Add option to forgo autogenerated SSL config

pemontto · pemontto · commit 8156ab482157 · 2019-11-15T12:24:29.000Z
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -49,6 +49,7 @@ es_debian_startup_timeout: 10
 es_jvm_custom_parameters: ''
 
 # SSL/TLS parameters
+es_enable_auto_ssl_configuration: true
 es_enable_http_ssl: false
 es_enable_transport_ssl: false
 es_ssl_keystore: ""
diff --git a/docs/ssl-tls-setup.md b/docs/ssl-tls-setup.md
@@ -2,6 +2,8 @@
 
 The role allows configuring HTTP and transport layer SSL/TLS for the cluster. You will need to generate and provide your own PKCS12 or PEM encoded certificates as described in [Encrypting communications in Elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/7.4/configuring-tls.html#configuring-tls).
 
+If you don't want this role to add autogenerated SSL configuration to elasticsearch.yml set `es_enable_auto_ssl_configuration` to `false` (default: `true`).
+
 The following should be configured to ensure a security-enabled cluster successfully forms:
 
 * `es_enable_http_ssl`  Default `false`. Setting this to `true` will enable HTTP client SSL/TLS
@@ -38,6 +40,7 @@ $ bin/elasticsearch-certutil cert --ca ./my-ca.p12 --out ./my-keystore.p12 --pas
 
 ## Additional optional SSL/TLS configuration
 
+* `es_enable_auto_ssl_configuration`  Default `true`. Whether this role should add automatically generated SSL config to elasticsearch.yml.
 * `es_ssl_certificate_path`  Default `{{ es_conf_dir }}/certs`. The location where certificates should be stored on the ES node.
 * `es_ssl_verification_mode` Default `certificate`. See [SSL verification_mode](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#ssl-tls-settings) for options.
 * `es_ssl_certificate_authority`  PEM encoded certificate file that should be trusted.
diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2
@@ -34,7 +34,7 @@ action.auto_create_index: {{ es_action_auto_create_index }}
 {% if es_enable_xpack and es_api_basic_auth_username is defined and es_api_basic_auth_password is defined %}
 xpack.security.enabled: true
 
-{% if es_enable_transport_ssl | bool %}
+{% if es_enable_transport_ssl and es_enable_auto_ssl_configuration %}
 xpack.security.transport.ssl.enabled: true
 xpack.security.transport.ssl.verification_mode: "{{ es_ssl_verification_mode }}"
 {% if es_ssl_keystore and es_ssl_truststore %}
@@ -47,11 +47,9 @@ xpack.security.transport.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_s
 xpack.security.transport.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
 {% endif %}
 {% endif %}
-{% else %}
-# xpack.security.transport.ssl.enabled: false
 {% endif %}
 
-{% if es_enable_http_ssl | bool %}
+{% if es_enable_http_ssl and es_enable_auto_ssl_configuration %}
 xpack.security.http.ssl.enabled: true
 {% if es_ssl_keystore and es_ssl_truststore %}
 xpack.security.http.ssl.keystore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}"
@@ -63,8 +61,6 @@ xpack.security.http.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_ce
 xpack.security.http.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
 {% endif %}
 {% endif %}
-{% else %}
-# xpack.security.http.ssl.enabled: false
 {% endif %}
 {% endif %}
 
