Beats SSL Support

[rheak]

Can SSL Support be added to this role similar to what was recently added to the ansible-elasticsearch role?

[jmlrt]

Hi @rheak

What do you mean by SSL support for this role?
Configuration to connect to a TLS elasticsearch output like in this example can already be added in output_conf variable.

Is there something missing?

[rheak]

Hi @jmlrt - I currently have a few conditional tasks to create ssl dir and copy up certificates, similar to what was done in the elasticsearch role. I am using the output_conf as you suggested for the config.

- name: ensure certificate directory exists
   .........

- name: Upload SSL/TLS key and certificate
   .........

- name: Upload SSL Certificate Authority

[jmlrt]

OK, we may add the tasks to upload the certificates into this role if you want to create a PR for that.
For the output_conf, that will stay the recommanded way to manage TLS elasticsearch output.

[hulta82]

Its no problem to configure secure connection for both inputs and outputs. But the main feature that is missing (elastic.elasticsearch project has this) is support for beats keystore. At the moment you have to put passwords as plain text inside your yml or manually create the keys in a pre_tasks.

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[jmlrt]

still valid

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[jmlrt]

still valid

[ph]

@jmlrt I wonder if this Allow embedding of certificate solve some of the problem of this request.

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[jmlrt]

still valid

[cutler-scott-newrelic]

Chiming in to add a +1 for this feature request. I am implementing an Ansible playbook right now that uses both the ES role and beats role. For ES I can specify es_ssl_keystore: "certs/node.p12" and the playbook will upload that cert from the ansible server to the target machine. For beats there is no equivalent option so instead I have to upload the cert and restart the service manually...

tasks:
    - name: Copy Elastic certs to Metricbeats directory
      copy:
        src: /etc/elasticsearch/certs
        dest: /etc/metricbeat/certs
        owner: root
        group: root
        remote_src: yes
      become: yes
    - name: Wait before restarting Metricbeats
      pause:
        minutes: 3
    - name: Restart metricbeat service after Copy
      systemd:
        state: restarted
        name: metricbeat.service
        enabled: yes
      become: yes

[metabsd]

Has anyone managed to use the role to push an embeded certificate authorities? I'm having trouble and I think my problem is with the jinja2 template and the to_nice_yaml filter. Thank you!

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[jmlrt]

still valid

[mirkenstein]

See my pull request: Feature keystore #149

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[jmlrt]

still valid

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[botelastic]

This issue has been automatically closed because it has not had recent activity since being marked as stale.