From a7d282b412cef5dc41af231767de2c8996b95b01 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Sat, 15 Apr 2023 18:33:44 -0400 Subject: [PATCH] Firewall fixup --- salt/common/tools/sbin/so-elastic-fleet-setup | 26 ++-- salt/elasticfleet/init.sls | 8 +- salt/firewall/assigned_hostgroups.map.yaml | 3 + salt/ssl/init.sls | 119 ++++++++++++++++-- 4 files changed, 131 insertions(+), 25 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index 87fe6f608..86b9c1107 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-setup +++ b/salt/common/tools/sbin/so-elastic-fleet-setup @@ -28,7 +28,7 @@ elastic_fleet_policy_create() { elastic_fleet_policy_update() { POLICYID=$1 - JSONBLOB=$2 + JSON_STRING_UPDATE=$2 curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/$POLICYID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING_UPDATE" } @@ -42,16 +42,12 @@ elastic_fleet_integration_create() { } -mkdir -p /opt/so/conf/elastic-fleet/certs -cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs -cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs - printf "\n### Create ES Token ###\n" ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r .value) ### Create Outputs & Fleet URLs ### printf "\nAdd Manager Elasticsearch Ouput...\n" -ESCACRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt) +ESCACRT=$(openssl x509 -in /etc/pki/tls/certs/intca.crt) JSON_STRING=$( jq -n \ --arg ESCACRT "$ESCACRT" \ '{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200","https://{{ GLOBALS.manager }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities": [$ESCACRT]}}' ) 
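Review bot: Now that `elastic_fleet_policy_update` actually sends its second argument, it still ignores the outcome of the PUT: the `curl` runs without `--fail`, so a 4xx/5xx from Kibana is printed and the caller carries on as if the policy were updated. Add `-f` (or `--fail-with-body`) and let the function's exit status be curl's, e.g. `curl -f -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/$POLICYID" ...`, so the setup script can stop on a rejected policy. The sibling helpers above and below this hunk presumably share the pattern, but only this one is visible here.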
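Review bot: `ESCACRT=$(openssl x509 -in /etc/pki/tls/certs/intca.crt)` is never checked, so if the CA is not at the new path the variable is empty and the `so-manager_elasticsearch` output is still registered with an empty string in `certificate_authorities` — the failure then surfaces later on the agents instead of here. Suggest `ESCACRT=$(openssl x509 -in /etc/pki/tls/certs/intca.crt) || { echo "cannot read intca.crt" >&2; exit 1; }`. The `ESTOKEN` line a few lines up has the same gap: `jq -r .value` prints the literal `null` when the POST fails and nothing rejects that, so a guard such as `[ -n "$ESTOKEN" ] && [ "$ESTOKEN" != null ] || exit 1` belongs right after it. The script's overall error policy (whether it runs under `set -e`) is outside the hunk.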
@@ -60,9 +56,9 @@ printf "\n\n" printf "\nCreate Logstash Output if node is not an Import or Eval install\n" {% if grains.role not in ['so-import', 'so-eval'] %} -LOGSTASHCRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/elasticfleet.crt) -LOGSTASHKEY=$(openssl rsa -in /opt/so/conf/elastic-fleet/certs/elasticfleet.key) -LOGSTASHCA=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt) +LOGSTASHCRT=$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt) +LOGSTASHKEY=$(openssl rsa -in /etc/pki/elasticfleet-logstash.key) +LOGSTASHCA=$(openssl x509 -in /etc/pki/tls/certs/intca.crt) JSON_STRING=$( jq -n \ --arg LOGSTASHCRT "$LOGSTASHCRT" \ --arg LOGSTASHKEY "$LOGSTASHKEY" \ @@ -83,11 +79,19 @@ printf "\n\n" # Manager Fleet Server Host elastic_fleet_policy_create "FleetServer_{{ GLOBALS.hostname }}" "Fleet Server - {{ GLOBALS.hostname }}" "true" | jq -#elastic_fleet_policy_update "FleetServer_{{ GLOBALS.hostname }}" "@FleeServerHost_Fixup" +#elastic_fleet_policy_update "FleetServer_{{ GLOBALS.hostname }}" "@/opt/so/saltstack/default/salt/elasticfleet/files/FleeServerHost_Fixup.json" + +#Temp Fixup +JSON_STRING=$( jq -n \ + --arg NAME "FleetServer_{{ GLOBALS.hostname }}" \ + '{"name": $NAME,"description": $NAME,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":120,"data_output_id":"so-manager_elasticsearch"}' + ) +curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/FleetServer_{{ GLOBALS.hostname }}" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" + # Initial Endpoints elastic_fleet_policy_create "endpoints-initial" "Initial Endpoint Policy" "false" | jq -for INTEGRATION in opt/so/saltstack/default/salt/elasticfleet/files/integrations/endpoints-initial/*.json +for INTEGRATION in /opt/so/saltstack/default/salt/elasticfleet/files/integrations/endpoints-initial/*.json do elastic_fleet_integration_create "@$INTEGRATION" | jq done 
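Review bot: The Logstash client private key read by `LOGSTASHKEY=$(openssl rsa -in /etc/pki/elasticfleet-logstash.key)` is folded into `JSON_STRING`, and if that blob is posted the way the other bodies in this file are (`curl ... -d "$JSON_STRING"`) the key sits on curl's argv, readable by any local user via `ps` or `/proc/*/cmdline` while the request runs. Feed the body over stdin instead: `printf '%s' "$JSON_STRING" | curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST ... -d @-`. The `{% if grains.role not in ['so-import', 'so-eval'] %}` block this sits in continues past the hunk, so the curl that sends it is not visible here.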
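Review bot: The inline `curl ... -X PUT "localhost:5601/api/fleet/agent_policies/FleetServer_{{ GLOBALS.hostname }}"` under `#Temp Fixup` duplicates `elastic_fleet_policy_update`, which this same commit repairs to use its second argument; the block should just call `elastic_fleet_policy_update "FleetServer_{{ GLOBALS.hostname }}" "$JSON_STRING"`. The comment also does not say what is temporary: the line above it keeps the file-based update (`@/opt/so/saltstack/default/salt/elasticfleet/files/FleeServerHost_Fixup.json`) commented out without saying why it is not used, so a reader cannot tell which of the two to keep. Suggest replacing `#Temp Fixup` with something like `# Temp fixup: set the Fleet Server policy's data output explicitly; remove once the JSON-file based update above works (reason it currently does not: ...)`. Note too that `jq -n` produces the same `"name"`/`"description"` value for both fields, which may be intentional but reads like a slip.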
diff --git a/salt/elasticfleet/init.sls b/salt/elasticfleet/init.sls index 5130c9a63..d03ec5e5e 100644 --- a/salt/elasticfleet/init.sls +++ b/salt/elasticfleet/init.sls @@ -76,18 +76,18 @@ so-elastic-fleet: - {{ BINDING }} {% endfor %} - binds: - - /opt/so/conf/elastic-fleet/certs:/etc/pki:ro - - /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw + - /etc/pki:/etc/pki:ro + #- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw - environment: - FLEET_SERVER_ENABLE=true - FLEET_URL=https://{{ GLOBALS.node_ip }}:8220 - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200 - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }} - FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }} - - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/intca.crt + - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt - FLEET_SERVER_CERT=/etc/pki/elasticfleet.crt - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet.key - - FLEET_CA=/etc/pki/intca.crt + - FLEET_CA=/etc/pki/tls/certs/intca.crt {% endif %} append_so-elastic-fleet_so-status.conf: diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 3039eee96..b9a8f7fb2 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -391,6 +391,9 @@ role: dockernet: portgroups: - {{ portgroups.all }} + fleet: + portgroups: + - {{ portgroups.salt_manager }} localhost: portgroups: - {{ portgroups.all }} diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 9c47d16f4..a28abe8af 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -147,6 +147,8 @@ rediskeyperms: {% endif %} {% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-fleet'] %} +# Create cert for Elastic Fleet Host + etc_elasticfleet_key: x509.private_key_managed: - name: /etc/pki/elasticfleet.key 
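Review bot: `- /etc/pki:/etc/pki:ro` hands the Fleet Server container the whole host PKI directory, including private keys it has no use for (this commit alone adds `elasticfleet-logstash.key`/`.p8` there, and `rediskeyperms` in the ssl state implies others), so a compromise of the agent process exposes every key on the node rather than its own. The environment block names exactly what it needs, so bind just those: `- /etc/pki/elasticfleet.crt:/etc/pki/elasticfleet.crt:ro`, `- /etc/pki/elasticfleet.key:/etc/pki/elasticfleet.key:ro`, `- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro`. Commenting out the `state` bind also means the agent's state presumably now lives only in the container's writable layer; either confirm enrollment survives a container recreate or drop the dead line rather than leaving it commented. The `so-elastic-fleet` state starts above the hunk, so whether a user/uid is set to match the 640/947/939 key permissions is not visible here.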
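Review bot: The new `fleet` hostgroup is granted `portgroups.salt_manager` without any comment, and in a firewall map a reader has to guess why Fleet nodes need the manager's Salt ports; the role section this sits in (line 391 of the file) is outside the hunk, so which node actually opens these ports is not visible here. A one-line comment above it, e.g. `# Fleet nodes are salt minions of the manager and need the master ports`, would make the intent reviewable. Also worth confirming that a `fleet` hostgroup is actually defined in the hostgroups map this file references, since an undefined group here would presumably fail at render time rather than silently.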
@@ -199,33 +201,130 @@ efperms: - mode: 640 - group: 939 -chownilogstashelasticfleetp8: +chownelasticfleetcrt: file.managed: - replace: False - - name: /etc/pki/elasticfleet.p8 + - name: /etc/pki/elasticfleet.crt - mode: 640 - user: 947 - group: 939 -# Create Symlinks to the keys so I can distribute it to all the things +chownelasticfleetkey: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet.key + - mode: 640 + - user: 947 + - group: 939 + +# Create Symlinks to the keys to distribute it to all the things elasticfleetdircerts: file.directory: - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs - makedirs: True -efkeylink: - file.symlink: - - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet.p8 - - target: /etc/pki/elasticfleet.p8 - - user: socore - - group: socore - efcrtlink: file.symlink: - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet.crt - target: /etc/pki/elasticfleet.crt - user: socore - group: socore + + +{% if grains.role not in ['so-fleet'] %} +# Create Cert for Elastic Fleet Logstash Input (Same cert used across all Fleet nodes) + +etc_elasticfleetlogstash_key: + x509.private_key_managed: + - name: /etc/pki/elasticfleet-logstash.key + - CN: {{ COMMONNAME }} + - bits: 4096 + - days_remaining: 0 + - days_valid: 820 + - backup: True + - new: True + {% if salt['file.file_exists']('/etc/pki/elasticfleet-logstash.key') -%} + - prereq: + - x509: etc_elasticfleet_crt + {%- endif %} + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + +# Request a cert and drop it where it needs to go to be distributed +etc_elasticfleetlogstash_crt: + x509.certificate_managed: + - name: /etc/pki/elasticfleet-logstash.crt + - ca_server: {{ ca_server }} + - signing_policy: elasticfleet + - public_key: /etc/pki/elasticfleet-logstash.key + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} + - days_remaining: 0 + - days_valid: 820 + - backup: True +{% if 
grains.role not in ['so-heavynode'] %} + - unless: + # https://github.com/saltstack/salt/issues/52167 + # Will trigger 5 days (432000 sec) from cert expiration + - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' +{% endif %} + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + cmd.run: + - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-logstash.key -topk8 -out /etc/pki/elasticfleet-logstash.p8 -nocrypt" + - onchanges: + - x509: etc_elasticfleet_key + +eflogstashperms: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet-logstash.key + - mode: 640 + - group: 939 + +chownilogstashelasticfleetp8: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet-logstash.p8 + - mode: 640 + - user: 947 + - group: 939 + +chownilogstashelasticfleetlogstashcrt: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet-logstash.crt + - mode: 640 + - user: 947 + - group: 939 + +chownilogstashelasticfleetlogstashkey: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet-logstash.key + - mode: 640 + - user: 947 + - group: 939 + +eflogstashkeylink: + file.symlink: + - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet-logstash.p8 + - target: /etc/pki/elasticfleet.p8 + - user: socore + - group: socore + +eflogstashcrtlink: + file.symlink: + - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet-logstash.crt + - target: /etc/pki/elasticfleet.crt + - user: socore + - group: socore + +{% endif %} {% endif %} {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
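Review bot: The two symlinks at the end of the hunk point at the wrong files: `eflogstashkeylink` targets `/etc/pki/elasticfleet.p8` and `eflogstashcrtlink` targets `/etc/pki/elasticfleet.crt`, so what gets distributed under the `elasticfleet-logstash` names is the Fleet Server host cert and key rather than the Logstash-input pair generated just above. The same copy-paste shows in the requisites: `etc_elasticfleetlogstash_key` has `prereq: - x509: etc_elasticfleet_crt` and the pkcs8 `cmd.run` has `onchanges: - x509: etc_elasticfleet_key`, both naming the other key pair, so the `.p8` is only regenerated when the unrelated Fleet host key changes. `eflogstashperms` and `chownilogstashelasticfleetlogstashkey` both manage `/etc/pki/elasticfleet-logstash.key`; the first can be dropped. The header comment says the same cert is used across all Fleet nodes, but the CN/SAN are this node's hostname and IP and the block runs on every non-`so-fleet` role, so presumably each node issues its own — the comment should say which is meant. Corrected lines:
```yaml
etc_elasticfleetlogstash_key:
  x509.private_key_managed:
    # … unchanged: name, CN, bits, days, backup, new …
    {% if salt['file.file_exists']('/etc/pki/elasticfleet-logstash.key') -%}
    - prereq:
      - x509: etc_elasticfleetlogstash_crt
    {%- endif %}
    # … unchanged: timeout, retry …

# … unchanged: etc_elasticfleetlogstash_crt x509.certificate_managed …
  cmd.run:
    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-logstash.key -topk8 -out /etc/pki/elasticfleet-logstash.p8 -nocrypt"
    - onchanges:
      - x509: etc_elasticfleetlogstash_key

# … unchanged: permission states …

eflogstashkeylink:
  file.symlink:
    - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet-logstash.p8
    - target: /etc/pki/elasticfleet-logstash.p8
    # … unchanged: user, group …

eflogstashcrtlink:
  file.symlink:
    - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet-logstash.crt
    - target: /etc/pki/elasticfleet-logstash.crt
    # … unchanged: user, group …
```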