Use kafka:password for kafka certs

Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>

salt/kafka/config.map.jinja

@@ -6,6 +6,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
 {% set KAFKA_NODES_PILLAR = salt['pillar.get']('kafka:nodes') %}
+{% set KAFKA_PASSWORD = salt['pillar.get']('kafka:password') %}
 
 {# Create list of KRaft controllers #}
 {% set controllers = [] %}
@@ -29,6 +30,7 @@
 {%   do KAFKAMERGED.config.broker.update({'advertised_x_listeners': 'BROKER://'+ GLOBALS.node_ip +':9092' }) %}
 {%   do KAFKAMERGED.config.broker.update({'controller_x_quorum_x_voters': kafka_controller_quorum_voters }) %}
 {%   do KAFKAMERGED.config.broker.update({'node_x_id': salt['pillar.get']('kafka:nodes:'+ GLOBALS.hostname +':nodeid') }) %}
+{%   do KAFKAMERGED.config.broker.update({'ssl_x_keystore_x_password': KAFKA_PASSWORD }) %}
 
 {# Nodes with only the 'broker' role need to have the below settings for communicating with controller nodes #}
 {%   do KAFKAMERGED.config.broker.update({'controller_x_listener_x_names': KAFKAMERGED.config.controller.controller_x_listener_x_names }) %}
@@ -41,6 +43,7 @@
 {% if node_type == 'controller' %}
 {%   do KAFKAMERGED.config.controller.update({'controller_x_quorum_x_voters': kafka_controller_quorum_voters }) %}
 {%   do KAFKAMERGED.config.controller.update({'node_x_id': salt['pillar.get']('kafka:nodes:'+ GLOBALS.hostname +':nodeid') }) %}
+{%   do KAFKAMERGED.config.controller.update({'ssl_x_keystore_x_password': KAFKA_PASSWORD }) %}
 
 {% endif %}
 
@@ -51,6 +54,7 @@
 {%   do KAFKAMERGED.config.broker.update({'controller_x_quorum_x_voters': kafka_controller_quorum_voters }) %}
 {%   do KAFKAMERGED.config.broker.update({'node_x_id': salt['pillar.get']('kafka:nodes:'+ GLOBALS.hostname +':nodeid') }) %}
 {%   do KAFKAMERGED.config.broker.update({'process_x_roles': 'broker,controller' }) %}
+{%   do KAFKAMERGED.config.broker.update({'ssl_x_keystore_x_password': KAFKA_PASSWORD }) %}
 
 {%   do KAFKAMERGED.config.broker.update({
        'listeners': KAFKAMERGED.config.broker.listeners + ',' + KAFKAMERGED.config.controller.listeners })
@@ -63,8 +67,25 @@
 
 {% endif %}
 
+{# If a password other than PLACEHOLDER isn't set remove it from the server.properties #}
+{% if KAFKAMERGED.config.broker.ssl_x_truststore_x_password == 'PLACEHOLDER' %}
+{%   do KAFKAMERGED.config.broker.pop('ssl_x_truststore_x_password') %}
+{% endif %}
+
+{% if KAFKAMERGED.config.controller.ssl_x_truststore_x_password == 'PLACEHOLDER' %}
+{%   do KAFKAMERGED.config.controller.pop('ssl_x_truststore_x_password') %}
+{% endif %}
+
+{# Client properties stuff #}
+{% if KAFKAMERGED.config.client.ssl_x_truststore_x_password == 'PLACEHOLDER' %}
+{%   do KAFKAMERGED.config.client.pop('ssl_x_truststore_x_password') %}
+{% endif %}
+{% do KAFKAMERGED.config.client.update({'ssl_x_keystore_x_password': KAFKA_PASSWORD }) %}
+
 {% if 'broker' in node_type %}
 {%   set KAFKACONFIG = KAFKAMERGED.config.broker %}
 {% else %}
 {%   set KAFKACONFIG = KAFKAMERGED.config.controller %}
 {% endif %}
+
+{% set KAFKACLIENT = KAFKAMERGED.config.client %}

salt/kafka/defaults.yaml

@@ -29,18 +29,20 @@ kafka:
       socket_x_send_x_buffer_x_bytes: 102400
       ssl_x_keystore_x_location: /etc/pki/kafka.p12
       ssl_x_keystore_x_type: PKCS12
-      ssl_x_keystore_x_password: changeit
+      ssl_x_keystore_x_password:
       ssl_x_truststore_x_location: /etc/pki/java/sos/cacerts
-      ssl_x_truststore_x_password: changeit
+      ssl_x_truststore_x_password: PLACEHOLDER
+      ssl_x_truststore_x_type: PEM
       transaction_x_state_x_log_x_min_x_isr: 1
       transaction_x_state_x_log_x_replication_x_factor: 1
     client:
       security_x_protocol: SSL
       ssl_x_truststore_x_location: /etc/pki/java/sos/cacerts
-      ssl_x_truststore_x_password: changeit
+      ssl_x_truststore_x_password: PLACEHOLDER
+      ssl_x_truststore_x_type: PEM
       ssl_x_keystore_x_location: /etc/pki/kafka.p12
       ssl_x_keystore_x_type: PKCS12
-      ssl_x_keystore_x_password: changeit
+      ssl_x_keystore_x_password:
     controller:
       controller_x_listener_x_names: CONTROLLER
       controller_x_quorum_x_voters:
@@ -54,6 +56,7 @@ kafka:
       process_x_roles: controller
       ssl_x_keystore_x_location: /etc/pki/kafka.p12
       ssl_x_keystore_x_type: PKCS12
-      ssl_x_keystore_x_password: changeit
+      ssl_x_keystore_x_password:
       ssl_x_truststore_x_location: /etc/pki/java/sos/cacerts
-      ssl_x_truststore_x_password: changeit
+      ssl_x_truststore_x_password: PLACEHOLDER
+      ssl_x_truststore_x_type: PEM

salt/kafka/enabled.sls

@@ -49,7 +49,7 @@ so-kafka:
       {% endfor %}
     - binds:
       - /etc/pki/kafka.p12:/etc/pki/kafka.p12:ro
-      - /opt/so/conf/ca/cacerts:/etc/pki/java/sos/cacerts:ro
+      - /etc/pki/tls/certs/intca.crt:/etc/pki/java/sos/cacerts:ro
       - /nsm/kafka/data/:/nsm/kafka/data/:rw
       - /opt/so/log/kafka:/opt/kafka/logs/:rw
       - /opt/so/conf/kafka/server.properties:/opt/kafka/config/kraft/server.properties:ro

salt/kafka/etc/client.properties.jinja

@@ -3,5 +3,5 @@
    https://securityonion.net/license; you may not use this file except in compliance with the
    Elastic License 2.0. #}
 
-{% from 'kafka/map.jinja' import KAFKAMERGED -%}
-{{ KAFKAMERGED.config.client | yaml(False) | replace("_x_", ".") }}
+{% from 'kafka/config.map.jinja' import KAFKACLIENT -%}
+{{ KAFKACLIENT | yaml(False) | replace("_x_", ".") }}

salt/logstash/pipelines/config/so/0800_input_kafka.conf.jinja

@@ -1,3 +1,4 @@
+{%- set kafka_password = salt['pillar.get']('kafka:password') %}
 {%- set kafka_brokers = salt['pillar.get']('kafka:nodes', {}) %}
 {%- set brokers = [] %}
 
@@ -18,7 +19,7 @@ input {
         security_protocol => 'SSL'
         bootstrap_servers => '{{ bootstrap_servers }}'
         ssl_keystore_location => '/usr/share/logstash/kafka-logstash.p12'
-        ssl_keystore_password => 'changeit'
+        ssl_keystore_password => '{{ kafka_password }}'
         ssl_keystore_type => 'PKCS12'
         ssl_truststore_location => '/etc/pki/ca-trust/extracted/java/cacerts'
         ssl_truststore_password => 'changeit'

salt/ssl/init.sls

@@ -17,6 +17,8 @@
   {% set COMMONNAME = GLOBALS.manager %}
 {% endif %}
 
+{% set kafka_password = salt['pillar.get']('kafka:password') %}
+
 {% if grains.id.split('_')|last in ['manager', 'managersearch', 'eval', 'standalone', 'import'] %}
 include:
   - ca
@@ -692,7 +694,7 @@ kafka_logstash_crt:
         attempts: 5
         interval: 30
   cmd.run:
-    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/kafka-logstash.key -in /etc/pki/kafka-logstash.crt -export -out /etc/pki/kafka-logstash.p12 -nodes -passout pass:changeit"
+    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/kafka-logstash.key -in /etc/pki/kafka-logstash.crt -export -out /etc/pki/kafka-logstash.p12 -nodes -passout pass:{{ kafka_password }}"
     - onchanges:
       - x509: /etc/pki/kafka-logstash.key
 
@@ -862,7 +864,7 @@ kafka_crt:
         attempts: 5
         interval: 30
   cmd.run:
-    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/kafka.key -in /etc/pki/kafka.crt -export -out /etc/pki/kafka.p12 -nodes -passout pass:changeit"
+    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/kafka.key -in /etc/pki/kafka.crt -export -out /etc/pki/kafka.p12 -nodes -passout pass:{{ kafka_password }}"
     - onchanges:
       - x509: /etc/pki/kafka.key
 kafka_key_perms:
@@ -922,7 +924,7 @@ kafka_logstash_crt:
         attempts: 5
         interval: 30
   cmd.run:
-    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/kafka-logstash.key -in /etc/pki/kafka-logstash.crt -export -out /etc/pki/kafka-logstash.p12 -nodes -passout pass:changeit"
+    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/kafka-logstash.key -in /etc/pki/kafka-logstash.crt -export -out /etc/pki/kafka-logstash.p12 -nodes -passout pass:{{ kafka_password }}"
     - onchanges:
       - x509: /etc/pki/kafka-logstash.key