Updated keycloak variables

2025-08-20 02:35:04 +02:00 · 2025-08-17 10:47:40 +02:00 · 2025-08-17 10:47:40 +02:00 · 0a83f3159a
commit 0a83f3159a
parent fb7b3a3c8e
7 changed files with 110 additions and 111 deletions
--- a/roles/web-app-keycloak/tasks/02_update_client_redirects.yml
+++ b/roles/web-app-keycloak/tasks/02_update_client_redirects.yml
@ -3,13 +3,13 @@

 # ── REQUIRED VARS (must be provided by caller) ───────────────────────────────
 # - WEB_PROTOCOL                        e.g. "https"
-# - keycloak_realm                      target realm name
-# - keycloak_server_host_url            e.g. "http://127.0.0.1:8080"
-# - keycloak_server_internal_url        e.g. "http://127.0.0.1:8080"
-# - keycloak_kcadm_path                 e.g. "docker exec -i keycloak /opt/keycloak/bin/kcadm.sh"
-# - keycloak_master_api_user_name
-# - keycloak_master_api_user_password
-# - keycloak_client_id                 clientId to update (e.g. same as realm or an app client)
+# - KEYCLOAK_REALM                      target realm name
+# - KEYCLOAK_SERVER_HOST_URL            e.g. "http://127.0.0.1:8080"
+# - KEYCLOAK_SERVER_INTERNAL_URL        e.g. "http://127.0.0.1:8080"
+# - KEYCLOAK_KCADM_PATH                 e.g. "docker exec -i keycloak /opt/keycloak/bin/kcadm.sh"
+# - KEYCLOAK_MASTER_API_USER_NAME
+# - KEYCLOAK_MASTER_API_USER_PASSWORD
+# - KEYCLOAK_CLIENT_ID                 clientId to update (e.g. same as realm or an app client)
 # - domains                             your domain map
 # - applications                        your applications map

@ -17,14 +17,14 @@
  assert:
    that:
      - WEB_PROTOCOL is defined
-      - keycloak_realm is defined
-      - keycloak_server_host_url is defined
-      - keycloak_server_internal_url is defined
-      - keycloak_kcadm_path is defined
-      - keycloak_master_api_user_name is defined
-      - keycloak_master_api_user_password is defined
-      - keycloak_client_id is defined
-      - keycloak_redirect_features is defined
+      - KEYCLOAK_REALM is defined
+      - KEYCLOAK_SERVER_HOST_URL is defined
+      - KEYCLOAK_SERVER_INTERNAL_URL is defined
+      - KEYCLOAK_KCADM_PATH is defined
+      - KEYCLOAK_MASTER_API_USER_NAME is defined
+      - KEYCLOAK_MASTER_API_USER_PASSWORD is defined
+      - KEYCLOAK_CLIENT_ID is defined
+      - KEYCLOAK_REDIRECT_FEATURES is defined
      - domains is defined
      - applications is defined
    fail_msg: "Missing required variable(s). Provide all vars listed at the top of 02_update_client_redirects.yml."
@ -32,18 +32,18 @@
 - name: "kcadm login"
  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
  shell: >
-    {{ keycloak_kcadm_path }} config credentials
-    --server {{ keycloak_server_internal_url }}
+    {{ KEYCLOAK_KCADM_PATH }} config credentials
+    --server {{ KEYCLOAK_SERVER_INTERNAL_URL }}
    --realm master
-    --user {{ keycloak_master_api_user_name }}
-    --password {{ keycloak_master_api_user_password }}
+    --user {{ KEYCLOAK_MASTER_API_USER_NAME }}
+    --password {{ KEYCLOAK_MASTER_API_USER_PASSWORD }}
  changed_when: false

 # 1) Build desired sets (NO defaults)
 - name: "Build desired redirect URIs from config via filter"
  set_fact:
    kc_redirect_uris: >-
-      {{ domains | redirect_uris(applications, WEB_PROTOCOL, '/*', keycloak_redirect_features, True) }}
+      {{ domains | redirect_uris(applications, WEB_PROTOCOL, '/*', KEYCLOAK_REDIRECT_FEATURES, True) }}

 - name: Build desired web origins (scheme://host[:port])
  set_fact:
@ -55,11 +55,11 @@
         | list | unique }}

 # 2) Resolve client id (strictly by provided clientId, no fallback)
- name: "Resolve client internal id for {{ keycloak_client_id }}"
+- name: "Resolve client internal id for {{ KEYCLOAK_CLIENT_ID }}"
  shell: >
-    {{ keycloak_kcadm_path }} get clients
-    -r {{ keycloak_realm }}
-    --query 'clientId={{ keycloak_client_id }}'
+    {{ KEYCLOAK_KCADM_PATH }} get clients
+    -r {{ KEYCLOAK_REALM }}
+    --query 'clientId={{ KEYCLOAK_CLIENT_ID }}'
    --fields id --format json | jq -r '.[0].id'
  register: kc_client
  changed_when: false
@ -67,13 +67,13 @@
 - name: "Fail if client not found"
  assert:
    that: kc_client.stdout is match('^[0-9a-f-]+$')
-    fail_msg: "Client '{{ keycloak_client_id }}' not found in realm '{{ keycloak_realm }}'."
+    fail_msg: "Client '{{ KEYCLOAK_CLIENT_ID }}' not found in realm '{{ KEYCLOAK_REALM }}'."

 # 3) Read current config (assume keys exist; we don't use defaults)
 - name: "Read current client configuration"
  shell: >
-    {{ keycloak_kcadm_path }} get clients/{{ kc_client.stdout }}
-    -r {{ keycloak_realm }} --format json
+    {{ KEYCLOAK_KCADM_PATH }} get clients/{{ kc_client.stdout }}
+    -r {{ KEYCLOAK_REALM }} --format json
  register: kc_client_obj
  changed_when: false

@ -114,13 +114,13 @@
 # 4) Update only when changed
 - name: "Update client with redirectUris, webOrigins, frontchannelLogout"
  shell: >
-    {{ keycloak_kcadm_path }} update clients/{{ kc_client.stdout }}
-    -r {{ keycloak_realm }}
+    {{ KEYCLOAK_KCADM_PATH }} update clients/{{ kc_client.stdout }}
+    -r {{ KEYCLOAK_REALM }}
    -s 'redirectUris={{ kc_redirect_uris | to_json }}'
    -s 'webOrigins={{ kc_web_origins | to_json }}'
    -s 'frontchannelLogout=true'
-    -s 'attributes."frontchannel.logout.url"={{ kc_desired_frontchannel_logout_url | to_json }}'
+    -s 'attributes."frontchannel.logout.url"={{ KEYCLOAK_FRONTCHANNEL_LOGOUT_URL | to_json }}'
  when: kc_current_redirect_uris != kc_desired_redirect_uris
        or kc_current_web_origins  != kc_desired_web_origins
-        or kc_current_frontchannel_logout_url != kc_desired_frontchannel_logout_url
+        or kc_current_frontchannel_logout_url != KEYCLOAK_FRONTCHANNEL_LOGOUT_URL

--- a/roles/web-app-keycloak/tasks/03_update-ldap-bind.yml
+++ b/roles/web-app-keycloak/tasks/03_update-ldap-bind.yml
@ -12,12 +12,12 @@
 - name: "Assert required vars exist (strict: use ldap.* only, no defaults)"
  assert:
    that:
-      - keycloak_realm is defined
-      - keycloak_container is defined
-      - keycloak_server_internal_url is defined
-      - keycloak_master_api_user_name is defined
-      - keycloak_master_api_user_password is defined
-      - keycloak_ldap_component_name is defined
+      - KEYCLOAK_REALM is defined
+      - KEYCLOAK_CONTAINER is defined
+      - KEYCLOAK_SERVER_INTERNAL_URL is defined
+      - KEYCLOAK_MASTER_API_USER_NAME is defined
+      - KEYCLOAK_MASTER_API_USER_PASSWORD is defined
+      - KEYCLOAK_LDAP_CMP_NAME is defined
      - ldap is defined
      - ldap.dn.administrator is defined
      - ldap.dn.administrator.data is defined
@ -35,7 +35,7 @@
      - docker
      - exec
      - -i
-      - "{{ keycloak_container }}"
+      - "{{ KEYCLOAK_CONTAINER }}"
      - /opt/keycloak/bin/kcadm.sh

 - name: "kcadm login (master)"
@ -43,19 +43,19 @@
  command:
    argv: "{{ kcadm_argv_base
              + ['config', 'credentials',
-                 '--server', keycloak_server_internal_url,
+                 '--server', KEYCLOAK_SERVER_INTERNAL_URL,
                 '--realm', 'master',
-                 '--user', keycloak_master_api_user_name,
-                 '--password', keycloak_master_api_user_password] }}"
+                 '--user', KEYCLOAK_MASTER_API_USER_NAME,
+                 '--password', KEYCLOAK_MASTER_API_USER_PASSWORD] }}"
  changed_when: false

 # Resolve the LDAP component *by name* to avoid picking the wrong one.
- name: "Resolve LDAP component id by name '{{ keycloak_ldap_component_name }}'"
+- name: "Resolve LDAP component id by name '{{ KEYCLOAK_LDAP_CMP_NAME }}'"
  command:
    argv: "{{ kcadm_argv_base
              + ['get', 'components',
-                 '-r', keycloak_realm,
-                 '--query', 'name=' ~ keycloak_ldap_component_name,
+                 '-r', KEYCLOAK_REALM,
+                 '--query', 'name=' ~ KEYCLOAK_LDAP_CMP_NAME,
                 '--fields', 'id,name,providerId,config',
                 '--format', 'json'] }}"
  register: kc_ldap_list
@ -68,7 +68,7 @@
    that:
      - (parsed | length) == 1
    fail_msg: >-
-      Expected exactly one LDAP component named '{{ keycloak_ldap_component_name }}',
+      Expected exactly one LDAP component named '{{ KEYCLOAK_LDAP_CMP_NAME }}',
      found {{ (kc_ldap_list.stdout | from_json) | length }}.

 - name: "Extract current LDAP component values"
@ -102,7 +102,7 @@
  command:
    argv: "{{ kcadm_argv_base
              + ['update', 'components/' ~ kc_ldap_component_id,
-                 '-r', keycloak_realm,
+                 '-r', KEYCLOAK_REALM,
                 '-s', 'config.bindDn=' ~ ([kc_desired_bind_dn] | to_json),
                 '-s', 'config.bindCredential=' ~ ([kc_desired_bind_pw] | to_json),
                 '-s', 'config.connectionUrl=' ~ ([kc_desired_connection_url] | to_json)
@ -112,7 +112,7 @@

 - name: "LDAP provider updated"
  debug:
-    msg: "LDAP bindDn/bindCredential/connectionUrl updated on component {{ keycloak_ldap_component_name }}."
+    msg: "LDAP bindDn/bindCredential/connectionUrl updated on component {{ KEYCLOAK_LDAP_CMP_NAME }}."
  when:
    - kc_bind_update is defined
    - kc_bind_update.rc == 0
--- a/roles/web-app-keycloak/tasks/04_ssh_public_key.yml
+++ b/roles/web-app-keycloak/tasks/04_ssh_public_key.yml
@ -1,17 +1,17 @@
 # Configure Credentials
 - name: Ensure Keycloak CLI credentials are configured
  shell: |
-    {{ keycloak_kcadm_path }} config credentials \
-      --server {{ keycloak_server_internal_url }} \
+    {{ KEYCLOAK_KCADM_PATH }} config credentials \
+      --server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \
      --realm master \
-      --user {{ keycloak_master_api_user_name }} \
-      --password {{ keycloak_master_api_user_password }}
+      --user {{ KEYCLOAK_MASTER_API_USER_NAME }} \
+      --password {{ KEYCLOAK_MASTER_API_USER_PASSWORD }}

 # LDAP Source
 - name: Get ID of LDAP storage provider
  shell: |
-    {{ keycloak_kcadm_path }} get components \
-      -r {{ keycloak_realm }} \
+    {{ KEYCLOAK_KCADM_PATH }} get components \
+      -r {{ KEYCLOAK_REALM }} \
      --query 'providerId=ldap' \
      --fields id,name \
      --format json
@ -24,7 +24,7 @@
 - name: Ensure {{ ldap.user.attributes.ssh_public_key }} LDAP Mapper exists
  shell: |
    docker exec -i keycloak_application bash -c '
-      /opt/keycloak/bin/kcadm.sh get components -r {{ keycloak_realm }} \
+      /opt/keycloak/bin/kcadm.sh get components -r {{ KEYCLOAK_REALM }} \
      | grep -q "\"name\" : \"{{ ldap.user.attributes.ssh_public_key }}\"" \
      || printf "%s\n" "{
        \"name\": \"{{ ldap.user.attributes.ssh_public_key }}\",
@ -39,7 +39,7 @@
          \"always.read.value.from.ldap\": [\"false\"],
          \"multivalued\": [\"true\"]
        }
-      }" | /opt/keycloak/bin/kcadm.sh create components -r {{ keycloak_realm }} -f -'
+      }" | /opt/keycloak/bin/kcadm.sh create components -r {{ KEYCLOAK_REALM }} -f -'
  register: mapper_create
  changed_when: mapper_create.rc == 0 and mapper_create.stdout != ""

@ -47,16 +47,16 @@

 - name: Enable user profile in realm
  shell: >
-    {{ keycloak_kcadm_path }} update realms/{{ keycloak_realm }}
+    {{ KEYCLOAK_KCADM_PATH }} update realms/{{ KEYCLOAK_REALM }}
    -s 'attributes.userProfileEnabled=true'

 - name: Re-authenticate to Keycloak after enabling user profile
  shell: |
-    {{ keycloak_kcadm_path }} config credentials \
-      --server {{ keycloak_server_internal_url }} \
+    {{ KEYCLOAK_KCADM_PATH }} config credentials \
+      --server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \
      --realm master \
-      --user {{ keycloak_master_api_user_name }} \
-      --password {{ keycloak_master_api_user_password }}
+      --user {{ KEYCLOAK_MASTER_API_USER_NAME }} \
+      --password {{ KEYCLOAK_MASTER_API_USER_PASSWORD }}

 - name: Render user-profile JSON for SSH key
  template:
@ -67,5 +67,5 @@

 - name: Apply SSH Public Key to user-profile via kcadm
  shell: |
-    docker exec -i {{ keycloak_container }} \
-      /opt/keycloak/bin/kcadm.sh update realms/{{ keycloak_realm }} -f {{ keycloak_docker_import_directory }}user-profile.json
+    docker exec -i {{ KEYCLOAK_CONTAINER }} \
+      /opt/keycloak/bin/kcadm.sh update realms/{{ KEYCLOAK_REALM }} -f {{ KEYCLOAK_DOCKER_IMPORT_DIR }}user-profile.json
--- a/roles/web-app-keycloak/tasks/main.yml
+++ b/roles/web-app-keycloak/tasks/main.yml
@ -10,10 +10,12 @@
 - name: "load docker, db and proxy for {{ application_id }}"
  include_role: 
    name: cmp-db-docker-proxy
+  vars:
+    docker_compose_flush_handlers: true

- name: "Wait until Keycloak is reachable at {{ keycloak_server_host_url }}"
+- name: "Wait until Keycloak is reachable at {{ KEYCLOAK_SERVER_HOST_URL }}"
  uri:
-    url: "{{ keycloak_server_host_url }}/realms/master"
+    url: "{{ KEYCLOAK_SERVER_HOST_URL }}/realms/master"
    method: GET
    status_code: 200
    validate_certs: false
@ -26,7 +28,7 @@
  include_tasks: 02_update_client_redirects.yml

 - name: "Update LDAP bind credentials from ldap.*"
-  when: keycloak_update_ldap_bind | bool
+  when: KEYCLOAK_UPDATE_LDAP_BIND | bool
  include_tasks: 03_update-ldap-bind.yml

 # Deactivated temporary. Import now via realm.yml
--- a/roles/web-app-keycloak/templates/docker-compose.yml.j2
+++ b/roles/web-app-keycloak/templates/docker-compose.yml.j2
@ -1,14 +1,14 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}

  application:
-    image: "{{ keycloak_image }}:{{ keycloak_version }}"
-    container_name: {{ keycloak_container }}
-    command: start{% if keycloak_import_realm %} --import-realm{% endif %}{% if keycloak_debug_enabled %} --verbose{% endif %}
+    image: "{{ KEYCLOAK_IMAGE }}:{{ KEYCLOAK_VERSION }}"
+    container_name: {{ KEYCLOAK_CONTAINER }}
+    command: start{% if KEYCLOAK_IMPORT_REALM_ENABLED %} --import-realm{% endif %}{% if KEYCLOAK_DEBUG_ENABLED %} --verbose{% endif %}
    {% include 'roles/docker-container/templates/base.yml.j2' %}
    ports:
-      - "{{ keycloak_server_host }}:8080"
+      - "{{ KEYCLOAK_SERVER_HOST }}:8080"
    volumes:
-      - "{{ keycloak_host_import_directory }}:{{keycloak_docker_import_directory}}"
+      - "{{ keycloak_host_import_directory }}:{{KEYCLOAK_DOCKER_IMPORT_DIR}}"
 {% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
 {% set container_port = 9000 %}
--- a/roles/web-app-keycloak/templates/import/realm.json.j2
+++ b/roles/web-app-keycloak/templates/import/realm.json.j2
@ -1,6 +1,6 @@
 {
  "id": "3b03105b-5fe6-4b53-ba24-c8796525be0e",
-  "realm": "{{ keycloak_realm }}",
+  "realm": "{{ KEYCLOAK_REALM }}",
  "displayName": "",
  "displayNameHtml": "",
  "notBefore": 0,
@ -60,7 +60,7 @@
      },
      {
        "id": "01d9dd2a-75b2-47a2-af36-b14251f1b956",
-        "name": "default-roles-{{ keycloak_realm }}",
+        "name": "default-roles-{{ KEYCLOAK_REALM }}",
        "description": "${role_default-roles}",
        "composite": true,
        "composites": {
@ -302,7 +302,7 @@
          "attributes": {}
        }
      ],
-      "{{ keycloak_realm }}": [],
+      "{{ KEYCLOAK_REALM }}": [],
      "security-admin-console": [],
      "admin-cli": [],
      "account-console": [],
@ -410,7 +410,7 @@
  "groups": [],
  "defaultRole": {
    "id": "01d9dd2a-75b2-47a2-af36-b14251f1b956",
-    "name": "default-roles-{{ keycloak_realm }}",
+    "name": "default-roles-{{ KEYCLOAK_REALM }}",
    "description": "${role_default-roles}",
    "composite": true,
    "clientRole": false,
@ -464,18 +464,18 @@
  "users": [
    {
      "id": "19ecedfd-acf2-49e8-9f66-91ab71d54fc3",
-      "username": "service-account-{{ keycloak_realm }}",
+      "username": "service-account-{{ KEYCLOAK_REALM }}",
      "emailVerified": false,
      "createdTimestamp": 1737925519602,
      "enabled": true,
      "totp": false,
-      "serviceAccountClientId": "{{ keycloak_realm }}",
+      "serviceAccountClientId": "{{ KEYCLOAK_REALM }}",
      "disableableCredentialTypes": [],
      "requiredActions": [
        "CONFIGURE_TOTP"
      ],
      "realmRoles": [
-        "default-roles-{{ keycloak_realm }}"
+        "default-roles-{{ KEYCLOAK_REALM }}"
      ],
      "notBefore": 0,
      "groups": []
@ -508,13 +508,13 @@
      "description": "",
      "rootUrl": "${authBaseUrl}",
      "adminUrl": "",
-      "baseUrl": "/realms/{{ keycloak_realm }}/account/",
+      "baseUrl": "/realms/{{ KEYCLOAK_REALM }}/account/",
      "surrogateAuthRequired": false,
      "enabled": true,
      "alwaysDisplayInConsole": false,
      "clientAuthenticatorType": "desktop-secret",
      "redirectUris": [
-        "/realms/{{ keycloak_realm }}/account/*"
+        "/realms/{{ KEYCLOAK_REALM }}/account/*"
      ],
      "webOrigins": [
        "{{ domains | get_url('web-app-keycloak', WEB_PROTOCOL) }}"
@ -530,7 +530,7 @@
      "frontchannelLogout": true,
      "protocol": "openid-connect",
      "attributes": {
-        "frontchannel.logout.url": "{{ kc_desired_frontchannel_logout_url }}",
+        "frontchannel.logout.url": "{{ KEYCLOAK_FRONTCHANNEL_LOGOUT_URL }}",
        "realm_client": "false",
        "oidc.ciba.grant.enabled": "false",
        "backchannel.logout.session.required": "true",
@ -565,13 +565,13 @@
      "description": "",
      "rootUrl": "${authBaseUrl}",
      "adminUrl": "",
-      "baseUrl": "/realms/{{ keycloak_realm }}/account/",
+      "baseUrl": "/realms/{{ KEYCLOAK_REALM }}/account/",
      "surrogateAuthRequired": false,
      "enabled": true,
      "alwaysDisplayInConsole": false,
      "clientAuthenticatorType": "desktop-secret",
      "redirectUris": [
-        "/realms/{{ keycloak_realm }}/account/*"
+        "/realms/{{ KEYCLOAK_REALM }}/account/*"
      ],
      "webOrigins": [
        "*"
@ -757,13 +757,13 @@
      "clientId": "security-admin-console",
      "name": "${client_security-admin-console}",
      "rootUrl": "${authAdminUrl}",
-      "baseUrl": "/admin/{{ keycloak_realm }}/console/",
+      "baseUrl": "/admin/{{ KEYCLOAK_REALM }}/console/",
      "surrogateAuthRequired": false,
      "enabled": true,
      "alwaysDisplayInConsole": false,
      "clientAuthenticatorType": "desktop-secret",
      "redirectUris": [
-        "/admin/{{ keycloak_realm }}/console/*"
+        "/admin/{{ KEYCLOAK_REALM }}/console/*"
      ],
      "webOrigins": [
        "+"
@ -823,12 +823,12 @@
    },
    {
      "id": "7b5f97e3-7fa8-4d86-b1e9-80aac996da26",
-      "clientId": "{{ keycloak_realm }}",
+      "clientId": "{{ KEYCLOAK_REALM }}",
      "name": "",
      "description": "",
-      "rootUrl":  "{{ WEB_PROTOCOL }}://{{ keycloak_realm }}/",
-      "adminUrl": "{{ WEB_PROTOCOL }}://{{ keycloak_realm }}/",
-      "baseUrl":  "{{ WEB_PROTOCOL }}://{{ keycloak_realm }}/",
+      "rootUrl":  "{{ WEB_PROTOCOL }}://{{ KEYCLOAK_REALM }}/",
+      "adminUrl": "{{ WEB_PROTOCOL }}://{{ KEYCLOAK_REALM }}/",
+      "baseUrl":  "{{ WEB_PROTOCOL }}://{{ KEYCLOAK_REALM }}/",
      "surrogateAuthRequired": false,
      "enabled": true,
      "alwaysDisplayInConsole": false,
@ -1823,7 +1823,7 @@
    "org.keycloak.storage.UserStorageProvider": [
      {
        "id": "bBD2l6kVRMaSABbfOJVRaw",
-        "name": "{{ keycloak_ldap_component_name }}",
+        "name": "{{ KEYCLOAK_LDAP_CMP_NAME }}",
        "providerId": "ldap",
        "subComponents": {
          "org.keycloak.storage.ldap.mappers.LDAPStorageMapper": [
--- a/roles/web-app-keycloak/vars/main.yml
+++ b/roles/web-app-keycloak/vars/main.yml
@ -3,25 +3,22 @@ application_id:                   "web-app-keycloak"
 database_type:                    "postgres"                                                                                  # Database which will be used

 # Keycloak
-keycloak_container:                 "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.name') }}"      # Name of the keycloak docker container
-keycloak_docker_import_directory:   "/opt/keycloak/data/import/"                                                              # Directory in which keycloak import files are placed in the running docker container
-keycloak_realm:                     "{{ OIDC.CLIENT.REALM }}"                                                                     # This is the name of the default realm which is used by the applications
-keycloak_master_api_user:           "{{ applications | get_app_conf(application_id, 'users.administrator') }}"                # Master Administrator
-keycloak_master_api_user_name:      "{{ keycloak_master_api_user.username }}"                                                 # Master Administrator Username
-keycloak_master_api_user_password:  "{{ keycloak_master_api_user.password }}"                                                 # Master Administrator Password
-keycloak_kcadm_path:                "docker exec -i {{ keycloak_container }} /opt/keycloak/bin/kcadm.sh"                      # Init script for keycloak
-keycloak_server_internal_url:       "http://127.0.0.1:8080"
-keycloak_server_host:               "127.0.0.1:{{ ports.localhost.http[application_id] }}"
-keycloak_server_host_url:           "http://{{ keycloak_server_host }}"
-keycloak_image:                     "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.image') }}"     # Keycloak docker image
-keycloak_version:                   "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.version') }}"   # Keycloak docker version
-keycloak_debug_enabled:             "{{ MODE_DEBUG }}"
-keycloak_redirect_features:         ["features.oauth2","features.oidc"]
-keycloak_client_id:                 "{{ OIDC.CLIENT.ID }}"
-keycloak_ldap_component_name:       "{{ ldap.server.domain }}"                                                                                    # Name of the LDAP User Federation component in Keycloak (as shown in UI)
-keycloak_import_realm:              "{{ applications | get_app_conf(application_id, 'actions.import_realm') }}"               # Activate realm import  
-keycloak_update_ldap_bind:          "{{ applications | get_app_conf(application_id, 'actions.update_ldap_bind') }}"           # Toggle the LDAP bind update step
-kc_desired_frontchannel_logout_url: "{{ domains | get_url('web-svc-logout', WEB_PROTOCOL) }}/"
-
-# Docker 
-docker_compose_flush_handlers:      true                                                                                      # Remember to copy realm import before flush when set to true
+KEYCLOAK_CONTAINER:                 "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.name') }}"      # Name of the keycloak docker container
+KEYCLOAK_DOCKER_IMPORT_DIR:         "/opt/keycloak/data/import/"                                                              # Directory in which keycloak import files are placed in the running docker container
+KEYCLOAK_REALM:                     "{{ OIDC.CLIENT.REALM }}"                                                                     # This is the name of the default realm which is used by the applications
+KEYCLOAK_MASTER_API_USER:           "{{ applications | get_app_conf(application_id, 'users.administrator') }}"                # Master Administrator
+KEYCLOAK_MASTER_API_USER_NAME:      "{{ KEYCLOAK_MASTER_API_USER.username }}"                                                 # Master Administrator Username
+KEYCLOAK_MASTER_API_USER_PASSWORD:  "{{ KEYCLOAK_MASTER_API_USER.password }}"                                                 # Master Administrator Password
+KEYCLOAK_KCADM_PATH:                "docker exec -i {{ KEYCLOAK_CONTAINER }} /opt/keycloak/bin/kcadm.sh"                      # Init script for keycloak
+KEYCLOAK_SERVER_INTERNAL_URL:       "http://127.0.0.1:8080"
+KEYCLOAK_SERVER_HOST:               "127.0.0.1:{{ ports.localhost.http[application_id] }}"
+KEYCLOAK_SERVER_HOST_URL:           "http://{{ KEYCLOAK_SERVER_HOST }}"
+KEYCLOAK_IMAGE:                     "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.image') }}"     # Keycloak docker image
+KEYCLOAK_VERSION:                   "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.version') }}"   # Keycloak docker version
+KEYCLOAK_DEBUG_ENABLED:             "{{ MODE_DEBUG }}"
+KEYCLOAK_REDIRECT_FEATURES:         ["features.oauth2","features.oidc"]
+KEYCLOAK_CLIENT_ID:                 "{{ OIDC.CLIENT.ID }}"
+KEYCLOAK_LDAP_CMP_NAME:             "{{ ldap.server.domain }}"                                                                                    # Name of the LDAP User Federation component in Keycloak (as shown in UI)
+KEYCLOAK_IMPORT_REALM_ENABLED:      "{{ applications | get_app_conf(application_id, 'actions.import_realm') }}"               # Activate realm import  
+KEYCLOAK_UPDATE_LDAP_BIND:          "{{ applications | get_app_conf(application_id, 'actions.update_ldap_bind') }}"           # Toggle the LDAP bind update step
+KEYCLOAK_FRONTCHANNEL_LOGOUT_URL:   "{{ domains | get_url('web-svc-logout', WEB_PROTOCOL) }}/"