From b96c3f8c2ff7678ea7a5149d43d7d0a65f5b49b9 Mon Sep 17 00:00:00 2001
From: Justin Lee
Date: Wed, 11 Dec 2024 08:05:00 +0800
Subject: [PATCH] Update KRaft SCRAM user creation to support secrets protection
---
 roles/kafka_broker/tasks/main.yml | 36 +++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/roles/kafka_broker/tasks/main.yml b/roles/kafka_broker/tasks/main.yml
index 9492d98b5..0e97bbdf7 100644
--- a/roles/kafka_broker/tasks/main.yml
+++ b/roles/kafka_broker/tasks/main.yml
@@ -572,6 +572,7 @@
 when:
 - "'SCRAM-SHA-512' in kafka_sasl_enabled_mechanisms"
 - kraft_enabled|bool
+ - not ( kafka_broker_client_secrets_protection_enabled|bool )
 no_log: "{{ mask_secrets|bool }}"
 
 - name: Create SCRAM 256 Users with KRaft
@@ -586,6 +587,41 @@
 when:
 - "'SCRAM-SHA-256' in kafka_sasl_enabled_mechanisms"
 - kraft_enabled|bool
+ - not ( kafka_broker_client_secrets_protection_enabled|bool )
+ no_log: "{{ mask_secrets|bool }}"
+
+- name: Create SCRAM Users with KRaft with Secrets Protection enabled
+ shell: |
+ {{ binary_base_path }}/bin/kafka-configs \
+ --bootstrap-server {{ hostvars[inventory_hostname]|confluent.platform.resolve_hostname }}:{{kafka_broker_listeners[kafka_broker_inter_broker_listener_name]['port']}} \
+ --command-config {{ kafka_broker.client_config_file }} \
+ --alter --add-config 'SCRAM-SHA-512=[password={{ item.value['password'] }}]' \
+ --entity-type users --entity-name {{ item.value['principal'] }}
+ environment:
+ CONFLUENT_SECURITY_MASTER_KEY: "{{ secrets_protection_masterkey }}"
+ loop: "{{ sasl_scram_users_final|dict2items }}"
+ run_once: true
+ when:
+ - "'SCRAM-SHA-512' in kafka_sasl_enabled_mechanisms"
+ - kraft_enabled|bool
+ - kafka_broker_client_secrets_protection_enabled|bool
+ no_log: "{{ mask_secrets|bool }}"
+
+- name: Create SCRAM 256 Users with KRaft with Secrets Protection enabled
+ shell: |
+ {{ binary_base_path }}/bin/kafka-configs \
+ --bootstrap-server {{ hostvars[inventory_hostname]|confluent.platform.resolve_hostname }}:{{kafka_broker_listeners[kafka_broker_inter_broker_listener_name]['port']}} \
+ --command-config {{ kafka_broker.client_config_file }} \
+ --alter --add-config 'SCRAM-SHA-256=[password={{ item.value['password'] }}]' \
+ --entity-type users --entity-name {{ item.value['principal'] }}
+ environment:
+ CONFLUENT_SECURITY_MASTER_KEY: "{{ secrets_protection_masterkey }}"
+ loop: "{{ sasl_scram256_users_final|dict2items }}"
+ run_once: true
+ when:
+ - "'SCRAM-SHA-256' in kafka_sasl_enabled_mechanisms"
+ - kraft_enabled|bool
+ - kafka_broker_client_secrets_protection_enabled|bool
 no_log: "{{ mask_secrets|bool }}"
 
 - name: Register Cluster
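Review bot: In both new `shell:` tasks the SCRAM password is interpolated straight into the command line (`--add-config 'SCRAM-SHA-512=[password={{ item.value['password'] }}]'`), so a password containing `'` breaks out of the single quotes and is parsed by the shell, and in every case the plaintext password and principal sit in the process argument list (`ps`, `/proc/<pid>/cmdline`) on the broker for the duration of the call, which `no_log` does not cover. Nothing here needs a shell, so I would switch to `command:` with `argv:` so Ansible passes each value as one argument with no shell parsing, which also drops the `\` continuations; the SHA-512 task is rewritten below and the SHA-256 task changes the same way. That still leaves the password in argv; if the installed `kafka-configs` supports `--add-config-file`, writing the config to a `0600` temporary file that is removed afterwards would keep it off the command line entirely, which is worth checking against the shipped version. The four tasks now differ only in mechanism and in whether `environment` is set, so a single pair of tasks with `environment: "{{ {'CONFLUENT_SECURITY_MASTER_KEY': secrets_protection_masterkey} if kafka_broker_client_secrets_protection_enabled|bool else {} }}"` would remove the duplication.
```yaml
- name: Create SCRAM Users with KRaft with Secrets Protection enabled
  command:
    argv:
      - "{{ binary_base_path }}/bin/kafka-configs"
      - --bootstrap-server
      - "{{ hostvars[inventory_hostname]|confluent.platform.resolve_hostname }}:{{ kafka_broker_listeners[kafka_broker_inter_broker_listener_name]['port'] }}"
      - --command-config
      - "{{ kafka_broker.client_config_file }}"
      - --alter
      - --add-config
      - "SCRAM-SHA-512=[password={{ item.value['password'] }}]"
      - --entity-type
      - users
      - --entity-name
      - "{{ item.value['principal'] }}"
  # … unchanged: environment, loop, run_once, when, no_log …
```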