Add user-defined elastic password and LogsDB support #91
Merged
Add elasticsearch_elastic_password variable that changes the auto-generated elastic superuser password after initial security setup and uses the user-defined value for all subsequent API calls. The initial_passwords file is preserved for other built-in users (kibana_system, beats_system, etc.). The elasticstack-passwords.yml shared task checks for the user-defined password first, falling back to the file when unset.

Add elasticsearch_logsdb variable (default true for 9.x, false for 8.x) that enables the LogsDB index mode via cluster.logsdb.enabled persistent cluster setting. LogsDB uses synthetic _source and optimized compression for up to 4x storage savings. Fresh 9.x installs enable this by default but 8.x→9.x upgrades do not — this matches the upstream 9.x default behavior.

Fix pre-commit ansible-lint hook to not pass filenames directly, so that exclude_paths in .ansible-lint is respected for molecule/shared/ task files.

Closes #89, closes #71.
When elasticsearch_logsdb defaults to true on 9.x, the effective cluster settings dict is non-empty and the "Apply persistent cluster settings" block fires. In scenarios that don't include the elasticstack role (like elasticsearch_test_modules), elasticstack_password is never set outside of elasticsearch-security.yml, causing an undefined variable error. Skip the block when security is enabled but no password is available yet. When security is disabled, the block runs unconditionally since no auth is needed.
Summary
- elasticsearch_elastic_password for setting the elastic superuser password to a user-defined value after initial security setup. When set, the role changes the auto-generated password via the _security/user/elastic/_password API and uses the new password for all subsequent API calls. The initial_passwords file is kept for other built-in users (kibana_system, beats_system, etc.)
- elasticsearch_logsdb (default true for 9.x, false for 8.x) that enables LogsDB index mode via cluster.logsdb.enabled persistent cluster setting. Matches upstream 9.x fresh-install behavior on upgrade clusters
- exclude_paths from .ansible-lint (was passing filenames directly, bypassing excludes for molecule/shared/)

Test plan
- elasticsearch_default — verifies user-defined password works for API calls, old auto-generated password returns 401, LogsDB cluster setting is applied
- elasticsearch_elastic_password set)

Closes #89, closes #71.
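The flow described above (password change, fallback, the 401 check from the test plan, and the guarded cluster-settings call), as an added Ansible example that is not the role's own task code. The names es_url, security_enabled and initial_elastic_password are assumptions made for illustration; only elasticsearch_elastic_password, elasticstack_password and elasticsearch_logsdb come from the page.

```yaml
# Added example: hypothetical playbook, not the role's own tasks.
- name: Rotate the elastic password, then apply the LogsDB setting
  hosts: localhost
  gather_facts: false
  vars:
    es_url: "https://localhost:9200"   # assumed endpoint, CA trusted locally
    security_enabled: true             # hypothetical variable name
    elasticsearch_logsdb: true
    # initial_elastic_password (hypothetical) and elasticsearch_elastic_password
    # are expected from a vault or extra vars, never in plain text here.
  tasks:
    - name: Change the auto-generated elastic password
      ansible.builtin.uri:
        url: "{{ es_url }}/_security/user/elastic/_password"
        method: POST
        user: elastic
        password: "{{ initial_elastic_password }}"
        force_basic_auth: true
        body_format: json
        body: {password: "{{ elasticsearch_elastic_password }}"}
      no_log: true
      when: security_enabled and elasticsearch_elastic_password is defined
    - name: Prefer the user-defined password, fall back to the generated one
      ansible.builtin.set_fact:
        elasticstack_password: "{{ elasticsearch_elastic_password | default(initial_elastic_password) }}"
      no_log: true
      when: security_enabled
    - name: Confirm the old auto-generated password now returns 401
      ansible.builtin.uri:
        url: "{{ es_url }}/_security/_authenticate"
        user: elastic
        password: "{{ initial_elastic_password }}"
        force_basic_auth: true
        status_code: 401
      no_log: true
      when: security_enabled and elasticsearch_elastic_password is defined
    - name: Apply persistent cluster settings
      ansible.builtin.uri:
        url: "{{ es_url }}/_cluster/settings"
        method: PUT
        user: "{{ 'elastic' if security_enabled else omit }}"
        password: "{{ elasticstack_password | default(omit) }}"
        force_basic_auth: "{{ security_enabled }}"
        body_format: json
        body:
          persistent: {"cluster.logsdb.enabled": "{{ elasticsearch_logsdb }}"}
      no_log: true
      # Skip only when security is on but no password is known yet.
      when: not security_enabled or elasticstack_password is defined
```

A second run fails at the first task because the auto-generated password is no longer valid, so a real role has to detect that the change already happened.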