I have deployed an Elasticsearch 6.3.1 development cluster with 3 nodes via Puppet. The Search Guard plugin "search-guard-6:6.3.1-23.0" has also been installed through Puppet. To activate the Search Guard plugin in the dev environment, I have used two scripts included in this plugin, "install_demo_configuration.sh" and "sgadmin_demo.sh". These scripts add certain configuration lines to elasticsearch.yml. Every time the Puppet agent requests the catalog on these machines, elasticsearch.yml is overwritten according to the configuration of the manifest, and Search Guard doesn't work. This also causes the elasticsearch service to stop working. The elasticsearch manifest that we have used to install elasticsearch and the Search Guard plugin:
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
include ::java
class profile::elk6::elasticsearch {
  $version     = hiera('profile::elk6::elasticsearch::version')
  $clustername = hiera('profile::elk6::elasticsearch::clustername')
  $ismaster    = hiera('profile::elk6::elasticsearch::ismaster')
  $isdatanode  = hiera('profile::elk6::elasticsearch::isdatanode')
  $esmasters   = hiera('profile::elk6::elasticsearch::esmasters')
  $datadir     = hiera('profile::elk6::elasticsearch::datadir')
  $esheapsize  = hiera('profile::elk6::elasticsearch::heapsize')
  $config_hash = { 'ES_HEAP_SIZE' => "$esheapsize", 'MAX_LOCKED_MEMORY' => "unlimited" }
  class { '::elasticsearch':
    version       => $version,
    status        => 'enabled',
    manage_repo   => true,
    datadir       => $datadir,
    config        => {
      'cluster.name'                       => $clustername,
      'network.host'                       => $::ipaddress_eth0,
      'node.data'                          => $isdatanode,
      'node.master'                        => $ismaster,
      'discovery.zen.ping.unicast.hosts'   => $esmasters,
      'discovery.zen.minimum_master_nodes' => 2,
      'http.port'                          => 9200,
      'http.cors.allow-origin'             => "/.*/",
      'http.cors.enabled'                  => true,
      'http.cors.allow-headers'            => "Authorization, X-Requested-With, Content-Type, Content-Length",
      'http.cors.allow-credentials'        => true
      # 'bootstrap.unlockall' => 'true'
    },
    init_defaults => $config_hash,
  }
  elasticsearch::plugin { 'com.floragunn:search-guard-6:6.3.1-23.0':
    instances => 'esmaster',
  }
  elasticsearch::instance { 'es-01': }
  # checks if ES is available on localhost
  es_instance_conn_validator { "es$::ipaddress_eth0" :
    server => $::ipaddress_eth0,
    port   => '9200',
  }
}
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
When elasticsearch.yml is overwritten and Search Guard causes the elasticsearch service to stop working, the log shows:
"java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]"
"Caused by: org.elasticsearch.ElasticsearchException: searchguard.ssl.transport.keystore_filepath or searchguard.ssl.transport.pemkey_filepath must be set if transport ssl is reqested."
Is it possible to add the configuration lines for the Search Guard plugin in the Puppet manifest and avoid this behavior? Is there a mistake in my Puppet manifest?
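An added example, not part of the original post and not the poster's or the module's own code: the Search Guard TLS settings are carried in the same `config` hash that the manifest above passes to `::elasticsearch`, so every agent run renders them into elasticsearch.yml instead of removing them. The class name, the PEM file names and the admin DN are placeholders, the `searchguard.*` keys other than `pemkey_filepath` do not appear in the post, and the hash merge with `+` assumes Puppet 4 or later.

```puppet
# Hypothetical profile class: Search Guard settings managed by Puppet
# rather than appended to elasticsearch.yml by install_demo_configuration.sh.
class profile::elk6::elasticsearch_sg {
  $version     = hiera('profile::elk6::elasticsearch::version')
  $clustername = hiera('profile::elk6::elasticsearch::clustername')

  # Base settings, same keys as in the manifest from the post (shortened).
  $es_config = {
    'cluster.name' => $clustername,
    'network.host' => $::ipaddress_eth0,
    'http.port'    => 9200,
  }

  # Search Guard settings. File names are placeholders (assumption): the PEM
  # files must already be present in the instance's config directory.
  $sg_config = {
    # Transport TLS: the startup exception in the log is raised when neither
    # keystore_filepath nor pemkey_filepath is set for the transport layer.
    'searchguard.ssl.transport.pemcert_filepath'       => 'PLACEHOLDER-node.pem',
    'searchguard.ssl.transport.pemkey_filepath'        => 'PLACEHOLDER-node-key.pem',
    'searchguard.ssl.transport.pemtrustedcas_filepath' => 'PLACEHOLDER-root-ca.pem',

    # REST-layer TLS, using the same placeholder certificate files.
    'searchguard.ssl.http.enabled'                     => true,
    'searchguard.ssl.http.pemcert_filepath'            => 'PLACEHOLDER-node.pem',
    'searchguard.ssl.http.pemkey_filepath'             => 'PLACEHOLDER-node-key.pem',
    'searchguard.ssl.http.pemtrustedcas_filepath'      => 'PLACEHOLDER-root-ca.pem',

    # DN of the client certificate allowed to run sgadmin (placeholder value).
    'searchguard.authcz.admin_dn'                      => [
      'CN=PLACEHOLDER-admin,OU=client,O=client',
    ],
  }

  class { '::elasticsearch':
    version     => $version,
    status      => 'enabled',
    manage_repo => true,
    # Merged hash: Puppet owns every line of elasticsearch.yml, including
    # the searchguard.* ones, so there is nothing left for a run to strip.
    config      => $es_config + $sg_config,
  }
}
```

These settings only cover elasticsearch.yml; initialising the Search Guard configuration index with sgadmin remains a separate step.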