Add code for automatic updates

NOTICE.md

@@ -4,4 +4,4 @@
 
 Here's a list of sponsors who contributed by having the collection improved via outsourcing to NETWAYS.
 
-* CID GmbH : Thank you so much for sponsoring. Especially the feature to have different types of Elasticsearch nodes in the cluster.
+* CID GmbH : Thank you so much for sponsoring. Especially the feature to have different types of Elasticsearch nodes in the cluster and the ingetration of rolling upgrades.

README.md

@@ -79,13 +79,13 @@ You will want to have reliable DNS resolution or enter all hosts of the stack in
 
 The variable `elasticstack_no_log` can be set to `false` if you want to see the output of all tasks. It defaults to `true` because some tasks could reveal passwords in production.
 
-### Versioning
+### Versions and upgrades
 
-*elasticstack_version*: Version number of tools to install. Only set if you don't want the latest. (default: none).
+*elasticstack_version*: Version number of tools to install. Only set if you don't want the latest on new setups. (default: none). If you already have an installation of Elastic Stack, this collection will query the version of Elasticsearch on the CA host and use it for all further installations in the same setup. (Only if you run the `elasticsearch` role before all others) Example: `7.17.2`
 
-*elasticstack_release*: Major release version of Elastic stack to configure. (default: `7`)
+*elasticstack_release*: Major release version of Elastic stack to configure. (default: `7`) Make sure it corresponds to `elasticstack_version` if you set both.
 
-For OSS version see `elasticstack_variant` below. **IMPORTANT** Do not change the version once you have set up the stack. There are unpredictable effects to be expected when using this for upgrades. And upgrade mechanism is already on it's way. (default: none. Example: `7.17.2`)
+For OSS version see `elasticstack_variant` below.
 
 *elasticstack_variant*: Variant of the stack to install. Valid values: `elastic` or `oss`. (default: `elastic`)
 
@@ -99,6 +99,14 @@ roles:
         elasticstack_version: 8.8.1
 ```
 
+#### Upgrades ####
+
+Set `elasticstack_version` to the version you want to upgrade to. Positively do read and understand Elastics changelog and "breaking changes" of your target version and all between your current and the target version. Do not use unless you have a valid backup.
+
+If an upgrade fails, you can try re-running the collection with the same settings. There are several tasks that can provide "self-healing". Please do not rely on these mechanisms, they are more of a "convenience recovery" for easier steps.
+
+The collection will make sure to upgrade Elasticsearch nodes one by one.
+
 ### Default Passwords
 
 Default passwords can be seen during generation, or found later in `/usr/share/elasticsearch/initial_passwords`

docs/role-elasticsearch.md

@@ -13,6 +13,7 @@ Role Variables
 --------------
 
 * *elasticsearch_node_types*: List of types of this very node. Please refer to [official docs](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) for details. (default: not set. allowed value: array of types)
++ *elasticsearch_nodename*': Node name of the Elasticsearch node. (default: value of `ansible_hostname`)
 * *elasticsearch_clustername*: Name the Elasticsearch Cluster (default: `elasticsearch`)
 * *elasticsearch_heap*: Heapsize for Elasticsearch. (Half of free memory on host. Maximum 30GB. (default: Half of hosts memory. Min 1GB, Max 30GB)
 * *elasticsearch_tls_key_passphrase*: Passphrase for elasticsearch certificates (default: `PleaseChangeMeIndividually`)
@@ -53,6 +54,10 @@ This variable activates a workaround to start on systems that have certain harde
 * *elasticsearch_seed_hosts*: Set elasticsearch seed hosts
 * *elasticsearch_security_enrollment*: Controls enrollment (of nodes and Kibana) to a local node that’s been autoconfigured for security.
 
+The following variable was only integrated to speed up upgrades of non-production clusters. Use with caution and at your own risk:
+
+* *elasticsearch_unsafe_upgrade_restart*: This will still perform rolling upgrades, but will first update the package and then restart the service. In contrast the default behaviour is to stop the service, do the upgrade and then start again. (default: `false`)
+
 These variables are identical over all our elastic related roles, hence the different naming schemes.
 
 * *elasticstack_ca*: Set to the inventory hostname of the host that should house the CA for certificates for inter-node communication. (default: First node in the `elasticsearch` host group)

molecule/elasticstack_default/verify.yml

@@ -136,4 +136,3 @@
         success_msg: "'{{ item }}' was found in nodes.content"
       with_inventory_hostnames: all
       when: groups[elasticstack_elasticsearch_group_name] | length > 1
-

roles/beats/defaults/main.yml

@@ -6,7 +6,6 @@ beats_auditbeat: false
 beats_metricbeat: false
 beats_target_hosts:
   - localhost
-elasticstack_beats_port: 5044
 beats_logging: file
 beats_logpath: /var/log/beats
 beats_loglevel: info
@@ -58,23 +57,6 @@ beats_metricbeat_modules:
   - system
 beats_metricbeat_loadbalance: true
 
-elasticstack_release: 8
-elasticstack_full_stack: true
-elasticstack_variant: elastic
-elasticstack_security: true
-
-elasticstack_elasticsearch_group_name: elasticsearch
-elasticstack_logstash_group_name: logstash
-
-elasticstack_ca_dir: /opt/es-ca
-elasticstack_ca_pass: PleaseChangeMe
-elasticstack_initial_passwords: /usr/share/elasticsearch/initial_passwords
-elasticstack_elasticsearch_http_port: 9200
-elasticstack_no_log: true
 beats_cert_validity_period: 1095
 beats_cert_expiration_buffer: "+30d"
 beats_cert_will_expire_soon: false
-
-# Variables for debugging and development
-
-elasticstack_override_beats_tls: false

roles/beats/tasks/auditbeat.yml

@@ -16,20 +16,26 @@
     name: "{{ beats_auditbeat_package }}"
     enablerepo:
       - 'elastic-{{ elasticstack_release }}.x'
+  notify:
+    - Restart Auditbeat
   when:
     - ansible_os_family == "RedHat"
     - elasticstack_full_stack | bool
 
 - name: Install Auditbeat - rpm - standalone
   ansible.builtin.package:
     name: "{{ beats_auditbeat_package }}"
+  notify:
+    - Restart Auditbeat
   when:
     - ansible_os_family == "RedHat"
     - not elasticstack_full_stack | bool
 
 - name: Install Auditbeat - deb
   ansible.builtin.package:
     name: "{{ beats_auditbeat_package }}"
+  notify:
+    - Restart Auditbeat
   when:
     - ansible_os_family == "Debian"
 

roles/beats/tasks/beats-security.yml

@@ -1,17 +1,5 @@
 ---
 
-- name: Install packages for security tasks
-  ansible.builtin.package:
-    name:
-      - unzip
-      - python3-cryptography
-      - openssl
-  tags:
-    - certificates
-    - renew_ca
-    - renew_kibana_cert
-    - renew_beats_cert
-
 - name: Ensure beats certificate exists
   ansible.builtin.stat:
     path: "/etc/beats/certs/{{ inventory_hostname }}-beats.crt"

roles/beats/tasks/filebeat.yml

@@ -15,20 +15,26 @@
     name: "{{ beats_filebeat_package }}"
     enablerepo:
       - 'elastic-{{ elasticstack_release }}.x'
+  notify:
+    - Restart Filebeat
   when:
     - ansible_os_family == "RedHat"
     - elasticstack_full_stack | bool
 
 - name: Install Filebeat - rpm - standalone
   ansible.builtin.package:
     name: "{{ beats_filebeat_package }}"
+  notify:
+    - Restart Filebeat
   when:
     - ansible_os_family == "RedHat"
     - not elasticstack_full_stack | bool
 
 - name: Install Filebeat - deb
   ansible.builtin.package:
     name: "{{ beats_filebeat_package }}"
+  notify:
+    - Restart Filebeat
   when:
     - ansible_os_family == "Debian"
 

roles/beats/tasks/main.yml

@@ -1,10 +1,8 @@
 ---
 
-- name: Include OS specific vars
-  ansible.builtin.include_vars: '{{ item }}'
-  with_first_found:
-    - '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml'
-    - '{{ ansible_os_family }}.yml'
+- name: Include global role
+  ansible.builtin.import_role:
+    name: netways.elasticstack.elasticstack
 
 - name: Update apt cache.
   ansible.builtin.apt:
@@ -25,18 +23,6 @@
         - elasticstack_variant != "oss"
         - not elasticstack_override_beats_tls | bool
 
-    - name: Set elasticstack_ca variable if not already done by user
-      ansible.builtin.set_fact:
-        elasticstack_ca: "{{ groups[elasticstack_elasticsearch_group_name][0] }}"
-      when:
-        - beats_security | bool
-        - elasticstack_ca is undefined
-        - groups[elasticstack_elasticsearch_group_name] is defined
-      tags:
-        - certificates
-        - renew_ca
-        - renew_beats_cert
-
     - name: Set beats_ca_dir if whole stack is used
       ansible.builtin.set_fact:
         beats_ca_dir: "/etc/beats/certs"

roles/beats/tasks/metricbeat.yml

@@ -16,20 +16,26 @@
     name: "{{ beats_metricbeat_package }}"
     enablerepo:
       - 'elastic-{{ elasticstack_release }}.x'
+  notify:
+    - Restart Metricbeat
   when:
     - ansible_os_family == "RedHat"
     - elasticstack_full_stack | bool
 
 - name: Install Metricbeat - rpm - standalone
   ansible.builtin.package:
     name: "{{ beats_metricbeat_package }}"
+  notify:
+    - Restart Metricbeat
   when:
     - ansible_os_family == "RedHat"
     - not elasticstack_full_stack | bool
 
 - name: Install Metricbeat - deb
   ansible.builtin.package:
     name: "{{ beats_metricbeat_package }}"
+  notify:
+    - Restart Metricbeat
   when:
     - ansible_os_family == "Debian"
 

roles/elasticsearch/defaults/main.yml

@@ -31,39 +31,18 @@ elasticsearch_heap_dump_path: "/var/lib/elasticsearch"
 
 elasticsearch_jna_workaround: false
 
-# The following variables are to be used when activating security
-# They follow a different naming scheme to show that they are global
-# to our set of Elastic Stack related Ansible roles
-
-# elasticstack_ca: First host in the `elasticsearch` group
-elasticstack_ca_dir: /opt/es-ca
-elasticstack_initial_passwords: /usr/share/elasticsearch/initial_passwords
 elasticsearch_initialized_file: "{{ elasticstack_initial_passwords | dirname }}/cluster_initialized"
-elasticstack_ca_name: "CN=Elastic Certificate Tool Autogenerated CA"
-elasticstack_ca_pass: PleaseChangeMe
-elasticstack_ca_validity_period: 1095
 elasticsearch_tls_key_passphrase: PleaseChangeMeIndividually
 elasticsearch_cert_validity_period: 1095
-elasticstack_ca_expiration_buffer: 30
 elasticsearch_cert_expiration_buffer: 30
-elasticstack_ca_will_expire_soon: false
 elasticsearch_cert_will_expire_soon: false
 elasticsearch_ssl_verification_mode: full
 
+# use this only for non-prod environments and at your own risk!
+elasticsearch_unsafe_upgrade_restart: false
+
 # only used internally
 elasticsearch_freshstart:
   changed: false
 elasticsearch_freshstart_security:
   changed: false
-
-# "global" variables for all roles
-
-elasticstack_release: 8
-elasticstack_full_stack: true
-elasticstack_variant: elastic
-elasticstack_elasticsearch_http_port: 9200
-elasticstack_no_log: true
-
-elasticstack_elasticsearch_group_name: elasticsearch
-elasticstack_logstash_group_name: logstash
-elasticstack_kibana_group_name: kibana