diff --git a/.github/workflows/test_elasticsearch_custom_certs.yml b/.github/workflows/test_elasticsearch_custom_certs.yml index dbfc35be..d1d1baf1 100644 --- a/.github/workflows/test_elasticsearch_custom_certs.yml +++ b/.github/workflows/test_elasticsearch_custom_certs.yml @@ -62,7 +62,7 @@ jobs: fail-fast: false max-parallel: 10 matrix: - distro: ${{ (github.event_name == 'pull_request' || github.event_name == 'merge_group') && fromJSON('["rockylinux10","debian13"]') || fromJSON('["rockylinux9","rockylinux10","ubuntu2204","ubuntu2404","debian11","debian12","debian13"]') }} + distro: ${{ (github.event_name == 'pull_request' || github.event_name == 'merge_group') && fromJSON('["rockylinux10","debian13"]') || fromJSON('["rockylinux9","rockylinux10","ubuntu2204","ubuntu2404","debian12","debian13"]') }} scenario: - elasticsearch_custom_certs - elasticsearch_custom_certs_minimal diff --git a/.github/workflows/test_elasticsearch_modules.yml b/.github/workflows/test_elasticsearch_modules.yml index 4057d4a0..a1febebd 100644 --- a/.github/workflows/test_elasticsearch_modules.yml +++ b/.github/workflows/test_elasticsearch_modules.yml @@ -61,7 +61,7 @@ jobs: fail-fast: false max-parallel: 10 matrix: - distro: ${{ (github.event_name == 'pull_request' || github.event_name == 'merge_group') && fromJSON('["rockylinux10","debian13"]') || fromJSON('["rockylinux9","rockylinux10","ubuntu2204","ubuntu2404","debian11","debian12","debian13"]') }} + distro: ${{ (github.event_name == 'pull_request' || github.event_name == 'merge_group') && fromJSON('["rockylinux10","debian13"]') || fromJSON('["rockylinux9","rockylinux10","ubuntu2204","ubuntu2404","debian12","debian13"]') }} scenario: - elasticsearch_test_modules release: diff --git a/.github/workflows/test_full_stack.yml b/.github/workflows/test_full_stack.yml index b42d92d6..e1f22aec 100644 --- a/.github/workflows/test_full_stack.yml +++ b/.github/workflows/test_full_stack.yml 
@@ -80,7 +80,7 @@ jobs: strategy: fail-fast: false matrix: - distro: ${{ (github.event_name == 'pull_request' || github.event_name == 'merge_group') && fromJSON('["rockylinux9","debian13"]') || fromJSON('["rockylinux9","ubuntu2204","ubuntu2404","debian11","debian12","debian13"]') }} + distro: ${{ (github.event_name == 'pull_request' || github.event_name == 'merge_group') && fromJSON('["rockylinux9","debian13"]') || fromJSON('["rockylinux9","ubuntu2204","ubuntu2404","debian12","debian13"]') }} scenario: - elasticstack_default - es_kibana diff --git a/.github/workflows/test_role_beats.yml b/.github/workflows/test_role_beats.yml index 529380ea..f1aeee66 100644 --- a/.github/workflows/test_role_beats.yml +++ b/.github/workflows/test_role_beats.yml @@ -65,7 +65,7 @@ jobs: fail-fast: false max-parallel: 10 matrix: - distro: ${{ (github.event_name == 'pull_request' || github.event_name == 'merge_group') && fromJSON('["rockylinux10","debian13"]') || fromJSON('["rockylinux9","rockylinux10","ubuntu2204","ubuntu2404","debian11","debian12","debian13"]') }} + distro: ${{ (github.event_name == 'pull_request' || github.event_name == 'merge_group') && fromJSON('["rockylinux10","debian13"]') || fromJSON('["rockylinux9","rockylinux10","ubuntu2204","ubuntu2404","debian12","debian13"]') }} scenario: [beats_default, beats_peculiar, beats_advanced, beats_security] release: [8, 9] diff --git a/.github/workflows/test_role_elasticsearch.yml b/.github/workflows/test_role_elasticsearch.yml index 1740c2ce..dded38c1 100644 --- a/.github/workflows/test_role_elasticsearch.yml +++ b/.github/workflows/test_role_elasticsearch.yml 
@@ -65,7 +65,7 @@ jobs: fail-fast: false max-parallel: 10 matrix: - distro: ${{ (github.event_name == 'pull_request' || github.event_name == 'merge_group') && fromJSON('["rockylinux10","debian13"]') || fromJSON('["rockylinux9","rockylinux10","ubuntu2204","ubuntu2404","debian11","debian12","debian13"]') }} + distro: ${{ (github.event_name == 'pull_request' || github.event_name == 'merge_group') && fromJSON('["rockylinux10","debian13"]') || fromJSON('["rockylinux9","rockylinux10","ubuntu2204","ubuntu2404","debian12","debian13"]') }} scenario: - elasticsearch_default - elasticsearch_roles_calculation diff --git a/.github/workflows/test_role_kibana.yml b/.github/workflows/test_role_kibana.yml index 67b0dff2..bce3792c 100644 --- a/.github/workflows/test_role_kibana.yml +++ b/.github/workflows/test_role_kibana.yml @@ -65,7 +65,7 @@ jobs: fail-fast: false max-parallel: 10 matrix: - distro: ${{ (github.event_name == 'pull_request' || github.event_name == 'merge_group') && fromJSON('["rockylinux10","debian13"]') || fromJSON('["rockylinux9","rockylinux10","ubuntu2204","ubuntu2404","debian11","debian12","debian13"]') }} + distro: ${{ (github.event_name == 'pull_request' || github.event_name == 'merge_group') && fromJSON('["rockylinux10","debian13"]') || fromJSON('["rockylinux9","rockylinux10","ubuntu2204","ubuntu2404","debian12","debian13"]') }} scenario: [kibana_default, kibana_custom, kibana_custom_certs] release: [8, 9] diff --git a/.github/workflows/test_role_logstash.yml b/.github/workflows/test_role_logstash.yml index 9f5c5516..7b207932 100644 --- a/.github/workflows/test_role_logstash.yml +++ b/.github/workflows/test_role_logstash.yml 
@@ -65,7 +65,7 @@ jobs: fail-fast: false max-parallel: 10 matrix: - distro: ${{ (github.event_name == 'pull_request' || github.event_name == 'merge_group') && fromJSON('["rockylinux10","debian13"]') || fromJSON('["rockylinux9","rockylinux10","ubuntu2204","ubuntu2404","debian11","debian12","debian13"]') }} + distro: ${{ (github.event_name == 'pull_request' || github.event_name == 'merge_group') && fromJSON('["rockylinux10","debian13"]') || fromJSON('["rockylinux9","rockylinux10","ubuntu2204","ubuntu2404","debian12","debian13"]') }} scenario: - logstash_default - logstash_ssl diff --git a/.github/workflows/test_role_repos.yml b/.github/workflows/test_role_repos.yml index 11800e47..9f3a6c31 100644 --- a/.github/workflows/test_role_repos.yml +++ b/.github/workflows/test_role_repos.yml @@ -65,7 +65,7 @@ jobs: fail-fast: false max-parallel: 10 matrix: - distro: ${{ (github.event_name == 'pull_request' || github.event_name == 'merge_group') && fromJSON('["rockylinux10","debian13"]') || fromJSON('["rockylinux9","rockylinux10","ubuntu2204","ubuntu2404","debian11","debian12","debian13"]') }} + distro: ${{ (github.event_name == 'pull_request' || github.event_name == 'merge_group') && fromJSON('["rockylinux10","debian13"]') || fromJSON('["rockylinux9","rockylinux10","ubuntu2204","ubuntu2404","debian12","debian13"]') }} scenario: - repos_default release: diff --git a/molecule/beats_default/molecule.yml b/molecule/beats_default/molecule.yml index 42fa8303..470aae6b 100644 --- a/molecule/beats_default/molecule.yml +++ b/molecule/beats_default/molecule.yml @@ -7,10 +7,10 @@ dependency: driver: name: default platforms: - - name: beats-def-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX} + - name: beats-def-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX} groups: - elasticsearch - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 4096 provisioner: name: ansible 
diff --git a/molecule/beats_peculiar/molecule.yml b/molecule/beats_peculiar/molecule.yml index 1e8e7fff..b9570835 100644 --- a/molecule/beats_peculiar/molecule.yml +++ b/molecule/beats_peculiar/molecule.yml @@ -7,8 +7,8 @@ dependency: driver: name: default platforms: - - name: beats-pec-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX} - distro: "${MOLECULE_DISTRO:-debian11}" + - name: beats-pec-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX} + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 2048 provisioner: name: ansible diff --git a/molecule/elasticsearch_custom/molecule.yml b/molecule/elasticsearch_custom/molecule.yml index b8d3acdb..7056cd74 100644 --- a/molecule/elasticsearch_custom/molecule.yml +++ b/molecule/elasticsearch_custom/molecule.yml @@ -7,10 +7,10 @@ dependency: driver: name: default platforms: - - name: "es-custom-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" + - name: "es-custom-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" groups: - elasticsearch - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 4096 provisioner: name: ansible diff --git a/molecule/elasticsearch_default/molecule.yml b/molecule/elasticsearch_default/molecule.yml index 7cd6a9d6..dd2419c0 100644 --- a/molecule/elasticsearch_default/molecule.yml +++ b/molecule/elasticsearch_default/molecule.yml 
@@ -7,15 +7,15 @@ dependency: driver: name: default platforms: - - name: "es-def1-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" + - name: "es-def1-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" groups: - elasticsearch - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 4096 - - name: "es-def2-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" + - name: "es-def2-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" groups: - elasticsearch - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 4096 provisioner: name: ansible diff --git a/molecule/elasticsearch_diagnostics/molecule.yml b/molecule/elasticsearch_diagnostics/molecule.yml index b21d442d..ffa055e1 100644 --- a/molecule/elasticsearch_diagnostics/molecule.yml +++ b/molecule/elasticsearch_diagnostics/molecule.yml @@ -7,10 +7,10 @@ dependency: driver: name: default platforms: - - name: "es-diag-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}" + - name: "es-diag-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}" groups: - elasticsearch - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 4096 provisioner: name: ansible diff --git a/molecule/elasticsearch_no-security/molecule.yml b/molecule/elasticsearch_no-security/molecule.yml index 131bf400..96b3eecc 100644 --- a/molecule/elasticsearch_no-security/molecule.yml +++ b/molecule/elasticsearch_no-security/molecule.yml 
@@ -7,15 +7,15 @@ dependency: driver: name: default platforms: - - name: "elasticsearch-nosecurity1-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" + - name: "elasticsearch-nosecurity1-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" groups: - elasticsearchXYZ - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 4096 - - name: "elasticsearch-nosecurity2-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" + - name: "elasticsearch-nosecurity2-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" groups: - elasticsearchXYZ - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 4096 provisioner: name: ansible diff --git a/molecule/elasticsearch_roles_calculation/molecule.yml b/molecule/elasticsearch_roles_calculation/molecule.yml index 7402013e..6167573b 100644 --- a/molecule/elasticsearch_roles_calculation/molecule.yml +++ b/molecule/elasticsearch_roles_calculation/molecule.yml 
@@ -7,20 +7,20 @@ dependency: driver: name: default platforms: - - name: "es-calc1-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" + - name: "es-calc1-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" groups: - elasticsearch - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 4096 - - name: "es-calc2-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" + - name: "es-calc2-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" groups: - elasticsearch - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 4096 - - name: "es-calc3-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" + - name: "es-calc3-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" groups: - elasticsearch - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 4096 provisioner: name: ansible diff --git a/molecule/elasticsearch_test_modules/molecule.yml b/molecule/elasticsearch_test_modules/molecule.yml index b2cb0b6d..4e7f2d4c 100644 --- a/molecule/elasticsearch_test_modules/molecule.yml +++ b/molecule/elasticsearch_test_modules/molecule.yml @@ -7,10 +7,10 @@ dependency: driver: name: default platforms: - - name: "es-mod-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" + - name: "es-mod-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" groups: - elasticsearch - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 4096 provisioner: name: ansible diff --git a/molecule/elasticsearch_upgrade_8to9/molecule.yml b/molecule/elasticsearch_upgrade_8to9/molecule.yml index 662c324c..020ca9f7 100644 --- a/molecule/elasticsearch_upgrade_8to9/molecule.yml +++ b/molecule/elasticsearch_upgrade_8to9/molecule.yml 
@@ -9,15 +9,15 @@ dependency: driver: name: default platforms: - - name: "es-upg89-n1-${MOLECULE_DISTRO:-debian11}${MOLECULE_RUN_SUFFIX}" + - name: "es-upg89-n1-${MOLECULE_DISTRO:-debian12}${MOLECULE_RUN_SUFFIX}" groups: - elasticsearch - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 4096 - - name: "es-upg89-n2-${MOLECULE_DISTRO:-debian11}${MOLECULE_RUN_SUFFIX}" + - name: "es-upg89-n2-${MOLECULE_DISTRO:-debian12}${MOLECULE_RUN_SUFFIX}" groups: - elasticsearch - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 4096 provisioner: name: ansible diff --git a/molecule/elasticsearch_upgrade_8to9_single/molecule.yml b/molecule/elasticsearch_upgrade_8to9_single/molecule.yml index bce8873b..47e13687 100644 --- a/molecule/elasticsearch_upgrade_8to9_single/molecule.yml +++ b/molecule/elasticsearch_upgrade_8to9_single/molecule.yml @@ -9,10 +9,10 @@ dependency: driver: name: default platforms: - - name: "es-upgs-${MOLECULE_DISTRO:-debian11}${MOLECULE_RUN_SUFFIX}" + - name: "es-upgs-${MOLECULE_DISTRO:-debian12}${MOLECULE_RUN_SUFFIX}" groups: - elasticsearch - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 4096 provisioner: name: ansible diff --git a/molecule/es_kibana/molecule.yml b/molecule/es_kibana/molecule.yml index f19618d9..453a3cb6 100644 --- a/molecule/es_kibana/molecule.yml +++ b/molecule/es_kibana/molecule.yml 
@@ -7,20 +7,20 @@ dependency: driver: name: default platforms: - - name: "eskb-es1-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" + - name: "eskb-es1-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" groups: - elasticsearch - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 4096 - - name: "eskb-es2-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" + - name: "eskb-es2-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" groups: - elasticsearch - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 4096 - - name: "eskb-kb1-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" + - name: "eskb-kb1-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" groups: - kibana - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 2048 provisioner: name: ansible diff --git a/molecule/kibana_default/molecule.yml b/molecule/kibana_default/molecule.yml index 40f023ab..385986c5 100644 --- a/molecule/kibana_default/molecule.yml +++ b/molecule/kibana_default/molecule.yml @@ -7,8 +7,8 @@ dependency: driver: name: default platforms: - - name: "kib-def-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" - distro: "${MOLECULE_DISTRO:-debian11}" + - name: "kib-def-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" + distro: "${MOLECULE_DISTRO:-debian12}" provisioner: name: ansible env: diff --git a/molecule/logstash_elasticsearch/molecule.yml b/molecule/logstash_elasticsearch/molecule.yml index 77976d5e..4e6f9a18 100644 --- a/molecule/logstash_elasticsearch/molecule.yml +++ b/molecule/logstash_elasticsearch/molecule.yml 
@@ -7,10 +7,10 @@ dependency: driver: name: default platforms: - - name: "ls-es-es1-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" + - name: "ls-es-es1-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" groups: - elasticsearch - distro: "${MOLECULE_DISTRO:-debian11}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 4096 - name: "ls-es-ls1-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" groups: diff --git a/molecule/repos_default/molecule.yml b/molecule/repos_default/molecule.yml index 1f4c120c..40bc769b 100644 --- a/molecule/repos_default/molecule.yml +++ b/molecule/repos_default/molecule.yml @@ -7,8 +7,8 @@ dependency: driver: name: default platforms: - - name: "repos-def-${MOLECULE_DISTRO:-debian11}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" - distro: "${MOLECULE_DISTRO:-debian11}" + - name: "repos-def-${MOLECULE_DISTRO:-debian12}-r${ELASTIC_RELEASE:-9}${MOLECULE_RUN_SUFFIX}" + distro: "${MOLECULE_DISTRO:-debian12}" memory_mb: 512 provisioner: name: ansible diff --git a/molecule/shared/create.yml b/molecule/shared/create.yml index 04fdbc70..1f826b68 100644 --- a/molecule/shared/create.yml +++ b/molecule/shared/create.yml @@ -46,7 +46,6 @@ incus_storage_pool: "{{ lookup('env', 'INCUS_STORAGE_POOL') | default('lvm-pool', true) }}" # Pre-baked local images with SSH + python3 + authorized_keys ready. incus_images: - debian11: "molecule-debian-11" debian12: "molecule-debian-12" debian13: "molecule-debian-13" rockylinux9: "molecule-rockylinux-9" diff --git a/molecule/shared/set_ci_watermarks.yml b/molecule/shared/set_ci_watermarks.yml index 6ecbd2cd..1ee38cba 100644 --- a/molecule/shared/set_ci_watermarks.yml +++ b/molecule/shared/set_ci_watermarks.yml 
@@ -4,6 +4,8 @@ # scenarios where disk space is constrained. Runs once per cluster. # # Requires: Elasticsearch running with security enabled. +# Uses elasticstack_password (set by the elasticsearch role) when +# available, falls back to reading from the initial_passwords file. - name: Read elastic password for watermark setup ansible.builtin.shell: | set -o pipefail @@ -15,6 +17,7 @@ changed_when: false no_log: true run_once: true + when: elasticstack_password is not defined or elasticstack_password.stdout | default('') | length == 0 - name: Set lenient disk watermarks (CI) ansible.builtin.uri: @@ -28,7 +31,7 @@ cluster.routing.allocation.disk.watermark.flood_stage.frozen: "99%" body_format: json user: elastic - password: "{{ _ci_elastic_pass.stdout }}" + password: "{{ elasticstack_password.stdout | default(_ci_elastic_pass.stdout | default('')) }}" validate_certs: false force_basic_auth: true register: _ci_watermark_result diff --git a/molecule/shared/verify_fetch_password.yml b/molecule/shared/verify_fetch_password.yml index bbf6e0de..2ad955bf 100644 --- a/molecule/shared/verify_fetch_password.yml +++ b/molecule/shared/verify_fetch_password.yml @@ -7,13 +7,6 @@ # _verify_delegate_to: host to delegate to (default: omitted, runs locally) # _verify_run_once: whether to run once (default: true) -- name: Use user-defined elastic password - ansible.builtin.set_fact: - elastic_pass: - stdout: "{{ _verify_elastic_password }}" - when: _verify_elastic_password | default('') | length > 0 - run_once: "{{ _verify_run_once | default(true) }}" # noqa: run-once[task] - - name: Fetch Elastic password from file ansible.builtin.shell: | set -o pipefail 
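Review bot: In molecule/shared/set_ci_watermarks.yml, the new `password:` expression on "Set lenient disk watermarks (CI)" does not fall back when `elasticstack_password.stdout` is defined but empty, because `default()` without its second argument only replaces undefined values. The `when` added to the read task does treat an empty `stdout` as a reason to read the file, and the role change in this same commit sets `elasticstack_password.stdout` to `""` when the passwords file is missing, so the two conditions can disagree and the request would be sent with an empty password. Use the form the role's own watermark task uses: `password: "{{ (elasticstack_password.stdout | default('')) or (_ci_elastic_pass.stdout | default('')) }}"`. The task continues outside the hunk.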
@@ -26,3 +19,13 @@ run_once: "{{ _verify_run_once | default(true) }}" # noqa: run-once[task] delegate_to: "{{ _verify_delegate_to | default(omit) }}" when: _verify_elastic_password | default('') | length == 0 + +# set_fact MUST come after the shell task: Ansible's `register` runs +# even on skipped tasks, overwriting the variable with a dict that +# lacks `.stdout`. Putting set_fact second ensures it wins. +- name: Use user-defined elastic password + ansible.builtin.set_fact: + elastic_pass: + stdout: "{{ _verify_elastic_password }}" + when: _verify_elastic_password | default('') | length > 0 + run_once: "{{ _verify_run_once | default(true) }}" # noqa: run-once[task] diff --git a/roles/beats/meta/main.yml b/roles/beats/meta/main.yml index fb36ede6..02e51807 100644 --- a/roles/beats/meta/main.yml +++ b/roles/beats/meta/main.yml @@ -15,7 +15,6 @@ galaxy_info: - "10" - name: Debian versions: - - bullseye - bookworm - trixie - name: Ubuntu diff --git a/roles/elasticsearch/meta/main.yml b/roles/elasticsearch/meta/main.yml index b2a4b4e9..1eaa741c 100644 --- a/roles/elasticsearch/meta/main.yml +++ b/roles/elasticsearch/meta/main.yml @@ -14,7 +14,6 @@ galaxy_info: - "10" - name: Debian versions: - - bullseye - bookworm - trixie - name: Ubuntu diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml index ddb8c0f2..523b8ccf 100644 --- a/roles/elasticsearch/tasks/elasticsearch-security.yml +++ b/roles/elasticsearch/tasks/elasticsearch-security.yml @@ -747,13 +747,6 @@ retries: 30 delay: 10 - - name: Use user-defined elastic password - ansible.builtin.set_fact: - elasticstack_password: - stdout: "{{ elasticsearch_elastic_password }}" - no_log: "{{ elasticstack_no_log }}" - when: elasticsearch_elastic_password | default('') | length > 0 - - name: Fetch Elastic password from file ansible.builtin.include_tasks: file: "{{ role_path }}/../elasticstack/tasks/fetch_password.yml" 
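Review bot: The relocated "Use user-defined elastic password" task in molecule/shared/verify_fetch_password.yml copies `_verify_elastic_password` into the `elastic_pass` fact without `no_log`, so the value appears in the task result at higher verbosity and can end up in CI logs. The "Read elastic password for watermark setup" task in set_ci_watermarks.yml already sets `no_log: true`; add the same line here. Whether the preceding shell task sets it cannot be seen from this hunk, since its body starts outside it.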
@@ -761,9 +754,22 @@ _password_user: elastic _password_fact: elasticstack_password when: - - elasticsearch_elastic_password | default('') | length == 0 - elasticsearch_passwords_file.stat.exists | bool + # On fresh install the passwords file doesn't exist yet, so the fetch + # above is skipped. But the elasticstack shared role may have already + # set elasticstack_password to the user-defined value — which hasn't + # actually been applied to ES yet. Clear it so the API check below + # is safely skipped (the bootstrap-password check already confirmed + # the cluster is reachable). + - name: Clear premature user-defined password on fresh install + ansible.builtin.set_fact: + elasticstack_password: + stdout: "" + when: + - not elasticsearch_passwords_file.stat.exists | bool + - elasticsearch_elastic_password | default('') | length > 0 + - name: Check for API availability with elastic password ansible.builtin.uri: url: "{{ elasticsearch_http_protocol }}://{{ elasticsearch_api_host }}:{{ elasticstack_elasticsearch_http_port }}" 
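Review bot: "Clear premature user-defined password on fresh install" treats a missing passwords file as proof of a fresh install, but its `when` only tests `not elasticsearch_passwords_file.stat.exists` together with a non-empty `elasticsearch_elastic_password`. If an operator removes the initial passwords file after setting their own password, this task would presumably blank a working `elasticstack_password` and the API check below would be skipped. Consider also gating on an explicit fresh-install signal if one is registered before this point (the diff references `elasticsearch_freshstart_security.changed` further down). Otherwise state the assumption in the comment, for example `# Assumes the passwords file is never removed on an initialised cluster`.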
@@ -773,14 +779,47 @@ force_basic_auth: true register: elasticsearch_api_status changed_when: false + failed_when: false no_log: "{{ elasticstack_no_log }}" when: - elasticstack_password is defined - elasticstack_password.stdout | default('') | length > 0 - until: (elasticsearch_api_status.json | default({})).cluster_name is defined + until: >- + (elasticsearch_api_status.json | default({})).cluster_name is defined + or (elasticsearch_api_status.status | default(0)) == 401 retries: 20 delay: 10 + # If the auto-generated password returned 401, the user-defined + # password was already applied in a previous run. Switch to it. + - name: Switch to user-defined password after prior change + ansible.builtin.set_fact: + elasticstack_password: + stdout: "{{ elasticsearch_elastic_password }}" + no_log: "{{ elasticstack_no_log }}" + when: + - elasticsearch_elastic_password | default('') | length > 0 + - elasticsearch_api_status is defined + - (elasticsearch_api_status.status | default(0)) == 401 + + - name: Verify API availability with user-defined password + ansible.builtin.uri: + url: "{{ elasticsearch_http_protocol }}://{{ elasticsearch_api_host }}:{{ elasticstack_elasticsearch_http_port }}" + user: elastic + password: "{{ elasticstack_password.stdout }}" + validate_certs: "{{ elasticsearch_validate_api_certs }}" + force_basic_auth: true + register: elasticsearch_api_status + changed_when: false + no_log: "{{ elasticstack_no_log }}" + when: + - elasticsearch_elastic_password | default('') | length > 0 + - elasticsearch_api_status is defined + - (elasticsearch_api_status.status | default(0)) == 401 + until: (elasticsearch_api_status.json | default({})).cluster_name is defined + retries: 10 + delay: 5 + - name: Work around low resources on CI/CD nodes when: ansible_facts.virtualization_type in ["container", "docker", "lxc"] block: 
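Review bot: A 401 from "Check for API availability with elastic password" is only handled when `elasticsearch_elastic_password` is set. With `failed_when: false` and the `until` now accepting 401, a rejected stored password with no user-defined replacement ends the loop successfully, and both follow-up tasks are skipped by their `when`. The play then continues with credentials Elasticsearch has already refused, where the check previously failed after its retries. Add an explicit failure for that case, placed before "Verify API availability with user-defined password", because that task re-registers `elasticsearch_api_status` even when skipped. The enclosing block starts outside the hunk.

```yaml
    # … unchanged: Check for API availability with elastic password …

    - name: Fail when the stored elastic password is rejected and no replacement is set
      ansible.builtin.fail:
        msg: >-
          Elasticsearch rejected the stored elastic password (HTTP 401)
          and elasticsearch_elastic_password is not set.
      when:
        - elasticsearch_elastic_password | default('') | length == 0
        - (elasticsearch_api_status.status | default(0)) == 401

    # … unchanged: Switch to user-defined password after prior change …
```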
@@ -802,7 +841,7 @@ cluster.routing.allocation.disk.watermark.flood_stage.frozen: "99%" body_format: json user: elastic - password: "{{ elasticstack_password.stdout | default(elasticsearch_bootstrap_pw) }}" + password: "{{ (elasticstack_password.stdout | default('')) or elasticsearch_bootstrap_pw }}" validate_certs: "{{ elasticsearch_validate_api_certs }}" force_basic_auth: true register: elasticsearch_watermark_response @@ -915,7 +954,7 @@ when: - inventory_hostname == elasticstack_ca_host - elasticsearch_elastic_password | default('') | length > 0 - - elasticsearch_freshstart_security.changed | bool + - elasticstack_password.stdout | default('') != elasticsearch_elastic_password block: - name: Fetch auto-generated elastic password ansible.builtin.include_tasks: @@ -944,6 +983,18 @@ stdout: "{{ elasticsearch_elastic_password }}" no_log: "{{ elasticstack_no_log }}" + # On fresh install the passwords file was just created but elasticstack_password + # may still be unset (the shared role couldn't fetch it because the file didn't + # exist yet). Fetch now so downstream tasks (cluster settings, watermarks) work. + - name: Fetch elastic password after initial setup + ansible.builtin.include_tasks: + file: "{{ role_path }}/../elasticstack/tasks/fetch_password.yml" + vars: + _password_user: elastic + _password_fact: elasticstack_password + when: + - elasticstack_password is not defined or (elasticstack_password.stdout | default('') | length == 0) + # Maybe make sure that Elasticsearch is using the right protocol http(s) to connect, even in newly setup clusters # -- Certificate expiry warnings -- diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index f0102647..d4b1f539 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml 
@@ -531,9 +531,11 @@ ansible.builtin.debug: msg: >- Using {{ elasticsearch_heap | int * 1024 }} of - {{ (_es_cgroup_memory.content is defined and (_es_cgroup_memory.content | b64decode | trim) != 'max') - | ternary((_es_cgroup_memory.content | b64decode | trim) | int // 1048576 ~ ' MB (cgroup limit)', - ansible_facts.memtotal_mb ~ ' MB') }} + {% if _es_cgroup_memory.content is defined and (_es_cgroup_memory.content | b64decode | trim) != 'max' %} + {{ (_es_cgroup_memory.content | b64decode | trim) | int // 1048576 }} MB (cgroup limit) + {% else %} + {{ ansible_facts.memtotal_mb }} MB + {% endif %} as heap for Elasticsearch when: elasticsearch_heap is defined and (elasticsearch_heap | string | length > 0) @@ -580,7 +582,7 @@ - name: Check if settings already match ansible.builtin.set_fact: - _es_cluster_settings_changed: "{{ _needs_update }}" + _es_cluster_settings_changed: "{{ _needs_update | trim }}" vars: _current: "{{ _es_current_cluster_settings.json.persistent }}" _needs_update: >- diff --git a/roles/elasticsearch/templates/log4j2.properties.j2 b/roles/elasticsearch/templates/log4j2.properties.j2 index b56ca7a6..ffe666ca 100644 --- a/roles/elasticsearch/templates/log4j2.properties.j2 +++ b/roles/elasticsearch/templates/log4j2.properties.j2 @@ -1,4 +1,4 @@ -{{ ansible_managed | comment('#') }} +{{ ansible_managed | comment }} status = error diff --git a/roles/kibana/meta/main.yml b/roles/kibana/meta/main.yml index 9e99e750..1432001d 100644 --- a/roles/kibana/meta/main.yml +++ b/roles/kibana/meta/main.yml @@ -14,7 +14,6 @@ galaxy_info: - "10" - name: Debian versions: - - bullseye - bookworm - trixie - name: Ubuntu diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml index 10b42259..45dbb0b6 100644 --- a/roles/kibana/tasks/kibana-security.yml +++ b/roles/kibana/tasks/kibana-security.yml 
@@ -67,6 +67,15 @@ _validate_ca_extracted_fact: _kibana_ca_extracted when: not (_kibana_content_mode | bool) + # -- Ensure cert directory exists before deploying -- + - name: Create certificate directory + ansible.builtin.file: + path: /etc/kibana/certs + state: directory + owner: root + group: kibana + mode: "0750" + # -- Deploy certificates -- - name: Write Kibana certificate (from content) diff --git a/roles/logstash/meta/main.yml b/roles/logstash/meta/main.yml index 9868f486..e3a2f610 100644 --- a/roles/logstash/meta/main.yml +++ b/roles/logstash/meta/main.yml @@ -14,7 +14,6 @@ galaxy_info: - "10" - name: Debian versions: - - bullseye - bookworm - trixie - name: Ubuntu diff --git a/roles/repos/meta/main.yml b/roles/repos/meta/main.yml index 2dcd33db..3693d9c5 100644 --- a/roles/repos/meta/main.yml +++ b/roles/repos/meta/main.yml @@ -15,7 +15,6 @@ galaxy_info: - "10" - name: Debian versions: - - bullseye - bookworm - trixie - name: Ubuntu