Ansible role for opendistro

#1

Is anyone working on an ansible role for opendistro? The searchguard role is outdated so would be difficult to use as a base. Not sure how much work would be involved to update ansible-elasticsearch to use opendistro OR xpack.

Any ideas?

#2

I am currently looking into creating an Ansible role for OpenDistro based on the old searchguard role. By the way, the old SG role does not seem to be very far away from what OpenDistro requires for deployment, or maybe I am missing something essential? I will post a link to a github repo as soon as I have something working and ready for an initial commit.

#3

The thing is it’s quite far behind the ansible-elasticsearch repo it forked. Otherwise off the top of my head it would be

  • Renaming the SG admin tools and paths
  • Confirming the Java components and tools.jar are available
  • Updating the systemd service template
  • Managing CA and certs (should the role do this?)
  • Ensure the ES OSS package is installed (this happens as a dependency of opendistroforelasticsearch)

My fork of ansible-elasticsearch, very limited beginnings. It’s perhaps a pipe dream I should give up on, but I’d like to support X-Pack and OpenDistro.

#4

Created a playbook to maintain Open Distro for ElasticSearch: https://github.com/rt711/opendistro-for-elasticsearch-ansible
Currently deploys the cluster with default passwords but I will change this shortly.
Feedback welcome.

As far as I know the role requirements will change with new Ansible Galaxy version, so maybe I will revisit the separate role idea a bit later.

1 Like
#5

How does this handle deploying the CA and certificates?

#6

Thank you for the question.
I hopefully add it this week. The playbook you have seen deploys default ones, but I aim for custom certificate deployment. I have couple of ideas how to do it:

  • use Ansible to manage the certs outside the repository: …/certs/
    • this comes first - done /as of 9th May 2019/
  • use Ansible to generate CSR, self sign maybe?
    • second
  • use Ansible with opendistro tooling to generate the certs