From 4b46128dd501547330d58cd1ea6439131ff378ba Mon Sep 17 00:00:00 2001
From: ivareri
Date: Sun, 15 Oct 2023 18:19:19 +0200
Subject: [PATCH 1/8] Added option for ssl verification_mode
---
 docs/role-elasticsearch.md | 1 +
 roles/elasticsearch/defaults/main.yml | 1 +
 roles/elasticsearch/templates/elasticsearch.yml.j2 | 7 +++----
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/docs/role-elasticsearch.md b/docs/role-elasticsearch.md
index bfcdf3d1..772f77f3 100644
--- a/docs/role-elasticsearch.md
+++ b/docs/role-elasticsearch.md
@@ -35,6 +35,7 @@ Role Variables
 This variable activates a workaround to start on systems that have certain hardening measures active. See [Stackoverflow](https://stackoverflow.com/questions/47824643/unable-to-load-jna-native-support-library-elasticsearch-6-x/50371992#50371992) for details and logmessages to look for. **WARNING**: This will change your `/etc/sysconfig/elasticseach`or `/etc/default/elasticsearch` file and overwrite `ES_JAVA_OPTS`. See this [issue](https://github.com/netways/ansible-role-elasticsearch/issues/79) for details.
 * *elasticsearch_jna_workaround*: Activate JNA workaround. (default: `false`)
+* *elasticsearch_ssl_verification_mode*: Defines how to verify the certificates presented by another party in the TLS connection
 These variables are identical over all our elastic related roles, hence the different naming schemes.
diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml
index bcadfb3d..afcfc3ae 100644
--- a/roles/elasticsearch/defaults/main.yml
+++ b/roles/elasticsearch/defaults/main.yml
@@ -47,6 +47,7 @@ elasticstack_ca_expiration_buffer: 30
 elasticsearch_cert_expiration_buffer: 30
 elasticstack_ca_will_expire_soon: false
 elasticsearch_cert_will_expire_soon: false
+elasticsearch_ssl_verification_mode: none
 # "global" variables for all roles 
diff --git a/roles/elasticsearch/templates/elasticsearch.yml.j2 b/roles/elasticsearch/templates/elasticsearch.yml.j2
index c809f309..4136cf5a 100644
--- a/roles/elasticsearch/templates/elasticsearch.yml.j2
+++ b/roles/elasticsearch/templates/elasticsearch.yml.j2
@@ -52,10 +52,9 @@ xpack.monitoring.collection.enabled: {{ elasticsearch_monitoring_enabled }}
 {% if elasticsearch_security | bool %}
 xpack.security.enabled: true
 xpack.security.transport.ssl.enabled: true
-#xpack.security.transport.ssl.verification_mode: certificate
-xpack.security.transport.ssl.verification_mode: none
-xpack.security.transport.ssl.keystore.path: certs/{{ ansible_hostname }}.p12
-xpack.security.transport.ssl.truststore.path: certs/{{ ansible_hostname }}.p12
+xpack.security.transport.ssl.verification_mode: {{ elasticsearch_ssl_verification_mode }}
+xpack.security.transport.ssl.keystore.path: certs/{{ ansible_hostname }}.p12
+xpack.security.transport.ssl.truststore.path: certs/{{ ansible_hostname }}.p12
 {% if elasticsearch_http_security | bool %}
 xpack.security.http.ssl.enabled: true
 xpack.security.http.ssl.keystore.path: certs/{{ ansible_hostname }}.p12
From 93e00004d50a4ccd69bda328b43b085e61e5258b Mon Sep 17 00:00:00 2001
From: ivareri
Date: Sun, 15 Oct 2023 21:33:13 +0200
Subject: [PATCH 2/8] Added options for transport and http ports
---
 docs/role-elasticsearch.md | 2 ++
 roles/elasticsearch/templates/elasticsearch.yml.j2 | 6 ++++++
 2 files changed, 8 insertions(+)
diff --git a/docs/role-elasticsearch.md b/docs/role-elasticsearch.md
index 772f77f3..956c746d 100644
--- a/docs/role-elasticsearch.md
+++ b/docs/role-elasticsearch.md 
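Review bot: The value of `elasticsearch_ssl_verification_mode` is rendered unquoted and unvalidated into `xpack.security.transport.ssl.verification_mode`, so a typo or an unsupported value only surfaces when Elasticsearch refuses to start on every node of the group. Elasticsearch accepts exactly `full`, `certificate` and `none` for this setting; an `assert` task in the role with `that: elasticsearch_ssl_verification_mode in ['full', 'certificate', 'none']` fails the play early with a readable message instead. The variable name suggests it covers all TLS listeners, but the hunk applies it to the transport layer only and leaves the `xpack.security.http.ssl.*` block in the following context lines untouched, so the docs entry should say so, e.g. `Verification mode for the transport-layer TLS between nodes (one of full, certificate, none)`. The enclosing `{% if elasticsearch_security | bool %}` block continues past the end of the hunk.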
@@ -36,6 +36,8 @@ This variable activates a workaround to start on systems that have certain harde
 * *elasticsearch_jna_workaround*: Activate JNA workaround. (default: `false`)
 * *elasticsearch_ssl_verification_mode*: Defines how to verify the certificates presented by another party in the TLS connection
+* *elasticsearch_http_port*: The port to bind for HTTP client communication
+* *elasticsearch_transport_port*: The port to bind for communication between nodes
 These variables are identical over all our elastic related roles, hence the different naming schemes.
diff --git a/roles/elasticsearch/templates/elasticsearch.yml.j2 b/roles/elasticsearch/templates/elasticsearch.yml.j2
index 4136cf5a..844caf6a 100644
--- a/roles/elasticsearch/templates/elasticsearch.yml.j2
+++ b/roles/elasticsearch/templates/elasticsearch.yml.j2
@@ -7,6 +7,12 @@ network.host: [ {{ elasticsearch_network_host }} ]
 {% else %}
 network.host: [ "_local_", "_site_" ]
 {% endif %}
+{% if elasticsearch_http_port is defined %}
+http.port: "{{ elasticsearch_http_port }}"
+{% endif %}
+{% if elasticsearch_transport_port is defined %}
+transport.port: "{{ elasticsearch_transport_port }}"
+{% endif %}
 {% if elasticsearch_http_publish_host is defined %}
 http.publish_host: "{{ elasticsearch_http_publish_host }}"
 {% endif %}
From 18b8dcb4e5b0972ad90559dbc360e4717cfcaca5 Mon Sep 17 00:00:00 2001
From: ivareri
Date: Sun, 15 Oct 2023 21:34:11 +0200
Subject: [PATCH 3/8] Added ansible managed header to config file
---
 roles/elasticsearch/templates/elasticsearch.yml.j2 | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/elasticsearch/templates/elasticsearch.yml.j2 b/roles/elasticsearch/templates/elasticsearch.yml.j2
index 844caf6a..207ad743 100644
--- a/roles/elasticsearch/templates/elasticsearch.yml.j2
+++ b/roles/elasticsearch/templates/elasticsearch.yml.j2 
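Review bot: `elasticsearch_http_port` and `elasticsearch_transport_port` are documented but not added to `roles/elasticsearch/defaults/main.yml` (the diffstat lists only the docs and the template), so there is no single place stating what happens when they are unset. The docs lines should record that the setting is omitted when the variable is undefined and Elasticsearch then falls back to its own defaults, 9200 for `http.port` and 9300 for `transport.port`, e.g. `* *elasticsearch_transport_port*: The port to bind for communication between nodes (omitted when undefined; Elasticsearch default 9300)`. Other tasks in the role that talk to the HTTP API or build `discovery.seed_hosts` from bare addresses (visible later in this series) presumably still assume the default ports, so a non-default value may need matching changes outside this diff; worth confirming before merging.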
@@ -1,3 +1,5 @@
+{{ ansible_managed | comment }}
+
 node.name: "{{ ansible_hostname }}"
 path.data: {{ elasticsearch_datapath }}
 path.logs: {{ elasticsearch_logpath }}
From fbef56934ca318c3a1d11ba0ff4adf61893599a0 Mon Sep 17 00:00:00 2001
From: ivareri
Date: Sun, 15 Oct 2023 21:38:33 +0200
Subject: [PATCH 4/8] Don't add deprecated monitoring setting for elasticsearch 8
---
 roles/elasticsearch/templates/elasticsearch.yml.j2 | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/elasticsearch/templates/elasticsearch.yml.j2 b/roles/elasticsearch/templates/elasticsearch.yml.j2
index 207ad743..f3a83183 100644
--- a/roles/elasticsearch/templates/elasticsearch.yml.j2
+++ b/roles/elasticsearch/templates/elasticsearch.yml.j2
@@ -56,7 +56,9 @@ bootstrap.system_call_filter: false
 {% endif %}
 {% if elasticstack_variant == "elastic" %}
 xpack.ml.enabled: {{ elasticsearch_ml_enabled }}
+{% if elasticstack_release == 7 %}
 xpack.monitoring.collection.enabled: {{ elasticsearch_monitoring_enabled }}
+{% endif %}
 {% if elasticsearch_security | bool %}
 xpack.security.enabled: true
 xpack.security.transport.ssl.enabled: true
From 0e419b0a17081936b296ba7e645ef9ce96a4258b Mon Sep 17 00:00:00 2001
From: ivareri
Date: Sun, 15 Oct 2023 21:41:59 +0200
Subject: [PATCH 5/8] Qucikfix to manually set seed hosts. Otherwise all nodes, not only master nodes, are added to seed hosts
---
 docs/role-elasticsearch.md | 1 +
 roles/elasticsearch/templates/elasticsearch.yml.j2 | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/docs/role-elasticsearch.md b/docs/role-elasticsearch.md
index 956c746d..818b40ca 100644
--- a/docs/role-elasticsearch.md
+++ b/docs/role-elasticsearch.md 
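Review bot: `{% if elasticstack_release == 7 %}` compares without the `| int` cast that the same template uses elsewhere (`elasticstack_release | int < 8` in the seed_hosts hunk of patch 5), so when the release arrives as a string, for example from `-e elasticstack_release=7` on the command line, the comparison is false and `xpack.monitoring.collection.enabled` is silently dropped on a 7.x node. Use `{% if elasticstack_release | int == 7 %}`, or mirror the existing form with `| int < 8`, so both guards agree. A template comment such as `{# only render on 7.x: the commit notes this monitoring setting is deprecated in 8 #}` would also keep the reason next to the guard rather than only in the commit message. The enclosing `{% if elasticstack_variant == "elastic" %}` block continues past the hunk.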
@@ -38,6 +38,7 @@ This variable activates a workaround to start on systems that have certain harde
 * *elasticsearch_ssl_verification_mode*: Defines how to verify the certificates presented by another party in the TLS connection
 * *elasticsearch_http_port*: The port to bind for HTTP client communication
 * *elasticsearch_transport_port*: The port to bind for communication between nodes
+* *elasticsearch_seed_hosts*: Set elasticsearch seed hosts
 These variables are identical over all our elastic related roles, hence the different naming schemes.
diff --git a/roles/elasticsearch/templates/elasticsearch.yml.j2 b/roles/elasticsearch/templates/elasticsearch.yml.j2
index f3a83183..6919f9e5 100644
--- a/roles/elasticsearch/templates/elasticsearch.yml.j2
+++ b/roles/elasticsearch/templates/elasticsearch.yml.j2
@@ -30,11 +30,16 @@ node.roles: [ {% for type in elasticsearch_node_types %}{{ type }}{% if not loop
 discovery.type: single-node
 {% endif %}
+{# Quickfix to override seed_hosts. Otherwise all nodes, not only master nodes are added to seed_hosts #}
+{% if elasticsearch_seed_hosts is defined %}
+discovery.seed_hosts: {{ elasticsearch_seed_hosts }}
+{% else %}
 {% if elasticstack_release | int < 8 or groups['elasticsearch'] | length > 1 %}
 discovery.seed_hosts: [ {% for host in groups['elasticsearch'] %} "{{ hostvars[host].ansible_default_ipv4.address | default(hostvars[host].ansible_all_ipv4_addresses[0]) }}"{% if not loop.last %},{% endif %} {% endfor %} ]
 {% endif %}
+{% endif %}
 {% if not elaticsearch_cluster_set_up | bool and groups['elasticsearch'] | length > 1 %}
 {% if elasticsearch_node_types is defined %}
From 7217f4592a72f72d43e739d7c7bb726543d2700c Mon Sep 17 00:00:00 2001
From: ivareri
Date: Sun, 15 Oct 2023 21:45:52 +0200
Subject: [PATCH 6/8] Add option to set security enrollment
---
 docs/role-elasticsearch.md | 1 +
 roles/elasticsearch/templates/elasticsearch.yml.j2 | 3 +++
 2 files changed, 4 insertions(+) 
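Review bot: `discovery.seed_hosts: {{ elasticsearch_seed_hosts }}` renders the variable with Jinja's default string conversion, so a list becomes its Python repr (e.g. `['10.0.0.1', '10.0.0.2']`) and a plain string is emitted bare; both happen to parse as YAML, but `{{ elasticsearch_seed_hosts | to_json }}` makes the output deterministic and independent of how Python prints the list. The docs line `Set elasticsearch seed hosts` should state the expected type and effect, e.g. `List of host[:port] entries written to discovery.seed_hosts; when set it replaces the automatically generated list of every host in the elasticsearch group`. The template comment calls this a quickfix; a follow-up could build the generated list only from hosts whose `elasticsearch_node_types` contain `master`, so no manual input is needed, but that is outside this hunk. The nested `{% if %}` now closes with two consecutive `{% endif %}` lines, which is correct but easy to mis-edit; tagging the outer one, `{% endif %}{# elasticsearch_seed_hosts is defined #}`, keeps them apart.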
diff --git a/docs/role-elasticsearch.md b/docs/role-elasticsearch.md
index 818b40ca..c93b7e79 100644
--- a/docs/role-elasticsearch.md
+++ b/docs/role-elasticsearch.md
@@ -39,6 +39,7 @@ This variable activates a workaround to start on systems that have certain harde
 * *elasticsearch_http_port*: The port to bind for HTTP client communication
 * *elasticsearch_transport_port*: The port to bind for communication between nodes
 * *elasticsearch_seed_hosts*: Set elasticsearch seed hosts
+* *elasticsearch_security_enrollment*: Controls enrollment (of nodes and Kibana) to a local node that’s been autoconfigured for security.
 These variables are identical over all our elastic related roles, hence the different naming schemes.
diff --git a/roles/elasticsearch/templates/elasticsearch.yml.j2 b/roles/elasticsearch/templates/elasticsearch.yml.j2
index 6919f9e5..5ff3ea10 100644
--- a/roles/elasticsearch/templates/elasticsearch.yml.j2
+++ b/roles/elasticsearch/templates/elasticsearch.yml.j2
@@ -66,6 +66,9 @@ xpack.monitoring.collection.enabled: {{ elasticsearch_monitoring_enabled }}
 {% endif %}
 {% if elasticsearch_security | bool %}
 xpack.security.enabled: true
+{% if elasticsearch_security_enrollment is defined %}
+xpack.security.enrollment.enabled: {{ elasticsearch_security_enrollment }}
+{% endif %}
 xpack.security.transport.ssl.enabled: true
 xpack.security.transport.ssl.verification_mode: {{ elasticsearch_ssl_verification_mode }}
 xpack.security.transport.ssl.keystore.path: certs/{{ ansible_hostname }}.p12
From 8e4d24b77188e7810f0eb7a67b8bb5d182fec422 Mon Sep 17 00:00:00 2001
From: ivareri
Date: Mon, 23 Oct 2023 20:43:19 +0200
Subject: [PATCH 7/8] Use elasticstack_elasticsearch_http_port for http.port
---
 docs/role-elasticsearch.md | 1 -
 roles/elasticsearch/templates/elasticsearch.yml.j2 | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/docs/role-elasticsearch.md b/docs/role-elasticsearch.md
index c93b7e79..c1c71ab4 100644
--- a/docs/role-elasticsearch.md 
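Review bot: `xpack.security.enrollment.enabled: {{ elasticsearch_security_enrollment }}` renders an Ansible boolean as `True`/`False` (Python's string form), while every hard-coded flag in this block is lowercase `true`; whether Elasticsearch's settings parser tolerates the capitalised spelling is not something this diff shows, so `{{ elasticsearch_security_enrollment | bool | lower }}` removes the doubt and matches the surrounding lines. Enrollment turns on the APIs used to join further nodes and Kibana to an autoconfigured node, which is a bootstrap-time facility rather than a steady-state one; the docs entry should tell operators when to leave it alone, e.g. append `Only needed while bootstrapping new nodes or Kibana; leave undefined otherwise (Elasticsearch default: false).` The `{% if elasticsearch_security | bool %}` block continues beyond the hunk.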
+++ b/docs/role-elasticsearch.md
@@ -36,7 +36,6 @@ This variable activates a workaround to start on systems that have certain harde
 * *elasticsearch_jna_workaround*: Activate JNA workaround. (default: `false`)
 * *elasticsearch_ssl_verification_mode*: Defines how to verify the certificates presented by another party in the TLS connection
-* *elasticsearch_http_port*: The port to bind for HTTP client communication
 * *elasticsearch_transport_port*: The port to bind for communication between nodes
 * *elasticsearch_seed_hosts*: Set elasticsearch seed hosts
 * *elasticsearch_security_enrollment*: Controls enrollment (of nodes and Kibana) to a local node that’s been autoconfigured for security.
diff --git a/roles/elasticsearch/templates/elasticsearch.yml.j2 b/roles/elasticsearch/templates/elasticsearch.yml.j2
index 5ff3ea10..cc6a5060 100644
--- a/roles/elasticsearch/templates/elasticsearch.yml.j2
+++ b/roles/elasticsearch/templates/elasticsearch.yml.j2
@@ -9,8 +9,8 @@ network.host: [ {{ elasticsearch_network_host }} ]
 {% else %}
 network.host: [ "_local_", "_site_" ]
 {% endif %}
-{% if elasticsearch_http_port is defined %}
-http.port: "{{ elasticsearch_http_port }}"
+{% if elasticstack_elasticsearch_http_port is defined %}
+http.port: "{{ elasticstack_elasticsearch_http_port }}"
 {% endif %}
 {% if elasticsearch_transport_port is defined %}
 transport.port: "{{ elasticsearch_transport_port }}"
From 394d85914d7a06c59aef42b69a0ca59471684e8c Mon Sep 17 00:00:00 2001
From: ivareri
Date: Mon, 23 Oct 2023 20:46:29 +0200
Subject: [PATCH 8/8] Change default ssl verification mode to full
---
 roles/elasticsearch/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml
index 3f53a872..57f86c69 100644
--- a/roles/elasticsearch/defaults/main.yml
+++ b/roles/elasticsearch/defaults/main.yml 
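Review bot: The rename leaves the two port variables on different naming schemes: `http.port` now reads `elasticstack_elasticsearch_http_port` while `transport.port`, three lines below in the same hunk, still reads `elasticsearch_transport_port`. The docs hunk removes the `elasticsearch_http_port` entry without adding one for the new name; if `elasticstack_elasticsearch_http_port` is presumably described with the shared `elasticstack_*` variables the docs refer to, a pointer there would help, otherwise the entry is simply missing. Either rename the transport variable the same way, `{% if elasticstack_elasticsearch_transport_port is defined %}`, or add a sentence to the docs explaining why one port is role-local and the other is stack-wide.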
@@ -47,7 +47,7 @@ elasticstack_ca_expiration_buffer: 30
 elasticsearch_cert_expiration_buffer: 30
 elasticstack_ca_will_expire_soon: false
 elasticsearch_cert_will_expire_soon: false
-elasticsearch_ssl_verification_mode: none
+elasticsearch_ssl_verification_mode: full
 # only used internally
 elasticsearch_freshstart:
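Review bot: Switching the default to `full` is the right direction, since it adds hostname/IP verification of the peer node certificate on top of chain validation, but it has a deployment consequence the series does not address: the template builds `discovery.seed_hosts` from `ansible_default_ipv4.address` entries (patch 5 context), so `full` only succeeds when each node certificate carries those addresses, or the names nodes actually connect by, as subject alternative names, otherwise nodes stop joining as soon as the updated role runs. Whether the role's certificate generation (the `elasticsearch_cert_*` variables in the context lines hint at it) already puts IP SANs into the node certificates is not visible here and should be confirmed before release. The docs entry for `elasticsearch_ssl_verification_mode` still states no default; add `(default: \`full\`)` to match the other entries in that list, and mention in the changelog that deployments whose certificates only satisfy `certificate` mode need to set the variable explicitly.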