confluentinc · mansi-jain-1206 · Sep 25, 2024 · Oct 16, 2024 · Oct 16, 2024 · Oct 16, 2024
diff --git a/docs/sample_inventories/scram_kraft.yml b/docs/sample_inventories/scram_kraft.yml
@@ -0,0 +1,55 @@
+---
+##
+## The following is an example inventory file of the configuration required for setting up Confluent Platform with Kraft Controller with SCRAM.
+## You can use any of the below approaches to setup SCRAM communication with Kraft. Same can be followed for migration as well.
+## Option 1: This will set up controller-controller and controller-broker communication via plain and other communication via scram.
+## Option 2: This will set up controller-controller via plain and other communication via scram.
+
+all:
+  vars:
+    ansible_connection: ssh
+    ansible_user: ec2-user
+    ansible_become: true
+    ansible_ssh_private_key_file: /home/ec2-user/guest.pem
+    ansible_python_interpreter: /usr/bin/python3
+
+    ssl_enabled: true
+    sasl_protocol: scram
+
+    ## Option 1
+    kafka_controller_sasl_protocol: plain,scram
+
+kafka_controller:
+  vars:
+    ## Option 2
+    kafka_controller_sasl_protocol: plain,scram
+  hosts:
+    ec2-35-160-193-90.us-west-2.compute.amazonaws.com:
+    ec2-35-85-219-150.us-west-2.compute.amazonaws.com:
+    ec2-34-219-169-190.us-west-2.compute.amazonaws.com:
+
+kafka_broker:
+  hosts:
+    ec2-35-91-214-11.us-west-2.compute.amazonaws.com:
+    ec2-54-71-228-219.us-west-2.compute.amazonaws.com:
+    ec2-54-218-9-145.us-west-2.compute.amazonaws.com:
+
+schema_registry:
+  hosts:
+    ec2-35-160-193-90.us-west-2.compute.amazonaws.com:
+
+kafka_connect:
+  hosts:
+    ec2-35-85-219-150.us-west-2.compute.amazonaws.com:
+
+kafka_rest:
+  hosts:
+    ec2-34-219-169-190.us-west-2.compute.amazonaws.com:
+
+ksql:
+  hosts:
+    ec2-35-91-214-11.us-west-2.compute.amazonaws.com:
+
+control_center:
+  hosts:
+    ec2-35-85-219-150.us-west-2.compute.amazonaws.com:
@@ -7,10 +7,11 @@
 driver:
   name: docker
 platforms:
-  - name: zookeeper1
-    hostname: zookeeper1.confluent
+  - name: ${KRAFT_CONTROLLER:-zookeeper}1
+    hostname: ${KRAFT_CONTROLLER:-zookeeper}1.confluent
     groups:
-      - zookeeper
+      - ${CONTROLLER_HOSTGROUP:-zookeeper}
+      - ${CONTROLLER_HOSTGROUP:-zookeeper}_migration
     image: oraclelinux:8-slim
     dockerfile: ../Dockerfile-rhel-tar.j2
     command: ""
@@ -94,11 +95,14 @@ platforms:
     networks:
       - name: confluent
 provisioner:
+  playbooks:
+    converge: ${MIGRATION_CONVERGE:-../collections_converge.yml}
   inventory:
     group_vars:
       all:
         ssl_enabled: true
-        sasl_protocol: scram
+        sasl_protocol: scram256
+        kafka_controller_sasl_protocol: plain,scram256
 
         installation_method: archive
 

@@ -10,3 +10,7 @@
     - name: Create Custom User
       user:
         name: "{{archive_owner}}"
+
+- name: Install Zookeeper Cluster
+  import_playbook: confluent.platform.all
+  when: lookup('env', 'MIGRATION')|default('false') == 'true'
@@ -23,6 +23,27 @@
           - archive.stat.pw_name == 'cp-custom'
         quiet: true
 
+- name: Verify - kafka_controller
+  hosts: kafka_controller
+  gather_facts: false
+  tasks:
+    - import_role:
+        name: variables
+    - import_role:
+        name: confluent.test
+        tasks_from: check_property.yml
+      vars:
+        file_path: /opt/confluent/etc/controller/server.properties
+        property: sasl.enabled.mechanisms
+        expected_value: SCRAM-SHA-256,PLAIN
+    - import_role:
+        name: confluent.test
+        tasks_from: check_property.yml
+      vars:
+        file_path: /opt/confluent/etc/controller/server.properties
+        property: sasl.mechanism.controller.protocol
+        expected_value: PLAIN
+
 - name: Verify - kafka_connect
   hosts: kafka_connect
   gather_facts: false

@@ -45,7 +45,7 @@ platforms:
     privileged: true
     networks:
       - name: confluent
-  # MDS Zookeeper and Kafka
+  # MDS Controller, Zookeeper and Kafka
   - name: mds-${KRAFT_CONTROLLER:-zookeeper}1
     hostname: mds-${KRAFT_CONTROLLER:-zookeeper}1.confluent
     groups:
@@ -86,10 +86,10 @@ platforms:
     networks:
       - name: confluent
   # Cluster 2 goups, groupnames will be changed during converge phase
-  - name: zookeeper1
-    hostname: zookeeper1.confluent
+  - name: ${KRAFT_CONTROLLER:-zookeeper}1
+    hostname: ${KRAFT_CONTROLLER:-zookeeper}1.confluent
     groups:
-      - zookeeper2
+      - ${KRAFT_CONTROLLER:-zookeeper}2
       - cluster2
     image: rockylinux:9-minimal
     dockerfile: ../Dockerfile-rhel-java17.j2
@@ -216,6 +216,7 @@ provisioner:
 
         ssl_enabled: true
         sasl_protocol: scram
+        kafka_controller_sasl_protocol: plain,scram
 
         ssl_custom_certs: true
         ssl_ca_cert_filepath: "{{ lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}/generated_ssl_files/ca.crt"

@@ -10,3 +10,7 @@
 
 - name: Install MDS Cluster
   import_playbook: confluent.platform.all
+
+- name: Install Zookeeper Cluster
+  import_playbook: confluent.platform.all
+  when: lookup('env', 'MIGRATION')|default('false') == 'true'
@@ -189,6 +189,7 @@ provisioner:
 
         ssl_enabled: true
         sasl_protocol: scram
+        kafka_controller_sasl_protocol: plain,scram
         ssl_custom_certs: true
         ssl_ca_cert_filepath: "{{ lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}/generated_ssl_files/ca.crt"
         ssl_signed_cert_filepath: "{{ lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}/generated_ssl_files/{{inventory_hostname}}-ca1-signed.crt"

@@ -4,3 +4,7 @@
 
 - name: Provision LDAP Server
   import_playbook: ../ldap.yml
+
+- name: Install Zookeeper Cluster
+  import_playbook: confluent.platform.all
+  when: lookup('env', 'MIGRATION')|default('false') == 'true'
@@ -8,6 +8,27 @@
 ### Validates that FIPS is in use in OpenSSL.
 ### Validates that both the Connectors are Running
 
+- name: Verify - kafka_controller
+  hosts: kafka_controller
+  gather_facts: false
+  tasks:
+    - import_role:
+        name: variables
+    - import_role:
+        name: confluent.test
+        tasks_from: check_property.yml
+      vars:
+        file_path: /etc/controller/server.properties
+        property: sasl.enabled.mechanisms
+        expected_value: SCRAM-SHA-512,PLAIN
+    - import_role:
+        name: confluent.test
+        tasks_from: check_property.yml
+      vars:
+        file_path: /etc/controller/server.properties
+        property: sasl.mechanism.controller.protocol
+        expected_value: PLAIN
+
 - name: Verify - kafka_broker
   hosts: kafka_broker
   gather_facts: false

@@ -5,10 +5,37 @@
 driver:
   name: docker
 platforms:
-  - name: zookeeper1
-    hostname: zookeeper1.confluent
+  - name: ${KRAFT_CONTROLLER:-zookeeper}1
+    hostname: ${KRAFT_CONTROLLER:-zookeeper}1.confluent
     groups:
-      - zookeeper
+      - ${CONTROLLER_HOSTGROUP:-zookeeper}
+      - ${CONTROLLER_HOSTGROUP:-zookeeper}_migration
+    image: redhat/ubi8-minimal
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+  - name: ${KRAFT_CONTROLLER:-zookeeper}2
+    hostname: ${KRAFT_CONTROLLER:-zookeeper}2.confluent
+    groups:
+      - ${CONTROLLER_HOSTGROUP:-zookeeper}
+      - ${CONTROLLER_HOSTGROUP:-zookeeper}_migration
+    image: redhat/ubi8-minimal
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+            - name: confluent
+  - name: ${KRAFT_CONTROLLER:-zookeeper}3
+    hostname: ${KRAFT_CONTROLLER:-zookeeper}3.confluent
+    groups:
+      - ${CONTROLLER_HOSTGROUP:-zookeeper}
+      - ${CONTROLLER_HOSTGROUP:-zookeeper}_migration
     image: redhat/ubi8-minimal
     dockerfile: ../Dockerfile-rhel-java17.j2
     command: ""
@@ -91,7 +118,45 @@ platforms:
       - "9021:9021"
     networks:
       - name: confluent
+  - name: controller1-mig
+    hostname: controller1-mig.confluent
+    groups:
+      - kafka_controller_migration
+    image: redhat/ubi8-minimal
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+  - name: controller2-mig
+    hostname: controller2-mig.confluent
+    groups:
+      - kafka_controller_migration
+    image: redhat/ubi8-minimal
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+  - name: controller3-mig
+    hostname: controller3-mig.confluent
+    groups:
+      - kafka_controller_migration
+    image: redhat/ubi8-minimal
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
 provisioner:
+  playbooks:
+    converge: ${MIGRATION_CONVERGE:-../collections_converge.yml}
   inventory:
     group_vars:
       all:
@@ -106,3 +171,6 @@ provisioner:
 
         schema_registry_kafka_listener_name: client
         kafka_broker_configure_control_plane_listener: true
+
+      kafka_controller:
+        kafka_controller_sasl_protocol: plain,scram
@@ -0,0 +1,3 @@
+- name: Install Zookeeper Cluster
+  import_playbook: confluent.platform.all
+  when: lookup('env', 'MIGRATION')|default('false') == 'true'
@@ -1,5 +1,25 @@
 ---
-### Validates that SCRAM is enabled on all components.
+### Validates that SCRAM is enabled on all components except kafka controller.
+- name: Verify - kafka_controller
+  hosts: kafka_controller
+  gather_facts: false
+  tasks:
+    - import_role:
+        name: variables
+    - import_role:
+        name: confluent.test
+        tasks_from: check_property.yml
+      vars:
+        file_path: /etc/controller/server.properties
+        property: sasl.enabled.mechanisms
+        expected_value: SCRAM-SHA-512,SCRAM-SHA-256,PLAIN
+    - import_role:
+        name: confluent.test
+        tasks_from: check_property.yml
+      vars:
+        file_path: /etc/controller/server.properties
+        property: sasl.mechanism.controller.protocol
+        expected_value: PLAIN
 
 - name: Verify - kafka_broker
   hosts: kafka_broker

@@ -206,3 +206,26 @@
     fail_msg: "OAuth is not supported on FIPS enabled cluster yet. Please disable FIPS or OAuth to setup the cluster."
   when: auth_mode == 'oauth' or auth_mode == 'ldap_with_oauth'
   tags: validate
+
+- assert:
+    that:
+      - hostvars[item]['kafka_controller_sasl_protocol'].replace(" ", "").split(',') | length > 1
+      - hostvars[item]['kafka_controller_sasl_protocol'].replace(" ", "").split(',')[0] not in ['scram', 'scram256']
+    fail_msg: "kafka_controller_sasl_protocol in kafka controller cannot have first value as scram or scram256 since inter-controller communication via SCRAM is not supported. Please use other protocols along with it."
+  loop: "{{ groups['kafka_controller'] }}"
+  when:
+    - ('kafka_controller' in groups.keys() and groups['kafka_controller'] | length > 1) | bool
+    - hostvars[item]['kafka_controller_sasl_protocol'] is defined
+  tags: validate
+
+- assert:
+    that:
+      - "'scram' in ({{ hostvars[item]['kafka_controller_sasl_protocol'].replace(' ', '').split(',') }} ) or 'scram256' in ( {{ hostvars[item]['kafka_controller_sasl_protocol'].replace(' ', '').split(',') }} )"
+      - hostvars[item]['kafka_controller_sasl_protocol'].replace(" ", "").split(',') | length > 1
+    fail_msg: "kafka_controller_sasl_protocol in kafka broker must have multiple values defined if it has scram or scram256 as one of the protocols and kafka controller is present."
+  loop: "{{ groups['kafka_broker'] }}"
+  when:
+    - ('kafka_broker' in groups.keys() and groups['kafka_broker'] | length > 0) | bool
+    - ('kafka_controller' in groups.keys() and groups['kafka_controller'] | length > 1) | bool
+    - hostvars[item]['kafka_controller_sasl_protocol'] is defined
+  tags: validate