feat(kerberos): add kerberos service to handle spnego keytabs

Spnego keytabs need to be created once per machine.

Add support for creating spnego HA keytabs by adding HA addresses
(for example a load balancer) inside the spnego keytab.

playbooks/kerberos_spnego_install.yml

@@ -0,0 +1,14 @@
+# Copyright 2022 TOSIT.IO
+# SPDX-License-Identifier: Apache-2.0
+
+---
+- name: Kerberos spnego install
+  hosts: hdfs_nn:hdfs_jn:hdfs_dn:hdfs_httpfs:yarn_rm:yarn_nm:yarn_ats:mapred_jhs:hive_s2:hbase_rest:phoenix_queryserver_daemon:ranger_admin:ranger_kms:spark_hs:spark3_hs
+  tasks:
+    - tosit.tdp.resolve: # noqa unnamed-task
+        node_name: kerberos_spnego
+    - name: Install Kerberos spnego
+      ansible.builtin.import_role:
+        name: tosit.tdp.kerberos.spnego
+        tasks_from: install
+    - ansible.builtin.meta: clear_facts # noqa unnamed-task

roles/kerberos/spnego/tasks/install.yml

@@ -0,0 +1,50 @@
+# Copyright 2022 TOSIT.IO
+# SPDX-License-Identifier: Apache-2.0
+
+---
+- name: Ensure kerberos common installation steps are performed
+  ansible.builtin.import_role:
+    name: tosit.tdp.utils.kerberos
+    tasks_from: install
+
+- name: Kerberos spnego keytabs creation
+  when: krb_create_principals_keytabs
+  block:
+    - name: Ensure HTTP spnego's keytab exists
+      ansible.builtin.import_role:
+        name: tosit.tdp.utils.kerberos
+        tasks_from: create_principal_keytab
+      vars:
+        principal: "{{ kerberos_spnego_default_principal }}"
+        keytab: spnego.service.keytab
+        user: root
+        group: "{{ hadoop_group }}"
+        mode: "0640"
+      when: kerberos_spnego_generated_ha_service_principals is not defined or
+            kerberos_spnego_generated_ha_service_principals | length < 1
+
+    - name: Ensure HTTP spnego's keytab with HA support exists
+      ansible.builtin.import_role:
+        name: tosit.tdp.utils.kerberos
+        tasks_from: create_headless_principal_keytab
+      vars:
+        principal: "{{ kerberos_spnego_ha_principals }}"
+        keytab: spnego.service.keytab
+        user: root
+        group: "{{ hadoop_group }}"
+        mode: "0640"
+      when:
+        - kerberos_spnego_generated_ha_service_principals is defined
+        - kerberos_spnego_generated_ha_service_principals | length > 0
+
+- name: Ensure HTTP spnego keytab works
+  ansible.builtin.import_role:
+    name: tosit.tdp.utils.kerberos
+    tasks_from: check_secure_keytab
+  vars:
+    principal: "{{ kerberos_spnego_default_principal }}"
+    keytab: spnego.service.keytab
+    user: root
+    group: "{{ hadoop_group }}"
+    mode: "640"
+  when: not krb_create_principals_keytabs

tdp_vars_defaults/kerberos/kerberos_spnego.yml

@@ -0,0 +1,23 @@
+# Copyright 2022 TOSIT.IO
+# SPDX-License-Identifier: Apache-2.0
+
+---
+kerberos_spnego_default_principal: HTTP/{{ ansible_fqdn }}
+kerberos_spnego_generated_ha_fqdn: >-
+  {{ ansible_play_hosts |
+     map('extract', hostvars, 'ansible_fqdn') |
+     list
+  }}
+kerberos_spnego_generated_ha_fqdn_principals: >-
+  {{ ['HTTP/'] |
+     product(kerberos_spnego_generated_ha_fqdn) |
+     map('join') |
+     list
+  }}
+kerberos_spnego_generated_ha_service_principals: >-
+  [
+    {%- if ranger_ha_address is defined -%}
+      "HTTP/{{ ranger_ha_address | urlsplit("hostname") }}",
+    {%- endif -%}
+  ]
+kerberos_spnego_ha_principals: "{{ kerberos_spnego_generated_ha_fqdn_principals + kerberos_spnego_generated_ha_service_principals }}"