Open
Problem
The role manages keystore entries for bootstrap password and TLS keystore/truststore passwords, but there is no mechanism for custom keystore entries. Users with LDAP, SMTP, or other integrations that require secure settings must add keystore entries via post_tasks workarounds:
```yaml
post_tasks:
  - name: Add LDAP bind password to keystore
    ansible.builtin.shell: >
      echo "{{ vault_ldap_bind_pw }}" |
      /usr/share/elasticsearch/bin/elasticsearch-keystore add -f -x
      'xpack.security.authc.realms.ldap.rinis.secure_bind_password'
    no_log: true
    notify: Restart Elasticsearch
```

This approach is not idempotent: it always triggers a restart handler, even when the value hasn't changed.
Proposed Solution
Add an elasticsearch_keystore_entries dict variable:
```yaml
elasticsearch_keystore_entries:
  xpack.security.authc.realms.ldap.rinis.secure_bind_password: "{{ vault_ldap_bind_pw }}"
  xpack.notification.email.account.smtp_account.smtp.secure_password: "{{ vault_smtp_pw }}"
```

The role would idempotently manage these entries using the same pattern as the existing keystore tasks:

- `elasticsearch-keystore show <key>` to get the current value
- Compare with the desired value
- `elasticsearch-keystore add -f -x <key>` only when changed
- Notify the restart handler only on actual changes
This follows the same pattern already used for bootstrap.password and TLS keystore passwords in elasticsearch-keystore.yml.
Use Cases
- LDAP `secure_bind_password`
- SMTP `secure_password` for Watcher email
- S3/GCS/Azure repository credentials
- Any `xpack.security.*` secure setting
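One way the show / compare / add-only-on-change loop described in the proposal could be written as Ansible tasks. This is an added example, not code from the role or from the issue author. It assumes the keystore already exists and is not password-protected, that `elasticsearch-keystore` lives at `/usr/share/elasticsearch/bin/elasticsearch-keystore` and supports the `show` subcommand (as the issue's own pattern does), and that the role has a handler named `Restart Elasticsearch`. The variable name `elasticsearch_keystore_entries` is the one proposed above.

```yaml
# Added example (not the role's code): idempotent management of
# elasticsearch_keystore_entries. Assumptions: keystore exists and is not
# password-protected; binary path below; a "Restart Elasticsearch" handler exists.
- name: List keys currently present in the keystore
  ansible.builtin.command: /usr/share/elasticsearch/bin/elasticsearch-keystore list
  register: es_keystore_list
  changed_when: false

# `show` prints the stored value, so never let it reach the log.
# Keys not yet in the keystore are skipped here and treated as "missing" below.
- name: Read the current value of each managed keystore entry
  ansible.builtin.command: >
    /usr/share/elasticsearch/bin/elasticsearch-keystore show {{ item.key | quote }}
  loop: "{{ elasticsearch_keystore_entries | default({}) | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  when: item.key in es_keystore_list.stdout_lines
  register: es_keystore_current
  changed_when: false
  no_log: true

# Write only when the key is missing or its value differs; `changed` (and thus
# the restart notification) therefore fires only on a real change.
- name: Add or update keystore entries whose value differs
  ansible.builtin.shell: >
    set -o pipefail;
    printf '%s' {{ item.item.value | quote }} |
    /usr/share/elasticsearch/bin/elasticsearch-keystore add -f -x {{ item.item.key | quote }}
  args:
    executable: /bin/bash
  loop: "{{ es_keystore_current.results | default([]) }}"
  loop_control:
    label: "{{ item.item.key }}"
  when: (item.skipped | default(false)) or (item.stdout != item.item.value)
  no_log: true
  notify: Restart Elasticsearch
```

The comparison runs against `stdout` of `show`, which Ansible returns with the trailing newline stripped, so a value stored via `add -x` compares equal on the next run and the handler stays idle. Keys listed in `elasticsearch_keystore_entries` that are absent from `elasticsearch-keystore list` are added unconditionally on the first run. If the keystore is password-protected, `show` and `add` will prompt for that password and these tasks would need to supply it via stdin as well.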