Add ability to disable fleet

elastic-container.sh

@@ -33,7 +33,7 @@ passphrase_reset() {
 # Create the script usage menu
 usage() {
   cat <<EOF | sed -e 's/^  //'
-  usage: ./elastic-container.sh [-v] (stage|start|stop|restart|status|help)
+  usage: ./elastic-container.sh [-v|-n] (stage|start|stop|restart|status|help)
   actions:
     stage     downloads all necessary images to local storage
     start     creates a container network and starts containers
@@ -45,6 +45,7 @@ usage() {
     help      print this message
   flags:
     -v        enable verbose output
+    -n        disable fleet
 EOF
 }
 
@@ -179,16 +180,21 @@ clear_documents() {
 OPTIND=1 # Reset in case getopts has been used previously in the shell.
 
 verbose=0
+fleet=1
 
-while getopts "v" opt; do
+while getopts ":vn" opt; do
   case "$opt" in
   v)
     verbose=1
     ;;
+  n)
+    fleet=0
+    ;;
   *) ;;
   esac
 done
 
+
 shift $((OPTIND - 1))
 
 [ "${1:-}" = "--" ] && shift
@@ -210,6 +216,11 @@ else
   exit 2
 fi
 
+if [ $fleet -eq 0 ]; then
+  COMPOSE_STRING=" --file no-fleet-docker-compose.yml"
+else
+  COMPOSE_STRING=" --file docker-compose.yml"
+fi
 case "${ACTION}" in
 
 "stage")
@@ -225,19 +236,26 @@ case "${ACTION}" in
   get_host_ip
 
   echo "Starting Elastic Stack network and containers."
-
-  ${COMPOSE} up -d --no-deps 
+  
+  ${COMPOSE} ${COMPOSE_STRING} up -d --no-deps
 
   configure_kbn 1>&2 2>&3
 
-  echo "Waiting 40 seconds for Fleet Server setup."
-  echo
+  if [ $fleet -eq 0 ]; then
+
+    echo "Not waiting 40 seconds for Fleet Server setup. It is not used."
+    echo
 
-  sleep 40
+  else
+    echo "Waiting 40 seconds for Fleet Server setup."
+    echo
 
-  echo "Populating Fleet Settings."
-  set_fleet_values > /dev/null 2>&1
-  echo
+    sleep 40
+
+    echo "Populating Fleet Settings."
+    set_fleet_values > /dev/null 2>&1
+    echo
+  fi
 
   echo "READY SET GO!"
   echo
@@ -247,17 +265,19 @@ case "${ACTION}" in
   echo
   ;;
 
+
+
 "stop")
   echo "Stopping running containers."
 
-  ${COMPOSE} stop 
+  ${COMPOSE} ${COMPOSE_STRING} stop 
   ;;
 
 "destroy")
   echo "#####"
   echo "Stopping and removing the containers, network, and volumes created."
   echo "#####"
-  ${COMPOSE} down -v
+  ${COMPOSE} ${COMPOSE_STRING} down -v
   ;;
 
 "restart")
@@ -268,7 +288,7 @@ case "${ACTION}" in
   ;;
 
 "status")
-  ${COMPOSE} ps | grep -v setup
+  ${COMPOSE} ${COMPOSE_STRING} ps | grep -v setup
   ;;
 
 "clear")

no-fleet-docker-compose.yml

@@ -0,0 +1,146 @@
+services:
+  setup:
+    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
+    container_name: ecp-elasticsearch-security-setup
+    volumes:
+      - certs:/usr/share/elasticsearch/config/certs:z
+    user: "0"
+    command: >
+      bash -c '
+        if [ x${ELASTIC_PASSWORD} == x ]; then
+          echo "Set the ELASTIC_PASSWORD environment variable in the .env file";
+          exit 1;
+        elif [ x${KIBANA_PASSWORD} == x ]; then
+          echo "Set the KIBANA_PASSWORD environment variable in the .env file";
+          exit 1;
+        fi;
+        if [ ! -f certs/ca.zip ]; then
+          echo "Creating CA";
+          bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;
+          unzip config/certs/ca.zip -d config/certs;
+        fi;
+        if [ ! -f certs/certs.zip ]; then
+          echo "Creating certs";
+          echo -ne \
+          "instances:\n"\
+          "  - name: elasticsearch\n"\
+          "    dns:\n"\
+          "      - ecp-elasticsearch\n"\
+          "      - localhost\n"\
+          "    ip:\n"\
+          "      - 127.0.0.1\n"\
+          "  - name: kibana\n"\
+          "    dns:\n"\
+          "      - ecp-kibana\n"\
+          "      - localhost\n"\
+          "    ip:\n"\
+          "      - 127.0.0.1\n"\
+          > config/certs/instances.yml;
+          bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
+          unzip config/certs/certs.zip -d config/certs;
+          cat config/certs/elasticsearch/elasticsearch.crt config/certs/ca/ca.crt > config/certs/elasticsearch/elasticsearch.chain.pem
+        fi;
+        echo "Setting file permissions"
+        chown -R root:root config/certs;
+        find . -type d -exec chmod 750 \{\} \;;
+        find . -type f -exec chmod 640 \{\} \;;
+        echo "Waiting for Elasticsearch availability";
+        until curl -s --cacert config/certs/ca/ca.crt https://ecp-elasticsearch:9200 | grep -q "missing authentication credentials"; do sleep 30; done;
+        echo "Setting kibana_system password";
+        until curl -s -X POST --cacert config/certs/ca/ca.crt -u elastic:${ELASTIC_PASSWORD} -H "Content-Type: application/json" https://ecp-elasticsearch:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done;
+        echo "All done!";
+      '
+    healthcheck:
+      test: ["CMD-SHELL", "[ -f config/certs/elasticsearch/elasticsearch.crt ]"]
+      interval: 1s
+      timeout: 5s
+      retries: 120
+
+  elasticsearch:
+    depends_on:
+      setup:
+        condition: service_healthy
+    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
+    container_name: ecp-elasticsearch
+    volumes:
+      - certs:/usr/share/elasticsearch/config/certs
+      - esdata01:/usr/share/elasticsearch/data
+    ports:
+      - ${ES_PORT}:9200
+    restart: always
+    environment:
+      - node.name=ecp-elasticsearch
+      - cluster.name=${CLUSTER_NAME}
+      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
+      - bootstrap.memory_lock=true
+      - discovery.type=single-node
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.key=certs/elasticsearch/elasticsearch.key
+      - xpack.security.http.ssl.certificate=certs/elasticsearch/elasticsearch.chain.pem
+      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
+      - xpack.security.http.ssl.verification_mode=certificate
+      - xpack.security.http.ssl.client_authentication=optional
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.key=certs/elasticsearch/elasticsearch.key
+      - xpack.security.transport.ssl.certificate=certs/elasticsearch/elasticsearch.crt
+      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.security.transport.ssl.client_authentication=optional
+      - xpack.license.self_generated.type=${LICENSE}
+    mem_limit: ${MEM_LIMIT}
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",
+        ]
+      interval: 10s
+      timeout: 10s
+      retries: 120
+
+  kibana:
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    image: docker.elastic.co/kibana/kibana:${STACK_VERSION}
+    container_name: ecp-kibana
+    volumes:
+      - certs:/usr/share/kibana/config/certs:z
+      - kibanadata:/usr/share/kibana/data
+      - ./kibana.yml:/usr/share/kibana/config/kibana.yml:Z
+    ports:
+      - ${KIBANA_PORT}:5601
+    restart: always
+    environment:
+      - SERVER_NAME=ecp-kibana
+      - ELASTICSEARCH_HOSTS=https://ecp-elasticsearch:9200
+      - ELASTICSEARCH_USERNAME=kibana_system
+      - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
+      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
+      - SERVER_SSL_ENABLED=true
+      - SERVER_SSL_CERTIFICATE=config/certs/kibana/kibana.crt
+      - SERVER_SSL_KEY=config/certs/kibana/kibana.key
+      - SERVER_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
+    mem_limit: ${MEM_LIMIT}
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "curl -I -s --cacert config/certs/ca/ca.crt https://localhost:5601 | grep -q 'HTTP/1.1 302 Found'",
+        ]
+      interval: 10s
+      timeout: 10s
+      retries: 120
+
+volumes:
+  certs:
+    driver: local
+  esdata01:
+    driver: local
+  kibanadata:
+    driver: local