Remove searchguard tool

inventories/opensearch/group_vars/all/all.yml

@@ -7,11 +7,11 @@ os_download_url: https://artifacts.opensearch.org/releases/bundle/opensearch
 
 # opensearch version
 # 2.x Latest Version
-os_version: "2.19.1"
+os_version: "2.19.2"
 
 # opensearch dashboards version
 # 2.x Latest Version
-os_dashboards_version: "2.19.1"
+os_dashboards_version: "2.19.2"
 
 # Configure hostnames for opensearch nodes
 # It is required to configure SSL

inventory.ini

@@ -0,0 +1,24 @@
+os1 ansible_host=10.0.1.1  ansible_user=root ip=10.0.1.1 roles=data,master
+os2 ansible_host=10.0.1.2  ansible_user=root ip=10.0.1.2 roles=data,master
+os3 ansible_host=10.0.1.3  ansible_user=root ip=10.0.1.3 roles=data,master
+os4 ansible_host=10.0.1.4  ansible_user=root ip=10.0.1.4 roles=data,ingest
+os5 ansible_host=10.0.1.5  ansible_user=root ip=10.0.1.5 roles=data,ingest
+
+dashboards1 ansible_host=10.0.1.6  ansible_user=root ip=10.0.1.6
+
+# List all the nodes in the os cluster
+[os-cluster]
+os1
+os2
+os3
+os4
+os5
+
+# List all the Master eligible nodes under this group
+[master]
+os1
+os2
+os3
+
+[dashboards]
+dashboards1

roles/linux/opensearch/defaults/main.yml

@@ -23,3 +23,4 @@ systemctl_path: /etc/systemd/system
 
 # Auth type: 'internal' or 'oidc' (OpenID). Default: internal
 auth_type: internal
+opensearch_nodecerts_path: /tmp/opensearch-nodecerts

roles/linux/opensearch/tasks/certificate.yml

@@ -0,0 +1,123 @@
+---
+  - name: Security Plugin configuration | Generate root CA private key (4096 bits, RSA)
+    community.crypto.openssl_privatekey:
+      path: /tmp/opensearch-nodecerts/config/root-ca.key
+      format: pkcs8
+      cipher: auto
+    delegate_to: localhost
+    run_once: true
+
+  - name: Security Plugin configuration | Create certificate signing request (CSR) for CA certificate
+    community.crypto.openssl_csr_pipe:
+      privatekey_path: /tmp/opensearch-nodecerts/config/root-ca.key
+      common_name: "opensearch_root_ca.{{ domain_name }}"
+      use_common_name_for_san: false 
+      basic_constraints:
+        - 'CA:TRUE'
+      basic_constraints_critical: true
+      key_usage:
+        - keyCertSign
+      key_usage_critical: true
+    register: ca_csr
+    delegate_to: localhost
+
+  - name: Security Plugin configuration | Create self-signed CA certificate from CSR
+    community.crypto.x509_certificate:
+      path: /tmp/opensearch-nodecerts/config/root-ca.pem
+      csr_content: "{{ ca_csr.csr }}"
+      privatekey_path: /tmp/opensearch-nodecerts/config/root-ca.key
+      provider: selfsigned
+    delegate_to: localhost
+
+  - name: Security Plugin configuration | Create Node private key (4096 bits, RSA)
+    community.crypto.openssl_privatekey:
+      path: "/tmp/opensearch-nodecerts/config/{{ item }}.key"
+      format: pkcs8
+      cipher: auto
+    loop: "{{ groups['os-cluster'] }}"
+    delegate_to: localhost
+    run_once: true
+
+  - name: Security Plugin configuration | Create HTTP Node private key (4096 bits, RSA)
+    community.crypto.openssl_privatekey:
+      path: "/tmp/opensearch-nodecerts/config/{{ item }}_http.key"
+      format: pkcs8
+      cipher: auto
+    loop: "{{ groups['os-cluster'] }}"
+    delegate_to: localhost
+    run_once: true
+
+  - name: Security Plugin configuration | Create Admin private key (4096 bits, RSA)
+    community.crypto.openssl_privatekey:
+      path: /tmp/opensearch-nodecerts/config/admin.key
+      format: pkcs8
+      cipher: auto
+    delegate_to: localhost
+    run_once: true
+    #openssl pkcs8 -in /etc/opensearch/cert/admin.key.pem -topk8 -out /etc/opensearch/cert/new_admin.key.pem -v1 PBE-SHA1-3DES
+
+  - name: Security Plugin configuration | Create Node certificate signing request (CSR)
+    community.crypto.openssl_csr:
+      path: "/tmp/opensearch-nodecerts/config/{{ item }}.csr"
+      privatekey_path: "/tmp/opensearch-nodecerts/config/{{ item }}.key"
+      common_name: "{{ item }}.{{ domain_name }}"
+      organization_name: "{{ domain_name }}"
+      organizational_unit_name: "Os"
+      subject_alt_name: "DNS:{{ item }}"
+    loop: "{{ groups['os-cluster'] }}"
+    delegate_to: localhost
+    run_once: true
+
+  - name: Security Plugin configuration | Create Node HTTP certificate signing request (CSR)
+    community.crypto.openssl_csr:
+      path: "/tmp/opensearch-nodecerts/config/{{ item }}_http.csr"
+      privatekey_path: "/tmp/opensearch-nodecerts/config/{{ item }}_http.key"
+      common_name: "{{ item }}.{{ domain_name }}"
+      organization_name: "{{ domain_name }}"
+      organizational_unit_name: "Os"
+      subject_alt_name: "DNS:{{ item }}"
+    loop: "{{ groups['os-cluster'] }}"
+    delegate_to: localhost
+    run_once: true
+
+  - name: Security Plugin configuration | Create Admin signing request (CSR)
+    community.crypto.openssl_csr:
+      path: /tmp/opensearch-nodecerts/config/admin.csr
+      privatekey_path: /tmp/opensearch-nodecerts/config/admin.key
+      common_name: "admin.{{ domain_name }}"
+      organization_name: "{{ domain_name }}"
+      organizational_unit_name: "Os"
+    delegate_to: localhost
+    run_once: true
+
+  - name: Security Plugin configuration | Create self-signed Node certificate from CSR
+    community.crypto.x509_certificate:
+      path: "/tmp/opensearch-nodecerts/config/{{ item }}.pem"
+      csr_path: "/tmp/opensearch-nodecerts/config/{{ item }}.csr"
+      ownca_path: "/tmp/opensearch-nodecerts/config/root-ca.pem"
+      ownca_privatekey_path: "/tmp/opensearch-nodecerts/config/root-ca.key"
+      provider: ownca
+    loop: "{{ groups['os-cluster'] }}"
+    delegate_to: localhost
+    run_once: true
+
+  - name: Security Plugin configuration | Create self-signed HTTP Node certificate from CSR
+    community.crypto.x509_certificate:
+      path: "/tmp/opensearch-nodecerts/config/{{ item }}_http.pem"
+      csr_path: "/tmp/opensearch-nodecerts/config/{{ item }}_http.csr"
+      ownca_path: "/tmp/opensearch-nodecerts/config/root-ca.pem"
+      ownca_privatekey_path: "/tmp/opensearch-nodecerts/config/root-ca.key"
+      provider: ownca
+    loop: "{{ groups['os-cluster'] }}"
+    delegate_to: localhost
+    run_once: true
+
+  - name: Security Plugin configuration | Create self-signed Admin certificate from CSR
+    community.crypto.x509_certificate:
+      path: "/tmp/opensearch-nodecerts/config/admin.pem"
+      csr_path: "/tmp/opensearch-nodecerts/config/admin.csr"
+      ownca_path: "/tmp/opensearch-nodecerts/config/root-ca.pem"
+      ownca_privatekey_path: "/tmp/opensearch-nodecerts/config/root-ca.key"
+      provider: ownca
+    delegate_to: localhost
+    run_once: true

roles/linux/opensearch/tasks/main.yml

@@ -5,13 +5,13 @@
     name: "{{ inventory_hostname }}"
 
 # Disabling for Amazon Linux 2, Ubuntu and Debian as selinux is disabled by default.
-- name: Disable the selinux
-  ansible.posix.selinux:
-    state: disabled
-  when:
-    - ansible_distribution != "Ubuntu"
-    - ansible_distribution != "Amazon"
-    - ansible_distribution != "Debian"
+#- name: Disable the selinux
+#  ansible.posix.selinux:
+#    state: disabled
+#  when:
+#    - ansible_distribution != "Ubuntu"
+#    - ansible_distribution != "Amazon"
+#    - ansible_distribution != "Debian"
 
 - name: Populate the nodes to /etc/hosts
   ansible.builtin.import_tasks: etchosts.yml

roles/linux/opensearch/tasks/security.yml

@@ -20,45 +20,17 @@
   register: configuration
   become: false
 
-- name: Security Plugin configuration | Download certificates generation tool
-  local_action:
-    module: get_url
-    url: https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/1.5/search-guard-tlstool-1.5.tar.gz
-    dest: /tmp/opensearch-nodecerts/search-guard-tlstool.tar.gz
-  run_once: true
-  when: configuration.changed
-  become: false
-
-- name: Security Plugin configuration | Extract the certificates generation tool
-  local_action: command chdir=/tmp/opensearch-nodecerts tar -xvf search-guard-tlstool.tar.gz
-  run_once: true
-  when: configuration.changed
-  become: false
-
-- name: Security Plugin configuration | Make the executable file
+- name: Security Plugin configuration | Create local temporary directory for certificates generation
   local_action:
     module: file
-    dest: /tmp/opensearch-nodecerts/tools/sgtlstool.sh
-    mode: a+x
-  run_once: true
-  when: configuration.changed
-  become: false
-
-- name: Security Plugin configuration | Prepare the certificates generation template file
-  local_action:
-    module: template
-    src: tlsconfig.yml
-    dest: /tmp/opensearch-nodecerts/config/tlsconfig.yml
+    path: /tmp/opensearch-nodecerts/config
+    state: directory
   run_once: true
-  when: configuration.changed
+  register: configuration
   become: false
 
-- name: Security Plugin configuration | Generate the node & admin certificates in local
-  local_action:
-    module: command /tmp/opensearch-nodecerts/tools/sgtlstool.sh -c /tmp/opensearch-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opensearch-nodecerts/config/
-  run_once: true
-  when: configuration.changed
-  become: false
+- name: Create CRT
+  ansible.builtin.import_tasks: certificate.yml
 
 - name: Security Plugin configuration | IaC enabled - Check certificate
   when: iac_enable
@@ -137,15 +109,6 @@
     marker: "## {mark} OpenSearch Security common configuration ##"
   when: configuration.changed or iac_enable
 
-- name: Security Plugin configuration | Copy the security configuration file 2 to cluster
-  ansible.builtin.blockinfile:
-    block: "{{ lookup('file', '/tmp/opensearch-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}"
-    dest: "{{ os_conf_dir }}/opensearch.yml"
-    backup: true
-    insertafter: EOF
-    marker: "## {mark} opensearch Security Node & Admin certificates configuration ##"
-  when: configuration.changed or iac_enable
-
 - name: Security Plugin configuration | Create security plugin configuration folder
   ansible.builtin.file:
     dest: "{{ os_sec_plugin_conf_path }}"
@@ -166,10 +129,6 @@
     force: true
   when: auth_type == 'oidc' or copy_custom_security_configs
 
-- name: Security Plugin configuration | Prepare the opensearch security configuration file
-  ansible.builtin.command: sed -i 's/searchguard/plugins.security/g' {{ os_conf_dir }}/opensearch.yml
-  when: configuration.changed or iac_enable
-
 - name: Security Plugin configuration | Set the file ownerships
   ansible.builtin.file:
     dest: "{{ os_home }}"

roles/linux/opensearch/templates/security_conf.yml

@@ -4,3 +4,17 @@ plugins.security.audit.type: internal_opensearch
 plugins.security.enable_snapshot_restore_privilege: true
 plugins.security.check_snapshot_restore_write_privileges: true
 plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+
+plugins.security.ssl.transport.pemcert_filepath: "{{ inventory_hostname }}.pem"
+plugins.security.ssl.transport.pemkey_filepath: "{{ inventory_hostname }}.key"
+plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.http.pemcert_filepath: "{{ inventory_hostname }}_http.pem"
+plugins.security.ssl.http.pemkey_filepath: "{{ inventory_hostname }}_http.key"
+plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+plugins.security.nodes_dn:
+- CN=*.{{ domain_name }},OU=Os,O={{ domain_name }}
+plugins.security.authcz.admin_dn:
+- CN=admin.{{ domain_name }},OU=Os,O={{ domain_name }}