Merge pull request #98 from upmc-enterprises/kibanaTLS

Generate certs for Kibana automatically

pkg/k8sutil/certs.go

@@ -108,6 +108,27 @@ func (k *K8sutil) generateConfig(configDir, certsDir, namespace, clusterName str
 		},
 	}
 
+	reqKibanaCSR := csr{
+		CN: "kibana",
+		Hosts: []string{
+			"localhost",
+			fmt.Sprintf("kibana-%s", clusterName),
+			fmt.Sprintf("%s.%s", fmt.Sprintf("kibana-%s", clusterName), namespace),
+			fmt.Sprintf("%s.%s.svc.cluster.local", fmt.Sprintf("kibana-%s", clusterName), namespace),
+		},
+		Key: key{
+			Algo: "rsa",
+			Size: 2048,
+		},
+		Names: []names{
+			names{
+				O:  "autogenerated",
+				OU: "elasticsearch cluster",
+				L:  "operator",
+			},
+		},
+	}
+
 	caCSR := csr{
 		Hosts: []string{
 			"localhost",
@@ -144,6 +165,13 @@ func (k *K8sutil) generateConfig(configDir, certsDir, namespace, clusterName str
 		logrus.Error(err)
 	}
 
+	reqKibanaCSRJSON, _ := json.Marshal(reqKibanaCSR)
+	f, err = os.Create(fmt.Sprintf("%s/req-kibana-csr.json", configDir))
+	_, err = f.Write(reqKibanaCSRJSON)
+	if err != nil {
+		logrus.Error(err)
+	}
+
 	reqCACSRJSON, _ := json.Marshal(caCSR)
 	f, err = os.Create(fmt.Sprintf("%s/ca-csr.json", configDir))
 	_, err = f.Write(reqCACSRJSON)
@@ -181,6 +209,15 @@ func (k *K8sutil) GenerateCerts(configDir, certsDir, namespace, clusterName stri
 		logrus.Error(err)
 	}
 
+	// Generate Kibana Cert
+	logrus.Info("Creating kibana cert...")
+	cmdKibana1 := exec.Command("cfssl", "gencert", "-ca", fmt.Sprintf("%s/ca.pem", certsDir), "-ca-key", fmt.Sprintf("%s/ca-key.pem", certsDir), "-config", fmt.Sprintf("%s/ca-config.json", configDir), "-profile=server", fmt.Sprintf("%s/req-kibana-csr.json", configDir))
+	cmdKibana2 := exec.Command("cfssljson", "-bare", fmt.Sprintf("%s/kibana", certsDir))
+	_, err = pipeCommands(cmdKibana1, cmdKibana2)
+	if err != nil {
+		logrus.Error(err)
+	}
+
 	logrus.Info("Converting node to pkcs12...")
 	cmdConvertNode := exec.Command("openssl", "pkcs12", "-export", "-inkey", fmt.Sprintf("%s/node-key.pem", certsDir), "-in", fmt.Sprintf("%s/node.pem", certsDir), "-out", fmt.Sprintf("%s/node.pkcs12", certsDir), "-password", "pass:changeit", "-certfile", fmt.Sprintf("%s/ca.pem", certsDir))
 	out, err := cmdConvertNode.Output()
@@ -241,6 +278,8 @@ func (k *K8sutil) CreateCertsSecret(namespace, clusterName, certsDir string) err
 	caKey, _ := ioutil.ReadFile(fmt.Sprintf("%s/ca-key.pem", certsDir))
 	node, _ := ioutil.ReadFile(fmt.Sprintf("%s/node.pem", certsDir))
 	nodeKey, _ := ioutil.ReadFile(fmt.Sprintf("%s/node-key.pem", certsDir))
+	kibanaKey, _ := ioutil.ReadFile(fmt.Sprintf("%s/kibana-key.pem", certsDir))
+	kibana, _ := ioutil.ReadFile(fmt.Sprintf("%s/kibana.pem", certsDir))
 
 	secret := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
@@ -253,6 +292,8 @@ func (k *K8sutil) CreateCertsSecret(namespace, clusterName, certsDir string) err
 			"ca-key.pem":        caKey,
 			"node.pem":          node,
 			"node-key.pem":      nodeKey,
+			"kibana-key.pem":    kibanaKey,
+			"kibana.pem":        kibana,
 		},
 	}
 

pkg/k8sutil/deployments.go

@@ -321,6 +321,18 @@ func (k *K8sutil) CreateKibanaDeployment(baseImage, clusterName, namespace strin
 										Name:  "ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES",
 										Value: "/elasticsearch/config/certs/ca.pem",
 									},
+									v1.EnvVar{
+										Name:  "SERVER_SSL_ENABLED",
+										Value: "true",
+									},
+									v1.EnvVar{
+										Name:  "SERVER_SSL_KEY",
+										Value: "/elasticsearch/config/certs/kibana-key.pem",
+									},
+									v1.EnvVar{
+										Name:  "SERVER_SSL_CERTIFICATE",
+										Value: "/elasticsearch/config/certs/kibana.pem",
+									},
 									v1.EnvVar{
 										Name:  "NODE_DATA",
 										Value: "false",