feat(*): Update tasks to allow for a single host as CA cert source

Modify the role tasks to allow for a single host to be used for CA cert download instead of separate hosts for the sidecar and graylog CA certs. Furthermore, use ansible tempfile module instead of predictable tempdir for cert creation. Implements #2

feat(*): Update tasks to allow for a single host as CA cert source
abb71c58 · Alexander Käb · 5879fede · abb71c58 · abb71c58 · abb71c58
Commit abb71c58 authored 2 years ago by Alexander Käb
--- a/README.md
+++ b/README.md
@@ -35,11 +35,22 @@ graylog_sidecar_server_api_token:
 ## Node Certificates

 For node certificates to be generated you will need to create an additional host group
-named `sidecar-ca` with a single host, that stores the CA certificate that should be
-used for client certificate generation.
+named `sidecar-ca` with a single host (or multiple but only the first will be used),
+that stores the CA certificate that should be used for client certificate generation.

-The CA file must be available at: `/etc/graylog/sidecar/sidecar-ca.pem`
-The CA file's key must be available at: `/etc/graylog/sidecar/sidecar-ca.key`
+In addition, the CA certificate that was used to create the certificates for the Graylog
+nodes themselves must also be available to be distributed, as it is required for TLS
+communication of `filebeat` for example. Therefore, make the graylog nodes available
+via a host group called `graylog-nodes`.
+
+You may also use a completely separate host to store the CA files for Graylog and the
+Sidecar service. If this is the case, you need to set the `use_central_ca_host` variable
+to `true` and provide a host group called `ca-store`. The other groups mentioned earlier
+may be omitted.
+
+The log node CA file must be available at: `/etc/graylog/graylog-ca.pem`
+The sidecar CA file must be available at: `/etc/graylog/sidecar/sidecar-ca.pem`
+The sidecar CA file's key must be available at: `/etc/graylog/sidecar/sidecar-ca.key`

 The location of the files can be configured via variable. The name of the files however
 must be as specified. The following variables are available in regard to the node
@@ -49,9 +60,16 @@ certificates.
 # Whether to generate node certificates (default: true)
 generate_node_certs: true

+# Whether to use a central host to obtain the required certificates from (default: false)
+use_central_ca_host: false
+
 # The local directory where certs are stored before being uploaded
 tmp_cert_dir: "/tmp/graylog-sidecar-certs"

+# The path where the CA certificate of the graylog nodes should be
+# fetched from the remote machine specified in the 'graylog-nodes' host group
+gl_node_ca_path: "/etc/graylog/"
+
 # The path where the CA certificate and key should be fetched from
 # the remote machine specified in the 'sidecar-ca' host group
 gl_sidecar_ca_path: "/etc/graylog/sidecar"

--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -12,7 +12,6 @@ filebeat_repo_urls:

 # --- OTHER ---
 generate_node_certs: true
-tmp_cert_dir: "/tmp/graylog-sidecar-certs" # local directory
 gl_sidecar_ca_path: "/etc/graylog/sidecar"
 sidecar_cert_dir: "/etc/graylog/sidecar"
 cert_valid_days: 1095

--- a/tasks/filebeat.yml
+++ b/tasks/filebeat.yml
- name: Run filebeat tasks
-  when: (groups['sidecar-ca'] is defined | ternary(inventory_hostname not in groups['sidecar-ca'], true))
+---
+- name: Add filebeat repository (Debian | Ubuntu)
+  become: true
+  when: ansible_os_family == 'Debian'
  block:
-    - name: Add filebeat repository (Debian | Ubuntu)
-      become: true
-      when: ansible_os_family == 'Debian'
-      block:
-        - name: Ensure Apt Can Use Https
-          ansible.builtin.apt:
-            name: apt-transport-https
-            state: present
-
-        - name: Ensure ES Signing Key Is Present
-          ansible.builtin.apt_key:
-            url: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
-            id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
-            state: present^
+    - name: Ensure Apt Can Use Https
+      ansible.builtin.apt:
+        name: apt-transport-https
+        state: present

-        - name: Ensure ES Repo Is Enabled
-          ansible.builtin.apt_repository:
-            repo: "deb {{ filebeat_repo_urls['Debian'] }} stable main"
-            state: present
+    - name: Ensure ES Signing Key Is Present
+      ansible.builtin.apt_key:
+        url: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
+        id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
+        state: present^

-    - name: Add filebeat repository (RedHat)
-      ansible.builtin.yum_repository:
-        name: elastic-8.x
-        description: Elastic Yum Repo 8.x
-        baseurl: "{{ filebeat_repo_urls['RedHat'] }}"
-        gpgcheck: true
-        gpgkey: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
+    - name: Ensure ES Repo Is Enabled
+      ansible.builtin.apt_repository:
+        repo: "deb {{ filebeat_repo_urls['Debian'] }} stable main"
        state: present
-      when: ansible_os_family == 'RedHat'
-      become: true

-    - name: Install filebeat package
-      ansible.builtin.package:
-        name: filebeat
-        state: present
-      become: true
+- name: Add filebeat repository (RedHat)
+  ansible.builtin.yum_repository:
+    name: elastic-8.x
+    description: Elastic Yum Repo 8.x
+    baseurl: "{{ filebeat_repo_urls['RedHat'] }}"
+    gpgcheck: true
+    gpgkey: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
+    state: present
+  when: ansible_os_family == 'RedHat'
+  become: true
+
+- name: Install filebeat package
+  ansible.builtin.package:
+    name: filebeat
+    state: present
+  become: true
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -5,13 +5,64 @@
  changed_when: false
  become: true

- name: Include sidecar tasks
-  ansible.builtin.include_tasks: sidecar.yml
-  when: (groups['sidecar-ca'] is defined | ternary(inventory_hostname not in groups['sidecar-ca'], true))
+- name: Verify that host groups are available if not using a single host
+  when: not use_central_ca_host
+  block:
+    - name: Fail if 'sidecar-ca' host group is missing # noqa: run_once[task]
+      ansible.builtin.fail:
+        msg: "Please add a host group 'sidecar-ca' with the host(s) storing the CA file first"
+      run_once: true
+      when: "not (groups['sidecar-ca'] is defined)"

- name: Include filebeat tasks
-  ansible.builtin.import_tasks: filebeat.yml
-  when: install_filebeat and (groups['sidecar-ca'] is defined | ternary(inventory_hostname not in groups['sidecar-ca'], true))
+    - name: Fail if 'graylog-nodes' host group is missing # noqa: run_once[task]
+      ansible.builtin.fail:
+        msg: "Please add a host group 'graylog-nodes' with the host(s) storing the log node CA file first"
+      run_once: true
+      when: "not (groups['graylog-nodes'] is defined)"
+
+- name: Fail if 'ca-store' host group is missing while using opetion 'use_central_ca_host' # noqa: run_once[task]
+  ansible.builtin.fail:
+    msg: "Please add a host group 'sidecar-ca' with the host(s) storing the CA file first"
+  run_once: true
+  when: "(not (groups['ca-store'] is defined)) and use_central_ca_host"
+
+- name: Include tasks when not using single ca-host
+  when: not use_central_ca_host
+  block:
+    - name: Include sidecar tasks (when not using a single ca store)
+      ansible.builtin.include_tasks: sidecar.yml
+      when: >
+        (inventory_hostname not in groups['sidecar-ca']) and
+        (inventory_hostname not in groups['graylog-nodes'])
+
+    - name: Include filebeat tasks
+      ansible.builtin.include_tasks: filebeat.yml
+      when: >
+        install_filebeat and
+        (inventory_hostname not in groups['sidecar-ca']) and
+        (inventory_hostname not in groups['graylog-nodes'])
+
+- name: Include tasks when using single ca-host
+  when: use_central_ca_host
+  block:
+    - name: Include sidecar tasks (when using a single ca store)
+      ansible.builtin.include_tasks: sidecar.yml
+      when: >
+        ((groups['sidecar-ca'] is defined) and (groups['graylog-nodes'] is defined) | ternary(
+          (inventory_hostname not in groups['sidecar-ca']) and
+          (inventory_hostname not in groups['graylog-nodes'])
+        , true)) and
+        (inventory_hostname not in groups['ca-store'])
+
+    - name: Include filebeat tasks
+      ansible.builtin.include_tasks: filebeat.yml
+      when: >
+        install_filebeat and
+        ((groups['sidecar-ca'] is defined) and (groups['graylog-nodes'] is defined) | ternary(
+          (inventory_hostname not in groups['sidecar-ca']) and
+          (inventory_hostname not in groups['graylog-nodes'])
+        , true)) and
+        (inventory_hostname not in groups['ca-store'])

 - name: Switch back to default policy
  ansible.builtin.command:

--- a/tasks/node-certs.yml
+++ b/tasks/node-certs.yml
 ---
- name: Fail if 'sidecar-ca' host group is missing # noqa: run_once[task]
-  ansible.builtin.fail:
-    msg: "Please add a host group 'sidecar-ca' with the host(s) storing the CA file first"
-  run_once: true
-  when: "not (groups['sidecar-ca'] is defined)"
-
 - name: Node Certificates | Create temporary directopry for certificates # noqa: run_once[task]
-  ansible.builtin.file:
-    path: "{{ tmp_cert_dir }}"
+  ansible.builtin.tempfile:
    state: directory
-    mode: 0755
+    prefix: "graylog."
  run_once: true
  delegate_to: localhost
+  register: tmp_cert_dir

 - name: Node Certificates | Fetch Sidecar CA Cert
  ansible.builtin.fetch:
@@ -21,13 +15,21 @@
  with_items:
    - "{{ gl_sidecar_ca_path }}/sidecar-ca.pem"
    - "{{ gl_sidecar_ca_path }}/sidecar-ca.key"
-  delegate_to: "{{ groups['sidecar-ca'] | first }}"
+  delegate_to: "{{ groups[use_central_ca_host | bool | ternary('ca-store', 'sidecar-ca')] | first }}"
+  become: true
+  run_once: true
+
+- name: Node Certificates | Fetch Graylog Node CA Cert
+  ansible.builtin.fetch:
+    src: "{{ gl_node_ca_path }}/graylog-ca.pem"
+    dest: "{{ tmp_cert_dir }}/"
+    flat: true
+  delegate_to: "{{ groups[use_central_ca_host | bool | ternary('ca-store', 'graylog-nodes')] | first }}"
  become: true
  run_once: true

 - name: Node Certificates
  delegate_to: localhost
-  when: (groups['sidecar-ca'] is defined | ternary(inventory_hostname not in groups['sidecar-ca'], true))
  block:
    - name: Node Certificates | Generate private keys
      community.crypto.openssl_privatekey:
@@ -55,7 +57,6 @@

 - name: Node Certificates | Copy Certificates
  become: true
-  when: (groups['sidecar-ca'] is defined | ternary(inventory_hostname not in groups['sidecar-ca'], true))
  block:
    - name: Node Certificates | Copy Node certificates
      ansible.builtin.copy:
@@ -66,3 +67,4 @@
        - { file: "sidecar-{{ inventory_hostname }}.key", mode: "0600" }
        - { file: "sidecar-{{ inventory_hostname }}.pem", mode: "0644" }
        - { file: "sidecar-ca.pem", mode: "0644" }
+        - { file: "graylog-ca.pem", mode: "0644" }
--- a/templates/sidecar.yml.j2
+++ b/templates/sidecar.yml.j2
@@ -2,4 +2,4 @@

 server_url: {{ graylog_sidecar_server_url }}
 server_api_token: {{ graylog_sidecar_server_api_token }}
-node_id: {{ graylog_sidecar_node_id }}
\ No newline at end of file
+node_id: {{ graylog_sidecar_node_id }}