From f672b9705cbcf0da1ba05672b0ea40beeda1afef Mon Sep 17 00:00:00 2001
From: Tyler Hale
Date: Tue, 4 Apr 2023 14:18:31 -0600
Subject: [PATCH] Initial commit
---
README.md | 45 +++++++--
hosts.yml | 14 +++
kibana.yml | 7 ++
roles/kibana/defaults/main.yml | 18 ++++
roles/kibana/handlers/main.yml | 13 +++
roles/kibana/tasks/main.yml | 41 ++++++++
roles/kibana/templates/kibana.yml.j2 | 142 +++++++++++++++++++++++++++
site.yml | 5 +
8 files changed, 276 insertions(+), 9 deletions(-)
create mode 100644 hosts.yml
create mode 100644 kibana.yml
create mode 100644 roles/kibana/defaults/main.yml
create mode 100644 roles/kibana/handlers/main.yml
create mode 100644 roles/kibana/tasks/main.yml
create mode 100644 roles/kibana/templates/kibana.yml.j2
create mode 100644 site.yml
diff --git a/README.md b/README.md
index 10ab456..58eee53 100644
--- a/README.md
+++ b/README.md
@@ -1,19 +1,46 @@ # Ansible-Kibana +Installs and configures a RHEL based machine as a Kibana server +## Role Variables -## Requirements - -## Variables - -| Variable | Required | Default | Choices | Description | -| -------- | -------- | ------- | ------- | ----------- | -| | | | | | +| Variable | Required | Default | Choices | Comments | +| ----------------------------------------- | -------- | ----------------------- | ----------------------------- | ------------------------------------------------------------ | +| kibana_server_port | Yes | "5601" | | | +| kibana_server_host | Yes | "0.0.0.0" | | | +| kibana_elasticsearch_url | Yes | "http://localhost:9200" | | | +| kibana_elasticsearch_username | No | "" | | | +| kibana_elasticsearch_password | No | "" | | | +| kibana_server_ssl_enabled | No | "" | | | +| kibana_server_ssl_certificate | No | "" | | | +| kibana_server_ssl_key | No | "" | | | +| kibana_elasticsearch_ssl_verificationMode | No | "" | "full", "certificate", "none" | Default is undefined/full | +| kibana_firewall_access | No | "" | | Defines IPs that should be allowed access to the kibana port | ## Example +--- + +Execute playbook against multiple Kibana frontends with a single elasticsearch server + +`ansible-playbook -i hosts site.yml` + +```yaml +--- +# file: hosts +kibana: + hosts: + ki01: + ansible_host: 192.168.0.10 + ki02: + ansible_host: 192.168.0.11 + vars: + kibana_elasticsearch_url: "http://10.1.1.19:9200" + kibana_firewall_access: + - "10.1.1.1" + - "10.1.1.254" +``` + ## License See LICENSE file for full license information. - -## Screenshots
diff --git a/hosts.yml b/hosts.yml
new file mode 100644
index 0000000..b040914
--- /dev/null
+++ b/hosts.yml
@@ -0,0 +1,14 @@
+---
+# file: hosts.yml
+
+kibana:
+ hosts:
+ kpi-opsmon01:
+ ansible_host: 10.1.25.71
+
+ vars:
+ ansible_user: ansible
+ kibana_elasticsearch_url: "http://10.1.1.20:9200"
+ kibana_firewall_access:
+ - "10.1.1.62/24"
+ - "10.1.1.75/24"
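Review bot: The two `kibana_firewall_access` entries in hosts.yml, `"10.1.1.62/24"` and `"10.1.1.75/24"`, read like individual hosts but carry a /24 mask, so the rich rule built from them in roles/kibana/tasks/main.yml would most likely admit all of 10.1.1.0/24 to the Kibana port, and both entries then describe the same network. If only those two machines are meant, write `- "10.1.1.62/32"` and `- "10.1.1.75/32"`; if the whole subnet is meant, a single `- "10.1.1.0/24"` states it plainly. Separately, `kibana_elasticsearch_url` targets a remote host over `http://`, so any Elasticsearch credentials configured later would cross the network unencrypted.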
diff --git a/kibana.yml b/kibana.yml
new file mode 100644
index 0000000..b3f0355
--- /dev/null
+++ b/kibana.yml
@@ -0,0 +1,7 @@
+---
+# file: kibana.yml
+
+- hosts: kibana
+ become: true
+ roles:
+ - kibana
diff --git a/roles/kibana/defaults/main.yml b/roles/kibana/defaults/main.yml
new file mode 100644
index 0000000..00dc767
--- /dev/null
+++ b/roles/kibana/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+# file: roles/kibana/defaults/main.yml
+
+kibana_server_port: "5601"
+kibana_server_host: "0.0.0.0"
+
+kibana_elasticsearch_url: "http://localhost:9200"
+kibana_elasticsearch_username: ""
+kibana_elasticsearch_password: ""
+
+kibana_server_ssl_enabled: ""
+kibana_server_ssl_certificate: ""
+kibana_server_ssl_key: ""
+
+kibana_es_version: "8"
+kibana_elasticsearch_ssl_verificationMode: ""
+
+kibana_firewall_access: ""
diff --git a/roles/kibana/handlers/main.yml b/roles/kibana/handlers/main.yml
new file mode 100644
index 0000000..be1c10c
--- /dev/null
+++ b/roles/kibana/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+# file: roles/kibana/handlers/main.yml
+
+- name: Reload firewalld
+ service:
+ name: firewalld
+ state: reloaded
+
+- name: Restart Kibana
+ service:
+ name: kibana
+ state: restarted
+ become: yes
diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml
new file mode 100644
index 0000000..6404956
--- /dev/null
+++ b/roles/kibana/tasks/main.yml
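Review bot: The role defaults in roles/kibana/defaults/main.yml make Kibana listen on every interface (`kibana_server_host: "0.0.0.0"`) while `kibana_server_ssl_enabled` and the Elasticsearch credentials default to empty, so a host that applies the role without overrides serves plain HTTP on all addresses and depends entirely on the host firewall for access control. A safer default would be `kibana_server_host: "localhost"` with the wider bind set per inventory, or at minimum a comment above the variable such as `# binding beyond loopback expects server TLS and kibana_firewall_access to be set`. `kibana_firewall_access: ""` is also a string where the consuming task loops over a list; `kibana_firewall_access: []` keeps the type consistent with the README example and still results in no rules.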
@@ -0,0 +1,41 @@
+---
+# file: roles/kibana/tasks/main.yml
+
+- name: Add elasticsearch repo
+ yum_repository:
+ name: elasticsearch
+ description: "Elasticsearch repository for {{ kibana_es_version }}.x packages"
+ baseurl: "https://artifacts.elastic.co/packages/{{ kibana_es_version }}.x/yum"
+ gpgcheck: false
+ gpgkey: "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
+ state: present
+
+- name: Install Kibana
+ package:
+ name: kibana
+ state: latest
+
+- name: Ensure Kibana is running and enabled
+ service:
+ name: kibana
+ state: started
+ enabled: true
+
+- name: Enforce the Kibana configuration
+ template:
+ src: kibana.yml.j2
+ dest: /etc/kibana/kibana.yml
+ owner: root
+ group: root
+ mode: 0644
+ notify: Restart Kibana
+
+- name: Allow firewall access for approved devices
+ firewalld:
+ rich_rule: 'rule family=ipv4 source address={{ item }} port port={{ kibana_server_port }} protocol=tcp accept'
+ permanent: yes
+ immediate: yes
+ state: enabled
+ loop: "{{ kibana_firewall_access }}"
+ notify: Reload firewalld
+ when: kibana_firewall_access != ""
diff --git a/roles/kibana/templates/kibana.yml.j2 b/roles/kibana/templates/kibana.yml.j2
new file mode 100644
index 0000000..398d556
--- /dev/null
+++ b/roles/kibana/templates/kibana.yml.j2
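Review bot: The repository task sets `gpgcheck: false` even though `gpgkey` is supplied, so packages from the Elastic repo are installed without signature verification; it should read `gpgcheck: true`. The template task writes /etc/kibana/kibana.yml with `owner: root`, `group: root` and `mode: 0644`, which leaves `elasticsearch.password` readable by every local user once credentials are set; something like `group: kibana` with `mode: "0640"` (assuming the package creates that group) restricts it, and quoting the mode avoids the octal-versus-integer ambiguity. `state: latest` also upgrades Kibana on every run, which may be unintended on a production host; `state: present` keeps the installed version until an upgrade is chosen.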
@@ -0,0 +1,142 @@
+# {{ ansible_managed }}
+
+# Kibana is served by a back end server. This setting specifies the port to use.
+{% if kibana_server_port != "5601" %}
+server.port: {{ kibana_server_port }}
+{% else %}
+#server.port: 5601
+{% endif %}
+
+# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
+# The default is 'localhost', which usually means remote machines will not be able to connect.
+# To allow connections from remote users, set this parameter to a non-loopback address.
+server.host: "{{ kibana_server_host }}"
+
+# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
+# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
+# from requests it receives, and to prevent a deprecation warning at startup.
+# This setting cannot end in a slash.
+#server.basePath: ""
+
+# Specifies whether Kibana should rewrite requests that are prefixed with
+# `server.basePath` or require that they are rewritten by your reverse proxy.
+# This setting was effectively always `false` before Kibana 6.3 and will
+# default to `true` starting in Kibana 7.0.
+#server.rewriteBasePath: false
+
+# The maximum payload size in bytes for incoming server requests.
+#server.maxPayloadBytes: 1048576
+
+# The Kibana server's name. This is used for display purposes.
+#server.name: "your-hostname"
+
+# The URLs of the Elasticsearch instances to use for all your queries.
+elasticsearch.hosts: ["{{ kibana_elasticsearch_url }}"]
+
+# When this setting's value is true Kibana uses the hostname specified in the server.host
+# setting. When the value of this setting is false, Kibana uses the hostname of the host
+# that connects to this Kibana instance.
+#elasticsearch.preserveHost: true
+
+# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
+# dashboards. Kibana creates a new index if the index doesn't already exist.
+#kibana.index: ".kibana"
+
+# The default application to load.
+#kibana.defaultAppId: "home"
+
+# If your Elasticsearch is protected with basic authentication, these settings provide
+# the username and password that the Kibana server uses to perform maintenance on the Kibana
+# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
+# is proxied through the Kibana server.
+{% if kibana_elasticsearch_username and kibana_elasticsearch_password %}
+elasticsearch.username: "{{ kibana_elasticsearch_username }}"
+elasticsearch.password: "{{ kibana_elasticsearch_password }}"
+{% else %}
+#elasticsearch.username: "kibana_system"
+#elasticsearch.password: "pass"
+{% endif %}
+
+# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
+# These settings enable SSL for outgoing requests from the Kibana server to the browser.
+{% if kibana_server_ssl_enabled %}
+server.ssl.enabled: "{{ kibana_server_ssl_enabled }}"
+{% else %}
+#server.ssl.enabled: false
+{% endif %}
+{% if kibana_server_ssl_certificate %}
+server.ssl.certificate: "{{ kibana_server_ssl_certificate }}"
+{% else %}
+#server.ssl.certificate: /path/to/your/server.crt
+{% endif %}
+{% if kibana_server_ssl_key %}
+server.ssl.key: "{{ kibana_server_ssl_key }}"
+{% else %}
+#server.ssl.key: /path/to/your/server.key
+{% endif %}
+
+# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
+# These files are used to verify the identity of Kibana to Elasticsearch and are required when
+# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
+#elasticsearch.ssl.certificate: /path/to/your/client.crt
+#elasticsearch.ssl.key: /path/to/your/client.key
+
+# Optional setting that enables you to specify a path to the PEM file for the certificate
+# authority for your Elasticsearch instance.
+#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
+
+# To disregard the validity of SSL certificates, change this setting's value to 'none'.
+{% if kibana_elasticsearch_ssl_verificationMode %}
+elasticsearch.ssl.verificationMode: {{ kibana_elasticsearch_ssl_verificationMode }}
+{% else %}
+#elasticsearch.ssl.verificationMode: full
+{% endif %}
+
+# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
+# the elasticsearch.requestTimeout setting.
+#elasticsearch.pingTimeout: 1500
+
+# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
+# must be a positive integer.
+#elasticsearch.requestTimeout: 30000
+
+# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
+# headers, set this value to [] (an empty list).
+#elasticsearch.requestHeadersWhitelist: [ authorization ]
+
+# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
+# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
+#elasticsearch.customHeaders: {}
+
+# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
+#elasticsearch.shardTimeout: 30000
+
+# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
+#elasticsearch.startupTimeout: 5000
+
+# Logs queries sent to Elasticsearch. Requires logging.verbose set to true.
+#elasticsearch.logQueries: false
+
+# Specifies the path where Kibana creates the process ID file.
+#pid.file: /var/run/kibana.pid
+
+# Enables you to specify a file where Kibana stores log output.
+#logging.dest: stdout
+
+# Set the value of this setting to true to suppress all logging output.
+#logging.silent: false
+
+# Set the value of this setting to true to suppress all logging output other than error messages.
+#logging.quiet: false
+
+# Set the value of this setting to true to log all events, including system usage information
+# and all requests.
+#logging.verbose: false
+
+# Set the interval in milliseconds to sample system and process performance
+# metrics. Minimum is 100ms. Defaults to 5000.
+#ops.interval: 5000
+
+# Specifies locale to be used for all localizable strings, dates and number formats.
+# Supported languages are the following: English - en , by default , Chinese - zh-CN .
+#i18n.locale: "en"
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..30ebf8b
--- /dev/null
+++ b/site.yml
@@ -0,0 +1,5 @@
+---
+# file: site.yml
+## This playbook deploys the whole application stack in this site.
+
+- import_playbook: kibana.yml
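Review bot: The credential lines in kibana.yml.j2 interpolate `kibana_elasticsearch_password` straight into a double-quoted YAML scalar, so a password containing `"` or `\` produces a broken or silently altered value; rendering it as `elasticsearch.password: {{ kibana_elasticsearch_password | to_json }}` (and the username likewise) escapes it correctly. The same template emits `server.ssl.enabled: "{{ kibana_server_ssl_enabled }}"` as a quoted string where Kibana documents a boolean, and `elasticsearch.ssl.verificationMode` is written unquoted and unchecked, so a typo or `none` goes straight into the config; `server.ssl.enabled: {{ kibana_server_ssl_enabled | bool | lower }}` and a comment above the verificationMode block noting that `none` disables certificate validation would make both explicit. Because the secret lands in the rendered file in clear text, the variable should come from a vaulted source, and Kibana's keystore is an alternative to writing it into kibana.yml at all.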