Puppet Class: keycloak

Defined in:
manifests/init.pp

Summary

Manage Keycloak

Overview

Examples:

include ::keycloak

Parameters:

  • manage_install (Boolean) (defaults to: true)

    Install Keycloak from upstream Keycloak tarball. Set to false to manage installation of Keycloak outside this module and set $install_dir to match. Defaults to true.

  • version (String) (defaults to: '22.0.0')

    Version of Keycloak to install and manage. Unless package_url is set, the tarball for exactly this version is fetched from the upstream GitHub release, so keep this pinned to a currently supported release.

  • package_url (Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]]) (defaults to: undef)

    URL of the Keycloak download. Default is the upstream GitHub release tarball for the configured version. This class exposes no checksum or signature parameter for the download, so if you point this at a mirror, verify the archive's integrity by other means.

  • install_dir (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    The directory of where to install Keycloak. Default is /opt/keycloak-${version}.

  • java_package_dependencies (Array[String[1]]) (defaults to: [])

    Packages to install before Java

  • java_declare_method (Enum['include','class']) (defaults to: 'class')

    How to declare the Java class within this module. The include value only includes the java class; the class method declares the Java class and passes the necessary parameters. For RedHat based systems this defaults to class, other OSes default to include.

  • java_package (String[1]) (defaults to: 'java-17-openjdk-devel')

    Java package name, only used when java_declare_method is class

  • java_home (Stdlib::Absolutepath) (defaults to: '/usr/lib/jvm/java-17-openjdk')

    Java home path. This value is used when java_declare_method is class as well as to set JAVA_HOME environment variable for the Keycloak service.

  • java_alternative_path (Stdlib::Absolutepath) (defaults to: '/usr/lib/jvm/java-17-openjdk/bin/java')

    Java alternative path, only used when java_declare_method is class

  • java_alternative (String[1]) (defaults to: '/usr/lib/jvm/java-17-openjdk/bin/java')

    Java alternative, only used when java_declare_method is class

  • service_name (String) (defaults to: 'keycloak')

    Keycloak service name. Default is keycloak.

  • service_ensure (String) (defaults to: 'running')

    Keycloak service ensure property. Default is running.

  • service_enable (Boolean) (defaults to: true)

    Keycloak service enable property. Default is true.

  • java_opts (Optional[Variant[String, Array]]) (defaults to: undef)

    Sets additional options to Java virtual machine environment variable.

  • start_command (Enum['start','start-dev']) (defaults to: 'start')

    The start command to use to run Keycloak

  • service_extra_opts (Optional[String]) (defaults to: undef)

    Additional options added to the end of the service command-line.

  • service_environment_file (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Path to the file with environment variables for the systemd service

  • conf_dir_mode (Stdlib::Filemode) (defaults to: '0755')

    The mode for the configuration directory. keycloak.conf in this directory carries db-password (and, when truststore is true, the truststore password), so do not make the directory more permissive than the deployment requires; this parameter sets the directory mode only, not the mode of keycloak.conf itself.

  • conf_dir_purge (Boolean) (defaults to: true)

    Purge unmanaged files in configuration directory

  • conf_dir_purge_ignore (Array) (defaults to: ['cache-ispn.xml', 'README.md', 'truststore.jks'])

    The files to ignore when unmanaged files are purged from the configuration directory

  • configs (Keycloak::Configs) (defaults to: {})

    Define additional configs for keycloak.conf

  • extra_configs (Hash[String, Variant[String[1],Boolean,Array]]) (defaults to: {})

    Additional configs for keycloak.conf

  • hostname (Variant[Stdlib::Host, Enum['unset','UNSET']]) (defaults to: $facts['networking']['fqdn'])

    hostname to set in keycloak.conf. Set to unset or UNSET to leave it out of keycloak.conf. When http_enabled is false, this value (or the node's FQDN if unset) is the address the admin wrapper and the connectivity validator use over HTTPS.

  • http_enabled (Boolean) (defaults to: true)

    Whether to enable HTTP. Defaults to true, so together with the http_host default of 0.0.0.0 and the proxy default of none, Keycloak serves plaintext HTTP on every interface out of the box; set this to false (and configure TLS) or front it with a proxy before exposing the service.

  • http_host (Stdlib::IP::Address) (defaults to: '0.0.0.0')

    HTTP bind address. When this is 0.0.0.0 or 127.0.0.1 the admin wrapper and the connectivity validator connect to localhost; any other value is used as the connection address verbatim.

  • http_port (Stdlib::Port) (defaults to: 8080)

    HTTP port

  • https_port (Stdlib::Port) (defaults to: 8443)

    HTTPS port

  • http_relative_path (Pattern[/^\/.*/]) (defaults to: '/')

    Set the path relative to '/' for serving resources. The path must start with a '/'.

  • manage_user (Boolean) (defaults to: true)

    Defines if the module should manage the Linux user for Keycloak installation

  • user (String) (defaults to: 'keycloak')

    Keycloak user name. Default is keycloak.

  • user_shell (Stdlib::Absolutepath) (defaults to: '/sbin/nologin')

    Keycloak user shell.

  • group (String) (defaults to: 'keycloak')

    Keycloak user group name. Default is keycloak.

  • user_uid (Optional[Integer]) (defaults to: undef)

    Keycloak user UID. Default is undef.

  • group_gid (Optional[Integer]) (defaults to: undef)

    Keycloak user group GID. Default is undef.

  • system_user (Boolean) (defaults to: true)

    If keycloak user should be a system user with lower uid and gid. Default is true

  • admin_user (String) (defaults to: 'admin')

    Keycloak administrative username. Default is admin.

  • admin_user_password (String) (defaults to: 'changeme')

    Keycloak administrative user password. Default is changeme, a placeholder that must be overridden for any non-throwaway deployment. The parameter is a plain String (not Sensitive), so the value is present in the compiled catalog.

  • manage_db (Boolean) (defaults to: true)

    Boolean that determines if configured database will be managed.

  • manage_db_server (Boolean) (defaults to: true)

    Include the DB server class for postgres, mariadb or mysql

  • db (Enum['dev-file', 'dev-mem', 'mariadb', 'mysql', 'oracle', 'postgres']) (defaults to: 'dev-file')

    Database driver to use for Keycloak.

  • db_url_host (Optional[Stdlib::Host]) (defaults to: undef)

    Database host.

  • db_url_port (Optional[Stdlib::Port]) (defaults to: undef)

    Database port.

  • db_url (Optional[String[1]]) (defaults to: undef)

    Database url.

  • db_url_database (String[1]) (defaults to: 'keycloak')

    Database name.

  • db_username (String[1]) (defaults to: 'keycloak')

    Database user name.

  • db_password (String[1]) (defaults to: 'changeme')

    Database user password. Default is changeme and must be overridden. The value is written to keycloak.conf as db-password, so keep that file's permissions tight.

  • db_charset (String) (defaults to: 'utf8')

    MySQL and MariaDB database charset

  • db_collate (String) (defaults to: 'utf8_general_ci')

    MySQL and MariaDB database collate

  • db_encoding (String) (defaults to: 'UTF8')

    PostgreSQL database encoding

  • features (Optional[Array[String[1]]]) (defaults to: undef)

    Keycloak features to enable

  • features_disabled (Optional[Array[String[1]]]) (defaults to: undef)

    Keycloak features to disable

  • truststore (Boolean) (defaults to: false)

    Boolean that sets if truststore should be used. Default is false.

  • truststore_hosts (Hash) (defaults to: {})

    Hash that is used to define keycloak::truststore::host resources. Default is {}.

  • truststore_password (String) (defaults to: 'keycloak')

    Truststore password. Default is keycloak, a placeholder that should be overridden. When truststore is true the value is written to keycloak.conf as https-trust-store-password.

  • proxy (Enum['edge','reencrypt','passthrough','none']) (defaults to: 'none')

    Type of proxy to use for Keycloak (the proxy option in keycloak.conf). Default is none; set it to match the reverse proxy actually in front of Keycloak.

  • realms (Hash) (defaults to: {})

    Hash that is used to define keycloak_realm resources. Default is {}.

  • realms_merge (Boolean) (defaults to: false)

    Boolean that sets if realms should be merged from Hiera.

  • oidc_client_scopes (Hash) (defaults to: {})

    Hash that is used to define keycloak::client_scope::oidc resources. Default is {}.

  • oidc_client_scopes_merge (Boolean) (defaults to: false)

    Boolean that sets if oidc_client_scopes should be merged from Hiera.

  • saml_client_scopes (Hash) (defaults to: {})

    Hash that is used to define keycloak::client_scope::saml resources. Default is {}.

  • saml_client_scopes_merge (Boolean) (defaults to: false)

    Boolean that sets if saml_client_scopes should be merged from Hiera.

  • identity_providers (Hash) (defaults to: {})

    Hash that is used to define keycloak_identity_provider resources.

  • identity_providers_merge (Boolean) (defaults to: false)

    Boolean that sets if identity_providers should be merged from Hiera.

  • client_protocol_mappers (Hash) (defaults to: {})

    Hash that is used to define keycloak_client_protocol_mapper resources.

  • client_scopes (Hash) (defaults to: {})

    Hash that is used to define keycloak_client_scope resources.

  • client_scopes_merge (Boolean) (defaults to: false)

    Boolean that sets if client_scopes should be merged from Hiera.

  • protocol_mappers (Hash) (defaults to: {})

    Hash that is used to define keycloak_protocol_mapper resources.

  • protocol_mappers_merge (Boolean) (defaults to: false)

    Boolean that sets if protocol_mappers should be merged from Hiera.

  • clients (Hash) (defaults to: {})

    Hash that is used to define keycloak_client resources.

  • clients_merge (Boolean) (defaults to: false)

    Boolean that sets if clients should be merged from Hiera.

  • flows (Hash) (defaults to: {})

    Hash that is used to define keycloak_flow resources.

  • flows_merge (Boolean) (defaults to: false)

    Boolean that sets if flows should be merged from Hiera.

  • flow_executions (Hash) (defaults to: {})

    Hash that is used to define keycloak_flow resources.

  • flow_executions_merge (Boolean) (defaults to: false)

    Boolean that sets if flow_executions should be merged from Hiera.

  • required_actions (Hash) (defaults to: {})

    Hash that is used to define keycloak_required_action resources.

  • required_actions_merge (Boolean) (defaults to: false)

    Boolean that sets if required_actions should be merged from Hiera.

  • ldap_mappers (Hash) (defaults to: {})

    Hash that is used to define keycloak_ldap_mapper resources.

  • ldap_mappers_merge (Boolean) (defaults to: false)

    Boolean that sets if ldap_mappers should be merged from Hiera.

  • ldap_user_providers (Hash) (defaults to: {})

    Hash that is used to define keycloak_ldap_user_provider resources.

  • ldap_user_providers_merge (Boolean) (defaults to: false)

    Boolean that sets if ldap_user_providers should be merged from Hiera.

  • with_sssd_support (Boolean) (defaults to: false)

    Boolean that determines if SSSD user provider support should be available

  • libunix_dbus_java_source (Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]) (defaults to: 'https://github.com/keycloak/libunix-dbus-java/archive/libunix-dbus-java-0.8.0.tar.gz')

    Source URL of the libunix-dbus-java archive that is downloaded and built when with_sssd_support is true. No checksum parameter is exposed for it, so pin this to a trusted source or verify the archive out of band.

  • install_libunix_dbus_java_build_dependencies (Boolean) (defaults to: true)

    Boolean that determines whether the libunix-dbus-java build dependencies are managed by this module.

  • libunix_dbus_java_build_dependencies (Array) (defaults to: [])

    Packages needed to build libunix-dbus-java

  • libunix_dbus_java_libdir (Stdlib::Absolutepath) (defaults to: '/usr/lib64')

    Path to directory to install libunix-dbus-java libraries

  • jna_package_name (String) (defaults to: 'jna')

    Package name for jna

  • manage_sssd_config (Boolean) (defaults to: true)

    Boolean that determines if SSSD ifp config for Keycloak is managed

  • sssd_ifp_user_attributes (Array) (defaults to: [])

    user_attributes to define for SSSD ifp service

  • restart_sssd (Boolean) (defaults to: true)

    Boolean that determines if SSSD should be restarted

  • spi_deployments (Hash) (defaults to: {})

    Hash used to define keycloak::spi_deployment resources

  • partial_imports (Hash) (defaults to: {})

    Hash used to define keycloak::partial_import resources

  • providers_purge (Boolean) (defaults to: true)

    Purge the providers directory of unmanaged SPIs

  • custom_config_content (Optional[String]) (defaults to: undef)

    Custom configuration content to be added to keycloak.conf

  • custom_config_source (Optional[Variant[String, Array]]) (defaults to: undef)

    Custom configuration source file to be added to keycloak.conf

  • validator_test_url (String) (defaults to: '/realms/master/.well-known/openid-configuration')

    The URL path used by the connectivity validator. Only necessary to set if the URL path to Keycloak is modified.



# File 'manifests/init.pp', line 223

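# Install, configure and run a Keycloak server.
#
# Parameter documentation is in the puppet-strings header above. Points a
# deployer should act on before using this class outside a lab:
#   * admin_user_password, db_password and truststore_password default to
#     placeholder values ('changeme' / 'keycloak') and are plain String
#     parameters, so they are present in the compiled catalog; db_password and
#     (when enabled) truststore_password are also written into keycloak.conf.
#   * http_enabled defaults to true on http_host 0.0.0.0 with proxy 'none',
#     i.e. plaintext HTTP on every interface.
#   * Neither the Keycloak tarball nor libunix-dbus-java has a checksum or
#     signature parameter in this class.
class keycloak (
  Boolean $manage_install       = true,
  String $version               = '22.0.0',
  Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]] $package_url= undef,
  Optional[Stdlib::Absolutepath] $install_dir = undef,
  Array[String[1]] $java_package_dependencies = [],
  Enum['include','class'] $java_declare_method = 'class',
  String[1] $java_package = 'java-17-openjdk-devel',
  Stdlib::Absolutepath $java_home = '/usr/lib/jvm/java-17-openjdk',
  Stdlib::Absolutepath $java_alternative_path = '/usr/lib/jvm/java-17-openjdk/bin/java',
  String[1] $java_alternative = '/usr/lib/jvm/java-17-openjdk/bin/java',
  String $service_name          = 'keycloak',
  String $service_ensure        = 'running',
  Boolean $service_enable       = true,
  Optional[Variant[String, Array]] $java_opts = undef,
  Enum['start','start-dev'] $start_command = 'start',
  Optional[String] $service_extra_opts = undef,
  Optional[Stdlib::Absolutepath] $service_environment_file = undef,
  Stdlib::Filemode $conf_dir_mode = '0755',
  Boolean $conf_dir_purge = true,
  Array $conf_dir_purge_ignore = ['cache-ispn.xml', 'README.md', 'truststore.jks'],
  Keycloak::Configs $configs = {},
  Hash[String, Variant[String[1],Boolean,Array]] $extra_configs = {},
  Variant[Stdlib::Host, Enum['unset','UNSET']] $hostname = $facts['networking']['fqdn'],
  Boolean $http_enabled = true,
  Stdlib::IP::Address $http_host = '0.0.0.0',
  Stdlib::Port $http_port = 8080,
  Stdlib::Port $https_port = 8443,
  Pattern[/^\/.*/] $http_relative_path = '/',
  Boolean $manage_user = true,
  String $user                  = 'keycloak',
  Stdlib::Absolutepath $user_shell = '/sbin/nologin',
  String $group                 = 'keycloak',
  Boolean $system_user          = true,
  Optional[Integer] $user_uid   = undef,
  Optional[Integer] $group_gid  = undef,
  String $admin_user            = 'admin',
  String $admin_user_password   = 'changeme',
  Boolean $manage_db = true,
  Boolean $manage_db_server = true,
  Enum['dev-file', 'dev-mem', 'mariadb', 'mysql', 'oracle', 'postgres'] $db = 'dev-file',
  Optional[Stdlib::Host] $db_url_host = undef,
  Optional[Stdlib::Port] $db_url_port = undef,
  Optional[String[1]] $db_url = undef,
  String[1] $db_url_database = 'keycloak',
  String[1] $db_username = 'keycloak',
  String[1] $db_password = 'changeme',
  String $db_charset = 'utf8',
  String $db_collate = 'utf8_general_ci',
  String $db_encoding = 'UTF8',
  Optional[Array[String[1]]] $features = undef,
  Optional[Array[String[1]]] $features_disabled = undef,
  Boolean $truststore = false,
  Hash $truststore_hosts = {},
  String $truststore_password = 'keycloak',
  Enum['edge','reencrypt','passthrough','none'] $proxy = 'none',
  Hash $realms = {},
  Boolean $realms_merge = false,
  Hash $oidc_client_scopes = {},
  Boolean $oidc_client_scopes_merge = false,
  Hash $saml_client_scopes = {},
  Boolean $saml_client_scopes_merge = false,
  Hash $client_protocol_mappers = {},
  Hash $client_scopes = {},
  Boolean $client_scopes_merge = false,
  Hash $protocol_mappers = {},
  Boolean $protocol_mappers_merge = false,
  Hash $identity_providers = {},
  Boolean $identity_providers_merge = false,
  Hash $clients = {},
  Boolean $clients_merge = false,
  Hash $flows = {},
  Boolean $flows_merge = false,
  Hash $flow_executions = {},
  Hash $required_actions = {},
  Boolean $required_actions_merge = false,
  Hash $ldap_mappers = {},
  Boolean $ldap_mappers_merge = false,
  Hash $ldap_user_providers = {},
  Boolean $ldap_user_providers_merge = false,
  Boolean $flow_executions_merge = false,
  Boolean $with_sssd_support = false,
  Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl] $libunix_dbus_java_source = 'https://github.com/keycloak/libunix-dbus-java/archive/libunix-dbus-java-0.8.0.tar.gz',
  Boolean $install_libunix_dbus_java_build_dependencies = true,
  Array $libunix_dbus_java_build_dependencies = [],
  Stdlib::Absolutepath $libunix_dbus_java_libdir = '/usr/lib64',
  String $jna_package_name = 'jna',
  Boolean $manage_sssd_config = true,
  Array $sssd_ifp_user_attributes = [],
  Boolean $restart_sssd = true,
  Hash $spi_deployments = {},
  Hash $partial_imports = {},
  Boolean $providers_purge = true,
  Optional[String] $custom_config_content = undef,
  Optional[Variant[String, Array]] $custom_config_source = undef,
  String $validator_test_url = '/realms/master/.well-known/openid-configuration',
) {
  # Only RedHat and Debian families are supported; refuse anything else early.
  if ! ($facts['os']['family'] in ['RedHat','Debian']) {
    fail("Unsupported osfamily: ${facts['os']['family']}, module ${module_name} only support osfamilies Debian and Redhat")
  }

  # Upstream GitHub release tarball unless the caller supplies its own URL.
  # Nothing in this class verifies the archive (no checksum parameter).
  $download_url = pick($package_url, "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.tar.gz")

  # Layout of the installation; these paths are shared with the other
  # keycloak:: classes (not shown here).
  $install_base = pick($install_dir, "/opt/keycloak-${keycloak::version}")
  $conf_dir = "${install_base}/conf"
  $admin_env = "${conf_dir}/admin.env"
  $truststore_file = "${conf_dir}/truststore.jks"
  $tmp_dir = "${install_base}/tmp"
  $providers_dir = "${install_base}/providers"
  $wrapper_path = "${keycloak::install_base}/bin/kcadm-wrapper.sh"

  # keycloak.conf keys derived from the class parameters. Undefined values
  # and the 'unset'/'UNSET' sentinel are dropped so they are not written.
  # db-password lands in keycloak.conf in clear text.
  $default_config = {
    'hostname' => $hostname,
    'http-enabled' => $http_enabled,
    'http-host' => $http_host,
    'http-port' => $http_port,
    'https-port' => $https_port,
    'http-relative-path' => $http_relative_path,
    'db' => $db,
    'db-url-host' => $db_url_host,
    'db-url-port' => $db_url_port,
    'db-url' => $db_url,
    'db-url-database' => $db_url_database,
    'db-username' => $db_username,
    'db-password' => $db_password,
    'features' => $features,
    'features-disabled' => $features_disabled,
    'proxy' => $proxy,
  }.filter |$key, $value| { $value =~ NotUndef and ! ($value in ['unset', 'UNSET']) }
  # Truststore settings (including its password) are only emitted when enabled.
  if $truststore {
    $truststore_configs = {
      'https-trust-store-file' => $truststore_file,
      'https-trust-store-password' => $truststore_password,
    }
  } else {
    $truststore_configs = {}
  }
  # Later hashes win: extra_configs overrides configs, which overrides the
  # derived defaults. Everything below reads the merged result, not the raw
  # parameters, so overrides are honoured consistently.
  $config = $default_config + $truststore_configs + $configs + $extra_configs

  # Decide how the kcadm wrapper and the connectivity validator reach Keycloak.
  # Over HTTP, a bind on every interface (IPv4 0.0.0.0 or IPv6 ::) or on the
  # IPv4 loopback is reached via 'localhost'; any other address is used as-is.
  if $config['http-enabled'] {
    $wrapper_protocol = 'http'
    $wrapper_port = $config['http-port']
    $validator_port = $config['http-port']
    $validator_ssl = false
    if $config['http-host'] in ['0.0.0.0', '127.0.0.1', '::'] {
      $wrapper_address = 'localhost'
      $validator_server = 'localhost'
    } else {
      $wrapper_address = $config['http-host']
      $validator_server = $config['http-host']
    }
  } else {
    # HTTPS only: connect to the configured hostname (falling back to the
    # node FQDN when hostname was left unset) on the HTTPS port.
    if $config['hostname'] in ['unset', 'UNSET'] {
      $effective_hostname = $facts['networking']['fqdn']
    } else {
      $effective_hostname = $config['hostname']
    }
    $wrapper_protocol = 'https'
    $wrapper_port = $config['https-port']
    $wrapper_address = $effective_hostname
    $validator_port = $config['https-port']
    $validator_server = $effective_hostname
    $validator_ssl = true
  }
  # An IPv6 literal must be bracketed inside a URL authority (RFC 3986 3.2.2);
  # hostnames and IPv4 addresses never contain a colon, so they pass through.
  $wrapper_url_host = $wrapper_address ? {
    /:/     => "[${wrapper_address}]",
    default => $wrapper_address,
  }
  $wrapper_server = "${wrapper_protocol}://${wrapper_url_host}:${wrapper_port}${config['http-relative-path']}"

  # Service command line: kc.sh <start|start-dev> [extra opts].
  $service_start = [
    "${install_base}/bin/kc.sh",
    $start_command,
    $service_extra_opts,
  ].filter |$s| { $s =~ NotUndef }
  $service_start_cmd = join($service_start, ' ')

  # Packages that must be present before the Java class runs.
  $java_package_dependencies.each |$package| {
    package { $package:
      ensure => 'installed',
      before => Class['java'],
    }
  }

  # Either include the java class untouched or declare it with our JDK settings.
  if $java_declare_method == 'include' {
    contain java
  } else {
    class { 'java':
      package               => $java_package,
      java_home             => $java_home,
      java_alternative_path => $java_alternative_path,
      java_alternative      => $java_alternative,
    }
  }

  contain 'keycloak::install'
  contain 'keycloak::config'
  contain 'keycloak::service'

  # Java -> install -> config -> service ordering.
  Class['java']
  -> Class['keycloak::install']
  -> Class['keycloak::config']
  -> Class['keycloak::service']

  # Only these backends have a managed DB class; dev-file/dev-mem/oracle do not.
  if $db in ['mysql','mariadb','postgres'] {
    contain "keycloak::db::${db}"
    Class["keycloak::db::${db}"] ~> Class['keycloak::service']
  }

  if $with_sssd_support {
    contain 'keycloak::sssd'
    Class['keycloak::sssd'] ~> Class['keycloak::service']
  }

  # Wait for Keycloak to answer before any realm/client resources are applied.
  # relative_path is taken from the merged config so an http-relative-path
  # override via configs/extra_configs is honoured here as it is in
  # $wrapper_server above.
  keycloak_conn_validator { 'keycloak':
    keycloak_server => $validator_server,
    keycloak_port   => $validator_port,
    use_ssl         => $validator_ssl,
    timeout         => 60,
    test_url        => $validator_test_url,
    relative_path   => $config['http-relative-path'],
    require         => Class['keycloak::service'],
  }

  # The realm/client/scope/flow hashes and their *_merge flags are consumed
  # by keycloak::resources (not shown here).
  include keycloak::resources
}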