Skip to content

feat(kibana): allow supplying xpack encryption keys#160

Open
Oddly wants to merge 1 commit into
mainfrom
feat/kibana-encryption-keys
Open

feat(kibana): allow supplying xpack encryption keys#160
Oddly wants to merge 1 commit into
mainfrom
feat/kibana-encryption-keys

Conversation

@Oddly

@Oddly Oddly commented Jun 28, 2026

Copy link
Copy Markdown
Owner

The kibana role generates random xpack.security.encryptionKey and xpack.encryptedSavedObjects.encryptionKey on first run.

When migrating Kibana to a new host or running multiple instances, these keys must match the existing ones. Otherwise encrypted saved objects (alerting rules, connectors, Fleet tokens) and session state cannot be decrypted by the new instance.

This adds kibana_security_encryptionkey and kibana_encryptedsavedobjects_encryptionkey to supply the keys (written to the keystore via the existing flow). Both default to empty, preserving the generate-random behaviour, so there is no change for existing users. The kibana_custom molecule scenario sets both and asserts the provided values are stored in the keystore.

@coderabbitai

coderabbitai Bot commented Jun 28, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@Oddly, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 30 minutes and 13 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e7e78785-69e7-4e5d-ad97-7cff409d65af

📥 Commits

Reviewing files that changed from the base of the PR and between 76f7a50 and e136cdf.

📒 Files selected for processing (4)
  • molecule/kibana_custom/converge.yml
  • molecule/kibana_custom/verify.yml
  • roles/kibana/defaults/main.yml
  • roles/kibana/tasks/kibana-security.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/kibana-encryption-keys

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

The role generates random xpack.security.encryptionKey and
xpack.encryptedSavedObjects.encryptionKey on first run. When migrating Kibana
to a new host or running multiple instances these must match the existing keys,
otherwise encrypted saved objects (alerting rules, connectors, Fleet tokens)
and session state cannot be decrypted by the new instance.

Add kibana_security_encryptionkey and kibana_encryptedsavedobjects_encryptionkey
to supply them; empty keeps the generate-random default. Covered by the
kibana_custom molecule scenario.
@Oddly Oddly force-pushed the feat/kibana-encryption-keys branch from e2d61c3 to e136cdf Compare June 28, 2026 10:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant