Playbook for elasticsearch cluster deployment using ansible with ssl transport enabled.
Tested on ansible 2.8.1, python version = 3.6.8
Deployment steps:
- Install required roles:
    $ ansible-galaxy install -r requirements.yml
- Copy and change the inventory.sample.yml file:
    $ cp inventory.sample.yml inventory.yml
- Deploy elasticsearch master servers:
    $ ansible-playbook -i inventory.yml pb.es-master.yml
- Deploy elasticsearch data servers:
    $ ansible-playbook -i inventory.yml pb.es-data.yml
- Credentials are created in a new directory called ./credentials while deploying.
- Generate ssl certificates.
  At this point elasticsearch should start successfully, but after the first restart it will fail: the x-pack security feature is enabled, but ssl transport, which is required starting from the basic license, is not configured.
  Note: at the moment the elasticsearch role used here does not provide any way to generate and use ssl certificates automatically, which is why we have to do it manually.
  See the "Transport TLS/SSL encryption" part in Elasticsearch Security: Configure TLS/SSL & PKI Authentication for details.
- Next, create a local ./certs directory and copy the newly created elastic-certificates.p12 and elastic-stack-ca.p12 files into it.
- After that, stop all your elasticsearch nodes by running:
    $ ansible-playbook -i inventory.yml pb.es-stop.yml
  Note: check that the all_nodes variable is configured properly in the inventory.yml file.
- Copy certificates from the local directory to all elasticsearch nodes:
    $ ansible-playbook -i inventory.yml pb.es-cp-certs.yml
- Enable ssl transport:
    $ ansible-playbook -i inventory.yml pb.es-enable-ssl.yml
- Now that the configuration is done, start your elasticsearch nodes.
  Note: There could be some transport issues. I've solved them by starting master nodes one by one, and after that I've started all data nodes by manipulating the inventory file and running:
    $ ansible-playbook -i inventory.yml pb.es-start.yml
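
A pre-flight check for the local ./certs directory, to run before the "Copy certificates" step above. This is an added example, not part of this repository: check_certs_dir is a hypothetical helper, and it assumes the two .p12 files were produced by elasticsearch-certutil under its default names, in which case both contain private keys and should not be readable by group or others.

```shell
#!/bin/sh
# Added example (not from this repository): verify ./certs before running
# pb.es-cp-certs.yml. check_certs_dir is a hypothetical helper name.
#
# Usage: check_certs_dir ./certs && ansible-playbook -i inventory.yml pb.es-cp-certs.yml

check_certs_dir() {
    dir=${1:-./certs}
    rc=0

    # The two files the deployment steps expect in the local certs directory.
    for name in elastic-certificates.p12 elastic-stack-ca.p12; do
        f="$dir/$name"

        if [ ! -f "$f" ]; then
            echo "MISSING: $f" >&2
            rc=1
            continue
        fi

        if [ ! -s "$f" ]; then
            echo "EMPTY: $f" >&2
            rc=1
            continue
        fi

        # Characters 5-10 of the ls mode string are the group and other bits.
        # Anything except "------" means someone besides the owner has access.
        go_bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$go_bits" != "------" ]; then
            echo "TOO OPEN: $f (fix with: chmod 600 $f)" >&2
            rc=1
        fi
    done

    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir is ready for pb.es-cp-certs.yml"
    fi
    return "$rc"
}
```

The same permission concern applies to the ./credentials directory created during deployment; keep both directories out of version control.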