From 86f8406571f6aa1045f41108c8b2259ae2e619bd Mon Sep 17 00:00:00 2001
From: Sam Crauwels <sam.crauwels@gmail.com>
Date: Thu, 12 Mar 2026 20:01:09 +0100
Subject: [PATCH] Create Kibana certificate directory unconditionally

The /etc/kibana/certs directory is needed for both Kibana TLS and ES
connection CA certificates. Previously it was only created inside the
kibana_tls block, so deployments with ES TLS but without Kibana TLS
would fail. Move directory creation before the conditional.
---
 roles/kibana/tasks/kibana-security.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml
index 9c38ca4..045c126 100644
--- a/roles/kibana/tasks/kibana-security.yml
+++ b/roles/kibana/tasks/kibana-security.yml
@@ -10,6 +10,14 @@
 
     # -- Kibana web UI certificate (only when kibana_tls is enabled) --
 
+    - name: kibana-security | Create certificate directory
+      ansible.builtin.file:
+        path: /etc/kibana/certs
+        state: directory
+        owner: root
+        group: kibana
+        mode: "0750"
+
     - name: kibana-security | Handle Kibana web UI certificates
       when: kibana_tls | bool
       block: