Fix permissions and add password option
This commit is contained in:
Jose M
parent
5ca2237264
commit
3d3b3bc1d0
@ -41,18 +41,22 @@
|
|||||||
|
|
||||||
- name: Importing custom CA key
|
- name: Importing custom CA key
|
||||||
copy:
|
copy:
|
||||||
src: "{{ master_certs_destination }}/ca/{{ ca_key_name }}"
|
src: "{{ master_certs_path }}/ca/{{ ca_key_name }}"
|
||||||
dest: "{{ node_certs_source }}/{{ ca_key_name }}"
|
dest: "{{ node_certs_source }}/{{ ca_key_name }}"
|
||||||
|
mode: '0664'
|
||||||
when:
|
when:
|
||||||
- not generate_CA
|
- not generate_CA
|
||||||
|
- node_certs_generator
|
||||||
tags: xpack-security
|
tags: xpack-security
|
||||||
|
|
||||||
- name: Importing custom CA cert
|
- name: Importing custom CA cert
|
||||||
copy:
|
copy:
|
||||||
src: "{{ master_certs_destination }}/ca/{{ ca_cert_name }}"
|
src: "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
|
||||||
dest: "{{ node_certs_source }}/{{ ca_cert_name }}"
|
dest: "{{ node_certs_source }}/{{ ca_cert_name }}"
|
||||||
|
mode: '0664'
|
||||||
when:
|
when:
|
||||||
- not generate_CA
|
- not generate_CA
|
||||||
|
- node_certs_generator
|
||||||
tags: xpack-security
|
tags: xpack-security
|
||||||
|
|
||||||
- name: Generating certificates for Elasticsearch security (generating CA)
|
- name: Generating certificates for Elasticsearch security (generating CA)
|
||||||
@ -65,17 +69,34 @@
|
|||||||
- generate_CA
|
- generate_CA
|
||||||
tags: xpack-security
|
tags: xpack-security
|
||||||
|
|
||||||
- name: Generating certificates for Elasticsearch security (using provided CA)
|
- name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password)
|
||||||
shell: /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
|
shell: >-
|
||||||
|
/usr/share/elasticsearch/bin/elasticsearch-certutil cert
|
||||||
|
--ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
|
||||||
|
--pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
|
||||||
when:
|
when:
|
||||||
- node_certs_generator
|
- node_certs_generator
|
||||||
- not xpack_certs_zip.stat.exists
|
- not xpack_certs_zip.stat.exists
|
||||||
- not generate_CA
|
- not generate_CA
|
||||||
tags: xpack-security
|
- ca_password == ""
|
||||||
|
tags: xpack-security
|
||||||
|
|
||||||
|
- name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password)
|
||||||
|
shell: >-
|
||||||
|
/usr/share/elasticsearch/bin/elasticsearch-certutil cert
|
||||||
|
--ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
|
||||||
|
--pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
|
||||||
|
--ca-pass {{ca_password}}
|
||||||
|
when:
|
||||||
|
- node_certs_generator
|
||||||
|
- not xpack_certs_zip.stat.exists
|
||||||
|
- not generate_CA
|
||||||
|
- ca_password != ""
|
||||||
|
tags: xpack-security
|
||||||
|
|
||||||
- name: Verify the Elastic certificates directory
|
- name: Verify the Elastic certificates directory
|
||||||
file:
|
file:
|
||||||
path: "{{ master_certs_destination }}"
|
path: "{{ master_certs_path }}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: '0700'
|
mode: '0700'
|
||||||
delegate_to: "127.0.0.1"
|
delegate_to: "127.0.0.1"
|
||||||
@ -84,7 +105,7 @@
|
|||||||
|
|
||||||
- name: Verify the Certificates Authority directory
|
- name: Verify the Certificates Authority directory
|
||||||
file:
|
file:
|
||||||
path: "{{ master_certs_destination }}/ca/"
|
path: "{{ master_certs_path }}/ca/"
|
||||||
state: directory
|
state: directory
|
||||||
mode: '0700'
|
mode: '0700'
|
||||||
delegate_to: "127.0.0.1"
|
delegate_to: "127.0.0.1"
|
||||||
@ -94,7 +115,7 @@
|
|||||||
- name: Copying certificates to Ansible master
|
- name: Copying certificates to Ansible master
|
||||||
fetch:
|
fetch:
|
||||||
src: "{{ node_certs_source }}/certs.zip"
|
src: "{{ node_certs_source }}/certs.zip"
|
||||||
dest: "{{ master_certs_destination }}/"
|
dest: "{{ master_certs_path }}/"
|
||||||
flat: yes
|
flat: yes
|
||||||
mode: 0700
|
mode: 0700
|
||||||
when:
|
when:
|
||||||
@ -110,38 +131,22 @@
|
|||||||
|
|
||||||
- name: Unzip generated certs.zip
|
- name: Unzip generated certs.zip
|
||||||
unarchive:
|
unarchive:
|
||||||
src: "{{master_certs_destination}}/certs.zip"
|
src: "{{master_certs_path}}/certs.zip"
|
||||||
dest: "{{master_certs_destination}}/"
|
dest: "{{master_certs_path}}/"
|
||||||
become: true
|
become: true
|
||||||
delegate_to: "127.0.0.1"
|
delegate_to: "127.0.0.1"
|
||||||
when:
|
when:
|
||||||
- node_certs_generator
|
- node_certs_generator
|
||||||
tags: xpack-security
|
tags: xpack-security
|
||||||
|
|
||||||
- name: Ensuring certificates folder owner
|
|
||||||
file:
|
|
||||||
path: "{{ node_certs_destination }}/"
|
|
||||||
state: directory
|
|
||||||
recurse: yes
|
|
||||||
owner: elasticsearch
|
|
||||||
group: elasticsearch
|
|
||||||
tags: xpack-security
|
|
||||||
|
|
||||||
- name: Ensuring certificates folder permissions
|
|
||||||
file:
|
|
||||||
path: "{{ node_certs_destination }}/"
|
|
||||||
mode: '0770'
|
|
||||||
recurse: yes
|
|
||||||
tags: xpack-security
|
|
||||||
|
|
||||||
- name: Copying node's certificate from master
|
- name: Copying node's certificate from master
|
||||||
copy:
|
copy:
|
||||||
src: "{{item}}"
|
src: "{{item}}"
|
||||||
dest: "{{node_certs_destination}}/"
|
dest: "{{node_certs_destination}}/"
|
||||||
with_items:
|
with_items:
|
||||||
- "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key"
|
- "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key"
|
||||||
- "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt"
|
- "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt"
|
||||||
- "{{master_certs_destination}}/ca/ca.crt"
|
- "{{master_certs_path}}/ca/ca.crt"
|
||||||
when:
|
when:
|
||||||
- generate_CA
|
- generate_CA
|
||||||
tags: xpack-security
|
tags: xpack-security
|
||||||
@ -151,13 +156,24 @@
|
|||||||
src: "{{item}}"
|
src: "{{item}}"
|
||||||
dest: "{{node_certs_destination}}/"
|
dest: "{{node_certs_destination}}/"
|
||||||
with_items:
|
with_items:
|
||||||
- "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key"
|
- "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key"
|
||||||
- "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt"
|
- "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt"
|
||||||
- "{{master_certs_destination}}/ca/{{ca_cert_name}}"
|
- "{{master_certs_path}}/ca/{{ca_cert_name}}"
|
||||||
when:
|
when:
|
||||||
- not generate_CA
|
- not generate_CA
|
||||||
tags: xpack-security
|
tags: xpack-security
|
||||||
|
|
||||||
|
- name: Ensuring folder permissions
|
||||||
|
file:
|
||||||
|
path: "{{ node_certs_destination }}/"
|
||||||
|
mode: '0774'
|
||||||
|
state: directory
|
||||||
|
recurse: yes
|
||||||
|
when:
|
||||||
|
- elasticsearch_xpack_security
|
||||||
|
- generate_CA
|
||||||
|
tags: xpack-security
|
||||||
|
|
||||||
- name: Set elasticsearch bootstrap password
|
- name: Set elasticsearch bootstrap password
|
||||||
shell: >-
|
shell: >-
|
||||||
echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password
|
echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user