Skip to content

Latest commit

 

History

History
116 lines (93 loc) · 4.65 KB

8x-support.md

File metadata and controls

116 lines (93 loc) · 4.65 KB

8.x support

In December 2021, we made the hard decision to deprecate this Ansible playbook without adding support for Elasticsearch 8.X. We acknowledge the impact this has had on many developers and organizations, and while we are not reverting the decision, we decided to share some guidelines around how to proceed from here, for folks wanting to keep using this playbook with Elasticsearch 8.X.


At a high level, this role is expected to work in most cases for fresh installs and upgrades from 7.17+ by only overriding the es_version variable as long as the security is enforced properly using the SSL/TLS doc.

  1. install the last released version of the role from galaxy: ansible-galaxy install elastic.elasticsearch,v7.17.0

  2. copy the TLS PKCS12 keystore and truststore (https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#security-http-pkcs12-files)

  3. write a minimal playbook to deploy 8.2.3 on localhost:

- hosts: localhost
  roles:
    - elastic.elasticsearch
  vars:
    es_version: 8.2.3
    es_api_basic_auth_username: elastic
    es_api_basic_auth_password: changeme
    es_enable_http_ssl: true
    es_enable_transport_ssl: true
    es_ssl_keystore: "certs/keystore-password.p12"
    es_ssl_truststore: "certs/truststore-password.p12"
    es_ssl_keystore_password: password1
    es_ssl_truststore_password: password2
    es_validate_certs: no
  1. deploy locally: ansible-playbook es.yml

Context for the below experiment

The intent is to assess if the current playbook can still work with ES 8.X and what modifications may be needed. The testing was done on Ubuntu 20.04 and CentOS7 GCP VMs.

The only code change done in the Ansible playbook was the override of the es_version variable.

What is working

  • ✅ Deploying a standalone Elasticsearch cluster in 8.2.3 with the security example playbook from 7.x:
  • ✅ managing Elasticsearch users
  • ✅ upgrading a 7.17.0 standalone cluster with security already enabled to 8.2.3
  • ✅ managing Elasticsearch license

The below configuration was used in the tests

- hosts: localhost
  roles:
  - elastic.elasticsearch
  vars:
    es_config:
      xpack.security.authc.realms.file.file1.order: 0
    es_api_basic_auth_username: elastic
    es_api_basic_auth_password: changeme
    es_api_sleep: 5
    es_enable_http_ssl: true
    es_enable_transport_ssl: true
    es_ssl_keystore: "test/integration/files/certs/keystore-password.p12"
    es_ssl_truststore: "test/integration/files/certs/truststore-password.p12"
    es_ssl_keystore_password: password1
    es_ssl_truststore_password: password2
    es_validate_certs: no
    es_users:
      file:
        es_admin:
          password: changeMe
          roles:
          - admin
        testUser:
          password: changeMeAlso!
          roles:
          - power_user
          - user
    es_roles:
      file:
        admin:
          cluster:
          - all
          indices:
          - names: '*'
             privileges:
              - all
      power_user:
        cluster:
          - monitor
        indices:
          - names: '*'
            privileges:
              - all
      user:
        indices:
          - names: '*'
            privileges:
              - read

What is not working

Deploying an 8.X cluster with the default Ansible configuration (no security) will not work.

When runnin Elasticsearch 8.x outside of Ansible without any security configuration, Elasticsearch will autogenerate a security configuration and still activate security. However, when you run Elasticsearch 8.x as part of the Ansible role without any security configuration, this will fail because the Ansible role will not be able to retrieve and use the autogenerated security configuration.

To tackle this, you always have to specify your own security configuration based on the SSL/TLS doc.

What has not been tested

Deploying a 3 nodes cluster

When trying to deploy a 3 nodes clusters, the nodes seem to be configured successfully but they aren't able to communicate together with the test certificates (the ones used in automated standalone tests). It's highly likely that the problem lies with the tests certs themselves and not with the role.

Should you be able to deploy a multi-node clusters, you will most likely have to change the configuration to use the new node.roles parameter (example) instead of the node.master and node.data (which got deprecated in 7.9, but the role never got fixed.