refs #1929 changes all certs to dynamic subdomain in oglog and ogcore
parent
b957867d41
commit
8683ab471a
1
.env
1
.env
|
@ -1,3 +1,4 @@
|
|||
OGLOG_IP=192.168.2.4
|
||||
OGCORE_IP=192.168.2.1
|
||||
OPENSEARCH_INITIAL_ADMIN_PASSWORD=CorrectHorse_BatteryStaple1
|
||||
SUBDOMAIN=opengnsys
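Review bot: CERT_PASS, which both install scripts now pass as `./mkcerts.sh "$SUBDOMAIN" "$CERT_PASS"`, is not defined in this file, and mkcerts.sh exits with its usage message when that argument is empty, so the installs will stop at certificate generation unless the variable is exported some other way; either add a `CERT_PASS=` entry here (this file already holds the OpenSearch admin password, so it must be handled as a secret and kept out of version control) or have the install scripts fail early with `: "${CERT_PASS:?CERT_PASS is required}"`. SUBDOMAIN is interpolated unchecked into certificate CNs/SANs, file names and `sed` expressions downstream, so a shape check such as `[[ $SUBDOMAIN =~ ^[a-z0-9-]+(\.[a-z0-9-]+)*$ ]]` at load time would catch a bad value before any certificate is issued with it.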
|
||||
|
|
|
@ -9,14 +9,14 @@ setup.template.settings:
|
|||
index.number_of_shards: 1
|
||||
|
||||
output.elasticsearch:
|
||||
hosts: ["https://oglog-os.mytld:9200"]
|
||||
hosts: ["https://oglog-os.${SUBDOMAIN}:9200"]
|
||||
username: "admin"
|
||||
password: "{{OPENSEARCH_INITIAL_ADMIN_PASSWORD}}"
|
||||
password: "${OPENSEARCH_INITIAL_ADMIN_PASSWORD}"
|
||||
protocol: "https"
|
||||
ssl.enabled: true
|
||||
ssl.verification_mode: full
|
||||
ssl.certificate: "/etc/filebeat/ogagent-fb.mytld.crt.pem"
|
||||
ssl.key: "/etc/filebeat/ogagent-fb.mytld.key.pem"
|
||||
ssl.certificate: "/etc/filebeat/ogagent-fb.${SUBDOMAIN}.crt.pem"
|
||||
ssl.key: "/etc/filebeat/ogagent-fb.${SUBDOMAIN}.key.pem"
|
||||
|
||||
processors:
|
||||
- add_host_metadata:
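Review bot: The `ssl.certificate`/`ssl.key` paths here use the name `ogagent-fb.${SUBDOMAIN}`, but the rest of the commit produces a different name: mkcerts.sh now generates `oglog-$comp.$SUBDOMAIN` for every entry of COMPONENTES, and the oglog install copies `$(get_cert_name agent-fb)`, i.e. `oglog-agent-fb.${SUBDOMAIN}.crt.pem`/`.key.pem`, into /etc/filebeat, so Filebeat would be configured with a client certificate that does not exist on disk. Either change these two lines to `/etc/filebeat/oglog-agent-fb.${SUBDOMAIN}.crt.pem` and `/etc/filebeat/oglog-agent-fb.${SUBDOMAIN}.key.pem`, or keep `ogagent-fb` on the generating side, whichever matches the SAN the certificate is meant to carry. Note also that `password: "${OPENSEARCH_INITIAL_ADMIN_PASSWORD}"` is now rendered by `envsubst` in the install script, which substitutes an unset variable with an empty string instead of failing, so the install should assert the variable is set before rendering this template.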
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
[server]
|
||||
protocol = https
|
||||
cert_file = /etc/grafana/oglog-graf.mytld.crt.pem
|
||||
cert_key = /etc/grafana/oglog-graf.mytld.key.pem
|
||||
cert_file = /etc/grafana/oglog-graf.${SUBDOMAIN}.crt.pem
|
||||
cert_key = /etc/grafana/oglog-graf.${SUBDOMAIN}.key.pem
|
||||
|
||||
[analytics]
|
||||
reporting_enabled = false
|
||||
|
|
|
@ -3,6 +3,6 @@ datasources:
|
|||
- name: Prometheus
|
||||
type: prometheus
|
||||
access: proxy
|
||||
url: https://oglog-prom.mytld:9090
|
||||
url: https://oglog-prom.${SUBDOMAIN}:9090
|
||||
isDefault: true
|
||||
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
"typeName": "OpenSearch",
|
||||
"typeLogoUrl": "public/plugins/grafana-opensearch-datasource/img/logo.svg",
|
||||
"access": "proxy",
|
||||
"url": "https://oglog-os.mytld:9200",
|
||||
"url": "https://oglog-os.${SUBDOMAIN}:9200",
|
||||
"user": "",
|
||||
"database": "",
|
||||
"basicAuth": true,
|
||||
|
@ -20,7 +20,7 @@
|
|||
"logMessageField": "",
|
||||
"maxConcurrentShardRequests": 5,
|
||||
"pplEnabled": true,
|
||||
"serverName": "oglog-os.mytld",
|
||||
"serverName": "oglog-os.${SUBDOMAIN}",
|
||||
"serverless": false,
|
||||
"timeField": "@timestamp",
|
||||
"tlsAuth": true,
|
||||
|
@ -64,7 +64,7 @@
|
|||
"typeName": "Prometheus",
|
||||
"typeLogoUrl": "public/app/plugins/datasource/prometheus/img/prometheus_logo.svg",
|
||||
"access": "proxy",
|
||||
"url": "https://oglog-prom.mytld:9090",
|
||||
"url": "https://oglog-prom.${SUBDOMAIN}:9090",
|
||||
"user": "",
|
||||
"database": "",
|
||||
"basicAuth": false,
|
||||
|
|
|
@ -8,14 +8,14 @@ setup.template.settings:
|
|||
index.number_of_shards: 1
|
||||
|
||||
output.elasticsearch:
|
||||
hosts: ["https://oglog-os.mytld:9200"]
|
||||
hosts: ["https://oglog-os.{SUBDOMAIN}:9200"]
|
||||
username: "admin"
|
||||
password: "{{OPENSEARCH_INITIAL_ADMIN_PASSWORD}}"
|
||||
password: "${OPENSEARCH_INITIAL_ADMIN_PASSWORD}"
|
||||
protocol: "https"
|
||||
ssl.enabled: true
|
||||
ssl.verification_mode: full
|
||||
ssl.certificate: "/etc/journalbeat/oglog-jb.mytld.crt.pem"
|
||||
ssl.key: "/etc/journalbeat/oglog-jb.mytld.key.pem"
|
||||
ssl.certificate: "/etc/journalbeat/oglog-jb.{SUBDOMAIN}.crt.pem"
|
||||
ssl.key: "/etc/journalbeat/oglog-jb.{SUBDOMAIN}.key.pem"
|
||||
|
||||
processors:
|
||||
- add_docker_metadata: ~
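Review bot: `{SUBDOMAIN}` on the `hosts`, `ssl.certificate` and `ssl.key` lines is missing the `$`, so neither `envsubst` in the install script nor Beats' own `${VAR}` expansion will touch it, and Journalbeat would try to reach the literal host `oglog-os.{SUBDOMAIN}` and load `/etc/journalbeat/oglog-jb.{SUBDOMAIN}.crt.pem`; these should read `${SUBDOMAIN}` like the other templates, e.g. `hosts: ["https://oglog-os.${SUBDOMAIN}:9200"]`. The same typo appears in the OpenSearch hunk on its `plugins.security.ssl.http.pemcert_filepath` and `pemkey_filepath` lines, which would leave the HTTP listener without a loadable certificate. The `password` line right next to them is written correctly, which is what makes the inconsistency easy to overlook.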
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
server.host: 0.0.0.0
|
||||
opensearch.hosts: ["https://oglog-os.mytld:9200"]
|
||||
opensearch.hosts: ["https://oglog-os.${SUBDOMAIN}:9200"]
|
||||
opensearch.username: "admin"
|
||||
opensearch.password: "{{OPENSEARCH_INITIAL_ADMIN_PASSWORD}}"
|
||||
opensearch.password: "${OPENSEARCH_INITIAL_ADMIN_PASSWORD}"
|
||||
server.ssl.enabled: true
|
||||
server.ssl.certificate: /etc/opensearch-dashboards/oglog-osdb.mytld.crt.pem
|
||||
server.ssl.key: /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
|
||||
opensearch.ssl.certificate: /etc/opensearch-dashboards/oglog-osdb.mytld.crt.pem
|
||||
opensearch.ssl.key: /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
|
||||
server.ssl.certificate: /etc/opensearch-dashboards/oglog-osdb.${SUBDOMAIN}.crt.pem
|
||||
server.ssl.key: /etc/opensearch-dashboards/oglog-osdb.${SUBDOMAIN}.key.pem
|
||||
opensearch.ssl.certificate: /etc/opensearch-dashboards/oglog-osdb.${SUBDOMAIN}.crt.pem
|
||||
opensearch.ssl.key: /etc/opensearch-dashboards/oglog-osdb.${SUBDOMAIN}.key.pem
|
||||
opensearch.ssl.verificationMode: full
|
||||
opensearch.ssl.certificateAuthorities: ["/etc/ssl/certs/ca.crt.pem"]
|
||||
opensearch.ssl.alwaysPresentCertificate: true
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
# WARNING: revise all the lines below before you go into production
|
||||
network.host: "{{IP_MAQUINA}}"
|
||||
network.host: "${OGLOG_IP}"
|
||||
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
|
||||
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
|
||||
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
|
||||
plugins.security.ssl.transport.enforce_hostname_verification: false
|
||||
plugins.security.ssl.http.enabled: true
|
||||
plugins.security.ssl.http.pemcert_filepath: oglog-os.mytld.crt.pem
|
||||
plugins.security.ssl.http.pemkey_filepath: oglog-os.mytld.key.pem
|
||||
plugins.security.ssl.http.pemcert_filepath: oglog-os.{SUBDOMAIN}.crt.pem
|
||||
plugins.security.ssl.http.pemkey_filepath: oglog-os.{SUBDOMAIN}.key.pem
|
||||
plugins.security.ssl.http.pemtrustedcas_filepath: ca.crt.pem
|
||||
plugins.security.allow_unsafe_democertificates: true
|
||||
plugins.security.allow_default_init_securityindex: true
|
||||
|
|
|
@ -5,9 +5,9 @@ global:
|
|||
scrape_configs:
|
||||
- job_name: ogserver
|
||||
static_configs:
|
||||
- targets: ['ogserver.mytld:9100']
|
||||
- targets: ['ogserver.${SUBDOMAIN}:9100']
|
||||
|
||||
- job_name: ogagent
|
||||
static_configs:
|
||||
- targets: ['ogagent.mytld:9100']
|
||||
- targets: ['ogagent.${SUBDOMAIN}:9100']
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
tls_server_config:
|
||||
cert_file: /etc/prometheus/oglog-prom.mytld.crt.pem
|
||||
key_file: /etc/prometheus/oglog-prom.mytld.key.pem
|
||||
cert_file: /etc/prometheus/oglog-prom.${SUBDOMAIN}.crt.pem
|
||||
key_file: /etc/prometheus/oglog-prom.${SUBDOMAIN}.key.pem
|
||||
|
||||
|
|
|
@ -15,8 +15,6 @@ log "Inicio instalación ogcore: $(date)"
|
|||
log "Tamaño inicial del disco:" && df -h /
|
||||
log "Carga inicial CPU:" && uptime
|
||||
|
||||
# Variables
|
||||
IP_SERVER="${IP_SERVER:?La variable IP_SERVER es requerida}"
|
||||
NFS_SERVER="ognartefactos.evlt.uma.es"
|
||||
LOCAL_MOUNT="/mnt"
|
||||
|
||||
|
@ -26,17 +24,54 @@ if ! mountpoint -q "$LOCAL_MOUNT"; then
|
|||
mount -t nfs "$NFS_SERVER:/" "$LOCAL_MOUNT"
|
||||
fi
|
||||
|
||||
# Cargar variables desde el archivo .env
|
||||
ENV_FILE="../.env"
|
||||
|
||||
if [ ! -f "$ENV_FILE" ]; then
|
||||
echo "ERROR: No se encontró el archivo .env"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
export $(grep -v '^#' "$ENV_FILE" | xargs)
|
||||
|
||||
# Ejemplo de uso
|
||||
echo "OGLOG se instalará en: $OGLOG_IP"
|
||||
echo "Base de datos OGCORE en: $OGCORE_IP"
|
||||
|
||||
# Validar la contraseña
|
||||
if [[ ${#OPENSEARCH_INITIAL_ADMIN_PASSWORD} -lt 12 || \
|
||||
! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [A-Z] || \
|
||||
! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [0-9] || \
|
||||
! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [^a-zA-Z0-9] ]]; then
|
||||
log "ERROR: La contraseña OPENSEARCH_INITIAL_ADMIN_PASSWORD no cumple los requisitos."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Actualizar hosts
|
||||
echo "$IP_SERVER oglog-jrem.mytld" >> /etc/hosts
|
||||
echo "$OGCORE_IP oglog-jrem.mytld" >> /etc/hosts
|
||||
|
||||
# Instalar dependencias
|
||||
apt-get update
|
||||
apt-get install -y prometheus-node-exporter systemd-journal-remote
|
||||
|
||||
# Copiar certificados
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/"{ca.crt.pem,ogserver.mytld.crt.pem} /etc/ssl/certs/
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/ogserver.mytld.key.nopass.pem" /etc/ssl/private/ogserver.mytld.key.pem
|
||||
chmod 600 /etc/ssl/private/ogserver.mytld.key.pem
|
||||
log "Generando certificados para ogcore con subdominio $SUBDOMAIN..."
|
||||
|
||||
# Suponemos que el script de generación ya está descargado en /tmp o incluido en la instalación
|
||||
./mkcerts.sh "$SUBDOMAIN" "$CERT_PASS"
|
||||
|
||||
# Helper
|
||||
get_cert_name() {
|
||||
echo "oglog-$1.$SUBDOMAIN"
|
||||
}
|
||||
|
||||
# Directorio base
|
||||
CA_DIR="./CA"
|
||||
CERT_NAME=$(get_cert_name "server")
|
||||
# Copiar certificados generados
|
||||
cp "$CA_DIR/certs/ca.crt.pem" /etc/ssl/certs/
|
||||
cp "$CA_DIR/certs/$CERT_NAME.crt.pem" /etc/ssl/certs/
|
||||
cp "$CA_DIR/private/$CERT_NAME.key.nopass.pem" /etc/ssl/private/$CERT_NAME.key.pem
|
||||
chmod 600 /etc/ssl/private/$CERT_NAME.key.pem
|
||||
|
||||
# Configuración journal-upload
|
||||
sed -i -e '/DynamicUser/s/.*/DynamicUser=no/' \
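Review bot: The /etc/hosts entries still name `oglog-jrem.mytld`, while the journal-upload.conf written in the next hunk now points at `https://$(get_cert_name jrem):19532`, i.e. `oglog-jrem.$SUBDOMAIN`; if those two `echo ... >> /etc/hosts` lines are unchanged context, the new upload URL has no local resolution, and they should use `$(get_cert_name jrem)` instead of the hard-coded name (with the helper defined before that point). Running `./mkcerts.sh` on this host also creates a brand-new CA (the script does `rm -rf CA` and generates a fresh `private/ca.key.pem`), so the `$CERT_NAME` client certificate is signed by a different CA than the `ca.crt.pem` that oglog's journal-remote trusts, unless the CA directory is shared between the two installs out of band — worth confirming how trust is meant to be established. `export $(grep -v '^#' "$ENV_FILE" | xargs)` word-splits and glob-expands the values, so a password containing spaces or `*` is mangled; `set -a; . "$ENV_FILE"; set +a` loads the same file without that. The `sed -i` on the last line continues outside the hunk.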
|
||||
|
@ -47,9 +82,9 @@ systemctl daemon-reload
|
|||
|
||||
cat >/etc/systemd/journal-upload.conf <<EOF
|
||||
[Upload]
|
||||
URL=https://oglog-jrem.mytld:19532
|
||||
ServerKeyFile=/etc/ssl/private/ogserver.mytld.key.pem
|
||||
ServerCertificateFile=/etc/ssl/certs/ogserver.mytld.crt.pem
|
||||
URL=https://$(get_cert_name jrem):19532
|
||||
ServerKeyFile=/etc/ssl/private/$CERT_NAME.key.pem
|
||||
ServerCertificateFile=/etc/ssl/certs/$CERT_NAME.crt.pem
|
||||
TrustedCertificateFile=/etc/ssl/certs/ca.crt.pem
|
||||
EOF
|
||||
|
||||
|
|
|
@ -1,7 +1,15 @@
|
|||
#!/bin/bash
|
||||
|
||||
SUBDOMAIN="$1"
|
||||
CERT_PASS="$2"
|
||||
|
||||
if [ -z "$SUBDOMAIN" ] || [ -z "$CERT_PASS" ]; then
|
||||
echo "Uso: $0 <subdominio> <contraseña-certificados>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
rm -rf CA
|
||||
mkdir CA
|
||||
mkdir -p CA
|
||||
cd CA
|
||||
|
||||
cat >openssl.cnf <<EOF
|
||||
|
@ -42,55 +50,58 @@ default_md = sha256
|
|||
countryName = Country Name (2 letter code)
|
||||
EOF
|
||||
|
||||
mkdir certs csr newcerts private; chmod 0700 private; touch index.txt; echo 1000 >serial
|
||||
mkdir -p certs csr newcerts private
|
||||
chmod 0700 private
|
||||
touch index.txt
|
||||
echo 1000 >serial
|
||||
|
||||
function gen_cert() {
|
||||
ITEM="$1"
|
||||
PRIVKEY_PASS="$2"
|
||||
CA_PASS_FILE="$3"
|
||||
NAME="$1"
|
||||
DOMAIN="$NAME.$SUBDOMAIN"
|
||||
PASS="$CERT_PASS"
|
||||
CA_PASS_FILE="./ca-pass"
|
||||
|
||||
FILE_PRIVKEY_PASS="./$ITEM-pass"
|
||||
KEY_FILE="private/$ITEM.key.pem"
|
||||
KEY_NOPASS_FILE="private/$ITEM.key.nopass.pem"
|
||||
SUBJ="/C=ES/ST=Madrid/L=Madrid/CN=$ITEM"
|
||||
ADDEXT="subjectAltName=DNS:$ITEM"
|
||||
CSR="csr/$ITEM.csr.pem"
|
||||
CERT_FILE="certs/$ITEM.crt.pem"
|
||||
FILE_PRIVKEY_PASS="./$NAME-pass"
|
||||
KEY_FILE="private/$DOMAIN.key.pem"
|
||||
KEY_NOPASS_FILE="private/$DOMAIN.key.nopass.pem"
|
||||
SUBJ="/C=ES/ST=Madrid/L=Madrid/CN=$DOMAIN"
|
||||
ADDEXT="subjectAltName=DNS:$DOMAIN"
|
||||
CSR="csr/$DOMAIN.csr.pem"
|
||||
CERT_FILE="certs/$DOMAIN.crt.pem"
|
||||
|
||||
touch "$FILE_PRIVKEY_PASS"
|
||||
echo "$PASS" >"$FILE_PRIVKEY_PASS"
|
||||
chmod 0600 "$FILE_PRIVKEY_PASS"
|
||||
echo "$PRIVKEY_PASS" >"$FILE_PRIVKEY_PASS"
|
||||
|
||||
openssl genrsa -aes256 -out "$KEY_FILE" -passout file:"$FILE_PRIVKEY_PASS" 2048
|
||||
openssl rsa -in "$KEY_FILE" -passin file:"$FILE_PRIVKEY_PASS" -out "$KEY_NOPASS_FILE" >/dev/null 2>&1
|
||||
openssl req -config openssl.cnf -key "$KEY_FILE" -passin file:"$FILE_PRIVKEY_PASS" -new -sha256 -subj "$SUBJ" -addext "$ADDEXT" -out "$CSR"
|
||||
openssl ca -config openssl.cnf -batch -passin file:"$CA_PASS_FILE" -days 375 -notext -md sha256 -in "$CSR" -out "$CERT_FILE" >/dev/null 2>&1
|
||||
echo "Dominio generado: $DOMAIN"
|
||||
}
|
||||
|
||||
|
||||
## gen CA
|
||||
CA_PASS=CorrectHorseBatteryStapleCA
|
||||
CA_PASS_FILE=./ca-pass
|
||||
touch "$CA_PASS_FILE"
|
||||
## Generar CA
|
||||
CA_PASS_FILE="./ca-pass"
|
||||
echo "$CERT_PASS" >"$CA_PASS_FILE"
|
||||
chmod 0600 "$CA_PASS_FILE"
|
||||
echo "$CA_PASS" >"$CA_PASS_FILE"
|
||||
openssl genrsa -aes256 -out private/ca.key.pem -passout file:"$CA_PASS_FILE" 4096
|
||||
#openssl rsa -in private/ca.key.pem -passin file:"$CA_PASS_FILE" -out private/ca.key.nopass.pem >/dev/null 2>&1
|
||||
openssl req -config openssl.cnf -key private/ca.key.pem -passin file:"$CA_PASS_FILE" -new -x509 -days 7300 -sha256 -subj '/C=ES/ST=Madrid/L=Madrid/CN=ca.mytld' -out certs/ca.crt.pem
|
||||
openssl req -config openssl.cnf -key private/ca.key.pem -passin file:"$CA_PASS_FILE" -new -x509 -days 7300 -sha256 -subj "/C=ES/ST=Madrid/L=Madrid/CN=ca.$SUBDOMAIN.mytld" -out certs/ca.crt.pem
|
||||
|
||||
## Componentes a generar certificados
|
||||
# COMPONENTES y su correspondencia:
|
||||
# "os" → OpenSearch (certificado para /etc/opensearch/)
|
||||
# "osdb" → OpenSearch Dashboards (certificado para /etc/opensearch-dashboards/)
|
||||
# "jrem" → systemd-journal-remote (certificado para /etc/systemd/)
|
||||
# "prom" → Prometheus (certificado para /etc/prometheus/)
|
||||
# "graf" → Grafana (certificado para /etc/grafana/)
|
||||
# "jb" → Journalbeat del cliente (certificado para /etc/journalbeat/)
|
||||
# "agent-fb" → Filebeat del cliente ogagent (certificado para /etc/filebeat/)
|
||||
# "server" → Servidor ogcore/ogboot/intermedio (uso genérico del certificado)
|
||||
|
||||
## todos estos en oglog
|
||||
gen_cert oglog-os.mytld CorrectHorseBatteryStapleOglogOS "$CA_PASS_FILE"
|
||||
gen_cert oglog-osdb.mytld CorrectHorseBatteryStapleOglogOS "$CA_PASS_FILE"
|
||||
gen_cert oglog-jrem.mytld CorrectHorseBatteryStapleOglogJRem "$CA_PASS_FILE"
|
||||
gen_cert oglog-jb.mytld CorrectHorseBatteryStapleOglogJB "$CA_PASS_FILE"
|
||||
gen_cert oglog-prom.mytld CorrectHorseBatteryStapleOglogProm "$CA_PASS_FILE"
|
||||
gen_cert oglog-graf.mytld CorrectHorseBatteryStapleOglogGraf "$CA_PASS_FILE"
|
||||
COMPONENTES=("os" "osdb" "jrem" "jb" "prom" "graf" "server" "agent-fb")
|
||||
|
||||
## esto podria ser ogcore, ogboot...
|
||||
gen_cert ogserver.mytld CorrectHorseBatteryStapleOgserver "$CA_PASS_FILE"
|
||||
|
||||
## filebeat del agente
|
||||
gen_cert ogagent-fb.mytld CorrectHorseBatteryStapleOgagentFB "$CA_PASS_FILE"
|
||||
for comp in "${COMPONENTES[@]}"; do
|
||||
gen_cert "oglog-$comp"
|
||||
echo "address=/oglog-$comp.$SUBDOMAIN/127.0.0.1" >> /tmp/dnsmasq.oglog.conf
|
||||
done
|
||||
|
||||
cd ..
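Review bot: As the diff reads, `echo "$PASS" >"$FILE_PRIVKEY_PASS"` now runs before the `chmod 0600`, and the CA block does the same (`echo "$CERT_PASS" >"$CA_PASS_FILE"` followed by `chmod 0600`), whereas the removed lines restricted the mode before writing; under a permissive umask the passphrase file is briefly readable by others, so either restore the `touch; chmod 0600; echo` order or write it as `(umask 077; echo "$PASS" >"$FILE_PRIVKEY_PASS")`. The single `$CERT_PASS` now protects the CA key and every leaf key where the old script used a distinct CA passphrase, and it arrives as a positional argument that is visible in the process list for the lifetime of the script; reading it from the environment (`${CERT_PASS:?}`) or a mode-0600 file avoids that exposure and restores the separation. `echo ... >> /tmp/dnsmasq.oglog.conf` appends, as root, to a predictable path in a world-writable directory, so entries from previous runs accumulate and a pre-existing file or symlink at that path is reused (symlinks are refused only where `fs.protected_symlinks` applies); writing under the `CA` working directory or to a `mktemp` path, truncated once before the loop, avoids both. Since `COMPONENTES` includes `server` and `agent-fb`, the loop also maps `oglog-server.$SUBDOMAIN` and `oglog-agent-fb.$SUBDOMAIN` to 127.0.0.1, which is only correct if those names are meant to resolve locally on the log host.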
|
||||
|
|
|
@ -120,7 +120,8 @@ rm -f /tmp/filebeat.deb
|
|||
|
||||
# Copiar configuraciones desde plantillas locales
|
||||
base_dir="$(dirname $(pwd))"
|
||||
|
||||
./mkcerts.sh "$SUBDOMAIN" "$CERT_PASS"
|
||||
log "Copiando configuraciones desde plantillas locales..."
|
||||
files_to_copy=(
|
||||
"journalbeat/journalbeat.yml"
|
||||
"filebeat/filebeat.yml"
|
||||
|
@ -138,51 +139,59 @@ for file in "${files_to_copy[@]}"; do
|
|||
dest="/etc/$file"
|
||||
mkdir -p "$(dirname "$dest")"
|
||||
cp "$src" "$dest"
|
||||
sed -i \
|
||||
-e "s/{{IP_MAQUINA}}/$OGLOG_IP/g" \
|
||||
-e "s/{{OPENSEARCH_INITIAL_ADMIN_PASSWORD}}/$OPENSEARCH_INITIAL_ADMIN_PASSWORD/g" "$dest"
|
||||
envsubst < "$src" > "$dest"
|
||||
done
|
||||
|
||||
chown -R grafana:grafana /etc/grafana/provisioning
|
||||
|
||||
# Copiar certificados específicos
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/ca.crt.pem" /etc/opensearch/
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/oglog-os.mytld.crt.pem" /etc/opensearch/
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/oglog-os.mytld.key.nopass.pem" /etc/opensearch/oglog-os.mytld.key.pem
|
||||
# Helper
|
||||
get_cert_name() {
|
||||
echo "oglog-$1.$SUBDOMAIN"
|
||||
}
|
||||
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/oglog-osdb.mytld.crt.pem" /etc/opensearch-dashboards/
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/oglog-osdb.mytld.key.nopass.pem" /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
|
||||
# Directorio base
|
||||
CA_DIR="./CA"
|
||||
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/ca.crt.pem" /etc/systemd/
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/oglog-jrem.mytld.crt.pem" /etc/systemd/
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/oglog-jrem.mytld.key.nopass.pem" /etc/systemd/oglog-jrem.mytld.key.pem
|
||||
# Certificados por componente
|
||||
cp "$CA_DIR/certs/ca.crt.pem" /etc/opensearch/
|
||||
cp "$CA_DIR/certs/$(get_cert_name os).crt.pem" /etc/opensearch/
|
||||
cp "$CA_DIR/private/$(get_cert_name os).key.nopass.pem" /etc/opensearch/$(get_cert_name os).key.pem
|
||||
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/oglog-prom.mytld.crt.pem" /etc/prometheus/
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/oglog-prom.mytld.key.nopass.pem" /etc/prometheus/oglog-prom.mytld.key.pem
|
||||
cp "$CA_DIR/certs/$(get_cert_name osdb).crt.pem" /etc/opensearch-dashboards/
|
||||
cp "$CA_DIR/private/$(get_cert_name osdb).key.nopass.pem" /etc/opensearch-dashboards/$(get_cert_name osdb).key.pem
|
||||
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/oglog-graf.mytld.crt.pem" /etc/grafana/
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/oglog-graf.mytld.key.nopass.pem" /etc/grafana/oglog-graf.mytld.key.pem
|
||||
cp "$CA_DIR/certs/ca.crt.pem" /etc/systemd/
|
||||
cp "$CA_DIR/certs/$(get_cert_name jrem).crt.pem" /etc/systemd/
|
||||
cp "$CA_DIR/private/$(get_cert_name jrem).key.nopass.pem" /etc/systemd/$(get_cert_name jrem).key.pem
|
||||
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/oglog-jb.mytld.crt.pem" /etc/journalbeat/
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/oglog-jb.mytld.key.nopass.pem" /etc/journalbeat/oglog-jb.mytld.key.pem
|
||||
cp "$CA_DIR/certs/$(get_cert_name prom).crt.pem" /etc/prometheus/
|
||||
cp "$CA_DIR/private/$(get_cert_name prom).key.nopass.pem" /etc/prometheus/$(get_cert_name prom).key.pem
|
||||
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/ogagent-fb.mytld.crt.pem" /etc/filebeat/
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/ogagent-fb.mytld.key.nopass.pem" /etc/filebeat/ogagent-fb.mytld.key.pem
|
||||
cp "$CA_DIR/certs/$(get_cert_name graf).crt.pem" /etc/grafana/
|
||||
cp "$CA_DIR/private/$(get_cert_name graf).key.nopass.pem" /etc/grafana/$(get_cert_name graf).key.pem
|
||||
|
||||
cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/ca.crt.pem" /etc/ssl/certs/
|
||||
cp "$CA_DIR/certs/$(get_cert_name jb).crt.pem" /etc/journalbeat/
|
||||
cp "$CA_DIR/private/$(get_cert_name jb).key.nopass.pem" /etc/journalbeat/$(get_cert_name jb).key.pem
|
||||
|
||||
cp "$CA_DIR/certs/$(get_cert_name agent-fb).crt.pem" /etc/filebeat/
|
||||
cp "$CA_DIR/private/$(get_cert_name agent-fb).key.nopass.pem" /etc/filebeat/$(get_cert_name agent-fb).key.pem
|
||||
|
||||
cp "$CA_DIR/certs/ca.crt.pem" /etc/ssl/certs/
|
||||
ln -sf /etc/ssl/certs/ca.crt.pem /etc/ssl/certs/"$(openssl x509 -in /etc/ssl/certs/ca.crt.pem -hash -noout).0"
|
||||
|
||||
# Permisos específicos
|
||||
chown opensearch:opensearch /etc/opensearch/*
|
||||
chown opensearch-dashboards:opensearch-dashboards /etc/opensearch-dashboards/*
|
||||
chown systemd-journal-remote:systemd-journal-remote /etc/systemd/oglog-jrem.mytld.*
|
||||
chown prometheus:prometheus /etc/prometheus/oglog-prom.mytld.*
|
||||
chown grafana:grafana /etc/grafana/oglog-graf.mytld.*
|
||||
chown systemd-journal-remote:systemd-journal-remote /etc/systemd/$(get_cert_name jrem).*
|
||||
chown prometheus:prometheus /etc/prometheus/$(get_cert_name prom).*
|
||||
chown grafana:grafana /etc/grafana/$(get_cert_name graf).*
|
||||
|
||||
install -d -o systemd-journal-remote -g systemd-journal-remote -m 0750 /var/log/journal/remote
|
||||
sed -i -e '/ServerKeyFile/ s%.*%ServerKeyFile=/etc/systemd/oglog-jrem.mytld.key.pem%' /etc/systemd/journal-remote.conf
|
||||
sed -i -e '/ServerCertificateFile/s%.*%ServerCertificateFile=/etc/systemd/oglog-jrem.mytld.crt.pem%' /etc/systemd/journal-remote.conf
|
||||
sed -i -e '/TrustedCertificateFile/s%.*%TrustedCertificateFile=/etc/systemd/ca.crt.pem%' /etc/systemd/journal-remote.conf
|
||||
|
||||
sed -i -e "/ServerKeyFile/ s%.*%ServerKeyFile=/etc/systemd/$(get_cert_name jrem).key.pem%" /etc/systemd/journal-remote.conf
|
||||
sed -i -e "/ServerCertificateFile/s%.*%ServerCertificateFile=/etc/systemd/$(get_cert_name jrem).crt.pem%" /etc/systemd/journal-remote.conf
|
||||
sed -i -e "/TrustedCertificateFile/s%.*%TrustedCertificateFile=/etc/systemd/ca.crt.pem%" /etc/systemd/journal-remote.conf
|
||||
|
||||
if ! grep -q -- "--web.config.file=/etc/prometheus/web-config.yml" /etc/default/prometheus; then
|
||||
sed -i -e '/^ARGS/s%"$% --web.config.file=/etc/prometheus/web-config.yml"%' /etc/default/prometheus
|
||||
fi
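Review bot: `envsubst < "$src" > "$dest"` substitutes every `$VAR`/`${VAR}` in a template and silently replaces an unset one with an empty string, so a missing `SUBDOMAIN` or `OPENSEARCH_INITIAL_ADMIN_PASSWORD` produces config files with hosts like `oglog-os.:9200` or an empty admin password instead of an error; assert the inputs first with `: "${SUBDOMAIN:?}" "${OGLOG_IP:?}" "${OPENSEARCH_INITIAL_ADMIN_PASSWORD:?}"` and restrict substitution to that set, `envsubst '$SUBDOMAIN $OGLOG_IP $OPENSEARCH_INITIAL_ADMIN_PASSWORD' < "$src" > "$dest"`, so any other `$` sequence in a template is left untouched. Note that `{SUBDOMAIN}` without the `$`, as written in the journalbeat and opensearch templates, is not substituted at all by envsubst. If the `cp "$src" "$dest"` line above is kept, it is now redundant, since envsubst rewrites `$dest` from `$src` immediately afterwards. The `for file in "${files_to_copy[@]}"` loop this hunk sits in starts outside the hunk.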
|
||||
|
@ -213,16 +222,12 @@ for service in "${services_to_restart[@]}"; do
|
|||
sleep 5
|
||||
done
|
||||
|
||||
# Añadimos la posconfiguracion una vez opensearch esta corriendo
|
||||
|
||||
# Configuración de OpenSearch
|
||||
|
||||
#Index pattern para filebeat
|
||||
|
||||
curl -X POST "https://oglog-os.mytld:9200/.kibana/_doc/index-pattern:filebeat-*" \
|
||||
--cert /etc/journalbeat/oglog-jb.mytld.crt.pem \
|
||||
--key /etc/journalbeat/oglog-jb.mytld.key.pem \
|
||||
-u admin:CorrectHorse_BatteryStaple1 \
|
||||
# Index pattern para filebeat
|
||||
curl -X POST "https://oglog-os.${SUBDOMAIN}:9200/.kibana/_doc/index-pattern:filebeat-*" \
|
||||
--cert "/etc/journalbeat/$(get_cert_name jb).crt.pem" \
|
||||
--key "/etc/journalbeat/$(get_cert_name jb).key.pem" \
|
||||
-u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" \
|
||||
-H 'Content-Type: application/json' \
|
||||
-d '{
|
||||
"type": "index-pattern",
|
||||
|
@ -232,11 +237,11 @@ curl -X POST "https://oglog-os.mytld:9200/.kibana/_doc/index-pattern:filebeat-*"
|
|||
}
|
||||
}'
|
||||
|
||||
# Index pattern para Journalbeat
|
||||
curl -X POST "https://oglog-os.mytld:9200/.kibana/_doc/index-pattern:journalbeat-*" \
|
||||
--cert /etc/journalbeat/oglog-jb.mytld.crt.pem \
|
||||
--key /etc/journalbeat/oglog-jb.mytld.key.pem \
|
||||
-u admin:CorrectHorse_BatteryStaple1 \
|
||||
# Index pattern para journalbeat
|
||||
curl -X POST "https://oglog-os.${SUBDOMAIN}:9200/.kibana/_doc/index-pattern:journalbeat-*" \
|
||||
--cert "/etc/journalbeat/$(get_cert_name jb).crt.pem" \
|
||||
--key "/etc/journalbeat/$(get_cert_name jb).key.pem" \
|
||||
-u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" \
|
||||
-H 'Content-Type: application/json' \
|
||||
-d '{
|
||||
"type": "index-pattern",
|
||||
|
@ -246,15 +251,14 @@ curl -X POST "https://oglog-os.mytld:9200/.kibana/_doc/index-pattern:journalbeat
|
|||
}
|
||||
}'
|
||||
|
||||
|
||||
echo "Importar pipelines de ingestión de OpenSearch"
|
||||
jq -c 'to_entries[]' "$base_dir/etc/opensearch/pipelines.json" | while read -r entry; do
|
||||
name=$(echo "$entry" | jq -r '.key')
|
||||
body=$(echo "$entry" | jq -c '.value')
|
||||
|
||||
curl -X PUT "https://oglog-os.mytld:9200/_ingest/pipeline/$name" \
|
||||
--cert /etc/journalbeat/oglog-jb.mytld.crt.pem \
|
||||
--key /etc/journalbeat/oglog-jb.mytld.key.pem \
|
||||
curl -X PUT "https://oglog-os.${SUBDOMAIN}:9200/_ingest/pipeline/$name" \
|
||||
--cert "/etc/journalbeat/$(get_cert_name jb).crt.pem" \
|
||||
--key "/etc/journalbeat/$(get_cert_name jb).key.pem" \
|
||||
-u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "$body"
|
||||
|
@ -262,28 +266,37 @@ done
|
|||
|
||||
echo "Importar búsquedas personalizadas de OpenSearch Dashboards"
|
||||
|
||||
# Obtener los IDs reales
|
||||
# Obtener los IDs reales de index pattern
|
||||
JOURNALBEAT_ID=$(curl -s -X GET "https://oglog-os.${SUBDOMAIN}:9200/.kibana/_search?q=type:index-pattern" \
|
||||
--cert "/etc/journalbeat/$(get_cert_name jb).crt.pem" \
|
||||
--key "/etc/journalbeat/$(get_cert_name jb).key.pem" \
|
||||
-u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" \
|
||||
| jq -r '.hits.hits[] | "\(.["_id"])\t\(.["_source"]["index-pattern"].title)"' \
|
||||
| grep 'journalbeat-*' | cut -f1 | cut -d':' -f2)
|
||||
|
||||
JOURNALBEAT_ID=$(curl -s -X GET "https://oglog-os.mytld:9200/.kibana/_search?q=type:index-pattern" --cert /etc/journalbeat/oglog-jb.mytld.crt.pem --key /etc/journalbeat/oglog-jb.mytld.key.pem -u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" | jq -r '.hits.hits[] | "\(.["_id"])\t\(.["_source"]["index-pattern"].title)"' | grep 'journalbeat-*' | cut -f1 | cut -d':' -f2)
|
||||
FILEBEAT_ID=$(curl -s -X GET "https://oglog-os.${SUBDOMAIN}:9200/.kibana/_search?q=type:index-pattern" \
|
||||
--cert "/etc/journalbeat/$(get_cert_name jb).crt.pem" \
|
||||
--key "/etc/journalbeat/$(get_cert_name jb).key.pem" \
|
||||
-u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" \
|
||||
| jq -r '.hits.hits[] | "\(.["_id"])\t\(.["_source"]["index-pattern"].title)"' \
|
||||
| grep 'filebeat-*' | cut -f1 | cut -d':' -f2)
|
||||
|
||||
FILEBEAT_ID=$(curl -s -X GET "https://oglog-os.mytld:9200/.kibana/_search?q=type:index-pattern" --cert /etc/journalbeat/oglog-jb.mytld.crt.pem --key /etc/journalbeat/oglog-jb.mytld.key.pem -u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" | jq -r '.hits.hits[] | "\(.["_id"])\t\(.["_source"]["index-pattern"].title)"' | grep 'filebeat-*' | cut -f1 | cut -d':' -f2)
|
||||
|
||||
|
||||
# Sustituir las variables en el fichero ndjson (sin modificar el original si quieres)
|
||||
# Sustituir variables en el fichero ndjson (sin modificar el original si quieres)
|
||||
cp "$base_dir/etc/opensearch-dashboards/saved_searches.ndjson" /tmp/saved_searches_modified.ndjson
|
||||
|
||||
sed -i "s|__journalbeat_index__|$JOURNALBEAT_ID|g" /tmp/saved_searches_modified.ndjson
|
||||
sed -i "s|__filebeat_index__|$FILEBEAT_ID|g" /tmp/saved_searches_modified.ndjson
|
||||
|
||||
# Importar con overwrite
|
||||
curl -X POST "https://oglog-osdb.mytld:5601/api/saved_objects/_import?overwrite=true" \
|
||||
--cert /etc/journalbeat/oglog-jb.mytld.crt.pem \
|
||||
--key /etc/journalbeat/oglog-jb.mytld.key.pem \
|
||||
-u admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD \
|
||||
curl -X POST "https://oglog-osdb.${SUBDOMAIN}:5601/api/saved_objects/_import?overwrite=true" \
|
||||
--cert "/etc/journalbeat/$(get_cert_name jb).crt.pem" \
|
||||
--key "/etc/journalbeat/$(get_cert_name jb).key.pem" \
|
||||
-u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" \
|
||||
-H "osd-xsrf: true" \
|
||||
-F "file=@/tmp/saved_searches_modified.ndjson"
|
||||
|
||||
|
||||
|
||||
# Después de los reinicios
|
||||
log "Verificación final de servicios:"
|
||||
systemctl is-active journalbeat filebeat opensearch opensearch-dashboards prometheus grafana-server
|
||||
|
|