Add new vars for mtls ansieng 4229 (#53) #1794
Open
rrbadiani wants to merge 2 commits into 7.8.x from add-new-vars-mtls-ANSIENG-4229
+41
−0
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -215,6 +215,21 @@ certificate_authority_expiration_days: 365 | |
### Boolean to enable mTLS Authentication on all components. Configures all components to use mTLS for authentication into Kafka | ||
ssl_mutual_auth_enabled: false | ||
|
||
### mTLS server's config to enforce ssl client authentication. Options are none, requested, required | ||
ssl_client_authentication: >- | ||
{%- if ssl_mutual_auth_enabled|bool -%} | ||
{%- if deployment_strategy == 'parallel' -%} | ||
required | ||
{%- elif deployment_strategy in ['serial', 'rolling'] -%} | ||
requested | ||
{%- endif -%} | ||
{%- else -%} | ||
none | ||
{%- endif -%} | ||
|
||
# yamllint disable-line rule:key-duplicates | ||
ssl_mutual_auth_enabled: "{{ true if ssl_client_authentication in ['required', 'requested'] else false }}" | ||
in config validations check if user is defining both these in a contradictory way and stop the setup
||
|
||
### Boolean to create Keystores with Self Signed Certificates, defaults to true. Alternatively can use ssl_provided_keystore_and_truststore or ssl_custom_certs | ||
self_signed: "{{ false if ssl_provided_keystore_and_truststore|bool or ssl_custom_certs|bool else true }}" | ||
|
||
|
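Review bot: the two new defaults form a reference cycle: `ssl_client_authentication` is templated from `ssl_mutual_auth_enabled|bool`, and the duplicated `ssl_mutual_auth_enabled` key (last definition wins, which is why the yamllint rule is disabled) is templated from `ssl_client_authentication`, so with neither variable set in inventory there is no ground value to start from and resolving either one walks a recursive template loop. Keep a single source of truth, for example derive `ssl_client_authentication` only and drop the redefinition of `ssl_mutual_auth_enabled`, or gate the redefinition on the user having set `ssl_client_authentication` explicitly. Two further points on the same block: when `ssl_mutual_auth_enabled` is true and `deployment_strategy` is anything other than `parallel`, `serial` or `rolling`, the inner `if`/`elif` has no `else`, so the variable renders as an empty string rather than one of the three documented options; and `requested` is not an authentication setting, since a peer that presents no certificate is still accepted and mapped to the anonymous principal, so the comment should state that `requested` is a transitional value for a rolling rollout and that operators must switch to `required` once every client has a certificate.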
@@ -225,6 +240,17 @@ ssl_self_signed_ca_password: capassword123 | |
### Directory on hosts to store all ssl files. | ||
ssl_file_dir: /var/ssl/private/ | ||
|
||
### principal mapping rules to map the DN from cert into a username | ||
principal_mapping_rules: | ||
- '.*CN=([a-zA-Z0-9.-]*).*$/$1/' | ||
- 'DEFAULT' | ||
|
||
### Users allowed to get an impersonation token for other users except the impersonation protected users. Must be defined in case of RBAC over mTLS only. | ||
impersonation_super_users: [] | ||
|
||
### Users which cant be impersonated using impersonation token. Super users should be added here to disallow them from being impersonated in case of RBAC over mTLS only. | ||
impersonation_protected_users: [] | ||
|
||
### Boolean to have reruns of all.yml regenerate the certificate authority used for self signed certs. | ||
regenerate_ca: false | ||
|
||
|
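Review bot: the regex in `principal_mapping_rules` captures only `[a-zA-Z0-9.-]*`, so a CN containing any other character (underscore, space, `@`) is silently truncated at that character; `CN=kafka_broker` and `CN=kafka` would both map to the principal `kafka`, which lets distinct certificates collapse onto one identity, exactly the property an ACL or RBAC binding cannot tolerate. Widen the class to cover the characters the CA actually issues, or end the capture at the RDN boundary (the next `,`), and add a comment stating that any DN not matching the first rule falls through to `DEFAULT`, i.e. the full DN string. Kafka also expects each entry of `ssl.principal.mapping.rules` in the form `RULE:pattern/replacement/`; if the role template does not prepend the `RULE:` prefix this value is rejected as an invalid rule, so the comment should say which form the list entries are expected in. Finally, `impersonation_super_users` is documented as mandatory for RBAC over mTLS but defaults to `[]`; a validation that fails the play when RBAC and mTLS are both enabled and this list is empty would enforce what the comment promises.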
@@ -450,6 +476,9 @@ kafka_controller_ssl_enabled: "{{ssl_enabled}}" | |
### Boolean to enable mTLS Authentication on controller (Server to Server and Client to Server). Configures kafka to authenticate with mTLS. | ||
kafka_controller_ssl_mutual_auth_enabled: "{{ssl_mutual_auth_enabled}}" | ||
|
||
### mTLS server's config to enforce ssl client authentication. Options are none, requested, required | ||
kafka_controller_ssl_client_authentication: "{{ssl_client_authentication}}" | ||
|
||
### SASL Mechanism for controller Server to Server and Server to Client Authentication. Options are plain, kerberos, none | ||
kafka_controller_sasl_protocol: "{{sasl_protocol}}" | ||
|
||
|
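Review bot: `kafka_controller_ssl_client_authentication` inherits `ssl_client_authentication`, which under a serial or rolling strategy resolves to `requested`; on the controller listener that means a peer with no certificate is still admitted as an unauthenticated TLS connection, and since this listener carries server-to-server quorum traffic that window is more sensitive than on a client listener. Either document that `requested` on the controller is a transient state to be reverted to `required` once the rollout completes, or decouple the controller default so it stays `required` regardless of strategy. The comment on `kafka_controller_ssl_mutual_auth_enabled` also lacks the `Deprecated` marker used for the same flag on Schema Registry, REST Proxy and Connect; if it is being superseded by the new variable the comment should say so.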
@@ -735,6 +764,9 @@ schema_registry_ssl_enabled: "{{ssl_enabled}}" | |
### Deprecated- Boolean to enable mTLS Authentication on Schema Registry | ||
schema_registry_ssl_mutual_auth_enabled: "{{ ssl_mutual_auth_enabled }}" | ||
|
||
### mTLS server's config to enforce ssl client authentication. Options are none, requested, required | ||
schema_registry_ssl_client_authentication: "{{ssl_client_authentication}}" | ||
|
||
### Authentication to put on Schema Registry Rest Endpoint. Available options: [mtls, basic, none]. | ||
schema_registry_authentication_type: "{{ 'mtls' if schema_registry_ssl_mutual_auth_enabled else 'none' }}" | ||
|
||
|
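Review bot: `schema_registry_authentication_type` still keys off the deprecated `schema_registry_ssl_mutual_auth_enabled` rather than the new `schema_registry_ssl_client_authentication`, so a user who follows the new variable and sets `ssl_client_authentication: required` only gets `mtls` on the REST endpoint through the duplicated `ssl_mutual_auth_enabled` redefinition in the first hunk; if that redefinition is dropped or overridden the two drift apart. Derive it from the new variable directly, e.g. `'mtls' if schema_registry_ssl_client_authentication in ['required', 'requested'] else 'none'`, so there is one path. Note also that this expression tests the bare flag without `|bool`, unlike the Connect equivalent further down; if the flag ever arrives as the string `"false"` from inventory it is truthy in Jinja, so the `|bool` filter should be applied consistently.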
@@ -834,6 +866,9 @@ kafka_rest_ssl_enabled: "{{ssl_enabled}}" | |
### Deprecated- Boolean to enable mTLS Authentication on Rest Proxy | ||
kafka_rest_ssl_mutual_auth_enabled: "{{ ssl_mutual_auth_enabled }}" | ||
|
||
### mTLS server's config to enforce ssl client authentication. Options are none, requested, required | ||
kafka_rest_ssl_client_authentication: "{{ssl_client_authentication}}" | ||
|
||
### Authentication to put on Schema Registry Rest Endpoint. Available options: [mtls, basic, none]. | ||
kafka_rest_authentication_type: "{{ 'mtls' if kafka_rest_ssl_mutual_auth_enabled else 'none' }}" | ||
|
||
|
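Review bot: the comment above `kafka_rest_authentication_type` reads "Authentication to put on Schema Registry Rest Endpoint" but the variable belongs to REST Proxy; the copy-paste should be corrected while this block is being touched so the generated documentation does not mislead operators. The same concern as for Schema Registry applies: `kafka_rest_ssl_client_authentication` is introduced but `kafka_rest_authentication_type` is still derived from the deprecated flag, and it too tests the flag without `|bool`, so tie the endpoint authentication type to the new variable and apply the filter consistently.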
@@ -940,6 +975,9 @@ kafka_connect_ssl_enabled: "{{ssl_enabled}}" | |
### Deprecated- Boolean to enable mTLS Authentication on Connect | ||
kafka_connect_ssl_mutual_auth_enabled: "{{ ssl_mutual_auth_enabled }}" | ||
|
||
### mTLS server's config to enforce ssl client authentication. Options are none, requested, required | ||
kafka_connect_ssl_client_authentication: "{{ssl_client_authentication}}" | ||
|
||
### Authentication to put on Connect's Rest Endpoint. Available options: [mtls, basic, none]. | ||
kafka_connect_authentication_type: "{{ 'mtls' if kafka_connect_ssl_mutual_auth_enabled|bool else 'none' }}" | ||
|
||
|
@@ -2039,6 +2077,9 @@ kafka_connect_replicator_ssl_provided_keystore_and_truststore: false | |
### Boolean to enable mTLS Authentication on Kafka Connect Replicator. | ||
kafka_connect_replicator_ssl_mutual_auth_enabled: "{{ssl_mutual_auth_enabled}}" | ||
|
||
### mTLS server's config to enforce ssl client authentication. Options are none, requested, required | ||
kafka_connect_replicator_ssl_client_authentication: "{{ssl_client_authentication}}" | ||
|
||
### Boolean to enable TLS on Kafka Connect Replicator | ||
kafka_connect_replicator_ssl_enabled: "{{ssl_enabled}}" | ||
|
||
|
If not defined in case of deployment strategy serial/rolling then we should fail the setup