This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

Enable certificate deployment as part of X-Pack Security set-up #331

Closed
wants to merge 4 commits into from


cdahlqvist

The playbook does not currently seem to support deploying and configuring certificates as part of setting up X-Pack security. This PR adds support for uploading and deploying certificates as part of the installation. I am new to Ansible, so any feedback and suggestions around how to improve this will be much appreciated.

@gingerwizard

@cdahlqvist this is a great addition and something I think @jpcarey planned to add. Can we, however, get a test? I think I'd want to test that this works on a 2 node deployment at minimum and that the cluster forms.

I assume this test is unlikely to work if we don't provide ssl.verification_mode: certificate.

I can help with a test if needed.

@jpcarey
Contributor

jpcarey commented Aug 17, 2017

My thought was to just check if http or transport TLS was enabled in the configured elasticsearch.yml settings, then check that the configured cert paths (pem or java keystore type) were valid - if not provide a failure message that certificates had not been deployed to the node being provisioned. This does get a little tricky in that the certs need to be in the config path, or java security would not allow usage of the files. This has the expectation that the end user's playbook would create the appropriate config folder and place the certs into that location before running this role. I personally think the steps to copy the certs is a config deployment problem outside the scope of this role.

I could however see adding the ability to use the certgen tool we provide for creating and signing certs automatically for each node - but I'd rather see that as a separate role.

@gingerwizard

For reference this functionality is supported in the puppet module, although it uses a java keystore. Ansible supports managing keystores in addition.

Whilst I agree with @jpcarey as to the role division, the need for the certs to be in the config path troubles me, especially given we use instance_name to support multiple instances on a box, thus the config paths are variable. Could we maybe ask the user to provide locations on the server, and simply copy them into the required locations ourselves? I think this would be a reasonable compromise.

@jpcarey
Contributor

jpcarey commented Aug 18, 2017

@gingerwizard so the end user would provide an array of files (generic, to support any type), and we would just make sure each is copied?

@gingerwizard

@jpcarey the array they provide would be files on the remote machine, rather than the local machine.

@gingerwizard

And yes, we'd ensure they are copied into each instance and the parameters inserted into the elasticsearch.yml.

@gingerwizard

@jpcarey do we have an agreed approach here? I think it's pretty simple and I'd like to try and get it done before 6.0.

@medcl

medcl commented May 24, 2019

I'd like to get this feature merged into master. Is there any update?

@elasticmachine
Collaborator

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

@rozling

rozling commented May 31, 2019

I would also love to see this merged soon.

However, unless I'm mistaken, there is one step missing to enable certificate deployment (from the docs):

If you secured the node’s certificate with a password, add the password to your Elasticsearch keystore:
[snip]

If this isn't done, Elasticsearch doesn't start as it can't read the certificate, and the playbook hangs.

Whilst i agree with @jpcarey as to the role division, the need for the certs to be in the config path troubles me - especially given we use instance_name to support multiple instances on a box - thus the config paths are variable

@gingerwizard now that it looks like #566 will be merged soon, maybe this simplifies things a bit?

Edit: I should mention I haven't been able to find a way around the playbook hanging due to being unable to read the cert, other than running the role twice and adding the certificate password to the keystore in between runs. If anyone knows of such a workaround I'd be glad to hear it!
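As an added example (not code from this PR or from the role itself), the approach discussed in this thread, with the user supplying certificate files already present on the host, the role copying them into the instance config path, and the keystore step rozling points out, could look like the following Ansible tasks. The variable names, the handler name and the use of ES_PATH_CONF and the xpack.security.transport.ssl.secure_key_passphrase setting are assumptions about the target environment, not values taken from this PR.

```yaml
# Added example, not part of the PR or the role. Assumed variables:
#   es_conf_dir, es_home, es_user, es_group, es_ssl_remote_files (list of
#   paths on the managed host), es_ssl_key_password, es_transport_ssl_enabled.
- name: Fail early if transport TLS is enabled but no certificates were provided
  assert:
    that:
      - es_ssl_remote_files | default([]) | length > 0
    fail_msg: "transport TLS is enabled but es_ssl_remote_files is empty; certificates have not been deployed to this node"
  when: es_transport_ssl_enabled | default(false) | bool

- name: Copy certificate files into the instance config path (remote-to-remote)
  copy:
    src: "{{ item }}"
    dest: "{{ es_conf_dir }}/{{ item | basename }}"
    remote_src: yes
    owner: "{{ es_user }}"
    group: "{{ es_group }}"
    mode: "0640"
  loop: "{{ es_ssl_remote_files | default([]) }}"
  when: es_transport_ssl_enabled | default(false) | bool

- name: Create the Elasticsearch keystore for this instance if it does not exist
  command: "{{ es_home }}/bin/elasticsearch-keystore create"
  args:
    creates: "{{ es_conf_dir }}/elasticsearch.keystore"
  environment:
    ES_PATH_CONF: "{{ es_conf_dir }}"   # assumed: points the tool at this instance's config dir
  become_user: "{{ es_user }}"

# The private key passphrase goes into the keystore, not elasticsearch.yml;
# without it the node cannot read the key and the service never comes up.
- name: Add the certificate key passphrase to the keystore
  command: "{{ es_home }}/bin/elasticsearch-keystore add --stdin --force xpack.security.transport.ssl.secure_key_passphrase"
  args:
    stdin: "{{ es_ssl_key_password }}"
  environment:
    ES_PATH_CONF: "{{ es_conf_dir }}"
  become_user: "{{ es_user }}"
  no_log: true          # keep the passphrase out of the Ansible log
  when: es_ssl_key_password is defined
  notify: restart elasticsearch   # assumed handler name
```

The TLS settings themselves (certificate, key and CA paths, verification mode) would still be rendered into elasticsearch.yml by the role's own config templating, with the paths pointing at es_conf_dir.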

@jmlrt jmlrt added the feature label Sep 17, 2019
@jmlrt
Member

jmlrt commented Sep 17, 2019

I'm closing this PR as we have work in progress in #597.

@jmlrt jmlrt closed this Sep 17, 2019
@jmlrt jmlrt mentioned this pull request Nov 19, 2019