jdbc_download_user is not undefined)
+ when: >
+ (keycloak_jdbc_download_user is undefined and keycloak_jdbc_download_pass is not undefined) or
+ (keycloak_jdbc_download_pass is undefined and keycloak_jdbc_download_user is not undefined)
 - name: "Retrieve JDBC Driver from {{ keycloak_jdbc[keycloak_jdbc_engine].driver_jar_url }}"
 ansible.builtin.get_url:
@@ -32,7 +33,7 @@
 url_username: "{{ keycloak_jdbc_download_user | default(omit) }}"
 url_password: "{{ keycloak_jdbc_download_pass | default(omit) }}"
 validate_certs: "{{ keycloak_jdbc_download_validate_certs | default(omit) }}"
- mode: 0640
+ mode: '0640'
 become: true
 - name: "Deploy module.xml for JDBC Driver"
@@ -41,5 +42,5 @@
 dest: "{{ keycloak_jdbc[keycloak_jdbc_engine].driver_module_dir }}/module.xml"
 group: "{{ keycloak_service_group }}"
 owner: "{{ keycloak_service_user }}"
- mode: 0640
+ mode: '0640'
 become: true
diff --git a/roles/keycloak/tasks/prereqs.yml b/roles/keycloak/tasks/prereqs.yml
index c92bb1ce..d97390c5 100644
--- a/roles/keycloak/tasks/prereqs.yml
+++ b/roles/keycloak/tasks/prereqs.yml
@@ -4,13 +4,16 @@
 that:
 - keycloak_admin_password | length > 12
 quiet: true
- fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_admin_password variable to a 12+ char long string"
+ fail_msg: >
+ The console administrator password is empty or invalid. Please set the keycloak_admin_password variable to a 12+ char long string
 success_msg: "{{ 'Console administrator password OK' }}"
 - name: Validate configuration
 ansible.builtin.assert:
- that:
- - (keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and keycloak_db_enabled) or (not keycloak_ha_enabled and not keycloak_db_enabled)
+ that: >
+ (keycloak_ha_enabled and keycloak_db_enabled) or
+ (not keycloak_ha_enabled and keycloak_db_enabled) or
+ (not keycloak_ha_enabled and not keycloak_db_enabled)
 quiet: true
 fail_msg: "Cannot install HA setup without a backend database service. Check keycloak_ha_enabled and keycloak_db_enabled"
 success_msg: "{{ 'Configuring HA' if keycloak_ha_enabled else 'Configuring standalone' }}"
diff --git a/roles/keycloak/tasks/restart_keycloak.yml b/roles/keycloak/tasks/restart_keycloak.yml
index bae91cd4..7284bd0f 100644
--- a/roles/keycloak/tasks/restart_keycloak.yml
+++ b/roles/keycloak/tasks/restart_keycloak.yml
@@ -22,7 +22,7 @@
 - name: "Restart and enable {{ keycloak.service_name }} service"
 ansible.builtin.systemd:
 name: keycloak
- enabled: yes
+ enabled: true
 state: restarted
 become: true
 when: inventory_hostname != ansible_play_hosts | first
diff --git a/roles/keycloak/tasks/rhsso_cli.yml b/roles/keycloak/tasks/rhsso_cli.yml
index c51cdc7a..fd41dd64 100644
--- a/roles/keycloak/tasks/rhsso_cli.yml
+++ b/roles/keycloak/tasks/rhsso_cli.yml
@@ -10,4 +10,4 @@
 ansible.builtin.command: >
 {{ keycloak.cli_path }} --connect --command='{{ query }}' --controller={{ keycloak_host }}:{{ keycloak_management_http_port }}
 changed_when: false
- register: cli_result
\ No newline at end of file
+ register: cli_result
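Review bot: The rewrapped `fail_msg` tells the operator to set a "12+ char long string", but the assertion two lines above it is `- keycloak_admin_password | length > 12`, which rejects a 12-character password, so the message and the check disagree by one. Either relax the check to `- keycloak_admin_password | length >= 12` or, to keep the stricter bound, reword the new message to say "longer than 12 characters". Separately, the rewrapped `that:` of the second assert enumerates three (ha, db) combinations that reduce to `that: keycloak_db_enabled or not keycloak_ha_enabled`, which has the same truth table in one line and reads as the rule its fail_msg states. The first assert's `- name:` and `ansible.builtin.assert:` lines precede the hunk.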
diff --git a/roles/keycloak/tasks/rhsso_patch.yml b/roles/keycloak/tasks/rhsso_patch.yml
index 191a3e0f..e7ac3f00 100644
--- a/roles/keycloak/tasks/rhsso_patch.yml
+++ b/roles/keycloak/tasks/rhsso_patch.yml
@@ -45,7 +45,7 @@
 - name: Determine latest version
 ansible.builtin.set_fact:
- sso_latest_version: "{{ filtered_versions | middleware_automation.common.version_sort | last }}"
+ sso_latest_version: "{{ filtered_versions | middleware_automation.common.version_sort | last }}"
 when: sso_patch_version is not defined or sso_patch_version | length == 0
 delegate_to: localhost
 run_once: true
@@ -95,7 +95,7 @@
 dest: "{{ patch_archive }}"
 owner: "{{ keycloak_service_user }}"
 group: "{{ keycloak_service_group }}"
- mode: 0640
+ mode: '0640'
 register: new_version_downloaded
 when:
 - not patch_archive_path.stat.exists
@@ -135,8 +135,8 @@
 - cli_result.rc == 0
 args:
 apply:
- become: true
- become_user: "{{ keycloak_service_user }}"
+ become: true
+ become_user: "{{ keycloak_service_user }}"
 - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
 ansible.builtin.uri:
@@ -152,8 +152,8 @@
 query: "patch info"
 args:
 apply:
- become: true
- become_user: "{{ keycloak_service_user }}"
+ become: true
+ become_user: "{{ keycloak_service_user }}"
 - name: "Verify installed patch version"
 ansible.builtin.assert:
diff --git a/roles/keycloak/tasks/systemd.yml b/roles/keycloak/tasks/systemd.yml
index 797eb7b6..1653406a 100644
--- a/roles/keycloak/tasks/systemd.yml
+++ b/roles/keycloak/tasks/systemd.yml
@@ -6,7 +6,7 @@
 dest: "{{ keycloak_dest }}/keycloak-service.sh"
 owner: root
 group: root
- mode: 0755
+ mode: '0755'
 notify:
 - restart keycloak
@@ -17,7 +17,7 @@
 dest: "{{ keycloak_sysconf_file }}"
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 notify:
 - restart keycloak
@@ -27,7 +27,7 @@
 dest: /etc/systemd/system/keycloak.service
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 become: true
 register: systemdunit
 notify:
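Review bot: In the systemd.yml hunk at -17, `mode: '0644'` keeps `{{ keycloak_sysconf_file }}` world-readable with `owner: root`; the template it is rendered from is not in this diff, but files of this kind typically carry environment settings for the service, and if any credential is passed that way every local account on the host can read it. If that is the case, `mode: '0640'` together with `group: "{{ keycloak_service_group }}"` keeps the file readable by the service without exposing it; if the file holds nothing sensitive, a one-line comment above `mode:` saying so would settle the question for the next reviewer. The enclosing task starts before the hunk.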
diff --git a/roles/keycloak/vars/debian.yml b/roles/keycloak/vars/debian.yml
index 60cdfa8a..b005b0a1 100644
--- a/roles/keycloak/vars/debian.yml
+++ b/roles/keycloak/vars/debian.yml
@@ -6,6 +6,7 @@ keycloak_prereq_package_list:
 - procps
 - apt
 - tzdata
-keycloak_configure_iptables: True
+keycloak_configure_iptables: true
 keycloak_sysconf_file: /etc/default/keycloak
-keycloak_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_varjvm_package | regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
+keycloak_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_varjvm_package | \
+ regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
diff --git a/roles/keycloak/vars/main.yml b/roles/keycloak/vars/main.yml
index b03a1a5a..7f7dfd18 100644
--- a/roles/keycloak/vars/main.yml
+++ b/roles/keycloak/vars/main.yml
@@ -13,7 +13,8 @@ keycloak:
 service_name: "{{ keycloak_service_name }}"
 health_url: "{{ keycloak_management_url }}/health"
 cli_path: "{{ keycloak_jboss_home }}/bin/jboss-cli.sh"
- config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 else 'standalone-ha.xml.j2' if keycloak_remote_cache_enabled else 'standalone.xml.j2' }}"
+ config_template_source: "{{ keycloak_config_override_template if keycloak_config_override_template | length > 0 \
+ else 'standalone-ha.xml.j2' if keycloak_remote_cache_enabled else 'standalone.xml.j2' }}"
 features: "{{ keycloak_features }}"
 # database
@@ -26,7 +27,8 @@ keycloak_jdbc:
 driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/postgresql/main"
 driver_version: "{{ keycloak_jdbc_driver_version }}"
 driver_jar_filename: "postgresql-{{ keycloak_jdbc_driver_version }}.jar"
- driver_jar_url: "https://repo.maven.apache.org/maven2/org/postgresql/postgresql/{{ keycloak_jdbc_driver_version }}/postgresql-{{ keycloak_jdbc_driver_version }}.jar"
+ driver_jar_url: >
+ {{ keycloak_maven_central }}org/postgresql/postgresql/{{ keycloak_jdbc_driver_version }}/postgresql-{{ keycloak_jdbc_driver_version }}.jar
 connection_url: "{{ keycloak_jdbc_url }}"
 db_user: "{{ keycloak_db_user }}"
 db_password: "{{ keycloak_db_pass }}"
@@ -46,7 +48,8 @@ keycloak_jdbc:
 driver_module_dir: "{{ keycloak_jboss_home }}/modules/org/mariadb/main"
 driver_version: "{{ keycloak_jdbc_driver_version }}"
 driver_jar_filename: "mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar"
- driver_jar_url: "https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/{{ keycloak_jdbc_driver_version }}/mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar"
+ driver_jar_url: >
+ {{ keycloak_maven_central }}org/mariadb/jdbc/mariadb-java-client/{{ keycloak_jdbc_driver_version }}/mariadb-java-client-{{ keycloak_jdbc_driver_version }}.jar
 connection_url: "{{ keycloak_jdbc_url }}"
 db_user: "{{ keycloak_db_user }}"
 db_password: "{{ keycloak_db_pass }}"
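Review bot: `driver_jar_url: >` uses clip chomping, so after folding the value is the URL followed by a newline, and Ansible preserves a template's trailing newline when it renders the variable; that string is what reaches `url:` in the driver get_url task and the `Retrieve JDBC Driver from …` task title. urllib trims surrounding whitespace from a request URL, so the download most likely still succeeds, but the task title prints with a stray line break and any other consumer of the value receives a string that is not a URL; `driver_jar_url: >-` gives the intended single line. The mariadb entry in this chunk and the mssql entry at hunk -67 have the same issue.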
@@ -67,7 +70,8 @@ keycloak_jdbc:
 driver_module_dir: "{{ keycloak_jboss_home }}/modules/com/microsoft/sqlserver/main"
 driver_version: "{{ keycloak_jdbc_driver_version }}"
 driver_jar_filename: "mssql-java-client-{{ keycloak_jdbc_driver_version }}.jar"
- driver_jar_url: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/{{ keycloak_jdbc_driver_version }}.jre11/mssql-jdbc-{{ keycloak_jdbc_driver_version }}.jre11.jar" # e.g., https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.2.0.jre11/mssql-jdbc-12.2.0.jre11.jar
+ driver_jar_url: >
+ {{ keycloak_maven_central }}com/microsoft/sqlserver/mssql-jdbc/{{ keycloak_jdbc_driver_version }}.jre11/mssql-jdbc-{{ keycloak_jdbc_driver_version }}.jre11.jar
 connection_url: "{{ keycloak_jdbc_url }}"
 db_user: "{{ keycloak_db_user }}"
 db_password: "{{ keycloak_db_pass }}"
@@ -102,3 +106,5 @@ keycloak_remotecache:
 use_ssl: "{{ keycloak_infinispan_use_ssl }}"
 trust_store_path: "{{ keycloak_infinispan_trust_store_path }}"
 trust_store_password: "{{ keycloak_infinispan_trust_store_password }}"
+
+keycloak_maven_central: https://repo1.maven.org/maven2/
diff --git a/roles/keycloak_quarkus/handlers/main.yml b/roles/keycloak_quarkus/handlers/main.yml
index f60e7476..b95d5c39 100644
--- a/roles/keycloak_quarkus/handlers/main.yml
+++ b/roles/keycloak_quarkus/handlers/main.yml
@@ -12,6 +12,6 @@
 - name: "Print deprecation warning"
 ansible.builtin.fail:
 msg: "Deprecation warning: you are using the deprecated variable '{{ deprecated_variable | d('NotSet') }}', check docs on how to upgrade."
- ignore_errors: true
 failed_when: false
+ changed_when: true
 listen: "print deprecation warning"
diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
index 5fccedcb..a8b1a05a 100644
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
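Review bot: `keycloak_maven_central` is added to `vars/main.yml`, which takes precedence over inventory and play variables, so a deployment that must fetch the JDBC drivers from an internal mirror rather than repo1.maven.org cannot override it short of extra vars. If pointing at a mirror is meant to be supported (the argument_specs descriptions already speak of downloading drivers "from an alternative location"), the base URL belongs in `defaults/main.yml` with an `argument_specs` entry, and that entry should state that the value must end in `/`, since the three `driver_jar_url` templates concatenate `{{ keycloak_maven_central }}org/...` without a separator.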
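Review bot: In the handlers/main.yml hunk the task stays `ansible.builtin.fail` with `failed_when: false`, and as far as I can tell the default callback only prints a task's `msg` for failed results or at `-v`, so the deprecation warning this handler exists to show is not displayed in a normal run; `changed_when: true` colours the line but does not surface the message. Replacing `ansible.builtin.fail:` with `ansible.builtin.debug:` (which always displays `msg`) and dropping `failed_when: false` keeps the lint-clean shape and makes the warning visible; `changed_when: true` can stay if the highlighting is wanted.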
@@ -170,7 +170,9 @@ argument_specs:
 type: "str"
 keycloak_quarkus_config_key_store_password:
 default: ""
- description: "Password of the configuration key store; if non-empty, `keycloak_quarkus_db_pass` will be saved to the key store at `keycloak_quarkus_config_key_store_file` (instead of being written to the configuration file in clear text"
+ description: >
+ Password of the configuration key store; if non-empty, `keycloak_quarkus_db_pass` will be saved to the key store
+ at `keycloak_quarkus_config_key_store_file` (instead of being written to the configuration file in clear text)
 type: "str"
 keycloak_quarkus_https_port:
 default: 8443
@@ -399,7 +401,9 @@ argument_specs:
 description: "Set a username with which to authenticate when downloading JDBC drivers from an alternative location"
 type: "str"
 keycloak_quarkus_jdbc_download_pass:
- description: "Set a password with which to authenticate when downloading JDBC drivers from an alternative location (requires keycloak_quarkus_jdbc_download_user)"
+ description: >
+ Set a password with which to authenticate when downloading JDBC drivers from an alternative location
+ (requires `keycloak_quarkus_jdbc_download_user``)
 type: "str"
 keycloak_quarkus_jdbc_download_validate_certs:
 default: true
diff --git a/roles/keycloak_quarkus/tasks/install.yml b/roles/keycloak_quarkus/tasks/install.yml
index 732e5b13..65fd3919 100644
--- a/roles/keycloak_quarkus/tasks/install.yml
+++ b/roles/keycloak_quarkus/tasks/install.yml
@@ -170,7 +170,7 @@
 dest: "{{ keycloak_quarkus_key_file }}"
 owner: "{{ keycloak.service_user }}"
 group: "{{ keycloak.service_group }}"
- mode: 0640
+ mode: '0640'
 become: true
 when:
 - keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
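Review bot: In the hunk at -399 the closing backtick after `keycloak_quarkus_jdbc_download_user` on the new second description line is doubled, so the rendered docs show a stray backtick before the closing parenthesis; remove one so the line ends `(requires ` followed by the backticked variable name and `)`. The `keycloak_quarkus_config_key_store_password` hunk correctly restores the parenthesis the old text left unclosed. Both hunks use `description: >`, which keeps a trailing newline in the value; `>-` avoids it.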
@@ -183,7 +183,7 @@
 dest: "{{ keycloak_quarkus_cert_file }}"
 owner: "{{ keycloak.service_user }}"
 group: "{{ keycloak.service_group }}"
- mode: 0644
+ mode: '0644'
 become: true
 when:
 - keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
diff --git a/roles/keycloak_quarkus/tasks/jdbc_driver.yml b/roles/keycloak_quarkus/tasks/jdbc_driver.yml
index 52298aa9..880a9150 100644
--- a/roles/keycloak_quarkus/tasks/jdbc_driver.yml
+++ b/roles/keycloak_quarkus/tasks/jdbc_driver.yml
@@ -3,9 +3,11 @@
 ansible.builtin.fail:
 msg: >-
 When JDBC driver download credentials are set, both the username and the password MUST be set
- when:
- - (keycloak_quarkus_jdbc_download_user is undefined and keycloak_quarkus_jdbc_download_pass is not undefined) or (keycloak_quarkus_jdbc_download_pass is undefined and keycloak_quarkus_jdbc_download_user is not undefined)
-- name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_user | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
+ when: >
+ (keycloak_quarkus_jdbc_download_user is undefined and keycloak_quarkus_jdbc_download_pass is not undefined) or
+ (keycloak_quarkus_jdbc_download_pass is undefined and keycloak_quarkus_jdbc_download_user is not undefined)
+
+- name: "Retrieve JDBC Driver from {{ keycloak_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
 ansible.builtin.get_url:
 url: "{{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"
 dest: "{{ keycloak.home }}/providers"
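Review bot: The rewritten task title in the jdbc_driver.yml hunk interpolates `keycloak_jdbc_download_url`, but the `url:` parameter beneath it reads `keycloak_quarkus_jdbc_download_url`; this role's variables carry the `keycloak_quarkus_` prefix (the `when:` in the same hunk uses it), so `keycloak_jdbc_download_url` will normally be undefined and the title falls back to the Maven default even when an alternative download location is configured, which misstates in the run log where the driver was actually fetched from. The title should use the same variable as the parameter: `- name: "Retrieve JDBC Driver from {{ keycloak_quarkus_jdbc_download_url | default(keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url) }}"`. The get_url task continues past the end of the hunk.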