feat: add SSL certificate

Adrien Waksberg 2023-11-13 16:24:05 +01:00
parent 96e0ab4b64
commit 30f4484bd6
4 changed files with 93 additions and 1 deletions


@ -26,6 +26,8 @@ Install and configure Elasticsearch
path.logs: /var/log/elasticsearch
```
* `elasticsearch_ssl_key`: - string contain ssl private key if `xpack.security.transport.ssl.key` is defined in elasticsearch_config
* `elasticsearch_ssl_certificate`: - string contain ssl certificate if `xpack.security.transport.certificate.key` is defined in elasticsearch_config
* `elasticsearch_users` - hash with the users to managed
```yaml


@ -6,6 +6,60 @@
vars:
elasticsearch_password: mysecret
elasticsearch_heap_size: 512m
elasticsearch_config:
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certificate.pem
xpack.security.transport.ssl.key: /etc/elasticsearch/key.pem
elasticsearch_ssl_certificate: |
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
elasticsearch_ssl_key: |
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCgzy/0an6ctQsj
peMWJeBDPPXCOwJIDIGA84CloDlBwxN5NWsKmEZBfQDfB9PiuzVsGtWmFsz0WlXz
lDMvp+bDdI5I+HpJ1IkT6l3tXSYVfX9+h4klwgmdB9TeTl5R8MHCCxThp3+jHI/8
Yuzhk/KN6Hsvyg5x6N5jftPshfbLdp/tPJ8hLuEOh/wM4WOG/T8UH2d7Gl2Hu2ga
VuOMeWODQE26laiDY2vVbnn/hQIw6df6JSuBSlTdruN7pOAWAFgx6XgoIf0w10nn
6k+zg23xxWRfgV9lImd+cuVVgfDyZOlO3DWBKyO4PFJsqsN3mLf7bEuvsYLJ31Kc
QHCINnXdAgMBAAECggEABG86OBAAvlMKw9ik/r0cJlaFw22rpi98GcF9RHP66DqY
LKFBuqjQ1Sj8j2nwmKHHexvxVNNvovRjxuQJFlEXvr+V1eLOQn9zKUKvBObq8DBG
Bgf4SvuDFtq6rsez96f/O9ng4UkkbqvQt6nFtQHGsE2fKgX1KIR+r3k1oGHgWKN5
Sd71E6yr0/4q3m8TleV9PrC4kghQ5j8sntXurdfhlRM9w4wNMb5M9F8ebgxErd7i
6ncVoKdpe18cubU+9wUxW5MxrasheHmfwdgjIQyU69srsERhxRZ4mhBl7n7UCCDK
1MZ5tKph+fV4t3P/xHXW1HGhMj4UgRTLjnr6e5yOGQKBgQDjQonV85cga1SeLh4Y
8NXLKHZHL56VmS7jOQ4V6GEEWqz/2IGi1GZjKv1KOY14M+GnRPD+0LTWex8ubELL
r/0tvlx3kiuPyEMsSnIrVlaiVr1yWPLdrVaerfO8hD3WykpwH5enHOdhaoezN314
4X3Xj0+V8zZ7I1mzA0T1bPmCBQKBgQC1JVV67qoPg6X7g54j9HK4fWzRAT0cGXV7
60x78JQdcDSP4yqwDHqvryRDMP38xwSbvyegERQcbZjLbl1YY5T6ZL2ovu1OemC7
6lSOSwOCD89QVsrYV52mY1qmOsuNgLIwJ1PJVY5IeFmfCpR9IFeIhdPhj2VtsAqC
M4T1hCAz+QKBgQCSIIq4g7S9J8Z1H3pC1zjhNNc41qnFz4WSnXEtLQqU3ik3KWPR
63kact4DCBarH9EM2QuNDW36K5jVJM+eYT8OVsTmLZrNDRwEMqpOq2lxYQzXpdIk
L/zuczOyF+YbYl+S0P2WesNcpD81QYzwWS2tmXy3EngJnaVjscp5dOTKcQKBgFAJ
r+xCWdfDBmrMK+qdDrdfi94JWxP4V8WqIMA+e2NKeZ7985WX3fmUPESH+CFhWjLq
0jpScX1iG3n/SLVOQrwkGPzfZ4EeZ3GAR14b3O/xxlssDjJq/BhRm/MI1XmvXIwU
RFwYNmbk7kxsY1GqIaML5qOqNVmyx+Hhm6TTfVsZAoGBALubBpgAoT+lKHw6fC6D
7TSCcxFd5tYHHw4RUmK85RcTrbjC7LksAd01T54tdM7nZRlijgJUNsYzDfv/SuSp
F3OGK/Tmx3MW5O+lq5O+2oRmUSfcIUgnrjgUeevj6Rgt1qx33WEoKBM2rVBIBqOn
ZKrzDBkVG/H+H0hwiV219PLE
-----END PRIVATE KEY-----
elasticsearch_users:
toto:
password: supers3cret
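Review bot: The `elasticsearch_ssl_key` value added under `vars:` is a complete PEM private key committed in clear text, and nothing in the file says it is a disposable test fixture. Secret scanners will flag it, and a reader copying this playbook as a template may reuse the pair or keep the same plain-variable pattern for a real key. I would add a comment above `elasticsearch_ssl_certificate`, such as `# Throwaway self-signed pair for the molecule scenario only - never deploy`, or generate the pair in a prepare step so no key lives in the repository. It is also worth noting in the README that real inventories should supply `elasticsearch_ssl_key` from Ansible Vault or another secret store. The play itself starts outside this hunk.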


@ -12,6 +12,20 @@ def test_config_file(host):
assert config.mode == 0o640
assert config.contains('path.data: /var/lib/elasticsearch')
def test_ssl_key_file(host):
config = host.file('/etc/elasticsearch/key.pem')
assert config.user == 'root'
assert config.group == 'elasticsearch'
assert config.mode == 0o640
assert config.contains('-----BEGIN PRIVATE KEY-----')
def test_ssl_certificate_file(host):
config = host.file('/etc/elasticsearch/certificate.pem')
assert config.user == 'root'
assert config.group == 'elasticsearch'
assert config.mode == 0o640
assert config.contains('-----BEGIN CERTIFICATE-----')
def test_service(host):
service = host.service('elasticsearch')
assert service.is_running
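Review bot: `test_ssl_key_file` and `test_ssl_certificate_file` match only the PEM header, so a truncated file or one with an empty body still passes as long as the first line is right. Asserting the footer too, e.g. `assert config.contains('-----END PRIVATE KEY-----')` and `assert config.contains('-----END CERTIFICATE-----')`, tightens the check at no cost. A short comment on the key test would also help, for example `# 0640 root:elasticsearch: presumably the service reads the key via its group; not world-readable`, so the permission is not loosened later by accident.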


@ -10,12 +10,34 @@
notify: Restart elasticsearch
tags: elasticsearch
- name: Copy SSL certificate
ansible.builtin.copy:
content: "{{ elasticsearch_ssl_certificate }}"
dest: "{{ elasticsearch_full_config['xpack.security.transport.ssl.certificate'] }}"
owner: root
group: elasticsearch
mode: "0640"
when: "'xpack.security.transport.ssl.certificate' in elasticsearch_full_config"
notify: Restart elasticsearch
tags: elasticsearch
- name: Copy SSL key
ansible.builtin.copy:
content: "{{ elasticsearch_ssl_key }}"
dest: "{{ elasticsearch_full_config['xpack.security.transport.ssl.key'] }}"
owner: root
group: elasticsearch
mode: "0640"
when: "'xpack.security.transport.ssl.key' in elasticsearch_full_config"
notify: Restart elasticsearch
tags: elasticsearch
- name: Copy config file
ansible.builtin.copy:
content: "{{ elasticsearch_full_config | to_yaml }}"
dest: /etc/elasticsearch/elasticsearch.yml
owner: root
group: elasticsearch
mode: 0640
mode: "0640"
notify: Restart elasticsearch
tags: elasticsearch
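Review bot: The `Copy SSL key` task writes the private key through `content:` without `no_log: true`, so a run with `--diff` can show the key material in the task output and in whatever collects it; add `no_log: true` to that task. Both new tasks are gated only on the path key being present in `elasticsearch_full_config`, not on the content variable. A host whose certificate is provisioned another way would therefore fail on an undefined `elasticsearch_ssl_key` or `elasticsearch_ssl_certificate`, or have its files overwritten if a default exists outside this diff. Extending the condition avoids that, e.g. `when: elasticsearch_ssl_key is defined and 'xpack.security.transport.ssl.key' in elasticsearch_full_config`. Separately, the README entry for the certificate names `xpack.security.transport.certificate.key`, which does not match the `xpack.security.transport.ssl.certificate` key tested here.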