Add security to telemetry deployment

This commit is contained in:
Alex 2022-02-26 18:56:16 +01:00
parent 823c8bd3ba
commit 8064d91dfb
Signed by untrusted user: lx
GPG key ID: 0E496D15096376BE
4 changed files with 48 additions and 2 deletions

View file

@ -8,3 +8,9 @@ output.elasticsearch:
# In case you specify and additional path, the scheme is required: `http://localhost:9200/path`. # In case you specify and additional path, the scheme is required: `http://localhost:9200/path`.
# IPv6 addresses should always be defined as: `https://[2001:db8::1]:9200`. # IPv6 addresses should always be defined as: `https://[2001:db8::1]:9200`.
hosts: ["localhost:9200"] hosts: ["localhost:9200"]
username: "apm"
password: "{{ key "secrets/telemetry/elastic_passwords/apm" }}"
logging:
level: warning
to_stderr: true

View file

@ -5,8 +5,8 @@ datasources:
type: elasticsearch type: elasticsearch
access: proxy access: proxy
url: http://localhost:9200 url: http://localhost:9200
password: '' password: '{{ key "secrets/telemetry/elastic_passwords/grafana" }}'
user: '' user: 'grafana'
database: apm-* database: apm-*
basicAuth: false basicAuth: false
isDefault: true isDefault: true

View file

@ -77,6 +77,7 @@ http.port=9200
cluster.name=es-docker-cluster cluster.name=es-docker-cluster
discovery.type=single-node discovery.type=single-node
bootstrap.memory_lock=true bootstrap.memory_lock=true
xpack.security.enabled=true
ES_JAVA_OPTS=-Xms512m -Xmx512m ES_JAVA_OPTS=-Xms512m -Xmx512m
EOH EOH
destination = "secrets/env" destination = "secrets/env"
@ -96,6 +97,8 @@ EOH
data = <<EOH data = <<EOH
SERVER_NAME=kibana.local SERVER_NAME=kibana.local
ELASTICSEARCH_HOSTS=http://localhost:9200 ELASTICSEARCH_HOSTS=http://localhost:9200
ELASTICSEARCH_USERNAME=kibana_system
ELASTICSEARCH_PASSWORD={{ key "secrets/telemetry/elastic_passwords/kibana_system" }}
EOH EOH
destination = "secrets/env" destination = "secrets/env"
env = true env = true

37
doc/telemetry.md Normal file
View file

@ -0,0 +1,37 @@
# create elasticsearch passwords
in elasticsearch container
```bash
./bin/elasticsearch-setup-passwords auto
```
save passwords in consul, at:
- `secrets/telemetry/elastic_passwords/apm_system` for user `apm_system`
- `secrets/telemetry/elastic_passwords/kibana_system` for user `kibana_system`
- `secrets/telemetry/elastic_passwords/elastic` for user `elastic`
check kibana works, login to kibana with user `elastic`
# create role and user for apm
create role `apm_writer`, give privileges:
- cluster privileges `manage_ilm`, `read_ilm`, `manage_ingest_pipelines`
- on index `apm-*` privileges `create_doc`, `create_index`, `view_index_metadata`
- on index `apm-*sourcemap` privilege `read_cross_cluster`
create user `apm` with roles `apm_writer` and `apm_system`. give it a randomly generated password that you save in `secrets/telemetry/elastic_passwords/apm`
check apm data is ingested correctly (visible in kibana)
# create role and user for grafana
create role `grafana`, give privileges:
- on index `apm-*` privileges `read` and `view_index_metadata`
create user `grafana` with role `grafana`. give it a randomly generated password that you save in `secrets/telemetry/elastic_passwords/grafana`
check grafana works