From e2b7d6ea42107f128cb12383d2898df2c1b8d1f7 Mon Sep 17 00:00:00 2001 From: David Okon Date: Fri, 13 Feb 2026 11:22:37 +0100 Subject: [PATCH 1/3] improve encryption key handling and adjustable encryption key size, also output if existing encryption keys are found --- roles/elasticstack/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/elasticstack/defaults/main.yml b/roles/elasticstack/defaults/main.yml index ee14ca30..819934c0 100644 --- a/roles/elasticstack/defaults/main.yml +++ b/roles/elasticstack/defaults/main.yml @@ -25,6 +25,7 @@ elasticstack_security: true elasticstack_variant: elastic elasticstack_force_pip: false elasticstack_manage_pip: false +elasticstack_encryption_key_size: 64 # for debugging only elasticstack_no_log: true From 93897fb964d5d3a25a10a8a501465af598d9a418 Mon Sep 17 00:00:00 2001 From: David Okon Date: Fri, 13 Feb 2026 12:09:57 +0100 Subject: [PATCH 2/3] implemented checks if encryption keys already exist --- roles/kibana/tasks/kibana-security.yml | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml index db4479ed..40d226fa 100644 --- a/roles/kibana/tasks/kibana-security.yml +++ b/roles/kibana/tasks/kibana-security.yml @@ -1,5 +1,15 @@ --- +- name: Ensure encryption key exists + ansible.builtin.stat: + path: "{{ elasticstack_ca_dir }}/encryption_key" + register: encryption_key_exists + +- name: Ensure saved encryption key exists + ansible.builtin.stat: + path: "{{ elasticstack_ca_dir }}/savedobjects_encryption_key" + register: savedobjects_encryption_key_exists + - name: Ensure kibana certificate exists ansible.builtin.stat: path: "/etc/kibana/certs/{{ ansible_hostname }}-kibana.p12" 
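Review bot: The new default `elasticstack_encryption_key_size: 64` does not say what the number measures; it is passed to `openssl rand -base64` in the kibana role, so it is a count of random bytes, and the key written to disk is about a third longer in characters. Kibana requires `xpack.security.encryptionKey` and `xpack.encryptedSavedObjects.encryptionKey` to be at least 32 characters, so a value below 24 produces an unusable key with no error from this role. I would document the unit and the floor on the line itself, e.g. `elasticstack_encryption_key_size: 64  # random bytes for 'openssl rand -base64'; keep >= 24 so the key is >= 32 characters`, and consider an `ansible.builtin.assert` in the kibana role that the variable is an integer of at least 24 before the generation tasks run.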
@@ -125,11 +135,14 @@ - name: Generate encryption key # noqa: risky-shell-pipe ansible.builtin.shell: > if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi; - openssl rand -base64 36 > + openssl rand -base64 {{ elasticstack_encryption_key_size }} > {{ elasticstack_ca_dir }}/encryption_key changed_when: false args: creates: "{{ elasticstack_ca_dir }}/encryption_key" + - debug: + msg: "File exists..." + when: encryption_key_exists.stat.exits - name: Fetch encryption key ansible.builtin.command: cat {{ elasticstack_ca_dir }}/encryption_key @@ -139,12 +152,14 @@ - name: Generate saved objects encryption key # noqa: risky-shell-pipe ansible.builtin.shell: > if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi; - openssl rand - -base64 36 > + openssl rand -base64 {{ elasticstack_encryption_key_size }} > {{ elasticstack_ca_dir }}/savedobjects_encryption_key changed_when: false args: creates: "{{ elasticstack_ca_dir }}/savedobjects_encryption_key" + - debug: + msg: "File exists..." + when: savedobjects_encryption_key_exists.stat.exits - name: Fetch saved objects encryption key ansible.builtin.command: cat {{ elasticstack_ca_dir }}/savedobjects_encryption_key From d63b1c2782e65bedf317e4ec27bb47ff0d5be94f Mon Sep 17 00:00:00 2001 From: David Okon Date: Fri, 13 Feb 2026 14:19:36 +0100 Subject: [PATCH 3/3] removed trailing spaces for lint --- roles/kibana/tasks/kibana-security.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml index 40d226fa..3851b2f9 100644 --- a/roles/kibana/tasks/kibana-security.yml +++ b/roles/kibana/tasks/kibana-security.yml @@ -8,7 +8,7 @@ - name: Ensure saved encryption key exists ansible.builtin.stat: path: "{{ elasticstack_ca_dir }}/savedobjects_encryption_key" - register: savedobjects_encryption_key_exists + register: savedobjects_encryption_key_exists - name: Ensure kibana certificate exists ansible.builtin.stat: 
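Review bot: The new `when:` condition reads `encryption_key_exists.stat.exits`, but `ansible.builtin.stat` registers `stat.exists`, so the attribute lookup fails and the task errors out instead of printing; the same misspelling is in the saved-objects hunk below (`savedobjects_encryption_key_exists.stat.exits`) and survives the whitespace-only fix in the third patch. The `- debug:` item also seems to be indented inside the `Generate encryption key` task mapping after `args.creates` rather than starting a new list item at column 0 (whitespace is collapsed here, so this is inferred from the `+ - debug:` rendering), which would not parse as a task list, and it uses the short module name with no `name:` while the surrounding tasks use `ansible.builtin.*` FQCNs. I would make it a separate named task after the generation step, as below, and mirror it for the saved-objects key. Separately, `{{ elasticstack_encryption_key_size }}` is interpolated unquoted into a shell command line; `openssl rand -base64 {{ elasticstack_encryption_key_size | int }} >` ensures only a number reaches the shell if the variable is overridden from inventory or extra-vars.
```yaml
# … unchanged: Generate encryption key task (shell, changed_when, args.creates) …

- name: Report that an encryption key already exists
  ansible.builtin.debug:
    msg: "File exists..."
  when: encryption_key_exists.stat.exists
```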
@@ -142,7 +142,7 @@ creates: "{{ elasticstack_ca_dir }}/encryption_key" - debug: msg: "File exists..." - when: encryption_key_exists.stat.exits + when: encryption_key_exists.stat.exits - name: Fetch encryption key ansible.builtin.command: cat {{ elasticstack_ca_dir }}/encryption_key