Expose Kibana keystore for secure settings #1063

Merged
merged 14 commits into from
Jun 13, 2019

Contributor

@sebgl sebgl commented Jun 12, 2019

Expose Kibana keystore the same way it's done in Elasticsearch through a user-provided secret reference:

# This sample sets up a single Kibana instance pointing to a remote Elasticsearch cluster
apiVersion: kibana.k8s.elastic.co/v1alpha1
kind: Kibana
metadata:
  name: kibana-sample
spec:
  version: 7.1.0
  nodeCount: 1
  secureSettings:
    secretName: kb-secure-settings

Contrary to Elasticsearch, we don't reconcile the user secret contents into our own secret, but we mount the user secret into the pod directly.
Kibana being stateless and secure settings being loaded at Kibana startup, it's simpler to just recreate Kibana pods if there are any changes in secure settings. This is done through propagating the user secret resource version into the pod labels.
The user secret needs to be in the same namespace as Kibana, and will be watched by the operator dynamic watches for reconciliation.

Fixes #755.
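
The rollout trigger described above (user secret resource version copied into the pod labels, same-namespace requirement), as an added Go sketch that is not the operator's own code. The pared-down types, the label key and the function names are assumptions made for this example.

```go
package main

import "fmt"

// Pared-down stand-ins for the Kubernetes Secret and pod template types
// (assumptions for this example, not the operator's types).
type Secret struct{ Namespace, Name, ResourceVersion string }

type PodTemplate struct {
	Namespace string
	Labels    map[string]string
}

// Hypothetical label key; the operator's real key is not shown on this page.
const versionLabel = "example.invalid/secure-settings-version"

// WithSecureSettings returns a copy of tpl labelled with the resource version
// of the user secret. A nil secret (none referenced, or not created yet)
// clears the label. The input template is never mutated.
func WithSecureSettings(tpl PodTemplate, s *Secret) (PodTemplate, error) {
	out := PodTemplate{Namespace: tpl.Namespace, Labels: map[string]string{}}
	for k, v := range tpl.Labels {
		out.Labels[k] = v
	}
	delete(out.Labels, versionLabel)
	if s == nil {
		return out, nil
	}
	if s.Namespace != tpl.Namespace {
		return out, fmt.Errorf("secret %s/%s is not in namespace %s", s.Namespace, s.Name, tpl.Namespace)
	}
	out.Labels[versionLabel] = s.ResourceVersion
	return out, nil
}

// NeedsRecreate reports whether pods built from running must be replaced.
// Resource versions are opaque strings: compare for equality only.
func NeedsRecreate(running, desired PodTemplate) bool {
	return running.Labels[versionLabel] != desired.Labels[versionLabel]
}

func main() {
	base := PodTemplate{Namespace: "default", Labels: map[string]string{"app": "kibana"}}
	v1, _ := WithSecureSettings(base, &Secret{"default", "kb-secure-settings", "1001"}) // constructed values
	v2, _ := WithSecureSettings(base, &Secret{"default", "kb-secure-settings", "1002"})
	fmt.Println(NeedsRecreate(v1, v1), NeedsRecreate(v1, v2), NeedsRecreate(v2, base))
}
```

Any write to the secret bumps its resource version, so a changed value, an added key or a removed key all produce a new label value and therefore new pods.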

./bin/kibana-keystore add "$key" --stdin < "$filename"
done

echo "Keystore initialization successful."
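
Review bot: The `./bin/kibana-keystore add "$key" --stdin < "$filename"` call in the loop body has no visible failure check, so unless the script enables `set -e` (or equivalent) above the lines shown here, a failed add still falls through to `echo "Keystore initialization successful."`. Suggest appending `|| exit 1` to the add, or confirming the script starts with `set -eu`, so the script exits non-zero rather than reporting success with a partial keystore.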
Collaborator

Are we not moving all of those scripts into config maps?

Contributor Author

We could do that, yes. I have mixed feelings though: that's another configmap to manage (a single one for multiple clusters?) + another volume to mount in the ES pod + another VolumeMount to set up in the init container to avoid 10 lines of bash in the pod spec (but probably adds more than 10 lines in the json-prettified pod spec because of additional volumes).
I can also reduce this to ~5 lines of bash.

Contributor

@thbkrkr thbkrkr left a comment

LGTM!

@sebgl sebgl merged commit 9cf7b06 into elastic:master Jun 13, 2019
@pebrc pebrc added >feature Adds or discusses adding a feature to the product v0.9.0 labels Jul 19, 2019

Successfully merging this pull request may close these issues.

Expose the Kibana keystore