
Allow creation of keystore and truststore with custom password when using custom or self-signed certs

Open DennisFederico opened this issue 2 years ago • 3 comments

Description

Truststores and keystores are created using a hardcoded, visible password in the ssl role when using custom certs or self-signed certs. This change allows specifying a custom password for those stores in a way that is compatible with the "provided truststore and keystore" mechanism.

This surfaced with a deployment using "secrets protection": the customer doesn't want to provide the JKS stores, but rather their custom certificates and the password for the stores via Ansible Vault.

Fixes # (#641)

Type of change

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [X] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • [ ] This change requires a documentation update

How Has This Been Tested?

Sadly I have trouble running molecule, I could use a hand with that and would be able to provide automated tests. In the meantime I've tested this manually with VMs using custom certificates (with encrypted and unencrypted keys) and providing custom stores for all services except replicator.

Besides simple sanity checks via Control Center, with each test scenario/deployment I double-checked the properties file of the services to confirm the expected value of the appropriate '.keystore.password' and '.truststore.password', and used those to "open" the stores addressed by '.truststore.location' and '.keystore.location'.

Test Configuration:

  • Custom Certificates and Key for all services
  • Custom Certificates and Key for each service
  • Custom Certificates and Encrypted key for all services
  • Provided Keystore and Truststore for all services

Checklist:

  • [X] My code follows the style guidelines of this project
  • [X] I have performed a self-review of my own code
  • [X] I have commented my code, particularly in hard-to-understand areas
  • [X] I have made corresponding changes to the documentation
  • [X] My changes generate no new warnings
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • [ ] Any dependent changes have been merged and published in downstream modules
  • [X] Any variable changes have been validated to be backwards compatible

NOTE: 'ssl_keystore_key_password' doesn't need to be set with custom certificates, as the generated keystore will use the same password for both the key and the store (I'm guessing it's due to a PKCS12 limitation).

DennisFederico, Jun 07 '22 08:06
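As an added example of the manual check described in the PR (not code from the PR or from cp-ansible), the script below reads a rendered service properties file, pulls the '.keystore.password' / '.truststore.password' values and confirms they open the stores at '.keystore.location' / '.truststore.location' with keytool. The sample properties, paths and password are constructed for this example; an empty or missing password is reported as a failure without calling keytool, since that would mean the role never rendered the value.

```python
import re
import subprocess
from pathlib import Path

# Constructed sample shaped like a rendered server.properties; paths and
# the password are made up for this example.
SAMPLE_PROPERTIES = """\
# broker ssl settings
ssl.keystore.location=/var/ssl/private/kafka_broker.keystore.jks
ssl.keystore.password=s3cret-from-vault
ssl.truststore.location=/var/ssl/private/kafka_broker.truststore.jks
ssl.truststore.password=s3cret-from-vault
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def store_pairs(props, prefix=""):
    """(kind, location, password) per store; prefix handles per-listener keys
    such as 'listener.name.internal.ssl.keystore.location'."""
    found = []
    for kind in ("keystore", "truststore"):
        location = props.get(f"{prefix}ssl.{kind}.location")
        if location is not None:
            found.append((kind, location, props.get(f"{prefix}ssl.{kind}.password")))
    return found


def store_opens(location, password, keytool="keytool"):
    """True if `keytool -list` opens the store with the rendered password."""
    if not password or not Path(location).is_file():
        return False  # missing value or store: fail without running keytool
    result = subprocess.run(
        [keytool, "-list", "-keystore", location, "-storepass", password],
        capture_output=True, text=True)
    return result.returncode == 0


def check_properties_file(path, prefix="", keytool="keytool"):
    """Map each store named in the properties file to whether its password opens it."""
    props = parse_properties(Path(path).read_text())
    return {kind: store_opens(loc, pw, keytool) for kind, loc, pw in store_pairs(props, prefix)}
```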

Hey @DennisFederico, we have some work ongoing on the CI builds. Will be fixed real soon and we'll run the tests again (no need to worry about that for now). We'll also have a look at the PR. Thanks for the contribution.

utkarsh5474, Jun 07 '22 10:06

Cool, thx @utkarsh5474

DennisFederico, Jun 07 '22 11:06

> Hey @DennisFederico, we have some work ongoing on the CI builds. Will be fixed real soon and we'll run the tests again (no need to worry about that for now). We'll also have a look at the PR. Thanks for the contribution.

Seems the CI issues have been fixed, congrats.

DennisFederico, Jun 09 '22 07:06

The changes will be merged from https://github.com/confluentinc/cp-ansible/pull/1083 to all downstream branches. This PR would not be needed.

nsharma-git, Sep 14 '22 11:09