From 3e02001544c0a9fade7e5172a407f8892b0b3386 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 29 Apr 2026 08:48:45 -0400
Subject: [PATCH 1/3] Open postgres port for import role in DOCKER-USER firewall

When so-postgres was wired in (868cd1187), the import role's firewall defaults were missed while every other manager-class role (manager, managerhype, managersearch, standalone, eval) had postgres added to their DOCKER-USER manager-hostgroup portgroups. As a result, on a fresh import install the so-postgres container starts but tcp/5432 is dropped at DOCKER-USER, so soc/kratos/telegraf can't reach it. Add postgres alongside the existing influxdb entry so import nodes match the other roles.
---
 salt/firewall/defaults.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml
index e9c82401d..9d0af3d0d 100644
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
@@ -1482,6 +1482,7 @@ firewall:
 - kibana
 - redis
 - influxdb
+ - postgres
 - elasticsearch_rest
 - elasticsearch_node
 - elastic_agent_control
From 82e55ae87f3d785358d2ac0992e9b302f3b8b3e1 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 29 Apr 2026 09:09:50 -0400
Subject: [PATCH 2/3] Open postgres on every hostgroup that opens influxdb

The static defaults only listed postgres on each role's self-hostgroup, leaving sensor/searchnode/heavynode/receiver/fleet/idh/desktop/hypervisor hostgroups unable to reach the manager's so-postgres in distributed grids. A dynamic block in firewall/map.jinja added postgres to those hostgroups only when telegraf.output was switched to POSTGRES/BOTH, which left postgres unreachable by default. Mirror influxdb statically across manager/managerhype/managersearch/ standalone for every hostgroup that already lists influxdb, and drop the now-redundant telegraf-gated dynamic block from firewall/map.jinja.
---
 salt/firewall/defaults.yaml | 32 ++++++++++++++++++++++++++++++++
 salt/firewall/map.jinja | 13 -------------
 2 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml
index 9d0af3d0d..5c1229787 100644
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
@@ -398,6 +398,7 @@ firewall:
 - elasticsearch_rest
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 - yum
 - beats_5044
@@ -410,6 +411,7 @@ firewall:
 portgroups:
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 - yum
 - beats_5044
@@ -427,6 +429,7 @@ firewall:
 - yum
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 searchnode:
 portgroups:
@@ -437,6 +440,7 @@ firewall:
 - yum
 - docker_registry
 - influxdb
+ - postgres
 - elastic_agent_control
 - elastic_agent_data
 - elastic_agent_update
@@ -450,6 +454,7 @@ firewall:
 - yum
 - docker_registry
 - influxdb
+ - postgres
 - elastic_agent_control
 - elastic_agent_data
 - elastic_agent_update
@@ -459,6 +464,7 @@ firewall:
 - yum
 - docker_registry
 - influxdb
+ - postgres
 - elastic_agent_control
 - elastic_agent_data
 - elastic_agent_update
@@ -492,6 +498,7 @@ firewall:
 portgroups:
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 - yum
 - elastic_agent_control
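Review bot: The `+ - postgres` lines in the hunks at -398 through -492 here, and the matching ones in the following hunks through -1139, turn tcp/5432 on the manager from a conditional opening (only when telegraf output was POSTGRES/BOTH) into an unconditional one for every hostgroup that lists influxdb, which per the commit message includes the idh, desktop and hypervisor hostgroups; the hostgroup names themselves are mostly outside the visible context, so no entry can be tied to a client from the hunk alone. A manager-side database port reachable from honeypot-class (idh) nodes widens the blast radius of a compromised node unless so-postgres enforces per-client authentication and TLS, which nothing in this change shows. Consider annotating each new entry with the client it serves, e.g. `- postgres  # <client on this node class - TODO name it>`, and keeping the entry only where such a client exists, leaving the pillar merge as the override path for the rest.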
@@ -502,6 +509,7 @@ firewall:
 - yum
 - docker_registry
 - influxdb
+ - postgres
 - elastic_agent_control
 - elastic_agent_data
 - elastic_agent_update
@@ -610,6 +618,7 @@ firewall:
 - elasticsearch_rest
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 - yum
 - beats_5044
@@ -622,6 +631,7 @@ firewall:
 portgroups:
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 - yum
 - beats_5044
@@ -639,6 +649,7 @@ firewall:
 - yum
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 searchnode:
 portgroups:
@@ -649,6 +660,7 @@ firewall:
 - yum
 - docker_registry
 - influxdb
+ - postgres
 - elastic_agent_control
 - elastic_agent_data
 - elastic_agent_update
@@ -662,6 +674,7 @@ firewall:
 - yum
 - docker_registry
 - influxdb
+ - postgres
 - elastic_agent_control
 - elastic_agent_data
 - elastic_agent_update
@@ -671,6 +684,7 @@ firewall:
 - yum
 - docker_registry
 - influxdb
+ - postgres
 - elastic_agent_control
 - elastic_agent_data
 - elastic_agent_update
@@ -702,6 +716,7 @@ firewall:
 portgroups:
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 - yum
 - elastic_agent_control
@@ -712,6 +727,7 @@ firewall:
 - yum
 - docker_registry
 - influxdb
+ - postgres
 - elastic_agent_control
 - elastic_agent_data
 - elastic_agent_update
@@ -820,6 +836,7 @@ firewall:
 - elasticsearch_rest
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 - yum
 - beats_5044
@@ -832,6 +849,7 @@ firewall:
 portgroups:
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 - yum
 - beats_5044
@@ -849,6 +867,7 @@ firewall:
 - yum
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 searchnode:
 portgroups:
@@ -858,6 +877,7 @@ firewall:
 - yum
 - docker_registry
 - influxdb
+ - postgres
 - elastic_agent_control
 - elastic_agent_data
 - elastic_agent_update
@@ -870,6 +890,7 @@ firewall:
 - yum
 - docker_registry
 - influxdb
+ - postgres
 - elastic_agent_control
 - elastic_agent_data
 - elastic_agent_update
@@ -879,6 +900,7 @@ firewall:
 - yum
 - docker_registry
 - influxdb
+ - postgres
 - elastic_agent_control
 - elastic_agent_data
 - elastic_agent_update
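Review bot: The static entries in these hunks (-502 through -879) and their neighbours land in the role sections the commit message names (manager/managerhype/managersearch/standalone), but the map.jinja block removed later in this series also ran for `role == 'eval'` and iterated an `'import'` hostgroup, and neither combination appears in the static list. If an eval role section or an `import` hostgroup under a manager-class role lists influxdb without postgres, grids that had telegraf output set to POSTGRES/BOTH lose a rule that used to be appended at render time; the relevant sections are outside this hunk's context, so this is inferred from the removed loop rather than seen. Worth confirming against the full defaults.yaml and either adding the entries or recording the intentional omission in the commit message.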
@@ -912,6 +934,7 @@ firewall:
 portgroups:
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 - yum
 - elastic_agent_control
@@ -922,6 +945,7 @@ firewall:
 - yum
 - docker_registry
 - influxdb
+ - postgres
 - elastic_agent_control
 - elastic_agent_data
 - elastic_agent_update
@@ -1040,6 +1064,7 @@ firewall:
 - elasticsearch_rest
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 - yum
 - beats_5044
@@ -1052,6 +1077,7 @@ firewall:
 portgroups:
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 - yum
 - beats_5044
@@ -1063,6 +1089,7 @@ firewall:
 portgroups:
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 - yum
 - beats_5044
@@ -1074,6 +1101,7 @@ firewall:
 portgroups:
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 - yum
 - redis
@@ -1083,6 +1111,7 @@ firewall:
 portgroups:
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 - yum
 - redis
@@ -1093,6 +1122,7 @@ firewall:
 - yum
 - docker_registry
 - influxdb
+ - postgres
 - elastic_agent_control
 - elastic_agent_data
 - elastic_agent_update
@@ -1129,6 +1159,7 @@ firewall:
 portgroups:
 - docker_registry
 - influxdb
+ - postgres
 - sensoroni
 - yum
 - elastic_agent_control
@@ -1139,6 +1170,7 @@ firewall:
 - yum
 - docker_registry
 - influxdb
+ - postgres
 - elastic_agent_control
 - elastic_agent_data
 - elastic_agent_update
diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja
index 61f8215b8..58d8c189d 100644
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -1,6 +1,5 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'docker/docker.map.jinja' import DOCKERMERGED %}
-{% from 'telegraf/map.jinja' import TELEGRAFMERGED %}
 {% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
 {# add our ip to self #}
@@ -56,16 +55,4 @@
 {% endif %}
-{# Open Postgres (5432) to minion hostgroups when Telegraf is configured to write to Postgres #}
-{% set TG_OUT = TELEGRAFMERGED.output | upper %}
-{% if TG_OUT in ['POSTGRES', 'BOTH'] %}
-{% if role.startswith('manager') or role == 'standalone' or role == 'eval' %}
-{% for r in ['sensor', 'searchnode', 'heavynode', 'receiver', 'fleet', 'idh', 'desktop', 'import'] %}
-{% if FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r] is defined %}
-{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r].portgroups.append('postgres') %}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% endif %}
-
 {% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %}
From 2f01ce3b23a99faa1eb0cab11855aaeec377d0c2 Mon Sep 17 00:00:00 2001
From: Jorge Reyes <94730068+reyesj2@users.noreply.github.com>
Date: Wed, 29 Apr 2026 12:33:28 -0500
Subject: [PATCH 3/3] so-elastic-fleet-outputs-update now checks for cert drift. Remove running --cert arg on cert change to prevent highstate from running outputs-update 2x
---
 salt/elasticfleet/manager.sls | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/salt/elasticfleet/manager.sls b/salt/elasticfleet/manager.sls
index 00fead9cf..1728f2010 100644
--- a/salt/elasticfleet/manager.sls
+++ b/salt/elasticfleet/manager.sls
@@ -18,17 +18,6 @@ so-elastic-fleet-auto-configure-logstash-outputs:
 - retry:
 attempts: 4
 interval: 30
-
-{# Separate from above in order to catch elasticfleet-logstash.crt changes and force update to fleet output policy #}
-so-elastic-fleet-auto-configure-logstash-outputs-force:
- cmd.run:
- - name: /usr/sbin/so-elastic-fleet-outputs-update --certs
- - retry:
- attempts: 4
- interval: 30
- - onchanges:
- - x509: etc_elasticfleet_logstash_crt
- - x509: elasticfleet_kafka_crt
 {% endif %}
 # If enabled, automatically update Fleet Server URLs & ES Connection