
feat(infra/ansible): Configure permanent admin in Keycloak and disable bootstrapped admin #377

Merged: martyngigg merged 1 commit into main from keycloak-configure-permanent-admin on Jun 30, 2026

Conversation

martyngigg (Member) commented Jun 30, 2026

Summary

Keycloak recommends disabling any bootstrapped admin account and creating a new permanent one - there is a banner if you log in with the temporary one.

These changes configure the master realm with a new admin account - the credentials are in the Vault.

Summary by CodeRabbit

  • Bug Fixes
    • Keycloak setup now uses a stable local admin account instead of relying on temporary bootstrap credentials.
    • Admin bootstrap runs only when needed, reducing repeated setup steps and improving reliability.
    • LDAP and realm configuration now authenticate with the permanent local admin credentials.

@martyngigg martyngigg requested a review from a team as a code owner June 30, 2026 12:12
@martyngigg martyngigg enabled auto-merge (squash) June 30, 2026 12:13
coderabbitai (Bot, Contributor) commented Jun 30, 2026


Commits: reviewing files that changed from the base of the PR and between 5a7505d and e469813.

Files selected for processing (5)
  • infra/ansible/group_vars/all/all.yml
  • infra/ansible/group_vars/keycloak.yml
  • infra/ansible/roles/keycloak/tasks/main.yml
  • infra/ansible/roles/keycloak/tasks/setup-ldap.yml
  • infra/ansible/roles/keycloak/tasks/setup-target-realm.yml



Walkthrough

Introduces a keycloak_local_admin credential variable, hardcodes the temporary bootstrap admin username to "temp-admin", and adds idempotent provisioning logic in main.yml to detect whether the permanent admin exists, conditionally run bootstrap, create the permanent admin user, assign the admin realm role, and disable the temporary account. All downstream tasks switch from keycloak_bootstrap to keycloak_local_admin credentials.

Changes

Keycloak Permanent Admin Lifecycle

| Layer | File(s) | Summary |
|---|---|---|
| Local admin credentials and bootstrap username | infra/ansible/group_vars/keycloak.yml, infra/ansible/group_vars/all/all.yml | Adds keycloak_local_admin block with user/password from secrets, and replaces the secrets-sourced bootstrap_admin_user with the hardcoded literal "temp-admin". |
| Idempotent bootstrap and permanent admin provisioning | infra/ansible/roles/keycloak/tasks/main.yml | Adds a pre-flight token probe to detect whether the local admin exists, gates the bootstrap container task on the result, removes the explicit --username argument, then creates the permanent admin user, assigns the admin realm role, disables the temporary account, and imports setup-target-realm.yml. |
| Credential switchover in LDAP and realm setup | infra/ansible/roles/keycloak/tasks/setup-ldap.yml, infra/ansible/roles/keycloak/tasks/setup-target-realm.yml | Updates auth_username/auth_password in both task files to use keycloak_local_admin instead of keycloak_bootstrap. |

Poem

🐇 A temp admin hops in, does its job with a bound,
Then a permanent keeper is safely found.
Roles assigned, the old one disabled with care,
No secrets hard-coded in bootstrap's snare.
The warren is tidy, credentials aligned —
A permanent admin for all humankind! 🎉


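The first-run-only flow the walkthrough describes (token probe, gated bootstrap, create the permanent admin, grant the realm admin role, disable temp-admin), as an added example rather than the PR's own task file. It assumes the inventory defines keycloak_url, keycloak_local_admin (user/password) and keycloak_bootstrap.password, and uses the community.general Keycloak modules, which may not be what the role itself calls.

```yaml
# Added example, not the PR's own tasks; variable names other than keycloak_local_admin are assumed.
- name: Probe whether the permanent local admin can already obtain a token
  ansible.builtin.uri:
    url: "{{ keycloak_url }}/realms/master/protocol/openid-connect/token"
    method: POST
    body_format: form-urlencoded
    body: {grant_type: password, client_id: admin-cli,
           username: "{{ keycloak_local_admin.user }}",
           password: "{{ keycloak_local_admin.password }}"}
    status_code: [200, 401]  # 401 only means the account is not provisioned yet
  register: local_admin_probe
  no_log: true  # the registered result would otherwise contain an access token

# The remaining tasks run on first provisioning only; later runs skip them.
- name: Create the permanent admin using the temporary bootstrap account
  community.general.keycloak_user:
    auth_keycloak_url: "{{ keycloak_url }}"
    auth_realm: master
    auth_username: temp-admin
    auth_password: "{{ keycloak_bootstrap.password }}"
    realm: master
    username: "{{ keycloak_local_admin.user }}"
    enabled: true
    credentials: [{type: password, value: "{{ keycloak_local_admin.password }}", temporary: false}]
    state: present
  when: local_admin_probe.status != 200
  no_log: true

- name: Grant the master-realm admin role to the permanent admin
  community.general.keycloak_user_rolemapping:
    auth_keycloak_url: "{{ keycloak_url }}"
    auth_realm: master
    auth_username: temp-admin
    auth_password: "{{ keycloak_bootstrap.password }}"
    realm: master
    target_username: "{{ keycloak_local_admin.user }}"
    roles: [{name: admin}]
    state: present
  when: local_admin_probe.status != 200

- name: Disable temp-admin, authenticating as the new permanent admin to prove it works
  community.general.keycloak_user:
    auth_keycloak_url: "{{ keycloak_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_local_admin.user }}"
    auth_password: "{{ keycloak_local_admin.password }}"
    realm: master
    username: temp-admin
    enabled: false
    state: present
  when: local_admin_probe.status != 200
```

Because the last task signs in as the permanent account before disabling temp-admin, a wrong Vault password fails the play while the temporary account is still usable instead of locking you out.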

martyngigg merged commit ba3b857 into main on Jun 30, 2026 (1 of 2 checks passed) and deleted the keycloak-configure-permanent-admin branch on June 30, 2026 at 12:14.