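# --- X-Pack TLS material for Elasticsearch ----------------------------------
#
# One host is designated as the certificate generator (node_certs_generator is
# true there); steps that must run on the controller use delegate_to 127.0.0.1.
# Flow:
#   1. render instances.yml on the generator (skipped when that node already
#      has a certificate under node_certs_destination),
#   2. run elasticsearch-certutil on the generator, either creating a fresh CA
#      (generate_CA) or signing with the CA key/cert imported from
#      master_certs_path/ca (optionally password-protected via ca_password),
#   3. fetch certs.zip to master_certs_path on the controller, delete it (and,
#      for a custom CA, the staged CA key) from the generator, unzip it on the
#      controller,
#   4. push <node>.key, <node>.crt and the CA certificate to every node and
#      fix group/permissions under node_certs_destination,
#   5. store the bootstrap password in the Elasticsearch keystore.
#
# Secrets in play: ca_password, elasticsearch_xpack_security_password and the
# CA private key.  Tasks that touch them use no_log and owner-only file modes.
#
# NOTE(review): certs.zip is removed from the generator at the end of every
# run, so the `not xpack_certs_zip.stat.exists` guards never see an existing
# bundle and a re-run looks like it regenerates all certificates; the only
# reuse guard is certificate_file_exists on the instances.yml template.
# Confirm that is intended.

# unarchive (below, delegated to the controller) needs unzip there.
- name: Install unzip dependency.
  package:
    name: unzip
    state: present
  delegate_to: "127.0.0.1"
  when:
    - node_certs_generator

# Does this node already hold a certificate?  Used below to avoid re-rendering
# instances.yml over an existing setup.
- name: Check if certificate exists locally
  stat:
    path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt"
  register: certificate_file_exists

# instances.yml is the certutil input (--in below) describing the instances to
# issue certificates for.  force: false leaves an existing copy on the
# generator untouched.
- name: Write the instances.yml file in the selected node (force = no)
  template:
    src: instances.yml.j2
    dest: "{{ node_certs_source }}/instances.yml"
    force: false
  register: instances_file_exists
  tags:
    - config
    - xpack-security
  when:
    - node_certs_generator
    - not certificate_file_exists.stat.exists

# Re-read on-disk state so instances_file_exists.stat is defined whether or
# not the template task ran.
- name: Update instances.yml status after generation
  stat:
    path: "{{ node_certs_source }}/instances.yml"
  register: instances_file_exists
  when:
    - node_certs_generator

# Gate for the certutil tasks.  The order of `when` items matters throughout
# this file: node_certs_generator comes first so the later items, which
# dereference results registered only on the generator, are never evaluated
# on other hosts.
- name: Check if the certificates ZIP file exists
  stat:
    path: "{{ node_certs_source }}/certs.zip"
  register: xpack_certs_zip
  when:
    - node_certs_generator

# Custom-CA path: stage the CA key on the generator.  It is a private key, so
# owner-only (0664 left it group-writable and world-readable); it is deleted
# again after the fetch further down.
- name: Importing custom CA key
  copy:
    src: "{{ master_certs_path }}/ca/{{ ca_key_name }}"
    dest: "{{ node_certs_source }}/{{ ca_key_name }}"
    mode: '0600'
  when:
    - node_certs_generator
    - not generate_CA
  tags: xpack-security

# The CA certificate is public; readable, but not group-writable.
- name: Importing custom CA cert
  copy:
    src: "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
    dest: "{{ node_certs_source }}/{{ ca_cert_name }}"
    mode: '0644'
  when:
    - node_certs_generator
    - not generate_CA
  tags: xpack-security

# Variant 1: certutil creates the CA too.  The copy tasks below rely on the
# resulting layout ca/ca.crt and <instance>/<instance>.{crt,key} (PEM).
- name: Generating certificates for Elasticsearch security (generating CA)
  command: >-
    /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem
    --in {{ node_certs_source }}/instances.yml
    --out {{ node_certs_source }}/certs.zip
  when:
    - node_certs_generator
    - not xpack_certs_zip.stat.exists
    - generate_CA
  tags: xpack-security

# Variant 2: sign with the imported CA; its key is not password-protected.
- name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password)
  command: >-
    /usr/share/elasticsearch/bin/elasticsearch-certutil cert
    --ca-key {{ node_certs_source }}/{{ ca_key_name }}
    --ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
    --pem --in {{ node_certs_source }}/instances.yml
    --out {{ node_certs_source }}/certs.zip
  when:
    - node_certs_generator
    - not xpack_certs_zip.stat.exists
    - not generate_CA
    - ca_password | length == 0
  tags: xpack-security

# Variant 3: same, with a password-protected CA key.  `quote` keeps a password
# containing spaces or shell metacharacters as one argument (the command module
# shlex-splits the string); no_log keeps it out of the play output, callbacks
# and log files.  Because this invocation passes it as an argument it is still
# visible in the process list while certutil runs.
- name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password)
  command: >-
    /usr/share/elasticsearch/bin/elasticsearch-certutil cert
    --ca-key {{ node_certs_source }}/{{ ca_key_name }}
    --ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
    --pem --in {{ node_certs_source }}/instances.yml
    --out {{ node_certs_source }}/certs.zip
    --ca-pass {{ ca_password | quote }}
  no_log: true
  when:
    - node_certs_generator
    - not xpack_certs_zip.stat.exists
    - not generate_CA
    - ca_password | length > 0
  tags: xpack-security

# Landing directories on the controller: owner-only, they will hold private
# keys.
- name: Verify the Elastic certificates directory
  file:
    path: "{{ master_certs_path }}"
    state: directory
    mode: '0700'
  delegate_to: "127.0.0.1"
  when:
    - node_certs_generator

- name: Verify the Certificates Authority directory
  file:
    path: "{{ master_certs_path }}/ca/"
    state: directory
    mode: '0700'
  delegate_to: "127.0.0.1"
  when:
    - node_certs_generator

# Pull the bundle to the controller.  flat: true drops the hostname prefix so
# the file lands as master_certs_path/certs.zip.  The archive holds private
# keys, hence owner-only (a zip needs no execute bit).
- name: Copying certificates to Ansible master
  fetch:
    src: "{{ node_certs_source }}/certs.zip"
    dest: "{{ master_certs_path }}/"
    flat: true
    mode: '0600'
  when:
    - node_certs_generator
  tags: xpack-security

# Clean the generator: neither the bundle nor a staged CA private key should
# remain on an Elasticsearch node once the controller has the material.
- name: Delete certs.zip in Generator node
  file:
    state: absent
    path: "{{ node_certs_source }}/certs.zip"
  when:
    - node_certs_generator

- name: Delete imported CA key in Generator node
  file:
    state: absent
    path: "{{ node_certs_source }}/{{ ca_key_name }}"
  when:
    - node_certs_generator
    - not generate_CA

# NOTE(review): become here makes the extracted files root-owned on the
# controller while the directory tasks above run unprivileged; confirm the
# controller user can read them for the copy tasks that follow.
- name: Unzip generated certs.zip
  unarchive:
    src: "{{ master_certs_path }}/certs.zip"
    dest: "{{ master_certs_path }}/"
  become: true
  delegate_to: "127.0.0.1"
  when:
    - node_certs_generator
  tags: xpack-security

# Distribute per-node material.  These run on every host (no generator gate);
# the permissions task at the end tightens what lands here.
- name: Copying node's certificate from master
  copy:
    src: "{{ item }}"
    dest: "{{ node_certs_destination }}/"
  loop:
    - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
    - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt"
    - "{{ master_certs_path }}/ca/ca.crt"
  when:
    - generate_CA
  tags: xpack-security

- name: Copying node's certificate from master (Custom CA)
  copy:
    src: "{{ item }}"
    dest: "{{ node_certs_destination }}/"
  loop:
    - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
    - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt"
    - "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
  when:
    - not generate_CA
  tags: xpack-security

# Tighten what the copy tasks left behind.  The previous recursive 0774 made
# the node's private key world-readable and group-writable.  Now: directories
# 0750, files 0640, nothing for "other", and group elasticsearch so the
# service can still read its key.  Applies to both the generated-CA and the
# custom-CA layout (the custom-CA path was previously left untouched).
# NOTE(review): `elasticsearch` is the group the official packages create;
# adjust if the service runs under a different account, or if
# node_certs_destination is shared with other services that need read access.
- name: Ensuring folder permissions
  file:
    path: "{{ node_certs_destination }}/"
    state: directory
    group: elasticsearch
    mode: 'u=rwX,g=rX,o='
    recurse: true
  when:
    - elasticsearch_xpack_security
  tags: xpack-security

# Seed the keystore with the bootstrap password.  The value is handed to the
# module's stdin instead of `echo ... |`, so it never appears in the argv of a
# shell (readable in `ps` by every local user) and the bash-only
# `set -o pipefail` is no longer needed; no_log keeps it out of the play
# output, callbacks and log files.  -x reads the value from stdin, -f
# overwrites an existing entry, as before.
- name: Set elasticsearch bootstrap password
  command: "{{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password"
  args:
    stdin: "{{ elasticsearch_xpack_security_password }}"
  no_log: true
  when:
    - node_certs_generator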