This requires upgrading the keycloak (to get SMTP configuration) and postgresql (see https://github.com/treydock/puppet-module-keycloak/pull/143) Puppet modules.
A warning is now issued when the login_theme option is absent from client configuration, so set it to swh.
I cannot push directly to https://forge.softwareheritage.org/source/puppet-treydock-keycloak/
so I changed the repo URL to the GitHub one before running octocatalog-diff.
Depends on D3847
14:52 $ bin/octocatalog-diff --octocatalog-diff-args --no-truncate-details -t staging kelvingrove.internal.softwareheritage.org
Found host kelvingrove.internal.softwareheritage.org
WARN -> Environment "add-keycloak-realm-and-client" contained non-word characters, correcting name to add_keycloak_realm_and_client
WARN -> Environment "api-remove-rl-for-m" contained non-word characters, correcting name to api_remove_rl_for_m
WARN -> Environment "change-swh-web-static-dir" contained non-word characters, correcting name to change_swh_web_static_dir
WARN -> Environment "icinga-rv-log" contained non-word characters, correcting name to icinga_rv_log
WARN -> Environment "keycloak-add-swh-theme" contained non-word characters, correcting name to keycloak_add_swh_theme
WARN -> Environment "openaire-ips" contained non-word characters, correcting name to openaire_ips
WARN -> Environment "swh-web-conf-update" contained non-word characters, correcting name to swh_web_conf_update
WARN -> Environment "swh-web-remove-recaptcha" contained non-word characters, correcting name to swh_web_remove_recaptcha
WARN -> Environment "update-webapp-conf" contained non-word characters, correcting name to update_webapp_conf
WARN -> Environment "webapp-exempt-dinsic" contained non-word characters, correcting name to webapp_exempt_dinsic
WARN -> Environment "webapp-set-search-empty-dict" contained non-word characters, correcting name to webapp_set_search_empty_dict
Clonage dans '/tmp/swh-ocd.qhCcPKj1/environments/production/data/private'...
fait.
Clonage dans '/tmp/swh-ocd.qhCcPKj1/environments/staging/data/private'...
fait.
*** Running octocatalog-diff on host kelvingrove.internal.softwareheritage.org
I, [2020-08-26T14:52:42.391305 #10904]  INFO -- : Catalogs compiled for kelvingrove.internal.softwareheritage.org
I, [2020-08-26T14:52:43.500340 #10904]  INFO -- : Diffs computed for kelvingrove.internal.softwareheritage.org
diff origin/production/kelvingrove.internal.softwareheritage.org current/kelvingrove.internal.softwareheritage.org
*******************************************
+ Concat::Fragment[config.cli-keycloak] =>
   parameters =>
     "order": "00"
     "target": "/opt/keycloak-8.0.1/config.cli"
     "content": >>>
embed-server
if (result.proxy-address-forwarding != true) of /subsystem=undertow/server=default-server/http-listener=default:read-resource
  /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
end-if
if (result.proxy-address-forwarding != true) of /subsystem=undertow/server=default-server/https-listener=https:read-resource
  /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=proxy-address-forwarding,value=true)
end-if
if (outcome != success) of /socket-binding-group=standard-sockets/socket-binding=proxy-https:read-resource
  /socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
end-if
if (result.redirect-socket != proxy-https) of /subsystem=undertow/server=default-server/http-listener=default:read-resource
  /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
end-if
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=driver-name, value=postgresql)
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=connection-url, value="jdbc:postgresql://db.internal.softwareheritage.org:5432/keycloak")
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=jndi-name, value=java:jboss/datasources/KeycloakDS)
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=user-name, value=keycloak)
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=password, value=keycloak::postgres::password)
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation, value=true)
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=check-valid-connection-sql, value="SELECT 1")
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation-millis, value=60000)
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=flush-strategy, value=IdleConnections)
try
  /subsystem=datasources/jdbc-driver=postgresql:add(driver-module-name=org.postgresql,driver-name=postgresql,driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource)
catch
  /subsystem=datasources/jdbc-driver=postgresql:remove
  /subsystem=datasources/jdbc-driver=postgresql:add(driver-module-name=org.postgresql,driver-name=postgresql,driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource)
end-try
if (outcome == success) of /subsystem=keycloak-server/spi=truststore:read-resource
  /subsystem=keycloak-server/spi=truststore/:remove
end-if
/subsystem=keycloak-server/theme=defaults/:write-attribute(name=staticMaxAge, value=2592000)
/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheThemes, value=true)
/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheTemplates, value=true)
/subsystem=deployment-scanner/scanner=default:write-attribute(name="auto-deploy-exploded",value=false)
/subsystem=deployment-scanner/scanner=default:write-attribute(name="auto-deploy-zipped",value=true)
try
  /subsystem=keycloak-server/spi=userCache/provider=default/:add(enabled=true)
catch
  /subsystem=keycloak-server/spi=userCache/provider=default/:remove
  /subsystem=keycloak-server/spi=userCache/provider=default/:add(enabled=true)
end-try
<<<
*******************************************
+ Concat[/opt/keycloak-8.0.1/config.cli] =>
   parameters =>
     "backup": "puppet"
     "ensure": "present"
     "ensure_newline": false
     "force": false
     "format": "plain"
     "group": "keycloak"
     "mode": "0600"
     "notify": "Exec[jboss-cli.sh --file=config.cli]"
     "order": "alpha"
     "owner": "keycloak"
     "path": "/opt/keycloak-8.0.1/config.cli"
     "replace": true
     "show_diff": false
     "warn": false
*******************************************
+ Concat_file[/opt/keycloak-8.0.1/config.cli] =>
   parameters =>
     "backup": "puppet"
     "ensure_newline": false
     "force": false
     "format": "plain"
     "group": "keycloak"
     "mode": "0600"
     "order": "alpha"
     "owner": "keycloak"
     "replace": true
     "show_diff": false
     "tag": "_opt_keycloak-8.0.1_config.cli"
*******************************************
+ Concat_fragment[config.cli-keycloak] =>
   parameters =>
     "order": "00"
     "tag": "_opt_keycloak-8.0.1_config.cli"
     "target": "/opt/keycloak-8.0.1/config.cli"
     "content": >>>
embed-server
if (result.proxy-address-forwarding != true) of /subsystem=undertow/server=default-server/http-listener=default:read-resource
  /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
end-if
if (result.proxy-address-forwarding != true) of /subsystem=undertow/server=default-server/https-listener=https:read-resource
  /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=proxy-address-forwarding,value=true)
end-if
if (outcome != success) of /socket-binding-group=standard-sockets/socket-binding=proxy-https:read-resource
  /socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
end-if
if (result.redirect-socket != proxy-https) of /subsystem=undertow/server=default-server/http-listener=default:read-resource
  /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
end-if
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=driver-name, value=postgresql)
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=connection-url, value="jdbc:postgresql://db.internal.softwareheritage.org:5432/keycloak")
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=jndi-name, value=java:jboss/datasources/KeycloakDS)
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=user-name, value=keycloak)
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=password, value=keycloak::postgres::password)
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation, value=true)
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=check-valid-connection-sql, value="SELECT 1")
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=background-validation-millis, value=60000)
/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=flush-strategy, value=IdleConnections)
try
  /subsystem=datasources/jdbc-driver=postgresql:add(driver-module-name=org.postgresql,driver-name=postgresql,driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource)
catch
  /subsystem=datasources/jdbc-driver=postgresql:remove
  /subsystem=datasources/jdbc-driver=postgresql:add(driver-module-name=org.postgresql,driver-name=postgresql,driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource)
end-try
if (outcome == success) of /subsystem=keycloak-server/spi=truststore:read-resource
  /subsystem=keycloak-server/spi=truststore/:remove
end-if
/subsystem=keycloak-server/theme=defaults/:write-attribute(name=staticMaxAge, value=2592000)
/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheThemes, value=true)
/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheTemplates, value=true)
/subsystem=deployment-scanner/scanner=default:write-attribute(name="auto-deploy-exploded",value=false)
/subsystem=deployment-scanner/scanner=default:write-attribute(name="auto-deploy-zipped",value=true)
try
  /subsystem=keycloak-server/spi=userCache/provider=default/:add(enabled=true)
catch
  /subsystem=keycloak-server/spi=userCache/provider=default/:remove
  /subsystem=keycloak-server/spi=userCache/provider=default/:add(enabled=true)
end-try
<<<
*******************************************
  Exec[create-keycloak-admin] =>
   parameters =>
     user =>
      + keycloak
*******************************************
- File[/opt/keycloak-8.0.1/config.cli]
*******************************************
  Group[keycloak] =>
   parameters =>
     system =>
      + true
*******************************************
  Keycloak_client[swh-web on SoftwareHeritageStaging] =>
   parameters =>
     login_theme =>
      + swh
*******************************************
  Keycloak_client[swh-web on SoftwareHeritage] =>
   parameters =>
     login_theme =>
      + swh
*******************************************
  Keycloak_realm[SoftwareHeritageStaging] =>
   parameters =>
     smtp_server_from =>
      + noreply@softwareheritage.org
     smtp_server_from_display_name =>
      + Software Heritage Authentication Service
     smtp_server_host =>
      + localhost
*******************************************
  Keycloak_realm[SoftwareHeritage] =>
   parameters =>
     smtp_server_from =>
      + noreply@softwareheritage.org
     smtp_server_from_display_name =>
      + Software Heritage Authentication Service
     smtp_server_host =>
      + localhost
*******************************************
  Keycloak_realm[master] =>
   parameters =>
     smtp_server_from =>
      + noreply@softwareheritage.org
     smtp_server_from_display_name =>
      + Software Heritage Authentication Service
     smtp_server_host =>
      + localhost
*******************************************
  User[keycloak] =>
   parameters =>
     system =>
      + true
*******************************************
*** End octocatalog-diff on kelvingrove.internal.softwareheritage.org