From b55c534282bd0dd0bf5f17b6d5a0071de1ee110c Mon Sep 17 00:00:00 2001 From: Patrick Dolinic Date: Tue, 5 Sep 2023 16:41:39 +0200 Subject: [PATCH 1/8] v1 adds a default kibana web certificate --- roles/kibana/defaults/main.yml | 2 +- roles/kibana/tasks/kibana-security.yml | 5 +++++ roles/kibana/tasks/kibana-web-cert.yml | 30 ++++++++++++++++++++++++++ roles/management/vars/secret_vars.yml | 7 ++++++ 4 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 roles/kibana/tasks/kibana-web-cert.yml create mode 100644 roles/management/vars/secret_vars.yml diff --git a/roles/kibana/defaults/main.yml b/roles/kibana/defaults/main.yml index cc21f125..4f8acf77 100644 --- a/roles/kibana/defaults/main.yml +++ b/roles/kibana/defaults/main.yml @@ -5,7 +5,7 @@ kibana_config_backup: true kibana_manage_yaml: true kibana_security: true -kibana_tls: false +kibana_tls: true kibana_tls_cert: /etc/kibana/certs/cert.pem kibana_tls_key: /etc/kibana/certs/key.pem kibana_tls_key_passphrase: PleaseChangeMe diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml index d7058afb..ef9ccb60 100644 --- a/roles/kibana/tasks/kibana-security.yml +++ b/roles/kibana/tasks/kibana-security.yml @@ -255,3 +255,8 @@ - certificates - renew_ca - renew_kibana_cert + +- name: Create default web certificate + include_tasks: kibana-web-cert.yml + when: kibana_tls | bool + \ No newline at end of file diff --git a/roles/kibana/tasks/kibana-web-cert.yml b/roles/kibana/tasks/kibana-web-cert.yml new file mode 100644 index 00000000..bad08905 --- /dev/null +++ b/roles/kibana/tasks/kibana-web-cert.yml 
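Review bot: Changing the default from `kibana_tls: false` to `kibana_tls: true` means every existing consumer of the role starts serving HTTPS with the self-signed certificate that kibana-web-cert.yml now generates, and anything reaching Kibana over plain HTTP (proxies, health checks, saved URLs) breaks on the next run; that deserves a README or changelog line rather than a silent default flip. The neighbouring `kibana_tls_key_passphrase: PleaseChangeMe` default also no longer describes the generated key, which is written unencrypted (`-nodes` here, `genpkey` without a cipher in the later patches), so either document that the passphrase only applies to operator-supplied encrypted keys or stop defaulting it. A separate switch such as `kibana_tls_generate_default_cert: true` (name constructed) would let operators who bring their own certificate keep `kibana_tls: true` without the role ever touching `kibana_tls_cert`/`kibana_tls_key`.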
@@ -0,0 +1,30 @@ +--- + +- name: Check if TLS certificate exists + stat: + path: "{{ kibana_tls_cert }}" + register: cert_stat + +- name: Check if TLS key exists + stat: + path: "{{ kibana_tls_key }}" + register: key_stat + +- name: Generate Kibana TLS certificate and key + command: + cmd: openssl req -x509 -newkey rsa:4096 -keyout {{ kibana_tls_key }} -out {{ kibana_tls_cert }} -days 3650 -nodes -subj "/CN={{ ansible_fqdn }}" + when: not cert_stat.stat.exists or not key_stat.stat.exists + +- name: Set proper permissions for Kibana TLS certificate + file: + path: "{{ kibana_tls_cert }}" + mode: '0644' + owner: kibana + group: kibana + +- name: Set proper permissions for Kibana TLS key + file: + path: "{{ kibana_tls_key }}" + mode: '0600' + owner: kibana + group: kibana \ No newline at end of file diff --git a/roles/management/vars/secret_vars.yml b/roles/management/vars/secret_vars.yml new file mode 100644 index 00000000..1e046e13 --- /dev/null +++ b/roles/management/vars/secret_vars.yml @@ -0,0 +1,7 @@ +$ANSIBLE_VAULT;1.1;AES256 +38656537643463613365656432613766363835333237396562356434376634653530643536646564 +3633643539313139613966363864346534653261646562340a376639343231376132373338653030 +30393164373038616663646337623164623865313333393563326131663161383032656639373634 +6138373865366562610a333961623566666230643430363636653232383662303331623766363961 +36383631666562313235623436366432623838336331343061306562376264373164653037336638 +3833666463343731396238616166303332646131333537383766 From 0f73e0d31e9bb84113319fa63e38ae4159606cd1 Mon Sep 17 00:00:00 2001 From: Patrick Dolinic Date: Tue, 5 Sep 2023 16:48:59 +0200 Subject: [PATCH 2/8] v1.1 remove management-demo-file --- .gitignore | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 18c9f355..067140e2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ .cache *.swp -__pycache__* \ No newline at end of file +__pycache__* +roles/management 
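Review bot: The certificate produced by the `openssl req -x509 ... -subj "/CN={{ ansible_fqdn }}"` task carries no subjectAltName, and current browsers and TLS libraries ignore the CN for hostname matching, so even a client that explicitly trusts this default certificate will still fail hostname verification against Kibana; the same `-subj`-only invocation survives the rewrites in patches 3, 4 and 8. With OpenSSL 1.1.1 or newer the fix is one extra argument, `-addext "subjectAltName=DNS:{{ ansible_fqdn }}"`. Separately, openssl creates `{{ kibana_tls_key }}` under the process umask (typically readable by every local user) and only the later `Set proper permissions for Kibana TLS key` task tightens it to `0600`, so there is a window in which the private key is exposed; generating it with `community.crypto.openssl_privatekey` and `mode: '0600'`, or running the command under `umask 077` via `ansible.builtin.shell`, closes that window and applies equally to the `genpkey` tasks in patches 4 and 8. A ten-year validity (`-days 3650`) for a self-signed default is also worth a comment above the task, since nothing in the role rotates it.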
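Review bot: The new `roles/management/vars/secret_vars.yml` is an Ansible Vault blob committed to the repository, and although patch 3 deletes it again, the ciphertext remains in the git history of every clone, so from now on its protection rests entirely on the vault password. If this vault holds real credentials, treat them as needing rotation and change the vault password rather than relying on the later deletion, and keep vault files out of the tree via `.gitignore` before the first commit instead of after it.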
From 18d32dab425d1f6791cca641fb21115dfe9a10a1 Mon Sep 17 00:00:00 2001 From: Patrick Dolinic Date: Tue, 5 Sep 2023 17:06:37 +0200 Subject: [PATCH 3/8] v1.3 cleanups,checking linter --- roles/kibana/tasks/kibana-security.yml | 1 - roles/kibana/tasks/kibana-web-cert.yml | 22 +++++++++++----------- roles/management/vars/secret_vars.yml | 7 ------- 3 files changed, 11 insertions(+), 19 deletions(-) delete mode 100644 roles/management/vars/secret_vars.yml diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml index ef9ccb60..540a3613 100644 --- a/roles/kibana/tasks/kibana-security.yml +++ b/roles/kibana/tasks/kibana-security.yml @@ -259,4 +259,3 @@ - name: Create default web certificate include_tasks: kibana-web-cert.yml when: kibana_tls | bool - \ No newline at end of file diff --git a/roles/kibana/tasks/kibana-web-cert.yml b/roles/kibana/tasks/kibana-web-cert.yml index bad08905..5f3a0c0d 100644 --- a/roles/kibana/tasks/kibana-web-cert.yml +++ b/roles/kibana/tasks/kibana-web-cert.yml 
@@ -1,30 +1,30 @@ --- - name: Check if TLS certificate exists - stat: + ansible.builtin.stat: path: "{{ kibana_tls_cert }}" register: cert_stat - name: Check if TLS key exists - stat: + ansible.builtin.stat: path: "{{ kibana_tls_key }}" register: key_stat -- name: Generate Kibana TLS certificate and key - command: +- name: Generate default OpenSSL Kibana TLS certificate and key + ansible.builtin.command: cmd: openssl req -x509 -newkey rsa:4096 -keyout {{ kibana_tls_key }} -out {{ kibana_tls_cert }} -days 3650 -nodes -subj "/CN={{ ansible_fqdn }}" when: not cert_stat.stat.exists or not key_stat.stat.exists - name: Set proper permissions for Kibana TLS certificate - file: + ansible.builtin.file: path: "{{ kibana_tls_cert }}" mode: '0644' - owner: kibana - group: kibana + owner: kibana + group: kibana - name: Set proper permissions for Kibana TLS key - file: + ansible.builtin.file: path: "{{ kibana_tls_key }}" - mode: '0600' - owner: kibana - group: kibana \ No newline at end of file + mode: '0600' + owner: kibana + group: kibana diff --git a/roles/management/vars/secret_vars.yml b/roles/management/vars/secret_vars.yml deleted file mode 100644 index 1e046e13..00000000 --- a/roles/management/vars/secret_vars.yml +++ /dev/null @@ -1,7 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -38656537643463613365656432613766363835333237396562356434376634653530643536646564 -3633643539313139613966363864346534653261646562340a376639343231376132373338653030 -30393164373038616663646337623164623865313333393563326131663161383032656639373634 -6138373865366562610a333961623566666230643430363636653232383662303331623766363961 -36383631666562313235623436366432623838336331343061306562376264373164653037336638 -3833666463343731396238616166303332646131333537383766 From 3dee00694ee0fc0cecac03afca4c2fc9f19cf6d5 Mon Sep 17 00:00:00 2001 
From: Patrick Dolinic Date: Tue, 5 Sep 2023 17:11:58 +0200 Subject: [PATCH 4/8] v1.4 fix idempotency via 2 tasks --- roles/kibana/tasks/kibana-web-cert.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/roles/kibana/tasks/kibana-web-cert.yml b/roles/kibana/tasks/kibana-web-cert.yml index 5f3a0c0d..604036e4 100644 --- a/roles/kibana/tasks/kibana-web-cert.yml +++ b/roles/kibana/tasks/kibana-web-cert.yml @@ -10,10 +10,15 @@ path: "{{ kibana_tls_key }}" register: key_stat -- name: Generate default OpenSSL Kibana TLS certificate and key +- name: Generate default OpenSSL Kibana TLS key ansible.builtin.command: - cmd: openssl req -x509 -newkey rsa:4096 -keyout {{ kibana_tls_key }} -out {{ kibana_tls_cert }} -days 3650 -nodes -subj "/CN={{ ansible_fqdn }}" - when: not cert_stat.stat.exists or not key_stat.stat.exists + cmd: openssl genpkey -algorithm RSA -out {{ kibana_tls_key }} + when: not key_stat.stat.exists + +- name: Generate default OpenSSL Kibana TLS certificate + ansible.builtin.command: + cmd: openssl req -x509 -key {{ kibana_tls_key }} -out {{ kibana_tls_cert }} -days 3650 -nodes -subj "/CN={{ ansible_fqdn }}" + when: not cert_stat.stat.exists - name: Set proper permissions for Kibana TLS certificate ansible.builtin.file: From 747dc91de5e6eca3ff88bbb9bb8b164058b7d4c4 Mon Sep 17 00:00:00 2001 From: Patrick Dolinic Date: Tue, 5 Sep 2023 17:15:18 +0200 Subject: [PATCH 5/8] v1.5 fixes on linter --- roles/kibana/tasks/kibana-security.yml | 2 +- roles/kibana/tasks/kibana-web-cert.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml index 540a3613..dc4953d9 100644 --- a/roles/kibana/tasks/kibana-security.yml +++ b/roles/kibana/tasks/kibana-security.yml 
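Review bot: Splitting generation into two tasks stops the key from being overwritten, but the two `when` guards are evaluated independently from the stat results taken at the start, so on a host where `{{ kibana_tls_key }}` is missing while `{{ kibana_tls_cert }}` still exists the first task writes a fresh key and the second is skipped, leaving a certificate that no longer matches its key. Register the key task (`register: key_gen`) and make the certificate task follow it, `when: not cert_stat.stat.exists or key_gen is changed`. The `changed_when: not key_stat.stat.exists` / `changed_when: not cert_stat.stat.exists` lines added to these same tasks in patch 6 evaluate to true whenever their task runs, because the `when` guard already excludes the other case, so they are equivalent to the command module's default; `changed_when: true` states that more honestly if the linter requires the key. The enclosing task list continues outside the hunk.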
@@ -257,5 +257,5 @@ - renew_kibana_cert - name: Create default web certificate - include_tasks: kibana-web-cert.yml + ansible.builtin.include_tasks: kibana-web-cert.yml when: kibana_tls | bool diff --git a/roles/kibana/tasks/kibana-web-cert.yml b/roles/kibana/tasks/kibana-web-cert.yml index 604036e4..d35d0c01 100644 --- a/roles/kibana/tasks/kibana-web-cert.yml +++ b/roles/kibana/tasks/kibana-web-cert.yml @@ -1,4 +1,4 @@ ---- +--- - name: Check if TLS certificate exists ansible.builtin.stat: From fd97e8dafd937467f8afd5b294c56571bb6e3713 Mon Sep 17 00:00:00 2001 From: Patrick Dolinic Date: Tue, 5 Sep 2023 17:23:03 +0200 Subject: [PATCH 6/8] v1.6 fixes on idempotency --- roles/kibana/tasks/kibana-web-cert.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/kibana/tasks/kibana-web-cert.yml b/roles/kibana/tasks/kibana-web-cert.yml index d35d0c01..ad342703 100644 --- a/roles/kibana/tasks/kibana-web-cert.yml +++ b/roles/kibana/tasks/kibana-web-cert.yml @@ -14,11 +14,13 @@ ansible.builtin.command: cmd: openssl genpkey -algorithm RSA -out {{ kibana_tls_key }} when: not key_stat.stat.exists + changed_when: not key_stat.stat.exists - name: Generate default OpenSSL Kibana TLS certificate ansible.builtin.command: cmd: openssl req -x509 -key {{ kibana_tls_key }} -out {{ kibana_tls_cert }} -days 3650 -nodes -subj "/CN={{ ansible_fqdn }}" when: not cert_stat.stat.exists + changed_when: not cert_stat.stat.exists - name: Set proper permissions for Kibana TLS certificate ansible.builtin.file: From 3cbd7593b6203e49dc682b83f76d7fb5c93e83e4 Mon Sep 17 00:00:00 2001 From: Patrick Dolinic Date: Tue, 5 Sep 2023 17:29:45 +0200 Subject: [PATCH 7/8] v1.61 fix gitignore --- .gitignore | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitignore b/.gitignore index 067140e2..ec4bd9e4 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,3 @@ .cache *.swp __pycache__* -roles/management From 2664cc6471d71f95106281f773922f0c12880d56 Mon Sep 17 00:00:00 2001 
From: pdolinic <71389319+pdolinic@users.noreply.github.com> Date: Tue, 5 Sep 2023 18:10:03 +0200 Subject: [PATCH 8/8] Update kibana-web-cert.yml Default case is 2048 bits on most systems, 4096 should be more future proof --- roles/kibana/tasks/kibana-web-cert.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/kibana/tasks/kibana-web-cert.yml b/roles/kibana/tasks/kibana-web-cert.yml index ad342703..fb9fd69c 100644 --- a/roles/kibana/tasks/kibana-web-cert.yml +++ b/roles/kibana/tasks/kibana-web-cert.yml @@ -12,7 +12,7 @@ - name: Generate default OpenSSL Kibana TLS key ansible.builtin.command: - cmd: openssl genpkey -algorithm RSA -out {{ kibana_tls_key }} + cmd: openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out {{ kibana_tls_key }} when: not key_stat.stat.exists changed_when: not key_stat.stat.exists
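Review bot: The key size is hard-coded as `-pkeyopt rsa_keygen_bits:4096` inside the command string, with the rationale living only in the commit message; a role default such as `kibana_tls_default_key_bits: 4096` (name constructed) referenced as `rsa_keygen_bits:{{ kibana_tls_default_key_bits }}` keeps the choice visible and overridable next to `kibana_tls_key`, and a one-line comment above the task (`# 4096-bit RSA; the OpenSSL default on most systems is 2048`) records why. The enclosing task list continues outside the hunk.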