Merge branch '8.8' into backport/8.8/pr-155938
kibanamachine authored Apr 27, 2023
2 parents ddf2b1d + a387c0f commit 6b540ee
Showing 29 changed files with 664 additions and 86 deletions.
1 change: 1 addition & 0 deletions config/serverless.oblt.yml
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
uiSettings.overrides.defaultRoute: /app/observability/overview
xpack.infra.logs.app_target: discover
35 changes: 17 additions & 18 deletions docs/settings/alert-action-settings.asciidoc
@@ -1,10 +1,14 @@
[role="xpack"]
[[alert-action-settings-kb]]
=== Alerting and action settings in {kib}
== Alerting and action settings in {kib}
++++
<titleabbrev>Alerting and action settings</titleabbrev>
++++

:description: Learn about the settings that affect {kib} {alert-features}.
:tags-products: [kibana, alerting]
:tags-content-type: [reference]
:tags-user-goals: [configure]

Alerting and actions are enabled by default in {kib}, but require you to configure the following:

. <<using-kibana-with-security,Set up {kib} to work with {stack} {security-features}>>.
Expand All @@ -15,7 +19,7 @@ You can configure the following settings in the `kibana.yml` file.

[float]
[[general-alert-action-settings]]
==== General settings
=== General settings

`xpack.encryptedSavedObjects.encryptionKey`::
A string of 32 or more characters used to encrypt sensitive properties on alerting rules and actions before they're stored in {es}. Third party credentials &mdash; such as the username and password used to connect to an SMTP service &mdash; are an example of encrypted properties.
Expand All @@ -29,7 +33,7 @@ Be sure to back up the encryption key value somewhere safe, as your alerting rul

[float]
[[action-settings]]
==== Action settings
=== Action settings

`xpack.actions.allowedHosts` {ess-icon}::
A list of hostnames that {kib} is allowed to connect to when built-in actions are triggered. It defaults to `[*]`, allowing any host, but keep in mind the potential for SSRF attacks when hosts are not explicitly added to the allowed hosts. An empty list `[]` can be used to block built-in actions from making any external connections.
Expand Down Expand Up @@ -71,7 +75,7 @@ xpack.actions.customHostSettings:
ssl:
verificationMode: 'none'
--

+
The settings in `xpack.actions.customHostSettings` can be used to override the
global option `xpack.actions.ssl.verificationMode` and provide customized TLS
settings on a per-server basis. Set `xpack.actions.ssl.verificationMode` to the
Expand Down Expand Up @@ -107,7 +111,7 @@ The options `smtp.ignoreTLS` and `smtp.requireTLS` can not both be set to true.
Default: `false`.

`xpack.actions.customHostSettings[n].ssl.rejectUnauthorized`::
Deprecated. Use <<action-config-custom-host-verification-mode,`xpack.actions.customHostSettings.ssl.verificationMode`>> instead. A boolean value indicating whether to bypass server certificate validation.
deprecated:[8.0.0] Use <<action-config-custom-host-verification-mode,`xpack.actions.customHostSettings.ssl.verificationMode`>> instead. A boolean value indicating whether to bypass server certificate validation.
Overrides the general `xpack.actions.rejectUnauthorized` configuration
for requests made for this hostname/port.
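Review bot: on the changed `xpack.actions.customHostSettings[n].ssl.rejectUnauthorized` line, "A boolean value indicating whether to bypass server certificate validation" does not say which value turns validation off. The sibling deprecated settings in this file spell it out ("Set to `false` to bypass certificate validation"). Since this line is being edited anyway, use the same wording here so that nobody reads `true` as the bypass value.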

Expand All @@ -127,7 +131,7 @@ the files cannot be made available.

[[action-config-email-domain-allowlist]] `xpack.actions.email.domain_allowlist` {ess-icon}::
A list of allowed email domains which can be used with the email connector. When this setting is not used, all email domains are allowed. When this setting is used, if any email is attempted to be sent that (a) includes an addressee with an email domain that is not in the allowlist, or (b) includes a from address domain that is not in the allowlist, it will fail with a message indicating the email is not allowed.

+
WARNING: This feature is available in {kib} 7.17.4 and 8.3.0 onwards but is not supported in {kib} 8.0, 8.1 or 8.2. As such, this setting should be removed before upgrading from 7.17 to 8.0, 8.1 or 8.2. It is possible to configure the settings in 7.17.4 and then upgrade to 8.3.0 directly.

`xpack.actions.enableFooterInEmail` {ess-icon}::
Expand Down Expand Up @@ -160,8 +164,6 @@ proxy in tunneling mode, and display some of the interaction between the client
--
curl --verbose --proxytunnel --proxy http://localhost:8080 http://example.com
--
+


`xpack.actions.proxyBypassHosts` {ess-icon}::
Specifies hostnames which should not use the proxy, if using a proxy for actions. The value is an array of hostnames as strings. By default, all hosts will use the proxy, but if an action's hostname is in this list, the proxy will not be used. The settings `xpack.actions.proxyBypassHosts` and `xpack.actions.proxyOnlyHosts` cannot be used at the same time.
Expand All @@ -173,14 +175,14 @@ Specifies hostnames which should only use the proxy, if using a proxy for action
Specifies HTTP headers for the proxy, if using a proxy for actions. Default: {}.

`xpack.actions.proxyRejectUnauthorizedCertificates` {ess-icon}::
Deprecated. Use <<action-config-proxy-verification-mode,`xpack.actions.ssl.proxyVerificationMode`>> instead. Set to `false` to bypass certificate validation for the proxy, if using a proxy for actions. Default: `true`.
deprecated:[8.0.0] Use <<action-config-proxy-verification-mode,`xpack.actions.ssl.proxyVerificationMode`>> instead. Set to `false` to bypass certificate validation for the proxy, if using a proxy for actions. Default: `true`.

[[action-config-proxy-verification-mode]]`xpack.actions.ssl.proxyVerificationMode` {ess-icon}::
Controls the verification for the proxy server certificate that Kibana receives when making an outbound SSL/TLS connection to the proxy server. Valid values are `full`, `certificate`, and `none`.
Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>.

`xpack.actions.rejectUnauthorized` {ess-icon}::
Deprecated. Use <<action-config-verification-mode,`xpack.actions.ssl.verificationMode`>> instead. Set to `false` to bypass certificate validation for actions. Default: `true`.
deprecated:[8.0.0] Use <<action-config-verification-mode,`xpack.actions.ssl.verificationMode`>> instead. Set to `false` to bypass certificate validation for actions. Default: `true`.
+
As an alternative to setting `xpack.actions.rejectUnauthorized`, you can use the setting
`xpack.actions.customHostSettings` to set SSL options for specific servers.
Expand All @@ -206,9 +208,8 @@ For example, `20m`, `24h`, `7d`, `1w`. Default: `60s`.
Specifies the maximum number of times an action can be attempted to run. Can be minimum 1 and maximum 10.

`xpack.actions.run.connectorTypeOverrides` {ess-icon}::
Overrides the configs under `xpack.actions.run` for the connector type with the given ID. List the connector type identifier and its settings in an array of objects.
Overrides the configs under `xpack.actions.run` for the connector type with the given ID. List the connector type identifier and its settings in an array of objects. For example:
+
For example:
[source,yaml]
--
xpack.actions.run:
Expand All @@ -220,7 +221,7 @@ xpack.actions.run:

[float]
[[alert-settings]]
==== Alerting settings
=== Alerting settings

`xpack.alerting.maxEphemeralActionsPerAlert` {ess-icon}::
deprecated:[8.8.0]
Expand Down Expand Up @@ -257,9 +258,8 @@ Specifies the default timeout for tasks associated with all types of rules. The
For example, `20m`, `24h`, `7d`, `1w`. Default: `5m`.

`xpack.alerting.rules.run.ruleTypeOverrides` {ess-icon}::
Overrides the configs under `xpack.alerting.rules.run` for the rule type with the given ID. List the rule identifier and its settings in an array of objects.
Overrides the configs under `xpack.alerting.rules.run` for the rule type with the given ID. List the rule identifier and its settings in an array of objects. For example:
+
For example:
[source,yaml]
--
xpack.alerting.rules.run:
Expand All @@ -270,9 +270,8 @@ xpack.alerting.rules.run:
--

`xpack.alerting.rules.run.actions.connectorTypeOverrides` {ess-icon}::
Overrides the configs under `xpack.alerting.rules.run.actions` for the connector type with the given ID. List the connector type identifier and its settings in an array of objects.
Overrides the configs under `xpack.alerting.rules.run.actions` for the connector type with the given ID. List the connector type identifier and its settings in an array of objects. For example:
+
For example:
[source,yaml]
--
xpack.alerting.rules.run:
2 changes: 1 addition & 1 deletion docs/setup/settings.asciidoc
Expand Up @@ -619,7 +619,7 @@ Set this value to false to disable the Upgrade Assistant UI. *Default: true*
Set this value to change the {kib} interface language.
Valid locales are: `en`, `zh-CN`, `ja-JP`. *Default: `en`*

include::{kib-repo-dir}/settings/alert-action-settings.asciidoc[]
include::{kib-repo-dir}/settings/alert-action-settings.asciidoc[leveloffset=+1]
include::{kib-repo-dir}/settings/apm-settings.asciidoc[]
include::{kib-repo-dir}/settings/banners-settings.asciidoc[]
include::{kib-repo-dir}/settings/cases-settings.asciidoc[leveloffset=+1]
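Review bot: the `[leveloffset=+1]` added to the `alert-action-settings.asciidoc` include is only correct together with the heading changes in that file (`===` to `==`, `====` to `===`). Any other document that includes `alert-action-settings.asciidoc` without the offset will now render its headings one level too high, so check for other includes of that file before merging and say in the commit message that the two changes belong together.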
@@ -0,0 +1,25 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0 and the Server Side Public License, v 1; you may not use this file except
* in compliance with, at your election, the Elastic License 2.0 or the Server
* Side Public License, v 1.
*/

import { Env } from '@kbn/config';
import { rawConfigServiceMock, configServiceMock } from '@kbn/config-mocks';

export const mockConfigService = configServiceMock.create();
export const mockRawConfigService = rawConfigServiceMock.create();
export const mockRawConfigServiceConstructor = jest.fn(() => mockRawConfigService);
jest.doMock('@kbn/config', () => ({
ConfigService: jest.fn(() => mockConfigService),
Env,
RawConfigService: jest.fn(mockRawConfigServiceConstructor),
}));

jest.doMock('./root', () => ({
Root: jest.fn(() => ({
shutdown: jest.fn(),
})),
}));
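Review bot: in the `@kbn/config` mock, `RawConfigService: jest.fn(mockRawConfigServiceConstructor)` wraps one `jest.fn` in another. The tests assert on `mockRawConfigServiceConstructor`, so passing it directly (`RawConfigService: mockRawConfigServiceConstructor`) is enough and removes a layer that can confuse call counts later. Because `jest.doMock` is not hoisted, a short comment that this file must be imported before `./bootstrap` would also help.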
61 changes: 61 additions & 0 deletions packages/core/root/core-root-server-internal/src/bootstrap.test.ts
@@ -0,0 +1,61 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0 and the Server Side Public License, v 1; you may not use this file except
* in compliance with, at your election, the Elastic License 2.0 or the Server
* Side Public License, v 1.
*/

import { of } from 'rxjs';
import type { CliArgs } from '@kbn/config';

import { mockRawConfigService, mockRawConfigServiceConstructor } from './bootstrap.test.mocks';

jest.mock('@kbn/core-logging-server-internal');

import { bootstrap } from './bootstrap';

const bootstrapCfg = {
configs: ['config/kibana.yml'],
cliArgs: {} as unknown as CliArgs,
applyConfigOverrides: () => ({}),
};

describe('bootstrap', () => {
describe('serverless', () => {
beforeEach(() => {
jest.clearAllMocks();
});

test('should load additional serverless files for a valid project', async () => {
mockRawConfigService.getConfig$.mockReturnValue(of({ serverless: 'es' }));
await bootstrap(bootstrapCfg);
expect(mockRawConfigServiceConstructor).toHaveBeenCalledTimes(2);
expect(mockRawConfigServiceConstructor).toHaveBeenNthCalledWith(
1,
bootstrapCfg.configs,
bootstrapCfg.applyConfigOverrides
);
expect(mockRawConfigServiceConstructor).toHaveBeenNthCalledWith(
2,
[
expect.stringContaining('config/serverless.yml'),
expect.stringContaining('config/serverless.es.yml'),
...bootstrapCfg.configs,
],
bootstrapCfg.applyConfigOverrides
);
});

test('should skip loading the serverless files for an invalid project', async () => {
mockRawConfigService.getConfig$.mockReturnValue(of({ serverless: 'not-valid' }));
await bootstrap(bootstrapCfg);
expect(mockRawConfigServiceConstructor).toHaveBeenCalledTimes(1);
expect(mockRawConfigServiceConstructor).toHaveBeenNthCalledWith(
1,
bootstrapCfg.configs,
bootstrapCfg.applyConfigOverrides
);
});
});
});
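Review bot: the first test expects `config/serverless.yml` and `config/serverless.es.yml` in the second constructor call, but neither `fs` nor `@kbn/utils` is mocked here, so the result depends on those files existing in the real config directory when the test runs. Mock `statSync` (or `getConfigDirectory`) and add a case where one of the files is missing, so the `.filter(configFileExists)` path in `bootstrap.ts` is covered. An assertion that `mockRawConfigService.stop` is called on the serverless path would also pin down the cleanup of the first instance.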
46 changes: 44 additions & 2 deletions packages/core/root/core-root-server-internal/src/bootstrap.ts
Expand Up @@ -7,9 +7,14 @@
*/

import chalk from 'chalk';
import { firstValueFrom } from 'rxjs';
import { getPackages } from '@kbn/repo-packages';
import { CliArgs, Env, RawConfigService } from '@kbn/config';
import { CriticalError } from '@kbn/core-base-server-internal';
import { resolve } from 'path';
import { getConfigDirectory } from '@kbn/utils';
import { statSync } from 'fs';
import { VALID_SERVERLESS_PROJECT_TYPES } from './root/serverless_config';
import { Root } from './root';
import { MIGRATION_EXCEPTION_CODE } from './constants';

Expand Down Expand Up @@ -38,15 +43,40 @@ export async function bootstrap({ configs, cliArgs, applyConfigOverrides }: Boot
// eslint-disable-next-line @typescript-eslint/no-var-requires
const { REPO_ROOT } = require('@kbn/repo-info');

const env = Env.createDefault(REPO_ROOT, {
let env = Env.createDefault(REPO_ROOT, {
configs,
cliArgs,
repoPackages: getPackages(REPO_ROOT),
});

const rawConfigService = new RawConfigService(env.configs, applyConfigOverrides);
let rawConfigService = new RawConfigService(env.configs, applyConfigOverrides);
rawConfigService.loadConfig();

// Hack to load the extra serverless config files if `serverless: {projectType}` is found in it.
const rawConfig = await firstValueFrom(rawConfigService.getConfig$());
const serverlessProjectType = rawConfig?.serverless;
if (
typeof serverlessProjectType === 'string' &&
VALID_SERVERLESS_PROJECT_TYPES.includes(serverlessProjectType)
) {
const extendedConfigs = [
...['serverless.yml', `serverless.${serverlessProjectType}.yml`]
.map((name) => resolve(getConfigDirectory(), name))
.filter(configFileExists),
...configs,
];

env = Env.createDefault(REPO_ROOT, {
configs: extendedConfigs,
cliArgs: { ...cliArgs, serverless: true },
repoPackages: getPackages(REPO_ROOT),
});

rawConfigService.stop();
rawConfigService = new RawConfigService(env.configs, applyConfigOverrides);
rawConfigService.loadConfig();
}

const root = new Root(rawConfigService, env, onRootShutdown);

process.on('SIGHUP', () => reloadConfiguration());
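Review bot: in the `extendedConfigs` construction, `.filter(configFileExists)` silently drops a missing `serverless.yml` or `serverless.${serverlessProjectType}.yml`, yet the env is still rebuilt with `cliArgs: { ...cliArgs, serverless: true }`. Kibana then starts in serverless mode without the project's settings and nothing in the log says so, which is a fail-open outcome if those files carry restrictive defaults. Log a warning that names the missing path, or fail bootstrap when a valid project type is set and its file is absent. The same applies to the `typeof serverlessProjectType === 'string'` check: a value outside `VALID_SERVERLESS_PROJECT_TYPES` is skipped here without a message.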
Expand Down Expand Up @@ -128,3 +158,15 @@ function onRootShutdown(reason?: any) {

process.exit(0);
}

function configFileExists(path: string) {
try {
return statSync(path).isFile();
} catch (err) {
if (err.code === 'ENOENT') {
return false;
}

throw err;
}
}
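Review bot: `configFileExists` treats only `ENOENT` as "not there" and rethrows everything else, so a permissions error on the config directory aborts bootstrap with a raw `fs` error. If that is intended, a one-line comment saying so would keep someone from widening the catch later. `statSync(path, { throwIfNoEntry: false })?.isFile() ?? false` gives the same result for the missing-file case without the try/catch, and the `err.code` access on an untyped `catch (err)` goes away with it.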
Expand Up @@ -28,6 +28,7 @@ import { uiSettingsConfig } from '@kbn/core-ui-settings-server-internal';

import { config as pluginsConfig } from '@kbn/core-plugins-server-internal';
import { elasticApmConfig } from './root/elastic_config';
import { serverlessConfig } from './root/serverless_config';

const rootConfigPath = '';

Expand All @@ -49,6 +50,7 @@ export function registerServiceConfig(configService: ConfigService) {
pluginsConfig,
savedObjectsConfig,
savedObjectsMigrationConfig,
serverlessConfig,
statusConfig,
uiSettingsConfig,
];
@@ -0,0 +1,34 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0 and the Server Side Public License, v 1; you may not use this file except
* in compliance with, at your election, the Elastic License 2.0 or the Server
* Side Public License, v 1.
*/

import { schema, TypeOf, Type } from '@kbn/config-schema';
import { ServiceConfigDescriptor } from '@kbn/core-base-server-internal';

// Config validation for how to run Kibana in Serverless mode.
// Clients need to specify the project type to run in.
// Going for a simple `serverless` string because it serves as
// a direct replacement to the legacy --serverless CLI flag.
// If we even decide to extend this further, and converting it into an object,
// BWC can be ensured by adding the object definition as another alternative to `schema.oneOf`.

export const VALID_SERVERLESS_PROJECT_TYPES = ['es', 'oblt', 'security'];

const serverlessConfigSchema = schema.maybe(
schema.oneOf(
VALID_SERVERLESS_PROJECT_TYPES.map((projectName) => schema.literal(projectName)) as [
Type<typeof VALID_SERVERLESS_PROJECT_TYPES[number]> // This cast is needed because it's different to Type<T>[] :sight:
]
)
);

export type ServerlessConfigType = TypeOf<typeof serverlessConfigSchema>;

export const serverlessConfig: ServiceConfigDescriptor<ServerlessConfigType> = {
path: 'serverless',
schema: serverlessConfigSchema,
};
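Review bot: `VALID_SERVERLESS_PROJECT_TYPES` is declared as a plain array, so its element type is `string` and `typeof VALID_SERVERLESS_PROJECT_TYPES[number]` is also `string`. `ServerlessConfigType` therefore resolves to `string | undefined` rather than the three literals, and the cast around `schema.oneOf` hides that. Declaring the array `as const` would give the literal union; the `.includes(serverlessProjectType)` call in `bootstrap.ts` would then need a typed guard. In the comments, "If we even decide" should read "If we ever decide", and `:sight:` looks like a typo.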