feat: add SASL support to operation playbooks and new SASL playbooks

Updates operation playbooks to support SASL-enabled clusters:
- operation-rolling-restart.yml: Add rpk_opts/rpk_admin_opts for SASL auth
- operation-apply-license.yml: Add SASL support for license application
- operation-configure-logging.yml: Add SASL support for logging config

New playbooks:
- provision-cluster-tls-sasl.yml: Deploy TLS + SASL enabled clusters
- manage-sasl-users.yml: Manage SASL users and ACLs via user_management role

Usage: Pass SASL credentials via extra vars:
  -e "kafka_enable_authorization=true"
  -e "admin_api_require_auth=true"
  -e "sasl_superuser_username=admin"
  -e "sasl_superuser_password=<password>"

Author: vuldin

README.md

@@ -63,6 +63,36 @@ ansible-playbook ansible/deploy-client.yml --private-key ~/.ssh/id_rsa
 
 The playbooks can all be run in any order. However they are designed with the assumption that you will run only either the TLS or non TLS playbooks, not both. Currently we do not support converting a cluster from non-TLS to TLS or vice versa.
 
+## SASL Authentication Deployments
+
+### TLS + SASL Cluster
+
+Deploy a cluster with both TLS encryption and SASL authentication:
+
+```bash
+export REDPANDA_SASL_PASSWORD="your-secure-password"
+export SR_SERVICE_PASSWORD="schema-registry-password"
+export PP_SERVICE_PASSWORD="pandaproxy-password"
+
+ansible-playbook ansible/provision-cluster-tls-sasl.yml \
+  --private-key ~/.ssh/id_rsa \
+  --inventory artifacts/hosts_gcp_$DEPLOYMENT_PREFIX.ini
+```
+
+### Managing Users and ACLs
+
+After deploying a SASL-enabled cluster, you can manage additional users and ACLs:
+
+```bash
+export REDPANDA_SASL_PASSWORD="your-admin-password"
+export PRODUCER_APP_PASSWORD="producer-password"
+export CONSUMER_APP_PASSWORD="consumer-password"
+
+ansible-playbook ansible/manage-sasl-users.yml \
+  --private-key ~/.ssh/id_rsa \
+  --inventory artifacts/hosts_gcp_$DEPLOYMENT_PREFIX.ini
+```
+
 ## Additional Documentation
 
 More information on consuming this collection

ansible/manage-sasl-users.yml

@@ -0,0 +1,157 @@
+---
+# Idempotent SASL User, Role, and ACL Management
+#
+# This playbook manages users, roles, and ACLs in a declarative way.
+# It queries existing state and only makes necessary changes.
+#
+# Usage:
+#   export REDPANDA_SASL_PASSWORD="admin-password"
+#   ansible-playbook ansible/manage-sasl-users.yml \
+#     --private-key ~/.ssh/id_rsa \
+#     --inventory hosts.ini \
+#     -e @path/to/users.yml  # Optional: override users/roles/acls from file
+#
+- name: Manage SASL Users, Roles, and ACLs
+  hosts: redpanda[0]
+  become: true
+  vars:
+    # Connection settings (must match cluster configuration)
+    enable_tls: true
+    redpanda_truststore_file: "/etc/redpanda/certs/truststore.pem"
+
+    # Admin credentials
+    sasl_admin_username: "admin"
+    sasl_admin_password: "{{ lookup('env', 'REDPANDA_SASL_PASSWORD') }}"
+
+    # =========================================================================
+    # USERS
+    # =========================================================================
+    # Define users to manage. Set state: absent to delete.
+    # Set update_password: true to force password update for existing users.
+    sasl_users:
+      - username: "producer_app"
+        password: "{{ lookup('env', 'PRODUCER_APP_PASSWORD') | default('producer-secret', true) }}"
+        mechanism: "SCRAM-SHA-256"
+        state: present
+
+      - username: "consumer_app"
+        password: "{{ lookup('env', 'CONSUMER_APP_PASSWORD') | default('consumer-secret', true) }}"
+        mechanism: "SCRAM-SHA-256"
+        state: present
+
+      # Example: delete a user
+      # - username: "old_user"
+      #   state: absent
+
+    # =========================================================================
+    # ROLES (Enterprise Feature - RBAC)
+    # =========================================================================
+    # Define roles and their members
+    sasl_roles: []
+      # Example:
+      # - name: "producers"
+      #   state: present
+      #   members:
+      #     - "producer_app"
+      #
+      # - name: "old_role"
+      #   state: absent
+
+    # =========================================================================
+    # KAFKA ACLs
+    # =========================================================================
+    # Define ACLs for Kafka resources (topics, groups, cluster, transactional-id)
+    # Supports: multiple operations per ACL, multiple resources per ACL, role-based ACLs
+    sasl_acls:
+      # Producer: write and describe to events-* topics (multiple operations)
+      - principal: "User:producer_app"
+        resource_type: topic
+        resource_name: "events-"
+        pattern_type: prefixed
+        operation:
+          - write
+          - describe
+        permission: allow
+        state: present
+
+      # Consumer: read and describe from events-* topics (multiple operations)
+      - principal: "User:consumer_app"
+        resource_type: topic
+        resource_name: "events-"
+        pattern_type: prefixed
+        operation:
+          - read
+          - describe
+        permission: allow
+        state: present
+
+      # Consumer: use consumer groups
+      - principal: "User:consumer_app"
+        resource_type: group
+        resource_name: "consumer-"
+        pattern_type: prefixed
+        operation: read
+        permission: allow
+        state: present
+
+      # Example: multiple topics in one ACL
+      # - principal: "User:app_user"
+      #   resource_type: topic
+      #   resource_name:
+      #     - "orders"
+      #     - "payments"
+      #     - "notifications"
+      #   operation: read
+      #   permission: allow
+      #   state: present
+
+      # Example: role-based ACL (Enterprise RBAC)
+      # - role: "producers"
+      #   resource_type: topic
+      #   resource_name: "events-"
+      #   pattern_type: prefixed
+      #   operation: write
+      #   permission: allow
+      #   state: present
+
+      # Example: delete an ACL
+      # - principal: "User:old_user"
+      #   resource_type: topic
+      #   resource_name: "old-topic"
+      #   pattern_type: literal
+      #   operation: all
+      #   permission: allow
+      #   state: absent
+
+    # =========================================================================
+    # SCHEMA REGISTRY ACLs (Enterprise Feature)
+    # =========================================================================
+    # Define ACLs for Schema Registry resources
+    schema_registry_acls:
+      # Producer: write schemas for events-* subjects
+      - principal: "User:producer_app"
+        resource_type: subject
+        resource_name: "events-"
+        pattern_type: prefixed
+        operation: write
+        permission: allow
+        state: present
+
+      # Consumer: read schemas for events-* subjects
+      - principal: "User:consumer_app"
+        resource_type: subject
+        resource_name: "events-"
+        pattern_type: prefixed
+        operation: read
+        permission: allow
+        state: present
+
+      # Example: Schema admin with global access
+      # - principal: "User:schema_admin"
+      #   resource_type: global
+      #   operation: all
+      #   permission: allow
+      #   state: present
+
+  roles:
+    - role: redpanda.cluster.user_management

ansible/operation-apply-license.yml

@@ -5,32 +5,63 @@
   vars:
     rpk_bin: rpk
 
+    # SASL Authentication (optional)
+    # Set kafka_enable_authorization=true and provide credentials for SASL-enabled clusters
+    kafka_enable_authorization: false
+    admin_api_require_auth: false
+    sasl_superuser_username: "admin"
+    sasl_superuser_password: ""
+
+    # TLS Configuration (optional)
+    enable_tls: false
+    redpanda_truststore_file: /etc/redpanda/certs/truststore.pem
+
+    # Kafka port
+    redpanda_kafka_port: 9092
+
+    # Build rpk options based on configuration
+    rpk_opts: >-
+      -X brokers={{ hostvars[inventory_hostname].private_ip | default(ansible_default_ipv4.address) }}:{{ redpanda_kafka_port }}
+      {% if enable_tls | default(false) %}-X tls.enabled=true -X tls.ca={{ redpanda_truststore_file }}{% endif %}
+      {% if kafka_enable_authorization | default(false) and sasl_superuser_password != '' %}-X user={{ sasl_superuser_username }} -X pass={{ sasl_superuser_password }} -X sasl.mechanism=SCRAM-SHA-256{% endif %}
+
+    # Admin API options
+    rpk_admin_opts: >-
+      {% if enable_tls | default(false) %}-X admin.tls.enabled=true -X admin.tls.ca={{ redpanda_truststore_file }}{% endif %}
+      {% if admin_api_require_auth | default(false) and sasl_superuser_password != '' %}-X user={{ sasl_superuser_username }} -X pass={{ sasl_superuser_password }}{% endif %}
+
   tasks:
     - name: Check cluster health
       ansible.builtin.shell: |
-        {{ rpk_bin }} cluster health | grep -i 'healthy:' | tr -d '[:space:]' | awk -F ':' '{print tolower($2)}'
+        {{ rpk_bin }} cluster health {{ rpk_opts }} {{ rpk_admin_opts }} | grep -i 'healthy:' | tr -d '[:space:]' | awk -F ':' '{print tolower($2)}'
       register: health_check
       run_once: true
       failed_when: "health_check.stdout != 'true'"
       changed_when: false
+      no_log: "{{ kafka_enable_authorization | default(false) }}"
 
+    # License from string (direct value)
     - name: Set Redpanda license (string)
-      ansible.builtin.command: rpk cluster license set {{ redpanda_license }}
+      ansible.builtin.shell: "{{ rpk_bin }} cluster license set {{ redpanda_license }} {{ rpk_opts }} {{ rpk_admin_opts }}"
       run_once: true
       changed_when: false
       when:
         - redpanda_license is defined
+      no_log: true
 
+    # License from file path (file must exist on remote node)
     - name: Set Redpanda license (path)
-      ansible.builtin.command: rpk cluster license set --path {{ redpanda_license_path }}
+      ansible.builtin.shell: "{{ rpk_bin }} cluster license set --path {{ redpanda_license_path }} {{ rpk_opts }} {{ rpk_admin_opts }}"
       changed_when: false
       run_once: true
       when:
         - redpanda_license_path is defined
+      no_log: "{{ kafka_enable_authorization | default(false) }}"
 
     - name: Check broker status
       ansible.builtin.shell: |
-        {{ rpk_bin }} redpanda admin brokers list | grep -q 'active.*true'
+        {{ rpk_bin }} redpanda admin brokers list {{ rpk_admin_opts }} | grep -q 'active.*true'
       register: broker_status
       changed_when: false
       failed_when: broker_status.rc != 0
+      no_log: "{{ kafka_enable_authorization | default(false) }}"

ansible/operation-configure-logging.yml

@@ -5,15 +5,41 @@
   vars:
     rpk_bin: rpk
 
+    # SASL Authentication (optional)
+    # Set kafka_enable_authorization=true and provide credentials for SASL-enabled clusters
+    kafka_enable_authorization: false
+    admin_api_require_auth: false
+    sasl_superuser_username: "admin"
+    sasl_superuser_password: ""
+
+    # TLS Configuration (optional)
+    enable_tls: false
+    redpanda_truststore_file: /etc/redpanda/certs/truststore.pem
+
+    # Kafka port
+    redpanda_kafka_port: 9092
+
+    # Build rpk options based on configuration
+    rpk_opts: >-
+      -X brokers={{ hostvars[inventory_hostname].private_ip | default(ansible_default_ipv4.address) }}:{{ redpanda_kafka_port }}
+      {% if enable_tls | default(false) %}-X tls.enabled=true -X tls.ca={{ redpanda_truststore_file }}{% endif %}
+      {% if kafka_enable_authorization | default(false) and sasl_superuser_password != '' %}-X user={{ sasl_superuser_username }} -X pass={{ sasl_superuser_password }} -X sasl.mechanism=SCRAM-SHA-256{% endif %}
+
+    # Admin API options
+    rpk_admin_opts: >-
+      {% if enable_tls | default(false) %}-X admin.tls.enabled=true -X admin.tls.ca={{ redpanda_truststore_file }}{% endif %}
+      {% if admin_api_require_auth | default(false) and sasl_superuser_password != '' %}-X user={{ sasl_superuser_username }} -X pass={{ sasl_superuser_password }}{% endif %}
+
   tasks:
     - name: Check cluster health
       ansible.builtin.shell: |
         set -o pipefail
-        {{ rpk_bin }} cluster health | grep -i 'healthy:' | tr -d '[:space:]' | awk -F ':' '{print tolower($2)}'
+        {{ rpk_bin }} cluster health {{ rpk_opts }} {{ rpk_admin_opts }} | grep -i 'healthy:' | tr -d '[:space:]' | awk -F ':' '{print tolower($2)}'
       register: health_check
       run_once: true
       failed_when: "health_check.stdout != 'true'"
       changed_when: false
+      no_log: "{{ kafka_enable_authorization | default(false) }}"
 
     - name: Apply logging role
       ansible.builtin.include_role:
@@ -59,10 +85,11 @@
     - name: Check broker status
       ansible.builtin.shell: |
         set -o pipefail
-        {{ rpk_bin }} redpanda admin brokers list | grep -q 'active.*true'
+        {{ rpk_bin }} redpanda admin brokers list {{ rpk_admin_opts }} | grep -q 'active.*true'
       register: broker_status
       changed_when: false
       failed_when: broker_status.rc != 0
+      no_log: "{{ kafka_enable_authorization | default(false) }}"
 
     - name: Display logging configuration summary
       ansible.builtin.debug: