[RORDEV-1912] Reproduction

ror-demo-cluster/conf/es/readonlyrest.yml

@@ -9,67 +9,22 @@ readonlyrest:
     - name: "KIBANA"
       type: allow
       auth_key: kibana:kibana
-      verbosity: error
 
     - name: "Admins"
-      groups: [Administrators]
+      auth_key: admin:admin
       kibana:
         access: admin
 
     - name: "End users"
-      groups: ["EndUsers"]
-      indices: ["frontend_logs", "kibana_sample_data_*"]
+      auth_key: user1:test
+      indices: ["example", "frontend_logs", "kibana_sample_data_*", ".kibana-01"]
       kibana:
-        index: .kibana_end_@{user}
         access: rw
-        hide_apps: ["Security", "Observability"]
+        index: ".kibana-01"
 
     - name: "Business users"
-      groups: ["BusinessUsers"]
-      indices: ["business_logs", "kibana_sample_data_*"]
+      auth_key: user2:test
+      indices: ["example", "business_logs", "kibana_sample_data_*", ".kibana-02"]
       kibana:
-        index: .kibana_business_@{user}
         access: rw
-        hide_apps: ["Security", "Observability"]
-
-  users:
-    - username: admin
-      auth_key: admin:admin
-      groups:
-        - id: "Administrators"
-          name: "Administrators"
-        - id: "EndUsers"
-          name: "End Users"
-        - id: "BusinessUsers"
-          name: "Business Users"
-
-    - username: user1
-      auth_key: user1:test
-      groups:
-        - id: "EndUsers"
-          name: "End Users"
-        - id: "BusinessUsers"
-          name: "Business Users"
-
-    - username: user2
-      auth_key: user2:test
-      groups:
-        - id: "EndUsers"
-          name: "End Users"
-
-    - username: "*"
-      ror_kbn_auth:
-        name: "kbn1"
-        groups: ["*"]
-      groups:
-        - local_group:
-            id: "EndUsers"
-            name: "End Users"
-          external_group_ids: [ "extEndUsers" ]
-        - local_group:
-            id: "BusinessUsers"
-            name: "Business Users"
-          external_group_ids: [ "extBusinessUsers" ]
-  ror_kbn:
-    - name: kbn1
-      signature_key: "9yzBfnLaTYLfGPzyKW9es76RKYhUVgmuv6ZtehaScj5msGpBpa5FWpwk295uJYaaffTFnQC5tsknh2AguVDaTrqCLfM5zCTqdE4UGNL73h28Bg4dPrvTAFQyygQqv4xfgnevBED6VZYdfjXAQLc8J8ywaHQQSmprZqYCWGE6sM3vzNUEWWB3kmGrEKa4sGbXhmXZCvL6NDnEJhXPDJAzu9BMQxn8CzVLqrx6BxDgPYF8gZCxtyxMckXwCaYXrxAGbjkYH69F4wYhuAdHSWgRAQCuWwYmWCA6g39j4VPge5pv962XYvxwJpvn23Y5KvNZ5S5c6crdG4f4gTCXnU36x92fKMQzsQV9K4phcuNvMWkpqVB6xMA5aPzUeHcGytD93dG8D52P5BxsgaJJE6QqDrk3Y2vyLw9ZEbJhPRJxbuBKVCBtVx26Ldd46dq5eyyzmNEyQGLrjQ4qd978VtG8TNT5rkn4ETJQEju5HfCBbjm3urGLFVqxhGVawecT4YM9Rry4EqXWkRJGTFQWQRnweUFbKNbVTC9NxcXEp6K5rSPEy9trb5UYLYhhMJ9fWSBMuenGRjNSJxeurMRCaxPpNppBLFnp8qW5ezfHgCBpEjkSNNzP4uXMZFAXmdUfJ8XQdPTWuYfdHYc5TZWnzrdq9wcfFQRDpDB2zX5Myu96krDt9vA7wNKfYwkSczA6qUQV66jA8nV4Cs38cDAKVBXnxz22ddAVrPv8ajpu7hgBtULMURjvLt94Nc5FDKw79CTTQxffWEj9BJCDCpQnTufmT8xenywwVJvtj49yv2MP2mGECrVDRmcGUAYBKR8G6ZnFAYDVC9UhY46FGWDcyVX3HKwgtHeb45Ww7dsW8JdMnZYctaEU585GZmqTJp2LcAWRcQPH25JewnPX8pjzVpJNcy7avfA2bcU86bfASvQBDUCrhjgRmK2ECR6vzPwTsYKRgFrDqb62FeMdrKgJ9vKs435T5ACN7MNtdRXHQ4fj5pNpUMDW26Wd7tt9bkBTqEGf"
+        index: ".kibana-02"

ror-demo-cluster/conf/kbn-01/free-ror-newplatform-kibana.yml

@@ -0,0 +1,23 @@
+server.host: 0.0.0.0
+
+elasticsearch.username: kibana
+elasticsearch.password: kibana
+elasticsearch.ssl.verificationMode: none
+
+# generated with:
+# $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt
+server.ssl.enabled: true
+server.ssl.certificate: /usr/share/kibana/config/kibana.crt
+server.ssl.key: /usr/share/kibana/config/kibana.key
+server.ssl.redirectHttpFromPort: 80
+
+readonlyrest_kbn.logLevel: info
+readonlyrest_kbn.store_sessions_in_index: true
+# instance-specific settings
+readonlyrest_kbn.cookiePass: 'kibana-01-cookie-pass-1234567890'
+readonlyrest_kbn.sessions_index_name: ".ror-sessions-kibana-01"
+kibana.index: ".kibana-01"
+
+# the same on both instances
+xpack.reporting.encryptionKey: "kbn-ror-0x-reporting-encryption-key-1234567890"
+xpack.encryptedSavedObjects.encryptionKey: "kbn-ror-0x-encrypted-saved-objects-encryption-key-1234567890"

ror-demo-cluster/conf/kbn-02/enterprise-ror-newplatform-kibana.yml

@@ -0,0 +1,64 @@
+server.name: kibana-ror
+server.host: 0.0.0.0
+
+elasticsearch.username: kibana
+elasticsearch.password: kibana
+elasticsearch.ssl.verificationMode: none
+
+# generated with:
+# $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt
+server.ssl.enabled: true
+server.ssl.certificate: /usr/share/kibana/config/kibana.crt
+server.ssl.key: /usr/share/kibana/config/kibana.key
+server.ssl.redirectHttpFromPort: 80
+
+readonlyrest_kbn.logLevel: info
+readonlyrest_kbn.cookiePass: '12312313123213123213123abcdefghijklm'
+readonlyrest_kbn:
+  auth:
+      signature_key: "9yzBfnLaTYLfGPzyKW9es76RKYhUVgmuv6ZtehaScj5msGpBpa5FWpwk295uJYaaffTFnQC5tsknh2AguVDaTrqCLfM5zCTqdE4UGNL73h28Bg4dPrvTAFQyygQqv4xfgnevBED6VZYdfjXAQLc8J8ywaHQQSmprZqYCWGE6sM3vzNUEWWB3kmGrEKa4sGbXhmXZCvL6NDnEJhXPDJAzu9BMQxn8CzVLqrx6BxDgPYF8gZCxtyxMckXwCaYXrxAGbjkYH69F4wYhuAdHSWgRAQCuWwYmWCA6g39j4VPge5pv962XYvxwJpvn23Y5KvNZ5S5c6crdG4f4gTCXnU36x92fKMQzsQV9K4phcuNvMWkpqVB6xMA5aPzUeHcGytD93dG8D52P5BxsgaJJE6QqDrk3Y2vyLw9ZEbJhPRJxbuBKVCBtVx26Ldd46dq5eyyzmNEyQGLrjQ4qd978VtG8TNT5rkn4ETJQEju5HfCBbjm3urGLFVqxhGVawecT4YM9Rry4EqXWkRJGTFQWQRnweUFbKNbVTC9NxcXEp6K5rSPEy9trb5UYLYhhMJ9fWSBMuenGRjNSJxeurMRCaxPpNppBLFnp8qW5ezfHgCBpEjkSNNzP4uXMZFAXmdUfJ8XQdPTWuYfdHYc5TZWnzrdq9wcfFQRDpDB2zX5Myu96krDt9vA7wNKfYwkSczA6qUQV66jA8nV4Cs38cDAKVBXnxz22ddAVrPv8ajpu7hgBtULMURjvLt94Nc5FDKw79CTTQxffWEj9BJCDCpQnTufmT8xenywwVJvtj49yv2MP2mGECrVDRmcGUAYBKR8G6ZnFAYDVC9UhY46FGWDcyVX3HKwgtHeb45Ww7dsW8JdMnZYctaEU585GZmqTJp2LcAWRcQPH25JewnPX8pjzVpJNcy7avfA2bcU86bfASvQBDUCrhjgRmK2ECR6vzPwTsYKRgFrDqb62FeMdrKgJ9vKs435T5ACN7MNtdRXHQ4fj5pNpUMDW26Wd7tt9bkBTqEGf"
+      saml_keycloak:
+        buttonName: 'Keycloak SAML'
+        enabled: true
+        type: 'saml'
+        issuer: 'ror-saml'
+        entryPoint: 'http://kc.localhost:8080/realms/ror/protocol/saml'
+        kibanaExternalHost: 'localhost:15601'
+        protocol: 'https'
+        usernameParameter: 'nameID'
+        groupsParameter: 'Role'
+        logoutUrl: 'http://kc.localhost:8080/realms/ror/protocol/saml'
+        YOU_SHOULD_READ_ME_IN_STRATEGY_CONFIGURATION_LOG: 'unknown conf params should be passed unmodified to the underlying passport-saml library'
+        cert: 'MIICrDCCAZQCCQDN5Tcc+Rn6rTANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA1rZXljbG9hay1zYW1sMB4XDTI1MTExMDA0MjQyOFoXDTM1MTEwODA0MjQyOFowGDEWMBQGA1UEAwwNa2V5Y2xvYWstc2FtbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJv0EFcTjNkpn5kV/XedCJ/AQKsPafZ7u33u3zfYgZbTh0V+CJ4bUAZyTfvGrcxR/iZy3hkYQBL7DGM6c/fYJGq1IH+/jxAk/GBY9tVnxotRsyhIMJYtZCb+DBUVX+wLowv2kZPlf/6OibjVpy+I6klQxIU8aeMkd+M/Phl97l+pRUjTuQZvEaEtkVLcsG6gEUcNo2X0MpNFwT7UgpGZLGy8zSHGNu703tb8w0oCYTEj42WqLWYNm5NMqD/clbPRj8g+1qZHpSoIH+p/cqVfU+oAZd3R2Y8SGR2OhYwyu9wHRnuqgiEgCIYbzwyh3IzX+57R8MQxHnjBFnzJKFtBWHMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAUGrj7hEEHJvm58RYTjqhcJ38MVkgEmAnGovObxvS9Xi6ZBct4irWdpyESowRJtY4nxFGs0uiArOpQDkteSeDzJs/IkSg3xTx3UwOpevf8IV5gU8Bwq68Fyh9An8NvczE5XhLZD1Tacphlz5OzoXthMsS1pcCumr5ZELwMtvLYAWkEV/cKmlis4JuMEZXc5v9KVybsmHv1hgM+fxg1neuWrPK1JebuVm4oaHUHYKCxqn9MXjnDvOq6MkYtKBfcYf6BKk29lapYuHNiRTi0hMPD1tWVaZg3H1/uMxlLXDxAZqkS4DNq/7MeIMUWemOqxQHZAi4rtplrVl/F3WES6pqWw=='
+      oidc_keycloak:
+        buttonName: "Keycloak OIDC"
+        type: "oidc"
+        protocol: "https"
+        issuer: 'http://kc.localhost:8080/realms/ror'
+        authorizationURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/auth'
+        tokenURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/token'
+        userInfoURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/userinfo'
+        jwksURL: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/certs'
+        clientID: 'ror-oidc'
+        clientSecret: 'kibanasecret123'
+        scope: 'openid profile email'
+        usernameParameter: 'preferred_username'
+        groupsParameter: 'groups'
+        kibanaExternalHost: 'localhost:15601'
+        logoutUrl: 'http://kc.localhost:8080/realms/ror/protocol/openid-connect/logout'
+      oidc_lemon_ldap:
+        buttonName: "LemonLDAP OpenID"
+        type: "oidc"
+        protocol: "https"
+        issuer: 'https://oidctest.wsweet.org/'
+        authorizationURL: 'https://oidctest.wsweet.org/oauth2/authorize'
+        tokenURL: 'https://oidctest.wsweet.org/oauth2/token'
+        userInfoURL: 'https://oidctest.wsweet.org/oauth2/userinfo'
+        clientID: 'private'
+        clientSecret: 'tardis'
+        scope: 'openid users roles'
+        usernameParameter: 'sub'
+        groupsParameter: 'roles'
+        kibanaExternalHost: 'localhost:15601'
+        logoutUrl: 'https://oidctest.wsweet.org/oauth2/logout'
+        jwksURL: 'https://oidctest.wsweet.org/oauth2/jwks'

ror-demo-cluster/conf/kbn-02/free-ror-newplatform-kibana.yml

@@ -0,0 +1,23 @@
+server.host: 0.0.0.0
+
+elasticsearch.username: kibana
+elasticsearch.password: kibana
+elasticsearch.ssl.verificationMode: none
+
+# generated with:
+# $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt
+server.ssl.enabled: true
+server.ssl.certificate: /usr/share/kibana/config/kibana.crt
+server.ssl.key: /usr/share/kibana/config/kibana.key
+server.ssl.redirectHttpFromPort: 80
+
+readonlyrest_kbn.logLevel: info
+readonlyrest_kbn.store_sessions_in_index: true
+# instance-specific settings
+readonlyrest_kbn.cookiePass: 'kibana-02-cookie-pass-1234567890'
+readonlyrest_kbn.sessions_index_name: ".ror-sessions-kibana-02"
+kibana.index: ".kibana-02"
+
+# the same on both instances
+xpack.reporting.encryptionKey: "kbn-ror-0x-reporting-encryption-key-1234567890"
+xpack.encryptedSavedObjects.encryptionKey: "kbn-ror-0x-encrypted-saved-objects-encryption-key-1234567890"

ror-demo-cluster/conf/kbn-02/kibana.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUBiE6BT/+Rshrppljbwt9YUKI0L4wDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA5MjYxODQyNThaFw0zNDA5
+MjQxODQyNThaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDG3G4Thxy7EozvjLSipdvZqjqCsfsjS9hpYP3yCYHd
+X6Zd1jEIrUnU7m0K9Mqnu4ws+rMKFVPG8VTGtwYtvhirp3E5Z452BCpPVlA95buA
+tgFaPF7fD/KexrlZZguBGmGvg1Tl2XbuTPMxy2bOaQEB23MnKdfGrG/vrZW4dYBn
+BdbITpZv3RTtpiM6nWLaGXKMuZKa5jLLvATqF6NyoSDzp0h/mLkAlyK9YGCcAfcX
+FenpHfO7bXK0j+cuZOxLTqWqfvXk3W+PIti0x1oX+wCWUeLcunu55ULZiCmHkp1j
+SxQRGJtlBFMcCQ1cqVzjCcXNG2yLhvvLiNbieZsQQEMVAgMBAAGjUzBRMB0GA1Ud
+DgQWBBQAhrFCBCBAdrJH179OeQI2at+wHDAfBgNVHSMEGDAWgBQAhrFCBCBAdrJH
+179OeQI2at+wHDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBI
+esiejMlKXp0mj34N5NDs3I7+AHIFIGTY+u6I4kF+tuiAcCYWWF4cG3g0pJzvokIi
+wIdjCQjXBwfbu6KBv0wphqlSJ9lwDPBGBG1Lc6Sg+wHTqrdwL8f4FcJF1IB92mLc
+wNSQNnjqxgcD5AOTqVHIy9hhJVufZonypIMSRV5xndv5qGP2TjSM4bF/Cj3YIK9D
+2pLAUG3Vj3YIr0jOiyRbYlzaXpV9hPwfkbLSrqi/RwHvZtUv7B7roAY1mSg5wYFg
+CbHH7nmpV3wzaF47Y/k+O4+37DbCYuDJwrLyhqksqQiN55s4UG15ATBS8fYWfRnf
+t2WXvSztBJ6TS+pOm6GM
+-----END CERTIFICATE-----

ror-demo-cluster/conf/kbn-02/kibana.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDG3G4Thxy7Eozv
+jLSipdvZqjqCsfsjS9hpYP3yCYHdX6Zd1jEIrUnU7m0K9Mqnu4ws+rMKFVPG8VTG
+twYtvhirp3E5Z452BCpPVlA95buAtgFaPF7fD/KexrlZZguBGmGvg1Tl2XbuTPMx
+y2bOaQEB23MnKdfGrG/vrZW4dYBnBdbITpZv3RTtpiM6nWLaGXKMuZKa5jLLvATq
+F6NyoSDzp0h/mLkAlyK9YGCcAfcXFenpHfO7bXK0j+cuZOxLTqWqfvXk3W+PIti0
+x1oX+wCWUeLcunu55ULZiCmHkp1jSxQRGJtlBFMcCQ1cqVzjCcXNG2yLhvvLiNbi
+eZsQQEMVAgMBAAECggEAF5FSPmA56HXXXCCJ2+jaOF6zVn/vaox3lm2XSxMTYAAR
+AHf9EbEv2dtz8uN2DRDuGPqRM3W5mw9I49AXHF62H8nVYl9Cg/wUY5iwI9XRNfzc
+Biy3dao3L9gPaWftnxxYTWu8KQ1vyeg2vkUD5xyMsQKoEBEmcHZJQdeJsfXDBPJ3
+tQSkDSrnr4f7uEQvr9iidEXnyfz1azF0snZ00IkBXRV2dcbTOIu6W+2uI1/Pthjt
+rAoqvSuwBlUtvQG7Btat4tL84LNTfH+SoXJK1v4JwbqydV/U47Cc0Tp2inJugfVA
+o6Cj5ptKvxI7mkFQuoyG4bm3x+79XeNbrYxhBK3hlQKBgQDnvMTfdIxC+rU+cKY0
+6sEaCzNbh3ZGqgVpBRj0i7EfdBNOctzlFSQGQhCD1SnXc7ihNZ5t2MKJRap3MNDX
+Xh6jllgkjXnw1V+b2E1nBtkp/F8dWnrvzwJbSN+KeCP+zio6g2gKYLZab0GIRTEB
+QvXgeaWAmIuxq2GENF8K1FuQYwKBgQDbrnsDKJI3rpfLbzrZB22gwdmq7wZWllzc
+1Axiqn6xXqghXPLna3fDAbisQgRrQFTjBU9gM3isp4PGVurdPQa35ve6UAgoJUat
+hIqvBzcbER3YEBksJtLvai9m9yQ69vYdMPbR10ZhA6EqTcp2MgyIEvAvue964J2p
+3L1/r6bsJwKBgCksRN5e2rzbxm/9m8ozG3QBIXLVspIDi0qJeVGZsDKicPuzNMQO
+6YOjIUQLD5AUI22hFTD3Hjk9g3gB2Fkrg84U3DxCVrQPdRk/aSEw+kyXZl7UwJry
+8Lw/SlhT2DFhd+dFiaquXDfdJIuNn5NVzlG/y0P51ngOtxjCJVDLQil5AoGAa0qk
+Ob6u6xMSgAErNKQ0HreOn7Vt2wxE/nVyNx4eEnKwmtrSp8QNEejdUQRNNDSPQPFu
++wUoguqtqUj6HGOZzGe5xf0gfrr18fkx4pobh9SsRsJWCQJNMzEhRaCeyU2klk07
+vvDtJqSnKgokP+XhyPO26xhcph7d4gA1bQ9U7zECgYAX4Fe9+2Uzmu035C5oHgUv
+dA4NRP9lutpH0uboUxo1hdxKtTM1dmeXAj+SL5jyYBpfE3c8Ha3QGlIN8sHiKZTA
+0A3bRAHjoKNULPgiODmwaK9y1vOm0Kol6QsJ3QZrc+iHf3wscMnimSwH2XxPnNSD
+zh06Wun9UBVUZbdsIPDcLg==
+-----END PRIVATE KEY-----

ror-demo-cluster/conf/kbn-02/ror-oldplatform-kibana.yml

@@ -0,0 +1,15 @@
+server.name: kibana-ror
+server.host: 0.0.0.0
+
+elasticsearch.username: kibana
+elasticsearch.password: kibana
+elasticsearch.ssl.verificationMode: none
+
+# generated with:
+# $ openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout kibana.key -out kibana.crt
+server.ssl.enabled: true
+server.ssl.certificate: /usr/share/kibana/config/kibana.crt
+server.ssl.key: /usr/share/kibana/config/kibana.key
+server.ssl.redirectHttpFromPort: 80
+
+xpack.security.enabled: false

ror-demo-cluster/docker-compose.yml

@@ -1,27 +1,4 @@
 services:
-  # Enterprise-only service
-  keycloak:
-    image: quay.io/keycloak/keycloak:20.0.5
-    profiles: ["ENT"]
-    environment:
-      - KEYCLOAK_ADMIN=admin
-      - KEYCLOAK_ADMIN_PASSWORD=admin
-      - KEYCLOAK_FRONTEND_URL=http://kc.localhost:8080
-    volumes:
-      - ./conf/keycloak/ror-realm.json:/opt/keycloak/data/import/ror-realm.json:ro
-    command: ["start-dev", "--import-realm", "--hostname=kc.localhost", "--http-enabled=true", "--http-port=8080"]
-    ports:
-      - "8080:8080"
-    healthcheck:
-      test: ["CMD-SHELL", "curl -fksS --connect-timeout 3 --max-time 5 --retry 5 --retry-connrefused http://127.0.0.1:8080/realms/ror/.well-known/openid-configuration >/dev/null || exit 1"]
-      interval: 10s
-      timeout: 10s
-      retries: 30
-      start_period: 40s
-    networks:
-      es-ror-network:
-        aliases:
-          - kc.localhost
 
   es-ror:
     build:
@@ -55,10 +32,10 @@ services:
         soft: -1
         hard: -1
 
-  kbn-ror:
+  kbn-ror-01:
     build:
       context: .
-      dockerfile: images/kbn/${KBN_DOCKERFILE:-KBN_DOCKERFILE_NOT_CONFIGURED}
+      dockerfile: images/kbn-01/${KBN_DOCKERFILE:-KBN_DOCKERFILE_NOT_CONFIGURED}
       args:
         KBN_VERSION: ${KBN_VERSION:-KBN_VERSION_NOT_CONFIGURED}
         ROR_VERSION: ${ROR_KBN_VERSION:-ROR_KBN_VERSION_NOT_CONFIGURED}
@@ -67,14 +44,43 @@ services:
     depends_on:
       es-ror:
         condition: service_healthy
-      keycloak:
-        condition: service_healthy
-        required: false
     ports:
       - "15601:5601"
     environment:
       ELASTICSEARCH_HOSTS: https://es-ror:9200
       ROR_ACTIVATION_KEY: $ROR_ACTIVATION_KEY
+      SERVER_NAME: kbn-ror-01
+    healthcheck:
+      test: ["CMD-SHELL", "curl -fksS --connect-timeout 3 --max-time 5 --retry 2 --retry-connrefused -u admin:admin https://127.0.0.1:5601/api/features >/dev/null || exit 1"]
+      interval: 10s
+      timeout: 10s
+      retries: 30
+      start_period: 60s
+    networks:
+      - es-ror-network
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+
+  kbn-ror-02:
+    build:
+      context: .
+      dockerfile: images/kbn-02/${KBN_DOCKERFILE:-KBN_DOCKERFILE_NOT_CONFIGURED}
+      args:
+        KBN_VERSION: ${KBN_VERSION:-KBN_VERSION_NOT_CONFIGURED}
+        ROR_VERSION: ${ROR_KBN_VERSION:-ROR_KBN_VERSION_NOT_CONFIGURED}
+        ROR_FILE: ${KBN_ROR_FILE:-KBN_ROR_FILE_NOT_CONFIGURED}
+        ROR_LICENSE_EDITION: ${ROR_LICENSE_EDITION:-ROR_LICENSE_EDITION_NOT_CONFIGURED}
+    depends_on:
+      es-ror:
+        condition: service_healthy
+    ports:
+      - "25601:5601"
+    environment:
+      ELASTICSEARCH_HOSTS: https://es-ror:9200
+      ROR_ACTIVATION_KEY: $ROR_ACTIVATION_KEY
+      SERVER_NAME: kbn-ror-02
     healthcheck:
       test: ["CMD-SHELL", "curl -fksS --connect-timeout 3 --max-time 5 --retry 2 --retry-connrefused -u admin:admin https://127.0.0.1:5601/api/features >/dev/null || exit 1"]
       interval: 10s
@@ -95,7 +101,9 @@ services:
     depends_on:
       es-ror:
         condition: service_healthy
-      kbn-ror:
+      kbn-ror-01:
+        condition: service_healthy
+      kbn-ror-02:
         condition: service_healthy
     environment:
       ELASTICSEARCH_ADDRESS: https://es-ror:9200

ror-demo-cluster/images/kbn-01/Dockerfile-use-ror-binaries-from-api

@@ -0,0 +1,22 @@
+ARG KBN_VERSION=please_set_kbn_version_arg
+
+FROM docker.elastic.co/kibana/kibana:${KBN_VERSION}
+
+ARG KBN_VERSION=please_set_kbn_version_arg
+ARG ROR_VERSION=please_set_ror_version_arg
+ARG ROR_LICENSE_EDITION=please_set_ror_license_edition_arg
+
+COPY conf/kbn-01/ror-oldplatform-kibana.yml /usr/share/kibana/config/ror-oldplatform-kibana.yml
+COPY conf/kbn-01/enterprise-ror-newplatform-kibana.yml /usr/share/kibana/config/enterprise-ror-newplatform-kibana.yml
+COPY conf/kbn-01/pro-ror-newplatform-kibana.yml /usr/share/kibana/config/pro-ror-newplatform-kibana.yml
+COPY conf/kbn-01/free-ror-newplatform-kibana.yml /usr/share/kibana/config/free-ror-newplatform-kibana.yml
+COPY conf/kbn-01/kibana.crt /usr/share/kibana/config/kibana.crt
+COPY conf/kbn-01/kibana.key /usr/share/kibana/config/kibana.key
+COPY images/kbn-01/install-ror-kbn-using-api.sh /tmp/install-ror.sh
+
+USER root
+
+RUN /tmp/install-ror.sh && \
+    chown -R kibana:kibana /usr/share/kibana/config
+
+USER kibana