Merge pull request #180 from Puppet-Finland/domain_mode_support
Domain mode support
treydock authored Mar 6, 2021
2 parents 9d4b041 + df793b5 commit 2196a28
Showing 25 changed files with 1,218 additions and 102 deletions.
4 changes: 4 additions & 0 deletions .fixtures-latest.yml
Expand Up @@ -14,9 +14,13 @@ fixtures:
repo: https://github.com/voxpupuli/puppet-archive.git
systemd:
repo: https://github.com/camptocamp/puppet-systemd.git
ref: "8f68b0dcf3bbbafc60c025879a28004fc9815aab"
yumrepo_core:
repo: https://github.com/puppetlabs/puppetlabs-yumrepo_core.git
puppet_version: ">= 6.0.0"
augeas_core:
repo: https://github.com/puppetlabs/puppetlabs-augeas_core.git
puppet_version: ">= 6.0.0"
apt:
repo: https://github.com/puppetlabs/puppetlabs-apt.git
concat:
5 changes: 5 additions & 0 deletions .fixtures.yml
Expand Up @@ -21,9 +21,14 @@ fixtures:
systemd:
repo: https://github.com/camptocamp/puppet-systemd.git
ref: 0.4.0
augeas_core:
repo: https://github.com/puppetlabs/puppetlabs-augeas_core.git
puppet_version: ">= 6.0.0"
ref: 1.1.1
yumrepo_core:
repo: https://github.com/puppetlabs/puppetlabs-yumrepo_core.git
puppet_version: ">= 6.0.0"
ref: 1.0.7
apt:
repo: https://github.com/puppetlabs/puppetlabs-apt.git
concat:
19 changes: 19 additions & 0 deletions .github/workflows/ci.yaml
Expand Up @@ -68,6 +68,8 @@ jobs:
- "12.0.1"
keycloak_full:
- "no"
keycloak_domain_mode_cluster:
- "no"
include:
- set: "centos-7"
puppet: "puppet5"
Expand All @@ -85,6 +87,22 @@ jobs:
puppet: "puppet6"
keycloak_version: "12.0.1"
keycloak_full: "yes"
- set: "centos-7-domain-mode-cluster"
puppet: puppet5
keycloak_version: 8.0.1
keycloak_domain_mode_cluster: 'yes'
- set: "centos-7-domain-mode-cluster"
puppet: puppet5
keycloak_version: 12.0.1
keycloak_domain_mode_cluster: 'yes'
- set: "centos-7-domain-mode-cluster"
puppet: puppet6
keycloak_version: 8.0.1
keycloak_domain_mode_cluster: 'yes'
- set: "centos-7-domain-mode-cluster"
puppet: puppet6
keycloak_version: 12.0.1
keycloak_domain_mode_cluster: 'yes'
env:
BUNDLE_WITHOUT: development:release
BEAKER_debug: true
Expand Down Expand Up @@ -115,3 +133,4 @@ jobs:
BEAKER_set: ${{ matrix.set }}
BEAKER_keycloak_version: ${{ matrix.keycloak_version }}
BEAKER_keycloak_full: ${{ matrix.keycloak_full }}
BEAKER_keycloak_domain_mode_cluster: ${{ matrix.keycloak_domain_mode_cluster }}
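Review bot: The four new `centos-7-domain-mode-cluster` entries in the second hunk leave `puppet` and `keycloak_version` unquoted (`puppet: puppet5`, `keycloak_version: 8.0.1`) and single-quote `keycloak_domain_mode_cluster: 'yes'`, while every existing entry in the same `include` list double-quotes all three values. The values parse identically here, but the mixed quoting makes it easy to miss a future value such as `12.0` that YAML would read as a float rather than a version string; writing them as `puppet: "puppet5"`, `keycloak_version: "8.0.1"`, `keycloak_domain_mode_cluster: "yes"` keeps the block uniform. The enclosing `jobs` mapping continues on both sides of the hunks.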
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -25,3 +25,5 @@
.project
.envrc
/inventory.yaml
/vagrant/.vagrant/
/vagrant/*.log
38 changes: 38 additions & 0 deletions README.md
Expand Up @@ -158,6 +158,44 @@ apache::vhost { 'idp.example.com':
ssl_key => '/etc/pki/tls/private/idp.example.com.key',
}
```
Setup a domain master. (This needs a shared database, here '1.2.3.4').

```puppet
class { '::keycloak':
operating_mode => 'domain',
role => 'master',
wildfly_user => 'wildfly,
wildfly_user_password => 'changeme,
manage_datasource => false,
datasource_driver => 'postgresql',
datasource_host => '1.2.3.4,
datasource_dbname => 'keycloak,
datasource_username => 'keycloak,
datasource_password => 'changeme,
admin_user => 'admin,
admin_user_password => 'changeme,
}
```

Setup a domain slave. (This needs a shared database, here '1.2.3.4').

```puppet
class { '::keycloak':
operating_mode => 'domain',
role => 'slave',
wildfly_user => 'wildfly,
wildfly_user_password => 'changeme,
manage_datasource => false,
datasource_driver => 'postgresql',
datasource_host => '1.2.3.4,
datasource_dbname => 'keycloak,
datasource_username => 'keycloak,
datasource_password => 'changeme,
admin_user => 'admin,
admin_user_password => 'changeme,
}
```
**NOTE:** The wilfdly user and password need to match those in domain master. These are required for authentication in a cluster.

Setup a host for theme development so that theme changes don't require a service restart, not recommended for production.

209 changes: 185 additions & 24 deletions manifests/config.pp
Expand Up @@ -21,37 +21,46 @@
show_diff => false,
}

$_add_user_keycloak_cmd = "${keycloak::install_base}/bin/add-user-keycloak.sh"
$_add_user_keycloak_args = "--user ${keycloak::admin_user} --password ${keycloak::admin_user_password} --realm master"
$_add_user_keycloak_state = "${keycloak::install_base}/.create-keycloak-admin-${keycloak::datasource_driver}"
exec { 'create-keycloak-admin':
command => "${_add_user_keycloak_cmd} ${_add_user_keycloak_args} && touch ${_add_user_keycloak_state}",
creates => $_add_user_keycloak_state,
notify => Class['keycloak::service'],
user => $keycloak::user,
}

file { "${keycloak::install_base}/tmp":
ensure => 'directory',
owner => $keycloak::user,
group => $keycloak::group,
mode => '0755',
}

file { "${keycloak::install_base}/standalone/configuration":
ensure => 'directory',
owner => $keycloak::user,
group => $keycloak::group,
mode => '0750',
$_add_user_keycloak_cmd = "${keycloak::install_base}/bin/add-user-keycloak.sh"
$_add_user_keycloak_state = "${keycloak::install_base}/.create-keycloak-admin-${keycloak::datasource_driver}"
$_config_cli_content = template('keycloak/config.cli.erb')

if $::keycloak::operating_mode != 'domain' {
$_add_user_keycloak_args = "--user ${keycloak::admin_user} --password ${keycloak::admin_user_password} --realm master"
$_subdir = 'standalone'
$_java_opts_path = "${keycloak::install_base}/bin/standalone.conf"
} else {
$_server_conf_dir = "${keycloak::install_base}/domain/servers/${keycloak::server_name}/configuration"
$_add_user_keycloak_args = "--user ${keycloak::admin_user} --password ${keycloak::admin_user_password} --realm master --sc ${_server_conf_dir}/" # lint:ignore:140chars
$_subdir = 'domain'
$_java_opts_path = "${keycloak::install_base}/bin/domain.conf"

$_dirs = [
"${keycloak::install_base}/domain/servers",
"${keycloak::install_base}/domain/servers/${keycloak::server_name}",
"${keycloak::install_base}/domain/servers/${keycloak::server_name}/configuration",
]

file { $_dirs:
ensure => 'directory',
owner => $keycloak::user,
group => $keycloak::group,
mode => '0755',
}
}

file { "${keycloak::install_base}/standalone/configuration/profile.properties":
ensure => 'file',
owner => $keycloak::user,
group => $keycloak::group,
content => template('keycloak/profile.properties.erb'),
mode => '0644',
exec { 'create-keycloak-admin':
command => "${_add_user_keycloak_cmd} ${_add_user_keycloak_args} && touch ${_add_user_keycloak_state}",
creates => $_add_user_keycloak_state,
notify => Class['keycloak::service'],
user => $keycloak::user,
}

concat { "${keycloak::install_base}/config.cli":
Expand All @@ -64,7 +73,7 @@

concat::fragment { 'config.cli-keycloak':
target => "${keycloak::install_base}/config.cli",
content => template('keycloak/config.cli.erb'),
content => $_config_cli_content,
order => '00',
}

Expand Down Expand Up @@ -105,11 +114,163 @@
} else {
$_java_opts = $java_opts
}
file_line { 'standalone.conf-JAVA_OPTS':
file_line { 'keycloak-JAVA_OPTS':
ensure => $java_opts_ensure,
path => "${keycloak::install_base}/bin/standalone.conf",
path => $_java_opts_path,
line => "JAVA_OPTS=\"${_java_opts}\"",
match => '^JAVA_OPTS=',
notify => Class['keycloak::service'],
}

file { "${keycloak::install_base}/${_subdir}/configuration":
ensure => 'directory',
owner => $keycloak::user,
group => $keycloak::group,
mode => '0750',
}

file { "${keycloak::install_base}/${_subdir}/configuration/profile.properties":
ensure => 'file',
owner => $keycloak::user,
group => $keycloak::group,
content => template('keycloak/profile.properties.erb'),
mode => '0644',
notify => Class['keycloak::service'],
}

if $::keycloak::operating_mode == 'domain' {
$_add_user_wildfly_cmd = "${keycloak::install_base}/bin/add-user.sh"
$_add_user_wildfly_args = "--user ${keycloak::wildfly_user} --password ${keycloak::wildfly_user_password} -e -s"
$_add_user_wildfly_state = "${::keycloak::install_base}/.create-wildfly-user"

exec { 'create-wildfly-user':
command => "${_add_user_wildfly_cmd} ${_add_user_wildfly_args} && touch ${_add_user_wildfly_state}",
creates => $_add_user_wildfly_state,
notify => Class['keycloak::service'],
}

if $keycloak::role == 'master' {

# Remove load balancer group
# Rename the server
# Set port offset to zero to run server on port 8080
augeas { 'ensure-servername':
incl => "${keycloak::install_base}/domain/configuration/host-master.xml",
context => "/files${keycloak::install_base}/domain/configuration/host-master.xml/host/servers",
load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist',
lens => 'Xml.lns',
changes => [
'rm server[1]',
'rm server',
"set server/#attribute/name ${keycloak::server_name}",
'set server/#attribute/group auth-server-group',
'set server/#attribute/auto-start true',
'set server/socket-bindings/#attribute/port-offset 0',
],
notify => Class['keycloak::service'],
}

# Set up interface names and defaults in host-master.xml
augeas { 'ensure-interface-names-defaults-master':
incl => "${keycloak::install_base}/domain/configuration/host-master.xml",
context => "/files${keycloak::install_base}/domain/configuration/host-master.xml/host/interfaces",
load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist',
lens => 'Xml.lns',
changes => [
# lint:ignore:single_quote_string_with_variables
'set interface[1]/#attribute/name management',
'set interface[1]/inet-address/#attribute/value ${jboss.bind.address.management:127.0.0.1}',
'set interface[2]/#attribute/name private',
'set interface[2]/inet-address/#attribute/value ${jboss.bind.address.private:127.0.0.1}',
'set interface[3]/#attribute/name public',
'set interface[3]/inet-address/#attribute/value ${jboss.bind.address:127.0.0.1}',
# lint:endignore
],
notify => Class['keycloak::service'],
}

# Assing management interfaces to logical interfaces
augeas { 'assign-management-interaces-master':
incl => "${keycloak::install_base}/domain/configuration/host-master.xml",
context => "/files${keycloak::install_base}/domain/configuration/host-master.xml/host/management/management-interfaces",
load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist',
lens => 'Xml.lns',
changes => [
'set native-interface/socket/#attribute/interface management',
'set http-interface/socket/#attribute/interface private',
],
notify => Class['keycloak::service'],
}
} else {
# Rename the server
# Set port offset to zero, to run server in port 8080
augeas { 'ensure-servername':
incl => "${keycloak::install_base}/domain/configuration/host-slave.xml",
context => "/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/servers",
load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist',
lens => 'Xml.lns',
changes => [
"set server/#attribute/name ${keycloak::server_name}",
'set server/socket-bindings/#attribute/port-offset 0'
],
notify => Class['keycloak::service'],
}

# Set username for authentication to master
augeas { 'ensure-username':
incl => "${keycloak::install_base}/domain/configuration/host-slave.xml",
context => "/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/domain-controller/remote",
load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist',
lens => 'Xml.lns',
changes => [
"set #attribute/username ${keycloak::wildfly_user}"
],
notify => Class['keycloak::service'],
}

# Set secret for authentication to master
augeas { 'ensure-secret':
incl => "${keycloak::install_base}/domain/configuration/host-slave.xml",
context => "/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/management/security-realms/security-realm[1]/server-identities/secret", # lint:ignore:140chars
load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist',
lens => 'Xml.lns',
changes => [
"set #attribute/value ${keycloak::wildfly_user_password_base64}"
],
notify => Class['keycloak::service'],
}

# Set up interface names and default in host-slave.xml
augeas { 'ensure-interface-names-defaults-slave':
incl => "${keycloak::install_base}/domain/configuration/host-slave.xml",
context => "/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/interfaces",
load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist',
lens => 'Xml.lns',
changes => [
# lint:ignore:single_quote_string_with_variables
'set interface[1]/#attribute/name management',
'set interface[1]/inet-address/#attribute/value ${jboss.bind.address.management:127.0.0.1}',
'set interface[2]/#attribute/name private',
'set interface[2]/inet-address/#attribute/value ${jboss.bind.address.private:127.0.0.1}',
'set interface[3]/#attribute/name public',
'set interface[3]/inet-address/#attribute/value ${jboss.bind.address:127.0.0.1}',
# lint:endignore
],
notify => Class['keycloak::service'],
}

# Assing management interfaces to logical interfaces
augeas { 'assign-management-interaces-slave':
incl => "${keycloak::install_base}/domain/configuration/host-slave.xml",
context => "/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/management/management-interfaces",
load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist',
lens => 'Xml.lns',
changes => [
'set native-interface/socket/#attribute/interface management',
'set http-interface/socket/#attribute/interface private',
],
notify => Class['keycloak::service'],
}
}
}
}
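Review bot: The new `create-wildfly-user` exec in the third hunk has no `user =>`, unlike `create-keycloak-admin` earlier in the same file, so `add-user.sh` runs as the agent's own user (normally root) and whatever it writes under `${keycloak::install_base}` is owned by that user rather than by `$keycloak::user`, which the surrounding `file` resources otherwise enforce. Adding `user => $keycloak::user,` to the exec keeps the two execs consistent and avoids the service later failing to read or rewrite those files. Separately, both execs interpolate a password into the command string; when the command exits non-zero Puppet includes the command in its failure message, so the wildfly password can land in agent logs and reports — a `# NOTE:` comment on `$_add_user_wildfly_args` stating this, or passing the secret through the exec's `environment` parameter if add-user.sh can read it from there, would make the trade-off explicit. The enclosing class starts before this hunk.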
