
diff --git a/roles/opensearch/opensearch/config.sls b/roles/opensearch/opensearch/config.sls
index 4d12106..d340244 100644
--- a/roles/opensearch/opensearch/config.sls
+++ b/roles/opensearch/opensearch/config.sls
@@ -1,104 +1,70 @@
# -------------------------------------------------------------
# Salt — Provision OpenSearch
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# -------------------------------------------------------------
{% set config = salt['opensearch.get_config']() %}
# -------------------------------------------------------------
# OpenSearch
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/opt/opensearch/config/opensearch.yml:
file.managed:
- source: salt://roles/opensearch/opensearch/files/opensearch.conf
- user: opensearch
- group: opensearch
- template: jinja
- context:
config: {{ config }}
# -------------------------------------------------------------
# TLS certificates
#
# This method is based on OpenSearch Ansible playbook to
# generate self-signed certificates for node to node (transport)
# communication, and for the rest API.
#
# The certificates are generated by Search Guard Offline TLS Tool.
#
# This should only run on one node, then provisioned everywhere.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/usr/local/dl/search-guard-tlstool.zip:
file.managed:
- source: https://maven.search-guard.com/search-guard-tlstool/1.8/search-guard-tlstool-1.8.zip
- source_hash: f59f963c7ee28d557849ccde297660a3c593a6bf3531d7852fb9ab8b4fc7597e
/opt/tlstool:
archive.extracted:
- source: /usr/local/dl/search-guard-tlstool.zip
- enforce_toplevel: False
- user: opensearch
- group: opensearch
/opt/tlstool/config/tlsconfig.yml:
file.managed:
- source: salt://roles/opensearch/opensearch/files/tlsconfig.yml.jinja
- template: jinja
- context:
config: {{ config }}
domain_name: {{ grains['domain'] }}
node_full_domain_name: {{ grains['fqdn'] }}
opensearch_generate_certificates:
cmd.run:
- name: /opt/tlstool/tools/sgtlstool.sh -c /opt/tlstool/config/tlsconfig.yml -ca -crt -t /opt/tlstool/config/
- env:
JAVA_HOME: /opt/opensearch/jdk
- creates: /opt/tlstool/config/root-ca.pem
{% for certificate in salt['opensearch.list_certificates']() %}
opensearch_deploy_certificate_{{ certificate }}:
cmd.run:
- name: install --mode=0600 --owner=opensearch {{ certificate }}.pem {{ certificate }}.key /opt/opensearch/config
- cwd: /opt/tlstool/config
- creates: /opt/opensearch/config/{{ certificate }}.pem
{% endfor %}
-
-# -------------------------------------------------------------
-# Security plugin
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-/opt/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml:
- file.managed:
- - source: salt://roles/opensearch/opensearch/files/internal_users.yml.jinja
- - user: opensearch
- - group: opensearch
- - template: jinja
- - context:
- users:
- {% for user, credential in config['users'].items() %}
- {{ user }}:
- username: {{ salt['zr.get_username'](credential) }}
- password: {{ salt['zr.get_password'](credential) }}
- {% endfor %}
-
-opensearch_security_initialize:
- cmd.run:
- - name: >
- bash /opt/opensearch/plugins/opensearch-security/tools/securityadmin.sh
- -cacert /opt/opensearch/config/root-ca.pem
- -cert /opt/opensearch/config/admin.pem
- -key /opt/opensearch/config/admin.key
- -f /opt/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml
- -nhnv -icl
- -h {{ config['network_host'] }}
-
- touch /opt/opensearch/plugins/opensearch-security/securityconfig/.initialized
- - env:
- JAVA_HOME: /opt/opensearch/jdk
- - creates: /opt/opensearch/plugins/opensearch-security/securityconfig/.initialized
diff --git a/roles/opensearch/opensearch/files/security_initialize.sh b/roles/opensearch/opensearch/files/security_initialize.sh
new file mode 100755
index 0000000..49bc2d9
--- /dev/null
+++ b/roles/opensearch/opensearch/files/security_initialize.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+OPENSEARCH_HOSTNAME=$1
+ROOT=/opt/opensearch
+
+# Wait a little bit to let OpenSearch start
+sleep 5
+
+bash $ROOT/plugins/opensearch-security/tools/securityadmin.sh \
+ -cacert $ROOT/config/root-ca.pem \
+ -cert $ROOT/config/admin.pem \
+ -key $ROOT/config/admin.key \
+ -f $ROOT/plugins/opensearch-security/securityconfig/internal_users.yml \
+ -nhnv -icl \
+ -h "$OPENSEARCH_HOSTNAME"
+
+touch $ROOT/plugins/opensearch-security/securityconfig/.initialized
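Review bot: The fixed `sleep 5` is the only readiness check before securityadmin.sh connects to the node; if OpenSearch takes longer to bind, the run fails and, because `set -e` aborts before the `touch`, the state merely retries on the next highstate — a bounded poll of the REST port would make the first run reliable rather than timing-dependent. The script also does not validate its argument, so an empty `$1` is passed through as `-h ""`; `[ -n "$OPENSEARCH_HOSTNAME" ] || { echo "usage: $0 <network_host>" >&2; exit 1; }` after line 113 would catch this. `-nhnv -icl` disable hostname verification and the cluster-name check on the admin TLS connection; a comment stating why that is acceptable here (presumably because the node certificates are self-signed by the local tlstool CA, per config.sls) would keep the next maintainer from silently inheriting a weakened TLS check.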
diff --git a/roles/opensearch/opensearch/init.sls b/roles/opensearch/opensearch/init.sls
index 1a7b94d..07d4044 100644
--- a/roles/opensearch/opensearch/init.sls
+++ b/roles/opensearch/opensearch/init.sls
@@ -1,13 +1,14 @@
# -------------------------------------------------------------
# Salt — Provision OpenSearch
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .kernel
- .software
- .config
- .service
+ - .security
- .wrapper
diff --git a/roles/opensearch/opensearch/security.sls b/roles/opensearch/opensearch/security.sls
new file mode 100644
index 0000000..f38368e
--- /dev/null
+++ b/roles/opensearch/opensearch/security.sls
@@ -0,0 +1,34 @@
+# -------------------------------------------------------------
+# Salt — Provision OpenSearch
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% set config = salt['opensearch.get_config']() %}
+
+# -------------------------------------------------------------
+# Security plugin
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/opt/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml:
+ file.managed:
+ - source: salt://roles/opensearch/opensearch/files/internal_users.yml.jinja
+ - user: opensearch
+ - group: opensearch
+ - template: jinja
+ - context:
+ users:
+ {% for user, credential in config['users'].items() %}
+ {{ user }}:
+ username: {{ salt['zr.get_username'](credential) }}
+ password: {{ salt['zr.get_password'](credential) }}
+ {% endfor %}
+
+opensearch_security_initialize:
+ cmd.script:
+ - source: salt://roles/opensearch/opensearch/files/security_initialize.sh
+ - args: {{ config['network_host'] }}
+ - env:
+ JAVA_HOME: /opt/opensearch/jdk
+ - creates: /opt/opensearch/plugins/opensearch-security/securityconfig/.initialized
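Review bot: The `internal_users.yml` state renders values from `zr.get_password` into the file but sets no `show_changes: False`, so any later change to a credential shows up as a full diff in the state output and the master's job cache; add `- show_changes: False` and an explicit `- mode: "0640"` so the rendered file is not world-readable (ownership alone does not restrict its mode). `- args: {{ config['network_host'] }}` is an unquoted templated scalar; write `- args: "{{ config['network_host'] }}"` so a value with YAML-significant characters or an empty expansion cannot change the parse. `opensearch_security_initialize` has no `require` on the OpenSearch service state (defined in `.service`, not in this diff) and relies on the script's fixed sleep for ordering; an explicit requisite would make the dependency visible to Salt.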
diff --git a/roles/opensearch/opensearch/software.sls b/roles/opensearch/opensearch/software.sls
index a99fcaa..5f9afc4 100644
--- a/roles/opensearch/opensearch/software.sls
+++ b/roles/opensearch/opensearch/software.sls
@@ -1,76 +1,77 @@
# -------------------------------------------------------------
# Salt — Provision OpenSearch
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import shells with context %}
# -------------------------------------------------------------
# User account
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
opensearch_group:
group.present:
- name: opensearch
- gid: 835
opensearch_user:
user.present:
- name: opensearch
- fullname: OpenSearch
- uid: 835
- gid: opensearch
- home: /opt/opensearch
- shell: {{ shells['bash'] }}
# -------------------------------------------------------------
# Download and extract tarballs
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/usr/local/dl:
file.directory
{% if grains['kernel'] == 'Linux' and grains['cpuarch'] == 'x86_64' %}
{% for product, info in pillar['opensearch_products'].items() %}
{% set distname = product + "-" + info['version'] %}
/usr/local/dl/{{ distname }}.tar.gz:
file.managed:
- source: https://artifacts.opensearch.org/releases/bundle/{{ product }}/{{ info['version'] }}/{{ distname }}-linux-x64.tar.gz
- source_hash: {{ info['hash'] }}
/opt/{{ product }}:
file.directory:
- user: opensearch
- group: opensearch
extract_opensearch_{{ product }}:
archive.extracted:
- name: /opt/{{ product }}
- source: /usr/local/dl/{{ distname }}.tar.gz
- user: opensearch
- group: opensearch
- - overwrite: True
- enforce_toplevel: False
- options: --strip 1
- - onchanges:
- - file: /usr/local/dl/{{ distname }}.tar.gz
{% endfor %}
{% endif %}
+/opt/opensearch/plugins/opensearch-security/tools/hash.sh:
+ file.managed:
+ - mode: 0755
+
# -------------------------------------------------------------
# Cleanup legacy versions
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for product, versions in pillar['opensearch_legacy_products'].items() %}
{% for version in versions %}
/usr/local/dl/{{ product }}-{{ version }}.tar.gz:
file.absent
{% endfor %}
{% endfor %}
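Review bot: The new `file.managed` on `hash.sh` has no `source` or `contents`, so if the file is absent (plugin not yet extracted, or a bundle that lays it out differently) Salt creates an empty, executable placeholder instead of failing; `- create: False` would limit the state to setting the mode on an existing file, and `- replace: False` makes the intent explicit. `- mode: 0755` is an unquoted octal literal that YAML 1.1 parsers read as the integer 493; Salt tolerates this, but `- mode: "0755"` is the documented form and avoids the ambiguity. Dropping `onchanges` and `overwrite` from `archive.extracted` changes when re-extraction happens after a version bump; if that is intended, a short comment on `extract_opensearch_{{ product }}` saying how upgrades are now expected to re-extract would help.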
