-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cherry-pick #18096 to 7.x: Add k8s keystore backend #18774
Conversation
(cherry picked from commit b772f2a)
Pinging @elastic/integrations-platforms (Team:Platforms) |
💔 Build FailedExpand to view the summary
Build stats
Test stats 🧪
Steps errorsExpand to view the steps failures
Log outputExpand to view the last 100 lines of log output
|
CHANGELOG.next.asciidoc
Outdated
@@ -295,6 +295,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d | |||
- Add `urldecode` processor to for decoding URL-encoded fields. {pull}17505[17505] | |||
- Add support for AWS IAM `role_arn` in credentials config. {pull}17658[17658] {issue}12464[12464] | |||
- Add Kerberos support to Elasticsearch output. {pull}17927[17927] | |||
- Add k8s keystore backend. {pull}18096[18096] | |||
- Add support for fixed length extraction in `dissect` processor. {pull}17191[17191] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Extra line here?
return nil, errWrap(fmt.Errorf("no configs defined for autodiscover provider")) | ||
} | ||
|
||
builders, err := autodiscover.NewBuilders(config.Builders, nil) | ||
builders, err := autodiscover.NewBuilders(config.Builders, nil, nil) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we should start thinking in a different way of setting optional features in these autodiscover builders (and config mappers above).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeap, that would make sense!
Cherry-pick of PR #18096 to 7.x branch. Original message:
What does this PR do?
This PR implements a new Keystore Backend, which is used to retrieve k8s secrets and use them in configurations provided by hints-based autodiscover feature. Any hints based configuration has only access to the secrets of the same namespace of the pod by which was triggered.
We still need to decide if this keystone should be used along with the already used FileKeystore in static autodiscover configurations.
Why is it important?
This is important for the users so as to avoid having sensitive data on hints' configurations and being able to leverage k8s secrets for that purpose.
Checklist
CHANGELOG.next.asciidoc
orCHANGELOG-developer.next.asciidoc
.How to test this PR locally
Test k8s keystore backend with hints autodiscover
Start metricbeat and ensure that Redis module is properly started and collecting metrics from the Redis server using the password provided via the k8s secret.
Use
https://github.com/elastic/beats/blob/master/deploy/kubernetes/metricbeat-kubernetes.yaml
but make sure thatsecrets
is added in the list ofresources
inClusterRole
.Redeploy redis Pod with a different password to check that it will fail to authenticate. Change:
--requirepass 'passpass2'
Test k8s keystore backend with static autodiscover templates
For Secret creation and Redis target pod use the steps from the previous scenario.
Test basic keystore with static autodiscover templates
passpass
:Related issues
cc: @exekias this one is still in progress and needs cleanups, docs and error handling but the approach is not expected to change.
TODOs: