confluentinc · abaghel-git · Nov 3, 2025 · Sep 5, 2025 · Oct 30, 2025 · Oct 30, 2025
@@ -1,6 +1,6 @@
 ---
 - name: Host Prerequisites
-  hosts: zookeeper:kafka_controller:kafka_broker:schema_registry:kafka_connect:ksql:control_center:control_center_next_gen:kafka_rest:kafka_connect_replicator
+  hosts: zookeeper:kafka_controller:kafka_broker:schema_registry:kafka_connect:ksql:control_center:control_center_next_gen:kafka_rest:kafka_connect_replicator:usm_agent
   gather_facts: false
   environment: "{{ proxy_env }}"
   tasks:
@@ -22,7 +22,8 @@
         kafka_connect_ssl_enabled|bool or
         ksql_ssl_enabled|bool or
         control_center_ssl_enabled|bool or
-        control_center_next_gen_ssl_enabled|bool))
+        control_center_next_gen_ssl_enabled|bool or
+        usm_agent_ssl_enabled|bool))
 
     - import_role:
         name: common

@@ -115,7 +115,8 @@
         kafka_rest_ssl_enabled|bool or
         kafka_connect_ssl_enabled|bool or
         ksql_ssl_enabled|bool or
-        control_center_ssl_enabled|bool)
+        control_center_ssl_enabled|bool or
+        usm_agent_ssl_enabled|bool)
 
     - name: Create MDS Private key
       tags: certificate_authority
@@ -169,4 +170,5 @@
     kafka_rest_ssl_enabled|bool or
     kafka_connect_ssl_enabled|bool or
     ksql_ssl_enabled|bool or
-    control_center_ssl_enabled|bool))
+    control_center_ssl_enabled|bool or
+    usm_agent_ssl_enabled|bool))
@@ -336,3 +336,11 @@
       - not (control_center_next_gen_dependency_alertmanager_ssl_enabled | bool and control_center_next_gen_dependency_alertmanager_mtls_enabled | bool and control_center_next_gen_dependency_alertmanager_basic_auth_enabled | bool)
     fail_msg: "Alertmanager SSL, mTLS, and Basic Auth cannot all be enabled simultaneously."
   tags: validate
+
+- name: Validate USM Agent Configuration
+  include_tasks: validate_usm_agent_configs.yml
+  when:
+    - ('usm_agent' in groups.keys() and groups['usm_agent'] | length > 0) | bool
+  tags:
+    - validate
+    - validate_usm_agent_configs
@@ -0,0 +1,90 @@
+---
+- name: Validate USM Agent CCloud Credentials are provided
+  assert:
+    that:
+      - usm_agent_ccloud_credential.username is defined
+      - usm_agent_ccloud_credential.username != ""
+      - usm_agent_ccloud_credential.password is defined
+      - usm_agent_ccloud_credential.password != ""
+    fail_msg: "CCloud credentials (username and password) are required for USM Agent to function. Please provide ccloud_credential.username and ccloud_credential.password in your inventory."
+    success_msg: "CCloud credentials validation passed"
+  when:
+    - "'usm_agent' in group_names"
+  tags:
+    - validate_usm_agent_configs
+
+- name: Validate USM Agent CCloud Configuration is provided
+  assert:
+    that:
+      - usm_agent_ccloud_host is defined
+      - usm_agent_ccloud_host != ""
+      - usm_agent_ccloud_environment_id is defined
+      - usm_agent_ccloud_environment_id != ""
+    fail_msg: "CCloud configuration (host and environment_id) are required for USM Agent to function. Please provide ccloud_host and ccloud_environment_id in your inventory."
+    success_msg: "CCloud configuration validation passed"
+  when:
+    - "'usm_agent' in group_names"
+  tags:
+    - validate_usm_agent_configs
+
+- name: Set USM Agent Server Effective Authentication Values
+  set_fact:
+    usm_agent_server_basic_auth_effective: "{{ hostvars[groups['usm_agent'][0]]['usm_agent_basic_auth_enabled'] | bool }}"
+    usm_agent_server_ssl_effective: "{{ hostvars[groups['usm_agent'][0]]['usm_agent_ssl_enabled'] | bool }}"
+    usm_agent_server_mtls_effective: "{{ hostvars[groups['usm_agent'][0]]['usm_agent_ssl_mutual_auth_enabled'] | bool }}"
+  when:
+    - "'usm_agent' in groups"
+    - "groups['usm_agent'] | length > 0"
+  tags:
+    - validate_usm_agent_configs
+
+- name: Validate USM Agent Basic Auth Configuration Consistency Between Server and Clients
+  assert:
+    that:
+      - (hostvars[item]['usm_agent_basic_auth_enabled'] | bool) == (usm_agent_server_basic_auth_effective | bool)
+    fail_msg: |
+      USM Agent basic auth configuration mismatch:
+      - USM Agent server ({{ groups['usm_agent'][0] }}) effective value: {{ usm_agent_server_basic_auth_effective }}
+      - Client ({{ item }}) effective value: {{ hostvars[item]['usm_agent_basic_auth_enabled'] }}
+      Server and all clients must have consistent usm_agent_basic_auth_enabled values.
+  loop: "{{ (groups.get('kafka_controller', []) + groups.get('kafka_broker', []) + groups.get('kafka_connect', [])) | unique }}"
+  when:
+    - "'usm_agent' in groups"
+    - "groups['usm_agent'] | length > 0"
+    - usm_agent_server_basic_auth_effective is defined
+  tags:
+    - validate_usm_agent_configs
+
+- name: Validate USM Agent SSL Configuration Consistency Between Server and Clients
+  assert:
+    that:
+      - (hostvars[item]['usm_agent_ssl_enabled'] | bool) == (usm_agent_server_ssl_effective | bool)
+    fail_msg: |
+      USM Agent SSL configuration mismatch:
+      - USM Agent server ({{ groups['usm_agent'][0] }}) effective value: {{ usm_agent_server_ssl_effective }}
+      - Client ({{ item }}) effective value: {{ hostvars[item]['usm_agent_ssl_enabled'] }}
+      Server and all clients must have consistent usm_agent_ssl_enabled values.
+  loop: "{{ (groups.get('kafka_controller', []) + groups.get('kafka_broker', []) + groups.get('kafka_connect', [])) | unique }}"
+  when:
+    - "'usm_agent' in groups"
+    - "groups['usm_agent'] | length > 0"
+    - usm_agent_server_ssl_effective is defined
+  tags:
+    - validate_usm_agent_configs
+
+- name: Validate USM Agent mTLS Configuration Consistency Between Server and Clients
+  assert:
+    that:
+      - (hostvars[item]['usm_agent_ssl_mutual_auth_enabled'] | bool) == (usm_agent_server_mtls_effective | bool)
+    fail_msg: |
+      USM Agent mTLS configuration mismatch:
+      - USM Agent server ({{ groups['usm_agent'][0] }}) effective value: {{ usm_agent_server_mtls_effective }}
+      - Client ({{ item }}) effective value: {{ hostvars[item]['usm_agent_ssl_mutual_auth_enabled'] }}
+      Server and all clients must have consistent usm_agent_ssl_mutual_auth_enabled values.
+  loop: "{{ (groups.get('kafka_controller', []) + groups.get('kafka_broker', []) + groups.get('kafka_connect', [])) | unique }}"
+  when:
+    - "'usm_agent' in groups"
+    - "groups['usm_agent'] | length > 0"
+    - usm_agent_server_mtls_effective is defined
+  tags:
+    - validate_usm_agent_configs
@@ -26,3 +26,17 @@
   when:
     - not ansible_check_mode
     - usm_agent_health_check_enabled|bool
+
+- name: Verify USM Agent's Confluent Cloud Configurations (Credentials, Endpoint, Environment ID) are valid
+  uri:
+    url: "http://{{ hostvars[inventory_hostname]|confluent.platform.resolve_hostname }}:{{ usm_agent_controlplane_port }}/validz"
+    status_code: 200
+    validate_certs: false
+    timeout: 2
+  register: valid_result
+  until: valid_result.status == 200
+  retries: "{{ usm_agent_health_check_retries }}"
+  delay: "{{ usm_agent_health_check_delay }}"
+  when:
+    - not ansible_check_mode
+    - usm_agent_health_check_enabled|bool
@@ -3027,9 +3027,10 @@ usm_agent_copy_files: []
 
 usm_agent_health_checks_enabled: "{{ health_checks_enabled }}"
 
-usm_agent_default_admin_port: 9901
-usm_agent_default_controlplane_port: 9999
-usm_agent_default_dataplane_port: 10000
+usm_agent_admin_port: 9901
+usm_agent_controlplane_port: 9999
+usm_agent_dataplane_port: 10000
+usm_agent_listener_monitoring_port: 9910
 
 # USM Agent server side configurations
 usm_agent_basic_auth_enabled: "false"

@@ -2666,9 +2666,6 @@ usm_agent:
   cp_credential_file: "{{ (config_base_path, usm_agent_config_prefix_path, 'secrets', 'cp_credential.yaml') | path_join }}"
   log_dir: "/var/log/confluent/usm-agent"
 
-usm_agent_admin_port: "{{ usm_agent_default_admin_port }}"
-usm_agent_controlplane_port: "{{ usm_agent_default_controlplane_port }}"
-usm_agent_dataplane_port: "{{ usm_agent_default_dataplane_port }}"
 
 usm_agent_ccloud_environment_id: "{{ ccloud_environment_id }}"
 usm_agent_ccloud_host: "{{ ccloud_endpoint | urlsplit('hostname') }}"
@@ -2699,6 +2696,7 @@ usm_agent_properties:
       confluent.usm-agent.ccloud.basic.auth.credential.location: "{{ usm_agent.ccloud_credential_file }}"
       confluent.usm-agent.ccloud.ssl.enabled: "{{ usm_agent_ccloud_ssl_enabled|string|lower }}"
       confluent.usm-agent.ccloud.ssl.trusted.ca.location: "{{ usm_agent_ccloud_ssl_trusted_ca_location }}"
+      confluent.usm-agent.listener.monitoring.port: "{{ usm_agent_listener_monitoring_port }}"
   basic:
     enabled: "{{ usm_agent_basic_auth_enabled }}"
     properties: