kafka and zookeeper: fixes after review

hitachienergy · Mar 1, 2022 · 8466d0e · 8466d0e
1 parent c7b5f47
commit 8466d0e
Show file tree

Hide file tree

Showing 7 changed files with 16 additions and 20 deletions.
diff --git a/ansible/playbooks/roles/kafka/tasks/common/download_and_unpack_binary.yml b/ansible/playbooks/roles/kafka/tasks/common/download_and_unpack_binary.yml
@@ -1,5 +1,4 @@
 ---
-
 - name: Download Kafka binaries
   include_role:
     name: download

diff --git a/ansible/playbooks/roles/kafka/tasks/common/start.yml b/ansible/playbooks/roles/kafka/tasks/common/start.yml
@@ -1,5 +1,4 @@
 ---
-
 - name: Enable and Start Kafka
   service:
     name: kafka

diff --git a/ansible/playbooks/roles/kafka/tasks/common/stop.yml b/ansible/playbooks/roles/kafka/tasks/common/stop.yml
@@ -1,5 +1,4 @@
 ---
-
 - name: Stop Kafka
   systemd:
     name: kafka

diff --git a/ansible/playbooks/roles/kafka/tasks/generate-certificates.yml b/ansible/playbooks/roles/kafka/tasks/generate-certificates.yml
@@ -4,7 +4,7 @@
     state: directory
     owner: "{{ specification.user }}"
     group: "{{ specification.group }}"
-    mode: "0755"
+    mode: u=rwx,go=rx
 
 - name: Check if keystore exists on broker
   stat:
@@ -13,11 +13,11 @@
   register: keystore_exists
 
 - name: Generate keystore for each server
-  shell: keytool -keystore {{ specification.security.ssl.server.keystore_location }} \
-         -alias localhost -validity {{ specification.security.ssl.server.cert_validity }} -genkey -keyalg RSA \
-         -noprompt -storepass {{ specification.security.ssl.server.passwords.keystore }} \
-         -keypass {{ specification.security.ssl.server.passwords.key }} \
-         -dname "CN={{ inventory_hostname }}" -ext SAN="DNS:{{ inventory_hostname }}"
+  command: keytool -keystore {{ specification.security.ssl.server.keystore_location }} \
+           -alias localhost -validity {{ specification.security.ssl.server.cert_validity }} -genkey -keyalg RSA \
+           -noprompt -storepass {{ specification.security.ssl.server.passwords.keystore }} \
+           -keypass {{ specification.security.ssl.server.passwords.key }} \
+           -dname "CN={{ inventory_hostname }}" -ext SAN="DNS:{{ inventory_hostname }}"
   when:
     - not keystore_exists.stat.exists
 
@@ -81,7 +81,7 @@
     - not trustore_exists.stat.exists
 
 - name: Check if CA certificate is already imported
-  shell: keytool -list -v -keystore {{ specification.security.ssl.server.keystore_location }} \
+  shell: set -o pipefail && keytool -list -v -keystore {{ specification.security.ssl.server.keystore_location }} \
          -storepass {{ specification.security.ssl.server.passwords.keystore }} \
          | grep -i "Alias name" | grep -i "caroot"
   failed_when: "caroot_exists.rc == 2"

diff --git a/ansible/playbooks/roles/kafka/tasks/metrics.yml b/ansible/playbooks/roles/kafka/tasks/metrics.yml
@@ -13,7 +13,7 @@
     src: jmx-kafka-config.yml
     owner: "{{ specification.user }}"
     group: "{{ specification.group }}"
-    mode: 0644
+    mode: u=rx,go=r
 
 - name: delegated | create prometheus system group
   group:
@@ -52,7 +52,7 @@
     src: file_sd_config.yml.j2
     owner: root
     group: root
-    mode: 0644
+    mode: u=rx,go=r
   delegate_to: "{{ item }}"
   notify: restart prometheus
   with_inventory_hostnames:

diff --git a/ansible/playbooks/roles/kafka/tasks/setup-kafka.yml b/ansible/playbooks/roles/kafka/tasks/setup-kafka.yml
@@ -31,7 +31,7 @@
   copy:
     content: "export PATH=$PATH:/opt/kafka/bin"
     dest: "/etc/profile.d/kafka_path.sh"
-    mode: 0755
+    mode: u=rwx,go=rx
 
 - name: Link /opt/kafka to the right version
   file:
@@ -44,7 +44,7 @@
     dest: /etc/systemd/system/kafka.service
     owner: root
     group: root
-    mode: 0644
+    mode: u=rw,go=r
     src: kafka.service.j2
   notify:
     - restart kafka
@@ -59,7 +59,7 @@
     state: directory
     owner: "{{ specification.user }}"
     group: "{{ specification.group }}"
-    mode: 0755
+    mode: u=rwx,go=rx
 
 - name: Remove lost+found in the datadir
   file:
@@ -72,7 +72,7 @@
     state: directory
     owner: "{{ specification.user }}"
     group: "{{ specification.group }}"
-    mode: 0755
+    mode: u=rwx,go=rx
 
 - name: Create /etc/kafka directory
   file:
@@ -90,7 +90,7 @@
     path: "{{ specification.conf_dir }}/log4j.properties"
     owner: "{{ specification.user }}"
     group: "{{ specification.group }}"
-    mode: 0644
+    mode: u=rw,go=r
 
 - name: Generate certificate
   include_tasks: generate-certificates.yml
@@ -105,7 +105,7 @@
     owner: "{{ specification.user }}"
     group: "{{ specification.group }}"
     # Was 0640
-    mode: 0644
+    mode: u=rw,go=r
     src: server.properties.j2
   register: create_server_properties
   notify:
@@ -123,7 +123,7 @@
     dest: /etc/logrotate.d/kafka
     owner: root
     group: root
-    mode: 0644
+    mode: u=rw,go=r
     src: logrotate.conf.j2
 
 - name: configure system settings, file descriptors and number of threads for kafka

diff --git a/ansible/playbooks/roles/zookeeper/tasks/main.yml b/ansible/playbooks/roles/zookeeper/tasks/main.yml
@@ -74,7 +74,6 @@
     path: /opt/zookeeper
     state: link
     src: "{{ zookeeper_install_dir }}"
-  # force: ?
 
 - name: Add Zookeeper's bin dir to the PATH
   copy: