diff --git a/manifests/init.pp b/manifests/init.pp index 04f4198..f64e2f2 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -1,165 +1,186 @@ # Class: zookeeper # # This module manages ZooKeeper installation # # # Parameters: # * [global_outstanding_limit] Clients can submit requests faster than ZooKeeper can process them, # especially if there are a lot of clients. To prevent ZooKeeper from running out of memory due to # queued requests, ZooKeeper will throttle clients so that there is no more than globalOutstandingLimit # outstanding requests in the system # # # * [whitelist_4lw] Fine grained control over the set of commands ZooKeeper can execute # # whitelist_4lw = ['stat','ruok'] # class zookeeper ( # meta options String $ensure = $zookeeper::params::ensure, Variant[Boolean,String] $ensure_account = $zookeeper::params::ensure_account, Boolean $ensure_cron = $zookeeper::params::ensure_cron, String $group = $zookeeper::params::group, Boolean $system_group = $zookeeper::params::system_group, Array[String] $packages = $zookeeper::params::packages, String $shell = $zookeeper::params::shell, String $user = $zookeeper::params::user, Boolean $system_user = $zookeeper::params::system_user, # installation options Hash $archive_checksum = $zookeeper::params::archive_checksum, Optional[String] $archive_dl_site = $zookeeper::params::archive_dl_site, Integer $archive_dl_timeout = $zookeeper::params::archive_dl_timeout, Optional[String] $archive_dl_url = $zookeeper::params::archive_dl_url, String $archive_install_dir = $zookeeper::params::archive_install_dir, Boolean $archive_symlink = $zookeeper::params::archive_symlink, String $archive_symlink_name = $zookeeper::params::archive_symlink_name, String $archive_version = $zookeeper::params::archive_version, Optional[String] $proxy_server = $zookeeper::params::proxy_server, Optional[String] $proxy_type = $zookeeper::params::proxy_type, Optional[String] $cdhver = $zookeeper::params::cdhver, Boolean $install_java = $zookeeper::params::install_java, String $install_method = $zookeeper::params::install_method, String $java_bin = 
$zookeeper::params::java_bin, String $java_opts = $zookeeper::params::java_opts, Optional[String] $java_package = $zookeeper::params::java_package, Optional[Hash] $repo = $zookeeper::params::repo, # service options Boolean $manage_service = $zookeeper::params::manage_service, Boolean $manage_service_file = $zookeeper::params::manage_service_file, String $pid_dir = $zookeeper::params::pid_dir, Optional[String] $pid_file = $zookeeper::params::pid_file, Boolean $restart_on_change = $zookeeper::params::restart_on_change, String $service_ensure = $zookeeper::params::service_ensure, String $service_name = $zookeeper::params::service_name, Optional[String] $service_provider = $zookeeper::params::service_provider, Optional[String] $systemd_unit_want = $zookeeper::params::systemd_unit_want, String $systemd_unit_after = $zookeeper::params::systemd_unit_after, String $systemd_path = $zookeeper::params::systemd_path, String $zk_dir = $zookeeper::params::zk_dir, # zookeeper config String $cfg_dir = $zookeeper::params::cfg_dir, String $cleanup_sh = $zookeeper::params::cleanup_sh, Optional[String] $client_ip = $zookeeper::params::client_ip, Integer $client_port = $zookeeper::params::client_port, Optional[Integer] $secure_client_port = $zookeeper::params::secure_client_port, + Optional[Boolean] $ssl = $zookeeper::params::ssl, + Optional[String] $ssl_clientauth = $zookeeper::params::ssl_clientauth, + Optional[String] $keystore_location = $zookeeper::params::keystore_location, + Optional[String] $keystore_type = $zookeeper::params::keystore_type, + Optional[String] $keystore_password = $zookeeper::params::keystore_password, + Optional[String] $truststore_location = $zookeeper::params::truststore_location, + Optional[String] $truststore_type = $zookeeper::params::truststore_type, + Optional[String] $truststore_password = $zookeeper::params::truststore_password, + Optional[Boolean] $ssl_hostname_verification = $zookeeper::params::ssl_hostname_verification, + Optional[String] 
$ssl_ciphersuites = $zookeeper::params::ssl_ciphersuites, + Optional[String] $ssl_protocol = $zookeeper::params::ssl_protocol, + Optional[String] $keystore_quorum_location = $zookeeper::params::keystore_quorum_location, + Optional[String] $keystore_quorum_type = $zookeeper::params::keystore_quorum_type, + Optional[String] $keystore_quorum_password = $zookeeper::params::keystore_quorum_password, + Optional[String] $truststore_quorum_location = $zookeeper::params::truststore_quorum_location, + Optional[String] $truststore_quorum_type = $zookeeper::params::truststore_quorum_type, + Optional[String] $truststore_quorum_password = $zookeeper::params::truststore_quorum_password, + Optional[Boolean] $ssl_quorum_hostname_verification = $zookeeper::params::ssl_quorum_hostname_verification, + Optional[String] $ssl_quorum_ciphersuites = $zookeeper::params::ssl_quorum_ciphersuites, + Optional[String] $ssl_quorum_protocol = $zookeeper::params::ssl_quorum_protocol, + Optional[Boolean] $ssl_quorum = $zookeeper::params::ssl_quorum, Optional[Boolean] $port_unification = $zookeeper::params::port_unification, String $datastore = $zookeeper::params::datastore, Optional[String] $datalogstore = $zookeeper::params::datalogstore, Integer $election_port = $zookeeper::params::election_port, String $export_tag = $zookeeper::params::export_tag, String $id = $zookeeper::params::id, Integer $init_limit = $zookeeper::params::init_limit, Boolean $initialize_datastore = $zookeeper::params::initialize_datastore, String $initialize_datastore_bin = $zookeeper::params::initialize_datastore_bin, Boolean $leader = $zookeeper::params::leader, Integer $leader_port = $zookeeper::params::leader_port, String $log_dir = $zookeeper::params::log_dir, Boolean $manual_clean = $zookeeper::params::manual_clean, Optional[Integer] $max_session_timeout = $zookeeper::params::max_session_timeout, Optional[Integer] $min_session_timeout = $zookeeper::params::min_session_timeout, Array[String] $observers = 
$zookeeper::params::observers, Integer $purge_interval = $zookeeper::params::purge_interval, Variant[Array[String],Hash[String,String]] $servers = $zookeeper::params::servers, Integer $pre_alloc_size = $zookeeper::params::pre_alloc_size, Integer $snap_count = $zookeeper::params::snap_count, Integer $snap_retain_count = $zookeeper::params::snap_retain_count, Integer $sync_limit = $zookeeper::params::sync_limit, Integer $tick_time = $zookeeper::params::tick_time, Integer $global_outstanding_limit = $zookeeper::params::global_outstanding_limit, Boolean $use_sasl_auth = $zookeeper::params::use_sasl_auth, String $zoo_dir = $zookeeper::params::zoo_dir, String $zoo_main = $zookeeper::params::zoo_main, Boolean $quorum_listen_on_all_ips = $zookeeper::params::quorum_listen_on_all_ips, # log4j properties String $environment_file = $zookeeper::params::environment_file, String $log4j_prop = $zookeeper::params::log4j_prop, String $maxfilesize = $zookeeper::params::maxfilesize, Integer $maxbackupindex = $zookeeper::params::maxbackupindex, Optional[Integer] $max_allowed_connections = $zookeeper::params::max_allowed_connections, String $peer_type = $zookeeper::params::peer_type, String $rollingfile_threshold = $zookeeper::params::rollingfile_threshold, String $tracefile_threshold = $zookeeper::params::tracefile_threshold, String $console_threshold = $zookeeper::params::console_threshold, Hash[String,Hash[String,String]] $extra_appenders = $zookeeper::params::extra_appenders, # sasl options Hash[String, String] $sasl_users = $zookeeper::params::sasl_users, String $keytab_path = $zookeeper::params::keytab_path, String $principal = $zookeeper::params::principal, String $realm = $zookeeper::params::realm, Boolean $sasl_krb5 = $zookeeper::params::sasl_krb5, Boolean $store_key = $zookeeper::params::store_key, Boolean $use_keytab = $zookeeper::params::use_keytab, Boolean $use_ticket_cache = $zookeeper::params::use_ticket_cache, Boolean $remove_host_principal = 
$zookeeper::params::remove_host_principal, Boolean $remove_realm_principal = $zookeeper::params::remove_realm_principal, # four letter words whitelist Array[String] $whitelist_4lw = $zookeeper::params::whitelist_4lw, # Metrics Providers Optional[String] $metrics_provider_classname = $zookeeper::params::metrics_provider_classname, Integer $metrics_provider_http_port = $zookeeper::params::metrics_provider_http_port, Boolean $metrics_provider_export_jvm_info = $zookeeper::params::metrics_provider_export_jvm_info, ) inherits zookeeper::params { if $pid_file { $pid_path = $pid_file } else { $pid_path = "${pid_dir}/zookeeper.pid" } if $zookeeper::ensure_account { group { $group: ensure => $ensure_account, system => $system_group, } user { $user: ensure => $ensure_account, home => $datastore, comment => 'Zookeeper', gid => $group, shell => $shell, system => $system_user, require => Group[$group], } } include zookeeper::install include zookeeper::config anchor { 'zookeeper::start': } -> Class['zookeeper::install'] -> Class['zookeeper::config'] if ($use_sasl_auth) { include zookeeper::sasl Class['zookeeper::config'] -> Class['zookeeper::sasl'] -> Class['zookeeper::service'] } if ($manage_service) and ($service_provider != 'exhibitor') { include zookeeper::service Class['zookeeper::config'] -> Class['zookeeper::service'] -> Anchor['zookeeper::end'] } anchor { 'zookeeper::end': } } diff --git a/manifests/params.pp b/manifests/params.pp index 9c1d417..715e1ea 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
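Review bot: The new `$keystore_password`, `$truststore_password`, `$keystore_quorum_password` and `$truststore_quorum_password` parameters are typed `Optional[String]`, so the secrets travel through the catalog, reports and any `notice`/debug output in cleartext; Puppet's `Sensitive` type is the usual way to keep them out of logs, e.g. `Optional[Variant[String, Sensitive[String]]] $keystore_password = $zookeeper::params::keystore_password,` (the template would then have to unwrap the value before rendering it). The parameter header comment documents `global_outstanding_limit` and `whitelist_4lw` but none of the 21 SSL parameters; a short entry per group, such as `# * [ssl] Enable TLS on the secure client port (requires ZooKeeper >= 3.5.1); keystore/truststore parameters are only consulted when true`, would help callers. `$ssl` and `$ssl_quorum` are given `false` defaults in params.pp, so `Boolean` rather than `Optional[Boolean]` matches how they are used, and `$ssl_clientauth` could be narrowed to `Enum['none', 'want', 'need']`, the values ZooKeeper accepts for `ssl.clientAuth`.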
@@ -1,193 +1,214 @@ # OS specific configuration should be defined here # # PRIVATE CLASS - do not use directly (use main `zookeeper` class). class zookeeper::params { $_defaults = { 'packages' => ['zookeeper'], } $os_family = $facts['os']['family'] $os_name = $facts['os']['name'] $os_release = $facts['os']['release']['major'] case $os_family { 'Debian': { case $os_name { 'Debian', 'Ubuntu': { $initstyle = 'systemd' } default: { $initstyle = undef } } $_os_overrides = { 'packages' => ['zookeeper', 'zookeeperd'], 'service_name' => 'zookeeper', 'service_provider' => $initstyle, 'shell' => '/bin/false', 'initialize_datastore_bin' => '/usr/bin/zookeeper-server-initialize' } # 'environment' file probably read just by Debian # see #16, #81 $environment_file = 'environment' } 'RedHat': { case $os_name { 'RedHat', 'CentOS': { if versioncmp($os_release, '7') < 0 { $initstyle = 'redhat' } else { $initstyle = 'systemd' } } default: { $initstyle = undef } } $_os_overrides = { 'packages' => ['zookeeper', 'zookeeper-server'], 'service_name' => 'zookeeper-server', 'service_provider' => $initstyle, 'shell' => '/sbin/nologin', 'initialize_datastore_bin' => '/usr/bin/zookeeper-server-initialize' } $environment_file = 'java.env' } 'Suse': { case $os_name { 'SLES': { $initstyle = 'systemd' } default: { $initstyle = undef } } $_os_overrides = { 'packages' => ['zookeeper', 'zookeeper-server'], 'service_name' => 'zookeeper-server', 'service_provider' => $initstyle, 'shell' => '/bin/false', 'initialize_datastore_bin' => '/usr/bin/zookeeper-server-initialize' } $environment_file = 'java.env' } default: { fail("Module '${module_name}' is not supported on OS: '${os_name}', family: '${os_family}'") } } $_params = merge($_defaults, $_os_overrides) # meta options $ensure = present $ensure_account = present $ensure_cron = true $group = 'zookeeper' $system_group = false $packages = $_params['packages'] $shell = $_params['shell'] $user = 'zookeeper' $system_user = false # installation options 
$archive_checksum = {} $archive_dl_site = undef $archive_dl_timeout = 600 $archive_dl_url = undef $archive_install_dir = '/opt' $archive_symlink = true $archive_symlink_name = "${archive_install_dir}/zookeeper" $archive_version = '3.4.8' $cdhver = '5' $install_java = false $install_method = 'package' $java_bin = '/usr/bin/java' $java_opts = '' $java_package = undef $repo = undef $proxy_server = undef $proxy_type = undef # service options $manage_service = true $manage_service_file = false $pid_dir = '/var/run' $pid_file = undef $restart_on_change = true $service_ensure = 'running' $service_name = $_params['service_name'] $service_provider = $_params['service_provider'] # systemd_unit_want and _after can be overridden to # donate the matching directives in the [Unit] section $systemd_unit_want = undef $systemd_unit_after = 'network.target' $systemd_path = '/etc/systemd/system' $zk_dir = '/etc/zookeeper' # zookeeper config $cfg_dir = '/etc/zookeeper/conf' $cleanup_sh = '/usr/share/zookeeper/bin/zkCleanup.sh' $client_ip = undef # use e.g. 
$::ipaddress if you want to bind to single interface $client_port = 2181 $secure_client_port = undef + $ssl = false + $ssl_protocol = 'TLSv1.2' + $ssl_ciphersuites = '' + $ssl_hostname_verification = true + $ssl_clientauth = 'none' + $keystore_location = "/etc/zookeeper/conf/keystores/${::fqdn}.pem" + $keystore_type = 'PEM' + $keystore_password = undef + $truststore_location = '/etc/ssl/certs/ca-certificates.crt' + $truststore_type = 'PEM' + $truststore_password = undef + $keystore_quorum_location = "/etc/zookeeper/conf/keystores/${::fqdn}.pem" + $keystore_quorum_type = 'PEM' + $keystore_quorum_password = undef + $truststore_quorum_location = '/etc/ssl/certs/ca-certificates.crt' + $truststore_quorum_password = undef + $truststore_quorum_type = 'PEM' + $ssl_quorum_ciphersuites = '' + $ssl_quorum_hostname_verification = true + $ssl_quorum_protocol = 'TLSv1.2' + $ssl_quorum = false $quorum_listen_on_all_ips = false $port_unification = undef $datastore = '/var/lib/zookeeper' # datalogstore used to put transaction logs in separate location than snapshots $datalogstore = undef $election_port = 2888 $export_tag = 'zookeeper' $id = '1' $init_limit = 10 $initialize_datastore = false $initialize_datastore_bin = $_params['initialize_datastore_bin'] $leader = true $leader_port = 3888 $log_dir = '/var/log/zookeeper' $manual_clean = false $max_allowed_connections = undef $max_session_timeout = undef $min_session_timeout = undef $observers = [] # interval in hours, purging enabled when >= 1 $purge_interval = 0 $servers = [] $pre_alloc_size = 65536 $snap_count = 10000 # since zookeeper 3.4, for earlier version cron task might be used $snap_retain_count = 3 $sync_limit = 5 $tick_time = 2000 $global_outstanding_limit = 1000 $use_sasl_auth = false $zoo_dir = '/usr/lib/zookeeper' $zoo_main = 'org.apache.zookeeper.server.quorum.QuorumPeerMain' # log4j properties $log4j_prop = 'INFO,ROLLINGFILE' $peer_type = 'UNSET' $rollingfile_threshold = 'INFO' $console_threshold = 'INFO' 
$tracefile_threshold = 'TRACE' $maxfilesize = '256MB' $maxbackupindex = 20 $extra_appenders = {} # sasl options $sasl_krb5 = true $sasl_users = {} $keytab_path = '/etc/zookeeper/conf/zookeeper.keytab' $principal = "zookeeper/${facts['networking']['fqdn']}" $realm = pick($trusted['domain'], $trusted['certname'], 'puppet') $store_key = true $use_keytab = true $use_ticket_cache = false $remove_host_principal = false $remove_realm_principal = false # whitelist of Four Letter Words commands, see https://zookeeper.apache.org/doc/r3.4.12/zookeeperAdmin.html#sc_zkCommands $whitelist_4lw = [] # Metrics Providers $metrics_provider_classname = undef $metrics_provider_http_port = 7000 $metrics_provider_export_jvm_info = true } diff --git a/templates/conf/zoo.cfg.erb b/templates/conf/zoo.cfg.erb index 8d5e7fd..592d778 100644 --- a/templates/conf/zoo.cfg.erb +++ b/templates/conf/zoo.cfg.erb 
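Review bot: `$keystore_location` and `$keystore_quorum_location` interpolate the legacy top-scope `$::fqdn`, while `$principal` in the same class already uses `$facts['networking']['fqdn']`; the two lines should read `$keystore_location = "/etc/zookeeper/conf/keystores/${facts['networking']['fqdn']}.pem"` and likewise for the quorum keystore. The truststore defaults `/etc/ssl/certs/ca-certificates.crt` are the Debian CA-bundle path, yet this class carries per-family `$_os_overrides` precisely for such paths; RedHat and Suse hosts would need their own bundle location added there, or the default left `undef` so the template omits the line. Separately, with `$ssl = true` and the default `$ssl_clientauth = 'none'`, the secure port authenticates only the server, which is worth stating in a comment next to the default, e.g. `# 'none' means clients are not asked for a certificate; set 'need' for mutual TLS`.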
@@ -1,165 +1,230 @@ # http://hadoop.apache.org/zookeeper/docs/current/zookeeperAdmin.html # The number of milliseconds of each tick tickTime=<%= scope.lookupvar("zookeeper::tick_time") %> # The number of ticks that the initial # synchronization phase can take initLimit=<%= scope.lookupvar("zookeeper::init_limit") %> # The number of ticks that can pass between # sending a request and getting an acknowledgement syncLimit=<%= scope.lookupvar("zookeeper::sync_limit") %> # ZooKeeper will throttle clients so that there is no more than globalOutstandingLimit outstanding requests in the system. globalOutstandingLimit=<%= scope.lookupvar('zookeeper::global_outstanding_limit') %> # the directory where the snapshot is stored. dataDir=<%= scope.lookupvar("zookeeper::datastore") %> # Place the dataLogDir to a separate physical disc for better performance <% if ! [nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::datalogstore")) -%> dataLogDir=<%= scope.lookupvar("zookeeper::datalogstore") %> <% else -%> # dataLogDir=/disk2/zookeeper <% end -%> # the port at which the clients will connect clientPort=<%= scope.lookupvar("zookeeper::client_port") %> # interface to bind <% if ! [nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::client_ip")) -%> clientPortAddress=<%= scope.lookupvar("zookeeper::client_ip") %> <% else -%> #clientPortAddress= <% end -%> -# Supported since 3.5.1 -<% if ! [nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::secure_client_port")) -%> -secureClientPort=<%= scope.lookupvar("zookeeper::secure_client_port") %> -<% else -%> -#secureClientPort=2281 -<% end -%> -# Supported since 3.5.5 -<% if ! 
[nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::port_unification")) -%> -portUnification=<%= scope.lookupvar("zookeeper::port_unification") %> -<% end -%> - # specify all zookeeper servers # The first port is used by followers to connect to the leader # The second one is used for leader election #server.1=zookeeper1:2888:3888 #server.2=zookeeper2:2888:3888 #server.3=zookeeper3:2888:3888 <%- if scope.lookupvar("zookeeper::servers").is_a?(Hash) -%> <%- _servers = scope.lookupvar("zookeeper::servers") -%> <% else -%> <%# make sure @servers is a hash -%> <%- _servers = Hash.new -%> <%- scope.lookupvar("zookeeper::servers").map.each_with_index {|e, i| _servers[i + 1] = e } -%> <%- end -%> <%- _servers.each_pair do |id, host| -%> <%# make sure port is not included in hostname -%> <%- if host.index(':') -%> <%- host = host[0...(host.index(':'))] -%> <%- end -%> <%- if scope.lookupvar("zookeeper::observers").include? host -%> <%- observer_text=':observer' -%> <%- end -%> <%= "server.#{id}=#{host}:%s:%s%s" % [scope.lookupvar("zookeeper::election_port"), scope.lookupvar("zookeeper::leader_port"), observer_text ] %> <%- end -%> # Bind election_port and leader_port to all interfaces (0.0.0.0) quorumListenOnAllIPs=<%= scope.lookupvar("zookeeper::quorum_listen_on_all_ips") %> # To avoid seeks ZooKeeper allocates space in the transaction log file in # blocks of preAllocSize kilobytes. The default block size is 64M. One reason # for changing the size of the blocks is to reduce the block size if snapshots # are taken more often. (Also, see snapCount). preAllocSize=<%= scope.lookupvar("zookeeper::pre_alloc_size") %> # Clients can submit requests faster than ZooKeeper can process them, # especially if there are a lot of clients. To prevent ZooKeeper from running # out of memory due to queued requests, ZooKeeper will throttle clients so that # there is no more than globalOutstandingLimit outstanding requests in the # system. 
The default limit is 1,000.ZooKeeper logs transactions to a # transaction log. After snapCount transactions are written to a log file a # snapshot is started and a new transaction log file is started. The default # snapCount is 10,000. snapCount=<%= scope.lookupvar("zookeeper::snap_count") %> # If this option is defined, requests will be will logged to a trace file named # traceFile.year.month.day. #traceFile= # Leader accepts client connections. Default value is "yes". The leader machine # coordinates updates. For higher update throughput at thes slight expense of # read throughput the leader can be configured to not accept clients and focus # on coordination. <% if scope.lookupvar("zookeeper::leader") -%> leaderServes=yes <% else -%> leaderServes=no <% end -%> # Since 3.4.0: When enabled, ZooKeeper auto purge feature retains the autopurge. # snapRetainCount most recent snapshots and the corresponding transaction logs # in the dataDir and dataLogDir respectively and deletes the rest. # Defaults to 3. Minimum value is 3. autopurge.snapRetainCount=<%= scope.lookupvar("zookeeper::snap_retain_count") %> # Since 3.4.0: The time interval in hours for which the purge task has to be # triggered. Set to a positive integer (1 and above) to enable the auto purging. # Defaults to 0. autopurge.purgeInterval=<%= scope.lookupvar("zookeeper::purge_interval") %> # Maximum allowed connections <% if ! [nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::max_allowed_connections")) -%> maxClientCnxns=<%= scope.lookupvar("zookeeper::max_allowed_connections") %> <% else -%> #maxClientCnxns=60 <% end -%> <% if scope.lookupvar("zookeeper::peer_type") != 'UNSET' -%> # Zookeeper peer type peerType=<%= scope.lookupvar("zookeeper::peer_type") %> <% end -%> # The minimum session timeout in milliseconds that the server will allow the # client to negotiate. Defaults to 2 times the tickTime. <% if ! 
[nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::min_session_timeout")) -%> minSessionTimeout=<%= scope.lookupvar("zookeeper::min_session_timeout") %> <% else -%> #minSessionTimeout=2 <% end -%> # The maximum session timeout in milliseconds that the server will allow the # client to negotiate. Defaults to 20 times the tickTime. <% if ! [nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::max_session_timeout")) -%> maxSessionTimeout=<%= scope.lookupvar("zookeeper::max_session_timeout") %> <% else -%> #maxSessionTimeout=20 <% end -%> <% if scope.lookupvar("zookeeper::use_sasl_auth") -%> # Enable SASL authentication and use the default provider/renew provided by cloudera authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider jaasLoginRenew=3600000 <% if scope.lookupvar("zookeeper::remove_host_principal") -%> kerberos.removeHostFromPrincipal=true <% end -%> <% if scope.lookupvar("zookeeper::remove_realm_principal") -%> kerberos.removeRealmFromPrincipal=true <% end -%> <% end -%> +<% if scope.lookupvar("zookeeper::ssl") -%> +# Supported since 3.5.1 +<% if ! [nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::secure_client_port")) -%> +secureClientPort=<%= scope.lookupvar("zookeeper::secure_client_port") %> +<% else -%> +#secureClientPort=2281 +<% end -%> +# Supported since 3.5.5 +<% if ! 
[nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::port_unification")) -%> +portUnification=<%= scope.lookupvar("zookeeper::port_unification") %> +<% end -%> + +# Client TLS configuration +serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory +# Force TLS version +ssl.protocol=<%= scope.lookupvar("zookeeper::ssl_protocol") %> +# Hostname verification (default yes) +ssl.hostnameVerification=<%= scope.lookupvar("zookeeper::ssl_hostname_verification") %> +# Client authentication +ssl.clientAuth=<%= scope.lookupvar("zookeeper::ssl_clientauth") %> + +## Hint: if PEM is used, private key must be in PKCS#8 format +# Line must begin with "-----BEGIN PRIVATE KEY-----" +# and not "-----BEGIN RSA PRIVATE KEY-----" +# Client TLS configuration +ssl.keyStore.location=<%= scope.lookupvar("zookeeper::keystore_location") %> +ssl.keyStore.type=<%= scope.lookupvar("zookeeper::keystore_type") %> +<% if scope.lookupvar("zookeeper::keystore_password") %> +ssl.keyStore.password=<%= scope.lookupvar("zookeeper::keystore_password") %> +<% end -%> + + +## Hint: if PEM is used, private key must be in PKCS#8 format +# Line must begin with "-----BEGIN PRIVATE KEY-----" +# and not "-----BEGIN RSA PRIVATE KEY-----" +ssl.trustStore.location=<%= scope.lookupvar("zookeeper::truststore_location") %> +ssl.trustStore.type=<%= scope.lookupvar("zookeeper::keystore_type") %> +<% if scope.lookupvar("zookeeper::truststore_password") %> +ssl.trustStore.password=<%= scope.lookupvar("zookeeper::truststore_password") %> +<% end -%> +<% if scope.lookupvar("zookeeper::zookeeper:ssl_ciphersuites") %> +# Set allowed Ciphers +ssl.ciphersuites=<%= scope.lookupvar("zookeeper:ssl_ciphersuites") %> +<% end -%> + +# Server TLS configuration +sslQuorum=<%= scope.lookupvar("zookeeper::ssl_quorum") %> +# Force TLS version +ssl.quorum.protocol=<%= scope.lookupvar("zookeeper::ssl_quorum_protocol") %> +# Hostname verification from node to node (default yes) +ssl.quorum.hostnameVerification=<%= 
scope.lookupvar("zookeeper::ssl_quorum_hostname_verification") %> + +## Hint: if PEM is used, private key must be in PKCS#8 format +# Line must begin with "-----BEGIN PRIVATE KEY-----" +# and not "-----BEGIN RSA PRIVATE KEY-----" +ssl.quorum.keyStore.location=<%= scope.lookupvar("zookeeper::keystore_quorum_location") %> +ssl.quorum.keyStore.type=<%= scope.lookupvar("zookeeper::keystore_quorum_type") %> +<% if scope.lookupvar("zookeeper::keystore_keystore_quorum_password") %> +ssl.quorum.keyStore.password=<%= scope.lookupvar("zookeeper::keystore_quorum_password") %> +<% end -%> + +ssl.quorum.trustStore.type=<%= scope.lookupvar("zookeeper::keystore_quorum_type") %> +## Hint: if PEM is used, private key must be in PKCS#8 format +# Line must begin with "-----BEGIN PRIVATE KEY-----" +# and not "-----BEGIN RSA PRIVATE KEY-----" +ssl.quorum.trustStore.location=<%= scope.lookupvar("zookeeper::truststore_quorum_location") %> +<% if scope.lookupvar("zookeeper::truststore_quorum_password") %> +ssl.quorum.trustStore.password=<%= scope.lookupvar("zookeeper::truststore_quorum_password") %> +<% end -%> + +<% if scope.lookupvar("zookeeper::zookeeper:ssl_quorum_ciphersuites") %> +# Set allowed Ciphers +ssl.quorum.ciphersuites=<%=ssl.ciphersuites=scope.lookupvar("zookeeper:ssl_quorum_ciphersuites") %> +<% end -%> +<% end -%> + <% unless scope.lookupvar("zookeeper::whitelist_4lw").empty? 
-%> # Supported since 3.4.10 4lw.commands.whitelist=<%= scope.lookupvar("zookeeper::whitelist_4lw").join(',') %> <% end -%> # Supported since 3.6 ## Metrics Providers # # https://prometheus.io Metrics Exporter <% unless [nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::metrics_provider_classname")) -%> metricsProvider.className=<%= scope.lookupvar("zookeeper::metrics_provider_classname") %> metricsProvider.httpPort=<%= scope.lookupvar("zookeeper::metrics_provider_http_port") %> metricsProvider.exportJvmInfo=<%= scope.lookupvar("zookeeper::metrics_provider_export_jvm_info") %> <% else -%> #metricsProvider.className=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider #metricsProvider.httpPort=7000 #metricsProvider.exportJvmInfo=true <% end -%>
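Review bot: Both truststore type lines read the wrong variable — `ssl.trustStore.type` renders `zookeeper::keystore_type` and `ssl.quorum.trustStore.type` renders `zookeeper::keystore_quorum_type` — so `truststore_type`/`truststore_quorum_type` are never honoured and a JKS keystore paired with a PEM CA bundle cannot be expressed. The two ciphersuite blocks look up `zookeeper::zookeeper:ssl_ciphersuites` / `zookeeper:ssl_ciphersuites` (single colon, doubled namespace), the quorum keystore password looks up `zookeeper::keystore_keystore_quorum_password`, and the quorum cipher line contains a stray Ruby assignment `ssl.ciphersuites=` inside `<%= %>`; these render nothing under lenient settings and raise under `strict_variables` or when the branch is reached. Once the names are fixed, note that the params default `''` is truthy in Ruby, so a bare `if` would emit an empty `ssl.ciphersuites=`; the existing `[nil, :undefined, :undef]` idiom with `''` added handles that. The relocation of `secureClientPort`/`portUnification` under `if zookeeper::ssl` also means a caller setting only `secure_client_port` no longer gets the directive — presumably intended, but worth a line in the changelog.
```erb
<%# … unchanged: secureClientPort / portUnification / serverCnxnFactory / ssl.protocol / keyStore lines … %>
ssl.trustStore.location=<%= scope.lookupvar("zookeeper::truststore_location") %>
ssl.trustStore.type=<%= scope.lookupvar("zookeeper::truststore_type") %>
<%# … unchanged: ssl.trustStore.password … %>
<% unless [nil, :undefined, :undef, ''].include?(scope.lookupvar("zookeeper::ssl_ciphersuites")) -%>
# Set allowed Ciphers
ssl.ciphersuites=<%= scope.lookupvar("zookeeper::ssl_ciphersuites") %>
<% end -%>
<%# … unchanged: sslQuorum / ssl.quorum.protocol / hostnameVerification / quorum keyStore location,type … %>
<% if scope.lookupvar("zookeeper::keystore_quorum_password") -%>
ssl.quorum.keyStore.password=<%= scope.lookupvar("zookeeper::keystore_quorum_password") %>
<% end -%>
ssl.quorum.trustStore.type=<%= scope.lookupvar("zookeeper::truststore_quorum_type") %>
<%# … unchanged: ssl.quorum.trustStore.location / password … %>
<% unless [nil, :undefined, :undef, ''].include?(scope.lookupvar("zookeeper::ssl_quorum_ciphersuites")) -%>
# Set allowed Ciphers
ssl.quorum.ciphersuites=<%= scope.lookupvar("zookeeper::ssl_quorum_ciphersuites") %>
<% end -%>
```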