[ANSIENG-4239] Molecule scenarios for mTLS (#66)

molecule/mini-setup-ldap-mtls/molecule.yml

@@ -0,0 +1,244 @@
+---
+### Installs Confluent Platform Cluster on ubi9.
+### RBAC enabled.
+### MTLS enabled.
+### Kafka Broker Customer Listener.
+### SSO authentication using OIDC in Control center using Okta IdP
+
+driver:
+  name: docker
+platforms:
+  - name: ldap1
+    hostname: ldap1.confluent
+    groups:
+      - ldap_server
+    image: centos:centos8
+    dockerfile: ../Dockerfile-centos8-base.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+  - name: ${KRAFT_CONTROLLER:-zookeeper}1
+    hostname: ${KRAFT_CONTROLLER:-zookeeper}1.confluent
+    groups:
+      - ${CONTROLLER_HOSTGROUP:-zookeeper}
+      - ${CONTROLLER_HOSTGROUP:-zookeeper}_migration
+    image: redhat/ubi9-minimal
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+  - name: ${KRAFT_CONTROLLER:-zookeeper}2
+    hostname: ${KRAFT_CONTROLLER:-zookeeper}2.confluent
+    groups:
+      - ${CONTROLLER_HOSTGROUP:-zookeeper}
+      - ${CONTROLLER_HOSTGROUP:-zookeeper}_migration
+    image: redhat/ubi9-minimal
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+  - name: ${KRAFT_CONTROLLER:-zookeeper}3
+    hostname: ${KRAFT_CONTROLLER:-zookeeper}3.confluent
+    groups:
+      - ${CONTROLLER_HOSTGROUP:-zookeeper}
+      - ${CONTROLLER_HOSTGROUP:-zookeeper}_migration
+    image: redhat/ubi9-minimal
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+  - name: kafka-broker1
+    hostname: kafka-broker1.confluent
+    groups:
+      - kafka_broker
+      - kafka_broker_migration
+    image: redhat/ubi9-minimal
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+  - name: kafka-broker2
+    hostname: kafka-broker2.confluent
+    groups:
+      - kafka_broker
+      - kafka_broker_migration
+    image: redhat/ubi9-minimal
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+  - name: kafka-broker3
+    hostname: kafka-broker3.confluent
+    groups:
+      - kafka_broker
+      - kafka_broker_migration
+    image: redhat/ubi9-minimal
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+  - name: schema-registry1
+    hostname: schema-registry1.confluent
+    groups:
+      - schema_registry
+    image: redhat/ubi9-minimal
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+  - name: kafka-rest1
+    hostname: kafka-rest1.confluent
+    groups:
+      - kafka_rest
+    image: redhat/ubi9-minimal
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+  - name: kafka-connect1
+    hostname: kafka-connect1.confluent
+    groups:
+      - kafka_connect
+    image: redhat/ubi9-minimal
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+  - name: ksql1
+    hostname: ksql1.confluent
+    groups:
+      - ksql
+    image: redhat/ubi9-minimal
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+  - name: control-center1
+    hostname: control-center1.confluent
+    groups:
+      - control_center
+    image: redhat/ubi9-minimal
+    published_ports:
+      - "9021:9021"
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+provisioner:
+  playbooks:
+    converge: ${MIGRATION_CONVERGE:-../collections_converge.yml}
+  inventory:
+    group_vars:
+      all:
+        mask_secrets: false
+        ssl_enabled: true
+        ssl_mutual_auth_enabled: true
+        ssl_client_authentication: required
+
+        rbac_enabled: true
+        auth_mode: ldap
+
+        mds_super_user: mds
+        mds_super_user_password: password
+
+        schema_registry_ldap_user: schema-registry1
+        schema_registry_ldap_password: password
+
+        kafka_connect_ldap_user: kafka-connect1
+        kafka_connect_ldap_password: password
+
+        ksql_ldap_user: ksql1
+        ksql_ldap_password: password
+
+        kafka_rest_ldap_user: kafka-rest1
+        kafka_rest_ldap_password: password
+
+        control_center_ldap_user: control-center1
+        control_center_ldap_password: password
+
+        kafka_broker_custom_properties:
+          ldap.java.naming.factory.initial: com.sun.jndi.ldap.LdapCtxFactory
+          ldap.com.sun.jndi.ldap.read.timeout: 3000
+          ldap.java.naming.provider.url: ldap://ldap1:389
+          ldap.java.naming.security.principal: uid=mds,OU=rbac,DC=example,DC=com
+          ldap.java.naming.security.credentials: password
+          ldap.java.naming.security.authentication: simple
+          ldap.user.search.base: OU=rbac,DC=example,DC=com
+          ldap.group.search.base: OU=rbac,DC=example,DC=com
+          ldap.user.name.attribute: uid
+          ldap.user.memberof.attribute.pattern: CN=(.*),OU=rbac,DC=example,DC=com
+          ldap.group.name.attribute: cn
+          ldap.group.member.attribute.pattern: CN=(.*),OU=rbac,DC=example,DC=com
+          ldap.user.object.class: account
+
+      ldap_server:
+        ldaps_enabled: false
+        ldaps_custom_certs: false
+
+        ldap_admin_password: ldppassword
+
+        ldap_rbac_group: rbac
+        ldap_dc: example
+        ldap_dc_extension: com
+
+        ldap_users:
+          - username: "{{schema_registry_ldap_user}}"
+            password: "{{schema_registry_ldap_password}}"
+            uid: 9998
+            guid: 98
+          - username: "{{kafka_connect_ldap_user}}"
+            password: "{{kafka_connect_ldap_password}}"
+            uid: 9997
+            guid: 97
+          - username: "{{ksql_ldap_user}}"
+            password: "{{ksql_ldap_password}}"
+            uid: 9996
+            guid: 96
+          - username: "{{control_center_ldap_user}}"
+            password: "{{control_center_ldap_password}}"
+            uid: 9995
+            guid: 95
+          - username: "{{kafka_rest_ldap_user}}"
+            password: "{{kafka_rest_ldap_password}}"
+            uid: 9994
+            guid: 94
+          - username: "{{mds_super_user}}"
+            password: "{{mds_super_user_password}}"
+            uid: 9993
+            guid: 93

molecule/mini-setup-ldap-mtls/prepare.yml

@@ -0,0 +1,9 @@
+---
+- name: Install and configure OpenLDAP
+  hosts: ldap_server
+  tasks:
+    - import_role:
+        name: confluent.test.ldap
+- name: Install Zookeeper Cluster
+  import_playbook: confluent.platform.all
+  when: lookup('env', 'MIGRATION')|default('false') == 'true'

molecule/mini-setup-ldap-mtls/verify.yml

@@ -0,0 +1,67 @@
+---
+### Validates that SSL Protocol is set.
+### Validates ssl.client.authentication is set to REQUIRED.
+
+- name: Verify - kafka_controller
+  hosts: kafka_controller
+  gather_facts: false
+  tasks:
+    - import_role:
+        name: variables
+    - import_role:
+        name: confluent.test
+        tasks_from: check_property.yml
+      vars:
+        file_path: /etc/controller/server.properties
+        property: controller.quorum.voters
+        expected_value: "{{ kafka_controller_quorum_voters }}"
+
+- name: Verify - kafka_broker
+  hosts: kafka_broker
+  gather_facts: false
+  tasks:
+    - set_fact:
+        kraft_mode: "{{ ('kafka_controller' in groups.keys() and groups['kafka_controller'] | length > 0) }}"
+
+    - import_role:
+        name: confluent.test
+        tasks_from: check_property.yml
+      vars:
+        file_path: /etc/kafka/server.properties
+        property: confluent.metadata.server.ssl.client.authentication
+        expected_value: REQUIRED
+
+    - name: Get current time in milliseconds
+      command: date +%s%3N
+      register: current_time
+
+    - name: Set current time in milliseconds
+      set_fact:
+        topic_name: "test-topic-{{current_time.stdout}}"
+
+    - name: Display milliseconds since Unix epoch
+      debug:
+        msg:
+          - "topic_name: {{ topic_name }} will be created "
+
+    - name: Create Kafka topic
+      shell: kafka-topics --create --topic "{{ topic_name }}" \
+             --bootstrap-server kafka-broker1:9091 --command-config /etc/kafka/client.properties \
+             --replication-factor 1 --partitions 6
+      run_once: true
+      register: output
+
+    - name: Create Topic Data
+      shell: |
+        seq 10 | kafka-console-producer --topic "{{ topic_name }}" \
+        --bootstrap-server kafka-broker1:9091 --producer.config /etc/kafka/client.properties
+      run_once: true
+
+    - name: Read Topic Data
+      shell: kafka-console-consumer --topic "{{ topic_name }}" \
+             --bootstrap-server kafka-broker1:9091 --timeout-ms 10000 \
+             --from-beginning --consumer.config /etc/kafka/client.properties
+      run_once: true
+      register: consumer_output
+      failed_when:
+        - "'1\n2\n3\n4\n5\n6\n7\n8\n9\n10' not in consumer_output.stdout"

molecule/mini-setup-mtls/credentials

@@ -0,0 +1,2 @@
+user1: password1
+user2: password2