chore: add security to Kibana and add casadmin user

bcgov · Jan 29, 2025 · 42aa8ed · 42aa8ed
1 parent 9bf19be
commit 42aa8ed
Show file tree

Hide file tree

Showing 5 changed files with 79 additions and 0 deletions.
diff --git a/helm/cas-efk/README.md b/helm/cas-efk/README.md
@@ -18,3 +18,12 @@ In order to enable inter-node security, and therefore basic auth, a certificate
 1. Run `mkdir certs && oc cp es-cluster-0:/usr/share/elasticsearch/certs/elastic-stack-ca.zip ./certs/elastic-stack-ca.zip` to copy the certificate authority to a local directory.
 1. Unzip the CA with `unzip ./certs/elastic-stack-ca.zip -d ./certs`.
 1. Run `oc create secret generic <secret-name> --from-file=certs/ca/ca.crt --from-file=certs/ca/ca.key -n <namespace>` to create a secret with the certificate authority.
+
+## Updating the Kibana ElasticSearch password
+
+In order for Kibana to be able to connect with Elasticsearch, the password for the `elastic` user needs to be acquired. This can be done by running the following:
+
+1. Get your login command from the OpenShift cluster and login in your terminal. _Ensure you are logged in to the correct project_!
+1. In your console, use `oc get pods` in your namespace to find the deployed Elastic pod name. It should be named something like `es-cluster-0`. Use this wherever you see `<pod-name>` in the directions below.
+1. After the ElasticSearch pods have been deployed, run `oc exec -it es-cluster-0 -- bin/elasticsearch-reset-password -bs -u kibana_system` to reset the password for the `kibana_system` user. The output below will be the new password. Copy this into the `password` field in the secret `kibana` in the `es-password` key.
+1. Restart the Kibana pod with `oc rollout restart deployment/kibana -n <namespace>`.
diff --git a/helm/cas-efk/templates/elasticsearch-configmap.yaml b/helm/cas-efk/templates/elasticsearch-configmap.yaml
@@ -15,4 +15,9 @@ data:
     xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/${HOSTNAME}/${HOSTNAME}.key
     xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/${HOSTNAME}/${HOSTNAME}.crt
     xpack.security.transport.ssl.certificate_authorities: ["/usr/share/elasticsearch/config/certs/ca.crt"]
+
+    # Kibana security config
+    xpack.security.authc.realms.pki.realm1.order: 1
+    xpack.security.authc.realms.pki.realm1.certificate_authorities: "/usr/share/elasticsearch/config/certs/ca.crt"
+    xpack.security.authc.realms.native.realm2.order: 2
 {{ end }}
diff --git a/helm/cas-efk/templates/elasticsearch-statefulset.yaml b/helm/cas-efk/templates/elasticsearch-statefulset.yaml
@@ -77,6 +77,16 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: status.podIP
+            - name: KIBANA_ADMIN_USER
+              valueFrom:
+                secretKeyRef:
+                  name: cas-kibana-admin
+                  key: "username"
+            - name: KIBANA_ADMIN_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: cas-kibana-admin
+                  key: "password"
           command:
             - sh
             - -c
@@ -87,6 +97,7 @@ spec:
                 --out ./config/certs/${HOSTNAME}.zip --silent
               unzip -q -o ./config/certs/${HOSTNAME}.zip -d ./config/certs
               rm ./config/certs/${HOSTNAME}.zip
+              bin/elasticsearch-users useradd ${KIBANA_ADMIN_USER} -p ${KIBANA_ADMIN_PASS} -r kibana_admin
               exec /usr/local/bin/docker-entrypoint.sh
       volumes:
         - name: {{ .Values.elasticsearch.volume }}

diff --git a/helm/cas-efk/templates/kibana-configmap b/helm/cas-efk/templates/kibana-configmap
@@ -0,0 +1,15 @@
+{{ if .Values.elasticsearch.security }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kibana-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    "app.kubernetes.io/part-of": efk-stack
+data:
+  kibana.yml: |
+    elasticsearch.username: "kibana_system"
+    elasticsearch.password: ${ES_PASSWORD}
+    elasticsearch.hosts: ["http://elasticsearch:9200"]
+    elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/certs/ca.crt"]
+{{ end }}
diff --git a/helm/cas-efk/templates/kibana-deployment.yaml b/helm/cas-efk/templates/kibana-deployment.yaml
@@ -25,5 +25,44 @@ spec:
           env:
             - name: ELASTICSEARCH_URL
               value: {{ .Values.elasticsearch.host }}:{{ .Values.elasticsearch.port.rest }}
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: ES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: kibana
+                  key: "es-password"
           ports:
             - containerPort: {{ .Values.kibana.port }}
+          volumeMounts:
+            {{- if .Values.elasticsearch.security }}
+            - name: kibana-cert
+              mountPath: /usr/share/kibana/config/certs/kibana.crt
+              subPath: kibana.crt
+            - name: kibana-cert
+              mountPath: /usr/share/kibana/config/certs/kibana.key
+              subPath: kibana.key
+            - name: cert-authority
+              mountPath: /usr/share/kibana/config/certs/ca.crt
+              subPath: ca.crt
+            - name: cert-authority
+              mountPath: /usr/share/kibana/config/certs/ca.key
+              subPath: ca.key
+            - name: config
+              mountPath: /usr/share/kibana/config/kibana.yml
+              subPath: kibana.yml
+            {{ end }}
+      volumes:
+        {{- if .Values.elasticsearch.security }}
+        - name: cert-authority
+          secret:
+            secretName: {{ .Values.elasticsearch.caSecret }}
+        - name: kibana-cert
+          secret:
+            secretName: elastic-certs
+        - name: config
+          configMap:
+            name: kibana-config
+        {{ end }}