initial work on sasl/acl

.buildkite/scripts/standup-cluster.sh

@@ -50,6 +50,7 @@ if [ -z "$PREFIX" ] || [ -z "$DISTRO" ] || [ -z "$UNSTABLE" ] || [ -z "$TIERED"
   exit 1
 fi
 
+trap cleanup EXIT INT TERM
 cleanup() {
   exit_code=$?
   echo "trapped exit, cleaning up"
@@ -63,7 +64,6 @@ cleanup() {
   }'
   exit $exit_code
 }
-trap cleanup EXIT INT TERM
 
 if [ -z "$MACHINE_ARCH" ]; then
   MACHINE_ARCH="x86_64"
@@ -105,15 +105,15 @@ echo "building cluster"
 DEPLOYMENT_ID=$PREFIX DISTRO=$DISTRO IS_USING_UNSTABLE=$UNSTABLE task "create-$TASK_NAME"
 error_code=$?
 if [ $error_code -ne 0 ]; then
-  echo "error in ansible standup"
+  echo "error in create $TASK_NAME"
   exit 1
 fi
 
 echo "testing cluster"
 DEPLOYMENT_ID=$PREFIX DISTRO=$DISTRO task "test-$TASK_NAME"
 error_code=$?
 if [ $error_code -ne 0 ]; then
-  echo "error in test-tls-cluster"
+  echo "error in test $TASK_NAME"
   exit 1
 fi
 

.buildkite/scripts/test-basic-cluster.sh

@@ -45,16 +45,16 @@ sed 's/,$/\n/')
 
 ## test that we can check status, create a topic and produce to the topic
 echo "checking cluster status"
-"${PATH_TO_RPK_FILE}" cluster status --brokers "$REDPANDA_BROKERS" -v || exit 1
+"${PATH_TO_RPK_FILE}" cluster status --user admin --password admin --brokers "$REDPANDA_BROKERS" -v || exit 1
 
 echo "creating topic"
 "${PATH_TO_RPK_FILE}" topic create testtopic --brokers "$REDPANDA_BROKERS" -v || exit 1
 
 echo "producing to topic"
-echo squirrel | "${PATH_TO_RPK_FILE}" topic produce testtopic --brokers "$REDPANDA_BROKERS" -v || exit 1
+echo squirrel | "${PATH_TO_RPK_FILE}" topic produce --user admin --password admin testtopic --brokers "$REDPANDA_BROKERS" -v || exit 1
 
 echo "consuming from topic"
-"${PATH_TO_RPK_FILE}" topic consume testtopic --brokers "$REDPANDA_BROKERS" -v -o :end | grep squirrel || exit 1
+"${PATH_TO_RPK_FILE}" topic consume --user admin --password admin testtopic --brokers "$REDPANDA_BROKERS" -v -o :end | grep squirrel || exit 1
 
 echo "testing schema registry"
 for ip_port in $(echo $REDPANDA_REGISTRY | tr ',' ' '); do curl $ip_port/subjects ; done 

.buildkite/scripts/test-tiered-storage-cluster.sh

@@ -56,23 +56,28 @@ sed 's/,$/\n/')
 
 ## test that we can check status, create a topic and produce to the topic
 echo "checking cluster status"
-"${PATH_TO_RPK_FILE}" cluster status --brokers "$REDPANDA_BROKERS" --tls-truststore "$PATH_TO_CA_CRT" -v || exit 1
+"${PATH_TO_RPK_FILE}" cluster status --user admin --password password --brokers "$REDPANDA_BROKERS" --tls-truststore "$PATH_TO_CA_CRT" -v || exit 1
 
 echo "creating topic"
-"${PATH_TO_RPK_FILE}" topic create testtopic \
+"${PATH_TO_RPK_FILE}" topic create --user admin --password password testtopic \
 --brokers "$REDPANDA_BROKERS" \
 --tls-truststore "$PATH_TO_CA_CRT" \
 -v || exit 1
 
 echo "producing to topic"
-echo squirrels | "${PATH_TO_RPK_FILE}" topic produce testtopic --brokers "$REDPANDA_BROKERS" --tls-truststore "$PATH_TO_CA_CRT" -v || exit 1
+echo squirrels | "${PATH_TO_RPK_FILE}" topic produce --user admin --password password testtopic --brokers "$REDPANDA_BROKERS" --tls-truststore "$PATH_TO_CA_CRT" -v || exit 1
 
 sleep 30
 
 echo "consuming from topic"
-testoutput=$("${PATH_TO_RPK_FILE}" topic consume testtopic --brokers "$REDPANDA_BROKERS" --tls-truststore "$PATH_TO_CA_CRT" -v -o :end)
+testoutput=$("${PATH_TO_RPK_FILE}" topic consume --user admin --password password testtopic --brokers "$REDPANDA_BROKERS" --tls-truststore "$PATH_TO_CA_CRT" -v -o :end)
 echo $testoutput | grep squirrels || exit 1
 
+"${PATH_TO_RPK_FILE}" acl user list --user admin --password password \
+--brokers "$REDPANDA_BROKERS" \
+--tls-truststore "$PATH_TO_CA_CRT" \
+-v || exit 1
+
 echo "testing schema registry"
 for ip_port in $(echo $REDPANDA_REGISTRY | tr ',' ' '); do curl $ip_port/subjects -k --cacert "$PATH_TO_CA_CRT" ; done
 

Taskfile.yaml

@@ -51,9 +51,9 @@ tasks:
     vars:
       SSH_EMAIL: '{{default "test@redpanda.com" .SSH_EMAIL | lower}}'
     cmds:
-      - ssh-keygen -t rsa -b 4096 -C "{{.SSH_EMAIL}}" -N "" -f artifacts/testkey <<< y && chmod 0700 artifacts/testkey
+      - ssh-keygen -t rsa -b 4096 -C "{{.SSH_EMAIL}}" -N "" -f {{ .PRIVATE_KEY }} <<< y && chmod 0700 {{ .PRIVATE_KEY }}
     status:
-      - test f artifacts/testkey
+      - test -f {{ .PRIVATE_KEY }}
 
   build:
     desc: init and apply terraform

ansible/provision-basic-cluster.yml

@@ -7,6 +7,7 @@
   vars:
     advertise_public_ips: true
     redpanda_version: latest
+    enable_sasl: true
   tasks:
     - name: Install system prereqs
       ansible.builtin.include_role:
@@ -22,6 +23,7 @@
     advertise_public_ips: true
     redpanda_version: latest
     install_console: true
+    enable_sasl: true
   tasks:
     - name: Install and start redpanda console
       ansible.builtin.include_role:

ansible/provision-tiered-storage-cluster.yml

@@ -22,6 +22,7 @@
     ca_cert_file: "tls/ca/ca.crt"
     node_cert_file: "tls/certs/{{ansible_hostname}}/node.crt"
     cloud_storage_credentials_source: "aws_instance_metadata"
+    enable_sasl: true
   tasks:
     - name: Install and configure CA certs for running tls
       ansible.builtin.include_role:
@@ -33,6 +34,10 @@
       ansible.builtin.include_role:
         name: redpanda.cluster.redpanda_broker
       when: not skip_node | default(false) | bool
+    - name: Add Users and ACLs
+      ansible.builtin.include_role:
+        name: redpanda.cluster.user_config
+      when: not skip_node | default(false) | bool
 
 - name: Provision redpanda console
   hosts: client
@@ -46,6 +51,7 @@
     root_ca_dir: "{{ playbook_dir }}/tls/ca"
     ca_cert_file: "tls/ca/ca.crt"
     node_cert_file: "tls/certs/{{ansible_hostname}}/node.crt"
+    enable_sasl: true
   tasks:
     - name: Install and configure CA certs for running tls
       ansible.builtin.include_role:
@@ -54,3 +60,6 @@
       ansible.builtin.include_role:
         name: redpanda.cluster.redpanda_broker
       when: not skip_node | default(false) | bool
+    - name: Configure client for use with RPK
+      ansible.builtin.include_role:
+        name: redpanda.cluster.client_config

ansible/provision-tls-cluster.yml

@@ -20,6 +20,7 @@
     redpanda_version: latest
     ca_cert_file: "tls/ca/ca.crt"
     node_cert_file: "tls/certs/{{ansible_hostname}}/node.crt"
+    enable_sasl: true
   tasks:
     - name: Install and configure CA certs for running tls
       ansible.builtin.include_role:
@@ -31,6 +32,10 @@
       ansible.builtin.include_role:
         name: redpanda.cluster.redpanda_broker
       when: not skip_node | default(false) | bool
+    - name: Add Users and ACLs
+      ansible.builtin.include_role:
+        name: redpanda.cluster.user_config
+      when: not skip_node | default(false) | bool
 
 - name: Provision redpanda console
   hosts: client
@@ -44,6 +49,7 @@
     root_ca_dir: "{{ playbook_dir }}/tls/ca"
     ca_cert_file: "tls/ca/ca.crt"
     node_cert_file: "tls/certs/{{ansible_hostname}}/node.crt"
+    enable_sasl: true
   tasks:
     - name: Install and configure CA certs for running tls
       ansible.builtin.include_role: