From e01af7977ff89dd50e2a023c599a909305acf627 Mon Sep 17 00:00:00 2001
From: pemontto
Date: Wed, 16 Oct 2019 16:36:43 +0100
Subject: [PATCH] Better support for different truststores

---
 tasks/elasticsearch-ssl.yml | 74 +++++++++++++++++++++----------------
 1 file changed, 43 insertions(+), 31 deletions(-)

diff --git a/tasks/elasticsearch-ssl.yml b/tasks/elasticsearch-ssl.yml
index f35e381..9f83024 100644
--- a/tasks/elasticsearch-ssl.yml
+++ b/tasks/elasticsearch-ssl.yml
@@ -1,20 +1,32 @@
 ---
+
+- name: set fact es_same_keystore
+  set_fact: es_same_keystore=false
+
+- name: set fact es_same_keystore if stores match
+  set_fact: es_same_keystore=false
+  when: es_ssl_keystore == es_ssl_truststore
+
 - name: ensure certificate directory exists
   file:
     dest: "{{ es_ssl_certificate_path }}"
     state: directory
 
-- name: Upload SSL/TLS keystore and truststore
+- name: Upload SSL/TLS keystore
   copy:
-    src: "{{ item }}"
-    dest: "{{ es_ssl_certificate_path }}/{{ item | basename }}"
-  with_items:
-    - "{{ es_ssl_keystore }}"
-    - "{{ es_ssl_truststore }}"
+    src: "{{ es_ssl_keystore }}"
+    dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}"
   when: es_ssl_keystore and es_ssl_truststore
-  #Restart if these change
   notify: restart elasticsearch
-  register: copy_keystores
+  register: copy_keystore
+
+- name: Upload SSL/TLS truststore
+  copy:
+    src: "{{ es_ssl_truststore }}"
+    dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}"
+  when: es_ssl_keystore and es_ssl_truststore
+  notify: restart elasticsearch
+  register: copy_truststore
 
 - name: Upload SSL/TLS key and certificate
   copy:
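Review bot: The second set_fact task, `set_fact: es_same_keystore=false` guarded by `when: es_ssl_keystore == es_ssl_truststore`, assigns the same value as the unconditional default just above it, so es_same_keystore can never become true; it should read `set_fact: es_same_keystore=true`. With the fact stuck at false the `es_same_keystore` branches in the later `when:` conditions are dead code, and when one file serves as both stores the truststore copy presumably registers no change (the keystore task already placed the same file at the same path), so the truststore password is never written to the Elasticsearch keystore. Both tasks could be collapsed into one block-form fact, `es_same_keystore: "{{ es_ssl_keystore == es_ssl_truststore }}"` under `set_fact:`, which removes the default/override pair and the room for this kind of slip.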
@@ -36,23 +48,39 @@
   notify: restart elasticsearch
   when: es_ssl_certificate_authority | bool
 
-- name: Set transport keystore password
+- name: Set keystore password
   shell: echo "{{ es_ssl_keystore_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.keystore.secure_password'
   no_log: True
-  when: es_ssl_keystore_password and copy_keystores.changed
+  when: es_ssl_keystore_password and copy_keystore.changed or (es_same_keystore and copy_truststore.changed)
   with_items:
     - http
     - transport
 
-- name: Set transport truststore password
+- name: Set truststore password
   shell: echo "{{ es_ssl_truststore_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.truststore.secure_password'
   no_log: True
-  when: es_ssl_truststore_password and copy_keystores.changed
+  when: es_ssl_truststore_password and copy_truststore.changed or (es_same_keystore and copy_keystore.changed)
   with_items:
     - http
     - transport
 
-- name: Set transport key password
+- name: Remove keystore password
+  shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.keystore.secure_password'"
+  when: es_ssl_keystore_password == "" and copy_keystore.changed or (es_same_keystore and copy_truststore.changed)
+  ignore_errors: yes
+  with_items:
+    - http
+    - transport
+
+- name: Remove truststore password
+  shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.truststore.secure_password'"
+  when: es_ssl_truststore_password == "" and copy_truststore.changed or (es_same_keystore and copy_keystore.changed)
+  ignore_errors: yes
+  with_items:
+    - http
+    - transport
+
+- name: Set key password
   shell: echo "{{ es_ssl_key_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.secure_key_passphrase'
   no_log: True
   when: es_ssl_key_password and copy_certificates.changed
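Review bot: The four rewritten `when:` conditions mix `and` and `or` without grouping, and since `and` binds tighter than `or`, `es_ssl_truststore_password == "" and copy_truststore.changed or (es_same_keystore and copy_keystore.changed)` on "Remove truststore password" is true whenever the shared store changed, regardless of whether a truststore password is configured; because that task runs after "Set truststore password" it would remove the secure_password entry the previous task just stored. The mirror case in "Set keystore password" and "Set truststore password" pipes an empty `echo ""` into `elasticsearch-keystore add` when the password is unset but the other store changed. Group the change test instead, `when: es_ssl_truststore_password == "" and (copy_truststore.changed or (es_same_keystore and copy_keystore.changed))`, and apply the same parenthesisation to the other three tasks. As committed this is masked because es_same_keystore is never set to true in the first hunk, so fixing that hunk alone would expose this one.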
@@ -60,26 +88,10 @@
     - http
     - transport
 
-- name: Remove transport keystore password
-  shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.keystore.secure_password'"
-  no_log: True
-  when: es_ssl_keystore_password == "" and copy_keystores.changed
-  with_items:
-    - http
-    - transport
-
-- name: Remove transport truststore password
-  shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.truststore.secure_password'"
-  no_log: True
-  when: es_ssl_truststore_password == "" and copy_keystores.changed
-  with_items:
-    - http
-    - transport
-
-- name: Remove transport key password
+- name: Remove key password
   shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.secure_key_passphrase'"
-  no_log: True
   when: es_ssl_key_password == "" and copy_certificates.changed
+  ignore_errors: yes
   with_items:
     - http
     - transport
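Review bot: `ignore_errors: yes` on "Remove key password" (and on the two Remove tasks added in the previous hunk) suppresses every failure of `elasticsearch-keystore remove`, including a wrong `es_home`, a missing or unreadable keystore file and permission errors, where the intent is presumably only to tolerate a setting that is not present. Register the result and fail on anything but that case, e.g. `register: remove_key_password` with `failed_when: remove_key_password.rc != 0 and 'does not exist' not in remove_key_password.stderr`, after confirming the not-present message wording against the installed elasticsearch-keystore version. Dropping `no_log: True` here is reasonable since the remove command carries no secret, but the file otherwise spells booleans as `True`; prefer `true` over `yes` for `ignore_errors` so the tasks follow one convention.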