Skip to content

fix(elasticsearch): skip bootstrap-only checks when joining existing cluster#151

Merged
Oddly merged 1 commit into
mainfrom
fix/skip-bootstrap-checks-on-join-v2
May 7, 2026
Merged

fix(elasticsearch): skip bootstrap-only checks when joining existing cluster#151
Oddly merged 1 commit into
mainfrom
fix/skip-bootstrap-checks-on-join-v2

Conversation

@Oddly

@Oddly Oddly commented May 7, 2026

Copy link
Copy Markdown
Owner

Reopens #148 after the first attempt (#149) was reverted in #150.

The previous attempt put the gate on the whole "Runtime cluster setup" block in elasticsearch-security.yml. That block contains an inner set_fact that flips elasticsearch_cluster_set_up to true partway through, after the initial passwords file is written. Ansible re-evaluates a block-level when: against each task's live variable state, so every task after that internal flip silently skipped — including Fetch elastic password after initial setup, which is what sets elasticstack_password. Downstream consumers (cluster settings, watermarks, the molecule shared set_ci_watermarks helper) then saw elasticstack_password undefined and either fell back to a hardcoded /usr/share/elasticsearch/initial_passwords path that doesn't exist on custom-path scenarios, or failed outright. CI on main caught it on elasticsearch_custom, elasticsearch_cert_content, and elasticsearch_diagnostics.

This version gates per task instead. Each of the four bootstrap-only tasks gets - not elasticsearch_cluster_set_up | bool added to its existing when: list (alongside not elasticsearch_passwords_file.stat.exists | bool which they all already had). Per-task when: is evaluated independently, so the inner set_fact doesn't poison subsequent tasks. The four gated tasks are Check for API with bootstrap password, the Recover elastic user after interrupted security setup sub-block, the Fail if bootstrap password check failed and recovery was not attempted task, and Check for cluster status with bootstrap password. A comment on the block explains why the gating is at task level rather than block level.

The master-count check in main.yml returns unchanged from #149 — it sits before the security tasks run and the inner flip never reaches it, so it was uncontroversial and just got reverted along with #149 for a clean rollback.

No molecule scenario exercises the join-existing-cluster path: it would need a multi-node setup where the joining node sees the passwords file as absent (stat delegated to the CA host), which single-node scenarios can't reproduce. Adding one is more disruptive than the fix warrants. The existing scenarios still validate the fresh-bootstrap regression class — they're what flagged #149's issue when I ran the full elasticsearch-role workflow against main, and they'll catch the same shape of regression on this PR too.

…cluster

Adds `not elasticsearch_cluster_set_up | bool` to the four bootstrap-password
tasks in elasticsearch-security.yml plus the master-count check in main.yml,
so a joining node skips the checks that only make sense for fresh-bootstrap.
Reopens issue #148 after the previous attempt (#149, reverted in #150)
regressed fresh-install scenarios.

The previous attempt put the gate on the whole "Runtime cluster setup" block.
That block contains an inner `set_fact` that flips elasticsearch_cluster_set_up
to true after the initial passwords file is written. Ansible re-evaluates
block-level whens per task against the live variable, so every inner task
after that flip silently skipped, including the fetch that sets
elasticstack_password. Downstream tasks then saw it undefined and either
fell back to a hardcoded path that doesn't exist on custom-path scenarios,
or failed outright.

Gating per task avoids that — each task's when is independent and doesn't
get re-evaluated against later state. The four gated tasks all already had
`not elasticsearch_passwords_file.stat.exists | bool` in their when, so
they're a clean place for the additional guard.

The master-count check in main.yml was uncontroversial in #149 — it sits
before the security tasks run and the inner flip never reaches it — so it
returns unchanged.

No molecule scenario covers the join-existing-cluster path: it would need
a multi-node setup where the joining node sees the passwords file as absent
(stat delegated to the CA host), which the existing single-node scenarios
can't reproduce. Existing scenarios still validate the fresh-bootstrap path
and would catch a regression like the one #149 introduced.
@Oddly Oddly added the ci:run Trigger gated pull request CI label May 7, 2026
@coderabbitai

coderabbitai Bot commented May 7, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@Oddly has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 56 minutes and 24 seconds before requesting another review.

To continue reviewing without waiting, purchase usage credits in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c43a5313-7265-4489-ba0b-628a2b235897

📥 Commits

Reviewing files that changed from the base of the PR and between 833cfb3 and 7bbfc7f.

📒 Files selected for processing (2)
  • roles/elasticsearch/tasks/elasticsearch-security.yml
  • roles/elasticsearch/tasks/main.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/skip-bootstrap-checks-on-join-v2

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions github-actions Bot removed the ci:run Trigger gated pull request CI label May 7, 2026
@Oddly Oddly merged commit 3cf2547 into main May 7, 2026
53 checks passed
@Oddly Oddly deleted the fix/skip-bootstrap-checks-on-join-v2 branch May 7, 2026 20:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant