Add Elastic Agent

fixes #47

Author: widhalmt

.github/workflows/molecule.yml

@@ -13,10 +13,10 @@ jobs:
     runs-on: ubuntu-latest
 
     strategy:
-      # max-parallel: 4
+      max-parallel: 4
       matrix:
         distro: [centos7, debian10, rockylinux8]
-        scenario: [default]
+        scenario: [default, agent]
 # disabling full stack until Elasticsearch issues are fixed
         #scenario: [default, full_stack]
 

README.md

@@ -15,6 +15,10 @@ You need to have Filebeat available in your software repositories. We provide a
 Role Variables
 --------------
 
+* *beats_agent*: Use Elastic Agent (Default: `false`)
+* *beats_fleet_token*: If you're not using `elastic_stack_full_stack` you have to set this to your Fleet server token when using `beats_agent`
+* *beats_fleet_server*: The inventory hostname (and DNS resolvable name) of the fleet server for this host
+
 * *filebeat_enable*: Automatically start Filebeat (Default: `true`)
 * *filebeat_output*: Set to `logstash` or `elasticsearch`. (default: `logstash`)
 * *filebeat_syslog_udp*: Use UDP Syslog input (Default: `false`)

defaults/main.yml

@@ -1,5 +1,6 @@
 ---
 # defaults file for beats
+beats_agent: false
 beats_filebeat: true
 filebeat_output: logstash
 beats_target_hosts:
@@ -37,6 +38,8 @@ filebeat_enable: true
 #filebeat_modules:
 #  - system
 
+beats_fleet_token_name: fleettoken
+
 elastic_stack_full_stack: false
 elasticsearch_http_security: false
 

molecule/agent/INSTALL.rst

@@ -0,0 +1,22 @@
+*******
+Docker driver installation guide
+*******
+
+Requirements
+============
+
+* Docker Engine
+
+Install
+=======
+
+Please refer to the `Virtual environment`_ documentation for installation best
+practices. If not using a virtual environment, please consider passing the
+widely recommended `'--user' flag`_ when invoking ``pip``.
+
+.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
+.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
+
+.. code-block:: bash
+
+    $ pip install 'molecule[docker]'

molecule/agent/converge.yml

@@ -0,0 +1,24 @@
+---
+# The workaround for arbitrarily named role directory is important because the
+# git repo has one name and the role within it another
+# Found at:
+# https://github.com/ansible-community/molecule/issues/1567#issuecomment-436876722
+- name: Converge
+  hosts: all
+  vars:
+    elastic_stack_full_stack: true
+    elasticsearch_http_security: true
+    beats_filebeat: false
+    beats_metricbeat: false
+    beats_agent: true
+    beats_fleet_server: beats-agent
+  tasks:
+    - name: "Include Elastics repos role"
+      include_role:
+        name: elastic-repos
+    - name: "Include Elasticsearch role"
+      include_role:
+        name: elasticsearch
+    - name: "Include Beats"
+      include_role:
+        name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"

molecule/agent/molecule.yml

@@ -0,0 +1,21 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: beats-agent
+    groups:
+      - elasticsearch
+      - logstash
+      - filebeat
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+verifier:
+  name: ansible

molecule/agent/prepare.yml

@@ -0,0 +1,17 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Install git
+      package:
+        name: git
+      when: ansible_os_family != "Debian"
+    - name: Install packages for Debian
+      apt:
+        name:
+          - git
+          - gpg
+          - procps
+          - curl
+        update_cache: yes
+      when: ansible_os_family == "Debian"

molecule/agent/requirements.yml

@@ -0,0 +1,7 @@
+---
+- name: elastic-repos
+  src: https://github.com/netways/ansible-role-elastic-repos
+  scm: git
+- name: elasticsearch
+  src: https://github.com/widhalmt/ansible-role-elasticsearch.git
+  scm: git

tasks/beats-agent.yml

@@ -0,0 +1,61 @@
+---
+
+- name: Check for requirements
+  fail:
+    msg: "Needs Token or full stack roles"
+  when:
+    - not elastic_stack_full_stack | bool
+    - beats_fleet_token is undefined
+
+- name: Install Elastic Agent
+  package:
+    name: elastic-agent
+
+- name: Generate Fleet Token
+  block:
+
+    - name: Generate Token
+      shell: >
+        /usr/share/elasticsearch/bin/elasticsearch-service-tokens
+        create
+        elastic/fleet-server
+        {{ beats_fleet_token_name }} >
+        /usr/share/elasticsearch/token-{{ beats_fleet_token_name }}
+      args:
+        creates: "/usr/share/elasticsearch/token-{{ beats_fleet_token_name }}"
+
+    - name: Secure access to token
+      file:
+        path: /usr/share/elasticsearch/token-{{ beats_fleet_token_name }}
+        owner: root
+        group: root
+        mode: 0600
+
+    - name: Read token
+      shell: >
+        grep ^SERVICE_TOKEN
+        /usr/share/elasticsearch/token-{{ beats_fleet_token_name }} |
+        cut -d= -f2
+      changed_when: false
+      register: read_token
+
+    - name: Use token as fact
+      set_fact:
+        beats_fleet_token: "{{ read_token.stdout }}"
+
+  when: elastic_stack_full_stack | bool
+  delegate_to: "{{ elasticsearch_ca }}"
+
+- name: Setup fleet server
+  block:
+
+    - name: Run fleet server setup
+      command: >
+        elastic-agent
+        enroll
+        --insecure
+        "--fleet-server-service-token={{ beats_fleet_token }}"
+        --fleet-server-es-ca=/etc/beats/certs/ca.crt
+        -f --fleet-server-es=https://{{ elasticsearch_ca }}:9200
+
+  when: ansible_hostname == beats_fleet_server

tasks/main.yml

@@ -18,5 +18,8 @@
 - import_tasks: beats-security.yml
   when: elasticsearch_http_security | bool
 
+- import_tasks: beats-agent.yml
+  when: beats_agent | bool
+
 - import_tasks: filebeat.yml
   when: beats_filebeat | bool