diff --git a/roles/web-app-keycloak/tasks/02_update_client_redirects.yml b/roles/web-app-keycloak/tasks/02_update_client_redirects.yml index 1ef3c32d..822a7a67 100644 --- a/roles/web-app-keycloak/tasks/02_update_client_redirects.yml +++ b/roles/web-app-keycloak/tasks/02_update_client_redirects.yml @@ -3,13 +3,13 @@ # ── REQUIRED VARS (must be provided by caller) ─────────────────────────────── # - WEB_PROTOCOL e.g. "https" -# - keycloak_realm target realm name -# - keycloak_server_host_url e.g. "http://127.0.0.1:8080" -# - keycloak_server_internal_url e.g. "http://127.0.0.1:8080" -# - keycloak_kcadm_path e.g. "docker exec -i keycloak /opt/keycloak/bin/kcadm.sh" -# - keycloak_master_api_user_name -# - keycloak_master_api_user_password -# - keycloak_client_id clientId to update (e.g. same as realm or an app client) +# - KEYCLOAK_REALM target realm name +# - KEYCLOAK_SERVER_HOST_URL e.g. "http://127.0.0.1:8080" +# - KEYCLOAK_SERVER_INTERNAL_URL e.g. "http://127.0.0.1:8080" +# - KEYCLOAK_KCADM_PATH e.g. "docker exec -i keycloak /opt/keycloak/bin/kcadm.sh" +# - KEYCLOAK_MASTER_API_USER_NAME +# - KEYCLOAK_MASTER_API_USER_PASSWORD +# - KEYCLOAK_CLIENT_ID clientId to update (e.g. same as realm or an app client) # - domains your domain map # - applications your applications map 
@@ -17,14 +17,14 @@ assert: that: - WEB_PROTOCOL is defined - - keycloak_realm is defined - - keycloak_server_host_url is defined - - keycloak_server_internal_url is defined - - keycloak_kcadm_path is defined - - keycloak_master_api_user_name is defined - - keycloak_master_api_user_password is defined - - keycloak_client_id is defined - - keycloak_redirect_features is defined + - KEYCLOAK_REALM is defined + - KEYCLOAK_SERVER_HOST_URL is defined + - KEYCLOAK_SERVER_INTERNAL_URL is defined + - KEYCLOAK_KCADM_PATH is defined + - KEYCLOAK_MASTER_API_USER_NAME is defined + - KEYCLOAK_MASTER_API_USER_PASSWORD is defined + - KEYCLOAK_CLIENT_ID is defined + - KEYCLOAK_REDIRECT_FEATURES is defined - domains is defined - applications is defined fail_msg: "Missing required variable(s). Provide all vars listed at the top of 02_update_client_redirects.yml." @@ -32,18 +32,18 @@ - name: "kcadm login" no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}" shell: > - {{ keycloak_kcadm_path }} config credentials - --server {{ keycloak_server_internal_url }} + {{ KEYCLOAK_KCADM_PATH }} config credentials + --server {{ KEYCLOAK_SERVER_INTERNAL_URL }} --realm master - --user {{ keycloak_master_api_user_name }} - --password {{ keycloak_master_api_user_password }} + --user {{ KEYCLOAK_MASTER_API_USER_NAME }} + --password {{ KEYCLOAK_MASTER_API_USER_PASSWORD }} changed_when: false # 1) Build desired sets (NO defaults) - name: "Build desired redirect URIs from config via filter" set_fact: kc_redirect_uris: >- - {{ domains | redirect_uris(applications, WEB_PROTOCOL, '/*', keycloak_redirect_features, True) }} + {{ domains | redirect_uris(applications, WEB_PROTOCOL, '/*', KEYCLOAK_REDIRECT_FEATURES, True) }} - name: Build desired web origins (scheme://host[:port]) set_fact: 
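Review bot: The `that:` list still does not check `KEYCLOAK_FRONTCHANNEL_LOGOUT_URL`, although the update task in the @@ -114 hunk now reads it directly as a caller-provided variable (it replaces the `kc_desired_frontchannel_logout_url` name), so a caller that omits it would presumably hit an undefined-variable error at the update step instead of the `Missing required variable(s)` message this assert is meant to produce. Add `- KEYCLOAK_FRONTCHANNEL_LOGOUT_URL is defined` next to `- KEYCLOAK_REDIRECT_FEATURES is defined`. The REQUIRED VARS header in the previous hunk lists neither of these two variables either, while the `fail_msg` points callers to that list; a `# - KEYCLOAK_REDIRECT_FEATURES` and `# - KEYCLOAK_FRONTCHANNEL_LOGOUT_URL` line there would keep the comment and the assert in step.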
@@ -55,11 +55,11 @@ | list | unique }} # 2) Resolve client id (strictly by provided clientId, no fallback) -- name: "Resolve client internal id for {{ keycloak_client_id }}" +- name: "Resolve client internal id for {{ KEYCLOAK_CLIENT_ID }}" shell: > - {{ keycloak_kcadm_path }} get clients - -r {{ keycloak_realm }} - --query 'clientId={{ keycloak_client_id }}' + {{ KEYCLOAK_KCADM_PATH }} get clients + -r {{ KEYCLOAK_REALM }} + --query 'clientId={{ KEYCLOAK_CLIENT_ID }}' --fields id --format json | jq -r '.[0].id' register: kc_client changed_when: false @@ -67,13 +67,13 @@ - name: "Fail if client not found" assert: that: kc_client.stdout is match('^[0-9a-f-]+$') - fail_msg: "Client '{{ keycloak_client_id }}' not found in realm '{{ keycloak_realm }}'." + fail_msg: "Client '{{ KEYCLOAK_CLIENT_ID }}' not found in realm '{{ KEYCLOAK_REALM }}'." # 3) Read current config (assume keys exist; we don't use defaults) - name: "Read current client configuration" shell: > - {{ keycloak_kcadm_path }} get clients/{{ kc_client.stdout }} - -r {{ keycloak_realm }} --format json + {{ KEYCLOAK_KCADM_PATH }} get clients/{{ kc_client.stdout }} + -r {{ KEYCLOAK_REALM }} --format json register: kc_client_obj changed_when: false 
@@ -114,13 +114,13 @@ # 4) Update only when changed - name: "Update client with redirectUris, webOrigins, frontchannelLogout" shell: > - {{ keycloak_kcadm_path }} update clients/{{ kc_client.stdout }} - -r {{ keycloak_realm }} + {{ KEYCLOAK_KCADM_PATH }} update clients/{{ kc_client.stdout }} + -r {{ KEYCLOAK_REALM }} -s 'redirectUris={{ kc_redirect_uris | to_json }}' -s 'webOrigins={{ kc_web_origins | to_json }}' -s 'frontchannelLogout=true' - -s 'attributes."frontchannel.logout.url"={{ kc_desired_frontchannel_logout_url | to_json }}' + -s 'attributes."frontchannel.logout.url"={{ KEYCLOAK_FRONTCHANNEL_LOGOUT_URL | to_json }}' when: kc_current_redirect_uris != kc_desired_redirect_uris or kc_current_web_origins != kc_desired_web_origins - or kc_current_frontchannel_logout_url != kc_desired_frontchannel_logout_url + or kc_current_frontchannel_logout_url != KEYCLOAK_FRONTCHANNEL_LOGOUT_URL diff --git a/roles/web-app-keycloak/tasks/03_update-ldap-bind.yml b/roles/web-app-keycloak/tasks/03_update-ldap-bind.yml index 3bccb655..2594318e 100644 --- a/roles/web-app-keycloak/tasks/03_update-ldap-bind.yml +++ b/roles/web-app-keycloak/tasks/03_update-ldap-bind.yml @@ -12,12 +12,12 @@ - name: "Assert required vars exist (strict: use ldap.* only, no defaults)" assert: that: - - keycloak_realm is defined - - keycloak_container is defined - - keycloak_server_internal_url is defined - - keycloak_master_api_user_name is defined - - keycloak_master_api_user_password is defined - - keycloak_ldap_component_name is defined + - KEYCLOAK_REALM is defined + - KEYCLOAK_CONTAINER is defined + - KEYCLOAK_SERVER_INTERNAL_URL is defined + - KEYCLOAK_MASTER_API_USER_NAME is defined + - KEYCLOAK_MASTER_API_USER_PASSWORD is defined + - KEYCLOAK_LDAP_CMP_NAME is defined - ldap is defined - ldap.dn.administrator is defined - ldap.dn.administrator.data is defined 
@@ -35,7 +35,7 @@ - docker - exec - -i - - "{{ keycloak_container }}" + - "{{ KEYCLOAK_CONTAINER }}" - /opt/keycloak/bin/kcadm.sh - name: "kcadm login (master)" @@ -43,19 +43,19 @@ command: argv: "{{ kcadm_argv_base + ['config', 'credentials', - '--server', keycloak_server_internal_url, + '--server', KEYCLOAK_SERVER_INTERNAL_URL, '--realm', 'master', - '--user', keycloak_master_api_user_name, - '--password', keycloak_master_api_user_password] }}" + '--user', KEYCLOAK_MASTER_API_USER_NAME, + '--password', KEYCLOAK_MASTER_API_USER_PASSWORD] }}" changed_when: false # Resolve the LDAP component *by name* to avoid picking the wrong one. -- name: "Resolve LDAP component id by name '{{ keycloak_ldap_component_name }}'" +- name: "Resolve LDAP component id by name '{{ KEYCLOAK_LDAP_CMP_NAME }}'" command: argv: "{{ kcadm_argv_base + ['get', 'components', - '-r', keycloak_realm, - '--query', 'name=' ~ keycloak_ldap_component_name, + '-r', KEYCLOAK_REALM, + '--query', 'name=' ~ KEYCLOAK_LDAP_CMP_NAME, '--fields', 'id,name,providerId,config', '--format', 'json'] }}" register: kc_ldap_list @@ -68,7 +68,7 @@ that: - (parsed | length) == 1 fail_msg: >- - Expected exactly one LDAP component named '{{ keycloak_ldap_component_name }}', + Expected exactly one LDAP component named '{{ KEYCLOAK_LDAP_CMP_NAME }}', found {{ (kc_ldap_list.stdout | from_json) | length }}. - name: "Extract current LDAP component values" @@ -102,7 +102,7 @@ command: argv: "{{ kcadm_argv_base + ['update', 'components/' ~ kc_ldap_component_id, - '-r', keycloak_realm, + '-r', KEYCLOAK_REALM, '-s', 'config.bindDn=' ~ ([kc_desired_bind_dn] | to_json), '-s', 'config.bindCredential=' ~ ([kc_desired_bind_pw] | to_json), '-s', 'config.connectionUrl=' ~ ([kc_desired_connection_url] | to_json) 
@@ -112,7 +112,7 @@ - name: "LDAP provider updated" debug: - msg: "LDAP bindDn/bindCredential/connectionUrl updated on component {{ keycloak_ldap_component_name }}." + msg: "LDAP bindDn/bindCredential/connectionUrl updated on component {{ KEYCLOAK_LDAP_CMP_NAME }}." when: - kc_bind_update is defined - kc_bind_update.rc == 0 diff --git a/roles/web-app-keycloak/tasks/04_ssh_public_key.yml b/roles/web-app-keycloak/tasks/04_ssh_public_key.yml index 1f1b509a..b4232035 100644 --- a/roles/web-app-keycloak/tasks/04_ssh_public_key.yml +++ b/roles/web-app-keycloak/tasks/04_ssh_public_key.yml @@ -1,17 +1,17 @@ # Configure Credentials - name: Ensure Keycloak CLI credentials are configured shell: | - {{ keycloak_kcadm_path }} config credentials \ - --server {{ keycloak_server_internal_url }} \ + {{ KEYCLOAK_KCADM_PATH }} config credentials \ + --server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \ --realm master \ - --user {{ keycloak_master_api_user_name }} \ - --password {{ keycloak_master_api_user_password }} + --user {{ KEYCLOAK_MASTER_API_USER_NAME }} \ + --password {{ KEYCLOAK_MASTER_API_USER_PASSWORD }} # LDAP Source - name: Get ID of LDAP storage provider shell: | - {{ keycloak_kcadm_path }} get components \ - -r {{ keycloak_realm }} \ + {{ KEYCLOAK_KCADM_PATH }} get components \ + -r {{ KEYCLOAK_REALM }} \ --query 'providerId=ldap' \ --fields id,name \ --format json @@ -24,7 +24,7 @@ - name: Ensure {{ ldap.user.attributes.ssh_public_key }} LDAP Mapper exists shell: | docker exec -i keycloak_application bash -c ' - /opt/keycloak/bin/kcadm.sh get components -r {{ keycloak_realm }} \ + /opt/keycloak/bin/kcadm.sh get components -r {{ KEYCLOAK_REALM }} \ | grep -q "\"name\" : \"{{ ldap.user.attributes.ssh_public_key }}\"" \ || printf "%s\n" "{ \"name\": \"{{ ldap.user.attributes.ssh_public_key }}\", 
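Review bot: The `Ensure Keycloak CLI credentials are configured` task puts `KEYCLOAK_MASTER_API_USER_PASSWORD` on the kcadm command line but carries no `no_log`, so the master admin password lands in verbose and failed-task output (the `cmd` field of the shell result) and in any log aggregation of the play. The equivalent `kcadm login` task in 02_update_client_redirects.yml guards the same call with `no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"`; add that line under `- name: Ensure Keycloak CLI credentials are configured`. The same applies to `Re-authenticate to Keycloak after enabling user profile` in the @@ -47 hunk of this file, which repeats the login without it.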
@@ -39,7 +39,7 @@ \"always.read.value.from.ldap\": [\"false\"], \"multivalued\": [\"true\"] } - }" | /opt/keycloak/bin/kcadm.sh create components -r {{ keycloak_realm }} -f -' + }" | /opt/keycloak/bin/kcadm.sh create components -r {{ KEYCLOAK_REALM }} -f -' register: mapper_create changed_when: mapper_create.rc == 0 and mapper_create.stdout != "" @@ -47,16 +47,16 @@ - name: Enable user profile in realm shell: > - {{ keycloak_kcadm_path }} update realms/{{ keycloak_realm }} + {{ KEYCLOAK_KCADM_PATH }} update realms/{{ KEYCLOAK_REALM }} -s 'attributes.userProfileEnabled=true' - name: Re-authenticate to Keycloak after enabling user profile shell: | - {{ keycloak_kcadm_path }} config credentials \ - --server {{ keycloak_server_internal_url }} \ + {{ KEYCLOAK_KCADM_PATH }} config credentials \ + --server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \ --realm master \ - --user {{ keycloak_master_api_user_name }} \ - --password {{ keycloak_master_api_user_password }} + --user {{ KEYCLOAK_MASTER_API_USER_NAME }} \ + --password {{ KEYCLOAK_MASTER_API_USER_PASSWORD }} - name: Render user-profile JSON for SSH key template: @@ -67,5 +67,5 @@ - name: Apply SSH Public Key to user-profile via kcadm shell: | - docker exec -i {{ keycloak_container }} \ - /opt/keycloak/bin/kcadm.sh update realms/{{ keycloak_realm }} -f {{ keycloak_docker_import_directory }}user-profile.json + docker exec -i {{ KEYCLOAK_CONTAINER }} \ + /opt/keycloak/bin/kcadm.sh update realms/{{ KEYCLOAK_REALM }} -f {{ KEYCLOAK_DOCKER_IMPORT_DIR }}user-profile.json diff --git a/roles/web-app-keycloak/tasks/main.yml b/roles/web-app-keycloak/tasks/main.yml index 2d14da65..451cfe21 100644 --- a/roles/web-app-keycloak/tasks/main.yml +++ b/roles/web-app-keycloak/tasks/main.yml 
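Review bot: The mapper task whose body is completed in this hunk (it starts in the @@ -24 hunk) still hard-codes the container as `docker exec -i keycloak_application bash -c '`, while the rest of the file now goes through `KEYCLOAK_KCADM_PATH` or `KEYCLOAK_CONTAINER`, both of which derive the name from `docker.services.keycloak.name`. If that setting ever differs from `keycloak_application`, this one task fails while its neighbours succeed; change the line to `docker exec -i {{ KEYCLOAK_CONTAINER }} bash -c '`. For the same consistency reason the `Apply SSH Public Key to user-profile via kcadm` task in the @@ -67 hunk could use `{{ KEYCLOAK_KCADM_PATH }} update realms/{{ KEYCLOAK_REALM }} -f {{ KEYCLOAK_DOCKER_IMPORT_DIR }}user-profile.json` instead of spelling out the `docker exec` itself.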
@@ -10,10 +10,12 @@ - name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy + vars: + docker_compose_flush_handlers: true -- name: "Wait until Keycloak is reachable at {{ keycloak_server_host_url }}" +- name: "Wait until Keycloak is reachable at {{ KEYCLOAK_SERVER_HOST_URL }}" uri: - url: "{{ keycloak_server_host_url }}/realms/master" + url: "{{ KEYCLOAK_SERVER_HOST_URL }}/realms/master" method: GET status_code: 200 validate_certs: false @@ -26,7 +28,7 @@ include_tasks: 02_update_client_redirects.yml - name: "Update LDAP bind credentials from ldap.*" - when: keycloak_update_ldap_bind | bool + when: KEYCLOAK_UPDATE_LDAP_BIND | bool include_tasks: 03_update-ldap-bind.yml # Deactivated temporary. Import now via realm.yml diff --git a/roles/web-app-keycloak/templates/docker-compose.yml.j2 b/roles/web-app-keycloak/templates/docker-compose.yml.j2 index 3fc8647e..77498306 100644 --- a/roles/web-app-keycloak/templates/docker-compose.yml.j2 +++ b/roles/web-app-keycloak/templates/docker-compose.yml.j2 
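Review bot: The new `docker_compose_flush_handlers: true` under `vars:` of the `cmp-db-docker-proxy` include arrives without the reminder that accompanied the flag in vars/main.yml (`Remember to copy realm import before flush when set to true`, removed in the vars/main.yml hunk at the end of this diff), so the ordering constraint it encoded is now undocumented at the only place the flag is set. Keep the note with the flag: `docker_compose_flush_handlers: true  # realm import files must be in place before this flush`. Moving the flag from role vars to the include call also narrows it to this one include rather than the whole role, which looks intentional but is worth a word in the commit message.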
@@ -1,14 +1,14 @@ {% include 'roles/docker-compose/templates/base.yml.j2' %} application: - image: "{{ keycloak_image }}:{{ keycloak_version }}" - container_name: {{ keycloak_container }} - command: start{% if keycloak_import_realm %} --import-realm{% endif %}{% if keycloak_debug_enabled %} --verbose{% endif %} + image: "{{ KEYCLOAK_IMAGE }}:{{ KEYCLOAK_VERSION }}" + container_name: {{ KEYCLOAK_CONTAINER }} + command: start{% if KEYCLOAK_IMPORT_REALM_ENABLED %} --import-realm{% endif %}{% if KEYCLOAK_DEBUG_ENABLED %} --verbose{% endif %} {% include 'roles/docker-container/templates/base.yml.j2' %} ports: - - "{{ keycloak_server_host }}:8080" + - "{{ KEYCLOAK_SERVER_HOST }}:8080" volumes: - - "{{ keycloak_host_import_directory }}:{{keycloak_docker_import_directory}}" + - "{{ keycloak_host_import_directory }}:{{KEYCLOAK_DOCKER_IMPORT_DIR}}" {% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %} {% include 'roles/docker-container/templates/networks.yml.j2' %} {% set container_port = 9000 %} diff --git a/roles/web-app-keycloak/templates/import/realm.json.j2 b/roles/web-app-keycloak/templates/import/realm.json.j2 index dec51fd5..8dd7b161 100644 --- a/roles/web-app-keycloak/templates/import/realm.json.j2 +++ b/roles/web-app-keycloak/templates/import/realm.json.j2 @@ -1,6 +1,6 @@ { "id": "3b03105b-5fe6-4b53-ba24-c8796525be0e", - "realm": "{{ keycloak_realm }}", + "realm": "{{ KEYCLOAK_REALM }}", "displayName": "", "displayNameHtml": "", "notBefore": 0, @@ -60,7 +60,7 @@ }, { "id": "01d9dd2a-75b2-47a2-af36-b14251f1b956", - "name": "default-roles-{{ keycloak_realm }}", + "name": "default-roles-{{ KEYCLOAK_REALM }}", "description": "${role_default-roles}", "composite": true, "composites": { @@ -302,7 +302,7 @@ "attributes": {} } ], - "{{ keycloak_realm }}": [], + "{{ KEYCLOAK_REALM }}": [], "security-admin-console": [], "admin-cli": [], "account-console": [], 
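Review bot: The `volumes:` entry keeps `keycloak_host_import_directory` in the old lower-case form while every other variable in this template is renamed to upper case, and the new `{{KEYCLOAK_DOCKER_IMPORT_DIR}}` drops the spaces inside the braces that the surrounding lines use. If the host-side directory is defined elsewhere under its old name the first is deliberate, but it reads as a missed rename and should be confirmed; the spacing should at least match: `- "{{ keycloak_host_import_directory }}:{{ KEYCLOAK_DOCKER_IMPORT_DIR }}"`.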
@@ -410,7 +410,7 @@ "groups": [], "defaultRole": { "id": "01d9dd2a-75b2-47a2-af36-b14251f1b956", - "name": "default-roles-{{ keycloak_realm }}", + "name": "default-roles-{{ KEYCLOAK_REALM }}", "description": "${role_default-roles}", "composite": true, "clientRole": false, @@ -464,18 +464,18 @@ "users": [ { "id": "19ecedfd-acf2-49e8-9f66-91ab71d54fc3", - "username": "service-account-{{ keycloak_realm }}", + "username": "service-account-{{ KEYCLOAK_REALM }}", "emailVerified": false, "createdTimestamp": 1737925519602, "enabled": true, "totp": false, - "serviceAccountClientId": "{{ keycloak_realm }}", + "serviceAccountClientId": "{{ KEYCLOAK_REALM }}", "disableableCredentialTypes": [], "requiredActions": [ "CONFIGURE_TOTP" ], "realmRoles": [ - "default-roles-{{ keycloak_realm }}" + "default-roles-{{ KEYCLOAK_REALM }}" ], "notBefore": 0, "groups": [] @@ -508,13 +508,13 @@ "description": "", "rootUrl": "${authBaseUrl}", "adminUrl": "", - "baseUrl": "/realms/{{ keycloak_realm }}/account/", + "baseUrl": "/realms/{{ KEYCLOAK_REALM }}/account/", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "desktop-secret", "redirectUris": [ - "/realms/{{ keycloak_realm }}/account/*" + "/realms/{{ KEYCLOAK_REALM }}/account/*" ], "webOrigins": [ "{{ domains | get_url('web-app-keycloak', WEB_PROTOCOL) }}" @@ -530,7 +530,7 @@ "frontchannelLogout": true, "protocol": "openid-connect", "attributes": { - "frontchannel.logout.url": "{{ kc_desired_frontchannel_logout_url }}", + "frontchannel.logout.url": "{{ KEYCLOAK_FRONTCHANNEL_LOGOUT_URL }}", "realm_client": "false", "oidc.ciba.grant.enabled": "false", "backchannel.logout.session.required": "true", 
@@ -565,13 +565,13 @@ "description": "", "rootUrl": "${authBaseUrl}", "adminUrl": "", - "baseUrl": "/realms/{{ keycloak_realm }}/account/", + "baseUrl": "/realms/{{ KEYCLOAK_REALM }}/account/", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "desktop-secret", "redirectUris": [ - "/realms/{{ keycloak_realm }}/account/*" + "/realms/{{ KEYCLOAK_REALM }}/account/*" ], "webOrigins": [ "*" @@ -757,13 +757,13 @@ "clientId": "security-admin-console", "name": "${client_security-admin-console}", "rootUrl": "${authAdminUrl}", - "baseUrl": "/admin/{{ keycloak_realm }}/console/", + "baseUrl": "/admin/{{ KEYCLOAK_REALM }}/console/", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "desktop-secret", "redirectUris": [ - "/admin/{{ keycloak_realm }}/console/*" + "/admin/{{ KEYCLOAK_REALM }}/console/*" ], "webOrigins": [ "+" @@ -823,12 +823,12 @@ }, { "id": "7b5f97e3-7fa8-4d86-b1e9-80aac996da26", - "clientId": "{{ keycloak_realm }}", + "clientId": "{{ KEYCLOAK_REALM }}", "name": "", "description": "", - "rootUrl": "{{ WEB_PROTOCOL }}://{{ keycloak_realm }}/", - "adminUrl": "{{ WEB_PROTOCOL }}://{{ keycloak_realm }}/", - "baseUrl": "{{ WEB_PROTOCOL }}://{{ keycloak_realm }}/", + "rootUrl": "{{ WEB_PROTOCOL }}://{{ KEYCLOAK_REALM }}/", + "adminUrl": "{{ WEB_PROTOCOL }}://{{ KEYCLOAK_REALM }}/", + "baseUrl": "{{ WEB_PROTOCOL }}://{{ KEYCLOAK_REALM }}/", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, @@ -1823,7 +1823,7 @@ "org.keycloak.storage.UserStorageProvider": [ { "id": "bBD2l6kVRMaSABbfOJVRaw", - "name": "{{ keycloak_ldap_component_name }}", + "name": "{{ KEYCLOAK_LDAP_CMP_NAME }}", "providerId": "ldap", "subComponents": { "org.keycloak.storage.ldap.mappers.LDAPStorageMapper": [ diff --git a/roles/web-app-keycloak/vars/main.yml b/roles/web-app-keycloak/vars/main.yml index 8c3d4b1f..8bdd4bb2 100644 
--- a/roles/web-app-keycloak/vars/main.yml
+++ b/roles/web-app-keycloak/vars/main.yml
@@ -3,25 +3,22 @@ application_id: "web-app-keycloak" database_type: "postgres" # Database which will be used # Keycloak -keycloak_container: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.name') }}" # Name of the keycloak docker container -keycloak_docker_import_directory: "/opt/keycloak/data/import/" # Directory in which keycloak import files are placed in the running docker container -keycloak_realm: "{{ OIDC.CLIENT.REALM }}" # This is the name of the default realm which is used by the applications -keycloak_master_api_user: "{{ applications | get_app_conf(application_id, 'users.administrator') }}" # Master Administrator -keycloak_master_api_user_name: "{{ keycloak_master_api_user.username }}" # Master Administrator Username -keycloak_master_api_user_password: "{{ keycloak_master_api_user.password }}" # Master Administrator Password -keycloak_kcadm_path: "docker exec -i {{ keycloak_container }} /opt/keycloak/bin/kcadm.sh" # Init script for keycloak -keycloak_server_internal_url: "http://127.0.0.1:8080" -keycloak_server_host: "127.0.0.1:{{ ports.localhost.http[application_id] }}" -keycloak_server_host_url: "http://{{ keycloak_server_host }}" -keycloak_image: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.image') }}" # Keycloak docker image -keycloak_version: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.version') }}" # Keycloak docker version -keycloak_debug_enabled: "{{ MODE_DEBUG }}" -keycloak_redirect_features: ["features.oauth2","features.oidc"] -keycloak_client_id: "{{ OIDC.CLIENT.ID }}" -keycloak_ldap_component_name: "{{ ldap.server.domain }}" # Name of the LDAP User Federation component in Keycloak (as shown in UI) -keycloak_import_realm: "{{ applications | get_app_conf(application_id, 'actions.import_realm') }}" # Activate realm import -keycloak_update_ldap_bind: "{{ applications | get_app_conf(application_id, 'actions.update_ldap_bind') }}" # Toggle the LDAP bind update step 
-kc_desired_frontchannel_logout_url: "{{ domains | get_url('web-svc-logout', WEB_PROTOCOL) }}/" - -# Docker -docker_compose_flush_handlers: true # Remember to copy realm import before flush when set to true \ No newline at end of file +KEYCLOAK_CONTAINER: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.name') }}" # Name of the keycloak docker container +KEYCLOAK_DOCKER_IMPORT_DIR: "/opt/keycloak/data/import/" # Directory in which keycloak import files are placed in the running docker container +KEYCLOAK_REALM: "{{ OIDC.CLIENT.REALM }}" # This is the name of the default realm which is used by the applications +KEYCLOAK_MASTER_API_USER: "{{ applications | get_app_conf(application_id, 'users.administrator') }}" # Master Administrator +KEYCLOAK_MASTER_API_USER_NAME: "{{ KEYCLOAK_MASTER_API_USER.username }}" # Master Administrator Username +KEYCLOAK_MASTER_API_USER_PASSWORD: "{{ KEYCLOAK_MASTER_API_USER.password }}" # Master Administrator Password +KEYCLOAK_KCADM_PATH: "docker exec -i {{ KEYCLOAK_CONTAINER }} /opt/keycloak/bin/kcadm.sh" # Init script for keycloak +KEYCLOAK_SERVER_INTERNAL_URL: "http://127.0.0.1:8080" +KEYCLOAK_SERVER_HOST: "127.0.0.1:{{ ports.localhost.http[application_id] }}" +KEYCLOAK_SERVER_HOST_URL: "http://{{ KEYCLOAK_SERVER_HOST }}" +KEYCLOAK_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.image') }}" # Keycloak docker image +KEYCLOAK_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.version') }}" # Keycloak docker version +KEYCLOAK_DEBUG_ENABLED: "{{ MODE_DEBUG }}" +KEYCLOAK_REDIRECT_FEATURES: ["features.oauth2","features.oidc"] +KEYCLOAK_CLIENT_ID: "{{ OIDC.CLIENT.ID }}" +KEYCLOAK_LDAP_CMP_NAME: "{{ ldap.server.domain }}" # Name of the LDAP User Federation component in Keycloak (as shown in UI) +KEYCLOAK_IMPORT_REALM_ENABLED: "{{ applications | get_app_conf(application_id, 'actions.import_realm') }}" # Activate realm import +KEYCLOAK_UPDATE_LDAP_BIND: "{{ 
applications | get_app_conf(application_id, 'actions.update_ldap_bind') }}" # Toggle the LDAP bind update step
+KEYCLOAK_FRONTCHANNEL_LOGOUT_URL: "{{ domains | get_url('web-svc-logout', WEB_PROTOCOL) }}/"
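Review bot: The inline comment on `KEYCLOAK_KCADM_PATH` still reads `Init script for keycloak`, but the value is the kcadm admin-CLI invocation wrapped in `docker exec`, which is how every task file uses it; since the line is rewritten anyway, make the comment say so: `# kcadm admin CLI, run via docker exec inside the Keycloak container`. `KEYCLOAK_FRONTCHANNEL_LOGOUT_URL`, newly promoted from the `kc_desired_*` naming to a role variable, is the only renamed entry without a trailing comment and deserves one stating that it is the frontchannel logout URL written into the realm client. The flow list in `KEYCLOAK_REDIRECT_FEATURES` is missing the space after the comma (`["features.oauth2", "features.oidc"]`).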