[RORDEV-616] simplified ECK example (#1036)

.gitignore

@@ -59,4 +59,5 @@ docker-envs/build-ror-in-docker/builds/
 docker-envs/misc-clusters/ror-with-elastic-cloud-poc/certs-generator/ouput/*
 docker-envs/misc-clusters/ror-with-elastic-cloud-poc/certs-generator/input/*
 docker-envs/misc-clusters/ror-with-elastic-cloud-poc/certs/*
+docker-envs/eck/kind-cluster/subst-ror
 **/.base

docker-envs/eck/eck-ror-bootstrap.sh

@@ -1,30 +1,99 @@
-#!/bin/bash -e
+#!/usr/bin/env bash
+set -e
 
-if ! command -v kind &> /dev/null
-then
-    echo "Cannot find 'kind' tool. Please follow the installation steps: https://github.com/kubernetes-sigs/kind#installation-and-usage" 
-    exit 1
+cd "$(dirname "$0")"
+
+if ! command -v kind &> /dev/null; then
+  echo "Cannot find 'kind' tool. Please follow the installation steps: https://github.com/kubernetes-sigs/kind#installation-and-usage"
+  exit 1
 fi
 
-if ! command -v docker &> /dev/null
-then
+if ! command -v docker &> /dev/null; then
   echo "Cannot find 'docker'. Please follow the installation steps: https://docs.docker.com/engine/install/"
   exit 2
 fi
 
+show_help() {
+  echo "Usage: ./eck-ror-bootstrap.sh --es <elasticsearch_version> --kbn <kibana_version> --eck <eck_version>"
+  exit 1
+}
+
+export ES_VERSION=""
+export KBN_VERSION=""
+export ECK_VERSION="2.13.0"
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+  --es)
+    if [[ -n $2 && $2 != --* ]]; then
+      ES_VERSION="$2"
+      shift 2
+    else
+      echo "Error: --es requires a version argument"
+      show_help
+    fi
+    ;;
+  --kbn)
+    if [[ -n $2 && $2 != --* ]]; then
+      KBN_VERSION="$2"
+      shift 2
+    else
+      echo "Error: --kbn requires a version argument"
+      show_help
+    fi
+    ;;
+  --eck)
+      if [[ -n $2 && $2 != --* ]]; then
+        ECK_VERSION="$2"
+        shift 2
+      else
+        echo "Error: --eck requires a version argument"
+        show_help
+      fi
+      ;;
+  *)
+    echo "Unknown option: $1"
+    show_help
+    ;;
+  esac
+done
+
+if [[ -z $ES_VERSION || -z $KBN_VERSION ]]; then
+  echo "Error: Both --es and --kbn arguments are required"
+  show_help
+fi
+
 echo "CONFIGURING K8S CLUSTER ..."
 kind create cluster --name ror-eck --config kind-cluster/kind-cluster-config.yml
 docker exec ror-eck-control-plane /bin/bash -c "sysctl -w vm.max_map_count=262144"
 docker exec ror-eck-worker        /bin/bash -c "sysctl -w vm.max_map_count=262144"
 docker exec ror-eck-worker2       /bin/bash -c "sysctl -w vm.max_map_count=262144"
 
-echo "CONFIGURING ECK ..."
+echo "CONFIGURING ECK $ECK_VERSION ..."
 docker cp kind-cluster/bootstrap-eck.sh ror-eck-control-plane:/
 docker exec ror-eck-control-plane chmod +x bootstrap-eck.sh
-docker exec ror-eck-control-plane ./bootstrap-eck.sh
+docker exec ror-eck-control-plane bash -c "export ECK_VERSION=$ECK_VERSION && ./bootstrap-eck.sh"
+
+echo "CONFIGURING ES $ES_VERSION AND KBN $KBN_VERSION WITH ROR ..."
+
+SUBSTITUTED_DIR="kind-cluster/subst-ror"
+cleanup() {
+  rm -rf "$SUBSTITUTED_DIR"
+}
+
+trap cleanup EXIT
+mkdir -p "$SUBSTITUTED_DIR"
+
+for file in kind-cluster/ror/*.yml; do
+  FILENAME=$(basename "$file")
+  if [[ "$FILENAME" == "es.yml" || "$FILENAME" == "kbn.yml" ]]; then
+    envsubst < "$file" > "$SUBSTITUTED_DIR/$FILENAME"
+  else
+    cp "$file" "$SUBSTITUTED_DIR"
+  fi
+done
 
-echo "CONFIGURING ES AND KBN WITH ROR ..."
-docker cp kind-cluster/ror ror-eck-control-plane:/
+docker cp "$SUBSTITUTED_DIR" ror-eck-control-plane:/ror/
 docker exec ror-eck-control-plane bash -c 'cd ror && ls | xargs -n 1 kubectl apply -f'
 
 echo ""

docker-envs/eck/eck-ror-cleanup.sh

@@ -1,3 +1,6 @@
-#!/bin/bash -e
+#!/usr/bin/env bash
+set -e
+
+cd "$(dirname "$0")"
 
 kind delete cluster --name ror-eck

docker-envs/eck/kind-cluster/bootstrap-eck.sh

@@ -1,4 +1,11 @@
 #!/bin/bash -e
 
-kubectl create -f https://download.elastic.co/downloads/eck/2.10.0/crds.yaml
-kubectl apply -f https://download.elastic.co/downloads/eck/2.10.0/operator.yaml
+cd "$(dirname "$0")"
+
+if [[ -z "$ECK_VERSION" ]]; then
+  echo "ECK_VERSION is not defined"
+  exit 1
+fi
+
+kubectl create -f "https://download.elastic.co/downloads/eck/$ECK_VERSION/crds.yaml"
+kubectl apply -f "https://download.elastic.co/downloads/eck/$ECK_VERSION/operator.yaml"

docker-envs/eck/kind-cluster/ror/es.yml

@@ -3,17 +3,22 @@ kind: Elasticsearch
 metadata:
   name: quickstart
 spec:
-  version: 8.11.3
+  version: ${ES_VERSION}
+  image: beshultd/elasticsearch-readonlyrest:${ES_VERSION}-ror-latest
   nodeSets:
     - name: default
       count: 2
       podTemplate:
         spec:
-          securityContext:
-            runAsUser: 1000
           containers:
             - name: elasticsearch
+              securityContext:
+                runAsNonRoot: false
+                runAsUser: 0
+                runAsGroup: 0
               env:
+                - name: I_UNDERSTAND_IMPLICATION_OF_ES_PATCHING
+                  value: "yes"
                 - name: INTERNAL_USR_PASS
                   valueFrom:
                     secretKeyRef:
@@ -29,55 +34,19 @@ spec:
                     secretKeyRef:
                       name: quickstart-kibana-user
                       key: token
-                - name: ES_JAVA_OPTS
-                  value: -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8888
+                - name: ADMIN_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: admin-password-secret
+                      key: ADMIN_PASSWORD
               volumeMounts:
-                - name: elasticsearch-modules
-                  mountPath: /usr/share/elasticsearch/modules
-                - name: elasticsearch-lib
-                  mountPath: /usr/share/elasticsearch/lib
                 - name: config-ror
                   mountPath: /usr/share/elasticsearch/config/readonlyrest.yml
                   subPath: readonlyrest.yml
                 - name: config-log4j2
                   mountPath: /usr/share/elasticsearch/config/log4j2.properties
                   subPath: log4j2.properties
-          initContainers:
-            - name: sysctl
-              securityContext:
-                runAsUser: 0
-                privileged: true
-              command: [ 'sh', '-c', 'sysctl -w vm.max_map_count=262144' ]
-            - name: install-ror-es-plugin
-              securityContext:
-                allowPrivilegeEscalation: false
-                runAsUser: 0
-              command:
-                - "/bin/bash"
-                - "-c"
-                - |
-                  set -e
-                  
-                  /usr/share/elasticsearch/bin/elasticsearch-plugin install --batch "https://api.beshu.tech/download/es?edition=es&esVersion=$ES_VERSION&email=eck-example%40readonlyrest.com"
-                  /usr/share/elasticsearch/jdk/bin/java -jar /usr/share/elasticsearch/plugins/readonlyrest/ror-tools.jar patch
-                  
-                  cp -r /usr/share/elasticsearch/modules /target/usr/share/elasticsearch
-                  cp -r /usr/share/elasticsearch/lib /target/usr/share/elasticsearch
-              env:
-                - name: ES_VERSION
-                  valueFrom:
-                    fieldRef:
-                      fieldPath: metadata.labels['elasticsearch.k8s.elastic.co/version']
-              volumeMounts:
-                - name: elasticsearch-modules
-                  mountPath: /target/usr/share/elasticsearch/modules
-                - name: elasticsearch-lib
-                  mountPath: /target/usr/share/elasticsearch/lib
           volumes:
-            - name: elasticsearch-modules
-              emptyDir: { }
-            - name: elasticsearch-lib
-              emptyDir: { }
             - name: config-ror
               configMap:
                 name: config-readonlyrest.yml

docker-envs/eck/kind-cluster/ror/kbn.yml

@@ -3,7 +3,8 @@ kind: Kibana
 metadata:
   name: quickstart
 spec:
-  version: 8.11.3
+  version: ${KBN_VERSION}
+  image: beshultd/kibana-readonlyrest:${KBN_VERSION}-ror-latest
   count: 2
   elasticsearchRef:
     name: quickstart
@@ -14,55 +15,13 @@ spec:
   podTemplate:
     spec:
       securityContext:
-        runAsUser: 1000
+        runAsNonRoot: false
+        runAsUser: 0
+        runAsGroup: 0
       containers:
         - name: kibana
-          volumeMounts:
-            - name: kibana-plugins
-              mountPath: /usr/share/kibana/plugins
-            - name: kibana-node-modules-kbn
-              mountPath: /usr/share/kibana/node_modules/@kbn
-            - name: kibana-src
-              mountPath: /usr/share/kibana/src
-            - name: kibana-xpack-plugins
-              mountPath: /usr/share/kibana/x-pack/plugins
-      initContainers:
-        - name: install-ror-kbn-plugin
-          securityContext:
-            allowPrivilegeEscalation: false
-            runAsUser: 0
-          command:
-            - "/bin/bash"
-            - "-c"
-            - |
-              set -e
-              
-              /usr/share/kibana/bin/kibana-plugin install "https://api.beshu.tech/download/kbn?esVersion=$KBN_VERSION&edition=kbn_universal&email=eck-example%40readonlyrest.com"
-              /usr/share/kibana/node/bin/node /usr/share/kibana/plugins/readonlyrestkbn/ror-tools.js patch
-              
-              cp -r /usr/share/kibana/node_modules/@kbn /target/usr/share/kibana/node_modules
-              cp -r /usr/share/kibana/src /target/usr/share/kibana
-              cp -r /usr/share/kibana/x-pack/plugins /target/usr/share/kibana/x-pack
           env:
-            - name: KBN_VERSION
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.labels['kibana.k8s.elastic.co/version']
-          volumeMounts:
-            - name: kibana-plugins
-              mountPath: /usr/share/kibana/plugins
-            - name: kibana-node-modules-kbn
-              mountPath: /target/usr/share/kibana/node_modules/@kbn
-            - name: kibana-src
-              mountPath: /target/usr/share/kibana/src
-            - name: kibana-xpack-plugins
-              mountPath: /target/usr/share/kibana/x-pack/plugins
-      volumes:
-        - name: kibana-plugins
-          emptyDir: { }
-        - name: kibana-node-modules-kbn
-          emptyDir: { }
-        - name: kibana-src
-          emptyDir: { }
-        - name: kibana-xpack-plugins
-          emptyDir: { }
+            - name: ROR_ACTIVATION_KEY
+              value: "<YOUR_ACTIVATION_KEY/>"
+            - name: I_UNDERSTAND_IMPLICATION_OF_KBN_PATCHING
+              value: "yes"

docker-envs/eck/kind-cluster/ror/log4j2.properties.yml

@@ -69,7 +69,9 @@ data:
     
     appender.header_warning.type = HeaderWarningAppender
     appender.header_warning.name = header_warning
-
+  
+    logger.ror.name=tech.beshu.ror.accesscontrol
+    logger.ror.level=info
 kind: ConfigMap
 metadata:
   name: config-log4j2.properties.yml

docker-envs/eck/kind-cluster/ror/ror-initial-config.yml

@@ -20,14 +20,7 @@ data:
 
        - name: "Admin access"
          type: allow
-         auth_key: "admin:admin"
-     
-       - name: "User 1"
-         type: allow
-         auth_key: "user1:test"
-         indices: ["kibana_sample*"]
-         kibana:
-           access: ro
+         auth_key: "admin:${ADMIN_PASSWORD}"
 
 kind: ConfigMap
 metadata:

docker-envs/eck/kind-cluster/ror/secrets.yml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: admin-password-secret
+type: Opaque
+data:
+  ADMIN_PASSWORD: YWRtaW4=

docker-envs/eck/readme.md

@@ -1,13 +1,20 @@
 # README
 
-0. Requirements:
-    * docker installed
-    * kind tool installed (https://github.com/kubernetes-sigs/kind)
-
-1. Running the ECK+ROR PoC: `$ ./eck-ror-bootstrap.sh`
+## Requirements:
+* docker installed
+* kind tool installed (https://github.com/kubernetes-sigs/kind)
+
+## RUNNING
+1. Running the ECK+ROR PoC: `$ ./eck-ror-bootstrap.sh --es <ES_VESION> --kbn <KBN_VERSION>` 
+   (you can pick ECK version by adding optional --eck <ECK_VERSION> param)
 
 2. Log into Kibana `https://localhost:15601` using given credentials:
     * `admin:admin` (admin user)
-    * `user1:test` (RO user)
 
 3. Clean after playing with the PoC: `$ ./eck-ror-cleanup.sh`
+
+## CUSTOMIZING
+* if you have a PRO or ENTERPRISE ROR license (you can obtain one in [Customer Portal](https://readonlyrest.com/customer)) you
+   can set it in `kind-cluster/ror/kbn.yml`
+* initial ROR settings (when you have a PRO or ENTERPRISE ROR license you can change the ROR settings in the Admin UI) 
+   can be changed in `kind-cluster/ror/ror-initial-config.yml`