Add option for invalid certificates

2019-10-12 00:03:47 +01:00 · 2019-10-12 00:03:47 +01:00 · d0064c6a88
commit d0064c6a88
parent 551d93b646
8 changed files with 21 additions and 6 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -44,7 +44,7 @@ es_debian_startup_timeout: 10
 # JVM custom parameters
 es_jvm_custom_parameters: ''

-es_security_api: "_{{ 'xpack/security' if es_version is version_compare('7.0.0', '<=') else 'security' }}"
+es_security_api: "{{ '_security' if es_version is version_compare('7.0.0', '>=') else '_xpack/security' }}"

 # SSL/TLS parameters
 es_enable_http_ssl: false
@ -56,3 +56,4 @@ es_ssl_certificate: ""
 es_ssl_certificate_authority: ""
 es_ssl_certificate_path: "/etc/elasticsearch/certs"
 es_ssl_verification_mode: "certificate"
+es_validate_certs: "yes"
--- a/tasks/compatibility-variables.yml
+++ b/tasks/compatibility-variables.yml
@ -24,7 +24,7 @@
  when:
    - not es_enable_xpack

- name: Set the URL scheme based if http ssl/tls is enabled
+- name: Set the URL scheme to https if SSL/TLS is enabled
  set_fact:
    es_api_scheme: "https"
-  when: es_enable_http_ssl
+  when: es_enable_http_ssl | bool
--- a/tasks/elasticsearch-ssl.yml
+++ b/tasks/elasticsearch-ssl.yml
@ -32,4 +32,6 @@
  copy:
    src: "{{ es_ssl_certificate_authority }}"
    dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
-  when: es_ssl_certificate_authority
+  #Restart if this changes
+  notify: restart elasticsearch
+  when: es_ssl_certificate_authority | bool
--- a/tasks/elasticsearch-template.yml
+++ b/tasks/elasticsearch-template.yml
@ -24,6 +24,7 @@
    force_basic_auth: yes
    body_format: json
    body: "{{ lookup('file', item) }}"
+    validate_certs: "{{ es_validate_certs }}"
  when: load_templates.changed and es_start_service
  with_fileglob:
    - "{{ es_templates_fileglob | default('') }}"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -56,6 +56,8 @@
 - name: include elasticsearch-ssl.yml
  include: elasticsearch-ssl.yml
  when: es_enable_http_ssl or es_enable_transport_ssl
+  tags:
+      - xpack

 - name: flush handlers
  meta: flush_handlers
--- a/tasks/xpack/security/elasticsearch-security-native.yml
+++ b/tasks/xpack/security/elasticsearch-security-native.yml
@ -27,6 +27,7 @@
    password: "{{es_api_basic_auth_password}}"
    force_basic_auth: yes
    status_code: 200
+    validate_certs: "{{ es_validate_certs }}"
  register: user_list_response
  when: manage_native_users
  check_mode: no
@ -59,6 +60,7 @@
    user: "{{es_api_basic_auth_username}}"
    password: "{{es_api_basic_auth_password}}"
    force_basic_auth: yes
+    validate_certs: "{{ es_validate_certs }}"
  when: change_api_password

 - name: set fact es_api_basic_auth_password
@ -79,6 +81,7 @@
    user: "{{es_api_basic_auth_username}}"
    password: "{{es_api_basic_auth_password}}"
    force_basic_auth: yes
+    validate_certs: "{{ es_validate_certs }}"
  when: manage_native_users
  with_items: "{{ users_to_remove | default([]) }}"

@ -102,6 +105,7 @@
    user: "{{es_api_basic_auth_username}}"
    password: "{{es_api_basic_auth_password}}"
    force_basic_auth: yes
+    validate_certs: "{{ es_validate_certs }}"
  when: native_users[item].password is defined
  no_log: True
  with_items: "{{ users_to_ignore | default([]) }}"
@ -121,6 +125,7 @@
    user: "{{es_api_basic_auth_username}}"
    password: "{{es_api_basic_auth_password}}"
    force_basic_auth: yes
+    validate_certs: "{{ es_validate_certs }}"
  when: manage_native_users
  no_log: True
  with_items: "{{ users_to_modify | default([]) }}"
@ -137,6 +142,7 @@
    password: "{{es_api_basic_auth_password}}"
    force_basic_auth: yes
    status_code: 200
+    validate_certs: "{{ es_validate_certs }}"
  register: role_list_response
  when: manage_native_roles
  check_mode: no
@ -171,6 +177,7 @@
    user: "{{es_api_basic_auth_username}}"
    password: "{{es_api_basic_auth_password}}"
    force_basic_auth: yes
+    validate_certs: "{{ es_validate_certs }}"
  when: manage_native_roles
  with_items: "{{roles_to_remove | default([]) }}"

@ -189,5 +196,6 @@
    user: "{{es_api_basic_auth_username}}"
    password: "{{es_api_basic_auth_password}}"
    force_basic_auth: yes
+    validate_certs: "{{ es_validate_certs }}"
  when: manage_native_roles
  with_items: "{{ roles_to_modify | default([]) }}"
--- a/tasks/xpack/security/elasticsearch-xpack-activation.yml
+++ b/tasks/xpack/security/elasticsearch-xpack-activation.yml
@ -9,6 +9,7 @@
    body: "{{ es_xpack_license }}"
    return_content: yes
    force_basic_auth: yes
+    validate_certs: "{{ es_validate_certs }}"
  register: license_activated
  no_log: True
  failed_when: >