generate elasticsearch.auth pillar if it doesnt exist

2025-12-06 17:22:49 +01:00 · 2021-05-25 11:52:58 -04:00
parent 5a1e8d9fe9
commit 8d9d5a267a
4 changed files with 22 additions and 1 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -46,6 +46,9 @@ base:
    - logstash.manager
    - logstash.search
    - elasticsearch.search
+{% if salt['file.exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
+    - elasticsearch.auth
+{% endif %}
    - data.*
    - zeeklogs
    - secrets
@@ -89,4 +92,4 @@ base:
    - secrets
    - elasticsearch.eval
    - global
-    - minions.{{ grains.id }}
+    - minions.{{ grains.id }}
--- a/salt/elasticsearch/auth.sls
+++ b/salt/elasticsearch/auth.sls
@@ -0,0 +1,9 @@
+elastic_auth_pillar:
+  file.managed:
+    - name: /opt/so/saltstack/local/pillar/elasticsearch/auth.sls
+    - contents: |
+        elasticsearch:
+          auth:
+            enabled: False
+            user: so_elastic
+            pass: {{ salt['random.get_str'](20) }}
--- a/salt/elasticsearch/files/curl.config
+++ b/salt/elasticsearch/files/curl.config
@@ -0,0 +1 @@
+user = "salt['pillar.get']('elasticsearch:auth:user'):salt['pillar.get']('elasticsearch:auth:pass')"
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -256,6 +256,14 @@ so-elasticsearch-templates:
    - template: jinja
 {% endif %}

+elastic_curl_config:
+  file.managed:
+    - name: /opt/so/conf/elasticsearch/curl.config
+    - mode: 600
+    # since we are generating a random password, and we don't want that to happen everytime
+    # a highstate runs, we only manage the file if it doesn't exist
+    - unless: ls /opt/so/conf/elasticsearch/curl.config
+
 {% endif %} {# if grains['role'] != 'so-helix' #}

 {% else %}
				`@@ -0,0 +1 @@`
				`user = "salt['pillar.get']('elasticsearch:auth:user'):salt['pillar.get']('elasticsearch:auth:pass')"`