More cleanup of the osquery role

This cleanup should make things easier to integrate with OSA
while also better supporting a stand alone deployment.

Change-Id: I7321981a9ced7bf2e807a25cadde5463b39eef8f
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

osquery/README.rst

@@ -83,13 +83,29 @@ Update the `/etc/hosts` file *(optional)*
 
 Create an haproxy entry for kolide-fleet service 8443
 
+Add the following configuration item to the `haproxy_extra_services` variable
+within a **user** defined variable file.
+
+.. code-block:: yaml
+
+    haproxy_extra_services:
+      - service:
+          haproxy_service_name: kolide-fleet
+          haproxy_ssl: False
+          haproxy_backend_nodes: "{{ groups['kolide-fleet_all'] | default([]) }}"
+          haproxy_port: 6443  # This is set using the "kolide_fleet_port" variable
+          haproxy_check_port: 443  # This is set using the "kolide_fleet_port" variable
+          haproxy_backend_port: 443  # This is set using the "kolide_fleet_port" variable
+          haproxy_balance_type: tcp
+
+
+With the appropriate haproxy configuration in place, setup haproxy to begin
+load balancing the traffic.
+
 .. code-block:: bash
 
-    cd /opt/openstack-ansible-ops/osquery
-    cat haproxy.example  >> /etc/openstack_deploy/user_variables.yml
-
     cd /opt/openstack-ansible/playbooks/
-    openstack-ansible haproxy-install.yml --tags=haproxy-service-config
+    openstack-ansible haproxy-install.yml
 
 
 Deploying | Installing with embedded Ansible
@@ -136,21 +152,36 @@ Deploying | The environment
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 Create some basic passwords keys that are needed by fleet
-.. code-block:: bashG
 
-    echo "kolide_fleet_db_password: $(openssl rand -base64 16)" > /etc/openstack_deploy/fleet_user_vars.yml
-    echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" >> /etc/openstack_deploy/fleet_user_vars.yml
-    echo "kolide_fleet_admin_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml
-    echo "mariadb_root_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml
+.. code-block:: bash
+
+    echo "kolide_fleet_db_password: $(openssl rand -base64 16)" > /etc/openstack_deploy/user_secrets.yml
+    echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" >> /etc/openstack_deploy/user_secrets.yml
+    echo "kolide_fleet_admin_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/user_secrets.yml
+    # NOTICE: This may already be defined
+    echo "galera_root_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/user_secrets.yml
 
 
 Install master/data Fleet nodes on the elastic-logstash containers,
 deploy logstash, deploy Kibana, and then deploy all of the service beats.
 
-.. code-block:: bashG
+
+.. code-block:: bash
 
     cd /opt/openstack-ansible-ops/osquery
-    ansible-playbook site.yml -e@/etc/openstack_deploy/fleet_user_vars.yml
+    ansible-playbook site.yml -e@/etc/openstack_deploy/user_secrets.yml
+
+
+If the `installOSquery.yml` playbook is executed with a limit, a single
+kolide-fleet host must be part of the limit. This requirement exists because
+the nodes running osquery require certificates to authenticate to the
+kolide-fleet cluster. Should a node within the kolide-fleet cluster not be
+part of the limit the playbooks will not be able to fetch the required
+certificates.
+
+.. code-block:: bash
+
+    ansible-playbook installOSquery.yml $USER_VARS --limit 'host1,host2,kolide-fleet_all[0]'
 
 
 * The `openstack-ansible` command can be used if the version of ansible on the
@@ -167,6 +198,7 @@ deploy logstash, deploy Kibana, and then deploy all of the service beats.
   of the OSA group_vars. These are not available by default with the embedded
   ansible and can be symlinked into the ops repo.
 
+
 .. code-block:: bash
 
     ln -s /opt/openstack-ansible/inventory/group_vars /opt/openstack-ansible-ops/osquery/group_vars
@@ -175,6 +207,7 @@ deploy logstash, deploy Kibana, and then deploy all of the service beats.
 The individual playbooks found within this repository can be independently run
 at anytime.
 
+
 Architecture | Data flow
 ^^^^^^^^^^^^^^^^^^^^^^^^
 

osquery/conf.d/fleet.yml

@@ -1,4 +1,4 @@
-fleet_hosts:
+kolide_hosts:
   logging1:
     ip: 10.0.236.110
   logging2:

osquery/env.d/fleet.yml

@@ -1,32 +1,28 @@
 ---
 component_skel:
-  fleet:
+  kolide-fleet:
     belongs_to:
       - fleet_all
+      - kolide-fleet_all
 
   mariadb:
     belongs_to:
       - fleet_all
       - mariadb_all
 
-  osquery:
-    belongs_to:
-      - fleet_all
-
 container_skel:
-  fleet_container:
+  kolide-fleet_container:
     belongs_to:
-      - fleet_containers
+      - kolide_containers
     contains:
-      - fleet
+      - kolide-fleet
       - mariadb
-      - osquery
 
 physical_skel:
-  fleet_containers:
+  kolide_containers:
     belongs_to:
       - all_containers
 
-  fleet_hosts:
+  kolide_hosts:
     belongs_to:
       - hosts

osquery/haproxy.example

@@ -1,9 +0,0 @@
-haproxy_extra_services:
-  - service:
-      haproxy_service_name: kolide-fleet
-      haproxy_ssl: False
-      haproxy_backend_nodes: "{{ groups['fleet_all'] | default([]) }}"  # Fleet nodes
-      haproxy_port: 6443  # This is set using the "kolide_fleet_port" variable
-      haproxy_check_port: 443  # This is set using the "kolide_fleet_port" variable
-      haproxy_backend_port: 443  # This is set using the "kolide_fleet_port" variable
-      haproxy_balance_type: tcp

osquery/installDB.yml

@@ -27,15 +27,13 @@
       fail:
         msg: >-
           The root password for the galera cluster is not defined. To proceed with this
-          installation define the variable `mariadb_root_password` in line or within a
+          installation define the variable `galera_root_password` in line or within a
           variable file.
       when:
-        - mariadb_root_password is undefined
+        - galera_root_password is undefined
 
   roles:
     - role: galera_server
-      galera_root_user: "{{ mariadb_root_user }}"
-      galera_root_password: "{{ mariadb_root_password }}"
       galera_cluster_members: "{{ groups['mariadb_all'] }}"
       galera_wsrep_node_name: "{{ inventory_hostname }}"
       galera_cluster_name: telemetry_galera_cluster

osquery/installKolideFleet.yml

@@ -1,6 +1,6 @@
 ---
 - name: Install Kolide Fleet
-  hosts: "fleet_all"
+  hosts: "kolide-fleet_all"
   become: true
 
   vars_files:

osquery/installOSquery.yml

@@ -13,8 +13,33 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Get osquery facts
+  hosts: "{{ kolide_fleet_host | default(groups['kolide-fleet_all'][0]) }}"
+  become: true
+  vars_files:
+    - vars/variables.yml
+  tags:
+    - always
+
+  environment: "{{ deployment_environment_variables | default({}) }}"
+
+  gather_facts: "{{ osa_gather_facts | default(True) }}"
+
+  tasks:
+    - name: Fetch Certificates
+      fetch:
+        flat: yes
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+      with_items:
+        - src: "{{ kolide_fleet_ssl_cert }}"
+          dest: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
+        - src: "{{ kolide_fleet_ssl_key }}"
+          dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
+
+
 - name: Install osquery
-  hosts: "fleet_all:osquery:hosts"
+  hosts: "hosts:all_containers"
   become: true
   vars_files:
     - vars/variables.yml
@@ -32,19 +57,6 @@
         - /etc/osquery
         - /etc/osquery/ssl
 
-    - name: Synchronize certifactes back
-      synchronize:
-        mode: pull
-        src: "{{ item.src }}"
-        dest: "{{ item.dest }}"
-      with_items:
-        - src: "{{ kolide_fleet_ssl_cert }}"
-          dest: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
-        - src: "{{ kolide_fleet_ssl_key }}"
-          dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
-      when:
-        - inventory_hostname == groups['fleet_all'][0]
-
     - name: Copy certifactes over
       copy:
         src: "{{ item.src }}"
@@ -54,14 +66,12 @@
           src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
         - dest: "{{ kolide_fleet_ssl_key }}"
           src: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
-      when:
-        - inventory_hostname != groups['fleet_all'][0]
 
     - name: retrieve Enrollment Token
       command: /usr/local/bin/fleetctl get enroll-secret
       changed_when: false
       register: _enrollment_token
-      delegate_to: "{{ groups['fleet_all'][0] }}"
+      delegate_to: "{{ groups['kolide-fleet_all'][0] }}"
       run_once: true
 
     - name: Set kolide fleet enrollment token fact

osquery/inventory.example.yml

@@ -24,16 +24,12 @@ hosts:
     logging01: {}
 
 # This is the location where fleet(s) will live
-fleet_all:
-  hosts:
-    logging01: {}
+kolide-fleet_all:
+  children:
+    kolide_hosts:
+      hosts:
+        logging01: {}
 
 mariadb_all:
   children:
-    fleet_all: {}
-
-osquery_all:
-  hosts:
-    logging02:
-      ansible_host: 172.16.27.101
-      ansible_user: root
+    kolide-fleet_all: {}

osquery/roles/fleet/defaults/main.yml

@@ -20,7 +20,7 @@ kolide_fleet_db_user: fleet
 #kolide_fleet_db_password: fleetSecrete
 
 kolide_fleet_port: "8443"
-kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}"
+kolide_fleet_address: "127.0.0.1:{{ kolide_fleet_port }}"
 kolide_fleet_version: "2.0.0-rc5"
 kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
 
@@ -43,7 +43,6 @@ kolide_fleet_ssl_key_purge: false
 mariadb_bind_address: "0.0.0.0"
 mariadb_root_remote: 1
 mariadb_root_user: root
-#mariadb_root_password: fleetSecrete
 mariadb_databases:
   - name: "{{ kolide_fleet_db_name }}"
 
@@ -52,5 +51,3 @@ mariadb_users:
     password: "{{ kolide_fleet_db_password }}"
     priv: " {{ kolide_fleet_db_name }}.*:ALL"
     host: "%"
-
-galera_root_password: "{{ mariadb_root_password }}"

osquery/roles/fleet/tasks/createFleetDB.yml

@@ -16,7 +16,7 @@
 - name: Create DB for service
   mysql_db:
     login_user: "{{ mariadb_root_user }}"
-    login_password: "{{ mariadb_root_password }}"
+    login_password: "{{ galera_root_password }}"
     login_host: "{{ mariadb_login_host | default('localhost') }}"
     name: "{{ kolide_fleet_db_name }}"
     state: "present"
@@ -28,7 +28,7 @@
 - name: Grant access to the DB for the service
   mysql_user:
     login_user: "{{ mariadb_root_user }}"
-    login_password: "{{ mariadb_root_password }}"
+    login_password: "{{ galera_root_password }}"
     login_host: "{{ mariadb_login_host | default('localhost') }}"
     name: "{{ kolide_fleet_db_user }}"
     password: "{{ kolide_fleet_db_password }}"

osquery/roles/fleet/tasks/fleetSSLkeyCreate.yml

@@ -65,23 +65,23 @@
         - src: "{{ kolide_fleet_ssl_key }}"
           dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
       when:
-        - (groups['fleet_all'] | length) > 1
+        - (groups['kolide-fleet_all'] | length) > 1
       notify:
         - Cleanup certifactes
   when:
-    - inventory_hostname == groups['fleet_all'][0]
+    - inventory_hostname == groups['kolide-fleet_all'][0]
 
 - name: Copy certifactes over
   copy:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
-    with_items:
-      - dest: "{{ kolide_fleet_ssl_csr }}"
-        src: "/tmp/{{ kolide_fleet_ssl_csr | basename }}"
-      - dest: "{{ kolide_fleet_ssl_cert }}"
-        src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
-      - dest: "{{ kolide_fleet_ssl_key }}"
-        src: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
+  with_items:
+    - dest: "{{ kolide_fleet_ssl_csr }}"
+      src: "/tmp/{{ kolide_fleet_ssl_csr | basename }}"
+    - dest: "{{ kolide_fleet_ssl_cert }}"
+      src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
+    - dest: "{{ kolide_fleet_ssl_key }}"
+      src: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
   when:
-    - inventory_hostname != groups['fleet_all'][0]
-    - (groups['fleet_all'] | length) > 1
+    - inventory_hostname != groups['kolide-fleet_all'][0]
+    - (groups['kolide-fleet_all'] | length) > 1

osquery/roles/fleet/vars/main.yml

@@ -1,35 +0,0 @@
----
-# Kolide Fleet vars
-kolide_fleet_db_name: fleet
-kolide_fleet_db_user: fleet
-#kolide_fleet_db_password: fleetSecrete
-
-kolide_fleet_address: "127.0.0.1:{{ kolide_fleet_port }}"
-kolide_fleet_version: "2.0.0-rc5"
-kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
-
-kolide_fleet_admin_email: admin@openstack.org
-#kolide_fleet_admin_password: AdminSecrete
-
-kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
-kolide_fleet_ssl_key: /etc/ssl/private/fleet.key
-
-kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
-kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
-
-#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}"
-# MariaDB/Gallera Variables
-#mariadb_root_password: fleetSecrete
-mariadb_bind_address: "0.0.0.0"
-mariadb_root_remote: 1
-mariadb_root_user: root
-mariadb_databases:
-  - name: "{{ kolide_fleet_db_name }}"
-
-mariadb_users:
-  - name: "{{ kolide_fleet_db_user }}"
-    password: "{{ kolide_fleet_db_password }}"
-    priv: " {{ kolide_fleet_db_name }}.*:ALL"
-    host: "%"
-
-galera_root_password: "{{ mariadb_root_password }}"

osquery/vars/variables.yml

@@ -1,7 +1,5 @@
 ---
 
-mariadb_root_user: root
-
 kolide_fleet_enable: true
 
 kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
@@ -20,7 +18,7 @@ osquery_rsyslog: false
 
 osquery_flags:
   - "--tls_server_certs={{ kolide_fleet_ssl_cert }}"
-  - "--tls_hostname={{ hostvars[groups['fleet_all'][0]]['ansible_host'] }}:443"
+  - "--tls_hostname={{ hostvars[groups['kolide-fleet_all'][0]]['ansible_host'] }}:443"
   - "--host_identifier=hostname"
   - "--enroll_tls_endpoint=/api/v1/osquery/enroll"
   - "--config_plugin=tls"