forked from datastax/pulsar-ansible
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path01.create_secFiles.yaml
executable file
·124 lines (118 loc) · 4.94 KB
/
01.create_secFiles.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
###
# Copyright DataStax, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
###
---
##
## NOTE: DO not change the sequence of the tasks!
## This is needed when broker or function worker security is enabled!
##
#########################
# Generate Pulsar broker security related files (only relevant when Pulsar broker security is enabled).
# - JWT tokens and keys
# - TLS certificates and keys
#
# NOTE: this step will run bash script locally. This means that the localhost
# can't be Windows based machine. Linux or Mac machine are fine.
# -----------------------
- hosts: localhost
connection: local
vars:
cleanLocalSecStaging: true
showLocalCmdOutput: true
srv_component: 'broker'
jwtTokenOnly: false
brokerOnly: false
# srv_host_list: "{{ groups['broker']['private_ip']|join(',') }}"
srv_host_list: "{{ groups['broker'] | map('extract', hostvars, ['private_ip']) | join(',') if srv_component in groups else None }}"
roles:
- { role: local_process/gen_secFile/create_jwt_token,
user_roles_list: "{{ brkr_super_user_roles_list_str }}",
when: srv_host_list != "" and
enable_brkr_authNZ is defined and enable_brkr_authNZ|bool and
skip_brkr_jwt_token_generation is defined and not skip_brkr_jwt_token_generation|bool
}
- { role: local_process/gen_secFile/create_tls_certs,
srv_key_password: "{{ brkr_key_password }}",
srv_cert_expire_days: "{{ brkr_cert_expire_days }}",
when: not jwtTokenOnly|bool and
srv_host_list != "" and
enable_brkr_tls is defined and enable_brkr_tls|bool and
skip_brkr_tls_certs_generatation is defined and not skip_brkr_tls_certs_generatation|bool }
#########################
# Generate Pulsar functions worker security related files
# - JWT tokens and keys
# - TLS certificates and keys
#
# This is only relevant when
# - dedicated functions worker deployment is needed, and
# - functions worker security is enabled
#
# NOTE: this step will run bash script locally. This means that the localhost
# can't be Windows based machine. Linux or Mac machine are fine.
# -----------------------
- hosts: localhost
connection: local
vars:
cleanLocalSecStaging: "true"
showLocalCmdOutput: true
srv_component: 'functions_worker'
srv_host_list: "{{ groups['functions_worker']|join(',') if srv_component in groups else None }}"
jwtTokenOnly: false
brokerOnly: false
roles:
- { role: local_process/gen_secFile/create_jwt_token,
user_roles_list: "{{ fwrkr_super_user_roles_list_str }}",
when: srv_host_list != "" and
deploy_functions_worker is defined and deploy_functions_worker == 'dedicated' and
enable_fwrkr_authNZ is defined and enable_fwrkr_authNZ|bool and
skip_fwrkr_jwt_token_generation is defined and not skip_fwrkr_jwt_token_generation|bool
}
- { role: local_process/gen_secFile/create_tls_certs,
srv_key_password: "{{ fwrkr_key_password }}",
srv_cert_expire_days: "{{ fwrkr_cert_expire_days }}",
when: not brokerOnly|bool and
not jwtTokenOnly|bool and
srv_host_list != "" and
deploy_functions_worker is defined and deploy_functions_worker == 'dedicated' and
enable_fwrkr_tls is defined and enable_fwrkr_tls|bool and
skip_fwrkr_tls_certs_generatation is defined and not skip_fwrkr_tls_certs_generatation|bool }
#########################
# Generate Pulsar AdminConsole security related files
# - JWT tokens and keys
# - TLS certificates and keys
#
# This is only relevant when
# - AdminConsole deployment is needed, and
# - AdminConsole security is enabled
#
# NOTE: this step will run bash script locally. This means that the localhost
# can't be Windows based machine. Linux or Mac machine are fine.
# -----------------------
- hosts: localhost
connection: local
vars:
showLocalCmdOutput: true
srv_component: 'adminConsole'
srv_host_list: "{{ groups['adminConsole']|join(',') if srv_component in groups else None }}"
jwtTokenOnly: false
brokerOnly: false
roles:
- { role: local_process/gen_secFile/create_tls_certs,
srv_key_password: "{{ ac_key_password }}",
srv_cert_expire_days: "{{ ac_cert_expire_days }}",
when: not brokerOnly|bool and
not jwtTokenOnly|bool and
srv_host_list != "" and
enable_ac_https is defined and enable_ac_https|bool }