From ccf26997ee8873156d76e0ada85e3b4a921efc53 Mon Sep 17 00:00:00 2001 From: gene-redpanda <123959009+gene-redpanda@users.noreply.github.com> Date: Wed, 11 Oct 2023 13:18:49 -0400 Subject: [PATCH 1/2] initial work on sasl/acl Still need to make some major changes here, specifically * got to bifurcate test scripts for sasl/no sasl * need a sasl enabled basic cluster playbook * need to add sasl to all the non-basic playbooks * taskfile work to support sasl testing --- .buildkite/scripts/standup-cluster.sh | 6 +++--- .buildkite/scripts/test-basic-cluster.sh | 6 +++--- .buildkite/scripts/test-tiered-storage-cluster.sh | 8 ++++---- Taskfile.yaml | 4 ++-- ansible/provision-basic-cluster.yml | 2 ++ ansible/provision-tiered-storage-cluster.yml | 5 +++++ 6 files changed, 19 insertions(+), 12 deletions(-) diff --git a/.buildkite/scripts/standup-cluster.sh b/.buildkite/scripts/standup-cluster.sh index afa4377..884758a 100755 --- a/.buildkite/scripts/standup-cluster.sh +++ b/.buildkite/scripts/standup-cluster.sh @@ -50,6 +50,7 @@ if [ -z "$PREFIX" ] || [ -z "$DISTRO" ] || [ -z "$UNSTABLE" ] || [ -z "$TIERED" exit 1 fi +trap cleanup EXIT INT TERM cleanup() { exit_code=$? echo "trapped exit, cleaning up" @@ -63,7 +64,6 @@ cleanup() { }' exit $exit_code } -trap cleanup EXIT INT TERM if [ -z "$MACHINE_ARCH" ]; then MACHINE_ARCH="x86_64" @@ -105,7 +105,7 @@ echo "building cluster" DEPLOYMENT_ID=$PREFIX DISTRO=$DISTRO IS_USING_UNSTABLE=$UNSTABLE task "create-$TASK_NAME" error_code=$? if [ $error_code -ne 0 ]; then - echo "error in ansible standup" + echo "error in create $TASK_NAME" exit 1 fi @@ -113,7 +113,7 @@ echo "testing cluster" DEPLOYMENT_ID=$PREFIX DISTRO=$DISTRO task "test-$TASK_NAME" error_code=$? if [ $error_code -ne 0 ]; then - echo "error in test-tls-cluster" + echo "error in test $TASK_NAME" exit 1 fi diff --git a/.buildkite/scripts/test-basic-cluster.sh b/.buildkite/scripts/test-basic-cluster.sh index 80c5997..1f02a7a 100755 
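Review bot: `trap cleanup EXIT INT TERM` is now registered before `cleanup()` is defined (this hunk, with the matching removal in the `-63,7` hunk). Bash resolves the handler name only when the trap fires, so this works once the function exists, but any exit in the window before the definition runs an undefined command and skips the teardown, so nothing is gained by the move; either keep the trap after the function as before, or move the definition up with it if the goal is to cover earlier exits. The body of `cleanup` continues outside the hunk.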
--- a/.buildkite/scripts/test-basic-cluster.sh +++ b/.buildkite/scripts/test-basic-cluster.sh @@ -45,16 +45,16 @@ sed 's/,$/\n/') ## test that we can check status, create a topic and produce to the topic echo "checking cluster status" -"${PATH_TO_RPK_FILE}" cluster status --brokers "$REDPANDA_BROKERS" -v || exit 1 +"${PATH_TO_RPK_FILE}" cluster status --user admin --password admin --brokers "$REDPANDA_BROKERS" -v || exit 1 echo "creating topic" "${PATH_TO_RPK_FILE}" topic create testtopic --brokers "$REDPANDA_BROKERS" -v || exit 1 echo "producing to topic" -echo squirrel | "${PATH_TO_RPK_FILE}" topic produce testtopic --brokers "$REDPANDA_BROKERS" -v || exit 1 +echo squirrel | "${PATH_TO_RPK_FILE}" topic produce --user admin --password admin testtopic --brokers "$REDPANDA_BROKERS" -v || exit 1 echo "consuming from topic" -"${PATH_TO_RPK_FILE}" topic consume testtopic --brokers "$REDPANDA_BROKERS" -v -o :end | grep squirrel || exit 1 +"${PATH_TO_RPK_FILE}" topic consume --user admin --password admin testtopic --brokers "$REDPANDA_BROKERS" -v -o :end | grep squirrel || exit 1 echo "testing schema registry" for ip_port in $(echo $REDPANDA_REGISTRY | tr ',' ' '); do curl $ip_port/subjects ; done diff --git a/.buildkite/scripts/test-tiered-storage-cluster.sh b/.buildkite/scripts/test-tiered-storage-cluster.sh index 1e1f3b8..98980c5 100755 --- a/.buildkite/scripts/test-tiered-storage-cluster.sh +++ b/.buildkite/scripts/test-tiered-storage-cluster.sh 
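Review bot: `topic create testtopic` is the one rpk call in this hunk that did not get `--user admin --password admin`, so once the cluster enforces SASL it is the first command to fail and the credentials on status/produce/consume are never reached: `"${PATH_TO_RPK_FILE}" topic create --user admin --password admin testtopic --brokers "$REDPANDA_BROKERS" -v || exit 1`. The password also differs from the tiered-storage script in this patch (`password` there, `admin` here), so unless the two playbooks provision different passwords at most one script matches what is created. Both scripts now carry the credential in argv, where it is visible in process listings on the runner and permanently in the repository; rpk reads `RPK_USER` and `RPK_PASS` from the environment, so exporting them once from the CI secret store would remove the literal from both scripts and keep them consistent.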
@@ -56,21 +56,21 @@ sed 's/,$/\n/') ## test that we can check status, create a topic and produce to the topic echo "checking cluster status" -"${PATH_TO_RPK_FILE}" cluster status --brokers "$REDPANDA_BROKERS" --tls-truststore "$PATH_TO_CA_CRT" -v || exit 1 +"${PATH_TO_RPK_FILE}" cluster status --user admin --password password --brokers "$REDPANDA_BROKERS" --tls-truststore "$PATH_TO_CA_CRT" -v || exit 1 echo "creating topic" -"${PATH_TO_RPK_FILE}" topic create testtopic \ +"${PATH_TO_RPK_FILE}" topic create --user admin --password password testtopic \ --brokers "$REDPANDA_BROKERS" \ --tls-truststore "$PATH_TO_CA_CRT" \ -v || exit 1 echo "producing to topic" -echo squirrels | "${PATH_TO_RPK_FILE}" topic produce testtopic --brokers "$REDPANDA_BROKERS" --tls-truststore "$PATH_TO_CA_CRT" -v || exit 1 +echo squirrels | "${PATH_TO_RPK_FILE}" topic produce --user admin --password password testtopic --brokers "$REDPANDA_BROKERS" --tls-truststore "$PATH_TO_CA_CRT" -v || exit 1 sleep 30 echo "consuming from topic" -testoutput=$("${PATH_TO_RPK_FILE}" topic consume testtopic --brokers "$REDPANDA_BROKERS" --tls-truststore "$PATH_TO_CA_CRT" -v -o :end) +testoutput=$("${PATH_TO_RPK_FILE}" topic consume --user admin --password password testtopic --brokers "$REDPANDA_BROKERS" --tls-truststore "$PATH_TO_CA_CRT" -v -o :end) echo $testoutput | grep squirrels || exit 1 echo "testing schema registry" diff --git a/Taskfile.yaml b/Taskfile.yaml index 055fb4b..fc8d516 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -51,9 +51,9 @@ tasks: vars: SSH_EMAIL: '{{default "test@redpanda.com" .SSH_EMAIL | lower}}' cmds: - - ssh-keygen -t rsa -b 4096 -C "{{.SSH_EMAIL}}" -N "" -f artifacts/testkey <<< y && chmod 0700 artifacts/testkey + - ssh-keygen -t rsa -b 4096 -C "{{.SSH_EMAIL}}" -N "" -f {{ .PRIVATE_KEY }} <<< y && chmod 0700 {{ .PRIVATE_KEY }} status: - - test f artifacts/testkey + - test -f {{ .PRIVATE_KEY }} build: desc: init and apply terraform 
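Review bot: every rpk call here now passes `--password password` on the command line, the same hardcoded-credential concern raised on the basic-cluster script, with the added inconsistency that this script uses `password` where that one uses `admin`. Reading `RPK_USER`/`RPK_PASS` from the environment (set from the CI secret store) would keep the two scripts from drifting and keep the secret out of argv and the repository. The `sleep 30` and the unquoted `echo $testoutput` are unchanged and out of scope for this hunk.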
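Review bot: `{{ .PRIVATE_KEY }}` has no default in this task's `vars` (only `SSH_EMAIL` is declared in the hunk), so if it is not supplied globally or by the caller the template renders empty and both `ssh-keygen -f` and the `status` check `test -f` run with a missing path. Declaring it next to `SSH_EMAIL` in the same form keeps the old location as the fallback: `PRIVATE_KEY: '{{default "artifacts/testkey" .PRIVATE_KEY}}'`. If it is already defined in a top-level `vars:` block outside this hunk, that should be confirmed. Separately, the generated key file keeps `chmod 0700`; `0600` is the conventional mode for a private key, since the execute bit serves no purpose there.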
diff --git a/ansible/provision-basic-cluster.yml b/ansible/provision-basic-cluster.yml index ca3b0af..a7316b9 100644 --- a/ansible/provision-basic-cluster.yml +++ b/ansible/provision-basic-cluster.yml @@ -7,6 +7,7 @@ vars: advertise_public_ips: true redpanda_version: latest + enable_sasl: true tasks: - name: Install system prereqs ansible.builtin.include_role: @@ -22,6 +23,7 @@ advertise_public_ips: true redpanda_version: latest install_console: true + enable_sasl: true tasks: - name: Install and start redpanda console ansible.builtin.include_role: diff --git a/ansible/provision-tiered-storage-cluster.yml b/ansible/provision-tiered-storage-cluster.yml index 391975a..a4941eb 100644 --- a/ansible/provision-tiered-storage-cluster.yml +++ b/ansible/provision-tiered-storage-cluster.yml @@ -22,6 +22,7 @@ ca_cert_file: "tls/ca/ca.crt" node_cert_file: "tls/certs/{{ansible_hostname}}/node.crt" cloud_storage_credentials_source: "aws_instance_metadata" + enable_sasl: true tasks: - name: Install and configure CA certs for running tls ansible.builtin.include_role: @@ -46,6 +47,7 @@ root_ca_dir: "{{ playbook_dir }}/tls/ca" ca_cert_file: "tls/ca/ca.crt" node_cert_file: "tls/certs/{{ansible_hostname}}/node.crt" + enable_sasl: true tasks: - name: Install and configure CA certs for running tls ansible.builtin.include_role: @@ -54,3 +56,6 @@ ansible.builtin.include_role: name: redpanda.cluster.redpanda_broker when: not skip_node | default(false) | bool + - name: Configure client for use with RPK + ansible.builtin.include_role: + name: redpanda.cluster.client_config From dc8cb36479ed629f838bc6a0a3bc9270dd934d5e Mon Sep 17 00:00:00 2001 
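Review bot: `enable_sasl: true` is added to both plays, but unlike the tiered-storage and tls playbooks later in this series no `redpanda.cluster.user_config` role is included here, so nothing visible in this playbook creates the `admin` user that `.buildkite/scripts/test-basic-cluster.sh` now authenticates with; unless the broker role seeds users on its own, the basic test fails at its first authenticated call. Adding the same task after the broker role (`- name: Add Users and ACLs` / `ansible.builtin.include_role:` / `name: redpanda.cluster.user_config`) would keep the three playbooks consistent. The second hunk sets the same flag on the console play, which likewise has no credential source visible.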
From: gene-redpanda <123959009+gene-redpanda@users.noreply.github.com> Date: Wed, 18 Oct 2023 12:40:50 -0400 Subject: [PATCH 2/2] playbook and minor test updates --- .buildkite/scripts/test-tiered-storage-cluster.sh | 5 +++++ ansible/provision-tiered-storage-cluster.yml | 4 ++++ ansible/provision-tls-cluster.yml | 6 ++++++ 3 files changed, 15 insertions(+) diff --git a/.buildkite/scripts/test-tiered-storage-cluster.sh b/.buildkite/scripts/test-tiered-storage-cluster.sh index 98980c5..35433f6 100755 --- a/.buildkite/scripts/test-tiered-storage-cluster.sh +++ b/.buildkite/scripts/test-tiered-storage-cluster.sh @@ -73,6 +73,11 @@ echo "consuming from topic" testoutput=$("${PATH_TO_RPK_FILE}" topic consume --user admin --password password testtopic --brokers "$REDPANDA_BROKERS" --tls-truststore "$PATH_TO_CA_CRT" -v -o :end) echo $testoutput | grep squirrels || exit 1 +"${PATH_TO_RPK_FILE}" acl user list --user admin --password password \ +--brokers "$REDPANDA_BROKERS" \ +--tls-truststore "$PATH_TO_CA_CRT" \ +-v || exit 1 + echo "testing schema registry" for ip_port in $(echo $REDPANDA_REGISTRY | tr ',' ' '); do curl $ip_port/subjects -k --cacert "$PATH_TO_CA_CRT" ; done diff --git a/ansible/provision-tiered-storage-cluster.yml b/ansible/provision-tiered-storage-cluster.yml index a4941eb..d5bc063 100644 --- a/ansible/provision-tiered-storage-cluster.yml +++ b/ansible/provision-tiered-storage-cluster.yml @@ -34,6 +34,10 @@ ansible.builtin.include_role: name: redpanda.cluster.redpanda_broker when: not skip_node | default(false) | bool + - name: Add Users and ACLs + ansible.builtin.include_role: + name: redpanda.cluster.user_config + when: not skip_node | default(false) | bool - name: Provision redpanda console hosts: client diff --git a/ansible/provision-tls-cluster.yml b/ansible/provision-tls-cluster.yml index 1606e20..44f6ea9 100644 --- a/ansible/provision-tls-cluster.yml +++ b/ansible/provision-tls-cluster.yml 
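Review bot: the new `acl user list` call only checks the exit status, so it passes on a cluster where `user_config` created nothing, whereas the produce/consume check just above greps for its payload; piping it through `| grep -w admin || exit 1` (or whichever user the playbook is expected to create) would turn it into an actual assertion. As far as I can tell rpk's `acl user` subcommands are served by the admin API rather than the Kafka API, so `--brokers` and `--tls-truststore` may not be the flags that govern this connection; confirm the command is reaching the admin listener with the intended CA rather than succeeding for an unrelated reason.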
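Review bot: the `user_config` include passes no variables, so the users, passwords and ACLs it creates must come from role defaults or inventory that are not visible here, while `.buildkite/scripts/test-tiered-storage-cluster.sh` hardcodes `admin`/`password`; the two can drift silently. Declaring the credentials in the play's `vars` (from a vaulted or CI-provided variable) and having the test script read the same source would make the coupling explicit and keep the password out of the script. The same include is added to `ansible/provision-tls-cluster.yml` below with the same shape.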
@@ -20,6 +20,7 @@ redpanda_version: latest ca_cert_file: "tls/ca/ca.crt" node_cert_file: "tls/certs/{{ansible_hostname}}/node.crt" + enable_sasl: true tasks: - name: Install and configure CA certs for running tls ansible.builtin.include_role: @@ -31,6 +32,10 @@ ansible.builtin.include_role: name: redpanda.cluster.redpanda_broker when: not skip_node | default(false) | bool + - name: Add Users and ACLs + ansible.builtin.include_role: + name: redpanda.cluster.user_config + when: not skip_node | default(false) | bool - name: Provision redpanda console hosts: client @@ -44,6 +49,7 @@ root_ca_dir: "{{ playbook_dir }}/tls/ca" ca_cert_file: "tls/ca/ca.crt" node_cert_file: "tls/certs/{{ansible_hostname}}/node.crt" + enable_sasl: true tasks: - name: Install and configure CA certs for running tls ansible.builtin.include_role:
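Review bot: `enable_sasl: true` turns on authentication for the tls cluster, but this series changes no test script for it (only the basic and tiered-storage scripts are touched), so a tls test that still calls rpk without `--user`/`--password` would fail at its first call once this playbook is applied; the matching script needs the same credential changes, or this flag should land together with them. The second and third hunks mirror the tiered-storage playbook, but this playbook does not get the `redpanda.cluster.client_config` include that the tiered-storage playbook received in the first patch, which may be intentional and is worth confirming.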