Add KibanaRef to Beats and support setup.kibana #3211
Conversation
pebrc
force-pushed
the
add-kibana-ref-beats
branch
from
ce20b9a to
b266156
Compare
There was a problem hiding this comment.
Nice! Did a first pass, just some nits. I'd do consider moving adding the config to the common part. I gave it a spin and I have two observations:
- unfortunately, Beat crashes if it can't reach Kibana (which is a common case since it starts up much faster)
- Filbebeat doesn't seem to have any useful dashboards for just plain logging
| @@ -24,3 +28,14 @@ processors: | |||
| - add_host_metadata: {} | |||
| `)) | |||
| ) | |||
|
|
|||
| func (d *Driver) configParams() (common.DefaultConfigs, error) { | |||
| kibanaConfig, err := common.BuildKibanaConfig(d.Client, v1beta1.BeatKibanaAssociation{Beat: &d.Beat}) | |||
There was a problem hiding this comment.
I think all Beats support that, that's at least what's there in their reference yamls (heartbeat, auditbeat, journalbeat, packetbeat). I think I'd assume we can just add it to the config for any other beat too. If it's supported it will likely follow the established pattern, if not, it will be ignored.
There was a problem hiding this comment.
That was my initial assumption as well also my initial implementation. I tried it with Heartbeat and it did not go well, meaning Heartbeat terminated when the Kibana config was in place. I did not look at the reference.yaml but the written documentation and saw that it is only mentioned in the Metricbeat, Filebeat and Auditbeat docs. The fact that it is actually also in all the other reference YAMLs means I will repeat the test once more to double check that my initial observation is correct.
There was a problem hiding this comment.
So take Heartbeat as an example: while it supports the settings in general, it does not come with dashboards to install and fails subsequently when not finding any stored objects to install into Kibana:
2020-06-10T12:46:32.632Z ERROR instance/beat.go:932 Exiting: Error importing Kibana dashboards: fail to import the dashboards in Kibana: Error importing directory /usr/share/heartbeat/kibana: No directory /usr/share/heartbeat/kibana/7
There was a problem hiding this comment.
Seems like (see below):
- filebeat, metricbeat, auditbeat, packetbeat have dashboards
- journalbeat has index patterns
- heartbeat doesn't have anything
$ cat beats | while read BEAT; do docker run --rm --entrypoint bash "docker.elastic.co/beats/$BEAT:7.7.0" -c "ls -laR /usr/share/$BEAT/kibana"; done
...
/usr/share/filebeat/kibana/7/dashboard:
total 1204
drwxr-x--- 1 root filebeat 4096 May 12 00:56 .
drwxr-x--- 1 root filebeat 4096 May 12 00:56 ..
-rw-r----- 1 root filebeat 18520 May 12 00:56 749203a0-67b1-11ea-a76f-bf44814e437d.json
-rw-r----- 1 root filebeat 10270 May 12 00:56 Coredns-Overview-Dashboard.json
-rw-r----- 1 root filebeat 23030 May 12 00:56 Filebeat-Cisco-ASA.json
...
/usr/share/metricbeat/kibana/7/dashboard:
total 1888
drwxr-x--- 1 root metricbeat 4096 May 12 01:02 .
drwxr-x--- 1 root metricbeat 4096 May 12 01:02 ..
-rw-r----- 1 root metricbeat 19152 May 12 01:02 Metricbeat-Host-Services-overview.json
-rw-r----- 1 root metricbeat 35650 May 12 01:02 Metricbeat-Oracle-overview.json...
...
/usr/share/journalbeat/kibana/default/index-pattern:
total 16
drwxr-x--- 1 root journalbeat 4096 May 12 00:30 .
drwxr-x--- 1 root journalbeat 4096 May 12 00:30 ..
-rw-r----- 1 root journalbeat 6616 May 12 00:30 journalbeat.json
/usr/share/heartbeat/kibana:
total 8
drwxr-x--- 1 root heartbeat 4096 May 12 00:26 .
drwxr-x--- 1 root heartbeat 4096 May 12 00:26 ..
...
/usr/share/auditbeat/kibana/7/dashboard:
total 232
drwxr-x--- 1 root auditbeat 4096 May 12 00:51 .
drwxr-x--- 1 root auditbeat 4096 May 12 00:51 ..
-rw-r----- 1 root auditbeat 22501 May 12 00:51 auditbeat-file-integrity.json
-rw-r----- 1 root auditbeat 6945 May 12 00:51 auditbeat-kernel-executions.json
...
/usr/share/packetbeat/kibana/7/dashboard:
total 300
drwxr-x--- 1 root packetbeat 4096 May 12 00:41 .
drwxr-x--- 1 root packetbeat 4096 May 12 00:41 ..
-rw-r----- 1 root packetbeat 22551 May 12 00:41 Packetbeat-cassandra.json
-rw-r----- 1 root packetbeat 14045 May 12 00:41 Packetbeat-dhcpv4.json
...
There was a problem hiding this comment.
Very nice shell magic there David :-) But for the purposes of this PR unless we want to enumerate the supported Beats we need to stick with Beat specific 'managed' config as suggested by me. Agreed?
There was a problem hiding this comment.
Yes, that's fine. My comment was more of a FYI :)
There was a problem hiding this comment.
The heartbeat error you encountered seems like a bug that should be fixed in the reference yaml, correct?
There was a problem hiding this comment.
I am not sure. I read it as "you asked me to import dashboards but there are no dashboards to import so I give up"
| @@ -28,6 +28,9 @@ const ( | |||
|
|
|||
| // ApmAgentUserRole is the name of the role used by APMServer instances to connect to Kibana | |||
| ApmAgentUserRole = "eck_apm_agent_user_role" | |||
|
|
|||
| // KibanaUserBuiltinRole is the name of the built-in Kibana user role | |||
| KibanaUserBuiltinRole = "kibana_user" | |||
There was a problem hiding this comment.
I changed it to kibana_admin and started using it.
| @@ -25,6 +25,10 @@ type BeatSpec struct { | |||
| // +kubebuilder:validation:Optional | |||
| ElasticsearchRef commonv1.ObjectSelector `json:"elasticsearchRef,omitempty"` | |||
|
|
|||
| // KibanaRef is a reference to a Kibana instance running in the same Kubernetes cluster. | |||
| // It allows automatic setup of dashboards and visualizations. | |||
| KibanaRef commonv1.ObjectSelector `json:"kibanaRef,omitempty"` | |||
There was a problem hiding this comment.
Just a note for other reviewers: I was wondering if we needed the Optional tag here since all the other ones have it, it looks like we only need it if we also set kubebuilder:validation:Required on the package which marks them all as required by default
|
|
||
| if err := cfg.MergeWith(esOutput); err != nil { | ||
| return err | ||
| esOutput := map[string]interface{}{ |
There was a problem hiding this comment.
Doesn't need to be resolved in your change, but this made me realize we need to add documentation on how beats and ssl verification interacts with custom certs. Opened this issue:
#3216
The only way I can think of being smarter here is if we check that the current associated certificate is valid for the host name (and everything else?) the beat will use, and if not, setting ssl verification mode to none. I'm not sure we want to do that silently though, and probably want the users to know they are disabling ssl.
I do wonder if we want to fail the association if we know that the beat cannot actually associate successfully with the current certificate.
|
LGTM on first pass, will take another look tomorrow for 👍 unless someone gets to it first. I'm good with waiting for the e2e test until a future PR, but can you open an issue so we don't forget? |
| return settings.NewCanonicalConfigFrom(esOutput) | ||
| } | ||
|
|
||
| // BuildKibanaConfig builds on optional Kibana configuration for dashboard setup and visualizations. |
There was a problem hiding this comment.
| // BuildKibanaConfig builds on optional Kibana configuration for dashboard setup and visualizations. | |
| // BuildKibanaConfig builds an optional Kibana configuration for dashboard setup and visualizations. |
| // use only the default config or only the provided config - no overriding, no merging | ||
| userConfig := beat.Spec.Config | ||
| if userConfig == nil { | ||
| if err := cfg.MergeWith(defaultConfig); err != nil { | ||
| if err := cfg.MergeWith(defaultConfig.Unmanaged); err != nil { |
There was a problem hiding this comment.
nit: it's not in your change but I just realized that in the debug log below we probably want to include the beat name/ns
| UserSecretSuffix: "beat-kb-user", | ||
| CASecretLabelName: kibana.KibanaNameLabelName, | ||
| ESUserRole: func(commonv1.Associated) (string, error) { | ||
| return user.KibanaAdminBuiltinRole, nil |
There was a problem hiding this comment.
Will this work with <7.5 version of Kibana? I don't see it in the docs.
There was a problem hiding this comment.
Good point. I forgot about that.
| "username": username, | ||
| "password": password, | ||
| }, | ||
| } |
There was a problem hiding this comment.
Should we consider addingsetup.dashboards.retry.enabled (docs) to avoid crashing?
There was a problem hiding this comment.
Not sure: it would hide this unpleasant startup behaviour but it could hide an actual misconfiguration by never failing. Having said that given the low priority of the auto-install dashboards feature I am happy to include it.
There was a problem hiding this comment.
That's true, but with this change it will be a common behavior between ES and Kibana - if someone configures output incorrectly Beat won't fail either. We can try to come up with a common solution as a part of #3197.
There was a problem hiding this comment.
Turns out there is a bug in libbeat that prevents the retry from actually working elastic/beats#12283 because a Kibana Client is created before the retry logic starts and does a first request that fails.
charith-elastic
added
the
exclude-from-release-notes
Adds a
kibanaRefto the Beats CRDkibana_adminrole to talk to KibanaAdds support for
setup.kibana(sorry for folding this into the same PR but testing was easier this way)kibanaReffor generic Beats (needs documentation how to use the credentials)TODO:
Fixes #3191 and #3192