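kibana:
  # Everything under `config` is rendered into kibana.yml for the Kibana pod.
  # The password, client_secret and cookie.password values are therefore
  # stored wherever the chart renders this block; check whether that is a
  # ConfigMap or a Secret before committing real values here, and prefer
  # injecting them from a secret store.
  config:
    elasticsearch:
      hosts:
        # Plain HTTP to the in-cluster client service: the basic-auth
        # credentials below travel unencrypted on the cluster network.
        - http://elasticsearch-opendistro-es-client-service:9200/
      requestTimeout: 90000
      username: kibanaserver
      # Must correspond to the hash stored for the kibanaserver user in
      # internal_users.yml (elasticsearch.securityConfig.config.data).
      password: <<Plaintext KibanaServer Password>>
      ssl:
        # this is inside the cluster
        # NOTE(review): this block only matters once hosts[] uses https://;
        # with verificationMode none the ES certificate is never validated.
        verificationMode: none
      requestHeadersWhitelist:
        - "securitytenant"
        - "Authorization"
    server:
      name: kibana
      # Bind all interfaces inside the pod so the Service can reach Kibana.
      host: "0"
      # 100 MiB request body limit.
      maxPayloadBytes: 104857600
    newsfeed:
      enabled: false
    telemetry:
      optIn: false
      enabled: false
    opendistro_security:
      auth:
        type: openid
      openid:
        connect_url: https://<<Keycloak URL>>/auth/realms/lagoon/.well-known/openid-configuration
        client_id: lagoon-opendistro-security
        client_secret: <<Copy ClientSecret for lagoon-opendistro-security from Keycloak>>
        base_redirect_url: https://<<Kibana URL>>
        scope: "profile email"
      cookie:
        # Key protecting the session cookie; rotate it together with any
        # credential compromise.
        password: <<Random 32 Characters>>
        # Kibana is only published through the TLS ingress below, so the
        # session cookie should carry the Secure attribute. Set this to
        # false only for deployments that serve Kibana over plain HTTP.
        secure: true
      multitenancy:
        enabled: true
        tenants:
          enable_global: true
          enable_private: false
  ingress:
    enabled: true
    annotations:
      kubernetes.io/tls-acme: "true"
    path: /
    hosts:
      - <<Kibana URL>>
    tls:
      - secretName: <<Kibana URL>>-tls
        hosts:
          - <<Kibana URL>>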
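elasticsearch:
  client:
    replicas: 3
    resources:
      limits:
        cpu: 1
        memory: 1Gi
      requests:
        cpu: 1
        memory: 1Gi
    # Heap pinned to roughly half of the 1Gi limit. formatMsgNoLookups
    # disables Log4j 2 message lookups as a stop-gap against the JNDI
    # lookup vulnerability; it is not a complete fix on every Log4j
    # version, so an image/Log4j upgrade remains the real remediation.
    javaOpts: "-Xms500m -Xmx500m -Dlog4j2.formatMsgNoLookups=true"
    podDisruptionBudget:
      enabled: true
      # With 3 replicas a minAvailable of 3 rejects every voluntary
      # eviction (node drains hang); 2 allows one pod down at a time.
      minAvailable: 2
    ingress:
      enabled: true
      annotations:
        kubernetes.io/tls-acme: "true"
      path: /
      hosts:
        - <<Elasticsearch URL>>
      tls:
        - secretName: <<Elasticsearch URL>>-tls
          hosts:
            - <<Elasticsearch URL>>
  master:
    replicas: 3
    resources:
      limits:
        cpu: 1
        memory: 1Gi
      requests:
        cpu: 1
        memory: 1Gi
    # See the note on client.javaOpts.
    javaOpts: "-Xms500m -Xmx500m -Dlog4j2.formatMsgNoLookups=true"
    podDisruptionBudget:
      enabled: true
      # Quorum of 3 masters is 2; keeping 2 lets one master be drained
      # without losing the cluster (3 would block all evictions).
      minAvailable: 2
  data:
    replicas: 3
    persistence:
      size: 10Gi
    resources:
      limits:
        cpu: 1
        memory: 1Gi
      requests:
        cpu: 1
        memory: 1Gi
    # See the note on client.javaOpts.
    javaOpts: "-Xms500m -Xmx500m -Dlog4j2.formatMsgNoLookups=true"
    podDisruptionBudget:
      enabled: true
      # The previous value (8) exceeded replicas (3) and could never be
      # satisfied, so every eviction was blocked; 2 tolerates one pod down.
      minAvailable: 2
  ssl:
    transport:
      # Secret holding the node-to-node (transport) certificate; the
      # *SubPath values are presumably the item names inside that Secret.
      existingCertSecret: "opendistro-es-transport-cert"
      existingCertSecretCertSubPath: es-transport-crt.pem
      existingCertSecretKeySubPath: es-transport-key.pem
      existingCertSecretRootCASubPath: es-transport-ca.pem
    admin:
      enabled: true
      # Admin client certificate for securityadmin; its subject must match
      # config.opendistro_security.authcz.admin_dn below.
      existingCertSecret: "opendistro-es-admin-cert"
      existingCertSecretCertSubPath: es-admin-crt.pem
      existingCertSecretKeySubPath: es-admin-key.pem
      existingCertSecretRootCASubPath: es-admin-ca.pem
  # opendistro-security specific config
  # https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/yaml/
  securityConfig:
    enabled: true
    path: "/usr/share/elasticsearch/plugins/opendistro_security/securityconfig"
    config:
      securityConfigSecret: "security-config"
      # Each key below becomes one file of the security plugin's initial
      # configuration (see allow_default_init_securityindex further down).
      data:
        config.yml: |
          _meta:
            type: "config"
            config_version: 2
          config:
            dynamic:
              # Forbidden index access is filtered out of results instead of
              # returning an error; this hides authorization denials from
              # the caller, so rely on the audit log to see them.
              do_not_fail_on_forbidden: true
              authc:
                basic_internal_auth_domain:
                  order: 0
                  http_authenticator:
                    type: basic
                    challenge: false
                  authentication_backend:
                    # internal_users.yml
                    type: internal
                openid_auth_domain:
                  order: 1
                  http_authenticator:
                    type: openid
                    challenge: false
                    config:
                      subject_key: preferred_username
                      # OIDC claim that carries backend roles; roles_mapping.yml
                      # below maps its values to security roles.
                      roles_key: groups
                      openid_connect_url: https://<<Keycloak URL>>/auth/realms/lagoon/.well-known/openid-configuration
                  authentication_backend:
                    # already authenticated via oidc
                    type: noop
        # See /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh
        internal_users.yml: |
          _meta:
            type: "internalusers"
            config_version: 2
          admin:
            reserved: true
            hash: "<<Hashed Admin Password>>"
            backend_roles:
              - admin
          kibanaserver:
            reserved: true
            # Hash of the plaintext configured in kibana.config.elasticsearch.password.
            hash: "<<Hashed KibanaServer Password>>"
        roles_mapping.yml: |
          _meta:
            type: "rolesmapping"
            config_version: 2
          # this gives access to opendistro-security management
          all_access:
            backend_roles:
              - admin
              - platform-owner
          kibana_server:
            reserved: true
            users:
              - kibanaserver
          # '*' grants kibana_user to every authenticated user, including every
          # account in the OIDC realm that can complete a login.
          kibana_user:
            users:
              - '*'
        action_groups.yml: |
          _meta:
            type: "actiongroups"
            config_version: 2
        roles.yml: |
          _meta:
            type: "roles"
            config_version: 2
          # Restrict users so they can only view visualization and dashboard on kibana
          kibana_read_only:
            reserved: true
          # The security REST API access role is used to assign specific users access to change the security settings through the REST API.
          security_rest_api_access:
            reserved: true
          # Allows users to view alerts
          alerting_view_alerts:
            reserved: true
            index_permissions:
              - index_patterns:
                  - ".opendistro-alerting-alert*"
                allowed_actions:
                  - read
          # Allows users to view and acknowledge alerts
          alerting_crud_alerts:
            reserved: true
            index_permissions:
              - index_patterns:
                  - ".opendistro-alerting-alert*"
                allowed_actions:
                  - crud
          # Allows users to use all alerting functionality
          alerting_full_access:
            reserved: true
            index_permissions:
              - index_patterns:
                  - ".opendistro-alerting-config"
                  - ".opendistro-alerting-alert*"
                allowed_actions:
                  - crud
        tenants.yml: |
          _meta:
            type: "tenants"
            config_version: 2
          admin_tenant:
            reserved: false
            description: "Tenant for admin user"
        nodes_dn.yml: |
          _meta:
            type: "nodesdn"
            config_version: 2
  # general elasticsearch config
  # https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/elasticsearch.yml.example
  # https://www.elastic.co/guide/en/elasticsearch/reference/current/important-settings.html
  # https://www.elastic.co/guide/en/elasticsearch/reference/current/settings.html
  config:
    opendistro_security:
      # bootstrap the .opendistro_security index using the config given in
      # elasticsearch.securityConfig.config.data.
      # This will not overwrite an existing .opendistro_security index.
      # https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/security-admin/
      allow_default_init_securityindex: true
      # This is checked by ES when you attempt to use the admin certs.
      # https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/security-admin/
      authcz:
        admin_dn:
          - "CN=admin.elasticsearch.svc.cluster.local"
      # this is checked by the nodes for transport TLS
      nodes_dn:
        - 'CN=node.elasticsearch.svc.cluster.local'
      # TLS is mandatory for transport traffic (node <-> node).
      ssl:
        transport:
          # NOTE(review): these are the in-container file names the chart is
          # expected to mount the ssl.transport Secret items under — confirm
          # they match the chart's mount paths.
          pemcert_filepath: elk-transport-crt.pem
          pemkey_filepath: elk-transport-key.pem
          pemtrustedcas_filepath: elk-transport-root-ca.pem
          # TODO use hostname verification
          # Until then any certificate signed by the trusted CA is accepted
          # regardless of which node presents it; nodes_dn above is the only
          # identity check on the transport layer.
          enforce_hostname_verification: false
          resolve_hostname: false
      # https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/elasticsearch.yml.example#L27
      # Roles are resolved from both backend roles and direct user mappings.
      roles_mapping_resolution: BOTH
      restapi:
        # Roles allowed to change the security configuration via the REST API.
        roles_enabled:
          - all_access
          - security_rest_api_access
      # https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/elasticsearch.yml.example
      #enable_snapshot_restore_privilege: true
      #check_snapshot_restore_write_privileges: true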