Merged
25 commits
ea85b06
feat: docker-compose stack to deploy the cluster to Coolify
ton77v Oct 29, 2024
302057f
feat: deployment instructions
ton77v Oct 29, 2024
44836d3
fix: Coolify deployment instructions
ton77v Oct 29, 2024
1357583
fix: Coolify-specific syntax for volume mapping
ton77v Oct 29, 2024
a372a55
fix: Coolify-specific syntax for volume mapping
ton77v Oct 29, 2024
857be9a
fix: back to general syntax for volumes mapping in Coolify
ton77v Oct 29, 2024
c61a3d2
fix: multi-stage build for Kibana 9+
ton77v May 15, 2025
da90d15
Merge branch 'master' into coolify_deployment
ton77v May 15, 2025
87d15bc
fix: ca-certificates for wget
ton77v May 15, 2025
61808bc
fix: wget without silent mode
ton77v May 15, 2025
e6bf44c
feat: enforce LF line breaks
ton77v May 15, 2025
a4b52c3
feat: variable dir inside Kibana's .tar.gz
ton77v May 15, 2025
adbba63
fix: build args vs multi-stage setup
ton77v May 15, 2025
6778917
fix: proper enryption to Kibana configs
ton77v May 28, 2026
25580c9
merge upstream/master: resolve ror-newplatform-kibana.yml rename + pr…
ton77v May 28, 2026
6401a7d
coolify-demo: adopt upstream license-edition kbn config flow
ton77v May 28, 2026
7ee20ec
coolify-demo: address review — use official ROR images, self-containe…
ton77v May 28, 2026
622a627
fix: changes requested during the code review
ton77v May 28, 2026
835450a
fix: correct env var name for ROR ES/KBN patching ack
ton77v May 28, 2026
42889bb
fix: don't switch to ES/KBN user — entrypoint needs root to patch
ton77v May 28, 2026
fa9008c
fix: kbn-ror healthcheck uses http (server.ssl.enabled=false in kiban…
ton77v May 28, 2026
9ce4112
fix: ensure initializer entrypoint is executable
ton77v May 28, 2026
f2a598e
fix: kbn-ror patching env var name for ROR 1.69.x
ton77v May 28, 2026
9a05791
chore: drop ror_kbn external auth block — no SSO in coolify-demo
ton77v May 28, 2026
9591075
chore: ES patching env var name matches KBN + e2e convention
ton77v May 28, 2026
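--- a/coolify-demo/.dockerignore
+++ b/coolify-demo/.dockerignore
@@ -0,0 +1,3 @@
+.env
+readme.md
+docker-compose.*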
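--- a/coolify-demo/.gitignore
+++ b/coolify-demo/.gitignore
@@ -0,0 +1 @@
+.env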
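--- a/coolify-demo/build_starter.sh
+++ b/coolify-demo/build_starter.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+echo "🏃🏿‍♂️‍➡️ build_starter: installing dependencies"
+# coolify-helper image uses Alpine
+apk update && apk add jq curl
+
+echo "🏃🏿‍♂️‍➡️ build_starter: setting up environment variables"
+source set_env_vars.sh
+
+echo "🏃🏿‍♂️‍➡️ build_starter: starting the 🐳 build"
+docker compose build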
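Review bot: Nothing in this script stops on failure, so `docker compose build` on the last line still runs when `apk add jq curl` fails or when `set_env_vars.sh` cannot be found in the current working directory. Add `set -eo pipefail` directly under the shebang and resolve the sourced file relative to the script, e.g. `source "$(dirname "$0")/set_env_vars.sh"`. `set_env_vars.sh` is not among the visible changes, so what it exports could not be checked here.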
33 changes: 33 additions & 0 deletions coolify-demo/conf/es/ca.crt
@@ -0,0 +1,33 @@
-----BEGIN CERTIFICATE-----
MIIFvTCCA6WgAwIBAgIUXHtIhBOyU0vug0Jd0kjUZntK6e8wDQYJKoZIhvcNAQEL
BQAwbjELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9u
ZG9uMQ4wDAYDVQQKDAVCZXNodTELMAkGA1UECwwCSVQxIDAeBgNVBAMMF3JlYWRv
bmx5cmVzdC5iZXNodS50ZWNoMB4XDTI0MTIyMjA3MTk1N1oXDTM0MTIyMDA3MTk1
N1owbjELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9u
ZG9uMQ4wDAYDVQQKDAVCZXNodTELMAkGA1UECwwCSVQxIDAeBgNVBAMMF3JlYWRv
bmx5cmVzdC5iZXNodS50ZWNoMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
AgEAhE1ezdFslIwiGNTXr1Vbh0ar6W1l7l2fPnSxsZmGW+Pp/OwD03INeUVrsAU9
CWMCjFUt/yKqpm48lZrAUyI7cUDEGl90XtaZ5MdlEIhIg6Az6bRD7YA0Xfb2k0EJ
HbNvDZ9mMX6mwuxqgrbpkuavvull8qxV6MAES1Ts6owTgQI4KhQ7Y8Q/5093MgxY
qgnPZzrOPa6alizu+q7Rr9zHmpKqSIK/JB8LlmPLbJMNAWyp8iiRHzt4LmlrNQF2
3A+gvNVllnUn3zFAz6c+yKtfJcsj67+JFhLvloy7rqrOTf5/+jpEogQal8J5qqIs
I0Kex7l+gR9EFCOdCNbzBvmYBGyow7Rl3zWH3gWiiOdcN6Vdq9sREwd39L+3BT2d
S2RdLAu8kRGrlw/KJsXJUrRRRhDasxsz5XKXWUB64jxDdHjzNx3N2FHuH3yc/Kbq
Qsc3q6pVnysc14MtPtwKHA7eCyjalsh+Vq6njoKJlF6ptSPop0poU9kCfH5WE5wp
F0Xz8pA6cmjuGs5KoIYPN/36aLQ8QcPTtgZPFOBUrZUTTp+Bbd7W3vG/nWG6nRqR
ml0I6jTF6xq9AoJFemk6aXKvyZHKs2nH79aod9hSKRNrtZNJY/ZSsFbXbvSq9qri
SP5Hgdh1QUHgJjy4ohRDIUhuyDqCiPIG/KM9/9Vh90r+gRkCAwEAAaNTMFEwHQYD
VR0OBBYEFM+STMzYeJ3os3MlrPDbb4+NgpQEMB8GA1UdIwQYMBaAFM+STMzYeJ3o
s3MlrPDbb4+NgpQEMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB
ABW1XECYHw+Prlwic+ZCpnF9jMsiy1ALzkE90l9Rkmi68ruJBAsZDkQKRXVTkOYO
RsS7bgZo7CavWKcuEaw/JbMH5D4TNvbziKhX6EuAR3GpdZZxGT2N4uasaCHPcAeT
JoLxOuzSsjSN3aPWXyNzis3z9aeJuYjbfzp0R7Gz/bTHSYV7hMNnEazE8itF4iQx
6/NkmL6twHOv1kPicpAXpjLswWPyUWZCj9TI9BpREJ1txyInhwBEKOgYBnQ2iwCU
RVE2OQjlSavkgf6wxkFQaiZJavB+ckO6aJTw5kcjB1wtZEUj+Ykg9v26LBiUzYPF
I0gQR7hcl8ku3mj5ujNbm/Tmi+P8sEq+l3MbrIVNipHQFxjSq6lfG4VXVdwurWl0
8q0b4sVGvL+lowOne/NgAUmXJROWBu1/KkUIADpv74h8I2vdYDic4YM6wMPvTOGj
nrwLWiI0H4L2AqA5oTEdQOpqGHpierlgiy3etcjBwItjc5yqZioG3m70BSX21J6m
pDF2WkGoJArGVr6Y78oZqp01vYFRprfocmvcGm5fZZn0H8RnnEu47c5r3g3AG6sD
Q9BwmMDm9Xjz84OAGAcheZWHRZ856znzL3oUJIGskFX3U/Z6O6WjIVrwJodxUydr
2yLDrf3XKKQYY9d61GCjWI5o6VPpR+42lXuQWAMtaU9K
-----END CERTIFICATE-----
29 changes: 29 additions & 0 deletions coolify-demo/conf/es/elasticsearch.crt
@@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions coolify-demo/conf/es/elasticsearch.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
Comment on lines +1 to +28
Contributor

@coderabbitai coderabbitai Bot May 28, 2026


⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Remove this private key from the repository and rotate it immediately.

This is the cluster’s TLS private key in plaintext. Anyone who pulls the branch can impersonate the Elasticsearch endpoint for deployments that reuse this cert/key pair. Load the key from a secret/volume at deploy time and rotate the certificate set now that it has been committed.

🧰 Tools
🪛 Betterleaks (1.3.1)

[high] 1-1: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

(private-key)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@coolify-demo/conf/es/elasticsearch.key` around lines 1 - 28, The committed
plaintext TLS private key (coolify-demo/conf/es/elasticsearch.key) must be
removed and rotated: delete the file from the repo, add elasticsearch.key to
.gitignore, purge it from history using git-filter-repo or BFG (do not rely on a
simple git rm), generate a new certificate/key pair and rotate the cluster
certificates immediately, and update deployment code to load the new private key
from a secure secret source (Kubernetes Secret, cloud secret manager, or mounted
volume) instead of embedding it in the repository; also check any references to
elasticsearch.key in deployment/config code and replace them to load from the
secret at runtime.

Contributor Author


this is demo key from upstream

Contributor


@ton77v, understood — if this is a self-signed demo key shipped with the upstream project and not used in any production environment, the risk is much lower. I'll note this for future reviews so it isn't flagged again.

One thing worth keeping in mind: static analysis tools (like Betterleaks) will continue to flag it on every scan since they can't distinguish a known demo key from a real leaked secret. If that becomes noisy, you could add a .gitignore or inline suppression comment to silence those specific detections.

🐇 (˶ᵔ ᵕ ᵔ˶)


✏️ Learnings added
Learnt from: ton77v
Repo: beshu-tech/ror-sandbox PR: 54
File: coolify-demo/conf/es/elasticsearch.key:1-28
Timestamp: 2026-05-28T10:24:27.963Z
Learning: In the `beshu-tech/ror-sandbox` repository, the file `coolify-demo/conf/es/elasticsearch.key` contains a self-signed TLS private key that is a demo/example key from the upstream project. It is not a production secret and does not need to be rotated or removed. Do not flag it as a leaked credential in future reviews.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

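--- a/coolify-demo/conf/es/elasticsearch.yml
+++ b/coolify-demo/conf/es/elasticsearch.yml
@@ -0,0 +1,33 @@
+cluster.name: ror-cluster
+node.name: ror-es01
+network.host: 0.0.0.0
+
+path.repo: /tmp/repositories
+
+# XPACK SSL
+xpack.security.enabled: true
+xpack.security.http.ssl.enabled: true
+xpack.security.http.ssl.key: elasticsearch.key
+xpack.security.http.ssl.certificate: elasticsearch.crt
+xpack.security.http.ssl.certificate_authorities: ca.crt
+xpack.security.http.ssl.verification_mode: certificate
+xpack.security.http.ssl.client_authentication: optional
+xpack.security.transport.ssl.enabled: true
+xpack.security.transport.ssl.key: elasticsearch.key
+xpack.security.transport.ssl.certificate: elasticsearch.crt
+xpack.security.transport.ssl.certificate_authorities: ca.crt
+xpack.security.transport.ssl.verification_mode: certificate
+xpack.security.transport.ssl.client_authentication: optional
+
+# ROR SSL
+#xpack.security.enabled: false
+#http.type: ssl_netty4
+#readonlyrest.ssl.enable: true
+#readonlyrest.ssl.keystore_file: "ror-keystore.jks"
+#readonlyrest.ssl.keystore_pass: readonlyrest
+#readonlyrest.ssl.key_pass: readonlyrest
+#transport.type: ror_ssl_internode
+#readonlyrest.ssl_internode.enable: true
+#readonlyrest.ssl_internode.keystore_file: "ror-keystore.jks"
+#readonlyrest.ssl_internode.keystore_pass: readonlyrest
+#readonlyrest.ssl_internode.key_pass: readonlyrest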
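Review bot: `xpack.security.transport.ssl.client_authentication: optional` lets a peer complete a TLS handshake on the transport port without presenting a certificate, whereas Elasticsearch's default for the transport layer is `required`. Together with `network.host: 0.0.0.0` and `verification_mode: certificate`, which skips the hostname check, node-to-node authentication is weaker than the defaults would give. Unless something in the demo depends on it, drop that line or set it to `required`. A comment above the `# XPACK SSL` block saying that the relaxed TLS settings are for the sandbox only would keep them from being copied into a real deployment.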
58 changes: 58 additions & 0 deletions coolify-demo/conf/es/readonlyrest.yml
@@ -0,0 +1,58 @@
readonlyrest:

audit:
enabled: true
outputs: [index]

access_control_rules:

- name: "KIBANA"
type: allow
auth_key: kibana:kibana
verbosity: error
Comment thread
coderabbitai[bot] marked this conversation as resolved.

- name: "Admins"
groups: [Administrators]
kibana:
access: admin

- name: "End users"
groups: ["EndUsers"]
indices: ["*-frontend-*", "kibana_sample_data_*"]
kibana:
index: .kibana_end_@{user}
access: rw
hide_apps: ["Security", "Observability"]

- name: "Business users"
groups: ["BusinessUsers"]
indices: ["*-business-*", "kibana_sample_data_*"]
kibana:
index: .kibana_business_@{user}
access: ro
hide_apps: ["Security", "Observability"]

users:
- username: admin
auth_key: admin:admin
groups:
- id: "Administrators"
name: "Administrators"
- id: "EndUsers"
name: "End Users"
- id: "BusinessUsers"
name: "Business Users"

- username: user1
auth_key: user1:test
groups:
- id: "EndUsers"
name: "End Users"
- id: "BusinessUsers"
name: "Business Users"

- username: user2
auth_key: user2:test
groups:
- id: "EndUsers"
name: "End Users"
13 changes: 13 additions & 0 deletions coolify-demo/conf/kbn/kibana.yml
@@ -0,0 +1,13 @@
server.name: kibana-ror
server.host: 0.0.0.0

elasticsearch.username: kibana
elasticsearch.password: kibana
elasticsearch.ssl.verificationMode: none
Contributor

@coderabbitai coderabbitai Bot May 28, 2026


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don’t disable Elasticsearch certificate verification here.

The stack already ships a CA, but Kibana is configured to trust any certificate on the Elasticsearch connection. That turns the HTTPS hop into unauthenticated TLS. Copy the CA into the Kibana image and set elasticsearch.ssl.certificateAuthorities instead of verificationMode: none.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@coolify-demo/conf/kbn/kibana.yml` at line 6, The kibana.yml currently
disables TLS verification via elasticsearch.ssl.verificationMode: none; instead
copy the Elasticsearch CA into the Kibana image (or mount it into the container)
and replace the verificationMode setting by configuring
elasticsearch.ssl.certificateAuthorities to point to the CA file path inside the
Kibana image; remove or omit elasticsearch.ssl.verificationMode and ensure the
certificate file is present and referenced so Kibana validates Elasticsearch’s
certificate using the shipped CA.

Contributor Author


IMO acceptable for demo

Contributor


@ton77v, understood — acknowledged for a demo environment. I'll note this for future reviews.

(ᵕ—ᴗ—)


✏️ Learnings added
Learnt from: ton77v
Repo: beshu-tech/ror-sandbox PR: 54
File: coolify-demo/conf/kbn/kibana.yml:6-6
Timestamp: 2026-05-28T10:28:49.525Z
Learning: In `coolify-demo/conf/kbn/kibana.yml`, `elasticsearch.ssl.verificationMode: none` is intentional for the demo/sandbox deployment. The maintainer (ton77v) considers disabled certificate verification acceptable for this demo context and does not want it flagged in reviews.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.


server.ssl.enabled: false

xpack.encryptedSavedObjects.encryptionKey: "min-32-byte-long-strong-encryption-key"

readonlyrest_kbn.logLevel: info
readonlyrest_kbn.cookiePass: '12312313123213123213123abcdefghijklm'
Comment on lines +10 to +13

This comment was marked as resolved.

Contributor Author


already replied above

Contributor


🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
gh pr view 54 --repo beshu-tech/ror-sandbox --comments --json comments -q '.comments[] | {author: .author.login, body: .body}'

Length of output: 36986



@ton77v, acknowledged! Looking at the broader PR context, this is a public demo/sandbox environment where all credentials are intentionally placeholder values (admin:admin, kibana:kibana, "min-32-byte-long-strong-encryption-key"). The concern about secret rotation is less applicable here since the goal is a reproducible, shareable demo stack rather than a production deployment. Thanks for the context.


✏️ Learnings added
Learnt from: ton77v
Repo: beshu-tech/ror-sandbox PR: 54
File: coolify-demo/conf/kbn/kibana.yml:10-13
Timestamp: 2026-05-28T10:30:51.056Z
Learning: In the `beshu-tech/ror-sandbox` repository, the `coolify-demo/` stack is a public demo/sandbox environment. All credentials and secret-like values (e.g., `admin:admin`, `kibana:kibana`, `xpack.encryptedSavedObjects.encryptionKey: "min-32-byte-long-strong-encryption-key"`, `readonlyrest_kbn.cookiePass`) are intentionally hardcoded placeholder values for reproducibility. Do not flag these as security issues requiring rotation or secret injection.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

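--- a/coolify-demo/docker-compose.local.yaml
+++ b/coolify-demo/docker-compose.local.yaml
@@ -0,0 +1,17 @@
+services:
+
+es-ror:
+networks:
+- es-ror-network
+
+kbn-ror:
+networks:
+- es-ror-network
+
+initializer:
+networks:
+- es-ror-network
+
+networks:
+es-ror-network:
+driver: bridge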
82 changes: 82 additions & 0 deletions coolify-demo/docker-compose.yaml
@@ -0,0 +1,82 @@
services:

es-ror:
container_name: es-ror
env_file: ".env"
build:
context: .
dockerfile: images/es/Dockerfile
args:
ES_VERSION: ${ES_VERSION:-9.0.1}
ROR_ES_VERSION: ${ROR_ES_VERSION:-1.64.1}
ports:
- "19200:9200"
- "19300:9300"
- "5000:5000"
environment:
- cluster.name=ror-es-cluster
- node.name=es-ror-single
- discovery.type=single-node
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-Xms512m -Xmx512m -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5000"
healthcheck:
test: [ "CMD", "curl", "-fk", "-u", "admin:admin", "https://localhost:9200/_cluster/health" ]
Contributor


🛠️ Refactor suggestion

Security concern: Hard-coded credentials in health check

The health check contains hard-coded admin credentials. Consider using environment variables for these credentials to improve security and maintainability.

- test: [ "CMD", "curl", "-fk", "-u", "admin:admin", "https://localhost:9200/_cluster/health" ]
+ test: [ "CMD", "curl", "-fk", "-u", "${ES_ADMIN_USER:-admin}:${ES_ADMIN_PASSWORD:-admin}", "https://localhost:9200/_cluster/health" ]
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
test: [ "CMD", "curl", "-fk", "-u", "admin:admin", "https://localhost:9200/_cluster/health" ]
test: [ "CMD", "curl", "-fk", "-u", "${ES_ADMIN_USER:-admin}:${ES_ADMIN_PASSWORD:-admin}", "https://localhost:9200/_cluster/health" ]
🤖 Prompt for AI Agents
In coolify-demo/docker-compose.yaml at line 24, the health check uses hard-coded
admin credentials in the curl command. Replace the hard-coded username and
password with environment variables by referencing them in the command, and
define these variables securely in the environment section or an external
secrets file to improve security and maintainability.

interval: 10s
timeout: 10s
retries: 30
start_period: 60s
ulimits:
memlock:
soft: -1
hard: -1

kbn-ror:
container_name: kbn-ror
env_file: ".env"
build:
context: .
dockerfile: images/kbn/Dockerfile
args:
KBN_VERSION: ${KBN_VERSION:-9.0.1}
ROR_KBN_VERSION: ${ROR_KBN_VERSION:-1.64.1}
depends_on:
es-ror:
condition: service_healthy
ports:
- "15601:5601"
environment:
ELASTICSEARCH_HOSTS: https://es-ror:9200
ROR_ACTIVATION_KEY: $ROR_ACTIVATION_KEY
healthcheck:
test: [ "CMD", "curl", "--fail", "-u", "kibana:kibana", "http://localhost:5601/api/status" ]
interval: 10s
timeout: 10s
retries: 30
start_period: 60s
ulimits:
memlock:
soft: -1
hard: -1

initializer:
Comment thread
coutoPL marked this conversation as resolved.
container_name: initializer
build:
context: .
dockerfile: images/cluster-initializer/Dockerfile
depends_on:
es-ror:
condition: service_healthy
kbn-ror:
condition: service_healthy
environment:
ELASTICSEARCH_ADDRESS: https://es-ror:9200
ELASTICSEARCH_USER: kibana
ELASTICSEARCH_PASSWORD: kibana
healthcheck:
test: "test -f /tmp/init_done || exit 1"
interval: 10s
timeout: 10s
retries: 30
start_period: 60s
volumes:
- ./init-scripts:/scripts:ro
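Review bot: The `es-ror` service starts the JVM with a JDWP debug agent on `address=*:5000` and publishes it with `"5000:5000"`, so the debugger port is reachable on every host interface. JDWP has no authentication, and a connected debugger can run arbitrary code inside the Elasticsearch process. For a stack meant to be deployed to a Coolify server, remove `-agentlib:jdwp=…` from `ES_JAVA_OPTS` together with the `5000` mapping, or at least bind the mapping to loopback, `"127.0.0.1:5000:5000"`. The same loopback binding is worth considering for `"19300:9300"`, since a `discovery.type=single-node` cluster has no peers that need the transport port.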
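--- a/coolify-demo/images/cluster-initializer/Dockerfile
+++ b/coolify-demo/images/cluster-initializer/Dockerfile
@@ -0,0 +1,10 @@
+FROM ubuntu:24.04
+
+COPY images/cluster-initializer/entrypoint.sh /entrypoint.sh
+
+RUN chmod +x /entrypoint.sh && \
+apt-get update --fix-missing && \
+apt-get install -y jq curl && \
+rm -rf /var/lib/apt/lists/*
+
+ENTRYPOINT [ "/entrypoint.sh" ]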
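--- a/coolify-demo/images/cluster-initializer/entrypoint.sh
+++ b/coolify-demo/images/cluster-initializer/entrypoint.sh
@@ -0,0 +1,14 @@
+#!/bin/bash -e
+
+cd /scripts
+
+for script in *.sh; do
+if [ -f "$script" ]; then
+echo "Running $script..."
+bash "$script"
+echo "--------------------------------"
+fi
+done
+
+touch /tmp/init_done
+tail -f /dev/null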
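Review bot: `bash "$script"` starts each init script through an explicit interpreter, so the script's own shebang is never read; `init-scripts/init.sh` declares `#!/bin/bash -ex`, and those options are dropped when it is run this way. The same applies to this file's `#!/bin/bash -e` if it is ever started as `bash /entrypoint.sh`. Put the options in the script bodies instead, `set -e` here and `set -ex` in init.sh. A failed init step then reliably prevents `touch /tmp/init_done`, and the healthcheck does not report a half-initialised cluster as ready.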
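--- a/coolify-demo/images/es/Dockerfile
+++ b/coolify-demo/images/es/Dockerfile
@@ -0,0 +1,15 @@
+ARG ES_VERSION="please_set_ES_VERSION_arg"
+ARG ROR_ES_VERSION="please_set_ROR_ES_VERSION_arg"
+
+FROM beshultd/elasticsearch-readonlyrest:${ES_VERSION}-ror-${ROR_ES_VERSION}
+
+USER root
+COPY conf/es/readonlyrest.yml /usr/share/elasticsearch/config/readonlyrest.yml
+COPY conf/es/elasticsearch.yml /usr/share/elasticsearch/config/elasticsearch.yml
+COPY conf/es/ca.crt /usr/share/elasticsearch/config/ca.crt
+COPY conf/es/elasticsearch.crt /usr/share/elasticsearch/config/elasticsearch.crt
+COPY conf/es/elasticsearch.key /usr/share/elasticsearch/config/elasticsearch.key
+RUN chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/config
+
+ENV I_UNDERSTAND_AND_ACCEPT_ES_PATCHING=yes
+# stay as root — official image's entrypoint patches ES then drops to elasticsearch user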
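Review bot: `COPY conf/es/elasticsearch.key …` keeps whatever mode the file has in the build context, and the following `chown -R` changes only the owner, so the key may end up readable by every user in the container. Restrict it explicitly after the `chown`, e.g. `RUN chmod 600 /usr/share/elasticsearch/config/elasticsearch.key`. The same mode is appropriate for `readonlyrest.yml`, which carries the `auth_key` values.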
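--- a/coolify-demo/images/kbn/Dockerfile
+++ b/coolify-demo/images/kbn/Dockerfile
@@ -0,0 +1,12 @@
+ARG KBN_VERSION="please_set_KBN_VERSION_arg"
+ARG ROR_KBN_VERSION="please_set_ROR_KBN_VERSION_arg"
+
+FROM beshultd/kibana-readonlyrest:${KBN_VERSION}-ror-${ROR_KBN_VERSION}
+
+USER root
+COPY conf/kbn/kibana.yml /usr/share/kibana/config/kibana.yml
+RUN chown -R kibana:kibana /usr/share/kibana/config \
+&& chmod 664 /usr/share/kibana/config/kibana.yml
+
+ENV I_UNDERSTAND_AND_ACCEPT_KBN_PATCHING=yes
+# stay as root — official image's entrypoint patches Kibana then drops to kibana user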
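--- a/coolify-demo/init-scripts/init.sh
+++ b/coolify-demo/init-scripts/init.sh
@@ -0,0 +1,13 @@
+#!/bin/bash -ex
+
+set -o pipefail
+
+cd "$(dirname "$0")"
+
+source utils/lib.sh
+
+createDataStream "logs-frontend-dev" && generate_log_documents 100 | putDocument "logs-frontend-dev"
+createDataStream "logs-business-dev" && generate_log_documents 100 | putDocument "logs-business-dev"
+createDataStream "logs-system-dev" && generate_log_documents 100 | putDocument "logs-system-dev"
+
+createIndex "data-business-index" && generate_log_documents 100 | putDocument "data-business-index"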
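Review bot: In each `createDataStream "…" && generate_log_documents 100 | putDocument "…"` line, a failure of the left-hand command is exempt from errexit because it sits before `&&`. The three data-stream lines can therefore fail silently, and only the final `createIndex` line determines the script's exit status. If the intent is to abort on any failure, write the two steps as separate statements, e.g. `createDataStream "logs-frontend-dev"` followed by `generate_log_documents 100 | putDocument "logs-frontend-dev"`. If skipping the load when the stream already exists is intended, a one-line comment saying so would make that clear. The helpers come from `utils/lib.sh`, which is not shown, so their exit codes are assumed here.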