Merge pull request #759 from jmpsec/fix-cicd-single-yaml

Adapt creation of deb packages to single YAML configuration

Author: javuto

deploy/cicd/deb/deb-conffiles

@@ -1,2 +1,2 @@
-/opt/osctrl/config/{{ OSCTRL_COMPONENT }}.json
+/opt/osctrl/config/{{ OSCTRL_COMPONENT }}.yml
 /etc/systemd/system/osctrl-{{ OSCTRL_COMPONENT }}.service

deploy/cicd/deb/generate-deb-package.sh

@@ -34,12 +34,9 @@ cp deploy/cicd/deb/deb-conffiles "${DEB_DIR}/DEBIAN/conffiles" && \
     sed -i "s#{{ OSCTRL_COMPONENT }}#${OSCTRL_COMPONENT}#g" "${DEB_DIR}/DEBIAN/conffiles"
 
 
-# Example configs
-cp deploy/config/db.json "${DEB_DIR}/tmp/osctrl-${OSCTRL_COMPONENT}/db.json.example" && \
-    chmod 640 "${DEB_DIR}/tmp/osctrl-${OSCTRL_COMPONENT}/db.json.example"
-
-cp deploy/config/redis.json "${DEB_DIR}/tmp/osctrl-${OSCTRL_COMPONENT}/redis.json.example" && \
-    chmod 640 "${DEB_DIR}/tmp/osctrl-${OSCTRL_COMPONENT}/redis.json.example"
+# Example configuration
+cp deploy/config/${OSCTRL_COMPONENT}.yml "${DEB_DIR}/tmp/osctrl-${OSCTRL_COMPONENT}/${OSCTRL_COMPONENT}.yml.example" && \
+    chmod 640 "${DEB_DIR}/tmp/osctrl-${OSCTRL_COMPONENT}/${OSCTRL_COMPONENT}.yml.example"
 
 
 # General components content
@@ -52,31 +49,7 @@ cp deploy/config/service.json "${DEB_DIR}/opt/osctrl/config/${OSCTRL_COMPONENT}.
 # Generate systemd config file
 EXECSTART="/opt/osctrl/bin/osctrl-${OSCTRL_COMPONENT} \\
     --config \\
-    --config-file /opt/osctrl/config/${OSCTRL_COMPONENT}.json \\
-    --redis \\
-    --redis-file /opt/osctrl/config/redis.json \\
-    --db \\
-    --db-file /opt/osctrl/config/db.json"
-
-if [ "$OSCTRL_COMPONENT" == "admin" ]
-then
-    ADMIN_ARGS=" \\
-    --jwt \\
-    --jwt-file /opt/osctrl/config/jwt.json \\
-    --carved /opt/osctrl/carves \\
-    --templates /opt/osctrl/tmpl_admin \\
-    --static /opt/osctrl/static \\
-    --osquery-tables /opt/osctrl/data/osquery-${OSQUERY_VERSION}.json"
-    EXECSTART+=${ADMIN_ARGS}
-fi
-
-if [ "$OSCTRL_COMPONENT" == "api" ]
-then
-    API_ARGS=" \\
-    --jwt \\
-    --jwt-file /opt/osctrl/config/jwt.json"
-    EXECSTART+=${API_ARGS}
-fi
+    --config-file /opt/osctrl/config/${OSCTRL_COMPONENT}.yml"
 
 cat > "${DEB_DIR}/etc/systemd/system/osctrl-${OSCTRL_COMPONENT}.service" << EOF
 [Unit]
@@ -116,29 +89,14 @@ then
     mkdir -p "${DEB_DIR}/opt/osctrl/static"
     mkdir -p "${DEB_DIR}/opt/osctrl/tmpl_admin"
 
-    # Copy configs
-    cp deploy/config/jwt.json "${DEB_DIR}/opt/osctrl/config/jwt.json" && \
-        chmod 640 "${DEB_DIR}/opt/osctrl/config/jwt.json"
-
-    # Copy Osctrl-admin web assets
+    # Copy osctrl-admin web assets
     cp -r cmd/admin/templates "${DEB_DIR}/opt/osctrl/tmpl_admin"
     cp -r cmd/admin/static "${DEB_DIR}/opt/osctrl/static"
 
     # Copy osquery schema
     cp deploy/osquery/data/${OSQUERY_VERSION}.json "${DEB_DIR}/opt/osctrl/data/osquery-${OSQUERY_VERSION}.json"
 
     # Define conffiles
-    echo "/opt/osctrl/config/jwt.json" >> "${DEB_DIR}/DEBIAN/conffiles"
     echo "/opt/osctrl/data/osquery-${OSQUERY_VERSION}.json" >> "${DEB_DIR}/DEBIAN/conffiles"
 
 fi
-
-if [ "$OSCTRL_COMPONENT" == "api" ]
-then
-    # Copy configs
-    cp deploy/config/jwt.json "${DEB_DIR}/opt/osctrl/config/jwt.json" && \
-        chmod 640 "${DEB_DIR}/opt/osctrl/config/jwt.json"
-
-    # Define conffiles
-    echo "/opt/osctrl/config/jwt.json" >> "${DEB_DIR}/DEBIAN/conffiles"
-fi

deploy/cicd/deb/pre-install.sh

@@ -28,18 +28,13 @@ then
     chown root:osctrl -R /opt/osctrl/config
 fi
 
-################### Copy needed configs ###################
-if [ ! -f /opt/osctrl/config/db.json ]
+################### Copy needed configuration ###################
+if [ ! -f /opt/osctrl/config/{{ OSCTRL_COMPONENT }}.yml ]
 then
-    cp /tmp/osctrl-{{ OSCTRL_COMPONENT }}/db.json.example /opt/osctrl/config/db.json
-    chown root:root /opt/osctrl/config/db.json.example
+    cp /tmp/osctrl-{{ OSCTRL_COMPONENT }}/{{ OSCTRL_COMPONENT }}.yml.example /opt/osctrl/config/{{ OSCTRL_COMPONENT }}.yml
+    chown root:root /opt/osctrl/config/{{ OSCTRL_COMPONENT }}.yml
 fi
 
-if [ ! -f /opt/osctrl/config/redis.json ]
-then
-    cp /tmp/osctrl-{{ OSCTRL_COMPONENT }}/redis.json.example /opt/osctrl/config/redis.json
-    chown root:root /opt/osctrl/config/redis.json.example
-fi
 rm -rd /tmp/osctrl-{{ OSCTRL_COMPONENT }}
 
 ################### osctrl-admin web assets ###################

deploy/config/admin.yml

@@ -0,0 +1,167 @@
+# YAML configuration for osctrl-admin
+
+service:
+  listener: 0.0.0.0
+  port: 9000
+  # Valid values: "debug", "info", "warn", "error"
+  logLevel: info
+  # Valid values: "json", "console"
+  logFormat: json
+  host: 0.0.0.0
+  # Valid values: "none", "json", "db", "saml", "oidc", "oauth"
+  auth: none
+  auditLog: false
+
+# Database configuration
+db:
+  type: postgres
+  host: 127.0.0.1
+  port: 5432
+  name: osctrl
+  username: postgres
+  password: postgres
+  sslmode: disable
+  maxIdleConns: 20
+  maxOpenConns: 100
+  connMaxLifetime: 30
+  connRetry: 10
+  filePath: ./osctrl.db
+
+# Redis cache configuration
+redis:
+  host: 127.0.0.1
+  port: 6379
+  password: ""
+  connectionString: ""
+  db: 0
+  connRetry: 10
+
+# Osquery nodes configuration
+osquery:
+  version: 5.20.0
+  tablesFile: data/5.20.0.json
+  logger: true
+  config: true
+  query: true
+  carve: true
+
+# Osctrl daemon configuration
+osctrld:
+  enabled: false
+
+# SAML authentication configuration
+saml:
+  certPath: ""
+  keyPath: ""
+  metadataUrl: ""
+  rootUrl: ""
+  loginUrl: ""
+  logoutUrl: ""
+  jitProvision: false
+  spInitiated: false
+
+# JWT authentication configuration
+jwt:
+  jwtSecret: ""
+  hoursToExpire: 3
+
+# TLS termination configuration
+tls:
+  termination: false
+  certificateFile: config/tls.crt
+  keyFile: config/tls.key
+
+# Logger configuration to handle received logs from osquery nodes
+logger:
+  # Valid values: "none", "stdout", "file", "db", "graylog", "splunk", "logstash", "kinesis", "s3", "kafka", "elastic"
+  type: db
+  loggerDBSame: false
+  alwaysLog: false
+  db:
+    type: ""
+    host: ""
+    port: 0
+    name: ""
+    username: ""
+    password: ""
+    sslmode: ""
+    maxIdleConns: 0
+    maxOpenConns: 0
+    connMaxLifetime: 0
+    connRetry: 0
+    filePath: ""
+  s3:
+    bucket: ""
+    region: ""
+    accessKey: ""
+    secretAccessKey: ""
+  graylog:
+    url: ""
+    host: ""
+    queries: ""
+    status: ""
+    results: ""
+  elastic:
+    host: ""
+    port: ""
+    indexPrefix: ""
+    dateSeparator: ""
+    indexSeparator: ""
+  splunk:
+    url: ""
+    token: ""
+    host: ""
+    index: ""
+  logstash:
+    host: ""
+    port: ""
+    protocol: ""
+    path: ""
+  kinesis:
+    stream: ""
+    region: ""
+    endpoint: ""
+    accessKey: ""
+    secretKey: ""
+    sessionToken: ""
+  kafka:
+    bootstrapServers: ""
+    sslCALocation: ""
+    connectionTimeout: 0s
+    sasl:
+      mechanism: ""
+      username: ""
+      password: ""
+    topic: ""
+  local:
+    filePath: ""
+    maxSize: 0
+    maxBackups: 0
+    maxAge: 0
+    compress: false
+
+# Carver configuration to handle file carves from osquery nodes
+carver:
+  # Valid values: "none", "local", "db", "s3"
+  type: db
+  s3:
+    bucket: ""
+    region: ""
+    accessKey: ""
+    secretAccessKey: ""
+  local:
+    carvesDir: ./carved_files/
+
+admin:
+  sessionKey: ""
+  staticDir: ./static
+  keyFile: false
+  templatesDir: ./tmpl_admin
+  brandingImage: ./static/img/brand.png
+  backgroundImage: ./static/img/circuit.svg
+
+# Debug configuration
+debug:
+  enableHttp: false
+  httpFile: debug-http-admin.log
+  showBody: false

deploy/config/api.yml

@@ -0,0 +1,77 @@
+# YAML configuration for osctrl-api
+
+service:
+  listener: 0.0.0.0
+  port: 9000
+  # Valid values: "debug", "info", "warn", "error"
+  logLevel: info
+  # Valid values: "json", "console"
+  logFormat: json
+  host: 0.0.0.0
+  auth: none
+  auditLog: false
+
+# Database configuration
+db:
+  type: postgres
+  host: 127.0.0.1
+  port: 5432
+  name: osctrl
+  username: postgres
+  password: postgres
+  sslmode: disable
+  maxIdleConns: 20
+  maxOpenConns: 100
+  connMaxLifetime: 30
+  connRetry: 10
+  filePath: ./osctrl.db
+
+# Redis cache configuration
+redis:
+  host: 127.0.0.1
+  port: 6379
+  password: ""
+  connectionString: ""
+  db: 0
+  connRetry: 10
+
+# Osquery nodes configuration
+osquery:
+  version: 5.20.0
+  tablesFile: data/5.20.0.json
+  logger: true
+  config: true
+  query: true
+  carve: true
+
+# JWT authentication configuration
+jwt:
+  jwtSecret: ""
+  hoursToExpire: 3
+
+# TLS termination  configuration
+tls:
+  termination: false
+  certificateFile: config/tls.crt
+  keyFile: config/tls.key
+
+# Logger configuration to handle received logs from osquery nodes
+logger:
+  type: db
+  loggerDBSame: false
+  alwaysLog: false
+  db: null
+  s3: null
+  graylog: null
+  elastic: null
+  splunk: null
+  logstash: null
+  kinesis: null
+  kafka: null
+  local: null
+
+# Debug configuration
+debug:
+  enableHttp: false
+  httpFile: debug-http-api.log
+  showBody: false