Ansible Role kibana

This role installs and configures Kibana, a visualization and exploration tool for data stored in Elasticsearch.

Note that this role does NOT let you specify a particular Kibana version. It simply installs the latest available Kibana version from the repos configured in the system. If you want or need to install a specific version, have a look at the linuxfabrik.lfops.repo_elasticsearch role, which also provides Kibana packages.

Available since LFOps 5.0.0.

Dependent Roles

Any LFOps playbook that installs this role runs these for you. Optional ones can be disabled via the playbook’s skip variables.

• The official Elasticsearch repository (which also provides Kibana packages) must be enabled (role: linuxfabrik.lfops.repo_elasticsearch).

Requirements

Manual steps:

• Deploy a running Elasticsearch installation by running the elasticsearch playbook (role: linuxfabrik.lfops.elasticsearch).

• Create a service account token for Kibana on an Elasticsearch node:

  elastic_host='localhost'
  elastic_cacert='/etc/elasticsearch/certs/http_ca.crt'
  
  curl --cacert "$elastic_cacert" \
      --user "elastic:${ELASTIC_PASSWORD}" \
      --request POST "https://$elastic_host:9200/_security/service/elastic/kibana/credential/token/kibana-token-01?pretty=true" \
      --header "Content-Type: application/json"
  

Tags

kibana

• Installs and configures Kibana.

• Triggers: kibana.service restart.

kibana:configure

• Deploys configuration files.

• Triggers: kibana.service restart.

kibana:state

• Manages the state of the Kibana service.

• Triggers: none.

Mandatory Role Variables

kibana__elasticsearch_service_account_token

• Service account token for Kibana to authenticate to Elasticsearch. See Post-Installation Steps for how to create this token.

• Type: String.

• Default: none

kibana__xpack_encrypted_saved_objects_encryption_key

• Encryption key for encrypted saved objects (alerts, actions, connectors). Must be at least 32 characters. Generate with openssl rand -base64 32. Note: Use the same key across all Kibana instances when load-balancing.

• Type: String.

• Default: none

kibana__xpack_reporting_encryption_key

• Encryption key for reporting features. Must be at least 32 characters. Generate with openssl rand -base64 32. Note: Use the same key across all Kibana instances when load-balancing.

• Type: String.

• Default: none

kibana__xpack_security_encryption_key

• Encryption key for security features (session data, tokens). Must be at least 32 characters. Generate with openssl rand -base64 32. Note: Use the same key across all Kibana instances when load-balancing.

• Type: String.

• Default: none

Example:

# mandatory
kibana__elasticsearch_service_account_token: 'AAEAAWVsYXN0aWMva2liYW5hL3Rva2VuMTpabGQ...'
kibana__xpack_encrypted_saved_objects_encryption_key: '...'
kibana__xpack_reporting_encryption_key: '...'
kibana__xpack_security_encryption_key: '...'

Optional Role Variables

kibana__csp_strict

• Enables strict Content Security Policy (CSP) mode for additional protection against XSS attacks. Set to false if you have compatibility issues with certain browsers or plugins.

• Type: Bool.

• Default: true

kibana__elasticsearch_ca_cert

• ASCII-armored PEM CA certificate for TLS connections to Elasticsearch. Should match the CA used by Elasticsearch.

• Type: String.

• Default: unset

kibana__elasticsearch_hosts

• List of URLs of the Elasticsearch instances to use for all queries. Supports multiple hosts for high availability.

• Type: List.

• Default: ['https://localhost:9200']

kibana__elasticsearch_ssl_verification_mode

• Controls the verification of certificates presented by Elasticsearch. One of: full (performs hostname verification), certificate (skips hostname verification) or none (skips verification entirely).

• Type: String.

• Default: 'full'

kibana__logging

• Kibana logging configuration. Maps 1:1 to Kibana’s logging schema, so any combination of appenders, loggers, and root settings is supported. Setting this variable in the inventory replaces the default entirely; there is no recursive merge. The default writes JSON-formatted logs to /var/log/kibana/kibana.log, rotates them daily, and keeps 14 rotations.

• Type: Dictionary.

• Default:

  appenders:
    file:
      type: 'rolling-file'
      fileName: '/var/log/kibana/kibana.log'
      layout:
        type: 'json'
      policy:
        type: 'time-interval'
        interval: '24h'
        modulate: true
      strategy:
        type: 'numeric'
        max: 14
  root:
    appenders:
      - 'default'
      - 'file'
  

kibana__raw

• Raw content which will be appended to the kibana.yml config file.

• Type: String.

• Default: unset

kibana__server_host

• Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values. To allow connections from remote users, set this parameter to a non-loopback address.

• Type: String.

• Default: '0.0.0.0'

kibana__server_name

• A human-readable name for this Kibana instance.

• Type: String.

• Default: '{{ ansible_facts["nodename"] }}'

kibana__server_port

• The port on which the Kibana server will listen.

• Type: Number.

• Default: 5601

kibana__server_public_base_url

• The publicly available URL that end users will use to access Kibana. This is used for generating links in emails and other places.

• Type: String.

• Default: unset

kibana__server_security_response_headers_disable_embedding

• Prevents embedding Kibana in iframes to mitigate clickjacking attacks. Set to false if you need to embed Kibana in other applications.

• Type: Bool.

• Default: true

kibana__server_ssl_certificate

• Path to the PEM-format SSL certificate file for HTTPS connections from browsers to Kibana. Required when kibana__server_ssl_enabled: true is set. The role will set ownership to kibana:root and mode to 0644.

• Type: String.

• Default: unset

kibana__server_ssl_enabled

• Enables SSL/TLS for incoming connections from browsers to the Kibana server. When enabled, kibana__server_ssl_certificate and kibana__server_ssl_key must be provided.

• Type: Bool.

• Default: false

kibana__server_ssl_key

• Path to the PEM-format SSL private key file for HTTPS connections from browsers to Kibana. Required when kibana__server_ssl_enabled: true is set. The role will set ownership to kibana:kibana and mode to 0400 for security.

• Type: String.

• Default: unset

kibana__service_enabled

• Enables or disables the kibana service, analogous to systemctl enable/disable --now.

• Type: Bool.

• Default: true

kibana__service_state

• Controls the state of the kibana service, analogous to systemctl start/stop/restart/reload. Possible options:

  • started

  • stopped

  • restarted

  • reloaded

• Type: String.

• Default: 'started'

Example:

# optional
kibana__csp_strict: true
kibana__elasticsearch_ca_cert: '{{ lookup("ansible.builtin.file", "{{ inventory_dir }}/group_files/elasticsearch_cluster/etc/elasticsearch/certs/ca.crt") }}'
kibana__elasticsearch_hosts:
  - 'https://elasticsearch01.example.com:9200'
  - 'https://elasticsearch02.example.com:9200'
  - 'https://elasticsearch03.example.com:9200'
kibana__elasticsearch_ssl_verification_mode: 'full'
kibana__logging:
  appenders:
    console_appender:
      type: 'console'
      layout:
        type: 'pattern'
        highlight: true
  root:
    level: 'info'
    appenders:
      - 'console_appender'
  loggers:
    - name: 'plugins.reporting'
      level: 'debug'
kibana__raw: |-
  xpack.fleet.agents.enabled: true
kibana__server_host: '0.0.0.0'
kibana__server_name: 'kibana-prod-01'
kibana__server_port: 5601
kibana__server_public_base_url: 'https://kibana.example.com'
kibana__server_security_response_headers_disable_embedding: true
kibana__server_ssl_certificate: '/etc/pki/tls/certs/kibana-server.crt'
kibana__server_ssl_enabled: true
kibana__server_ssl_key: '/etc/pki/tls/private/kibana-server.key'
kibana__service_enabled: true
kibana__service_state: 'started'

License

The Unlicense

Author Information

Linuxfabrik GmbH, Zurich