debops.kibana default variables
Sections
APT packages, version
The debops.kibana
role uses the debops.elatic_co
Ansible role to
configure the Elastic APT repositories and install the packages. The role
also installs the Ansible facts that provide the kibana version.
- kibana__base_packages
List of base APT packages to install.
kibana__base_packages: [ 'kibana' ]
- kibana__packages
List of additional APT packages to install with Kibana.
kibana__packages: []
- kibana__version
Store the detected Kibana version in a convenient variable for conditional configuration.
kibana__version: '{{ ansible_local.kibana.version | d("0.0.0") }}'
UNIX user and group, file paths
- kibana__user
Name of the UNIX user account used by Kibana.
kibana__user: 'kibana'
- kibana__group
Name of the UNIX primary group used by Kibana.
kibana__group: 'kibana'
- kibana__additional_groups
List of additional UNIX groups to which the Kibana user will belong.
kibana__additional_groups: '{{ ["ssl-cert"]
if kibana__pki_enabled | bool
else [] }}'
- kibana__keystore_path
Path to the Kibana keystore file.
kibana__keystore_path: '{{ "/var/lib/kibana/kibana.keystore"
if (kibana__version is version("7.0.0", "<"))
else "/etc/kibana/kibana.keystore" }}'
Frontend webserver options
- kibana__fqdn
The Fully Qualified Domain Name under which the Kibana web service will be published by the webserver.
kibana__fqdn: 'kibana.{{ kibana__domain }}'
- kibana__domain
The DNS domain used by the Kibana web service.
kibana__domain: '{{ ansible_domain }}'
- kibana__webserver_access_policy
Name of the debops.nginx access policy for the Kibana webservice. See the debops.nginx role documentation for more details.
kibana__webserver_access_policy: ''
- kibana__webserver_allow
List of IP addresses or CIDR subnets which will be allowed to connect to the Kibana webservice. If not specified, anybody can connect.
kibana__webserver_allow: []
- kibana__webserver_auth_basic_realm
A string which will be displayed as the realm in the browser user/password dialog box during HTTP Basic Authentication.
kibana__webserver_auth_basic_realm: 'Access to Kibana is restricted'
- kibana__webserver_auth_basic_filename
Absolute path to the file that contains usernames and passwords for HTTP Basic Authentication.
kibana__webserver_auth_basic_filename: ''
Kibana server options
- kibana__server_host
Specify the IP address or hostname on which Kibana server will listen for connections.
kibana__server_host: 'localhost'
- kibana__server_port
Specify the TCP port on which Kibana server will listen for connections.
kibana__server_port: '5601'
- kibana__server_name
Human-readable name of the Kibana server host.
kibana__server_name: '{{ kibana__fqdn }}'
- kibana__elasticsearch_url
The URL address of the Elasticsearch cluster the Kibana client should connect to. By default Kibana is configured to connect to a load-balancer Elasticsearch instance on the same host. This variable is used on Kibana < 7.0.0.
kibana__elasticsearch_url: 'http://localhost:9200'
- kibana__elasticsearch_hosts
The URL addresses of the Elasticsearch hosts the Kibana client should connect to. By default Kibana is configured to connect to a load-balancer Elasticsearch instance on the same host. This variable is used on Kibana >= 7.0.0.
kibana__elasticsearch_hosts: [ 'http://localhost:9200' ]
- kibana__elasticsearch_cluster_name
Name of the Elasticsearch cluster, used to lookup passwords in the
debops.secret subdirectory. This variable should be synchronized with
the elasticsearch__cluster_name
variable using Ansible inventory.
kibana__elasticsearch_cluster_name: '{{ kibana__domain | replace(".", "-") }}'
- kibana__elasticsearch_username
The username used by Kibana for internal maintenance on password-protected Elasticsearch clusters.
kibana__elasticsearch_username: '{{ ""
if (kibana__elasticsearch_hosts[0].startswith("http://"))
else ("kibana"
if (kibana__version is version("7.0.0", "<"))
else "kibana_system") }}'
- kibana__elasticsearch_secret_path
Path to the Elasticsearch passwords stored in the debops.secret
directory. It should be synchronized with elasticsearch__secret_path
variable for best results.
kibana__elasticsearch_secret_path: '{{ "elasticsearch/credentials/"
+ kibana__elasticsearch_cluster_name
+ "/built-in" }}'
- kibana__elasticsearch_password
The password used by Kibana for internal maintenance on password-protected Elasticsearch clusters.
kibana__elasticsearch_password: '{{ ""
if (kibana__elasticsearch_hosts[0].startswith("http://"))
else (lookup("password", secret + "/"
+ kibana__elasticsearch_secret_path + "/"
+ kibana__elasticsearch_username
+ "/password")) }}'
- kibana__index
The Elasticsearch index used by Kibana to store configuration. Deprecated in Kibana 7.11.
kibana__index: '.kibana'
- kibana__default_app_id
The default Kibana 'application' to load on start. Deprecated in Kibana 7.9.
kibana__default_app_id: 'discover'
- kibana__security_encryption_key
Key used to encrypt session information. Should be the same on all instances
when used id high-availability deployments. Key is stored in the
secret/
directory, managed by the debops.secret Ansible role.
kibana__security_encryption_key: '{{ lookup("password", secret
+ "/kibana/security_encryption_key length=32") }}'
- kibana__reporting_encryption_key
The static encryption key for reporting. Key is stored in the
secret/
directory, managed by the debops.secret Ansible role.
kibana__reporting_encryption_key: '{{ lookup("password", secret
+ "/kibana/reporting_encryption_key length=32") }}'
Connection encryption, TLS
- kibana__secure_connection
Enable or disable configuration of secure connection to the Elasticsearch cluster. By default this will be enable if username and password are defined.
kibana__secure_connection: '{{ True
if (kibana__elasticsearch_username | d() and
kibana__elasticsearch_password | d())
else False }}'
- kibana__pki_enabled
Enable or disable support for TLS connection encryption based on DebOps PKI, managed by the debops.pki Ansible role.
kibana__pki_enabled: '{{ (ansible_local.pki.enabled | d()) | bool }}'
- kibana__pki_base_path
The absolute path of th location of PKI realms.
kibana__pki_base_path: '{{ ansible_local.pki.base_path | d("/etc/pki/realms") }}'
- kibana__pki_realm
The PKI realm used by Kibana for the HTTP communication with Elasticsearch cluster.
kibana__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
- kibana__pki_ca_file
Name of the file which contains Certificate Authorities trusted by Kibana, relative to the PKI realm directory.
kibana__pki_ca_file: '{{ ansible_local.pki.ca | d("CA.crt") }}'
- kibana__pki_key_file
Name of the file which contains the private key used by Kibana for HTTP communication with the Elasticsearch cluster, relative to the PKI realm directory.
kibana__pki_key_file: '{{ ansible_local.pki.key | d("default.key") }}'
- kibana__pki_crt_file
Name of the file which contains the X.509 certificate chain used by Kibana for HTTP communication with the Elasticsearch cluster, relative to the PKI realm directory. Java applications don't work well with Diffie-Hellman parameters embedded in the certificate chain, so let's use the "plain" one instead.
kibana__pki_crt_file: 'public/cert_intermediate.pem'
- kibana__tls_ca_certificate
Absolute path of the Certificate Authority certificate used by Kibana
kibana__tls_ca_certificate: '{{ kibana__pki_base_path + "/"
+ kibana__pki_realm + "/"
+ kibana__pki_ca_file }}'
- kibana__tls_private_key
Absolute path of the private key used by Kibana.
kibana__tls_private_key: '{{ kibana__pki_base_path + "/"
+ kibana__pki_realm + "/"
+ kibana__pki_key_file }}'
- kibana__tls_certificate
Absolute path of the X.509 certificate used by Kibana.
kibana__tls_certificate: '{{ kibana__pki_base_path + "/"
+ kibana__pki_realm + "/"
+ kibana__pki_crt_file }}'
Kibana configuration file
The variables below define the contents of the /etc/kibana/kibana.yml
configuration file. See kibana__configuration for the details and
configuration syntax.
- kibana__default_configuration
The default configuration options which should be present in the main configuration file.
kibana__default_configuration:
- name: 'server.port'
value: '{{ kibana__server_port }}'
comment: 'Kibana is served by a back end server. This setting specifies the port to use'
- name: 'server.host'
value: '{{ kibana__server_host }}'
comment: |
Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
The default is 'localhost', which usually means remote machines will not be able to connect.
To allow connections from remote users, set this parameter to a non-loopback address.
- name: 'server.name'
value: '{{ kibana__server_name }}'
comment: "The Kibana server's name. This is used for display purposes"
- name: 'server.basePath'
value: ''
state: 'comment'
comment: |
Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
to Kibana. This setting cannot end in a slash.
- name: 'server.publicBaseUrl'
value: '{{ "https://" + ansible_fqdn }}'
comment: |
Specifies the public URL at which Kibana is available for end users. If
`server.basePath` is configured this URL should end with the same basePath.
state: '{{ "present"
if (kibana__version is version("7.0.0", ">="))
else "absent" }}'
- name: 'server.maxPayloadBytes'
value: 1048576
state: 'comment'
comment: 'The maximum payload size in bytes for incoming server requests'
- name: 'kibana.index'
value: '{{ kibana__index }}'
comment: |
Kibana uses an index in Elasticsearch to store saved searches, visualizations and
dashboards. Kibana creates a new index if the index doesn't already exist.
state: '{{ "present"
if (kibana__version is version("7.11.0", "<"))
else "absent" }}'
- name: 'kibana.defaultAppId'
value: '{{ kibana__default_app_id }}'
comment: 'The default application to load'
state: '{{ "present"
if (kibana__version is version("7.9.0", "<"))
else "absent" }}'
- name: 'elasticsearch.url'
value: '{{ kibana__elasticsearch_url }}'
comment: 'The URL of the Elasticsearch instance to use for all your queries'
state: '{{ "present"
if (kibana__version is version("7.0.0", "<"))
else "absent" }}'
- name: 'elasticsearch.hosts'
value: '{{ kibana__elasticsearch_hosts }}'
comment: 'The URLs of the Elasticsearch instances to use for all your queries'
state: '{{ "absent"
if (kibana__version is version("7.0.0", "<"))
else "present" }}'
- name: 'elasticsearch.preserveHost'
value: True
state: 'comment'
comment: |
When value of this option is true Kibana uses the hostname specified in the server.host
setting. When the value of this setting is false, Kibana uses the hostname of the host
that connects to this Kibana instance.
- name: 'elasticsearch.username'
value: '{{ kibana__elasticsearch_username }}'
state: '{{ "present"
if (kibana__elasticsearch_username | d() and
kibana__elasticsearch_password | d())
else "comment" }}'
comment: |
If your Elasticsearch is protected with basic authentication, these settings provide
the username and password that the Kibana server uses to perform maintenance on the Kibana
index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
is proxied through the Kibana server.
- name: 'elasticsearch.password'
value: '{{ kibana__elasticsearch_password }}'
state: '{{ "present"
if (kibana__elasticsearch_username | d() and
kibana__elasticsearch_password | d())
else "comment" }}'
- name: 'server.ssl.enabled'
value: False
state: 'comment'
comment: |
Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
These settings enable SSL for outgoing requests from the Kibana server to the browser.
- name: 'server.ssl.certificate'
value: '/path/to/your/server.crt'
state: 'comment'
- name: 'server.ssl.key'
value: '/path/to/your/server.key'
state: 'comment'
- name: 'elasticsearch.ssl.certificate'
value: '/path/to/your/client.crt'
state: 'comment'
comment: |
Optional settings that provide the paths to the PEM-format SSL certificate and key files.
These files validate that your Elasticsearch backend uses the same key files.
- name: 'elasticsearch.ssl.key'
value: '/path/to/your/client.key'
state: 'comment'
- name: 'elasticsearch.ssl.certificateAuthorities'
value: [ '/path/to/your/CA.pem' ]
state: 'comment'
comment: |
Optional setting that enables you to specify a path to the PEM file for the certificate
authority for your Elasticsearch instance.
# Reset the list of default certificate authorities.
- name: 'elasticsearch.ssl.certificateAuthorities'
value: ''
state: '{{ "present" if (kibana__secure_connection | bool and
kibana__pki_enabled | bool)
else "ignore" }}'
- name: 'elasticsearch.ssl.certificateAuthorities'
value: [ '{{ kibana__tls_ca_certificate }}' ]
state: '{{ "present" if (kibana__secure_connection | bool and
kibana__pki_enabled | bool)
else "ignore" }}'
- name: 'elasticsearch.ssl.certificate'
value: '{{ kibana__tls_certificate }}'
state: '{{ "present" if (kibana__secure_connection | bool and
kibana__pki_enabled | bool)
else "ignore" }}'
- name: 'elasticsearch.ssl.key'
value: '{{ kibana__tls_private_key }}'
state: '{{ "present" if (kibana__secure_connection | bool and
kibana__pki_enabled | bool)
else "ignore" }}'
- name: 'elasticsearch.ssl.verificationMode'
value: 'full'
state: 'comment'
comment: "To disregard the validity of SSL certificates, change this setting's value to 'none'"
- name: 'elasticsearch.pingTimeout'
value: 1500
state: 'comment'
comment: |
Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
the elasticsearch.requestTimeout setting.
- name: 'elasticsearch.requestTimeout'
value: 30000
state: 'comment'
comment: |
Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
must be a positive integer.
- name: 'elasticsearch.requestHeadersWhitelist'
value: [ 'authorization' ]
state: 'comment'
comment: |
List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
headers, set this value to [] (an empty list).
- name: 'elasticsearch.customHeaders'
empty: {}
state: 'comment'
comment: |
Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
- name: 'elasticsearch.shardTimeout'
value: 0
state: 'comment'
comment: 'Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable'
- name: 'elasticsearch.startupTimeout'
value: 5000
state: 'comment'
comment: 'Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying'
- name: 'pid.file'
value: '/var/run/kibana.pid'
state: 'comment'
comment: 'Specifies the path where Kibana creates the process ID file'
- name: 'logging.dest'
value: 'stdout'
state: 'comment'
comment: 'Enables you specify a file where Kibana stores log output'
- name: 'logging.silent'
value: False
state: 'comment'
comment: 'Set the value of this setting to true to suppress all logging output'
- name: 'logging.quiet'
value: False
state: 'comment'
comment: 'Set the value of this setting to true to suppress all logging output other than error messages'
- name: 'logging.verbose'
value: False
state: 'comment'
comment: |
Set the value of this setting to true to log all events, including system usage information
and all requests.
- name: 'ops.interval'
value: 5000
state: 'comment'
comment: |
Set the interval in milliseconds to sample system and process performance
metrics. Minimum is 100ms. Defaults to 5000.
- name: 'i18n.defaultLocale'
state: 'comment'
comment: |
The default locale. This locale can be used in certain circumstances to substitute any missing
translations.
value: 'en'
- name: 'xpack.security.encryptionKey'
comment: |
An arbitrary string of 32 characters or more that is used to encrypt session information.
value: '{{ kibana__security_encryption_key }}'
- name: 'xpack.reporting.encryptionKey'
comment: |
The static encryption key for reporting. Use an alphanumeric text string that is at least 32 characters.
value: '{{ kibana__reporting_encryption_key }}'
- kibana__configuration
List of configuration options defined on all hosts in the Ansible inventory.
kibana__configuration: []
- kibana__group_configuration
List of configuration options defined on hosts in specific Ansible inventory group.
kibana__group_configuration: []
- kibana__host_configuration
List of configuration options defined on specific hosts in the Ansible inventory.
kibana__host_configuration: []
- kibana__plugin_configuration
List of configuration options defined separately for any Kibana plugins. See kibana__plugins for more details.
kibana__plugin_configuration: '{{ lookup("template",
"lookup/kibana__plugin_configuration.j2")
| from_yaml }}'
- kibana__dependent_role
A string that identifies another Ansible role that uses the debops.kibana
role as a dependency. This value is needed to correctly store the dependent
configuration options. See Usage as a role dependency for more details.
kibana__dependent_role: ''
- kibana__dependent_state
Specify the state of the dependent configuration options, either present
(options should be included in the configuration file) or absent
(options
should be removed from the configuration file).
See Usage as a role dependency for more details.
kibana__dependent_state: 'present'
- kibana__dependent_configuration
List of Kibana configuration options defined by another Ansible role and specified using role dependent variables.
kibana__dependent_configuration: []
- kibana__dependent_configuration_filter
Actual variable used in the combined Kibana configuration that unwraps the
dependent configuration specified by other Ansible roles and converts it into
format understood by the debops.kibana
configuration template.
See Usage as a role dependency for more details.
kibana__dependent_configuration_filter: '{{ lookup("template",
"lookup/kibana__dependent_configuration_filter.j2")
| from_yaml }}'
- kibana__combined_configuration
Actual list of Kibana configuration options passed to the configuration template. This list defines the order in which the options from different variables are processed.
kibana__combined_configuration: '{{ lookup("flattened", (kibana__default_configuration
+ kibana__plugin_configuration
+ kibana__dependent_configuration_filter
+ kibana__configuration
+ kibana__group_configuration
+ kibana__host_configuration)) }}'
- kibana__configuration_sections
List of sections defined in the /etc/kibana/kibana.yml
configuration file and corresponding variable groups.
See kibana__configuration_sections for more details.
kibana__configuration_sections:
- name: 'Server'
part: [ 'server', 'kibana' ]
- name: 'Elasticsearch'
part: 'elasticsearch'
- name: 'Map tiles'
part: 'tilemap'
- name: 'Logging'
part: 'logging'
- name: 'X-Pack'
part: 'xpack'
- name: 'Search Guard'
part: 'searchguard'
Plugin configuration
These variables define lists of Kibana plugins to install/remove, as well as additional configuration options for them. See kibana__plugins for more details.
- kibana__plugins
List of Kibana plugins to manage on all hosts in the Ansible inventory.
kibana__plugins: []
- kibana__group_plugins
List of Kibana plugins to manage on hosts in specific Ansible inventory group.
kibana__group_plugins: []
- kibana__host_plugins
List of Kibana plugins to manage on specific hosts in the Ansible inventory.
kibana__host_plugins: []
- kibana__combined_plugins
Actual list of Kibana plugins that combines other plugin variables and is used in the Ansible tasks and the configuration template.
kibana__combined_plugins: '{{ lookup("flattened", (kibana__plugins
+ kibana__group_plugins
+ kibana__host_plugins)) }}'
Kibana keystore contents
The variables below define the contents of the Kibana keystore which can be used to store passwords and other confidential data, which then can be referenced in Kibana configuration files. See kibana__keys for more details.
- kibana__keys
Kibana keystore content which should be present on all hosts in the Ansible inventory.
kibana__keys: []
- kibana__group_keys
Kibana keystore content which should be present on all hosts in the Ansible inventory.
kibana__group_keys: []
- kibana__host_keys
Kibana keystore content which should be present on hosts in a specific Ansible inventory group.
kibana__host_keys: []
- kibana__combined_keys
Kibana keystore content which should be present on specific hosts in the Ansible inventory.
kibana__combined_keys: '{{ kibana__keys
+ kibana__group_keys
+ kibana__host_keys }}'
Configuration for other Ansible roles
- kibana__etc_services__dependent_list
Configuration for the debops.etc_services Ansible role.
kibana__etc_services__dependent_list:
- name: 'kibana'
port: '{{ kibana__server_port }}'
- kibana__extrepo__dependent_sources
Configuration for the debops.extrepo Ansible role.
kibana__extrepo__dependent_sources:
- 'elastic'
- kibana__nginx__dependent_servers
Server configuration for the debops.nginx Ansible role.
kibana__nginx__dependent_servers:
- name: '{{ kibana__fqdn }}'
by_role: 'debops.kibana'
filename: 'debops.kibana'
deny_hidden: False
type: 'proxy'
proxy_options: |
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_cache_bypass $http_upgrade;
proxy_pass: 'http://kibana'
proxy_redirect: 'default'
allow: '{{ kibana__webserver_allow }}'
access_policy: '{{ kibana__webserver_access_policy }}'
auth_basic: '{{ True if kibana__webserver_auth_basic_filename | d() else False }}'
auth_basic_realm: '{{ kibana__webserver_auth_basic_realm }}'
auth_basic_filename: '{{ kibana__webserver_auth_basic_filename }}'
- kibana__nginx__dependent_upstreams
Upstream configuration for the debops.nginx Ansible role.
kibana__nginx__dependent_upstreams:
- name: 'kibana'
server: '{{ kibana__server_host + ":" + kibana__server_port }}'