From f31712145388babe2448696a40edfeb9510566c0 Mon Sep 17 00:00:00 2001
From: Sam Crauwels <scrauwels@rinis.nl>
Date: Thu, 12 Mar 2026 17:42:27 +0100
Subject: [PATCH] Create Kibana certificate directory unconditionally

The /etc/kibana/certs directory is needed for both the Kibana web UI
TLS certificates and the Elasticsearch connection CA certificate.
Previously it was only created inside the kibana_tls block, so
deployments that use ES TLS certificates but haven't enabled Kibana
TLS yet would fail because the directory didn't exist.

Move the directory creation before the kibana_tls conditional block
so it is always present when certificate tasks need it.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 roles/kibana/tasks/kibana-security.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml
index 45dbb0b..5ebe1b5 100644
--- a/roles/kibana/tasks/kibana-security.yml
+++ b/roles/kibana/tasks/kibana-security.yml
@@ -10,6 +10,14 @@
 
     # -- Kibana web UI certificate (only when kibana_tls is enabled) --
 
+    - name: Create certificate directory
+      ansible.builtin.file:
+        path: /etc/kibana/certs
+        state: directory
+        owner: root
+        group: kibana
+        mode: "0750"
+
     - name: Handle Kibana web UI certificates
       when: kibana_tls | bool
       block: