Open neonmei opened 3 years ago
Ok, I got it to work with elasticsearch reusing the already existing `instances` variable for backwards compatibility (although I believe that variable has to be flattened eventually) and without needing the current two stages (with the first stage being only executed on the bootstrap node for cert generation).
So elasticsearch roles can generate certificates and deploy in a single role run. For this, I have introduced an `elasticsearch_ssl_method` variable defaulting to `legacy`, so the existing method (for example `elasticsearch-certutil`) still works, even though it's deprecated. If we change it to `ansible`, it will instead use the new tasks with the ansible modules to generate the CA/certificates.
I'll run some extra tests and open the corresponding PRs; this should also be documented on the wazuh-documentation side, as it does introduce new variables.
Hi @neonmei ,
As @Zenidd assigned me, I have deployed 2 environments:
The aim of this assignment is to test both and check that they work properly.
Before checking both types of certificates, please check out this issue I ran into when I was trying to install a single node.
Hi team! Right now we rely on these methods for auto-generation of certificates:
Both have their ups and downs, but overall they impose strong restrictions on how we execute the playbook/roles (because they're not idempotent and that might trip over already existing certs). Ansible does provide its family of idempotent modules `openssl_privatekey`/`openssl_csr`/`openssl_certificate`. The proposal would be to replace those external tools (in the case of opendistro, we download a third-party tool) and let Ansible + SSL generate the CA/keys, reusing and expanding on the already existing `instances` variable. Optimally, we should not require two runs/stages of the elasticsearch roles.
Regards.
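The following playbook is an added example, not code from wazuh-ansible or from any participant in this thread. It sketches what the proposal above (and the `elasticsearch_ssl_method` switch described earlier in the thread) looks like with the idempotent `community.crypto` modules: one self-signed CA plus one key/CSR/certificate per entry of the `instances` variable, all generated in a single run. The module names and parameters are the documented `community.crypto` ones (`x509_certificate` is the current name of the older `openssl_certificate` module); the `instances` layout, the `certs_dir` path, the validity periods and the sample hosts are assumptions made for the example.

```yaml
# Added example (not wazuh-ansible code). Generates a CA and per-node
# certificates with community.crypto; re-running it is a no-op unless a key,
# CSR or certificate is missing or its parameters changed.
- name: Generate CA and node certificates with Ansible (single stage)
  hosts: localhost           # assumption: generate on the controller, then distribute
  connection: local
  gather_facts: false
  vars:
    elasticsearch_ssl_method: ansible      # hypothetical switch; 'legacy' keeps the old tools
    certs_dir: ./generated-certs           # assumed output directory
    instances:                             # constructed sample matching the thread's variable
      node-1:
        name: node-1
        ip: [10.0.0.11]
        dns: [node-1.example.internal]
      node-2:
        name: node-2
        ip: [10.0.0.12]
        dns: [node-2.example.internal]
  tasks:
    - name: Certificate generation with Ansible modules
      when: elasticsearch_ssl_method == 'ansible'
      block:
        - name: Ensure the output directory exists
          ansible.builtin.file:
            path: "{{ certs_dir }}"
            state: directory
            mode: "0700"

        # --- Root CA -------------------------------------------------------
        - name: CA private key (never leaves the controller in this layout)
          community.crypto.openssl_privatekey:
            path: "{{ certs_dir }}/root-ca.key"
            type: RSA
            size: 4096
            mode: "0600"

        - name: CA CSR with CA:TRUE and cert-signing key usage marked critical
          community.crypto.openssl_csr:
            path: "{{ certs_dir }}/root-ca.csr"
            privatekey_path: "{{ certs_dir }}/root-ca.key"
            common_name: "Wazuh Elasticsearch Root CA"
            basic_constraints: ["CA:TRUE"]
            basic_constraints_critical: true
            key_usage: [keyCertSign, cRLSign]
            key_usage_critical: true

        - name: Self-signed CA certificate
          community.crypto.x509_certificate:
            path: "{{ certs_dir }}/root-ca.pem"
            csr_path: "{{ certs_dir }}/root-ca.csr"
            privatekey_path: "{{ certs_dir }}/root-ca.key"
            provider: selfsigned
            selfsigned_not_after: "+3650d"   # assumed 10-year CA lifetime

        # --- One key/CSR/cert per instance ---------------------------------
        - name: Node private keys
          community.crypto.openssl_privatekey:
            path: "{{ certs_dir }}/{{ item.value.name }}.key"
            type: RSA
            size: 2048
            mode: "0600"
          loop: "{{ instances | dict2items }}"
          loop_control: { label: "{{ item.key }}" }

        - name: Node CSRs with SANs built from the instance's dns/ip lists
          community.crypto.openssl_csr:
            path: "{{ certs_dir }}/{{ item.value.name }}.csr"
            privatekey_path: "{{ certs_dir }}/{{ item.value.name }}.key"
            common_name: "{{ item.value.name }}"
            subject_alt_name: >-
              {{ (item.value.dns | default([]) | map('regex_replace', '^', 'DNS:') | list)
               + (item.value.ip  | default([]) | map('regex_replace', '^', 'IP:')  | list) }}
            basic_constraints: ["CA:FALSE"]
            key_usage: [digitalSignature, keyEncipherment]
            extended_key_usage: [serverAuth, clientAuth]   # transport + HTTP layer
          loop: "{{ instances | dict2items }}"
          loop_control: { label: "{{ item.key }}" }

        - name: Node certificates signed by the CA
          community.crypto.x509_certificate:
            path: "{{ certs_dir }}/{{ item.value.name }}.pem"
            csr_path: "{{ certs_dir }}/{{ item.value.name }}.csr"
            provider: ownca
            ownca_path: "{{ certs_dir }}/root-ca.pem"
            ownca_privatekey_path: "{{ certs_dir }}/root-ca.key"
            ownca_not_after: "+825d"         # assumed leaf lifetime
          loop: "{{ instances | dict2items }}"
          loop_control: { label: "{{ item.key }}" }
```

Run with `ansible-playbook certs.yml` (requires the `community.crypto` collection and the `cryptography` Python package on the controller). Because each module compares the on-disk artifact against its parameters, a second run reports `ok` for every task instead of overwriting existing material, which is the property the external `certutil`-style tools lack; the generated files still need a follow-up `copy`/`template` task to land on each node, and `root-ca.key` should stay on the controller rather than being shipped with the node bundles.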