-
Notifications
You must be signed in to change notification settings - Fork 723
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add KibanaRef to Beats and support setup.kibana #3211
Conversation
ce20b9a
to
b266156
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice! Did a first pass, just some nits. I'd do consider moving adding the config to the common part. I gave it a spin and I have two observations:
- unfortunately, Beat crashes if it can't reach Kibana (which is a common case since it starts up much faster)
- Filbebeat doesn't seem to have any useful dashboards for just plain logging
@@ -24,3 +28,14 @@ processors: | |||
- add_host_metadata: {} | |||
`)) | |||
) | |||
|
|||
func (d *Driver) configParams() (common.DefaultConfigs, error) { | |||
kibanaConfig, err := common.BuildKibanaConfig(d.Client, v1beta1.BeatKibanaAssociation{Beat: &d.Beat}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think all Beats support that, that's at least what's there in their reference yamls (heartbeat, auditbeat, journalbeat, packetbeat). I think I'd assume we can just add it to the config for any other beat too. If it's supported it will likely follow the established pattern, if not, it will be ignored.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That was my initial assumption as well also my initial implementation. I tried it with Heartbeat and it did not go well, meaning Heartbeat terminated when the Kibana config was in place. I did not look at the reference.yaml but the written documentation and saw that it is only mentioned in the Metricbeat, Filebeat and Auditbeat docs. The fact that it is actually also in all the other reference YAMLs means I will repeat the test once more to double check that my initial observation is correct.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So take Heartbeat as an example: while it supports the settings in general, it does not come with dashboards to install and fails subsequently when not finding any stored objects to install into Kibana:
2020-06-10T12:46:32.632Z ERROR instance/beat.go:932 Exiting: Error importing Kibana dashboards: fail to import the dashboards in Kibana: Error importing directory /usr/share/heartbeat/kibana: No directory /usr/share/heartbeat/kibana/7
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like (see below):
- filebeat, metricbeat, auditbeat, packetbeat have dashboards
- journalbeat has index patterns
- heartbeat doesn't have anything
$ cat beats | while read BEAT; do docker run --rm --entrypoint bash "docker.elastic.co/beats/$BEAT:7.7.0" -c "ls -laR /usr/share/$BEAT/kibana"; done
...
/usr/share/filebeat/kibana/7/dashboard:
total 1204
drwxr-x--- 1 root filebeat 4096 May 12 00:56 .
drwxr-x--- 1 root filebeat 4096 May 12 00:56 ..
-rw-r----- 1 root filebeat 18520 May 12 00:56 749203a0-67b1-11ea-a76f-bf44814e437d.json
-rw-r----- 1 root filebeat 10270 May 12 00:56 Coredns-Overview-Dashboard.json
-rw-r----- 1 root filebeat 23030 May 12 00:56 Filebeat-Cisco-ASA.json
...
/usr/share/metricbeat/kibana/7/dashboard:
total 1888
drwxr-x--- 1 root metricbeat 4096 May 12 01:02 .
drwxr-x--- 1 root metricbeat 4096 May 12 01:02 ..
-rw-r----- 1 root metricbeat 19152 May 12 01:02 Metricbeat-Host-Services-overview.json
-rw-r----- 1 root metricbeat 35650 May 12 01:02 Metricbeat-Oracle-overview.json...
...
/usr/share/journalbeat/kibana/default/index-pattern:
total 16
drwxr-x--- 1 root journalbeat 4096 May 12 00:30 .
drwxr-x--- 1 root journalbeat 4096 May 12 00:30 ..
-rw-r----- 1 root journalbeat 6616 May 12 00:30 journalbeat.json
/usr/share/heartbeat/kibana:
total 8
drwxr-x--- 1 root heartbeat 4096 May 12 00:26 .
drwxr-x--- 1 root heartbeat 4096 May 12 00:26 ..
...
/usr/share/auditbeat/kibana/7/dashboard:
total 232
drwxr-x--- 1 root auditbeat 4096 May 12 00:51 .
drwxr-x--- 1 root auditbeat 4096 May 12 00:51 ..
-rw-r----- 1 root auditbeat 22501 May 12 00:51 auditbeat-file-integrity.json
-rw-r----- 1 root auditbeat 6945 May 12 00:51 auditbeat-kernel-executions.json
...
/usr/share/packetbeat/kibana/7/dashboard:
total 300
drwxr-x--- 1 root packetbeat 4096 May 12 00:41 .
drwxr-x--- 1 root packetbeat 4096 May 12 00:41 ..
-rw-r----- 1 root packetbeat 22551 May 12 00:41 Packetbeat-cassandra.json
-rw-r----- 1 root packetbeat 14045 May 12 00:41 Packetbeat-dhcpv4.json
...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Very nice shell magic there David :-) But for the purposes of this PR unless we want to enumerate the supported Beats we need to stick with Beat specific 'managed' config as suggested by me. Agreed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that's fine. My comment was more of a FYI :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The heartbeat error you encountered seems like a bug that should be fixed in the reference yaml, correct?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure. I read it as "you asked me to import dashboards but there are no dashboards to import so I give up"
@@ -28,6 +28,9 @@ const ( | |||
|
|||
// ApmAgentUserRole is the name of the role used by APMServer instances to connect to Kibana | |||
ApmAgentUserRole = "eck_apm_agent_user_role" | |||
|
|||
// KibanaUserBuiltinRole is the name of the built-in Kibana user role | |||
KibanaUserBuiltinRole = "kibana_user" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove if not used?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I changed it to kibana_admin
and started using it.
@@ -25,6 +25,10 @@ type BeatSpec struct { | |||
// +kubebuilder:validation:Optional | |||
ElasticsearchRef commonv1.ObjectSelector `json:"elasticsearchRef,omitempty"` | |||
|
|||
// KibanaRef is a reference to a Kibana instance running in the same Kubernetes cluster. | |||
// It allows automatic setup of dashboards and visualizations. | |||
KibanaRef commonv1.ObjectSelector `json:"kibanaRef,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a note for other reviewers: I was wondering if we needed the Optional
tag here since all the other ones have it, it looks like we only need it if we also set kubebuilder:validation:Required
on the package which marks them all as required by default
|
||
if err := cfg.MergeWith(esOutput); err != nil { | ||
return err | ||
esOutput := map[string]interface{}{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doesn't need to be resolved in your change, but this made me realize we need to add documentation on how beats and ssl verification interacts with custom certs. Opened this issue:
#3216
The only way I can think of being smarter here is if we check that the current associated certificate is valid for the host name (and everything else?) the beat will use, and if not, setting ssl verification mode to none
. I'm not sure we want to do that silently though, and probably want the users to know they are disabling ssl.
I do wonder if we want to fail the association if we know that the beat cannot actually associate successfully with the current certificate.
LGTM on first pass, will take another look tomorrow for 👍 unless someone gets to it first. I'm good with waiting for the e2e test until a future PR, but can you open an issue so we don't forget? |
return settings.NewCanonicalConfigFrom(esOutput) | ||
} | ||
|
||
// BuildKibanaConfig builds on optional Kibana configuration for dashboard setup and visualizations. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// BuildKibanaConfig builds on optional Kibana configuration for dashboard setup and visualizations. | |
// BuildKibanaConfig builds an optional Kibana configuration for dashboard setup and visualizations. |
// use only the default config or only the provided config - no overriding, no merging | ||
userConfig := beat.Spec.Config | ||
if userConfig == nil { | ||
if err := cfg.MergeWith(defaultConfig); err != nil { | ||
if err := cfg.MergeWith(defaultConfig.Unmanaged); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: it's not in your change but I just realized that in the debug log below we probably want to include the beat name/ns
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, some questions about future work that we should discuss but do not need to be resolved in this PR
UserSecretSuffix: "beat-kb-user", | ||
CASecretLabelName: kibana.KibanaNameLabelName, | ||
ESUserRole: func(commonv1.Associated) (string, error) { | ||
return user.KibanaAdminBuiltinRole, nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will this work with <7.5 version of Kibana? I don't see it in the docs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point. I forgot about that.
"username": username, | ||
"password": password, | ||
}, | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we consider addingsetup.dashboards.retry.enabled
(docs) to avoid crashing?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure: it would hide this unpleasant startup behaviour but it could hide an actual misconfiguration by never failing. Having said that given the low priority of the auto-install dashboards feature I am happy to include it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's true, but with this change it will be a common behavior between ES and Kibana - if someone configures output incorrectly Beat won't fail either. We can try to come up with a common solution as a part of #3197.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Turns out there is a bug in libbeat that prevents the retry from actually working elastic/beats#12283 because a Kibana Client is created before the retry logic starts and does a first request that fails.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
Adds a
kibanaRef
to the Beats CRDkibana_admin
role to talk to KibanaAdds support for
setup.kibana
(sorry for folding this into the same PR but testing was easier this way)kibanaRef
for generic Beats (needs documentation how to use the credentials)TODO:
Fixes #3191 and #3192