Support explicit kibana_system password variable to avoid initial_passwords sync #129

@Oddly

Description

Problem

When using a vault-managed kibana_system password, a pre_task is required in the playbook to sync the password into the initial_passwords file before the ES role runs. Without this sync, the ES role generates a random password, and the Kibana role reads that random password from initial_passwords — but the post-deploy play has already set a different (vault) password on ES via the API. Result: Kibana starts with the wrong password and can't authenticate.

This is easy to forget (we missed it for the monitoring cluster) and requires understanding the internal initial_passwords mechanism.

Current workaround

# Required pre_task in every playbook that deploys ES + Kibana:
pre_tasks:
  - name: Sync kibana_system password in initial_passwords
    ansible.builtin.lineinfile:
      path: /usr/share/elasticsearch/initial_passwords
      regexp: "^PASSWORD kibana_system = "
      line: "PASSWORD kibana_system = {{ vault_kibana_system_pw }}"

Proposed solution

Add an explicit variable (e.g. kibana_system_password) that takes precedence over the generated password:

# group_vars — single source of truth
kibana_system_password: "{{ vault_kibana_system_pw }}"

The role should:

  1. If kibana_system_password is defined → use it everywhere (ES API + kibana.yml)
  2. If not defined → current behavior (generate random, store in initial_passwords)

This follows the same pattern as elasticsearch_elastic_password which already works this way for the elastic user.

Impact

  • No more pre_task sync needed in playbooks
  • Single variable in group_vars controls the password
  • Reduces risk of password mismatch between ES and Kibana
  • Works for both main and monitoring clusters without special handling
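One way the role could implement the precedence described above (explicit variable wins, otherwise reuse the stored generated value, otherwise generate and store), as an added example that is not part of this issue or the role's own code. The es_api_url variable and the /etc/kibana/kibana.yml path are assumptions; elasticsearch_elastic_password is the variable the issue names.

```yaml
# Added example (not the role's tasks). es_api_url and the kibana.yml path are
# assumptions; elasticsearch_elastic_password is the variable the issue names.
- name: Read any previously generated kibana_system password
  ansible.builtin.command:
    cmd: grep -E '^PASSWORD kibana_system = ' /usr/share/elasticsearch/initial_passwords
  register: _stored
  changed_when: false
  failed_when: false   # rc 1 = no entry, rc 2 = no file; both mean "nothing stored"
  no_log: true

- name: Resolve the effective password (explicit var > stored entry > new random)
  ansible.builtin.set_fact:
    _kibana_system_pw: >-
      {{ kibana_system_password
         if kibana_system_password is defined
         else (_stored.stdout | regex_replace('^PASSWORD kibana_system = ', '') | trim
               if _stored.rc == 0
               else lookup('ansible.builtin.password', '/dev/null', length=32)) }}
  no_log: true

- name: Keep initial_passwords in sync, so any reader of that file sees the same value
  ansible.builtin.lineinfile:
    path: /usr/share/elasticsearch/initial_passwords
    regexp: '^PASSWORD kibana_system = '
    line: "PASSWORD kibana_system = {{ _kibana_system_pw }}"
    create: true
    mode: "0600"
  no_log: true

- name: Set the same password on Elasticsearch through the security API
  ansible.builtin.uri:
    url: "{{ es_api_url }}/_security/user/kibana_system/_password"
    method: POST
    url_username: elastic
    url_password: "{{ elasticsearch_elastic_password }}"
    force_basic_auth: true
    body_format: json
    body:
      password: "{{ _kibana_system_pw }}"
  no_log: true

- name: Point Kibana at the same password
  ansible.builtin.lineinfile:
    path: /etc/kibana/kibana.yml
    regexp: '^elasticsearch\.password:'
    line: "elasticsearch.password: {{ _kibana_system_pw }}"
  no_log: true
```

Because ES, initial_passwords and kibana.yml are all written from the single resolved fact, the mismatch the issue describes cannot occur, and no_log keeps the value out of playbook output.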
