WIP: Testing first secured cluster deployment

This commit is contained in:
Manuel J. Bernal 2020-05-06 17:33:53 +02:00
parent 7269b15041
commit e899b1c602
2 changed files with 107 additions and 93 deletions


@ -30,78 +30,3 @@
packages: packages:
- wget - wget
- unzip - unzip
- name: RedHat/CentOS/Fedora | Install OpenDistro
package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present
register: install
- name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster
copy:
src: "/tmp/opendistro-nodecerts/config/{{ item }}"
dest: /etc/elasticsearch/
mode: 0644
with_items:
- root-ca.pem
- root-ca.key
- "{{ inventory_hostname }}.key"
- "{{ inventory_hostname }}.pem"
- "{{ inventory_hostname }}_http.key"
- "{{ inventory_hostname }}_http.pem"
- "{{ inventory_hostname }}_elasticsearch_config_snippet.yml"
- admin.key
- admin.pem
when: install.changed
- name: RedHat/CentOS/Fedora | Copy the opendistro security configuration file to cluster
blockinfile:
block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
backup: yes
insertafter: EOF
marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
when: install.changed
- name: RedHat/CentOS/Fedora | Prepare the opendistro security configuration file
command: sed -i 's/searchguard/opendistro_security/g' {{ opendistro_conf_path }}/elasticsearch.yml
when: install.changed
- name: RedHat/CentOS/Fedora | Restart elasticsearch with security configuration
systemd:
name: elasticsearch
state: restarted
when: install.changed
- name: RedHat/CentOS/Fedora | Copy the opendistro security internal users template
template:
src: "templates/internal_users.yml.j2"
dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
mode: 0644
run_once: true
when: install.changed
- name: RedHat/CentOS/Fedora | Set the Admin user password
shell: >
sed -i 's,{{ admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)','
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml
run_once: true
when: install.changed
- name: RedHat/CentOS/Fedora | Set the kibanaserver user pasword
shell: >
sed -i 's,{{ kibanaserver_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)','
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml
run_once: true
when: install.changed
- name: RedHat/CentOS/Fedora | Initialize the opendistro security index in elasticsearch
shell: >
sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh
-cacert {{ opendistro_conf_path }}/root-ca.pem
-cert {{ opendistro_conf_path }}/admin.pem
-key {{ opendistro_conf_path }}/admin.key
-cd {{ opendistro_sec_plugin_conf_path }}/
-nhnv -icl
-h {{ hostvars[inventory_hostname]['ip'] }}
run_once: true
when: install.changed


@ -4,6 +4,110 @@
- import_tasks: RedHat.yml - import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat' when: ansible_os_family == 'RedHat'
- name: Install OpenDistro
package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present
register: install
- name: Copy the node & admin certificates to Elasticsearch cluster
copy:
src: "/tmp/opendistro-nodecerts/config/{{ item }}"
dest: /etc/elasticsearch/
mode: 0644
with_items:
- root-ca.pem
- root-ca.key
- "{{ inventory_hostname }}.key"
- "{{ inventory_hostname }}.pem"
- "{{ inventory_hostname }}_http.key"
- "{{ inventory_hostname }}_http.pem"
- "{{ inventory_hostname }}_elasticsearch_config_snippet.yml"
- admin.key
- admin.pem
when: install.changed
- name: Remove demo certs
file:
path: "{{ item }}"
state: absent
with_items:
- "{{opendistro_conf_path}}/kirk.pem"
- "{{opendistro_conf_path}}/kirk-key.pem"
- "{{opendistro_conf_path}}/esnode.pem"
- "{{opendistro_conf_path}}/esnode-key.pem"
when: install.changed
- name: Remove elasticsearch configuration file
file:
path: "{{opendistro_conf_path}}/elasticsearch.yml"
state: absent
when: install.changed
- name: Copy Configuration File
blockinfile:
block: "{{ lookup('template', 'elasticsearch.yml.j2') }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
create: true
group: elasticsearch
mode: 0640
marker: "## {mark} Opendistro general settings ##"
when: install.changed
- name: Copy the opendistro security configuration file to cluster
blockinfile:
block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
insertafter: EOF
marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
when: install.changed
- name: Prepare the opendistro security configuration file
replace:
path: "{{ opendistro_conf_path }}/elasticsearch.yml"
regexp: 'searchguard'
replace: 'opendistro_security'
tags: local
when: install.changed
- name: Restart elasticsearch with security configuration
systemd:
name: elasticsearch
state: restarted
when: install.changed
- name: Copy the opendistro security internal users template
template:
src: "templates/internal_users.yml.j2"
dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
mode: 0644
run_once: true
when: install.changed
- name: Set the Admin user password
shell: >
sed -i 's,{{ admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)','
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml
run_once: true
when: install.changed
- name: Set the kibanaserver user pasword
shell: >
sed -i 's,{{ kibanaserver_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)','
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml
run_once: true
when: install.changed
- name: Initialize the opendistro security index in elasticsearch
shell: >
sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh
-cacert {{ opendistro_conf_path }}/root-ca.pem
-cert {{ opendistro_conf_path }}/admin.pem
-key {{ opendistro_conf_path }}/admin.key
-cd {{ opendistro_sec_plugin_conf_path }}/
-nhnv -icl
-h {{ hostvars[inventory_hostname]['ip'] }}
run_once: true
when: install.changed
- name: Configure OpenDistro Elasticsearch JVM memmory. - name: Configure OpenDistro Elasticsearch JVM memmory.
template: template:
src: "templates/jvm.options.j2" src: "templates/jvm.options.j2"
@ -13,22 +117,7 @@
mode: 0644 mode: 0644
force: yes force: yes
notify: restart elasticsearch notify: restart elasticsearch
tags: configure tags: opendistro
# fix in new PR (ignore_errors)
- import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
- name: Copy Configuration File
template:
src: "templates/elasticsearch.yml.j2"
dest: "{{opendistro_conf_path}}/elasticsearch.yml"
group: elasticsearch
mode: 0644
backup: yes
register: system_change
notify: restart elasticsearch
- name: Ensure Elasticsearch started and enabled - name: Ensure Elasticsearch started and enabled
service: service:
@ -36,13 +125,13 @@
enabled: true enabled: true
state: started state: started
tags: tags:
- configure - opendistro
- init - init
- name: Make sure Elasticsearch is running before proceeding - name: Make sure Elasticsearch is running before proceeding
wait_for: host=localhost port=9200 delay=3 timeout=400 wait_for: host=localhost port=9200 delay=3 timeout=400
tags: tags:
- configure - opendistro
- init - init
- import_tasks: "RMRedHat.yml" - import_tasks: "RMRedHat.yml"
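Review bot: The new "Copy the node & admin certificates" task installs private keys (root-ca.key, admin.key, the node and http keys) with `mode: 0644`, which makes them world-readable on every node; private key material should be `mode: "0600"` (or `"0640"` with `group: elasticsearch`), quoted so the octal is not retyped, and the CA private key is presumably only needed where certificates are issued, so shipping root-ca.key to each node looks unnecessary. The same task hard-codes `dest: /etc/elasticsearch/` while every other new task in this section uses `{{ opendistro_conf_path }}`. The two "Set the … password" shell tasks put the plaintext password on the hash.sh command line and inside the sed expression, so it appears in Ansible's task output and in the process list, and a password containing `,` or sed metacharacters would break the substitution; at minimum add `no_log: true` to both tasks. The `-nhnv` flag in the securityadmin call disables hostname verification, which is defensible for a bootstrap run but deserves a comment such as `# -nhnv: node certs are not issued for the host name; hostname verification is skipped at bootstrap`. The `tags: local` left on the "Prepare the opendistro security configuration file" task reads like a leftover debug tag, given the rest of the file is moving to `tags: opendistro`.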