ansible-role-elasticsearch/tasks/elasticsearch-ssl.yml

---

- name: set fact es_same_keystore
  set_fact: es_same_keystore=false

- name: set fact es_same_keystore if stores match
  set_fact: es_same_keystore=true
  when: es_ssl_keystore == es_ssl_truststore

- name: Ensure certificate directory exists
  become: yes
  file:
    dest: "{{ es_ssl_certificate_path }}"
    state: directory
    owner: root
    group: "{{ es_group }}"
    mode: "750"
  when: es_ssl_upload

- name: Upload SSL/TLS keystore
  become: yes
  copy:
    src: "{{ es_ssl_keystore }}"
    dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}"
    owner: "{{ es_user }}"
    group: "{{ es_group }}"
    mode: "640"
  when: es_ssl_upload and es_ssl_keystore and es_ssl_truststore
  notify: restart elasticsearch
  register: copy_keystore

- name: Upload SSL/TLS truststore
  become: yes
  copy:
    src: "{{ es_ssl_truststore }}"
    dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}"
    owner: "{{ es_user }}"
    group: "{{ es_group }}"
    mode: "640"
  when: es_ssl_upload and es_ssl_keystore and es_ssl_truststore
  notify: restart elasticsearch
  register: copy_truststore

- name: Upload SSL/TLS key and certificate
  become: yes
  copy:
    src: "{{ item }}"
    dest: "{{ es_ssl_certificate_path }}/{{ item | basename }}"
    owner: "{{ es_user }}"
    group: "{{ es_group }}"
    mode: "640"
  with_items:
    - "{{ es_ssl_key }}"
    - "{{ es_ssl_certificate }}"
  when: es_ssl_upload and es_ssl_key and es_ssl_certificate
  #Restart if these change
  notify: restart elasticsearch
  register: copy_certificates

- name: Upload SSL Certificate Authority
  become: yes
  copy:
    src: "{{ es_ssl_certificate_authority }}"
    dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
    owner: "{{ es_user }}"
    group: "{{ es_group }}"
    mode: "640"
  #Restart if this changes
  notify: restart elasticsearch
  when: es_ssl_upload and (es_ssl_certificate_authority is defined) and (es_ssl_certificate_authority|length > 0)

- name: Set keystore password
  become: yes
  shell: echo "{{ es_ssl_keystore_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.keystore.secure_password'
  no_log: True
  when: es_ssl_keystore_password and (copy_keystore.changed or (es_same_keystore and copy_truststore.changed))
  with_items:
    - http
    - transport

- name: Set truststore password
  become: yes
  shell: echo "{{ es_ssl_truststore_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.truststore.secure_password'
  no_log: True
  when: es_ssl_truststore_password and (copy_truststore.changed or (es_same_keystore and copy_keystore.changed))
  with_items:
    - http
    - transport

- name: Remove keystore password
  become: yes
  shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.keystore.secure_password'"
  when: es_ssl_keystore_password == "" and (copy_keystore.changed or (es_same_keystore and copy_truststore.changed))
  ignore_errors: yes
  with_items:
    - http
    - transport

- name: Remove truststore password
  become: yes
  shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.truststore.secure_password'"
  when: es_ssl_truststore_password == "" and (copy_truststore.changed or (es_same_keystore and copy_keystore.changed))
  ignore_errors: yes
  with_items:
    - http
    - transport

- name: Set key password
  become: yes
  shell: echo "{{ es_ssl_key_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.secure_key_passphrase'
  no_log: True
  when: es_ssl_key_password and copy_certificates.changed
  with_items:
    - http
    - transport

- name: Remove key password
  become: yes
  shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.secure_key_passphrase'"
  when: es_ssl_key_password == "" and copy_certificates.changed
  ignore_errors: yes
  with_items:
    - http
    - transport
Add SSL/TLS support This commit introduces SSL/TLS support for the elastic search transport layer. It assumes certificates are generated externally, and only handles uploading and configuring the server accordingly. 2019-06-27 13:53:23 -07:00			`---`
Better support for different truststores 2019-10-16 16:36:43 +01:00
			`- name: set fact es_same_keystore`
			`set_fact: es_same_keystore=false`

			`- name: set fact es_same_keystore if stores match`
Fix es_same_keystore conditional 2019-10-16 16:39:31 +01:00			`set_fact: es_same_keystore=true`
Better support for different truststores 2019-10-16 16:36:43 +01:00			`when: es_ssl_keystore == es_ssl_truststore`

Add an option to not upload SSL/TLS certs (#727) 2020-10-12 10:02:25 +02:00			`- name: Ensure certificate directory exists`
Several tasks in elasticsearch-ssl.yml missing become 2020-01-28 14:23:22 -08:00			`become: yes`
Add SSL/TLS support This commit introduces SSL/TLS support for the elastic search transport layer. It assumes certificates are generated externally, and only handles uploading and configuring the server accordingly. 2019-06-27 13:53:23 -07:00			`file:`
			`dest: "{{ es_ssl_certificate_path }}"`
			`state: directory`
Fix permissions of cert directory and files 2019-10-31 10:55:40 +00:00			`owner: root`
			`group: "{{ es_group }}"`
fix files mode syntax From Ansible doc (https://docs.ansible.com/ansible/latest/modules/template_module.html#template-module) For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like 0644 or 01777) or quote it (like '644' or '1777') so Ansible receives a string and can do its own conversion from string into number. Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results. 2019-11-28 07:02:33 +01:00			`mode: "750"`
Add an option to not upload SSL/TLS certs (#727) 2020-10-12 10:02:25 +02:00			`when: es_ssl_upload`
Add SSL/TLS support This commit introduces SSL/TLS support for the elastic search transport layer. It assumes certificates are generated externally, and only handles uploading and configuring the server accordingly. 2019-06-27 13:53:23 -07:00
Better support for different truststores 2019-10-16 16:36:43 +01:00			`- name: Upload SSL/TLS keystore`
Several tasks in elasticsearch-ssl.yml missing become 2020-01-28 14:23:22 -08:00			`become: yes`
Add SSL/TLS support This commit introduces SSL/TLS support for the elastic search transport layer. It assumes certificates are generated externally, and only handles uploading and configuring the server accordingly. 2019-06-27 13:53:23 -07:00			`copy:`
Better support for different truststores 2019-10-16 16:36:43 +01:00			`src: "{{ es_ssl_keystore }}"`
			`dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore \| basename }}"`
Fix permissions of cert directory and files 2019-10-31 10:55:40 +00:00			`owner: "{{ es_user }}"`
			`group: "{{ es_group }}"`
fix files mode syntax From Ansible doc (https://docs.ansible.com/ansible/latest/modules/template_module.html#template-module) For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like 0644 or 01777) or quote it (like '644' or '1777') so Ansible receives a string and can do its own conversion from string into number. Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results. 2019-11-28 07:02:33 +01:00			`mode: "640"`
Add an option to not upload SSL/TLS certs (#727) 2020-10-12 10:02:25 +02:00			`when: es_ssl_upload and es_ssl_keystore and es_ssl_truststore`
Better support for different truststores 2019-10-16 16:36:43 +01:00			`notify: restart elasticsearch`
			`register: copy_keystore`

			`- name: Upload SSL/TLS truststore`
Several tasks in elasticsearch-ssl.yml missing become 2020-01-28 14:23:22 -08:00			`become: yes`
Better support for different truststores 2019-10-16 16:36:43 +01:00			`copy:`
			`src: "{{ es_ssl_truststore }}"`
			`dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore \| basename }}"`
Fix permissions of cert directory and files 2019-10-31 10:55:40 +00:00			`owner: "{{ es_user }}"`
			`group: "{{ es_group }}"`
fix files mode syntax From Ansible doc (https://docs.ansible.com/ansible/latest/modules/template_module.html#template-module) For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like 0644 or 01777) or quote it (like '644' or '1777') so Ansible receives a string and can do its own conversion from string into number. Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results. 2019-11-28 07:02:33 +01:00			`mode: "640"`
Add an option to not upload SSL/TLS certs (#727) 2020-10-12 10:02:25 +02:00			`when: es_ssl_upload and es_ssl_keystore and es_ssl_truststore`
Fix copy variables 2019-10-11 16:33:09 +01:00			`notify: restart elasticsearch`
Better support for different truststores 2019-10-16 16:36:43 +01:00			`register: copy_truststore`
Add SSL/TLS support This commit introduces SSL/TLS support for the elastic search transport layer. It assumes certificates are generated externally, and only handles uploading and configuring the server accordingly. 2019-06-27 13:53:23 -07:00
Add SSL keystore and truststore 2019-10-11 16:09:05 +01:00			`- name: Upload SSL/TLS key and certificate`
Several tasks in elasticsearch-ssl.yml missing become 2020-01-28 14:23:22 -08:00			`become: yes`
Add SSL keystore and truststore 2019-10-11 16:09:05 +01:00			`copy:`
			`src: "{{ item }}"`
			`dest: "{{ es_ssl_certificate_path }}/{{ item \| basename }}"`
Fix permissions of cert directory and files 2019-10-31 10:55:40 +00:00			`owner: "{{ es_user }}"`
			`group: "{{ es_group }}"`
fix files mode syntax From Ansible doc (https://docs.ansible.com/ansible/latest/modules/template_module.html#template-module) For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like 0644 or 01777) or quote it (like '644' or '1777') so Ansible receives a string and can do its own conversion from string into number. Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results. 2019-11-28 07:02:33 +01:00			`mode: "640"`
Add SSL keystore and truststore 2019-10-11 16:09:05 +01:00			`with_items:`
			`- "{{ es_ssl_key }}"`
			`- "{{ es_ssl_certificate }}"`
Add an option to not upload SSL/TLS certs (#727) 2020-10-12 10:02:25 +02:00			`when: es_ssl_upload and es_ssl_key and es_ssl_certificate`
Fix copy variables 2019-10-11 16:33:09 +01:00			`#Restart if these change`
			`notify: restart elasticsearch`
Add SSL keystore and truststore 2019-10-11 16:09:05 +01:00			`register: copy_certificates`
Add SSL/TLS support This commit introduces SSL/TLS support for the elastic search transport layer. It assumes certificates are generated externally, and only handles uploading and configuring the server accordingly. 2019-06-27 13:53:23 -07:00
			`- name: Upload SSL Certificate Authority`
Several tasks in elasticsearch-ssl.yml missing become 2020-01-28 14:23:22 -08:00			`become: yes`
Add SSL/TLS support This commit introduces SSL/TLS support for the elastic search transport layer. It assumes certificates are generated externally, and only handles uploading and configuring the server accordingly. 2019-06-27 13:53:23 -07:00			`copy:`
			`src: "{{ es_ssl_certificate_authority }}"`
			`dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority \| basename }}"`
Fix permissions of cert directory and files 2019-10-31 10:55:40 +00:00			`owner: "{{ es_user }}"`
			`group: "{{ es_group }}"`
fix files mode syntax From Ansible doc (https://docs.ansible.com/ansible/latest/modules/template_module.html#template-module) For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like 0644 or 01777) or quote it (like '644' or '1777') so Ansible receives a string and can do its own conversion from string into number. Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results. 2019-11-28 07:02:33 +01:00			`mode: "640"`
Add option for invalid certificates 2019-10-12 00:03:47 +01:00			`#Restart if this changes`
			`notify: restart elasticsearch`
Add an option to not upload SSL/TLS certs (#727) 2020-10-12 10:02:25 +02:00			`when: es_ssl_upload and (es_ssl_certificate_authority is defined) and (es_ssl_certificate_authority\|length > 0)`
Add ability to use key and truststore passwords 2019-10-12 00:57:49 +01:00
Better support for different truststores 2019-10-16 16:36:43 +01:00			`- name: Set keystore password`
Several tasks in elasticsearch-ssl.yml missing become 2020-01-28 14:23:22 -08:00			`become: yes`
Update tests 2019-10-13 16:18:55 +01:00			`shell: echo "{{ es_ssl_keystore_password }}" \| {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.keystore.secure_password'`
Add ability to use key and truststore passwords 2019-10-12 00:57:49 +01:00			`no_log: True`
Fix conditional for password removal 2019-10-18 17:51:44 +01:00			`when: es_ssl_keystore_password and (copy_keystore.changed or (es_same_keystore and copy_truststore.changed))`
Add ability to use key and truststore passwords 2019-10-12 00:57:49 +01:00			`with_items:`
			`- http`
			`- transport`

Better support for different truststores 2019-10-16 16:36:43 +01:00			`- name: Set truststore password`
Several tasks in elasticsearch-ssl.yml missing become 2020-01-28 14:23:22 -08:00			`become: yes`
Update tests 2019-10-13 16:18:55 +01:00			`shell: echo "{{ es_ssl_truststore_password }}" \| {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.truststore.secure_password'`
Add ability to use key and truststore passwords 2019-10-12 00:57:49 +01:00			`no_log: True`
Fix conditional for password removal 2019-10-18 17:51:44 +01:00			`when: es_ssl_truststore_password and (copy_truststore.changed or (es_same_keystore and copy_keystore.changed))`
Add ability to use key and truststore passwords 2019-10-12 00:57:49 +01:00			`with_items:`
			`- http`
			`- transport`

Better support for different truststores 2019-10-16 16:36:43 +01:00			`- name: Remove keystore password`
Several tasks in elasticsearch-ssl.yml missing become 2020-01-28 14:23:22 -08:00			`become: yes`
Better support for different truststores 2019-10-16 16:36:43 +01:00			`shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.keystore.secure_password'"`
Fix conditional for password removal 2019-10-18 17:51:44 +01:00			`when: es_ssl_keystore_password == "" and (copy_keystore.changed or (es_same_keystore and copy_truststore.changed))`
Better support for different truststores 2019-10-16 16:36:43 +01:00			`ignore_errors: yes`
Add ability to use key and truststore passwords 2019-10-12 00:57:49 +01:00			`with_items:`
			`- http`
			`- transport`

Better support for different truststores 2019-10-16 16:36:43 +01:00			`- name: Remove truststore password`
Several tasks in elasticsearch-ssl.yml missing become 2020-01-28 14:23:22 -08:00			`become: yes`
Better support for different truststores 2019-10-16 16:36:43 +01:00			`shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.truststore.secure_password'"`
Fix conditional for password removal 2019-10-18 17:51:44 +01:00			`when: es_ssl_truststore_password == "" and (copy_truststore.changed or (es_same_keystore and copy_keystore.changed))`
Better support for different truststores 2019-10-16 16:36:43 +01:00			`ignore_errors: yes`
Add ability to use key and truststore passwords 2019-10-12 00:57:49 +01:00			`with_items:`
			`- http`
			`- transport`

Better support for different truststores 2019-10-16 16:36:43 +01:00			`- name: Set key password`
Several tasks in elasticsearch-ssl.yml missing become 2020-01-28 14:23:22 -08:00			`become: yes`
Better support for different truststores 2019-10-16 16:36:43 +01:00			`shell: echo "{{ es_ssl_key_password }}" \| {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.secure_key_passphrase'`
Add ability to use key and truststore passwords 2019-10-12 00:57:49 +01:00			`no_log: True`
Better support for different truststores 2019-10-16 16:36:43 +01:00			`when: es_ssl_key_password and copy_certificates.changed`
Add ability to use key and truststore passwords 2019-10-12 00:57:49 +01:00			`with_items:`
			`- http`
			`- transport`

Better support for different truststores 2019-10-16 16:36:43 +01:00			`- name: Remove key password`
Several tasks in elasticsearch-ssl.yml missing become 2020-01-28 14:23:22 -08:00			`become: yes`
Update tests 2019-10-13 16:18:55 +01:00			`shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.secure_key_passphrase'"`
Add ability to use key and truststore passwords 2019-10-12 00:57:49 +01:00			`when: es_ssl_key_password == "" and copy_certificates.changed`
Better support for different truststores 2019-10-16 16:36:43 +01:00			`ignore_errors: yes`
Add ability to use key and truststore passwords 2019-10-12 00:57:49 +01:00			`with_items:`
			`- http`
			`- transport`