From 5b3ef33d066756c2fa2a16dec4eeae69dd1ab099 Mon Sep 17 00:00:00 2001 
From: treydock Date: Mon, 6 Jun 2022 09:15:12 -0400 Subject: [PATCH] Major rewrite to support Keycloak 18+ using Quarkus (see README for breaking changes) (#247) * Major rewrite to support Keycloak 18+ using Quarkus (see README for breaking changes) * No longer test SSSD user provider * Get testing environment working * Better README examples and fixes * Ensure config changes restart Keycloak --- .fixtures.yml | 36 +- .github/workflows/ci.yaml | 51 +-- .sync.yml | 50 +-- Gemfile | 2 +- README.md | 223 ++++----- Vagrantfile | 32 +- data/common.yaml | 2 - data/os/Debian.yaml | 5 + data/os/RedHat.yaml | 4 + data/os/RedHat/8.yaml | 2 - data/os/Ubuntu/20.04.yaml | 4 +- files/database/mysql/module.xml | 12 - files/database/postgresql/module.xml | 13 - lib/puppet/provider/keycloak_api.rb | 1 + .../keycloak_conn_validator/puppet_https.rb | 4 +- lib/puppet/type/keycloak_api.rb | 4 +- manifests/config.pp | 398 ++-------------- manifests/datasource/h2.pp | 5 - manifests/datasource/mysql.pp | 58 --- manifests/datasource/oracle.pp | 50 --- manifests/datasource/postgresql.pp | 50 --- manifests/db/mariadb.pp | 8 + manifests/db/mysql.pp | 21 + manifests/db/postgres.pp | 18 + manifests/init.pp | 424 +++++++----------- manifests/service.pp | 4 +- manifests/spi_deployment.pp | 22 +- manifests/truststore/host.pp | 9 +- metadata.json | 17 +- spec/acceptance/10_required_action_spec.rb | 15 +- spec/acceptance/11_role_mapping_spec.rb | 15 +- spec/acceptance/1_class_spec.rb | 99 +--- spec/acceptance/1_domain_mode_cluster_spec.rb | 134 ------ spec/acceptance/2_realm_spec.rb | 15 +- spec/acceptance/3_ldap_spec.rb | 35 +- spec/acceptance/3_sssd_spec.rb | 9 +- spec/acceptance/4_client_scopes_spec.rb | 10 +- spec/acceptance/5_client_spec.rb | 15 +- spec/acceptance/6_protocol_mapper_spec.rb | 15 +- .../7_client_protocol_mapper_spec.rb | 10 +- spec/acceptance/8_identity_provider_spec.rb | 15 +- spec/acceptance/9_flow_spec.rb | 15 +- .../nodesets/centos-7-domain-mode-cluster.yml | 60 --- 
spec/acceptance/nodesets/debian-9.yml | 28 -- spec/acceptance/z_keycloak_api_spec.rb | 9 +- spec/classes/init_spec.rb | 263 +++-------- spec/defines/spi_deployment_spec.rb | 18 +- ...keycloak-duo-spi-jar-with-dependencies.jar | Bin 22908 -> 22908 bytes spec/fixtures/test.pp | 32 +- spec/spec_helper_acceptance_setup.rb | 24 +- templates/config.cli/00-header.epp | 10 - templates/config.cli/01-https-proxy.epp | 23 - templates/config.cli/02-datasource.epp | 52 --- templates/config.cli/03-truststore.epp | 26 -- templates/config.cli/04-theming.epp | 9 - .../config.cli/05-deployment-scanner.epp | 7 - templates/config.cli/06-user-cache.epp | 10 - templates/config.cli/10-cluster.epp | 41 -- templates/config.cli/11-domain.epp | 65 --- templates/config.cli/12-syslog.epp | 27 -- templates/config.cli/99-footer.epp | 6 - templates/database/oracle/module.xml.erb | 13 - templates/kcadm-wrapper.sh.erb | 2 +- templates/keycloak.conf.erb | 12 + templates/keycloak.service.erb | 26 +- templates/profile.properties.erb | 4 - types/configs.pp | 56 +++ vagrant-common.sh | 2 +- vagrant/Puppetfile | 24 - vagrant/Vagrantfile | 107 ----- vagrant/db.pp | 36 -- vagrant/install_agent.sh | 69 --- vagrant/lb.pp | 38 -- vagrant/master.pp | 51 --- vagrant/prepare.pp | 28 -- vagrant/run_puppet.sh | 72 --- vagrant/slave.pp | 26 -- 77 files changed, 654 insertions(+), 2553 deletions(-) delete mode 100644 data/os/RedHat/8.yaml delete mode 100644 files/database/mysql/module.xml delete mode 100644 files/database/postgresql/module.xml delete mode 100644 manifests/datasource/h2.pp delete mode 100644 manifests/datasource/mysql.pp delete mode 100644 manifests/datasource/oracle.pp delete mode 100644 manifests/datasource/postgresql.pp create mode 100644 manifests/db/mariadb.pp create mode 100644 manifests/db/mysql.pp create mode 100644 manifests/db/postgres.pp delete mode 100644 spec/acceptance/1_domain_mode_cluster_spec.rb delete mode 100644 spec/acceptance/nodesets/centos-7-domain-mode-cluster.yml delete mode 
100644 spec/acceptance/nodesets/debian-9.yml delete mode 100644 templates/config.cli/00-header.epp delete mode 100644 templates/config.cli/01-https-proxy.epp delete mode 100644 templates/config.cli/02-datasource.epp delete mode 100644 templates/config.cli/03-truststore.epp delete mode 100644 templates/config.cli/04-theming.epp delete mode 100644 templates/config.cli/05-deployment-scanner.epp delete mode 100644 templates/config.cli/06-user-cache.epp delete mode 100644 templates/config.cli/10-cluster.epp delete mode 100644 templates/config.cli/11-domain.epp delete mode 100644 templates/config.cli/12-syslog.epp delete mode 100644 templates/config.cli/99-footer.epp delete mode 100644 templates/database/oracle/module.xml.erb create mode 100644 templates/keycloak.conf.erb delete mode 100644 templates/profile.properties.erb create mode 100644 types/configs.pp delete mode 100644 vagrant/Puppetfile delete mode 100644 vagrant/Vagrantfile delete mode 100644 vagrant/db.pp delete mode 100755 vagrant/install_agent.sh delete mode 100644 vagrant/lb.pp delete mode 100644 vagrant/master.pp delete mode 100644 vagrant/prepare.pp delete mode 100755 vagrant/run_puppet.sh delete mode 100644 vagrant/slave.pp diff --git a/.fixtures.yml b/.fixtures.yml index c936d489..086e805f 100644 --- a/.fixtures.yml +++ b/.fixtures.yml 
@@ -1,35 +1,21 @@ fixtures: - repositories: + forge_modules: stdlib: - repo: https://github.com/puppetlabs/puppetlabs-stdlib.git - ref: 4.25.0 + repo: puppetlabs/stdlib mysql: - repo: https://github.com/puppetlabs/puppetlabs-mysql.git - ref: v10.3.0 + repo: puppetlabs/mysql postgresql: - repo: https://github.com/puppetlabs/puppetlabs-postgresql.git - ref: v7.4.0 + repo: puppetlabs/postgresql java: - repo: https://github.com/puppetlabs/puppetlabs-java.git - ref: v7.3.0 + repo: puppetlabs/java java_ks: - repo: https://github.com/puppetlabs/puppetlabs-java_ks.git - ref: 1.4.1 + repo: puppetlabs/java_ks + # Dependency of other modules + concat: + repo: puppetlabs/concat archive: - repo: https://github.com/voxpupuli/puppet-archive.git - ref: v0.5.1 + repo: puppet/archive systemd: - repo: https://github.com/voxpupuli/puppet-systemd.git - ref: 0.4.0 - augeas_core: - repo: https://github.com/puppetlabs/puppetlabs-augeas_core.git - ref: 1.1.1 - yumrepo_core: - repo: https://github.com/puppetlabs/puppetlabs-yumrepo_core.git - ref: 1.0.7 - apt: - repo: https://github.com/puppetlabs/puppetlabs-apt.git - concat: - repo: https://github.com/puppetlabs/puppetlabs-concat.git + repo: puppet/systemd symlinks: keycloak: "#{source_dir}" diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 9f963c36..0bb72b10 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -7,6 +7,7 @@ on: - master pull_request: + jobs: unit: runs-on: ubuntu-latest @@ -57,7 +58,6 @@ jobs: set: - "centos-7" - "rocky-8" - - "debian-9" - "debian-10" - "debian-11" - "ubuntu-1804" 
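Review bot: Every module in the new `forge_modules:` list is unpinned — the old `repositories:` entries each carried a `ref:` (stdlib 4.25.0, mysql v10.3.0, and so on), the new ones have only `repo:` — so each CI run resolves stdlib, mysql, postgresql, java, java_ks, concat, archive and systemd to whatever the Forge serves that day. That makes unit results non-reproducible and lets an unreviewed (or compromised) upstream release into the test run without anyone opening a PR for it. As far as I recall `puppetlabs_spec_helper` honours `ref:` on forge modules too, so keep a version per entry, e.g. `stdlib:` / `  repo: puppetlabs/stdlib` / `  ref: '<version>'`, ideally the versions metadata.json already declares as supported, and bump them deliberately. The whole `fixtures:` document is inside this hunk.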
@@ -66,60 +66,18 @@ jobs:
 - "puppet6"
 - "puppet7"
 keycloak_version:
- - "12.0.4"
- - "13.0.1"
- - "14.0.0"
- - "15.0.1"
- - "16.1.1"
+ - "18.0.0"
 keycloak_full:
 - "no"
- keycloak_domain_mode_cluster:
- - "no"
 include:
 - set: "centos-7"
 puppet: "puppet6"
- keycloak_version: "12.0.4"
- keycloak_full: "yes"
- - set: "centos-7"
- puppet: "puppet7"
- keycloak_version: "12.0.4"
+ keycloak_version: "18.0.0"
 keycloak_full: "yes"
 - set: "centos-7"
 puppet: "puppet7"
- keycloak_version: "13.0.1"
+ keycloak_version: "18.0.0"
 keycloak_full: "yes"
- - set: "centos-7"
- puppet: "puppet7"
- keycloak_version: "14.0.0"
- keycloak_full: "yes"
- - set: "centos-7"
- puppet: "puppet7"
- keycloak_version: "15.0.1"
- keycloak_full: "yes"
- - set: "centos-7"
- puppet: "puppet7"
- keycloak_version: "16.1.1"
- keycloak_full: "yes"
- - set: "centos-7-domain-mode-cluster"
- puppet: "puppet7"
- keycloak_version: "12.0.4"
- keycloak_domain_mode_cluster: "yes"
- - set: "centos-7-domain-mode-cluster"
- puppet: "puppet7"
- keycloak_version: "13.0.1"
- keycloak_domain_mode_cluster: "yes"
- - set: "centos-7-domain-mode-cluster"
- puppet: "puppet7"
- keycloak_version: "14.0.0"
- keycloak_domain_mode_cluster: "yes"
- - set: "centos-7-domain-mode-cluster"
- puppet: "puppet7"
- keycloak_version: "15.0.1"
- keycloak_domain_mode_cluster: "yes"
- - set: "centos-7-domain-mode-cluster"
- puppet: "puppet7"
- keycloak_version: "16.1.1"
- keycloak_domain_mode_cluster: "yes"
 env:
 BUNDLE_WITHOUT: development:release
 BEAKER_debug: true
@@ -150,4 +108,3 @@ jobs:
 BEAKER_set: ${{ matrix.set }}
 BEAKER_keycloak_version: ${{ matrix.keycloak_version }}
 BEAKER_keycloak_full: ${{ matrix.keycloak_full }}
- BEAKER_keycloak_domain_mode_cluster: ${{ matrix.keycloak_domain_mode_cluster }}
diff --git a/.sync.yml b/.sync.yml
index e243d9d6..a84ab485 100644
--- a/.sync.yml
+++ b/.sync.yml
@@ -18,7 +18,6 @@ Rakefile:
 set:
 - centos-7
 - rocky-8
- - debian-9
 - debian-10
 - debian-11
 - ubuntu-1804
@@ -27,58 +26,17 @@ Rakefile:
 - puppet6
 - puppet7
 keycloak_version:
- - '12.0.4'
- - '13.0.1'
- - '14.0.0'
- - '15.0.1'
- - '16.1.1'
+ - '18.0.0'
 keycloak_full: ['no']
- keycloak_domain_mode_cluster: ['no']
 acceptance_includes:
 - set: centos-7
 puppet: puppet6
- keycloak_version: 12.0.4
+ keycloak_version: 18.0.0
 keycloak_full: 'yes'
 - set: centos-7
 puppet: puppet7
- keycloak_version: 12.0.4
+ keycloak_version: 18.0.0
 keycloak_full: 'yes'
- - set: centos-7
- puppet: puppet7
- keycloak_version: 13.0.1
- keycloak_full: 'yes'
- - set: centos-7
- puppet: puppet7
- keycloak_version: 14.0.0
- keycloak_full: 'yes'
- - set: centos-7
- puppet: puppet7
- keycloak_version: 15.0.1
- keycloak_full: 'yes'
- - set: centos-7
- puppet: puppet7
- keycloak_version: 16.1.1
- keycloak_full: 'yes'
- - set: centos-7-domain-mode-cluster
- puppet: puppet7
- keycloak_version: 12.0.4
- keycloak_domain_mode_cluster: 'yes'
- - set: centos-7-domain-mode-cluster
- puppet: puppet7
- keycloak_version: 13.0.1
- keycloak_domain_mode_cluster: 'yes'
- - set: centos-7-domain-mode-cluster
- puppet: puppet7
- keycloak_version: 14.0.0
- keycloak_domain_mode_cluster: 'yes'
- - set: centos-7-domain-mode-cluster
- puppet: puppet7
- keycloak_version: 15.0.1
- keycloak_domain_mode_cluster: 'yes'
- - set: centos-7-domain-mode-cluster
- puppet: puppet7
- keycloak_version: 16.1.1
- keycloak_domain_mode_cluster: 'yes'
 .gitignore:
 paths:
 - /vagrant/.vagrant/
@@ -87,6 +45,8 @@ Rakefile:
 delete: true
 appveyor.yml:
 delete: true
+spec/acceptance/nodesets/debian-9.yml:
+ delete: true
 spec/acceptance/nodesets/debian-10.yml:
 packages:
 - iproute2
diff --git a/Gemfile b/Gemfile
index 114c81e5..c9844383 100644
--- a/Gemfile
+++ b/Gemfile
@@ -39,7 +39,7 @@ group :system_tests do gem "beaker-pe", require: false gem "beaker-hostgenerator" gem "beaker-rspec" - gem "beaker-docker", *location_for(ENV['BEAKER_DOCKER_VERSION'] || '~> 0.7.0') + gem "beaker-docker" gem "beaker-puppet" gem "beaker-puppet_install_helper", require: false gem "beaker-module_install_helper", require: false diff --git a/README.md b/README.md index 1b9c976a..72da2846 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,7 @@ #### Table of Contents 1. [Overview](#overview) + * [Upgrade to 8.x](#upgrade-to-8x) * [Supported Versions of Keycloak](#supported-versions-of-keycloak) 2. [Usage - Configuration options](#usage) * [Keycloak](#keycloak) 
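Review bot: `beaker-docker` loses both its `~> 0.7.0` constraint and the `BEAKER_DOCKER_VERSION` override in this hunk, so the one gem in the group that was deliberately version-controlled now floats to whatever bundler resolves on the day. If the old range no longer works with the new images, substitute the range that does rather than dropping the constraint: `gem "beaker-docker", *location_for(ENV['BEAKER_DOCKER_VERSION'] || '~> <working range>')`, so acceptance runs stay reproducible and a broken or malicious upstream release cannot change CI behaviour unnoticed. The enclosing `group :system_tests do` block starts and ends outside the hunk.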
@@ -32,6 +33,70 @@ The keycloak module allows easy installation and management of Keycloak. +### Upgrade to 8.x + +This module underwent major changes in the 8.0.0 release to support Keycloak that uses Quarkus. +The initial 8.0.0 release of this module only supports Keycloak 18.x. + +Numerous parameters were changed or removed. Below is a list of the changes to parameters as well as some behavior changes. + +**Parameters removed** + +* `service_hasstatus`, `service_hasrestart` +* `management_bind_address` +* `java_opts_append` +* `wildfly_user`, `wildfly_user_password` +* `datasource_package`, `datasource_jar_source`, `datasource_jar_filename`, `datasource_module_source`, `datasource_xa_class` +* `proxy_https` +* `truststore_hostname_verification_policy` +* `theme_static_max_age`, `theme_cache_themes`, `theme_cache_templates` +* `operating_mode`, `enable_jdbc_ping`, `jboss_bind_public_address`, `jboss_bind_private_address` +* `master_address`, `server_name`, `role`, `user_cache` +* `tech_preview_features` +* `auto_deploy_exploded`, `auto_deploy_zipped` +* `syslog`, `syslog_app_name`, `syslog_facility`, `syslog_hostname`, `syslog_level` +* `syslog_port`, `syslog_server_address`, `syslog_format` + +**Parameters renamed** + +* `service_bind_address` renamed to `http_host` and now defined in keycloak.conf instead of the systemd unit file +* `manage_datasource` renamed to `manage_db` +* `datasource_driver` renamed to `db` +* `datasource_host` renamed to `db_url_host` +* `datasource_port` renamed to `db_url_port` +* `datasource_url` renamed to `db_url` +* `datasource_dbname` renamed to `db_url_database` +* `datasource_username` renamed to `db_username` +* `datasource_password` renamed to `db_password` +* `mysql_database_charset` renamed to `db_charset` +* `auth_url_path` renamed to `validator_test_url` and default value changed + +**Parameters added** + +* `java_declare_method` to make it easier for EL platforms to deploy working Keycloak with correct Java +* 
`java_package`, `java_home`, `java_alternative_path`, `java_alternative` +* `start_command` +* `configs` +* `hostname`, `http_enabled`, `http_host`, `https_port`, `proxy` +* `manage_db_server` +* `features` +* `features_disabled` +* `providers_purge` + +**Behavior changes** + +The SSSD parameters are no longer tested and likely won't work. If you use the SSSD user provider and SSSD related parameters, please open an issue on this repo. + +This module no longer makes copies for DB driver jar files or install Java bindings, they are not necessary. + +When `db` is set to `mariadb`, `mysql` or `postgres` this module will by default install the database server to the Keycloak host. If you run a remote DB server for Keycloak, set `manage_db_server` and `manage_db` to `false`. + +There is no longer a need to define cluster or domain modes in the Quarkus deployment, all related functionality is removed. + +Some basic configuration options are exposed using parameters but most configuration options for Keycloak will need to be passed into the `configs` parameter. + +Drop Debian 9 support due to OS repos not having Java 11. + ### Supported Versions of Keycloak Currently this module supports Keycloak version 12.x. @@ -44,12 +109,13 @@ This module may work on earlier versions but this is the only version tested. | 6.x - 8.x | 4.x - 5.x | | 8.x - 12.x | 6.x | | 12.x - 16.x | 7.x | +| 18.x | 8.x | ## Usage ### keycloak -Install Keycloak using default `h2` database storage. +Install Keycloak using default `dev-file` database. ```puppet class { 'keycloak': } 
@@ -59,33 +125,33 @@ Install a specific version of Keycloak. ```puppet class { 'keycloak': - version => '6.0.1', - datasource_driver => 'mysql', + version => '18.0.0', + db => 'mariadb', } ``` -Upgrading Keycloak version works by changing `version` parameter as long as the `datasource_driver` is not the default of `h2`. An upgrade involves installing the new version without touching the old version, updating the symlink which defaults to `/opt/keycloak`, applying all changes to new version and then restarting the `keycloak` service. +Upgrading Keycloak version works by changing `version` parameter as long as the `db` parameter is not the default of `dev-file`. An upgrade involves installing the new version without touching the old version, updating the symlink which defaults to `/opt/keycloak`, applying all changes to new version and then restarting the `keycloak` service. -If the previous `version` was `6.0.1` using the following will upgrade to `7.0.0`: +If the previous `version` was `18.0.0` using the following will upgrade to `19.0.0`: ```puppet class { 'keycloak': - version => '7.0.0', - datasource_driver => 'mysql', + version => '19.0.0', + db => 'mariadb', } ``` -Install keycloak and use a local MySQL server for database storage +Install keycloak and use a local MariaDB server for database storage ```puppet include mysql::server class { 'keycloak': - datasource_driver => 'mysql', - datasource_host => 'localhost', - datasource_port => 3306, - datasource_dbname => 'keycloak', - datasource_username => 'keycloak', - datasource_password => 'foobar', + db => 'mariadb', + db_url_host => 'localhost', + db_url_port => 3306, + db_url_database => 'keycloak', + db_username => 'keycloak', + db_password => 'foobar', } ``` 
@@ -94,33 +160,12 @@ The following example can be used to configure keycloak with a local PostgreSQL ```puppet include postgresql::server class { 'keycloak': - datasource_driver => 'postgresql', - datasource_host => 'localhost', - datasource_port => 5432, - datasource_dbname => 'keycloak', - datasource_username => 'keycloak', - datasource_password => 'foobar', -} -``` - -Configure keycloak to use a remote Oracle database. - -The parameter `datasource_jar_source` is always required with Oracle database. -The jar is downloaded to the keycloak module dir and renamed to `datasource_jar_filename` or `'ojdbc8.jar'` as default value. - -With a special database configuration it may be more suitable to give the complete database url `'jdbc:oracle:thin:@[...]'` using the parameter `database_url` instead of `database_host`, `database_port` and `database_dbname`. -The default value with Oracle database for `database_host` is `'localhost'` and the default value for `database_port` is here `1521`. - -```puppet -class { 'keycloak': - datasource_driver => 'oracle', - datasource_host => 'oracleserver.mydomain.de', - datasource_port => 1521, - datasource_dbname => 'keycloak', - datasource_username => 'keycloak', - datasource_password => 'foobar', - datasource_jar_source => 'https://oracle.com/path/to/driver.jar', - datasource_jar_filename => 'ojdbc8.jar', + db => 'postgres', + db_url_host => 'localhost', + db_url_port => 5432, + db_url_database => 'keycloak', + db_username => 'keycloak', + db_password => 'foobar', } ``` @@ -128,9 +173,8 @@ Configure a SSL certificate truststore and add a LDAP server's certificate to th ```puppet class { 'keycloak': - truststore => true, - truststore_password => 'supersecret', - truststore_hostname_verification_policy => 'STRICT', + truststore => true, + truststore_password => 'supersecret', } keycloak::truststore::host { 'ldap1.example.com': certificate => '/etc/openldap/certs/0a00000.0', 
@@ -141,15 +185,17 @@ Setup Keycloak to proxy through Apache HTTPS. ```puppet class { 'keycloak': - proxy_https => true + http_host => '127.0.0.1', + proxy => 'edge', } apache::vhost { 'idp.example.com': - servername => 'idp.example.com', - port => '443', - ssl => true, - manage_docroot => false, - docroot => '/var/www/html', + servername => 'idp.example.com', + port => '443', + ssl => true, + manage_docroot => false, + docroot => '/var/www/html', proxy_preserve_host => true, + proxy_add_headers => true, proxy_pass => [ {'path' => '/', 'url' => 'http://localhost:8080/'} ], 
@@ -161,80 +207,6 @@ apache::vhost { 'idp.example.com': ssl_key => '/etc/pki/tls/private/idp.example.com.key', } ``` -Setup a domain master. (This needs a shared database, here '1.2.3.4'). - -```puppet -class { '::keycloak': - operating_mode => 'domain', - role => 'master', - wildfly_user => 'wildfly, - wildfly_user_password => 'changeme, - manage_datasource => false, - datasource_driver => 'postgresql', - datasource_host => '1.2.3.4, - datasource_dbname => 'keycloak, - datasource_username => 'keycloak, - datasource_password => 'changeme, - admin_user => 'admin, - admin_user_password => 'changeme, -} -``` - -Setup a domain slave. (This needs a shared database, here '1.2.3.4'). - -```puppet -class { '::keycloak': - operating_mode => 'domain', - role => 'slave', - wildfly_user => 'wildfly, - wildfly_user_password => 'changeme, - manage_datasource => false, - datasource_driver => 'postgresql', - datasource_host => '1.2.3.4, - datasource_dbname => 'keycloak, - datasource_username => 'keycloak, - datasource_password => 'changeme, - admin_user => 'admin, - admin_user_password => 'changeme, -} -``` -**NOTE:** The wilfdly user and password need to match those in domain master. These are required for authentication in a cluster. - -Setup a host for theme development so that theme changes don't require a service restart, not recommended for production. - -```puppet -class { 'keycloak': - theme_static_max_age => -1, - theme_cache_themes => false, - theme_cache_templates => false, -} -``` - -Run Keycloak using standalone clustered mode (multicast): - -```puppet -class { 'keycloak': - operating_mode => 'clustered', -} -``` - -Run Keycloak using standalone clustered mode (JDBC_PING): - -> [JDBC_PING](http://jgroups.org/manual/#_jdbc_ping) uses port **7600** to ensure cluster members are discoverable by each other. This module **does NOT manage firewall changes**. 
- -```puppet -class { 'keycloak': - operating_mode => 'clustered', - datasource_driver => 'postgresql', - enable_jdbc_ping => true, - jboss_bind_private_address => $facts['networking']['ip'], - jboss_bind_public_address => $facts['networking']['ip'], -} - -# your puppet code to open port 7600 -# ... -# ... -``` ### Deploy SPI @@ -562,8 +534,7 @@ keycloak_required_action { 'webauthn-register on master': This module has been tested on: * RedHat/CentOS 7 x86_64 -* RedHat/CentOS 8 x86_64 -* Debian 9 x86_64 +* RedHat/Rocky 8 x86_64 * Debian 10 x86_64 * Debian 11 x86_64 * Ubuntu 18.04 x86_64 diff --git a/Vagrantfile b/Vagrantfile index 8a5952f1..296823eb 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -4,30 +4,32 @@ Vagrant.configure(2) do |config| config.vm.synced_folder ".", "/vagrant", type: "virtualbox" - config.vm.define "keycloak", primary: true, autostart: true do |ood| - ood.vm.box = "centos/7" - ood.vbguest.installer_options = { allow_kernel_upgrade: true } - ood.vm.network "forwarded_port", guest: 8080, host: 8080, auto_correct: true - ood.vm.provision "shell", inline: <<-SHELL - rpm -Uvh https://yum.puppet.com/puppet5/puppet5-release-el-7.noarch.rpm + config.vm.define "keycloak", primary: true, autostart: true do |k| + k.vm.box = "centos/7" + k.vbguest.installer_options = { allow_kernel_upgrade: true } + k.vm.network "forwarded_port", guest: 8080, host: 8080, auto_correct: true + k.vm.network "forwarded_port", guest: 9090, host: 9090, auto_correct: true + k.vm.provision "shell", inline: <<-SHELL + rpm -Uvh https://yum.puppet.com/puppet6-release-el-7.noarch.rpm yum -y install puppet-agent source /etc/profile.d/puppet-agent.sh + setenforce 0 SHELL - ood.vm.provision "shell", path: "vagrant-common.sh" + k.vm.provision "shell", path: "vagrant-common.sh" end - config.vm.define "keycloak-ubuntu-1804", primary: false, autostart: false do |ood| - ood.vm.box = "ubuntu/bionic64" - ood.vm.box_version = "20190903.0.0" - ood.vm.network "forwarded_port", guest: 8080, host: 8081, auto_correct: true - ood.vm.provision "shell", inline: <<-SHELL - wget https://apt.puppetlabs.com/puppet5-release-bionic.deb - dpkg -i puppet5-release-bionic.deb + config.vm.define "keycloak-ubuntu-1804", primary: false, autostart: false do |k| + k.vm.box = "ubuntu/bionic64" + k.vm.box_version = "20190903.0.0" + k.vm.network "forwarded_port", guest: 8080, host: 8081, auto_correct: true + k.vm.provision "shell", inline: <<-SHELL + wget https://apt.puppetlabs.com/puppet6-release-bionic.deb + dpkg -i puppet6-release-bionic.deb apt-get update apt-get install puppet-agent echo "export PATH=/opt/puppetlabs/bin:/opt/puppetlabs/puppet/bin:/usr/share/puppetmaster-installer/bin:$PATH" > 
/etc/profile.d/puppetlabs.sh SHELL - ood.vm.provision "shell", path: "vagrant-common.sh" + k.vm.provision "shell", path: "vagrant-common.sh" end end diff --git a/data/common.yaml b/data/common.yaml index 42e16c9e..45567299 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -1,5 +1,3 @@ --- keycloak::libunix_dbus_java_source: 'https://github.com/keycloak/libunix-dbus-java/archive/libunix-dbus-java-0.8.0.tar.gz' keycloak::service_name: 'keycloak' -keycloak::service_hasstatus: true -keycloak::service_hasrestart: true \ No newline at end of file diff --git a/data/os/Debian.yaml b/data/os/Debian.yaml index 4c8bbcc0..71a7b2da 100644 --- a/data/os/Debian.yaml +++ b/data/os/Debian.yaml @@ -1,4 +1,9 @@ --- +keycloak::java_declare_method: include +keycloak::java_package: openjdk-11-jdk +keycloak::java_home: /usr/lib/jvm/java-1.11.0-openjdk-amd64/ +keycloak::java_alternative_path: /usr/lib/jvm/java-1.11.0-openjdk-amd64/bin/java +keycloak::java_alternative: java-1.11.0-openjdk-amd64 keycloak::user_shell: '/usr/sbin/nologin' keycloak::libunix_dbus_java_build_dependencies: - 'zlib1g-dev' diff --git a/data/os/RedHat.yaml b/data/os/RedHat.yaml index fbd8dbbf..38a99bc7 100644 --- a/data/os/RedHat.yaml +++ b/data/os/RedHat.yaml @@ -1,4 +1,8 @@ --- +keycloak::java_package: java-11-openjdk-devel +keycloak::java_home: /usr/lib/jvm/java-11-openjdk/ +keycloak::java_alternative_path: /usr/lib/jvm/java-11-openjdk/bin/java +keycloak::java_alternative: /usr/lib/jvm/java-11-openjdk/bin/java keycloak::user_shell: '/sbin/nologin' keycloak::libunix_dbus_java_build_dependencies: - 'which' diff --git a/data/os/RedHat/8.yaml b/data/os/RedHat/8.yaml deleted file mode 100644 index d93ec72e..00000000 --- a/data/os/RedHat/8.yaml +++ /dev/null @@ -1,2 +0,0 @@ ---- -keycloak::datasource_package: mariadb-java-client diff --git a/data/os/Ubuntu/20.04.yaml b/data/os/Ubuntu/20.04.yaml index 97f95038..57322bc9 100644 --- a/data/os/Ubuntu/20.04.yaml +++ b/data/os/Ubuntu/20.04.yaml 
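Review bot: `setenforce 0` in the centos/7 provisioner switches SELinux to permissive for the entire dev VM, so any denial the new layout produces — Keycloak launched from `/opt/keycloak` by the module's systemd unit (keycloak.service.erb in the diffstat), the mode-0600 admin env file `keycloak::config` writes elsewhere in this patch — never surfaces in development and is first seen on an enforcing production EL host. If this works around one specific denial, name it in a comment and fix it with a file context or boolean instead; if it is only convenience, mark it so readers do not copy it into real provisioning: `setenforce 0  # dev VM only: SELinux is deliberately not exercised here`. The call is also non-persistent, so a rebooted VM silently returns to enforcing, which is one more reason to prefer a real fix. The `config.vm.define "keycloak"` block is fully inside the hunk; the outer `Vagrant.configure` block starts outside it.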
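Review bot: The new Debian Java paths hard-code `amd64` (`java-1.11.0-openjdk-amd64` appears in `java_home`, `java_alternative_path` and `java_alternative`), so on an arm64 Debian or Ubuntu host `openjdk-11-jdk` installs but `JAVA_HOME` and the alternative point at a directory that does not exist. If non-x86 hosts are in scope, derive the suffix from a fact, e.g. `keycloak::java_home: "/usr/lib/jvm/java-1.11.0-openjdk-%{facts.os.architecture}/"` — on Debian-family systems Facter reports `amd64`/`arm64`, which as far as I can tell matches the package naming; otherwise document the x86_64-only assumption next to these keys. The RedHat values in the neighbouring hunk are arch-neutral and need no change.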
@@ -1,2 +1,4 @@ --- -keycloak::mysql_database_charset: utf8mb3 +# TODO: Use until this released to force mariadb: +# https://github.com/puppetlabs/puppetlabs-mysql/commit/8c8c01739f593b2bcd1943297761a09dde994197 +keycloak::db_charset: utf8mb3 diff --git a/files/database/mysql/module.xml b/files/database/mysql/module.xml deleted file mode 100644 index c97bcc6d..00000000 --- a/files/database/mysql/module.xml +++ /dev/null @@ -1,12 +0,0 @@ - - - - - - - - - - - - diff --git a/files/database/postgresql/module.xml b/files/database/postgresql/module.xml deleted file mode 100644 index 574e0ca9..00000000 --- a/files/database/postgresql/module.xml +++ /dev/null @@ -1,13 +0,0 @@ - - - - - - - - - - - - - diff --git a/lib/puppet/provider/keycloak_api.rb b/lib/puppet/provider/keycloak_api.rb index 11ad2d34..93e8f216 100644 --- a/lib/puppet/provider/keycloak_api.rb +++ b/lib/puppet/provider/keycloak_api.rb @@ -177,6 +177,7 @@ def name_uuid(*args) end def check_theme_exists(theme, res) + return true if theme == 'keycloak' install_dir = self.class.install_dir || '/opt/keycloak' path = File.join(install_dir, 'themes', theme) return if File.exist?(path) diff --git a/lib/puppet/provider/keycloak_conn_validator/puppet_https.rb b/lib/puppet/provider/keycloak_conn_validator/puppet_https.rb index 562589aa..ce1af4e9 100644 --- a/lib/puppet/provider/keycloak_conn_validator/puppet_https.rb +++ b/lib/puppet/provider/keycloak_conn_validator/puppet_https.rb @@ -38,8 +38,8 @@ def exists? # especially on the first install. Therefore, our first connection attempt # may fail. Here we have somewhat arbitrarily chosen to retry every 2 # seconds until the configurable timeout has expired. - Puppet.notice('Failed to connect to keycloak; sleeping 2 seconds before retry') - sleep 2 + Puppet.notice('Failed to connect to keycloak; sleeping 5 seconds before retry') + sleep 5 success = validator.attempt_connection end 
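Review bot: The new short-circuit returns `true` for the built-in `keycloak` theme while the existing success path two lines down (`return if File.exist?(path)`) returns `nil`, so `check_theme_exists` now has two different "theme is fine" values and any caller that tests the result truthily will treat a present custom theme differently from the built-in one. Return the same thing in both branches, `return if theme == 'keycloak'`, and if other themes that ship inside the Quarkus distribution rather than under `themes/` need the same exemption — I cannot confirm which from this hunk — use one frozen list constant rather than a second literal. The failure path of `check_theme_exists` continues outside the hunk.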
diff --git a/lib/puppet/type/keycloak_api.rb b/lib/puppet/type/keycloak_api.rb index b8760227..ee836ce5 100644 --- a/lib/puppet/type/keycloak_api.rb +++ b/lib/puppet/type/keycloak_api.rb @@ -10,7 +10,7 @@ @example Define API access keycloak_api { 'keycloak' install_dir => '/opt/keycloak', - server => 'http://localhost:8080/auth', + server => 'http://localhost:8080', realm => 'master', user => 'admin', password => 'changeme', @@ -27,7 +27,7 @@ newparam(:server) do desc 'Auth URL for Keycloak server' - defaultto('http://localhost:8080/auth') + defaultto('http://localhost:8080') end newparam(:realm) do diff --git a/manifests/config.pp b/manifests/config.pp index 16772c77..1343add0 100644 --- a/manifests/config.pp +++ b/manifests/config.pp 
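Review bot: The `server` default changing from `http://localhost:8080/auth` to `http://localhost:8080` silently breaks every `keycloak_api` declaration that relied on the old default, and the README "Upgrade to 8.x" section in this patch lists renamed and removed class parameters but not this type default. If I remember correctly the Quarkus distribution can still be configured to keep the `/auth` relative path for older clients; a deployment that does so via `configs` will now have the provider pointed at the wrong URL unless it sets `server` explicitly. Worth saying in the param description: `desc 'Auth URL for Keycloak server, without the /auth suffix (Keycloak 18+); set explicitly if a non-default relative path is configured'`, and adding the default change to the upgrade notes. The enclosing `Puppet::Type.newtype` block starts and ends outside the hunk.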
@@ -23,388 +23,52 @@ show_diff => false, } - file { "${keycloak::install_base}/tmp": - ensure => 'directory', - owner => $keycloak::user, - group => $keycloak::group, - mode => '0755', - } - - $_add_user_keycloak_cmd = "${keycloak::install_base}/bin/add-user-keycloak.sh" - $_add_user_keycloak_state = "${keycloak::install_base}/.create-keycloak-admin-${keycloak::datasource_driver}" - - if $::keycloak::operating_mode != 'domain' { - $_server_conf_dir = "${keycloak::install_base}/standalone/configuration" - $_add_user_keycloak_args = "--user ${keycloak::admin_user} --password ${keycloak::admin_user_password} --realm master" - $_java_opts_path = "${keycloak::install_base}/bin/standalone.conf" - - } else { - $_server_conf_dir = "${keycloak::install_base}/domain/servers/${keycloak::server_name}/configuration" - $_add_user_keycloak_args = "--user ${keycloak::admin_user} --password ${keycloak::admin_user_password} --realm master --sc ${_server_conf_dir}/" # lint:ignore:140chars - $_java_opts_path = "${keycloak::install_base}/bin/domain.conf" - - $_dirs = [ - dirname(dirname($_server_conf_dir)), - dirname($_server_conf_dir) - ] - - file { $_dirs: - ensure => 'directory', - owner => $keycloak::user, - group => $keycloak::group, - mode => '0755', - } - } - - exec { 'create-keycloak-admin': - command => "${_add_user_keycloak_cmd} ${_add_user_keycloak_args} && touch ${_add_user_keycloak_state}", - creates => $_add_user_keycloak_state, - notify => Class['keycloak::service'], - user => $keycloak::user, - require => File[$_server_conf_dir], + file { $keycloak::admin_env: + ensure => 'file', + owner => $keycloak::user, + group => $keycloak::group, + mode => '0600', + content => join([ + '# File managed by Puppet', + "KEYCLOAK_ADMIN=${keycloak::admin_user}", + "KEYCLOAK_ADMIN_PASSWORD=${keycloak::admin_user_password}", + '', + ], "\n"), + show_diff => false, } - if $keycloak::operating_mode == 'domain' { - $config_cli_prefix = '/profile=auth-server-clustered' + if 
$keycloak::custom_config_content { + $config_content = $keycloak::custom_config_content } else { - $config_cli_prefix = '' + $config_content = template('keycloak/keycloak.conf.erb') } - - concat { "${keycloak::install_base}/config.cli": - owner => $keycloak::user, - group => $keycloak::group, - mode => '0600', - notify => Exec['jboss-cli.sh --file=config.cli'], - show_diff => false, - ensure_newline => true, - } - - concat::fragment { 'keycloak-config.cli-header': - target => "${keycloak::install_base}/config.cli", - content => epp('keycloak/config.cli/00-header.epp', {'operating_mode' => $keycloak::operating_mode}), - order => '00', - } - - if $keycloak::proxy_https { - concat::fragment { 'keycloak-config.cli-https-proxy': - target => "${keycloak::install_base}/config.cli", - content => epp('keycloak/config.cli/01-https-proxy.epp', { - 'prefix' => $config_cli_prefix, - 'operating_mode' => $keycloak::operating_mode, - }), - order => '01', - } - } - - concat::fragment { 'keycloak-config.cli-datasource': - target => "${keycloak::install_base}/config.cli", - content => epp('keycloak/config.cli/02-datasource.epp', { - 'datasource_driver' => $keycloak::datasource_driver, - 'datasource_connection_url' => $keycloak::datasource_connection_url, - 'datasource_username' => $keycloak::datasource_username, - 'datasource_password' => $keycloak::datasource_password, - 'mysql_datasource_class' => $keycloak::mysql_datasource_class, - 'prefix' => $config_cli_prefix, - }), - order => '02', - } - - concat::fragment { 'keycloak-config.cli-truststore': - target => "${keycloak::install_base}/config.cli", - content => epp('keycloak/config.cli/03-truststore.epp', { - 'truststore' => $keycloak::truststore, - 'operating_mode' => $keycloak::operating_mode, - 'install_base' => $keycloak::install_base, - 'truststore_password' => $keycloak::truststore_password, - 'truststore_hostname_verification_policy' => $keycloak::truststore_hostname_verification_policy, - 'prefix' => $config_cli_prefix, - 
}), - order => '03', - } - - concat::fragment { 'keycloak-config.cli-theming': - target => "${keycloak::install_base}/config.cli", - content => epp('keycloak/config.cli/04-theming.epp', { - 'theme_static_max_age' => $keycloak::theme_static_max_age, - 'theme_cache_themes' => $keycloak::theme_cache_themes, - 'theme_cache_templates' => $keycloak::theme_cache_templates, - 'prefix' => $config_cli_prefix, - }), - order => '04', - } - - # deployment scanner is not compatible with domain mode - if $keycloak::operating_mode != 'domain' { - concat::fragment { 'keycloak-config.cli-deployment-scanner': - target => "${keycloak::install_base}/config.cli", - content => epp('keycloak/config.cli/05-deployment-scanner.epp', { - 'auto_deploy_exploded' => $keycloak::auto_deploy_exploded, - 'auto_deploy_zipped' => $keycloak::auto_deploy_zipped, - 'prefix' => $config_cli_prefix, - }), - order => '05', - } - } - - concat::fragment { 'keycloak-config.cli-user-cache': - target => "${keycloak::install_base}/config.cli", - content => epp('keycloak/config.cli/06-user-cache.epp', { - 'user_cache' => $keycloak::user_cache, - 'prefix' => $config_cli_prefix, - }), - order => '06', - } - - concat::fragment { 'keycloak-config.cli-cluster': - target => "${keycloak::install_base}/config.cli", - content => epp('keycloak/config.cli/10-cluster.epp', { - 'operating_mode' => $keycloak::operating_mode, - 'enable_jdbc_ping' => $keycloak::enable_jdbc_ping, - 'datasource_driver' => $keycloak::datasource_driver, - 'jboss_bind_private_address' => $keycloak::jboss_bind_private_address, - 'jboss_bind_public_address' => $keycloak::jboss_bind_public_address, - 'prefix' => $config_cli_prefix, - }), - order => '10', - } - - if $keycloak::operating_mode == 'domain' { - concat::fragment { 'keycloak-config.cli-domain': - target => "${keycloak::install_base}/config.cli", - content => epp('keycloak/config.cli/11-domain.epp', { - 'prefix' => $config_cli_prefix, - }), - order => '11', - } - } - - concat::fragment { 
'keycloak-config.cli-syslog': - target => "${keycloak::install_base}/config.cli", - content => epp('keycloak/config.cli/12-syslog.epp', { - 'prefix' => $config_cli_prefix, - 'syslog' => $keycloak::syslog, - 'syslog_app_name' => $keycloak::syslog_app_name, - 'syslog_facility' => $keycloak::syslog_facility, - 'syslog_hostname' => $keycloak::syslog_hostname, - 'syslog_level' => $keycloak::syslog_level, - 'syslog_port' => $keycloak::syslog_port, - 'syslog_server_address' => $keycloak::syslog_server_address, - 'syslog_format' => $keycloak::syslog_format, - }), - order => '12', - } - - if $keycloak::custom_config_content or $keycloak::custom_config_source { - concat::fragment { 'keycloak-config.cli-custom': - target => "${keycloak::install_base}/config.cli", - content => $keycloak::custom_config_content, - source => $keycloak::custom_config_source, - order => '50', - } - } - - concat::fragment { 'keycloak-config.cli-footer': - target => "${keycloak::install_base}/config.cli", - content => epp('keycloak/config.cli/99-footer.epp', {'operating_mode' => $keycloak::operating_mode}), - order => '99', - } - - exec { 'jboss-cli.sh --file=config.cli': - command => "${keycloak::install_base}/bin/jboss-cli.sh --file=config.cli", - cwd => $keycloak::install_base, - user => $keycloak::user, - group => $keycloak::group, - refreshonly => true, - logoutput => true, - notify => Class['keycloak::service'], + file { "${keycloak::install_base}/conf/keycloak.conf": + owner => $keycloak::user, + group => $keycloak::group, + mode => '0600', + show_diff => false, + content => $config_content, + source => $keycloak::custom_config_source, + notify => Class['keycloak::service'], } create_resources('keycloak::truststore::host', $keycloak::truststore_hosts) - if $keycloak::java_opts { - $java_opts_ensure = 'present' - } else { - $java_opts_ensure = 'absent' - } - - if $keycloak::java_opts =~ Array { - $java_opts = join($keycloak::java_opts, ' ') - } else { - $java_opts = $keycloak::java_opts - } - 
if $keycloak::java_opts_append { - $_java_opts = "\$JAVA_OPTS ${java_opts}" - } else { - $_java_opts = $java_opts - } - file_line { 'keycloak-JAVA_OPTS': - ensure => $java_opts_ensure, - path => $_java_opts_path, - line => "JAVA_OPTS=\"${_java_opts}\"", - match => '^JAVA_OPTS=', - notify => Class['keycloak::service'], - } - - file { $_server_conf_dir: + file { $keycloak::tmp_dir: ensure => 'directory', owner => $keycloak::user, group => $keycloak::group, - mode => '0750', + mode => '0755', } - file { "${_server_conf_dir}/profile.properties": - ensure => 'file', + file { $keycloak::providers_dir: + ensure => 'directory', owner => $keycloak::user, group => $keycloak::group, - content => template('keycloak/profile.properties.erb'), - mode => '0644', + mode => '0755', + purge => $keycloak::providers_purge, + force => $keycloak::providers_purge, + recurse => $keycloak::providers_purge, notify => Class['keycloak::service'], } - - if $::keycloak::operating_mode == 'domain' { - $_add_user_wildfly_cmd = "${keycloak::install_base}/bin/add-user.sh" - $_add_user_wildfly_args = "--user ${keycloak::wildfly_user} --password ${keycloak::wildfly_user_password} -e -s" - $_add_user_wildfly_state = "${::keycloak::install_base}/.create-wildfly-user" - - exec { 'create-wildfly-user': - command => "${_add_user_wildfly_cmd} ${_add_user_wildfly_args} && touch ${_add_user_wildfly_state}", - creates => $_add_user_wildfly_state, - notify => Class['keycloak::service'], - } - - if $keycloak::role == 'master' { - # Remove load balancer group - # Rename the server - # Set port offset to zero to run server on port 8080 - augeas { 'ensure-servername': - incl => "${keycloak::install_base}/domain/configuration/host-master.xml", - context => "/files${keycloak::install_base}/domain/configuration/host-master.xml/host/servers", - load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', - lens => 'Xml.lns', - changes => [ - 'rm server[1]', - 'rm server', - "set server/#attribute/name 
${keycloak::server_name}", - 'set server/#attribute/group auth-server-group', - 'set server/#attribute/auto-start true', - 'set server/socket-bindings/#attribute/port-offset 0', - ], - notify => Class['keycloak::service'], - } - - # Set up interface names and defaults in host-master.xml - augeas { 'ensure-interface-names-defaults-master': - incl => "${keycloak::install_base}/domain/configuration/host-master.xml", - context => "/files${keycloak::install_base}/domain/configuration/host-master.xml/host/interfaces", - load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', - lens => 'Xml.lns', - changes => [ - # lint:ignore:single_quote_string_with_variables - 'set interface[1]/#attribute/name management', - 'set interface[1]/inet-address/#attribute/value ${jboss.bind.address.management:127.0.0.1}', - 'set interface[2]/#attribute/name private', - 'set interface[2]/inet-address/#attribute/value ${jboss.bind.address.private:127.0.0.1}', - 'set interface[3]/#attribute/name public', - 'set interface[3]/inet-address/#attribute/value ${jboss.bind.address:127.0.0.1}', - # lint:endignore - ], - notify => Class['keycloak::service'], - } - - # Assing management interfaces to logical interfaces - augeas { 'assign-management-interfaces-master': - incl => "${keycloak::install_base}/domain/configuration/host-master.xml", - context => "/files${keycloak::install_base}/domain/configuration/host-master.xml/host/management/management-interfaces", - load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', - lens => 'Xml.lns', - changes => [ - # lint:ignore:single_quote_string_with_variables - 'set native-interface/#attribute/security-realm ManagementRealm', - 'set native-interface/socket/#attribute/interface management', - 'set native-interface/socket/#attribute/port ${jboss.management.native.port:9999}', - 'set http-interface/#attribute/security-realm ManagementRealm', - 'set http-interface/socket/#attribute/interface management', - 'set 
http-interface/socket/#attribute/port ${jboss.management.http.port:9990}', - # lint:endignore - ], - notify => Class['keycloak::service'], - } - } else { - # Rename the server - # Set port offset to zero, to run server in port 8080 - augeas { 'ensure-servername': - incl => "${keycloak::install_base}/domain/configuration/host-slave.xml", - context => "/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/servers", - load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', - lens => 'Xml.lns', - changes => [ - "set server/#attribute/name ${keycloak::server_name}", - 'set server/socket-bindings/#attribute/port-offset 0' - ], - notify => Class['keycloak::service'], - } - - # Set username for authentication to master - augeas { 'ensure-username': - incl => "${keycloak::install_base}/domain/configuration/host-slave.xml", - context => "/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/domain-controller/remote", - load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', - lens => 'Xml.lns', - changes => [ - "set #attribute/username ${keycloak::wildfly_user}" - ], - notify => Class['keycloak::service'], - } - - # Set secret for authentication to master - augeas { 'ensure-secret': - incl => "${keycloak::install_base}/domain/configuration/host-slave.xml", - context => "/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/management/security-realms/security-realm[1]/server-identities/secret", # lint:ignore:140chars - load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', - lens => 'Xml.lns', - changes => [ - "set #attribute/value ${keycloak::wildfly_user_password_base64}" - ], - notify => Class['keycloak::service'], - } - - # Set up interface names and default in host-slave.xml - augeas { 'ensure-interface-names-defaults-slave': - incl => "${keycloak::install_base}/domain/configuration/host-slave.xml", - context => 
"/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/interfaces", - load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', - lens => 'Xml.lns', - changes => [ - # lint:ignore:single_quote_string_with_variables - 'set interface[1]/#attribute/name management', - 'set interface[1]/inet-address/#attribute/value ${jboss.bind.address.management:127.0.0.1}', - 'set interface[2]/#attribute/name private', - 'set interface[2]/inet-address/#attribute/value ${jboss.bind.address.private:127.0.0.1}', - 'set interface[3]/#attribute/name public', - 'set interface[3]/inet-address/#attribute/value ${jboss.bind.address:127.0.0.1}', - # lint:endignore - ], - notify => Class['keycloak::service'], - } - - # Assing management interfaces to logical interfaces - augeas { 'assign-management-interaces-slave': - incl => "${keycloak::install_base}/domain/configuration/host-slave.xml", - context => "/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/management/management-interfaces", - load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', - lens => 'Xml.lns', - changes => [ - # lint:ignore:single_quote_string_with_variables - 'set native-interface/#attribute/security-realm ManagementRealm', - 'set native-interface/socket/#attribute/interface management', - 'set native-interface/socket/#attribute/port ${jboss.management.native.port:9999}', - 'set http-interface/#attribute/security-realm ManagementRealm', - 'set http-interface/socket/#attribute/interface management', - 'set http-interface/socket/#attribute/port ${jboss.management.http.port:9990}', - # lint:endignore - ], - notify => Class['keycloak::service'], - } - } - } } diff --git a/manifests/datasource/h2.pp b/manifests/datasource/h2.pp deleted file mode 100644 index f79045ec..00000000 --- a/manifests/datasource/h2.pp +++ /dev/null @@ -1,5 +0,0 @@ -# Private class. -class keycloak::datasource::h2 { - assert_private() - # Do nothing -} 
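Review bot: The new `file { "${keycloak::install_base}/conf/keycloak.conf": ... }` sets both `content => $config_content` and `source => $keycloak::custom_config_source`, and `$config_content` is never undef because it falls back to the template, so any catalog that sets `custom_config_source` should fail with Puppet's "You cannot specify more than one of content, source, target" error — the old `concat::fragment` only ever had one of the two populated. Give `custom_config_source` precedence and leave `$config_content` undef in that case, as below. Separately, the new `$keycloak::admin_env` file keeps `KEYCLOAK_ADMIN_PASSWORD` on disk in clear text for the life of the install and carries no `notify => Class['keycloak::service']` unlike the other managed config files; if that is intentional because the variables are only consumed on first start (my reading of Keycloak's bootstrap, confirm it), a comment such as `# Bootstrap credentials only: read by Keycloak on first start, so no service notify` would stop the next reader "fixing" it, and the `@param admin_user_password` entry should say the password stays in this file afterwards.
```puppet
  # A file resource may carry content OR source, not both, so only build
  # content when no custom source was supplied.
  if $keycloak::custom_config_source {
    $config_content = undef
  } elsif $keycloak::custom_config_content {
    $config_content = $keycloak::custom_config_content
  } else {
    $config_content = template('keycloak/keycloak.conf.erb')
  }
  # … unchanged: file { "${keycloak::install_base}/conf/keycloak.conf": … } …
```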
diff --git a/manifests/datasource/mysql.pp b/manifests/datasource/mysql.pp
deleted file mode 100644
index 43b4f8df..00000000
--- a/manifests/datasource/mysql.pp
+++ /dev/null
@@ -1,58 +0,0 @@
-# @summary Manage MySQL datasource
-#
-# @api private
-class keycloak::datasource::mysql {
- assert_private()
-
- $jar_source = pick($keycloak::datasource_jar_source, $keycloak::mysql_jar_source)
- $module_source = pick($keycloak::datasource_module_source, 'puppet:///modules/keycloak/database/mysql/module.xml')
- $module_dir = "${keycloak::install_base}/modules/system/layers/keycloak/com/mysql/jdbc/main"
-
- if $keycloak::datasource_package {
- ensure_packages([$keycloak::datasource_package])
- $jar_require = Package[$keycloak::datasource_package]
- } else {
- include ::mysql::bindings
- include ::mysql::bindings::java
- $jar_require = Class['::mysql::bindings::java']
- }
-
- exec { "mkdir -p ${module_dir}":
- path => '/usr/bin:/bin',
- creates => $module_dir,
- user => $keycloak::user,
- group => $keycloak::group,
- }
- -> file { $module_dir:
- ensure => 'directory',
- owner => $keycloak::user,
- group => $keycloak::group,
- mode => '0755',
- }
- file { "${$module_dir}/mysql-connector-java.jar":
- ensure => 'link',
- target => $jar_source,
- owner => $keycloak::user,
- group => $keycloak::group,
- mode => '0644',
- require => $jar_require,
- }
- file { "${$module_dir}/module.xml":
- ensure => 'file',
- source => $module_source,
- owner => $keycloak::user,
- group => $keycloak::group,
- mode => '0644',
- }
-
- if $keycloak::manage_datasource {
- mysql::db { $keycloak::datasource_dbname:
- user => $keycloak::datasource_username,
- password => $keycloak::datasource_password,
- host => $keycloak::db_host,
- grant => 'ALL',
- charset => $keycloak::mysql_database_charset,
- }
- }
-
-}
diff --git a/manifests/datasource/oracle.pp b/manifests/datasource/oracle.pp
deleted file mode 100644
index 7a0e0b02..00000000
--- a/manifests/datasource/oracle.pp
+++ /dev/null
@@ -1,50 +0,0 @@
-# @summary Manage Oracle datasource
-#
-# @api private
-#
-class keycloak::datasource::oracle {
- assert_private()
-
- $jar_filename = pick($keycloak::datasource_jar_filename, 'ojdbc8.jar')
- $module_dir = "${keycloak::install_base}/modules/system/layers/keycloak/org/oracle/main"
-
- exec { "mkdir -p ${module_dir}":
- path => '/usr/bin:/bin',
- creates => $module_dir,
- user => $keycloak::user,
- group => $keycloak::group,
- }
- -> file { $module_dir:
- ensure => 'directory',
- owner => $keycloak::user,
- group => $keycloak::group,
- mode => '0755',
- }
-
- file { "${module_dir}/${jar_filename}":
- ensure => 'file',
- source => $keycloak::datasource_jar_source,
- owner => $keycloak::user,
- group => $keycloak::group,
- mode => '0644',
- }
-
- $module_xml_defaults = {
- ensure => 'file',
- owner => $keycloak::user,
- group => $keycloak::group,
- mode => '0644',
- }
- if $keycloak::datasource_module_source {
- $module_xml_options = {
- source => $keycloak::datasource_module_source,
- }
- } else {
- $module_xml_options = {
- content => template('keycloak/database/oracle/module.xml.erb'),
- }
- }
- file { "${$module_dir}/module.xml":
- * => $module_xml_defaults + $module_xml_options,
- }
-}
diff --git a/manifests/datasource/postgresql.pp b/manifests/datasource/postgresql.pp
deleted file mode 100644
index ae19fbc4..00000000
--- a/manifests/datasource/postgresql.pp
+++ /dev/null
@@ -1,50 +0,0 @@
-# @summary Manage postgresql datasource
-#
-# @api private
-class keycloak::datasource::postgresql {
- assert_private()
-
- $jar_source = pick($keycloak::datasource_jar_source, $keycloak::postgresql_jar_source)
- $module_source = pick($keycloak::datasource_module_source, 'puppet:///modules/keycloak/database/postgresql/module.xml')
- $module_dir = "${keycloak::install_base}/modules/system/layers/keycloak/org/postgresql/main"
-
- include ::postgresql::lib::java
-
- exec { "mkdir -p ${module_dir}":
- path => '/usr/bin:/bin',
- creates => $module_dir,
- user => $keycloak::user,
- group => $keycloak::group,
- }
- -> file { $module_dir:
- ensure => 'directory',
- owner => $keycloak::user,
- group => $keycloak::group,
- mode => '0755',
- }
-
- file { "${module_dir}/postgresql-jdbc.jar":
- ensure => 'file',
- source => $jar_source,
- owner => $keycloak::user,
- group => $keycloak::group,
- mode => '0644',
- require => Class['postgresql::lib::java'],
- }
-
- file { "${$module_dir}/module.xml":
- ensure => 'file',
- source => $module_source,
- owner => $keycloak::user,
- group => $keycloak::group,
- mode => '0644',
- }
-
- if $keycloak::manage_datasource {
- include ::postgresql::server
- postgresql::server::db { $keycloak::datasource_dbname:
- user => $keycloak::datasource_username,
- password => postgresql::postgresql_password($keycloak::datasource_username, $keycloak::datasource_password),
- }
- }
-}
diff --git a/manifests/db/mariadb.pp b/manifests/db/mariadb.pp
new file mode 100644
index 00000000..9b6dd0e7
--- /dev/null
+++ b/manifests/db/mariadb.pp
@@ -0,0 +1,8 @@
+# @summary Manage MySQL DB
+#
+# @api private
+class keycloak::db::mariadb {
+ assert_private()
+
+ contain 'keycloak::db::mysql'
+}
diff --git a/manifests/db/mysql.pp b/manifests/db/mysql.pp
new file mode 100644
index 00000000..b5043c6b
--- /dev/null
+++ b/manifests/db/mysql.pp
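Review bot: `@summary Manage MySQL DB` on `class keycloak::db::mariadb` is copied from the mysql class and says nothing about what this class is for, so the generated reference will show two identical summaries. Change it to `# @summary Manage MariaDB DB (delegates to keycloak::db::mysql)` so the delegation is visible without opening the file.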
@@ -0,0 +1,21 @@
+# @summary Manage MySQL DB
+#
+# @api private
+class keycloak::db::mysql {
+ assert_private()
+
+ if $keycloak::manage_db_server {
+ contain mysql::server
+ }
+
+ if $keycloak::manage_db {
+ mysql::db { $keycloak::db_url_database:
+ user => $keycloak::db_username,
+ password => $keycloak::db_password,
+ host => $keycloak::db_url_host,
+ grant => 'ALL',
+ charset => $keycloak::db_charset,
+ }
+ }
+
+}
diff --git a/manifests/db/postgres.pp b/manifests/db/postgres.pp
new file mode 100644
index 00000000..5f3fd800
--- /dev/null
+++ b/manifests/db/postgres.pp
@@ -0,0 +1,18 @@
+# @summary Manage postgres DB
+#
+# @api private
+class keycloak::db::postgres {
+ assert_private()
+
+ if $keycloak::manage_db_server {
+ contain postgresql::server
+ }
+
+ if $keycloak::manage_db {
+ postgresql::server::db { $keycloak::db_url_database:
+ user => $keycloak::db_username,
+ password => postgresql::postgresql_password($keycloak::db_username, $keycloak::db_password),
+ encoding => 'UTF8',
+ }
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index 0f1d644d..f7425cad 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
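Review bot: `host => $keycloak::db_url_host` in the `mysql::db` resource feeds the database *server* address into what `mysql::db` treats as the grant host — the host the `keycloak` user connects from. With the default of undef this presumably falls back to `localhost` and works for a co-located database, but once `db_url_host` is set to an FQDN or a remote address the grant becomes `'keycloak'@'<db host>'` and the application host may never match it; either document in `@param db_url_host` that `manage_db` is only meaningful for a local database or introduce a separate grant-host parameter. `grant => 'ALL'` on the single database is defensible because Keycloak runs its own schema migrations, but a comment such as `# schema migrations need DDL on the Keycloak database, hence ALL on this one database only` would tell reviewers the breadth is deliberate.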
@@ -16,6 +16,19 @@ # @param install_dir # The directory of where to install Keycloak. # Default is `/opt/keycloak-${version}`. +# @param java_declare_method +# How to declare the Java class within this module +# The `include` value only includes the java class +# The `class` method defines the Java class and passes necessary parameters +# For RedHat base systems this defaults to `class`, other OSes default to `include` +# @param java_package +# Java package name, only used when `java_declare_method` is `class` +# @param java_home +# Java home path, only used when `java_declare_method` is `class` +# @param java_alternative_path +# Java alternative path, only used when `java_declare_method` is `class` +# @param java_alternative +# Java alternative, only used when `java_declare_method` is `class` # @param service_name # Keycloak service name. # Default is `keycloak`. 
@@ -25,24 +38,26 @@ # @param service_enable # Keycloak service enable property. # Default is `true`. -# @param service_hasstatus -# Keycloak service hasstatus parameter. -# Default is `true`. -# @param service_hasrestart -# Keycloak service hasrestart parameter. -# Default is `true`. -# @param service_bind_address -# Bind address for Keycloak service. -# Default is '0.0.0.0'. -# @param management_bind_address -# Bind address for Keycloak management. -# Default is '0.0.0.0'. # @param java_opts # Sets additional options to Java virtual machine environment variable. -# @param java_opts_append -# Determine if $JAVA_OPTS should be appended to when setting `java_opts` parameter +# @param start_command +# The start command to use to run Keycloak # @param service_extra_opts # Additional options added to the end of the service command-line. +# @param service_environment_file +# Path to the file with environment variables for the systemd service +# @param configs +# Define additional configs for keycloak.conf +# @param hostname +# hostname to set in keycloak.conf +# @param http_enabled +# Whether to enable HTTP +# @param http_host +# HTTP host +# @param http_port +# HTTP port +# @param https_port +# HTTPS port # @param manage_user # Defines if the module should manage the Linux user for Keycloak installation # @param user 
@@ -68,56 +83,30 @@ # @param admin_user_password # Keycloak administrative user password. # Default is `changeme`. -# @param wildfly_user -# Wildfly user. Required for domain mode. -# @param wildfly_user_password -# Wildfly user password. Required for domain mode. -# @param manage_datasource -# Boolean that determines if configured datasource will be managed. -# Default is `true`. -# @param datasource_driver -# Datasource driver to use for Keycloak. -# Valid values are `h2`, `mysql`, 'oracle' and 'postgresql' -# Default is `h2`. -# @param datasource_host -# Datasource host. -# Only used when datasource_driver is `mysql`, 'oracle' or 'postgresql' -# Default is `localhost` for MySQL. -# @param datasource_port -# Datasource port. -# Only used when datasource_driver is `mysql`, 'oracle' or 'postgresql' -# Default is `3306` for MySQL. -# @param datasource_url -# Datasource url. -# Default datasource URLs are defined in init class. -# @param datasource_dbname -# Datasource database name. -# Default is `keycloak`. -# @param datasource_username -# Datasource user name. -# Default is `sa`. -# @param datasource_password -# Datasource user password. -# Default is `sa`. -# @param datasource_package -# Package to add specified datasource support -# @param datasource_jar_source -# Source for datasource JDBC driver - could be puppet link or local file on the node. -# Default is dependent on value for `datasource_driver`. -# This parameter is required if `datasource_driver` is `oracle`. -# @param datasource_jar_filename -# Specify the filename of the destination datasource jar in the module dir of keycloak. -# This parameter is only working at the moment if `datasource_driver` is `oracle`. -# @param datasource_module_source -# Source for datasource module.xml. Default depends on `datasource_driver`. 
-# @param datasource_xa_class -# MySQL Connector/J JDBC driver xa-datasource class name -# @param mysql_database_charset -# MySQL database charset -# @param proxy_https -# Boolean that sets if HTTPS proxy should be enabled. -# Set to `true` if proxying traffic through Apache. -# Default is `false`. +# @param manage_db +# Boolean that determines if configured database will be managed. +# @param manage_db_server +# Include the DB server class for postgres, mariadb or mysql +# @param db +# Database driver to use for Keycloak. +# @param db_url_host +# Database host. +# @param db_url_port +# Database port. +# @param db_url +# Database url. +# @param db_url_database +# Database name. +# @param db_username +# Database user name. +# @param db_password +# Database user password. +# @param db_charset +# MySQL and MariaDB database charset +# @param features +# Keycloak features to enable +# @param features_disabled +# Keycloak features to disable # @param truststore # Boolean that sets if truststore should be used. # Default is `false`. @@ -127,21 +116,8 @@ # @param truststore_password # Truststore password. # Default is `keycloak`. -# @param truststore_hostname_verification_policy -# Valid values are `WILDCARD`, `STRICT`, and `ANY`. -# Default is `WILDCARD`. -# @param http_port -# HTTP port used by Keycloak. -# Default is `8080`. -# @param theme_static_max_age -# Max cache age in seconds of static content. -# Default is `2592000`. -# @param theme_cache_themes -# Boolean that sets if themes should be cached. -# Default is `true`. -# @param theme_cache_templates -# Boolean that sets if templates should be cached. -# Default is `true`. +# @param proxy +# Type of proxy to use for Keycloak # @param realms # Hash that is used to define keycloak_realm resources. # Default is `{}`. 
@@ -213,74 +189,41 @@ # user_attributes to define for SSSD ifp service # @param restart_sssd # Boolean that determines if SSSD should be restarted -# @param service_environment_file -# Path to the file with environment variables for the systemd service -# @param operating_mode -# Keycloak operating mode deployment -# @param enable_jdbc_ping -# Use JDBC_PING to discover the nodes and manage the replication of data -# More info: http://jgroups.org/manual/#_jdbc_ping -# Only applies when `operating_mode` is either `clustered` or `domain` -# JDBC_PING uses port 7600 to ensure cluster members are discoverable by each other -# This module does not manage firewall changes -# @param jboss_bind_public_address -# JBoss bind public IP address -# @param jboss_bind_private_address -# JBoss bind private IP address -# @param role -# Role when operating mode is domain. -# @param user_cache -# Boolean that determines if userCache is enabled -# @param tech_preview_features -# List of technology Preview features to enable -# @param auto_deploy_exploded -# Set if exploded deployements will be auto deployed -# @param auto_deploy_zipped -# Set if zipped deployments will be auto deployed # @param spi_deployments # Hash used to define keycloak::spi_deployment resources +# @param providers_purge +# Purge the providers directory of unmanaged SPIs # @param custom_config_content -# Custom configuration content to be added to config.cli +# Custom configuration content to be added to keycloak.conf # @param custom_config_source -# Custom configuration source file to be added to config.cli -# @param master_address -# IP address of the master in domain mode -# @param server_name -# Server name in domain mode. Defaults to hostname. -# @param syslog -# Enable syslog. Default false. -# @param syslog_app_name -# Syslog app name. Default 'keycloak'. -# @param syslog_facility -# Syslog facility. Default 'user-level'. 
See https://docs.jboss.org/author/display/AS72/Logging%20Configuration.html -# @param syslog_hostname -# Syslog hostname of the server. Default $facts['fqdn']. -# @param syslog_level -# Syslog level. Default 'INFO'. See https://docs.jboss.org/author/display/AS72/Logging%20Configuration.html -# @param syslog_port -# The port the syslog server is listening on. Default '514'. -# @param syslog_server_address -# The address of the syslog server. Default 'localhost'. -# @param syslog_format -# Syslog format. Either 'RFC3164' or 'RFC5424' Default 'RFC3164'. -# @param auth_url_path -# The URL path for /auth +# Custom configuration source file to be added to keycloak.conf +# @param validator_test_url +# The URL path for validator testing +# Only necessary to set if the URL path to Keycloak is modified class keycloak ( Boolean $manage_install = true, - String $version = '12.0.4', + String $version = '18.0.0', Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]] $package_url = undef, Optional[Stdlib::Absolutepath] $install_dir = undef, + Enum['include','class'] $java_declare_method = 'class', + String[1] $java_package = 'java-11-openjdk-devel', + Stdlib::Absolutepath $java_home = '/usr/lib/jvm/java-11-openjdk', + Stdlib::Absolutepath $java_alternative_path = '/usr/lib/jvm/java-11-openjdk/bin/java', + String[1] $java_alternative = '/usr/lib/jvm/java-11-openjdk/bin/java', String $service_name = 'keycloak', String $service_ensure = 'running', Boolean $service_enable = true, - Boolean $service_hasstatus = true, - Boolean $service_hasrestart = true, - Stdlib::IP::Address $service_bind_address = '0.0.0.0', - Stdlib::IP::Address $management_bind_address = '0.0.0.0', Optional[Variant[String, Array]] $java_opts = undef, - Boolean $java_opts_append = true, + Enum['start','start-dev'] $start_command = 'start', Optional[String] $service_extra_opts = undef, + Optional[Stdlib::Absolutepath] $service_environment_file = undef, + Keycloak::Configs $configs = {}, + Stdlib::Host $hostname = 
$facts['networking']['fqdn'], + Boolean $http_enabled = true, + Stdlib::IP::Address $http_host = '0.0.0.0', + Stdlib::Port $http_port = 8080, + Stdlib::Port $https_port = 8443, Boolean $manage_user = true, String $user = 'keycloak', Stdlib::Absolutepath $user_shell = '/sbin/nologin', 
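Review bot: The new `@param http_enabled`, `http_host` and `http_port` entries are one-word descriptions ('Whether to enable HTTP', 'HTTP host') that do not tell the reader the defaults (`true`, `0.0.0.0`, `8080`) publish a plaintext listener on every interface, nor how this interacts with `proxy` and the production `start` command. Expand `http_enabled` to something like `# Whether Keycloak listens for plain HTTP on http_host:http_port. Keep it enabled only behind a TLS-terminating proxy (see proxy) or for development; the admin console otherwise travels in clear text.` — the proxy interaction is my understanding of Keycloak's Quarkus configuration, so confirm it against the upstream docs before committing the wording. `start_command` would likewise benefit from a sentence on what `start` enforces compared to `start-dev`.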
@@ -290,31 +233,22 @@ Optional[Integer] $group_gid = undef, String $admin_user = 'admin', String $admin_user_password = 'changeme', - Optional[String] $wildfly_user = undef, - Optional[String] $wildfly_user_password = undef, - Boolean $manage_datasource = true, - Enum['h2', 'mysql', 'oracle', 'postgresql'] $datasource_driver = 'h2', - Optional[String] $datasource_host = undef, - Optional[Integer] $datasource_port = undef, - Optional[String] $datasource_url = undef, - Optional[String] $datasource_xa_class = undef, - String $datasource_dbname = 'keycloak', - String $datasource_username = 'sa', - String $datasource_password = 'sa', - Optional[String] $datasource_package = undef, - Optional[String] $datasource_jar_source = undef, - Optional[String] $datasource_jar_filename = undef, - Optional[String] $datasource_module_source = undef, - String $mysql_database_charset = 'utf8', - Boolean $proxy_https = false, + Boolean $manage_db = true, + Boolean $manage_db_server = true, + Enum['dev-file', 'dev-mem', 'mariadb', 'mysql', 'oracle', 'postgres'] $db = 'dev-file', + Optional[Stdlib::Host] $db_url_host = undef, + Optional[Stdlib::Port] $db_url_port = undef, + Optional[String[1]] $db_url = undef, + String[1] $db_url_database = 'keycloak', + String[1] $db_username = 'keycloak', + String[1] $db_password = 'changeme', + String $db_charset = 'utf8', + Optional[Array[String[1]]] $features = undef, + Optional[Array[String[1]]] $features_disabled = undef, Boolean $truststore = false, Hash $truststore_hosts = {}, String $truststore_password = 'keycloak', - Enum['WILDCARD', 'STRICT', 'ANY'] $truststore_hostname_verification_policy = 'WILDCARD', - Integer $http_port = 8080, - Integer $theme_static_max_age = 2592000, - Boolean $theme_cache_themes = true, - Boolean $theme_cache_templates = true, + Enum['edge','reencrypt','passthrough','none'] $proxy = 'none', Hash $realms = {}, Boolean $realms_merge = false, Hash $oidc_client_scopes = {}, 
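Review bot: `String[1] $db_password = 'changeme'` ships a guessable default credential that, via the `db-password` entry of `$default_config` later in this file, is rendered into keycloak.conf and, when `manage_db` is true, presumably also used to create the database role, so a deployment that only switches `db` to `postgres`/`mysql` without overriding it gets a production IdP database protected by a documented password. Because the type is a plain `String[1]` (likewise `$admin_user_password` and `$truststore_password`), the value also travels in clear through catalogs, reports and `puppet resource` output. Consider `Variant[String[1], Sensitive[String[1]]] $db_password = 'changeme'`, unwrapping only where the file content is rendered, and state in the @param doc that the default must be overridden for anything other than `dev-file`/`dev-mem`. The class parameter list continues outside this hunk on both sides.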
@@ -350,154 +284,110 @@ Boolean $manage_sssd_config = true, Array $sssd_ifp_user_attributes = [], Boolean $restart_sssd = true, - Optional[Stdlib::Absolutepath] $service_environment_file = undef, - Enum['standalone', 'clustered', 'domain'] $operating_mode = 'standalone', - Boolean $enable_jdbc_ping = false, - Stdlib::IP::Address $jboss_bind_public_address = $facts['networking']['ip'], - Stdlib::IP::Address $jboss_bind_private_address = $facts['networking']['ip'], - Optional[Enum['master', 'slave']] $role = undef, - Boolean $user_cache = true, - Array $tech_preview_features = [], - Boolean $auto_deploy_exploded = false, - Boolean $auto_deploy_zipped = true, Hash $spi_deployments = {}, + Boolean $providers_purge = true, Optional[String] $custom_config_content = undef, Optional[Variant[String, Array]] $custom_config_source = undef, - Optional[Stdlib::Host] $master_address = undef, - String $server_name = $facts['hostname'], - Boolean $syslog = false, - String $syslog_app_name = 'keycloak', - String $syslog_facility = 'user-level', - Stdlib::Host $syslog_hostname = $facts['fqdn'], - String $syslog_level = 'INFO', - Stdlib::Port $syslog_port = 514, - Stdlib::Host $syslog_server_address = 'localhost', - Enum['RFC3164', 'RFC5424'] $syslog_format = 'RFC3164', - String $auth_url_path = '/auth', + String $validator_test_url = '/realms/master/.well-known/openid-configuration', ) { if ! ($facts['os']['family'] in ['RedHat','Debian']) { fail("Unsupported osfamily: ${facts['os']['family']}, module ${module_name} only support osfamilies Debian and Redhat") } - if $role and ! ($operating_mode == 'domain') { - fail('Role can only be specified in domain operating mode') - } - - if $operating_mode == 'domain' { - unless $role { - fail("Role not specified: in domain mode role needs to be specified. 
This needs to be either 'master' or 'slave'.") - } - unless $wildfly_user { - fail('Wildfly user not specified: in domain mode Wildfly user needs to be specified.') - } - unless $wildfly_user_password { - fail('Wildfly user password not specified: in domain, mode Wildfly user password needs to be specified.') - } - - if $role == 'slave' and ! $master_address { - fail('Master address not specified: in domain mode, master address needs to be specified for a slave.') - } + $download_url = pick($package_url, "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.tar.gz") - if $datasource_driver == 'h2' { - fail("Invalid datasource driver for domain mode: ${datasource_driver}") - } + $install_base = pick($install_dir, "/opt/keycloak-${keycloak::version}") + $admin_env = "${install_base}/conf/admin.env" + $truststore_file = "${install_base}/conf/truststore.jks" + $tmp_dir = "${install_base}/tmp" + $providers_dir = "${install_base}/providers" - $wildfly_user_password_base64 = strip(base64('encode', $wildfly_user_password)) + $default_config = { + 'hostname' => $hostname, + 'http-enabled' => $http_enabled, + 'http-host' => $http_host, + 'http-port' => $http_port, + 'https-port' => $https_port, + 'db' => $db, + 'db-url-host' => $db_url_host, + 'db-url-port' => $db_url_port, + 'db-url' => $db_url, + 'db-url-database' => $db_url_database, + 'db-username' => $db_username, + 'db-password' => $db_password, + 'features' => $features, + 'features-disabled' => $features_disabled, + 'proxy' => $proxy, } - - if versioncmp($version, '12.0.0') >= 0 { - $download_url = pick($package_url, "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.tar.gz") + if $truststore { + $truststore_configs = { + 'https-trust-store-file' => $truststore_file, + 'https-trust-store-password' => $truststore_password, + } } else { - $download_url = pick($package_url, "https://downloads.jboss.org/keycloak/${version}/keycloak-${version}.tar.gz") - 
} - case $datasource_driver { - 'h2': { - $datasource_connection_url = pick($datasource_url, "jdbc:h2:\${jboss.server.data.dir}/${datasource_dbname};AUTO_SERVER=TRUE") - } - 'mysql': { - $db_host = pick($datasource_host, 'localhost') - $db_port = pick($datasource_port, 3306) - $datasource_connection_url = pick($datasource_url, "jdbc:mysql://${db_host}:${db_port}/${datasource_dbname}") - } - 'oracle': { - $db_host = pick($datasource_host, 'localhost') - $db_port = pick($datasource_port, 1521) - $datasource_connection_url = pick($datasource_url, "jdbc:oracle:thin:@${db_host}:${db_port}:${datasource_dbname}") - } - 'postgresql': { - $db_host = pick($datasource_host, 'localhost') - $db_port = pick($datasource_port, 5432) - $datasource_connection_url = pick($datasource_url, "jdbc:postgresql://${db_host}:${db_port}/${datasource_dbname}") - } - default: {} + $truststore_configs = {} } + $config = $default_config + $truststore_configs + $configs - if ($datasource_driver == 'oracle') and ($datasource_jar_source == undef) { - fail('Using Oracle RDBMS requires definition datasource_jar_source for Oracle JDBC driver. 
Refer to module documentation') + if $config['http-enabled'] { + $wrapper_protocol = 'http' + $wrapper_port = $config['http-port'] + $validator_port = $config['http-port'] + $validator_ssl = false + if $config['http-host'] in ['0.0.0.0', '127.0.0.1'] { + $wrapper_address = 'localhost' + $validator_server = 'localhost' + } else { + $wrapper_address = $config['http-host'] + $validator_server = $config['http-host'] + } + } else { + $wrapper_protocol = 'https' + $wrapper_port = $config['https-port'] + $wrapper_address = $config['hostname'] + $validator_port = $config['https-port'] + $validator_server = $config['hostname'] + $validator_ssl = true } + $wrapper_server = "${wrapper_protocol}://${wrapper_address}:${wrapper_port}" - case $facts['os']['family'] { - 'RedHat': { - if versioncmp($facts['os']['release']['major'], '8') >= 0 { - $mysql_datasource_class = pick($datasource_xa_class, 'org.mariadb.jdbc.MariaDbDataSource') - $mysql_jar_source = '/usr/lib/java/mariadb-java-client.jar' - $postgresql_jar_source = '/usr/share/java/postgresql-jdbc/postgresql.jar' - } else { - $mysql_datasource_class = pick($datasource_xa_class, 'com.mysql.jdbc.jdbc2.optional.MysqlXADataSource') - $mysql_jar_source = '/usr/share/java/mysql-connector-java.jar' - $postgresql_jar_source = '/usr/share/java/postgresql-jdbc.jar' - } - } - 'Debian': { - if ($facts['os']['name'] == 'Debian' and versioncmp($facts['os']['release']['major'], '10') >= 0) or - ($facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['major'], '20.04') >= 0) { - $mysql_datasource_class = pick($datasource_xa_class, 'org.mariadb.jdbc.MariaDbDataSource') - $mysql_jar_source = '/usr/share/java/mariadb-java-client.jar' - } else { - $mysql_datasource_class = pick($datasource_xa_class, 'com.mysql.jdbc.jdbc2.optional.MysqlXADataSource') - $mysql_jar_source = '/usr/share/java/mysql-connector-java.jar' - } - $postgresql_jar_source = '/usr/share/java/postgresql.jar' - } - default: { - # do nothing + if 
$java_declare_method == 'include' { + contain java + } else { + class { 'java': + package => $java_package, + java_home => $java_home, + java_alternative_path => $java_alternative_path, + java_alternative => $java_alternative, } } - $install_base = pick($install_dir, "/opt/keycloak-${keycloak::version}") - - include ::java contain 'keycloak::install' - contain "keycloak::datasource::${datasource_driver}" contain 'keycloak::config' contain 'keycloak::service' - Class['::java'] + Class['java'] -> Class['keycloak::install'] - -> Class["keycloak::datasource::${datasource_driver}"] -> Class['keycloak::config'] -> Class['keycloak::service'] - Class["keycloak::datasource::${datasource_driver}"]~>Class['keycloak::service'] + if $db in ['mysql','mariadb','postgres'] { + contain "keycloak::db::${db}" + Class["keycloak::db::${db}"]~>Class['keycloak::service'] + } if $with_sssd_support { contain 'keycloak::sssd' Class['keycloak::sssd'] ~> Class['keycloak::service'] } - if $service_bind_address == '0.0.0.0' { - $validator_keycloak_server = '127.0.0.1' - } else { - $validator_keycloak_server = $service_bind_address - } - keycloak_conn_validator { 'keycloak': - keycloak_server => $validator_keycloak_server, - keycloak_port => $http_port, - use_ssl => false, + keycloak_server => $validator_server, + keycloak_port => $validator_port, + use_ssl => $validator_ssl, timeout => 60, - test_url => "${auth_url_path}/realms/master/.well-known/openid-configuration", + test_url => $validator_test_url, require => Class['keycloak::service'], } diff --git a/manifests/service.pp b/manifests/service.pp index 9b1bccbb..d8074944 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -11,8 +11,8 @@ ensure => $keycloak::service_ensure, enable => $keycloak::service_enable, name => $keycloak::service_name, - hasstatus => $keycloak::service_hasstatus, - hasrestart => $keycloak::service_hasrestart, + hasstatus => true, + hasrestart => true, } } 
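Review bot: `$download_url = pick($package_url, "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.tar.gz")` identifies the artifact by version string only; nothing in this hunk carries a digest alongside it, so unless `keycloak::install` (not in this hunk) verifies one, a replaced or tampered release asset is unpacked and started as the identity provider without detection. Consider adding `Optional[String[1]] $package_checksum = undef` and `Enum['sha256','sha512'] $package_checksum_type = 'sha256'` to the class and passing them through to the archive resource in `keycloak::install`, so the README can document the upstream-published digest for the default `$version`. A secondary point: the loopback test `if $config['http-host'] in ['0.0.0.0', '127.0.0.1']` does not recognise `::` or `::1`, so an IPv6 wildcard bind makes the validator connect to `::` instead of localhost. The class body continues past the end of the hunk.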
diff --git a/manifests/spi_deployment.pp b/manifests/spi_deployment.pp index 7e5a7b99..897d3bbc 100644 --- a/manifests/spi_deployment.pp +++ b/manifests/spi_deployment.pp @@ -47,12 +47,9 @@ ) { include keycloak - $dir = "${keycloak::install_base}/standalone/deployments" $basename = basename($source) - $dest = "${dir}/${deployed_name}" - $tmp = "${keycloak::install_base}/tmp/${basename}" - $dodeploy = "${dest}.dodeploy" - $deployed = "${dest}.deployed" + $dest = "${keycloak::providers_dir}/${deployed_name}" + $tmp = "${keycloak::tmp_dir}/${basename}" if $ensure == 'present' { if $source =~ Stdlib::HTTPUrl or $source =~ Stdlib::HTTPSUrl { @@ -66,7 +63,7 @@ cleanup => false, user => $keycloak::user, group => $keycloak::group, - require => File["${keycloak::install_base}/tmp"], + require => File[$keycloak::tmp_dir], before => File[$dest], } } else { @@ -79,14 +76,7 @@ group => $keycloak::group, mode => '0644', require => Class['keycloak::install'], - notify => Exec["${name}-dodeploy"], - } - exec { "${name}-dodeploy": - path => '/usr/bin:/bin:/usr/sbin:/sbin', - command => "touch ${dodeploy}", - refreshonly => true, - user => $keycloak::user, - group => $keycloak::group, + notify => Class['keycloak::service'], } if $test_url and $test_key and $test_value { @@ -96,13 +86,13 @@ test_value => $test_value, realm => $test_realm, dependent_resources => $test_before, - require => Exec["${name}-dodeploy"], + require => Class['keycloak::service'], } } } if $ensure == 'absent' { - file { $deployed: + file { $dest: ensure => 'absent', } } diff --git a/manifests/truststore/host.pp b/manifests/truststore/host.pp index a5e20e3a..6f838220 100644 --- a/manifests/truststore/host.pp +++ b/manifests/truststore/host.pp 
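Review bot: The `ensure == 'absent'` branch now removes `$dest` from `providers/` but, unlike the present branch a few lines up that carries `notify => Class['keycloak::service']`, it does not restart Keycloak, so a withdrawn provider (for example an authenticator pulled because it is broken or vulnerable) stays loaded in the running JVM until some unrelated change bounces the service. Add the notify to the removal as well: `file { $dest: ensure => 'absent', notify => Class['keycloak::service'], }`. The defined type's parameter list and the header of the archive resource lie outside the visible hunks.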
@@ -17,18 +17,13 @@ include keycloak - if $keycloak::operating_mode == 'domain' { - $_path = "${keycloak::install_base}/domain/configuration/truststore.jks" - } else { - $_path = "${keycloak::install_base}/standalone/configuration/truststore.jks" - } - java_ks { $name: ensure => $ensure, certificate => $certificate, - target => $_path, + target => $keycloak::truststore_file, password => $keycloak::truststore_password, trustcacerts => true, + require => Class['keycloak::install'], notify => Class['keycloak::service'], } diff --git a/metadata.json b/metadata.json index 2990274f..c4914292 100644 --- a/metadata.json +++ b/metadata.json @@ -14,28 +14,20 @@ }, { "name": "puppetlabs/mysql", - "version_requirement": ">= 10.3.0 <13.0.0" + "version_requirement": ">= 11.1.0 <13.0.0" }, { "name": "puppetlabs/postgresql", - "version_requirement": ">= 6.6.0 <9.0.0" + "version_requirement": ">= 7.4.0 <9.0.0" }, { "name": "puppetlabs/java", - "version_requirement": ">= 7.3.0 <8.0.0" + "version_requirement": ">= 7.3.0 <9.0.0" }, { "name": "puppetlabs/java_ks", "version_requirement": ">= 1.0.0 <5.0.0" }, - { - "name": "puppetlabs/augeas_core", - "version_requirement": ">= 1.0.0 <2.0.0" - }, - { - "name": "puppetlabs/yumrepo_core", - "version_requirement": ">= 1.0.0 <2.0.0" - }, { "name": "puppet/archive", "version_requirement": ">= 0.5.1 <7.0.0" @@ -68,7 +60,6 @@ { "operatingsystem": "Debian", "operatingsystemrelease": [ - "9", "10", "11" ] @@ -89,5 +80,5 @@ ], "pdk-version": "2.1.0", "template-url": "https://github.com/treydock/pdk-templates.git#master", - "template-ref": "heads/master-0-g6c46c75" + "template-ref": "heads/master-0-g3ff6177" } diff --git a/spec/acceptance/10_required_action_spec.rb b/spec/acceptance/10_required_action_spec.rb index 2d1642e4..b03a8f13 100644 --- a/spec/acceptance/10_required_action_spec.rb +++ b/spec/acceptance/10_required_action_spec.rb 
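Review bot: `java_ks { $name: ... target => $keycloak::truststore_file ...}` adds the certificate to `conf/truststore.jks` regardless of `$keycloak::truststore`, yet init.pp only emits `https-trust-store-file`/`https-trust-store-password` into the config when that flag is true, so with the default `truststore => false` the certificate lands in a store Keycloak presumably never loads and outbound TLS to LDAP or identity providers silently keeps validating against whatever the JVM default store holds. Make the mismatch loud before the `java_ks` declaration: `unless $keycloak::truststore { fail("keycloak::truststore::host ${name} requires keycloak::truststore => true") }`. It is also worth a line in the type's docs that the store is protected only by the shared `$keycloak::truststore_password` default `'keycloak'`, which is tolerable for a trust-only store but should not be reused elsewhere. The defined type's parameters are outside the hunk.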
@@ -4,10 +4,7 @@ context 'creates required action' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } -> keycloak_realm { 'test': ensure => 'present' } @@ -46,10 +43,7 @@ class { 'keycloak': context 'updates required action' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } -> keycloak_realm { 'test': ensure => 'present' } @@ -79,10 +73,7 @@ class { 'keycloak': context 'ensure => absent' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } -> keycloak_required_action { 'custom-alias on test': ensure => 'absent' } diff --git a/spec/acceptance/11_role_mapping_spec.rb b/spec/acceptance/11_role_mapping_spec.rb index 1ed9c1f6..ac1130ba 100644 --- a/spec/acceptance/11_role_mapping_spec.rb +++ b/spec/acceptance/11_role_mapping_spec.rb @@ -4,10 +4,7 @@ context 'removes role mappings for admin' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_role_mapping { 'admin': realm => 'master', name => 'admin', @@ -33,10 +30,7 @@ class { 'keycloak': context 'adds role mappings for admin' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_role_mapping { 'admin': realm => 'master', name => 'admin', @@ -66,10 +60,7 @@ class { 'keycloak': it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_role_mapping { 'testgroup': realm => 'master', name => 'testgroup', diff --git a/spec/acceptance/1_class_spec.rb b/spec/acceptance/1_class_spec.rb index 19f00c6f..495afe0d 100644 
--- a/spec/acceptance/1_class_spec.rb +++ b/spec/acceptance/1_class_spec.rb @@ -1,10 +1,10 @@ require 'spec_helper_acceptance' -describe 'keycloak class:', unless: RSpec.configuration.keycloak_domain_mode_cluster do +describe 'keycloak class:', unless: RSpec.configuration.keycloak_full do context 'default parameters' do it 'runs successfully' do pp = <<-EOS - class { 'keycloak': } + class { 'keycloak': db => 'dev-file' } EOS apply_manifest(pp, catch_failures: true) @@ -21,58 +21,10 @@ class { 'keycloak': } end end - context 'default with clustered mode enable' do - it 'runs successfully' do - pp = <<-EOS - class { 'keycloak': - operating_mode => 'clustered', - } - EOS - - apply_manifest(pp, catch_failures: true) - apply_manifest(pp, catch_changes: true) - end - - describe service('keycloak') do - it { is_expected.to be_enabled } - it { is_expected.to be_running } - end - end - - context 'default with mysql datasource' do + context 'default with mysql/mariadb db' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } - EOS - - apply_manifest(pp, catch_failures: true) - apply_manifest(pp, catch_changes: true) - end - - describe service('keycloak') do - it { is_expected.to be_enabled } - it { is_expected.to be_running } - end - - describe port(8080) do - it { is_expected.to be_listening.on('0.0.0.0').with('tcp') } - end - - describe port(9990) do - it { is_expected.to be_listening.on('127.0.0.1').with('tcp') } - end - end - - context 'default with postgresql datasource' do - it 'runs successfully' do - pp = <<-EOS - include postgresql::server - class { 'keycloak': - datasource_driver => 'postgresql', - } + class { 'keycloak': } EOS apply_manifest(pp, catch_failures: true) 
@@ -85,24 +37,15 @@ class { 'keycloak': end describe port(8080) do - it { is_expected.to be_listening.on('0.0.0.0').with('tcp') } - end - - describe port(9990) do it { is_expected.to be_listening.on('127.0.0.1').with('tcp') } end end - context 'default with JDBC_PING, clustered mode and postgresql datasource' do + context 'default with postgresql db' do it 'runs successfully' do pp = <<-EOS - include postgresql::server class { 'keycloak': - datasource_driver => 'postgresql', - operating_mode => 'clustered', - enable_jdbc_ping => true, - jboss_bind_private_address => '0.0.0.0', - jboss_bind_public_address => '0.0.0.0', + db => 'postgres', } EOS @@ -116,27 +59,18 @@ class { 'keycloak': end describe port(8080) do - it { is_expected.to be_listening.on('0.0.0.0').with('tcp') } - end - - describe port(9990) do it { is_expected.to be_listening.on('127.0.0.1').with('tcp') } end - - describe port(7600) do - it { is_expected.to be_listening.on('0.0.0.0').with('tcp') } - end end context 'changes to defaults' do it 'runs successfully' do pp = <<-EOS - include mysql::server class { 'keycloak': - datasource_driver => 'mysql', - proxy_https => true, - java_opts => '-Xmx512m -Xms64m', - syslog => true, + java_opts => '-Xmx512m -Xms64m', + configs => { + 'metrics-enabled' => true, + }, } EOS @@ -150,10 +84,6 @@ class { 'keycloak': end describe port(8080) do - it { is_expected.to be_listening.on('0.0.0.0').with('tcp') } - end - - describe port(9990) do it { is_expected.to be_listening.on('127.0.0.1').with('tcp') } end end @@ -161,10 +91,7 @@ class { 'keycloak': context 'reset to defaults' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } EOS apply_manifest(pp, catch_failures: true) 
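Review bot: The `changes to defaults` case sets `configs => { 'metrics-enabled' => true }` but no assertion in the hunk touches the metrics endpoint, so the test only proves the key can be written into keycloak.conf, not that the `configs` hash actually reaches the running server. Add a probe next to the port check, for example `describe command('curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:8080/metrics') do its(:stdout) { is_expected.to eq('200') } end`, and a mirror in the `reset to defaults` case expecting 404 so the override is shown to be removed again. The port assertions here check `127.0.0.1` while the class default `http_host` is `0.0.0.0`; if the acceptance hiera pins the bind to loopback, the default all-interfaces plain-HTTP path is never exercised by this suite.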
@@ -177,10 +104,6 @@ class { 'keycloak': end describe port(8080) do - it { is_expected.to be_listening.on('0.0.0.0').with('tcp') } - end - - describe port(9990) do it { is_expected.to be_listening.on('127.0.0.1').with('tcp') } end end diff --git a/spec/acceptance/1_domain_mode_cluster_spec.rb b/spec/acceptance/1_domain_mode_cluster_spec.rb deleted file mode 100644 index c43e1b7c..00000000 --- a/spec/acceptance/1_domain_mode_cluster_spec.rb +++ /dev/null 
@@ -1,134 +0,0 @@ -require 'spec_helper_acceptance' - -describe 'keycloak domain mode cluster', if: RSpec.configuration.keycloak_domain_mode_cluster do - domain_master = hosts_with_name(hosts, 'master')[0] - domain_slave = hosts_with_name(hosts, 'slave')[0] - db = hosts_with_name(hosts, 'db')[0] - - context 'new cluster' do - it 'launches' do - db_pp = <<-EOS - class { '::postgresql::globals': - encoding => 'UTF-8', - locale => 'en_US.UTF-8', - manage_package_repo => true, - version => '9.6', - } - - class { '::postgresql::server': - listen_addresses => '*', - require => Class['::postgresql::globals'] - } - - ::postgresql::server::role { 'keycloak': - password_hash => postgresql_password('keycloak', 'keycloak'), - connection_limit => 300, - require => Class['::postgresql::server'] - } - - ::postgresql::server::database_grant { 'Grant all to keycloak': - privilege => 'ALL', - db => 'keycloak', - role => 'keycloak', - } - - ::postgresql::server::db { 'keycloak': - user => 'keycloak', - password => postgresql_password('keycloak', 'keycloak'), - } - - postgresql::server::pg_hba_rule { 'Allow Keycloak instances network access to the database': - description => 'Open up PostgreSQL for access from anywhere', - type => 'host', - database => 'keycloak', - user => 'keycloak', - address => '0.0.0.0/0', - auth_method => 'md5', - require => Class['::postgresql::server'] - } - EOS - - master_pp = <<-EOS - class { '::keycloak': - operating_mode => 'domain', - role => 'master', - management_bind_address => $::ipaddress, - enable_jdbc_ping => true, - wildfly_user => 'wildfly', - wildfly_user_password => 'wildfly', - manage_install => true, - manage_datasource => false, - version => '10.0.1', - datasource_driver => 'postgresql', - datasource_host => 'db', - datasource_port => 5432, - datasource_dbname => 'keycloak', - datasource_username => 'keycloak', - datasource_password => 'keycloak', - admin_user => 'admin', - admin_user_password => 'changeme', - service_bind_address => 
'0.0.0.0', - proxy_https => false, - } - EOS - - slave_pp = <<-EOS - class { '::keycloak': - operating_mode => 'domain', - role => 'slave', - enable_jdbc_ping => true, - management_bind_address => $::ipaddress, - wildfly_user => 'wildfly', - wildfly_user_password => 'wildfly', - master_address => 'master', - manage_install => true, - manage_datasource => false, - version => '10.0.1', - datasource_driver => 'postgresql', - datasource_host => 'db', - datasource_port => 5432, - datasource_dbname => 'keycloak', - datasource_username => 'keycloak', - datasource_password => 'keycloak', - admin_user => 'admin', - admin_user_password => 'changeme', - service_bind_address => '0.0.0.0', - proxy_https => false, - } - EOS - - apply_manifest_on(db, db_pp, catch_failures: true) - apply_manifest_on(domain_master, master_pp, catch_failures: true) - apply_manifest_on(domain_master, master_pp, catch_changes: true) - apply_manifest_on(domain_slave, slave_pp, catch_failures: true) - apply_manifest_on(domain_slave, slave_pp, catch_changes: true) - end - - describe service('keycloak'), node: domain_master do - it { is_expected.to be_enabled } - it { is_expected.to be_running } - end - - describe service('keycloak'), node: domain_slave do - it { is_expected.to be_enabled } - it { is_expected.to be_running } - end - - it 'data replicates from master to slave' do - on domain_master, '/opt/keycloak/bin/kcadm-wrapper.sh create roles -r master -s name=testrole' - on domain_slave, '/opt/keycloak/bin/kcadm-wrapper.sh get roles/testrole -r master' do - data = JSON.parse(stdout) - expect(data['name']).to eq('testrole') - end - end - - it 'data replicates from slave to master' do - on domain_slave, '/opt/keycloak/bin/kcadm-wrapper.sh delete roles/testrole -r master' - on domain_master, '/opt/keycloak/bin/kcadm-wrapper.sh get roles -r master' do - data = JSON.parse(stdout) - match = data.select { |role| role['name'] == 'testrole' } - expect(match).to be_empty - end - end - end -end 
diff --git a/spec/acceptance/2_realm_spec.rb b/spec/acceptance/2_realm_spec.rb index a72cfc55..53dcd9bf 100644 --- a/spec/acceptance/2_realm_spec.rb +++ b/spec/acceptance/2_realm_spec.rb @@ -4,10 +4,7 @@ context 'creates realm' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present', smtp_server_host => 'smtp.example.org', @@ -142,10 +139,7 @@ class { 'keycloak': context 'updates realm' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present', remember_me => true, @@ -269,10 +263,7 @@ class { 'keycloak': context 'creates realm with invalid browser flow' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test2': ensure => 'present', browser_flow => 'Copy of browser', diff --git a/spec/acceptance/3_ldap_spec.rb b/spec/acceptance/3_ldap_spec.rb index b6400d61..dfc459a8 100644 --- a/spec/acceptance/3_ldap_spec.rb +++ b/spec/acceptance/3_ldap_spec.rb @@ -4,10 +4,7 @@ context 'creates ldap' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak_ldap_user_provider { 'LDAP': realm => 'test', @@ -98,10 +95,7 @@ class { 'keycloak': context 'updates ldap' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak_ldap_user_provider { 'LDAP': realm => 'test', 
@@ -180,10 +174,7 @@ class { 'keycloak': context 'creates ldap with simple auth' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak_ldap_user_provider { 'LDAP2': realm => 'test', @@ -219,10 +210,7 @@ class { 'keycloak': context 'updates ldap auth' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak_ldap_user_provider { 'LDAP': realm => 'test', @@ -258,10 +246,7 @@ class { 'keycloak': context 'ensure => absent' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_ldap_mapper { 'full-name': ensure => 'absent', realm => 'test', @@ -285,10 +270,7 @@ class { 'keycloak': context 'creates freeipa user provider' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak::freeipa_user_provider { 'ipa.example.org': ensure => 'present', @@ -309,10 +291,7 @@ class { 'keycloak': context 'creates freeipa ldap mappers' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak::freeipa_user_provider { 'ipa.example.org': ensure => 'present', diff --git a/spec/acceptance/3_sssd_spec.rb b/spec/acceptance/3_sssd_spec.rb index 6a0f5c20..3f788505 100644 --- a/spec/acceptance/3_sssd_spec.rb +++ b/spec/acceptance/3_sssd_spec.rb 
@@ -1,6 +1,7 @@ require 'spec_helper_acceptance' -describe 'keycloak_sssd_user_provider:', if: RSpec.configuration.keycloak_full do +# TODO: Figure out how to support SSSD user provider on latest Keycloak and Java 11 +describe 'keycloak_sssd_user_provider:', if: false do context 'bootstrap sssd' do it 'is successful' do on hosts, 'puppet resource package sssd-dbus ensure=installed' @@ -29,9 +30,7 @@ it 'runs successfully' do pp = <<-EOS service { 'sssd': ensure => 'running' } - include mysql::server class { 'keycloak': - datasource_driver => 'mysql', with_sssd_support => true, } keycloak_realm { 'test': ensure => 'present' } @@ -59,9 +58,7 @@ class { 'keycloak': it 'runs successfully' do pp = <<-EOS service { 'sssd': ensure => 'running' } - include mysql::server class { 'keycloak': - datasource_driver => 'mysql', with_sssd_support => true, } keycloak_realm { 'test': ensure => 'present' } @@ -90,9 +87,7 @@ class { 'keycloak': it 'runs successfully' do pp = <<-EOS service { 'sssd': ensure => 'running' } - include mysql::server class { 'keycloak': - datasource_driver => 'mysql', with_sssd_support => true, } keycloak_realm { 'test': ensure => 'present' } diff --git a/spec/acceptance/4_client_scopes_spec.rb b/spec/acceptance/4_client_scopes_spec.rb index 7ac8fe94..c178fe36 100644 --- a/spec/acceptance/4_client_scopes_spec.rb +++ b/spec/acceptance/4_client_scopes_spec.rb @@ -4,10 +4,7 @@ context 'creates client scopes' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak::client_scope::oidc { 'openid-connect-clients': realm => 'test', 
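Review bot: `describe 'keycloak_sssd_user_provider:', if: false do` drops the whole SSSD suite from the run output, so the untested `with_sssd_support` path (still wired in init.pp via `contain 'keycloak::sssd'`) looks covered in CI rather than skipped. Prefer RSpec's skip metadata so the gap is reported on every run: `describe 'keycloak_sssd_user_provider:', skip: 'TODO: SSSD user provider unsupported on Keycloak 18 / Java 11' do`, which also lets the bare `# TODO` comment above it go. The README should state that `with_sssd_support` is currently unverified on Keycloak 18 so operators do not rely on it for authentication.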
@@ -75,10 +72,7 @@ class { 'keycloak': context 'creates saml client scope' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak::client_scope::saml { 'saml-clients': realm => 'test', diff --git a/spec/acceptance/5_client_spec.rb b/spec/acceptance/5_client_spec.rb index 60166aa0..8d8eda7e 100644 --- a/spec/acceptance/5_client_spec.rb +++ b/spec/acceptance/5_client_spec.rb @@ -4,10 +4,7 @@ context 'creates client' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak_flow { 'foo on test': ensure => 'present' } keycloak_client { 'test.foo.bar': @@ -172,10 +169,7 @@ class { 'keycloak': context 'updates client' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak_client { 'test.foo.bar': realm => 'test', @@ -274,10 +268,7 @@ class { 'keycloak': it 'manages authorization services properly' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak_client { 'test.foo.bar': realm => 'test', diff --git a/spec/acceptance/6_protocol_mapper_spec.rb b/spec/acceptance/6_protocol_mapper_spec.rb index 3e691625..0f22c25b 100644 --- a/spec/acceptance/6_protocol_mapper_spec.rb +++ b/spec/acceptance/6_protocol_mapper_spec.rb @@ -4,10 +4,7 @@ context 'creates protocol_mapper' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak_client_scope { 'oidc on test': ensure => 'present', 
@@ -89,10 +86,7 @@ class { 'keycloak': context 'updates protocol_mapper' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak_client_scope { 'oidc on test': ensure => 'present', @@ -169,10 +163,7 @@ class { 'keycloak': context 'creates saml protocol_mapper' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak_client_scope { 'saml on test': ensure => 'present', diff --git a/spec/acceptance/7_client_protocol_mapper_spec.rb b/spec/acceptance/7_client_protocol_mapper_spec.rb index f428067e..e8f844fd 100644 --- a/spec/acceptance/7_client_protocol_mapper_spec.rb +++ b/spec/acceptance/7_client_protocol_mapper_spec.rb @@ -4,10 +4,7 @@ context 'creates protocol_mapper' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak_client { 'test.foo.bar': realm => 'test', @@ -83,10 +80,7 @@ class { 'keycloak': context 'updates protocol_mapper' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak_client { 'test.foo.bar': realm => 'test', diff --git a/spec/acceptance/8_identity_provider_spec.rb b/spec/acceptance/8_identity_provider_spec.rb index 2d9fffd2..41507b9f 100644 --- a/spec/acceptance/8_identity_provider_spec.rb +++ b/spec/acceptance/8_identity_provider_spec.rb 
@@ -4,10 +4,7 @@ context 'creates identity provider' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak_identity_provider { 'cilogon on test': ensure => 'present', @@ -69,10 +66,7 @@ class { 'keycloak': context 'updates identity provider' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_realm { 'test': ensure => 'present' } keycloak_identity_provider { 'cilogon on test': ensure => 'present', @@ -136,10 +130,7 @@ class { 'keycloak': context 'ensure => absent' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_identity_provider { 'cilogon on test': ensure => 'absent', } diff --git a/spec/acceptance/9_flow_spec.rb b/spec/acceptance/9_flow_spec.rb index 0ff204d6..8e71400f 100644 --- a/spec/acceptance/9_flow_spec.rb +++ b/spec/acceptance/9_flow_spec.rb @@ -4,10 +4,7 @@ context 'creates flow' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak::spi_deployment { 'duo-spi': deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar', source => 'file:///tmp/keycloak-duo-spi-jar-with-dependencies.jar', @@ -120,10 +117,7 @@ class { 'keycloak': context 'updates flow' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak::spi_deployment { 'duo-spi': deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar', source => 'file:///tmp/keycloak-duo-spi-jar-with-dependencies.jar', 
@@ -239,10 +233,7 @@ class { 'keycloak': context 'ensure => absent' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } keycloak_flow { 'browser-with-duo on test': ensure => 'absent', } diff --git a/spec/acceptance/nodesets/centos-7-domain-mode-cluster.yml b/spec/acceptance/nodesets/centos-7-domain-mode-cluster.yml deleted file mode 100644 index a816d3b9..00000000 --- a/spec/acceptance/nodesets/centos-7-domain-mode-cluster.yml +++ /dev/null @@ -1,60 +0,0 @@ -HOSTS: - master: - roles: - - agent - - default - - domain_master - platform: el-7-x86_64 - hypervisor: docker - image: centos:7 - docker_preserve_image: true - docker_cmd: - - '/usr/sbin/init' - docker_image_commands: - - 'yum install -y wget which cronie iproute initscripts' - docker_env: - - LANG=en_US.UTF-8 - - LANGUAGE=en_US.UTF-8 - - LC_ALL=en_US.UTF-8 - docker_container_name: 'keycloak-master-el7' - slave: - roles: - - agent - - domain_slave - platform: el-7-x86_64 - hypervisor: docker - image: centos:7 - docker_preserve_image: true - docker_cmd: - - '/usr/sbin/init' - docker_image_commands: - - 'yum install -y wget which cronie iproute initscripts' - docker_env: - - LANG=en_US.UTF-8 - - LANGUAGE=en_US.UTF-8 - - LC_ALL=en_US.UTF-8 - docker_container_name: 'keycloak-slave-el7' - db: - roles: - - agent - - db - platform: el-7-x86_64 - hypervisor: docker - image: centos:7 - docker_preserve_image: true - docker_cmd: - - '/usr/sbin/init' - docker_image_commands: - - 'yum install -y wget which cronie iproute initscripts' - docker_env: - - LANG=en_US.UTF-8 - - LANGUAGE=en_US.UTF-8 - - LC_ALL=en_US.UTF-8 - docker_container_name: 'keycloak-db-el7' -CONFIG: - log_level: debug - type: foss -ssh: - password: root - auth_methods: ["password"] - diff --git a/spec/acceptance/nodesets/debian-9.yml b/spec/acceptance/nodesets/debian-9.yml deleted file mode 100644 index 0a843a23..00000000 
--- a/spec/acceptance/nodesets/debian-9.yml +++ /dev/null @@ -1,28 +0,0 @@ -HOSTS: - debian9: - roles: - - agent - platform: debian-9-amd64 - hypervisor: docker - image: debian:9 - docker_preserve_image: true - docker_cmd: - - '/sbin/init' - docker_image_commands: - - 'apt-get install -y wget net-tools systemd-sysv locales apt-transport-https ca-certificates' - - 'echo "LC_ALL=en_US.UTF-8" >> /etc/environment' - - 'echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen' - - 'echo "LANG=en_US.UTF-8" > /etc/locale.conf' - - 'locale-gen en_US.UTF-8' - docker_env: - - LANG=en_US.UTF-8 - - LANGUAGE=en_US.UTF-8 - - LC_ALL=en_US.UTF-8 - docker_container_name: 'keycloak-debian9' -CONFIG: - log_level: debug - type: foss -ssh: - password: root - auth_methods: ["password"] - diff --git a/spec/acceptance/z_keycloak_api_spec.rb b/spec/acceptance/z_keycloak_api_spec.rb index 561530db..3b275624 100644 --- a/spec/acceptance/z_keycloak_api_spec.rb +++ b/spec/acceptance/z_keycloak_api_spec.rb @@ -4,10 +4,7 @@ context 'bootstraps' do it 'runs successfully' do pp = <<-EOS - include mysql::server - class { 'keycloak': - datasource_driver => 'mysql', - } + class { 'keycloak': } EOS apply_manifest(pp, catch_failures: true) @@ -29,7 +26,7 @@ class { 'keycloak': end it 'has created a realm' do - on hosts, '/opt/keycloak/bin/kcadm.sh get realms/test2 --no-config --server http://localhost:8080/auth --realm master --user admin --password changeme' do + on hosts, '/opt/keycloak/bin/kcadm.sh get realms/test2 --no-config --server http://127.0.0.1:8080 --realm master --user admin --password changeme' do data = JSON.parse(stdout) expect(data['id']).to eq('test2') end 
@@ -54,7 +51,7 @@ class { 'keycloak': end it 'has updated a realm' do - on hosts, '/opt/keycloak/bin/kcadm.sh get realms/test2 --no-config --server http://localhost:8080/auth --realm master --user admin --password changeme' do + on hosts, '/opt/keycloak/bin/kcadm.sh get realms/test2 --no-config --server http://127.0.0.1:8080 --realm master --user admin --password changeme' do data = JSON.parse(stdout) expect(data['rememberMe']).to eq(true) end diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 19a8c15f..37f503d1 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -6,7 +6,7 @@ let(:facts) do facts.merge(concat_basedir: '/dne') end - let(:version) { '12.0.4' } + let(:version) { '18.0.0' } case facts[:osfamily] when %r{RedHat} 
@@ -23,95 +23,6 @@ it { is_expected.to contain_class('keycloak::config').that_comes_before('Class[keycloak::service]') } it { is_expected.to contain_class('keycloak::service') } - context 'domain master' do - let(:params) do - { - operating_mode: 'domain', - install_dir: '/opt/keycloak-x', - role: 'master', - datasource_driver: 'postgresql', - wildfly_user: 'wildfly', - wildfly_user_password: 'changeme', - } - end - - it { is_expected.to compile.with_all_deps } - it do - is_expected.to contain_augeas('ensure-servername').with(incl: '/opt/keycloak-x/domain/configuration/host-master.xml') - is_expected.to contain_exec('create-wildfly-user').with(command: '/opt/keycloak-x/bin/add-user.sh --user wildfly --password changeme -e -s && touch /opt/keycloak-x/.create-wildfly-user') - end - end - - context 'domain slave' do - let(:params) do - { - operating_mode: 'domain', - install_dir: '/opt/keycloak-x', - role: 'slave', - master_address: '10.0.5.10', - datasource_driver: 'postgresql', - wildfly_user: 'wildfly', - wildfly_user_password: 'changeme', - } - end - - it { is_expected.to compile.with_all_deps } - - it do - is_expected.to contain_augeas('ensure-servername').with(incl: '/opt/keycloak-x/domain/configuration/host-slave.xml', - context: '/files/opt/keycloak-x/domain/configuration/host-slave.xml/host/servers') - is_expected.to contain_exec('create-wildfly-user').with(command: '/opt/keycloak-x/bin/add-user.sh --user wildfly --password changeme -e -s && touch /opt/keycloak-x/.create-wildfly-user') - end - end - - context 'standalone with domain role defined' do - let(:params) do - { - operating_mode: 'standalone', - role: 'master', - } - end - - it { is_expected.not_to compile } - end - - context 'domain slave without master_address' do - let(:params) do - { - operating_mode: 'domain', - wildfly_user: 'wildfly', - wildfly_user_password: 'wildfly', - role: 'slave', - } - end - - it { is_expected.not_to compile } - end - - context 'domain master without wildfly user' do - 
let(:params) do - { - operating_mode: 'domain', - role: 'master', - wildfly_user_password: 'wildfly', - } - end - - it { is_expected.not_to compile } - end - - context 'domain master without wildfly user password' do - let(:params) do - { - operating_mode: 'domain', - role: 'master', - wildfly_user: 'wildfly', - } - end - - it { is_expected.not_to compile } - end - context 'keycloak::install' do it do is_expected.to contain_user('keycloak').only_with(ensure: 'present', 
@@ -125,143 +36,111 @@ end end - context 'keycloak::datasource::mysql' do + context 'keycloak db=mysql' do let(:pre_condition) { 'include ::mysql::server' } - let(:params) { { datasource_driver: 'mysql' } } - - it { is_expected.to contain_class('keycloak::install').that_comes_before('Class[keycloak::datasource::mysql]') } - it { is_expected.to contain_class('keycloak::datasource::mysql').that_comes_before('Class[keycloak::config]') } + let(:params) { { db: 'mysql' } } + it { is_expected.to contain_class('keycloak::db::mysql').that_notifies('Class[keycloak::service]') } it do - is_expected.to contain_mysql__db('keycloak').with(user: 'sa', - password: 'sa', + is_expected.to contain_mysql__db('keycloak').with(user: 'keycloak', + password: 'changeme', host: 'localhost', grant: 'ALL') end - context 'manage_datasource => false' do - let(:params) { { datasource_driver: 'mysql', manage_datasource: false } } + it do + verify_contents(catalogue, "/opt/keycloak-#{version}/conf/keycloak.conf", [ + 'db=mysql', + ]) + end + + context 'manage_db => false' do + let(:params) { { db: 'mysql', manage_db: false } } it { is_expected.not_to contain_mysql__db('keycloak') } end end - context 'keycloak::datasource::postgresql' do - let(:params) { { datasource_driver: 'postgresql' } } + context 'keycloak db=mariadb' do + let(:pre_condition) { 'include ::mysql::server' } + let(:params) { { db: 'mariadb' } } - it { is_expected.to contain_class('keycloak::install').that_comes_before('Class[keycloak::datasource::postgresql]') } - it { is_expected.to contain_class('keycloak::datasource::postgresql').that_comes_before('Class[keycloak::config]') } + it { is_expected.to contain_class('keycloak::db::mariadb').that_notifies('Class[keycloak::service]') } + it do + is_expected.to contain_mysql__db('keycloak').with(user: 'keycloak', + password: 'changeme', + host: 'localhost', + grant: 'ALL') + end it do - is_expected.to contain_postgresql__server__db('keycloak').with(user: 'sa', - password: %r{.*}) + 
verify_contents(catalogue, "/opt/keycloak-#{version}/conf/keycloak.conf", [ + 'db=mariadb', + ]) end - context 'manage_datasource => false' do - let(:params) { { datasource_driver: 'postgresql', manage_datasource: false } } + context 'manage_db => false' do + let(:params) { { db: 'mariadb', manage_db: false } } - it { is_expected.not_to contain_postgresql__server__db('keycloak') } + it { is_expected.not_to contain_mysql__db('keycloak') } end end - context 'keycloak::config' do - it do - is_expected.to contain_file('kcadm-wrapper.sh').only_with( - ensure: 'file', - path: "/opt/keycloak-#{version}/bin/kcadm-wrapper.sh", - owner: 'keycloak', - group: 'keycloak', - mode: '0750', - content: %r{.*}, - show_diff: 'false', - ) - end + context 'keycloak db=postgres' do + let(:params) { { db: 'postgres' } } + it { is_expected.to contain_class('keycloak::db::postgres').that_notifies('Class[keycloak::service]') } it do - is_expected.to contain_exec('create-keycloak-admin') - .with(command: "/opt/keycloak-#{version}/bin/add-user-keycloak.sh --user admin --password changeme --realm master && touch /opt/keycloak-#{version}/.create-keycloak-admin-h2", - creates: "/opt/keycloak-#{version}/.create-keycloak-admin-h2", - notify: 'Class[Keycloak::Service]') + is_expected.to contain_postgresql__server__db('keycloak').with(user: 'keycloak', + password: %r{.*}) end it do - is_expected.to contain_file("/opt/keycloak-#{version}/standalone/configuration").only_with( - ensure: 'directory', - owner: 'keycloak', - group: 'keycloak', - mode: '0750', - ) + verify_contents(catalogue, "/opt/keycloak-#{version}/conf/keycloak.conf", [ + 'db=postgres', + ]) end - it do - is_expected.to contain_file("/opt/keycloak-#{version}/standalone/configuration/profile.properties").only_with( - ensure: 'file', - owner: 'keycloak', - group: 'keycloak', - mode: '0644', - content: %r{.*}, - notify: 'Class[Keycloak::Service]', - ) - end + context 'manage_db => false' do + let(:params) { { db: 'postgres', manage_db: 
false } } - it do - verify_exact_file_contents(catalogue, "/opt/keycloak-#{version}/standalone/configuration/profile.properties", []) + it { is_expected.not_to contain_postgresql__server__db('keycloak') } end + end + context 'keycloak::config' do it do - is_expected.to contain_concat("/opt/keycloak-#{version}/config.cli").with( - ensure: 'present', + is_expected.to contain_file('kcadm-wrapper.sh').only_with( + ensure: 'file', + path: "/opt/keycloak-#{version}/bin/kcadm-wrapper.sh", owner: 'keycloak', group: 'keycloak', - mode: '0600', - notify: 'Exec[jboss-cli.sh --file=config.cli]', + mode: '0750', + content: %r{.*}, show_diff: 'false', ) end it do - is_expected.to contain_file_line('keycloak-JAVA_OPTS').with( - ensure: 'absent', - path: "/opt/keycloak-#{version}/bin/standalone.conf", - line: 'JAVA_OPTS="$JAVA_OPTS "', - match: '^JAVA_OPTS=', - notify: 'Class[Keycloak::Service]', - ) - end - - context 'when tech_preview_features defined' do - let(:params) { { tech_preview_features: ['account_api'] } } + verify_exact_file_contents(catalogue, "/opt/keycloak-#{version}/conf/keycloak.conf", [ + "hostname=#{facts[:fqdn]}", + 'http-enabled=true', + 'http-host=0.0.0.0', + 'http-port=8080', + 'https-port=8443', + 'db=dev-file', + 'db-url-database=keycloak', + 'db-username=keycloak', + 'db-password=changeme', + 'proxy=none', + ]) + end + + context 'when features defined' do + let(:params) { { features: ['authorization','impersonation'] } } it do - verify_exact_file_contents(catalogue, "/opt/keycloak-#{version}/standalone/configuration/profile.properties", ['feature.account_api=enabled']) - end - end - - context 'when java_opts defined' do - let(:params) { { java_opts: '-Xmx512m -Xms64m' } } - - it do - is_expected.to contain_file_line('keycloak-JAVA_OPTS').with( - ensure: 'present', - path: "/opt/keycloak-#{version}/bin/standalone.conf", - line: 'JAVA_OPTS="$JAVA_OPTS -Xmx512m -Xms64m"', - match: '^JAVA_OPTS=', - notify: 'Class[Keycloak::Service]', - ) - end - - context 
'when java_opts_append is false' do - let(:params) { { java_opts: '-Xmx512m -Xms64m', java_opts_append: false } } - - it do - is_expected.to contain_file_line('keycloak-JAVA_OPTS').with( - ensure: 'present', - path: "/opt/keycloak-#{version}/bin/standalone.conf", - line: 'JAVA_OPTS="-Xmx512m -Xms64m"', - match: '^JAVA_OPTS=', - notify: 'Class[Keycloak::Service]', - ) - end + verify_contents(catalogue, "/opt/keycloak-#{version}/conf/keycloak.conf", ['features=authorization,impersonation']) end end end @@ -274,13 +153,15 @@ hasstatus: 'true', hasrestart: 'true') end - end - context 'syslog support' do - let(:params) { { syslog: true, install_dir: '/opt/keycloak-x' } } + context 'when java_opts defined' do + let(:params) { { java_opts: '-Xmx512m -Xms64m' } } - it do - is_expected.to contain_concat_fragment('keycloak-config.cli-syslog').with(target: '/opt/keycloak-x/config.cli', order: '12') + it do + is_expected.to contain_systemd__unit_file('keycloak.service').with( + content: %r{Environment='JAVA_OPTS_APPEND=-Xmx512m -Xms64m'} + ) + end end end end # end context diff --git a/spec/defines/spi_deployment_spec.rb b/spec/defines/spi_deployment_spec.rb index 896b9685..f46ab636 100644 --- a/spec/defines/spi_deployment_spec.rb +++ b/spec/defines/spi_deployment_spec.rb @@ -6,7 +6,7 @@ let(:facts) do facts.merge(concat_basedir: '/dne') end - let(:version) { '12.0.4' } + let(:version) { '18.0.0' } let(:title) { 'duo-spi' } let(:params) { { deployed_name: 'keycloak-duo-spi-jar-with-dependencies.jar', source: 'https://example.com/files/keycloak-duo-spi-jar-with-dependencies.jar' } } 
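Review bot: The `keycloak::config` context now pins the full contents of `conf/keycloak.conf`, including `db-password=changeme`, but nothing in the hunk pins the permissions of that file, so a regression that left a secret-bearing file world-readable would still pass. If the module manages it with a `file` resource, add an expectation on the resource itself, e.g. `it { is_expected.to contain_file("/opt/keycloak-#{version}/conf/keycloak.conf").with(owner: 'keycloak', group: 'keycloak', mode: '0640', show_diff: 'false') }` (use whatever mode the module actually sets). The same hunk has `['authorization','impersonation']` with no space after the comma, which RuboCop will flag. The enclosing describe block starts outside the hunk.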
@@ -20,29 +20,19 @@ user: 'keycloak', group: 'keycloak', require: "File[/opt/keycloak-#{version}/tmp]", - before: "File[/opt/keycloak-#{version}/standalone/deployments/keycloak-duo-spi-jar-with-dependencies.jar]", + before: "File[/opt/keycloak-#{version}/providers/keycloak-duo-spi-jar-with-dependencies.jar]", ) end it do - is_expected.to contain_file("/opt/keycloak-#{version}/standalone/deployments/keycloak-duo-spi-jar-with-dependencies.jar").with( + is_expected.to contain_file("/opt/keycloak-#{version}/providers/keycloak-duo-spi-jar-with-dependencies.jar").with( ensure: 'file', source: "/opt/keycloak-#{version}/tmp/keycloak-duo-spi-jar-with-dependencies.jar", owner: 'keycloak', group: 'keycloak', mode: '0644', require: 'Class[Keycloak::Install]', - notify: 'Exec[duo-spi-dodeploy]', - ) - end - - it do - is_expected.to contain_exec('duo-spi-dodeploy').with( - path: '/usr/bin:/bin:/usr/sbin:/sbin', - command: "touch /opt/keycloak-#{version}/standalone/deployments/keycloak-duo-spi-jar-with-dependencies.jar.dodeploy", - refreshonly: 'true', - user: 'keycloak', - group: 'keycloak', + notify: 'Class[Keycloak::Service]', ) end end diff --git a/spec/fixtures/keycloak-duo-spi-jar-with-dependencies.jar b/spec/fixtures/keycloak-duo-spi-jar-with-dependencies.jar index 115fa0494e15b94792a805e218bedf833df1a543..d45b5366afc37bba1e64c54264215b60afef5b5b 100644 GIT binary patch delta 390 zcmeyfiSf@SM!o=VW)?065Kzz9A2N|onMDmqZ#3Ov#v%)3Onz&o!=eCU$eOD|7#`*Z z5Jru;DTJ}r+)@an25bzJP-d8{7^w<3o`V5o+Gb;mAB81F))Cg+9g zLpTe=eIYtOh37y-W=BXdDOv$tYBBkJgpdNr6CH|+8WY(W7{mn`7@U!Ow50L2J5Zs! zFU(;O$6o5n(qmy_V322JVBkhkKG&atA*D25H#aR&FRdgez?+o~BrgesbAaZb3Iy>0 DbD3tP delta 350 zcmeyfiSf@SM!o=VW)?065LmHNEnp&_GRtxxz0q`w8OstNWAa-w9hRjahOD_dgyCUs z0AbXan?e{{%`G8}Pv*8@U7L+9elS8LTprMoBhDcA&3)hDTE)4gD zX#5nO17X-kN?9vfF)*Z*=IiFBCF-S>xm^i#3!b&2nY#^nQKsbk;f#Fmjhz9^XeQ6E= diff --git a/spec/fixtures/test.pp b/spec/fixtures/test.pp index a0ec305a..16d83933 100644 --- a/spec/fixtures/test.pp 
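Review bot: The provider jar under `providers/` is expected with `owner: 'keycloak'` and `mode: '0644'`, i.e. writable by the account the server runs as, which means a compromised service could rewrite its own extension code; if the intent is to deploy provider jars root-owned and only readable by the service user, the expectation should pin that instead, e.g. `owner: 'root', group: 'keycloak', mode: '0640'`. If the current ownership is deliberate (for instance because the install directory must stay writable by the service user), a short comment on this `it` block saying so would keep a later hardening change from being reverted as a test regression. The enclosing `it` block starts outside the hunk.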
+++ b/spec/fixtures/test.pp @@ -1,4 +1,34 @@ include mysql::server class { 'keycloak': - datasource_driver => 'mysql', + db => 'mariadb', + hostname => 'localhost', + proxy => 'edge', + http_host => '127.0.0.1', + http_port => 9090, + configs => { + 'hostname-port' => 8080, + 'hostname-strict-https' => false, + }, } +class { 'apache': + default_vhost => false, +} +apache::vhost { 'localhost': + servername => 'localhost', + port => '8080', + ssl => false, + manage_docroot => false, + docroot => '/var/www/html', + proxy_preserve_host => true, + proxy_add_headers => true, + proxy_pass => [ + {'path' => '/', 'url' => 'http://localhost:9090/'} + ], + request_headers => [ + 'set X-Forwarded-Proto "http"', + 'set X-Forwarded-Port "8080"' + ], + #headers => [ + # 'always unset X-Frame-Options', + #], +} \ No newline at end of file diff --git a/spec/spec_helper_acceptance_setup.rb b/spec/spec_helper_acceptance_setup.rb index c0081316..61341889 100644 --- a/spec/spec_helper_acceptance_setup.rb +++ b/spec/spec_helper_acceptance_setup.rb @@ -1,15 +1,13 @@ RSpec.configure do |c| c.add_setting :keycloak_version keycloak_version = if ENV['BEAKER_keycloak_version'].nil? || ENV['BEAKER_keycloak_version'].empty? - '12.0.4' + '18.0.0' else ENV['BEAKER_keycloak_version'] end c.keycloak_version = keycloak_version c.add_setting :keycloak_full c.keycloak_full = (ENV['BEAKER_keycloak_full'] == 'true' || ENV['BEAKER_keycloak_full'] == 'yes') - c.add_setting :keycloak_domain_mode_cluster - c.keycloak_domain_mode_cluster = (ENV['BEAKER_keycloak_domain_mode_cluster'] == 'true' || ENV['BEAKER_keycloak_domain_mode_cluster'] == 'yes') end proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..')) 
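Review bot: `proxy => 'edge'` makes Keycloak trust the `X-Forwarded-*` headers that the apache vhost sets, which is only safe because `http_host => '127.0.0.1'` keeps port 9090 off the network, and nothing in the fixture records that dependency. Add a comment above `http_host`, e.g. `# loopback only: with proxy => 'edge' Keycloak trusts X-Forwarded-* headers, so it must be reachable solely through the apache vhost below`. The commented-out `headers` block and the missing trailing newline look like leftovers worth cleaning up.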
@@ -27,23 +25,31 @@ - name: "Common" path: "common.yaml" EOS -# TODO: Use until released https://github.com/puppetlabs/puppetlabs-mysql/pull/1373 -ubuntu2004_yaml = <<-EOS -mysql::bindings::java_package_name: libmariadb-java -EOS centos7_yaml = <<-EOS postgresql::server::service_reload: 'systemctl reload postgresql 2>/dev/null 1>/dev/null' EOS +ubuntu1804_yaml = <<-EOS +keycloak::db: mysql +EOS +# TODO: Use until this released to force mariadb: +# https://github.com/puppetlabs/puppetlabs-mysql/commit/8c8c01739f593b2bcd1943297761a09dde994197 +ubuntu2004_yaml = <<-EOS +keycloak::db: mysql +EOS common_yaml = <<-EOS --- keycloak::version: '#{RSpec.configuration.keycloak_version}' +keycloak::http_host: '127.0.0.1' +keycloak::db: mariadb +keycloak::proxy: edge postgresql::server::service_status: 'service postgresql status 2>/dev/null 1>/dev/null' EOS create_remote_file(hosts, '/etc/puppetlabs/puppet/hiera.yaml', hiera_yaml) on hosts, 'mkdir -p /etc/puppetlabs/puppet/data' create_remote_file(hosts, '/etc/puppetlabs/puppet/data/common.yaml', common_yaml) -on hosts, 'mkdir -p /etc/puppetlabs/puppet/data/os/Ubuntu' -create_remote_file(hosts, '/etc/puppetlabs/puppet/data/os/Ubuntu/20.04.yaml', ubuntu2004_yaml) on hosts, 'mkdir -p /etc/puppetlabs/puppet/data/os/CentOS' create_remote_file(hosts, '/etc/puppetlabs/puppet/data/os/CentOS/7.yaml', centos7_yaml) +on hosts, 'mkdir -p /etc/puppetlabs/puppet/data/os/Ubuntu' +create_remote_file(hosts, '/etc/puppetlabs/puppet/data/os/Ubuntu/18.04.yaml', ubuntu1804_yaml) +create_remote_file(hosts, '/etc/puppetlabs/puppet/data/os/Ubuntu/20.04.yaml', ubuntu2004_yaml) diff --git a/templates/config.cli/00-header.epp b/templates/config.cli/00-header.epp deleted file mode 100644 index ab4664db..00000000 --- a/templates/config.cli/00-header.epp +++ /dev/null 
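Review bot: `ubuntu1804_yaml` and `ubuntu2004_yaml` are identical (`keycloak::db: mysql`, overriding the `mariadb` default in `common_yaml`), but the `# TODO: Use until this released to force mariadb:` comment sits only above the 20.04 heredoc, so a reader cannot tell whether the 18.04 override is temporary as well. Move the comment above `ubuntu1804_yaml` and state that it covers both, or add a one-line reason to the 18.04 heredoc, and reword it to `# TODO: remove once the puppetlabs-mysql commit below is released and mariadb can be forced:`.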
@@ -1,10 +0,0 @@ -<%- | -String $operating_mode -| -%> -<% if $operating_mode == 'standalone' { -%> -embed-server -<% } elsif $operating_mode == 'clustered' { -%> -embed-server --server-config=standalone-ha.xml -<% } else { -%> -embed-host-controller -<% } -%> diff --git a/templates/config.cli/01-https-proxy.epp b/templates/config.cli/01-https-proxy.epp deleted file mode 100644 index 05966898..00000000 --- a/templates/config.cli/01-https-proxy.epp +++ /dev/null @@ -1,23 +0,0 @@ -<%- | -String $prefix, -String $operating_mode -| -%> -if (result.proxy-address-forwarding != true) of <%= $prefix -%>/subsystem=undertow/server=default-server/http-listener=default:read-resource -<%= $prefix -%>/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true) -end-if -if (result.proxy-address-forwarding != true) of <%= $prefix -%>/subsystem=undertow/server=default-server/https-listener=https:read-resource -<%= $prefix -%>/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=proxy-address-forwarding,value=true) -end-if -<%# use ha sockets in domain mode -%> -<% if $operating_mode != 'domain' { -%> -if (outcome != success) of /socket-binding-group=standard-sockets/socket-binding=proxy-https:read-resource -/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443) -end-if -<% } else { -%> -if (outcome != success) of /socket-binding-group=ha-sockets/socket-binding=proxy-https:read-resource -/socket-binding-group=ha-sockets/socket-binding=proxy-https:add(port=443) -end-if -<% end } -%> -if (result.redirect-socket != proxy-https) of <%= $prefix -%>/subsystem=undertow/server=default-server/http-listener=default:read-resource -<%= $prefix -%>/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https) -end-if 
diff --git a/templates/config.cli/02-datasource.epp b/templates/config.cli/02-datasource.epp deleted file mode 100644 index 9e136a4a..00000000 --- a/templates/config.cli/02-datasource.epp +++ /dev/null 
@@ -1,52 +0,0 @@ -<%- | -String $datasource_driver, -String $datasource_connection_url, -String $datasource_username, -String $datasource_password, -String $mysql_datasource_class, -String $prefix -| -%> -<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=driver-name, value=<%= $datasource_driver %>) -<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=connection-url, value="<%= $datasource_connection_url %>") -<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=jndi-name, value=java:jboss/datasources/KeycloakDS) -<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=user-name, value="<%= $datasource_username %>") -<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=password, value="<%= $datasource_password %>") -<%- if $datasource_driver == 'mysql' { -%> -<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation, value=true) -<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=check-valid-connection-sql, value="SELECT 1") -<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation-millis, value=60000) -<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=flush-strategy, value=IdleConnections) -try -<%= $prefix -%>/subsystem=datasources/jdbc-driver=mysql:add(driver-module-name=com.mysql.jdbc,driver-name=mysql,driver-xa-datasource-class-name=<%= $mysql_datasource_class %>) -catch -<%= $prefix -%>/subsystem=datasources/jdbc-driver=mysql:remove -<%= $prefix -%>/subsystem=datasources/jdbc-driver=mysql:add(driver-module-name=com.mysql.jdbc,driver-name=mysql,driver-xa-datasource-class-name=<%= $mysql_datasource_class %>) -end-try -<%- } elsif $datasource_driver == 'h2' { -%> -/subsystem=datasources/data-source=KeycloakDS:undefine-attribute(name=background-validation) 
-/subsystem=datasources/data-source=KeycloakDS:undefine-attribute(name=check-valid-connection-sql) -/subsystem=datasources/data-source=KeycloakDS:undefine-attribute(name=background-validation-millis) -/subsystem=datasources/data-source=KeycloakDS:undefine-attribute(name=flush-strategy) -<%- } elsif $datasource_driver == 'oracle' { -%> -<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation, value=true) -<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=check-valid-connection-sql, value="SELECT 1 FROM DUAL") -<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation-millis, value=60000) -<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=flush-strategy, value=IdleConnections) -try -<%= $prefix -%>/subsystem=datasources/jdbc-driver=oracle:add(driver-module-name=org.oracle,driver-name=oracle,driver-xa-datasource-class-name=oracle.jdbc.xa.client.OracleXADataSource) -catch -<%= $prefix -%>/subsystem=datasources/jdbc-driver=oracle:remove -<%= $prefix -%>/subsystem=datasources/jdbc-driver=oracle:add(driver-module-name=org.oracle,driver-name=oracle,driver-xa-datasource-class-name=oracle.jdbc.xa.client.OracleXADataSource) -end-try -<%- } elsif $datasource_driver == 'postgresql' { -%> -<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation, value=true) -<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=check-valid-connection-sql, value="SELECT 1") -<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation-millis, value=60000) -<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=flush-strategy, value=IdleConnections) -try -<%= $prefix 
-%>/subsystem=datasources/jdbc-driver=postgresql:add(driver-module-name=org.postgresql,driver-name=postgresql,driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource) -catch -<%= $prefix -%>/subsystem=datasources/jdbc-driver=postgresql:remove -<%= $prefix -%>/subsystem=datasources/jdbc-driver=postgresql:add(driver-module-name=org.postgresql,driver-name=postgresql,driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource) -end-try -<%- } -%> diff --git a/templates/config.cli/03-truststore.epp b/templates/config.cli/03-truststore.epp deleted file mode 100644 index 3f78fcec..00000000 --- a/templates/config.cli/03-truststore.epp +++ /dev/null 
@@ -1,26 +0,0 @@ -<%- | -Boolean $truststore, -String $operating_mode, -String $install_base, -String $truststore_password, -String $truststore_hostname_verification_policy, -String $prefix -| -%> -<% if $truststore { -%> -if (outcome != success) of <%= $prefix -%>/subsystem=keycloak-server/spi=truststore:read-resource -<%= $prefix -%>/subsystem=keycloak-server/spi=truststore/:add -<%= $prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:add(enabled=true) -end-if -<% if $operating_mode == 'domain' { -%> -<%= $prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=file,value=<%= $install_base %>/domain/configuration/truststore.jks) -<% } else { -%> -<%= $prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=file,value=<%= $install_base %>/standalone/configuration/truststore.jks) -<% } -%> -<%= $prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=password,value=<%= $truststore_password %>) -<%= $prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=hostname-verification-policy,value=<%= $truststore_hostname_verification_policy %>) -<%= $prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=disabled,value=false) -<% } else { -%> -if (outcome == success) of <%= $prefix -%>/subsystem=keycloak-server/spi=truststore:read-resource -<%= $prefix -%>/subsystem=keycloak-server/spi=truststore/:remove -end-if -<% } -%> diff --git a/templates/config.cli/04-theming.epp b/templates/config.cli/04-theming.epp deleted file mode 100644 index 0f1b0292..00000000 --- a/templates/config.cli/04-theming.epp +++ /dev/null 
@@ -1,9 +0,0 @@ -<%- | -Integer $theme_static_max_age, -Boolean $theme_cache_themes, -Boolean $theme_cache_templates, -String $prefix -| -%> -<%= $prefix -%>/subsystem=keycloak-server/theme=defaults/:write-attribute(name=staticMaxAge, value=<%= $theme_static_max_age %>) -<%= $prefix -%>/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheThemes, value=<%= $theme_cache_themes %>) -<%= $prefix -%>/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheTemplates, value=<%= $theme_cache_templates %>) diff --git a/templates/config.cli/05-deployment-scanner.epp b/templates/config.cli/05-deployment-scanner.epp deleted file mode 100644 index 4e30bba5..00000000 --- a/templates/config.cli/05-deployment-scanner.epp +++ /dev/null @@ -1,7 +0,0 @@ -<%- | -Boolean $auto_deploy_exploded, -Boolean $auto_deploy_zipped, -String $prefix -| -%> -<%= $prefix -%>/subsystem=deployment-scanner/scanner=default:write-attribute(name="auto-deploy-exploded",value=<%= $auto_deploy_exploded %>) -<%= $prefix -%>/subsystem=deployment-scanner/scanner=default:write-attribute(name="auto-deploy-zipped",value=<%= $auto_deploy_zipped %>) diff --git a/templates/config.cli/06-user-cache.epp b/templates/config.cli/06-user-cache.epp deleted file mode 100644 index 77b83a37..00000000 --- a/templates/config.cli/06-user-cache.epp +++ /dev/null @@ -1,10 +0,0 @@ -<%- | -Boolean $user_cache, -String $prefix -| -%> -try -<%= $prefix -%>/subsystem=keycloak-server/spi=userCache/provider=default/:add(enabled=<%= $user_cache %>) -catch -<%= $prefix -%>/subsystem=keycloak-server/spi=userCache/provider=default/:remove -<%= $prefix -%>/subsystem=keycloak-server/spi=userCache/provider=default/:add(enabled=<%= $user_cache %>) -end-try diff --git a/templates/config.cli/10-cluster.epp b/templates/config.cli/10-cluster.epp deleted file mode 100644 index 0c94de53..00000000 --- a/templates/config.cli/10-cluster.epp +++ /dev/null 
@@ -1,41 +0,0 @@
-<%- |
-String $operating_mode,
-Boolean $enable_jdbc_ping,
-String $datasource_driver,
-String $jboss_bind_private_address,
-String $jboss_bind_public_address,
-String $prefix
-| -%>
-<%- if $operating_mode != 'standalone' and $enable_jdbc_ping { -%>
-if (outcome != success) of <%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=JDBC_PING:read-resource
-<%- if $datasource_driver == 'postgresql' { -%>
-<%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=JDBC_PING: add(add-index=0, data-source="KeycloakDS", properties=[initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING ( own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, created TIMESTAMP DEFAULT CURRENT_TIMESTAMP, ping_data BYTEA, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))"])
-<%- } -%>
-<%- if $datasource_driver == 'mysql' { -%>
-<%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=JDBC_PING: add(add-index=0, data-source="KeycloakDS", properties=[initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING (own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, updated TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, ping_data varbinary(5000) DEFAULT NULL, PRIMARY KEY (own_addr, cluster_name)) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin"])
-<%- } -%>
-end-if
-if (outcome == success) of <%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=MPING:read-resource
-<%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=MPING: remove()
-end-if
-if (outcome == success) of <%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=pbcast.GMS:read-resource
-<%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=pbcast.GMS: remove()
-<%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=pbcast.GMS: add(properties=[join_timeout=30000, print_local_addr=true, print_physical_addrs=true])
-end-if
-if (outcome != success) of <%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=JDBC_PING:read-resource
-end-if
-<%= $prefix -%>/subsystem=jgroups/channel=ee:write-attribute(name=stack, value="tcp")
-if (outcome == success) of <%= $prefix -%>/subsystem=jgroups/stack=udp:read-resource
-<%= $prefix -%>/subsystem=jgroups/stack=udp: remove()
-end-if
-if (outcome == success) of <%= $prefix -%>/socket-binding-group=standard-sockets/socket-binding=jgroups-udp:read-resource
-<%= $prefix -%>/socket-binding-group=standard-sockets/socket-binding=jgroups-udp:remove()
-end-if
-if (outcome == success) of <%= $prefix -%>/socket-binding-group=standard-sockets/socket-binding=jgroups-mping:read-resource
-<%= $prefix -%>/socket-binding-group=standard-sockets/socket-binding=jgroups-mping:remove()
-end-if
-<%- if $operating_mode != 'domain' { -%>
-/interface=private:write-attribute(name=inet-address, value=${jboss.bind.address.private:<%= $jboss_bind_private_address %>})
-/interface=public:write-attribute(name=inet-address, value=${jboss.bind.address:<%= $jboss_bind_public_address %>})
-<%- } -%>
-<%- } -%>
diff --git a/templates/config.cli/11-domain.epp b/templates/config.cli/11-domain.epp
deleted file mode 100644
index 6f99d117..00000000
--- a/templates/config.cli/11-domain.epp
+++ /dev/null
@@ -1,65 +0,0 @@
-<%- |
-String $prefix
-| -%>
-<%# remove load balancer -%>
-if (outcome == success) of /host=master/server-config=load-balancer:read-resource
-/host=master/server-config=load-balancer:remove
-end-if
-if (outcome == success) of /server-group=load-balancer-group:read-resource
-/server-group=load-balancer-group:remove
-end-if
-if (outcome == success) of /profile=load-balancer:read-resource
-/profile=load-balancer:remove
-end-if
-if (outcome == success) of /socket-binding-group=load-balancer-sockets:read-resource
-/socket-binding-group=load-balancer-sockets:remove
-end-if
-
-<%# caches -%>
-<%= $prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
-<%= $prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
-<%= $prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
-<%= $prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
-<%= $prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
-<%= $prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
-<%= $prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
-
-<%# take control of the interfaces -%>
-if (outcome != success) of /interface=management:read-resource()
-/interface=management:add()
-end-if
-if (result != undefined) of /interface=management:read-attribute(name=inet-address)
-/interface=management:write-attribute(name=inet-address, value=undefined)
-end-if
-if (outcome != success) of /interface=private:read-resource()
-/interface=private:add()
-end-if
-if (result != undefined) of /interface=private:read-attribute(name=inet-address)
-/interface=private:write-attribute(name=inet-address, value=undefined)
-end-if
-if (outcome != success) of /interface=public:read-resource()
-/interface=public:add()
-end-if
-if (result != undefined) of /interface=public:read-attribute(name=inet-address)
-/interface=public:write-attribute(name=inet-address, value=undefined)
-end-if
-if (result != public) of /socket-binding-group=ha-sockets:read-attribute(name=default-interface)
-/socket-binding-group=ha-sockets:write-attribute(name=default-interface, value=public)
-end-if
-if (result != defined) of /socket-binding-group=ha-sockets/socket-binding=ajp:read-attribute(name=interface)
-/socket-binding-group=ha-sockets/socket-binding=ajp:write-attribute(name=interface, value=undefined)
-end-if
-if (result != defined) of /socket-binding-group=ha-sockets/socket-binding=http:read-attribute(name=interface)
-/socket-binding-group=ha-sockets/socket-binding=http:write-attribute(name=interface, value=undefined)
-end-if
-if (result != defined) of /socket-binding-group=ha-sockets/socket-binding=https:read-attribute(name=interface)
-/socket-binding-group=ha-sockets/socket-binding=https:write-attribute(name=interface, value=undefined)
-end-if
-if (result != management) of /socket-binding-group=ha-sockets/socket-binding=jgroups-tcp:read-attribute(name=interface)
-/socket-binding-group=ha-sockets/socket-binding=jgroups-tcp:write-attribute(name=interface,value=management)
-end-if
-
-<%# ensure datasource for ee default bindings is correct -%>
-if (result != java:jboss/datasources/KeycloakDS) of <%= $prefix -%>/subsystem=ee/service=default-bindings:read-attribute(name=datasource)
-<%= $prefix -%>/subsystem=ee/service=default-bindings:write-attribute(name=datasource,value=java:jboss/datasources/KeycloakDS)
-end-if
diff --git a/templates/config.cli/12-syslog.epp b/templates/config.cli/12-syslog.epp
deleted file mode 100644
index 03916096..00000000
--- a/templates/config.cli/12-syslog.epp
+++ /dev/null
@@ -1,27 +0,0 @@
-<%- |
-String $prefix,
-Boolean $syslog,
-String $syslog_app_name,
-String $syslog_facility,
-Stdlib::Host $syslog_hostname,
-String $syslog_level,
-Stdlib::Port $syslog_port,
-Stdlib::Host $syslog_server_address,
-Enum['RFC3164', 'RFC5424'] $syslog_format = 'RFC3164'
-| -%>
-<%- if $syslog { -%>
-if (outcome != success) of <%= $prefix -%>/subsystem=logging/syslog-handler=SYSLOG:read-resource
-<%= $prefix -%>/subsystem=logging/syslog-handler=SYSLOG:add
-end-if
-<%= $prefix -%>/subsystem=logging/syslog-handler=SYSLOG/:write-attribute(name=app-name, value=<%= $syslog_app_name %>)
-<%= $prefix -%>/subsystem=logging/syslog-handler=SYSLOG/:write-attribute(name=facility, value=<%= $syslog_facility %>)
-<%= $prefix -%>/subsystem=logging/syslog-handler=SYSLOG/:write-attribute(name=hostname, value=<%= $syslog_hostname %>)
-<%= $prefix -%>/subsystem=logging/syslog-handler=SYSLOG/:write-attribute(name=level, value=<%= $syslog_level %>)
-<%= $prefix -%>/subsystem=logging/syslog-handler=SYSLOG/:write-attribute(name=port, value=<%= $syslog_port %>)
-<%= $prefix -%>/subsystem=logging/syslog-handler=SYSLOG/:write-attribute(name=server-address, value=<%= $syslog_server_address %>)
-<%= $prefix -%>/subsystem=logging/syslog-handler=SYSLOG/:write-attribute(name=syslog-format, value=<%= $syslog_format %>)
-<%- } else { -%>
-if (outcome == success) of <%= $prefix -%>/subsystem=logging/syslog-handler=SYSLOG:read-resource
-<%= $prefix -%>/subsystem=logging/syslog-handler=SYSLOG:remove
-end-if
-<%- } -%>
\ No newline at end of file
diff --git a/templates/config.cli/99-footer.epp b/templates/config.cli/99-footer.epp
deleted file mode 100644
index e71114e5..00000000
--- a/templates/config.cli/99-footer.epp
+++ /dev/null
@@ -1,6 +0,0 @@
-<%- |
-String $operating_mode
-| -%>
-<% if $operating_mode == 'domain' { -%>
-stop-embedded-host-controller
-<% } -%>
diff --git a/templates/database/oracle/module.xml.erb b/templates/database/oracle/module.xml.erb
deleted file mode 100644
index 69bd79a8..00000000
--- a/templates/database/oracle/module.xml.erb
+++ /dev/null
@@ -1,13 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/templates/kcadm-wrapper.sh.erb b/templates/kcadm-wrapper.sh.erb
index 0c9c86ee..030109a3 100644
--- a/templates/kcadm-wrapper.sh.erb
+++ b/templates/kcadm-wrapper.sh.erb
@@ -2,4 +2,4 @@ KCADM="<%= scope['keycloak::install_base'] %>/bin/kcadm.sh"
-${KCADM} "$@" --no-config --server http://localhost:<%= scope['keycloak::http_port'] %><%= scope['keycloak::auth_url_path'] %> --realm master --user <%= scope['keycloak::admin_user'] %> --password <%= scope['keycloak::admin_user_password'] %>
+${KCADM} "$@" --no-config --server <%= scope['keycloak::wrapper_server'] %> --realm master --user <%= scope['keycloak::admin_user'] %> --password <%= scope['keycloak::admin_user_password'] %>
diff --git a/templates/keycloak.conf.erb b/templates/keycloak.conf.erb
new file mode 100644
index 00000000..a9c586a1
--- /dev/null
+++ b/templates/keycloak.conf.erb
@@ -0,0 +1,12 @@
+# File managed by Puppet, do not edit
+<% scope['keycloak::config'].each_pair do |k,v| -%>
+ <%- next if [:undef, nil].include?(v) -%>
+ <%-
+ if v.is_a?(Array)
+ value = v.join(',')
+ else
+ value = v
+ end
+ -%>
+<%= k %>=<%= value %>
+<% end -%>
diff --git a/templates/keycloak.service.erb b/templates/keycloak.service.erb
index 0392f2cf..8094e90f 100644
--- a/templates/keycloak.service.erb
+++ b/templates/keycloak.service.erb
@@ -1,6 +1,7 @@
 [Unit]
-Description=Jboss Application Server
-After=network.target
+Description=Keycloak service
+After=network-online.target
+Wants=network-online.target
 [Service]
 Type=idle
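Review bot: The rewritten `${KCADM}` line still hands the admin credential to kcadm.sh as `--password <%= scope['keycloak::admin_user_password'] %>` on the command line, where it is readable in the process table by any local user for the lifetime of each kcadm run and may be captured by shell or audit logging; the commit only swaps the `--server` value, so this exposure is carried forward unchanged. The wrapper file itself also embeds the password, so the `file` resource that renders it (outside this diff) should keep it owner-only, e.g. `mode => '0700'`. If `keycloak::wrapper_server` can now be an https URL, the hunk does not show how the server certificate is trusted; with `--no-config` there is presumably no persisted kcadm truststore to fall back on, so that should be documented or configured alongside this change.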
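Review bot: `<%= k %>=<%= value %>` writes every `keycloak::config` entry verbatim, and the `Keycloak::Configs` type added in this commit admits `db-password`, `https-key-store-password` and `https-trust-store-password`, so the rendered keycloak.conf contains plaintext secrets; the `file` resource that renders this template is outside the diff, so confirm it sets a restrictive mode and `show_diff => false`, otherwise the password is printed in agent output and reports whenever the file changes. Values are not escaped, so a value containing a newline would be emitted as an additional `key=value` line; the inputs are operator-supplied so this may be acceptable, but it deserves a comment. The `if v.is_a?(Array)` branch would also benefit from a one-line comment such as `# list-valued options are written comma-separated on a single key=value line`.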
@@ -8,21 +9,20 @@ SyslogIdentifier=keycloak
 <% if scope['keycloak::service_environment_file'] -%>
 EnvironmentFile=<%= scope['keycloak::service_environment_file'] %>
 <% end -%>
+EnvironmentFile=<%= scope['keycloak::admin_env'] %>
+<% if scope['keycloak::java_opts'] -%>
+ <%- if scope['keycloak::java_opts'].is_a?(Array) -%>
+Environment='JAVA_OPTS_APPEND=<%= scope['keycloak::java_opts'].join(' ') %>'
+ <%- else -%>
+Environment='JAVA_OPTS_APPEND=<%= scope['keycloak::java_opts'] %>'
+ <%- end -%>
+<% end -%>
 User=<%= scope['keycloak::user'] %>
 Group=<%= scope['keycloak::group'] %>
-<% if scope['keycloak::operating_mode'] == 'standalone'-%>
-ExecStart=<%= scope['keycloak::install_base'] %>/bin/standalone.sh -b <%= scope['keycloak::service_bind_address'] %> -Djboss.http.port=<%= scope['keycloak::http_port'] %><% if scope['keycloak::service_extra_opts'] -%> <%= scope['keycloak::service_extra_opts'] -%><% end %>
-<% elsif scope['keycloak::operating_mode'] == 'clustered'-%>
-ExecStart=<%= scope['keycloak::install_base'] %>/bin/standalone.sh --server-config=standalone-ha.xml -b <%= scope['keycloak::service_bind_address'] %> -Djboss.http.port=<%= scope['keycloak::http_port'] %><% if scope['keycloak::service_extra_opts'] -%> <%= scope['keycloak::service_extra_opts'] -%><% end %>
-<% elsif scope['keycloak::operating_mode'] == 'domain'-%>
-<% if scope['keycloak::role'] == 'master' -%>
-ExecStart=<%= scope['keycloak::install_base'] %>/bin/domain.sh --host-config=host-master.xml -b <%= scope['keycloak::service_bind_address'] %> -Djboss.http.port=<%= scope['keycloak::http_port'] %> -Djboss.bind.address.management=<%= scope['keycloak::management_bind_address'] %> <% if scope['keycloak::service_extra_opts'] -%> <%= scope['keycloak::service_extra_opts'] -%><% end %>
-<% else -%>
-ExecStart=<%= scope['keycloak::install_base'] %>/bin/domain.sh --host-config=host-slave.xml -b <%= scope['keycloak::service_bind_address'] %> -Djboss.http.port=<%= scope['keycloak::http_port'] %> -Djboss.domain.master.address=<%= scope['keycloak::master_address'] %> -Djboss.bind.address.management=<%= scope['keycloak::management_bind_address'] %> <% if scope['keycloak::service_extra_opts'] -%> <%= scope['keycloak::service_extra_opts'] -%><% end %>
-<% end -%>
-<% end -%>
+ExecStart=<%= scope['keycloak::install_base'] %>/bin/kc.sh <%= scope['keycloak::start_command']%> --auto-build<% if scope['keycloak::service_extra_opts'] -%> <%= scope['keycloak::service_extra_opts'] -%><% end %>
 TimeoutStartSec=600
 TimeoutStopSec=600
+SuccessExitStatus=0 143
 [Install]
 WantedBy=multi-user.target
diff --git a/templates/profile.properties.erb b/templates/profile.properties.erb
deleted file mode 100644
index 3d2acb01..00000000
--- a/templates/profile.properties.erb
+++ /dev/null
@@ -1,4 +0,0 @@
-# File managed by Puppet - DO NOT EDIT
-<%- scope['keycloak::tech_preview_features'].each do |feature_name| -%>
-feature.<%= feature_name %>=enabled
-<%- end -%>
diff --git a/types/configs.pp b/types/configs.pp
new file mode 100644
index 00000000..24c6beb8
--- /dev/null
+++ b/types/configs.pp
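Review bot: The two `Environment='JAVA_OPTS_APPEND=…'` lines interpolate `keycloak::java_opts` inside single quotes with no escaping, so an entry containing a `'` yields a unit file that systemd rejects at load time; either validate the parameter where it is declared (outside this diff) or state the restriction in a comment next to the `<%- if scope['keycloak::java_opts'].is_a?(Array) -%>` branch. `EnvironmentFile=<%= scope['keycloak::admin_env'] %>` is unconditional and, judging by the name, presumably carries the initial admin credentials, so the file it points at should be owner-only and always managed, since a missing `EnvironmentFile=` without the `-` prefix makes the unit fail to start. `SuccessExitStatus=0 143` would read better with a comment, `# 143 = 128+SIGTERM, the JVM's exit status on a clean stop`. Style: `<%= scope['keycloak::start_command']%>` lacks the space before `%>` used everywhere else in the template.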
@@ -0,0 +1,56 @@
+# https://www.keycloak.org/server/all-config
+type Keycloak::Configs = Struct[
+ {
+ Optional['cache'] => Enum['local', 'ispn'],
+ Optional['cache-config-file'] => Stdlib::Absolutepath,
+ Optional['cache-stack'] => Enum['tcp','udp','kubernetes','ec2','azure','google'],
+ Optional['db'] => Enum['dev-file','dev-mem','mariadb','mysql','oracle','postgres'],
+ Optional['db-password'] => String[1],
+ Optional['db-pool-initial-size'] => Integer,
+ Optional['db-pool-max-size'] => Integer,
+ Optional['db-pool-min-size'] => Integer,
+ Optional['db-schema'] => String[1],
+ Optional['db-url'] => String[1],
+ Optional['db-url-database'] => String[1],
+ Optional['db-url-host'] => Stdlib::Host,
+ Optional['db-url-port'] => Stdlib::Port,
+ Optional['db-url-properties'] => String[1],
+ Optional['db-username'] => String[1],
+ Optional['transaction-xa-enabled'] => Boolean,
+ Optional['features'] => Array[String[1]],
+ Optional['features-disabled'] => Array[String[1]],
+ Optional['hostname'] => Stdlib::Host,
+ Optional['hostname-path'] => String[1],
+ Optional['hostname-port'] => Stdlib::Port,
+ Optional['hostname-strict'] => Boolean,
+ Optional['hostname-strict-backchannel'] => Boolean,
+ Optional['hostname-strict-https'] => Boolean,
+ Optional['http-enabled'] => Boolean,
+ Optional['http-host'] => Stdlib::Host,
+ Optional['http-port'] => Stdlib::Port,
+ Optional['http-relative-path'] => String[1],
+ Optional['https-certificate-file'] => Stdlib::Absolutepath,
+ Optional['https-certificate-key-file'] => Stdlib::Absolutepath,
+ Optional['https-cipher-suites'] => Array[String[1]],
+ Optional['https-client-auth'] => Enum['none','request','required'],
+ Optional['https-key-store-file'] => Stdlib::Absolutepath,
+ Optional['https-key-store-password'] => String[1],
+ Optional['https-key-store-type'] => String[1],
+ Optional['https-port'] => Stdlib::Port,
+ Optional['https-protocols'] => Array[String[1]],
+ Optional['https-trust-store-file'] => Stdlib::Absolutepath,
+ Optional['https-trust-store-password'] => String[1],
+ Optional['https-trust-store-type'] => String[1],
+ Optional['health-enabled'] => Boolean,
+ Optional['metrics-enabled'] => Boolean,
+ Optional['proxy'] => Enum['edge','reencrypt','passthrough','none'],
+ Optional['vault'] => Enum['vault','vault-dir'],
+ Optional['log'] => Array[Enum['console','file']],
+ Optional['log-console-color'] => Boolean,
+ Optional['log-console-format'] => String[1],
+ Optional['log-console-output'] => Enum['default','json'],
+ Optional['log-file'] => Stdlib::Absolutepath,
+ Optional['log-file-format'] => String[1],
+ Optional['log-level'] => String[1],
+ }
+]
\ No newline at end of file
diff --git a/vagrant-common.sh b/vagrant-common.sh
index 72163930..d9e16508 100755
--- a/vagrant-common.sh
+++ b/vagrant-common.sh
@@ -6,9 +6,9 @@ ln -s /vagrant /etc/puppetlabs/code/environments/production/modules/keycloak
 puppet module install puppetlabs-stdlib
 puppet module install puppetlabs-mysql
 puppet module install puppetlabs-postgresql
+puppet module install puppetlabs-apache
 puppet module install puppetlabs-java
 puppet module install puppetlabs-java_ks
-puppet module install puppetlabs-concat
 puppet module install puppet-archive
 puppet module install camptocamp-systemd
 puppet apply /vagrant/spec/fixtures/test.pp
diff --git a/vagrant/Puppetfile b/vagrant/Puppetfile
deleted file mode 100644
index d09d55ba..00000000
--- a/vagrant/Puppetfile
+++ /dev/null
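Review bot: `db-password`, `https-key-store-password` and `https-trust-store-password` are typed as plain `String[1]`, so they sit unredacted in the catalog and in any report or debug output that prints `keycloak::config`; consider `Variant[String[1], Sensitive[String[1]]]` for those three keys, with the template that renders the hash unwrapping `Sensitive` values (that template is elsewhere in this commit and would need a matching change). A `Struct` rejects any key it does not list, so a header comment saying that this type is an explicit allowlist of the Keycloak options the module supports, and that new options must be added here, would turn a puzzling catalog compilation failure into a documented behaviour. The first line could become `# Allowlist of keycloak.conf options accepted by keycloak::config; see https://www.keycloak.org/server/all-config`.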
@@ -1,24 +0,0 @@
-#!/usr/bin/env ruby
-#^syntax detection
-
-forge "https://forgeapi.puppetlabs.com"
-
-mod 'puppetlabs-stdlib'
-mod 'puppetfinland-easy_ipa',
- :git => 'https://github.com/Puppet-Finland/puppet-ipa.git',
- :commit => '67874ab7f40e4643b77adfd4155f9eb494776bc8'
-mod 'puppetlabs-mysql'
-mod 'puppetlabs-java'
-mod 'puppetlabs-java_ks'
-mod 'puppet-archive'
-mod 'camptocamp-systemd'
-mod 'puppetlabs-concat'
-mod 'puppetlabs-apt'
-mod 'puppetlabs-postgresql'
-mod 'puppetlabs-cron_core'
-mod 'puppetlabs-inifile'
-mod 'puppetlabs-k5login_core'
-mod 'puppetlabs-resource_api'
-mod 'puppetlabs-translate'
-mod 'puppetlabs-puppetserver_gem'
-mod 'puppetlabs-haproxy'
diff --git a/vagrant/Vagrantfile b/vagrant/Vagrantfile
deleted file mode 100644
index b34252ba..00000000
--- a/vagrant/Vagrantfile
+++ /dev/null
@@ -1,107 +0,0 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : - -Vagrant.configure(2) do |config| - config.hostmanager.enabled = true - config.hostmanager.manage_host = true - config.hostmanager.manage_guest = true - config.hostmanager.ignore_private_ip = false - config.hostmanager.include_offline = false - - config.vm.define "db" do |box| - box.vm.box = "centos/7" - box.vm.hostname = 'db.local' - box.vm.synced_folder "..", "/vagrant", type: "virtualbox" - box.hostmanager.manage_guest = true - box.hostmanager.aliases = %w(db) - box.vm.network "private_network", ip: "192.168.168.254" - box.vm.provider 'virtualbox' do |vb| - vb.linked_clone = true - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - vb.customize ["modifyvm", :id, "--audio", "none"] - end - box.vm.provision "shell" do |s| - s.path = "install_agent.sh" - end - box.vm.provision "shell" do |s| - s.path = "run_puppet.sh" - s.args = ["-b", "/vagrant", "-m", "prepare.pp db.pp" ] - end - end - - config.vm.define "master" do |box| - box.vm.box = "centos/7" - box.vm.hostname = 'master.local' - box.vm.synced_folder "..", "/vagrant", type: "virtualbox" - box.hostmanager.manage_guest = true - box.hostmanager.aliases = %w(master) - box.vm.network "private_network", ip: "192.168.168.253" - box.vm.provider 'virtualbox' do |vb| - vb.linked_clone = true - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - vb.customize ["modifyvm", :id, "--audio", "none"] - end - box.vm.provision "shell" do |s| - s.path = "install_agent.sh" - end - box.vm.provision "shell" do |s| - s.path = "run_puppet.sh" - s.args = ["-b", "/vagrant", "-m", "prepare.pp master.pp"] - end - end - - config.vm.define "slave" do |box| - box.vm.box = "centos/7" - box.vm.hostname = 'slave.local' - box.vm.synced_folder "..", "/vagrant", type: "virtualbox" - box.hostmanager.manage_guest = true 
- box.hostmanager.aliases = %w(slave) - box.vm.network "private_network", ip: "192.168.168.252" - box.vm.provider 'virtualbox' do |vb| - vb.linked_clone = true - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - vb.customize ["modifyvm", :id, "--audio", "none"] - end - box.vm.provision "shell" do |s| - s.path = "install_agent.sh" - end - box.vm.provision "shell" do |s| - s.path = "run_puppet.sh" - s.args = ["-b", "/vagrant", "-m", "prepare.pp slave.pp"] - end - end - - config.vm.define "lb" do |box| - box.vm.box = "centos/7" - box.vm.hostname = 'lb.local' - box.vm.synced_folder "..", "/vagrant", type: "virtualbox" - box.hostmanager.manage_guest = true - box.hostmanager.aliases = %w(lb) - box.vm.network "private_network", ip: "192.168.168.251" - box.vm.provider 'virtualbox' do |vb| - vb.linked_clone = true - vb.gui = false - vb.memory = 1024 - vb.customize ["modifyvm", :id, "--ioapic", "on"] - vb.customize ["modifyvm", :id, "--hpet", "on"] - vb.customize ["modifyvm", :id, "--audio", "none"] - end - box.vm.provision "shell" do |s| - s.path = "install_agent.sh" - end - box.vm.provision "shell" do |s| - s.path = "run_puppet.sh" - s.args = ["-b", "/vagrant", "-m", "prepare.pp lb.pp"] - end - end -end - diff --git a/vagrant/db.pp b/vagrant/db.pp deleted file mode 100644 index b9fb0faa..00000000 --- a/vagrant/db.pp +++ /dev/null 
@@ -1,36 +0,0 @@
-class { '::postgresql::globals':
- manage_package_repo => $manage_package_repo,
- version => $postgresql_version,
-}
-
-class { '::postgresql::server':
- listen_addresses => $postgresql_listen_address,
- require => Class['::postgresql::globals']
-}
-
-::postgresql::server::role { $db_username:
- password_hash => postgresql_password($db_username, $db_password),
- connection_limit => $db_connection_limit,
- require => Class['::postgresql::server']
-}
-
-::postgresql::server::database_grant { "Grant all to ${db_username}":
- privilege => 'ALL',
- db => $db_database,
- role => $db_username,
-}
-
-::postgresql::server::db { $db_database:
- user => $db_username,
- password => postgresql_password($db_username, $db_password),
-}
-
-postgresql::server::pg_hba_rule { 'Allow Keycloak instances network access to the database':
- description => 'Open up PostgreSQL for access from 192.168.168.0/24',
- type => 'host',
- database => $db_username,
- user => $db_password,
- address => '192.168.168.0/24',
- auth_method => 'md5',
- require => Class['::postgresql::server']
-}
diff --git a/vagrant/install_agent.sh b/vagrant/install_agent.sh
deleted file mode 100755
index 19b70e92..00000000
--- a/vagrant/install_agent.sh
+++ /dev/null
@@ -1,69 +0,0 @@ -#!/bin/sh - -# Exit on any error -set -e - -CWD=`pwd` - -detect_osfamily() { - if [ -f /etc/redhat-release ]; then - OSFAMILY='redhat' - RELEASE=$(cat /etc/redhat-release) - if [ "`echo $RELEASE | grep -E 7\.[0-9]+`" ]; then - RHEL_VERSION="7" - else - echo "Unsupported Redhat/Centos version. Supported versions are 7.x" - exit 1 - fi - elif [ "`lsb_release -d | grep -E '(Ubuntu|Debian)'`" ]; then - OSFAMILY='debian' - DESCR="$(lsb_release -d | awk '{ print $2}')" - if [ `echo $DESCR|grep Ubuntu` ]; then - UBUNTU_VERSION="$(lsb_release -c | awk '{ print $2}')" - elif [ `echo $DESCR|grep Debian` ]; then - DEBIAN_VERSION="$(lsb_release -c | awk '{ print $2}')" - else - echo "Unsupported Debian family operating system. Supported are Debian and Ubuntu" - exit 1 - fi - else - echo "ERROR: unsupported osfamily. Supported are Debian and RedHat" - exit 1 - fi -} - -setup_puppet() { - if [ -x /opt/puppetlabs/bin/puppet ]; then - true - else - if [ $RHEL_VERSION ]; then - RELEASE_URL="https://yum.puppetlabs.com/puppet6/puppet6-release-el-${RHEL_VERSION}.noarch.rpm" - rpm -hiv "${RELEASE_URL}" || (c=$?; echo "Failed to install ${RELEASE_URL}"; (exit $c)) - yum -y install puppet-agent || (c=$?; echo "Failed to install puppet agent"; (exit $c)) - if systemctl list-unit-files --type=service | grep firewalld; then - systemctl stop firewalld - systemctl disable firewalld - systemctl mask firewalld - fi - else - if [ $UBUNTU_VERSION ]; then - APT_URL="https://apt.puppetlabs.com/puppet6-release-${UBUNTU_VERSION}.deb" - fi - if [ $DEBIAN_VERSION ]; then - APT_URL="https://apt.puppetlabs.com/puppet6-release-${DEBIAN_VERSION}.deb" - fi - # https://serverfault.com/questions/500764/dpkg-reconfigure-unable-to-re-open-stdin-no-file-or-directory - export DEBIAN_FRONTEND=noninteractive - FILE="$(mktemp -d)/puppet-release.db" - wget "${APT_URL}" -qO $FILE || (c=$?; echo "Failed to retrieve ${APT_URL}"; (exit $c)) - dpkg --install $FILE; rm $FILE; apt-get update || (c=$?; echo 
"Failed to install from ${FILE}"; (exit $c)) - apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -y install puppet-agent || (c=$?; echo "Failed to install puppet agent"; (exit $c)) - fi - fi -} - -# Main program -detect_osfamily -setup_puppet - -cd $CWD diff --git a/vagrant/lb.pp b/vagrant/lb.pp deleted file mode 100644 index 3be769c7..00000000 --- a/vagrant/lb.pp +++ /dev/null @@ -1,38 +0,0 @@ -notify { 'Installing Load Balancer': } - -include ::haproxy - -haproxy::listen { 'kc': - collect_exported => false, - ipaddress => $facts['networking']['interfaces']['eth1']['ip'], - mode => 'http', - ports => '80', - options => { - 'option' => [ - 'tcplog', - 'forwardfor', - 'http-keep-alive' - ], - 'balance' => 'roundrobin', - 'cookie' => 'SRVNAME insert', - 'http-request' => 'set-header X-Forwarded-Port %[dst_port]', - }, -} - -haproxy::balancermember { 'master': - listening_service => 'kc', - server_names => 'master.local', - ipaddresses => '192.168.168.253', - ports => '8080', - options => 'cookie DC check', -} - -haproxy::balancermember { 'slave': - listening_service => 'kc', - server_names => 'slave.local', - ipaddresses => '192.168.168.252', - ports => '8080', - options => 'cookie HC check', -} - - diff --git a/vagrant/master.pp b/vagrant/master.pp deleted file mode 100644 index 1ddd1732..00000000 --- a/vagrant/master.pp +++ /dev/null 
@@ -1,51 +0,0 @@
-notify { 'Installing Master': }
-
-class { '::keycloak':
- operating_mode => 'domain',
- role => 'master',
- management_bind_address => '192.168.168.253',
- enable_jdbc_ping => true,
- wildfly_user => $keycloak_wildfly_user,
- wildfly_user_password => $keycloak_wildfly_user_password,
- manage_install => true,
- manage_datasource => false,
- version => $keycloak_version,
- datasource_driver => 'postgresql',
- datasource_host => $keycloak_datasource_host,
- datasource_port => 5432,
- datasource_dbname => $keycloak_datasource_dbname,
- datasource_username => $keycloak_datasource_username,
- datasource_password => $keycloak_datasource_password,
- admin_user => $keycloak_admin_user,
- admin_user_password => $keycloak_admin_user_password,
- service_bind_address => '0.0.0.0',
- proxy_https => false,
- syslog => true,
-}
-
-keycloak_realm { 'TEST.NET':
- ensure => 'present',
- display_name => 'TEST.NET',
- display_name_html => 'TEST.NET',
- login_with_email_allowed => false,
- remember_me => false,
- events_enabled => true,
- admin_events_enabled => true,
- admin_events_details_enabled => true,
-}
-
-keycloak_client { 'example.com':
- ensure => 'present',
- realm => 'TEST.NET',
- standard_flow_enabled => true,
- protocol => 'saml',
- full_scope_allowed => true,
- service_accounts_enabled => false,
- base_url => 'https://example.com/',
- redirect_uris => [
- 'https://example.com/',
- 'https://example.com/*',
- ],
- require => Keycloak_realm['TEST.NET'],
-}
-
diff --git a/vagrant/prepare.pp b/vagrant/prepare.pp
deleted file mode 100644
index 2c6d655b..00000000
--- a/vagrant/prepare.pp
+++ /dev/null
@@ -1,28 +0,0 @@
-notify { 'Preparing for setup': }
-
-$tools = [ 'tcpdump', 'strace', 'nmap', 'screen', 'net-tools' ]
-
-package { $tools:
- ensure => 'installed',
-}
-
-package { 'r10k':
- ensure => 'present',
- provider => 'puppet_gem',
-}
-
-package { 'git':
- ensure => 'latest',
-}
-
-exec { 'Update modules':
- logoutput => true,
- command => "r10k puppetfile install --puppetfile ${::basedir}/vagrant/Puppetfile --verbose --moduledir /etc/puppetlabs/code/environments/production/modules", # lint:ignore:140chars
- timeout => 600,
- path => ['/bin','/usr/bin','/opt/puppetlabs/bin','/opt/puppetlabs/puppet/bin'],
-}
-
-file { '/etc/puppetlabs/code/environments/production/modules/keycloak':
- ensure => 'link',
- target => $::basedir,
-}
diff --git a/vagrant/run_puppet.sh b/vagrant/run_puppet.sh
deleted file mode 100755
index 0c1f2f47..00000000
--- a/vagrant/run_puppet.sh
+++ /dev/null
@@ -1,72 +0,0 @@ -#!/bin/sh - -# Exit on any error -set -e - -# Preparations required prior to "puppet apply". - -usage() { - echo - echo "Usage: run_puppet.sh -b basedir" - echo - echo "Options:" - echo " -b Base directory for dependency Puppet modules installed by" - echo " librarian-puppet." - echo " -m Puppet manifests to run. Put them in the provision folder" - echo " -d Turn on debugging" - exit 1 -} - -# Parse the options - -# We are run without parameters -> usage -if [ "$1" = "" ]; then - usage -fi - -while getopts "b:m:h:d:" options; do - case $options in - b ) BASEDIR=$OPTARG;; - m ) MANIFESTS=$OPTARG;; - d ) DEBUG=$OPTARG;; - h ) usage;; - \? ) usage;; - * ) usage;; - esac -done - -CWD=`pwd` - -# Configure with "puppet apply" -if [ "$DEBUG" == "true" ]; then - PUPPET_APPLY="/opt/puppetlabs/bin/puppet apply --verbose --debug --trace --summarize" -else - PUPPET_APPLY="/opt/puppetlabs/bin/puppet apply" -fi - -# Pass variables to Puppet manifests via environment variables -export FACTER_profile='/etc/profile.d/myprofile.sh' -export FACTER_basedir="$BASEDIR" -export FACTER_keycloak_version='12.0.2' -export FACTER_keycloak_datasource_host='db.local' -export FACTER_keycloak_datasource_dbname='keycloak' -export FACTER_keycloak_datasource_username='keycloak' -export FACTER_keycloak_datasource_password='keycloak' -export FACTER_keycloak_admin_user='admin' -export FACTER_keycloak_admin_user_password='changeme' -export FACTER_keycloak_wildfly_user='wildfly' -export FACTER_keycloak_wildfly_user_password='wildfly' -export FACTER_manage_package_repo='false' -export FACTER_postgresql_version='9.6' -export FACTER_postgresql_manage_package_repo='true' -export FACTER_postgresql_listen_address='*' -export FACTER_db_username='keycloak' -export FACTER_db_password='keycloak' -export FACTER_db_database='keycloak' -export FACTER_db_connection_limit='300' - -for manifest in $MANIFESTS; do - $PUPPET_APPLY /vagrant/vagrant/$manifest -done - -cd $CWD 
diff --git a/vagrant/slave.pp b/vagrant/slave.pp
deleted file mode 100644
index bb35f87e..00000000
--- a/vagrant/slave.pp
+++ /dev/null
@@ -1,26 +0,0 @@
-notify { 'Installing Slave': }
-
-class { '::keycloak':
- operating_mode => 'domain',
- role => 'slave',
- enable_jdbc_ping => true,
- management_bind_address => '192.168.168.252',
- wildfly_user => $keycloak_wildfly_user,
- wildfly_user_password => $keycloak_wildfly_user_password,
- master_address => '192.168.168.253',
- manage_install => true,
- manage_datasource => false,
- version => $keycloak_version,
- datasource_driver => 'postgresql',
- datasource_host => $keycloak_datasource_host,
- datasource_port => 5432,
- datasource_dbname => $keycloak_datasource_dbname,
- datasource_username => $keycloak_datasource_username,
- datasource_password => $keycloak_datasource_password,
- admin_user => $keycloak_admin_user,
- admin_user_password => $keycloak_admin_user_password,
- service_bind_address => '0.0.0.0',
- proxy_https => false,
- syslog => true,
-}
-