Merge pull request #252 from stfc/reset_elastic_passwords

RyanH-STFC · web-flow · commit ed0e0055b622 · 2025-10-14T09:32:15.000+01:00
ENH: Add task to reset passwords for elasticsearch
diff --git a/chatops_deployment/ansible/roles/elastic/tasks/elasticsearch_passwords.yml b/chatops_deployment/ansible/roles/elastic/tasks/elasticsearch_passwords.yml
@@ -0,0 +1,112 @@
+---
+- name: Flush Handlers to kickstart Elasticsearch to set up passwords
+  ansible.builtin.meta: flush_handlers
+
+- name: Install expect for the interactive shells
+  become: true
+  ansible.builtin.apt:
+    name: expect
+    update_cache: true
+    state: latest # noqa: package-latest
+
+- name: Set the elastic user password
+  block:
+    - name: Wait for Elasticsearch to be ready and check if current password is correct
+      become: true
+      ansible.builtin.uri:
+        url: https://localhost:9200
+        return_content: true
+        validate_certs: false
+        url_username: "elastic"
+        url_password: "{{ elastic_password }}"
+        status_code: [401, 200]
+        ca_path: /etc/elasticsearch/certs/elasticsearch.crt
+      until: elastic_uri_output.status == 401 or elastic_uri_output.status == 200
+      retries: 10
+      delay: 5
+      register: elastic_uri_output
+
+    - name: Reset Elastic user password
+      become: true
+      ansible.builtin.shell: |
+        expect << EOF
+          spawn /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -s -i
+          expect -ex "Please confirm that you would like to continue \[y/N\]"
+          send "y\r"
+          expect -ex "Enter password for \[elastic\]:"
+          send "{{ elastic_password }}\r"
+          expect -ex "Re-enter password for \[elastic\]:"
+          send "{{ elastic_password }}\r"
+          expect eof
+        EOF
+      when: elastic_uri_output.status == 401
+      register: elastic_result
+      changed_when: elastic_result.rc == 0
+
+- name: Set the kibana_system user password
+  block:
+    - name: Wait for Elasticsearch to be ready and check if current password is correct
+      become: true
+      ansible.builtin.uri:
+        url: https://localhost:9200
+        return_content: true
+        validate_certs: false
+        url_username: "kibana_system"
+        url_password: "{{ kibana_system_password }}"
+        status_code: [401, 200]
+        ca_path: /etc/elasticsearch/certs/elasticsearch.crt
+      until: elastic_uri_output.status == 401 or elastic_uri_output.status == 200
+      retries: 10
+      delay: 5
+      register: elastic_uri_output
+
+    - name: Reset kibana_system user password
+      become: true
+      ansible.builtin.shell: |
+        expect << EOF
+          spawn /usr/share/elasticsearch/bin/elasticsearch-reset-password -u kibana_system -s -i
+          expect -ex "Please confirm that you would like to continue \[y/N\]"
+          send "y\r"
+          expect -ex "Enter password for \[kibana_system\]:"
+          send "{{ kibana_system_password }}\r"
+          expect -ex "Re-enter password for \[kibana_system\]:"
+          send "{{ kibana_system_password }}\r"
+          expect eof
+        EOF
+      when: elastic_uri_output.status == 401
+      register: elastic_result
+      changed_when: elastic_result.rc == 0
+
+- name: Set the logstash_system user password
+  block:
+    - name: Wait for Elasticsearch to be ready and check if current password is correct
+      become: true
+      ansible.builtin.uri:
+        url: https://localhost:9200
+        return_content: true
+        validate_certs: false
+        url_username: "logstash_system"
+        url_password: "{{ logstash_system_password }}"
+        status_code: [401, 200]
+        ca_path: /etc/elasticsearch/certs/elasticsearch.crt
+      until: elastic_uri_output.status == 401 or elastic_uri_output.status == 200
+      retries: 10
+      delay: 5
+      register: elastic_uri_output
+
+    - name: Reset logstash_system user password
+      become: true
+      ansible.builtin.shell: |
+        expect << EOF
+          spawn /usr/share/elasticsearch/bin/elasticsearch-reset-password -u logstash_system -s -i
+          expect -ex "Please confirm that you would like to continue \[y/N\]"
+          send "y\r"
+          expect -ex "Enter password for \[logstash_system\]:"
+          send "{{ logstash_system_password }}\r"
+          expect -ex "Re-enter password for \[logstash_system\]:"
+          send "{{ logstash_system_password }}\r"
+          expect eof
+        EOF
+      when: elastic_uri_output.status == 401
+      register: elastic_result
+      changed_when: elastic_result.rc == 0
diff --git a/chatops_deployment/ansible/roles/elastic/tasks/main.yml b/chatops_deployment/ansible/roles/elastic/tasks/main.yml
@@ -4,6 +4,11 @@
   tags:
     - elasticsearch
 
+- name: Set Elasticsearch passwords
+  ansible.builtin.import_tasks: elasticsearch_passwords.yml
+  tags:
+    - elasticsearch
+
 - name: Install Kibana
   ansible.builtin.import_tasks: kibana.yml
   tags:
