Merge pull request #1 from punktDe/v8-update

Kibana v8 support

Author: medanthelinium

defaults/main.yaml

@@ -1,4 +1,5 @@
 kibana:
+  version: 8
   prefix:
     config: >-
       {%- if ansible_system == 'Linux' -%}
@@ -9,8 +10,7 @@ kibana:
   repository:
     apt:
       key_url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
-      repository: |
-        deb https://artifacts.elastic.co/packages/7.x/apt stable main
+      repository: https://artifacts.elastic.co/packages/{{ vars.kibana.version }}.x/apt
   domain:
   use_dehydrated: yes
   oauth2_proxy:

meta/main.yaml

@@ -1,2 +1,3 @@
 dependencies:
   - role: nginx
+  - role: elasticsearch

tasks/configure.yaml

@@ -0,0 +1,5 @@
+---
+- name: Enable Kibana
+  service:
+    name: kibana
+    enabled: yes

tasks/install.yaml

@@ -1,33 +1,61 @@
-- when: ansible_distribution == 'Ubuntu'
-  block:
-    - name: Add Elastic repository key
-      apt_key:
-        url: "{{ kibana.repository.apt.key_url }}"
+---
+- name: Install python3-debian package with apt
+  ansible.builtin.apt:
+    name: python3-debian
+    update_cache: yes
 
-    - name: Add Elastic repository
-      loop:
-        - /etc/apt/sources.list.d/elastic.list
-      copy:
-        content: "{{ kibana.repository.apt.repository }}"
-        dest: "{{ item }}"
-      register: kibana_add_apt_repository
+- name: Remove the legacy apt repository
+  ansible.builtin.file:
+    dest: /etc/apt/sources.list.d/elastic.list
+    state: absent
+      
+- name: Add the Kibana apt repository
+  register: kibana_repository_added
+  ansible.builtin.deb822_repository:
+    name: elastic
+    uris: "{{ kibana.repository.apt.repository }}"
+    signed_by: "{{ kibana.repository.apt.key_url }}"
+    types: [deb]
+    components: [main]
+    suites: [stable]
+    state: present
+    enabled: yes
 
-    - name: Update apt cache
-      when: kibana_add_apt_repository.changed
-      apt:
-        update_cache: yes
+- name: Update apt cache
+  when: kibana_repository_added.changed
+  ansible.builtin.apt:
+    update_cache: yes
 
-    - name: Install Kibana
-      apt:
-        name: kibana
+- name: Install Kibana
+  notify: Restart Kibana
+  ansible.builtin.apt:
+    name: kibana
 
-    - name: Restart Kibana after package upgrade
-      lineinfile:
-        path: /etc/default/kibana
-        regexp: '^#?RESTART_ON_UPGRADE='
-        line: RESTART_ON_UPGRADE=true
+- name: Restart Kibana after package upgrade
+  ansible.builtin.lineinfile:
+    path: /etc/default/kibana
+    regexp: '^#?RESTART_ON_UPGRADE='
+    line: RESTART_ON_UPGRADE=true
 
-- name: Enable Kibana
-  service:
-    name: kibana
-    enabled: yes
+- name: Handle Kibana v8 service ovverides
+  when: kibana.version >= 8
+  block:
+  - name: Make sure the service override folder exists for the Kibana systemd service
+    ansible.builtin.file:
+      dest: /etc/systemd/system/kibana.service.d
+      state: directory
+      owner: root
+      mode: "0755"
+
+  - name: Override the Kibana systemd service to disable the log.dest parameter
+    notify: Restart Kibana
+    ansible.builtin.copy:
+      content: |
+        [Service]
+        ExecStart=
+        ExecStart=/usr/share/kibana/bin/kibana --pid.file="/run/kibana/kibana.pid"
+      dest: /etc/systemd/system/kibana.service.d/override.conf
+
+  - name: Reload systemd daemons
+    ansible.builtin.systemd:
+      daemon_reload: yes

tasks/kibana.yaml

@@ -1,6 +1,6 @@
 - name: Template Kibana config
   loop:
-    - src: kibana/kibana.yml
+    - src: kibana/kibana.yml.j2
       dest: "{{ kibana.prefix.config }}/kibana.yml"
   loop_control:
     label: "{{ item.dest }}"

tasks/main.yaml

@@ -1,3 +1,12 @@
+---
 - import_tasks: install.yaml
+  when: ansible_os_family == "Debian"
+
+- import_tasks: configure.yaml
+
 - import_tasks: nginx.yaml
+
+- import_tasks: password.yaml
+  when: kibana.version is version('8', '>=')
+
 - import_tasks: kibana.yaml

tasks/password.yaml

@@ -0,0 +1,28 @@
+---
+- name: Display an error about missing kibana_system password
+  when: not elasticsearch.users.builtin.kibana_system.password
+  ansible.builtin.fail:
+    msg: >-
+      [ERROR]: The password for built-in user 'kibana_system' is not defined.
+      Starting with ElasticSearch 8, security is enabled by default,
+      which means that the built-in users must be password-protected.
+      Please set the variable `elasticsearch.users.builtin.kibana_system.password`
+      to your desired password.
+
+- name: Check if the password for the kibana_system user is already defined
+  changed_when: kibana_system_password_already_set.status == 401
+  failed_when: kibana_system_password_already_set is failed and kibana_system_password_already_set.status != 401
+  register: kibana_system_password_already_set
+  ansible.builtin.uri:
+    url: http://localhost:9200
+    user: kibana_system
+    password: "{{ elasticsearch.users.builtin.kibana_system.password }}"
+    force_basic_auth: yes
+
+- name: Define a password for the kibana_password user
+  when: kibana_system_password_already_set is changed
+  changed_when: yes
+  ansible.builtin.shell:
+    cmd: >-
+      printf "{{ elasticsearch.users.builtin.kibana_system.password }}\n{{ elasticsearch.users.builtin.kibana_system.password }}" |
+      {{ elasticsearch.prefix.bin }}/elasticsearch-reset-password -b -u kibana_system -i

templates/kibana/kibana.yml

@@ -0,0 +1,5 @@
+{% if kibana.version is not defined or kibana.version is version('8', '<') %}
+{{ kibana['kibana.yml'] | to_nice_yaml(indent=2) }}
+{% else %}
+{{ kibana['kibana.yml'] | ansible.utils.remove_keys(target=['apm', 'graph', 'ml', 'reporting', 'xpack']) | to_nice_yaml(indent=2) }}
+{% endif %}

templates/kibana/kibana.yml.j2

@@ -1,58 +1,92 @@
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  ''      close;
+}
+
+{% if dehydrated | cert_exists(kibana.domain) and kibana.use_dehydrated %}
 server {
-    {% if dehydrated|cert_exists(kibana.domain) and kibana.use_dehydrated %}
-    listen 0.0.0.0:443 ssl http2;
-    listen [::]:443 ssl http2;
-    {% else %}
-    listen 0.0.0.0:80;
-    listen [::]:80;
-    {% endif %}
+  listen 0.0.0.0:80;
+  listen [::]:80;
+  {% if ansible_local.proserver|default(none) and ansible_local.proserver.routing.with_gate64 -%}
+  listen [::1]:87 proxy_protocol;
+  {%- endif %}
+
+  server_name {{ kibana.domain }};
+
+  root /var/null;
+
+  location / {
+    return 301 https://$host$request_uri;
+  }
+
+  include {{ nginx.prefix.config }}/include/letsencrypt.conf;
+}
+
+server {
+  listen 0.0.0.0:443 ssl http2;
+  listen [::]:443 ssl http2;
 
-    server_name {{ kibana.domain }};
+  server_name {{ kibana.domain }};
+  
+  client_max_body_size 100M;
 
-    include {{ nginx.prefix.config }}/include/security_headers.conf;
+  include {{ nginx.prefix.config }}/include/security_headers.conf;
 
+  {% if kibana.oauth2_proxy %}
+  location /proserver/iap {
+    proxy_pass http://[::1]:{{ oauth2_proxy.config[kibana.oauth2_proxy].http_address.split(":")[-1] }};
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Scheme $scheme;
+    proxy_set_header X-Auth-Request-Redirect $request_uri;
+  }
+
+  location = /proserver/iap/auth {
+    proxy_pass http://[::1]:{{ oauth2_proxy.config[kibana.oauth2_proxy].http_address.split(":")[-1] }};
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Scheme $scheme;
+    proxy_set_header Content-Length "";
+    proxy_pass_request_body off;
+  }
+  {% endif %}
+
+  location / {
     {% if kibana.oauth2_proxy %}
-    location /proserver/iap {
-        proxy_pass http://[::1]:{{ oauth2_proxy.config[kibana.oauth2_proxy].http_address.split(":")[-1] }};
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Scheme $scheme;
-        proxy_set_header X-Auth-Request-Redirect $request_uri;
-    }
-
-    location = /proserver/iap/auth {
-        proxy_pass http://[::1]:{{ oauth2_proxy.config[kibana.oauth2_proxy].http_address.split(":")[-1] }};
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Scheme $scheme;
-        proxy_set_header Content-Length "";
-        proxy_pass_request_body off;
-    }
+    auth_request /proserver/iap/auth;
+    error_page 401 = /proserver/iap/sign_in;
+    auth_request_set $auth_cookie $upstream_http_set_cookie;
+    add_header Set-Cookie $auth_cookie;
     {% endif %}
 
-    location / {
-        {% if kibana.oauth2_proxy %}
-        auth_request /proserver/iap/auth;
-        error_page 401 = /proserver/iap/sign_in;
-        auth_request_set $auth_cookie $upstream_http_set_cookie;
-        add_header Set-Cookie $auth_cookie;
-        {% endif %}
-
-        proxy_pass http://127.0.0.1:5601;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-        proxy_set_header Host $host;
-        proxy_cache_bypass $http_upgrade;
-    }
-
-    {% if dehydrated|cert_exists(kibana.domain) and kibana.use_dehydrated -%}
-    ############################################################################
-    # HTTPS
-    ############################################################################
-    ssl_certificate {{ dehydrated|cert_fullchain(kibana.domain) }};
-    ssl_certificate_key {{ dehydrated|cert_privkey(kibana.domain) }};
-    ssl_trusted_certificate {{ dehydrated|cert_chain(kibana.domain) }};
-    include {{ nginx.prefix.config }}/include/https_params.conf;
-    {% endif %}
+    proxy_pass http://127.0.0.1:5601;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $host;
+    proxy_cache_bypass $http_upgrade;
+  }
+
+  ssl_certificate {{ dehydrated|cert_fullchain(kibana.domain) }};
+  ssl_certificate_key {{ dehydrated|cert_privkey(kibana.domain) }};
+  ssl_trusted_certificate {{ dehydrated|cert_chain(kibana.domain) }};
+  include {{ nginx.prefix.config }}/include/https_params.conf;
+}
+{% else %}
+
+server {
+  listen 0.0.0.0:80;
+  listen [::]:80;
+
+  server_name {{ kibana.domain }};
+
+  location / {
+    proxy_pass http://127.0.0.1:5601;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $host;
+    proxy_cache_bypass $http_upgrade;
+  }
 }
+{% endif %}