@DennisFederico
Created May 31, 2023 15:19
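---
## cp-ansible inventory (Ansible YAML inventory format).
## Group/host hierarchy restored: every variable under all.vars applies to all
## components; per-component groups (zookeeper, kafka_broker, ...) follow at top level.
all:
  vars:
    ## ANSIBLE CONNECTIVITY PARAMS AND FLAGS
    ansible_connection: ssh
    ansible_user: dfederico
    ansible_become: true
    ansible_ssh_private_key_file: ~/.ssh/id_rsa
    ansible_python_interpreter: /usr/bin/python3
    ## NOTE: StrictHostKeyChecking=no disables SSH host-key verification, so the control
    ## node cannot notice a changed or substituted host key. Prefer distributing known_hosts
    ## entries and dropping this option outside a sandbox.
    ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
    ## DEBUG ANSIBLE PLAYBOOKS FLAGS
    ## Uncomment only while troubleshooting: with masking turned off, secret values end up
    ## in the playbook output and logs in the clear.
    # mask_secrets: false
    # mask_sensitive_logs: false
    # mask_sensitive_diff: false
    ## CP-ANSIBLE SPECIFICS
    ## (serial - rolling restart | useful for upgrades and config changes)
    # deployment_strategy: serial
    validate_hosts: false
    secrets_protection_enabled: true
    #### Setting Proxy Environment variables ####
    ## To set proxy env vars for the duration of the playbook run, uncomment the block below and set as necessary.
    # proxy_env:
    #   http_proxy: http://proxy.example.com:8080
    #   https_proxy: https://proxy.example.com:8080
    ## Note: you must use hostnames or IPs to define your no_proxy server addresses; CIDR ranges are not supported.
    #   no_proxy: http://10.198.0.0:8080
    ## JAVA INSTALL CONFIG
    ## If you don't want to install Java, provide a custom path to the location
    ## of the existing Java distribution on your hosts using the 'custom_java_path' var.
    # custom_java_path: /var/bin/
    redhat_java_package_name: java-17-openjdk
    debian_java_package_name: openjdk-17-jdk
    ubuntu_java_package_name: openjdk-17-jdk
    #### Custom Yum Repo File (RHEL/CentOS) ####
    ## If you are using your own yum repo server to host the packages, e.g. in an air-gapped environment,
    ## use the variables below to distribute a custom .repo file to the hosts and skip the default repo setup.
    ## Note: your repo server must host all Confluent packages.
    # repository_configuration: custom
    # custom_yum_repofile_filepath: /tmp/my-repo.repo
    ## CONFLUENT PLATFORM DISTRIBUTION AND LICENSE
    confluent_package_version: 7.3.3
    confluent_server_enabled: true
    ## TLS/SSL CONFIGURATION
    ssl_enabled: true
    # ssl_mutual_auth_enabled: true
    ssl_custom_certs: true
    ssl_ca_cert_filepath: ~/inventories/gcp-sandbox/ssl/generated/CAcert.pem
    ssl_signed_cert_filepath: ~/inventories/gcp-sandbox/ssl/generated/server-demo.pem
    ssl_key_filepath: ~/inventories/gcp-sandbox/ssl/generated/server-demo-key.pem
    # regenerate_keystore_and_truststore: true  # use when refreshing certificates
    ## TODO (optional): provide a custom password for the generated truststores and keystores.
    # ssl_keystore_and_truststore_custom_password: true
    # ssl_truststore_password: <mytruststorecustompassword>  # can be set per host or service
    # ssl_keystore_store_password: <mykeystorecustompassword>  # can be set per host or service
    ## Monitoring Configuration
    jmxexporter_enabled: false
    jmxexporter_url_remote: false
    jmxexporter_jar_url: ~/inventories/gcp-sandbox/jmx/jmx_prometheus_javaagent-0.17.2.jar
    zookeeper_jmxexporter_config_source_path: ~/inventories/gcp-sandbox/jmx/zookeeper.yml
    kafka_broker_jmxexporter_config_source_path: ~/inventories/gcp-sandbox/jmx/kafka_broker.yml
    schema_registry_jmxexporter_config_source_path: ~/inventories/gcp-sandbox/jmx/confluent_schemaregistry.yml
    kafka_connect_jmxexporter_config_source_path: ~/inventories/gcp-sandbox/jmx/kafka_connect.yml
    ksql_jmxexporter_config_source_path: ~/inventories/gcp-sandbox/jmx/confluent_ksql.yml
    #### Zookeeper TLS Configuration ####
    zookeeper_ssl_enabled: true
    zookeeper_ssl_mutual_auth_enabled: false
    ## CONFLUENT SERVER FEATURE
    kafka_broker_schema_validation_enabled: false
    #### PLATFORM (BROKER) Authentication Configuration ####
    sasl_protocol: plain
    ## Configuring Role Based Access Control (PLATFORM AUTHORIZATION)
    rbac_enabled: true
    kafka_broker_custom_listeners:
      ## NOTE: the per-listener ssl_enabled: false below appears to override the global
      ## ssl_enabled: true for this listener only, leaving port 9091 plaintext; keep it
      ## reachable from the broker network only.
      broker:
        name: BROKER
        port: 9091
        ssl_enabled: false
        sasl_protocol: plain
      internal:
        name: INTERNAL
        port: 9093
        sasl_protocol: oauth
      client:
        name: CLIENT
        port: 9092
        sasl_protocol: plain
    ## LDAP Users
    ## Passwords are sourced from Ansible Vault variables (vault_*); keep the vault file encrypted at rest.
    ## Note: the users below must already exist in your LDAP environment. See the LDAP CONNECTION CONFIG
    ## section of kafka_broker_custom_properties below for the connection details.
    mds_super_user: mds
    mds_super_user_password: "{{ vault_mds_super_user_password }}"
    kafka_broker_ldap_user: kafka
    kafka_broker_ldap_password: "{{ vault_kafka_broker_ldap_password }}"
    schema_registry_ldap_user: sr
    schema_registry_ldap_password: "{{ vault_schema_registry_ldap_password }}"
    kafka_connect_ldap_user: connect
    kafka_connect_ldap_password: "{{ vault_kafka_connect_ldap_password }}"
    ksql_ldap_user: ksql
    ksql_ldap_password: "{{ vault_ksql_ldap_password }}"
    kafka_rest_ldap_user: kafka
    kafka_rest_ldap_password: "{{ vault_kafka_rest_ldap_password }}"
    control_center_ldap_user: c3
    control_center_ldap_password: "{{ vault_control_center_ldap_password }}"
    ## MDS CONFIGURATION FOR TOKENS
    create_mds_certs: false
    copy_certs: true
    token_services_public_pem_file: ~/inventories/gcp-sandbox/ssl/generated/mds-pub-key.pem
    token_services_private_pem_file: ~/inventories/gcp-sandbox/ssl/generated/mds-priv-key.pem
    ## Allow the playbooks to configure additional principals as system admins on the platform; set the list below.
    rbac_component_additional_system_admins:
      - User:dfederico
      - Group:safaricom
    #########
    ## COMPONENT SPECIFIC CONFIGURATION
    kafka_broker_custom_properties:
      log.retention.hours: 4
      default.replication.factor: 3
      min.insync.replicas: 2
      confluent.metadata.server.openapi.enable: true
      listener.name.client.plain.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required;
      listener.name.client.plain.sasl.server.callback.handler.class: io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler
      # super.users: User:kafka;User:c3;User:ksql
      # confluent.balancer.enable: true
      ## LDAP CONNECTION CONFIG
      ldap.java.naming.factory.initial: com.sun.jndi.ldap.LdapCtxFactory
      # ldap.com.sun.jndi.ldap.read.timeout: 3000
      ldap.refresh.interval.ms: 180000
      ## NOTE: a plain ldap:// URL combined with 'simple' authentication sends the bind
      ## credentials below in cleartext on the wire; prefer ldaps:// (or StartTLS) outside a sandbox.
      ldap.java.naming.provider.url: ldap://dfederico-ldap-openldap:389
      ldap.java.naming.security.principal: CN=mds-ldap,DC=dennis,DC=cflt,DC=com
      ldap.java.naming.security.credentials: "{{ vault_ldap_java_naming_security_credentials }}"
      ldap.java.naming.security.authentication: simple
      ldap.search.mode: GROUPS
      # Search Groups
      ldap.group.search.base: ou=groups,dc=dennis,dc=cflt,dc=com
      ldap.group.object.class: groupOfNames
      ldap.group.name.attribute: cn
      ldap.group.member.attribute: member
      ldap.group.member.attribute.pattern: cn=(.*),ou=users,dc=dennis,dc=cflt,dc=com
      # Search Base
      ldap.user.search.base: ou=users,dc=dennis,dc=cflt,dc=com
      ldap.user.object.class: person
      ldap.user.name.attribute: cn
      # ldap.user.memberof.attribute.pattern: CN=(.*),OU=users,DC=dennis,DC=cflt,DC=com
    control_center_custom_properties:
      confluent.controlcenter.mode.enable: management

## Component groups. A host key with no value (e.g. dfederico-demo-sr-0:) is a host
## with no host-specific vars.
zookeeper:
  hosts:
    dfederico-demo-zk-0:
      zookeeper_id: 1

kafka_broker:
  vars:
    kafka_broker_cluster_name: kafka-main
  hosts:
    dfederico-demo-broker-0:
      broker_id: 1
      kafka_broker_custom_properties:
        broker.rack: rack1
        replica.selector.class: org.apache.kafka.common.replica.RackAwareReplicaSelector
    dfederico-demo-broker-1:
      broker_id: 2
      kafka_broker_custom_properties:
        broker.rack: rack1
        replica.selector.class: org.apache.kafka.common.replica.RackAwareReplicaSelector
    dfederico-demo-broker-2:
      broker_id: 3
      kafka_broker_custom_properties:
        broker.rack: rack2
        replica.selector.class: org.apache.kafka.common.replica.RackAwareReplicaSelector

schema_registry:
  hosts:
    dfederico-demo-sr-0:

kafka_connect:
  vars:
    kafka_connect_cluster_name: connect
    kafka_connect_group_id: connect
    kafka_connect_confluent_hub_plugins:
      - confluentinc/kafka-connect-datagen:0.6.0
      # - confluentinc/kafka-connect-jdbc:10.6.4
  hosts:
    dfederico-demo-connect-0:

ksql:
  vars:
    ksql_cluster_name: ksql-primary
    ksql_service_id: ksql-primary
    ksql_log_streaming_enabled: true
  hosts:
    dfederico-demo-ksql-0:

control_center:
  hosts:
    dfederico-demo-c3-0: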