elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[docker] support _FILE environment variable #39605

Open jbudz opened 5 years ago

jbudz commented 5 years ago

Transferring from https://github.com/elastic/kibana-docker/issues/139

We are trying to run Kibana in DDC (sigh) and the secrets are mounted as files, and thus the "secret" has to be read from /run/secrets/secret-name. The "workaround" for this issue in DDC is to create a wrapper script that reads the secret and puts the value into the correct env variable.

I propose that the "helper" script could look for SOME_VAR_FILE, and if it finds that (and it's a file that's readable), put the contents of the file into SOME_VAR.

The places I see this being most useful is "ELASTICSEARCH_PASSWORD" and maybe "SERVER_SSL_KEYPASSPHRASE" as the other places I would use a "secret" are already looking for a file.

Suggestions?

~tommy
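One way to implement the helper script proposed above, as an added example that is not part of Kibana's image or this issue: a POSIX sh function that resolves SOME_VAR from SOME_VAR_FILE, refuses the ambiguous case where both are set, and rejects an unreadable file. The entrypoint path in the trailing comment and the `resolve_from_file` demo helper are assumptions for illustration.

```shell
#!/bin/sh
# Hypothetical entrypoint helper (not Kibana's own code) implementing the VAR_FILE
# convention. For each variable it is asked to resolve, if VAR_FILE is set it must
# name a readable file whose contents become VAR. A trailing newline is dropped,
# VAR_FILE is unset afterwards so the path is not passed on to child processes, and
# setting both VAR and VAR_FILE is refused so a stray env value cannot silently win.

file_env() {
    var="$1"
    file_var="${var}_FILE"
    # Indirect expansion via eval keeps this POSIX (no bash-only ${!var}).
    eval "val=\${$var:-}"
    eval "file=\${$file_var:-}"

    if [ -n "$val" ] && [ -n "$file" ]; then
        echo "error: both $var and $file_var are set; set only one" >&2
        return 1
    fi
    if [ -n "$file" ]; then
        if [ ! -r "$file" ]; then
            echo "error: $file_var=$file is not a readable file" >&2
            return 1
        fi
        # Command substitution strips trailing newlines, which secret files usually carry.
        val="$(cat "$file")"
        export "$var=$val"
        unset "$file_var"
    fi
    return 0
}

# Demo helper (assumed, for checking behaviour): writes a constructed secret to a temp
# file standing in for /run/secrets/<name>, resolves ELASTICSEARCH_PASSWORD from it in
# a subshell and prints the result, leaving the caller's environment untouched.
resolve_from_file() {
    tmp="$(mktemp)"
    printf '%s\n' "$1" > "$tmp"
    rc=0
    ( ELASTICSEARCH_PASSWORD_FILE="$tmp"; export ELASTICSEARCH_PASSWORD_FILE
      file_env ELASTICSEARCH_PASSWORD && printf '%s' "$ELASTICSEARCH_PASSWORD" ) || rc=$?
    rm -f "$tmp"
    return $rc
}

# In a real wrapper the helper runs before handing over to the image's entrypoint:
#   file_env ELASTICSEARCH_PASSWORD && file_env SERVER_SSL_KEYPASSPHRASE \
#       && exec /usr/local/bin/kibana-docker "$@"      # entrypoint path assumed
```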

elasticmachine commented 5 years ago

Pinging @elastic/kibana-operations

tylersmalley commented 4 years ago

@TJM, can you confirm if the Secure Settings keystore would work for you?

TJM commented 4 years ago

I am afraid the Secure Settings would have the same "issue" that environment variables have. I would need to be able to automatically run the command (cat /file/containing/setting/value | bin/kibana-keystore add the.setting.name.to.set --stdin). I do like the idea of using the keystore over environment variables, but the problem of getting the value from the "file" where DDC provides the secret value into the keystore is still there. We will be moving away from DDC (docker datacenter / docker swarm) this year, and will have a whole new way to provide secrets. We have added a helper script to cat the values into the appropriate environment variables for now.

tylersmalley commented 4 years ago

@jbudz or @spalger - are you aware of any precedent for this in Elasticsearch?

spalger commented 4 years ago

I don't think I've seen a {var}_FILE pattern before, I think a wrapper script is the right solution unless the community speaks up and expresses a wider need for this.

TJM commented 4 years ago

Does no one else use secrets to provide passwords? Or does no one else use Docker Datacenter swarm anymore? Docker Secrets are provided as a filename, similar to mounting the secret in K8s. Perhaps, if the "password" starts with a "/", check to see if it's a readable file, and if so, read its contents in and replace the variable? I just thought that using ELASTICSEARCH_PASSWORD_FILE would be more supportable?

spalger commented 4 years ago

Yeah, I understand the concept behind the request. I just can't recall hearing the request from anyone else, or seeing a similar feature implemented in other products, and would prefer to not modify the way that configuration is loaded unless it's really necessary. It's a very core, old and important system that needs to be as easy to understand and maintain as possible.

It also sounds like you've been able to accomplish your needs with a simple helper script so it doesn't sound like you really need this implemented. Is that right?

TJM commented 4 years ago

I was honestly hoping that other people would jump on board (me too's). I really dislike having to modify the docker image. Lots of overhead just to get a secret into a variable :) (silly docker enterprise)

RasmusGodske commented 4 years ago

I agree with @TJM on this as well. ElasticSearch already supports this: ElasticSearch Secrets.

byt3bl33d3r commented 3 years ago

+1, this should be supported throughout the entire ELK stack IMHO. I really don't like the idea of passing credentials via environment variables.

rafaelcaviquioli commented 3 years ago

I'm also migrating all application services to use _FILE instead of env vars after a vulnerability assessment, and I was surprised when I noticed Kibana doesn't have ELASTICSEARCH_PASSWORD_FILE.

So far, I could apply this change for MongoDB, Postgres, RabbitMQ and Elasticsearch successfully, except for Kibana.

Elasticsearch itself contains a documentation section describing the use of ELASTIC_PASSWORD_FILE: https://www.elastic.co/guide/en/elasticsearch/reference/master/docker.html#docker-configuration-methods

References:

- https://owasp.org/www-community/vulnerabilities/Password_Plaintext_Storage
- https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html (keep secrets as secrets)
- https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets
- https://cloudberry.engineering/article/dockerfile-security-best-practices/

radusuciu commented 1 year ago

Would also use this feature! I think it's worthwhile supporting even outside of the context of docker swarm/compose.

TT-JBlock commented 11 months ago

+1

JF-Fentron commented 7 months ago

+1