2fedb00 to 565aa2d
The rolling upgrade trigger in elasticsearch/tasks/main.yml accessed
ansible_facts.packages['elasticsearch'][0].version without first
checking that the 'elasticsearch' key exists, which throws a Jinja2
KeyError on fresh installs. Added the missing guard to match the
pre-upgrade block at line 168.
The repos role used string comparison for distribution_major_version
which breaks on Rocky Linux 10 ("10" < "9" lexicographically). Switched
to int comparison. Fixed the same pattern in the elasticstack_default
molecule converge.
The logstash "Restart Logstash noauto" handler was missing the
freshstart guard that all other role handlers have, which could cause
restarts during initial installation.
The logstash_ident mutate block was emitted in both 50-filter.conf and
90-output.conf with inconsistent hostname values (inventory_hostname vs
ansible_facts.hostname). Removed the duplicate from 90-output.conf.
All three beat templates hardcoded ssl.verification_mode: none, silently
disabling certificate validation even when a CA is deployed. Replaced
with a configurable beats_ssl_verification_mode variable defaulting to
"certificate".
The ES audit log appender in log4j2.properties was emitted
unconditionally even when elasticsearch_security is false. Wrapped it in
a guard and added an elasticsearch_logging_audit default.
The setup-passwords command makes HTTP calls to ES but had no retry logic. If ES briefly becomes unavailable between the cluster health check and the setup-passwords call (e.g. during cert reload), the whole converge fails. Now retries up to 10 times with 15s delay. Also writes to a temp file first and moves on success, so a partial failure doesn't leave a corrupt passwords file that would cause the creates guard to skip retries.
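The retry-then-move pattern behind the setup-passwords fix above, as an added shell example that is not the role's own task: the command's output is staged in a temp file and only moved into place after a fully successful run, so a partial failure never leaves a corrupt passwords file for a `creates` guard to mistake for a finished run. `flaky_setup_passwords` is a constructed stand-in for `elasticsearch-setup-passwords` that fails twice before succeeding; the output path, retry count and delay are parameters of the example, not values from the role.

```shell
#!/bin/sh
# Added example (not the role's code): retry a command that emits secrets and
# publish its output file only after a fully successful run, so a partial
# failure never leaves a corrupt file that a "creates" guard would then skip.
set -u

# run_atomic_with_retry OUTFILE RETRIES DELAY CMD [ARGS...]
# Stages CMD's stdout in OUTFILE.tmp.<pid> and moves it into place on success.
# Returns 0 once OUTFILE is in place, 1 after RETRIES failed attempts.
run_atomic_with_retry() {
  local outfile="$1" retries="$2" delay="$3"
  shift 3
  local tmp="${outfile}.tmp.$$" attempt=1
  while [ "$attempt" -le "$retries" ]; do
    # Stage to the temp file: a failed attempt leaves OUTFILE untouched.
    if "$@" > "$tmp" 2>/dev/null; then
      mv -f "$tmp" "$outfile"
      return 0
    fi
    rm -f "$tmp"                   # discard partial output before retrying
    attempt=$((attempt + 1))
    sleep "$delay"
  done
  return 1
}

# Constructed stand-in for elasticsearch-setup-passwords: the first two calls
# print a truncated line and fail (as a briefly unavailable ES would cause);
# the third succeeds. It runs in the current shell, so FLAKY_CALLS persists.
FLAKY_CALLS=0
flaky_setup_passwords() {
  FLAKY_CALLS=$((FLAKY_CALLS + 1))
  if [ "$FLAKY_CALLS" -le 2 ]; then
    printf 'PASSWORD elastic = par'       # partial output, then failure
    return 1
  fi
  printf 'PASSWORD elastic = constructed-sample-value\n'
  return 0
}

# Demo (delay 0 instead of the role's 15s so it runs quickly): attempts 1 and 2
# fail, the file appears only after attempt 3, and no .tmp file is left behind.
demo_out="${TMPDIR:-/tmp}/initial_passwords.demo.$$"
if run_atomic_with_retry "$demo_out" 10 0 flaky_setup_passwords; then
  echo "published $demo_out after $FLAKY_CALLS attempts"
fi
rm -f "$demo_out"
FLAKY_CALLS=0
```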
Fixes several correctness issues found during a deep audit of the role tasks and templates.
The rolling upgrade trigger checked `ansible_facts.packages['elasticsearch'][0].version` without first verifying the `elasticsearch` key exists, causing a Jinja2 KeyError on fresh installs. The repos role used string comparison for `distribution_major_version` which evaluates `"10" >= "9"` as false — switched to `| int`. The logstash noauto handler was missing the freshstart guard present in all other role handlers. The `logstash_ident` mutate block was duplicated in both the filter and output templates with inconsistent hostname sources — removed the duplicate from `90-output.conf.j2`. All three beat templates hardcoded `ssl.verification_mode: none`, now controlled by `beats_ssl_verification_mode` defaulting to `certificate`. The ES audit log appender in `log4j2.properties` was emitted unconditionally even with security disabled — now guarded by `elasticsearch_logging_audit` and `elasticsearch_security`.

Closes #33