forked from cloudera-labs/cloudera.cluster
WIP PvC Prereqs and Control Plane merge (cloudera-labs#61)

* Add control keys for autotls, pvc_type, free_ipa to control deployment behavior more simply.
* Standardise the host group name for ECS nodes to be 'ecs_nodes' to match the other standard groups we use in Ansible inventory
* Deprecate duplicate filter_null_configs filter from api_client
* Add handler to restart cloudera management service
* Migrate autotls implementation
* Migrate cms_tls setup
* Add default external_auth configuration to generally handle freeipa or mit setup
* Update importAdminCredentials command to not fail when already imported, but report other errors
* Add new role cloudera_manager.services_info to perform useful service discovery on existing clusters.
* Migrate role to set session_timeout for cloudera_manager
* Migrate role to set hue_ticket_lifetime for PvC-DS deployments
* Migrate role to setup TLS for KMS
* Migrate role to fix some libs for the Oozie UI in some PvC-DS deployments
* Migrate role to setup some default Ranger policies for some PvC-DS deployments
* Migrate role to setup a SOLR role in Knox for some PvC-DS deployments
* Migrate role to ensure a Ranger plugin for SOLR is deployed in some PvC-DS deployments
* Update the defaults for database type and version to respond to el7 or el8 appropriately.
* Migrate role to setup WXM.
* Update krb5_client deployment for FreeIPA setup, including a patch for dbus_session config and specific configs for when running PvC-DS.
* Default krb5_domain to krb5_realm.lower automatically.
* Add default kerberos configuration to krb5_common, including simple defaults for when MIT KDC or Red Hat IPA are selected. Passwords default to the cloudera_manager_admin_password instead of hardcoded values like 'changeme'
* Add fixes for FreeIPA server deployment
* Fix refresh_ranger_kms_repo role to function correctly when determining the Ranger URL in modern Ansible.
* Add operation to restart a given cluster or a given cluster's services or cluster management services for user convenience. They could be handlers, but this felt more useful as more people know how to use roles than handlers.
* Migrate role to setup iptables or nftables for PvC ECS deployment on Rhel7 or Rhel8
* Add firewalld to unwanted services during automated os prereq setup
* Add fix where setting up postgresql_connector sometimes requires python3-psycopg2 to be setup for SSB.
* Migrate role to set up a subset of necessary local accounts on ecs_nodes
* Add check to ensure that FreeIPA and a custom repo are not on the same host as they both try to hardcode port 8443.
* Enhance error message when TLS setup is only being partially applied to hosts in the cluster definition
* Update ecs cluster template to set version to DATA_SERVICES1 to reflect current Cloudera Manager 7.6.5 requirements
* Modify ecs services Jinja template to seek host groups by long name.
* Explicitly set default database_type to postgresql to avoid user confusion
* Add nfs-utils to OS prereqs when installing ECS
* Add control for whether or not embedded database mode for ECS is implemented
* Remove unused deployment.j2 template
* Add controlPlaneValuesEmbedded.j2 for embedded database values
* Fix bug in services.j2 for ECS deployment where it would look for the wrong host template name
* Rename free_ipa switch to freeipa_activated to match other top level switches
* Allow Cloudera Manager version and distro to be set explicitly for repo setup
* Update default cloudera-manager version to 7.6.5
* Fix custom_repo to recognise ecs_nodes as valid
* Update dbus patch for freeipa client to only restart services if something is changed
* Add autodns support to freeipa clients
* Add autodns function to freeipa server setup, including creating required zones and records for PvC-DS ECS if that is being deployed
* Add task to Flush and Delete IPTables when setting up ECS
* Set default Cloudera Manager version to 7.6.1 for base deployments. (7.6.5 is primarily for PvC-DS.)
* Add draft ECS teardown processes
* Add cloudera.cluster.operations.stop_cluster as a convenience method, as ECS needs to be stopped and cleaned in a specific sequence.
* Provide additional wildcard DNS records for ECS in FreeIPA Autodns setup

Signed-off-by: Daniel Chaffelson <chaffelson@gmail.com>
1 parent 32fa36c, commit 9b49655. Showing 108 changed files with 2,689 additions and 123 deletions.
@@ -0,0 +1,11 @@ | ||
--- cert.py 2020-12-02 00:54:05.000000000 +0100 | ||
+++ cert.py_2 2021-02-18 09:09:38.095192730 +0100 | ||
@@ -1949,7 +1949,7 @@ | ||
LOG.info("Could not find JKS truststore at location: %s. Converting " | ||
"PEM truststore to JKS." % cluster_ca_jks) | ||
generate_truststore(self.cfg.keytool, cluster_ca_jks, truststore_password, | ||
- cluster_ca_pem) | ||
+ cluster_ca_pem, self.cfg.keystore_type) | ||
|
||
global_ca_pem = self.trust_files[GLOBAL_TLS_SET][PEM_TLS_TYPE] | ||
copied_cluster_to_global = False |
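Review bot: the nested `@@ -1949,7 +1949,7 @@` hunk pins this patch to an absolute line offset in one particular build of the Cloudera Manager agent's cert.py, and nothing in the file records which version it was generated against, so on any other agent version `patch` will either fuzz-apply into the wrong place or reject it. Add a leading comment line to cert.py_patch naming the CM agent version it was taken from. The patch also only changes the call site (`generate_truststore(..., cluster_ca_pem, self.cfg.keystore_type)`), not the definition of `generate_truststore`; if the installed cert.py's definition does not take that extra argument, the patch applies cleanly but TLS setup fails at runtime, so the applying role should verify the target version before patching.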
@@ -0,0 +1,16 @@ | ||
--- | ||
- name: Copy patch to machines | ||
copy: | ||
src: "{{ role_path}}/files/cert.py_patch" | ||
dest: /opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/tools/cert.py_patch | ||
owner: cloudera-scm | ||
group: cloudera-scm | ||
mode: '0644' | ||
|
||
- name: Backup cert.py | ||
shell: cp /opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/tools/cert.py /opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/tools/cert.py.backup | ||
|
||
- name: Fix cert.py | ||
ansible.posix.patch: | ||
src: "{{ role_path}}/patch/cert.py_patch" | ||
dest: /opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/tools/cert.py |
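Review bot: the two tasks disagree on where the patch lives in the role: `Copy patch to machines` reads `{{ role_path}}/files/cert.py_patch` while `Fix cert.py` reads `{{ role_path}}/patch/cert.py_patch`, so one of them points at a path that does not exist. Because `ansible.posix.patch` takes `src` from the controller by default, the copy to `/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/tools/cert.py_patch` on the host is never used by the patch task; either drop the copy task or set `remote_src: true` on the patch task and point `src` at that dest. The `shell: cp ... cert.py.backup` task is also not idempotent: a second run overwrites the backup with the already patched cert.py, so use `copy` with `remote_src: true` and `force: false`, or add `args: creates: .../cert.py.backup`. Minor: `{{ role_path}}` is missing the space before the closing braces in both tasks.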
@@ -0,0 +1,9 @@ | ||
{ | ||
"customCA" : false, | ||
"configureAllServices" : "true", | ||
"sshPort" : 22, | ||
{% if freeipa_activated %}"trustedCaCerts" : "/etc/ipa/ca.crt",{% endif %} | ||
"userName" : "root", | ||
"privateKey": "{{ node_key_one_line }}" | ||
} | ||
|
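Review bot: `"privateKey": "{{ node_key_one_line }}"` puts an SSH private key into a request body, so the task that renders and submits this template must run with `no_log: true`, otherwise the key is printed in verbose Ansible output and any log shipping around it. The value is also interpolated as a raw string inside JSON: if `node_key_one_line` is already JSON-escaped (newlines as the two characters `\n`), say so in a comment at the top of the template; if it is not, render it as `"privateKey": {{ node_key_one_line | to_json }}` so Jinja quotes and escapes it. Minor: `"customCA" : false` is a JSON boolean while `"configureAllServices" : "true"` is a string; keep one type so the two templates behave identically.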
@@ -0,0 +1,9 @@ | ||
{ | ||
"customCA" : false, | ||
"configureAllServices" : "true", | ||
"sshPort" : 22, | ||
{% if freeipa_activated %}"trustedCaCerts" : "/etc/ipa/ca.crt",{% endif %} | ||
"userName" : "root", | ||
"password": "{{ node_password }}" | ||
} | ||
|
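Review bot: `"password": "{{ node_password }}"` is inserted with no JSON escaping, so a root password containing `"` or `\` yields an invalid request body; render it as `"password": {{ node_password | to_json }}`. The task that submits this body should set `no_log: true`, since the host root password is otherwise echoed in verbose output. Also, when `freeipa_activated` is true the template emits `"trustedCaCerts" : "/etc/ipa/ca.crt"` while `"customCA" : false` stays in place; confirm that combination is what the Cloudera Manager host-install API expects rather than a leftover default from the non-FreeIPA case.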
This file was deleted.
roles/cloudera_manager/cms_tls/files/cms_keystore_tls.json (16 additions, 0 deletions)
@@ -0,0 +1,16 @@ | ||
{ | ||
"items": [ | ||
{ | ||
"name": "ssl_server_keystore_location", | ||
"value": "{{CM_AUTO_TLS}}" | ||
}, | ||
{ | ||
"name": "ssl_server_keystore_password", | ||
"value": "{{CM_AUTO_TLS}}" | ||
}, | ||
{ | ||
"name": "ssl_enabled", | ||
"value": "true" | ||
} | ||
] | ||
} |
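Review bot: the literal `{{CM_AUTO_TLS}}` reads like an unrendered Ansible variable, but since this file lives under `files/` and is consumed via `lookup('file', ..., convert_data=False)` the braces are deliberately sent verbatim to Cloudera Manager as its Auto-TLS sentinel. JSON has no comments, so add a note in the task that reads it (or the role README) explaining this, before someone "fixes" it into a `.j2` template and breaks Auto-TLS. Also, this set has no `ssl_server_keystore_keypassword` entry while the Navigator variants do; if the key password is expected to follow the same sentinel for Activity/Host/Service Monitor, it should be listed here too.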
roles/cloudera_manager/cms_tls/files/cms_navigator_keystore_tls.json (28 additions, 0 deletions)
@@ -0,0 +1,28 @@ | ||
{ | ||
"items": [ | ||
{ | ||
"name": "navigator_truststore_file", | ||
"value": "{{CM_AUTO_TLS}}" | ||
}, | ||
{ | ||
"name": "navigator_truststore_password", | ||
"value": "{{CM_AUTO_TLS}}" | ||
}, | ||
{ | ||
"name": "ssl_server_keystore_location", | ||
"value": "{{CM_AUTO_TLS}}" | ||
}, | ||
{ | ||
"name": "ssl_server_keystore_password", | ||
"value": "{{CM_AUTO_TLS}}" | ||
}, | ||
{ | ||
"name": "ssl_server_keystore_keypassword", | ||
"value": "{{CM_AUTO_TLS}}" | ||
}, | ||
{ | ||
"name": "ssl_enabled", | ||
"value": "true" | ||
} | ||
] | ||
} |
roles/cloudera_manager/cms_tls/files/cms_navigator_metaserver_keystore_tls.json (20 additions, 0 deletions)
@@ -0,0 +1,20 @@ | ||
{ | ||
"items": [ | ||
{ | ||
"name": "ssl_server_keystore_location", | ||
"value": "{{CM_AUTO_TLS}}" | ||
}, | ||
{ | ||
"name": "ssl_server_keystore_password", | ||
"value": "{{CM_AUTO_TLS}}" | ||
}, | ||
{ | ||
"name": "ssl_server_keystore_keypassword", | ||
"value": "{{CM_AUTO_TLS}}" | ||
}, | ||
{ | ||
"name": "ssl_enabled", | ||
"value": "true" | ||
} | ||
] | ||
} |
roles/cloudera_manager/cms_tls/files/cms_truststore_tls.json (12 additions, 0 deletions)
@@ -0,0 +1,12 @@ | ||
{ | ||
"items": [ | ||
{ | ||
"name": "ssl_client_truststore_location", | ||
"value": "{{CM_AUTO_TLS}}" | ||
}, | ||
{ | ||
"name": "ssl_client_truststore_password", | ||
"value": "{{CM_AUTO_TLS}}" | ||
} | ||
] | ||
} |
@@ -0,0 +1,3 @@ | ||
--- | ||
dependencies: | ||
- role: cloudera.cluster.cloudera_manager.api_client |
@@ -0,0 +1,40 @@ | ||
--- | ||
- name: Setup TLS for Activity Monitor | ||
cm_api: | ||
method: PUT | ||
endpoint: /cm/service/roleConfigGroups/mgmt-ACTIVITYMONITOR-BASE/config | ||
body: "{{ lookup('file', 'cms_keystore_tls.json', convert_data=False) }}" | ||
|
||
- name: Setup TLS for Host Monitor | ||
cm_api: | ||
method: PUT | ||
endpoint: /cm/service/roleConfigGroups/mgmt-HOSTMONITOR-BASE/config | ||
body: "{{ lookup('file', 'cms_keystore_tls.json', convert_data=False) }}" | ||
|
||
- name: Setup TLS for Service Monitor | ||
cm_api: | ||
method: PUT | ||
endpoint: /cm/service/roleConfigGroups/mgmt-SERVICEMONITOR-BASE/config | ||
body: "{{ lookup('file', 'cms_keystore_tls.json', convert_data=False) }}" | ||
|
||
- name: Setup TLS for Navigator | ||
cm_api: | ||
method: PUT | ||
endpoint: /cm/service/roleConfigGroups/mgmt-NAVIGATOR-BASE/config | ||
body: "{{ lookup('file', 'cms_navigator_keystore_tls.json', convert_data=False) }}" | ||
when: cloudera_manager_version is version('7.0.0','<') | ||
|
||
- name: Setup TLS for Navigator Meta Server | ||
cm_api: | ||
method: PUT | ||
endpoint: /cm/service/roleConfigGroups/mgmt-NAVIGATORMETASERVER-BASE/config | ||
body: "{{ lookup('file', 'cms_navigator_metaserver_keystore_tls.json', convert_data=False) }}" | ||
when: cloudera_manager_version is version('7.0.0','<') | ||
|
||
- name: Setup TLS for CMS | ||
cm_api: | ||
method: PUT | ||
endpoint: /cm/service/config | ||
body: "{{ lookup('file', 'cms_truststore_tls.json', convert_data=False) }}" | ||
notify: | ||
- restart cloudera management service |
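Review bot: only the final `Setup TLS for CMS` task notifies `restart cloudera management service`; the five role config group PUTs above it change keystore settings that also need a restart to take effect, so a run that changes only those (for example a re-run after a partial failure, or when `cloudera_manager_version` is below 7.0.0 and the Navigator groups are touched) triggers no restart. Add the same `notify` to every task in this file, or register the results and notify once at the end. If `cm_api` reports changed on every PUT regardless of whether the config differed, a `changed_when` based on its response would also stop the management service being restarted on every playbook run.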
@@ -14,6 +14,6 @@ | |
|
||
--- | ||
dependencies: | ||
- role: cloudera_manager/api_client | ||
- role: cloudera.cluster.cloudera_manager.api_client | ||
|
||
|
@@ -0,0 +1,6 @@ | ||
cluster_name: Default | ||
ranger_user: "{{ ranger_rangeradmin_user | default('admin') }}" | ||
ranger_password: "{{ ranger_rangeradmin_user_password | default(cloudera_manager_admin_password) }}" | ||
solr_admin_password: "{{ solr_solradmin_user_password | default(cloudera_manager_admin_password) }}" | ||
|
||
wxm_api_port: 12022 |
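Review bot: `ranger_password` and `solr_admin_password` both fall back to `cloudera_manager_admin_password`, so unless `ranger_rangeradmin_user_password` and `solr_solradmin_user_password` are set, the Cloudera Manager admin secret silently becomes the Ranger admin and Solr admin password as well; document that in the role README and make sure every task that uses these variables runs with `no_log: true`. `cluster_name: Default` is also a hardcoded guess that will not match a cluster defined under another name; derive it from the cluster definition or make it a required variable.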