Kibana
Kibana is the Elastic Stack analytics and visualization UI. The HelmForge chart connects Kibana to an existing Elasticsearch cluster or an optional HelmForge Elasticsearch dependency for self-contained environments.
Key Features
- Official Elastic Kibana image pinned to
9.4.2 - Optional Wolfi image flavor
- Basic auth or Elasticsearch service account token wiring
- Static encryption key support for HA sessions and encrypted saved objects
- Optional HelmForge Elasticsearch subchart for local and self-contained installs
- Ingress, Gateway API, dual-stack Services, NetworkPolicy, ServiceMonitor, PDB, and External Secrets
Installation
helm repo add helmforge https://repo.helmforge.dev
helm repo update
helm install kibana helmforge/kibana --namespace observability --create-namespace \
--set elasticsearch.hosts[0]=http://elasticsearch:9200helm install kibana oci://ghcr.io/helmforgedev/helm/kibana --namespace observability --create-namespaceExamples
Bundled Elasticsearch:
bundledElasticsearch:
enabled: true
elasticsearch:
hosts:
- http://kibana-bundled-elasticsearch:9200Secured Elasticsearch:
elasticsearch:
hosts:
- https://elasticsearch:9200
auth:
type: serviceAccountToken
existingSecret: kibana-elasticsearch-token
tls:
enabled: true
certificateAuthoritiesSecret: elasticsearch-caOperations
Set stable encryption keys before scaling beyond one replica. Elastic recommends matching Kibana and Elasticsearch versions across the stack.
Architecture
The chart deploys Kibana as the visualization layer for Elasticsearch. It can connect to an external Elasticsearch cluster or deploy the HelmForge Elasticsearch subchart for self-contained environments. Authentication can be disabled for local tests, use basic credentials, or use a service account token.
Runtime flow:
- Users reach Kibana through Ingress or Gateway API.
- Kibana reads stable encryption keys from generated or existing Secrets.
- Kibana connects to one or more Elasticsearch endpoints.
- Optional TLS CA material verifies Elasticsearch certificates.
- Optional ServiceMonitor scrapes Kibana process metrics.
Production Values
Use stable encryption keys, TLS verification, service account tokens, and explicit network policy:
replicaCount: 2
elasticsearch:
hosts:
- https://elasticsearch:9200
auth:
type: serviceAccountToken
existingSecret: kibana-elasticsearch-token
tls:
enabled: true
certificateAuthoritiesSecret: elasticsearch-ca
verificationMode: certificate
encryptionKeys:
existingSecret: kibana-encryption-keys
networkPolicy:
enabled: trueStable encryption keys are required before scaling beyond one pod. Without them, sessions, saved object encryption, and reporting features can fail across restarts or replicas.
Bundled Elasticsearch
For development or self-contained validation, enable the HelmForge Elasticsearch dependency:
bundledElasticsearch:
enabled: true
elasticsearch:
hosts:
- http://kibana-bundled-elasticsearch:9200
bundled-elasticsearch:
clusterProfile: dev
image:
tag: '9.4.2'
kibana:
enabled: false
master:
persistence:
enabled: false
sysctlInit:
enabled: falseFor production, prefer a separately managed Elasticsearch release with its own capacity, backup, and upgrade plan.
Secrets And External Secrets
Service account token example:
elasticsearch:
auth:
type: serviceAccountToken
existingSecret: kibana-elasticsearch-token
externalSecrets:
enabled: true
secretStoreRef:
name: cluster-secrets
kind: ClusterSecretStore
data:
- secretKey: service-account-token
remoteRef:
key: elastic/kibana
property: service-account-tokenUse the same target Secret names in Kibana values and ExternalSecret configuration to avoid race conditions or orphaned credentials.
Networking
Ingress example:
ingress:
enabled: true
ingressClassName: nginx
hosts:
- host: kibana.example.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: kibana-tls
hosts:
- kibana.example.comGateway API example:
gateway:
enabled: true
parentRefs:
- name: shared-gateway
namespace: gateway-system
hostnames:
- kibana.example.comUpgrade Notes
Keep Kibana and Elasticsearch versions aligned. When upgrading:
- Confirm Elasticsearch is compatible with the target Kibana version.
- Back up saved objects and Elasticsearch data according to the Elastic runbook.
- Keep encryption keys stable.
- Roll out Kibana after Elasticsearch is healthy.
Validation
After deployment:
helm test kibana -n kibana
kubectl get pods -n kibana -l app.kubernetes.io/name=kibana
kubectl logs -n kibana deploy/kibana --since=10m
kubectl get events -n kibana --sort-by=.lastTimestampAlso validate login, saved object access, index pattern discovery, and TLS verification against Elasticsearch.
Common Issues
| Symptom | Likely Cause | Fix |
|---|---|---|
| Kibana reports encryption key warnings | Keys are generated or unstable | Set encryptionKeys.existingSecret. |
| Cannot connect to Elasticsearch | Wrong hosts, credentials, CA, or NetworkPolicy | Validate DNS, Secret keys, CA Secret, and egress. |
| TLS verification fails | CA Secret missing or verification mode wrong | Mount the correct CA and set verificationMode. |
| Version compatibility errors | Kibana and Elasticsearch versions differ | Align stack versions before rollout. |
Values
| Parameter | Default | Description |
|---|---|---|
image.repository | docker.elastic.co/kibana/kibana | Official Kibana image. |
image.flavor | default | Image flavor: default or wolfi. |
replicaCount | 1 | Number of Kibana replicas. |
elasticsearch.hosts | [http://elasticsearch:9200] | Elasticsearch endpoints. |
bundledElasticsearch.enabled | false | Deploy HelmForge Elasticsearch dependency. |
elasticsearch.auth.type | none | Auth mode: none, basic, or serviceAccountToken. |
encryptionKeys.existingSecret | "" | Secret with stable Kibana encryption keys. |
gateway.enabled | false | Render Gateway API HTTPRoute. |
serviceMonitor.enabled | false | Render ServiceMonitor. |
externalSecrets.enabled | false | Render ExternalSecret resources. |