Enable certificate deployment as part of X-Pack Security set-up #331
Conversation
@cdahlqvist this is a great addition and something I think @jpcarey planned to add. Can we, however, get a test? I think I'd want to test that this works on a 2 node deployment min and that the cluster forms. I assume this test is unlikely to work if we don't provide ssl.verification_mode:certificate. I can help with a test if needed.
My thought was to just check if http or transport TLS was enabled in the configured elasticsearch.yml settings, then check that the configured cert paths (pem or java keystore type) were valid - if not, provide a failure message that certificates had not been deployed to the node being provisioned. This does get a little tricky in that the certs need to be in the config path, or java security would not allow usage of the files. This has the expectation that the end user's playbook would create the appropriate config folder and place the certs into that location before running this role. I personally think the steps to copy the certs are a config deployment problem outside the scope of this role. I could however see adding the ability to use the certgen tool we provide for creating and signing certs automatically for each node - but I'd rather see that as a separate role.
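The pre-flight check described in the comment above (TLS enabled in elasticsearch.yml, every referenced key/cert present under the config path) as an added Python sketch; it is not code from this PR or from the ansible-elasticsearch role. It assumes the 6.x `xpack.security.<layer>.ssl.*` setting names, a flat `key: value` elasticsearch.yml, and constructed sample paths in `demo()`.

```python
import os
import tempfile

PATH_KEYS = ("key", "certificate")  # PEM-style settings whose values are file paths

def parse_flat_yml(text):
    """Parse the flat 'dotted.key: value' lines of elasticsearch.yml (scalars only;
    deliberately not a general YAML parser)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def check_tls_files(yml_text, conf_dir):
    """Return a list of problems; empty means every enabled TLS layer has its files in place."""
    settings = parse_flat_yml(yml_text)
    conf_dir = os.path.realpath(conf_dir)
    problems = []
    for layer in ("transport", "http"):
        base = f"xpack.security.{layer}.ssl."
        if settings.get(base + "enabled", "false").lower() != "true":
            continue
        paths = [settings[base + k] for k in PATH_KEYS if base + k in settings]
        if not paths:
            problems.append(f"{layer}: TLS enabled but no key/certificate configured")
        for p in paths:
            full = os.path.realpath(p if os.path.isabs(p) else os.path.join(conf_dir, p))
            if not full.startswith(conf_dir + os.sep):  # Java security will refuse to read it
                problems.append(f"{layer}: {p} is outside the config path")
            elif not os.path.isfile(full):
                problems.append(f"{layer}: {p} has not been deployed to this node")
    return problems

def demo():
    """Constructed scenario: transport certs deployed, http key outside config, http cert missing."""
    conf = tempfile.mkdtemp()
    os.makedirs(os.path.join(conf, "certs"))
    for name in ("node.key", "node.crt"):
        open(os.path.join(conf, "certs", name), "w").close()
    yml = ("xpack.security.transport.ssl.enabled: true\n"
           "xpack.security.transport.ssl.key: certs/node.key\n"
           "xpack.security.transport.ssl.certificate: certs/node.crt\n"
           "xpack.security.http.ssl.enabled: true\n"
           "xpack.security.http.ssl.key: /etc/pki/http.key  # outside config dir\n"
           "xpack.security.http.ssl.certificate: certs/http.crt  # not copied yet\n")
    return check_tls_files(yml, conf)
```

Wired into a role this would run before the service is started, so a missing or unreadable cert fails the play with a clear message instead of Elasticsearch hanging at startup.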
For reference this functionality is supported in the puppet module, although it uses a java keystore. Ansible supports managing keystores in addition. Whilst I agree with @jpcarey as to the role division, the need for the certs to be in the config path troubles me - especially given we use
@gingerwizard so the end user would provide an array of files (generic, to support any type), and we would just make sure each is copied?
@jpcarey the array they provide would be files on the remote machine - rather than the local machine.
And yes, we ensure they are copied into each instance and the parameters inserted into the elasticsearch.yml
@jpcarey do we have an agreed approach here? I think it's pretty simple and I'd like to try and get it done before 6.0
I'd like to get this feature merged into master, is there any update?
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
I would also love to see this merged soon. However unless I'm mistaken there is one step missing to enable certificate deployment (from the docs):
If this isn't done, Elasticsearch doesn't start as it can't read the certificate, and the playbook hangs.
@gingerwizard now that it looks like #566 will be merged soon, maybe this simplifies things a bit? Edit: I should mention I haven't been able to find a way around the playbook hanging due to being unable to read the cert, other than running the role twice and adding the certificate password to the keystore in between runs. If anyone knows of such a workaround I'd be glad to hear it!
I'm closing this PR as we have current work in progress in #597 |
The playbook does not currently seem to support deploying and configuring certificates as part of setting up X-Pack security. This PR adds support for uploading and deploying certificates as part of the installation. I am new to Ansible, so any feedback and suggestions around how to improve this will be much appreciated.