6 changes: 3 additions & 3 deletions roles/elasticsearch/tasks/elasticsearch-security.yml
@@ -1,24 +1,24 @@
---

- name: Ensure ca exists

Check warning on line 3 in roles/elasticsearch/tasks/elasticsearch-security.yml

GitHub Actions / lint

var-naming[no-role-prefix]

Variables names from within roles should use elasticsearch_ as a prefix. (register: elasticstack_ca_exists)

Check warning on line 3 in roles/elasticsearch/tasks/elasticsearch-security.yml

GitHub Actions / lint_full / lint

var-naming[no-role-prefix]

Variables names from within roles should use elasticsearch_ as a prefix. (register: elasticstack_ca_exists)
ansible.builtin.stat:
path: "{{ elasticstack_ca_dir }}/elastic-stack-ca.p12"
register: elasticstack_ca_exists
when: inventory_hostname == elasticstack_ca_host

- name: Get CA informations

Check warning on line 9 in roles/elasticsearch/tasks/elasticsearch-security.yml

GitHub Actions / lint

var-naming[no-role-prefix]

Variables names from within roles should use elasticsearch_ as a prefix. (register: elasticstack_ca_infos)

Check warning on line 9 in roles/elasticsearch/tasks/elasticsearch-security.yml

GitHub Actions / lint_full / lint

var-naming[no-role-prefix]

Variables names from within roles should use elasticsearch_ as a prefix. (register: elasticstack_ca_infos)
cert_info:
path: "{{ elasticstack_ca_dir }}/elastic-stack-ca.p12"
passphrase: "{{ elasticstack_ca_pass | default(omit, true) }}"
register: elasticstack_ca_infos
when: inventory_hostname == elasticstack_ca_host and elasticstack_ca_exists.stat.exists | bool

- name: Set the ca expiration date in days

Check warning on line 16 in roles/elasticsearch/tasks/elasticsearch-security.yml

GitHub Actions / lint

var-naming[no-role-prefix]

Variables names from within roles should use elasticsearch_ as a prefix. (set_fact: elasticstack_ca_expiration_days)

Check warning on line 16 in roles/elasticsearch/tasks/elasticsearch-security.yml

GitHub Actions / lint_full / lint

var-naming[no-role-prefix]

Variables names from within roles should use elasticsearch_ as a prefix. (set_fact: elasticstack_ca_expiration_days)
ansible.builtin.set_fact:
elasticstack_ca_expiration_days: "{{ ((elasticstack_ca_infos.not_valid_after | to_datetime()) - (ansible_date_time.date | to_datetime('%Y-%m-%d'))).days }}"
when: inventory_hostname == elasticstack_ca_host and elasticstack_ca_infos.skipped is not defined

- name: Set ca will expire soon to true

Check warning on line 21 in roles/elasticsearch/tasks/elasticsearch-security.yml

GitHub Actions / lint

var-naming[no-role-prefix]

Variables names from within roles should use elasticsearch_ as a prefix. (set_fact: elasticstack_ca_will_expire_soon)

Check warning on line 21 in roles/elasticsearch/tasks/elasticsearch-security.yml

GitHub Actions / lint_full / lint

var-naming[no-role-prefix]

Variables names from within roles should use elasticsearch_ as a prefix. (set_fact: elasticstack_ca_will_expire_soon)
ansible.builtin.set_fact:
elasticstack_ca_will_expire_soon: true
when: >
Expand Down Expand Up @@ -264,7 +264,7 @@
- name: Fetch ca certificate from ca host to Ansible controller
ansible.builtin.fetch:
src: "{{ elasticstack_ca_dir }}/ca.crt"
dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt"
dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ elasticstack_ca_host }}.crt"
flat: yes
when: inventory_hostname == elasticstack_ca_host
tags:
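Review bot: the new `dest` on the fetch task still writes the CA certificate into the parent of `DEFAULT_LOCAL_TMP` on the controller, a location that outlives the play, so a run in which this task is skipped (it is gated by `when: inventory_hostname == elasticstack_ca_host` and by `tags`) leaves whatever `{{ elasticstack_ca_host }}.crt` an earlier run put there. Naming the file after the CA host removes the collision between clusters that share a controller, but the later copy task will still distribute a stale file as the trust anchor without complaint. Consider removing the controller-side copy at the end of the play, or checking its fingerprint against the certificate on the CA host before it is pushed to the nodes.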
Expand Down Expand Up @@ -297,8 +297,8 @@

- name: Copy the ca certificate to elasticsearch nodes
ansible.builtin.copy:
src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt"
dest: "/etc/elasticsearch/certs"
src: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ elasticstack_ca_host }}.crt"
dest: "/etc/elasticsearch/certs/ca.crt"
owner: root
group: elasticsearch
mode: 0640
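Review bot: the new `src` on the copy task repeats the expression `{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ elasticstack_ca_host }}.crt` from the fetch task's `dest` verbatim, so an edit to one that misses the other breaks CA distribution only at run time. Defining the controller-side path once in a role variable and referencing it in both tasks would prevent that drift. Making `dest` the full file path `/etc/elasticsearch/certs/ca.crt` is the right companion change, since the source basename is now host-specific; any other task that still reads `ca.crt` from the controller temp directory needs the same update. As a style point, quoting the mode as `mode: "0640"` avoids relying on YAML octal parsing.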
Expand Down Expand Up @@ -404,7 +404,7 @@
retries: 5
delay: 10

- name: Fetch Elastic password # noqa: risky-shell-pipe

Check warning on line 407 in roles/elasticsearch/tasks/elasticsearch-security.yml

GitHub Actions / lint

var-naming[no-role-prefix]

Variables names from within roles should use elasticsearch_ as a prefix. (register: elasticstack_password)

Check warning on line 407 in roles/elasticsearch/tasks/elasticsearch-security.yml

GitHub Actions / lint_full / lint

var-naming[no-role-prefix]

Variables names from within roles should use elasticsearch_ as a prefix. (register: elasticstack_password)
ansible.builtin.shell: >
if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
grep "PASSWORD elastic" {{ elasticstack_initial_passwords }} |