
Cherry-pick #18096 to 7.x: Add k8s keystore backend #18774

Merged (2 commits), May 28, 2020

Conversation

ChrsMark (Member)

Cherry-pick of PR #18096 to 7.x branch. Original message:

What does this PR do?

This PR implements a new keystore backend, which is used to retrieve k8s secrets and use them in configurations provided by the hints-based autodiscover feature. Any hints-based configuration has access only to the secrets of the same namespace as the pod by which it was triggered.

We still need to decide if this keystore should be used along with the already used FileKeystore in static autodiscover configurations.

Why is it important?

This is important for users so as to avoid having sensitive data in hints' configurations and to be able to leverage k8s secrets for that purpose.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

Test k8s keystore backend with hints autodiscover

  1. Create the k8s secret:

```shell
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: somesecret
type: Opaque
data:
  value: $(echo -n "passpass" | base64)
EOF
```

  2. Start the Redis server as the hints autodiscover target:

```shell
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: redis
  labels:
    app: redis
spec:
  clusterIP: None
  ports:
  - name: web
    port: 6379
    protocol: TCP
  selector:
    app: redis
  type: ClusterIP
---
apiVersion: v1
kind: Pod
metadata:
  name: redis
  labels:
    role: main
    app: redis
  annotations:
    co.elastic.metrics/module: redis
    co.elastic.metrics/hosts: '${data.host}:6379'
    co.elastic.metrics/password: "${kubernetes.default.somesecret.value}"
spec:
  containers:
    - name: redis
      image: redis
      command:
        - redis-server
        - "--requirepass 'passpass'"
EOF
```

  3. Configure Metricbeat with hints autodiscover enabled:

```yaml
metricbeat.autodiscover:
  providers:
    - type: kubernetes
      node: ${NODE_NAME}
      hints.enabled: true
```

  4. Start Metricbeat and ensure that the Redis module is properly started and collecting metrics from the Redis server using the password provided via the k8s secret. Use https://github.com/elastic/beats/blob/master/deploy/kubernetes/metricbeat-kubernetes.yaml, but make sure that `secrets` is added to the list of resources in the ClusterRole.

  5. Redeploy the Redis pod with a different password to check that it will fail to authenticate. Change: --requirepass 'passpass2'

Test k8s keystore backend with static autodiscover templates

For Secret creation and Redis target pod use the steps from the previous scenario.

  1. Configure Metricbeat with static autodiscover templates:

```yaml
metricbeat.autodiscover:
  providers:
    - type: kubernetes
      node: ${NODE_NAME}
      templates:
        - condition:
            contains:
              kubernetes.pod.name: "redis"
          config:
            - module: redis
              hosts: "${data.host}:6379"
              password: "${kubernetes.default.somesecret.value}"
```

  2. Start Metricbeat and check that the Redis module successfully collects metrics.
  3. Deploy the Redis pod with a different password to make the metricset fail to authenticate.

Test basic keystore with static autodiscover templates

  1. Create the file keystore. Start the Redis pod with passpass:

```
./metricbeat keystore create
Created metricbeat keystore
./metricbeat keystore add REDIS_PASSWORD
Enter value for REDIS_PASSWORD:
Successfully updated the keystore
```

  2. Configure Metricbeat:

```yaml
metricbeat.autodiscover:
  providers:
    - type: kubernetes
      node: ${NODE_NAME}
      templates:
        - condition:
            contains:
              kubernetes.pod.name: "redis"
          config:
            - module: redis
              hosts: "${data.host}:6379"
              password: "${REDIS_PASSWORD}"
```

  3. Start Metricbeat and expect to see the module collect metrics.
  4. Try to start the Redis pod with a different password so as to make the metricset fail to collect metrics.

Related issues

cc: @exekias this one is still in progress and needs cleanups, docs and error handling but the approach is not expected to change.

TODOs:

  • Add docs
  • Add tests
  • Remove sensitive logging
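The same-namespace rule stated in the description, as an added example in Go (a hypothetical re-implementation written for this page, not the keystore code in the PR). It assumes a `kubernetes.<namespace>.<secret>.<key>` key layout inferred from the `${kubernetes.default.somesecret.value}` reference in the test steps, a constructed in-memory `SecretStore` standing in for the API server, and the names `K8sKeystore`, `Retrieve` and `ExpandHint` are invented here.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// SecretStore stands in for the Kubernetes API: namespace -> secret -> key -> base64 data (the manifest's "data:" section). Constructed for this example.
type SecretStore map[string]map[string]map[string]string

// K8sKeystore resolves "kubernetes.<namespace>.<secret>.<key>" references for a hint raised by a pod in PodNamespace. Hypothetical re-implementation, not Beats code.
type K8sKeystore struct {
	Store        SecretStore
	PodNamespace string
}

var (
	ErrMalformedKey    = errors.New("k8s keystore: key must be kubernetes.<namespace>.<secret>.<key>")
	ErrNamespaceDenied = errors.New("k8s keystore: secret namespace differs from the pod's namespace")
	ErrNotFound        = errors.New("k8s keystore: secret or key not found")
)

// Retrieve enforces the same-namespace rule before touching the store, so a pod's annotations can never pull a secret from another namespace.
func (k K8sKeystore) Retrieve(key string) (string, error) {
	parts := strings.Split(key, ".")
	if len(parts) != 4 || parts[0] != "kubernetes" {
		return "", ErrMalformedKey
	}
	ns, name, field := parts[1], parts[2], parts[3]
	if ns != k.PodNamespace {
		return "", ErrNamespaceDenied
	}
	encoded, ok := k.Store[ns][name][field] // indexing a nil inner map is safe in Go
	if !ok {
		return "", ErrNotFound
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", fmt.Errorf("k8s keystore: %s/%s[%s]: %w", ns, name, field, err)
	}
	return string(raw), nil
}

// ExpandHint resolves an annotation value of the form "${kubernetes.…}"; anything else (a literal, or ${data.host}, which autodiscover handles itself) passes through unchanged.
func (k K8sKeystore) ExpandHint(value string) (string, error) {
	if !strings.HasPrefix(value, "${kubernetes.") || !strings.HasSuffix(value, "}") {
		return value, nil
	}
	return k.Retrieve(value[2 : len(value)-1])
}

func main() {
	store := SecretStore{"default": {"somesecret": {"value": "cGFzc3Bhc3M="}}} // base64 of "passpass", as in the manifest above
	ks := K8sKeystore{Store: store, PodNamespace: "default"}
	fmt.Println(ks.ExpandHint("${kubernetes.default.somesecret.value}")) // passpass <nil>
	_, err := K8sKeystore{Store: store, PodNamespace: "monitoring"}.ExpandHint("${kubernetes.default.somesecret.value}")
	fmt.Println(err) // ErrNamespaceDenied: a pod in "monitoring" cannot read default/somesecret
}
```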

ChrsMark requested a review from a team as a code owner, May 27, 2020 13:43
botelastic bot added the needs_team label (indicates that the issue/PR needs a Team:* label), May 27, 2020
ChrsMark added the Team:Platforms label (Integrations - Platforms team), May 27, 2020

elasticmachine (Collaborator)

Pinging @elastic/integrations-platforms (Team:Platforms)

botelastic bot removed the needs_team label, May 27, 2020
ChrsMark self-assigned this, May 27, 2020

elasticmachine (Collaborator) commented May 27, 2020

💔 Build Failed

Build stats

  • Build Cause: [Pull request #18774 updated]
  • Start Time: 2020-05-28T07:16:47.623+0000
  • Duration: 78 min 29 sec

Test stats 🧪

Test Results: Failed 0, Passed 6639, Skipped 1053, Total 7692

Steps errors

  • Name: Integration tests
    • Description: MODULE=kubernetes make -C metricbeat integration-tests
    • Duration: 1 min 5 sec
    • Start Time: 2020-05-28T07:41:20.418+0000

@@ -295,6 +295,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add `urldecode` processor to for decoding URL-encoded fields. {pull}17505[17505]
- Add support for AWS IAM `role_arn` in credentials config. {pull}17658[17658] {issue}12464[12464]
- Add Kerberos support to Elasticsearch output. {pull}17927[17927]
- Add k8s keystore backend. {pull}18096[18096]
- Add support for fixed length extraction in `dissect` processor. {pull}17191[17191]
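Review bot: the hunk header counts two added lines (-295,6 +295,8) but only the `- Add k8s keystore backend. {pull}18096[18096]` entry is visible, so the second addition is a stray blank line, which is what the "Extra line here?" comment is pointing at; drop it so the changelog entries stay contiguous. Keeping `{pull}18096` (the original PR) rather than this backport's number is the right reference for a cherry-picked entry.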
Contributor


Extra line here?

return nil, errWrap(fmt.Errorf("no configs defined for autodiscover provider"))
}

builders, err := autodiscover.NewBuilders(config.Builders, nil)
builders, err := autodiscover.NewBuilders(config.Builders, nil, nil)
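Review bot: `autodiscover.NewBuilders` now takes a third positional argument that this call site fills with a bare `nil` next to the existing `nil`, so nothing at the call tells a reader which optional feature (presumably the keystore this PR adds) is being left unset, and each further optional feature widens the signature again. Consider a functional-options parameter or a small options struct with named fields so callers state what they opt into, which is the direction jsoriano's comment below also suggests.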
jsoriano (Member), May 28, 2020

Maybe we should start thinking in a different way of setting optional features in these autodiscover builders (and config mappers above).

ChrsMark (Member, Author)

Yeap, that would make sense!

@ChrsMark ChrsMark merged commit a6dd728 into elastic:7.x May 28, 2020
Labels: backport, review, Team:Platforms (Integrations - Platforms team)