Add k8s keystore backend #18096
Signed-off-by: chrismark <[email protected]>
❕ Build Aborted
Pinging @elastic/integrations-platforms (Team:Platforms)
63b3095 to a0d1181
@urso thanks for reviewing here! I've pushed changes in your comments' direction. Let me know what you think. Also, documentation has been added/updated along with some basic tests. I plan to add more tests about this feature in follow-up PR since I need to update
LGTM, really cool feature.
Please check CI.
💔 Tests Failed
Failing jobs seem to be unrelated since they have been failing on master already.
(cherry picked from commit b772f2a)
What does this PR do?
This PR implements a new Keystore Backend, which is used to retrieve k8s secrets and use them in configurations provided by the hints-based autodiscover feature. Any hints-based configuration only has access to the secrets in the same namespace as the pod by which it was triggered.
We still need to decide if this keystore should be used along with the already used FileKeystore in static autodiscover configurations.
Why is it important?
This is important for the users so as to avoid having sensitive data on hints' configurations and being able to leverage k8s secrets for that purpose.
Checklist
CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.
How to test this PR locally
Test k8s keystore backend with hints autodiscover
Start metricbeat and ensure that Redis module is properly started and collecting metrics from the Redis server using the password provided via the k8s secret.
Use https://github.com/elastic/beats/blob/master/deploy/kubernetes/metricbeat-kubernetes.yaml but make sure that secrets is added in the list of resources in ClusterRole.
Redeploy redis Pod with a different password to check that it will fail to authenticate. Change:
--requirepass 'passpass2'
Test k8s keystore backend with static autodiscover templates
For Secret creation and Redis target pod use the steps from the previous scenario.
Test basic keystore with static autodiscover templates
passpass:
Related issues
cc: @exekias this one is still in progress and needs cleanups, docs and error handling but the approach is not expected to change.
TODOs:
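
The namespace restriction stated in the PR description above (a hints-based configuration can only read secrets from the namespace of the pod that triggered it), sketched as an added Go example that is not code from this PR. The kubernetes.<namespace>.<secret>.<field> reference format, the ScopedKeystore type, the error names and the in-memory store are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)
var (
	ErrBadRef   = errors.New("malformed secret reference")
	ErrDenied   = errors.New("secret is outside the pod's namespace")
	ErrNotFound = errors.New("secret or field not found")
)
// SecretStore stands in for the Kubernetes API: namespace -> secret -> field -> value.
type SecretStore map[string]map[string]map[string]string

// ScopedKeystore (hypothetical type) resolves references for one pod's namespace.
type ScopedKeystore struct {
	Namespace string
	Store     SecretStore
}

// sample is constructed data; the secret names and the token are made up.
var sample = SecretStore{
	"default":     {"redis-auth": {"password": "passpass"}},
	"kube-system": {"admin": {"token": "constructed-token"}},
}

// Retrieve resolves "kubernetes.<namespace>.<secret>.<field>" (assumed format).
func (k ScopedKeystore) Retrieve(ref string) (string, error) {
	p := strings.Split(ref, ".")
	if len(p) != 4 || p[0] != "kubernetes" || p[1] == "" || p[2] == "" || p[3] == "" {
		return "", ErrBadRef
	}
	// Scope check comes before any lookup, so a denied reference never reveals whether the secret exists.
	if p[1] != k.Namespace {
		return "", ErrDenied
	}
	v, ok := k.Store[p[1]][p[2]][p[3]]
	if !ok {
		return "", ErrNotFound
	}
	return v, nil
}

func main() {
	ks := ScopedKeystore{Namespace: "default", Store: sample}
	fmt.Println(ks.Retrieve("kubernetes.default.redis-auth.password"))
	fmt.Println(ks.Retrieve("kubernetes.kube-system.admin.token"))
}
```

The scope check in this sketch is the only barrier between namespaces: once secrets is in the ClusterRole resources, the service account itself can read secrets cluster-wide.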