From c49b1341228df103946c0fbf2c322e81ffe3d66c Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 15 May 2023 16:43:47 -0400
Subject: [PATCH] move so-catrust

---
 salt/elasticsearch/ca.sls | 33 +++++++++++++++++
 salt/elasticsearch/config.sls | 12 +------
 .../tools/sbin_jinja/so-catrust | 12 +++----
 salt/logstash/enabled.sls | 1 +
 salt/ssl/init.sls | 35 -------------------
 5 files changed, 41 insertions(+), 52 deletions(-)
 create mode 100644 salt/elasticsearch/ca.sls
 rename salt/{ssl => elasticsearch}/tools/sbin_jinja/so-catrust (68%)

diff --git a/salt/elasticsearch/ca.sls b/salt/elasticsearch/ca.sls
new file mode 100644
index 000000000..fdd63338d
--- /dev/null
+++ b/salt/elasticsearch/ca.sls
@@ -0,0 +1,33 @@
+# Move our new CA over so Elastic and Logstash can use SSL with the internal CA
+catrustdir:
+ file.directory:
+ - name: /opt/so/conf/ca
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+{% if GLOBALS.is_manager %}
+# We have to add the Manager CA to the CA list
+cascriptsync:
+ cmd.script:
+ - source: salt://elasticsearch/tools/sbin_jinja/so-catrust
+ - template: jinja
+ - defaults:
+ GLOBALS: {{ GLOBALS }}
+{% endif %}
+
+{% if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-searchnode'] %}
+cacertz:
+ file.managed:
+ - name: /opt/so/conf/ca/cacerts
+ - source: salt://elasticsearch/cacerts
+ - user: 939
+ - group: 939
+
+capemz:
+ file.managed:
+ - name: /opt/so/conf/ca/tls-ca-bundle.pem
+ - source: salt://elasticsearch/tls-ca-bundle.pem
+ - user: 939
+ - group: 939
+{% endif %}
diff --git a/salt/elasticsearch/config.sls b/salt/elasticsearch/config.sls
index 68948e982..23e11a710 100644
--- a/salt/elasticsearch/config.sls
+++ b/salt/elasticsearch/config.sls
@@ -8,6 +8,7 @@ include:
 - ssl
+ - elasticsearch.ca
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
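Review bot: The new ca.sls reads `GLOBALS` in `{% if GLOBALS.is_manager %}` and `GLOBALS: {{ GLOBALS }}`, yet none of its 33 lines imports it, and a Jinja name imported by the including state (config.sls brings it in with `{% from 'vars/globals.map.jinja' import GLOBALS %}`) is not visible inside an included SLS, which the renderer processes on its own. Depending on how the renderer treats the undefined name this either fails the render of every state that now includes `elasticsearch.ca` or silently skips the manager-only block, so the internal CA never gets appended to the keystore or bundle. Add `{% from 'vars/globals.map.jinja' import GLOBALS %}` as the first line of ca.sls, matching the convention used by config.sls. Separately, the `cmd.script` has no `creates`/`unless`, so the state reports a change on every highstate even though the script itself exits early once the keystore exists; `- creates: /opt/so/saltstack/local/salt/elasticsearch/cacerts` would make that idempotence explicit in the state result.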
@@ -37,8 +38,6 @@ elasticsearch:
 - home: /opt/so/conf/elasticsearch
 - createhome: False
-
-
 elasticsearch_sbin:
 file.recurse:
 - name: /usr/sbin
@@ -47,7 +46,6 @@ elasticsearch_sbin:
 - group: 939
 - file_mode: 755
 - exclude_pat:
- - so-catrust
 - so-elasticsearch-pipelines # exclude this because we need to watch it for changes, we sync it in another state
 elasticsearch_sbin_jinja:
@@ -80,14 +78,6 @@ so-elasticsearch-pipelines-script:
 - group: 939
 - mode: 754
-# Move our new CA over so Elastic and Logstash can use SSL with the internal CA
-catrustdir:
- file.directory:
- - name: /opt/so/conf/ca
- - user: 939
- - group: 939
- - makedirs: True
-
 esingestdir:
 file.directory:
 - name: /opt/so/conf/elasticsearch/ingest
diff --git a/salt/ssl/tools/sbin_jinja/so-catrust b/salt/elasticsearch/tools/sbin_jinja/so-catrust
similarity index 68%
rename from salt/ssl/tools/sbin_jinja/so-catrust
rename to salt/elasticsearch/tools/sbin_jinja/so-catrust
index 49a3f97f1..fe4ff58bc 100644
--- a/salt/ssl/tools/sbin_jinja/so-catrust
+++ b/salt/elasticsearch/tools/sbin_jinja/so-catrust
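Review bot: Dropping `- so-catrust` from the `exclude_pat` of `elasticsearch_sbin` while the script moves into `salt/elasticsearch/tools/sbin_jinja/` means that, if `elasticsearch_sbin_jinja` (whose body begins just past this hunk) recurses that directory into `/usr/sbin`, every node applying this state now renders and installs so-catrust too, with whatever template context that state supplies rather than the `defaults` given to `cmd.script` in ca.sls. If that is not intended, add `- so-catrust` to the `exclude_pat` of `elasticsearch_sbin_jinja`; if it is, a comment on the ca.sls `cmd.script` saying the same script is also shipped to `/usr/sbin` by config.sls would spare the next reader the hunt. The `source` lines of both recurse states are outside the hunk, so the directory they sync is inferred from the path naming.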
@@ -11,14 +11,14 @@ set -e
 # Check to see if we have extracted the ca cert.
-if [ ! -f /opt/so/saltstack/local/salt/ssl/cacerts ]; then
+if [ ! -f /opt/so/saltstack/local/salt/elasticsearch/cacerts ]; then
 docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }} -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt
- docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/ssl/cacerts
- docker cp so-elasticsearchca:/etc/ssl/certs/ca-certificates.crt /opt/so/saltstack/local/salt/ssl/tls-ca-bundle.pem
+ docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/elasticsearch/cacerts
+ docker cp so-elasticsearchca:/etc/ssl/certs/ca-certificates.crt /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
 docker rm so-elasticsearchca
- echo "" >> /opt/so/saltstack/local/salt/ssl/tls-ca-bundle.pem
- echo "sosca" >> /opt/so/saltstack/local/salt/ssl/tls-ca-bundle.pem
- cat /etc/pki/ca.crt >> /opt/so/saltstack/local/salt/ssl/tls-ca-bundle.pem
+ echo "" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
+ echo "sosca" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
+ cat /etc/pki/ca.crt >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
 else
 exit 0
 fi
diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls
index 2f5a46323..65905cd6c 100644
--- a/salt/logstash/enabled.sls
+++ b/salt/logstash/enabled.sls
@@ -12,6 +12,7 @@
 {% set lsheap = LOGSTASH_MERGED.settings.lsheap %}
 include:
+ - elasticsearch.ca
 - logstash.config
 - logstash.sostatus
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 54f629182..e077d55d0 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
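Review bot: The `docker cp` destinations now sit under `/opt/so/saltstack/local/salt/elasticsearch/`, but nothing in the script creates that directory; if the local fileserver tree does not already contain it, the first `docker cp` fails, `set -e` aborts before `docker rm so-elasticsearchca`, and the next run then dies on the `--name` conflict instead of retrying the import. A `mkdir -p /opt/so/saltstack/local/salt/elasticsearch` as the first statement inside the `if` closes the first gap, and `trap 'docker rm -f so-elasticsearchca >/dev/null 2>&1 || true' EXIT` placed after `set -e` would make the container cleanup hold on any failure path rather than only on success. The script header and the `set -e` line are outside the hunk.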
@@ -35,42 +35,7 @@ include:
 {% set ca_server = global_ca_server[0] %}
 {% endif %}
-{% if GLOBALS.is_manager %}
-# We have to add the Manager CA to the CA list
-cascriptsync:
- file.managed:
- - name: /usr/sbin/so-catrust
- - source: salt://ssl/tools/sbin_jinja/so-catrust
- - user: 939
- - group: 939
- - mode: 750
- - template: jinja
- - defaults:
- GLOBALS: {{ GLOBALS }}
-# Run the CA magic
-cascriptfun:
- cmd.run:
- - name: /usr/sbin/so-catrust
- - require:
- - file: cascriptsync
-{% endif %}
-
-{% if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-searchnode'] %}
-cacertz:
- file.managed:
- - name: /opt/so/conf/ca/cacerts
- - source: salt://ssl/cacerts
- - user: 939
- - group: 939
-
-capemz:
- file.managed:
- - name: /opt/so/conf/ca/tls-ca-bundle.pem
- - source: salt://ssl/tls-ca-bundle.pem
- - user: 939
- - group: 939
-{% endif %}
 # Trust the CA
 trusttheca: