From 5c7ace52d2f1e80fce3754b26380a00c67f18a00 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Fri, 27 Mar 2026 14:11:42 +0100 Subject: [PATCH 01/12] Remove Elastic Stack 7 as supported and tested version --- README.md | 22 +++++++------------ molecule/beats_peculiar/converge.yml | 6 ----- molecule/beats_peculiar/verify.yml | 7 ------ .../logstash_specific_version/converge.yml | 6 ----- molecule/logstash_specific_version/verify.yml | 7 ------ roles/elasticsearch/tasks/main.yml | 7 ------ .../templates/elasticsearch.yml.j2 | 10 --------- roles/kibana/tasks/main.yml | 7 ------ roles/repos/tasks/debian.yml | 2 -- 9 files changed, 8 insertions(+), 66 deletions(-) diff --git a/README.md b/README.md index b5dad47e..74db34ab 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,7 @@ You may want the following Ansible roles installed. There other ways to achieve ### Supported systems -We test the collection on the following Linux distributions. Each one with Elastic Stack 7 and 8. +We test the collection on the following Linux distributions. Each one with Elastic Stack 8. * Rocky Linux 9 * Rocky Linux 8 @@ -72,10 +72,6 @@ We test the collection on the following Linux distributions. Each one with Elast * Debian 10 * CentOS 8 -We know from personal experience, that the collections work in following combinations. Missing tests mostly come from incompatibilties between the distribution and our testing environment, not from problems with the collection itself. - -* CentOS 7 - Elastic Stack 7 - ## Caveats and information for long time users ### Variable renaming @@ -98,9 +94,9 @@ The variable `elasticstack_no_log` can be set to `false` if you want to see the ### Versions and upgrades -*elasticstack_version*: Version number of tools to install. Only set if you don't want the latest on new setups. (default: none). If you already have an installation of Elastic Stack, this collection will query the version of Elasticsearch on the CA host and use it for all further installations in the same setup. (Only if you run the `elasticsearch` role before all others) Example: `7.17.2` +*elasticstack_version*: Version number of tools to install. Only set if you don't want the latest on new setups. (default: none). If you already have an installation of Elastic Stack, this collection will query the version of Elasticsearch on the CA host and use it for all further installations in the same setup. (Only if you run the `elasticsearch` role before all others) Example: `8.11.2` -*elasticstack_release*: Major release version of Elastic stack to configure. (default: `7`) Make sure it corresponds to `elasticstack_version` if you set both. +*elasticstack_release*: Major release version of Elastic stack to configure. (default: `8`) Make sure it corresponds to `elasticstack_version` if you set both. For OSS version see `elasticstack_variant` below. @@ -142,8 +138,6 @@ ansible-galaxy install geerlingguy.redis 1) Default: For general Elastic Stack installations using all features use the following. You will need Redis installed and running for the default setup to run. A viable way is using the `geerlingguy.redis` role. -2) Specific: For OSS Installation without X-Pack features you can use the following. _Note_: this is only available for version `7.x`. - Our default configuration will collect filesystem logs placed by `rsyslog`. Therefor our example playbook makes sure, `rsyslog` is installed. If you don't want that, please change the configuration of the `beats` module. Without syslog you won't receive any messages with the default configuration. There are some comments in the Playbook. Either fill them with the correct values (`remote_user`) or consider them as a hint to commonly used options. @@ -163,7 +157,7 @@ The execution order of the roles is important! (see below) - netways.elasticstack vars: elasticstack_variant: elastic #oss - # elasticstack_release: 8 #7 + # elasticstack_release: 8 roles: - repos @@ -175,7 +169,7 @@ The execution order of the roles is important! (see below) vars: elasticstack_variant: elastic #oss elasticsearch_jna_workaround: true - # elasticstack_release: 8 #7 + # elasticstack_release: 8 roles: - elasticsearch @@ -187,7 +181,7 @@ The execution order of the roles is important! (see below) vars: elasticstack_variant: elastic #oss elasticstack_override_beats_tls: true - # elasticstack_release: 8 #7 + # elasticstack_release: 8 roles: - geerlingguy.redis - logstash @@ -199,7 +193,7 @@ The execution order of the roles is important! (see below) - netways.elasticstack vars: elasticstack_variant: elastic #oss - # elasticstack_release: 8 #7 + # elasticstack_release: 8 roles: - kibana @@ -211,7 +205,7 @@ The execution order of the roles is important! (see below) vars: elasticstack_variant: elastic #oss elasticstack_override_beats_tls: true - # elasticstack_release: 8 #7 + # elasticstack_release: 8 pre_tasks: - name: Install Rsyslog ansible.builtin.package: diff --git a/molecule/beats_peculiar/converge.yml b/molecule/beats_peculiar/converge.yml index e5a46244..fd020406 100644 --- a/molecule/beats_peculiar/converge.yml +++ b/molecule/beats_peculiar/converge.yml @@ -40,12 +40,6 @@ elasticstack_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - - name: Set Filebeat version for 7.x - ansible.builtin.set_fact: - elasticstack_version: "7.17.1" - when: - - elasticstack_release == 7 - - name: Set Filebeat version for 8.x ansible.builtin.set_fact: elasticstack_version: "8.4.1" diff --git a/molecule/beats_peculiar/verify.yml b/molecule/beats_peculiar/verify.yml index c7aa9fd5..d6334ab1 100644 --- a/molecule/beats_peculiar/verify.yml +++ b/molecule/beats_peculiar/verify.yml @@ -13,13 +13,6 @@ ansible.builtin.debug: var: beats_filebeat_version.stdout - - name: Fail if Filebeat has the wrong version - ansible.builtin.fail: - msg: "Filebeat has the wrong version" - when: - - beats_filebeat_version.stdout.find('7.17.1') == -1 - - elasticstack_release == 7 - - name: Fail if Filebeat has the wrong version ansible.builtin.fail: msg: "Filebeat has the wrong version" diff --git a/molecule/logstash_specific_version/converge.yml b/molecule/logstash_specific_version/converge.yml index cabf8ae4..4c129cfd 100644 --- a/molecule/logstash_specific_version/converge.yml +++ b/molecule/logstash_specific_version/converge.yml @@ -18,12 +18,6 @@ elasticstack_no_log: false tasks: - - name: Set Filebeat version for 7.x - ansible.builtin.set_fact: - elasticstack_version: "7.17.1" - when: - - elasticstack_release == 7 - - name: Set Filebeat version for 8.x ansible.builtin.set_fact: elasticstack_version: "8.4.1" diff --git a/molecule/logstash_specific_version/verify.yml b/molecule/logstash_specific_version/verify.yml index 788e70f4..d29c102a 100644 --- a/molecule/logstash_specific_version/verify.yml +++ b/molecule/logstash_specific_version/verify.yml @@ -9,13 +9,6 @@ ansible.builtin.command: "/usr/share/logstash/bin/logstash --version | grep ^logstash" register: logstash_version - - name: Fail if Logstash has the wrong version - ansible.builtin.fail: - msg: "Logstash has the wrong version" - when: - - logstash_version.stdout.find('7.17.1') == -1 - - elasticstack_release == 7 - - name: Fail if Logstash has the wrong version ansible.builtin.fail: msg: "Logstash has the wrong version" diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index f1e3f71b..d592f01a 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -1,12 +1,5 @@ --- -- name: Check for versions - ansible.builtin.fail: - msg: "No OSS package with version later than 7 is available for Elasticsearch" - when: - - elasticstack_release | int > 7 - - elasticstack_variant == "oss" - - name: Include global role ansible.builtin.import_role: name: netways.elasticstack.elasticstack diff --git a/roles/elasticsearch/templates/elasticsearch.yml.j2 b/roles/elasticsearch/templates/elasticsearch.yml.j2 index 1d4238cd..12cdfeb2 100644 --- a/roles/elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/elasticsearch/templates/elasticsearch.yml.j2 @@ -27,10 +27,6 @@ http.publish_port: {{ elasticsearch_http_publish_port }} node.roles: [ {% for type in elasticsearch_node_types %}{{ type }}{% if not loop.last %}, {% endif %}{% endfor %} ] {% endif %} -{% if elasticstack_release | int > 7 and groups[elasticstack_elasticsearch_group_name] | length == 1 %} -discovery.type: single-node -{% endif %} - {# Quickfix to override seed_hosts. Otherwise all nodes, not only master nodes are added to seed_hosts #} {% if elasticsearch_seed_hosts is defined %} discovery.seed_hosts: {{ elasticsearch_seed_hosts }} @@ -57,14 +53,8 @@ cluster.initial_master_nodes: [ {% for host in groups[elasticstack_elasticsearch {% if elasticstack_temperature is defined %} node.attr.temp: "{{ elasticstack_temperature }}" {% endif %} -{% if elasticsearch_disable_systemcallfilterchecks | bool and elasticstack_release == 7 %} -bootstrap.system_call_filter: false -{% endif %} {% if elasticstack_variant == "elastic" %} xpack.ml.enabled: {{ elasticsearch_ml_enabled }} -{% if elasticstack_release == 7 %} -xpack.monitoring.collection.enabled: {{ elasticsearch_monitoring_enabled }} -{% endif %} {% if elasticsearch_security | bool %} xpack.security.enabled: true {% if elasticsearch_security_enrollment is defined %} diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml index 597ebce3..9540132f 100644 --- a/roles/kibana/tasks/main.yml +++ b/roles/kibana/tasks/main.yml @@ -1,12 +1,5 @@ --- -- name: Check for versions - ansible.builtin.fail: - msg: "No OSS package with version later than 7 is available for Kibana" - when: - - elasticstack_release | int > 7 - - elasticstack_variant == "oss" - - name: Include global role ansible.builtin.import_role: name: netways.elasticstack.elasticstack diff --git a/roles/repos/tasks/debian.yml b/roles/repos/tasks/debian.yml index 225322c3..99515b13 100644 --- a/roles/repos/tasks/debian.yml +++ b/roles/repos/tasks/debian.yml @@ -64,8 +64,6 @@ path: /etc/apt/sources.list.d/artifacts_elastic_co_packages_{{ item }}_x_apt.list state: absent with_items: - - "7" - - "oss-7" - "8" - "oss-8" From 369ed4120eff799377e9bfc2c81b69103a4ff329 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Fri, 27 Mar 2026 14:18:16 +0100 Subject: [PATCH 02/12] Remove version 7 from GitHub actions and documentation --- .github/workflows/test_full_stack.yml | 1 - .github/workflows/test_role_beats.yml | 1 - .github/workflows/test_role_elasticsearch.yml | 1 - .github/workflows/test_role_kibana.yml | 1 - .github/workflows/test_role_logstash.yml | 1 - .github/workflows/test_role_repos.yml | 1 - .github/workflows/test_roles_pr.yml | 1 - docs/getting-started.md | 2 +- docs/role-elasticsearch.md | 2 +- docs/role-kibana.md | 2 +- docs/role-repos.md | 2 +- 11 files changed, 4 insertions(+), 11 deletions(-) diff --git a/.github/workflows/test_full_stack.yml b/.github/workflows/test_full_stack.yml index c065a334..953ad30b 100644 --- a/.github/workflows/test_full_stack.yml +++ b/.github/workflows/test_full_stack.yml @@ -39,7 +39,6 @@ jobs: scenario: - elasticstack_default release: - - 7 - 8 ansible_version: - "ansible-core>=2.19,<2.20" #Correspond ansible>=12.0,<13.0 diff --git a/.github/workflows/test_role_beats.yml b/.github/workflows/test_role_beats.yml index 13cd7dc4..b50b723e 100644 --- a/.github/workflows/test_role_beats.yml +++ b/.github/workflows/test_role_beats.yml @@ -45,7 +45,6 @@ jobs: - beats_default - beats_peculiar release: - - 7 - 8 ansible_version: - "ansible>=9.0,<10.0" #Correspond ansible-core>=2.16,<2.17 diff --git a/.github/workflows/test_role_elasticsearch.yml b/.github/workflows/test_role_elasticsearch.yml index 2ab6adf4..ef9c58cb 100644 --- a/.github/workflows/test_role_elasticsearch.yml +++ b/.github/workflows/test_role_elasticsearch.yml @@ -47,7 +47,6 @@ jobs: - elasticsearch_cluster-oss - elasticsearch_no-security release: - - 7 - 8 ansible_version: - "ansible-core>=2.19,<2.20" #Correspond ansible>=12.0,<13.0 diff --git a/.github/workflows/test_role_kibana.yml b/.github/workflows/test_role_kibana.yml index c36322c0..704844fe 100644 --- a/.github/workflows/test_role_kibana.yml +++ b/.github/workflows/test_role_kibana.yml @@ -45,7 +45,6 @@ jobs: scenario: - kibana_default release: - - 7 - 8 ansible_version: - "ansible-core>=2.19,<2.20" #Correspond ansible>=12.0,<13.0 diff --git a/.github/workflows/test_role_logstash.yml b/.github/workflows/test_role_logstash.yml index 4eb2cbe4..4031bd21 100644 --- a/.github/workflows/test_role_logstash.yml +++ b/.github/workflows/test_role_logstash.yml @@ -46,7 +46,6 @@ jobs: - logstash_specific_version - logstash_pipelines release: - - 7 - 8 ansible_version: - "ansible-core>=2.19,<2.20" #Correspond ansible>=12.0,<13.0 diff --git a/.github/workflows/test_role_repos.yml b/.github/workflows/test_role_repos.yml index 979a709f..57fb4fce 100644 --- a/.github/workflows/test_role_repos.yml +++ b/.github/workflows/test_role_repos.yml @@ -48,7 +48,6 @@ jobs: - repos_default - repos_oss release: - - 7 - 8 ansible_version: - "ansible-core>=2.19,<2.20" #Correspond ansible>=12.0,<13.0 diff --git a/.github/workflows/test_roles_pr.yml b/.github/workflows/test_roles_pr.yml index f0d0245e..efc2494d 100644 --- a/.github/workflows/test_roles_pr.yml +++ b/.github/workflows/test_roles_pr.yml @@ -38,7 +38,6 @@ jobs: scenario: - elasticstack_default release: - - 7 - 8 python_version: - "3.11" diff --git a/docs/getting-started.md b/docs/getting-started.md index 79569b50..289264b4 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md @@ -59,5 +59,5 @@ Variables Every role got its own set of variables, in addition a few variables are useable on any role. Below are all general collection vars. -* *elasticstack_release*: Major release version of Elastic stack to configure. (default: `7`) +* *elasticstack_release*: Major release version of Elastic stack to configure. (default: `8`) * *elasticstack_variant*: Variant of the stack to install. Valid values: `elastic` or `oss`. (default: `elastic`) diff --git a/docs/role-elasticsearch.md b/docs/role-elasticsearch.md index 1be8ce3b..58ee7ca3 100644 --- a/docs/role-elasticsearch.md +++ b/docs/role-elasticsearch.md @@ -65,7 +65,7 @@ These variables are identical over all our elastic related roles, hence the diff * *elasticstack_ca_validity_period*: number of days that the generated CA are valid (default: 1095). * *elasticstack_ca_expiration_buffer*: Ansible will renew the CA if its validity is shorter than this value, which should be number of days. (default: 30) * *elasticstack_ca_will_expire_soon*: Set it to true to renew the CA and the certificate of all Elastic Stack components (default: `false`), Or run the playbook with `--tags renew_ca` to do that. -* *elasticstack_release*: Major release version of Elastic stack to configure. (default: `7`) +* *elasticstack_release*: Major release version of Elastic stack to configure. (default: `8`) * *elasticstack_variant*: Variant of the stack to install. Valid values: `elastic` or `oss`. (default: `elastic`) * *elasticstack_elasticsearch_http_port*: Port of Elasticsearch http (Default: `9200`) diff --git a/docs/role-kibana.md b/docs/role-kibana.md index f1df2640..e39b7b67 100644 --- a/docs/role-kibana.md +++ b/docs/role-kibana.md @@ -36,7 +36,7 @@ These variables are identical over all our elastic related roles, hence the diff * *elasticstack_ca_dir*: Directory where on the Elasticsearch CA host certificates are stored. This is only useful in connection with out other Elastic Stack related roles. (default: `/opt/es-ca`) * *elasticstack_ca_pass*: Password for Elasticsearch CA (default: `PleaseChangeMe`) * *elasticstack_initial_passwords*: Path to file with initical elasticsearch passwords (default: `/usr/share/elasticsearch/initial_passwords`) -* *elasticstack_release*: Major release version of Elastic stack to configure. (default: `7`) +* *elasticstack_release*: Major release version of Elastic stack to configure. (default: `8`) * *elasticstack_variant*: Variant of the stack to install. Valid values: `elastic` or `oss` (default: `elastic`) diff --git a/docs/role-repos.md b/docs/role-repos.md index a47e62ce..ca1b06a4 100644 --- a/docs/role-repos.md +++ b/docs/role-repos.md @@ -16,7 +16,7 @@ Requirements Role Variables -------------- -* *elasticstack_release*: Major release version of Elastic stack to configure. (default: `7`). `7` and `8` are supported. +* *elasticstack_release*: Major release version of Elastic stack to configure. (default: `8`). * *elasticstack_variant*: Variant of the stack to install. Valid values: `elastic` or `oss`. (default: `elastic`). * *elasticstack_enable_repos*: Enable repositories after creating them. (default: `true`) Only works on RPM based distributions! From c79c2530d14e90dbe0d0abb1f3146750204ef2be Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Fri, 27 Mar 2026 14:32:26 +0100 Subject: [PATCH 03/12] Remove 7 dependent molecule scenarios **NOTE** We can not check Logstash OSS full cluster anymore! --- docs/role-beats.md | 4 +- docs/role-logstash.md | 2 +- .../elasticsearch_cluster-oss/converge.yml | 21 --------- .../elasticsearch_cluster-oss/molecule.yml | 32 ------------- .../elasticsearch_cluster-oss/prepare.yml | 19 -------- .../requirements.yml | 3 -- .../elasticsearch_no-security/converge.yml | 23 ---------- .../elasticsearch_no-security/molecule.yml | 32 ------------- .../elasticsearch_no-security/prepare.yml | 19 -------- .../requirements.yml | 3 -- molecule/elasticsearch_no-security/verify.yml | 45 ------------------- molecule/logstash_full_stack-oss/converge.yml | 41 ----------------- molecule/logstash_full_stack-oss/molecule.yml | 26 ----------- molecule/logstash_full_stack-oss/prepare.yml | 17 ------- .../logstash_full_stack-oss/requirements.yml | 8 ---- molecule/logstash_full_stack-oss/verify.yml | 36 --------------- molecule/repos_oss/converge.yml | 2 +- roles/beats/tasks/filebeat.yml | 2 - 18 files changed, 4 insertions(+), 331 deletions(-) delete mode 100644 molecule/elasticsearch_cluster-oss/converge.yml delete mode 100644 molecule/elasticsearch_cluster-oss/molecule.yml delete mode 100644 molecule/elasticsearch_cluster-oss/prepare.yml delete mode 100644 molecule/elasticsearch_cluster-oss/requirements.yml delete mode 100644 molecule/elasticsearch_no-security/converge.yml delete mode 100644 molecule/elasticsearch_no-security/molecule.yml delete mode 100644 molecule/elasticsearch_no-security/prepare.yml delete mode 100644 molecule/elasticsearch_no-security/requirements.yml delete mode 100644 molecule/elasticsearch_no-security/verify.yml delete mode 100644 molecule/logstash_full_stack-oss/converge.yml delete mode 100644 molecule/logstash_full_stack-oss/molecule.yml delete mode 100644 molecule/logstash_full_stack-oss/prepare.yml delete mode 100644 molecule/logstash_full_stack-oss/requirements.yml delete mode 100644 molecule/logstash_full_stack-oss/verify.yml diff --git a/docs/role-beats.md b/docs/role-beats.md index 5d742c82..469aeec7 100644 --- a/docs/role-beats.md +++ b/docs/role-beats.md @@ -61,7 +61,7 @@ beats_filebeat_journald_inputs: everything: id: everything ``` -* *beats_filebeat_docker*: Enable collection of Docker logs (default: `false`) **ONLY WORKS ON RELEASE 7 SO FAR** +* *beats_filebeat_docker*: Enable collection of Docker logs (default: `false`) * *beats_filebeat_docker_ids*: IDs of containers to collect. (default: `*`) * *beats_filebeat_loadbalance*: Enable loadbalancing for Filebeats Logstash output (default: `true`) @@ -95,7 +95,7 @@ The following variables only apply if you use this role together with our other * *elasticstack_ca_dir*: Directory where on the Elasticsearch CA host certificates are stored. This is only useful in connection with out other Elastic Stack related roles. (default: `/opt/es-ca`) * *elasticstack_ca_pass*: Password for Elasticsearch CA (default: `PleaseChangeMe`) * *elasticstack_initial_passwords*: Path to file with initical elasticsearch passwords (default: `/usr/share/elasticsearch/initial_passwords`) -* *elasticstack_version*: Install specific version (Default: none. Possible values: e.g. `7.10.1` or `latest`) +* *elasticstack_version*: Install specific version (Default: none. Possible values: e.g. `8.10.1` or `latest`) If you want to use this role with your own TLS certificates, use these variables. diff --git a/docs/role-logstash.md b/docs/role-logstash.md index 1b4e4b78..0e46b4d2 100644 --- a/docs/role-logstash.md +++ b/docs/role-logstash.md @@ -35,7 +35,7 @@ If you want to use the default pipeline (or other pipelines communicating via Re Role Variables -------------- -* *elasticstack_version*: Version number of Logstash to install (e.g. `7.10.1`). Only set if you don't want the latest. (default: none). For OSS version see `elasticstack_variant` below. +* *elasticstack_version*: Version number of Logstash to install (e.g. `8.10.1`). Only set if you don't want the latest. (default: none). For OSS version see `elasticstack_variant` below. * *logstash_enable*: Start and enable Logstash service (default: `true`) * *logstash_config_backup*: Keep backups of all changed configuration (default: `no`) * *logstash_manage_yaml*: Manage and overwrite `logstash.yml` (default: `true`) diff --git a/molecule/elasticsearch_cluster-oss/converge.yml b/molecule/elasticsearch_cluster-oss/converge.yml deleted file mode 100644 index ea69ec89..00000000 --- a/molecule/elasticsearch_cluster-oss/converge.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -# The workaround for arbitrarily named role directory is important because the git repo has one name and the role within it another -# Found at: https://github.com/ansible-community/molecule/issues/1567#issuecomment-436876722 -- name: Converge - collections: - - netways.elasticstack - hosts: all - vars: - elasticstack_variant: oss - elasticsearch_jna_workaround: true - elasticsearch_disable_systemcallfilterchecks: true - elasticstack_release: 7 - elasticsearch_heap: "1" - elasticstack_no_log: false - tasks: - - name: Include Elastics repos role - ansible.builtin.include_role: - name: repos - - name: Include Elasticsearch - ansible.builtin.include_role: - name: elasticsearch diff --git a/molecule/elasticsearch_cluster-oss/molecule.yml b/molecule/elasticsearch_cluster-oss/molecule.yml deleted file mode 100644 index 160c5275..00000000 --- a/molecule/elasticsearch_cluster-oss/molecule.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: requirements.yml -driver: - name: docker -platforms: - - name: "elasticsearch-cluster1-${MOLECULE_DISTRO:-debian13}" - groups: - - elasticsearch - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian13}-ansible:latest" - command: ${MOLECULE_DOCKER_COMMAND:-""} - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host - privileged: true - pre_build_image: true - - name: "elasticsearch-cluster2-${MOLECULE_DISTRO:-debian13}" - groups: - - elasticsearch - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian13}-ansible:latest" - command: ${MOLECULE_DOCKER_COMMAND:-""} - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host - privileged: true - pre_build_image: true -provisioner: - name: ansible -verifier: - name: ansible diff --git a/molecule/elasticsearch_cluster-oss/prepare.yml b/molecule/elasticsearch_cluster-oss/prepare.yml deleted file mode 100644 index 2bf1ed5e..00000000 --- a/molecule/elasticsearch_cluster-oss/prepare.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: Prepare - hosts: all - tasks: - - name: Show discovered interpreter - debug: - var: ansible_facts.discovered_interpreter_python - - - name: Install packages for Debian - ansible.builtin.apt: - name: - - gpg - - gpg-agent - - procps - - curl - - iproute2 - - git - - openssl - update_cache: yes diff --git a/molecule/elasticsearch_cluster-oss/requirements.yml b/molecule/elasticsearch_cluster-oss/requirements.yml deleted file mode 100644 index 8dd51618..00000000 --- a/molecule/elasticsearch_cluster-oss/requirements.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -collections: - - community.general diff --git a/molecule/elasticsearch_no-security/converge.yml b/molecule/elasticsearch_no-security/converge.yml deleted file mode 100644 index b8fd37cc..00000000 --- a/molecule/elasticsearch_no-security/converge.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -# The workaround for arbitrarily named role directory is important because the git repo has one name and the role within it another -# Found at: https://github.com/ansible-community/molecule/issues/1567#issuecomment-436876722 -- name: Converge - collections: - - netways.elasticstack - hosts: all - vars: - elasticsearch_security: false - elasticstack_security: false - elasticsearch_jna_workaround: true - elasticsearch_disable_systemcallfilterchecks: true - elasticsearch_heap: "1" - elasticstack_release: 7 - elasticstack_no_log: false - elasticstack_elasticsearch_group_name: elasticsearchXYZ - tasks: - - name: Include Elastics repos role - ansible.builtin.include_role: - name: repos - - name: Include Elasticsearch - ansible.builtin.include_role: - name: elasticsearch diff --git a/molecule/elasticsearch_no-security/molecule.yml b/molecule/elasticsearch_no-security/molecule.yml deleted file mode 100644 index 112b7cdb..00000000 --- a/molecule/elasticsearch_no-security/molecule.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: requirements.yml -driver: - name: docker -platforms: - - name: "elasticsearch-nosecurity1-${MOLECULE_DISTRO:-debian13}" - groups: - - elasticsearchXYZ - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian13}-ansible:latest" - command: ${MOLECULE_DOCKER_COMMAND:-""} - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host - privileged: true - pre_build_image: true - - name: "elasticsearch-nosecurity2-${MOLECULE_DISTRO:-debian13}" - groups: - - elasticsearchXYZ - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian13}-ansible:latest" - command: ${MOLECULE_DOCKER_COMMAND:-""} - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host - privileged: true - pre_build_image: true -provisioner: - name: ansible -verifier: - name: ansible diff --git a/molecule/elasticsearch_no-security/prepare.yml b/molecule/elasticsearch_no-security/prepare.yml deleted file mode 100644 index a4d70b7d..00000000 --- a/molecule/elasticsearch_no-security/prepare.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: Prepare - hosts: all - tasks: - - name: Show discovered interpreter - debug: - var: ansible_facts.discovered_interpreter_python - - - name: Install packages for Debian - ansible.builtin.apt: - name: - - gpg - - gpg-agent - - procps - - curl - - iproute2 - - git - update_cache: yes - when: ansible_os_family == "Debian" diff --git a/molecule/elasticsearch_no-security/requirements.yml b/molecule/elasticsearch_no-security/requirements.yml deleted file mode 100644 index 8dd51618..00000000 --- a/molecule/elasticsearch_no-security/requirements.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -collections: - - community.general diff --git a/molecule/elasticsearch_no-security/verify.yml b/molecule/elasticsearch_no-security/verify.yml deleted file mode 100644 index 83c81352..00000000 --- a/molecule/elasticsearch_no-security/verify.yml +++ /dev/null @@ -1,45 +0,0 @@ ---- -# This is an example playbook to execute Ansible tests. - -- name: Verify - hosts: all - vars: - elasticstack_elasticsearch_http_port: 9200 - elasticstack_elasticsearch_group_name: elasticsearchXYZ - tasks: - -# Remember, this is the no-security scenario. So no https -# The comment below will create an exception for KICS security scan - - name: Health check - ansible.builtin.uri: -# kics-scan ignore-line - url: http://localhost:{{ elasticstack_elasticsearch_http_port }}/_cluster/health - method: GET - return_content: yes - status_code: 200 - validate_certs: false - register: result - until: result.json.status == "green" - retries: 6 - delay: 10 - when: groups[elasticstack_elasticsearch_group_name] | length > 1 - - - name: Node check - ansible.builtin.uri: -# kics-scan ignore-line - url: http://localhost:{{ elasticstack_elasticsearch_http_port }}/_cat/nodes - method: GET - return_content: yes - status_code: 200 - validate_certs: false - register: nodes - when: groups[elasticstack_elasticsearch_group_name] | length > 1 - - - name: Check if all Nodes see each other - ansible.builtin.assert: - that: - - "'{{ item }}' in nodes.content" - fail_msg: "'{{ item }}' was not found in nodes.content" - success_msg: "'{{ item }}' was found in nodes.content" - with_inventory_hostnames: all - when: groups[elasticstack_elasticsearch_group_name] | length > 1 diff --git a/molecule/logstash_full_stack-oss/converge.yml b/molecule/logstash_full_stack-oss/converge.yml deleted file mode 100644 index 5f163e7a..00000000 --- a/molecule/logstash_full_stack-oss/converge.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- -# The workaround for arbitrarily named role directory is important because the -# git repo has one name and the role within it another -# Found at: -# https://github.com/ansible-community/molecule/issues/1567#issuecomment-436876722 -# -# Currently security is not implemented with OSS. We leave the variable set -# to check for handling of misconfiguration (and be prepared for upcoming -# implementations) -# But we need to deactivate security in Elasticsearch to not lock out -# Logstash -- name: Converge - hosts: all - collections: - - netways.elasticstack - vars: - elasticstack_full_stack: true - elasticstack_variant: oss - logstash_security: false - logstash_pipeline_unsafe_shutdown: true - elasticstack_security: false - beats_filebeat_journald: true - logstash_beats_tls: false - elasticstack_release: 7 - elasticstack_no_log: false - tasks: - - name: "Include Elastics repos role" - ansible.builtin.include_role: - name: repos - - name: "Include Elasticsearch role" - ansible.builtin.include_role: - name: elasticsearch - - name: "Include Beats" - ansible.builtin.include_role: - name: beats - - name: "Include Redis" - ansible.builtin.include_role: - name: geerlingguy.redis - - name: "Include Logstash" - ansible.builtin.include_role: - name: logstash diff --git a/molecule/logstash_full_stack-oss/molecule.yml b/molecule/logstash_full_stack-oss/molecule.yml deleted file mode 100644 index 2f3cd65a..00000000 --- a/molecule/logstash_full_stack-oss/molecule.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: requirements.yml -driver: - name: docker -platforms: - - name: "logstash-full-oss-${MOLECULE_DISTRO:-debian13}" - groups: - - elasticsearch - - logstash - - filebeat - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian13}-ansible:latest" - command: ${MOLECULE_DOCKER_COMMAND:-""} - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host - privileged: true - pre_build_image: true -provisioner: - name: ansible - env: - ANSIBLE_ROLES_PATH: $MOLECULE_EPHEMERAL_DIRECTORY/roles:${HOME}/.ansible/roles:$MOLECULE_PROJECT_DIRECTORY/roles -verifier: - name: ansible diff --git a/molecule/logstash_full_stack-oss/prepare.yml b/molecule/logstash_full_stack-oss/prepare.yml deleted file mode 100644 index 9cc68f65..00000000 --- a/molecule/logstash_full_stack-oss/prepare.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -- name: Prepare - hosts: all - tasks: - - name: Show discovered interpreter - debug: - var: ansible_facts.discovered_interpreter_python - - - name: Install packages for Debian - ansible.builtin.apt: - name: - - gpg - - gpg-agent - - procps - - curl - - git - update_cache: yes diff --git a/molecule/logstash_full_stack-oss/requirements.yml b/molecule/logstash_full_stack-oss/requirements.yml deleted file mode 100644 index 1c0204d5..00000000 --- a/molecule/logstash_full_stack-oss/requirements.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -roles: - # Versions higher than 1.6.0 seem to have a problem with idempotency on rocky 9 python 3.9, NOT on ubuntu2204 python 3.10 - - name: geerlingguy.redis - version: "1.6.0" - -collections: - - community.general diff --git a/molecule/logstash_full_stack-oss/verify.yml b/molecule/logstash_full_stack-oss/verify.yml deleted file mode 100644 index fc4bcc65..00000000 --- a/molecule/logstash_full_stack-oss/verify.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- -# This is an example playbook to execute Ansible tests. - -- name: Check if Logstash configuration does what it should - hosts: all - vars: - elasticstack_elasticsearch_http_port: 9200 - elasticstack_beats_port: 5044 - tasks: - - name: Give some time for tools to connect - ansible.builtin.wait_for: - timeout: 120 - - name: Run syntax check - ansible.builtin.command: "/usr/share/logstash/bin/logstash --path.settings=/etc/logstash -t" - when: "'logstash' in group_names" - - name: Query for Logstasch indices - ansible.builtin.shell: > - curl -s http://localhost:{{ elasticstack_elasticsearch_http_port }}/_cat/indices | - grep logstash | - awk {' print $7 '} | - sort -n | - tail -1 - register: logstash_count - when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names" - - name: Show full output - ansible.builtin.debug: - var: logstash_count - when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names" - - name: Fail when logstash is empty - ansible.builtin.fail: - msg: "Logstash Index is empty" - when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names and logstash_count.stdout == 0" - - name: Show number of received events - ansible.builtin.debug: - msg: "Elasticsearch received {{ logstash_count.stdout }} events so far" - when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names" diff --git a/molecule/repos_oss/converge.yml b/molecule/repos_oss/converge.yml index 49416223..684d60aa 100644 --- a/molecule/repos_oss/converge.yml +++ b/molecule/repos_oss/converge.yml @@ -8,7 +8,7 @@ vars: elasticstack_variant: oss elasticstack_rpm_workaround: true - elasticstack_release: 7 + #elasticstack_release: 7 elasticstack_no_log: false tasks: - name: "Include Elastic Repos" diff --git a/roles/beats/tasks/filebeat.yml b/roles/beats/tasks/filebeat.yml index 0fbce0cb..9d2de066 100644 --- a/roles/beats/tasks/filebeat.yml +++ b/roles/beats/tasks/filebeat.yml @@ -110,8 +110,6 @@ owner: root group: root mode: 0644 - when: - - elasticstack_release | int > 7 - name: Enable Ingest Pipelines ansible.builtin.shell: > From 3973031cb58f05ec95bb6790e7edc3ed6542d49d Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Fri, 27 Mar 2026 16:14:19 +0100 Subject: [PATCH 04/12] Fix when conditions that won't make sense without 7 anymore --- docs/role-beats.md | 2 +- docs/role-logstash.md | 2 +- roles/elasticsearch/tasks/elasticsearch-parameters.yml | 8 -------- roles/elasticsearch/tasks/main.yml | 3 --- roles/elasticsearch/templates/elasticsearch.yml.j2 | 2 +- roles/logstash/templates/logstash.yml.j2 | 5 ++++- 6 files changed, 7 insertions(+), 15 deletions(-) delete mode 100644 roles/elasticsearch/tasks/elasticsearch-parameters.yml diff --git a/docs/role-beats.md b/docs/role-beats.md index 469aeec7..b88ce91a 100644 --- a/docs/role-beats.md +++ b/docs/role-beats.md @@ -53,7 +53,7 @@ beats_filebeat_log_inputs: negate: false match: after ``` -* *beats_filebeat_journald*: Enable collection of JournalD logs (default: `false`) - available since Filebeat 7.16 +* *beats_filebeat_journald*: Enable collection of JournalD logs (default: `false`) * *beats_filebeat_journald_inputs*: List of journald inputs. Use for different filters on events. You can add a list of `include_matches` entries for filtering. Default of `beats_filebeat_journald_inputs`: ``` diff --git a/docs/role-logstash.md b/docs/role-logstash.md index 0e46b4d2..dc2c31e5 100644 --- a/docs/role-logstash.md +++ b/docs/role-logstash.md @@ -109,7 +109,7 @@ The following variables configure extra fields in your events that help with ide The following variables are identical over all our elastic related roles, hence the different naming scheme. -*elasticstack_release*: Major release version of Elastic stack to configure. (default: `7`) +*elasticstack_release*: Major release version of Elastic stack to configure. (default: `8`) *elasticstack_variant*: Variant of the stack to install. Valid values: `elastic` or `oss`. (default: `elastic`) The following variables only apply if you use this role together with our Elasticsearch and Kibana roles. diff --git a/roles/elasticsearch/tasks/elasticsearch-parameters.yml b/roles/elasticsearch/tasks/elasticsearch-parameters.yml deleted file mode 100644 index 796c1054..00000000 --- a/roles/elasticsearch/tasks/elasticsearch-parameters.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Fail when security is not declared when elasticsearch >= 8 - ansible.builtin.fail: - msg: "Elasticsearch >= 8 requires enabled security. Set elasticsearch_security to true" - when: - - elasticstack_release | int >= 8 - - elasticstack_variant == 'elastic' - - elasticsearch_security is not defined or not elasticsearch_security diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index d592f01a..bb52ac9f 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -12,9 +12,6 @@ changed_when: false when: ansible_os_family == 'Debian' -- name: Check-set-parameters - ansible.builtin.include_tasks: elasticsearch-parameters.yml - - name: Include OS specific vars ansible.builtin.include_vars: '{{ item }}' with_first_found: diff --git a/roles/elasticsearch/templates/elasticsearch.yml.j2 b/roles/elasticsearch/templates/elasticsearch.yml.j2 index 12cdfeb2..72eb6152 100644 --- a/roles/elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/elasticsearch/templates/elasticsearch.yml.j2 @@ -31,7 +31,7 @@ node.roles: [ {% for type in elasticsearch_node_types %}{{ type }}{% if not loop {% if elasticsearch_seed_hosts is defined %} discovery.seed_hosts: {{ elasticsearch_seed_hosts }} {% else %} -{% if elasticstack_release | int < 8 or groups[elasticstack_elasticsearch_group_name] | length > 1 %} +{% if groups[elasticstack_elasticsearch_group_name] | length > 1 %} discovery.seed_hosts: [ {% for host in groups[elasticstack_elasticsearch_group_name] %} "{{ hostvars[host].ansible_default_ipv4.address | default(hostvars[host].ansible_all_ipv4_addresses[0]) }}"{% if not loop.last %},{% endif %} {% endfor %} ] diff --git a/roles/logstash/templates/logstash.yml.j2 b/roles/logstash/templates/logstash.yml.j2 index c7d6aced..3a3c5af5 100644 --- a/roles/logstash/templates/logstash.yml.j2 +++ b/roles/logstash/templates/logstash.yml.j2 @@ -16,7 +16,10 @@ pipeline.ecs_compatibility: {{ logstash_global_ecs }} {% if logstash_pipeline_unsafe_shutdown is defined %} pipeline.unsafe_shutdown: {{ logstash_pipeline_unsafe_shutdown }} {% endif %} -{% if logstash_legacy_monitoring | bool and elasticstack_full_stack | bool and elasticstack_variant == "elastic" and elasticstack_release | int < 8 %} +{% if logstash_legacy_monitoring | bool and elasticstack_full_stack | bool and elasticstack_variant == "elastic" %} +{% if elasticstack_release | int >= 9 %} +xpack.monitoring.allow_legacy_collection: true +{% endif %} xpack.monitoring.enabled: true xpack.monitoring.elasticsearch.hosts: [ {% for host in logstash_elasticsearch %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %} ] xpack.monitoring.elasticsearch.username: elastic From 050de2e71180de0ead262308f2e97b78d16dca9a Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Fri, 27 Mar 2026 16:18:33 +0100 Subject: [PATCH 05/12] Remove OSS variants of Elasticsearch and Kibana --- .github/workflows/test_role_elasticsearch.yml | 1 - docs/role-elasticsearch.md | 4 ++-- docs/role-kibana.md | 4 ++-- roles/elasticsearch/tasks/elasticsearch-rolling-upgrade.yml | 6 +++--- roles/elasticsearch/tasks/main.yml | 2 +- roles/kibana/tasks/main.yml | 3 +-- 6 files changed, 9 insertions(+), 11 deletions(-) diff --git a/.github/workflows/test_role_elasticsearch.yml b/.github/workflows/test_role_elasticsearch.yml index ef9c58cb..ec079536 100644 --- a/.github/workflows/test_role_elasticsearch.yml +++ b/.github/workflows/test_role_elasticsearch.yml @@ -44,7 +44,6 @@ jobs: scenario: - elasticsearch_default - elasticsearch_roles_calculation - - elasticsearch_cluster-oss - elasticsearch_no-security release: - 8 diff --git a/docs/role-elasticsearch.md b/docs/role-elasticsearch.md index 58ee7ca3..95e66d13 100644 --- a/docs/role-elasticsearch.md +++ b/docs/role-elasticsearch.md @@ -66,7 +66,7 @@ These variables are identical over all our elastic related roles, hence the diff * *elasticstack_ca_expiration_buffer*: Ansible will renew the CA if its validity is shorter than this value, which should be number of days. (default: 30) * *elasticstack_ca_will_expire_soon*: Set it to true to renew the CA and the certificate of all Elastic Stack components (default: `false`), Or run the playbook with `--tags renew_ca` to do that. * *elasticstack_release*: Major release version of Elastic stack to configure. (default: `8`) -* *elasticstack_variant*: Variant of the stack to install. Valid values: `elastic` or `oss`. (default: `elastic`) +* *elasticstack_variant*: Variant of the stack to install. Valid values: `elastic`. (default: `elastic`) * *elasticstack_elasticsearch_http_port*: Port of Elasticsearch http (Default: `9200`) ``` @@ -75,7 +75,7 @@ These variables are identical over all our elastic related roles, hence the diff - netways.elasticstack hosts: elasticsearch-hosts vars: - elasticstack_variant: oss + elasticstack_variant: elastic elasticsearch_jna_workaround: true elasticsearch_disable_systemcallfilterchecks: true roles: diff --git a/docs/role-kibana.md b/docs/role-kibana.md index e39b7b67..5030a5fa 100644 --- a/docs/role-kibana.md +++ b/docs/role-kibana.md @@ -37,7 +37,7 @@ These variables are identical over all our elastic related roles, hence the diff * *elasticstack_ca_pass*: Password for Elasticsearch CA (default: `PleaseChangeMe`) * *elasticstack_initial_passwords*: Path to file with initical elasticsearch passwords (default: `/usr/share/elasticsearch/initial_passwords`) * *elasticstack_release*: Major release version of Elastic stack to configure. (default: `8`) -* *elasticstack_variant*: Variant of the stack to install. Valid values: `elastic` or `oss` (default: `elastic`) +* *elasticstack_variant*: Variant of the stack to install. Valid values: `elastic`. (default: `elastic`) If you use `localhost` in `kibana_elasticsearch_hosts` , certificate verification will skip hostname checks @@ -51,7 +51,7 @@ If you use `localhost` in `kibana_elasticsearch_hosts` , certificate verificatio hosts: kibana-host vars: elasticstack_full_stack: true - elasticstack_variant: oss + elasticstack_variant: elastic roles: - repos - kibana diff --git a/roles/elasticsearch/tasks/elasticsearch-rolling-upgrade.yml b/roles/elasticsearch/tasks/elasticsearch-rolling-upgrade.yml index 19801a76..cf7ea1c6 100644 --- a/roles/elasticsearch/tasks/elasticsearch-rolling-upgrade.yml +++ b/roles/elasticsearch/tasks/elasticsearch-rolling-upgrade.yml @@ -28,7 +28,7 @@ ansible.builtin.package: name: "{{ elasticsearch_package }}" enablerepo: - - 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x' + - 'elastic-{{ elasticstack_release }}.x' when: - ansible_os_family == "RedHat" - elasticstack_full_stack | bool @@ -57,7 +57,7 @@ ansible.builtin.package: name: "{{ elasticsearch_package }}" enablerepo: - - 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x' + - 'elastic-{{ elasticstack_release }}.x' when: - ansible_os_family == "RedHat" - elasticstack_full_stack | bool @@ -135,7 +135,7 @@ ansible.builtin.package: name: "{{ elasticsearch_package }}" enablerepo: - - 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x' + - 'elastic-{{ elasticstack_release }}.x' when: - ansible_os_family == "RedHat" - elasticstack_full_stack | bool diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index bb52ac9f..dd165927 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -132,7 +132,7 @@ ansible.builtin.package: name: "{{ elasticsearch_package }}" enablerepo: - - 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x' + - 'elastic-{{ elasticstack_release }}.x' when: - ansible_os_family == "RedHat" - elasticstack_full_stack | bool diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml index 9540132f..1107deda 100644 --- a/roles/kibana/tasks/main.yml +++ b/roles/kibana/tasks/main.yml @@ -38,7 +38,6 @@ kibana_package: >- {{ 'kibana' + - ('-oss' if elasticstack_variant == 'oss' else '') + ((elasticstack_versionseparator + elasticstack_version | string ) if (elasticstack_version is defined and elasticstack_version | length > 0)) | @@ -48,7 +47,7 @@ ansible.builtin.package: name: "{{ kibana_package }}" enablerepo: - - 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x' + - 'elastic-{{ elasticstack_release }}.x' notify: - Restart Kibana when: From c3c4ec9a93b9f9accdb97deb01eb801e380ade4f Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Fri, 27 Mar 2026 17:01:29 +0100 Subject: [PATCH 06/12] Do not call removed Molecule scenarios --- .github/workflows/test_role_elasticsearch.yml | 1 - .github/workflows/test_role_logstash.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/workflows/test_role_elasticsearch.yml b/.github/workflows/test_role_elasticsearch.yml index ec079536..fab18efb 100644 --- a/.github/workflows/test_role_elasticsearch.yml +++ b/.github/workflows/test_role_elasticsearch.yml @@ -44,7 +44,6 @@ jobs: scenario: - elasticsearch_default - elasticsearch_roles_calculation - - elasticsearch_no-security release: - 8 ansible_version: diff --git a/.github/workflows/test_role_logstash.yml b/.github/workflows/test_role_logstash.yml index 4031bd21..b3a61821 100644 --- a/.github/workflows/test_role_logstash.yml +++ b/.github/workflows/test_role_logstash.yml @@ -42,7 +42,6 @@ jobs: matrix: distro: [ubuntu2204] scenario: - - logstash_full_stack-oss - logstash_specific_version - logstash_pipelines release: From d0e36f8f62404977dbbf402b684821547c616174 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Mon, 30 Mar 2026 16:55:52 +0200 Subject: [PATCH 07/12] Remove commented out version string in repos_oss scenario Falling back to default --- molecule/repos_oss/converge.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/molecule/repos_oss/converge.yml b/molecule/repos_oss/converge.yml index 684d60aa..d17b5ce4 100644 --- a/molecule/repos_oss/converge.yml +++ b/molecule/repos_oss/converge.yml @@ -8,7 +8,6 @@ vars: elasticstack_variant: oss elasticstack_rpm_workaround: true - #elasticstack_release: 7 elasticstack_no_log: false tasks: - name: "Include Elastic Repos" From 5b756cb48f705472d746435d87962e8d0316bd0e Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Mon, 30 Mar 2026 17:01:50 +0200 Subject: [PATCH 08/12] Revert change in single node configuration. Thanks @afeefghannam89 for noticing this error! --- roles/elasticsearch/templates/elasticsearch.yml.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/elasticsearch/templates/elasticsearch.yml.j2 b/roles/elasticsearch/templates/elasticsearch.yml.j2 index 72eb6152..95d2a0db 100644 --- a/roles/elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/elasticsearch/templates/elasticsearch.yml.j2 @@ -27,6 +27,10 @@ http.publish_port: {{ elasticsearch_http_publish_port }} node.roles: [ {% for type in elasticsearch_node_types %}{{ type }}{% if not loop.last %}, {% endif %}{% endfor %} ] {% endif %} +{% if and groups[elasticstack_elasticsearch_group_name] | length == 1 %} +discovery.type: single-node +{% endif %} + {# Quickfix to override seed_hosts. Otherwise all nodes, not only master nodes are added to seed_hosts #} {% if elasticsearch_seed_hosts is defined %} discovery.seed_hosts: {{ elasticsearch_seed_hosts }} From f1a1c95762536c0e65ce5112e6c7fdc3a68a57f9 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Mon, 30 Mar 2026 17:05:54 +0200 Subject: [PATCH 09/12] Remove artifacts of `elasticsearch_monitoring_enabled`. --- molecule/elasticstack_default/converge.yml | 1 - roles/elasticsearch/defaults/main.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/molecule/elasticstack_default/converge.yml b/molecule/elasticstack_default/converge.yml index 58119e39..18420b16 100644 --- a/molecule/elasticstack_default/converge.yml +++ b/molecule/elasticstack_default/converge.yml @@ -12,7 +12,6 @@ vars: elasticsearch_jna_workaround: true elasticsearch_disable_systemcallfilterchecks: true - elasticsearch_monitoring_enabled: false elasticstack_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" elasticsearch_heap: "1" elasticstack_full_stack: true diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml index 29aaa0c6..7b725ccd 100644 --- a/roles/elasticsearch/defaults/main.yml +++ b/roles/elasticsearch/defaults/main.yml @@ -4,7 +4,6 @@ elasticsearch_enable: true elasticsearch_ml_enabled: true elasticsearch_config_backup: false elasticsearch_manage_yaml: true -elasticsearch_monitoring_enabled: true elasticsearch_security: true elasticsearch_bootstrap_pw: PleaseChangeMe elasticsearch_http_security: true From bbdd374f55428c0d78d1b8526f3dd8fdca44abb9 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Mon, 30 Mar 2026 17:07:36 +0200 Subject: [PATCH 10/12] Improve documentation about OSS versions --- docs/role-repos.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/role-repos.md b/docs/role-repos.md index ca1b06a4..eab7f266 100644 --- a/docs/role-repos.md +++ b/docs/role-repos.md @@ -20,7 +20,7 @@ Role Variables * *elasticstack_variant*: Variant of the stack to install. Valid values: `elastic` or `oss`. (default: `elastic`). * *elasticstack_enable_repos*: Enable repositories after creating them. (default: `true`) Only works on RPM based distributions! -Please note that no `oss` versions are available for Elastic Stack later than `7`. This role will fail if you try to install them. +Please note that not all tool have `oss` versions available for Elastic Stack later than `7`. This role will fail if you try to install them. Elasticsearch and Kibana are not available as OSS > 7. Usage -------- From dd8ab7e688fa2513c7e91445f2e6743ff05083c4 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Wed, 1 Apr 2026 15:05:18 +0200 Subject: [PATCH 11/12] Remove duplicate linting step and fix `if` --- .github/workflows/test_linting.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/test_linting.yml b/.github/workflows/test_linting.yml index 91b56e40..ec484557 100644 --- a/.github/workflows/test_linting.yml +++ b/.github/workflows/test_linting.yml @@ -43,11 +43,7 @@ jobs: yamllint . if: ${{ inputs.rolename == '' }} - - name: Lint Role (yamllint). - run: | - ansible-lint roles/${{ inputs.rolename }} - if: ${{ inputs.rolename != '' }} - - name: Lint Role (ansible-lint). run: | ansible-lint roles/${{ inputs.rolename }} + if: ${{ inputs.rolename != '' }} From b660b83344c360af063a505b35ce4de2db2f3d3c Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Wed, 1 Apr 2026 15:06:18 +0200 Subject: [PATCH 12/12] Fix broken `if` Remove `and` with no left part --- roles/elasticsearch/templates/elasticsearch.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/elasticsearch/templates/elasticsearch.yml.j2 b/roles/elasticsearch/templates/elasticsearch.yml.j2 index 95d2a0db..f3b471bb 100644 --- a/roles/elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/elasticsearch/templates/elasticsearch.yml.j2 @@ -27,7 +27,7 @@ http.publish_port: {{ elasticsearch_http_publish_port }} node.roles: [ {% for type in elasticsearch_node_types %}{{ type }}{% if not loop.last %}, {% endif %}{% endfor %} ] {% endif %} -{% if and groups[elasticstack_elasticsearch_group_name] | length == 1 %} +{% if groups[elasticstack_elasticsearch_group_name] | length == 1 %} discovery.type: single-node {% endif %}