Add documentation for TLS roles

Signed-off-by: Jim Enright <jenright@cloudera.com>

Author: jimright

roles/tls_fetch_ca_certs/meta/argument_specs.yml

@@ -0,0 +1,44 @@
+# Copyright 2024 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+
+argument_specs:
+  main:
+    short_description: "Bring CA root and intermediate cert back to controller"
+    description:
+      - Fetch the named root and intermediate CA TLS Certificates from the CA Server.
+    author:
+      - "Jim Enright <jenright@cloudera.com>"
+    options:
+      ca_server_intermediate_path:
+        description: "Path to intermediate CA cert on the CA server"
+        default: "/ca/intermediate/certs"
+        type: "str"
+      ca_server_intermediate_cert_name:
+        description: "Name of the intermediate CA cert file"
+        type: "str"
+        default: "intermediate.cert.pem"
+      ca_server_root_path:
+        description: "Path to root CA cert on the CA server"
+        default: "/ca/certs"
+        type: "str"
+      ca_server_root_cert_name:
+        description: "Name of the root CA cert file"
+        type: "str"
+        default: "ca.cert.pem"
+      local_ca_certs_dir:
+        description: "Directory on Ansible controller to store the root and intermediate CA cert files"
+        type: "str"
+        required: true

roles/tls_generate_csr/defaults/main.yml

@@ -13,7 +13,6 @@
 # limitations under the License.
 
 ---
-keytool_path: /usr/bin/keytool
 openssl_path: /usr/bin/openssl
 
 base_dir_security: /opt/cloudera/security
@@ -22,7 +21,6 @@ tls_csr_config_path: "{{ base_dir_security_pki }}/csr.cnf"
 tls_csr_path: "{{ base_dir_security_pki }}/{{ inventory_hostname }}.csr"
 
 # local_csrs_dir: "/tmp/csrs"
-# subject_alternative_names # optional variable which can be defined for each host
 
 ca_server_attrs_general:
   OU: PS
@@ -31,248 +29,6 @@ ca_server_attrs_general:
   C: US
 
 
-tls_keystore_password: changeme
 tls_key_password: changeme
 
-tls_keystore_path: "{{ base_dir_security_pki }}/{{ inventory_hostname }}.jks"
-tls_keystore_path_generic: "{{ base_dir_security_pki }}/host.jks"
-
-tls_key_password_file: "{{ base_dir_security_pki }}/host.key.pw"
-
 tls_key_path: "{{ base_dir_security_pki }}/{{ inventory_hostname }}.key"
-tls_key_path_generic: "{{ base_dir_security_pki }}/host.key"
-
-tls_key_path_plaintext: "{{ tls_key_path }}.unenc"
-tls_key_path_plaintext_generic: "{{ tls_key_path_generic }}.unenc"
-
-
-local_accounts:
-
-  - user: accumulo
-    home: /var/lib/accumulo
-    comment: Accumulo
-
-  - user: atlas
-    home: /var/lib/atlas
-    comment: Atlas
-    extra_groups: [hadoop]
-
-  - user: cloudera-scm
-    home: /var/lib/cloudera-scm-server
-    comment: Cloudera Manager
-    mode: '770'
-    keystore_acl: True
-    key_acl: True
-    key_password_acl: True
-
-  - user: cruisecontrol
-    home: /var/lib/cruise_control
-    comment: Cruise Control
-    keystore_acl: True
-
-  - user: druid
-    home: /var/lib/druid
-    comment: Druid
-    extra_groups: [hadoop]
-
-  - user: flink
-    home: /var/lib/flink
-    comment: Flink
-    keystore_acl: True
-
-  - user: ssb
-    home: /var/lib/ssb
-    comment: SQL Stream Builder
-    keystore_acl: True
-    key_acl: True
-    key_password_acl: True
-
-  - user: flume
-    home: /var/lib/flume-ng
-    comment: Flume
-    keystore_acl: True
-
-  - user: hbase
-    home: /var/lib/hbase
-    comment: HBase
-    keystore_acl: True
-
-  - user: hdfs
-    home: /var/lib/hadoop-hdfs
-    comment: Hadoop HDFS
-    extra_groups: [hadoop]
-
-  - user: hive
-    home: /var/lib/hive
-    comment: Hive
-    keystore_acl: True
-
-  - user: httpfs
-    home: /var/lib/hadoop-httpfs
-    comment: Hadoop HTTPFS
-    keystore_acl: True
-
-  - user: hue
-    home: /usr/lib/hue
-    comment: Hue
-    key_acl: True
-    key_password_acl: True
-
-  - user: impala
-    home: /var/lib/impala
-    comment: Impala
-    extra_groups: [hive]
-    key_acl: True
-    key_password_acl: True
-
-  - user: kafka
-    home: /var/lib/kafka
-    comment: Kafka
-    keystore_acl: True
-
-  - user: keytrustee
-    home: /var/lib/keytrustee
-    comment: KeyTrustee KMS
-    keystore_acl: True
-    key_acl: True
-    key_password_acl: True
-
-  - user: kms
-    home: /var/lib/hadoop-kms
-    comment: Hadoop KMS
-    keystore_acl: True
-
-  - user: knox
-    home: /var/lib/knox
-    comment: Knox
-    extra_groups: [hadoop]
-    keystore_acl: True
-
-  - user: kudu
-    home: /var/lib/kudu
-    comment: Kudu
-    key_acl: True
-    key_password_acl: True
-
-  - user: livy
-    home: /var/lib/livy
-    comment: Livy
-    keystore_acl: True
-
-  - user: mapred
-    home: /var/lib/hadoop-mapreduce
-    comment: Hadoop MapReduce
-    extra_groups: [hadoop]
-
-  - user: nifi
-    home: /var/lib/nifi
-    command: NiFi
-    keystore_acl: True
-
-  - user: nifiregistry
-    home: /var/lib/nifiregistry
-    command: NiFi Registry
-    keystore_acl: True
-
-  - user: nifi
-    home: /var/lib/nifi
-    command: NiFi
-
-  - user: nifiregistry
-    home: /var/lib/nifiregistry
-    command: NiFi Registry
-
-  - user: oozie
-    home: /var/lib/oozie
-    comment: Oozie User
-    keystore_acl: True
-
-  - user: phoenix
-    home: /var/lib/phoenix
-    comment: Phoenix User
-
-  - user: ranger
-    home: /var/lib/ranger
-    comment: Ranger
-    extra_groups: [hadoop]
-
-  - user: rangerraz
-    home: /var/lib/rangerraz
-    comment: Ranger Raz User
-    extra_groups: [ranger, hadoop]
-
-  - user: rangertagsync
-    home: /var/lib/rangertagsync
-    comment: Ranger Tagsync User
-    extra_groups: [ranger, hadoop]
-
-  - user: schemaregistry
-    home: /var/lib/schemaregistry
-    comment: Schema Registry
-    keystore_acl: True
-
-  - user: sentry
-    home: /var/lib/sentry
-    comment: Sentry
-
-  - user: solr
-    home: /var/lib/solr
-    comment: Solr
-    keystore_acl: True
-
-  - user: spark
-    home: /var/lib/spark
-    comment: Spark
-    keystore_acl: True
-
-  - user: spark2
-    home: /var/lib/spark2
-    comment: Spark2
-
-  - user: sqoop
-    home: /var/lib/sqoop
-    comment: Sqoop
-
-  - user: sqoop2
-    home: /var/lib/sqoop2
-    comment: Sqoop2
-    extra_groups: [sqoop]
-
-  - user: streamsmsgmgr
-    home: /var/lib/streams_messaging_manager
-    comment: Streams Messaging Manager
-    keystore_acl: True
-    key_acl: True
-
-  - user: streamsrepmgr
-    home: /var/lib/streams_replication_manager
-    comment: Streams Replication Manager
-    keystore_acl: True
-
-  - user: superset
-    home: /var/lib/superset
-    comment: Superset
-
-  - user: yarn
-    home: /var/lib/hadoop-yarn
-    comment: Hadoop Yarn
-    extra_groups: [hadoop, spark]
-
-  - user: zeppelin
-    home: /var/lib/zeppelin
-    comment: Zeppelin
-    keystore_acl: True
-
-  - user: zookeeper
-    home: /var/lib/zookeeper
-    comment: ZooKeeper
-    keystore_acl: True
-
-ecs_accounts:
-  - user: cloudera-scm
-    home: /var/lib/cloudera-scm-server
-    comment: Cloudera Manager
-    mode: '770'
-    keystore_acl: True
-    key_acl: True
-    key_password_acl: True

roles/tls_generate_csr/meta/argument_specs.yml

@@ -0,0 +1,67 @@
+# Copyright 2024 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+
+argument_specs:
+  main:
+    short_description: "Generates a CSR on each host and copies it back to the Ansible controller"
+    description:
+      - Generates a TLS Certificate Signing Request (CSR).
+      - Once created the CSR file is copied back to the Ansibles controller.
+    author:
+      - "Jim Enright <jenright@cloudera.com>"
+    options:
+      openssl_path:
+        description: "Absolute path to the C(openssl) executable"
+        default: "/usr/bin/openssl"
+        type: "str"
+      base_dir_security:
+        description: "Base directory for Cloudera CDP security related files"
+        type: "str"
+        default: "/opt/cloudera/security"
+      base_dir_security_pki:
+        description: "Base directory for Cloudera CDP PKI security related files"
+        type: "str"
+        default: "{{ base_dir_security }}/pki"
+      tls_csr_config_path:
+        description: 
+          - Location of the OpenSSL configuration file that will be created by the role.
+          - This file will be generated by the C(csr.cnf.j2) template file.
+        type: "str"
+        default: "{{ base_dir_security_pki }}/csr.cnf"
+      tls_csr_path:
+        description: "Location of the OpenSSL Certificate Signing Request file that will be created by the role"
+        type: "str"
+        default: "{{ base_dir_security_pki }}/{{ inventory_hostname }}.csr"
+      ca_server_attrs_general:
+        description: "Attributes to use in the certificate signing request"
+        type: "dict"
+        default:
+          OU: PS
+          O: "Cloudera, Inc."
+          ST: "CA"
+          C: "US"
+      tls_key_password:
+        description: "Password for the TLS Key."
+        type: "str"
+        default: "changeme" 
+      tls_key_path:
+        description: "Location of the TLS key."
+        type: "str"
+        default: "{{ base_dir_security_pki }}/{{ inventory_hostname }}.key"
+      local_csrs_dir:
+        description: "Location on the Ansible Controller where the CSR will be copied."
+        type: "str"
+        default: "{{ base_dir_security_pki }}/{{ inventory_hostname }}.key"