An Ansible role that installs and configures Keycloak on Linux.
You need:

- At least OpenJDK 11 or newer installed before running this role. To ensure it is installed, you can use the `geerlingguy.java` role, for example.
- The `sudo` command and a user allowed to use it (or the `root` user).

And the requirements to run Keycloak in production:

- A supported database
- A valid hostname
- HTTPS/TLS certificates provided in PEM format or in a Java Keystore
Available variables are listed below, along with default values (see `defaults/main.yml`):

```yaml
keycloak_version: 20.0.2
```

The version of Keycloak to install on the system. If not defined, the role tries to find the latest release through the GitHub API.

```yaml
keycloak_install_dir: /opt/keycloak
```

The target folder where the Keycloak version will be installed.

```yaml
keycloak_hostname: keycloak.example.com
```

Hostname for the Keycloak server. If not specified, the `ansible_fqdn` variable will be used.

```yaml
keycloak_admin_hostname: console.keycloak.example.com
```

Hostname for the Keycloak Administration console. If not specified, the `keycloak_hostname` variable will be used.

```yaml
keycloak_https_port: 8443
```

The port Keycloak listens on for HTTPS traffic.

WARNING: as Keycloak will run as a service user (non-root), this port cannot be lower than 1024. See the Keycloak documentation on running Keycloak behind a proxy if you need it exposed on a privileged port.

```yaml
keycloak_tls_certificate_format: keystore
```

Format of the TLS certificate. Can be either `keystore` (default) or `pem`. The variables that apply to each format are listed below.

With `keycloak_tls_certificate_format: keystore`:

```yaml
keycloak_keystore_file: /opt/keycloak/keycloak.jks
keycloak_keystore_password: changeme
```

The file path and password of the Java Keystore containing the SSL/TLS certificate and its associated private key.

With `keycloak_tls_certificate_format: pem`:

```yaml
keycloak_cert_file: /etc/ssl/certs/example/example.com.crt
keycloak_key_file: /etc/ssl/private/example.com.key
```

The file paths of the SSL/TLS certificate and its associated private key (ignored when using a Java Keystore). Please note that, for now, there is no way to provide a passphrase for the key to Keycloak, so the key file must be unencrypted.

```yaml
keycloak_service_user: keycloak
```

The system user/group name that will run Keycloak. The role automatically creates and sets up the user account if necessary.

```yaml
keycloak_database_vendor: postgres
keycloak_database_host: localhost
keycloak_database_user: db_user
keycloak_database_password: db_password
keycloak_database_name: keycloak_db
```

Settings for the database to use with Keycloak. See the Keycloak documentation for details on allowed values.

```yaml
keycloak_database_schema: kc_schema
keycloak_database_port: 1234
keycloak_database_properties: "myProperty1=value1;otherProperty=value2"
```

Optional database schema, port and extra parameters for the JDBC connection URL.

```yaml
keycloak_dev_mode: true
```

Make Keycloak start in dev mode (default: `true`). If `true`, the role bypasses the Keycloak build step and sets up the service with the `start-dev` command instead of `start`. Dev mode is meant for local development; set it to `false` for a production deployment so that the build step runs and the server starts with `start`.
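The variables above carry a few constraints that only surface once the role is half-way through an install: the HTTPS port must be usable by a non-root service, the certificate format decides which file variables are required, a PEM key cannot be passphrase-protected, and dev mode should be off in production. The following pre-flight check is an added example and is not part of the `sedona_solutions.keycloak` role; it encodes those constraints as a plain Python function that can be run from CI or a `pre_tasks` step against the variables of a play. The sample variable sets, the placeholder secrets list and the encrypted-key header are constructed for the example.

```python
"""Pre-flight check of keycloak role variables (added example, not the role's own code)."""

# Defaults as documented in the README; the real ones live in defaults/main.yml.
README_DEFAULTS = {
    "keycloak_tls_certificate_format": "keystore",
    "keycloak_https_port": 8443,
    "keycloak_dev_mode": True,
}

# Secrets that appear verbatim in the README examples and must never reach a real host.
PLACEHOLDER_SECRETS = {"changeme", "db_password"}

# Markers of a passphrase-protected PEM key; Keycloak cannot be given a passphrase.
ENCRYPTED_KEY_MARKERS = ("BEGIN ENCRYPTED PRIVATE KEY", "Proc-Type: 4,ENCRYPTED")


def _truthy(value):
    """Ansible booleans may arrive as real bools or as strings from --extra-vars."""
    return str(value).strip().lower() in ("true", "yes", "on", "1")


def check_keycloak_vars(kc_vars, key_pem=None, production=True):
    """Return a list of problems found in the role variables (empty list means OK).

    kc_vars:    dict of role variables as written in a playbook.
    key_pem:    contents of keycloak_key_file, when the caller has read it.
    production: also apply the README's production requirements.
    """
    v = {**README_DEFAULTS, **kc_vars}
    problems = []

    # Keycloak runs as a non-root service user, so it cannot bind a privileged port.
    port = int(v["keycloak_https_port"])
    if port < 1024 or port > 65535:
        problems.append(f"keycloak_https_port {port} is not usable by a non-root service (must be 1024-65535)")

    fmt = v["keycloak_tls_certificate_format"]
    if fmt == "keystore":
        for name in ("keycloak_keystore_file", "keycloak_keystore_password"):
            if not v.get(name):
                problems.append(f"{name} is required when keycloak_tls_certificate_format is keystore")
    elif fmt == "pem":
        for name in ("keycloak_cert_file", "keycloak_key_file"):
            if not v.get(name):
                problems.append(f"{name} is required when keycloak_tls_certificate_format is pem")
        if key_pem and any(marker in key_pem for marker in ENCRYPTED_KEY_MARKERS):
            problems.append("keycloak_key_file is passphrase-protected, which Keycloak cannot unlock")
    else:
        problems.append(f"keycloak_tls_certificate_format must be keystore or pem, got {fmt!r}")

    # Placeholder secrets copied from the documentation are a common copy-paste mistake.
    for name in ("keycloak_keystore_password", "keycloak_database_password"):
        if v.get(name) in PLACEHOLDER_SECRETS:
            problems.append(f"{name} still holds the README placeholder value")

    if production:
        for name in ("keycloak_database_vendor", "keycloak_database_host", "keycloak_database_user",
                     "keycloak_database_password", "keycloak_database_name"):
            if not v.get(name):
                problems.append(f"{name} is required for a production deployment")
        if _truthy(v["keycloak_dev_mode"]):
            problems.append("keycloak_dev_mode must be false in production (start-dev skips the build step)")

    return problems


# Constructed sample: the README's example playbook variables, as a dict.
README_EXAMPLE_VARS = {
    "keycloak_version": "20.0.1",
    "keycloak_keystore_file": "/etc/keycloak/keycloak.jks",
    "keycloak_keystore_password": "changeme",
    "keycloak_hostname": "keycloak.example.com",
    "keycloak_database_host": "localhost",
    "keycloak_database_vendor": "postgres",
    "keycloak_database_user": "db_user",
    "keycloak_database_password": "db_password",
    "keycloak_database_name": "keycloak_db",
}

# Constructed sample of a production-ready variable set (secrets supplied through Ansible Vault).
PRODUCTION_VARS = {
    "keycloak_version": "20.0.2",
    "keycloak_tls_certificate_format": "pem",
    "keycloak_cert_file": "/etc/ssl/certs/example/example.com.crt",
    "keycloak_key_file": "/etc/ssl/private/example.com.key",
    "keycloak_hostname": "keycloak.example.com",
    "keycloak_database_vendor": "postgres",
    "keycloak_database_host": "db.internal.example.com",
    "keycloak_database_user": "keycloak",
    "keycloak_database_password": "{{ vault_keycloak_db_password }}",
    "keycloak_database_name": "keycloak_db",
    "keycloak_dev_mode": False,
}

# Constructed header of a passphrase-protected PKCS#8 key (body omitted).
ENCRYPTED_KEY_SAMPLE = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...\n-----END ENCRYPTED PRIVATE KEY-----\n"

if __name__ == "__main__":
    for label, kc_vars in (("README example", README_EXAMPLE_VARS), ("production", PRODUCTION_VARS)):
        print(f"{label}: {check_keycloak_vars(kc_vars) or 'OK'}")
    print("encrypted key:", check_keycloak_vars(PRODUCTION_VARS, key_pem=ENCRYPTED_KEY_SAMPLE))
```

Run against the README's own example playbook, the check reports three problems (both placeholder passwords and dev mode left on), which is the expected outcome for a snippet meant to show variable names rather than production values; the constructed production set passes, and passing it the encrypted key header reproduces the one failure the role cannot work around.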
Dependencies: none.
```yaml
- hosts: all
  roles:
    - role: sedona_solutions.keycloak
      vars:
        keycloak_version: 20.0.1
        keycloak_keystore_file: /etc/keycloak/keycloak.jks
        keycloak_keystore_password: changeme
        keycloak_hostname: keycloak.example.com
        keycloak_database_host: localhost
        keycloak_database_vendor: postgres
        keycloak_database_user: db_user
        keycloak_database_password: db_password
        keycloak_database_name: keycloak_db
```
License: MIT / BSD
This role was created in 2022 by Sébastien Collado for Sedona Solutions.