zware/JFrog-Cloud-Installers
1
0
Fork 0
mirror of https://github.com/ZwareBear/JFrog-Cloud-Installers.git synced 2026-01-21 07:06:56 -06:00
Code Issues Packages Projects Releases Wiki Activity

[Ansible] JFrog Platform 10.0.1 release (#166)

Browse Source
This commit is contained in:
Ram Mohan Rao Chukka
2021-10-22 13:13:22 +05:30
committed by GitHub
parent 8d5ff07819
commit 37bab36884
78 changed files with 876 additions and 731 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
Ansible/ansible_collections/jfrog/platform/roles/insight/README.md Normal file
View File

@@ -0,0 +1,26 @@
# Insight
The insight role will install insight software onto the host. An Artifactory server and Postgress database is required.
### Role Variables
* _insight_upgrade_only_: Perform an software upgrade only. Default is false.
Additional variables can be found in [defaults/main.yml](./defaults/main.yml).
## Example Playbook
```
---
- hosts: insight_servers
roles:
- insight
```
## Upgrades
The insight role supports software upgrades. To use a role to perform a software upgrade only, use the _insight_upgrade_only_ variables and specify the version. See the following example.
```
- hosts: insight_servers
vars:
insight_version: "{{ lookup('env', 'insight_version_upgrade') }}"
insight_upgrade_only: true
roles:
- insight
```

87
Ansible/ansible_collections/jfrog/platform/roles/insight/defaults/main.yml Normal file
View File

@@ -0,0 +1,87 @@
# defaults file for insight
# The version of insight to install
insight_version: 1.0.1
# whether to enable HA
insight_ha_enabled: false
insight_ha_node_type: master
# The location where insight should install
jfrog_home_directory: /opt/jfrog
# The remote insight download file
insight_tar_file_name: jfrog-insight-{{ insight_version }}-linux.tar.gz
insight_tar: https://releases.jfrog.io/artifactory/jfrog-insight/linux/{{ insight_version }}/{{ insight_tar_file_name }}
# Timeout in seconds for URL request
insight_download_timeout: 10
#The insight install directory
insight_untar_home: "{{ jfrog_home_directory }}/jfrog-insight-{{ insight_version }}-linux"
insight_home: "{{ jfrog_home_directory }}/insight"
insight_install_script_path: "{{ insight_home }}/app/bin"
insight_thirdparty_path: "{{ insight_home }}/app/third-party"
insight_archive_service_cmd: "{{ insight_install_script_path }}/installService.sh"
insight_service_file: /lib/systemd/system/insight.service
#insight users and groups
insight_user: insight
insight_group: insight
insight_uid: 1040
insight_gid: 1040
insight_daemon: insight
# Insight ElasticSearch Details
es_uid: 1060
es_gid: 1060
insight_es_conf_base: "/etc/elasticsearch"
insight_es_user: admin
insight_es_password: admin
insight_es_url: "http://localhost:9200"
insight_es_transport_port: 9300
insight_es_home: "/usr/share/elasticsearch"
insight_es_data_dir: "/var/lib/elasticsearch"
insight_es_log_dir: "/var/log/elasticsearch"
insight_es_java_home: "/usr/share/elasticsearch/jdk"
insight_es_script_path: "/usr/share/elasticsearch/bin"
insight_es_searchgaurd_home: "/usr/share/elasticsearch/plugins/search-guard-7"
# if this is an upgrade
insight_upgrade_only: false
insight_system_yaml_template: system.yaml.j2
# Provide systemyaml content below with 2-space indentation
insight_systemyaml: |-
configVersion: 1
shared:
jfrogUrl: {{ jfrog_url }}
node:
ip: {{ ansible_host }}
id: {{ ansible_hostname }}
database:
type: "{{ insight_db_type }}"
driver: "{{ insight_db_driver }}"
url: "{{ insight_db_url }}"
username: "{{ insight_db_user }}"
elasticsearch:
unicastFile: {{ insight_es_conf_base }}/config/unicast_hosts.txt
password: {{ insight_es_password }}
url: {{ insight_es_url }}
username: {{ insight_es_user }}
external: true
security:
joinKey: {{ join_key }}
router:
entrypoints:
internalPort: 8046
# Note: insight_systemyaml_override is by default false, if you want to change default insight_systemyaml
insight_systemyaml_override: false

28
Ansible/ansible_collections/jfrog/platform/roles/insight/files/searchguard/localhost.key Normal file
View File

@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDY1nDD1cW5ykZV
rTXrAMJeLuZknW9tg+4s8R+XYrzRMTNr9tAXEYNEa+T92HtqrKaVZtdGiQ6NmS95
EYezEgVmyGQEuuVlY8ChcX8XgpBsJPBV4+XIRju+RSyEW+ZNkT3EWTRKab+KSgN2
aZ2OT16UqfJd3JjATZw//xXHRWhCQhchX3nNyzkIgENPtdtSweSLG4NjOHY08U7g
Zee21MCqa/58NVECJXlqK/Tfw/3SPgCmSHLLCyybWfClLmXXIjBuSTtSOLDPj4pw
VrZeR0aePs7ZNJnX/tUICNSZeNzs7+n9QUoAiKYSNKSdDw270Lbo5GQdWuM7nkrc
2txeH8wvAgMBAAECggEAGzbuzZAVp40nlAvlPyrH5PeQmwLXarCq7Uu7Yfir0hA8
Gp9429cALqThXKrAR/yF+9eodTCGebxxejR6X5MyHQWm5/Znts307fjyBoqwgveF
N9fJOIBNce1PT7K+Y5szBrhbbmt59Wqh/J6iKQD1J0YdJoKlTp1vBZPdBoxDhZfN
TgayY4e71ox7Vew+QrxDXzMA3J+EbbBXFL2yOmpNI/FPpEtbCE9arjSa7oZXJAvd
Aenc6GYctkdbtjpX7zHXz5kHzaAEdmorR+q3w6k8cDHBvc+UoRYgLz3fBaVhhQca
rP4PYp04ztIn3qcOpVoisUkpsQcev2cJrWeFW0WgAQKBgQD7ZFsGH8cE84zFzOKk
ee53zjlmIvXqjQWzSkmxy9UmDnYxEOZbn6epK2I5dtCbU9ZZ3f4KM8TTAM5GCOB+
j4cN/rqM7MdhkgGL/Dgw+yxGVlwkSsQMil16vqdCIRhEhqjChc7KaixuaBNtIBV0
+9ZRfoS5fEjrctX4/lULwS6EAQKBgQDcz/C6PV3mXk8u7B48kGAJaKbafh8S3BnF
V0zA7qI/aQHuxmLGIQ7hNfihdZwFgYG4h5bXvBKGsxwu0JGvYDNL44R9zXuztsVX
PEixV572Bx87+mrVEt3bwj3lhbohzorjSF2nnJuFA+FZ0r4sQwudyZ2c8yCqRVhI
mfj36FWQLwKBgHNw1zfNuee1K6zddCpRb8eGZOdZIJJv5fE6KPNDhgLu2ymW+CGV
BDn0GSwIOq1JZ4JnJbRrp3O5x/9zLhwQLtWnZuU2CiztDlbJIMilXuSB3dgwmSyl
EV4/VLFSX0GAkNia96YN8Y9Vra4L8K6Cwx0zOyGuSBIO7uFjcYxvTrwBAoGAWeYn
AgweAL6Ayn/DR7EYCHydAfO7PvhxXZDPZPVDBUIBUW9fo36uCi7pDQNPBEbXw4Mg
fLDLch/V55Fu3tHx0IHO3VEdfet5qKyYg+tCgrQfmVG40QsfXGtWu+2X/E+U6Df8
OVNfVeZghytv1aFuR01gaBfsQqZ87QITBQuIWm0CgYAKdzhETd+jBBLYyOCaS8mh
zQr/ljIkrZIwPUlBkj6TAsmTJTbh7O6lf50CQMEHyE0MNFOHrvkKn89BObXcmwtV
92parLTR7RAeaPMRxCZs4Xd/oABYVGFjMa7TVNA2S6HReDqqTpJrCCkyVuYkr1f2
OflnwX2RlaWl45n0qkwkTw==
-----END PRIVATE KEY-----

51
Ansible/ansible_collections/jfrog/platform/roles/insight/files/searchguard/localhost.pem Normal file
View File

@@ -0,0 +1,51 @@
-----BEGIN CERTIFICATE-----
MIIEcjCCA1qgAwIBAgIGAXY81RkkMA0GCSqGSIb3DQEBCwUAMG4xEzARBgoJkiaJ
k/IsZAEZFgNjb20xFTATBgoJkiaJk/IsZAEZFgVqZnJvZzEUMBIGA1UECgwLamZy
b2csIEluYy4xCzAJBgNVBAsMAkNBMR0wGwYDVQQDDBRzaWduaW5nLmNhLmpmcm9n
LmNvbTAeFw0yMDEyMDcxMDUyNDhaFw0zMDEyMDUxMDUyNDhaMGwxEzARBgoJkiaJ
k/IsZAEZFgNjb20xGTAXBgoJkiaJk/IsZAEZFglsb2NhbGhvc3QxGDAWBgNVBAoM
D2xvY2FsaG9zdCwgSW5jLjEMMAoGA1UECwwDT3BzMRIwEAYDVQQDDAlsb2NhbGhv
c3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDY1nDD1cW5ykZVrTXr
AMJeLuZknW9tg+4s8R+XYrzRMTNr9tAXEYNEa+T92HtqrKaVZtdGiQ6NmS95EYez
EgVmyGQEuuVlY8ChcX8XgpBsJPBV4+XIRju+RSyEW+ZNkT3EWTRKab+KSgN2aZ2O
T16UqfJd3JjATZw//xXHRWhCQhchX3nNyzkIgENPtdtSweSLG4NjOHY08U7gZee2
1MCqa/58NVECJXlqK/Tfw/3SPgCmSHLLCyybWfClLmXXIjBuSTtSOLDPj4pwVrZe
R0aePs7ZNJnX/tUICNSZeNzs7+n9QUoAiKYSNKSdDw270Lbo5GQdWuM7nkrc2txe
H8wvAgMBAAGjggEWMIIBEjCBmgYDVR0jBIGSMIGPgBSh7peJvc4Im3WkR6/FaUD/
aYDa8qF0pHIwcDETMBEGCgmSJomT8ixkARkWA2NvbTEaMBgGCgmSJomT8ixkARkW
Cmpmcm9namZyb2cxFDASBgNVBAoMC0pGcm9nLCBJbmMuMQswCQYDVQQLDAJDQTEa
MBgGA1UEAwwRcm9vdC5jYS5qZnJvZy5jb22CAQIwHQYDVR0OBBYEFIuWN8D/hFhl
w0bdSyG+PmymjpVUMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCAGA1Ud
JQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAUBgNVHREEDTALgglsb2NhbGhv
c3QwDQYJKoZIhvcNAQELBQADggEBAJQJljyNH/bpvmiYO0+d8El+BdaU7FI2Q2Sq
1xBz/qBQSVmUB0iIeblTdQ58nYW6A/pvh8EnTWE7tRPXw3WQR4it8ldGSDQe2zHt
9U0hcC7DSzYGxlHLm0UI/LNwzdRy0kY8LArE/zGDSQ+6hp2Op21IHtzGfJnILG5G
OZdDWOB/e4cQw2/AcnsrapJU4MJCx28l0N9aSx4wr7SNosHuYOO8CimAdsqQukVt
rcrJZyHNvG5eQUVuQnZRywXDX6tLj8HQHfYLRaMqD57GMU0dg/kvYTYrYR/krbcG
Qf1D/9GCsn081fYblSfSSRRxrbhdYcoI/6xNHIC2y7bO8ZJD9zw=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEPTCCAyWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBwMRMwEQYKCZImiZPyLGQB
GRYDY29tMRowGAYKCZImiZPyLGQBGRYKamZyb2dqZnJvZzEUMBIGA1UECgwLSkZy
b2csIEluYy4xCzAJBgNVBAsMAkNBMRowGAYDVQQDDBFyb290LmNhLmpmcm9nLmNv
bTAeFw0yMDEyMDcxMDUyNDhaFw0zMDEyMDUxMDUyNDhaMG4xEzARBgoJkiaJk/Is
ZAEZFgNjb20xFTATBgoJkiaJk/IsZAEZFgVqZnJvZzEUMBIGA1UECgwLamZyb2cs
IEluYy4xCzAJBgNVBAsMAkNBMR0wGwYDVQQDDBRzaWduaW5nLmNhLmpmcm9nLmNv
bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALCe74VmqSryFPESO/oq
bgspiOSwGheG/AbUf/2XXPLZNbZJ/hhuI6T+iSW5FYy3jETwwODDlF8GBN6R33+U
gNCjXIMBDUOWkETe1fD2zj1HMTC6angykKJy2Xkw+sWniELbYfTu+SLHsBMPQnVI
jFwDLcbSMbs7ieU/IuQTEnEZxPiKcokOaF7vPntfPwdvRoGwMR0VuX7h+20Af1Il
3ntOuoasoV66K6KuiBRkSBcsV2ercCRQlpXCvIsTJVWASpSTNrpKy8zejjePw/xs
ieMGSo6WIxnIJnOLTJWnrw8sZt0tiNrLbB8npSvP67uUMDGhrZ3Tnro9JtujquOE
zMUCAwEAAaOB4zCB4DASBgNVHRMBAf8ECDAGAQH/AgEAMIGaBgNVHSMEgZIwgY+A
FBX3TQRxJRItQ/hi81MA3eZggFs7oXSkcjBwMRMwEQYKCZImiZPyLGQBGRYDY29t
MRowGAYKCZImiZPyLGQBGRYKamZyb2dqZnJvZzEUMBIGA1UECgwLSkZyb2csIElu
Yy4xCzAJBgNVBAsMAkNBMRowGAYDVQQDDBFyb290LmNhLmpmcm9nLmNvbYIBATAd
BgNVHQ4EFgQUoe6Xib3OCJt1pEevxWlA/2mA2vIwDgYDVR0PAQH/BAQDAgGGMA0G
CSqGSIb3DQEBCwUAA4IBAQAzkcvT1tTjnjguRH4jGPxP1fidiM0DWiWZQlRT9Evt
BkltRwkqOZIdrBLy/KJbOxRSCRaKpxyIYd5bWrCDCWvXArBFDY9j3jGGk8kqXb0/
VajEKDjHXzJM7HXAzyJO2hKVK4/OoPlzhKqR1ZbZF1F8Omzo7+oNwPqf5Y5hnn2M
qrUWxE216mWE8v7gvbfu39w9XKTFH1/RPgAAJet2dunyLbz3W5NgyBbCWGj/qJCz
TUDD9I8az/XX73HLpkXbcEY5/qrPV6EQWzf+ec4EcgrEi0f8gTKzl7OQaqYDxObk
yixmONVlwYD2FpWqJYAfg04u/CRQMXPPCdUQh/eKrHUg
-----END CERTIFICATE-----

23
Ansible/ansible_collections/jfrog/platform/roles/insight/files/searchguard/root-ca.pem Normal file
View File

@@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----
MIIDvjCCAqagAwIBAgIBATANBgkqhkiG9w0BAQsFADBwMRMwEQYKCZImiZPyLGQB
GRYDY29tMRowGAYKCZImiZPyLGQBGRYKamZyb2dqZnJvZzEUMBIGA1UECgwLSkZy
b2csIEluYy4xCzAJBgNVBAsMAkNBMRowGAYDVQQDDBFyb290LmNhLmpmcm9nLmNv
bTAeFw0yMDEyMDcxMDUyNDdaFw0zMDEyMDUxMDUyNDdaMHAxEzARBgoJkiaJk/Is
ZAEZFgNjb20xGjAYBgoJkiaJk/IsZAEZFgpqZnJvZ2pmcm9nMRQwEgYDVQQKDAtK
RnJvZywgSW5jLjELMAkGA1UECwwCQ0ExGjAYBgNVBAMMEXJvb3QuY2EuamZyb2cu
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxyTSYCbGefbdAHgW
zxXhCh7gvOUzyThaC6bcvY7yMqVu3YPxMAV1LEz+J0VMeGvu5HzONyGq89TaIKtr
AyZKxM957Q/TK0NPi0HUIT1wZKPuH89DeH79gfBjyv8XMUhFzKxAaosEa4rhkAMe
B4ukk9twfGotKU1y4j6m1V1gckeDZDRIW4tNzQbEBsL+ZcxDnCeSAAHW3Djb5yzQ
Yj3LPIRN0yu0fL8oN4yVn5tysAfXTum7HIuyKp3gfxhQgSXGVIDHd7Z1HcLrUe2o
2Z7dlsrFCUgHPccOxyFzxGI8bCPFYU75QqbxP699L1chma0It/2D0YxcrXhRkzzg
wzrBFwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFBX3TQRx
JRItQ/hi81MA3eZggFs7MB0GA1UdDgQWBBQV900EcSUSLUP4YvNTAN3mYIBbOzAO
BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAH5XYiOBvHdd3bRfyHeo
Y2i7+u59VU3HDdOm/FVI0JqkzFAp6DLk6Ow5w/2MXbasga03lJ9SpHvKVne+VOaH
Df7xEqCIZeQVofNyOfsl4NOu6NgPSlQx0FZ6lPToZDBGp7D6ftnJcUujGk0W9y7k
GwxojLnP1f/KyjYTCCK6sDXwSn3fZGF5WmnHlzZEyKlLQoLNoEZ1uTjg2CRsa/RU
QxobwNzHGbrLZw5pfeoiF7G27RGoUA/S6mfVFQJVDP5Y3/xJRii56tMaJPwPh0sN
QPLbNvNgeU1dET1msMBnZvzNUko2fmBc2+pU7PyrL9V2pgfHq981Db1ShkNYtMhD
bMw=
-----END CERTIFICATE-----

275
Ansible/ansible_collections/jfrog/platform/roles/insight/files/searchguard/sg_config.yml Normal file
View File

@@ -0,0 +1,275 @@
# This is the main Search Guard configuration file where authentication
# and authorization is defined.
#
# You need to configure at least one authentication domain in the authc of this file.
# An authentication domain is responsible for extracting the user credentials from
# the request and for validating them against an authentication backend like Active Directory for example.
#
# If more than one authentication domain is configured the first one which succeeds wins.
# If all authentication domains fail then the request is unauthenticated.
# In this case an exception is thrown and/or the HTTP status is set to 401.
#
# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect
# the roles from a given backend for the authenticated user.
#
# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both.
# http_enabled: true
# transport_enabled: true
#
# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to
# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated.
# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "sg_anonymous"
# and one role named "sg_anonymous_backendrole".
# If you enable anonymous authentication all HTTP authenticators will not challenge.
#
#
# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert"
# first and the challenging one last.
# Because it's not possible to challenge a client with two different authentication methods (for example
# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation
# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request.
#
# Default value of the challenge flag is true.
#
#
# HTTP
# basic (challenging)
# proxy (not challenging, needs xff)
# kerberos (challenging) NOT FREE FOR COMMERCIAL
# clientcert (not challenging, needs https)
# jwt (not challenging) NOT FREE FOR COMMERCIAL
# host (not challenging) #DEPRECATED, will be removed in a future version.
# host based authentication is configurable in sg_roles_mapping
# Authc
# internal
# noop
# ldap NOT FREE FOR COMMERCIAL USE
# Authz
# ldap NOT FREE FOR COMMERCIAL USE
# noop
# For more details pls refer to https://docs.search-guard.com/latest/authentication-authorization
_sg_meta:
type: "config"
config_version: 2
sg_config:
dynamic:
# Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
# Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
# Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
#filtered_alias_mode: warn
#do_not_fail_on_forbidden: false
#kibana:
# Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
# In addition to the config options below you need to set do_not_fail_on_forbidden to true (see above).
# Kibana needs to be configured for multi tenancy as well.
# See https://docs.search-guard.com/latest/kibana-multi-tenancy for details
#multitenancy_enabled: true
#server_username: kibanaserver
#index: '.kibana'
http:
anonymous_auth_enabled: true
xff:
enabled: false
internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
#internalProxies: '.*' # trust all internal proxies, regex pattern
#remoteIpHeader: 'x-forwarded-for'
###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
auth_token_provider: # NOT FREE FOR COMMERCIAL USE
# To enable using Search Guard auth tokens, you also need to enable the sg_issued_jwt_auth_domain below.
enabled: false
# JWTs produced by Search Guard are signed by default with a symmetric HMAC512 hash. For production systems,
# you must replace the value specified here by your own key. You can generate a new key for example with:
# openssl rand -base64 512 | tr '/+' '_-'
# If you want ot use another signature algorithm, you can specify a complete JWK using the attriubute jwt_signing_key.
# Refer to the documentation for details.
jwt_signing_key_hs512: "eTDZjSqRD9Abhod9iqeGX_7o93a-eElTeXWAF6FmzQshmRIrPD-C9ET3pFjJ_IBrzmWIZDk8ig-X_PIyGmKsxNMsrU-0BNWF5gJq5xOp4rYTl8z66Tw9wr8tHLxLxgJqkLSuUCRBZvlZlQ7jNdhBBxgM-hdSSzsN1T33qdIwhrUeJ-KXI5yKUXHjoWFYb9tETbYQ4NvONowkCsXK_flp-E3F_OcKe_z5iVUszAV8QfCod1zhbya540kDejXCL6N_XMmhWJqum7UJ3hgf6DEtroPSnVpHt4iR5w9ArKK-IBgluPght03gNcoNqwz7p77TFbdOmUKF_PWy1bcdbaUoSg"
# JWTs produced by Search Guard are unencrypted by default. Set a key here to activate encryption using AES Key Wrap.
# If you want ot use another signature algorithm, you can specify a complete JWK using the attriubute jwt_encryption_key.
# Refer to the documentation for details.
#jwt_encryption_key_a256kw: "..."
# Specify the maximum time period an auth token may be valid. Omit max_validity to have keys with unlimited lifetime.
# Note that when creating auth tokens, users can specify an even shorter time period.
max_validity: "1y"
# This specifies the maximum number of valid tokens a user can have at the same time.
max_tokens_per_user: 100
authc:
kerberos_auth_domain:
http_enabled: false
transport_enabled: false
order: 6
http_authenticator:
type: kerberos # NOT FREE FOR COMMERCIAL USE
challenge: true
config:
# If true a lot of kerberos/security related debugging output will be logged to standard out
krb_debug: false
# If true then the realm will be stripped from the user name
strip_realm_from_principal: true
authentication_backend:
type: noop
basic_internal_auth_domain:
description: "Authenticate via HTTP Basic against internal users database"
http_enabled: true
transport_enabled: true
order: 4
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: intern
proxy_auth_domain:
description: "Authenticate via proxy"
http_enabled: false
transport_enabled: false
order: 3
http_authenticator:
type: proxy
challenge: false
config:
user_header: "x-proxy-user"
roles_header: "x-proxy-roles"
authentication_backend:
type: noop
jwt_auth_domain:
description: "Authenticate via Json Web Token"
http_enabled: false
transport_enabled: false
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
jwt_header: "Authorization"
jwt_url_parameter: null
roles_key: null
subject_key: null
authentication_backend:
type: noop
sg_issued_jwt_auth_domain:
description: "Authenticate via Json Web Tokens issued by Search Guard"
http_enabled: false
# This auth domain is only available for HTTP
order: 1
http_authenticator:
type: sg_auth_token
challenge: false
# This auth domain automatically pulls configuration from the auth_token_provider config above
authentication_backend:
type: sg_auth_token
clientcert_auth_domain:
description: "Authenticate via SSL client certificates"
http_enabled: false
transport_enabled: false
order: 2
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop
ldap:
description: "Authenticate via LDAP or Active Directory"
http_enabled: false
transport_enabled: false
order: 5
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
userbase: 'ou=people,dc=example,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(sAMAccountName={0})'
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: null
authz:
roles_from_myldap:
description: "Authorize via LDAP or Active Directory"
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
rolebase: 'ou=groups,dc=example,dc=com'
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: '(member={0})'
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: disabled
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is "name".
# Can also be "dn" to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
resolve_nested_roles: true
userbase: 'ou=people,dc=example,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(uid={0})'
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - 'cn=Michael Jackson,ou*people,o=TEST'
# - '/\S*/'
roles_from_another_ldap:
description: "Authorize via another Active Directory"
http_enabled: false
transport_enabled: false
authorization_backend:
type: ldap # NOT FREE FOR COMMERCIAL USE
#config goes here ...
# auth_failure_listeners:
# ip_rate_limiting:
# type: ip
# allowed_tries: 10
# time_window_seconds: 3600
# block_expiry_seconds: 600
# max_blocked_clients: 100000
# max_tracked_clients: 100000
# internal_authentication_backend_limiting:
# type: username
# authentication_backend: intern
# allowed_tries: 10
# time_window_seconds: 3600
# block_expiry_seconds: 600
# max_blocked_clients: 100000
# max_tracked_clients: 100000

7
Ansible/ansible_collections/jfrog/platform/roles/insight/files/searchguard/sg_roles.yml Normal file
View File

@@ -0,0 +1,7 @@
_sg_meta:
type: "roles"
config_version: 2
sg_anonymous:
cluster_permissions:
- cluster:monitor/health

48
Ansible/ansible_collections/jfrog/platform/roles/insight/files/searchguard/sg_roles_mapping.yml Normal file
View File

@@ -0,0 +1,48 @@
# In this file users, backendroles and hosts can be mapped to Search Guard roles.
# Permissions for Search Guard roles are configured in sg_roles.yml
_sg_meta:
type: "rolesmapping"
config_version: 2
## Demo roles mapping
SGS_ALL_ACCESS:
description: "Maps admin to SGS_ALL_ACCESS"
reserved: true
backend_roles:
- "admin"
SGS_OWN_INDEX:
description: "Allow full access to an index named like the username"
reserved: false
users:
- "*"
SGS_LOGSTASH:
reserved: false
backend_roles:
- "logstash"
SGS_KIBANA_USER:
description: "Maps kibanauser to SGS_KIBANA_USER"
reserved: false
backend_roles:
- "kibanauser"
SGS_READALL:
reserved: true
backend_roles:
- "readall"
SGS_MANAGE_SNAPSHOTS:
reserved: true
backend_roles:
- "snapshotrestore"
SGS_KIBANA_SERVER:
reserved: true
users:
- "kibanaserver"
sg_anonymous:
backend_roles:
- sg_anonymous_backendrole

28
Ansible/ansible_collections/jfrog/platform/roles/insight/files/searchguard/sgadmin.key Normal file
View File

@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCa3GuNbI30EdRs
S2Dmq87i/4Y7QeOldogzmNYH3m7GMjPFJcJg11Yc2HsAbBYs86fW6gGvO+68bFmY
X5kYvPN+L8KRUCSvmvjHCGf7ULmxiG2Wh7RPzQaAdvqqkMGW1QDwwxA25tP9KfZv
nP/08CPmboP8rcCEhX6HCVh0Im+WT3BBxkikjhVaVru2cLPtKtgtBX7a3HY7XMfp
DRYhXZNf+ZxfWewLQhNNndHwjtuJooLHdtX4WEXUhsrXS7/I+M7BdL/fB0ptwfvg
x1WvC2JnvNnvgdMBoUevlHjugWBVGo4AhOpFqAmQ8MxXZUhPGinDxjFvwrHYwYm0
w7tVAnTbAgMBAAECggEAAr7esZKzD5ilnWx7RkKMikAvFyKUkJXvnq6RXXFZoZKm
/5tPtABEOKbYekoU3SPgeWkLseK568YBbqXM9ySsLerpSIvVIq1T660pHsowP32/
8MoRkmYOPRj6WgcX/UetEan7r66ktfT9AJpM6gDgzFm5Zgz0knvFawJ7w8Yzqmks
8JqjA1E433xEUtc00Qm4z7You1I5eyrz1zKxBPZATVM6ScbDq2WXqwgIGUbnAHG2
6PADvOPP+8Kl0/JNC+SkE8J+KvfCYnJIDZaWTCjdd4cjkFAAHXi16BvF6PY3veel
/LT2nr1/YmcADCt4wuWGn+1HRF+mJgjqTVcfQSJrbQKBgQDJG45Hmku7fnNAn/A9
FPHmo7CpymxXpg12yf7BuKr4irpJpa6WmXB6EsxCy91rffQTDEh8TnpJG6yj5vyJ
b0dEt3u8RtBfx49UhKG/pDYi9mnUuazH0u6BHu+w4fRi3Cju7sY4qM4aj8rnAlU0
2DnXWEKIfhd+1cXDwyI8DyuvfwKBgQDFIV7ZgI1weZv7EnNiIKs65y4NWG4uG7jB
Z+Wx8xx9n5OKVxw21NPt2pZzzW3Y3+pRXypcjH13XPrZxfaUt1Y8ylC3/DHFgsid
iXyfjmit4TWiW9busC09Q8YwFZZbMWj/Wd1PRav3/zDICf3B1QRXEqqpYfUtAbXf
SaanZNGopQKBgQDFwO77weHOkN1MIvndVoc4QKYrj/1Rgtuif6afX7Pfiqr8WIuB
U4iiwXFSDZ3BYa1sPZvZgGIHGct9sFmL23y9OZ/W19t3E4kBlxpmlFcXsi8HGz2n
kOcu2Pjheo8R12P475rDhFqHC/Z9inG28RiPhR6HkVYRRqydf3hejpxqiQKBgEJw
ZM9ZjFIEKpYMOecwq4VGtTa6Pyg7H6HPqpK3JTsRtWBCy7ePM35O1bZh3kvh689R
C631i7PXGpSbK+gjgmUqqtnXnc67rXGrDN2Z2Z4A8VqvKVl490ZWuU0reWly1bh6
SSSWjsceswo4k9XoPXY7TFmaMk/g67M913VDfYYhAoGAXp6HYCZga72N6RdB38TY
i08c/O/xksfkNVo0SuVqr99uQ5TN+d2+o+t5H9Fekl1y9jUSK6q6q6+Vp8zSiyzV
GwAWk9u8dBGoNiWs4cOtQAdyeLbGDIHbIv4jeRqqSl87H6R6wJY4+fWdfm9/KEG7
N957kwur+XYzE0RfG5wgS3o=
-----END PRIVATE KEY-----

50
Ansible/ansible_collections/jfrog/platform/roles/insight/files/searchguard/sgadmin.pem Normal file
View File

@@ -0,0 +1,50 @@
-----BEGIN CERTIFICATE-----
MIIESjCCAzKgAwIBAgIGAXY81RknMA0GCSqGSIb3DQEBCwUAMG4xEzARBgoJkiaJ
k/IsZAEZFgNjb20xFTATBgoJkiaJk/IsZAEZFgVqZnJvZzEUMBIGA1UECgwLamZy
b2csIEluYy4xCzAJBgNVBAsMAkNBMR0wGwYDVQQDDBRzaWduaW5nLmNhLmpmcm9n
LmNvbTAeFw0yMDEyMDcxMDUyNDlaFw0zMDEyMDUxMDUyNDlaMGYxEzARBgoJkiaJ
k/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdzZ2FkbWluMRYwFAYDVQQKDA1z
Z2FkbWluLCBJbmMuMQwwCgYDVQQLDANPcHMxEDAOBgNVBAMMB3NnYWRtaW4wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCa3GuNbI30EdRsS2Dmq87i/4Y7
QeOldogzmNYH3m7GMjPFJcJg11Yc2HsAbBYs86fW6gGvO+68bFmYX5kYvPN+L8KR
UCSvmvjHCGf7ULmxiG2Wh7RPzQaAdvqqkMGW1QDwwxA25tP9KfZvnP/08CPmboP8
rcCEhX6HCVh0Im+WT3BBxkikjhVaVru2cLPtKtgtBX7a3HY7XMfpDRYhXZNf+Zxf
WewLQhNNndHwjtuJooLHdtX4WEXUhsrXS7/I+M7BdL/fB0ptwfvgx1WvC2JnvNnv
gdMBoUevlHjugWBVGo4AhOpFqAmQ8MxXZUhPGinDxjFvwrHYwYm0w7tVAnTbAgMB
AAGjgfUwgfIwgZoGA1UdIwSBkjCBj4AUoe6Xib3OCJt1pEevxWlA/2mA2vKhdKRy
MHAxEzARBgoJkiaJk/IsZAEZFgNjb20xGjAYBgoJkiaJk/IsZAEZFgpqZnJvZ2pm
cm9nMRQwEgYDVQQKDAtKRnJvZywgSW5jLjELMAkGA1UECwwCQ0ExGjAYBgNVBAMM
EXJvb3QuY2EuamZyb2cuY29tggECMB0GA1UdDgQWBBSSIpvK2db0wJf7bw1mhYt8
A0JUQTAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSUBAf8EDDAK
BggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAn3cM0PDh8vTJS8zZ7HylMpZl
SaZwd3sxshhBKx4JEc85WQPp60nVADqVhnkVa1rfQQURaMP87hqmzf9eOcesnjn6
17eSVpDpZ0B1qV46hJd15yYKqFLavqtFpy0ePpk4EoanwJUikphT3yuIB6v3gqfY
h20t7/XmkjEwfGkmgmXOZNb9uOpKjkotWRR/IslSMxoozsdWYQLaqA0De/7Tqpmi
mortmVTOtZCX/ZChuN2XzqUnWZT+xIJomAj4ZCOlw03Yd9eUhrDZBmrYHiUmS4VO
wWFDER3zhwncjg0X2rOqL6N5P8TIfqpVgf1VuDhTAj/GY1ZKrXol28WwQQCA9w==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEPTCCAyWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBwMRMwEQYKCZImiZPyLGQB
GRYDY29tMRowGAYKCZImiZPyLGQBGRYKamZyb2dqZnJvZzEUMBIGA1UECgwLSkZy
b2csIEluYy4xCzAJBgNVBAsMAkNBMRowGAYDVQQDDBFyb290LmNhLmpmcm9nLmNv
bTAeFw0yMDEyMDcxMDUyNDhaFw0zMDEyMDUxMDUyNDhaMG4xEzARBgoJkiaJk/Is
ZAEZFgNjb20xFTATBgoJkiaJk/IsZAEZFgVqZnJvZzEUMBIGA1UECgwLamZyb2cs
IEluYy4xCzAJBgNVBAsMAkNBMR0wGwYDVQQDDBRzaWduaW5nLmNhLmpmcm9nLmNv
bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALCe74VmqSryFPESO/oq
bgspiOSwGheG/AbUf/2XXPLZNbZJ/hhuI6T+iSW5FYy3jETwwODDlF8GBN6R33+U
gNCjXIMBDUOWkETe1fD2zj1HMTC6angykKJy2Xkw+sWniELbYfTu+SLHsBMPQnVI
jFwDLcbSMbs7ieU/IuQTEnEZxPiKcokOaF7vPntfPwdvRoGwMR0VuX7h+20Af1Il
3ntOuoasoV66K6KuiBRkSBcsV2ercCRQlpXCvIsTJVWASpSTNrpKy8zejjePw/xs
ieMGSo6WIxnIJnOLTJWnrw8sZt0tiNrLbB8npSvP67uUMDGhrZ3Tnro9JtujquOE
zMUCAwEAAaOB4zCB4DASBgNVHRMBAf8ECDAGAQH/AgEAMIGaBgNVHSMEgZIwgY+A
FBX3TQRxJRItQ/hi81MA3eZggFs7oXSkcjBwMRMwEQYKCZImiZPyLGQBGRYDY29t
MRowGAYKCZImiZPyLGQBGRYKamZyb2dqZnJvZzEUMBIGA1UECgwLSkZyb2csIElu
Yy4xCzAJBgNVBAsMAkNBMRowGAYDVQQDDBFyb290LmNhLmpmcm9nLmNvbYIBATAd
BgNVHQ4EFgQUoe6Xib3OCJt1pEevxWlA/2mA2vIwDgYDVR0PAQH/BAQDAgGGMA0G
CSqGSIb3DQEBCwUAA4IBAQAzkcvT1tTjnjguRH4jGPxP1fidiM0DWiWZQlRT9Evt
BkltRwkqOZIdrBLy/KJbOxRSCRaKpxyIYd5bWrCDCWvXArBFDY9j3jGGk8kqXb0/
VajEKDjHXzJM7HXAzyJO2hKVK4/OoPlzhKqR1ZbZF1F8Omzo7+oNwPqf5Y5hnn2M
qrUWxE216mWE8v7gvbfu39w9XKTFH1/RPgAAJet2dunyLbz3W5NgyBbCWGj/qJCz
TUDD9I8az/XX73HLpkXbcEY5/qrPV6EQWzf+ec4EcgrEi0f8gTKzl7OQaqYDxObk
yixmONVlwYD2FpWqJYAfg04u/CRQMXPPCdUQh/eKrHUg
-----END CERTIFICATE-----

13
Ansible/ansible_collections/jfrog/platform/roles/insight/handlers/main.yml Normal file
View File

@@ -0,0 +1,13 @@
---
# handlers file for insight
- name: restart insight
become: yes
systemd:
name: "{{ insight_daemon }}"
state: restarted
- name: stop insight
become: yes
systemd:
name: "{{ insight_daemon }}"
state: stopped

27
Ansible/ansible_collections/jfrog/platform/roles/insight/meta/main.yml Normal file
View File

@@ -0,0 +1,27 @@
---
dependencies: []
galaxy_info:
author: "JFrog Maintainers Team <installers@jfrog.com>"
description: "The insight role will install insight software onto the host. An Artifactory server and Postgress database are required."
company: JFrog
issue_tracker_url: "https://github.com/jfrog/JFrog-Cloud-Installers/issues"
license: license (Apache-2.0)
min_ansible_version: 2.9
platforms:
- name: EL
versions:
- 7
- 8
- name: Ubuntu
versions:
- xenial
- bionic
- focal
- name: Debian
versions:
- stretch
- buster
galaxy_tags:
- insight
- jfrog

13
Ansible/ansible_collections/jfrog/platform/roles/insight/tasks/Debian.yml Normal file
View File

@@ -0,0 +1,13 @@
- name: Install prerequisite packages
become: yes
apt:
name: ["expect", "locales", "acl"]
state: present
update_cache: yes
cache_valid_time: 3600
- name: Ensure UTF-8 locale exists
become: yes
locale_gen:
name: en_US.UTF-8
state: present

5
Ansible/ansible_collections/jfrog/platform/roles/insight/tasks/RedHat.yml Normal file
View File

@@ -0,0 +1,5 @@
- name: Install prerequisite packages
become: yes
yum:
name: ["expect", "acl"]
state: present

45
Ansible/ansible_collections/jfrog/platform/roles/insight/tasks/expect.yml Normal file
View File

@@ -0,0 +1,45 @@
- name: Prepare expect scenario script
set_fact:
expect_scenario: |
set timeout 300
spawn {{ exp_executable_cmd }}
expect_before timeout { exit 1 }
set CYCLE_END 0
set count 0
while { $CYCLE_END == 0 } {
expect {
{% for each_request in exp_scenarios %}
-nocase -re {{ '{' }}{{ each_request.expecting }}.*} {
send "{{ each_request.sending }}\n"
}
{% endfor %}
eof {
set CYCLE_END 1
}
}
set count "[expr $count + 1]"
if { $count > 16} {
exit 128
}
}
expect eof
lassign [wait] pid spawnid os_error_flag value
if {$os_error_flag == 0} {
puts "INSTALLER_EXIT_STATUS-$value"
} else {
puts "INSTALLER_EXIT_STATUS-$value"
}
- name: Interactive with expect
become: yes
ignore_errors: yes
shell: |
{{ expect_scenario }}
args:
executable: /usr/bin/expect
chdir: "{{ exp_dir }}"
register: exp_result
changed_when: false

170
Ansible/ansible_collections/jfrog/platform/roles/insight/tasks/install.yml Normal file
View File

@@ -0,0 +1,170 @@
- name: Install prerequisite packages
include_tasks: "{{ ansible_os_family }}.yml"
- name: Ensure group insight exist
become: yes
group:
name: "{{ insight_group }}"
state: present
- name: Ensure user insight exist
become: yes
user:
name: "{{ insight_user }}"
group: "{{ insight_group }}"
create_home: yes
home: "{{ insight_home }}"
shell: /bin/bash
state: present
- name: Check if insight tar already exists
become: yes
stat:
path: "{{ jfrog_home_directory }}/{{ insight_tar_file_name }}"
register: insight_tar_check
- name: Download insight
become: yes
get_url:
url: "{{ insight_tar }}"
timeout: "{{ insight_download_timeout }}"
dest: "{{ jfrog_home_directory }}"
register: download_insight
until: download_insight is succeeded
retries: 3
when: not insight_tar_check.stat.exists
- name: Extract insight tar
become: yes
unarchive:
src: "{{ jfrog_home_directory }}/{{ insight_tar_file_name }}"
dest: "{{ jfrog_home_directory }}"
owner: "{{ insight_user }}"
group: "{{ insight_group }}"
creates: "{{ insight_untar_home }}"
remote_src: true
when: download_insight is succeeded
- name: Check if app directory exists
become: yes
stat:
path: "{{ insight_home }}/app"
register: app_dir_check
- name: Copy untar directory to insight home
become: yes
copy:
src: "{{ insight_untar_home }}/"
dest: "{{ insight_home }}"
owner: "{{ insight_user }}"
group: "{{ insight_group }}"
mode: 0755
remote_src: yes
when: not app_dir_check.stat.exists
- name: Create required directories
become: yes
file:
path: "{{ item }}"
state: directory
recurse: yes
owner: "{{ insight_user }}"
group: "{{ insight_group }}"
loop:
- "{{ insight_home }}/var/etc"
- "{{ insight_home }}/var/etc/security/"
- "{{ insight_home }}/var/etc/info/"
- name: Configure master key
become: yes
copy:
dest: "{{ insight_home }}/var/etc/security/master.key"
content: "{{ master_key }}"
owner: "{{ insight_user }}"
group: "{{ insight_group }}"
mode: 0640
- name: Setup elasticsearch
import_tasks: setup-elasticsearch.yml
- name: Check if install.sh wrapper script exist
become: yes
stat:
path: "{{ insight_install_script_path }}/install.sh"
register: install_wrapper_script
- name: Include interactive installer scripts
include_vars: script/archive.yml
- name: Install Insight
include_tasks: expect.yml
vars:
exp_executable_cmd: "./install.sh -u {{ insight_user }} -g {{ insight_group }}"
exp_dir: "{{ insight_install_script_path }}"
exp_scenarios: "{{ insight_installer_scenario['main'] }}"
args:
apply:
environment:
YQ_PATH: "{{ insight_thirdparty_path }}/yq"
when: install_wrapper_script.stat.exists
- name: Configure installer info
become: yes
template:
src: installer-info.json.j2
dest: "{{ insight_home }}/var/etc/info/installer-info.json"
owner: "{{ insight_user }}"
group: "{{ insight_group }}"
mode: 0644
notify: restart insight
- name: Check if system.yaml exists
become: yes
stat:
path: "{{ insight_home }}/var/etc/system.yaml"
register: systemyaml
- name: Configure system.yaml
become: yes
template:
src: "{{ insight_system_yaml_template }}"
dest: "{{ insight_home }}/var/etc/system.yaml"
owner: "{{ insight_user }}"
group: "{{ insight_group }}"
mode: 0644
when:
- insight_systemyaml is defined
- insight_systemyaml | length > 0
- insight_systemyaml_override or (not systemyaml.stat.exists)
notify: restart insight
- name: Update correct permissions
become: yes
file:
path: "{{ insight_home }}"
state: directory
recurse: yes
owner: "{{ insight_user }}"
group: "{{ insight_group }}"
- name: Install insight as a service
become: yes
command: "{{ insight_archive_service_cmd }}"
args:
chdir: "{{ insight_install_script_path }}"
creates: "{{ insight_service_file }}"
register: check_service_status_result
- name: Restart insight
meta: flush_handlers
- name: Make sure insight is up and running
uri:
url: http://127.0.0.1:8082/router/api/v1/system/health
timeout: 130
status_code: 200
register: result
until: result is succeeded
retries: 25
delay: 5
when: not ansible_check_mode

11
Ansible/ansible_collections/jfrog/platform/roles/insight/tasks/main.yml Normal file
View File

@@ -0,0 +1,11 @@
- name: Perform installation
include_tasks: "install.yml"
when:
- insight_enabled
- not insight_upgrade_only
- name: Perform upgrade
include_tasks: "upgrade.yml"
when:
- insight_enabled
- insight_upgrade_only

185
Ansible/ansible_collections/jfrog/platform/roles/insight/tasks/setup-elasticsearch.yml Normal file
View File

@@ -0,0 +1,185 @@
- name: Ensure group elasticsearch exists
become: yes
group:
name: elasticsearch
state: present
- name: Ensure user elasticsearch exists
become: yes
user:
name: elasticsearch
group: elasticsearch
create_home: yes
home: "{{ insight_es_home }}"
shell: /bin/bash
state: present
- name: Create required directories
become: yes
file:
path: "{{ item }}"
state: directory
recurse: yes
owner: elasticsearch
group: elasticsearch
mode: 0644
loop:
- "{{ insight_es_conf_base }}"
- "{{ insight_es_data_dir }}"
- "{{ insight_es_log_dir }}"
- "{{ insight_es_home }}"
- name: Set max file descriptors limit
become: yes
pam_limits:
domain: 'elasticsearch'
limit_type: '-'
limit_item: nofile
value: '65536'
- name: Update nproc limit
become: yes
pam_limits:
domain: 'elasticsearch'
limit_type: '-'
limit_item: nproc
value: '4096'
- name: Set vm.max_map_count in /etc/sysctl.conf
become: yes
sysctl:
name: vm.max_map_count
value: '262144'
sysctl_set: yes
- name: Find elasticsearch package
become: yes
find:
paths: "{{ insight_home }}/app/third-party/elasticsearch"
patterns: "^elasticsearch-.+\\.tar.gz$"
use_regex: yes
file_type: file
register: check_elasticsearch_package_result
- name: Set elasticsearch package file name
set_fact:
insight_elasticsearch_package: "{{ check_elasticsearch_package_result.files[0].path }}"
when: check_elasticsearch_package_result.matched > 0
- name: Ensure elasticsearch home exists
become: yes
file:
path: "{{ insight_es_home }}"
state: directory
owner: elasticsearch
group: elasticsearch
mode: 0644
- name: Extract elasticsearch package
become: yes
unarchive:
src: "{{ insight_elasticsearch_package }}"
dest: "{{ insight_es_home }}"
remote_src: yes
extra_opts:
- --strip-components=1
owner: elasticsearch
group: elasticsearch
creates: "{{ insight_es_java_home }}"
register: unarchive_result
when: check_elasticsearch_package_result.matched > 0
- name: Copy elasticsearch config files to ES_PATH_CONF dir
become: yes
command: "cp -r {{ insight_es_home }}/config/. {{ insight_es_conf_base }}/"
when: unarchive_result.changed
- name: Remove elasticsearch config dir
become: yes
file:
path: "{{ insight_es_home }}/config"
state: absent
when: unarchive_result.changed
- name: Generate HA elasticsearch.yml template file
become: yes
template:
src: templates/ha/{{ insight_ha_node_type }}.elasticsearch.yml.j2
dest: "{{ insight_es_conf_base }}/elasticsearch.yml"
owner: elasticsearch
group: elasticsearch
mode: 0644
when: unarchive_result.extract_results.rc | default(128) == 0
- name: Generate elasticsearch.yml template file
become: yes
template:
src: templates/elasticsearch.yml.j2
dest: "{{ insight_es_conf_base }}/elasticsearch.yml"
owner: elasticsearch
group: elasticsearch
mode: 0644
when: unarchive_result.extract_results.rc | default(128) == 0
- name: Create empty unicast_hosts.txt file
become: yes
file:
path: "{{ insight_es_conf_base }}/unicast_hosts.txt"
state: touch
mode: 0664
owner: elasticsearch
group: elasticsearch
- name: Setup searchguard plugin
import_tasks: setup-searchguard.yml
- name: Update directories permissions
become: yes
file:
path: "{{ item }}"
state: directory
recurse: yes
owner: elasticsearch
group: elasticsearch
mode: 0755
loop:
- "{{ insight_es_conf_base }}"
- "{{ insight_es_data_dir }}"
- "{{ insight_es_log_dir }}"
- "{{ insight_es_home }}"
- name: Start elasticsearch
become: yes
become_user: elasticsearch
shell: |
nohup {{ insight_es_script_path }}/elasticsearch -d
environment:
ES_JAVA_HOME: "{{ insight_es_java_home }}"
ES_PATH_CONF: "{{ insight_es_conf_base }}/"
register: start_elasticsearch
when: unarchive_result.extract_results.rc | default(128) == 0
- name: Wait for elasticsearch to start
pause:
seconds: 30
when: start_elasticsearch.changed
- name: Check if elasticsearch is running
wait_for:
host: localhost
port: "{{ insight_es_transport_port }}"
delay: 5
connect_timeout: 1
- name: Init searchguard plugin
become: yes
become_user: elasticsearch
shell: |
./sgadmin.sh -p {{ insight_es_transport_port }} -cacert root-ca.pem \
-cert sgadmin.pem -key sgadmin.key -cd {{ insight_es_searchgaurd_home }}/sgconfig/ -nhnv -icl
args:
chdir: "{{ insight_es_searchgaurd_home }}/tools/"
environment:
JAVA_HOME: "{{ insight_es_java_home }}"
register: install_searchguard_result
when: check_searchguard_bundle_result.matched == 1

67
Ansible/ansible_collections/jfrog/platform/roles/insight/tasks/setup-searchguard.yml Normal file
View File

@@ -0,0 +1,67 @@
- name: Copy elasticsearch cert files
become: yes
copy:
src: "files/searchguard/{{ item }}"
dest: "{{ insight_es_conf_base }}/{{ item }}"
owner: elasticsearch
group: elasticsearch
mode: 0600
loop:
- "localhost.pem"
- "localhost.key"
- "root-ca.pem"
- name: Find searchguard bundle
become: yes
find:
paths: "{{ insight_home }}/app/third-party/elasticsearch/"
patterns: "^search-guard-.+\\.zip$"
use_regex: yes
file_type: file
register: check_searchguard_bundle_result
- name: Install searchguard plugin
become: yes
ignore_errors: yes
shell: |
{{ insight_es_script_path }}/elasticsearch-plugin install \
-b file://{{ check_searchguard_bundle_result.files[0].path }}
environment:
ES_JAVA_HOME: "{{ insight_es_java_home }}"
ES_PATH_CONF: "{{ insight_es_conf_base }}/"
register: install_searchguard_result
when: check_searchguard_bundle_result.matched == 1
- name: Copy searchguard certificate files
become: yes
copy:
src: "files/searchguard/{{ item }}"
dest: "{{ insight_es_searchgaurd_home }}/tools/{{ item }}"
owner: elasticsearch
group: elasticsearch
mode: 0600
loop:
- "sgadmin.pem"
- "sgadmin.key"
- "root-ca.pem"
- name: Copy SG roles files
become: yes
copy:
src: "files/searchguard/{{ item }}"
dest: "{{ insight_es_searchgaurd_home }}/sgconfig/{{ item }}"
owner: elasticsearch
group: elasticsearch
mode: 0600
loop:
- "sg_roles.yml"
- "sg_roles_mapping.yml"
- "sg_config.yml"
- name: Check execution bit
become: yes
file:
path: "{{ insight_es_searchgaurd_home }}/tools/sgadmin.sh"
owner: elasticsearch
group: elasticsearch
mode: 0700

136
Ansible/ansible_collections/jfrog/platform/roles/insight/tasks/upgrade-elasticsearch.yml Normal file
View File

@@ -0,0 +1,136 @@
- name: Kill elasticsearch process
become: yes
shell: |
set -o pipefail
ps -ef | grep -v grep | grep -w elasticsearch | awk '{print $2}' | while read curr_ps_id
do
echo "process ${curr_ps_id} still running"
echo "$(ps -ef | grep -v grep | grep ${curr_ps_id})"
kill -9 ${curr_ps_id}
done
args:
executable: /bin/bash
changed_when: false
- name: Find searchguard bundle for removal
become: yes
find:
paths: "{{ insight_home }}/app/third-party/elasticsearch/"
patterns: "^search-guard-.+\\.zip$"
use_regex: yes
file_type: file
register: check_searchguard_bundle_result
- name: Remove searchguard plugin
become: yes
become_user: elasticsearch
ignore_errors: yes
shell: |
{{ insight_es_script_path }}/elasticsearch-plugin remove {{ check_searchguard_bundle_result.files[0].path }}
environment:
ES_JAVA_HOME: "{{ insight_es_java_home }}"
ES_PATH_CONF: "{{ insight_es_conf_base }}/config"
register: remove_searchguard_result
when: check_searchguard_bundle_result.matched == 1
- name: Delete elasticsearch home dir
become: yes
file:
path: "{{ insight_es_home }}"
state: absent
- name: Create elasticsearch home dir
become: yes
file:
path: "{{ insight_es_home }}"
state: directory
owner: elasticsearch
group: elasticsearch
mode: 0755
- name: Find elasticsearch package
become: yes
find:
paths: "{{ insight_home }}/app/third-party/elasticsearch"
patterns: "^elasticsearch-.+\\.tar.gz$"
use_regex: yes
file_type: file
register: check_elasticsearch_package_result
- name: Set elasticsearch package file name
set_fact:
insight_elasticsearch_package: "{{ check_elasticsearch_package_result.files[0].path }}"
when: check_elasticsearch_package_result.matched > 0
- name: Extract elasticsearch package
become: yes
unarchive:
src: "{{ insight_elasticsearch_package }}"
dest: "{{ insight_es_home }}"
remote_src: yes
extra_opts:
- --strip-components=1
- --exclude=config
owner: elasticsearch
group: elasticsearch
creates: "{{ insight_es_java_home }}"
register: unarchive_result
when: check_elasticsearch_package_result.matched > 0
- name: Generate HA elasticsearch.yml template file
become: yes
template:
src: templates/ha/{{ insight_ha_node_type }}.elasticsearch.yml.j2
dest: "{{ insight_es_conf_base }}/elasticsearch.yml"
owner: elasticsearch
group: elasticsearch
mode: 0644
when: unarchive_result.extract_results.rc | default(128) == 0
- name: Create empty unicast_hosts.txt file
become: yes
file:
path: "{{ insight_es_conf_base }}/unicast_hosts.txt"
state: touch
owner: elasticsearch
group: elasticsearch
mode: 0644
- name: Upgrade searchguard plugin
import_tasks: upgrade-searchguard.yml
- name: Start elasticsearch
become: yes
become_user: elasticsearch
shell: |
nohup {{ insight_es_script_path }}/elasticsearch -d
environment:
ES_JAVA_HOME: "{{ insight_es_java_home }}"
ES_PATH_CONF: "{{ insight_es_conf_base }}/"
when: unarchive_result.extract_results.rc | default(128) == 0
register: start_elastcsearch
- name: Wait for elasticsearch to start
pause:
seconds: 30
when: start_elasticsearch.changed
- name: Check if elasticsearch is running
wait_for:
host: localhost
port: "{{ insight_es_transport_port }}"
delay: 5
connect_timeout: 1
- name: Init searchguard plugin
become: yes
become_user: elasticsearch
shell: |
./sgadmin.sh -p {{ insight_es_transport_port }} -cacert root-ca.pem \
-cert sgadmin.pem -key sgadmin.key -cd {{ insight_es_searchgaurd_home }}/sgconfig/ -nhnv -icl
args:
chdir: "{{ insight_es_searchgaurd_home }}/tools/"
environment:
JAVA_HOME: "{{ insight_es_java_home }}"
register: install_searchguard_result
when: check_searchguard_bundle_result.matched == 1

76
Ansible/ansible_collections/jfrog/platform/roles/insight/tasks/upgrade-searchguard.yml Normal file
View File

@@ -0,0 +1,76 @@
- name: Create elasticsearch config path folder
become: yes
file:
path: "{{ insight_es_conf_base }}"
state: directory
owner: elasticsearch
group: elasticsearch
mode: 0755
- name: Copy elasticsearch cert files
become: yes
copy:
src: "files/searchguard/{{ item }}"
dest: "{{ insight_es_conf_base }}/{{ item }}"
owner: elasticsearch
group: elasticsearch
mode: 0600
loop:
- "localhost.pem"
- "localhost.key"
- "root-ca.pem"
- name: Find searchguard bundle
become: yes
find:
paths: "{{ insight_home }}/app/third-party/elasticsearch/"
patterns: "^search-guard-.+\\.zip$"
use_regex: yes
file_type: file
register: check_searchguard_bundle_result
- name: Install searchguard plugin
become: yes
ignore_errors: yes
shell: |
{{ insight_es_script_path }}/elasticsearch-plugin install \
-b file://{{ check_searchguard_bundle_result.files[0].path }}
environment:
ES_JAVA_HOME: "{{ insight_es_java_home }}"
ES_PATH_CONF: "{{ insight_es_conf_base }}/"
register: install_searchguard_result
when: check_searchguard_bundle_result.matched == 1
- name: Copy searchguard cert files
become: yes
copy:
src: "files/searchguard/{{ item }}"
dest: "{{ insight_es_searchgaurd_home }}/tools/{{ item }}"
owner: elasticsearch
group: elasticsearch
mode: 0600
loop:
- "sgadmin.pem"
- "sgadmin.key"
- "root-ca.pem"
- name: Copy SG roles files
become: yes
copy:
src: "files/searchguard/{{ item }}"
dest: "{{ insight_es_searchgaurd_home }}/sgconfig/{{ item }}"
owner: elasticsearch
group: elasticsearch
mode: 0600
loop:
- "sg_roles.yml"
- "sg_roles_mapping.yml"
- "sg_config.yml"
- name: Check execution bit
become: yes
file:
path: "{{ insight_es_searchgaurd_home }}/tools/sgadmin.sh"
owner: elasticsearch
group: elasticsearch
mode: 0700

128
Ansible/ansible_collections/jfrog/platform/roles/insight/tasks/upgrade.yml Normal file
View File

@@ -0,0 +1,128 @@
- name: Check if insight tar exists
become: yes
stat:
path: "{{ jfrog_home_directory }}/{{ insight_tar_file_name }}"
register: insight_tar_check
- name: Download insight for upgrade
become: yes
get_url:
url: "{{ insight_tar }}"
timeout: "{{ insight_download_timeout }}"
dest: "{{ jfrog_home_directory }}"
register: download_insight
until: download_insight is succeeded
retries: 3
when: not insight_tar_check.stat.exists
- name: Extract insight tar
become: yes
unarchive:
src: "{{ jfrog_home_directory }}/{{ insight_tar_file_name }}"
dest: "{{ jfrog_home_directory }}"
remote_src: true
owner: "{{ insight_user }}"
group: "{{ insight_group }}"
creates: "{{ insight_untar_home }}"
when: download_insight is succeeded
- name: Stop insight
meta: flush_handlers
- name: Delete current app folder
become: yes
file:
path: "{{ insight_home }}/app"
state: absent
when: download_insight.changed
- name: Copy new app to insight app
command: "cp -r {{ insight_untar_home }}/app/. {{ insight_home }}/app"
become: yes
when: download_insight.changed
- name: Delete untar directory
become: yes
file:
path: "{{ insight_untar_home }}"
state: absent
when: download_insight.changed
- name: Upgrade elasticsearch
import_tasks: upgrade-elasticsearch.yml
when: download_insight.changed
- name: Check if system.yaml exists
become: yes
stat:
path: "{{ insight_home }}/var/etc/system.yaml"
register: systemyaml
- name: Configure system.yaml
become: yes
template:
src: "{{ insight_system_yaml_template }}"
dest: "{{ insight_home }}/var/etc/system.yaml"
owner: "{{ insight_user }}"
group: "{{ insight_group }}"
mode: 0644
when:
- insight_systemyaml is defined
- insight_systemyaml | length > 0
- insight_systemyaml_override or (not systemyaml.stat.exists)
notify: restart insight
- name: Check if install.sh wrapper script exist
become: yes
stat:
path: "{{ insight_install_script_path }}/install.sh"
register: upgrade_wrapper_script
when: download_insight.changed
- name: Include interactive installer scripts
include_vars: script/archive.yml
- name: Upgrade Insight
include_tasks: expect.yml
vars:
exp_executable_cmd: "./install.sh -u {{ insight_user }} -g {{ insight_group }}"
exp_dir: "{{ insight_install_script_path }}"
exp_scenarios: "{{ insight_installer_scenario['main'] }}"
args:
apply:
environment:
YQ_PATH: "{{ insight_thirdparty_path }}/yq"
when:
- upgrade_wrapper_script.stat.exists
- download_insight.changed
- name: Configure installer info
become: yes
template:
src: installer-info.json.j2
dest: "{{ insight_home }}/var/etc/info/installer-info.json"
mode: 0644
notify: restart insight
- name: Update correct permissions
become: yes
file:
path: "{{ insight_home }}"
state: directory
recurse: yes
owner: "{{ insight_user }}"
group: "{{ insight_group }}"
- name: Restart insight
meta: flush_handlers
- name: Make sure insight is up and running
uri:
url: http://127.0.0.1:8082/router/api/v1/system/health
timeout: 130
status_code: 200
register: result
until: result is succeeded
retries: 25
delay: 5
when: not ansible_check_mode

22
Ansible/ansible_collections/jfrog/platform/roles/insight/templates/elasticsearch.yml.j2 Normal file
View File

@@ -0,0 +1,22 @@
discovery.seed_providers: file
transport.port: {{ insight_es_transport_port }}
transport.host: 0.0.0.0
transport.publish_host: {{ ansible_host }}
network.host: 0.0.0.0
node.name: {{ ansible_host }}
cluster.initial_master_nodes: {{ ansible_host }}
bootstrap.memory_lock: false
path.data: {{ insight_es_data_dir }}
path.logs: {{ insight_es_log_dir }}
xpack.security.enabled: false
searchguard.ssl.transport.pemcert_filepath: localhost.pem
searchguard.ssl.transport.pemkey_filepath: localhost.key
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.nodes_dn:
- CN=localhost,OU=Ops,O=localhost\, Inc.,DC=localhost,DC=com
searchguard.authcz.admin_dn:
- CN=sgadmin,OU=Ops,O=sgadmin\, Inc.,DC=sgadmin,DC=com
searchguard.enterprise_modules_enabled: false

15
Ansible/ansible_collections/jfrog/platform/roles/insight/templates/ha/master.elasticsearch.yml.j2 Normal file
View File

@@ -0,0 +1,15 @@
discovery.seed_providers: file
{% if insight_elasticsearch_package | regex_search(".*oss-7.*") %}
cluster.initial_master_nodes: {{ ansible_host }}
{% endif %}
xpack.security.enabled: false
path.data: {{ insight_es_home }}/data
path.logs: {{ insight_es_home }}/logs
network.host: 0.0.0.0
node.name: {{ ansible_host }}
transport.host: 0.0.0.0
transport.port: 9300
transport.publish_host: {{ ansible_host }}

22
Ansible/ansible_collections/jfrog/platform/roles/insight/templates/ha/master.system.yaml.j2 Normal file
View File

@@ -0,0 +1,22 @@
configVersion: 1
shared:
jfrogUrl: {{ jfrog_url }}
node:
ip: {{ ansible_host }}
database:
type: "{{ insight_db_type }}"
driver: "{{ insight_db_driver }}"
url: "{{ insight_db_url }}"
username: "{{ insight_db_user }}"
password: "{{ insight_db_password }}"
elasticsearch:
unicastFile: {{ insight_es_conf_base }}/unicast_hosts.txt
password: {{ insight_es_password }}
url: {{ insight_es_url }}
username: {{ insight_es_user }}
external: true
security:
joinKey: {{ join_key }}
router:
entrypoints:
internalPort: 8046

12
Ansible/ansible_collections/jfrog/platform/roles/insight/templates/ha/slave.elasticsearch.yml.j2 Normal file
View File

@@ -0,0 +1,12 @@
#bootstrap.memory_lock: true
discovery.seed_providers: file
xpack.security.enabled: false
path.data: {{ insight_es_home }}/data
path.logs: {{ insight_es_home }}/logs
network.host: 0.0.0.0
node.name: {{ ansible_host }}
transport.host: 0.0.0.0
transport.port: 9300
transport.publish_host: {{ ansible_host }}

23
Ansible/ansible_collections/jfrog/platform/roles/insight/templates/ha/slave.system.yaml.j2 Normal file
View File

@@ -0,0 +1,23 @@
configVersion: 1
shared:
jfrogUrl: {{ jfrog_url }}
node:
ip: {{ ansible_host }}
database:
type: "{{ insight_db_type }}"
driver: "{{ insight_db_driver }}"
url: "{{ insight_db_url }}"
username: "{{ insight_db_user }}"
password: "{{ insight_db_password }}"
elasticsearch:
unicastFile: {{ insight_es_conf_base }}/unicast_hosts.txt
clusterSetup: YES
password: {{ insight_es_password }}
url: {{ insight_es_url }}
username: {{ insight_es_user }}
external: true
security:
joinKey: {{ join_key }}
router:
entrypoints:
internalPort: 8046

9
Ansible/ansible_collections/jfrog/platform/roles/insight/templates/installer-info.json.j2 Normal file
View File

@@ -0,0 +1,9 @@
{{ ansible_managed | comment }}
{
"productId": "Ansible_Insight/{{ platform_collection_version }}-{{ insight_version }}",
"features": [
{
"featureId": "Channel/{{ ansible_marketplace }}"
}
]
}

1
Ansible/ansible_collections/jfrog/platform/roles/insight/templates/system.yaml.j2 Normal file
View File

@@ -0,0 +1 @@
{{ insight_systemyaml }}

5
Ansible/ansible_collections/jfrog/platform/roles/insight/vars/main.yml Normal file
View File

@@ -0,0 +1,5 @@
# platform collection version
platform_collection_version: 10.0.1
# indicates were this collection was downlaoded from (galaxy, automation_hub, standalone)
ansible_marketplace: galaxy

58
Ansible/ansible_collections/jfrog/platform/roles/insight/vars/script/archive.yml Normal file
View File

@@ -0,0 +1,58 @@
insight_installer_scenario:
main:
- {
"expecting": "(data|installation) directory \\(",
"sending": "{{ insight_home }}"
}
- {
"expecting": "jfrog url( \\(.+\\))?:(?!.*Skipping prompt)",
"sending": "{{ jfrog_url }}"
}
- {
"expecting": "join key:(?!.*Skipping prompt)",
"sending": "{{ join_key }}"
}
- {
"expecting": "please specify the ip address of this machine(?!.*Skipping prompt)",
"sending": "{{ ansible_host }}"
}
- {
"expecting": "are you adding an additional node",
"sending": "{% if insight_ha_node_type is defined and insight_ha_node_type == 'master' %}n{% else %}y{% endif %}"
}
- {
"expecting": "do you want to install postgresql",
"sending": "n"
}
- {
"expecting": "do you want to install elasticsearch",
"sending": "n"
}
- {
"expecting": "(postgresql|database) url.+\\[jdbc:postgresql.+\\]:",
"sending": "{{ insight_db_url }}"
}
- {
"expecting": "(postgresql|database) password",
"sending": "{{ insight_db_password }}"
}
- {
"expecting": "(postgresql|database) username",
"sending": "{{ insight_db_user }}"
}
- {
"expecting": "confirm database password",
"sending": "{{ insight_db_password }}"
}
- {
"expecting": "elasticsearch url:(?!.*Skipping prompt)",
"sending": "{{ insight_es_url }}"
}
- {
"expecting": "elasticsearch username:",
"sending": "{{ insight_es_user }}"
}
- {
"expecting": "elasticsearch password:",
"sending": "{{ insight_es_password }}"
}