Add new vars for mtls ansieng 4229 (#53) #1794

Open. Wants to merge 2 commits into base branch 7.8.x.
41 changes: 41 additions & 0 deletions roles/variables/defaults/main.yml
@@ -215,6 +215,21 @@ certificate_authority_expiration_days: 365
### Boolean to enable mTLS Authentication on all components. Configures all components to use mTLS for authentication into Kafka
ssl_mutual_auth_enabled: false

### mTLS server's config to enforce ssl client authentication. Options are none, requested, required
ssl_client_authentication: >-
{%- if ssl_mutual_auth_enabled|bool -%}
{%- if deployment_strategy == 'parallel' -%}
required
{%- elif deployment_strategy in ['serial', 'rolling'] -%}
Member Author comment:

If not defined in the case of deployment strategy serial/rolling, then we should fail the setup.

requested
{%- endif -%}
{%- else -%}
none
{%- endif -%}

# yamllint disable-line rule:key-duplicates
ssl_mutual_auth_enabled: "{{ true if ssl_client_authentication in ['required', 'requested'] else false }}"
Member Author comment:

In config validations, check if the user is defining both of these in a contradictory way and stop the setup.


### Boolean to create Keystores with Self Signed Certificates, defaults to true. Alternatively can use ssl_provided_keystore_and_truststore or ssl_custom_certs
self_signed: "{{ false if ssl_provided_keystore_and_truststore|bool or ssl_custom_certs|bool else true }}"
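Review bot: the duplicate `ssl_mutual_auth_enabled` key (first set to `false`, then redefined from `ssl_client_authentication` under the yamllint key-duplicates exemption) introduces a circular definition: `ssl_client_authentication` is templated from `ssl_mutual_auth_enabled|bool`, and the surviving (last) definition of `ssl_mutual_auth_enabled` is templated from `ssl_client_authentication`, so when a user overrides neither variable Ansible's lazy templating hits a recursive loop instead of resolving to `none`/`false`; the first `ssl_mutual_auth_enabled: false` is dead since the later key wins. Suggest a single definition, e.g. default `ssl_client_authentication` to an empty string and derive the boolean as `"{{ ssl_client_authentication in ['required', 'requested'] }}"`, with the config-validation task the author's comment proposes rejecting contradictory user overrides. Two smaller points in the same block: the `{%- if deployment_strategy == 'parallel' -%}` / `{%- elif deployment_strategy in ['serial', 'rolling'] -%}` chain has no else branch, so any other strategy value leaves `ssl_client_authentication` as an empty string that matches none of the documented options; and the serial/rolling branch yields `requested`, which still completes the TLS handshake for clients presenting no certificate, so the `###` comment should say that mTLS is only enforced once the value is `required`.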

@@ -225,6 +240,17 @@ ssl_self_signed_ca_password: capassword123
### Directory on hosts to store all ssl files.
ssl_file_dir: /var/ssl/private/

### principal mapping rules to map the DN from cert into a username
principal_mapping_rules:
- '.*CN=([a-zA-Z0-9.-]*).*$/$1/'
- 'DEFAULT'

### Users allowed to get an impersonation token for other users except the impersonation protected users. Must be defined in case of RBAC over mTLS only.
impersonation_super_users: []

### Users which cant be impersonated using impersonation token. Super users should be added here to disallow them from being impersonated in case of RBAC over mTLS only.
impersonation_protected_users: []

### Boolean to have reruns of all.yml regenerate the certificate authority used for self signed certs.
regenerate_ca: false
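Review bot: the first `principal_mapping_rules` entry is a bare `pattern/replacement/` string, whereas Kafka's `ssl.principal.mapping.rules` expects each rule as `RULE:pattern/replacement/` (optionally suffixed with `L` or `U`); unless the template that renders this list prepends `RULE:`, the broker rejects the property at startup, so please confirm the rendering or make the default self-describing, e.g. `'RULE:^.*CN=([a-zA-Z0-9.-]*).*$/$1/'`. More importantly for authorization, the capture group `[a-zA-Z0-9.-]*` stops at the first character outside that class, so a CN such as `my_service` is mapped to the principal `my`, and two distinct certificates (`my_service`, `my_db`) would collapse onto the same principal; either widen the class (`_` at least) or anchor the capture to the end of the RDN. Because `.*CN=` matches any DN containing a CN, the `'DEFAULT'` fallback only applies to DNs without one, which is worth stating in the `###` comment. Lastly, the comment on `impersonation_protected_users` says super users should be listed there, yet it defaults to `[]`; consider defaulting it to the RBAC super-user list rather than relying on operators to copy it.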

@@ -450,6 +476,9 @@ kafka_controller_ssl_enabled: "{{ssl_enabled}}"
### Boolean to enable mTLS Authentication on controller (Server to Server and Client to Server). Configures kafka to authenticate with mTLS.
kafka_controller_ssl_mutual_auth_enabled: "{{ssl_mutual_auth_enabled}}"

### mTLS server's config to enforce ssl client authentication. Options are none, requested, required
kafka_controller_ssl_client_authentication: "{{ssl_client_authentication}}"

### SASL Mechanism for controller Server to Server and Server to Client Authentication. Options are plain, kerberos, none
kafka_controller_sasl_protocol: "{{sasl_protocol}}"
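Review bot: `kafka_controller_ssl_client_authentication` and `kafka_controller_ssl_mutual_auth_enabled` are now two independently overridable knobs for the same listener setting, and nothing ties them together at the component level: a user who sets only `kafka_controller_ssl_mutual_auth_enabled: true` still gets `ssl_client_authentication`'s default of `none` here, and vice versa, so whichever variable the listener template does not consume is silently ignored. The validation the author mentions should cover each `<component>_ssl_client_authentication` / `<component>_ssl_mutual_auth_enabled` pair, and should also reject values outside `none`/`requested`/`required`, since the `###` comment documents the allowed set but nothing enforces it.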

@@ -735,6 +764,9 @@ schema_registry_ssl_enabled: "{{ssl_enabled}}"
### Deprecated- Boolean to enable mTLS Authentication on Schema Registry
schema_registry_ssl_mutual_auth_enabled: "{{ ssl_mutual_auth_enabled }}"

### mTLS server's config to enforce ssl client authentication. Options are none, requested, required
schema_registry_ssl_client_authentication: "{{ssl_client_authentication}}"

### Authentication to put on Schema Registry Rest Endpoint. Available options: [mtls, basic, none].
schema_registry_authentication_type: "{{ 'mtls' if schema_registry_ssl_mutual_auth_enabled else 'none' }}"
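Review bot: `schema_registry_authentication_type` (the unchanged context at the end of this hunk) is still derived from `schema_registry_ssl_mutual_auth_enabled`, which the comment directly above marks as Deprecated, rather than from the new `schema_registry_ssl_client_authentication`. Suggest `"{{ 'mtls' if schema_registry_ssl_client_authentication in ['required', 'requested'] else 'none' }}"` so that a per-component override of the new variable also switches the REST endpoint's authentication type; otherwise a user following the new variable gets a listener that requests client certificates but a REST layer that does not authenticate with them.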

@@ -834,6 +866,9 @@ kafka_rest_ssl_enabled: "{{ssl_enabled}}"
### Deprecated- Boolean to enable mTLS Authentication on Rest Proxy
kafka_rest_ssl_mutual_auth_enabled: "{{ ssl_mutual_auth_enabled }}"

### mTLS server's config to enforce ssl client authentication. Options are none, requested, required
kafka_rest_ssl_client_authentication: "{{ssl_client_authentication}}"

### Authentication to put on Schema Registry Rest Endpoint. Available options: [mtls, basic, none].
kafka_rest_authentication_type: "{{ 'mtls' if kafka_rest_ssl_mutual_auth_enabled else 'none' }}"
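Review bot: `kafka_rest_authentication_type` tests `kafka_rest_ssl_mutual_auth_enabled` without `|bool`, unlike the Connect equivalent below (`kafka_connect_ssl_mutual_auth_enabled|bool`); an inventory override of `"false"` is a non-empty string and therefore truthy in that expression, selecting `mtls` unintentionally. As with Schema Registry, derive it from the new `kafka_rest_ssl_client_authentication` (`in ['required', 'requested']`) instead of the deprecated boolean. The `###` comment above it reads "Schema Registry Rest Endpoint" although this is the Rest Proxy; worth correcting while this block is being touched.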

@@ -940,6 +975,9 @@ kafka_connect_ssl_enabled: "{{ssl_enabled}}"
### Deprecated- Boolean to enable mTLS Authentication on Connect
kafka_connect_ssl_mutual_auth_enabled: "{{ ssl_mutual_auth_enabled }}"

### mTLS server's config to enforce ssl client authentication. Options are none, requested, required
kafka_connect_ssl_client_authentication: "{{ssl_client_authentication}}"

### Authentication to put on Connect's Rest Endpoint. Available options: [mtls, basic, none].
kafka_connect_authentication_type: "{{ 'mtls' if kafka_connect_ssl_mutual_auth_enabled|bool else 'none' }}"
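Review bot: same inconsistency as Schema Registry and Rest Proxy: `kafka_connect_authentication_type` still keys on the Deprecated `kafka_connect_ssl_mutual_auth_enabled` rather than the newly added `kafka_connect_ssl_client_authentication`, so overriding only the new variable leaves Connect's REST endpoint on `none`.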

@@ -2039,6 +2077,9 @@ kafka_connect_replicator_ssl_provided_keystore_and_truststore: false
### Boolean to enable mTLS Authentication on Kafka Connect Replicator.
kafka_connect_replicator_ssl_mutual_auth_enabled: "{{ssl_mutual_auth_enabled}}"

### mTLS server's config to enforce ssl client authentication. Options are none, requested, required
kafka_connect_replicator_ssl_client_authentication: "{{ssl_client_authentication}}"

### Boolean to enable TLS on Kafka Connect Replicator
kafka_connect_replicator_ssl_enabled: "{{ssl_enabled}}"
