elasticsearch-ssl.yml
---
# Record whether the keystore and the truststore are the same file.
# Later password tasks read this flag: when both settings name one file, only
# one of the two copy tasks can report "changed", so each password task also
# checks the other copy result.
- name: set fact es_same_keystore
  set_fact:
    es_same_keystore: false

- name: set fact es_same_keystore if stores match
  when: es_ssl_keystore == es_ssl_truststore
  set_fact:
    es_same_keystore: true
# Create the directory that receives the uploaded TLS material.
# Owned by root, group es_group, mode 750: the group can read and traverse
# the directory but cannot write to it; other users have no access.
- name: Ensure certificate directory exists
  become: true
  when: es_ssl_upload
  file:
    dest: "{{ es_ssl_certificate_path }}"
    state: directory
    owner: root
    group: "{{ es_group }}"
    mode: "750"
# Copy the keystore to the certificate directory under its base file name.
# Runs only when uploading is enabled and both store variables are non-empty.
# The result is registered as copy_keystore so the password tasks can react
# to a changed file; a change also notifies the restart handler.
# Mode 640: readable by es_user and es_group, not by other users.
- name: Upload SSL/TLS keystore
  become: true
  when: es_ssl_upload and es_ssl_keystore and es_ssl_truststore
  copy:
    src: "{{ es_ssl_keystore }}"
    dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}"
    owner: "{{ es_user }}"
    group: "{{ es_group }}"
    mode: "640"
  register: copy_keystore
  notify: restart elasticsearch
# Copy the truststore to the certificate directory under its base file name.
# Same guard as the keystore upload; the result is registered as
# copy_truststore. When the truststore is the same file as the keystore this
# copy reports no change, which is why es_same_keystore exists.
- name: Upload SSL/TLS truststore
  become: true
  when: es_ssl_upload and es_ssl_keystore and es_ssl_truststore
  copy:
    src: "{{ es_ssl_truststore }}"
    dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}"
    owner: "{{ es_user }}"
    group: "{{ es_group }}"
    mode: "640"
  register: copy_truststore
  notify: restart elasticsearch
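# Copy the private key and its certificate to the certificate directory.
# Runs only when uploading is enabled and both variables are non-empty.
# Mode 640 leaves the private key readable by es_user and es_group only.
# diff is disabled for this task so that a run with --diff does not print the
# key material in its before/after output.
# A change notifies the restart handler, and the result is registered as
# copy_certificates for the key-passphrase tasks.
- name: Upload SSL/TLS key and certificate
  become: true
  diff: false
  copy:
    src: "{{ item }}"
    dest: "{{ es_ssl_certificate_path }}/{{ item | basename }}"
    owner: "{{ es_user }}"
    group: "{{ es_group }}"
    mode: "640"
  with_items:
    - "{{ es_ssl_key }}"
    - "{{ es_ssl_certificate }}"
  when: es_ssl_upload and es_ssl_key and es_ssl_certificate
  notify: restart elasticsearch
  register: copy_certificates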
# Copy the CA certificate to the certificate directory under its base name.
# Skipped unless uploading is enabled and es_ssl_certificate_authority is
# defined and non-empty. A changed file notifies the restart handler.
- name: Upload SSL Certificate Authority
  become: true
  when: es_ssl_upload and (es_ssl_certificate_authority is defined) and (es_ssl_certificate_authority|length > 0)
  copy:
    src: "{{ es_ssl_certificate_authority }}"
    dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
    owner: "{{ es_user }}"
    group: "{{ es_group }}"
    mode: "640"
  notify: restart elasticsearch
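# Store the keystore password in the Elasticsearch secure-settings keystore,
# once for the http layer and once for the transport layer.
# The secret is fed on stdin through the module's stdin argument (Ansible
# >= 2.4) instead of being interpolated into an echo "..." shell string: a
# password containing a double quote, $, backtick or backslash would be
# altered or interpreted by the shell, and the rendered command line would
# carry the secret.
# -x makes elasticsearch-keystore read the value from stdin; -f overwrites an
# existing entry without prompting. no_log keeps the arguments out of output.
# NOTE(review): the condition only fires when an uploaded store file changed,
# so changing just es_ssl_keystore_password does not refresh the stored
# value - confirm that is intended.
- name: Set keystore password
  become: true
  no_log: true
  command: "{{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.keystore.secure_password'"
  args:
    stdin: "{{ es_ssl_keystore_password }}"
  when: es_ssl_keystore_password and (copy_keystore.changed or (es_same_keystore and copy_truststore.changed))
  with_items:
    - http
    - transport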
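# Store the truststore password in the Elasticsearch secure-settings keystore,
# once for the http layer and once for the transport layer.
# The secret is fed on stdin through the module's stdin argument (Ansible
# >= 2.4) instead of being interpolated into an echo "..." shell string: a
# password containing a double quote, $, backtick or backslash would be
# altered or interpreted by the shell, and the rendered command line would
# carry the secret.
# -x makes elasticsearch-keystore read the value from stdin; -f overwrites an
# existing entry without prompting. no_log keeps the arguments out of output.
# NOTE(review): the condition only fires when an uploaded store file changed,
# so changing just es_ssl_truststore_password does not refresh the stored
# value - confirm that is intended.
- name: Set truststore password
  become: true
  no_log: true
  command: "{{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.truststore.secure_password'"
  args:
    stdin: "{{ es_ssl_truststore_password }}"
  when: es_ssl_truststore_password and (copy_truststore.changed or (es_same_keystore and copy_keystore.changed))
  with_items:
    - http
    - transport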
# Drop the stored keystore password for the http and transport layers when
# es_ssl_keystore_password is the empty string and a store file changed.
# ignore_errors makes this best-effort, presumably because the entry may not
# exist yet; note that it also hides any other failure of the command.
- name: Remove keystore password
  become: true
  ignore_errors: true
  when: es_ssl_keystore_password == "" and (copy_keystore.changed or (es_same_keystore and copy_truststore.changed))
  shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.keystore.secure_password'"
  with_items:
    - http
    - transport
# Drop the stored truststore password for the http and transport layers when
# es_ssl_truststore_password is the empty string and a store file changed.
# ignore_errors makes this best-effort, presumably because the entry may not
# exist yet; note that it also hides any other failure of the command.
- name: Remove truststore password
  become: true
  ignore_errors: true
  when: es_ssl_truststore_password == "" and (copy_truststore.changed or (es_same_keystore and copy_keystore.changed))
  shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.truststore.secure_password'"
  with_items:
    - http
    - transport
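# Store the private-key passphrase in the Elasticsearch secure-settings
# keystore, once for the http layer and once for the transport layer.
# The secret is fed on stdin through the module's stdin argument (Ansible
# >= 2.4) instead of being interpolated into an echo "..." shell string: a
# passphrase containing a double quote, $, backtick or backslash would be
# altered or interpreted by the shell, and the rendered command line would
# carry the secret.
# -x makes elasticsearch-keystore read the value from stdin; -f overwrites an
# existing entry without prompting. no_log keeps the arguments out of output.
# NOTE(review): the condition only fires when the uploaded key or certificate
# changed, so changing just es_ssl_key_password does not refresh the stored
# value - confirm that is intended.
- name: Set key password
  become: true
  no_log: true
  command: "{{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.secure_key_passphrase'"
  args:
    stdin: "{{ es_ssl_key_password }}"
  when: es_ssl_key_password and copy_certificates.changed
  with_items:
    - http
    - transport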
# Drop the stored key passphrase for the http and transport layers when
# es_ssl_key_password is the empty string and the key or certificate changed.
# ignore_errors makes this best-effort, presumably because the entry may not
# exist yet; note that it also hides any other failure of the command.
- name: Remove key password
  become: true
  ignore_errors: true
  when: es_ssl_key_password == "" and copy_certificates.changed
  shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.secure_key_passphrase'"
  with_items:
    - http
    - transport