multiple updates to osquery

* move playbooks to roles
   * update documentation
   * update haproxy
     - set 6443 as default port for kolide fleet
   * add galera support

Change-Id: I2fdefcb6bec98486c16b54cf33e2b7940b88d50b

osquery/.gitignore

@@ -0,0 +1,3 @@
+inventory.dev.yml
+*.retry
+telemetry.yaml

osquery/ansible-role-requirements.yml

@@ -9,7 +9,7 @@
   version: master
 - name: osquery
   scm: git
-  src: https://github.com/juju4/ansible-osquery
+  src: https://github.com/kloud-pro/ansible-osquery
   version: master
 - name: redis
   scm: git
@@ -27,3 +27,11 @@
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-galera_server
   version: master
+- name: apt_package_pinning
+  scm: git
+  src: https://git.openstack.org/openstack/openstack-ansible-apt_package_pinning
+  version: master
+- name: plugins
+  scm: git
+  src: https://git.openstack.org/openstack/openstack-ansible-plugins
+  version: master

osquery/bootstrap-embedded-ansible.sh

@@ -0,0 +1,129 @@
+#!/usr/bin/env bash
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+export OPTS=()
+export ANSIBLE_EMBED_HOME="${HOME}/ansible25"
+OPTS+=('ANSIBLE_EMBED_HOME')
+
+source /etc/os-release
+if [[ ! -e "${ANSIBLE_EMBED_HOME}/bin/ansible" ]]; then
+  if [  ${VERSION_ID} = "14.04" ]; then
+    apt-get update
+    apt-get -y install python-virtualenv
+    echo "done installing python-virtualenv"
+  else
+    apt-get update
+    apt-get -y install python3-virtualenv python-virtualenv
+    echo "done installing python-virtualenv python3-virtualenv"
+  fi
+
+  if [[ -e "${HOME}/.pip" ]]; then
+    echo "..................moving .pip out of place to boostrap"
+    mv ${HOME}/.pip ${HOME}/.off-pip
+  fi
+
+  if [[ -f "/usr/bin/python2" ]]; then
+    virtualenv --python="/usr/bin/python2" "${ANSIBLE_EMBED_HOME}"
+  elif [[ -f "/usr/bin/python3" ]]; then
+    virtualenv --python="/usr/bin/python3" "${ANSIBLE_EMBED_HOME}"
+  else
+    virtualenv "${ANSIBLE_EMBED_HOME}"
+  fi
+
+  eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade --force pip"
+  eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade ansible==2.5.5.0 --isolated"
+  eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade jmespath --isolated"
+  echo "Ansible can be found here: ${ANSIBLE_EMBED_HOME}/bin"
+
+  if [[ -e "${HOME}/.off-pip" ]]; then
+    mv ${HOME}/off-pip ${HOME}/.pip
+    echo "..................moving .pip back in to place"
+  fi
+fi
+
+if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template" ]]; then
+  mkdir -p "${ANSIBLE_EMBED_HOME}/repositories"
+  git clone https://git.openstack.org/openstack/ansible-config_template "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template"
+  pushd "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template"
+    git checkout a5c9d97e18683f0fdf9769d94ba174c72e2d093c  # HEAD of master from 20-06-18
+  popd
+fi
+
+if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/openstack_ansible_plugins" ]]; then
+  mkdir -p "${ANSIBLE_EMBED_HOME}/repositories"
+  git clone https://git.openstack.org/openstack/openstack-ansible-plugins "${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins"
+  pushd "${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins"
+    git checkout cef7946b3b3b3e4d02406c228741985a94b72cff  # HEAD of master from 20-06-18
+  popd
+fi
+
+if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service" ]]; then
+  mkdir -p "${ANSIBLE_EMBED_HOME}/repositories"
+  git clone https://git.openstack.org/openstack/ansible-role-systemd_service "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service"
+  pushd "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service"
+    git checkout 02f5ff1c0e073af53bed2141a045e608162970ea  # HEAD of master from 20-06-18
+  popd
+fi
+
+if [[ -f "/etc/openstack_deploy/openstack_inventory.json" ]]; then
+  if [[ ! -f "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh" ]]; then
+    mkdir -p "${ANSIBLE_EMBED_HOME}/inventory"
+    cat > "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh" <<EOF
+#!/usr/bin/env bash
+cat /etc/openstack_deploy/openstack_inventory.json
+EOF
+    chmod +x "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh"
+  fi
+
+  export USER_VARS="$(for i in $(ls -1 /etc/openstack_deploy/user_*secret*.yml); do echo -n "-e@$i "; done)"
+  OPTS+=('USER_VARS')
+  echo "env USER_VARS set"
+  echo "Extra users variables can be expanded by including the option \$USER_VARS on a playbook run."
+
+  export ANSIBLE_INVENTORY="${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh"
+  OPTS+=('ANSIBLE_INVENTORY')
+  echo "env ANSIBLE_INVENTORY set"
+fi
+
+export ANSIBLE_HOST_KEY_CHECKING="False"
+OPTS+=('ANSIBLE_HOST_KEY_CHECKING')
+echo "env ANSIBLE_HOST_KEY_CHECKING set"
+
+export ANSIBLE_ROLES_PATH="${ANSIBLE_EMBED_HOME}/repositories/roles"
+OPTS+=('ANSIBLE_ROLES_PATH')
+echo "env ANSIBLE_ROLES_PATH set"
+
+export ANSIBLE_ACTION_PLUGINS="${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template/action"
+OPTS+=('ANSIBLE_ACTION_PLUGINS')
+echo "env ANSIBLE_ACTION_PLUGINS set"
+
+export ANSIBLE_CONNECTION_PLUGINS="${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins/connection/"
+OPTS+=('ANSIBLE_CONNECTION_PLUGINS')
+echo "env ANSIBLE_CONNECTION_PLUGINS set"
+
+source ${ANSIBLE_EMBED_HOME}/bin/activate
+echo "Embedded Ansible has been activated. Run 'deactivate' to leave the embedded environment".
+
+function deactivate_embedded_venv {
+  deactivate
+  for i in ${OPTS[@]}; do
+    unset ${i}
+  done
+  unset deactivate_embedded_venv
+  unalias deactivate
+}
+
+
+alias deactivate=deactivate_embedded_venv

osquery/conf.d/fleet.yml

@@ -1,6 +1,14 @@
 fleet_hosts:
   logging1:
-    ip: 172.22.8.27
+    ip: 10.0.236.110
+  logging2:
+    ip: 10.0.236.111
+  logging3:
+    ip: 10.0.236.112
 mariadb_hosts:
   logging1:
-    ip: 172.22.8.27
+    ip: 10.0.236.110
+  logging2:
+    ip: 10.0.236.111
+  logging3:
+    ip: 10.0.236.112

osquery/haproxy.example

@@ -3,7 +3,7 @@ haproxy_extra_services:
       haproxy_service_name: kolide-fleet
       haproxy_ssl: False
       haproxy_backend_nodes: "{{ groups['fleet'] | default([]) }}"  # Fleet nodes
-      haproxy_port: 8443  # This is set using the "kolide_fleet_port" variable
+      haproxy_port: 6443  # This is set using the "kolide_fleet_port" variable
       haproxy_check_port: 443  # This is set using the "kolide_fleet_port" variable
       haproxy_backend_port: 443  # This is set using the "kolide_fleet_port" variable
       haproxy_balance_type: tcp

osquery/installDB.yml

@@ -13,17 +13,21 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Install MariaDB server
-  hosts: mariadb
+- name: Install MariaDB Galera Cluster
+  hosts: "mariadb"
   become: true
+  user: root
+  gather_facts: "{{ osa_gather_facts | default(True) }}"
+
   vars_files:
     - vars/variables.yml
 
-  environment: "{{ deployment_environment_variables | default({}) }}"
-
-  gather_facts: "{{ osa_gather_facts | default(True) }}"
-  serial: 1
-  user: root
-
   roles:
-    - role: "mariadb"
+    - role: galera_server
+      galera_root_user: "{{ mariadb_root_user }}"
+      galera_root_password: "{{ mariadb_root_password }}"
+      galera_cluster_members: "{{ groups['mariadb'] }}"
+      galera_wsrep_node_name: "{{ inventory_hostname }}"
+      galera_cluster_name: telemetry_galera_cluster
+
+  environment: "{{ deployment_environment_variables | default({}) }}"

osquery/installKolideFleet.yml

@@ -10,33 +10,5 @@
 
   gather_facts: "{{ osa_gather_facts | default(True) }}"
 
-  tasks:
-    # install SSL certs
-    - include_tasks: fleetSSL.yml
-
-    # install software requirements
-    - include_tasks: fleetRequirements.yml
-
-    # install kolide fleet server
-    - include_tasks: fleetServerInstall.yml
-
-    # drop the configuration
-    - include_tasks: fleetConfig.yml
-
-    # add files for systemd
-    - include_tasks:  fleetService.yml
-      when:
-        - ansible_service_mgr == "systemd"
-
-    # migrate the database
-    - include_tasks:  fleetMigrateDB.yml
-      run_once: true
-
-    # start fleet via systemd
-    - include_tasks:  fleetStartService.yml
-
-    # configure kolide fleet & set admin account
-    - include_tasks:  fleetRegisterAdmin.yml
-
-    # retrieve and set enrollment token
-    - include_tasks:  fleetGetEnrollmentToken.yml
+  roles:
+    - role: fleet

osquery/installOSquery.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Install osquery
-  hosts: hosts
+  hosts: "osquery"
   become: true
   vars_files:
     - vars/variables.yml
@@ -34,6 +34,21 @@
         var: hostvars[groups['fleet'][0]]['ansible_host']
         verbosity: 2
 
+    - name: Store ssl cert
+      slurp:
+        src: "{{ kolide_fleet_ssl_cert }}"
+      register: _kolide_fleet_ssl_cert
+
+    - name: Store ssl key
+      slurp:
+        src: "{{ kolide_fleet_ssl_key }}"
+      register: _kolide_fleet_ssl_key
+
+    - name: Register a fact for the cert and key
+      set_fact:
+        kolide_fleet_ssl_cert_fact: "{{ _kolide_fleet_ssl_cert.content }}"
+        kolide_fleet_ssl_key_fact: "{{ _kolide_fleet_ssl_key.content }}"
+
     - name: Distribute self signed ssl cert
       copy:
         dest: "{{ kolide_fleet_ssl_cert }}"

osquery/inventory.example.yml

@@ -24,9 +24,12 @@ hosts:
     logging01:
 
 # This is the location where fleet(s) will live
+mariadb:
+  hosts:
+    logging01:
 fleet:
   hosts:
     logging01:
 osquery:
   hosts:
-    all:
+    logging01:

osquery/inventory.yaml

@@ -0,0 +1,35 @@
+---
+
+################################## ALL HOSTS ##################################
+all:
+  hosts:
+    # Local host
+    localhost:
+      ansible_connection: local
+
+################################## REQUIRED ###################################
+    logging01:
+      ansible_host: 104.130.207.70
+      ansible_user: root
+
+  vars: {}
+
+
+################################### GROUPS ####################################
+
+# The hosts group is used to target physical host machines. Enter all physical
+# host machines here.
+hosts:
+  hosts:
+    logging01:
+
+# This is the location where fleet(s) will live
+mariadb:
+  hosts:
+    logging01:
+fleet:
+  hosts:
+    logging01:
+osquery:
+  hosts:
+    logging01:

osquery/readme.rst

@@ -22,7 +22,7 @@ an OpenStack all of the inventory needs will be provided for.
 Highlevel overview of Osquery & Kolide Fleet  infrastructure these playbooks will
 build and operate against.
 
-.. image:: assets/place-holder.svg
+.. image:: assets/overview-osquery.png
     :scale: 50 %
     :alt: Osquery & Kolide Fleet Architecture Diagram
     :align: center
@@ -70,15 +70,15 @@ Create the containers
 .. code-block:: bash
 
    cd /opt/openstack-ansible/playbooks
-   openstack-ansible lxc-containers-create.yml -e 'container_group=fleet'
+   openstack-ansible lxc-containers-create.yml --limit fleet_all
 
 
-Update the `/etc/hosts` file 
+Update the `/etc/hosts` file *(optional)*
 
 .. code-block:: bash
 
    cd /opt/openstack-ansible/playbooks
-   openstack-ansible openstack-hosts-setup.yml -e 'container_group=fleet'
+   openstack-ansible openstack-hosts-setup.yml
 
 
 
@@ -136,13 +136,20 @@ environment variable `ANSIBLE_ACTION_PLUGINS` or through the use of an
 Deploying | The environment
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
+Create some basic passwords keys that are needed by fleet
+.. code-block:: bashG
+
+    echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" > /etc/openstack_deploy/fleet_user_vars.yml
+    echo "mariadb_root_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml
+
+
 Install master/data Fleet nodes on the elastic-logstash containers,
 deploy logstash, deploy Kibana, and then deploy all of the service beats.
 
 .. code-block:: bashG
 
     cd /opt/openstack-ansible-ops/osquery
-    ansible-playbook site.yml $USER_VARS
+    ansible-playbook site.yml -e@/etc/openstack_deploy/fleet_user_vars.yml
 
 
 * The `openstack-ansible` command can be used if the version of ansible on the
@@ -172,7 +179,7 @@ Architecture | Data flow
 
 This diagram outlines the data flow from within an Elastic-Stack deployment.
 
-.. image:: assets/place-holder.svg
+.. image:: assets/architecture-osquery.png
     :scale: 50 %
     :alt: Kolide & Osquery Data Flow Diagram
     :align: center
@@ -180,8 +187,9 @@ This diagram outlines the data flow from within an Elastic-Stack deployment.
 TODO
 ----
 The following is a list of open items.
- - [ ] Test Redhat familly Operating Systems
- - [ ] missing mariadb cluster (should all work needs additional vars)
+ - [x] Test Redhat familly Operating Systems
+ - [x] missing mariadb cluster (should all work needs additional vars)
  - [ ] use haproxy instead of the kolide fleet server ip
  - [ ] add/update tags
+ - [ ] convert to roles
  - [ ] add testing

osquery/registerSSLcerts.yml

@@ -0,0 +1,73 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Install Kolide Fleet
+  hosts: "fleet"
+  become: true
+
+  vars_files:
+    - vars/variables.yml
+
+  environment: "{{ deployment_environment_variables | default({}) }}"
+
+  gather_facts: "{{ osa_gather_facts | default(True) }}"
+
+  pre_tasks:
+    - name: Store ssl cert
+      slurp:
+        src: "{{ kolide_fleet_ssl_cert }}"
+      register: _kolide_fleet_ssl_cert
+
+    - name: Store ssl ca cert
+      slurp:
+        src: "{{ kolide_fleet_ssl_ca_cert }}"
+      register: _kolide_fleet_ssl_ca_cert
+      when: kolide_fleet_user_ssl_ca_cert is defined
+
+    - name: Register a fact for the cert and key
+      set_fact:
+        kolide_fleet_ssl_cert_fact: "{{ _kolide_fleet_ssl_cert.content }}"
+
+    - name: Register a fact for the cert and key
+      set_fact:
+        kolide_fleet_ssl_ca_cert_fact: "{{ _kolide_fleet_ssl_ca_cert.content }}"
+      when: kolide_fleet_user_ssl_ca_cert is defined
+
+    - name: Distribute self signed ssl cert
+      copy:
+        dest: "{{ kolide_fleet_ssl_cert }}"
+        content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_cert_fact'] | b64decode }}"
+        mode: "0640"
+
+    - name: Distribute self signed CA ssl cert
+      copy:
+        dest: "{{ kolide_fleet_ca_ssl_cert }}"
+        content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_ca_cert_fact'] | b64decode }}"
+        mode: "0640"
+      when: kolide_fleet_user_ssl_ca_cert is defined
+
+    - name: retrieve Enrollment Token
+      command: /usr/local/bin/fleetctl get enroll-secret
+      register: _enrollment_token
+
+    - name: Set kolide fleet enrollment token fact
+      set_fact:
+        kolide_fleet_enroll_secret: "{{ _enrollment_token.stdout }}"
+
+    - name: write enroll secret
+      copy:
+        dest: "{{ osquery_enroll_secret_dir }}"
+        content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_enroll_secret'] }}"
+        mode: "0640"

osquery/roles/fleet/defaults/main.yml

@@ -0,0 +1,41 @@
+# Kolide Fleet vars
+kolide_fleet_db_name: fleet
+kolide_fleet_db_user: fleet
+
+#kolide_fleet_db_password: fleetSecrete
+
+kolide_fleet_port: "443"
+kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}"
+kolide_fleet_version: "2.0.0-rc5"
+kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
+
+kolide_fleet_admin_email: admin@openstack.org
+#kolide_fleet_admin_password: AdminSecrete
+
+kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
+kolide_fleet_ssl_key: /etc/ssl/private/fleet.key
+kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem
+kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem
+kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost"
+
+kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
+kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
+
+#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}"
+
+
+# MariaDB/Gallera Variables
+mariadb_bind_address: "0.0.0.0"
+mariadb_root_remote: 1
+mariadb_root_user: root
+#mariadb_root_password: fleetSecrete
+mariadb_databases:
+  - name: "{{ kolide_fleet_db_name }}"
+
+mariadb_users:
+  - name: "{{ kolide_fleet_db_user }}"
+    password: "{{ kolide_fleet_db_password }}"
+    priv: " {{ kolide_fleet_db_name }}.*:ALL"
+    host: "%"
+
+galera_root_password: "{{ mariadb_root_password }}"

osquery/roles/fleet/tasks/createFleetDB.yml

@@ -0,0 +1,43 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create DB for service
+  mysql_db:
+    login_user: "{{ mariadb_root_user }}"
+    login_password: "{{ mariadb_root_password }}"
+    login_host: "{{ mariadb_login_host | default('localhost') }}"
+    name: "{{ kolide_fleet_db_name }}"
+    state: "present"
+  delegate_to: "{{ groups['mariadb'][0] }}"
+  no_log: False
+  tags:
+    - fleet_db_install
+
+- name: Grant access to the DB for the service
+  mysql_user:
+    login_user: "{{ mariadb_root_user }}"
+    login_password: "{{ mariadb_root_password }}"
+    login_host: "{{ mariadb_login_host | default('localhost') }}"
+    name: "{{ kolide_fleet_db_user }}"
+    password: "{{ kolide_fleet_db_password }}"
+    host: "{{ item }}"
+    state: "present"
+    priv: "{{ kolide_fleet_db_name }}.*:ALL"
+    append_privs: "{{ kolide_fleet_db_append_privs | default(omit) }}"
+  delegate_to: "{{ groups['mariadb'][0] }}"
+  with_items: "{{ grant_list | default(['localhost', '%']) }}"
+  no_log: False
+  tags:
+    - fleet_db_install

osquery/roles/fleet/tasks/fleetRequirements.yml

@@ -13,13 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-#- name:    Install prerequisites
-#  apt:     name= {{item}} update_cache=yes
-#  with_items:
-#   - apt-transport-https
-#   - ca-certificates
-#   - curl
-#   - software-properties-common
 - name: Run the systemd service role
   include_role:
     name: redis

osquery/roles/fleet/tasks/main.yml

@@ -0,0 +1,33 @@
+---
+# install SSL certs
+- include_tasks: createFleetDB.yml
+
+# install SSL certs
+- include_tasks: fleetSSL.yml
+
+# install software requirements
+- include_tasks: fleetRequirements.yml
+
+# install kolide fleet server
+- include_tasks: fleetServerInstall.yml
+
+# drop the configuration
+- include_tasks: fleetConfig.yml
+
+# add files for systemd
+- include_tasks:  fleetService.yml
+  when:
+    - ansible_service_mgr == "systemd"
+
+# migrate the database
+- include_tasks:  fleetMigrateDB.yml
+  run_once: true
+
+# start fleet via systemd
+- include_tasks:  fleetStartService.yml
+
+# configure kolide fleet & set admin account
+- include_tasks:  fleetRegisterAdmin.yml
+
+# retrieve and set enrollment token
+- include_tasks:  fleetGetEnrollmentToken.yml

osquery/roles/fleet/vars/main.yml

@@ -0,0 +1,38 @@
+# Kolide Fleet vars
+kolide_fleet_db_name: fleet
+kolide_fleet_db_user: fleet
+#kolide_fleet_db_password: fleetSecrete
+
+kolide_fleet_port: "443"
+kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}"
+kolide_fleet_version: "2.0.0-rc5"
+kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
+
+kolide_fleet_admin_email: admin@openstack.org
+#kolide_fleet_admin_password: AdminSecrete
+
+kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
+kolide_fleet_ssl_key: /etc/ssl/private/fleet.key
+kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem
+kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem
+kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost"
+
+kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
+kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
+
+#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}"
+# MariaDB/Gallera Variables
+#mariadb_root_password: fleetSecrete
+mariadb_bind_address: "0.0.0.0"
+mariadb_root_remote: 1
+mariadb_root_user: root
+mariadb_databases:
+  - name: "{{ kolide_fleet_db_name }}"
+
+mariadb_users:
+  - name: "{{ kolide_fleet_db_user }}"
+    password: "{{ kolide_fleet_db_password }}"
+    priv: " {{ kolide_fleet_db_name }}.*:ALL"
+    host: "%"
+
+galera_root_password: "{{ mariadb_root_password }}"

osquery/site-fleet.yml

@@ -0,0 +1,15 @@
+---
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- import_playbook: installDB.yml
+- import_playbook: installKolideFleet.yml

osquery/site-osquery.yml

@@ -0,0 +1,15 @@
+---
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- import_playbook: registerSSLcerts.yml
+- import_playbook: installOSquery.yml

osquery/site.yml

@@ -13,6 +13,5 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- import_playbook: installMariaDB.yml
-- import_playbook: installKolideFleet.yml
-- import_playbook: installOsquery.yml
+- import_playbook: site-fleet.yml
+- import_playbook: site-osquery.yml

osquery/vars/variables.yml

@@ -1,32 +1,17 @@
+mariadb_root_user: root
+
+#
 kolide_fleet_enable: true
-kolide_fleet_cluster: false
-
-# Kolide Fleet vars
-kolide_fleet_db_name: fleet
-kolide_fleet_db_user: fleet
-kolide_fleet_db_password: fleetSecrete
-
-kolide_fleet_port: "443"
-kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}"
-kolide_fleet_version: "2.0.0-rc3"
-kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
-
-kolide_fleet_admin_email: admin@openstack.org
-#kolide_fleet_admin_password: AdminSecrete
 
 kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
 kolide_fleet_ssl_key: /etc/ssl/private/fleet.key
 kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem
 kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem
-kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}/subjectAltName=IP.2={{ ansible_host }}}/subjectAltName=IP.3=localhost"
-
-kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
-kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
-
-#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}"
+kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost"
 
 # Osquery vars
 osquery_enroll_secret_dir: /etc/osquery/osquery_enroll_secret
+osquery_debug_packages_install: false
 
 osquery_debug_packages_install: false
 
@@ -53,16 +38,3 @@ osquery_flags:
     - "--logger_tls_endpoint=/api/v1/osquery/log"
     - "--logger_tls_period=10"
     - "--enroll_secret_path={{ osquery_enroll_secret_dir }}"
-
-# MariaDB/Gallera Variables
-#mariadb_root_password: fleetSecrete
-mariadb_bind_address: "0.0.0.0"
-mariadb_root_remote: 1
-mariadb_databases:
-  - name: "{{ kolide_fleet_db_name }}"
-
-mariadb_users:
-  - name: "{{ kolide_fleet_db_user }}"
-    password: "{{ kolide_fleet_db_password }}"
-    priv: " {{ kolide_fleet_db_name }}.*:ALL"
-    host: "%"