[Internal]: Cross-reference Kibana secure settings docs for ECK

[emrcbrn]

Description

Currently it is unclear which Secure settings are automatically generated by the ECK operator for Kibana and a user should verify various documentation pages to determine which ones are generated automatically but also which ones should be manually created for production use-cases.

Resources

• This is where it is correctly documented which settings are automatically generated: https://www.elastic.co/docs/deploy-manage/deploy/cloud-on-k8s/k8s-kibana-advanced-configuration#k8s-kibana-scaling
• This is the documentation for Secure settings on ECK: https://www.elastic.co/docs/deploy-manage/security/k8s-secure-settings
• This is the Kibana Saved Object guidance, containing some information referencing Secure key rotation for instance: https://www.elastic.co/docs/deploy-manage/security/secure-saved-objects

The documentation should be aligned & clarified to ensure users are aware of which settings are to be manually set or which ones are automatically generated in case they aren't set.

Which documentation set does this change impact?

Elastic On-Prem only

Feature differences

N/A

What release is this request related to?

N/A

Serverless release

N/A

Collaboration model

The documentation team

Point of contact.

Main contact: @emrcbrn

Stakeholders: N/A

[eedugon]

thanks for raising this @emrcbrn !

I agree we need to give better visibility to the settings mentioned in https://www.elastic.co/docs/deploy-manage/deploy/cloud-on-k8s/k8s-kibana-advanced-configuration#k8s-kibana-scaling

• xpack.security.encryptionKey
• xpack.reporting.encryptionKey
• xpack.encryptedSavedObjects.encryptionKey

The explanation about ECK handling those only appears in a doc about "scaling Kibana", and that's an issue.

Main objective:
> Ensure users are aware of which settings are to be manually set or which ones are automatically generated in case they aren't set.

Action items:

• [important] - Make a note or include the information about those 3 settings being handled by ECK in https://www.elastic.co/docs/deploy-manage/security/k8s-secure-settings#k8s-kibana-secure-settings

^^ Interestingly the example we share in the previous doc is for the user to set xpack.security.encryptionKey, and that's one of the settings that is managed by ECK automatically (i'm going to clarify with devs if both approaches are supported, ECK handling them and the user setting them so we can clarify it in the docs).

• About key rotation (https://www.elastic.co/docs/deploy-manage/security/secure-saved-objects#encryption-key-rotation), I'm going to check if ECK already takes care of it and / or if the user could configure it without conflicting with the ECK orchestrated config.

I'll update the list of action items as soon as I finalize the analysis.

Update - Responses from ECK team:

• User defined settings always take precedence in ECK so it is possible to override/manually configure the encryption keys. It can even be advisable to do so if the user has a better persistence story for those important keys than ECK currently has.

• ECK stores the keys in a Kubernetes secret. If the secret is deleted by accident the keys are lost and there is no backup.

If a user wants to follow the key rotation best practice shared there.... are they allowed?

ECK currently does not implement key rotation. So it would be up to the user to move the old keys to the decryptionOnlyKeys, etc.