Merge pull request #1848 from confluentinc/update-sample-inventory-files-78

Update sample inventory files 7.8 to have centralized MDS as well

Author: rrbadiani

CHANGELOG.rst

@@ -4,6 +4,18 @@ Ansible Playbooks for Confluent Platform - Release Notes
 
 .. contents:: Topics
 
+v7.8.0
+======
+
+New features
+-------------
+- Role-based access control (RBAC) with principal from mTLS certs is now supported
+- SASL/SCRAM authentication support for kraft controllers and broker communication
+
+Notable enhancements
+-------------
+- Ubuntu 22, Alma Linux 8, and Alma Linux 9 Operating systems are now supported
+
 v7.7.0
 ======
 

docs/MOLECULE_SCENARIOS.md

@@ -398,13 +398,11 @@ Validates that Control Center Can connect to each KSQL cluster
 
 Installs Confluent Platform Cluster on ubi9.
 
-RBAC enabled.
-
-MTLS enabled.
+RBAC over mTLS enabled.
 
-Kafka Broker Customer Listener.
+Centralized MDS.
 
-SSO authentication using OIDC in Control center using Okta IdP
+File based login to C3 using overrides.
 
 #### Scenario mini-setup-ext-mds-mtls verify test's the following:
 
@@ -420,13 +418,11 @@ Validates ssl.client.authentication is set to REQUIRED.
 
 Installs Confluent Platform Cluster on ubi9.
 
-RBAC enabled.
+RBAC over mTLS+LDAP enabled.
 
-MTLS enabled.
+MDS accepts LDAP credentials and mTLS certs.
 
-Kafka Broker Customer Listener.
-
-SSO authentication using OIDC in Control center using Okta IdP
+LDAP based login to C3.
 
 #### Scenario mini-setup-ldap-mtls verify test's the following:
 
@@ -442,13 +438,9 @@ Validates ssl.client.authentication is set to REQUIRED.
 
 Installs Confluent Platform Cluster on ubi9.
 
-RBAC enabled.
-
-MTLS enabled.
-
-Kafka Broker Customer Listener.
+RBAC over mTLS enabled.
 
-SSO authentication using OIDC in Control center using Okta IdP
+File based login to C3 using overrides.
 
 #### Scenario mini-setup-mtls verify test's the following:
 
@@ -464,13 +456,9 @@ Validates ssl.client.authentication is set to REQUIRED.
 
 Installs Confluent Platform Cluster on ubi9.
 
-RBAC enabled.
-
-MTLS enabled.
-
-Kafka Broker Customer Listener.
+RBAC over mTLS+OAuth enabled.
 
-SSO authentication using OIDC in Control center using Okta IdP
+SSO authentication using OIDC in Control center using Okta IdP.
 
 #### Scenario mini-setup-oauth-mtls verify test's the following:
 
@@ -486,13 +474,13 @@ Validates ssl.client.authentication is set to REQUIRED.
 
 Installs Confluent Platform Cluster on ubi9.
 
-RBAC enabled.
+RBAC over mTLS+LDAP enabled.
 
-MTLS enabled.
+Outside CP to CP communication over LDAP.
 
-Kafka Broker Customer Listener.
+Internal CP communication over mTLS.
 
-SSO authentication using OIDC in Control center using Okta IdP
+LDAP based login to C3.
 
 #### Scenario mini-setup-out-ldap-in-mtls verify test's the following:
 
@@ -508,13 +496,13 @@ Validates ssl.client.authentication is set to REQUIRED.
 
 Installs Confluent Platform Cluster on ubi9.
 
-RBAC enabled.
+RBAC over mTLS+OAuth enabled.
 
-MTLS enabled.
+Outside CP to CP communication over OAuth.
 
-Kafka Broker Customer Listener.
+Internal CP communication over mTLS.
 
-SSO authentication using OIDC in Control center using Okta IdP
+SSO authentication using OIDC in Control center using Okta IdP.
 
 #### Scenario mini-setup-out-oauth-in-mtls verify test's the following:
 

docs/sample_inventories/rbac-over-mtls-centralized-mds

@@ -0,0 +1,88 @@
+---
+##
+## The following is an example inventory file of the configuration required for setting up Confluent Platform with RBAC over mTLS.
+## Sets RBAC on a cluster which talks to already running Centralized MDS server
+## Principals extracted from certs are given role bindings.
+
+all:
+  vars:
+    ansible_connection: ssh
+    ansible_user: ec2-user
+    ansible_become: true
+    ansible_ssh_private_key_file: /home/ec2-user/guest.pem
+    ansible_python_interpreter: /usr/bin/python3
+
+    ## TLS Configuration
+    ssl_enabled: true
+    # 3 ways to handle ssl
+    # Self Signed Certs (Default) Not recommended for production clusters
+    # Custom Certs
+    # Set ssl_custom_certs, ssl_ca_cert_filepath, ssl_signed_cert_filepath, ssl_key_filepath, ssl_key_password & ssl_custom_certs_remote_src(optional)
+    # Provided Keystore Truststore
+    # Set ssl_provided_keystore_and_truststore, ssl_keystore_and_truststore_custom_password, ssl_keystore_filepath, ssl_keystore_key_password, ssl_keystore_store_password, ssl_keystore_alias, ssl_truststore_filepath, ssl_truststore_password, ssl_truststore_ca_cert_alias and ssl_provided_keystore_and_truststore_remote_src (optional)
+
+    rbac_enabled: true
+    auth_mode: mtls # MDS server will use mTLS certs for authentication, no user store like ldap/oauth will be setup on server
+
+    # Centralized MDS server configuration
+    external_mds_enabled: true # This is for cluster to talk to remote MDS server
+    mds_broker_bootstrap_servers: mds-kafka-broker1:9093,mds-kafka-broker2:9093,mds-kafka-broker3:9093
+    mds_bootstrap_server_urls: https://mds-kafka-broker1:8090,https://mds-kafka-broker2:8090
+    mds_broker_listener:
+      ssl_enabled: true
+      ssl_mutual_auth_enabled: true
+      sasl_protocol: none
+
+    # This should be a superuser cert. In cases of LDAP/OAuth based setup we only needed user names or client id of super user inside this cluster to give role bindings to all components like SR/RP/Connect. Here we need a certificate whose principal is super user in MDS.
+    mds_super_user_external_cert_path: <cert path>
+    mds_super_user_external_key_path: <key path>
+
+    create_mds_certs: false
+    token_services_public_pem_file: /home/ec2-user/keys/public.pem
+    token_services_private_pem_file: /home/ec2-user/keys/tokenKeypair.pem
+
+    # ssl_mutual_auth_enabled: true  Deprecated in 7.8.x
+    ssl_client_authentication: required  # <required/requested/none>
+    # Sets mTLS on kafka broker listeners
+
+    mds_ssl_client_authentication: requested  # <required/requested/none>
+    # This decides clients behaviour when talking to Centralized MDS server.
+    # Must be defined in all section as all components need to know its value for assigning role bindings
+    # Default value is none
+
+    # When set to required clients must send certs to server
+    # When set to requested sending certs is optional given there is another mechanism like ldap/oauth which is sending principal
+    # requested mode is used for upgrade scenarios where all clients might not be sending certs to server
+    # Once all clients start sending certs to server this requested should be changed to required
+
+    principal_mapping_rules:
+      - "RULE:.*CN=([a-zA-Z0-9.-_]*).*$/$1/"
+      - "DEFAULT"
+
+kafka_controller:
+  hosts:
+    ec2-34-219-110-48.us-west-2.compute.amazonaws.com:
+    ec2-18-237-72-224.us-west-2.compute.amazonaws.com:
+    ec2-35-161-39-212.us-west-2.compute.amazonaws.com:
+
+kafka_broker:
+  hosts:
+    ec2-34-211-33-32.us-west-2.compute.amazonaws.com:
+    ec2-35-89-77-112.us-west-2.compute.amazonaws.com:
+    ec2-35-163-80-4.us-west-2.compute.amazonaws.com:
+
+schema_registry:
+  hosts:
+    ec2-34-212-49-238.us-west-2.compute.amazonaws.com:
+
+kafka_connect:
+  hosts:
+    ec2-35-93-21-143.us-west-2.compute.amazonaws.com:
+
+kafka_rest:
+  hosts:
+    ec2-34-222-41-249.us-west-2.compute.amazonaws.com:
+
+control_center:
+  hosts:
+    ec2-35-87-151-33.us-west-2.compute.amazonaws.com:

molecule/mini-setup-ext-mds-mtls/molecule.yml

@@ -1,9 +1,8 @@
 ---
 ### Installs Confluent Platform Cluster on ubi9.
-### RBAC enabled.
-### MTLS enabled.
-### Kafka Broker Customer Listener.
-### SSO authentication using OIDC in Control center using Okta IdP
+### RBAC over mTLS enabled.
+### Centralized MDS.
+### File based login to C3 using overrides.
 
 driver:
   name: docker

molecule/mini-setup-ldap-mtls/molecule.yml

@@ -1,9 +1,8 @@
 ---
 ### Installs Confluent Platform Cluster on ubi9.
-### RBAC enabled.
-### MTLS enabled.
-### Kafka Broker Customer Listener.
-### SSO authentication using OIDC in Control center using Okta IdP
+### RBAC over mTLS+LDAP enabled.
+### MDS accepts LDAP credentials and mTLS certs.
+### LDAP based login to C3.
 
 driver:
   name: docker

molecule/mini-setup-mtls/molecule.yml

@@ -1,9 +1,7 @@
 ---
 ### Installs Confluent Platform Cluster on ubi9.
-### RBAC enabled.
-### MTLS enabled.
-### Kafka Broker Customer Listener.
-### SSO authentication using OIDC in Control center using Okta IdP
+### RBAC over mTLS enabled.
+### File based login to C3 using overrides.
 
 driver:
   name: docker

molecule/mini-setup-oauth-mtls/molecule.yml

@@ -1,9 +1,7 @@
 ---
 ### Installs Confluent Platform Cluster on ubi9.
-### RBAC enabled.
-### MTLS enabled.
-### Kafka Broker Customer Listener.
-### SSO authentication using OIDC in Control center using Okta IdP
+### RBAC over mTLS+OAuth enabled.
+### SSO authentication using OIDC in Control center using Okta IdP.
 
 driver:
   name: docker

molecule/mini-setup-out-ldap-in-mtls/molecule.yml

@@ -1,9 +1,9 @@
 ---
 ### Installs Confluent Platform Cluster on ubi9.
-### RBAC enabled.
-### MTLS enabled.
-### Kafka Broker Customer Listener.
-### SSO authentication using OIDC in Control center using Okta IdP
+### RBAC over mTLS+LDAP enabled.
+### Outside CP to CP communication over LDAP.
+### Internal CP communication over mTLS.
+### LDAP based login to C3.
 
 driver:
   name: docker

molecule/mini-setup-out-oauth-in-mtls/molecule.yml

@@ -1,9 +1,9 @@
 ---
 ### Installs Confluent Platform Cluster on ubi9.
-### RBAC enabled.
-### MTLS enabled.
-### Kafka Broker Customer Listener.
-### SSO authentication using OIDC in Control center using Okta IdP
+### RBAC over mTLS+OAuth enabled.
+### Outside CP to CP communication over OAuth.
+### Internal CP communication over mTLS.
+### SSO authentication using OIDC in Control center using Okta IdP.
 
 driver:
   name: docker