From 7ed8ca6085e3b3caf353fef74cc375d098c6c7d8 Mon Sep 17 00:00:00 2001 
From: Dawid Poliszak Date: Sat, 11 Oct 2025 06:25:56 +0200 Subject: [PATCH 1/7] reproduction --- .../docker-compose.yml | 2 +- .../enterprise-ror-newplatform-kibana.yml | 70 ++++++++++++++ .../kbn-2/free-ror-newplatform-kibana.yml | 70 ++++++++++++++ ror-demo-cluster/conf/kbn-2/kibana.crt | 21 +++++ ror-demo-cluster/conf/kbn-2/kibana.key | 28 ++++++ .../conf/kbn-2/pro-ror-newplatform-kibana.yml | 70 ++++++++++++++ .../conf/kbn-2/ror-oldplatform-kibana.yml | 15 +++ .../kbn/enterprise-ror-newplatform-kibana.yml | 92 +++++++++++-------- .../conf/kbn/free-ror-newplatform-kibana.yml | 56 ++++++++++- .../conf/kbn/pro-ror-newplatform-kibana.yml | 56 ++++++++++- ror-demo-cluster/docker-compose.yml | 48 +++++++++- .../Dockerfile-use-ror-binaries-from-api | 22 +++++ .../Dockerfile-use-ror-binaries-from-file | 23 +++++ .../images/kbn-2/install-ror-kbn-using-api.sh | 74 +++++++++++++++ .../kbn-2/install-ror-kbn-using-file.sh | 59 ++++++++++++ .../images/reverse-proxy/Dockerfile | 28 ++++++ .../images/reverse-proxy/deva-notix.conf | 44 +++++++++ ror-demo-cluster/run.sh | 4 +- 18 files changed, 739 insertions(+), 43 deletions(-) create mode 100644 ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml create mode 100644 ror-demo-cluster/conf/kbn-2/free-ror-newplatform-kibana.yml create mode 100644 ror-demo-cluster/conf/kbn-2/kibana.crt create mode 100644 ror-demo-cluster/conf/kbn-2/kibana.key create mode 100644 ror-demo-cluster/conf/kbn-2/pro-ror-newplatform-kibana.yml create mode 100644 ror-demo-cluster/conf/kbn-2/ror-oldplatform-kibana.yml create mode 100644 ror-demo-cluster/images/kbn-2/Dockerfile-use-ror-binaries-from-api create mode 100644 ror-demo-cluster/images/kbn-2/Dockerfile-use-ror-binaries-from-file create mode 100755 ror-demo-cluster/images/kbn-2/install-ror-kbn-using-api.sh create mode 100755 ror-demo-cluster/images/kbn-2/install-ror-kbn-using-file.sh create mode 100644 ror-demo-cluster/images/reverse-proxy/Dockerfile create mode 100644 
ror-demo-cluster/images/reverse-proxy/deva-notix.conf diff --git a/ror-cluster-elastic-cloud-demo/docker-compose.yml b/ror-cluster-elastic-cloud-demo/docker-compose.yml index 4dbc87a..000b166 100644 --- a/ror-cluster-elastic-cloud-demo/docker-compose.yml +++ b/ror-cluster-elastic-cloud-demo/docker-compose.yml @@ -39,7 +39,7 @@ services: kbn-ror: build: context: . - dockerfile: images/kbn/${KBN_DOCKERFILE} + dockerfile: images/kbn-2/${KBN_DOCKERFILE} args: KBN_VERSION: $KBN_VERSION ROR_VERSION: $ROR_KBN_VERSION diff --git a/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml new file mode 100644 index 0000000..2f605e7 --- /dev/null +++ b/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml 
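Review bot: The new `dockerfile: images/kbn-2/${KBN_DOCKERFILE}` path in the `kbn-ror` service points at a directory that this patch creates only under `ror-demo-cluster/`. With `context: .` the elastic-cloud demo resolves it relative to `ror-cluster-elastic-cloud-demo/`, where the diffstat lists no new files. Unless that directory already exists there, building this compose file will fail, so either keep `images/kbn/${KBN_DOCKERFILE}` here or add the kbn-2 images to this demo as well. The service definition continues outside the hunk.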
@@ -0,0 +1,70 @@
+server.name: kibana-ror-2
+server.host: 0.0.0.0
+server.basePath: /deva-notix
+server.rewriteBasePath: false
+server.publicBaseUrl: "https://localhost:8443/deva-notix"
+
+elasticsearch.username: kibana
+elasticsearch.password: kibana
+elasticsearch.ssl.verificationMode: none
+server.xsrf.allowlist: []
+
+# generated with:
+# $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt
+server.ssl.enabled: true
+server.ssl.certificate: /usr/share/kibana/config/kibana.crt
+server.ssl.key: /usr/share/kibana/config/kibana.key
+server.ssl.redirectHttpFromPort: 80
+
+xpack.security.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!"
+xpack.encryptedSavedObjects.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!"
+
+xpack.reporting.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!"
+xpack.reporting.queue.timeout: 120000
+xpack.reporting.csv.maxSizeBytes: 10485760
+
+# disable "Your data is not secure. Don't lose one bit. Secure your data for free with Elastic."
+xpack.security.showInsecureClusterWarning: false
+
+# alternative to disable spaces
+xpack.spaces.maxSpaces: 0
+
+# Explore underlying data
+xpack.discoverEnhanced.actions.exploreDataInContextMenu.enabled: true
+xpack.discoverEnhanced.actions.exploreDataInChart.enabled: true
+
+# session lifecycle management
+xpack.security.session.idleTimeout: 3d
+xpack.security.session.lifespan: 7d
+xpack.security.session.cleanupInterval: 1d
+
+readonlyrest_kbn.logLevel: trace
+readonlyrest_kbn.cookiePass: '12312313123213123213123abcdefghijklm'
+readonlyrest_kbn.store_sessions_in_index: true
+
+#################### Kibana additional settings ###################
+newsfeed.enabled: false
+telemetry.optIn: false
+telemetry.enabled: false
+telemetry.allowChangingOptInStatus: false
+i18n.locale: en
+
+#################### Kibana logging settings ######################
+
+logging.appenders.roll-file.type: rolling-file
+logging.appenders.roll-file.fileName: /usr/share/kibana/logs/kibana.log
+logging.appenders.roll-file.policy.type: time-interval
+logging.appenders.roll-file.policy.interval: 24h
+logging.appenders.roll-file.policy.modulate: true
+logging.appenders.roll-file.strategy.type: numeric
+logging.appenders.roll-file.strategy.pattern: '.%i'
+logging.appenders.roll-file.strategy.max: 2
+logging.appenders.roll-file.layout.type: json
+logging.root.appenders: [roll-file,default]
+logging.root.level: info
+
+
+#################### Kibana CCS settings ######################
+monitoring.ui.ccs.enabled: false
+
+
diff --git a/ror-demo-cluster/conf/kbn-2/free-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn-2/free-ror-newplatform-kibana.yml
new file mode 100644
index 0000000..2f605e7
--- /dev/null
+++ b/ror-demo-cluster/conf/kbn-2/free-ror-newplatform-kibana.yml
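Review bot: `xpack.security.encryptionKey`, `xpack.encryptedSavedObjects.encryptionKey` and `xpack.reporting.encryptionKey` are all set to the same literal committed in the repository, and `readonlyrest_kbn.cookiePass` is a committed literal too. Every instance built from this file therefore shares its secrets with anyone who can read the repo. Kibana's config supports `${VAR}` substitution, so these could become `xpack.security.encryptionKey: "${KBN_SECURITY_KEY}"` and so on, with distinct values injected from the compose environment (the variable names are placeholders). The same values recur in the kbn-2 free and pro files and in the three `conf/kbn/*-ror-newplatform-kibana.yml` hunks. If the literals must stay for the reproduction, a comment such as `# demo-only secret, never reuse outside this sandbox` above them would make that explicit.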
@@ -0,0 +1,70 @@
+server.name: kibana-ror-2
+server.host: 0.0.0.0
+server.basePath: /deva-notix
+server.rewriteBasePath: false
+server.publicBaseUrl: "https://localhost:8443/deva-notix"
+
+elasticsearch.username: kibana
+elasticsearch.password: kibana
+elasticsearch.ssl.verificationMode: none
+server.xsrf.allowlist: []
+
+# generated with:
+# $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt
+server.ssl.enabled: true
+server.ssl.certificate: /usr/share/kibana/config/kibana.crt
+server.ssl.key: /usr/share/kibana/config/kibana.key
+server.ssl.redirectHttpFromPort: 80
+
+xpack.security.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!"
+xpack.encryptedSavedObjects.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!"
+
+xpack.reporting.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!"
+xpack.reporting.queue.timeout: 120000
+xpack.reporting.csv.maxSizeBytes: 10485760
+
+# disable "Your data is not secure. Don't lose one bit. Secure your data for free with Elastic."
+xpack.security.showInsecureClusterWarning: false
+
+# alternative to disable spaces
+xpack.spaces.maxSpaces: 0
+
+# Explore underlying data
+xpack.discoverEnhanced.actions.exploreDataInContextMenu.enabled: true
+xpack.discoverEnhanced.actions.exploreDataInChart.enabled: true
+
+# session lifecycle management
+xpack.security.session.idleTimeout: 3d
+xpack.security.session.lifespan: 7d
+xpack.security.session.cleanupInterval: 1d
+
+readonlyrest_kbn.logLevel: trace
+readonlyrest_kbn.cookiePass: '12312313123213123213123abcdefghijklm'
+readonlyrest_kbn.store_sessions_in_index: true
+
+#################### Kibana additional settings ###################
+newsfeed.enabled: false
+telemetry.optIn: false
+telemetry.enabled: false
+telemetry.allowChangingOptInStatus: false
+i18n.locale: en
+
+#################### Kibana logging settings ######################
+
+logging.appenders.roll-file.type: rolling-file
+logging.appenders.roll-file.fileName: /usr/share/kibana/logs/kibana.log
+logging.appenders.roll-file.policy.type: time-interval
+logging.appenders.roll-file.policy.interval: 24h
+logging.appenders.roll-file.policy.modulate: true
+logging.appenders.roll-file.strategy.type: numeric
+logging.appenders.roll-file.strategy.pattern: '.%i'
+logging.appenders.roll-file.strategy.max: 2
+logging.appenders.roll-file.layout.type: json
+logging.root.appenders: [roll-file,default]
+logging.root.level: info
+
+
+#################### Kibana CCS settings ######################
+monitoring.ui.ccs.enabled: false
+
+
diff --git a/ror-demo-cluster/conf/kbn-2/kibana.crt b/ror-demo-cluster/conf/kbn-2/kibana.crt
new file mode 100644
index 0000000..e299680
--- /dev/null
+++ b/ror-demo-cluster/conf/kbn-2/kibana.crt
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDazCCAlOgAwIBAgIUBiE6BT/+Rshrppljbwt9YUKI0L4wDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA5MjYxODQyNThaFw0zNDA5 +MjQxODQyNThaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDG3G4Thxy7EozvjLSipdvZqjqCsfsjS9hpYP3yCYHd +X6Zd1jEIrUnU7m0K9Mqnu4ws+rMKFVPG8VTGtwYtvhirp3E5Z452BCpPVlA95buA +tgFaPF7fD/KexrlZZguBGmGvg1Tl2XbuTPMxy2bOaQEB23MnKdfGrG/vrZW4dYBn +BdbITpZv3RTtpiM6nWLaGXKMuZKa5jLLvATqF6NyoSDzp0h/mLkAlyK9YGCcAfcX +FenpHfO7bXK0j+cuZOxLTqWqfvXk3W+PIti0x1oX+wCWUeLcunu55ULZiCmHkp1j +SxQRGJtlBFMcCQ1cqVzjCcXNG2yLhvvLiNbieZsQQEMVAgMBAAGjUzBRMB0GA1Ud +DgQWBBQAhrFCBCBAdrJH179OeQI2at+wHDAfBgNVHSMEGDAWgBQAhrFCBCBAdrJH +179OeQI2at+wHDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBI +esiejMlKXp0mj34N5NDs3I7+AHIFIGTY+u6I4kF+tuiAcCYWWF4cG3g0pJzvokIi +wIdjCQjXBwfbu6KBv0wphqlSJ9lwDPBGBG1Lc6Sg+wHTqrdwL8f4FcJF1IB92mLc +wNSQNnjqxgcD5AOTqVHIy9hhJVufZonypIMSRV5xndv5qGP2TjSM4bF/Cj3YIK9D +2pLAUG3Vj3YIr0jOiyRbYlzaXpV9hPwfkbLSrqi/RwHvZtUv7B7roAY1mSg5wYFg +CbHH7nmpV3wzaF47Y/k+O4+37DbCYuDJwrLyhqksqQiN55s4UG15ATBS8fYWfRnf +t2WXvSztBJ6TS+pOm6GM +-----END CERTIFICATE----- diff --git a/ror-demo-cluster/conf/kbn-2/kibana.key b/ror-demo-cluster/conf/kbn-2/kibana.key new file mode 100644 index 0000000..8bb8fc5 --- /dev/null +++ b/ror-demo-cluster/conf/kbn-2/kibana.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDG3G4Thxy7Eozv +jLSipdvZqjqCsfsjS9hpYP3yCYHdX6Zd1jEIrUnU7m0K9Mqnu4ws+rMKFVPG8VTG +twYtvhirp3E5Z452BCpPVlA95buAtgFaPF7fD/KexrlZZguBGmGvg1Tl2XbuTPMx +y2bOaQEB23MnKdfGrG/vrZW4dYBnBdbITpZv3RTtpiM6nWLaGXKMuZKa5jLLvATq +F6NyoSDzp0h/mLkAlyK9YGCcAfcXFenpHfO7bXK0j+cuZOxLTqWqfvXk3W+PIti0 +x1oX+wCWUeLcunu55ULZiCmHkp1jSxQRGJtlBFMcCQ1cqVzjCcXNG2yLhvvLiNbi +eZsQQEMVAgMBAAECggEAF5FSPmA56HXXXCCJ2+jaOF6zVn/vaox3lm2XSxMTYAAR +AHf9EbEv2dtz8uN2DRDuGPqRM3W5mw9I49AXHF62H8nVYl9Cg/wUY5iwI9XRNfzc +Biy3dao3L9gPaWftnxxYTWu8KQ1vyeg2vkUD5xyMsQKoEBEmcHZJQdeJsfXDBPJ3 +tQSkDSrnr4f7uEQvr9iidEXnyfz1azF0snZ00IkBXRV2dcbTOIu6W+2uI1/Pthjt +rAoqvSuwBlUtvQG7Btat4tL84LNTfH+SoXJK1v4JwbqydV/U47Cc0Tp2inJugfVA +o6Cj5ptKvxI7mkFQuoyG4bm3x+79XeNbrYxhBK3hlQKBgQDnvMTfdIxC+rU+cKY0 +6sEaCzNbh3ZGqgVpBRj0i7EfdBNOctzlFSQGQhCD1SnXc7ihNZ5t2MKJRap3MNDX +Xh6jllgkjXnw1V+b2E1nBtkp/F8dWnrvzwJbSN+KeCP+zio6g2gKYLZab0GIRTEB +QvXgeaWAmIuxq2GENF8K1FuQYwKBgQDbrnsDKJI3rpfLbzrZB22gwdmq7wZWllzc +1Axiqn6xXqghXPLna3fDAbisQgRrQFTjBU9gM3isp4PGVurdPQa35ve6UAgoJUat +hIqvBzcbER3YEBksJtLvai9m9yQ69vYdMPbR10ZhA6EqTcp2MgyIEvAvue964J2p +3L1/r6bsJwKBgCksRN5e2rzbxm/9m8ozG3QBIXLVspIDi0qJeVGZsDKicPuzNMQO +6YOjIUQLD5AUI22hFTD3Hjk9g3gB2Fkrg84U3DxCVrQPdRk/aSEw+kyXZl7UwJry +8Lw/SlhT2DFhd+dFiaquXDfdJIuNn5NVzlG/y0P51ngOtxjCJVDLQil5AoGAa0qk +Ob6u6xMSgAErNKQ0HreOn7Vt2wxE/nVyNx4eEnKwmtrSp8QNEejdUQRNNDSPQPFu ++wUoguqtqUj6HGOZzGe5xf0gfrr18fkx4pobh9SsRsJWCQJNMzEhRaCeyU2klk07 +vvDtJqSnKgokP+XhyPO26xhcph7d4gA1bQ9U7zECgYAX4Fe9+2Uzmu035C5oHgUv +dA4NRP9lutpH0uboUxo1hdxKtTM1dmeXAj+SL5jyYBpfE3c8Ha3QGlIN8sHiKZTA +0A3bRAHjoKNULPgiODmwaK9y1vOm0Kol6QsJ3QZrc+iHf3wscMnimSwH2XxPnNSD +zh06Wun9UBVUZbdsIPDcLg== +-----END PRIVATE KEY----- diff --git a/ror-demo-cluster/conf/kbn-2/pro-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn-2/pro-ror-newplatform-kibana.yml new file mode 100644 index 0000000..2f605e7 --- /dev/null 
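Review bot: This hunk commits the private key that the Kibana configs load as `server.ssl.key`, in clear text, so the TLS identity of every Kibana built from `conf/kbn-2` is known to anyone with read access to the repository or the resulting image. The config files already document the generating command (`openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt`); running it during the image build or from `run.sh`, and keeping `kibana.key` out of version control, would avoid shipping a shared key. If the file stays for convenience, the key should be treated as public and never reused outside this demo.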
+++ b/ror-demo-cluster/conf/kbn-2/pro-ror-newplatform-kibana.yml 
@@ -0,0 +1,70 @@
+server.name: kibana-ror-2
+server.host: 0.0.0.0
+server.basePath: /deva-notix
+server.rewriteBasePath: false
+server.publicBaseUrl: "https://localhost:8443/deva-notix"
+
+elasticsearch.username: kibana
+elasticsearch.password: kibana
+elasticsearch.ssl.verificationMode: none
+server.xsrf.allowlist: []
+
+# generated with:
+# $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt
+server.ssl.enabled: true
+server.ssl.certificate: /usr/share/kibana/config/kibana.crt
+server.ssl.key: /usr/share/kibana/config/kibana.key
+server.ssl.redirectHttpFromPort: 80
+
+xpack.security.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!"
+xpack.encryptedSavedObjects.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!"
+
+xpack.reporting.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!"
+xpack.reporting.queue.timeout: 120000
+xpack.reporting.csv.maxSizeBytes: 10485760
+
+# disable "Your data is not secure. Don't lose one bit. Secure your data for free with Elastic."
+xpack.security.showInsecureClusterWarning: false
+
+# alternative to disable spaces
+xpack.spaces.maxSpaces: 0
+
+# Explore underlying data
+xpack.discoverEnhanced.actions.exploreDataInContextMenu.enabled: true
+xpack.discoverEnhanced.actions.exploreDataInChart.enabled: true
+
+# session lifecycle management
+xpack.security.session.idleTimeout: 3d
+xpack.security.session.lifespan: 7d
+xpack.security.session.cleanupInterval: 1d
+
+readonlyrest_kbn.logLevel: trace
+readonlyrest_kbn.cookiePass: '12312313123213123213123abcdefghijklm'
+readonlyrest_kbn.store_sessions_in_index: true
+
+#################### Kibana additional settings ###################
+newsfeed.enabled: false
+telemetry.optIn: false
+telemetry.enabled: false
+telemetry.allowChangingOptInStatus: false
+i18n.locale: en
+
+#################### Kibana logging settings ######################
+
+logging.appenders.roll-file.type: rolling-file
+logging.appenders.roll-file.fileName: /usr/share/kibana/logs/kibana.log
+logging.appenders.roll-file.policy.type: time-interval
+logging.appenders.roll-file.policy.interval: 24h
+logging.appenders.roll-file.policy.modulate: true
+logging.appenders.roll-file.strategy.type: numeric
+logging.appenders.roll-file.strategy.pattern: '.%i'
+logging.appenders.roll-file.strategy.max: 2
+logging.appenders.roll-file.layout.type: json
+logging.root.appenders: [roll-file,default]
+logging.root.level: info
+
+
+#################### Kibana CCS settings ######################
+monitoring.ui.ccs.enabled: false
+
+
diff --git a/ror-demo-cluster/conf/kbn-2/ror-oldplatform-kibana.yml b/ror-demo-cluster/conf/kbn-2/ror-oldplatform-kibana.yml
new file mode 100644
index 0000000..de0b5d6
--- /dev/null
+++ b/ror-demo-cluster/conf/kbn-2/ror-oldplatform-kibana.yml
@@ -0,0 +1,15 @@ +server.name: kibana-ror +server.host: 0.0.0.0 + +elasticsearch.username: kibana +elasticsearch.password: kibana +elasticsearch.ssl.verificationMode: none + +# generated with: +# $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt +server.ssl.enabled: true +server.ssl.certificate: /usr/share/kibana/config/kibana.crt +server.ssl.key: /usr/share/kibana/config/kibana.key +server.ssl.redirectHttpFromPort: 80 + +xpack.security.enabled: false diff --git a/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml index 9abf6b5..4366a6c 100644 --- a/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml +++ b/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml @@ -1,9 +1,13 @@ server.name: kibana-ror server.host: 0.0.0.0 +server.basePath: /deva-notix +server.rewriteBasePath: false +server.publicBaseUrl: "https://localhost:8443/deva-notix" elasticsearch.username: kibana elasticsearch.password: kibana elasticsearch.ssl.verificationMode: none +server.xsrf.allowlist: [] # generated with: # $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt 
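Review bot: `elasticsearch.ssl.verificationMode: none` in the new old-platform config turns off certificate checks on the Kibana-to-Elasticsearch connection, which carries the `kibana`/`kibana` credentials set on the two lines above it; the compose file points that connection at `https://es-ror:9200`. Where the Elasticsearch CA is available to the container, `elasticsearch.ssl.verificationMode: certificate` together with `elasticsearch.ssl.certificateAuthorities: [ "<path-to-es-ca.crt>" ]` keeps the TLS link meaningful (the path is a placeholder). The same setting is added in the three kbn-2 new-platform files. At minimum, a comment like `# demo only: the ES certificate is not verified` would stop the setting from being copied into a real deployment unnoticed.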
@@ -12,41 +16,55 @@ server.ssl.certificate: /usr/share/kibana/config/kibana.crt server.ssl.key: /usr/share/kibana/config/kibana.key server.ssl.redirectHttpFromPort: 80 -readonlyrest_kbn.logLevel: info +xpack.security.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.encryptedSavedObjects.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" + +xpack.reporting.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.reporting.queue.timeout: 120000 +xpack.reporting.csv.maxSizeBytes: 10485760 + +# disable "Your data is not secure. Don't lose one bit. Secure your data for free with Elastic." +xpack.security.showInsecureClusterWarning: false + +# alternative to disable spaces +xpack.spaces.maxSpaces: 0 + +# Explore underlying data +xpack.discoverEnhanced.actions.exploreDataInContextMenu.enabled: true +xpack.discoverEnhanced.actions.exploreDataInChart.enabled: true + +# session lifecycle management +xpack.security.session.idleTimeout: 3d +xpack.security.session.lifespan: 7d +xpack.security.session.cleanupInterval: 1d + +readonlyrest_kbn.logLevel: trace readonlyrest_kbn.cookiePass: '12312313123213123213123abcdefghijklm' -readonlyrest_kbn: - auth: - signature_key: "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" - - oidc_keycloak: - buttonName: "Keycloak OIDC" - type: "oidc" - protocol: "https" - issuer: 'http://kc.localhost:8080/realms/ror' - authorizationURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/auth' - tokenURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/token' - userInfoURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/userinfo' - jwksURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/certs' - clientID: 'kibana-ror' - clientSecret: 'kibanasecret123' - scope: 'openid profile email' - usernameParameter: 'preferred_username' - groupsParameter: 'groups' - kibanaExternalHost: 
'localhost:15601' - logoutUrl: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/logout' - oidc_lemon_ldap: - buttonName: "LemonLDAP OpenID" - type: "oidc" - protocol: "https" - issuer: 'https://oidctest.wsweet.org/' - authorizationURL: 'https://oidctest.wsweet.org/oauth2/authorize' - tokenURL: 'https://oidctest.wsweet.org/oauth2/token' - userInfoURL: 'https://oidctest.wsweet.org/oauth2/userinfo' - clientID: 'private' - clientSecret: 'tardis' - scope: 'openid users roles' - usernameParameter: 'sub' - groupsParameter: 'roles' - kibanaExternalHost: 'localhost:15601' - logoutUrl: 'https://oidctest.wsweet.org/oauth2/logout' - jwksURL: 'https://oidctest.wsweet.org/oauth2/jwks' +readonlyrest_kbn.store_sessions_in_index: true + +#################### Kibana additional settings ################### +newsfeed.enabled: false +telemetry.optIn: false +telemetry.enabled: false +telemetry.allowChangingOptInStatus: false +i18n.locale: en + +#################### Kibana logging settings ###################### + +logging.appenders.roll-file.type: rolling-file +logging.appenders.roll-file.fileName: /usr/share/kibana/logs/kibana.log +logging.appenders.roll-file.policy.type: time-interval +logging.appenders.roll-file.policy.interval: 24h +logging.appenders.roll-file.policy.modulate: true +logging.appenders.roll-file.strategy.type: numeric +logging.appenders.roll-file.strategy.pattern: '.%i' +logging.appenders.roll-file.strategy.max: 2 +logging.appenders.roll-file.layout.type: json +logging.root.appenders: [roll-file,default] +logging.root.level: info + + +#################### Kibana CCS settings ###################### +monitoring.ui.ccs.enabled: false + + diff --git a/ror-demo-cluster/conf/kbn/free-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn/free-ror-newplatform-kibana.yml index 3df3d8e..4366a6c 100644 --- a/ror-demo-cluster/conf/kbn/free-ror-newplatform-kibana.yml +++ b/ror-demo-cluster/conf/kbn/free-ror-newplatform-kibana.yml 
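Review bot: `readonlyrest_kbn.logLevel: trace` replaces `info` in the shared `conf/kbn` enterprise config, not only in the kbn-2 copy, and the same hunk sends logs to a rolling file at `/usr/share/kibana/logs/kibana.log`. Trace output from an authentication plugin may include request or session details (worth confirming against the plugin's documentation), so it would be safer to keep `readonlyrest_kbn.logLevel: info` here and raise it only in `conf/kbn-2`. The free and pro hunks for `conf/kbn` make the same change. The session settings added just above (`idleTimeout: 3d`, `lifespan: 7d`) are also long for anything beyond a sandbox and deserve a comment saying so.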
@@ -1,9 +1,13 @@ server.name: kibana-ror server.host: 0.0.0.0 +server.basePath: /deva-notix +server.rewriteBasePath: false +server.publicBaseUrl: "https://localhost:8443/deva-notix" elasticsearch.username: kibana elasticsearch.password: kibana elasticsearch.ssl.verificationMode: none +server.xsrf.allowlist: [] # generated with: # $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt 
@@ -12,5 +16,55 @@ server.ssl.certificate: /usr/share/kibana/config/kibana.crt server.ssl.key: /usr/share/kibana/config/kibana.key server.ssl.redirectHttpFromPort: 80 -readonlyrest_kbn.logLevel: info +xpack.security.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.encryptedSavedObjects.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" + +xpack.reporting.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.reporting.queue.timeout: 120000 +xpack.reporting.csv.maxSizeBytes: 10485760 + +# disable "Your data is not secure. Don't lose one bit. Secure your data for free with Elastic." +xpack.security.showInsecureClusterWarning: false + +# alternative to disable spaces +xpack.spaces.maxSpaces: 0 + +# Explore underlying data +xpack.discoverEnhanced.actions.exploreDataInContextMenu.enabled: true +xpack.discoverEnhanced.actions.exploreDataInChart.enabled: true + +# session lifecycle management +xpack.security.session.idleTimeout: 3d +xpack.security.session.lifespan: 7d +xpack.security.session.cleanupInterval: 1d + +readonlyrest_kbn.logLevel: trace readonlyrest_kbn.cookiePass: '12312313123213123213123abcdefghijklm' +readonlyrest_kbn.store_sessions_in_index: true + +#################### Kibana additional settings ################### +newsfeed.enabled: false +telemetry.optIn: false +telemetry.enabled: false +telemetry.allowChangingOptInStatus: false +i18n.locale: en + +#################### Kibana logging settings ###################### + +logging.appenders.roll-file.type: rolling-file +logging.appenders.roll-file.fileName: /usr/share/kibana/logs/kibana.log +logging.appenders.roll-file.policy.type: time-interval +logging.appenders.roll-file.policy.interval: 24h +logging.appenders.roll-file.policy.modulate: true +logging.appenders.roll-file.strategy.type: numeric +logging.appenders.roll-file.strategy.pattern: '.%i' +logging.appenders.roll-file.strategy.max: 2 
+logging.appenders.roll-file.layout.type: json +logging.root.appenders: [roll-file,default] +logging.root.level: info + + +#################### Kibana CCS settings ###################### +monitoring.ui.ccs.enabled: false + + diff --git a/ror-demo-cluster/conf/kbn/pro-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn/pro-ror-newplatform-kibana.yml index 3df3d8e..4366a6c 100644 --- a/ror-demo-cluster/conf/kbn/pro-ror-newplatform-kibana.yml +++ b/ror-demo-cluster/conf/kbn/pro-ror-newplatform-kibana.yml @@ -1,9 +1,13 @@ server.name: kibana-ror server.host: 0.0.0.0 +server.basePath: /deva-notix +server.rewriteBasePath: false +server.publicBaseUrl: "https://localhost:8443/deva-notix" elasticsearch.username: kibana elasticsearch.password: kibana elasticsearch.ssl.verificationMode: none +server.xsrf.allowlist: [] # generated with: # $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt 
@@ -12,5 +16,55 @@ server.ssl.certificate: /usr/share/kibana/config/kibana.crt server.ssl.key: /usr/share/kibana/config/kibana.key server.ssl.redirectHttpFromPort: 80 -readonlyrest_kbn.logLevel: info +xpack.security.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.encryptedSavedObjects.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" + +xpack.reporting.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.reporting.queue.timeout: 120000 +xpack.reporting.csv.maxSizeBytes: 10485760 + +# disable "Your data is not secure. Don't lose one bit. Secure your data for free with Elastic." +xpack.security.showInsecureClusterWarning: false + +# alternative to disable spaces +xpack.spaces.maxSpaces: 0 + +# Explore underlying data +xpack.discoverEnhanced.actions.exploreDataInContextMenu.enabled: true +xpack.discoverEnhanced.actions.exploreDataInChart.enabled: true + +# session lifecycle management +xpack.security.session.idleTimeout: 3d +xpack.security.session.lifespan: 7d +xpack.security.session.cleanupInterval: 1d + +readonlyrest_kbn.logLevel: trace readonlyrest_kbn.cookiePass: '12312313123213123213123abcdefghijklm' +readonlyrest_kbn.store_sessions_in_index: true + +#################### Kibana additional settings ################### +newsfeed.enabled: false +telemetry.optIn: false +telemetry.enabled: false +telemetry.allowChangingOptInStatus: false +i18n.locale: en + +#################### Kibana logging settings ###################### + +logging.appenders.roll-file.type: rolling-file +logging.appenders.roll-file.fileName: /usr/share/kibana/logs/kibana.log +logging.appenders.roll-file.policy.type: time-interval +logging.appenders.roll-file.policy.interval: 24h +logging.appenders.roll-file.policy.modulate: true +logging.appenders.roll-file.strategy.type: numeric +logging.appenders.roll-file.strategy.pattern: '.%i' +logging.appenders.roll-file.strategy.max: 2 
+logging.appenders.roll-file.layout.type: json +logging.root.appenders: [roll-file,default] +logging.root.level: info + + +#################### Kibana CCS settings ###################### +monitoring.ui.ccs.enabled: false + + diff --git a/ror-demo-cluster/docker-compose.yml b/ror-demo-cluster/docker-compose.yml index f907d81..deb29ba 100644 --- a/ror-demo-cluster/docker-compose.yml +++ b/ror-demo-cluster/docker-compose.yml @@ -88,6 +88,39 @@ services: soft: -1 hard: -1 + kbn-ror-2: + build: + context: . + dockerfile: images/kbn-2/${KBN_DOCKERFILE:-KBN_DOCKERFILE_NOT_CONFIGURED} + args: + KBN_VERSION: ${KBN_VERSION:-KBN_VERSION_NOT_CONFIGURED} + ROR_VERSION: ${ROR_KBN_VERSION:-ROR_KBN_VERSION_NOT_CONFIGURED} + ROR_FILE: ${KBN_ROR_FILE:-KBN_ROR_FILE_NOT_CONFIGURED} + ROR_LICENSE_EDITION: ${ROR_LICENSE_EDITION:-ROR_LICENSE_EDITION_NOT_CONFIGURED} + ports: + - "15602:5601" + depends_on: + es-ror: + condition: service_healthy + keycloak: + condition: service_healthy + required: false + environment: + ELASTICSEARCH_HOSTS: https://es-ror:9200 + ROR_ACTIVATION_KEY: $ROR_ACTIVATION_KEY + SERVER_NAME: kbn-ror-2 + healthcheck: + test: [ "CMD-SHELL", "curl -fksS --connect-timeout 3 --max-time 5 --retry 2 --retry-connrefused -u admin:admin https://127.0.0.1:5601/api/features >/dev/null || exit 1" ] + interval: 10s + timeout: 10s + retries: 30 + start_period: 60s + networks: + - es-ror-network + ulimits: + memlock: + soft: -1 + hard: -1 initializer: build: context: . @@ -111,7 +144,20 @@ services: - ./init-scripts:/scripts networks: - es-ror-network - + proxy: + build: + context: . + dockerfile: images/reverse-proxy/Dockerfile + depends_on: + es-ror: + condition: service_healthy + kbn-ror: + condition: service_healthy + networks: + - es-ror-network + ports: + - "8082:80" + - "8443:443" networks: es-ror-network: driver: bridge 
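Review bot: The `kbn-ror-2` healthcheck hard-codes `-u admin:admin` in the command string, which ties the service definition to the default admin account and repeats the password in the compose file and in the container's healthcheck metadata. Interpolating it from variables, e.g. `-u "${KBN_ADMIN_USER}:${KBN_ADMIN_PASS}"` supplied the same way `ROR_ACTIVATION_KEY` already is (the names are placeholders), lets the password change without editing this file. The published port `"15602:5601"` also binds on every host interface; `"127.0.0.1:15602:5601"` would confine the demo to the local machine.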
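Review bot: The new `proxy` service lists only `es-ror` and `kbn-ror` under `depends_on`, although the same commit introduces `kbn-ror-2` and the proxy image enables the balancer modules. If the vhost (not visible here) forwards to both Kibana nodes, the proxy can start before `kbn-ror-2` is healthy, and adding `kbn-ror-2:` with `condition: service_healthy` would close that gap. As with the Kibana port, `"8082:80"` and `"8443:443"` bind on every host interface; a mapping such as `"127.0.0.1:8443:443"` would match the `https://localhost:8443/deva-notix` public URL configured for Kibana.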
diff --git a/ror-demo-cluster/images/kbn-2/Dockerfile-use-ror-binaries-from-api b/ror-demo-cluster/images/kbn-2/Dockerfile-use-ror-binaries-from-api
new file mode 100644
index 0000000..03d13ac
--- /dev/null
+++ b/ror-demo-cluster/images/kbn-2/Dockerfile-use-ror-binaries-from-api
@@ -0,0 +1,22 @@
+ARG KBN_VERSION=please_set_kbn_version_arg
+
+FROM docker.elastic.co/kibana/kibana:${KBN_VERSION}
+
+ARG KBN_VERSION=please_set_kbn_version_arg
+ARG ROR_VERSION=please_set_ror_version_arg
+ARG ROR_LICENSE_EDITION=please_set_ror_license_edition_arg
+
+COPY conf/kbn-2/ror-oldplatform-kibana.yml /usr/share/kibana/config/ror-oldplatform-kibana.yml
+COPY conf/kbn-2/enterprise-ror-newplatform-kibana.yml /usr/share/kibana/config/enterprise-ror-newplatform-kibana.yml
+COPY conf/kbn-2/pro-ror-newplatform-kibana.yml /usr/share/kibana/config/pro-ror-newplatform-kibana.yml
+COPY conf/kbn-2/free-ror-newplatform-kibana.yml /usr/share/kibana/config/free-ror-newplatform-kibana.yml
+COPY conf/kbn-2/kibana.crt /usr/share/kibana/config/kibana.crt
+COPY conf/kbn-2/kibana.key /usr/share/kibana/config/kibana.key
+COPY images/kbn-2/install-ror-kbn-using-api.sh /tmp/install-ror.sh
+
+USER root
+
+RUN /tmp/install-ror.sh && \
+ chown -R kibana:kibana /usr/share/kibana/config
+
+USER kibana
diff --git a/ror-demo-cluster/images/kbn-2/Dockerfile-use-ror-binaries-from-file b/ror-demo-cluster/images/kbn-2/Dockerfile-use-ror-binaries-from-file
new file mode 100644
index 0000000..e63967d
--- /dev/null
+++ b/ror-demo-cluster/images/kbn-2/Dockerfile-use-ror-binaries-from-file
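Review bot: `COPY conf/kbn-2/kibana.key /usr/share/kibana/config/kibana.key` bakes the private key into an image layer with whatever mode it has in the build context, and ownership is corrected only later by the recursive `chown`. `COPY --chown=kibana:kibana --chmod=0400 conf/kbn-2/kibana.key /usr/share/kibana/config/kibana.key` (the `--chmod` flag needs BuildKit) would restrict it at copy time, and mounting the key at run time would keep it out of the image altogether. The install script is also left behind in `/tmp`; appending `&& rm -f /tmp/install-ror.sh` to the `RUN` step removes it. `Dockerfile-use-ror-binaries-from-file` has the same lines and additionally leaves `/tmp/ror.zip` in the image.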
@@ -0,0 +1,23 @@
+ARG KBN_VERSION=please_set_kbn_version_arg
+
+FROM docker.elastic.co/kibana/kibana:${KBN_VERSION}
+
+ARG KBN_VERSION=please_set_kbn_version_arg
+ARG ROR_FILE=please_set_ror_file_path
+ARG ROR_LICENSE_EDITION=please_set_ror_license_edition_arg
+
+COPY conf/kbn-2/ror-oldplatform-kibana.yml /usr/share/kibana/config/ror-oldplatform-kibana.yml
+COPY conf/kbn-2/enterprise-ror-newplatform-kibana.yml /usr/share/kibana/config/enterprise-ror-newplatform-kibana.yml
+COPY conf/kbn-2/pro-ror-newplatform-kibana.yml /usr/share/kibana/config/pro-ror-newplatform-kibana.yml
+COPY conf/kbn-2/free-ror-newplatform-kibana.yml /usr/share/kibana/config/free-ror-newplatform-kibana.yml
+COPY conf/kbn-2/kibana.crt /usr/share/kibana/config/kibana.crt
+COPY conf/kbn-2/kibana.key /usr/share/kibana/config/kibana.key
+COPY images/kbn-2/install-ror-kbn-using-file.sh /tmp/install-ror.sh
+COPY $ROR_FILE /tmp/ror.zip
+
+USER root
+
+RUN /tmp/install-ror.sh && \
+ chown -R kibana:kibana /usr/share/kibana/config
+
+USER kibana
diff --git a/ror-demo-cluster/images/kbn-2/install-ror-kbn-using-api.sh b/ror-demo-cluster/images/kbn-2/install-ror-kbn-using-api.sh
new file mode 100755
index 0000000..5fa2d92
--- /dev/null
+++ b/ror-demo-cluster/images/kbn-2/install-ror-kbn-using-api.sh
@@ -0,0 +1,74 @@
+#!/bin/bash -e
+
+function greater_than_or_equal() {
+ [ "$1" = "$(echo -e "$1\n$2" | sort -V | tail -n 1)" ];
+}
+
+if [[ -z "$KBN_VERSION" ]]; then
+ echo "No KBN_VERSION variable is set"
+ exit 1
+fi
+
+if [[ -z "$ROR_VERSION" ]]; then
+ echo "No ROR_VERSION variable is set"
+ exit 3
+fi
+
+ROR_KBN_EDITION=""
+if greater_than_or_equal "$ROR_VERSION" "1.43.0" && greater_than_or_equal "$KBN_VERSION" "7.9.0"; then
+ ROR_KBN_EDITION="kbn_universal"
+else
+ ROR_KBN_EDITION="kbn_free"
+fi
+ROR_DOWNLOAD_URL="https://api.beshu.tech/download/kbn?esVersion=$KBN_VERSION&pluginVersion=$ROR_VERSION&edition=$ROR_KBN_EDITION&email=ror-sandbox%40readonlyrest.com"
+
+echo "Installing KBN ROR $ROR_VERSION..."
+if ! greater_than_or_equal "$KBN_VERSION" "7.0.0"; then
+ export NODE_OPTIONS="--max-old-space-size=8192"
+fi
+
+if greater_than_or_equal "$KBN_VERSION" "7.11.0" ; then
+ /usr/share/kibana/bin/kibana-plugin install "$ROR_DOWNLOAD_URL"
+elif greater_than_or_equal "$KBN_VERSION" "7.2.0" ; then
+ /usr/share/kibana/bin/kibana-plugin install --allow-root "$ROR_DOWNLOAD_URL"
+else
+ /usr/share/kibana/bin/kibana-plugin install "$ROR_DOWNLOAD_URL"
+fi
+
+if greater_than_or_equal "$KBN_VERSION" "8.15.0" ; then
+ echo "Patching KBN $KBN_VERSION (ROR $ROR_VERSION)..."
+ /usr/share/kibana/node/glibc-217/bin/node plugins/readonlyrestkbn/ror-tools.js patch --I_UNDERSTAND_AND_ACCEPT_KBN_PATCHING=yes
+elif greater_than_or_equal "$KBN_VERSION" "7.9.0" ; then
+ echo "Patching KBN $KBN_VERSION (ROR $ROR_VERSION)..."
+ /usr/share/kibana/node/bin/node plugins/readonlyrestkbn/ror-tools.js patch --I_UNDERSTAND_AND_ACCEPT_KBN_PATCHING=yes
+fi
+
+ if greater_than_or_equal "$KBN_VERSION" "7.9.0"; then
+ case "${ROR_LICENSE_EDITION:-}" in
+ ENT)
+ mv /usr/share/kibana/config/enterprise-ror-newplatform-kibana.yml \
+ /usr/share/kibana/config/kibana.yml
+ ;;
+ PRO)
+ mv /usr/share/kibana/config/pro-ror-newplatform-kibana.yml \
+ /usr/share/kibana/config/kibana.yml
+ ;;
+ FREE)
+ mv /usr/share/kibana/config/free-ror-newplatform-kibana.yml \
+ /usr/share/kibana/config/kibana.yml
+ ;;
+ "")
+ echo "ERROR: ROR_LICENSE_EDITION is not set" >&2
+ exit 1
+ ;;
+ *)
+ echo "ERROR: Unsupported ROR_LICENSE_EDITION='${ROR_LICENSE_EDITION}'" >&2
+ exit 2
+ ;;
+ esac
+ else
+ mv /usr/share/kibana/config/ror-oldplatform-kibana.yml /usr/share/kibana/config/kibana.yml
+ rm -rf /usr/share/kibana/optimize # for some reason we have to remove it and let kibana optimize it on startup
+ fi
+
+echo "DONE!"
diff --git a/ror-demo-cluster/images/kbn-2/install-ror-kbn-using-file.sh b/ror-demo-cluster/images/kbn-2/install-ror-kbn-using-file.sh
new file mode 100755
index 0000000..ab04efe
--- /dev/null
+++ b/ror-demo-cluster/images/kbn-2/install-ror-kbn-using-file.sh
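Review bot: The plugin archive is fetched from `ROR_DOWNLOAD_URL` and handed straight to `kibana-plugin install`, after which `ror-tools.js patch` rewrites Kibana as root, with no integrity check on what was downloaded. Downloading to a file first and comparing it with a digest supplied as a build argument would pin the build to a known artifact; the sketch below assumes a new `ROR_SHA256` argument that the Dockerfile would have to declare. Separately, `plugins/readonlyrestkbn/ror-tools.js` is a relative path that resolves only when the working directory is `/usr/share/kibana`, so an absolute path would be more robust.

```shell
# … unchanged: version checks and ROR_DOWNLOAD_URL assembly …
ROR_ARCHIVE=/tmp/ror.zip
curl -fsSL --output "$ROR_ARCHIVE" "$ROR_DOWNLOAD_URL"
# ROR_SHA256 is an assumed build argument holding the expected digest
echo "${ROR_SHA256:?ROR_SHA256 is not set}  $ROR_ARCHIVE" | sha256sum -c -
# … unchanged: the three kibana-plugin install branches, each given
#   "file://$ROR_ARCHIVE" in place of "$ROR_DOWNLOAD_URL" …
rm -f "$ROR_ARCHIVE"
# … unchanged: patch step and kibana.yml selection …
```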
@@ -0,0 +1,59 @@
+#!/bin/bash -e
+
+function greater_than_or_equal() {
+ [ "$1" = "$(echo -e "$1\n$2" | sort -V | tail -n 1)" ];
+}
+
+if [[ -z "$KBN_VERSION" ]]; then
+ echo "No KBN_VERSION variable is set"
+ exit 1
+fi
+
+echo "Installing KBN ROR $ROR_VERSION..."
+if ! greater_than_or_equal "$KBN_VERSION" "7.0.0"; then
+ export NODE_OPTIONS="--max-old-space-size=8192"
+fi
+
+if greater_than_or_equal "$KBN_VERSION" "7.11.0" ; then
+ /usr/share/kibana/bin/kibana-plugin install file:///tmp/ror.zip
+else
+ /usr/share/kibana/bin/kibana-plugin install --allow-root file:///tmp/ror.zip
+fi
+
+if greater_than_or_equal "$KBN_VERSION" "8.15.0" ; then
+ echo "Patching KBN $KBN_VERSION (ROR $ROR_VERSION)..."
+ /usr/share/kibana/node/glibc-217/bin/node plugins/readonlyrestkbn/ror-tools.js patch --I_UNDERSTAND_AND_ACCEPT_KBN_PATCHING=yes
+elif greater_than_or_equal "$KBN_VERSION" "7.9.0" ; then
+ echo "Patching KBN $KBN_VERSION (ROR $ROR_VERSION)..."
+ /usr/share/kibana/node/bin/node plugins/readonlyrestkbn/ror-tools.js patch --I_UNDERSTAND_AND_ACCEPT_KBN_PATCHING=yes
+fi
+
+ if greater_than_or_equal "$KBN_VERSION" "7.9.0"; then
+ case "${ROR_LICENSE_EDITION:-}" in
+ ENT)
+ mv /usr/share/kibana/config/enterprise-ror-newplatform-kibana.yml \
+ /usr/share/kibana/config/kibana.yml
+ ;;
+ PRO)
+ mv /usr/share/kibana/config/pro-ror-newplatform-kibana.yml \
+ /usr/share/kibana/config/kibana.yml
+ ;;
+ FREE)
+ mv /usr/share/kibana/config/free-ror-newplatform-kibana.yml \
+ /usr/share/kibana/config/kibana.yml
+ ;;
+ "")
+ echo "ERROR: ROR_LICENSE_EDITION is not set" >&2
+ exit 1
+ ;;
+ *)
+ echo "ERROR: Unsupported ROR_LICENSE_EDITION='${ROR_LICENSE_EDITION}'" >&2
+ exit 2
+ ;;
+ esac
+ else
+ mv /usr/share/kibana/config/ror-oldplatform-kibana.yml /usr/share/kibana/config/kibana.yml
+ rm -rf /usr/share/kibana/optimize # for some reason we have to remove it and let kibana optimize it on startup
+ fi
+
+echo "DONE!"
\ No newline at end of file
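Review bot: The `--allow-root` handling differs from install-ror-kbn-using-api.sh: here every Kibana below 7.11.0 gets `--allow-root`, while the API variant passes it only from 7.2.0 up, so the two installers behave differently on the same old version. The script also prints `$ROR_VERSION` without the guard the API variant has; adding `if [[ -z "$ROR_VERSION" ]]; then echo "No ROR_VERSION variable is set"; exit 3; fi` would keep them aligned. Since both files share everything after the install step, a comment at the top naming the sibling script would help keep later edits in sync.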
diff --git a/ror-demo-cluster/images/reverse-proxy/Dockerfile b/ror-demo-cluster/images/reverse-proxy/Dockerfile
new file mode 100644
index 0000000..c018f1b
--- /dev/null
+++ b/ror-demo-cluster/images/reverse-proxy/Dockerfile
@@ -0,0 +1,28 @@
+# Dockerfile
+FROM httpd:2.4
+
+# Enable required modules: proxy, balancer, lbmethod, rewrite, headers, slotmem, ssl, wstunnel, socache
+RUN sed -i \
+ -e 's/^#\(LoadModule slotmem_shm_module modules\/mod_slotmem_shm.so\)/\1/' \
+ -e 's/^#\(LoadModule socache_shmcb_module modules\/mod_socache_shmcb.so\)/\1/' \
+ -e 's/^#\(LoadModule proxy_module modules\/mod_proxy.so\)/\1/' \
+ -e 's/^#\(LoadModule proxy_http_module modules\/mod_proxy_http.so\)/\1/' \
+ -e 's/^#\(LoadModule proxy_wstunnel_module modules\/mod_proxy_wstunnel.so\)/\1/' \
+ -e 's/^#\(LoadModule proxy_balancer_module modules\/mod_proxy_balancer.so\)/\1/' \
+ -e 's/^#\(LoadModule lbmethod_byrequests_module modules\/mod_lbmethod_byrequests.so\)/\1/' \
+ -e 's/^#\(LoadModule rewrite_module modules\/mod_rewrite.so\)/\1/' \
+ -e 's/^#\(LoadModule headers_module modules\/mod_headers.so\)/\1/' \
+ -e 's/^#\(LoadModule ssl_module modules\/mod_ssl.so\)/\1/' \
+ /usr/local/apache2/conf/httpd.conf
+
+RUN echo "ServerName localhost" >> /usr/local/apache2/conf/httpd.conf \
+ && echo "Listen 443" >> /usr/local/apache2/conf/httpd.conf
+
+# Copy vhost and include it
+COPY images/reverse-proxy/deva-notix.conf /usr/local/apache2/conf/extra/deva-notix.conf
+RUN echo "Include conf/extra/deva-notix.conf" >> /usr/local/apache2/conf/httpd.conf
+
+# Copy TLS certs (provide server.crt and server.key under images/reverse-proxy/certs)
+COPY conf/reverse-proxy/certs/ /usr/local/apache2/conf/certs/
+
+EXPOSE 80 443
diff --git a/ror-demo-cluster/images/reverse-proxy/deva-notix.conf b/ror-demo-cluster/images/reverse-proxy/deva-notix.conf
new file mode 100644
index 0000000..6224062
--- /dev/null
+++ b/ror-demo-cluster/images/reverse-proxy/deva-notix.conf
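Review bot: The final `COPY conf/reverse-proxy/certs/` bakes `server.key` into an image layer, where it stays readable to anyone who can pull or export the image; mounting the directory read-only from docker-compose at runtime keeps the key out of the image. The comment above that line names `images/reverse-proxy/certs`, which does not match the copied path and should read `# Copy TLS certs (provide server.crt and server.key under conf/reverse-proxy/certs)`. `FROM httpd:2.4` is a floating tag, so pinning it by digest would make rebuilds reproducible.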
@@ -0,0 +1,44 @@ + + ServerName localhost + + ErrorLog /usr/local/apache2/logs/deva-notix_error.log + CustomLog /usr/local/apache2/logs/deva-notix_access.log combined + + SSLEngine On + SSLCertificateFile "/usr/local/apache2/conf/certs/server.crt" + SSLCertificateKeyFile "/usr/local/apache2/conf/certs/server.key" + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite HIGH:!aNULL:!MD5 + SSLHonorCipherOrder On + + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" + + ProxyPreserveHost On + ProxyRequests Off + + RequestHeader set X-Forwarded-Proto "https" + RequestHeader set X-Forwarded-Host "%{Host}i" + RequestHeader set X-Forwarded-Port "443" + + SSLProxyEngine On + SSLProxyVerify none + SSLProxyCheckPeerName off + SSLProxyCheckPeerCN off + + + BalancerMember "https://kbn-ror:5601" route=server-1 loadfactor=1 keepalive=On connectiontimeout=10 retry=2 timeout=300 + BalancerMember "https://kbn-ror-2:5601" route=server-2 loadfactor=1 keepalive=On connectiontimeout=10 retry=2 timeout=300 + ProxySet lbmethod=byrequests stickysession=ROUTEID nofailover=Off + + + + RewriteEngine On + RewriteRule ^/deva-notix$ /deva-notix/ [R,L] + RewriteRule ^/notix$ /deva-notix/ [R,L] + RewriteRule ^/deva-notix/(.*) balancer://deva-notix/$1 [NC,QSA,P] + + Header add Set-Cookie "ROUTEID=%{BALANCER_WORKER_ROUTE}e; Path=/deva-notix; HttpOnly; SameSite=Lax; Secure" env=BALANCER_ROUTE_CHANGED + + + + diff --git a/ror-demo-cluster/run.sh b/ror-demo-cluster/run.sh index 51e7852..92adf5a 100755 --- a/ror-demo-cluster/run.sh +++ b/ror-demo-cluster/run.sh 
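Review bot: `SSLProxyVerify none` together with `SSLProxyCheckPeerName off` and `SSLProxyCheckPeerCN off` means the proxy accepts any certificate from `kbn-ror` and `kbn-ror-2`, so the TLS hop to the backends is encrypted but not authenticated. If that is only a shortcut for the demo, a comment saying so next to the three directives would stop the file being copied as-is; otherwise `SSLProxyVerify require` with `SSLProxyCACertificateFile` pointing at the backend certificate restores chain verification. Name checks would additionally need backend certificates issued with matching host names, which the openssl command quoted in the Kibana yml comments does not appear to produce.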
@@ -65,10 +65,10 @@ echo -e " case "${ROR_LICENSE_EDITION:-}" in ENT) - echo -e "You can access ROR KBN here: https://localhost:15601 (login via 'Keycloak' button; users: 'extUser1:extUser1', 'extUser2:extUser2').\nKeycloak admin console: http://kc.localhost:8080/admin (admin:admin)" + echo -e "You can access ROR KBN via proxy here: https://localhost:8443/deva-notix" ;; PRO|FREE) - echo -e "You can access ROR KBN here: https://localhost:15601" + echo -e "You can access ROR KBN via proxy : https://localhost:8443/deva-notix" ;; *) ;; From c30cb8b976d2348082f113a472354c950626c2a3 Mon Sep 17 00:00:00 2001 
From: Dawid Poliszak Date: Sat, 11 Oct 2025 14:06:43 +0200 Subject: [PATCH 2/7] poc --- .../docker-compose.yml | 2 +- .../enterprise-ror-newplatform-kibana.yml | 70 ++++++++++++++ .../kbn-2/free-ror-newplatform-kibana.yml | 70 ++++++++++++++ ror-demo-cluster/conf/kbn-2/kibana.crt | 21 +++++ ror-demo-cluster/conf/kbn-2/kibana.key | 28 ++++++ .../conf/kbn-2/pro-ror-newplatform-kibana.yml | 70 ++++++++++++++ .../conf/kbn-2/ror-oldplatform-kibana.yml | 15 +++ .../kbn/enterprise-ror-newplatform-kibana.yml | 92 +++++++++++-------- .../conf/kbn/free-ror-newplatform-kibana.yml | 56 ++++++++++- .../conf/kbn/pro-ror-newplatform-kibana.yml | 56 ++++++++++- ror-demo-cluster/docker-compose.yml | 48 +++++++++- .../Dockerfile-use-ror-binaries-from-api | 22 +++++ .../Dockerfile-use-ror-binaries-from-file | 23 +++++ .../images/kbn-2/install-ror-kbn-using-api.sh | 74 +++++++++++++++ .../kbn-2/install-ror-kbn-using-file.sh | 59 ++++++++++++ .../images/reverse-proxy/Dockerfile | 28 ++++++ .../images/reverse-proxy/deva-notix.conf | 44 +++++++++ ror-demo-cluster/run.sh | 4 +- 18 files changed, 739 insertions(+), 43 deletions(-) create mode 100644 ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml create mode 100644 ror-demo-cluster/conf/kbn-2/free-ror-newplatform-kibana.yml create mode 100644 ror-demo-cluster/conf/kbn-2/kibana.crt create mode 100644 ror-demo-cluster/conf/kbn-2/kibana.key create mode 100644 ror-demo-cluster/conf/kbn-2/pro-ror-newplatform-kibana.yml create mode 100644 ror-demo-cluster/conf/kbn-2/ror-oldplatform-kibana.yml create mode 100644 ror-demo-cluster/images/kbn-2/Dockerfile-use-ror-binaries-from-api create mode 100644 ror-demo-cluster/images/kbn-2/Dockerfile-use-ror-binaries-from-file create mode 100755 ror-demo-cluster/images/kbn-2/install-ror-kbn-using-api.sh create mode 100755 ror-demo-cluster/images/kbn-2/install-ror-kbn-using-file.sh create mode 100644 ror-demo-cluster/images/reverse-proxy/Dockerfile create mode 100644 
ror-demo-cluster/images/reverse-proxy/deva-notix.conf diff --git a/ror-cluster-elastic-cloud-demo/docker-compose.yml b/ror-cluster-elastic-cloud-demo/docker-compose.yml index 4dbc87a..000b166 100644 --- a/ror-cluster-elastic-cloud-demo/docker-compose.yml +++ b/ror-cluster-elastic-cloud-demo/docker-compose.yml @@ -39,7 +39,7 @@ services: kbn-ror: build: context: . - dockerfile: images/kbn/${KBN_DOCKERFILE} + dockerfile: images/kbn-2/${KBN_DOCKERFILE} args: KBN_VERSION: $KBN_VERSION ROR_VERSION: $ROR_KBN_VERSION diff --git a/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml new file mode 100644 index 0000000..2f605e7 --- /dev/null +++ b/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml 
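Review bot: This compose file lives in ror-cluster-elastic-cloud-demo and builds with `context: .`, yet the new `dockerfile: images/kbn-2/${KBN_DOCKERFILE}` points at a directory that the diffstat creates only under ror-demo-cluster. Unless ror-cluster-elastic-cloud-demo/images/kbn-2 already exists outside this patch, the `kbn-ror` build here would fail to find its Dockerfile. If the change was meant for the demo cluster only, keeping `dockerfile: images/kbn/${KBN_DOCKERFILE}` in this file avoids that.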
@@ -0,0 +1,70 @@ +server.name: kibana-ror-2 +server.host: 0.0.0.0 +server.basePath: /deva-notix +server.rewriteBasePath: false +server.publicBaseUrl: "https://localhost:8443/deva-notix" + +elasticsearch.username: kibana +elasticsearch.password: kibana +elasticsearch.ssl.verificationMode: none +server.xsrf.allowlist: [] + +# generated with: +# $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt +server.ssl.enabled: true +server.ssl.certificate: /usr/share/kibana/config/kibana.crt +server.ssl.key: /usr/share/kibana/config/kibana.key +server.ssl.redirectHttpFromPort: 80 + +xpack.security.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.encryptedSavedObjects.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" + +xpack.reporting.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.reporting.queue.timeout: 120000 +xpack.reporting.csv.maxSizeBytes: 10485760 + +# disable "Your data is not secure. Don't lose one bit. Secure your data for free with Elastic." 
+xpack.security.showInsecureClusterWarning: false + +# alternative to disable spaces +xpack.spaces.maxSpaces: 0 + +# Explore underlying data +xpack.discoverEnhanced.actions.exploreDataInContextMenu.enabled: true +xpack.discoverEnhanced.actions.exploreDataInChart.enabled: true + +# session lifecycle management +xpack.security.session.idleTimeout: 3d +xpack.security.session.lifespan: 7d +xpack.security.session.cleanupInterval: 1d + +readonlyrest_kbn.logLevel: trace +readonlyrest_kbn.cookiePass: '12312313123213123213123abcdefghijklm' +readonlyrest_kbn.store_sessions_in_index: true + +#################### Kibana additional settings ################### +newsfeed.enabled: false +telemetry.optIn: false +telemetry.enabled: false +telemetry.allowChangingOptInStatus: false +i18n.locale: en + +#################### Kibana logging settings ###################### + +logging.appenders.roll-file.type: rolling-file +logging.appenders.roll-file.fileName: /usr/share/kibana/logs/kibana.log +logging.appenders.roll-file.policy.type: time-interval +logging.appenders.roll-file.policy.interval: 24h +logging.appenders.roll-file.policy.modulate: true +logging.appenders.roll-file.strategy.type: numeric +logging.appenders.roll-file.strategy.pattern: '.%i' +logging.appenders.roll-file.strategy.max: 2 +logging.appenders.roll-file.layout.type: json +logging.root.appenders: [roll-file,default] +logging.root.level: info + + +#################### Kibana CCS settings ###################### +monitoring.ui.ccs.enabled: false + + diff --git a/ror-demo-cluster/conf/kbn-2/free-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn-2/free-ror-newplatform-kibana.yml new file mode 100644 index 0000000..2f605e7 --- /dev/null +++ b/ror-demo-cluster/conf/kbn-2/free-ror-newplatform-kibana.yml 
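Review bot: `xpack.security.encryptionKey`, `xpack.encryptedSavedObjects.encryptionKey` and `xpack.reporting.encryptionKey` are set to one identical literal committed to the repository, next to a fixed `readonlyrest_kbn.cookiePass`, so anyone reading the repo holds the material that protects sessions and encrypted saved objects of a stack started from it. Both balancer members need the same values, which still holds when they come from the environment, e.g. `xpack.security.encryptionKey: "${KBN_ENCRYPTION_KEY}"` with a distinct variable per setting (the variable names are a proposal). `readonlyrest_kbn.logLevel: trace` also deserves a comment marking it as temporary for the reproduction, since trace output may include request details. The same lines appear in the free and pro files under conf/kbn-2 and in the three conf/kbn files changed later in this patch.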
@@ -0,0 +1,70 @@ +server.name: kibana-ror-2 +server.host: 0.0.0.0 +server.basePath: /deva-notix +server.rewriteBasePath: false +server.publicBaseUrl: "https://localhost:8443/deva-notix" + +elasticsearch.username: kibana +elasticsearch.password: kibana +elasticsearch.ssl.verificationMode: none +server.xsrf.allowlist: [] + +# generated with: +# $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt +server.ssl.enabled: true +server.ssl.certificate: /usr/share/kibana/config/kibana.crt +server.ssl.key: /usr/share/kibana/config/kibana.key +server.ssl.redirectHttpFromPort: 80 + +xpack.security.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.encryptedSavedObjects.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" + +xpack.reporting.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.reporting.queue.timeout: 120000 +xpack.reporting.csv.maxSizeBytes: 10485760 + +# disable "Your data is not secure. Don't lose one bit. Secure your data for free with Elastic." 
+xpack.security.showInsecureClusterWarning: false + +# alternative to disable spaces +xpack.spaces.maxSpaces: 0 + +# Explore underlying data +xpack.discoverEnhanced.actions.exploreDataInContextMenu.enabled: true +xpack.discoverEnhanced.actions.exploreDataInChart.enabled: true + +# session lifecycle management +xpack.security.session.idleTimeout: 3d +xpack.security.session.lifespan: 7d +xpack.security.session.cleanupInterval: 1d + +readonlyrest_kbn.logLevel: trace +readonlyrest_kbn.cookiePass: '12312313123213123213123abcdefghijklm' +readonlyrest_kbn.store_sessions_in_index: true + +#################### Kibana additional settings ################### +newsfeed.enabled: false +telemetry.optIn: false +telemetry.enabled: false +telemetry.allowChangingOptInStatus: false +i18n.locale: en + +#################### Kibana logging settings ###################### + +logging.appenders.roll-file.type: rolling-file +logging.appenders.roll-file.fileName: /usr/share/kibana/logs/kibana.log +logging.appenders.roll-file.policy.type: time-interval +logging.appenders.roll-file.policy.interval: 24h +logging.appenders.roll-file.policy.modulate: true +logging.appenders.roll-file.strategy.type: numeric +logging.appenders.roll-file.strategy.pattern: '.%i' +logging.appenders.roll-file.strategy.max: 2 +logging.appenders.roll-file.layout.type: json +logging.root.appenders: [roll-file,default] +logging.root.level: info + + +#################### Kibana CCS settings ###################### +monitoring.ui.ccs.enabled: false + + diff --git a/ror-demo-cluster/conf/kbn-2/kibana.crt b/ror-demo-cluster/conf/kbn-2/kibana.crt new file mode 100644 index 0000000..e299680 --- /dev/null +++ b/ror-demo-cluster/conf/kbn-2/kibana.crt 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDazCCAlOgAwIBAgIUBiE6BT/+Rshrppljbwt9YUKI0L4wDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA5MjYxODQyNThaFw0zNDA5 +MjQxODQyNThaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDG3G4Thxy7EozvjLSipdvZqjqCsfsjS9hpYP3yCYHd +X6Zd1jEIrUnU7m0K9Mqnu4ws+rMKFVPG8VTGtwYtvhirp3E5Z452BCpPVlA95buA +tgFaPF7fD/KexrlZZguBGmGvg1Tl2XbuTPMxy2bOaQEB23MnKdfGrG/vrZW4dYBn +BdbITpZv3RTtpiM6nWLaGXKMuZKa5jLLvATqF6NyoSDzp0h/mLkAlyK9YGCcAfcX +FenpHfO7bXK0j+cuZOxLTqWqfvXk3W+PIti0x1oX+wCWUeLcunu55ULZiCmHkp1j +SxQRGJtlBFMcCQ1cqVzjCcXNG2yLhvvLiNbieZsQQEMVAgMBAAGjUzBRMB0GA1Ud +DgQWBBQAhrFCBCBAdrJH179OeQI2at+wHDAfBgNVHSMEGDAWgBQAhrFCBCBAdrJH +179OeQI2at+wHDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBI +esiejMlKXp0mj34N5NDs3I7+AHIFIGTY+u6I4kF+tuiAcCYWWF4cG3g0pJzvokIi +wIdjCQjXBwfbu6KBv0wphqlSJ9lwDPBGBG1Lc6Sg+wHTqrdwL8f4FcJF1IB92mLc +wNSQNnjqxgcD5AOTqVHIy9hhJVufZonypIMSRV5xndv5qGP2TjSM4bF/Cj3YIK9D +2pLAUG3Vj3YIr0jOiyRbYlzaXpV9hPwfkbLSrqi/RwHvZtUv7B7roAY1mSg5wYFg +CbHH7nmpV3wzaF47Y/k+O4+37DbCYuDJwrLyhqksqQiN55s4UG15ATBS8fYWfRnf +t2WXvSztBJ6TS+pOm6GM +-----END CERTIFICATE----- diff --git a/ror-demo-cluster/conf/kbn-2/kibana.key b/ror-demo-cluster/conf/kbn-2/kibana.key new file mode 100644 index 0000000..8bb8fc5 --- /dev/null +++ b/ror-demo-cluster/conf/kbn-2/kibana.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDG3G4Thxy7Eozv +jLSipdvZqjqCsfsjS9hpYP3yCYHdX6Zd1jEIrUnU7m0K9Mqnu4ws+rMKFVPG8VTG +twYtvhirp3E5Z452BCpPVlA95buAtgFaPF7fD/KexrlZZguBGmGvg1Tl2XbuTPMx +y2bOaQEB23MnKdfGrG/vrZW4dYBnBdbITpZv3RTtpiM6nWLaGXKMuZKa5jLLvATq +F6NyoSDzp0h/mLkAlyK9YGCcAfcXFenpHfO7bXK0j+cuZOxLTqWqfvXk3W+PIti0 +x1oX+wCWUeLcunu55ULZiCmHkp1jSxQRGJtlBFMcCQ1cqVzjCcXNG2yLhvvLiNbi +eZsQQEMVAgMBAAECggEAF5FSPmA56HXXXCCJ2+jaOF6zVn/vaox3lm2XSxMTYAAR +AHf9EbEv2dtz8uN2DRDuGPqRM3W5mw9I49AXHF62H8nVYl9Cg/wUY5iwI9XRNfzc +Biy3dao3L9gPaWftnxxYTWu8KQ1vyeg2vkUD5xyMsQKoEBEmcHZJQdeJsfXDBPJ3 +tQSkDSrnr4f7uEQvr9iidEXnyfz1azF0snZ00IkBXRV2dcbTOIu6W+2uI1/Pthjt +rAoqvSuwBlUtvQG7Btat4tL84LNTfH+SoXJK1v4JwbqydV/U47Cc0Tp2inJugfVA +o6Cj5ptKvxI7mkFQuoyG4bm3x+79XeNbrYxhBK3hlQKBgQDnvMTfdIxC+rU+cKY0 +6sEaCzNbh3ZGqgVpBRj0i7EfdBNOctzlFSQGQhCD1SnXc7ihNZ5t2MKJRap3MNDX +Xh6jllgkjXnw1V+b2E1nBtkp/F8dWnrvzwJbSN+KeCP+zio6g2gKYLZab0GIRTEB +QvXgeaWAmIuxq2GENF8K1FuQYwKBgQDbrnsDKJI3rpfLbzrZB22gwdmq7wZWllzc +1Axiqn6xXqghXPLna3fDAbisQgRrQFTjBU9gM3isp4PGVurdPQa35ve6UAgoJUat +hIqvBzcbER3YEBksJtLvai9m9yQ69vYdMPbR10ZhA6EqTcp2MgyIEvAvue964J2p +3L1/r6bsJwKBgCksRN5e2rzbxm/9m8ozG3QBIXLVspIDi0qJeVGZsDKicPuzNMQO +6YOjIUQLD5AUI22hFTD3Hjk9g3gB2Fkrg84U3DxCVrQPdRk/aSEw+kyXZl7UwJry +8Lw/SlhT2DFhd+dFiaquXDfdJIuNn5NVzlG/y0P51ngOtxjCJVDLQil5AoGAa0qk +Ob6u6xMSgAErNKQ0HreOn7Vt2wxE/nVyNx4eEnKwmtrSp8QNEejdUQRNNDSPQPFu ++wUoguqtqUj6HGOZzGe5xf0gfrr18fkx4pobh9SsRsJWCQJNMzEhRaCeyU2klk07 +vvDtJqSnKgokP+XhyPO26xhcph7d4gA1bQ9U7zECgYAX4Fe9+2Uzmu035C5oHgUv +dA4NRP9lutpH0uboUxo1hdxKtTM1dmeXAj+SL5jyYBpfE3c8Ha3QGlIN8sHiKZTA +0A3bRAHjoKNULPgiODmwaK9y1vOm0Kol6QsJ3QZrc+iHf3wscMnimSwH2XxPnNSD +zh06Wun9UBVUZbdsIPDcLg== +-----END PRIVATE KEY----- diff --git a/ror-demo-cluster/conf/kbn-2/pro-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn-2/pro-ror-newplatform-kibana.yml new file mode 100644 index 0000000..2f605e7 --- /dev/null 
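Review bot: A private key is committed in clear here, so the TLS identity of the second Kibana node is known to everyone with access to the repository, and it stays in the history even after a later removal. The Kibana yml comments already quote the command that creates the pair, `openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt`; running it during the image build or from run.sh and git-ignoring the output would give each checkout its own key. If the files stay, a README line stating that they are demo-only material that must never be reused would at least document the intent.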
+++ b/ror-demo-cluster/conf/kbn-2/pro-ror-newplatform-kibana.yml 
@@ -0,0 +1,70 @@ +server.name: kibana-ror-2 +server.host: 0.0.0.0 +server.basePath: /deva-notix +server.rewriteBasePath: false +server.publicBaseUrl: "https://localhost:8443/deva-notix" + +elasticsearch.username: kibana +elasticsearch.password: kibana +elasticsearch.ssl.verificationMode: none +server.xsrf.allowlist: [] + +# generated with: +# $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt +server.ssl.enabled: true +server.ssl.certificate: /usr/share/kibana/config/kibana.crt +server.ssl.key: /usr/share/kibana/config/kibana.key +server.ssl.redirectHttpFromPort: 80 + +xpack.security.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.encryptedSavedObjects.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" + +xpack.reporting.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.reporting.queue.timeout: 120000 +xpack.reporting.csv.maxSizeBytes: 10485760 + +# disable "Your data is not secure. Don't lose one bit. Secure your data for free with Elastic." 
+xpack.security.showInsecureClusterWarning: false + +# alternative to disable spaces +xpack.spaces.maxSpaces: 0 + +# Explore underlying data +xpack.discoverEnhanced.actions.exploreDataInContextMenu.enabled: true +xpack.discoverEnhanced.actions.exploreDataInChart.enabled: true + +# session lifecycle management +xpack.security.session.idleTimeout: 3d +xpack.security.session.lifespan: 7d +xpack.security.session.cleanupInterval: 1d + +readonlyrest_kbn.logLevel: trace +readonlyrest_kbn.cookiePass: '12312313123213123213123abcdefghijklm' +readonlyrest_kbn.store_sessions_in_index: true + +#################### Kibana additional settings ################### +newsfeed.enabled: false +telemetry.optIn: false +telemetry.enabled: false +telemetry.allowChangingOptInStatus: false +i18n.locale: en + +#################### Kibana logging settings ###################### + +logging.appenders.roll-file.type: rolling-file +logging.appenders.roll-file.fileName: /usr/share/kibana/logs/kibana.log +logging.appenders.roll-file.policy.type: time-interval +logging.appenders.roll-file.policy.interval: 24h +logging.appenders.roll-file.policy.modulate: true +logging.appenders.roll-file.strategy.type: numeric +logging.appenders.roll-file.strategy.pattern: '.%i' +logging.appenders.roll-file.strategy.max: 2 +logging.appenders.roll-file.layout.type: json +logging.root.appenders: [roll-file,default] +logging.root.level: info + + +#################### Kibana CCS settings ###################### +monitoring.ui.ccs.enabled: false + + diff --git a/ror-demo-cluster/conf/kbn-2/ror-oldplatform-kibana.yml b/ror-demo-cluster/conf/kbn-2/ror-oldplatform-kibana.yml new file mode 100644 index 0000000..de0b5d6 --- /dev/null +++ b/ror-demo-cluster/conf/kbn-2/ror-oldplatform-kibana.yml 
@@ -0,0 +1,15 @@ +server.name: kibana-ror +server.host: 0.0.0.0 + +elasticsearch.username: kibana +elasticsearch.password: kibana +elasticsearch.ssl.verificationMode: none + +# generated with: +# $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt +server.ssl.enabled: true +server.ssl.certificate: /usr/share/kibana/config/kibana.crt +server.ssl.key: /usr/share/kibana/config/kibana.key +server.ssl.redirectHttpFromPort: 80 + +xpack.security.enabled: false diff --git a/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml index 9abf6b5..4366a6c 100644 --- a/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml +++ b/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml @@ -1,9 +1,13 @@ server.name: kibana-ror server.host: 0.0.0.0 +server.basePath: /deva-notix +server.rewriteBasePath: false +server.publicBaseUrl: "https://localhost:8443/deva-notix" elasticsearch.username: kibana elasticsearch.password: kibana elasticsearch.ssl.verificationMode: none +server.xsrf.allowlist: [] # generated with: # $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt 
@@ -12,41 +16,55 @@ server.ssl.certificate: /usr/share/kibana/config/kibana.crt server.ssl.key: /usr/share/kibana/config/kibana.key server.ssl.redirectHttpFromPort: 80 -readonlyrest_kbn.logLevel: info +xpack.security.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.encryptedSavedObjects.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" + +xpack.reporting.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.reporting.queue.timeout: 120000 +xpack.reporting.csv.maxSizeBytes: 10485760 + +# disable "Your data is not secure. Don't lose one bit. Secure your data for free with Elastic." +xpack.security.showInsecureClusterWarning: false + +# alternative to disable spaces +xpack.spaces.maxSpaces: 0 + +# Explore underlying data +xpack.discoverEnhanced.actions.exploreDataInContextMenu.enabled: true +xpack.discoverEnhanced.actions.exploreDataInChart.enabled: true + +# session lifecycle management +xpack.security.session.idleTimeout: 3d +xpack.security.session.lifespan: 7d +xpack.security.session.cleanupInterval: 1d + +readonlyrest_kbn.logLevel: trace readonlyrest_kbn.cookiePass: '12312313123213123213123abcdefghijklm' -readonlyrest_kbn: - auth: - signature_key: 
"9yzBfnLaTYLfGPzyKW9es76RKYhUVgmuv6ZtehaScj5msGpBpa5FWpwk295uJYaaffTFnQC5tsknh2AguVDaTrqCLfM5zCTqdE4UGNL73h28Bg4dPrvTAFQyygQqv4xfgnevBED6VZYdfjXAQLc8J8ywaHQQSmprZqYCWGE6sM3vzNUEWWB3kmGrEKa4sGbXhmXZCvL6NDnEJhXPDJAzu9BMQxn8CzVLqrx6BxDgPYF8gZCxtyxMckXwCaYXrxAGbjkYH69F4wYhuAdHSWgRAQCuWwYmWCA6g39j4VPge5pv962XYvxwJpvn23Y5KvNZ5S5c6crdG4f4gTCXnU36x92fKMQzsQV9K4phcuNvMWkpqVB6xMA5aPzUeHcGytD93dG8D52P5BxsgaJJE6QqDrk3Y2vyLw9ZEbJhPRJxbuBKVCBtVx26Ldd46dq5eyyzmNEyQGLrjQ4qd978VtG8TNT5rkn4ETJQEju5HfCBbjm3urGLFVqxhGVawecT4YM9Rry4EqXWkRJGTFQWQRnweUFbKNbVTC9NxcXEp6K5rSPEy9trb5UYLYhhMJ9fWSBMuenGRjNSJxeurMRCaxPpNppBLFnp8qW5ezfHgCBpEjkSNNzP4uXMZFAXmdUfJ8XQdPTWuYfdHYc5TZWnzrdq9wcfFQRDpDB2zX5Myu96krDt9vA7wNKfYwkSczA6qUQV66jA8nV4Cs38cDAKVBXnxz22ddAVrPv8ajpu7hgBtULMURjvLt94Nc5FDKw79CTTQxffWEj9BJCDCpQnTufmT8xenywwVJvtj49yv2MP2mGECrVDRmcGUAYBKR8G6ZnFAYDVC9UhY46FGWDcyVX3HKwgtHeb45Ww7dsW8JdMnZYctaEU585GZmqTJp2LcAWRcQPH25JewnPX8pjzVpJNcy7avfA2bcU86bfASvQBDUCrhjgRmK2ECR6vzPwTsYKRgFrDqb62FeMdrKgJ9vKs435T5ACN7MNtdRXHQ4fj5pNpUMDW26Wd7tt9bkBTqEGf" - - oidc_keycloak: - buttonName: "Keycloak OIDC" - type: "oidc" - protocol: "https" - issuer: 'http://kc.localhost:8080/realms/ror' - authorizationURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/auth' - tokenURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/token' - userInfoURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/userinfo' - jwksURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/certs' - clientID: 'kibana-ror' - clientSecret: 'kibanasecret123' - scope: 'openid profile email' - usernameParameter: 'preferred_username' - groupsParameter: 'groups' - kibanaExternalHost: 'localhost:15601' - logoutUrl: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/logout' - oidc_lemon_ldap: - buttonName: "LemonLDAP OpenID" - type: "oidc" - protocol: "https" - issuer: 'https://oidctest.wsweet.org/' - authorizationURL: 'https://oidctest.wsweet.org/oauth2/authorize' - tokenURL: 
'https://oidctest.wsweet.org/oauth2/token' - userInfoURL: 'https://oidctest.wsweet.org/oauth2/userinfo' - clientID: 'private' - clientSecret: 'tardis' - scope: 'openid users roles' - usernameParameter: 'sub' - groupsParameter: 'roles' - kibanaExternalHost: 'localhost:15601' - logoutUrl: 'https://oidctest.wsweet.org/oauth2/logout' - jwksURL: 'https://oidctest.wsweet.org/oauth2/jwks' +readonlyrest_kbn.store_sessions_in_index: true + +#################### Kibana additional settings ################### +newsfeed.enabled: false +telemetry.optIn: false +telemetry.enabled: false +telemetry.allowChangingOptInStatus: false +i18n.locale: en + +#################### Kibana logging settings ###################### + +logging.appenders.roll-file.type: rolling-file +logging.appenders.roll-file.fileName: /usr/share/kibana/logs/kibana.log +logging.appenders.roll-file.policy.type: time-interval +logging.appenders.roll-file.policy.interval: 24h +logging.appenders.roll-file.policy.modulate: true +logging.appenders.roll-file.strategy.type: numeric +logging.appenders.roll-file.strategy.pattern: '.%i' +logging.appenders.roll-file.strategy.max: 2 +logging.appenders.roll-file.layout.type: json +logging.root.appenders: [roll-file,default] +logging.root.level: info + + +#################### Kibana CCS settings ###################### +monitoring.ui.ccs.enabled: false + + diff --git a/ror-demo-cluster/conf/kbn/free-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn/free-ror-newplatform-kibana.yml index 3df3d8e..4366a6c 100644 --- a/ror-demo-cluster/conf/kbn/free-ror-newplatform-kibana.yml +++ b/ror-demo-cluster/conf/kbn/free-ror-newplatform-kibana.yml 
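Review bot: The new enterprise config no longer has a `readonlyrest_kbn.auth` section, so the Keycloak and LemonLDAP OIDC connectors are gone while docker-compose in this series still waits on `keycloak` and the ENT edition is still handled separately. If SSO is meant to keep working behind the proxy, the block needs to come back with `kibanaExternalHost` presumably set to the proxy address rather than `localhost:15601`; if dropping it is intentional for the reproduction, a comment at the top of the file saying so would prevent it being merged by accident. A restored block would be better reading `clientSecret` and `signature_key` from the environment than repeating the literals the old version carried.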
@@ -1,9 +1,13 @@ server.name: kibana-ror server.host: 0.0.0.0 +server.basePath: /deva-notix +server.rewriteBasePath: false +server.publicBaseUrl: "https://localhost:8443/deva-notix" elasticsearch.username: kibana elasticsearch.password: kibana elasticsearch.ssl.verificationMode: none +server.xsrf.allowlist: [] # generated with: # $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt 
@@ -12,5 +16,55 @@ server.ssl.certificate: /usr/share/kibana/config/kibana.crt server.ssl.key: /usr/share/kibana/config/kibana.key server.ssl.redirectHttpFromPort: 80 -readonlyrest_kbn.logLevel: info +xpack.security.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.encryptedSavedObjects.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" + +xpack.reporting.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.reporting.queue.timeout: 120000 +xpack.reporting.csv.maxSizeBytes: 10485760 + +# disable "Your data is not secure. Don't lose one bit. Secure your data for free with Elastic." +xpack.security.showInsecureClusterWarning: false + +# alternative to disable spaces +xpack.spaces.maxSpaces: 0 + +# Explore underlying data +xpack.discoverEnhanced.actions.exploreDataInContextMenu.enabled: true +xpack.discoverEnhanced.actions.exploreDataInChart.enabled: true + +# session lifecycle management +xpack.security.session.idleTimeout: 3d +xpack.security.session.lifespan: 7d +xpack.security.session.cleanupInterval: 1d + +readonlyrest_kbn.logLevel: trace readonlyrest_kbn.cookiePass: '12312313123213123213123abcdefghijklm' +readonlyrest_kbn.store_sessions_in_index: true + +#################### Kibana additional settings ################### +newsfeed.enabled: false +telemetry.optIn: false +telemetry.enabled: false +telemetry.allowChangingOptInStatus: false +i18n.locale: en + +#################### Kibana logging settings ###################### + +logging.appenders.roll-file.type: rolling-file +logging.appenders.roll-file.fileName: /usr/share/kibana/logs/kibana.log +logging.appenders.roll-file.policy.type: time-interval +logging.appenders.roll-file.policy.interval: 24h +logging.appenders.roll-file.policy.modulate: true +logging.appenders.roll-file.strategy.type: numeric +logging.appenders.roll-file.strategy.pattern: '.%i' +logging.appenders.roll-file.strategy.max: 2 
+logging.appenders.roll-file.layout.type: json +logging.root.appenders: [roll-file,default] +logging.root.level: info + + +#################### Kibana CCS settings ###################### +monitoring.ui.ccs.enabled: false + + diff --git a/ror-demo-cluster/conf/kbn/pro-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn/pro-ror-newplatform-kibana.yml index 3df3d8e..4366a6c 100644 --- a/ror-demo-cluster/conf/kbn/pro-ror-newplatform-kibana.yml +++ b/ror-demo-cluster/conf/kbn/pro-ror-newplatform-kibana.yml @@ -1,9 +1,13 @@ server.name: kibana-ror server.host: 0.0.0.0 +server.basePath: /deva-notix +server.rewriteBasePath: false +server.publicBaseUrl: "https://localhost:8443/deva-notix" elasticsearch.username: kibana elasticsearch.password: kibana elasticsearch.ssl.verificationMode: none +server.xsrf.allowlist: [] # generated with: # $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt 
@@ -12,5 +16,55 @@ server.ssl.certificate: /usr/share/kibana/config/kibana.crt server.ssl.key: /usr/share/kibana/config/kibana.key server.ssl.redirectHttpFromPort: 80 -readonlyrest_kbn.logLevel: info +xpack.security.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.encryptedSavedObjects.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" + +xpack.reporting.encryptionKey: "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!" +xpack.reporting.queue.timeout: 120000 +xpack.reporting.csv.maxSizeBytes: 10485760 + +# disable "Your data is not secure. Don't lose one bit. Secure your data for free with Elastic." +xpack.security.showInsecureClusterWarning: false + +# alternative to disable spaces +xpack.spaces.maxSpaces: 0 + +# Explore underlying data +xpack.discoverEnhanced.actions.exploreDataInContextMenu.enabled: true +xpack.discoverEnhanced.actions.exploreDataInChart.enabled: true + +# session lifecycle management +xpack.security.session.idleTimeout: 3d +xpack.security.session.lifespan: 7d +xpack.security.session.cleanupInterval: 1d + +readonlyrest_kbn.logLevel: trace readonlyrest_kbn.cookiePass: '12312313123213123213123abcdefghijklm' +readonlyrest_kbn.store_sessions_in_index: true + +#################### Kibana additional settings ################### +newsfeed.enabled: false +telemetry.optIn: false +telemetry.enabled: false +telemetry.allowChangingOptInStatus: false +i18n.locale: en + +#################### Kibana logging settings ###################### + +logging.appenders.roll-file.type: rolling-file +logging.appenders.roll-file.fileName: /usr/share/kibana/logs/kibana.log +logging.appenders.roll-file.policy.type: time-interval +logging.appenders.roll-file.policy.interval: 24h +logging.appenders.roll-file.policy.modulate: true +logging.appenders.roll-file.strategy.type: numeric +logging.appenders.roll-file.strategy.pattern: '.%i' +logging.appenders.roll-file.strategy.max: 2 
+logging.appenders.roll-file.layout.type: json +logging.root.appenders: [roll-file,default] +logging.root.level: info + + +#################### Kibana CCS settings ###################### +monitoring.ui.ccs.enabled: false + + diff --git a/ror-demo-cluster/docker-compose.yml b/ror-demo-cluster/docker-compose.yml index f907d81..deb29ba 100644 --- a/ror-demo-cluster/docker-compose.yml +++ b/ror-demo-cluster/docker-compose.yml @@ -88,6 +88,39 @@ services: soft: -1 hard: -1 + kbn-ror-2: + build: + context: . + dockerfile: images/kbn-2/${KBN_DOCKERFILE:-KBN_DOCKERFILE_NOT_CONFIGURED} + args: + KBN_VERSION: ${KBN_VERSION:-KBN_VERSION_NOT_CONFIGURED} + ROR_VERSION: ${ROR_KBN_VERSION:-ROR_KBN_VERSION_NOT_CONFIGURED} + ROR_FILE: ${KBN_ROR_FILE:-KBN_ROR_FILE_NOT_CONFIGURED} + ROR_LICENSE_EDITION: ${ROR_LICENSE_EDITION:-ROR_LICENSE_EDITION_NOT_CONFIGURED} + ports: + - "15602:5601" + depends_on: + es-ror: + condition: service_healthy + keycloak: + condition: service_healthy + required: false + environment: + ELASTICSEARCH_HOSTS: https://es-ror:9200 + ROR_ACTIVATION_KEY: $ROR_ACTIVATION_KEY + SERVER_NAME: kbn-ror-2 + healthcheck: + test: [ "CMD-SHELL", "curl -fksS --connect-timeout 3 --max-time 5 --retry 2 --retry-connrefused -u admin:admin https://127.0.0.1:5601/api/features >/dev/null || exit 1" ] + interval: 10s + timeout: 10s + retries: 30 + start_period: 60s + networks: + - es-ror-network + ulimits: + memlock: + soft: -1 + hard: -1 initializer: build: context: . @@ -111,7 +144,20 @@ services: - ./init-scripts:/scripts networks: - es-ror-network - + proxy: + build: + context: . + dockerfile: images/reverse-proxy/Dockerfile + depends_on: + es-ror: + condition: service_healthy + kbn-ror: + condition: service_healthy + networks: + - es-ror-network + ports: + - "8082:80" + - "8443:443" networks: es-ror-network: driver: bridge 
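Review bot: The `ports` entries of the new `kbn-ror-2` and `proxy` services (`"15602:5601"`, `"8082:80"`, `"8443:443"`) publish on every host interface, while the `kbn-ror-2` healthcheck in the same hunk shows that the stack accepts `admin:admin`. On a machine attached to a shared network the demo is then reachable from other hosts with its default credentials. Binding to loopback keeps the documented URLs working: `- "127.0.0.1:15602:5601"`, `- "127.0.0.1:8082:80"`, `- "127.0.0.1:8443:443"`. The `services:` mapping starts outside these hunks, so the bindings of the existing services are not visible here.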
diff --git a/ror-demo-cluster/images/kbn-2/Dockerfile-use-ror-binaries-from-api b/ror-demo-cluster/images/kbn-2/Dockerfile-use-ror-binaries-from-api new file mode 100644 index 0000000..03d13ac --- /dev/null +++ b/ror-demo-cluster/images/kbn-2/Dockerfile-use-ror-binaries-from-api @@ -0,0 +1,22 @@ +ARG KBN_VERSION=please_set_kbn_version_arg + +FROM docker.elastic.co/kibana/kibana:${KBN_VERSION} + +ARG KBN_VERSION=please_set_kbn_version_arg +ARG ROR_VERSION=please_set_ror_version_arg +ARG ROR_LICENSE_EDITION=please_set_ror_license_edition_arg + +COPY conf/kbn-2/ror-oldplatform-kibana.yml /usr/share/kibana/config/ror-oldplatform-kibana.yml +COPY conf/kbn-2/enterprise-ror-newplatform-kibana.yml /usr/share/kibana/config/enterprise-ror-newplatform-kibana.yml +COPY conf/kbn-2/pro-ror-newplatform-kibana.yml /usr/share/kibana/config/pro-ror-newplatform-kibana.yml +COPY conf/kbn-2/free-ror-newplatform-kibana.yml /usr/share/kibana/config/free-ror-newplatform-kibana.yml +COPY conf/kbn-2/kibana.crt /usr/share/kibana/config/kibana.crt +COPY conf/kbn-2/kibana.key /usr/share/kibana/config/kibana.key +COPY images/kbn-2/install-ror-kbn-using-api.sh /tmp/install-ror.sh + +USER root + +RUN /tmp/install-ror.sh && \ + chown -R kibana:kibana /usr/share/kibana/config + +USER kibana diff --git a/ror-demo-cluster/images/kbn-2/Dockerfile-use-ror-binaries-from-file b/ror-demo-cluster/images/kbn-2/Dockerfile-use-ror-binaries-from-file new file mode 100644 index 0000000..e63967d --- /dev/null +++ b/ror-demo-cluster/images/kbn-2/Dockerfile-use-ror-binaries-from-file 
@@ -0,0 +1,23 @@ +ARG KBN_VERSION=please_set_kbn_version_arg + +FROM docker.elastic.co/kibana/kibana:${KBN_VERSION} + +ARG KBN_VERSION=please_set_kbn_version_arg +ARG ROR_FILE=please_set_ror_file_path +ARG ROR_LICENSE_EDITION=please_set_ror_license_edition_arg + +COPY conf/kbn-2/ror-oldplatform-kibana.yml /usr/share/kibana/config/ror-oldplatform-kibana.yml +COPY conf/kbn-2/enterprise-ror-newplatform-kibana.yml /usr/share/kibana/config/enterprise-ror-newplatform-kibana.yml +COPY conf/kbn-2/pro-ror-newplatform-kibana.yml /usr/share/kibana/config/pro-ror-newplatform-kibana.yml +COPY conf/kbn-2/free-ror-newplatform-kibana.yml /usr/share/kibana/config/free-ror-newplatform-kibana.yml +COPY conf/kbn-2/kibana.crt /usr/share/kibana/config/kibana.crt +COPY conf/kbn-2/kibana.key /usr/share/kibana/config/kibana.key +COPY images/kbn-2/install-ror-kbn-using-file.sh /tmp/install-ror.sh +COPY $ROR_FILE /tmp/ror.zip + +USER root + +RUN /tmp/install-ror.sh && \ + chown -R kibana:kibana /usr/share/kibana/config + +USER kibana diff --git a/ror-demo-cluster/images/kbn-2/install-ror-kbn-using-api.sh b/ror-demo-cluster/images/kbn-2/install-ror-kbn-using-api.sh new file mode 100755 index 0000000..5fa2d92 --- /dev/null +++ b/ror-demo-cluster/images/kbn-2/install-ror-kbn-using-api.sh 
@@ -0,0 +1,74 @@ +#!/bin/bash -e + +function greater_than_or_equal() { + [ "$1" = "$(echo -e "$1\n$2" | sort -V | tail -n 1)" ]; +} + +if [[ -z "$KBN_VERSION" ]]; then + echo "No KBN_VERSION variable is set" + exit 1 +fi + +if [[ -z "$ROR_VERSION" ]]; then + echo "No ROR_VERSION variable is set" + exit 3 +fi + +ROR_KBN_EDITION="" +if greater_than_or_equal "$ROR_VERSION" "1.43.0" && greater_than_or_equal "$KBN_VERSION" "7.9.0"; then + ROR_KBN_EDITION="kbn_universal" +else + ROR_KBN_EDITION="kbn_free" +fi +ROR_DOWNLOAD_URL="https://api.beshu.tech/download/kbn?esVersion=$KBN_VERSION&pluginVersion=$ROR_VERSION&edition=$ROR_KBN_EDITION&email=ror-sandbox%40readonlyrest.com" + +echo "Installing KBN ROR $ROR_VERSION..." +if ! greater_than_or_equal "$KBN_VERSION" "7.0.0"; then + export NODE_OPTIONS="--max-old-space-size=8192" +fi + +if greater_than_or_equal "$KBN_VERSION" "7.11.0" ; then + /usr/share/kibana/bin/kibana-plugin install "$ROR_DOWNLOAD_URL" +elif greater_than_or_equal "$KBN_VERSION" "7.2.0" ; then + /usr/share/kibana/bin/kibana-plugin install --allow-root "$ROR_DOWNLOAD_URL" +else + /usr/share/kibana/bin/kibana-plugin install "$ROR_DOWNLOAD_URL" +fi + +if greater_than_or_equal "$KBN_VERSION" "8.15.0" ; then + echo "Patching KBN $KBN_VERSION (ROR $ROR_VERSION)..." + /usr/share/kibana/node/glibc-217/bin/node plugins/readonlyrestkbn/ror-tools.js patch --I_UNDERSTAND_AND_ACCEPT_KBN_PATCHING=yes +elif greater_than_or_equal "$KBN_VERSION" "7.9.0" ; then + echo "Patching KBN $KBN_VERSION (ROR $ROR_VERSION)..." 
+ /usr/share/kibana/node/bin/node plugins/readonlyrestkbn/ror-tools.js patch --I_UNDERSTAND_AND_ACCEPT_KBN_PATCHING=yes +fi + + if greater_than_or_equal "$KBN_VERSION" "7.9.0"; then + case "${ROR_LICENSE_EDITION:-}" in + ENT) + mv /usr/share/kibana/config/enterprise-ror-newplatform-kibana.yml \ + /usr/share/kibana/config/kibana.yml + ;; + PRO) + mv /usr/share/kibana/config/pro-ror-newplatform-kibana.yml \ + /usr/share/kibana/config/kibana.yml + ;; + FREE) + mv /usr/share/kibana/config/free-ror-newplatform-kibana.yml \ + /usr/share/kibana/config/kibana.yml + ;; + "") + echo "ERROR: ROR_LICENSE_EDITION is not set" >&2 + exit 1 + ;; + *) + echo "ERROR: Unsupported ROR_LICENSE_EDITION='${ROR_LICENSE_EDITION}'" >&2 + exit 2 + ;; + esac + else + mv /usr/share/kibana/config/ror-oldplatform-kibana.yml /usr/share/kibana/config/kibana.yml + rm -rf /usr/share/kibana/optimize # for some reason we have to remove it and let kibana optimize it on startup + fi + +echo "DONE!" diff --git a/ror-demo-cluster/images/kbn-2/install-ror-kbn-using-file.sh b/ror-demo-cluster/images/kbn-2/install-ror-kbn-using-file.sh new file mode 100755 index 0000000..ab04efe --- /dev/null +++ b/ror-demo-cluster/images/kbn-2/install-ror-kbn-using-file.sh 
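Review bot: `kibana-plugin install "$ROR_DOWNLOAD_URL"` installs whatever the download endpoint returns, and the script then patches Kibana while running as root (the Dockerfile calls it after `USER root`), with no digest or signature check on the archive in between. I would download to a file, compare it with an expected SHA-256 passed as a build argument, and install from `file:///tmp/ror.zip` the way the sibling `install-ror-kbn-using-file.sh` does. The version-dependent branches and `--allow-root` handling stay as they are; only the install source changes. `ROR_SHA256` below is a placeholder name, and it would also need an `ARG` line in the Dockerfile.

```shell
# … unchanged: version checks, ROR_KBN_EDITION and ROR_DOWNLOAD_URL …
curl -fsSL --output /tmp/ror.zip "$ROR_DOWNLOAD_URL"
# ROR_SHA256: placeholder build argument carrying the expected digest of the archive
echo "${ROR_SHA256:?ROR_SHA256 is not set}  /tmp/ror.zip" | sha256sum -c -
# … unchanged: NODE_OPTIONS handling and the version branches, each now installing the verified file …
/usr/share/kibana/bin/kibana-plugin install file:///tmp/ror.zip
# … unchanged: patching and kibana.yml selection …
```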
@@ -0,0 +1,59 @@ +#!/bin/bash -e + +function greater_than_or_equal() { + [ "$1" = "$(echo -e "$1\n$2" | sort -V | tail -n 1)" ]; +} + +if [[ -z "$KBN_VERSION" ]]; then + echo "No KBN_VERSION variable is set" + exit 1 +fi + +echo "Installing KBN ROR $ROR_VERSION..." +if ! greater_than_or_equal "$KBN_VERSION" "7.0.0"; then + export NODE_OPTIONS="--max-old-space-size=8192" +fi + +if greater_than_or_equal "$KBN_VERSION" "7.11.0" ; then + /usr/share/kibana/bin/kibana-plugin install file:///tmp/ror.zip +else + /usr/share/kibana/bin/kibana-plugin install --allow-root file:///tmp/ror.zip +fi + +if greater_than_or_equal "$KBN_VERSION" "8.15.0" ; then + echo "Patching KBN $KBN_VERSION (ROR $ROR_VERSION)..." + /usr/share/kibana/node/glibc-217/bin/node plugins/readonlyrestkbn/ror-tools.js patch --I_UNDERSTAND_AND_ACCEPT_KBN_PATCHING=yes +elif greater_than_or_equal "$KBN_VERSION" "7.9.0" ; then + echo "Patching KBN $KBN_VERSION (ROR $ROR_VERSION)..." + /usr/share/kibana/node/bin/node plugins/readonlyrestkbn/ror-tools.js patch --I_UNDERSTAND_AND_ACCEPT_KBN_PATCHING=yes +fi + + if greater_than_or_equal "$KBN_VERSION" "7.9.0"; then + case "${ROR_LICENSE_EDITION:-}" in + ENT) + mv /usr/share/kibana/config/enterprise-ror-newplatform-kibana.yml \ + /usr/share/kibana/config/kibana.yml + ;; + PRO) + mv /usr/share/kibana/config/pro-ror-newplatform-kibana.yml \ + /usr/share/kibana/config/kibana.yml + ;; + FREE) + mv /usr/share/kibana/config/free-ror-newplatform-kibana.yml \ + /usr/share/kibana/config/kibana.yml + ;; + "") + echo "ERROR: ROR_LICENSE_EDITION is not set" >&2 + exit 1 + ;; + *) + echo "ERROR: Unsupported ROR_LICENSE_EDITION='${ROR_LICENSE_EDITION}'" >&2 + exit 2 + ;; + esac + else + mv /usr/share/kibana/config/ror-oldplatform-kibana.yml /usr/share/kibana/config/kibana.yml + rm -rf /usr/share/kibana/optimize # for some reason we have to remove it and let kibana optimize it on startup + fi + +echo "DONE!" \ No newline at end of file 
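Review bot: The `echo "Installing KBN ROR $ROR_VERSION..."` line and both `Patching KBN ... (ROR $ROR_VERSION)` messages expand an empty variable, because `Dockerfile-use-ror-binaries-from-file` declares only `KBN_VERSION`, `ROR_FILE` and `ROR_LICENSE_EDITION`, and this script, unlike `install-ror-kbn-using-api.sh`, never checks `ROR_VERSION`. Under `#!/bin/bash -e` an unset variable is not an error, so the build log silently loses the plugin version that went into the image. Either take the variable out of the messages, e.g. `echo "Installing KBN ROR from /tmp/ror.zip..."`, or declare `ARG ROR_VERSION` in that Dockerfile so the value passed by `docker-compose.yml` reaches the script.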
diff --git a/ror-demo-cluster/images/reverse-proxy/Dockerfile b/ror-demo-cluster/images/reverse-proxy/Dockerfile new file mode 100644 index 0000000..c018f1b --- /dev/null +++ b/ror-demo-cluster/images/reverse-proxy/Dockerfile @@ -0,0 +1,28 @@ +# Dockerfile +FROM httpd:2.4 + +# Enable required modules: proxy, balancer, lbmethod, rewrite, headers, slotmem, ssl, wstunnel, socache +RUN sed -i \ + -e 's/^#\(LoadModule slotmem_shm_module modules\/mod_slotmem_shm.so\)/\1/' \ + -e 's/^#\(LoadModule socache_shmcb_module modules\/mod_socache_shmcb.so\)/\1/' \ + -e 's/^#\(LoadModule proxy_module modules\/mod_proxy.so\)/\1/' \ + -e 's/^#\(LoadModule proxy_http_module modules\/mod_proxy_http.so\)/\1/' \ + -e 's/^#\(LoadModule proxy_wstunnel_module modules\/mod_proxy_wstunnel.so\)/\1/' \ + -e 's/^#\(LoadModule proxy_balancer_module modules\/mod_proxy_balancer.so\)/\1/' \ + -e 's/^#\(LoadModule lbmethod_byrequests_module modules\/mod_lbmethod_byrequests.so\)/\1/' \ + -e 's/^#\(LoadModule rewrite_module modules\/mod_rewrite.so\)/\1/' \ + -e 's/^#\(LoadModule headers_module modules\/mod_headers.so\)/\1/' \ + -e 's/^#\(LoadModule ssl_module modules\/mod_ssl.so\)/\1/' \ + /usr/local/apache2/conf/httpd.conf + +RUN echo "ServerName localhost" >> /usr/local/apache2/conf/httpd.conf \ + && echo "Listen 443" >> /usr/local/apache2/conf/httpd.conf + +# Copy vhost and include it +COPY images/reverse-proxy/deva-notix.conf /usr/local/apache2/conf/extra/deva-notix.conf +RUN echo "Include conf/extra/deva-notix.conf" >> /usr/local/apache2/conf/httpd.conf + +# Copy TLS certs (provide server.crt and server.key under images/reverse-proxy/certs) +COPY conf/reverse-proxy/certs/ /usr/local/apache2/conf/certs/ + +EXPOSE 80 443 diff --git a/ror-demo-cluster/images/reverse-proxy/deva-notix.conf b/ror-demo-cluster/images/reverse-proxy/deva-notix.conf new file mode 100644 index 0000000..6224062 --- /dev/null +++ b/ror-demo-cluster/images/reverse-proxy/deva-notix.conf 
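Review bot: The comment above the last `COPY` tells the reader to provide `server.crt` and `server.key` under `images/reverse-proxy/certs`, but the instruction reads from `conf/reverse-proxy/certs/`, so following the comment leaves the directory the build actually uses empty or missing. I would correct it to `# Copy TLS certs (provide server.crt and server.key under conf/reverse-proxy/certs)`. The same `COPY` stores the private key in an image layer; mounting the directory read-only from `docker-compose.yml` instead would keep the key out of any image that is pushed or shared.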
@@ -0,0 +1,44 @@ + + ServerName localhost + + ErrorLog /usr/local/apache2/logs/deva-notix_error.log + CustomLog /usr/local/apache2/logs/deva-notix_access.log combined + + SSLEngine On + SSLCertificateFile "/usr/local/apache2/conf/certs/server.crt" + SSLCertificateKeyFile "/usr/local/apache2/conf/certs/server.key" + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite HIGH:!aNULL:!MD5 + SSLHonorCipherOrder On + + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" + + ProxyPreserveHost On + ProxyRequests Off + + RequestHeader set X-Forwarded-Proto "https" + RequestHeader set X-Forwarded-Host "%{Host}i" + RequestHeader set X-Forwarded-Port "443" + + SSLProxyEngine On + SSLProxyVerify none + SSLProxyCheckPeerName off + SSLProxyCheckPeerCN off + + + BalancerMember "https://kbn-ror:5601" route=server-1 loadfactor=1 keepalive=On connectiontimeout=10 retry=2 timeout=300 + BalancerMember "https://kbn-ror-2:5601" route=server-2 loadfactor=1 keepalive=On connectiontimeout=10 retry=2 timeout=300 + ProxySet lbmethod=byrequests stickysession=ROUTEID nofailover=Off + + + + RewriteEngine On + RewriteRule ^/deva-notix$ /deva-notix/ [R,L] + RewriteRule ^/notix$ /deva-notix/ [R,L] + RewriteRule ^/deva-notix/(.*) balancer://deva-notix/$1 [NC,QSA,P] + + Header add Set-Cookie "ROUTEID=%{BALANCER_WORKER_ROUTE}e; Path=/deva-notix; HttpOnly; SameSite=Lax; Secure" env=BALANCER_ROUTE_CHANGED + + + + diff --git a/ror-demo-cluster/run.sh b/ror-demo-cluster/run.sh index 51e7852..ce2fca2 100755 --- a/ror-demo-cluster/run.sh +++ b/ror-demo-cluster/run.sh 
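Review bot: `SSLProxyVerify none` together with `SSLProxyCheckPeerName off` and `SSLProxyCheckPeerCN off` makes the proxy accept any certificate from `kbn-ror` and `kbn-ror-2`, so the TLS leg to the backends encrypts but authenticates nothing. The backend images are built with a `kibana.crt` from the repository, so the proxy could trust exactly that certificate: `SSLProxyCACertificateFile "/usr/local/apache2/conf/certs/kibana.crt"` with `SSLProxyVerify require` (the path is an example; the file would have to be copied into the proxy image). The name checks may need to stay off if that certificate has no SAN for the service names, which this patch does not show; a comment such as `# backends use the self-signed demo certificate, names do not match` would then record why. The block tags of this file did not survive on the page, so the directives are assumed to sit in the TLS virtual host.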
@@ -65,10 +65,10 @@ echo -e " case "${ROR_LICENSE_EDITION:-}" in ENT) - echo -e "You can access ROR KBN here: https://localhost:15601 (login via 'Keycloak' button; users: 'extUser1:extUser1', 'extUser2:extUser2').\nKeycloak admin console: http://kc.localhost:8080/admin (admin:admin)" + echo -e "You can access ROR KBN via proxy here: https://localhost:8443/deva-notix (admin:admin)" ;; PRO|FREE) - echo -e "You can access ROR KBN here: https://localhost:15601" + echo -e "You can access ROR KBN via proxy : https://localhost:8443/deva-notix (admin:admin)" ;; *) ;; From 0ddf181af90c5a4420f8b258b55f8331725579e4 Mon Sep 17 00:00:00 2001 From: Dawid Poliszak Date: Fri, 7 Nov 2025 08:22:22 +0100 Subject: [PATCH 3/7] provide oidc example --- .../enterprise-ror-newplatform-kibana.yml | 37 ++++++++++++++++++- .../kbn/enterprise-ror-newplatform-kibana.yml | 36 ++++++++++++++++++ .../images/reverse-proxy/deva-notix.conf | 14 ++++--- ror-demo-cluster/run.sh | 3 +- 4 files changed, 82 insertions(+), 8 deletions(-) diff --git a/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml index 2f605e7..d165b16 100644 --- a/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml +++ b/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml 
@@ -66,5 +66,40 @@ logging.root.level: info #################### Kibana CCS settings ###################### monitoring.ui.ccs.enabled: false - +readonlyrest_kbn: + auth: + signature_key: "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" + + oidc_keycloak: + buttonName: "Keycloak OIDC" + type: "oidc" + protocol: "https" + issuer: 'http://kc.localhost:8080/realms/ror' + authorizationURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/auth' + tokenURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/token' + userInfoURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/userinfo' + jwksURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/certs' + clientID: 'kibana-ror' + clientSecret: 'kibanasecret123' + scope: 'openid profile email' + usernameParameter: 'preferred_username' + groupsParameter: 'groups' + kibanaExternalHost: 'localhost:8443/deva-notix' + logoutUrl: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/logout' + oidc_lemon_ldap: + buttonName: "LemonLDAP OpenID" + type: "oidc" + protocol: "https" + issuer: 'https://oidctest.wsweet.org/' + authorizationURL: 'https://oidctest.wsweet.org/oauth2/authorize' + tokenURL: 'https://oidctest.wsweet.org/oauth2/token' + userInfoURL: 'https://oidctest.wsweet.org/oauth2/userinfo' + clientID: 'private' + clientSecret: 'tardis' + scope: 'openid users roles' + usernameParameter: 'sub' + groupsParameter: 'roles' + kibanaExternalHost: 'localhost:8443/deva-notix' + logoutUrl: 'https://oidctest.wsweet.org/oauth2/logout' + jwksURL: 'https://oidctest.wsweet.org/oauth2/jwks' diff --git a/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml index 4366a6c..7b1f228 100644 --- a/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml +++ b/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml 
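Review bot: The `oidc_lemon_ldap` connector hands authentication and the `roles` claim to a public test provider (`oidctest.wsweet.org`) using the client `private` / `tardis`, so who can log in and which groups they present is decided outside this repository. The `oidc_keycloak` block above it reaches the issuer, token and JWKS endpoints over plain `http://` and also carries its `clientSecret` as a literal. Both are understandable for a reproduction, but I would mark them in the file, e.g. `# demo only: public test IdP and committed client secrets, never enable outside a local sandbox`. The hunk for `conf/kbn/enterprise-ror-newplatform-kibana.yml` adds the same two blocks.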
@@ -66,5 +66,41 @@ logging.root.level: info #################### Kibana CCS settings ###################### monitoring.ui.ccs.enabled: false +readonlyrest_kbn: + auth: + signature_key: "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" + + oidc_keycloak: + buttonName: "Keycloak OIDC" + type: "oidc" + protocol: "https" + issuer: 'http://kc.localhost:8080/realms/ror' + authorizationURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/auth' + tokenURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/token' + userInfoURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/userinfo' + jwksURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/certs' + clientID: 'kibana-ror' + clientSecret: 'kibanasecret123' + scope: 'openid profile email' + usernameParameter: 'preferred_username' + groupsParameter: 'groups' + kibanaExternalHost: 'localhost:8443/deva-notix' + logoutUrl: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/logout' + oidc_lemon_ldap: + buttonName: "LemonLDAP OpenID" + type: "oidc" + protocol: "https" + issuer: 'https://oidctest.wsweet.org/' + authorizationURL: 'https://oidctest.wsweet.org/oauth2/authorize' + tokenURL: 'https://oidctest.wsweet.org/oauth2/token' + userInfoURL: 'https://oidctest.wsweet.org/oauth2/userinfo' + clientID: 'private' + clientSecret: 'tardis' + scope: 'openid users roles' + usernameParameter: 'sub' + groupsParameter: 'roles' + kibanaExternalHost: 'localhost:8443/deva-notix' + logoutUrl: 'https://oidctest.wsweet.org/oauth2/logout' + jwksURL: 'https://oidctest.wsweet.org/oauth2/jwks' diff --git a/ror-demo-cluster/images/reverse-proxy/deva-notix.conf b/ror-demo-cluster/images/reverse-proxy/deva-notix.conf index 6224062..ac7efd6 100644 --- a/ror-demo-cluster/images/reverse-proxy/deva-notix.conf +++ b/ror-demo-cluster/images/reverse-proxy/deva-notix.conf 
@@ -33,12 +33,14 @@ RewriteEngine On - RewriteRule ^/deva-notix$ /deva-notix/ [R,L] - RewriteRule ^/notix$ /deva-notix/ [R,L] - RewriteRule ^/deva-notix/(.*) balancer://deva-notix/$1 [NC,QSA,P] + RewriteRule ^/deva-notix$ /deva-notix/ [R=301,L] + RewriteRule ^/notix$ /deva-notix/ [R=301,L] - Header add Set-Cookie "ROUTEID=%{BALANCER_WORKER_ROUTE}e; Path=/deva-notix; HttpOnly; SameSite=Lax; Secure" env=BALANCER_ROUTE_CHANGED - - + # Don't rewrite prefix for OIDC endpoints + RewriteRule ^/deva-notix/(ror_kbn_(?:oidc_lemon_ldap|oidc_keycloak)/.*)$ \ + balancer://deva-notix/deva-notix/$1 [NC,QSA,P,L] + RewriteRule ^/deva-notix/(.*)$ balancer://deva-notix/$1 [NC,QSA,P,L] + Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; Path=/; HttpOnly; SameSite=Lax" env=BALANCER_ROUTE_CHANGED + \ No newline at end of file diff --git a/ror-demo-cluster/run.sh b/ror-demo-cluster/run.sh index ce2fca2..fff989b 100755 --- a/ror-demo-cluster/run.sh +++ b/ror-demo-cluster/run.sh @@ -65,7 +65,8 @@ echo -e " case "${ROR_LICENSE_EDITION:-}" in ENT) - echo -e "You can access ROR KBN via proxy here: https://localhost:8443/deva-notix (admin:admin)" + echo -e "You can access ROR KBN via proxy here: https://localhost:8443/deva-notix (admin:admin) (login via 'Keycloak' button; users: 'extUser1:extUser1', 'extUser2:extUser2').\nKeycloak admin console: http://kc.localhost:8080/admin (admin:admin)" + ;; PRO|FREE) echo -e "You can access ROR KBN via proxy : https://localhost:8443/deva-notix (admin:admin)" From 62afd2b56e73d1000f5df7f06f555f20012688f8 Mon Sep 17 00:00:00 2001 From: Dawid Poliszak Date: Mon, 10 Nov 2025 08:37:54 +0100 Subject: [PATCH 4/7] remove rewriting OIDC based paths skipping logic --- .../conf/kbn-2/enterprise-ror-newplatform-kibana.yml | 2 +- .../conf/kbn/enterprise-ror-newplatform-kibana.yml | 2 +- ror-demo-cluster/conf/keycloak/ror-realm.json | 2 +- ror-demo-cluster/images/reverse-proxy/deva-notix.conf | 4 ---- 4 files changed, 3 insertions(+), 7 deletions(-) 
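Review bot: The rewritten `Header add Set-Cookie` line drops `Secure` from the `ROUTEID` cookie while widening it from `Path=/deva-notix` to `Path=/`. This virtual host serves TLS and sends `Strict-Transport-Security`, and the compose file also publishes the container's port 80, so without the attribute the browser will attach the cookie to plain-HTTP requests to the same host as well. I would keep it: `Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; Path=/; HttpOnly; SameSite=Lax; Secure" env=BALANCER_ROUTE_CHANGED`. If `Path=/` is required for the OIDC callback paths, a one-line comment saying so would help; the enclosing block starts outside the hunk.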
diff --git a/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml index d165b16..40b4959 100644 --- a/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml +++ b/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml @@ -99,7 +99,7 @@ readonlyrest_kbn: scope: 'openid users roles' usernameParameter: 'sub' groupsParameter: 'roles' - kibanaExternalHost: 'localhost:8443/deva-notix' + kibanaExternalHost: 'localhost:8443' logoutUrl: 'https://oidctest.wsweet.org/oauth2/logout' jwksURL: 'https://oidctest.wsweet.org/oauth2/jwks' diff --git a/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml index 7b1f228..7c7cbca 100644 --- a/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml +++ b/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml @@ -99,7 +99,7 @@ readonlyrest_kbn: scope: 'openid users roles' usernameParameter: 'sub' groupsParameter: 'roles' - kibanaExternalHost: 'localhost:8443/deva-notix' + kibanaExternalHost: 'localhost:8443' logoutUrl: 'https://oidctest.wsweet.org/oauth2/logout' jwksURL: 'https://oidctest.wsweet.org/oauth2/jwks' diff --git a/ror-demo-cluster/conf/keycloak/ror-realm.json b/ror-demo-cluster/conf/keycloak/ror-realm.json index 3e806f2..feb1152 100644 --- a/ror-demo-cluster/conf/keycloak/ror-realm.json +++ b/ror-demo-cluster/conf/keycloak/ror-realm.json @@ -11,7 +11,7 @@ "redirectUris": ["*"], "webOrigins": ["*"], "attributes": { - "post.logout.redirect.uris": "https://localhost:15601/*" + "post.logout.redirect.uris": "https://localhost:8443/*" }, "protocolMappers": [ { diff --git a/ror-demo-cluster/images/reverse-proxy/deva-notix.conf b/ror-demo-cluster/images/reverse-proxy/deva-notix.conf index ac7efd6..fe87da9 100644 --- a/ror-demo-cluster/images/reverse-proxy/deva-notix.conf +++ b/ror-demo-cluster/images/reverse-proxy/deva-notix.conf 
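Review bot: The client whose `post.logout.redirect.uris` is updated in the `ror-realm.json` hunk still has `"redirectUris": ["*"]` and `"webOrigins": ["*"]` in its context lines, so the realm accepts any redirect target and any origin for this client. Now that the proxy is the single entry point, the same origin can be used for all three settings: `"redirectUris": ["https://localhost:8443/*"]` and `"webOrigins": ["https://localhost:8443"]`. The client object starts and ends outside the hunk, so which client this is cannot be confirmed from the visible lines.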
@@ -36,10 +36,6 @@ RewriteRule ^/deva-notix$ /deva-notix/ [R=301,L] RewriteRule ^/notix$ /deva-notix/ [R=301,L] - # Don't rewrite prefix for OIDC endpoints - RewriteRule ^/deva-notix/(ror_kbn_(?:oidc_lemon_ldap|oidc_keycloak)/.*)$ \ - balancer://deva-notix/deva-notix/$1 [NC,QSA,P,L] - RewriteRule ^/deva-notix/(.*)$ balancer://deva-notix/$1 [NC,QSA,P,L] Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; Path=/; HttpOnly; SameSite=Lax" env=BALANCER_ROUTE_CHANGED From f68573e70b4fea5ce79729146d1691cd57ac761f Mon Sep 17 00:00:00 2001 From: Dawid Poliszak Date: Tue, 25 Nov 2025 08:51:39 +0100 Subject: [PATCH 5/7] add cert --- .../conf/reverse-proxy/certs/server.crt | 17 +++++++++++ .../conf/reverse-proxy/certs/server.key | 28 +++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 ror-demo-cluster/conf/reverse-proxy/certs/server.crt create mode 100644 ror-demo-cluster/conf/reverse-proxy/certs/server.key diff --git a/ror-demo-cluster/conf/reverse-proxy/certs/server.crt b/ror-demo-cluster/conf/reverse-proxy/certs/server.crt new file mode 100644 index 0000000..d7b9dd4 --- /dev/null +++ b/ror-demo-cluster/conf/reverse-proxy/certs/server.crt 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIJAPBXGOZLL6X6MA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV +BAMMCWxvY2FsaG9zdDAeFw0yNTEwMTEwNDMzMDdaFw0yODAxMTQwNDMzMDdaMBQx +EjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALZAVV3iMJc/3R7E1Cn4WnPHYBDFSqP6rznKuS56pfk2MACX+X6jdsrTTZMn +I8gQWwnPIPm2m6CFAoEqI17u+qGUTmZS0Ph9qmWLFPR18zyX+bpLLmoNBzRjZJce +3EULVqdzRSvXq/aSnNn0VbBk6PA3Wmf8pduiYmMKST4ZYz9lxAP1iWa6GmqLi8ZU +EWbRaiTdfsyME/HrYLjdhUrTHO0hHPEIsHCrHJYH3J9PJqL6BJXuTOEiZKyQJBxX +bzh8KAemOU1gNdm0x19PDJ9n4GthiSDON0uBEETIswMETywsdFBDBf/npWYyFsSY +wIKEVTDsgYTgg10yvCMcSWZaFLUCAwEAAaMeMBwwGgYDVR0RBBMwEYIJbG9jYWxo +b3N0hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQAfA5Inuxr32WkWda03CXayL1Uf +CVii5BAdniEjAUm67My9qxSNaffUQr6kCnyWFWRzwbaYdSrBJSEyxzPoyTKR7FRh +ELYtKmedfBMMYA1skAqBolTjHdz8nULIV3OerSyLtAdSHwbGpjBKwmrY/RmB7bFe +p9kNUwQU9mVRrgJ6xt/1Ms0k0d6etPBguFYEhVdyT1M6Gj608KP2gvkP4hjsTP8Q +Lxm0nVg6A7wiwFPmbanO3BfisfngxMHs3DdK68Oiy1HrJqxY46D+qnkbpleyCyOd +nK8xg3WoRlhvzNvWK/FGxYXqwZGcJi3TySBKlvQpngjOc7EimHVsuho0jSao +-----END CERTIFICATE----- diff --git a/ror-demo-cluster/conf/reverse-proxy/certs/server.key b/ror-demo-cluster/conf/reverse-proxy/certs/server.key new file mode 100644 index 0000000..e5adfbd --- /dev/null +++ b/ror-demo-cluster/conf/reverse-proxy/certs/server.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC2QFVd4jCXP90e +xNQp+Fpzx2AQxUqj+q85yrkueqX5NjAAl/l+o3bK002TJyPIEFsJzyD5tpughQKB +KiNe7vqhlE5mUtD4faplixT0dfM8l/m6Sy5qDQc0Y2SXHtxFC1anc0Ur16v2kpzZ +9FWwZOjwN1pn/KXbomJjCkk+GWM/ZcQD9Ylmuhpqi4vGVBFm0Wok3X7MjBPx62C4 +3YVK0xztIRzxCLBwqxyWB9yfTyai+gSV7kzhImSskCQcV284fCgHpjlNYDXZtMdf +TwyfZ+BrYYkgzjdLgRBEyLMDBE8sLHRQQwX/56VmMhbEmMCChFUw7IGE4INdMrwj +HElmWhS1AgMBAAECggEAAaVzH/X7GmKpTK3afMaRipoyc/RUSEbrbko2ggT5mtay +eE7nIg239P0TplCkMhpzuBL26UqM/VY2P5Rx3VmrSepdCu+Uk6oO7/vhpJOsLs/w +oY4sTSjw97guIG9W7gi8L6cK6Op50zBf2lgqrf07XXAikO3nUaSV3u8o2jbAfsIY +pjT/XLWsYF3XYXfH8RMRKv+tQNhCAch2Un/tug3N1tXSTcbjGwIay97Ytj8pYPcd ++1hZay9t5MXa5CAVOusrwbfShQ+sXpWenH13DqvvQX8GA/zd8bA3UV5oaDvQpw3v +HTLMr7EiFsAExc7vPr6E8X8hLfju2BdKTu0i8z7fwQKBgQDw9eyfui3jSI2EE08H +wLvLT6pZSrJ2TIQd75c9mdL04YkCwxTMCufvZwYj7PG0srRdNNlO1UTxEQNoAJ03 +U2C1qjjOQG9X71+Fj1+mtv8V8KllpZFxiItySZOpLYJe4GbqXkef/dMG+/JZ6KwY +gJuEQeiXc+LBFAYWrx9goXoQRwKBgQDBoFmIEidr3020+JJEFvIOXzZ/OkcV2Do+ +C8K4/wqUvectYVRgHlH2tTcXW+7ngVrdqnPMFeBxylxymnD7yUIS2GuV6WXeqzPg +CPuzr8OiE634qmxemj3UpbRFO3ctU00/8SeOcbnnHTrBQhrnSBC8K4Y3bXutFhba +Hb3T2NfNIwKBgQCqPxdQQ1romvphtsK/14zXuRHCxOQScT1naUCSZXyHSFJlgS/Q +emQk4cWU3HRqF1kYAZ8H8+ch68NcWBK8ZEyQDhTUpPIGTzpOQ15xjBnuhnspNjHs +5Wyg8xtBDMZwAly0eqhgghX3eUth+uKc7UDz0R1k5JvxjxQ+Mr0YqP51QQKBgCVm +hsS81PaGPKlPNlmGoRzbkVhD9oUmriFb/jHjubR/dg8S9MxYLvbbjBer/1qiZt3Y +VeO++gqgzvioEljgSC4Btc5QNggrw6prscrEkaJV8M3OhX5EhtrzYv3Yfa24oHxQ +ZZajKwiUYcwAq9eu2OSv943vTOtjD+jzw74O7ahHAoGAS3T27W6SkloZi9t+SFSY +BeINYvV3ciRNGN48k00v28+5sFJ7uaqkxkd+t8RGn7nGaA7n+nJNXexyiJzVVKjS +zL5WaQuduTDJHpW5HbAQp3bMpCrYhI6YL9EzXEedWkLaTh+Ox9yVc3nDBNx0lGw3 +yRdF/RqO80s0HbQhbJMtcMQ= +-----END PRIVATE KEY----- From e667d9c6596bb1eab2804b1e28e6850eb579ee40 Mon Sep 17 00:00:00 2001 
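Review bot: `server.key` is an unencrypted private key committed next to its certificate, so the proxy's TLS identity is known to everyone with read access to the repository and remains in history even if the file is deleted later. For a demo I would generate the pair when the image is built or the stack starts, using the same `openssl req -x509 -batch -nodes ... -newkey rsa:2048 -keyout ... -out ...` form that the Kibana configs already document, and list `conf/reverse-proxy/certs/` in `.gitignore`. If the files have to stay, a README line stating that the key is public and valid for localhost only would prevent it from being reused elsewhere.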
From: coutoPL Date: Tue, 25 Nov 2025 10:08:14 +0100 Subject: [PATCH 6/7] logging --- .../conf/kbn/enterprise-ror-newplatform-kibana.yml | 2 +- ror-demo-cluster/images/reverse-proxy/deva-notix.conf | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml index 7c7cbca..3000107 100644 --- a/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml +++ b/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml @@ -84,7 +84,7 @@ readonlyrest_kbn: scope: 'openid profile email' usernameParameter: 'preferred_username' groupsParameter: 'groups' - kibanaExternalHost: 'localhost:8443/deva-notix' + kibanaExternalHost: 'localhost:8443' logoutUrl: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/logout' oidc_lemon_ldap: buttonName: "LemonLDAP OpenID" diff --git a/ror-demo-cluster/images/reverse-proxy/deva-notix.conf b/ror-demo-cluster/images/reverse-proxy/deva-notix.conf index fe87da9..1bf7c94 100644 --- a/ror-demo-cluster/images/reverse-proxy/deva-notix.conf +++ b/ror-demo-cluster/images/reverse-proxy/deva-notix.conf @@ -1,8 +1,12 @@ ServerName localhost - ErrorLog /usr/local/apache2/logs/deva-notix_error.log - CustomLog /usr/local/apache2/logs/deva-notix_access.log combined + # Redirect logs to stdout/stderr for Docker + ErrorLog /proc/self/fd/2 + + # Custom log format: timestamp, method, URL, response code, response time, client IP + LogFormat "%t \"%r\" %s %b %D μs - Client: %a - Backend: %{BALANCER_WORKER_ROUTE}e" proxy_format + CustomLog /proc/self/fd/1 proxy_format SSLEngine On SSLCertificateFile "/usr/local/apache2/conf/certs/server.crt" From 2234b15311770125a3cebd7f15ab5481febafe46 Mon Sep 17 00:00:00 2001 
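Review bot: The new `LogFormat` uses `%r`, which writes the full request line including the query string to the container's stdout; the OIDC and SAML connectors configured in this series return through this proxy, so their callback parameters would presumably end up in the Docker log. Logging the method and the path without the query keeps the debugging value: `LogFormat "%t \"%m %U\" %s %b %D μs - Client: %a - Backend: %{BALANCER_WORKER_ROUTE}e" proxy_format`. The comment above it lists timestamp, method, URL, response code, response time and client IP, and could also name the response size (`%b`) and the backend route that the format prints.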
From: Dawid Poliszak Date: Mon, 8 Dec 2025 06:28:28 +0100 Subject: [PATCH 7/7] adjust realm config --- ror-demo-cluster/conf/es/readonlyrest.yml | 7 +- .../enterprise-ror-newplatform-kibana.yml | 18 ++++- .../kbn/enterprise-ror-newplatform-kibana.yml | 26 +++---- ror-demo-cluster/conf/keycloak/ror-realm.json | 76 ++++++++++++------- 4 files changed, 82 insertions(+), 45 deletions(-) diff --git a/ror-demo-cluster/conf/es/readonlyrest.yml b/ror-demo-cluster/conf/es/readonlyrest.yml index 252c463..f52599b 100644 --- a/ror-demo-cluster/conf/es/readonlyrest.yml +++ b/ror-demo-cluster/conf/es/readonlyrest.yml @@ -65,8 +65,11 @@ readonlyrest: - local_group: id: "EndUsers" name: "End Users" - external_group_ids: [ "*" ] - + external_group_ids: [ "extEndUsers" ] + - local_group: + id: "BusinessUsers" + name: "Business Users" + external_group_ids: [ "extBusinessUsers" ] ror_kbn: - name: kbn1 signature_key: "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" diff --git a/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml index 40b4959..ec416f5 100644 --- a/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml +++ b/ror-demo-cluster/conf/kbn-2/enterprise-ror-newplatform-kibana.yml 
@@ -69,7 +69,19 @@ monitoring.ui.ccs.enabled: false readonlyrest_kbn: auth: signature_key: "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" - + saml_keycloak: + buttonName: 'Keycloak SAML' + enabled: true + type: 'saml' + issuer: 'ror-saml' + entryPoint: 'http://kc.localhost:8080/realms/ror/protocol/saml' + kibanaExternalHost: 'localhost:8443' + protocol: 'https' + usernameParameter: 'nameID' + groupsParameter: 'memberOf' + logoutUrl: 'http://kc.localhost:8080/realms/ror/protocol/saml' + YOU_SHOULD_READ_ME_IN_STRATEGY_CONFIGURATION_LOG: 'unknown conf params should be passed unmodified to the underlying passport-saml library' + cert: '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' oidc_keycloak: buttonName: "Keycloak OIDC" type: "oidc" @@ -79,12 +91,12 @@ readonlyrest_kbn: tokenURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/token' userInfoURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/userinfo' jwksURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/certs' - clientID: 'kibana-ror' + clientID: 'ror-oidc' clientSecret: 'kibanasecret123' scope: 'openid profile email' usernameParameter: 'preferred_username' groupsParameter: 'groups' - kibanaExternalHost: 'localhost:8443/deva-notix' + kibanaExternalHost: 'localhost:8443' logoutUrl: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/logout' oidc_lemon_ldap: buttonName: "LemonLDAP OpenID" diff --git a/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml b/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml index ba6078b..596585d 100644 --- a/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml +++ b/ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml 
@@ -69,19 +69,19 @@ monitoring.ui.ccs.enabled: false readonlyrest_kbn: auth: signature_key: "9yzBfnLaTYLfGPzyKW9es76RKYhUVgmuv6ZtehaScj5msGpBpa5FWpwk295uJYaaffTFnQC5tsknh2AguVDaTrqCLfM5zCTqdE4UGNL73h28Bg4dPrvTAFQyygQqv4xfgnevBED6VZYdfjXAQLc8J8ywaHQQSmprZqYCWGE6sM3vzNUEWWB3kmGrEKa4sGbXhmXZCvL6NDnEJhXPDJAzu9BMQxn8CzVLqrx6BxDgPYF8gZCxtyxMckXwCaYXrxAGbjkYH69F4wYhuAdHSWgRAQCuWwYmWCA6g39j4VPge5pv962XYvxwJpvn23Y5KvNZ5S5c6crdG4f4gTCXnU36x92fKMQzsQV9K4phcuNvMWkpqVB6xMA5aPzUeHcGytD93dG8D52P5BxsgaJJE6QqDrk3Y2vyLw9ZEbJhPRJxbuBKVCBtVx26Ldd46dq5eyyzmNEyQGLrjQ4qd978VtG8TNT5rkn4ETJQEju5HfCBbjm3urGLFVqxhGVawecT4YM9Rry4EqXWkRJGTFQWQRnweUFbKNbVTC9NxcXEp6K5rSPEy9trb5UYLYhhMJ9fWSBMuenGRjNSJxeurMRCaxPpNppBLFnp8qW5ezfHgCBpEjkSNNzP4uXMZFAXmdUfJ8XQdPTWuYfdHYc5TZWnzrdq9wcfFQRDpDB2zX5Myu96krDt9vA7wNKfYwkSczA6qUQV66jA8nV4Cs38cDAKVBXnxz22ddAVrPv8ajpu7hgBtULMURjvLt94Nc5FDKw79CTTQxffWEj9BJCDCpQnTufmT8xenywwVJvtj49yv2MP2mGECrVDRmcGUAYBKR8G6ZnFAYDVC9UhY46FGWDcyVX3HKwgtHeb45Ww7dsW8JdMnZYctaEU585GZmqTJp2LcAWRcQPH25JewnPX8pjzVpJNcy7avfA2bcU86bfASvQBDUCrhjgRmK2ECR6vzPwTsYKRgFrDqb62FeMdrKgJ9vKs435T5ACN7MNtdRXHQ4fj5pNpUMDW26Wd7tt9bkBTqEGf" - saml_keycloak: - buttonName: 'Keycloak SAML' - enabled: true - type: 'saml' - issuer: 'ror-saml' - entryPoint: 'http://kc.localhost:8080/realms/ror/protocol/saml' - kibanaExternalHost: 'localhost:15601' - protocol: 'https' - usernameParameter: 'nameID' - groupsParameter: 'Role' - logoutUrl: 'http://kc.localhost:8080/realms/ror/protocol/saml' - YOU_SHOULD_READ_ME_IN_STRATEGY_CONFIGURATION_LOG: 'unknown conf params should be passed unmodified to the underlying passport-saml library' - cert: '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' + saml_keycloak: + buttonName: 'Keycloak SAML' + enabled: true + type: 'saml' + issuer: 'ror-saml' + entryPoint: 'http://kc.localhost:8080/realms/ror/protocol/saml' + kibanaExternalHost: 'localhost:8443' + protocol: 'https' + usernameParameter: 'nameID' + groupsParameter: 'memberOf' + logoutUrl: 
'http://kc.localhost:8080/realms/ror/protocol/saml' + YOU_SHOULD_READ_ME_IN_STRATEGY_CONFIGURATION_LOG: 'unknown conf params should be passed unmodified to the underlying passport-saml library' + cert: 'MIICrDCCAZQCCQDN5Tcc+Rn6rTANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA1rZXljbG9hay1zYW1sMB4XDTI1MTExMDA0MjQyOFoXDTM1MTEwODA0MjQyOFowGDEWMBQGA1UEAwwNa2V5Y2xvYWstc2FtbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJv0EFcTjNkpn5kV/XedCJ/AQKsPafZ7u33u3zfYgZbTh0V+CJ4bUAZyTfvGrcxR/iZy3hkYQBL7DGM6c/fYJGq1IH+/jxAk/GBY9tVnxotRsyhIMJYtZCb+DBUVX+wLowv2kZPlf/6OibjVpy+I6klQxIU8aeMkd+M/Phl97l+pRUjTuQZvEaEtkVLcsG6gEUcNo2X0MpNFwT7UgpGZLGy8zSHGNu703tb8w0oCYTEj42WqLWYNm5NMqD/clbPRj8g+1qZHpSoIH+p/cqVfU+oAZd3R2Y8SGR2OhYwyu9wHRnuqgiEgCIYbzwyh3IzX+57R8MQxHnjBFnzJKFtBWHMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAUGrj7hEEHJvm58RYTjqhcJ38MVkgEmAnGovObxvS9Xi6ZBct4irWdpyESowRJtY4nxFGs0uiArOpQDkteSeDzJs/IkSg3xTx3UwOpevf8IV5gU8Bwq68Fyh9An8NvczE5XhLZD1Tacphlz5OzoXthMsS1pcCumr5ZELwMtvLYAWkEV/cKmlis4JuMEZXc5v9KVybsmHv1hgM+fxg1neuWrPK1JebuVm4oaHUHYKCxqn9MXjnDvOq6MkYtKBfcYf6BKk29lapYuHNiRTi0hMPD1tWVaZg3H1/uMxlLXDxAZqkS4DNq/7MeIMUWemOqxQHZAi4rtplrVl/F3WES6pqWw==' oidc_keycloak: buttonName: "Keycloak OIDC" type: "oidc" diff --git a/ror-demo-cluster/conf/keycloak/ror-realm.json b/ror-demo-cluster/conf/keycloak/ror-realm.json index 5987209..b628aa4 100644 --- a/ror-demo-cluster/conf/keycloak/ror-realm.json +++ b/ror-demo-cluster/conf/keycloak/ror-realm.json @@ -22,7 +22,7 @@ "clientId": "ror-saml", "name": "ror-saml", "description": "Sample configuration of ReadonlyREST plugin with a SAML Provider", - "adminUrl": "https://localhost:15601/ror_kbn_saml_kc/assert", + "adminUrl": "https://localhost:8443/deva-notix/ror_kbn_saml_kc/assert", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, 
@@ -44,12 +44,12 @@ "protocol": "saml", "attributes": { "saml.assertion.signature": "false", - "saml_assertion_consumer_url_redirect": "https://localhost:15601/ror_kbn_saml_kc/assert", + "saml_assertion_consumer_url_redirect": "https://localhost:8443/deva-notix/ror_kbn_saml_kc/assert", "saml.force.post.binding": "true", "saml.multivalued.roles": "false", - "saml_single_logout_service_url_post": "https://localhost:15601/ror_kbn_saml_kc/notifyLogout", + "saml_single_logout_service_url_post": "https://localhost:8443/deva-notix/ror_kbn_saml_kc/notifyLogout", "saml.encrypt": "false", - "saml_assertion_consumer_url_post": "https://localhost:15601/ror_kbn_saml_kc/assert", + "saml_assertion_consumer_url_post": "https://localhost:8443/deva-notix/ror_kbn_saml_kc/assert", "saml.server.signature": "true", "saml.server.signature.keyinfo.ext": "false", "exclude.session.state.from.auth.response": "false", 
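Review bot: The assertion-consumer and logout URLs are re-pointed while the neighbouring attributes keep `"saml.assertion.signature": "false"` and `"saml.encrypt": "false"`, so only the response envelope is signed (`"saml.server.signature": "true"`). Signing the assertion as well, `"saml.assertion.signature": "true"`, binds the subject and the `memberOf` values to the IdP key even when a consumer evaluates the assertion separately from the response, and costs nothing in a demo realm. Whether the Kibana side can be told to require a signed assertion is not visible in this patch; if it can, set both ends. The `attributes` object continues past the end of this hunk.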
@@ -63,31 +63,36 @@ "saml.onetimeuse.condition": "false", "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#" }, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, "protocolMappers": [ { - "name": "username", + "id": "93c6e2c2-4517-4f58-a11f-01636d632ee7", + "name": "memberOf", "protocol": "saml", - "protocolMapper": "saml-user-property-mapper", + "protocolMapper": "saml-group-membership-mapper", "consentRequired": false, "config": { - "user.attribute": "username", - "friendly.name": "UserName", - "attribute.name": "UserName", - "attribute.nameformat": "Basic" + "single": "true", + "attribute.nameformat": "Basic", + "full.path": "false", + "attribute.name": "memberOf" } - }, - { - "name": "email", - "protocol": "saml", - "protocolMapper": "saml-user-property-mapper", - "consentRequired": false, - "config": { - "user.attribute": "email", - "friendly.name": "email", - "attribute.name": "email", - "attribute.nameformat": "Basic" - } - }] + } + ], + "defaultClientScopes": [ + "web-origins", + "role_list", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] }, { "clientId": "ror-oidc", @@ -121,7 +126,24 @@ } ], "groups": [ - {"name": "extEndUsers"} + { + "id": "f0f0e6ef-ecfa-45d4-b7aa-c9b8b84926f9", + "name": "extEndUsers", + "path": "/extEndUsers", + "attributes": {}, + "realmRoles": [], + "clientRoles": {}, + "subGroups": [] + }, + { + "id": "f0f0e6ef-ecfa-45d4-b7aa-c9b8b84926f1", + "name": "extBusinessUsers", + "path": "/extBusinessUsers", + "attributes": {}, + "realmRoles": [], + "clientRoles": {}, + "subGroups": [] + } ], "users": [ { 
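Review bot: `"fullScopeAllowed": true` is added to the `ror-saml` client together with the `role_list` default scope, which lets every role mapping of the user flow into the assertion rather than only what this client needs. Since group data is now delivered by the `memberOf` mapper, `"fullScopeAllowed": false` would keep the assertion to the intended attribute. The mapper also sets `"full.path": "false"`, so a nested group that reuses a top-level name would be emitted identically and would match the exact ids now listed in readonlyrest.yml; keep group names unique across the hierarchy, or emit full paths and map `/extEndUsers`-style ids on the Elasticsearch side.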
@@ -129,8 +151,8 @@ "enabled": true, "emailVerified": true, "credentials": [ { "type": "password", "value": "extUser1", "temporary": false } ], - "groups": ["extEndUsers"], - "realmRoles": ["offline_access", "uma_authorization"] + "groups": ["extEndUsers", "extBusinessUsers"], + "realmRoles": ["extEndUsers", "extBusinessUsers"] }, { "username": "extUser2", @@ -138,7 +160,7 @@ "emailVerified": true, "credentials": [ { "type": "password", "value": "extUser2", "temporary": false } ], "groups": ["extEndUsers"], - "realmRoles": ["offline_access", "uma_authorization"] + "realmRoles": ["extEndUsers"] } ], "defaultDefaultClientScopes": ["web-origins", "role_list", "profile", "roles", "email"],
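Review bot: `realmRoles` for `extUser1` now lists `extEndUsers` and `extBusinessUsers`, names this patch defines as groups; no realm role with those names is visible in the diff. If they are not declared in the realm's roles section the import may fail or ignore them, and if they are, the same entitlement is held twice (group and role) and can drift apart. As `groupsParameter` now reads `memberOf`, the role entries look unnecessary, and `"realmRoles": []` or the previous defaults would do. The second hunk on this line makes the same change for `extUser2`. Both user objects start outside their hunks.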