ansible-middleware#190: remove keycloak_quarkus_admin_user[_pass] o…

…nce keycloak is bootstrapped

roles/keycloak_quarkus/README.md

@@ -131,6 +131,7 @@ Role Defaults
 |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` |
 |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` |
 |`keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route`| If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy | `True` |
+|`keycloak_quarkus_purge_admin_credentials_after_bootstrapping`| If `True`, purges the env variables corresponding to `keycloak_quarkus_admin_user[_pass]` after bootstrapping since they are no longer needed | `True` |
 
 Role Variables
 --------------

roles/keycloak_quarkus/defaults/main.yml

@@ -20,6 +20,7 @@ keycloak_quarkus_service_pidfile: "/run/keycloak/keycloak.pid"
 keycloak_quarkus_service_restart_always: false
 keycloak_quarkus_service_restart_on_failure: false
 keycloak_quarkus_service_restartsec: "10s"
+keycloak_quarkus_purge_admin_credentials_after_bootstrapping: true
 
 keycloak_quarkus_configure_firewalld: false
 keycloak_quarkus_configure_iptables: false
@@ -135,3 +136,6 @@ keycloak_quarkus_log_target: /var/log/keycloak
 keycloak_quarkus_log_max_file_size: 10M
 keycloak_quarkus_log_max_backup_index: 10
 keycloak_quarkus_log_file_suffix: '.yyyy-MM-dd.zip'
+
+### Internally used variables
+keycloak_quarkus_internal_bootstrapped: false

roles/keycloak_quarkus/handlers/main.yml

@@ -3,6 +3,9 @@
 - name: "Rebuild {{ keycloak.service_name }} config"
   ansible.builtin.include_tasks: rebuild_config.yml
   listen: "rebuild keycloak config"
+- name: "Bootstrapped"
+  ansible.builtin.include_tasks: systemd.yml
+  listen: bootstrapped
 - name: "Restart {{ keycloak.service_name }}"
   ansible.builtin.include_tasks: restart.yml
   listen: "restart keycloak"

roles/keycloak_quarkus/meta/argument_specs.yml

@@ -338,6 +338,11 @@ argument_specs:
                 description: >
                   If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies
                   and we rely on the session affinity capabilities from reverse proxy
+            keycloak_quarkus_purge_admin_credentials_after_bootstrapping:
+                default: true
+                type: "bool"
+                description: >
+                  If `True`, purges the env variables corresponding to `keycloak_quarkus_admin_user[_pass]` after bootstrapping since they are no longer needed
     downstream:
         options:
             rhbk_version:

roles/keycloak_quarkus/tasks/install.yml

@@ -16,6 +16,17 @@
     path: "{{ keycloak.home }}"
   register: existing_deploy
 
+- name: "Check whether {{ keycloak.service_name }} has been bootstrapped"
+  become: true
+  ansible.builtin.command: grep -Fxq "{{ keycloak.bootstrap_mnemonic }}" "{{ keycloak_quarkus_sysconf_file }}"
+  register: keycloak_bootstrapped_mnemonic
+  changed_when: false
+  failed_when: false
+
+- name: "Initialize keycloak_quarkus_internal_bootstrapped"
+  ansible.builtin.set_fact:
+    keycloak_quarkus_internal_bootstrapped: "{{ keycloak_bootstrapped_mnemonic.rc == 0 }}"
+
 - name: "Create {{ keycloak.service_name }} service user/group"
   become: true
   ansible.builtin.user:

roles/keycloak_quarkus/tasks/main.yml

@@ -96,15 +96,30 @@
 - name: "Start and wait for keycloak service"
   ansible.builtin.include_tasks: start.yml
 
-- name: Check service status
-  ansible.builtin.command: "systemctl status keycloak"
-  register: keycloak_service_status
-  changed_when: false
-
 - name: Link default logs directory
   ansible.builtin.file:
     state: link
     src: "{{ keycloak.log.file | dirname }}"
     dest: "{{ keycloak_quarkus_log_target }}"
     force: true
   become: true
+
+- name: Check service status
+  ansible.builtin.systemd_service:
+    name: "{{ keycloak.service_name }}"
+  register: keycloak_service_status
+  changed_when: false
+
+- name: "Trigger bootstrapped notification: remove `keycloak_quarkus_admin_user[_pass]` env vars"
+  when:
+    - keycloak_quarkus_purge_admin_credentials_after_bootstrapping
+    - not keycloak_quarkus_internal_bootstrapped             # it was not bootstrapped prior to the current role's execution
+    - keycloak_service_status.status.ActiveState == "active" # but it is now
+  ansible.builtin.set_fact:
+    keycloak_quarkus_internal_bootstrapped: true
+  changed_when: true
+  notify:
+    - bootstrapped
+
+- name: Flush pending handlers
+  ansible.builtin.meta: flush_handlers

roles/keycloak_quarkus/templates/keycloak-sysconfig.j2

@@ -1,6 +1,10 @@
 {{ ansible_managed | comment }}
+{% if not keycloak_quarkus_purge_admin_credentials_after_bootstrapping or not keycloak_quarkus_internal_bootstrapped %}
 KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }}
 KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'
+{% else %}
+{{ keycloak.bootstrap_mnemonic }}
+{% endif %}
 PATH={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 JAVA_HOME={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}
 JAVA_OPTS={{ keycloak_quarkus_java_opts }}

roles/keycloak_quarkus/vars/main.yml

@@ -15,3 +15,4 @@ keycloak: # noqa var-naming this is an internal dict of interpolated values
     file: "{{ keycloak_quarkus_home }}/{{ keycloak_quarkus_log_file }}"
     level: "{{ keycloak_quarkus_log_level }}"
     format: "{{ keycloak_quarkus_log_format }}"
+  bootstrap_mnemonic: "# ansible-middleware/keycloak: bootstrapped"