Merge pull request #10926 from Security-Onion-Solutions/2.4/FleetEnhancments

2.4/fleet-Enhancements

salt/elasticfleet/defaults.yaml

@@ -2,7 +2,7 @@ elasticfleet:
   enabled: False
   config:
     server:
-      custom_fqdn: ''
+      custom_fqdn: []
       enable_auto_configuration: True
       endpoints_enrollment: ''
       es_token: ''

salt/elasticfleet/enabled.sls

@@ -15,6 +15,7 @@
 include:
   - elasticfleet.config
   - elasticfleet.sostatus
+  - ssl
 
 # If enabled, automatically update Fleet Logstash Outputs
 {% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval', 'so-fleet'] %}
@@ -61,11 +62,14 @@ so-elastic-fleet:
       - {{ BINDING }}
       {% endfor %}
     - binds:
-      - /etc/pki:/etc/pki:ro
+      - /etc/pki/elasticfleet-server.crt:/etc/pki/elasticfleet-server.crt:ro
+      - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
+      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
       {% if GLOBALS.os_family == 'Debian' %}
-      - /etc/ssl:/etc/ssl:ro
+      - /etc/ssl/elasticfleet-server.crt:/etc/ssl/elasticfleet-server.crt:ro
+      - /etc/ssl/elasticfleet-server.key:/etc/ssl/elasticfleet-server.key:ro
+      - /etc/ssl/tls/certs/intca.crt:/etc/ssl/tls/certs/intca.crt:ro
       {% endif %}
-      #- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw
       - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs 
      {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
         {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
@@ -93,6 +97,9 @@ so-elastic-fleet:
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
+    - watch:
+      - x509: etc_elasticfleet_key
+      - x509: etc_elasticfleet_crt
 {%   endif %}
 
 {%  if GLOBALS.role != "so-fleet" %}

salt/elasticfleet/soc_elasticfleet.yaml

@@ -12,10 +12,11 @@ elasticfleet:
   config:
     server:
       custom_fqdn:
-        description: Custom FQDN for Agents to connect to.
+        description: Custom FQDN for Agents to connect to. One per line.
         global: True
         helpLink: elastic-fleet.html
         advanced: True
+        forcedType: "[]string"
       enable_auto_configuration:
         description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs.
         global: True

salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers

@@ -11,6 +11,12 @@
 . /usr/sbin/so-common
 . /usr/sbin/so-elastic-fleet-common
 
+LOG="/opt/so/log/elasticfleet/so-elastic-agent-gen-installers.log"
+
+# Check to see if we are already running
+NUM_RUNNING=$(pgrep -cf "/bin/bash /sbin/so-elastic-agent-gen-installers")
+[ "$NUM_RUNNING" -gt 1 ] && echo "$(date) - $NUM_RUNNING gen installers script processes running...exiting." >>$LOG && exit 0
+
 for i in {1..30}
 do
    ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json'  | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key')

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update

@@ -2,7 +2,7 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
 # this file except in compliance with the Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %}
+{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
 
 . /usr/sbin/so-common
 
@@ -41,9 +41,16 @@ else
     NEW_LIST=("{{ GLOBALS.url_base }}:5055" "{{ GLOBALS.hostname }}:5055")
 fi
 
-{% if CUSTOMFQDN != "" %}
-# Add Custom Hostname to list
-NEW_LIST+=("{{ CUSTOMFQDN }}:5055")
+# Query for FQDN entries & add them to the list
+{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %}
+CUSTOMFQDNLIST=({{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(' ') }})
+if [ -n "$CUSTOMFQDNLIST" ]; then
+    readarray -t CUSTOMFQDN <<< $CUSTOMFQDNLIST
+    for CUSTOMNAME in "${CUSTOMFQDN[@]}"
+    do
+    NEW_LIST+=("https://$CUSTOMNAME:8220")
+    done
+fi
 {% endif %}
 
 # Query for the current Grid Nodes that are running Logstash

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update

@@ -2,7 +2,7 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
 # this file except in compliance with the Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %}
+{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
 
 . /usr/sbin/so-common
 
@@ -41,9 +41,16 @@ else
     NEW_LIST=("https://{{ GLOBALS.url_base }}:8220" "https://{{ GLOBALS.hostname }}:8220")
 fi
 
-{% if CUSTOMFQDN != "" %}
-# Add Custom Hostname to list
-NEW_LIST+=("https://{{ CUSTOMFQDN }}:8220")
+# Query for FQDN entries & add them to the list
+{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %}
+CUSTOMFQDNLIST=({{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(' ') }})
+if [ -n "$CUSTOMFQDNLIST" ]; then
+    readarray -t CUSTOMFQDN <<< $CUSTOMFQDNLIST
+    for CUSTOMNAME in "${CUSTOMFQDN[@]}"
+    do
+    NEW_LIST+=("https://$CUSTOMNAME:8220")
+    done
+fi
 {% endif %}
 
 # Query for the current Grid Nodes that are running Logstash (which includes Fleet Nodes)
@@ -62,7 +69,7 @@ fi
 NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}")
 NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
 
-# Compare the current & new list of URLs - if different, update the Fleet Server URLs
+# Compare the current & new list of URLs - if different, update the Fleet Server URLs & regenerate the agent installer
 if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
     printf "\nHashes match - no update needed.\n"
     printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
@@ -71,4 +78,5 @@ else
     printf "\nHashes don't match - update needed.\n"
     printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
     update_fleet_urls
+    /sbin/so-elastic-agent-gen-installers >> /opt/so/log/elasticfleet/so-elastic-agent-gen-installers.log &
 fi

salt/logstash/enabled.sls

@@ -22,6 +22,7 @@ include:
 {%   endif %}
   - logstash.config
   - logstash.sostatus
+  - ssl
 
 so-logstash:
   docker_container.running:
@@ -90,6 +91,8 @@ so-logstash:
         {% endfor %}
       {% endif %}
     - watch:
+      - x509: etc_elasticfleet_logstash_key
+      - x509: etc_elasticfleet_logstash_crt
       - file: lsetcsync
       {% for assigned_pipeline in LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %}
       - file: ls_pipeline_{{assigned_pipeline}}

salt/ssl/init.sls

@@ -7,7 +7,7 @@
 {% if sls in allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
-{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %}
+{%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
 
 {% set global_ca_text = [] %}
 {% set global_ca_server = [] %}
@@ -154,7 +154,7 @@ etc_elasticfleet_crt:
     - signing_policy: elasticfleet
     - private_key: /etc/pki/elasticfleet-server.key
     - CN: {{ GLOBALS.url_base }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }} {% if CUSTOMFQDN != "" %},DNS:{{ CUSTOMFQDN }}{% endif %}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
     - days_remaining: 0
     - days_valid: 820
     - backup: True
@@ -211,7 +211,7 @@ etc_elasticfleet_logstash_crt:
     - signing_policy: elasticfleet
     - private_key: /etc/pki/elasticfleet-logstash.key
     - CN: {{ GLOBALS.url_base }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }} {% if CUSTOMFQDN != "" %},DNS:{{ CUSTOMFQDN }}{% endif %}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
     - days_remaining: 0
     - days_valid: 820
     - backup: True