more requires on docker containers

2025-12-06 01:02:46 +01:00 · 2021-10-22 14:10:59 -04:00
parent 451b19dc4d
commit fed8bfac67
8 changed files with 63 additions and 24 deletions
--- a/salt/domainstats/init.sls
+++ b/salt/domainstats/init.sls
@@ -45,8 +45,6 @@ so-domainstatsimage:

 so-domainstats:
  docker_container.running:
-    - require:
-      - so-domainstatsimage
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-domainstats:{{ VERSION }}
    - hostname: domainstats
    - name: so-domainstats
@@ -55,6 +53,7 @@ so-domainstats:
      - /opt/so/log/domainstats:/var/log/domain_stats
    - require:
      - file: dstatslogdir
+      - cmd: so-domainstatsimage

 append_so-domainstats_so-status.conf:
  file.append:
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -25,9 +25,10 @@
 {% from 'filebeat/map.jinja' import SO with context %}
 {% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %}

+include:
+  - ssl
 #only include elastic state for certain nodes
 {% if grains.role in ES_INCLUDED_NODES %}
-include:
  - elasticsearch
 {% endif %}

@@ -66,7 +67,7 @@ fileregistrydir:
    - makedirs: True

 # This needs to be owned by root
-filebeatconfsync:
+filebeatconf:
  file.managed:
    - name: /opt/so/conf/filebeat/etc/filebeat.yml
    - source: salt://filebeat/etc/filebeat.yml
@@ -78,7 +79,7 @@ filebeatconfsync:
        OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }}

 # Filebeat module config file
-filebeatmoduleconfsync:
+filebeatmoduleconf:
  file.managed:
    - name: /opt/so/conf/filebeat/etc/module-setup.yml
    - source: salt://filebeat/etc/module-setup.yml
@@ -135,7 +136,14 @@ so-filebeat:
  {% endfor %}
 {% endfor %}
    - watch:
-      - file: /opt/so/conf/filebeat/etc/filebeat.yml
+      - file: filebeatconf
+    - require:
+      - file: filebeatconf
+      - file: filebeatmoduleconf
+      - file: filebeatmoduledir
+      - x509: filebeat_crt
+      - x509: filebeat_key
+      - x509: trusttheca

 {% if grains.role in ES_INCLUDED_NODES %}
 run_module_setup:
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -17,6 +17,7 @@


 include:
+  - ssl
  - mysql

 # Fleet Setup
@@ -136,10 +137,13 @@ so-fleet:
      - /opt/so/conf/fleet/packs:/packs
    - watch:
      - /opt/so/conf/fleet/etc
+    - require:
+      - x509: fleet_key
+      - x509: fleet_crt

 append_so-fleet_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-fleet

-{% endif %}
+{% endif %}
--- a/salt/grafana/init.sls
+++ b/salt/grafana/init.sls
@@ -132,6 +132,8 @@ so-grafana:
      - 0.0.0.0:3000:3000
    - watch:
      - file: /opt/so/conf/grafana/*
+    - require:
+      - file: grafana-config

 append_so-grafana_so-status.conf:
  file.append:
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -17,6 +17,8 @@
 include:
  - salt.minion
  - salt.python3-influxdb
+  - ssl
+  
 # Influx DB
 influxconfdir:
  file.directory:
@@ -60,6 +62,10 @@ so-influxdb:
      - 0.0.0.0:8086:8086
    - watch:
      - file: influxdbconf
+    - require:
+      - file: influxdbconf
+      - x509: influxdb_key
+      - x509: influxdb_crt

 append_so-influxdb_so-status.conf:
  file.append:
--- a/salt/learn/logscan.sls
+++ b/salt/learn/logscan.sls
@@ -51,6 +51,8 @@ so-logscan:
      - /opt/so/log/logscan:/logscan/output:rw
      - /opt/so/log:/logscan/logs:ro
    - cpu_period: {{ logscan_cpu_period }}
+    - require:
+      - file: logscan_conf
    {% else %}
    - force: true
    {% endif %}
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -45,6 +45,7 @@
 {% endif %}

 include:
+  - ssl
  - elasticsearch

 # Create the logstash group
@@ -162,9 +163,7 @@ so-logstash:
 {% endfor %}
    - binds:
      - /opt/so/conf/elasticsearch/templates/:/templates/:ro
-      - /opt/so/conf/logstash/etc/log4j2.properties:/usr/share/logstash/config/log4j2.properties:ro
-      - /opt/so/conf/logstash/etc/logstash.yml:/usr/share/logstash/config/logstash.yml:ro
-      - /opt/so/conf/logstash/etc/pipelines.yml:/usr/share/logstash/config/pipelines.yml
+      - /opt/so/conf/logstash/etc/:/usr/share/logstash/config/:ro
      - /opt/so/conf/logstash/pipelines:/usr/share/logstash/pipelines:ro
      - /opt/so/rules:/etc/nsm/rules:ro
      - /nsm/import:/nsm/import:ro
@@ -181,7 +180,6 @@ so-logstash:
      {% endif %}
      - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
      - /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
-      - /etc/pki/ca.cer:/ca/ca.crt:ro
      {%- if grains['role'] == 'so-eval' %}
      - /nsm/zeek:/nsm/zeek:ro
      - /nsm/suricata:/suricata:ro
@@ -201,6 +199,16 @@ so-logstash:
 {% for TEMPLATE in TEMPLATES %}
      - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}
 {% endfor %}
+    - require:
+      - x509: filebeat_crt
+      - x509: filebeat_key
+{% if grains['role'] == 'so-heavynode' %}
+      - x509: trusttheca
+{% else %}
+      - x509: pki_public_ca_crt
+{% endif %}
+      - file: cacertz
+      - file: capemz

 append_so-logstash_so-status.conf:
  file.append:
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -67,8 +67,9 @@ removeesp12dir:
    - name: /etc/pki/elasticsearch.p12
    - onlyif: "[ -d /etc/pki/elasticsearch.p12 ]"
    
-/etc/pki/influxdb.key:
+influxdb_key:
  x509.private_key_managed:
+    - name: /etc/pki/influxdb.key
    - CN: {{ manager }}
    - bits: 4096
    - days_remaining: 0
@@ -85,8 +86,9 @@ removeesp12dir:
        interval: 30

 # Create a cert for the talking to influxdb
-/etc/pki/influxdb.crt:
+influxdb_crt:
  x509.certificate_managed:
+    - name: /etc/pki/influxdb.crt
    - ca_server: {{ ca_server }}
    - signing_policy: influxdb
    - public_key: /etc/pki/influxdb.key
@@ -161,8 +163,9 @@ rediskeyperms:
 {% endif %}

 {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %}
-/etc/pki/filebeat.key:
+filebeat_key:
  x509.private_key_managed:
+    - name: /etc/pki/filebeat.key
    - CN: {{ COMMONNAME }}
    - bits: 4096
    - days_remaining: 0
@@ -179,8 +182,9 @@ rediskeyperms:
        interval: 30

 # Request a cert and drop it where it needs to go to be distributed
-/etc/pki/filebeat.crt:
+filebeat_crt:
  x509.certificate_managed:
+    - name: /etc/pki/filebeat.crt
    - ca_server: {{ ca_server }}
    - signing_policy: filebeat
    - public_key: /etc/pki/filebeat.key
@@ -201,7 +205,7 @@ rediskeyperms:
  cmd.run:
    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"
    - onchanges:
-      - x509: /etc/pki/filebeat.key
+      - x509: filebeat_key


 fbperms:
@@ -427,8 +431,9 @@ msslkeyperms:
    - group: 939

 # Create a private key and cert for OSQuery
-/etc/pki/fleet.key:
+fleet_key:
  x509.private_key_managed:
+    - name: /etc/pki/fleet.key
    - CN: {{ manager }}
    - bits: 4096
    - days_remaining: 0
@@ -444,8 +449,9 @@ msslkeyperms:
        attempts: 5
        interval: 30

-/etc/pki/fleet.crt:
+fleet_crt:
  x509.certificate_managed:
+    - name: /etc/pki/fleet.crt
    - signing_private_key: /etc/pki/fleet.key
    - CN: {{ manager }}
    - subjectAltName: DNS:{{ manager }},IP:{{ managerip }}
@@ -476,8 +482,9 @@ fbcertdir:
    - name: /opt/so/conf/filebeat/etc/pki
    - makedirs: True

-/opt/so/conf/filebeat/etc/pki/filebeat.key:
+filebeat_key:
  x509.private_key_managed:
+    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
    - CN: {{ COMMONNAME }}
    - bits: 4096
    - days_remaining: 0
@@ -486,7 +493,7 @@ fbcertdir:
    - new: True
    {% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%}
    - prereq:
-      - x509: /opt/so/conf/filebeat/etc/pki/filebeat.crt
+      - x509: filebeat_crt
    {%- endif %}
    - timeout: 30
    - retry:
@@ -494,8 +501,9 @@ fbcertdir:
        interval: 30

 # Request a cert and drop it where it needs to go to be distributed
-/opt/so/conf/filebeat/etc/pki/filebeat.crt:
+filebeat_crt:
  x509.certificate_managed:
+    - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
    - ca_server: {{ ca_server }}
    - signing_policy: filebeat
    - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
@@ -519,7 +527,7 @@ filebeatpkcs:
  cmd.run:
    - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:"
    - onchanges:
-      - x509: /opt/so/conf/filebeat/etc/pki/filebeat.key
+      - x509: filebeat_key

 filebeatkeyperms:
  file.managed:
@@ -585,8 +593,9 @@ msslkeyperms:
    - group: 939

 # Create a private key and cert for Fleet
-/etc/pki/fleet.key:
+fleet_key:
  x509.private_key_managed:
+    - name: /etc/pki/fleet.key
    - CN: {{ manager }}
    - bits: 4096
    - days_remaining: 0
@@ -602,8 +611,9 @@ msslkeyperms:
        attempts: 5
        interval: 30

-/etc/pki/fleet.crt:
+fleet_crt:
  x509.certificate_managed:
+    - name: /etc/pki/fleet.crt
    - signing_private_key: /etc/pki/fleet.key
    - CN: {{ HOSTNAME }}
    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %}