Added support of remote providers loaded from URL. The variable to use is `keycloak_remote_providers_url`

tag specific to the systemd unit.
Add a missing endif.
2025-01-28 17:54:54 +01:00 · 2024-11-04 18:53:04 +01:00 · 2024-05-30 12:38:25 +02:00 · 2024-05-30 12:37:26 +02:00 · 2024-05-29 18:47:37 +02:00 · 2024-05-29 18:41:01 +02:00
6 changed files with 70 additions and 19 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -36,6 +36,18 @@ keycloak_remote_providers: []
  #   maven_extension: ''
  #   maven_version: ''

+keycloak_remote_providers_url: []
+  # - name: 'foo'
+  #   url: ''
+  # [optional]
+  #   dest_file: ''  # to force file name different from 'url'
+  #   force: 'true|false'
+  #   checksum: ''
+  #   validate_certs: 'true|false'
+  #   force_basic_auth: 'true|false'
+  #   username ''
+  #   password: ''
+
 keycloak_additional_properties: []
 keycloak_quarkus_additional_properties: []

@ -93,5 +105,7 @@ keycloak_cache_container_name: keycloak
 keycloak_jgroups_multicast_port: 46655
 keycloak_jgroups_multicast_address: 228.6.7.8
 keycloak_jgroups_bind_port: 55200
+keycloak_jgroups_bind_specific_ip: false
+keycloak_jgroups_bind_ip_address: "{{ ansible_default_ipv4.address }}"
 keycloak_jgroups_extended_stack: false
 keycloak_jgroups_extended_stack_name: "extended-{{ keycloak_cache_stack }}"
--- a/tasks/keycloak-providers.yml
+++ b/tasks/keycloak-providers.yml
@ -1,19 +1,34 @@
 ---
 - name: keycloak-providers | Get the keycloak providers
-  community.general.maven_artifact:
-    artifact_id: "{{ item.maven_id }}"
-    version: "{{ item.maven_version | default('latest') }}"
-    group_id: "{{ item.maven_group_id }}"
-    extension: "{{ item.maven_extension | default('jar') }}"
-    repository_url: "{{ item.maven_repo_url }}"
-    dest: "{{ keycloak_providers_directory }}/{{ item.name }}.{{ item.maven_extension | default('jar') }}"
-    verify_checksum: always
-    mode: "0644"
-  loop: '{{ keycloak_remote_providers }}'
-  when: item.maven_extension is not defined or item.maven_extension != "ear"
-  notify: Restart Keycloak
-
  tags:
    - keycloak
    - keycloak_providers
    - keycloak_providers_jar
+  block:
+    - name: keycloak-providers | Getting maven artifact providers
+      community.general.maven_artifact:
+        artifact_id: "{{ item.maven_id }}"
+        version: "{{ item.maven_version | default('latest') }}"
+        group_id: "{{ item.maven_group_id }}"
+        extension: "{{ item.maven_extension | default('jar') }}"
+        repository_url: "{{ item.maven_repo_url }}"
+        dest: "{{ keycloak_providers_directory }}/{{ item.name }}.{{ item.maven_extension | default('jar') }}"
+        verify_checksum: always
+        mode: "0644"
+      loop: '{{ keycloak_remote_providers }}'
+      when: item.maven_extension is not defined or item.maven_extension != "ear"
+      notify: Restart Keycloak
+
+    - name: keycloak-providers | Getting providers from URL
+      ansible.builtin.get_url:
+        url: "{{ item.url }}"
+        dest: "{{ keycloak_providers_directory }}/{{ item.dest_file | default('') }}"
+        force: "{{ item.force | default( omit ) }}"
+        checksum: "{{ item.checksum | default( omit ) }}"
+        validate_certs: "{{ item.validate_certs | default( omit ) }}"
+        force_basic_auth: "{{ item.force_basic_auth | default( omit ) }}"
+        url_username: "{{ item.username | default( omit ) }}"
+        url_password: "{{ item.password | default( omit ) }}"
+        mode: "0644"
+      loop: '{{ keycloak_remote_providers_url }}'
+      notify: Restart Keycloak
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -15,6 +15,7 @@
    - keycloak_conf
    - keycloak_providers
    - keycloak_providers_jar
+    - keycloak_systemd_unit
  block:
    - name: Install the keycloak systemd unit
      ansible.builtin.template:
@ -38,6 +39,7 @@

    - name: Wait for the service to be up before proceeding
      ansible.builtin.wait_for:
+        host: "{{ keycloak_listen }}"
        port: "{% if keycloak_https_enabled %}{{ keycloak_https_port }}{% else %}{{ keycloak_http_port }}{% endif %}"
        delay: 10
        timeout: 90
--- a/templates/cache-ispn.xml.j2
+++ b/templates/cache-ispn.xml.j2
@ -21,11 +21,19 @@
        xsi:schemaLocation="urn:infinispan:config:11.0 http://www.infinispan.org/schemas/infinispan-config-11.0.xsd"
        xmlns="urn:infinispan:config:11.0">

+{% if keycloak_jgroups_bind_specific_ip %}
+    <interfaces>
+        <interface name="public">
+          <inet-address value="{{ keycloak_jgroups_bind_ip_address }}"/>
+        </interface>
+    </interfaces>
+{% endif %}
+
 {% if keycloak_jgroups_extended_stack %}
    <!-- custom stack goes into the jgroups element -->
    <jgroups>
        <stack name="{{ keycloak_jgroups_extended_stack_name }}" extends="{{ keycloak_cache_stack }}">
-            <UDP bind_addr="${jgroups.bind.address,jgroups.udp.address:SITE_LOCAL}"
+            <UDP bind_addr="{% if keycloak_jgroups_bind_specific_ip %}{{ keycloak_jgroups_bind_ip_address }}{% else %}${jgroups.bind.address,jgroups.udp.address:SITE_LOCAL}{% endif %}"
                bind_port="{{ keycloak_jgroups_bind_port }}"
                mcast_addr="{{ keycloak_jgroups_multicast_address }}"
                mcast_port="{{ keycloak_jgroups_multicast_port }}"
@ -109,4 +117,4 @@
            <memory max-count="-1"/>
        </distributed-cache>
    </cache-container>
-</infinispan>
+</infinispan>
--- a/templates/keycloak.conf.j2
+++ b/templates/keycloak.conf.j2
@ -38,9 +38,13 @@ https-port={{ keycloak_https_port }}
 {% endif %}

 {% if keycloak_behind_reverse_proxy %}
+{% if keycloak_version is version_compare('22.0.0', '<') %}
+proxy=reencrypt
+{% else %}
 # The proxy address forwarding mode if the server is behind a reverse proxy.
 proxy-headers={{ keycloak_reverse_proxy_type }}
 {% endif %}
+{% endif %}

 {% if keycloak_set_hostname %}
 # Hostname for the Keycloak server.
@ -53,7 +57,7 @@ features-disabled={% for dis in keycloak_disabled_features %}{{ dis }}{% if not
 {% if keycloak_preview_features | length  %}features={% for feat in keycloak_preview_features %}{{ feat }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}

 {% if keycloak_external_avatar_dir_enabled %}
-spi-avatar-storage-avatar-storage-file-avatar-folder={{ keycloak_external_avatar_dir}}
+spi-avatar-storage-avatar-storage-file-avatar-folder={{ keycloak_external_avatar_dir }}
 {% endif %}

 {% if keycloak_s3_avatar_enabled %}
@ -67,7 +71,7 @@ spi-avatar-storage-avatar-storage-s3-root-bucket={{ keycloak_s3_avatar_bucket }}
 # Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
 spi-sticky-session-encoder-infinispan-should-attach-route={{ keycloak_reverse_proxy_infinispan_attach_route }}
 cache={{ keycloak_cache_type }}
-cache-stack={{ keycloak_cache_stack }}
+# cache-stack={{ keycloak_cache_stack }}
 cache-config-file={{ keycloak_conf_directory }}/cache-ispn.xml
 {% endif %}
 # Logging
--- a/templates/keycloak.service.j2
+++ b/templates/keycloak.service.j2
@ -1,3 +1,6 @@
+#
+# Systemd unit file that manages Keycloak
+#
 [Unit]
 Description=Keycloak Application Server, running with Quarkus
 After=syslog.target network.target
@ -12,19 +15,24 @@ Before=httpd.service
 Before=apache2.service
 {% endif %}
 {% endif %}
+StartLimitIntervalSec=500
+StartLimitBurst=5

 [Service]
 Environment=JAVA={{ keycloak_openjdk_bin }}
 Environment=JAVA_HOME=/usr/lib/jvm/java-{{ keycloak_openjdk_runtime_version}}-openjdk-amd64
 Environment=JAVA_OPTS="{{ keycloak_java_opts }}"
 {% if not keycloak_jgroups_extended_stack %}
-Environment=JAVA_OPTS_APPEND="-Djgroups.mcast_addr={{ keycloak_jgroups_multicast_address}} -Djgroups.mcast_port={{ keycloak_jgroups_multicast_port }}"
+Environment=JAVA_OPTS_APPEND="-Djgroups.bind_addr={{ keycloak_jgroups_multicast_bind_host | default(ansible_default_ipv4.address) }} -Djgroups.mcast_addr={{ keycloak_jgroups_multicast_address}} -Djgroups.mcast_port={{ keycloak_jgroups_multicast_port }}"
 {% endif %}
 User={{ keycloak_user }}
 Group={{ keycloak_user }}
+ExecStart={{ keycloak_runtime_home }}/bin/kc.sh start
 SuccessExitStatus=0 143
 UMask=0027
-ExecStart={{ keycloak_runtime_home }}/bin/kc.sh start
+RestartSec=10
+Restart=on-failure

 [Install]
 WantedBy=multi-user.target
+
Author	SHA1	Message	Date
Mauro Mugnaini	ed3913edee	Added support of remote providers loaded from URL. The variable to use is `keycloak_remote_providers_url`	2025-01-28 17:54:54 +01:00
Andrea Dell'Amico	62ad034604	tag specific to the systemd unit.	2024-11-04 18:53:04 +01:00
Andrea Dell'Amico	a0a92dc3c4	Add a missing endif.	2024-05-30 12:38:25 +02:00
Andrea Dell'Amico	a62b68295e	proxy configuration for versions older than 20.	2024-05-30 12:37:26 +02:00
Andrea Dell'Amico	a177be5312	keycloak wait for the listening port using the correct interface.	2024-05-29 18:47:37 +02:00
Andrea Dell'Amico	e9fdd107a6	jgrops configuration to bind a specific address.	2024-05-29 18:41:01 +02:00
Andrea Dell'Amico	5bb4ad21fb	Specify a bind address for jgroups.	2024-05-29 18:16:23 +02:00