Gitiles
Code Review Sign In
gerrit.opencord.org / ansible / role / keycloak / 7260e78ea05f0e206f8790e3162fca749d215462 / . / tasks / main.yml
blob: aa31ddb4a0c88895a03592ae84c6145ff1c4e97d [file] [log] [blame]
---
# keycloak tasks/main.yml
#
# SPDX-FileCopyrightText: © 2021 Open Networking Foundation <support@opennetworking.org>
# SPDX-License-Identifier: Apache-2.0
- name: include OS-specific tasks
include_tasks: "{{ ansible_os_family }}.yml"
- name: Create group for Keycloak
group:
name: "{{ keycloak_groupname }}"
- name: Create user for Keycloak
user:
name: "{{ keycloak_username }}"
group: "{{ keycloak_groupname }}"
comment: "{{ keycloak_comment }}"
shell: "{{ keycloak_shell }}"
system: true
password_lock: true
- name: Create keycloak dist directory
file:
path: "{{ keycloak_dist_dir }}"
owner: "{{ keycloak_username }}"
group: "{{ keycloak_groupname }}"
state: directory
mode: 0700
- name: Download keycloak
get_url:
url: "{{ keycloak_download_url }}"
dest: "{{ keycloak_dist_dir }}"
timeout: 30
checksum: "{{ keycloak_checksum }}"
become: true
become_user: "{{ keycloak_username }}"
- name: Extract keycloak
unarchive:
remote_src: true
src: "{{ keycloak_dist_dir }}/keycloak-{{ keycloak_version }}.tar.gz"
dest: "{{ keycloak_base_dir }}"
owner: "{{ keycloak_username }}"
group: "{{ keycloak_groupname }}"
creates: "{{ keycloak_base_dir }}/keycloak-{{ keycloak_version }}"
- name: Link Keycloak distro to working dir
file:
state: "link"
src: "{{ keycloak_base_dir }}/keycloak-{{ keycloak_version }}"
dest: "{{ keycloak_working_dir }}"
- name: Check admin account
command:
chdir: "{{ keycloak_working_dir }}/bin/"
cmd: >
./kcadm.sh get users
--server {{ keycloak_server }}/auth
--realm master --user {{ keycloak_admin_username }}
--password {{ keycloak_admin_password }}
register: kcadm_result
changed_when: false
failed_when: false
- name: Create admin account
command:
chdir: "{{ keycloak_working_dir }}/bin/"
cmd: >
./add-user-keycloak.sh
--realm master --user {{ keycloak_admin_username }}
--password {{ keycloak_admin_password }}
when: kcadm_result.rc != 0
notify:
- "start-keycloak"
- "restart-keycloak"
- name: Flush handlers to start keycloak server before configuring it via API
meta: flush_handlers
- name: Wait for Keycloak to be ready
uri:
url: "http://localhost:9990/health"
method: GET
return_content: "yes"
timeout: 5
body_format: raw
follow_redirects: "no"
status_code: 200
register: result
until: result.status == 200
retries: 60
delay: 5
- name: Configure Keycloak client
community.general.keycloak_client:
auth_keycloak_url: "{{ keycloak_server }}/auth"
auth_realm: "{{ item.auth_realm }}"
auth_username: "{{ keycloak_admin_username }}"
auth_password: "{{ keycloak_admin_password }}"
client_id: "{{ item.client_id }}"
name: "{{ item.name }}"
protocol: "{{ item.protocol }}"
description: "{{ item.description }}"
attributes: "{{ item.attributes }}"
redirect_uris: "{{ item.redirect_uris }}"
protocol_mappers: "{{ item.protocol_mappers }}"
state: present
with_items: "{{ keycloak_client_settings }}"
- name: "Create Token for Keycloak service"
uri:
url: "{{ keycloak_server }}/auth/realms/master/protocol/openid-connect/token"
method: POST
body_format: form-urlencoded
body:
username: "{{ keycloak_admin_username }}"
password: "{{ keycloak_admin_password }}"
grant_type: "password"
client_id: "admin-cli"
register: keycloak_token
- name: "Get existing LDAP configuration"
uri:
url: "{{ keycloak_admin_api }}/components?type=org.keycloak.storage.UserStorageProvider"
method: GET
headers:
Accept: "application/json"
Authorization: "Bearer {{ keycloak_token.json.access_token }}"
register: keycloak_components_list
- name: Check if the Keycloak already has the LDAP configuration
set_fact:
ldap_id: "{{ item.id }}"
with_items: "{{ keycloak_components_list.json }}"
when: item.name == "ldap"
- name: Generate a local json file for LDAP configuration
become: false
delegate_to: localhost
template:
src: "ldap.config.j2"
dest: "/tmp/ldap.config"
mode: "0600"
changed_when: false
- name: "Create LDAP Provider if not exist"
uri:
url: "{{ keycloak_admin_api }}/components"
method: POST
src: /tmp/ldap.config
status_code: [201]
headers:
Content-Type: application/json
Authorization: "Bearer {{ keycloak_token.json.access_token }}"
register: keycloak_create_ldap_response
when: ldap_id is not defined
- name: "Update LDAP Provider if exist"
uri:
url: "{{ keycloak_admin_api }}/components/{{ ldap_id }}"
method: PUT
src: /tmp/ldap.config
status_code: [204]
headers:
Content-Type: application/json
Authorization: "Bearer {{ keycloak_token.json.access_token }}"
when: ldap_id is defined
- name: Update LDAP_ID with new created LDAP components
set_fact:
ldap_id: "{{ keycloak_create_ldap_response.location | basename }}"
when: ldap_id is not defined
- name: Generate a local json file for LDAP mapper configuration
become: false
delegate_to: localhost
template:
src: "{{ item }}.j2"
dest: "/tmp/{{ item }}"
mode: "0600"
with_items:
- ldap.mapper.group
- keycloak.event.config
changed_when: false
- name: Create LDAP mapper from local json configuraiton
uri:
url: "{{ keycloak_admin_api }}/components/"
method: POST
src: "/tmp/{{ item }}"
status_code: [201]
headers:
Content-Type: application/json
Authorization: "Bearer {{ keycloak_token.json.access_token }}"
with_items:
- ldap.mapper.group
- name: Create LDAP mapper from local json configuraiton
uri:
url: "{{ keycloak_admin_api }}/events/config"
method: PUT
src: "/tmp/keycloak.event.config"
status_code: [204]
headers:
Content-Type: application/json
Authorization: "Bearer {{ keycloak_token.json.access_token }}"
- name: Remove local LDAP json file
delegate_to: localhost
file:
path: "/tmp/{{ item }}"
state: absent
with_items:
- ldap.config
- ldap.mapper.group
- keycloak.event.config
changed_when: false