Use kibana access token for connections
makelicious committed Jul 11, 2024
1 parent aaabb2c commit 5c56c2e
Showing 3 changed files with 13 additions and 10 deletions.
6 changes: 4 additions & 2 deletions infrastructure/docker-compose.deploy.yml
Expand Up @@ -79,6 +79,7 @@ services:
- ELASTICSEARCH_HOST=elasticsearch:9200
- ELASTICSEARCH_USERNAME=elastic
- ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_SUPERUSER_PASSWORD}
- KIBANA_ACCESS_TOKEN=${KIBANA_ACCESS_TOKEN}
- KIBANA_HOST=kibana:5601
command: ['--strict.perms=false']
deploy:
Expand Down Expand Up @@ -129,8 +130,8 @@ services:
entrypoint:
[
'curl',
'-u',
'elastic:${ELASTICSEARCH_SUPERUSER_PASSWORD}',
'-H',
'Authorization: Bearer ${KIBANA_ACCESS_TOKEN}',
'-X',
'POST',
'http://kibana:5601/api/saved_objects/_import?overwrite=true',
Expand Down Expand Up @@ -177,6 +178,7 @@ services:
environment:
- ELASTICSEARCH_USERNAME=elastic
- ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_SUPERUSER_PASSWORD}
- KIBANA_ACCESS_TOKEN=${KIBANA_ACCESS_TOKEN}
configs:
- source: kibana.{{ts}}
target: /usr/share/kibana/config/kibana.yml
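Review bot: Both `environment:` blocks gain `KIBANA_ACCESS_TOKEN` but keep `ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_SUPERUSER_PASSWORD}`, so each container now holds the superuser password and the token, and the exposure the token is meant to reduce is unchanged. If nothing in those services still reads the basic-auth pair (the hunks do not show the rest of the service definitions), the `ELASTICSEARCH_USERNAME`/`ELASTICSEARCH_PASSWORD` lines should be dropped in the same change. In the curl `entrypoint`, an unset variable is interpolated as an empty string and the import request goes out with an empty bearer; `'Authorization: Bearer ${KIBANA_ACCESS_TOKEN:?KIBANA_ACCESS_TOKEN is not set}'` would fail the deploy instead, assuming the deploy tooling honours the `:?` form. The token also ends up in that container's argument list and in the service spec, so reading it from a mounted secret inside the container would keep it out of both.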
2 changes: 1 addition & 1 deletion infrastructure/monitoring/kibana/kibana.yml
Expand Up @@ -64,7 +64,7 @@ xpack.infra.sources.default.logAlias: 'logs-*,filebeat-*,kibana_sample_data_logs
# Kibana can also authenticate to Elasticsearch via "service account tokens".
# Service account tokens are Bearer style tokens that replace the traditional username/password based configuration.
# Use this token instead of a username/password.
# elasticsearch.serviceAccountToken: "my_token"
elasticsearch.serviceAccountToken: '{{KIBANA_ACCESS_TOKEN}}'

# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
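Review bot: `elasticsearch.serviceAccountToken` is enabled here while the kibana service in docker-compose.deploy.yml still receives `ELASTICSEARCH_USERNAME` and `ELASTICSEARCH_PASSWORD`; Kibana's config validation does not accept a service account token together with `elasticsearch.username`, so if the image maps those variables to settings (the official image does) or the file sets the username outside this hunk, startup is likely to fail. The `{{KIBANA_ACCESS_TOKEN}}` placeholder also means the rendered file holds the token in clear, and the compose file ships it as a Docker config (`source: kibana.{{ts}}`), which is readable through `docker config inspect` and is not protected the way a secret is. Since the same commit already passes the variable to the container, `elasticsearch.serviceAccountToken: '${KIBANA_ACCESS_TOKEN}'` (Kibana expands `${VAR}` in kibana.yml) or a keystore entry would keep the secret out of the config object.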
15 changes: 8 additions & 7 deletions infrastructure/monitoring/kibana/setup-config.sh
Expand Up @@ -15,23 +15,24 @@ kibana_alerting_api_url="http://kibana:5601/api/alerting/rules/_find?page=1&per_
docker_command="docker run --rm -v /opt/opencrvs/infrastructure/monitoring/kibana/config.ndjson:/config.ndjson --network=opencrvs_overlay_net curlimages/curl"

# Initial API status check to ensure Kibana is ready
status_code=$($docker_command --connect-timeout 60 -u elastic:$ELASTICSEARCH_SUPERUSER_PASSWORD -o /dev/null -w '%{http_code}' "$kibana_alerting_api_url")
status_code=$($docker_command --connect-timeout 60 -H 'Authorization: Bearer $KIBANA_ACCESS_TOKEN' -o /dev/null -w '%{http_code}' "$kibana_alerting_api_url")

if [ "$status_code" -ne 200 ]; then
echo "Kibana is not ready. API returned status code: $status_code"
exit 1
fi

# Delete all alerts
$docker_command --connect-timeout 60 -u elastic:$ELASTICSEARCH_SUPERUSER_PASSWORD "$kibana_alerting_api_url" | docker run --rm -i --network=opencrvs_overlay_net ghcr.io/jqlang/jq -r '.data[].id' | while read -r id; do
$docker_command --connect-timeout 60 -X DELETE -H 'kbn-xsrf: true' -u elastic:$ELASTICSEARCH_SUPERUSER_PASSWORD "http://kibana:5601/api/alerting/rule/$id"
$docker_command --connect-timeout 60 -H 'Authorization: Bearer $KIBANA_ACCESS_TOKEN' "$kibana_alerting_api_url" | docker run --rm -i --network=opencrvs_overlay_net ghcr.io/jqlang/jq -r '.data[].id' | while read -r id; do
$docker_command --connect-timeout 60 -X DELETE -H 'kbn-xsrf: true' -H 'Authorization: Bearer $KIBANA_ACCESS_TOKEN' "http://kibana:5601/api/alerting/rule/$id"
done

# Import configuration
$docker_command --connect-timeout 60 -u elastic:$ELASTICSEARCH_SUPERUSER_PASSWORD -X POST "http://kibana:5601/api/saved_objects/_import?overwrite=true" -H 'kbn-xsrf: true' --form file=@/config.ndjson > /dev/null
$docker_command --connect-timeout 60 -H 'Authorization: Bearer $KIBANA_ACCESS_TOKEN' -X POST "http://kibana:5601/api/saved_objects/_import?overwrite=true" -H 'kbn-xsrf: true' --form file=@/config.ndjson > /dev/null

# Re-enable all alerts
$docker_command --connect-timeout 60 -u elastic:$ELASTICSEARCH_SUPERUSER_PASSWORD "$kibana_alerting_api_url" | docker run --rm -i --network=opencrvs_overlay_net ghcr.io/jqlang/jq -r '.data[].id' | while read -r id; do
$docker_command --connect-timeout 60 -X POST -H 'kbn-xsrf: true' -u elastic:$ELASTICSEARCH_SUPERUSER_PASSWORD "http://kibana:5601/api/alerting/rule/$id/_disable"
$docker_command --connect-timeout 60 -X POST -H 'kbn-xsrf: true' -u elastic:$ELASTICSEARCH_SUPERUSER_PASSWORD "http://kibana:5601/api/alerting/rule/$id/_enable"
$docker_command --connect-timeout 60 -H 'Authorization: Bearer $KIBANA_ACCESS_TOKEN' "$kibana_alerting_api_url" | docker run --rm -i --network=opencrvs_overlay_net ghcr.io/jqlang/jq -r '.data[].id' | while read -r id; do
$docker_command --connect-timeout 60 -X POST -H 'kbn-xsrf: true' -H 'Authorization: Bearer $KIBANA_ACCESS_TOKEN' "http://kibana:5601/api/alerting/rule/$id/_disable"
$docker_command --connect-timeout 60 -X POST -H 'kbn-xsrf: true' -H 'Authorization: Bearer $KIBANA_ACCESS_TOKEN' "http://kibana:5601/api/alerting/rule/$id/_enable"
done
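Review bot: The new header argument `-H 'Authorization: Bearer $KIBANA_ACCESS_TOKEN'` is single-quoted, so the shell passes the literal text `$KIBANA_ACCESS_TOKEN` to curl instead of the token; the readiness check would then presumably get a non-200 status and the script would exit at "Kibana is not ready". All seven new curl invocations in this hunk carry the same quoting, and each should use double quotes: `-H "Authorization: Bearer $KIBANA_ACCESS_TOKEN"`. A guard near the top of the script (which starts outside this hunk), such as `: "${KIBANA_ACCESS_TOKEN:?KIBANA_ACCESS_TOKEN is not set}"`, would make a missing token an explicit error rather than an authentication failure. As with the password it replaces, the token is visible in the `docker run` argument list while each command runs, so passing it through the container environment is worth considering.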
