Loading .gitlab-ci.yml +71 −12 Original line number Diff line number Diff line image: docker:stable stages: - package - test-package - deploy docker-build-dev: docker-build-commit-non-master-branches: stage: package image: docker:stable variables: DOCKER_DRIVER: overlay2 PARENT_IMAGE_NAME: registry.gitlab.com/redmic-project/docker/elasticsearch-xpack PARENT_IMAGE_TAG: latest services: - docker:dind only: Loading @@ -17,23 +18,44 @@ docker-build-dev: - master script: - docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY} - docker build -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}-latest . - > docker build --build-arg PARENT_IMAGE_NAME=${PARENT_IMAGE_NAME} --build-arg PARENT_IMAGE_TAG=${PARENT_IMAGE_TAG} -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}-latest . - docker push ${CI_REGISTRY_IMAGE} docker-build-pro: docker-build-commit-master-branch: stage: package image: docker:stable variables: DOCKER_DRIVER: overlay2 PARENT_IMAGE_NAME: registry.gitlab.com/redmic-project/docker/elasticsearch-xpack PARENT_IMAGE_TAG: latest services: - docker:dind only: - master script: - docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY} - docker build -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} -t ${CI_REGISTRY_IMAGE}:latest . - > docker build --build-arg PARENT_IMAGE_NAME=${PARENT_IMAGE_NAME} --build-arg PARENT_IMAGE_TAG=${PARENT_IMAGE_TAG} -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} -t ${CI_REGISTRY_IMAGE}:latest . - docker push ${CI_REGISTRY_IMAGE} docker-tag-already-built-image: stage: package image: docker:stable variables: DOCKER_DRIVER: overlay2 services: - docker:dind only: - tags script: - docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY} - docker tag ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} ${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG} - docker push ${CI_REGISTRY_IMAGE} container_scanning: container-scanning: stage: test-package image: docker:stable variables: Loading 
@@ -43,8 +65,6 @@ container_scanning: - docker:stable-dind only: - branches except: - master script: - docker run -d --name db arminc/clair-db:latest - docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1 Loading @@ -55,7 +75,9 @@ container_scanning: - mv clair-scanner_linux_amd64 clair-scanner - chmod +x clair-scanner - touch clair-whitelist.yml - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} || true - > ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} || true artifacts: paths: [gl-sast-container-report.json] Loading 
@@ -69,21 +91,54 @@ deploy-dev: IMAGE_NAME: ${CI_REGISTRY_IMAGE} IMAGE_TAG: ${CI_COMMIT_SHA} COMPOSE_FILE: docker-compose.tmpl.yml:docker-compose.dev.yml OLD_ELASTIC_ADMIN_PASS: ${DEV_OLD_ELASTIC_ADMIN_PASS} ELASTIC_ADMIN_PASS: ${DEV_ELASTIC_ADMIN_PASS} ELASTIC_USER: ${DEV_ELASTIC_USER} ELASTIC_USER_PASS: ${DEV_ELASTIC_USER_PASS} ELASTIC_USER_ROLE: ${DEV_ELASTIC_USER_ROLE} services: - docker:dind script: - create-nets.sh elastic-net - > deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE} ELASTIC_USER=${ELASTIC_USER} ELASTIC_USER_PASS=${ELASTIC_USER_PASS} OLD_ELASTIC_ADMIN_PASS=${OLD_ELASTIC_ADMIN_PASS} ELASTIC_ADMIN_PASS=${ELASTIC_ADMIN_PASS} ELASTIC_USER=${ELASTIC_USER} ELASTIC_USER_PASS=${ELASTIC_USER_PASS} ELASTIC_USER_ROLE=${ELASTIC_USER_ROLE} environment: name: dev only: - dev when: manual deploy-supporting-branch: stage: deploy image: registry.gitlab.com/redmic-project/docker/docker-deploy variables: DOCKER_DRIVER: overlay2 SSH_REMOTE: ${DEV_SSH_REMOTE} SERVICE: ${CI_PROJECT_NAME} IMAGE_NAME: ${CI_REGISTRY_IMAGE} IMAGE_TAG: ${CI_COMMIT_SHA} COMPOSE_FILE: docker-compose.tmpl.yml:docker-compose.dev.yml OLD_ELASTIC_ADMIN_PASS: ${DEV_OLD_ELASTIC_ADMIN_PASS} ELASTIC_ADMIN_PASS: ${DEV_ELASTIC_ADMIN_PASS} ELASTIC_USER: ${DEV_ELASTIC_USER} ELASTIC_USER_PASS: ${DEV_ELASTIC_USER_PASS} ELASTIC_USER_ROLE: ${DEV_ELASTIC_USER_ROLE} services: - docker:dind script: - > deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE} OLD_ELASTIC_ADMIN_PASS=${OLD_ELASTIC_ADMIN_PASS} ELASTIC_ADMIN_PASS=${ELASTIC_ADMIN_PASS} ELASTIC_USER=${ELASTIC_USER} ELASTIC_USER_PASS=${ELASTIC_USER_PASS} ELASTIC_USER_ROLE=${ELASTIC_USER_ROLE} environment: name: dev only: - branches except: - master - dev when: manual deploy-pro: Loading 
@@ -96,15 +151,19 @@ deploy-pro: IMAGE_NAME: ${CI_REGISTRY_IMAGE} IMAGE_TAG: ${CI_COMMIT_SHA} COMPOSE_FILE: docker-compose.tmpl.yml:docker-compose.prod.yml OLD_ELASTIC_ADMIN_PASS: ${PRO_OLD_ELASTIC_ADMIN_PASS} ELASTIC_ADMIN_PASS: ${PRO_ELASTIC_ADMIN_PASS} ELASTIC_USER: ${PRO_ELASTIC_USER} ELASTIC_USER_PASS: ${PRO_ELASTIC_USER_PASS} ELASTIC_USER_ROLE: ${PRO_ELASTIC_USER_ROLE} services: - docker:dind script: - create-nets.sh elastic-net - > deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE} ELASTIC_USER=${ELASTIC_USER} ELASTIC_USER_PASS=${ELASTIC_USER_PASS} OLD_ELASTIC_ADMIN_PASS=${OLD_ELASTIC_ADMIN_PASS} ELASTIC_ADMIN_PASS=${ELASTIC_ADMIN_PASS} ELASTIC_USER=${ELASTIC_USER} ELASTIC_USER_PASS=${ELASTIC_USER_PASS} ELASTIC_USER_ROLE=${ELASTIC_USER_ROLE} environment: name: pro only: Loading Dockerfile +8 −4 Original line number Diff line number Diff line FROM registry.gitlab.com/redmic-project/docker/elasticsearch-xpack:latest ARG PARENT_IMAGE_NAME ARG PARENT_IMAGE_TAG FROM ${PARENT_IMAGE_NAME}:${PARENT_IMAGE_TAG} ENV ES_CLUSTER_NAME="clustername" \ ES_NODE_NAME="nodename" \ Loading @@ -11,8 +14,9 @@ ENV ES_CLUSTER_NAME="clustername" \ ES_NETWORK_BIND_HOST="0.0.0.0" \ ES_NETWORK_PUBLISH_HOST="_eth0_" \ ES_DISCOVERY_ZEN_MINIMUM_MASTER_NODES=2 \ ES_PATH="/usr/share/elasticsearch" \ ES_DATA_PATH="/usr/share/elasticsearch/data" ES_PATH="/usr/share/elasticsearch" ENV ES_DATA_PATH="${ES_PATH}/data" RUN apt-get update && \ apt-get install -y --no-install-recommends \ Loading @@ -20,7 +24,7 @@ RUN apt-get update && \ dnsutils && \ ulimit -n 65536 COPY config/ /usr/share/elasticsearch/config/ COPY config/ ${ES_PATH}/config/ COPY scripts/ / VOLUME ["${ES_DATA_PATH}"] Loading docker-compose.tmpl.yml +6 −1 Original line number Diff line number Diff line Loading 
@@ -9,6 +9,11 @@ services: - ES_BOOTSTRAP_MEMORY_LOCK=true - ES_JAVA_OPTS=-Xms2g -Xmx2g -Djava.security.policy=file:///usr/share/elasticsearch/config/grovy-classes_whitelist.policy - ES_PLUGINS - OLD_ELASTIC_ADMIN_PASS - ELASTIC_ADMIN_PASS - ELASTIC_USER - ELASTIC_USER_PASS - ELASTIC_USER_ROLE ulimits: memlock: soft: -1 Loading @@ -18,7 +23,7 @@ services: interval: 30s timeout: 10s retries: 3 start_period: 2m start_period: 5m networks: elastic-net: Loading scripts/docker-entrypoint.sh +9 −7 Original line number Diff line number Diff line #!/bin/bash FILENAME="elasticsearch" TEMPLATE_FILENAME="elasticsearch" OTHER_NODES="" chown -R elasticsearch:elasticsearch ${ES_DATA_PATH} Loading Loading @@ -39,7 +39,7 @@ if [ -n "${SWARM_MODE}" ]; then fi fi envsubst < /${FILENAME}.template > ${ES_PATH}/config/${FILENAME}.yml envsubst < /${TEMPLATE_FILENAME}.template > ${ES_PATH}/config/${TEMPLATE_FILENAME}.yml # Search nodes if [ -n "${OTHER_NODES}" ];then Loading @@ -47,7 +47,7 @@ if [ -n "${OTHER_NODES}" ];then export ES_DISCOVERY_ZEN_PING_UNICAST_HOSTS=${OTHER_NODES%,} ES_DISCOVERY_ZEN_PING_UNICAST_HOSTS=",${ES_DISCOVERY_ZEN_PING_UNICAST_HOSTS}" echo "discovery.zen.ping.unicast.hosts: ${ES_DISCOVERY_ZEN_PING_UNICAST_HOSTS}" \ | sed -e 's/,/\n - /g' >> ${ES_PATH}/config/${FILENAME}.yml | sed -e 's/,/\n - /g' >> ${ES_PATH}/config/${TEMPLATE_FILENAME}.yml else echo "There is no another nodes in cluster. I am alone!" fi Loading @@ -68,8 +68,8 @@ function check_credentials_s3() { exit 1 fi echo "cloud.aws.s3.access_key: ${AWS_ACCESS_KEY_ID}" >> ${ES_PATH}/config/${FILENAME}.yml echo "cloud.aws.s3.secret_key: ${AWS_SECRET_ACCESS_KEY}" >> ${ES_PATH}/config/${FILENAME}.yml echo "cloud.aws.s3.access_key: ${AWS_ACCESS_KEY_ID}" >> ${ES_PATH}/config/${TEMPLATE_FILENAME}.yml echo "cloud.aws.s3.secret_key: ${AWS_SECRET_ACCESS_KEY}" >> ${ES_PATH}/config/${TEMPLATE_FILENAME}.yml } Loading 
@@ -91,6 +91,8 @@ for PLUGIN in "${PLUGINS[@]}"; do fi done cat ${ES_PATH}/config/${FILENAME}.yml cat ${ES_PATH}/config/${TEMPLATE_FILENAME}.yml ./manage-users.sh & disown gosu elasticsearch "$@" scripts/manage-users.sh 0 → 100755 +78 −0 Original line number Diff line number Diff line #!/bin/sh ELASTIC_ADMIN=elastic retryManageUsers=true while [ ${retryManageUsers} ] do responseStatus=$(curl --write-out %{http_code} --silent --output /dev/null \ -u "${ELASTIC_ADMIN}:${ELASTIC_ADMIN_PASS}" \ localhost:9200/_cluster/health) echo "Trying to manage users, got ${responseStatus} response" if [ "${responseStatus}" -eq "401" ] || [ "${responseStatus}" -eq "200" ] then retryManageUsers=false else sleep 1 continue fi echo "Trying to update admin password" if [ "${responseStatus}" -eq "401" ] then curl -XPUT -u "${ELASTIC_ADMIN}:${OLD_ELASTIC_ADMIN_PASS}" \ "localhost:9200/_xpack/security/user/${ELASTIC_ADMIN}/_password" \ -H "Content-Type: application/json" -d "{ \"password\": \"${ELASTIC_ADMIN_PASS}\" }" if [ "${?}" -eq "0" ] then echo "Admin password updated" fi else echo "Admin password already updated" fi echo "Trying to create default role and user" responseStatus=$(curl --write-out %{http_code} --silent --output /dev/null \ -u "${ELASTIC_ADMIN}:${ELASTIC_ADMIN_PASS}" \ "localhost:9200/_xpack/security/role/${ELASTIC_USER_ROLE}") if [ "${responseStatus}" -eq "404" ] then curl -XPOST -u "${ELASTIC_ADMIN}:${ELASTIC_ADMIN_PASS}" \ "localhost:9200/_xpack/security/role/${ELASTIC_USER_ROLE}" \ -H "Content-Type: application/json" -d '{ "run_as": [], "cluster": [ "monitor" ], "indices": [{ "names": [ "*" ], "privileges": [ "all" ] }] }' if [ "${?}" -eq "0" ] then echo "Role created" fi curl -XPOST -u "${ELASTIC_ADMIN}:${ELASTIC_ADMIN_PASS}" \ "localhost:9200/_xpack/security/user/${ELASTIC_USER}" \ -H "Content-Type: application/json" -d "{ \"password\": \"${ELASTIC_USER_PASS}\", \"roles\": [ \"${ELASTIC_USER_ROLE}\" ] }" if [ "${?}" -eq "0" ] then echo "User created" fi else echo 
"Default role already created, default user should has been created too" fi done Loading
.gitlab-ci.yml +71 −12 Original line number Diff line number Diff line image: docker:stable stages: - package - test-package - deploy docker-build-dev: docker-build-commit-non-master-branches: stage: package image: docker:stable variables: DOCKER_DRIVER: overlay2 PARENT_IMAGE_NAME: registry.gitlab.com/redmic-project/docker/elasticsearch-xpack PARENT_IMAGE_TAG: latest services: - docker:dind only: Loading @@ -17,23 +18,44 @@ docker-build-dev: - master script: - docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY} - docker build -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}-latest . - > docker build --build-arg PARENT_IMAGE_NAME=${PARENT_IMAGE_NAME} --build-arg PARENT_IMAGE_TAG=${PARENT_IMAGE_TAG} -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}-latest . - docker push ${CI_REGISTRY_IMAGE} docker-build-pro: docker-build-commit-master-branch: stage: package image: docker:stable variables: DOCKER_DRIVER: overlay2 PARENT_IMAGE_NAME: registry.gitlab.com/redmic-project/docker/elasticsearch-xpack PARENT_IMAGE_TAG: latest services: - docker:dind only: - master script: - docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY} - docker build -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} -t ${CI_REGISTRY_IMAGE}:latest . - > docker build --build-arg PARENT_IMAGE_NAME=${PARENT_IMAGE_NAME} --build-arg PARENT_IMAGE_TAG=${PARENT_IMAGE_TAG} -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} -t ${CI_REGISTRY_IMAGE}:latest . - docker push ${CI_REGISTRY_IMAGE} docker-tag-already-built-image: stage: package image: docker:stable variables: DOCKER_DRIVER: overlay2 services: - docker:dind only: - tags script: - docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY} - docker tag ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} ${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG} - docker push ${CI_REGISTRY_IMAGE} container_scanning: container-scanning: stage: test-package image: docker:stable variables: Loading 
@@ -43,8 +65,6 @@ container_scanning: - docker:stable-dind only: - branches except: - master script: - docker run -d --name db arminc/clair-db:latest - docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1 Loading @@ -55,7 +75,9 @@ container_scanning: - mv clair-scanner_linux_amd64 clair-scanner - chmod +x clair-scanner - touch clair-whitelist.yml - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} || true - > ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} || true artifacts: paths: [gl-sast-container-report.json] Loading 
@@ -69,21 +91,54 @@ deploy-dev: IMAGE_NAME: ${CI_REGISTRY_IMAGE} IMAGE_TAG: ${CI_COMMIT_SHA} COMPOSE_FILE: docker-compose.tmpl.yml:docker-compose.dev.yml OLD_ELASTIC_ADMIN_PASS: ${DEV_OLD_ELASTIC_ADMIN_PASS} ELASTIC_ADMIN_PASS: ${DEV_ELASTIC_ADMIN_PASS} ELASTIC_USER: ${DEV_ELASTIC_USER} ELASTIC_USER_PASS: ${DEV_ELASTIC_USER_PASS} ELASTIC_USER_ROLE: ${DEV_ELASTIC_USER_ROLE} services: - docker:dind script: - create-nets.sh elastic-net - > deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE} ELASTIC_USER=${ELASTIC_USER} ELASTIC_USER_PASS=${ELASTIC_USER_PASS} OLD_ELASTIC_ADMIN_PASS=${OLD_ELASTIC_ADMIN_PASS} ELASTIC_ADMIN_PASS=${ELASTIC_ADMIN_PASS} ELASTIC_USER=${ELASTIC_USER} ELASTIC_USER_PASS=${ELASTIC_USER_PASS} ELASTIC_USER_ROLE=${ELASTIC_USER_ROLE} environment: name: dev only: - dev when: manual deploy-supporting-branch: stage: deploy image: registry.gitlab.com/redmic-project/docker/docker-deploy variables: DOCKER_DRIVER: overlay2 SSH_REMOTE: ${DEV_SSH_REMOTE} SERVICE: ${CI_PROJECT_NAME} IMAGE_NAME: ${CI_REGISTRY_IMAGE} IMAGE_TAG: ${CI_COMMIT_SHA} COMPOSE_FILE: docker-compose.tmpl.yml:docker-compose.dev.yml OLD_ELASTIC_ADMIN_PASS: ${DEV_OLD_ELASTIC_ADMIN_PASS} ELASTIC_ADMIN_PASS: ${DEV_ELASTIC_ADMIN_PASS} ELASTIC_USER: ${DEV_ELASTIC_USER} ELASTIC_USER_PASS: ${DEV_ELASTIC_USER_PASS} ELASTIC_USER_ROLE: ${DEV_ELASTIC_USER_ROLE} services: - docker:dind script: - > deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE} OLD_ELASTIC_ADMIN_PASS=${OLD_ELASTIC_ADMIN_PASS} ELASTIC_ADMIN_PASS=${ELASTIC_ADMIN_PASS} ELASTIC_USER=${ELASTIC_USER} ELASTIC_USER_PASS=${ELASTIC_USER_PASS} ELASTIC_USER_ROLE=${ELASTIC_USER_ROLE} environment: name: dev only: - branches except: - master - dev when: manual deploy-pro: Loading 
@@ -96,15 +151,19 @@ deploy-pro: IMAGE_NAME: ${CI_REGISTRY_IMAGE} IMAGE_TAG: ${CI_COMMIT_SHA} COMPOSE_FILE: docker-compose.tmpl.yml:docker-compose.prod.yml OLD_ELASTIC_ADMIN_PASS: ${PRO_OLD_ELASTIC_ADMIN_PASS} ELASTIC_ADMIN_PASS: ${PRO_ELASTIC_ADMIN_PASS} ELASTIC_USER: ${PRO_ELASTIC_USER} ELASTIC_USER_PASS: ${PRO_ELASTIC_USER_PASS} ELASTIC_USER_ROLE: ${PRO_ELASTIC_USER_ROLE} services: - docker:dind script: - create-nets.sh elastic-net - > deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE} ELASTIC_USER=${ELASTIC_USER} ELASTIC_USER_PASS=${ELASTIC_USER_PASS} OLD_ELASTIC_ADMIN_PASS=${OLD_ELASTIC_ADMIN_PASS} ELASTIC_ADMIN_PASS=${ELASTIC_ADMIN_PASS} ELASTIC_USER=${ELASTIC_USER} ELASTIC_USER_PASS=${ELASTIC_USER_PASS} ELASTIC_USER_ROLE=${ELASTIC_USER_ROLE} environment: name: pro only: Loading
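Review bot: The new `docker-tag-already-built-image` job repeats `docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY}`, which puts the job token on the command line, where it can be read from the process list on the runner; Docker itself warns against `-p`. Feed the token on stdin instead, `- echo "${CI_JOB_TOKEN}" | docker login -u gitlab-ci-token --password-stdin ${CI_REGISTRY}`, and apply the same change to the two build jobs. The deploy jobs (`deploy-dev`, `deploy-supporting-branch`, `deploy-pro`) have the same exposure for `OLD_ELASTIC_ADMIN_PASS`, `ELASTIC_ADMIN_PASS` and `ELASTIC_USER_PASS`, which are passed to `deploy.sh` as arguments although `variables:` already exports them. `deploy.sh` is not shown on this page, so whether it can take them from the environment needs checking. `deploy-supporting-branch` also makes the `DEV_*` credentials available to any branch other than master and dev, so the protected and masked settings of those CI variables are worth confirming.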
Dockerfile +8 −4 Original line number Diff line number Diff line FROM registry.gitlab.com/redmic-project/docker/elasticsearch-xpack:latest ARG PARENT_IMAGE_NAME ARG PARENT_IMAGE_TAG FROM ${PARENT_IMAGE_NAME}:${PARENT_IMAGE_TAG} ENV ES_CLUSTER_NAME="clustername" \ ES_NODE_NAME="nodename" \ Loading @@ -11,8 +14,9 @@ ENV ES_CLUSTER_NAME="clustername" \ ES_NETWORK_BIND_HOST="0.0.0.0" \ ES_NETWORK_PUBLISH_HOST="_eth0_" \ ES_DISCOVERY_ZEN_MINIMUM_MASTER_NODES=2 \ ES_PATH="/usr/share/elasticsearch" \ ES_DATA_PATH="/usr/share/elasticsearch/data" ES_PATH="/usr/share/elasticsearch" ENV ES_DATA_PATH="${ES_PATH}/data" RUN apt-get update && \ apt-get install -y --no-install-recommends \ Loading @@ -20,7 +24,7 @@ RUN apt-get update && \ dnsutils && \ ulimit -n 65536 COPY config/ /usr/share/elasticsearch/config/ COPY config/ ${ES_PATH}/config/ COPY scripts/ / VOLUME ["${ES_DATA_PATH}"] Loading
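Review bot: `ARG PARENT_IMAGE_NAME` and `ARG PARENT_IMAGE_TAG` are declared without defaults, so any build that omits the two `--build-arg` flags resolves `FROM ${PARENT_IMAGE_NAME}:${PARENT_IMAGE_TAG}` to an empty reference and fails. Keep the previous value as the default, `ARG PARENT_IMAGE_NAME=registry.gitlab.com/redmic-project/docker/elasticsearch-xpack`, and give the tag a default as well. Both CI build jobs set `PARENT_IMAGE_TAG: latest`, so an image tagged with a commit SHA can still sit on a different base from one pipeline run to the next. Pinning the parent to a fixed version tag or to a digest (`@sha256:<digest>`, placeholder) would make the SHA-tagged image reproducible and keep container-scan findings attributable to a known base.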
docker-compose.tmpl.yml +6 −1 Original line number Diff line number Diff line Loading @@ -9,6 +9,11 @@ services: - ES_BOOTSTRAP_MEMORY_LOCK=true - ES_JAVA_OPTS=-Xms2g -Xmx2g -Djava.security.policy=file:///usr/share/elasticsearch/config/grovy-classes_whitelist.policy - ES_PLUGINS - OLD_ELASTIC_ADMIN_PASS - ELASTIC_ADMIN_PASS - ELASTIC_USER - ELASTIC_USER_PASS - ELASTIC_USER_ROLE ulimits: memlock: soft: -1 Loading @@ -18,7 +23,7 @@ services: interval: 30s timeout: 10s retries: 3 start_period: 2m start_period: 5m networks: elastic-net: Loading
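Review bot: The added entries pass `OLD_ELASTIC_ADMIN_PASS`, `ELASTIC_ADMIN_PASS` and `ELASTIC_USER_PASS` into the container as plain environment variables. They stay there for the life of the service and are readable through `docker inspect` and by every process in the container, not only by the user-management script that needs them once at start-up. If the stack runs in swarm mode (the entrypoint tests `SWARM_MODE`, so presumably it can), Docker secrets mounted as files would narrow that exposure. Otherwise the entrypoint could at least `unset` the three password variables after launching the helper and before it starts Elasticsearch. Only part of the service definition is visible in this section.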
scripts/docker-entrypoint.sh +9 −7 Original line number Diff line number Diff line #!/bin/bash FILENAME="elasticsearch" TEMPLATE_FILENAME="elasticsearch" OTHER_NODES="" chown -R elasticsearch:elasticsearch ${ES_DATA_PATH} Loading Loading @@ -39,7 +39,7 @@ if [ -n "${SWARM_MODE}" ]; then fi fi envsubst < /${FILENAME}.template > ${ES_PATH}/config/${FILENAME}.yml envsubst < /${TEMPLATE_FILENAME}.template > ${ES_PATH}/config/${TEMPLATE_FILENAME}.yml # Search nodes if [ -n "${OTHER_NODES}" ];then Loading @@ -47,7 +47,7 @@ if [ -n "${OTHER_NODES}" ];then export ES_DISCOVERY_ZEN_PING_UNICAST_HOSTS=${OTHER_NODES%,} ES_DISCOVERY_ZEN_PING_UNICAST_HOSTS=",${ES_DISCOVERY_ZEN_PING_UNICAST_HOSTS}" echo "discovery.zen.ping.unicast.hosts: ${ES_DISCOVERY_ZEN_PING_UNICAST_HOSTS}" \ | sed -e 's/,/\n - /g' >> ${ES_PATH}/config/${FILENAME}.yml | sed -e 's/,/\n - /g' >> ${ES_PATH}/config/${TEMPLATE_FILENAME}.yml else echo "There is no another nodes in cluster. I am alone!" fi Loading @@ -68,8 +68,8 @@ function check_credentials_s3() { exit 1 fi echo "cloud.aws.s3.access_key: ${AWS_ACCESS_KEY_ID}" >> ${ES_PATH}/config/${FILENAME}.yml echo "cloud.aws.s3.secret_key: ${AWS_SECRET_ACCESS_KEY}" >> ${ES_PATH}/config/${FILENAME}.yml echo "cloud.aws.s3.access_key: ${AWS_ACCESS_KEY_ID}" >> ${ES_PATH}/config/${TEMPLATE_FILENAME}.yml echo "cloud.aws.s3.secret_key: ${AWS_SECRET_ACCESS_KEY}" >> ${ES_PATH}/config/${TEMPLATE_FILENAME}.yml } Loading @@ -91,6 +91,8 @@ for PLUGIN in "${PLUGINS[@]}"; do fi done cat ${ES_PATH}/config/${FILENAME}.yml cat ${ES_PATH}/config/${TEMPLATE_FILENAME}.yml ./manage-users.sh & disown gosu elasticsearch "$@"
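Review bot: `cat ${ES_PATH}/config/${TEMPLATE_FILENAME}.yml` writes the rendered configuration to the container log, and `check_credentials_s3` appends `cloud.aws.s3.access_key` and `cloud.aws.s3.secret_key` to that same file. The AWS key pair therefore reaches whatever collects stdout whenever that function has run. Drop the dump or filter it, e.g. `grep -v 'cloud.aws.s3' "${ES_PATH}/config/${TEMPLATE_FILENAME}.yml"`. The added `./manage-users.sh & disown` also depends on the working directory being `/` (where `COPY scripts/ /` places the file) and starts the helper before `gosu` drops privileges; `/manage-users.sh &` would remove the working-directory dependency. Most of the script lies outside the visible hunks.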
scripts/manage-users.sh 0 → 100755 +78 −0 Original line number Diff line number Diff line #!/bin/sh ELASTIC_ADMIN=elastic retryManageUsers=true while [ ${retryManageUsers} ] do responseStatus=$(curl --write-out %{http_code} --silent --output /dev/null \ -u "${ELASTIC_ADMIN}:${ELASTIC_ADMIN_PASS}" \ localhost:9200/_cluster/health) echo "Trying to manage users, got ${responseStatus} response" if [ "${responseStatus}" -eq "401" ] || [ "${responseStatus}" -eq "200" ] then retryManageUsers=false else sleep 1 continue fi echo "Trying to update admin password" if [ "${responseStatus}" -eq "401" ] then curl -XPUT -u "${ELASTIC_ADMIN}:${OLD_ELASTIC_ADMIN_PASS}" \ "localhost:9200/_xpack/security/user/${ELASTIC_ADMIN}/_password" \ -H "Content-Type: application/json" -d "{ \"password\": \"${ELASTIC_ADMIN_PASS}\" }" if [ "${?}" -eq "0" ] then echo "Admin password updated" fi else echo "Admin password already updated" fi echo "Trying to create default role and user" responseStatus=$(curl --write-out %{http_code} --silent --output /dev/null \ -u "${ELASTIC_ADMIN}:${ELASTIC_ADMIN_PASS}" \ "localhost:9200/_xpack/security/role/${ELASTIC_USER_ROLE}") if [ "${responseStatus}" -eq "404" ] then curl -XPOST -u "${ELASTIC_ADMIN}:${ELASTIC_ADMIN_PASS}" \ "localhost:9200/_xpack/security/role/${ELASTIC_USER_ROLE}" \ -H "Content-Type: application/json" -d '{ "run_as": [], "cluster": [ "monitor" ], "indices": [{ "names": [ "*" ], "privileges": [ "all" ] }] }' if [ "${?}" -eq "0" ] then echo "Role created" fi curl -XPOST -u "${ELASTIC_ADMIN}:${ELASTIC_ADMIN_PASS}" \ "localhost:9200/_xpack/security/user/${ELASTIC_USER}" \ -H "Content-Type: application/json" -d "{ \"password\": \"${ELASTIC_USER_PASS}\", \"roles\": [ \"${ELASTIC_USER_ROLE}\" ] }" if [ "${?}" -eq "0" ] then echo "User created" fi else echo "Default role already created, default user should has been created too" fi done
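Review bot: The loop guard `while [ ${retryManageUsers} ]` only tests for a non-empty string, so it stays true after the variable is set to `false`. Because `sleep 1` sits only in the not-ready branch, the script keeps re-issuing authenticated requests to localhost:9200 with no delay once the node answers 200 or 401. Compare explicitly instead: `while [ "${retryManageUsers}" = "true" ]`. The `"${?}" -eq "0"` checks also succeed on HTTP 4xx/5xx responses because curl runs without `--fail`, so "Admin password updated", "Role created" and "User created" can be logged for requests the server rejected. The passwords are given to `-u` on the command line and spliced unescaped into the JSON bodies, so they can show up in the process list, and a `"` or `\` in a password breaks the request; the role created here also grants `all` on index pattern `*`, which is broader than a default application user normally needs.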