Features enabled by the SSL/TLS playbook
- Encrypt communication with elasticsearch. See the oficial documentation on details of the implementation: Encrypt traffic between Kibana and Elasticsearch and Configure Kibana to use the client certificate and private key.
To enable this module simple set the variable
es_enable_http_ssl: truea. If your certificate and private key are contained in a PKCS#12 (*.p12 or *.pfx) file then use
es_ssl_keystore: "files/certs/my-keystore.p12"
es_ssl_keystore_password: elasticb. Otherwise, if your certificate and private key are in PEM format:
es_ssl_cert: "files/certs/client/client.crt"
es_ssl_key: "files/certs/client/client.key"
es_ssl_key_passphrase: elastic- Kibana Server SSL for Encrypt traffic between the browser and Kibana as described in Encrypt Communications in Kibana
Set the variable:
enable_server_ssl: truea. If your Kibana server certificate and private key are contained in a PKCS#12 (*.p12 or *.pfx) file then use
server_ssl_keystore: "files/certs/my-keystore.p12"
server_ssl_keystore_password: elasticb. If your server certificate and private key are in PEM format:
server_ssl_cert: "files/certs/server/server.crt"
server_ssl_key: "files/certs/server/server.key"
server_ssl_key_passphrase: elastic- Implement Secure Settings
Stores the Kibana username/password in he Kibana keystore instead of the kibana.conf file.
secure_settings: true
4. Implement OIDC kibana configuration as documented here
Configuring Kibana and
Set up OpenID Connect with Azure, Google, or Okta
Secure your clusters with OpenID Connect
This is controlled via es_enable_oidc: true
And will add the following settings to kibana.yml
xpack.security.authc.providers:
oidc.oidc1:
order: 0
realm: oidc1
description: "Log in with my OpenID Connect"
basic.basic1:
order: 1If you are using a Kibana instance of version 7.6 or earlier change the settings in your kibana.yml to:
xpack.security.authc.providers: [oidc]
xpack.security.authc.oidc.realm: "oidc1"
server.xsrf.whitelist: [/api/security/v1/oidc] - name: Simple Kibana Playbook with SSL enabled
hosts: kibana-node
roles:
- role: fedelemantuano.kibana
es_version: 7.11.2
kibana_api_host: "{{ ansible_default_ipv4.address }}"
#Secure communication with Elasticsearch
es_enable_http_ssl: true
es_ssl_verification_mode: "certificate"
#Use se the PKCS12 .p12 or pfx keystore file.
es_ssl_keystore: "files/certs/my-keystore.p12""
es_ssl_keystore_password: elastic
#Alternatively use the certificate/key
#es_ssl_cert: "files/certs/client/client.crt"
#es_ssl_key: "files/certs/client/client.key"
#es_ssl_key_passphrase: elastic
enable_server_ssl: true
server_ssl_keystore: "files/certs/my-keystore.p12"
server_ssl_keystore_password: elastic
#server_ssl_cert: "files/certs/server/server.crt"
#server_ssl_key: "files/certs/server/server.key"
#server_ssl_key_passphrase: elastic
#Store kibana settings in the keystore
secure_settings: true
es_user: kibana_system
es_pass: changeme
es_enable_oidc: false
kibana_config:
server.name: "{{ inventory_hostname }}"
server.port: 5601
server.host: "{{ ansible_default_ipv4.address }}"
elasticsearch.hosts: "https://{{ ansible_default_ipv4.address }}:9200"
xpack.security.audit.enabled: true
#Add this when deploying behing AWS ALB Target Group
#server.basePath: "/kibana"
#server.rewriteBasePath: true
Check what is stored in the Kibana keystore.
[root@kibana-host]# /usr/share/kibana/bin/kibana-keystore list --allow-root
elasticsearch.ssl.keystore.password
server.ssl.keystore.password
elasticsearch.username
elasticsearch.password
[root@kibana-host]#Use this playbook for removing kibana from RPM based system.
- hosts: kibana-node
tasks:
- yum:
name: kibana
state: absent
become: true
- file:
path: "{{item}}"
state: absent
loop:
- /etc/kibana
- /usr/share/kibana
- /var/lib/kibana
become: true