From bf14612258a48e627d1b693beac6b23582accfdf Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 13 Sep 2022 15:58:53 -0400
Subject: [PATCH] Change out Elastic Fleet certs

---
 salt/common/tools/sbin/so-elastic-fleet-setup | 10 ++-
 salt/elastic-fleet/init.sls | 6 +-
 salt/ssl/init.sls | 82 +++++++++++++++++++
 3 files changed, 91 insertions(+), 7 deletions(-)

diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup
index 490fb34db..85ca755fa 100644
--- a/salt/common/tools/sbin/so-elastic-fleet-setup
+++ b/salt/common/tools/sbin/so-elastic-fleet-setup
@@ -20,10 +20,12 @@ curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fle
 printf "\n\n"
 # Create Logstash Output payload
-cp /etc/ssl/certs/intca.crt /opt/so/conf/filebeat/etc/pki/
-LOGSTASHCRT=$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt)
-LOGSTASHKEY=$(openssl rsa -in /opt/so/conf/filebeat/etc/pki/filebeat.key)
-LOGSTASHCA=$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/intca.crt)
+mkdir /opt/so/conf/elastic-fleet/certs
+cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs
+cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs
+LOGSTASHCRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/elasticfleet.crt)
+LOGSTASHKEY=$(openssl rsa -in /opt/so/conf/elastic-fleet/certs/elasticfleet.key)
+LOGSTASHCA=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt)
 JSON_STRING=$( jq -n \
 --arg LOGSTASHCRT "$LOGSTASHCRT" \
 --arg LOGSTASHKEY "$LOGSTASHKEY" \
diff --git a/salt/elastic-fleet/init.sls b/salt/elastic-fleet/init.sls
index 6059da3cb..ea3092c0b 100644
--- a/salt/elastic-fleet/init.sls
+++ b/salt/elastic-fleet/init.sls
@@ -28,7 +28,7 @@ so-elastic-fleet:
 - port_bindings:
 - 0.0.0.0:8220:8220
 - binds:
- - /opt/so/conf/filebeat/etc/pki:/etc/pki:ro
+ - /opt/so/conf/elastic-fleet/certs:/etc/pki:ro
 - /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw
 - environment:
 - FLEET_SERVER_ENABLE=true
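Review bot: `mkdir /opt/so/conf/elastic-fleet/certs` has no `-p`, so a second run of this script fails (or logs an ignored error, depending on how it is invoked) at that line, and the directory is created with the caller's umask rather than an explicit mode even though the next two lines copy a private key into it. `cp /etc/pki/elasticfleet*` also sweeps in `elasticfleet.p8` produced by the ssl state, while the fleet container only references `elasticfleet.crt` and `elasticfleet.key` (the `FLEET_SERVER_CERT*` lines in `salt/elastic-fleet/init.sls`), so naming the two files keeps the second unencrypted key form out of the bind-mounted directory. A tighter form is `install -d -m 750 /opt/so/conf/elastic-fleet/certs` followed by `cp /etc/pki/elasticfleet.crt /etc/pki/elasticfleet.key /opt/so/conf/elastic-fleet/certs`. The script body continues outside the hunk.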
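Review bot: The new bind source `/opt/so/conf/elastic-fleet/certs` is created only by the `so-elastic-fleet-setup` script, not by a Salt state the way `elasticfleetdir` is in `salt/ssl/init.sls`, so if this container state is applied before the script has run, the container runtime will presumably create the host path itself with default root ownership and no key material in it. A `file.directory` state for that path with the mode the key needs, required by `so-elastic-fleet`, would make the state idempotent regardless of ordering. The `so-elastic-fleet` definition begins before this hunk.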
@@ -37,8 +37,8 @@ so-elastic-fleet:
 - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }}
 - FLEET_SERVER_POLICY_ID={{ FLEETSERVERPOLICY }}
 - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/intca.crt
- - FLEET_SERVER_CERT=/etc/pki/filebeat.crt
- - FLEET_SERVER_CERT_KEY=/etc/pki/filebeat.key
+ - FLEET_SERVER_CERT=/etc/pki/elasticfleet.crt
+ - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet.key
 - FLEET_CA=/etc/pki/intca.crt
 {% endif %}
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 1ef4a08ea..3be0e9711 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -152,6 +152,88 @@ rediskeyperms:
 - group: 939
 {% endif %}
+{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %}
+etc_elasticfleet_key:
+ x509.private_key_managed:
+ - name: /etc/pki/elasticfleet.key
+ - CN: {{ COMMONNAME }}
+ - bits: 4096
+ - days_remaining: 0
+ - days_valid: 820
+ - backup: True
+ - new: True
+ {% if salt['file.file_exists']('/etc/pki/elasticfleet.key') -%}
+ - prereq:
+ - x509: etc_elasticfleet_crt
+ {%- endif %}
+ - timeout: 30
+ - retry:
+ attempts: 5
+ interval: 30
+
+# Request a cert and drop it where it needs to go to be distributed
+etc_elasticfleet_crt:
+ x509.certificate_managed:
+ - name: /etc/pki/elasticfleet.crt
+ - ca_server: {{ ca_server }}
+ - signing_policy: fleet
+ - public_key: /etc/pki/elasticfleet.key
+ - CN: {{ GLOBALS.hostname }}
+ - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+ - days_remaining: 0
+ - days_valid: 820
+ - backup: True
+{% if grains.role not in ['so-heavynode'] %}
+ - unless:
+ # https://github.com/saltstack/salt/issues/52167
+ # Will trigger 5 days (432000 sec) from cert expiration
+ - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticfleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+{% endif %}
+ - timeout: 30
+ - retry:
+ attempts: 5
+ interval: 30
+ cmd.run:
+ - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet.key -topk8 -out /etc/pki/elasticfleet.p8 -nocrypt"
+ - onchanges:
+ - x509: etc_elasticfleet_key
+
+efperms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/elasticfleet.key
+ - mode: 640
+ - group: 939
+
+chownilogstashelasticfleetp8:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/elasticfleet.p8
+ - mode: 640
+ - user: 931
+ - group: 939
+
+# Create Symlinks to the keys so I can distribute it to all the things
+elasticfleetdir:
+ file.directory:
+ - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs
+ - makedirs: True
+
+efkeylink:
+ file.symlink:
+ - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs/elasticfleet.p8
+ - target: /etc/pki/elasticfleet.p8
+ - user: socore
+ - group: socore
+
+efcrtlink:
+ file.symlink:
+ - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs/elasticfleet.crt
+ - target: /etc/pki/elasticfleet.crt
+ - user: socore
+ - group: socore
+{% endif %}
+
 {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
 etc_filebeat_key:
 x509.private_key_managed:
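Review bot: `efkeylink` places the unencrypted PKCS#8 key `/etc/pki/elasticfleet.p8` under `/opt/so/saltstack/local/salt/elastic-fleet/files/certs/`, and anything under the master's file roots is normally retrievable by every accepted minion, so the fleet server's private key becomes readable well beyond the roles in the enclosing `{% if grains['role'] in [...] %}`; the comment above `elasticfleetdir` should say which minions are meant to fetch it, e.g. `# NOTE: published via salt:// and readable by every accepted minion; fetched by <consumer-roles>`. The `cmd.run` under `etc_elasticfleet_crt` also writes `elasticfleet.p8` with the minion's umask and only the later `chownilogstashelasticfleetp8` tightens it to 640, so prefixing the command, `- name: "umask 077; /usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet.key -topk8 -out /etc/pki/elasticfleet.p8 -nocrypt"`, removes the window in which the file may be world-readable; because that command is gated by `onchanges` on the key, a deleted `.p8` is also not recreated until the key itself changes. `signing_policy: fleet` is referenced but no signing-policy definition is touched in this patch (the diffstat lists only the three files), so `certificate_managed` will fail unless that policy already exists on `{{ ca_server }}`. The surrounding `salt/ssl/init.sls` continues beyond the hunk.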