From 1976ab309cde1202c1473eec01bd3601e912118f Mon Sep 17 00:00:00 2001 From: Ram Mohan Rao Chukka <1331672+chukka@users.noreply.github.com> Date: Thu, 5 Aug 2021 15:22:21 +0530 Subject: [PATCH] [Ansible] JFrog Platform 7.23.3 (#148) --- .../jfrog/platform/CHANGELOG.md | 4 + .../jfrog/platform/galaxy.yml | 2 +- .../roles/artifactory/defaults/main.yml | 2 +- .../roles/artifactory/tasks/install.yml | 6 +- .../roles/artifactory/tasks/upgrade.yml | 12 +- .../platform/roles/artifactory/vars/main.yml | 2 +- .../roles/distribution/defaults/main.yml | 2 +- .../roles/distribution/tasks/install.yml | 8 +- .../roles/distribution/tasks/upgrade.yml | 50 ++-- .../platform/roles/distribution/vars/main.yml | 2 +- .../roles/missioncontrol/defaults/main.yml | 8 +- .../files/searchguard/sg_config.yml | 275 ++++++++++++++++++ .../roles/missioncontrol/tasks/install.yml | 29 +- .../roles/missioncontrol/tasks/main.yml | 8 +- .../tasks/setup-elasticsearch.yml | 14 +- .../tasks/setup-searchguard.yml | 2 +- .../tasks/upgrade-elasticsearch.yml | 17 +- .../tasks/upgrade-searchguard.yml | 1 - .../roles/missioncontrol/tasks/upgrade.yml | 78 ++--- .../roles/missioncontrol/vars/main.yml | 2 +- .../missioncontrol/vars/script/archive.yml | 2 +- .../platform/roles/postgres/tasks/main.yml | 3 +- .../platform/roles/xray/tasks/install.yml | 23 +- .../platform/roles/xray/tasks/upgrade.yml | 20 +- .../jfrog/platform/roles/xray/vars/main.yml | 2 +- 25 files changed, 444 insertions(+), 130 deletions(-) create mode 100644 Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/files/searchguard/sg_config.yml diff --git a/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md b/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md index 46e5ed3..6e84ca8 100644 --- a/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md +++ b/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md 
@@ -1,6 +1,10 @@ # JFrog Platform Ansible Collection Changelog All changes to this collection will be documented in this file. +## [7.23.3] - Aug 5, 2021 +* Missioncontrol's Elasticsearch to use new JAVA_HOME path +* Missioncontrol's Elasticsearch searchguard plugin to use by default `anonymous_auth_enabled: true` + ## [7.21.12] - July 30, 2021 * Added variable `postgres_enabled` to enable/disable default postgres role in `groups_vars/all/vars.yml` * Added documentation to used external database diff --git a/Ansible/ansible_collections/jfrog/platform/galaxy.yml b/Ansible/ansible_collections/jfrog/platform/galaxy.yml index ed9aba5..50f165e 100644 --- a/Ansible/ansible_collections/jfrog/platform/galaxy.yml +++ b/Ansible/ansible_collections/jfrog/platform/galaxy.yml @@ -9,7 +9,7 @@ namespace: "jfrog" name: "platform" # The version of the collection. Must be compatible with semantic versioning -version: "7.21.12" +version: "7.23.3" # The path to the Markdown (.md) readme file. This path is relative to the root of the collection readme: "README.md" diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml index 0deb592..b24bbec 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml @@ -2,7 +2,7 @@ # defaults file for artifactory # The version of artifactory to install -artifactory_version: 7.21.12 +artifactory_version: 7.23.3 # Set this to true when SSL is enabled (to use artifactory_nginx_ssl role), default to false (implies artifactory uses artifactory_nginx role ) artifactory_nginx_ssl_enabled: false diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml index 3fce7f3..e25d921 100644 
--- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml @@ -46,8 +46,8 @@ url: "{{ artifactory_tar }}" timeout: "{{ artifactory_download_timeout }}" dest: "{{ jfrog_home_directory }}" - register: downloadartifactory - until: downloadartifactory is succeeded + register: download_artifactory + until: download_artifactory is succeeded retries: 3 when: not artifactory_tar_check.stat.exists @@ -60,7 +60,7 @@ owner: "{{ artifactory_user }}" group: "{{ artifactory_group }}" creates: "{{ artifactory_untar_home }}" - when: downloadartifactory is succeeded + when: download_artifactory is succeeded - name: Check if app directory exists become: yes diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/upgrade.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/upgrade.yml index d201618..84fde71 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/upgrade.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/upgrade.yml @@ -14,8 +14,8 @@ url: "{{ artifactory_tar }}" timeout: "{{ artifactory_download_timeout }}" dest: "{{ jfrog_home_directory }}" - register: downloadartifactory - until: downloadartifactory is succeeded + register: download_artifactory + until: download_artifactory is succeeded retries: 3 when: not artifactory_tar_check.stat.exists @@ -28,14 +28,14 @@ owner: "{{ artifactory_user }}" group: "{{ artifactory_group }}" creates: "{{ artifactory_untar_home }}" - when: downloadartifactory is succeeded + when: download_artifactory is succeeded - name: Stop artifactory become: yes systemd: name: "{{ artifactory_daemon }}" state: stopped - when: downloadartifactory.changed + when: download_artifactory.changed - name: Ensure jfrog_home_directory exists become: yes 
@@ -48,12 +48,12 @@ file: path: "{{ artifactory_home }}/app" state: absent - when: downloadartifactory.changed + when: download_artifactory.changed - name: Copy new app to artifactory app become: yes command: "cp -r {{ artifactory_untar_home }}/app/. {{ artifactory_home }}/app" - when: downloadartifactory.changed + when: download_artifactory.changed - name: Configure single license become: yes diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/vars/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/vars/main.yml index 9d62b2e..84158ad 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/vars/main.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/vars/main.yml @@ -1,6 +1,6 @@ --- # platform collection version -platform_collection_version: 7.21.12 +platform_collection_version: 7.23.3 # indicates where this collection was downloaded from (galaxy, automation_hub, standalone) ansible_marketplace: galaxy \ No newline at end of file diff --git a/Ansible/ansible_collections/jfrog/platform/roles/distribution/defaults/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/distribution/defaults/main.yml index 0f7e2e7..43650a9 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/distribution/defaults/main.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/distribution/defaults/main.yml @@ -2,7 +2,7 @@ # defaults file for distribution # The version of distribution to install -distribution_version: 2.8.2 +distribution_version: 2.9.0 # whether to enable HA distribution_ha_enabled: false diff --git a/Ansible/ansible_collections/jfrog/platform/roles/distribution/tasks/install.yml b/Ansible/ansible_collections/jfrog/platform/roles/distribution/tasks/install.yml index 661d508..2cefcec 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/distribution/tasks/install.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/distribution/tasks/install.yml 
@@ -7,7 +7,7 @@ name: expect state: present become: yes - when: ansible_os_family == 'Redhat' + when: ansible_os_family == 'RedHat' - name: Install expect dependency apt: @@ -47,8 +47,8 @@ url: "{{ distribution_tar }}" timeout: "{{ distribution_download_timeout }}" dest: "{{ jfrog_home_directory }}" - register: downloaddistribution - until: downloaddistribution is succeeded + register: download_distribution + until: download_distribution is succeeded retries: 3 when: not distribution_tar_check.stat.exists @@ -61,7 +61,7 @@ owner: "{{ distribution_user }}" group: "{{ distribution_group }}" creates: "{{ distribution_untar_home }}" - when: downloaddistribution is succeeded + when: download_distribution is succeeded - name: Check if app directory exists become: yes diff --git a/Ansible/ansible_collections/jfrog/platform/roles/distribution/tasks/upgrade.yml b/Ansible/ansible_collections/jfrog/platform/roles/distribution/tasks/upgrade.yml index 657d253..95eb818 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/distribution/tasks/upgrade.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/distribution/tasks/upgrade.yml @@ -14,8 +14,8 @@ url: "{{ distribution_tar }}" timeout: "{{ distribution_download_timeout }}" dest: "{{ jfrog_home_directory }}" - register: downloaddistribution - until: downloaddistribution is succeeded + register: download_distribution + until: download_distribution is succeeded retries: 3 when: not distribution_tar_check.stat.exists 
@@ -28,33 +28,50 @@ owner: "{{ distribution_user }}" group: "{{ distribution_group }}" creates: "{{ distribution_untar_home }}" - when: downloaddistribution is succeeded + when: download_distribution is succeeded - name: Stop distribution become: yes systemd: name: "{{ distribution_daemon }}" state: stopped - when: downloaddistribution.changed + when: download_distribution.changed - name: Delete distribution app become: yes file: path: "{{ distribution_home }}/app" state: absent - when: downloaddistribution.changed + when: download_distribution.changed - name: Copy new app to distribution app become: yes command: "cp -r {{ distribution_untar_home }}/app/. {{ distribution_home }}/app" - when: downloaddistribution.changed + when: download_distribution.changed + +- name: Check if systemyaml exists + become: yes + stat: + path: "{{ distribution_home }}/var/etc/system.yaml" + register: systemyaml + +- name: Configure systemyaml + become: yes + template: + src: "{{ distribution_system_yaml_template }}" + dest: "{{ distribution_home }}/var/etc/system.yaml" + when: + - distribution_systemyaml is defined + - distribution_systemyaml|length > 0 + - distribution_systemyaml_override or (not systemyaml.stat.exists) + notify: restart distribution - name: Check if install.sh wrapper script exist become: yes stat: path: "{{ distribution_install_script_path }}/install.sh" register: install_wrapper_script - when: downloaddistribution.changed + when: download_distribution.changed - name: Include interactive installer scripts include_vars: script/archive.yml @@ -71,7 +88,7 @@ YQ_PATH: "{{ distribution_thirdparty_path }}/yq" when: - install_wrapper_script.stat.exists - - downloaddistribution.changed + - download_distribution.changed - name: Ensure {{ distribution_home }}/var/etc/redis exists become: yes 
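Review bot: In the `@@ -71,7 +88,7 @@` hunk the `when` list of the task that sets `YQ_PATH` still tests `install_wrapper_script.stat.exists` before `download_distribution.changed`; Ansible evaluates a `when` list item by item and stops at the first false one, so on a rerun where the tarball is already present the `Check if install.sh wrapper script exist` task is skipped, its registered result carries no `stat` key, and the first condition raises an undefined-attribute error instead of skipping the task. Swapping the two items, `- download_distribution.changed` followed by `- install_wrapper_script.stat.exists`, lets the flag short-circuit the lookup; the `Upgrade JFMC` task relocated in missioncontrol/tasks/upgrade.yml has the same ordering (`upgrade_wrapper_script.stat.exists` before `download_mc.changed`) and needs the same swap. That task's header lies before the hunk. Separately, the relocated `Configure systemyaml` task writes `system.yaml` via `template` without `owner`, `group` or `mode`, so the file sits root-owned with default-umask permissions until the later `Update distribution permissions` task runs; adding `mode: "0640"` next to `dest:` closes that window.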
@@ -95,23 +112,6 @@ dest: "{{ distribution_home }}/var/etc/info/installer-info.json" notify: restart distribution -- name: Check if systemyaml exists - become: yes - stat: - path: "{{ distribution_home }}/var/etc/system.yaml" - register: systemyaml - -- name: Configure systemyaml - become: yes - template: - src: "{{ distribution_system_yaml_template }}" - dest: "{{ distribution_home }}/var/etc/system.yaml" - when: - - distribution_systemyaml is defined - - distribution_systemyaml|length > 0 - - distribution_systemyaml_override or (not systemyaml.stat.exists) - notify: restart distribution - - name: Update distribution permissions become: yes file: diff --git a/Ansible/ansible_collections/jfrog/platform/roles/distribution/vars/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/distribution/vars/main.yml index 0052425..2f68406 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/distribution/vars/main.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/distribution/vars/main.yml @@ -1,6 +1,6 @@ --- # platform collection version -platform_collection_version: 7.21.12 +platform_collection_version: 7.23.3 # indicates were this collection was downlaoded from (galaxy, automation_hub, standalone) ansible_marketplace: galaxy diff --git a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/defaults/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/defaults/main.yml index 5c79653..bbd48bd 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/defaults/main.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/defaults/main.yml @@ -2,7 +2,7 @@ # defaults file for mc # The version of missioncontrol to install -missioncontrol_version: 4.7.8 +missioncontrol_version: 4.7.10 # whether to enable HA mc_ha_enabled: false 
@@ -44,14 +44,14 @@ es_gid: 1060 mc_es_conf_base: "/etc/elasticsearch" mc_es_user: admin mc_es_password: admin -mc_es_url: "http://localhost:8082" -mc_es_base_url: "http://localhost:8082/elasticsearch" +mc_es_url: "http://localhost:9200" +mc_es_base_url: "http://localhost:9200/elasticsearch" mc_es_transport_port: 9300 mc_es_home: "/usr/share/elasticsearch" mc_es_data_dir: "/var/lib/elasticsearch" mc_es_log_dir: "/var/log/elasticsearch" -mc_es_java_home: "/usr/share/elasticsearch/jdk" +mc_es_java_home: "{{ mc_thirdparty_path }}/java" mc_es_script_path: "/usr/share/elasticsearch/bin" mc_es_searchgaurd_home: "/usr/share/elasticsearch/plugins/search-guard-7" diff --git a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/files/searchguard/sg_config.yml b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/files/searchguard/sg_config.yml new file mode 100644 index 0000000..2e420ce --- /dev/null +++ b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/files/searchguard/sg_config.yml 
@@ -0,0 +1,275 @@ +# This is the main Search Guard configuration file where authentication +# and authorization is defined. +# +# You need to configure at least one authentication domain in the authc of this file. +# An authentication domain is responsible for extracting the user credentials from +# the request and for validating them against an authentication backend like Active Directory for example. +# +# If more than one authentication domain is configured the first one which succeeds wins. +# If all authentication domains fail then the request is unauthenticated. +# In this case an exception is thrown and/or the HTTP status is set to 401. +# +# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect +# the roles from a given backend for the authenticated user. +# +# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both. +# http_enabled: true +# transport_enabled: true +# +# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to +# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated. +# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "sg_anonymous" +# and one role named "sg_anonymous_backendrole". +# If you enable anonymous authentication all HTTP authenticators will not challenge. +# +# +# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert" +# first and the challenging one last. +# Because it's not possible to challenge a client with two different authentication methods (for example +# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation +# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request. 
+# +# Default value of the challenge flag is true. +# +# +# HTTP +# basic (challenging) +# proxy (not challenging, needs xff) +# kerberos (challenging) NOT FREE FOR COMMERCIAL +# clientcert (not challenging, needs https) +# jwt (not challenging) NOT FREE FOR COMMERCIAL +# host (not challenging) #DEPRECATED, will be removed in a future version. +# host based authentication is configurable in sg_roles_mapping + +# Authc +# internal +# noop +# ldap NOT FREE FOR COMMERCIAL USE + +# Authz +# ldap NOT FREE FOR COMMERCIAL USE +# noop + +# For more details pls refer to https://docs.search-guard.com/latest/authentication-authorization +_sg_meta: + type: "config" + config_version: 2 +sg_config: + dynamic: + # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index + # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default) + # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently + #filtered_alias_mode: warn + #do_not_fail_on_forbidden: false + #kibana: + # Kibana multitenancy - NOT FREE FOR COMMERCIAL USE + # In addition to the config options below you need to set do_not_fail_on_forbidden to true (see above). + # Kibana needs to be configured for multi tenancy as well. 
+ # See https://docs.search-guard.com/latest/kibana-multi-tenancy for details + #multitenancy_enabled: true + #server_username: kibanaserver + #index: '.kibana' + http: + anonymous_auth_enabled: true + xff: + enabled: false + internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern + #internalProxies: '.*' # trust all internal proxies, regex pattern + #remoteIpHeader: 'x-forwarded-for' + ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help + ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For + ###### and here https://tools.ietf.org/html/rfc7239 + ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve + auth_token_provider: # NOT FREE FOR COMMERCIAL USE + # To enable using Search Guard auth tokens, you also need to enable the sg_issued_jwt_auth_domain below. + enabled: false + # JWTs produced by Search Guard are signed by default with a symmetric HMAC512 hash. For production systems, + # you must replace the value specified here by your own key. You can generate a new key for example with: + # openssl rand -base64 512 | tr '/+' '_-' + # If you want ot use another signature algorithm, you can specify a complete JWK using the attriubute jwt_signing_key. + # Refer to the documentation for details. + jwt_signing_key_hs512: "eTDZjSqRD9Abhod9iqeGX_7o93a-eElTeXWAF6FmzQshmRIrPD-C9ET3pFjJ_IBrzmWIZDk8ig-X_PIyGmKsxNMsrU-0BNWF5gJq5xOp4rYTl8z66Tw9wr8tHLxLxgJqkLSuUCRBZvlZlQ7jNdhBBxgM-hdSSzsN1T33qdIwhrUeJ-KXI5yKUXHjoWFYb9tETbYQ4NvONowkCsXK_flp-E3F_OcKe_z5iVUszAV8QfCod1zhbya540kDejXCL6N_XMmhWJqum7UJ3hgf6DEtroPSnVpHt4iR5w9ArKK-IBgluPght03gNcoNqwz7p77TFbdOmUKF_PWy1bcdbaUoSg" + # JWTs produced by Search Guard are unencrypted by default. Set a key here to activate encryption using AES Key Wrap. + # If you want ot use another signature algorithm, you can specify a complete JWK using the attriubute jwt_encryption_key. + # Refer to the documentation for details. 
+ #jwt_encryption_key_a256kw: "..." + # Specify the maximum time period an auth token may be valid. Omit max_validity to have keys with unlimited lifetime. + # Note that when creating auth tokens, users can specify an even shorter time period. + max_validity: "1y" + # This specifies the maximum number of valid tokens a user can have at the same time. + max_tokens_per_user: 100 + authc: + kerberos_auth_domain: + http_enabled: false + transport_enabled: false + order: 6 + http_authenticator: + type: kerberos # NOT FREE FOR COMMERCIAL USE + challenge: true + config: + # If true a lot of kerberos/security related debugging output will be logged to standard out + krb_debug: false + # If true then the realm will be stripped from the user name + strip_realm_from_principal: true + authentication_backend: + type: noop + basic_internal_auth_domain: + description: "Authenticate via HTTP Basic against internal users database" + http_enabled: true + transport_enabled: true + order: 4 + http_authenticator: + type: basic + challenge: true + authentication_backend: + type: intern + proxy_auth_domain: + description: "Authenticate via proxy" + http_enabled: false + transport_enabled: false + order: 3 + http_authenticator: + type: proxy + challenge: false + config: + user_header: "x-proxy-user" + roles_header: "x-proxy-roles" + authentication_backend: + type: noop + jwt_auth_domain: + description: "Authenticate via Json Web Token" + http_enabled: false + transport_enabled: false + order: 0 + http_authenticator: + type: jwt + challenge: false + config: + signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key" + jwt_header: "Authorization" + jwt_url_parameter: null + roles_key: null + subject_key: null + authentication_backend: + type: noop + sg_issued_jwt_auth_domain: + description: "Authenticate via Json Web Tokens issued by Search Guard" + http_enabled: false + # This auth domain is only available for HTTP + order: 1 + http_authenticator: + type: sg_auth_token + 
challenge: false + # This auth domain automatically pulls configuration from the auth_token_provider config above + authentication_backend: + type: sg_auth_token + clientcert_auth_domain: + description: "Authenticate via SSL client certificates" + http_enabled: false + transport_enabled: false + order: 2 + http_authenticator: + type: clientcert + config: + username_attribute: cn #optional, if omitted DN becomes username + challenge: false + authentication_backend: + type: noop + ldap: + description: "Authenticate via LDAP or Active Directory" + http_enabled: false + transport_enabled: false + order: 5 + http_authenticator: + type: basic + challenge: false + authentication_backend: + # LDAP authentication backend (authenticate users against a LDAP or Active Directory) + type: ldap # NOT FREE FOR COMMERCIAL USE + config: + # enable ldaps + enable_ssl: false + # enable start tls, enable_ssl should be false + enable_start_tls: false + # send client certificate + enable_ssl_client_auth: false + # verify ldap hostname + verify_hostnames: true + hosts: + - localhost:8389 + bind_dn: null + password: null + userbase: 'ou=people,dc=example,dc=com' + # Filter to search for users (currently in the whole subtree beneath userbase) + # {0} is substituted with the username + usersearch: '(sAMAccountName={0})' + # Use this attribute from the user as username (if not set then DN is used) + username_attribute: null + authz: + roles_from_myldap: + description: "Authorize via LDAP or Active Directory" + http_enabled: false + transport_enabled: false + authorization_backend: + # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too) + type: ldap # NOT FREE FOR COMMERCIAL USE + config: + # enable ldaps + enable_ssl: false + # enable start tls, enable_ssl should be false + enable_start_tls: false + # send client certificate + enable_ssl_client_auth: false + # verify ldap hostname + 
verify_hostnames: true + hosts: + - localhost:8389 + bind_dn: null + password: null + rolebase: 'ou=groups,dc=example,dc=com' + # Filter to search for roles (currently in the whole subtree beneath rolebase) + # {0} is substituted with the DN of the user + # {1} is substituted with the username + # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute + rolesearch: '(member={0})' + # Specify the name of the attribute which value should be substituted with {2} above + userroleattribute: null + # Roles as an attribute of the user entry + userrolename: disabled + #userrolename: memberOf + # The attribute in a role entry containing the name of that role, Default is "name". + # Can also be "dn" to use the full DN as rolename. + rolename: cn + # Resolve nested roles transitive (roles which are members of other roles and so on ...) + resolve_nested_roles: true + userbase: 'ou=people,dc=example,dc=com' + # Filter to search for users (currently in the whole subtree beneath userbase) + # {0} is substituted with the username + usersearch: '(uid={0})' + # Skip users matching a user name, a wildcard or a regex pattern + #skip_users: + # - 'cn=Michael Jackson,ou*people,o=TEST' + # - '/\S*/' + roles_from_another_ldap: + description: "Authorize via another Active Directory" + http_enabled: false + transport_enabled: false + authorization_backend: + type: ldap # NOT FREE FOR COMMERCIAL USE + #config goes here ... 
+ # auth_failure_listeners: + # ip_rate_limiting: + # type: ip + # allowed_tries: 10 + # time_window_seconds: 3600 + # block_expiry_seconds: 600 + # max_blocked_clients: 100000 + # max_tracked_clients: 100000 + # internal_authentication_backend_limiting: + # type: username + # authentication_backend: intern + # allowed_tries: 10 + # time_window_seconds: 3600 + # block_expiry_seconds: 600 + # max_blocked_clients: 100000 + # max_tracked_clients: 100000 \ No newline at end of file diff --git a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/install.yml b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/install.yml index 4a8c75b..73df689 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/install.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/install.yml @@ -7,7 +7,7 @@ yum: name: expect state: present - when: ansible_os_family == 'Redhat' + when: ansible_os_family == 'RedHat' - name: Install expect dependency become: yes @@ -35,18 +35,33 @@ shell: /bin/bash state: present +- name: Check if mc tar exists + become: yes + stat: + path: "{{ jfrog_home_directory }}/{{ mc_tar_file_name }}" + register: mc_tar_check + - name: Download mc become: yes - unarchive: - src: "{{ mc_tar }}" + get_url: + url: "{{ mc_tar }}" + timeout: "{{ mc_download_timeout }}" dest: "{{ jfrog_home_directory }}" - remote_src: yes + register: download_mc + until: download_mc is succeeded + retries: 3 + when: not mc_tar_check.stat.exists + +- name: Extract mc tar + become: yes + unarchive: + src: "{{ jfrog_home_directory }}/{{ mc_tar_file_name }}" + dest: "{{ jfrog_home_directory }}" + remote_src: true owner: "{{ mc_user }}" group: "{{ mc_group }}" creates: "{{ mc_untar_home }}" - register: downloadmc - until: downloadmc is succeeded - retries: 3 + when: download_mc is succeeded - name: Check if app directory exists become: yes 
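Review bot: `anonymous_auth_enabled: true` under `sg_config.dynamic.http` is delivered as a static file from `files/searchguard/` (it is added to the file loop in setup-searchguard.yml), so every Mission Control install gets unauthenticated HTTP access to Elasticsearch as the `sg_anonymous` user, and nothing in the file itself marks this as a deliberate default; only the CHANGELOG entry does. What that user can actually read depends on the `sg_anonymous_backendrole` mapping in `sg_roles_mapping.yml` and on the node's network binding, neither of which is in this diff, so the real exposure cannot be judged here. Consider rendering the file as a template so the flag comes from a role variable (constructed name: `mc_es_sg_anonymous_auth_enabled`, default `true`), and put a comment above `http:` such as `# anonymous HTTP auth is on by default; check sg_roles_mapping.yml for what sg_anonymous_backendrole may access`. `jwt_signing_key_hs512` also carries a literal HMAC key under `auth_token_provider`; it is inert while `enabled: false`, but the comment above it says the value must be replaced for production, so a placeholder is safer than a real-looking key that could be switched on as-is. The file also ends without a trailing newline.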
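Review bot: The new `get_url` in `Download mc` fetches the tarball with no `checksum:`, so a corrupted or substituted archive is accepted and then unpacked with `become: yes` in `Extract mc tar`; the pre-existing `get_url` tasks of the artifactory, distribution and xray roles touched by this patch share the gap. A `checksum: "{{ mc_tar_checksum }}"` line (constructed variable; value in the module's `sha256:<hex>` or `sha256:<url>` form) next to `timeout:` would pin the download, and the same line fits the sibling roles. `mc_tar_file_name` and `mc_download_timeout` are referenced here but defined in no hunk of this diff; presumably they sit in the role defaults, which is worth confirming before release.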
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/main.yml index 6786b82..45d81c1 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/main.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/main.yml @@ -1,6 +1,10 @@ - name: perform installation include_tasks: "install.yml" - when: not mc_upgrade_only + when: + - mc_enabled + - not mc_upgrade_only - name: perform upgrade include_tasks: "upgrade.yml" - when: mc_upgrade_only \ No newline at end of file + when: + - mc_enabled + - mc_upgrade_only \ No newline at end of file diff --git a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/setup-elasticsearch.yml b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/setup-elasticsearch.yml index a48f0b4..09d1b9a 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/setup-elasticsearch.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/setup-elasticsearch.yml @@ -87,7 +87,7 @@ - --strip-components=1 owner: elasticsearch group: elasticsearch - creates: "{{ mc_es_java_home }}" + creates: "{{ mc_es_script_path }}" register: unarchive_result when: check_elasticsearch_package_result.matched > 0 @@ -159,12 +159,20 @@ environment: ES_JAVA_HOME: "{{ mc_es_java_home }}" ES_PATH_CONF: "{{ mc_es_conf_base }}/" - register: start_elasticsearch_result + register: start_elasticsearch when: unarchive_result.extract_results.rc | default(128) == 0 - name: Wait for elasticsearch to start pause: - seconds: 15 + seconds: 30 + when: start_elasticsearch.changed + +- name: Check if elasticsearch is running + wait_for: + host: localhost + port: "{{ mc_es_transport_port }}" + delay: 5 + connect_timeout: 1 - name: Init searchguard plugin become: yes 
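Review bot: The new `mc_enabled` guard on both tasks of main.yml is not declared in any file touched by this commit; if it only exists in the playbook's group_vars (the 7.21.12 changelog entry says `postgres_enabled` was added there), running the role on its own fails at the first task with an undefined-variable error. `- mc_enabled | default(true)` keeps the guard while preserving current behaviour for callers that never set it; either way the variable belongs in `defaults/main.yml` with a one-line comment. Both halves of the hunk still end without a trailing newline.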
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/setup-searchguard.yml b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/setup-searchguard.yml index 565a43c..c7c429f 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/setup-searchguard.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/setup-searchguard.yml @@ -22,7 +22,6 @@ - name: Install searchguard plugin become: yes - become_user: elasticsearch ignore_errors: yes shell: | {{ mc_es_script_path }}/elasticsearch-plugin install \ @@ -57,6 +56,7 @@ loop: - "sg_roles.yml" - "sg_roles_mapping.yml" + - "sg_config.yml" - name: Check execution bit become: yes diff --git a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/upgrade-elasticsearch.yml b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/upgrade-elasticsearch.yml index dfe0685..e0aba98 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/upgrade-elasticsearch.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/upgrade-elasticsearch.yml @@ -29,7 +29,7 @@ shell: | {{ mc_es_script_path }}/elasticsearch-plugin remove {{ check_searchguard_bundle_result.files[0].path }} environment: - JAVA_HOME: "{{ mc_es_java_home }}" + ES_JAVA_HOME: "{{ mc_es_java_home }}" ES_PATH_CONF: "{{ mc_es_conf_base }}/config" register: remove_searchguard_result when: check_searchguard_bundle_result.matched == 1 @@ -75,6 +75,7 @@ - --exclude=config owner: elasticsearch group: elasticsearch + creates: "{{ mc_es_script_path }}" register: unarchive_result when: check_elasticsearch_package_result.matched > 0 
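Review bot: Dropping `become_user: elasticsearch` from `Install searchguard plugin` makes `elasticsearch-plugin install` run as root, so whatever it writes under the plugins directory is root-owned; unless a later task outside this hunk resets ownership, the `elasticsearch` service user may be unable to read or update the plugin, and the CHANGELOG does not mention the change. The same removal is made in upgrade-searchguard.yml. If the switch is deliberate, a comment on the task stating why, e.g. `# runs as root: <reason>`, plus an explicit `owner: elasticsearch` fix-up afterwards would make the intent clear; otherwise restoring `become_user: elasticsearch` is the smaller change. The task's `shell` body continues past the hunk.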
@@ -107,4 +108,16 @@ ES_JAVA_HOME: "{{ mc_es_java_home }}" ES_PATH_CONF: "{{ mc_es_conf_base }}/" when: unarchive_result.extract_results.rc | default(128) == 0 - register: start_elastcsearch_upgraded + register: start_elastcsearch + +- name: Wait for elasticsearch to start + pause: + seconds: 30 + when: start_elasticsearch.changed + +- name: Check if elasticsearch is running + wait_for: + host: localhost + port: "{{ mc_es_transport_port }}" + delay: 5 + connect_timeout: 1 diff --git a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/upgrade-searchguard.yml b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/upgrade-searchguard.yml index 5db18e2..e521460 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/upgrade-searchguard.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/upgrade-searchguard.yml @@ -31,7 +31,6 @@ - name: Install searchguard plugin become: yes - become_user: elasticsearch ignore_errors: yes shell: | {{ mc_es_script_path }}/elasticsearch-plugin install \ diff --git a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/upgrade.yml b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/upgrade.yml index c342850..4172ded 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/upgrade.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/upgrade.yml @@ -14,8 +14,8 @@ url: "{{ mc_tar }}" timeout: "{{ mc_download_timeout }}" dest: "{{ jfrog_home_directory }}" - register: downloadmc - until: downloadmc is succeeded + register: download_mc + until: download_mc is succeeded retries: 3 when: not mc_tar_check.stat.exists 
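Review bot: In the last hunk of upgrade-elasticsearch.yml the start task is registered as `start_elastcsearch` (missing the `i`) while the new `Wait for elasticsearch to start` pause checks `start_elasticsearch.changed`, so the pause either fails with an undefined variable or, if setup-elasticsearch.yml ran earlier in the same play, silently reuses that stale result. The one-line fix is `register: start_elasticsearch` on the start task, matching the name setup-elasticsearch.yml now uses. The start task's header lies before the hunk.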
@@ -28,68 +28,37 @@ owner: "{{ mc_user }}" group: "{{ mc_group }}" creates: "{{ mc_untar_home }}" - when: downloadmc is succeeded + when: download_mc is succeeded - name: Stop mc service become: yes systemd: name: "{{ mc_daemon }}" state: stopped - when: downloadmc.changed + when: download_mc.changed - name: Delete current app folder become: yes file: path: "{{ mc_home }}/app" state: absent - when: downloadmc.changed + when: download_mc.changed - name: Copy new app to mc app command: "cp -r {{ mc_untar_home }}/app/. {{ mc_home }}/app" become: yes - when: downloadmc.changed + when: download_mc.changed - name: Delete untar directory file: path: "{{ mc_untar_home }}" state: absent become: yes - when: downloadmc.changed + when: download_mc.changed - name: Upgrade elasticsearch import_tasks: upgrade-elasticsearch.yml - when: downloadmc.changed - -- name: Check if install.sh wrapper script exist - become: yes - stat: - path: "{{ mc_install_script_path }}/install.sh" - register: upgrade_wrapper_script - when: downloadmc.changed - -- name: Include interactive installer scripts - include_vars: script/archive.yml - -- name: Upgrade JFMC - include_tasks: expect.yml - vars: - exp_executable_cmd: "./install.sh -u {{ mc_user }} -g {{ mc_group }}" - exp_dir: "{{ mc_install_script_path }}" - exp_scenarios: "{{ mc_installer_scenario['main'] }}" - args: - apply: - environment: - YQ_PATH: "{{ mc_thirdparty_path }}/yq" - when: - - upgrade_wrapper_script.stat.exists - - downloadmc.changed - -- name: Configure installer info - become: yes - template: - src: installer-info.json.j2 - dest: "{{ mc_home }}/var/etc/info/installer-info.json" - notify: restart missioncontrol + when: download_mc.changed - name: Check if systemyaml exists become: yes 
@@ -108,6 +77,37 @@
 - mc_systemyaml_override or (not systemyaml.stat.exists)
 notify: restart missioncontrol
+- name: Check if install.sh wrapper script exist
+ become: yes
+ stat:
+ path: "{{ mc_install_script_path }}/install.sh"
+ register: upgrade_wrapper_script
+ when: download_mc.changed
+
+- name: Include interactive installer scripts
+ include_vars: script/archive.yml
+
+- name: Upgrade JFMC
+ include_tasks: expect.yml
+ vars:
+ exp_executable_cmd: "./install.sh -u {{ mc_user }} -g {{ mc_group }}"
+ exp_dir: "{{ mc_install_script_path }}"
+ exp_scenarios: "{{ mc_installer_scenario['main'] }}"
+ args:
+ apply:
+ environment:
+ YQ_PATH: "{{ mc_thirdparty_path }}/yq"
+ when:
+ - upgrade_wrapper_script.stat.exists
+ - download_mc.changed
+
+- name: Configure installer info
+ become: yes
+ template:
+ src: installer-info.json.j2
+ dest: "{{ mc_home }}/var/etc/info/installer-info.json"
+ notify: restart missioncontrol
+
 - name: Update correct permissions
 become: yes
 file:
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/vars/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/vars/main.yml
index a1f294e..68274c2 100644
--- a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/vars/main.yml
+++ b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/vars/main.yml
@@ -1,6 +1,6 @@
 ---
 # platform collection version
-platform_collection_version: 7.21.12
+platform_collection_version: 7.23.3
 # indicates were this collection was downlaoded from (galaxy, automation_hub, standalone)
 ansible_marketplace: galaxy
\ No newline at end of file
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/vars/script/archive.yml b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/vars/script/archive.yml
index 6d66540..91a2208 100644
--- a/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/vars/script/archive.yml
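Review bot: In the moved `Upgrade JFMC` task the `when` list tests `upgrade_wrapper_script.stat.exists` before `download_mc.changed`, but the `Check if install.sh wrapper script exist` task just above it is itself skipped when `download_mc.changed` is false, and a skipped `stat` result carries no `stat` key; Ansible evaluates list conditions in order and stops at the first false one, so whenever the download does not run (for example the tarball already exists) this task fails on the missing attribute instead of skipping. Reorder the list so the flag is checked first, `- download_mc.changed` then `- upgrade_wrapper_script.stat.exists`, or guard it with `upgrade_wrapper_script.stat.exists | default(false)`. The same ordering appears in the xray upgrade.yml hunk `@@ -82,7 +82,7 @@` (`install_wrapper_script.stat.exists` before `download_xray.changed`); if that stat task is conditioned the same way, it needs the same change.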
+++ b/Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/vars/script/archive.yml
@@ -14,7 +14,7 @@ mc_installer_scenario:
 }
 - {
 "expecting": "please specify the ip address of this machine(?!.*Skipping prompt)",
- "sending": "{% if mc_ha_node_type is defined and mc_ha_node_type == 'master' %}{{ ansible_host }}{% else %}{{ ansible_host }}{% endif %}"
+ "sending": "{{ ansible_host }}"
 }
 - {
 "expecting": "are you adding an additional node",
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/postgres/tasks/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/postgres/tasks/main.yml
index a6a5ffa..e4fc070 100644
--- a/Ansible/ansible_collections/jfrog/platform/roles/postgres/tasks/main.yml
+++ b/Ansible/ansible_collections/jfrog/platform/roles/postgres/tasks/main.yml
@@ -1,4 +1,3 @@
 - name: Install postgres
 include_tasks: "install.yml"
- when:
- - postgres_enabled
\ No newline at end of file
+ when: postgres_enabled
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/xray/tasks/install.yml b/Ansible/ansible_collections/jfrog/platform/roles/xray/tasks/install.yml
index 57f1923..a134a5c 100644
--- a/Ansible/ansible_collections/jfrog/platform/roles/xray/tasks/install.yml
+++ b/Ansible/ansible_collections/jfrog/platform/roles/xray/tasks/install.yml
@@ -2,9 +2,6 @@
 - debug:
 msg: "Performing installation of Xray version : {{ xray_version }}"
-- debug:
- msg: "ansible_os_family: {{ ansible_os_family }}"
-
 - name: Install expect dependency
 become: yes
 yum:
@@ -50,8 +47,8 @@
 url: "{{ xray_tar }}"
 timeout: "{{ xray_download_timeout }}"
 dest: "{{ jfrog_home_directory }}"
- register: downloadxray
- until: downloadxray is succeeded
+ register: download_xray
+ until: download_xray is succeeded
 retries: 3
 when: not xray_tar_check.stat.exists
@@ -64,7 +61,7 @@
 owner: "{{ xray_user }}"
 group: "{{ xray_group }}"
 creates: "{{ xray_untar_home }}"
- when: downloadxray is succeeded
+ when: download_xray is succeeded
 - name: Check if app directory exists
 become: yes
@@ -135,6 +132,13 @@
 dest: "{{ xray_home }}/app/bin/rabbitmq/rabbitmq.conf"
 notify: restart xray
+- name: Configure installer info
+ become: yes
+ template:
+ src: installer-info.json.j2
+ dest: "{{ xray_home }}/var/etc/info/installer-info.json"
+ notify: restart xray
+
 - name: Check if systemyaml exists
 become: yes
 stat:
@@ -152,13 +156,6 @@
 - xray_systemyaml_override or (not systemyaml.stat.exists)
 notify: restart xray
-- name: Configure installer info
- become: yes
- template:
- src: installer-info.json.j2
- dest: "{{ xray_home }}/var/etc/info/installer-info.json"
- notify: restart xray
-
 - name: Ensure permissions are correct
 become: yes
 file:
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/xray/tasks/upgrade.yml b/Ansible/ansible_collections/jfrog/platform/roles/xray/tasks/upgrade.yml
index 85d19f4..105d7bf 100644
--- a/Ansible/ansible_collections/jfrog/platform/roles/xray/tasks/upgrade.yml
+++ b/Ansible/ansible_collections/jfrog/platform/roles/xray/tasks/upgrade.yml
@@ -14,8 +14,8 @@
 url: "{{ xray_tar }}"
 timeout: "{{ xray_download_timeout }}"
 dest: "{{ jfrog_home_directory }}"
- register: downloadxray
- until: downloadxray is succeeded
+ register: download_xray
+ until: download_xray is succeeded
 retries: 3
 when: not xray_tar_check.stat.exists
@@ -28,38 +28,38 @@
 owner: "{{ xray_user }}"
 group: "{{ xray_group }}"
 creates: "{{ xray_untar_home }}"
- when: downloadxray is succeeded
+ when: download_xray is succeeded
 - name: stop xray
 become: yes
 systemd:
 name: "{{ xray_daemon }}"
 state: stopped
- when: downloadxray.changed
+ when: download_xray.changed
 - name: Delete xray app
 become: yes
 file:
 path: "{{ xray_home }}/app"
 state: absent
- when: downloadxray.changed
+ when: download_xray.changed
 - name: Copy new app to xray app
 become: yes
 command: "cp -r {{ xray_untar_home }}/app/. {{ xray_home }}/app"
- when: downloadxray.changed
+ when: download_xray.changed
 - name: Upgrade rabbitmq
 import_tasks: rabbitmq/upgrade/RedHat.yml
 when:
 - ansible_os_family == 'RedHat'
- - downloadxray.changed
+ - download_xray.changed
 - name: Upgrade rabbitmq
 import_tasks: rabbitmq/upgrade/Debian.yml
 when:
 - ansible_os_family == 'Debian'
- - downloadxray.changed
+ - download_xray.changed
 - name: Check if install.sh wrapper script exist
 become: yes
@@ -82,7 +82,7 @@
 YQ_PATH: "{{ xray_thirdparty_path }}/yq"
 when:
 - install_wrapper_script.stat.exists
- - downloadxray.changed
+ - download_xray.changed
 - name: Configure rabbitmq config
 become: yes
@@ -90,7 +90,7 @@
 src: "rabbitmq.conf.j2"
 dest: "{{ xray_home }}/app/bin/rabbitmq/rabbitmq.conf"
 when:
- - downloadxray.changed
+ - download_xray.changed
 notify: restart xray
 - name: Check if systemyaml exists
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/xray/vars/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/xray/vars/main.yml
index a1f294e..68274c2 100644
--- a/Ansible/ansible_collections/jfrog/platform/roles/xray/vars/main.yml
+++ b/Ansible/ansible_collections/jfrog/platform/roles/xray/vars/main.yml
@@ -1,6 +1,6 @@
 ---
 # platform collection version
-platform_collection_version: 7.21.12
+platform_collection_version: 7.23.3
 # indicates were this collection was downlaoded from (galaxy, automation_hub, standalone)
 ansible_marketplace: galaxy
\ No newline at end of file