Commit 7cefcfc4 authored by Pedro Eduardo Trujillo's avatar Pedro Eduardo Trujillo

Actualiza config de despliegue y detalles menores

Adapta despliegue de dev para nuevo entorno fijando nodos.
Introduce nuevas variables en ficheros compose, mejorando estilo.
Aplica cambios a definición de ci para ponerlo al día y reutilizar
elementos.
Corrige detalles de estilo de readme y elimina fichero inútil.
parent 9335b7ae

.gitignore

deleted100644 → 0
+0 −5
.*
!.gitignore
!.gitlab-ci.yml
!.dockerignore
!.env
+77 −70
@@ -12,12 +12,13 @@ stages:
  - deploy

variables:
  STACK: elastic
  PROJECT_PARENT_NAME: elastic

.deploy:
  variables:
    SERVICES_TO_CHECK: ${STACK}_${SERVICE_NAME}
  script:
    STACK: ${PROJECT_PARENT_NAME}
    DD_AWS_REGION: ${AWS_REGION}
  before_script:
    - mkdir -p deploy/certs deploy/config
    - echo "${CA_PEM}" > "deploy/certs/root-ca.pem"
    - echo "${CA_KEY}" > "deploy/certs/root-ca.key"
@@ -28,26 +29,19 @@ variables:
    - echo "${ADMIN_KEY}" > "deploy/certs/admin.key"
    - echo "${ADMIN_CSR}" > "deploy/certs/admin.csr"
    - echo "${SG_USERS}" > "deploy/config/sg_internal_users.yml"
    - >
      deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE} SG_ADMIN_DN=${SG_ADMIN_DN}
      SG_NODE_1_DN=${SG_NODE_1_DN} SG_NODE_2_DN=${SG_NODE_2_DN} SG_NODE_3_DN=${SG_NODE_3_DN} AWS_REGION=${AWS_REGION}
      S3_ACCESS_KEY=${S3_ACCESS_KEY} S3_SECRET_KEY=${S3_SECRET_KEY}

.deploy-development:
  variables:
    COMPOSE_FILE: docker-compose.${SERVICE_NAME}.tmpl.yml:docker-compose.${SERVICE_NAME}.dev.yml
  environment:
    name: dev/${SERVICE_NAME}

.deploy-production:
  variables:
    COMPOSE_FILE: docker-compose.${SERVICE_NAME}.tmpl.yml:docker-compose.${SERVICE_NAME}.prod.yml
  environment:
    name: pro/${SERVICE_NAME}

.deploy-es6-1:
  variables: &deploy-es6-1-variables
    SERVICE_NAME: es6-1
    SERVICES_TO_CHECK: ${PROJECT_PARENT_NAME}_es6-1
    NODE_PEM: ${NODE_1_PEM}
    NODE_KEY: ${NODE_1_KEY}
    NODE_CSR: ${NODE_1_CSR}
@@ -55,6 +49,7 @@ variables:
.deploy-es6-2:
  variables: &deploy-es6-2-variables
    SERVICE_NAME: es6-2
    SERVICES_TO_CHECK: ${PROJECT_PARENT_NAME}_es6-2
    NODE_PEM: ${NODE_2_PEM}
    NODE_KEY: ${NODE_2_KEY}
    NODE_CSR: ${NODE_2_CSR}
@@ -62,120 +57,132 @@ variables:
.deploy-es6-3:
  variables: &deploy-es6-3-variables
    SERVICE_NAME: es6-3
    SERVICES_TO_CHECK: ${PROJECT_PARENT_NAME}_es6-3
    NODE_PEM: ${NODE_3_PEM}
    NODE_KEY: ${NODE_3_KEY}
    NODE_CSR: ${NODE_3_CSR}

.deploy-es6-1-development:
  extends: .deploy-development
  variables: *deploy-es6-1-variables
  variables:
    COMPOSE_FILE: docker-compose.es6-1.tmpl.yml:docker-compose.es6-1.dev.yml
    <<: *deploy-es6-1-variables

.deploy-es6-2-development:
  extends: .deploy-development
  variables: *deploy-es6-2-variables
  variables:
    COMPOSE_FILE: docker-compose.es6-2.tmpl.yml:docker-compose.es6-2.dev.yml
    <<: *deploy-es6-2-variables

.deploy-es6-3-development:
  extends: .deploy-development
  variables: *deploy-es6-3-variables
  variables:
    COMPOSE_FILE: docker-compose.es6-3.tmpl.yml:docker-compose.es6-3.dev.yml
    <<: *deploy-es6-3-variables

.deploy-es6-1-production:
  extends: .deploy-production
  variables: *deploy-es6-1-variables
  variables:
    COMPOSE_FILE: docker-compose.es6-1.tmpl.yml:docker-compose.es6-1.prod.yml
    <<: *deploy-es6-1-variables

.deploy-es6-2-production:
  extends: .deploy-production
  variables: *deploy-es6-2-variables
  variables:
    COMPOSE_FILE: docker-compose.es6-2.tmpl.yml:docker-compose.es6-2.prod.yml
    <<: *deploy-es6-2-variables

.deploy-es6-3-production:
  extends: .deploy-production
  variables: *deploy-es6-3-variables
  variables:
    COMPOSE_FILE: docker-compose.es6-3.tmpl.yml:docker-compose.es6-3.prod.yml
    <<: *deploy-es6-3-variables

deploy-es6-1-support-branch-development:
  extends: .deploy-es6-1-development
.deploy-support-branch: &deploy-support-branch
  only:
    - branches
  except:
    - master
    - schedules

deploy-es6-1-support-branch-development:
  extends: .deploy-es6-1-development
  <<: *deploy-support-branch

deploy-es6-2-support-branch-development:
  extends: .deploy-es6-2-development
  only:
    - branches
  except:
    - master
    - schedules
  <<: *deploy-support-branch

deploy-es6-3-support-branch-development:
  extends: .deploy-es6-3-development
  <<: *deploy-support-branch

deploy-es6-1-support-branch-production:
  extends: .deploy-es6-1-production
  <<: *deploy-support-branch

deploy-es6-2-support-branch-production:
  extends: .deploy-es6-2-production
  <<: *deploy-support-branch

deploy-es6-3-support-branch-production:
  extends: .deploy-es6-3-production
  <<: *deploy-support-branch

.deploy-stable-branch: &deploy-stable-branch
  only:
    - branches
  except:
    - master
  except:
    - schedules

deploy-es6-1-stable-branch-development:
  extends: .deploy-es6-1-development
  only:
    - master
  except:
    - schedules
  <<: *deploy-stable-branch

deploy-es6-2-stable-branch-development:
  extends: .deploy-es6-2-development
  only:
    - master
  except:
    - schedules
  <<: *deploy-stable-branch

deploy-es6-3-stable-branch-development:
  extends: .deploy-es6-3-development
  only:
    - master
  except:
    - schedules
  <<: *deploy-stable-branch

deploy-es6-1-support-branch-production:
deploy-es6-1-stable-branch-production:
  extends: .deploy-es6-1-production
  only:
    - branches
  except:
    - master
    - schedules
  <<: *deploy-stable-branch

deploy-es6-2-support-branch-production:
deploy-es6-2-stable-branch-production:
  extends: .deploy-es6-2-production
  only:
    - branches
  except:
    - master
    - schedules
  <<: *deploy-stable-branch

deploy-es6-3-support-branch-production:
deploy-es6-3-stable-branch-production:
  extends: .deploy-es6-3-production
  <<: *deploy-stable-branch

.deploy-tag: &deploy-tag
  only:
    - branches
  except:
    - master
    - schedules
    - tags

deploy-es6-1-stable-branch-production:
deploy-es6-1-tag-development:
  extends: .deploy-es6-1-development
  <<: *deploy-tag

deploy-es6-2-tag-development:
  extends: .deploy-es6-2-development
  <<: *deploy-tag

deploy-es6-3-tag-development:
  extends: .deploy-es6-3-development
  <<: *deploy-tag

deploy-es6-1-tag-production:
  extends: .deploy-es6-1-production
  only:
    - master
  except:
    - schedules
  <<: *deploy-tag

deploy-es6-2-stable-branch-production:
deploy-es6-2-tag-production:
  extends: .deploy-es6-2-production
  only:
    - master
  except:
    - schedules
  <<: *deploy-tag

deploy-es6-3-stable-branch-production:
deploy-es6-3-tag-production:
  extends: .deploy-es6-3-production
  only:
    - master
  except:
    - schedules
  <<: *deploy-tag
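Review bot: As rendered, the new `.deploy` template at the top of the first hunk shows `script:` followed directly by the mapping `STACK: ${PROJECT_PARENT_NAME}` / `DD_AWS_REGION: ${AWS_REGION}`; if that is really the new content, `script` holds a mapping instead of a command list and GitLab will reject the job, so I suspect the key was meant to be `variables:` (the diff view interleaves old and new lines, so please confirm against the file). Likewise the `.deploy-tag` anchor as rendered does not let me tell whether it keeps an `except: - schedules` entry once the per-job `only: - master / except: - schedules` lines are replaced by `<<: *deploy-tag`; if the anchor only carries `only: - tags`, a scheduled pipeline run against a tag ref would trigger a deploy. As a point of style, `extends` accepts a list, so `extends: [.deploy-es6-1-development, .deploy-support-branch]` expresses the same composition without YAML merge keys, whose shallow-merge semantics and patchy support in validators are easy to trip over. The hunks are too interleaved here to reconstruct both sides, so treat these as points to verify rather than confirmed defects.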
+10 −10
@@ -8,7 +8,7 @@ Search Guard provides a tool, [Search Guard TLS Tool](https://search.maven.org/s

First, create a yaml file with certificates definition, at `config/example.yml` inside extracted content:

```
```yml
ca:
  root:
    dn: CN=root-ca.example.net,O=EXAMPLE
@@ -49,10 +49,10 @@ clients:

Then, use it with the script `tools/sgtlstool.sh` and generate the certificates:

```
$ ./sgtlstool.sh -c ../config/example.yml -v -ca
$ ./sgtlstool.sh -c ../config/example.yml -v -csr
$ ./sgtlstool.sh -c ../config/example.yml -v -crt -f -o
```sh
./sgtlstool.sh -c ../config/example.yml -v -ca
./sgtlstool.sh -c ../config/example.yml -v -csr
./sgtlstool.sh -c ../config/example.yml -v -crt -f -o
```

Your certificates will be generated inside `tools/out` directory.
@@ -63,7 +63,7 @@ Before using Search Guard, you must update the content of `/usr/share/elasticsea

You can generate the password hashes with a [online tool](https://8gwifi.org/bccrypt.jsp), for example.

```
```yml
admin_elastic:
  readonly: true
  hash: $2a...
@@ -81,10 +81,10 @@ When using Search Guard at first time, is required to run a script as certified

While running, get into container and run the following commands:

```
$ cd /usr/share/elasticsearch/plugins/search-guard-6/tools
```sh
cd /usr/share/elasticsearch/plugins/search-guard-6/tools

$ bash sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig -icl \
bash sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig -icl \
	-key /usr/share/elasticsearch/config/certs/admin.key \
	-cert /usr/share/elasticsearch/config/certs/admin.pem \
	-cacert /usr/share/elasticsearch/config/certs/root-ca.pem \
@@ -95,7 +95,7 @@ $ bash sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig -

In order to create backups, you must configure a snapshot repository first. Run these command once inside running container:

```
```sh
$ echo "${S3_ACCESS_KEY}" | elasticsearch-keystore add --stdin s3.client.default.access_key
$ echo "${S3_SECRET_KEY}" | elasticsearch-keystore add --stdin s3.client.default.secret_key

+32 −0
IMAGE_NAME=registry.gitlab.com/redmic-project/elastic/elasticsearch
IMAGE_TAG=latest

ES_PATH_DATA=/usr/share/elasticsearch/data
ES_XPACK_SECURITY_ENABLED=false
ES_SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH=certs/node.pem
ES_SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH=certs/node.key
ES_SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH=certs/root-ca.pem
ES_SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION=false
ES_SEARCHGUARD_SSL_TRANSPORT_RESOLVE_HOSTNAME=false
ES_SEARCHGUARD_SSL_HTTP_ENABLED=false
ES_SEARCHGUARD_SSL_HTTP_PEMCERT_FILEPATH=certs/node.pem
ES_SEARCHGUARD_SSL_HTTP_PEMKEY_FILEPATH=certs/node.key
ES_SEARCHGUARD_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH=certs/root-ca.pem
ES_SEARCHGUARD_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE=true
ES_SEARCHGUARD_ENTERPRISE_MODULES_ENABLED=false

PORT=9200
AWS_REGION=region

ELASTIC_NET_NAME=elastic6-net
ELASTIC_NET_DRIVER=overlay
METRIC_NET_NAME=metric-net
METRIC_NET_DRIVER=overlay

SG_FILE_MODE=0600
SG_FILE_UID=1000
SG_FILE_GID=1000

CA_PEM_NAME=ca-pem
CA_KEY_NAME=ca-key

ES_CONFIG_PATH=/usr/share/elasticsearch/config
ES_CERT_PATH=/usr/share/elasticsearch/config/certs
SG_CONFIG_PATH=/usr/share/elasticsearch/plugins/search-guard-6/sgconfig
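Review bot: The new env defaults set `ES_SEARCHGUARD_SSL_HTTP_ENABLED=false`, `ES_SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION=false` and `ES_SEARCHGUARD_SSL_TRANSPORT_RESOLVE_HOSTNAME=false`, so a stack that does not override them serves the REST API on `PORT=9200` over plain HTTP and skips peer hostname checks on the transport layer even though node certificates are configured. I cannot tell from the diff whether this file is a development template or the baseline every deployment inherits; if it is the latter, the secure values belong here and the dev compose file should be the one relaxing them. At minimum a leading comment such as `# Dev defaults: HTTP TLS and transport hostname verification are OFF; production must override the *_SSL_HTTP_ENABLED and *_ENFORCE_HOSTNAME_VERIFICATION vars to true` would make the trade-off visible to whoever copies this file. `AWS_REGION=region` is likewise a placeholder that will be used verbatim if nobody overrides it.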
+12 −8
@@ -3,20 +3,24 @@ version: '3.5'
services:
  es6-1:
    environment:
      - ES_JAVA_OPTS=-Xms1g -Xmx1g
      - cluster.name=${ES_CLUSTER_NAME:-es_dev}
      - discovery.zen.minimum_master_nodes=${ES_DISCOVERY_ZEN_MINIMUM_MASTER_NODES:-1}
      ES_JAVA_OPTS: ${ES_JAVA_OPTS:--Xms1g -Xmx1g}
      cluster.name: ${ES_CLUSTER_NAME:-es_dev}
      discovery.zen.minimum_master_nodes: ${ES_DISCOVERY_ZEN_MINIMUM_MASTER_NODES:-1}
    deploy:
      placement:
        constraints:
          - node.hostname == ${PLACEMENT_CONSTRAINTS_NODE_HOSTNAME_1:-hostname}
      resources:
        limits:
          cpus: '1'
          memory: 2G
          cpus: '${RESOURCES_LIMITS_CPUS:-1}'
          memory: ${RESOURCES_LIMITS_MEMORY:-2G}
        reservations:
          memory: 1639M
          cpus: '${RESOURCES_RESERVATIONS_CPUS:-0.1}'
          memory: ${RESOURCES_RESERVATIONS_MEMORY:-1639M}

volumes:
  es-data-vol:
    name: "${ES_DATA_VOL_NAME:-es6-1-data-vol}"
    name: ${ES_DATA_VOL_NAME:-es6-1-data-vol}

  es-conf-vol:
    name: "${ES_CONF_VOL_NAME:-es6-1-conf-vol}"
    name: ${ES_CONF_VOL_NAME:-es6-1-conf-vol}
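Review bot: The new placement constraint `node.hostname == ${PLACEMENT_CONSTRAINTS_NODE_HOSTNAME_1:-hostname}` falls back to the literal string `hostname` when the variable is unset, so an environment that forgets to set it pins `es6-1` to a node that presumably does not exist and the task sits pending with a "no suitable node" scheduler message instead of failing at deploy time. I would drop the default so `docker stack deploy` at least warns about the unset variable, or pick a placeholder that is obviously not a host name and document the variable as required alongside the other new `RESOURCES_*` defaults. The rest of the hunk (environment as a mapping, parametrised limits and reservations, unquoted volume names) still yields string scalars, and keeping `cpus` quoted is right since its default is numeric-looking.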