Merge branch 'main' into feature/aptcache-167

NETWAYS · Sep 7, 2023 · 559817a · 559817a
2 parents b6a1a51 + dc2f877
commit 559817a
Show file tree

Hide file tree

Showing 27 changed files with 347 additions and 363 deletions.
diff --git a/README.md b/README.md
@@ -35,31 +35,34 @@ collections:
 
 You will need the following Ansible collections installed
 
-* community.general (probably already present)
+* `community.general` (probably already present)
+
+You will need these packages / libraries installed. Some very basic packages like `openssl` get handled by the collection if needed. The following list contains packages and libraries which only apply to special cases or need for you to decide on the installation method.
+
+* `passlib` Python library if you do not disable password hashing for logstash user and you want to use logstash role from this collection. It should be installed with pip on the Ansible controller.
 
 You may want the following Ansible roles installed. There other ways to achieve what they are doing but using them is easy and convenient.
 
-* geerlingguy.redis
-* openssl if you want to use Elastic Security
+* `geerlingguy.redis` if you want to use logstash role
 
 ### Supported systems
 
 We test the collection on the following Linux distributions. Each one with Elastic Stack 7 and 8.
 
+* Rocky Linux 9
 * Rocky Linux 8
-* Ubuntu 20.04 LTS
 * Ubuntu 22.04 LTS
+* Ubuntu 20.04 LTS
 * Debian 11
+* Debian 10
+* CentOS 8
 
 We know from personal experience, that the collections work in following combinations. Missing tests mostly come from incompatibilties between the distribution and our testing environment, not from problems with the collection itself.
 
 * CentOS 7 - Elastic Stack 7
 
 ### Known Issues
 
-There are known issues with the following Linux distributions.
-
-* Rocky Linux 9: The GnuPG key used by Elastic seems to be incompatible with this version of Rocky.
 
 ## Usage
 

diff --git a/docs/role-beats.md b/docs/role-beats.md
@@ -10,7 +10,6 @@ Requirements
 
 You need to have the beats you want to install available in your software repositories. We provide a [role](./role-repos.md) for just that but if you have other ways of managing software, just make sure it's available. Alternatively you can install the Beats yourself.
 
-* `cryptography` >= 2.5 
 * `community.crypto` collection: ansible-galaxy collection install community.crypto
 
 Role Variables
@@ -87,7 +86,6 @@ beats_filebeat_journald_inputs:
 * *beats_loglevel*: Level of logging (for all beats) (Default: `info`)
 * *beats_logpath*: If logging to file, where to put logfiles (Default: `/var/log/beats`)
 * *beats_fields*: Fields that are added to every input in the configuration
-* *beats_manage_unzip*: Install `unzip` via package manager (Default: `true`)
 
 The following variables only apply if you use this role together with our other Elastic Stack roles.
 

diff --git a/docs/role-elasticsearch.md b/docs/role-elasticsearch.md
@@ -9,11 +9,6 @@ If you use the role to set up security you, can use its CA to create certificate
 
 Please note that setting `elasticsearch_bootstrap_pw` as variable will only take effect when initialising Elasticsearch. Changes after starting elasticsearch for the first time will not change the bootstrap password for the instance and will lead to breaking tests.
 
-Requirements
-------------
-
-* `cryptography` >= 2.5
-
 Role Variables
 --------------
 

diff --git a/docs/role-kibana.md b/docs/role-kibana.md
@@ -5,11 +5,6 @@ Ansible Role: Kibana
 
 This roles installs and configures Kibana.
 
-Requirements
-------------
-
-* `cryptography` >= 2.5
-
 Role Variables
 --------------
 

diff --git a/docs/role-logstash.md b/docs/role-logstash.md
@@ -19,7 +19,10 @@ Requirements
 ------------
 
 * `community.general` collection
-* `cryptography` >= 2.5
+
+You will need these packages / libraries installed. Some very basic packages like `openssl` get handled by the collection if needed. The following list contains packages and libraries which only apply to special cases or need for you to decide on the installation method.
+
+* `passlib` Python library if you do not disable password hashing for logstash user. It should be installed with pip on the Ansible controller.
 
 You need to have the Elastic Repos configured on your system. You can use our [role](./role-repos.md)
 
@@ -69,7 +72,7 @@ Aside from `logstash.yml` we can manage Logstashs pipelines.
 * *logstash_password_hash*: Generate and use a hash from your `logstash_password` (default: `true`)
 * *logstash_password_hash_algorithm*: Password hashing algorithms. Value must be same as `xpack.security.authc.password_hashing.algorithm` (default: `bcrypt`)
 * *logstash_password_salt_length*: base64 encoded Salt character lenght. This value must be integer and must be compatible to the selected password hashing algorithms (default: `22`)
-**logstash_password_hash_salt_seed*: A seed to generate random but idempotent salt on the elasticstack ca host. The salt will be used to create idempotent logstash hashed user password (default: `SeedChangeMe`)
+* *logstash_password_hash_salt_seed*: A seed to generate random but idempotent salt on the elasticstack ca host. The salt will be used to create idempotent logstash hashed user password (default: `SeedChangeMe`)
 * *logstash_password*: Password of Elasticsearch user. It must be at least 6 characters long (default: `password`)
 * *logstash_user_indices*: Indices the user has access to (default: `'"ecs-logstash*", "logstash*", "logs*"'`)
 * *logstash_reset_writer_role*: Reset user and role with every run: (default: `true`)

diff --git a/molecule/elasticsearch_cluster-oss/molecule.yml b/molecule/elasticsearch_cluster-oss/molecule.yml
@@ -1,6 +1,8 @@
 ---
 dependency:
   name: galaxy
+  options:
+    requirements-file: requirements.yml
 driver:
   name: docker
 platforms:

diff --git a/molecule/elasticsearch_default/molecule.yml b/molecule/elasticsearch_default/molecule.yml
@@ -1,6 +1,8 @@
 ---
 dependency:
   name: galaxy
+  options:
+    requirements-file: requirements.yml
 driver:
   name: docker
 platforms:

diff --git a/molecule/elasticsearch_no-security/molecule.yml b/molecule/elasticsearch_no-security/molecule.yml
@@ -1,6 +1,8 @@
 ---
 dependency:
   name: galaxy
+  options:
+    requirements-file: requirements.yml
 driver:
   name: docker
 platforms:

diff --git a/molecule/elasticsearch_roles_calculation/molecule.yml b/molecule/elasticsearch_roles_calculation/molecule.yml
@@ -1,6 +1,8 @@
 ---
 dependency:
   name: galaxy
+  options:
+    requirements-file: requirements.yml
 driver:
   name: docker
 platforms:

diff --git a/molecule/elasticstack_default/converge.yml b/molecule/elasticstack_default/converge.yml
@@ -40,6 +40,9 @@
     - name: Include logstash
       ansible.builtin.include_role:
         name: logstash
+    - name: Include kibana
+      ansible.builtin.include_role:
+        name: kibana
     - name: Include Beats
       ansible.builtin.include_role:
         name: beats
@@ -54,9 +57,3 @@
       ansible.builtin.service:
         name: rsyslog
         state: started
-    - name: Include kibana
-      ansible.builtin.include_role:
-        name: kibana
-    - name: Include Beats
-      ansible.builtin.include_role:
-        name: beats
diff --git a/molecule/elasticstack_default/molecule.yml b/molecule/elasticstack_default/molecule.yml
@@ -1,6 +1,8 @@
 ---
 dependency:
   name: galaxy
+  options:
+    requirements-file: requirements.yml
 driver:
   name: docker
 platforms:

diff --git a/molecule/logstash_full_stack-oss/molecule.yml b/molecule/logstash_full_stack-oss/molecule.yml
@@ -1,6 +1,8 @@
 ---
 dependency:
   name: galaxy
+  options:
+    requirements-file: requirements.yml
 driver:
   name: docker
 platforms:

diff --git a/molecule/logstash_pipelines/molecule.yml b/molecule/logstash_pipelines/molecule.yml
@@ -1,6 +1,8 @@
 ---
 dependency:
   name: galaxy
+  options:
+    requirements-file: requirements.yml
 driver:
   name: docker
 platforms:

diff --git a/molecule/logstash_specific_version/molecule.yml b/molecule/logstash_specific_version/molecule.yml
@@ -1,6 +1,8 @@
 ---
 dependency:
   name: galaxy
+  options:
+    requirements-file: requirements.yml
 driver:
   name: docker
 platforms:

diff --git a/molecule/repos_default/molecule.yml b/molecule/repos_default/molecule.yml
@@ -1,6 +1,8 @@
 ---
 dependency:
   name: galaxy
+  options:
+    requirements-file: requirements.yml
 driver:
   name: docker
 platforms:

diff --git a/molecule/repos_oss/molecule.yml b/molecule/repos_oss/molecule.yml
@@ -1,6 +1,8 @@
 ---
 dependency:
   name: galaxy
+  options:
+    requirements-file: requirements.yml
 driver:
   name: docker
 platforms:

diff --git a/requirements-test.txt b/requirements-test.txt
@@ -3,4 +3,4 @@ ansible-lint
 molecule
 molecule-plugins[docker]
 pytest
-passlib
+passlib
diff --git a/roles/beats/defaults/main.yml b/roles/beats/defaults/main.yml
@@ -10,7 +10,6 @@ elasticstack_beats_port: 5044
 beats_logging: file
 beats_logpath: /var/log/beats
 beats_loglevel: info
-beats_manage_unzip: true
 
 # Use TLS without Elastic X-Pack #
 

diff --git a/roles/beats/tasks/beats-security.yml b/roles/beats/tasks/beats-security.yml
@@ -1,11 +1,15 @@
 ---
 
-- name: Install unzip for certificate handling
+- name: Install packages for security tasks
   ansible.builtin.package:
-    name: unzip
-  when: beats_manage_unzip | bool
+    name:
+      - unzip
+      - python3-cryptography
+      - openssl
   tags:
+    - certificates
     - renew_ca
+    - renew_kibana_cert
     - renew_beats_cert
 
 - name: Ensure beats certificate exists
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,4 +3,4 @@ ansible-lint @@
     molecule
     molecule-plugins[docker]
     pytest
-    passlib
+    passlib