more changes

2025-12-06 17:22:49 +01:00 · 2021-06-01 10:53:58 -04:00
parent f87dce8ec1
commit d25a439bd4
6 changed files with 34 additions and 39 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -22,6 +22,9 @@ base:
  '*_manager or *_managersearch':
    - match: compound
    - data.*
+{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
+    - elasticsearch.auth
+{% endif %}
    - secrets
    - global
    - minions.{{ grains.id }}
@@ -38,6 +41,9 @@ base:
    - secrets
    - healthcheck.eval
    - elasticsearch.eval
+{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
+    - elasticsearch.auth
+{% endif %}
    - global
    - minions.{{ grains.id }}

@@ -91,5 +97,8 @@ base:
    - zeeklogs
    - secrets
    - elasticsearch.eval
+{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
+    - elasticsearch.auth
+{% endif %}
    - global
    - minions.{{ grains.id }}
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -3,12 +3,6 @@

 {% set role = grains.id.split('_') | last %}
 {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %}
-{% set ES_INCLUDED_NODES = ['so-standalone'] %}
-
-{% if grains.role in ES_INCLUDED_NODES %}
-include:
-  - elasticsearch.auth
-{% %}

 # Remove variables.txt from /tmp - This is temp
 rmvariablesfile:
@@ -174,6 +168,13 @@ alwaysupdated:
 Etc/UTC:
  timezone.system

+elastic_curl_config:
+  file.managed:
+    - name: /opt/so/conf/elasticsearch/curl.config
+    - source: salt://elasticsearch/curl.config
+    - mode: 600
+    - show_changes: False
+
 # Sync some Utilities
 utilsyncscripts:
  file.recurse:
@@ -185,10 +186,6 @@ utilsyncscripts:
    - source: salt://common/tools/sbin
    - defaults:
        ELASTICCURL: {{ ELASTICAUTH.elasticcurl }}
-{% if grains.role in ES_INCLUDED_NODES %}
-    - require:
-      - file: elastic_auth_pillar
-{% endif %}

 {% if role in ['eval', 'standalone', 'sensor', 'heavynode'] %}
 # Add sensor cleanup
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -37,8 +37,6 @@
 {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %}
 {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %}

-# used in this state to control who can run the so-users script
-{% set ES_INCLUDED_NODES = ['so-standalone'] %}

 vm.max_map_count:
  sysctl.present:
@@ -173,33 +171,15 @@ eslogdir:
    - group: 939
    - makedirs: True

-{% if grains.role in ES_INCLUDED_NODES %}
-# Must run before elasticsearch docker container is started!
-syncesusers:
-  cmd.run:
-    - name: so-user sync
-    - creates:
-      - /opt/so/saltstack/local/salt/elasticsearch/files/users
-      - /opt/so/saltstack/local/salt/elasticsearch/files/users_roles
-{% endif %}
-
 auth_users:
  file.managed:
    - name: /opt/so/conf/elasticsearch/users
    - source: salt://elasticsearch/files/users
-    - require:
-{% if grains.role in ES_INCLUDED_NODES %}
-      - cmd: syncesusers
-{% endif %}

 auth_users_roles:
  file.managed:
    - name: /opt/so/conf/elasticsearch/users_roles
    - source: salt://elasticsearch/files/users_roles
-{% if grains.role in ES_INCLUDED_NODES %}
-    - require:
-      - cmd: syncesusers
-{% endif %}

 so-elasticsearch:
  docker_container.running:
@@ -289,13 +269,6 @@ so-elasticsearch-templates:
    - template: jinja
 {% endif %}

-elastic_curl_config:
-  file.managed:
-    - name: /opt/so/conf/elasticsearch/curl.config
-    - mode: 600
-    - contents: user = "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user') }}:{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass') }}"
-    - show_changes: False
-
 {% endif %} {# if grains['role'] != 'so-helix' #}

 {% else %}
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -105,6 +105,22 @@ strelka_yara_update:
    - name: '/usr/sbin/so-yara-update >> /nsm/strelka/log/yara-update.log 2>&1'
    - hour: '7'
    - minute: '1'
+
+elastic_curl_config_distributed:
+  file.managed:
+    - name: /opt/so/saltstack/local/salt/elasticsearch/curl.config
+    - mode: 600
+    - contents: user = "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user') }}:{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass') }}"
+    - show_changes: False
+
+# Must run before elasticsearch docker container is started!
+syncesusers:
+  cmd.run:
+    - name: so-user sync
+    - creates:
+      - /opt/so/saltstack/local/salt/elasticsearch/files/users
+      - /opt/so/saltstack/local/salt/elasticsearch/files/users_roles
+
 {% else %}

 {{sls}}_state_not_allowed:
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -238,7 +238,6 @@ base:
    {%- endif %}
    {%- if ELASTICSEARCH %}
    - elasticsearch
-    - elasticsearch.auth
    {%- endif %} 
    {%- if LOGSTASH %}
    - logstash
@@ -261,7 +260,7 @@ base:
    - filebeat
    {%- endif %}
    {%- if CURATOR %}
-    - curator
+    - curator0
    {%- endif %}
    {%- if ELASTALERT %}
    - elastalert
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -752,6 +752,7 @@ echo "1" > /root/accept_changes
 		
 		set_progress_str 60 "$(print_salt_state_apply 'manager')"
 		salt-call state.apply -l info manager >> $setup_log 2>&1
+		bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth
 	fi

 	set_progress_str 61 "$(print_salt_state_apply 'firewall')"