fix(keycloak): make permanent admin creation idempotent and fix password command

- prevent task failure when 'User exists with same username' - remove invalid '--temporary false' flag from set-password command - ensure realm-admin role grant remains idempotent See: https://chatgpt.com/share/68e99271-fdb0-800f-a8ad-11c15d02a670
Refactor Keycloak permanent admin creation:
2025-11-18 11:06:29 +00:00 · 2025-10-11 01:10:57 +02:00 · 2025-10-11 00:54:04 +02:00 · 2025-10-11 00:20:27 +02:00 · 2025-10-10 23:40:58 +02:00 · 2025-10-10 22:45:26 +02:00
13 changed files with 177 additions and 212 deletions
--- a/roles/web-app-keycloak/config/main.yml
+++ b/roles/web-app-keycloak/config/main.yml
@@ -1,7 +1,6 @@
-load_dependencies:            True  # When set to false the dependencies aren't loaded. Helpful for developing
+load_dependencies:    True  # When set to false the dependencies aren't loaded. Helpful for developing
 actions:
-  import_realm:               True  # Import REALM
-  create_automation_client:   True
+  import_realm:       True  # Import REALM
 features:
  matomo:             true
  css:                true
@@ -50,4 +49,10 @@ docker:
 credentials:
  recaptcha:
    website_key:    "" # Required if you enabled recaptcha:
-    secret_key:     ""  # Required if you enabled recaptcha:
+    secret_key:     ""  # Required if you enabled recaptcha:
+
+accounts:
+  bootstrap:
+    username: "administrator"
+  system:
+    username: "{{ SOFTWARE_NAME | replace('.', '_') | lower }}"
--- a/roles/web-app-keycloak/tasks/05_login.yml
+++ b/roles/web-app-keycloak/tasks/05_login.yml
@@ -0,0 +1,78 @@
+- name: Ensure permanent Keycloak admin exists and can log in (container env only)
+  block:
+
+    - name: Try login with permanent admin (uses container ENV)
+      shell: |
+        {{ KEYCLOAK_EXEC_CONTAINER }} sh -lc '
+          {{ KEYCLOAK_KCADM }} config credentials \
+            --server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \
+            --realm master \
+            --user "$KEYCLOAK_PERMANENT_ADMIN_USERNAME" \
+            --password "$KEYCLOAK_PERMANENT_ADMIN_PASSWORD"
+        '
+      register: kc_login_perm
+      changed_when: false
+
+  rescue:
+
+    - name: Login with bootstrap admin (uses container ENV)
+      shell: |
+        {{ KEYCLOAK_EXEC_CONTAINER }} sh -lc '
+          {{ KEYCLOAK_KCADM }} config credentials \
+            --server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \
+            --realm master \
+            --user "$KC_BOOTSTRAP_ADMIN_USERNAME" \
+            --password "$KC_BOOTSTRAP_ADMIN_PASSWORD"
+        '
+      register: kc_login_bootstrap
+      changed_when: false
+
+    - name: Ensure permanent admin user exists (create if missing)
+      shell: |
+        {{ KEYCLOAK_EXEC_CONTAINER }} sh -lc '
+          # Try to create; if it already exists, Keycloak returns 409
+          {{ KEYCLOAK_KCADM }} create users -r master \
+            -s "username=$KEYCLOAK_PERMANENT_ADMIN_USERNAME" \
+            -s "enabled=true"
+        '
+      register: kc_create_perm_admin
+      failed_when: >
+        not (
+          kc_create_perm_admin.rc == 0 or
+          (kc_create_perm_admin.stderr is defined and
+          ('User exists with same username' in kc_create_perm_admin.stderr))
+        )
+      changed_when: kc_create_perm_admin.rc == 0
+
+    - name: Set permanent admin password (by username, no ID needed)
+      shell: |
+        {{ KEYCLOAK_EXEC_CONTAINER }} sh -lc '
+          {{ KEYCLOAK_KCADM }} set-password -r master \
+            --username "$KEYCLOAK_PERMANENT_ADMIN_USERNAME" \
+            --new-password "$KEYCLOAK_PERMANENT_ADMIN_PASSWORD"
+        '
+      changed_when: true
+
+    - name: Grant realm-admin role to permanent admin (by username)
+      shell: |
+        {{ KEYCLOAK_EXEC_CONTAINER }} sh -lc '
+          {{ KEYCLOAK_KCADM }} add-roles -r master \
+            --uusername "$KEYCLOAK_PERMANENT_ADMIN_USERNAME" \
+            --cclientid realm-management \
+            --rolename realm-admin
+        '
+      register: kc_grant_admin
+      changed_when: (kc_grant_admin.stderr is defined and kc_grant_admin.stderr | length > 0) or
+                    (kc_grant_admin.stdout is defined and kc_grant_admin.stdout | length > 0)
+      failed_when: false
+
+    - name: Verify login with permanent admin (after creation)
+      shell: |
+        {{ KEYCLOAK_EXEC_CONTAINER }} sh -lc '
+          {{ KEYCLOAK_KCADM }} config credentials \
+            --server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \
+            --realm master \
+            --user "$KEYCLOAK_PERMANENT_ADMIN_USERNAME" \
+            --password "$KEYCLOAK_PERMANENT_ADMIN_PASSWORD"
+        '
+      changed_when: false
--- a/roles/web-app-keycloak/tasks/05a_service_account.yml
+++ b/roles/web-app-keycloak/tasks/05a_service_account.yml
@@ -1,63 +0,0 @@
-# Creates a confidential client with service account, fetches the secret,
-# and grants realm-management/realm-admin to its service-account user.
-
- name: "Ensure automation client exists (confidential + service accounts)"
-  shell: |
-    {{ KEYCLOAK_EXEC_KCADM }} create clients -r {{ KEYCLOAK_REALM }} \
-      -s clientId={{ KEYCLOAK_AUTOMATION_CLIENT_ID }} \
-      -s protocol=openid-connect \
-      -s publicClient=false \
-      -s serviceAccountsEnabled=true \
-      -s directAccessGrantsEnabled=false
-  register: create_client
-  changed_when: create_client.rc == 0
-  failed_when: create_client.rc != 0 and ('already exists' not in (create_client.stderr | lower))
-
- name: "Resolve automation client id"
-  shell: >
-    {{ KEYCLOAK_EXEC_KCADM }} get clients -r {{ KEYCLOAK_REALM }}
-    --query 'clientId={{ KEYCLOAK_AUTOMATION_CLIENT_ID }}' --fields id --format json | jq -r '.[0].id'
-  register: auto_client_id_cmd
-  changed_when: false
-
- name: "Fail if client id could not be resolved"
-  assert:
-    that:
-      - "(auto_client_id_cmd.stdout | trim) is match('^[0-9a-f-]+$')"
-    fail_msg: "Automation client id could not be resolved."
-
- name: "Read client secret"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
-  shell: >
-    {{ KEYCLOAK_EXEC_KCADM }} get clients/{{ auto_client_id_cmd.stdout | trim }}/client-secret
-    -r {{ KEYCLOAK_REALM }} --format json | jq -r .value
-  register: auto_client_secret_cmd
-  changed_when: false
-
- name: "Expose client secret as a fact"
-  set_fact:
-    KEYCLOAK_AUTOMATION_CLIENT_SECRET: "{{ auto_client_secret_cmd.stdout | trim }}"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
-
- name: "Grant {{ KEYCLOAK_AUTOMATION_GRANT_ROLE }} to service account"
-  shell: >
-    {{ KEYCLOAK_EXEC_KCADM }} add-roles -r {{ KEYCLOAK_REALM }}
-    --uusername service-account-{{ KEYCLOAK_AUTOMATION_CLIENT_ID }}
-    --cclientid realm-management
-    --rolename {{ KEYCLOAK_AUTOMATION_GRANT_ROLE }}
-  register: grant_role
-  changed_when: grant_role.rc == 0
-  failed_when: grant_role.rc != 0 and ('already exists' not in (grant_role.stderr | lower))
-
- name: "Verify client-credentials login works"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
-  shell: >
-    {{ KEYCLOAK_EXEC_KCADM }} config credentials
-    --server {{ KEYCLOAK_SERVER_INTERNAL_URL }}
-    --realm {{ KEYCLOAK_REALM }}
-    --client {{ KEYCLOAK_AUTOMATION_CLIENT_ID }}
-    --client-secret {{ KEYCLOAK_AUTOMATION_CLIENT_SECRET }} &&
-    {{ KEYCLOAK_EXEC_KCADM }} get realms/{{ KEYCLOAK_REALM }} --format json | jq -r '.realm'
-  register: verify_cc
-  changed_when: false
-  failed_when: (verify_cc.rc != 0) or ((verify_cc.stdout | trim) != (KEYCLOAK_REALM | trim))
--- a/roles/web-app-keycloak/tasks/main.yml
+++ b/roles/web-app-keycloak/tasks/main.yml
@@ -13,118 +13,18 @@
  include_tasks: 04_dependencies.yml
  when: KEYCLOAK_LOAD_DEPENDENCIES | bool

- name: "Wait until '{{ KEYCLOAK_CONTAINER }}' container is healthy"
-  community.docker.docker_container_info:
-    name: "{{ KEYCLOAK_CONTAINER }}"
-  register: kc_info
-  retries: 60
-  delay: 5
-  until: >
-    kc_info is succeeded and
-    (kc_info.container | default({})) != {} and
-    (kc_info.container.State | default({})) != {} and
-    (kc_info.container.State.Health | default({})) != {} and
-    (kc_info.container.State.Health.Status | default('')) == 'healthy'
+- name: "Load Login routines for '{{ application_id }}'"
+  include_tasks: 05_login.yml

- name: kcadm login (master)
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
-  shell: >
-    {{ KEYCLOAK_EXEC_KCADM }} config credentials
-    --server {{ KEYCLOAK_SERVER_INTERNAL_URL }}
-    --realm master
-    --user {{ KEYCLOAK_MASTER_API_USER_NAME }}
-    --password {{ KEYCLOAK_MASTER_API_USER_PASSWORD }}
-  changed_when: false
+- name: "Load Client Update routines for '{{ application_id }}'"
+  include_tasks: update/01_client.yml

- name: Verify kcadm session works (quick read)
-  shell: >
-    {{ KEYCLOAK_EXEC_KCADM }} get realms --format json | jq -r '.[0].realm' | head -n1
-  register: kcadm_verify
-  changed_when: false
-  failed_when: >
-    (kcadm_verify.rc != 0)
-    or ('HTTP 401' in (kcadm_verify.stderr | default('')))
-    or ((kcadm_verify.stdout | trim) == '')
- 
-# --- Create & grant automation service account (Option A) ---
- name: "Ensure automation service account client (Option A)"
-  include_tasks: 05a_service_account.yml
-  when: applications | get_app_conf(application_id, 'actions.create_automation_client', True)
+- name: "Load Mail Update routines for '{{ application_id }}'"
+  include_tasks: update/02_mail.yml

-# --- Switch session to the service account for all subsequent API work ---
- name: kcadm login (realm) using service account
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
-  shell: >
-    {{ KEYCLOAK_EXEC_KCADM }} config credentials
-    --server {{ KEYCLOAK_SERVER_INTERNAL_URL }}
-    --realm {{ KEYCLOAK_REALM }}
-    --client {{ KEYCLOAK_AUTOMATION_CLIENT_ID }}
-    --client-secret {{ KEYCLOAK_AUTOMATION_CLIENT_SECRET }}
-  changed_when: false
+- name: "Load RBAC Update routines for '{{ application_id }}'"
+  include_tasks: update/03_rbac_client_scope.yml

- name: Verify kcadm session works (exact realm via service account)
-  shell: >
-    {{ KEYCLOAK_EXEC_KCADM }} get realms/{{ KEYCLOAK_REALM }} --format json | jq -r '.realm'
-  register: kcadm_verify_sa
-  changed_when: false
-  failed_when: >
-    (kcadm_verify_sa.rc != 0)
-    or ('HTTP 401' in (kcadm_verify_sa.stderr | default('')))
-    or ((kcadm_verify_sa.stdout | trim) != (KEYCLOAK_REALM | trim))
-
- name: "Update Client settings"
-  vars:
-    kc_object_kind:  "client"
-    kc_lookup_value: "{{ KEYCLOAK_CLIENT_ID }}"
-    kc_desired: >-
-      {{
-        KEYCLOAK_DICTIONARY_REALM.clients
-          | selectattr('clientId','equalto', KEYCLOAK_CLIENT_ID)
-          | list | first
-      }}
-    kc_force_attrs:
-      publicClient: >-
-        {{
-          (KEYCLOAK_DICTIONARY_REALM.clients
-            | selectattr('clientId','equalto', KEYCLOAK_CLIENT_ID)
-            | map(attribute='publicClient')
-            | first)
-        }}
-      serviceAccountsEnabled: >-
-        {{
-          (KEYCLOAK_DICTIONARY_REALM.clients
-            | selectattr('clientId','equalto', KEYCLOAK_CLIENT_ID)
-            | map(attribute='serviceAccountsEnabled')
-            | first )
-        }}
-      frontchannelLogout:  >-
-        {{
-          (KEYCLOAK_DICTIONARY_REALM.clients
-            | selectattr('clientId','equalto', KEYCLOAK_CLIENT_ID)
-            | map(attribute='frontchannelLogout')
-            | first)
-        }}
-      attributes: >-
-        {{
-          ( (KEYCLOAK_DICTIONARY_REALM.clients
-              | selectattr('clientId','equalto', KEYCLOAK_CLIENT_ID)
-              | list | first | default({}) ).attributes | default({}) )
-          | combine({'frontchannel.logout.url': KEYCLOAK_FRONTCHANNEL_LOGOUT_URL}, recursive=True)
-        }}
-  include_tasks: _update.yml
-
- name: "Update REALM mail settings from realm dictionary (SPOT)"
-  include_tasks: _update.yml
-  vars:
-    kc_object_kind:  "realm"
-    kc_lookup_field: "id"
-    kc_lookup_value: "{{ KEYCLOAK_REALM }}"
-    kc_desired:
-      smtpServer: "{{ KEYCLOAK_DICTIONARY_REALM.smtpServer | default({}, true) }}"
-    kc_merge_path:  "smtpServer"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
-
- include_tasks: 05_rbac_client_scope.yml
-
- include_tasks: 06_ldap.yml
+- name: "Load LDAP Update routines for '{{ application_id }}'"
+  include_tasks: update/04_ldap.yml
  when: KEYCLOAK_LDAP_ENABLED | bool
--- a/roles/web-app-keycloak/tasks/update/01_client.yml
+++ b/roles/web-app-keycloak/tasks/update/01_client.yml
@@ -0,0 +1,40 @@
+- name: "Update Client settings"
+  vars:
+    kc_object_kind:  "client"
+    kc_lookup_value: "{{ KEYCLOAK_CLIENT_ID }}"
+    kc_desired: >-
+      {{
+        KEYCLOAK_DICTIONARY_REALM.clients
+          | selectattr('clientId','equalto', KEYCLOAK_CLIENT_ID)
+          | list | first
+      }}
+    kc_force_attrs:
+      publicClient: >-
+        {{
+          (KEYCLOAK_DICTIONARY_REALM.clients
+            | selectattr('clientId','equalto', KEYCLOAK_CLIENT_ID)
+            | map(attribute='publicClient')
+            | first)
+        }}
+      serviceAccountsEnabled: >-
+        {{
+          (KEYCLOAK_DICTIONARY_REALM.clients
+            | selectattr('clientId','equalto', KEYCLOAK_CLIENT_ID)
+            | map(attribute='serviceAccountsEnabled')
+            | first )
+        }}
+      frontchannelLogout:  >-
+        {{
+          (KEYCLOAK_DICTIONARY_REALM.clients
+            | selectattr('clientId','equalto', KEYCLOAK_CLIENT_ID)
+            | map(attribute='frontchannelLogout')
+            | first)
+        }}
+      attributes: >-
+        {{
+          ( (KEYCLOAK_DICTIONARY_REALM.clients
+              | selectattr('clientId','equalto', KEYCLOAK_CLIENT_ID)
+              | list | first | default({}) ).attributes | default({}) )
+          | combine({'frontchannel.logout.url': KEYCLOAK_FRONTCHANNEL_LOGOUT_URL}, recursive=True)
+        }}
+  include_tasks: _update.yml
--- a/roles/web-app-keycloak/tasks/update/02_mail.yml
+++ b/roles/web-app-keycloak/tasks/update/02_mail.yml
@@ -0,0 +1,10 @@
+- name: "Update REALM mail settings from realm dictionary (SPOT)"
+  include_tasks: _update.yml
+  vars:
+    kc_object_kind:  "realm"
+    kc_lookup_field: "id"
+    kc_lookup_value: "{{ KEYCLOAK_REALM }}"
+    kc_desired:
+      smtpServer: "{{ KEYCLOAK_DICTIONARY_REALM.smtpServer | default({}, true) }}"
+    kc_merge_path:  "smtpServer"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
--- a/roles/web-app-keycloak/tasks/update/03_rbac_client_scope.yml
+++ b/roles/web-app-keycloak/tasks/update/03_rbac_client_scope.yml
@@ -1,4 +1,3 @@
-# --- Ensure RBAC client scope exists (idempotent) ---
 - name: Ensure RBAC client scope exists
  shell: |
    cat <<'JSON' | {{ KEYCLOAK_EXEC_KCADM }} create client-scopes -r {{ KEYCLOAK_REALM }} -f -
@@ -16,12 +15,10 @@
               ('already exists' not in (create_rbac_scope.stderr | lower))
  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"

-# --- Get the scope id we will attach to the client ---
 - name: Get all client scopes
  shell: "{{ KEYCLOAK_EXEC_KCADM }} get client-scopes -r {{ KEYCLOAK_REALM }} --format json"
  register: all_scopes
  changed_when: false
-  failed_when: "'HTTP 401' in (all_scopes.stderr | default(''))"

 - name: Extract RBAC scope id
  set_fact:
--- a/roles/web-app-keycloak/tasks/update/04_ldap.yml
+++ b/roles/web-app-keycloak/tasks/update/04_ldap.yml
--- a/roles/web-app-keycloak/tasks/update/_update.yml
+++ b/roles/web-app-keycloak/tasks/update/_update.yml
--- a/roles/web-app-keycloak/templates/env.j2
+++ b/roles/web-app-keycloak/templates/env.j2
@@ -10,19 +10,21 @@ KC_HTTP_ENABLED=                true
 KC_HEALTH_ENABLED=              {{ KEYCLOAK_HEALTH_ENABLED | lower }}
 KC_METRICS_ENABLED=             true

-# Administrator
-KEYCLOAK_ADMIN=                 "{{ KEYCLOAK_ADMIN }}"
-KEYCLOAK_ADMIN_PASSWORD=        "{{ KEYCLOAK_ADMIN_PASSWORD }}"
-
 # Database
 KC_DB=                          {{ database_type }}
 KC_DB_URL=                      {{ database_url_jdbc }}
 KC_DB_USERNAME=                 {{ database_username }}
 KC_DB_PASSWORD=                 {{ database_password }}

-# If the initial administrator already exists and the environment variables are still present at startup, an error message stating the failed creation of the initial administrator is shown in the logs. Keycloak ignores the values and starts up correctly.
-KC_BOOTSTRAP_ADMIN_USERNAME=    "{{ KEYCLOAK_ADMIN }}"
-KC_BOOTSTRAP_ADMIN_PASSWORD=    "{{ KEYCLOAK_ADMIN_PASSWORD }}"
+# Credentials
+
+## Bootstrap
+KC_BOOTSTRAP_ADMIN_USERNAME="{{ KEYCLOAK_BOOTSTRAP_ADMIN_USERNAME }}"
+KC_BOOTSTRAP_ADMIN_PASSWORD="{{ KEYCLOAK_BOOTSTRAP_ADMIN_PASSWORD }}"
+
+## Permanent
+KEYCLOAK_PERMANENT_ADMIN_USERNAME="{{ KEYCLOAK_PERMANENT_ADMIN_USERNAME }}"
+KEYCLOAK_PERMANENT_ADMIN_PASSWORD="{{ KEYCLOAK_PERMANENT_ADMIN_PASSWORD }}"

 # Enable detailed logs
 {% if MODE_DEBUG | bool %}
--- a/roles/web-app-keycloak/users/main.yml
+++ b/roles/web-app-keycloak/users/main.yml
@@ -1,3 +0,0 @@
-users:
-  administrator:
-    username:         "administrator"
--- a/roles/web-app-keycloak/vars/main.yml
+++ b/roles/web-app-keycloak/vars/main.yml
@@ -1,6 +1,6 @@
 # General
-application_id:                     "web-app-keycloak"                                                                          # Internal Infinito.Nexus application id 
-database_type:                      "postgres"                                                                                  # Database which will be used
+application_id:                   "web-app-keycloak"                                                                          # Internal Infinito.Nexus application id 
+database_type:                    "postgres"                                                                                  # Database which will be used

 # Keycloak

@@ -29,21 +29,22 @@ KEYCLOAK_REALM_IMPORT_FILE_SRC:     "import/realm.json.j2"
 KEYCLOAK_REALM_IMPORT_FILE_DST:     "{{ [KEYCLOAK_REALM_IMPORT_DIR_HOST,'realm.json'] | path_join }}"

 ## Credentials
-KEYCLOAK_ADMIN:                     "{{ applications | get_app_conf(application_id, 'users.administrator.username') }}"
-KEYCLOAK_ADMIN_PASSWORD:            "{{ applications | get_app_conf(application_id, 'credentials.administrator_password') }}"
+
+### Bootstrap
+KEYCLOAK_BOOTSTRAP_ADMIN_USERNAME:  "{{ applications | get_app_conf(application_id, 'accounts.bootstrap.username') }}"
+KEYCLOAK_BOOTSTRAP_ADMIN_PASSWORD:  "{{ applications | get_app_conf(application_id, 'credentials.administrator_password') }}"
+
+### Permanent
+KEYCLOAK_PERMANENT_ADMIN_USERNAME:  "{{ applications | get_app_conf(application_id, 'accounts.system.username') }}"
+KEYCLOAK_PERMANENT_ADMIN_PASSWORD:  "{{ applications | get_app_conf(application_id, 'credentials.administrator_password') }}"

 ## Docker
-KEYCLOAK_CONTAINER:                 "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.name') }}"      # Name of the keycloak docker container
-KEYCLOAK_IMAGE:                     "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.image') }}"     # Keycloak docker image
-KEYCLOAK_VERSION:                   "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.version') }}"   # Keycloak docker version
-KEYCLOAK_KCADM_CONFIG:              "/opt/keycloak/data/kcadm.config"
-KEYCLOAK_EXEC_KCADM:                "docker exec -i {{ KEYCLOAK_CONTAINER }} /opt/keycloak/bin/kcadm.sh --config {{ KEYCLOAK_KCADM_CONFIG }}"
-
-## Automation Service Account (Option A)
-KEYCLOAK_AUTOMATION_CLIENT_ID:      "infinito-automation"
-KEYCLOAK_AUTOMATION_GRANT_ROLE:     "realm-admin"   # or granular roles if you prefer
-# Will be discovered dynamically and set as a fact during the run:
-# KEYCLOAK_AUTOMATION_CLIENT_SECRET
+KEYCLOAK_CONTAINER:                 "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.name') }}"
+KEYCLOAK_EXEC_CONTAINER:            "docker exec -i {{ KEYCLOAK_CONTAINER }}"
+KEYCLOAK_KCADM:                     "/opt/keycloak/bin/kcadm.sh"
+KEYCLOAK_EXEC_KCADM:                "{{ KEYCLOAK_EXEC_CONTAINER }} {{ KEYCLOAK_KCADM }}"
+KEYCLOAK_IMAGE:                     "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.image') }}"
+KEYCLOAK_VERSION:                   "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.version') }}"

 ## Server
 KEYCLOAK_SERVER_HOST:               "127.0.0.1:{{ ports.localhost.http[application_id] }}"
@@ -76,11 +77,6 @@ KEYCLOAK_LDAP_USER_OBJECT_CLASSES: >
      ) | join(', ') 
  }}

-## API
-KEYCLOAK_MASTER_API_USER:           "{{ applications | get_app_conf(application_id, 'users.administrator') }}" # Master Administrator
-KEYCLOAK_MASTER_API_USER_NAME:      "{{ KEYCLOAK_MASTER_API_USER.username }}"                                  # Master Administrator Username
-KEYCLOAK_MASTER_API_USER_PASSWORD:  "{{ KEYCLOAK_MASTER_API_USER.password }}"                                  # Master Administrator Password
-
 # Dictionaries
 KEYCLOAK_DICTIONARY_REALM_RAW: "{{ lookup('template', 'import/realm.json.j2') }}"
 KEYCLOAK_DICTIONARY_REALM: >-
--- a/tests/integration/test_filters_are_defined.py
+++ b/tests/integration/test_filters_are_defined.py
@@ -28,14 +28,17 @@ BUILTIN_FILTERS: Set[str] = {
    "int", "join", "last", "length", "list", "lower", "map", "min", "max", "random",
    "reject", "rejectattr", "replace", "reverse", "round", "safe", "select",
    "selectattr", "slice", "sort", "string", "striptags", "sum", "title", "trim",
-    "truncate", "unique", "upper", "urlencode", "urlize", "wordcount", "xmlattr",
+    "truncate", "unique", "upper", "urlencode", "urlize", "wordcount", "xmlattr","contains",

    # Common Ansible filters (subset, extend as needed)
    "b64decode", "b64encode", "basename", "dirname", "from_json", "to_json",
    "from_yaml", "to_yaml", "combine", "difference", "intersect",
    "flatten", "zip", "regex_search", "regex_replace", "bool",
    "type_debug", "json_query", "mandatory", "hash", "checksum",
-    "lower", "upper", "capitalize", "unique", "dict2items", "items2dict", "password_hash", "path_join", "product", "quote", "split", "ternary", "to_nice_yaml", "tojson",
+    "lower", "upper", "capitalize", "unique", "dict2items", "items2dict", 
+    "password_hash", "path_join", "product", "quote", "split", "ternary", "to_nice_yaml", 
+    "tojson", "to_nice_json",
+

    # Date/time-ish
    "strftime",
Author	SHA1	Message	Date
Kevin Veen-Birkenbach	ab48cf522f	fix(keycloak): make permanent admin creation idempotent and fix password command - prevent task failure when 'User exists with same username' - remove invalid '--temporary false' flag from set-password command - ensure realm-admin role grant remains idempotent See: https://chatgpt.com/share/68e99271-fdb0-800f-a8ad-11c15d02a670	2025-10-11 01:10:57 +02:00
Kevin Veen-Birkenbach	41c12bdc12	Refactor Keycloak permanent admin creation: - Remove jq dependency to avoid container command errors - Use username-based operations instead of user ID lookups - Improve idempotency and portability across environments See: https://chatgpt.com/share/68e98e77-9b3c-800f-8393-71b0be22cb46	2025-10-11 00:54:04 +02:00
Kevin Veen-Birkenbach	aae463b602	Optimized keycloak setup procedures	2025-10-11 00:20:27 +02:00
Kevin Veen-Birkenbach	bb50551533	Restrucutred keycloak accounts	2025-10-10 23:40:58 +02:00
Kevin Veen-Birkenbach	098099b41e	Refactored web-app-keycloak	2025-10-10 22:45:26 +02:00
Kevin Veen-Birkenbach	0a7d767252	Added contains to filter	2025-10-10 22:16:23 +02:00
Kevin Veen-Birkenbach	d88599f76c	Added 'to_nice_json' exception	2025-10-10 22:16:22 +02:00