try to use kibana_system account instead of elastic
makelicious committed Jul 12, 2024
1 parent 3122b24 commit 1350143
Showing 5 changed files with 16 additions and 15 deletions.
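--- a/infrastructure/deployment/deploy.sh
+++ b/infrastructure/deployment/deploy.sh
@@ -329,6 +329,9 @@ export ROTATING_METRICBEAT_ELASTIC_PASSWORD=`generate_password`
 # Used by APM for writing data to ElasticSearch
 export ROTATING_APM_ELASTIC_PASSWORD=`generate_password`
 
+# Used by Kibana for writing data to ElasticSearch
+export ROTATING_KIBANA_ELASTIC_PASSWORD=`generate_password`
+
 # Download core compose files to /tmp/
 for compose_file in ${COMPOSE_FILES_DOWNLOADED_FROM_CORE[@]}; do
 if [ ! -f $compose_file ]; then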
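--- a/infrastructure/docker-compose.deploy.yml
+++ b/infrastructure/docker-compose.deploy.yml
@@ -79,7 +79,6 @@ services:
 - ELASTICSEARCH_HOST=elasticsearch:9200
 - ELASTICSEARCH_USERNAME=elastic
 - ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_SUPERUSER_PASSWORD}
-- KIBANA_ACCESS_TOKEN=${KIBANA_ACCESS_TOKEN}
 - KIBANA_HOST=kibana:5601
 command: ['--strict.perms=false']
 deploy:
@@ -130,8 +129,8 @@ services:
 entrypoint:
 [
 'curl',
-'-H',
-'Authorization: Bearer ${KIBANA_ACCESS_TOKEN}',
+'-u',
+'kibana_system:${ROTATING_KIBANA_ELASTIC_PASSWORD}',
 '-X',
 'POST',
 'http://kibana:5601/api/saved_objects/_import?overwrite=true',
@@ -176,9 +175,8 @@ services:
 networks:
 - overlay_net
 environment:
-- ELASTICSEARCH_USERNAME=elastic
-- ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_SUPERUSER_PASSWORD}
-- KIBANA_ACCESS_TOKEN=${KIBANA_ACCESS_TOKEN}
+- ELASTICSEARCH_USERNAME=kibana_system
+- ELASTICSEARCH_PASSWORD=${ROTATING_KIBANA_ELASTIC_PASSWORD}
 configs:
 - source: kibana.{{ts}}
 target: /usr/share/kibana/config/kibana.yml
@@ -369,6 +367,7 @@ services:
 - APM_ELASTIC_PASSWORD=${ROTATING_APM_ELASTIC_PASSWORD}
 - SEARCH_ELASTIC_USERNAME=search-user
 - SEARCH_ELASTIC_PASSWORD=${ROTATING_SEARCH_ELASTIC_PASSWORD}
+- KIBANA_ELASTIC_PASSWORD=${ROTATING_KIBANA_ELASTIC_PASSWORD}
 - KIBANA_USERNAME=${KIBANA_USERNAME}
 - KIBANA_PASSWORD=${KIBANA_PASSWORD}
 volumes: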
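Review bot: `kibana_system` is probably the wrong identity for the `curl` entrypoint in the second hunk, which calls Kibana's own HTTP API (`/api/saved_objects/_import`). That built-in account exists for Kibana's connection to Elasticsearch and, as far as I know, carries no Kibana application privileges, so the import is likely to be rejected with 401/403. Using it for `ELASTICSEARCH_USERNAME` on the Kibana service (third hunk) is a sound step away from the `elastic` superuser, but the API calls need a separate user whose role grants only the Kibana privileges they require. The same `-u kibana_system:…` pattern appears throughout infrastructure/monitoring/kibana/setup-config.sh. Interpolating `${ROTATING_KIBANA_ELASTIC_PASSWORD}` into the entrypoint array also leaves the password readable in the service definition, so passing it through a Docker secret or the container environment would be safer.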
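--- a/infrastructure/elasticsearch/setup-users.sh
+++ b/infrastructure/elasticsearch/setup-users.sh
@@ -25,6 +25,7 @@ users_passwords=(
 [beats_system]="${METRICBEAT_ELASTIC_PASSWORD:-}"
 [apm_system]="${APM_ELASTIC_PASSWORD:-}"
 [$KIBANA_USERNAME]="${KIBANA_PASSWORD:-}"
+[kibana_system]="${KIBANA_SYSTEM_PASSWORD:-}"
 )
 
 # -------------------------------------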
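Review bot: `[kibana_system]="${KIBANA_SYSTEM_PASSWORD:-}"` reads a variable that nothing on this page sets. deploy.sh exports `ROTATING_KIBANA_ELASTIC_PASSWORD`, and docker-compose.deploy.yml passes it on as `KIBANA_ELASTIC_PASSWORD`. Unless `KIBANA_SYSTEM_PASSWORD` is defined elsewhere, this entry expands to an empty string, so the `kibana_system` password is never set to the rotated value and Kibana's login to Elasticsearch would fail. Either read `${KIBANA_ELASTIC_PASSWORD:-}` here or rename the variable in the compose file so the two agree. The rest of the script is outside the hunk, so how it treats an empty password is not visible.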
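--- a/infrastructure/monitoring/kibana/kibana.yml
+++ b/infrastructure/monitoring/kibana/kibana.yml
@@ -64,7 +64,6 @@ xpack.infra.sources.default.logAlias: 'logs-*,filebeat-*,kibana_sample_data_logs
 # Kibana can also authenticate to Elasticsearch via "service account tokens".
 # Service account tokens are Bearer style tokens that replace the traditional username/password based configuration.
 # Use this token instead of a username/password.
-elasticsearch.serviceAccountToken: '{{KIBANA_ACCESS_TOKEN}}'
 
 # Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
 # the elasticsearch.requestTimeout setting.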
15 changes: 7 additions & 8 deletions infrastructure/monitoring/kibana/setup-config.sh
@@ -15,24 +15,23 @@ kibana_alerting_api_url="http://kibana:5601/api/alerting/rules/_find?page=1&per_
docker_command="docker run --rm -v /opt/opencrvs/infrastructure/monitoring/kibana/config.ndjson:/config.ndjson --network=opencrvs_overlay_net curlimages/curl"

# Initial API status check to ensure Kibana is ready
status_code=$($docker_command --connect-timeout 60 -H "Authorization: Bearer $KIBANA_ACCESS_TOKEN" -o /dev/null -w '%{http_code}' "$kibana_alerting_api_url")
status_code=$($docker_command --connect-timeout 60 -u kibana_system:${ROTATING_KIBANA_ELASTIC_PASSWORD} -o /dev/null -w '%{http_code}' "$kibana_alerting_api_url")

if [ "$status_code" -ne 200 ]; then
echo "Kibana is not ready. API returned status code: $status_code"
exit 1
fi

# Delete all alerts
$docker_command --connect-timeout 60 -H "Authorization: Bearer $KIBANA_ACCESS_TOKEN" "$kibana_alerting_api_url" | docker run --rm -i --network=opencrvs_overlay_net ghcr.io/jqlang/jq -r '.data[].id' | while read -r id; do
$docker_command --connect-timeout 60 -X DELETE -H 'kbn-xsrf: true' -H "Authorization: Bearer $KIBANA_ACCESS_TOKEN" "http://kibana:5601/api/alerting/rule/$id"
$docker_command --connect-timeout 60 -u kibana_system:${ROTATING_KIBANA_ELASTIC_PASSWORD} "$kibana_alerting_api_url" | docker run --rm -i --network=opencrvs_overlay_net ghcr.io/jqlang/jq -r '.data[].id' | while read -r id; do
$docker_command --connect-timeout 60 -X DELETE -H 'kbn-xsrf: true' -u kibana_system:${ROTATING_KIBANA_ELASTIC_PASSWORD} "http://kibana:5601/api/alerting/rule/$id"
done

# Import configuration
$docker_command --connect-timeout 60 -H "Authorization: Bearer $KIBANA_ACCESS_TOKEN" -X POST "http://kibana:5601/api/saved_objects/_import?overwrite=true" -H 'kbn-xsrf: true' --form file=@/config.ndjson > /dev/null
$docker_command --connect-timeout 60 -u kibana_system:${ROTATING_KIBANA_ELASTIC_PASSWORD} -X POST "http://kibana:5601/api/saved_objects/_import?overwrite=true" -H 'kbn-xsrf: true' --form file=@/config.ndjson > /dev/null

# Re-enable all alerts
$docker_command --connect-timeout 60 -H "Authorization: Bearer $KIBANA_ACCESS_TOKEN" "$kibana_alerting_api_url" | docker run --rm -i --network=opencrvs_overlay_net ghcr.io/jqlang/jq -r '.data[].id' | while read -r id; do
$docker_command --connect-timeout 60 -X POST -H 'kbn-xsrf: true' -H "Authorization: Bearer $KIBANA_ACCESS_TOKEN" "http://kibana:5601/api/alerting/rule/$id/_disable"
$docker_command --connect-timeout 60 -X POST -H 'kbn-xsrf: true' -H "Authorization: Bearer $KIBANA_ACCESS_TOKEN" "http://kibana:5601/api/alerting/rule/$id/_enable"
$docker_command --connect-timeout 60 -u kibana_system:${ROTATING_KIBANA_ELASTIC_PASSWORD} "$kibana_alerting_api_url" | docker run --rm -i --network=opencrvs_overlay_net ghcr.io/jqlang/jq -r '.data[].id' | while read -r id; do
$docker_command --connect-timeout 60 -X POST -H 'kbn-xsrf: true' -u kibana_system:${ROTATING_KIBANA_ELASTIC_PASSWORD} "http://kibana:5601/api/alerting/rule/$id/_disable"
$docker_command --connect-timeout 60 -X POST -H 'kbn-xsrf: true' -u kibana_system:${ROTATING_KIBANA_ELASTIC_PASSWORD} "http://kibana:5601/api/alerting/rule/$id/_enable"
done
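Review bot: `-u kibana_system:${ROTATING_KIBANA_ELASTIC_PASSWORD}` is unquoted on every new line, whereas the `-H "Authorization: …"` argument it replaces was quoted. A generated password containing whitespace or glob characters would be split or expanded before curl sees it, so write `-u "kibana_system:${ROTATING_KIBANA_ELASTIC_PASSWORD}"`. The credential is also passed on the `docker run … curl` command line, where it is visible in the host's process list while each call runs; curl can read it from a file given with `-K`/`--config` instead, mounted the same way config.ndjson is. Nothing in the visible part of the script checks that the variable is set, so `: "${ROTATING_KIBANA_ELASTIC_PASSWORD:?}"` near the top would fail fast instead of sending an empty password.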
