Manage certificates that are not issued by letsencrypt.

This commit is contained in:
Andrea Dell'Amico 2024-03-22 18:45:21 +01:00
parent 46161a5fe0
commit 5c33e46a71
Signed by untrusted user: adellam
GPG Key ID: 147ABE6CEB9E20FF
5 changed files with 106 additions and 74 deletions


@ -1,8 +1,8 @@
---
keycloak_major_version: '19'
keycloak_major_version: '24'
keycloak_minor_version: '0'
keycloak_point_version: '2'
keycloak_openjdk_runtime_version: 11
keycloak_point_version: '1'
keycloak_openjdk_runtime_version: 17
keycloak_openjdk_version:
- '{{ keycloak_openjdk_runtime_version }}'
keycloak_openjdk_bin: '/usr/lib/jvm/java-{{ keycloak_openjdk_runtime_version}}-openjdk-amd64/bin/java'
@ -44,7 +44,9 @@ keycloak_external_avatar_dir: '{{ keycloak_data_directory }}/avatar'
keycloak_https_enabled: true
keycloak_https_protocols: 'TLSv1.3'
keycloak_letsencrypt_certs: '{{ keycloak_https_enabled }}'
keycloak_http_enabled: "{% if keycloak_https_enabled %}'false'{% else %}'true'{% endif %}"
keycloak_source_cert_file: "{{ pki_dir }}/certs/{{ ansible_fqdn }}.pem"
keycloak_source_cert_key: "{{ pki_dir }}/keys/{{ ansible_fqdn }}-key.pem"
keycloak_http_enabled: "{% if keycloak_https_enabled %}false{% else %}true{% endif %}"
# Set to /auth to be backward compatible with the old admin console
keycloak_http_relative_path: /
keycloak_listen: '127.0.0.1'
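Review bot: The new `keycloak_source_cert_file` and `keycloak_source_cert_key` defaults carry no comment saying when they apply, and because `keycloak_letsencrypt_certs` still defaults to `'{{ keycloak_https_enabled }}'`, they are only ever consumed when an operator explicitly sets `keycloak_letsencrypt_certs: false`. A comment above them such as `# Used only when keycloak_letsencrypt_certs is false: certificate and key issued by another CA, already present on the target host` would make that contract visible (the "on the target host" part is inferred from `remote_src: true` in the certificate tasks). Both values also depend on `pki_dir` and `ansible_fqdn`, neither defined in this hunk, so `pki_dir` presumably has to come from the inventory and `ansible_fqdn` requires fact gathering to be enabled for the play.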


@ -3,3 +3,7 @@
ansible.builtin.service:
name: '{{ keycloak_service_name }}'
state: restarted
- name: Reload the systemd service
ansible.builtin.systemd:
daemon_reload: true
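Review bot: The new `Reload the systemd service` handler is defined after `Restart Keycloak`, and Ansible runs notified handlers in the order they are defined in the handlers file, not in the order they were notified, so when the unit template changes and notifies both, the restart fires before `daemon_reload` and the service is presumably restarted against the stale unit definition. Either move the new handler above `Restart Keycloak`, or make the restart self-sufficient by switching it to `ansible.builtin.systemd:` with `daemon_reload: true` alongside `state: restarted`. The `Restart Keycloak` handler whose module arguments open this hunk starts before the hunk.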


@ -0,0 +1,66 @@
---
- name: keycloak-certificates | TLS certificates management with Letsencrypt
when:
- keycloak_letsencrypt_certs
- letsencrypt_acme_install
tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']
block:
- name: keycloak-certificates | Create the acme hooks directory if it does not yet exist
ansible.builtin.file:
dest: '{{ letsencrypt_acme_services_scripts_dir }}'
state: directory
owner: root
group: root
mode: "0755"
- name: keycloak-certificates | Copy the key file where keycloak expects it
ansible.builtin.copy:
src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
dest: '{{ keycloak_conf_directory }}/server.key.pem'
owner: root
group: '{{ keycloak_user }}'
mode: "0640"
remote_src: true
notify: Restart Keycloak
- name: keycloak-certificates | Copy the certificate file where keycloak expects it
ansible.builtin.copy:
src: '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
dest: '{{ keycloak_conf_directory }}/server.crt.pem'
owner: root
group: '{{ keycloak_user }}'
mode: "0640"
remote_src: true
notify: Restart Keycloak
- name: keycloak-certificates | Install a script that updates the certificates upon renewal
ansible.builtin.template:
src: keycloak-letsencrypt-hook.j2
dest: '{{ letsencrypt_acme_services_scripts_dir }}/keycloak'
owner: root
group: root
mode: "4555"
- name: keycloak-certificates | TLS certificates management without Letsencrypt
when: not keycloak_letsencrypt_certs
tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']
block:
- name: keycloak-certificates | Copy the key file where keycloak expects it
ansible.builtin.copy:
src: '{{ keycloak_certificate_key }}'
dest: '{{ keycloak_conf_directory }}/server.key.pem'
owner: root
group: '{{ keycloak_user }}'
mode: "0640"
remote_src: true
notify: Restart Keycloak
- name: keycloak-certificates | Copy the certificate file where keycloak expects it
ansible.builtin.copy:
src: '{{ keycloak_certificate_file }}'
dest: '{{ keycloak_conf_directory }}/server.crt.pem'
owner: root
group: '{{ keycloak_user }}'
mode: "0640"
remote_src: true
notify: Restart Keycloak
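Review bot: The non-Letsencrypt block copies from `keycloak_certificate_key` and `keycloak_certificate_file`, but the defaults added in this commit define `keycloak_source_cert_key` and `keycloak_source_cert_file`; unless those other names are set somewhere not shown here, the `keycloak_letsencrypt_certs: false` path fails on an undefined variable, so the two `src:` lines should read `src: '{{ keycloak_source_cert_key }}'` and `src: '{{ keycloak_source_cert_file }}'` (or the defaults should be renamed to match). Separately, the renewal hook is installed with `mode: "4555"`, which sets setuid root on a script; Linux ignores the setuid bit on interpreted scripts, so it buys nothing and only shows up as a finding in setuid audits, and `mode: "0755"` (matching the hooks directory) is enough if acme.sh runs the hook as root. Note also that when `keycloak_letsencrypt_certs` is true but `letsencrypt_acme_install` is false, neither block runs and no `server.key.pem`/`server.crt.pem` is installed while HTTPS stays enabled, so an `ansible.builtin.assert` on that combination would fail early instead of at service start.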


@ -1,42 +0,0 @@
---
- name: TLS certificates management with Letsencrypt
block:
- name: Create the acme hooks directory if it does not yet exist
file:
dest: '{{ letsencrypt_acme_services_scripts_dir }}'
state: directory
owner: root
group: root
- name: Copy the key file where keycloak expects it
copy:
src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
dest: '{{ keycloak_conf_directory }}/server.key.pem'
owner: root
group: '{{ keycloak_user }}'
mode: 0640
remote_src: true
notify: Restart Keycloak
- name: Copy the certificate file where keycloak expects it
copy:
src: '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
dest: '{{ keycloak_conf_directory }}/server.crt.pem'
owner: root
group: '{{ keycloak_user }}'
mode: 0640
remote_src: true
notify: Restart Keycloak
- name: Install a script that updates the certificates upon renewal
template:
src: keycloak-letsencrypt-hook.j2
dest: '{{ letsencrypt_acme_services_scripts_dir }}/keycloak'
owner: root
group: root
mode: 4555
when:
- keycloak_letsencrypt_certs
- letsencrypt_acme_install
tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']


@ -1,8 +1,12 @@
---
- import_tasks: keycloak-install.yml
- import_tasks: keycloak-letsencrypt.yml
- import_tasks: keycloak-providers.yml
- import_tasks: keycloak-configuration.yml
- name: Keycloak install
ansible.builtin.import_tasks: keycloak-install.yml
- name: TLS certificates
ansible.builtin.import_tasks: keycloak-certificates.yml
- name: Keycloak providers
ansible.builtin.import_tasks: keycloak-providers.yml
- name: Keycloak configuration
ansible.builtin.import_tasks: keycloak-configuration.yml
- name: Manage the keycloak service
tags:
@ -12,30 +16,28 @@
- keycloak_providers
- keycloak_providers_jar
block:
- name: Install the keycloak systemd unit
ansible.builtin.template:
src: keycloak.service.j2
dest: '/etc/systemd/system/{{ keycloak_service_name }}.service'
owner: root
group: root
mode: 0644
notify: Restart Keycloak
register: keycloak_unit
- name: Install the keycloak systemd unit
ansible.builtin.template:
src: keycloak.service.j2
dest: '/etc/systemd/system/{{ keycloak_service_name }}.service'
owner: root
group: root
mode: "0644"
notify:
- Restart Keycloak
- Reload the systemd service
- name: Reload systemd
ansible.builtin.systemd:
daemon_reload: yes
when: keycloak_unit is changed
- name: Reload the systemd service
ansible.builtin.meta: flush_handlers
- name: ensure that the {{ keycloak_service_name }} service is running and enabled
ansible.builtin.service:
name: '{{ keycloak_service_name }}'
state: started
enabled: true
- name: Wait for the service to be up before proceeding
ansible.builtin.wait_for:
port: "{% if keycloak_https_enabled %}{{ keycloak_https_port }}{% else %}{{ keycloak_http_port }}{% endif %}"
delay: 10
timeout: 90
- name: Ensure that the Keycload service is running and enabled
ansible.builtin.service:
name: '{{ keycloak_service_name }}'
state: started
enabled: true
- name: Wait for the service to be up before proceeding
ansible.builtin.wait_for:
port: "{% if keycloak_https_enabled %}{{ keycloak_https_port }}{% else %}{{ keycloak_http_port }}{% endif %}"
delay: 10
timeout: 90
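Review bot: The `wait_for` task at the end of this hunk sets only `port`, and `ansible.builtin.wait_for` defaults `host` to 127.0.0.1, which matches only because the defaults set `keycloak_listen: '127.0.0.1'`; an override of `keycloak_listen` would make this wait probe the wrong address, so add `host: '{{ keycloak_listen }}'` next to `port:`. The service task name has a typo, `Keycload` for `Keycloak`. The `Manage the keycloak service` block begins in the previous hunk.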