This repository has been archived by the owner on May 16, 2023. It is now read-only.

[kibana] add 8.x compatibility #1679

Merged
merged 29 commits into from
Sep 9, 2022

Conversation

jmlrt
Member

@jmlrt jmlrt commented Aug 4, 2022

This PR updates the Kibana chart to make it compatible with the 8.x version.

jmlrt added 6 commits August 4, 2022 18:00
this is just to avoid constant pods killed during tests
This commit is adding an initContainer to Kibana Pod to retrieve a
service account token from Elasticsearch API.

Resources:
- https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-service-token.html
This commit adds a post-delete Job to delete the Kibana ServiceAccount
token from Elasticsearch when the chart is uninstalled.

This is required to avoid an error because token already exists during
re-installations.
@jmlrt jmlrt added the kibana label Aug 4, 2022
@jmlrt jmlrt requested review from jbudz, a team and framsouza August 4, 2022 16:31
@jmlrt
Member Author

jmlrt commented Aug 30, 2022

As a current status, Kibana is starting but then fails with the Unable to retrieve version information from Elasticsearch nodes. security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip] error.

Full logs
[2022-08-30T12:47:46.226+00:00][INFO ][node] Kibana process configured with roles: [background_tasks, ui]
[2022-08-30T12:47:59.425+00:00][INFO ][http.server.Preboot] http server running at http://0.0.0.0:5601
[2022-08-30T12:47:59.472+00:00][INFO ][plugins-system.preboot] Setting up [1] plugins: [interactiveSetup]
[2022-08-30T12:47:59.541+00:00][WARN ][config.deprecation] The default mechanism for Reporting privileges will work differently in future versions, which will affect the behavior of this cluster. Set "xpack.reporting.roles.enabled" to "false" to adopt the future behavior before upgrading.
[2022-08-30T12:47:59.931+00:00][INFO ][plugins-system.standard] Setting up [121] plugins: [translations,monitoringCollection,licensing,globalSearch,globalSearchProviders,features,mapsEms,licenseApiGuard,usageCollection,taskManager,telemetryCollectionManager,telemetryCollectionXpack,kibanaUsageCollection,share,embeddable,uiActionsEnhanced,screenshotMode,banners,newsfeed,fieldFormats,expressions,dataViews,charts,esUiShared,customIntegrations,home,searchprofiler,painlessLab,grokdebugger,management,advancedSettings,spaces,security,lists,encryptedSavedObjects,cloud,snapshotRestore,screenshotting,telemetry,licenseManagement,eventLog,actions,console,bfetch,data,watcher,reporting,fileUpload,ingestPipelines,alerting,unifiedSearch,savedObjects,graph,savedObjectsTagging,savedObjectsManagement,presentationUtil,expressionShape,expressionRevealImage,expressionRepeatImage,expressionMetric,expressionImage,controls,eventAnnotation,dataViewFieldEditor,triggersActionsUi,transform,stackAlerts,ruleRegistry,discover,fleet,indexManagement,remoteClusters,crossClusterReplication,indexLifecycleManagement,cloudSecurityPosture,discoverEnhanced,aiops,visualizations,canvas,visTypeXy,visTypeVislib,visTypeVega,visTypeTimeseries,rollup,visTypeTimelion,visTypeTagcloud,visTypeTable,visTypeMetric,visTypeHeatmap,visTypeMarkdown,dashboard,dashboardEnhanced,expressionXY,expressionTagcloud,expressionPartitionVis,visTypePie,expressionMetricVis,expressionLegacyMetricVis,expressionHeatmap,expressionGauge,lens,osquery,maps,dataVisualizer,ml,cases,timelines,sessionView,kubernetesSecurity,securitySolution,visTypeGauge,sharedUX,observability,synthetics,infra,upgradeAssistant,monitoring,logstash,enterpriseSearch,apm,dataViewManagement]
[2022-08-30T12:47:59.950+00:00][INFO ][plugins.taskManager] TaskManager is identified by the Kibana UUID: 30acffde-3b14-4fec-bfe6-bb59aca0a0cf
[2022-08-30T12:48:00.064+00:00][WARN ][plugins.security.config] Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-08-30T12:48:00.064+00:00][WARN ][plugins.security.config] Session cookies will be transmitted over insecure connections. This is not recommended.
[2022-08-30T12:48:00.142+00:00][WARN ][plugins.security.config] Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-08-30T12:48:00.143+00:00][WARN ][plugins.security.config] Session cookies will be transmitted over insecure connections. This is not recommended.
[2022-08-30T12:48:00.150+00:00][WARN ][plugins.encryptedSavedObjects] Saved objects encryption key is not set. This will severely limit Kibana functionality. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-08-30T12:48:00.168+00:00][WARN ][plugins.actions] APIs are disabled because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-08-30T12:48:00.355+00:00][WARN ][plugins.reporting.config] Generating a random key for xpack.reporting.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.reporting.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-08-30T12:48:00.356+00:00][WARN ][plugins.reporting.config] Found 'server.host: "0.0.0.0"' in Kibana configuration. Reporting is not able to use this as the Kibana server hostname. To enable PNG/PDF Reporting to work, 'xpack.reporting.kibanaServer.hostname: localhost' is automatically set in the configuration. You can prevent this message by adding 'xpack.reporting.kibanaServer.hostname: localhost' in kibana.yml.
[2022-08-30T12:48:00.362+00:00][WARN ][plugins.alerting] APIs are disabled because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-08-30T12:48:00.458+00:00][INFO ][plugins.ruleRegistry] Installing common resources shared between all indices
[2022-08-30T12:48:00.529+00:00][INFO ][plugins.cloudSecurityPosture] Registered task successfully [Task: cloud_security_posture-stats_task]
[2022-08-30T12:48:01.576+00:00][INFO ][plugins.screenshotting.config] Chromium sandbox provides an additional layer of protection, and is supported for Linux Ubuntu 20.04 OS. Automatically enabling Chromium sandbox.
[2022-08-30T12:48:01.678+00:00][ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip]
[2022-08-30T12:48:03.031+00:00][INFO ][plugins.screenshotting.chromium] Browser executable: /usr/share/kibana/x-pack/plugins/screenshotting/chromium/headless_shell-linux_x64/headless_shell

The kibana enrollment token is successfully created by the init container calling the Elasticsearch API and mounted into the kibana pod under /usr/share/kibana/config/tokens/kb-kibana. However, manually triggering the kibana-setup command fails with an Invalid enrollment token provided error.

Steps to reproduce:

  1. Deploy Elasticsearch chart: helm install es ./elasticsearch from this PR
  2. Deploy kibana chart: helm install kb ./kibana from this PR
  3. Check kibana pod name:
     $ kubectl get pod | grep kibana
     kb-kibana-5cc4f4577f-v6h2l   1/1     Running   0          49m
  4. Check kibana pod logs: kubectl logs kb-kibana-5cc4f4577f-v6h2l
  5. Connect into the kibana pod: kubectl exec -it kb-kibana-5cc4f4577f-v6h2l -- bash
  6. Then inside the pod:
    • Check kibana config:
      kibana@kb-kibana-5cc4f4577f-v6h2l:~$ cat config/kibana.yml
      elasticsearch.ssl.certificate: /usr/share/kibana/config/certs/tls.crt
      elasticsearch.ssl.key: /usr/share/kibana/config/certs/tls.key
      elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/certs/ca.crt"]
      
    • Check enrollment token:
       kibana@kb-kibana-5cc4f4577f-v6h2l:~$ cat config/tokens/kb-kibana
       {
         "created" : true,
         "token" : {
           "name" : "kb-kibana",
           "value" : "AAEAAWVsYXN0aWMva2liYW5hL2tiLWtpYmFuYTpBX0o5X2puSVNUdVA0N0dVOTdEUFFB"
         }
       }
      
    • Check that the enrollment token is valid:
      kibana@kb-kibana-5cc4f4577f-v6h2l:~$ curl --cacert config/certs/ca.crt -H "Authorization: Bearer AAEAAWVsYXN0aWMva2liYW5hL2tiLWtpYmFuYTpBX0o5X2puSVNUdVA0N0dVOTdEUFFB" https://elasticsearch-master:9200/_cluster/health
      {"cluster_name":"elasticsearch","status":"green","timed_out":false,"number_of_nodes":3,"number_of_data_nodes":3,"active_primary_shards":2,"active_shards":4,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":0,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":100.0}
      
    • Run kibana-setup:
      kibana@kb-kibana-5cc4f4577f-v6h2l:~$ ./bin/kibana-setup -t AAEAAWVsYXN0aWMva2liYW5hL2tiLWtpYmFuYTpBX0o5X2puSVNUdVA0N0dVOTdEUFFB
      Invalid enrollment token provided.
      
      To generate a new enrollment token run:
        bin/elasticsearch-create-enrollment-token -s kibana
      

cc @jbudz @nkammah

@jmlrt
Member Author

jmlrt commented Aug 30, 2022

@jbudz The generated enrollment token is valid since we can use it to query Elasticsearch from the kibana pod. I'm not sure why the kibana-setup command is marking it as invalid.

I didn't find any way to get more details about this failure (I didn't find any option for more verbose logs). The errors seem to happen in the decodeEnrollmentToken function, but I don't speak JS/TS. Do you have any idea of what is happening?

@jmlrt
Member Author

jmlrt commented Aug 30, 2022

  • Run kibana-setup:
    kibana@kb-kibana-5cc4f4577f-v6h2l:~$ ./bin/kibana-setup -t AAEAAWVsYXN0aWMva2liYW5hL2tiLWtpYmFuYTpBX0o5X2puSVNUdVA0N0dVOTdEUFFB
    Invalid enrollment token provided.
    
    To generate a new enrollment token run:
      bin/elasticsearch-create-enrollment-token -s kibana
    

Note also that I tried regenerating the token using the elasticsearch-create-enrollment-token command as mentioned in the error message; however, this command only works with Elasticsearch clusters that have been auto-configured for security as described in the doc, which is not the case in helm-charts scenarios.

command:
- sh
- -c
- curl --output /usr/share/kibana/config/tokens/{{ template "kibana.fullname" . }} --fail -XPOST --cacert /usr/share/kibana/config/certs/tls.crt -u "$(ELASTICSEARCH_USERNAME):$(ELASTICSEARCH_PASSWORD)" "{{ .Values.elasticsearchHosts }}/_security/service/elastic/kibana/credential/token/{{ template "kibana.fullname" . }}?pretty"
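Review bot: `--cacert /usr/share/kibana/config/certs/tls.crt` hands curl Kibana's own certificate as the trust anchor instead of the CA that signed the Elasticsearch server certificate; the kibana.yml shown above already lists that CA under elasticsearch.ssl.certificateAuthorities (config/certs/ca.crt), so point --cacert at the CA file, as the later revision with `{{ .Values.elasticsearchCertificateAuthoritiesFile }}` does. If tls.crt is only the leaf certificate, verification fails; if it works today it is because the file also carries the issuing CA, which the chart should not rely on.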
Member


There are two different tokens and I think we may be confusing the two:

enrollment token:

  • generated by bin/elasticsearch-create-enrollment-token
  • when consumed via bin/kibana-setup, it configures kibana.yml:
elasticsearch.hosts: ["https://localhost:9200/"]
elasticsearch.serviceAccountToken: XXXXXXX
elasticsearch.ssl.certificateAuthorities:
  [/absolute/path/to/kibana-8.3.3/data/ca_1659104310110.crt]
xpack.fleet.outputs:
  [
    {
      id: fleet-default-output,
      name: default,
      is_default: true,
      is_default_monitoring: true,
      type: elasticsearch,
      hosts: ["https://localhost:9200/"],
      ca_trusted_fingerprint: XXXXXXX,
    },
  ]

service account token (used here):

  • gets the value needed to set elasticsearch.serviceAccountToken in kibana.yml

Member Author


These 2 tokens are really confusing.

This makes things a lot more complicated because the token is generated from the kibana init container when the chart is already deployed. That means that we can't use it in the Helm template itself to modify the kibana.yaml config map or an environment variable before the real kibana container starts.

AFAIK, the only thing we can do is mount it as a file into the kibana container and run a command to use it once the kibana process has already been started.

Member


I'm thinking that might work. Can we send a SIGHUP signal without interfering with the process monitor? elastic/kibana#52756 (comment). It sounds like that may not work for all configurations though, need to check.

Member Author


Another solution would be to override the Kibana container command in the Helm template to run a script that reads the mounted file, parses the token and loads it as an environment variable or edits the kibana.yaml file, then finally starts kibana by manually running the default image command.

I'd like to avoid this if we can, because any change in the default image command (in a different kibana version or for people using a customized kibana image) would break the chart. However, I feel that this may be the only way to do it.

Member Author


Reloading the kibana config with kill -HUP doesn't seem to handle the elasticsearch.serviceAccountToken value in my tests. In addition, I discovered that the kibana.yaml config file is opened read-only, so editing it to add this parameter requires too many workarounds. I ended up using a custom entrypoint script as mentioned in my previous comment => 2319e09

I guess that we can still rework it if we change the kibana docker image entrypoint in a later version.
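The custom-entrypoint approach discussed in this thread (read the mounted token file, turn it into configuration, then start Kibana as the image normally would), written out as an added example. This is not the chart's script from commit 2319e09 and not Elastic code. It assumes the token file has the JSON shape returned by the Elasticsearch create-service-token API shown earlier in the thread, that the image's kibana-docker wrapper maps the environment variable ELASTICSEARCH_SERVICEACCOUNTTOKEN to elasticsearch.serviceAccountToken, and that the image's default command is /bin/tini -- /usr/local/bin/kibana-docker; KIBANA_TOKEN_FILE, extract_token_value, token_is_wellformed and run_entrypoint are names chosen here.

```shell
#!/bin/sh
# Added example entrypoint (not the chart's own script): load the service
# account token written by the init container, expose it to Kibana through the
# environment, and exec the image's normal command so the process tree (tini ->
# kibana-docker -> node) is the same as with the stock image.
#
# Assumptions, not taken from the original page:
#   - the token file is the API response {"created":true,"token":{"name":..,"value":..}}
#   - kibana-docker turns ELASTICSEARCH_SERVICEACCOUNTTOKEN into
#     elasticsearch.serviceAccountToken
#   - the stock command is /bin/tini -- /usr/local/bin/kibana-docker

# extract_token_value FILE: print the "value" string nested under "token".
# sed/tr only, so it runs in the minimal image without jq; it handles the flat
# layout the API returns (a token value never contains a double quote).
extract_token_value() {
  tr -d '\n' < "$1" \
    | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*[{].*"value"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# token_is_wellformed VALUE: service account tokens are base64 (standard
# alphabet, optional padding); refuse to export anything else, e.g. an error
# body the init container may have written instead of a token.
token_is_wellformed() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# run_entrypoint FILE CMD...: export the token and replace the shell with CMD.
run_entrypoint() {
  token_file=$1
  shift
  value=$(extract_token_value "$token_file") || return 1
  if [ -z "$value" ] || ! token_is_wellformed "$value"; then
    echo "entrypoint: no usable service account token in $token_file" >&2
    return 1
  fi
  ELASTICSEARCH_SERVICEACCOUNTTOKEN=$value
  export ELASTICSEARCH_SERVICEACCOUNTTOKEN
  # Log the file name only; the token value must never reach the pod logs.
  echo "entrypoint: loaded service account token from $token_file" >&2
  exec "$@"
}

# Act as the container entrypoint only when KIBANA_TOKEN_FILE is set; sourcing
# the file without it just defines the functions.
if [ -n "${KIBANA_TOKEN_FILE:-}" ]; then
  run_entrypoint "$KIBANA_TOKEN_FILE" /bin/tini -- /usr/local/bin/kibana-docker
fi
```

Because the final step is exec, Kibana still runs as PID 1's child under tini and receives signals normally; the only difference from the stock image is the extra environment variable, which is also why a different default command in another image version (the concern raised above) only needs the last line changed.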

@jmlrt
Member Author

jmlrt commented Sep 5, 2022

The good news is that kibana seems to start successfully with the custom entrypoint that parses the token file and loads it as an environment variable before launching kibana 🎉

[2022-09-05T13:43:24.118+00:00][INFO ][node] Kibana process configured with roles: [background_tasks, ui]
[2022-09-05T13:43:36.382+00:00][INFO ][http.server.Preboot] http server running at http://0.0.0.0:5601
[2022-09-05T13:43:36.432+00:00][INFO ][plugins-system.preboot] Setting up [1] plugins: [interactiveSetup]
[2022-09-05T13:43:36.478+00:00][WARN ][config.deprecation] The default mechanism for Reporting privileges will work differently in future versions, which will affect the behavior of this cluster. Set "xpack.reporting.roles.enabled" to "false" to adopt the future behavior before upgrading.
[2022-09-05T13:43:36.852+00:00][INFO ][plugins-system.standard] Setting up [121] plugins: [translations,monitoringCollection,licensing,globalSearch,globalSearchProviders,features,mapsEms,licenseApiGuard,usageCollection,taskManager,telemetryCollectionManager,telemetryCollectionXpack,kibanaUsageCollection,share,embeddable,uiActionsEnhanced,screenshotMode,banners,newsfeed,fieldFormats,expressions,dataViews,charts,esUiShared,customIntegrations,home,searchprofiler,painlessLab,grokdebugger,management,advancedSettings,spaces,security,lists,encryptedSavedObjects,cloud,snapshotRestore,screenshotting,telemetry,licenseManagement,eventLog,actions,console,bfetch,data,watcher,reporting,fileUpload,ingestPipelines,alerting,unifiedSearch,savedObjects,graph,savedObjectsTagging,savedObjectsManagement,presentationUtil,expressionShape,expressionRevealImage,expressionRepeatImage,expressionMetric,expressionImage,controls,eventAnnotation,dataViewFieldEditor,triggersActionsUi,transform,stackAlerts,ruleRegistry,discover,fleet,indexManagement,remoteClusters,crossClusterReplication,indexLifecycleManagement,cloudSecurityPosture,discoverEnhanced,aiops,visualizations,canvas,visTypeXy,visTypeVislib,visTypeVega,visTypeTimeseries,rollup,visTypeTimelion,visTypeTagcloud,visTypeTable,visTypeMetric,visTypeHeatmap,visTypeMarkdown,dashboard,dashboardEnhanced,expressionXY,expressionTagcloud,expressionPartitionVis,visTypePie,expressionMetricVis,expressionLegacyMetricVis,expressionHeatmap,expressionGauge,lens,osquery,maps,dataVisualizer,ml,cases,timelines,sessionView,kubernetesSecurity,securitySolution,visTypeGauge,sharedUX,observability,synthetics,infra,upgradeAssistant,monitoring,logstash,enterpriseSearch,apm,dataViewManagement]
[2022-09-05T13:43:36.873+00:00][INFO ][plugins.taskManager] TaskManager is identified by the Kibana UUID: cba19720-d0e8-4568-ad0b-c8e6c9d8155a
[2022-09-05T13:43:37.014+00:00][WARN ][plugins.security.config] Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-09-05T13:43:37.015+00:00][WARN ][plugins.security.config] Session cookies will be transmitted over insecure connections. This is not recommended.
[2022-09-05T13:43:37.046+00:00][WARN ][plugins.security.config] Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-09-05T13:43:37.047+00:00][WARN ][plugins.security.config] Session cookies will be transmitted over insecure connections. This is not recommended.
[2022-09-05T13:43:37.055+00:00][WARN ][plugins.encryptedSavedObjects] Saved objects encryption key is not set. This will severely limit Kibana functionality. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-09-05T13:43:37.072+00:00][WARN ][plugins.actions] APIs are disabled because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-09-05T13:43:37.253+00:00][WARN ][plugins.reporting.config] Generating a random key for xpack.reporting.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.reporting.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-09-05T13:43:37.254+00:00][WARN ][plugins.reporting.config] Found 'server.host: "0.0.0.0"' in Kibana configuration. Reporting is not able to use this as the Kibana server hostname. To enable PNG/PDF Reporting to work, 'xpack.reporting.kibanaServer.hostname: localhost' is automatically set in the configuration. You can prevent this message by adding 'xpack.reporting.kibanaServer.hostname: localhost' in kibana.yml.
[2022-09-05T13:43:37.259+00:00][WARN ][plugins.alerting] APIs are disabled because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-09-05T13:43:37.352+00:00][INFO ][plugins.ruleRegistry] Installing common resources shared between all indices
[2022-09-05T13:43:37.420+00:00][INFO ][plugins.cloudSecurityPosture] Registered task successfully [Task: cloud_security_posture-stats_task]
[2022-09-05T13:43:38.384+00:00][INFO ][plugins.screenshotting.config] Chromium sandbox provides an additional layer of protection, and is supported for Linux Ubuntu 20.04 OS. Automatically enabling Chromium sandbox.
[2022-09-05T13:43:40.001+00:00][INFO ][plugins.screenshotting.chromium] Browser executable: /usr/share/kibana/x-pack/plugins/screenshotting/chromium/headless_shell-linux_x64/headless_shell
[2022-09-05T13:43:40.712+00:00][INFO ][savedobjects-service] Waiting until all Elasticsearch nodes are compatible with Kibana before starting saved objects migrations...
[2022-09-05T13:43:40.712+00:00][INFO ][savedobjects-service] Starting saved objects migrations
[2022-09-05T13:43:40.759+00:00][INFO ][savedobjects-service] [.kibana_task_manager] INIT -> CREATE_NEW_TARGET. took: 29ms.
[2022-09-05T13:43:40.786+00:00][INFO ][savedobjects-service] [.kibana] INIT -> CREATE_NEW_TARGET. took: 59ms.
[2022-09-05T13:43:41.974+00:00][INFO ][savedobjects-service] [.kibana_task_manager] CREATE_NEW_TARGET -> MARK_VERSION_INDEX_READY. took: 1216ms.
[2022-09-05T13:43:42.074+00:00][INFO ][savedobjects-service] [.kibana_task_manager] MARK_VERSION_INDEX_READY -> DONE. took: 100ms.
[2022-09-05T13:43:42.075+00:00][INFO ][savedobjects-service] [.kibana_task_manager] Migration completed after 1346ms
[2022-09-05T13:43:42.176+00:00][INFO ][savedobjects-service] [.kibana] CREATE_NEW_TARGET -> MARK_VERSION_INDEX_READY. took: 1390ms.
[2022-09-05T13:43:42.333+00:00][INFO ][savedobjects-service] [.kibana] MARK_VERSION_INDEX_READY -> DONE. took: 157ms.
[2022-09-05T13:43:42.333+00:00][INFO ][savedobjects-service] [.kibana] Migration completed after 1606ms
[2022-09-05T13:43:42.338+00:00][INFO ][plugins-system.preboot] Stopping all plugins.
[2022-09-05T13:43:42.339+00:00][INFO ][plugins-system.standard] Starting [121] plugins: [translations,monitoringCollection,licensing,globalSearch,globalSearchProviders,features,mapsEms,licenseApiGuard,usageCollection,taskManager,telemetryCollectionManager,telemetryCollectionXpack,kibanaUsageCollection,share,embeddable,uiActionsEnhanced,screenshotMode,banners,newsfeed,fieldFormats,expressions,dataViews,charts,esUiShared,customIntegrations,home,searchprofiler,painlessLab,grokdebugger,management,advancedSettings,spaces,security,lists,encryptedSavedObjects,cloud,snapshotRestore,screenshotting,telemetry,licenseManagement,eventLog,actions,console,bfetch,data,watcher,reporting,fileUpload,ingestPipelines,alerting,unifiedSearch,savedObjects,graph,savedObjectsTagging,savedObjectsManagement,presentationUtil,expressionShape,expressionRevealImage,expressionRepeatImage,expressionMetric,expressionImage,controls,eventAnnotation,dataViewFieldEditor,triggersActionsUi,transform,stackAlerts,ruleRegistry,discover,fleet,indexManagement,remoteClusters,crossClusterReplication,indexLifecycleManagement,cloudSecurityPosture,discoverEnhanced,aiops,visualizations,canvas,visTypeXy,visTypeVislib,visTypeVega,visTypeTimeseries,rollup,visTypeTimelion,visTypeTagcloud,visTypeTable,visTypeMetric,visTypeHeatmap,visTypeMarkdown,dashboard,dashboardEnhanced,expressionXY,expressionTagcloud,expressionPartitionVis,visTypePie,expressionMetricVis,expressionLegacyMetricVis,expressionHeatmap,expressionGauge,lens,osquery,maps,dataVisualizer,ml,cases,timelines,sessionView,kubernetesSecurity,securitySolution,visTypeGauge,sharedUX,observability,synthetics,infra,upgradeAssistant,monitoring,logstash,enterpriseSearch,apm,dataViewManagement]
[2022-09-05T13:43:44.548+00:00][INFO ][plugins.monitoring.monitoring] config sourced from: production cluster
[2022-09-05T13:43:46.584+00:00][INFO ][http.server.Kibana] http server running at http://0.0.0.0:5601
[2022-09-05T13:43:46.670+00:00][INFO ][status] Kibana is now degraded
[2022-09-05T13:43:46.736+00:00][INFO ][plugins.monitoring.monitoring.kibana-monitoring] Starting monitoring stats collection
[2022-09-05T13:43:46.737+00:00][INFO ][plugins.fleet] Beginning fleet setup
[2022-09-05T13:43:50.143+00:00][INFO ][plugins.ml] Task ML:saved-objects-sync-task: scheduled with interval 1h
[2022-09-05T13:43:50.640+00:00][INFO ][plugins.ruleRegistry] Installed common resources shared between all indices
[2022-09-05T13:43:50.641+00:00][INFO ][plugins.ruleRegistry] Installing resources for index .alerts-security.alerts
[2022-09-05T13:43:50.641+00:00][INFO ][plugins.ruleRegistry] Installing resources for index .preview.alerts-security.alerts
[2022-09-05T13:43:50.642+00:00][INFO ][plugins.ruleRegistry] Installing resources for index .alerts-observability.uptime.alerts
[2022-09-05T13:43:50.642+00:00][INFO ][plugins.ruleRegistry] Installing resources for index .alerts-observability.logs.alerts
[2022-09-05T13:43:50.642+00:00][INFO ][plugins.ruleRegistry] Installing resources for index .alerts-observability.metrics.alerts
[2022-09-05T13:43:50.642+00:00][INFO ][plugins.ruleRegistry] Installing resources for index .alerts-observability.apm.alerts
[2022-09-05T13:43:51.234+00:00][INFO ][plugins.ruleRegistry] Installed resources for index .alerts-observability.logs.alerts
[2022-09-05T13:43:51.235+00:00][INFO ][plugins.ruleRegistry] Installed resources for index .alerts-observability.apm.alerts
[2022-09-05T13:43:51.236+00:00][INFO ][plugins.ruleRegistry] Installed resources for index .alerts-observability.uptime.alerts
[2022-09-05T13:43:51.237+00:00][INFO ][plugins.ruleRegistry] Installed resources for index .alerts-observability.metrics.alerts
[2022-09-05T13:43:51.265+00:00][INFO ][plugins.ruleRegistry] Installed resources for index .alerts-security.alerts
[2022-09-05T13:43:53.831+00:00][INFO ][status] Kibana is now available (was degraded)
[2022-09-05T13:43:54.042+00:00][INFO ][plugins.reporting.store] Creating ILM policy for managing reporting indices: kibana-reporting
[2022-09-05T13:43:55.644+00:00][INFO ][plugins.ml] Task ML:saved-objects-sync-task: 1 ML saved object synced
[2022-09-05T13:43:55.867+00:00][INFO ][plugins.ruleRegistry] Installed resources for index .preview.alerts-security.alerts
[2022-09-05T13:43:58.318+00:00][INFO ][plugins.fleet] Fleet setup completed
[2022-09-05T13:43:58.373+00:00][INFO ][plugins.securitySolution] Dependent plugin setup complete - Starting ManifestTask
[2022-09-05T13:43:59.188+00:00][INFO ][plugins.securitySolution.endpoint:metadata-check-transforms-task:0.0.1] no endpoint installation found
[2022-09-05T13:44:03.724+00:00][INFO ][plugins.synthetics] Installed synthetics index templates

When I connect to the UI, I can now reach the login page:
[Screenshot 2022-09-05 at 16 07 41: Kibana login page]

So the next step is to find how to connect.

@jmlrt
Member Author

jmlrt commented Sep 5, 2022

When I connect to the UI, I can now reach the login page: [Screenshot 2022-09-05 at 16 07 41]

So the next step is to find how to connect.

Note that we can log in to kibana with the elastic user, whose password can be found in the default/elasticsearch-master-credentials k8s secret. Not sure if we should try to handle the creation of a kibana-specific user in the helm-charts or let customers handle this in their own config.

@jmlrt jmlrt changed the title kibana 8x [kibana] add 8.x compatibility Sep 7, 2022
@jmlrt jmlrt marked this pull request as ready for review September 7, 2022 14:34
@jmlrt jmlrt requested a review from jbudz September 7, 2022 14:34
@jmlrt
Member Author

jmlrt commented Sep 7, 2022

@jbudz @elastic/release-eng @framsouza I think this PR is ready for review.

The Kibana upgrade test (upgrade from 7.17.x to 8.4.1) is failing for now. I'll investigate in a follow-up PR if that's something we can fix or if we need to disable it and advertise that upgrading from the previous major version isn't supported.

@@ -76,11 +85,36 @@ spec:
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
initContainers:
- name: configure-kibana-token
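Review bot: at `- name: configure-kibana-token`, whatever this init container does runs on every pod start, not once per release: a reschedule, a crash or a spot-instance replacement re-runs it while the token it created the first time still exists in Elasticsearch, so the creation step must tolerate an already-existing token name (delete-then-create, or a lookup before the POST) or the pod can never come up again after its first restart. A Helm pre-install hook Job would also confine the creation to install time.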
Member


@elastic/kibana-security can you review this approach? Short version: interactive setup isn't an option in a helm environment, so we're manually configuring kibana similar to the cli.

  • a kibana service account token is created
  • certificates are added
  • hostname is set

@framsouza
Contributor

I've tested locally and everything worked smoothly. Well done, @jmlrt ! That was a really good achievement. 🎆

Member

@azasypkin azasypkin left a comment


The approach to configure Kibana security LGTM, just left one question and one nit. Thank you!

kibana/templates/configmap-helm-scripts.yaml (resolved review thread)
command:
- sh
- -c
- curl --output {{ template "kibana.home_dir" . }}/config/tokens/{{ template "kibana.fullname" . }}.json --fail -XPOST --cacert {{ template "kibana.home_dir" . }}/config/certs/{{ .Values.elasticsearchCertificateAuthoritiesFile }} -u "$(ELASTICSEARCH_USERNAME):$(ELASTICSEARCH_PASSWORD)" "{{ .Values.elasticsearchHosts }}/_security/service/elastic/kibana/credential/token/{{ template "kibana.fullname" . }}?pretty"
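Review bot: `-u "$(ELASTICSEARCH_USERNAME):$(ELASTICSEARCH_PASSWORD)"` puts the Elasticsearch superuser password on the curl command line, where it is readable from the init container's process list; pass it through a curl config file (`-K`) or `--netrc-file` rendered from the mounted secret instead. Combined with `--fail`, this POST also turns an already-existing token name (a re-install where the post-delete hook did not run, or any pod restart) into a hard init-container failure rather than something the step recovers from.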
Member

@azasypkin azasypkin Sep 9, 2022


question: Sorry if it's a dumb question, but I'm not a Helm chart/k8s expert: what would happen if the user installs the Kibana helm chart, then uninstalls it and tries to install it again? Won't this request fail because the init container will try to create the token with the same name (kibana.fullname)?

Member Author


Now that's a really relevant question. When you uninstall the chart, there is a K8S job that is triggered using Helm post-delete hooks that will call Elasticsearch again to remove the token. This way, if we re-install the chart, it can recreate a new token with the same name.

apiVersion: batch/v1
kind: Job
metadata:
  name: {{ template "kibana.fullname" . }}-post-delete
  labels: {{ include "kibana.labels" . | nindent 4 }}
  annotations:
    # post-upgrade: Helm also runs this Job after every helm upgrade, not only on uninstall
    "helm.sh/hook": post-delete,post-upgrade

command: ["curl"]
args:
  - --fail
  - -XDELETE
  - --cacert
  - {{ template "kibana.home_dir" . }}/config/certs/{{ .Values.elasticsearchCertificateAuthoritiesFile }}
  - -u
  - "$(ELASTICSEARCH_USERNAME):$(ELASTICSEARCH_PASSWORD)"
  - "{{ .Values.elasticsearchHosts }}/_security/service/elastic/kibana/credential/token/{{ template "kibana.fullname" . }}"

Member


Awesome, thank you for clarifying that!

@jmlrt jmlrt merged commit d0f0761 into elastic:main Sep 9, 2022
@jmlrt jmlrt deleted the kibana-8x branch September 9, 2022 12:13
jmlrt added a commit to jmlrt/helm-charts that referenced this pull request Sep 9, 2022
@pjaak

pjaak commented Sep 25, 2022

Hi @jmlrt ,

Having problems with this. I see there was a comment made above about having the initContainer create the token. It means every time the container is terminated it will try to create a token with the same name. For example, we run our elastic environment on AWS spot so the container can be terminated regularly; however, it is now failing to start up because it is trying to create a token which already exists. Not sure what to do about this.

Thanks

@jmlrt
Member Author

jmlrt commented Sep 28, 2022

Hi @pjaak, thanks for reporting this bug 👍🏻. I could reproduce locally and need to find a way to fix it.

@pjaak

pjaak commented Sep 28, 2022

Hi @jmlrt ,

I would propose maybe a helm pre-install hook so it only runs on the first helm install, similar to the way you do the delete token in the post-delete. :)
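An idempotent version of the init-container step, as an added example covering both the re-install question in the review above and the pod-restart failure pjaak reports. It is not the chart's code and not a fix the maintainers shipped. It assumes ES_URL, ES_CA, ES_USER and ES_PASSWORD are provided by the container environment (names chosen here), that curl is available, and that DELETE on a missing token answers 404 with found:false, which the Elasticsearch service-token API does; es_request and ensure_token are names chosen here.

```shell
#!/bin/sh
# Added example (not the chart's init container command): create the
# elastic/kibana service account token in a way that is safe to repeat.
# A rescheduled pod (spot interruption, node drain, crash) loses the token file
# in its volume while the token itself still exists in Elasticsearch, so a bare
# "curl --fail -XPOST" never succeeds again. Deleting any token of the same name
# first (404 = nothing to delete) and then creating a fresh one makes every
# start converge on a valid, freshly written token.
#
# Assumptions, not from the original page: ES_URL (e.g. https://elasticsearch-master:9200),
# ES_CA (CA bundle path), ES_USER and ES_PASSWORD come from the environment.

# es_request METHOD PATH OUTFILE: call the API, write the body to OUTFILE and
# leave the HTTP status in ES_CODE (000 on connection failure). The password is
# passed through a mode-0600 curl config file, not -u, so it never appears in
# the container's process list. Redefined by the tests to simulate the API.
es_request() {
  cfg=$(mktemp)
  # curl config syntax; a password containing '"' or '\' would need escaping here
  printf 'user = "%s:%s"\n' "$ES_USER" "$ES_PASSWORD" > "$cfg"
  ES_CODE=$(curl -sS -K "$cfg" --cacert "$ES_CA" -X "$1" \
              -o "$3" -w '%{http_code}' "${ES_URL}$2") || ES_CODE=000
  rm -f "$cfg"
}

# ensure_token NAME OUTFILE: delete-then-create; leaves the create response
# (the JSON the Kibana entrypoint parses) in OUTFILE. Returns non-zero on any
# status other than the two expected ones, so the init container fails loudly
# instead of starting Kibana without credentials.
ensure_token() {
  name=$1
  outfile=$2
  path="/_security/service/elastic/kibana/credential/token/$name"

  es_request DELETE "$path" /dev/null
  case $ES_CODE in
    200|404) ;;  # removed a stale token, or there was none
    *) echo "ensure_token: delete of $name failed: HTTP $ES_CODE" >&2; return 1 ;;
  esac

  es_request POST "$path" "$outfile"
  if [ "$ES_CODE" != 200 ]; then
    echo "ensure_token: create of $name failed: HTTP $ES_CODE" >&2
    return 1
  fi
  # Belt and braces: only accept a body that says the token was created.
  grep -q '"created"[[:space:]]*:[[:space:]]*true' "$outfile" || {
    echo "ensure_token: unexpected response body for $name" >&2
    return 1
  }
}

# Real invocation: script.sh run <token-name> <output-file>. Without arguments
# (as when sourced by the tests) only the functions are defined.
if [ "${1:-}" = "run" ]; then
  : "${ES_URL:?}" "${ES_CA:?}" "${ES_USER:?}" "${ES_PASSWORD:?}"
  ensure_token "${2:?token name}" "${3:?output file}"
fi
```

One caveat this does not remove: the token name is shared by every replica of the Deployment, so recreating it when one pod starts invalidates the value another running replica already loaded. With replicas greater than one, the pre-install/pre-upgrade hook Job suggested above, writing the token into a Secret that all pods mount, is the cleaner place for this logic.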
