Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x
- Puppet >= 5.0.0 < 7.0.0
- , , ,
Start using this module
Add this module to your Puppetfile:
mod 'treydock-keycloak', '3.7.0'Learn more about managing modules with a PuppetfileDocumentation
puppet-module-keycloak
Table of Contents
- Overview
- Usage - Configuration options
- Reference - Parameter and detailed reference to all options
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Overview
The keycloak module allows easy installation and management of Keycloak.
Upgrade to 3.x
There are several key differences between 2.x and 3.x of this module that were required to support Keycloak 4.x.
- The default version of Keycloak deployed by this module has been bumped to 4.2.1
keycloak_client_templatetype has becomekeycloak_client_scopebut with different properties.- The protocol mapper types had
consent_textandconsent_requiredparameters removed. - The
keycloak::client_templatedefined type is left as a helper but is deprecated.
Supported Versions of Keycloak
| Keycloak Version | Keycloak Puppet module versions |
|---|---|
| 3.x | 2.x |
| 4.x - 6.x | 3.x |
Usage
keycloak
Install Keycloak using default database storage.
class { 'keycloak': }
Install a specific version of Keycloak.
class { 'keycloak':
version => '4.8.1.Final',
}
Upgrading Keycloak version works by changing version parameter as long as the datasource_driver is not the default of h2. An upgrade involves installing the new version without touching the old version, updating the symlink which defaults to /opt/keycloak, applying all changes to new version and then restarting the keycloak service.
If the previous version was 4.2.1.Final using the following will upgrade to 4.9.0.Final:
class { 'keycloak':
version => '4.9.0.Final',
}
Install keycloak and use a local MySQL server for database storage
include mysql::server
class { 'keycloak':
datasource_driver => 'mysql',
datasource_host => 'localhost',
datasource_port => 3306,
datasource_dbname => 'keycloak',
datasource_username => 'keycloak',
datasource_password => 'foobar',
}
The following example can be used to configure keycloak with a local PostgreSQL server. Note that the PostgreSQL driver has to passed through.
include postgresql::server
class { 'keycloak':
datasource_driver => 'postgresql',
datasource_host => 'localhost',
datasource_port => 5432,
datasource_dbname => 'keycloak',
datasource_username => 'keycloak',
datasource_password => 'foobar',
postgresql_jar_file => 'postgresql-42.2.5.jar',
postgresql_jar_source => 'puppet:///modules/custom_module/drivers/postgresql-42.2.5.jar'
}
Configure a SSL certificate truststore and add a LDAP server's certificate to the truststore.
class { 'keycloak':
truststore => true,
truststore_password => 'supersecret',
truststore_hostname_verification_policy => 'STRICT',
}
keycloak::truststore::host { 'ldap1.example.com':
certificate => '/etc/openldap/certs/0a00000.0',
}
Setup Keycloak to proxy through Apache HTTPS.
class { 'keycloak':
proxy_https => true
}
apache::vhost { 'idp.example.com':
servername => 'idp.example.com',
port => '443',
ssl => true,
manage_docroot => false,
docroot => '/var/www/html',
proxy_preserve_host => true,
proxy_pass => [
{'path' => '/', 'url' => 'http://localhost:8080/'}
],
request_headers => [
'set X-Forwarded-Proto "https"',
'set X-Forwarded-Port "443"'
],
ssl_cert => '/etc/pki/tls/certs/idp.example.com/crt',
ssl_key => '/etc/pki/tls/private/idp.example.com.key',
}
Setup a host for theme development so that theme changes don't require a service restart, not recommended for production.
class { 'keycloak':
theme_static_max_age => -1,
theme_cache_themes => false,
theme_cache_templates => false,
}
keycloak_realm
Define a Keycloak realm that uses username and not email for login and to use a local branded theme.
keycloak_realm { 'test':
ensure => 'present',
remember_me => true,
login_with_email_allowed => false,
login_theme => 'my_theme',
}
keycloak_ldap_user_provider
Define a LDAP user provider so that authentication can be performed against LDAP. The example below uses two LDAP servers, disables importing of users and assumes the SSL certificates are trusted and do not require being in the truststore.
keycloak_ldap_user_provider { 'LDAP on test':
ensure => 'present',
users_dn => 'ou=People,dc=example,dc=com',
connection_url => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636',
import_enabled => false,
use_truststore_spi => 'never',
}
NOTE The Id for the above resource would be LDAP-test where the format is ${resource_name}-${realm}.
keycloak_ldap_mapper
Use the LDAP attribute 'gecos' as the full name attribute.
keycloak_ldap_mapper { 'full name for LDAP-test on test:
ensure => 'present',
resource_name => 'full name',
type => 'full-name-ldap-mapper',
ldap_attribute => 'gecos',
}
keycloak_sssd_user_provider
Define SSSD user provider. NOTE This type requires that SSSD be properly configured and Keycloak service restarted after SSSD ifp service is setup. Also requires keycloak class be called with with_sssd_support set to true.
keycloak_sssd_user_provider { 'SSSD on test':
ensure => 'present',
}
keycloak_client
Register a client.
keycloak_client { 'www.example.com':
ensure => 'present',
realm => 'test',
redirect_uris => [
"https://www.example.com/oidc",
"https://www.example.com",
],
client_template => 'oidc-clients',
secret => 'supersecret',
}
keycloak::client_template
Defined type that can be used to define both keycloak_client_scope and keycloak_protocol_mapper resources. The example below will define a client template and several protocol mappers that are built into keycloak.
keycloak::client_template { 'oidc-clients':
realm => 'test',
}
NOTE: This define is deprecated as templates were replaced by client scopes in Keycloak 4.x.
keycloak_client_scope
Define a Client Scope of email for realm test in Keycloak:
keycloak_client_scope { 'email on test':
protocol => 'openid-connect',
}
keycloak_protocol_mapper
Associate a Protocol Mapper to a given Client Scope. The name in the following example will add the email protocol mapper to client scope oidc-email in the realm test.
keycloak_protocol_mapper { "email for oidc-email on test":
claim_name => 'email',
user_attribute => 'email',
}
keycloak_client_protocol_mapper
Add email protocol mapper to test.example.com client in realm test
keycloak_client_protocol_mapper { "email for test.example.com on test":
claim_name => 'email',
user_attribute => 'email',
}
keycloak_api
The keycloak_api type can be used to define how this module's types access the Keycloak API if this module is only used for the types/providers and the module's kcadm-wrapper.sh is not installed.
keycloak_api { 'keycloak'
install_base => '/opt/keycloak',
server => 'http://localhost:8080/auth',
realm => 'master',
user => 'admin',
password => 'changeme',
}
The path for install_base will be joined with bin/kcadm.sh to produce the full path to kcadm.sh.
Reference
http://treydock.github.io/puppet-module-keycloak/
Limitations
This module has been tested on:
- CentOS 7 x86_64
- Debian 9 x86_64
- RedHat 7 x86_64
Development
Testing
Testing requires the following dependencies:
- rake
- bundler
Install gem dependencies
bundle install
Run unit tests
bundle exec rake test
If you have Vagrant >= 1.2.0 installed you can run system tests
bundle exec rake beaker
Reference
Table of Contents
Classes
Public Classes
keycloak: Manage Keycloakkeycloak::config: Private class.keycloak::datasource::h2: Private class.keycloak::datasource::oracle: Private class.keycloak::datasource::postgresql: Private class.keycloak::install: Private class.keycloak::params: Private class.keycloak::service: Private class.keycloak::sssd: Private class.
Private Classes
keycloak::datasource::mysql: Manage MySQL datasource
Defined types
keycloak::client_template: Manage Keycloak client templatekeycloak::truststore::host: Add host to Keycloak truststore
Resource types
keycloak_api: Type that configures API connection parameters for other keycloak types that use the Keycloak API.keycloak_client: Manage Keycloak clientskeycloak_client_protocol_mapper: Manage Keycloak protocol mapperskeycloak_client_scope: Manage Keycloak client scopeskeycloak_conn_validator: Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to prekeycloak_ldap_mapper: Manage Keycloak LDAP attribute mapperskeycloak_ldap_user_provider: Manage Keycloak LDAP user providerskeycloak_protocol_mapper: Manage Keycloak protocol mapperskeycloak_realm: Manage Keycloak realmskeycloak_sssd_user_provider: Manage Keycloak SSSD user providers
Classes
keycloak
Manage Keycloak
Examples
include ::keycloak
Parameters
The following parameters are available in the keycloak class.
version
Data type: String
Version of Keycloak to install and manage.
Default is 4.2.1.Final.
Default value: '4.2.1.Final'
package_url
Data type: Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]]
URL of the Keycloak download. Default is based on version.
Default value: undef
install_dir
Data type: Stdlib::Absolutepath
Parent directory of where to install Keycloak.
Default is /opt.
Default value: '/opt'
service_name
Data type: String
Keycloak service name.
Default is keycloak.
Default value: $keycloak::params::service_name
service_ensure
Data type: String
Keycloak service ensure property.
Default is running.
Default value: 'running'
service_enable
Data type: Boolean
Keycloak service enable property.
Default is true.
Default value: true
service_hasstatus
Data type: Boolean
Keycloak service hasstatus parameter.
Default is true.
Default value: $keycloak::params::service_hasstatus
service_hasrestart
Data type: Boolean
Keycloak service hasrestart parameter.
Default is true.
Default value: $keycloak::params::service_hasrestart
service_java_opts
Data type: Optional[Variant[String, Array]]
Sets additional options to Java virtual machine environment variable.
Default value: undef
manage_user
Data type: Boolean
Defines if the module should manage the Linux user for Keycloak installation
Default value: true
user
Data type: String
Keycloak user name.
Default is keycloak.
Default value: 'keycloak'
group
Data type: String
Keycloak user group name.
Default is keycloak.
Default value: 'keycloak'
user_uid
Data type: Optional[Integer]
Keycloak user UID.
Default is undef.
Default value: undef
group_gid
Data type: Optional[Integer]
Keycloak user group GID.
Default is undef.
Default value: undef
admin_user
Data type: String
Keycloak administrative username.
Default is admin.
Default value: 'admin'
admin_user_password
Data type: String
Keycloak administrative user password.
Default is changeme.
Default value: 'changeme'
manage_datasource
Data type: Boolean
Boolean that determines if configured datasource will be managed.
Only applies when datasource_driver is mysql.
Default is true.
Default value: true
datasource_driver
Data type: Enum['h2', 'mysql', 'oracle', 'postgresql']
Datasource driver to use for Keycloak.
Valid values are h2, mysql, 'oracle' and 'postgresql'
Default is h2.
Default value: 'h2'
datasource_host
Data type: Optional[String]
Datasource host.
Only used when datasource_driver is mysql, 'oracle' or 'postgresql'
Default is localhost for MySQL.
Default value: undef
datasource_port
Data type: Optional[Integer]
Datasource port.
Only used when datasource_driver is mysql, 'oracle' or 'postgresql'
Default is 3306 for MySQL.
Default value: undef
datasource_url
Data type: Optional[String]
Datasource url. Default datasource URLs are defined in init class.
Default value: undef
datasource_dbname
Data type: String
Datasource database name.
Default is keycloak.
Default value: 'keycloak'
datasource_username
Data type: String
Datasource user name.
Default is sa.
Default value: 'sa'
datasource_password
Data type: String
Datasource user password.
Default is sa.
Default value: 'sa'
proxy_https
Data type: Boolean
Boolean that sets if HTTPS proxy should be enabled.
Set to true if proxying traffic through Apache.
Default is false.
Default value: false
truststore
Data type: Boolean
Boolean that sets if truststore should be used.
Default is false.
Default value: false
truststore_hosts
Data type: Hash
Hash that is used to define keycloak::turststore::host resources.
Default is {}.
Default value: {}
truststore_password
Data type: String
Truststore password.
Default is keycloak.
Default value: 'keycloak'
truststore_hostname_verification_policy
Data type: Enum['WILDCARD', 'STRICT', 'ANY']
Valid values are WILDCARD, STRICT, and ANY.
Default is WILDCARD.
Default value: 'WILDCARD'
http_port
Data type: Integer
HTTP port used by Keycloak.
Default is 8080.
Default value: 8080
theme_static_max_age
Data type: Integer
Max cache age in seconds of static content.
Default is 2592000.
Default value: 2592000
theme_cache_themes
Data type: Boolean
Boolean that sets if themes should be cached.
Default is true.
Default value: true
theme_cache_templates
Data type: Boolean
Boolean that sets if templates should be cached.
Default is true.
Default value: true
realms
Data type: Hash
Hash that is used to define keycloak_realm resources.
Default is {}.
Default value: {}
client_templates
Data type: Hash
Hash that is used to define keycloak::client_template resources.
Default is {}.
Default value: {}
oracle_jar_file
Data type: Optional[String]
Oracle JDBC driver to use. Only use if $datasource_driver is set to oracle Default is not defined
Default value: undef
oracle_jar_source
Data type: Optional[String]
Source for Oracle JDBC driver - could be puppet link or local file on the node. Only use if $datasource_driver is set to oracle Default is not set
Default value: undef
postgresql_jar_file
Data type: Optional[String]
PostgresQL JDBC driver to use. Only use if $datasource_driver is set to postgresql Default is not defined
Default value: undef
postgresql_jar_source
Data type: Optional[String]
Source for PostgresQL JDBC driver - could be puppet link or local file on the node. Only use if $datasource_driver is set to postgresql Default is not set
Default value: undef
with_sssd_support
Data type: Boolean
Boolean that determines if SSSD user provider support should be available
Default value: false
libunix_dbus_java_source
Data type: Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]
Source URL of libunix-dbus-java
Default value: $keycloak::params::libunix_dbus_java_source
install_libunix_dbus_java_build_dependencies
Data type: Boolean
Boolean that determines of libunix-dbus-java build dependencies are managed by this module
Default value: true
libunix_dbus_java_build_dependencies
Data type: Array
Packages needed to build libunix-dbus-java
Default value: $keycloak::params::libunix_dbus_java_build_dependencies
libunix_dbus_java_libdir
Data type: Stdlib::Absolutepath
Path to directory to install libunix-dbus-java libraries
Default value: $keycloak::params::libunix_dbus_java_libdir
jna_package_name
Data type: String
Package name for jna
Default value: $keycloak::params::jna_package_name
manage_sssd_config
Data type: Boolean
Boolean that determines if SSSD ifp config for Keycloak is managed
Default value: true
sssd_ifp_user_attributes
Data type: Array
user_attributes to define for SSSD ifp service
Default value: []
restart_sssd
Data type: Boolean
Boolean that determines if SSSD should be restarted
Default value: true
service_environment_file
Data type: Optional[Stdlib::Absolutepath]
Path to the file with environment variables for the systemd service
Default value: undef
keycloak::config
Private class.
keycloak::datasource::h2
Private class.
keycloak::datasource::oracle
Private class.
Parameters
The following parameters are available in the keycloak::datasource::oracle class.
jar_file
Data type: Any
Default value: $keycloak::oracle_jar_file
jar_source
Data type: Any
Default value: $keycloak::oracle_jar_source
module_source
Data type: Any
Default value: 'puppet:///modules/keycloak/database/oracle/module.xml'
keycloak::datasource::postgresql
Private class.
Parameters
The following parameters are available in the keycloak::datasource::postgresql class.
jar_file
Data type: Any
Default value: $keycloak::postgresql_jar_file
jar_source
Data type: Any
Default value: $keycloak::postgresql_jar_source
module_source
Data type: Any
Default value: 'keycloak/database/postgresql/module.xml.erb'
keycloak::install
Private class.
keycloak::params
Private class.
keycloak::service
Private class.
keycloak::sssd
Private class.
Defined types
keycloak::client_template
Manage Keycloak client template
Examples
keycloak::client_template { 'oidc-clients':
realm => 'test',
}
Parameters
The following parameters are available in the keycloak::client_template defined type.
realm
Data type: String
Realm of the client template.
resource_name
Data type: String
Name of the client template resource
Default value: $name
protocol
Data type: Enum['openid-connect', 'saml']
The protocol of the client template.
Default value: 'openid-connect'
keycloak::truststore::host
Add host to Keycloak truststore
Examples
keycloak::truststore::host { 'ldap1.example.com':
certificate => '/etc/openldap/certs/0a00000.0',
}
Parameters
The following parameters are available in the keycloak::truststore::host defined type.
certificate
Data type: String
Path to host certificate
ensure
Data type: Enum['latest', 'present', 'absent']
Host ensure value passed to java_ks resource.
Default value: 'latest'
Resource types
keycloak_api
Type that configures API connection parameters for other keycloak types that use the Keycloak API.
Examples
Define API access
keycloak_api { 'keycloak'
install_base => '/opt/keycloak',
server => 'http://localhost:8080/auth',
realm => 'master',
user => 'admin',
password => 'changeme',
}
Parameters
The following parameters are available in the keycloak_api type.
name
namevar
Keycloak API config
install_base
Install location of Keycloak
server
Auth URL for Keycloak server
Default value: http://localhost:8080/auth
realm
Realm for authentication
Default value: master
user
User for authentication
Default value: admin
password
Password for authentication
Default value: changeme
use_wrapper
Valid values: true, false
Boolean that determines if kcadm_wrapper.sh should be used
Default value: false
keycloak_client
Manage Keycloak clients
Examples
Add a OpenID Connect client
keycloak_client { 'www.example.com':
ensure => 'present',
realm => 'test',
redirect_uris => [
"https://www.example.com/oidc",
"https://www.example.com",
],
default_client_scopes => ['profile','email'],
secret => 'supersecret',
}
Properties
The following properties are available in the keycloak_client type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
protocol
Valid values: openid-connect, saml
protocol
Default value: openid-connect
client_authenticator_type
clientAuthenticatorType
Default value: client-secret
default_client_scopes
defaultClientScopes
Default value: []
optional_client_scopes
optionalClientScopes
Default value: []
full_scope_allowed
Valid values: true, false
fullScopeAllowed
Default value: true
enabled
Valid values: true, false
enabled
Default value: true
direct_access_grants_enabled
Valid values: true, false
enabled
Default value: true
public_client
Valid values: true, false
enabled
Default value: false
redirect_uris
redirectUris
Default value: []
web_origins
webOrigins
Default value: []
Parameters
The following parameters are available in the keycloak_client type.
name
namevar
The client name
client_id
clientId. Defaults to name.
id
Id. Defaults to client_id
realm
realm
secret
secret
keycloak_client_protocol_mapper
Manage Keycloak protocol mappers
Examples
Add email protocol mapper to test.example.com client in realm test
keycloak_client_protocol_mapper { "email for test.example.com on test":
claim_name => 'email',
user_attribute => 'email',
}
Properties
The following properties are available in the keycloak_client_protocol_mapper type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
protocol
Valid values: openid-connect, saml
protocol
Default value: openid-connect
user_attribute
user.attribute. Default to resource_name for type oidc-usermodel-property-mapper or saml-user-property-mapper
json_type_label
json.type.label. Default to String for type oidc-usermodel-property-mapper.
friendly_name
friendly.name. Default to resource_name for type saml-user-property-mapper.
attribute_name
attribute.name Default to resource_name for type saml-user-property-mapper.
claim_name
claim.name
id_token_claim
Valid values: true, false
id.token.claim. Default to true for protocol openid-connect.
access_token_claim
Valid values: true, false
access.token.claim. Default to true for protocol openid-connect.
userinfo_token_claim
Valid values: true, false
userinfo.token.claim. Default to true for protocol openid-connect.
attribute_nameformat
attribute.nameformat
single
Valid values: true, false
single. Default to false for type saml-role-list-mapper.
Parameters
The following parameters are available in the keycloak_client_protocol_mapper type.
name
namevar
The protocol mapper name
id
Id.
resource_name
The protocol mapper name. Defaults to name.
client
client
realm
realm
type
Valid values: oidc-usermodel-property-mapper, oidc-full-name-mapper, saml-user-property-mapper, saml-role-list-mapper
protocolMapper.
Default is oidc-usermodel-property-mapper for protocol openid-connect and
saml-user-property-mapper for protocol saml.
keycloak_client_scope
Manage Keycloak client scopes
Examples
Define a OpenID Connect client scope in the test realm
keycloak_client_scope { 'email on test':
protocol => 'openid-connect',
}
Properties
The following properties are available in the keycloak_client_scope type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
protocol
Valid values: openid-connect, saml
protocol
Default value: openid-connect
consent_screen_text
consent.screen.text
display_on_consent_screen
Valid values: true, false
display.on.consent.screen
Default value: true
Parameters
The following parameters are available in the keycloak_client_scope type.
name
namevar
The client scope name
resource_name
The client scope name. Defaults to name.
id
Id. Defaults to resource_name.
realm
realm
keycloak_conn_validator
Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to prevent configuration changes from being applied if the keycloak server cannot be reached, but it could potentially be used for other purposes such as monitoring.
Properties
The following properties are available in the keycloak_conn_validator type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
Parameters
The following parameters are available in the keycloak_conn_validator type.
name
namevar
An arbitrary name used as the identity of the resource.
keycloak_server
The DNS name or IP address of the server where keycloak should be running.
Default value: localhost
keycloak_port
The port that the keycloak server should be listening on.
Default value: 8080
use_ssl
Whether the connection will be attemped using https
Default value: false
test_url
URL to use for testing if the Keycloak database is up
Default value: /auth/admin/serverinfo
timeout
The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds.
Default value: 30
keycloak_ldap_mapper
Manage Keycloak LDAP attribute mappers
Examples
Add full name attribute mapping
keycloak_ldap_mapper { 'full name for LDAP-test on test:
ensure => 'present',
type => 'full-name-ldap-mapper',
ldap_attribute => 'gecos',
}
Properties
The following properties are available in the keycloak_ldap_mapper type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
ldap_attribute
ldap.attribute
user_model_attribute
user.model.attribute
is_mandatory_in_ldap
is.mandatory.in.ldap. Defaults to false unless type is full-name-ldap-mapper.
always_read_value_from_ldap
Valid values: true, false
always.read.value.from.ldap. Defaults to true if type is user-attribute-ldap-mapper.
read_only
Valid values: true, false
read.only
Default value: true
write_only
Valid values: true, false
write.only. Defaults to false if type is full-name-ldap-mapper.
Parameters
The following parameters are available in the keycloak_ldap_mapper type.
name
namevar
The LDAP mapper name
id
Id.
resource_name
The LDAP mapper name. Defaults to name
type
Valid values: user-attribute-ldap-mapper, full-name-ldap-mapper
providerId
Default value: user-attribute-ldap-mapper
realm
realm
ldap
parentId
keycloak_ldap_user_provider
Manage Keycloak LDAP user providers
Examples
Add LDAP user provider to test realm
keycloak_ldap_user_provider { 'LDAP on test':
ensure => 'present',
users_dn => 'ou=People,dc=example,dc=com',
connection_url => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636',
import_enabled => false,
use_truststore_spi => 'never',
}
Properties
The following properties are available in the keycloak_ldap_user_provider type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
enabled
Valid values: true, false
enabled
Default value: true
auth_type
Valid values: none, simple
authType
Default value: none
edit_mode
Valid values: READ_ONLY, WRITABLE, UNSYNCED
editMode
Default value: READ_ONLY
vendor
Valid values: ad, rhds, tivoli, eDirectory, other
vendor
Default value: other
use_truststore_spi
Valid values: always, ldapsOnly, never
useTruststoreSpi
Default value: ldapsOnly
users_dn
usersDn
connection_url
connectionUrl
priority
priority
Default value: 0
batch_size_for_sync
batchSizeForSync
Default value: 1000
username_ldap_attribute
usernameLdapAttribute
Default value: uid
rdn_ldap_attribute
rdnLdapAttribute
Default value: uid
uuid_ldap_attribute
uuidLdapAttribute
Default value: entryUUID
bind_dn
bindDn
bind_credential
bindCredential
import_enabled
Valid values: true, false
importEnabled
Default value: true
use_kerberos_for_password_authentication
Valid values: true, false
useKerberosForPasswordAuthentication
user_object_classes
userObjectClasses
Default value: ['inetOrgPerson', 'organizationalPerson']
search_scope
Valid values: one, one_level, subtree, 1, 2, 1, 2
searchScope
custom_user_search_filter
Valid values: /.*/, absent
customUserSearchFilter
Default value: absent
Parameters
The following parameters are available in the keycloak_ldap_user_provider type.
name
namevar
The LDAP user provider name
resource_name
The LDAP user provider name. Defaults to name.
id
Id. Defaults to "resource_name-realm"
realm
parentId
keycloak_protocol_mapper
Manage Keycloak protocol mappers
Examples
Add email protocol mapper to oidc-client client scope in realm test
keycloak_protocol_mapper { "email for oidc-clients on test":
claim_name => 'email',
user_attribute => 'email',
}
Properties
The following properties are available in the keycloak_protocol_mapper type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
protocol
Valid values: openid-connect, saml
protocol
Default value: openid-connect
user_attribute
user.attribute. Default to resource_name for type oidc-usermodel-property-mapper or saml-user-property-mapper
json_type_label
json.type.label. Default to String for type oidc-usermodel-property-mapper.
friendly_name
friendly.name. Default to resource_name for type saml-user-property-mapper.
attribute_name
attribute.name Default to resource_name for type saml-user-property-mapper.
claim_name
claim.name
id_token_claim
Valid values: true, false
id.token.claim. Default to true for protocol openid-connect.
access_token_claim
Valid values: true, false
access.token.claim. Default to true for protocol openid-connect.
userinfo_token_claim
Valid values: true, false
userinfo.token.claim. Default to true for protocol openid-connect.
attribute_nameformat
attribute.nameformat
single
Valid values: true, false
single. Default to false for type saml-role-list-mapper.
Parameters
The following parameters are available in the keycloak_protocol_mapper type.
name
namevar
The protocol mapper name
id
Id.
resource_name
The protocol mapper name. Defaults to name.
client_scope
client scope
realm
realm
type
Valid values: oidc-usermodel-property-mapper, oidc-full-name-mapper, saml-user-property-mapper, saml-role-list-mapper
protocolMapper.
Default is oidc-usermodel-property-mapper for protocol openid-connect and
saml-user-property-mapper for protocol saml.
keycloak_realm
Manage Keycloak realms
Examples
Add a realm with a custom theme
keycloak_realm { 'test':
ensure => 'present',
remember_me => true,
login_with_email_allowed => false,
login_theme => 'my_theme',
}
Properties
The following properties are available in the keycloak_realm type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
display_name
displayName
display_name_html
displayNameHtml
login_theme
loginTheme
Default value: keycloak
account_theme
accountTheme
Default value: keycloak
admin_theme
adminTheme
Default value: keycloak
email_theme
emailTheme
Default value: keycloak
enabled
Valid values: true, false
enabled
Default value: true
remember_me
Valid values: true, false
rememberMe
Default value: false
login_with_email_allowed
Valid values: true, false
loginWithEmailAllowed
Default value: true
default_client_scopes
Default Client Scopes
optional_client_scopes
Optional Client Scopes
events_enabled
Valid values: true, false
eventsEnabled
Default value: false
events_expiration
eventsExpiration
events_listeners
eventsListeners
Default value: ['jboss-logging']
admin_events_enabled
Valid values: true, false
adminEventsEnabled
Default value: false
admin_events_details_enabled
Valid values: true, false
adminEventsDetailsEnabled
Default value: false
Parameters
The following parameters are available in the keycloak_realm type.
name
namevar
The realm name
id
Id. Default to name.
keycloak_sssd_user_provider
Manage Keycloak SSSD user providers
Examples
Add SSSD user provider to test realm
keycloak_sssd_user_provider { 'SSSD on test':
ensure => 'present',
}
Properties
The following properties are available in the keycloak_sssd_user_provider type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
enabled
Valid values: true, false
enabled
Default value: true
priority
priority
Default value: 0
cache_policy
Valid values: DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, NO_CACHE
cachePolicy
Default value: DEFAULT
eviction_day
evictionDay
eviction_hour
evictionHour
eviction_minute
evictionMinute
max_lifespan
maxLifespan
Parameters
The following parameters are available in the keycloak_sssd_user_provider type.
name
namevar
The SSSD user provider name
resource_name
The SSSD user provider name. Defaults to name.
id
Id. Defaults to "resource_name-realm"
realm
parentId
treydock-keycloak changelog
3.7.0 (2019-05-20)
Implemented enhancements:
3.6.1 (2019-05-13)
Fixed bugs:
3.6.0 (2019-05-06)
Implemented enhancements:
Closed issues:
- Upgrading Keycloak does not execute migration scripts #52
Merged pull requests:
3.5.0 (2019-04-09)
Implemented enhancements:
3.4.0 (2019-02-25)
Implemented enhancements:
- JAVA_OPTS via systemd unit Environment variable #51 (danifr)
- Add option for service environment file #50 (asieraguado)
Closed issues:
service\_java\_optsparameter not actually being used #49- Dependency error while installing Keycloak from scratch #48
3.3.0 (2019-01-28)
Implemented enhancements:
Fixed bugs:
- Fix keycloak_ldap_mapper id handling and write_only property #46 (treydock)
- Fix PuppetX usage for keycloak_ldap_mapper #45 (treydock)
Closed issues:
- keycloak_ldap_mapper with user-attribute-ldap-mapper #44
Merged pull requests:
3.2.0 (2018-12-21)
Implemented enhancements:
- Support SSSD User Provider #42 (treydock)
- Add enabled property to keycloak_ldap_user_provider #41 (treydock)
3.1.0 (2018-12-13)
Implemented enhancements:
- Bump dependency ranges for stdlib and mysql #40 (treydock)
- Support Puppet 6 and drop support for Puppet 4 #39 (treydock)
- Use beaker 4.x #37 (treydock)
Fixed bugs:
3.0.0 (2018-08-14)
Merged pull requests:
- BREAKING: Major overhaul to support Keycloak 4.x #32 (treydock)
- Update module dependency version ranges #35 (treydock)
Implemented enhancements:
- Support Keycloak 4.x #31
2.7.1 (2018-08-14)
Fixed bugs:
2.7.0 (2018-08-14)
Implemented enhancements:
2.6.0 (2018-07-20)
Implemented enhancements:
- Add search_scope and custom_user_search_filter properties to keycloak_ldap_user_provider type #29 (treydock)
Closed issues:
- Support customUserSearchFilter #25
Merged pull requests:
- Use puppet-strings for documentation #30 (treydock)
- Fix for keycloak_protocol_mapper type property and type unit test improvements #28 (treydock)
- Explicitly define all type properties #27 (treydock)
- Improve acceptance tests #26 (treydock)
2.5.0 (2018-07-18)
Implemented enhancements:
- Support setting auth_type=simple related properties for keycloak_ldap_user_provider type #24 (treydock)
Closed issues:
- bindDn and bindCredential for keycloak_ldap_user_provider #23
2.4.0 (2018-06-04)
Implemented enhancements:
Closed issues:
- Are the types in this module compatible with biemond/wildfly? #20
2.3.1 (2018-03-10)
Fixed bugs:
- Fix title patterns that use procs are not supported #21 (alexjfisher)
2.3.0 (2018-03-08)
Implemented enhancements:
- Allow keycloak_protocol_mapper attribute_nameformat to be simpler values #18 (treydock)
- Add SAML username protocol mapper to keycloak::client_template #17 (treydock)
- Support SAML role list protocol mapper #16 (treydock)
- Add SAML support to keycloak_protocol_mapper and keycloak::client_template #15 (treydock)
Fixed bugs:
2.2.1 (2018-02-27)
Fixed bugs:
2.2.0 (2018-02-26)
Implemented enhancements:
2.1.0 (2018-02-22)
Implemented enhancements:
- Increase minimum java dependency to 2.2.0 to to support Debian 9. Update unit tests to test all supported OSes #12 (treydock)
- Symlink instead of copy mysql connector. puppetlabs/mysql 5 compatibility #11 (NITEMAN)
- Add support for http port configuration #9 (NITEMAN)
- Add Debian 9 support #8 (NITEMAN)
Fixed bugs:
2.0.1 (2017-12-18)
Fixed bugs:
2.0.0 (2017-12-11)
Implemented enhancements:
- BREAKING: Remove deprecated defined types #6 (treydock)
- Add always_read_value_from_ldap property to keycloak_ldap_mapper #5 (treydock)
- BREAKING: Set default version to 3.4.1.Final #4 (treydock)
- BREAKING: Drop Puppet 3 support #3 (treydock)
1.0.0 (2017-09-05)
Initial release using custom types and providers
Changes since 0.0.1:
- Add keycloak_realm type that deprecates keycloak::realm
- Add keycloak_ldap_user_provider that deprecates keycloak::user_federation::ldap
- Add keycloak_ldap_mapper that deprecates keycloak::user_federation::ldap_mapper
- Add keycloak_client that deprecates keycloak::client
- Add keycloak_client_template and keycloak_protocol_mapper types
- Update keycloak::client_template to use keycloak_client_template and keycloak_protocol_mapper types
- Add symlink /opt/keycloak that points to currently managed keycloak install
- Add kcadm-wrapper.sh to install's bin directory which is used by custom types/providers
0.0.1 (2017-08-11)
Initial release
Dependencies
- puppetlabs/stdlib (>= 4.15.0 <6.0.0)
- puppetlabs/mysql (>= 3.0.0 <8.0.0)
- puppetlabs/java (>= 2.2.0 <4.0.0)
- puppetlabs/java_ks (>= 1.0.0 <3.0.0)
- puppet/archive (>= 0.5.1 <4.0.0)
- camptocamp/systemd (>= 0.4.0 <3.0.0)
Copyright (C) 2017 <FULL NAME> <EMAIL>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.