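---
# add_client.yml - create or update one client (`client`) in realm `realm`.
# Requires keycloak_base_url, keycloak_token (admin token) and
# keycloak_client_list (current clients of the realm, fetched by the including
# task file). The POST accepts 409 so an existing client is not an error; the
# PUT below then merges the desired `client` over the stored representation.
- name: "Add Client {{ client.clientId }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/clients"
    method: POST
    # Verify the server certificate by default: the request carries the admin
    # bearer token and possibly a client secret. Set keycloak_validate_certs to
    # false only for deployments with self-signed certificates.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 201
      - 409  # Conflict - already exists; handled by the update task below
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body: "{{ client }}"
  register: keycloak_client_output
  # `client` may contain a client secret (see the keycloak_realms example in
  # the role defaults); keep the request body and response out of the log.
  no_log: true

- name: "Update Client {{ client.clientId }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/clients/{{ item.id }}"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    # Stored representation first, desired values on top, so the id and any
    # server-generated fields are kept.
    body: "{{ item | combine(client) }}"
  with_items: "{{ keycloak_client_list.json | selectattr('clientId', 'eq', client.clientId )}}"
  when:
    - keycloak_client_output.status == 409
  no_log: true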
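---
# add_client_role.yml - map the client roles listed in `client_role.value`
# (roles of the client named by `client_role.key`) onto user `user`.
# Requires keycloak_base_url, keycloak_token, realm, keycloak_client_id (id of
# that client) and keycloak_current_user_id, all set by the including task file.
- name: "Get list of Roles for Client: {{ client_role.key }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/clients/{{ keycloak_client_id }}/roles"
    method: GET
    # Verify the server certificate by default; the admin bearer token is sent
    # with every request. Set keycloak_validate_certs to false only for
    # self-signed deployments.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: keycloak_client_roles

- name: "Add Roles {{ client_role.value }} from Client {{ client_role.key }} to User {{ user.username }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/users/{{ keycloak_current_user_id }}/role-mappings/clients/{{ keycloak_client_id }}"
    method: POST
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    # The endpoint takes a list of role representations; one request per role.
    body:
      - "{{ item }}"
  # Only roles the client actually defines are mapped: names in
  # client_role.value that do not exist on the client are silently skipped.
  with_items: "{{ keycloak_client_roles.json | selectattr('name', 'in', client_role.value) | list() }}"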
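---
# add_client_scope.yml - create or update client scope `client_scope` in realm
# `realm`, then add its protocol mappers. Requires keycloak_base_url and
# keycloak_token. Pattern: POST (409 tolerated) -> refresh list -> PUT on 409.

#### CLIENT SCOPES ####
- name: "Add Client Scopes: {{ client_scope.name }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/client-scopes"
    method: POST
    # Verify the server certificate by default; the admin bearer token is sent
    # with every request. Set keycloak_validate_certs to false only for
    # self-signed deployments.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 201
      - 409  # Conflict - already exists; handled by the update task below
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body: "{{ client_scope }}"
  register: client_scope_output

# Fetched after the POST so the list also contains a scope created just now;
# the id is needed for the update and for the protocol-mapper include below.
- name: "Get list of current Client Scopes"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/client-scopes"
    method: GET
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: client_scope_list

- name: "Update Client Scopes: {{ client_scope.name }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/client-scopes/{{ item.id }}"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    # Stored representation first, desired values on top, keeping the id.
    body: "{{ item | combine(client_scope) }}"
  with_items: "{{ client_scope_list.json | selectattr('name', 'eq', client_scope.name )}}"
  when:
    - client_scope_output.status == 409

#### PROTOCOL MAPPERS ####
- name: Add Protocol Mappers to Client Scope
  include_tasks: add_protocol_mapper.yml
  loop: "{{ client_scope.protocolMappers }}"
  loop_control:
    loop_var: protocol_mapper
  vars:
    # Id of the scope with this name; relies on the list fetched above.
    keycloak_current_client_scope_id: "{{ (client_scope_list.json | selectattr('name', 'eq', client_scope.name))[0].id }}"
  when: client_scope.protocolMappers is defined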
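---
# add_event_listeners.yml - add "metrics-listener" to the event listeners of
# realm `realm`. A new admin token is requested first (presumably so a token
# obtained before a long realm loop is not reused after it expired - confirm).
# Requires ansible_host, keycloak_admin_port, keycloak_admin_user_name,
# keycloak_dashboard_password and keycloak_base_url.
- name: Get Admin Token from Master Realm of Keycloak
  uri:
    url: "https://{{ ansible_host }}:{{ keycloak_admin_port }}/auth/realms/master/protocol/openid-connect/token"
    method: POST
    # Verify the server certificate by default: this request carries the admin
    # password. Set keycloak_validate_certs to false only for self-signed
    # deployments.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    body_format: form-urlencoded
    body:
      username: "{{ keycloak_admin_user_name }}"
      password: "{{ keycloak_dashboard_password }}"
      grant_type: password
      client_id: admin-cli
  register: keycloak_token
  # The request body holds the admin password and the registered response the
  # access token; neither belongs in the play output.
  no_log: true

# All realms that are created should have this available
- name: "Get {{ realm.realm }} events config"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/events/config"
    method: GET
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 404  # tolerated; the two tasks below are skipped in that case
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: realm_events_config

- name: "Add metrics-listener"
  set_fact:
    new_events_listeners:
      # Append to the existing listeners; `unique` makes re-runs idempotent.
      eventsListeners: "{{ (realm_events_config.json.eventsListeners + ['metrics-listener']) | unique }}"
  when: realm_events_config.status != 404

- name: "Update {{ realm.realm }} events listeners"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/events/config"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    # Send the full config back with only eventsListeners replaced.
    body: "{{ realm_events_config.json | combine(new_events_listeners) }}"
  when: realm_events_config.status != 404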
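---
# add_idp.yml - create or update identity provider `idp` in realm `realm`.
# Keys of `idp` prefixed "acr_" drive the optional BBC Login registration and
# are stripped before the dict is sent to Keycloak. Requires keycloak_base_url,
# keycloak_token and keycloak_idp_list (fetched by the including task file).
- name: "Add Identity Provider {{ idp.alias }} to BBC Login using ACR"
  include_tasks: add_bbc_login_client.yml
  when: idp.acr_add_bbc_client | default(false) | bool

# Facts persist across loop iterations: without this reset the second IdP in
# `realm.identityProviders` would be merged on top of the first one's keys
# (including a clientSecret injected below), not built from scratch.
- name: Reset filtered IdP dict for this Identity Provider
  set_fact:
    filtered_idp: {}

- name: Remove ACR-prefixed Key Values from IdP Dict for Keycloak API request
  set_fact:
    filtered_idp: "{{ filtered_idp | default({}) | combine({item.key:item.value}) }}"
  with_dict: "{{ idp }}"
  when: item.key is not search('acr_')

# keycloak_vault_client_id / keycloak_vault_client_secret are expected to be
# set by add_bbc_login_client.yml (not on this page) - confirm.
- name: Add Client ID and Client Secret to IdP Dict
  set_fact:
    filtered_idp: "{{ filtered_idp | combine({
      'config': {
        'clientId': keycloak_vault_client_id, 'clientSecret': keycloak_vault_client_secret
      }}, recursive=True
    ) }}"
  when: idp.acr_add_bbc_client | default(false) | bool
  no_log: true

- name: "Add Identity Provider: {{ idp.alias }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/identity-provider/instances"
    method: POST
    # Verify the server certificate by default: the request carries the admin
    # bearer token and the IdP client secret. Set keycloak_validate_certs to
    # false only for self-signed deployments.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 201
      - 409  # Conflict - already exists; handled by the update task below
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body: "{{ filtered_idp }}"
  register: keycloak_idp_output
  # filtered_idp.config may hold clientSecret; keep it out of the play output.
  no_log: true

- name: "Update Identity Provider {{ idp.alias }}"
  uri:
    # IdPs are addressed by alias rather than by a generated id.
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/identity-provider/instances/{{ item.alias }}"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    # Stored representation first, desired values on top.
    body: "{{ item | combine(filtered_idp) }}"
  with_items: "{{ keycloak_idp_list.json | selectattr('alias', 'eq', idp.alias) }}"
  when:
    - keycloak_idp_output.status == 409
  no_log: true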
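---
# add_idp_mapper.yml - create or update mapper `idp_mapper` on the identity
# provider named by idp_mapper.identityProviderAlias in realm `realm`.
# Requires keycloak_base_url and keycloak_token. Unlike the other resources,
# Keycloak answers a duplicate mapper name with 400 rather than 409.
- name: "Get IdP Mapper Info for {{ idp_mapper.identityProviderAlias }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/identity-provider/instances/{{ idp_mapper.identityProviderAlias }}/mappers"
    method: GET
    # Verify the server certificate by default; the admin bearer token is sent
    # with every request. Set keycloak_validate_certs to false only for
    # self-signed deployments.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: keycloak_idp_mapper_list

- name: "Add IdP Mapper: {{ idp_mapper.name }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/identity-provider/instances/{{ idp_mapper.identityProviderAlias }}/mappers"
    method: POST
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 201
      - 400  # Trying to add a mapper with the same name as a current one returns a 400
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body: "{{ idp_mapper }}"
  register: keycloak_idp_mapper_output

- name: "Update IdP Mapper: {{ idp_mapper.name }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/identity-provider/instances/{{ idp_mapper.identityProviderAlias }}/mappers/{{ item.id }}"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    # Stored representation first, desired values on top, keeping the id.
    body: "{{ item | combine(idp_mapper) }}"
  with_items: "{{ keycloak_idp_mapper_list.json | selectattr('name', 'eq', idp_mapper.name) }}"
  when:
    # Note: a 400 for any other reason (e.g. a malformed mapper) is treated the
    # same way and surfaces only as a no-op update.
    - keycloak_idp_mapper_output.status == 400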
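---
# add_protocol_mapper.yml - create or update protocol mapper `protocol_mapper`
# on the client scope whose id is keycloak_current_client_scope_id (set by the
# including task file). Requires keycloak_base_url and keycloak_token.
- name: "Get list of Protocol Mappers for Client Scope: {{ client_scope.name }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/client-scopes/{{ keycloak_current_client_scope_id }}/protocol-mappers/models"
    method: GET
    # Verify the server certificate by default; the admin bearer token is sent
    # with every request. Set keycloak_validate_certs to false only for
    # self-signed deployments.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: protocol_mapper_list

- name: "Add Protocol Mapper: {{ protocol_mapper.name }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/client-scopes/{{ keycloak_current_client_scope_id }}/protocol-mappers/models"
    method: POST
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 201
      - 409  # Conflict - already exists; handled by the update task below
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body: "{{ protocol_mapper }}"
  register: protocol_mapper_output

- name: "Update Protocol Mapper: {{ protocol_mapper.name }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/client-scopes/{{ keycloak_current_client_scope_id }}/protocol-mappers/models/{{ item.id }}"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    # Stored representation first, desired values on top, keeping the id.
    body: "{{ item | combine(protocol_mapper) }}"
  with_items: "{{ protocol_mapper_list.json | selectattr('name', 'eq', protocol_mapper.name) }}"
  when:
    - protocol_mapper_output.status == 409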
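---
# add_realm.yml - create or update realm `realm`, then configure its client
# scopes, clients, identity providers, IdP mappers and users through the
# included task files. Requires keycloak_base_url and keycloak_token.
- name: "Find out, if Realm {{ realm.realm }} for service Keycloak exists"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}"
    method: GET
    # Verify the server certificate by default; the admin bearer token is sent
    # with every request. Set keycloak_validate_certs to false only for
    # self-signed deployments.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 404  # realm not created yet
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: keycloak_realm_exists

- name: "Create Realm {{ realm.realm }}"
  uri:
    url: "{{ keycloak_base_url }}"
    method: POST
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 201
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    # Adding entire realm object appeared to wipe away default client scopes,
    # so only these top-level fields are sent.
    body:
      realm: "{{ realm.realm }}"
      enabled: "{{ realm.enabled }}"
      ssoSessionIdleTimeout: "{{ realm.ssoSessionIdleTimeout | default(omit) }}"
  when: "keycloak_realm_exists.status == 404"

# NOTE: Updating a realm doesn't add additional resources (clients, IdP's, etc) - it just appears to update top-level information
- name: "Update Realm {{ realm.realm }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body:
      realm: "{{ realm.realm }}"
      enabled: "{{ realm.enabled }}"
      ssoSessionIdleTimeout: "{{ realm.ssoSessionIdleTimeout | default(omit) }}"
  # Registered under its historical name; nothing on this page reads it.
  register: keycloak_realm_create
  when: "keycloak_realm_exists.status == 200"

#### CLIENT SCOPES ####
- name: Configure Client Scopes and Protocol Mappers
  include_tasks: add_client_scope.yml
  loop: "{{ realm.clientScopes }}"
  loop_control:
    loop_var: client_scope
  when: realm.clientScopes is defined

#### CLIENTS ####
# Fetched once before the loop; add_client.yml uses it to find the id of a
# client that already exists.
- name: "Get list of current Clients"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/clients"
    method: GET
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: keycloak_client_list

- name: Configure each Client
  include_tasks: add_client.yml
  loop: "{{ realm.clients }}"
  loop_control:
    loop_var: client
  when: realm.clients is defined
  # Client definitions may carry a secret; hide the loop items.
  no_log: true

#### IDENTITY PROVIDERS ####
- name: "Get list of current Identity Providers"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/identity-provider/instances"
    method: GET
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: keycloak_idp_list

- name: Configure each Identity Provider
  include_tasks: add_idp.yml
  loop: "{{ realm.identityProviders }}"
  loop_control:
    loop_var: idp
  when: realm.identityProviders is defined
  # IdP definitions carry config.clientSecret; hide the loop items.
  no_log: true

- name: Configure each Identity Provider Mapper
  include_tasks: add_idp_mapper.yml
  loop: "{{ realm.identityProviderMappers }}"
  loop_control:
    loop_var: idp_mapper
  when: realm.identityProviderMappers is defined

#### USERS AND ROLES ####
- name: Add Users and Roles to Users
  include_tasks: add_user.yml
  loop: "{{ realm.users }}"
  loop_control:
    loop_var: user
  when: realm.users is defined
  # User definitions may carry a password; hide the loop items.
  no_log: true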
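---
# add_user.yml - create or update user `user` in realm `realm`, set its
# password when one is given, and map its client roles via add_client_role.yml.
# Requires keycloak_base_url and keycloak_token. `del_by_list` is a custom
# filter (not on this page) that drops the listed keys from a dict.

#### USERS ####
- name: "Add User: {{ user.username }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/users"
    method: POST
    # Verify the server certificate by default; the admin bearer token is sent
    # with every request. Set keycloak_validate_certs to false only for
    # self-signed deployments.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 201
      - 409  # Conflict - already exists; handled by the update task below
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    # The password is never sent in the representation; see the reset-password
    # task below.
    body: "{{ user | del_by_list(['password']) }}"
  register: keycloak_user_output

- name: "Get list of Users"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/users?briefRepresentation=true"
    method: GET
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: keycloak_user_list

# (A leftover `debug: var: keycloak_user_list` that dumped every user of the
# realm into the play output on each iteration has been removed.)

- name: "Update User: {{ user.username }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/users/{{ item.id }}"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    # Stored representation first, desired values on top, password stripped.
    body: "{{ item | combine(user) | del_by_list(['password']) }}"
  with_items: "{{ keycloak_user_list.json | selectattr('username', 'eq', user.username) }}"
  when:
    - keycloak_user_output.status == 409

# Only runs on 409, i.e. for a user that already existed; a user created just
# above by the POST does not get its password set in this run.
- name: "Set password for: {{ user.username }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/users/{{ item.id }}/reset-password"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body:
      type: "password"
      value: "{{ user.password }}"
  with_items: "{{ keycloak_user_list.json | selectattr('username', 'eq', user.username) }}"
  when:
    - user.password is defined
    - keycloak_user_output.status == 409
  no_log: true

#### CLIENT ROLES ####
- name: "Get list of Clients for realm {{ realm.realm }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/clients"
    method: GET
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: keycloak_client_list

# user.clientRoles is a mapping of clientId -> list of role names (see the
# keycloak_realms example in the role defaults); dict2items turns it into
# key/value pairs for the loop.
- name: Add Client Role {{ client_role.key }} to user {{ user.username }}
  include_tasks: add_client_role.yml
  loop: "{{ user.clientRoles | default({}) | dict2items }}"
  loop_control:
    loop_var: client_role
  vars:
    keycloak_client_id: "{{ (keycloak_client_list.json | selectattr('clientId', 'eq', client_role.key))[0].id }}"
    keycloak_current_user_id: "{{ (keycloak_user_list.json | selectattr('username', 'eq', user.username))[0].id }}"
  when: user.clientRoles is defined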
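# Entry point for API-driven configuration. Runs only on the node whose
# keycloak_node_type is "master" so every realm in keycloak_realms is
# configured exactly once.
- name: Configure Master Keycloak Instance with Resources using API
  when: keycloak_node_type == "master"
  block:
    - name: Get Admin Token from Master Realm of Keycloak
      uri:
        url: "https://{{ ansible_host }}:{{ keycloak_admin_port }}/auth/realms/master/protocol/openid-connect/token"
        method: POST
        # Verify the server certificate by default: this request carries the
        # admin password. Set keycloak_validate_certs to false only for
        # self-signed deployments.
        validate_certs: "{{ keycloak_validate_certs | default(true) }}"
        body_format: form-urlencoded
        body:
          username: "{{ keycloak_admin_user_name }}"
          password: "{{ keycloak_dashboard_password }}"
          grant_type: password
          client_id: admin-cli
      register: keycloak_token
      # The request body holds the admin password and the registered response
      # the access token; neither belongs in the play output.
      no_log: true

    - name: Configure each realm
      include_tasks: add_realm.yml
      loop: "{{ keycloak_realms }}"
      loop_control:
        loop_var: realm

    - name: Add metrics-listener to event listeners for realms with metrics_enabled
      include_tasks: add_event_listeners.yml
      loop: "{{ keycloak_realms }}"
      loop_control:
        loop_var: realm
      # default(false), not default(omit): `omit` is a placeholder for module
      # arguments, not a value to test in a conditional.
      when: (realm.metrics_enabled | default(false)) | bool

# API configuration is the preferred method of Keycloak configuration but below are
# examples of using both the Keycloak CLI and keycloak_client ansible module for configuration.
# Note that the kcadm.sh examples pass the admin password on the command line,
# where it is visible in the process list and in command logging.
# - name: Get client info using CLI Command
#   command: "./kcadm.sh get clients/ --fields id,clientId,redirectUris --no-config --server http://localhost:8080/auth --realm master --user admin --password {{ keycloak_dashboard_password }}"
#   args:
#     chdir: "{{ keycloak_root_dir }}/bin/"
#   register: cli_output
#
# - name: Print output of CLI command
#   debug:
#     msg: "{{ cli_output.stdout }}"
# - name: Create new realm
#   tags:
#     - realm
#   command: "./kcadm.sh create realms -s realm={{ keycloak_realm_name }} -s enabled=true -o --no-config
#             --server http://localhost:8080/auth --realm master --user {{ keycloak_admin_user_name }} --password {{ keycloak_dashboard_password }}"
#   args:
#     chdir: "{{ keycloak_root_dir }}/bin/"
#   ignore_errors: true  # Returns error if realm already exists
# - name: Update realm using templated config (this doesn't seem to work as expected)
#   tags:
#     - realm
#   command: "./kcadm.sh update realms/{{ keycloak_realm_name }} -f {{ keycloak_root_dir }}/{{ keycloak_realm_name }}-realm.json --no-config
#             --server http://localhost:8080/auth --realm master --user {{ keycloak_admin_user_name }} --password {{ keycloak_dashboard_password }}"
#   args:
#     chdir: "{{ keycloak_root_dir }}/bin/"
# - name: Add clients to Keycloak
#   keycloak_client:
#     auth_keycloak_url: "http://{{ ansible_host }}:8080/auth"
#     auth_username: "{{ keycloak_admin_user_name }}"
#     auth_password: "{{ keycloak_dashboard_password }}"
#     auth_realm: master
#     validate_certs: no
#     realm: "{{ keycloak_realm_name }}"
#     name: "{{ item.name | default(omit) }}"
#     client_id: "{{ item.client_id }}"
#     redirect_uris: "{{ item.redirect_uris }}"
#     protocol: openid-connect
#     standard_flow_enabled: yes
#     enabled: yes
#     public_client : no
#   loop: "{{ keycloak_clients }}"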
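---
# Role defaults. Every value here can be overridden per inventory/host; the
# password entries are placeholders and must be overridden from an Ansible
# Vault or another secret store rather than edited in place.
keycloak_user_group: keycloak
keycloak_admin_user_name: admin
keycloak_jboss_admin_username: jboss-admin  # Note: jboss usernames have a restricted character set.

# Resource names and locations
keycloak_mirror_url: https://github.com/keycloak/keycloak/releases/download/12.0.4
# Quoted so a two-part version (e.g. 12.1) is not parsed as a float.
keycloak_version_number: "12.0.4"
keycloak_filename: "keycloak-{{keycloak_version_number}}.tar.gz"
keycloak_download_dir: /tmp/
keycloak_install_dir: /opt/
# directory to install into
keycloak_root_dir: "{{ keycloak_install_dir }}{{ keycloak_filename | replace('.tar.gz', '') }}"

# Node and Group Identifiers
keycloak_node_type: slave  # Change to 'master' on selected master node
keycloak_master_node: ""  # inventory_hostname / IP address of master keycloak instance - only used by slaves
keycloak_group_name: ""  # Group corresponding to the keycloak cluster - for use in TCP clustering setup

# IP and Port Variables
keycloak_public_bind_address: "0.0.0.0"
keycloak_private_bind_address: "{{ ansible_host }}"
keycloak_management_bind_address: "{{ ansible_host }}"
# Enable a dedicated port for the admin console, or when disabled serve the admin console on the main http port.
# (This key was misspelled "keyclock_admin_port_enabled", which left keycloak_admin_port
# below referencing an undefined variable.)
keycloak_admin_port_enabled: true
keycloak_admin_port: "{{ keycloak_admin_port_enabled | ternary('8444', '8443') }}"
keycloak_admin_redirect_uris: []  # URL's to permit access to admin panel, such as rproxy
# Verify the Keycloak server certificate on every admin API request made by
# this role (they carry the admin password / bearer token and client secrets).
# Set to false only for deployments that use self-signed certificates.
keycloak_validate_certs: true

# Systemd Arguments
keycloak_master_extra_args: []
keycloak_slave_extra_args: []

# Keycloak Proxy Mapping Variables
keycloak_proxy: ""
keycloak_proxy_mappings: []

# Database and DB Driver Variables
keycloak_db_external: true  # Change to false to use Keycloak's embedded java db (testing)
keycloak_db_host: ""  # inventory_hostname of database host - must be set if external db is true
keycloak_db_name: keycloak
keycloak_db_user_name: keycloak
keycloak_jdbc_provider: mariadb
keycloak_jdbc_filename: mariadb-java-client-2.5.4.jar
keycloak_jdbc_driver_class: org.mariadb.jdbc.Driver
keycloak_jdbc_xa_datasource_class: org.mariadb.jdbc.MariaDbDataSource
keycloak_jdbc_haproxy_vip: "192.168.100.1"
keycloak_jdbc_db_port: 3306
keycloak_jdbc_valid_connection_checker: org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker
keycloak_jdbc_valid_connection_exception_sorter: org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter

# Password Variables
# Placeholders only - override from Ansible Vault; never commit real values here.
keycloak_dashboard_password: dashboard_password
keycloak_db_user_password: user_password
keycloak_jboss_admin_password: jboss_password

# ACR API Variables (for adding clients to BBC login)
keycloak_domain: keycloak.example.com  # without protocol
keycloak_contact_email: "email.address@example.com"
keycloak_acr_cert_path: '~/.certs/forge_cert.pem'

# Aerogear Keycloak Metrics SPI for Prometheus
keycloak_metrics_spi_filename: "keycloak-metrics-spi-2.0.1.jar"
# A "/" separator is inserted between the mirror URL and the file name (any
# trailing slash on the mirror URL is stripped first); the previous bare
# concatenation produced ".../12.0.4keycloak-metrics-spi-2.0.1.jar".
keycloak_metrics_spi_jar_url: "{{ keycloak_mirror_url | regex_replace('/$', '') }}/{{ keycloak_metrics_spi_filename }}"

# List of Keycloak Realms defining Clients, IdPs, Scopes, etc.
# For full API details see:
# https://www.keycloak.org/docs-api/5.0/rest-api/index.html#_overview
# For Keycloak config examples to give a clue what to put in the API requests see:
# https://github.com/keycloak/keycloak/tree/master/examples
keycloak_realms: []
# keycloak_realms:
#   - realm: test
#     enabled: true
#     clients:
#       - clientId: identifier_of_client
#         rootUrl: https://example.co.uk/auth/login/
#         secret: shhhhhhhh
#         redirectUris:
#           - https://example.co.uk/auth/logout/
#           - https://example.co.uk/auth/callback/
#     identityProviders:
#       - alias: test_idp  # IdP's use the alias in place of an ID for updates
#         displayName: test IDP
#         enabled: true
#         providerId: oidc
#         acr_add_bbc_client: true  # Add IdP as BBC client to ACR API. Default: False
#         acr_env: production  # ACR environment - 'production' or 'staging'. Default: Production
#         acr_group_id: bbc-rd  # Group ID to add client to within ACR API. Default: bbc-rd
#         config:
#           clientId: identifier_of_client
#           clientSecret: shhhhhhh
#           userInfoUrl: https://example.co.uk/oauth2/userinfo
#           authorizationUrl: https://example.co.uk/oauth2/authorize
#           tokenUrl: https://example.co.uk/oauth2/token
#           clientAuthMethod: client_secret_post
#           defaultScope: openid email profile
#           forwardParameters: some_special_param
#       - alias: another_test_idp  # IdP's use the alias in place of an ID for updates
#         displayName: another test IDP
#         enabled: true
#         providerId: oidc
#         config:
#           clientId: identifier_of_client
#           clientSecret: shhhhhhh
#           userInfoUrl: https://example.co.uk/oauth2/userinfo
#           authorizationUrl: https://example.co.uk/oauth2/authorize
#           tokenUrl: https://example.co.uk/oauth2/token
#           clientAuthMethod: client_secret_post
#           defaultScope: openid email profile
#           forwardParameters: some_special_param
#     identityProviderMappers:
#       - name: department_mapper
#         identityProviderAlias: test_idp  # this connects the mapper to the specified IdP
#         identityProviderMapper: oidc-user-attribute-idp-mapper
#         config:
#           claim: department
#           user.attribute: department
#           syncMode: INHERIT  # Only required in v11 - can be INHERIT, FORCE, LEGACY or IMPORT
#       - name: mark_mapper
#         identityProviderAlias: test_idp
#         identityProviderMapper: oidc-user-attribute-idp-mapper
#         config:
#           claim: mark
#           user.attribute: mark
#           syncMode: INHERIT  # Only required in v11 - can be INHERIT, FORCE, LEGACY or IMPORT
#       - name: issuer_hardcoded_mapper
#         identityProviderAlias: test_idp
#         identityProviderMapper: hardcoded-attribute-idp-mapper
#         config:
#           attribute: my_iss
#           attribute.value: https://gateway.example.co.uk:443/eiam/oauth2
#           syncMode: INHERIT  # Only required in v11 - can be INHERIT, FORCE, LEGACY or IMPORT
#     clientScopes:
#       - name: my_scopes  # this is the requested scope name and so cannot contain spaces
#         protocol: openid-connect
#         protocolMappers:
#           - name: Code Code
#             protocol: openid-connect
#             protocolMapper: oidc-usermodel-attribute-mapper
#             config:
#               claim.name: cost_code
#               user.attribute: cost_code
#               jsonType.label: String
#               id.token.claim: true
#               userinfo.token.claim: true
#     users:
#       - username: userone
#         email: user1@example.com
#         firstName: user
#         lastName: one
#         enabled: true
#         clientRoles:  # client roles are added by add_client_role.yml
#           realm-management: [ "realm-admin" ]
#           broker: [ "read-token" ]
#       - username: test-admin
#         password: test-admin
#   - realm: another_test_realm
#     enabled: true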
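---
# Installs the Keycloak metrics SPI jar into the server's providers directory.
# Requires keycloak_root_dir, keycloak_user_group and keycloak_metrics_spi_jar_url.
- name: Ensure providers keycloak folder exists
  file:
    path: "{{ keycloak_root_dir }}/providers"
    state: directory
    owner: "{{ keycloak_user_group }}"
    group: "{{ keycloak_user_group }}"
    mode: "0750"  # quoted so the leading zero is never re-read as decimal

# The jar is loaded by the Keycloak JVM, so its integrity matters: set
# keycloak_metrics_spi_checksum (e.g. "sha256:<digest>") to have get_url
# verify the download; when unset the download is unverified, as before.
- name: Download keycloak metrics spi server from mirror
  get_url:
    url: "{{ keycloak_metrics_spi_jar_url }}"
    dest: "{{ keycloak_root_dir }}/providers/"
    checksum: "{{ keycloak_metrics_spi_checksum | default(omit) }}"
  notify: restart keycloak server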