NETWAYS · widhalmt · Sep 7, 2023 · Aug 4, 2023 · Aug 4, 2023 · Aug 11, 2023
diff --git a/docs/role-beats.md b/docs/role-beats.md
@@ -10,7 +10,6 @@ Requirements
 
 You need to have the beats you want to install available in your software repositories. We provide a [role](./role-repos.md) for just that but if you have other ways of managing software, just make sure it's available. Alternatively you can install the Beats yourself.
 
-* `cryptography` >= 2.5 
 * `community.crypto` collection: ansible-galaxy collection install community.crypto
 
 Role Variables
@@ -87,7 +86,6 @@ beats_filebeat_journald_inputs:
 * *beats_loglevel*: Level of logging (for all beats) (Default: `info`)
 * *beats_logpath*: If logging to file, where to put logfiles (Default: `/var/log/beats`)
 * *beats_fields*: Fields that are added to every input in the configuration
-* *beats_manage_unzip*: Install `unzip` via package manager (Default: `true`)
 
 The following variables only apply if you use this role together with our other Elastic Stack roles.
 

diff --git a/docs/role-elasticsearch.md b/docs/role-elasticsearch.md
@@ -9,11 +9,6 @@ If you use the role to set up security you, can use its CA to create certificate
 
 Please note that setting `elasticsearch_bootstrap_pw` as variable will only take effect when initialising Elasticsearch. Changes after starting elasticsearch for the first time will not change the bootstrap password for the instance and will lead to breaking tests.
 
-Requirements
-------------
-
-* `cryptography` >= 2.5
-
 Role Variables
 --------------
 

diff --git a/docs/role-kibana.md b/docs/role-kibana.md
@@ -5,11 +5,6 @@ Ansible Role: Kibana
 
 This roles installs and configures Kibana.
 
-Requirements
-------------
-
-* `cryptography` >= 2.5
-
 Role Variables
 --------------
 

diff --git a/docs/role-logstash.md b/docs/role-logstash.md
@@ -19,7 +19,6 @@ Requirements
 ------------
 
 * `community.general` collection
-* `cryptography` >= 2.5
 
 You need to have the Elastic Repos configured on your system. You can use our [role](./role-repos.md)
 

diff --git a/roles/beats/defaults/main.yml b/roles/beats/defaults/main.yml
@@ -10,7 +10,6 @@ elasticstack_beats_port: 5044
 beats_logging: file
 beats_logpath: /var/log/beats
 beats_loglevel: info
-beats_manage_unzip: true
 
 # Use TLS without Elastic X-Pack #
 

diff --git a/roles/beats/tasks/beats-security.yml b/roles/beats/tasks/beats-security.yml
@@ -1,11 +1,15 @@
 ---
 
-- name: Install unzip for certificate handling
+- name: Install packages for security tasks
   ansible.builtin.package:
-    name: unzip
-  when: beats_manage_unzip | bool
+    name:
+      - unzip
+      - python3-cryptography
+      - openssl
   tags:
+    - certificates
     - renew_ca
+    - renew_kibana_cert
     - renew_beats_cert
 
 - name: Ensure beats certificate exists

diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml
@@ -1,5 +1,17 @@
 ---
 
+- name: Install packages for security tasks
+  ansible.builtin.package:
+    name:
+      - unzip
+      - python3-cryptography
+      - openssl
+  tags:
+    - certificates
+    - renew_ca
+    - renew_kibana_cert
+    - renew_es_cert
+
 - name: Set elasticstack_ca variable if not already done by user
   ansible.builtin.set_fact:
     elasticstack_ca: "{{ groups['elasticsearch'][0] }}"

diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml
@@ -1,8 +1,11 @@
 ---
 
-- name: Make sure openssl is installed
+- name: Install packages for security tasks
   ansible.builtin.package:
-    name: openssl
+    name:
+      - unzip
+      - python3-cryptography
+      - openssl
   tags:
     - certificates
     - renew_ca

diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
@@ -1,8 +1,11 @@
 ---
 
-- name: Install unzip for certificate handling
+- name: Install packages for security tasks
   ansible.builtin.package:
-    name: unzip
+    name:
+      - unzip
+      - python3-cryptography
+      - openssl
   tags:
     - certificates
     - renew_ca
@@ -383,7 +386,7 @@
 
 - name: Create logstash password hash salt
   ansible.builtin.copy:
-    content: "{{ lookup('password', '/dev/null', chars=['ascii_lowercase', 'digits'], length=logstash_password_hash_salt_length, seed=logstash_password_hash_salt_seed)}}"
+    content: "{{ lookup('password', '/dev/null', chars=['ascii_lowercase', 'digits'], length=logstash_password_hash_salt_length, seed=logstash_password_hash_salt_seed) }}"
     dest: /root/logstash_password_hash_salt
     owner: root
     group: root