From 19bfd5beca00cbcea4646f6abc2a0c354a383645 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 13 Jun 2024 12:16:39 -0400
Subject: [PATCH 1/2] fix kafka nodeid assignment to increment correctly
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 salt/kafka/nodes.map.jinja | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/salt/kafka/nodes.map.jinja b/salt/kafka/nodes.map.jinja
index 3a73b038fa..e162d3f084 100644
--- a/salt/kafka/nodes.map.jinja
+++ b/salt/kafka/nodes.map.jinja
@@ -30,7 +30,7 @@
 {% endif %}
 {# Create list of possible node ids #}
-{% set all_possible_ids = range(1, 65536)|list %}
+{% set all_possible_ids = range(1, 2000)|list %}
 {# Create list of available node ids by looping through all_possible_ids and ensuring it isn't in existing_ids #}
 {% set available_ids = [] %}
@@ -44,11 +44,7 @@
 {% set NEW_KAFKANODES = {} %}
 {% for minionid, ip in current_kafkanodes.items() %}
 {% set hostname = minionid.split('_')[0] %}
-{% if STORED_KAFKANODES != none and hostname not in STORED_KAFKANODES.items() %}
-{% set new_id = available_ids.pop(0) %}
-{% do NEW_KAFKANODES.update({hostname: {'nodeid': new_id, 'ip': ip[0], 'role': process_x_roles }}) %}
-{% endif %}
-{% if hostname not in NEW_KAFKANODES.items() %}
+{% if not STORED_KAFKANODES or hostname not in STORED_KAFKANODES %}
 {% set new_id = available_ids.pop(0) %}
 {% do NEW_KAFKANODES.update({hostname: {'nodeid': new_id, 'ip': ip[0], 'role': process_x_roles }}) %}
 {% endif %}
From 816a1d446e67aac4e067c9b6f9a53934f3196778 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 13 Jun 2024 12:18:13 -0400
Subject: [PATCH 2/2] Generate kafka-logstash cert on standalone,manager,managersearch in addition to searchnodes.
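Review bot: The new upper bound on `all_possible_ids` is an unexplained constant: `range(1, 2000)` yields ids 1 through 1999 (the end is exclusive), and neither the hunk nor the commit message says why the candidate pool shrank from 65535 entries. A one-line comment would stop the next reader from "restoring" the old value, e.g. `{# Candidate node ids are 1..1999 (range end is exclusive); <reason for the cap> #}` with the real reason filled in. Any deployment with more than 1999 kafka hosts would now exhaust the pool, and the `available_ids.pop(0)` further down does not guard against that.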
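Review bot: The new condition assigns an id only to hosts absent from `STORED_KAFKANODES`, so a host that is already stored but whose `ip` changed is never refreshed in `NEW_KAFKANODES` inside this loop; whether stored entries are merged back in afterwards happens after the hunk, which I cannot see. The point of the branch is that a node's id must stay stable across renders (the old `hostname not in STORED_KAFKANODES.items()` test compared a string against key/value tuples and so was always true, handing out a fresh id on every run), and that intent deserves to be written down: `{# Assign a fresh id only to hosts not already recorded; existing node ids must stay stable across renders #}`. `available_ids.pop(0)` on an exhausted pool fails with a bare template error; guarding it with `{% if available_ids %}` and an explicit failure message would make pool exhaustion diagnosable.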
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/ssl/init.sls | 66 ++++------------------------------------------- 1 file changed, 5 insertions(+), 61 deletions(-) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 625f1ddd87..abcb1a5593 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -663,65 +663,6 @@ elastickeyperms: - name: /etc/pki/elasticsearch.key - mode: 640 - group: 930 - -kafka_logstash_key: - x509.private_key_managed: - - name: /etc/pki/kafka-logstash.key - - keysize: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/kafka-logstash.key') -%} - - prereq: - - x509: /etc/pki/kafka-logstash.crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 - -kafka_logstash_crt: - x509.certificate_managed: - - name: /etc/pki/kafka-logstash.crt - - ca_server: {{ ca_server }} - - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - - signing_policy: kafka - - private_key: /etc/pki/kafka-logstash.key - - CN: {{ GLOBALS.hostname }} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - cmd.run: - - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/kafka-logstash.key -in /etc/pki/kafka-logstash.crt -export -out /etc/pki/kafka-logstash.p12 -nodes -passout pass:{{ kafka_password }}" - - onchanges: - - x509: /etc/pki/kafka-logstash.key - -kafka_logstash_key_perms: - file.managed: - - replace: False - - name: /etc/pki/kafka-logstash.key - - mode: 640 - - user: 960 - - group: 939 - -kafka_logstash_crt_perms: - file.managed: - - replace: False - - name: /etc/pki/kafka-logstash.crt - - mode: 640 - - user: 960 - - group: 939 - -kafka_logstash_pkcs12_perms: - file.managed: - - replace: False - - name: /etc/pki/kafka-logstash.p12 - - mode: 640 - - user: 960 - - group: 931 - {%- endif %} {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] %} 
@@ -892,8 +833,10 @@ kafka_pkcs12_perms: - group: 939 {% endif %} -{# For automated testing standalone will need kafka-logstash key to pull logs from Kafka #} -{% if grains['role'] == 'so-standalone' %} + +# Standalone needs kafka-logstash for automated testing. Searchnode/manager search need it for logstash to consume from Kafka. +# Manager will have cert, but be unused until a pipeline is created and logstash enabled. +{% if grains['role'] in ['so-standalone', 'so-managersearch', 'so-searchnode', 'so-manager'] %} kafka_logstash_key: x509.private_key_managed: - name: /etc/pki/kafka-logstash.key @@ -951,6 +894,7 @@ kafka_logstash_pkcs12_perms: - mode: 640 - user: 960 - group: 931 + {% endif %} {% else %}
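Review bot: The new role list includes `so-manager` while the comment on the same lines says the certificate is unused there, so a private key, certificate and `.p12` are generated and left sitting on a host with no consumer; from a least-privilege standpoint it would be cleaner to gate `so-manager` on the pipeline/logstash actually being enabled, or at least to state in the comment that pre-provisioning is intentional. If the relocated block still exports the PKCS#12 with `-passout pass:{{ kafka_password }}` on the command line, as the copy deleted in the previous patch did, that password is exposed in process listings and state output on every host in the list, which this change now widens. Stylistically, the replaced line used a Jinja `{# … #}` comment whereas the new lines use YAML `#`; both survive rendering, but `{# … #}` keeps the comment out of the rendered state file. The `kafka_logstash_key` state continues beyond the hunk.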