feat(keycloak): add automation service account client support

Introduce a confidential service-account client (Option A) to replace user-based kcadm sessions. The client is created automatically, granted realm-admin role, and used for all subsequent Keycloak updates. Includes improved error handling for HTTP 401 responses. Discussion: https://chatgpt.com/share/68e01da3-39fc-800f-81be-2d0c8efd81a1
2025-11-04 12:18:17 +00:00 · 2025-10-03 21:02:16 +02:00
parent 4d9890406e
commit 6fcf6a1ab6
5 changed files with 113 additions and 5 deletions
--- a/roles/web-app-keycloak/vars/main.yml
+++ b/roles/web-app-keycloak/vars/main.yml
@@ -1,6 +1,6 @@
 # General
-application_id:                   "web-app-keycloak"                                                                          # Internal Infinito.Nexus application id 
-database_type:                    "postgres"                                                                                  # Database which will be used
+application_id:                     "web-app-keycloak"                                                                          # Internal Infinito.Nexus application id 
+database_type:                      "postgres"                                                                                  # Database which will be used

 # Keycloak

@@ -34,9 +34,16 @@ KEYCLOAK_ADMIN_PASSWORD:            "{{ applications | get_app_conf(application_

 ## Docker
 KEYCLOAK_CONTAINER:                 "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.name') }}"      # Name of the keycloak docker container
-KEYCLOAK_EXEC_KCADM:                "docker exec -i {{ KEYCLOAK_CONTAINER }} /opt/keycloak/bin/kcadm.sh"                      # Init script for keycloak
 KEYCLOAK_IMAGE:                     "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.image') }}"     # Keycloak docker image
 KEYCLOAK_VERSION:                   "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.version') }}"   # Keycloak docker version
+KEYCLOAK_KCADM_CONFIG:              "/opt/keycloak/data/kcadm.config"
+KEYCLOAK_EXEC_KCADM:                "docker exec -i {{ KEYCLOAK_CONTAINER }} /opt/keycloak/bin/kcadm.sh --config {{ KEYCLOAK_KCADM_CONFIG }}"
+
+## Automation Service Account (Option A)
+KEYCLOAK_AUTOMATION_CLIENT_ID:      "infinito-automation"
+KEYCLOAK_AUTOMATION_GRANT_ROLE:     "realm-admin"   # or granular roles if you prefer
+# Will be discovered dynamically and set as a fact during the run:
+# KEYCLOAK_AUTOMATION_CLIENT_SECRET

 ## Server
 KEYCLOAK_SERVER_HOST:               "127.0.0.1:{{ ports.localhost.http[application_id] }}"