tls keystores password in elasticsearch.keystore not updated when es_upload_ssl==false

[schallee]

Describe the feature:

Elasticsearch version

7.10.2

Role version: fec4907

JVM version: 15.0.1

OS version (uname -a if on a Unix-like system):

Linux leaves 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
Debian 10 "Buster"

Description of the problem including expected versus actual behaviour:

The changing of elasticsearch-keystore values depends on copy_keystore.changed and/or copy_truststore.changed. These are only set when the stores have been uploaded with es_upload_ssl==true.

The PEM variants of the same are also likely affected.

I started putting together a PR for this that checked whether the ssl/tls keystore/truststore are newer than elasticsearch.keystore and updating the passwords if they were but this is fairly complex change that should probably be discussed first. The changes needed were fairly significant, both PR #684 and PR #757 potentially would conflict. Additionally stating files in ansible is different on *nix and windows.

Playbook:

Any playbook that specifies es_ssl_keystore_password or es_ssl_truststore_password and es_ssl_upload=false.

Provide logs from Ansible:

ES Logs if relevant:

[Bernhard-Fluehmann]

@schallee What about following the proper keystore support as proposed by my pull request and configure these passwords directly there? IMHO this would reduce complexity.

[schallee]

I'm assuming you are referring to PR #757.

For me this would work just fine and I am doing similar in a work around (running the role twice).

I worry that it does not fit within the flow of the role and certainly confuses the purpose of es_ssl_keystore_password and es_ssl_truststore_password. If these are to remain it would need to be clearly documented that they can't be used when not uploading keys and that it needs to be done using the your method. I'd probably go for the flexibility of your approach and remove the vars but that would certainly break some setups.

[Bernhard-Fluehmann]

@schallee You are right about backwords compatibility. So a fix would still make sense. Anyway it should not interfere too much with the generic keystore entry support. As long as ssl stuff always use -f then you would need a same entry with force:true in the generic keystore settings to interfere with it. And IMHO configuring in two separate places simultaneously makes not sense and will most likely not be done. What you think?

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[jmlrt]

still valid

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[jmlrt]

still valid

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.