Add SSL keystore and truststore

Nathan Young 2019-10-11 16:09:05 +01:00
parent 6811cde9db
commit 45ef5a467c
No known key found for this signature in database
GPG key ID: EB5E14327B10D023
5 changed files with 41 additions and 8 deletions


@ -45,7 +45,10 @@ es_jvm_custom_parameters: ''
# SSL/TLS parameters # SSL/TLS parameters
es_enable_http_ssl: false es_enable_http_ssl: false
es_enable_transport_ssl: false es_enable_transport_ssl: false
es_ssl_keystore: ""
es_ssl_truststore: ""
es_ssl_key: "" es_ssl_key: ""
es_ssl_certificate: "" es_ssl_certificate: ""
es_ssl_certificate_authority: "" es_ssl_certificate_authority: ""
es_ssl_certificate_path: "/etc/elasticsearch/certs" es_ssl_certificate_path: "/etc/elasticsearch/certs"
es_ssl_verification_mode: "certificate"
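Review bot: `es_ssl_verification_mode: "certificate"` is introduced without a comment, and the value has a security consequence that a user of the role should see in defaults: in Elasticsearch `certificate` mode validates the certificate chain but does not check that the peer's hostname matches the certificate, so any certificate issued by the trusted CA is accepted for any node; `full` adds the hostname check. I would add above it `# "certificate" verifies the chain only; set "full" to also verify the peer hostname`. The new `es_ssl_keystore`/`es_ssl_truststore` defaults likewise come with no companion for a store password — if the stores are password-protected (presumably the common case for PKCS12/JKS), the role offers no variable to supply it, and that limitation should be documented next to these two lines.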


@ -17,6 +17,13 @@
- es_api_basic_auth_username is not defined - es_api_basic_auth_username is not defined
- es_api_basic_auth_password is not defined - es_api_basic_auth_password is not defined
- name: fail when ssl enabled without defining a key and certificate
fail: msg="Enabling SSL/TLS (es_enable_http_ssl or es_enable_transport_ssl) requires es_ssl_keystore and es_ssl_truststore or es_ssl_key and es_ssl_certificate to be provided"
when:
- es_enable_http_ssl or es_enable_transport_ssl
- (es_ssl_key == "" or es_ssl_certificate == "")
- (es_ssl_keystore == "" or es_ssl_truststore == "")
- name: set fact file_reserved_users - name: set fact file_reserved_users
set_fact: file_reserved_users={{ es_users.file.keys() | list | intersect (reserved_xpack_users) }} set_fact: file_reserved_users={{ es_users.file.keys() | list | intersect (reserved_xpack_users) }}
when: es_users is defined and es_users.file is defined and (es_users.file.keys() | list | length > 0) and (es_users.file.keys() | list | intersect (reserved_xpack_users) | length > 0) when: es_users is defined and es_users.file is defined and (es_users.file.keys() | list | length > 0) and (es_users.file.keys() | list | intersect (reserved_xpack_users) | length > 0)
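Review bot: The new fail task compares with `== ""` while the rest of this commit tests truthiness (`when: es_ssl_keystore and es_ssl_truststore` in the ssl tasks and template), so an inventory value of `null`, `~` or `false` slips through this guard but still skips both copy tasks and both template branches, leaving SSL enabled with no key material configured. Using the same test here keeps the two in step: `- (not es_ssl_key or not es_ssl_certificate)` and `- (not es_ssl_keystore or not es_ssl_truststore)`. The task name still says "without defining a key and certificate" although the message now also covers the keystore/truststore pair; `fail when ssl enabled without key material` would match the message. As a point of style, `fail: msg="..."` is the key=value form — the block form `fail:` / `msg: >-` is what the rest of the file uses and avoids quoting problems in a long message.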


@ -4,20 +4,28 @@
dest: "{{ es_ssl_certificate_path }}" dest: "{{ es_ssl_certificate_path }}"
state: directory state: directory
- name: Upload HTTP SSL/TLS certificates - name: Upload SSL/TLS keystore and truststore
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ es_ssl_certificate_path }}/{{ item | basename }}" dest: "{{ es_ssl_certificate_path }}/{{ item | basename }}"
with_items: with_items:
- "{{ es_ssl_key }}" - "{{ es_ssl_key }}"
- "{{ es_ssl_certificate }}" - "{{ es_ssl_certificate }}"
when: es_enable_http_ssl|bool or es_enable_transport_ssl|bool when: es_ssl_keystore and es_ssl_truststore
register: copy_keystores
- local_action: stat path="{{ role_path }}/files/{{ es_ssl_certificate_authority }}" - name: Upload SSL/TLS key and certificate
register: es_cafile copy:
src: "{{ item }}"
dest: "{{ es_ssl_certificate_path }}/{{ item | basename }}"
with_items:
- "{{ es_ssl_key }}"
- "{{ es_ssl_certificate }}"
when: es_ssl_key and es_ssl_certificate
register: copy_certificates
- name: Upload SSL Certificate Authority - name: Upload SSL Certificate Authority
copy: copy:
src: "{{ es_ssl_certificate_authority }}" src: "{{ es_ssl_certificate_authority }}"
dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}" dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
when: es_cafile.stat.exists|bool and es_cafile.stat.isreg|bool when: es_ssl_certificate_authority
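Review bot: The task renamed to "Upload SSL/TLS keystore and truststore" still iterates `es_ssl_key` and `es_ssl_certificate` (those `with_items` entries are unchanged context), so when only the keystore/truststore pair is set it runs `copy` with an empty `src` and fails, or copies the PEM files a second time, and the keystore that elasticsearch.yml will point at never reaches the host. The items should be `- "{{ es_ssl_keystore }}"` and `- "{{ es_ssl_truststore }}"`. Separately, neither copy task sets `owner`/`group`/`mode`, so the private key and keystore land with whatever permissions `copy` derives from the controller file and the remote umask; private key material should get an explicit restrictive mode such as `mode: "0640"` with the service group (which group the role uses for elasticsearch is not visible in this hunk). The `register: copy_keystores` / `register: copy_certificates` results are not consumed anywhere in view — if they are meant to trigger a restart, the handler notify is missing.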


@ -53,8 +53,9 @@
tags: tags:
- xpack - xpack
- name: include ssl.yml - name: include elasticsearch-ssl.yml
include: elasticsearch-ssl.yml include: elasticsearch-ssl.yml
when: es_enable_http_ssl or es_enable_transport_ssl
- name: flush handlers - name: flush handlers
meta: flush_handlers meta: flush_handlers
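Review bot: The added `when: es_enable_http_ssl or es_enable_transport_ssl` omits the `|bool` cast that the condition it replaces in elasticsearch-ssl.yml used and that the template still uses; a value passed as the string `"false"` (for example via `-e`) is truthy in Jinja and will include the ssl tasks regardless. `when: es_enable_http_ssl|bool or es_enable_transport_ssl|bool` keeps the three places consistent. The same applies to the first condition of the new validation task in this commit.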


@ -58,19 +58,33 @@ xpack.notification.email:
{% if es_enable_http_ssl | bool %} {% if es_enable_http_ssl | bool %}
xpack.security.http.ssl.enabled: true xpack.security.http.ssl.enabled: true
{% if es_ssl_keystore and es_ssl_truststore %}
xpack.security.http.ssl.keystore.path: : "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}"
xpack.security.http.ssl.truststore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}"
{% elif es_ssl_key and es_ssl_certificate%}
xpack.security.http.ssl.key: "{{ es_ssl_certificate_path }}/{{ es_ssl_key | basename }}" xpack.security.http.ssl.key: "{{ es_ssl_certificate_path }}/{{ es_ssl_key | basename }}"
xpack.security.http.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate | basename }}" xpack.security.http.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate | basename }}"
#xpack.security.http.ssl.client_authentication: optional
{% if es_ssl_certificate_authority %} {% if es_ssl_certificate_authority %}
xpack.security.http.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}" xpack.security.http.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
{% endif %} {% endif %}
{% endif %}
{% else %} {% else %}
# xpack.security.http.ssl.enabled: false # xpack.security.http.ssl.enabled: false
{% endif %} {% endif %}
{% if es_enable_transport_ssl | bool %} {% if es_enable_transport_ssl | bool %}
xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.enabled: true
#xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.verification_mode: {{ es_ssl_verification_mode }}
{% if es_ssl_keystore and es_ssl_truststore %}
xpack.security.transport.ssl.keystore.path: : "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}"
xpack.security.transport.ssl.truststore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}"
{% elif es_ssl_key and es_ssl_certificate%}
xpack.security.transport.ssl.key: "{{ es_ssl_certificate_path }}/{{ es_ssl_key | basename }}"
xpack.security.transport.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate | basename }}"
{% if es_ssl_certificate_authority %}
xpack.security.transport.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
{% endif %}
{% endif %}
{% else %} {% else %}
# xpack.security.transport.ssl.enabled: false # xpack.security.transport.ssl.enabled: false
{% endif %} {% endif %}
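Review bot: Both keystore path lines carry a doubled colon — `xpack.security.http.ssl.keystore.path: : "..."` and `xpack.security.transport.ssl.keystore.path: : "..."` — which renders as `key: : "value"` and is not valid YAML, so Elasticsearch will refuse its config as soon as the keystore branch is taken; drop the stray `:` on both lines. The keystore branch also sets no `keystore.secure_password`/`truststore.secure_password`: if the stores are password-protected those values have to be added to the Elasticsearch keystore (`elasticsearch-keystore add`), and nothing in this commit does that or tells the user to, so a comment on the branch would at least make the gap explicit. Note also that `es_ssl_verification_mode` is applied to the transport layer only; if leaving HTTP at its default is intentional, a one-line comment saying so would stop the next reader from "fixing" it. Minor: `{% elif es_ssl_key and es_ssl_certificate%}` is missing the space before `%}` in both places.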