From 3e28b3f4f792a5f5027078e063446ec56ff3ff10 Mon Sep 17 00:00:00 2001
From: Deven Phillips
Date: Wed, 17 Apr 2024 16:52:18 -0400
Subject: [PATCH 1/4] Added hostname-strict-https option
---
 roles/keycloak_quarkus/templates/keycloak.conf.j2 | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/roles/keycloak_quarkus/templates/keycloak.conf.j2 b/roles/keycloak_quarkus/templates/keycloak.conf.j2
index 6c9433e3..f31e1100 100644
--- a/roles/keycloak_quarkus/templates/keycloak.conf.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.conf.j2
@@ -10,6 +10,10 @@ db-password={{ keycloak_quarkus_db_pass }}
 {% endif %}
 {% endif %}
 
+{% if keycloak_quarkus_hostname_strict_https -%}
+hostname-strict-https={{ keycloak_quarkus_hostname_strict_https }}
+{% endif -%}
+
 {% if keycloak.config_key_store_enabled %}
 # Config store
 config-keystore={{ keycloak_quarkus_config_key_store_file }}
From 47e6644fdd165d6f1307003a70aadb22666c90b5 Mon Sep 17 00:00:00 2001
From: Deven Phillips
Date: Wed, 17 Apr 2024 16:57:52 -0400
Subject: [PATCH 2/4] Ensure that value for keycloak_quarkus_hostname_strict_https is boolean, otherwise ignore it
---
 roles/keycloak_quarkus/templates/keycloak.conf.j2 | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/roles/keycloak_quarkus/templates/keycloak.conf.j2 b/roles/keycloak_quarkus/templates/keycloak.conf.j2
index f31e1100..3b064b11 100644
--- a/roles/keycloak_quarkus/templates/keycloak.conf.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.conf.j2
@@ -10,8 +10,11 @@ db-password={{ keycloak_quarkus_db_pass }}
 {% endif %}
 {% endif %}
 
-{% if keycloak_quarkus_hostname_strict_https -%}
-hostname-strict-https={{ keycloak_quarkus_hostname_strict_https }}
+{% if keycloak_quarkus_hostname_strict_https and keycloak_quarkus_hostname_strict_https is sameas true -%}
+hostname-strict-https=true
+{% endif -%}
+{% if keycloak_quarkus_hostname_strict_https and keycloak_quarkus_hostname_strict_https is sameas false -%}
+hostname-strict-https=false
 {% endif -%}
 
 {% if keycloak.config_key_store_enabled %}
From b8cba487acc71c0cfa7858b61aac3c5c82a94699 Mon Sep 17 00:00:00 2001
From: Deven Phillips
Date: Thu, 18 Apr 2024 13:15:46 -0400
Subject: [PATCH 3/4] Add better error trapping for booleans
---
 roles/keycloak_quarkus/templates/keycloak.conf.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/keycloak_quarkus/templates/keycloak.conf.j2 b/roles/keycloak_quarkus/templates/keycloak.conf.j2
index 3b064b11..86d6628c 100644
--- a/roles/keycloak_quarkus/templates/keycloak.conf.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.conf.j2
@@ -10,10 +10,10 @@ db-password={{ keycloak_quarkus_db_pass }}
 {% endif %}
 {% endif %}
 
-{% if keycloak_quarkus_hostname_strict_https and keycloak_quarkus_hostname_strict_https is sameas true -%}
+{% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas true -%}
 hostname-strict-https=true
 {% endif -%}
-{% if keycloak_quarkus_hostname_strict_https and keycloak_quarkus_hostname_strict_https is sameas false -%}
+{% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is sameas false -%}
 hostname-strict-https=false
 {% endif -%}
 
From 04bb465992924576186787f5fdc75d147e33c23e Mon Sep 17 00:00:00 2001
From: Deven Phillips
Date: Fri, 19 Apr 2024 09:55:08 -0400
Subject: [PATCH 4/4] Added argument specs
---
 roles/keycloak_quarkus/meta/argument_specs.yml | 6 ++++++
 1 file changed, 6 insertions(+)
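Review bot: The two `{% if %}` blocks on the new side of the PATCH 3/4 hunk are copies of each other that differ only in the literal they emit; now that `is defined` guards both, a single block `{% if keycloak_quarkus_hostname_strict_https is defined and keycloak_quarkus_hostname_strict_https is boolean -%}` / `hostname-strict-https={{ keycloak_quarkus_hostname_strict_https | lower }}` / `{% endif -%}` renders the same `true`/`false` text and leaves one condition to maintain. Whichever shape is kept, a value that is not a real boolean (for example the string "false" from an inventory or extra-vars) is still dropped without any message here, so the line is simply absent from keycloak.conf and Keycloak's built-in default for the option takes over. The file already uses `# ...` section comments, so a line such as `# hostname-strict-https is emitted only when the variable is a true boolean; any other value is ignored and Keycloak's default applies` above the block would make that visible to whoever is debugging an unexpected HTTPS-enforcement setting. The series declares no default for this variable (its diffstats touch only this template and argument_specs.yml), which the same comment should mention.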
diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
index 7a74e643..a07b1a92 100644
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -338,6 +338,12 @@ argument_specs:
 description: >
 If the route should be attached to cookies to reflect the node that owns a particular session.
 If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy
+ keycloak_quarkus_hostname_strict_https:
+ type: "bool"
+ description: >
+ By default, Keycloak requires running using TLS/HTTPS. If the service MUST run without TLS/HTTPS, then set
+ this option to "true"
+
 downstream:
 options:
 rhbk_version:
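Review bot: The added description for `keycloak_quarkus_hostname_strict_https` reads inverted relative to the Keycloak option it feeds: as far as Keycloak documents `hostname-strict-https`, `true` forces frontend URLs onto the https scheme and `false` relaxes that requirement, so telling operators to set "true" in order to run without TLS would have the opposite effect, and read the other way it invites `false` on a deployment that meant to keep enforcement. Suggested wording: `Whether Keycloak forces frontend URLs to use the https scheme (Keycloak's hostname-strict-https option, which defaults to true).` followed by `Set to false only behind a TLS-terminating reverse proxy that forwards the original scheme, or for a non-production setup that deliberately runs without TLS.` The entry also carries no `default:`, and the template emits nothing when the variable is unset, so the description should state that Keycloak's built-in default applies in that case rather than implying the role picks one.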