ansible role update

ansible/roles/helm_install/files/elasticsearch/examples/security/Makefile

@@ -0,0 +1,36 @@
+default: test
+
+include ../../../helpers/examples.mk
+
+RELEASE := helm-es-security
+ELASTICSEARCH_IMAGE := docker.elastic.co/elasticsearch/elasticsearch:$(STACK_VERSION)
+TIMEOUT := 1200s
+
+install:
+	helm upgrade --wait --timeout=$(TIMEOUT) --install --values values.yaml $(RELEASE) ../../
+
+test: secrets install goss
+
+purge:
+	kubectl delete secrets elastic-certificates elastic-certificate-pem elastic-certificate-crt|| true
+	helm del $(RELEASE)
+
+pull-elasticsearch-image:
+	docker pull $(ELASTICSEARCH_IMAGE)
+
+secrets:
+	docker rm -f elastic-helm-charts-certs || true
+	rm -f elastic-certificates.p12 elastic-certificate.pem elastic-certificate.crt elastic-stack-ca.p12 || true
+	docker run --name elastic-helm-charts-certs -i -w /tmp \
+		$(ELASTICSEARCH_IMAGE) \
+		/bin/sh -c " \
+			elasticsearch-certutil ca --out /tmp/elastic-stack-ca.p12 --pass '' && \
+			elasticsearch-certutil cert --name security-master --dns security-master --ca /tmp/elastic-stack-ca.p12 --pass '' --ca-pass '' --out /tmp/elastic-certificates.p12" && \
+	docker cp elastic-helm-charts-certs:/tmp/elastic-certificates.p12 ./ && \
+	docker rm -f elastic-helm-charts-certs && \
+	openssl pkcs12 -nodes -passin pass:'' -in elastic-certificates.p12 -out elastic-certificate.pem && \
+	openssl x509 -outform der -in elastic-certificate.pem -out elastic-certificate.crt && \
+	kubectl create secret generic elastic-certificates --from-file=elastic-certificates.p12 && \
+	kubectl create secret generic elastic-certificate-pem --from-file=elastic-certificate.pem && \
+	kubectl create secret generic elastic-certificate-crt --from-file=elastic-certificate.crt && \
+	rm -f elastic-certificates.p12 elastic-certificate.pem elastic-certificate.crt elastic-stack-ca.p12

ansible/roles/helm_install/files/elasticsearch/examples/security/README.md

@@ -0,0 +1,29 @@
+# Security
+
+This example deploy a 3 nodes Elasticsearch 8.4.1 with authentication and
+autogenerated certificates for TLS (see [values][]).
+
+Note that this configuration should be used for test only. For a production
+deployment you should generate SSL certificates following the [official docs][].
+
+## Usage
+
+* Create the required secrets: `make secrets`
+
+* Deploy Elasticsearch chart with the default values: `make install`
+
+* You can now setup a port forward to query Elasticsearch API:
+
+  ```
+  kubectl port-forward svc/security-master 9200
+  curl -u elastic:changeme https://localhost:9200/_cat/indices
+  ```
+
+## Testing
+
+You can also run [goss integration tests][] using `make test`
+
+
+[goss integration tests]: https://github.com/elastic/helm-charts/tree/main/elasticsearch/examples/security/test/goss.yaml
+[official docs]: https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-tls.html#node-certificates
+[values]: https://github.com/elastic/helm-charts/tree/main/elasticsearch/examples/security/values.yaml

ansible/roles/helm_install/files/elasticsearch/examples/security/test/goss.yaml

@@ -0,0 +1,44 @@
+http:
+  https://security-master:9200/_cluster/health:
+    status: 200
+    timeout: 2000
+    allow-insecure: true
+    username: elastic
+    password: "{{ .Env.ELASTIC_PASSWORD }}"
+    body:
+      - "green"
+      - '"number_of_nodes":3'
+      - '"number_of_data_nodes":3'
+
+  https://localhost:9200/:
+    status: 200
+    timeout: 2000
+    allow-insecure: true
+    username: elastic
+    password: "{{ .Env.ELASTIC_PASSWORD }}"
+    body:
+      - '"cluster_name" : "security"'
+      - "You Know, for Search"
+
+  https://localhost:9200/_license:
+    status: 200
+    timeout: 2000
+    allow-insecure: true
+    username: elastic
+    password: "{{ .Env.ELASTIC_PASSWORD }}"
+    body:
+      - "active"
+      - "basic"
+
+file:
+  /usr/share/elasticsearch/config/elasticsearch.yml:
+    exists: true
+    contains:
+      - "xpack.security.enabled: true"
+      - "xpack.security.transport.ssl.enabled: true"
+      - "xpack.security.transport.ssl.verification_mode: certificate"
+      - "xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12"
+      - "xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12"
+      - "xpack.security.http.ssl.enabled: true"
+      - "xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12"
+      - "xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12"

ansible/roles/helm_install/files/elasticsearch/examples/security/values.yaml

@@ -0,0 +1,28 @@
+---
+clusterName: "security"
+nodeGroup: "master"
+
+createCert: false
+
+roles:
+  - master
+  - ingest
+  - data
+
+protocol: https
+
+esConfig:
+  elasticsearch.yml: |
+    xpack.security.enabled: true
+    xpack.security.transport.ssl.enabled: true
+    xpack.security.transport.ssl.verification_mode: certificate
+    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
+    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
+    xpack.security.http.ssl.enabled: true
+    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
+    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
+
+secretMounts:
+  - name: elastic-certificates
+    secretName: elastic-certificates
+    path: /usr/share/elasticsearch/config/certs