cloudera.cluster.cm_autotls module – Manage and configure Auto-TLS and Cloudera Manager CA
Note
This module is part of the cloudera.cluster collection (version 5.0.0).
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install cloudera.cluster.
You need further requirements to be able to use this module, see Requirements for details.
To use it in a playbook, specify: cloudera.cluster.cm_autotls.
New in cloudera.cluster 5.0.0
Synopsis
Enables and configures Auto-TLS and Cloudera Manager as a CA.
Disabling of Auto-TLS is also supported.
Note that disabling Auto-TLS does not remove the TLS resources (keys, truststores, etc.) created during the enable process.
Requirements
The below requirements are needed on the host that executes this module.
cm_client
Parameters
Parameter |
Comments |
---|---|
Set the HTTP user agent header when interacting with the CM API endpoint. Default: |
|
The certificate for the user-provided certificate authority in PEM format. Required and only used if |
|
The certificate for the CM host in PEM format. Required and only used if |
|
The private key for the CM host in PEM format. Required and only used if |
|
Whether to configure all existing services to use Auto-TLS. If All future services will be configured to use Auto-TLS regardless of this setting. Choices:
|
|
The passphrase associated with the private key used to authenticate with the hosts. |
|
The password used to authenticate with the hosts. Specify either this or a |
|
The private key to authenticate with the hosts. Specify either this or a The private key, if specified, needs to be a standard PEM-encoded key as a single string, with all line breaks replaced with the line-feed control character ‘\n’. |
|
SSH port to connect to each host. |
|
The username used to authenticate with the hosts. Root access to your hosts is required to install Cloudera packages. The installer will connect to your hosts via SSH and log in either directly as root or as another user with password-less sudo privileges to become root. |
|
Whether to generate an internal CMCA When Choices:
|
|
Capture the HTTP interaction logs with the CM API endpoint. Choices:
|
|
Forces enabling Auto-TLS even if it is already determined to be enabled. Applicable only when Choices:
|
|
Flag to force TLS during CM API endpoint discovery. If Choices:
|
|
Hostname of the CM API endpoint. If set, the Mutually exclusive with url. |
|
A list of cert objects for each host. This associates a hostname with the corresponding certificate and private key. Only used if |
|
The certificate for this host in PEM format. |
|
The FQDN of a host in the deployment. |
|
The private key for this host in PEM format. |
|
Whether specific parameters are interpreted as filenames local to the Cloudera Manager host. When Choices:
|
|
The password used for all Auto-TLS keystores. Required and only used if |
|
The location on disk to store the CMCA directory. If there is already a CMCA created there, it will be backed up, and a new one will be created in its place. |
|
Password for access to the CM API endpoint. This parameter is set to |
|
Port of the CM API endpoint. If set, CM API endpoint discovery will connect to the designated port first and will follow redirects. Default: |
|
Set the HTTP/S proxy server when interacting with the CM API endpoint. |
|
Path to SSL CA certificate to use for validation. |
|
The declarative state of Auto-TLS. Disabling Auto-TLS does not remove the TLS resources (keys, truststores, etc.) created during the enable process. Choices:
|
|
A list of CA certificates that will be imported into the Auto-TLS truststore and distributed to all hosts. |
|
The password used for all Auto-TLS truststores. Required and only used if |
|
The CM API endpoint URL, which should include scheme, host, port, and API root path. Mutually exclusive with host. |
|
Username for access to the CM API endpoint. |
|
Verify the TLS certificates for the CM API endpoint. Choices:
|
|
API version of the CM API endpoint. Default: |
Attributes
Attribute |
Support |
Description |
---|---|---|
Support: full |
Can run in check_mode and return changed status prediction without modifying target, if not supported the action will be skipped. |
|
Support: full |
Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode |
|
Platforms: all |
Target OS/families that can be operated against |
Notes
Note
- Using the cm_config with purge=yes will remove the Cloudera Manager configurations set by this module.
- Requires cm_client.
See Also
See also
- cloudera.cluster.cm_config
Manage the configuration of Cloudera Manager.
Examples
```yaml
---
- name: Enable Auto-TLS
  cloudera.cluster.cm_autotls:
    host: example.cloudera.com
    username: "jane_smith"
    password: "S&peR4Ec*re"
    state: present
    connection_user_name: clouduser
    # Double-quoted YAML turns each \n escape into a line feed, giving the single-string PEM form
    connection_private_key: "-----BEGIN YOUR KEY -----\n[base-64 encoded key]\n-----END YOUR KEY-----"

# Disabling leaves the keys and truststores created during enablement in place
- name: Disable Auto-TLS
  cloudera.cluster.cm_autotls:
    host: example.cloudera.com
    username: "jane_smith"
    password: "S&peR4Ec*re"
    state: absent
```
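A variant of the enable example above that keeps the CM password and the SSH private key out of the playbook and previews the change in check mode first. It is an added illustration, not part of the module's own documentation. The vars file vault.yml, the vault_* variable names and hosts: localhost are assumptions; the module parameters are the ones used in the examples above.

```yaml
---
# vault.yml (assumed name), encrypted with `ansible-vault encrypt vault.yml`:
#   vault_cm_username: jane_smith
#   vault_cm_password: <CM API password>
#   vault_ssh_private_key: |        # block scalar keeps the PEM line feeds
#     -----BEGIN YOUR KEY -----
#     [base-64 encoded key]
#     -----END YOUR KEY-----
- name: Enable Auto-TLS with vaulted credentials
  hosts: localhost            # assumption: cm_client is installed on this host
  gather_facts: false
  vars_files:
    - vault.yml
  tasks:
    - name: Predict the change (the module supports check mode)
      cloudera.cluster.cm_autotls: &autotls_args
        host: example.cloudera.com
        username: "{{ vault_cm_username }}"
        password: "{{ vault_cm_password }}"
        state: present
        connection_user_name: clouduser
        connection_private_key: "{{ vault_ssh_private_key }}"
      check_mode: true        # report the predicted change without applying it
      no_log: true            # keep the password and key out of task output
      register: autotls_preview

    - name: Show only whether a change is predicted
      ansible.builtin.debug:
        var: autotls_preview.changed

    - name: Enable Auto-TLS
      cloudera.cluster.cm_autotls: *autotls_args   # same arguments as the preview
      no_log: true
      when: autotls_preview.changed
```

Run it with `ansible-playbook --ask-vault-pass` (or `--vault-password-file`) so the variables are decrypted only at run time.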
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key |
Description |
---|---|
Cloudera Manager Server configurations with Auto-TLS settings where available. Returned: always |
|
The default value. Returned: when supported |
|
A textual description of the parameter. Returned: when supported |
|
A user-friendly name of the parameters, as would have been shown in the web UI. Returned: when supported |
|
The canonical name that identifies this configuration parameter. Returned: always |
|
If applicable, contains the related configuration variable used by the source project. Returned: when supported |
|
Whether this configuration is required for the object. If any required configuration is not set, operations on the object may not work. Returned: when supported |
|
Whether this configuration is sensitive, i.e. contains information such as passwords. This parameter might affect how the value of this configuration might be shared by the caller. Returned: when supported |
|
State of the configuration parameter after validation. For example, Returned: when supported |
|
A message explaining the parameter’s validation state. Returned: when supported |
|
Whether validation warnings associated with this parameter are suppressed. In general, suppressed validation warnings are hidden in the Cloudera Manager UI. Configurations that do not produce warnings will not contain this field. Returned: when supported |
|
The user-defined value. When absent, the default value (if any) will be used. Can also be absent, when enumerating allowed configs. Returned: when supported |