diff --git a/manifests/config.pp b/manifests/config.pp
index a933212..d7da4e5 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -1,276 +1,377 @@ # Private class. class keycloak::config { assert_private() file { '/opt/keycloak': ensure => 'link', target => $keycloak::install_base, } # Template uses: # - $keycloak::install_base # - $keycloak::admin_user # - $keycloak::admin_user_password file { 'kcadm-wrapper.sh': ensure => 'file', path => "${keycloak::install_base}/bin/kcadm-wrapper.sh", owner => $keycloak::user, group => $keycloak::group, mode => '0750', content => template('keycloak/kcadm-wrapper.sh.erb'), show_diff => false, } file { "${keycloak::install_base}/tmp": ensure => 'directory', owner => $keycloak::user, group => $keycloak::group, mode => '0755', } $_add_user_keycloak_cmd = "${keycloak::install_base}/bin/add-user-keycloak.sh" $_add_user_keycloak_state = "${keycloak::install_base}/.create-keycloak-admin-${keycloak::datasource_driver}" - $_config_cli_content = template('keycloak/config.cli.erb') if $::keycloak::operating_mode != 'domain' { $_add_user_keycloak_args = "--user ${keycloak::admin_user} --password ${keycloak::admin_user_password} --realm master" $_subdir = 'standalone' $_java_opts_path = "${keycloak::install_base}/bin/standalone.conf" } else { $_server_conf_dir = "${keycloak::install_base}/domain/servers/${keycloak::server_name}/configuration" $_add_user_keycloak_args = "--user ${keycloak::admin_user} --password ${keycloak::admin_user_password} --realm master --sc ${_server_conf_dir}/" # lint:ignore:140chars $_subdir = 'domain' $_java_opts_path = "${keycloak::install_base}/bin/domain.conf" $_dirs = [ "${keycloak::install_base}/domain/servers", "${keycloak::install_base}/domain/servers/${keycloak::server_name}", "${keycloak::install_base}/domain/servers/${keycloak::server_name}/configuration", ] file { $_dirs: ensure => 'directory', owner => $keycloak::user, group => $keycloak::group, mode => '0755', } } exec { 'create-keycloak-admin': command => "${_add_user_keycloak_cmd} ${_add_user_keycloak_args} && touch ${_add_user_keycloak_state}", creates => 
$_add_user_keycloak_state, notify => Class['keycloak::service'], user => $keycloak::user, } + if $keycloak::operating_mode == 'domain' { + $config_cli_prefix = '/profile=auth-server-clustered' + } else { + $config_cli_prefix = '' + } + concat { "${keycloak::install_base}/config.cli": - owner => $keycloak::user, - group => $keycloak::group, - mode => '0600', - notify => Exec['jboss-cli.sh --file=config.cli'], - show_diff => false, + owner => $keycloak::user, + group => $keycloak::group, + mode => '0600', + notify => Exec['jboss-cli.sh --file=config.cli'], + show_diff => false, + ensure_newline => true, } - concat::fragment { 'config.cli-keycloak': + concat::fragment { 'keycloak-config.cli-header': target => "${keycloak::install_base}/config.cli", - content => $_config_cli_content, + content => epp('keycloak/config.cli/00-header.epp', {'operating_mode' => $keycloak::operating_mode}), order => '00', } + if $keycloak::proxy_https { + concat::fragment { 'keycloak-config.cli-https-proxy': + target => "${keycloak::install_base}/config.cli", + content => epp('keycloak/config.cli/01-https-proxy.epp', {'prefix' => $config_cli_prefix}), + order => '01', + } + } + + concat::fragment { 'keycloak-config.cli-datasource': + target => "${keycloak::install_base}/config.cli", + content => epp('keycloak/config.cli/02-datasource.epp', { + 'datasource_driver' => $keycloak::datasource_driver, + 'datasource_connection_url' => $keycloak::datasource_connection_url, + 'datasource_username' => $keycloak::datasource_username, + 'datasource_password' => $keycloak::datasource_password, + 'mysql_datasource_class' => $keycloak::mysql_datasource_class, + 'prefix' => $config_cli_prefix, + }), + order => '02', + } + + concat::fragment { 'keycloak-config.cli-truststore': + target => "${keycloak::install_base}/config.cli", + content => epp('keycloak/config.cli/03-truststore.epp', { + 'truststore' => $keycloak::truststore, + 'operating_mode' => $keycloak::operating_mode, + 'install_base' => 
$keycloak::install_base, + 'truststore_password' => $keycloak::truststore_password, + 'truststore_hostname_verification_policy' => $keycloak::truststore_hostname_verification_policy, + 'prefix' => $config_cli_prefix, + }), + order => '03', + } + + concat::fragment { 'keycloak-config.cli-theming': + target => "${keycloak::install_base}/config.cli", + content => epp('keycloak/config.cli/04-theming.epp', { + 'theme_static_max_age' => $keycloak::theme_static_max_age, + 'theme_cache_themes' => $keycloak::theme_cache_themes, + 'theme_cache_templates' => $keycloak::theme_cache_templates, + 'prefix' => $config_cli_prefix, + }), + order => '04', + } + + # deployment scanner is not compatible with domain mode + if $keycloak::operating_mode != 'domain' { + concat::fragment { 'keycloak-config.cli-deployment-scanner': + target => "${keycloak::install_base}/config.cli", + content => epp('keycloak/config.cli/05-deployment-scanner.epp', { + 'auto_deploy_exploded' => $keycloak::auto_deploy_exploded, + 'auto_deploy_zipped' => $keycloak::auto_deploy_zipped, + 'prefix' => $config_cli_prefix, + }), + order => '05', + } + } + + concat::fragment { 'keycloak-config.cli-user-cache': + target => "${keycloak::install_base}/config.cli", + content => epp('keycloak/config.cli/06-user-cache.epp', { + 'user_cache' => $keycloak::user_cache, + 'prefix' => $config_cli_prefix, + }), + order => '06', + } + + concat::fragment { 'keycloak-config.cli-cluster': + target => "${keycloak::install_base}/config.cli", + content => epp('keycloak/config.cli/10-cluster.epp', { + 'operating_mode' => $keycloak::operating_mode, + 'enable_jdbc_ping' => $keycloak::enable_jdbc_ping, + 'datasource_driver' => $keycloak::datasource_driver, + 'jboss_bind_private_address' => $keycloak::jboss_bind_private_address, + 'jboss_bind_public_address' => $keycloak::jboss_bind_public_address, + 'prefix' => $config_cli_prefix, + }), + order => '10', + } + + if $keycloak::operating_mode == 'domain' { + concat::fragment { 
'keycloak-config.cli-domain': + target => "${keycloak::install_base}/config.cli", + content => epp('keycloak/config.cli/11-domain.epp', { + 'prefix' => $config_cli_prefix, + }), + order => '11', + } + } + if $keycloak::custom_config_content or $keycloak::custom_config_source { - concat::fragment { 'config.cli-custom': + concat::fragment { 'keycloak-config.cli-custom': target => "${keycloak::install_base}/config.cli", content => $keycloak::custom_config_content, source => $keycloak::custom_config_source, - order => '01', + order => '50', } } + concat::fragment { 'keycloak-config.cli-footer': + target => "${keycloak::install_base}/config.cli", + content => epp('keycloak/config.cli/99-footer.epp', {'operating_mode' => $keycloak::operating_mode}), + order => '99', + } + exec { 'jboss-cli.sh --file=config.cli': command => "${keycloak::install_base}/bin/jboss-cli.sh --file=config.cli", cwd => $keycloak::install_base, user => $keycloak::user, group => $keycloak::group, refreshonly => true, logoutput => true, notify => Class['keycloak::service'], } create_resources('keycloak::truststore::host', $keycloak::truststore_hosts) if $keycloak::java_opts { $java_opts_ensure = 'present' } else { $java_opts_ensure = 'absent' } if $keycloak::java_opts =~ Array { $java_opts = join($keycloak::java_opts, ' ') } else { $java_opts = $keycloak::java_opts } if $keycloak::java_opts_append { $_java_opts = "\$JAVA_OPTS ${java_opts}" } else { $_java_opts = $java_opts } file_line { 'keycloak-JAVA_OPTS': ensure => $java_opts_ensure, path => $_java_opts_path, line => "JAVA_OPTS=\"${_java_opts}\"", match => '^JAVA_OPTS=', notify => Class['keycloak::service'], } file { "${keycloak::install_base}/${_subdir}/configuration": ensure => 'directory', owner => $keycloak::user, group => $keycloak::group, mode => '0750', } file { "${keycloak::install_base}/${_subdir}/configuration/profile.properties": ensure => 'file', owner => $keycloak::user, group => $keycloak::group, content => 
template('keycloak/profile.properties.erb'), mode => '0644', notify => Class['keycloak::service'], } if $::keycloak::operating_mode == 'domain' { $_add_user_wildfly_cmd = "${keycloak::install_base}/bin/add-user.sh" $_add_user_wildfly_args = "--user ${keycloak::wildfly_user} --password ${keycloak::wildfly_user_password} -e -s" $_add_user_wildfly_state = "${::keycloak::install_base}/.create-wildfly-user" exec { 'create-wildfly-user': command => "${_add_user_wildfly_cmd} ${_add_user_wildfly_args} && touch ${_add_user_wildfly_state}", creates => $_add_user_wildfly_state, notify => Class['keycloak::service'], } if $keycloak::role == 'master' { - # Remove load balancer group # Rename the server # Set port offset to zero to run server on port 8080 augeas { 'ensure-servername': incl => "${keycloak::install_base}/domain/configuration/host-master.xml", context => "/files${keycloak::install_base}/domain/configuration/host-master.xml/host/servers", load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', lens => 'Xml.lns', changes => [ 'rm server[1]', 'rm server', "set server/#attribute/name ${keycloak::server_name}", 'set server/#attribute/group auth-server-group', 'set server/#attribute/auto-start true', 'set server/socket-bindings/#attribute/port-offset 0', ], notify => Class['keycloak::service'], } # Set up interface names and defaults in host-master.xml augeas { 'ensure-interface-names-defaults-master': incl => "${keycloak::install_base}/domain/configuration/host-master.xml", context => "/files${keycloak::install_base}/domain/configuration/host-master.xml/host/interfaces", load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', lens => 'Xml.lns', changes => [ # lint:ignore:single_quote_string_with_variables 'set interface[1]/#attribute/name management', 'set interface[1]/inet-address/#attribute/value ${jboss.bind.address.management:127.0.0.1}', 'set interface[2]/#attribute/name private', 'set interface[2]/inet-address/#attribute/value 
${jboss.bind.address.private:127.0.0.1}', 'set interface[3]/#attribute/name public', 'set interface[3]/inet-address/#attribute/value ${jboss.bind.address:127.0.0.1}', # lint:endignore ], notify => Class['keycloak::service'], } # Assing management interfaces to logical interfaces augeas { 'assign-management-interaces-master': incl => "${keycloak::install_base}/domain/configuration/host-master.xml", context => "/files${keycloak::install_base}/domain/configuration/host-master.xml/host/management/management-interfaces", load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', lens => 'Xml.lns', changes => [ 'set native-interface/socket/#attribute/interface management', 'set http-interface/socket/#attribute/interface private', ], notify => Class['keycloak::service'], } } else { # Rename the server # Set port offset to zero, to run server in port 8080 augeas { 'ensure-servername': incl => "${keycloak::install_base}/domain/configuration/host-slave.xml", context => "/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/servers", load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', lens => 'Xml.lns', changes => [ "set server/#attribute/name ${keycloak::server_name}", 'set server/socket-bindings/#attribute/port-offset 0' ], notify => Class['keycloak::service'], } # Set username for authentication to master augeas { 'ensure-username': incl => "${keycloak::install_base}/domain/configuration/host-slave.xml", context => "/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/domain-controller/remote", load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', lens => 'Xml.lns', changes => [ "set #attribute/username ${keycloak::wildfly_user}" ], notify => Class['keycloak::service'], } # Set secret for authentication to master augeas { 'ensure-secret': incl => "${keycloak::install_base}/domain/configuration/host-slave.xml", context => 
"/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/management/security-realms/security-realm[1]/server-identities/secret", # lint:ignore:140chars load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', lens => 'Xml.lns', changes => [ "set #attribute/value ${keycloak::wildfly_user_password_base64}" ], notify => Class['keycloak::service'], } # Set up interface names and default in host-slave.xml augeas { 'ensure-interface-names-defaults-slave': incl => "${keycloak::install_base}/domain/configuration/host-slave.xml", context => "/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/interfaces", load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', lens => 'Xml.lns', changes => [ # lint:ignore:single_quote_string_with_variables 'set interface[1]/#attribute/name management', 'set interface[1]/inet-address/#attribute/value ${jboss.bind.address.management:127.0.0.1}', 'set interface[2]/#attribute/name private', 'set interface[2]/inet-address/#attribute/value ${jboss.bind.address.private:127.0.0.1}', 'set interface[3]/#attribute/name public', 'set interface[3]/inet-address/#attribute/value ${jboss.bind.address:127.0.0.1}', # lint:endignore ], notify => Class['keycloak::service'], } # Assing management interfaces to logical interfaces augeas { 'assign-management-interaces-slave': incl => "${keycloak::install_base}/domain/configuration/host-slave.xml", context => "/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/management/management-interfaces", load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', lens => 'Xml.lns', changes => [ 'set native-interface/socket/#attribute/interface management', 'set http-interface/socket/#attribute/interface private', ], notify => Class['keycloak::service'], } } } } diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 70df8fa..224d89e 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
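Review bot: The new cluster fragment (`keycloak-config.cli-cluster`, order '10') is declared unconditionally, whereas the deleted config.cli.erb only emitted the JDBC_PING and udp-stack-removal commands when `operating_mode != 'standalone'` and `enable_jdbc_ping` was set; unless 10-cluster.epp (not visible here) reproduces that guard internally, standalone nodes now receive jgroups commands in config.cli. Wrapping the fragment the same way the deployment-scanner and domain fragments are wrapped, `if $keycloak::operating_mode != 'standalone' and $keycloak::enable_jdbc_ping { ... }`, keeps the condition visible in the manifest either way. The `$config_cli_prefix` selection duplicates the `operating_mode != 'domain'` if/else already above `exec { 'create-keycloak-admin' }`; assigning the prefix inside that existing branch avoids two places deciding the same mode question. The spec hunk in this commit only removes the `config.cli-keycloak` assertion and adds none for the new fragments, so the datasource and truststore password plumbing through epp has no catalog coverage; a `contain_concat__fragment('keycloak-config.cli-datasource').with(target: "/opt/keycloak-#{version}/config.cli", order: '02')` check would restore it.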
@@ -1,288 +1,280 @@ require 'spec_helper' describe 'keycloak' do on_supported_os.each do |os, facts| context "on #{os}" do let(:facts) do facts.merge(concat_basedir: '/dne') end let(:version) { '8.0.1' } case facts[:osfamily] when %r{RedHat} shell = '/sbin/nologin' when %r{Debian} shell = '/usr/sbin/nologin' end it { is_expected.to compile.with_all_deps } it { is_expected.to create_class('keycloak') } it { is_expected.to contain_class('keycloak::install').that_comes_before('Class[keycloak::config]') } it { is_expected.to contain_class('keycloak::config').that_comes_before('Class[keycloak::service]') } it { is_expected.to contain_class('keycloak::service') } context 'domain master' do let(:params) do { operating_mode: 'domain', install_dir: '/opt/keycloak-x', role: 'master', datasource_driver: 'postgresql', wildfly_user: 'wildfly', wildfly_user_password: 'changeme', } end it { is_expected.to compile.with_all_deps } it do is_expected.to contain_augeas('ensure-servername').with(incl: '/opt/keycloak-x/domain/configuration/host-master.xml') is_expected.to contain_exec('create-wildfly-user').with(command: '/opt/keycloak-x/bin/add-user.sh --user wildfly --password changeme -e -s && touch /opt/keycloak-x/.create-wildfly-user') end end context 'domain slave' do let(:params) do { operating_mode: 'domain', install_dir: '/opt/keycloak-x', role: 'slave', master_address: '10.0.5.10', datasource_driver: 'postgresql', wildfly_user: 'wildfly', wildfly_user_password: 'changeme', } end it { is_expected.to compile.with_all_deps } it do is_expected.to contain_augeas('ensure-servername').with(incl: '/opt/keycloak-x/domain/configuration/host-slave.xml', context: '/files/opt/keycloak-x/domain/configuration/host-slave.xml/host/servers') is_expected.to contain_exec('create-wildfly-user').with(command: '/opt/keycloak-x/bin/add-user.sh --user wildfly --password changeme -e -s && touch /opt/keycloak-x/.create-wildfly-user') end end context 'standalone with domain role defined' do let(:params) 
do { operating_mode: 'standalone', role: 'master', } end it { is_expected.not_to compile } end context 'domain slave without master_address' do let(:params) do { operating_mode: 'domain', wildfly_user: 'wildfly', wildfly_user_password: 'wildfly', role: 'slave', } end it { is_expected.not_to compile } end context 'domain master without wildfly user' do let(:params) do { operating_mode: 'domain', role: 'master', wildfly_user_password: 'wildfly', } end it { is_expected.not_to compile } end context 'domain master without wildfly user password' do let(:params) do { operating_mode: 'domain', role: 'master', wildfly_user: 'wildfly', } end it { is_expected.not_to compile } end context 'keycloak::install' do it do is_expected.to contain_user('keycloak').only_with(ensure: 'present', name: 'keycloak', forcelocal: 'true', shell: shell, gid: 'keycloak', home: '/var/lib/keycloak', managehome: 'true', system: 'true') end end context 'keycloak::datasource::mysql' do let(:pre_condition) { 'include ::mysql::server' } let(:params) { { datasource_driver: 'mysql' } } it { is_expected.to contain_class('keycloak::install').that_comes_before('Class[keycloak::datasource::mysql]') } it { is_expected.to contain_class('keycloak::datasource::mysql').that_comes_before('Class[keycloak::config]') } it do is_expected.to contain_mysql__db('keycloak').with(user: 'sa', password: 'sa', host: 'localhost', grant: 'ALL') end context 'manage_datasource => false' do let(:params) { { datasource_driver: 'mysql', manage_datasource: false } } it { is_expected.not_to contain_mysql__db('keycloak') } end end context 'keycloak::datasource::postgresql' do let(:params) { { datasource_driver: 'postgresql' } } it { is_expected.to contain_class('keycloak::install').that_comes_before('Class[keycloak::datasource::postgresql]') } it { is_expected.to contain_class('keycloak::datasource::postgresql').that_comes_before('Class[keycloak::config]') } it do is_expected.to contain_postgresql__server__db('keycloak').with(user: 
'sa', password: %r{.*}) end context 'manage_datasource => false' do let(:params) { { datasource_driver: 'postgresql', manage_datasource: false } } it { is_expected.not_to contain_postgresql__server__db('keycloak') } end end context 'keycloak::config' do it do is_expected.to contain_file('kcadm-wrapper.sh').only_with( ensure: 'file', path: "/opt/keycloak-#{version}/bin/kcadm-wrapper.sh", owner: 'keycloak', group: 'keycloak', mode: '0750', content: %r{.*}, show_diff: 'false', ) end it do is_expected.to contain_exec('create-keycloak-admin') .with(command: "/opt/keycloak-#{version}/bin/add-user-keycloak.sh --user admin --password changeme --realm master && touch /opt/keycloak-#{version}/.create-keycloak-admin-h2", creates: "/opt/keycloak-#{version}/.create-keycloak-admin-h2", notify: 'Class[Keycloak::Service]') end it do is_expected.to contain_file("/opt/keycloak-#{version}/standalone/configuration").only_with( ensure: 'directory', owner: 'keycloak', group: 'keycloak', mode: '0750', ) end it do is_expected.to contain_file("/opt/keycloak-#{version}/standalone/configuration/profile.properties").only_with( ensure: 'file', owner: 'keycloak', group: 'keycloak', mode: '0644', content: %r{.*}, notify: 'Class[Keycloak::Service]', ) end it do verify_exact_file_contents(catalogue, "/opt/keycloak-#{version}/standalone/configuration/profile.properties", []) end it do is_expected.to contain_concat("/opt/keycloak-#{version}/config.cli").with( ensure: 'present', owner: 'keycloak', group: 'keycloak', mode: '0600', notify: 'Exec[jboss-cli.sh --file=config.cli]', show_diff: 'false', ) end - it do - is_expected.to contain_concat__fragment('config.cli-keycloak').with( - target: "/opt/keycloak-#{version}/config.cli", - content: %r{.*}, - order: '00', - ) - end - it do is_expected.to contain_file_line('keycloak-JAVA_OPTS').with( ensure: 'absent', path: "/opt/keycloak-#{version}/bin/standalone.conf", line: 'JAVA_OPTS="$JAVA_OPTS "', match: '^JAVA_OPTS=', notify: 'Class[Keycloak::Service]', ) 
end context 'when tech_preview_features defined' do let(:params) { { tech_preview_features: ['account_api'] } } it do verify_exact_file_contents(catalogue, "/opt/keycloak-#{version}/standalone/configuration/profile.properties", ['feature.account_api=enabled']) end end context 'when java_opts defined' do let(:params) { { java_opts: '-Xmx512m -Xms64m' } } it do is_expected.to contain_file_line('keycloak-JAVA_OPTS').with( ensure: 'present', path: "/opt/keycloak-#{version}/bin/standalone.conf", line: 'JAVA_OPTS="$JAVA_OPTS -Xmx512m -Xms64m"', match: '^JAVA_OPTS=', notify: 'Class[Keycloak::Service]', ) end context 'when java_opts_append is false' do let(:params) { { java_opts: '-Xmx512m -Xms64m', java_opts_append: false } } it do is_expected.to contain_file_line('keycloak-JAVA_OPTS').with( ensure: 'present', path: "/opt/keycloak-#{version}/bin/standalone.conf", line: 'JAVA_OPTS="-Xmx512m -Xms64m"', match: '^JAVA_OPTS=', notify: 'Class[Keycloak::Service]', ) end end end end context 'keycloak::service' do it do is_expected.to contain_service('keycloak').only_with(ensure: 'running', enable: 'true', name: 'keycloak', hasstatus: 'true', hasrestart: 'true') end end end # end context end # end on_supported_os loop end # end describe diff --git a/templates/config.cli.erb b/templates/config.cli.erb deleted file mode 100644 index 709d215..0000000 --- a/templates/config.cli.erb +++ /dev/null 
@@ -1,210 +0,0 @@ -<% if scope['keycloak::operating_mode'] == 'standalone'-%> -embed-server -<%- @prefix=''-%> -<%- elsif scope['keycloak::operating_mode'] == 'clustered'-%> -embed-server --server-config=standalone-ha.xml -<%- @prefix=''-%> -<% else -%> -embed-host-controller -<%- @prefix='/profile=auth-server-clustered'-%> -<% end -%> -<%- # https proxying -%> -<%- if scope['keycloak::proxy_https'] -%> -if (result.proxy-address-forwarding != true) of <%= @prefix -%>/subsystem=undertow/server=default-server/http-listener=default:read-resource -<%= @prefix -%>/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true) -end-if -if (result.proxy-address-forwarding != true) of <%= @prefix -%>/subsystem=undertow/server=default-server/https-listener=https:read-resource -<%= @prefix -%>/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=proxy-address-forwarding,value=true) -end-if -if (outcome != success) of <%= @prefix -%>/socket-binding-group=standard-sockets/socket-binding=proxy-https:read-resource -<%= @prefix -%>/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443) -end-if -if (result.redirect-socket != proxy-https) of <%= @prefix -%>/subsystem=undertow/server=default-server/http-listener=default:read-resource -<%= @prefix -%>/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https) -end-if -<%- end -%> -<%- # datasources -%> -<%= @prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=driver-name, value=<%= scope['keycloak::datasource_driver'] %>) -<%= @prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=connection-url, value="<%= scope['keycloak::datasource_connection_url'] %>") -<%= @prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=jndi-name, value=java:jboss/datasources/KeycloakDS) -<%= @prefix 
-%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=user-name, value=<%= scope['keycloak::datasource_username'] %>) -<%= @prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=password, value=<%= scope['keycloak::datasource_password'] %>) -<%- if scope['keycloak::datasource_driver'] == 'mysql' -%> -<%= @prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation, value=true) -<%= @prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=check-valid-connection-sql, value="SELECT 1") -<%= @prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation-millis, value=60000) -<%= @prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=flush-strategy, value=IdleConnections) -try -<%= @prefix -%>/subsystem=datasources/jdbc-driver=mysql:add(driver-module-name=com.mysql.jdbc,driver-name=mysql,driver-xa-datasource-class-name=<%= scope['keycloak::mysql_datasource_class'] %>) -catch -<%= @prefix -%>/subsystem=datasources/jdbc-driver=mysql:remove -<%= @prefix -%>/subsystem=datasources/jdbc-driver=mysql:add(driver-module-name=com.mysql.jdbc,driver-name=mysql,driver-xa-datasource-class-name=<%= scope['keycloak::mysql_datasource_class'] %>) -end-try -<%- elsif scope['keycloak::datasource_driver'] == 'h2' -%> -/subsystem=datasources/data-source=KeycloakDS:undefine-attribute(name=background-validation) -/subsystem=datasources/data-source=KeycloakDS:undefine-attribute(name=check-valid-connection-sql) -/subsystem=datasources/data-source=KeycloakDS:undefine-attribute(name=background-validation-millis) -/subsystem=datasources/data-source=KeycloakDS:undefine-attribute(name=flush-strategy) -<%- elsif scope['keycloak::datasource_driver'] == 'oracle' -%> -<%= @prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation, value=true) -<%= @prefix 
-%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=check-valid-connection-sql, value="SELECT 1 FROM DUAL") -<%= @prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation-millis, value=60000) -<%= @prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=flush-strategy, value=IdleConnections) -try -<%= @prefix -%>/subsystem=datasources/jdbc-driver=oracle:add(driver-module-name=org.oracle,driver-name=oracle,driver-xa-datasource-class-name=oracle.jdbc.xa.client.OracleXADataSource) -catch -<%= @prefix -%>/subsystem=datasources/jdbc-driver=oracle:remove -<%= @prefix -%>/subsystem=datasources/jdbc-driver=oracle:add(driver-module-name=org.oracle,driver-name=oracle,driver-xa-datasource-class-name=oracle.jdbc.xa.client.OracleXADataSource) -end-try -<%- elsif scope['keycloak::datasource_driver'] == 'postgresql' -%> -<%= @prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation, value=true) -<%= @prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=check-valid-connection-sql, value="SELECT 1") -<%= @prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation-millis, value=60000) -<%= @prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=flush-strategy, value=IdleConnections) -try -<%= @prefix -%>/subsystem=datasources/jdbc-driver=postgresql:add(driver-module-name=org.postgresql,driver-name=postgresql,driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource) -catch -<%= @prefix -%>/subsystem=datasources/jdbc-driver=postgresql:remove -<%= @prefix -%>/subsystem=datasources/jdbc-driver=postgresql:add(driver-module-name=org.postgresql,driver-name=postgresql,driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource) -end-try -<%- end -%> -<%- # truststore -%> -<%- if scope['keycloak::truststore'] -%> -if (outcome != success) of <%= @prefix 
-%>/subsystem=keycloak-server/spi=truststore:read-resource -<%= @prefix -%>/subsystem=keycloak-server/spi=truststore/:add -<%= @prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:add(enabled=true) -end-if -<% if scope['keycloak::operating_mode'] == 'domain'-%> -<%= @prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=file,value=<%= scope['keycloak::install_base'] %>/domain/configuration/truststore.jks) -<% else -%> -<%= @prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=file,value=<%= scope['keycloak::install_base'] %>/standalone/configuration/truststore.jks) -<% end -%> -<%= @prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=password,value=<%= scope['keycloak::truststore_password'] %>) -<%= @prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=hostname-verification-policy,value=<%= scope['keycloak::truststore_hostname_verification_policy'] %>) -<%= @prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=disabled,value=false) -<%- else -%> -if (outcome == success) of <%= @prefix -%>/subsystem=keycloak-server/spi=truststore:read-resource -<%= @prefix -%>/subsystem=keycloak-server/spi=truststore/:remove -end-if -<%- end -%> -<%- # theming -%> -<%= @prefix -%>/subsystem=keycloak-server/theme=defaults/:write-attribute(name=staticMaxAge, value=<%= scope['keycloak::theme_static_max_age'] %>) -<%= @prefix -%>/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheThemes, value=<%= scope['keycloak::theme_cache_themes'] %>) -<%= @prefix -%>/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheTemplates, value=<%= scope['keycloak::theme_cache_templates'] %>) -<%- # deployment scanner is not compatible with domain mode -%> -<% if scope['keycloak::operating_mode'] != 'domain'-%> -<%= @prefix 
-%>/subsystem=deployment-scanner/scanner=default:write-attribute(name="auto-deploy-exploded",value=<%= scope['keycloak::auto_deploy_exploded'] %>)
-<%= @prefix -%>/subsystem=deployment-scanner/scanner=default:write-attribute(name="auto-deploy-zipped",value=<%= scope['keycloak::auto_deploy_zipped'] %>)
-<% end -%>
-try
-<%= @prefix -%>/subsystem=keycloak-server/spi=userCache/provider=default/:add(enabled=<%= scope['keycloak::user_cache']%>)
-catch
-<%= @prefix -%>/subsystem=keycloak-server/spi=userCache/provider=default/:remove
-<%= @prefix -%>/subsystem=keycloak-server/spi=userCache/provider=default/:add(enabled=<%= scope['keycloak::user_cache']%>)
-end-try
-<%- # JDBC_PING & remove udp stack -%>
-<%- if scope['keycloak::operating_mode'] != 'standalone' && scope['keycloak::enable_jdbc_ping'] -%>
-if (outcome != success) of <%= @prefix -%>/subsystem=jgroups/stack=tcp/protocol=JDBC_PING:read-resource
-<%- if scope['keycloak::datasource_driver'] == 'postgresql' -%>
-<%= @prefix -%>/subsystem=jgroups/stack=tcp/protocol=JDBC_PING: add(add-index=0, data-source="KeycloakDS", properties=[initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING ( own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, created TIMESTAMP DEFAULT CURRENT_TIMESTAMP, ping_data BYTEA, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))"])
-<%- end -%>
-<%- if scope['keycloak::datasource_driver'] == 'mysql' -%>
-<%= @prefix -%>/subsystem=jgroups/stack=tcp/protocol=JDBC_PING: add(add-index=0, data-source="KeycloakDS", properties=[initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING (own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, updated TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, ping_data varbinary(5000) DEFAULT NULL, PRIMARY KEY (own_addr, cluster_name)) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin"])
-<%- end -%>
-end-if
-if (outcome == success) of <%= @prefix -%>/subsystem=jgroups/stack=tcp/protocol=MPING:read-resource
-<%= @prefix -%>/subsystem=jgroups/stack=tcp/protocol=MPING: remove()
-end-if
-if (outcome == success) of <%= @prefix -%>/subsystem=jgroups/stack=tcp/protocol=pbcast.GMS:read-resource
-<%= @prefix -%>/subsystem=jgroups/stack=tcp/protocol=pbcast.GMS: remove()
-<%= @prefix -%>/subsystem=jgroups/stack=tcp/protocol=pbcast.GMS: add(properties=[join_timeout=30000, print_local_addr=true, print_physical_addrs=true])
-end-if
-if (outcome != success) of <%= @prefix -%>/subsystem=jgroups/stack=tcp/protocol=JDBC_PING:read-resource
-end-if
-<%= @prefix -%>/subsystem=jgroups/channel=ee:write-attribute(name=stack, value="tcp")
-if (outcome == success) of <%= @prefix -%>/subsystem=jgroups/stack=udp:read-resource
-<%= @prefix -%>/subsystem=jgroups/stack=udp: remove()
-end-if
-if (outcome == success) of <%= @prefix -%>/socket-binding-group=standard-sockets/socket-binding=jgroups-udp:read-resource
-<%= @prefix -%>/socket-binding-group=standard-sockets/socket-binding=jgroups-udp:remove()
-end-if
-if (outcome == success) of <%= @prefix -%>/socket-binding-group=standard-sockets/socket-binding=jgroups-mping:read-resource
-<%= @prefix -%>/socket-binding-group=standard-sockets/socket-binding=jgroups-mping:remove()
-end-if
-<%- if scope['keycloak::operating_mode'] != 'domain' -%>
-/interface=private:write-attribute(name=inet-address, value=${jboss.bind.address.private:<%= scope['keycloak::jboss_bind_private_address'] %>})
-/interface=public:write-attribute(name=inet-address, value=${jboss.bind.address:<%= scope['keycloak::jboss_bind_public_address'] %>})
-<%- end -%>
-<%- end -%>
-<%- # domain mode specific things -%>
-<% if scope['keycloak::operating_mode'] == 'domain' -%>
-
-<%- # remove load balancer -%>
-if (outcome == success) of /host=master/server-config=load-balancer:read-resource
-/host=master/server-config=load-balancer:remove
-end-if
-if (outcome == success) of /server-group=load-balancer-group:read-resource
-/server-group=load-balancer-group:remove
-end-if
-if (outcome == success) of /profile=load-balancer:read-resource
-/profile=load-balancer:remove
-end-if
-if (outcome == success) of /socket-binding-group=load-balancer-sockets:read-resource
-/socket-binding-group=load-balancer-sockets:remove
-end-if
-
-<%- # ensure proxying for ha sockets -%>
-if (outcome != success) of /socket-binding-group=ha-sockets/socket-binding=proxy-https:read-resource
-/socket-binding-group=ha-sockets/socket-binding=proxy-https:add(port=443)
-end-if
-
-<%- # caches -%>
-<%= @prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
-<%= @prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
-<%= @prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
-<%= @prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
-<%= @prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
-<%= @prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
-<%= @prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
-
-<%- # take control of the interfaces -%>
-if (outcome != success) of /interface=management:read-resource()
-/interface=management:add()
-end-if
-if (result != undefined) of /interface=management:read-attribute(name=inet-address)
-/interface=management:write-attribute(name=inet-address, value=undefined)
-end-if
-if (outcome != success) of /interface=private:read-resource()
-/interface=private:add()
-end-if
-if (result != undefined) of /interface=private:read-attribute(name=inet-address)
-/interface=private:write-attribute(name=inet-address, value=undefined)
-end-if
-if (outcome != success) of /interface=public:read-resource()
-/interface=public:add()
-end-if
-if (result != undefined) of /interface=public:read-attribute(name=inet-address)
-/interface=public:write-attribute(name=inet-address, value=undefined)
-end-if
-if (result != public) of /socket-binding-group=ha-sockets:read-attribute(name=default-interface)
-/socket-binding-group=ha-sockets:write-attribute(name=default-interface, value=public)
-end-if
-if (result != defined) of /socket-binding-group=ha-sockets/socket-binding=ajp:read-attribute(name=interface)
-/socket-binding-group=ha-sockets/socket-binding=ajp:write-attribute(name=interface, value=undefined)
-end-if
-if (result != defined) of /socket-binding-group=ha-sockets/socket-binding=http:read-attribute(name=interface)
-/socket-binding-group=ha-sockets/socket-binding=http:write-attribute(name=interface, value=undefined)
-end-if
-if (result != defined) of /socket-binding-group=ha-sockets/socket-binding=https:read-attribute(name=interface)
-/socket-binding-group=ha-sockets/socket-binding=https:write-attribute(name=interface, value=undefined)
-end-if
-if (result != management) of /socket-binding-group=ha-sockets/socket-binding=jgroups-tcp:read-attribute(name=interface)
-/socket-binding-group=ha-sockets/socket-binding=jgroups-tcp:write-attribute(name=interface,value=management)
-end-if
-
-<%- # ensure datasource for ee default bindings is correct -%>
-if (result != java:jboss/datasources/KeycloakDS) of <%= @prefix -%>/subsystem=ee/service=default-bindings:read-attribute(name=datasource)
-<%= @prefix -%>/subsystem=ee/service=default-bindings:write-attribute(name=datasource,value=java:jboss/datasources/KeycloakDS)
-end-if
-stop-embedded-host-controller
-<% end -%>
diff --git a/templates/config.cli/00-header.epp b/templates/config.cli/00-header.epp
new file mode 100644
index 0000000..ab4664d
--- /dev/null
+++ b/templates/config.cli/00-header.epp
@@ -0,0 +1,10 @@
+<%- |
+String $operating_mode
+| -%>
+<% if $operating_mode == 'standalone' { -%>
+embed-server
+<% } elsif $operating_mode == 'clustered' { -%>
+embed-server --server-config=standalone-ha.xml
+<% } else { -%>
+embed-host-controller
+<% } -%>
diff --git a/templates/config.cli/01-https-proxy.epp b/templates/config.cli/01-https-proxy.epp
new file mode 100644
index 0000000..c8daf1b
--- /dev/null
+++ b/templates/config.cli/01-https-proxy.epp
@@ -0,0 +1,15 @@
+<%- |
+String $prefix
+| -%>
+if (result.proxy-address-forwarding != true) of <%= $prefix -%>/subsystem=undertow/server=default-server/http-listener=default:read-resource
+<%= $prefix -%>/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
+end-if
+if (result.proxy-address-forwarding != true) of <%= $prefix -%>/subsystem=undertow/server=default-server/https-listener=https:read-resource
+<%= $prefix -%>/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=proxy-address-forwarding,value=true)
+end-if
+if (outcome != success) of <%= $prefix -%>/socket-binding-group=standard-sockets/socket-binding=proxy-https:read-resource
+<%= $prefix -%>/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
+end-if
+if (result.redirect-socket != proxy-https) of <%= $prefix -%>/subsystem=undertow/server=default-server/http-listener=default:read-resource
+<%= $prefix -%>/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
+end-if
diff --git a/templates/config.cli/02-datasource.epp b/templates/config.cli/02-datasource.epp
new file mode 100644
index 0000000..6673aa7
--- /dev/null
+++ b/templates/config.cli/02-datasource.epp
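Review bot: `proxy-address-forwarding=true` on both the http and https listeners makes Undertow trust `X-Forwarded-For`/`X-Forwarded-Proto` from whoever connects, and 01-https-proxy.epp applies it unconditionally, so any client that can reach a listener directly (bypassing the reverse proxy) can spoof its source address and scheme towards everything in Keycloak that keys on them, e.g. login/admin event IPs and the `external` SSL-required mode, which decides by client address. Unless the manifest already gates the inclusion of this template (not visible in this chunk), I would make it opt-in: add `Boolean $proxy_https` to the parameter list and wrap the body in `<% if $proxy_https { -%>` … `<% } -%>`, leaving the listeners untouched otherwise. A header comment should also state that, once enabled, the listeners must only be reachable from the proxy (firewall or bind address), since the template itself cannot enforce that.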
@@ -0,0 +1,52 @@
+<%- |
+String $datasource_driver,
+String $datasource_connection_url,
+String $datasource_username,
+String $datasource_password,
+String $mysql_datasource_class,
+String $prefix
+| -%>
+<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=driver-name, value=<%= $datasource_driver %>)
+<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=connection-url, value="<%= $datasource_connection_url %>")
+<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=jndi-name, value=java:jboss/datasources/KeycloakDS)
+<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=user-name, value=<%= $datasource_username %>)
+<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=password, value=<%= $datasource_password %>)
+<%- if $datasource_driver == 'mysql' { -%>
+<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation, value=true)
+<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=check-valid-connection-sql, value="SELECT 1")
+<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation-millis, value=60000)
+<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=flush-strategy, value=IdleConnections)
+try
+<%= $prefix -%>/subsystem=datasources/jdbc-driver=mysql:add(driver-module-name=com.mysql.jdbc,driver-name=mysql,driver-xa-datasource-class-name=<%= $mysql_datasource_class %>)
+catch
+<%= $prefix -%>/subsystem=datasources/jdbc-driver=mysql:remove
+<%= $prefix -%>/subsystem=datasources/jdbc-driver=mysql:add(driver-module-name=com.mysql.jdbc,driver-name=mysql,driver-xa-datasource-class-name=<%= $mysql_datasource_class %>)
+end-try
+<%- } elsif $datasource_driver == 'h2' { -%>
+/subsystem=datasources/data-source=KeycloakDS:undefine-attribute(name=background-validation)
+/subsystem=datasources/data-source=KeycloakDS:undefine-attribute(name=check-valid-connection-sql)
+/subsystem=datasources/data-source=KeycloakDS:undefine-attribute(name=background-validation-millis)
+/subsystem=datasources/data-source=KeycloakDS:undefine-attribute(name=flush-strategy)
+<%- } elsif $datasource_driver == 'oracle' { -%>
+<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation, value=true)
+<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=check-valid-connection-sql, value="SELECT 1 FROM DUAL")
+<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation-millis, value=60000)
+<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=flush-strategy, value=IdleConnections)
+try
+<%= $prefix -%>/subsystem=datasources/jdbc-driver=oracle:add(driver-module-name=org.oracle,driver-name=oracle,driver-xa-datasource-class-name=oracle.jdbc.xa.client.OracleXADataSource)
+catch
+<%= $prefix -%>/subsystem=datasources/jdbc-driver=oracle:remove
+<%= $prefix -%>/subsystem=datasources/jdbc-driver=oracle:add(driver-module-name=org.oracle,driver-name=oracle,driver-xa-datasource-class-name=oracle.jdbc.xa.client.OracleXADataSource)
+end-try
+<%- } elsif $datasource_driver == 'postgresql' { -%>
+<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation, value=true)
+<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=check-valid-connection-sql, value="SELECT 1")
+<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation-millis, value=60000)
+<%= $prefix -%>/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=flush-strategy, value=IdleConnections)
+try
+<%= $prefix -%>/subsystem=datasources/jdbc-driver=postgresql:add(driver-module-name=org.postgresql,driver-name=postgresql,driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource)
+catch
+<%= $prefix -%>/subsystem=datasources/jdbc-driver=postgresql:remove
+<%= $prefix -%>/subsystem=datasources/jdbc-driver=postgresql:add(driver-module-name=org.postgresql,driver-name=postgresql,driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource)
+end-try
+<%- } -%>
diff --git a/templates/config.cli/03-truststore.epp b/templates/config.cli/03-truststore.epp
new file mode 100644
index 0000000..3f78fce
--- /dev/null
+++ b/templates/config.cli/03-truststore.epp
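Review bot: The `user-name` and `password` writes interpolate their values bare (`value=<%= $datasource_password %>`), unlike `connection-url`, so a password containing whitespace, a comma, `)` or `=` breaks or mis-parses the CLI command at exactly the point where the datasource credentials are set; quote them like the URL, `value="<%= $datasource_password %>"`, bearing in mind that `"` and `\` inside the value still need escaping before interpolation. The `h2` branch also drops `<%= $prefix -%>` from its four `undefine-attribute` lines, so in domain mode those commands address the wrong path while every other branch carries the prefix. The rendered script holds the database password in clear text, so the file resource that writes it (not visible in this chunk) should set `show_diff => false` and an owner-only mode.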
@@ -0,0 +1,26 @@
+<%- |
+Boolean $truststore,
+String $operating_mode,
+String $install_base,
+String $truststore_password,
+String $truststore_hostname_verification_policy,
+String $prefix
+| -%>
+<% if $truststore { -%>
+if (outcome != success) of <%= $prefix -%>/subsystem=keycloak-server/spi=truststore:read-resource
+<%= $prefix -%>/subsystem=keycloak-server/spi=truststore/:add
+<%= $prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:add(enabled=true)
+end-if
+<% if $operating_mode == 'domain' { -%>
+<%= $prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=file,value=<%= $install_base %>/domain/configuration/truststore.jks)
+<% } else { -%>
+<%= $prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=file,value=<%= $install_base %>/standalone/configuration/truststore.jks)
+<% } -%>
+<%= $prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=password,value=<%= $truststore_password %>)
+<%= $prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=hostname-verification-policy,value=<%= $truststore_hostname_verification_policy %>)
+<%= $prefix -%>/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=disabled,value=false)
+<% } else { -%>
+if (outcome == success) of <%= $prefix -%>/subsystem=keycloak-server/spi=truststore:read-resource
+<%= $prefix -%>/subsystem=keycloak-server/spi=truststore/:remove
+end-if
+<% } -%>
diff --git a/templates/config.cli/04-theming.epp b/templates/config.cli/04-theming.epp
new file mode 100644
index 0000000..0f1b029
--- /dev/null
+++ b/templates/config.cli/04-theming.epp
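Review bot: `value=<%= $truststore_password %>` in the `map-put` for `password` is interpolated bare, so a truststore password with whitespace, commas or parentheses breaks the command; write it as `value="<%= $truststore_password %>"`. The `hostname-verification-policy` value is passed through as a free-form `String` as well; since `ANY` switches off hostname verification for every outbound TLS connection Keycloak makes through this truststore (LDAP, identity brokering and the like), I would narrow the template signature to `Enum['ANY','WILDCARD','STRICT'] $truststore_hostname_verification_policy,` (assuming the manifest does not already validate it) so a typo is rejected at catalog compile time instead of surfacing when the server starts. A one-line `<%# ... -%>` comment above the `else` branch saying that `$truststore => false` removes the whole `spi=truststore` block would also help, since that is a stronger action than "do not configure".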
@@ -0,0 +1,9 @@
+<%- |
+Integer $theme_static_max_age,
+Boolean $theme_cache_themes,
+Boolean $theme_cache_templates,
+String $prefix
+| -%>
+<%= $prefix -%>/subsystem=keycloak-server/theme=defaults/:write-attribute(name=staticMaxAge, value=<%= $theme_static_max_age %>)
+<%= $prefix -%>/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheThemes, value=<%= $theme_cache_themes %>)
+<%= $prefix -%>/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheTemplates, value=<%= $theme_cache_templates %>)
diff --git a/templates/config.cli/05-deployment-scanner.epp b/templates/config.cli/05-deployment-scanner.epp
new file mode 100644
index 0000000..4e30bba
--- /dev/null
+++ b/templates/config.cli/05-deployment-scanner.epp
@@ -0,0 +1,7 @@
+<%- |
+Boolean $auto_deploy_exploded,
+Boolean $auto_deploy_zipped,
+String $prefix
+| -%>
+<%= $prefix -%>/subsystem=deployment-scanner/scanner=default:write-attribute(name="auto-deploy-exploded",value=<%= $auto_deploy_exploded %>)
+<%= $prefix -%>/subsystem=deployment-scanner/scanner=default:write-attribute(name="auto-deploy-zipped",value=<%= $auto_deploy_zipped %>)
diff --git a/templates/config.cli/06-user-cache.epp b/templates/config.cli/06-user-cache.epp
new file mode 100644
index 0000000..77b83a3
--- /dev/null
+++ b/templates/config.cli/06-user-cache.epp
@@ -0,0 +1,10 @@
+<%- |
+Boolean $user_cache,
+String $prefix
+| -%>
+try
+<%= $prefix -%>/subsystem=keycloak-server/spi=userCache/provider=default/:add(enabled=<%= $user_cache %>)
+catch
+<%= $prefix -%>/subsystem=keycloak-server/spi=userCache/provider=default/:remove
+<%= $prefix -%>/subsystem=keycloak-server/spi=userCache/provider=default/:add(enabled=<%= $user_cache %>)
+end-try
diff --git a/templates/config.cli/10-cluster.epp b/templates/config.cli/10-cluster.epp
new file mode 100644
index 0000000..0c94de5
--- /dev/null
+++ b/templates/config.cli/10-cluster.epp
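Review bot: The two `auto-deploy-*` writes in 05-deployment-scanner.epp say nothing about what enabling them implies: with either flag on, anything that appears in the server's deployments directory is deployed and runs as the Keycloak service user, so write access to that directory amounts to code execution on the identity provider. I would add a header comment such as `<%# auto-deploy: any archive or exploded directory appearing in the deployments directory is deployed as the service user; keep that directory writable by the service user only -%>` and repeat the caveat in the manifest's parameter docs. Minor style point: `name="auto-deploy-exploded"` and `name="auto-deploy-zipped"` are the only quoted attribute names across these templates; the bare form used everywhere else works and reads consistently.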
@@ -0,0 +1,41 @@
+<%- |
+String $operating_mode,
+Boolean $enable_jdbc_ping,
+String $datasource_driver,
+String $jboss_bind_private_address,
+String $jboss_bind_public_address,
+String $prefix
+| -%>
+<%- if $operating_mode != 'standalone' and $enable_jdbc_ping { -%>
+if (outcome != success) of <%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=JDBC_PING:read-resource
+<%- if $datasource_driver == 'postgresql' { -%>
+<%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=JDBC_PING: add(add-index=0, data-source="KeycloakDS", properties=[initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING ( own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, created TIMESTAMP DEFAULT CURRENT_TIMESTAMP, ping_data BYTEA, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))"])
+<%- } -%>
+<%- if $datasource_driver == 'mysql' { -%>
+<%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=JDBC_PING: add(add-index=0, data-source="KeycloakDS", properties=[initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING (own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, updated TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, ping_data varbinary(5000) DEFAULT NULL, PRIMARY KEY (own_addr, cluster_name)) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin"])
+<%- } -%>
+end-if
+if (outcome == success) of <%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=MPING:read-resource
+<%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=MPING: remove()
+end-if
+if (outcome == success) of <%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=pbcast.GMS:read-resource
+<%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=pbcast.GMS: remove()
+<%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=pbcast.GMS: add(properties=[join_timeout=30000, print_local_addr=true, print_physical_addrs=true])
+end-if
+if (outcome != success) of <%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=JDBC_PING:read-resource
+end-if
+<%= $prefix -%>/subsystem=jgroups/channel=ee:write-attribute(name=stack, value="tcp")
+if (outcome == success) of <%= $prefix -%>/subsystem=jgroups/stack=udp:read-resource
+<%= $prefix -%>/subsystem=jgroups/stack=udp: remove()
+end-if
+if (outcome == success) of <%= $prefix -%>/socket-binding-group=standard-sockets/socket-binding=jgroups-udp:read-resource
+<%= $prefix -%>/socket-binding-group=standard-sockets/socket-binding=jgroups-udp:remove()
+end-if
+if (outcome == success) of <%= $prefix -%>/socket-binding-group=standard-sockets/socket-binding=jgroups-mping:read-resource
+<%= $prefix -%>/socket-binding-group=standard-sockets/socket-binding=jgroups-mping:remove()
+end-if
+<%- if $operating_mode != 'domain' { -%>
+/interface=private:write-attribute(name=inet-address, value=${jboss.bind.address.private:<%= $jboss_bind_private_address %>})
+/interface=public:write-attribute(name=inet-address, value=${jboss.bind.address:<%= $jboss_bind_public_address %>})
+<%- } -%>
+<%- } -%>
diff --git a/templates/config.cli/11-domain.epp b/templates/config.cli/11-domain.epp
new file mode 100644
index 0000000..a8b7dcf
--- /dev/null
+++ b/templates/config.cli/11-domain.epp
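Review bot: The `if (outcome != success) of <%= $prefix -%>/subsystem=jgroups/stack=tcp/protocol=JDBC_PING:read-resource` / `end-if` pair directly after the pbcast.GMS block has an empty body and does nothing; it was carried over from the ERB and should be dropped. Beyond that, the template moves the `ee` channel onto the `tcp` stack and strips UDP/MPING but adds nothing to the stack itself, so session and cache replication run with whatever protocols the shipped `tcp` stack has — no `AUTH` or `ASYM_ENCRYPT`/`SYM_ENCRYPT` is configured here, and this chunk does not show whether the base configuration supplies one. That makes the `/interface=private:write-attribute(...)` line worth a comment, e.g. `<%# jboss.bind.address.private must be a non-public address: it is what keeps the JGroups port off untrusted networks, and the cluster channel carries no authentication or encryption of its own -%>`, assuming `jgroups-tcp` is bound to the `private` interface by the base config, which this template does not set.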
@@ -0,0 +1,70 @@
+<%- |
+String $prefix
+| -%>
+<%# remove load balancer -%>
+if (outcome == success) of /host=master/server-config=load-balancer:read-resource
+/host=master/server-config=load-balancer:remove
+end-if
+if (outcome == success) of /server-group=load-balancer-group:read-resource
+/server-group=load-balancer-group:remove
+end-if
+if (outcome == success) of /profile=load-balancer:read-resource
+/profile=load-balancer:remove
+end-if
+if (outcome == success) of /socket-binding-group=load-balancer-sockets:read-resource
+/socket-binding-group=load-balancer-sockets:remove
+end-if
+
+<%# ensure proxying for ha sockets -%>
+if (outcome != success) of /socket-binding-group=ha-sockets/socket-binding=proxy-https:read-resource
+/socket-binding-group=ha-sockets/socket-binding=proxy-https:add(port=443)
+end-if
+
+<%# caches -%>
+<%= $prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
+<%= $prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
+<%= $prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
+<%= $prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
+<%= $prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
+<%= $prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
+<%= $prefix -%>/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
+
+<%# take control of the interfaces -%>
+if (outcome != success) of /interface=management:read-resource()
+/interface=management:add()
+end-if
+if (result != undefined) of /interface=management:read-attribute(name=inet-address)
+/interface=management:write-attribute(name=inet-address, value=undefined)
+end-if
+if (outcome != success) of /interface=private:read-resource()
+/interface=private:add()
+end-if
+if (result != undefined) of /interface=private:read-attribute(name=inet-address)
+/interface=private:write-attribute(name=inet-address, value=undefined)
+end-if
+if (outcome != success) of /interface=public:read-resource()
+/interface=public:add()
+end-if
+if (result != undefined) of /interface=public:read-attribute(name=inet-address)
+/interface=public:write-attribute(name=inet-address, value=undefined)
+end-if
+if (result != public) of /socket-binding-group=ha-sockets:read-attribute(name=default-interface)
+/socket-binding-group=ha-sockets:write-attribute(name=default-interface, value=public)
+end-if
+if (result != defined) of /socket-binding-group=ha-sockets/socket-binding=ajp:read-attribute(name=interface)
+/socket-binding-group=ha-sockets/socket-binding=ajp:write-attribute(name=interface, value=undefined)
+end-if
+if (result != defined) of /socket-binding-group=ha-sockets/socket-binding=http:read-attribute(name=interface)
+/socket-binding-group=ha-sockets/socket-binding=http:write-attribute(name=interface, value=undefined)
+end-if
+if (result != defined) of /socket-binding-group=ha-sockets/socket-binding=https:read-attribute(name=interface)
+/socket-binding-group=ha-sockets/socket-binding=https:write-attribute(name=interface, value=undefined)
+end-if
+if (result != management) of /socket-binding-group=ha-sockets/socket-binding=jgroups-tcp:read-attribute(name=interface)
+/socket-binding-group=ha-sockets/socket-binding=jgroups-tcp:write-attribute(name=interface,value=management)
+end-if
+
+<%# ensure datasource for ee default bindings is correct -%>
+if (result != java:jboss/datasources/KeycloakDS) of <%= $prefix -%>/subsystem=ee/service=default-bindings:read-attribute(name=datasource)
+<%= $prefix -%>/subsystem=ee/service=default-bindings:write-attribute(name=datasource,value=java:jboss/datasources/KeycloakDS)
+end-if
diff --git a/templates/config.cli/99-footer.epp b/templates/config.cli/99-footer.epp
new file mode 100644
index 0000000..e71114e
--- /dev/null
+++ b/templates/config.cli/99-footer.epp
@@ -0,0 +1,6 @@
+<%- |
+String $operating_mode
+| -%>
+<% if $operating_mode == 'domain' { -%>
+stop-embedded-host-controller
+<% } -%>
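Review bot: In 11-domain.epp the rebinding of `jgroups-tcp` to the `management` interface, together with clearing `inet-address` on the `management`, `private` and `public` interfaces, is the most consequential part of the template and carries no explanation, so a reader cannot tell whether cluster replication is deliberately put on the management network (reachable from every host that can reach the host controller's management address) or whether `management` was picked as a stand-in for `private`; either a comment on that block such as `<%# cluster traffic deliberately shares the management interface; host.xml decides the actual addresses -%>` or a switch to `value=private`, matching the non-domain branch, would settle it. `/host=master/server-config=load-balancer` hard-codes the host controller name, and because the `if (outcome == success)` guard silences a miss, a host named anything else silently keeps the stock load-balancer server; a `$host_name` template parameter would make that explicit. The `proxy-https` binding added to `ha-sockets` here duplicates what 01-https-proxy.epp does for `standard-sockets` and should follow whatever gating that template receives.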