diff --git a/pillar/top.sls b/pillar/top.sls
index 1e684c682..345f7a689 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -120,6 +120,7 @@ base:
 '*_heavynode':
 - elasticsearch.auth
 - soc_global
+ - redis.soc_redis
 - minions.{{ grains.id }}
 - minions.adv_{{ grains.id }}

@@ -136,6 +137,7 @@ base:
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
 - elasticsearch.auth
 {% endif %}
+ - redis.soc_redis
 - soc_global
 - adv_global
 - minions.{{ grains.id }}
@@ -148,6 +150,8 @@ base:
 {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
 - elasticsearch.auth
 {% endif %}
+ - redis.soc_redis
+ - redis.adv_redis
 - soc_global
 - adv_global
 - minions.{{ grains.id }}
diff --git a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
index 2d7a2d4fe..956bbbaa0 100644
--- a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
@@ -1,9 +1,10 @@
-{% set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') -%}
-{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) -%}
-{% from 'logstash/map.jinja' import REDIS_NODES with context -%}
+{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
+{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+{%- from 'logstash/map.jinja' import REDIS_NODES with context %}
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass') %}

-{% for index in range(REDIS_NODES|length) -%}
-{% for host in REDIS_NODES[index] -%}
+{%- for index in range(REDIS_NODES|length) %}
+{%- for host in REDIS_NODES[index] %}
 input {
 redis {
 host => '{{ host }}'
@@ -14,6 +15,7 @@ input {
 type => 'redis-input'
 threads => {{ THREADS }}
 batch_count => {{ BATCH }}
+ password => {{ REDIS_PASS }}
 }
 }
 {% endfor %}
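Review bot: `redis.soc_redis` is attached to `'*_heavynode'` and to two other target blocks whose match lines sit above their hunks, so any other role that runs Redis or renders `0900_input_redis.conf.jinja` / `9999_output_redis.conf.jinja` will look up `redis:config:requirepass` and get nothing. Every role that includes those pipelines should be checked against this list; the rest of `top.sls` is not visible here. `redis.adv_redis` is added only in the third block, so if the advanced override is meant to apply wherever Redis runs, the first two blocks need `- redis.adv_redis` as well.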
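Review bot: `password => {{ REDIS_PASS }}` in the second hunk renders the secret unquoted, unlike `host => '{{ host }}'` beside it, so Logstash would read it as a bareword: a value that begins with a digit or contains anything other than letters, digits and underscores will likely fail to parse, and an empty pillar renders `password =>` with nothing after it. `REDIS_PASS` is read in the first hunk with `pillar.get` and no default, so a minion that lacks the pillar gets that broken config instead of a clear error. I would quote it, `password => '{{ REDIS_PASS }}'`, and the same line in `9999_output_redis.conf.jinja` needs the same change. The `redis { … }` block opens above the second hunk.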
diff --git a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
index 68b5187f9..d16434148 100644
--- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
@@ -4,6 +4,8 @@
 {%- set HOST = GLOBALS.manager %}
 {%- endif %}
 {%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass') %}
+
 output {
 redis {
 host => '{{ HOST }}'
@@ -14,5 +16,6 @@ output {
 congestion_threshold => 50000000
 batch => true
 batch_events => {{ BATCH }}
+ password => {{ REDIS_PASS }}
 }
 }
diff --git a/salt/redis/defaults.yaml b/salt/redis/defaults.yaml
index 252082901..bd1fc74f5 100644
--- a/salt/redis/defaults.yaml
+++ b/salt/redis/defaults.yaml
@@ -1,7 +1,7 @@
 redis:
 config:
 bind: '0.0.0.0'
- protected-mode: 'no'
+ protected-mode: 'yes'
 tls-cert-file: '/certs/redis.crt'
 tls-key-file: '/certs/redis.key'
 tls-ca-cert-file: '/certs/ca.crt'
diff --git a/salt/redis/soc_redis.yaml b/salt/redis/soc_redis.yaml
index dad76bf80..13186ca6f 100644
--- a/salt/redis/soc_redis.yaml
+++ b/salt/redis/soc_redis.yaml
@@ -10,6 +10,10 @@ redis:
 global: True
 advanced: True
 helpLink: redis.html
+ requirepass:
+ description: Password for accessing Redis.
+ global: True
+ sensitive: True
 tls-cert-file:
 description: TLS cert file location.
 global: True
diff --git a/setup/so-functions b/setup/so-functions
index 4f6af0e7c..8545a4c6f 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1209,6 +1209,7 @@ generate_passwords(){
 GRAFANAPASS=$(get_random_value)
 SENSORONIKEY=$(get_random_value)
 KRATOSKEY=$(get_random_value)
+ REDISPASS=$(get_random_value)
 }

 generate_interface_vars() {
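Review bot: `protected-mode: 'yes'` in `salt/redis/defaults.yaml` only restricts clients while no password is configured, so the real access control is `requirepass`, and this defaults file sets none while `bind` stays `'0.0.0.0'`. The password reaches the Redis config only through the pillar that `redis_pillar()` writes at setup, and a grid installed before this commit has an empty pillar file, since the old code only `touch`ed it. After an upgrade such a grid would run Redis with no password, which, depending on how the deployed Redis version treats an explicit `bind`, either leaves the listener unauthenticated or makes it refuse non-loopback clients. The upgrade path should generate the password, or the state should fail when `redis:config:requirepass` is empty.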
@@ -1496,7 +1497,10 @@ docker_pillar() {
 redis_pillar() {
 title "Create the redis pillar file"
 touch $adv_redis_pillar_file
- touch $redis_pillar_file
+ printf '%s\n'\
+ "redis:"\
+ " config:"\
+ " requirepass: '$REDISPASS'" > $redis_pillar_file
 }

 influxdb_pillar() {
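Review bot: `$redis_pillar_file` now receives a credential but is created through a plain `>` redirect, so it gets whatever mode the current umask gives, and nothing in `redis_pillar()` restricts it; directory permissions elsewhere may cover this, but they are not visible here. Setting the mode explicitly after the write, for example `chmod 640 "$redis_pillar_file"` or whichever mode lets only the Salt master read it, and quoting the variable in the redirect would make this independent of the caller. The value is also embedded in a single-quoted YAML scalar, which is safe only while `get_random_value` never emits a `'`; its definition is outside this diff. The redirect truncates the file, so a repeated setup run would replace a password that Redis and Logstash may already be using.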