Better support for different truststores

This commit is contained in:
pemontto 2019-10-16 16:36:43 +01:00
parent 2b0343e135
commit e01af7977f
No known key found for this signature in database
GPG key ID: EDCB93C3DA1B5DA9


@ -1,20 +1,32 @@
---
- name: set fact es_same_keystore
set_fact: es_same_keystore=false
- name: set fact es_same_keystore if stores match
set_fact: es_same_keystore=false
when: es_ssl_keystore == es_ssl_truststore
- name: ensure certificate directory exists
file:
dest: "{{ es_ssl_certificate_path }}"
state: directory
- name: Upload SSL/TLS keystore and truststore
- name: Upload SSL/TLS keystore
copy:
src: "{{ item }}"
dest: "{{ es_ssl_certificate_path }}/{{ item | basename }}"
with_items:
- "{{ es_ssl_keystore }}"
- "{{ es_ssl_truststore }}"
src: "{{ es_ssl_keystore }}"
dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}"
when: es_ssl_keystore and es_ssl_truststore
#Restart if these change
notify: restart elasticsearch
register: copy_keystores
register: copy_keystore
- name: Upload SSL/TLS truststore
copy:
src: "{{ es_ssl_truststore }}"
dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}"
when: es_ssl_keystore and es_ssl_truststore
notify: restart elasticsearch
register: copy_truststore
- name: Upload SSL/TLS key and certificate
copy:
@ -36,23 +48,39 @@
notify: restart elasticsearch
when: es_ssl_certificate_authority | bool
- name: Set transport keystore password
- name: Set keystore password
shell: echo "{{ es_ssl_keystore_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.keystore.secure_password'
no_log: True
when: es_ssl_keystore_password and copy_keystores.changed
when: es_ssl_keystore_password and copy_keystore.changed or (es_same_keystore and copy_truststore.changed)
with_items:
- http
- transport
- name: Set transport truststore password
- name: Set truststore password
shell: echo "{{ es_ssl_truststore_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.truststore.secure_password'
no_log: True
when: es_ssl_truststore_password and copy_keystores.changed
when: es_ssl_truststore_password and copy_truststore.changed or (es_same_keystore and copy_keystore.changed)
with_items:
- http
- transport
- name: Set transport key password
- name: Remove keystore password
shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.keystore.secure_password'"
when: es_ssl_keystore_password == "" and copy_keystore.changed or (es_same_keystore and copy_truststore.changed)
ignore_errors: yes
with_items:
- http
- transport
- name: Remove truststore password
shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.truststore.secure_password'"
when: es_ssl_truststore_password == "" and copy_truststore.changed or (es_same_keystore and copy_keystore.changed)
ignore_errors: yes
with_items:
- http
- transport
- name: Set key password
shell: echo "{{ es_ssl_key_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.secure_key_passphrase'
no_log: True
when: es_ssl_key_password and copy_certificates.changed
@ -60,26 +88,10 @@
- http
- transport
- name: Remove transport keystore password
shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.keystore.secure_password'"
no_log: True
when: es_ssl_keystore_password == "" and copy_keystores.changed
with_items:
- http
- transport
- name: Remove transport truststore password
shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.truststore.secure_password'"
no_log: True
when: es_ssl_truststore_password == "" and copy_keystores.changed
with_items:
- http
- transport
- name: Remove transport key password
- name: Remove key password
shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.secure_key_passphrase'"
no_log: True
when: es_ssl_key_password == "" and copy_certificates.changed
ignore_errors: yes
with_items:
- http
- transport
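Review bot: The new `es_same_keystore` fact in the first hunk never becomes true: the conditional task guarded by `when: es_ssl_keystore == es_ssl_truststore` assigns `es_same_keystore=false`, the same value as the unconditional default just above it, so every `(es_same_keystore and ...)` clause added in the second hunk is dead and the single-store case this commit is meant to support is not handled; the fix is the one-word change `set_fact: es_same_keystore=true` on that second task. Once the fact is correct, the new `when` expressions on the "Set keystore password", "Set truststore password", "Remove keystore password" and "Remove truststore password" tasks have a precedence problem: Jinja binds `and` tighter than `or`, so `es_ssl_keystore_password and copy_keystore.changed or (es_same_keystore and copy_truststore.changed)` fires on the same-store branch regardless of whether the password is empty, which lets the Set and Remove tasks both run in one play with the Remove winning, and the keystore copy task itself therefore lets the empty-password Set task feed `echo ""` into `elasticsearch-keystore add`. Parenthesising the store-change test gives the intended meaning, e.g. `when: es_ssl_keystore_password and (copy_keystore.changed or (es_same_keystore and copy_truststore.changed))` and `when: es_ssl_keystore_password == "" and (copy_keystore.changed or (es_same_keystore and copy_truststore.changed))`, applied symmetrically to the truststore pair. The two relocated Remove tasks also drop the `no_log: True` their deleted predecessors carried and introduce `ignore_errors: yes`; the remove command prints no secret, so this is mostly a style point, but `ignore_errors: true` matches the file's lowercase boolean usage and yamllint's truthy rule.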