afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Decoupled local actions and updated SearchGuard certificate generator binary

Browse Source
This commit is contained in:
Manuel J. Bernal 2020-04-29 15:54:29 +02:00
parent 53ad5c62cc
commit ae160cf6c3
3 changed files with 49 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml Normal file
View File

@ -0,0 +1,40 @@
---
- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation
local_action:
module: file
path: /tmp/opendistro-nodecerts
state: directory
run_once: true
- name: RedHat/CentOS/Fedora | Download certificates generation tool
local_action:
module: get_url
url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip
dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip
run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip
- name: RedHat/CentOS/Fedora | Extract the certificates generation tool
local_action:
module: unarchive
src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip
dest: /tmp/opendistro-nodecerts/
- name: RedHat/CentOS/Fedora | Add the execution bit to the binary
local_action:
module: file
dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh
mode: a+x
run_once: true
- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file
local_action:
module: template
src: "templates/tlsconfig.yml.j2"
dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml
run_once: true
- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local
local_action:
module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f
run_once: true

40
roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml
View File

@ -35,46 +35,6 @@
package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present
register: install register: install
## Here we are going to use self-signed certificates for Transport (Node-Node communication) & REST API layer
## Using searchguard offline TLS tool to create node & root certificates
- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation
local_action:
module: file
path: /tmp/opendistro-nodecerts
state: directory
run_once: true
- name: RedHat/CentOS/Fedora | Download certificates generation tool
local_action:
module: get_url
url: https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/1.5/search-guard-tlstool-1.5.zip
dest: /tmp/opendistro-nodecerts/search-guard-tlstool.zip
run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip
- name: RedHat/CentOS/Fedora | Extract the certificates generation tool
local_action:
module: unarchive
src: /tmp/opendistro-nodecerts/search-guard-tlstool.zip
dest: /tmp/opendistro-nodecerts/
- name: RedHat/CentOS/Fedora | Add the execution bit to the binary
local_action:
module: file
dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh
mode: a+x
run_once: true
- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file
local_action:
module: template
src: "templates/tlsconfig.yml.j2"
dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml
run_once: true
- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local
local_action:
module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/
run_once: true
- name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster - name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster
copy: copy:

11
roles/opendistro/opendistro-elasticsearch/tasks/main.yml
View File

@ -1,10 +1,12 @@
--- ---
- import_tasks: LocalActions.yml
- import_tasks: RedHat.yml - import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat' when: ansible_os_family == 'RedHat'
- name: Configure OpenDistro Elasticsearch JVM memmory. - name: Configure OpenDistro Elasticsearch JVM memmory.
template: template:
src: jvm.options.j2 src: "templates/jvm.options.j2"
dest: /etc/elasticsearch/jvm.options dest: /etc/elasticsearch/jvm.options
owner: root owner: root
group: elasticsearch group: elasticsearch
@ -19,7 +21,12 @@
when: ansible_os_family == "RedHat" when: ansible_os_family == "RedHat"
- name: Copy Configuration File - name: Copy Configuration File
template: src=elasticsearch.yml dest={{conf_dir}}/elasticsearch.yml group=elasticsearch mode=0644 backup=yes template:
src: "templates/elasticsearch.ym.j2"
dest: "{{conf_dir}}/elasticsearch.yml"
group: elasticsearch
mode: 0644
backup: yes
register: system_change register: system_change
notify: restart elasticsearch notify: restart elasticsearch