Refactor of production ready actions

This commit is contained in:
Manuel J. Bernal 2020-05-07 20:03:39 +02:00
parent 0c04b22b0f
commit e83c6f8d86
4 changed files with 168 additions and 153 deletions


@ -1,47 +1,51 @@
--- ---
- block:
- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation - name: Local action | Create local temporary directory for certificates generation
local_action: local_action:
module: file module: file
path: /tmp/opendistro-nodecerts path: /tmp/opendistro-nodecerts
state: directory state: directory
run_once: true run_once: true
- name: RedHat/CentOS/Fedora | Download certificates generation tool - name: Local action | Download certificates generation tool
local_action: local_action:
module: get_url module: get_url
url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip
dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip
run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip
- name: RedHat/CentOS/Fedora | Extract the certificates generation tool - name: Local action | Extract the certificates generation tool
local_action: local_action:
module: unarchive module: unarchive
src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip
dest: /tmp/opendistro-nodecerts/ dest: /tmp/opendistro-nodecerts/
- name: RedHat/CentOS/Fedora | Add the execution bit to the binary - name: Local action | Add the execution bit to the binary
local_action: local_action:
module: file module: file
dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh
mode: a+x mode: a+x
run_once: true run_once: true
- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file - name: Local action | Prepare the certificates generation template file
local_action: local_action:
module: template module: template
src: "templates/tlsconfig.yml.j2" src: "templates/tlsconfig.yml.j2"
dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml
run_once: true run_once: true
- name: RedHat/CentOS/Fedora | Check if root CA file exists - name: Local action | Check if root CA file exists
local_action: local_action:
module: stat module: stat
path: /tmp/opendistro-nodecerts/config/root-ca.key path: /tmp/opendistro-nodecerts/config/root-ca.key
register: root_ca_file register: root_ca_file
- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local - name: Local action | Generate the node & admin certificates in local
local_action: local_action:
module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f -o module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f -o
run_once: true run_once: true
when: root_ca_file.stat.exists == False when: root_ca_file.stat.exists == False
tags:
- generate-certs
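Review bot: `run_once` on the download task (the line below the get_url `dest:`) carries a file path, `run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip`, where a boolean is expected; this looks like a pasted `dest` value and should read `run_once: true` like the neighbouring tasks. The extract task is the only local action in the block without `run_once`, so every host in the play would unzip into the same directory. The tool is fetched over HTTPS without pinning its contents; adding `checksum: "sha256:<expected digest - placeholder>"` to the get_url task would make the download verifiable. Indentation is not visible on this rendered page, so the block nesting is inferred.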


@ -1,6 +1,7 @@
--- ---
- block:
- name: RedHat/CentOS/Fedora | Add OpenDistro repo - name: RedHat/CentOS/Fedora | Add OpenDistro repo
yum_repository: yum_repository:
file: opendistro file: opendistro
name: opendistro_repo name: opendistro_repo
@ -10,7 +11,7 @@
gpgcheck: true gpgcheck: true
changed_when: false changed_when: false
- name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo - name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo
yum_repository: yum_repository:
file: opendistro file: opendistro
name: elasticsearch_oss_repo name: elasticsearch_oss_repo
@ -20,13 +21,16 @@
gpgcheck: true gpgcheck: true
changed_when: false changed_when: false
- name: RedHat/CentOS/Fedora | Install OpenJDK 11 - name: RedHat/CentOS/Fedora | Install OpenJDK 11
yum: name=java-11-openjdk-devel state=present yum: name=java-11-openjdk-devel state=present
- name: RedHat/CentOS/Fedora | Install OpenDistro dependencies - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies
yum: yum:
name: "{{ packages }}" name: "{{ packages }}"
vars: vars:
packages: packages:
- wget - wget
- unzip - unzip
tags:
- install
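Review bot: The OpenJDK task still uses the key=value shorthand, `yum: name=java-11-openjdk-devel state=present`, while the task right after it uses block YAML for the same module; writing it as `yum:` with `name: java-11-openjdk-devel` and `state: present` on their own lines keeps the two consistent and lets a linter check the arguments. Both repository tasks carry `changed_when: false`, which hides a changed repo file from the play recap; if that is deliberate, a one-line comment saying why would help the next reader. Indentation is lost on this rendered page, so the block nesting is inferred.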


@ -0,0 +1,88 @@
- block:
- name: Remove demo certs
file:
path: "{{ item }}"
state: absent
with_items:
- "{{opendistro_conf_path}}/kirk.pem"
- "{{opendistro_conf_path}}/kirk-key.pem"
- "{{opendistro_conf_path}}/esnode.pem"
- "{{opendistro_conf_path}}/esnode-key.pem"
when: install.changed
- name: Copy the node & admin certificates to Elasticsearch cluster
copy:
src: "/tmp/opendistro-nodecerts/config/{{ item }}"
dest: /etc/elasticsearch/
mode: 0644
with_items:
- root-ca.pem
- root-ca.key
- "{{ inventory_hostname }}.key"
- "{{ inventory_hostname }}.pem"
- "{{ inventory_hostname }}_http.key"
- "{{ inventory_hostname }}_http.pem"
- "{{ inventory_hostname }}_elasticsearch_config_snippet.yml"
- admin.key
- admin.pem
when: install.changed
- name: Copy the opendistro security configuration file to cluster
blockinfile:
block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
insertafter: EOF
marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
when: install.changed
- name: Prepare the opendistro security configuration file
replace:
path: "{{ opendistro_conf_path }}/elasticsearch.yml"
regexp: 'searchguard'
replace: 'opendistro_security'
tags: local
when: install.changed
- name: Restart elasticsearch with security configuration
systemd:
name: elasticsearch
state: restarted
when: install.changed
- name: Copy the opendistro security internal users template
template:
src: "templates/internal_users.yml.j2"
dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
mode: 0644
run_once: true
when: install.changed
- name: Set the Admin user password
shell: >
sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)','
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml
run_once: true
when: install.changed
- name: Set the kibanaserver user pasword
shell: >
sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)','
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml
run_once: true
when: install.changed
- name: Initialize the opendistro security index in elasticsearch
shell: >
sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh
-cacert {{ opendistro_conf_path }}/root-ca.pem
-cert {{ opendistro_conf_path }}/admin.pem
-key {{ opendistro_conf_path }}/admin.key
-cd {{ opendistro_sec_plugin_conf_path }}/
-nhnv -icl
-h {{ hostvars[inventory_hostname]['ip'] }}
run_once: true
when: install.changed
tags:
- production_ready
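Review bot: The copy task writes `root-ca.key`, `admin.key` and the per-node `.key` files to `/etc/elasticsearch/` with `mode: 0644`, which leaves the private keys world-readable on every node; `mode: "{{ '0600' if item.endswith('.key') else '0644' }}"` (or a separate task for the key files) keeps them private, and quoting the mode also avoids the unquoted-octal pitfall. Unless something on the node signs certificates, `root-ca.key` does not need to be distributed at all. The two `shell` tasks that call `hash.sh -p` put `opendistro_admin_password` and `opendistro_kibana_password` on the command line and into the task output; adding `no_log: true` to both keeps them out of the logs, and the kibanaserver task name has a typo (`pasword`). The file also lacks the `---` document start the sibling task files use, and `dest: /etc/elasticsearch/` is hard-coded while the rest of the file uses `{{ opendistro_conf_path }}`.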


@ -1,4 +1,5 @@
--- ---
- import_tasks: LocalActions.yml - import_tasks: LocalActions.yml
- import_tasks: RedHat.yml - import_tasks: RedHat.yml
@ -7,40 +8,14 @@
- name: Install OpenDistro - name: Install OpenDistro
package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present
register: install register: install
tags: install
- name: Copy the node & admin certificates to Elasticsearch cluster
copy:
src: "/tmp/opendistro-nodecerts/config/{{ item }}"
dest: /etc/elasticsearch/
mode: 0644
with_items:
- root-ca.pem
- root-ca.key
- "{{ inventory_hostname }}.key"
- "{{ inventory_hostname }}.pem"
- "{{ inventory_hostname }}_http.key"
- "{{ inventory_hostname }}_http.pem"
- "{{ inventory_hostname }}_elasticsearch_config_snippet.yml"
- admin.key
- admin.pem
when: install.changed
- name: Remove demo certs
file:
path: "{{ item }}"
state: absent
with_items:
- "{{opendistro_conf_path}}/kirk.pem"
- "{{opendistro_conf_path}}/kirk-key.pem"
- "{{opendistro_conf_path}}/esnode.pem"
- "{{opendistro_conf_path}}/esnode-key.pem"
when: install.changed
- name: Remove elasticsearch configuration file - name: Remove elasticsearch configuration file
file: file:
path: "{{opendistro_conf_path}}/elasticsearch.yml" path: "{{opendistro_conf_path}}/elasticsearch.yml"
state: absent state: absent
when: install.changed when: install.changed
tags: install
- name: Copy Configuration File - name: Copy Configuration File
blockinfile: blockinfile:
@ -51,62 +26,9 @@
mode: 0640 mode: 0640
marker: "## {mark} Opendistro general settings ##" marker: "## {mark} Opendistro general settings ##"
when: install.changed when: install.changed
tags: install
- name: Copy the opendistro security configuration file to cluster - import_tasks: SecurityActions.yml
blockinfile:
block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
insertafter: EOF
marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
when: install.changed
- name: Prepare the opendistro security configuration file
replace:
path: "{{ opendistro_conf_path }}/elasticsearch.yml"
regexp: 'searchguard'
replace: 'opendistro_security'
tags: local
when: install.changed
- name: Restart elasticsearch with security configuration
systemd:
name: elasticsearch
state: restarted
when: install.changed
- name: Copy the opendistro security internal users template
template:
src: "templates/internal_users.yml.j2"
dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
mode: 0644
run_once: true
when: install.changed
- name: Set the Admin user password
shell: >
sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)','
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml
run_once: true
when: install.changed
- name: Set the kibanaserver user pasword
shell: >
sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)','
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml
run_once: true
when: install.changed
- name: Initialize the opendistro security index in elasticsearch
shell: >
sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh
-cacert {{ opendistro_conf_path }}/root-ca.pem
-cert {{ opendistro_conf_path }}/admin.pem
-key {{ opendistro_conf_path }}/admin.key
-cd {{ opendistro_sec_plugin_conf_path }}/
-nhnv -icl
-h {{ hostvars[inventory_hostname]['ip'] }}
run_once: true
when: install.changed
- name: Configure OpenDistro Elasticsearch JVM memmory. - name: Configure OpenDistro Elasticsearch JVM memmory.
template: template:
@ -117,16 +39,13 @@
mode: 0644 mode: 0644
force: yes force: yes
notify: restart elasticsearch notify: restart elasticsearch
tags: opendistro tags: install
- name: Ensure Elasticsearch started and enabled - name: Ensure Elasticsearch started and enabled
service: service:
name: elasticsearch name: elasticsearch
enabled: true enabled: true
state: started state: started
tags:
- opendistro
- init
- name: Wait for Elasticsearch API - name: Wait for Elasticsearch API
uri: uri: