Guard URI retry loops against missing .json attribute

roles/elasticsearch/tasks/elasticsearch-rolling-upgrade.yml

@@ -103,7 +103,7 @@
         validate_certs: "{{ elasticsearch_validate_api_certs }}"
         force_basic_auth: true
       register: elasticsearch_response
-      until: elasticsearch_response.json.acknowledged | default(false)
+      until: (elasticsearch_response.json | default({})).acknowledged | default(false)
       retries: 10
       delay: 30
       no_log: "{{ elasticstack_no_log }}"
@@ -119,7 +119,7 @@
         validate_certs: "{{ elasticsearch_validate_api_certs }}"
         force_basic_auth: true
       register: elasticsearch_response
-      until: (elasticsearch_response.json.status | default('')) in ['green', 'yellow']
+      until: ((elasticsearch_response.json | default({})).status | default('')) in ['green', 'yellow']
       retries: 50
       delay: 30
       no_log: "{{ elasticstack_no_log }}"
@@ -137,7 +137,7 @@
         validate_certs: "{{ elasticsearch_validate_api_certs }}"
         force_basic_auth: true
       register: elasticsearch_response
-      until: elasticsearch_response.json.acknowledged | default(false)
+      until: (elasticsearch_response.json | default({})).acknowledged | default(false)
       retries: 5
       delay: 10
       no_log: "{{ elasticstack_no_log }}"
@@ -235,7 +235,7 @@
         validate_certs: "{{ elasticsearch_validate_api_certs }}"
         force_basic_auth: true
       register: elasticsearch_response
-      until: elasticsearch_response.json.acknowledged | default(false)
+      until: (elasticsearch_response.json | default({})).acknowledged | default(false)
       retries: 5
       delay: 30
       no_log: "{{ elasticstack_no_log }}"
@@ -249,7 +249,7 @@
         validate_certs: "{{ elasticsearch_validate_api_certs }}"
         force_basic_auth: true
       register: elasticsearch_response
-      until: (elasticsearch_response.json.status | default('')) in ['green', 'yellow']
+      until: ((elasticsearch_response.json | default({})).status | default('')) in ['green', 'yellow']
       retries: 30
       delay: 30
       no_log: "{{ elasticstack_no_log }}"

roles/elasticsearch/tasks/elasticsearch-security.yml

@@ -266,7 +266,7 @@
 
     # Extract CA chain from the already-deployed transport cert on the node.
     # Uses copy+content for idempotency (only writes when content changes).
     - name: Read CA chain from PEM bundle (transport cert)
       ansible.builtin.shell:
         cmd: >-
           awk '/-----BEGIN CERTIFICATE-----/{n++} n>1'
@@ -300,7 +300,7 @@
 
     # -- Remove stale auto-generated P12 files from a previous elasticsearch_ca deployment --
 
     - name: Find stale auto-generated P12 certificate files
       ansible.builtin.find:
         paths: /etc/elasticsearch/certs
         patterns: "*.p12"
@@ -366,7 +366,7 @@
     # The CA backup removes the entire elasticstack_ca_dir, which also
     # contains Kibana encryption key files. If those are regenerated,
     # Kibana can't decrypt its existing saved objects and enters 503.
     - name: Check for Kibana encryption keys before CA backup
       ansible.builtin.stat:
         path: "{{ elasticstack_ca_dir }}/{{ item }}"
       loop:
@@ -675,7 +675,7 @@
       no_log: "{{ elasticstack_no_log }}"
       when:
         - not elasticsearch_passwords_file.stat.exists | bool
-      until: elasticsearch_api_status_bootstrap.json.cluster_name is defined
+      until: (elasticsearch_api_status_bootstrap.json | default({})).cluster_name is defined
       retries: 30
       delay: 10
 
@@ -694,7 +694,7 @@
       no_log: "{{ elasticstack_no_log }}"
       when:
         - not elasticsearch_passwords_file.stat.exists | bool
-      until: elasticsearch_cluster_status_bootstrap.json.status in ["green", "yellow"]
+      until: (elasticsearch_cluster_status_bootstrap.json | default({})).status | default('') in ["green", "yellow"]
       retries: 30
       delay: 10
 
@@ -718,7 +718,7 @@
       no_log: "{{ elasticstack_no_log }}"
       when:
         - elasticsearch_passwords_file.stat.exists | bool
-      until: elasticsearch_api_status.json.cluster_name is defined
+      until: (elasticsearch_api_status.json | default({})).cluster_name is defined
       retries: 20
       delay: 10
 
@@ -768,7 +768,7 @@
       no_log: "{{ elasticstack_no_log }}"
       when:
         - elasticsearch_passwords_file.stat.exists | bool
-      until: (elasticsearch_cluster_status.json.status | default('')) in ['green', 'yellow']
+      until: ((elasticsearch_cluster_status.json | default({})).status | default('')) in ['green', 'yellow']
       retries: 20
       delay: 10
 

roles/elasticsearch/tasks/main.yml

@@ -141,7 +141,7 @@
 
 - name: Construct exact name of Elasticsearch package
   ansible.builtin.set_fact:
     elasticsearch_package: >-
       {{
       'elasticsearch' +
       ((elasticstack_versionseparator +
@@ -251,7 +251,7 @@
 
 # Pre-detect external cert state so the template renders consistently
 # across first and subsequent runs (idempotency).
 - name: Detect existing external CA for template rendering
   ansible.builtin.stat:
     path: /etc/elasticsearch/certs/ca.crt
   register: _existing_ca_cert
@@ -471,7 +471,7 @@
         url: "http://{{ elasticsearch_api_host }}:{{ elasticstack_elasticsearch_http_port }}/_cluster/health?pretty"
       register: elasticsearch_cluster_status
       ignore_errors: "{{ ansible_check_mode }}"
-      until: (elasticsearch_cluster_status.json.status | default('')) in ['green', 'yellow']
+      until: ((elasticsearch_cluster_status.json | default({})).status | default('')) in ['green', 'yellow']
       retries: 30
       delay: 10
       no_log: "{{ elasticstack_no_log }}"