Feature/kibana web default tls

.gitignore

@@ -1,3 +1,3 @@
 .cache
 *.swp
-__pycache__*
+__pycache__*

roles/kibana/defaults/main.yml

@@ -5,7 +5,7 @@ kibana_config_backup: true
 kibana_manage_yaml: true
 
 kibana_security: true
-kibana_tls: false
+kibana_tls: true
 kibana_tls_cert: /etc/kibana/certs/cert.pem
 kibana_tls_key: /etc/kibana/certs/key.pem
 kibana_tls_key_passphrase: PleaseChangeMe

roles/kibana/tasks/kibana-security.yml

@@ -255,3 +255,7 @@
     - certificates
     - renew_ca
     - renew_kibana_cert
+
+- name: Create default web certificate
+  ansible.builtin.include_tasks: kibana-web-cert.yml
+  when: kibana_tls | bool

roles/kibana/tasks/kibana-web-cert.yml

@@ -0,0 +1,37 @@
+---
+
+- name: Check if TLS certificate exists
+  ansible.builtin.stat:
+    path: "{{ kibana_tls_cert }}"
+  register: cert_stat
+
+- name: Check if TLS key exists
+  ansible.builtin.stat:
+    path: "{{ kibana_tls_key }}"
+  register: key_stat
+
+- name: Generate default OpenSSL Kibana TLS key
+  ansible.builtin.command:
+    cmd: openssl genpkey -algorithm RSA -out {{ kibana_tls_key }}
+  when: not key_stat.stat.exists
+  changed_when: not key_stat.stat.exists
+
+- name: Generate default OpenSSL Kibana TLS certificate
+  ansible.builtin.command:
+    cmd: openssl req -x509 -key {{ kibana_tls_key }} -out {{ kibana_tls_cert }} -days 3650 -nodes -subj "/CN={{ ansible_fqdn }}"
+  when: not cert_stat.stat.exists
+  changed_when: not cert_stat.stat.exists
+
+- name: Set proper permissions for Kibana TLS certificate
+  ansible.builtin.file:
+    path: "{{ kibana_tls_cert }}"
+    mode: '0644'
+    owner: kibana
+    group: kibana
+
+- name: Set proper permissions for Kibana TLS key
+  ansible.builtin.file:
+    path: "{{ kibana_tls_key }}"
+    mode: '0600'
+    owner: kibana
+    group: kibana