From e91fd969ace4c83cd461378419dd6aa96399edc2 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Fri, 19 Jun 2020 12:56:54 +0000
Subject: [PATCH] Verify TLS by default for Kibana to Elasticsearch

Currently, if internal TLS communication is enabled, Kibana to
Elasticsearch communication is unverified. This is because we set
elasticsearch.ssl.verificationMode to 'none' by default (via
kibana_elasticsearch_ssl_verify). This is a poor security
posture.

This change changes the default value of
'kibana_elasticsearch_ssl_verify' to 'true'.

Change-Id: Ie4fa8e3a60d69cf5c4bdd975030c92be8113ffb1
Closes-Bug: #1885110
---
 ansible/roles/kibana/defaults/main.yml                     | 2 +-
 releasenotes/notes/kibana-tls-verify-8bfcb822268ad0d8.yaml | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/kibana-tls-verify-8bfcb822268ad0d8.yaml

diff --git a/ansible/roles/kibana/defaults/main.yml b/ansible/roles/kibana/defaults/main.yml
index 5ca8cbb47f..8bbdaa3e27 100644
--- a/ansible/roles/kibana/defaults/main.yml
+++ b/ansible/roles/kibana/defaults/main.yml
@@ -32,7 +32,7 @@ kibana_services:
 kibana_default_app_id: "discover"
 kibana_elasticsearch_request_timeout: 300000
 kibana_elasticsearch_shard_timeout: 0
-kibana_elasticsearch_ssl_verify: false
+kibana_elasticsearch_ssl_verify: true
 
 
 ####################
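Review bot: The flipped default `kibana_elasticsearch_ssl_verify: true` carries no comment saying what it controls or what it now depends on. Nothing in this hunk shows that Kibana is given a CA able to validate the Elasticsearch endpoint's certificate. The template that maps this boolean to `elasticsearch.ssl.verificationMode` is outside the diff, so it is worth confirming that it also sets `elasticsearch.ssl.certificateAuthorities` (or that the container trust store holds the internal CA). Otherwise deployments using a private or self-signed internal certificate would presumably lose Kibana connectivity on upgrade, and operators may respond by turning verification back off. I would add above the variable: `# Verify the Elasticsearch TLS certificate when internal TLS is enabled; requires the internal CA to be trusted by Kibana.`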
diff --git a/releasenotes/notes/kibana-tls-verify-8bfcb822268ad0d8.yaml b/releasenotes/notes/kibana-tls-verify-8bfcb822268ad0d8.yaml
new file mode 100644
index 0000000000..addbd07d08
--- /dev/null
+++ b/releasenotes/notes/kibana-tls-verify-8bfcb822268ad0d8.yaml
@@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    Changes the default value of ``kibana_elasticsearch_ssl_verify`` from
+    ``false`` to ``true``. `LP#1885110
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1885110>`__