RHBK v26: Migrate to `keycloak_quarkus_bootstrap_admin_user[_password…
…]` (Process for creation of admin account changed #248)
hwo-wd committed Dec 9, 2024
1 parent 5ca3070 commit 9a2e265
Showing 7 changed files with 44 additions and 12 deletions.
8 changes: 5 additions & 3 deletions roles/keycloak_quarkus/README.md
Expand Up @@ -44,7 +44,8 @@ Role Defaults

| Variable | Description | Default |
|:---------|:------------|:--------|
|`keycloak_quarkus_admin_user`| Administration console user account | `admin` |
|`keycloak_quarkus_bootstrap_admin_user`| Administration console user account | `admin` |
|`keycloak_quarkus_admin_user`| Deprecated, use `keycloak_quarkus_bootstrap_admin_user` instead. | |
|`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` |
|`keycloak_quarkus_host`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
|`keycloak_quarkus_port`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
Expand Down Expand Up @@ -244,7 +245,8 @@ Role Variables
| Variable | Description | Required |
|:---------|:------------|----------|
|`keycloak_quarkus_admin_pass`| Password of console admin account | `yes` |
|`keycloak_quarkus_bootstrap_admin_password`| Password of console admin account | `yes` |
|`keycloak_quarkus_admin_pass`| Deprecated, use `keycloak_quarkus_bootstrap_admin_password` instead. | |
|`keycloak_quarkus_frontend_url`| Base URL for frontend URLs, including scheme, host, port and path | `no` |
|`keycloak_quarkus_admin_url`| Base URL for accessing the administration console, including scheme, host, port and path | `no` |
|`keycloak_quarkus_ks_vault_pass`| The password for accessing the keystore vault SPI | `no` |
Expand All @@ -266,7 +268,7 @@ The role uses the following [custom facts](https://docs.ansible.com/ansible/late

| Variable | Description |
|:---------|:------------|
|`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_admin_user[_pass]` gets created |
|`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_bootstrap_admin_user[_password]` gets created |

License
-------
4 changes: 2 additions & 2 deletions roles/keycloak_quarkus/defaults/main.yml
Expand Up @@ -27,8 +27,8 @@ keycloak_quarkus_configure_firewalld: false
keycloak_quarkus_configure_iptables: false

### administrator console password
keycloak_quarkus_admin_user: admin
keycloak_quarkus_admin_pass:
keycloak_quarkus_bootstrap_admin_user: admin
keycloak_quarkus_bootstrap_admin_password:
keycloak_quarkus_master_realm: master

### Configuration settings
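Review bot: Declaring `keycloak_quarkus_bootstrap_admin_user: admin` and an empty `keycloak_quarkus_bootstrap_admin_password:` here makes both names defined on every run of the role, so the `is not defined` guards added in tasks/deprecations.yml look unreachable and a playbook that still sets only `keycloak_quarkus_admin_pass` would not be migrated. Assuming defaults are loaded before those tasks, as is usual for a role, the password guard would need to test for an empty value instead, for example `keycloak_quarkus_bootstrap_admin_password | default('', true) | length == 0`. The bare `key:` is also a null rather than an empty string; a comment such as `# required, no default; must be supplied by the caller (ideally from a vault)` would make that intent explicit.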
4 changes: 2 additions & 2 deletions roles/keycloak_quarkus/meta/argument_specs.yml
Expand Up @@ -68,11 +68,11 @@ argument_specs:
default: "10s"
description: "systemd RestartSec for service"
type: "str"
keycloak_quarkus_admin_user:
keycloak_quarkus_bootstrap_admin_user:
default: "admin"
description: "Administration console user account"
type: "str"
keycloak_quarkus_admin_pass:
keycloak_quarkus_bootstrap_admin_password:
required: true
description: "Password of console admin account"
type: "str"
30 changes: 30 additions & 0 deletions roles/keycloak_quarkus/tasks/deprecations.yml
Expand Up @@ -115,5 +115,35 @@
notify:
- print deprecation warning

# https://github.com/keycloak/keycloak/issues/30009
- name: Check deprecation of keycloak_quarkus_admin_user -> keycloak_quarkus_bootstrap_admin_user
when:
- keycloak_quarkus_bootstrap_admin_user is not defined
- keycloak_quarkus_admin_user is defined
- keycloak_quarkus_admin_user != ''
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_bootstrap_admin_user: "{{ keycloak_quarkus_admin_user }}"
deprecated_variable: "keycloak_quarkus_admin_user" # read in deprecation handler
notify:
- print deprecation warning

# https://github.com/keycloak/keycloak/issues/30009
- name: Check deprecation of keycloak_quarkus_admin_pass -> keycloak_quarkus_bootstrap_admin_password
when:
- keycloak_quarkus_bootstrap_admin_password is not defined
- keycloak_quarkus_admin_pass is defined
- keycloak_quarkus_admin_pass != ''
delegate_to: localhost
run_once: true
changed_when: keycloak_quarkus_show_deprecation_warnings
ansible.builtin.set_fact:
keycloak_quarkus_bootstrap_admin_user: "{{ keycloak_quarkus_admin_pass }}"
deprecated_variable: "keycloak_quarkus_admin_pass" # read in deprecation handler
notify:
- print deprecation warning

- name: Flush handlers
ansible.builtin.meta: flush_handlers
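Review bot: The second added task, "Check deprecation of keycloak_quarkus_admin_pass", stores the legacy password in `keycloak_quarkus_bootstrap_admin_user` instead of `keycloak_quarkus_bootstrap_admin_password`, so whenever it fires the secret becomes the admin username (rendered unquoted into `KC_BOOTSTRAP_ADMIN_USERNAME` by keycloak-sysconfig.j2) and the password variable stays unset. The fact line should read `keycloak_quarkus_bootstrap_admin_password: "{{ keycloak_quarkus_admin_pass }}"`. Because this `set_fact` carries a credential, the task should also set `no_log: true` so the value does not show up in verbose output or callback logs.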
2 changes: 1 addition & 1 deletion roles/keycloak_quarkus/tasks/main.yml
Expand Up @@ -91,7 +91,7 @@
register: keycloak_service_status
changed_when: false

- name: "Notify to remove `keycloak_quarkus_admin_user[_pass]` env vars"
- name: "Notify to remove `keycloak_quarkus_bootstrap_admin_user[_password]` env vars"
when:
- not ansible_local.keycloak.general.bootstrapped | default(false) | bool # it was not bootstrapped prior to the current role's execution
- keycloak_service_status.status.ActiveState == "active" # but it is now
4 changes: 2 additions & 2 deletions roles/keycloak_quarkus/tasks/prereqs.yml
Expand Up @@ -2,9 +2,9 @@
- name: Validate admin console password
ansible.builtin.assert:
that:
- keycloak_quarkus_admin_pass | length > 12
- keycloak_quarkus_bootstrap_admin_password | length > 12
quiet: true
fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass to a 12+ char long string"
fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_bootstrap_admin_password to a 12+ char long string"
success_msg: "{{ 'Console administrator password OK' }}"

- name: Validate relative path
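Review bot: The check `keycloak_quarkus_bootstrap_admin_password | length > 12` rejects a password of exactly 12 characters, while `fail_msg` asks for a "12+ char long string"; either the comparison should be `length >= 12` or the message should say "more than 12 characters". With the role default left empty the variable is null, and `length` on a null is likely to raise a templating error instead of printing this message, so `keycloak_quarkus_bootstrap_admin_password | default('', true) | length >= 12` would fail more cleanly. The task list continues past the end of this hunk.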
4 changes: 2 additions & 2 deletions roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
@@ -1,7 +1,7 @@
{{ ansible_managed | comment }}
{% if not ansible_local.keycloak.general.bootstrapped | default(false) | bool %}
KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }}
KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'
KC_BOOTSTRAP_ADMIN_USERNAME={{ keycloak_quarkus_bootstrap_admin_user }}
KC_BOOTSTRAP_ADMIN_PASSWORD='{{ keycloak_quarkus_bootstrap_admin_password }}'
{% else %}
{{ keycloak.bootstrap_mnemonic }}
{% endif %}
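Review bot: `KC_BOOTSTRAP_ADMIN_PASSWORD='{{ keycloak_quarkus_bootstrap_admin_password }}'` places the password between single quotes without escaping, so a password containing `'` or a line break would end the value early and corrupt the rest of this environment file; the username on the line above is not quoted at all. How the file is parsed is not visible here, so the safer route is to reject such characters in the prereqs assertion, or to quote both values consistently for the consumer's syntax. A template comment such as `{# bootstrap credentials are written only until the host is marked bootstrapped #}` above the `if` would document why the branch exists.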
