Page Menu
Home
Software Heritage
Search
Configure Global Search
Log In
Files
F9123716
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
21 KB
Subscribers
None
View Options
diff --git a/manifests/init.pp b/manifests/init.pp
index 20c9923..8dbef44 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,422 +1,425 @@
# @summary Manage Keycloak
#
# @example
# include ::keycloak
#
# @param manage_install
# Install Keycloak from upstream Keycloak tarball.
# Set to false to manage installation of Keycloak outside
# this module and set $install_dir to match.
# Defaults to true.
# @param version
# Version of Keycloak to install and manage.
# @param package_url
# URL of the Keycloak download.
# Default is based on version.
# @param install_dir
# The directory of where to install Keycloak.
# Default is `/opt/keycloak-${version}`.
# @param service_name
# Keycloak service name.
# Default is `keycloak`.
# @param service_ensure
# Keycloak service ensure property.
# Default is `running`.
# @param service_enable
# Keycloak service enable property.
# Default is `true`.
# @param service_hasstatus
# Keycloak service hasstatus parameter.
# Default is `true`.
# @param service_hasrestart
# Keycloak service hasrestart parameter.
# Default is `true`.
# @param service_bind_address
# Bind address for Keycloak service.
# Default is '0.0.0.0'.
# @param java_opts
# Sets additional options to Java virtual machine environment variable.
# @param java_opts_append
# Determine if $JAVA_OPTS should be appended to when setting `java_opts` parameter
# @param service_extra_opts
# Additional options added to the end of the service command-line.
# @param manage_user
# Defines if the module should manage the Linux user for Keycloak installation
# @param user
# Keycloak user name.
# Default is `keycloak`.
# @param user_shell
# Keycloak user shell.
# @param group
# Keycloak user group name.
# Default is `keycloak`.
# @param user_uid
# Keycloak user UID.
# Default is `undef`.
# @param group_gid
# Keycloak user group GID.
# Default is `undef`.
# @param system_user
# If keycloak user should be a system user with lower uid and gid.
# Default is `true`
# @param admin_user
# Keycloak administrative username.
# Default is `admin`.
# @param admin_user_password
# Keycloak administrative user password.
# Default is `changeme`.
# @param manage_datasource
# Boolean that determines if configured datasource will be managed.
# Default is `true`.
# @param datasource_driver
# Datasource driver to use for Keycloak.
# Valid values are `h2`, `mysql`, 'oracle' and 'postgresql'
# Default is `h2`.
# @param datasource_host
# Datasource host.
# Only used when datasource_driver is `mysql`, 'oracle' or 'postgresql'
# Default is `localhost` for MySQL.
# @param datasource_port
# Datasource port.
# Only used when datasource_driver is `mysql`, 'oracle' or 'postgresql'
# Default is `3306` for MySQL.
# @param datasource_url
# Datasource url.
# Default datasource URLs are defined in init class.
# @param datasource_dbname
# Datasource database name.
# Default is `keycloak`.
# @param datasource_username
# Datasource user name.
# Default is `sa`.
# @param datasource_password
# Datasource user password.
# Default is `sa`.
# @param datasource_package
# Package to add specified datasource support
# @param datasource_jar_source
# Source for datasource JDBC driver - could be puppet link or local file on the node.
# Default is dependent on value for `datasource_driver`.
# This parameter is required if `datasource_driver` is `oracle`.
# @param datasource_jar_filename
# Specify the filename of the destination datasource jar in the module dir of keycloak.
# This parameter is only working at the moment if `datasource_driver` is `oracle`.
# @param datasource_module_source
# Source for datasource module.xml. Default depends on `datasource_driver`.
# @param datasource_xa_class
# MySQL Connector/J JDBC driver xa-datasource class name
# @param proxy_https
# Boolean that sets if HTTPS proxy should be enabled.
# Set to `true` if proxying traffic through Apache.
# Default is `false`.
# @param truststore
# Boolean that sets if truststore should be used.
# Default is `false`.
# @param truststore_hosts
# Hash that is used to define `keycloak::turststore::host` resources.
# Default is `{}`.
# @param truststore_password
# Truststore password.
# Default is `keycloak`.
# @param truststore_hostname_verification_policy
# Valid values are `WILDCARD`, `STRICT`, and `ANY`.
# Default is `WILDCARD`.
# @param http_port
# HTTP port used by Keycloak.
# Default is `8080`.
# @param theme_static_max_age
# Max cache age in seconds of static content.
# Default is `2592000`.
# @param theme_cache_themes
# Boolean that sets if themes should be cached.
# Default is `true`.
# @param theme_cache_templates
# Boolean that sets if templates should be cached.
# Default is `true`.
# @param realms
# Hash that is used to define keycloak_realm resources.
# Default is `{}`.
# @param realms_merge
# Boolean that sets if `realms` should be merged from Hiera.
# @param oidc_client_scopes
# Hash that is used to define keycloak::client_scope::oidc resources.
# Default is `{}`.
# @param oidc_client_scopes_merge
# Boolean that sets if `oidc_client_scopes` should be merged from Hiera.
# @param saml_client_scopes
# Hash that is used to define keycloak::client_scope::saml resources.
# Default is `{}`.
# @param saml_client_scopes_merge
# Boolean that sets if `saml_client_scopes` should be merged from Hiera.
# @param identity_providers
# Hash that is used to define keycloak_identity_provider resources.
# @param identity_providers_merge
# Boolean that sets if `identity_providers` should be merged from Hiera.
+# @param client_protocol_mappers
+# Hash that is used to define keycloak_client_protocol_mapper resources.
# @param client_scopes
# Hash that is used to define keycloak_client_scope resources.
# @param client_scopes_merge
# Boolean that sets if `client_scopes` should be merged from Hiera.
# @param protocol_mappers
# Hash that is used to define keycloak_protocol_mapper resources.
# @param protocol_mappers_merge
# Boolean that sets if `protocol_mappers` should be merged from Hiera.
# @param clients
# Hash that is used to define keycloak_client resources.
# @param clients_merge
# Boolean that sets if `clients` should be merged from Hiera.
# @param flows
# Hash taht is used to define keycloak_flow resources.
# @param flows_merge
# Boolean that sets if `flows` should be merged from Hiera.
# @param flow_executions
# Hash taht is used to define keycloak_flow resources.
# @param flow_executions_merge
# Boolean that sets if `flows` should be merged from Hiera.
# @param required_actions
# Hash that is used to define keycloak_required_action resources.
# @param required_actions_merge
# Boolean that sets if `required_actions` should be merged from Hiera.
# @param ldap_mappers
# Hash that is used to define keycloak_ldap_mapper resources.
# @param ldap_mappers_merge
# Boolean that sets if `ldap_mappers` should be merged from Hiera.
# @param ldap_user_providers
# Hash that is used to define keycloak_ldap_user_provider resources.
# @param ldap_user_providers_merge
# Boolean that sets if `ldap_user_providers` should be merged from Hiera.
# @param with_sssd_support
# Boolean that determines if SSSD user provider support should be available
# @param libunix_dbus_java_source
# Source URL of libunix-dbus-java
# @param install_libunix_dbus_java_build_dependencies
# Boolean that determines of libunix-dbus-java build dependencies are managed by this module
# @param libunix_dbus_java_build_dependencies
# Packages needed to build libunix-dbus-java
# @param libunix_dbus_java_libdir
# Path to directory to install libunix-dbus-java libraries
# @param jna_package_name
# Package name for jna
# @param manage_sssd_config
# Boolean that determines if SSSD ifp config for Keycloak is managed
# @param sssd_ifp_user_attributes
# user_attributes to define for SSSD ifp service
# @param restart_sssd
# Boolean that determines if SSSD should be restarted
# @param service_environment_file
# Path to the file with environment variables for the systemd service
# @param operating_mode
# Keycloak operating mode deployment
# @param enable_jdbc_ping
# Use JDBC_PING to discover the nodes and manage the replication of data
# More info: http://jgroups.org/manual/#_jdbc_ping
# Only applies when `operating_mode` is `clustered`
# JDBC_PING uses port 7600 to ensure cluster members are discoverable by each other
# This module does not manage firewall changes
# @param jboss_bind_public_address
# JBoss bind public IP address
# @param jboss_bind_private_address
# JBoss bind private IP address
# @param user_cache
# Boolean that determines if userCache is enabled
# @param tech_preview_features
# List of technology Preview features to enable
# @param auto_deploy_exploded
# Set if exploded deployements will be auto deployed
# @param auto_deploy_zipped
# Set if zipped deployments will be auto deployed
# @param spi_deployments
# Hash used to define keycloak::spi_deployment resources
# @param custom_config_content
# Custom configuration content to be added to config.cli
# @param custom_config_source
# Custom configuration source file to be added to config.cli
#
class keycloak (
Boolean $manage_install = true,
String $version = '8.0.1',
Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]]
$package_url = undef,
Optional[Stdlib::Absolutepath] $install_dir = undef,
String $service_name = 'keycloak',
String $service_ensure = 'running',
Boolean $service_enable = true,
Boolean $service_hasstatus = true,
Boolean $service_hasrestart = true,
Stdlib::IP::Address $service_bind_address = '0.0.0.0',
Optional[Variant[String, Array]] $java_opts = undef,
Boolean $java_opts_append = true,
Optional[String] $service_extra_opts = undef,
Boolean $manage_user = true,
String $user = 'keycloak',
Stdlib::Absolutepath $user_shell = '/sbin/nologin',
String $group = 'keycloak',
Boolean $system_user = true,
Optional[Integer] $user_uid = undef,
Optional[Integer] $group_gid = undef,
String $admin_user = 'admin',
String $admin_user_password = 'changeme',
Boolean $manage_datasource = true,
Enum['h2', 'mysql', 'oracle', 'postgresql'] $datasource_driver = 'h2',
Optional[String] $datasource_host = undef,
Optional[Integer] $datasource_port = undef,
Optional[String] $datasource_url = undef,
Optional[String] $datasource_xa_class = undef,
String $datasource_dbname = 'keycloak',
String $datasource_username = 'sa',
String $datasource_password = 'sa',
Optional[String] $datasource_package = undef,
Optional[String] $datasource_jar_source = undef,
Optional[String] $datasource_jar_filename = undef,
Optional[String] $datasource_module_source = undef,
Boolean $proxy_https = false,
Boolean $truststore = false,
Hash $truststore_hosts = {},
String $truststore_password = 'keycloak',
Enum['WILDCARD', 'STRICT', 'ANY'] $truststore_hostname_verification_policy = 'WILDCARD',
Integer $http_port = 8080,
Integer $theme_static_max_age = 2592000,
Boolean $theme_cache_themes = true,
Boolean $theme_cache_templates = true,
Hash $realms = {},
Boolean $realms_merge = false,
Hash $oidc_client_scopes = {},
Boolean $oidc_client_scopes_merge = false,
Hash $saml_client_scopes = {},
Boolean $saml_client_scopes_merge = false,
+ Hash $client_protocol_mappers = {},
Hash $client_scopes = {},
Boolean $client_scopes_merge = false,
Hash $protocol_mappers = {},
Boolean $protocol_mappers_merge = false,
Hash $identity_providers = {},
Boolean $identity_providers_merge = false,
Hash $clients = {},
Boolean $clients_merge = false,
Hash $flows = {},
Boolean $flows_merge = false,
Hash $flow_executions = {},
Hash $required_actions = {},
Boolean $required_actions_merge = false,
Hash $ldap_mappers = {},
Boolean $ldap_mappers_merge = false,
Hash $ldap_user_providers = {},
Boolean $ldap_user_providers_merge = false,
Boolean $flow_executions_merge = false,
Boolean $with_sssd_support = false,
Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]
$libunix_dbus_java_source = 'https://github.com/keycloak/libunix-dbus-java/archive/libunix-dbus-java-0.8.0.tar.gz',
Boolean $install_libunix_dbus_java_build_dependencies = true,
Array $libunix_dbus_java_build_dependencies = [],
Stdlib::Absolutepath $libunix_dbus_java_libdir = '/usr/lib64',
String $jna_package_name = 'jna',
Boolean $manage_sssd_config = true,
Array $sssd_ifp_user_attributes = [],
Boolean $restart_sssd = true,
Optional[Stdlib::Absolutepath] $service_environment_file = undef,
Enum['standalone', 'clustered'] $operating_mode = 'standalone',
Boolean $enable_jdbc_ping = false,
Stdlib::IP::Address $jboss_bind_public_address = $facts['networking']['ip'],
Stdlib::IP::Address $jboss_bind_private_address = $facts['networking']['ip'],
Boolean $user_cache = true,
Array $tech_preview_features = [],
Boolean $auto_deploy_exploded = false,
Boolean $auto_deploy_zipped = true,
Hash $spi_deployments = {},
Optional[String] $custom_config_content = undef,
Optional[Variant[String, Array]] $custom_config_source = undef,
) {
if ! ($facts['os']['family'] in ['RedHat','Debian']) {
fail("Unsupported osfamily: ${facts['os']['family']}, module ${module_name} only support osfamilies Debian and Redhat")
}
if versioncmp($version, '12.0.0') >= 0 {
$download_url = pick($package_url, "https://github.com/keycloak/keycloak/releases/download/${version}/keycloak-${version}.tar.gz")
} else {
$download_url = pick($package_url, "https://downloads.jboss.org/keycloak/${version}/keycloak-${version}.tar.gz")
}
case $datasource_driver {
'h2': {
$datasource_connection_url = pick($datasource_url, "jdbc:h2:\${jboss.server.data.dir}/${datasource_dbname};AUTO_SERVER=TRUE")
}
'mysql': {
$db_host = pick($datasource_host, 'localhost')
$db_port = pick($datasource_port, 3306)
$datasource_connection_url = pick($datasource_url, "jdbc:mysql://${db_host}:${db_port}/${datasource_dbname}")
}
'oracle': {
$db_host = pick($datasource_host, 'localhost')
$db_port = pick($datasource_port, 1521)
$datasource_connection_url = pick($datasource_url, "jdbc:oracle:thin:@${db_host}:${db_port}:${datasource_dbname}")
}
'postgresql': {
$db_host = pick($datasource_host, 'localhost')
$db_port = pick($datasource_port, 5432)
$datasource_connection_url = pick($datasource_url, "jdbc:postgresql://${db_host}:${db_port}/${datasource_dbname}")
}
default: {}
}
if ($datasource_driver == 'oracle') and ($datasource_jar_source == undef) {
fail('Using Oracle RDBMS requires definition datasource_jar_source for Oracle JDBC driver. Refer to module documentation')
}
case $facts['os']['family'] {
'RedHat': {
if versioncmp($facts['os']['release']['major'], '8') >= 0 {
$mysql_datasource_class = pick($datasource_xa_class, 'org.mariadb.jdbc.MariaDbDataSource')
$mysql_jar_source = '/usr/lib/java/mariadb-java-client.jar'
$postgresql_jar_source = '/usr/share/java/postgresql-jdbc/postgresql.jar'
} else {
$mysql_datasource_class = pick($datasource_xa_class, 'com.mysql.jdbc.jdbc2.optional.MysqlXADataSource')
$mysql_jar_source = '/usr/share/java/mysql-connector-java.jar'
$postgresql_jar_source = '/usr/share/java/postgresql-jdbc.jar'
}
}
'Debian': {
if $facts['os']['name'] == 'Debian' and versioncmp($facts['os']['release']['major'], '10') >= 0 {
$mysql_datasource_class = pick($datasource_xa_class, 'org.mariadb.jdbc.MariaDbDataSource')
$mysql_jar_source = '/usr/share/java/mariadb-java-client.jar'
} else {
$mysql_datasource_class = pick($datasource_xa_class, 'com.mysql.jdbc.jdbc2.optional.MysqlXADataSource')
$mysql_jar_source = '/usr/share/java/mysql-connector-java.jar'
}
$postgresql_jar_source = '/usr/share/java/postgresql.jar'
}
default: {
# do nothing
}
}
$install_base = pick($install_dir, "/opt/keycloak-${keycloak::version}")
include ::java
contain 'keycloak::install'
contain "keycloak::datasource::${datasource_driver}"
contain 'keycloak::config'
contain 'keycloak::service'
Class['::java']
-> Class['keycloak::install']
-> Class["keycloak::datasource::${datasource_driver}"]
-> Class['keycloak::config']
-> Class['keycloak::service']
Class["keycloak::datasource::${datasource_driver}"]~>Class['keycloak::service']
if $with_sssd_support {
contain 'keycloak::sssd'
Class['keycloak::sssd'] ~> Class['keycloak::service']
}
keycloak_conn_validator { 'keycloak':
keycloak_server => 'localhost',
keycloak_port => $http_port,
use_ssl => false,
timeout => 60,
test_url => '/auth/realms/master/.well-known/openid-configuration',
require => Class['keycloak::service'],
}
include keycloak::resources
}
diff --git a/manifests/resources.pp b/manifests/resources.pp
index a7c355c..71f8a59 100644
--- a/manifests/resources.pp
+++ b/manifests/resources.pp
@@ -1,106 +1,109 @@
# @summary Define Keycloak resources
# @api private
class keycloak::resources {
assert_private()
if $keycloak::realms_merge {
$realms = lookup('keycloak::realms', Hash, 'deep', {})
} else {
$realms = $keycloak::realms
}
if $keycloak::oidc_client_scopes_merge {
$oidc_client_scopes = lookup('keycloak::oidc_client_scopes', Hash, 'deep', {})
} else {
$oidc_client_scopes = $keycloak::oidc_client_scopes
}
if $keycloak::saml_client_scopes_merge {
$saml_client_scopes = lookup('keycloak::saml_client_scopes', Hash, 'deep', {})
} else {
$saml_client_scopes = $keycloak::saml_client_scopes
}
if $keycloak::client_scopes_merge {
$client_scopes = lookup('keycloak::client_scopes', Hash, 'deep', {})
} else {
$client_scopes = $keycloak::client_scopes
}
if $keycloak::protocol_mappers_merge {
$protocol_mappers = lookup('keycloak::protocol_mappers', Hash, 'deep', {})
} else {
$protocol_mappers = $keycloak::protocol_mappers
}
if $keycloak::identity_providers_merge {
$identity_providers = lookup('keycloak::identity_providers', Hash, 'deep', {})
} else {
$identity_providers = $keycloak::identity_providers
}
if $keycloak::clients_merge {
$clients = lookup('keycloak::clients', Hash, 'deep', {})
} else {
$clients = $keycloak::clients
}
if $keycloak::flows_merge {
$flows = lookup('keycloak::flows', Hash, 'deep', {})
} else {
$flows = $keycloak::flows
}
if $keycloak::flow_executions_merge {
$flow_executions = lookup('keycloak::flow_executions', Hash, 'deep', {})
} else {
$flow_executions = $keycloak::flow_executions
}
if $keycloak::required_actions_merge {
$required_actions = lookup('keycloak::required_actions', Hash, 'deep', {})
} else {
$required_actions = $keycloak::required_actions
}
if $keycloak::ldap_mappers_merge {
$ldap_mappers = lookup('keycloak::ldap_mappers', Hash, 'deep', {})
} else {
$ldap_mappers = $keycloak::ldap_mappers
}
if $keycloak::ldap_user_providers_merge {
$ldap_user_providers = lookup('keycloak::ldap_user_providers', Hash, 'deep', {})
} else {
$ldap_user_providers = $keycloak::ldap_user_providers
}
$realms.each |$name, $realm| {
keycloak_realm { $name: * => $realm }
}
$oidc_client_scopes.each |$name, $scope| {
keycloak::client_scope::oidc { $name: * => $scope }
}
$saml_client_scopes.each |$name, $scope| {
keycloak::client_scope::saml { $name: * => $scope }
}
+ $keycloak::client_protocol_mappers.each |$name, $client_protocol_mapper| {
+ keycloak_client_protocol_mapper { $name: * => $client_protocol_mapper }
+ }
$client_scopes.each |$name, $client_scope| {
keycloak_client_scope { $name: * => $client_scope }
}
$protocol_mappers.each |$name, $protocol_mapper| {
keycloak_protocol_mapper { $name: * => $protocol_mapper }
}
$identity_providers.each |$name, $data| {
keycloak_identity_provider { $name: * => $data }
}
$clients.each |$name, $data| {
keycloak_client { $name: * => $data }
}
$flows.each |$name, $data| {
keycloak_flow { $name: * => $data }
}
$flow_executions.each |$name, $data| {
keycloak_flow_execution { $name: * => $data }
}
$required_actions.each |$name, $data| {
keycloak_required_action { $name: * => $data }
}
$ldap_mappers.each |$name, $data| {
keycloak_ldap_mapper { $name: * => $data }
}
$ldap_user_providers.each |$name, $data| {
keycloak_ldap_user_provider { $name: * => $data }
}
$keycloak::spi_deployments.each |$name, $deployment| {
keycloak::spi_deployment { $name: * => $deployment }
}
}
File Metadata
Details
Attached
Mime Type
text/x-diff
Expires
Sat, Jun 21, 5:59 PM (1 w, 6 d ago)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
3332586
Attached To
R212 puppet-treydock-keycloak
Event Timeline
Log In to Comment