Open philippkahr opened 2 years ago
We have recently reworked the way the enrolment tokens for Fleet/Elastic Agents in Fleet are generated. It is now the operator itself that is interacting with the Kibana API. The problem described in this issue remains: Fleet enrolment will fail if the basic authentication provider in Kibana is disabled.
The only "clever" thing we could do is inject the basic auth provider if the user has not specified one. This might however be undesired if they disabled it because of security requirements or company-wide authentication policies etc.
We also have an implementation problem to solve in that the Kibana controller responsible for generating the kibana.yml based on the user specified values and the values ECK sets is currently not aware of Fleet or Agent. We would need a communication channel into the agent-kb association controller to allow the association controller to express to the Kibana controller that we want to use the Kibana API and need working basic auth for it.
Proposal
Use case. Why is this important?
When you deploy Kibana using ECK and set another realm to the order of 0, it automatically disables the built-in basic realm. Take the following Kibana manifest as an example.
When you now want to deploy a fleet server, it will fail with the following error:
@pebrc explained:
From a user perspective it would be cool if ECK can do some magic to make this work when adding a fleet server for enrollment.
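A pre-flight check for the condition discussed in this issue, as an added example that is not part of the original issue or of ECK's code: it inspects a Kibana `spec.config` mapping and reports whether a basic authentication provider is still enabled before a Fleet Server is deployed. The function names, the provider names `saml1` and `basic1`, and the sample configs are assumptions constructed for illustration.

```python
# Added example: the names below (enabled_basic_providers, fleet_enrolment_ready,
# saml1, basic1) are hypothetical; the sample configs are constructed.
PREFIX = "xpack.security.authc.providers"

def flatten(node, prefix=""):
    """Flatten nested mappings to dotted keys; Kibana config accepts both forms."""
    flat = {}
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else str(key)
        if isinstance(value, dict) and value:
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat

def enabled_basic_providers(config):
    """Names of enabled basic providers, or None when no provider is declared
    (Kibana then keeps its default basic provider)."""
    flat = flatten(config)
    declared = {k[len(PREFIX) + 1:]: v for k, v in flat.items()
                if k.startswith(PREFIX + ".")}
    if not declared:
        return None
    names = set()
    for key in declared:
        parts = key.split(".")
        if parts[0] == "basic" and len(parts) >= 2:
            names.add(parts[1])
    # A provider counts as enabled unless it is explicitly set to enabled: false.
    return sorted(n for n in names
                  if declared.get(f"basic.{n}.enabled", True) is not False)

def fleet_enrolment_ready(config):
    """True when basic auth against the Kibana API can still work."""
    basic = enabled_basic_providers(config)
    return basic is None or len(basic) > 0

# Constructed spec.config samples: nested form and dotted form.
SAML_ONLY = {"xpack": {"security": {"authc": {"providers": {
    "saml": {"saml1": {"order": 0, "realm": "saml1"}}}}}}}
SAML_AND_BASIC = {"xpack.security.authc.providers": {
    "saml.saml1.order": 0, "saml.saml1.realm": "saml1",
    "basic.basic1.order": 1}}

if __name__ == "__main__":
    samples = [("saml-only", SAML_ONLY), ("saml+basic", SAML_AND_BASIC), ("default", {})]
    for name, cfg in samples:
        print(name, "->", "ok" if fleet_enrolment_ready(cfg) else "basic provider disabled")
```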