diff --git a/.github/workflows/trigger-e2e-tests.yml b/.github/workflows/trigger-e2e-tests.yml index 2948a68..dc61c3e 100644 --- a/.github/workflows/trigger-e2e-tests.yml +++ b/.github/workflows/trigger-e2e-tests.yml @@ -14,7 +14,7 @@ jobs: fail-fast: false matrix: version: ["8.15.2", "7.17.24"] - env: [docker, eck] + env: [docker] steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/environments/eck-ror/kind-cluster/bootstrap-eck.sh b/environments/eck-ror/kind-cluster/bootstrap-eck.sh deleted file mode 100755 index c9caf2f..0000000 --- a/environments/eck-ror/kind-cluster/bootstrap-eck.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash -e - -cd "$(dirname "$0")" - -if [[ -z "$ECK_VERSION" ]]; then - echo "ECK_VERSION is not defined" - exit 1 -fi - -kubectl create -f "https://download.elastic.co/downloads/eck/$ECK_VERSION/crds.yaml" -kubectl apply -f "https://download.elastic.co/downloads/eck/$ECK_VERSION/operator.yaml" diff --git a/environments/eck-ror/kind-cluster/kind-cluster-config.yml b/environments/eck-ror/kind-cluster/kind-cluster-config.yml deleted file mode 100644 index ce6e37f..0000000 --- a/environments/eck-ror/kind-cluster/kind-cluster-config.yml +++ /dev/null @@ -1,13 +0,0 @@ -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -nodes: -- role: control-plane - extraPortMappings: - - containerPort: 30010 - hostPort: 9200 - - containerPort: 30011 - hostPort: 5601 - - containerPort: 30012 - hostPort: 8888 -- role: worker -- role: worker diff --git a/environments/eck-ror/kind-cluster/ror/es-np.yml b/environments/eck-ror/kind-cluster/ror/es-np.yml deleted file mode 100644 index 99aa03f..0000000 --- a/environments/eck-ror/kind-cluster/ror/es-np.yml +++ /dev/null 
@@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: es-np -spec: - type: NodePort - ports: - - port: 9200 - name: esport - targetPort: 9200 - nodePort: 30010 - - port: 8888 - name: debugport - targetPort: 8888 - nodePort: 30012 - selector: - common.k8s.elastic.co/type: elasticsearch - elasticsearch.k8s.elastic.co/cluster-name: quickstart diff --git a/environments/eck-ror/kind-cluster/ror/es.yml b/environments/eck-ror/kind-cluster/ror/es.yml deleted file mode 100644 index 9740e02..0000000 --- a/environments/eck-ror/kind-cluster/ror/es.yml +++ /dev/null @@ -1,50 +0,0 @@ -apiVersion: elasticsearch.k8s.elastic.co/v1 -kind: Elasticsearch -metadata: - name: quickstart -spec: - version: ${ES_VERSION} - image: beshultd/elasticsearch-readonlyrest:${ES_VERSION}-ror-latest - nodeSets: - - name: default - count: 1 - podTemplate: - spec: - containers: - - name: elasticsearch - securityContext: - runAsNonRoot: false - runAsUser: 0 - runAsGroup: 0 - env: - - name: I_UNDERSTAND_IMPLICATION_OF_ES_PATCHING - value: "yes" - - name: INTERNAL_USR_PASS - valueFrom: - secretKeyRef: - name: quickstart-es-internal-users - key: elastic-internal - - name: INTERNAL_PROBE_PASS - valueFrom: - secretKeyRef: - name: quickstart-es-internal-users - key: elastic-internal-probe - - name: KIBANA_SERVICE_ACCOUNT_TOKEN - valueFrom: - secretKeyRef: - name: quickstart-kibana-user - key: ${QUICK_KIBANA_USER_SECRET_KEY} - volumeMounts: - - name: config-ror - mountPath: /usr/share/elasticsearch/config/readonlyrest.yml - subPath: readonlyrest.yml - - name: config-log4j2 - mountPath: /usr/share/elasticsearch/config/log4j2.properties - subPath: log4j2.properties - volumes: - - name: config-ror - configMap: - name: config-readonlyrest.yml - - name: config-log4j2 - configMap: - name: config-log4j2.properties.yml \ No newline at end of file diff --git a/environments/eck-ror/kind-cluster/ror/kbn-np.yml b/environments/eck-ror/kind-cluster/ror/kbn-np.yml deleted file mode 100644 index cddac9f..0000000 
--- a/environments/eck-ror/kind-cluster/ror/kbn-np.yml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: kbn-np -spec: - type: NodePort - ports: - - port: 5601 - targetPort: 5601 - nodePort: 30011 - selector: - common.k8s.elastic.co/type: kibana - kibana.k8s.elastic.co/name: quickstart diff --git a/environments/eck-ror/kind-cluster/ror/kbn.yml b/environments/eck-ror/kind-cluster/ror/kbn.yml deleted file mode 100644 index f9727b3..0000000 --- a/environments/eck-ror/kind-cluster/ror/kbn.yml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: kibana.k8s.elastic.co/v1 -kind: Kibana -metadata: - name: quickstart -spec: - version: ${KBN_VERSION} - image: beshultd/kibana-readonlyrest:${KBN_VERSION}-ror-latest - count: 1 - elasticsearchRef: - name: quickstart - config: - # csp needs to be disabled to let cypress e2e tests works - csp.strict: false - csp.warnLegacyBrowsers: false - # KBN ROR settings - readonlyrest_kbn: - cookiePass: '12312313123213123213123adadasdasdasd' - logLevel: trace - store_sessions_in_index: true - ${ELATICSEARCH_USER} - ${ELATICSEARCH_PASSWORD} - - podTemplate: - spec: - securityContext: - runAsNonRoot: false - runAsUser: 0 - runAsGroup: 0 - containers: - - name: kibana - env: - - name: ROR_ACTIVATION_KEY - value: "${ROR_ACTIVATION_KEY}" - - name: I_UNDERSTAND_IMPLICATION_OF_KBN_PATCHING - value: "yes" diff --git a/environments/eck-ror/kind-cluster/ror/log4j2.properties.yml b/environments/eck-ror/kind-cluster/ror/log4j2.properties.yml deleted file mode 100644 index fb5aef6..0000000 --- a/environments/eck-ror/kind-cluster/ror/log4j2.properties.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -apiVersion: v1 -data: - log4j2.properties: | - status=error - - logger.action.name=org.elasticsearch.action - logger.action.level=info - appender.console.type=Console - appender.console.name=console - appender.console.layout.type=PatternLayout - appender.console.layout.pattern=[%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n - appender.rolling.type=RollingFile - appender.rolling.name=rolling - appender.rolling.fileName=${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log - appender.rolling.layout.type=PatternLayout - appender.rolling.layout.pattern=[%d{ISO8601}][%-5p][%-25c{1.}] %marker%.10000m%n - appender.rolling.filePattern=${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}.log - appender.rolling.policies.type=Policies - appender.rolling.policies.time.type=TimeBasedTriggeringPolicy - appender.rolling.policies.time.interval=1 - appender.rolling.policies.time.modulate=true - rootLogger.level=info - rootLogger.appenderRef.console.ref=console - rootLogger.appenderRef.rolling.ref=rolling - appender.deprecation_rolling.type=RollingFile - appender.deprecation_rolling.name=deprecation_rolling - appender.deprecation_rolling.fileName=${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation.log - appender.deprecation_rolling.layout.type=PatternLayout - appender.deprecation_rolling.layout.pattern=[%d{ISO8601}][%-5p][%-25c{1.}] %marker%.10000m%n - appender.deprecation_rolling.filePattern=${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation-%i.log.gz - appender.deprecation_rolling.policies.type=Policies - appender.deprecation_rolling.policies.size.type=SizeBasedTriggeringPolicy - appender.deprecation_rolling.policies.size.size=1GB - appender.deprecation_rolling.strategy.type=DefaultRolloverStrategy - appender.deprecation_rolling.strategy.max=4 - logger.deprecation.name = org.elasticsearch.deprecation - logger.deprecation.level = deprecation - 
logger.deprecation.appenderRef.header_warning.ref = header_warning - logger.deprecation.appenderRef.deprecation_rolling.ref=deprecation_rolling - logger.deprecation.additivity=false - appender.index_search_slowlog_rolling.type=RollingFile - appender.index_search_slowlog_rolling.name=index_search_slowlog_rolling - appender.index_search_slowlog_rolling.fileName=${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_search_slowlog.log - appender.index_search_slowlog_rolling.layout.type=PatternLayout - appender.index_search_slowlog_rolling.layout.pattern=[%d{ISO8601}][%-5p][%-25c] %marker%.10000m%n - appender.index_search_slowlog_rolling.filePattern=${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_search_slowlog-%d{yyyy-MM-dd}.log - appender.index_search_slowlog_rolling.policies.type=Policies - appender.index_search_slowlog_rolling.policies.time.type=TimeBasedTriggeringPolicy - appender.index_search_slowlog_rolling.policies.time.interval=1 - appender.index_search_slowlog_rolling.policies.time.modulate=true - logger.index_search_slowlog_rolling.name=index.search.slowlog - logger.index_search_slowlog_rolling.level=trace - logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling.ref=index_search_slowlog_rolling - logger.index_search_slowlog_rolling.additivity=false - appender.index_indexing_slowlog_rolling.type=RollingFile - appender.index_indexing_slowlog_rolling.name=index_indexing_slowlog_rolling - appender.index_indexing_slowlog_rolling.fileName=${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_indexing_slowlog.log - appender.index_indexing_slowlog_rolling.layout.type=PatternLayout - appender.index_indexing_slowlog_rolling.layout.pattern=[%d{ISO8601}][%-5p][%-25c] %marker%.10000m%n - appender.index_indexing_slowlog_rolling.filePattern=${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_indexing_slowlog-%d{yyyy-MM-dd}.log - 
appender.index_indexing_slowlog_rolling.policies.type=Policies - appender.index_indexing_slowlog_rolling.policies.time.type=TimeBasedTriggeringPolicy - appender.index_indexing_slowlog_rolling.policies.time.interval=1 - appender.index_indexing_slowlog_rolling.policies.time.modulate=true - logger.index_indexing_slowlog.name=index.indexing.slowlog.index - logger.index_indexing_slowlog.level=trace - logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling.ref=index_indexing_slowlog_rolling - logger.index_indexing_slowlog.additivity=false - - appender.header_warning.type = HeaderWarningAppender - appender.header_warning.name = header_warning - - logger.ror.name=tech.beshu.ror.accesscontrol - logger.ror.level=info -kind: ConfigMap -metadata: - name: config-log4j2.properties.yml \ No newline at end of file diff --git a/environments/eck-ror/kind-cluster/ror/ror-initial-config.yml b/environments/eck-ror/kind-cluster/ror/ror-initial-config.yml deleted file mode 100644 index 0ade3f7..0000000 --- a/environments/eck-ror/kind-cluster/ror/ror-initial-config.yml +++ /dev/null 
@@ -1,100 +0,0 @@ -apiVersion: v1 -data: - readonlyrest.yml: | - - helpers: - cr: &common-rules - kibana_access: rw - kibana_hide_apps: [ "Enterprise Search|Overview", "Observability" ] - kibana_index: ".kibana_@{acl:current_group}" - - ag: &all-groups - groups: - - id: admins_group - name: administrators - - id: infosec_group - name: infosec - - id: template_group - name: template - - readonlyrest: - - response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin - prompt_for_basic_auth: false - - audit: - enabled: true - outputs: - - type: index - index_template: "'readonlyrest_audit_'yyyy-MM-dd" - - access_control_rules: - - - name: "Kibana service account - token" - verbosity: error - token_authentication: - token: "Bearer ${KIBANA_SERVICE_ACCOUNT_TOKEN}" - username: service_account - - - name: "Kibana service account - user/pass" - verbosity: error - auth_key: kibana:kibana - - - name: "PROBE" - verbosity: error - auth_key: "elastic-internal-probe:${INTERNAL_PROBE_PASS}" - - - name: "ELASTIC-INTERNAL" - verbosity: error - auth_key: "elastic-internal:${INTERNAL_USR_PASS}" - - - name: PERSONAL_GRP - groups: [ Personal ] - <<: *common-rules - kibana_index: '.kibana_@{user}' - - - name: ADMIN_GRP - groups: [ admins_group ] - <<: *common-rules - kibana_access: admin - - - name: infosec - groups: [ infosec_group ] - <<: *common-rules - kibana_hide_apps: [ "Enterprise Search|Overview", "Observability", "Management" ] - - - name: Template Tenancy - groups: [ template_group ] - <<: *common-rules - - - name: "Reporting tests: user2" - auth_key: user2:dev - kibana: - index: ".kibana_user2" - access: rw - indices: [ "invoices" ] - - - name: "Reporting tests: user3" - auth_key: user3:dev - kibana: - index: ".kibana_user3" - access: rw - indices: [ "invoices" ] - - users: - - username: admin - auth_key: admin:dev - <<: *all-groups - - - username: user1 - auth_key: user1:dev - <<: *all-groups - - impersonation: - - impersonator: admin - users: ["*"] - auth_key: admin:dev - 
-kind: ConfigMap -metadata: - name: config-readonlyrest.yml diff --git a/environments/eck-ror/print-logs.sh b/environments/eck-ror/print-logs.sh deleted file mode 100755 index 8557cab..0000000 --- a/environments/eck-ror/print-logs.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash -e - -cd "$(dirname "$0")" - -for pod in $(docker exec ror-eck-control-plane kubectl get pods --output=jsonpath='{.items[*].metadata.name}'); do - echo "Logs from pod: $pod": - echo "" - kubectl logs $pod - echo "--------------------------------------------------" -done diff --git a/environments/eck-ror/readme.md b/environments/eck-ror/readme.md deleted file mode 100644 index eabc4ff..0000000 --- a/environments/eck-ror/readme.md +++ /dev/null @@ -1,20 +0,0 @@ -# README - -## Requirements: -* docker installed -* kind tool installed (https://github.com/kubernetes-sigs/kind) - -## RUNNING -1. Running the ECK+ROR PoC: `$ ./start.sh --es --kbn ` - (you can pick ECK version by adding optional --eck param) - -2. Log into Kibana `https://localhost:5601` using given credentials: - * `admin:admin` (admin user) - -3. Clean after playing with the PoC: `$ ./stop-and-clean.sh` - -## CUSTOMIZING -* if you have a PRO or ENTERPRISE ROR license (you can obtain one in [Customer Portal](https://readonlyrest.com/customer)) you - can set it in `kind-cluster/ror/kbn.yml` -* initial ROR settings (when you have a PRO or ENTERPRISE ROR license you can change the ROR settings in the Admin UI) - can be changed in `kind-cluster/ror/ror-initial-config.yml` \ No newline at end of file diff --git a/environments/eck-ror/start.sh b/environments/eck-ror/start.sh deleted file mode 100755 index 0a61667..0000000 --- a/environments/eck-ror/start.sh +++ /dev/null 
@@ -1,151 +0,0 @@ -#!/usr/bin/env bash -set -e - -cd "$(dirname "$0")" - -if ! command -v kind &> /dev/null; then - echo "Cannot find 'kind' tool. Please follow the installation steps: https://github.com/kubernetes-sigs/kind#installation-and-usage" - exit 1 -fi - -if ! command -v docker &> /dev/null; then - echo "Cannot find 'docker'. Please follow the installation steps: https://docs.docker.com/engine/install/" - exit 2 -fi - -show_help() { - echo "Usage: ./start.sh --es --kbn --eck " - exit 1 -} - -export ES_VERSION="" -export KBN_VERSION="" -export ECK_VERSION="2.13.0" - -while [[ $# -gt 0 ]]; do - case $1 in - --es) - if [[ -n $2 && $2 != --* ]]; then - ES_VERSION="$2" - shift 2 - else - echo "Error: --es requires a version argument" - show_help - fi - ;; - --kbn) - if [[ -n $2 && $2 != --* ]]; then - KBN_VERSION="$2" - shift 2 - else - echo "Error: --kbn requires a version argument" - show_help - fi - ;; - --eck) - if [[ -n $2 && $2 != --* ]]; then - ECK_VERSION="$2" - shift 2 - else - echo "Error: --eck requires a version argument" - show_help - fi - ;; - *) - echo "Unknown option: $1" - show_help - ;; - esac -done - -if [[ -z $ES_VERSION || -z $KBN_VERSION ]]; then - echo "Error: Both --es and --kbn arguments are required" - show_help -fi - -echo "CONFIGURING K8S CLUSTER ..." -kind create cluster --name ror-eck --config kind-cluster/kind-cluster-config.yml -docker exec ror-eck-control-plane /bin/bash -c "sysctl -w vm.max_map_count=262144" -docker exec ror-eck-worker /bin/bash -c "sysctl -w vm.max_map_count=262144" -docker exec ror-eck-worker2 /bin/bash -c "sysctl -w vm.max_map_count=262144" - -echo "CONFIGURING ECK $ECK_VERSION ..." -docker cp kind-cluster/bootstrap-eck.sh ror-eck-control-plane:/ -docker exec ror-eck-control-plane chmod +x bootstrap-eck.sh -docker exec ror-eck-control-plane bash -c "export ECK_VERSION=$ECK_VERSION && ./bootstrap-eck.sh" - -echo "CONFIGURING ES $ES_VERSION AND KBN $KBN_VERSION WITH ROR ..." 
- -SUBSTITUTED_DIR="kind-cluster/subst-ror" -cleanup() { - rm -rf "$SUBSTITUTED_DIR" -} - -trap cleanup EXIT -mkdir -p "$SUBSTITUTED_DIR" - -subsitute_env_in_yaml_templates() { - MAJOR_VERSION=$(echo "$ES_VERSION" | cut -d '.' -f1) - MINOR_VERSION=$(echo "$ES_VERSION" | cut -d '.' -f2) - - if [[ "$MAJOR_VERSION" -eq 7 && "$MINOR_VERSION" -le 16 ]]; then - export ELATICSEARCH_USER="elasticsearch.username: kibana" - export ELATICSEARCH_PASSWORD="elasticsearch.password: kibana" - export QUICK_KIBANA_USER_SECRET_KEY="default-quickstart-kibana-user" - else - export QUICK_KIBANA_USER_SECRET_KEY="token" - fi - - for file in kind-cluster/ror/*.yml; do - filename=$(basename "$file") - if [[ "$filename" == "es.yml" || "$filename" == "kbn.yml" ]]; then - envsubst < "$file" > "$SUBSTITUTED_DIR/$filename" - else - cp "$file" "$SUBSTITUTED_DIR" - fi - done - - docker cp "$SUBSTITUTED_DIR" ror-eck-control-plane:/ror/ -} - -subsitute_env_in_yaml_templates - -docker exec ror-eck-control-plane bash -c 'cd ror && ls | xargs -n 1 kubectl apply -f' - -echo "" -echo "------------------------------------------" -echo "ECK and ROR is being bootstrapped. Wait for all pods to be run and then open your browser and try to access https://localhost:5601/ (credentials admin:admin)" -echo "" - -check_pods_running() { - pod_status=$(docker exec ror-eck-control-plane kubectl get pods | grep quickstart) - - all_ready=true - while read -r line; do - ready=$(echo "$line" | awk '{print $2}') - status=$(echo "$line" | awk '{print $3}') - - if [[ "$status" != "Running" || "$ready" != "1/1" ]]; then - all_ready=false - fi - done <<< "$pod_status" - echo -e "$pod_status" - - $all_ready && return 0 || return 1 -} - -TIMEOUT_IN_SECONDS=300 -INTERVAL_IN_SECONDS=5 - -echo "Waiting for all pods to be in Running and Ready state (1/1)..." -elapsed_time=0 -while ! 
check_pods_running; do - sleep $INTERVAL_IN_SECONDS - - elapsed_time=$((elapsed_time + INTERVAL_IN_SECONDS)) - if [[ "$elapsed_time" -ge "$TIMEOUT_IN_SECONDS" ]]; then - echo "Timeout reached after $TIMEOUT_IN_SECONDS seconds." - exit 1 - fi -done -echo "All pods are in Running and Ready (1/1) state." diff --git a/environments/eck-ror/stop-and-clean.sh b/environments/eck-ror/stop-and-clean.sh deleted file mode 100755 index e5ec741..0000000 --- a/environments/eck-ror/stop-and-clean.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/usr/bin/env bash -set -e - -cd "$(dirname "$0")" - -kind delete cluster --name ror-eck diff --git a/environments/elk-ror/conf/es/log4j2.properties b/environments/elk-ror/conf/es/log4j2.properties index 00ba0a2..cdafac8 100644 --- a/environments/elk-ror/conf/es/log4j2.properties +++ b/environments/elk-ror/conf/es/log4j2.properties @@ -85,4 +85,4 @@ appender.header_warning.type = HeaderWarningAppender appender.header_warning.name = header_warning logger.ror.name=tech.beshu.ror.accesscontrol.blocks.rules.elasticsearch.indices -logger.ror.level=debug +logger.ror.level=info diff --git a/environments/elk-ror/conf/es/readonlyrest.yml b/environments/elk-ror/conf/es/readonlyrest.yml index f005037..f798373 100644 --- a/environments/elk-ror/conf/es/readonlyrest.yml +++ b/environments/elk-ror/conf/es/readonlyrest.yml @@ -69,7 +69,6 @@ readonlyrest: access: rw indices: ["invoices"] - # USERS TO GROUPS ############ users: - username: admin auth_key: admin:dev diff --git a/environments/elk-ror/conf/kbn/kibana.yml b/environments/elk-ror/conf/kbn/kibana.yml index 4f647f7..3251cac 100644 --- a/environments/elk-ror/conf/kbn/kibana.yml +++ b/environments/elk-ror/conf/kbn/kibana.yml @@ -28,5 +28,5 @@ telemetry.enabled: false readonlyrest_kbn: cookiePass: '12312313123213123213123adadasdasdasd' - logLevel: trace + logLevel: info store_sessions_in_index: true diff --git a/run-env-and-tests.sh b/run-env-and-tests.sh index eb9578b..52c4e97 100755 --- a/run-env-and-tests.sh 
+++ b/run-env-and-tests.sh @@ -1,7 +1,7 @@ #!/bin/bash -e if [ $# -ne 2 ]; then - echo "Two parameters are required: 1) ELK version 2) enviroment name (available options: docker, eck)" + echo "Two parameters are required: 1) ELK version 2) enviroment name (available options: docker)" exit 1 fi @@ -11,9 +11,6 @@ case "$2" in "docker") ENV_NAME="elk-ror" ;; - "eck") - ENV_NAME="eck-ror" - ;; *) echo 'Only "docker" and 'eck' are available environments' exit 2;
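Review bot: The rewritten usage line in the first hunk of run-env-and-tests.sh still spells `enviroment`; since the commit edits this string anyway, correct it in the same change: `echo "Two parameters are required: 1) ELK version 2) environment name (available options: docker)"`. The unchanged `if [ $# -ne 2 ]` check still requires the second argument even though only one value is accepted now, so the message is the only place a caller learns which value that is.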
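Review bot: The fallback branch `*)` still prints `Only "docker" and 'eck' are available environments` although this hunk removes the `"eck")` case, so a caller passing `eck` is rejected with a message that lists it as valid. Update the message to match the remaining option, for example `echo 'Only "docker" is an available environment'`. The inner single quotes around eck also close and reopen the outer string, so the current text prints eck without quotes; rewording removes that quirk as well. The `case "$2" in` opener appears only in the hunk header and the closing `esac` is outside the hunk.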