Decoupled local actions and updated SearchGuard certificate generator binary

2020-04-29 15:54:29 +02:00 · 2020-04-29 15:54:29 +02:00 · ae160cf6c3
commit ae160cf6c3
parent 53ad5c62cc
3 changed files with 49 additions and 42 deletions
--- a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml
@ -0,0 +1,40 @@
+---
+
+- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation
+  local_action:
+    module: file
+    path: /tmp/opendistro-nodecerts
+    state: directory
+  run_once: true
+
+- name: RedHat/CentOS/Fedora | Download certificates generation tool
+  local_action:
+    module: get_url
+    url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip
+    dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip
+  run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip
+
+- name: RedHat/CentOS/Fedora | Extract the certificates generation tool
+  local_action:
+    module: unarchive
+    src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip
+    dest: /tmp/opendistro-nodecerts/
+
+- name: RedHat/CentOS/Fedora | Add the execution bit to the binary
+  local_action:
+    module: file
+    dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh
+    mode: a+x
+  run_once: true
+
+- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file
+  local_action:
+    module: template
+    src: "templates/tlsconfig.yml.j2"
+    dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml
+  run_once: true
+
+- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local
+  local_action:
+    module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f
+  run_once: true
--- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml
@ -35,46 +35,6 @@
  package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present
  register: install

-## Here we are going to use self-signed certificates for Transport (Node-Node communication) & REST API layer
-## Using searchguard offline TLS tool to create node & root certificates
- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation
-  local_action:
-    module: file
-    path: /tmp/opendistro-nodecerts
-    state: directory
-  run_once: true
-
- name: RedHat/CentOS/Fedora | Download certificates generation tool
-  local_action:
-    module: get_url
-    url: https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/1.5/search-guard-tlstool-1.5.zip
-    dest: /tmp/opendistro-nodecerts/search-guard-tlstool.zip
-  run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip
-
- name: RedHat/CentOS/Fedora | Extract the certificates generation tool
-  local_action:
-    module: unarchive
-    src: /tmp/opendistro-nodecerts/search-guard-tlstool.zip
-    dest: /tmp/opendistro-nodecerts/
-
- name: RedHat/CentOS/Fedora | Add the execution bit to the binary
-  local_action:
-    module: file
-    dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh
-    mode: a+x
-  run_once: true
-
- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file
-  local_action:
-    module: template
-    src: "templates/tlsconfig.yml.j2"
-    dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml
-  run_once: true
-
- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local
-  local_action:
-    module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/
-  run_once: true

 - name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster
  copy:
--- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml
@ -1,10 +1,12 @@
 ---
+- import_tasks: LocalActions.yml
+
 - import_tasks: RedHat.yml
  when: ansible_os_family == 'RedHat'

 - name: Configure OpenDistro Elasticsearch JVM memmory.
  template:
-    src: jvm.options.j2
+    src: "templates/jvm.options.j2"
    dest: /etc/elasticsearch/jvm.options
    owner: root
    group: elasticsearch
@ -19,7 +21,12 @@
  when: ansible_os_family == "RedHat"

 - name: Copy Configuration File
-  template: src=elasticsearch.yml dest={{conf_dir}}/elasticsearch.yml group=elasticsearch mode=0644 backup=yes
+  template: 
+    src: "templates/elasticsearch.ym.j2"
+    dest: "{{conf_dir}}/elasticsearch.yml"
+    group: elasticsearch
+    mode: 0644
+    backup: yes
  register: system_change
  notify: restart elasticsearch