diff --git a/GIDs b/GIDs index bf6db93..6730192 100644 --- a/GIDs +++ b/GIDs @@ -1,11 +1,12 @@ 827 chaton-dev 828 deployment 829 nasqueron-irc +835 opensearch 3001 ops #3002 is intentionally left unassigned 3003 deployment 3004 mediawiki 3005 nasquenautes 9001 salt 9002 deploy 9003 web diff --git a/UIDs b/UIDs index f6f670f..78d7260 100644 --- a/UIDs +++ b/UIDs @@ -1,9 +1,10 @@ 830 odderon 831 builder 832 chaton 833 viper 834 tc2 +835 opensearch 3004 mediawiki 9001 salt 9002 deploy 8900 zr diff --git a/_modules/opensearch.py b/_modules/opensearch.py new file mode 100644 index 0000000..d0242bf --- /dev/null +++ b/_modules/opensearch.py @@ -0,0 +1,105 @@ +# -*- coding: utf-8 -*- + +# ------------------------------------------------------------- +# Salt — PaaS OpenSearch execution module +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# Description: Functions related to OpenSearch configuration +# License: BSD-2-Clause +# ------------------------------------------------------------- + + +from salt.exceptions import CommandExecutionError, SaltCloudConfigError + + +def get_config(nodename=None): + """ + A function to get relevant values for OpenSearch configuration. + + CLI Example: + + salt * opensearch.get_config + """ + if nodename is None: + nodename = __grains__['id'] + + try: + clusters = __pillar__['opensearch_clusters'] + except KeyError: + clusters = [] + + for _, cluster in clusters.items(): + if nodename in cluster['nodes']: + return _expand_cluster_config(nodename, cluster) + + raise CommandExecutionError( + SaltCloudConfigError( + "Node {0} not declared in pillar opensearch_clusters.".format(nodename) + ) + ) + + +def _expand_cluster_config(nodename, config): + config = dict(config) + nodes = _convert_to_ip(config["nodes"]) + + config.update({ + "nodes": nodes, + "nodes_certificates": _get_nodes_info(config["nodes"]), + "node_name": nodename, + "network_host": _get_ip(nodename), + "lead_nodes": nodes, + }) + + return config + + +def _convert_to_ip(ids): + return [_get_ip(id) for id in ids] + + +def _get_ip(nodename): + try: + network = __pillar__['nodes'][nodename]['network'] + except KeyError: + raise CommandExecutionError( + SaltCloudConfigError( + "Node {0} not declared in pillar nodes.".format(nodename) + ) + ) + + for field in ['ipv4_address', 'ipv6_address']: + if field in network: + return network[field] + + +def _get_nodes_info(ids): + return [_get_node_info(id) for id in ids] + + +def _get_node_info(nodename): + return { + "id": nodename, + "fqdn": __pillar__['nodes'][nodename]['hostname'], + "ip": _get_ip(nodename), + } + + +def hash_password(clear_password): + command = "/opt/opensearch/plugins/opensearch-security/tools/hash.sh -p '{0}'".format(clear_password) + env = { + "JAVA_HOME": "/opt/opensearch/jdk", + } + + return __salt__['cmd.shell'](command, env=env) + + +def list_certificates(nodename=None): + config = get_config(nodename=None) + + certificates = ['admin', 'root-ca'] + + for node in config["nodes_certificates"]: + certificates.extend([node['id'], node['id'] + '_http']) + + return certificates diff --git a/pillar/credentials/zr.sls b/pillar/credentials/zr.sls index 7a15e4b..b4c8b5c 100644 --- a/pillar/credentials/zr.sls +++ b/pillar/credentials/zr.sls @@ -1,115 +1,128 @@ # ------------------------------------------------------------- # Salt configuration for Nasqueron servers # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # Created: 2018-09-12 # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- # ------------------------------------------------------------- # Zemke-Rhyne credentials # # Map K on DevCentral with hierarchical keys # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - zr_credentials: # # Credentials used by Nasqueron services # nasqueron: # login.nasqueron.org auth-grove: mysql: 67 # status.nasqueron.org cachet: mysql: 47 app_key: 126 # pad.nasqueron.org etherpad: # This API key is used by Wolfplex API to access to the pad lists api: 125 # notifications.nasqueron.org notifications: broker: 56 mailgun: 82 sentry: 141 + # OpenSearch clusters + opensearch: + infra-logs: + internal_users: + admin: 163 + dashboards: 164 + # photos.nasqueron.org pixelfed: mysql: 142 app_key: 143 mailgun: 145 # sentry.nasqueron.org sentry: postgresql: 139 app_key: 140 # # Credentials used by Nasqueron members private services # dereckson: # River Sector phabricator: mysql: 133 # # Credentials used by Espace Win services # espacewin: # bugzilla.espace-win.org bugzilla: mysql: 131 # # Credentials used by Wolfplex services # wolfplex: # phabricator.wolfplex.be phabricator: mysql: 135 mailgun: 138 # # Credentials used by Zed services # zed: # code.zed.dereckson.be phabricator: mysql: 134 sendgrid: 45 # ------------------------------------------------------------- # Zemke-Rhyne clients # # This section should list all the Docker engines server # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - zr_clients: - key: 2 allowedConnectionFrom: - 172.27.26.49 - dwellers.nasqueron.drake - dwellers.nasqueron.org restrictCommand: comment: Zemke-Rhyne + - key: 162 + allowedConnectionFrom: + - cloudhugger.nasqueron.org + restrictCommand: + comment: Zemke-Rhyne + - key: 152 allowedConnectionFrom: - docker-001.nasqueron.org restrictCommand: comment: Zemke-Rhyne diff --git a/pillar/nodes/nodes.sls b/pillar/nodes/nodes.sls index e78b132..aa2b2bc 100644 --- a/pillar/nodes/nodes.sls +++ b/pillar/nodes/nodes.sls @@ -1,152 +1,152 @@ # ------------------------------------------------------------- # Salt — Nodes # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # Created: 2017-10-20 # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- nodes: ## ## Forest: Nasqueron ## Semantic field: https://devcentral.nasqueron.org/P27 ## cloudhugger: forest: nasqueron-infra hostname: cloudhugger.nasqueron.org roles: - - paas-kubernetes + - opensearch network: ipv4_interface: eno1 ipv4_address: 188.165.200.229 ipv4_gateway: 188.165.200.254 ipv6_interface: eno1 ipv6_address: fe80::ec4:7aff:fe6a:36e8 ipv6_gateway: fe80::ee30:91ff:fee0:df80 ipv6_prefix: 64 ipv6_native: True ipv6_tunnel: False dwellers: forest: nasqueron-infra hostname: dwellers.nasqueron.org roles: - paas-lxc - paas-docker - mastodon flags: install_docker_devel_tools: True network: ipv4_address: 51.255.124.11 ipv4_gateway: 91.121.86.254 ipv6_tunnel: True docker-001: forest: nasqueron-infra hostname: docker-001.nasqueron.org roles: - paas-docker network: ipv4_address: 51.255.124.9 ipv4_gateway: 91.121.86.254 ipv6_tunnel: False equatower: forest: nasqueron-infra hostname: equatower.nasqueron.org roles: - paas-docker network: ipv4_address: 51.255.124.10 ipv4_gateway: 91.121.86.254 ipv6_tunnel: True router-001: forest: nasqueron-infra hostname: router-001.nasqueron.org roles: - router network: ipv4_interface: vmx0 ipv4_address: 51.255.124.8 ipv4_netmask: 255.255.255.255 ipv4_gateway: 91.121.86.254 ipv4_ovh_failover: True private_interface: vmx1 private_address: 172.27.27.1 private_netmask: 255.255.255.0 ipv6_tunnel: False ysul: forest: nasqueron-dev hostname: ysul.nasqueron.org roles: - devserver - saltmaster - dbserver-mysql - webserver-legacy zfs: pool: arcology network: ipv4_interface: igb0 ipv4_address: 163.172.49.16 ipv4_gateway: 163.172.49.1 ipv4_aliases: - 212.83.187.132 ipv6_tunnel: True ipv6_gateway: 2001:470:1f12:9e1::1 windriver: forest: nasqueron-dev hostname: windriver.nasqueron.org roles: - devserver - saltmaster - dbserver-mysql - webserver-legacy zfs: pool: arcology network: ipv4_interface: igb0 ipv4_address: 51.159.18.59 ipv4_gateway: 51.159.18.1 ipv6_interface: igb0 ipv6_address: 2001:0bc8:6005:0005:aa1e:84ff:fef3:5d9c ipv6_gateway: fe80::a293:51ff:feb7:5073 ipv6_prefix: 128 ipv6_native: True ipv6_tunnel: False ## ## Forest: Eglide ## Semantic field: ? (P27 used for "Eglide" too) ## ## This forest is intended to separate credentials ## between Eglide and Nasqueron servers. ## eglide: forest: eglide hostname: eglide.org roles: - shellserver network: ipv4_interface: ens2 ipv4_address: 51.159.150.221 ipv4_gateway: "" ipv6_tunnel: True fixes: rsyslog_xconsole: True diff --git a/pillar/opensearch/clusters.sls b/pillar/opensearch/clusters.sls new file mode 100644 index 0000000..f3c803d --- /dev/null +++ b/pillar/opensearch/clusters.sls @@ -0,0 +1,18 @@ +# +# Currently, declare OpenSearch clusters as single-node, per machine. +# + +opensearch_clusters: + + # + # Infrastructure: logs and metrics + # + + infra_logs: + cluster_name: infra-logs + cluster_type: single-node + nodes: + - cloudhugger + users: + admin: nasqueron.opensearch.infra-logs.internal_users.admin + dashboards: nasqueron.opensearch.infra-logs.internal_users.dashboards diff --git a/pillar/opensearch/software.sls b/pillar/opensearch/software.sls new file mode 100644 index 0000000..be03a8d --- /dev/null +++ b/pillar/opensearch/software.sls @@ -0,0 +1,19 @@ +# ------------------------------------------------------------- +# Current versions for Linux x64 +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +opensearch_products: + opensearch: + version: 1.2.3 + hash: a594ac2808e6e476d647e47e45e837fba3e21671285ce39b2cee1c32d5e6887d + + opensearch-dashboards: + version: 1.2.0 + hash: 14623798e61be6913e2a218d6ba3e308e5036359d7bda58482ad2f1340aa3c85 + +# ------------------------------------------------------------- +# Cleanup legacy versions +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +opensearch_legacy_products: + opensearch: [] diff --git a/pillar/top.sls b/pillar/top.sls index c8225ad..5eb03be 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -1,57 +1,60 @@ # ------------------------------------------------------------- # Salt configuration for Nasqueron servers # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # Created: 2016-04-10 # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- base: '*': - core.users - core.groups - core.network - certificates.certificates - nodes.nodes - nodes.forests - hotfixes.roles - webserver.sites - cloudhugger: [] + cloudhugger: + - credentials.zr + - opensearch.software + - opensearch.clusters docker-001: - credentials.zr - paas.docker - saas.jenkins - saas.phpbb - saas.sentry dwellers: - credentials.zr - paas.docker - saas.sentry eglide: - shellserver.quassel equatower: - credentials.zr - paas.docker - saas.jenkins - saas.phpbb - saas.sentry ysul: - devserver.repos - credentials.zr - saas.mediawiki - viperserv.bots - viperserv.fantoir - webserver.labs - webserver.wwwroot51 windriver: - devserver.ports - devserver.repos - webserver.labs - webserver.wwwroot51 diff --git a/roles/opensearch/init.sls b/roles/opensearch/init.sls new file mode 100644 index 0000000..6025408 --- /dev/null +++ b/roles/opensearch/init.sls @@ -0,0 +1,9 @@ +# ------------------------------------------------------------- +# Salt — Provision OpenSearch +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# License: Trivial work, not eligible to copyright +# ------------------------------------------------------------- + +include: + - .opensearch diff --git a/roles/opensearch/opensearch/config.sls b/roles/opensearch/opensearch/config.sls new file mode 100644 index 0000000..4d12106 --- /dev/null +++ b/roles/opensearch/opensearch/config.sls @@ -0,0 +1,104 @@ +# ------------------------------------------------------------- +# Salt — Provision OpenSearch +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# ------------------------------------------------------------- + +{% set config = salt['opensearch.get_config']() %} + +# ------------------------------------------------------------- +# OpenSearch +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +/opt/opensearch/config/opensearch.yml: + file.managed: + - source: salt://roles/opensearch/opensearch/files/opensearch.conf + - user: opensearch + - group: opensearch + - template: jinja + - context: + config: {{ config }} + +# ------------------------------------------------------------- +# TLS certificates +# +# This method is based on OpenSearch Ansible playbook to +# generate self-signed certificates for node to node (transport) +# communication, and for the rest API. +# +# The certificates are generated by Search Guard Offline TLS Tool. +# +# This should only run on one node, then provisioned everywhere. +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +/usr/local/dl/search-guard-tlstool.zip: + file.managed: + - source: https://maven.search-guard.com/search-guard-tlstool/1.8/search-guard-tlstool-1.8.zip + - source_hash: f59f963c7ee28d557849ccde297660a3c593a6bf3531d7852fb9ab8b4fc7597e + +/opt/tlstool: + archive.extracted: + - source: /usr/local/dl/search-guard-tlstool.zip + - enforce_toplevel: False + - user: opensearch + - group: opensearch + +/opt/tlstool/config/tlsconfig.yml: + file.managed: + - source: salt://roles/opensearch/opensearch/files/tlsconfig.yml.jinja + - template: jinja + - context: + config: {{ config }} + domain_name: {{ grains['domain'] }} + node_full_domain_name: {{ grains['fqdn'] }} + +opensearch_generate_certificates: + cmd.run: + - name: /opt/tlstool/tools/sgtlstool.sh -c /opt/tlstool/config/tlsconfig.yml -ca -crt -t /opt/tlstool/config/ + - env: + JAVA_HOME: /opt/opensearch/jdk + - creates: /opt/tlstool/config/root-ca.pem + +{% for certificate in salt['opensearch.list_certificates']() %} + +opensearch_deploy_certificate_{{ certificate }}: + cmd.run: + - name: install --mode=0600 --owner=opensearch {{ certificate }}.pem {{ certificate }}.key /opt/opensearch/config + - cwd: /opt/tlstool/config + - creates: /opt/opensearch/config/{{ certificate }}.pem + +{% endfor %} + +# ------------------------------------------------------------- +# Security plugin +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +/opt/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml: + file.managed: + - source: salt://roles/opensearch/opensearch/files/internal_users.yml.jinja + - user: opensearch + - group: opensearch + - template: jinja + - context: + users: + {% for user, credential in config['users'].items() %} + {{ user }}: + username: {{ salt['zr.get_username'](credential) }} + password: {{ salt['zr.get_password'](credential) }} + {% endfor %} + +opensearch_security_initialize: + cmd.run: + - name: > + bash /opt/opensearch/plugins/opensearch-security/tools/securityadmin.sh + -cacert /opt/opensearch/config/root-ca.pem + -cert /opt/opensearch/config/admin.pem + -key /opt/opensearch/config/admin.key + -f /opt/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml + -nhnv -icl + -h {{ config['network_host'] }} + + touch /opt/opensearch/plugins/opensearch-security/securityconfig/.initialized + - env: + JAVA_HOME: /opt/opensearch/jdk + - creates: /opt/opensearch/plugins/opensearch-security/securityconfig/.initialized diff --git a/roles/opensearch/opensearch/files/account.conf b/roles/opensearch/opensearch/files/account.conf new file mode 100644 index 0000000..0ee9058 --- /dev/null +++ b/roles/opensearch/opensearch/files/account.conf @@ -0,0 +1 @@ +{{ username }}:{{ password }} diff --git a/roles/opensearch/opensearch/files/es-query.sh.jinja b/roles/opensearch/opensearch/files/es-query.sh.jinja new file mode 100644 index 0000000..0a30774 --- /dev/null +++ b/roles/opensearch/opensearch/files/es-query.sh.jinja @@ -0,0 +1,23 @@ +#!/bin/sh + +# ------------------------------------------------------------- +# OpenSearch wrapper +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# License: Trivial work, not eligible to copyright +# Source file: roles/opensearch/opensearch/files/es-query.sh.jinja +# ------------------------------------------------------------- +# +# +# This file is managed by our rOPS SaltStack repository. +# +# Changes to this file may cause incorrect behavior +# and will be lost if the state is redeployed. +# + +OPENSEARCH_ACCOUNT=$(cat $HOME/.opensearch-account) + +COMMAND=$1 +shift + +curl {{ url }}/$COMMAND -u $OPENSEARCH_ACCOUNT -k "$@" diff --git a/roles/opensearch/opensearch/files/internal_users.yml.jinja b/roles/opensearch/opensearch/files/internal_users.yml.jinja new file mode 100644 index 0000000..1139eb5 --- /dev/null +++ b/roles/opensearch/opensearch/files/internal_users.yml.jinja @@ -0,0 +1,38 @@ +# ------------------------------------------------------------- +# OpenSearch configuration +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# License: Trivial work, not eligible to copyright +# Source file: roles/opensearch/opensearch/files/internal_users.yml.jinja +# ------------------------------------------------------------- +# +# +# This file is managed by our rOPS SaltStack repository. +# +# Changes to this file may cause incorrect behavior +# and will be lost if the state is redeployed. +# + +_meta: + type: "internalusers" + config_version: 2 + +# ------------------------------------------------------------- +# Reserved users to ensure access continuity +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +{{ users['admin']['username'] }}: + hash: {{ salt['opensearch.hash_password'](users['admin']['password']) }} + reserved: true + backend_roles: + - "admin" + description: "Alternative admin user" + +# ------------------------------------------------------------- +# Dashboards (formerly Kibana) +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +{{ users['dashboards']['username'] }}: + hash: {{ salt['opensearch.hash_password'](users['dashboards']['password']) }} + reserved: true + description: "Dashboards to OpenSearch machine user" diff --git a/roles/opensearch/opensearch/files/opensearch.conf b/roles/opensearch/opensearch/files/opensearch.conf new file mode 100644 index 0000000..4fcdb88 --- /dev/null +++ b/roles/opensearch/opensearch/files/opensearch.conf @@ -0,0 +1,40 @@ +cluster.name: {{ config['cluster_name'] }} +node.name: {{ config['node_name'] }} +network.host: {{ config['network_host'] }} +http.port: 9200 +bootstrap.memory_lock: true + +{% if config['cluster_type'] == 'single-node' %} +discovery.type: single-node +{% else %} +discovery.seed_hosts: +{% for node in config["nodes"] %} + - {{ node }} +{% endfor %} +cluster.initial_master_nodes: +{% for node in config["lead_nodes"] %} + - {{ node }} +{% endfor %} +{% endif %} + +plugins.security.allow_default_init_securityindex: true +plugins.security.audit.type: internal_opensearch +plugins.security.enable_snapshot_restore_privilege: true +plugins.security.check_snapshot_restore_write_privileges: true +plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] + +plugins.security.ssl.transport.pemcert_filepath: {{ config["node_name"] }}.pem +plugins.security.ssl.transport.pemkey_filepath: {{ config["node_name"] }}.key +plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem +plugins.security.ssl.transport.enforce_hostname_verification: false +plugins.security.ssl.transport.resolve_hostname: false +plugins.security.ssl.http.enabled: true +plugins.security.ssl.http.pemcert_filepath: {{ config["node_name"] }}_http.pem +plugins.security.ssl.http.pemkey_filepath: {{ config["node_name"] }}_http.key +plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem +plugins.security.nodes_dn: +{% for node in config["nodes_certificates"] %} +- CN={{ node["fqdn"] }},OU=Infrastructure,DC=nasqueron,DC=org +{% endfor %} +plugins.security.authcz.admin_dn: +- CN=admin.infra-logs.nasqueron.org,OU=CA,DC=nasqueron,DC=org diff --git a/roles/opensearch/opensearch/files/opensearch.service b/roles/opensearch/opensearch/files/opensearch.service new file mode 100644 index 0000000..176272f --- /dev/null +++ b/roles/opensearch/opensearch/files/opensearch.service @@ -0,0 +1,34 @@ +[Unit] +Description=OpenSearch search, analytics, and visualization suite +Documentation=https://opensearch.org/docs/latest/ +After=network.target + +[Service] +RuntimeDirectory=opensearch +PrivateTmp=true + +User=opensearch +Group=opensearch + +LimitNOFILE=65536 +LimitMEMLOCK=infinity +LimitNPROC=4096 +LimitAS=infinity +LimitFSIZE=infinity + +Environment="KNN_LIB_DIR=/opt/opensearch/plugins/opensearch-knn/knnlib" +WorkingDirectory=/opt/opensearch +ExecStart=/opt/opensearch/bin/opensearch -p /opt/opensearch/opensearch.pid -q + +StandardOutput=journal +StandardError=inherit + +# To shutdown: send SIGTERM signal to JVM, success if exit code 143 +TimeoutStopSec=0 +KillSignal=SIGTERM +KillMode=process +SendSIGKILL=no +SuccessExitStatus=143 + +[Install] +WantedBy=multi-user.target diff --git a/roles/opensearch/opensearch/files/tlsconfig.yml.jinja b/roles/opensearch/opensearch/files/tlsconfig.yml.jinja new file mode 100644 index 0000000..45a5f1a --- /dev/null +++ b/roles/opensearch/opensearch/files/tlsconfig.yml.jinja @@ -0,0 +1,55 @@ +# ------------------------------------------------------------- +# OpenSearch configuration +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# License: Trivial work, not eligible to copyright +# Source file: roles/opensearch/opensearch/files/tlsconfig.yml.jinja +# ------------------------------------------------------------- +# +# +# This file is managed by our rOPS SaltStack repository. +# +# Changes to this file may cause incorrect behavior +# and will be lost if the state is redeployed. +# + +# ------------------------------------------------------------- +# CA +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +ca: + root: + dn: CN=root.ca-{{ config['cluster_name'] }}.{{ domain_name }},OU=CA,DC=nasqueron,DC=org + keysize: 2048 + validityDays: 730 + pkPassword: none + file: root-ca.pem + +defaults: + validityDays: 730 + pkPassword: none + httpsEnabled: true + reuseTransportCertificatesForHttp: false + verifyHostnames: false + resolveHostnames: false + +# ------------------------------------------------------------- +# Nodes +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +nodes: +{% for node in config['nodes_certificates'] %} + - name: {{ node['id'] }} + dn: CN={{ node['fqdn'] }},OU=Infrastructure,DC=nasqueron,DC=org + dns: {{ node['fqdn'] }} + ip: {{ node['ip'] }} +{% endfor %} + +# ------------------------------------------------------------- +# Clients +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +clients: + - name: admin + dn: CN=admin.{{ config['cluster_name'] }}.{{ domain_name }},OU=CA,DC=nasqueron,DC=org + admin: True diff --git a/roles/opensearch/opensearch/init.sls b/roles/opensearch/opensearch/init.sls new file mode 100644 index 0000000..1a7b94d --- /dev/null +++ b/roles/opensearch/opensearch/init.sls @@ -0,0 +1,13 @@ +# ------------------------------------------------------------- +# Salt — Provision OpenSearch +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# License: Trivial work, not eligible to copyright +# ------------------------------------------------------------- + +include: + - .kernel + - .software + - .config + - .service + - .wrapper diff --git a/roles/opensearch/opensearch/kernel.sls b/roles/opensearch/opensearch/kernel.sls new file mode 100644 index 0000000..6ba3a5e --- /dev/null +++ b/roles/opensearch/opensearch/kernel.sls @@ -0,0 +1,20 @@ +# ------------------------------------------------------------- +# Salt — Provision OpenSearch +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# License: Trivial work, not eligible to copyright +# ------------------------------------------------------------- + +# ------------------------------------------------------------- +# Virtual memory +# +# https://opensearch.org/docs/latest/opensearch/install/important-settings/ +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +{% if grains['kernel'] == 'Linux' %} + +vm.max_map_count: + sysctl.present: + - value: 262144 + +{% endif %} diff --git a/roles/opensearch/opensearch/service.sls b/roles/opensearch/opensearch/service.sls new file mode 100644 index 0000000..c3a0b92 --- /dev/null +++ b/roles/opensearch/opensearch/service.sls @@ -0,0 +1,31 @@ +# ------------------------------------------------------------- +# Salt — Provision OpenSearch +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# License: Trivial work, not eligible to copyright +# ------------------------------------------------------------- + +# ------------------------------------------------------------- +# systemd +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +{% from "map.jinja" import services with context %} + +# ------------------------------------------------------------- +# Unit configuration +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +{% if services['manager'] == 'systemd' %} + +opensearch_unit: + file.managed: + - name: /etc/systemd/system/opensearch.service + - source: salt://roles/opensearch/opensearch/files/opensearch.service + - mode: 0644 + service.running: + - name: opensearch + - enable: true + - watch: + - file: opensearch_unit + +{% endif %} diff --git a/roles/opensearch/opensearch/software.sls b/roles/opensearch/opensearch/software.sls new file mode 100644 index 0000000..a99fcaa --- /dev/null +++ b/roles/opensearch/opensearch/software.sls @@ -0,0 +1,76 @@ +# ------------------------------------------------------------- +# Salt — Provision OpenSearch +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# License: Trivial work, not eligible to copyright +# ------------------------------------------------------------- + +{% from "map.jinja" import shells with context %} + +# ------------------------------------------------------------- +# User account +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +opensearch_group: + group.present: + - name: opensearch + - gid: 835 + +opensearch_user: + user.present: + - name: opensearch + - fullname: OpenSearch + - uid: 835 + - gid: opensearch + - home: /opt/opensearch + - shell: {{ shells['bash'] }} + +# ------------------------------------------------------------- +# Download and extract tarballs +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +/usr/local/dl: + file.directory + +{% if grains['kernel'] == 'Linux' and grains['cpuarch'] == 'x86_64' %} +{% for product, info in pillar['opensearch_products'].items() %} + +{% set distname = product + "-" + info['version'] %} + +/usr/local/dl/{{ distname }}.tar.gz: + file.managed: + - source: https://artifacts.opensearch.org/releases/bundle/{{ product }}/{{ info['version'] }}/{{ distname }}-linux-x64.tar.gz + - source_hash: {{ info['hash'] }} + +/opt/{{ product }}: + file.directory: + - user: opensearch + - group: opensearch + +extract_opensearch_{{ product }}: + archive.extracted: + - name: /opt/{{ product }} + - source: /usr/local/dl/{{ distname }}.tar.gz + - user: opensearch + - group: opensearch + - overwrite: True + - enforce_toplevel: False + - options: --strip 1 + - onchanges: + - file: /usr/local/dl/{{ distname }}.tar.gz + +{% endfor %} +{% endif %} + +# ------------------------------------------------------------- +# Cleanup legacy versions +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +{% for product, versions in pillar['opensearch_legacy_products'].items() %} +{% for version in versions %} + +/usr/local/dl/{{ product }}-{{ version }}.tar.gz: + file.absent + +{% endfor %} +{% endfor %} diff --git a/roles/opensearch/opensearch/wrapper.sls b/roles/opensearch/opensearch/wrapper.sls new file mode 100644 index 0000000..01fc616 --- /dev/null +++ b/roles/opensearch/opensearch/wrapper.sls @@ -0,0 +1,32 @@ +# ------------------------------------------------------------- +# Salt — Provision OpenSearch +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# License: Trivial work, not eligible to copyright +# ------------------------------------------------------------- + +{% set config = salt['opensearch.get_config']() %} + +# ------------------------------------------------------------- +# Wrapper for curl +# Admin client for OpenSearch +# +# https://opensearch.org/docs/latest/opensearch/install/important-settings/ +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +/usr/local/bin/es-query: + file.managed: + - source: salt://roles/opensearch/opensearch/files/es-query.sh.jinja + - mode: 0755 + - template: jinja + - context: + url: https://{{ config['network_host'] }}:9200 + +/root/.opensearch-account: + file.managed: + - source: salt://roles/opensearch/opensearch/files/account.conf + - mode: 0600 + - template: jinja + - context: + username: {{ salt['zr.get_username'](config['users']['admin']) }} + password: {{ salt['zr.get_password'](config['users']['admin']) }} diff --git a/top.sls b/top.sls index a5f93da..f5f54c8 100644 --- a/top.sls +++ b/top.sls @@ -1,41 +1,41 @@ # ------------------------------------------------------------- # Salt configuration for Nasqueron servers # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # Created: 2016-04-10 # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- base: '*': - roles/core - roles/webserver-content 'local': - roles/saltmaster 'ysul': - roles/builder - roles/dbserver-mysql - roles/devserver - roles/viperserv - roles/webserver-core - roles/webserver-legacy - roles/webserver-varnish 'windriver': - roles/builder - roles/dbserver-mysql - roles/dbserver-pgsql - roles/devserver - roles/webserver-core - roles/webserver-legacy 'cloudhugger': - - roles/paas-kubernetes + - roles/opensearch 'docker-001': - roles/paas-docker 'dwellers': - roles/paas-docker/docker - roles/paas-lxc/lxc 'eglide': - roles/webserver-core - roles/shellserver 'equatower': - roles/paas-docker