[ANSIENG-4230] | listener changes (#71) #1802

Open
wants to merge 1 commit into
base: 7.8.x
5 changes: 2 additions & 3 deletions plugins/filter/filters.py
Expand Up @@ -156,7 +156,7 @@ def split_newline_to_dict(self, string):
return final_dict

def listener_properties(self, listeners_dict, default_ssl_enabled,
bouncy_castle_keystore, default_ssl_mutual_auth_enabled,
bouncy_castle_keystore, default_ssl_client_authentication,
default_sasl_protocol, kafka_broker_truststore_path,
kafka_broker_truststore_storepass,
kafka_broker_keystore_path,
Expand Down Expand Up @@ -187,8 +187,7 @@ def listener_properties(self, listeners_dict, default_ssl_enabled,
final_dict['listener.name.' + listener_name + '.ssl.truststore.type'] = 'BCFKS'
final_dict['listener.name.' + listener_name + '.ssl.enabled.protocols'] = 'TLSv1.2,TLSv1.3'

if listeners_dict[listener].get('ssl_mutual_auth_enabled', default_ssl_mutual_auth_enabled):
final_dict['listener.name.' + listener_name + '.ssl.client.auth'] = 'required'
final_dict['listener.name.' + listener_name + '.ssl.client.auth'] = listeners_dict[listener].get('ssl_client_authentication', default_ssl_client_authentication)

if self.normalize_sasl_protocol(listeners_dict[listener].get('sasl_protocol', default_sasl_protocol)) == 'PLAIN':
final_dict['listener.name.' + listener_name + '.sasl.enabled.mechanisms'] = 'PLAIN'
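Review bot: The value written to `listener.name.<name>.ssl.client.auth` by the new `final_dict[...] = listeners_dict[listener].get('ssl_client_authentication', default_ssl_client_authentication)` line is passed through unvalidated, whereas the removed code could only ever emit `required`. Kafka accepts only `required`, `requested` or `none` for this key, so a typo, or a boolean leaking from a caller that still passes the old `ssl_mutual_auth_enabled` flag in the renamed parameter's position, surfaces only as a broker start failure, while a silently weaker value like `requested` is never noticed. Suggest binding and checking it first: `client_auth = listeners_dict[listener].get('ssl_client_authentication', default_ssl_client_authentication)` / `if client_auth not in ('required', 'requested', 'none'): raise ValueError(f"invalid ssl_client_authentication for listener {listener_name}: {client_auth!r}")` / `final_dict['listener.name.' + listener_name + '.ssl.client.auth'] = client_auth`. Note that the per-listener `ssl_mutual_auth_enabled` key is still emitted by the defaults but no longer consulted in this hunk, so a listener that sets it to true without also setting `ssl_client_authentication` now gets the default instead of `required`; worth confirming that is intended. The body of `listener_properties` starts at the signature hunk above and continues past this hunk.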
26 changes: 23 additions & 3 deletions roles/variables/defaults/main.yml
Expand Up @@ -437,6 +437,7 @@ kafka_controller_listeners: "{
'port': {{kafka_controller_port}},
'ssl_enabled': {{kafka_controller_ssl_enabled|string|lower}},
'ssl_mutual_auth_enabled': {{kafka_controller_ssl_mutual_auth_enabled|string|lower}},
'ssl_client_authentication': '{{kafka_controller_ssl_client_authentication|string|lower}}',
'sasl_protocol': '{{kafka_controller_sasl_protocol}}'
}
}"
Expand Down Expand Up @@ -566,20 +567,32 @@ kafka_broker_default_listeners: "{
'port': 9092,
'ssl_enabled': {% if ccloud_kafka_enabled|bool %}true{% else %}{{ssl_enabled|string|lower}}{% endif %},
'ssl_mutual_auth_enabled': {% if ccloud_kafka_enabled|bool %}false{% else %}{{ssl_mutual_auth_enabled|string|lower}}{% endif %},
'sasl_protocol': '{% if rbac_enabled|bool or oauth_enabled|bool %}OAUTH{% elif ccloud_kafka_enabled|bool %}PLAIN{% else %}{{sasl_protocol}}{% endif %}'
}{% if kafka_broker_configure_multiple_listeners|bool %},
'ssl_client_authentication': '{% if ccloud_kafka_enabled|bool %}none{% else %}{{ssl_client_authentication|string|lower}}{% endif %}',
'sasl_protocol': '{% if auth_mode in [\"ldap\", \"ldap_with_oauth\", \"oauth\"] %}OAUTH{% elif ccloud_kafka_enabled|bool %}PLAIN{% else %}{{sasl_protocol}}{% endif %}'
}{% if auth_mode == 'mtls' %},
Member Author


add config validation to only define auth_mode in case rbac_enabled is true

'internal_token': {
'name': 'INTERNAL_TOKEN',
'port': 9088,
'ssl_enabled': true,
'ssl_mutual_auth_enabled': true,
'ssl_client_authentication': '{{ssl_client_authentication|string|lower}}',
'sasl_protocol': 'OAUTH'
}{% endif %}
{% if kafka_broker_configure_multiple_listeners|bool %},
'broker': {
'name': 'BROKER',
'port': 9091,
'ssl_enabled': {{ssl_enabled|string|lower}},
'ssl_mutual_auth_enabled': {{ssl_mutual_auth_enabled|string|lower}},
'ssl_client_authentication': '{{ssl_client_authentication|string|lower}}',
'sasl_protocol': '{{sasl_protocol}}'
}{% if kafka_broker_configure_control_plane_listener|bool and not kraft_enabled|bool %},
'controller': {
'name': 'CONTROLLER',
'port': 9089,
'ssl_enabled': {{ssl_enabled|string|lower}},
'ssl_mutual_auth_enabled': {{ssl_mutual_auth_enabled|string|lower}},
'ssl_client_authentication': '{{ssl_client_authentication|string|lower}}',
Member Author


Test version upgrades to ensure that adding new fields to the listeners dict doesn't cause trouble during upgrades

'sasl_protocol': '{{sasl_protocol}}'
}{% endif %}{% endif %}
}"
Expand Down Expand Up @@ -703,7 +716,14 @@ kafka_broker_rest_proxy_enabled: "{{confluent_server_enabled and not ccloud_kafk
### Authentication type to add to Kafka's embedded rest proxy or Admin API. Do not set when RBAC is enabled. Options: [basic, none]
kafka_broker_rest_proxy_authentication_type: none

kafka_broker_rest_proxy_listener_name: "{{ 'internal' if rbac_enabled else kafka_broker_inter_broker_listener_name }}"
kafka_broker_rest_proxy_listener_name: >-
{%- if not rbac_enabled|bool -%}
{{ kafka_broker_inter_broker_listener_name }}
{%- elif rbac_enabled|bool and auth_mode == 'mtls' -%}
internal_token
{%- else -%}
internal
{%- endif -%}

### Use to register and identify your Kafka cluster in the MDS.
kafka_broker_cluster_name: ""
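Review bot: The new `internal_token` listener hard-codes `'ssl_mutual_auth_enabled': true` but takes `'ssl_client_authentication': '{{ssl_client_authentication|string|lower}}'` from the global variable, and with this PR the filter derives `ssl.client.auth` from the latter only. If a deployment's `ssl_client_authentication` is anything other than `required` (its default is not visible on this page), the listener that exists specifically for `auth_mode == 'mtls'`, and that the new `kafka_broker_rest_proxy_listener_name` routes the REST proxy to, would not actually demand client certificates, and the `true` directly above it would be misleading. Since this listener is only rendered in mTLS mode, pin it: `'ssl_client_authentication': 'required',`. As a style point, in `kafka_broker_rest_proxy_listener_name` the `rbac_enabled|bool and` inside the `elif` is redundant after the `not rbac_enabled|bool` branch; `{%- elif auth_mode == 'mtls' -%}` reads cleaner.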
8 changes: 4 additions & 4 deletions roles/variables/vars/main.yml
Expand Up @@ -190,7 +190,7 @@ kafka_controller_properties:
zookeeper.set.acl: 'true'
broker_listener:
enabled: "{{ sasl_protocol=='plain' }}" # might need to add for kerberos also in later release
properties: "{{ {'broker_listener': kafka_broker_listeners[kafka_broker_inter_broker_listener_name]} | confluent.platform.listener_properties(ssl_enabled, fips_enabled, ssl_mutual_auth_enabled, sasl_protocol,
properties: "{{ {'broker_listener': kafka_broker_listeners[kafka_broker_inter_broker_listener_name]} | confluent.platform.listener_properties(ssl_enabled, fips_enabled, ssl_client_authentication, sasl_protocol,
kafka_controller_truststore_path, kafka_controller_truststore_storepass, kafka_controller_keystore_path, kafka_controller_keystore_storepass, kafka_controller_keystore_keypass,
plain_jaas_config, kafka_controller_keytab_path, kafka_controller_kerberos_principal|default('kafka'), kerberos_kafka_controller_primary,
sasl_scram_users_final.admin.principal, sasl_scram_users_final.admin.password, sasl_scram256_users_final.admin.principal, sasl_scram256_users_final.admin.password, rbac_enabled_public_pem_path, oauth_enabled, oauth_jwks_uri, oauth_expected_audience, oauth_sub_claim, rbac_enabled, false, false) }}"
Expand Down Expand Up @@ -274,7 +274,7 @@ kafka_controller_properties:
confluent.oauth.groups.claim.name: "{{oauth_groups_claim}}"
listeners:
enabled: true
properties: "{{ kafka_controller_listeners | confluent.platform.listener_properties(kafka_controller_ssl_enabled, fips_enabled, kafka_controller_ssl_mutual_auth_enabled, kafka_controller_sasl_protocol,
properties: "{{ kafka_controller_listeners | confluent.platform.listener_properties(kafka_controller_ssl_enabled, fips_enabled, kafka_controller_ssl_client_authentication, kafka_controller_sasl_protocol,
kafka_controller_truststore_path, kafka_controller_truststore_storepass, kafka_controller_keystore_path, kafka_controller_keystore_storepass, kafka_controller_keystore_keypass,
plain_jaas_config, kafka_controller_keytab_path, kafka_controller_kerberos_principal|default('kafka'), kerberos_kafka_controller_primary,
sasl_scram_users_final.admin.principal, sasl_scram_users_final.admin.password, sasl_scram256_users_final.admin.principal, sasl_scram256_users_final.admin.password, rbac_enabled_public_pem_path, oauth_enabled, oauth_jwks_uri, oauth_expected_audience, oauth_sub_claim, rbac_enabled, true, false) }}"
Expand Down Expand Up @@ -430,7 +430,7 @@ kafka_broker_properties:
sasl.mechanism.controller.protocol: "{{kafka_controller_listeners['controller']['sasl_protocol'] | default(sasl_protocol) | confluent.platform.normalize_sasl_protocol}}"
controller_listener:
enabled: "{{ kraft_enabled|bool }}"
properties: "{{ kafka_controller_listeners | confluent.platform.listener_properties(kafka_controller_ssl_enabled, fips_enabled, kafka_controller_ssl_mutual_auth_enabled, kafka_controller_sasl_protocol,
properties: "{{ kafka_controller_listeners | confluent.platform.listener_properties(kafka_controller_ssl_enabled, fips_enabled, kafka_controller_ssl_client_authentication, kafka_controller_sasl_protocol,
kafka_broker_truststore_path, kafka_broker_truststore_storepass, kafka_broker_keystore_path, kafka_broker_keystore_storepass, kafka_broker_keystore_keypass,
plain_jaas_config, kafka_broker_keytab_path, kafka_broker_kerberos_principal|default('kafka'), kerberos_kafka_broker_primary,
sasl_scram_users_final.admin.principal, sasl_scram_users_final.admin.password, sasl_scram256_users_final.admin.principal, sasl_scram256_users_final.admin.password, rbac_enabled_public_pem_path, oauth_enabled, oauth_jwks_uri, oauth_expected_audience, oauth_sub_claim, rbac_enabled, false, false) }}"
Expand Down Expand Up @@ -739,7 +739,7 @@ kafka_broker_properties:
confluent.oauth.groups.claim.name: "{{oauth_groups_claim}}"
listeners:
enabled: true
properties: "{{ kafka_broker_listeners | confluent.platform.listener_properties(ssl_enabled, fips_enabled, ssl_mutual_auth_enabled, sasl_protocol,
properties: "{{ kafka_broker_listeners | confluent.platform.listener_properties(ssl_enabled, fips_enabled, ssl_client_authentication, sasl_protocol,
kafka_broker_truststore_path, kafka_broker_truststore_storepass, kafka_broker_keystore_path, kafka_broker_keystore_storepass, kafka_broker_keystore_keypass,
plain_jaas_config, kafka_broker_keytab_path, kafka_broker_kerberos_principal|default('kafka'), kerberos_kafka_broker_primary,
sasl_scram_users_final.admin.principal, sasl_scram_users_final.admin.password, sasl_scram256_users_final.admin.principal, sasl_scram256_users_final.admin.password, rbac_enabled_public_pem_path, oauth_enabled, oauth_jwks_uri, oauth_expected_audience, oauth_sub_claim, rbac_enabled, false, idp_self_signed) }}"
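Review bot: The third positional argument of `confluent.platform.listener_properties` changes meaning in all four updated calls (the `broker_listener`, controller `listeners`, `controller_listener` and broker `listeners` properties) from the boolean `ssl_mutual_auth_enabled` to the string `ssl_client_authentication` while keeping the same position, so any call site not touched by this PR would silently pass `True`/`False` where a `required`/`requested`/`none` string is now expected. Only these four callers are visible here, so whether others exist cannot be told from this page; a search for `listener_properties(` across the collection before merging is the cheap check. The listener dicts built in defaults normalise the value with `|string|lower`, but the default passed here is the raw variable, so a listener entry that omits `ssl_client_authentication` would receive it un-normalised; passing `ssl_client_authentication|string|lower` in these calls keeps both paths consistent.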