Cherry-pick #16306 to 7.x: Enable keystore for autodiscover static configuration #18089

Merged
merged 5 commits into from
May 4, 2020

ChrsMark
Member

@ChrsMark ChrsMark commented Apr 29, 2020

Cherry-pick of PR #16306 to 7.x branch. Original message:

Close #12597.

What this PR does

This PR makes use of keystore for containers/pods that are autodiscovered with static configurations only. Hint based configuration should not have access to the keystore for security reasons.

How to test it manually

  1. Create the keystore to store the password for REDIS:
./metricbeat keystore create
Created metricbeat keystore
./metricbeat keystore add REDIS_PASSWORD
Enter value for REDIS_PASSWORD: 
Successfully updated the keystore
  2. Enable autodiscover with static template:
metricbeat.autodiscover:
  providers:
    - type: docker
      templates:
        - condition:
            contains:
              docker.container.image: redis
          config:
            - module: redis
              metricsets: ["info", "keyspace"]
              hosts: ["${data.host}:6379"]
              password: ${REDIS_PASSWORD}
  3. Start metricbeat
  4. Start a password-protected redis server in a container to be autodiscovered:
docker run -p 6379:6379 \
--entrypoint "redis-server" redis --appendonly yes --requirepass 'passpass'

Check that REDIS metrics are successfully collected.
Try to start REDIS with a different password so as to make Metricbeat fail.

Now check that hints-based autodiscovered containers do not have access to the keystore:

  1. Configure hints-based autodiscover:
metricbeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
  2. Check that hints have no access to the keystore:
docker run -p 6379:6379 \
-l co.elastic.metrics/module=redis \
-l co.elastic.metrics/metricsets=info \
-l co.elastic.metrics/password='${REDIS_PASSWORD}' \
-l co.elastic.metrics/hosts='${data.host}:6379' \
--entrypoint "redis-server" redis --appendonly yes --requirepass 'passpass'

You should see Metricbeat failing to access REDIS since the password is not retrievable.

cc: @exekias
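
The split described above (static templates may resolve keystore variables, hint-based configuration may not), as an added Go example that is not code from this PR or from Beats. `Expand`, `Origin` and the two sample maps are hypothetical names and constructed data; the only assumption is that `${...}` references are resolved per configuration value.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample data for this example; not taken from Beats.
var (
	keystore  = map[string]string{"REDIS_PASSWORD": "passpass"}
	eventData = map[string]string{"data.host": "172.17.0.2"}
	varRef    = regexp.MustCompile(`\$\{([^}]+)\}`)
)

// Origin records who wrote a configuration value (hypothetical type).
type Origin int

const (
	StaticTemplate Origin = iota // written by the operator in the Beat's config file
	Hint                         // read from container labels at discovery time
)

// Expand substitutes ${...} references in every value of cfg.
func Expand(cfg map[string]string, origin Origin) (map[string]string, error) {
	out := make(map[string]string, len(cfg))
	for field, raw := range cfg {
		var missing []string
		out[field] = varRef.ReplaceAllStringFunc(raw, func(m string) string {
			name := varRef.FindStringSubmatch(m)[1]
			if v, ok := eventData[name]; ok { // event fields: both origins
				return v
			}
			if v, ok := keystore[name]; ok && origin == StaticTemplate {
				return v // keystore entries: operator-written templates only
			}
			missing = append(missing, name)
			return m
		})
		if len(missing) > 0 { // fail closed; report the name, never a value
			return nil, fmt.Errorf("%s: cannot resolve %v", field, missing)
		}
	}
	return out, nil
}

func main() {
	cfg := map[string]string{"hosts": "${data.host}:6379", "password": "${REDIS_PASSWORD}"}
	fmt.Println(Expand(cfg, StaticTemplate))
	fmt.Println(Expand(cfg, Hint))
}
```
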

@ChrsMark ChrsMark requested a review from a team as a code owner April 29, 2020 13:10
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Apr 29, 2020
@ChrsMark ChrsMark added the Team:Platforms Label for the Integrations - Platforms team label Apr 29, 2020
@elasticmachine
Collaborator

Pinging @elastic/integrations-platforms (Team:Platforms)

@ChrsMark ChrsMark self-assigned this Apr 29, 2020
@ChrsMark ChrsMark requested review from a team April 29, 2020 13:11
@@ -263,6 +263,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add `replace` processor for replacing string values of fields. {pull}17342[17342]
- Add `urldecode` processor to for decoding URL-encoded fields. {pull}17505[17505]
- Add support for AWS IAM `role_arn` in credentials config. {pull}17658[17658] {issue}12464[12464]
- Add keystore support for autodiscover static configurations. {pull]16306[16306]
- Add Kerberos support to Elasticsearch output. {pull}17927[17927]
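Review bot: The keystore changelog entry is written as `{pull]16306[16306]`, with `]` where every other entry in this hunk uses `}`, so the `{pull}` attribute will not expand and the link will render as literal text; it should read `{pull}16306[16306]`. The hunk header also counts two added lines (6 to 8), so check that only the keystore entry is meant to land on 7.x with this backport.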
Contributor

leftover here

@elasticmachine
Collaborator

elasticmachine commented Apr 29, 2020

💔 Build Failed

Build stats

  • Build Cause: [Started by user Chris Mark, Replayed Random Crashes #6]

  • Start Time: 2020-05-04T07:09:26.637+0000

  • Duration: 69 min 58 sec (4138223)

  • Commit: 846cc85

Test stats 🧪

Test Results
Failed 0
Passed 5825
Skipped 904
Total 6729

Steps errors

  • Name: Make -C generator/_templates/metricbeat test
    • Description: make -C generator/_templates/metricbeat test

    • Result: FAILURE

    • Duration: 2 min 51 sec

    • Start Time: 2020-05-04T07:37:23.922+0000

Log output

Expand to view the last 100 lines of log output

@ChrsMark
Member Author

I think I will include the "reverted" changes for the broken docs after #18097 is merged to master.

@ChrsMark
Member Author

Removed docs changes that were reverted on #18097.

@andresrc andresrc removed the needs_team Indicates that the issue/PR needs a Team:* label label May 2, 2020
@ChrsMark
Member Author

ChrsMark commented May 4, 2020

jenkins, test this please

@ChrsMark ChrsMark merged commit e5279ae into elastic:7.x May 4, 2020
Labels
backport review Team:Platforms Label for the Integrations - Platforms team