From 072179f21bf0f9d64034910e28b464b5ebecb3f4 Mon Sep 17 00:00:00 2001
From: Sam Crauwels
Date: Thu, 12 Mar 2026 20:02:31 +0100
Subject: [PATCH 1/2] Fix cert validation become for remote_src certificates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When elasticsearch_tls_remote_src is true, certificate files live on the remote host and may require elevated privileges to read (e.g. FreeIPA certs in /etc/pki). The validation tasks previously hardcoded become: false, causing permission denied errors. Now become is set dynamically based on _validate_remote_src — local certs are validated without privilege escalation, remote certs use become as expected. Replaces #97 (rebased on current main).
---
 .../tasks/certs/cert_validate.yml | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/roles/elasticstack/tasks/certs/cert_validate.yml b/roles/elasticstack/tasks/certs/cert_validate.yml
index bdaa07c..c1c9238 100644
--- a/roles/elasticstack/tasks/certs/cert_validate.yml
+++ b/roles/elasticstack/tasks/certs/cert_validate.yml
@@ -18,7 +18,7 @@
 path: "{{ _validate_cert_path }}"
 register: _elasticstack_validate_cert_stat
 delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
- become: false
+ become: "{{ _validate_remote_src | bool }}"
 
 - name: certs | cert_validate | Fail if certificate file missing — {{ _validate_service }}
 ansible.builtin.fail:
@@ -36,7 +36,7 @@
 failed_when: false
 changed_when: false
 delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
- become: false
+ become: "{{ _validate_remote_src | bool }}"
 
 - name: certs | cert_validate | Probe for P12 format — {{ _validate_service }}
 ansible.builtin.command:
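Review bot: The conditional `become: "{{ _validate_remote_src | bool }}"` is pasted into eleven tasks (this hunk and the ones at -36, -47, -80, -116, -136, -162, -176, -192, -203 and -240), each already carrying the matching `delegate_to` expression, so the privilege policy for certificate validation now lives in eleven places. Wrapping the validation tasks in a `block:` that carries `delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"` and `become: "{{ _validate_remote_src | bool }}"` once, or setting a `_validate_become` fact next to `_validate_remote_src`, would make the next adjustment a single edit. Because `become` without `become_user` escalates to root, the point where it is set deserves a comment such as `# remote_src certs (e.g. FreeIPA files under /etc/pki) need privileges to read; local certs are checked unprivileged`, recording why escalation is conditional rather than always on. The tasks that handle key material keep `no_log: true` in the visible context at -47, -176 and -192, which is what keeps the now root-read key out of the play log, so that pairing is worth preserving when the tasks are regrouped. All of these tasks start outside their hunks.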
@@ -47,7 +47,7 @@
 failed_when: false
 changed_when: false
 delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
- become: false
+ become: "{{ _validate_remote_src | bool }}"
 no_log: true
 when: _elasticstack_validate_pem_probe.rc != 0
 
@@ -80,7 +80,7 @@
 path: "{{ _elasticstack_validate_derived_key }}"
 register: _elasticstack_validate_derived_key_stat
 delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
- become: false
+ become: "{{ _validate_remote_src | bool }}"
 
 - name: certs | cert_validate | Fail if derived key not found — {{ _validate_service }}
 ansible.builtin.fail:
@@ -116,7 +116,7 @@
 register: _elasticstack_validate_pem_count
 changed_when: false
 delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
- become: false
+ become: "{{ _validate_remote_src | bool }}"
 
 - name: certs | cert_validate | Set CA extracted fact — {{ _validate_service }}
 ansible.builtin.set_fact:
@@ -136,7 +136,7 @@
 failed_when: false
 changed_when: false
 delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
- become: false
+ become: "{{ _validate_remote_src | bool }}"
 when: _elasticstack_validate_pem_probe.rc == 0
 
 - name: certs | cert_validate | Fail if certificate already expired — {{ _validate_service }}
@@ -162,7 +162,7 @@
 register: _elasticstack_validate_cert_modulus
 changed_when: false
 delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
- become: false
+ become: "{{ _validate_remote_src | bool }}"
 
 - name: certs | cert_validate | Get key modulus — {{ _validate_service }}
 ansible.builtin.shell:
@@ -176,7 +176,7 @@
 changed_when: false
 failed_when: false
 delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
- become: false
+ become: "{{ _validate_remote_src | bool }}"
 no_log: true
 
 # If RSA modulus failed, try EC key
@@ -192,7 +192,7 @@
 changed_when: false
 failed_when: false
 delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
- become: false
+ become: "{{ _validate_remote_src | bool }}"
 no_log: true
 when: _elasticstack_validate_key_modulus.rc != 0
 
@@ -203,7 +203,7 @@
 register: _elasticstack_validate_ec_cert_fp
 changed_when: false
 delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
- become: false
+ become: "{{ _validate_remote_src | bool }}"
 when: _elasticstack_validate_key_modulus.rc != 0
 
 - name: certs | cert_validate | Fail if RSA key does not match certificate — {{ _validate_service }}
@@ -240,7 +240,7 @@
 register: _elasticstack_validate_san_output
 changed_when: false
 delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
- become: false
+ become: "{{ _validate_remote_src | bool }}"
 
 - name: certs | cert_validate | Warn if SAN does not include this node — {{ _validate_service }}
 ansible.builtin.debug:

From c560dd69d84015258d0322e23bb41691303a5eaa Mon Sep 17 00:00:00 2001
From: Sam Crauwels
Date: Thu, 12 Mar 2026 21:02:06 +0100
Subject: [PATCH 2/2] Fix kibana_extra_config template for string values
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Commit b10dc0c changed the Kibana extra_config rendering from verbatim output to to_nice_yaml, which works for dict values but wraps strings in quotes — producing invalid YAML like 'elasticsearch.ssl.verificationMode: none' instead of a proper key-value line. The template now checks if the value is a mapping (dict) and uses to_nice_yaml only in that case, falling back to verbatim output for strings. This was causing all kibana_custom and kibana_custom_certs molecule scenarios to fail.
---
 roles/kibana/templates/kibana.yml.j2 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/roles/kibana/templates/kibana.yml.j2 b/roles/kibana/templates/kibana.yml.j2
index ed4da5c..de15f6b 100644
--- a/roles/kibana/templates/kibana.yml.j2
+++ b/roles/kibana/templates/kibana.yml.j2
@@ -43,5 +43,9 @@ server.ssl.keystore.path: "/etc/kibana/certs/{{ inventory_hostname }}-kibana.p12
 {% endif %}
 {% if kibana_extra_config is defined and kibana_extra_config %}
+{% if kibana_extra_config is mapping %}
 {{ kibana_extra_config | to_nice_yaml(indent=2, sort_keys=False) }}
+{% else %}
+{{ kibana_extra_config }}
+{% endif %}
 {% endif %}
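Review bot: The `{% else %}` branch renders every non-mapping value with a bare `{{ kibana_extra_config }}`, so a list value falls through to Jinja's default rendering, i.e. a Python repr such as `['a', 'b']`, rather than the serialised YAML the mapping branch produces, while the commit message only intends strings to pass through verbatim. Testing for the narrow case instead — `{% if kibana_extra_config is string %}` emitting `{{ kibana_extra_config }}`, with the `to_nice_yaml` line in the `{% else %}` — keeps dicts and lists on the serialiser and limits verbatim output to strings. The verbatim branch also inserts operator-supplied text into kibana.yml without any YAML check, so a template comment above the `{% if kibana_extra_config is defined and kibana_extra_config %}` line stating that string values must already be valid `kibana.yml` lines with top-level indentation would record the contract the role now relies on.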