Add an option to not upload SSL/TLS certs (#727)

smutel · web-flow · commit fdfaa5c88806 · 2020-10-12T10:02:25.000+02:00
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -55,6 +55,7 @@ es_heap_dump_path: "/var/lib/elasticsearch"
 es_enable_auto_ssl_configuration: true
 es_enable_http_ssl: false
 es_enable_transport_ssl: false
+es_ssl_upload: true
 es_ssl_keystore: ""
 es_ssl_keystore_password: ""
 es_ssl_truststore: ""
diff --git a/docs/ssl-tls-setup.md b/docs/ssl-tls-setup.md
@@ -2,6 +2,8 @@
 
 The role allows configuring HTTP and transport layer SSL/TLS for the cluster. You will need to generate and provide your own PKCS12 or PEM encoded certificates as described in [Encrypting communications in Elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/7.4/configuring-tls.html#configuring-tls).
 
+By default this role will upload the certs to your elasticsearch servers. If you already copied the certs by your own way, set `es_ssl_upload` to `false` (default: `true`) 
+
 If you don't want this role to add autogenerated SSL configuration to elasticsearch.yml set `es_enable_auto_ssl_configuration` to `false` (default: `true`).
 
 The following should be configured to ensure a security-enabled cluster successfully forms:
diff --git a/tasks/elasticsearch-ssl.yml b/tasks/elasticsearch-ssl.yml
@@ -7,14 +7,15 @@
   set_fact: es_same_keystore=true
   when: es_ssl_keystore == es_ssl_truststore
 
-- name: ensure certificate directory exists
+- name: Ensure certificate directory exists
   become: yes
   file:
     dest: "{{ es_ssl_certificate_path }}"
     state: directory
     owner: root
     group: "{{ es_group }}"
     mode: "750"
+  when: es_ssl_upload
 
 - name: Upload SSL/TLS keystore
   become: yes
@@ -24,7 +25,7 @@
     owner: "{{ es_user }}"
     group: "{{ es_group }}"
     mode: "640"
-  when: es_ssl_keystore and es_ssl_truststore
+  when: es_ssl_upload and es_ssl_keystore and es_ssl_truststore
   notify: restart elasticsearch
   register: copy_keystore
 
@@ -36,7 +37,7 @@
     owner: "{{ es_user }}"
     group: "{{ es_group }}"
     mode: "640"
-  when: es_ssl_keystore and es_ssl_truststore
+  when: es_ssl_upload and es_ssl_keystore and es_ssl_truststore
   notify: restart elasticsearch
   register: copy_truststore
 
@@ -51,7 +52,7 @@
   with_items:
     - "{{ es_ssl_key }}"
     - "{{ es_ssl_certificate }}"
-  when: es_ssl_key and es_ssl_certificate
+  when: es_ssl_upload and es_ssl_key and es_ssl_certificate
   #Restart if these change
   notify: restart elasticsearch
   register: copy_certificates
@@ -66,7 +67,7 @@
     mode: "640"
   #Restart if this changes
   notify: restart elasticsearch
-  when: (es_ssl_certificate_authority is defined) and (es_ssl_certificate_authority|length > 0)
+  when: es_ssl_upload and (es_ssl_certificate_authority is defined) and (es_ssl_certificate_authority|length > 0)
 
 - name: Set keystore password
   become: yes
