From 3d929035821b9f0c3cc17380ce8f372c0439c29d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20P=C3=A9rez=20Garc=C3=ADa?= Date: Mon, 5 Jun 2023 16:52:34 +0200 Subject: [PATCH] resolve #207 support for import SSL certificates into Java truststore --- .travis.yml | 3 + CHANGELOG.md | 2 + README.md | 10 +++ defaults/main.yml | 6 ++ molecule/openjdk-certs/Dockerfile.j2 | 16 ++++ molecule/openjdk-certs/converge.yml | 6 ++ molecule/openjdk-certs/files/ssl.crt | 19 ++++ molecule/openjdk-certs/group_vars/all.yml | 7 ++ molecule/openjdk-certs/molecule.yml | 28 ++++++ molecule/openjdk-certs/prepare.yml | 9 ++ molecule/openjdk-certs/tests/test_openjdk.yml | 16 ++++ molecule/openjdk-certs/verify.yml | 86 +++++++++++++++++++ tasks/import_certs.yml | 26 ++++++ tasks/main.yml | 6 ++ vars/adoptopenjdk/CentOS-8.yml | 1 + vars/adoptopenjdk/Debian-10.yml | 1 + vars/adoptopenjdk/Debian-11.yml | 1 + vars/corretto/CentOS-8.yml | 1 + vars/corretto/Debian-10.yml | 1 + vars/corretto/Debian-11.yml | 1 + vars/openjdk/CentOS-7.yml | 1 + vars/openjdk/CentOS-8.yml | 1 + vars/openjdk/Debian-10.yml | 1 + vars/openjdk/Debian-11.yml | 1 + vars/openjdk/Ubuntu-18.yml | 1 + vars/openjdk/Ubuntu-20.yml | 1 + vars/openjdk/Ubuntu-22.yml | 1 + 27 files changed, 253 insertions(+) create mode 100644 molecule/openjdk-certs/Dockerfile.j2 create mode 100644 molecule/openjdk-certs/converge.yml create mode 100644 molecule/openjdk-certs/files/ssl.crt create mode 100644 molecule/openjdk-certs/group_vars/all.yml create mode 100644 molecule/openjdk-certs/molecule.yml create mode 100644 molecule/openjdk-certs/prepare.yml create mode 100644 molecule/openjdk-certs/tests/test_openjdk.yml create mode 100644 molecule/openjdk-certs/verify.yml create mode 100644 tasks/import_certs.yml diff --git a/.travis.yml b/.travis.yml index bdec29a..34671b4 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -54,6 +54,9 @@ env: - DOCKER_IMAGE_BASE=quay.io/centos/centos:stream8 JDK_MAJOR=11 JDK_VERSION=11.0.13.0.8 DOCKER_TAG_TO_PUBLISH=11.0.13.0.8-centos8-openjdk-headless + # SSL certificates scenario + - DOCKER_IMAGE_BASE=debian:buster-slim JDK_VENDOR=openjdk-certs + # Java 17 - DOCKER_IMAGE_BASE=debian:bullseye-slim DOCKER_TAG_TO_PUBLISH=17-bullseye-openjdk-headless - DOCKER_IMAGE_BASE=debian:bullseye-slim JDK_MAJOR=17 JDK_VERSION=17.0.6+10-1~deb11u1 diff --git a/CHANGELOG.md b/CHANGELOG.md index 5612150..0dd1446 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,8 @@ All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/) and [Keep a changelog](https://github.com/olivierlacan/keep-a-changelog). ## [Unreleased](https://github.com/idealista/java_role/tree/develop) +### Added +- *[#207](https://github.com/idealista/java_role/issues/207) Add support for import SSL certificates into Java's truststore* @emepege ## [8.0.0](https://github.com/idealista/java_role/tree/8.0.0) (2022-08-10) [Full Changelog](https://github.com/idealista/java_role/compare/7.1.0...8.0.0) diff --git a/README.md b/README.md index 12230e3..0a047e8 100644 --- a/README.md +++ b/README.md 
@@ -124,6 +124,16 @@ CentOS 8 | `1.8.0` CentOS 8 | `11` (default) Other OpenJDK implementations out of GNU/Linux distributions streams are not officially supported, but it's easy use this role too adding extra repositories (see vars/ in AdoptOpenJDK and Corretto directories). + +### Adding certificates into Java's truststore + +This role supports adding certificates into Java's truststore. Truststore location may change depending on Java version: + +- Truststore location for Java 9 onwards: $JAVA_HOME/lib/security/cacerts +- Truststore location for Java prior to 9: $JAVA_HOME/jre/lib/security/cacerts + +A specific truststore location should be selected overriding `java_keystore_dir` variable using group vars/host vars. In addition, you must to set which certificates you want to add setting `java_certs` variable and the truststore password setting `java_cert_keystore_pass` + ## Testing ```sh diff --git a/defaults/main.yml b/defaults/main.yml index 08f760e..f886fd0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -3,3 +3,9 @@ java_jdk_vendor: openjdk java_open_jdk_apt_extra_packages: [] java_open_jdk_home: /usr/lib/jvm/{{ java_open_jdk_home_dir }} + +# java_certs: +# - java_cert_path: /path/to/cert/ssl.crt +# java_cert_alias: ssl +# +# java_cert_keystore_pass: changeit diff --git a/molecule/openjdk-certs/Dockerfile.j2 b/molecule/openjdk-certs/Dockerfile.j2 new file mode 100644 index 0000000..8e3be40 --- /dev/null +++ b/molecule/openjdk-certs/Dockerfile.j2 
@@ -0,0 +1,16 @@
+# Molecule managed
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN mkdir -p /usr/share/man/man1
+RUN if [ $(command -v apt-get) ]; then sed -i -e 's/^APT/# APT/' -e 's/^DPkg/# DPkg/' /etc/apt/apt.conf.d/docker-clean; fi
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python3 sudo bash ca-certificates && apt-get clean; \
+ elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python36 sudo python3-dnf bash && dnf clean all; \
+ elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+ elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \
+ elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; fi
diff --git a/molecule/openjdk-certs/converge.yml b/molecule/openjdk-certs/converge.yml
new file mode 100644
index 0000000..f4d4971
--- /dev/null
+++ b/molecule/openjdk-certs/converge.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Converge
+ hosts: openjdk
+ roles:
+ - java_role
diff --git a/molecule/openjdk-certs/files/ssl.crt b/molecule/openjdk-certs/files/ssl.crt
new file mode 100644
index 0000000..b0590b1
--- /dev/null
+++ b/molecule/openjdk-certs/files/ssl.crt
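Review bot: The package-manager probes in both multi-branch RUN instructions of Dockerfile.j2 put an unquoted command substitution inside `[ ... ]` (`if [ $(command -v apt-get) ]; then`), which works only because the resolved path has no spaces and the test collapses to an empty `[ ]` when the tool is missing; `if command -v apt-get >/dev/null 2>&1; then` checks the exit status directly and is what ShellCheck expects. The apt branch also runs `apt-get upgrade -y` and installs without `--no-install-recommends`, so the test image depends on mirror state at build time and carries more packages (including `sudo`) than the scenario visibly needs. For a Molecule fixture that may be acceptable, but a short comment above the RUN saying the image is test-only and intentionally unpinned would make that explicit.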
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDETCCAfkCFCDQip+sJfpHN2tcLCd8SgKRWlcEMA0GCSqGSIb3DQEBCwUAMEUx
+CzAJBgNVBAYTAkVTMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMjMwNjA1MTEwNTE3WhcNMjMwNzA1MTEw
+NTE3WjBFMQswCQYDVQQGEwJFUzETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
+CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAsZotx9CdrUH2SwzmKlRQJVeD40tvnP/tX66i2gNgkFy4hpac
+kl9fcdTKNkLdLpl5hola+FJNQpDnUGToQRY2x2XtmnqKA/vGpXZVLizH6rxy5YAj
+5cjR2tYt89P2URXGVU5+8AJWANh1bONln4Qu8UOP6/AVlTrWl79nlOBqj+6rsVOW
+HgzdqE0hJnoKcVlTGb0OPnYNjDcsfLz9FJYgbPognhDk4EBD3GqJt5+J9ijXaiWh
+Q4rJ8/vInJt6Boqdz7KtCfD/VeWwLJDmtihJ6lseyo9WU2umPdOPz20Thk1k+VkN
+zpUvDS+bmQqQxlOiZi+1Z7OZaTNRfxVytEy3IwIDAQABMA0GCSqGSIb3DQEBCwUA
+A4IBAQA85o3erbRCnqJg70E7z19+F/o8Tg0cnl3oHU1GbAOrkzcxzcHLH05dN+BT
+bUGr//E+hgICeh14bDBCwtO3K2oDBRC82pYnTsDIK1my90fEQmvDMi+K/o4xw0pM
+yQBYmpnggS5+NJExx+MNBUUnAdQ0eH/wTyABz9PJL8MT8VR5K5/XIQCZYLwxyWYb
+4ga5ZQN5Jg9J2Dc/BIfLUXJavkIT2TINYDB6uhu6XeT5Qa0l+n621bMTle8ygleP
+CjasBNJsjgYNJi/1rO2DChKCPAAiObqHL+Wu0fdcHk+H5bDxoHXqil7s9l9hhv74
+oZFRmw2LG75mEonyXB90R2e9ZPXi
+-----END CERTIFICATE-----
diff --git a/molecule/openjdk-certs/group_vars/all.yml b/molecule/openjdk-certs/group_vars/all.yml
new file mode 100644
index 0000000..42053a2
--- /dev/null
+++ b/molecule/openjdk-certs/group_vars/all.yml
@@ -0,0 +1,7 @@
+---
+
+java_certs:
+ - java_cert_path: /tmp/ssl.crt
+ java_cert_alias: ssl
+
+java_cert_keystore_pass: changeit
diff --git a/molecule/openjdk-certs/molecule.yml b/molecule/openjdk-certs/molecule.yml
new file mode 100644
index 0000000..91f925f
--- /dev/null
+++ b/molecule/openjdk-certs/molecule.yml
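Review bot: The fixture certificate in files/ssl.crt carries a validity window of only one month: the UTCTime fields encoded in the PEM body decode to 2023-06-05 through 2023-07-05, so every CI run after that imports an expired certificate. Whether the import step rejects or merely warns on an expired certificate is not visible from this patch, so the scenario may keep passing, but that should be confirmed rather than assumed. Regenerating the fixture with a long validity period, and recording the command used next to it, would remove the date dependence and let the file be reproduced. No private key is committed with it, which is the right shape for a truststore fixture.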
@@ -0,0 +1,28 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+
+lint: |
+ yamllint .
+ ansible-lint .
+
+platforms:
+ - name: openjdktest
+ groups:
+ - openjdk
+ image: ${DOCKER_IMAGE_BASE:-debian:buster-slim}
+
+provisioner:
+ name: ansible
+ inventory:
+ group_vars:
+ openjdk:
+ java_jdk_vendor: openjdk
+ java_open_jdk_version: ${JDK_VERSION}
+ java_open_jdk_version_major: ${JDK_MAJOR}
+scenario:
+ name: certs
+verifier:
+ name: ansible
diff --git a/molecule/openjdk-certs/prepare.yml b/molecule/openjdk-certs/prepare.yml
new file mode 100644
index 0000000..401147e
--- /dev/null
+++ b/molecule/openjdk-certs/prepare.yml
@@ -0,0 +1,9 @@
+---
+- name: Prepare
+ hosts: openjdktest
+ gather_facts: false
+ tasks:
+ - name: Copy SSL certificate
+ copy:
+ src: "{{ playbook_dir }}/files/ssl.crt"
+ dest: /tmp/ssl.crt
diff --git a/molecule/openjdk-certs/tests/test_openjdk.yml b/molecule/openjdk-certs/tests/test_openjdk.yml
new file mode 100644
index 0000000..f79f094
--- /dev/null
+++ b/molecule/openjdk-certs/tests/test_openjdk.yml
@@ -0,0 +1,16 @@
+---
+
+file:
+ {{ java_open_jdk_home }}/lib:
+ exists: true
+ filetype: directory
+package:
+{% if java_open_jdk_version is defined and java_open_jdk_version is not sameas None and java_open_jdk_version != "" %}
+ {{ java_open_jdk_package }}:
+ installed: true
+ versions:
+ - {{ java_open_jdk_version }}
+{% else %}
+ {{ java_open_jdk_package }}:
+ installed: true
+{% endif %}
diff --git a/molecule/openjdk-certs/verify.yml b/molecule/openjdk-certs/verify.yml
new file mode 100644
index 0000000..79905e7
--- /dev/null
+++ b/molecule/openjdk-certs/verify.yml
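Review bot: The only goss file of the certificate scenario, tests/test_openjdk.yml, asserts that the JDK `lib` directory exists and that the package is installed; nothing checks that the alias from group_vars/all.yml actually ended up in the truststore. A regression in tasks/import_certs.yml (wrong keystore path, skipped include) would therefore still pass verification. A goss `command` entry that runs `keytool -list` for the `ssl` alias against the `cacerts` file and expects `exit-status: 0` would turn this scenario into a test of the feature; the keystore directory variable would need to be made available to the verify play for the template to render.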
@@ -0,0 +1,86 @@ +--- +# This is an example playbook to execute goss tests. +# Tests need distributed to the appropriate ansible host/groups +# prior to execution by `goss validate`. +# +# The goss ansible module is installed with molecule. The ANSIBLE_LIBRARY +# path is updated appropriately on `molecule verify`. + +# Details about ansible module: +# - https://github.com/indusbox/goss-ansible + +- name: Verify + hosts: all + vars: + goss_version: v0.3.16 + goss_sha256sum: 827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb + goss_arch: amd64 + goss_dst: /usr/local/bin/goss + goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version }}/goss-linux-{{ goss_arch }}" + goss_test_directory: /tmp + goss_format: documentation + molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}" + molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}" + + vars_files: + - ../../defaults/main.yml + + tasks: + - name: Java | Gather OS specific variables + include_vars: "../../vars/{{ java_jdk_vendor }}/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" + + - name: Gather architecture specific variables + include_vars: "../../vars/architecture.yml" + + # Using pattern described in Ansible Best Practices and Conventions (Appendix B), Ansible for Devops (p. 
406) + # Allowing to 'override' variables that are defined using include_vars + + - name: Java | Setting OS specific variables + set_fact: + java_open_jdk_version: "{{ java_open_jdk_version if java_open_jdk_version is defined and java_open_jdk_version is not sameas None }}" + java_open_jdk_version_major: "{{ java_open_jdk_version_major if java_open_jdk_version_major is defined and java_open_jdk_version_major is not sameas None and java_open_jdk_version_major else __java_open_jdk_version_major }}" # noqa 204 + + - name: Java | Setting OS specific variables (II) + set_fact: + java_open_jdk_home_dir: "{{ java_open_jdk_home_dir if java_open_jdk_home_dir is defined and java_open_jdk_home_dir is not sameas None and java_open_jdk_home_dir else __java_open_jdk_home_dir }}" # noqa 204 + java_open_jdk_package: "{{ java_open_jdk_package if java_open_jdk_package is defined and java_open_jdk_package is not sameas None and java_open_jdk_package else __java_open_jdk_package }}" # noqa 204 + + - name: Java | Setting specific variables + set_fact: + java_home: "{{ java_open_jdk_home }}" + + - name: Download and install goss + get_url: + url: "{{ goss_url }}" + dest: "{{ goss_dst }}" + mode: 0755 + + - name: Copy tests to remote + template: + src: "{{ item }}" + dest: "{{ goss_test_directory }}/{{ item | basename }}" + with_fileglob: + - "{{ playbook_dir }}/tests/test_*.yml" + + - name: Register test files + shell: "ls {{ goss_test_directory }}/test_*.yml" + register: test_files + changed_when: false + + - name: Execute Goss tests + command: "goss -g {{ item }} validate --format {{ goss_format }}" + register: test_results + with_items: "{{ test_files.stdout_lines }}" + ignore_errors: true + changed_when: false + + - name: Display details about the goss results + debug: + msg: "{{ item.stdout_lines }}" + with_items: "{{ test_results.results }}" + + - name: Fail when tests fail + fail: + msg: "Goss failed to validate" + when: item.rc != 0 + with_items: "{{ test_results.results }}" 
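Review bot: The `Download and install goss` task in verify.yml fetches a binary to `/usr/local/bin/goss`, marks it executable and then runs it, but never compares it with `goss_sha256sum`, which is declared in `vars` and not referenced anywhere else in the hunk. Adding `checksum: "sha256:{{ goss_sha256sum }}"` to the `get_url` arguments makes the pinned hash effective, so a replaced or truncated release asset fails the play instead of being executed. While touching that task, `mode: 0755` is better written as `mode: "0755"` so the value is not subject to YAML integer parsing.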
diff --git a/tasks/import_certs.yml b/tasks/import_certs.yml new file mode 100644 index 0000000..97a017d --- /dev/null +++ b/tasks/import_certs.yml @@ -0,0 +1,26 @@ +--- + +- name: Java | Check if certificates exists + stat: + path: "{{ item.java_cert_path }}" + with_items: "{{ java_certs }}" + register: check_java_certs + +- name: Java | Fail if some cert doesn't exist + fail: + msg: "Certificate {{ item.item.java_cert_path }} doesn't exist" + with_items: "{{ check_java_certs.results }}" + when: not item.stat.exists + +- name: Java | Setting keystore variables + set_fact: + java_keystore_dir: "{{ java_keystore_dir if java_keystore_dir is defined and java_keystore_dir is not sameas None and java_keystore_dir else __java_keystore_dir }}" + +- name: Java | Import SSL certificates + java_cert: + cert_path: "{{ item.java_cert_path }}" + keystore_path: "{{ java_open_jdk_home }}/{{ java_keystore_dir }}/cacerts" + keystore_pass: "{{ java_cert_keystore_pass }}" + state: present + cert_alias: "{{ item.java_cert_alias }}" + with_items: "{{ java_certs }}" diff --git a/tasks/main.yml b/tasks/main.yml index bfae01d..d542c9a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -4,3 +4,9 @@ include_tasks: install_openjdk.yml tags: - install + +- name: Java | Import certificates into Java Keystore + include_tasks: import_certs.yml + when: java_certs is defined + tags: + - certs diff --git a/vars/adoptopenjdk/CentOS-8.yml b/vars/adoptopenjdk/CentOS-8.yml index 3364565..d85b0b8 100644 --- a/vars/adoptopenjdk/CentOS-8.yml +++ b/vars/adoptopenjdk/CentOS-8.yml @@ -1,6 +1,7 @@ --- java_open_jdk_apt_extra_packages: [] __java_open_jdk_version_major: 8 +__java_keystore_dir: jre/lib/security # Supported major releases: 8 and from 11 to 14; hotspot and openj9 implementations __java_required_repositories_openjdk: diff --git a/vars/adoptopenjdk/Debian-10.yml b/vars/adoptopenjdk/Debian-10.yml index 00ad171..8506b3c 100644 --- a/vars/adoptopenjdk/Debian-10.yml 
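Review bot: The import task in tasks/import_certs.yml dereferences `java_cert_keystore_pass`, `item.java_cert_path` and `item.java_cert_alias` without any prior check, while tasks/main.yml includes the file on `java_certs is defined` alone and defaults/main.yml only shows the variables commented out. A play that sets `java_certs` but forgets the password or an alias fails with an undefined-variable error partway through, after the stat loop has already run; an `assert` at the top of the file gives one clear message instead. Since `cacerts` is the JVM-wide trust anchor store, every certificate listed becomes trusted by all Java applications using that JDK, and the only gate here is that the file exists, so the README section should state that the certificate files must come from a trusted, integrity-checked source.

```yaml
- name: Java | Validate certificate import variables
  assert:
    that:
      - java_cert_keystore_pass is defined
      - item.java_cert_path is defined
      - item.java_cert_alias is defined
    fail_msg: "java_cert_keystore_pass and, for every entry of java_certs, java_cert_path and java_cert_alias must be set"
  with_items: "{{ java_certs }}"

# … unchanged: stat / fail / set_fact / java_cert tasks …
```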
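Review bot: `__java_keystore_dir` in vars/adoptopenjdk/CentOS-8.yml is fixed to `jre/lib/security`, matching the default `__java_open_jdk_version_major: 8` on the line above, yet the comment further down in the same hunk lists 11 to 14 as supported releases too. When a play overrides the major version, the import task will build a `cacerts` path that, per the README text added in this same patch, is not the Java 9+ location, unless `java_keystore_dir` is also overridden by hand. Consider deriving the default from the effective major version in tasks/import_certs.yml, or at least add a comment on this line such as `# Java 8 layout; set java_keystore_dir: lib/security when installing 9+`. The same coupling applies to the other vars/adoptopenjdk, vars/corretto and vars/openjdk hunks, where the openjdk files default to `lib/security` while some of them list 8 as supported.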
+++ b/vars/adoptopenjdk/Debian-10.yml @@ -3,6 +3,7 @@ java_open_jdk_apt_extra_packages: - python-apt - apt-transport-https __java_open_jdk_version_major: 8 +__java_keystore_dir: jre/lib/security # Supported major releases: 8 and from 11 to 14; hotspot and openj9 implementations # For Debian family diff --git a/vars/adoptopenjdk/Debian-11.yml b/vars/adoptopenjdk/Debian-11.yml index 19fc161..d094df8 100644 --- a/vars/adoptopenjdk/Debian-11.yml +++ b/vars/adoptopenjdk/Debian-11.yml @@ -4,6 +4,7 @@ java_open_jdk_apt_extra_packages: - apt-transport-https - gnupg2 __java_open_jdk_version_major: 8 +__java_keystore_dir: jre/lib/security # Supported major releases: 8 and from 11 to 14; hotspot and openj9 implementations # For Debian family diff --git a/vars/corretto/CentOS-8.yml b/vars/corretto/CentOS-8.yml index c9c4c78..f56374f 100644 --- a/vars/corretto/CentOS-8.yml +++ b/vars/corretto/CentOS-8.yml @@ -1,5 +1,6 @@ --- __java_open_jdk_version_major: 1.8.0 +__java_keystore_dir: jre/lib/security # Supported versions: 8 (1.8.0 in RHEL), 11 __java_required_repositories_openjdk: diff --git a/vars/corretto/Debian-10.yml b/vars/corretto/Debian-10.yml index 12d180a..b475bb4 100644 --- a/vars/corretto/Debian-10.yml +++ b/vars/corretto/Debian-10.yml @@ -4,6 +4,7 @@ java_open_jdk_apt_extra_packages: - apt-transport-https __java_open_jdk_version_major: 1.8.0 +__java_keystore_dir: jre/lib/security # Supported versions: 8 (1.8.0L), 11 __java_required_repositories_openjdk: diff --git a/vars/corretto/Debian-11.yml b/vars/corretto/Debian-11.yml index 67c8286..737ceca 100644 --- a/vars/corretto/Debian-11.yml +++ b/vars/corretto/Debian-11.yml @@ -5,6 +5,7 @@ java_open_jdk_apt_extra_packages: - gnupg2 __java_open_jdk_version_major: 1.8.0 +__java_keystore_dir: jre/lib/security # Supported versions: 8 (1.8.0L), 11 __java_required_repositories_openjdk: diff --git a/vars/openjdk/CentOS-7.yml b/vars/openjdk/CentOS-7.yml index dbbe4f4..bc5ed94 100644 --- a/vars/openjdk/CentOS-7.yml 
+++ b/vars/openjdk/CentOS-7.yml @@ -2,6 +2,7 @@ # Using pattern described in Ansible Best Practices and Conventions (Appendix B), Ansible for Devops (p. 406) __java_open_jdk_version_major: 11 +__java_keystore_dir: lib/security # Supported openjdk major releases: 1.6.0, 1.7.0, 1.8.0, 11 # __java_required_repositories_openjdk: [] diff --git a/vars/openjdk/CentOS-8.yml b/vars/openjdk/CentOS-8.yml index 10c51b0..814f539 100644 --- a/vars/openjdk/CentOS-8.yml +++ b/vars/openjdk/CentOS-8.yml @@ -2,6 +2,7 @@ # Using pattern described in Ansible Best Practices and Conventions (Appendix B), Ansible for Devops (p. 406) __java_open_jdk_version_major: 11 +__java_keystore_dir: lib/security # Supported openjdk major releases: 1.8.0, 11 __java_required_repositories_openjdk: [] diff --git a/vars/openjdk/Debian-10.yml b/vars/openjdk/Debian-10.yml index 13deec7..655753d 100644 --- a/vars/openjdk/Debian-10.yml +++ b/vars/openjdk/Debian-10.yml @@ -2,6 +2,7 @@ # Using pattern described in Ansible Best Practices and Conventions (Appendix B), Ansible for Devops (p. 406) __java_open_jdk_version_major: 11 +__java_keystore_dir: lib/security # Supported openjdk major releases: 11 __java_required_repositories_openjdk: [] diff --git a/vars/openjdk/Debian-11.yml b/vars/openjdk/Debian-11.yml index 68296a2..01c74d9 100644 --- a/vars/openjdk/Debian-11.yml +++ b/vars/openjdk/Debian-11.yml @@ -2,6 +2,7 @@ # Using pattern described in Ansible Best Practices and Conventions (Appendix B), Ansible for Devops (p. 406) __java_open_jdk_version_major: 11 +__java_keystore_dir: lib/security # Supported openjdk major releases: 11, 17 __java_required_repositories_openjdk: [] diff --git a/vars/openjdk/Ubuntu-18.yml b/vars/openjdk/Ubuntu-18.yml index f0b00e4..3e5a29a 100644 --- a/vars/openjdk/Ubuntu-18.yml +++ b/vars/openjdk/Ubuntu-18.yml 
@@ -6,6 +6,7 @@ java_open_jdk_apt_extra_packages: # Using pattern described in Ansible Best Practices and Conventions (Appendix B), Ansible for Devops (p. 406) __java_open_jdk_version_major: 11 +__java_keystore_dir: lib/security # Supported openjdk major releases: 8, 11 __java_required_repositories_openjdk: [] diff --git a/vars/openjdk/Ubuntu-20.yml b/vars/openjdk/Ubuntu-20.yml index 8271fb6..9fbba5a 100644 --- a/vars/openjdk/Ubuntu-20.yml +++ b/vars/openjdk/Ubuntu-20.yml @@ -5,6 +5,7 @@ java_open_jdk_apt_extra_packages: - gnupg2 # Using pattern described in Ansible Best Practices and Conventions (Appendix B), Ansible for Devops (p. 406) __java_open_jdk_version_major: 17 +__java_keystore_dir: lib/security # Supported openjdk major releases: 8, 11, 13, 14, 17 __java_required_repositories_openjdk: [] diff --git a/vars/openjdk/Ubuntu-22.yml b/vars/openjdk/Ubuntu-22.yml index 07d88b2..d9a187e 100644 --- a/vars/openjdk/Ubuntu-22.yml +++ b/vars/openjdk/Ubuntu-22.yml @@ -5,6 +5,7 @@ java_open_jdk_apt_extra_packages: - gnupg2 # Using pattern described in Ansible Best Practices and Conventions (Appendix B), Ansible for Devops (p. 406) __java_open_jdk_version_major: 17 +__java_keystore_dir: lib/security # Supported openjdk major releases: 8, 11, 17, 18 __java_required_repositories_openjdk: []