28 changes: 25 additions & 3 deletions compose.yaml
Expand Up @@ -25,6 +25,8 @@ configs:
file: scripts/create-api-key.sh
create-certs.sh:
file: scripts/create-certs.sh
generate-kibana-keys.sh:
file: scripts/generate-kibana-keys.sh
elasticsearch.yml:
file: config/elasticsearch.yml
kibana.yml:
Expand Down Expand Up @@ -107,23 +109,30 @@ services:
- esdata:/usr/share/elasticsearch/data
- eslogs:/usr/share/elasticsearch/logs
kibana:
# TODO generate encryption keys
command: >
sh -c '
cp /usr/share/kibana/config/kibana.yml.base /usr/share/kibana/config/kibana.yml &&
cat /etc/elastic/kibana_encryption_keys.yml >> /usr/share/kibana/config/kibana.yml &&
/usr/local/bin/kibana-docker
'
configs:
- source: kibana.yml
target: /usr/share/kibana/config/kibana.yml
target: /usr/share/kibana/config/kibana.yml.base
- source: node.options
target: /usr/share/kibana/config/node.options
container_name: kibana
depends_on:
elasticsearch:
condition: service_healthy
setup_kibana_keys:
condition: service_completed_successfully
setup_kibana_user:
condition: service_completed_successfully
develop:
watch:
- action: sync+restart
path: config/kibana.yml
target: /usr/share/kibana/config/kibana.yml
target: /usr/share/kibana/config/kibana.yml.base
environment:
- ELASTICSEARCH_HOSTS=https://elasticsearch:${ES_PORT}
- ELASTICSEARCH_PASSWORD=${ELASTIC_PASSWORD}
Expand All @@ -142,6 +151,7 @@ services:
restart: unless-stopped
volumes:
- certs:/usr/share/kibana/config/certs
- etc:/etc/elastic
- kibana_data:/usr/share/kibana/data
- kibana_logs:/usr/share/kibana/logs
otelcol:
Expand Down Expand Up @@ -243,6 +253,18 @@ services:
command: bash bin/set-kibana-system-user-password.sh
volumes:
- certs:/usr/share/elasticsearch/config/certs
setup_kibana_keys:
command: bash /bin/generate-kibana-keys.sh
configs:
- mode: 0700
source: generate-kibana-keys.sh
target: /bin/generate-kibana-keys.sh
container_name: "setup_kibana_keys"
hostname: host.docker.internal
image: pnnlmiscscripts/curl-jq
user: "0"
volumes:
- etc:/etc/elastic
setup_universal_profiling:
scale: 0
configs:
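Review bot: The `setup_kibana_keys` service generates the secrets that protect every Kibana encrypted saved object, but it does so as root (`user: "0"`) in an unpinned third-party image (`image: pnnlmiscscripts/curl-jq`) that must also ship bash, dd and xxd for the script to run; pin the image by digest, or run the script in the image the neighbouring setup services use (not visible in this diff), and drop `hostname: host.docker.internal`, which this service has no visible need for. The kibana `command` appends the key file with `cat ... >>`, so if `kibana.yml.base` does not end in a newline the first key line is fused onto the last config line; adding `printf '\n' >> /usr/share/kibana/config/kibana.yml &&` before the `cat` removes that dependency. Both services mount an `etc` volume whose top-level declaration is not in this diff; if it is new it needs an entry under `volumes:`, and since the keys live only there, removing that volume makes existing encrypted saved objects unrecoverable, which deserves a comment next to the mount.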
6 changes: 2 additions & 4 deletions config/kibana.yml
Expand Up @@ -222,10 +222,8 @@ uiSettings.overrides:
feature_flags.overrides:
discover.cascadeLayoutEnabled: true

# Encryption settings
xpack.encryptedSavedObjects.encryptionKey: 0c4fb61f013d771f43d321e5b2484f4d
xpack.reporting.encryptionKey: 369ecfa55ee4b9e8c3d5481c6589287a
xpack.security.encryptionKey: 944c9b01e335cf7eebcda4413797f494
# Encryption keys are generated at startup by the setup_kibana_keys service
# and appended to this config file. See scripts/generate-kibana-keys.sh.

# Other xpack settings
xpack.profiling.enabled: true
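Review bot: Dropping the hard-coded keys here breaks any existing deployment whose `kibana_data` volume already holds saved objects encrypted under them, because Kibana cannot decrypt those with the freshly generated `xpack.encryptedSavedObjects.encryptionKey`; for such deployments the previous key should be carried under `xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys` until the objects have been re-encrypted, and the removed keys should be treated as compromised since they remain in git history. The new comment is also slightly misleading: nothing is appended to this file in the repo, the keys go into the runtime copy assembled by the kibana container's start command. Suggested wording: `# Encryption keys are generated once by the setup_kibana_keys service and appended to the runtime copy of this file (kibana.yml.base -> kibana.yml) when the kibana container starts. See scripts/generate-kibana-keys.sh.`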
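--- /dev/null
+++ b/scripts/generate-kibana-keys.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+set -eo pipefail
+
+OUTPUT_FILE="/etc/elastic/kibana_encryption_keys.yml"
+
+if [ -f "$OUTPUT_FILE" ]; then
+echo "Kibana encryption keys already exist at $OUTPUT_FILE, skipping." >&2
+exit 0
+fi
+
+# Generate three 32-character hex keys
+KEY1=$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | xxd -p)
+KEY2=$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | xxd -p)
+KEY3=$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | xxd -p)
+
+cat > "$OUTPUT_FILE" <<EOF
+xpack.encryptedSavedObjects.encryptionKey: ${KEY1}
+xpack.reporting.encryptionKey: ${KEY2}
+xpack.security.encryptionKey: ${KEY3}
+EOF
+
+echo "Kibana encryption keys generated and written to $OUTPUT_FILE" >&2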
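Review bot: The key file is created with the container's default umask via `cat > "$OUTPUT_FILE"`, so it is readable by any uid in every container that mounts the `etc` volume, and it is written in place, so an interrupted run can leave a truncated file that the existence check on the next run treats as complete. Set `umask 077` before writing, write to a temporary file and `mv` it into place, and chown it to the uid the Kibana process runs as (1000 in the official image — confirm for this deployment), because the setup service runs as root and a 0600 root-owned file would otherwise be unreadable by Kibana. `xxd` is not POSIX and is absent from many minimal images; `od -An -tx1 -N16 /dev/urandom | tr -d ' \n'` yields the same 32 hex characters, which is exactly Kibana's documented minimum key length, and `set -u` is missing from the `set` line. The rewritten section follows.
```shell
set -euo pipefail

OUTPUT_FILE="/etc/elastic/kibana_encryption_keys.yml"
# Keys are generated once and reused: losing this file (e.g. removing the
# `etc` volume) makes existing encrypted saved objects unrecoverable.

# … unchanged: skip when the file already exists …

# Keep the secrets out of world-readable files from the moment they are written.
umask 077

# POSIX-portable replacement for xxd; 16 random bytes -> 32 hex chars (Kibana minimum).
gen_key() { od -An -tx1 -N16 /dev/urandom | tr -d ' \n'; }
KEY1=$(gen_key)
KEY2=$(gen_key)
KEY3=$(gen_key)

# Write to a temp file and rename so a partial file is never left in place.
TMP_FILE="${OUTPUT_FILE}.tmp"
cat > "$TMP_FILE" <<EOF
xpack.encryptedSavedObjects.encryptionKey: ${KEY1}
xpack.reporting.encryptionKey: ${KEY2}
xpack.security.encryptionKey: ${KEY3}
EOF
# TODO(review): confirm the uid the Kibana container runs as (1000 in the official image).
chown 1000:1000 "$TMP_FILE"
mv "$TMP_FILE" "$OUTPUT_FILE"

# … unchanged: completion message …
```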