Add Elastic Agent

.github/workflows/molecule.yml

@@ -15,10 +15,13 @@ jobs:
     strategy:
       max-parallel: 4
       matrix:
-        distro: [centos7, debian10, rockylinux8]
-        scenario: [default, peculiar]
-# disabling full stack until Elasticsearch issues are fixed
-        #scenario: [default, full_stack]
+        distro: [centos7]
+        # disabling other distros due to bug in Elasticsearch
+        #distro: [centos7, debian10, rockylinux8]
+        scenario: [default, peculiar, agent]
+        # See https://github.com/NETWAYS/ansible-role-logstash/issues/139
+        # before re-enabling full_stack
+        #scenario: [default, peculiar, agent, full_stack]
 
     steps:
       - name: Check out code

README.md

@@ -15,6 +15,10 @@ You need to have Filebeat available in your software repositories. We provide a
 Role Variables
 --------------
 
+* *beats_agent*: Use Elastic Agent (Default: `false`)
+* *beats_fleet_token*: If you're not using `elastic_stack_full_stack` you have to set this to your Fleet server token when using `beats_agent`
+* *beats_fleet_server*: The inventory hostname (and DNS resolvable name) of the fleet server for this host
+
 * *beats_filebeat*: Install and manage filebeat (Default: `true`)
 * *beats_filebeat_version*: Install specific version (Default: none. Possible values: e.g. ``-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems or `latest`)
 * *filebeat_enable*: Automatically start Filebeat (Default: `true`)

defaults/main.yml

@@ -1,5 +1,6 @@
 ---
 # defaults file for beats
+beats_agent: false
 beats_security: false
 beats_filebeat: true
 beats_auditbeat: false
@@ -44,6 +45,8 @@ filebeat_mysql_slowlog_input: false
 #filebeat_modules:
 #  - system
 
+beats_fleet_token_name: fleettoken
+
 auditbeat_setup: true
 auditbeat_enable: true
 auditbeat_output: elasticsearch

molecule/agent/converge.yml

@@ -0,0 +1,23 @@
+---
+# The workaround for arbitrarily named role directory is important because the
+# git repo has one name and the role within it another
+# Found at:
+# https://github.com/ansible-community/molecule/issues/1567#issuecomment-436876722
+- name: Converge
+  hosts: all
+  vars:
+    elastic_stack_full_stack: true
+    beats_filebeat: false
+    beats_metricbeat: false
+    beats_agent: true
+    beats_fleet_server: beats-agent
+  tasks:
+    - name: "Include Elastics repos role"
+      include_role:
+        name: elastic-repos
+    - name: "Include Elasticsearch role"
+      include_role:
+        name: elasticsearch
+    - name: "Include Beats"
+      include_role:
+        name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"

molecule/agent/molecule.yml

@@ -0,0 +1,21 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: beats-agent
+    groups:
+      - elasticsearch
+      - logstash
+      - filebeat
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    #volumes:
+    #  - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+verifier:
+  name: ansible

molecule/agent/prepare.yml

@@ -0,0 +1,17 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Install git
+      package:
+        name: git
+      when: ansible_os_family != "Debian"
+    - name: Install packages for Debian
+      apt:
+        name:
+          - git
+          - gpg
+          - procps
+          - curl
+        update_cache: yes
+      when: ansible_os_family == "Debian"

molecule/agent/requirements.yml

@@ -0,0 +1,7 @@
+---
+- name: elastic-repos
+  src: https://github.com/netways/ansible-role-elastic-repos
+  scm: git
+- name: elasticsearch
+  src: https://github.com/widhalmt/ansible-role-elasticsearch.git
+  scm: git

molecule/default/molecule.yml

@@ -7,8 +7,8 @@ platforms:
   - name: beats_default_${MOLECULE_DISTRO:-centos7}
     image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
     command: ${MOLECULE_DOCKER_COMMAND:-""}
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    #volumes:
+    #  - /sys/fs/cgroup:/sys/fs/cgroup:ro
     privileged: true
     pre_build_image: true
 provisioner:

molecule/full_stack/molecule.yml

@@ -11,8 +11,8 @@ platforms:
       - filebeat
     image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
     command: ${MOLECULE_DOCKER_COMMAND:-""}
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    #volumes:
+    #  - /sys/fs/cgroup:/sys/fs/cgroup:ro
     privileged: true
     pre_build_image: true
 provisioner:

molecule/peculiar/molecule.yml

@@ -7,8 +7,8 @@ platforms:
   - name: beats_peculiar_${MOLECULE_DISTRO:-centos7}
     image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
     command: ${MOLECULE_DOCKER_COMMAND:-""}
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    #volumes:
+    #  - /sys/fs/cgroup:/sys/fs/cgroup:ro
     privileged: true
     pre_build_image: true
 provisioner:

tasks/beats-agent.yml

@@ -0,0 +1,62 @@
+---
+
+- name: Check for requirements
+  fail:
+    msg: "Needs Token or full stack roles"
+  when:
+    - not elastic_stack_full_stack | bool
+    - beats_fleet_token is undefined
+
+- name: Install Elastic Agent
+  package:
+    name: elastic-agent
+
+- name: Generate Fleet Token
+  block:
+
+    - name: Generate Token
+      shell: >
+        /usr/share/elasticsearch/bin/elasticsearch-service-tokens
+        create
+        elastic/fleet-server
+        {{ beats_fleet_token_name }} >
+        /usr/share/elasticsearch/token-{{ beats_fleet_token_name }}
+      args:
+        creates: "/usr/share/elasticsearch/token-{{ beats_fleet_token_name }}"
+
+    - name: Secure access to token
+      file:
+        path: /usr/share/elasticsearch/token-{{ beats_fleet_token_name }}
+        owner: root
+        group: root
+        mode: 0600
+
+    - name: Read token
+      shell: >
+        grep ^SERVICE_TOKEN
+        /usr/share/elasticsearch/token-{{ beats_fleet_token_name }} |
+        cut -d= -f2
+      changed_when: false
+      register: read_token
+
+    - name: Use token as fact
+      set_fact:
+        beats_fleet_token: "{{ read_token.stdout }}"
+
+  when: elastic_stack_full_stack | bool
+  delegate_to: "{{ elasticsearch_ca }}"
+
+- name: Setup fleet server
+  block:
+
+    - name: Run fleet server setup
+      command: >
+        elastic-agent
+        enroll
+        --insecure
+        "--fleet-server-service-token={{ beats_fleet_token }}"
+        --fleet-server-es-ca=/etc/beats/certs/ca.crt
+        -f --fleet-server-es=https://{{ elasticsearch_ca }}:9200
+      changed_when: false
+
+  when: ansible_hostname == beats_fleet_server

tasks/main.yml

@@ -58,6 +58,9 @@
   - elastic_stack_full_stack | bool
   - elastic_variant == "elastic"
 
+- import_tasks: beats-agent.yml
+  when: beats_agent | bool
+
 - import_tasks: filebeat.yml
   when: beats_filebeat | bool