[Ansible] JFrog Platform 7.23.3 (#148)

Ansible/ansible_collections/jfrog/platform/CHANGELOG.md

@@ -1,6 +1,10 @@
 # JFrog Platform Ansible Collection Changelog
 All changes to this collection will be documented in this file.
 
+## [7.23.3] - Aug 5, 2021
+* Missioncontrol's Elasticsearch to use new JAVA_HOME path
+* Missioncontrol's Elasticsearch searchguard plugin to use by default `anonymous_auth_enabled: true`
+
 ## [7.21.12] - July 30, 2021
 * Added variable `postgres_enabled` to enable/disable default postgres role in `groups_vars/all/vars.yml`
 * Added documentation to used external database

Ansible/ansible_collections/jfrog/platform/galaxy.yml

@@ -9,7 +9,7 @@ namespace: "jfrog"
 name: "platform"
 
 # The version of the collection. Must be compatible with semantic versioning
-version: "7.21.12"
+version: "7.23.3"
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: "README.md"

Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml

@@ -2,7 +2,7 @@
 # defaults file for artifactory
 
 # The version of artifactory to install
-artifactory_version: 7.21.12
+artifactory_version: 7.23.3
 
 # Set this to true when SSL is enabled (to use artifactory_nginx_ssl role), default to false (implies artifactory uses artifactory_nginx role )
 artifactory_nginx_ssl_enabled: false

Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml

@@ -46,8 +46,8 @@
     url: "{{ artifactory_tar }}"
     timeout: "{{ artifactory_download_timeout }}"
     dest: "{{ jfrog_home_directory }}"
-  register: downloadartifactory
+  register: download_artifactory
-  until: downloadartifactory is succeeded
+  until: download_artifactory is succeeded
   retries: 3
   when: not artifactory_tar_check.stat.exists
 
@@ -60,7 +60,7 @@
     owner: "{{ artifactory_user }}"
     group: "{{ artifactory_group }}"
     creates: "{{ artifactory_untar_home }}"
-  when: downloadartifactory is succeeded
+  when: download_artifactory is succeeded
 
 - name: Check if app directory exists
   become: yes

Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/upgrade.yml

@@ -14,8 +14,8 @@
     url: "{{ artifactory_tar }}"
     timeout: "{{ artifactory_download_timeout }}"
     dest: "{{ jfrog_home_directory }}"
-  register: downloadartifactory
+  register: download_artifactory
-  until: downloadartifactory is succeeded
+  until: download_artifactory is succeeded
   retries: 3
   when: not artifactory_tar_check.stat.exists
 
@@ -28,14 +28,14 @@
     owner: "{{ artifactory_user }}"
     group: "{{ artifactory_group }}"
     creates: "{{ artifactory_untar_home }}"
-  when: downloadartifactory is succeeded
+  when: download_artifactory is succeeded
 
 - name: Stop artifactory
   become: yes
   systemd:
     name: "{{ artifactory_daemon }}"
     state: stopped
-  when: downloadartifactory.changed
+  when: download_artifactory.changed
 
 - name: Ensure jfrog_home_directory exists
   become: yes
@@ -48,12 +48,12 @@
   file:
     path: "{{ artifactory_home }}/app"
     state: absent
-  when: downloadartifactory.changed
+  when: download_artifactory.changed
 
 - name: Copy new app to artifactory app
   become: yes
   command: "cp -r {{ artifactory_untar_home }}/app/. {{ artifactory_home }}/app"
-  when: downloadartifactory.changed
+  when: download_artifactory.changed
 
 - name: Configure single license
   become: yes

Ansible/ansible_collections/jfrog/platform/roles/artifactory/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 # platform collection version
-platform_collection_version: 7.21.12
+platform_collection_version: 7.23.3
 
 # indicates where this collection was downloaded from (galaxy, automation_hub, standalone)
 ansible_marketplace: galaxy

Ansible/ansible_collections/jfrog/platform/roles/distribution/defaults/main.yml

@@ -2,7 +2,7 @@
 # defaults file for distribution
 
 # The version of distribution to install
-distribution_version: 2.8.2
+distribution_version: 2.9.0
 
 # whether to enable HA
 distribution_ha_enabled: false

Ansible/ansible_collections/jfrog/platform/roles/distribution/tasks/install.yml

@@ -7,7 +7,7 @@
     name: expect
     state: present
   become: yes
-  when: ansible_os_family == 'Redhat'
+  when: ansible_os_family == 'RedHat'
 
 - name: Install expect dependency
   apt:
@@ -47,8 +47,8 @@
     url: "{{ distribution_tar }}"
     timeout: "{{ distribution_download_timeout }}"
     dest: "{{ jfrog_home_directory }}"
-  register: downloaddistribution
+  register: download_distribution
-  until: downloaddistribution is succeeded
+  until: download_distribution is succeeded
   retries: 3
   when: not distribution_tar_check.stat.exists
 
@@ -61,7 +61,7 @@
     owner: "{{ distribution_user }}"
     group: "{{ distribution_group }}"
     creates: "{{ distribution_untar_home }}"
-  when: downloaddistribution is succeeded
+  when: download_distribution is succeeded
 
 - name: Check if app directory exists
   become: yes

Ansible/ansible_collections/jfrog/platform/roles/distribution/tasks/upgrade.yml

@@ -14,8 +14,8 @@
     url: "{{ distribution_tar }}"
     timeout: "{{ distribution_download_timeout }}"
     dest: "{{ jfrog_home_directory }}"
-  register: downloaddistribution
+  register: download_distribution
-  until: downloaddistribution is succeeded
+  until: download_distribution is succeeded
   retries: 3
   when: not distribution_tar_check.stat.exists
 
@@ -28,33 +28,50 @@
     owner: "{{ distribution_user }}"
     group: "{{ distribution_group }}"
     creates: "{{ distribution_untar_home }}"
-  when: downloaddistribution is succeeded
+  when: download_distribution is succeeded
 
 - name: Stop distribution
   become: yes
   systemd:
     name: "{{ distribution_daemon }}"
     state: stopped
-  when: downloaddistribution.changed
+  when: download_distribution.changed
 
 - name: Delete distribution app
   become: yes
   file:
     path: "{{ distribution_home }}/app"
     state: absent
-  when: downloaddistribution.changed
+  when: download_distribution.changed
 
 - name: Copy new app to distribution app
   become: yes
   command: "cp -r {{ distribution_untar_home }}/app/. {{ distribution_home }}/app"
-  when: downloaddistribution.changed
+  when: download_distribution.changed
+
+- name: Check if systemyaml exists
+  become: yes
+  stat:
+    path: "{{ distribution_home }}/var/etc/system.yaml"
+  register: systemyaml
+
+- name: Configure systemyaml
+  become: yes
+  template:
+    src: "{{ distribution_system_yaml_template }}"
+    dest: "{{ distribution_home }}/var/etc/system.yaml"
+  when: 
+    - distribution_systemyaml is defined  
+    - distribution_systemyaml|length > 0
+    - distribution_systemyaml_override or (not systemyaml.stat.exists) 
+  notify: restart distribution
 
 - name: Check if install.sh wrapper script exist
   become: yes
   stat:
     path: "{{ distribution_install_script_path }}/install.sh"
   register: install_wrapper_script
-  when: downloaddistribution.changed
+  when: download_distribution.changed
 
 - name: Include interactive installer scripts
   include_vars: script/archive.yml
@@ -71,7 +88,7 @@
         YQ_PATH: "{{ distribution_thirdparty_path }}/yq"
   when:
     - install_wrapper_script.stat.exists
-    - downloaddistribution.changed
+    - download_distribution.changed
 
 - name: Ensure {{ distribution_home }}/var/etc/redis exists
   become: yes
@@ -95,23 +112,6 @@
     dest: "{{ distribution_home }}/var/etc/info/installer-info.json"
   notify: restart distribution
 
-- name: Check if systemyaml exists
-  become: yes
-  stat:
-    path: "{{ distribution_home }}/var/etc/system.yaml"
-  register: systemyaml
-
-- name: Configure systemyaml
-  become: yes
-  template:
-    src: "{{ distribution_system_yaml_template }}"
-    dest: "{{ distribution_home }}/var/etc/system.yaml"
-  when: 
-    - distribution_systemyaml is defined  
-    - distribution_systemyaml|length > 0
-    - distribution_systemyaml_override or (not systemyaml.stat.exists) 
-  notify: restart distribution
-
 - name: Update distribution permissions
   become: yes
   file:

Ansible/ansible_collections/jfrog/platform/roles/distribution/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 # platform collection version
-platform_collection_version: 7.21.12
+platform_collection_version: 7.23.3
 
 # indicates were this collection was downlaoded from (galaxy, automation_hub, standalone)
 ansible_marketplace: galaxy

Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/defaults/main.yml

@@ -2,7 +2,7 @@
 # defaults file for mc
 
 # The version of missioncontrol to install
-missioncontrol_version: 4.7.8
+missioncontrol_version: 4.7.10
 
 # whether to enable HA
 mc_ha_enabled: false
@@ -44,14 +44,14 @@ es_gid: 1060
 mc_es_conf_base: "/etc/elasticsearch"
 mc_es_user: admin
 mc_es_password: admin
-mc_es_url: "http://localhost:8082"
+mc_es_url: "http://localhost:9200"
-mc_es_base_url: "http://localhost:8082/elasticsearch"
+mc_es_base_url: "http://localhost:9200/elasticsearch"
 mc_es_transport_port: 9300
 
 mc_es_home: "/usr/share/elasticsearch"
 mc_es_data_dir: "/var/lib/elasticsearch"
 mc_es_log_dir: "/var/log/elasticsearch"
-mc_es_java_home: "/usr/share/elasticsearch/jdk"
+mc_es_java_home: "{{ mc_thirdparty_path }}/java"
 mc_es_script_path: "/usr/share/elasticsearch/bin"
 mc_es_searchgaurd_home: "/usr/share/elasticsearch/plugins/search-guard-7"
 

Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/files/searchguard/sg_config.yml

@@ -0,0 +1,275 @@
+# This is the main Search Guard configuration file where authentication
+# and authorization is defined.
+#
+# You need to configure at least one authentication domain in the authc of this file.
+# An authentication domain is responsible for extracting the user credentials from
+# the request and for validating them against an authentication backend like Active Directory for example.
+#
+# If more than one authentication domain is configured the first one which succeeds wins.
+# If all authentication domains fail then the request is unauthenticated.
+# In this case an exception is thrown and/or the HTTP status is set to 401.
+#
+# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect
+# the roles from a given backend for the authenticated user.
+#
+# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both.
+#        http_enabled: true
+#        transport_enabled: true
+#
+# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to
+# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated.
+# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "sg_anonymous"
+# and one role named "sg_anonymous_backendrole".
+# If you enable anonymous authentication all HTTP authenticators will not challenge.
+#
+#
+# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert"
+# first and the challenging one last.
+# Because it's not possible to challenge a client with two different authentication methods (for example
+# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation
+# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request.
+#
+# Default value of the challenge flag is true.
+#
+#
+# HTTP
+#   basic (challenging)
+#   proxy (not challenging, needs xff)
+#   kerberos (challenging) NOT FREE FOR COMMERCIAL
+#   clientcert (not challenging, needs https)
+#   jwt (not challenging) NOT FREE FOR COMMERCIAL
+#   host (not challenging) #DEPRECATED, will be removed in a future version.
+#                          host based authentication is configurable in sg_roles_mapping
+
+# Authc
+#   internal
+#   noop
+#   ldap  NOT FREE FOR COMMERCIAL USE
+
+# Authz
+#   ldap  NOT FREE FOR COMMERCIAL USE
+#   noop
+
+# For more details pls refer to  https://docs.search-guard.com/latest/authentication-authorization
+_sg_meta:
+  type: "config"
+  config_version: 2
+sg_config:
+  dynamic:
+    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
+    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
+    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
+    #filtered_alias_mode: warn
+    #do_not_fail_on_forbidden: false
+    #kibana:
+    # Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
+    # In addition to the config options below you need to set do_not_fail_on_forbidden to true (see above).
+    # Kibana needs to be configured for multi tenancy as well.
+    # See https://docs.search-guard.com/latest/kibana-multi-tenancy for details
+    #multitenancy_enabled: true
+    #server_username: kibanaserver
+    #index: '.kibana'
+    http:
+      anonymous_auth_enabled: true
+      xff:
+        enabled: false
+        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
+        #internalProxies: '.*' # trust all internal proxies, regex pattern
+        #remoteIpHeader:  'x-forwarded-for'
+        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
+        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
+        ###### and here https://tools.ietf.org/html/rfc7239
+        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
+    auth_token_provider: # NOT FREE FOR COMMERCIAL USE
+      # To enable using Search Guard auth tokens, you also need to enable the sg_issued_jwt_auth_domain below.
+      enabled: false
+      # JWTs produced by Search Guard are signed by default with a symmetric HMAC512 hash. For production systems,
+      # you must replace the value specified here by your own key. You can generate a new key for example with:
+      #  openssl rand -base64 512 | tr '/+' '_-'
+      # If you want ot use another signature algorithm, you can specify a complete JWK using the attriubute jwt_signing_key.
+      # Refer to the documentation for details.
+      jwt_signing_key_hs512: "eTDZjSqRD9Abhod9iqeGX_7o93a-eElTeXWAF6FmzQshmRIrPD-C9ET3pFjJ_IBrzmWIZDk8ig-X_PIyGmKsxNMsrU-0BNWF5gJq5xOp4rYTl8z66Tw9wr8tHLxLxgJqkLSuUCRBZvlZlQ7jNdhBBxgM-hdSSzsN1T33qdIwhrUeJ-KXI5yKUXHjoWFYb9tETbYQ4NvONowkCsXK_flp-E3F_OcKe_z5iVUszAV8QfCod1zhbya540kDejXCL6N_XMmhWJqum7UJ3hgf6DEtroPSnVpHt4iR5w9ArKK-IBgluPght03gNcoNqwz7p77TFbdOmUKF_PWy1bcdbaUoSg"
+      # JWTs produced by Search Guard are unencrypted by default. Set a key here to activate encryption using AES Key Wrap.
+      # If you want ot use another signature algorithm, you can specify a complete JWK using the attriubute jwt_encryption_key.
+      # Refer to the documentation for details.
+      #jwt_encryption_key_a256kw: "..."
+      # Specify the maximum time period an auth token may be valid. Omit max_validity to have keys with unlimited lifetime.
+      # Note that when creating auth tokens, users can specify an even shorter time period.
+      max_validity: "1y"
+      # This specifies the maximum number of valid tokens a user can have at the same time.
+      max_tokens_per_user: 100
+    authc:
+      kerberos_auth_domain:
+        http_enabled: false
+        transport_enabled: false
+        order: 6
+        http_authenticator:
+          type: kerberos # NOT FREE FOR COMMERCIAL USE
+          challenge: true
+          config:
+            # If true a lot of kerberos/security related debugging output will be logged to standard out
+            krb_debug: false
+            # If true then the realm will be stripped from the user name
+            strip_realm_from_principal: true
+        authentication_backend:
+          type: noop
+      basic_internal_auth_domain:
+        description: "Authenticate via HTTP Basic against internal users database"
+        http_enabled: true
+        transport_enabled: true
+        order: 4
+        http_authenticator:
+          type: basic
+          challenge: true
+        authentication_backend:
+          type: intern
+      proxy_auth_domain:
+        description: "Authenticate via proxy"
+        http_enabled: false
+        transport_enabled: false
+        order: 3
+        http_authenticator:
+          type: proxy
+          challenge: false
+          config:
+            user_header: "x-proxy-user"
+            roles_header: "x-proxy-roles"
+        authentication_backend:
+          type: noop
+      jwt_auth_domain:
+        description: "Authenticate via Json Web Token"
+        http_enabled: false
+        transport_enabled: false
+        order: 0
+        http_authenticator:
+          type: jwt
+          challenge: false
+          config:
+            signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
+            jwt_header: "Authorization"
+            jwt_url_parameter: null
+            roles_key: null
+            subject_key: null
+        authentication_backend:
+          type: noop
+      sg_issued_jwt_auth_domain:
+        description: "Authenticate via Json Web Tokens issued by Search Guard"
+        http_enabled: false
+        # This auth domain is only available for HTTP
+        order: 1
+        http_authenticator:
+          type: sg_auth_token
+          challenge: false
+          # This auth domain automatically pulls configuration from the auth_token_provider config above
+        authentication_backend:
+          type: sg_auth_token
+      clientcert_auth_domain:
+        description: "Authenticate via SSL client certificates"
+        http_enabled: false
+        transport_enabled: false
+        order: 2
+        http_authenticator:
+          type: clientcert
+          config:
+            username_attribute: cn #optional, if omitted DN becomes username
+          challenge: false
+        authentication_backend:
+          type: noop
+      ldap:
+        description: "Authenticate via LDAP or Active Directory"
+        http_enabled: false
+        transport_enabled: false
+        order: 5
+        http_authenticator:
+          type: basic
+          challenge: false
+        authentication_backend:
+          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
+          type: ldap # NOT FREE FOR COMMERCIAL USE
+          config:
+            # enable ldaps
+            enable_ssl: false
+            # enable start tls, enable_ssl should be false
+            enable_start_tls: false
+            # send client certificate
+            enable_ssl_client_auth: false
+            # verify ldap hostname
+            verify_hostnames: true
+            hosts:
+              - localhost:8389
+            bind_dn: null
+            password: null
+            userbase: 'ou=people,dc=example,dc=com'
+            # Filter to search for users (currently in the whole subtree beneath userbase)
+            # {0} is substituted with the username
+            usersearch: '(sAMAccountName={0})'
+            # Use this attribute from the user as username (if not set then DN is used)
+            username_attribute: null
+    authz:
+      roles_from_myldap:
+        description: "Authorize via LDAP or Active Directory"
+        http_enabled: false
+        transport_enabled: false
+        authorization_backend:
+          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
+          type: ldap # NOT FREE FOR COMMERCIAL USE
+          config:
+            # enable ldaps
+            enable_ssl: false
+            # enable start tls, enable_ssl should be false
+            enable_start_tls: false
+            # send client certificate
+            enable_ssl_client_auth: false
+            # verify ldap hostname
+            verify_hostnames: true
+            hosts:
+              - localhost:8389
+            bind_dn: null
+            password: null
+            rolebase: 'ou=groups,dc=example,dc=com'
+            # Filter to search for roles (currently in the whole subtree beneath rolebase)
+            # {0} is substituted with the DN of the user
+            # {1} is substituted with the username
+            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
+            rolesearch: '(member={0})'
+            # Specify the name of the attribute which value should be substituted with {2} above
+            userroleattribute: null
+            # Roles as an attribute of the user entry
+            userrolename: disabled
+            #userrolename: memberOf
+            # The attribute in a role entry containing the name of that role, Default is "name".
+            # Can also be "dn" to use the full DN as rolename.
+            rolename: cn
+            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
+            resolve_nested_roles: true
+            userbase: 'ou=people,dc=example,dc=com'
+            # Filter to search for users (currently in the whole subtree beneath userbase)
+            # {0} is substituted with the username
+            usersearch: '(uid={0})'
+            # Skip users matching a user name, a wildcard or a regex pattern
+            #skip_users:
+            #  - 'cn=Michael Jackson,ou*people,o=TEST'
+            #  - '/\S*/'
+      roles_from_another_ldap:
+        description: "Authorize via another Active Directory"
+        http_enabled: false
+        transport_enabled: false
+        authorization_backend:
+          type: ldap # NOT FREE FOR COMMERCIAL USE
+          #config goes here ...
+  #    auth_failure_listeners:
+  #      ip_rate_limiting:
+  #        type: ip
+  #        allowed_tries: 10
+  #        time_window_seconds: 3600
+  #        block_expiry_seconds: 600
+  #        max_blocked_clients: 100000
+  #        max_tracked_clients: 100000
+  #      internal_authentication_backend_limiting:
+  #        type: username
+  #        authentication_backend: intern
+  #        allowed_tries: 10
+  #        time_window_seconds: 3600
+  #        block_expiry_seconds: 600
+  #        max_blocked_clients: 100000
+  #        max_tracked_clients: 100000

Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/install.yml

@@ -7,7 +7,7 @@
   yum:
     name: expect
     state: present
-  when: ansible_os_family == 'Redhat'
+  when: ansible_os_family == 'RedHat'
 
 - name: Install expect dependency
   become: yes
@@ -35,18 +35,33 @@
     shell: /bin/bash
     state: present
 
+- name: Check if mc tar exists
+  become: yes
+  stat:
+    path: "{{ jfrog_home_directory }}/{{ mc_tar_file_name }}"
+  register: mc_tar_check
+
 - name: Download mc
   become: yes
-  unarchive:
+  get_url:
-    src: "{{ mc_tar }}"
+    url: "{{ mc_tar }}"
+    timeout: "{{ mc_download_timeout }}"
     dest: "{{ jfrog_home_directory }}"
-    remote_src: yes
+  register: download_mc
+  until: download_mc is succeeded
+  retries: 3
+  when: not mc_tar_check.stat.exists
+
+- name: Extract mc tar
+  become: yes
+  unarchive:
+    src: "{{ jfrog_home_directory }}/{{ mc_tar_file_name }}"
+    dest: "{{ jfrog_home_directory }}"
+    remote_src: true
     owner: "{{ mc_user }}"
     group: "{{ mc_group }}"
     creates: "{{ mc_untar_home }}"
-  register: downloadmc
+  when: download_mc is succeeded
-  until: downloadmc is succeeded
-  retries: 3
 
 - name: Check if app directory exists
   become: yes

Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/main.yml

@@ -1,6 +1,10 @@
 - name: perform installation
   include_tasks: "install.yml"
-  when: not mc_upgrade_only
+  when: 
+    - mc_enabled
+    - not mc_upgrade_only
 - name: perform upgrade
   include_tasks: "upgrade.yml"
-  when: mc_upgrade_only
+  when:
+    - mc_enabled
+    - mc_upgrade_only

Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/setup-elasticsearch.yml

@@ -87,7 +87,7 @@
       - --strip-components=1
     owner: elasticsearch
     group: elasticsearch
-    creates: "{{ mc_es_java_home }}"
+    creates: "{{ mc_es_script_path }}"
   register: unarchive_result
   when: check_elasticsearch_package_result.matched > 0
 
@@ -159,12 +159,20 @@
   environment:
     ES_JAVA_HOME: "{{ mc_es_java_home }}"
     ES_PATH_CONF: "{{ mc_es_conf_base }}/"
-  register: start_elasticsearch_result
+  register: start_elasticsearch
   when: unarchive_result.extract_results.rc | default(128) == 0
 
 - name: Wait for elasticsearch to start
   pause:
-    seconds: 15
+    seconds: 30
+  when: start_elasticsearch.changed
+
+- name: Check if elasticsearch is running
+  wait_for: 
+    host: localhost
+    port: "{{ mc_es_transport_port }}"
+    delay: 5
+    connect_timeout: 1
 
 - name: Init searchguard plugin
   become: yes

Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/setup-searchguard.yml

@@ -22,7 +22,6 @@
 
 - name: Install searchguard plugin
   become: yes
-  become_user: elasticsearch
   ignore_errors: yes
   shell: |
     {{ mc_es_script_path }}/elasticsearch-plugin install \
@@ -57,6 +56,7 @@
   loop:
     - "sg_roles.yml"
     - "sg_roles_mapping.yml"
+    - "sg_config.yml"
 
 - name: Check execution bit
   become: yes

Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/upgrade-elasticsearch.yml

@@ -29,7 +29,7 @@
   shell: |
     {{ mc_es_script_path }}/elasticsearch-plugin remove {{ check_searchguard_bundle_result.files[0].path }}
   environment:
-    JAVA_HOME: "{{ mc_es_java_home }}"
+    ES_JAVA_HOME: "{{ mc_es_java_home }}"
     ES_PATH_CONF: "{{ mc_es_conf_base }}/config"
   register: remove_searchguard_result
   when: check_searchguard_bundle_result.matched == 1
@@ -75,6 +75,7 @@
       - --exclude=config
     owner: elasticsearch
     group: elasticsearch
+    creates: "{{ mc_es_script_path }}"
   register: unarchive_result
   when: check_elasticsearch_package_result.matched > 0
 
@@ -107,4 +108,16 @@
     ES_JAVA_HOME: "{{ mc_es_java_home }}"
     ES_PATH_CONF: "{{ mc_es_conf_base }}/"
   when: unarchive_result.extract_results.rc | default(128) == 0
-  register: start_elastcsearch_upgraded
+  register: start_elastcsearch
+
+- name: Wait for elasticsearch to start
+  pause:
+    seconds: 30
+  when: start_elasticsearch.changed
+
+- name: Check if elasticsearch is running
+  wait_for: 
+    host: localhost
+    port: "{{ mc_es_transport_port }}"
+    delay: 5
+    connect_timeout: 1

Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/upgrade-searchguard.yml

@@ -31,7 +31,6 @@
 
 - name: Install searchguard plugin
   become: yes
-  become_user: elasticsearch
   ignore_errors: yes
   shell: |
     {{ mc_es_script_path }}/elasticsearch-plugin install \

Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/tasks/upgrade.yml

@@ -14,8 +14,8 @@
     url: "{{ mc_tar }}"
     timeout: "{{ mc_download_timeout }}"
     dest: "{{ jfrog_home_directory }}"
-  register: downloadmc
+  register: download_mc
-  until: downloadmc is succeeded
+  until: download_mc is succeeded
   retries: 3
   when: not mc_tar_check.stat.exists
 
@@ -28,68 +28,37 @@
     owner: "{{ mc_user }}"
     group: "{{ mc_group }}"
     creates: "{{ mc_untar_home }}"
-  when: downloadmc is succeeded
+  when: download_mc is succeeded
 
 - name: Stop mc service
   become: yes
   systemd:
     name: "{{ mc_daemon }}"
     state: stopped
-  when: downloadmc.changed
+  when: download_mc.changed
 
 - name: Delete current app folder
   become: yes
   file:
     path: "{{ mc_home }}/app"
     state: absent
-  when: downloadmc.changed
+  when: download_mc.changed
 
 - name: Copy new app to mc app
   command: "cp -r {{ mc_untar_home }}/app/. {{ mc_home }}/app"
   become: yes
-  when: downloadmc.changed
+  when: download_mc.changed
 
 - name: Delete untar directory
   file:
     path: "{{ mc_untar_home }}"
     state: absent
   become: yes
-  when: downloadmc.changed
+  when: download_mc.changed
 
 - name: Upgrade elasticsearch
   import_tasks: upgrade-elasticsearch.yml
-  when: downloadmc.changed
+  when: download_mc.changed
-
-- name: Check if install.sh wrapper script exist
-  become: yes
-  stat:
-    path: "{{ mc_install_script_path }}/install.sh"
-  register: upgrade_wrapper_script
-  when: downloadmc.changed
-
-- name: Include interactive installer scripts
-  include_vars: script/archive.yml
-
-- name: Upgrade JFMC
-  include_tasks: expect.yml
-  vars:
-    exp_executable_cmd: "./install.sh -u {{ mc_user }} -g {{ mc_group }}"
-    exp_dir: "{{ mc_install_script_path }}"
-    exp_scenarios: "{{ mc_installer_scenario['main'] }}"
-  args:
-    apply:
-      environment:
-        YQ_PATH: "{{ mc_thirdparty_path }}/yq"
-  when: 
-    - upgrade_wrapper_script.stat.exists
-    - downloadmc.changed
-
-- name: Configure installer info
-  become: yes
-  template:
-    src: installer-info.json.j2
-    dest: "{{ mc_home }}/var/etc/info/installer-info.json"
-  notify: restart missioncontrol
 
 - name: Check if systemyaml exists
   become: yes
@@ -108,6 +77,37 @@
     - mc_systemyaml_override or (not systemyaml.stat.exists) 
   notify: restart missioncontrol
 
+- name: Check if install.sh wrapper script exist
+  become: yes
+  stat:
+    path: "{{ mc_install_script_path }}/install.sh"
+  register: upgrade_wrapper_script
+  when: download_mc.changed
+
+- name: Include interactive installer scripts
+  include_vars: script/archive.yml
+
+- name: Upgrade JFMC
+  include_tasks: expect.yml
+  vars:
+    exp_executable_cmd: "./install.sh -u {{ mc_user }} -g {{ mc_group }}"
+    exp_dir: "{{ mc_install_script_path }}"
+    exp_scenarios: "{{ mc_installer_scenario['main'] }}"
+  args:
+    apply:
+      environment:
+        YQ_PATH: "{{ mc_thirdparty_path }}/yq"
+  when: 
+    - upgrade_wrapper_script.stat.exists
+    - download_mc.changed
+
+- name: Configure installer info
+  become: yes
+  template:
+    src: installer-info.json.j2
+    dest: "{{ mc_home }}/var/etc/info/installer-info.json"
+  notify: restart missioncontrol
+
 - name: Update correct permissions
   become: yes
   file:

Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 # platform collection version
-platform_collection_version: 7.21.12
+platform_collection_version: 7.23.3
 
 # indicates were this collection was downlaoded from (galaxy, automation_hub, standalone)
 ansible_marketplace: galaxy

Ansible/ansible_collections/jfrog/platform/roles/missioncontrol/vars/script/archive.yml

@@ -14,7 +14,7 @@ mc_installer_scenario:
       }
     - {
         "expecting": "please specify the ip address of this machine(?!.*Skipping prompt)",
-        "sending": "{% if mc_ha_node_type is defined and mc_ha_node_type == 'master' %}{{ ansible_host }}{% else %}{{ ansible_host }}{% endif %}"
+        "sending": "{{ ansible_host }}"
       }
     - {
         "expecting": "are you adding an additional node",

Ansible/ansible_collections/jfrog/platform/roles/postgres/tasks/main.yml

@@ -1,4 +1,3 @@
 - name: Install postgres
   include_tasks: "install.yml"
-  when:
+  when: postgres_enabled
-    - postgres_enabled

Ansible/ansible_collections/jfrog/platform/roles/xray/tasks/install.yml

@@ -2,9 +2,6 @@
 - debug:
     msg: "Performing installation of Xray version : {{ xray_version }}"
 
-- debug:
-    msg: "ansible_os_family: {{ ansible_os_family }}"
-
 - name: Install expect dependency
   become: yes
   yum:
@@ -50,8 +47,8 @@
     url: "{{ xray_tar }}"
     timeout: "{{ xray_download_timeout }}"
     dest: "{{ jfrog_home_directory }}"
-  register: downloadxray
+  register: download_xray
-  until: downloadxray is succeeded
+  until: download_xray is succeeded
   retries: 3
   when: not xray_tar_check.stat.exists
 
@@ -64,7 +61,7 @@
     owner: "{{ xray_user }}"
     group: "{{ xray_group }}"
     creates: "{{ xray_untar_home }}"
-  when: downloadxray is succeeded
+  when: download_xray is succeeded
 
 - name: Check if app directory exists
   become: yes
@@ -135,6 +132,13 @@
     dest: "{{ xray_home }}/app/bin/rabbitmq/rabbitmq.conf"
   notify: restart xray
 
+- name: Configure installer info
+  become: yes
+  template:
+    src: installer-info.json.j2
+    dest: "{{ xray_home }}/var/etc/info/installer-info.json"
+  notify: restart xray
+
 - name: Check if systemyaml exists
   become: yes
   stat:
@@ -152,13 +156,6 @@
     - xray_systemyaml_override or (not systemyaml.stat.exists) 
   notify: restart xray
 
-- name: Configure installer info
-  become: yes
-  template:
-    src: installer-info.json.j2
-    dest: "{{ xray_home }}/var/etc/info/installer-info.json"
-  notify: restart xray
-
 - name: Ensure permissions are correct
   become: yes
   file:

Ansible/ansible_collections/jfrog/platform/roles/xray/tasks/upgrade.yml

@@ -14,8 +14,8 @@
     url: "{{ xray_tar }}"
     timeout: "{{ xray_download_timeout }}"
     dest: "{{ jfrog_home_directory }}"
-  register: downloadxray
+  register: download_xray
-  until: downloadxray is succeeded
+  until: download_xray is succeeded
   retries: 3
   when: not xray_tar_check.stat.exists
 
@@ -28,38 +28,38 @@
     owner: "{{ xray_user }}"
     group: "{{ xray_group }}"
     creates: "{{ xray_untar_home }}"
-  when: downloadxray is succeeded
+  when: download_xray is succeeded
 
 - name: stop xray
   become: yes
   systemd:
     name: "{{ xray_daemon }}"   
     state: stopped
-  when: downloadxray.changed
+  when: download_xray.changed
 
 - name: Delete xray app
   become: yes
   file:
     path: "{{ xray_home }}/app"
     state: absent
-  when: downloadxray.changed
+  when: download_xray.changed
 
 - name: Copy new app to xray app
   become: yes
   command: "cp -r {{ xray_untar_home }}/app/. {{ xray_home }}/app"
-  when: downloadxray.changed
+  when: download_xray.changed
 
 - name: Upgrade rabbitmq
   import_tasks: rabbitmq/upgrade/RedHat.yml
   when:
     - ansible_os_family == 'RedHat'
-    - downloadxray.changed
+    - download_xray.changed
 
 - name: Upgrade rabbitmq
   import_tasks: rabbitmq/upgrade/Debian.yml
   when:
     - ansible_os_family == 'Debian'
-    - downloadxray.changed
+    - download_xray.changed
 
 - name: Check if install.sh wrapper script exist
   become: yes
@@ -82,7 +82,7 @@
         YQ_PATH: "{{ xray_thirdparty_path }}/yq"
   when:
     - install_wrapper_script.stat.exists
-    - downloadxray.changed
+    - download_xray.changed
 
 - name: Configure rabbitmq config
   become: yes
@@ -90,7 +90,7 @@
     src: "rabbitmq.conf.j2"
     dest: "{{ xray_home }}/app/bin/rabbitmq/rabbitmq.conf"
   when:
-    - downloadxray.changed
+    - download_xray.changed
   notify: restart xray
 
 - name: Check if systemyaml exists

Ansible/ansible_collections/jfrog/platform/roles/xray/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 # platform collection version
-platform_collection_version: 7.21.12
+platform_collection_version: 7.23.3
 
 # indicates were this collection was downlaoded from (galaxy, automation_hub, standalone)
 ansible_marketplace: galaxy