From bf14612258a48e627d1b693beac6b23582accfdf Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 13 Sep 2022 15:58:53 -0400 Subject: [PATCH 1/5] Change out Elastic Fleet certs --- salt/common/tools/sbin/so-elastic-fleet-setup | 10 ++- salt/elastic-fleet/init.sls | 6 +- salt/ssl/init.sls | 82 +++++++++++++++++++ 3 files changed, 91 insertions(+), 7 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index 490fb34db..85ca755fa 100644 --- a/salt/common/tools/sbin/so-elastic-fleet-setup +++ b/salt/common/tools/sbin/so-elastic-fleet-setup @@ -20,10 +20,12 @@ curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fle printf "\n\n" # Create Logstash Output payload -cp /etc/ssl/certs/intca.crt /opt/so/conf/filebeat/etc/pki/ -LOGSTASHCRT=$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt) -LOGSTASHKEY=$(openssl rsa -in /opt/so/conf/filebeat/etc/pki/filebeat.key) -LOGSTASHCA=$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/intca.crt) +mkdir /opt/so/conf/elastic-fleet/certs +cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs +cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs +LOGSTASHCRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/elasticfleet.crt) +LOGSTASHKEY=$(openssl rsa -in /opt/so/conf/elastic-fleet/certs/elasticfleet.key) +LOGSTASHCA=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt) JSON_STRING=$( jq -n \ --arg LOGSTASHCRT "$LOGSTASHCRT" \ --arg LOGSTASHKEY "$LOGSTASHKEY" \ diff --git a/salt/elastic-fleet/init.sls b/salt/elastic-fleet/init.sls index 6059da3cb..ea3092c0b 100644 --- a/salt/elastic-fleet/init.sls +++ b/salt/elastic-fleet/init.sls @@ -28,7 +28,7 @@ so-elastic-fleet: - port_bindings: - 0.0.0.0:8220:8220 - binds: - - /opt/so/conf/filebeat/etc/pki:/etc/pki:ro + - /opt/so/conf/elastic-fleet/certs:/etc/pki:ro - /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw - environment: - FLEET_SERVER_ENABLE=true 
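Review bot: `cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs` copies the private key (elasticfleet.key, and the unencrypted .p8 generated in salt/ssl/init.sls) without `-p`, so the copies take root ownership and a umask-derived mode rather than the `640`/group `939` the originals get from `efperms` — presumably world-readable under a default umask, and the container that bind-mounts this directory read-only (and, from patch 5, runs as uid 947) then only works because of that. `mkdir` without `-p` also fails on any re-run once the directory exists. Suggest `mkdir -p /opt/so/conf/elastic-fleet/certs`, `chmod 750 /opt/so/conf/elastic-fleet/certs` and `install -m 0640 -o 947 -g 939 /etc/pki/elasticfleet.crt /etc/pki/elasticfleet.key /opt/so/conf/elastic-fleet/certs/` (the .p8 is not referenced by the container environment, so it need not be copied; uid 947 is the elastic-agent user introduced in patch 3). The same readability dependency applies to the `- user: 947` change in patch 5.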
@@ -37,8 +37,8 @@ so-elastic-fleet: - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }} - FLEET_SERVER_POLICY_ID={{ FLEETSERVERPOLICY }} - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/intca.crt - - FLEET_SERVER_CERT=/etc/pki/filebeat.crt - - FLEET_SERVER_CERT_KEY=/etc/pki/filebeat.key + - FLEET_SERVER_CERT=/etc/pki/elasticfleet.crt + - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet.key - FLEET_CA=/etc/pki/intca.crt {% endif %} diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 1ef4a08ea..3be0e9711 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls 
@@ -152,6 +152,88 @@ rediskeyperms: - group: 939 {% endif %} +{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %} +etc_elasticfleet_key: + x509.private_key_managed: + - name: /etc/pki/elasticfleet.key + - CN: {{ COMMONNAME }} + - bits: 4096 + - days_remaining: 0 + - days_valid: 820 + - backup: True + - new: True + {% if salt['file.file_exists']('/etc/pki/elasticfleet.key') -%} + - prereq: + - x509: etc_elasticfleet_crt + {%- endif %} + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + +# Request a cert and drop it where it needs to go to be distributed +etc_elasticfleet_crt: + x509.certificate_managed: + - name: /etc/pki/elasticfleet.crt + - ca_server: {{ ca_server }} + - signing_policy: fleet + - public_key: /etc/pki/elasticfleet.key + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} + - days_remaining: 0 + - days_valid: 820 + - backup: True +{% if grains.role not in ['so-heavynode'] %} + - unless: + # https://github.com/saltstack/salt/issues/52167 + # Will trigger 5 days (432000 sec) from cert expiration + - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticfleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' +{% endif %} + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + cmd.run: + - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet.key -topk8 -out /etc/pki/elasticfleet.p8 -nocrypt" + - onchanges: + - x509: etc_elasticfleet_key + +efperms: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet.key + - mode: 640 + - group: 939 + +chownilogstashelasticfleetp8: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet.p8 + - mode: 640 + - user: 931 + - group: 939 + +# Create Symlinks to the keys so I can distribute it to all the things +elasticfleetdir: + file.directory: + - name: 
/opt/so/saltstack/local/salt/elastic-fleet/files/certs + - makedirs: True + +efkeylink: + file.symlink: + - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs/elasticfleet.p8 + - target: /etc/pki/elasticfleet.p8 + - user: socore + - group: socore + +efcrtlink: + file.symlink: + - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs/elasticfleet.crt + - target: /etc/pki/elasticfleet.crt + - user: socore + - group: socore +{% endif %} + {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %} etc_filebeat_key: x509.private_key_managed: From 6945596eee64b1855d1d8022b051ed010b48001b Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 14 Sep 2022 08:10:42 -0400 Subject: [PATCH 2/5] Tweak elastic agent ssl gen --- salt/ca/files/signing_policies.conf | 5 ++--- salt/ssl/init.sls | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/salt/ca/files/signing_policies.conf b/salt/ca/files/signing_policies.conf index 1e05be006..cb57cc640 100644 --- a/salt/ca/files/signing_policies.conf +++ b/salt/ca/files/signing_policies.conf @@ -57,7 +57,7 @@ x509_signing_policies: - extendedKeyUsage: serverAuth - days_valid: 820 - copypath: /etc/pki/issued_certs/ - fleet: + elasticfleet: - minions: '*' - signing_private_key: /etc/pki/ca.key - signing_cert: /etc/pki/ca.crt @@ -65,9 +65,8 @@ x509_signing_policies: - ST: Utah - L: Salt Lake City - basicConstraints: "critical CA:false" - - keyUsage: "critical keyEncipherment" + - keyUsage: "digitalSignature, nonRepudiation" - subjectKeyIdentifier: hash - authorityKeyIdentifier: keyid,issuer:always - - extendedKeyUsage: serverAuth - days_valid: 820 - copypath: /etc/pki/issued_certs/ diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 3be0e9711..7093ae912 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls 
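Review bot: `efkeylink` places the unencrypted PKCS#8 private key under `/opt/so/saltstack/local/salt/elastic-fleet/files/certs/`, which is presumably the Salt file server root, so any minion that can reach the master can fetch it via `salt://` regardless of whether it runs Fleet; the comment "so I can distribute it to all the things" should name which roles actually need the key, and a targeted mechanism (pillar) would avoid the broad exposure — this mirrors the filebeat states below, so the pattern is not new, but the new key deserves the same scrutiny. The `cmd.run` that writes `/etc/pki/elasticfleet.p8` with `-nocrypt` executes before `chownilogstashelasticfleetp8` tightens the mode (`replace: False`, `mode: 640`), so the file briefly exists with the default umask; adding `- umask: 077` to that `cmd.run` closes the window. That state id is a copy-paste from the logstash states and has nothing to do with logstash; `efp8perms` would match `efperms` next to it.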
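Review bot: With `extendedKeyUsage: serverAuth` dropped and `keyUsage` cut to `digitalSignature, nonRepudiation` (no longer critical), the `elasticfleet` policy no longer states what the certificate is for, even though the same certificate is the Fleet Server's TLS certificate (`FLEET_SERVER_CERT` in salt/elastic-fleet/init.sls) and the certificate placed in the Logstash output payload by so-elastic-fleet-setup. Verifiers that accept any usage when the EKU extension is absent will not object, but a stricter peer or an `openssl verify -purpose` check would, and the intent is lost for the next reader. Suggest keeping it explicit with `- keyUsage: "critical digitalSignature, keyEncipherment"` and `- extendedKeyUsage: serverAuth, clientAuth`; if `nonRepudiation` was added for a specific reason, a comment should say so, since it is not a TLS usage.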
@@ -176,7 +176,7 @@ etc_elasticfleet_crt: x509.certificate_managed: - name: /etc/pki/elasticfleet.crt - ca_server: {{ ca_server }} - - signing_policy: fleet + - signing_policy: elasticfleet - public_key: /etc/pki/elasticfleet.key - CN: {{ GLOBALS.hostname }} - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} @@ -214,7 +214,7 @@ chownilogstashelasticfleetp8: - group: 939 # Create Symlinks to the keys so I can distribute it to all the things -elasticfleetdir: +elasticfleetdircerts: file.directory: - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs - makedirs: True From 334a0d7b1cb56f0ada8c11d196a3920ee87fcb69 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 14 Sep 2022 10:33:27 -0400 Subject: [PATCH 3/5] Start using so-elastic-agent container --- salt/elastic-fleet/init.sls | 28 ++++++++++++++++++++++++++-- salt/ssl/init.sls | 2 +- 2 files changed, 27 insertions(+), 3 deletions(-) diff --git a/salt/elastic-fleet/init.sls b/salt/elastic-fleet/init.sls index ea3092c0b..54ac866ed 100644 --- a/salt/elastic-fleet/init.sls +++ b/salt/elastic-fleet/init.sls 
@@ -10,15 +10,39 @@ {% set FLEETSERVERPOLICY = salt['pillar.get']('elasticfleet:server:server_policy','so-manager') %} {% set FLEETURL = salt['pillar.get']('elasticfleet:server:url') %} -elasticfleetdir: +# Add EA Group +elasticsagentgroup: + group.present: + - name: elastic-agent + - gid: 947 + +# Add EA user +elastic-agent: + user.present: + - uid: 947 + - gid: 947 + - home: /opt/so/conf/elastic-fleet + - createhome: False + +eaconfdir: + file.directory: + - name: /opt/so/conf/elastic-fleet + - user: 947 + - group: 939 + - makedirs: True + +eastatedir: file.directory: - name: /opt/so/conf/elastic-fleet/state + - user: 947 + - group: 939 - makedirs: True + {% if SERVICETOKEN != '' %} so-elastic-fleet: docker_container.running: - - image: docker.elastic.co/beats/elastic-agent:8.4.1 + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }} - name: so-elastic-fleet - hostname: Fleet-{{ GLOBALS.hostname }} - detach: True diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 7093ae912..855a4a3ea 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -210,7 +210,7 @@ chownilogstashelasticfleetp8: - replace: False - name: /etc/pki/elasticfleet.p8 - mode: 640 - - user: 931 + - user: 947 - group: 939 # Create Symlinks to the keys so I can distribute it to all the things From b7b92c73a3e2fbec8ca1ef3f5ca05c9ea303b582 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 14 Sep 2022 11:00:16 -0400 Subject: [PATCH 4/5] add so-elastic-agent to container list --- salt/common/tools/sbin/so-image-common | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index 32bfb2acc..a7fc19801 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -40,6 +40,7 @@ container_list() { TRUSTED_CONTAINERS=( "so-curator" "so-elastalert" + "so-elastic-agent" "so-elastic-agent-builder" "so-elasticsearch" "so-filebeat" 
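Review bot: The `elastic-agent` account created by `user.present` sets `uid`, `gid`, `home` and `createhome` but no `shell` or `system`, so it presumably receives the distribution's default login shell; a service account that exists only to own files and run the container should carry `- shell: /sbin/nologin` and `- system: True`. `eaconfdir` and `eastatedir` pin owner 947 and group 939 but no `mode`, so the directory permissions are whatever the filesystem default yields; `- mode: 750` would make the intended access explicit. The state id `elasticsagentgroup` reads like a typo for `elasticagentgroup`.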
From 1c671b47d72b5489caaf2fb73f77c3a44a74f56e Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 14 Sep 2022 14:17:54 -0400 Subject: [PATCH 5/5] Run container as elastic-fleet user --- salt/elastic-fleet/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elastic-fleet/init.sls b/salt/elastic-fleet/init.sls index 54ac866ed..9ba74d095 100644 --- a/salt/elastic-fleet/init.sls +++ b/salt/elastic-fleet/init.sls @@ -46,7 +46,7 @@ so-elastic-fleet: - name: so-elastic-fleet - hostname: Fleet-{{ GLOBALS.hostname }} - detach: True - - user: root + - user: 947 - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - port_bindings:
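Review bot: `- user: 947` hands Docker only a uid; as far as I recall, Docker resolves the group from the image's own /etc/passwd and, when uid 947 is not listed there, runs the process with gid 0 and no supplementary groups, so it is not in group 939 that the host-side ownership (`eaconfdir`/`eastatedir` with group 939, and the `640` group-939 key mode in salt/ssl/init.sls) is built around. `- user: 947:939` would make the container's group membership match the host files instead of relying on them being owner-readable or world-readable. A short comment such as `# run as the elastic-agent service account (uid 947, see eaconfdir/eastatedir)` would tell the next reader where the number comes from. The enclosing `docker_container.running` state starts and ends outside the hunk.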