santerikainulainen/ansible-role-elasticsearch
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add an option to not upload SSL/TLS certs (#727)

Browse source
This commit is contained in:
Samuel Mutel 2020-10-12 10:02:25 +02:00 committed by GitHub
parent 2a3793ce82
commit fdfaa5c888
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 9 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

1
defaults/main.yml
View file

@ -55,6 +55,7 @@ es_heap_dump_path: "/var/lib/elasticsearch"
es_enable_auto_ssl_configuration: true
es_enable_http_ssl: false
es_enable_transport_ssl: false
es_ssl_upload: true
es_ssl_keystore: ""
es_ssl_keystore_password: ""
es_ssl_truststore: ""

2
docs/ssl-tls-setup.md
View file

@ -2,6 +2,8 @@
The role allows configuring HTTP and transport layer SSL/TLS for the cluster. You will need to generate and provide your own PKCS12 or PEM encoded certificates as described in [Encrypting communications in Elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/7.4/configuring-tls.html#configuring-tls).
By default this role will upload the certs to your elasticsearch servers. If you already copied the certs by your own way, set `es_ssl_upload` to `false` (default: `true`)
If you don't want this role to add autogenerated SSL configuration to elasticsearch.yml set `es_enable_auto_ssl_configuration` to `false` (default: `true`).
The following should be configured to ensure a security-enabled cluster successfully forms:

11
tasks/elasticsearch-ssl.yml
View file

@ -7,7 +7,7 @@
set_fact: es_same_keystore=true
when: es_ssl_keystore == es_ssl_truststore
- name: ensure certificate directory exists
- name: Ensure certificate directory exists
become: yes
file:
dest: "{{ es_ssl_certificate_path }}"
@ -15,6 +15,7 @@
owner: root
group: "{{ es_group }}"
mode: "750"
when: es_ssl_upload
- name: Upload SSL/TLS keystore
become: yes
@ -24,7 +25,7 @@
owner: "{{ es_user }}"
group: "{{ es_group }}"
mode: "640"
when: es_ssl_keystore and es_ssl_truststore
when: es_ssl_upload and es_ssl_keystore and es_ssl_truststore
notify: restart elasticsearch
register: copy_keystore
@ -36,7 +37,7 @@
owner: "{{ es_user }}"
group: "{{ es_group }}"
mode: "640"
when: es_ssl_keystore and es_ssl_truststore
when: es_ssl_upload and es_ssl_keystore and es_ssl_truststore
notify: restart elasticsearch
register: copy_truststore
@ -51,7 +52,7 @@
with_items:
- "{{ es_ssl_key }}"
- "{{ es_ssl_certificate }}"
when: es_ssl_key and es_ssl_certificate
when: es_ssl_upload and es_ssl_key and es_ssl_certificate
#Restart if these change
notify: restart elasticsearch
register: copy_certificates
@ -66,7 +67,7 @@
mode: "640"
#Restart if this changes
notify: restart elasticsearch
when: (es_ssl_certificate_authority is defined) and (es_ssl_certificate_authority|length > 0)
when: es_ssl_upload and (es_ssl_certificate_authority is defined) and (es_ssl_certificate_authority|length > 0)
- name: Set keystore password
become: yes