handle elasticsearch.auth state like kibana.secrets

salt/allowed_states.map.jinja

@@ -238,6 +238,10 @@
     {% do allowed_states.append('elasticsearch') %}
   {% endif %}
 
+  {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
+    {% do allowed_states.append('elasticsearch.auth') %}
+  {% endif %}
+
   {% if KIBANA and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
     {% do allowed_states.append('kibana') %}
     {% do allowed_states.append('kibana.secrets') %}

salt/elasticsearch/auth.sls

@@ -1,8 +1,11 @@
-{% set so_elastic_user_pass = salt['random.get_str'](72) %}
+{% from 'allowed_states.map.jinja' import allowed_states %}
-{% set so_kibana_user_pass = salt['random.get_str'](72) %}
+{% if sls in allowed_states %}
-{% set so_logstash_user_pass = salt['random.get_str'](72) %}
+
-{% set so_beats_user_pass = salt['random.get_str'](72) %}
+  {% set so_elastic_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', salt['random.get_str'](72)) %}
-{% set so_monitor_user_pass = salt['random.get_str'](72) %}
+  {% set so_kibana_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass', salt['random.get_str'](72)) %}
+  {% set so_logstash_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', salt['random.get_str'](72)) %}
+  {% set so_beats_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_beats_user:pass', salt['random.get_str'](72)) %}
+  {% set so_monitor_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_monitor_user:pass', salt['random.get_str'](72)) %}
 
 elastic_auth_pillar:
   file.managed:
@@ -29,11 +32,11 @@ elastic_auth_pillar:
               so_monitor_user:
                 user: so_monitor
                 pass: {{ so_monitor_user_pass }}
-    # since we are generating a random password, and we don't want that to happen everytime
+
-    # a highstate runs, we only manage the file each user isn't present in the file. if the
+{% else %}
-    # pillar file doesn't exists, then the default vault provided to pillar.get should not
+
-    # be within the file either, so it should then be created
+{{sls}}_state_not_allowed:
-    - unless:
+  test.fail_without_changes:
-    {% for so_app_user, values in salt['pillar.get']('elasticsearch:auth:users', {'so_noapp_user': {'user': 'r@NDumu53Rd0NtDOoP'}}).items() %}
+    - name: {{sls}}_state_not_allowed
-      - grep {{ values.user }} /opt/so/saltstack/local/pillar/elasticsearch/auth.sls
+
-    {% endfor%}
+{% endif %}

salt/kibana/secrets.sls

@@ -1,7 +1,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 
-{% set kibana_encryptedSavedObjects_encryptionKey = salt['pillar.get']('kibana:secrets:encryptedSavedObjects:encryptionKey', salt['random.get_str'](72)) %}
+  {% set kibana_encryptedSavedObjects_encryptionKey = salt['pillar.get']('kibana:secrets:encryptedSavedObjects:encryptionKey', salt['random.get_str'](72)) %}
 
 kibana_pillar_directory:
   file.directory: