ANSIBLE
Ansible Playbooks for Confluent Platform supports two encryption methods for component traffic: PLAINTEXT (no encryption) and TLS. PLAINTEXT is the default.
To enable TLS encryption for all components, add the following to the hosts.yml file:
hosts.yml
all:
  vars:
    ssl_enabled: true
To selectively enable or disable TLS encryption for specific components, set the following settings to true or false in addition to the global ssl_enabled setting. A component setting that you leave unset follows the global ssl_enabled value:
zookeeper_ssl_enabled
kafka_connect_ssl_enabled
kafka_rest_ssl_enabled
schema_registry_ssl_enabled
control_center_ssl_enabled
ksql_ssl_enabled
For example, if you want TLS enabled for all components except Schema Registry, set:
all:
  vars:
    ssl_enabled: true
    schema_registry_ssl_enabled: false
By default, the certificates used for this configuration are self-signed and generated by the playbooks. To deploy your own certificates instead, you can provide either custom certificates (a CA certificate plus a signed certificate and key per host) or custom keystores and truststores. The two options are described in turn below.
To provide custom certs, you need the Certificate Authority certificate and, for each host, the signed certificate and its private key, all present on the Ansible control node.
Complete the following steps to update hosts.yml.
Specify that custom certs are provided:
all:
  vars:
    ssl_custom_certs: true
Enter the path to the Certificate Authority certificate used to sign each host certificate:
all:
  vars:
    ssl_ca_cert_filepath: "/tmp/certs/ca.crt"
Set the signed certificate path and key file path for each host:
all:
  vars:
    ssl_signed_cert_filepath: "/tmp/certs/{{inventory_hostname}}-signed.crt"
    ssl_key_filepath: "/tmp/certs/{{inventory_hostname}}-key.pem"
The {{inventory_hostname}} variable in the example is expanded by Ansible to each host's name as set in the inventory file. If you name each host's signed certificate and key file after its inventory hostname, you can set these two paths once under all: vars instead of repeating them for every host, which keeps the inventory file shorter.
As an alternative, you can set the variables directly under a host. For example:
schema_registry:
  hosts:
    ip-192-24-10-207.us-west.compute.internal:
      ssl_signed_cert_filepath: "/tmp/certs/192-24-10-207-signed.crt"
      ssl_key_filepath: "/tmp/certs/192-24-10-207-key.pem"
To provide custom keystores and truststores, you need a keystore and a truststore for each host, together with their passwords, on the Ansible control node.
Specify that custom keystores and truststores are provided:
all:
  vars:
    ssl_provided_keystore_and_truststore: true
Provide the keystore and truststore file paths and passwords:
all:
  vars:
    ssl_keystore_filepath: "/tmp/certs/{{inventory_hostname}}-keystore.jks"
    ssl_keystore_key_password: mystorepassword
    ssl_keystore_store_password: mystorepassword
    ssl_truststore_filepath: "/tmp/certs/truststore.jks"
    ssl_truststore_password: truststorepass
By using the {{inventory_hostname}} variable in the keystore path and the same passwords for every host, you can set these variables once in the hosts.yml file. Note that the passwords are then stored in clear text in the inventory; encrypt the file or these variables with ansible-vault and restrict read access to the inventory on the control node.
As an alternative, you can set these variables under each host. For example:
schema_registry:
  hosts:
    ip-192-24-10-207.us-west.compute.internal:
      ssl_keystore_filepath: "/tmp/certs/{{inventory_hostname}}-keystore.jks"
      ssl_keystore_key_password: mystorepassword
      ssl_keystore_store_password: mystorepassword
      ssl_truststore_filepath: "/tmp/certs/truststore.jks"
      ssl_truststore_password: truststorepass
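Both procedures above (custom certs, and custom keystores and truststores) assume the TLS material already exists on the control node. The following POSIX shell script is an added example, not part of Ansible Playbooks for Confluent Platform, that produces it in the layout the variables above expect: a private CA for ssl_ca_cert_filepath, a CA-signed certificate and key per host named after the inventory hostname for ssl_signed_cert_filepath and ssl_key_filepath, and, when keytool is available, the JKS keystore and truststore for the ssl_provided_keystore_and_truststore option. Before anything is handed to Ansible, verify_host checks what a bad certificate would otherwise only reveal at broker startup or at the first client handshake: that the certificate chains to the CA, that the hostname is present as a SAN, and that the private key belongs to the certificate. The hostnames, certificate directory, CA subject, key sizes, validity periods and passwords are constructed placeholders; only openssl is required.

```shell
#!/bin/sh
# Added example, not part of Ansible Playbooks for Confluent Platform: builds a private CA
# and the per-host TLS material the ssl_custom_certs variables point at, checks each host's
# certificate, and optionally builds JKS stores. All names and passwords are placeholders.
set -eu

# Minimal OpenSSL config so the result does not depend on the distro's openssl.cnf.
write_cnf() {
  cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR: self-signed CA -> DIR/ca.crt (ssl_ca_cert_filepath) and DIR/ca.key.
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  write_cnf "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/openssl.cnf" -subj "/CN=Confluent Platform private CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  chmod 600 "$dir/ca.key"
}

# make_host_cert DIR HOST: key and CA-signed server cert for one inventory host, named
# DIR/HOST-key.pem and DIR/HOST-signed.crt so the {{inventory_hostname}} paths resolve.
make_host_cert() {
  dir="$1"; host="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/openssl.cnf" \
    -subj "/CN=$host" -keyout "$dir/$host-key.pem" -out "$dir/$host.csr" 2>/dev/null
  chmod 600 "$dir/$host-key.pem"
  # Leaf-only extensions; the SAN is what hostname verification matches against.
  cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$host
EOF
  openssl x509 -req -sha256 -days 365 -in "$dir/$host.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$host.ext" -out "$dir/$host-signed.crt" 2>/dev/null
  rm -f "$dir/$host.csr" "$dir/$host.ext"
}

# verify_host DIR HOST: returns 0 only if the cert chains to ca.crt (else 1), carries HOST
# as a DNS SAN (else 2), and matches the private key (else 3). Ansible does not check these.
verify_host() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$host-signed.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$host-signed.crt" -noout -text | grep -qF "DNS:$host" || return 2
  cert_pub=$(openssl x509 -in "$dir/$host-signed.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/$host-key.pem" -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ] || return 3
}

# make_stores DIR HOST PASS: the ssl_provided_keystore_and_truststore layout, built with keytool
# when a JDK is present (a cert-only PKCS12 written by openssl is not loaded as trusted by Java).
make_stores() {
  dir="$1"; host="$2"; pass="$3"
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping JKS stores" >&2; return 0; }
  openssl pkcs12 -export -name "$host" -in "$dir/$host-signed.crt" -inkey "$dir/$host-key.pem" \
    -certfile "$dir/ca.crt" -out "$dir/$host.p12" -passout "pass:$pass"
  keytool -importkeystore -noprompt -srckeystore "$dir/$host.p12" -srcstoretype PKCS12 \
    -srcstorepass "$pass" -destkeystore "$dir/$host-keystore.jks" -deststoretype JKS -deststorepass "$pass"
  rm -f "$dir/$host.p12"
  [ -f "$dir/truststore.jks" ] || keytool -importcert -noprompt -trustcacerts -alias CARoot \
    -file "$dir/ca.crt" -keystore "$dir/truststore.jks" -storetype JKS -storepass "$pass"
}

# Example run (sh make-certs.sh run): hostnames are constructed; /tmp/certs matches hosts.yml above.
if [ "${1:-}" = "run" ]; then
  CERT_DIR=/tmp/certs
  make_ca "$CERT_DIR"
  for h in kafka-1.example.internal kafka-2.example.internal; do
    make_host_cert "$CERT_DIR" "$h"
    verify_host "$CERT_DIR" "$h" && echo "$h: OK"
    make_stores "$CERT_DIR" "$h" mystorepassword
  done
fi
```

The SAN is set to the inventory hostname on the assumption that this is the name clients and other components connect to; if brokers are also reached through other names or addresses, add further DNS: or IP: entries to subjectAltName, since a certificate that chains correctly but lacks the right SAN fails hostname verification. OpenSSL 3 writes PKCS12 files with AES and SHA-256 by default; if an older JDK's keytool rejects the intermediate .p12 file, add -legacy to the openssl pkcs12 command. Keep ca.key out of the certificate directory that is copied to the hosts: only ca.crt is needed there.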