Hi,
There is one more thing to add to my article http://log-it.tech/2017/07/27/configure-kafka-truststore-keystore-using-puppet/
As is, the code copies the files on every Puppet run to the other nodes, the ones that do not contain the keystore generation code. To fix this I used yet another Puppet module, one that shares data between nodes; you can find it here https://github.com/WhatsARanjit/puppet-share_data
As far as I can tell it gets the job done. To use it you will need to add the following pieces of code to your repo. First, a custom fact:
require 'facter'

filename = '/home/kafka/kafka.server.keystore.jks'

# Reports "enabled" when the Kafka keystore already exists on this node,
# "disabled" otherwise; the value is what the other nodes will share.
Facter.add(:kafkakeystore) do
  setcode do
    File.file?(filename) ? 'enabled' : 'disabled'
  end
end
If the file is present, the setup is most likely already active. In the Kafka manifests, on the nodes that do not generate the keystore, we need to share the fact we just added, in this form:
# publish this node's fqdn and keystore state under the 'keystore' label
share_data { "${fqdn}":
  data  => [ $::fqdn, $::kafkakeystore ],
  label => 'keystore',
}
On the node that actually generates and copies the keystore, add the following to the class that does this (kafka_security_gen):
# every entry is the [fqdn, kafkakeystore] pair shared by one broker node
$data = share_data::retrieve('keystore')
$data.each |$item| {
  # copy only to known brokers that report no keystore yet
  # (member() comes from puppetlabs-stdlib)
  if (member($servers, $item[0]) and $item[1] == 'disabled') {
    exec { "copy files to ${item[0]}":
      cwd     => '/home/kafka',
      path    => '/usr/bin:/usr/sbin:/bin',
      command => "scp /home/kafka/kafka* kafka@${item[0]}:/home/kafka",
      user    => 'kafka',
    }
  }
}
This should ensure that Puppet does not try to copy the keystore to nodes that already have it. Now that I think of it, if you need to refresh the store this will be a problem, but I will think about a fix for that too and come back.
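For the refresh case, here is an added example that is not part of the original post: a custom fact (the name kafkakeystore_digest and the helper names are my assumptions) that reports the keystore's SHA-256 digest instead of enabled/disabled, plus a helper that picks the brokers whose copy differs from the generator's.

```ruby
# Added example, not code from the original post. Fact name
# 'kafkakeystore_digest' and the helper names are assumptions.
require 'digest'
begin
  require 'facter'
rescue LoadError
  # Facter is absent when this file runs under plain ruby (e.g. a unit test);
  # the fact registration below is skipped but the helpers remain usable.
end

KEYSTORE_PATH = '/home/kafka/kafka.server.keystore.jks'.freeze

# 'absent' when the keystore is missing, otherwise the hex SHA-256 of its bytes.
# A regenerated store changes the digest, which the enabled/disabled flag
# cannot express.
def keystore_digest(path = KEYSTORE_PATH)
  return 'absent' unless File.file?(path)
  Digest::SHA256.file(path).hexdigest
end

# shared: the [fqdn, digest] pairs retrieved through share_data from the other
# brokers; local_digest: this (generating) node's digest; servers: the known
# broker list. Returns the fqdns that need a (re)copy.
def stale_nodes(shared, local_digest, servers)
  # Nothing to push if the generator itself has no keystore yet.
  return [] if local_digest == 'absent'
  shared.select { |fqdn, digest| servers.include?(fqdn) && digest != local_digest }
        .map(&:first)
end

if defined?(Facter)
  Facter.add(:kafkakeystore_digest) do
    setcode { keystore_digest }
  end
end
```

With this fact shared through share_data in place of $::kafkakeystore, the manifest condition becomes `$item[1] != $::kafkakeystore_digest`, so a regenerated store is copied again while up-to-date nodes are left alone.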
Cheers!