openwhisk-commits mailing list archives

From cbic...@apache.org
Subject [incubator-openwhisk] branch master updated: Limit cipher suites used for Kafka SSL. (#3604)
Date Tue, 08 May 2018 07:53:45 GMT
This is an automated email from the ASF dual-hosted git repository.

cbickel pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk.git


The following commit(s) were added to refs/heads/master by this push:
     new 939c3d7  Limit cipher suites used for Kafka SSL. (#3604)
939c3d7 is described below

commit 939c3d797b54a870efbb085c14eb7fb4201d8fbb
Author: Vadim Raskin <raskinvadim@gmail.com>
AuthorDate: Tue May 8 09:53:41 2018 +0200

    Limit cipher suites used for Kafka SSL. (#3604)
---
 ansible/group_vars/all               | 7 +++++++
 ansible/roles/kafka/tasks/deploy.yml | 1 +
 2 files changed, 8 insertions(+)

diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 977d6ed..d4258b8 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -108,6 +108,13 @@ kafka:
     keystore:
       name: kafka-keystore.jks
       password: openwhisk
+    cipher_suites:
+    - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+    - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+    - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+    - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
   protocol: "{{ kafka_protocol_for_setup }}"
   version: 0.11.0.1
   port: 9072
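Review bot: the added cipher_suites list under kafka.ssl mixes CBC suites, including the SHA-1 MAC variants TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, with the two GCM suites, and nothing in the file says why these six were chosen. If the intent is to limit Kafka to strong suites, consider keeping only the two AES_128_GCM_SHA256 entries, or add a comment above cipher_suites naming the clients that still need the CBC entries so they can be dropped later.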
diff --git a/ansible/roles/kafka/tasks/deploy.yml b/ansible/roles/kafka/tasks/deploy.yml
index ae4a7df..244c997 100644
--- a/ansible/roles/kafka/tasks/deploy.yml
+++ b/ansible/roles/kafka/tasks/deploy.yml
@@ -63,6 +63,7 @@
       "KAFKA_SSL_TRUSTSTORE_LOCATION": "/config/{{ kafka.ssl.keystore.name }}"
       "KAFKA_SSL_TRUSTSTORE_PASSWORD": "{{ kafka.ssl.keystore.password }}"
       "KAFKA_SSL_CLIENT_AUTH": "{{ kafka.ssl.client_authentication }}"
+      "KAFKA_SSL_CIPHER_SUITES": "{{ kafka.ssl.cipher_suites | join(',') }}"
     # The sed script passed in CUSTOM_INIT_SCRIPT fixes a bug in the wurstmeister dcoker
image
     # by patching the server.configuration file right before kafka is started.
     # The script adds the missing advertized hostname to the advertised.listener property
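Review bot: the new KAFKA_SSL_CIPHER_SUITES line reads kafka.ssl.cipher_suites with no default, so an inventory that overrides kafka.ssl without the new key would fail when this task is templated. Consider `{{ kafka.ssl.cipher_suites | default([]) | join(',') }}` and confirm how the broker treats an empty value, or document in group_vars that the key is now required.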

-- 
To stop receiving notification emails like this one, please contact
cbickel@apache.org.
