Change External-secrets structure and add oidc to kibana

2025-05-22 16:01:45 +03:00 · 2025-05-22 16:01:45 +03:00 · 7a0c80ba9b
commit 7a0c80ba9b
parent 6ae2f82e49
5 changed files with 44 additions and 7 deletions
--- a/charts/eck-resources/my-values/values-int.yaml
+++ b/charts/eck-resources/my-values/values-int.yaml
@ -1,2 +1,6 @@
 env: int
 host: kibana-int.dvirlabs.com
 oidc:
  existingSecret: kibana-oidc-secret
  realm: lab
--- a/charts/eck-resources/my-values/values-prod.yaml
+++ b/charts/eck-resources/my-values/values-prod.yaml
@ -1,2 +1,6 @@
 env: prod
 host: kibana.dvirlabs.com
 oidc:
  existingSecret: kibana-oidc-secret
  realm: lab
--- a/charts/eck-resources/templates/kibana.yaml
+++ b/charts/eck-resources/templates/kibana.yaml
@ -2,17 +2,28 @@ apiVersion: kibana.k8s.elastic.co/v1
 kind: Kibana
 metadata:
  name: kibana-{{ .Values.env }}
  namespace: monitoring
 spec:
  version: 8.12.0
  count: 1
  elasticsearchRef:
    name: elasticsearch-{{ .Values.env }}
  config:
-    server:
+    xpack.security.authc.providers:
-      basePath: ""
+      oidc.oidc1:
-      rewriteBasePath: false
+        order: 0
-      ssl:
+        realm: "keycloak"
-        enabled: false
+    xpack.security.authc.oidc.realms.keycloak:
      order: 0
      rp.client_id: "kibana"
      rp.response_type: "code"
      rp.redirect_uri: "https://{{ .Values.host }}/api/security/oidc/callback"
      rp.post_logout_redirect_uri: "https://{{ .Values.host }}"
      rp.client_secret: {{ (lookup "v1" "Secret" "monitoring" .Values.oidc.existingSecret).data.clientSecret | b64dec | quote }}
      idp.metadata_url: "https://keycloak.dvirlabs.com/realms/{{ .Values.oidc.realm }}/.well-known/openid-configuration"
      idp.entity_id: "https://keycloak.dvirlabs.com/realms/{{ .Values.oidc.realm }}"
      claim_patterns.principal: "preferred_username"
      claim_patterns.groups: "roles"
  http:
    tls:
      selfSignedCertificate:
--- a/manifests/external-secrets/grafana/external-secret.yaml
+++ b/manifests/external-secrets/grafana/external-secret.yaml
--- a/manifests/external-secrets/kibana/external-secret.yaml
+++ b/manifests/external-secrets/kibana/external-secret.yaml
@ -0,0 +1,18 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: kibana-oidc-secret
  namespace: monitoring
 spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: kibana-oidc-secret
    creationPolicy: Owner
  data:
    - secretKey: clientSecret
      remoteRef:
        key: secret/kibana/oidc
        property: clientSecret