From 4d275ef796342f8551ca90526e137e4a6afc52a9 Mon Sep 17 00:00:00 2001 From: Nathan L Smith Date: Wed, 18 Feb 2026 11:15:20 -0600 Subject: [PATCH 1/2] Generate Kibana encryption keys on startup Replaces hardcoded encryption keys with dynamically generated ones. A new setup_kibana_keys service generates three 32-char hex keys on first run and persists them on the etc volume. Kibana merges the generated keys into its config at startup. Closes #6 Co-Authored-By: Claude Opus 4.6 --- compose.yaml | 28 +++++++++++++++++++++++++--- config/kibana.yml | 6 ++---- scripts/generate-kibana-keys.sh | 22 ++++++++++++++++++++++ 3 files changed, 49 insertions(+), 7 deletions(-) create mode 100644 scripts/generate-kibana-keys.sh diff --git a/compose.yaml b/compose.yaml index 25a0575..34dcb33 100644 --- a/compose.yaml +++ b/compose.yaml @@ -25,6 +25,8 @@ configs: file: scripts/create-api-key.sh create-certs.sh: file: scripts/create-certs.sh + generate-kibana-keys.sh: + file: scripts/generate-kibana-keys.sh elasticsearch.yml: file: config/elasticsearch.yml kibana.yml: 
@@ -107,23 +109,30 @@ services: - esdata:/usr/share/elasticsearch/data - eslogs:/usr/share/elasticsearch/logs kibana: - # TODO generate encryption keys + command: > + sh -c ' + cp /usr/share/kibana/config/kibana.yml.base /usr/share/kibana/config/kibana.yml && + cat /etc/elastic/kibana_encryption_keys.yml >> /usr/share/kibana/config/kibana.yml && + /usr/local/bin/kibana-docker + ' configs: - source: kibana.yml - target: /usr/share/kibana/config/kibana.yml + target: /usr/share/kibana/config/kibana.yml.base - source: node.options target: /usr/share/kibana/config/node.options container_name: kibana depends_on: elasticsearch: condition: service_healthy + setup_kibana_keys: + condition: service_completed_successfully setup_kibana_user: condition: service_completed_successfully develop: watch: - action: sync+restart path: config/kibana.yml - target: /usr/share/kibana/config/kibana.yml + target: /usr/share/kibana/config/kibana.yml.base environment: - ELASTICSEARCH_HOSTS=https://elasticsearch:${ES_PORT} - ELASTICSEARCH_PASSWORD=${ELASTIC_PASSWORD} @@ -142,6 +151,7 @@ services: restart: unless-stopped volumes: - certs:/usr/share/kibana/config/certs + - etc:/etc/elastic - kibana_data:/usr/share/kibana/data - kibana_logs:/usr/share/kibana/logs otelcol: @@ -243,6 +253,18 @@ services: command: bash bin/set-kibana-system-user-password.sh volumes: - certs:/usr/share/elasticsearch/config/certs + setup_kibana_keys: + command: bash /bin/generate-kibana-keys.sh + configs: + - mode: 0700 + source: generate-kibana-keys.sh + target: /bin/generate-kibana-keys.sh + container_name: "setup_kibana_keys" + hostname: host.docker.internal + image: pnnlmiscscripts/curl-jq + user: "0" + volumes: + - etc:/etc/elastic setup_universal_profiling: scale: 0 configs: diff --git a/config/kibana.yml b/config/kibana.yml index 6355a5e..a1b3537 100644 --- a/config/kibana.yml +++ b/config/kibana.yml 
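Review bot: The `cat /etc/elastic/kibana_encryption_keys.yml >> .../kibana.yml` step in the kibana `command` assumes the mounted `kibana.yml.base` ends with a newline; if it does not (the tail of config/kibana.yml is not visible in this patch), the first generated `xpack.*.encryptionKey:` line is glued onto the last line of the base file and Kibana either fails to parse its config or silently loses that key. Insert `printf '\n' >> /usr/share/kibana/config/kibana.yml &&` between the `cp` and the `cat`, or assemble the file in one step with `{ cat kibana.yml.base; echo; cat /etc/elastic/kibana_encryption_keys.yml; } > kibana.yml`. The rest of the kibana service definition continues outside the hunk.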
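Review bot: `setup_kibana_keys` runs the key generator as `user: "0"` in `pnnlmiscscripts/curl-jq`, pulled by an unpinned tag, with write access to the `etc` volume that the kibana service also mounts; the script needs only `dd` and `xxd` (as revised in the second patch), so pin the image by tag or digest (`image: pnnlmiscscripts/curl-jq@sha256:<DIGEST-PLACEHOLDER>`) and confirm that image actually ships `xxd`, which is not visible here. Because the keys file is written by root, whether the kibana process (uid 1000 in the official image — confirm) can read it depends on the image's default umask, and a 0644 file exposes the keys to every container sharing the `etc` volume; have the script set owner and mode explicitly after writing, e.g. `chown 1000:0 "$OUTPUT_FILE" && chmod 0640 "$OUTPUT_FILE"`. `hostname: host.docker.internal` looks copied from the sibling setup service and has no role for this job; consider dropping it.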
@@ -222,10 +222,8 @@ uiSettings.overrides: feature_flags.overrides: discover.cascadeLayoutEnabled: true -# Encryption settings -xpack.encryptedSavedObjects.encryptionKey: 0c4fb61f013d771f43d321e5b2484f4d -xpack.reporting.encryptionKey: 369ecfa55ee4b9e8c3d5481c6589287a -xpack.security.encryptionKey: 944c9b01e335cf7eebcda4413797f494 +# Encryption keys are generated at startup by the setup_kibana_keys service +# and appended to this config file. See scripts/generate-kibana-keys.sh. # Other xpack settings xpack.profiling.enabled: true diff --git a/scripts/generate-kibana-keys.sh b/scripts/generate-kibana-keys.sh new file mode 100644 index 0000000..d85c92b --- /dev/null +++ b/scripts/generate-kibana-keys.sh @@ -0,0 +1,22 @@ +#!/bin/bash +set -eo pipefail + +OUTPUT_FILE="/etc/elastic/kibana_encryption_keys.yml" + +if [ -f "$OUTPUT_FILE" ]; then + echo "Kibana encryption keys already exist at $OUTPUT_FILE, skipping." >&2 + exit 0 +fi + +# Generate three 32-character hex keys +KEY1=$(cat /dev/urandom | tr -dc 'a-f0-9' | head -c 32) +KEY2=$(cat /dev/urandom | tr -dc 'a-f0-9' | head -c 32) +KEY3=$(cat /dev/urandom | tr -dc 'a-f0-9' | head -c 32) + +cat > "$OUTPUT_FILE" <&2 From 8e7222295e3af863e0d4c86664dd1768b9910469 Mon Sep 17 00:00:00 2001 From: Nathan L Smith Date: Wed, 18 Feb 2026 13:15:09 -0600 Subject: [PATCH 2/2] Fix SIGPIPE error in key generation script Replace `cat /dev/urandom | tr | head` pipeline with `dd | xxd` to avoid SIGPIPE exit code 141 when used with `set -eo pipefail`. Co-Authored-By: Claude Opus 4.6 --- scripts/generate-kibana-keys.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/generate-kibana-keys.sh b/scripts/generate-kibana-keys.sh index d85c92b..b15ba84 100644 --- a/scripts/generate-kibana-keys.sh +++ b/scripts/generate-kibana-keys.sh 
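Review bot: Dropping the three hardcoded keys rotates the encryption keys on any existing deployment, and Kibana cannot decrypt saved objects (connector and alerting secrets) encrypted under the previous `xpack.encryptedSavedObjects.encryptionKey` once the key changes; the replacement comment should warn about this. Extend it with `# NOTE: on an existing deployment, keep the previous encryptedSavedObjects key under xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys until saved objects have been re-encrypted.` The comment also says the keys are appended to "this config file", but per compose.yaml the repo file is mounted as kibana.yml.base and the keys are appended to a copy inside the container; `# and appended to a copy of this file (/usr/share/kibana/config/kibana.yml) inside the container.` is more precise. The removed keys remain in git history and should be treated as public, which the generated replacement already addresses.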
@@ -9,9 +9,9 @@ if [ -f "$OUTPUT_FILE" ]; then fi # Generate three 32-character hex keys -KEY1=$(cat /dev/urandom | tr -dc 'a-f0-9' | head -c 32) -KEY2=$(cat /dev/urandom | tr -dc 'a-f0-9' | head -c 32) -KEY3=$(cat /dev/urandom | tr -dc 'a-f0-9' | head -c 32) +KEY1=$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | xxd -p) +KEY2=$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | xxd -p) +KEY3=$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | xxd -p) cat > "$OUTPUT_FILE" <