voxpupuli / puppet-elasticsearch

Elasticsearch Puppet module
Apache License 2.0

Problem with puppet CA and elasticsearch.keystore #1225

Open sandwitch opened 1 month ago

sandwitch commented 1 month ago

Hi

In all our greatness, we decided to use our puppet CA infrastructure for elasticsearch, which is working rather well. However the part where java_ks is called for adding the CA to the keystore for elasticsearch keeps being executed. We ran an evaltrace and found that the following code is being executed:

/Stage[main]/Elasticsearch::Config/Java_ks[elasticsearch_ca]: Starting to evaluate the resource (968 of 1840)
Executing: 'keytool -list -keystore /etc/elasticsearch/elasticsearch.ks -alias elasticsearch_ca'
Executing: 'keytool -list -v -keystore /etc/elasticsearch/elasticsearch.ks -alias elasticsearch_ca'
Executing: 'keytool -v -printcert -file /etc/elasticsearch/certs/ca.pem'
Executing: 'keytool -list -keystore /etc/elasticsearch/elasticsearch.ks -alias elasticsearch_ca'
Executing: 'keytool -delete -alias elasticsearch_ca -keystore /etc/elasticsearch/elasticsearch.ks'
Executing: 'keytool -importcert -noprompt -alias elasticsearch_ca -file /etc/elasticsearch/certs/ca.pem -keystore /etc/elasticsearch/elasticsearch.ks -trustcacerts'
Executing: 'keytool -list -v -keystore /etc/elasticsearch/elasticsearch.ks -alias elasticsearch_ca'
Executing: 'keytool -v -printcert -file /etc/elasticsearch/certs/ca.pem'
/Stage[main]/Elasticsearch::Config/Java_ks[elasticsearch_ca]/ensure: ensure changed 'present' to 'latest' (corrective)
/Stage[main]/Elasticsearch::Config/Java_ks[elasticsearch_ca]: The container Class[Elasticsearch::Config] will propagate my refresh event

Expected was:

/Stage[main]/Elasticsearch::Config/Java_ks[elasticsearch_ca]: Starting to evaluate the resource (949 of 1839)
Executing: 'keytool -list -keystore /etc/elasticsearch/elasticsearch.ks -alias elasticsearch_ca'
Executing: 'keytool -list -v -keystore /etc/elasticsearch/elasticsearch.ks -alias elasticsearch_ca'
Executing: 'keytool -v -printcert -file /etc/elasticsearch/certs/ca.pem'
Executing: 'keytool -list -v -keystore /etc/elasticsearch/elasticsearch.ks -alias elasticsearch_ca'
Executing: 'keytool -v -printcert -file /etc/elasticsearch/certs/ca.pem'
/Stage[main]/Elasticsearch::Config/Java_ks[elasticsearch_ca]: Evaluated in 1.47 seconds

We don't know what the exact check is between these outcomes, but we suspected that there was a field with the sha256sum. Since the 'new' puppet CA environment uses a root and intermediate certificate, we suspected this field gets overwritten. So we added the intermediate by hand to the keystore and removed it from the copy of the original puppet CA.

The effect is that the resource Java_ks[elasticsearch_ca] stays the same.

We were wondering if we are on track here, or if one of you has a better suggestion to deal with this issue.

Code we used:

include elasticsearch
include java

file { '/etc/elasticsearch/certs':
  ensure => directory,
  owner  => 'root',
  group  => 'elasticsearch',
  mode   => '0750',
}

# Node certificate, copied from the Puppet agent's own SSL directory
file { "/etc/elasticsearch/certs/${facts['networking']['fqdn']}.crt":
  ensure  => file,
  source  => "/etc/puppetlabs/puppet/ssl/certs/${facts['networking']['fqdn']}.pem",
  owner   => 'root',
  group   => 'elasticsearch',
  mode    => '0640',
  require => File['/etc/elasticsearch/certs'],
}

# Node private key, readable only by root and the elasticsearch group
file { "/etc/elasticsearch/certs/${facts['networking']['fqdn']}.key":
  ensure  => file,
  source  => "/etc/puppetlabs/puppet/ssl/private_keys/${facts['networking']['fqdn']}.pem",
  owner   => 'root',
  group   => 'elasticsearch',
  mode    => '0640',
  require => File['/etc/elasticsearch/certs'],
}

# Puppet CA bundle (root + intermediate) that Java_ks[elasticsearch_ca] imports
file { '/etc/elasticsearch/certs/ca.pem':
  ensure  => file,
  source  => '/etc/puppetlabs/puppet/ssl/certs/ca.pem',
  owner   => 'root',
  group   => 'elasticsearch',
  mode    => '0640',
  require => File['/etc/elasticsearch/certs'],
}
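To check the fingerprint suspicion above, the following added example (not code from the issue or from the module) splits a PEM bundle such as ca.pem into its certificates and prints each one's fingerprint in keytool's colon-separated format, so the value that `keytool -list -v` reports for the elasticsearch_ca alias can be compared against every certificate in the file rather than only the first. It assumes the fingerprint is the hash of the DER encoding, which is what keytool prints; the certificate bodies are constructed placeholders, not real certificates.

```python
"""Fingerprint every certificate in a PEM bundle and see which one a
keystore alias corresponds to. Added diagnostic, not part of puppet-elasticsearch."""
import base64
import hashlib
import re

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(pem_text: str) -> list:
    """Return the DER bytes of each certificate in the bundle, in file order."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_CERT_RE.findall(pem_text)]


def keytool_fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hash the DER encoding and format it the way keytool prints it (AA:BB:...)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_fingerprints(pem_text: str) -> list:
    """Fingerprints of all certificates in the bundle, in file order."""
    return [keytool_fingerprint(der) for der in split_pem_bundle(pem_text)]


def matches_keystore(reported: str, pem_text: str) -> dict:
    """Compare the fingerprint keytool -list -v reports for an alias with every
    certificate in the file; a bundle with root + intermediate yields two values,
    and a provider that only reads the first may never see a match."""
    fps = bundle_fingerprints(pem_text)
    idx = next((i for i, fp in enumerate(fps) if fp == reported.upper()), None)
    return {"certs_in_file": len(fps), "matching_index": idx,
            "first_matches": idx == 0}


# Constructed stand-in "certificates": real DER is an ASN.1 structure, but for
# fingerprint arithmetic only the raw bytes matter.
_FAKE_ROOT = base64.encodebytes(b"constructed root CA DER placeholder").decode()
_FAKE_INTERMEDIATE = base64.encodebytes(b"constructed intermediate CA DER").decode()
CA_BUNDLE = (f"-----BEGIN CERTIFICATE-----\n{_FAKE_ROOT}-----END CERTIFICATE-----\n"
             f"-----BEGIN CERTIFICATE-----\n{_FAKE_INTERMEDIATE}-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for i, fp in enumerate(bundle_fingerprints(CA_BUNDLE)):
        print(f"cert {i}: SHA256: {fp}")
```

Run it against the real /etc/elasticsearch/certs/ca.pem and compare the output with the SHA256 line from `keytool -list -v -keystore /etc/elasticsearch/elasticsearch.ks -alias elasticsearch_ca`; if the alias matches the second certificate rather than the first, file order is what the resource is tripping over.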