From e83c6f8d86cf1d34701bd16ab6bbd2a99bf0bd88 Mon Sep 17 00:00:00 2001
From: "Manuel J. Bernal"
Date: Thu, 7 May 2020 20:03:39 +0200
Subject: [PATCH] Refactor of production ready actions

---
 .../tasks/LocalActions.yml | 82 ++++++++--------
 .../opendistro-elasticsearch/tasks/RedHat.yml | 58 ++++++------
 .../tasks/SecurityActions.yml | 88 ++++++++++++++++++
 .../opendistro-elasticsearch/tasks/main.yml | 93 ++-----------------
 4 files changed, 168 insertions(+), 153 deletions(-)
 create mode 100644 roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml

diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml
index 432a4423..8ff56b64 100644
--- a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml
@@ -1,47 +1,51 @@ --- +- block: -- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation - local_action: - module: file - path: /tmp/opendistro-nodecerts - state: directory - run_once: true + - name: Local action | Create local temporary directory for certificates generation + local_action: + module: file + path: /tmp/opendistro-nodecerts + state: directory + run_once: true + + - name: Local action | Download certificates generation tool + local_action: + module: get_url + url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip + dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip + run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip -- name: RedHat/CentOS/Fedora | Download certificates generation tool - local_action: - module: get_url - url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip - dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip - run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip + - name: Local action | Extract the certificates generation tool + local_action: + module: unarchive + src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip + dest: /tmp/opendistro-nodecerts/ -- name: RedHat/CentOS/Fedora | Extract the certificates generation tool - local_action: - module: unarchive - src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip - dest: /tmp/opendistro-nodecerts/ + - name: Local action | Add the execution bit to the binary + local_action: + module: file + dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh + mode: a+x + run_once: true -- name: RedHat/CentOS/Fedora | Add the execution bit to the binary - local_action: - module: file - dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh - mode: a+x - run_once: true + - name: Local action | Prepare the certificates generation template file + local_action: + module: template + src: "templates/tlsconfig.yml.j2" + dest: 
/tmp/opendistro-nodecerts/config/tlsconfig.yml + run_once: true -- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file - local_action: - module: template - src: "templates/tlsconfig.yml.j2" - dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml - run_once: true + - name: Local action | Check if root CA file exists + local_action: + module: stat + path: /tmp/opendistro-nodecerts/config/root-ca.key + register: root_ca_file -- name: RedHat/CentOS/Fedora | Check if root CA file exists - local_action: - module: stat - path: /tmp/opendistro-nodecerts/config/root-ca.key - register: root_ca_file + - name: Local action | Generate the node & admin certificates in local + local_action: + module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f -o + run_once: true + when: root_ca_file.stat.exists == False -- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local - local_action: - module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f -o - run_once: true - when: root_ca_file.stat.exists == False \ No newline at end of file + tags: + - generate-certs \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index b3318193..68459544 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml 
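Review bot: `run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip` on the download task is carried over into the re-indented block unchanged; `run_once` takes a boolean, and a non-empty path string is merely truthy, so the intent is hidden — it should read `run_once: true`, and the extract and stat tasks should get the same `run_once: true` since they act on the same controller-local directory. The directory that later receives `root-ca.key` and `admin.key` is created with the default umask mode; adding `mode: "0700"` to that `file` task keeps other local users on the controller from reading the generated private keys. The `get_url` task fetches the TLS tool without a `checksum:`; pinning one (`checksum: "sha256:<expected-digest>"`) protects the whole certificate generation step from a tampered or corrupted download. `when: root_ca_file.stat.exists == False` reads more idiomatically as `when: not root_ca_file.stat.exists`, and the file still ends without a trailing newline after `- generate-certs`.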
@@ -1,32 +1,36 @@ --- +- block: -- name: RedHat/CentOS/Fedora | Add OpenDistro repo - yum_repository: - file: opendistro - name: opendistro_repo - description: Opendistro yum repository - baseurl: "{{ package_repos.yum.opendistro.baseurl }}" - gpgkey: "{{ package_repos.yum.opendistro.gpg }}" - gpgcheck: true - changed_when: false + - name: RedHat/CentOS/Fedora | Add OpenDistro repo + yum_repository: + file: opendistro + name: opendistro_repo + description: Opendistro yum repository + baseurl: "{{ package_repos.yum.opendistro.baseurl }}" + gpgkey: "{{ package_repos.yum.opendistro.gpg }}" + gpgcheck: true + changed_when: false -- name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo - yum_repository: - file: opendistro - name: elasticsearch_oss_repo - description: Elasticsearch-oss yum repository - baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}" - gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}" - gpgcheck: true - changed_when: false + - name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo + yum_repository: + file: opendistro + name: elasticsearch_oss_repo + description: Elasticsearch-oss yum repository + baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}" + gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}" + gpgcheck: true + changed_when: false -- name: RedHat/CentOS/Fedora | Install OpenJDK 11 - yum: name=java-11-openjdk-devel state=present + - name: RedHat/CentOS/Fedora | Install OpenJDK 11 + yum: name=java-11-openjdk-devel state=present -- name: RedHat/CentOS/Fedora | Install OpenDistro dependencies - yum: - name: "{{ packages }}" - vars: - packages: - - wget - - unzip + - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies + yum: + name: "{{ packages }}" + vars: + packages: + - wget + - unzip + + tags: + - install \ No newline at end of file 
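Review bot: `changed_when: false` on both `yum_repository` tasks (kept on the new side) suppresses change reporting for tasks that do write repo files, so a run that actually adds or alters a repository shows as unchanged and `--check`/`--diff` output loses that signal; drop the override unless there is a known spurious-change problem, and if there is, say so in a comment above the task. `yum: name=java-11-openjdk-devel state=present` uses key=value shorthand while the neighbouring tasks use block YAML; write it as `yum:` / `name: java-11-openjdk-devel` / `state: present`. The file still ends without a trailing newline after `- install`.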
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml
new file mode 100644
index 00000000..c6323fde
--- /dev/null
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml
@@ -0,0 +1,88 @@ +- block: + + - name: Remove demo certs + file: + path: "{{ item }}" + state: absent + with_items: + - "{{opendistro_conf_path}}/kirk.pem" + - "{{opendistro_conf_path}}/kirk-key.pem" + - "{{opendistro_conf_path}}/esnode.pem" + - "{{opendistro_conf_path}}/esnode-key.pem" + when: install.changed + + - name: Copy the node & admin certificates to Elasticsearch cluster + copy: + src: "/tmp/opendistro-nodecerts/config/{{ item }}" + dest: /etc/elasticsearch/ + mode: 0644 + with_items: + - root-ca.pem + - root-ca.key + - "{{ inventory_hostname }}.key" + - "{{ inventory_hostname }}.pem" + - "{{ inventory_hostname }}_http.key" + - "{{ inventory_hostname }}_http.pem" + - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" + - admin.key + - admin.pem + when: install.changed + + - name: Copy the opendistro security configuration file to cluster + blockinfile: + block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" + dest: "{{ opendistro_conf_path }}/elasticsearch.yml" + insertafter: EOF + marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" + when: install.changed + + - name: Prepare the opendistro security configuration file + replace: + path: "{{ opendistro_conf_path }}/elasticsearch.yml" + regexp: 'searchguard' + replace: 'opendistro_security' + tags: local + when: install.changed + + - name: Restart elasticsearch with security configuration + systemd: + name: elasticsearch + state: restarted + when: install.changed + + - name: Copy the opendistro security internal users template + template: + src: "templates/internal_users.yml.j2" + dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" + mode: 0644 + run_once: true + when: install.changed + + - name: Set the Admin user password + shell: > + sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)',' + {{ 
opendistro_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + + - name: Set the kibanaserver user pasword + shell: > + sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' + {{ opendistro_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + + - name: Initialize the opendistro security index in elasticsearch + shell: > + sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh + -cacert {{ opendistro_conf_path }}/root-ca.pem + -cert {{ opendistro_conf_path }}/admin.pem + -key {{ opendistro_conf_path }}/admin.key + -cd {{ opendistro_sec_plugin_conf_path }}/ + -nhnv -icl + -h {{ hostvars[inventory_hostname]['ip'] }} + run_once: true + when: install.changed + + tags: + - production_ready diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index ea56183e..94f4ab91 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -1,4 +1,5 @@ --- + - import_tasks: LocalActions.yml - import_tasks: RedHat.yml 
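Review bot: `root-ca.key` is copied to every node at `mode: 0644` together with `admin.key` and the node keys, so every private key ends up world-readable on the host, and the CA signing key is distributed to hosts that only need `root-ca.pem` to validate peers. Drop `- root-ca.key` from the `with_items` list, set `mode: "0600"` with `owner: elasticsearch` for the `.key` files (the `.pem` certificates can stay `"0644"`), and use `{{ opendistro_conf_path }}` for `dest` instead of the hard-coded `/etc/elasticsearch/`. The two `hash.sh -p {{ ... }}` tasks put the plaintext admin and kibanaserver passwords on a command line, where they are visible in the host's process list and recorded verbatim in Ansible's task output; add `no_log: true` to both (and to the template task that writes the plaintext into `internal_users.yml`), pass the value through `| quote`, and note that a password containing `,` or a regex metacharacter breaks the `sed` substitution — the `replace` module with `regex_escape` would be safer. `-nhnv` disables hostname verification for the securityadmin connection; acceptable for bootstrap, but worth a comment above the task stating why. The new file also lacks the leading `---`.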
@@ -7,40 +8,14 @@ - name: Install OpenDistro package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present register: install - -- name: Copy the node & admin certificates to Elasticsearch cluster - copy: - src: "/tmp/opendistro-nodecerts/config/{{ item }}" - dest: /etc/elasticsearch/ - mode: 0644 - with_items: - - root-ca.pem - - root-ca.key - - "{{ inventory_hostname }}.key" - - "{{ inventory_hostname }}.pem" - - "{{ inventory_hostname }}_http.key" - - "{{ inventory_hostname }}_http.pem" - - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" - - admin.key - - admin.pem - when: install.changed - -- name: Remove demo certs - file: - path: "{{ item }}" - state: absent - with_items: - - "{{opendistro_conf_path}}/kirk.pem" - - "{{opendistro_conf_path}}/kirk-key.pem" - - "{{opendistro_conf_path}}/esnode.pem" - - "{{opendistro_conf_path}}/esnode-key.pem" - when: install.changed + tags: install - name: Remove elasticsearch configuration file file: path: "{{opendistro_conf_path}}/elasticsearch.yml" state: absent when: install.changed + tags: install - name: Copy Configuration File blockinfile: 
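Review bot: `tags: install` is added to the task that registers `install`, but the tasks that consume `install.changed` now live in SecurityActions.yml under the `production_ready` tag, so `ansible-playbook --tags production_ready` reaches those `when:` clauses with `install` undefined and fails; the `tags: install` tasks later in this file that also test `install.changed` have the same dependency. Either tag the Install task with both, `tags: [install, production_ready]`, or guard the consumers with `when: install is defined and install.changed`. `package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present` is key=value shorthand; block form with the Jinja value quoted, `name: "opendistroforelasticsearch-{{ opendistro_version }}"`, matches the rest of the file.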
@@ -51,62 +26,9 @@ mode: 0640 marker: "## {mark} Opendistro general settings ##" when: install.changed + tags: install -- name: Copy the opendistro security configuration file to cluster - blockinfile: - block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" - dest: "{{ opendistro_conf_path }}/elasticsearch.yml" - insertafter: EOF - marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" - when: install.changed - -- name: Prepare the opendistro security configuration file - replace: - path: "{{ opendistro_conf_path }}/elasticsearch.yml" - regexp: 'searchguard' - replace: 'opendistro_security' - tags: local - when: install.changed - -- name: Restart elasticsearch with security configuration - systemd: - name: elasticsearch - state: restarted - when: install.changed - -- name: Copy the opendistro security internal users template - template: - src: "templates/internal_users.yml.j2" - dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" - mode: 0644 - run_once: true - when: install.changed - -- name: Set the Admin user password - shell: > - sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)',' - {{ opendistro_sec_plugin_conf_path }}/internal_users.yml - run_once: true - when: install.changed - -- name: Set the kibanaserver user pasword - shell: > - sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' - {{ opendistro_sec_plugin_conf_path }}/internal_users.yml - run_once: true - when: install.changed - -- name: Initialize the opendistro security index in elasticsearch - shell: > - sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh - -cacert {{ opendistro_conf_path }}/root-ca.pem - -cert {{ opendistro_conf_path }}/admin.pem - -key {{ opendistro_conf_path }}/admin.key - -cd {{ 
opendistro_sec_plugin_conf_path }}/ - -nhnv -icl - -h {{ hostvars[inventory_hostname]['ip'] }} - run_once: true - when: install.changed +- import_tasks: SecurityActions.yml - name: Configure OpenDistro Elasticsearch JVM memmory. template: @@ -117,16 +39,13 @@ mode: 0644 force: yes notify: restart elasticsearch - tags: opendistro + tags: install - name: Ensure Elasticsearch started and enabled service: name: elasticsearch enabled: true state: started - tags: - - opendistro - - init - name: Wait for Elasticsearch API uri:
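Review bot: `- import_tasks: SecurityActions.yml` is inserted before the JVM memory template and before `Ensure Elasticsearch started and enabled`, yet the imported block restarts elasticsearch with `systemd: state: restarted` and runs securityadmin.sh against it, so on a fresh install the security index is presumably initialized by a service started with unconfigured JVM options and then restarted once more by the `restart elasticsearch` handler. Moving the import after the JVM template (or after the service task, relying on the existing handler instead of the inline restart) avoids the double start. Because `import_tasks` is static, the `production_ready` tag on the block is applied at parse time to every imported task, so a comment above the import naming which tag runs it would help readers of this file.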
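Review bot: Removing `tags: [opendistro, init]` from `Ensure Elasticsearch started and enabled` leaves it untagged while the preceding tasks are tagged `install`, so a run limited to `--tags install` installs and configures the package but never enables or starts the service and also skips `Wait for Elasticsearch API`; give it `tags: install` as well, or keep a tag such runs include. `force: yes` is a YAML 1.1 truthy spelling; write `force: true` like `enabled: true` on the service task.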