Perform installation and configuration of Kafka brokers cluster.
This role requires to have a zookeepers group (identified by the
amq_streams_zookeeper_inventory_group variable) in the inventory file to identify
each node of he Zookeeper cluster. This group is used to set up the right
configuration files in order to establish the communication between Zookeeper cluster members.
The brokers group (identified by the amq_streams_broker_inventory_group variable)
is used in the same way identifying the members of the Kafka cluster.
The order of this group will be used to set up the right configuration files and establish
the right cluster configuration:
Example of inventory:
[zookeepers]
zknode1
zknode2
zknode3
[brokers]
broker1
broker2
broker3
broker4
| Variable | Description | Default |
|---|---|---|
amq_streams_broker_create_topic_script |
{{ amq_streams_common_home }}/bin/kafka-topics.sh |
|
amq_streams_broker_enabled |
true |
|
amq_streams_broker_server_start |
{{ amq_streams_common_home }}/bin/kafka-server-start.sh |
|
amq_streams_broker_config |
/etc/amq_streams_broker.properties |
|
amq_streams_broker_service_name |
amq_streams_broker |
|
amq_streams_broker_user |
amq_streams_broker |
|
amq_streams_broker_listener_port |
Port defined for external communications | 9092 |
amq_streams_broker_listener_internal_port |
Port defined for inter-broker communications | 9091 |
amq_streams_broker_group |
amq_streams |
|
amq_streams_broker_service_config_template |
templates/service.conf.j2 |
|
amq_streams_broker_service_config_file |
/etc/broker.conf |
|
amq_streams_broker_data_dir |
Folders to store the commit logs (Comma-value property) | /var/lib/{{ amq_streams_broker_service_name }}/ |
amq_streams_broker_logs_dir |
Folder to store the logs of broker service | /var/log/{{ amq_streams_broker_service_name }}/ |
amq_streams_broker_java_opts |
Default values to apply to KAFKA_OPTS env variable |
|
amq_streams_broker_java_heap_opts |
Default values to apply to KAFKA_HEAP_OPTS env variable |
-Xmx1G -Xms1G |
amq_streams_broker_java_performance_opts |
Default values to apply to KAFKA_JVM_PERFORMANCE_OPTS env variable |
|
amq_streams_broker_java_java_gc_log_opts |
Default values to apply to KAFKA_GC_LOG_OPTS env variable |
|
amq_streams_broker_java_jmx_opts |
Default values to apply to KAFKA_JMX_OPTS env variable |
|
amq_streams_broker_num_network_threads |
3 |
|
amq_streams_broker_num_io_threads |
8 |
|
amq_streams_broker_buffer_send_bytes |
102400 |
|
amq_streams_broker_buffer_bytes |
102400 |
|
amq_streams_broker_socket_request_max_bytes |
104857600 |
|
amq_streams_broker_num_partitions |
1 |
|
amq_streams_broker_num_recovery_threads_per_data_dir |
1 |
|
amq_streams_broker_offsets_topic_replication_factor |
1 |
|
amq_streams_broker_transaction_state_log_replication_factor |
1 |
|
amq_streams_broker_transaction_state_log_min_isr |
1 |
|
amq_streams_broker_log_retention_hours |
168 |
|
amq_streams_broker_log_retention_check_interval_ms |
300000 |
|
amq_streams_broker_log_message_format_version |
Log message format version. Required for Kafka upgrade. | |
amq_streams_broker_inter_broker_protocol_version |
Inter broker protocol version. Required for Kafka upgrade. | |
amq_streams_broker_zookeeper_connection_timeout_ms |
18000 |
|
amq_streams_broker_group_initial_rebalance_delay_ms |
0 |
|
amq_streams_broker_properties_template |
templates/server.properties.j2 |
|
amq_streams_broker_bootstrap_server_host |
localhost |
|
amq_streams_broker_bootstrap_server_port |
9092 |
|
amq_streams_firewalld_package_name: |
firewalld |
|
amq_streams_firewalld_enabled |
false |
|
amq_streams_broker_instance_count_enabled |
true |
|
amq_streams_broker_instance_count |
0 |
|
amq_streams_deployment_balance_check_enabled |
true |
|
amq_streams_zookeeper_auth_enabled |
Enable Zookeeper authentication. Zookeeper must be deployed with the authentication enabled. | false |
amq_streams_broker_zookeeper_auth_config |
JAAS file for brokers | /etc/broker-jaas.conf |
amq_streams_broker_zookeeper_auth_config_template |
JAAS template for brokers | templates/broker-jaas.conf.j2 |
amq_streams_broker_listeners |
Default list of broker listeners | PLAINTEXT://:{{ amq_streams_broker_listener_port }} |
amq_streams_broker_advertised_listeners |
Default list of advertised listener per broker (hosts variable). Name must match those listed in the amq_streams_broker_listeners property |
|
amq_streams_broker_auth_enabled |
Enable Broker authentication | false |
amq_streams_broker_auth_scram_enabled |
Enable SASL SCRAM authentication | false |
amq_streams_broker_auth_listeners |
Default list of authenticated listeners | PLAINTEXT:PLAINTEXT |
amq_streams_broker_auth_sasl_mechanisms |
Default list of authenticated SASL mechanism | PLAIN |
amq_streams_broker_inventory_group |
Identify the group of broker nodes | groups['brokers'] |
amq_streams_broker_broker_id |
Identify the broker with specific id in the inventory. | |
amq_streams_broker_topics |
List of topics to create. Each topics requires the name property, and optionally the partitions and replication_factor. |
List of required variables for the role:
| Variable | Description | Required |
|---|---|---|
amq_streams_zookeeper_auth_user |
Zookeeper user to authenticate. Mandatory if amq_streams_zookeeper_auth_enabled: true. |
'true' |
amq_streams_zookeeper_auth_pass |
Zookeeper user password to authenticate. Mandatory if amq_streams_zookeeper_auth_enabled: true. |
true |
Enabling the amq_streams_broker_auth_enabled requires to define the following variables to execute the role successfully:
| Variable | Description | Required | Sample |
|---|---|---|---|
amq_streams_broker_auth_listeners |
List of authenticated listeners | true |
|
| ` - PLAINTEXT:PLAINTEXT |
- AUTHENTICATED://:9093
| |amq_streams_broker_auth_sasl_mechanisms| Default list of authenticated SASL mechanism |true|PLAIN| |amq_streams_broker_auth_plain_users| List of users (username,password) to add into the Kafka cluster |true| `` | |amq_streams_broker_admin_username| Default admin user to manage topics |false| | |amq_streams_broker_admin_password| Default password of the admin user to manage topics |false` | |
Kafka supports TLS for encrypting communication with Kafka clients. The role allows to enable TLS encryption but it is required to have a keystore containing private and public keys.
The following variables are involved to enable TLS encryption:
| Variable | Description | Required | Default |
|---|---|---|---|
amq_streams_broker_tls_enabled |
Enable TLS encryption for listeners | false |
false |
amq_streams_broker_tls_keystore_dir |
Local folder with the keystore | true |
/tmp |
amq_streams_broker_tls_keystore |
Filename of the keystore | true |
server.keystore.jks |
amq_streams_broker_tls_keystore_location |
Location on Kafka server for the keystore | true |
/opt |
amq_streams_broker_tls_keystore_password |
Password of the keystore | true |
PLEASE_CHANGEME_IAMNOTGOOD_FOR_PRODUCTION |
amq_streams_broker_tls_truststore_dir |
Local folder with the truststore | true |
/tmp |
amq_streams_broker_tls_truststore |
Filename of the truststore | true |
server.truststore.jks |
amq_streams_broker_tls_truststore_location |
Location on Kafka server for the truststore | true |
/opt |
amq_streams_broker_tls_truststore_password |
Password of the truststore | true |
PLEASE_CHANGEME_IAMNOTGOOD_FOR_PRODUCTION |
amq_streams_broker_tls_truststore_client_dir |
Local folder with the keystore file used by clients | false |
/tmp |
amq_streams_broker_tls_truststore_client |
Filename of the client truststore | false |
client.truststore.jks |
amq_streams_broker_tls_truststore_client_location |
Location on Kafka server for the client truststore | false |
/opt |
amq_streams_broker_tls_truststore_client_password |
Password of the client truststore | false |
PLEASE_CHANGEME_IAMNOTGOOD_FOR_PRODUCTION |
Here a sample to enable SSL listeners at port 9093 for client connections and using
plain connections for inter-broker communication:
vars:
# Enabling SSL listeners
amq_streams_broker_tls_enabled: true
amq_streams_broker_tls_keystore_dir: ./certs
amq_streams_broker_tls_truststore_dir: ./certs
amq_streams_broker_tls_truststore_client_dir: ./certs
amq_streams_broker_tls_keystore_password: password
amq_streams_broker_tls_truststore_password: password
amq_streams_broker_tls_keystore_client_password: password
amq_streams_broker_tls_truststore_client_password: password
# Broker Listeners
amq_streams_broker_listeners:
- PLAINTEXT://:{{ amq_streams_broker_listener_port }} # Insecure for inter-broker connections
- SSL://:{{ amq_streams_broker_listener_tls_port }} # Secure for client connections
# Using SSL bootstrap server port for management operations
amq_streams_broker_bootstrap_server_host: localhost
amq_streams_broker_bootstrap_server_port: 9093The client truststore identified by the amq_streams_broker_tls_truststore_client is only
required for topic or user management operations done by the role. The properties
amq_streams_broker_bootstrap_server_host and amq_streams_broker_bootstrap_server_port
are used to establish the admin connections to operate with topics or users.
This section includes a set of example to enable the broker authentication for the following scenarios:
- SASL PLAIN authentication
- SASL SCRAM authentication
This is a sample configuration to enable that configuration using two
different listeners, one for the clients (AUTHENTICATED) and other for
the inter-broker connections (REPLICATION). Both listeners require
a SASL plain authentication.
The amq_streams_broker_auth_plain_users variable defines the list of
different users to create to authenticate to the brokers.
The amq_streams_broker_inter_broker_auth_sasl_mechanisms: PLAIN property defines
the protocol to authenticate the inter-broker connections. That requires to
identify which user will be used to establish these connections, that user is defined
by the amq_streams_broker_inter_broker_auth_broker_username and amq_streams_broker_inter_broker_auth_broker_password
variables.
# Broker Listeners
amq_streams_broker_listeners:
- AUTHENTICATED://:{{ amq_streams_broker_listener_port }}
- REPLICATION://:{{ amq_streams_broker_listener_internal_port }}
amq_streams_broker_inter_broker_listener: REPLICATION
# Broker Authentication
amq_streams_broker_auth_enabled: 'true'
amq_streams_broker_auth_listeners:
- AUTHENTICATED:SASL_PLAINTEXT
- REPLICATION:SASL_PLAINTEXT
amq_streams_broker_auth_sasl_mechanisms:
- PLAIN
# Kafka Plain Users
amq_streams_broker_auth_plain_users:
- username: admin
password: password
- username: usr
password: password
amq_streams_broker_inter_broker_auth_sasl_mechanisms: PLAIN
amq_streams_broker_inter_broker_auth_broker_username: interbroker
amq_streams_broker_inter_broker_auth_broker_password: passwordThis is a sample configuration to enable that configuration using two
different listeners, one for the clients (AUTHENTICATED) and other for
the inter-broker connections (REPLICATION). Both listeners require
a SASL plain authentication. SCRAM authentication is enabled by the
amq_streams_broker_auth_scram_enabled variable.
Users must be created using the kafka-configs.sh script from Kafka.
The amq_streams_broker_inter_broker_auth_sasl_mechanisms: SCRAM-SHA-512 property defines
the protocol to authenticate the inter-broker connections. That requires to
identify which user will be used to establish these connections, that user is defined
by the amq_streams_broker_inter_broker_listener_auth variable.
# Broker Listeners
amq_streams_broker_listeners:
- AUTHENTICATED://:{{ amq_streams_broker_listener_port }}
- REPLICATION://:{{ amq_streams_broker_listener_internal_port }}
amq_streams_broker_inter_broker_listener: REPLICATION
# Broker Authentication
amq_streams_broker_auth_enabled: 'true'
amq_streams_broker_auth_scram_enabled: 'true'
amq_streams_broker_auth_listeners:
- AUTHENTICATED:SASL_PLAINTEXT
- REPLICATION:SASL_PLAINTEXT
amq_streams_broker_auth_sasl_mechanisms:
- PLAIN
- SCRAM-SHA-512
amq_streams_broker_inter_broker_auth_sasl_mechanisms: SCRAM-SHA-512
amq_streams_broker_inter_broker_listener_auth: |
listener.name.replication.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="<USER>" password="<PASSWORD>";To manage SCRAM users, the role includes the following tasks:
- Create
- Describe
- Delete
The role uses the amq_streams_broker_topics variable to identify the list of topics
to be managed by the role for each stage of the life cycle.
The amq_streams_broker_auth_scram_users variable defines the list of
different SCRAM users to manage in the Kafka cluster.
Example of definition of SCRAM users:
vars:
# Kafka SCRAM Users
amq_streams_broker_auth_scram_users:
- username: kafkauser01
password: p@ssw0rd
- username: kafkauser02
password: p@ssw0rdCreating SCRAM users can be done with this task:
- name: "Create SCRAM users"
ansible.builtin.include_role:
name: amq_streams_broker
tasks_from: user-scram/create.yml
loop: "{{ amq_streams_broker_auth_scram_users }}"
loop_control:
loop_var: user
vars:
user_username: "{{ user.username }}"
user_password: "{{ user.password }}"Describing SCRAM users can be done with this task:
- name: "Describe SCRAM users"
ansible.builtin.include_role:
name: amq_streams_broker
tasks_from: user-scram/describe.yml
loop: "{{ amq_streams_broker_auth_scram_users }}"
loop_control:
loop_var: user
vars:
user_username: "{{ user.username }}"Deleting SCRAM users can be done with this task:
- name: "Delete SCRAM users"
ansible.builtin.include_role:
name: amq_streams_broker
tasks_from: user-scram/delete.yml
loop: "{{ amq_streams_broker_auth_scram_users }}"
loop_control:
loop_var: user
vars:
user_username: "{{ user.username }}"SASL authentication mechanism using SSL listeners follows the same configuration described
above, however the listener must be declared as SASL_SSL and the authentication for
that listener must be declared as SASL_SSL:SASL_SSL.
Here an example of vars to authenticate over a SSL listener at 9093 port:
vars:
# Enabling SSL
amq_streams_broker_tls_enabled: true
# Broker Listeners
amq_streams_broker_listeners:
- PLAINTEXT://:{{ amq_streams_broker_listener_port }} # Insecure for inter-broker connections
- SASL_SSL://:{{ amq_streams_broker_listener_tls_port }} # Secured connections
# Enabling Kafka Broker Authentication
amq_streams_broker_auth_enabled: true
amq_streams_broker_auth_scram_enabled: true
amq_streams_broker_auth_listeners:
- PLAINTEXT:PLAINTEXT
- SASL_SSL:SASL_SSL
amq_streams_broker_auth_sasl_mechanisms:
- PLAIN
- SCRAM-SHA-512
# Using SSL bootstrap server port
amq_streams_broker_bootstrap_server_host: localhost
amq_streams_broker_bootstrap_server_port: 9093The role allows to manage the following stages of the life cycle of topics:
- Create
- Describe
- Delete
The role uses the amq_streams_broker_topics variable to identify the list of topics
to be managed by the role for each stage of the life cycle.
Example of definition of topics:
vars:
# Topic management
amq_streams_broker_topics:
- name: sampleTopic
partitions: 2
replication_factor: 1
- name: otherTopic
partitions: 4
replication_factor: 1NOTE: To manage topics in a distributed Kafka broker, the operation should be done in one single broker instance. Create or delete actions are replicated across the Kafka cluster.
This task will create new topics in a Kafka broker:
- name: "Create topics"
ansible.builtin.include_role:
name: amq_streams_broker
tasks_from: topic/create.yml
loop: "{{ amq_streams_broker_topics }}"
loop_control:
loop_var: topic
vars:
topic_name: "{{ topic.name }}"
topic_partitions: "{{ topic.partitions }}"
topic_replication_factor: "{{ topic.replication_factor }}"This task will describe the information and details of each topic from a Kafka broker:
- name: "Describe topics"
ansible.builtin.include_role:
name: amq_streams_broker
tasks_from: topic/describe.yml
loop: "{{ amq_streams_broker_topics }}"
loop_control:
loop_var: topic
vars:
topic_name: "{{ topic.name }}"This task will delete topics from a Kafka broker:
- name: "Delete topics"
ansible.builtin.include_role:
name: amq_streams_broker
tasks_from: topic/delete.yml
loop: "{{ amq_streams_broker_topics }}"
loop_control:
loop_var: topic
vars:
topic_name: "{{ topic.name }}"To operate topics with this role in Broker with authentication enabled, it is required to identify the mechanism of authentication and admin user credentials. The admin user must be identified to connect to the Broker and execute the topic action.
The amq_streams_broker_admin_mechanism variable identifies the authentication mechanism from
one of the following options: PLAIN, SCRAM-SHA-512.
The amq_streams_admin_username, and amq_streams_broker_admin_password variables identify the
admin user.
All these variables are required to execute the actions.
Example of definition:
vars:
# Enabling Kafka Broker Authentication
amq_streams_broker_auth_enabled: 'true'
amq_streams_broker_admin_mechanism: PLAIN
amq_streams_broker_admin_username: admin
amq_streams_broker_admin_password: passwordApache License v2.0 or later