threatstack · olhado · Apr 7, 2021
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -6,10 +6,6 @@ provisioner:
   name: salt_solo
   bootstrap_url: 'https://raw.githubusercontent.com/olhado/kitchen-salt/master/assets/install.sh'
   is_file_root: true
-  # Use this section (and comment out the `threatstack.sls` definition in the `pillars` section)
-  # to grab pillar data from the `pillar.example` file
-  # pillars_from_files:
-  #   threatstack.sls: pillar.example
   pillars:
     top.sls:
       base:
@@ -31,15 +27,27 @@ provisioner:
       <% if ENV['TS_CONFIG_ARGS'] %>
       ts_agent_config_args: <%= ENV['TS_CONFIG_ARGS'] %>
       <% end %>
+  # Use this section (and comment out the `threatstack.sls` definition in the `pillars` section)
+  # to grab pillar data from the `pillar.example` file
+  # pillars_from_files:
+  #   threatstack.sls: pillar.example
   state_top:
     base:
       '*':
         - threatstack
 
 platforms:
   - name: amazonlinux-1
-    image: amazonlinux:1
+    provisioner:
+      salt_bootstrap_options: '-R archive.repo.saltstack.com stable 2019.2'
+      pillars:
+        threatstack.sls:
+          pkg_url: https://pkg.threatstack.com/v2/Amazon/1
+          gpg_key: https://app.threatstack.com/RPM-GPG-KEY-THREATSTACK
+          gpg_key_file: '/etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK'
+          gpg_key_file_uri: 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK'
     driver_config:
+      image: amazonlinux:1
       run_command: /sbin/init
       privileged: true
       run_options:
@@ -53,8 +61,15 @@ platforms:
         - sed -i 's/local_events = yes/local_events = no/g' /etc/audit/auditd.conf
         - chkconfig auditd on
   - name: amazonlinux-2
-    image: amazonlinux:2
+    provisioner:
+      pillars:
+        threatstack.sls:
+          pkg_url: https://pkg.threatstack.com/v2/Amazon/2
+          gpg_key: https://app.threatstack.com/RPM-GPG-KEY-THREATSTACK
+          gpg_key_file: '/etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK'
+          gpg_key_file_uri: 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK'
     driver_config:
+      image: amazonlinux:2
       run_command: /sbin/init
       privileged: true
       run_options:
@@ -69,10 +84,17 @@ platforms:
         - yum install -y audit initscripts
         - sed -i 's/local_events = yes/local_events = no/g' /etc/audit/auditd.conf
         - systemctl enable auditd.service
-    image: centos:7
   - name: centos-7
-    image: centos:7
+    provisioner:
+      salt_bootstrap_options: '-R archive.repo.saltstack.com stable 2019.2'
+      pillars:
+        threatstack.sls:
+          pkg_url: https://pkg.threatstack.com/v2/EL/7
+          gpg_key: https://app.threatstack.com/RPM-GPG-KEY-THREATSTACK
+          gpg_key_file: '/etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK'
+          gpg_key_file_uri: 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK'
     driver_config:
+      image: centos:7
       run_command: /sbin/init
       privileged: true
       run_options:
@@ -93,8 +115,15 @@ platforms:
         - sed -i 's/local_events = yes/local_events = no/g' /etc/audit/auditd.conf
         - systemctl enable auditd.service
   - name: centos-8
-    image: centos:8
+    provisioner:
+      pillars:
+        threatstack.sls:
+          pkg_url: https://pkg.threatstack.com/v2/EL/8
+          gpg_key: https://app.threatstack.com/RPM-GPG-KEY-THREATSTACK
+          gpg_key_file: '/etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK'
+          gpg_key_file_uri: 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK'
     driver_config:
+      image: centos:8
       run_command: /sbin/init
       privileged: true
       run_options:
@@ -106,8 +135,15 @@ platforms:
         - sed -i 's/local_events = yes/local_events = no/g' /etc/audit/auditd.conf
         - systemctl enable auditd.service
   - name: debian-8
-    image: debian:8
+    provisioner:
+      salt_bootstrap_options: '-R archive.repo.saltstack.com'
+      pillars:
+        threatstack.sls:
+          pkg_url: https://pkg.threatstack.com/v2/Ubuntu
+          gpg_key: https://app.threatstack.com/APT-GPG-KEY-THREATSTACK
+          pkg_component: main
     driver_config:
+      image: debian:8
       run_command: /sbin/init
       cap_add:
         - SYS_ADMIN
@@ -125,8 +161,14 @@ platforms:
         - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
         - systemctl enable ssh.service
   - name: debian-9
-    image: debian:9
+    provisioner:
+      pillars:
+        threatstack.sls:
+          pkg_url: https://pkg.threatstack.com/v2/Ubuntu
+          gpg_key: https://app.threatstack.com/APT-GPG-KEY-THREATSTACK
+          pkg_component: main
     driver_config:
+      image: debian:9
       run_command: /bin/systemd
       cap_add:
         - SYS_ADMIN
@@ -138,8 +180,14 @@ platforms:
         - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
         - systemctl enable ssh.service
   - name: debian-10
-    image: debian:10
+    provisioner:
+      pillars:
+        threatstack.sls:
+          pkg_url: https://pkg.threatstack.com/v2/Ubuntu
+          gpg_key: https://app.threatstack.com/APT-GPG-KEY-THREATSTACK
+          pkg_component: main
     driver_config:
+      image: debian:10
       run_command: /sbin/init
       cap_add:
         - SYS_ADMIN
@@ -151,8 +199,14 @@ platforms:
         - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
         - systemctl enable ssh.service
   - name: ubuntu-16.04
-    image: ubuntu:16.04
+    provisioner:
+      pillars:
+        threatstack.sls:
+          pkg_url: https://pkg.threatstack.com/v2/Ubuntu
+          gpg_key: https://app.threatstack.com/APT-GPG-KEY-THREATSTACK
+          pkg_component: main
     driver_config:
+      image: ubuntu:16.04
       run_command: /sbin/init
       cap_add:
         - SYS_ADMIN
@@ -164,8 +218,14 @@ platforms:
         - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
         - systemctl enable ssh.service
   - name: ubuntu-18.04
-    image: ubuntu:18.04
+    provisioner:
+      pillars:
+        threatstack.sls:
+          pkg_url: https://pkg.threatstack.com/v2/Ubuntu
+          gpg_key: https://app.threatstack.com/APT-GPG-KEY-THREATSTACK
+          pkg_component: main
     driver_config:
+      image: ubuntu:18.04
       run_command: /sbin/init
       cap_add:
         - SYS_ADMIN
@@ -177,8 +237,14 @@ platforms:
         - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
         - systemctl enable ssh.service
   - name: ubuntu-20.04
-    image: ubuntu:20.04
+    provisioner:
+      pillars:
+        threatstack.sls:
+          pkg_url: https://pkg.threatstack.com/v2/Ubuntu
+          gpg_key: https://app.threatstack.com/APT-GPG-KEY-THREATSTACK
+          pkg_component: main
     driver_config:
+      image: ubuntu:20.04
       run_command: /sbin/init
       cap_add:
         - SYS_ADMIN

diff --git a/threatstack/init.sls b/threatstack/init.sls
@@ -15,8 +15,15 @@
   {% set _ = pkg_location.update({ 'pkg_url': pillar['pkg_url']}) %}
 {% endif %}
 
+# If the package component is explicitly set, use the override and move on
+{% if pillar['pkg_component'] is defined %}
+  {% set _ = pkg_location.update({ 'pkg_component': pillar['pkg_component']}) %}
+{% else %}
+  {% set _ = pkg_location.update({ 'pkg_component': "main" }) %}
+{% endif %}
+
 # Check if OS is not supported in 2.X, and assign the repository URL appropriately
-{% if pkg_url is not defined %}
+{% if pkg_location.pkg_url is not defined %}
   {% set _ = pkg_location.update({ 'pkg_url': agent2_pkg_url_base}) %}
 
   # Set the rest of the URL path
@@ -51,6 +58,13 @@
     {% set gpgkey_file_uri = 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK' %}
 {% endif %}
 
+# Overrride gpgcheck on yum repositories. NOT RECOMMENDED IN PRODUCTION ENVIRONMENTS
+{% if pillar['gpgcheck'] is defined %}
+  {% set gpgcheck = pillar['gpgcheck'] %}
+{% else %}
+  {% set gpgcheck = 1 %}
+{% endif %}
+
 {% if pillar['ts_agent_extra_args'] is defined %}
   {% set agent_extra_args = pillar['ts_agent_extra_args'] %}
 {% else %}
@@ -71,7 +85,7 @@ threatstack-repo:
     - name: 'curl -q -f {{ gpgkey }} | apt-key add -'
     - unless: 'apt-key list | grep "Threat Stack"'
   pkgrepo.managed:
-    - name: deb {{ pkg_location.pkg_url }} {{ os_maj_ver.ver }} main
+    - name: deb {{ pkg_location.pkg_url }} {{ os_maj_ver.ver }} {{ pkg_location.pkg_component }}
     - file: '/etc/apt/sources.list.d/threatstack.list'
 {% elif os_family=="RedHat" %}
   cmd.run:
@@ -81,7 +95,7 @@ threatstack-repo:
     - name: threatstack
     - humanname: Threat Stack Package Repository
     - gpgkey: {{ gpgkey_file_uri }}
-    - gpgcheck: 1
+    - gpgcheck: {{ gpgcheck }}
     - enabled: 1
     - baseurl: {{ pkg_location.pkg_url }}
 {% endif %}