@vuldin vuldin commented Jan 31, 2026

Updates operation playbooks to support SASL-enabled clusters:

  • operation-rolling-restart.yml: Add rpk_opts/rpk_admin_opts for SASL auth
  • operation-apply-license.yml: Add SASL support for license application
  • operation-configure-logging.yml: Add SASL support for logging config

New playbooks:

  • provision-cluster-tls-sasl.yml: Deploy TLS + SASL enabled clusters
  • manage-sasl-users.yml: Manage SASL users and ACLs via user_management role

Testing Instructions

This PR requires testing alongside deployment-automation PR #243.

Prerequisites

  • GCP or AWS account with terraform access
  • SSH key pair
  • Redpanda Enterprise license file (for Schema Registry authorization features)

Setup

1. Clone and checkout both branches

# Clone deployment-automation and checkout SASL branch
git clone https://github.com/redpanda-data/deployment-automation.git
cd deployment-automation
git fetch origin pull/243/head:add-sasl
git checkout add-sasl

# Install ansible collection from PR branch
ansible-galaxy collection install git+https://github.com/redpanda-data/redpanda-ansible-collection.git,add-sasl --force -p artifacts/collections
ansible-galaxy install -r requirements.yml -p artifacts/roles

2. Create infrastructure (GCP example)

cd gcp
terraform init
terraform apply \
  -var='public_key_path=~/.ssh/your-key.pub' \
  -var='deployment_prefix=sasl-test' \
  -var='ssh_user=your-username' \
  -var='project_name=your-gcp-project' \
  -var='region=us-central1' \
  -var='machine_type=n2-standard-4' \
  -var='broker_count=3' \
  -var='client_count=0' \
  -var='enable_monitoring=false'
cd ..

3. Set environment variables

export CLOUD_PROVIDER=gcp
export DEPLOYMENT_PREFIX=sasl-test
export ANSIBLE_COLLECTIONS_PATH=${PWD}/artifacts/collections
export ANSIBLE_ROLES_PATH=${PWD}/artifacts/roles
export ANSIBLE_INVENTORY=${PWD}/artifacts/hosts_gcp_${DEPLOYMENT_PREFIX}.ini

# SASL credentials
export REDPANDA_SASL_PASSWORD="SecureAdminPass123"
export SR_SERVICE_PASSWORD="SecureSRPass123"
export PP_SERVICE_PASSWORD="SecurePPPass123"

4. Add license file (optional, required for Schema Registry authorization)

cp /path/to/redpanda.license .

Test Scenarios

Basic TLS + SASL Deployment

ansible-playbook ansible/provision-cluster-tls-sasl.yml \
  --private-key ~/.ssh/your-key \
  -i $ANSIBLE_INVENTORY

Verify:

# SSH to a broker
ssh -i ~/.ssh/your-key your-username@<broker-ip>

# Should fail without credentials
rpk cluster health

# Should succeed with credentials
rpk cluster health \
  -X tls.enabled=true \
  -X tls.ca=/etc/redpanda/certs/truststore.pem \
  -X user=admin \
  -X pass=SecureAdminPass123 \
  -X sasl.mechanism=SCRAM-SHA-256

# List users (should show admin, schema_registry_client, pandaproxy_client)
rpk security user list \
  -X tls.enabled=true \
  -X tls.ca=/etc/redpanda/certs/truststore.pem \
  -X user=admin \
  -X pass=SecureAdminPass123 \
  -X sasl.mechanism=SCRAM-SHA-256

User Management (requires collection PR merged first)

export PRODUCER_APP_PASSWORD="ProducerPass123"
export CONSUMER_APP_PASSWORD="ConsumerPass123"

ansible-playbook ansible/manage-sasl-users.yml \
  --private-key ~/.ssh/your-key \
  -i $ANSIBLE_INVENTORY

Verify:

# List users (should include producer_app, consumer_app)
rpk security user list \
  -X tls.enabled=true \
  -X tls.ca=/etc/redpanda/certs/truststore.pem \
  -X user=admin \
  -X pass=SecureAdminPass123 \
  -X sasl.mechanism=SCRAM-SHA-256

# List ACLs
rpk security acl list \
  -X tls.enabled=true \
  -X tls.ca=/etc/redpanda/certs/truststore.pem \
  -X user=admin \
  -X pass=SecureAdminPass123 \
  -X sasl.mechanism=SCRAM-SHA-256

Operation Playbooks with SASL

# Rolling restart
ansible-playbook ansible/operation-rolling-restart.yml \
  --private-key ~/.ssh/your-key \
  -i $ANSIBLE_INVENTORY \
  -e kafka_enable_authorization=true \
  -e sasl_superuser_password=$REDPANDA_SASL_PASSWORD \
  -e enable_tls=true

# Apply license
ansible-playbook ansible/operation-apply-license.yml \
  --private-key ~/.ssh/your-key \
  -i $ANSIBLE_INVENTORY \
  -e kafka_enable_authorization=true \
  -e sasl_superuser_password=$REDPANDA_SASL_PASSWORD \
  -e enable_tls=true \
  -e redpanda_license_key_file=/etc/redpanda/redpanda.license

Cleanup

cd gcp
terraform destroy \
  -var='public_key_path=~/.ssh/your-key.pub' \
  -var='deployment_prefix=sasl-test' \
  -var='ssh_user=your-username' \
  -var='project_name=your-gcp-project' \
  -var='region=us-central1'

Key Features to Verify

  • Bootstrap superuser created automatically on first deploy
  • Service accounts created for Schema Registry and HTTP Proxy
  • TLS + SASL work together
  • Unauthenticated access is denied
  • Authenticated access works with correct credentials
  • Rolling restart works with SASL-enabled cluster
  • User management role creates users and ACLs correctly

Updates operation playbooks to support SASL-enabled clusters:
- operation-rolling-restart.yml: Add rpk_opts/rpk_admin_opts for SASL auth
- operation-apply-license.yml: Add SASL support for license application
- operation-configure-logging.yml: Add SASL support for logging config

New playbooks:
- provision-cluster-tls-sasl.yml: Deploy TLS + SASL enabled clusters
- manage-sasl-users.yml: Manage SASL users and ACLs via user_management role

Usage: Pass SASL credentials via extra vars:
  -e "kafka_enable_authorization=true"
  -e "admin_api_require_auth=true"
  -e "sasl_superuser_username=admin"
  -e "sasl_superuser_password=<password>"
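The verification steps in the PR description put the superuser password on the rpk command line (`-X pass=...`), where `ps` and shell history record it. The script below is an added example, not code from this PR or from the redpanda-ansible-collection, that performs the same "denied anonymously, allowed with credentials" check and then audits the ACLs created for producer_app and consumer_app for least privilege. It relies on rpk's documented mapping of `-X` keys to `RPK_*` environment variables (`user`, `pass`, `sasl.mechanism`, `tls.enabled`, `tls.ca`, and the Admin API counterparts `admin.tls.enabled`, `admin.tls.ca`, since `rpk cluster health` and `rpk security user list` talk to the Admin API). The column order of `rpk security acl list` is assumed from rpk's table output, and `RPK` and `SASL_SUPERUSER` are variables of this script, not of the playbooks.

```shell
#!/usr/bin/env sh
# Post-deploy checks for a TLS + SASL Redpanda cluster.
# Added example; not code from this PR or the redpanda-ansible-collection.
# Assumes rpk's documented mapping of -X keys to RPK_* environment variables
# (user -> RPK_USER, pass -> RPK_PASS, sasl.mechanism -> RPK_SASL_MECHANISM,
# tls.enabled -> RPK_TLS_ENABLED, tls.ca -> RPK_TLS_CA, admin.tls.* -> RPK_ADMIN_TLS_*)
# so the password never appears in argv, where `ps` and shell history would keep it.
set -u

RPK="${RPK:-rpk}"   # indirection so a stub can stand in for rpk in tests

# Export the superuser credentials once; every rpk call below inherits them.
# SASL_SUPERUSER is a variable of this script, not of the playbooks.
sasl_env() {
  export RPK_TLS_ENABLED=true
  export RPK_TLS_CA="${RPK_TLS_CA:-/etc/redpanda/certs/truststore.pem}"
  export RPK_ADMIN_TLS_ENABLED=true          # cluster health / user list use the Admin API
  export RPK_ADMIN_TLS_CA="$RPK_TLS_CA"
  export RPK_SASL_MECHANISM=SCRAM-SHA-256
  export RPK_USER="${SASL_SUPERUSER:-admin}"
  export RPK_PASS="${REDPANDA_SASL_PASSWORD:?set REDPANDA_SASL_PASSWORD}"
}

# verify_sasl_gate <rpk args...>
# Returns 0 only if the call is rejected without credentials AND accepted with
# them. Passing only the second half means authentication is not enforced.
verify_sasl_gate() {
  if ( unset RPK_USER RPK_PASS; "$RPK" "$@" >/dev/null 2>&1 ); then
    echo "FAIL: '$*' succeeded without credentials" >&2
    return 1
  fi
  if ! "$RPK" "$@" >/dev/null 2>&1; then
    echo "FAIL: '$*' failed with credentials (check user, password, CA)" >&2
    return 1
  fi
  echo "OK: '$*' denied anonymously, allowed for $RPK_USER"
}

# audit_acls < table
# Reads `rpk security acl list` output and prints every ALLOW rule broader than
# an application account should hold. Column order PRINCIPAL HOST RESOURCE-TYPE
# RESOURCE-NAME RESOURCE-PATTERN-TYPE OPERATION PERMISSION is assumed from rpk's
# table output. Exit status 1 if anything was flagged.
audit_acls() {
  awk -v su="User:${SASL_SUPERUSER:-admin}" '
    NR == 1 || NF < 7 { next }        # header or malformed row
    $1 == su          { next }        # superusers bypass ACLs anyway
    $7 != "ALLOW"     { next }        # DENY rules only narrow access
    $1 == "User:*"    { print "any principal: " $0;                 bad = 1; next }
    $6 == "ALL"       { print "ALL operation for " $1 ": " $0;      bad = 1; next }
    $4 == "*"         { print "wildcard resource for " $1 ": " $0;  bad = 1; next }
    $3 == "CLUSTER"   { print "cluster-scope rule for " $1 ": " $0; bad = 1; next }
    END { exit (bad ? 1 : 0) }'
}

# run_checks: the sequence to run on a broker after provision-cluster-tls-sasl.yml
# and manage-sasl-users.yml. Not invoked automatically so the file can be sourced.
run_checks() {
  sasl_env
  verify_sasl_gate cluster health || return 1
  verify_sasl_gate security user list || return 1
  "$RPK" security acl list | audit_acls
}
```

Usage on a broker: `export REDPANDA_SASL_PASSWORD=...; . ./sasl-check.sh; run_checks`. Because the credentials travel in the environment, the same session can run any further rpk command without repeating the `-X` flags. The audit deliberately ignores DENY rules and the superuser (superusers bypass ACLs), so a finding always points at an application principal that was granted more than a producer or consumer needs.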