[elasticsearch] Separate passwords in clusters

cloudscale-ch · Jan 11, 2024 · 8b734f3 · 8b734f3
1 parent 6b9e156
commit 8b734f3
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 9 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -41,6 +41,15 @@ Changed
 
 - The role now supports new Elasticsearch v8.x password management mechanism.
 
+- The role can now manage passwords in separate Elasticsearch clusters defined
+  in one Ansible inventory.
+
+  .. warning:: Due to this change, Elasticsearch passwords stored in the
+               :file:`ansible/secret/` subdirectory will be read from a different
+               location. If passwords are not moved to the new location, role
+               will reset the Elasticsearch built-in users passwords
+               automatically. This might result in data loss.
+
 
 `debops v3.1.0`_ - 2023-11-29
 -----------------------------

diff --git a/ansible/roles/elasticsearch/defaults/main.yml b/ansible/roles/elasticsearch/defaults/main.yml
@@ -251,13 +251,22 @@ elasticsearch__api_base_url: '{{ "https://" + ansible_fqdn + ":9200" }}'
 # ``elastic`` user account has superuser privileges.
 elasticsearch__api_username: 'elastic'
 
+                                                                   # ]]]
+# .. envvar:: elasticsearch__secret_path [[[
+#
+# Path to the directory in the :ref:`debops.secret` storage where passwords of
+# Elastcisearch built-in users will be stored.
+elasticsearch__secret_path: '{{ "elasticsearch/credentials/"
+                                + elasticsearch__cluster_name + "/built-in" }}'
+
                                                                    # ]]]
 # .. envvar:: elasticsearch__api_password [[[
 #
 # The password used to access the Elasticsearch API, stored in the
 # :file:`secret/` directory, managed by the :ref:`debops.secret` Ansible role.
-elasticsearch__api_password: '{{ lookup("password", secret + "/elasticsearch/credentials/"
-                                       + "built-in/" + elasticsearch__api_username + "/password") }}'
+elasticsearch__api_password: '{{ lookup("password", secret + "/"
+                                 + elasticsearch__secret_path + "/"
+                                 + elasticsearch__api_username + "/password") }}'
 
                                                                    # ]]]
 # .. envvar:: elasticsearch__native_roles [[[

diff --git a/ansible/roles/elasticsearch/tasks/authentication.yml b/ansible/roles/elasticsearch/tasks/authentication.yml
@@ -31,7 +31,7 @@
 
 - name: Create required directories on Ansible Controller
   ansible.builtin.file:
-    path: '{{ secret + "/elasticsearch/credentials/built-in/" + item.split()[0] }}'
+    path: '{{ secret + "/" + elasticsearch__secret_path + "/" + item.split()[0] }}'
     state: 'directory'
     mode: '0755'
   loop: '{{ elasticsearch__register_builtin_users.stdout_lines }}'
@@ -43,7 +43,7 @@
 - name: Save generated user passwords on Ansible Controller
   ansible.builtin.copy:
     content: '{{ item.split()[1] }}'
-    dest: '{{ secret + "/elasticsearch/credentials/built-in/" + item.split()[0] + "/password" }}'
+    dest: '{{ secret + "/" + elasticsearch__secret_path + "/" + item.split()[0] + "/password" }}'
     mode: '0644'
   loop: '{{ elasticsearch__register_builtin_users.stdout_lines }}'
   become: False

diff --git a/ansible/roles/elasticsearch/tasks/reset_password.yml b/ansible/roles/elasticsearch/tasks/reset_password.yml
@@ -16,7 +16,7 @@
 
 - name: Create required directories on Ansible Controller
   ansible.builtin.file:
-    path: '{{ secret + "/elasticsearch/credentials/built-in/" + item }}'
+    path: '{{ secret + "/" + elasticsearch__secret_path + "/" + item }}'
     state: 'directory'
     mode: '0755'
   become: False
@@ -27,7 +27,7 @@
 - name: Save generated password of account '{{ item }}'
   ansible.builtin.copy:
     content: '{{ elasticsearch__register_builtin_password.stdout }}'
-    dest: '{{ secret + "/elasticsearch/credentials/built-in/" + item + "/password" }}'
+    dest: '{{ secret + "/" + elasticsearch__secret_path + "/" + item + "/password" }}'
     mode: '0644'
   become: False
   delegate_to: 'localhost'

diff --git a/docs/ansible/roles/elasticsearch/getting-started.rst b/docs/ansible/roles/elasticsearch/getting-started.rst
@@ -49,9 +49,9 @@ With secure cluster communication over TLS, the :ref:`debops.elasticsearch`
 role can use the Elasticsearch API to manage user accounts and role definitions
 in the cluster. A default set of `built-in users`__ will be created
 automatically; passwords of these users will be stored in the
-:file:`secret/elasticsearch/credentials/built-in/` directory on the Ansible
-Controller (managed by the :ref:`debops.secret` role). After that, with the
-base URL of the Elasticsearch API set in the
+:file:`secret/elasticsearch/credentials/<cluster_name>/built-in/` directory on
+the Ansible Controller (managed by the :ref:`debops.secret` role). After that,
+with the base URL of the Elasticsearch API set in the
 :envvar:`elasticsearch__api_base_url` variable, the role can manage
 Elasticsearch roles and user accounts using the ``elastic`` superuser account.