From eb5f4be7cdee00accd45ed966cbe7f176a3e1b84 Mon Sep 17 00:00:00 2001
From: Kalibh Halford
Date: Wed, 20 Aug 2025 15:12:35 +0100
Subject: [PATCH 1/2] ENH: Add task to reset passwords for elasticsearch

Adds a task that resets the passwords to the elastic search system users to values set in our variables
---
 .../elastic/tasks/elasticsearch_passwords.yml | 112 ++++++++++++++++++
 .../ansible/roles/elastic/tasks/main.yml | 5 +
 2 files changed, 117 insertions(+)
 create mode 100644 chatops_deployment/ansible/roles/elastic/tasks/elasticsearch_passwords.yml

diff --git a/chatops_deployment/ansible/roles/elastic/tasks/elasticsearch_passwords.yml b/chatops_deployment/ansible/roles/elastic/tasks/elasticsearch_passwords.yml
new file mode 100644
index 00000000..48db56c2
--- /dev/null
+++ b/chatops_deployment/ansible/roles/elastic/tasks/elasticsearch_passwords.yml
@@ -0,0 +1,112 @@
+---
+- name: Flush Handlers to kickstart Elasticsearch to set up passwords
+ ansible.builtin.meta: flush_handlers
+
+- name: Install expect for the interactive shells
+ become: true
+ ansible.builtin.apt:
+ name: expect
+ update_cache: true
+ state: latest # noqa: package-latest
+
+- name: Set the elastic user password
+ block:
+ - name: Wait for Elasticsearch to be ready and check if current password is correct
+ become: true
+ ansible.builtin.uri:
+ url: https://localhost:9200
+ return_content: true
+ validate_certs: false
+ url_username: "elastic"
+ url_password: "{{ elastic_password }}"
+ status_code: [401, 200]
+ ca_path: /etc/elasticsearch/certs/elasticsearch.crt
+ until: uri_output.status == 401 or uri_output.status == 200
+ retries: 10
+ delay: 5
+ register: uri_output
+
+ - name: Reset Elastic user password
+ become: true
+ ansible.builtin.shell: |
+ expect << EOF
+ spawn /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -s -i
+ expect -ex "Please confirm that you would like to continue \[y/N\]"
+ send "y\r"
+ expect -ex "Enter password for \[elastic\]:"
+ send "{{ elastic_password }}\r"
+ expect -ex "Re-enter password for \[elastic\]:"
+ send "{{ elastic_password }}\r"
+ expect eof
+ EOF
+ when: uri_output.status == 401
+ register: _
+ changed_when: _.rc == 0
+
+- name: Set the kibana_system user password
+ block:
+ - name: Wait for Elasticsearch to be ready and check if current password is correct
+ become: true
+ ansible.builtin.uri:
+ url: https://localhost:9200
+ return_content: true
+ validate_certs: false
+ url_username: "kibana_system"
+ url_password: "{{ kibana_system_password }}"
+ status_code: [401, 200]
+ ca_path: /etc/elasticsearch/certs/elasticsearch.crt
+ until: uri_output.status == 401 or uri_output.status == 200
+ retries: 10
+ delay: 5
+ register: uri_output
+
+ - name: Reset kibana_system user password
+ become: true
+ ansible.builtin.shell: |
+ expect << EOF
+ spawn /usr/share/elasticsearch/bin/elasticsearch-reset-password -u kibana_system -s -i
+ expect -ex "Please confirm that you would like to continue \[y/N\]"
+ send "y\r"
+ expect -ex "Enter password for \[kibana_system\]:"
+ send "{{ kibana_system_password }}\r"
+ expect -ex "Re-enter password for \[kibana_system\]:"
+ send "{{ kibana_system_password }}\r"
+ expect eof
+ EOF
+ when: uri_output.status == 401
+ register: _
+ changed_when: _.rc == 0
+
+- name: Set the logstash_system user password
+ block:
+ - name: Wait for Elasticsearch to be ready and check if current password is correct
+ become: true
+ ansible.builtin.uri:
+ url: https://localhost:9200
+ return_content: true
+ validate_certs: false
+ url_username: "logstash_system"
+ url_password: "{{ logstash_system_password }}"
+ status_code: [401, 200]
+ ca_path: /etc/elasticsearch/certs/elasticsearch.crt
+ until: uri_output.status == 401 or uri_output.status == 200
+ retries: 10
+ delay: 5
+ register: uri_output
+
+ - name: Reset logstash_system user password
+ become: true
+ ansible.builtin.shell: |
+ expect << EOF
+ spawn /usr/share/elasticsearch/bin/elasticsearch-reset-password -u logstash_system -s -i
+ expect -ex "Please confirm that you would like to continue \[y/N\]"
+ send "y\r"
+ expect -ex "Enter password for \[logstash_system\]:"
+ send "{{ logstash_system_password }}\r"
+ expect -ex "Re-enter password for \[logstash_system\]:"
+ send "{{ logstash_system_password }}\r"
+ expect eof
+ EOF
+ when: uri_output.status == 401
+ register: _
+ changed_when: _.rc == 0
diff --git a/chatops_deployment/ansible/roles/elastic/tasks/main.yml b/chatops_deployment/ansible/roles/elastic/tasks/main.yml
index 2e43e567..275e030b 100644
--- a/chatops_deployment/ansible/roles/elastic/tasks/main.yml
+++ b/chatops_deployment/ansible/roles/elastic/tasks/main.yml
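Review bot: The three `Reset … user password` shell tasks interpolate the secret straight into an unquoted `<< EOF` heredoc and register the result without `no_log`, so the rendered command (password included) lands in the registered `_.cmd` and in verbose or failed-task output, and any `$`, backtick, `"` or `[` in the password is expanded by the shell or by Tcl before it is sent. Passing the value through `environment:` and sending `$env(ELASTIC_PW)` inside a quoted `<< 'EOF'` heredoc avoids both, and `no_log: true` keeps it out of the log. Separately, `expect eof` exits 0 whatever the spawned tool did (a timed-out `expect -ex` simply falls through), so `changed_when: _.rc == 0` can report success when the password was never set; `exit [lindex [wait] 3]` after `expect eof` propagates the tool's own exit status. The same applies to the kibana_system and logstash_system blocks later in the hunk, and since `validate_certs: false` disables certificate checking on the `uri` tasks, the `ca_path:` beside it has no effect — with a CA file already to hand, dropping `validate_certs: false` is probably the intent (worth confirming the certificate covers localhost).
```yaml
    - name: Reset Elastic user password
      become: true
      no_log: true
      environment:
        ELASTIC_PW: "{{ elastic_password }}"
      ansible.builtin.shell: |
        expect << 'EOF'
        # … unchanged: spawn and the y/N confirmation …
        expect -ex "Enter password for \[elastic\]:"
        send "$env(ELASTIC_PW)\r"
        expect -ex "Re-enter password for \[elastic\]:"
        send "$env(ELASTIC_PW)\r"
        expect eof
        exit [lindex [wait] 3]
        EOF
      # … unchanged: when / register / changed_when …
```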
@@ -4,6 +4,11 @@
 tags:
 - elasticsearch
+- name: Set Elasticsearch passwords
+ ansible.builtin.import_tasks: elasticsearch_passwords.yml
+ tags:
+ - elasticsearch
+
 - name: Install Kibana
 ansible.builtin.import_tasks: kibana.yml
 tags:

From 69fd9ff25c23ca9c7931c3c52e0789dc60502e83 Mon Sep 17 00:00:00 2001
From: Kalibh Halford
Date: Mon, 13 Oct 2025 12:38:20 +0100
Subject: [PATCH 2/2] LINT: Add role prefix to variables

Ansible lint requires variables in roles to have the role name prefixed to them.
---
 .../elastic/tasks/elasticsearch_passwords.yml | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/chatops_deployment/ansible/roles/elastic/tasks/elasticsearch_passwords.yml b/chatops_deployment/ansible/roles/elastic/tasks/elasticsearch_passwords.yml
index 48db56c2..f3dea61d 100644
--- a/chatops_deployment/ansible/roles/elastic/tasks/elasticsearch_passwords.yml
+++ b/chatops_deployment/ansible/roles/elastic/tasks/elasticsearch_passwords.yml
@@ -21,10 +21,10 @@
 url_password: "{{ elastic_password }}"
 status_code: [401, 200]
 ca_path: /etc/elasticsearch/certs/elasticsearch.crt
- until: uri_output.status == 401 or uri_output.status == 200
+ until: elastic_uri_output.status == 401 or elastic_uri_output.status == 200
 retries: 10
 delay: 5
- register: uri_output
+ register: elastic_uri_output
 
 - name: Reset Elastic user password
 become: true
@@ -39,9 +39,9 @@
 send "{{ elastic_password }}\r"
 expect eof
 EOF
- when: uri_output.status == 401
- register: _
- changed_when: _.rc == 0
+ when: elastic_uri_output.status == 401
+ register: elastic_result
+ changed_when: elastic_result.rc == 0
 
 - name: Set the kibana_system user password
 block:
@@ -55,10 +55,10 @@
 url_password: "{{ kibana_system_password }}"
 status_code: [401, 200]
 ca_path: /etc/elasticsearch/certs/elasticsearch.crt
- until: uri_output.status == 401 or uri_output.status == 200
+ until: elastic_uri_output.status == 401 or elastic_uri_output.status == 200
 retries: 10
 delay: 5
- register: uri_output
+ register: elastic_uri_output
 
 - name: Reset kibana_system user password
 become: true
@@ -73,9 +73,9 @@
 send "{{ kibana_system_password }}\r"
 expect eof
 EOF
- when: uri_output.status == 401
- register: _
- changed_when: _.rc == 0
+ when: elastic_uri_output.status == 401
+ register: elastic_result
+ changed_when: elastic_result.rc == 0
 
 - name: Set the logstash_system user password
 block:
@@ -89,10 +89,10 @@
 url_password: "{{ logstash_system_password }}"
 status_code: [401, 200]
 ca_path: /etc/elasticsearch/certs/elasticsearch.crt
- until: uri_output.status == 401 or uri_output.status == 200
+ until: elastic_uri_output.status == 401 or elastic_uri_output.status == 200
 retries: 10
 delay: 5
- register: uri_output
+ register: elastic_uri_output
 
 - name: Reset logstash_system user password
 become: true
@@ -107,6 +107,6 @@
 send "{{ logstash_system_password }}\r"
 expect eof
 EOF
- when: uri_output.status == 401
- register: _
- changed_when: _.rc == 0
+ when: elastic_uri_output.status == 401
+ register: elastic_result
+ changed_when: elastic_result.rc == 0