Added opendistro tasks and templates

2020-04-08 17:38:44 +02:00 · 2020-04-08 17:38:44 +02:00 · 9fc2b1e3c4
commit 9fc2b1e3c4
parent dbeb8b31fb
5 changed files with 257 additions and 17 deletions
--- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml
+++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml
@ -2,6 +2,19 @@
 # The OpenDistro version
 opendistro_version: 1.6.0

+elasticsearch_cluster_name: wazuh-cluster
+
+# Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster
+minimum_master_nodes: 2
+
+# Elasticsearch version
+es_version: "7.3.2"
+es_major_version: "7.x"
+
+# Configure hostnames for Elasticsearch nodes
+# Example es1.example.com, es2.example.com
+domain_name: example.com
+
 # The OpenDistro package repository
 package_repos:
  yum: 
@ -12,8 +25,60 @@ package_repos:
      baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum'
      gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'

+populate_inventory_to_hosts_file: true
+
+es_plugin_bin_path: /usr/share/elasticsearch/bin/elasticsearch-plugin
+es_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
+es_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools
+
+es_nodes: |-
+        {% for item in groups['es-cluster'] -%}
+          {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
+        {%- endfor %}
+
 # Security password
 opendistro_security_password: admin
-
 # Set JVM memory limits
-elasticsearch_jvm_xms: null
+opendistro_jvm_xms: null
+
+opendistro_http_port: 9200
+opendistro_network_host: 127.0.0.1
+opendistro_reachable_host: 127.0.0.1
+opendistro_jvm_xms: null
+elastic_stack_version: 7.6.1
+opendistro_lower_disk_requirements: false
+
+elasticrepo:
+  apt: 'https://artifacts.elastic.co/packages/7.x/apt'
+  yum: 'https://artifacts.elastic.co/packages/7.x/yum'
+  gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro'
+  key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
+
+# Cluster Settings
+single_node: true
+opendistro_cluster_name: wazuh
+opendistro_node_name: node-1
+opendistro_bootstrap_node: false
+opendistro_node_master: false
+opendistro_cluster_nodes:
+  - 127.0.0.1
+opendistro_discovery_nodes:
+  - 127.0.0.1
+opendistro_node_data: true
+opendistro_node_ingest: true
+
+# X-Pack Security 
+opendistro_xpack_security: false
+opendistro_xpack_security_user: elastic
+opendistro_xpack_security_password: elastic_pass
+
+node_certs_generator: false
+node_certs_source: /usr/share/elasticsearch
+node_certs_destination: /etc/elasticsearch/certs
+
+# CA generation
+master_certs_path: /es_certs
+generate_CA: true
+ca_key_name: ""
+ca_cert_name: ""
+ca_password: ""
--- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml
@ -34,3 +34,118 @@
 - name: RedHat/CentOS/Fedora | Install OpenDistro
  package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present
  tags: install
+
+## Here we are going to use self-signed certificates for Transport (Node-Node communication) & REST API layer
+## Using searchguard offline TLS tool to create node & root certificates
+- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation
+  local_action:
+    module: file
+    path: /tmp/opendistro-nodecerts
+    state: directory
+  run_once: true
+  when: install.changed
+
+- name: RedHat/CentOS/Fedora | Download certificates generation tool
+  local_action:
+    module: get_url
+    url: https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/1.5/search-guard-tlstool-1.5.zip
+    dest: /tmp/opendistro-nodecerts/search-guard-tlstool.zip
+  run_once: true
+  when: install.changed
+
+- name: RedHat/CentOS/Fedora | Extract the certificates generation tool
+  local_action: command chdir=/tmp/opendistro-nodecerts tar -xvf search-guard-tlstool.zip
+  run_once: true
+  when: install.changed
+
+- name: RedHat/CentOS/Fedora | Add the execution bit to the binary
+  local_action:
+    module: file
+    dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh
+    mode: a+x
+  run_once: true
+  when: install.changed
+
+- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file
+  local_action:
+    module: template
+    src: tlsconfig.yml
+    dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml
+  run_once: true
+  when: install.changed
+
+- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local
+  local_action:
+    module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/
+  run_once: true
+  when: install.changed
+
+- name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster
+  copy:
+    src: "/tmp/opendistro-nodecerts/config/{{ item }}"
+    dest: /etc/elasticsearch/
+    mode: 0644
+  with_items:
+    - root-ca.pem
+    - root-ca.key
+    - "{{ inventory_hostname }}.key"
+    - "{{ inventory_hostname }}.pem"
+    - "{{ inventory_hostname }}_http.key"
+    - "{{ inventory_hostname }}_http.pem"
+    - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml"
+    - admin.key
+    - admin.pem
+  when: install.changed
+
+- name: RedHat/CentOS/Fedora | Copy the opendistro security configuration file to cluster
+  blockinfile:
+    block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}"
+    dest: "{{ conf_dir }}/elasticsearch.yml"
+    backup: yes
+    insertafter: EOF
+    marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
+  when: install.changed
+
+- name: RedHat/CentOS/Fedora | Prepare the opendistro security configuration file
+  command: sed -i 's/searchguard/opendistro_security/g' {{ conf_dir }}/elasticsearch.yml
+  when: install.changed
+
+- name: RedHat/CentOS/Fedora | Restart elasticsearch with security configuration
+  systemd:
+    name: elasticsearch
+    state: restarted
+  when: install.changed
+
+- name: RedHat/CentOS/Fedora | Copy the opendistro security internal users template
+  template:
+    src: internal_users.yml
+    dest: "{{ es_sec_plugin_conf_path }}/internal_users.yml"
+    mode: 0644
+  run_once: true
+  when: install.changed
+
+- name: RedHat/CentOS/Fedora | Set the Admin user password
+  shell: >
+    sed -i 's,{{ admin_password }},'$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)','
+    {{ es_sec_plugin_conf_path }}/internal_users.yml
+  run_once: true
+  when: install.changed
+
+- name: RedHat/CentOS/Fedora | Set the kibanaserver user pasword
+  shell: >
+    sed -i 's,{{ kibanaserver_password }},'$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)','
+    {{ es_sec_plugin_conf_path }}/internal_users.yml
+  run_once: true
+  when: install.changed
+
+- name: RedHat/CentOS/Fedora | Initialize the opendistro security index in elasticsearch
+  shell: >
+    sh {{ es_sec_plugin_tools_path }}/securityadmin.sh
+    -cacert {{ conf_dir }}/root-ca.pem
+    -cert {{ conf_dir }}/admin.pem
+    -key {{ conf_dir }}/admin.key
+    -cd {{ es_sec_plugin_conf_path }}/
+    -nhnv -icl
+    -h {{ hostvars[inventory_hostname]['ip'] }}
+  run_once: true
+  when: install.changed
--- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml
@ -11,7 +11,8 @@
    dest: /etc/elasticsearch/jvm.options
    owner: root
    group: elasticsearch
-    mode: 0660
+    mode: 0644
+    force: yes
  notify: restart elasticsearch
  tags: configure

@ -20,6 +21,10 @@
 - import_tasks: "RMRedHat.yml"
  when: ansible_os_family == "RedHat"

+- name: Copy Configuration File
+  template: src=elasticsearch.yml dest={{conf_dir}}/elasticsearch.yml group=elasticsearch mode=0644 backup=yes
+  register: system_change
+  notify: restart elasticsearch

 - name: Ensure Elasticsearch started and enabled
  service:
@ -42,17 +47,3 @@
 - import_tasks: "RMDebian.yml"
  when: ansible_os_family == "Debian"

- name: Wait for Elasticsearch API
-  uri:
-    url: "https://localhost:9200/_cluster/health/"
-    user: "admin" # Default Elasticsearch user is always "elastic"
-    password: "{{ opendistro_security_password }}"
-    validate_certs: no
-    status_code: 200,401
-    return_content: yes
-    timeout: 4
-  register: _result
-  until: (  _result.json is defined) and (_result.json.status == "green")
-  retries: 24
-  delay: 5
-
--- a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2
+++ b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2
@ -0,0 +1,22 @@
+cluster.name: "{{ elasticsearch_cluster_name }}"
+
+node.name: "{{ inventory_hostname }}"
+
+path.data: /var/lib/elasticsearch
+
+path.logs: /var/log/elasticsearch
+
+network.host: "{{ hostvars[inventory_hostname]['ip'] }}"
+
+http.port: "{{ opendistro_http_port }}"
+
+discovery.seed_hosts: ["{{ es_nodes }}"]
+
+cluster.initial_master_nodes: ["{{ es_nodes }}"]
+
+discovery.zen.minimum_master_nodes: "{{ minimum_master_nodes }}"
+opendistro_security.allow_default_init_securityindex: true
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
--- a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2
+++ b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2
@ -0,0 +1,47 @@
+ca:
+   root:
+      dn: CN=root.ca.{{ domain_name }},OU=CA,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
+      keysize: 2048
+      validityDays: 730
+      pkPassword: none
+      file: root-ca.pem
+
+### Default values and global settings
+defaults:
+      validityDays: 730
+      pkPassword: none
+      # Set this to true in order to generate config and certificates for
+      # the HTTP interface of nodes
+      httpsEnabled: true
+      reuseTransportCertificatesForHttp: false
+      verifyHostnames: false
+      resolveHostnames: false
+
+
+###
+### Nodes
+###
+#
+# Specify the nodes of your ES cluster here
+#
+nodes:
+{% for item in groups['es-cluster'] %}
+  - name: {{ item }}
+    dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
+    dns: {{ item }}.{{ domain_name }}
+    ip: {{ hostvars[item]['ip'] }}
+{% endfor %}
+
+###
+### Clients
+###
+#
+# Specify the clients that shall access your ES cluster with certificate authentication here
+#
+# At least one client must be an admin user (i.e., a super-user). Admin users can
+# be specified with the attribute admin: true
+#
+clients:
+  - name: admin
+    dn: CN=admin.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
+    admin: true