Skip to content

fix(kibana): compare keystore values by last output line#162

Open
Oddly wants to merge 1 commit into
mainfrom
fix/kibana-keystore-idempotent-compare
Open

fix(kibana): compare keystore values by last output line#162
Oddly wants to merge 1 commit into
mainfrom
fix/kibana-keystore-idempotent-compare

Conversation

@Oddly

@Oddly Oddly commented Jun 28, 2026

Copy link
Copy Markdown
Owner

kibana-keystore show can print a runtime warning on stdout before the value (for example the legacy OpenSSL provider notice). The keystore idempotency checks for elasticsearch.password, server.ssl.keystore.password, xpack.security.encryptionKey and xpack.encryptedSavedObjects.encryptionKey compared the desired value against the full stdout, so they never matched when a warning was present and the kibana-keystore add command ran on every play run.

Compare against the last line of the command output instead, which is the stored value.

Summary by CodeRabbit

  • Bug Fixes
    • Improved Kibana keystore update checks so saved secrets are compared more reliably.
    • Reduced unnecessary configuration updates and restart triggers when keystore values have not changed.
    • Added safer handling for missing output during secret verification.

kibana-keystore show can print a runtime warning (e.g. the legacy OpenSSL
provider notice) on stdout before the value. The keystore idempotency checks
compared the full stdout against the desired value, so they never matched and
the keystore add command ran on every play run. Compare against the last
output line instead.
@coderabbitai

coderabbitai Bot commented Jun 28, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Four when conditions in roles/kibana/tasks/kibana-keystore.yml are updated to compare keystore secret values against stdout_lines[-1] | default('') instead of the raw stdout string, affecting idempotency checks for elasticsearch.password, server.ssl.keystore.password, xpack.security.encryptionKey, and xpack.encryptedSavedObjects.encryptionKey.

Changes

Kibana Keystore Idempotency Fix

Layer / File(s) Summary
stdout_lines[-1] idempotency checks
roles/kibana/tasks/kibana-keystore.yml
All four keystore entry when conditions switch from stdout to stdout_lines[-1] | default('') for comparing current vs. desired secret values.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the main fix: comparing Kibana keystore values using the last output line.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/kibana-keystore-idempotent-compare

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
roles/kibana/tasks/kibana-keystore.yml (1)

98-113: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

These keystore updates never trigger the restart handler.

Line 105, Line 150, Line 196, and Line 226 force the task to stay ok, so notify: Restart Kibana on the same tasks is inert even when kibana-keystore add actually rewrites a secret. That leaves Kibana running with stale in-memory credentials/keys after a real update.

Suggested fix
 - name: kibana-keystore | Set elasticsearch.password in keystore
   ansible.builtin.command: >
     /usr/share/kibana/bin/kibana-keystore
     add -x -f 'elasticsearch.password'
   args:
     stdin: "{{ kibana_password.stdout }}"
   environment: "{{ _kibana_keystore_env }}"
-  changed_when: false
   no_log: true
   when:
     - kibana_security | bool
     - >-
       _kibana_ks_es_password.stdout is undefined or
       kibana_password.stdout != (_kibana_ks_es_password.stdout_lines[-1] | default(''))
   notify:
     - Restart Kibana

Apply the same change to the other three Set ... in keystore tasks.

As per path instructions, roles/*/tasks/** must be reviewed for correct handler notifications.

Also applies to: 140-161, 189-204, 219-234

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@roles/kibana/tasks/kibana-keystore.yml` around lines 98 - 113, The keystore
update tasks in kibana-keystore.yml are forcing unchanged status, which prevents
the existing Restart Kibana handler from running when secrets are actually
rewritten. Update the relevant “Set ... in keystore” tasks, including the one
using ansible.builtin.command for elasticsearch.password and the other matching
keystore add tasks in the same file, so they report a change when
kibana-keystore add updates a value instead of staying ok; keep the notify:
Restart Kibana hook on those tasks so handler execution is triggered correctly.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@roles/kibana/tasks/kibana-keystore.yml`:
- Around line 98-113: The keystore update tasks in kibana-keystore.yml are
forcing unchanged status, which prevents the existing Restart Kibana handler
from running when secrets are actually rewritten. Update the relevant “Set ...
in keystore” tasks, including the one using ansible.builtin.command for
elasticsearch.password and the other matching keystore add tasks in the same
file, so they report a change when kibana-keystore add updates a value instead
of staying ok; keep the notify: Restart Kibana hook on those tasks so handler
execution is triggered correctly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1d45bc64-c405-4ceb-9711-273db218db1d

📥 Commits

Reviewing files that changed from the base of the PR and between 76f7a50 and 75f288e.

📒 Files selected for processing (1)
  • roles/kibana/tasks/kibana-keystore.yml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant