Add option to forgo autogenerated SSL config

pemontto 2019-11-15 12:24:29 +00:00
parent 9496192bc3
commit 8156ab4821
No known key found for this signature in database
GPG key ID: EDCB93C3DA1B5DA9
3 changed files with 6 additions and 6 deletions

@ -2,6 +2,8 @@
The role allows configuring HTTP and transport layer SSL/TLS for the cluster. You will need to generate and provide your own PKCS12 or PEM encoded certificates as described in [Encrypting communications in Elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/7.4/configuring-tls.html#configuring-tls).
If you don't want this role to add autogenerated SSL configuration to elasticsearch.yml set `es_enable_auto_ssl_configuration` to `false` (default: `true`).
The following should be configured to ensure a security-enabled cluster successfully forms:
* `es_enable_http_ssl` Default `false`. Setting this to `true` will enable HTTP client SSL/TLS
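Review bot: The added sentence "If you don't want this role to add autogenerated SSL configuration to elasticsearch.yml ..." does not say what the operator has to supply once `es_enable_auto_ssl_configuration` is `false`, and it sits directly above "The following should be configured to ensure a security-enabled cluster successfully forms" without saying whether that list still applies. Because the paragraph above tells readers to provide their own certificates, "autogenerated" can also be misread as certificate generation. Suggest stating that only the SSL/TLS settings the role writes to elasticsearch.yml are skipped, that the operator then has to define the HTTP and transport SSL settings themselves, and whether `es_enable_http_ssl` still has any effect in that mode, so that turning the flag off is not mistaken for a complete TLS setup.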
@ -38,6 +40,7 @@ $ bin/elasticsearch-certutil cert --ca ./my-ca.p12 --out ./my-keystore.p12 --pas
## Additional optional SSL/TLS configuration
* `es_enable_auto_ssl_configuration` Default `true`. Whether this role should add automatically generated SSL config to elasticsearch.yml.
* `es_ssl_certificate_path` Default `{{ es_conf_dir }}/certs`. The location where certificates should be stored on the ES node.
* `es_ssl_verification_mode` Default `certificate`. See [SSL verification_mode](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#ssl-tls-settings) for options.
* `es_ssl_certificate_authority` PEM encoded certificate file that should be trusted.
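Review bot: The new `es_enable_auto_ssl_configuration` bullet at the top of this list does not say what happens to the options below it (`es_ssl_certificate_path`, `es_ssl_verification_mode`, `es_ssl_certificate_authority`) when it is set to `false`. If they are ignored in that case, say so in the bullet, otherwise a reader may set `es_ssl_verification_mode` and assume it is being applied. The wording also differs from the sentence added in the first hunk ("autogenerated SSL configuration" there, "automatically generated SSL config" here); use one phrasing in both places.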