From 3821d12e94fbc6138737266d986b13b0bd9cf509 Mon Sep 17 00:00:00 2001 From: Sam Crauwels Date: Thu, 7 May 2026 21:11:39 +0200 Subject: [PATCH] Revert "fix(elasticsearch): skip bootstrap-only checks when joining existing cluster (#149)" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit 39037c02118d67df2fd4b659f79e82f780b128ea. The block-level `when: not elasticsearch_cluster_set_up | bool` on the "Runtime cluster setup" block in elasticsearch-security.yml regresses fresh-install scenarios. The block contains an inner set_fact that flips elasticsearch_cluster_set_up to true partway through, after the initial passwords file is written. Block-level when is copied to every inner task and re-evaluated against the current variable state, so every task after that internal set_fact silently skips — including the "Fetch elastic password after initial setup" task that sets elasticstack_password. Downstream consumers (cluster settings, watermarks, the molecule shared set_ci_watermarks helper) then see elasticstack_password undefined and either fall back to a hardcoded file path that doesn't exist on custom-path scenarios, or fail outright. Symptom in CI: elasticsearch_custom, elasticsearch_cert_content, and elasticsearch_diagnostics scenarios fail at the watermark setup step on rocky9/debian13 + ES 9. Previously green on the same scenarios. Reverting both files together. The main.yml master-count change is reverted alongside it because it's only useful in combination with the join-existing-cluster path that needs further work to land cleanly. A follow-up PR will gate only the bootstrap-password tasks individually instead of the whole block. Reopens #148. --- roles/elasticsearch/tasks/elasticsearch-security.yml | 10 +--------- roles/elasticsearch/tasks/main.yml | 6 ------ 2 files changed, 1 insertion(+), 15 deletions(-) diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml index 52b0b77..9ec3f83 100644 --- a/roles/elasticsearch/tasks/elasticsearch-security.yml +++ b/roles/elasticsearch/tasks/elasticsearch-security.yml @@ -648,15 +648,7 @@ when: elasticsearch_http_security - name: elasticsearch-security | Runtime cluster setup (requires running Elasticsearch) - # Runtime cluster setup uses the bootstrap password to seed the elastic user, - # built-in user passwords, etc. on a fresh cluster. When joining an existing - # cluster (elasticsearch_cluster_set_up: true) those are already part of the - # replicated cluster state, the bootstrap password is no longer accepted, - # and this whole block fails with "Bootstrap password authentication failed - # and this is not the CA host". See issue #148. - when: - - not ansible_check_mode - - not elasticsearch_cluster_set_up | bool + when: not ansible_check_mode block: - name: elasticsearch-security | Check for API with bootstrap password ansible.builtin.uri: diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index 8339e91..a59ba41 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -125,17 +125,11 @@ elasticsearch_count_of_master_nodes: >- {{ ansible_play_hosts_all | intersect(groups['elasticsearch_role_master'] | default([])) | length }} - # The odd-master-count rule is required for a fresh-bootstrapped cluster - # to have a stable initial quorum. When joining an existing cluster - # (elasticsearch_cluster_set_up: true) the cluster already has its own - # master-eligible quorum independent of how many new nodes are added in - # this play, so the check is irrelevant and would block legitimate joins. - name: Check count of master nodes ansible.builtin.fail: msg: "There must be an odd count of master nodes. You have {{ elasticsearch_count_of_master_nodes }}" when: - elasticsearch_count_of_master_nodes | int % 2 == 0 - - not elasticsearch_cluster_set_up | bool - name: End play in checks ansible.builtin.meta: end_host