From 1f5c33a9eb668d883803df0e0651bb6bb35a2282 Mon Sep 17 00:00:00 2001
From: Raahil Badiani
Date: Wed, 25 Sep 2024 10:43:07 +0530
Subject: [PATCH 1/2] Add new vars for mtls ansieng 4229 (#53)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Bump cp-ansible Version: 7.6.2 → 7.6.3
* variables.md updated
* Bump CP Version: 7.4.6 → 7.4.7
* Bump cp-ansible Version: 7.4.6 → 7.4.7
* variables.md updated
* Bump CP Version: 7.5.5 → 7.5.6
* Bump cp-ansible Version: 7.5.5 → 7.5.6
* variables.md updated
* Bump CP Version: 7.3.9 → 7.3.10
* Bump cp-ansible Version: 7.3.10 → 7.3.11
* Bump Version: 7.1.13 → 7.1.14
* variables.md updated
* Bump Version: 7.2.11 → 7.2.12
* variables.md updated
* Bump Version: 7.0.15 → 7.0.16
* [ANSIENG-4224] | update CHANGELOG.rst (#41)
* [ANSIENG-4225] | update CHANGELOG.rst (#42)
* [ANSIENG-4226] | update CHANGELOG.rst (#43)
* [ANSIENG-4222] | update CHANGELOG.rst (#45)
* [ANSIENG-4221] | update CHANGELOG.rst (#46)
* [ANSIENG-4220] | update CHANGELOG.rst (#47)
* [ANSIENG-4219] | update CHANGELOG.rst (#48)
* [ANSIENG-4223] | update CHANGELOG.rst (#44)
* [ANSIENG-4223] | update CHANGELOG.rst
* [ANSIENG-4223] | update CHANGELOG.rst
* [ANSIENG-4229] | adding new user facing variables for rbac over mtls
* [ANSIENG-4229] | modifying the default values of ssl_client_authentication and ssl_mutual_auth

---------

Co-authored-by: ConfluentSemaphore <40306929+ConfluentSemaphore@users.noreply.github.com>
Co-authored-by: Mansi Jain
---
 roles/variables/defaults/main.yml | 40 +++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/roles/variables/defaults/main.yml b/roles/variables/defaults/main.yml
index e630ebecc..b60c2f5eb 100644
--- a/roles/variables/defaults/main.yml
+++ b/roles/variables/defaults/main.yml
@@ -215,6 +215,20 @@ certificate_authority_expiration_days: 365
 
 ### Boolean to enable mTLS Authentication on all components. Configures all components to use mTLS for authentication into Kafka
 ssl_mutual_auth_enabled: false
+### mTLS server's config to enforce ssl client authentication. Options are none, requested, required
+ssl_client_authentication: >-
+  {%- if ssl_mutual_auth_enabled|bool -%}
+    {%- if deployment_strategy == 'parallel' -%}
+      required
+    {%- elif deployment_strategy in ['serial', 'rolling'] -%}
+      requested
+    {%- endif -%}
+  {%- else -%}
+    none
+  {%- endif -%}
+
+ssl_mutual_auth_enabled: "{{ true if ssl_client_authentication in ['required', 'requested'] else false }}"
+
 ### Boolean to create Keystores with Self Signed Certificates, defaults to true. Alternatively can use ssl_provided_keystore_and_truststore or ssl_custom_certs
 self_signed: "{{ false if ssl_provided_keystore_and_truststore|bool or ssl_custom_certs|bool else true }}"
 
@@ -225,6 +239,17 @@ ssl_self_signed_ca_password: capassword123
 
 ### Directory on hosts to store all ssl files.
 ssl_file_dir: /var/ssl/private/
+### principal mapping rules to map the DN from cert into a username
+principal_mapping_rules:
+  - '.*CN=([a-zA-Z0-9.-]*).*$/$1/'
+  - 'DEFAULT'
+
+### Users allowed to get an impersonation token for other users except the impersonation protected users. Must be defined in case of RBAC over mTLS only.
+impersonation_super_users: []
+
+### Users which cant be impersonated using impersonation token. Super users should be added here to disallow them from being impersonated in case of RBAC over mTLS only.
+impersonation_protected_users: []
+
 ### Boolean to have reruns of all.yml regenerate the certificate authority used for self signed certs.
 regenerate_ca: false
 
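Review bot: `ssl_mutual_auth_enabled` is now defined twice in this mapping (`false` in the context at the top, then the templated value after the block scalar), and because that second definition is derived from `ssl_client_authentication` while `ssl_client_authentication` opens with `{%- if ssl_mutual_auth_enabled|bool -%}`, the two defaults reference each other; YAML loaders keep the last key, so the `false` default is dead and, unless one of the two is set in the inventory or something outside this hunk breaks the cycle, Ansible templates each in terms of the other. If the intent is that an operator sets either variable and the other follows, say so in the comment and verify that leaving both unset does not trip Ansible's recursive-template detection; otherwise keep a single definition. The inner `if`/`elif` on `deployment_strategy` has no `else`, so any value other than `parallel`, `serial` or `rolling` renders `ssl_client_authentication` as an empty string while mTLS was requested, and the derived boolean then turns false; add `{%- else -%}required{%- endif -%}` so an unexpected strategy fails closed. `requested` also deserves a warning in the comment: a client that presents no certificate still completes the handshake and is authenticated as the anonymous principal, so serial/rolling deployments that default to it are not enforcing mTLS, and nothing in this hunk flips them back to `required` once the rollout completes.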
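Review bot: The first `principal_mapping_rules` entry, `.*CN=([a-zA-Z0-9.-]*).*$/$1/`, stops capturing at the first character outside `[a-zA-Z0-9.-]` and the trailing `.*$` swallows the rest, so a CN such as `svc_a` maps to `svc`, `kafka connect 1` maps to `kafka`, and `CN=_x` maps to an empty principal; if these rules feed the brokers' `ssl.principal.mapping.rules` (the consumer is outside this hunk), distinct certificates can collapse onto one RBAC principal. Make a non-conforming CN fall through to `DEFAULT` instead of being truncated by requiring the whole RDN value to match, e.g. `- '.*CN=([a-zA-Z0-9._-]+)(,.*)?$/$1/'`, and widen the class to whatever your CA actually issues. The comment on `impersonation_protected_users` has a typo (`cant`), and both impersonation comments say the lists are required for RBAC over mTLS but nothing here asserts they are non-empty in that mode, so state where that is validated or that it is the operator's responsibility.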
@@ -450,6 +475,9 @@ kafka_controller_ssl_enabled: "{{ssl_enabled}}"
 
 ### Boolean to enable mTLS Authentication on controller (Server to Server and Client to Server). Configures kafka to authenticate with mTLS.
 kafka_controller_ssl_mutual_auth_enabled: "{{ssl_mutual_auth_enabled}}"
+### mTLS server's config to enforce ssl client authentication. Options are none, requested, required
+kafka_controller_ssl_client_authentication: "{{ssl_client_authentication}}"
+
 ### SASL Mechanism for controller Server to Server and Server to Client Authentication. Options are plain, kerberos, none
 kafka_controller_sasl_protocol: "{{sasl_protocol}}"
 
@@ -735,6 +763,9 @@ schema_registry_ssl_enabled: "{{ssl_enabled}}"
 
 ### Deprecated- Boolean to enable mTLS Authentication on Schema Registry
 schema_registry_ssl_mutual_auth_enabled: "{{ ssl_mutual_auth_enabled }}"
+### mTLS server's config to enforce ssl client authentication. Options are none, requested, required
+schema_registry_ssl_client_authentication: "{{ssl_client_authentication}}"
+
 ### Authentication to put on Schema Registry Rest Endpoint. Available options: [mtls, basic, none].
 schema_registry_authentication_type: "{{ 'mtls' if schema_registry_ssl_mutual_auth_enabled else 'none' }}"
 
@@ -834,6 +865,9 @@ kafka_rest_ssl_enabled: "{{ssl_enabled}}"
 
 ### Deprecated- Boolean to enable mTLS Authentication on Rest Proxy
 kafka_rest_ssl_mutual_auth_enabled: "{{ ssl_mutual_auth_enabled }}"
+### mTLS server's config to enforce ssl client authentication. Options are none, requested, required
+kafka_rest_ssl_client_authentication: "{{ssl_client_authentication}}"
+
 ### Authentication to put on Schema Registry Rest Endpoint. Available options: [mtls, basic, none].
 kafka_rest_authentication_type: "{{ 'mtls' if kafka_rest_ssl_mutual_auth_enabled else 'none' }}"
 
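Review bot: `schema_registry_ssl_client_authentication` is introduced as a per-component override, but `schema_registry_authentication_type` two lines below is still derived only from the deprecated `schema_registry_ssl_mutual_auth_enabled`, so an inventory that sets the new variable to `required` without the boolean still gets `none` on the REST endpoint, and a boolean `true` with a per-component client auth of `none` advertises `mtls` on a listener that does not demand a certificate. Unless the two are reconciled somewhere outside this hunk, fold the new variable into the derivation: `schema_registry_authentication_type: "{{ 'mtls' if schema_registry_ssl_mutual_auth_enabled|bool or schema_registry_ssl_client_authentication in ['required', 'requested'] else 'none' }}"`. The comment marks the boolean as deprecated, so it is also worth stating here which of the two variables wins when both are set.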
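Review bot: `kafka_rest_ssl_client_authentication` has the same gap as the Schema Registry variable: `kafka_rest_authentication_type` on the last line of the hunk ignores it and keys only off the deprecated boolean, so the per-component override cannot by itself turn on mTLS for the Rest Proxy endpoint; derive it as `kafka_rest_authentication_type: "{{ 'mtls' if kafka_rest_ssl_mutual_auth_enabled|bool or kafka_rest_ssl_client_authentication in ['required', 'requested'] else 'none' }}"` unless that is reconciled elsewhere. While touching this stanza, the context comment above that line still reads "Authentication to put on Schema Registry Rest Endpoint" although it documents the Rest Proxy variable.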
@@ -940,6 +974,9 @@ kafka_connect_ssl_enabled: "{{ssl_enabled}}"
 
 ### Deprecated- Boolean to enable mTLS Authentication on Connect
 kafka_connect_ssl_mutual_auth_enabled: "{{ ssl_mutual_auth_enabled }}"
+### mTLS server's config to enforce ssl client authentication. Options are none, requested, required
+kafka_connect_ssl_client_authentication: "{{ssl_client_authentication}}"
+
 ### Authentication to put on Connect's Rest Endpoint. Available options: [mtls, basic, none].
 kafka_connect_authentication_type: "{{ 'mtls' if kafka_connect_ssl_mutual_auth_enabled|bool else 'none' }}"
 
@@ -2039,6 +2076,9 @@ kafka_connect_replicator_ssl_provided_keystore_and_truststore: false
 
 ### Boolean to enable mTLS Authentication on Kafka Connect Replicator.
 kafka_connect_replicator_ssl_mutual_auth_enabled: "{{ssl_mutual_auth_enabled}}"
+### mTLS server's config to enforce ssl client authentication. Options are none, requested, required
+kafka_connect_replicator_ssl_client_authentication: "{{ssl_client_authentication}}"
+
 ### Boolean to enable TLS on Kafka Connect Replicator
 kafka_connect_replicator_ssl_enabled: "{{ssl_enabled}}"
 

From 0725fca9af925a3de1f5e798c4260e77117fd48a Mon Sep 17 00:00:00 2001
From: Raahil Badiani
Date: Thu, 26 Sep 2024 16:19:03 +0530
Subject: [PATCH 2/2] [ANSIENG-4229] | adding a yamllint ignore to pass sanity checks (#59)

---
 roles/variables/defaults/main.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/variables/defaults/main.yml b/roles/variables/defaults/main.yml
index b60c2f5eb..1a5ac2a0c 100644
--- a/roles/variables/defaults/main.yml
+++ b/roles/variables/defaults/main.yml
@@ -227,6 +227,7 @@ ssl_client_authentication: >-
     none
   {%- endif -%}
 
+# yamllint disable-line rule:key-duplicates
 ssl_mutual_auth_enabled: "{{ true if ssl_client_authentication in ['required', 'requested'] else false }}"
 
 ### Boolean to create Keystores with Self Signed Certificates, defaults to true. Alternatively can use ssl_provided_keystore_and_truststore or ssl_custom_certs
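Review bot: `kafka_connect_ssl_client_authentication` is added as a per-component override, but `kafka_connect_authentication_type` on the last line of the hunk is still derived only from the deprecated `kafka_connect_ssl_mutual_auth_enabled`, so setting the new variable to `required` in an inventory without the boolean leaves Connect's REST endpoint at `none`, while a boolean `true` with a per-component client auth of `none` advertises `mtls` without demanding a certificate. Unless the two are reconciled outside this hunk, fold the new variable in: `kafka_connect_authentication_type: "{{ 'mtls' if kafka_connect_ssl_mutual_auth_enabled|bool or kafka_connect_ssl_client_authentication in ['required', 'requested'] else 'none' }}"`.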
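Review bot: The added `# yamllint disable-line rule:key-duplicates` silences the linter but not the condition it reported: `ssl_mutual_auth_enabled` is still defined twice in this mapping (`false` earlier in the file and this templated value), and Ansible's YAML constructor by default only warns about a duplicate dict key and keeps the last definition, so the `false` default is dead and the effective default depends on `ssl_client_authentication`, whose own block scalar (it starts before this hunk) reads `ssl_mutual_auth_enabled` back. Rather than suppressing the rule, remove the earlier `ssl_mutual_auth_enabled: false` so the file has one definition per key, and replace the lint directive with a comment explaining the intended contract, e.g. `# Derived from ssl_client_authentication; set either variable in the inventory and the other follows.` If the duplicate is kept on purpose, note that operators running with `DUPLICATE_YAML_DICT_KEY=error` will fail to load this defaults file.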