Add extra Keycloak realm options
Change-Id: Ia9862dc6b58a9870de76fbf37eb8faa0e06cd017
(cherry picked from commit 1f150c13654a68f4bc1763f5b4815cfe18dee3e2)
diff --git a/releasenotes/notes/add-extra-keycloak-realm-options-a8b14740bd999ebb.yaml b/releasenotes/notes/add-extra-keycloak-realm-options-a8b14740bd999ebb.yaml
new file mode 100644
index 0000000..4a7a43b
--- /dev/null
+++ b/releasenotes/notes/add-extra-keycloak-realm-options-a8b14740bd999ebb.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - The Keystone role now supports additional parameters when creating the
+ Keycloak realm to allow for the configuration of options such as password
+ policy, brute force protection, and more.
diff --git a/roles/keystone/defaults/main.yml b/roles/keystone/defaults/main.yml
index f71c59f..1ae9e09 100644
--- a/roles/keystone/defaults/main.yml
+++ b/roles/keystone/defaults/main.yml
@@ -34,6 +34,15 @@
keystone_keycloak_admin_password: "{{ keycloak_admin_password }}"
keystone_keycloak_realm: atmosphere
keystone_keycloak_realm_name: Atmosphere
+# keystone_keycloak_realm_default_password_policy:
+# keystone_keycloak_realm_default_brute_force_protected:
+# keystone_keycloak_realm_default_brute_force_failure_factor:
+# keystone_keycloak_realm_default_brute_force_wait_increment_seconds:
+# keystone_keycloak_realm_default_brute_force_max_failure_wait_seconds:
+# keystone_keycloak_realm_default_brute_force_max_delta_time_seconds:
+# keystone_keycloak_realm_default_minimum_quick_login_wait_seconds:
+# keystone_keycloak_realm_default_quick_login_check_milli_seconds:
+
keystone_keycloak_client_id: keystone
# keystone_keycloak_client_secret:
keystone_keycloak_scopes: "openid email profile"
diff --git a/roles/keystone/tasks/main.yml b/roles/keystone/tasks/main.yml
index a35a9ce..38a1e36 100644
--- a/roles/keystone/tasks/main.yml
+++ b/roles/keystone/tasks/main.yml
@@ -29,6 +29,14 @@
realm: "{{ item.keycloak_realm }}"
display_name: "{{ item.label }}"
enabled: true
+ password_policy: "{{ item.keycloak_password_policy | default(keystone_keycloak_realm_default_password_policy | default(omit)) }}"
+ brute_force_protected: "{{ item.keycloak_brute_force_protected | default(keystone_keycloak_realm_default_brute_force_protected | default(omit)) }}"
+ failure_factor: "{{ item.keycloak_brute_force_failure_factor | default(keystone_keycloak_realm_default_brute_force_failure_factor | default(omit)) }}"
+ wait_increment_seconds: "{{ item.keycloak_brute_force_wait_increment_seconds | default(keystone_keycloak_realm_default_brute_force_wait_increment_seconds | default(omit)) }}"
+ max_failure_wait_seconds: "{{ item.keycloak_brute_force_max_failure_wait_seconds | default(keystone_keycloak_realm_default_brute_force_max_failure_wait_seconds | default(omit)) }}"
+ max_delta_time_seconds: "{{ item.keycloak_brute_force_max_delta_time_seconds | default(keystone_keycloak_realm_default_brute_force_max_delta_time_seconds | default(omit)) }}"
+ minimum_quick_login_wait_seconds: "{{ item.keycloak_minimum_quick_login_wait_seconds | default(keystone_keycloak_realm_default_minimum_quick_login_wait_seconds | default(omit)) }}"
+ quick_login_check_milli_seconds: "{{ item.keycloak_quick_login_check_milli_seconds | default(keystone_keycloak_realm_default_quick_login_check_milli_seconds | default(omit)) }}"
loop: "{{ keystone_domains }}"
loop_control:
label: "{{ item.name }}"