
Regenerate self signed certificates on expiration

Open rahulsinghai opened this issue 2 years ago • 2 comments

For Confluent Enterprise Support customers, we would strongly advise you to open a Support ticket which will be addressed within your Support contract SLA at https://support.confluent.io

Describe the issue

When I use cp-ansible to generate self-signed certificates, it generates a CA with a validity of 1 year only. How can we use cp-ansible to regenerate ca.crt, zookeeper.crt, and kafka_broker.crt?

Also, is there a way to increase validity from the current 1 year to say 10 years?

To Reproduce

Steps to reproduce the behaviour:

ansible-playbook -i hosts.yml confluent.platform.all --tags=certificate_authority
ansible-playbook -i hosts.yml confluent.platform.all --tags=masterkey
ansible-playbook -i hosts.yml confluent.platform.all --tags=zookeeper
ansible-playbook -i hosts.yml confluent.platform.all --tags=kafka_broker

Then on broker & ZK nodes check CA:

  keytool -printcert -v -file /var/ssl/private/ca.crt
  keytool -printcert -v -file /var/ssl/private/zookeeper.crt
  keytool -printcert -v -file /var/ssl/private/kafka_broker.crt

Expected behaviour

  1. Steps to regenerate new certificates with new validity
  2. Steps to generate certificates with increased validity of say 10 years.

Inventory File

all:
  vars:
    ansible_connection: ssh
    ansible_user: kafkadev
    ansible_become: true
    ansible_ssh_private_key_file: ~/.ssh/kafkadevb0_key

    sasl_protocol: scram

    zookeeper_sasl_protocol: none

    ssl_enabled: true
    self_signed: true
    regenerate_ca: false
    regenerate_keystore_and_truststore: false

    zookeeper_ssl_mutual_auth_enabled: false
    zookeeper_chroot: "/kafkasslscram"

    confluent_server_enabled: false

    kafka_broker_rest_proxy_authentication_type: basic

    kafka_broker_custom_properties:
      authorizer.class.name: kafka.security.authorizer.AclAuthorizer
      super.users: User:administrator
      auto.create.topics.enable: False
      log.dirs: /data/0

zookeeper:
  hosts:
    192.168.1.7:
      ansible_host: 50.45.123.22

kafka_broker:
  hosts:
    192.168.1.5:
      ansible_host: 50.45.123.199
      kafka_broker_custom_listeners:
        broker:
          hostname: 192.168.1.5
        internal:
          hostname: 50.45.123.199

Logs

The certificates always have a validity of 1 year

Environment (please complete the following information):

  • OS: 18.04.1-Ubuntu x86_64
  • CP-Ansible Branch: 7.0.1-post
  • Ansible Version: 2.12.2

rahulsinghai, Mar 18 '22 11:03

@rahulsinghai Thanks for opening this issue! I think it would make a lot of sense for cp-ansible to fix renewal of certificates.

@nsharma-git This is one of the improvements that we could potentially do once we are allowed to use modules from the community.crypto collection. I made an attempt in https://github.com/confluentinc/cp-ansible/pull/934, but sadly it got reverted in https://github.com/confluentinc/cp-ansible/pull/943. Can we somehow lift the Ansible version requirement for running newer versions of cp-ansible?

erikgb, Mar 18 '22 14:03

Thanks @rahulsinghai and @erikgb. We are reviewing cp-ansible for all possible Day 2 operations. I understand it's being used for cluster management for many tasks; however, we need to relook at this holistically. Regarding the Ansible version, we are supporting 2.9 and 2.11 for the newest release. I would love to have a solution which is a bit agnostic to the Ansible version. We will certainly have a look at this. cc: @anuj-apdev

nsharma-git, Mar 22 '22 13:03

@rahulsinghai you can use the following variable to decide/declare the validity of certs in case the certs are generated by cp-ansible: keystore_expiration_days. Although the name of the variable might not suggest it, it's basically used to set the expiry dates of the certificates. Currently, the default value is set to 365 days. Hope this will help you resolve the issue of fixed expiry dates.

anuj-apdev, Sep 07 '22 05:09
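Added example, not code from cp-ansible or from anyone in this thread: it parses the `keytool -printcert -v` output from the reproduction steps to flag certificates that are expired or inside a renewal window, and builds the inventory overrides for a renewal run using the variables named above. It assumes keytool's "Valid from: <date> until: <date>" line layout with UTC dates, and that setting regenerate_ca and regenerate_keystore_and_truststore to true makes the next playbook run re-issue the CA and keystores; the sample keytool output is constructed.

```python
# Added example, not cp-ansible code. Assumes keytool's "Valid from: <d> until: <d>" line
# layout with UTC dates, and that regenerate_*: true re-issues certs on the next run.
import re
from datetime import datetime, timezone

VALID_LINE = re.compile(r"^Valid from:\s*(.+?)\s+until:\s*(.+?)\s*$")
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # keytool date with its zone token removed

def parse_keytool_date(text):
    """'Fri Mar 18 11:03:00 UTC 2022' -> aware UTC datetime (zone token must be UTC/GMT)."""
    parts = text.split()
    zone = parts.pop(4)
    if zone not in ("UTC", "GMT"):
        raise ValueError(f"unexpected time zone in keytool output: {zone}")
    return datetime.strptime(" ".join(parts), DATE_FMT).replace(tzinfo=timezone.utc)

def parse_validity(keytool_output):
    """Return (not_before, not_after) from `keytool -printcert -v` text."""
    for line in keytool_output.splitlines():
        m = VALID_LINE.match(line.strip())
        if m:
            return parse_keytool_date(m.group(1)), parse_keytool_date(m.group(2))
    raise ValueError("no 'Valid from ... until ...' line in keytool output")

def check_certs(outputs, now, warn_days=30):
    """outputs: {cert path: keytool output}. Returns [(path, days_left, status)]."""
    report = []
    for path, text in outputs.items():
        _, not_after = parse_validity(text)
        days_left = (not_after - now).days
        status = "EXPIRED" if days_left < 0 else "RENEW" if days_left <= warn_days else "OK"
        report.append((path, days_left, status))
    return report

def renewal_vars(validity_days=3650):
    """Inventory overrides for a renewal run: new CA, new keystores, longer validity."""
    return {"regenerate_ca": True,
            "regenerate_keystore_and_truststore": True,
            "keystore_expiration_days": validity_days}

# Constructed sample output in keytool's layout, not captured from a real host.
SAMPLE = {
    "/var/ssl/private/ca.crt": "Owner: CN=ca\nIssuer: CN=ca\n"
        "Valid from: Fri Mar 18 11:03:00 UTC 2022 until: Sat Mar 18 11:03:00 UTC 2023\n",
    "/var/ssl/private/zookeeper.crt":
        "Valid from: Wed Feb 16 08:00:00 UTC 2022 until: Thu Feb 16 08:00:00 UTC 2023\n",
    "/var/ssl/private/kafka_broker.crt":
        "Valid from: Sat Apr 02 09:00:00 UTC 2022 until: Sun Apr 02 09:00:00 UTC 2023\n",
}
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)  # fixed "today" so results are reproducible
```

Calling `check_certs(SAMPLE, NOW)` reports the CA as RENEW (17 days left), the ZooKeeper cert as EXPIRED and the broker cert as OK; on real hosts, feed it the output of the keytool commands from the reproduction steps.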