[kibana] add 8.x compatibility

[jmlrt]

This PR is updating the Kibana chart to make it compatible with 8.x version.

[jmlrt]

As a current status, Kibana is starting but fails then with Unable to retrieve version information from Elasticsearch nodes. security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip] error.

Full logs

[2022-08-30T12:47:46.226+00:00][INFO ][node] Kibana process configured with roles: [background_tasks, ui]
[2022-08-30T12:47:59.425+00:00][INFO ][http.server.Preboot] http server running at http://0.0.0.0:5601
[2022-08-30T12:47:59.472+00:00][INFO ][plugins-system.preboot] Setting up [1] plugins: [interactiveSetup]
[2022-08-30T12:47:59.541+00:00][WARN ][config.deprecation] The default mechanism for Reporting privileges will work differently in future versions, which will affect the behavior of this cluster. Set "xpack.reporting.roles.enabled" to "false" to adopt the future behavior before upgrading.
[2022-08-30T12:47:59.931+00:00][INFO ][plugins-system.standard] Setting up [121] plugins: [translations,monitoringCollection,licensing,globalSearch,globalSearchProviders,features,mapsEms,licenseApiGuard,usageCollection,taskManager,telemetryCollectionManager,telemetryCollectionXpack,kibanaUsageCollection,share,embeddable,uiActionsEnhanced,screenshotMode,banners,newsfeed,fieldFormats,expressions,dataViews,charts,esUiShared,customIntegrations,home,searchprofiler,painlessLab,grokdebugger,management,advancedSettings,spaces,security,lists,encryptedSavedObjects,cloud,snapshotRestore,screenshotting,telemetry,licenseManagement,eventLog,actions,console,bfetch,data,watcher,reporting,fileUpload,ingestPipelines,alerting,unifiedSearch,savedObjects,graph,savedObjectsTagging,savedObjectsManagement,presentationUtil,expressionShape,expressionRevealImage,expressionRepeatImage,expressionMetric,expressionImage,controls,eventAnnotation,dataViewFieldEditor,triggersActionsUi,transform,stackAlerts,ruleRegistry,discover,fleet,indexManagement,remoteClusters,crossClusterReplication,indexLifecycleManagement,cloudSecurityPosture,discoverEnhanced,aiops,visualizations,canvas,visTypeXy,visTypeVislib,visTypeVega,visTypeTimeseries,rollup,visTypeTimelion,visTypeTagcloud,visTypeTable,visTypeMetric,visTypeHeatmap,visTypeMarkdown,dashboard,dashboardEnhanced,expressionXY,expressionTagcloud,expressionPartitionVis,visTypePie,expressionMetricVis,expressionLegacyMetricVis,expressionHeatmap,expressionGauge,lens,osquery,maps,dataVisualizer,ml,cases,timelines,sessionView,kubernetesSecurity,securitySolution,visTypeGauge,sharedUX,observability,synthetics,infra,upgradeAssistant,monitoring,logstash,enterpriseSearch,apm,dataViewManagement]
[2022-08-30T12:47:59.950+00:00][INFO ][plugins.taskManager] TaskManager is identified by the Kibana UUID: 30acffde-3b14-4fec-bfe6-bb59aca0a0cf
[2022-08-30T12:48:00.064+00:00][WARN ][plugins.security.config] Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-08-30T12:48:00.064+00:00][WARN ][plugins.security.config] Session cookies will be transmitted over insecure connections. This is not recommended.
[2022-08-30T12:48:00.142+00:00][WARN ][plugins.security.config] Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-08-30T12:48:00.143+00:00][WARN ][plugins.security.config] Session cookies will be transmitted over insecure connections. This is not recommended.
[2022-08-30T12:48:00.150+00:00][WARN ][plugins.encryptedSavedObjects] Saved objects encryption key is not set. This will severely limit Kibana functionality. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-08-30T12:48:00.168+00:00][WARN ][plugins.actions] APIs are disabled because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-08-30T12:48:00.355+00:00][WARN ][plugins.reporting.config] Generating a random key for xpack.reporting.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.reporting.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-08-30T12:48:00.356+00:00][WARN ][plugins.reporting.config] Found 'server.host: "0.0.0.0"' in Kibana configuration. Reporting is not able to use this as the Kibana server hostname. To enable PNG/PDF Reporting to work, 'xpack.reporting.kibanaServer.hostname: localhost' is automatically set in the configuration. You can prevent this message by adding 'xpack.reporting.kibanaServer.hostname: localhost' in kibana.yml.
[2022-08-30T12:48:00.362+00:00][WARN ][plugins.alerting] APIs are disabled because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-08-30T12:48:00.458+00:00][INFO ][plugins.ruleRegistry] Installing common resources shared between all indices
[2022-08-30T12:48:00.529+00:00][INFO ][plugins.cloudSecurityPosture] Registered task successfully [Task: cloud_security_posture-stats_task]
[2022-08-30T12:48:01.576+00:00][INFO ][plugins.screenshotting.config] Chromium sandbox provides an additional layer of protection, and is supported for Linux Ubuntu 20.04 OS. Automatically enabling Chromium sandbox.
[2022-08-30T12:48:01.678+00:00][ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip]
[2022-08-30T12:48:03.031+00:00][INFO ][plugins.screenshotting.chromium] Browser executable: /usr/share/kibana/x-pack/plugins/screenshotting/chromium/headless_shell-linux_x64/headless_shell

The kibana enrollment token is successfully created by the init container calling Elasticsearch API and mounted into the kibana pod under /usr/share/kibana/config/tokens/kb-kibana. However, triggering manually the kibana-setup command is failing with Invalid enrollment token provided error.

Steps to reproduce:

1. Deploy Elasticsearch chart: helm install es ./elasticsearch from this PR
2. Deploy kibana chart: helm install kb ./kibana from this PR
3. Check kibana pod name:

$ kubectl get pod | grep kibana
kb-kibana-5cc4f4577f-v6h2l   1/1     Running   0          49m

4. Check kibana pod logs: kubectl logs kb-kibana-5cc4f4577f-v6h2l
5. Connect into the kibana pod: kubectl exec -it kb-kibana-5cc4f4577f-v6h2l -- bash
6. Then inside the pod:
   • Check kibana config:

     kibana@kb-kibana-5cc4f4577f-v6h2l:~$ cat config/kibana.yml
     elasticsearch.ssl.certificate: /usr/share/kibana/config/certs/tls.crt
     elasticsearch.ssl.key: /usr/share/kibana/config/certs/tls.key
     elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/certs/ca.crt"]
     

   • Check enrollment token:

      kibana@kb-kibana-5cc4f4577f-v6h2l:~$ cat config/tokens/kb-kibana
      {
        "created" : true,
        "token" : {
          "name" : "kb-kibana",
          "value" : "AAEAAWVsYXN0aWMva2liYW5hL2tiLWtpYmFuYTpBX0o5X2puSVNUdVA0N0dVOTdEUFFB"
        }
      }
     

   • Check that the enrollment token is valid:

     kibana@kb-kibana-5cc4f4577f-v6h2l:~$ curl --cacert config/certs/ca.crt -H "Authorization: Bearer AAEAAWVsYXN0aWMva2liYW5hL2tiLWtpYmFuYTpBX0o5X2puSVNUdVA0N0dVOTdEUFFB" https://elasticsearch-master:9200/_cluster/health
     {"cluster_name":"elasticsearch","status":"green","timed_out":false,"number_of_nodes":3,"number_of_data_nodes":3,"active_primary_shards":2,"active_shards":4,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":0,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":100.0}
     

   • Run kibana-setup:

     kibana@kb-kibana-5cc4f4577f-v6h2l:~$ ./bin/kibana-setup -t AAEAAWVsYXN0aWMva2liYW5hL2tiLWtpYmFuYTpBX0o5X2puSVNUdVA0N0dVOTdEUFFB
     Invalid enrollment token provided.
     
     To generate a new enrollment token run:
       bin/elasticsearch-create-enrollment-token -s kibana
     

cc @jbudz @nkammah

[jmlrt]

@jbudz The generated enrollment token is valid since we can use it to query Elasticsearch from the kibana pod. I'm not sure why the kibana-setup command is marking it as invalid.

I didn't find any way to get more details about this failure (I didn't find any option for more verbose logs). The errors seem to happen in the decodeEnrollmentToken function, but I don't speak JS/TS. Do you have any idea of what is happening?

[jmlrt]

• Run kibana-setup:

  kibana@kb-kibana-5cc4f4577f-v6h2l:~$ ./bin/kibana-setup -t AAEAAWVsYXN0aWMva2liYW5hL2tiLWtpYmFuYTpBX0o5X2puSVNUdVA0N0dVOTdEUFFB
  Invalid enrollment token provided.
  
  To generate a new enrollment token run:
    bin/elasticsearch-create-enrollment-token -s kibana
  

Note also that I tried regenerating the token using the elasticsearch-create-enrollment-token command as mentioned in the error message, however, this command is only working with Elasticsearch clusters that have been auto-configured for security as described in the doc which is not the case in helm-charts scenarios.

[jbudz]

There's two different tokens and I think we may be confusing the two:

enrollment token:

• generated by bin/elasticsearch-create-enrollment-token
• when consumed via bin/kibana-setup configures kibana.yml:

elasticsearch.hosts: ["https://localhost:9200/"]
elasticsearch.serviceAccountToken: XXXXXXX
elasticsearch.ssl.certificateAuthorities:
  [/absolute/path/to/kibana-8.3.3/data/ca_1659104310110.crt]
xpack.fleet.outputs:
  [
    {
      id: fleet-default-output,
      name: default,
      is_default: true,
      is_default_monitoring: true,
      type: elasticsearch,
      hosts: ["https://localhost:9200/"],
      ca_trusted_fingerprint: XXXXXXX,
    },
  ]

service account token (used here):

• gets the value needed to set elasticsearch.serviceAccountToken in kibana.yml

[jmlrt]

These 2 tokens are really confusing.

This makes things a lot more complicated because the token is generated from the kibana init container when the chart is already deployed. That means that we can't use it in the Helm template itself to modify the kibana.yaml config map or environment variable before the real kibana container is starting.

AFAIK, the only thing we can do is mount it as a file into the kibana container and run a command to use it while kibana process has already been started.

[jbudz]

I'm thinking that might work..can we send a sighup signal without interfering with the process monitor? elastic/kibana#52756 (comment). It sounds like that may not work for all configurations though, need to check.

[jmlrt]

Another solution would be to override the Kibana container command in the Helm template to run a script that read the mounted file, parse the token and load it as an environment variable or edit the kibana.yaml file, then finally start kibana by running manually the default image command.

I'd like to avoid if we can, because that any change in the default image command (in a different kibana version or for people using customized kibana image) would break the chart. However, I feel that that may be the only way to do it.

[jmlrt]

Reloading the kibana config with kill -HUP doesn't seem to handle the elasticsearch.serviceAccountToken value in my tests. In addition, I discovered that the kibana.yaml config file is opened in RO, so editing it to add this parameter requires too much workarounds. I ended up using a custom entrypoint scripts as mentioned in my previous comment => 2319e09

I guess that we can still rework it if we change the kibana docker image entrypoint in a later version.

[jmlrt]

The good news is that kibana seems to start successfully with the custom entry point that parse the token file and load it as an environment variable before launching kibana 🎉

[2022-09-05T13:43:24.118+00:00][INFO ][node] Kibana process configured with roles: [background_tasks, ui]
[2022-09-05T13:43:36.382+00:00][INFO ][http.server.Preboot] http server running at http://0.0.0.0:5601
[2022-09-05T13:43:36.432+00:00][INFO ][plugins-system.preboot] Setting up [1] plugins: [interactiveSetup]
[2022-09-05T13:43:36.478+00:00][WARN ][config.deprecation] The default mechanism for Reporting privileges will work differently in future versions, which will affect the behavior of this cluster. Set "xpack.reporting.roles.enabled" to "false" to adopt the future behavior before upgrading.
[2022-09-05T13:43:36.852+00:00][INFO ][plugins-system.standard] Setting up [121] plugins: [translations,monitoringCollection,licensing,globalSearch,globalSearchProviders,features,mapsEms,licenseApiGuard,usageCollection,taskManager,telemetryCollectionManager,telemetryCollectionXpack,kibanaUsageCollection,share,embeddable,uiActionsEnhanced,screenshotMode,banners,newsfeed,fieldFormats,expressions,dataViews,charts,esUiShared,customIntegrations,home,searchprofiler,painlessLab,grokdebugger,management,advancedSettings,spaces,security,lists,encryptedSavedObjects,cloud,snapshotRestore,screenshotting,telemetry,licenseManagement,eventLog,actions,console,bfetch,data,watcher,reporting,fileUpload,ingestPipelines,alerting,unifiedSearch,savedObjects,graph,savedObjectsTagging,savedObjectsManagement,presentationUtil,expressionShape,expressionRevealImage,expressionRepeatImage,expressionMetric,expressionImage,controls,eventAnnotation,dataViewFieldEditor,triggersActionsUi,transform,stackAlerts,ruleRegistry,discover,fleet,indexManagement,remoteClusters,crossClusterReplication,indexLifecycleManagement,cloudSecurityPosture,discoverEnhanced,aiops,visualizations,canvas,visTypeXy,visTypeVislib,visTypeVega,visTypeTimeseries,rollup,visTypeTimelion,visTypeTagcloud,visTypeTable,visTypeMetric,visTypeHeatmap,visTypeMarkdown,dashboard,dashboardEnhanced,expressionXY,expressionTagcloud,expressionPartitionVis,visTypePie,expressionMetricVis,expressionLegacyMetricVis,expressionHeatmap,expressionGauge,lens,osquery,maps,dataVisualizer,ml,cases,timelines,sessionView,kubernetesSecurity,securitySolution,visTypeGauge,sharedUX,observability,synthetics,infra,upgradeAssistant,monitoring,logstash,enterpriseSearch,apm,dataViewManagement]
[2022-09-05T13:43:36.873+00:00][INFO ][plugins.taskManager] TaskManager is identified by the Kibana UUID: cba19720-d0e8-4568-ad0b-c8e6c9d8155a
[2022-09-05T13:43:37.014+00:00][WARN ][plugins.security.config] Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-09-05T13:43:37.015+00:00][WARN ][plugins.security.config] Session cookies will be transmitted over insecure connections. This is not recommended.
[2022-09-05T13:43:37.046+00:00][WARN ][plugins.security.config] Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-09-05T13:43:37.047+00:00][WARN ][plugins.security.config] Session cookies will be transmitted over insecure connections. This is not recommended.
[2022-09-05T13:43:37.055+00:00][WARN ][plugins.encryptedSavedObjects] Saved objects encryption key is not set. This will severely limit Kibana functionality. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-09-05T13:43:37.072+00:00][WARN ][plugins.actions] APIs are disabled because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-09-05T13:43:37.253+00:00][WARN ][plugins.reporting.config] Generating a random key for xpack.reporting.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.reporting.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-09-05T13:43:37.254+00:00][WARN ][plugins.reporting.config] Found 'server.host: "0.0.0.0"' in Kibana configuration. Reporting is not able to use this as the Kibana server hostname. To enable PNG/PDF Reporting to work, 'xpack.reporting.kibanaServer.hostname: localhost' is automatically set in the configuration. You can prevent this message by adding 'xpack.reporting.kibanaServer.hostname: localhost' in kibana.yml.
[2022-09-05T13:43:37.259+00:00][WARN ][plugins.alerting] APIs are disabled because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-09-05T13:43:37.352+00:00][INFO ][plugins.ruleRegistry] Installing common resources shared between all indices
[2022-09-05T13:43:37.420+00:00][INFO ][plugins.cloudSecurityPosture] Registered task successfully [Task: cloud_security_posture-stats_task]
[2022-09-05T13:43:38.384+00:00][INFO ][plugins.screenshotting.config] Chromium sandbox provides an additional layer of protection, and is supported for Linux Ubuntu 20.04 OS. Automatically enabling Chromium sandbox.
[2022-09-05T13:43:40.001+00:00][INFO ][plugins.screenshotting.chromium] Browser executable: /usr/share/kibana/x-pack/plugins/screenshotting/chromium/headless_shell-linux_x64/headless_shell
[2022-09-05T13:43:40.712+00:00][INFO ][savedobjects-service] Waiting until all Elasticsearch nodes are compatible with Kibana before starting saved objects migrations...
[2022-09-05T13:43:40.712+00:00][INFO ][savedobjects-service] Starting saved objects migrations
[2022-09-05T13:43:40.759+00:00][INFO ][savedobjects-service] [.kibana_task_manager] INIT -> CREATE_NEW_TARGET. took: 29ms.
[2022-09-05T13:43:40.786+00:00][INFO ][savedobjects-service] [.kibana] INIT -> CREATE_NEW_TARGET. took: 59ms.
[2022-09-05T13:43:41.974+00:00][INFO ][savedobjects-service] [.kibana_task_manager] CREATE_NEW_TARGET -> MARK_VERSION_INDEX_READY. took: 1216ms.
[2022-09-05T13:43:42.074+00:00][INFO ][savedobjects-service] [.kibana_task_manager] MARK_VERSION_INDEX_READY -> DONE. took: 100ms.
[2022-09-05T13:43:42.075+00:00][INFO ][savedobjects-service] [.kibana_task_manager] Migration completed after 1346ms
[2022-09-05T13:43:42.176+00:00][INFO ][savedobjects-service] [.kibana] CREATE_NEW_TARGET -> MARK_VERSION_INDEX_READY. took: 1390ms.
[2022-09-05T13:43:42.333+00:00][INFO ][savedobjects-service] [.kibana] MARK_VERSION_INDEX_READY -> DONE. took: 157ms.
[2022-09-05T13:43:42.333+00:00][INFO ][savedobjects-service] [.kibana] Migration completed after 1606ms
[2022-09-05T13:43:42.338+00:00][INFO ][plugins-system.preboot] Stopping all plugins.
[2022-09-05T13:43:42.339+00:00][INFO ][plugins-system.standard] Starting [121] plugins: [translations,monitoringCollection,licensing,globalSearch,globalSearchProviders,features,mapsEms,licenseApiGuard,usageCollection,taskManager,telemetryCollectionManager,telemetryCollectionXpack,kibanaUsageCollection,share,embeddable,uiActionsEnhanced,screenshotMode,banners,newsfeed,fieldFormats,expressions,dataViews,charts,esUiShared,customIntegrations,home,searchprofiler,painlessLab,grokdebugger,management,advancedSettings,spaces,security,lists,encryptedSavedObjects,cloud,snapshotRestore,screenshotting,telemetry,licenseManagement,eventLog,actions,console,bfetch,data,watcher,reporting,fileUpload,ingestPipelines,alerting,unifiedSearch,savedObjects,graph,savedObjectsTagging,savedObjectsManagement,presentationUtil,expressionShape,expressionRevealImage,expressionRepeatImage,expressionMetric,expressionImage,controls,eventAnnotation,dataViewFieldEditor,triggersActionsUi,transform,stackAlerts,ruleRegistry,discover,fleet,indexManagement,remoteClusters,crossClusterReplication,indexLifecycleManagement,cloudSecurityPosture,discoverEnhanced,aiops,visualizations,canvas,visTypeXy,visTypeVislib,visTypeVega,visTypeTimeseries,rollup,visTypeTimelion,visTypeTagcloud,visTypeTable,visTypeMetric,visTypeHeatmap,visTypeMarkdown,dashboard,dashboardEnhanced,expressionXY,expressionTagcloud,expressionPartitionVis,visTypePie,expressionMetricVis,expressionLegacyMetricVis,expressionHeatmap,expressionGauge,lens,osquery,maps,dataVisualizer,ml,cases,timelines,sessionView,kubernetesSecurity,securitySolution,visTypeGauge,sharedUX,observability,synthetics,infra,upgradeAssistant,monitoring,logstash,enterpriseSearch,apm,dataViewManagement]
[2022-09-05T13:43:44.548+00:00][INFO ][plugins.monitoring.monitoring] config sourced from: production cluster
[2022-09-05T13:43:46.584+00:00][INFO ][http.server.Kibana] http server running at http://0.0.0.0:5601
[2022-09-05T13:43:46.670+00:00][INFO ][status] Kibana is now degraded
[2022-09-05T13:43:46.736+00:00][INFO ][plugins.monitoring.monitoring.kibana-monitoring] Starting monitoring stats collection
[2022-09-05T13:43:46.737+00:00][INFO ][plugins.fleet] Beginning fleet setup
[2022-09-05T13:43:50.143+00:00][INFO ][plugins.ml] Task ML:saved-objects-sync-task: scheduled with interval 1h
[2022-09-05T13:43:50.640+00:00][INFO ][plugins.ruleRegistry] Installed common resources shared between all indices
[2022-09-05T13:43:50.641+00:00][INFO ][plugins.ruleRegistry] Installing resources for index .alerts-security.alerts
[2022-09-05T13:43:50.641+00:00][INFO ][plugins.ruleRegistry] Installing resources for index .preview.alerts-security.alerts
[2022-09-05T13:43:50.642+00:00][INFO ][plugins.ruleRegistry] Installing resources for index .alerts-observability.uptime.alerts
[2022-09-05T13:43:50.642+00:00][INFO ][plugins.ruleRegistry] Installing resources for index .alerts-observability.logs.alerts
[2022-09-05T13:43:50.642+00:00][INFO ][plugins.ruleRegistry] Installing resources for index .alerts-observability.metrics.alerts
[2022-09-05T13:43:50.642+00:00][INFO ][plugins.ruleRegistry] Installing resources for index .alerts-observability.apm.alerts
[2022-09-05T13:43:51.234+00:00][INFO ][plugins.ruleRegistry] Installed resources for index .alerts-observability.logs.alerts
[2022-09-05T13:43:51.235+00:00][INFO ][plugins.ruleRegistry] Installed resources for index .alerts-observability.apm.alerts
[2022-09-05T13:43:51.236+00:00][INFO ][plugins.ruleRegistry] Installed resources for index .alerts-observability.uptime.alerts
[2022-09-05T13:43:51.237+00:00][INFO ][plugins.ruleRegistry] Installed resources for index .alerts-observability.metrics.alerts
[2022-09-05T13:43:51.265+00:00][INFO ][plugins.ruleRegistry] Installed resources for index .alerts-security.alerts
[2022-09-05T13:43:53.831+00:00][INFO ][status] Kibana is now available (was degraded)
[2022-09-05T13:43:54.042+00:00][INFO ][plugins.reporting.store] Creating ILM policy for managing reporting indices: kibana-reporting
[2022-09-05T13:43:55.644+00:00][INFO ][plugins.ml] Task ML:saved-objects-sync-task: 1 ML saved object synced
[2022-09-05T13:43:55.867+00:00][INFO ][plugins.ruleRegistry] Installed resources for index .preview.alerts-security.alerts
[2022-09-05T13:43:58.318+00:00][INFO ][plugins.fleet] Fleet setup completed
[2022-09-05T13:43:58.373+00:00][INFO ][plugins.securitySolution] Dependent plugin setup complete - Starting ManifestTask
[2022-09-05T13:43:59.188+00:00][INFO ][plugins.securitySolution.endpoint:metadata-check-transforms-task:0.0.1] no endpoint installation found
[2022-09-05T13:44:03.724+00:00][INFO ][plugins.synthetics] Installed synthetics index templates

When I'm connecting to the UI, I can now reach the login page:

So the next step is to find how to connect.

[jmlrt]

When I'm connecting to the UI, I can now reach the login page:

So the next step is to find how to connect.

Note that we can login to kibana with the elastic user whose password can be found into the default/elasticsearch-master-credentials k8s secret. Not sure if we should try to handle the creation of a kibana specific user in the helm-charts or let customers handle this in their own config.

[jmlrt]

@jbudz @elastic/release-eng @framsouza I think this PR is ready for review.

The Kibana upgrade test (upgrade from 7.17.x to 8.4.1 is failing for now. I'll investigate in a follow-up PR of that's something we can fix or if we need to disable it and advertise that upgrade from the previous major version isn't supported.

[jbudz]

@elastic/kibana-security can you review this approach? short version: interactive setup isn't an option in a helm environment, so we're manually configuring kibana similar to the cli.

• a kibana service account token is created
• certificates are added
• hostname is set

[framsouza]

I've tested locally and everything worked smoothly. Well done, @jmlrt ! That was a really good achievement. 🎆

[azasypkin]

The approach to configure Kibana security LGTM, just left one question and one nit. Thank you!

[azasypkin]

question: Sorry if it's a dumb question, but I'm not Helm chart/k8s expert: what would happen if the user installs Kibana helm chart, then uninstalls it and try to install it again? Won't this request fail because the init container will try to create the token with the same name (kibana.fullname)?

[jmlrt]

Now that's a really relevant question. When you uninstall the chart, there is a K8S job that is triggered using Helm post-delete hooks that will call Elasticsearch again to remove the token. This way, if we re-install the chart, it can recreate a new token with the same name.

helm-charts/kibana/templates/job.yaml

Lines 1 to 7 in 80e4ada

	apiVersion: batch/v1
	kind: Job
	metadata:
	name: {{ template "kibana.fullname" . }}-post-delete
	labels: {{ include "kibana.labels" . | nindent 4 }}
	annotations:
	"helm.sh/hook": post-delete,post-upgrade

helm-charts/kibana/templates/job.yaml

Lines 23 to 31 in 80e4ada

	command: ["curl"]
	args:
	- --fail
	- -XDELETE
	- --cacert
	- {{ template "kibana.home_dir" . }}/config/certs/{{ .Values.elasticsearchCertificateAuthoritiesFile }}
	- -u
	- "$(ELASTICSEARCH_USERNAME):$(ELASTICSEARCH_PASSWORD)"
	- "{{ .Values.elasticsearchHosts }}/_security/service/elastic/kibana/credential/token/{{ template "kibana.fullname" . }}"

[azasypkin]

Awesome, thank you for clarifying that!

[pjaak]

Hi @jmlrt ,

Having problems with this, I see there was a comment made above about having the initContainer creating the token. It means everytime the container is terminated it will try create a token with the same name. For example, we run our elastic environment on AWS spot so the container can be terminated regularly, however it is not failing to start up because it is trying to create a token which already exists. Not sure what to do about this

Thanks

[jmlrt]

Hi @pjaak, thanks for reporting this bug 👍🏻. I could reproduce locally and need to find a way to fix it.

[pjaak]

Hi @jmlrt ,

I would propose maybe a helm pre-install hook so it only runs on the first helm install. Similar to the way you do the delete token in the post-delete. :)