Reuse session when running kcadm commands (#328)

* Reuse session when running kcadm commands
Fixes #327

* Move to using kcadm-wrapper config file so that script is just a script and not a template

* Fix conditional

* Remove kcmadm login session when Keycloak service restarts unless using persistent sessions

Author: treydock

files/kcadm-wrapper.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# shellcheck source=/dev/null
+. /opt/keycloak/conf/kcadm-wrapper.conf
+
+EXPIRES=$(/usr/bin/sed  -n -r 's|.*"refreshExpiresAt" : ([0-9]*).*|\1|p' "$CONFIG" 2>/dev/null || echo "0")
+NOW=$(/usr/bin/date +%s%3N)
+
+if [ ! -f "$CONFIG" ] || [ "$EXPIRES" -lt "$NOW" ]; then
+    ${KCADM} config credentials --config "$CONFIG" --server "$SERVER" --realm "$REALM" --user "$ADMIN_USER" --password "$PASSWORD"
+fi
+
+${KCADM} "$@" --config "$CONFIG"

manifests/config.pp

@@ -9,18 +9,33 @@
     }
   }
 
-  # Template uses:
-  # - $keycloak::install_base
-  # - $keycloak::admin_user
-  # - $keycloak::admin_user_password
+  $wrapper_conf = {
+    'KCADM'      => "${keycloak::install_base}/bin/kcadm.sh",
+    'CONFIG'     => $keycloak::login_config,
+    'SERVER'     => $keycloak::wrapper_server,
+    'REALM'      => 'master',
+    'ADMIN_USER' => $keycloak::admin_user,
+    'PASSWORD'   => $keycloak::admin_user_password,
+  }
+  file { 'kcadm-wrapper.conf':
+    ensure    => 'file',
+    path      => $keycloak::wrapper_conf,
+    owner     => $keycloak::user,
+    group     => $keycloak::group,
+    mode      => '0640',
+    content   => epp('keycloak/shell_vars.epp', { 'vars' => $wrapper_conf }),
+    show_diff => false,
+  }
+
   file { 'kcadm-wrapper.sh':
     ensure    => 'file',
     path      => $keycloak::wrapper_path,
     owner     => $keycloak::user,
     group     => $keycloak::group,
     mode      => '0750',
-    content   => template('keycloak/kcadm-wrapper.sh.erb'),
+    source    => 'puppet:///modules/keycloak/kcadm-wrapper.sh',
     show_diff => false,
+    require   => File['kcadm-wrapper.conf'],
   }
 
   file { $keycloak::conf_dir:

manifests/init.pp

@@ -240,7 +240,7 @@
   Optional[Stdlib::Absolutepath] $service_environment_file = undef,
   Stdlib::Filemode $conf_dir_mode = '0755',
   Boolean $conf_dir_purge = true,
-  Array $conf_dir_purge_ignore = ['cache-ispn.xml', 'README.md', 'truststore.jks'],
+  Array $conf_dir_purge_ignore = ['cache-ispn.xml', 'README.md', 'truststore.jks', 'kcadm.config'],
   Keycloak::Configs $configs = {},
   Hash[String, Variant[String[1],Boolean,Array]] $extra_configs = {},
   Variant[Stdlib::Host, Stdlib::HTTPUrl, Stdlib::HTTPSUrl, Enum['unset','UNSET']] $hostname = $facts['networking']['fqdn'],
@@ -330,6 +330,8 @@
   $tmp_dir = "${install_base}/tmp"
   $providers_dir = "${install_base}/providers"
   $wrapper_path = "${keycloak::install_base}/bin/kcadm-wrapper.sh"
+  $wrapper_conf = "${conf_dir}/kcadm-wrapper.conf"
+  $login_config = "${conf_dir}/kcadm.config"
 
   $default_config = {
     'hostname' => $hostname,

spec/classes/init_spec.rb

@@ -121,8 +121,9 @@
             owner: 'keycloak',
             group: 'keycloak',
             mode: '0750',
-            content: %r{.*},
+            source: 'puppet:///modules/keycloak/kcadm-wrapper.sh',
             show_diff: 'false',
+            require: 'File[kcadm-wrapper.conf]',
           )
         end
 

templates/kcadm-wrapper.sh.erb

@@ -21,6 +21,10 @@ Environment='JAVA_HOME=<%= scope['keycloak::java_home'] %>'
 User=<%= scope['keycloak::user'] %>
 Group=<%= scope['keycloak::group'] %>
 ExecStart=<%= scope['keycloak::service_start_cmd'] %>
+# TODO: remove once upgraded from Keycloak 25 to 26
+<% unless (scope['keycloak::features'] || []).include?('persistent-user-sessions') -%>
+ExecStartPost=-/usr/bin/rm -f <%= scope['keycloak::login_config'] %>
+<% end -%>
 TimeoutStartSec=600
 TimeoutStopSec=600
 SuccessExitStatus=0 143

templates/keycloak.service.erb

@@ -0,0 +1,8 @@
+<%- |
+  Hash[String, String] $vars
+| -%>
+# This file is managed by Puppet, DO NOT EDIT
+
+<% $vars.each |$key, $value| { -%>
+<%= $key %>='<%= $value %>'
+<% } -%>