diff --git a/manifests/config.pp b/manifests/config.pp index 74e14f1..fe08431 100644 --- a/manifests/config.pp +++ b/manifests/config.pp 
@@ -1,277 +1,276 @@ # Private class. class keycloak::config { assert_private() file { '/opt/keycloak': ensure => 'link', target => $keycloak::install_base, } # Template uses: # - $keycloak::install_base # - $keycloak::admin_user # - $keycloak::admin_user_password file { 'kcadm-wrapper.sh': ensure => 'file', path => "${keycloak::install_base}/bin/kcadm-wrapper.sh", owner => $keycloak::user, group => $keycloak::group, mode => '0750', content => template('keycloak/kcadm-wrapper.sh.erb'), show_diff => false, } file { "${keycloak::install_base}/tmp": ensure => 'directory', owner => $keycloak::user, group => $keycloak::group, mode => '0755', } $_add_user_keycloak_cmd = "${keycloak::install_base}/bin/add-user-keycloak.sh" $_add_user_keycloak_state = "${keycloak::install_base}/.create-keycloak-admin-${keycloak::datasource_driver}" + $_config_cli_content = template('keycloak/config.cli.erb') if $::keycloak::operating_mode != 'domain' { $_add_user_keycloak_args = "--user ${keycloak::admin_user} --password ${keycloak::admin_user_password} --realm master" $_subdir = 'standalone' - $_config_cli_content = template('keycloak/config.cli.erb') $_java_opts_path = "${keycloak::install_base}/bin/standalone.conf" } else { $_server_conf_dir = "${keycloak::install_base}/domain/servers/${keycloak::server_name}/configuration" $_add_user_keycloak_args = "--user ${keycloak::admin_user} --password ${keycloak::admin_user_password} --realm master --sc ${_server_conf_dir}/" # lint:ignore:140chars $_subdir = 'domain' - $_config_cli_content = template('keycloak/config-domain.cli.erb') $_java_opts_path = "${keycloak::install_base}/bin/domain.conf" $_dirs = [ "${keycloak::install_base}/domain/servers", "${keycloak::install_base}/domain/servers/${keycloak::server_name}", "${keycloak::install_base}/domain/servers/${keycloak::server_name}/configuration", ] file { $_dirs: ensure => 'directory', owner => $keycloak::user, group => $keycloak::group, mode => '0755', } } exec { 'create-keycloak-admin': 
command => "${_add_user_keycloak_cmd} ${_add_user_keycloak_args} && touch ${_add_user_keycloak_state}", creates => $_add_user_keycloak_state, notify => Class['keycloak::service'], user => $keycloak::user, } concat { "${keycloak::install_base}/config.cli": owner => $keycloak::user, group => $keycloak::group, mode => '0600', notify => Exec['jboss-cli.sh --file=config.cli'], show_diff => false, } concat::fragment { 'config.cli-keycloak': target => "${keycloak::install_base}/config.cli", content => $_config_cli_content, order => '00', } if $keycloak::custom_config_content or $keycloak::custom_config_source { concat::fragment { 'config.cli-custom': target => "${keycloak::install_base}/config.cli", content => $keycloak::custom_config_content, source => $keycloak::custom_config_source, order => '01', } } exec { 'jboss-cli.sh --file=config.cli': command => "${keycloak::install_base}/bin/jboss-cli.sh --file=config.cli", cwd => $keycloak::install_base, user => $keycloak::user, group => $keycloak::group, refreshonly => true, logoutput => true, notify => Class['keycloak::service'], } create_resources('keycloak::truststore::host', $keycloak::truststore_hosts) if $keycloak::java_opts { $java_opts_ensure = 'present' } else { $java_opts_ensure = 'absent' } if $keycloak::java_opts =~ Array { $java_opts = join($keycloak::java_opts, ' ') } else { $java_opts = $keycloak::java_opts } if $keycloak::java_opts_append { $_java_opts = "\$JAVA_OPTS ${java_opts}" } else { $_java_opts = $java_opts } file_line { 'JAVA_OPTS': ensure => $java_opts_ensure, path => $_java_opts_path, line => "JAVA_OPTS=\"${_java_opts}\"", match => '^JAVA_OPTS=', notify => Class['keycloak::service'], } file { "${keycloak::install_base}/${_subdir}/configuration": ensure => 'directory', owner => $keycloak::user, group => $keycloak::group, mode => '0750', } file { "${keycloak::install_base}/${_subdir}/configuration/profile.properties": ensure => 'file', owner => $keycloak::user, group => $keycloak::group, content => 
template('keycloak/profile.properties.erb'), mode => '0644', notify => Class['keycloak::service'], } if $::keycloak::operating_mode == 'domain' { $_add_user_wildfly_cmd = "${keycloak::install_base}/bin/add-user.sh" $_add_user_wildfly_args = "--user ${keycloak::wildfly_user} --password ${keycloak::wildfly_user_password} -e -s" $_add_user_wildfly_state = "${::keycloak::install_base}/.create-wildfly-user" exec { 'create-wildfly-user': command => "${_add_user_wildfly_cmd} ${_add_user_wildfly_args} && touch ${_add_user_wildfly_state}", creates => $_add_user_wildfly_state, notify => Class['keycloak::service'], } if $keycloak::role == 'master' { # Remove load balancer group # Rename the server # Set port offset to zero to run server on port 8080 augeas { 'ensure-servername': incl => "${keycloak::install_base}/domain/configuration/host-master.xml", context => "/files${keycloak::install_base}/domain/configuration/host-master.xml/host/servers", load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', lens => 'Xml.lns', changes => [ 'rm server[1]', 'rm server', "set server/#attribute/name ${keycloak::server_name}", 'set server/#attribute/group auth-server-group', 'set server/#attribute/auto-start true', 'set server/socket-bindings/#attribute/port-offset 0', ], notify => Class['keycloak::service'], } # Set up interface names and defaults in host-master.xml augeas { 'ensure-interface-names-defaults-master': incl => "${keycloak::install_base}/domain/configuration/host-master.xml", context => "/files${keycloak::install_base}/domain/configuration/host-master.xml/host/interfaces", load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', lens => 'Xml.lns', changes => [ # lint:ignore:single_quote_string_with_variables 'set interface[1]/#attribute/name management', 'set interface[1]/inet-address/#attribute/value ${jboss.bind.address.management:127.0.0.1}', 'set interface[2]/#attribute/name private', 'set interface[2]/inet-address/#attribute/value 
${jboss.bind.address.private:127.0.0.1}', 'set interface[3]/#attribute/name public', 'set interface[3]/inet-address/#attribute/value ${jboss.bind.address:127.0.0.1}', # lint:endignore ], notify => Class['keycloak::service'], } # Assing management interfaces to logical interfaces augeas { 'assign-management-interaces-master': incl => "${keycloak::install_base}/domain/configuration/host-master.xml", context => "/files${keycloak::install_base}/domain/configuration/host-master.xml/host/management/management-interfaces", load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', lens => 'Xml.lns', changes => [ 'set native-interface/socket/#attribute/interface management', 'set http-interface/socket/#attribute/interface private', ], notify => Class['keycloak::service'], } } else { # Rename the server # Set port offset to zero, to run server in port 8080 augeas { 'ensure-servername': incl => "${keycloak::install_base}/domain/configuration/host-slave.xml", context => "/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/servers", load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', lens => 'Xml.lns', changes => [ "set server/#attribute/name ${keycloak::server_name}", 'set server/socket-bindings/#attribute/port-offset 0' ], notify => Class['keycloak::service'], } # Set username for authentication to master augeas { 'ensure-username': incl => "${keycloak::install_base}/domain/configuration/host-slave.xml", context => "/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/domain-controller/remote", load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', lens => 'Xml.lns', changes => [ "set #attribute/username ${keycloak::wildfly_user}" ], notify => Class['keycloak::service'], } # Set secret for authentication to master augeas { 'ensure-secret': incl => "${keycloak::install_base}/domain/configuration/host-slave.xml", context => 
"/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/management/security-realms/security-realm[1]/server-identities/secret", # lint:ignore:140chars load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', lens => 'Xml.lns', changes => [ "set #attribute/value ${keycloak::wildfly_user_password_base64}" ], notify => Class['keycloak::service'], } # Set up interface names and default in host-slave.xml augeas { 'ensure-interface-names-defaults-slave': incl => "${keycloak::install_base}/domain/configuration/host-slave.xml", context => "/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/interfaces", load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', lens => 'Xml.lns', changes => [ # lint:ignore:single_quote_string_with_variables 'set interface[1]/#attribute/name management', 'set interface[1]/inet-address/#attribute/value ${jboss.bind.address.management:127.0.0.1}', 'set interface[2]/#attribute/name private', 'set interface[2]/inet-address/#attribute/value ${jboss.bind.address.private:127.0.0.1}', 'set interface[3]/#attribute/name public', 'set interface[3]/inet-address/#attribute/value ${jboss.bind.address:127.0.0.1}', # lint:endignore ], notify => Class['keycloak::service'], } # Assing management interfaces to logical interfaces augeas { 'assign-management-interaces-slave': incl => "${keycloak::install_base}/domain/configuration/host-slave.xml", context => "/files${keycloak::install_base}/domain/configuration/host-slave.xml/host/management/management-interfaces", load_path => '/opt/puppetlabs/puppet/share/augeas/lenses/dist', lens => 'Xml.lns', changes => [ 'set native-interface/socket/#attribute/interface management', 'set http-interface/socket/#attribute/interface private', ], notify => Class['keycloak::service'], } } } } diff --git a/templates/config.cli.erb b/templates/config.cli.erb index 91e74b0..f69975f 100644 --- a/templates/config.cli.erb +++ b/templates/config.cli.erb 
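Review bot: The `augeas { 'ensure-secret': ... }` resource in the domain/slave branch writes `keycloak::wildfly_user_password_base64` into host-slave.xml without `show_diff => false`, so the Augeas file diff — and with it the base64-encoded (trivially reversible) domain-controller secret — ends up in agent logs and reports, while the other secret-bearing resources in this class (`kcadm-wrapper.sh`, the `config.cli` concat) already disable it. Add `show_diff => false,` to that resource (and to `ensure-username` for consistency). Related: both `create-keycloak-admin` and `create-wildfly-user` pass `--password ${...}` on the command line, so the plaintext password is visible in `ps` while the exec runs and is quoted verbatim in Puppet's exec failure message; if the add-user tools can take the password from stdin or an environment variable, prefer that, otherwise document the exposure with a comment such as `# NOTE: password is passed as an argument and will appear in process listings and exec failure output`. `create-wildfly-user` also has no `user =>`, so unlike `create-keycloak-admin` it runs as root and leaves a root-owned state file under the keycloak install base.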
@@ -1,119 +1,284 @@ <% if scope['keycloak::operating_mode'] == 'standalone'-%> embed-server <% elsif scope['keycloak::operating_mode'] == 'clustered'-%> embed-server --server-config=standalone-ha.xml +<% else -%> +embed-host-controller <% end -%> -<%- if scope['keycloak::proxy_https'] -%> + +<% if scope['keycloak::operating_mode'] == 'domain' -%> +if (outcome == success) of /host=master/server-config=load-balancer:read-resource +/host=master/server-config=load-balancer:remove +end-if +if (outcome == success) of /server-group=load-balancer-group:read-resource +/server-group=load-balancer-group:remove +end-if +if (outcome == success) of /profile=load-balancer:read-resource +/profile=load-balancer:remove +end-if +if (outcome == success) of /socket-binding-group=load-balancer-sockets:read-resource +/socket-binding-group=load-balancer-sockets:remove +end-if +if (outcome != success) of /socket-binding-group=ha-sockets/socket-binding=proxy-https:read-resource +/socket-binding-group=ha-sockets/socket-binding=proxy-https:add(port=443) +end-if +<% end -%> + +<%- if scope['keycloak::proxy_https'] -%> +<%- if scope['keycloak::operating_mode'] != 'domain' -%> if (result.proxy-address-forwarding != true) of /subsystem=undertow/server=default-server/http-listener=default:read-resource /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true) end-if if (result.proxy-address-forwarding != true) of /subsystem=undertow/server=default-server/https-listener=https:read-resource /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=proxy-address-forwarding,value=true) end-if if (outcome != success) of /socket-binding-group=standard-sockets/socket-binding=proxy-https:read-resource /socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443) end-if if (result.redirect-socket != proxy-https) of /subsystem=undertow/server=default-server/http-listener=default:read-resource 
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https) end-if -<%- end -%> +<%- else -%><%- # is domain -%> +if (result.proxy-address-forwarding != true) of /profile=auth-server-clustered/subsystem=undertow/server=default-server/http-listener=default:read-resource +/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true) +end-if +if (result.proxy-address-forwarding != true) of /profile=auth-server-clustered/subsystem=undertow/server=default-server/http-listener=default:read-resource +/profile=auth-server-clustered/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true) +end-if +if (outcome != success) of /socket-binding-group=ha-sockets/socket-binding=proxy-https:read-resource +/socket-binding-group=ha-sockets/socket-binding=proxy-https:add(port=443) +end-if +if (result.redirect-socket != proxy-https) of /profile=auth-server-clustered/subsystem=undertow/server=default-server/http-listener=default:read-resource +/profile=auth-server-clustered/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https) +end-if +<%- end -%><%- # end not domain -%> +<%- end -%><%- # end proxy_https -%> + +<%- if scope['keycloak::operating_mode'] != 'domain' -%> /subsystem=datasources/data-source=KeycloakDS:write-attribute(name=driver-name, value=<%= scope['keycloak::datasource_driver'] %>) /subsystem=datasources/data-source=KeycloakDS:write-attribute(name=connection-url, value="<%= scope['keycloak::datasource_connection_url'] %>") /subsystem=datasources/data-source=KeycloakDS:write-attribute(name=jndi-name, value=java:jboss/datasources/KeycloakDS) /subsystem=datasources/data-source=KeycloakDS:write-attribute(name=user-name, value=<%= scope['keycloak::datasource_username'] %>) 
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=password, value=<%= scope['keycloak::datasource_password'] %>) <%- if scope['keycloak::datasource_driver'] == 'mysql' -%> /subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation, value=true) /subsystem=datasources/data-source=KeycloakDS:write-attribute(name=check-valid-connection-sql, value="SELECT 1") /subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation-millis, value=60000) /subsystem=datasources/data-source=KeycloakDS:write-attribute(name=flush-strategy, value=IdleConnections) try /subsystem=datasources/jdbc-driver=mysql:add(driver-module-name=com.mysql.jdbc,driver-name=mysql,driver-xa-datasource-class-name=<%= scope['keycloak::mysql_datasource_class'] %>) catch /subsystem=datasources/jdbc-driver=mysql:remove /subsystem=datasources/jdbc-driver=mysql:add(driver-module-name=com.mysql.jdbc,driver-name=mysql,driver-xa-datasource-class-name=<%= scope['keycloak::mysql_datasource_class'] %>) end-try <%- elsif scope['keycloak::datasource_driver'] == 'h2' -%> /subsystem=datasources/data-source=KeycloakDS:undefine-attribute(name=background-validation) /subsystem=datasources/data-source=KeycloakDS:undefine-attribute(name=check-valid-connection-sql) /subsystem=datasources/data-source=KeycloakDS:undefine-attribute(name=background-validation-millis) /subsystem=datasources/data-source=KeycloakDS:undefine-attribute(name=flush-strategy) <%- elsif scope['keycloak::datasource_driver'] == 'oracle' -%> /subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation, value=true) /subsystem=datasources/data-source=KeycloakDS:write-attribute(name=check-valid-connection-sql, value="SELECT 1 FROM DUAL") /subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation-millis, value=60000) /subsystem=datasources/data-source=KeycloakDS:write-attribute(name=flush-strategy, value=IdleConnections) try 
/subsystem=datasources/jdbc-driver=oracle:add(driver-module-name=org.oracle,driver-name=oracle,driver-xa-datasource-class-name=oracle.jdbc.xa.client.OracleXADataSource) catch /subsystem=datasources/jdbc-driver=oracle:remove /subsystem=datasources/jdbc-driver=oracle:add(driver-module-name=org.oracle,driver-name=oracle,driver-xa-datasource-class-name=oracle.jdbc.xa.client.OracleXADataSource) end-try <%- elsif scope['keycloak::datasource_driver'] == 'postgresql' -%> /subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation, value=true) /subsystem=datasources/data-source=KeycloakDS:write-attribute(name=check-valid-connection-sql, value="SELECT 1") /subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation-millis, value=60000) /subsystem=datasources/data-source=KeycloakDS:write-attribute(name=flush-strategy, value=IdleConnections) try /subsystem=datasources/jdbc-driver=postgresql:add(driver-module-name=org.postgresql,driver-name=postgresql,driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource) catch /subsystem=datasources/jdbc-driver=postgresql:remove /subsystem=datasources/jdbc-driver=postgresql:add(driver-module-name=org.postgresql,driver-name=postgresql,driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource) end-try +<%- end -%><%- # datasource drivers -%> + +<%- else -%><%- # is domain mode -%> +/profile=auth-server-clustered/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=driver-name, value=<%= scope['keycloak::datasource_driver'] %>) +/profile=auth-server-clustered/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=connection-url, value="<%= scope['keycloak::datasource_connection_url'] %>") +/profile=auth-server-clustered/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=jndi-name, value=java:jboss/datasources/KeycloakDS) +/profile=auth-server-clustered/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=user-name, 
value=<%= scope['keycloak::datasource_username'] %>) +/profile=auth-server-clustered/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=password, value=<%= scope['keycloak::datasource_password'] %>) +/profile=auth-server-clustered/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation, value=true) +/profile=auth-server-clustered/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=check-valid-connection-sql, value="SELECT 1") +/profile=auth-server-clustered/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation-millis, value=60000) +/profile=auth-server-clustered/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=flush-strategy, value=IdleConnections) +try +/profile=auth-server-clustered/subsystem=datasources/jdbc-driver=postgresql:add(driver-module-name=org.postgresql,driver-name=postgresql,driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource) +catch +/profile=auth-server-clustered/subsystem=datasources/jdbc-driver=postgresql:remove +/profile=auth-server-clustered/subsystem=datasources/jdbc-driver=postgresql:add(driver-module-name=org.postgresql,driver-name=postgresql,driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource) +end-try <%- end -%> + +<%- if scope['keycloak::operating_mode'] != 'domain' %> <%- if scope['keycloak::truststore'] -%> if (outcome != success) of /subsystem=keycloak-server/spi=truststore:read-resource /subsystem=keycloak-server/spi=truststore/:add /subsystem=keycloak-server/spi=truststore/provider=file/:add(enabled=true) end-if /subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=file,value=<%= scope['keycloak::install_base'] %>/standalone/configuration/truststore.jks) /subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=password,value=<%= scope['keycloak::truststore_password'] %>) 
/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=hostname-verification-policy,value=<%= scope['keycloak::truststore_hostname_verification_policy'] %>) /subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=disabled,value=false) <%- else -%> if (outcome == success) of /subsystem=keycloak-server/spi=truststore:read-resource /subsystem=keycloak-server/spi=truststore/:remove end-if -<%- end -%> +<%- end -%><%- # end keystore -%> +<%- end -%><%- # end is not domain -%> + +<%- if scope['keycloak::operating_mode'] == 'domain' %> +<%- if scope['keycloak::truststore'] -%> +if (outcome != success) of /profile=auth-server-clustered/subsystem=keycloak-server/spi=truststore:read-resource +/profile=auth-server-clustered/subsystem=keycloak-server/spi=truststore/:add +/profile=auth-server-clustered/subsystem=keycloak-server/spi=truststore/provider=file/:add(enabled=true) +end-if +/profile=auth-server-clustered/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=file,value=<%= scope['keycloak::install_base'] %>/standalone/configuration/truststore.jks) +/profile=auth-server-clustered/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=password,value=<%= scope['keycloak::truststore_password'] %>) +/profile=auth-server-clustered/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=hostname-verification-policy,value=<%= scope['keycloak::truststore_hostname_verification_policy'] %>) +/profile=auth-server-clustered/subsystem=keycloak-server/spi=truststore/provider=file/:map-put(name=properties,key=disabled,value=false) +<% else -%> +if (outcome == success) of /profile=auth-server-clustered/subsystem=keycloak-server/spi=truststore:read-resource +/profile=auth-server-clustered/subsystem=keycloak-server/spi=truststore/:remove +end-if +<% end -%><%- # end keystore -%> +<% end -%><%- # end is not domain -%> + +<%- if 
scope['keycloak::operating_mode'] != 'domain' %> /subsystem=keycloak-server/theme=defaults/:write-attribute(name=staticMaxAge, value=<%= scope['keycloak::theme_static_max_age'] %>) /subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheThemes, value=<%= scope['keycloak::theme_cache_themes'] %>) /subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheTemplates, value=<%= scope['keycloak::theme_cache_templates'] %>) /subsystem=deployment-scanner/scanner=default:write-attribute(name="auto-deploy-exploded",value=<%= scope['keycloak::auto_deploy_exploded'] %>) /subsystem=deployment-scanner/scanner=default:write-attribute(name="auto-deploy-zipped",value=<%= scope['keycloak::auto_deploy_zipped'] %>) try /subsystem=keycloak-server/spi=userCache/provider=default/:add(enabled=<%= scope['keycloak::user_cache']%>) catch /subsystem=keycloak-server/spi=userCache/provider=default/:remove /subsystem=keycloak-server/spi=userCache/provider=default/:add(enabled=<%= scope['keycloak::user_cache']%>) end-try +<% else -%><%- # is domain -%> +/profile=auth-server-clustered/subsystem=keycloak-server/theme=defaults/:write-attribute(name=staticMaxAge, value=<%= scope['keycloak::theme_static_max_age'] %>) +/profile=auth-server-clustered/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheThemes, value=<%= scope['keycloak::theme_cache_themes'] %>) +/profile=auth-server-clustered/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheTemplates, value=<%= scope['keycloak::theme_cache_templates'] %>) +try +/profile=auth-server-clustered/subsystem=keycloak-server/spi=userCache/provider=default/:add(enabled=<%= scope['keycloak::user_cache']%>) +catch +/profile=auth-server-clustered/subsystem=keycloak-server/spi=userCache/provider=default/:remove +/profile=auth-server-clustered/subsystem=keycloak-server/spi=userCache/provider=default/:add(enabled=<%= scope['keycloak::user_cache']%>) +end-try +<% end -%> + <%- if 
scope['keycloak::operating_mode'] == 'clustered' && scope['keycloak::enable_jdbc_ping'] -%> if (outcome != success) of /subsystem=jgroups/stack=tcp/protocol=JDBC_PING:read-resource <%- if scope['keycloak::datasource_driver'] == 'postgresql' -%> /subsystem=jgroups/stack=tcp/protocol=JDBC_PING: add(add-index=0, data-source="KeycloakDS", properties=[initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING ( own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, created TIMESTAMP DEFAULT CURRENT_TIMESTAMP, ping_data BYTEA, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))"]) <%- end -%> <%- if scope['keycloak::datasource_driver'] == 'mysql' -%> /subsystem=jgroups/stack=tcp/protocol=JDBC_PING: add(add-index=0, data-source="KeycloakDS", properties=[initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING (own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, updated TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, ping_data varbinary(5000) DEFAULT NULL, PRIMARY KEY (own_addr, cluster_name)) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin"]) <%- end -%> end-if if (outcome == success) of /subsystem=jgroups/stack=tcp/protocol=MPING:read-resource /subsystem=jgroups/stack=tcp/protocol=MPING: remove() end-if if (outcome == success) of /subsystem=jgroups/stack=tcp/protocol=pbcast.GMS:read-resource /subsystem=jgroups/stack=tcp/protocol=pbcast.GMS: remove() /subsystem=jgroups/stack=tcp/protocol=pbcast.GMS: add(properties=[join_timeout=30000, print_local_addr=true, print_physical_addrs=true]) end-if if (outcome != success) of /subsystem=jgroups/stack=tcp/protocol=JDBC_PING:read-resource end-if /subsystem=jgroups/channel=ee:write-attribute(name=stack, value="tcp") if (outcome == success) of /subsystem=jgroups/stack=udp:read-resource /subsystem=jgroups/stack=udp: remove() end-if if (outcome == success) of /socket-binding-group=standard-sockets/socket-binding=jgroups-udp:read-resource 
/socket-binding-group=standard-sockets/socket-binding=jgroups-udp:remove() end-if if (outcome == success) of /socket-binding-group=standard-sockets/socket-binding=jgroups-mping:read-resource /socket-binding-group=standard-sockets/socket-binding=jgroups-mping:remove() end-if /interface=private:write-attribute(name=inet-address, value=${jboss.bind.address.private:<%= scope['keycloak::jboss_bind_private_address'] %>}) /interface=public:write-attribute(name=inet-address, value=${jboss.bind.address:<%= scope['keycloak::jboss_bind_public_address'] %>}) <%- end -%> + +<%- if scope['keycloak::operating_mode'] == 'domain' && scope['keycloak::enable_jdbc_ping'] -%> +if (outcome != success) of /profile=auth-server-clustered/subsystem=jgroups/stack=tcp/protocol=JDBC_PING:read-resource +<%- if scope['keycloak::datasource_driver'] == 'postgresql' -%> +/profile=auth-server-clustered/subsystem=jgroups/stack=tcp/protocol=JDBC_PING: add(add-index=0, data-source="KeycloakDS", properties=[initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING ( own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, created TIMESTAMP DEFAULT CURRENT_TIMESTAMP, ping_data BYTEA, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))"]) +<%- end -%> +<%- if scope['keycloak::datasource_driver'] == 'mysql' -%> +/profile=auth-server-clustered/subsystem=jgroups/stack=tcp/protocol=JDBC_PING: add(add-index=0, data-source="KeycloakDS", properties=[initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING (own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, updated TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, ping_data varbinary(5000) DEFAULT NULL, PRIMARY KEY (own_addr, cluster_name)) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin"]) +<%- end -%> +end-if +if (outcome == success) of /profile=auth-server-clustered/subsystem=jgroups/stack=tcp/protocol=MPING:read-resource +/profile=auth-server-clustered/subsystem=jgroups/stack=tcp/protocol=MPING: remove() 
+end-if
+if (outcome == success) of /profile=auth-server-clustered/subsystem=jgroups/stack=tcp/protocol=pbcast.GMS:read-resource
+/profile=auth-server-clustered/subsystem=jgroups/stack=tcp/protocol=pbcast.GMS: remove()
+/profile=auth-server-clustered/subsystem=jgroups/stack=tcp/protocol=pbcast.GMS: add(properties=[join_timeout=30000, print_local_addr=true, print_physical_addrs=true])
+end-if
+if (outcome != success) of /profile=auth-server-clustered/subsystem=jgroups/stack=tcp/protocol=JDBC_PING:read-resource
+end-if
+/profile=auth-server-clustered/subsystem=jgroups/channel=ee:write-attribute(name=stack, value="tcp")
+if (outcome == success) of /profile=auth-server-clustered/subsystem=jgroups/stack=udp:read-resource
+/profile=auth-server-clustered/subsystem=jgroups/stack=udp: remove()
+end-if
+if (outcome == success) of /profile=auth-server-clustered/socket-binding-group=standard-sockets/socket-binding=jgroups-udp:read-resource
+/profile=auth-server-clustered/socket-binding-group=standard-sockets/socket-binding=jgroups-udp:remove()
+end-if
+if (outcome == success) of /profile=auth-server-clustered/socket-binding-group=standard-sockets/socket-binding=jgroups-mping:read-resource
+/profile=auth-server-clustered/socket-binding-group=standard-sockets/socket-binding=jgroups-mping:remove()
+end-if
+/interface=private:write-attribute(name=inet-address, value=${jboss.bind.address.private:<%= scope['keycloak::jboss_bind_private_address'] %>})
+/interface=public:write-attribute(name=inet-address, value=${jboss.bind.address:<%= scope['keycloak::jboss_bind_public_address'] %>})
+<%- end -%>
+
+<%- if scope['keycloak::operating_mode'] == 'domain' -%>
+if (outcome != success) of /interface=management:read-resource()
+/interface=management:add()
+end-if
+if (result != undefined) of /interface=management:read-attribute(name=inet-address)
+/interface=management:write-attribute(name=inet-address, value=undefined)
+end-if
+if (outcome != success) of /interface=private:read-resource()
+/interface=private:add()
+end-if
+if (result != undefined) of /interface=private:read-attribute(name=inet-address)
+/interface=private:write-attribute(name=inet-address, value=undefined)
+end-if
+if (outcome != success) of /interface=public:read-resource()
+/interface=public:add()
+end-if
+if (result != undefined) of /interface=public:read-attribute(name=inet-address)
+/interface=public:write-attribute(name=inet-address, value=undefined)
+end-if
+if (result != public) of /socket-binding-group=ha-sockets:read-attribute(name=default-interface)
+/socket-binding-group=ha-sockets:write-attribute(name=default-interface, value=public)
+end-if
+if (result != defined) of /socket-binding-group=ha-sockets/socket-binding=ajp:read-attribute(name=interface)
+/socket-binding-group=ha-sockets/socket-binding=ajp:write-attribute(name=interface, value=undefined)
+end-if
+if (result != defined) of /socket-binding-group=ha-sockets/socket-binding=http:read-attribute(name=interface)
+/socket-binding-group=ha-sockets/socket-binding=http:write-attribute(name=interface, value=undefined)
+end-if
+if (result != defined) of /socket-binding-group=ha-sockets/socket-binding=https:read-attribute(name=interface)
+/socket-binding-group=ha-sockets/socket-binding=https:write-attribute(name=interface, value=undefined)
+end-if
+if (result != management) of /socket-binding-group=ha-sockets/socket-binding=jgroups-tcp:read-attribute(name=interface)
+/socket-binding-group=ha-sockets/socket-binding=jgroups-tcp:write-attribute(name=interface,value=management)
+end-if
+if (result != java:jboss/datasources/KeycloakDS) of /profile=auth-server-clustered/subsystem=ee/service=default-bindings:read-attribute(name=datasource)
+/profile=auth-server-clustered/subsystem=ee/service=default-bindings:write-attribute(name=datasource,value=java:jboss/datasources/KeycloakDS)
+end-if
+<% end -%>
+
+<% if scope['keycloak::operating_mode'] == 'domain'-%>
+stop-embedded-host-controller
+<% end -%>
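Review bot: In the domain branch of the `proxy_https` block, the first `if` reads `/profile=auth-server-clustered/.../http-listener=default` but its write targets `/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)` with no profile prefix — under `embed-host-controller` there is no root-level undertow subsystem, so that command fails and aborts the script before anything after it runs; the immediately following `if` is the correctly prefixed version, so the first three lines (`if ... read-resource`, the unprefixed `write-attribute`, `end-if`) should simply be deleted. Unlike the standalone branch, the domain branch also never sets `proxy-address-forwarding` on the `https-listener`; if the `auth-server-clustered` profile has one behind the proxy (not visible here), X-Forwarded-For is ignored on it and brute-force detection and audit logs will see the proxy's address instead of the client's. The domain truststore block still points at `<%= scope['keycloak::install_base'] %>/standalone/configuration/truststore.jks`, which looks copied from the standalone branch; if the truststore is actually written under the domain configuration directory this presumably breaks outbound TLS trust (LDAP, brokered IdPs) at startup, so confirm where `keycloak::truststore` places the file. Separately, the domain datasource section hard-codes the postgresql `jdbc-driver` and `SELECT 1` regardless of `keycloak::datasource_driver`, so a mysql/oracle `driver-name` in domain mode would be paired with the wrong driver module.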
diff --git a/vagrant/run_puppet.sh b/vagrant/run_puppet.sh index ea6f366..0c1f2f4 100755 --- a/vagrant/run_puppet.sh +++ b/vagrant/run_puppet.sh 
@@ -1,72 +1,72 @@ #!/bin/sh # Exit on any error set -e # Preparations required prior to "puppet apply". usage() { echo echo "Usage: run_puppet.sh -b basedir" echo echo "Options:" echo " -b Base directory for dependency Puppet modules installed by" echo " librarian-puppet." echo " -m Puppet manifests to run. Put them in the provision folder" echo " -d Turn on debugging" exit 1 } # Parse the options # We are run without parameters -> usage if [ "$1" = "" ]; then usage fi while getopts "b:m:h:d:" options; do case $options in b ) BASEDIR=$OPTARG;; m ) MANIFESTS=$OPTARG;; d ) DEBUG=$OPTARG;; h ) usage;; \? ) usage;; * ) usage;; esac done CWD=`pwd` # Configure with "puppet apply" if [ "$DEBUG" == "true" ]; then PUPPET_APPLY="/opt/puppetlabs/bin/puppet apply --verbose --debug --trace --summarize" else PUPPET_APPLY="/opt/puppetlabs/bin/puppet apply" fi # Pass variables to Puppet manifests via environment variables export FACTER_profile='/etc/profile.d/myprofile.sh' export FACTER_basedir="$BASEDIR" -export FACTER_keycloak_version='10.0.1' +export FACTER_keycloak_version='12.0.2' export FACTER_keycloak_datasource_host='db.local' export FACTER_keycloak_datasource_dbname='keycloak' export FACTER_keycloak_datasource_username='keycloak' export FACTER_keycloak_datasource_password='keycloak' export FACTER_keycloak_admin_user='admin' export FACTER_keycloak_admin_user_password='changeme' export FACTER_keycloak_wildfly_user='wildfly' export FACTER_keycloak_wildfly_user_password='wildfly' export FACTER_manage_package_repo='false' export FACTER_postgresql_version='9.6' export FACTER_postgresql_manage_package_repo='true' export FACTER_postgresql_listen_address='*' export FACTER_db_username='keycloak' export FACTER_db_password='keycloak' export FACTER_db_database='keycloak' export FACTER_db_connection_limit='300' for manifest in $MANIFESTS; do $PUPPET_APPLY /vagrant/vagrant/$manifest done cd $CWD