shazChaudhry / docker-elastic

Deploy Elastic stack in a Docker Swarm cluster. Ship application logs and metrics using beats & GELF plugin to Elasticsearch

Adding SSL to kibana for alerts #45

Open wingerlion opened 3 years ago

wingerlion commented 3 years ago

I'm trying to add alerts, but first I need to activate transport layer security. I have generated my self-signed certificates using this bash script:


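#!/bin/bash
#
# Creates a local root CA (rootCA.key / rootCA.pem), installs the root
# certificate into the host trust store, and issues a CA-signed certificate
# for Kibana (kib01.key / kib01.csr / kib01.crt). All files are written to the
# current directory.
#
# Usage:  <this-script> <root-ca-passphrase>
#    or:  ROOT_CA_PASS=<root-ca-passphrase> <this-script>
#
# The trust-store and sysctl steps change system-wide state and need root.

# Fail on use of an unset variable instead of silently expanding it to "".
set -u

# Passphrase protecting rootCA.key. It is handed to openssl through the
# environment (env:ROOT_CA_PASS) rather than as pass:<value>, because openssl's
# argument list is typically readable by other local users (ps,
# /proc/<pid>/cmdline). A passphrase given as $1 is still visible on this
# script's own command line, so the environment-variable form is preferable.
ROOT_CA_PASS="${1:-${ROOT_CA_PASS:-}}"
if [[ -z "$ROOT_CA_PASS" ]]; then
        echo "Usage: $0 <root-ca-passphrase>" >&2
        exit 1
fi
export ROOT_CA_PASS

# Generate Root Key rootCA.key with 2048 bits, encrypted with AES-256
# (replaces the legacy 3DES cipher selected by -des3).
openssl genrsa -passout env:ROOT_CA_PASS -aes256 -out rootCA.key 2048 || exit 1
chmod 600 rootCA.key

# Generate Root PEM (rootCA.pem) with 1024 days validity.
openssl req -passin env:ROOT_CA_PASS -subj "/C=US/ST=Random/L=Random/O=Global Security/OU=IT Department/CN=Local Certificate"  -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem || exit 1

# Add root cert as trusted cert.
# Every certificate signed by rootCA.key is trusted by this host afterwards,
# so the root key needs the same care as any other system trust anchor.
if [[ "$OSTYPE" == "linux-gnu"* ]]; then
        # Linux (yum and /etc/pki paths: RHEL-family layout)
        yum -y install ca-certificates
        update-ca-trust force-enable
        cp rootCA.pem /etc/pki/ca-trust/source/anchors/
        update-ca-trust
        # Meeting the ES requirement. sysctl -w changes the running kernel
        # only; the value is not persisted across reboots.
        sysctl -w vm.max_map_count=262144
elif [[ "$OSTYPE" == "darwin"* ]]; then
        # Mac OSX
        security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootCA.pem
else
        # Unknown.
        echo "Couldn't find desired Operating System. Exiting Now ......"
        exit 1
fi

# Generate Kib01 Cert
# -nodes writes kib01.key unencrypted, so the consumer needs no key passphrase
# and file permissions are the key's only protection.
openssl req -subj "/C=US/ST=Random/L=Random/O=Global Security/OU=IT Department/CN=localhost"  -new -sha256 -nodes -out kib01.csr -newkey rsa:2048 -keyout kib01.key || exit 1
chmod 600 kib01.key

# Sign the CSR with the root CA (500 days validity). The subjectAltName list
# must contain every DNS name clients use to reach the server; a client that
# verifies hostnames rejects the certificate for any other name.
openssl x509 -req -passin env:ROOT_CA_PASS -in kib01.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out kib01.crt -days 500 -sha256 -extfile  <(printf "subjectAltName=DNS:localhost,DNS:kib01") || exit 1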

I have added the following SSL variables in Kibana Service:

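  # The key is read from the deploy environment instead of being written into
  # the compose file. KIBANA_ENCRYPTION_KEY is a constructed variable name;
  # export a random string of 32 or more characters before deploying.
  - XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY=${KIBANA_ENCRYPTION_KEY}
  # NOTE(review): TLS on the Kibana listener is switched off here, so the key
  # and certificate paths below presumably have no effect until this is true.
  - SERVER_SSL_ENABLED=false
  - SERVER_SSL_KEY=config/certs/kib01.key
  - SERVER_SSL_CERTIFICATE=config/certs/kib01.crt
  # SERVER_SSL_KEYPASSPHRASE removed: the script on this page creates kib01.key
  # with -nodes (unencrypted), so there is no passphrase to supply and no
  # reason to keep a hard-coded one in the file.
  # Only consulted for https:// connections to Elasticsearch.
  - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/rootCA.pem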

docker.compose.yml

version: "3.8"

# 10 Things to Consider When Planning Your Elasticsearch Project: https://ecmarchitect.com/archives/2015/07/27/4031
# Using Apache JMeter to Test Elasticsearch: https://ecmarchitect.com/archives/2014/09/02/3915

services:

  # Docker Flow swarm listener; the two DF_NOTIFY_* URLs point at the proxy
  # service's reconfigure/remove endpoints on port 8080.
  swarm-listener:
    # NOTE(review): `latest` is a moving tag; pinning a version or digest makes
    # deployments reproducible and image changes reviewable.
    image: dockerflow/docker-flow-swarm-listener:latest
    hostname: swarm-listener
    networks:
      - elastic
    volumes:
      # NOTE(review): mounting the Docker socket gives this container full
      # control of the Docker API on the node it runs on (a manager, per the
      # placement constraint below). Treat the image as highly privileged.
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      # Plain HTTP; reachable by anything attached to the `elastic` network.
      - DF_NOTIFY_CREATE_SERVICE_URL=http://proxy:8080/v1/docker-flow-proxy/reconfigure
      - DF_NOTIFY_REMOVE_SERVICE_URL=http://proxy:8080/v1/docker-flow-proxy/remove
    deploy:
      placement:
        # Scheduled on manager nodes only.
        constraints: [node.role == manager]

  # Docker Flow proxy: the only service besides logstash that publishes ports
  # on the swarm nodes.
  proxy:
    # NOTE(review): `latest` is a moving tag; pin a version or digest.
    image: dockerflow/docker-flow-proxy:latest
    hostname: proxy
    ports:
      - "80:80"
      - "443:443"
      # NOTE(review): 9200 and 8200 match the com.df.srcPort labels of the
      # elasticsearch and apm-server services, so both APIs are published on
      # every swarm node. Nothing in this file configures TLS for them;
      # restrict access with host or network firewalling unless the proxy is
      # given certificates.
      - "9200:9200"
      - "8200:8200"
    networks:
      - elastic
    environment:
      - LISTENER_ADDRESS=swarm-listener
      - MODE=swarm
      # Extra ports the proxy binds in addition to 80/443.
      - BIND_PORTS=9200,8200
    deploy:
      replicas: 2

  # Elasticsearch, one task per swarm node (deploy.mode: global).
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION:-7.7.0}
    environment:
      # https://github.com/docker/swarmkit/issues/1951
      - node.name={{.Node.Hostname}}
      - discovery.seed_hosts=elasticsearch
      - cluster.initial_master_nodes=${INITIAL_MASTER_NODES:-node1}
      - cluster.name=DevOps
      # NOTE(review): falls back to the well-known default `changeme` when
      # ELASTICSEARCH_PASSWORD is not exported; this is the password of the
      # built-in `elastic` superuser. Export a strong value before deploying.
      - ELASTIC_PASSWORD=${ELASTICSEARCH_PASSWORD:-changeme}
      # NOTE(review): security is enabled but no xpack.security.http.ssl.* or
      # xpack.security.transport.ssl.* settings appear in this service, so the
      # REST API and node-to-node traffic are plaintext and credentials cross
      # the network unencrypted. Elastic's 7.x alerting prerequisites call for
      # TLS between Kibana and Elasticsearch, i.e. HTTP-layer TLS configured
      # here; confirm against the documentation for the deployed version.
      - xpack.security.enabled=true
      - xpack.monitoring.collection.enabled=true
      - xpack.security.audit.enabled=true
      - xpack.license.self_generated.type=trial
      # Binds to all interfaces inside the container.
      - network.host=0.0.0.0
    networks:
      - elastic
    volumes:
      - elasticsearch:/usr/share/elasticsearch/data
    deploy:
      mode: 'global'
      endpoint_mode: dnsrr
      labels:
        # Labels read by the Docker Flow proxy: publish container port 9200 on
        # proxy port 9200.
        - com.df.notify=true
        - com.df.distribute=true
        - com.df.servicePath=/
        - com.df.port=9200
        - com.df.srcPort=9200

  # Logstash with the pipeline supplied through the ls_config swarm config.
  logstash:
    image: docker.elastic.co/logstash/logstash:${ELASTIC_VERSION:-7.7.0}
    hostname: "{{.Node.Hostname}}-logstash"
    environment:
      # NOTE(review): monitoring credentials are sent over plain HTTP and
      # default to elastic/changeme when the variables are not exported.
      - XPACK_MONITORING_ELASTICSEARCH_URL=http://elasticsearch:9200
      - XPACK_MONITORING_ELASTICSEARCH_USERNAME=${ELASTICSEARCH_USERNAME:-elastic}
      - XPACK_MONITORING_ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_PASSWORD:-changeme}
    ports:
      # NOTE(review): UDP 12201 is published on the swarm nodes (presumably the
      # GELF input mentioned in the repository description). GELF over UDP has
      # no authentication or encryption, so limit which hosts can reach it.
      - "12201:12201/udp"
    networks:
      - elastic
    configs:
      - source: ls_config
        target: /usr/share/logstash/pipeline/logstash.conf

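  # Kibana, published through the Docker Flow proxy (see deploy.labels).
  kibana:
    image: docker.elastic.co/kibana/kibana:${ELASTIC_VERSION:-7.7.0}
    hostname: "{{.Node.Hostname}}-kibana"
    environment:
      # NOTE(review): plain HTTP to Elasticsearch. The CA file configured
      # further down is only consulted for https:// connections, and Elastic's
      # 7.x alerting prerequisites call for TLS between Kibana and
      # Elasticsearch, which also requires HTTP-layer TLS on the elasticsearch
      # service. Kibana 7.x documents elasticsearch.hosts (ELASTICSEARCH_HOSTS)
      # in place of elasticsearch.url; confirm this variable is still honoured
      # by the image version in use.
      - ELASTICSEARCH_URL=http://elasticsearch:9200
      # NOTE(review): defaults to the built-in `elastic` superuser with the
      # well-known password `changeme`; export ELASTICSEARCH_USERNAME and
      # ELASTICSEARCH_PASSWORD, ideally for a dedicated less-privileged account.
      - ELASTICSEARCH_USERNAME=${ELASTICSEARCH_USERNAME:-elastic}
      - ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_PASSWORD:-changeme}
      # No quotes around the value: in list-form `KEY=value` entries the quote
      # characters would become part of the variable's value.
      - SERVER_NAME={{.Node.Hostname}}-kibana
      # The key is read from the deploy environment instead of being written
      # into the compose file. KIBANA_ENCRYPTION_KEY is a constructed variable
      # name; export a random string of 32 or more characters before deploying.
      - XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY=${KIBANA_ENCRYPTION_KEY}
      # NOTE(review): TLS on the Kibana listener is switched off, so the key
      # and certificate below presumably have no effect until this is true.
      # Turning it on also changes what the proxy must speak to port 5601.
      - SERVER_SSL_ENABLED=false
      - SERVER_SSL_KEY=config/certs/kib01.key
      # NOTE(review): the certificate generated on this page lists the names
      # `localhost` and `kib01`; other services address this one as `kibana`
      # (see apm-server), so hostname verification would fail for them.
      - SERVER_SSL_CERTIFICATE=config/certs/kib01.crt
      # SERVER_SSL_KEYPASSPHRASE removed: kib01.key is created with -nodes
      # (unencrypted), so there is no passphrase to supply and no reason to
      # keep a hard-coded one in the file.
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/rootCA.pem
    configs:
      # NOTE(review): kib01.key is private key material. Swarm secrets
      # (a `secrets:` entry, mounted under /run/secrets) are the mechanism
      # meant for it; configs are intended for non-sensitive files.
      - source: key_config
        target: /usr/share/kibana/config/certs/kib01.key
      - source: crt_config
        target: /usr/share/kibana/config/certs/kib01.crt
      - source: root_config
        target: /usr/share/kibana/config/certs/rootCA.pem
    networks:
      - elastic
    volumes:
      - kibana:/usr/share/kibana/data
    deploy:
      labels:
        # Labels read by the Docker Flow proxy: container port 5601 is
        # published on proxy port 80, so logins travel over plain HTTP unless
        # the proxy terminates TLS on 443.
        - com.df.notify=true
        - com.df.distribute=true
        - com.df.servicePath=/
        - com.df.port=5601
        - com.df.srcPort=80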

  # APM Server, published through the Docker Flow proxy on port 8200.
  apm-server:
    image: docker.elastic.co/apm/apm-server:${ELASTIC_VERSION:-7.7.0}
    hostname: "{{.Node.Hostname}}-apm-server"
    networks:
      - elastic
    # NOTE(review), all referring to the folded command below (comments cannot
    # be placed inside the scalar without becoming part of the command):
    # - ${ELASTICSEARCH_USERNAME} / ${ELASTICSEARCH_PASSWORD} have no default
    #   here, unlike the other services; if they are not exported they expand
    #   to empty strings.
    # - The credentials end up in the service's command line, where they are
    #   visible to anyone who can inspect the service definition.
    # - --strict.perms=false turns off the ownership/permission check on the
    #   configuration file.
    # - Kibana and Elasticsearch are addressed without a scheme or TLS options,
    #   so presumably over plain HTTP; these need updating if TLS is enabled on
    #   either service.
    # - apm-server.rum.enabled=true opens the RUM intake, which is meant to be
    #   reached from browsers; confirm it should be exposed through the proxy.
    command: >
        --strict.perms=false -e
        -E apm-server.rum.enabled=true
        -E setup.kibana.host=kibana:5601
        -E setup.kibana.username=${ELASTICSEARCH_USERNAME}
        -E setup.kibana.password=${ELASTICSEARCH_PASSWORD}
        -E setup.template.settings.index.number_of_replicas=0
        -E apm-server.kibana.enabled=true
        -E apm-server.kibana.host=kibana:5601
        -E apm-server.kibana.username=${ELASTICSEARCH_USERNAME}
        -E apm-server.kibana.password=${ELASTICSEARCH_PASSWORD}
        -E output.elasticsearch.hosts=["elasticsearch:9200"]
        -E output.elasticsearch.username=${ELASTICSEARCH_USERNAME}
        -E output.elasticsearch.password=${ELASTICSEARCH_PASSWORD}
        -E xpack.monitoring.enabled=true
    deploy:
      labels:
        # Labels read by the Docker Flow proxy: publish container port 8200 on
        # proxy port 8200.
        - com.df.notify=true
        - com.df.distribute=true
        - com.df.servicePath=/
        - com.df.port=8200
        - com.df.srcPort=8200

# `external: true`: the stack expects the `elastic` network to exist already
# and does not create it.
networks:
  elastic:
    external: true

# Named volumes with default settings for the Elasticsearch and Kibana data
# directories.
volumes:
  elasticsearch:
  kibana:

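# Files distributed to services as swarm configs.
configs:
  ls_config:
    file: $PWD/elk/logstash/config/pipeline/logstash.conf
  # NOTE(review): kib01.key is a private key. Swarm configs are meant for
  # non-sensitive files: they are not encrypted at rest and are mounted
  # straight into the container filesystem. Declaring the key under a
  # top-level `secrets:` section (and referencing it from the kibana service)
  # is the mechanism intended for key material.
  key_config:
    file: $PWD/keyskeys/kib01.key
  crt_config:
    file: $PWD/keyskeys/kib01.crt
  # The root CA certificate is public; only rootCA.key must stay private and
  # should not be shipped to the cluster at all.
  root_config:
    file: $PWD/keyskeys/rootCA.pem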

No results so far.

image

Can you please advise as to how I configure kibana to work with SSL?

By the way thx @shazChaudhry for the repo. It is very useful to me :)

Thanks in advance.

shazChaudhry commented 3 years ago

@wingerlion Please accept my apologies. I have never tried SSL with this repo.