[kibana] add 8.x compatibility (#1679)

This PR is updating the Kibana chart to make it compatible with 8.x version.
elastic · Sep 9, 2022 · d0f0761 · d0f0761
1 parent a11730e
commit d0f0761
Show file tree

Hide file tree

Showing 16 changed files with 259 additions and 173 deletions.
diff --git a/helpers/examples.mk b/helpers/examples.mk
@@ -1,5 +1,5 @@
 SHELL := /bin/bash
-GOSS_VERSION := v0.3.6
+GOSS_VERSION := v0.3.18
 GOSS_FILE ?= goss.yaml
 GOSS_SELECTOR ?= release=$(RELEASE)
 STACK_VERSION := 8.4.1
@@ -13,7 +13,7 @@ help: ## Display this help
 goss: ## Run goss tests
 	set -e; \
 	for i in $$(seq 1 5); do \
-		curl -s -L "https://github.com/aelsabbahy/goss/releases/download/v0.3.6/goss-linux-amd64" -o /tmp/goss; \
+		curl -s -L "https://github.com/aelsabbahy/goss/releases/download/$(GOSS_VERSION)/goss-linux-amd64" -o /tmp/goss; \
 		if [ -z "$$GOSS_CONTAINER" ]; then \
 			sleep 5; \
 			echo "Retrieving pod ($$i/5)"; \
@@ -22,7 +22,7 @@ goss: ## Run goss tests
 			echo "Testing with pod: $$GOSS_CONTAINER" && \
 			kubectl cp "test/$(GOSS_FILE)" "$$GOSS_CONTAINER:/tmp/$(GOSS_FILE)" && \
 			kubectl cp "/tmp/goss" "$$GOSS_CONTAINER:/tmp/goss" && \
-			kubectl exec "$$GOSS_CONTAINER" -- sh -c "chmod +rx /tmp/goss && /tmp/goss --gossfile \"/tmp/$(GOSS_FILE)\" validate --retry-timeout 300s --sleep 5s --color --format documentation"; \
+			kubectl exec "$$GOSS_CONTAINER" -- sh -c "chmod +rx /tmp/goss && if [ -f ~/.elasticsearch-serviceaccounttoken ]; then . ~/.elasticsearch-serviceaccounttoken; fi; /tmp/goss --gossfile \"/tmp/$(GOSS_FILE)\" validate --retry-timeout 300s --sleep 5s --color --format documentation"; \
 			break; \
 		fi; \
 	done
diff --git a/kibana/README.md b/kibana/README.md
diff --git a/kibana/examples/default/README.md b/kibana/examples/default/README.md
@@ -9,11 +9,13 @@ This example deploy Kibana 8.4.1 using [default values][].
 
 * Deploy Kibana chart with the default values: `make install`
 
-* You can now setup a port forward to query Kibana indices:
+* You can now retrieve the `elastic` user password and setup a port forward to connect Kibana:
 
   ```
-  kubectl port-forward svc/elasticsearch-master 9200
-  curl localhost:9200/_cat/indices
+  # Get elastic user password:
+  kubectl get secrets --namespace=default elasticsearch-master-credentials -ojsonpath='{.data.password}' | base64 -d
+  # Setup port forward
+  kubectl port-forward svc/helm-kibana-default-kibana 5601
   ```
 
 

diff --git a/kibana/examples/default/test/goss.yaml b/kibana/examples/default/test/goss.yaml
@@ -2,19 +2,15 @@ http:
   http://localhost:5601/api/status:
     status: 200
     timeout: 2000
-    username: "{{ .Env.ELASTICSEARCH_USERNAME }}"
-    password: "{{ .Env.ELASTICSEARCH_PASSWORD }}"
+    request-headers:
+      - "Authorization: Bearer {{ .Env.ELASTICSEARCH_SERVICEACCOUNTTOKEN}}"
     body:
       - '"number":"8.4.1"'
 
   http://localhost:5601/app/kibana:
     status: 200
     timeout: 2000
-    username: "{{ .Env.ELASTICSEARCH_USERNAME }}"
-    password: "{{ .Env.ELASTICSEARCH_PASSWORD }}"
 
   http://helm-kibana-default-kibana:5601/app/kibana:
     status: 200
     timeout: 2000
-    username: "{{ .Env.ELASTICSEARCH_USERNAME }}"
-    password: "{{ .Env.ELASTICSEARCH_PASSWORD }}"
diff --git a/kibana/examples/security/Makefile b/kibana/examples/security/Makefile
@@ -14,5 +14,5 @@ purge:
 	helm del $(RELEASE)
 
 secrets:
-	encryptionkey=$$(docker run --rm busybox:1.31.1 /bin/sh -c "< /dev/urandom tr -dc _A-Za-z0-9 | head -c50") && \
+	encryptionkey=$$(docker run --rm docker.elastic.co/kibana/kibana:$(STACK_VERSION) /bin/sh -c "< /dev/urandom tr -dc _A-Za-z0-9 | head -c50") && \
 	kubectl create secret generic kibana --from-literal=encryptionkey=$$encryptionkey
diff --git a/kibana/examples/security/README.md b/kibana/examples/security/README.md
@@ -8,13 +8,15 @@ Elasticsearch (see [values][]).
 
 * Deploy [Elasticsearch Helm chart][].
 
-* Deploy Kibana chart with security: `make install`
+* Deploy Kibana chart with security: `make secrets install`
 
-* You can now setup a port forward to query Kibana indices:
+* You can now retrieve the `elastic` user password and setup a port forward to connect Kibana:
 
   ```
-  kubectl port-forward svc/security-master 9200
-  curl -u elastic:changeme https://localhost:9200/_cat/indices
+  # Get elastic user password:
+  kubectl get secrets --namespace=default security-master-credentials -ojsonpath='{.data.password}' | base64 -d
+  # Setup port forward
+  kubectl port-forward svc/helm-kibana-security-kibana 5601
   ```
 
 

diff --git a/kibana/examples/security/test/goss.yaml b/kibana/examples/security/test/goss.yaml
@@ -1,27 +1,18 @@
 http:
-  https://localhost:5601/app/kibana:
+  https://localhost:5601/api/status:
     status: 200
     timeout: 2000
     allow-insecure: true
-    username: '{{ .Env.ELASTICSEARCH_USERNAME }}'
-    password: '{{ .Env.ELASTICSEARCH_PASSWORD }}'
-
-  https://helm-kibana-security-kibana:5601/app/kibana:
-    status: 200
-    timeout: 2000
-    allow-insecure: true
-    username: '{{ .Env.ELASTICSEARCH_USERNAME }}'
-    password: '{{ .Env.ELASTICSEARCH_PASSWORD }}'
+    request-headers:
+      - "Authorization: Bearer {{ .Env.ELASTICSEARCH_SERVICEACCOUNTTOKEN}}"
+    body:
+      - '"number":"8.4.1"'
 
 file:
   /usr/share/kibana/config/kibana.yml:
     exists: true
     contains:
-      - 'server.ssl:'
-      - '  enabled: true'
-      - '  key: /usr/share/kibana/config/certs/elastic-certificate.pem'
-      - '  certificate: /usr/share/kibana/config/certs/elastic-certificate.pem'
-      - 'xpack.security.encryptionKey:'
-      - 'elasticsearch.ssl:'
-      - '  certificateAuthorities: /usr/share/kibana/config/certs/elastic-certificate.pem'
-      - '  verificationMode: certificate'
+      - "server.ssl.certificate: /usr/share/kibana/config/certs/elastic-certificate.pem"
+      - "server.ssl.enabled: true"
+      - "server.ssl.key: /usr/share/kibana/config/certs/elastic-certificate.pem"
+      - "xpack.security.encryptionKey:"
diff --git a/kibana/examples/security/values.yaml b/kibana/examples/security/values.yaml
@@ -1,37 +1,21 @@
 ---
 elasticsearchHosts: "https://security-master:9200"
+elasticsearchCertificateSecret: elastic-certificate-pem
+elasticsearchCertificateAuthoritiesFile: elastic-certificate.pem
+elasticsearchCredentialSecret: security-master-credentials
 
 extraEnvs:
   - name: "KIBANA_ENCRYPTION_KEY"
     valueFrom:
       secretKeyRef:
         name: kibana
         key: encryptionkey
-  - name: "ELASTICSEARCH_USERNAME"
-    valueFrom:
-      secretKeyRef:
-        name: security-master-credentials
-        key: username
-  - name: "ELASTICSEARCH_PASSWORD"
-    valueFrom:
-      secretKeyRef:
-        name: security-master-credentials
-        key: password
 
 kibanaConfig:
   kibana.yml: |
-    server.ssl:
-      enabled: true
-      key: /usr/share/kibana/config/certs/elastic-certificate.pem
-      certificate: /usr/share/kibana/config/certs/elastic-certificate.pem
+    server.ssl.certificate: /usr/share/kibana/config/certs/elastic-certificate.pem
+    server.ssl.enabled: true
+    server.ssl.key: /usr/share/kibana/config/certs/elastic-certificate.pem
     xpack.security.encryptionKey: ${KIBANA_ENCRYPTION_KEY}
-    elasticsearch.ssl:
-      certificateAuthorities: /usr/share/kibana/config/certs/elastic-certificate.pem
-      verificationMode: certificate
 
 protocol: https
-
-secretMounts:
-  - name: elastic-certificate-pem
-    secretName: elastic-certificate-pem
-    path: /usr/share/kibana/config/certs
diff --git a/kibana/examples/upgrade/values.yaml b/kibana/examples/upgrade/values.yaml
@@ -1,14 +1,2 @@
 ---
 elasticsearchHosts: "http://upgrade-master:9200"
-
-extraEnvs:
-  - name: "ELASTICSEARCH_USERNAME"
-    valueFrom:
-      secretKeyRef:
-        name: upgrade-master-credentials
-        key: username
-  - name: "ELASTICSEARCH_PASSWORD"
-    valueFrom:
-      secretKeyRef:
-        name: upgrade-master-credentials
-        key: password
diff --git a/kibana/templates/NOTES.txt b/kibana/templates/NOTES.txt
@@ -0,0 +1,4 @@
+1. Watch all containers come up.
+  $ kubectl get pods --namespace={{ .Release.Namespace }} -l release={{ .Release.Name }} -w
+2. Retrieve the elastic user's password.
+  $ kubectl get secrets --namespace={{ .Release.Namespace }} {{ .Values.elasticsearchCredentialSecret }} -ojsonpath='{.data.password}' | base64 -d
diff --git a/kibana/templates/_helpers.tpl b/kibana/templates/_helpers.tpl
@@ -30,3 +30,7 @@ heritage: {{ .Release.Service }}
 {{ toYaml .Values.labels }}
 {{- end }}
 {{- end -}}
+
+{{- define "kibana.home_dir" -}}
+/usr/share/kibana
+{{- end -}}
diff --git a/kibana/templates/configmap-helm-scripts.yaml b/kibana/templates/configmap-helm-scripts.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "kibana.fullname" . }}-helm-scripts
+  labels: {{ include "kibana.labels" . | nindent 4 }}
+data:
+  kibana-entrypoint.sh: |
+    #!/bin/bash
+    set -euo pipefail
+
+    echo "export ELASTICSEARCH_SERVICEACCOUNTTOKEN=$({{ template "kibana.home_dir" . }}/node/bin/node {{ template "kibana.home_dir" . }}/helm-scripts/parse-token.js {{ template "kibana.home_dir" . }}/config/tokens/{{ template "kibana.fullname" . }}.json)" > $HOME/.elasticsearch-serviceaccounttoken
+    source $HOME/.elasticsearch-serviceaccounttoken
+
+    # https://github.com/elastic/dockerfiles/blob/a405a4d692031b72cefcb8523bd464aa3221ec47/kibana/Dockerfile#L131
+    exec /bin/tini -- /usr/local/bin/kibana-docker "$@"
+
+  parse-token.js: |
+    let dataFile = process.argv[2];
+    let dataContent = require(dataFile.toString());
+    console.log(dataContent.token.value);
diff --git a/kibana/templates/deployment.yaml b/kibana/templates/deployment.yaml
@@ -47,19 +47,28 @@ spec:
       hostAliases: {{ toYaml .Values.hostAliases | nindent 6 }}
       {{- end }}
       volumes:
-        {{- range .Values.secretMounts }}
-        - name: {{ .name }}
+        - name: kibana-tokens
+          emptyDir: {}
+        - name: kibana-helm-scripts
+          configMap:
+            name: {{ template "kibana.fullname" . }}-helm-scripts
+            defaultMode: 0755
+        - name: elasticsearch-certs
           secret:
-            secretName: {{ .secretName }}
-        {{- end }}
+            secretName: {{ .Values.elasticsearchCertificateSecret }}
         {{- if .Values.kibanaConfig }}
         - name: kibanaconfig
           configMap:
             name: {{ template "kibana.fullname" . }}-config
         {{- end }}
-      {{- if .Values.extraVolumes }}
+        {{- range .Values.secretMounts }}
+        - name: {{ .name }}
+          secret:
+            secretName: {{ .secretName }}
+        {{- end }}
+        {{- if .Values.extraVolumes }}
 {{ toYaml .Values.extraVolumes | indent 8 }}
-      {{- end }}
+        {{- end }}
     {{- with .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}
@@ -76,11 +85,36 @@ spec:
       imagePullSecrets:
 {{ toYaml .Values.imagePullSecrets | indent 8 }}
     {{- end }}
+      initContainers:
+      - name: configure-kibana-token
+        image: "{{ .Values.image }}:{{ .Values.imageTag }}"
+        imagePullPolicy: "{{ .Values.imagePullPolicy }}"
+        # TODO add retries
+        command:
+          - sh
+          - -c
+          - curl --output {{ template "kibana.home_dir" . }}/config/tokens/{{ template "kibana.fullname" . }}.json --fail -XPOST --cacert {{ template "kibana.home_dir" . }}/config/certs/{{ .Values.elasticsearchCertificateAuthoritiesFile }} -u "$(ELASTICSEARCH_USERNAME):$(ELASTICSEARCH_PASSWORD)" "{{ .Values.elasticsearchHosts }}/_security/service/elastic/kibana/credential/token/{{ template "kibana.fullname" . }}?pretty"
+        env:
+          - name: "ELASTICSEARCH_USERNAME"
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.elasticsearchCredentialSecret }}
+                key: username
+          - name: "ELASTICSEARCH_PASSWORD"
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.elasticsearchCredentialSecret }}
+                key: password
+        volumeMounts:
+          - name: elasticsearch-certs
+            mountPath: {{ template "kibana.home_dir" . }}/config/certs
+            readOnly: true
+          - name: kibana-tokens
+            mountPath: {{ template "kibana.home_dir" . }}/config/tokens
       {{- if .Values.extraInitContainers }}
       # Currently some extra blocks accept strings
       # to continue with backwards compatibility this is being kept
       # whilst also allowing for yaml to be specified too.
-      initContainers:
       {{- if eq "string" (printf "%T" .Values.extraInitContainers) }}
 {{ tpl .Values.extraInitContainers . | indent 6 }}
       {{- else }}
@@ -93,6 +127,8 @@ spec:
 {{ toYaml .Values.securityContext | indent 10 }}
         image: "{{ .Values.image }}:{{ .Values.imageTag }}"
         imagePullPolicy: "{{ .Values.imagePullPolicy }}"
+        command: ["/bin/bash"]
+        args: ["-c","{{ template "kibana.home_dir" . }}/helm-scripts/kibana-entrypoint.sh"]
         env:
           {{- if .Values.elasticsearchURL }}
           - name: ELASTICSEARCH_URL
@@ -101,6 +137,8 @@ spec:
           - name: ELASTICSEARCH_HOSTS
             value: "{{ .Values.elasticsearchHosts }}"
           {{- end }}
+          - name: ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES
+            value: "{{ template "kibana.home_dir" . }}/config/certs/{{ .Values.elasticsearchCertificateAuthoritiesFile }}"
           - name: SERVER_HOST
             value: "{{ .Values.serverHost }}"
 {{- if .Values.extraEnvs }}
@@ -150,6 +188,14 @@ spec:
         resources:
 {{ toYaml .Values.resources | indent 10 }}
         volumeMounts:
+          - name: elasticsearch-certs
+            mountPath: {{ template "kibana.home_dir" . }}/config/certs
+            readOnly: true
+          - name: kibana-tokens
+            mountPath: {{ template "kibana.home_dir" . }}/config/tokens
+            readOnly: true
+          - name: kibana-helm-scripts
+            mountPath: {{ template "kibana.home_dir" . }}/helm-scripts
           {{- range .Values.secretMounts }}
           - name: {{ .name }}
             mountPath: {{ .path }}
@@ -159,7 +205,7 @@ spec:
           {{- end }}
           {{- range $path, $config := .Values.kibanaConfig }}
           - name: kibanaconfig
-            mountPath: /usr/share/kibana/config/{{ $path }}
+            mountPath: {{ template "kibana.home_dir" . }}/config/{{ $path }}
             subPath: {{ $path }}
           {{- end -}}
         {{- if .Values.extraVolumeMounts }}

diff --git a/kibana/templates/job.yaml b/kibana/templates/job.yaml
@@ -0,0 +1,50 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "kibana.fullname" . }}-post-delete
+  labels: {{ include "kibana.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-delete,post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded
+    {{- if .Values.annotations }}
+    {{- range $key, $value := .Values.annotations }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+    {{- end }}
+spec:
+  backoffLimit: 3
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: clean-kibana-token
+          image: "{{ .Values.image }}:{{ .Values.imageTag }}"
+          imagePullPolicy: "{{ .Values.imagePullPolicy }}"
+          command: ["curl"]
+          args:
+            - --fail
+            - -XDELETE
+            - --cacert
+            - {{ template "kibana.home_dir" . }}/config/certs/{{ .Values.elasticsearchCertificateAuthoritiesFile }}
+            - -u
+            - "$(ELASTICSEARCH_USERNAME):$(ELASTICSEARCH_PASSWORD)"
+            - "{{ .Values.elasticsearchHosts }}/_security/service/elastic/kibana/credential/token/{{ template "kibana.fullname" . }}"
+          env:
+            - name: "ELASTICSEARCH_USERNAME"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.elasticsearchCredentialSecret }}
+                  key: username
+            - name: "ELASTICSEARCH_PASSWORD"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.elasticsearchCredentialSecret }}
+                  key: password
+          volumeMounts:
+            - name: elasticsearch-certs
+              mountPath: {{ template "kibana.home_dir" . }}/config/certs
+              readOnly: true
+      volumes:
+        - name: elasticsearch-certs
+          secret:
+            secretName: {{ .Values.elasticsearchCertificateSecret }}