[docs] Add note on how to access generated Kibana encryptionKeys #8150

Merged
merged 13 commits into from
Oct 28, 2024
Changes from 10 commits
12 changes: 12 additions & 0 deletions docs/orchestrating-elastic-stack-applications/kibana.asciidoc
Expand Up @@ -206,6 +206,18 @@ To deploy more than one instance of Kibana, all the instances must share a same
* `xpack.reporting.encryptionKey`
* `xpack.encryptedSavedObjects.encryptionKey`

[TIP]
====
If you need to access these encryption keys, you can find them using the `kubectl get secrets` command. For example, link:{kibana-ref}/xpack-security-secure-saved-objects.html#encryption-key-rotation[to rotate the encryption keys] extract the current value of `xpack.encryptedSavedObjects.encryptionKey` in order to set it as a decryption-only key under `xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys`.

The secret is named after the corresponding Kibana instance. For example, for a Kibana named `my-kibana`, you can run the following command to retrieve the current encryption keys:

[source,shell,subs="attributes"]
----
kubectl get secret my-kibana-kb-config -o jsonpath '{ .data.kibana\.yml }' | base64 --decode | grep -B 1 encryptionKey

@thbkrkr thbkrkr Oct 28, 2024

This command fails with error: template format specified but no template given. An = is important to assign the jsonpath.

Suggested change
kubectl get secret my-kibana-kb-config -o jsonpath '{ .data.kibana\.yml }' | base64 --decode | grep -B 1 encryptionKey
kubectl get secret my-kibana-kb-config -o jsonpath='{ .data.kibana\.yml }' | base64 --decode | grep -B 1 encryptionKey

Now it works, I feel that it can be confusing because there are several encryptionKey.

```
> kubectl get secret test-kb-config -o jsonpath='{ .data.kibana\.yml }' | base64 --decode | grep -B 1 encryptionKey
    encryptedSavedObjects:
        encryptionKey: K8MYAwOohLrviRp4tXlQqS7Gb7AWPe6DsRI9TUs0PoyHAdmpKDjupE8Q3ms4lwmQ
--
    reporting:
        encryptionKey: EcZHDgOz5BJqLdp26t6ittWg3tCJHkCIraciRUqDU2NncYbpO5DNJ4pt1Ayb5VEV
--
                        realm: oidc1
        encryptionKey: PIhbYdOg76JfzhnhzNpTz2JOasEj7oh1hpmZ47ZMEeTRR7Un1akRHVmA0pnDEBsw
```

I guess you don't want to provide an example using yq?

Then here is a proposal to continue using grep:

```
> kubectl get secret c14-kb-config -o jsonpath='{ .data.kibana\.yml }' | base64 --decode | grep -A1 encryptedSavedObjects
    encryptedSavedObjects:
        encryptionKey: K8MYAwOohLrviRp4tXlQqS7Gb7AWPe6DsRI9TUs0PoyHAdmpKDjupE8Q3ms4lwmQ
```


@kilfoyle kilfoyle Oct 28, 2024

Thanks @thbkrkr!
@stefnestor Please let me know if you like the proposal.

(I've added it in already but if you disagree, please let us know)


@thbkrkr I see that Stef will be offline for a couple of days, so I think it's safe to merge this. If she'd like anything changed I can open a new PR.

----
====

You can provide your own encryption keys using a secure setting, as described in <<{p}-kibana-secure-settings,Secure settings>>.

NOTE: While most reconfigurations of your Kibana instances are carried out in rolling upgrade fashion, all version upgrades will cause Kibana downtime. This happens because you can only run a single version of Kibana at any given time. For more information, check link:https://www.elastic.co/guide/en/kibana/current/upgrade.html[Upgrade Kibana].
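
Review bot: The TIP's `kubectl get secret my-kibana-kb-config ...` line prints live encryption keys to the terminal, but the added text says nothing about how sensitive that output is or what access the command needs. Suggest adding one sentence stating that the output is plaintext key material that should stay out of tickets, chat and captured terminal logs, and that the caller needs `get` permission on Secrets in the namespace of the Kibana resource; the command also assumes the current namespace, so consider showing `-n <namespace>`. Separately, on the same line, `-o jsonpath '{ .data.kibana\.yml }'` should be `-o jsonpath='{ .data.kibana\.yml }'`, and `grep -B 1 encryptionKey` matches every `encryptionKey` entry in `kibana.yml`, so it does not isolate `xpack.encryptedSavedObjects.encryptionKey`, which is the key the preceding paragraph tells the reader to extract.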