@Schnitzel
Last active December 10, 2021 21:58
# Helm-style values for an Open Distro for Elasticsearch deployment: Kibana
# plus an Elasticsearch cluster (client / master / data), with OpenID Connect
# login against Keycloak and the security plugin bootstrapped from the inline
# files under elasticsearch.securityConfig. Every `<<...>>` token is a
# placeholder to fill in before install.
# NOTE(review): the filled-in copy holds the kibanaserver password, the OIDC
# client secret and the cookie secret in clear text. Inject those at install
# time (e.g. from a secret store) rather than committing them with this file.
kibana:
  # Rendered into kibana.yml.
  config:
    elasticsearch:
      # Plain http:// to the in-cluster client service, so the basic-auth
      # credentials below cross that hop unencrypted. NOTE(review): if the ES
      # REST port is (or becomes) TLS, switch to https:// and raise
      # verificationMode accordingly.
      hosts:
        - http://elasticsearch-opendistro-es-client-service:9200/
      requestTimeout: 90000
      # Service account Kibana itself uses; it matches the `kibanaserver`
      # entry in internal_users.yml further down.
      username: kibanaserver
      password: <<Plaintext KibanaServer Password>>
      ssl:
        # this is inside the cluster
        # NOTE(review): has no effect while hosts is http://; it only matters
        # once the hop is moved to https, and should then not stay `none`.
        verificationMode: none
      # Headers Kibana forwards to Elasticsearch: the tenant selector for
      # multitenancy and the Authorization header for the OpenID flow.
      requestHeadersWhitelist:
        - "securitytenant"
        - "Authorization"
    server:
      name: kibana
      # "0" = listen on all interfaces inside the pod; quoted so it stays a
      # string rather than the integer 0.
      host: "0"
      maxPayloadBytes: 104857600
    newsfeed:
      enabled: false
    telemetry:
      optIn: false
      enabled: false
    # Settings for the opendistro_security Kibana plugin.
    opendistro_security:
      auth:
        type: openid
      openid:
        connect_url: https://<<Keycloak URL>>/auth/realms/lagoon/.well-known/openid-configuration
        client_id: lagoon-opendistro-security
        client_secret: <<Copy ClientSecret for lagoon-opendistro-security from Keycloak>>
        base_redirect_url: https://<<Kibana URL>>
        scope: "profile email"
      cookie:
        # Secret protecting the Kibana session cookie; generate it randomly and
        # keep it out of version control.
        password: <<Random 32 Characters>>
        # NOTE(review): quoted string where the other flags are bare booleans.
        # The ingress below terminates TLS, so once the whole path is https
        # this should become `secure: true`; as written, the session cookie may
        # also be sent over plain HTTP.
        secure: 'false'
      multitenancy:
        enabled: true
        tenants:
          enable_global: true
          enable_private: false
  ingress:
    enabled: true
    annotations:
      kubernetes.io/tls-acme: "true"
    path: /
    hosts:
      - <<Kibana URL>>
    tls:
      - secretName: <<Kibana URL>>-tls
        hosts:
          - <<Kibana URL>>
elasticsearch:
  client:
    replicas: 3
    resources:
      limits:
        cpu: 1
        memory: 1Gi
      requests:
        cpu: 1
        memory: 1Gi
    # Heap pinned at 500m inside the 1Gi limit. formatMsgNoLookups disables
    # log4j2 message lookups (JNDI); treat it as interim hardening and confirm
    # the image ships a patched log4j rather than relying on the flag alone.
    javaOpts: "-Xms500m -Xmx500m -Dlog4j2.formatMsgNoLookups=true"
    podDisruptionBudget:
      enabled: true
      # NOTE(review): minAvailable equals replicas, so no voluntary eviction
      # (node drain) of a client pod can ever proceed; lower it or use
      # maxUnavailable if drains are expected.
      minAvailable: 3
    # Public REST endpoint; the ES side of the ingress is TLS-terminated here,
    # while the in-cluster hop from Kibana stays plain http (see above).
    ingress:
      enabled: true
      annotations:
        kubernetes.io/tls-acme: "true"
      path: /
      hosts:
        - <<Elasticsearch URL>>
      tls:
        - secretName: <<Elasticsearch URL>>-tls
          hosts:
            - <<Elasticsearch URL>>
  master:
    replicas: 3
    resources:
      limits:
        cpu: 1
        memory: 1Gi
      requests:
        cpu: 1
        memory: 1Gi
    # Same heap sizing and log4j2 lookup hardening as the client tier.
    javaOpts: "-Xms500m -Xmx500m -Dlog4j2.formatMsgNoLookups=true"
    podDisruptionBudget:
      enabled: true
      # NOTE(review): same caveat as the client PDB — equals replicas, so
      # drains are blocked.
      minAvailable: 3
  data:
    replicas: 3
    persistence:
      size: 10Gi
    resources:
      limits:
        cpu: 1
        memory: 1Gi
      requests:
        cpu: 1
        memory: 1Gi
    # Same heap sizing and log4j2 lookup hardening as the client tier.
    javaOpts: "-Xms500m -Xmx500m -Dlog4j2.formatMsgNoLookups=true"
    podDisruptionBudget:
      enabled: true
      # NOTE(review): 8 exceeds the 3 data replicas above — looks like a
      # carry-over from a larger sizing. A PDB that can never be satisfied
      # blocks every voluntary eviction; confirm the intended value.
      minAvailable: 8
  # Certificates come from pre-existing Secrets rather than being generated by
  # the chart. The `elk-transport-*.pem` names referenced under
  # elasticsearch.config below are presumably the chart's fixed mount names
  # for these subPaths — confirm against the chart template.
  ssl:
    transport:
      existingCertSecret: "opendistro-es-transport-cert"
      existingCertSecretCertSubPath: es-transport-crt.pem
      existingCertSecretKeySubPath: es-transport-key.pem
      existingCertSecretRootCASubPath: es-transport-ca.pem
    # The private key in this Secret is a full security admin (see
    # authcz.admin_dn under elasticsearch.config); restrict who can read the
    # Secret with RBAC.
    admin:
      enabled: true
      existingCertSecret: "opendistro-es-admin-cert"
      existingCertSecretCertSubPath: es-admin-crt.pem
      existingCertSecretKeySubPath: es-admin-key.pem
      existingCertSecretRootCASubPath: es-admin-ca.pem
  # opendistro-security specific config
  # https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/yaml/
  # The files under config.data are written into the securityconfig directory
  # and used to initialise the .opendistro_security index on first start (see
  # allow_default_init_securityindex below). An index that already exists is
  # left untouched, so later edits have to be pushed with the security-admin
  # tool.
  securityConfig:
    enabled: true
    path: "/usr/share/elasticsearch/plugins/opendistro_security/securityconfig"
    config:
      securityConfigSecret: "security-config"
      data:
        # Two auth domains: internal users (order 0), then OpenID (order 1).
        # Both have challenge: false, so an unauthenticated request is
        # rejected without a WWW-Authenticate prompt. do_not_fail_on_forbidden
        # returns the readable subset instead of a 403 when a query touches
        # indices the user is not allowed to see.
        config.yml: |
          _meta:
            type: "config"
            config_version: 2
          config:
            dynamic:
              do_not_fail_on_forbidden: true
              authc:
                basic_internal_auth_domain:
                  order: 0
                  http_authenticator:
                    type: basic
                    challenge: false
                  authentication_backend:
                    # internal_users.yml
                    type: internal
                openid_auth_domain:
                  order: 1
                  http_authenticator:
                    type: openid
                    challenge: false
                    config:
                      subject_key: preferred_username
                      roles_key: groups
                      openid_connect_url: https://<<Keycloak URL>>/auth/realms/lagoon/.well-known/openid-configuration
                  authentication_backend:
                    # already authenticated via oidc
                    type: noop
        # See /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh
        # Only the hash.sh output belongs here, never the plaintext password.
        # `admin` gets the `admin` backend role (→ all_access below);
        # `kibanaserver` is the account Kibana connects with.
        internal_users.yml: |
          _meta:
            type: "internalusers"
            config_version: 2
          admin:
            reserved: true
            hash: "<<Hashed Admin Password>>"
            backend_roles:
              - admin
          kibanaserver:
            reserved: true
            hash: "<<Hashed KibanaServer Password>>"
        # all_access (full security management) goes to the `admin` internal
        # user and to anyone whose OpenID `groups` claim contains
        # `platform-owner`. NOTE(review): kibana_user is mapped to every user
        # (`'*'`), so any account the Keycloak realm authenticates can open
        # Kibana — confirm that is the intended audience.
        roles_mapping.yml: |
          _meta:
            type: "rolesmapping"
            config_version: 2
          # this gives access to opendistro-security management
          all_access:
            backend_roles:
              - admin
              - platform-owner
          kibana_server:
            reserved: true
            users:
              - kibanaserver
          kibana_user:
            users:
              - '*'
        # No custom action groups; only the mandatory _meta header.
        action_groups.yml: |
          _meta:
            type: "actiongroups"
            config_version: 2
        # kibana_read_only and security_rest_api_access carry no permissions
        # here; they are marker roles referenced by name (the latter in
        # restapi.roles_enabled below). The alerting_* roles scope access to
        # the .opendistro-alerting-* indices only.
        roles.yml: |
          _meta:
            type: "roles"
            config_version: 2
          # Restrict users so they can only view visualization and dashboard on kibana
          kibana_read_only:
            reserved: true
          # The security REST API access role is used to assign specific users access to change the security settings through the REST API.
          security_rest_api_access:
            reserved: true
          # Allows users to view alerts
          alerting_view_alerts:
            reserved: true
            index_permissions:
              - index_patterns:
                  - ".opendistro-alerting-alert*"
                allowed_actions:
                  - read
          # Allows users to view and acknowledge alerts
          alerting_crud_alerts:
            reserved: true
            index_permissions:
              - index_patterns:
                  - ".opendistro-alerting-alert*"
                allowed_actions:
                  - crud
          # Allows users to use all alerting functionality
          alerting_full_access:
            reserved: true
            index_permissions:
              - index_patterns:
                  - ".opendistro-alerting-config"
                  - ".opendistro-alerting-alert*"
                allowed_actions:
                  - crud
        # Single non-reserved tenant; global tenant is enabled via the Kibana
        # multitenancy block above, private tenants are off.
        tenants.yml: |
          _meta:
            type: "tenants"
            config_version: 2
          admin_tenant:
            reserved: false
            description: "Tenant for admin user"
        # Empty on purpose; node DNs are supplied statically via nodes_dn in
        # elasticsearch.config below.
        nodes_dn.yml: |
          _meta:
            type: "nodesdn"
            config_version: 2
  # general elasticsearch config
  # https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/elasticsearch.yml.example
  # https://www.elastic.co/guide/en/elasticsearch/reference/current/important-settings.html
  # https://www.elastic.co/guide/en/elasticsearch/reference/current/settings.html
  config:
    opendistro_security:
      # bootstrap the .opendistro_security index using the config given in
      # elasticsearch.securityConfig.config.data.
      # This will not overwrite an existing .opendistro_security index.
      # https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/security-admin/
      allow_default_init_securityindex: true
      # This is checked by ES when you attempt to use the admin certs.
      # https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/security-admin/
      # Any client certificate with exactly this subject, signed by the trusted
      # CA, is treated as a security admin — keep the matching key (the
      # opendistro-es-admin-cert Secret) tightly controlled.
      authcz:
        admin_dn:
          - "CN=admin.elasticsearch.svc.cluster.local"
      # this is checked by the nodes for transport TLS
      # Only certificates with this subject are accepted as cluster nodes.
      nodes_dn:
        - 'CN=node.elasticsearch.svc.cluster.local'
      # TLS is mandatory for transport traffic (node <-> node).
      ssl:
        transport:
          pemcert_filepath: elk-transport-crt.pem
          pemkey_filepath: elk-transport-key.pem
          pemtrustedcas_filepath: elk-transport-root-ca.pem
          # TODO use hostname verification
          # NOTE(review): with verification off, a node certificate is
          # accepted from any host as long as the CA and nodes_dn checks pass.
          enforce_hostname_verification: false
          resolve_hostname: false
      # https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/elasticsearch.yml.example#L27
      # BOTH = roles are resolved from roles_mapping.yml and from the backend
      # roles the auth backend supplies (here the OpenID `groups` claim).
      roles_mapping_resolution: BOTH
      # Only these roles may call the security REST API.
      restapi:
        roles_enabled:
          - all_access
          - security_rest_api_access
      # https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/elasticsearch.yml.example
      #enable_snapshot_restore_privilege: true
      #check_snapshot_restore_write_privileges: true