Skip to content

apaceh/cp-ansible-demo

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
firewall
firewall
 
 
krb_ldap
krb_ldap
 
 
ssl
ssl
 
 
ansible-host.yml
ansible-host.yml
 
 
readme.md
readme.md
 
 

Repository files navigation

Setup Confluent Using Ansible

This is instruction to run confluent cluster automatically via ansible. Original documentation can be foudn here.

Prerequisite

We need 5 machine to run this demo. One machine for ansible control node, one machine for kerberos and openldap server and three others for confluent host.

Hostname IP Address OS Description
ans.alfi.com 172.18.46.10 Centos 7 Ansible control node
broker1.alfi.com 172.18.46.11 Centos 7 Confluent first node
broker2.alfi.com 172.18.46.12 Centos 7 Confluent second node
broker3.alfi.com 172.18.46.13 Centos 7 Confluent third node
kerberos.alfi.com 172.18.46.14 Centos 7 Kerberos and ldap node

For Kerberos and ldap configuration, you can follow this instruction : link Make sure all node is connected and ssh installed.

Below is list of kerberos principal we will use:

Kerberos Principal Keytab Name
kafka/broker1.alfi.com allprinc.keytab
kafka/broker2.alfi.com allprinc.keytab
kafka/broker3.alfi.com allprinc.keytab
zookeeper/broker1.alfi.com allprinc.keytab
zookeeper/broker2.alfi.com allprinc.keytab
zookeeper/broker3.alfi.com allprinc.keytab
connect/broker1.alfi.com connect.keytab
ksql/broker1.alfi.com ksql.keytab
schemaregistry/broker1.alfi.com schemaregistry.keytab
restproxy/broker1.alfi.com restproxy.keytab
controlcenter/broker1.alfi.com controlcenter.keytab

Put all keytab file at /tmp/keytabs/.

Below is list of LDAP principal we will use:

LDAP Principal Object Class memberOf
cn=kafkadev,ou=people,dc=alfi,dc=com groupOfNames -
cn=kafka_broker,ou=people,dc=alfi,dc=com person kafkadev
cn=mds,ou=people,dc=alfi,dc=com person kafkadev
cn=connect,ou=people,dc=alfi,dc=com person kafkadev
cn=schemaregistry,ou=people,dc=alfi,dc=com person kafkadev
cn=restproxy,ou=people,dc=alfi,dc=com person kafkadev
cn=ksql,ou=people,dc=alfi,dc=com person kafkadev
cn=controlcenter,ou=people,dc=alfi,dc=com person kafkadev

Generate SSH Keypair

Execute command below to generate ssh keypair for confluent host, so you can login to all confluent host without password.

[root@ans ~]# ssh-keygen
[root@ans ~]# ssh-copy-id root@broker1.alfi.com
[root@ans ~]# ssh-copy-id root@broker2.alfi.com
[root@ans ~]# ssh-copy-id root@broker3.alfi.com
[root@ans ~]# ssh-agent bash
[root@ans ~]# ssh-add ~/.ssh/id_rsa
[root@ans ~]# mkdir /tmp/certs/
[root@ans ~]# openssl rsa -in ~/.ssh/id_rsa -outform pem > /tmp/certs/ssh_priv.pem

Generate custom certificate for each confluent host

[root@ans ~]# mkdir /tmp/certs/ssl
[root@ans ~]# cd /tmp/certs/ssl
[root@ans ~]# mkdir ssl
[root@ans ~]# cd ssl
[root@ans ~]# vim create-cert.sh

The contents of create-cert.sh file can be seen here.

[root@ans ~]# vim certs-create-per-user.sh

The contents of certs-create-per-user.sh file can be seen here.

[root@ans ~]# chmod +x create-cert.sh
[root@ans ~]# chmod +x certs-create-per-user.sh
[root@ans ~]# ./create-cert.sh

Note : if shown error such as bash: ./create-cert.sh: /usr/bin/bash^M: bad interpreter: No such file or directory. Run this command: sed -i -e 's/\r$//' create-cert.sh && sed -i -e 's/\r$//' certs-create-per-user.sh.

Create a PEM key pair

Documentation to generate rbac keypair can be found here.

[root@ans ~]# cd /tmp/certs
[root@ans ~]# openssl genrsa -out /tmp/certs/tokenKeypair.pem 2048
[root@ans ~]# openssl rsa -in /tmp/certs/tokenKeypair.pem -outform PEM -pubout -out /tmp/certs/tokenPublicKey.pem

Install Ansible on Control Host

[root@ans ~]# yum install epel-release -y
[root@ans ~]# yum -y install ansible git
[root@ans ~]# ansible --version
[root@ans ~]# ansible-galaxy collection install community.general:==4.8.1

Firewall setting

We need to configure firewall to open access for ports exposed by confluent. See this documentation for details.

[root@ans ~]# vim firewalld-inventory

The contents of firewalld-inventory file can be seen here.

[root@ans ~]# vim firewalld-playbook.yml

The contents of firewalld-playbook.yml file can be seen here.

[root@ans ~]# ansible-playbook -i firewalld-inventory firewalld-playbook.yml

Setup cp-ansible

[root@ans ~]# mkdir -p ansible/ansible_collections/confluent/
[root@ans ~]# git clone https://github.com/confluentinc/cp-ansible ansible/ansible_collections/confluent/platform
[root@ans ~]# cd ansible/ansible_collections/confluent/platform/
[root@ans ~]# vim hosts.yml

The contents of hosts.yml file can be seen here.

// verify connection to host.
[root@ans ~]# ansible -i hosts.yml all -m ping
[root@ans ~]# ansible-playbook -i hosts.yml playbooks/all.yml

// to rolling reconfigure
[root@ans ~]# ansible-playbook -i hosts.yml playbooks/all.yml --skip-tags package --extra-vars deployment_strategy=rolling

// to stop service on remote host via ansible
[root@ans ~]# ansible -i hosts.yml all -m shell -a 'systemctl stop confluent-*'

Access control center in browser

https://172.18.46.11:9021

Control center user:

username : controlcenter
password : password

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages