Set passphrase for beats tls key

widhalmt · tbauriedel · commit 7837a2f7ab15 · 2025-02-03T10:04:44.000+01:00
Side effect: Includes extra changes for listing names of pipelines in task names fixes #291
diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
@@ -304,7 +304,7 @@
     -topk8
     -passin pass:{{ logstash_tls_key_passphrase }}
     -out {{ logstash_certs_dir }}/{{ inventory_hostname }}-pkcs8.key
-    -nocrypt
+    -passout pass:{{ logstash_tls_key_passphrase }}
   args:
     creates: "{{ logstash_certs_dir }}/{{ inventory_hostname }}-pkcs8.key"
   no_log: "{{ elasticstack_no_log }}"
diff --git a/roles/logstash/tasks/manage_pipeline.yml b/roles/logstash/tasks/manage_pipeline.yml
@@ -1,11 +1,11 @@
 ---
 
-- name: Check if Logstash pipeline already exists
+- name: Check if Logstash pipeline {{ pipelinename.name }} already exists
   ansible.builtin.stat:
     path: "/etc/logstash/conf.d/{{ pipelinename.name }}"
   register: "logstash_pipeline_stat"
 
-- name: Check who managed pipeline in last run # noqa: risky-shell-pipe
+- name: Check who managed pipeline {{ pipelinename.name }} in last run # noqa: risky-shell-pipe
   ansible.builtin.shell: >
     if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     grep -e '^# source:{{ pipelinename.name }}' /etc/logstash/pipelines.yml |
@@ -16,7 +16,7 @@
     - logstash_pipeline_stat.stat.exists | bool
     - logstash_pipeline_stat.stat.isdir | bool
 
-- name: Delete directory if changing manager
+- name: Delete directory if changing manager of pipeline {{ pipelinename.name }}
   ansible.builtin.file:
     path: "/etc/logstash/conf.d/{{ pipelinename.name }}"
     state: absent
@@ -25,15 +25,15 @@
     - logstash_pipeline_manager.stdout == "local"
     - pipelinename.source is defined
 
-- name: Create Logstash pipeline directories
+- name: Create Logstash pipeline {{ pipelinename.name }} directory
   ansible.builtin.file:
     path: "/etc/logstash/conf.d/{{ pipelinename.name }}"
     state: directory
     owner: root
     group: root
     mode: 0755
 
-- name: Check out pipeline configuration
+- name: Check out pipeline configuration for {{ pipelinename.name }}
   ansible.builtin.git:
     repo: "{{ pipelinename.source }}"
     dest: "/etc/logstash/conf.d/{{ pipelinename.name }}"
@@ -42,7 +42,7 @@
   notify:
     - Restart Logstash noauto
 
-- name: Create simple input
+- name: Create simple input for {{ pipelinename.name }}
   ansible.builtin.template:
     src: simple-input.conf.j2
     dest: "/etc/logstash/conf.d/{{ pipelinename.name }}\
@@ -54,7 +54,7 @@
   notify:
     - Restart Logstash noauto
 
-- name: Create simple output
+- name: Create simple output for {{ pipelinename.name }}
   ansible.builtin.template:
     src: simple-output.conf.j2
     dest: "/etc/logstash/conf.d/{{ pipelinename.name }}\
diff --git a/roles/logstash/templates/beats-input.conf.j2 b/roles/logstash/templates/beats-input.conf.j2
@@ -8,6 +8,7 @@ input {
     ssl_verify_mode => force_peer
     ssl_certificate_authorities => ["{{ logstash_certs_dir }}/ca.crt"]
     ssl_peer_metadata => false
+    ssl_key_passphrase => "{{ logstash_tls_key_passphrase }}"
 {% endif %}
 {% if logstash_beats_timeout is defined %}
     client_inactivity_timeout => "{{ logstash_beats_timeout }}"
