Below are the supported variables for the role confluent.variables
Boolean to specify the become value for localhost, used when dealing with any file present on localhost/controller.
Default: false
Boolean to mask secrets in playbook output, defaults to true
Default: "{{mask_secrets}}"
Boolean to mask output generated by diff flag
Default: true
To copy from Ansible control host or download
Default: true
Boolean to enable Jolokia Agent installation and configuration on all components
Default: true
Full path to download the Jolokia Agent Jar
Default: /opt/jolokia/jolokia.jar
Authentication Mode for Jolokia Agent. Possible values: none, basic. If selecting basic, you must set jolokia_user and jolokia_password
Default: none
Username for Jolokia Agent when using Basic Auth
Default: admin
Password for Jolokia Agent when using Basic Auth
Default: password
To copy from Ansible control host or download
Default: true
Boolean to enable Prometheus Exporter Agent installation and configuration on all components
Default: false
Full path to download the Prometheus Exporter Agent Jar
Default: /opt/prometheus/jmx_prometheus_javaagent.jar
Boolean to have cp-ansible configure components with FIPS security settings. Must have ssl_enabled: true and use Java 8. Only valid for self signed certs and ssl_custom_certs: true, not ssl_provided_keystore_and_truststore: true.
Default: false
Boolean to enable cp-ansible's Custom Log4j Configuration across all components
Default: true
Boolean to configure Kerberos krb5.conf file, must also set kerberos.realm, kerberos.kdc_hostname, kerberos.admin_hostname, where kerberos is a dictionary
Default: true
Boolean to install commercially licensed confluent-server instead of community version: confluent-kafka
Default: true
Boolean to enable health checks on all components
Default: true
Boolean to enable health checks on Zookeeper
Default: "{{health_checks_enabled}}"
Boolean to enable health checks on Kafka
Default: "{{health_checks_enabled}}"
Boolean to enable health checks on Schema Registry
Default: "{{health_checks_enabled}}"
Boolean to enable health checks on Kafka Connect
Default: "{{health_checks_enabled}}"
Boolean to enable health checks on Rest Proxy
Default: "{{health_checks_enabled}}"
Boolean to enable health checks on ksqlDB
Default: "{{health_checks_enabled}}"
Boolean to enable health checks on Control Center
Default: "{{health_checks_enabled}}"
Boolean to configure Monitoring Interceptors on ksqlDB, Rest Proxy, and Connect. Defaults to true if Control Center in inventory. Enable if you wish to have monitoring interceptors to report to a centralized monitoring cluster.
Default: "{{ 'control_center' in groups }}"
The method of installation. Valid values are "package" or "archive". If "archive" is selected then services will not be installed via the use of yum or apt, but will instead be installed via expanding the target .tar.gz file from the Confluent archive into the path defined by archive_destination_path. Configuration files are also kept in this directory structure instead of /etc. SystemD service units are copied from the archive for each target service and overrides are created pointing at the new paths. The "package" installation method is the default behavior that utilizes yum/apt.
Default: "package"
The path the downloaded archive is expanded into. Using the default with a confluent_package_version of 5.5.1 results in the following installation path /opt/confluent/confluent-5.5.1/ that contains directories such as bin and share, but may be overridden using the binary_base_path property.
Default: "/opt/confluent"
Owner of the downloaded archive. Not mandatory to set.
Default: ""
Group Owner of the downloaded archive. Not mandatory to set.
Default: ""
If the installation_method is 'archive' then this will be the base path for the configuration files, otherwise configuration files are in the default /etc locations. For example, configuration files may be placed in /opt/confluent/etc using this variable.
Default: "{{ archive_destination_path }}"
If the installation_method is 'archive' then this will be the base path for the configuration files, otherwise configuration files are in the default /etc locations. For example, configuration files may be placed in /opt/confluent/etc using this variable.
Default: "{{ (archive_config_base_path | regex_replace('\/$','')) if installation_method == 'archive' else '/' }}"
Boolean to have cp-ansible download the Confluent CLI
Default: "{{rbac_enabled or secrets_protection_enabled}}"
The path the Confluent CLI archive is expanded into.
Default: /opt/confluent-cli
Full path on hosts for Confluent CLI symlink to executable
Default: "/usr/local/bin/confluent"
Confluent CLI version to download (e.g. "1.9.0"). Support matrix https://docs.confluent.io/platform/current/installation/versions-interoperability.html#confluent-cli
Default: 1.43.2
SASL Mechanism to set on all Kafka Listeners. Configures all components to use that mechanism for authentication. Possible options none, kerberos, plain, scram
Default: none
Boolean to configure components with TLS Encryption. Also manages Java Keystore creation
Default: false
Boolean to enable mTLS Authentication on all components. Configures all components to use mTLS for authentication into Kafka
Default: false
Boolean to create Keystores with Self Signed Certificates, defaults to true. Alternatively can use ssl_provided_keystore_and_truststore or ssl_custom_certs
Default: "{{ false if ssl_provided_keystore_and_truststore|bool or ssl_custom_certs|bool else true }}"
Boolean to have reruns of all.yml regenerate the certificate authority used for self signed certs
Default: true
Boolean to have reruns of all.yml recreate Keystores. Consider disabling this once installation is completed, as this triggers restarts.
Default: true
Boolean for TLS Encryption option to provide own Host Keystores.
Default: false
Full path to host specific keystore on ansible control node. Used with ssl_provided_keystore_and_truststore: true. May set per host, or use inventory_hostname variable eg "/tmp/certs/{{inventory_hostname}}-keystore.jks"
Default: ""
Keystore Key Password for host specific keystore. Used with ssl_provided_keystore_and_truststore: true. May set per host if keystores have unique passwords
Default: ""
Keystore Password for host specific keystore. Used with ssl_provided_keystore_and_truststore: true. May set per host if keystores have unique passwords
Default: ""
Full path to host specific truststore on ansible control node. Used with ssl_provided_keystore_and_truststore: true. Can share same keystore for all components if it contains all ca certs used to sign host certificates
Default: ""
Keystore Password for host specific truststore. Used with ssl_provided_keystore_and_truststore: true
Default: ""
Keystore alias for ca certificate
Default: ""
Boolean for TLS Encryption option to provide own Host Certificates. Must also set ssl_ca_cert_filepath, ssl_signed_cert_filepath, ssl_key_filepath, ssl_key_password
Default: false
Full path to CA Certificate Bundle on ansible control node. Used with ssl_custom_certs: true
Default: ""
Full path to host specific signed cert on ansible control node. Used with ssl_custom_certs: true. May set per host, or use inventory_hostname variable eg "/tmp/certs/{{inventory_hostname}}-signed.crt"
Default: ""
Full path to host specific key on ansible control node. Used with ssl_custom_certs: true. May set per host, or use inventory_hostname variable eg "/tmp/certs/{{inventory_hostname}}-key.pem"
Default: ""
Password to host specific key. Do not set if key does not require password. Used with ssl_custom_certs: true.
Default: ""
Boolean stating certs and keys are already on hosts. Used with ssl_custom_certs: true.
Default: false
Only use to customize Linux User Zookeeper Service runs with. User must exist on host.
Default: "{{zookeeper_default_user}}"
Only use to customize Linux Group Zookeeper Service user belongs to. Group must exist on host.
Default: "{{zookeeper_default_group}}"
Boolean to configure zookeeper with TLS Encryption. Also manages Java Keystore creation
Default: "{{ssl_enabled}}"
Boolean to enable mTLS Authentication on Zookeeper (Server to Server and Client to Server). Configures kafka to authenticate with mTLS.
Default: "{{ssl_mutual_auth_enabled}}"
Port for Kafka to Zookeeper connections. NOTE- 2181 will be configured for zk health checks
Default: "{{'2182' if zookeeper_ssl_enabled|bool else '2181'}}"
SASL Mechanism for Zookeeper Server to Server and Server to Client Authentication. Options are none, kerberos, digest. Server to server auth only working for digest-md5
Default: "{{sasl_protocol if sasl_protocol == 'kerberos' else 'none'}}"
Boolean to enable Jolokia Agent installation and configuration on zookeeper
Default: "{{jolokia_enabled}}"
Port to expose jolokia metrics. Beware of port collisions if colocating components on same host
Default: 7770
Boolean to enable TLS encryption on Zookeeper jolokia metrics
Default: "{{ zookeeper_ssl_enabled }}"
Path on Zookeeper host for Jolokia Configuration file
Default: "{{ (config_base_path, 'etc/kafka/zookeeper_jolokia.properties' ) | community.general.path_join }}"
Authentication Mode for Zookeeper's Jolokia Agent. Possible values: none, basic. If selecting basic, you must set zookeeper_jolokia_user and zookeeper_jolokia_password
Default: "{{jolokia_auth_mode}}"
Username for Zookeeper's Jolokia Agent when using Basic Auth
Default: "{{jolokia_user}}"
Password for Zookeeper's Jolokia Agent when using Basic Auth
Default: "{{jolokia_password}}"
Boolean to enable Prometheus Exporter Agent installation and configuration on zookeeper
Default: "{{jmxexporter_enabled}}"
Port to expose prometheus metrics. Beware of port collisions if colocating components on same host
Default: 8079
Zookeeper peer port
Default: 2888
Zookeeper leader port
Default: 3888
Use to copy files from control node to zookeeper hosts. Set to list of dictionaries with keys: source_path (full path of file on control node) and destination_path (full path to copy file to). Optionally specify directory_mode (default: '750') and file_mode (default: '640') to set directory and file permissions.
Default: []
Use to set custom zookeeper properties. This variable is a dictionary. Put values true/false in quotation marks to preserve case. NOTE- zookeeper.properties is deprecated.
Default: "{{ zookeeper.properties }}"
Boolean to configure more than one kafka listener. Defaults to true. NOTE- kafka_broker_configure_additional_brokers is deprecated
Default: "{{kafka_broker_configure_additional_brokers}}"
Only use to customize Linux User Kafka Service runs with. User must exist on host.
Default: "{{kafka_broker_default_user}}"
Only use to customize Linux Group Kafka Service user belongs to. Group must exist on host.
Default: "{{kafka_broker_default_group}}"
Boolean to configure Schema Validation on Kafka
Default: true
Boolean to enable Jolokia Agent installation and configuration on kafka
Default: "{{jolokia_enabled}}"
Port to expose kafka jolokia metrics. Beware of port collisions if colocating components on same host
Default: 7771
Boolean to enable TLS encryption on Kafka jolokia metrics
Default: "{{ ssl_enabled }}"
Path on Kafka host for Jolokia Configuration file
Default: "{{ (config_base_path,'etc/kafka/kafka_jolokia.properties') | community.general.path_join }}"
Authentication Mode for Kafka's Jolokia Agent. Possible values: none, basic. If selecting basic, you must set kafka_broker_jolokia_user and kafka_broker_jolokia_password
Default: "{{jolokia_auth_mode}}"
Username for Kafka's Jolokia Agent when using Basic Auth
Default: "{{jolokia_user}}"
Password for Kafka's Jolokia Agent when using Basic Auth
Default: "{{jolokia_password}}"
Boolean to enable Prometheus Exporter Agent installation and configuration on kafka
Default: "{{jmxexporter_enabled}}"
Port to expose prometheus metrics. Beware of port collisions if colocating components on same host
Default: 8080
Use to copy files from control node to kafka hosts. Set to list of dictionaries with keys: source_path (full path of file on control node) and destination_path (full path to copy file to). Optionally specify directory_mode (default: '750') and file_mode (default: '640') to set directory and file permissions.
Default: []
Replication Factor for internal topics. Defaults to the minimum of the number of brokers and 3
Default: "{{ [ groups['kafka_broker'] | default(['localhost']) | length, 3 ] | min }}"
Boolean to enable the kafka's metrics reporter. Defaults to true if Control Center in inventory. Enable if you wish to have metrics reported to a centralized monitoring cluster.
Default: "{{ 'control_center' in groups }}"
Use to set custom kafka properties. This variable is a dictionary. Put values true/false in quotation marks to preserve case. NOTE- kafka_broker.properties is deprecated.
Default: "{{ kafka_broker.properties }}"
Boolean to enable the embedded rest proxy within Kafka. NOTE- Embedded Rest Proxy must be enabled if RBAC is enabled and Confluent Server must be enabled
Default: "{{confluent_server_enabled}}"
Only use to customize Linux User Schema Registry Service runs with. User must exist on host.
Default: "{{schema_registry_default_user}}"
Only use to customize Linux Group Schema Registry Service user belongs to. Group must exist on host.
Default: "{{schema_registry_default_group}}"
Port Schema Registry API exposed over
Default: 8081
Boolean to configure schema registry with TLS Encryption. Also manages Java Keystore creation
Default: "{{ssl_enabled}}"
Boolean to enable mTLS Authentication on Schema Registry
Default: "{{ ssl_mutual_auth_enabled }}"
Boolean to enable Jolokia Agent installation and configuration on schema registry
Default: "{{jolokia_enabled}}"
Port to expose schema registry jolokia metrics. Beware of port collisions if colocating components on same host
Default: 7772
Boolean to enable TLS encryption on Schema Registry jolokia metrics
Default: "{{ schema_registry_ssl_enabled }}"
Path on Schema Registry host for Jolokia Configuration file
Default: "{{ (config_base_path,'etc/schema-registry/schema_registry_jolokia.properties') | community.general.path_join }}"
Authentication Mode for Schema Registry's Jolokia Agent. Possible values: none, basic. If selecting basic, you must set schema_registry_jolokia_user and schema_registry_jolokia_password
Default: "{{jolokia_auth_mode}}"
Username for Schema Registry's Jolokia Agent when using Basic Auth
Default: "{{jolokia_user}}"
Password for Schema Registry's Jolokia Agent when using Basic Auth
Default: "{{jolokia_password}}"
Boolean to enable Prometheus Exporter Agent installation and configuration on schema registry
Default: "{{jmxexporter_enabled}}"
Port to expose prometheus metrics. Beware of port collisions if colocating components on same host
Default: 8078
Use to copy files from control node to schema registry hosts. Set to list of dictionaries with keys: source_path (full path of file on control node) and destination_path (full path to copy file to). Optionally specify directory_mode (default: '750') and file_mode (default: '640') to set directory and file permissions.
Default: []
Use to set custom schema registry properties. This variable is a dictionary. Put values true/false in quotation marks to preserve case. NOTE- kafka_broker.properties is deprecated.
Default: "{{ schema_registry.properties }}"
Only use to customize Linux User Rest Proxy Service runs with. User must exist on host.
Default: "{{kafka_rest_default_user}}"
Only use to customize Linux Group Rest Proxy Service user belongs to. Group must exist on host.
Default: "{{kafka_rest_default_group}}"
Port Rest Proxy API exposed over
Default: 8082
Boolean to configure Rest Proxy with TLS Encryption. Also manages Java Keystore creation
Default: "{{ssl_enabled}}"
Boolean to enable mTLS Authentication on Rest Proxy
Default: "{{ ssl_mutual_auth_enabled }}"
Boolean to enable Jolokia Agent installation and configuration on Rest Proxy
Default: "{{jolokia_enabled}}"
Port to expose Rest Proxy jolokia metrics. Beware of port collisions if colocating components on same host
Default: 7775
Boolean to enable TLS encryption on Rest Proxy jolokia metrics
Default: "{{ kafka_rest_ssl_enabled }}"
Path on Rest Proxy host for Jolokia Configuration file
Default: "{{ (config_base_path,'etc/kafka-rest/kafka_rest_jolokia.properties') | community.general.path_join }}"
Authentication Mode for Rest Proxy's Jolokia Agent. Possible values: none, basic. If selecting basic, you must set schema_registry_jolokia_user and schema_registry_jolokia_password
Default: "{{jolokia_auth_mode}}"
Username for Rest Proxy's Jolokia Agent when using Basic Auth
Default: "{{jolokia_user}}"
Password for Rest Proxy's Jolokia Agent when using Basic Auth
Default: "{{jolokia_password}}"
Boolean to enable Prometheus Exporter Agent installation and configuration on Rest Proxy
Default: "{{jmxexporter_enabled}}"
Port to expose prometheus metrics. Beware of port collisions if colocating components on same host
Default: 8075
Use to copy files from control node to schema registry hosts. Set to list of dictionaries with keys: source_path (full path of file on control node) and destination_path (full path to copy file to). Optionally specify directory_mode (default: '750') and file_mode (default: '640') to set directory and file permissions.
Default: []
Use to set custom Rest Proxy properties. This variable is a dictionary. Put values true/false in quotation marks to preserve case. NOTE- kafka_rest.properties is deprecated.
Default: "{{ kafka_rest.properties }}"
Boolean to configure Monitoring Interceptors on Rest Proxy.
Default: "{{ monitoring_interceptors_enabled }}"
Only use to customize Linux User Connect Service runs with. User must exist on host.
Default: "{{kafka_connect_default_user}}"
Only use to customize Linux Group Connect Service user belongs to. Group must exist on host.
Default: "{{kafka_connect_default_group}}"
Port Connect API exposed over
Default: 8083
Boolean to configure Connect with TLS Encryption. Also manages Java Keystore creation
Default: "{{ssl_enabled}}"
Boolean to enable mTLS Authentication on Connect
Default: "{{ ssl_mutual_auth_enabled }}"
Additional set of Connect extension classes.
Default: []
Boolean to enable Jolokia Agent installation and configuration on Connect
Default: "{{jolokia_enabled}}"
Port to expose Connect jolokia metrics. Beware of port collisions if colocating components on same host
Default: 7773
Boolean to enable TLS encryption on Connect jolokia metrics
Default: "{{ kafka_connect_ssl_enabled }}"
Path on Connect host for Jolokia Configuration file
Default: "{{ (config_base_path,'etc/kafka/kafka_connect_jolokia.properties') | community.general.path_join }}"
Authentication Mode for Connect's Jolokia Agent. Possible values: none, basic. If selecting basic, you must set schema_registry_jolokia_user and schema_registry_jolokia_password
Default: "{{jolokia_auth_mode}}"
Username for Connect's Jolokia Agent when using Basic Auth
Default: "{{jolokia_user}}"
Password for Connect's Jolokia Agent when using Basic Auth
Default: "{{jolokia_password}}"
Boolean to enable Prometheus Exporter Agent installation and configuration on Connect
Default: "{{jmxexporter_enabled}}"
Port to expose connect prometheus metrics. Beware of port collisions if colocating components on same host
Default: 8077
Use to copy files from control node to connect hosts. Set to list of dictionaries with keys: source_path (full path of file on control node) and destination_path (full path to copy file to). Optionally specify directory_mode (default: '750') and file_mode (default: '640') to set directory and file permissions.
Default: []
Connect Service Group Id. Customize when configuring multiple connect clusters in same inventory
Default: connect-cluster
Replication Factor for connect internal topics. Defaults to the minimum of the number of brokers and 3
Default: "{{ [ groups['kafka_broker'] | default(['localhost']) | length, 3 ] | min }}"
Boolean to enable and configure Connect Secret Registry
Default: "{{rbac_enabled}}"
Connect Secret Registry Key
Default: 39ff95832750c0090d84ddf5344583832efe91ef
Use to set custom Connect properties. This variable is a dictionary. Put values true/false in quotation marks to preserve case. NOTE- kafka_connect.properties is deprecated.
Default: "{{ kafka_connect.properties }}"
Boolean to configure Monitoring Interceptors on Connect.
Default: "{{ monitoring_interceptors_enabled }}"
Only use to customize Linux User ksqlDB Service runs with. User must exist on host.
Default: "{{ksql_default_user}}"
Only use to customize Linux Group ksqlDB Service user belongs to. Group must exist on host.
Default: "{{ksql_default_group}}"
Port ksqlDB API exposed over
Default: 8088
Boolean to configure ksqlDB with TLS Encryption. Also manages Java Keystore creation
Default: "{{ssl_enabled}}"
Boolean to enable mTLS Authentication on ksqlDB
Default: "{{ ssl_mutual_auth_enabled }}"
Boolean to enable Jolokia Agent installation and configuration on ksqlDB
Default: "{{jolokia_enabled}}"
Port to expose ksqlDB jolokia metrics. Beware of port collisions if colocating components on same host
Default: 7774
Boolean to enable TLS encryption on ksqlDB jolokia metrics
Default: "{{ ksql_ssl_enabled }}"
Path on ksqlDB host for Jolokia Configuration file
Default: "{{ (config_base_path,((confluent_package_version is version('5.5.0', '>=')) | ternary('etc/ksqldb/ksql_jolokia.properties' , 'etc/ksql/ksql_jolokia.properties'))) | community.general.path_join }}"
Authentication Mode for ksqlDB's Jolokia Agent. Possible values: none, basic. If selecting basic, you must set schema_registry_jolokia_user and schema_registry_jolokia_password
Default: "{{jolokia_auth_mode}}"
Username for ksqlDB's Jolokia Agent when using Basic Auth
Default: "{{jolokia_user}}"
Password for ksqlDB's Jolokia Agent when using Basic Auth
Default: "{{jolokia_password}}"
Boolean to enable Prometheus Exporter Agent installation and configuration on ksqlDB
Default: "{{jmxexporter_enabled}}"
Port to expose ksqlDB prometheus metrics. Beware of port collisions if colocating components on same host
Default: 8076
Use to copy files from control node to ksqlDB hosts. Set to list of dictionaries with keys: source_path (full path of file on control node) and destination_path (full path to copy file to). Optionally specify directory_mode (default: '750') and file_mode (default: '640') to set directory and file permissions.
Default: []
Replication Factor for ksqlDB internal topics. Defaults to the minimum of the number of brokers and 3
Default: "{{ [ groups['kafka_broker'] | default(['localhost']) | length, 3 ] | min }}"
ksqlDB Service ID. Use when configuring multiple ksqldb clusters in the same inventory file.
Default: default_
Use to set custom ksqlDB properties. This variable is a dictionary. Put values true/false in quotation marks to preserve case. NOTE- ksql.properties is deprecated.
Default: "{{ ksql.properties }}"
Boolean to configure Monitoring Interceptors on ksqlDB.
Default: "{{ monitoring_interceptors_enabled }}"
Boolean to enable ksqlDB Log Streaming.
Default: false
Only use to customize Linux User Control Center Service runs with. User must exist on host.
Default: "{{control_center_default_user}}"
Only use to customize Linux Group Control Center Service user belongs to. Group must exist on host.
Default: "{{control_center_default_group}}"
Port Control Center exposed over
Default: 9021
Interface on host for Control Center to listen on
Default: "0.0.0.0"
Boolean to configure Control Center with TLS Encryption. Also manages Java Keystore creation
Default: "{{ssl_enabled}}"
Use to copy files from control node to Control Center hosts. Set to list of dictionaries with keys: source_path (full path of file on control node) and destination_path (full path to copy file to). Optionally specify directory_mode (default: '750') and file_mode (default: '640') to set directory and file permissions.
Default: []
Replication Factor for Control Center internal topics. Defaults to the minimum of the number of brokers and 3
Default: "{{ [ groups['kafka_broker'] | default(['localhost']) | length, 3 ] | min }}"
Use to set custom Control Center properties. This variable is a dictionary. Put values true/false in quotation marks to preserve case. NOTE- control_center.properties is deprecated.
Default: "{{ control_center.properties }}"
Boolean to configure Confluent Platform with RBAC enabled. Creates Rolebindings for all components to function
Default: false
Port to expose MDS Server API on
Default: 8090
Boolean to configure TLS encryption on the Broker Rest endpoint. NOTE- mds_ssl_enabled is now deprecated
Default: "{{mds_ssl_enabled}}"
LDAP User which will be granted super user permissions to create role bindings in the MDS
Default: mds
Password to mds_super_user LDAP User
Default: password
LDAP User for Kafka's Embedded Rest Service to authenticate as
Default: "{{mds_super_user}}"
Password to kafka_broker_ldap_user LDAP User
Default: "{{mds_super_user_password}}"
Unique advertised hostname for Metadata Server
Default: ""
LDAP User for Schema Registry to authenticate as
Default: schema-registry
Password to schema_registry_ldap_user LDAP User
Default: password
LDAP User for Connect to authenticate as
Default: connect
Password to kafka_connect_ldap_user LDAP User
Default: password
LDAP User for ksqlDB to authenticate as
Default: ksql
Password to ksql_ldap_user LDAP User
Default: password
LDAP User for Rest Proxy to authenticate as
Default: kafka-rest
Password to kafka_rest_ldap_user LDAP User
Default: password
LDAP User for Control Center to authenticate as
Default: control-center
Password to control_center_ldap_user LDAP User
Default: password
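Added example (not part of cp-ansible or of the original page): a check over the inventory variables you set that reports which credentials still resolve to the defaults documented above, covering both the Jolokia Basic Auth entries and the LDAP user passwords. The function names audit and effective are hypothetical; it assumes only plain "{{var}}" references need resolving (not full Jinja expressions) and that each component's Jolokia auth mode inherits jolokia_auth_mode, as the defaults on this page do.

```python
import re

# Defaults copied from this page, limited to variables the page names.
DOCUMENTED_DEFAULTS = {
    "jolokia_enabled": True,
    "jolokia_auth_mode": "none",
    "jolokia_user": "admin",
    "jolokia_password": "password",
    "zookeeper_jolokia_password": "{{jolokia_password}}",
    "kafka_broker_jolokia_password": "{{jolokia_password}}",
    "schema_registry_jolokia_password": "{{jolokia_password}}",
    "rbac_enabled": False,
    "mds_super_user_password": "password",
    "schema_registry_ldap_password": "password",
    "kafka_connect_ldap_password": "password",
    "ksql_ldap_password": "password",
    "kafka_rest_ldap_password": "password",
}

# Matches a value that is exactly one variable reference, e.g. "{{ jolokia_password }}".
_REF = re.compile(r"^\{\{\s*(\w+)\s*\}\}$")


def effective(name, overrides, _seen=()):
    """Value `name` ends up with: inventory override first, then the documented
    default, following plain {{var}} references (with a guard against cycles)."""
    value = overrides.get(name, DOCUMENTED_DEFAULTS.get(name))
    match = _REF.match(value) if isinstance(value, str) else None
    if match:
        ref = match.group(1)
        known = ref in overrides or ref in DOCUMENTED_DEFAULTS
        if known and ref != name and ref not in _seen:
            return effective(ref, overrides, _seen + (name,))
    return value


def _enabled(name, overrides):
    # Inventories may carry booleans as real bools or as strings ("true", "yes").
    return str(effective(name, overrides)).strip().lower() in ("true", "yes", "1")


def audit(overrides):
    """Return (variable, reason) pairs for credentials left at documented defaults.
    A default password is reported only when the feature that uses it is active."""
    findings = []
    jolokia_on = _enabled("jolokia_enabled", overrides)
    jolokia_auth = effective("jolokia_auth_mode", overrides)
    rbac_on = _enabled("rbac_enabled", overrides)

    if jolokia_on and jolokia_auth == "none":
        findings.append(("jolokia_auth_mode",
                         "Jolokia agents enabled without authentication"))

    for name in DOCUMENTED_DEFAULTS:
        if not name.endswith("_password"):
            continue
        if effective(name, overrides) != "password":
            continue
        if "jolokia" in name:
            in_use = jolokia_on and jolokia_auth == "basic"
        else:
            in_use = rbac_on  # LDAP passwords are used once RBAC is enabled
        if in_use:
            findings.append((name,
                             "still resolves to the documented default 'password'"))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory: RBAC on, only the MDS super user overridden.
    sample = {
        "rbac_enabled": "true",
        "mds_super_user_password": "{{ vault_mds_password }}",
        "vault_mds_password": "constructed-sample-value",
    }
    for variable, reason in audit(sample):
        print(f"{variable}: {reason}")
```
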
Boolean to describe if kafka group should be configured with an External MDS Kafka Cluster. If set to true, you must also set mds_broker_bootstrap_servers, mds_broker_listener, kafka_broker_rest_ssl_enabled
Default: false
Kafka hosts and listener ports on the Kafka Cluster acting as an external MDS Server. mds_broker_listener dictionary must describe its security settings. Must be configured if external_mds_enabled: true
Default: localhost:9092
Listener Dictionary that describes how kafka clusters connect to MDS Kafka cluster. Make sure it contains the keys: ssl_enabled, ssl_mutual_auth_enabled, sasl_protocol
Default:
Comma separated urls for mds servers. Only set if external_mds_enabled: true
Default: "{{mds_http_protocol}}://{{ groups['kafka_broker'] | default(['localhost']) | join(':' + mds_port|string + ',' + mds_http_protocol + '://') }}:{{mds_port}}"
List of users to be granted system admin Role Bindings across all components
Default: []
List of users to be granted system admin Role Bindings on the Kafka Cluster
Default: "{{rbac_component_additional_system_admins}}"
List of users to be granted system admin Role Bindings on the Schema Registry Cluster
Default: "{{rbac_component_additional_system_admins}}"
List of users to be granted system admin Role Bindings on the ksqlDB Cluster
Default: "{{rbac_component_additional_system_admins}}"
List of users to be granted system admin Role Bindings on the Connect Cluster
Default: "{{rbac_component_additional_system_admins}}"
List of users to be granted system admin Role Bindings on the Control Center Cluster
Default: "{{rbac_component_additional_system_admins}}"
Boolean to enable secrets protection on all components except Zookeeper
Default: false
Boolean to Recreate Secrets File and Masterkey. Only set to false AFTER first cp-ansible run.
Default: true
Masterkey generated by the Confluent Secret CLI. If empty and secrets protection is enabled, then a master key will be randomly generated.
Default: ""
Security file generated by the Confluent Secret CLI. If empty and secrets protection is enabled, then a security file will be randomly generated.
Default: generated_ssl_files/security.properties
Boolean to enable secrets protection in Kafka broker.
Default: "{{secrets_protection_enabled}}"
Boolean to encrypt all properties containing 'password' for Kafka.
Default: "{{kafka_broker_secrets_protection_enabled}}"
List of Kafka properties to encrypt. Can be used in addition to kafka_broker_secrets_protection_encrypt_passwords.
Default: []
Boolean to enable secrets protection in schema registry.
Default: "{{secrets_protection_enabled}}"
Boolean to encrypt all properties containing 'password' for Schema Registry.
Default: "{{schema_registry_secrets_protection_enabled}}"
List of Schema Registry properties to encrypt. Can be used in addition to schema_registry_secrets_protection_encrypt_passwords.
Default: []
Boolean to enable secrets protection in Connect.
Default: "{{secrets_protection_enabled}}"
Boolean to encrypt all properties containing 'password' for Connect.
Default: "{{kafka_connect_secrets_protection_enabled}}"
List of Connect properties to encrypt. Can be used in addition to kafka_connect_secrets_protection_encrypt_passwords.
Default: []
Boolean to enable secrets protection in Rest Proxy.
Default: "{{secrets_protection_enabled}}"
Boolean to encrypt all properties containing 'password' for Rest Proxy.
Default: "{{kafka_rest_secrets_protection_enabled}}"
List of Rest Proxy properties to encrypt. Can be used in addition to kafka_rest_secrets_protection_encrypt_passwords.
Default: []
Boolean to enable secrets protection in KSQL.
Default: "{{secrets_protection_enabled}}"
Boolean to encrypt all properties containing 'password' for KSQL.
Default: "{{ksql_secrets_protection_enabled}}"
List of KSQL properties to encrypt. Can be used in addition to ksql_secrets_protection_encrypt_passwords.
Default: []
Boolean to enable secrets protection in Control Center.
Default: "{{secrets_protection_enabled}}"
Boolean to encrypt all properties containing 'password' for Control Center.
Default: "{{control_center_secrets_protection_enabled}}"
List of Control Center properties to encrypt. Can be used in addition to control_center_secrets_protection_encrypt_passwords.
Default: []
Boolean to configure Telemetry. Must also set telemetry_api_key and telemetry_api_secret
Default: false
API Key used by Telemetry. Mandatory variable for Telemetry
Default: ""
API Secret used by Telemetry. Mandatory variable for Telemetry
Default: ""
Proxy URL used by Telemetry. Only set if using a Proxy Server
Default: ""
Username for Proxy Server used by Telemetry. Only set if Proxy Server requires authentication
Default: ""
Password for Proxy Server used by Telemetry. Only set if Proxy Server requires authentication
Default: ""
Boolean to configure Telemetry on Kafka. Must also set telemetry_api_key and telemetry_api_secret
Default: "{{telemetry_enabled}}"
Boolean to send cp-ansible Telemetry Metrics from Kafka. Currently only sends cp-ansible version data
Default: "{{kafka_broker_telemetry_enabled}}"
Boolean to configure Telemetry on Schema Registry. Must also set telemetry_api_key and telemetry_api_secret
Default: "{{telemetry_enabled}}"
Boolean to send cp-ansible Telemetry Metrics from Schema Registry. Currently only sends cp-ansible version data
Default: "{{schema_registry_telemetry_enabled}}"
Boolean to configure Telemetry on Connect. Must also set telemetry_api_key and telemetry_api_secret
Default: "{{telemetry_enabled}}"
Boolean to send cp-ansible Telemetry Metrics from Connect. Currently only sends cp-ansible version data
Default: "{{kafka_connect_telemetry_enabled}}"
Boolean to configure Telemetry on Rest Proxy. Must also set telemetry_api_key and telemetry_api_secret
Default: "{{telemetry_enabled}}"
Boolean to send cp-ansible Telemetry Metrics from Rest Proxy. Currently only sends cp-ansible version data
Default: "{{kafka_rest_telemetry_enabled}}"
Boolean to configure Telemetry on ksqlDB. Must also set telemetry_api_key and telemetry_api_secret
Default: "{{telemetry_enabled}}"
Boolean to send cp-ansible Telemetry Metrics from ksqlDB. Currently only sends cp-ansible version data
Default: "{{ksql_telemetry_enabled}}"
Boolean to configure Telemetry on Control Center. Must also set telemetry_api_key and telemetry_api_secret
Default: "{{telemetry_enabled}}"
Boolean to send cp-ansible Telemetry Metrics from Control Center. Currently only sends cp-ansible version data
Default: "{{control_center_telemetry_enabled}}"
User for authenticated MDS Health Check. Only relevant if rbac_enabled: true.
Default: "{{mds_super_user}}"
Password for authenticated MDS Health Check. Only relevant if rbac_enabled: true.
Default: "{{mds_super_user_password}}"
User for authenticated Kafka Admin API Health Check. Set if using customized security like Basic Auth.
Default: "{{mds_super_user}}"
Password for authenticated Kafka Admin API Health Check. Set if using customized security like Basic Auth.
Default: "{{mds_super_user_password}}"
User for authenticated Schema Registry Health Check. Set if using customized security like Basic Auth.
Default: "{{schema_registry_ldap_user}}"
Password for authenticated Schema Registry Health Check. Set if using customized security like Basic Auth.
Default: "{{schema_registry_ldap_password}}"
User for authenticated Connect Health Check. Set if using customized security like Basic Auth.
Default: "{{kafka_connect_ldap_user}}"
Password for authenticated Connect Health Check. Set if using customized security like Basic Auth.
Default: "{{kafka_connect_ldap_password}}"
User for authenticated ksqlDB Health Check. Set if using customized security like Basic Auth.
Default: "{{ksql_ldap_user}}"
Password for authenticated ksqlDB Health Check. Set if using customized security like Basic Auth.
Default: "{{ksql_ldap_password}}"
User for authenticated Rest Proxy Health Check. Set if using customized security like Basic Auth.
Default: "{{kafka_rest_ldap_user}}"
Password for authenticated Rest Proxy Health Check. Set if using customized security like Basic Auth.
Default: "{{kafka_rest_ldap_password}}"
User for authenticated Control Center Health Check. Set if using customized security like Basic Auth.
Default: "{{control_center_ldap_user}}"
Password for authenticated Control Center Health Check. Set if using customized security like Basic Auth.
Default: "{{control_center_ldap_password}}"
Below are the supported variables for the role confluent.common
Configures package repositories on hosts. By default, configures Confluent's deb/yum repositories. Possible options: none, confluent, custom. Must also set custom_yum_repofile_filepath or custom_apt_repo_filepath if using custom. Note: the variables custom_apt_repo and custom_yum_repofile are deprecated
Default: "{{'custom' if custom_apt_repo|bool or custom_yum_repofile else 'confluent'}}"
Full path on control node to custom yum repo file, must also set repository_configuration to custom
Default: ""
Full path on control node to custom apt repo file, must also set repository_configuration to custom
Default: ""
Base URL for Confluent's RPM and Debian Package Repositories
Default: "https://packages.confluent.io"
Boolean to have cp-ansible install Java on hosts
Default: true
Java Package to install on RHEL/CentOS hosts. Possible values java-1.8.0-openjdk or java-11-openjdk
Default: java-1.8.0-openjdk
Java Package to install on Debian hosts. Possible values openjdk-8-jdk or openjdk-11-jdk
Default: openjdk-8-jdk
Java Package to install on Ubuntu hosts. Possible values openjdk-8-jdk or openjdk-11-jdk
Default: openjdk-8-jdk
Deb Repository to use for Java Installation
Default: ppa:openjdk-r/ppa
Version of Jolokia Agent Jar to Download
Default: 1.6.2
Full URL used for Jolokia Agent Jar Download. When jolokia_url_remote=false this represents the path on Ansible control host.
Version of JmxExporter Agent Jar to Download
Default: 0.12.0
Full URL used for Prometheus Exporter Jar Download. When jolokia_url_remote=false this represents the path on Ansible control host.
A path reference to a local archive file or URL. By default this is the URL from Confluent's repositories. In an ansible-pull deployment this could be set to a local file such as "~/.ansible/pull/{{inventory_hostname}}/{{confluent_archive_file_name}}".
Default: "{{confluent_common_repository_baseurl}}/archive/{{confluent_repo_version}}/confluent{{'' if confluent_server_enabled else '-community'}}-{{confluent_package_version}}.tar.gz"
Set to true to indicate the archive file is remote (i.e. already on the target node) or a URL. Set to false if the archive file is on the control node.
Default: true
Base URL for Confluent CLI packages
Default: "https://s3-us-west-2.amazonaws.com/confluent.cloud"
A path reference to a local archive file or URL. By default this is the URL from Confluent CLI repository.
Default: "{{confluent_cli_repository_baseurl}}/confluent-cli/archives/{{confluent_cli_version}}/{{confluent_cli_binary}}{{(confluent_cli_version == 'latest') | ternary('', 'v')}}{{confluent_cli_version}}{{ansible_system|lower}}_{{confluent_cli_goarch[ansible_architecture]}}.tar.gz"
Set to true to indicate the CLI archive file is remote (i.e. already on the target node) or a URL. Set to false if the archive file is on the control node.
Default: true
Below are the supported variables for the role confluent.control_center
Boolean to enable cp-ansible's Custom Log4j Configuration
Default: "{{ custom_log4j }}"
Custom Java Args to add to the Control Center Process
Default: ""
Full Path to the RocksDB Data Directory. If left as empty string, cp-ansible will not configure RocksDB
Default: ""
Overrides to the Service Section of Control Center Systemd File. This variable is a dictionary.
Default:
Environment Variables to be added to the Control Center Service. This variable is a dictionary.
Default:
Overrides to the Unit Section of Control Center Systemd File. This variable is a dictionary.
Default:
Below are the supported variables for the role confluent.kafka_broker
Boolean to enable cp-ansible's Custom Log4j Configuration
Default: "{{ custom_log4j }}"
Custom Java Args to add to the Kafka Process
Default: ""
Overrides to the Service Section of Kafka Systemd File. This variable is a dictionary.
Default:
Environment Variables to be added to the Kafka Service. This variable is a dictionary.
Default:
Overrides to the Unit Section of Kafka Systemd File. This variable is a dictionary.
Default:
Below are the supported variables for the role confluent.kafka_connect
Boolean to enable cp-ansible's Custom Log4j Configuration
Default: "{{ custom_log4j }}"
Custom Java Args to add to the Connect Process
Default: ""
Overrides to the Service Section of Connect Systemd File. This variable is a dictionary.
Default:
Environment Variables to be added to the Connect Service. This variable is a dictionary.
Default:
Overrides to the Unit Section of Connect Systemd File. This variable is a dictionary.
Default:
Below are the supported variables for the role confluent.kafka_rest
Boolean to enable cp-ansible's Custom Log4j Configuration
Default: "{{ custom_log4j }}"
Custom Java Args to add to the Rest Proxy Process
Default: ""
Overrides to the Service Section of Rest Proxy Systemd File. This variable is a dictionary.
Default:
Environment Variables to be added to the Rest Proxy Service. This variable is a dictionary.
Default:
Overrides to the Unit Section of Rest Proxy Systemd File. This variable is a dictionary.
Default:
Below are the supported variables for the role confluent.ksql
Boolean to enable cp-ansible's Custom Log4j Configuration
Default: "{{ custom_log4j }}"
Custom Java Args to add to the ksqlDB Process
Default: ""
Full Path to the RocksDB Data Directory. If set as empty string, cp-ansible will not configure RocksDB
Default: /tmp/ksqldb
Overrides to the Service Section of ksqlDB Systemd File. This variable is a dictionary.
Default:
Environment Variables to be added to the ksqlDB Service. This variable is a dictionary.
Default:
Overrides to the Unit Section of ksqlDB Systemd File. This variable is a dictionary.
Default:
Below are the supported variables for the role confluent.schema_registry
Boolean to enable cp-ansible's Custom Log4j Configuration
Default: "{{ custom_log4j }}"
Custom Java Args to add to the Schema Registry Process
Default: ""
Overrides to the Service Section of Schema Registry Systemd File. This variable is a dictionary.
Default:
Environment Variables to be added to the Schema Registry Service. This variable is a dictionary.
Default:
Overrides to the Unit Section of Schema Registry Systemd File. This variable is a dictionary.
Default:
Below are the supported variables for the role confluent.zookeeper
Boolean to enable cp-ansible's Custom Log4j Configuration
Default: "{{ custom_log4j }}"
Custom Java Args to add to the Zookeeper Process
Default: ""
Overrides to the Service Section of Zookeeper Systemd File. This variable is a dictionary.
Default:
Environment Variables to be added to the Zookeeper Service. This variable is a dictionary.
Default:
Overrides to the Unit Section of Zookeeper Systemd File. This variable is a dictionary.
Default:
Below are the supported variables for the role confluent.ssl
Key Algorithm used by keytool -genkeypair command when creating Keystores. Only used with self-signed certs
Default: RSA
Key Size used by keytool -genkeypair command when creating Keystores. Only used with self-signed certs
Default: 2048