[kbn-test] Disable TLS for svl Kibana #171434
Conversation
This reverts commit d3c69c3.
dmlemeshko
changed the title
| // Serverless Specific | ||
| if (vars.serverless) { | ||
| log.info(`Serverless mode detected`); | ||
|
|
||
| vars.esTestCluster.serverArgs.push( | ||
| `xpack.security.authc.realms.saml.cloud-saml-kibana.sp.entity_id=http://host.docker.internal:${kibanaPort}`, | ||
| `xpack.security.authc.realms.saml.cloud-saml-kibana.sp.logout=http://host.docker.internal:${kibanaPort}/logout`, | ||
| `xpack.security.authc.realms.saml.cloud-saml-kibana.sp.acs=http://host.docker.internal:${kibanaPort}/api/security/saml/callback` | ||
| ); | ||
| } |
There was a problem hiding this comment.
It was the reason for Cypress tests to fail. Please avoid overriding SAML configuration for both Kibana & ES, we keep things up-to-date in x-pack/test_serverless/shared/config.base.ts
There was a problem hiding this comment.
@dmlemeshko if serverless ES is running in docker and Kibana is running locally, then https://github.com/elastic/kibana/blob/main/x-pack/test_serverless/shared/config.base.ts#L78-L80
http://localhost:${servers.kibana.port} is not going to be reachable from ES docker container, because localhost will be referencing the container itself, not the host where Kibana is running
There was a problem hiding this comment.
http://localhost:${servers.kibana.port} is not going to be reachable from ES docker container, because localhost will be referencing the container itself, not the host where Kibana is running
Just to confirm my understanding, why do you require Kibana to be accessible from the ES container? If you're referring to URLs in sp.{logout|acs}, then it doesn't matter — ES solely uses these URLs to generate a special URL for redirecting users during login or logout. Hence, the important part here is that the user's browser can access these URLs.
| SAMLResponse: await createSAMLResponse({ | ||
| username, | ||
| roles: [], | ||
| kibanaUrl, | ||
| }), | ||
| }); |
There was a problem hiding this comment.
Using @kbn/mock-idp-plugin to get SAML response
dmlemeshko
requested review from
MadameSheema,
patrykkopycinski,
oatkiller,
maximpn,
banderror and
a team
as code owners
dmlemeshko
added
v8.12.0
release_note:skip
| esServerlessOptions?: Pick<ServerlessOptions, 'image' | 'tag' | 'resources' | 'host'>; | ||
| esServerlessOptions?: Pick< | ||
| ServerlessOptions, | ||
| 'image' | 'tag' | 'resources' | 'host' | 'kibanaUrl' |
There was a problem hiding this comment.
We need to pass kibanaUrl to ES arguments, as it is used to configure SAML.
See https://github.com/elastic/kibana/pull/170852/files#diff-8f7aba0b3396374d5da09418deddf4ae0c2e31881871e5b59a4c4f5e6b9bdec3R472-R517
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]
History
To update your PR or re-run it, just comment with: cc @dmlemeshko |
Summary
This PR disables TLS mode for Kibana run in serverless.
Related to #170417 enabling serverless roles testing
Blocked by #171513
PR is created in cooperation with @azasypkin and intended to simplify the automated testing process for serverless:
starting Kibana with TLS enabled adds unnecessary complexity to the process of getting session cookie and overall Kibana APIs calling with Dev certificate in the tests.
The selected approach is to disable TLS for Kibana and simply rely on #171513 to configure mocked idp realm for Serverless ES with TLS enabled.