Add docs on running the role with 8.X (#847)

* Add doc on 8.x support * Updating top level readme
2022-06-24 06:41:26 +02:00 · 2022-06-24 06:41:26 +02:00 · af05c6470e
commit af05c6470e
parent ff5f1b3ad1
2 changed files with 123 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -1,7 +1,10 @@
 # ARCHIVED

-This project is no longer maintained. For alternative getting started
-experiences, you may want to try one of these options:
+This project is no longer maintained.
+
+You are welcomed to keep using it and adapting it to work for your own needs, including with Elasticsearch [8.x](docs/8x-support.md).
+
+For alternative getting started experiences, you may want to try one of these options:

 - Start a [free trial on Elastic Cloud](https://www.elastic.co/cloud/elasticsearch-service/signup), our hosted service.
 - Take a look at [Elastic Cloud on Kubernetes (ECK)](https://elastic.co/guide/en/cloud-on-k8s/current/k8s-quickstart.html) for launching the stack via Kubernetes.
@ -9,13 +12,12 @@ experiences, you may want to try one of these options:
 - Take a look at the [Elastic Stack Terraform provider.](https://github.com/elastic/terraform-provider-elasticstack)

 # ansible-elasticsearch
-[![Build Status](https://img.shields.io/jenkins/s/https/devops-ci.elastic.co/job/elastic+ansible-elasticsearch+main.svg)](https://devops-ci.elastic.co/job/elastic+ansible-elasticsearch+main/)
 [![Ansible Galaxy](https://img.shields.io/badge/ansible--galaxy-elastic.elasticsearch-blue.svg)](https://galaxy.ansible.com/elastic/elasticsearch/)


-**THIS ROLE IS FOR 7.x & 6.x**
+**THIS ROLE IS FOR 7.x & 6.x**, but should still work with 8.x (see [note](docs/8x-support.md)).

-Ansible role for 7.x/6.x Elasticsearch.  Currently this works on Debian and RedHat based linux systems. Tested platforms are:
+Ansible role for 7.x/6.x Elasticsearch - tests used to run and pass on the below platforms:

 * Ubuntu 16.04
 * Ubuntu 18.04
@ -26,8 +28,6 @@ Ansible role for 7.x/6.x Elasticsearch.  Currently this works on Debian and RedH
 * CentOS 7
 * Amazon Linux 2

-The latest Elasticsearch versions of 7.x & 6.x are actively tested.
-
 ## BREAKING CHANGES

 ### Notice about multi-instance support
--- a/docs/8x-support.md
+++ b/docs/8x-support.md
@ -0,0 +1,116 @@
+# 8.x support
+
+In [December 2021](https://github.com/elastic/ansible-elasticsearch/pull/838), we made the hard decision to deprecate this Ansible playbook without adding support for Elasticsearch 8.X. 
+We acknowledge the impact this has had on many developers and organizations, and while we are not reverting the decision, we decided to share some guidelines around how to proceed from here, for folks wanting to keep using this playbook with Elasticsearch 8.X.
+
+---
+
+At a high level, this role is expected to work in most cases for fresh installs and upgrades from 7.17+ by only overriding the `es_version` variable as long as the security is enforced properly using the [SSL/TLS doc](ssl-tls-setup.md).
+
+1. install the last released version of the role from galaxy: `ansible-galaxy install elastic.elasticsearch,v7.17.0`
+
+2. copy the TLS PKCS12 keystore and truststore (https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#security-http-pkcs12-files) 
+
+3. write a minimal playbook to deploy 8.2.3 on localhost:
+```yaml
+- hosts: localhost
+  roles:
+    - elastic.elasticsearch
+  vars:
+    es_version: 8.2.3
+    es_api_basic_auth_username: elastic
+    es_api_basic_auth_password: changeme
+    es_enable_http_ssl: true
+    es_enable_transport_ssl: true
+    es_ssl_keystore: "certs/keystore-password.p12"
+    es_ssl_truststore: "certs/truststore-password.p12"
+    es_ssl_keystore_password: password1
+    es_ssl_truststore_password: password2
+    es_validate_certs: no
+```
+
+4. deploy locally: `ansible-playbook es.yml`
+
+## Context for the below experiment
+
+The intent is to assess if the current playbook can still work with ES 8.X and what modifications may be needed. The testing was done on Ubuntu 20.04 and CentOS7 GCP VMs.
+
+The only code change done in the Ansible playbook was the override of the `es_version` variable.
+
+### What is working
+
+- ✅ Deploying a standalone Elasticsearch cluster in 8.2.3 with the security example playbook from 7.x:
+- ✅ managing Elasticsearch users
+- ✅ upgrading a 7.17.0 standalone cluster **with security already enabled** to 8.2.3
+- ✅ managing Elasticsearch license
+
+The below configuration was used in the tests
+
+```yaml
+- hosts: localhost
+  roles:
+  - elastic.elasticsearch
+  vars:
+    es_config:
+      xpack.security.authc.realms.file.file1.order: 0
+    es_api_basic_auth_username: elastic
+    es_api_basic_auth_password: changeme
+    es_api_sleep: 5
+    es_enable_http_ssl: true
+    es_enable_transport_ssl: true
+    es_ssl_keystore: "test/integration/files/certs/keystore-password.p12"
+    es_ssl_truststore: "test/integration/files/certs/truststore-password.p12"
+    es_ssl_keystore_password: password1
+    es_ssl_truststore_password: password2
+    es_validate_certs: no
+    es_users:
+      file:
+        es_admin:
+          password: changeMe
+          roles:
+          - admin
+        testUser:
+          password: changeMeAlso!
+          roles:
+          - power_user
+          - user
+    es_roles:
+      file:
+        admin:
+          cluster:
+          - all
+          indices:
+          - names: '*'
+             privileges:
+              - all
+      power_user:
+        cluster:
+          - monitor
+        indices:
+          - names: '*'
+            privileges:
+              - all
+      user:
+        indices:
+          - names: '*'
+            privileges:
+              - read
+```             
+
+### What is not working
+
+**Deploying an 8.X cluster with the default Ansible configuration (no security) will not work.**
+
+When runnin Elasticsearch 8.x outside of Ansible without any security configuration, Elasticsearch will autogenerate a security configuration and still activate security.
+However, when you run Elasticsearch 8.x as part of the Ansible role without any security configuration, this will fail because the Ansible role will not be able to retrieve and use the autogenerated security configuration.
+
+To tackle this, you always have to specify your own security configuration based on the [SSL/TLS doc](ssl-tls-setup.md).
+
+
+### What has not been tested
+
+**Deploying a 3 nodes cluster**
+
+When trying to deploy a 3 nodes clusters, the nodes seem to be configured successfully but they aren't able to communicate together with the test certificates (the ones used in automated standalone tests). It's highly likely that the problem lies with the tests certs themselves and not with the role.
+
+Should you be able to deploy a multi-node clusters, you will most likely have to change the configuration to use the new `node.roles` parameter ([example](https://github.com/elastic/ansible-elasticsearch/pull/772)) instead of the `node.master` and `node.data` (which got deprecated in 7.9, but the role never got [fixed](https://github.com/elastic/ansible-elasticsearch/issues/731).