Updated keycloak variables

roles/web-app-keycloak/tasks/02_update_client_redirects.yml

@@ -3,13 +3,13 @@
 
 # ── REQUIRED VARS (must be provided by caller) ───────────────────────────────
 # - WEB_PROTOCOL                        e.g. "https"
-# - keycloak_realm                      target realm name
-# - keycloak_server_host_url            e.g. "http://127.0.0.1:8080"
-# - keycloak_server_internal_url        e.g. "http://127.0.0.1:8080"
-# - keycloak_kcadm_path                 e.g. "docker exec -i keycloak /opt/keycloak/bin/kcadm.sh"
-# - keycloak_master_api_user_name
-# - keycloak_master_api_user_password
-# - keycloak_client_id                 clientId to update (e.g. same as realm or an app client)
+# - KEYCLOAK_REALM                      target realm name
+# - KEYCLOAK_SERVER_HOST_URL            e.g. "http://127.0.0.1:8080"
+# - KEYCLOAK_SERVER_INTERNAL_URL        e.g. "http://127.0.0.1:8080"
+# - KEYCLOAK_KCADM_PATH                 e.g. "docker exec -i keycloak /opt/keycloak/bin/kcadm.sh"
+# - KEYCLOAK_MASTER_API_USER_NAME
+# - KEYCLOAK_MASTER_API_USER_PASSWORD
+# - KEYCLOAK_CLIENT_ID                 clientId to update (e.g. same as realm or an app client)
 # - domains                             your domain map
 # - applications                        your applications map
 
@@ -17,14 +17,14 @@
   assert:
     that:
       - WEB_PROTOCOL is defined
-      - keycloak_realm is defined
-      - keycloak_server_host_url is defined
-      - keycloak_server_internal_url is defined
-      - keycloak_kcadm_path is defined
-      - keycloak_master_api_user_name is defined
-      - keycloak_master_api_user_password is defined
-      - keycloak_client_id is defined
-      - keycloak_redirect_features is defined
+      - KEYCLOAK_REALM is defined
+      - KEYCLOAK_SERVER_HOST_URL is defined
+      - KEYCLOAK_SERVER_INTERNAL_URL is defined
+      - KEYCLOAK_KCADM_PATH is defined
+      - KEYCLOAK_MASTER_API_USER_NAME is defined
+      - KEYCLOAK_MASTER_API_USER_PASSWORD is defined
+      - KEYCLOAK_CLIENT_ID is defined
+      - KEYCLOAK_REDIRECT_FEATURES is defined
       - domains is defined
       - applications is defined
     fail_msg: "Missing required variable(s). Provide all vars listed at the top of 02_update_client_redirects.yml."
@@ -32,18 +32,18 @@
 - name: "kcadm login"
   no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
   shell: >
-    {{ keycloak_kcadm_path }} config credentials
-    --server {{ keycloak_server_internal_url }}
+    {{ KEYCLOAK_KCADM_PATH }} config credentials
+    --server {{ KEYCLOAK_SERVER_INTERNAL_URL }}
     --realm master
-    --user {{ keycloak_master_api_user_name }}
-    --password {{ keycloak_master_api_user_password }}
+    --user {{ KEYCLOAK_MASTER_API_USER_NAME }}
+    --password {{ KEYCLOAK_MASTER_API_USER_PASSWORD }}
   changed_when: false
 
 # 1) Build desired sets (NO defaults)
 - name: "Build desired redirect URIs from config via filter"
   set_fact:
     kc_redirect_uris: >-
-      {{ domains | redirect_uris(applications, WEB_PROTOCOL, '/*', keycloak_redirect_features, True) }}
+      {{ domains | redirect_uris(applications, WEB_PROTOCOL, '/*', KEYCLOAK_REDIRECT_FEATURES, True) }}
 
 - name: Build desired web origins (scheme://host[:port])
   set_fact:
@@ -55,11 +55,11 @@
          | list | unique }}
 
 # 2) Resolve client id (strictly by provided clientId, no fallback)
-- name: "Resolve client internal id for {{ keycloak_client_id }}"
+- name: "Resolve client internal id for {{ KEYCLOAK_CLIENT_ID }}"
   shell: >
-    {{ keycloak_kcadm_path }} get clients
-    -r {{ keycloak_realm }}
-    --query 'clientId={{ keycloak_client_id }}'
+    {{ KEYCLOAK_KCADM_PATH }} get clients
+    -r {{ KEYCLOAK_REALM }}
+    --query 'clientId={{ KEYCLOAK_CLIENT_ID }}'
     --fields id --format json | jq -r '.[0].id'
   register: kc_client
   changed_when: false
@@ -67,13 +67,13 @@
 - name: "Fail if client not found"
   assert:
     that: kc_client.stdout is match('^[0-9a-f-]+$')
-    fail_msg: "Client '{{ keycloak_client_id }}' not found in realm '{{ keycloak_realm }}'."
+    fail_msg: "Client '{{ KEYCLOAK_CLIENT_ID }}' not found in realm '{{ KEYCLOAK_REALM }}'."
 
 # 3) Read current config (assume keys exist; we don't use defaults)
 - name: "Read current client configuration"
   shell: >
-    {{ keycloak_kcadm_path }} get clients/{{ kc_client.stdout }}
-    -r {{ keycloak_realm }} --format json
+    {{ KEYCLOAK_KCADM_PATH }} get clients/{{ kc_client.stdout }}
+    -r {{ KEYCLOAK_REALM }} --format json
   register: kc_client_obj
   changed_when: false
 
@@ -114,13 +114,13 @@
 # 4) Update only when changed
 - name: "Update client with redirectUris, webOrigins, frontchannelLogout"
   shell: >
-    {{ keycloak_kcadm_path }} update clients/{{ kc_client.stdout }}
-    -r {{ keycloak_realm }}
+    {{ KEYCLOAK_KCADM_PATH }} update clients/{{ kc_client.stdout }}
+    -r {{ KEYCLOAK_REALM }}
     -s 'redirectUris={{ kc_redirect_uris | to_json }}'
     -s 'webOrigins={{ kc_web_origins | to_json }}'
     -s 'frontchannelLogout=true'
-    -s 'attributes."frontchannel.logout.url"={{ kc_desired_frontchannel_logout_url | to_json }}'
+    -s 'attributes."frontchannel.logout.url"={{ KEYCLOAK_FRONTCHANNEL_LOGOUT_URL | to_json }}'
   when: kc_current_redirect_uris != kc_desired_redirect_uris
         or kc_current_web_origins  != kc_desired_web_origins
-        or kc_current_frontchannel_logout_url != kc_desired_frontchannel_logout_url
+        or kc_current_frontchannel_logout_url != KEYCLOAK_FRONTCHANNEL_LOGOUT_URL
 

roles/web-app-keycloak/tasks/03_update-ldap-bind.yml

@@ -12,12 +12,12 @@
 - name: "Assert required vars exist (strict: use ldap.* only, no defaults)"
   assert:
     that:
-      - keycloak_realm is defined
-      - keycloak_container is defined
-      - keycloak_server_internal_url is defined
-      - keycloak_master_api_user_name is defined
-      - keycloak_master_api_user_password is defined
-      - keycloak_ldap_component_name is defined
+      - KEYCLOAK_REALM is defined
+      - KEYCLOAK_CONTAINER is defined
+      - KEYCLOAK_SERVER_INTERNAL_URL is defined
+      - KEYCLOAK_MASTER_API_USER_NAME is defined
+      - KEYCLOAK_MASTER_API_USER_PASSWORD is defined
+      - KEYCLOAK_LDAP_CMP_NAME is defined
       - ldap is defined
       - ldap.dn.administrator is defined
       - ldap.dn.administrator.data is defined
@@ -35,7 +35,7 @@
       - docker
       - exec
       - -i
-      - "{{ keycloak_container }}"
+      - "{{ KEYCLOAK_CONTAINER }}"
       - /opt/keycloak/bin/kcadm.sh
 
 - name: "kcadm login (master)"
@@ -43,19 +43,19 @@
   command:
     argv: "{{ kcadm_argv_base
               + ['config', 'credentials',
-                 '--server', keycloak_server_internal_url,
+                 '--server', KEYCLOAK_SERVER_INTERNAL_URL,
                  '--realm', 'master',
-                 '--user', keycloak_master_api_user_name,
-                 '--password', keycloak_master_api_user_password] }}"
+                 '--user', KEYCLOAK_MASTER_API_USER_NAME,
+                 '--password', KEYCLOAK_MASTER_API_USER_PASSWORD] }}"
   changed_when: false
 
 # Resolve the LDAP component *by name* to avoid picking the wrong one.
-- name: "Resolve LDAP component id by name '{{ keycloak_ldap_component_name }}'"
+- name: "Resolve LDAP component id by name '{{ KEYCLOAK_LDAP_CMP_NAME }}'"
   command:
     argv: "{{ kcadm_argv_base
               + ['get', 'components',
-                 '-r', keycloak_realm,
-                 '--query', 'name=' ~ keycloak_ldap_component_name,
+                 '-r', KEYCLOAK_REALM,
+                 '--query', 'name=' ~ KEYCLOAK_LDAP_CMP_NAME,
                  '--fields', 'id,name,providerId,config',
                  '--format', 'json'] }}"
   register: kc_ldap_list
@@ -68,7 +68,7 @@
     that:
       - (parsed | length) == 1
     fail_msg: >-
-      Expected exactly one LDAP component named '{{ keycloak_ldap_component_name }}',
+      Expected exactly one LDAP component named '{{ KEYCLOAK_LDAP_CMP_NAME }}',
       found {{ (kc_ldap_list.stdout | from_json) | length }}.
 
 - name: "Extract current LDAP component values"
@@ -102,7 +102,7 @@
   command:
     argv: "{{ kcadm_argv_base
               + ['update', 'components/' ~ kc_ldap_component_id,
-                 '-r', keycloak_realm,
+                 '-r', KEYCLOAK_REALM,
                  '-s', 'config.bindDn=' ~ ([kc_desired_bind_dn] | to_json),
                  '-s', 'config.bindCredential=' ~ ([kc_desired_bind_pw] | to_json),
                  '-s', 'config.connectionUrl=' ~ ([kc_desired_connection_url] | to_json)
@@ -112,7 +112,7 @@
 
 - name: "LDAP provider updated"
   debug:
-    msg: "LDAP bindDn/bindCredential/connectionUrl updated on component {{ keycloak_ldap_component_name }}."
+    msg: "LDAP bindDn/bindCredential/connectionUrl updated on component {{ KEYCLOAK_LDAP_CMP_NAME }}."
   when:
     - kc_bind_update is defined
     - kc_bind_update.rc == 0

roles/web-app-keycloak/tasks/04_ssh_public_key.yml

@@ -1,17 +1,17 @@
 # Configure Credentials
 - name: Ensure Keycloak CLI credentials are configured
   shell: |
-    {{ keycloak_kcadm_path }} config credentials \
-      --server {{ keycloak_server_internal_url }} \
+    {{ KEYCLOAK_KCADM_PATH }} config credentials \
+      --server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \
       --realm master \
-      --user {{ keycloak_master_api_user_name }} \
-      --password {{ keycloak_master_api_user_password }}
+      --user {{ KEYCLOAK_MASTER_API_USER_NAME }} \
+      --password {{ KEYCLOAK_MASTER_API_USER_PASSWORD }}
 
 # LDAP Source
 - name: Get ID of LDAP storage provider
   shell: |
-    {{ keycloak_kcadm_path }} get components \
-      -r {{ keycloak_realm }} \
+    {{ KEYCLOAK_KCADM_PATH }} get components \
+      -r {{ KEYCLOAK_REALM }} \
       --query 'providerId=ldap' \
       --fields id,name \
       --format json
@@ -24,7 +24,7 @@
 - name: Ensure {{ ldap.user.attributes.ssh_public_key }} LDAP Mapper exists
   shell: |
     docker exec -i keycloak_application bash -c '
-      /opt/keycloak/bin/kcadm.sh get components -r {{ keycloak_realm }} \
+      /opt/keycloak/bin/kcadm.sh get components -r {{ KEYCLOAK_REALM }} \
       | grep -q "\"name\" : \"{{ ldap.user.attributes.ssh_public_key }}\"" \
       || printf "%s\n" "{
         \"name\": \"{{ ldap.user.attributes.ssh_public_key }}\",
@@ -39,7 +39,7 @@
           \"always.read.value.from.ldap\": [\"false\"],
           \"multivalued\": [\"true\"]
         }
-      }" | /opt/keycloak/bin/kcadm.sh create components -r {{ keycloak_realm }} -f -'
+      }" | /opt/keycloak/bin/kcadm.sh create components -r {{ KEYCLOAK_REALM }} -f -'
   register: mapper_create
   changed_when: mapper_create.rc == 0 and mapper_create.stdout != ""
 
@@ -47,16 +47,16 @@
 
 - name: Enable user profile in realm
   shell: >
-    {{ keycloak_kcadm_path }} update realms/{{ keycloak_realm }}
+    {{ KEYCLOAK_KCADM_PATH }} update realms/{{ KEYCLOAK_REALM }}
     -s 'attributes.userProfileEnabled=true'
 
 - name: Re-authenticate to Keycloak after enabling user profile
   shell: |
-    {{ keycloak_kcadm_path }} config credentials \
-      --server {{ keycloak_server_internal_url }} \
+    {{ KEYCLOAK_KCADM_PATH }} config credentials \
+      --server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \
       --realm master \
-      --user {{ keycloak_master_api_user_name }} \
-      --password {{ keycloak_master_api_user_password }}
+      --user {{ KEYCLOAK_MASTER_API_USER_NAME }} \
+      --password {{ KEYCLOAK_MASTER_API_USER_PASSWORD }}
 
 - name: Render user-profile JSON for SSH key
   template:
@@ -67,5 +67,5 @@
 
 - name: Apply SSH Public Key to user-profile via kcadm
   shell: |
-    docker exec -i {{ keycloak_container }} \
-      /opt/keycloak/bin/kcadm.sh update realms/{{ keycloak_realm }} -f {{ keycloak_docker_import_directory }}user-profile.json
+    docker exec -i {{ KEYCLOAK_CONTAINER }} \
+      /opt/keycloak/bin/kcadm.sh update realms/{{ KEYCLOAK_REALM }} -f {{ KEYCLOAK_DOCKER_IMPORT_DIR }}user-profile.json

roles/web-app-keycloak/tasks/main.yml

@@ -10,10 +10,12 @@
 - name: "load docker, db and proxy for {{ application_id }}"
   include_role: 
     name: cmp-db-docker-proxy
+  vars:
+    docker_compose_flush_handlers: true
 
-- name: "Wait until Keycloak is reachable at {{ keycloak_server_host_url }}"
+- name: "Wait until Keycloak is reachable at {{ KEYCLOAK_SERVER_HOST_URL }}"
   uri:
-    url: "{{ keycloak_server_host_url }}/realms/master"
+    url: "{{ KEYCLOAK_SERVER_HOST_URL }}/realms/master"
     method: GET
     status_code: 200
     validate_certs: false
@@ -26,7 +28,7 @@
   include_tasks: 02_update_client_redirects.yml
 
 - name: "Update LDAP bind credentials from ldap.*"
-  when: keycloak_update_ldap_bind | bool
+  when: KEYCLOAK_UPDATE_LDAP_BIND | bool
   include_tasks: 03_update-ldap-bind.yml
 
 # Deactivated temporary. Import now via realm.yml