diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml
index 99d8cb38a..fc5368e12 100644
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
@@ -77,7 +77,6 @@ firewall:
elastic_agent_data:
tcp:
- 5055
- - 9092
udp: []
elastic_agent_update:
tcp:
@@ -91,16 +90,20 @@ firewall:
tcp:
- 8086
udp: []
- kafka:
+ kafka_controller:
tcp:
- 9093
udp: []
+ kafka_data:
+ tcp:
+ - 9092
+ udp: []
kibana:
tcp:
- 5601
udp: []
localrules:
- tcp:
+ tcp:
- 7788
udp: []
nginx:
@@ -369,7 +372,6 @@ firewall:
- elastic_agent_update
- localrules
- sensoroni
- - kafka
fleet:
portgroups:
- elasticsearch_rest
@@ -440,7 +442,6 @@ firewall:
- elastic_agent_data
- elastic_agent_update
- sensoroni
- - kafka
analyst:
portgroups:
- nginx
@@ -565,7 +566,6 @@ firewall:
- elastic_agent_update
- localrules
- sensoroni
- - kafka
fleet:
portgroups:
- elasticsearch_rest
@@ -634,7 +634,6 @@ firewall:
- elastic_agent_data
- elastic_agent_update
- sensoroni
- - kafka
analyst:
portgroups:
- nginx
@@ -762,7 +761,6 @@ firewall:
- beats_5044
- beats_5644
- beats_5056
- - kafka
- elasticsearch_node
- elastic_agent_control
- elastic_agent_data
@@ -832,7 +830,6 @@ firewall:
- elastic_agent_data
- elastic_agent_update
- sensoroni
- - kafka
analyst:
portgroups:
- nginx
@@ -1297,21 +1294,17 @@ firewall:
portgroups:
- redis
- elastic_agent_data
- - kafka
manager:
portgroups:
- elastic_agent_data
- - kafka
managersearch:
portgroups:
- redis
- elastic_agent_data
- - kafka
self:
portgroups:
- redis
- elastic_agent_data
- - kafka
beats_endpoint:
portgroups:
- beats_5044
@@ -1324,6 +1317,8 @@ firewall:
endgame:
portgroups:
- endgame
+ receiver:
+ portgroups: []
customhostgroup0:
portgroups: []
customhostgroup1:
diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja
index 74b3a66be..fe04d7ad3 100644
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
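Review bot: After this hunk `kafka_controller` and `kafka_data` are defined in defaults.yaml but no hostgroup in this file references either of them any more, so a reader of defaults.yaml alone will take them for dead definitions; the wiring now happens in map.jinja and only when the Kafka pipeline is enabled. A one-line comment above each portgroup would make that explicit: `# referenced from firewall/map.jinja, only when GLOBALS.pipeline == 'KAFKA'`. It is also worth stating in the same place that 9093 is the controller/inter-broker listener and 9092 the client data listener, since that distinction is the whole reason the old `kafka` group (and the 9092 entry that was removed from `elastic_agent_data` in the previous hunk) was split.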
@@ -18,4 +18,28 @@
{% endfor %}
{% endif %}
+{# Only add Kafka firewall items when Kafka enabled #}
+{% set role = GLOBALS.role.split('-')[1] %}
+
+{% if GLOBALS.pipeline == 'KAFKA' and role in ['manager', 'managersearch', 'standalone'] %}
+{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[role].portgroups.append('kafka_controller') %}
+{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.receiver.portgroups.append('kafka_controller') %}
+{% endif %}
+
+{% if GLOBALS.pipeline == 'KAFKA' and role == 'receiver' %}
+{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.self.portgroups.append('kafka_controller') %}
+{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.standalone.portgroups.append('kafka_controller') %}
+{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.manager.portgroups.append('kafka_controller') %}
+{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.managersearch.portgroups.append('kafka_controller') %}
+{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups.receiver.portgroups.append('kafka_controller') %}
+{% endif %}
+
+{% if GLOBALS.pipeline == 'KAFKA' and role in ['manager', 'managersearch', 'standalone', 'receiver'] %}
+{% for r in ['manager', 'managersearch', 'standalone', 'receiver', 'fleet', 'idh', 'sensor', 'searchnode','heavynode', 'elastic_agent_endpoint', 'desktop'] %}
+{% if FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r] is defined %}
+{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r].portgroups.append('kafka_data') %}
+{% endif %}
+{% endfor %}
+{% endif %}
+

{% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %}
diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls
index 3881ef1f4..f95a76f13 100644
--- a/salt/logstash/enabled.sls
+++ b/salt/logstash/enabled.sls
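Review bot: The two `kafka_controller` blocks dereference `hostgroups.receiver`, `.self`, `.standalone`, `.manager` and `.managersearch` without the `is defined` guard that the `kafka_data` loop uses, so a role whose DOCKER-USER chain lacks one of those hostgroups fails the whole firewall render instead of skipping; the `receiver` hostgroup is new in this commit and the defaults.yaml hunk shows it added once, so it is worth confirming that each of manager, managersearch and standalone actually carries it. Either failing loudly or skipping silently is defensible (both leave the port closed), but the file should pick one, and collapsing the three copies of the `GLOBALS.pipeline == 'KAFKA'` test into a single outer condition makes that easier to see. One caveat on exposure: `kafka_data` (9092) is now appended for `elastic_agent_endpoint` and `desktop` as well, which matches the reach 9092 had while it lived in `elastic_agent_data`, but if only receivers and Logstash publish to Kafka that list could be tightened. The rewritten controller section below keeps the same peers per role and applies the guard uniformly.

```jinja
{% if GLOBALS.pipeline == 'KAFKA' and role in ['manager', 'managersearch', 'standalone', 'receiver'] %}
{% set hostgroups = FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups %}
{% if role == 'receiver' %}
{% set controller_peers = ['self', 'standalone', 'manager', 'managersearch', 'receiver'] %}
{% else %}
{% set controller_peers = [role, 'receiver'] %}
{% endif %}
{% for hg in controller_peers %}
{% if hostgroups[hg] is defined %}
{% do hostgroups[hg].portgroups.append('kafka_controller') %}
{% endif %}
{% endfor %}
{# … unchanged: kafka_data loop over the node-type hostgroups, using the same hostgroups variable … #}
{% endif %}
```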
@@ -78,6 +78,8 @@ so-logstash:
{% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode' ] %}
- /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
- /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
+ {% endif %}
+ {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-searchnode'] %}
- /etc/pki/kafka-logstash.p12:/usr/share/logstash/kafka-logstash.p12:ro
{% endif %}
{% if GLOBALS.role == 'so-eval' %}
diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index ec37f9ff3..2feda45ae 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -73,6 +73,15 @@ manager_sbin:
- exclude_pat:
- "*_test.py"

+manager_sbin_jinja:
+ file.recurse:
+ - name: /usr/sbin/
+ - source: salt://manager/tools/sbin_jinja/
+ - user: socore
+ - group: socore
+ - file_mode: 755
+ - template: jinja
+
so-repo-file:
file.managed:
- name: /opt/so/conf/reposync/repodownload.conf
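Review bot: The new condition gates the `kafka-logstash.p12` bind mount on role only, while the firewall change in this same commit gates everything Kafka on `GLOBALS.pipeline == 'KAFKA'`; if the keystore is only generated for the Kafka pipeline, a non-Kafka manager or searchnode will mount a path that does not exist, and Docker then creates an empty directory at `/etc/pki/kafka-logstash.p12` on the host, which can later collide with the real keystore. Gating on both would keep the two states in step: `{% if GLOBALS.pipeline == 'KAFKA' and GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-searchnode'] %}`. Whether the p12 is generated unconditionally is not visible here, so confirm before changing; the `so-logstash` container state continues outside the hunk.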
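Review bot: `manager_sbin_jinja` writes templated files into `/usr/sbin/` owned by `socore:socore` with mode 755, so anything that runs as the socore service account can rewrite tools that, given their location, are presumably executed by root; `- user: root` and `- group: root` would close that path, unless the existing `manager_sbin` state just above (its ownership is outside the hunk) deliberately uses socore and these must match. Because `- template: jinja` renders pillar data into the files, any secret referenced from `sbin_jinja/` ends up world-readable at 755; keep secrets out of these scripts or drop to `- file_mode: 750`. A short comment above the state naming why these tools need templating while `manager_sbin` does not would also help the next reader.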