RHBK v26: Add hostname v2 (KC/RHBK v26 Support ansible-middleware#253)

Cf. https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options - especially the removed options
world-direct · Dec 9, 2024 · 5ca3070 · 5ca3070
1 parent 6a4e505
commit 5ca3070
Show file tree

Hide file tree

Showing 5 changed files with 97 additions and 49 deletions.
diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md
@@ -46,9 +46,9 @@ Role Defaults
 |:---------|:------------|:--------|
 |`keycloak_quarkus_admin_user`| Administration console user account | `admin` |
 |`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` |
-|`keycloak_quarkus_host`| Hostname for the Keycloak server | `localhost` |
-|`keycloak_quarkus_port`| The port used by the proxy when exposing the hostname | `-1` |
-|`keycloak_quarkus_path`| This should be set if proxy uses a different context-path for Keycloak | |
+|`keycloak_quarkus_host`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
+|`keycloak_quarkus_port`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
+|`keycloak_quarkus_path`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
 |`keycloak_quarkus_http_port`| HTTP listening port | `8080` |
 |`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` |
 |`keycloak_quarkus_ajp_port`| AJP port | `8009` |
@@ -63,8 +63,10 @@ Role Defaults
 |`keycloak_quarkus_java_jvm_opts`| Other JVM settings | same as keycloak |
 |`keycloak_quarkus_java_opts`| JVM arguments; if overridden, it takes precedence over `keycloak_quarkus_java_*` | `{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}` |
 |`keycloak_quarkus_additional_env_vars` | List of additional env variables of { key: str, value: str} to be put in sysconfig file | `[]` |
-|`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | |
-|`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
+|`keycloak_quarkus_hostname`| Address at which is the server exposed. Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request. | |
+|`keycloak_quarkus_frontend_url`| Deprecated, use `keycloak_quarkus_hostname` instead. | |
+|`keycloak_quarkus_admin`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
+|`keycloak_quarkus_admin_url`| Deprecated, use `keycloak_quarkus_admin` instead. | |
 |`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
 |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
 |`keycloak_quarkus_health_check_url_path`| Path to the health check endpoint; scheme, host and keycloak_quarkus_http_relative_path will be prepended automatically | `realms/master/.well-known/openid-configuration` |
@@ -115,8 +117,8 @@ Role Defaults
 | Variable | Description | Default |
 |:---------|:------------|:--------|
 |`keycloak_quarkus_http_relative_path`| Set the path relative to / for serving resources. The path must start with a / | `/` |
-|`keycloak_quarkus_hostname_strict`| Disables dynamically resolving the hostname from request headers | `true` |
-|`keycloak_quarkus_hostname_strict_backchannel`| By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all applications use the public URL this option should be enabled. | `false` |
+|`keycloak_quarkus_hostname_strict`| Disables dynamically resolving the hostname from request headers | `true` ||`keycloak_quarkus_hostname_backchannel_dynamic`| Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL. | `false` |
+|`keycloak_quarkus_hostname_strict_backchannel`| Deprecated, use (the inverted!)`keycloak_quarkus_hostname_backchannel_dynamic` instead. |  |
 
 
 #### Database configuration
@@ -156,7 +158,6 @@ Role Defaults
 |`keycloak_quarkus_master_realm` | Name for rest authentication realm | `master` |
 |`keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
 |`keycloak_force_install` | Remove pre-existing versions of service | `False` |
-|`keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_quarkus_host }}:{{ keycloak_http_port }}` |
 |`keycloak_quarkus_log`| Enable one or more log handlers in a comma-separated list | `file` |
 |`keycloak_quarkus_log_level`| The log level of the root category or a comma-separated list of individual categories and their levels | `info` |
 |`keycloak_quarkus_log_file`| Set the log file path and filename relative to keycloak home | `data/log/keycloak.log` |

diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml
@@ -33,9 +33,6 @@ keycloak_quarkus_master_realm: master
 
 ### Configuration settings
 keycloak_quarkus_bind_address: 0.0.0.0
-keycloak_quarkus_host: localhost
-keycloak_quarkus_port: -1
-keycloak_quarkus_path:
 keycloak_quarkus_http_enabled: true
 keycloak_quarkus_http_port: 8080
 keycloak_quarkus_https_port: 8443
@@ -81,8 +78,8 @@ keycloak_quarkus_systemd_wait_for_timeout: 60
 keycloak_quarkus_systemd_wait_for_delay: 10
 
 ### keycloak frontend url
-keycloak_quarkus_frontend_url:
-keycloak_quarkus_admin_url:
+keycloak_quarkus_hostname:
+keycloak_quarkus_admin:
 
 ### Set the path relative to / for serving resources. The path must start with a /
 ### (set to `/auth` for retrocompatibility with pre-quarkus releases)
@@ -91,9 +88,6 @@ keycloak_quarkus_http_relative_path: /
 # Disables dynamically resolving the hostname from request headers.
 # Should always be set to true in production, unless proxy verifies the Host header.
 keycloak_quarkus_hostname_strict: true
-# By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications.
-# If all applications use the public URL this option should be enabled.
-keycloak_quarkus_hostname_strict_backchannel: false
 
 # The proxy headers that should be accepted by the server. ['', 'forwarded', 'xforwarded']
 keycloak_quarkus_proxy_headers: ""

diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -84,17 +84,19 @@ argument_specs:
                 default: "0.0.0.0"
                 description: "Address for binding service ports"
                 type: "str"
+            keycloak_quarkus_hostname:
+                description: >-
+                    Address at which is the server exposed.
+                    Can be a full URL, or just a hostname. When only hostname is provided, scheme, port and context path are resolved from the request.
+                type: "str"
             keycloak_quarkus_host:
-                default: "localhost"
-                description: "Hostname for the Keycloak server"
+                description: "Deprecated in v26, use keycloak_quarkus_hostname instead."
                 type: "str"
             keycloak_quarkus_port:
-                default: -1
-                description: "The port used by the proxy when exposing the hostname"
+                description: "Deprecated in v26, use keycloak_quarkus_hostname instead."
                 type: "int"
             keycloak_quarkus_path:
-                required: false
-                description: "This should be set if proxy uses a different context-path for Keycloak"
+                description: "Deprecated in v26, use keycloak_quarkus_hostname instead."
                 type: "str"
             keycloak_quarkus_http_enabled:
                 default: true
@@ -228,12 +230,16 @@ argument_specs:
                 type: "str"
             keycloak_quarkus_frontend_url:
                 required: false
-                description: "Service public URL"
+                description: "Deprecated in v26, use keycloak_quarkus_hostname instead."
                 type: "str"
-            keycloak_quarkus_admin_url:
+            keycloak_quarkus_admin:
                 required: false
                 description: "Service URL for the admin console"
                 type: "str"
+            keycloak_quarkus_admin_url:
+                required: false
+                description: "Deprecated in v26, use keycloak_quarkus_admin instead."
+                type: "str"
             keycloak_quarkus_metrics_enabled:
                 default: false
                 description: "Whether to enable metrics"
@@ -348,24 +354,18 @@ argument_specs:
                 description: >
                   Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless
                   proxy verifies the Host header.
-            keycloak_quarkus_hostname_strict_backchannel:
+            keycloak_quarkus_hostname_backchannel_dynamic:
                 default: false
                 type: "bool"
                 description: >
-                  By default backchannel URLs are dynamically resolved from request headers to allow internal and external applications. If all
-                  applications use the public URL this option should be enabled.
+                    Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path.
+                    Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL.
             keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route:
                 default: true
                 type: "bool"
                 description: >
                   If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies
                   and we rely on the session affinity capabilities from reverse proxy
-            keycloak_quarkus_hostname_strict_https:
-                type: "bool"
-                required: false
-                description: >
-                  By default, Keycloak requires running using TLS/HTTPS. If the service MUST run without TLS/HTTPS, then set
-                  this option to "true"
             keycloak_quarkus_ks_vault_enabled:
                 default: false
                 type: "bool"

diff --git a/roles/keycloak_quarkus/tasks/deprecations.yml b/roles/keycloak_quarkus/tasks/deprecations.yml
@@ -49,5 +49,71 @@
   notify:
     - print deprecation warning
 
+# https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
+- name: Check deprecation of keycloak_quarkus_frontend_url -> keycloak_quarkus_hostname
+  when:
+    - keycloak_quarkus_hostname is not defined
+    - keycloak_quarkus_frontend_url is defined
+    - keycloak_quarkus_frontend_url != ''
+  delegate_to: localhost
+  run_once: true
+  changed_when: keycloak_quarkus_show_deprecation_warnings
+  ansible.builtin.set_fact:
+    keycloak_quarkus_hostname: "{{ keycloak_quarkus_frontend_url }}"
+    deprecated_variable: "keycloak_quarkus_frontend_url" # read in deprecation handler
+  notify:
+    - print deprecation warning
+
+# https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
+- name: Check deprecation of keycloak_quarkus_hostname_strict_https + keycloak_quarkus_host + keycloak_quarkus_port + keycloak_quarkus_path -> keycloak_quarkus_hostname
+  when:
+    - keycloak_quarkus_hostname is not defined
+    - keycloak_quarkus_hostname_strict_https is defined or keycloak_quarkus_frontend_url is defined or keycloak_quarkus_port is defined or keycloak_quarkus_path is defined
+  delegate_to: localhost
+  run_once: true
+  changed_when: keycloak_quarkus_show_deprecation_warnings
+  ansible.builtin.set_fact:
+    keycloak_quarkus_hostname: >-
+      {% set protocol = '' %}
+      {% if keycloak_quarkus_hostname_strict_https %}
+        {% set protocol = 'https://' %}
+      {% elif keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is False %}
+        {% set protocol = 'http://' %}
+      {% endif %}
+      {{ protocol }}{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_port }}/{{ keycloak_quarkus_path }}
+    deprecated_variable: "keycloak_quarkus_hostname_strict_https or keycloak_quarkus_frontend_url or keycloak_quarkus_frontend_url or keycloak_quarkus_hostname" # read in deprecation handler
+  notify:
+    - print deprecation warning
+
+# https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
+- name: Check deprecation of keycloak_quarkus_admin_url -> keycloak_quarkus_admin
+  when:
+    - keycloak_quarkus_admin is not defined
+    - keycloak_quarkus_admin_url is defined
+    - keycloak_quarkus_admin_url != ''
+  delegate_to: localhost
+  run_once: true
+  changed_when: keycloak_quarkus_show_deprecation_warnings
+  ansible.builtin.set_fact:
+    keycloak_quarkus_admin: "{{ keycloak_quarkus_admin_url }}"
+    deprecated_variable: "keycloak_quarkus_admin_url" # read in deprecation handler
+  notify:
+    - print deprecation warning
+
+# https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/upgrading_guide/index#new_hostname_options
+- name: Check deprecation of keycloak_quarkus_hostname_strict_backchannel -> keycloak_quarkus_hostname_backchannel_dynamic
+  when:
+    - keycloak_quarkus_hostname_backchannel_dynamic is not defined
+    - keycloak_quarkus_hostname_strict_backchannel is defined
+    - keycloak_quarkus_hostname_strict_backchannel != ''
+  delegate_to: localhost
+  run_once: true
+  changed_when: keycloak_quarkus_show_deprecation_warnings
+  ansible.builtin.set_fact:
+    keycloak_quarkus_hostname_backchannel_dynamic: "{{ keycloak_quarkus_hostname_strict_backchannel == False }}"
+    deprecated_variable: "keycloak_quarkus_hostname_backchannel_dynamic" # read in deprecation handler
+  notify:
+    - print deprecation warning
+
 - name: Flush handlers
   ansible.builtin.meta: flush_handlers
diff --git a/roles/keycloak_quarkus/templates/keycloak.conf.j2 b/roles/keycloak_quarkus/templates/keycloak.conf.j2
@@ -10,13 +10,6 @@ db-password={{ keycloak_quarkus_db_pass }}
 {% endif %}
 {% endif %}
 
-{% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas true -%}
-hostname-strict-https=true
-{% endif -%}
-{% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas false -%}
-hostname-strict-https=false
-{% endif -%}
-
 {% if keycloak.config_key_store_enabled %}
 # Config store
 config-keystore={{ keycloak_quarkus_config_key_store_file }}
@@ -48,16 +41,10 @@ https-trust-store-password={{ keycloak_quarkus_https_trust_store_password }}
 {% endif %}
 
 # Client URL configuration
-{% if keycloak_quarkus_frontend_url %}
-hostname-url={{ keycloak_quarkus_frontend_url }}
-{% else %}
-hostname={{ keycloak_quarkus_host }}
-hostname-port={{ keycloak_quarkus_port }}
-hostname-path={{ keycloak_quarkus_path }}
-{% endif %}
-hostname-admin-url={{ keycloak_quarkus_admin_url }}
+hostname={{ keycloak_quarkus_hostname }}
+hostname-admin={{ keycloak_quarkus_admin }}
 hostname-strict={{ keycloak_quarkus_hostname_strict | lower }}
-hostname-strict-backchannel={{ keycloak_quarkus_hostname_strict_backchannel | lower }}
+hostname-backchannel-dynamic={{ keycloak_quarkus_hostname_backchannel_dynamic | lower }}
 
 # Cluster
 {% if keycloak_quarkus_ha_enabled %}