From 627970fc32f1040f5de0da5db7a7de5fa3d3a20e Mon Sep 17 00:00:00 2001 From: David Kilfoyle Date: Tue, 22 Oct 2024 11:55:07 -0400 Subject: [PATCH 01/13] [Docs] Add note on how to access generated encryptionKeys --- .../kibana.asciidoc | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc index 77d01aa739..51b6106fe1 100644 --- a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc +++ b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc @@ -206,6 +206,18 @@ To deploy more than one instance of Kibana, all the instances must share a same * `xpack.reporting.encryptionKey` * `xpack.encryptedSavedObjects.encryptionKey` +[TIP] +==== +If you need to access these encryption keys, you can find them using the `kubectl get secrets` command. The secret is named after the corresponding Kibana instance. + +For example, for a Kibana named `my-kibana`, you can run the following command to retrieve the `xpack.security.encryptionKey` key: + +[source,shell,subs="attributes"] +---- +kubectl get secret my-kibana-kb-config -o json | jq -r '.data["kibana.yml"] | @base64d' | yq .xpack.security.encryptionKey +---- +==== + You can provide your own encryption keys using a secure setting, as described in <<{p}-kibana-secure-settings,Secure settings>>. NOTE: While most reconfigurations of your Kibana instances are carried out in rolling upgrade fashion, all version upgrades will cause Kibana downtime. This happens because you can only run a single version of Kibana at any given time. For more information, check link:https://www.elastic.co/guide/en/kibana/current/upgrade.html[Upgrade Kibana]. From 12e1884e1620f728404918e8c9e03a1145947d23 Mon Sep 17 00:00:00 2001 
From: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com> Date: Tue, 22 Oct 2024 13:06:20 -0400 Subject: [PATCH 02/13] Update docs/orchestrating-elastic-stack-applications/kibana.asciidoc Co-authored-by: Stef Nestor <26751266+stefnestor@users.noreply.github.com> --- docs/orchestrating-elastic-stack-applications/kibana.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc index 51b6106fe1..adfd009e54 100644 --- a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc +++ b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc @@ -214,7 +214,7 @@ For example, for a Kibana named `my-kibana`, you can run the following command t [source,shell,subs="attributes"] ---- -kubectl get secret my-kibana-kb-config -o json | jq -r '.data["kibana.yml"] | @base64d' | yq .xpack.security.encryptionKey +kubectl get secret my-kibana-kb-config -o json | jq -r '.data["kibana.yml"] | @base64d' | grep encryptionKey ---- ==== From a4e5fe1fa1f72e96e2ad9a9c378d8c5f81e7961b Mon Sep 17 00:00:00 2001 From: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com> Date: Wed, 23 Oct 2024 15:36:42 -0400 Subject: [PATCH 03/13] Update docs/orchestrating-elastic-stack-applications/kibana.asciidoc Co-authored-by: Stef Nestor <26751266+stefnestor@users.noreply.github.com> --- docs/orchestrating-elastic-stack-applications/kibana.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc index adfd009e54..e3d3f863af 100644 --- a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc +++ b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc 
@@ -210,7 +210,7 @@ To deploy more than one instance of Kibana, all the instances must share a same ==== If you need to access these encryption keys, you can find them using the `kubectl get secrets` command. The secret is named after the corresponding Kibana instance. -For example, for a Kibana named `my-kibana`, you can run the following command to retrieve the `xpack.security.encryptionKey` key: +The secret is named after the corresponding Kibana instance. For example, for a Kibana named `my-kibana`, you can run the following command to retrieve the `xpack.security.encryptionKey` key: [source,shell,subs="attributes"] ---- From 97a96b66334291d4155b50e089df8009679103a0 Mon Sep 17 00:00:00 2001 From: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com> Date: Wed, 23 Oct 2024 15:36:48 -0400 Subject: [PATCH 04/13] Update docs/orchestrating-elastic-stack-applications/kibana.asciidoc Co-authored-by: Stef Nestor <26751266+stefnestor@users.noreply.github.com> --- docs/orchestrating-elastic-stack-applications/kibana.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc index e3d3f863af..4c03561920 100644 --- a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc +++ b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc 
@@ -208,7 +208,7 @@ To deploy more than one instance of Kibana, all the instances must share a same [TIP] ==== -If you need to access these encryption keys, you can find them using the `kubectl get secrets` command. The secret is named after the corresponding Kibana instance. +If you need to access these encryption keys, you can find them using the `kubectl get secrets` command. For example, when link:{kibana-ref}/xpack-security-secure-saved-objects.html#encryption-key-rotation[rotating encryption keys] extract the current value of `xpack.encryptedSavedObjects.encryptionKey` in order to set it as a historical encryption value under `xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys`. The secret is named after the corresponding Kibana instance. For example, for a Kibana named `my-kibana`, you can run the following command to retrieve the `xpack.security.encryptionKey` key: From 3870ee1ac794092d9a313bd2a2065dfecfc7b451 Mon Sep 17 00:00:00 2001 From: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com> Date: Wed, 23 Oct 2024 15:36:59 -0400 Subject: [PATCH 05/13] Update docs/orchestrating-elastic-stack-applications/kibana.asciidoc Co-authored-by: Stef Nestor <26751266+stefnestor@users.noreply.github.com> --- docs/orchestrating-elastic-stack-applications/kibana.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc index 4c03561920..3ac4cb6708 100644 --- a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc +++ b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc 
@@ -214,7 +214,7 @@ The secret is named after the corresponding Kibana instance. For example, for a [source,shell,subs="attributes"] ---- -kubectl get secret my-kibana-kb-config -o json | jq -r '.data["kibana.yml"] | @base64d' | grep encryptionKey +kubectl get secret my-kibana-kb-config -o json | jq -r '.data["kibana.yml"] | @base64d' | grep -B 1 encryptionKey ---- ==== From 8787a8af0b6e16907b6712b60179651560acda93 Mon Sep 17 00:00:00 2001 From: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com> Date: Wed, 23 Oct 2024 15:38:38 -0400 Subject: [PATCH 06/13] Update docs/orchestrating-elastic-stack-applications/kibana.asciidoc --- docs/orchestrating-elastic-stack-applications/kibana.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc index 3ac4cb6708..4788d5ad1b 100644 --- a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc +++ b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc 
@@ -208,7 +208,7 @@ To deploy more than one instance of Kibana, all the instances must share a same [TIP] ==== -If you need to access these encryption keys, you can find them using the `kubectl get secrets` command. For example, when link:{kibana-ref}/xpack-security-secure-saved-objects.html#encryption-key-rotation[rotating encryption keys] extract the current value of `xpack.encryptedSavedObjects.encryptionKey` in order to set it as a historical encryption value under `xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys`. +If you need to access these encryption keys, you can find them using the `kubectl get secrets` command. For example, link:{kibana-ref}/xpack-security-secure-saved-objects.html#encryption-key-rotation[rotating encryption keys] extract the current value of `xpack.encryptedSavedObjects.encryptionKey` in order to set it as an historical encryption value under `xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys`. The secret is named after the corresponding Kibana instance. For example, for a Kibana named `my-kibana`, you can run the following command to retrieve the `xpack.security.encryptionKey` key: From 80af99f9f38519a8f369f520ca3159aee35964dd Mon Sep 17 00:00:00 2001 From: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com> Date: Thu, 24 Oct 2024 09:37:51 -0400 Subject: [PATCH 07/13] Update docs/orchestrating-elastic-stack-applications/kibana.asciidoc Co-authored-by: Peter Brachwitz --- docs/orchestrating-elastic-stack-applications/kibana.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc index 4788d5ad1b..5fc761708d 100644 --- a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc +++ b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc 
@@ -208,7 +208,7 @@ To deploy more than one instance of Kibana, all the instances must share a same [TIP] ==== -If you need to access these encryption keys, you can find them using the `kubectl get secrets` command. For example, link:{kibana-ref}/xpack-security-secure-saved-objects.html#encryption-key-rotation[rotating encryption keys] extract the current value of `xpack.encryptedSavedObjects.encryptionKey` in order to set it as an historical encryption value under `xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys`. +If you need to access these encryption keys, you can find them using the `kubectl get secrets` command. For example, link:{kibana-ref}/xpack-security-secure-saved-objects.html#encryption-key-rotation[to rotate the encryption keys] extract the current value of `xpack.encryptedSavedObjects.encryptionKey` in order to set it as a decryption-only key under `xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys`. The secret is named after the corresponding Kibana instance. For example, for a Kibana named `my-kibana`, you can run the following command to retrieve the `xpack.security.encryptionKey` key: From 8c7450de4ca08a7d7deeff461057ecfabb5fab75 Mon Sep 17 00:00:00 2001 From: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com> Date: Thu, 24 Oct 2024 09:38:04 -0400 Subject: [PATCH 08/13] Update docs/orchestrating-elastic-stack-applications/kibana.asciidoc Co-authored-by: Peter Brachwitz --- docs/orchestrating-elastic-stack-applications/kibana.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc index 5fc761708d..90b29437ea 100644 --- a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc +++ b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc 
@@ -210,7 +210,7 @@ To deploy more than one instance of Kibana, all the instances must share a same ==== If you need to access these encryption keys, you can find them using the `kubectl get secrets` command. For example, link:{kibana-ref}/xpack-security-secure-saved-objects.html#encryption-key-rotation[to rotate the encryption keys] extract the current value of `xpack.encryptedSavedObjects.encryptionKey` in order to set it as a decryption-only key under `xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys`. -The secret is named after the corresponding Kibana instance. For example, for a Kibana named `my-kibana`, you can run the following command to retrieve the `xpack.security.encryptionKey` key: +The secret is named after the corresponding Kibana instance. For example, for a Kibana named `my-kibana`, you can run the following command to retrieve the current encryption keys: [source,shell,subs="attributes"] ---- From 25c867f667860f4e98039cb2921024847c0914cf Mon Sep 17 00:00:00 2001 From: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com> Date: Thu, 24 Oct 2024 09:38:22 -0400 Subject: [PATCH 09/13] Update docs/orchestrating-elastic-stack-applications/kibana.asciidoc Co-authored-by: Peter Brachwitz --- docs/orchestrating-elastic-stack-applications/kibana.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc index 90b29437ea..2ee06ff410 100644 --- a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc +++ b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc 
@@ -214,7 +214,7 @@ The secret is named after the corresponding Kibana instance. For example, for a [source,shell,subs="attributes"] ---- -kubectl get secret my-kibana-kb-config -o json | jq -r '.data["kibana.yml"] | @base64d' | grep -B 1 encryptionKey +kubectl get secret my-kibana-kb-config -o jsonpath '{ .data.kibana\.yml }' | base64 --decode | grep -B 1 encryptionKey ---- ==== From 219cbca42bdd83118bfed6892b331968c55aba6a Mon Sep 17 00:00:00 2001 From: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com> Date: Mon, 28 Oct 2024 09:17:52 -0400 Subject: [PATCH 10/13] Update docs/orchestrating-elastic-stack-applications/kibana.asciidoc Co-authored-by: Thibault Richard --- docs/orchestrating-elastic-stack-applications/kibana.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc index 2ee06ff410..c928bb2e3b 100644 --- a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc +++ b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc 
@@ -210,7 +210,7 @@ To deploy more than one instance of Kibana, all the instances must share a same ==== If you need to access these encryption keys, you can find them using the `kubectl get secrets` command. For example, link:{kibana-ref}/xpack-security-secure-saved-objects.html#encryption-key-rotation[to rotate the encryption keys] extract the current value of `xpack.encryptedSavedObjects.encryptionKey` in order to set it as a decryption-only key under `xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys`. -The secret is named after the corresponding Kibana instance. For example, for a Kibana named `my-kibana`, you can run the following command to retrieve the current encryption keys: +The secret is named after the corresponding Kibana instance. For example, for a Kibana named `my-kibana`, you can run the following command to retrieve the current encryption keys: [source,shell,subs="attributes"] ---- From 71b4c8aa8050ccaf9547f8003d4afb736132c94d Mon Sep 17 00:00:00 2001 From: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com> Date: Mon, 28 Oct 2024 10:56:23 -0400 Subject: [PATCH 11/13] Update docs/orchestrating-elastic-stack-applications/kibana.asciidoc Co-authored-by: Peter Brachwitz --- docs/orchestrating-elastic-stack-applications/kibana.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc index c928bb2e3b..f30ec1ac1d 100644 --- a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc +++ b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc 
@@ -208,7 +208,7 @@ To deploy more than one instance of Kibana, all the instances must share a same [TIP] ==== -If you need to access these encryption keys, you can find them using the `kubectl get secrets` command. For example, link:{kibana-ref}/xpack-security-secure-saved-objects.html#encryption-key-rotation[to rotate the encryption keys] extract the current value of `xpack.encryptedSavedObjects.encryptionKey` in order to set it as a decryption-only key under `xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys`. +If you need to access these encryption keys, you can find them using the `kubectl get secrets` command. The secret is named after the corresponding Kibana instance. For example, for a Kibana named `my-kibana`, you can run the following command to retrieve the current encryption keys: From 8daceabdc73acbac33986e1da72ab2fa763fd764 Mon Sep 17 00:00:00 2001 From: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com> Date: Mon, 28 Oct 2024 11:17:41 -0400 Subject: [PATCH 12/13] Update docs/orchestrating-elastic-stack-applications/kibana.asciidoc --- docs/orchestrating-elastic-stack-applications/kibana.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc index f30ec1ac1d..7da4c283e0 100644 --- a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc +++ b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc @@ -214,7 +214,7 @@ The secret is named after the corresponding Kibana instance. For example, for a [source,shell,subs="attributes"] ---- -kubectl get secret my-kibana-kb-config -o jsonpath '{ .data.kibana\.yml }' | base64 --decode | grep -B 1 encryptionKey +kubectl get secret c14-kb-config -o jsonpath='{ .data.kibana\.yml }' | base64 --decode | grep -A1 encryptedSavedObjects ---- ==== From efae835010fafa4ff4c059c72b60995de9818f57 Mon Sep 17 00:00:00 2001 
From: Thibault Richard Date: Mon, 28 Oct 2024 16:32:00 +0100 Subject: [PATCH 13/13] Update docs/orchestrating-elastic-stack-applications/kibana.asciidoc --- docs/orchestrating-elastic-stack-applications/kibana.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc index 7da4c283e0..ddd733c368 100644 --- a/docs/orchestrating-elastic-stack-applications/kibana.asciidoc +++ b/docs/orchestrating-elastic-stack-applications/kibana.asciidoc @@ -214,7 +214,7 @@ The secret is named after the corresponding Kibana instance. For example, for a [source,shell,subs="attributes"] ---- -kubectl get secret c14-kb-config -o jsonpath='{ .data.kibana\.yml }' | base64 --decode | grep -A1 encryptedSavedObjects +kubectl get secret my-kibana-kb-config -o jsonpath='{ .data.kibana\.yml }' | base64 --decode | grep -A1 encryptedSavedObjects ---- ====
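Review bot: In PATCH 01/13, the added TIP says the secret is "named after the corresponding Kibana instance", but the command reads `my-kibana-kb-config`, so the `-kb-config` suffix is left for the reader to infer. Suggest spelling out the naming pattern the example implies, and adding a sentence that the command prints the keys in clear text, so its output should be kept out of shared logs and tickets.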
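Review bot: In PATCH 02/13, swapping `yq .xpack.security.encryptionKey` for `grep encryptionKey` leaves the lead-in sentence promising the single `xpack.security.encryptionKey` key, while the new filter prints every line that contains `encryptionKey` and drops the setting name that identifies each value. Suggest updating the sentence in the same commit, or keeping a filter that selects one setting.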
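Review bot: In PATCH 03/13, the added line starts with "The secret is named after the corresponding Kibana instance." while the unchanged paragraph just above it in the hunk still ends with the same sentence, so the TIP states it twice at this commit. Suggest removing the sentence from the first paragraph in this commit rather than in PATCH 04/13, so each commit leaves the page readable.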
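Review bot: In PATCH 05/13, `grep -B 1 encryptionKey` labels each value correctly only if the decoded `kibana.yml` puts the parent setting on the line directly above every `encryptionKey` line, and the TIP does not say that. Suggest adding a line of sample output or a short remark on the expected layout, so readers can tell which value belongs to which setting.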
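Review bot: In PATCH 06/13, dropping "when" from the added sentence leaves "For example, link:...[rotating encryption keys] extract the current value", which no longer parses, and "a historical" becomes "an historical". Suggest something like "For example, when rotating encryption keys, extract the current value of ..." with the link on "rotating encryption keys", and keeping "a historical".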
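Review bot: In PATCH 09/13, `-o jsonpath '{ .data.kibana\.yml }'` passes the template as a separate argument, so kubectl receives the `jsonpath` format with no template and the command fails instead of printing the file. Suggest `-o jsonpath='{ .data.kibana\.yml }'` (PATCH 12/13 later adds the `=`), and consider dropping `subs="attributes"` from the block, since the command contains no AsciiDoc attribute reference and now carries braces of its own.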
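Review bot: In PATCH 12/13, the secret name changes from `my-kibana-kb-config` to `c14-kb-config`, which no longer matches the "for a Kibana named `my-kibana`" sentence above the block and reads like a name left over from a test cluster. Suggest keeping `my-kibana-kb-config` here (PATCH 13/13 restores it), so the `jsonpath=` fix lands without the stray name.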
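Review bot: In PATCH 13/13, the final command filters with `grep -A1 encryptedSavedObjects`, so it shows only that setting, while the sentence above the block says it retrieves "the current encryption keys" and the list before the TIP also names `xpack.reporting.encryptionKey`. Suggest either narrowing the sentence to `xpack.encryptedSavedObjects.encryptionKey` or widening the filter so it covers every listed key.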