From 8683ab471ada3cc56fd5a340ad75e5cb211efebd Mon Sep 17 00:00:00 2001
From: lgromero
Date: Tue, 22 Apr 2025 15:24:08 +0200
Subject: [PATCH] refs #1929 changes all certs to dynamic subdomain in oglog and ogcore

---
 .env | 1 +
 etc/filebeat/filebeat.yml | 8 +-
 etc/grafana/grafana.ini | 4 +-
 .../provisioning/datasources/prometheus.yaml | 2 +-
 .../resources/datasources/datasources.json | 6 +-
 etc/journalbeat/journalbeat.yml | 8 +-
 .../opensearch_dashboards.yml | 12 +-
 etc/opensearch/opensearch.yml | 6 +-
 etc/prometheus/prometheus.yml | 4 +-
 etc/prometheus/web-config.yml | 4 +-
 script/journal-upload.sh | 55 ++++++-
 script/mkcerts.sh | 79 ++++++-----
 script/oglog_installer.sh | 125 ++++++++++--------
 13 files changed, 187 insertions(+), 127 deletions(-)

diff --git a/.env b/.env
index 4975b15..0f04560 100644
--- a/.env
+++ b/.env
@@ -1,3 +1,4 @@
 OGLOG_IP=192.168.2.4
 OGCORE_IP=192.168.2.1
 OPENSEARCH_INITIAL_ADMIN_PASSWORD=CorrectHorse_BatteryStaple1
+SUBDOMAIN=opengnsys
diff --git a/etc/filebeat/filebeat.yml b/etc/filebeat/filebeat.yml
index dc6474d..da0be9f 100644
--- a/etc/filebeat/filebeat.yml
+++ b/etc/filebeat/filebeat.yml
@@ -9,14 +9,14 @@ setup.template.settings:
 index.number_of_shards: 1
 output.elasticsearch:
- hosts: ["https://oglog-os.mytld:9200"]
+ hosts: ["https://oglog-os.${SUBDOMAIN}:9200"]
 username: "admin"
- password: "{{OPENSEARCH_INITIAL_ADMIN_PASSWORD}}"
+ password: "${OPENSEARCH_INITIAL_ADMIN_PASSWORD}"
 protocol: "https"
 ssl.enabled: true
 ssl.verification_mode: full
- ssl.certificate: "/etc/filebeat/ogagent-fb.mytld.crt.pem"
- ssl.key: "/etc/filebeat/ogagent-fb.mytld.key.pem"
+ ssl.certificate: "/etc/filebeat/ogagent-fb.${SUBDOMAIN}.crt.pem"
+ ssl.key: "/etc/filebeat/ogagent-fb.${SUBDOMAIN}.key.pem"
 processors:
 - add_host_metadata:
diff --git a/etc/grafana/grafana.ini b/etc/grafana/grafana.ini
index 445f32c..0b86e4c 100644
--- a/etc/grafana/grafana.ini
+++ b/etc/grafana/grafana.ini
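Review bot: `SUBDOMAIN` is the only variable this hunk adds, but both installers now call `./mkcerts.sh "$SUBDOMAIN" "$CERT_PASS"` (journal-upload.sh hunk 2 and oglog_installer.sh hunk 1) and nothing in the patch defines `CERT_PASS`; with the `.env` loader journal-upload.sh uses it will be empty, so the CA key and every leaf key are protected by whatever mkcerts.sh does with an empty passphrase (its argument check is garbled in this patch, so I cannot tell whether it rejects that). Either document `CERT_PASS` as a required environment variable next to `SUBDOMAIN` or fail early in both callers with `: "${CERT_PASS:?CERT_PASS es requerida}"`. Since this file is committed with the admin password already, I would keep the CA passphrase out of it and supply it from the environment at install time.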
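Review bot: The two certificate paths in the filebeat.yml hunk keep the `ogagent-fb.${SUBDOMAIN}` name, but mkcerts.sh now issues every leaf as `oglog-$comp.$SUBDOMAIN` (`oglog-agent-fb.$SUBDOMAIN` for this component) and oglog_installer.sh copies `$(get_cert_name agent-fb)` into /etc/filebeat/, so Filebeat will not find the file named here. Either change them to `ssl.certificate: "/etc/filebeat/oglog-agent-fb.${SUBDOMAIN}.crt.pem"` and `ssl.key: "/etc/filebeat/oglog-agent-fb.${SUBDOMAIN}.key.pem"`, or keep the old `ogagent-fb` name in the generator. The prometheus.yml hunk shows the same drift (`ogserver.${SUBDOMAIN}`, `ogagent.${SUBDOMAIN}` versus the `oglog-server`/`oglog-agent-fb` names the generator writes to its dnsmasq file), which matters only if those scrape targets are meant to resolve through that file.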
@@ -1,7 +1,7 @@
 [server]
 protocol = https
-cert_file = /etc/grafana/oglog-graf.mytld.crt.pem
-cert_key = /etc/grafana/oglog-graf.mytld.key.pem
+cert_file = /etc/grafana/oglog-graf.${SUBDOMAIN}.crt.pem
+cert_key = /etc/grafana/oglog-graf.${SUBDOMAIN}.key.pem
 [analytics]
 reporting_enabled = false
diff --git a/etc/grafana/provisioning/datasources/prometheus.yaml b/etc/grafana/provisioning/datasources/prometheus.yaml
index 5a73546..7e4d1f5 100644
--- a/etc/grafana/provisioning/datasources/prometheus.yaml
+++ b/etc/grafana/provisioning/datasources/prometheus.yaml
@@ -3,6 +3,6 @@ datasources:
 - name: Prometheus
 type: prometheus
 access: proxy
- url: https://oglog-prom.mytld:9090
+ url: https://oglog-prom.${SUBDOMAIN}:9090
 isDefault: true
diff --git a/etc/grafana/resources/datasources/datasources.json b/etc/grafana/resources/datasources/datasources.json
index 83ea8f0..a8a7f35 100644
--- a/etc/grafana/resources/datasources/datasources.json
+++ b/etc/grafana/resources/datasources/datasources.json
@@ -8,7 +8,7 @@
 "typeName": "OpenSearch",
 "typeLogoUrl": "public/plugins/grafana-opensearch-datasource/img/logo.svg",
 "access": "proxy",
- "url": "https://oglog-os.mytld:9200",
+ "url": "https://oglog-os.${SUBDOMAIN}:9200",
 "user": "",
 "database": "",
 "basicAuth": true,
@@ -20,7 +20,7 @@
 "logMessageField": "",
 "maxConcurrentShardRequests": 5,
 "pplEnabled": true,
- "serverName": "oglog-os.mytld",
+ "serverName": "oglog-os.${SUBDOMAIN}",
 "serverless": false,
 "timeField": "@timestamp",
 "tlsAuth": true,
@@ -64,7 +64,7 @@
 "typeName": "Prometheus",
 "typeLogoUrl": "public/app/plugins/datasource/prometheus/img/prometheus_logo.svg",
 "access": "proxy",
- "url": "https://oglog-prom.mytld:9090",
+ "url": "https://oglog-prom.${SUBDOMAIN}:9090",
 "user": "",
 "database": "",
 "basicAuth": false,
diff --git a/etc/journalbeat/journalbeat.yml b/etc/journalbeat/journalbeat.yml
index 2ee6e65..5a4fb89 100644
--- a/etc/journalbeat/journalbeat.yml
+++ b/etc/journalbeat/journalbeat.yml
@@ -8,14 +8,14 @@ setup.template.settings:
 index.number_of_shards: 1
 output.elasticsearch:
- hosts: ["https://oglog-os.mytld:9200"]
+ hosts: ["https://oglog-os.{SUBDOMAIN}:9200"]
 username: "admin"
- password: "{{OPENSEARCH_INITIAL_ADMIN_PASSWORD}}"
+ password: "${OPENSEARCH_INITIAL_ADMIN_PASSWORD}"
 protocol: "https"
 ssl.enabled: true
 ssl.verification_mode: full
- ssl.certificate: "/etc/journalbeat/oglog-jb.mytld.crt.pem"
- ssl.key: "/etc/journalbeat/oglog-jb.mytld.key.pem"
+ ssl.certificate: "/etc/journalbeat/oglog-jb.{SUBDOMAIN}.crt.pem"
+ ssl.key: "/etc/journalbeat/oglog-jb.{SUBDOMAIN}.key.pem"
 processors:
 - add_docker_metadata: ~
diff --git a/etc/opensearch-dashboards/opensearch_dashboards.yml b/etc/opensearch-dashboards/opensearch_dashboards.yml
index ca51024..167db69 100644
--- a/etc/opensearch-dashboards/opensearch_dashboards.yml
+++ b/etc/opensearch-dashboards/opensearch_dashboards.yml
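Review bot: The three `{SUBDOMAIN}` references in the journalbeat.yml hunk are missing the `$`, so `envsubst` in oglog_installer.sh leaves them literal and Journalbeat is handed `https://oglog-os.{SUBDOMAIN}:9200` and `/etc/journalbeat/oglog-jb.{SUBDOMAIN}.crt.pem`, neither of which exists; the opensearch.yml hunk has the same typo in `pemcert_filepath` and `pemkey_filepath`. Every other template in the patch uses `${SUBDOMAIN}`, so these should read `hosts: ["https://oglog-os.${SUBDOMAIN}:9200"]`, `ssl.certificate: "/etc/journalbeat/oglog-jb.${SUBDOMAIN}.crt.pem"` and `ssl.key: "/etc/journalbeat/oglog-jb.${SUBDOMAIN}.key.pem"`.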
@@ -1,12 +1,12 @@
 server.host: 0.0.0.0
-opensearch.hosts: ["https://oglog-os.mytld:9200"]
+opensearch.hosts: ["https://oglog-os.${SUBDOMAIN}:9200"]
 opensearch.username: "admin"
-opensearch.password: "{{OPENSEARCH_INITIAL_ADMIN_PASSWORD}}"
+opensearch.password: "${OPENSEARCH_INITIAL_ADMIN_PASSWORD}"
 server.ssl.enabled: true
-server.ssl.certificate: /etc/opensearch-dashboards/oglog-osdb.mytld.crt.pem
-server.ssl.key: /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
-opensearch.ssl.certificate: /etc/opensearch-dashboards/oglog-osdb.mytld.crt.pem
-opensearch.ssl.key: /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
+server.ssl.certificate: /etc/opensearch-dashboards/oglog-osdb.${SUBDOMAIN}.crt.pem
+server.ssl.key: /etc/opensearch-dashboards/oglog-osdb.${SUBDOMAIN}.key.pem
+opensearch.ssl.certificate: /etc/opensearch-dashboards/oglog-osdb.${SUBDOMAIN}.crt.pem
+opensearch.ssl.key: /etc/opensearch-dashboards/oglog-osdb.${SUBDOMAIN}.key.pem
 opensearch.ssl.verificationMode: full
 opensearch.ssl.certificateAuthorities: ["/etc/ssl/certs/ca.crt.pem"]
 opensearch.ssl.alwaysPresentCertificate: true
diff --git a/etc/opensearch/opensearch.yml b/etc/opensearch/opensearch.yml
index 79733db..b924a91 100644
--- a/etc/opensearch/opensearch.yml
+++ b/etc/opensearch/opensearch.yml
@@ -1,12 +1,12 @@
 # WARNING: revise all the lines below before you go into production
-network.host: "{{IP_MAQUINA}}"
+network.host: "${OGLOG_IP}"
 plugins.security.ssl.transport.pemcert_filepath: esnode.pem
 plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
 plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
 plugins.security.ssl.transport.enforce_hostname_verification: false
 plugins.security.ssl.http.enabled: true
-plugins.security.ssl.http.pemcert_filepath: oglog-os.mytld.crt.pem
-plugins.security.ssl.http.pemkey_filepath: oglog-os.mytld.key.pem
+plugins.security.ssl.http.pemcert_filepath: oglog-os.{SUBDOMAIN}.crt.pem
+plugins.security.ssl.http.pemkey_filepath: oglog-os.{SUBDOMAIN}.key.pem
 plugins.security.ssl.http.pemtrustedcas_filepath: ca.crt.pem
 plugins.security.allow_unsafe_democertificates: true
 plugins.security.allow_default_init_securityindex: true
diff --git a/etc/prometheus/prometheus.yml b/etc/prometheus/prometheus.yml
index dff0af4..2a06216 100644
--- a/etc/prometheus/prometheus.yml
+++ b/etc/prometheus/prometheus.yml
@@ -5,9 +5,9 @@ global:
 scrape_configs:
 - job_name: ogserver
 static_configs:
- - targets: ['ogserver.mytld:9100']
+ - targets: ['ogserver.${SUBDOMAIN}:9100']
 - job_name: ogagent
 static_configs:
- - targets: ['ogagent.mytld:9100']
+ - targets: ['ogagent.${SUBDOMAIN}:9100']
diff --git a/etc/prometheus/web-config.yml b/etc/prometheus/web-config.yml
index 334916c..18bb410 100644
--- a/etc/prometheus/web-config.yml
+++ b/etc/prometheus/web-config.yml
@@ -1,4 +1,4 @@
 tls_server_config:
- cert_file: /etc/prometheus/oglog-prom.mytld.crt.pem
- key_file: /etc/prometheus/oglog-prom.mytld.key.pem
+ cert_file: /etc/prometheus/oglog-prom.${SUBDOMAIN}.crt.pem
+ key_file: /etc/prometheus/oglog-prom.${SUBDOMAIN}.key.pem
diff --git a/script/journal-upload.sh b/script/journal-upload.sh
index cb8029e..9069c41 100755
--- a/script/journal-upload.sh
+++ b/script/journal-upload.sh
@@ -15,8 +15,6 @@ log "Inicio instalación ogcore: $(date)"
 log "Tamaño inicial del disco:" && df -h /
 log "Carga inicial CPU:" && uptime
-# Variables
-IP_SERVER="${IP_SERVER:?La variable IP_SERVER es requerida}"
 NFS_SERVER="ognartefactos.evlt.uma.es"
 LOCAL_MOUNT="/mnt"
@@ -26,17 +24,54 @@ if ! mountpoint -q "$LOCAL_MOUNT"; then
 mount -t nfs "$NFS_SERVER:/" "$LOCAL_MOUNT"
 fi
+# Cargar variables desde el archivo .env
+ENV_FILE="../.env"
+
+if [ ! -f "$ENV_FILE" ]; then
+ echo "ERROR: No se encontró el archivo .env"
+ exit 1
+fi
+
+export $(grep -v '^#' "$ENV_FILE" | xargs)
+
+# Ejemplo de uso
+echo "OGLOG se instalará en: $OGLOG_IP"
+echo "Base de datos OGCORE en: $OGCORE_IP"
+
+# Validar la contraseña
+if [[ ${#OPENSEARCH_INITIAL_ADMIN_PASSWORD} -lt 12 || \
+ ! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [A-Z] || \
+ ! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [0-9] || \
+ ! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [^a-zA-Z0-9] ]]; then
+ log "ERROR: La contraseña OPENSEARCH_INITIAL_ADMIN_PASSWORD no cumple los requisitos."
+ exit 1
+fi
+
 # Actualizar hosts
-echo "$IP_SERVER oglog-jrem.mytld" >> /etc/hosts
+echo "$OGCORE_IP oglog-jrem.mytld" >> /etc/hosts
 # Instalar dependencias
 apt-get update
 apt-get install -y prometheus-node-exporter systemd-journal-remote
-# Copiar certificados
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/"{ca.crt.pem,ogserver.mytld.crt.pem} /etc/ssl/certs/
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/ogserver.mytld.key.nopass.pem" /etc/ssl/private/ogserver.mytld.key.pem
-chmod 600 /etc/ssl/private/ogserver.mytld.key.pem
+log "Generando certificados para ogcore con subdominio $SUBDOMAIN..."
+
+# Suponemos que el script de generación ya está descargado en /tmp o incluido en la instalación
+./mkcerts.sh "$SUBDOMAIN" "$CERT_PASS"
+
+# Helper
+get_cert_name() {
+ echo "oglog-$1.$SUBDOMAIN"
+}
+
+# Directorio base
+CA_DIR="./CA"
+CERT_NAME=$(get_cert_name "server")
+# Copiar certificados generados
+cp "$CA_DIR/certs/ca.crt.pem" /etc/ssl/certs/
+cp "$CA_DIR/certs/$CERT_NAME.crt.pem" /etc/ssl/certs/
+cp "$CA_DIR/private/$CERT_NAME.key.nopass.pem" /etc/ssl/private/$CERT_NAME.key.pem
+chmod 600 /etc/ssl/private/$CERT_NAME.key.pem
 # Configuración journal-upload
 sed -i -e '/DynamicUser/s/.*/DynamicUser=no/' \
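Review bot: `echo "$OGCORE_IP oglog-jrem.mytld" >> /etc/hosts` maps the journal-remote name to the ogcore address although this script installs ogcore itself and the receiver is set up by oglog_installer.sh on the host at `$OGLOG_IP`, and it keeps the `.mytld` suffix while the certificate generated just below has CN `oglog-jrem.$SUBDOMAIN`; if the upload URL in the next hunk uses that name, hostname verification fails. It should most likely be `echo "$OGLOG_IP oglog-jrem.$SUBDOMAIN" >> /etc/hosts`, ideally guarded so repeated runs do not pile up entries. Running `./mkcerts.sh` here also mints a brand-new CA on this host, independent of the one oglog_installer.sh creates, so the `oglog-server` client certificate will not chain to the CA that journal-remote trusts (`TrustedCertificateFile=/etc/systemd/ca.crt.pem`) unless the `CA` directory is shared between the two hosts out of band, which the old NFS copy did and this patch no longer does. Finally, `export $(grep -v '^#' "$ENV_FILE" | xargs)` word-splits and glob-expands values; `set -a; . "$ENV_FILE"; set +a` is the safer loader.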
@@ -47,9 +82,9 @@ systemctl daemon-reload cat >/etc/systemd/journal-upload.conf < " + exit 1 +fi + rm -rf CA -mkdir CA +mkdir -p CA cd CA cat >openssl.cnf <serial +mkdir -p certs csr newcerts private +chmod 0700 private +touch index.txt +echo 1000 >serial function gen_cert() { - ITEM="$1" - PRIVKEY_PASS="$2" - CA_PASS_FILE="$3" + NAME="$1" + DOMAIN="$NAME.$SUBDOMAIN" + PASS="$CERT_PASS" + CA_PASS_FILE="./ca-pass" - FILE_PRIVKEY_PASS="./$ITEM-pass" - KEY_FILE="private/$ITEM.key.pem" - KEY_NOPASS_FILE="private/$ITEM.key.nopass.pem" - SUBJ="/C=ES/ST=Madrid/L=Madrid/CN=$ITEM" - ADDEXT="subjectAltName=DNS:$ITEM" - CSR="csr/$ITEM.csr.pem" - CERT_FILE="certs/$ITEM.crt.pem" + FILE_PRIVKEY_PASS="./$NAME-pass" + KEY_FILE="private/$DOMAIN.key.pem" + KEY_NOPASS_FILE="private/$DOMAIN.key.nopass.pem" + SUBJ="/C=ES/ST=Madrid/L=Madrid/CN=$DOMAIN" + ADDEXT="subjectAltName=DNS:$DOMAIN" + CSR="csr/$DOMAIN.csr.pem" + CERT_FILE="certs/$DOMAIN.crt.pem" - touch "$FILE_PRIVKEY_PASS" + echo "$PASS" >"$FILE_PRIVKEY_PASS" chmod 0600 "$FILE_PRIVKEY_PASS" - echo "$PRIVKEY_PASS" >"$FILE_PRIVKEY_PASS" openssl genrsa -aes256 -out "$KEY_FILE" -passout file:"$FILE_PRIVKEY_PASS" 2048 openssl rsa -in "$KEY_FILE" -passin file:"$FILE_PRIVKEY_PASS" -out "$KEY_NOPASS_FILE" >/dev/null 2>&1 openssl req -config openssl.cnf -key "$KEY_FILE" -passin file:"$FILE_PRIVKEY_PASS" -new -sha256 -subj "$SUBJ" -addext "$ADDEXT" -out "$CSR" openssl ca -config openssl.cnf -batch -passin file:"$CA_PASS_FILE" -days 375 -notext -md sha256 -in "$CSR" -out "$CERT_FILE" >/dev/null 2>&1 + echo "Dominio generado: $DOMAIN" } - -## gen CA -CA_PASS=CorrectHorseBatteryStapleCA -CA_PASS_FILE=./ca-pass -touch "$CA_PASS_FILE" +## Generar CA +CA_PASS_FILE="./ca-pass" +echo "$CERT_PASS" >"$CA_PASS_FILE" chmod 0600 "$CA_PASS_FILE" -echo "$CA_PASS" >"$CA_PASS_FILE" openssl genrsa -aes256 -out private/ca.key.pem -passout file:"$CA_PASS_FILE" 4096 -#openssl rsa -in private/ca.key.pem -passin file:"$CA_PASS_FILE" -out 
private/ca.key.nopass.pem >/dev/null 2>&1
-openssl req -config openssl.cnf -key private/ca.key.pem -passin file:"$CA_PASS_FILE" -new -x509 -days 7300 -sha256 -subj '/C=ES/ST=Madrid/L=Madrid/CN=ca.mytld' -out certs/ca.crt.pem
+openssl req -config openssl.cnf -key private/ca.key.pem -passin file:"$CA_PASS_FILE" -new -x509 -days 7300 -sha256 -subj "/C=ES/ST=Madrid/L=Madrid/CN=ca.$SUBDOMAIN.mytld" -out certs/ca.crt.pem
+## Componentes a generar certificados
+# COMPONENTES y su correspondencia:
+# "os" → OpenSearch (certificado para /etc/opensearch/)
+# "osdb" → OpenSearch Dashboards (certificado para /etc/opensearch-dashboards/)
+# "jrem" → systemd-journal-remote (certificado para /etc/systemd/)
+# "prom" → Prometheus (certificado para /etc/prometheus/)
+# "graf" → Grafana (certificado para /etc/grafana/)
+# "jb" → Journalbeat del cliente (certificado para /etc/journalbeat/)
+# "agent-fb" → Filebeat del cliente ogagent (certificado para /etc/filebeat/)
+# "server" → Servidor ogcore/ogboot/intermedio (uso genérico del certificado)
-## todos estos en oglog
-gen_cert oglog-os.mytld CorrectHorseBatteryStapleOglogOS "$CA_PASS_FILE"
-gen_cert oglog-osdb.mytld CorrectHorseBatteryStapleOglogOS "$CA_PASS_FILE"
-gen_cert oglog-jrem.mytld CorrectHorseBatteryStapleOglogJRem "$CA_PASS_FILE"
-gen_cert oglog-jb.mytld CorrectHorseBatteryStapleOglogJB "$CA_PASS_FILE"
-gen_cert oglog-prom.mytld CorrectHorseBatteryStapleOglogProm "$CA_PASS_FILE"
-gen_cert oglog-graf.mytld CorrectHorseBatteryStapleOglogGraf "$CA_PASS_FILE"
+COMPONENTES=("os" "osdb" "jrem" "jb" "prom" "graf" "server" "agent-fb")
-## esto podria ser ogcore, ogboot...
-gen_cert ogserver.mytld CorrectHorseBatteryStapleOgserver "$CA_PASS_FILE"
-
-## filebeat del agente
-gen_cert ogagent-fb.mytld CorrectHorseBatteryStapleOgagentFB "$CA_PASS_FILE"
+for comp in "${COMPONENTES[@]}"; do
+ gen_cert "oglog-$comp"
+ echo "address=/oglog-$comp.$SUBDOMAIN/127.0.0.1" >> /tmp/dnsmasq.oglog.conf
+done
 cd ..
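Review bot: In `gen_cert`, `echo "$PASS" >"$FILE_PRIVKEY_PASS"` now runs before `chmod 0600`, so the passphrase file is created under the default umask and is briefly world-readable (the old order was touch, chmod, echo); the CA passphrase file a few lines below has the same inversion, and the start of `gen_cert` lies in the garbled previous line. Write it as `( umask 077; echo "$PASS" >"$FILE_PRIVKEY_PASS" )`, or create the file with `install -m 0600 /dev/null "$FILE_PRIVKEY_PASS"` before echoing into it. The loop also protects the CA key and every leaf key with the same `$CERT_PASS`, so one secret now unlocks the whole hierarchy, and `>> /tmp/dnsmasq.oglog.conf` appends on every run to a predictable path in a world-writable directory without ever truncating it; writing that file under the `CA` directory that the script already owns, with `>` on the first iteration, would avoid both problems. The CA subject `CN=ca.$SUBDOMAIN.mytld` keeps the `.mytld` suffix the rest of the patch removes.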
diff --git a/script/oglog_installer.sh b/script/oglog_installer.sh
index 89e4111..1f84f05 100755
--- a/script/oglog_installer.sh
+++ b/script/oglog_installer.sh
@@ -120,7 +120,8 @@ rm -f /tmp/filebeat.deb
 # Copiar configuraciones desde plantillas locales
 base_dir="$(dirname $(pwd))"
-
+./mkcerts.sh "$SUBDOMAIN" "$CERT_PASS"
+log "Copiando configuraciones desde plantillas locales..."
 files_to_copy=(
 "journalbeat/journalbeat.yml"
 "filebeat/filebeat.yml"
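Review bot: `./mkcerts.sh "$SUBDOMAIN" "$CERT_PASS"` is invoked by a path relative to the current directory and its exit status is ignored, so a missing or failing generator leaves the copy block in the next hunk reading from an absent `./CA`. Resolve it against the script's own location and stop on failure: `"$(dirname "$0")/mkcerts.sh" "$SUBDOMAIN" "$CERT_PASS" || { log "ERROR: mkcerts.sh falló"; exit 1; }`. Because mkcerts.sh begins with `rm -rf CA`, every re-run of this installer also mints a fresh CA and silently invalidates certificates already issued to other hosts; consider skipping generation when `CA/certs/ca.crt.pem` already exists.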
@@ -138,51 +139,59 @@ for file in "${files_to_copy[@]}"; do
 dest="/etc/$file"
 mkdir -p "$(dirname "$dest")"
 cp "$src" "$dest"
- sed -i \
- -e "s/{{IP_MAQUINA}}/$OGLOG_IP/g" \
- -e "s/{{OPENSEARCH_INITIAL_ADMIN_PASSWORD}}/$OPENSEARCH_INITIAL_ADMIN_PASSWORD/g" "$dest"
+ envsubst < "$src" > "$dest"
 done
 chown -R grafana:grafana /etc/grafana/provisioning
-# Copiar certificados específicos
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/ca.crt.pem" /etc/opensearch/
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/oglog-os.mytld.crt.pem" /etc/opensearch/
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/oglog-os.mytld.key.nopass.pem" /etc/opensearch/oglog-os.mytld.key.pem
+# Helper
+get_cert_name() {
+ echo "oglog-$1.$SUBDOMAIN"
+}
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/oglog-osdb.mytld.crt.pem" /etc/opensearch-dashboards/
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/oglog-osdb.mytld.key.nopass.pem" /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
+# Directorio base
+CA_DIR="./CA"
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/ca.crt.pem" /etc/systemd/
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/oglog-jrem.mytld.crt.pem" /etc/systemd/
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/oglog-jrem.mytld.key.nopass.pem" /etc/systemd/oglog-jrem.mytld.key.pem
+# Certificados por componente
+cp "$CA_DIR/certs/ca.crt.pem" /etc/opensearch/
+cp "$CA_DIR/certs/$(get_cert_name os).crt.pem" /etc/opensearch/
+cp "$CA_DIR/private/$(get_cert_name os).key.nopass.pem" /etc/opensearch/$(get_cert_name os).key.pem
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/oglog-prom.mytld.crt.pem" /etc/prometheus/
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/oglog-prom.mytld.key.nopass.pem" /etc/prometheus/oglog-prom.mytld.key.pem
+cp "$CA_DIR/certs/$(get_cert_name osdb).crt.pem" /etc/opensearch-dashboards/
+cp "$CA_DIR/private/$(get_cert_name osdb).key.nopass.pem" /etc/opensearch-dashboards/$(get_cert_name osdb).key.pem
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/oglog-graf.mytld.crt.pem" /etc/grafana/
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/oglog-graf.mytld.key.nopass.pem" /etc/grafana/oglog-graf.mytld.key.pem
+cp "$CA_DIR/certs/ca.crt.pem" /etc/systemd/
+cp "$CA_DIR/certs/$(get_cert_name jrem).crt.pem" /etc/systemd/
+cp "$CA_DIR/private/$(get_cert_name jrem).key.nopass.pem" /etc/systemd/$(get_cert_name jrem).key.pem
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/oglog-jb.mytld.crt.pem" /etc/journalbeat/
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/oglog-jb.mytld.key.nopass.pem" /etc/journalbeat/oglog-jb.mytld.key.pem
+cp "$CA_DIR/certs/$(get_cert_name prom).crt.pem" /etc/prometheus/
+cp "$CA_DIR/private/$(get_cert_name prom).key.nopass.pem" /etc/prometheus/$(get_cert_name prom).key.pem
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/ogagent-fb.mytld.crt.pem" /etc/filebeat/
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/ogagent-fb.mytld.key.nopass.pem" /etc/filebeat/ogagent-fb.mytld.key.pem
+cp "$CA_DIR/certs/$(get_cert_name graf).crt.pem" /etc/grafana/
+cp "$CA_DIR/private/$(get_cert_name graf).key.nopass.pem" /etc/grafana/$(get_cert_name graf).key.pem
-cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/ca.crt.pem" /etc/ssl/certs/
+cp "$CA_DIR/certs/$(get_cert_name jb).crt.pem" /etc/journalbeat/
+cp "$CA_DIR/private/$(get_cert_name jb).key.nopass.pem" /etc/journalbeat/$(get_cert_name jb).key.pem
+
+cp "$CA_DIR/certs/$(get_cert_name agent-fb).crt.pem" /etc/filebeat/
+cp "$CA_DIR/private/$(get_cert_name agent-fb).key.nopass.pem" /etc/filebeat/$(get_cert_name agent-fb).key.pem
+
+cp "$CA_DIR/certs/ca.crt.pem" /etc/ssl/certs/
 ln -sf /etc/ssl/certs/ca.crt.pem /etc/ssl/certs/"$(openssl x509 -in /etc/ssl/certs/ca.crt.pem -hash -noout).0"
 # Permisos específicos
 chown opensearch:opensearch /etc/opensearch/*
 chown opensearch-dashboards:opensearch-dashboards /etc/opensearch-dashboards/*
-chown systemd-journal-remote:systemd-journal-remote /etc/systemd/oglog-jrem.mytld.*
-chown prometheus:prometheus /etc/prometheus/oglog-prom.mytld.*
-chown grafana:grafana /etc/grafana/oglog-graf.mytld.*
+chown systemd-journal-remote:systemd-journal-remote /etc/systemd/$(get_cert_name jrem).*
+chown prometheus:prometheus /etc/prometheus/$(get_cert_name prom).*
+chown grafana:grafana /etc/grafana/$(get_cert_name graf).*
 install -d -o systemd-journal-remote -g systemd-journal-remote -m 0750 /var/log/journal/remote
-sed -i -e '/ServerKeyFile/ s%.*%ServerKeyFile=/etc/systemd/oglog-jrem.mytld.key.pem%' /etc/systemd/journal-remote.conf
-sed -i -e '/ServerCertificateFile/s%.*%ServerCertificateFile=/etc/systemd/oglog-jrem.mytld.crt.pem%' /etc/systemd/journal-remote.conf
-sed -i -e '/TrustedCertificateFile/s%.*%TrustedCertificateFile=/etc/systemd/ca.crt.pem%' /etc/systemd/journal-remote.conf
+
+sed -i -e "/ServerKeyFile/ s%.*%ServerKeyFile=/etc/systemd/$(get_cert_name jrem).key.pem%" /etc/systemd/journal-remote.conf
+sed -i -e "/ServerCertificateFile/s%.*%ServerCertificateFile=/etc/systemd/$(get_cert_name jrem).crt.pem%" /etc/systemd/journal-remote.conf
+sed -i -e "/TrustedCertificateFile/s%.*%TrustedCertificateFile=/etc/systemd/ca.crt.pem%" /etc/systemd/journal-remote.conf
+
 if ! grep -q -- "--web.config.file=/etc/prometheus/web-config.yml" /etc/default/prometheus; then
 sed -i -e '/^ARGS/s%"$% --web.config.file=/etc/prometheus/web-config.yml"%' /etc/default/prometheus
 fi
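Review bot: `envsubst < "$src" > "$dest"` rewrites every `$`-expression in each template, not only the ones this patch introduces, so any literal `$` the consuming service expects (Grafana's own `${VAR}` syntax in grafana.ini, `$1`-style relabel references in prometheus.yml, if any are present) is blanked; restrict it to the intended variables with `envsubst '${SUBDOMAIN} ${OGLOG_IP} ${OPENSEARCH_INITIAL_ADMIN_PASSWORD}' < "$src" > "$dest"`. The `cp "$src" "$dest"` just above is overwritten immediately by that redirection and can be dropped. `CA_DIR="./CA"` ties the whole copy block to the working directory; deriving it from `$base_dir` or `$(dirname "$0")` would match how `base_dir` is computed earlier in the file. The `for` loop that these lines belong to starts outside the hunk.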
@@ -213,16 +222,12 @@ for service in "${services_to_restart[@]}"; do
 sleep 5
 done
-# Añadimos la posconfiguracion una vez opensearch esta corriendo
-# Configuración de OpenSearch
-
-#Index pattern para filebeat
-
-curl -X POST "https://oglog-os.mytld:9200/.kibana/_doc/index-pattern:filebeat-*" \
- --cert /etc/journalbeat/oglog-jb.mytld.crt.pem \
- --key /etc/journalbeat/oglog-jb.mytld.key.pem \
- -u admin:CorrectHorse_BatteryStaple1 \
+# Index pattern para filebeat
+curl -X POST "https://oglog-os.${SUBDOMAIN}:9200/.kibana/_doc/index-pattern:filebeat-*" \
+ --cert "/etc/journalbeat/$(get_cert_name jb).crt.pem" \
+ --key "/etc/journalbeat/$(get_cert_name jb).key.pem" \
+ -u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" \
 -H 'Content-Type: application/json' \
 -d '{
 "type": "index-pattern",
@@ -232,11 +237,11 @@ curl -X POST "https://oglog-os.mytld:9200/.kibana/_doc/index-pattern:filebeat-*"
 }
 }'
-# Index pattern para Journalbeat
-curl -X POST "https://oglog-os.mytld:9200/.kibana/_doc/index-pattern:journalbeat-*" \
- --cert /etc/journalbeat/oglog-jb.mytld.crt.pem \
- --key /etc/journalbeat/oglog-jb.mytld.key.pem \
- -u admin:CorrectHorse_BatteryStaple1 \
+# Index pattern para journalbeat
+curl -X POST "https://oglog-os.${SUBDOMAIN}:9200/.kibana/_doc/index-pattern:journalbeat-*" \
+ --cert "/etc/journalbeat/$(get_cert_name jb).crt.pem" \
+ --key "/etc/journalbeat/$(get_cert_name jb).key.pem" \
+ -u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" \
 -H 'Content-Type: application/json' \
 -d '{
 "type": "index-pattern",
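Review bot: `-u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD"` places the admin password on the curl command line, where any local user can read it from the process list for the duration of each call; this applies to the POST in this hunk, the journalbeat one that follows, and the pipeline, search and import hunks further down. Passing it through a curl config file read from a process substitution keeps it out of argv: `-K <(printf 'user = "admin:%s"\n' "$OPENSEARCH_INITIAL_ADMIN_PASSWORD")`. None of these calls check the HTTP status either, so a rejected index-pattern document goes unnoticed by the installer; `--fail -sS` would surface it. Replacing the hard-coded `CorrectHorse_BatteryStaple1` with the variable is the right direction, but the same literal still sits in the committed `.env`.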
@@ -246,15 +251,14 @@ curl -X POST "https://oglog-os.mytld:9200/.kibana/_doc/index-pattern:journalbeat
 }
 }'
-
 echo "Importar pipelines de ingestión de OpenSearch"
 jq -c 'to_entries[]' "$base_dir/etc/opensearch/pipelines.json" | while read -r entry; do
 name=$(echo "$entry" | jq -r '.key')
 body=$(echo "$entry" | jq -c '.value')
- curl -X PUT "https://oglog-os.mytld:9200/_ingest/pipeline/$name" \
- --cert /etc/journalbeat/oglog-jb.mytld.crt.pem \
- --key /etc/journalbeat/oglog-jb.mytld.key.pem \
+ curl -X PUT "https://oglog-os.${SUBDOMAIN}:9200/_ingest/pipeline/$name" \
+ --cert "/etc/journalbeat/$(get_cert_name jb).crt.pem" \
+ --key "/etc/journalbeat/$(get_cert_name jb).key.pem" \
 -u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" \
 -H "Content-Type: application/json" \
 -d "$body"
@@ -262,28 +266,37 @@ done
 echo "Importar búsquedas personalizadas de OpenSearch Dashboards"
-# Obtener los IDs reales
+# Obtener los IDs reales de index pattern
+JOURNALBEAT_ID=$(curl -s -X GET "https://oglog-os.${SUBDOMAIN}:9200/.kibana/_search?q=type:index-pattern" \
+ --cert "/etc/journalbeat/$(get_cert_name jb).crt.pem" \
+ --key "/etc/journalbeat/$(get_cert_name jb).key.pem" \
+ -u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" \
+ | jq -r '.hits.hits[] | "\(.["_id"])\t\(.["_source"]["index-pattern"].title)"' \
+ | grep 'journalbeat-*' | cut -f1 | cut -d':' -f2)
-JOURNALBEAT_ID=$(curl -s -X GET "https://oglog-os.mytld:9200/.kibana/_search?q=type:index-pattern" --cert /etc/journalbeat/oglog-jb.mytld.crt.pem --key /etc/journalbeat/oglog-jb.mytld.key.pem -u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" | jq -r '.hits.hits[] | "\(.["_id"])\t\(.["_source"]["index-pattern"].title)"' | grep 'journalbeat-*' | cut -f1 | cut -d':' -f2)
+FILEBEAT_ID=$(curl -s -X GET "https://oglog-os.${SUBDOMAIN}:9200/.kibana/_search?q=type:index-pattern" \
+ --cert "/etc/journalbeat/$(get_cert_name jb).crt.pem" \
+ --key "/etc/journalbeat/$(get_cert_name jb).key.pem" \
+ -u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" \
+ | jq -r '.hits.hits[] | "\(.["_id"])\t\(.["_source"]["index-pattern"].title)"' \
+ | grep 'filebeat-*' | cut -f1 | cut -d':' -f2)
-FILEBEAT_ID=$(curl -s -X GET "https://oglog-os.mytld:9200/.kibana/_search?q=type:index-pattern" --cert /etc/journalbeat/oglog-jb.mytld.crt.pem --key /etc/journalbeat/oglog-jb.mytld.key.pem -u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" | jq -r '.hits.hits[] | "\(.["_id"])\t\(.["_source"]["index-pattern"].title)"' | grep 'filebeat-*' | cut -f1 | cut -d':' -f2)
-
-
-# Sustituir las variables en el fichero ndjson (sin modificar el original si quieres)
+# Sustituir variables en el fichero ndjson (sin modificar el original si quieres)
 cp "$base_dir/etc/opensearch-dashboards/saved_searches.ndjson" /tmp/saved_searches_modified.ndjson
 sed -i "s|__journalbeat_index__|$JOURNALBEAT_ID|g" /tmp/saved_searches_modified.ndjson
 sed -i "s|__filebeat_index__|$FILEBEAT_ID|g" /tmp/saved_searches_modified.ndjson
 # Importar con overwrite
-curl -X POST "https://oglog-osdb.mytld:5601/api/saved_objects/_import?overwrite=true" \
- --cert /etc/journalbeat/oglog-jb.mytld.crt.pem \
- --key /etc/journalbeat/oglog-jb.mytld.key.pem \
- -u admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD \
+curl -X POST "https://oglog-osdb.${SUBDOMAIN}:5601/api/saved_objects/_import?overwrite=true" \
+ --cert "/etc/journalbeat/$(get_cert_name jb).crt.pem" \
+ --key "/etc/journalbeat/$(get_cert_name jb).key.pem" \
+ -u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" \
 -H "osd-xsrf: true" \
 -F "file=@/tmp/saved_searches_modified.ndjson"
+
 # Después de los reinicios
 log "Verificación final de servicios:"
 systemctl is-active journalbeat filebeat opensearch opensearch-dashboards prometheus grafana-server
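Review bot: `JOURNALBEAT_ID` and `FILEBEAT_ID` feed the two `sed` substitutions unconditionally, so if the search request fails or matches nothing (curl runs with `-s` and no `--fail`, and the pipeline has no `pipefail`) the placeholders are replaced with empty strings and the import quietly produces saved objects that point at no index pattern. Add a guard before the `cp`: `if [ -z "$JOURNALBEAT_ID" ] || [ -z "$FILEBEAT_ID" ]; then log "ERROR: no se pudieron obtener los IDs de index pattern"; exit 1; fi`. The `grep 'journalbeat-*'` filter is a regex matching `journalbeat` followed by any number of dashes rather than the literal title `journalbeat-*`; `grep -F $'\tjournalbeat-*'` matches the tab-separated title exactly and the same applies to the filebeat lookup. Writing the rendered ndjson, which now carries real object IDs, to a fixed name under /tmp is also open to pre-creation by another local user; `mktemp` would avoid that.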