Deploy elasticsearch role based security using helm charts

I am trying to configure elasticsearch in our kubernetes cluster using helm charts and values.yaml as we use Azure DevOps pipelines for our deployment strategy into Azure Kubernetes clusters.

However, I am struggling to configure the in-built X-pack security so that I can utilise the role based security features that come with elasticsearch.

Are there any tutorials/step-by-step guides on how to configure the helm charts and what values to enter into the values.yaml file so that I can get this working? I have found various things on github but, so far, I have been unable to get them working.

Is the alternative to use the ECK yaml file to deploy the entire thing? I am not sure whether I can do this via our DevOps pipeline.

Has anyone deployed elasticsearch via a DevOps pipeline and can offer some assistance?

Many thanks

Alan

Hi Alan, by role based security features do you mean native realm and file realm?

I would like to have the ability of using the built in functionality so that different users can log into Kibana and have different roles... e.g. some users can edit and other users only have read access. I have spoken to the guys at elastic and they say that I can configure this using the basic subscription, but when I enable xpack in the values.yml file, it fails to deploy, so there are obviously some configuration steps that I am missing but I can't work out what I am missing...

Hey Alan,

I have the same use case which you just described. I followed the following steps in elastic-cloud on kubernetes and it worked:

I used filerealm to create custom roles and users and mapped them as secrets inside elasticsearch:

1. Create custom roles using the following snippet:

```yaml
kind: Secret
apiVersion: v1
metadata:
  name: my-roles-secret
stringData:
  roles.yml: |-
    click_admins:
      run_as: [ 'clicks_watcher_1' ]
      cluster: [ 'monitor' ]
      indices:
      - names: [ 'events-*' ]
        privileges: [ 'read' ]
        field_security:
          grant: ['category', '@timestamp', 'message' ]
        query: '{"match": {"category": "click"}}'
```

2. You can generate passwords for users using the following step:

```sh
# create a local folder holding the two file realm files
mkdir filerealm
touch filerealm/users filerealm/users_roles

# create user 'myuser' with role 'monitoring_user'
# (the local filerealm folder is mounted as the container's config directory)
docker run \
    -v "$(pwd)/filerealm:/usr/share/elasticsearch/config" \
    docker.elastic.co/elasticsearch/elasticsearch:7.7.1 \
    bin/elasticsearch-users useradd myuser -p mypassword -r monitoring_user
```

3. Once the role has been created, map these roles to users in a new secret like this:

```yaml
kind: Secret
apiVersion: v1
metadata:
  name: my-filerealm-secret
stringData:
  users: |-
    rdeniro:$2a$10$BBJ/ILiyJ1eBTYoRKxkqbuDEdYECplvxnqQ47uiowE7yGqvCEgj9W
    alpacino:$2a$10$cNwHnElYiMYZ/T3K4PvzGeJ1KbpXZp2PfoQD.gfaVdImnHOwIuBKS
    jacknich:{PBKDF2}50000$z1CLJt0MEFjkIK5iEfgvfnA6xq7lF25uasspsTKSo5Q=$XxCVLbaKDimOdyWgLCLJiyoiWpA/XDMe/xtVgn1r5Sg=
  users_roles: |-
    admin:rdeniro
    power_user:alpacino,jacknich
    user:jacknich
```

4. The final step is to add this secret in the secure setting of the elasticsearch CR:

```yaml
spec:
  version: 7.7.1
  auth:
    fileRealm:
    - secretName: my-filerealm-secret-1
    - secretName: my-filerealm-secret-2
```

5. And enable xpack to use filerealm as an authentication mechanism:

```yaml
xpack:
  security:
    authc:
      realms:
        file:
          file1:
            order: 0
```

This will be added under config for elasticsearch.

Hope this helps.
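
A pre-deployment check for the `users` and `users_roles` files from step 3, added here as an example and not part of the original posts: it parses both files and reports password fields that are not hashes, role members with no `users` entry, roles missing from a supplied list, and users with no role. The function names, the role list passed in, and the sample input are all assumptions made for illustration.

```python
import re

# Accepts the two hash formats shown in the thread: bcrypt and {PBKDF2}.
HASH_RE = re.compile(
    r"^(\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"
    r"|\{PBKDF2\}\d+\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+)$"
)

def parse_pairs(text):
    """Split 'key:value' lines (users or users_roles) into a dict."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            pairs[key.strip()] = value.strip()
    return pairs

def lint_filerealm(users_text, users_roles_text, defined_roles):
    """Return findings for a users/users_roles pair before it goes into a Secret."""
    users = parse_pairs(users_text)
    role_map = {role: [m.strip() for m in members.split(",") if m.strip()]
                for role, members in parse_pairs(users_roles_text).items()}
    findings = []
    for name, pw_hash in users.items():
        if not HASH_RE.match(pw_hash):
            findings.append(f"user {name}: password field is not a bcrypt/PBKDF2 hash")
    assigned = set()
    for role, members in role_map.items():
        if role not in defined_roles:
            findings.append(f"role {role}: not in the supplied role list")
        for member in members:
            assigned.add(member)
            if member not in users:
                findings.append(f"role {role}: member {member} has no entry in users")
    for name in sorted(set(users) - assigned):
        findings.append(f"user {name}: no role assigned")
    return findings

# Constructed sample input (not from the thread); the hash is a placeholder
# with the right shape, not a real bcrypt digest.
FAKE_HASH = "$2a$10$" + "A" * 53
SAMPLE_USERS = f"alice:{FAKE_HASH}\nbob:changeme\ndave:{FAKE_HASH}\n"
SAMPLE_USERS_ROLES = "click_admins:alice,carol\nclicks_admin:bob\n"

if __name__ == "__main__":
    for finding in lint_filerealm(SAMPLE_USERS, SAMPLE_USERS_ROLES,
                                  {"click_admins", "monitoring_user"}):
        print(finding)
```

Run in the pipeline before the Secret is created, a non-empty result can fail the build so that a plaintext password or a mistyped role name never reaches the cluster.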

that looks good...

My first problem is configuring xpack in the values.yml file for the standard deployment helm charts - it seems to be falling over there..

Once I have the master "elastic" account, I then have the second problem of creating accounts for the different users... can this be done through the kibana UI or does it have to be done via helm charts too?

I apologise if I don't make sense as I am VERY new to elasticsearch/k8s/helm etc... but thanks for all your help so far..

Alan

Hi Alan,

Please paste the values.yaml and deployment.yaml which you are using in the helm chart here, then I will be able to guide you.

Thanks,
Aman

I am utilising the standard elastic/elasticsearch helm chart after adding the repo..

```yaml
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
```

I assume that I need to add the following section too:

```yaml
extraEnvs:
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username
```

I haven't done any secretMounts as I am not sure whether I need those.. And I will need to link the user name and password to pipeline variables at some point.

I can see you have opened this topic in the wrong section; you are using the elasticsearch official helm chart, so the topic should be elasticsearch, not elastic cloud on kubernetes.

Alternatively, what you can do is:

add xpack.security.authc.realms.file.file1.order: 0 under elasticsearch.yaml

and have an init container edit your {ES-PATH-CONF}/users_roles and {ES-PATH-CONF}/users with the required roles and username
