From fc78c97ce224ee280610ad14775b2fe09cd24226 Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Fri, 4 Aug 2023 17:42:25 +0200
Subject: [PATCH 1/5] Install cryptography Python library

We had this as a requirement. But it makes sense to have the role install the library without any further interaction with the user.

fixes #212
---
 docs/role-beats.md | 1 -
 docs/role-elasticsearch.md | 5 -----
 docs/role-kibana.md | 5 -----
 docs/role-logstash.md | 1 -
 roles/elasticsearch/tasks/elasticsearch-security.yml | 4 ++++
 roles/kibana/tasks/kibana-security.yml | 4 ++++
 roles/logstash/tasks/logstash-security.yml | 4 ++++
 7 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/docs/role-beats.md b/docs/role-beats.md
index 2f45e14f..95192bfc 100644
--- a/docs/role-beats.md
+++ b/docs/role-beats.md
@@ -10,7 +10,6 @@ Requirements
 You need to have the beats you want to install available in your software repositories. We provide a [role](./role-repos.md) for just that but if you have other ways of managing software, just make sure it's available. Alternatively you can install the Beats yourself.
-* `cryptography` >= 2.5
 * `community.crypto` collection: ansible-galaxy collection install community.crypto
 Role Variables
diff --git a/docs/role-elasticsearch.md b/docs/role-elasticsearch.md
index 566094bc..5e922214 100644
--- a/docs/role-elasticsearch.md
+++ b/docs/role-elasticsearch.md
@@ -9,11 +9,6 @@ If you use the role to set up security you, can use its CA to create certificate
 Please note that setting `elasticsearch_bootstrap_pw` as variable will only take effect when initialising Elasticsearch. Changes after starting elasticsearch for the first time will not change the bootstrap password for the instance and will lead to breaking tests.
-Requirements
-------------
-
-* `cryptography` >= 2.5
-
 Role Variables
 --------------
diff --git a/docs/role-kibana.md b/docs/role-kibana.md
index 28abf012..07d17653 100644
--- a/docs/role-kibana.md
+++ b/docs/role-kibana.md
@@ -5,11 +5,6 @@ Ansible Role: Kibana
 This roles installs and configures Kibana.
-Requirements
-------------
-
-* `cryptography` >= 2.5
-
 Role Variables
 --------------
diff --git a/docs/role-logstash.md b/docs/role-logstash.md
index 321a9d9c..cd14e237 100644
--- a/docs/role-logstash.md
+++ b/docs/role-logstash.md
@@ -19,7 +19,6 @@ Requirements
 ------------
 * `community.general` collection
-* `cryptography` >= 2.5
 You need to have the Elastic Repos configured on your system. You can use our [role](./role-repos.md)
diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml
index 5bf64363..2f2b0e79 100644
--- a/roles/elasticsearch/tasks/elasticsearch-security.yml
+++ b/roles/elasticsearch/tasks/elasticsearch-security.yml
@@ -1,5 +1,9 @@
 ---
+- name: Make sure cryptography Elasticsearch module is installed
+ package:
+ name: python-cryptography
+
 - name: Set elasticstack_ca variable if not already done by user
 set_fact:
 elasticstack_ca: "{{ groups['elasticsearch'][0] }}"
diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml
index 469b845e..15842179 100644
--- a/roles/kibana/tasks/kibana-security.yml
+++ b/roles/kibana/tasks/kibana-security.yml
@@ -1,5 +1,9 @@
 ---
+- name: Make sure cryptography Elasticsearch module is installed
+ package:
+ name: python-cryptography
+
 - name: Make sure openssl is installed
 package:
 name: openssl
diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
index 83c75634..106e2b9e 100644
--- a/roles/logstash/tasks/logstash-security.yml
+++ b/roles/logstash/tasks/logstash-security.yml
@@ -1,5 +1,9 @@
 ---
+- name: Make sure cryptography Elasticsearch module is installed
+ package:
+ name: python-cryptography
+
 - name: Install unzip for certificate handling
 package:
 name: unzip
From db4d7edaa5c809b533cb1f673f036ef26c97dc27 Mon Sep 17 00:00:00 2001
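Review bot: The new `package` task in elasticsearch-security.yml installs whatever `python-cryptography` the distribution repository ships, but nothing verifies it meets the `cryptography >= 2.5` requirement this same patch deletes from all four docs pages; on older distributions the packaged version can be lower than what the `community.crypto` modules expect, so the version note should stay in the docs or the role should assert the installed version before the first certificate task. The task name `Make sure cryptography Elasticsearch module is installed` is also misleading, since this is the Python library used by `community.crypto`, not an Elasticsearch module — `- name: Install the Python cryptography library needed by community.crypto` says what it does. Both points apply equally to the kibana-security.yml and logstash-security.yml hunks of this patch.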
From: Thomas Widhalm
Date: Fri, 4 Aug 2023 18:30:10 +0200
Subject: [PATCH 2/5] Use package name per OS

---
 roles/elasticsearch/tasks/elasticsearch-security.yml | 2 +-
 roles/elasticsearch/vars/Debian.yml | 1 +
 roles/elasticsearch/vars/RedHat.yml | 1 +
 roles/kibana/tasks/kibana-security.yml | 4 ----
 roles/logstash/tasks/logstash-security.yml | 4 ----
 5 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml
index 2f2b0e79..174fd6c2 100644
--- a/roles/elasticsearch/tasks/elasticsearch-security.yml
+++ b/roles/elasticsearch/tasks/elasticsearch-security.yml
@@ -2,7 +2,7 @@
 - name: Make sure cryptography Elasticsearch module is installed
 package:
- name: python-cryptography
+ name: "{{ elasticsearch_pythoncryptography_pkgname }}"
 - name: Set elasticstack_ca variable if not already done by user
 set_fact:
diff --git a/roles/elasticsearch/vars/Debian.yml b/roles/elasticsearch/vars/Debian.yml
index 1713160e..2ceb0f41 100644
--- a/roles/elasticsearch/vars/Debian.yml
+++ b/roles/elasticsearch/vars/Debian.yml
@@ -1,4 +1,5 @@
 ---
 elasticsearch_sysconfig_file: /etc/default/elasticsearch
+elasticsearch_pythoncryptography_pkgname: python3-cryptography
 elasticstack_versionseparator: "="
diff --git a/roles/elasticsearch/vars/RedHat.yml b/roles/elasticsearch/vars/RedHat.yml
index d12aa3b5..ca8e2aea 100644
--- a/roles/elasticsearch/vars/RedHat.yml
+++ b/roles/elasticsearch/vars/RedHat.yml
@@ -1,4 +1,5 @@
 ---
 elasticsearch_sysconfig_file: /etc/sysconfig/elasticsearch
+elasticsearch_pythoncryptography_pkgname: python-cryptography
 elasticstack_versionseparator: "-"
diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml
index 15842179..469b845e 100644
--- a/roles/kibana/tasks/kibana-security.yml
+++ b/roles/kibana/tasks/kibana-security.yml
@@ -1,9 +1,5 @@
 ---
-- name: Make sure cryptography Elasticsearch module is installed
- package:
- name: python-cryptography
-
 - name: Make sure openssl is installed
 package:
 name: openssl
diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
index 106e2b9e..83c75634 100644
--- a/roles/logstash/tasks/logstash-security.yml
+++ b/roles/logstash/tasks/logstash-security.yml
@@ -1,9 +1,5 @@
 ---
-- name: Make sure cryptography Elasticsearch module is installed
- package:
- name: python-cryptography
-
 - name: Install unzip for certificate handling
 package:
 name: unzip
From 24ec82906fbd1d4a249953cd458b91532415bcf5 Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Fri, 11 Aug 2023 13:23:46 +0200
Subject: [PATCH 3/5] Fix name of package

---
 roles/elasticsearch/vars/RedHat.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/elasticsearch/vars/RedHat.yml b/roles/elasticsearch/vars/RedHat.yml
index ca8e2aea..2da814bc 100644
--- a/roles/elasticsearch/vars/RedHat.yml
+++ b/roles/elasticsearch/vars/RedHat.yml
@@ -1,5 +1,5 @@
 ---
 elasticsearch_sysconfig_file: /etc/sysconfig/elasticsearch
-elasticsearch_pythoncryptography_pkgname: python-cryptography
+elasticsearch_pythoncryptography_pkgname: python3-cryptography
 elasticstack_versionseparator: "-"
From 2ba7fba17e7483bf072826ee742c0b561cd9533c Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Mon, 21 Aug 2023 14:14:04 +0200
Subject: [PATCH 4/5] Synchronize security packages between roles

---
 docs/role-beats.md | 1 -
 roles/beats/defaults/main.yml | 1 -
 roles/beats/tasks/beats-security.yml | 10 +++++++---
 roles/elasticsearch/tasks/elasticsearch-security.yml | 12 ++++++++++--
 roles/elasticsearch/vars/Debian.yml | 1 -
 roles/elasticsearch/vars/RedHat.yml | 1 -
 roles/kibana/tasks/kibana-security.yml | 7 +++++--
 roles/logstash/tasks/logstash-security.yml | 7 +++++--
 8 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/docs/role-beats.md b/docs/role-beats.md
index 95192bfc..73722a6c 100644
--- a/docs/role-beats.md
+++ b/docs/role-beats.md
@@ -86,7 +86,6 @@ beats_filebeat_journald_inputs:
 * *beats_loglevel*: Level of logging (for all beats) (Default: `info`)
 * *beats_logpath*: If logging to file, where to put logfiles (Default: `/var/log/beats`)
 * *beats_fields*: Fields that are added to every input in the configuration
-* *beats_manage_unzip*: Install `unzip` via package manager (Default: `true`)
 The following variables only apply if you use this role together with our other Elastic Stack roles.
diff --git a/roles/beats/defaults/main.yml b/roles/beats/defaults/main.yml
index 829bda5e..ea494225 100644
--- a/roles/beats/defaults/main.yml
+++ b/roles/beats/defaults/main.yml
@@ -10,7 +10,6 @@ elasticstack_beats_port: 5044
 beats_logging: file
 beats_logpath: /var/log/beats
 beats_loglevel: info
-beats_manage_unzip: true
 # Use TLS without Elastic X-Pack
 #
diff --git a/roles/beats/tasks/beats-security.yml b/roles/beats/tasks/beats-security.yml
index e99f79f6..eecf4ce7 100644
--- a/roles/beats/tasks/beats-security.yml
+++ b/roles/beats/tasks/beats-security.yml
@@ -1,11 +1,15 @@
 ---
-- name: Install unzip for certificate handling
+- name: Install packages for security tasks
 package:
- name: unzip
- when: beats_manage_unzip | bool
+ name:
+ - unzip
+ - python3-cryptography
+ - openssl
 tags:
+ - certificates
 - renew_ca
+ - renew_kibana_cert
 - renew_beats_cert
 - name: Ensure beats certificate exists
diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml
index 2744294b..52d2f19e 100644
--- a/roles/elasticsearch/tasks/elasticsearch-security.yml
+++ b/roles/elasticsearch/tasks/elasticsearch-security.yml
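Review bot: The new package list in beats-security.yml hard-codes `python3-cryptography`, discarding the per-OS `elasticsearch_pythoncryptography_pkgname` lookup that patch 2 introduced for exactly this name; the name fits Debian/Ubuntu and recent Enterprise Linux, but if any platform the roles still support ships the library under another name the task fails there, and the same hard-coded list is in this patch's elasticsearch-security.yml, kibana-security.yml and logstash-security.yml hunks. Dropping `when: beats_manage_unzip | bool` (together with its default and doc entry earlier in this patch) also removes the only switch for keeping the role away from the package manager on hosts where packages are managed elsewhere; a replacement such as `when: beats_manage_security_packages | bool` with a documented default of `true`, or at least an explicit breaking-change note, would preserve that control. The added `renew_kibana_cert` tag looks copied from the other roles — if no other task in beats-security.yml carries that tag, it can be dropped.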
@@ -1,8 +1,16 @@
 ---
-- name: Make sure cryptography Elasticsearch module is installed
+- name: Install packages for security tasks
 package:
- name: "{{ elasticsearch_pythoncryptography_pkgname }}"
+ name:
+ - unzip
+ - python3-cryptography
+ - openssl
+ tags:
+ - certificates
+ - renew_ca
+ - renew_kibana_cert
+ - renew_es_cert
 - name: Set elasticstack_ca variable if not already done by user
 set_fact:
diff --git a/roles/elasticsearch/vars/Debian.yml b/roles/elasticsearch/vars/Debian.yml
index 2ceb0f41..1713160e 100644
--- a/roles/elasticsearch/vars/Debian.yml
+++ b/roles/elasticsearch/vars/Debian.yml
@@ -1,5 +1,4 @@
 ---
 elasticsearch_sysconfig_file: /etc/default/elasticsearch
-elasticsearch_pythoncryptography_pkgname: python3-cryptography
 elasticstack_versionseparator: "="
diff --git a/roles/elasticsearch/vars/RedHat.yml b/roles/elasticsearch/vars/RedHat.yml
index 2da814bc..d12aa3b5 100644
--- a/roles/elasticsearch/vars/RedHat.yml
+++ b/roles/elasticsearch/vars/RedHat.yml
@@ -1,5 +1,4 @@
 ---
 elasticsearch_sysconfig_file: /etc/sysconfig/elasticsearch
-elasticsearch_pythoncryptography_pkgname: python3-cryptography
 elasticstack_versionseparator: "-"
diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml
index 469b845e..eb1e5684 100644
--- a/roles/kibana/tasks/kibana-security.yml
+++ b/roles/kibana/tasks/kibana-security.yml
@@ -1,8 +1,11 @@
 ---
-- name: Make sure openssl is installed
+- name: Install packages for security tasks
 package:
- name: openssl
+ name:
+ - unzip
+ - python3-cryptography
+ - openssl
 tags:
 - certificates
 - renew_ca
diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
index 83c75634..c920d16a 100644
--- a/roles/logstash/tasks/logstash-security.yml
+++ b/roles/logstash/tasks/logstash-security.yml
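Review bot: Nothing in the new `Install packages for security tasks` block in elasticsearch-security.yml says why each of the three packages is needed, so a later cleanup can easily drop one that only a much later task in this file depends on; a comment above `name:` would fix that, e.g. `# unzip: certificate archive handling; python3-cryptography: required by the community.crypto modules; openssl: command-line certificate handling (confirm which tasks use it)`. The earlier task names (`Install unzip for certificate handling`, `Make sure openssl is installed`) carried part of this information and disappear with this patch. The same comment applies to the kibana-security.yml hunk on this line and to the logstash-security.yml hunk that follows.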
@@ -1,8 +1,11 @@
 ---
-- name: Install unzip for certificate handling
+- name: Install packages for security tasks
 package:
- name: unzip
+ name:
+ - unzip
+ - python3-cryptography
+ - openssl
 tags:
 - certificates
 - renew_ca
From 57cfd85a31ef8f982a2ee303b83fcb58e9bc28ef Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Tue, 5 Sep 2023 10:08:11 +0200
Subject: [PATCH 5/5] Fix lint

---
 roles/beats/tasks/beats-security.yml | 2 +-
 roles/elasticsearch/tasks/elasticsearch-security.yml | 2 +-
 roles/kibana/tasks/kibana-security.yml | 2 +-
 roles/logstash/tasks/logstash-security.yml | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/roles/beats/tasks/beats-security.yml b/roles/beats/tasks/beats-security.yml
index 782630ac..ef034ee3 100644
--- a/roles/beats/tasks/beats-security.yml
+++ b/roles/beats/tasks/beats-security.yml
@@ -1,7 +1,7 @@
 ---
 - name: Install packages for security tasks
- package:
+ ansible.builtin.package:
 name:
 - unzip
 - python3-cryptography
diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml
index 90adabd3..fb5b9f43 100644
--- a/roles/elasticsearch/tasks/elasticsearch-security.yml
+++ b/roles/elasticsearch/tasks/elasticsearch-security.yml
@@ -1,7 +1,7 @@
 ---
 - name: Install packages for security tasks
- package:
+ ansible.builtin.package:
 name:
 - unzip
 - python3-cryptography
diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml
index 3f9c061e..4bb14fbd 100644
--- a/roles/kibana/tasks/kibana-security.yml
+++ b/roles/kibana/tasks/kibana-security.yml
@@ -1,7 +1,7 @@
 ---
 - name: Install packages for security tasks
- package:
+ ansible.builtin.package:
 name:
 - unzip
 - python3-cryptography
diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
index 9e0a2163..330d6a20 100644
--- a/roles/logstash/tasks/logstash-security.yml
+++ b/roles/logstash/tasks/logstash-security.yml
@@ -1,7 +1,7 @@
 ---
 - name: Install packages for security tasks
- package:
+ ansible.builtin.package:
 name:
 - unzip
 - python3-cryptography
@@ -386,7 +386,7 @@
 - name: Create logstash password hash salt
 ansible.builtin.copy:
- content: "{{ lookup('password', '/dev/null', chars=['ascii_lowercase', 'digits'], length=logstash_password_hash_salt_length, seed=logstash_password_hash_salt_seed)}}"
+ content: "{{ lookup('password', '/dev/null', chars=['ascii_lowercase', 'digits'], length=logstash_password_hash_salt_length, seed=logstash_password_hash_salt_seed) }}"
 dest: /root/logstash_password_hash_salt
 owner: root
 group: root