search

fedelemantuano / ansible-kibana

Ansible role for Kibana
https://galaxy.ansible.com/fedelemantuano/kibana
Apache License 2.0
17 stars 20 forks source link

Enable SSL/TLS for Kibana. Optionally secure kibana settings in the k… #13

Closed mirkenstein closed 4 years ago

mirkenstein commented 4 years ago

Features enabled by the SSL/TLS playbook

  1. Encrypt communication with elasticsearch. See the oficial documentation on details of the implementation: Encrypt traffic between Kibana and Elasticsearch and Configure Kibana to use the client certificate and private key.

To enable this module simple set the variable

es_enable_http_ssl: true

a. If your certificate and private key are contained in a PKCS#12 (.p12 or .pfx) file then use 

es_ssl_keystore: "files/certs/my-keystore.p12"
es_ssl_keystore_password: elastic

b. Otherwise, if your certificate and private key are in PEM format:

es_ssl_cert: "files/certs/client/client.crt"
es_ssl_key: "files/certs/client/client.key"
es_ssl_key_passphrase: elastic
  1. Kibana Server SSL for Encrypt traffic between the browser and Kibana as described in Encrypt Communications in Kibana

Set the variable:

enable_server_ssl: true

a. If your Kibana server certificate and private key are contained in a PKCS#12 (.p12 or .pfx) file then use

server_ssl_keystore: "files/certs/my-keystore.p12"
server_ssl_keystore_password: elastic

b. If your server certificate and private key are in PEM format:

server_ssl_cert: "files/certs/server/server.crt"
server_ssl_key: "files/certs/server/server.key"
server_ssl_key_passphrase: elastic
  1. Implement Secure Settings

Stores the Kibana username/password in he Kibana keystore instead of the kibana.conf file.

secure_settings: true

  - name: Simple Example with SSL 
    hosts: kibana-node
    roles:
    - role: fedelemantuano.kibana
      es_version: 7.6.2
      kibana_api_host: "{{ ansible_default_ipv4.address }}"
      #Secure communication with Elasticsearch
      es_enable_http_ssl: true
      es_ssl_verification_mode: "certificate"
      #Use se the PKCS12 .p12 or pfx keystore file.
      es_ssl_keystore: "files/certs/my-keystore.p12""
      es_ssl_keystore_password: elastic
      #Alternatively use the certificate/key 
      #es_ssl_cert: "files/certs/client/client.crt"
      #es_ssl_key: "files/certs/client/client.key"
      #es_ssl_key_passphrase: elastic
      enable_server_ssl: true
      server_ssl_keystore: "files/certs/my-keystore.p12"
      server_ssl_keystore_password: elastic
      #server_ssl_cert: "files/certs/server/server.crt"
      #server_ssl_key: "files/certs/server/server.key"
      #server_ssl_key_passphrase: elastic
      #Store kibana settings in the keystore
      secure_settings: true
      es_user: kibana
      es_pass: changeme
      kibana_config:
          server.name: "{{ inventory_hostname }}"
          server.port: 5601
          server.host: "{{ ansible_default_ipv4.address }}"
          elasticsearch.hosts: "https://{{ ansible_default_ipv4.address }}:9200"
          xpack.security.audit.enabled: true

Debugging tips

Check what is stored in the Kibana keystore. 

[root@kibana-host]# /usr/share/kibana/bin/kibana-keystore list  --allow-root
elasticsearch.ssl.keystore.password
server.ssl.keystore.password
elasticsearch.username
elasticsearch.password
[root@kibana-host]#
fedelemantuano commented 4 years ago

Thanks for this PR @mirkenstein. Do you have time to manage this role with me?

mirkenstein commented 4 years ago

@fedelemantuano, I do have time to mange this role together with you. I plan to submit another major PR in the near future. I will be adding more capabilities and will be accounting for the various edge use-cases when deploying Kibana and updating the SSL certs overtime.