[ANSIENG-5755] | Add RHEL 10 Support #2395
Conversation
There was a problem hiding this comment.
Pull request overview
This pull request adds support for RHEL 10 to the Ansible playbooks by updating version checks, Docker configurations, and OS-specific dependencies. The changes ensure compatibility with RHEL 10 while removing support for RHEL 7 and older Debian versions.
Key changes:
- Updated supported RHEL versions from 7, 8, 9 to 8, 9, 10
- Updated Debian supported versions from 9, 10 to 12
- Migrated Docker images from ubi9-minimal to ubi10-minimal with Java 21
- Updated Docker volume mounts for cgroup v2 compatibility
- Added python3-packaging dependency for RHEL 10
Reviewed changes
Copilot reviewed 71 out of 71 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| roles/common/tasks/redhat.yml | Added python3-packaging installation for RHEL 10 and updated FIPS support to include version 10 |
| roles/common/tasks/custom_java_install.yml | Removed CentOS 7 Java 17 compatibility check |
| playbooks/validate_hosts.yml | Updated supported versions: removed RHEL 7, added RHEL 10; updated Debian to only support version 12 |
| molecule/*/molecule.yml | Upgraded all test containers from ubi9-minimal/Java 17 to ubi10-minimal/Java 21, changed cgroup mounts from ro to rw with host mode |
| molecule/certificates.yml | Split Java installation logic to support Java 17 on RHEL 8/9 and Java 21 on RHEL 10 |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
roles/common/tasks/redhat.yml
Outdated
| - pip-package | ||
| when: | ||
| - ansible_distribution != "Amazon" | ||
| - ansible_os_family == "RedHat" and ansible_distribution_major_version in ['10'] |
There was a problem hiding this comment.
The condition uses a list with a single element. For consistency and clarity, this should either use a simple equality check == '10' or be prepared for future versions by using a more descriptive variable name like rhel_versions_requiring_packaging_module.
| - ansible_os_family == "RedHat" and ansible_distribution_major_version in ['10'] | |
| - ansible_os_family == "RedHat" and ansible_distribution_major_version == '10' |
are we going to add support for java25 in 8.2 ? Right now all the dockerfiles in tests are installing java21. So will java version ansible var override it with java25 or in the end all tests will have java21 ? |
|
also can you pls attach the semaphore link |
molecule/certificates.yml
Outdated
| # - ansible_os_family == "RedHat" and ansible_distribution_major_version in ['8', '9', '10'] | ||
| - name: Install crypto-policies-scripts package | ||
| yum: | ||
| name: crypto-policies-scripts |
There was a problem hiding this comment.
isnt this coming by default in rhel8 9?
There was a problem hiding this comment.
essentially i thought we can keep the code w.r.t crypto policies such that it doesnt change for rhel8 9 and for rhel 10 it gets skipped
Add RHEL 10 Support to CP Ansible (preserve RHEL 9 tests)
📋 Summary
This PR introduces RHEL 10 support to the Confluent Platform Ansible collection while maintaining backward compatibility with RHEL 9. The distribution follows an 80/20 strategy where 80% of tests run on RHEL 10 (modern stack) and 20% remain on RHEL 9 (compatibility/legacy features).
Key Changes
redhat/ubi10-minimalwith Java 21redhat/ubi9-minimalwith Java 17Dockerfile-rhel-java21.j2instead of creating new onespackagingmodule installation for RHEL 10ubi10-minimal🎯 Distribution Strategy
RHEL Version Distribution
archive-plain-rhel-fipsarchive-community-plaintext-rhelkafka-connect-replicator-plain-kerberos-rhel-fipsarchive-scram-rhelkerberos-customcerts-rhelbroker-scale-upmulti-ksql-connect-rhelccloudplaintext-rhel-customrepoconfluent-kafka-kerberos-customcerts-rhelrbac-mds-mtls-custom-rhel-fipsconnect-scale-uprbac-scram-custom-rhel-fipscp-kafka-plain-rhelscram-rhelcustom-user-plaintext-rhelkerberos-rhelksql-scale-upmini-setup-ext-mds-mtlsmini-setup-ldap-mtls-fipsmini-setup-mtlsmini-setup-mtls-fipsmini-setup-oauth-mtlsmini-setup-out-ldap-in-mtlsmini-setup-out-oauth-in-mtlsmini-setup-partial-mtlsmini-setup-partial-mtls2mtls-custombundle-rhel-fipsmtls-customcerts-rhelmtls-java21-rhel-fipsoauth-kafka-connect-replicator-mtls-rheloauth-plain-archiveoauth-plain-rheloauth-rbac-mds-scram-custom-rheloauth-rbac-plain-rhel8plain-customcerts-rhel-fipsplain-erp-tls-rhelplaintext-basic-rhelprovided-rhelrbac-mds-kerberos-mtls-custom-rhelrbac-mds-mtls-custom-kerberos-rhelrbac-mds-plain-custom-rhel-fipsrbac-mtls-rhel-fipsrbac-mtls-rhel8sr-switchover-cp-to-cc-ldap-mtlssr-switchover-cp-to-cc-mtlssr-switchover-cp-to-cc-oauth-rbacTOTALS: RHEL 9 = 8 scenarios (19.1%) | RHEL 10 = 39 scenarios (80.9%)
🛡️ RHEL 9 Feature Coverage
The 8 RHEL 9 scenarios were strategically selected to ensure comprehensive backward compatibility testing across all major Confluent Platform features:
🔐 Authentication Coverage (100%)
rbac-scram-custom-rhel-fips,scram-rhelkerberos-customcerts-rhel,scram-rhel,kafka-connect-replicator-plain-kerberos-rhel-fipsrbac-scram-custom-rhel-fips,rbac-mds-mtls-custom-rhel-fipsrbac-scram-custom-rhel-fipsrbac-scram-custom-rhel-fips,rbac-mds-mtls-custom-rhel-fips🛡️ Security Coverage (87.5%)
archive-plain-rhel-fips,rbac-scram-custom-rhel-fips,rbac-mds-mtls-custom-rhel-fips,kafka-connect-replicator-plain-kerberos-rhel-fipsmulti-ksql-connect-rhel,rbac-mds-mtls-custom-rhel-fips,kerberos-customcerts-rhelrbac-scram-custom-rhel-fips,kerberos-customcerts-rhel,rbac-mds-mtls-custom-rhel-fips,kafka-connect-replicator-plain-kerberos-rhel-fips📦 Installation Coverage (37.5%)
archive-plain-rhel-fipsplaintext-rhel-customrepo🔗 Component Coverage (100%)
multi-ksql-connect-rhelmulti-ksql-connect-rhel,rbac-scram-custom-rhel-fipskafka-connect-replicator-plain-kerberos-rhel-fips🏢 Enterprise Coverage (75%)
rbac-scram-custom-rhel-fips,rbac-mds-mtls-custom-rhel-fipsscram-rhel,kerberos-customcerts-rhel,multi-ksql-connect-rhelrbac-scram-custom-rhel-fipsarchive-plain-rhel-fips⚙️ Advanced Features (62.5%)
archive-plain-rhel-fipsrbac-mds-mtls-custom-rhel-fips,kafka-connect-replicator-plain-kerberos-rhel-fipsarchive-plain-rhel-fips,plaintext-rhel-customrepo,multi-ksql-connect-rhelJava Compatibility
Dockerfile-rhel-java17.j2remain on RHEL 9Python Dependencies
packagingmodule required by Ansiblepackagingmodule installation inroles/common/tasks/redhat.ymlbefore pip upgradeImage Standardization
redhat/ubi10-minimal(no AlmaLinux/Rocky Linux flavors)ubi10-minimalfor consistency🔧 Technical Changes
Files Modified
molecule.ymlfiles - Updated image and dockerfile referencesroles/common/tasks/redhat.yml- Added packaging module installationroles/common/vars/main.yml- Added packaging to pip_packagesmolecule/certificates.yml- Updated Java versions and FIPS supportmolecule/Dockerfile-rhel-tar.j2- Updated Java version for archive scenarios✅ Testing Strategy
This distribution ensures:
Molecule Run: https://semaphore.ci.confluent.io/workflows/c9d2f70f-a25b-4901-b1ea-e059a5eda524
Note: This PR maintains full backward compatibility while positioning the project for RHEL 10 adoption. The strategic 80/20 split ensures comprehensive testing coverage while minimizing risk.