Improve error scenarios for user sync; Ensure user sync runs before Elastic container starts

salt/common/tools/sbin/so-user

@@ -142,6 +142,7 @@ function syncElastic() {
 
   sysUser=$(lookup_pillar "auth:user" "elasticsearch")
   sysPass=$(lookup_pillar "auth:pass" "elasticsearch")
+  [[ -z "$sysUser" || -z "$sysPass" ]] && fail "Elastic auth credentials for system user are missing"
   sysHash=$(hashPassword "$sysPass")
 
   # Generate the new users file
@@ -153,7 +154,9 @@ function syncElastic() {
     sqlite3 "$databasePath" | \
     jq -r '.user + ":" + .data.hashed_password' \
     >> "$usersFileTmp"
+  [[ $? != 0 ]] && fail "Unable to read credential hashes from database"
   mv -f "$usersFileTmp" "$elasticUsersFile"
+  [[ $? != 0 ]] && fail "Unable to create users file: $elasticUsersFile"
 
   # Generate the new users_roles file
   echo "superuser:${sysUser}" >> "$rolesFileTmp"
@@ -163,7 +166,9 @@ function syncElastic() {
     "order by ici.identifier;" | \
     sqlite3 "$databasePath" \
     >> "$rolesFileTmp"
+  [[ $? != 0 ]] && fail "Unable to read credential IDs from database"
   mv -f "$rolesFileTmp" "$elasticRolesFile"
+  [[ $? != 0 ]] && fail "Unable to create users file: $elasticRolesFile"
 }
 
 function syncAll() {

salt/elasticsearch/init.sls

@@ -169,6 +169,14 @@ eslogdir:
     - group: 939
     - makedirs: True
 
+# Must run before elasticsearch docker container is started!
+syncesusers:
+  cmd.run:
+    - name: so-user sync
+    - creates:
+      - /opt/so/conf/elasticsearch/users
+      - /opt/so/conf/elasticsearch/users_roles
+
 so-elasticsearch:
   docker_container.running:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }}