Version information
This version is compatible with:
- Puppet Enterprise 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >= 4.7.0 < 6.0.0
Start using this module
Add this module to your Puppetfile:
mod 'treydock-keycloak', '2.7.0'
puppet-module-keycloak
Table of Contents
- Overview
- Usage - Configuration options
- Reference - Parameter and detailed reference to all options
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Overview
The keycloak module allows easy installation and management of Keycloak.
Usage
keycloak
Install Keycloak using default database storage.
class { 'keycloak': }
Install Keycloak and use a local MySQL server for database storage.
include mysql::server
class { 'keycloak':
datasource_driver => 'mysql',
datasource_host => 'localhost',
datasource_port => 3306,
datasource_dbname => 'keycloak',
datasource_username => 'keycloak',
datasource_password => 'foobar',
}
Configure an SSL certificate truststore and add an LDAP server's certificate to the truststore.
class { 'keycloak':
truststore => true,
truststore_password => 'supersecret',
truststore_hostname_verification_policy => 'STRICT',
}
keycloak::truststore::host { 'ldap1.example.com':
certificate => '/etc/openldap/certs/0a00000.0',
}
Set up Keycloak to proxy through Apache HTTPS.
class { 'keycloak':
proxy_https => true
}
apache::vhost { 'idp.example.com':
servername => 'idp.example.com',
port => '443',
ssl => true,
manage_docroot => false,
docroot => '/var/www/html',
proxy_preserve_host => true,
proxy_pass => [
{'path' => '/', 'url' => 'http://localhost:8080/'}
],
request_headers => [
'set X-Forwarded-Proto "https"',
'set X-Forwarded-Port "443"'
],
ssl_cert => '/etc/pki/tls/certs/idp.example.com.crt',
ssl_key => '/etc/pki/tls/private/idp.example.com.key',
}
Set up a host for theme development so that theme changes don't require a service restart; this is not recommended for production.
class { 'keycloak':
theme_static_max_age => -1,
theme_cache_themes => false,
theme_cache_templates => false,
}
keycloak_realm
Define a Keycloak realm that uses the username rather than the email address for login and uses a locally branded theme.
keycloak_realm { 'test':
ensure => 'present',
remember_me => true,
login_with_email_allowed => false,
login_theme => 'my_theme',
}
keycloak_ldap_user_provider
Define an LDAP user provider so that authentication can be performed against LDAP. The example below uses two LDAP servers, disables importing of users and assumes the SSL certificates are trusted and do not require being in the truststore.
keycloak_ldap_user_provider { 'LDAP on test':
ensure => 'present',
users_dn => 'ou=People,dc=example,dc=com',
connection_url => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636',
import_enabled => false,
use_truststore_spi => 'never',
}
NOTE: The Id for the above resource would be LDAP-test, where the format is ${resource_name}-${realm}.
keycloak_ldap_mapper
Use the LDAP attribute 'gecos' as the full name attribute.
keycloak_ldap_mapper { 'full name for LDAP-test on test':
ensure => 'present',
resource_name => 'full name',
type => 'full-name-ldap-mapper',
ldap_attribute => 'gecos',
}
keycloak_client
Register a client.
keycloak_client { 'www.example.com':
ensure => 'present',
realm => 'test',
redirect_uris => [
"https://www.example.com/oidc",
"https://www.example.com",
],
client_template => 'oidc-clients',
secret => 'supersecret',
}
keycloak::client_template
Defined type that can be used to define both keycloak_client_template and keycloak_protocol_mapper resources. The example below will define a client template and several protocol mappers that are built into Keycloak.
keycloak::client_template { 'oidc-clients':
realm => 'test',
}
keycloak_client_template
Define a Client Template in Keycloak:
keycloak_client_template { 'oidc-clients':
realm => 'test',
resource_name => 'oidc-clients',
protocol => 'openid-connect',
full_scope_allowed => true,
}
keycloak_protocol_mapper
Associate a Protocol Mapper to a given template. The name in the following example will add the email protocol mapper to client template oidc-clients in the realm test.
keycloak_protocol_mapper { "email for oidc-clients on test":
consent_text => '${email}',
claim_name => 'email',
user_attribute => 'email',
}
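As an added illustration of the title conventions used above for keycloak_ldap_user_provider ('LDAP on test'), keycloak_ldap_mapper ('full name for LDAP-test on test') and keycloak_protocol_mapper ('email for oidc-clients on test'), and of the ${resource_name}-${realm} Id format from the note, here is a small Ruby parser; it is not the module's own title_patterns code, and the regexes are an assumption that reproduces the documented title forms.

```ruby
# Added illustration of this module's resource title conventions, not code
# from the module itself. The regexes are an assumption that reproduces the
# documented forms:
#   keycloak_ldap_user_provider: '<resource_name> on <realm>'
#   keycloak_ldap_mapper:        '<resource_name> for <ldap id> on <realm>'
#   keycloak_protocol_mapper:    '<resource_name> for <client_template> on <realm>'
# and the documented provider Id format "${resource_name}-${realm}".
# Realm and parent names are assumed to contain no spaces; resource names may.

# Parse '<resource_name> on <realm>' into its parts; returns nil on no match.
def parse_on_title(title)
  m = /\A(?<resource_name>.+?) on (?<realm>[^ ]+)\z/.match(title)
  return nil unless m
  { resource_name: m[:resource_name], realm: m[:realm] }
end

# Parse '<resource_name> for <parent> on <realm>'. The parent is the LDAP
# provider Id for keycloak_ldap_mapper, or the client template name for
# keycloak_protocol_mapper.
def parse_for_on_title(title)
  m = /\A(?<resource_name>.+?) for (?<parent>[^ ]+) on (?<realm>[^ ]+)\z/.match(title)
  return nil unless m
  { resource_name: m[:resource_name], parent: m[:parent], realm: m[:realm] }
end

# Id of an LDAP user provider, "${resource_name}-${realm}", as the README notes.
def ldap_provider_id(resource_name, realm)
  "#{resource_name}-#{realm}"
end

# Check that a mapper title refers to the Id the provider title yields and that
# both sit in the same realm; a mismatch here is a typo that would make the
# mapper target a non-existent provider.
def mapper_matches_provider?(provider_title, mapper_title)
  p = parse_on_title(provider_title)
  m = parse_for_on_title(mapper_title)
  return false if p.nil? || m.nil?
  m[:parent] == ldap_provider_id(p[:resource_name], p[:realm]) && m[:realm] == p[:realm]
end
```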
keycloak_api
The keycloak_api type can be used to define how this module's types access the Keycloak API if this module is only used for the types/providers and the module's kcadm-wrapper.sh is not installed.
keycloak_api { 'keycloak':
install_base => '/opt/keycloak',
server => 'http://localhost:8080/auth',
realm => 'master',
user => 'admin',
password => 'changeme',
}
The path for install_base will be joined with bin/kcadm.sh to produce the full path to kcadm.sh.
Reference
http://treydock.github.io/puppet-module-keycloak/
Limitations
This module has been tested on:
- CentOS 7 x86_64
- Debian 9 x86_64
- RedHat 7 x86_64
Development
Testing
Testing requires the following dependencies:
- rake
- bundler
Install gem dependencies
bundle install
Run unit tests
bundle exec rake test
If you have Vagrant >= 1.2.0 installed, you can run system tests
bundle exec rake beaker
Reference
Table of Contents
Classes
Public Classes
- keycloak: Manage Keycloak
- keycloak::config: Private class.
- keycloak::datasource::h2: Private class.
- keycloak::install: Private class.
- keycloak::params: Private class.
- keycloak::service: Private class.
Private Classes
- keycloak::datasource::mysql: Manage MySQL datasource
Defined types
- keycloak::client_template: Manage Keycloak client template
- keycloak::truststore::host: Add host to Keycloak truststore
Resource types
- keycloak_api: Type that configures API connection parameters for other keycloak types that use the Keycloak API.
- keycloak_client: Manage Keycloak clients
- keycloak_client_template: Manage Keycloak client templates
- keycloak_conn_validator: Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to prevent configuration changes from being applied if the keycloak server cannot be reached.
- keycloak_ldap_mapper: Manage Keycloak LDAP attribute mappers
- keycloak_ldap_user_provider: Manage Keycloak LDAP user providers
- keycloak_protocol_mapper: Manage Keycloak protocol mappers
- keycloak_realm: Manage Keycloak realms
Classes
keycloak
Manage Keycloak
Examples
include ::keycloak
Parameters
The following parameters are available in the keycloak class.
version
Data type: String
Version of Keycloak to install and manage. Default is 3.4.1.Final.
Default value: '3.4.1.Final'
package_url
Data type: Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]]
URL of the Keycloak download. Default is based on version.
Default value: undef
install_dir
Data type: Stdlib::Absolutepath
Parent directory of where to install Keycloak. Default is /opt.
Default value: '/opt'
service_name
Data type: String
Keycloak service name. Default is keycloak.
Default value: $keycloak::params::service_name
service_ensure
Data type: String
Keycloak service ensure property. Default is running.
Default value: 'running'
service_enable
Data type: Boolean
Keycloak service enable property. Default is true.
Default value: true
service_hasstatus
Data type: Boolean
Keycloak service hasstatus parameter. Default is true.
Default value: $keycloak::params::service_hasstatus
service_hasrestart
Data type: Boolean
Keycloak service hasrestart parameter. Default is true.
Default value: $keycloak::params::service_hasrestart
user
Data type: String
Keycloak user name. Default is keycloak.
Default value: 'keycloak'
group
Data type: String
Keycloak user group name. Default is keycloak.
Default value: 'keycloak'
user_uid
Data type: Optional[Integer]
Keycloak user UID. Default is undef.
Default value: undef
group_gid
Data type: Optional[Integer]
Keycloak user group GID. Default is undef.
Default value: undef
admin_user
Data type: String
Keycloak administrative username. Default is admin.
Default value: 'admin'
admin_user_password
Data type: String
Keycloak administrative user password. Default is changeme.
Default value: 'changeme'
manage_datasource
Data type: Boolean
Boolean that determines if the configured datasource will be managed. Only applies when datasource_driver is mysql. Default is true.
Default value: true
datasource_driver
Data type: Enum['h2', 'mysql']
Datasource driver to use for Keycloak. Valid values are h2 and mysql. Default is h2.
Default value: 'h2'
datasource_host
Data type: Optional[String]
Datasource host. Only used when datasource_driver is mysql. Default is localhost for MySQL.
Default value: undef
datasource_port
Data type: Optional[Integer]
Datasource port. Only used when datasource_driver is mysql. Default is 3306 for MySQL.
Default value: undef
datasource_dbname
Data type: String
Datasource database name. Default is keycloak.
Default value: 'keycloak'
datasource_username
Data type: String
Datasource user name. Default is sa.
Default value: 'sa'
datasource_password
Data type: String
Datasource user password. Default is sa.
Default value: 'sa'
proxy_https
Data type: Boolean
Boolean that sets if HTTPS proxy should be enabled. Set to true if proxying traffic through Apache. Default is false.
Default value: false
truststore
Data type: Boolean
Boolean that sets if truststore should be used. Default is false.
Default value: false
truststore_hosts
Data type: Hash
Hash that is used to define keycloak::truststore::host resources. Default is {}.
Default value: {}
truststore_password
Data type: String
Truststore password. Default is keycloak.
Default value: 'keycloak'
truststore_hostname_verification_policy
Data type: Enum['WILDCARD', 'STRICT', 'ANY']
Valid values are WILDCARD, STRICT, and ANY. Default is WILDCARD.
Default value: 'WILDCARD'
http_port
Data type: Integer
HTTP port used by Keycloak. Default is 8080.
Default value: 8080
theme_static_max_age
Data type: Integer
Max cache age in seconds of static content. Default is 2592000.
Default value: 2592000
theme_cache_themes
Data type: Boolean
Boolean that sets if themes should be cached. Default is true.
Default value: true
theme_cache_templates
Data type: Boolean
Boolean that sets if templates should be cached. Default is true.
Default value: true
realms
Data type: Hash
Hash that is used to define keycloak_realm resources. Default is {}.
Default value: {}
client_templates
Data type: Hash
Hash that is used to define keycloak::client_template resources. Default is {}.
Default value: {}
service_java_opts
Data type: Variant[String, Array]
Default value: $keycloak::params::service_java_opts
keycloak::config
Private class.
keycloak::datasource::h2
Private class.
keycloak::install
Private class.
keycloak::params
Private class.
keycloak::service
Private class.
Defined types
keycloak::client_template
Manage Keycloak client template
Examples
keycloak::client_template { 'oidc-clients':
realm => 'test',
}
Parameters
The following parameters are available in the keycloak::client_template defined type.
realm
Data type: String
Realm of the client template.
resource_name
Data type: String
Name of the client template resource
Default value: $name
protocol
Data type: Enum['openid-connect', 'saml']
The protocol of the client template.
Default value: 'openid-connect'
full_scope_allowed
Data type: Boolean
full_scope_allowed property for the keycloak_client_template resource.
Default value: true
keycloak::truststore::host
Add host to Keycloak truststore
Examples
keycloak::truststore::host { 'ldap1.example.com':
certificate => '/etc/openldap/certs/0a00000.0',
}
Parameters
The following parameters are available in the keycloak::truststore::host defined type.
certificate
Data type: String
Path to host certificate
ensure
Data type: Enum['latest', 'present', 'absent']
Host ensure value passed to the java_ks resource.
Default value: 'latest'
Resource types
keycloak_api
Type that configures API connection parameters for other keycloak types that use the Keycloak API.
Examples
Define API access
keycloak_api { 'keycloak':
install_base => '/opt/keycloak',
server => 'http://localhost:8080/auth',
realm => 'master',
user => 'admin',
password => 'changeme',
}
Parameters
The following parameters are available in the keycloak_api type.
name
namevar
Keycloak API config
install_base
Install location of Keycloak
server
Auth URL for Keycloak server
Default value: http://localhost:8080/auth
realm
Realm for authentication
Default value: master
user
User for authentication
Default value: admin
password
Password for authentication
Default value: changeme
use_wrapper
Valid values: true, false
Boolean that determines if kcadm_wrapper.sh should be used
Default value: false
keycloak_client
Manage Keycloak clients
Examples
Add an OpenID Connect client
keycloak_client { 'www.example.com':
ensure => 'present',
realm => 'test',
redirect_uris => [
"https://www.example.com/oidc",
"https://www.example.com",
],
client_template => 'oidc-clients',
secret => 'supersecret',
}
Properties
The following properties are available in the keycloak_client type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
protocol
Valid values: openid-connect, saml
protocol
Default value: openid-connect
client_authenticator_type
clientAuthenticatorType
Default value: client-secret
client_template
clientTemplate
enabled
Valid values: true, false
enabled
Default value: true
direct_access_grants_enabled
Valid values: true, false
enabled
Default value: true
public_client
Valid values: true, false
enabled
Default value: false
redirect_uris
redirectUris
Default value: []
web_origins
webOrigins
Default value: []
Parameters
The following parameters are available in the keycloak_client type.
name
namevar
The client name
client_id
clientId
id
Id
realm
realm
secret
secret
keycloak_client_template
Manage Keycloak client templates
Examples
Define an OpenID Connect client template in the test realm
keycloak_client_template { 'oidc-clients on test':
protocol => 'openid-connect',
full_scope_allowed => true,
}
Properties
The following properties are available in the keycloak_client_template type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
protocol
Valid values: openid-connect, saml
protocol
Default value: openid-connect
full_scope_allowed
Valid values: true, false
fullScopeAllowed
Default value: true
Parameters
The following parameters are available in the keycloak_client_template type.
name
namevar
The client template name
resource_name
The client template name
id
Id
realm
realm
keycloak_conn_validator
Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to prevent configuration changes from being applied if the keycloak server cannot be reached, but it could potentially be used for other purposes such as monitoring.
Properties
The following properties are available in the keycloak_conn_validator type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
Parameters
The following parameters are available in the keycloak_conn_validator type.
name
namevar
An arbitrary name used as the identity of the resource.
keycloak_server
The DNS name or IP address of the server where keycloak should be running.
Default value: localhost
keycloak_port
The port that the keycloak server should be listening on.
Default value: 8080
use_ssl
Whether the connection will be attempted using https
Default value: false
test_url
URL to use for testing if the Keycloak database is up
Default value: /auth/admin/serverinfo
timeout
The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds.
Default value: 30
keycloak_ldap_mapper
Manage Keycloak LDAP attribute mappers
Examples
Add full name attribute mapping
keycloak_ldap_mapper { 'full name for LDAP-test on test':
ensure => 'present',
type => 'full-name-ldap-mapper',
ldap_attribute => 'gecos',
}
Properties
The following properties are available in the keycloak_ldap_mapper type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
ldap_attribute
ldapAttribute
user_model_attribute
userModelAttribute
is_mandatory_in_ldap
is.mandatory.in.ldap
always_read_value_from_ldap
Valid values: true, false
always.read.value.from.ldap
read_only
Valid values: true, false
readOnly
Default value: true
write_only
Valid values: true, false
writeOnly
Default value: false
Parameters
The following parameters are available in the keycloak_ldap_mapper type.
name
namevar
The LDAP mapper name
id
Id
resource_name
The LDAP mapper name
type
Valid values: user-attribute-ldap-mapper, full-name-ldap-mapper
providerId
Default value: user-attribute-ldap-mapper
realm
realm
ldap
parentId
keycloak_ldap_user_provider
Manage Keycloak LDAP user providers
Examples
Add LDAP user provider to test realm
keycloak_ldap_user_provider { 'LDAP on test':
ensure => 'present',
users_dn => 'ou=People,dc=example,dc=com',
connection_url => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636',
import_enabled => false,
use_truststore_spi => 'never',
}
Properties
The following properties are available in the keycloak_ldap_user_provider type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
auth_type
Valid values: none, simple
authType
Default value: none
edit_mode
Valid values: READ_ONLY, WRITABLE, UNSYNCED
editMode
Default value: READ_ONLY
vendor
Valid values: ad, rhds, tivoli, eDirectory, other
vendor
Default value: other
use_truststore_spi
Valid values: always, ldapsOnly, never
useTruststoreSpi
Default value: ldapsOnly
users_dn
usersDn
connection_url
connectionUrl
priority
priority
Default value: 0
batch_size_for_sync
batchSizeForSync
Default value: 1000
username_ldap_attribute
usernameLdapAttribute
Default value: uid
rdn_ldap_attribute
rdnLdapAttribute
Default value: uid
uuid_ldap_attribute
uuidLdapAttribute
Default value: entryUUID
bind_dn
bindDn
bind_credential
bindCredential
import_enabled
Valid values: true, false
importEnabled
Default value: true
use_kerberos_for_password_authentication
Valid values: true, false
useKerberosForPasswordAuthentication
user_object_classes
userObjectClasses
Default value: ['inetOrgPerson', 'organizationalPerson']
search_scope
Valid values: one, one_level, subtree, 1, 2, 1, 2
searchScope
custom_user_search_filter
Valid values: /.*/, absent
customUserSearchFilter
Default value: absent
Parameters
The following parameters are available in the keycloak_ldap_user_provider type.
name
namevar
The LDAP user provider name
resource_name
The LDAP user provider name
id
Id
realm
parentId
keycloak_protocol_mapper
Manage Keycloak protocol mappers
Examples
Add email protocol mapper to the oidc-clients client template in realm test
keycloak_protocol_mapper { "email for oidc-clients on test":
consent_text => '${email}',
claim_name => 'email',
user_attribute => 'email',
}
Properties
The following properties are available in the keycloak_protocol_mapper type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
protocol
Valid values: openid-connect, saml
protocol
Default value: openid-connect
user_attribute
user.attribute
json_type_label
json.type.label
friendly_name
friendly.name
attribute_name
attribute.name
consent_text
consentText
claim_name
claim.name
consent_required
Valid values: true, false
consentRequired
Default value: true
id_token_claim
Valid values: true, false
id.token.claim
access_token_claim
Valid values: true, false
access.token.claim
userinfo_token_claim
Valid values: true, false
userinfo.token.claim
attribute_nameformat
attribute.nameformat
single
Valid values: true, false
single
Parameters
The following parameters are available in the keycloak_protocol_mapper type.
name
namevar
The protocol mapper name
id
Id
resource_name
The protocol mapper name
client_template
client template
realm
realm
type
Valid values: oidc-usermodel-property-mapper, oidc-full-name-mapper, saml-user-property-mapper, saml-role-list-mapper
protocolMapper
keycloak_realm
Manage Keycloak realms
Examples
Add a realm with a custom theme
keycloak_realm { 'test':
ensure => 'present',
remember_me => true,
login_with_email_allowed => false,
login_theme => 'my_theme',
}
Properties
The following properties are available in the keycloak_realm type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
display_name
displayName
display_name_html
displayNameHtml
login_theme
loginTheme
Default value: keycloak
account_theme
accountTheme
Default value: keycloak
admin_theme
adminTheme
Default value: keycloak
email_theme
emailTheme
Default value: keycloak
enabled
Valid values: true, false
enabled
Default value: true
remember_me
Valid values: true, false
rememberMe
Default value: false
login_with_email_allowed
Valid values: true, false
loginWithEmailAllowed
Default value: true
Parameters
The following parameters are available in the keycloak_realm type.
name
namevar
The realm name
id
Id
treydock-keycloak changelog
2.7.0 (2018-08-14)
Implemented enhancements:
2.6.0 (2018-07-20)
Implemented enhancements:
- Add search_scope and custom_user_search_filter properties to keycloak_ldap_user_provider type #29 (treydock)
Closed issues:
- Support customUserSearchFilter #25
Merged pull requests:
- Use puppet-strings for documentation #30 (treydock)
- Fix for keycloak_protocol_mapper type property and type unit test improvements #28 (treydock)
- Explicitly define all type properties #27 (treydock)
- Improve acceptance tests #26 (treydock)
2.5.0 (2018-07-18)
Implemented enhancements:
- Support setting auth_type=simple related properties for keycloak_ldap_user_provider type #24 (treydock)
Closed issues:
- bindDn and bindCredential for keycloak_ldap_user_provider #23
2.4.0 (2018-06-04)
Implemented enhancements:
Closed issues:
- Are the types in this module compatible with biemond/wildfly? #20
2.3.1 (2018-03-10)
Fixed bugs:
- Fix title patterns that use procs are not supported #21 (alexjfisher)
2.3.0 (2018-03-08)
Implemented enhancements:
- Allow keycloak_protocol_mapper attribute_nameformat to be simpler values #18 (treydock)
- Add SAML username protocol mapper to keycloak::client_template #17 (treydock)
- Support SAML role list protocol mapper #16 (treydock)
- Add SAML support to keycloak_protocol_mapper and keycloak::client_template #15 (treydock)
Fixed bugs:
2.2.1 (2018-02-27)
Fixed bugs:
2.2.0 (2018-02-26)
Implemented enhancements:
2.1.0 (2018-02-22)
Implemented enhancements:
- Increase minimum java dependency to 2.2.0 to to support Debian 9. Update unit tests to test all supported OSes #12 (treydock)
- Symlink instead of copy mysql connector. puppetlabs/mysql 5 compatibility #11 (NITEMAN)
- Add support for http port configuration #9 (NITEMAN)
- Add Debian 9 support #8 (NITEMAN)
Fixed bugs:
2.0.1 (2017-12-18)
Fixed bugs:
2.0.0 (2017-12-11)
Implemented enhancements:
- BREAKING: Remove deprecated defined types #6 (treydock)
- Add always_read_value_from_ldap property to keycloak_ldap_mapper #5 (treydock)
- BREAKING: Set default version to 3.4.1.Final #4 (treydock)
- BREAKING: Drop Puppet 3 support #3 (treydock)
1.0.0 (2017-09-05)
Initial release using custom types and providers
Changes since 0.0.1:
- Add keycloak_realm type that deprecates keycloak::realm
- Add keycloak_ldap_user_provider that deprecates keycloak::user_federation::ldap
- Add keycloak_ldap_mapper that deprecates keycloak::user_federation::ldap_mapper
- Add keycloak_client that deprecates keycloak::client
- Add keycloak_client_template and keycloak_protocol_mapper types
- Update keycloak::client_template to use keycloak_client_template and keycloak_protocol_mapper types
- Add symlink /opt/keycloak that points to currently managed keycloak install
- Add kcadm-wrapper.sh to install's bin directory which is used by custom types/providers
0.0.1 (2017-08-11)
Initial release
Dependencies
- puppetlabs/stdlib (>= 4.15.0 <5.0.0)
- puppetlabs/mysql (>= 3.0.0 <6.0.0)
- puppetlabs/java (>= 2.2.0 <3.0.0)
- puppetlabs/java_ks (>= 1.0.0 <2.0.0)
- puppet/archive (>= 0.5.1 <3.0.0)
- camptocamp/systemd (>= 0.4.0 <2.0.0)
Copyright (C) 2017 <FULL NAME> <EMAIL> Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.