santerikainulainen/ansible-role-elasticsearch
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add SSL/TLS support

Browse source 
This commit introduces SSL/TLS support for the elastic search transport
layer. It assumes certificates are generated externally, and only
handles uploading and configuring the server accordingly.
This commit is contained in:
Aeva Black 2019-06-27 13:53:23 -07:00
parent 5b1d028bd2
commit d7efa2048a
4 changed files with 53 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
defaults/main.yml
View file

@ -40,3 +40,11 @@ es_debian_startup_timeout: 10
# JVM custom parameters # JVM custom parameters
es_jvm_custom_parameters: '' es_jvm_custom_parameters: ''
# SSL/TLS parameters
es_enable_http_ssl: false
es_enable_transport_ssl: false
es_ssl_key: ""
es_ssl_certificate: ""
es_ssl_certificate_authority: ""
es_ssl_certificate_path: "/etc/elasticsearch/certs"

23
tasks/elasticsearch-ssl.yml Normal file
View file

@ -0,0 +1,23 @@
---
- name: ensure certificate directory exists
file:
dest: "{{ es_ssl_certificate_path }}"
state: directory
- name: Upload HTTP SSL/TLS certificates
copy:
src: "{{ item }}"
dest: "{{ es_ssl_certificate_path }}/{{ item | basename }}"
with_items:
- "{{ es_ssl_key }}"
- "{{ es_ssl_certificate }}"
when: es_enable_http_ssl|bool or es_enable_transport_ssl|bool
- local_action: stat path="{{ role_path }}/files/{{ es_ssl_certificate_authority }}"
register: es_cafile
- name: Upload SSL Certificate Authority
copy:
src: "{{ es_ssl_certificate_authority }}"
dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
when: es_cafile.stat.exists|bool and es_cafile.stat.isreg|bool

3
tasks/main.yml
View file

@ -51,6 +51,9 @@
tags: tags:
- xpack - xpack
- name: include ssl.yml
include: elasticsearch-ssl.yml
- name: flush handlers - name: flush handlers
meta: flush_handlers meta: flush_handlers

19
templates/elasticsearch.yml.j2
View file

@ -55,3 +55,22 @@ xpack.notification.email:
password: {{ es_mail_config['pass'] }} password: {{ es_mail_config['pass'] }}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if es_enable_http_ssl | bool %}
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: "{{ es_ssl_certificate_path }}/{{ es_ssl_key | basename }}"
xpack.security.http.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate | basename }}"
#xpack.security.http.ssl.client_authentication: optional
{% if es_ssl_certificate_authority %}
xpack.security.http.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
{% endif %}
{% else %}
# xpack.security.http.ssl.enabled: false
{% endif %}
{% if es_enable_transport_ssl | bool %}
xpack.security.transport.ssl.enabled: true
#xpack.security.transport.ssl.verification_mode: certificate
{% else %}
# xpack.security.transport.ssl.enabled: false
{% endif %}