Disable login kibana 8.2

We are using the ECK operator and oauth2-proxy for single sign-on, and we want to disable the Kibana login page so that after a successful sign-in, oauth2 will take the user directly to the dashboard. But how should we do that? When we do xpack.security.disabled: false in Elasticsearch.yml, it gives an error:

{"timestamp": "2022-05-12T15:15:24+00:00", "message": "readiness probe failed", "curl_rc": "35"}

Elasticsearch.yml:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: es_cluster
spec:
  version: 8.2.0
  nodeSets:
    - name: default
      count: 1
      config:
        xpack.security.enabled: false
      podTemplate:
        spec:
          containers:
            - name: elasticsearch
              env:
                - name: ES_JAVA_OPTS
                  value: 1
              resources:
                requests:
                  memory: 1
                  cpu: 2
                limits:
                  memory: 128
      volumeClaimTemplates:
        - metadata:
            name: elasticsearch-data
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 70
            storageClassName: gp2

kibana.yml:

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana
spec:
  version: 8.2.0
  http:
    service:
      spec:
        type: LoadBalancer
        ports:
        - name: https
          port: 443
          targetPort: 3000
      metadata:
        annotations:
          # Note that the backend talks over HTTP.
          service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
          # TODO: Fill in with the ARN of your certificate.
          service.beta.kubernetes.io/aws-load-balancer-ssl-cert: 
          # Only run SSL on the port named "https" below.
          service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    tls:
      selfSignedCertificate:
        disabled: true
  count: 1
  elasticsearchRef:
    name: kube-es
  podTemplate:
    spec:
      containers:
      - name: kibana
        resources:
          requests:
            memory: 1Gi
            cpu: 0.5
          limits:
            memory: 2.5Gi
            cpu: 2
      - name: kibana-proxy
        image: 'quay.io/oauth2-proxy/oauth2-proxy:latest'
        imagePullPolicy: IfNotPresent
        args:
          - --cookie-secret=
          - --client-id=
          - --client-secret=
          - --upstream=http://localhost:5601
          - --email-domain=
          - --footer=-
          - --http-address=http://:3000
          - --redirect-url=
        ports:
          - containerPort: 3000
            name: http
            protocol: TCP
        resources:
          limits:
            memory: 500Mi
          requests:
            cpu: 0.5
            memory: 256Mi

Why use an oauth proxy when Kibana can do oauth natively?

Yes, this was the way it was set up previously in our company, so we thought we could just replicate it on Kubernetes. But we can use the native one also. But just curious, how can we disable the login on Kibana?

With eck, idk if that's possible.

Even when I try to do OAuth natively, it asks for xpack.security.authc.realms.oidc.oidc1.rp.client_secret, which needs to be stored in the keystore as per the documentation. But how would I be able to enter my client_secret in the keystore using just YAML files?

You can create a k8s secret with the value and then add it to the config. See Secure settings | Elastic Cloud on Kubernetes [2.2] | Elastic
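
The approach from the reply above, as an added example that is not part of the original thread: a Kubernetes Secret whose key is the keystore setting name, referenced from the Elasticsearch resource through ECK's `secureSettings`. The Secret name, cluster name and every `<...>` value are placeholders; the realm name `oidc1` and version come from the posts above.

```yaml
# Added example. Names and <...> values are placeholders, not from the thread.
apiVersion: v1
kind: Secret
metadata:
  name: es-oidc-secure-settings        # hypothetical Secret name
type: Opaque
stringData:
  # The key is the keystore setting name. ECK loads each key of a Secret
  # listed under secureSettings into the Elasticsearch keystore.
  xpack.security.authc.realms.oidc.oidc1.rp.client_secret: "<client-secret>"
---
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: es-cluster                     # hypothetical cluster name
spec:
  version: 8.2.0
  secureSettings:
    - secretName: es-oidc-secure-settings
  nodeSets:
    - name: default
      count: 1
      config:
        # Only rp.client_secret goes through the keystore; the remaining
        # realm settings are ordinary configuration.
        xpack.security.authc.token.enabled: true
        xpack.security.authc.realms.oidc.oidc1:
          order: 2
          rp.client_id: "<client-id>"
          rp.response_type: code
          rp.redirect_uri: "https://<kibana-host>/api/security/oidc/callback"
          op.issuer: "<issuer-url>"
          op.authorization_endpoint: "<authorization-endpoint-url>"
          op.token_endpoint: "<token-endpoint-url>"
          op.jwkset_path: "<jwks-url>"
          claims.principal: sub
```

A Secret manifest with the value in `stringData` is plaintext wherever the file is stored, so the Secret is better created out of band (or through a secrets operator) than committed next to the Elasticsearch manifest.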
