From 5c56c2e85ad1847875bc85260075a2c9a528c0e5 Mon Sep 17 00:00:00 2001 From: Markus Date: Thu, 11 Jul 2024 16:37:10 +0300 Subject: [PATCH] Use kibana access token for connections --- infrastructure/docker-compose.deploy.yml | 6 ++++-- infrastructure/monitoring/kibana/kibana.yml | 2 +- infrastructure/monitoring/kibana/setup-config.sh | 15 ++++++++------- 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/infrastructure/docker-compose.deploy.yml b/infrastructure/docker-compose.deploy.yml index e6bda4d9..17792ffb 100644 --- a/infrastructure/docker-compose.deploy.yml +++ b/infrastructure/docker-compose.deploy.yml @@ -79,6 +79,7 @@ services: - ELASTICSEARCH_HOST=elasticsearch:9200 - ELASTICSEARCH_USERNAME=elastic - ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_SUPERUSER_PASSWORD} + - KIBANA_ACCESS_TOKEN=${KIBANA_ACCESS_TOKEN} - KIBANA_HOST=kibana:5601 command: ['--strict.perms=false'] deploy: @@ -129,8 +130,8 @@ services: entrypoint: [ 'curl', - '-u', - 'elastic:${ELASTICSEARCH_SUPERUSER_PASSWORD}', + '-H', + 'Authorization: Bearer ${KIBANA_ACCESS_TOKEN}', '-X', 'POST', 'http://kibana:5601/api/saved_objects/_import?overwrite=true', @@ -177,6 +178,7 @@ services: environment: - ELASTICSEARCH_USERNAME=elastic - ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_SUPERUSER_PASSWORD} + - KIBANA_ACCESS_TOKEN=${KIBANA_ACCESS_TOKEN} configs: - source: kibana.{{ts}} target: /usr/share/kibana/config/kibana.yml diff --git a/infrastructure/monitoring/kibana/kibana.yml b/infrastructure/monitoring/kibana/kibana.yml index 90404eca..1530fc33 100644 --- a/infrastructure/monitoring/kibana/kibana.yml +++ b/infrastructure/monitoring/kibana/kibana.yml 
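Review bot: The setup entrypoint in the second hunk now carries `Authorization: Bearer ${KIBANA_ACCESS_TOKEN}` in the container's argument list, so the token can be read from the deployed service definition and the process list, just as the superuser password could before. The first and third hunks add the same variable to two more services' environments, so one token becomes a secret shared by three containers. If this value is Kibana's own Elasticsearch service account token (the kibana.yml change suggests so), a separate API key limited to what the import job needs would keep that job from holding Kibana's credential. Whether the service token is authorised for the `_import` endpoint at all is not visible in the diff and should be tested. A comment above the entrypoint, such as `# token is interpolated by compose at deploy time and ends up in the service spec`, would record the exposure.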
@@ -64,7 +64,7 @@ xpack.infra.sources.default.logAlias: 'logs-*,filebeat-*,kibana_sample_data_logs # Kibana can also authenticate to Elasticsearch via "service account tokens". # Service account tokens are Bearer style tokens that replace the traditional username/password based configuration. # Use this token instead of a username/password. -# elasticsearch.serviceAccountToken: "my_token" +elasticsearch.serviceAccountToken: '{{KIBANA_ACCESS_TOKEN}}' # Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of # the elasticsearch.requestTimeout setting. diff --git a/infrastructure/monitoring/kibana/setup-config.sh b/infrastructure/monitoring/kibana/setup-config.sh index a2f5cca7..8692277a 100755 --- a/infrastructure/monitoring/kibana/setup-config.sh +++ b/infrastructure/monitoring/kibana/setup-config.sh @@ -15,7 +15,7 @@ kibana_alerting_api_url="http://kibana:5601/api/alerting/rules/_find?page=1&per_ docker_command="docker run --rm -v /opt/opencrvs/infrastructure/monitoring/kibana/config.ndjson:/config.ndjson --network=opencrvs_overlay_net curlimages/curl" # Initial API status check to ensure Kibana is ready -status_code=$($docker_command --connect-timeout 60 -u elastic:$ELASTICSEARCH_SUPERUSER_PASSWORD -o /dev/null -w '%{http_code}' "$kibana_alerting_api_url") +status_code=$($docker_command --connect-timeout 60 -H 'Authorization: Bearer $KIBANA_ACCESS_TOKEN' -o /dev/null -w '%{http_code}' "$kibana_alerting_api_url") if [ "$status_code" -ne 200 ]; then echo "Kibana is not ready. API returned status code: $status_code" 
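Review bot: `elasticsearch.serviceAccountToken` is switched on here while the compose file in this same patch still passes `ELASTICSEARCH_USERNAME` and `ELASTICSEARCH_PASSWORD` to the Kibana service. As far as I know, Kibana's config validation refuses a configuration that sets both `elasticsearch.username` and `elasticsearch.serviceAccountToken`. If the username still reaches Kibana's settings, either through the rest of kibana.yml (not shown in this hunk) or through the image's environment mapping, startup is likely to fail. Dropping the username/password pair in the same change avoids that and takes the superuser credential out of the Kibana container. The `{{KIBANA_ACCESS_TOKEN}}` placeholder depends on a templating step outside this diff, so the deploy step should stop when the variable is unset rather than render an empty token.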
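Review bot: The new argument `-H 'Authorization: Bearer $KIBANA_ACCESS_TOKEN'` on the `status_code=` line is single-quoted, so the shell does not expand the variable and curl sends the literal text `$KIBANA_ACCESS_TOKEN`. The readiness check is then expected to get an authentication error instead of 200. Use double quotes: `-H "Authorization: Bearer $KIBANA_ACCESS_TOKEN"`. Every curl call in the next hunk (list, DELETE, import, `_disable`, `_enable`) repeats the same quoting and needs the same change. The `if` block that follows the check continues outside this hunk.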
@@ -23,15 +23,16 @@ if [ "$status_code" -ne 200 ]; then fi # Delete all alerts -$docker_command --connect-timeout 60 -u elastic:$ELASTICSEARCH_SUPERUSER_PASSWORD "$kibana_alerting_api_url" | docker run --rm -i --network=opencrvs_overlay_net ghcr.io/jqlang/jq -r '.data[].id' | while read -r id; do - $docker_command --connect-timeout 60 -X DELETE -H 'kbn-xsrf: true' -u elastic:$ELASTICSEARCH_SUPERUSER_PASSWORD "http://kibana:5601/api/alerting/rule/$id" +$docker_command --connect-timeout 60 -H 'Authorization: Bearer $KIBANA_ACCESS_TOKEN' "$kibana_alerting_api_url" | docker run --rm -i --network=opencrvs_overlay_net ghcr.io/jqlang/jq -r '.data[].id' | while read -r id; do + $docker_command --connect-timeout 60 -X DELETE -H 'kbn-xsrf: true' -H 'Authorization: Bearer $KIBANA_ACCESS_TOKEN' "http://kibana:5601/api/alerting/rule/$id" done # Import configuration -$docker_command --connect-timeout 60 -u elastic:$ELASTICSEARCH_SUPERUSER_PASSWORD -X POST "http://kibana:5601/api/saved_objects/_import?overwrite=true" -H 'kbn-xsrf: true' --form file=@/config.ndjson > /dev/null +$docker_command --connect-timeout 60 -H 'Authorization: Bearer $KIBANA_ACCESS_TOKEN' -X POST "http://kibana:5601/api/saved_objects/_import?overwrite=true" -H 'kbn-xsrf: true' --form file=@/config.ndjson > /dev/null # Re-enable all alerts -$docker_command --connect-timeout 60 -u elastic:$ELASTICSEARCH_SUPERUSER_PASSWORD "$kibana_alerting_api_url" | docker run --rm -i --network=opencrvs_overlay_net ghcr.io/jqlang/jq -r '.data[].id' | while read -r id; do - $docker_command --connect-timeout 60 -X POST -H 'kbn-xsrf: true' -u elastic:$ELASTICSEARCH_SUPERUSER_PASSWORD "http://kibana:5601/api/alerting/rule/$id/_disable" - $docker_command --connect-timeout 60 -X POST -H 'kbn-xsrf: true' -u elastic:$ELASTICSEARCH_SUPERUSER_PASSWORD "http://kibana:5601/api/alerting/rule/$id/_enable" +$docker_command --connect-timeout 60 -H 'Authorization: Bearer $KIBANA_ACCESS_TOKEN' "$kibana_alerting_api_url" | docker run --rm -i 
--network=opencrvs_overlay_net ghcr.io/jqlang/jq -r '.data[].id' | while read -r id; do + $docker_command --connect-timeout 60 -X POST -H 'kbn-xsrf: true' -H 'Authorization: Bearer $KIBANA_ACCESS_TOKEN' "http://kibana:5601/api/alerting/rule/$id/_disable" + $docker_command --connect-timeout 60 -X POST -H 'kbn-xsrf: true' -H 'Authorization: Bearer $KIBANA_ACCESS_TOKEN' "http://kibana:5601/api/alerting/rule/$id/_enable" done +
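Review bot: The import call sends its output to `/dev/null` and none of the curl invocations in this hunk pass `--fail`, so a rejected credential produces no visible error. The list calls would hand an error body to jq and the `while read` loops would simply not run. Since this commit changes the credential, adding `--fail` to these calls (for example `$docker_command --fail --connect-timeout 60 ...`) and checking the import's exit status would make an authentication problem stop the script, unless failure options are already set outside this hunk. A short comment above the import line, such as `# --fail: abort when Kibana rejects the token`, would document the intent.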