fix: ssl files cleanup

module_utils/kafka_lib_acl.py

@@ -174,8 +174,11 @@ def process_module_acls(module, params=None):
     finally:
         if manager:
             manager.close()
-        maybe_clean_kafka_ssl_files(params)
-        maybe_clean_zk_ssl_files(params)
+        # Use cached SSL files from manager to avoid recreating them
+        maybe_clean_kafka_ssl_files(
+            params, getattr(manager, 'kafka_ssl_files', None))
+        maybe_clean_zk_ssl_files(
+            params, getattr(manager, 'zookeeper_ssl_files', None))
 
     if not changed:
         msg += 'nothing to do.'

module_utils/kafka_lib_commons.py

@@ -7,6 +7,8 @@
     generate_ssl_object, generate_ssl_context
 )
 
+# SSL cleanup logging removed to prevent interference with Ansible JSON output
+
 DOCUMENTATION_COMMON = '''
   bootstrap_servers:
     description:
@@ -353,26 +355,73 @@ def get_manager_from_params(params):
     if 'zookeeper_max_retries' in params:
         manager.zookeeper_max_retries = params['zookeeper_max_retries']
 
-    return manager
+    # Store SSL files information for cleanup
+    manager.kafka_ssl_files = kafka_ssl_files
+    if 'zookeeper' in params and manager.zk_configuration:
+        manager.zookeeper_ssl_files = get_zookeeper_ssl_files(params)
 
+    return manager
 
-def maybe_clean_kafka_ssl_files(params):
 
-    ssl_cafile = params['ssl_cafile']
-    ssl_certfile = params['ssl_certfile']
-    ssl_keyfile = params['ssl_keyfile']
-    ssl_crlfile = params['ssl_crlfile']
-
-    kafka_ssl_files = generate_ssl_object(
-        ssl_cafile, ssl_certfile, ssl_keyfile, ssl_crlfile
-    )
+def maybe_clean_kafka_ssl_files(params, kafka_ssl_files=None):
+    """
+    Clean up temporary Kafka SSL files.
+
+    Args:
+        params: Module parameters
+        kafka_ssl_files: Optional pre-generated SSL files object to avoid
+                         recreation
+    """
+    try:
+        if kafka_ssl_files is None:
+            # Fallback to old behavior if SSL files not provided
+            ssl_cafile = params.get('ssl_cafile')
+            ssl_certfile = params.get('ssl_certfile')
+            ssl_keyfile = params.get('ssl_keyfile')
+            ssl_crlfile = params.get('ssl_crlfile')
+
+            if not any([ssl_cafile, ssl_certfile, ssl_keyfile, ssl_crlfile]):
+                return
+
+            kafka_ssl_files = generate_ssl_object(
+                ssl_cafile, ssl_certfile, ssl_keyfile, ssl_crlfile
+            )
+
+        cleanup_count = 0
+        for key, value in kafka_ssl_files.items():
+            if (value['path'] is not None and value['is_temp']):
+                if os.path.exists(os.path.dirname(value['path'])):
+                    if os.path.exists(value['path']):
+                        try:
+                            os.remove(value['path'])
+                            cleanup_count += 1
+                        except (OSError, Exception):
+                            # Silently ignore cleanup errors to avoid module
+                            # failure
+                            pass
+
+    except (KeyError, Exception):
+        # Silently ignore all cleanup errors to avoid module failure
+        pass
+
+
+def get_zookeeper_ssl_files(params):
+    """
+    Generate SSL files object for zookeeper without creating configuration.
+    This is used for cleanup purposes.
+    """
+    if ('zookeeper_ssl_cafile' in params and
+            'zookeeper_ssl_certfile' in params and
+            'zookeeper_ssl_keyfile' in params):
+        zookeeper_ssl_cafile = params['zookeeper_ssl_cafile']
+        zookeeper_ssl_certfile = params['zookeeper_ssl_certfile']
+        zookeeper_ssl_keyfile = params['zookeeper_ssl_keyfile']
 
-    for _key, value in kafka_ssl_files.items():
-        if (
-                value['path'] is not None and value['is_temp'] and
-                os.path.exists(os.path.dirname(value['path']))
-        ):
-            os.remove(value['path'])
+        return generate_ssl_object(
+            zookeeper_ssl_cafile, zookeeper_ssl_certfile,
+            zookeeper_ssl_keyfile
+        )
+    return None
 
 
 def get_zookeeper_configuration(params):
@@ -415,23 +464,44 @@ def get_zookeeper_configuration(params):
     return None
 
 
-def maybe_clean_zk_ssl_files(params):
-
-    if ('zookeeper_ssl_cafile' in params and
-            'zookeeper_ssl_certfile' in params and
-            'zookeeper_ssl_keyfile' in params):
-        zookeeper_ssl_cafile = params['zookeeper_ssl_cafile']
-        zookeeper_ssl_certfile = params['zookeeper_ssl_certfile']
-        zookeeper_ssl_keyfile = params['zookeeper_ssl_keyfile']
-
-        zookeeper_ssl_files = generate_ssl_object(
-            zookeeper_ssl_cafile, zookeeper_ssl_certfile,
-            zookeeper_ssl_keyfile
-        )
-
-        for _key, value in zookeeper_ssl_files.items():
-            if (
-                    value['path'] is not None and value['is_temp'] and
-                    os.path.exists(os.path.dirname(value['path']))
-            ):
-                os.remove(value['path'])
+def maybe_clean_zk_ssl_files(params, zookeeper_ssl_files=None):
+    """
+    Clean up temporary ZooKeeper SSL files created during operations.
+    """
+    try:
+        if zookeeper_ssl_files is None:
+            # Fallback to old behavior if SSL files not provided
+            if ('zookeeper_ssl_cafile' in params and
+                    'zookeeper_ssl_certfile' in params and
+                    'zookeeper_ssl_keyfile' in params):
+                zookeeper_ssl_cafile = params['zookeeper_ssl_cafile']
+                zookeeper_ssl_certfile = params['zookeeper_ssl_certfile']
+                zookeeper_ssl_keyfile = params['zookeeper_ssl_keyfile']
+
+                if not any([zookeeper_ssl_cafile, zookeeper_ssl_certfile,
+                           zookeeper_ssl_keyfile]):
+                    return
+
+                zookeeper_ssl_files = generate_ssl_object(
+                    zookeeper_ssl_cafile, zookeeper_ssl_certfile,
+                    zookeeper_ssl_keyfile
+                )
+            else:
+                return
+
+            cleanup_count = 0
+        for key, value in zookeeper_ssl_files.items():
+            if (value['path'] is not None and value['is_temp']):
+                if os.path.exists(os.path.dirname(value['path'])):
+                    if os.path.exists(value['path']):
+                        try:
+                            os.remove(value['path'])
+                            cleanup_count += 1
+                        except (OSError, Exception):
+                            # Silently ignore cleanup errors to avoid module
+                            # failure
+                            pass
+
+    except (KeyError, Exception):
+        # Silently ignore all cleanup errors to avoid module failure
+        pass

module_utils/kafka_lib_quotas.py

@@ -110,8 +110,11 @@ def process_module_quotas(module, params=None):
     finally:
         if manager:
             manager.close()
-        maybe_clean_kafka_ssl_files(params)
-        maybe_clean_zk_ssl_files(params)
+        # Use cached SSL files from manager to avoid recreating them
+        maybe_clean_kafka_ssl_files(
+            params, getattr(manager, 'kafka_ssl_files', None))
+        maybe_clean_zk_ssl_files(
+            params, getattr(manager, 'zookeeper_ssl_files', None))
 
     if not changed:
         msg += 'nothing to do.'

module_utils/kafka_lib_topic.py

@@ -114,8 +114,11 @@ def process_module_topics(module, params=None):
     finally:
         if manager:
             manager.close()
-        maybe_clean_kafka_ssl_files(params)
-        maybe_clean_zk_ssl_files(params)
+        # Use cached SSL files from manager to avoid recreating them
+        maybe_clean_kafka_ssl_files(
+            params, getattr(manager, 'kafka_ssl_files', None))
+        maybe_clean_zk_ssl_files(
+            params, getattr(manager, 'zookeeper_ssl_files', None))
 
     if not changed:
         msg += 'nothing to do.'

module_utils/kafka_lib_user.py

@@ -58,8 +58,11 @@ def process_module_users(module, params):
     finally:
         if manager:
             manager.close()
-        maybe_clean_kafka_ssl_files(params)
-        maybe_clean_zk_ssl_files(params)
+        # Use cached SSL files from manager to avoid recreating them
+        maybe_clean_kafka_ssl_files(
+            params, getattr(manager, 'kafka_ssl_files', None))
+        maybe_clean_zk_ssl_files(
+            params, getattr(manager, 'zookeeper_ssl_files', None))
 
 
 def run_module_users(manager, module, params):