From e91fd969ace4c83cd461378419dd6aa96399edc2 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Fri, 19 Jun 2020 12:56:54 +0000
Subject: [PATCH] Verify TLS by default for Kibana to Elasticsearch

Currently, if internal TLS communication is enabled, Kibana to Elasticsearch communication is unverified. This is because we set elasticsearch.ssl.verificationMode to 'none' by default (via kibana_elasticsearch_ssl_verify). This is poor a security posture. This change changes the default value of 'kibana_elasticsearch_ssl_verify' to 'true'.

Change-Id: Ie4fa8e3a60d69cf5c4bdd975030c92be8113ffb1
Closes-Bug: #1885110
---
 ansible/roles/kibana/defaults/main.yml | 2 +-
 releasenotes/notes/kibana-tls-verify-8bfcb822268ad0d8.yaml | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/kibana-tls-verify-8bfcb822268ad0d8.yaml
diff --git a/ansible/roles/kibana/defaults/main.yml b/ansible/roles/kibana/defaults/main.yml
index 5ca8cbb47f..8bbdaa3e27 100644
--- a/ansible/roles/kibana/defaults/main.yml
+++ b/ansible/roles/kibana/defaults/main.yml
@@ -32,7 +32,7 @@ kibana_services:
 kibana_default_app_id: "discover"
 kibana_elasticsearch_request_timeout: 300000
 kibana_elasticsearch_shard_timeout: 0
-kibana_elasticsearch_ssl_verify: false
+kibana_elasticsearch_ssl_verify: true
 ####################
diff --git a/releasenotes/notes/kibana-tls-verify-8bfcb822268ad0d8.yaml b/releasenotes/notes/kibana-tls-verify-8bfcb822268ad0d8.yaml
new file mode 100644
index 0000000000..addbd07d08
--- /dev/null
+++ b/releasenotes/notes/kibana-tls-verify-8bfcb822268ad0d8.yaml
@@ -0,0 +1,6 @@
+---
+upgrade:
+ - |
+ Changes the default value of ``kibana_elasticsearch_ssl_verify`` from
+ ``false`` to ``true``. `LP#1885110
+ `__
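Review bot: The flipped default `kibana_elasticsearch_ssl_verify: true` in ansible/roles/kibana/defaults/main.yml has no comment saying what it controls or what verification now depends on. Per the commit message it drives `elasticsearch.ssl.verificationMode`, so with internal TLS enabled Kibana presumably needs a CA that chains to the Elasticsearch endpoint certificate (Kibana's `elasticsearch.ssl.certificateAuthorities`). Whether the role's kibana.yml template supplies that CA is outside this hunk and worth confirming, because a deployment using a private or self-signed CA would otherwise lose the Kibana-to-Elasticsearch connection after the upgrade. I would add above the variable: `# Verify the Elasticsearch TLS certificate from Kibana; requires a trusted CA, set to false only when none can be provided.` The defaults block continues outside the hunk.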