Conversation

@danopt (Contributor) commented May 17, 2023

Fixes #161. Update certificate handling tasks and docs

@widhalmt (Member)

Linter fails because of #159. We already have a PR #160 and are only waiting for one last approval from someone who requested changes.

@danopt (Contributor, Author) commented May 17, 2023

Tasks have been updated to use cert_info plugin in:

  • Elasticsearch role
  • Kibana role
  • Logstash role

I verified the renewing mechanism in the Elasticsearch role and Kibana role. I'm still checking why I can't get the mechanism to work in the Logstash role, but the plugin and the task itself are working fine.

I will double check one more time. It'll be ready for review on Friday.

@danopt danopt marked this pull request as draft May 17, 2023 14:01
@widhalmt (Member)

Please note that we have to use different formats for certificates with the different tools. Logstash, for example, forces us to use PKCS8 certificates. And there's a bug that doesn't allow passwords to be used with all the certificates. So some are encrypted and some aren't. :-(

@danopt (Contributor, Author) commented May 19, 2023

The task which checks the not_valid_after date in the Logstash role uses a .p12 certificate. The module can check that date.

I think I found a minor bug, because the logstash role won't copy the .p12 to the logstash_certs_dir but maybe someone can verify that for me who knows more about the creation process of the certificates of this role.

I copied the certificate from /opt/es-ca/ to {{ logstash_certs_dir }}/{{ ansible_hostname }}-ls.p12. After that the renewing mechanism was triggered. So the task works fine for the logstash role, too.

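The check-then-renew pattern described in the two comments above (read the certificate's expiry with the info module, trigger renewal only when it is needed), written out as an added example. It is not code from the ansible-collection-elasticstack roles. Assumptions: the variable `logstash_certs_dir` and the `{{ ansible_hostname }}-ls` file prefix from the comment above, a PEM copy of the certificate (the roles themselves use per-tool formats, including the .p12 mentioned above), a hypothetical tasks file `renew_cert.yml` that performs the actual renewal, and a 30-day renewal window.

```yaml
# Added example (not from the collection). Assumes logstash_certs_dir,
# a PEM certificate at "{{ logstash_certs_dir }}/{{ ansible_hostname }}-ls.crt",
# a hypothetical renew_cert.yml tasks file, and a 30-day renewal window.
- name: Check whether the Logstash certificate exists
  ansible.builtin.stat:
    path: "{{ logstash_certs_dir }}/{{ ansible_hostname }}-ls.crt"
  register: ls_cert_stat

- name: Read certificate validity (info module is read-only, so it never reports "changed")
  community.crypto.x509_certificate_info:
    path: "{{ logstash_certs_dir }}/{{ ansible_hostname }}-ls.crt"
    valid_at:
      renew_window: "+30d"   # will the certificate still be valid 30 days from now?
  register: ls_cert_info
  when: ls_cert_stat.stat.exists

- name: Decide whether renewal is needed
  ansible.builtin.set_fact:
    ls_cert_renew: >-
      {{ (not ls_cert_stat.stat.exists)
         or (ls_cert_info.expired | default(true))
         or (not (ls_cert_info.valid_at.renew_window | default(false))) }}

- name: Report the decision
  ansible.builtin.debug:
    msg: "not_after={{ ls_cert_info.not_after | default('n/a') }} renew={{ ls_cert_renew }}"

- name: Renew the certificate (hypothetical tasks file, runs only when needed)
  ansible.builtin.include_tasks: renew_cert.yml
  when: ls_cert_renew | bool
```

Because `x509_certificate_info` only reads the file and the renewal tasks are gated on the computed fact, a second run on a host with a valid certificate skips the renewal and reports no change, which is the idempotence behaviour the linked issue asks for. The module needs the Python `cryptography` library on the target; the thread below records that the version available from the CentOS 7 package repositories is too old and that it should be installed with pip instead (for example `pip install 'cryptography>=2.5'`).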
@danopt danopt marked this pull request as ready for review May 19, 2023 11:48
@lcndsmr (Member) left a comment

Tested on existing nps-elaszic (centos 8), works like a charm!

@afeefghannam89 (Member)

> The task which checks the not_valid_after date in the Logstash role uses a .p12 certificate. The module can check that date.
>
> I think I found a minor bug, because the logstash role won't copy the .p12 to the logstash_certs_dir but maybe someone can verify that for me who knows more about the creation process of the certificates of this role.
>
> I copied the certificate from /opt/es-ca/ to {{ logstash_certs_dir }}/{{ ansible_hostname }}-ls.p12. After that the renewing mechanism was triggered. So the task works fine for the logstash role, too.

@danopt Thank you very much for this notice. You are right. I have fixed it.

@lcndsmr (Member) commented May 23, 2023

Tested on existing nps elastic: failed on beats role.

@lcndsmr (Member) left a comment

Beats role missing

@widhalmt (Member)

My central systems seem to lack a python cryptography module. Maybe they are too old (CentOS 7). Newer systems where I tested failed; all of them are hosts with only beats.

@widhalmt (Member)

I just checked. The required python-cryptography package is not available in a version >=2.5. So CentOS 7 won't be easy to support. Since CentOS 7 is still supported until June 2024, I don't want to drop the support altogether. What do you think of building an if that doesn't check for certificate age on CentOS 7? Would that be easily added? Or could we lower the bar for the dependency on the library?

@afeefghannam89 (Member)

@dnssmr Is the beat role missing, or did it fail on the beat role?

Can you please post the error? Thanks.

@afeefghannam89 (Member)

> I just checked. The required python-cryptography package is not available in a version >=2.5. So CentOS 7 won't be easy to support. Since CentOS 7 is still supported until June 2024 I don't want to drop the support all together. What do you think of building an if that doesn't check for certificate age on CentOS 7? What that be easily added? Or could we lower the bar for the dependency to the library?

This package should be installed using pip, not through the package manager. I would like to write this as a requirement in the README. What do you think? Can you please install cryptography and test it?

@afeefghannam89 (Member)

> Tested on existing nps-elaszic (centos 8), works like a charm!

Was the beat problem on this cluster?

@widhalmt (Member)

> I just checked. The required python-cryptography package is not available in a version >=2.5. So CentOS 7 won't be easy to support. Since CentOS 7 is still supported until June 2024 I don't want to drop the support all together. What do you think of building an if that doesn't check for certificate age on CentOS 7? What that be easily added? Or could we lower the bar for the dependency to the library?

> This package should be installed using pip not through package manager. I would like to write this as requirement in the README, What do you think? Can you please install the cryptography and test it?

Yes, I'll install it and test. Anyway, I would really love it to work with packages alone. But that's not a reason to force users to. We can just write it into the dependencies, you're right.

@afeefghannam89 afeefghannam89 added this pull request to the merge queue May 29, 2023
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks May 29, 2023
@afeefghannam89 afeefghannam89 added this pull request to the merge queue May 29, 2023
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks May 29, 2023
@afeefghannam89 afeefghannam89 enabled auto-merge May 29, 2023 16:38
@afeefghannam89 afeefghannam89 added this pull request to the merge queue May 29, 2023
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks May 29, 2023
@afeefghannam89 afeefghannam89 enabled auto-merge May 30, 2023 11:07
@afeefghannam89 afeefghannam89 added this pull request to the merge queue May 30, 2023
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks May 30, 2023
@afeefghannam89 afeefghannam89 added this pull request to the merge queue May 30, 2023
@afeefghannam89 afeefghannam89 removed this pull request from the merge queue due to a manual request May 30, 2023
@afeefghannam89 afeefghannam89 merged commit 58997de into main May 30, 2023
@afeefghannam89 afeefghannam89 deleted the fix/locales-dependency branch May 30, 2023 15:33
ivareri pushed a commit to ivareri/ansible-collection-elasticstack that referenced this pull request Jun 17, 2025
Fixes NETWAYS#161. Update certificate handling tasks and docs

---------

Co-authored-by: Afeef Ghannam <39904920+afeefghannam89@users.noreply.github.com>
Co-authored-by: Afeef Ghannam <afeef.ghannam@netways.de>
Linked issue (may be closed by merging this pull request): Idempotence - Certificate expiration date fails on second run

4 participants