Elastic Cloud On kubernetes

Elastic Orchestration Elastic Cloud on Kubernetes (ECK)
1

Hi ..,
I am giving a try on Elastic cloud on Kubernetes, I have deployed the operator, Elasticsearch and Kibana. Everything is up and running fine.
Now I want to implement openid connect to kibana using Keycloak, On doing this Do I need any licence or basic licence is sufficient.
Because, We set up Elasticsearch (version 7.8.0) with an OpenID Connect "oidc" realm with Keycloak as provider. We called the realm "oidc1":
[...]
xpack.security.authc.realms.oidc.oidc1:
claims.principal: name
op.authorization_endpoint: https://keycloak.text/auth/realms/oidc1/protocol/openid-connect/auth
op.endsession_endpoint: https://keycloak.text/auth/realms/oidc1/protocol/openid-connect/logout
op.issuer: https://keycloak.text/auth/realms/oidc1
op.jwkset_path: https://keycloak.text/auth/realms/oidc1/protocol/openid-connect/certs
op.token_endpoint: https://keycloak.text/auth/realms/oidc1/protocol/openid-connect/auth
op.userinfo_endpoint: https://keycloak.text/auth/realms/oidc1/protocol/openid-connect/userinfo
order: 0
rp.client_id: kibana
rp.post_logout_redirect_uri: https://ip-removed:port/logged_out
rp.redirect_uri: https://ip-removed:port/api/security/oidc/callback
rp.response_type: code
xpack.security.authc.token.enabled: true

The "rp.client_secret" is injected into keystore from secret.

To make Kibana (version 7.8.0) use this OpenId Connect realm we added to the Kibana config:
xpack.security.authc.providers:
basic.basic1:
order: 1
oidc.keycloak:
order: 0
realm: oidc1

After configuring all this we experienced the following issues:

  • Kibana correctly shows the login selections: "Login with oidc/oidc1" and "Login with Elasticsearch" as expected
  • Choosing "Log in with oidc/oidc1" it is not redirting to keycloak... It is giving me authorization issue.

In the Elasticsearch, kibana logs there is literally nothing(!) regarding this oidc login.

Help is really appreciated.

Thanks,
VIneeth.

2

Is anybody there to help me on this?

3

Can you be a bit more specific about the error you are seeing?

Also if you put your configuration examples into triple backticks ``` they will be properly formatted and this will make it much easier to spot any mistakes (especially given that YAML is whitespace sensitive)

4

image
image1181×130 8.23 KB

5

I have verified for oidc to unable, we need to have platinum licence right. So may be because of that I am unable to authenticate through oidc.

6

Yes SAML and OpenID Connect are Platinum/Enterprise features. We have an overview of all features and their respective license tiers here: https://www.elastic.co/subscriptions#elastic-stack-security

Please note that ECK is only offered in two licensing tiers: Basic (which is free) and Enterprise. https://www.elastic.co/guide/en/cloud-on-k8s/master/k8s-licensing.html

So in order to use OpenID Connect with ECK you would need an Enterprise license.

7

Hi Peter,
Here,In the ECK documentation I found only for beats, kibana, elasticsearch.
There is nothing for logstash, But I want to use logstash for my elastic operator. For this do I have to go for standalone logstash or Any other approach you would like to suggest?
Thank You,
Vineeth.

9

Hi,

Logstash is not supported by ECK, you can refer to this documentation in order to get everything you need to configure it manually.

11

Do elastic operator itself is having any UI to view clusters it is managing, resources etc...,