diff --git a/README.md b/README.md index 91e0a73ea1b2b98328fe7ea023fe844019eb5002..a37d6ef97dc147ad4e8b6d9c0a8e20d443668e89 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ Installation Edit soctools-inventory and add the desired docker containers to be deployed. The playbook has been tested on CentOS 7. Edit settings in group_vars/all/main.yml. -The first entry in the nifiadmin variable is the user with full admin privileges in NiFi. +The first entry in the soctools_users variable is the user with full admin privileges in NiFi and Kibana. To build the Docker images needed, run the ansible playbook: `ansible-playbook -i soctools-inventory buildimages.yml` @@ -21,7 +21,9 @@ To start and stop the cluster, run the ansible playbook soctools.yml: `ansible-playbook -i soctools-inventory soctools.yml -t start` to start the cluster. `ansible-playbook -i soctools-inventory soctools.yml -t stop` to stop the cluster. -The NiFi interface should now be available on port 443 on the server. +The NiFi interface should now be available on port 9443 on the server. +The OpenDistro for Elasticsearch interface should now be available on port 5601 on the server. +The Keycloak IdP interface should now be available on port 12443 on the server. License ------- diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index f44018388f7bbdc2f2d81890a5b2bf6b427bceae..97a257f5b2b903074e427343821fb9972963c8b7 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -4,7 +4,7 @@ soctools_netname: "dslnifinet" repo: gn43-dsl version: 7 -suffix: a20200516 +suffix: a20200520 temp_root: "/tmp/centosbuild" 
@@ -32,14 +32,39 @@ javamem: "384m" ca_cn: "dsldev test ca" -nifiadmin: - - [ "Bozidar Proevski", "Pass001" ] - - [ "Arne Oslebo", "Pass002" ] - - [ "NifiELKuser", "Pass003" ] +#nifiadmin: +# - [ "Bozidar Proevski", "Pass001" ] +# - [ "Arne Oslebo", "Pass002" ] +# - [ "NifiELKuser", "Pass003" ] + +soctools_users: + - firstname: "Arne" + lastname: "Oslebo" + username: "arne.oslebo" + email: "arne.oslebo@uninett.no" + DN: "CN=Arne Oslebo" + CN: "Arne Oslebo" + password: "Pass002" + - firstname: "Bozidar" + lastname: "Proevski" + username: "bozidar.proevski" + email: "bozidar.proevski@finki.ukim.mk" + DN: "CN=Bozidar Proevski" + CN: "Bozidar Proevski" + password: "Pass001" + odfees_img: "{{repo}}/odfees:{{version}}{{suffix}}" odfekibana_img: "{{repo}}/odfekibana:{{version}}{{suffix}}" - odfees_adminpass: "Pass004" +#elk_version: "oss-7.6.1" +#odfeplugin_version: "1.7.0.0" +elk_version: "oss-7.4.2" +odfeplugin_version: "1.4.0.0" + openid_realm: "GN43WP8T31SOC1" +openid_scope: profile openid_subjkey: preferred_username + +keycloak_img: "{{repo}}/keycloak:{{version}}{{suffix}}" +keycloak_adminpass: "Pass005" diff --git a/roles/build/tasks/keycloak.yml b/roles/build/tasks/keycloak.yml new file mode 100644 index 0000000000000000000000000000000000000000..f7a7c2b1989bf013e7a23a1646e7d7e62500098e --- /dev/null +++ b/roles/build/tasks/keycloak.yml @@ -0,0 +1,18 @@ +--- + +- name: Configure the keycloak Dockerfile + template: + src: keycloak/Dockerfile.j2 + dest: "{{role_path}}/files/keycloakDockerfile" + +- name: Copy tools to build path + command: "cp -av {{role_path}}/templates/keycloak/keycloak-tools/ {{role_path}}/files/keycloak-tools/" + +- name: Build keycloak image + command: docker build -t {{repo}}/keycloak:{{version}}{{suffix}} -f {{role_path}}/files/keycloakDockerfile {{role_path}}/files + +- name: Remove tools from build path + file: + path: "{{role_path}}/files/keycloak-tools/" + state: absent + 
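Review bot: `soctools_users[*].password` and `keycloak_adminpass: "Pass005"` put plaintext credentials (plus two personal e-mail addresses) into group_vars that is committed to the repository, and the replaced `nifiadmin` block survives as four commented-out lines still carrying `Pass001`–`Pass003`. Keep the user records here but move every `password` value and the admin passwords into an ansible-vault encrypted vars file or a `lookup('env', ...)`, and delete the commented block rather than keeping it. Since the README states that the first `soctools_users` entry receives full admin rights, note that the list now starts with Arne Oslebo whereas `nifiadmin` started with Bozidar Proevski — presumably intended, but worth confirming. The kept `#elk_version: "oss-7.6.1"` / `#odfeplugin_version: "1.7.0.0"` pair needs a one-line comment on why the older 7.4.2 / 1.4.0.0 versions are pinned instead.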
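Review bot: The "Copy tools to build path" task uses `command: "cp -av ..."`, which is not idempotent, always reports `changed` and is skipped in check mode; the `copy` module with `remote_src: true` expresses the same step declaratively and leaves the final `file: state: absent` cleanup as the only imperative part of the file. "Build keycloak image" passes `{{repo}}`, `{{version}}`, `{{suffix}}` and `{{role_path}}` unquoted into a bare `command:` value, unlike the quoted form the neighbouring tasks use, so a value containing whitespace would change the argument split; quote it, `command: "docker build -t {{ repo }}/keycloak:{{ version }}{{ suffix }} -f {{ role_path }}/files/keycloakDockerfile {{ role_path }}/files"`. The build context is the whole `{{role_path}}/files` directory, which presumably also holds the other images' inputs; a dedicated subdirectory per image keeps the contexts disjoint and the resulting layers smaller.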
diff --git a/roles/build/tasks/main.yml b/roles/build/tasks/main.yml
index 643f91f1a674d0d782fd3d75e381d1acc25ba003..b585b59530f730a3d147d59b9ac75351ed7e6985 100644
--- a/roles/build/tasks/main.yml
+++ b/roles/build/tasks/main.yml
@@ -8,3 +8,4 @@
 - include: nifi.yml
 - include: odfees.yml
 - include: odfekibana.yml
+- include: keycloak.yml
diff --git a/roles/build/templates/keycloak/Dockerfile.j2 b/roles/build/templates/keycloak/Dockerfile.j2
new file mode 100644
index 0000000000000000000000000000000000000000..d8c3b6b46b96dac244154889943bb2aad256605c
--- /dev/null
+++ b/roles/build/templates/keycloak/Dockerfile.j2
@@ -0,0 +1,41 @@
+FROM {{repo}}/openjdk:{{version}}{{suffix}}
+
+ENV KEYCLOAK_VERSION 10.0.1
+ENV JDBC_POSTGRES_VERSION 42.2.5
+ENV JBOSS_HOME /opt/jboss/keycloak
+
+ARG KEYCLOAK_DIST=https://downloads.jboss.org/keycloak/$KEYCLOAK_VERSION/keycloak-$KEYCLOAK_VERSION.tar.gz
+
+USER root
+
+#ADD /{{role_path}}/templates/keycloak/keycloak-tools /opt/jboss/tools
+ADD keycloak-tools /opt/jboss/tools
+#ADD ../templates/keycloak/keycloak-tools /opt/jboss/tools
+RUN yum -y install openssl && yum -y clean all && \
+ mkdir -p /opt/jboss/ && cd /opt/jboss/ && \
+ curl -L $KEYCLOAK_DIST | tar zx && \
+ mv /opt/jboss/keycloak-* /opt/jboss/keycloak && \
+ mkdir -p /opt/jboss/keycloak/modules/system/layers/base/org/postgresql/jdbc/main && \
+ cd /opt/jboss/keycloak/modules/system/layers/base/org/postgresql/jdbc/main && \
+ curl -L https://repo1.maven.org/maven2/org/postgresql/postgresql/$JDBC_POSTGRES_VERSION/postgresql-$JDBC_POSTGRES_VERSION.jar > postgres-jdbc.jar && \
+ cp /opt/jboss/tools/databases/postgres/module.xml . && \
+ cd /opt/jboss/keycloak && \
+ bin/jboss-cli.sh --file=/opt/jboss/tools/cli/standalone-configuration.cli && \
+ rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history && \
+ rm -rf /opt/jboss/keycloak/standalone/tmp/auth && \
+ rm -rf /opt/jboss/keycloak/domain/tmp/auth && \
+ adduser -u 1000 -g 0 -d /opt/jboss jboss && \
+ chown -R jboss:root /opt/jboss && \
+ chmod -R g+rwX /opt/jboss && \
+ mkdir -p /etc/x509/{https,ca} && chown -R jboss:root /etc/x509/{https,ca}
+
+ENV PATH="/opt/jboss/keycloak/bin:${PATH}"
+
+WORKDIR /opt/jboss/keycloak
+
+EXPOSE 8080
+EXPOSE 8443
+
+USER jboss
+ENTRYPOINT ["/bin/bash"]
+
diff --git a/roles/build/templates/keycloak/keycloak-tools/autorun.sh b/roles/build/templates/keycloak/keycloak-tools/autorun.sh
new file mode 100755
index 0000000000000000000000000000000000000000..1479d3b641ab9e323a38b02bc8b3116a05c159e5
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/autorun.sh
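Review bot: The `curl -L $KEYCLOAK_DIST | tar zx` line and the JDBC `curl -L ... > postgres-jdbc.jar` line in the RUN step fetch build inputs with neither `-f` nor any integrity check, so an HTTP error body or a substituted archive is silently unpacked into the image; pin a SHA-256 for each artifact and verify it before extraction, as sketched below. `ENTRYPOINT ["/bin/bash"]` with no CMD means the image does nothing unless the caller passes a command, and `autorun.sh` shipped into `/opt/jboss/tools` is never referenced in this commit — presumably the run role handles both, which a comment above ENTRYPOINT should state. The two commented-out `#ADD` lines should be deleted rather than kept as alternatives. As an Ansible template the file uses `{{repo}}` without inner spaces; `{{ repo }}` is the conventional form.
```dockerfile
# SHA-256 of the pinned artifacts, taken from the release checksums (placeholder values below)
ARG KEYCLOAK_SHA256=<sha256-of-keycloak-10.0.1-tar.gz>
ARG JDBC_POSTGRES_SHA256=<sha256-of-postgresql-42.2.5-jar>
# … unchanged: USER root, ADD keycloak-tools …
RUN yum -y install openssl && yum -y clean all && \
    mkdir -p /opt/jboss/ && cd /opt/jboss/ && \
    curl -fsSL "$KEYCLOAK_DIST" -o keycloak.tar.gz && \
    echo "$KEYCLOAK_SHA256  keycloak.tar.gz" | sha256sum -c - && \
    tar zxf keycloak.tar.gz && rm -f keycloak.tar.gz && \
    mv /opt/jboss/keycloak-* /opt/jboss/keycloak && \
    mkdir -p /opt/jboss/keycloak/modules/system/layers/base/org/postgresql/jdbc/main && \
    cd /opt/jboss/keycloak/modules/system/layers/base/org/postgresql/jdbc/main && \
    curl -fsSL "https://repo1.maven.org/maven2/org/postgresql/postgresql/$JDBC_POSTGRES_VERSION/postgresql-$JDBC_POSTGRES_VERSION.jar" -o postgres-jdbc.jar && \
    echo "$JDBC_POSTGRES_SHA256  postgres-jdbc.jar" | sha256sum -c - && \
    cp /opt/jboss/tools/databases/postgres/module.xml . && \
# … unchanged: jboss-cli configuration, history/tmp cleanup, jboss user and permissions …
```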
@@ -0,0 +1,19 @@
+#!/bin/bash -e
+cd /opt/jboss/keycloak
+
+ENTRYPOINT_DIR=/opt/jboss/startup-scripts
+
+if [[ -d "$ENTRYPOINT_DIR" ]]; then
+ # First run cli autoruns
+ for f in "$ENTRYPOINT_DIR"/*; do
+ if [[ "$f" == *.cli ]]; then
+ echo "Executing cli script: $f"
+ bin/jboss-cli.sh --file="$f"
+ elif [[ -x "$f" ]]; then
+ echo "Executing: $f"
+ "$f"
+ else
+ echo "Ignoring file in $ENTRYPOINT_DIR (not *.cli or executable): $f"
+ fi
+ done
+fi
diff --git a/roles/build/templates/keycloak/keycloak-tools/build-keycloak.sh b/roles/build/templates/keycloak/keycloak-tools/build-keycloak.sh
new file mode 100755
index 0000000000000000000000000000000000000000..cf01d7c7aef7c3ae84a7fc04e382b4aa170e5ed4
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/build-keycloak.sh
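Review bot: The glob in `for f in "$ENTRYPOINT_DIR"/*; do` expands to the literal pattern when the directory exists but is empty, so the loop then prints the "Ignoring file in ..." message for a path that does not exist; add `shopt -s nullglob` before the loop. The script executes every `*.cli` file and every executable in `/opt/jboss/startup-scripts` as the container user, so the run role should mount that directory read-only and root-owned, which a header comment here should require. Nothing in the Dockerfile of this commit references autorun.sh, so presumably the run role invokes it — stating that at the top of the file would help.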
@@ -0,0 +1,105 @@
+#!/bin/bash -e
+
+###########################
+# Build/download Keycloak #
+###########################
+
+if [ "$GIT_REPO" != "" ]; then
+ if [ "$GIT_BRANCH" == "" ]; then
+ GIT_BRANCH="master"
+ fi
+
+ # Install Git
+ microdnf install -y git
+
+ # Install Maven
+ cd /opt/jboss
+ curl -s https://apache.uib.no/maven/maven-3/3.5.4/binaries/apache-maven-3.5.4-bin.tar.gz | tar xz
+ mv apache-maven-3.5.4 /opt/jboss/maven
+ export M2_HOME=/opt/jboss/maven
+
+ # Clone repository
+ git clone --depth 1 https://github.com/$GIT_REPO.git -b $GIT_BRANCH /opt/jboss/keycloak-source
+
+ # Build
+ cd /opt/jboss/keycloak-source
+
+ MASTER_HEAD=`git log -n1 --format="%H"`
+ echo "Keycloak from [build]: $GIT_REPO/$GIT_BRANCH/commit/$MASTER_HEAD"
+
+ $M2_HOME/bin/mvn -Pdistribution -pl distribution/server-dist -am -Dmaven.test.skip clean install
+
+ cd /opt/jboss
+
+ tar xfz /opt/jboss/keycloak-source/distribution/server-dist/target/keycloak-*.tar.gz
+
+ mv /opt/jboss/keycloak-* /opt/jboss/keycloak
+
+ # Remove temporary files
+ rm -rf /opt/jboss/maven
+ rm -rf /opt/jboss/keycloak-source
+ rm -rf $HOME/.m2/repository
+else
+ echo "Keycloak from [download]: $KEYCLOAK_DIST"
+
+ cd /opt/jboss/
+ curl -L $KEYCLOAK_DIST | tar zx
+ mv /opt/jboss/keycloak-* /opt/jboss/keycloak
+fi
+
+#####################
+# Create DB modules #
+#####################
+
+mkdir -p /opt/jboss/keycloak/modules/system/layers/base/com/mysql/jdbc/main
+cd /opt/jboss/keycloak/modules/system/layers/base/com/mysql/jdbc/main
+curl -O https://repo1.maven.org/maven2/mysql/mysql-connector-java/$JDBC_MYSQL_VERSION/mysql-connector-java-$JDBC_MYSQL_VERSION.jar
+cp /opt/jboss/tools/databases/mysql/module.xml .
+sed "s/JDBC_MYSQL_VERSION/$JDBC_MYSQL_VERSION/" /opt/jboss/tools/databases/mysql/module.xml > module.xml
+
+mkdir -p /opt/jboss/keycloak/modules/system/layers/base/org/postgresql/jdbc/main
+cd /opt/jboss/keycloak/modules/system/layers/base/org/postgresql/jdbc/main
+curl -L https://repo1.maven.org/maven2/org/postgresql/postgresql/$JDBC_POSTGRES_VERSION/postgresql-$JDBC_POSTGRES_VERSION.jar > postgres-jdbc.jar
+cp /opt/jboss/tools/databases/postgres/module.xml .
+
+mkdir -p /opt/jboss/keycloak/modules/system/layers/base/org/mariadb/jdbc/main
+cd /opt/jboss/keycloak/modules/system/layers/base/org/mariadb/jdbc/main
+curl -L https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/$JDBC_MARIADB_VERSION/mariadb-java-client-$JDBC_MARIADB_VERSION.jar > mariadb-jdbc.jar
+cp /opt/jboss/tools/databases/mariadb/module.xml .
+
+mkdir -p /opt/jboss/keycloak/modules/system/layers/base/com/oracle/jdbc/main
+cd /opt/jboss/keycloak/modules/system/layers/base/com/oracle/jdbc/main
+cp /opt/jboss/tools/databases/oracle/module.xml .
+
+mkdir -p /opt/jboss/keycloak/modules/system/layers/keycloak/com/microsoft/sqlserver/jdbc/main
+cd /opt/jboss/keycloak/modules/system/layers/keycloak/com/microsoft/sqlserver/jdbc/main
+curl -L https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/$JDBC_MSSQL_VERSION/mssql-jdbc-$JDBC_MSSQL_VERSION.jar > mssql-jdbc.jar
+cp /opt/jboss/tools/databases/mssql/module.xml .
+
+######################
+# Configure Keycloak #
+######################
+
+cd /opt/jboss/keycloak
+
+bin/jboss-cli.sh --file=/opt/jboss/tools/cli/standalone-configuration.cli
+rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history
+
+bin/jboss-cli.sh --file=/opt/jboss/tools/cli/standalone-ha-configuration.cli
+rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history
+
+###########
+# Garbage #
+###########
+
+rm -rf /opt/jboss/keycloak/standalone/tmp/auth
+rm -rf /opt/jboss/keycloak/domain/tmp/auth
+
+###################
+# Set permissions #
+###################
+
+echo "jboss:x:0:root" >> /etc/group
+echo "jboss:x:1000:0:JBoss user:/opt/jboss:/sbin/nologin" >> /etc/passwd
+chown -R jboss:root /opt/jboss
+chmod -R g+rwX /opt/jboss
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/databases/mariadb/change-database.cli b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mariadb/change-database.cli
new file mode 100644
index 0000000000000000000000000000000000000000..2f099f2efb8b418a3145407da700e8c7d20954fb
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mariadb/change-database.cli
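Review bot: This script is not invoked by Dockerfile.j2 in this commit (its RUN step repeats the steps inline), and as shipped it cannot run on the yum-based base image: it calls `microdnf install -y git`, and it references `$JDBC_MYSQL_VERSION`, `$JDBC_MARIADB_VERSION` and `$JDBC_MSSQL_VERSION`, none of which the Dockerfile sets, so those Maven URLs would be built with empty versions. It looks like a copy of the upstream Keycloak container build script; if it is kept for reference, a header comment saying so and that it is unused would save the next reader from debugging it, otherwise drop it. If it is meant to be used, every `curl` here has the same missing `-f`/checksum verification as the Dockerfile, and the backtick command substitution on the `MASTER_HEAD=` line should become `$(git log -n1 --format="%H")`. The hunk starts on an earlier line of this page.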
@@ -0,0 +1,9 @@
+/subsystem=datasources/data-source=KeycloakDS: remove()
+/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:mariadb://${env.DB_ADDR:mariadb}:${env.DB_PORT:3306}/${env.DB_DATABASE:keycloak}${env.JDBC_PARAMS:}, driver-name=mariadb)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:keycloak})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:password})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1")
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
+/subsystem=datasources/jdbc-driver=mariadb:add(driver-name=mariadb, driver-module-name=org.mariadb.jdbc, driver-xa-datasource-class-name=org.mariadb.jdbc.MySQLDataSource)
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/databases/mariadb/standalone-configuration.cli b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mariadb/standalone-configuration.cli
new file mode 100644
index 0000000000000000000000000000000000000000..60c04534546af22512db18c8027540c12a8fd4ce
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mariadb/standalone-configuration.cli
@@ -0,0 +1,3 @@
+embed-server --server-config=standalone.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/mariadb/change-database.cli
+stop-embedded-server
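Review bot: `write-attribute(name=password, value=${env.DB_PASSWORD:password})` together with `${env.DB_USER:keycloak}` gives the datasource a working fallback credential of `keycloak`/`password` whenever the environment variables are not passed, so a deployment that forgets the secret starts silently against default credentials instead of failing; the same defaults appear in the mssql, mysql and postgres `change-database.cli` files, and the mssql one additionally repeats `user=…;password=…` inside `connection-url`. Dropping the default, `value=${env.DB_PASSWORD}`, should make a missing secret an unresolved-expression error at boot, which is the safer failure mode. These files appear to be copied from the upstream Keycloak container tooling; a one-line comment on their provenance in each would help keep them in sync with upstream.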
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/databases/mariadb/standalone-ha-configuration.cli b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mariadb/standalone-ha-configuration.cli
new file mode 100644
index 0000000000000000000000000000000000000000..de59136129f6c2a653375f1681195779af456094
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mariadb/standalone-ha-configuration.cli
@@ -0,0 +1,3 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/mariadb/change-database.cli
+stop-embedded-server
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/databases/mssql/change-database.cli b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mssql/change-database.cli
new file mode 100644
index 0000000000000000000000000000000000000000..08dd3fbf55296b54c94e031a429120b47a9d50a4
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mssql/change-database.cli
@@ -0,0 +1,9 @@
+/subsystem=datasources/data-source=KeycloakDS: remove()
+/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url="jdbc:sqlserver://${env.DB_ADDR:mssql}:${env.DB_PORT:1433};databaseName=${env.DB_DATABASE:keycloak};sendStringParametersAsUnicode=false;integratedSecurity=false;user=${env.DB_USER:keycloak};password=${env.DB_PASSWORD:password};${env.JDBC_PARAMS:}", driver-name=sqlserver)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:keycloak})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:password})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1")
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
+/subsystem=datasources/jdbc-driver=sqlserver:add(driver-name=sqlserver,driver-module-name=com.microsoft.sqlserver.jdbc,driver-xa-datasource-class-name=com.microsoft.sqlserver.jdbc.SQLServerXADataSource)
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/databases/mssql/standalone-configuration.cli b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mssql/standalone-configuration.cli
new file mode 100644
index 0000000000000000000000000000000000000000..8a616cab64282c5f84e960f11ef8657a03193d1d
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mssql/standalone-configuration.cli
@@ -0,0 +1,3 @@
+embed-server --server-config=standalone.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/mssql/change-database.cli
+stop-embedded-server
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/databases/mssql/standalone-ha-configuration.cli b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mssql/standalone-ha-configuration.cli
new file mode 100644
index 0000000000000000000000000000000000000000..5057630f69f46f7b982c9077a782f649e91c4575
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mssql/standalone-ha-configuration.cli
@@ -0,0 +1,3 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/mssql/change-database.cli
+stop-embedded-server
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/databases/mysql/change-database.cli b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mysql/change-database.cli
new file mode 100644
index 0000000000000000000000000000000000000000..e7096973718f86cb4d3abaeef840522465214416
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mysql/change-database.cli
@@ -0,0 +1,9 @@
+/subsystem=datasources/data-source=KeycloakDS: remove()
+/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:mysql://${env.DB_ADDR:mysql}:${env.DB_PORT:3306}/${env.DB_DATABASE:keycloak}${env.JDBC_PARAMS:}, driver-name=mysql)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:keycloak})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:password})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1")
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
+/subsystem=datasources/jdbc-driver=mysql:add(driver-name=mysql, driver-module-name=com.mysql.jdbc, driver-xa-datasource-class-name=com.mysql.cj.jdbc.MysqlXADataSource)
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/databases/mysql/standalone-configuration.cli b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mysql/standalone-configuration.cli
new file mode 100644
index 0000000000000000000000000000000000000000..00370f68fa8cece5039eb23990868a73e1bbb5ef
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mysql/standalone-configuration.cli
@@ -0,0 +1,3 @@
+embed-server --server-config=standalone.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/mysql/change-database.cli
+stop-embedded-server
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/databases/mysql/standalone-ha-configuration.cli b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mysql/standalone-ha-configuration.cli
new file mode 100644
index 0000000000000000000000000000000000000000..5787e8a53d520a006370a7ae6b3fd08cf5c546d2
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/databases/mysql/standalone-ha-configuration.cli
@@ -0,0 +1,3 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/mysql/change-database.cli
+stop-embedded-server
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/databases/oracle/change-database.cli b/roles/build/templates/keycloak/keycloak-tools/cli/databases/oracle/change-database.cli
new file mode 100644
index 0000000000000000000000000000000000000000..3ea85bf0824ccd920a935258763e9cfae8d9409d
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/databases/oracle/change-database.cli
@@ -0,0 +1,9 @@
+/subsystem=datasources/data-source=KeycloakDS: remove()
+/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:oracle:thin:@${env.DB_ADDR:oracle}:${env.DB_PORT:1521}:${env.DB_DATABASE:XE}${env.JDBC_PARAMS:}, driver-name=oracle)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:SYSTEM})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:oracle})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1 FROM dual")
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
+/subsystem=datasources/jdbc-driver=oracle:add(driver-name=oracle, driver-module-name=com.oracle.jdbc, driver-xa-datasource-class-name=oracle.jdbc.xa.client.OracleXADataSource)
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/databases/oracle/standalone-configuration.cli b/roles/build/templates/keycloak/keycloak-tools/cli/databases/oracle/standalone-configuration.cli
new file mode 100644
index 0000000000000000000000000000000000000000..4f1f3dcd088a2daba1158552b3448eb551906d58
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/databases/oracle/standalone-configuration.cli
@@ -0,0 +1,3 @@
+embed-server --server-config=standalone.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/oracle/change-database.cli
+stop-embedded-server
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/databases/oracle/standalone-ha-configuration.cli b/roles/build/templates/keycloak/keycloak-tools/cli/databases/oracle/standalone-ha-configuration.cli
new file mode 100644
index 0000000000000000000000000000000000000000..57762b81930020b4fbe173ef8e3ee94b600caa7c
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/databases/oracle/standalone-ha-configuration.cli
@@ -0,0 +1,3 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/oracle/change-database.cli
+stop-embedded-server
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/databases/postgres/change-database.cli b/roles/build/templates/keycloak/keycloak-tools/cli/databases/postgres/change-database.cli
new file mode 100644
index 0000000000000000000000000000000000000000..f6b70425fef25ff7b3aceea23007c9c8ef907cce
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/databases/postgres/change-database.cli
@@ -0,0 +1,11 @@
+/subsystem=datasources/data-source=KeycloakDS: remove()
+/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:postgresql://${env.DB_ADDR:postgres}/${env.DB_DATABASE:keycloak}${env.JDBC_PARAMS:}, driver-name=postgresql)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:keycloak})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:password})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1")
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
+/subsystem=datasources/jdbc-driver=postgresql:add(driver-name=postgresql, driver-module-name=org.postgresql.jdbc, driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource)
+
+/subsystem=keycloak-server/spi=connectionsJpa/provider=default:write-attribute(name=properties.schema,value=${env.DB_SCHEMA:public})
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/databases/postgres/standalone-configuration.cli b/roles/build/templates/keycloak/keycloak-tools/cli/databases/postgres/standalone-configuration.cli
new file mode 100644
index 0000000000000000000000000000000000000000..e10ff84b9a0a684e8e0ee619ad4189a1c3178dd8
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/databases/postgres/standalone-configuration.cli
@@ -0,0 +1,3 @@
+embed-server --server-config=standalone.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/postgres/change-database.cli
+stop-embedded-server
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/databases/postgres/standalone-ha-configuration.cli b/roles/build/templates/keycloak/keycloak-tools/cli/databases/postgres/standalone-ha-configuration.cli
new file mode 100644
index 0000000000000000000000000000000000000000..e95f34448060c875537ec323beab36f89ea5271e
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/databases/postgres/standalone-ha-configuration.cli
@@ -0,0 +1,3 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/postgres/change-database.cli
+stop-embedded-server
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/files-plaintext-vault.cli b/roles/build/templates/keycloak/keycloak-tools/cli/files-plaintext-vault.cli
new file mode 100644
index 0000000000000000000000000000000000000000..991d04480d4537750bf7e6e5da4eaed6b5bac6af
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/files-plaintext-vault.cli
@@ -0,0 +1,6 @@
+embed-server --server-config=$configuration_file --std-out=discard
+echo ** Adding vault spi **
+/subsystem=keycloak-server/spi=vault/:add
+/subsystem=keycloak-server/spi=vault/provider=files-plaintext/:add(enabled=true,properties={dir => $plaintext_vault_provider_dir})
+stop-embedded-server
+
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/hostname.cli b/roles/build/templates/keycloak/keycloak-tools/cli/hostname.cli
new file mode 100644
index 0000000000000000000000000000000000000000..c9e82e125b3af811debd9ebf014e8f9556ec17ba
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/hostname.cli
@@ -0,0 +1,2 @@
+/subsystem=keycloak-server/spi=hostname:write-attribute(name=default-provider, value="${keycloak.hostname.provider:default}")
+/subsystem=keycloak-server/spi=hostname/provider=fixed/:add(properties={hostname => "${keycloak.hostname.fixed.hostname:localhost}",httpPort => "${keycloak.hostname.fixed.httpPort:-1}",httpsPort => "${keycloak.hostname.fixed.httpsPort:-1}",alwaysHttps => "${keycloak.hostname.fixed.alwaysHttps:false}"},enabled=true)
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/infinispan/cache-owners.cli b/roles/build/templates/keycloak/keycloak-tools/cli/infinispan/cache-owners.cli
new file mode 100644
index 0000000000000000000000000000000000000000..dc207e7626532cd2ab200b9888ba3cbca6ea72c1
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/infinispan/cache-owners.cli
@@ -0,0 +1,11 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+batch
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_AUTH_SESSIONS_COUNT:1})
+run-batch
+stop-embedded-server
\ No newline at end of file
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/jgroups/discovery/default.cli b/roles/build/templates/keycloak/keycloak-tools/cli/jgroups/discovery/default.cli
new file mode 100644
index 0000000000000000000000000000000000000000..68da05a1c6661a98a7bd9c367d7e71582efbb0f4
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/jgroups/discovery/default.cli
@@ -0,0 +1,11 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+batch
+/subsystem=jgroups/stack=udp/protocol=PING:remove()
+/subsystem=jgroups/stack=udp/protocol=$keycloak_jgroups_discovery_protocol:add(add-index=0, properties=$keycloak_jgroups_discovery_protocol_properties)
+
+/subsystem=jgroups/stack=tcp/protocol=MPING:remove()
+/subsystem=jgroups/stack=tcp/protocol=$keycloak_jgroups_discovery_protocol:add(add-index=0, properties=$keycloak_jgroups_discovery_protocol_properties)
+
+/subsystem=jgroups/channel=ee:write-attribute(name="stack", value=$keycloak_jgroups_transport_stack)
+run-batch
+stop-embedded-server
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/loglevel.cli b/roles/build/templates/keycloak/keycloak-tools/cli/loglevel.cli
new file mode 100644
index 0000000000000000000000000000000000000000..c6adb8826a8189ff6bee02efc71747a5d7ea0a74
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/loglevel.cli
@@ -0,0 +1,9 @@
+/subsystem=logging/logger=org.keycloak:add
+/subsystem=logging/logger=org.keycloak:write-attribute(name=level,value=${env.KEYCLOAK_LOGLEVEL:INFO})
+
+/subsystem=logging/root-logger=ROOT:change-root-log-level(level=${env.ROOT_LOGLEVEL:INFO})
+
+/subsystem=logging/root-logger=ROOT:remove-handler(name="FILE")
+/subsystem=logging/periodic-rotating-file-handler=FILE:remove
+
+/subsystem=logging/console-handler=CONSOLE:undefine-attribute(name=level)
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/metrics/db.cli b/roles/build/templates/keycloak/keycloak-tools/cli/metrics/db.cli
new file mode 100644
index 0000000000000000000000000000000000000000..7524657172ea4bbe07df2a53de3c9d623d777656
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/metrics/db.cli
@@ -0,0 +1,5 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+batch
+/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=statistics-enabled, value=true)
+run-batch
+stop-embedded-server
\ No newline at end of file
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/metrics/http.cli b/roles/build/templates/keycloak/keycloak-tools/cli/metrics/http.cli
new file mode 100644
index 0000000000000000000000000000000000000000..322c7db9be186a14438c6bb4dba0ea06a759fbc0
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/metrics/http.cli
@@ -0,0 +1,5 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+batch
+/subsystem=undertow:write-attribute(name=statistics-enabled,value=true)
+run-batch
+stop-embedded-server
\ No newline at end of file
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/metrics/jgroups.cli b/roles/build/templates/keycloak/keycloak-tools/cli/metrics/jgroups.cli
new file mode 100644
index 0000000000000000000000000000000000000000..dac4cb55d60502ea0792511f1c8f309cfe62578c
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/metrics/jgroups.cli
@@ -0,0 +1,5 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+batch
+/subsystem=jgroups/channel=ee:write-attribute(name=statistics-enabled, value=true)
+run-batch
+stop-embedded-server
\ No newline at end of file
diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/proxy.cli b/roles/build/templates/keycloak/keycloak-tools/cli/proxy.cli
new file mode 100644
index 0000000000000000000000000000000000000000..3c1984b1b5556da048cfd5aaae1ffafdcd1c4623
--- /dev/null
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/proxy.cli
@@ -0,0 +1,2 @@ +/subsystem=undertow/server=default-server/http-listener=default: write-attribute(name=proxy-address-forwarding, value=${env.PROXY_ADDRESS_FORWARDING:false}) +/subsystem=undertow/server=default-server/https-listener=https: write-attribute(name=proxy-address-forwarding, value=${env.PROXY_ADDRESS_FORWARDING:false}) diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/standalone-configuration.cli b/roles/build/templates/keycloak/keycloak-tools/cli/standalone-configuration.cli new file mode 100644 index 0000000000000000000000000000000000000000..6e47c46ca887ed7dc359eb1328c0e712aa31c4d9 --- /dev/null +++ b/roles/build/templates/keycloak/keycloak-tools/cli/standalone-configuration.cli @@ -0,0 +1,6 @@ +embed-server --server-config=standalone.xml --std-out=echo +run-batch --file=/opt/jboss/tools/cli/loglevel.cli +run-batch --file=/opt/jboss/tools/cli/proxy.cli +run-batch --file=/opt/jboss/tools/cli/hostname.cli +run-batch --file=/opt/jboss/tools/cli/theme.cli +stop-embedded-server diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/standalone-ha-configuration.cli b/roles/build/templates/keycloak/keycloak-tools/cli/standalone-ha-configuration.cli new file mode 100644 index 0000000000000000000000000000000000000000..33e1440f3a2ce0e3d35148192430d55c12cd7198 --- /dev/null +++ b/roles/build/templates/keycloak/keycloak-tools/cli/standalone-ha-configuration.cli @@ -0,0 +1,6 @@ +embed-server --server-config=standalone-ha.xml --std-out=echo +run-batch --file=/opt/jboss/tools/cli/loglevel.cli +run-batch --file=/opt/jboss/tools/cli/proxy.cli +run-batch --file=/opt/jboss/tools/cli/hostname.cli +run-batch --file=/opt/jboss/tools/cli/theme.cli +stop-embedded-server diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/theme.cli b/roles/build/templates/keycloak/keycloak-tools/cli/theme.cli new file mode 100644 index 0000000000000000000000000000000000000000..dba1937d71ac08dad97ac4f5c8f6eacdb0d7263e --- /dev/null 
+++ b/roles/build/templates/keycloak/keycloak-tools/cli/theme.cli @@ -0,0 +1,2 @@ +/subsystem=keycloak-server/theme=defaults:write-attribute(name=welcomeTheme,value=${env.KEYCLOAK_WELCOME_THEME:keycloak}) +/subsystem=keycloak-server/theme=defaults:write-attribute(name=default,value=${env.KEYCLOAK_DEFAULT_THEME:keycloak}) diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/x509-keystore.cli b/roles/build/templates/keycloak/keycloak-tools/cli/x509-keystore.cli new file mode 100644 index 0000000000000000000000000000000000000000..270a70065b00c0615384321f22da384be5ae9836 --- /dev/null +++ b/roles/build/templates/keycloak/keycloak-tools/cli/x509-keystore.cli @@ -0,0 +1,9 @@ +embed-server --server-config=$configuration_file --std-out=discard +/subsystem=elytron/key-store=kcKeyStore:add(path=$keycloak_tls_keystore_file,type=JKS,credential-reference={clear-text=$keycloak_tls_keystore_password}) +/subsystem=elytron/key-manager=kcKeyManager:add(key-store=kcKeyStore,credential-reference={clear-text=$keycloak_tls_keystore_password}) +/subsystem=elytron/server-ssl-context=kcSSLContext:add(key-manager=kcKeyManager) +batch +/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm) +/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=kcSSLContext) +run-batch +stop-embedded-server diff --git a/roles/build/templates/keycloak/keycloak-tools/cli/x509-truststore.cli b/roles/build/templates/keycloak/keycloak-tools/cli/x509-truststore.cli new file mode 100644 index 0000000000000000000000000000000000000000..79f94db09e11ada87309fc763e1090c5f8c6eeb7 --- /dev/null +++ b/roles/build/templates/keycloak/keycloak-tools/cli/x509-truststore.cli 
@@ -0,0 +1,25 @@ +embed-server --server-config=$configuration_file --std-out=discard +/subsystem=elytron/key-store=kcTrustStore:add(path=$keycloak_tls_truststore_file,type=JKS,credential-reference={clear-text=$keycloak_tls_truststore_password}) +/subsystem=elytron/trust-manager=kcTrustManager:add(key-store=kcTrustStore) +if (outcome != success) of /subsystem=elytron/server-ssl-context=kcSSLContext:read-resource + # Since WF requires a Key Manager for creating /subsystem=elytron/server-ssl-context, there's nothing we can do at this point. + # We can not automatically generate a self-signed key (Elytron doesn't support this, see https://docs.wildfly.org/13/WildFly_Elytron_Security.html#configure-ssltls), + # and we don't have anything else at hand. + # However, there is no big harm here - the Trust Store is more needed by Keycloak Truststore SPI. + echo "WARNING! There is no Key Manager (No Key Store specified). Skipping HTTPS Listener configuration..." +else + # The SSL Context has been added by keystore, not much to do - just append trust store and we are done. + /subsystem=elytron/server-ssl-context=kcSSLContext:write-attribute(name=trust-manager, value=kcTrustManager) + /subsystem=elytron/server-ssl-context=kcSSLContext:write-attribute(name=want-client-auth, value=true) +end-if + +if (outcome != success) of /subsystem=keycloak-server/spi=truststore:read-resource + /subsystem=keycloak-server/spi=truststore/:add +end-if +/subsystem=keycloak-server/spi=truststore/provider=file/:add(enabled=true,properties={ \ + file => $keycloak_tls_truststore_file, \ + password => $keycloak_tls_truststore_password, \ + hostname-verification-policy => "WILDCARD", \ +disabled => "false"}) + +stop-embedded-server \ No newline at end of file 
diff --git a/roles/build/templates/keycloak/keycloak-tools/databases/change-database.sh b/roles/build/templates/keycloak/keycloak-tools/databases/change-database.sh new file mode 100644 index 0000000000000000000000000000000000000000..55a4a8e823385e1de2e88fbd71f34e7f9b591a31 --- /dev/null +++ b/roles/build/templates/keycloak/keycloak-tools/databases/change-database.sh @@ -0,0 +1,11 @@ +#!/bin/bash -e + +DB_VENDOR=$1 + +cd /opt/jboss/keycloak + +bin/jboss-cli.sh --file=/opt/jboss/tools/cli/databases/$DB_VENDOR/standalone-configuration.cli +rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history + +bin/jboss-cli.sh --file=/opt/jboss/tools/cli/databases/$DB_VENDOR/standalone-ha-configuration.cli +rm -rf standalone/configuration/standalone_xml_history/current/* \ No newline at end of file diff --git a/roles/build/templates/keycloak/keycloak-tools/databases/mariadb/module.xml b/roles/build/templates/keycloak/keycloak-tools/databases/mariadb/module.xml new file mode 100644 index 0000000000000000000000000000000000000000..a3f6f962d5095d387ee4ceaf62ee0e99b4ea3f03 --- /dev/null +++ b/roles/build/templates/keycloak/keycloak-tools/databases/mariadb/module.xml 
@@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + ~ JBoss, Home of Professional Open Source. + ~ Copyright 2010, Red Hat, Inc., and individual contributors + ~ as indicated by the @author tags. See the copyright.txt file in the + ~ distribution for a full listing of individual contributors. + ~ + ~ This is free software; you can redistribute it and/or modify it + ~ under the terms of the GNU Lesser General Public License as + ~ published by the Free Software Foundation; either version 2.1 of + ~ the License, or (at your option) any later version. + ~ + ~ This software is distributed in the hope that it will be useful, + ~ but WITHOUT ANY WARRANTY; without even the implied warranty of + ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + ~ Lesser General Public License for more details. + ~ + ~ You should have received a copy of the GNU Lesser General Public + ~ License along with this software; if not, write to the Free + ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org. + --> +<module xmlns="urn:jboss:module:1.0" name="org.mariadb.jdbc"> + <resources> + <resource-root path="mariadb-jdbc.jar"/> + </resources> + <dependencies> + <module name="javax.api"/> + <module name="javax.transaction.api"/> + </dependencies> +</module> diff --git a/roles/build/templates/keycloak/keycloak-tools/databases/mssql/module.xml b/roles/build/templates/keycloak/keycloak-tools/databases/mssql/module.xml new file mode 100644 index 0000000000000000000000000000000000000000..23574b804da9a6e8329ddd2936b47422d130d95c --- /dev/null +++ b/roles/build/templates/keycloak/keycloak-tools/databases/mssql/module.xml 
@@ -0,0 +1,13 @@ +<?xml version="1.0" encoding="UTF-8"?> +<module xmlns="urn:jboss:module:1.3" name="com.microsoft.sqlserver.jdbc"> + +<resources> + <resource-root path="mssql-jdbc.jar"/> +</resources> +<dependencies> + <module name="javax.api"/> + <module name="javax.transaction.api"/> + <module name="javax.xml.bind.api"/> + <module name="javax.servlet.api" optional="true"/> +</dependencies> +</module> diff --git a/roles/build/templates/keycloak/keycloak-tools/databases/mysql/module.xml b/roles/build/templates/keycloak/keycloak-tools/databases/mysql/module.xml new file mode 100644 index 0000000000000000000000000000000000000000..600bdedbfb2c68168076c972d217e3e7da6384f0 --- /dev/null +++ b/roles/build/templates/keycloak/keycloak-tools/databases/mysql/module.xml 
@@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + ~ JBoss, Home of Professional Open Source. + ~ Copyright 2010, Red Hat, Inc., and individual contributors + ~ as indicated by the @author tags. See the copyright.txt file in the + ~ distribution for a full listing of individual contributors. + ~ + ~ This is free software; you can redistribute it and/or modify it + ~ under the terms of the GNU Lesser General Public License as + ~ published by the Free Software Foundation; either version 2.1 of + ~ the License, or (at your option) any later version. + ~ + ~ This software is distributed in the hope that it will be useful, + ~ but WITHOUT ANY WARRANTY; without even the implied warranty of + ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + ~ Lesser General Public License for more details. + ~ + ~ You should have received a copy of the GNU Lesser General Public + ~ License along with this software; if not, write to the Free + ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org. + --> +<module xmlns="urn:jboss:module:1.0" name="com.mysql.jdbc"> + <resources> + <resource-root path="mysql-connector-java-JDBC_MYSQL_VERSION.jar"/> + </resources> + <dependencies> + <module name="javax.api"/> + <module name="javax.transaction.api"/> + </dependencies> +</module> diff --git a/roles/build/templates/keycloak/keycloak-tools/databases/oracle/module.xml b/roles/build/templates/keycloak/keycloak-tools/databases/oracle/module.xml new file mode 100644 index 0000000000000000000000000000000000000000..8720a08f93a1a58e05c015b63af0d0f6676fd794 --- /dev/null +++ b/roles/build/templates/keycloak/keycloak-tools/databases/oracle/module.xml 
@@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + ~ JBoss, Home of Professional Open Source. + ~ Copyright 2010, Red Hat, Inc., and individual contributors + ~ as indicated by the @author tags. See the copyright.txt file in the + ~ distribution for a full listing of individual contributors. + ~ + ~ This is free software; you can redistribute it and/or modify it + ~ under the terms of the GNU Lesser General Public License as + ~ published by the Free Software Foundation; either version 2.1 of + ~ the License, or (at your option) any later version. + ~ + ~ This software is distributed in the hope that it will be useful, + ~ but WITHOUT ANY WARRANTY; without even the implied warranty of + ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + ~ Lesser General Public License for more details. + ~ + ~ You should have received a copy of the GNU Lesser General Public + ~ License along with this software; if not, write to the Free + ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org. + --> +<module xmlns="urn:jboss:module:1.0" name="com.oracle.jdbc"> + <resources> + <resource-root path="driver/ojdbc.jar"/> + </resources> + <dependencies> + <module name="javax.api"/> + <module name="javax.transaction.api"/> + </dependencies> +</module> diff --git a/roles/build/templates/keycloak/keycloak-tools/databases/postgres/module.xml b/roles/build/templates/keycloak/keycloak-tools/databases/postgres/module.xml new file mode 100644 index 0000000000000000000000000000000000000000..2180e59ea83a54a44379f6373e200b7ff93bb1a6 --- /dev/null +++ b/roles/build/templates/keycloak/keycloak-tools/databases/postgres/module.xml 
@@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + ~ JBoss, Home of Professional Open Source. + ~ Copyright 2010, Red Hat, Inc., and individual contributors + ~ as indicated by the @author tags. See the copyright.txt file in the + ~ distribution for a full listing of individual contributors. + ~ + ~ This is free software; you can redistribute it and/or modify it + ~ under the terms of the GNU Lesser General Public License as + ~ published by the Free Software Foundation; either version 2.1 of + ~ the License, or (at your option) any later version. + ~ + ~ This software is distributed in the hope that it will be useful, + ~ but WITHOUT ANY WARRANTY; without even the implied warranty of + ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + ~ Lesser General Public License for more details. + ~ + ~ You should have received a copy of the GNU Lesser General Public + ~ License along with this software; if not, write to the Free + ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org. + --> +<module xmlns="urn:jboss:module:1.0" name="org.postgresql.jdbc"> + <resources> + <resource-root path="postgres-jdbc.jar"/> + </resources> + <dependencies> + <module name="javax.api"/> + <module name="javax.transaction.api"/> + </dependencies> +</module> diff --git a/roles/build/templates/keycloak/keycloak-tools/docker-entrypoint.sh b/roles/build/templates/keycloak/keycloak-tools/docker-entrypoint.sh new file mode 100755 index 0000000000000000000000000000000000000000..29284f2add7a8b2011360c891dee221da794b931 --- /dev/null +++ b/roles/build/templates/keycloak/keycloak-tools/docker-entrypoint.sh 
@@ -0,0 +1,234 @@ +#!/bin/bash +set -eou pipefail + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [[ ${!var:-} && ${!fileVar:-} ]]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + local val="$def" + if [[ ${!var:-} ]]; then + val="${!var}" + elif [[ ${!fileVar:-} ]]; then + val="$(< "${!fileVar}")" + fi + + if [[ -n $val ]]; then + export "$var"="$val" + fi + + unset "$fileVar" +} + +SYS_PROPS="" + +################## +# Add admin user # +################## + +file_env 'KEYCLOAK_USER' +file_env 'KEYCLOAK_PASSWORD' + +if [[ -n ${KEYCLOAK_USER:-} && -n ${KEYCLOAK_PASSWORD:-} ]]; then + /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "$KEYCLOAK_USER" --password "$KEYCLOAK_PASSWORD" +fi + +############ +# Hostname # +############ + +if [[ -n ${KEYCLOAK_FRONTEND_URL:-} ]]; then + SYS_PROPS+="-Dkeycloak.frontendUrl=$KEYCLOAK_FRONTEND_URL" +fi + +if [[ -n ${KEYCLOAK_HOSTNAME:-} ]]; then + SYS_PROPS+=" -Dkeycloak.hostname.provider=fixed -Dkeycloak.hostname.fixed.hostname=$KEYCLOAK_HOSTNAME" + + if [[ -n ${KEYCLOAK_HTTP_PORT:-} ]]; then + SYS_PROPS+=" -Dkeycloak.hostname.fixed.httpPort=$KEYCLOAK_HTTP_PORT" + fi + + if [[ -n ${KEYCLOAK_HTTPS_PORT:-} ]]; then + SYS_PROPS+=" -Dkeycloak.hostname.fixed.httpsPort=$KEYCLOAK_HTTPS_PORT" + fi + + if [[ -n ${KEYCLOAK_ALWAYS_HTTPS:-} ]]; then + SYS_PROPS+=" -Dkeycloak.hostname.fixed.alwaysHttps=$KEYCLOAK_ALWAYS_HTTPS" + fi +fi + +################ +# Realm import # +################ + +if [[ -n ${KEYCLOAK_IMPORT:-} ]]; then + SYS_PROPS+=" -Dkeycloak.import=$KEYCLOAK_IMPORT" +fi + +######################## +# JGroups bind options # +######################## + +if [[ -z ${BIND:-} ]]; then + BIND=$(hostname --all-ip-addresses) +fi +if 
[[ -z ${BIND_OPTS:-} ]]; then + for BIND_IP in $BIND + do + BIND_OPTS+=" -Djboss.bind.address=$BIND_IP -Djboss.bind.address.private=$BIND_IP " + done +fi +SYS_PROPS+=" $BIND_OPTS" + +######################################### +# Expose management console for metrics # +######################################### + +if [[ -n ${KEYCLOAK_STATISTICS:-} ]] ; then + SYS_PROPS+=" -Djboss.bind.address.management=0.0.0.0" +fi + +################# +# Configuration # +################# + +# If the server configuration parameter is not present, append the HA profile. +if echo "$@" | grep -E -v -- '-c |-c=|--server-config |--server-config='; then + SYS_PROPS+=" -c=standalone-ha.xml" +fi + +############ +# DB setup # +############ + +file_env 'DB_USER' +file_env 'DB_PASSWORD' +# Lower case DB_VENDOR +if [[ -n ${DB_VENDOR:-} ]]; then + DB_VENDOR=$(echo "$DB_VENDOR" | tr "[:upper:]" "[:lower:]") +fi + +# Detect DB vendor from default host names +if [[ -z ${DB_VENDOR:-} ]]; then + if (getent hosts postgres &>/dev/null); then + export DB_VENDOR="postgres" + elif (getent hosts mysql &>/dev/null); then + export DB_VENDOR="mysql" + elif (getent hosts mariadb &>/dev/null); then + export DB_VENDOR="mariadb" + elif (getent hosts oracle &>/dev/null); then + export DB_VENDOR="oracle" + elif (getent hosts mssql &>/dev/null); then + export DB_VENDOR="mssql" + fi +fi + +# Detect DB vendor from legacy `*_ADDR` environment variables +if [[ -z ${DB_VENDOR:-} ]]; then + if (printenv | grep '^POSTGRES_ADDR=' &>/dev/null); then + export DB_VENDOR="postgres" + elif (printenv | grep '^MYSQL_ADDR=' &>/dev/null); then + export DB_VENDOR="mysql" + elif (printenv | grep '^MARIADB_ADDR=' &>/dev/null); then + export DB_VENDOR="mariadb" + elif (printenv | grep '^ORACLE_ADDR=' &>/dev/null); then + export DB_VENDOR="oracle" + elif (printenv | grep '^MSSQL_ADDR=' &>/dev/null); then + export DB_VENDOR="mssql" + fi +fi + +# Default to H2 if DB type not detected +if [[ -z ${DB_VENDOR:-} ]]; then + export 
DB_VENDOR="h2" +fi + +# if the DB_VENDOR is postgres then append port to the DB_ADDR +function append_port_db_addr() { + local db_host_regex='^[a-zA-Z0-9]([a-zA-Z0-9]|-|.)*:[0-9]{4,5}$' + IFS=',' read -ra addresses <<< "$DB_ADDR" + DB_ADDR="" + for i in "${addresses[@]}"; do + if [[ $i =~ $db_host_regex ]]; then + DB_ADDR+=$i; + else + DB_ADDR+="${i}:${DB_PORT}"; + fi + DB_ADDR+="," + done + DB_ADDR=$(echo $DB_ADDR | sed 's/.$//') # remove the last comma +} +# Set DB name +case "$DB_VENDOR" in + postgres) + DB_NAME="PostgreSQL" + if [[ -z ${DB_PORT:-} ]] ; then + DB_PORT="5432" + fi + append_port_db_addr + ;; + mysql) + DB_NAME="MySQL";; + mariadb) + DB_NAME="MariaDB";; + oracle) + DB_NAME="Oracle";; + h2) + DB_NAME="Embedded H2";; + mssql) + DB_NAME="Microsoft SQL Server";; + *) + echo "Unknown DB vendor $DB_VENDOR" + exit 1 +esac + +# Append '?' in the beggining of the string if JDBC_PARAMS value isn't empty +JDBC_PARAMS=$(echo "${JDBC_PARAMS:-}" | sed '/^$/! s/^/?/') +export JDBC_PARAMS + +# Convert deprecated DB specific variables +function set_legacy_vars() { + local suffixes=(ADDR DATABASE USER PASSWORD PORT) + for suffix in "${suffixes[@]}"; do + local varname="$1_$suffix" + if [[ -n ${!varname:-} ]]; then + echo WARNING: "$varname" variable name is DEPRECATED replace with DB_"$suffix" + export DB_"$suffix=${!varname}" + fi + done +} +set_legacy_vars "$(echo "$DB_VENDOR" | tr "[:upper:]" "[:lower:]")" + +# Configure DB + +echo "=========================================================================" +echo "" +echo " Using $DB_NAME database" +echo "" +echo "=========================================================================" +echo "" + +if [ "$DB_VENDOR" != "h2" ]; then + /bin/sh /opt/jboss/tools/databases/change-database.sh $DB_VENDOR +fi + +/opt/jboss/tools/x509.sh +/opt/jboss/tools/jgroups.sh +/opt/jboss/tools/infinispan.sh +/opt/jboss/tools/statistics.sh +/opt/jboss/tools/autorun.sh +/opt/jboss/tools/vault.sh + +################## +# Start 
Keycloak # +################## + +exec /opt/jboss/keycloak/bin/standalone.sh $SYS_PROPS $@ +exit $? diff --git a/roles/build/templates/keycloak/keycloak-tools/infinispan.sh b/roles/build/templates/keycloak/keycloak-tools/infinispan.sh new file mode 100755 index 0000000000000000000000000000000000000000..be15edfa51008b35cdd365891793b193a70e01cf --- /dev/null +++ b/roles/build/templates/keycloak/keycloak-tools/infinispan.sh @@ -0,0 +1,14 @@ +# How many owners / replicas should our distributed caches have. If <2 any node that is removed from the cluster will cause a data-loss! +# As it is only sensible to replicate AuthenticationSessions for certain cases, their replication factor can be configured independently + +if [ -n "$CACHE_OWNERS_COUNT" ]; then + echo "Setting cache owners to $CACHE_OWNERS_COUNT replicas" + + # Check and log the replication factor of AuthenticationSessions, otherwise this is set to 1 by default + if [ -n "$CACHE_OWNERS_AUTH_SESSIONS_COUNT" ]; then + echo "Enabling replication of AuthenticationSessions with ${CACHE_OWNERS_AUTH_SESSIONS_COUNT} replicas" + else + echo "AuthenticationSessions will NOT be replicated, set CACHE_OWNERS_AUTH_SESSIONS_COUNT to configure this" + fi +$JBOSS_HOME/bin/jboss-cli.sh --file="/opt/jboss/tools/cli/infinispan/cache-owners.cli" >& /dev/null +fi diff --git a/roles/build/templates/keycloak/keycloak-tools/jgroups.sh b/roles/build/templates/keycloak/keycloak-tools/jgroups.sh new file mode 100755 index 0000000000000000000000000000000000000000..36f34a56ae39e69e72feac646b1e7fff775f5290 --- /dev/null +++ b/roles/build/templates/keycloak/keycloak-tools/jgroups.sh 
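Review bot: docker-entrypoint.sh, together with the other keycloak-tools scripts added in this commit, looks like an unmodified copy of the upstream Keycloak container tooling, yet nothing at the top of the file records where it was taken from or at which upstream version. These scripts handle the admin bootstrap credentials (`add-user-keycloak.sh --user "$KEYCLOAK_USER" --password "$KEYCLOAK_PASSWORD"`), the TLS keystore wiring and the database selection, so the copy will need to be re-synced when upstream fixes land, and that is hard without provenance. Suggest a header comment right after the shebang such as `# Vendored from keycloak-containers server/tools (upstream tag: <fill in>); keep in sync with upstream, local changes: none`, repeated in the other copied scripts. If any local edits were made, list them in that header so a future diff against upstream stays tractable.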
@@ -0,0 +1,30 @@ +#!/bin/bash + +# If JGROUPS_DISCOVERY_PROPERTIES is set, it must be in the following format: PROP1=FOO,PROP2=BAR +# If JGROUPS_DISCOVERY_PROPERTIES_DIRECT is set, it must be in the following format: {PROP1=>FOO,PROP2=>BAR} +# It's a configuration error to set both of these variables + +if [ -n "$JGROUPS_DISCOVERY_PROTOCOL" ]; then + if [ -n "$JGROUPS_DISCOVERY_PROPERTIES" ] && [ -n "$JGROUPS_DISCOVERY_PROPERTIES_DIRECT" ]; then + echo >&2 "error: both JGROUPS_DISCOVERY_PROPERTIES and JGROUPS_DISCOVERY_PROPERTIES_DIRECT are set (but are exclusive)" + exit 1 + fi + + if [ -n "$JGROUPS_DISCOVERY_PROPERTIES_DIRECT" ]; then + JGROUPS_DISCOVERY_PROPERTIES_PARSED="$JGROUPS_DISCOVERY_PROPERTIES_DIRECT" + else + JGROUPS_DISCOVERY_PROPERTIES_PARSED=`echo $JGROUPS_DISCOVERY_PROPERTIES | sed "s/=/=>/g"` + JGROUPS_DISCOVERY_PROPERTIES_PARSED="{$JGROUPS_DISCOVERY_PROPERTIES_PARSED}" + fi + + echo "Setting JGroups discovery to $JGROUPS_DISCOVERY_PROTOCOL with properties $JGROUPS_DISCOVERY_PROPERTIES_PARSED" + echo "set keycloak_jgroups_discovery_protocol=${JGROUPS_DISCOVERY_PROTOCOL}" >> "$JBOSS_HOME/bin/.jbossclirc" + echo "set keycloak_jgroups_discovery_protocol_properties=${JGROUPS_DISCOVERY_PROPERTIES_PARSED}" >> "$JBOSS_HOME/bin/.jbossclirc" + echo "set keycloak_jgroups_transport_stack=${JGROUPS_TRANSPORT_STACK:-tcp}" >> "$JBOSS_HOME/bin/.jbossclirc" + # If there's a specific CLI file for given protocol - execute it. If not, we should be good with the default one. + if [ -f "/opt/jboss/tools/cli/jgroups/discovery/$JGROUPS_DISCOVERY_PROTOCOL.cli" ]; then + $JBOSS_HOME/bin/jboss-cli.sh --file="/opt/jboss/tools/cli/jgroups/discovery/$JGROUPS_DISCOVERY_PROTOCOL.cli" >& /dev/null + else + $JBOSS_HOME/bin/jboss-cli.sh --file="/opt/jboss/tools/cli/jgroups/discovery/default.cli" >& /dev/null + fi +fi 
diff --git a/roles/build/templates/keycloak/keycloak-tools/statistics.sh b/roles/build/templates/keycloak/keycloak-tools/statistics.sh new file mode 100755 index 0000000000000000000000000000000000000000..5c90f00ad5f81434623f6d7db865c26222eda3e2 --- /dev/null +++ b/roles/build/templates/keycloak/keycloak-tools/statistics.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +if [ -n "$KEYCLOAK_STATISTICS" ]; then + IFS=',' read -ra metrics <<< "$KEYCLOAK_STATISTICS" + for file in /opt/jboss/tools/cli/metrics/*.cli; do + name=${file##*/} + base=${name%.cli} + if [[ $KEYCLOAK_STATISTICS == *"$base"* ]] || [[ $KEYCLOAK_STATISTICS == *"all"* ]]; then + $JBOSS_HOME/bin/jboss-cli.sh --file="$file" >& /dev/null + fi + done +fi diff --git a/roles/build/templates/keycloak/keycloak-tools/vault.sh b/roles/build/templates/keycloak/keycloak-tools/vault.sh new file mode 100755 index 0000000000000000000000000000000000000000..77e86ee3ba54307f056e1e0b5eea000f5fa7123f --- /dev/null +++ b/roles/build/templates/keycloak/keycloak-tools/vault.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +if [ -d "$JBOSS_HOME/secrets" ]; then + echo "set plaintext_vault_provider_dir=${JBOSS_HOME}/secrets" >> "$JBOSS_HOME/bin/.jbossclirc" + + echo "set configuration_file=standalone.xml" >> "$JBOSS_HOME/bin/.jbossclirc" + $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/files-plaintext-vault.cli + sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc" + + echo "set configuration_file=standalone-ha.xml" >> "$JBOSS_HOME/bin/.jbossclirc" + $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/files-plaintext-vault.cli + sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc" +fi diff --git a/roles/build/templates/keycloak/keycloak-tools/x509.sh b/roles/build/templates/keycloak/keycloak-tools/x509.sh new file mode 100755 index 0000000000000000000000000000000000000000..3b036b9cfac5d6c21038c0df800daa2e048e770f --- /dev/null +++ b/roles/build/templates/keycloak/keycloak-tools/x509.sh 
@@ -0,0 +1,111 @@ +#!/bin/bash + +function autogenerate_keystores() { + # Keystore infix notation as used in templates to keystore name mapping + declare -A KEYSTORES=( ["https"]="HTTPS" ) + + local KEYSTORES_STORAGE="${JBOSS_HOME}/standalone/configuration/keystores" + if [ ! -d "${KEYSTORES_STORAGE}" ]; then + mkdir -p "${KEYSTORES_STORAGE}" + fi + + # Auto-generate the HTTPS keystore if volumes for OpenShift's + # serving x509 certificate secrets service were properly mounted + for KEYSTORE_TYPE in "${!KEYSTORES[@]}"; do + + local X509_KEYSTORE_DIR="/etc/x509/${KEYSTORE_TYPE}" + local X509_CRT="tls.crt" + local X509_KEY="tls.key" + local NAME="keycloak-${KEYSTORE_TYPE}-key" + local PASSWORD=$(openssl rand -base64 32 2>/dev/null) + local JKS_KEYSTORE_FILE="${KEYSTORE_TYPE}-keystore.jks" + local PKCS12_KEYSTORE_FILE="${KEYSTORE_TYPE}-keystore.pk12" + + if [ -f "${X509_KEYSTORE_DIR}/${X509_KEY}" ] && [ -f "${X509_KEYSTORE_DIR}/${X509_CRT}" ]; then + + echo "Creating ${KEYSTORES[$KEYSTORE_TYPE]} keystore via OpenShift's service serving x509 certificate secrets.." 
+ + openssl pkcs12 -export \ + -name "${NAME}" \ + -inkey "${X509_KEYSTORE_DIR}/${X509_KEY}" \ + -in "${X509_KEYSTORE_DIR}/${X509_CRT}" \ + -out "${KEYSTORES_STORAGE}/${PKCS12_KEYSTORE_FILE}" \ + -password pass:"${PASSWORD}" >& /dev/null + + keytool -importkeystore -noprompt \ + -srcalias "${NAME}" -destalias "${NAME}" \ + -srckeystore "${KEYSTORES_STORAGE}/${PKCS12_KEYSTORE_FILE}" \ + -srcstoretype pkcs12 \ + -destkeystore "${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}" \ + -storepass "${PASSWORD}" -srcstorepass "${PASSWORD}" >& /dev/null + + if [ -f "${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}" ]; then + echo "${KEYSTORES[$KEYSTORE_TYPE]} keystore successfully created at: ${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}" + fi + + echo "set keycloak_tls_keystore_password=${PASSWORD}" >> "$JBOSS_HOME/bin/.jbossclirc" + echo "set keycloak_tls_keystore_file=${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}" >> "$JBOSS_HOME/bin/.jbossclirc" + echo "set configuration_file=standalone.xml" >> "$JBOSS_HOME/bin/.jbossclirc" + $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/x509-keystore.cli >& /dev/null + sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc" + echo "set configuration_file=standalone-ha.xml" >> "$JBOSS_HOME/bin/.jbossclirc" + $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/x509-keystore.cli >& /dev/null + sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc" + fi + + done + + # Auto-generate the Keycloak truststore if X509_CA_BUNDLE was provided + local -r X509_CRT_DELIMITER="/-----BEGIN CERTIFICATE-----/" + local JKS_TRUSTSTORE_FILE="truststore.jks" + local JKS_TRUSTSTORE_PATH="${KEYSTORES_STORAGE}/${JKS_TRUSTSTORE_FILE}" + local PASSWORD=$(openssl rand -base64 32 2>/dev/null) + local TEMPORARY_CERTIFICATE="temporary_ca.crt" + if [ -n "${X509_CA_BUNDLE}" ]; then + pushd /tmp >& /dev/null + echo "Creating Keycloak truststore.." 
+ # We use cat here, so that users could specify multiple CA Bundles using space or even wildcard: + # X509_CA_BUNDLE=/var/run/secrets/kubernetes.io/serviceaccount/*.crt + # Note, that there is no quotes here, that's intentional. Once can use spaces in the $X509_CA_BUNDLE like this: + # X509_CA_BUNDLE=/ca.crt /ca2.crt + cat ${X509_CA_BUNDLE} > ${TEMPORARY_CERTIFICATE} + csplit -s -z -f crt- "${TEMPORARY_CERTIFICATE}" "${X509_CRT_DELIMITER}" '{*}' + for CERT_FILE in crt-*; do + keytool -import -noprompt -keystore "${JKS_TRUSTSTORE_PATH}" -file "${CERT_FILE}" \ + -storepass "${PASSWORD}" -alias "service-${CERT_FILE}" >& /dev/null + done + + if [ -f "${JKS_TRUSTSTORE_PATH}" ]; then + echo "Keycloak truststore successfully created at: ${JKS_TRUSTSTORE_PATH}" + fi + + # Import existing system CA certificates into the newly generated truststore + local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))"/../lib/security/cacerts") + if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" > /dev/null; then + echo "Importing certificates from system's Java CA certificate bundle into Keycloak truststore.." + keytool -importkeystore -noprompt \ + -srckeystore "${SYSTEM_CACERTS}" \ + -destkeystore "${JKS_TRUSTSTORE_PATH}" \ + -srcstoretype jks -deststoretype jks \ + -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null + if [ "$?" -eq "0" ]; then + echo "Successfully imported certificates from system's Java CA certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}" + else + echo "Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!" 
+ fi + fi + + echo "set keycloak_tls_truststore_password=${PASSWORD}" >> "$JBOSS_HOME/bin/.jbossclirc" + echo "set keycloak_tls_truststore_file=${KEYSTORES_STORAGE}/${JKS_TRUSTSTORE_FILE}" >> "$JBOSS_HOME/bin/.jbossclirc" + echo "set configuration_file=standalone.xml" >> "$JBOSS_HOME/bin/.jbossclirc" + $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/x509-truststore.cli >& /dev/null + sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc" + echo "set configuration_file=standalone-ha.xml" >> "$JBOSS_HOME/bin/.jbossclirc" + $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/x509-truststore.cli >& /dev/null + sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc" + + popd >& /dev/null + fi +} + +autogenerate_keystores diff --git a/roles/build/templates/odfees/Dockerfile-elastic.j2 b/roles/build/templates/odfees/Dockerfile-elastic.j2 index 8ec389d19a74dd53d6e24c679ad3c621985c641b..3a51a784650298962e3cc9928d884a73a2fa8bf0 100644 --- a/roles/build/templates/odfees/Dockerfile-elastic.j2 +++ b/roles/build/templates/odfees/Dockerfile-elastic.j2 @@ -8,7 +8,7 @@ RUN groupadd -g 1000 elasticsearch && \ WORKDIR /usr/share/elasticsearch RUN rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch && \ - rpm -Uvh https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-oss-7.6.1-no-jdk-x86_64.rpm && \ + rpm -Uvh https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-{{elk_version}}-no-jdk-x86_64.rpm && \ cp -a /etc/elasticsearch/ /usr/share/elasticsearch/config/ && \ chown -R elasticsearch /usr/share/elasticsearch/config && \ sed -i -e 's,ES_PATH_CONF=/etc/elasticsearch,ES_PATH_CONF=/usr/share/elasticsearch/config,g' /etc/sysconfig/elasticsearch diff --git a/roles/build/templates/odfees/Dockerfile-odfeelastic.j2 b/roles/build/templates/odfees/Dockerfile-odfeelastic.j2 index 8fe4cb8620eb5761cdc53d0191fdbfcbfd432edf..0803d0bf517d57ce14364bd35be194f6bdbae0cc 100644 --- a/roles/build/templates/odfees/Dockerfile-odfeelastic.j2 
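Review bot: The templated `rpm -Uvh https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-{{elk_version}}-no-jdk-x86_64.rpm` replaces a hard pin of oss-7.6.1; if `elk_version` resolves to an older release than the one it replaces, the image silently drops every fix shipped between the two, so the reason for the chosen value (plugin compatibility, presumably) should be recorded next to the variable. The package signature check still holds, since the GPG key is imported before the install, which is good. Suggest a comment above the RUN such as `# elk_version must match the OpenDistro plugin line; review Elastic security announcements before pinning to an older release`.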
+++ b/roles/build/templates/odfees/Dockerfile-odfeelastic.j2 @@ -6,9 +6,9 @@ USER root WORKDIR /usr/share/elasticsearch RUN for PLUGIN in \ - https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-security/opendistro_security-1.6.0.0.zip \ - https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-alerting/opendistro_alerting-1.6.0.0.zip \ - https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-sql/opendistro_sql-1.6.0.0.zip; \ + https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-security/opendistro_security-{{odfeplugin_version}}.zip \ + https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-alerting/opendistro_alerting-{{odfeplugin_version}}.zip \ + https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-sql/opendistro_sql-{{odfeplugin_version}}.zip; \ do bin/elasticsearch-plugin install -b ${PLUGIN}; done && \ chown -R elasticsearch plugins/opendistro_security diff --git a/roles/build/templates/odfekibana/Dockerfile-kibana.j2 b/roles/build/templates/odfekibana/Dockerfile-kibana.j2 index fe136898a514a8773f164f326f704f2ef772a9d9..c443597ddd2a10457ce9163c7b4dd722f2d8790f 100644 --- a/roles/build/templates/odfekibana/Dockerfile-kibana.j2 +++ b/roles/build/templates/odfekibana/Dockerfile-kibana.j2 @@ -8,7 +8,7 @@ RUN groupadd -g 1000 kibana && \ WORKDIR /usr/share/kibana RUN rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch && \ - rpm -Uvh https://artifacts.elastic.co/downloads/kibana/kibana-oss-7.6.1-x86_64.rpm && \ + rpm -Uvh https://artifacts.elastic.co/downloads/kibana/kibana-{{elk_version}}-x86_64.rpm && \ cp -a /etc/kibana/ /usr/share/kibana/config/ && \ chown -R kibana /usr/share/kibana/config/ 
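Review bot: The three OpenDistro plugin zips in the RUN loop are fetched from a CloudFront host and handed straight to `bin/elasticsearch-plugin install -b` with no integrity check, whereas the Elasticsearch RPM in the base Dockerfile is GPG-verified. TLS only authenticates the CDN endpoint, not the artifact, and `-b` auto-accepts the plugins' security-policy grants, so a swapped zip would be installed without any prompt. Since the versions are now pinned through `odfeplugin_version`, a per-version sha256 can be pinned alongside it: download each zip to a temp path, verify with `echo "<sha256>  /tmp/plugin.zip" | sha256sum -c -`, then install from `file:///tmp/plugin.zip`. The Kibana plugin loop in Dockerfile-odfekibana.j2 in this commit has the same gap.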
diff --git a/roles/build/templates/odfekibana/Dockerfile-odfekibana.j2 b/roles/build/templates/odfekibana/Dockerfile-odfekibana.j2 index b127fc2229c8d0a301e0be9f33de787468b49dab..8f72fd770ba85b5b54962fe96dd9bb5bbd898069 100644 --- a/roles/build/templates/odfekibana/Dockerfile-odfekibana.j2 +++ b/roles/build/templates/odfekibana/Dockerfile-odfekibana.j2 @@ -6,9 +6,9 @@ USER root WORKDIR /usr/share/kibana RUN for PLUGIN in \ - https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-security/opendistro_security_kibana_plugin-1.6.0.0.zip \ - https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-alerting/opendistro-alerting-1.6.0.0.zip \ - https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-index-management/opendistro_index_management_kibana-1.6.0.0.zip; \ + https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-security/opendistro_security_kibana_plugin-{{odfeplugin_version}}.zip \ + https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-alerting/opendistro-alerting-{{odfeplugin_version}}.zip \ + https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-index-management/opendistro_index_management_kibana-{{odfeplugin_version}}.zip; \ do bin/kibana-plugin install --allow-root ${PLUGIN}; done USER kibana diff --git a/roles/ca/tasks/main.yml b/roles/ca/tasks/main.yml index a5ed4a4294f623dd9a23b4709dc11fc232c41fb9..c10b3acaf7ba309548967371108ca71c78165398 100644 --- a/roles/ca/tasks/main.yml +++ b/roles/ca/tasks/main.yml @@ -42,6 +42,7 @@ - "{{ groups['nificontainers'] }}" - "{{ groups['odfeescontainers'] }}" - "{{ groups['odfekibanacontainers'] }}" + - "{{ groups['keycloakcontainers'] }}" environment: EASYRSA_BATCH: 1 EASYRSA_PKI: roles/ca/files/CA 
@@ -57,6 +58,7 @@ - "{{ groups['nificontainers'] }}" - "{{ groups['odfeescontainers'] }}" - "{{ groups['odfekibanacontainers'] }}" + - "{{ groups['keycloakcontainers'] }}" environment: EASYRSA_BATCH: 1 EASYRSA_PKI: roles/ca/files/CA @@ -88,6 +90,7 @@ - "{{ groups['nificontainers'] }}" - "{{ groups['odfeescontainers'] }}" - "{{ groups['odfekibanacontainers'] }}" + - "{{ groups['keycloakcontainers'] }}" environment: EASYRSA_BATCH: 1 EASYRSA_PKI: roles/ca/files/CA @@ -127,6 +130,20 @@ with_items: - "{{ groups['odfekibanacontainers'] }}" +- name: Copy keycloak host certs to keycloak role + copy: + src: roles/ca/files/CA/issued/{{item}}.crt + dest: roles/keycloak/files/{{item}}.crt + with_items: + - "{{ groups['keycloakcontainers'] }}" + +- name: Copy keycloak host keys to keycloak role + copy: + src: roles/ca/files/CA/private/{{item}}.key + dest: roles/keycloak/files/{{item}}.key + with_items: + - "{{ groups['keycloakcontainers'] }}" + - name: Copy truststore to roles copy: src: roles/ca/files/truststore/cacerts.jks @@ -135,11 +152,22 @@ - nifi - odfees - odfekibana + - keycloak + +- name: Copy ca cert to roles + copy: + src: "roles/ca/files/truststore/{{ ca_cn }}.crt" + dest: "roles/{{item}}/files/{{ ca_cn }}.crt" + with_items: + - nifi + - odfees + - odfekibana + - keycloak - name: Check for existing user certificates - command: roles/ca/files/easyrsa/easyrsa show-cert {{item[0] | regex_escape()}} + command: roles/ca/files/easyrsa/easyrsa show-cert {{item.CN | regex_escape()}} with_items: - - "{{nifiadmin}}" + - "{{soctools_users}}" environment: EASYRSA_BATCH: 1 EASYRSA_PKI: roles/ca/files/CA 
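Review bot: `Copy keycloak host keys to keycloak role` writes the container's TLS private key into `roles/keycloak/files/` with no `mode`, so it takes the controller's default umask, and the file sits inside the repository tree; add `mode: '0600'` to the key copy and confirm `roles/*/files/*.key` is git-ignored (the ignore file is not in this diff). The certificate copy above it needs no change.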
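Review bot: `Check for existing user certificates` now iterates `soctools_users`, whose items carry a `password` field, and Ansible prints each loop item in the task output, so every user's password is echoed to the console (and to any log shipping) although the command only uses `item.CN`; add `loop_control: label: "{{ item.CN }}"` or `no_log: true` to the task. The same applies to `Generate user certificates` in the next hunk, whose loop items are identical.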
@@ -147,9 +175,9 @@ ignore_errors: true - name: Generate user certificates - command: roles/ca/files/easyrsa/easyrsa build-client-full {{item[0] | regex_escape()}} nopass + command: roles/ca/files/easyrsa/easyrsa build-client-full {{item.CN | regex_escape()}} nopass with_items: - - "{{nifiadmin}}" + - "{{soctools_users}}" environment: EASYRSA_BATCH: 1 EASYRSA_PKI: roles/ca/files/CA @@ -160,11 +188,11 @@ - name: Export user certificates expect: - command: roles/ca/files/easyrsa/easyrsa export-p12 "{{item[0]}}" + command: roles/ca/files/easyrsa/easyrsa export-p12 "{{item.CN}}" responses: - Enter Export Password: "{{item[1]}}" + Enter Export Password: "{{item.password}}" with_items: - - "{{nifiadmin}}" + - "{{soctools_users}}" environment: EASYRSA_BATCH: 1 EASYRSA_PKI: roles/ca/files/CA diff --git a/roles/docker/tasks/keycloak.yml b/roles/docker/tasks/keycloak.yml new file mode 100644 index 0000000000000000000000000000000000000000..c910408f048a5fa76ace4a47ec1c2d32a314c21f --- /dev/null +++ b/roles/docker/tasks/keycloak.yml @@ -0,0 +1,26 @@ +--- + +- name: Create keycloak containers and connect to network + docker_container: + name: "{{ item }}" + hostname: "{{ item }}" + image: "{{ keycloak_img }}" + networks: + - name: "{{ soctools_netname }}" + networks_cli_compatible: yes + published_ports: + - "12443:8443" + entrypoint: "/bin/bash" + interactive: "yes" + with_items: "{{ groups['keycloakcontainers'] }}" + tags: + - start + +- name: Disconnect keycloak containers from network and remove + docker_container: + name: "{{ item }}" + state: absent + with_items: "{{ groups['keycloakcontainers'] }}" + tags: + - stop + diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 23ced1adceecc87ab1ad3505eb1e34570a47cda8..a92bff6fa58493852c39f1031d5bd72316cbec83 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml 
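Review bot: `Export user certificates` feeds `{{item.password}}` to the export prompt and loops over the full user dicts, so the password appears both in the printed loop item and in the `expect` module's recorded output; add `no_log: true` to this task. The user's Keycloak login password is also reused as the PKCS#12 export password, so one leaked value unlocks both the account and the client key — a separate `p12_password` per user would decouple them.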
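Review bot: The Keycloak container's only process is `entrypoint: "/bin/bash"` with `interactive: "yes"`, so the IdP exists only as a background job that the keycloak role starts afterwards and there is no `restart_policy`; after a Docker or host restart the container comes back (if at all) as an idle shell with no IdP behind port 12443. Either make Keycloak the entrypoint or add `restart_policy: unless-stopped` together with an idempotent start task. `interactive: "yes"` is a string where the module takes a boolean — write `interactive: true`. `published_ports: "12443:8443"` also binds the admin console (`/auth/admin`) on every host interface on the same port the OIDC clients use; a TLS stream proxy cannot filter by path, so restrict that path with a host firewall rule or a dedicated admin listener.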
@@ -5,6 +5,7 @@ - include: nifi.yml - include: odfees.yml - include: odfekibana.yml +- include: keycloak.yml - include: nginx.yml - include: networkremove.yml diff --git a/roles/docker/tasks/odfekibana.yml b/roles/docker/tasks/odfekibana.yml index 33feb906294eeda07eaae6ea2fa001c0a9b91a8b..c24611b8869d7b1163065721d600ae7318356ddc 100644 --- a/roles/docker/tasks/odfekibana.yml +++ b/roles/docker/tasks/odfekibana.yml @@ -16,7 +16,7 @@ tags: - start -- name: Disconnect odfe elasticsearch containers from network and remove +- name: Disconnect odfe kibana containers from network and remove docker_container: name: "{{ item }}" state: absent diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/roles/keycloak/files/.empty b/roles/keycloak/files/.empty new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/roles/keycloak/handlers/main.yml b/roles/keycloak/handlers/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/roles/keycloak/meta/main.yml b/roles/keycloak/meta/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..49ee1459c8375814d56f9dba4264bbebfa8c2831 --- /dev/null +++ b/roles/keycloak/tasks/main.yml 
@@ -0,0 +1,117 @@ +--- + +#- name: Create config directory +# file: +# name: config +# state: directory +# mode: 0700 +# tags: +# - start + +- name: Copy certificates in keycloak x509 conf dir + copy: + src: "{{ item.local }}" + dest: "{{ item.remote }}" + mode: "{{ item.mode}}" + with_items: + - local: "files/{{ inventory_hostname }}.crt" + remote: /etc/x509/https/tls.crt + mode: '0644' + - local: "files/{{ inventory_hostname }}.key" + remote: /etc/x509/https/tls.key + mode: '0600' + - local: "files/{{ ca_cn }}.crt" + remote: /etc/x509/ca/ca.crt + mode: '0644' + - local: "files/gn43wp8t31ca.crt" + remote: /etc/x509/ca/gn43wp8t31ca.crt + mode: '0644' + - local: "files/cacerts.jks" + remote: /opt/jboss/keycloak/cacerts.jks + mode: '0644' + tags: + - start + +- name: Generate Keycloak secure config + command: "/opt/jboss/tools/x509.sh" + environment: + X509_CA_BUNDLE: "/etc/x509/ca/ca.crt /etc/x509/ca/gn43wp8t31ca.crt" + tags: + - start + +- name: Set admin password + command: /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "admin" --password "{{keycloak_adminpass}}" + tags: + - start + +- name: Configure Keycloak start script + template: + src: "{{item}}.j2" + dest: "/opt/jboss/tools/{{item}}" + mode: 0750 + with_items: + - startkeycloak.sh + - initkeycloakrealm.sh + tags: + - start + +#- name: Exit here to test ODFE +# meta: end_play +# tags: +# - start + +- name: Start Keycloak IdP + command: /opt/jboss/tools/startkeycloak.sh + #shell: exec /usr/share/kibana/bin/kibana -c config/kibana.yml & + #shell: "nohup /usr/share/kibana/bin/kibana -c config/kibana.yml &" + tags: + - start + +#- name: Exit here to test Keycloak +# meta: end_play +# tags: +# - start + +- name: Wait for Keycloak + wait_for: + host: "{{groups['keycloakcontainers'][0]}}" + port: 8443 + state: started + delay: 5 + tags: + - start + +#- name: Start Keycloak +# command: /opt/jboss/keycloak/bin/standalone.sh -b 0.0.0.0 +# #shell: exec /usr/share/kibana/bin/kibana -c config/kibana.yml & +# #shell: 
"nohup /usr/share/kibana/bin/kibana -c config/kibana.yml &" +# tags: +# - start + +- name: Initialize Keycloak realm + command: /opt/jboss/tools/initkeycloakrealm.sh + tags: + - start + +- name: Copy secrets from Keycloak + fetch: + src: "{{ item.remote }}" + dest: "{{ item.local }}" + flat: yes + with_items: + - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/nifisecret" + local: "roles/nifi/files/nifisecret" + - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/kibanasecret" + local: "roles/odfekibana/files/kibanasecret" + tags: + - start + +#- name: Exit here to test Keycloak +# meta: end_play +# tags: +# - start + +- name: Stop Keycloak + command: "pkill -SIGTERM -F {{inventory_hostname}}.pid" + tags: + - stop diff --git a/roles/keycloak/templates/initkeycloakrealm.sh.j2 b/roles/keycloak/templates/initkeycloakrealm.sh.j2 new file mode 100644 index 0000000000000000000000000000000000000000..f3f00735140868751405414fa187bccf4d129423 --- /dev/null +++ b/roles/keycloak/templates/initkeycloakrealm.sh.j2 
@@ -0,0 +1,36 @@
+#!/bin/bash -x
+
+exec 6>&1
+exec 7>&2
+exec > /opt/jboss/keycloak/initkeycloak.log 2>&1
+
+
+kcadm.sh config truststore --trustpass {{tspass}} /opt/jboss/keycloak/cacerts.jks
+kcadm.sh config credentials --server https://{{groups['keycloakcontainers'][0]}}:8443/auth --realm master --user admin --password {{keycloak_adminpass}}
+kcadm.sh create realms -b '{ "enabled": "true", "id": "{{openid_realm}}", "realm": "{{openid_realm}}"}'
+kcadm.sh create realms/{{openid_realm}}/authentication/flows/browser/copy -b '{ "id": "browser-x509", "newName": "X.509 Browser" }'
+BROWSERFORM=$(kcadm.sh create realms/{{openid_realm}}/authentication/flows/X.509%20Browser/executions/execution -i -b '{ "provider": "auth-x509-client-username-form" }')
+kcadm.sh create realms/{{openid_realm}}/authentication/executions/${BROWSERFORM}/raise-priority
+kcadm.sh update realms/{{openid_realm}}/authentication/flows/X.509%20Browser/executions -b '{ "id": "'${BROWSERFORM}'", "requirement": "ALTERNATIVE"}'
+kcadm.sh update realms/{{openid_realm}} -b '{"browserFlow": "X.509 Browser"}'
+kcadm.sh create realms/{{openid_realm}}/authentication/executions/${BROWSERFORM}/config -b '{"config":{"x509-cert-auth.mapping-source-selection":"Subject'\''s Common Name","x509-cert-auth.canonical-dn-enabled":"true","x509-cert-auth.serialnumber-hex-enabled":false,"x509-cert-auth.regular-expression":"(.*?)(?:$)","x509-cert-auth.mapper-selection":"Custom Attribute Mapper","x509-cert-auth.mapper-selection.user-attribute-name":"CN","x509-cert-auth.timestamp-validation-enabled":"true","x509-cert-auth.crl-checking-enabled":"","x509-cert-auth.crldp-checking-enabled":false,"x509-cert-auth.crl-relative-path":"crl.pem","x509-cert-auth.ocsp-checking-enabled":"","x509-cert-auth.confirmation-page-disallowed":""},"alias":"x509-form-config"}'
+kcadm.sh create realms/{{openid_realm}}/groups -b '{"name":"GN43WP8T31"}'
+
+{% for user in soctools_users %}
+kcadm.sh create realms/{{openid_realm}}/users -b 
'{"enabled":true,"attributes":{"DN": ["{{user.DN}}"],"CN": ["{{user.CN}}"]},"username":"{{user.username}}","emailVerified":"","email":"{{user.email}}","firstName":"{{user.firstname}}","lastName":"{{user.lastname}}","groups": ["/GN43WP8T31"] }'
+kcadm.sh set-password -r {{openid_realm}} --username {{user.username}} --new-password {{user.password}}
+{% endfor %}
+
+NIFICLIENT=$(kcadm.sh create realms/{{openid_realm}}/clients -i -b '{"enabled":true, "clientId":"dsoclab-nifi","protocol":"openid-connect","clientAuthenticatorType": "client-secret","redirectUris": ["https://{{dslproxy}}:9443/*" ],"webOrigins": [], "publicClient": false }')
+kcadm.sh create realms/{{openid_realm}}/clients/${NIFICLIENT}/protocol-mappers/models -b '{"protocol":"openid-connect","config":{"id.token.claim":"true","access.token.claim":"true","userinfo.token.claim":"true","multivalued":"","aggregate.attrs":"","user.attribute":"DN","claim.name":"DN","jsonType.label":"String"},"name":"SendDN","protocolMapper":"oidc-usermodel-attribute-mapper"}'
+kcadm.sh get realms/{{openid_realm}}/clients/${NIFICLIENT}/client-secret --fields value > /opt/jboss/keycloak/nifisecret
+
+KIBANACLIENT=$(kcadm.sh create realms/{{openid_realm}}/clients -i -b '{"enabled":true, "clientId":"dsoclab-kibana","protocol":"openid-connect","clientAuthenticatorType": "client-secret","rootUrl": "https://{{dslproxy}}:5601","adminUrl": "","redirectUris": ["https://{{dslproxy}}:5601", "https://{{dslproxy}}:5601/auth/openid/login", "https://{{dslproxy}}:5601/app/kibana" ],"webOrigins": [], "publicClient": false }')
+kcadm.sh get realms/{{openid_realm}}/clients/${KIBANACLIENT}/client-secret --fields value > /opt/jboss/keycloak/kibanasecret
+
+
+kcadm.sh config truststore --delete
+
+exec 1>&6 6>&-
+exec 2>&7 7>&-
+
diff --git a/roles/keycloak/templates/startkeycloak.sh.j2 b/roles/keycloak/templates/startkeycloak.sh.j2
new file mode 100644
index 0000000000000000000000000000000000000000..4eaf9f0978486861d8f298fbe2a018064840c488
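Review bot: `#!/bin/bash -x` together with `exec > /opt/jboss/keycloak/initkeycloak.log 2>&1` traces every command into a file, so `--trustpass {{tspass}}`, `--password {{keycloak_adminpass}}`, each user's `--new-password` and both client secrets (the traced `get … client-secret` calls) are persisted in clear text inside the container; drop `-x`, or bracket the credential commands with `set +x` / `set -x`, and run `umask 077` before the `> /opt/jboss/keycloak/nifisecret` and `kibanasecret` redirects so those files are not world-readable. The X.509 browser flow is created with `"x509-cert-auth.crl-checking-enabled":""` and `"x509-cert-auth.ocsp-checking-enabled":""`, so a user certificate revoked in the easyrsa CA keeps authenticating; set CRL checking to `"true"` and ship the CA's CRL at the `crl.pem` path the config already names. `kcadm.sh config credentials` presumably also leaves a login token in `~/.keycloak/kcadm.config` after the script ends — `config truststore --delete` does not clear it, so a `kcadm.sh config credentials --delete`-style cleanup (or removing that file) is worth confirming.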
--- /dev/null +++ b/roles/keycloak/templates/startkeycloak.sh.j2 @@ -0,0 +1,5 @@ +#!/bin/bash -x +/opt/jboss/keycloak/bin/standalone.sh -b 0.0.0.0 > kblog 2>&1 & +# disown + + diff --git a/roles/keycloak/vars/main.yml b/roles/keycloak/vars/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index 69614b2bb47ec777823a6f3028bcd966510a25bf..dd788829fa2006795bbc99017da833b42068eb4b 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -23,6 +23,7 @@ stream { } upstream odfeserv { + hash $remote_addr consistent; {% for odfehost in groups['odfeescontainers'] %} server {{odfehost}}:9200; {% endfor %} @@ -32,24 +33,36 @@ stream { proxy_pass odfeserv; } - upstream nifiservtcp7750 { + upstream keycloakserv { + {% for keycloakhost in groups['keycloakcontainers'] %} + server {{keycloakhost}}:8443; + {% endfor %} + } + server { + listen 10443; + proxy_pass keycloakserv; + } + + {% for port in range(50, 60) %} + upstream nifiservtcp77{{port}} { {% for nifihost in groups['nificontainers'] %} - server {{nifihost}}:7750; + server {{nifihost}}:77{{port}}; {% endfor %} } server { - listen 7750; - proxy_pass nifiservtcp7750; + listen 77{{port}}; + proxy_pass nifiservtcp77{{port}}; } + {% endfor %} - upstream nifiservtcp7751 { + upstream nifiservtcp7771 { {% for nifihost in groups['nificontainers'] %} - server {{nifihost}}:7751; + server {{nifihost}}:7771; {% endfor %} } server { - listen 7751; - proxy_pass nifiservtcp7751; + listen 7771; + proxy_pass nifiservtcp7771; } } diff --git a/roles/nifi/tasks/main.yml b/roles/nifi/tasks/main.yml index b1f8c59c1787f8f1212e087690dcc494adee37e6..1587294a2f3ca4a7f638f4fb252f71705475edf1 100644 --- a/roles/nifi/tasks/main.yml +++ b/roles/nifi/tasks/main.yml 
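Review bot: The script backgrounds `standalone.sh` but records no pid, while the role's stop task in this commit runs `pkill -SIGTERM -F {{inventory_hostname}}.pid`; add `echo $! > {{inventory_hostname}}.pid` after the `&` (in the working directory the stop task runs from) so the two agree. `kblog` is likewise written to whatever the current directory happens to be — give it an absolute path. The stray `# disown` comment and trailing blank lines can go.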
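Review bot: The new `keycloakserv` stream on 10443 is unreferenced: every OIDC consumer in this commit (NiFi's `oidc.discovery.url`, Kibana's `connect_url`, and the ES `openid_connect_url`, which this commit moves from 10443 to 12443) targets `{{dslproxy}}:12443`, the port the Keycloak container publishes directly, so IdP traffic bypasses the proxy while the proxy keeps a second, unmonitored ingress to the IdP. Pick one path: either point the three configs back at 10443 and stop publishing 12443 on the container, or delete this upstream/server pair. Replacing the hand-written NiFi TCP blocks with `range(50, 60)` is fine, but note it opens ten listeners (7750–7759) plus 7771 where only 7750 and 7751 existed before — confirm all of them are intended.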
@@ -1,5 +1,19 @@ --- +- name: Copy cacert to ca-trust dir + remote_user: root + copy: + src: "files/{{ca_cn}}.crt" + dest: /etc/pki/ca-trust/source/anchors/ca.crt + tags: + - start + +- name: Install cacert to root truststore + remote_user: root + command: "update-ca-trust" + tags: + - start + - name: Copy certificates in NiFi conf dir copy: src: "{{ item }}" @@ -19,6 +33,12 @@ tags: - start +- name: Get openid authkey + set_fact: + nifisecret: "{{lookup('file', 'files/nifisecret',convert_data=False) | from_json }}" + tags: + - start + - name: Configure NiFi boostrap properties template: src: bootstrap.conf.j2 diff --git a/roles/nifi/templates/authorizers.xml.j2 b/roles/nifi/templates/authorizers.xml.j2 index fd8fcc7870a6c57f3c0c9340dd9efa75a92da8f4..7852ebfc1b1f4a44559e89afe13077aaa7bf711f 100644 --- a/roles/nifi/templates/authorizers.xml.j2 +++ b/roles/nifi/templates/authorizers.xml.j2 @@ -49,7 +49,7 @@ <property name="Users File">./conf/users.xml</property> <property name="Legacy Authorized Users File"></property> - <property name="Initial User Identity 1">CN={{ nifiadmin[0][0] }}</property> + <property name="Initial User Identity 1">{{soctools_users[0].username}}</property> {% for nifi in groups['nificontainers'] %} <property name="Initial User Identity {{ loop.index +1 }}">CN={{ nifi }}</property> {% endfor %} @@ -252,7 +252,7 @@ <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> <property name="User Group Provider">file-user-group-provider</property> <property name="Authorizations File">./conf/authorizations.xml</property> - <property name="Initial Admin Identity">CN={{ nifiadmin[0][0] }}</property> + <property name="Initial Admin Identity">{{soctools_users[0].username}}</property> <property name="Legacy Authorized Users File"></property> {% for nifi in groups['nificontainers'] %} <property name="Node Identity {{ loop.index }}">CN={{ nifi }}</property> 
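Review bot: `Get openid authkey` stores the Keycloak client secret in a fact via `set_fact`, and facts are shown verbatim in `-v` output and in any callback that records results, so the secret is exposed on every run; add `no_log: true` to the task. The `Install cacert to root truststore` task above it is an unconditional `command`, so it reports `changed` on every start — add `changed_when: false`, or run it from a handler notified by the copy task.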
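Review bot: `Initial Admin Identity` is now the bare `{{soctools_users[0].username}}`, which matches the `preferred_username` claim NiFi is configured to use for OIDC logins, but the same user's client certificate (still issued by the ca role as `CN={{CN}}`) presents the identity `CN=Arne Oslebo`, which no longer maps to any admin — certificate login for the admin silently loses its privileges. If cert login should keep working, add the CN form as a second initial identity (and bump the `loop.index` offset used for the node identities accordingly) or stop exporting the admin's p12 at all; a `nifi.security.identity.mapping` pattern cannot unify the two because `Arne Oslebo` and `arne.oslebo` differ. The `Initial User Identity` hunk above has the same issue.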
diff --git a/roles/nifi/templates/nifi.properties.j2 b/roles/nifi/templates/nifi.properties.j2 index 6830450c0e433a2cc69ee73eb06ca68a53a7d146..426e5ce0d6c5975ff27cef19449d2deea9a93b20 100644 --- a/roles/nifi/templates/nifi.properties.j2 +++ b/roles/nifi/templates/nifi.properties.j2 @@ -165,12 +165,14 @@ nifi.security.ocsp.responder.url= nifi.security.ocsp.responder.certificate= # OpenId Connect SSO Properties # -nifi.security.user.oidc.discovery.url= +nifi.security.user.oidc.discovery.url=https://{{dslproxy}}:12443/auth/realms/{{openid_realm}}/.well-known/openid-configuration nifi.security.user.oidc.connect.timeout=5 secs nifi.security.user.oidc.read.timeout=5 secs -nifi.security.user.oidc.client.id= -nifi.security.user.oidc.client.secret= +nifi.security.user.oidc.client.id=dsoclab-nifi +nifi.security.user.oidc.client.secret={{nifisecret.value}} nifi.security.user.oidc.preferred.jwsalgorithm= +nifi.security.user.oidc.additional.scopes={{openid_scope}} +nifi.security.user.oidc.claim.identifying.user={{openid_subjkey}} # Apache Knox SSO Properties # nifi.security.user.knox.url= diff --git a/roles/odfees/tasks/main.yml b/roles/odfees/tasks/main.yml index e05ae27e16be19e0443e443b8650e73355a82d06..87ee2a129eb0d15797436ab99243448e094f4c2e 100644 --- a/roles/odfees/tasks/main.yml +++ b/roles/odfees/tasks/main.yml @@ -1,5 +1,19 @@ --- +- name: Copy cacert to ca-trust dir + remote_user: root + copy: + src: "files/{{ca_cn}}.crt" + dest: /etc/pki/ca-trust/source/anchors/ca.crt + tags: + - start + +- name: Install cacert to root truststore + remote_user: root + command: "update-ca-trust" + tags: + - start + - name: Create config directory file: name: config @@ -16,7 +30,7 @@ with_items: - "{{ inventory_hostname }}.p12" - cacerts.jks - - "{{nifiadmin.0[0]}}.p12" + - "{{soctools_users[0].CN}}.p12" tags: - start 
@@ -38,6 +52,14 @@ # line: ES_PATH_CONF=/usr/share/elasticsearch/config # tags: # - start + + +#- name: Get openid authkey +# set_fact: +# odfesecret: "{{lookup('file', 'files/odfesecret',convert_data=False) | from_json }}" +# tags: +# - start + - name: Configure odfe properties template: src: "config/{{item}}.j2" @@ -70,6 +92,7 @@ with_items: - internal_users.yml - config.yml + - roles_mapping.yml tags: - start @@ -93,7 +116,7 @@ - start - name: Configure OpenDistro security - command: "bash ./plugins/opendistro_security/tools/securityadmin.sh -h {{groups['odfeescontainers'][0]}} -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -ks '/usr/share/elasticsearch/config/{{nifiadmin.0[0]}}.p12' -kspass {{nifiadmin.0[1]}} -ts /usr/share/elasticsearch/config/cacerts.jks -tspass {{tspass}} -cn dsoclab-cluster" + command: "bash ./plugins/opendistro_security/tools/securityadmin.sh -h {{groups['odfeescontainers'][0]}} -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -ks '/usr/share/elasticsearch/config/{{soctools_users[0].CN}}.p12' -kspass {{soctools_users[0].password}} -ts /usr/share/elasticsearch/config/cacerts.jks -tspass {{tspass}} -cn dsoclab-cluster" when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname" tags: - start diff --git a/roles/odfees/templates/config/elasticsearch.yml.j2 b/roles/odfees/templates/config/elasticsearch.yml.j2 index 928b1ed9f9a75620a0a8c0212ab56eea862998d7..ef61cd36dac6bdefebeaeab66a3c15b97aa3a25d 100644 --- a/roles/odfees/templates/config/elasticsearch.yml.j2 +++ b/roles/odfees/templates/config/elasticsearch.yml.j2 @@ -51,7 +51,7 @@ opendistro_security.ssl.http.truststore_password: {{ tspass }} opendistro_security.allow_unsafe_democertificates: false opendistro_security.allow_default_init_securityindex: false opendistro_security.authcz.admin_dn: - - "CN={{ nifiadmin[0][0] }}" + - "{{soctools_users[0].DN}}" opendistro_security.nodes_dn: {% for odfees in groups['odfeescontainers'] %} 
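Review bot: The `securityadmin.sh` command line now carries `-kspass {{soctools_users[0].password}}` and `-tspass {{tspass}}`, which Ansible records in the task result and which are visible in the container's process list for the duration of the run; add `no_log: true` to the task. The `when:` clause (context here) tests `'{{groups['odfeescontainers'][0]}}' in inventory_hostname`, a substring match that would also fire on a host named `dsoclab-odfe-10`; use `when: inventory_hostname == groups['odfeescontainers'][0]`.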
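Review bot: `authcz.admin_dn` now takes `{{soctools_users[0].DN}}` verbatim, while the certificate the ca role issues for that user is built from the separate `CN` field (`build-client-full {{item.CN}}`); both fields are maintained by hand, and any divergence between them means the p12 no longer matches `admin_dn` and `securityadmin.sh` fails with a permission error. Derive the DN from the CN in the template, `- "CN={{ soctools_users[0].CN }}"`, or drop the redundant `DN` field from the user record.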
diff --git a/roles/odfees/templates/securityconfig/config.yml.j2 b/roles/odfees/templates/securityconfig/config.yml.j2 index ccaf0a2c7902ead40b628b031c30be7e0e628f8c..26e77a4fa806fe68767015fc40ad620117985ac5 100644 --- a/roles/odfees/templates/securityconfig/config.yml.j2 +++ b/roles/odfees/templates/securityconfig/config.yml.j2 @@ -116,10 +116,10 @@ config: config: subject_key: {{openid_subjkey}} roles_key: roles - openid_connect_url: https://{{dslproxy}}:10443/auth/realms/{{openid_realm}}/.well-known/openid-configuration + openid_connect_url: https://{{dslproxy}}:12443/auth/realms/{{openid_realm}}/.well-known/openid-configuration enable_ssl: true verify_hostnames: false - # pemtrustedcas_filepath: /usr/share/elasticsearch/config/dslca.crt + pemtrustedcas_filepath: "/usr/share/elasticsearch/config/{{ca_cn}}.crt" authentication_backend: type: noop proxy_auth_domain: diff --git a/roles/odfees/templates/securityconfig/roles_mapping.yml b/roles/odfees/templates/securityconfig/roles_mapping.yml.j2 similarity index 95% rename from roles/odfees/templates/securityconfig/roles_mapping.yml rename to roles/odfees/templates/securityconfig/roles_mapping.yml.j2 index 4ebe922b2dfd9981022d407c2ddd8a9470a78f7b..e044f14621d63c43a135c56ce3cd6883939ebc8e 100644 --- a/roles/odfees/templates/securityconfig/roles_mapping.yml +++ b/roles/odfees/templates/securityconfig/roles_mapping.yml.j2 @@ -15,7 +15,7 @@ all_access: backend_roles: - "admin" users: - - "bozidar.proevski" + - "{{soctools_users[0].username}}" description: "Maps admin to all_access" own_index: diff --git a/roles/odfekibana/tasks/main.yml b/roles/odfekibana/tasks/main.yml index fa69837af75f25ec5a3956e70f6e72fe103482bb..cef2eed9047c6f4e067a99d6fbc02734215ce72e 100644 --- a/roles/odfekibana/tasks/main.yml +++ b/roles/odfekibana/tasks/main.yml 
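Review bot: `pemtrustedcas_filepath` now pins the private CA, but `verify_hostnames: false` (context, kept) still disables hostname checking on the IdP connection, so any certificate from that CA — including the NiFi or Kibana host certs the same easyrsa CA issues in this commit — can impersonate Keycloak to the OIDC authenticator. The likely reason is that the Keycloak cert is issued to the container hostname while the URL uses `{{dslproxy}}`; issue the Keycloak server cert with `{{dslproxy}}` as a SAN in the ca role and then set `verify_hostnames: true` here. The same consideration applies to NiFi's and Kibana's discovery URLs, which also go through `{{dslproxy}}:12443`.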
@@ -8,6 +8,20 @@ # tags: # - start +- name: Copy cacert to ca-trust dir + remote_user: root + copy: + src: "files/{{ca_cn}}.crt" + dest: /etc/pki/ca-trust/source/anchors/ca.crt + tags: + - start + +- name: Install cacert to root truststore + remote_user: root + command: "update-ca-trust" + tags: + - start + - name: Copy certificates in odfe kibana conf dir copy: src: "{{ item }}" @@ -18,7 +32,14 @@ - "{{ inventory_hostname }}.crt" - "{{ inventory_hostname }}.key" - cacerts.jks -# - "{{nifiadmin.0[0]}}.p12" + - "{{ca_cn}}.crt" + - "{{soctools_users[0].CN}}.p12" + tags: + - start + +- name: Get openid authkey + set_fact: + kibanasecret: "{{lookup('file', 'files/kibanasecret',convert_data=False) | from_json }}" tags: - start diff --git a/roles/odfekibana/templates/kibana.yml.j2 b/roles/odfekibana/templates/kibana.yml.j2 index c1242977e01b7621cb52848505f7a30f65687f68..41a9b66d5b7684aeb8755035722d582512445828 100644 --- a/roles/odfekibana/templates/kibana.yml.j2 +++ b/roles/odfekibana/templates/kibana.yml.j2 
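Review bot: `{{soctools_users[0].CN}}.p12` — the keystore whose subject is the cluster `admin_dn` that `securityadmin.sh` uses — is now copied into the Kibana container, yet nothing in the kibana.yml changes in this commit references it (Kibana talks to ES with its own host cert and users log in via OIDC); shipping the admin's private key to the most exposed container widens the blast radius of a Kibana compromise for no visible use. Remove it from the list unless a consumer exists elsewhere. `Get openid authkey` should also carry `no_log: true`, since the client secret becomes a fact that `-v` output prints.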
@@ -37,16 +37,16 @@ newsfeed.enabled: false telemetry.optIn: false telemetry.enabled: false -#opendistro_security.auth.type: "openid" -#opendistro_security.openid.connect_url: "https://dsldev.gn4-3-wp8-soc.sunet.se:10443/auth/realms/GN43WP8T31SOC1/.well-known/openid-configuration" -#opendistro_security.openid.client_id: "dsoclab-kibana" -#opendistro_security.openid.client_secret: "ccaa137f-2a2b-48ae-bcce-9e1fbcbbf181" -#opendistro_security.openid.root_ca: /usr/share/kibana/config/dslca.crt -## opendistro_security.openid.root_ca: /usr/share/kibana/config/gn43wp8t31ca.crt -#opendistro_security.openid.base_redirect_url: "https://dsldev.gn4-3-wp8-soc.sunet.se:5601" +opendistro_security.auth.type: "openid" +opendistro_security.openid.connect_url: "https://{{dslproxy}}:12443/auth/realms/{{openid_realm}}/.well-known/openid-configuration" +opendistro_security.openid.client_id: "dsoclab-kibana" +opendistro_security.openid.client_secret: "{{kibanasecret.value}}" +opendistro_security.openid.root_ca: "/usr/share/kibana/config/{{ca_cn}}.crt" +opendistro_security.openid.base_redirect_url: "https://{{dslproxy}}:5601" opendistro_security.cookie.secure: true -opendistro_security.cookie.password: "MezgW6l2v9BWi6wEwbEn4gaqJZbWGPSI" +#opendistro_security.cookie.password: "MezgW6l2v9BWi6wEwbEn4gaqJZbWGPSI" +opendistro_security.cookie.password: "{{lookup('password', '/dev/null length=32 chars=ascii_letters,digits,hexdigits')}}" server.ssl.enabled: true #server.ssl.key: /usr/share/kibana/config/{{inventory_hostname}}.key diff --git a/soctools-inventory b/soctools-inventory index dfec58ef286f8d823f1e3388452ef3ff0dc0b7cc..ee70732c83a10dc814738b0a29277f8f10b7fcd6 100644 --- a/soctools-inventory +++ b/soctools-inventory @@ -13,6 +13,9 @@ dsoclab-odfe-2 ansible_connection=docker [odfekibanacontainers] dsoclab-kibana ansible_connection=docker +[keycloakcontainers] +dsoclab-keycloak ansible_connection=docker + [nginx] dsoclab-nginx ansible_connection=docker 
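Review bot: `opendistro_security.cookie.password` is generated by `lookup('password', '/dev/null …')`, which never persists the value, so every run of the start tag — and every host in `odfekibanacontainers` if more than one is added — gets a fresh key and all existing sessions are invalidated; store it once on the controller instead, e.g. `lookup('password', 'roles/odfekibana/files/cookie_password length=32 chars=ascii_letters,digits')`, or use a vaulted variable. `hexdigits` is redundant with `ascii_letters,digits`. The previous hard-coded `MezgW6l2v9BWi6wEwbEn4gaqJZbWGPSI` is still in the file as a comment — a committed secret should be deleted, not commented out.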
diff --git a/startsoctools.yml b/startsoctools.yml index aa8cc1108361c4204e18bbb3928598180a29cb9c..3ddc7dc09f32c58625d0d9145c6d870cc45f3af8 100644 --- a/startsoctools.yml +++ b/startsoctools.yml @@ -10,6 +10,11 @@ roles: - nginx +- name: Reconfigure and start Keycloak + hosts: keycloakcontainers + roles: + - keycloak + - name: Reconfigure and start NiFi hosts: nificontainers roles: