From 7ca6f8136f5c58d07a493c63310142517ad4ee06 Mon Sep 17 00:00:00 2001
From: Ranabir Chakraborty
Date: Tue, 8 Jul 2025 21:47:43 +0530
Subject: [PATCH] HTTP relative path not reflected in the health_url

---
 molecule/https_revproxy/converge.yml | 1 -
 roles/keycloak_quarkus/defaults/main.yml | 2 ++
 .../keycloak_quarkus/meta/argument_specs.yml | 4 +++
 roles/keycloak_quarkus/tasks/restart.yml | 5 ++++
 roles/keycloak_quarkus/vars/main.yml | 4 ++-
 roles/keycloak_realm/README.md | 28 +++++++++----------
 6 files changed, 28 insertions(+), 16 deletions(-)

diff --git a/molecule/https_revproxy/converge.yml b/molecule/https_revproxy/converge.yml
index 92994fa8..ef5d315d 100644
--- a/molecule/https_revproxy/converge.yml
+++ b/molecule/https_revproxy/converge.yml
@@ -11,6 +11,5 @@
 keycloak_quarkus_http_port: 8080
 keycloak_quarkus_proxy_mode: edge
 keycloak_quarkus_http_relative_path: /
- keycloak_quarkus_health_check_url: http://proxy:8080/realms/master/.well-known/openid-configuration
 roles:
 - role: keycloak_quarkus
diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml
index 2d1326ec..ad600cac 100644
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@@ -116,6 +116,8 @@ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: true
 keycloak_quarkus_metrics_enabled: false
 keycloak_quarkus_health_enabled: true
+keycloak_quarkus_health_check_url_path: "realms/master/.well-known/openid-configuration"
+keycloak_quarkus_http_health_port: 9000
 
 ### caches; must read: https://www.keycloak.org/2024/12/storing-sessions-in-kc26
 ### embedded caches
diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
index 7525c507..533a0964 100644
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
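Review bot: The two new defaults carry no comment, and neither name says how they relate to each other or to the server configuration; from roles/keycloak_quarkus/vars/main.yml in this same commit, `keycloak_quarkus_health_check_url_path` is only used when `keycloak_quarkus_health_enabled` is false, while the port is where `health/ready` is expected to be served. A comment above each, such as `# Port of the management interface (Keycloak http-management-port); health/ready is requested here, not on keycloak_quarkus_http_port` and `# Path appended to the default health URL only when health checks are disabled`, would make that explicit. It is also worth confirming that this value is the same one the role writes into the server's management port setting, since the new check in tasks/restart.yml hardcodes 9000 instead of reading this variable.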
@@ -259,6 +259,10 @@ argument_specs:
 default: true
 description: "If the server should expose health check endpoints on the management interface"
 type: "bool"
+ keycloak_quarkus_http_health_port:
+ default: 9000
+ description: "Port used for the health endpoint when health checks are enabled. This is typically different from the main HTTP port."
+ type: "int"
 keycloak_quarkus_cache_remote:
 description: "Whether to connect to remote cache infinispan server"
 default: false
diff --git a/roles/keycloak_quarkus/tasks/restart.yml b/roles/keycloak_quarkus/tasks/restart.yml
index 3aa97f60..290d186d 100644
--- a/roles/keycloak_quarkus/tasks/restart.yml
+++ b/roles/keycloak_quarkus/tasks/restart.yml
@@ -7,6 +7,11 @@
 daemon_reload: true
 become: true
 
+- name: "Fail if health check URL does not use port 9000 while health is enabled"
+ ansible.builtin.fail:
+ msg: "When `keycloak_quarkus_health_enabled` is true, the health check URL must use port 9000. Current URL: {{ keycloak_quarkus_health_check_url }}"
+ when: keycloak_quarkus_health_enabled | bool and keycloak_quarkus_health_check_url is defined and (keycloak_quarkus_health_check_url | regex_search(':(\\d+)', '\\1') | int) != 9000
+
 - name: "Wait until {{ keycloak.service_name }} service becomes active {{ keycloak.health_url }}"
 ansible.builtin.uri:
 url: "{{ keycloak.health_url }}"
diff --git a/roles/keycloak_quarkus/vars/main.yml b/roles/keycloak_quarkus/vars/main.yml
index 997d7dc1..19a109c7 100644
--- a/roles/keycloak_quarkus/vars/main.yml
+++ b/roles/keycloak_quarkus/vars/main.yml
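Review bot: `keycloak_quarkus_health_check_url_path`, which this commit adds with a default in roles/keycloak_quarkus/defaults/main.yml, gets no entry here, so the spec now documents only one of the two new variables. Since argument_specs drives both option validation and the generated role docs, an entry next to the new port is needed; from vars/main.yml its description is that the path is appended to the default health URL only when `keycloak_quarkus_health_enabled` is false. The port's description could also state that it must match the management port the server is configured with, because the default health URL is built from it. The enclosing options mapping starts and ends outside the hunk.
```yaml
      keycloak_quarkus_health_check_url_path:
        default: "realms/master/.well-known/openid-configuration"
        description: "Path appended to the default health check URL when keycloak_quarkus_health_enabled is false; ignored otherwise (health/ready is used instead)"
        type: "str"
```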
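Review bot: The `when:` on the new fail task looks like it can never pass: `regex_search(':(\\d+)', '\\1')` with a group argument returns a list (`['9000']`), the `int` filter turns a list into its default of 0, and `0 != 9000` is true, so the play stops for every URL whenever health is enabled and `keycloak_quarkus_health_check_url` is set; a URL without an explicit port reaches the same outcome via `None`. The check and the message also hardcode 9000 even though this commit introduces `keycloak_quarkus_http_health_port` for exactly that value, so a user who changes the port can no longer supply a matching URL. The builtin `urlsplit` filter already yields the port as an int or None, so the condition can read `when: keycloak_quarkus_health_enabled | bool and keycloak_quarkus_health_check_url is defined and (keycloak_quarkus_health_check_url | urlsplit('port')) != (keycloak_quarkus_http_health_port | int)` with the message ending `must use the management port {{ keycloak_quarkus_http_health_port }}. Current URL: {{ keycloak_quarkus_health_check_url }}`. The task list this sits in continues outside the hunk.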
@@ -1,10 +1,12 @@
 ---
+keycloak_quarkus_effective_health_path: "{{ 'health/ready' if keycloak_quarkus_health_enabled | bool else keycloak_quarkus_health_check_url_path }}"
+keycloak_quarkus_hostname_stripped: "{{ keycloak_quarkus_hostname | regex_replace('(:\\d+)(?=/|$)', '') }}"
 keycloak: # noqa var-naming this is an internal dict of interpolated values
 home: "{{ keycloak_quarkus_home }}"
 config_dir: "{{ keycloak_quarkus_config_dir }}"
 bundle: "{{ keycloak_quarkus_archive }}"
 service_name: "keycloak"
- health_url: "{{ keycloak_quarkus_health_check_url | default(keycloak_quarkus_hostname ~ '/' ~ (keycloak_quarkus_health_check_url_path | default('realms/master/.well-known/openid-configuration'))) }}"
+ health_url: "{{ keycloak_quarkus_health_check_url | default(((('https://' ~ keycloak_quarkus_hostname_stripped ~ ':' ~ keycloak_quarkus_http_health_port) if not (keycloak_quarkus_hostname.startswith('http://') or keycloak_quarkus_hostname.startswith('https://')) else keycloak_quarkus_hostname_stripped ~ ':' ~ keycloak_quarkus_http_health_port) ~ keycloak_quarkus_http_relative_path ~ keycloak_quarkus_effective_health_path), true) }}"
 cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh"
 service_user: "{{ keycloak_quarkus_service_user }}"
 service_group: "{{ keycloak_quarkus_service_group }}"
diff --git a/roles/keycloak_realm/README.md b/roles/keycloak_realm/README.md
index 2fb89423..d2d97466 100644
--- a/roles/keycloak_realm/README.md
+++ b/roles/keycloak_realm/README.md
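Review bot: The new `health_url` default joins `keycloak_quarkus_http_relative_path` and `keycloak_quarkus_effective_health_path` with no separator, so a relative path without a trailing slash (e.g. `/auth`) produces `.../authhealth/ready`; the removed line inserted `'/'` explicitly. Normalising the two pieces, e.g. `~ (keycloak_quarkus_http_relative_path | regex_replace('/+$', '')) ~ '/' ~ keycloak_quarkus_effective_health_path`, keeps the `/` case working and fixes the other. Two further points worth a look: when `keycloak_quarkus_health_enabled` is false the URL still targets `keycloak_quarkus_http_health_port` but with the realm discovery path, which as far as I know the management interface does not serve, so the readiness wait would fail in that configuration; and a bare hostname is always prefixed with `https://`, which is the safer default but will fail the wait silently if the management interface is served over plain HTTP. An inline comment on `keycloak_quarkus_hostname_stripped` saying it only removes a trailing `:port` from the hostname, and one on `keycloak_quarkus_effective_health_path` saying why the path switches on the health flag, would help readers of this long expression.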
@@ -8,20 +8,20 @@ Create realms and clients in [keycloak](https://keycloak.org/) or [Red Hat Singl
 Role Defaults
 -------------
 
-| Variable | Description | Default |
-|:---------|:------------|:--------|
-|`keycloak_admin_user`| Administration console user account | `admin` |
-|`keycloak_host`| hostname | `localhost` |
-|`keycloak_context`| Context path for rest calls | `/auth` |
-|`keycloak_http_port`| HTTP port | `8080` |
-|`keycloak_https_port`| TLS HTTP port | `8443` |
-|`keycloak_auth_realm`| Name of the main authentication realm | `master` |
-|`keycloak_management_http_port`| Management port | `9990` |
-|`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` |
-|`keycloak_client_public`| Configure a public realm client | `True` |
-|`keycloak_client_web_origins`| Web origins for realm client | `/*` |
-|`keycloak_url`| URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
-|`keycloak_management_url`| URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
+| Variable | Description | Default |
+|:------------------------------------|:-----------------------------------------------------------------|:------------------------------------------------------|
+| `keycloak_admin_user` | Administration console user account | `admin` |
+| `keycloak_host` | hostname | `localhost` |
+| `keycloak_context` | Context path for rest calls | `/auth` |
+| `keycloak_http_port` | HTTP port | `8080` |
+| `keycloak_https_port` | TLS HTTP port | `8443` |
+| `keycloak_auth_realm` | Name of the main authentication realm | `master` |
+| `keycloak_management_http_port` | Management port | `9990` |
+| `keycloak_auth_client` | Authentication client for configuration REST calls | `admin-cli` |
+| `keycloak_client_public` | Configure a public realm client | `True` |
+| `keycloak_client_web_origins` | Web origins for realm client | `/*` |
+| `keycloak_url` | URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
+| `keycloak_quarkus_http_health_port` | Port used for the health endpoint when health checks are enabled | `9000` |
 
 Role Variables