added option to fetch keycloak public key

bootstrap.sh

@@ -1,13 +1,5 @@
 #!/bin/bash
 
-upgrade_redhat_6() {
-  echo "Upgrade Ansbile on RedHat 6"
-  sudo yum install python27
-  curl "https://bootstrap.pypa.io/get-pip.py" -o "/tmp/get-pip.py"
-  sudo python2.7 /tmp/get-pip.py
-  sudo pip install ansible
-}
-
 bootstrap() {
     echo "Bootstrap Ansible ..."
 
@@ -35,17 +27,11 @@ bootstrap() {
         sudo yum install -y epel-release
         sudo yum install -y gcc-c++ make
         sudo yum install -y ansible
-        major_release=$(cat /etc/redhat-release | tr -dc '0-9.'|cut -d \. -f1)
-        if [ $major_release = "6" ] ; then
-          if [ -f /etc/centos-release ] ; then
-            # needed for galaxy usage with python 2.6 on CentOS 6
-            sudo yum install -y python-urllib3 pyOpenSSL python2-ndg_httpsclient python-pyasn1
-          else
-            upgrade_redhat_6
-          fi
-        fi
     elif [ `uname -s` = "Darwin" ] ; then
         echo "Install Homebrew packages ..."
+        # Temporary workaround to Python bug in macOS High Sierra which can break Ansible
+        # https://github.com/ansible/ansible/issues/34056#issuecomment-352862252
+        export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
         brew install ansible
     fi
 }

docs/source/preparing.rst

@@ -65,6 +65,14 @@ Use brew_ to install Ansible:
   $ ansible --version
   ansible 2.7.2
 
+Use this workaround_ to a Python bug in macOS which can break Ansible:
+
+.. code-block:: console
+
+  $ export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
+
+.. _workaround: https://github.com/ansible/ansible/issues/34056#issuecomment-352862252
+
 Conda
 ~~~~~
 

docs/source/testing.rst

@@ -34,6 +34,7 @@ You need Ansible locally installed:
   $ conda install -c conda-forge ansible
   OR
   $ brew install ansible # macOS only
+  $ export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES # workaround needed on macOS
 
 Install Ansible roles:
 

etc/sample-twitcher-keycloak.yml

@@ -10,3 +10,4 @@ twitcher_enable_https: true
 twitcher_token_type: 'keycloak_token'
 keycloak_url: 'http://localhost:8080'
 keycloak_token_secret: 'public_key_from_keycloak'
+keycloak_fetch_public_key: false

etc/sample-vagrant.yml

@@ -4,3 +4,7 @@ db_install_postgresql: true
 db_install_sqlite: false
 # twitcher
 twitcher_enable_https: false
+# keycloak
+keycloak_url: "http://localhost:8080"
+keycloak_token_secret: "public_key_from_keycloak"
+keycloak_fetch_public_key: false

roles/twitcher/tasks/certs.yml

@@ -1,3 +1,4 @@
+---
 - name: Download esgf-ca-bundle.crt
   get_url:
     url: "{{ ssl_certs_cacert_url }}"

roles/twitcher/tasks/keycloak.yml

@@ -0,0 +1,6 @@
+---
+- set_fact:
+    keycloak_token_secret: "{{ (lookup('url', '{{ keycloak_public_certs_url }}') | from_json)['keys'][0]['x5c'][0] }}"
+  tags:
+    - keycloak
+  when: keycloak_fetch_public_key

roles/twitcher/tasks/main.yml

@@ -5,6 +5,8 @@
 
 - include: folders.yml
 
+- include: keycloak.yml
+
 - include: config.yml
 
 - include: db.yml

vars/main.yml

@@ -59,3 +59,6 @@ twitcher_bind: "unix:{{ twitcher_run_dir }}/twitcher.sock"
 # twitcher keycloak
 keycloak_url: "http://localhost:8080"
 keycloak_token_secret: "public_key_from_keycloak"
+keycloak_fetch_public_key: false
+keycloak_realm: master
+keycloak_public_certs_url: "{{ keycloak_url }}/auth/realms/{{ keycloak_realm }}/protocol/openid-connect/certs"