Skip to content

Revert "fix(elasticsearch): skip bootstrap-only checks when joining existing cluster (#149)"#150

Merged
Oddly merged 1 commit into
mainfrom
revert/149-bootstrap-checks-gating
May 7, 2026
Merged

Revert "fix(elasticsearch): skip bootstrap-only checks when joining existing cluster (#149)"#150
Oddly merged 1 commit into
mainfrom
revert/149-bootstrap-checks-gating

Conversation

@Oddly

@Oddly Oddly commented May 7, 2026

Copy link
Copy Markdown
Owner

Reverts #149.

The block-level when: not elasticsearch_cluster_set_up | bool on the "Runtime cluster setup" block in elasticsearch-security.yml regresses fresh-install scenarios. The block contains an inner set_fact that flips elasticsearch_cluster_set_up to true partway through, after the initial passwords file is written. Ansible copies a block-level when onto every inner task and re-evaluates it against the current variable state, so every task after that internal set_fact silently skips — including Fetch elastic password after initial setup, which is what sets elasticstack_password. Downstream consumers (cluster settings, watermarks, the molecule shared set_ci_watermarks helper) then see elasticstack_password undefined and either fall back to a hardcoded path that doesn't exist for custom-path scenarios, or fail outright.

I caught this on a workflow_dispatch of Test Role elasticsearch against main after the merge: elasticsearch_custom, elasticsearch_cert_content, and elasticsearch_diagnostics failed at the watermark step on rocky9 + ES 9 (and debian13 for diagnostics). The same scenarios were green on the schedule run from yesterday, and main is exactly +2 commits since then (#147 + #149), confirming the regression source.

I'm reverting both files in #149 together. The main.yml master-count change isn't broken by itself, but it's only useful in combination with the join-existing-cluster path, so it goes back along with the security-tasks revert and returns in the follow-up PR.

A follow-up will replace this with task-level gating: add not elasticsearch_cluster_set_up | bool to the individual bootstrap-password tasks (Check for API with bootstrap password, the recovery sub-block, the Fail task, and Check for cluster status with bootstrap password) so they skip on a joining node without poisoning the inner set_fact. Reopens #148.

Summary by CodeRabbit

Release Notes

  • Bug Fixes
    • Refined Elasticsearch cluster setup execution logic to respect system check mode
    • Simplified master-node validation to consistently enforce odd-count requirement for cluster stability

…xisting cluster (#149)"

This reverts commit 39037c0.

The block-level `when: not elasticsearch_cluster_set_up | bool` on the
"Runtime cluster setup" block in elasticsearch-security.yml regresses
fresh-install scenarios. The block contains an inner set_fact that
flips elasticsearch_cluster_set_up to true partway through, after the
initial passwords file is written. Block-level when is copied to every
inner task and re-evaluated against the current variable state, so
every task after that internal set_fact silently skips — including the
"Fetch elastic password after initial setup" task that sets
elasticstack_password. Downstream consumers (cluster settings,
watermarks, the molecule shared set_ci_watermarks helper) then see
elasticstack_password undefined and either fall back to a hardcoded
file path that doesn't exist on custom-path scenarios, or fail
outright.

Symptom in CI: elasticsearch_custom, elasticsearch_cert_content, and
elasticsearch_diagnostics scenarios fail at the watermark setup step
on rocky9/debian13 + ES 9. Previously green on the same scenarios.

Reverting both files together. The main.yml master-count change is
reverted alongside it because it's only useful in combination with the
join-existing-cluster path that needs further work to land cleanly.
A follow-up PR will gate only the bootstrap-password tasks
individually instead of the whole block.

Reopens #148.
@Oddly Oddly added the ci:run Trigger gated pull request CI label May 7, 2026
@coderabbitai

coderabbitai Bot commented May 7, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fa30f7a4-5877-4fcf-867f-f40274e70b0f

📥 Commits

Reviewing files that changed from the base of the PR and between 39037c0 and 3821d12.

📒 Files selected for processing (2)
  • roles/elasticsearch/tasks/elasticsearch-security.yml
  • roles/elasticsearch/tasks/main.yml

📝 Walkthrough

Walkthrough

This PR removes conditional guards that depended on elasticsearch_cluster_set_up state from two task blocks. Master-node validation now enforces its odd-count constraint unconditionally, and runtime cluster setup execution now depends only on check-mode status rather than prior cluster setup completion.

Changes

Remove Cluster Setup State Guards

Layer / File(s) Summary
Validation Constraints
roles/elasticsearch/tasks/main.yml
Master-node count validation no longer skips when elasticsearch_cluster_set_up is true; the even-count failure condition now applies unconditionally.
Runtime Setup Conditions
roles/elasticsearch/tasks/elasticsearch-security.yml
Runtime cluster setup block condition is simplified from when: not ansible_check_mode and not elasticsearch_cluster_set_up | bool to when: not ansible_check_mode.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related issues

Possibly related PRs

  • Oddly/elasticstack#147: Modifies how elasticsearch_cluster_set_up variable is set and used; these changes remove conditional dependencies on that variable.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch revert/149-bootstrap-checks-gating

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions github-actions Bot removed the ci:run Trigger gated pull request CI label May 7, 2026
@Oddly Oddly merged commit 833cfb3 into main May 7, 2026
23 of 24 checks passed
@Oddly Oddly deleted the revert/149-bootstrap-checks-gating branch May 7, 2026 19:13
Oddly added a commit that referenced this pull request May 7, 2026
…cluster (#151)

Adds `not elasticsearch_cluster_set_up | bool` to the four bootstrap-password
tasks in elasticsearch-security.yml plus the master-count check in main.yml,
so a joining node skips the checks that only make sense for fresh-bootstrap.
Reopens issue #148 after the previous attempt (#149, reverted in #150)
regressed fresh-install scenarios.

The previous attempt put the gate on the whole "Runtime cluster setup" block.
That block contains an inner `set_fact` that flips elasticsearch_cluster_set_up
to true after the initial passwords file is written. Ansible re-evaluates
block-level whens per task against the live variable, so every inner task
after that flip silently skipped, including the fetch that sets
elasticstack_password. Downstream tasks then saw it undefined and either
fell back to a hardcoded path that doesn't exist on custom-path scenarios,
or failed outright.

Gating per task avoids that — each task's when is independent and doesn't
get re-evaluated against later state. The four gated tasks all already had
`not elasticsearch_passwords_file.stat.exists | bool` in their when, so
they're a clean place for the additional guard.

The master-count check in main.yml was uncontroversial in #149 — it sits
before the security tasks run and the inner flip never reaches it — so it
returns unchanged.

No molecule scenario covers the join-existing-cluster path: it would need
a multi-node setup where the joining node sees the passwords file as absent
(stat delegated to the CA host), which the existing single-node scenarios
can't reproduce. Existing scenarios still validate the fresh-bootstrap path
and would catch a regression like the one #149 introduced.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant