feat(keycloak)!: Add admin, realm & client provisioning #444

Merged
saibotk merged 1 commit from keycloak-provisioning into main 2025-10-26 17:39:54 +01:00
Owner

This changes the Keycloak role to provision the master and an additional user realm. It also creates admin accounts and OAuth clients for the user realm.

Keycloak is now bootstrapped on start.
This causes the playbook to start Keycloak with a random initial password for the admin account if it does not detect a `bootstrapped` file.
This admin user is then instantly replaced with a special ansible service account, which is then used for all future provisioning.

After the bootstrap process is done, we delete the bootstrap env file and the container is retemplated as usual.

Also, we now configure the admin users after Keycloak has started:

  • Create temporary initial password
  • Create new account in master realm
  • Store temporary initial password for user in `initial_passwords` directory
  • Assign admin role

Note: The `keycloak_user` action does not change users after they have been created, so it's safe to execute even when users set their new passwords.

Further, we now also enable brute force protection on the master realm and create a normal realm along with the configured OAuth OpenID-Connect clients.

We do not offer options for all config options for now and only limit ourselves to the necessary and common ones.
We can easily add more variables later on.
Additionally, we also support creating client roles, which can be useful e.g. for tools like Grafana.

At the moment, we only support creating a single custom realm.

Migration hints:

This role expects you to own a master realm and another user realm.
When migrating existing installations, we recommend the following steps.

  • `touch bootstrapped` in the keycloak directory
  • Create a service account for ansible and configure the new provision client secret variable. (Look at the bootstrap playbook for hints on how to create a service account)
  • Configure your user realm in `keycloak_realm`, clients are optional and will not be deleted if none are added
saibotk self-assigned this 2025-10-23 01:05:03 +02:00
feat(keycloak)!: Add admin, realm & client provisioning
Some checks failed
ci/woodpecker/pr/ansible-lint Pipeline failed
d0dd5ee85d
saibotk force-pushed keycloak-provisioning from d0dd5ee85d
Some checks failed
ci/woodpecker/pr/ansible-lint Pipeline failed
to 38c545ee77
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
2025-10-23 01:05:31 +02:00
saibotk force-pushed keycloak-provisioning from 38c545ee77
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
to 7d7f5ad953
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
2025-10-23 01:22:16 +02:00
saibotk force-pushed keycloak-provisioning from 7d7f5ad953
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
to cc2aebcb3e
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
2025-10-26 15:46:20 +01:00
saibotk changed target branch from grafana-keycloak-adjustments to main 2025-10-26 15:47:30 +01:00
histalek approved these changes 2025-10-26 16:34:46 +01:00
Dismissed
histalek left a comment
Owner

LGTM 2 nits and a suggestion :)

@ -36,0 +72,4 @@
# name: "My Application"
# public_client: false
# standard_flow_enabled: true
# direct_access_grants_enabled: false
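Review bot: `# direct_access_grants_enabled: false` in this documented example advertises the Resource Owner Password Credentials grant as a tunable, while the task hard-disables it (see the review comment) and RFC 9700 says that grant MUST NOT be used; drop the line from the example so nobody expects the variable to be honoured, and consider a short comment above the example stating that ROPC and implicit flows are always off.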
Owner

should we really leave this configurable? Seeing that this is the `Resource Owner Password Credentials Grant` which is insecure and MUST NOT be used [1]

[1] https://www.rfc-editor.org/rfc/rfc9700.html#name-resource-owner-password-cre

edit: they are disabled in the task anyway so they should be removed from here

histalek marked this conversation as resolved
@ -36,0 +74,4 @@
# standard_flow_enabled: true
# direct_access_grants_enabled: false
# service_accounts_enabled: false
# implicit_flow_enabled: false
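Review bot: same for `# implicit_flow_enabled: false`; the task forces it off, so listing it as a configurable default misleads, remove it. `# service_accounts_enabled: false` is different: that is the client credentials grant, which is fine to keep configurable and is exactly what the ansible provisioning service account from the migration hints needs.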
Owner

Same here, the implicit flow SHOULD NOT be used [2]

[2] https://www.rfc-editor.org/rfc/rfc9700.html#name-implicit-grant

edit: they are disabled in the task anyway so they should be removed from here

histalek marked this conversation as resolved
@ -0,0 +58,4 @@
- name: Retemplate the container file for bootstrapping
ansible.builtin.template:
src: keycloak.container.j2
dest: "/etc/containers/systemd/keycloak.container"
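Review bot: the bootstrap template writes to the same `dest` as the regular unit file, so a run that fails between this task and the final retemplate leaves a bootstrap-mode unit on disk that is indistinguishable by name; a separate `keycloak-bootstrap.container` (and the resulting `keycloak-bootstrap.service` in the journal) avoids that ambiguity. The four visible lines also set no `mode:` on the template task; since this unit is what starts Keycloak with the initial admin password, give it a restrictive mode if the full task does not already (ansible-lint's risky-file-permissions rule flags template tasks without one).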
Owner

Should we deploy this as `keycloak-bootstrap.container`?

That would make it exceedingly clear what this is intended to do and might be more obvious if something would go wrong.
As a side effect this would also generate a `keycloak-bootstrap.service` file which we can then distinguish in the journal logs

histalek marked this conversation as resolved
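To make the client-provisioning part of the description and the RFC 9700 review points concrete, here is an added example (not the role's or Keycloak's own code): it maps the documented client variables onto a Keycloak ClientRepresentation with the flagged grants always off, builds a realm payload with brute force protection on, and audits a constructed realm export as a pre-migration check. The JSON field names are Keycloak's; the function names, the sample export and the finding texts are assumptions.

```python
"""Added example, not the role's code: Keycloak admin-API payloads with the grants
flagged in review forced off, plus an audit of a pre-existing realm export."""
from typing import Any

# Field names from Keycloak's ClientRepresentation / RealmRepresentation.
ROPC = "directAccessGrantsEnabled"  # Resource Owner Password Credentials: MUST NOT be used
IMPLICIT = "implicitFlowEnabled"    # implicit grant: SHOULD NOT be used


def client_representation(client_id: str, name: str, public_client: bool = False,
                          standard_flow_enabled: bool = True,
                          service_accounts_enabled: bool = False) -> dict[str, Any]:
    """Map the role's documented client variables onto a ClientRepresentation;
    ROPC and implicit are deliberately not parameters, they are always off."""
    return {
        "clientId": client_id, "name": name, "enabled": True,
        "publicClient": public_client,
        "standardFlowEnabled": standard_flow_enabled,
        "serviceAccountsEnabled": service_accounts_enabled,
        ROPC: False, IMPLICIT: False,
    }


def realm_representation(realm: str) -> dict[str, Any]:
    """Realm payload with brute force protection on, as the role does for master."""
    return {"realm": realm, "enabled": True, "bruteForceProtected": True}


def audit_realm(export: dict[str, Any]) -> list[tuple[str, str]]:
    """(subject, finding) pairs for a realm export taken before migrating to the role."""
    findings = []
    if not export.get("bruteForceProtected"):
        findings.append((export.get("realm", "?"), "brute force protection disabled"))
    for c in export.get("clients", []):
        cid = c.get("clientId", "?")
        if c.get(ROPC):
            findings.append((cid, "ROPC grant enabled (RFC 9700: MUST NOT)"))
        if c.get(IMPLICIT):
            findings.append((cid, "implicit flow enabled (RFC 9700: SHOULD NOT)"))
    return findings


# Constructed sample export, shaped like an installation before it adopts this role.
SAMPLE_EXPORT = {
    "realm": "users", "bruteForceProtected": False,
    "clients": [{"clientId": "grafana", ROPC: False, IMPLICIT: False},
                {"clientId": "legacy-app", ROPC: True, IMPLICIT: True}],
}
```

Running `audit_realm` over a real export (the realm's partial export JSON from the admin console) before the migration tells you which legacy clients the new role will not silently fix, since clients not listed in `keycloak_realm` are left untouched.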
saibotk force-pushed keycloak-provisioning from cc2aebcb3e
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
to 965a65264f
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
2025-10-26 17:29:43 +01:00
histalek approved these changes 2025-10-26 17:34:02 +01:00
histalek left a comment
Owner

Noice :)

saibotk force-pushed keycloak-provisioning from 965a65264f
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
to d1b176f56d
Some checks failed
ci/woodpecker/pr/ansible-lint Pipeline failed
2025-10-26 17:37:07 +01:00
saibotk force-pushed keycloak-provisioning from d1b176f56d
Some checks failed
ci/woodpecker/pr/ansible-lint Pipeline failed
to 0685527504
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
ci/woodpecker/push/ansible-lint Pipeline was successful
2025-10-26 17:37:24 +01:00
saibotk deleted branch keycloak-provisioning 2025-10-26 17:39:54 +01:00
Reference
SipsOfCode/infrastructure!444