Add TLS support for rsyslog

This patch implements creation of TLS certs and key for Elasticsearch connection. Change-Id: Ie97449b6f3e5d3a6481e087803d1982d7c6387f3
2019-06-20 15:24:37 +02:00 · 2019-06-20 15:24:37 +02:00 · bcb17115a3
commit bcb17115a3
parent 0ad12ff23a
3 changed files with 103 additions and 13 deletions
--- a/manifests/profile/base/logging/rsyslog.pp
+++ b/manifests/profile/base/logging/rsyslog.pp
@ -22,19 +22,84 @@
 #   (Optional) String. The current step of the deployment
 #   Defaults to hiera('step')
 #
-# [*elasticsearch*]
-#   (Optional) Hash. Configuration for output plugin omelasticsearch.
-#
 # [*service_names*]
 #   (Optional) List of services enabled on the current role. This is used
 #   to obtain per-service configuration information.
+#   Defaults to hiera('service_names', [])
 #
+# [*elasticsearch*]
+#   (Optional) Hash. Configuration for output plugin omelasticsearch.
+#   Defaults to undef
+#
+# [*elasticsearch_tls_ca_cert*]
+#   (Optional) String. Contains content of the CA cert for the CA that issued
+#   Elasticsearch server cert.
+#   Defaults to undef
+#
+# [*elasticsearch_tls_client_cert*]
+#   (Optional) String. Contains content of the client cert for doing client
+#   cert auth against Elasticsearch.
+#   Defaults to undef
+#
+# [*elasticsearch_tls_client_key*]
+#   (Optional) String. Contains content of the private key corresponding to
+#   the cert elasticsearch_tls_client_cert.
+#   Defaults to undef
 class tripleo::profile::base::logging::rsyslog (
-  $step            = Integer(hiera('step')),
-  $elasticsearch   = undef,
-  $service_names   = hiera('service_names', [])
+  $step                          = Integer(hiera('step')),
+  $service_names                 = hiera('service_names', []),
+  $elasticsearch                 = undef,
+  $elasticsearch_tls_ca_cert     = undef,
+  $elasticsearch_tls_client_cert = undef,
+  $elasticsearch_tls_client_key  = undef,
 ) {
  if $step >= 2 {
+    # NOTE: puppet-rsyslog does not have params manifest, so we don't have any
+    #       other choice than using hiera currently.
+    $rsyslog_confdir = hiera('rsyslog::confdir', '/etc/rsyslog.d')
+
+    if defined('$elasticsearch_tls_ca_cert') {
+      $cacert_path = "${rsyslog_confdir}/es-ca-cert.crt"
+      $cacert_conf = {'tls.cacert' => $cacert_path}
+
+      file { 'elasticsearch_ca_cert':
+        ensure  => 'present',
+        path    => $cacert_path,
+        content => $elasticsearch_tls_ca_cert
+      }
+      $esconf1 = merge($elasticsearch, $cacert_conf)
+    } else {
+      $esconf1 = $elasticsearch
+    }
+
+    if defined('$elasticsearch_tls_client_cert') {
+      $clientcert_path = "${rsyslog_confdir}/es-client-cert.pem"
+      $clientcert_conf = {'tls.mycert' => $clientcert_path}
+
+      file { 'elasticsearch_client_cert':
+        ensure  => 'present',
+        path    => $clientcert_path,
+        content => $elasticsearch_tls_client_cert
+      }
+      $esconf2 = merge($esconf1, $clientcert_conf)
+    } else {
+      $esconf2 = $esconf1
+    }
+
+    if defined('$elasticsearch_tls_client_key') {
+      $clientkey_path = "${rsyslog_confdir}/es-client-key.pem"
+      $clientkey_conf = {'tls.myprivkey' => $clientkey_path}
+
+      file { 'elasticsearch_client_key':
+        ensure  => 'present',
+        path    => $clientkey_path,
+        content => $elasticsearch_tls_client_key
+      }
+      $esconf = merge($esconf2, $clientkey_conf)
+    } else {
+      $esconf = $esconf2
+    }
+
    $modules = {
      'imfile'          => {},
      'omelasticsearch' => {},
@ -42,9 +107,10 @@ class tripleo::profile::base::logging::rsyslog (
    $actions = {
      'elasticsearch' => {
        'type'   => 'omelasticsearch',
-        'config' => $elasticsearch,
+        'config' => $esconf,
      }
    }
+
    class { '::rsyslog::server':
      modules => $modules,
      actions => $actions
--- a/releasenotes/notes/rsyslog-tls-dfa676eda2ec646f.yaml
+++ b/releasenotes/notes/rsyslog-tls-dfa676eda2ec646f.yaml
@ -0,0 +1,3 @@
+---
+features:
+  - Added TLS support for ELasticsearch output plugin in rsyslog service.
--- a/spec/classes/tripleo_profile_base_logging_rsyslog_spec.rb
+++ b/spec/classes/tripleo_profile_base_logging_rsyslog_spec.rb
@ -36,7 +36,10 @@ elastic_conf = <<-EOS
 # elasticsearch
 action(type="omelasticsearch"
    name="elasticsearch"
-)
+    tls.cacert="/etc/rsyslog.d/es-ca-cert.crt"
+    tls.mycert="/etc/rsyslog.d/es-client-cert.pem"
+    tls.myprivkey="/etc/rsyslog.d/es-client-key.pem"
+  )
 EOS

 describe 'tripleo::profile::base::logging::rsyslog' do
@ -46,14 +49,20 @@ describe 'tripleo::profile::base::logging::rsyslog' do
    end

    context 'on step 2' do
-      let(:params) { { :step => 2 } }
+      let(:params) do
+        { :step => 2,
+          :elasticsearch_tls_ca_cert => 'cacert',
+          :elasticsearch_tls_client_cert => 'clientcert',
+          :elasticsearch_tls_client_key => 'clientkey',
+        }
+      end

-      it 'should generate a rsyslog config file for horizon from hieradata' do
-        should contain_concat__fragment("rsyslog::component::module::imfile").with({
+      it 'should generate a rsyslog config file for horizon from hieradata and TLS certificates for Elasticsearch' do
+        should contain_concat__fragment('rsyslog::component::module::imfile').with({
          :target => '/etc/rsyslog.d/50_openstack_logs.conf',
          :content => "module(load=\"imfile\")\n",
        })
-        should contain_concat__fragment("rsyslog::component::module::omelasticsearch").with({
+        should contain_concat__fragment('rsyslog::component::module::omelasticsearch').with({
          :target => '/etc/rsyslog.d/50_openstack_logs.conf',
          :content => "module(load=\"omelasticsearch\")\n",
        })
@ -65,10 +74,22 @@ describe 'tripleo::profile::base::logging::rsyslog' do
          :target => '/etc/rsyslog.d/50_openstack_logs.conf',
          :content => horizon_test_log_conf,
        })
-        should contain_concat__fragment("rsyslog::component::action::elasticsearch").with({
+        should contain_concat__fragment('rsyslog::component::action::elasticsearch').with({
          :target => '/etc/rsyslog.d/50_openstack_logs.conf',
          :content => elastic_conf,
        })
+        should contain_file('elasticsearch_ca_cert').with({
+          :path => '/etc/rsyslog.d/es-ca-cert.crt',
+          :content => 'cacert',
+        })
+        should contain_file('elasticsearch_client_cert').with({
+          :path => '/etc/rsyslog.d/es-client-cert.pem',
+          :content => 'clientcert',
+        })
+        should contain_file('elasticsearch_client_key').with({
+          :path => '/etc/rsyslog.d/es-client-key.pem',
+          :content => 'clientkey',
+        })
      end
    end
  end