
Feature: ability to specify multiple certificate authorities

Open adongy opened this issue 4 years ago • 15 comments

Describe the feature:

I'd like to be able to specify multiple certificate authorities for the security settings of my cluster.

Currently, the playbook only supports a single file:

https://github.com/elastic/ansible-elasticsearch/blob/37fc61bc2e1a9f879676f98b36b24ccaaed4d4e6/tasks/elasticsearch-ssl.yml#L59-L69
https://github.com/elastic/ansible-elasticsearch/blob/cab03ece106f22ac32172f4a73e33c0a33f5f550/templates/elasticsearch.yml.j2#L46-L48
https://github.com/elastic/ansible-elasticsearch/blob/cab03ece106f22ac32172f4a73e33c0a33f5f550/templates/elasticsearch.yml.j2#L60-L62

The official documentation describes the parameters as a "List of paths to PEM encoded certificate files that should be trusted." https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#_pem_encoded_files_2

My usecase is rolling updates of certificate authorities without cluster downtime.

Currently, Elasticsearch dynamically reloads certificates when they are updated. When the verification_mode is set to certificate or full, if the new certificate is signed by the CA, the update is transparent: other cluster nodes will still validate the certificate and continue communication.

Best practices for CAs recommend rotating the authority regularly. If there is only one file declared in the configuration, as soon as a node reloads the new authority, it will not accept communication with other cluster nodes that have not updated their certificate to be signed by the new authority.

A solution to this is having multiple certificate authorities declared, replace one of them with the new authority while keeping the old one, update each node's certificates to be signed by the new authority, and remove the old authority at the end.


In our case, the playbook could be updated in a retrocompatible way by checking the variable type: "variable is string" is true when it's a string and false when it's a list (unfortunately, strings pass both the string and the sequence tests). It should work for both the Jinja template and the tasks.

Thanks!

adongy avatar Aug 04 '20 13:08 adongy

In addition to this, I'd like to add that since elasticsearch dynamically reloads certificates without the need for a restart, I currently need to set es_restart_on_change to false.

Another solution would be to template the TLS part in the elasticsearch.yml configuration file and manage certificate rotation in a different part of my playbook, but I would need to be able to specify a custom template for elasticsearch.yml.j2, as I am unaware of a feature in Ansible that would allow me to override templates in a role.

adongy avatar Aug 05 '20 09:08 adongy

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Nov 23 '20 15:11 botelastic[bot]

I'm still looking for this improvement.

adongy avatar Nov 24 '20 09:11 adongy

Hi @adongy, Thanks for opening this issue. Unfortunately we currently don't have time to work on it so please be patient.

jmlrt avatar Nov 24 '20 14:11 jmlrt

Another issue is that it would be better to have a CA for the transport layer and another for "public/beat" connections, i.e. different configs for xpack.security.transport.ssl and xpack.security.http.ssl. I have an internal CA that manages cluster nodes, while another one is used to validate inbound connections from clients.

iorfix avatar Nov 30 '20 16:11 iorfix
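The two requests above (a string-or-list certificate_authorities value for rolling CA rotation, and a separate CA set for the HTTP layer) can be covered by one template fragment. The following is an added example written for this issue, not the role's own templates/elasticsearch.yml.j2. The variable names es_ssl_certificate_authority, es_ssl_http_certificate_authority and es_ssl_certificate_dir are assumptions for illustration, as is the layout of the rendered keys; basename is Ansible's built-in filter.

```jinja
{# Added example, not the ansible-elasticsearch role's template.
   Assumed variables (not taken from the role):
     es_ssl_certificate_authority      - one PEM path (current behaviour) or a list of PEM paths
     es_ssl_http_certificate_authority - optional; same shape, used for the HTTP layer only
     es_ssl_certificate_dir            - directory on the node where the role copies the files
   A string also passes Jinja's "is sequence" and "is iterable" tests, so the
   string case is detected explicitly and wrapped in a one-element list. #}
{% set _transport_cas = [es_ssl_certificate_authority] if es_ssl_certificate_authority is string else es_ssl_certificate_authority %}
{% set _http_src = es_ssl_http_certificate_authority | default(es_ssl_certificate_authority) %}
{% set _http_cas = [_http_src] if _http_src is string else _http_src %}

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.certificate_authorities:
{% for ca in _transport_cas %}
  - {{ es_ssl_certificate_dir }}/{{ ca | basename }}
{% endfor %}

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.certificate_authorities:
{% for ca in _http_cas %}
  - {{ es_ssl_certificate_dir }}/{{ ca | basename }}
{% endfor %}
```

The task that copies the files to the node uses the same expression as its loop source, e.g. `loop: "{{ [es_ssl_certificate_authority] if es_ssl_certificate_authority is string else es_ssl_certificate_authority }}"`, so a single-path value keeps working unchanged. For a rotation, set the variable to a two-element list containing the old and the new CA file, run the role, reissue each node's certificate under the new CA, and finally drop the old CA from the list and run the role again; with es_restart_on_change set to false, each step is picked up by Elasticsearch's dynamic certificate reload rather than a node restart.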

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Feb 28 '21 16:02 botelastic[bot]

still valid

jmlrt avatar Mar 03 '21 11:03 jmlrt

still valid

jmlrt avatar Apr 12 '21 12:04 jmlrt

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Jul 11 '21 13:07 botelastic[bot]

still valid

jmlrt avatar Jul 19 '21 06:07 jmlrt

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Oct 17 '21 08:10 botelastic[bot]

still valid

jmlrt avatar Oct 18 '21 07:10 jmlrt

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Jan 16 '22 08:01 botelastic[bot]

still valid

sahibthg avatar Feb 01 '22 10:02 sahibthg

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Jun 24 '22 04:06 botelastic[bot]