Import artemis create configuration tasks

Author: guidograzioli

roles/amq_broker/defaults/main.yml

@@ -43,11 +43,44 @@ amq_broker_port_stomp: 61613  # for protocols [STOMP]
 
 ### Enable configuration for high availability
 amq_broker_ha_enabled: False
+amq_broker_cluster_user: amq-cluster-user
+amq_broker_cluster_pass: amq-cluster-pass
+amq_broker_cluster_maxhops: 1
+amq_broker_cluster_lb_policy: ON_DEMAND
+amq_broker_replicate: False
+amq_broker_replicated: False
 
 ### Enable database configuration for JDBC persistence
 amq_broker_db_enabled: False
 
-### Enable SSLServerSocket transport
-amq_broker_ssl_enabled: False
-amq_broker_ssl_keystore_path: broker.ks
-amq_broker_ssl_keystore_password: changeme
+### Enable TLS
+amq_broker_tls_enabled: False
+amq_broker_tls_keystore_path: identity.ks
+amq_broker_tls_keystore_password: changeme
+amq_broker_tls_keystore_dest: "{{ amq_broker_dest }}/{{ amq_broker_instance_name }}/etc/identity.ks"
+
+# Mutual authentication (requires TLS)
+amq_broker_tls_mutual_authentication: False
+amq_broker_tls_truststore:
+amq_broker_tls_truststore_password:
+amq_broker_tls_truststore_dest: "{{ amq_broker_dest }}/{{ amq_broker_instance_name }}/etc/trust.ks"
+
+# NIO option
+amq_broker_nio_enabled: False
+
+## Shared Storage
+amq_broker_shared_storage: False
+
+## Ports
+amq_broker_ports_offset_enabled: False
+amq_broker_ports_offset: 0
+
+# Queues
+amq_broker_disable_destination_autocreate: True
+amq_broker_queues: queue.in,queue.out
+
+# Protocol disablement
+amq_broker_disable_amqp_protocol: False
+amq_broker_disable_hornetq_protocol: False
+amq_broker_disable_mqtt_protocol: False
+amq_broker_disable_stomp_protocol: False

roles/amq_broker/meta/argument_specs.yml

@@ -177,25 +177,130 @@ argument_specs:
                 description: "Whether to enable clustering"
                 type: "bool"
             amq_broker_db_enabled:
-                # line 48 of defaults/main.yml
+                # line 54 of defaults/main.yml
                 default: false
                 description: "Whether to enable JDBC persistence"
                 type: "bool"
-            amq_broker_ssl_enabled:
+            amq_broker_cluster_user:
+                # line 46 of defaults/main.yml
+                default: "amq-cluster-user"
+                description: "Cluster username"
+                type: "str"
+            amq_broker_cluster_pass:
+                # line 47 of defaults/main.yml
+                default: "amq-cluster-pass"
+                description: "Cluster user password"
+                type: "str"
+            amq_broker_cluster_maxhops:
+                # line 48 of defaults/main.yml
+                default: 1
+                description: "Cluster max hops"
+                type: "int"
+            amq_broker_cluster_lb_policy:
+                # line 49 of defaults/main.yml
+                default: "ON_DEMAND"
+                description: "Policy for cluster load balancing"
+                type: "str"
+            amq_broker_replicate:
+                # line 50 of defaults/main.yml
+                default: false
+                description: "Enables replication"
+                type: "bool"
+            amq_broker_replicated:
                 # line 51 of defaults/main.yml
                 default: false
-                description: "Whether to enable SSL listeners"
+                description: "Designate instance as replicated node"
                 type: "bool"
-            amq_broker_ssl_keystore_path:
-                # line 52 of defaults/main.yml
-                default: "broker.ks"
-                description: "Keystore path for SSL listener"
+            amq_broker_tls_enabled:
+                # line 57 of defaults/main.yml
+                default: false
+                description: "Whether to enable TLS"
+                type: "bool"
+            amq_broker_tls_keystore_path:
+                # line 58 of defaults/main.yml
+                default: "identity.ks"
+                description: "Keystore path for TLS connections"
                 type: "str"
-            amq_broker_ssl_keystore_password:
-                # line 53 of defaults/main.yml
+            amq_broker_tls_keystore_password:
+                # line 59 of defaults/main.yml
                 default: "changeme"
-                description: "Keystore password for SSL listener"
+                description: "Keystore password for TLS connections"
+                type: "str"
+            amq_broker_tls_keystore_dest:
+                # line 60 of defaults/main.yml
+                default: "{{ amq_broker_dest }}/{{ amq_broker_instance_name }}/etc/identity.ks"
+                description: "Path for installation of truststore"
+                type: "str"
+            amq_broker_tls_mutual_authentication:
+                # line 63 of defaults/main.yml
+                default: false
+                description: "Whether to enable TLS mutual auth, requires TLS enabled"
+                type: "bool"
+            amq_broker_tls_truststore:
+                # line 64 of defaults/main.yml
+                default: None
+                description: "Truststore to use for TLS mutual authentication"
+                type: "str"
+            amq_broker_tls_truststore_password:
+                # line 65 of defaults/main.yml
+                default: None
+                description: "Password for truststore"
                 type: "str"
+            amq_broker_tls_truststore_dest:
+                # line 66 of defaults/main.yml
+                default: "{{ amq_broker_dest }}/{{ amq_broker_instance_name }}/etc/trust.ks"
+                description: "Path for installation of truststore"
+                type: "str"
+            amq_broker_nio_enabled:
+                # line 69 of defaults/main.yml
+                default: false
+                description: "Enable Native IO using libaio"
+                type: "bool"
+            amq_broker_shared_storage:
+                # line 72 of defaults/main.yml
+                default: false
+                description: "Use shared filesystem directory for storage"
+                type: "bool"
+            amq_broker_ports_offset_enabled:
+                # line 75 of defaults/main.yml
+                default: false
+                description: "Whether to enable port offset"
+                type: "bool"
+            amq_broker_ports_offset:
+                # line 76 of defaults/main.yml
+                default: 0
+                description: "Port offset for all default ports"
+                type: "int"
+            amq_broker_disable_destination_autocreate:
+                # line 79 of defaults/main.yml
+                default: true
+                description: "Disable automatic creation of destination"
+                type: "bool"
+            amq_broker_queues:
+                # line 80 of defaults/main.yml
+                default: "queue.in,queue.out"
+                description: "Queue names comma separated"
+                type: "str"
+            amq_broker_disable_amqp_protocol:
+                # line 83 of defaults/main.yml
+                default: false
+                description: "Whether to disable AMQP protocol"
+                type: "bool"
+            amq_broker_disable_hornetq_protocol:
+                # line 84 of defaults/main.yml
+                default: false
+                description: "Whether to disable HORNETQ protocol"
+                type: "bool"
+            amq_broker_disable_mqtt_protocol:
+                # line 85 of defaults/main.yml
+                default: false
+                description: "Whether to disable MQTT protocol"
+                type: "bool"
+            amq_broker_disable_stomp_protocol:
+                # line 86 of defaults/main.yml
+                default: false
+                description: "Whether to disable STOMP protocol"
+                type: "bool"
             amq_broker_rhn_baseurl:
                 # line 8 of vars/main.yml
                 default: "https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId="

roles/amq_broker/tasks/configure.yml

@@ -0,0 +1,156 @@
+---
+- name: Create broker cluster node members
+  set_fact:
+    amq_broker_cluster_nodes: >
+      {{ amq_broker_cluster_nodes | default( [] ) + [
+           {
+             "name": amq_broker.instance_name,
+             "address": item,
+             "inventory_host": item,
+             "value": "tcp://" + item + ":" + (((61616|int + amq_broker_ports_offset|int)|abs)|string)
+           }
+         ] }}
+  loop: "{{ ansible_play_batch }}"
+
+- name: Prepare broker creation options
+  set_fact:
+    amq_broker_options:
+      - "--name {{ amq_broker.instance_name }}"
+
+- name: Enable clustering
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--clustered"
+      - "--cluster-user {{ amq_broker_cluster_user }}"
+      - "--cluster-password {{ amq_broker_cluster_pass }}"
+      - "--max-hops {{ amq_broker_cluster_maxhops }}"
+      - "--message-load-balancing {{ amq_broker_cluster_load_balancing_policy }}"
+      - "--failover-on-shutdown"
+  when: amq_broker_ha_enabled
+
+- name: Enable security
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--require-login"
+      - "--user {{ amq_broker_instance_username }}"
+      - "--password {{ amq_broker_instance_password }}"
+  when: not amq_broker_instance_anonymous
+
+- name: Set address broker accepts connections on
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--host {{ amq_broker_host }}"
+
+- name: Set address embedded web server accepts connections on
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--http-host {{ amq_broker_host }}"
+
+- name: Disable automatic creation of queues
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--no-autocreate"
+  when: amq_broker_disable_destination_autocreate
+
+- name: Set up queues
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--queues {{ amq_broker_queues }}"
+
+- name: Set up data directory
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--data {{ amq_broker.instance_home }}/data"
+  when: not amq_broker_shared_storage
+
+- name: Set as replicated node
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--slave"
+  when: amq_broker_replicate
+
+- name: Enable replication
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--replicated"
+  when: amq_broker_replicated
+
+- name: Enable shared storage
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--shared-store"
+      - "--data {{ amq_broker.home }}/data"
+  when: amq_broker_shared_storage
+
+- name: Set up port offset
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--port-offset {{ (0|int + amq_broker_ports_offset|int)|abs }}"
+  when: amq_broker_ports_offset_enabled
+
+- name: Disable AMQP protocol
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--no-amqp-acceptor"
+  when: amq_broker_disable_amqp_protocol
+
+- name: Disable HornetQ protocol
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--no-hornetq-acceptor"
+  when: amq_broker_disable_hornetq_protocol
+
+- name: Disable MQTT protocol
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--no-mqtt-acceptor"
+  when: amq_broker_disable_mqtt_protocol
+
+- name: Disable STOMP
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--no-stomp-acceptor"
+  when: amq_broker_disable_stomp_protocol
+
+- name: Set the journal as nio
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--nio"
+  when: amq_broker_nio_enabled
+
+- name: Enable TLS for web UI
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--ssl-key {{ amq_broker_tls_keystore_dest }}"
+      - "--ssl-key-password {{ amq_broker_tls_keystore_password }}"
+  when: amq_broker_tls_enabled and amq_broker_tls_keystore and amq_broker_tls_keystore_password
+
+- name: Enable TLS client authentication for web UI
+  set_fact:
+    amq_broker_options:
+      - "{{ amq_broker_options | join(' ') }}"
+      - "--ssl-trust {{ amq_broker_tls_truststore_dest }}"
+      - "--ssl-trust-password {{ amq_broker_tls_truststore_password }}"
+      - "--use-client-auth"
+  when: amq_broker_tls_enabled and amq_broker_tls_mutual_authentication and amq_broker_tls_truststore and amq_broker_tls_truststore_password
+
+- name: Create final broker creation options
+  set_fact:
+    amq_broker_options: "{{ amq_broker_options | join(' ') }}"

roles/amq_broker/tasks/prereqs.yml

@@ -24,11 +24,20 @@
     fail_msg: "Cannot install Red Hat AMQ Broker without RHN credentials. Check rhn_username and rhn_password are defined"
     success_msg: "{{ 'Installing Red Hat AMQ Broker' if amq_broker_enable else 'Installing Apache ActiveMQ' }}"
 
+- name: Validate TLS mutual auth config
+  ansible.builtin.assert:
+    that:
+      - amq_broker_tls_truststore is defined
+      - amq_broker_tls_truststore_password is defined
+      - amq_broker_tls_enabled
+  when: amq_broker_tls_mutual_authentication
+
 - name: Ensure required packages are installed
   ansible.builtin.include_tasks: fastpackages.yml
   vars:
     packages_list:
       - "{{ amq_broker_jvm_package }}"
       - unzip
       - procps-ng
-      - initscripts
+      - initscripts
+      - libaio

roles/amq_broker/tasks/systemd.yml

@@ -39,11 +39,17 @@
   register: instance_directory
   become: yes
 
+- name: "Generate configuration for: {{ amq_broker_dest }}/{{ amq_broker.instance_name }}"
+  ansible.builtin.include_tasks: configure.yml
+  when:
+    - not instance_directory.stat.exists
+
 - name: "Create instance {{ amq_broker.instance_name }} of {{ amq_broker.service_name }}"
   ansible.builtin.command:
-    cmd: "{{ amq_broker.home }}/bin/artemis create {{ amq_broker_dest }}/{{ amq_broker.instance_name }} --user {{ amq_broker_instance_username }} --password {{ amq_broker_instance_password }} --require-login"
+    cmd: "{{ amq_broker.home }}/bin/artemis create {{ amq_broker.instance_home }} {{ amq_broker_options }}"
     creates: "{{ amq_broker.instance_home }}/bin/artemis-service"
   become: yes
+  register: broker_created
   when:
     - not instance_directory.stat.exists