Allow to set node types for elasticsearch

.github/workflows/test_role_elasticsearch.yml

@@ -70,8 +70,14 @@ jobs:
       max-parallel: 1
       matrix:
         distro: [ubuntu2204]
-        scenario: [elasticsearch_default, elasticsearch_cluster-oss, elasticsearch_no-security]
-        release: [7, 8]
+        scenario:
+          - elasticsearch_default
+          - elasticsearch_roles_calculation
+          - elasticsearch_cluster-oss
+          - elasticsearch_no-security
+        release:
+          - 7
+          - 8
 
     steps:
       - name: Check out code

docs/role-elasticsearch.md

@@ -17,7 +17,7 @@ Requirements
 Role Variables
 --------------
 
-* *elasticsearch_enable*: Start and enable Elasticsearch (default: `true`)
+* *elasticsearch_node_types*: List of types of this very node. Please refer to [official docs](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) for details. (default: not set. allowed value: array of types)
 * *elasticsearch_heap*: Heapsize for Elasticsearch. (Half of free memory on host. Maximum 30GB. (default: Half of hosts memory. Min 1GB, Max 30GB)
 * *elasticsearch_tls_key_passphrase*: Passphrase for elasticsearch certificates (default: `PleaseChangeMeIndividually`)
 * *elasticsearch_cert_expiration_buffer*: Ansible will renew the elasticsearch certificate if its validity is shorter than this value, which should be number of days. (default: `30`)

molecule/elasticsearch_default/molecule.yml

@@ -4,7 +4,17 @@ dependency:
 driver:
   name: docker
 platforms:
-  - name: elasticsearch_default
+  - name: elasticsearch_default1
+    groups:
+      - elasticsearch
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+  - name: elasticsearch_default2
     groups:
       - elasticsearch
     image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"

molecule/elasticsearch_roles_calculation/converge.yml

@@ -0,0 +1,23 @@
+---
+# The workaround for arbitrarily named role directory is important because the git repo has one name and the role within it another
+# Found at: https://github.com/ansible-community/molecule/issues/1567#issuecomment-436876722
+- name: Converge
+  collections:
+    - netways.elasticstack
+  hosts: all
+  vars:
+    elasticsearch_jna_workaround: true
+    elasticsearch_disable_systemcallfilterchecks: true
+    elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}"
+    elasticsearch_node_types:
+      - master
+      - data
+    elasticsearch_heap: 1
+    elasticsearch_check_calculation: true
+  tasks:
+    - name: Include Elastics repos role
+      include_role:
+        name: repos
+    - name: Include Elasticsearch
+      include_role:
+        name: elasticsearch

molecule/elasticsearch_roles_calculation/molecule.yml

@@ -0,0 +1,40 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: elasticsearch-cluster1
+    groups:
+      - elasticsearch
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+  - name: elasticsearch-cluster2
+    groups:
+      - elasticsearch
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+  - name: elasticsearch-cluster3
+    groups:
+      - elasticsearch
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+verifier:
+  name: ansible

molecule/elasticsearch_roles_calculation/prepare.yml

@@ -0,0 +1,36 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Refresh apt cache
+      apt:
+        update_cache: yes
+      when: ansible_os_family == "Debian"
+
+    - name: Install git
+      package:
+        name: git
+
+    - name: Install packages for RHEL
+      package:
+        name:
+          - iproute
+          - NetworkManager
+      when: ansible_os_family == "RedHat"
+
+    - name: Start NetworkManager
+      service:
+        name: NetworkManager
+        state: started
+        enabled: yes
+      when: ansible_os_family == "RedHat"
+
+    - name: Install packages for Debian
+      package:
+        name:
+          - gpg
+          - gpg-agent
+          - procps
+          - curl
+          - iproute2
+      when: ansible_os_family == "Debian"

molecule/elasticsearch_roles_calculation/requirements.yml

@@ -0,0 +1,3 @@
+---
+collections:
+  - community.general

roles/beats/tasks/beats-security.yml

@@ -229,7 +229,7 @@
 
 - name: Fetch Beats password # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     grep "PASSWORD elastic" {{ elasticstack_initial_passwords }} |
     awk {' print $4 '}
   register: beats_writer_password

roles/elasticsearch/defaults/main.yml

@@ -26,6 +26,7 @@ elasticsearch_jna_workaround: false
 # elasticstack_ca: First host in the `elasticsearch` group
 elasticstack_ca_dir: /opt/es-ca
 elasticstack_initial_passwords: /usr/share/elasticsearch/initial_passwords
+elasticsearch_initialized_file: "{{ elasticstack_initial_passwords | dirname }}/cluster_initialized"
 elasticstack_ca_pass: PleaseChangeMe
 elasticsearch_tls_key_passphrase: PleaseChangeMeIndividually
 elasticstack_ca_expiration_buffer: 30

roles/elasticsearch/tasks/elasticsearch-security.yml

@@ -234,7 +234,7 @@
 
 - name: Set bootstrap password # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     echo "{{ elasticsearch_bootstrap_pw }}" |
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     add -x 'bootstrap.password'
@@ -248,7 +248,7 @@
 
 - name: Get xpack.security.http.ssl.keystore.secure_password # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     show 'xpack.security.http.ssl.keystore.secure_password'
   when:
@@ -261,7 +261,7 @@
 
 - name: Set xpack.security.http.ssl.keystore.secure_password # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     echo "{{ elasticsearch_tls_key_passphrase }}" |
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     add -f -x 'xpack.security.http.ssl.keystore.secure_password'
@@ -276,7 +276,7 @@
 
 - name: Remove xpack.security.http.ssl.keystore.secure_password # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     remove 'xpack.security.http.ssl.keystore.secure_password'
   changed_when: false
@@ -290,7 +290,7 @@
 
 - name: Get xpack.security.http.ssl.truststore.secure_password # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     show 'xpack.security.http.ssl.truststore.secure_password'
   when:
@@ -303,7 +303,7 @@
 
 - name: Set xpack.security.http.ssl.truststore.secure_password # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     echo "{{ elasticsearch_tls_key_passphrase }}" |
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     add -f -x 'xpack.security.http.ssl.truststore.secure_password'
@@ -317,7 +317,7 @@
 
 - name: Remove xpack.security.http.ssl.truststore.secure_password # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     remove 'xpack.security.http.ssl.truststore.secure_password'
   changed_when: false
@@ -330,7 +330,7 @@
 
 - name: Get xpack.security.transport.ssl.keystore.secure_password # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     show 'xpack.security.transport.ssl.keystore.secure_password'
   when:
@@ -343,7 +343,7 @@
 
 - name: Set xpack.security.transport.ssl.keystore.secure_password # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     echo "{{ elasticsearch_tls_key_passphrase }}" |
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     add -f -x 'xpack.security.transport.ssl.keystore.secure_password'
@@ -357,7 +357,7 @@
 
 - name: Remove xpack.security.transport.ssl.keystore.secure_password # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     remove 'xpack.security.transport.ssl.keystore.secure_password'
   changed_when: false
@@ -370,7 +370,7 @@
 
 - name: Get xpack.security.transport.ssl.truststore.secure_password # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     show 'xpack.security.transport.ssl.truststore.secure_password'
   when:
@@ -383,7 +383,7 @@
 
 - name: Set xpack.security.transport.ssl.truststore.secure_password # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     echo "{{ elasticsearch_tls_key_passphrase }}" |
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     add -f -x 'xpack.security.transport.ssl.truststore.secure_password'
@@ -397,7 +397,7 @@
 
 - name: Remove xpack.security.transport.ssl.truststore.secure_password # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     remove 'xpack.security.transport.ssl.truststore.secure_password'
   changed_when: false
@@ -519,7 +519,6 @@
   service:
     name: elasticsearch
     state: started
-  when: elasticsearch_enable | bool
   failed_when: false
 
 - name: Wait for all instances to start
@@ -556,22 +555,23 @@
 
 - name: Check for cluster status with bootstrap password # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     curl -ks
     {{ elasticsearch_http_protocol }}://elastic:{{ elasticsearch_bootstrap_pw }}@localhost:{{ elasticstack_elasticsearch_http_port }}/_cluster/health?pretty |
     grep status |
     cut -d\" -f4
   register: elasticsearch_cluster_status_bootstrap
   changed_when: false
   no_log: true
+  ignore_errors: true
   when: not elasticsearch_passwords_file.stat.exists | bool
   until: elasticsearch_cluster_status_bootstrap.stdout == "green"
   retries: 5
   delay: 10
 
 - name: Fetch Elastic password # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     grep "PASSWORD elastic" {{ elasticstack_initial_passwords }} |
     awk {' print $4 '}
   register: elasticstack_password
@@ -582,23 +582,35 @@
 
 - name: Check for cluster status with elastic password # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     curl -ks
     {{ elasticsearch_http_protocol }}://elastic:{{ elasticstack_password.stdout }}@localhost:{{ elasticstack_elasticsearch_http_port }}/_cluster/health?pretty |
     grep status |
     cut -d\" -f4
   register: elasticsearch_cluster_status
   changed_when: false
-  # no_log: true
+  no_log: true
   ignore_errors: true
   when: elasticsearch_passwords_file.stat.exists | bool
   until: elasticsearch_cluster_status.stdout == "green"
   retries: 20
   delay: 10
 
+- name: Leave a file showing that the cluster is set up
+  template:
+    dest: "{{ elasticsearch_initialized_file }}"
+    src: elasticsearch_initialized.j2
+    owner: root
+    group: root
+    mode: "0600"
+
+- name: Set var that cluster is set up
+  set_fact:
+    elaticsearch_cluster_set_up: true
+
 - name: Create initial passwords # noqa: risky-shell-pipe
   shell: >
-    if test -v BASH; then set -o pipefail; fi;
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
     /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto -b >
     {{ elasticstack_initial_passwords }}
   when: inventory_hostname == elasticstack_ca