Auto configure TLS for new nodes of new clusters

distribution/src/bin/elasticsearch

@@ -16,11 +16,13 @@
 source "`dirname "$0"`"/elasticsearch-env
 
 CHECK_KEYSTORE=true
+ATTEMPT_SECURITY_AUTO_CONFIG="${ATTEMPT_SECURITY_AUTO_CONFIG:-true}"
 DAEMONIZE=false
 for option in "$@"; do
   case "$option" in
     -h|--help|-V|--version)
       CHECK_KEYSTORE=false
+      ATTEMPT_SECURITY_AUTO_CONFIG=false
       ;;
     -d|--daemonize)
       DAEMONIZE=true
@@ -45,6 +47,22 @@ then
   fi
 fi
 
+if [[ $ATTEMPT_SECURITY_AUTO_CONFIG = true ]]; then
+  # It is possible that an auto-conf failure prevents the node from starting, but this is only the exceptional case (exit code 1).
+  # Most likely an auto-conf failure will leave the configuration untouched (exit codes 73, 78 and 80), optionally printing a message
+  # if the error is uncommon or unexpected, but it should otherwise let the node to start as usual.
+  # It is passed in all the command line options in order to read the node settings ones (-E), while the other parameters are ignored
+  # (a small caveat is that it also inspects the -v option in order to provide more information on how auto config went)
+  if ! bin/elasticsearch-security-config "$@" <<<"$KEYSTORE_PASSWORD"; then
+    retval=$?
+    # these exit codes cover the cases where auto-conf cannot run but the node should NOT be prevented from starting as usual
+    # eg the node is restarted, is already configured in an incompatible way, or the file system permissions do not allow it
+    if [[ $retval -ne 80 ]] && [[ $retval -ne 73 ]] && [[ $retval -ne 78 ]]; then
+      exit $retval
+    fi
+  fi
+fi
+
 # The JVM options parser produces the final JVM options to start Elasticsearch.
 # It does this by incorporating JVM options in the following way:
 #   - first, system JVM options are applied (these are hardcoded options in the

distribution/src/bin/elasticsearch-env

@@ -119,20 +119,29 @@ if [[ "$ES_DISTRIBUTION_TYPE" == "docker" ]]; then
 
   declare -a es_arg_array
 
+  containsElement () {
+    local e match="$1"
+    shift
+    for e; do [[ "$e" == "$match" ]] && return 0; done
+    return 1
+  }
+
   while IFS='=' read -r envvar_key envvar_value
   do
     # Elasticsearch settings need to have at least two dot separated lowercase
     # words, e.g. `cluster.name`, or uppercased with underscore separators and
     # prefixed with `ES_SETTING_`, e.g. `ES_SETTING_CLUSTER_NAME`. Underscores in setting names
     # are escaped by writing them as a double-underscore e.g. "__"
     if [[ ! -z "$envvar_value" ]]; then
+      es_opt=""
       if [[ "$envvar_key" =~ ^[a-z0-9_]+\.[a-z0-9_]+ ]]; then
         es_opt="-E${envvar_key}=${envvar_value}"
-        es_arg_array+=("${es_opt}")
       elif [[ "$envvar_key" =~ ^ES_SETTING(_{1,2}[A-Z]+)+$ ]]; then
           # The long-hand sed `y` command works in any sed variant.
           envvar_key="$(echo "$envvar_key" | sed -e 's/^ES_SETTING_//; s/_/./g ; s/\.\./_/g; y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/' )"
           es_opt="-E${envvar_key}=${envvar_value}"
+      fi
+      if [[ ! -z "${es_opt}" ]] && ! containsElement "${es_opt}" "$@" ; then
           es_arg_array+=("${es_opt}")
       fi
     fi

libs/cli/src/main/java/org/elasticsearch/cli/ExitCodes.java

@@ -12,8 +12,9 @@
  * POSIX exit codes.
  */
 public class ExitCodes {
+    // please be extra careful when changing these as the values might be used in scripts,
+    // usages of which are not tracked by the IDE
     public static final int OK = 0;
-    public static final int NOOP = 63;           // nothing to do
     public static final int USAGE = 64;          // command line usage error
     public static final int DATA_ERROR = 65;     // data format error
     public static final int NO_INPUT = 66;       // cannot open input
@@ -27,6 +28,7 @@ public class ExitCodes {
     public static final int PROTOCOL = 76;       // remote error in protocol
     public static final int NOPERM = 77;         // permission denied
     public static final int CONFIG = 78;         // configuration error
+    public static final int NOOP = 80;           // nothing to do
 
     private ExitCodes() { /* no instance, just constants */ }
 }