Elasticsearch config (#288)

ivareri · widhalmt · web-flow · commit 2da77e0f655b · 2024-02-09T17:16:51.000Z
Minor tweaks and fixes to Elasticsearch configuration file

---------

Co-authored-by: Thomas Widhalm &lt;thomas.widhalm@netways.de&gt;
diff --git a/docs/role-elasticsearch.md b/docs/role-elasticsearch.md
@@ -48,6 +48,10 @@ elasticsearch_extra_config:
 This variable activates a workaround to start on systems that have certain hardening measures active. See [Stackoverflow](https://stackoverflow.com/questions/47824643/unable-to-load-jna-native-support-library-elasticsearch-6-x/50371992#50371992) for details and logmessages to look for. **WARNING**: This will change your `/etc/sysconfig/elasticseach`or `/etc/default/elasticsearch` file and overwrite `ES_JAVA_OPTS`. See this [issue](https://github.com/netways/ansible-role-elasticsearch/issues/79) for details.
 
 * *elasticsearch_jna_workaround*: Activate JNA workaround. (default: `false`)
+* *elasticsearch_ssl_verification_mode*: Defines how to verify the certificates presented by another party in the TLS connection
+* *elasticsearch_transport_port*: The port to bind for communication between nodes
+* *elasticsearch_seed_hosts*: Set elasticsearch seed hosts
+* *elasticsearch_security_enrollment*: Controls enrollment (of nodes and Kibana) to a local node that’s been autoconfigured for security.
 
 These variables are identical over all our elastic related roles, hence the different naming schemes.
 
diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml
@@ -47,6 +47,7 @@ elasticstack_ca_expiration_buffer: 30
 elasticsearch_cert_expiration_buffer: 30
 elasticstack_ca_will_expire_soon: false
 elasticsearch_cert_will_expire_soon: false
+elasticsearch_ssl_verification_mode: full
 
 # only used internally
 elasticsearch_freshstart:
diff --git a/roles/elasticsearch/templates/elasticsearch.yml.j2 b/roles/elasticsearch/templates/elasticsearch.yml.j2
@@ -1,3 +1,5 @@
+{{ ansible_managed | comment }}
+
 node.name: "{{ ansible_hostname }}"
 path.data: {{ elasticsearch_datapath }}
 path.logs: {{ elasticsearch_logpath }}
@@ -7,6 +9,12 @@ network.host: [ {{ elasticsearch_network_host }} ]
 {% else %}
 network.host: [ "_local_", "_site_" ]
 {% endif %}
+{% if elasticstack_elasticsearch_http_port is defined %}
+http.port: "{{ elasticstack_elasticsearch_http_port }}"
+{% endif %}
+{% if elasticsearch_transport_port is defined %}
+transport.port: "{{ elasticsearch_transport_port }}"
+{% endif %}
 {% if elasticsearch_http_publish_host is defined %}
 http.publish_host: "{{ elasticsearch_http_publish_host }}"
 {% endif %}
@@ -22,11 +30,16 @@ node.roles: [ {% for type in elasticsearch_node_types %}{{ type }}{% if not loop
 discovery.type: single-node
 {% endif %}
 
+{# Quickfix to override seed_hosts. Otherwise all nodes, not only master nodes are added to seed_hosts #}
+{% if elasticsearch_seed_hosts is defined %}
+discovery.seed_hosts: {{ elasticsearch_seed_hosts }}
+{% else %}
 {% if elasticstack_release | int < 8 or groups['elasticsearch'] | length > 1 %}
 discovery.seed_hosts: [ {% for host in groups['elasticsearch']  %}
 "{{ hostvars[host].ansible_default_ipv4.address | default(hostvars[host].ansible_all_ipv4_addresses[0]) }}"{% if not loop.last %},{% endif %}
 {% endfor %} ]
 {% endif %}
+{% endif %}
 
 {% if not elaticsearch_cluster_set_up | bool and groups['elasticsearch'] | length > 1 %}
 {% if elasticsearch_node_types is defined %}
@@ -48,14 +61,18 @@ bootstrap.system_call_filter: false
 {% endif %}
 {% if elasticstack_variant == "elastic" %}
 xpack.ml.enabled: {{ elasticsearch_ml_enabled }}
+{% if elasticstack_release == 7 %}
 xpack.monitoring.collection.enabled: {{ elasticsearch_monitoring_enabled }}
+{% endif %}
 {% if elasticsearch_security | bool %}
 xpack.security.enabled: true
+{% if elasticsearch_security_enrollment is defined %}
+xpack.security.enrollment.enabled: {{ elasticsearch_security_enrollment }}
+{% endif %}
 xpack.security.transport.ssl.enabled: true
-#xpack.security.transport.ssl.verification_mode: certificate 
-xpack.security.transport.ssl.verification_mode: none 
-xpack.security.transport.ssl.keystore.path: certs/{{ ansible_hostname }}.p12 
-xpack.security.transport.ssl.truststore.path: certs/{{ ansible_hostname }}.p12 
+xpack.security.transport.ssl.verification_mode: {{ elasticsearch_ssl_verification_mode }}
+xpack.security.transport.ssl.keystore.path: certs/{{ ansible_hostname }}.p12
+xpack.security.transport.ssl.truststore.path: certs/{{ ansible_hostname }}.p12
 {% if elasticsearch_http_security | bool %}
 xpack.security.http.ssl.enabled: true
 xpack.security.http.ssl.keystore.path: certs/{{ ansible_hostname }}.p12
