Changing the key-value pair

pki: tls|none to tls: true|false in the remote input (server) and the forwards output (client). Use jinja builtin tests, true and false in selectattr.
linux-system-roles · Aug 15, 2020 · 1284609 · 1284609
1 parent 70ec7a5
commit 1284609
Show file tree

Hide file tree

Showing 11 changed files with 33 additions and 27 deletions.
diff --git a/README.md b/README.md
@@ -115,11 +115,13 @@ This is a schematic logging configuration to show log messages from input_nameA
   **available options**
   - `udp_ports`: List of UDP port numbers to listen. Default to `514`.
   - `tcp_ports`: List of TCP port numbers to listen. Default to `514`.
-  - `pki`: Set to `tls` to use the `tls` enabled connection. Default to None.
+  - `tls`: Set to `true` to encrypt the connection using the default TLS implementation used by the provider. Default to `false`.
   - `pki_authmode`: Specifying the default network driver authentication mode. `x509/name`, `x509/fingerprint`, `anon` is accepted. Default to `x509/name`.
   - `permitted_clients`: List of hostnames, IP addresses, fingerprints(sha1), and wildcard DNS domains which will be allowed by the `logging` server to connect and send logs over TLS. Default to `['*.{{ logging_domain }}']`
 
-  There are 3 type of items in the remote type - udp, plain tcp and tls tcp. The udp type contains `udp_ports`; the plain tcp type contains `tcp_ports` but no `pki: tls`; the tls tcp type contains tcp_ports as well as `pki: tls`. Please note that it is not allowed for them to be conflicted. I.e., if there are 2 udp type items, it fails to deploy.
+  There are 3 type of items in the remote type - udp, plain tcp and tls tcp. The udp type contains `udp_ports`; the plain tcp type contains `tcp_ports` but no `tls: true`; the tls tcp type contains tcp_ports as well as `tls: true`. Please note that it is not allowed for them to be conflicted. I.e., if there are 2 udp type items, it fails to deploy.
+
+  Sample valid configuration
   ```
   - name: remote_udp
     type: remote
@@ -130,7 +132,7 @@ This is a schematic logging configuration to show log messages from input_nameA
   - name: remote_tcp
     type: remote
     tcp_ports: [6514, ...]
-    pki: tls
+    tls: true
     pki_authmode: x509/name
     permitted_clients: ['*.example.com']
   ```
@@ -184,7 +186,7 @@ This is a schematic logging configuration to show log messages from input_nameA
   - `target`: Target host (fqdn). **Required**.
   - `udp_port`: UDP port number. Default to `514`.
   - `tcp_port`: TCP port number. Default to `514`.
-  - `pki`: Set to `tls` to use the `tls` enabled connection. Default to None.
+  - `tls`: Set to `true` to encrypt the connection using the default TLS implementation used by the provider. Default to `false`.
   - `pki_authmode`: Specifying the default network driver authentication mode. `x509/name`, `x509/fingerprint`, `anon` is accepted. Default to `x509/name`.
   - `permitted_server`: Hostname, IP address, fingerprint(sha1) or wildcard DNS domain of the server which this client will be allowed to connect and send logs over TLS. Default to `*.{{ logging_domain }}`
 

diff --git a/roles/rsyslog/tasks/inputs/remote/main.yml b/roles/rsyslog/tasks/inputs/remote/main.yml
@@ -4,19 +4,23 @@
     - name: Ensure Remote inputs contain no conflict connection type
       fail:
         msg: "Error: {{ item.0.name }} and {{ item.1.name }} conflict."
-      loop: "{{ [__logging_remote_udp, __logging_remote_tcp, __logging_remote_tls] }}"
+      loop: "{{ [__logging_remote_udp, __logging_remote_ptcp, __logging_remote_tlstcp] }}"
       when:
         - item | length > 1
   vars:
-    __logging_remote_udp: "{{ logging_inputs | selectattr('type', '==', 'remote') |
+    __logging_remote: "{{ logging_inputs | selectattr('type', '==', 'remote') | list }}"
+    __logging_remote_udp: "{{ __logging_remote |
                               selectattr('udp_ports', 'defined') | list }}"
-    __logging_remote_tcp: "{{ logging_inputs | selectattr('type', '==', 'remote') |
-                              selectattr('tcp_ports', 'defined') |
-                              selectattr('pki', 'undefined') | list }}"
-    __logging_remote_tls: "{{ logging_inputs | selectattr('type', '==', 'remote') |
-                              selectattr('tcp_ports', 'defined') |
-                              selectattr('pki', 'defined') |
-                              selectattr('pki', '==', 'tls') | list }}"
+    __logging_remote_tcp: "{{ __logging_remote |
+                              selectattr('tcp_ports', 'defined') | list }}"
+    __logging_remote_tls: "{{ __logging_remote_tcp |
+                              selectattr('tls', 'defined') | list }}"
+    __logging_remote_ptcp: "{{ __logging_remote_tcp |
+                               selectattr('tls', 'undefined') | list }} +
+                            {{ __logging_remote_tls |
+                               selectattr('tls', 'false') | list }}"
+    __logging_remote_tlstcp: "{{ __logging_remote_tls |
+                                 selectattr('tls', 'true') | list }}"
 
 - name: Install/Update remote input packages and generate configuration files in /etc/rsyslog.d
   vars:

diff --git a/roles/rsyslog/tasks/main.yml b/roles/rsyslog/tasks/main.yml
@@ -209,12 +209,12 @@
 
       vars:
         __logging_forwards_tls: "{{ logging_outputs | selectattr('type', '==', 'forwards') |
-                                  selectattr('pki', 'defined') |
-                                  selectattr('pki', '==', 'tls') | list }}"
+                                  selectattr('tls', 'defined') |
+                                  selectattr('tls', 'true') | list }}"
         __logging_remote_tls: "{{ logging_inputs | selectattr('type', '==', 'remote') |
                                   selectattr('tcp_ports', 'defined') |
-                                  selectattr('pki', 'defined') |
-                                  selectattr('pki', '==', 'tls') | list }}"
+                                  selectattr('tls', 'defined') |
+                                  selectattr('tls', 'true') | list }}"
 
       when:
         - __rsyslog_enabled | bool

diff --git a/roles/rsyslog/templates/input_remote.j2 b/roles/rsyslog/templates/input_remote.j2
@@ -15,7 +15,7 @@ input(name="{{ item.name }}" type="imudp" port=["{{ item.udp_ports | join('","')
 {% endfor %}
 {% for tport in item.tcp_ports | d([]) %}
 {%   set __logging_loop_index = loop.index %}
-{%   if item.pki | d() != 'tls' %}
+{%   if not item.tls | d(false) | bool %}
 # Log messages from remote hosts over plain TCP
 input(name="{{ item.name }}_{{ __logging_loop_index }}" type="imptcp" port="{{ tport }}")
 {%   else %}

diff --git a/roles/rsyslog/templates/input_remote_module.j2 b/roles/rsyslog/templates/input_remote_module.j2
@@ -4,7 +4,7 @@ module(load="imudp" threads="{{ logging_udp_threads }}"
        TimeRequery="{{ logging_udp_system_time_requery }}"
        BatchSize="{{ logging_udp_batch_size }}")
 {% elif item.tcp_ports is defined %}
-{%   if item.pki | d() != 'tls' %}
+{%   if not item.tls | d(false) | bool %}
 # Read messages sent over plain TCP
 module(load="imptcp" threads="{{ logging_tcp_threads }}")
 {%   else %}

diff --git a/roles/rsyslog/templates/output_forwards.j2 b/roles/rsyslog/templates/output_forwards.j2
@@ -16,7 +16,7 @@ ruleset(name="{{ item.name }}") {
 {% endif %}
         type="omfwd"
         Target="{{ item.target }}"
-{% if item.pki | d() == "tls" %}
+{% if item.tls | d(false) | bool %}
         StreamDriver="{{ __rsyslog_tls_netstream_driver }}"
         StreamDriverMode="1"
         StreamDriverAuthMode="{{ item.pki_authmode | d(__rsyslog_default_pki_authmode) }}"

diff --git a/tests/tests_basics_forwards_cacert.yml b/tests/tests_basics_forwards_cacert.yml
@@ -53,7 +53,7 @@
             severity: info
             target: host.domain
             tcp_port: 1514
-            pki: tls
+            tls: true
             pki_authmode: anon
             permitted_server: '*.example.com'
         logging_inputs:

diff --git a/tests/tests_basics_forwards_cert.yml b/tests/tests_basics_forwards_cert.yml
@@ -67,7 +67,7 @@
             severity: info
             target: host.domain
             tcp_port: 1514
-            pki: tls
+            tls: true
             permitted_server: '*.example.com'
         logging_inputs:
           - name: basic_input

diff --git a/tests/tests_basics_forwards_cert_missing.yml b/tests/tests_basics_forwards_cert_missing.yml
@@ -40,7 +40,7 @@
                 facility: local1
                 severity: info
                 target: host.domain
-                pki: tls
+                tls: true
                 tcp_port: 1514
             logging_inputs:
               - name: basic_input

diff --git a/tests/tests_server.yml b/tests/tests_server.yml
@@ -43,14 +43,14 @@
           - name: remote_tcp
             type: remote
             tcp_ports: [6514, 40000, 40001]
-            pki: tls
+            tls: true
             pki_authmode: x509/name
             permitted_clients:
               - '*.client.com'
               - '*.example.com'
           - name: remote_ptcp
             type: remote
-            tcp_ports: [514, 40010, 40011]
+            tcp_ports: [514, 40010, 40011, 40012]
           - name: remote_udp
             type: remote
             udp_ports: [514, 40020]

diff --git a/tests/tests_server_conflict.yml b/tests/tests_server_conflict.yml
@@ -44,15 +44,15 @@
               - name: remote_tcp_0
                 type: remote
                 tcp_ports: [6514, 40000, 40001]
-                pki: tls
+                tls: true
                 pki_authmode: x509/name
                 permitted_clients:
                   - '*.client.com'
                   - '*.example.com'
               - name: remote_tcp_1
                 type: remote
                 tcp_ports: [514, 40010, 40011]
-                pki: tls
+                tls: true
               - name: remote_udp
                 type: remote
                 udp_ports: [514, 40020]