Install OSQuery and Kolide fleet
################################
:tags: openstack, ansible

Table of Contents
=================

* `About this repository`_
* `OpenStack-Ansible Integration`_
* `TODO`_


About this repository
---------------------

This set of playbooks will deploy osquery and Kolide Fleet. If this is being
deployed as part of an OpenStack-Ansible deployment, all of the inventory it
needs is provided for you.


**These playbooks require Ansible 2.4+.**

High-level overview of the Osquery & Kolide Fleet infrastructure these
playbooks will build and operate against.

.. image:: assets/place-holder.svg
    :scale: 50 %
    :alt: Osquery & Kolide Fleet Architecture Diagram
    :align: center

OpenStack-Ansible Integration
-----------------------------

These playbooks can be used as standalone inventory or as an integrated part of
an OpenStack-Ansible deployment. For a simple example of standalone inventory,
see ``inventory.example.yml``.

Setup | system configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Clone the openstack-ansible-ops repo, which contains the osquery playbooks

.. code-block:: bash

    cd /opt
    git clone https://github.com/openstack/openstack-ansible-ops

Copy the env.d file into place

.. code-block:: bash

    cd /opt/openstack-ansible-ops/osquery
    cp env.d/fleet.yml /etc/openstack_deploy/env.d/

Copy the conf.d file into place

.. code-block:: bash

    cp conf.d/fleet.yml /etc/openstack_deploy/conf.d/

In **fleet.yml**, list the hosts that should run a Kolide Fleet container under
`fleet_hosts`: several hosts to create a Kolide Fleet cluster spread over
multiple containers, or a single logging host to create one fleet container.

.. code-block:: bash

    vi /etc/openstack_deploy/conf.d/fleet.yml

Create the containers

.. code-block:: bash

   cd /opt/openstack-ansible/playbooks
   openstack-ansible lxc-containers-create.yml -e 'container_group=fleet'


Update the `/etc/hosts` entries for the new containers

.. code-block:: bash

   cd /opt/openstack-ansible/playbooks
   openstack-ansible openstack-hosts-setup.yml -e 'container_group=fleet'



Create an haproxy entry for the Kolide Fleet service on port 8443. Append
``haproxy.example`` only once; running the append a second time leaves duplicate
keys in ``user_variables.yml``.

.. code-block:: bash

    cd /opt/openstack-ansible-ops/osquery
    cat haproxy.example  >> /etc/openstack_deploy/user_variables.yml

    cd /opt/openstack-ansible/playbooks/
    openstack-ansible haproxy-install.yml --tags=haproxy-service-config
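
The setup steps above, collected into two idempotent shell functions so that a
re-run does not clobber an edited ``conf.d/fleet.yml`` or append the haproxy
entry twice. This is an added example and not code from openstack-ansible-ops;
the directory defaults are the ones used on this page, while the marker comment
and the function names are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example (not part of openstack-ansible-ops): the OSA integration steps
# from the page as two idempotent functions. Directory defaults match the page;
# the marker line and the function names are this example's own assumptions.
set -eu

OPS_ROOT="${OPS_ROOT:-/opt/openstack-ansible-ops}"
OSA_ROOT="${OSA_ROOT:-/opt/openstack-ansible}"
DEPLOY_DIR="${DEPLOY_DIR:-/etc/openstack_deploy}"
MARKER='# osquery-ops: kolide fleet haproxy entry (added by fleet_osa_build)'

# Append file "$src" to "$dst" exactly once. A plain `cat >>` run a second
# time would leave duplicate keys in user_variables.yml; the marker line lets a
# re-run detect the earlier append and skip it.
append_once() {
  local src="$1" dst="$2"
  if [ -f "$dst" ] && grep -qF -- "$MARKER" "$dst"; then
    return 0
  fi
  { printf '%s\n' "$MARKER"; cat "$src"; } >> "$dst"
}

# Number of marker lines in "$1" (0 when the file does not exist).
marker_count() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -cF -- "$MARKER" "$1" || true
}

# Stage 1: fetch the ops repo and copy the env.d/conf.d definitions. Existing
# copies are kept so an operator's edits to conf.d/fleet.yml survive a re-run.
fleet_osa_stage_config() {
  [ -d "$OPS_ROOT/osquery" ] || git clone https://github.com/openstack/openstack-ansible-ops "$OPS_ROOT"
  for kind in env.d conf.d; do
    [ -f "$DEPLOY_DIR/$kind/fleet.yml" ] || cp "$OPS_ROOT/osquery/$kind/fleet.yml" "$DEPLOY_DIR/$kind/fleet.yml"
  done
  echo "edit $DEPLOY_DIR/conf.d/fleet.yml (fleet_hosts) before running fleet_osa_build"
}

# Stage 2: create the containers, update /etc/hosts and add the haproxy entry.
fleet_osa_build() {
  cd "$OSA_ROOT/playbooks"
  openstack-ansible lxc-containers-create.yml -e 'container_group=fleet'
  openstack-ansible openstack-hosts-setup.yml -e 'container_group=fleet'
  append_once "$OPS_ROOT/osquery/haproxy.example" "$DEPLOY_DIR/user_variables.yml"
  openstack-ansible haproxy-install.yml --tags=haproxy-service-config
}
```

Source the file on the deploy host, run ``fleet_osa_stage_config``, edit
``conf.d/fleet.yml``, then run ``fleet_osa_build``. Only ``append_once`` and
``marker_count`` touch files directly, so they can be exercised on a scratch
directory before anything is run against a real deployment.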


Deploying | Installing with embedded Ansible
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If this is being executed on a system that already has an Ansible version
installed that is incompatible with these playbooks, the script
`bootstrap-embedded-ansible.sh` can be sourced to provide an embedded version of
Ansible before executing the playbooks.

.. code-block:: bash

    source bootstrap-embedded-ansible.sh


Deploying | Manually resolving the dependencies
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This playbook has external role dependencies. If Ansible is not installed with
the `bootstrap-ansible.sh` script these dependencies can be resolved with the
``ansible-galaxy`` command and the ``ansible-role-requirements.yml`` file.

* Example galaxy execution

.. code-block:: bash

    ansible-galaxy install -r ansible-role-requirements.yml


In the event that some of the roles are already installed, execute the following

.. code-block:: bash

    ansible-galaxy install -r ansible-role-requirements.yml --ignore-errors


Once the dependencies are set make sure to set the action plugin path to the
location of the config_template action directory. This can be done using the
environment variable `ANSIBLE_ACTION_PLUGINS` or through the use of an
`ansible.cfg` file.
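
One way to resolve the dependencies and point ``ANSIBLE_ACTION_PLUGINS`` at the
config_template action directory, wherever ``ansible-galaxy`` installed the
role. This is an added example and not part of openstack-ansible-ops; the
default roles path and the plugin file name ``config_template.py`` are
assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example (not from openstack-ansible-ops): resolve the galaxy role
# dependencies, then locate the config_template action plugin and export its
# directory as ANSIBLE_ACTION_PLUGINS. The roles path default and the plugin
# file name (action/config_template.py) are assumptions of this example.
set -eu

ROLES_PATH="${ANSIBLE_ROLES_PATH:-/etc/ansible/roles}"

# Print the directory holding the config_template action plugin under a roles
# path, or return 1 if it cannot be found. Searching for the plugin file rather
# than a role directory name keeps this independent of how the role was named
# in ansible-role-requirements.yml.
find_config_template_action_dir() {
  local roles_path="$1" plugin
  plugin=$(find "$roles_path" -type f -path '*/action/config_template.py' -print -quit 2>/dev/null || true)
  [ -n "$plugin" ] || return 1
  dirname "$plugin"
}

# Install the roles (tolerating ones already present) and export the plugin
# path for the ansible-playbook runs that follow in the same shell.
resolve_dependencies() {
  ansible-galaxy install -r ansible-role-requirements.yml --ignore-errors
  ANSIBLE_ACTION_PLUGINS="$(find_config_template_action_dir "$ROLES_PATH")"
  export ANSIBLE_ACTION_PLUGINS
  echo "ANSIBLE_ACTION_PLUGINS=$ANSIBLE_ACTION_PLUGINS"
}
```

Source the file and call ``resolve_dependencies`` from the osquery directory;
an ``ansible.cfg`` with ``action_plugins = <that directory>`` in its
``[defaults]`` section is the equivalent persistent setting.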


Deploying | The environment
^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deploy the Kolide Fleet server into the fleet containers and osquery onto the
managed hosts.

.. code-block:: bash

    cd /opt/openstack-ansible-ops/osquery
    ansible-playbook site.yml $USER_VARS


* The `openstack-ansible` command can be used if the version of ansible on the
  system is greater than **2.5**. This will automatically pick up the necessary
  group_vars for hosts in an OSA deployment.

* If required add ``-e@/opt/openstack-ansible/inventory/group_vars/all/all.yml``
  to import sufficient OSA group variables to define the OpenStack release.
  Journalbeat will then deploy onto all hosts/containers for releases prior to
  Rocky, and hosts only for Rocky onwards. If the variable ``openstack_release``
  is undefined the default behaviour is to deploy Journalbeat to hosts only.

* Alternatively if using the embedded ansible, create a symlink to include all
  of the OSA group_vars. These are not available by default with the embedded
  ansible and can be symlinked into the ops repo.

.. code-block:: bash

    ln -s /opt/openstack-ansible/inventory/group_vars /opt/openstack-ansible-ops/osquery/group_vars


The individual playbooks found within this repository can be independently run
at any time.

Architecture | Data flow
^^^^^^^^^^^^^^^^^^^^^^^^

This diagram outlines the data flow within a Kolide Fleet and osquery deployment.

.. image:: assets/place-holder.svg
    :scale: 50 %
    :alt: Kolide & Osquery Data Flow Diagram
    :align: center

TODO
----
The following is a list of open items.
 - [ ] Test Red Hat family operating systems
 - [ ] missing MariaDB cluster support (should work, but needs additional vars)
 - [ ] use haproxy instead of the Kolide Fleet server IP
 - [ ] add/update tags
 - [ ] add testing