Cyberdefense/VulnWhisperer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add ansible provisioning (#122)

Browse Source 
* first ansible skeleton

* first commit of ansible installation of vulnwhisperer outside docker

* first ansible skeleton

* first commit of ansible installation of vulnwhisperer outside docker

* refactor the ansible role a bit

* update readme, add fail validation step to provision.yml and fix
typo when calling a logging funciton
This commit is contained in:
Andrea Lusuardi
2018-11-14 10:14:12 +01:00
committed by Quim Montal
parent a8671a7303
commit 3a09f60543
95 changed files with 4459 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
ansible/roles/elastic.elasticsearch/test/integration/debug.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: Dump all variables to a file
changed_when: False
copy:
content: '{{ vars | to_nice_json }} '
dest: '/tmp/vars.json'

3
ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/Gemfile Normal file
View File

@ -0,0 +1,3 @@
source 'https://rubygems.org'
gem 'rspec-retry'

10
ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/issue_test_spec.rb Normal file
View File

@ -0,0 +1,10 @@
require 'spec_helper'
require 'json'
vars = JSON.parse(File.read('/tmp/vars.json'))
shared_examples 'issue_test::init' do |vars|
#Add custom tests here for the issue-test.yml test
end

139
ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/multi_spec.rb Normal file
View File

@ -0,0 +1,139 @@
require 'spec_helper'
require 'json'
vars = JSON.parse(File.read('/tmp/vars.json'))
shared_examples 'multi::init' do |vars|
describe service('master_elasticsearch') do
it { should be_running }
end
#test configuration parameters have been set - test all appropriately set in config file
describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do
it { should be_file }
it { should contain 'http.port: 9201' }
it { should contain 'transport.tcp.port: 9301' }
it { should contain 'node.data: true' }
it { should contain 'node.master: false' }
it { should contain "node.name: localhost-#{vars['es_instance_name']}" }
it { should_not contain 'bootstrap.memory_lock: true' }
if vars['es_major_version'] == '6.x'
it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" }
else
it { should contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" }
end
it { should contain "path.data: /opt/elasticsearch/data-1/localhost-#{vars['es_instance_name']},/opt/elasticsearch/data-2/localhost-#{vars['es_instance_name']}" }
it { should contain "path.logs: /var/log/elasticsearch/localhost-#{vars['es_instance_name']}" }
end
#test configuration parameters have been set for master - test all appropriately set in config file
describe file('/etc/elasticsearch/master/elasticsearch.yml') do
it { should be_file }
it { should contain 'http.port: 9200' }
it { should contain 'transport.tcp.port: 9300' }
it { should contain 'node.data: false' }
it { should contain 'node.master: true' }
it { should contain 'node.name: localhost-master' }
it { should contain 'bootstrap.memory_lock: true' }
if vars['es_major_version'] == '6.x'
it { should_not contain 'path.conf: /etc/elasticsearch/master' }
else
it { should contain 'path.conf: /etc/elasticsearch/master' }
end
it { should contain 'path.data: /opt/elasticsearch/master/localhost-master' }
it { should contain 'path.logs: /var/log/elasticsearch/localhost-master' }
end
describe 'Master listening' do
it 'listening in port 9200' do
expect(port 9200).to be_listening
end
end
#test we started on the correct port was used for master
describe 'master started' do
it 'master node should be running', :retry => 3, :retry_wait => 10 do
expect(curl_json('http://localhost:9200')['name']).to eq('localhost-master')
end
end
#test we started on the correct port was used for node 1
describe "#{vars['es_instance_name']} started" do
it 'node should be running', :retry => 3, :retry_wait => 10 do
expect(curl_json('http://localhost:9201')['name']).to eq("localhost-#{vars['es_instance_name']}")
end
end
#Confirm scripts are on both nodes
describe file('/etc/elasticsearch/master/scripts') do
it { should be_directory }
it { should be_owned_by 'elasticsearch' }
end
describe file('/etc/elasticsearch/master/scripts/calculate-score.groovy') do
it { should be_file }
it { should be_owned_by 'elasticsearch' }
end
#Confirm that the data directory has only been set for the first node
describe file('/opt/elasticsearch/master/localhost-master') do
it { should be_directory }
it { should be_owned_by 'elasticsearch' }
end
describe file("/opt/elasticsearch/data-1/localhost-#{vars['es_instance_name']}") do
it { should be_directory }
it { should be_owned_by 'elasticsearch' }
end
describe file("/opt/elasticsearch/data-2/localhost-#{vars['es_instance_name']}") do
it { should be_directory }
it { should be_owned_by 'elasticsearch' }
end
#test to make sure mlock was applied
describe command('curl -s "localhost:9200/_nodes/localhost-master/process?pretty=true" | grep mlockall') do
its(:stdout) { should match /true/ }
its(:exit_status) { should eq 0 }
end
#test to make sure mlock was not applied
describe command("curl -s 'localhost:9201/_nodes/localhost-#{vars['es_instance_name']}/process?pretty=true' | grep mlockall") do
its(:stdout) { should match /false/ }
its(:exit_status) { should eq 0 }
end
describe 'version check on master' do
it 'should be reported as version '+vars['es_version'] do
command = command('curl -s localhost:9200 | grep number')
expect(command.stdout).to match(vars['es_version'])
expect(command.exit_status).to eq(0)
end
end
describe 'version check on data' do
it 'should be reported as version '+vars['es_version'] do
command = command('curl -s localhost:9201 | grep number')
expect(command.stdout).to match(vars['es_version'])
expect(command.exit_status).to eq(0)
end
end
for plugin in vars['es_plugins']
plugin = plugin['plugin']
describe command('curl -s localhost:9200/_nodes/plugins?pretty=true | grep '+plugin) do
its(:exit_status) { should eq 0 }
end
describe command('curl -s localhost:9201/_nodes/plugins?pretty=true | grep '+plugin) do
its(:exit_status) { should eq 0 }
end
describe file('/usr/share/elasticsearch/plugins/'+plugin) do
it { should be_directory }
it { should be_owned_by 'elasticsearch' }
end
end
end

13
ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/oss_spec.rb Normal file
View File

@ -0,0 +1,13 @@
require 'spec_helper'
shared_examples 'oss::init' do |vars|
describe file("/etc/elasticsearch/#{vars['es_instance_name']}/log4j2.properties") do
it { should be_file }
it { should be_owned_by 'elasticsearch' }
it { should_not contain 'CUSTOM LOG4J FILE' }
end
describe file("/etc/elasticsearch/#{vars['es_instance_name']}/jvm.options") do
it { should be_file }
it { should be_owned_by vars['es_user'] }
end
end

4
ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/oss_to_xpack_upgrade_spec.rb Normal file
View File

@ -0,0 +1,4 @@
require 'spec_helper'
shared_examples 'oss_to_xpack_upgrade::init' do |vars|
end

4
ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/oss_upgrade_spec.rb Normal file
View File

@ -0,0 +1,4 @@
require 'spec_helper'
shared_examples 'oss_upgrade::init' do |vars|
end

170
ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/shared_spec.rb Normal file
View File

@ -0,0 +1,170 @@
require 'spec_helper'
require 'json'
vars = JSON.parse(File.read('/tmp/vars.json'))
families = {
'Debian' => {
'shell' => '/bin/false',
'password' => '*',
'defaults_path' => '/etc/default/elasticsearch'
},
'RedHat' => {
'shell' => '/sbin/nologin',
'password' => '!!',
'defaults_path' => '/etc/sysconfig/elasticsearch'
}
}
family = families[vars['ansible_os_family']]
es_api_url = "http://localhost:#{vars['es_api_port']}"
username = vars['es_api_basic_auth_username']
password = vars['es_api_basic_auth_password']
shared_examples 'shared::init' do |vars|
describe 'version check' do
it 'should be reported as version '+vars['es_version'] do
expect(curl_json(es_api_url, username=username, password=password)['version']['number']).to eq(vars['es_version'])
end
end
describe 'xpack checks' do
if vars['es_enable_xpack']
it 'should be be running the xpack version' do
expect(curl_json("#{es_api_url}/_xpack", username=username, password=password)['tagline']).to eq('You know, for X')
end
it 'xpack should be activated' do
expect(curl_json("#{es_api_url}/_license", username=username, password=password)['license']['status']).to eq('active')
end
features = curl_json("#{es_api_url}/_xpack", username=username, password=password)
curl_json("#{es_api_url}/_xpack", username=username, password=password)['features'].each do |feature,values|
enabled = vars['es_xpack_features'].include? feature
status = if enabled then 'enabled' else 'disabled' end
it "the xpack feature '#{feature}' to be #{status}" do
expect(values['enabled'] = enabled)
end
end
# X-Pack is no longer installed as a plugin in elasticsearch
if vars['es_major_version'] == '5.x'
describe file('/usr/share/elasticsearch/plugins/x-pack') do
it { should be_directory }
it { should be_owned_by vars['es_user'] }
end
describe file("/etc/elasticsearch/#{vars['es_instance_name']}/x-pack") do
it { should be_directory }
it { should be_owned_by vars['es_user'] }
end
describe 'x-pack-core plugin' do
it 'should be installed with the correct version' do
plugins = curl_json("#{es_api_url}/_nodes/plugins", username=username, password=password)
node, data = plugins['nodes'].first
version = 'plugin not found'
name = 'x-pack'
data['plugins'].each do |plugin|
if plugin['name'] == name
version = plugin['version']
end
end
expect(version).to eql(vars['es_version'])
end
end
end
end
end
describe user(vars['es_user']) do
it { should exist }
it { should belong_to_group vars['es_group'] }
it { should have_uid vars['es_user_id'] } if vars.key?('es_user_id')
it { should have_login_shell family['shell'] }
its(:encrypted_password) { should eq(family['password']) }
end
describe package(vars['es_package_name']) do
it { should be_installed }
end
describe service("#{vars['es_instance_name']}_elasticsearch") do
it { should be_running }
end
describe port(vars['es_api_port']) do
it { should be_listening.with('tcp') }
end
if vars['es_templates']
describe file('/etc/elasticsearch/templates') do
it { should be_directory }
it { should be_owned_by vars['es_user'] }
end
describe file('/etc/elasticsearch/templates/basic.json') do
it { should be_file }
it { should be_owned_by vars['es_user'] }
end
#This is possibly subject to format changes in the response across versions so may fail in the future
describe 'Template Contents Correct' do
it 'should be reported as being installed', :retry => 3, :retry_wait => 10 do
template = curl_json("#{es_api_url}/_template/basic", username=username, password=password)
expect(template.key?('basic'))
expect(template['basic']['settings']['index']['number_of_shards']).to eq("1")
expect(template['basic']['mappings']['type1']['_source']['enabled']).to eq(false)
end
end
end
if vars['es_scripts']
describe file("/etc/elasticsearch/#{vars['es_instance_name']}/scripts") do
it { should be_directory }
it { should be_owned_by 'elasticsearch' }
end
describe file("/etc/elasticsearch/#{vars['es_instance_name']}/scripts/calculate-score.groovy") do
it { should be_file }
it { should be_owned_by 'elasticsearch' }
end
end
describe file('/etc/init.d/elasticsearch') do
it { should_not exist }
end
describe file(family['defaults_path']) do
its(:content) { should match '' }
end
describe file('/etc/elasticsearch/elasticsearch.yml') do
it { should_not exist }
end
describe file('/etc/elasticsearch/logging.yml') do
it { should_not exist }
end
if vars.key?('es_plugins')
vars['es_plugins'].each do |plugin|
name = plugin['plugin']
describe file('/usr/share/elasticsearch/plugins/'+name) do
it { should be_directory }
it { should be_owned_by vars['es_user'] }
end
it 'should be installed and the right version' do
plugins = curl_json("#{es_api_url}/_nodes/plugins", username=username, password=password)
version = nil
_node, data = plugins['nodes'].first
data['plugins'].each do |p|
version = p['version'] if p['name'] == name
end
expect(version).to eql(vars['es_version'])
end
end
end
describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do
it { should contain "node.name: localhost-#{vars['es_instance_name']}" }
it { should contain 'cluster.name: elasticsearch' }
if vars['es_major_version'] == '6.x'
it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" }
else
it { should contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" }
end
its(:content) { should match "path.data: #{vars['data_dirs'].join(',')}" }
its(:content) { should match "path.logs: /var/log/elasticsearch/localhost-#{vars['es_instance_name']}" }
end
end

26
ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/spec_helper.rb Normal file
View File

@ -0,0 +1,26 @@
require 'serverspec'
require 'net/http'
require 'json'
set :backend, :exec
require 'rspec/retry'
RSpec.configure do |config|
# show retry status in spec process
config.verbose_retry = true
# show exception that triggers a retry if verbose_retry is set to true
config.display_try_failure_messages = true
end
def curl_json(uri, username=nil, password=nil)
uri = URI(uri)
req = Net::HTTP::Get.new(uri)
if username && password
req.basic_auth username, password
end
res = Net::HTTP.start(uri.hostname, uri.port) {|http|
http.request(req)
}
return JSON.parse(res.body)
end

17
ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/xpack_spec.rb Normal file
View File

@ -0,0 +1,17 @@
require 'spec_helper'
shared_examples 'xpack::init' do |vars|
describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do
it { should contain "node.name: localhost-#{vars['es_instance_name']}" }
it { should contain 'cluster.name: elasticsearch' }
if vars['es_major_version'] == '6.x'
it { should_not contain 'path.conf: /etc/elasticsearch/security_node' }
else
it { should contain 'path.conf: /etc/elasticsearch/security_node' }
end
it { should contain "path.data: /var/lib/elasticsearch/localhost-#{vars['es_instance_name']}" }
it { should contain "path.logs: /var/log/elasticsearch/localhost-#{vars['es_instance_name']}" }
it { should contain 'xpack.security.enabled: false' }
it { should contain 'xpack.watcher.enabled: false' }
end
end

103
ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/xpack_upgrade_spec.rb Normal file
View File

@ -0,0 +1,103 @@
require 'spec_helper'
require 'json'
vars = JSON.parse(File.read('/tmp/vars.json'))
shared_examples 'xpack_upgrade::init' do |vars|
describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do
it { should contain "node.name: localhost-#{vars['es_instance_name']}" }
it { should contain 'cluster.name: elasticsearch' }
if vars['es_major_version'] == '6.x'
it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" }
else
it { should contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" }
end
it { should contain "path.data: /var/lib/elasticsearch/localhost-#{vars['es_instance_name']}" }
it { should contain "path.logs: /var/log/elasticsearch/localhost-#{vars['es_instance_name']}" }
end
#Test users file, users_roles and roles.yml
describe file("/etc/elasticsearch/#{vars['es_instance_name']}#{vars['es_xpack_conf_subdir']}/users_roles") do
it { should be_owned_by 'elasticsearch' }
it { should contain 'admin:es_admin' }
it { should contain 'power_user:testUser' }
end
describe file("/etc/elasticsearch/#{vars['es_instance_name']}#{vars['es_xpack_conf_subdir']}/users") do
it { should be_owned_by 'elasticsearch' }
it { should contain 'testUser:' }
it { should contain 'es_admin:' }
end
describe 'security roles' do
it 'should list the security roles' do
roles = curl_json('http://localhost:9200/_xpack/security/role', username='es_admin', password='changeMeAgain')
expect(roles.key?('superuser'))
end
end
describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do
it { should contain 'security.authc.realms.file1.order: 0' }
it { should contain 'security.authc.realms.file1.type: file' }
it { should contain 'security.authc.realms.native1.order: 1' }
it { should contain 'security.authc.realms.native1.type: native' }
end
#Test contents of role_mapping.yml
describe file("/etc/elasticsearch/#{vars['es_instance_name']}#{vars['es_xpack_conf_subdir']}/role_mapping.yml") do
it { should be_owned_by 'elasticsearch' }
it { should contain 'power_user:' }
it { should contain '- cn=admins,dc=example,dc=com' }
it { should contain 'user:' }
it { should contain '- cn=admins,dc=example,dc=com' }
end
#check accounts are correct i.e. we can auth and they have the correct roles
describe 'kibana4_server access check' do
it 'should be reported as version '+vars['es_version'] do
command = command('curl -s localhost:9200/ -u kibana4_server:changeMe | grep number')
expect(command.stdout).to match(vars['es_version'])
expect(command.exit_status).to eq(0)
end
end
describe 'security users' do
result = curl_json('http://localhost:9200/_xpack/security/user', username='elastic', password='elasticChanged')
it 'should have the elastic user' do
expect(result['elastic']['username']).to eq('elastic')
expect(result['elastic']['roles']).to eq(['superuser'])
expect(result['elastic']['enabled']).to eq(true)
end
it 'should have the kibana user' do
expect(result['kibana']['username']).to eq('kibana')
expect(result['kibana']['roles']).to eq(['kibana_system'])
expect(result['kibana']['enabled']).to eq(true)
end
it 'should have the kibana_server user' do
expect(result['kibana4_server']['username']).to eq('kibana4_server')
expect(result['kibana4_server']['roles']).to eq(['kibana4_server'])
expect(result['kibana4_server']['enabled']).to eq(true)
end
it 'should have the logstash user' do
expect(result['logstash_system']['username']).to eq('logstash_system')
expect(result['logstash_system']['roles']).to eq(['logstash_system'])
expect(result['logstash_system']['enabled']).to eq(true)
end
end
describe 'logstash_system access check' do
it 'should be reported as version '+vars['es_version'] do
command = command('curl -s localhost:9200/ -u logstash_system:aNewLogstashPassword | grep number')
expect(command.stdout).to match(vars['es_version'])
expect(command.exit_status).to eq(0)
end
end
if vars['es_major_version'] == '5.x' # kibana default password has been removed in 6.x
describe 'kibana access check' do
it 'should be reported as version '+vars['es_version'] do
result = curl_json('http://localhost:9200/', username='kibana', password='changeme')
expect(result['version']['number']).to eq(vars['es_version'])
end
end
end
end

50
ansible/roles/elastic.elasticsearch/test/integration/issue-test.yml Normal file
View File

@ -0,0 +1,50 @@
#This file is for users to test issues and reproduce them using the test framework.
#Modify the playbook below and test with kitchen i.e. `kitchen test issue-test`
#To add custom tests modify the serverspec file ./helpers/serverspec/issue_test_spec.rb
#Idempot test is enabled for this test
- name: Simple Example
hosts: localhost
post_tasks:
- include: elasticsearch/test/integration/debug.yml
roles:
- elasticsearch
vars:
es_instance_name: "security_node"
es_xpack_license: "{{ lookup('file', '/tmp/license.json') }}"
es_config:
xpack.security.enabled: True
xpack.security.authc.realms.file1.type: "file"
xpack.security.authc.realms.file1.order: 1
xpack.security.authc.realms.native1.type: "native"
xpack.security.authc.realms.native1.order: 0
es_heap_size: "1g"
es_enable_xpack: true
es_plugins:
- plugin: ingest-geoip
es_xpack_features:
- security
- alerting
es_api_basic_auth_username: elastic
es_api_basic_auth_password: changeme
es_users:
file:
test_user:
password: changeme
roles:
- kibana_system
native:
kibana:
password: changeme
roles:
- kibana_system
elastic:
password: aNewPassWord
es_roles:
native:
logstash:
cluster:
- manage_index_templates
logstash_system:
cluster:
- manage_index_templates

2
ansible/roles/elastic.elasticsearch/test/integration/issue-test/issue-test.yml Normal file
View File

@ -0,0 +1,2 @@
---
- host: test-kitchen

8
ansible/roles/elastic.elasticsearch/test/integration/issue-test/serverspec/default_spec.rb Normal file
View File

@ -0,0 +1,8 @@
require 'issue_test_spec'
require 'json'
vars = JSON.parse(File.read('/tmp/vars.json'))
describe 'Issue Test' do
include_examples 'issue_test::init', vars
end

51
ansible/roles/elastic.elasticsearch/test/integration/multi.yml Normal file
View File

@ -0,0 +1,51 @@
---
# Test ability to deploy multiple instances to a machine
- name: Elasticsearch Multi test - master on 9200
hosts: localhost
post_tasks:
- include: elasticsearch/test/integration/debug.yml
roles:
- elasticsearch
vars:
es_instance_name: "master"
es_data_dirs:
- "/opt/elasticsearch/master"
es_config:
discovery.zen.ping.unicast.hosts: "localhost:9300"
http.port: 9200
transport.tcp.port: 9300
node.data: false
node.master: true
bootstrap.memory_lock: true
es_enable_xpack: false
es_scripts: true
es_templates: true
es_heap_size: "1g"
es_api_port: 9200
es_plugins:
- plugin: ingest-geoip
- name: Elasticsearch Multi test - data on 9201
hosts: localhost
post_tasks:
- include: elasticsearch/test/integration/debug.yml
roles:
- elasticsearch
vars:
es_enable_xpack: false
es_scripts: true
es_templates: true
es_heap_size: "1g"
es_api_port: 9201
es_plugins:
- plugin: ingest-geoip
es_instance_name: "node1"
es_data_dirs:
- "/opt/elasticsearch/data-1"
- "/opt/elasticsearch/data-2"
es_config:
discovery.zen.ping.unicast.hosts: "localhost:9300"
http.port: 9201
transport.tcp.port: 9301
node.data: true
node.master: false

2
ansible/roles/elastic.elasticsearch/test/integration/multi/multi.yml Normal file
View File

@ -0,0 +1,2 @@
---
- host: test-kitchen

9
ansible/roles/elastic.elasticsearch/test/integration/multi/serverspec/default_spec.rb Normal file
View File

@ -0,0 +1,9 @@
require 'multi_spec'
require 'shared_spec'
require 'json'
vars = JSON.parse(File.read('/tmp/vars.json'))
describe 'Multi Tests' do
include_examples 'shared::init', vars
include_examples 'multi::init', vars
end

27
ansible/roles/elastic.elasticsearch/test/integration/oss-to-xpack-upgrade.yml Normal file
View File

@ -0,0 +1,27 @@
---
- name: Standard test for single node setup. Tests idempotence.
hosts: localhost
post_tasks:
- include: elasticsearch/test/integration/debug.yml
roles:
- elasticsearch
vars:
es_instance_name: "node1"
es_version: "{{ '6.2.4' if es_major_version == '6.x' else '5.6.9' }}" # This is set to an older version than the current default to force an upgrade
es_enable_xpack: false
es_heap_size: "1g"
- name: Standard test for single node setup. Tests idempotence.
hosts: localhost
post_tasks:
- include: elasticsearch/test/integration/debug.yml
roles:
- elasticsearch
vars:
es_instance_name: "node1"
es_enable_xpack: true
es_api_basic_auth_username: elastic
es_api_basic_auth_password: changeme
es_heap_size: "1g"
es_xpack_features:
- security

2
ansible/roles/elastic.elasticsearch/test/integration/oss-to-xpack-upgrade/oss-to-xpack-upgrade.yml Normal file
View File

@ -0,0 +1,2 @@
---
- host: test-kitchen

9
ansible/roles/elastic.elasticsearch/test/integration/oss-to-xpack-upgrade/serverspec/default_spec.rb Normal file
View File

@ -0,0 +1,9 @@
require 'oss_to_xpack_upgrade_spec'
require 'shared_spec'
require 'json'
vars = JSON.parse(File.read('/tmp/vars.json'))
describe 'oss to xpack upgrade Tests' do
include_examples 'shared::init', vars
include_examples 'oss_to_xpack_upgrade::init', vars
end

23
ansible/roles/elastic.elasticsearch/test/integration/oss-upgrade.yml Normal file
View File

@ -0,0 +1,23 @@
---
- name: Standard test for single node setup. Tests idempotence.
hosts: localhost
post_tasks:
- include: elasticsearch/test/integration/debug.yml
roles:
- elasticsearch
vars:
es_instance_name: "node1"
es_version: "{{ '6.2.4' if es_major_version == '6.x' else '5.6.9' }}" # This is set to an older version than the current default to force an upgrade
es_enable_xpack: false
es_heap_size: "1g"
- name: Standard test for single node setup. Tests idempotence.
hosts: localhost
post_tasks:
- include: elasticsearch/test/integration/debug.yml
roles:
- elasticsearch
vars:
es_instance_name: "node1"
es_enable_xpack: false
es_heap_size: "1g"

2
ansible/roles/elastic.elasticsearch/test/integration/oss-upgrade/oss-upgrade.yml Normal file
View File

@ -0,0 +1,2 @@
---
- host: test-kitchen

9
ansible/roles/elastic.elasticsearch/test/integration/oss-upgrade/serverspec/default_spec.rb Normal file
View File

@ -0,0 +1,9 @@
require 'oss_upgrade_spec'
require 'shared_spec'
require 'json'
vars = JSON.parse(File.read('/tmp/vars.json'))
describe 'oss upgrade Tests' do
include_examples 'oss_upgrade::init', vars
include_examples 'shared::init', vars
end

15
ansible/roles/elastic.elasticsearch/test/integration/oss.yml Normal file
View File

@ -0,0 +1,15 @@
---
- name: Standard test for single node setup. Tests idempotence.
hosts: localhost
post_tasks:
- include: elasticsearch/test/integration/debug.yml
roles:
- elasticsearch
vars:
es_instance_name: "node1"
es_enable_xpack: false
es_heap_size: "1g"
es_plugins:
- plugin: ingest-geoip
#Do not add tests here. This test is run twice and confirms idempotency.

2
ansible/roles/elastic.elasticsearch/test/integration/oss/oss.yml Normal file
View File

@ -0,0 +1,2 @@
---
- host: test-kitchen

12
ansible/roles/elastic.elasticsearch/test/integration/oss/serverspec/default_spec.rb Normal file
View File

@ -0,0 +1,12 @@
require 'oss_spec'
require 'shared_spec'
require 'json'
vars = JSON.parse(File.read('/tmp/vars.json'))
describe 'OSS Tests' do
include_examples 'oss::init', vars
include_examples 'shared::init', vars
end

166
ansible/roles/elastic.elasticsearch/test/integration/xpack-upgrade.yml Normal file
View File

@ -0,0 +1,166 @@
---
- name: Elasticsearch Xpack tests initial
hosts: localhost
post_tasks:
- include: elasticsearch/test/integration/debug.yml
roles:
- elasticsearch
vars:
es_instance_name: "node1"
es_api_port: 9200
es_config:
http.port: 9200
transport.tcp.port: 9300
discovery.zen.ping.unicast.hosts: "localhost:9300"
xpack.security.authc.realms.file1.type: "file"
xpack.security.authc.realms.file1.order: 0
xpack.security.authc.realms.native1.type: "native"
xpack.security.authc.realms.native1.order: 1
es_heap_size: "1g"
es_templates: true
es_version: "{{ '6.2.4' if es_major_version == '6.x' else '5.6.9' }}" # This is set to an older version than the current default to force an upgrade
es_enable_xpack: true
es_xpack_license: "{{ lookup('file', '/tmp/license.json') }}"
es_plugins:
- plugin: ingest-geoip
es_xpack_features:
- security
- alerting
es_api_basic_auth_username: elastic
es_api_basic_auth_password: changeme
es_message_auth_file: system_key
es_role_mapping:
power_user:
- "cn=admins,dc=example,dc=com"
user:
- "cn=users,dc=example,dc=com"
- "cn=admins,dc=example,dc=com"
es_users:
native:
kibana4_server:
password: changeMe
roles:
- kibana4_server
logstash_system:
#this should be successfully modified
password: aNewLogstashPassword
#this will be ignored
roles:
- kibana4_server
elastic:
password: elasticChanged
file:
es_admin:
password: changeMe
roles:
- admin
testUser:
password: changeMeAlso!
roles:
- power_user
- user
es_roles:
file:
admin:
cluster:
- all
indices:
- names: '*'
privileges:
- all
power_user:
cluster:
- monitor
indices:
- names: '*'
privileges:
- all
user:
indices:
- names: '*'
privileges:
- read
kibana4_server:
cluster:
- monitor
indices:
- names: '.kibana'
privileges:
- all
native:
logstash:
cluster:
- manage_index_templates
indices:
- names: 'logstash-*'
privileges:
- write
- delete
- create_index
#this will be ignored - its reserved
logstash_system:
cluster:
- manage_index_templates
indices:
- names: 'logstash-*'
privileges:
- write
- delete
- create_index
#modifies the installation. Changes es_admin password and upgrades ES. Tests confirm the correct version is installed.
- name: Elasticsearch Xpack modify
hosts: localhost
post_tasks:
- include: elasticsearch/test/integration/debug.yml
roles:
- elasticsearch
vars:
es_api_port: 9200
es_instance_name: "node1"
es_config:
http.port: 9200
transport.tcp.port: 9300
discovery.zen.ping.unicast.hosts: "localhost:9300"
xpack.security.enabled: True
xpack.security.authc.realms.file1.type: "file"
xpack.security.authc.realms.file1.order: 0
xpack.security.authc.realms.native1.type: "native"
xpack.security.authc.realms.native1.order: 1
es_heap_size: "1g"
es_templates: true
es_enable_xpack: true
es_xpack_license: "{{ lookup('file', '/tmp/license.json') }}"
es_plugins:
- plugin: ingest-attachment
es_xpack_features:
- security
- alerting
es_api_basic_auth_username: elastic
es_api_basic_auth_password: elasticChanged
es_role_mapping:
power_user:
- "cn=admins,dc=example,dc=com"
user:
- "cn=users,dc=example,dc=com"
- "cn=admins,dc=example,dc=com"
es_users:
native:
kibana4_server:
password: changeMe
roles:
- kibana4_server
logstash_system:
#this will be ignored
roles:
- kibana4_server
file:
es_admin:
password: changeMeAgain
roles:
- admin
testUser:
password: changeMeAlso!
roles:
- power_user
- user

9
ansible/roles/elastic.elasticsearch/test/integration/xpack-upgrade/serverspec/default_spec.rb Normal file
View File

@ -0,0 +1,9 @@
require 'xpack_upgrade_spec'
require 'shared_spec'
require 'json'
vars = JSON.parse(File.read('/tmp/vars.json'))
describe 'Xpack upgrade Tests' do
include_examples 'shared::init', vars
include_examples 'xpack_upgrade::init', vars
end

2
ansible/roles/elastic.elasticsearch/test/integration/xpack-upgrade/xpack-upgrade.yml Normal file
View File

@ -0,0 +1,2 @@
---
- host: test-kitchen

22
ansible/roles/elastic.elasticsearch/test/integration/xpack.yml Normal file
View File

@ -0,0 +1,22 @@
#Tests x-pack is idempotent and works when security is not enabled
---
- name: Elasticsearch Xpack tests - no security and manual download
hosts: localhost
post_tasks:
- include: elasticsearch/test/integration/debug.yml
roles:
- elasticsearch
vars:
es_api_port: 9200
es_instance_name: "node1"
es_config:
http.port: 9200
transport.tcp.port: 9300
discovery.zen.ping.unicast.hosts: "localhost:9300"
es_xpack_custom_url: "https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-{{ es_version }}.zip"
es_heap_size: 2g
es_enable_xpack: true
es_xpack_features:
- monitoring
- graph
- ml

9
ansible/roles/elastic.elasticsearch/test/integration/xpack/serverspec/default_spec.rb Normal file
View File

@ -0,0 +1,9 @@
require 'xpack_spec'
require 'shared_spec'
require 'json'
vars = JSON.parse(File.read('/tmp/vars.json'))
describe 'Xpack upgrade Tests' do
include_examples 'shared::init', vars
include_examples 'xpack::init', vars
end

2
ansible/roles/elastic.elasticsearch/test/integration/xpack/xpack.yml Normal file
View File

@ -0,0 +1,2 @@
---
- host: test-kitchen