Merge pull request #1232 from amazeeio/opendistro

Migrate from SearchGuard to OpenDistro Security

.lagoon.secrets.yaml

@@ -20,8 +20,8 @@ parameters:
     description: Password to for incoming logstash http connections
     generate: expression
     from: "[a-zA-Z0-9]{32}"
-  - name: SEARCHGUARD_COOKIE_PASSWORD
-    description: Password to for searchguard cookies
+  - name: OPENDISTRO_SECURITY_COOKIE_PASSWORD
+    description: Password to for opendistro-security cookies
     generate: expression
     from: "[a-zA-Z0-9]{32}"
   - name: SAFE_BRANCH
@@ -76,6 +76,6 @@ objects:
 - kind: Secret
   apiVersion: v1
   metadata:
-    name: searchguard-cookie-password
+    name: opendistro-security-cookie-password
   stringData:
-    SEARCHGUARD_COOKIE_PASSWORD: ${SEARCHGUARD_COOKIE_PASSWORD}
+    OPENDISTRO_SECURITY_COOKIE_PASSWORD: ${OPENDISTRO_SECURITY_COOKIE_PASSWORD}

Makefile

@@ -190,8 +190,10 @@ build/athenapdf-service: images/athenapdf-service/Dockerfile
 
 elasticimages :=  elasticsearch__6 \
 								  elasticsearch__7 \
+								  elasticsearch__7.1 \
 									kibana__6 \
 									kibana__7 \
+									kibana__7.1 \
 									logstash__6 \
 									logstash__7
 
@@ -210,7 +212,7 @@ $(build-elasticimages): build/commons
 base-images-with-versions += $(elasticimages)
 s3-images += elasticimages
 
-build/elasticsearch__6 build/elasticsearch__7 build/kibana__6 build/kibana__7 build/logstash__6 build/logstash__7: images/commons
+build/elasticsearch__6 build/elasticsearch__7 build/elasticsearch__7.1 build/kibana__6 build/kibana__7 build/kibana__7.1 build/logstash__6 build/logstash__7: images/commons
 
 #######
 ####### Python Images
@@ -445,9 +447,9 @@ $(build-services-galera):
 
 # Dependencies of Service Images
 build/auth-server build/logs2slack build/logs2rocketchat build/openshiftbuilddeploy build/openshiftbuilddeploymonitor build/openshiftjobs build/openshiftjobsmonitor build/openshiftmisc build/openshiftremove build/rest2tasks build/webhook-handler build/webhooks2tasks build/api build/cli build/ui: build/yarn-workspace-builder
-build/logs2logs-db: build/logstash__6
-build/logs-db: build/elasticsearch__6
-build/logs-db-ui: build/kibana__6
+build/logs2logs-db: build/logstash__7
+build/logs-db: build/elasticsearch__7.1
+build/logs-db-ui: build/kibana__7.1
 build/logs-db-curator: build/curator
 build/auto-idler: build/oc
 build/storage-calculator: build/oc

docs/administering_lagoon/install.md

@@ -62,12 +62,12 @@ In order to use a local Lagoon to deploy itself on an OpenShift, we need a subse
 
 4.  As soon as the build is done, go to the `Application > Deployments` section of the OpenShift Project and you should see all the Lagoon Deployment Configs deployed and running. Also go to `Application > Routes` and click on the generated route for `rest2tasks` (for a local OpenShift this will be http://rest2tasks-lagoon-develop.192.168.99.100.xip.io/), if you get `welcome to rest2tasks` as result, you did everything correct, bravo!
 
-### Searchguard
+### OpendistroSecurity
 
-Once Lagoon is install operational you need to initialise Searchguard to allow Kibana multitenancy. This only needs to be run once in a new setup of lagoon.
+Once Lagoon is install operational you need to initialise OpendistroSecurity to allow Kibana multitenancy. This only needs to be run once in a new setup of lagoon.
 
 1. Open a shell of an elasticsearch pod in logs-db.
-2. run ./sgadmin_demo.sh
+2. run ./securityadmin_demo.sh
 
 ### Configure Installed Lagoon
 

images/elasticsearch/Dockerfile6

@@ -15,9 +15,7 @@ COPY --from=commons /home /home
 
 RUN curl -sL https://github.com/krallin/tini/releases/download/v0.18.0/tini -o /sbin/tini && chmod a+x /sbin/tini
 
-COPY peer-finder /bin/
-COPY configure-es.sh /lagoon/
-COPY docker-entrypoint.sh /lagoon/entrypoints/90-elasticsearch.sh
+COPY docker-entrypoint.sh.6 /lagoon/entrypoints/90-elasticsearch.sh
 
 RUN chmod g+w /etc/passwd \
     && mkdir -p /home

images/elasticsearch/Dockerfile7

@@ -15,9 +15,7 @@ COPY --from=commons /home /home
 
 RUN curl -sL https://github.com/krallin/tini/releases/download/v0.18.0/tini -o /sbin/tini && chmod a+x /sbin/tini
 
-COPY peer-finder /bin/
-COPY configure-es.sh /lagoon/
-COPY docker-entrypoint.sh /lagoon/entrypoints/90-elasticsearch.sh
+COPY docker-entrypoint.sh.7 /lagoon/entrypoints/90-elasticsearch.sh
 
 RUN chmod g+w /etc/passwd \
     && mkdir -p /home
@@ -33,28 +31,27 @@ ENV TMPDIR=/tmp \
     # When Bash is invoked as non-interactive (like `bash -c command`) it sources a file that is given in `BASH_ENV`
     BASH_ENV=/home/.bashrc
 
-RUN sed -i 's/discovery.zen.minimum_master_nodes: 1//' config/elasticsearch.yml
-
-RUN echo $'xpack.security.enabled: false\n\
-\n\
+RUN echo $'\n\
 node.name: "${HOSTNAME}"\n\
 node.master: "${NODE_MASTER}"\n\
 node.data: "${NODE_DATA}"\n\
 node.ingest: "${NODE_INGEST}"\n\
 node.ml: "${NODE_ML}"\n\
 xpack.ml.enabled: "${XPACK_ML_ENABLED}"\n\
-cluster.remote.connect: "${CLUSTER_REMOTE_CONNECT}"\n\
-discovery.zen.minimum_master_nodes: "${DISCOVERY_ZEN_MINIMUM_MASTER_NODES}"' >> config/elasticsearch.yml
+xpack.watcher.enabled: "${XPACK_WATCHER_ENABLED}"\n\
+xpack.security.enabled: "${XPACK_SECURITY_ENABLED}"\n\
+cluster.remote.connect: "${CLUSTER_REMOTE_CONNECT}"' >> config/elasticsearch.yml
 
 RUN fix-permissions config
 
-ENV ES_JAVA_OPTS="-Xms200m -Xmx200m" \
-    DISCOVERY_ZEN_MINIMUM_MASTER_NODES=1 \
+ENV ES_JAVA_OPTS="-Xms400m -Xmx400m" \
     NODE_MASTER=true \
     NODE_DATA=true \
     NODE_INGEST=true \
     NODE_ML=true \
     XPACK_ML_ENABLED=true \
+    XPACK_WATCHER_ENABLED=true \
+    XPACK_SECURITY_ENABLED=false \
     CLUSTER_REMOTE_CONNECT=true \
     EXTRA_OPTS=""
 

images/elasticsearch/Dockerfile7.1

@@ -0,0 +1,63 @@
+ARG IMAGE_REPO
+FROM ${IMAGE_REPO:-lagoon}/commons as commons
+FROM docker.elastic.co/elasticsearch/elasticsearch:7.1.1
+
+LABEL maintainer="amazee.io"
+ENV LAGOON=elasticsearch
+
+ARG LAGOON_VERSION
+ENV LAGOON_VERSION=$LAGOON_VERSION
+
+# Copy commons files
+COPY --from=commons /lagoon /lagoon
+COPY --from=commons /bin/fix-permissions /bin/ep /bin/docker-sleep /bin/
+COPY --from=commons /home /home
+
+RUN curl -sL https://github.com/krallin/tini/releases/download/v0.18.0/tini -o /sbin/tini && chmod a+x /sbin/tini
+
+COPY docker-entrypoint.sh.7 /lagoon/entrypoints/90-elasticsearch.sh
+
+RUN chmod g+w /etc/passwd \
+    && mkdir -p /home
+
+# Reproduce behavior of Alpine: Run Bash as sh
+RUN rm -f /bin/sh && ln -s /bin/bash /bin/sh
+
+ENV TMPDIR=/tmp \
+    TMP=/tmp \
+    HOME=/home \
+    # When Bash is invoked via `sh` it behaves like the old Bourne Shell and sources a file that is given in `ENV`
+    ENV=/home/.bashrc \
+    # When Bash is invoked as non-interactive (like `bash -c command`) it sources a file that is given in `BASH_ENV`
+    BASH_ENV=/home/.bashrc
+
+RUN echo $'\n\
+node.name: "${HOSTNAME}"\n\
+node.master: "${NODE_MASTER}"\n\
+node.data: "${NODE_DATA}"\n\
+node.ingest: "${NODE_INGEST}"\n\
+node.ml: "${NODE_ML}"\n\
+xpack.ml.enabled: "${XPACK_ML_ENABLED}"\n\
+xpack.watcher.enabled: "${XPACK_WATCHER_ENABLED}"\n\
+xpack.security.enabled: "${XPACK_SECURITY_ENABLED}"\n\
+cluster.remote.connect: "${CLUSTER_REMOTE_CONNECT}"' >> config/elasticsearch.yml
+
+RUN fix-permissions config
+
+ENV ES_JAVA_OPTS="-Xms400m -Xmx400m" \
+    NODE_MASTER=true \
+    NODE_DATA=true \
+    NODE_INGEST=true \
+    NODE_ML=true \
+    XPACK_ML_ENABLED=true \
+    XPACK_WATCHER_ENABLED=true \
+    XPACK_SECURITY_ENABLED=false \
+    CLUSTER_REMOTE_CONNECT=true \
+    EXTRA_OPTS=""
+
+
+VOLUME [ "/usr/share/elasticsearch/data" ]
+
+ENTRYPOINT ["/sbin/tini", "--", "/lagoon/entrypoints.bash"]
+
+CMD ["/usr/local/bin/docker-entrypoint.sh"]

images/elasticsearch/docker-entrypoint.sh → images/elasticsearch/docker-entrypoint.sh.6

@@ -12,9 +12,8 @@ if [ -z "$POD_NAMESPACE" ]; then
 else
   # Is running in Kubernetes/OpenShift, so find all other pods
   # belonging to the namespace
-  echo "Elasticsearch: Finding peers"
+  echo "Elasticsearch: Running in Kubernetes, setting up for clustering"
   K8S_SVC_NAME=$(hostname -f | cut -d"." -f2)
   echo "Using service name: ${K8S_SVC_NAME}"
-  # copy the pristine version to the one that can be edited
-  /usr/bin/peer-finder -on-start="/lagoon/configure-es.sh" -service=${K8S_SVC_NAME}
+  echo "discovery.zen.ping.unicast.hosts: ${K8S_SVC_NAME}" >> /usr/share/elasticsearch/config/elasticsearch.yml
 fi

images/elasticsearch/docker-entrypoint.sh.7

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+if [ ! -z "$EXTRA_OPTS" ]; then
+  echo -e "${EXTRA_OPTS}" >> /usr/share/elasticsearch/config/elasticsearch.yml
+fi
+
+if [ -z "$POD_NAMESPACE" ]; then
+  # Single container runs in docker
+  echo "POD_NAMESPACE not set, spin up single node"
+  sed -i 's/cluster.initial_master_nodes:.*//' /usr/share/elasticsearch/config/elasticsearch.yml
+  echo "cluster.initial_master_nodes: ${HOSTNAME}" >> /usr/share/elasticsearch/config/elasticsearch.yml
+else
+  # Is running in Kubernetes/OpenShift, so find all other pods
+  # belonging to the namespace
+  echo "Elasticsearch: Running in Kubernetes, setting up for clustering"
+  K8S_SVC_NAME=$(hostname -f | cut -d"." -f2)
+  echo "Using service name: ${K8S_SVC_NAME}"
+  sed -i 's/discovery.seed_hosts:.*//' /usr/share/elasticsearch/config/elasticsearch.yml
+  sed -i 's/cluster.initial_master_nodes:.*//' /usr/share/elasticsearch/config/elasticsearch.ym
+  echo "discovery.seed_hosts: ${K8S_SVC_NAME}" >> /usr/share/elasticsearch/config/elasticsearch.yml
+  echo "cluster.initial_master_nodes: ${K8S_SVC_NAME}-0" >> /usr/share/elasticsearch/config/elasticsearch.yml
+fi

images/kibana/Dockerfile7.1

@@ -0,0 +1,42 @@
+ARG IMAGE_REPO
+FROM ${IMAGE_REPO:-lagoon}/commons as commons
+FROM docker.elastic.co/kibana/kibana:7.1.1
+
+LABEL maintainer="amazee.io"
+ENV LAGOON=kibana
+
+USER root
+
+ARG LAGOON_VERSION
+ENV LAGOON_VERSION=$LAGOON_VERSION
+
+# Copy commons files
+COPY --from=commons /lagoon /lagoon
+COPY --from=commons /bin/fix-permissions /bin/ep /bin/docker-sleep /bin/
+COPY --from=commons /home /home
+
+RUN curl -sL https://github.com/krallin/tini/releases/download/v0.18.0/tini -o /sbin/tini && chmod a+x /sbin/tini
+
+RUN chmod g+w /etc/passwd \
+    && mkdir -p /home
+
+# Reproduce behavior of Alpine: Run Bash as sh
+RUN rm -f /bin/sh && ln -s /bin/bash /bin/sh
+
+ENV TMPDIR=/tmp \
+    TMP=/tmp \
+    HOME=/home \
+    # When Bash is invoked via `sh` it behaves like the old Bourne Shell and sources a file that is given in `ENV`
+    ENV=/home/.bashrc \
+    # When Bash is invoked as non-interactive (like `bash -c command`) it sources a file that is given in `BASH_ENV`
+    BASH_ENV=/home/.bashrc
+
+RUN fix-permissions /usr/share/kibana
+
+# tells the local development environment on which port we are running
+# ENV LAGOON_LOCALDEV_HTTP_PORT=5601
+
+ENV NODE_OPTIONS="--max-old-space-size=200"
+
+ENTRYPOINT ["/sbin/tini", "--", "/lagoon/entrypoints.bash"]
+CMD ["/bin/bash", "/usr/local/bin/kibana-docker"]

images/oc-build-deploy-dind/openshift-templates/elasticsearch-cluster/services.yml

@@ -44,6 +44,7 @@ objects:
       project: ${SAFE_PROJECT}
     name: ${SERVICE_NAME}
   spec:
+    publishNotReadyAddresses: true
     clusterIP: None
     ports:
     - name: 9200-tcp

node-packages/commons/src/local-logging.js

@@ -39,14 +39,14 @@ const logger = new winston.Logger({
       timestamp: true,
       handleExceptions: true,
     }),
-    new winston.transports.Logstash({
-      level: 'silly',
-      port: 28777,
-      host: 'logs2logs-db',
-      timeout_connect_retries: 1000, // if we loose connection to logstash, retry in 1 sec
-      max_connect_retries: 100000, // retry to connect to logstash for 100'000 times
-      node_name: packageName,
-    }),
+    // new winston.transports.Logstash({
+    //   level: 'silly',
+    //   port: 28777,
+    //   host: 'logs2logs-db',
+    //   timeout_connect_retries: 1000, // if we loose connection to logstash, retry in 1 sec
+    //   max_connect_retries: 100000, // retry to connect to logstash for 100'000 times
+    //   node_name: packageName,
+    // }),
   ],
 });
 

services/api/package.json

@@ -18,7 +18,7 @@
     "sync:gitlab:groups": "flow-node dist/gitlab-sync/groups",
     "sync:gitlab:projects": "flow-node dist/gitlab-sync/projects",
     "sync:gitlab:all": "yarn run sync:gitlab:users && yarn run sync:gitlab:groups && yarn run sync:gitlab:projects",
-    "sync:searchguard": "flow-node --max-http-header-size=80000 dist/helpers/sync-groups-searchguard"
+    "sync:opendistro-security": "flow-node --max-http-header-size=80000 dist/helpers/sync-groups-opendistro-security"
   },
   "keywords": [],
   "author": "amazee.io <hello@amazee.io> (http://www.amazee.io)",

services/api/src/clients/searchguardClient.js → services/api/src/clients/opendistroSecurityClient.js

@@ -3,10 +3,10 @@ const got = require('got');
 
 const { LOGSDB_ADMIN_PASSWORD } = process.env;
 
-const searchguardClient = got.extend({
-  baseUrl: 'http://logs-db:9200/_searchguard/api/',
+const opendistroSecurityClient = got.extend({
+  baseUrl: 'http://logs-db:9200/_opendistro/_security/api/',
   json: true,
   auth: `admin:${LOGSDB_ADMIN_PASSWORD || '<password not set>'}`,
 });
 
-module.exports = searchguardClient;
+module.exports = opendistroSecurityClient;

services/api/src/helpers/sync-groups-searchguard.ts → services/api/src/helpers/sync-groups-opendistro-security.ts

@@ -2,7 +2,7 @@ import * as R from 'ramda';
 import { logger } from '@lagoon/commons/src/local-logging';
 import { getSqlClient } from '../clients/sqlClient';
 import { Group } from '../models/group';
-import { SearchguardOperations } from '../resources/group/searchguard';
+import { OpendistroSecurityOperations } from '../resources/group/opendistroSecurity';
 import { keycloakAdminClient } from '../clients/keycloakClient';
 
 
@@ -47,7 +47,7 @@ const refreshToken = async keycloakAdminClient => {
     logger.debug(`Processing ${group.name}`);
     const projectIdsArray = await GroupModel.getProjectsFromGroupAndSubgroups(group)
     const projectIds = R.join(',')(projectIdsArray)
-    await SearchguardOperations(sqlClient, GroupModel).syncGroup(group.name, projectIds);
+    await OpendistroSecurityOperations(sqlClient, GroupModel).syncGroup(group.name, projectIds);
   }
 
   logger.info('Migration completed');