The main goal of this role is to set up the Elasticsearch and/or Kibana service based on the OpenSearch distribution of Elasticsearch. The current role definition deploys the Elasticsearch service and configures tenants and the users belonging to those tenants.

The current deployment configures users and tenants in the internal_users file, which is a "file database". In the future the configuration will be moved to the Keycloak auth system.
A simple playbook to deploy a node with OpenSearch and Kibana on a single machine:

```yaml
- hosts: somehost
  become: true
  vars:
    tenant_configuration:
      sftests.com:
        kibana_autologin: "basic"
    internal_users:
      - user: "admin"
        role: "admin"
        password: "admin"
      - user: "kibanaserver"
        role: "kibanauser"
        password: "kibanaserver"
    users:
      - user: "admin"
        role: "admin"
        password: "admin"
        tenant: "sftests.com"
      - user: "logstash"
        role: "logstash"
        password: "logstash"
        tenant: "sftests.com"
      - user: "curator"
        role: "curator"
        password: "curator"
        tenant: "sftests.com"
      - user: "kibana"
        role: "readonly"
        password: "kibana"
        tenant: "sftests.com"
      - user: "zuul"
        role: "admin"
        password: "zuul"
        tenant: "sftests.com"
  tasks:
    - name: Setup ELK stack
      include_role:
        name: ansible-role-elastic-recheck
        tasks_from: main.yml
```

The `vars` section carries the user definitions, which look like this:
```yaml
vars:
  internal_users:
    - user: "admin"
      role: "admin"
      password: "<password>"
    - user: "kibanaserver"
      role: "kibanauser"
      password: "<password>"
  users:
    - user: "<user>"
      role: "<backend role>"
      password: "<user password>"
      tenant: "<tenant name | replace('.', '_') | replace('-', '_') >"
```

The internal_users list sets up the users that are used by internal services. The most important one is the kibanaserver user, which must be specified whenever the Kibana service is included. The kibanaserver user has a specific configuration and should not be changed.
The users dict is "mapped" in the Ansible role with the following convention:

```
<user>_<tenant | replace('.', '_') | replace('-', '_')>
```

For example, when the user definition looks like:

```yaml
users:
  - {user: "admin", role: "admin", password: "admin", tenant: 'sftests.com'}
```

the generated user name is:

```
admin_sftests_com
```
The backend roles configuration can be found here and here.

This is done because each tenant has its own admin user, kibana (readonly) user and others; suffixing the user name with the tenant avoids user name conflicts in internal_users.yaml. As mentioned above, users will in the future be migrated to the Keycloak auth system, which should give more options for user configuration.
Available roles:

- admin
- readonly
- kibanauser (only for the kibanaserver user; see the Software Factory integration section)
The Software Factory project can be configured to use the ansible-role-elastic-recheck role. To do that, first configure the users that will later be used by the sfconfig tool.

The sfconfig.yaml file needs a dedicated parameter:
```yaml
external_opensearch:
  host: https://opensearch-host-2:9200
  cacert_path: /etc/opensearch/opensearch/certs/localCA.pem
  suffix: sftests_com
  users:
    curator_sftests_com:
      password: curator
      role: curator
    logstash_sftests_com:
      password: logstash
      role: logstash
    kibana_sftests_com:
      password: kibana
      role: readonly
kibana:
  readonly_user_autologin: Basic
  host_url: http://opensearch-host-2:5601
```

Where:
- in external_opensearch:
  - host - the OpenSearch API URL
  - cacert_path - the CA certificate that Logstash verifies on start
  - suffix - the tenant name; Logstash uses it to configure the destination index pattern where the metrics are sent
  - users - the user definitions that were also configured on the OpenSearch host. NOTE: each user name must be correct, that is, it must include the tenant name. The role subkey defines what type of user should be configured. Mostly it is used to set up the correct user for the Logstash service, but if, for example, you would like to set up your own Kibana service, you need to choose the kibanaserver role for that user. So far the kibanaserver user has a very specific configuration and the ansible-role-elastic-recheck role does not configure it.
- in kibana:
  - readonly_user_autologin - if Basic is set, a special location is created in the Apache2 config that injects the authentication header, so the user does not need to fill in the login form (every request through that location is therefore authenticated as the readonly user). Alternative options: None, JWT. NOTE: this role only supports the Basic parameter.
  - host_url - the Kibana service endpoint.
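The `<user>_<tenant>` naming convention described earlier and the requirement above that every sfconfig.yaml user name include the tenant name can both be checked mechanically before running sfconfig. The following Python script is an added example and is not part of ansible-role-elastic-recheck or Software Factory: it derives the internal user names from a `users` list the same way the role's `replace` filters do, refuses a name collision, and reports `external_opensearch.users` keys that do not end in the tenant suffix. The function names and the sample data are the example's own, with values mirroring the README.

```python
"""Added example: derive and validate the per-tenant user names that
ansible-role-elastic-recheck and sfconfig.yaml expect. Standard library only."""
from typing import Dict, List


def tenant_suffix(tenant: str) -> str:
    """Apply the documented filter chain: replace('.', '_') | replace('-', '_')."""
    return tenant.replace(".", "_").replace("-", "_")


def internal_username(user: str, tenant: str) -> str:
    """<user>_<tenant suffix>, e.g. admin + sftests.com -> admin_sftests_com."""
    return f"{user}_{tenant_suffix(tenant)}"


def expand_users(users: List[dict]) -> Dict[str, dict]:
    """Map each ``users`` entry to the name that lands in internal_users.yaml.

    A collision would silently overwrite one tenant's user with another's, so
    it is reported instead of tolerated; the tenant suffix exists to prevent it.
    """
    out: Dict[str, dict] = {}
    for entry in users:
        name = internal_username(entry["user"], entry["tenant"])
        if name in out:
            raise ValueError(f"internal user name collision: {name}")
        out[name] = {
            "role": entry["role"],
            "password": entry["password"],
            "tenant": entry["tenant"],
        }
    return out


def check_external_opensearch(cfg: dict) -> List[str]:
    """Return problems found in an ``external_opensearch`` block.

    The suffix must already be in filtered form, and every key under
    ``users`` must carry ``_<suffix>`` so it matches the OpenSearch side.
    """
    problems: List[str] = []
    suffix = cfg.get("suffix", "")
    if suffix != tenant_suffix(suffix):
        problems.append(
            f"suffix {suffix!r} contains '.' or '-'; expected {tenant_suffix(suffix)!r}"
        )
    for name in cfg.get("users", {}):
        if not name.endswith("_" + suffix):
            problems.append(
                f"user {name!r} does not carry the tenant suffix '_{suffix}'"
            )
    return problems


# Constructed sample input (mirrors the README's values; the second tenant is
# made up to show that two tenants may both define an "admin" user).
SAMPLE_USERS = [
    {"user": "admin", "role": "admin", "password": "admin", "tenant": "sftests.com"},
    {"user": "logstash", "role": "logstash", "password": "logstash", "tenant": "sftests.com"},
    {"user": "admin", "role": "admin", "password": "other", "tenant": "other-tenant.org"},
]

# Constructed sfconfig fragment with one deliberately wrong key ("logstash"
# lacks the tenant suffix) so the check has something to report.
SAMPLE_EXTERNAL = {
    "host": "https://opensearch-host-2:9200",
    "suffix": "sftests_com",
    "users": {
        "curator_sftests_com": {"password": "curator", "role": "curator"},
        "logstash": {"password": "logstash", "role": "logstash"},
    },
}

if __name__ == "__main__":
    for name, info in expand_users(SAMPLE_USERS).items():
        print(f"{name}: role={info['role']} tenant={info['tenant']}")
    for problem in check_external_opensearch(SAMPLE_EXTERNAL):
        print("sfconfig problem:", problem)
```

Run it as a plain script to list the generated names and any sfconfig.yaml problems; the same two functions can be wired into a pre-flight check before `sfconfig` is invoked.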
Before you run the sfconfig tool, remember to add the external OpenSearch FQDN to the network static_hostnames, for example:

```yaml
network:
  (...)
  static_hostnames:
    - "123.123.123.123 opensearch.sftests.com"
```

Then run the sfconfig tool.
The role can enable SSL support for the frontend service, i.e. Apache2. To configure it, set the variables as in this example:

```yaml
vars:
  setup_ssl: true
  ssl_cert_file: /etc/letsencrypt/live/opensearch.sftests.com/cert.pem
  ssl_key_file: /etc/letsencrypt/live/opensearch.sftests.com/privkey.pem
  ssl_chain_file: /etc/letsencrypt/live/opensearch.sftests.com/fullchain.pem
```

Manual configuration is described in one of the OpenSearch issues. This role can also configure OpenSearch itself to use Let's Encrypt certs, but that is not recommended. If you would like to use it, set the variables as in this example:
```yaml
vars:
  # Configure OpenSearch SSL; the same variables also configure
  # Opensearch-dashboards SSL, so they are set only once.
  opensearch_ssl_key_file: /etc/letsencrypt/live/opensearch.sftests.com/privkey.pem
  opensearch_ssl_cert_file: /etc/letsencrypt/live/opensearch.sftests.com/fullchain.pem
  opensearch_ssl_ca_url: https://letsencrypt.org/certs/lets-encrypt-r3.pem
```