Feature/use uri not curl 123 (#186)

Close #123
Close #266 
Close #265 
Close #11

---------

Co-authored-by: Afeef Ghannam <afeef.ghannam@netways.de>
Co-authored-by: Afeef Ghannam <39904920+afeefghannam89@users.noreply.github.com>
Co-authored-by: Thomas Widhalm <thomas.widhalm@netways.de>
Co-authored-by: denise <denise.siemer@hotmail.de>

Author: 4 people

README.md

@@ -35,31 +35,34 @@ collections:
 
 You will need the following Ansible collections installed
 
-* community.general (probably already present)
+* `community.general` (probably already present)
+
+You will need these packages / libraries installed. Some very basic packages like `openssl` get handled by the collection if needed. The following list contains packages and libraries which only apply to special cases or need for you to decide on the installation method.
+
+* `passlib` Python library if you do not disable password hashing for logstash user and you want to use logstash role from this collection. It should be installed with pip on the Ansible controller.
 
 You may want the following Ansible roles installed. There other ways to achieve what they are doing but using them is easy and convenient.
 
-* geerlingguy.redis
-* openssl if you want to use Elastic Security
+* `geerlingguy.redis` if you want to use logstash role
 
 ### Supported systems
 
 We test the collection on the following Linux distributions. Each one with Elastic Stack 7 and 8.
 
+* Rocky Linux 9
 * Rocky Linux 8
-* Ubuntu 20.04 LTS
 * Ubuntu 22.04 LTS
+* Ubuntu 20.04 LTS
 * Debian 11
+* Debian 10
+* CentOS 8
 
 We know from personal experience, that the collections work in following combinations. Missing tests mostly come from incompatibilties between the distribution and our testing environment, not from problems with the collection itself.
 
 * CentOS 7 - Elastic Stack 7
 
 ### Known Issues
 
-There are known issues with the following Linux distributions.
-
-* Rocky Linux 9: The GnuPG key used by Elastic seems to be incompatible with this version of Rocky.
 
 ## Usage
 

docs/role-logstash.md

@@ -20,6 +20,10 @@ Requirements
 
 * `community.general` collection
 
+You will need these packages / libraries installed. Some very basic packages like `openssl` get handled by the collection if needed. The following list contains packages and libraries which only apply to special cases or need for you to decide on the installation method.
+
+* `passlib` Python library if you do not disable password hashing for logstash user. It should be installed with pip on the Ansible controller.
+
 You need to have the Elastic Repos configured on your system. You can use our [role](./role-repos.md)
 
 If you want to use the default pipeline configuration you need to have `git` available.
@@ -68,7 +72,7 @@ Aside from `logstash.yml` we can manage Logstashs pipelines.
 * *logstash_password_hash*: Generate and use a hash from your `logstash_password` (default: `true`)
 * *logstash_password_hash_algorithm*: Password hashing algorithms. Value must be same as `xpack.security.authc.password_hashing.algorithm` (default: `bcrypt`)
 * *logstash_password_salt_length*: base64 encoded Salt character lenght. This value must be integer and must be compatible to the selected password hashing algorithms (default: `22`)
-**logstash_password_hash_salt_seed*: A seed to generate random but idempotent salt on the elasticstack ca host. The salt will be used to create idempotent logstash hashed user password (default: `SeedChangeMe`)
+* *logstash_password_hash_salt_seed*: A seed to generate random but idempotent salt on the elasticstack ca host. The salt will be used to create idempotent logstash hashed user password (default: `SeedChangeMe`)
 * *logstash_password*: Password of Elasticsearch user. It must be at least 6 characters long (default: `password`)
 * *logstash_user_indices*: Indices the user has access to (default: `'"ecs-logstash*", "logstash*", "logs*"'`)
 * *logstash_reset_writer_role*: Reset user and role with every run: (default: `true`)

requirements-test.txt

@@ -3,4 +3,4 @@ ansible-lint
 molecule
 molecule-plugins[docker]
 pytest
-passlib
+passlib

roles/elasticsearch/tasks/elasticsearch-keystore.yml

@@ -0,0 +1,184 @@
+---
+
+- name: Create keystore
+  ansible.builtin.command: /usr/share/elasticsearch/bin/elasticsearch-keystore create
+  args:
+    creates: /etc/elasticsearch/elasticsearch.keystore
+
+- name: Check for bootstrap password
+  ansible.builtin.command: /usr/share/elasticsearch/bin/elasticsearch-keystore list
+  changed_when: false
+  register: elasticsearch_keystore
+
+- name: Set bootstrap password # noqa: risky-shell-pipe
+  ansible.builtin.shell: >
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
+    echo "{{ elasticsearch_bootstrap_pw }}" |
+    /usr/share/elasticsearch/bin/elasticsearch-keystore
+    add -x 'bootstrap.password'
+  when: "'bootstrap.password' not in elasticsearch_keystore.stdout_lines"
+  changed_when: false
+  no_log: true
+  notify:
+    - Restart Elasticsearch
+  ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Get xpack.security.http.ssl.keystore.secure_password # noqa: risky-shell-pipe
+  ansible.builtin.shell: >
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
+    /usr/share/elasticsearch/bin/elasticsearch-keystore
+    show 'xpack.security.http.ssl.keystore.secure_password'
+  when:
+    - "'xpack.security.http.ssl.keystore.secure_password' in elasticsearch_keystore.stdout_lines"
+    - elasticsearch_http_security
+  register: elasticsearch_http_ssl_keystore_secure_password
+  ignore_errors: "{{ ansible_check_mode }}"
+  no_log: true
+  changed_when: false
+
+- name: Set xpack.security.http.ssl.keystore.secure_password # noqa: risky-shell-pipe
+  ansible.builtin.shell: >
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
+    echo "{{ elasticsearch_tls_key_passphrase }}" |
+    /usr/share/elasticsearch/bin/elasticsearch-keystore
+    add -f -x 'xpack.security.http.ssl.keystore.secure_password'
+  changed_when: false
+  no_log: true
+  when:
+    - elasticsearch_http_ssl_keystore_secure_password.stdout is undefined or elasticsearch_tls_key_passphrase != elasticsearch_http_ssl_keystore_secure_password.stdout
+    - elasticsearch_http_security
+  notify:
+    - Restart Elasticsearch
+
+- name: Remove xpack.security.http.ssl.keystore.secure_password # noqa: risky-shell-pipe
+  ansible.builtin.shell: >
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
+    /usr/share/elasticsearch/bin/elasticsearch-keystore
+    remove 'xpack.security.http.ssl.keystore.secure_password'
+  changed_when: false
+  no_log: true
+  when:
+    - "'xpack.security.http.ssl.keystore.secure_password' in elasticsearch_keystore.stdout_lines"
+    - not elasticsearch_http_security
+  notify:
+    - Restart Elasticsearch
+
+- name: Get xpack.security.http.ssl.truststore.secure_password # noqa: risky-shell-pipe
+  ansible.builtin.shell: >
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
+    /usr/share/elasticsearch/bin/elasticsearch-keystore
+    show 'xpack.security.http.ssl.truststore.secure_password'
+  when:
+    - "'xpack.security.http.ssl.truststore.secure_password' in elasticsearch_keystore.stdout_lines"
+    - elasticsearch_http_security
+  register: elasticsearch_http_ssl_truststore_secure_password
+  ignore_errors: "{{ ansible_check_mode }}"
+  no_log: true
+  changed_when: false
+
+- name: Set xpack.security.http.ssl.truststore.secure_password # noqa: risky-shell-pipe
+  ansible.builtin.shell: >
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
+    echo "{{ elasticsearch_tls_key_passphrase }}" |
+    /usr/share/elasticsearch/bin/elasticsearch-keystore
+    add -f -x 'xpack.security.http.ssl.truststore.secure_password'
+  changed_when: false
+  no_log: true
+  when:
+    - elasticsearch_http_ssl_truststore_secure_password.stdout is undefined or elasticsearch_tls_key_passphrase != elasticsearch_http_ssl_truststore_secure_password.stdout
+    - elasticsearch_http_security
+  notify:
+    - Restart Elasticsearch
+
+- name: Remove xpack.security.http.ssl.truststore.secure_password # noqa: risky-shell-pipe
+  ansible.builtin.shell: >
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
+    /usr/share/elasticsearch/bin/elasticsearch-keystore
+    remove 'xpack.security.http.ssl.truststore.secure_password'
+  changed_when: false
+  no_log: true
+  when:
+    - "'xpack.security.http.ssl.truststore.secure_password' in elasticsearch_keystore.stdout_lines"
+    - not elasticsearch_http_security
+  notify:
+    - Restart Elasticsearch
+
+- name: Get xpack.security.transport.ssl.keystore.secure_password # noqa: risky-shell-pipe
+  ansible.builtin.shell: >
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
+    /usr/share/elasticsearch/bin/elasticsearch-keystore
+    show 'xpack.security.transport.ssl.keystore.secure_password'
+  when:
+    - "'xpack.security.transport.ssl.keystore.secure_password' in elasticsearch_keystore.stdout_lines"
+    - elasticsearch_security
+  register: elasticsearch_transport_ssl_keystore_secure_password
+  ignore_errors: "{{ ansible_check_mode }}"
+  no_log: true
+  changed_when: false
+
+- name: Set xpack.security.transport.ssl.keystore.secure_password # noqa: risky-shell-pipe
+  ansible.builtin.shell: >
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
+    echo "{{ elasticsearch_tls_key_passphrase }}" |
+    /usr/share/elasticsearch/bin/elasticsearch-keystore
+    add -f -x 'xpack.security.transport.ssl.keystore.secure_password'
+  changed_when: false
+  no_log: true
+  when:
+    - elasticsearch_transport_ssl_keystore_secure_password.stdout is undefined or elasticsearch_tls_key_passphrase != elasticsearch_transport_ssl_keystore_secure_password.stdout
+    - elasticsearch_security
+  notify:
+    - Restart Elasticsearch
+
+- name: Remove xpack.security.transport.ssl.keystore.secure_password # noqa: risky-shell-pipe
+  ansible.builtin.shell: >
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
+    /usr/share/elasticsearch/bin/elasticsearch-keystore
+    remove 'xpack.security.transport.ssl.keystore.secure_password'
+  changed_when: false
+  no_log: true
+  when:
+    - "'xpack.security.transport.ssl.keystore.secure_password' in elasticsearch_keystore.stdout_lines"
+    - not elasticsearch_security
+  notify:
+    - Restart Elasticsearch
+
+- name: Get xpack.security.transport.ssl.truststore.secure_password # noqa: risky-shell-pipe
+  ansible.builtin.shell: >
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
+    /usr/share/elasticsearch/bin/elasticsearch-keystore
+    show 'xpack.security.transport.ssl.truststore.secure_password'
+  when:
+    - "'xpack.security.transport.ssl.truststore.secure_password' in elasticsearch_keystore.stdout_lines"
+    - elasticsearch_security
+  register: elasticsearch_transport_ssl_truststore_secure_password
+  ignore_errors: "{{ ansible_check_mode }}"
+  no_log: true
+  changed_when: false
+
+- name: Set xpack.security.transport.ssl.truststore.secure_password # noqa: risky-shell-pipe
+  ansible.builtin.shell: >
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
+    echo "{{ elasticsearch_tls_key_passphrase }}" |
+    /usr/share/elasticsearch/bin/elasticsearch-keystore
+    add -f -x 'xpack.security.transport.ssl.truststore.secure_password'
+  changed_when: false
+  no_log: true
+  when:
+    - elasticsearch_transport_ssl_truststore_secure_password.stdout is undefined or elasticsearch_tls_key_passphrase != elasticsearch_transport_ssl_truststore_secure_password.stdout
+    - elasticsearch_security
+  notify:
+    - Restart Elasticsearch
+
+- name: Remove xpack.security.transport.ssl.truststore.secure_password # noqa: risky-shell-pipe
+  ansible.builtin.shell: >
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
+    /usr/share/elasticsearch/bin/elasticsearch-keystore
+    remove 'xpack.security.transport.ssl.truststore.secure_password'
+  changed_when: false
+  no_log: true
+  when:
+    - "'xpack.security.transport.ssl.truststore.secure_password' in elasticsearch_keystore.stdout_lines"
+    - not elasticsearch_security
+  notify:
+    - Restart Elasticsearch