Add molecule scenario to test ZK mTLS

Marco Ronconi · Marco Ronconi · commit 22c53880a669 · 2024-08-29T17:01:55.000+02:00
diff --git a/molecule/zk-secured/converge.yml b/molecule/zk-secured/converge.yml
@@ -0,0 +1,2 @@
+---
+- import_playbook: ../../playbooks/setup.yml
diff --git a/molecule/zk-secured/molecule.yml b/molecule/zk-secured/molecule.yml
@@ -0,0 +1,113 @@
+---
+# skip prerun because I am experiencing the issue described here:
+# https://github.com/ansible/ansible-lint/issues/2070
+prerun: false
+dependency:
+  name: galaxy
+driver:
+  name: docker
+lint: |
+  ansible-lint -v
+platforms:
+
+  - name: machine1
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    groups:
+      - kafka
+      - zookeeper
+    networks:
+      - name: molecule
+
+  - name: machine2
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    groups:
+      - kafka
+      - zookeeper
+    networks:
+      - name: molecule
+
+  - name: machine3
+    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    groups:
+      - kafka
+      - zookeeper
+    networks:
+      - name: molecule
+
+provisioner:
+  name: ansible
+  ansible_args:
+    - --diff
+  playbooks:
+    converge: converge.yml
+    prepare: ../shared/prepare.yml
+    verify: verify.yml
+  inventory:
+    group_vars:
+      zookeeper:
+        zookeeper_interface_name: eth0
+
+        zookeeper_auth_client_enabled: true
+        zookeeper_auth_quorum_enabled: true
+        zookeeper_auth_type: tls
+
+        zookeeper_tls_config:
+          enabled: true
+          trustedCA:
+            file: ../../../molecule/shared/certs/ca-root.pem
+            location: /etc/certs/ca-root.pem
+          keystore:
+            file: ../../../molecule/shared/certs/cert-cluster.p12
+            location: /etc/certs/cert-cluster.p12
+            password: changeit
+            type: PKCS12
+
+      kafka:
+        kafka_advertised_interface_name: eth0
+        kafka_advertised_host: "{{ ansible_hostname }}"
+        
+        kafka_tls_config:
+          enabled: true
+          trustedCA:
+            file: ../../../molecule/shared/certs/ca-root.pem
+            location: /etc/certs/ca-root.pem
+          keystore:
+            file: ../../../molecule/shared/certs/cert-cluster.p12
+            location: /etc/certs/cert-cluster.p12
+            password: changeit
+            type: PKCS12
+
+        kafka_listeners:
+
+          - name: plain
+            port: 9092
+            tls: false
+
+        kafka_inter_broker_listener_name: plain
+        
+        kafka_admin:
+          listener_name: plain
+
+    host_vars:
+      machine1:
+        kafka_broker_id: 1
+        zookeeper_myid: 1
+      machine2:
+        kafka_broker_id: 2
+        zookeeper_myid: 2
+      machine3:
+        kafka_broker_id: 3
+        zookeeper_myid: 3
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+verifier:
+  name: ansible
diff --git a/molecule/zk-secured/verify.yml b/molecule/zk-secured/verify.yml
@@ -0,0 +1,47 @@
+---
+- name: Verify
+  hosts: all
+  gather_facts: true
+  vars: 
+    kafka_home: /opt/kafka/kafka_2.13-3.7.0
+  tasks:
+  
+  - name: Ensure ZK CLI config file exist
+    ansible.builtin.copy:
+      content: |
+        zookeeper.ssl.keystore.location=/etc/certs/cert-cluster.p12
+        zookeeper.ssl.keystore.password=changeit
+        zookeeper.ssl.keystore.type=PKCS12
+        zookeeper.ssl.truststore.location=/etc/certs/ca-root.pem
+        zookeeper.ssl.truststore.type=PEM
+        zookeeper.ssl.client.enable=true
+        zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
+      dest: /tmp/zk-tls-config.properties
+  
+  - name: Test ZK CLI mTLS connection
+    ansible.builtin.command: >
+      {{ kafka_home }}/bin/zookeeper-shell.sh \
+        {{ ansible_default_ipv4.address }}:2182 \
+        whoami \
+        -zk-tls-config-file /tmp/zk-tls-config.properties
+    changed_when: false
+    register: zk_cli_res
+
+  - name: ZK CLI mTLS connection assertions
+    ansible.builtin.assert:
+      that: 
+        - zk_cli_res.stdout_lines is search('SyncConnected') 
+        - zk_cli_res.stdout_lines is search('x509:\ CN=kafka')
+
+  - name: Test Kafka to ZK mTLS connection
+    ansible.builtin.command: >
+      {{ kafka_home }}/bin/kafka-topics.sh \
+        --bootstrap-server {{ ansible_default_ipv4.address }}:9092 \
+        --describe
+    changed_when: false
+    run_once: true
+    register: kafka_zk_res
+
+  - name: Kafka to ZK mTLS connection assertions
+    ansible.builtin.assert:
+      that: kafka_zk_res.rc == 0

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+---`
	`2`	`+- import_playbook: ../../playbooks/setup.yml`