using fluentd and prometheus user and roles for elasticsearch

ansible/vars/vault.yml

@@ -37,7 +37,7 @@ vault:
   # elastic search
   elasticsearch:
     elastic:
-      user: elastic
+      user: admin
       password: s1cret0
   # Fluentd
   fluentd:

ansible/vars/vault.yml.j2

@@ -38,7 +38,7 @@ vault:
   # elasticsearch and fluentd
   logging:
     elastic:
-      user: elastic
+      user: admin
       password: {{ elasticsearch_admin_password }}
     fluentd:
       shared_key: {{ fluentd_shared_key }}

argocd/system/logging/templates/elasticsearch-fluentd-role.yaml

@@ -0,0 +1,19 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  name: es-fluentd-roles-secret
+stringData:
+  roles.yml: |-
+    fluentd_role:
+      cluster: ['manage_index_templates', 'monitor', 'manage_ilm']
+      indices:
+      - names: [ '*' ]
+        privileges: [
+          'indices:admin/create',
+          'write',
+          'create',
+          'delete',
+          'create_index',
+          'manage',
+          'manage_ilm'
+        ]

argocd/system/logging/templates/elasticsearch-fluentd-secret.yaml

@@ -0,0 +1,10 @@
+{{- $passwordValue := (randAlphaNum 16) | b64enc | quote }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: es-fluentd-user-file-realm
+type: kubernetes.io/basic-auth
+data:
+  username: {{ "fluentd" | b64enc }}
+  password: {{ $passwordValue }}
+  roles: {{ "fluentd_role" | b64enc }}

argocd/system/logging/templates/elasticsearch-prometheus-role.yaml

@@ -0,0 +1,17 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  name: es-prometheus-roles-secret
+stringData:
+  roles.yml: |-
+    prometheus_role:
+      cluster: [
+        'cluster:monitor/health',
+        'cluster:monitor/nodes/stats',
+        'cluster:monitor/state',
+        'cluster:monitor/nodes/info',
+        'cluster:monitor/prometheus/metrics'
+      ] 
+      indices:
+      - names: [ '*' ]
+        privileges: [ 'indices:admin/aliases/get', 'indices:admin/mappings/get', 'indices:monitor/stats', 'indices:data/read/search' ]

argocd/system/logging/templates/elasticsearch-prometheus-secret.yaml

@@ -0,0 +1,10 @@
+{{- $passwordValue := (randAlphaNum 16) | b64enc | quote }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: es-prometheus-user-file-realm
+type: kubernetes.io/basic-auth
+data:
+  username: {{ "prometheus" | b64enc }}
+  password: {{ $passwordValue }}
+  roles: {{ "prometheus_role" | b64enc }}

argocd/system/logging/templates/elasticsearch.yaml

@@ -10,8 +10,14 @@ spec:
       selfSignedCertificate:
         disabled: true
   auth:
+    roles:
+    - secretName: es-fluentd-roles-secret
+    - secretName: es-prometheus-roles-secret
+    - secretName: my-roles-secret
     fileRealm:
     - secretName: es-admin-user-file-realm
+    - secretName: es-fluentd-user-file-realm
+    - secretName: es-prometheus-user-file-realm
   nodeSets:
     - name: default
       count: {{ .Values.elasticsearch.clusterNodes }}

argocd/system/logging/values.yaml

@@ -215,13 +215,13 @@ fluentd:
     - name: FLUENT_ELASTICSEARCH_USER
       valueFrom:
         secretKeyRef:
-          name: "es-admin-user-file-realm"
+          name: "es-fluentd-user-file-realm"
           key: username
     # Elastic operator stores elastic user password in a secret
     - name: FLUENT_ELASTICSEARCH_PASSWORD
       valueFrom:
         secretKeyRef:
-          name: "es-admin-user-file-realm"
+          name: "es-fluentd-user-file-realm"
           key: password
     # Fluentd forward security
     - name: FLUENTD_FORWARD_SEC_SHARED_KEY
@@ -703,10 +703,10 @@ prometheus-elasticsearch-exporter:
   # Elastic search passord from secret
   extraEnvSecrets:
     ES_USERNAME:
-      secret: es-admin-user-file-realm
+      secret: es-prometheus-user-file-realm
       key: username
     ES_PASSWORD:
-      secret: es-admin-user-file-realm
+      secret: es-prometheus-user-file-realm
       key: password
 
   # Elastic search URI