fix(keycloak): make permanent admin creation idempotent and fix password command

- prevent task failure when 'User exists with same username' - remove invalid '--temporary false' flag from set-password command - ensure realm-admin role grant remains idempotent See: https://chatgpt.com/share/68e99271-fdb0-800f-a8ad-11c15d02a670
2025-11-04 12:18:17 +00:00 · 2025-10-11 01:10:57 +02:00
parent 41c12bdc12
commit ab48cf522f
1 changed files with 9 additions and 5 deletions
--- a/roles/web-app-keycloak/tasks/05_login.yml
+++ b/roles/web-app-keycloak/tasks/05_login.yml
@@ -14,7 +14,7 @@
      changed_when: false

  rescue:
-  
+
    - name: Login with bootstrap admin (uses container ENV)
      shell: |
        {{ KEYCLOAK_EXEC_CONTAINER }} sh -lc '
@@ -36,16 +36,20 @@
            -s "enabled=true"
        '
      register: kc_create_perm_admin
+      failed_when: >
+        not (
+          kc_create_perm_admin.rc == 0 or
+          (kc_create_perm_admin.stderr is defined and
+          ('User exists with same username' in kc_create_perm_admin.stderr))
+        )
      changed_when: kc_create_perm_admin.rc == 0
-      failed_when: kc_create_perm_admin.rc not in [0, 409]

    - name: Set permanent admin password (by username, no ID needed)
      shell: |
        {{ KEYCLOAK_EXEC_CONTAINER }} sh -lc '
          {{ KEYCLOAK_KCADM }} set-password -r master \
            --username "$KEYCLOAK_PERMANENT_ADMIN_USERNAME" \
-            --new-password "$KEYCLOAK_PERMANENT_ADMIN_PASSWORD" \
-            --temporary false
+            --new-password "$KEYCLOAK_PERMANENT_ADMIN_PASSWORD"
        '
      changed_when: true

@@ -60,7 +64,7 @@
      register: kc_grant_admin
      changed_when: (kc_grant_admin.stderr is defined and kc_grant_admin.stderr | length > 0) or
                    (kc_grant_admin.stdout is defined and kc_grant_admin.stdout | length > 0)
-      failed_when: false  # idempotent: falls Rolle schon existiert
+      failed_when: false

    - name: Verify login with permanent admin (after creation)
      shell: |