ansible-middleware · RanabirChakraborty · Jul 8, 2025
diff --git a/molecule/https_revproxy/converge.yml b/molecule/https_revproxy/converge.yml
@@ -11,6 +11,5 @@
     keycloak_quarkus_http_port: 8080
     keycloak_quarkus_proxy_mode: edge
     keycloak_quarkus_http_relative_path: /
-    keycloak_quarkus_health_check_url: http://proxy:8080/realms/master/.well-known/openid-configuration
   roles:
     - role: keycloak_quarkus
diff --git a/molecule/quarkus_ha/converge.yml b/molecule/quarkus_ha/converge.yml
@@ -5,7 +5,7 @@
     keycloak_quarkus_show_deprecation_warnings: false
     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
-    keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
+    keycloak_quarkus_hostname: "https://{{ inventory_hostname }}:8080"
     keycloak_quarkus_log: file
     keycloak_quarkus_log_level: info
     keycloak_quarkus_https_key_file_enabled: true

diff --git a/molecule/quarkus_ha_remote/converge.yml b/molecule/quarkus_ha_remote/converge.yml
@@ -22,7 +22,7 @@
     keycloak_quarkus_show_deprecation_warnings: false
     keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
     keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
-    keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
+    keycloak_quarkus_hostname: "https://{{ inventory_hostname }}:8080"
     keycloak_quarkus_log: file
     keycloak_quarkus_log_level: info
     keycloak_quarkus_https_key_file_enabled: true

diff --git a/molecule/quarkus_upgrade/vars.yml b/molecule/quarkus_upgrade/vars.yml
@@ -2,7 +2,7 @@
 keycloak_quarkus_offline_install: false
 keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
 keycloak_quarkus_realm: TestRealm
-keycloak_quarkus_hostname: http://instance:8080
+keycloak_quarkus_hostname: https://instance:8080
 keycloak_quarkus_log: file
 keycloak_quarkus_https_key_file_enabled: true
 keycloak_quarkus_log_target: /tmp/keycloak

diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml
@@ -116,6 +116,8 @@ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: true
 
 keycloak_quarkus_metrics_enabled: false
 keycloak_quarkus_health_enabled: true
+keycloak_quarkus_health_check_url_path: "realms/master/.well-known/openid-configuration"
+keycloak_quarkus_http_health_port: 9000
 
 ### caches; must read: https://www.keycloak.org/2024/12/storing-sessions-in-kc26
 ### embedded caches

diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -259,6 +259,10 @@ argument_specs:
                 default: true
                 description: "If the server should expose health check endpoints on the management interface"
                 type: "bool"
+            keycloak_quarkus_http_health_port:
+                default: 9000
+                description: "Port used for the health endpoint when health checks are enabled. This is typically different from the main HTTP port."
+                type: "int"
             keycloak_quarkus_cache_remote:
                 description: "Whether to connect to remote cache infinispan server"
                 default: false

diff --git a/roles/keycloak_quarkus/tasks/restart.yml b/roles/keycloak_quarkus/tasks/restart.yml
@@ -7,9 +7,15 @@
     daemon_reload: true
   become: true
 
+- name: "Fail if health check URL does not use port 9000 while health is enabled"
+  ansible.builtin.fail:
+    msg: "When `keycloak_quarkus_health_enabled` is true, the health check URL must use port 9000. Current URL: {{ keycloak_quarkus_health_check_url }}"
+  when: keycloak_quarkus_health_enabled | bool and keycloak_quarkus_health_check_url is defined and (keycloak_quarkus_health_check_url | regex_search(':(\\d+)', '\\1') | int) != 9000
+
 - name: "Wait until {{ keycloak.service_name }} service becomes active {{ keycloak.health_url }}"
   ansible.builtin.uri:
     url: "{{ keycloak.health_url }}"
+    validate_certs: false
   register: keycloak_status
   until: keycloak_status.status == 200
   retries: "{{ keycloak_quarkus_restart_health_check_retries }}"

diff --git a/roles/keycloak_quarkus/tasks/start.yml b/roles/keycloak_quarkus/tasks/start.yml
@@ -10,6 +10,7 @@
 - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
   ansible.builtin.uri:
     url: "{{ keycloak.health_url }}"
+    validate_certs: false
   register: keycloak_status
   until: keycloak_status.status == 200
   retries: 25

diff --git a/roles/keycloak_quarkus/vars/main.yml b/roles/keycloak_quarkus/vars/main.yml
@@ -1,10 +1,12 @@
 ---
+keycloak_quarkus_effective_health_path: "{{ 'health/ready' if keycloak_quarkus_health_enabled | bool else keycloak_quarkus_health_check_url_path }}"
+keycloak_quarkus_hostname_stripped: "{{ keycloak_quarkus_hostname | regex_replace('(:\\d+)(?=/|$)', '') }}"
 keycloak: # noqa var-naming this is an internal dict of interpolated values
   home: "{{ keycloak_quarkus_home }}"
   config_dir: "{{ keycloak_quarkus_config_dir }}"
   bundle: "{{ keycloak_quarkus_archive }}"
   service_name: "keycloak"
-  health_url: "{{ keycloak_quarkus_health_check_url | default(keycloak_quarkus_hostname ~ '/' ~ (keycloak_quarkus_health_check_url_path | default('realms/master/.well-known/openid-configuration'))) }}"
+  health_url: "{{ keycloak_quarkus_health_check_url | default(((('https://' ~ keycloak_quarkus_hostname_stripped ~ ':' ~ keycloak_quarkus_http_health_port) if not (keycloak_quarkus_hostname.startswith('http://') or keycloak_quarkus_hostname.startswith('https://')) else keycloak_quarkus_hostname_stripped ~ ':' ~ keycloak_quarkus_http_health_port) ~ keycloak_quarkus_http_relative_path ~ keycloak_quarkus_effective_health_path), true) }}"
   cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh"
   service_user: "{{ keycloak_quarkus_service_user }}"
   service_group: "{{ keycloak_quarkus_service_group }}"

diff --git a/roles/keycloak_realm/README.md b/roles/keycloak_realm/README.md
@@ -8,20 +8,20 @@ Create realms and clients in [keycloak](https://keycloak.org/) or [Red Hat Singl
 Role Defaults
 -------------
 
-| Variable | Description | Default |
-|:---------|:------------|:--------|
-|`keycloak_admin_user`| Administration console user account | `admin` |
-|`keycloak_host`| hostname | `localhost` |
-|`keycloak_context`| Context path for rest calls | `/auth` |
-|`keycloak_http_port`| HTTP port | `8080` |
-|`keycloak_https_port`| TLS HTTP port | `8443` |
-|`keycloak_auth_realm`| Name of the main authentication realm | `master` |
-|`keycloak_management_http_port`| Management port | `9990` |
-|`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` |
-|`keycloak_client_public`| Configure a public realm client | `True` |
-|`keycloak_client_web_origins`| Web origins for realm client | `/*` |
-|`keycloak_url`| URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
-|`keycloak_management_url`| URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |
+| Variable                            | Description                                                      | Default                                               |
+|:------------------------------------|:-----------------------------------------------------------------|:------------------------------------------------------|
+| `keycloak_admin_user`               | Administration console user account                              | `admin`                                               |
+| `keycloak_host`                     | hostname                                                         | `localhost`                                           |
+| `keycloak_context`                  | Context path for rest calls                                      | `/auth`                                               |
+| `keycloak_http_port`                | HTTP port                                                        | `8080`                                                |
+| `keycloak_https_port`               | TLS HTTP port                                                    | `8443`                                                |
+| `keycloak_auth_realm`               | Name of the main authentication realm                            | `master`                                              |
+| `keycloak_management_http_port`     | Management port                                                  | `9990`                                                |
+| `keycloak_auth_client`              | Authentication client for configuration REST calls               | `admin-cli`                                           |
+| `keycloak_client_public`            | Configure a public realm client                                  | `True`                                                |
+| `keycloak_client_web_origins`       | Web origins for realm client                                     | `/*`                                                  |
+| `keycloak_url`                      | URL for configuration rest calls                                 | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
+| `keycloak_quarkus_http_health_port` | Port used for the health endpoint when health checks are enabled | `9000`                                                |
 
 
 Role Variables