Ansible Role kibana
This role installs and configures Kibana, a visualization and exploration tool for data stored in Elasticsearch.
Note that this role does NOT let you specify a particular Kibana version. It simply installs the latest available Kibana version from the repos configured in the system. If you want or need to install a specific version, have a look at the linuxfabrik.lfops.repo_elasticsearch role, which also provides Kibana packages.
Mandatory Requirements
Enable the official Elasticsearch repository (which also provides Kibana packages). This can be done using the linuxfabrik.lfops.repo_elasticsearch role.
A running Elasticsearch installation. This can be done using the linuxfabrik.lfops.elasticsearch role.
If you use the kibana playbook, the repository setup is automatically done for you.
Pre-Installation Steps
Create a service account token for Kibana on an Elasticsearch node:
```bash
elastic_host='localhost'
elastic_cacert='/etc/elasticsearch/certs/http_ca.crt'
curl --cacert "$elastic_cacert" \
    --user "elastic:${ELASTIC_PASSWORD}" \
    --request POST "https://$elastic_host:9200/_security/service/elastic/kibana/credential/token/kibana-token-01?pretty=true" \
    --header "Content-Type: application/json"
```
Mandatory Role Variables
| Variable | Description |
|---|---|
| kibana__elasticsearch_service_account_token | Service account token for Kibana to authenticate to Elasticsearch. See Pre-Installation Steps for how to create this token. |
| kibana__xpack_encrypted_saved_objects_encryption_key | Encryption key for encrypted saved objects (alerts, actions, connectors). Must be at least 32 characters. Generate with |
| kibana__xpack_reporting_encryption_key | Encryption key for reporting features. Must be at least 32 characters. Generate with |
| kibana__xpack_security_encryption_key | Encryption key for security features (session data, tokens). Must be at least 32 characters. Generate with |
Example:
```yaml
# mandatory
kibana__elasticsearch_service_account_token: 'AAEAAWVsYXN0aWMva2liYW5hL3Rva2VuMTpabGQ...'
kibana__xpack_encrypted_saved_objects_encryption_key: '...'
kibana__xpack_reporting_encryption_key: '...'
kibana__xpack_security_encryption_key: '...'
```
Optional Role Variables
| Variable | Description | Default Value |
|---|---|---|
| kibana__csp_strict | Boolean. Enables strict Content Security Policy (CSP) mode for additional protection against XSS attacks. Set to | |
| kibana__elasticsearch_ca_cert | ASCII-armored PEM CA certificate for TLS connections to Elasticsearch. Should match the CA used by Elasticsearch. | unset |
| kibana__elasticsearch_hosts | List of URLs of the Elasticsearch instances to use for all queries. Supports multiple hosts for high availability. | |
| kibana__elasticsearch_ssl_verification_mode | Controls the verification of certificates presented by Elasticsearch. One of: | |
| kibana__server_host | Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values. To allow connections from remote users, set this parameter to a non-loopback address. | |
| kibana__server_name | A human-readable name for this Kibana instance. | |
| kibana__server_port | The port on which the Kibana server will listen. | |
| kibana__server_public_base_url | The publicly available URL that end users will use to access Kibana. This is used for generating links in emails and other places. | unset |
| kibana__server_security_response_headers_disable_embedding | Prevents embedding Kibana in iframes to mitigate clickjacking attacks. Set to | |
| kibana__server_ssl_certificate | Path to the PEM-format SSL certificate file for HTTPS connections from browsers to Kibana. Required when | unset |
| kibana__server_ssl_enabled | Boolean. Enables SSL/TLS for incoming connections from browsers to the Kibana server. When enabled, | |
| kibana__server_ssl_key | Path to the PEM-format SSL private key file for HTTPS connections from browsers to Kibana. Required when | unset |
| kibana__raw | Multiline string. Raw content which will be appended to the | unset |
| kibana__service_enabled | Enables or disables the kibana service, analogous to | |
| kibana__service_state | Controls the state of the kibana service, analogous to | |
Example:
```yaml
# optional
kibana__csp_strict: true
kibana__elasticsearch_ca_cert: '{{ lookup("ansible.builtin.file", "{{ inventory_dir }}/group_files/elasticsearch_cluster/etc/elasticsearch/certs/ca.crt") }}'
kibana__elasticsearch_hosts:
  - 'https://elasticsearch01.example.com:9200'
  - 'https://elasticsearch02.example.com:9200'
  - 'https://elasticsearch03.example.com:9200'
kibana__elasticsearch_ssl_verification_mode: 'full'
kibana__server_host: '0.0.0.0'
kibana__server_name: 'kibana-prod-01'
kibana__server_port: 5601
kibana__server_public_base_url: 'https://kibana.example.com'
kibana__server_security_response_headers_disable_embedding: true
kibana__server_ssl_certificate: '/etc/pki/tls/certs/kibana-server.crt'
kibana__server_ssl_enabled: true
kibana__server_ssl_key: '/etc/pki/tls/private/kibana-server.key'
# the block scalar content must be indented below its key
kibana__raw: |-
  logging.root.level: debug
  xpack.fleet.agents.enabled: true
kibana__service_enabled: true
kibana__service_state: 'started'
```
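A pre-flight check for the variables described above, as an added example that is not part of the role: it takes the role variables as a Python dict and reports encryption keys shorter than 32 characters, TLS enabled without a certificate or key, a non-loopback bind address without TLS, and a verification mode other than `full`. The function names, the distinct-keys check and the sample values are assumptions made here, and an unset `kibana__server_host` is treated as loopback.

```python
import secrets
KEY_VARS = (
    "kibana__xpack_encrypted_saved_objects_encryption_key",
    "kibana__xpack_reporting_encryption_key",
    "kibana__xpack_security_encryption_key",
)
TLS_FILES = ("kibana__server_ssl_certificate", "kibana__server_ssl_key")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def new_key():  # 64 hex characters from the OS CSPRNG, above the 32-character minimum
    return secrets.token_hex(32)

def check_vars(v):
    """Return findings for a dict of explicitly set kibana__* variables."""
    out = []
    if not v.get("kibana__elasticsearch_service_account_token"):
        out.append("service account token is not set")
    keys = [v.get(name) or "" for name in KEY_VARS]
    out += [f"{n}: shorter than 32 characters"
            for n, k in zip(KEY_VARS, keys) if len(k) < 32]
    if len(set(keys)) < len(keys):  # hygiene check added here, not a rule from the page
        out.append("encryption keys are not distinct")
    if v.get("kibana__server_ssl_enabled") is True:
        out += [f"{n}: required when TLS is enabled"
                for n in TLS_FILES if not v.get(n)]
    elif v.get("kibana__server_host", "localhost") not in LOOPBACK:
        out.append("non-loopback bind address without TLS")
    mode = v.get("kibana__elasticsearch_ssl_verification_mode")
    if mode is not None and mode != "full":
        out.append(f"certificate verification mode is '{mode}', not 'full'")
    return out

# Constructed sample: placeholder keys left in, remote bind without TLS.
WEAK = {
    "kibana__elasticsearch_service_account_token": "constructed-token-value",
    **{name: "..." for name in KEY_VARS},
    "kibana__server_host": "0.0.0.0",
    "kibana__elasticsearch_ssl_verification_mode": "none",
}
HARDENED = {
    **WEAK,
    **{name: new_key() for name in KEY_VARS},
    "kibana__server_ssl_enabled": True,
    "kibana__server_ssl_certificate": "/etc/pki/tls/certs/kibana-server.crt",
    "kibana__server_ssl_key": "/etc/pki/tls/private/kibana-server.key",
    "kibana__elasticsearch_ssl_verification_mode": "full",
}
if __name__ == "__main__":
    print(check_vars(WEAK), check_vars(HARDENED), sep="\n")
```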