{"id":530,"date":"2021-06-02T17:51:07","date_gmt":"2021-06-02T17:51:07","guid":{"rendered":"https:\/\/cloudspert.com\/?p=530"},"modified":"2025-03-13T00:33:56","modified_gmt":"2025-03-13T00:33:56","slug":"opendistro-with-keycloak","status":"publish","type":"post","link":"https:\/\/cloudspert.com\/?p=530","title":{"rendered":"OpenDistro with Keycloak"},"content":{"rendered":"<figure><img decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/746\/1*5owUByvOrUXktFI7JwujUw.png\"\/><figcaption>Source <a href=\"https:\/\/logz.io\/\">https:\/\/logz.io<\/a><\/figcaption><\/figure>\n<h3>OpenDistro with\u00a0OpenID<\/h3>\n<p>After Elastic changed its license from the open-source <a href=\"https:\/\/www.apache.org\/licenses\/LICENSE-2.0\">Apache 2.0 license (ALv2)<\/a> to the non-open-source <a href=\"https:\/\/www.mongodb.com\/licensing\/server-side-public-license\">Server Side Public License (SSPL)<\/a>, AWS launched a fork of both Elasticsearch and Kibana. This set off a public war of words between AWS and Elastic; you can read all about it\u00a0<a href=\"https:\/\/www.zdnet.com\/article\/aws-as-predicted-is-forking-elasticsearch\/\">here<\/a>.<\/p>\n<p>This article installs and runs OpenDistro for Elasticsearch on Kubernetes with OpenID Connect authentication, using Keycloak as the identity provider and Helm to deploy the chart.<\/p>\n<p><strong><em>Note:<\/em><\/strong> This article does not cover installing Keycloak; that will be the subject of another\u00a0article.<\/p>\n<h4>Requirements<\/h4>\n<ul>\n<li>Helm<\/li>\n<li>Kubernetes with persistent storage<\/li>\n<\/ul>\n<h3>Keycloak<\/h3>\n<p>Keycloak is an open source Identity and Access Management solution for applications and services. 
Applications delegate both authentication and authorization to Keycloak, which makes it possible to secure them with little or no\u00a0code.<\/p>\n<p>Keycloak speaks two protocols:<\/p>\n<ul>\n<li>SAML<\/li>\n<li>OpenID Connect<\/li>\n<\/ul>\n<p>For more information on these protocols go\u00a0<a href=\"https:\/\/www.keycloak.org\/docs\/latest\/securing_apps\/#supported-protocols\">here<\/a>.<\/p>\n<p>In this example we\u2019ll be using OpenID Connect. To configure Keycloak, follow these steps:<\/p>\n<p>Create a new realm. You can use the master realm or an existing one; in this article all of the configuration is created under a realm named opendistro.<\/p>\n<figure><img decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*iHDKLg4QrZEVFr1WrIHZ9w.png\"\/><figcaption>Create a\u00a0realm<\/figcaption><\/figure>\n<p>Create a new client named kibana-sso and add the URL of Kibana as a valid redirect URI. After login, Keycloak only sends the browser back to a URL in that list, so enter the exact Kibana origin rather than a wildcard.<\/p>\n<figure><img decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*UJEkPiABocFOTbWdKTmFAw.png\"\/><figcaption>Create kibana\u00a0client<\/figcaption><\/figure>\n<p>Change the access type from public to confidential and click save. A confidential client must present its client secret when it exchanges the authorization code for tokens, so only Kibana, which holds the secret, can complete a login with this client; by default the access type is\u00a0public.<\/p>\n<figure><img decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*8IRkpDBKEJhmnh8xhBR-0Q.png\"\/><figcaption>Change the access type to confidential<\/figcaption><\/figure>\n<p>After clicking save, a new <strong><em>credentials<\/em><\/strong> tab appears; save the <strong><em>Secret<\/em><\/strong> value for\u00a0later.<\/p>\n<figure><img decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*Ln0UCwhGIklHVotVNp76kg.png\"\/><figcaption>kibana secret<\/figcaption><\/figure>\n<p>Create a new realm role. The role name must map to an existing role in Elasticsearch, because the names carried in the token\u2019s roles claim are treated as backend roles on the Elasticsearch side. Create another role named <strong><em>all_access<\/em><\/strong>.<\/p>\n<p><strong><em>Note:<\/em><\/strong> out of the box Keycloak only places realm roles in the nested <em>realm_access.roles<\/em> claim, while the Elasticsearch configuration later in this article reads a top-level <em>roles<\/em> claim from the ID token (<em>roles_key: roles<\/em>). Add a <em>User Realm Role<\/em> protocol mapper to the kibana-sso client with Token Claim Name <em>roles<\/em> and <em>Add to ID token<\/em> enabled; otherwise users log in successfully but arrive with no roles.<\/p>\n<figure><img decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*yVhEd4ORbLZgcvC8bXP_PA.png\"\/><figcaption>Create an admin\u00a0role<\/figcaption><\/figure>\n<p>Create a new\u00a0user<\/p>\n<figure><img decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*oGJzhXUiFOV_ymInG59BfQ.png\"\/><figcaption>Create a new user\u00a0<strong>user1<\/strong><\/figcaption><\/figure>\n<p>Assign the roles to the created\u00a0user.<\/p>\n<figure><img decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*Gdv3IarRUhKWmZJPIv3RRg.png\"\/><figcaption>Add roles to the user\u00a0<strong>user1<\/strong><\/figcaption><\/figure>\n<h3>Configure OpenDistro<\/h3>\n<h4>Create TLS certificates<\/h4>\n<p>Deploying the OpenDistro chart requires certificates for the transport traffic (the node-to-node traffic between, for example, a master node and a data node); the chart does not start without them. Kibana also needs a certificate for its Ingress. To generate the certificates, follow the steps\u00a0below.<\/p>\n<ol>\n<li>Create the root\u00a0CA<\/li>\n<\/ol>\n<pre># the root key signs everything else: keep it off the cluster and out of version control<br \/>openssl genrsa -out root-ca-key.pem 4096<br \/>openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -days 365<\/pre>\n<p>You can change the validity period (<em>-days<\/em>) as you\u00a0need.<\/p>\n<p>2. Create the node certificate<\/p>\n<pre>openssl genrsa -out node-key-temp.pem 4096<br \/># convert the key to unencrypted PKCS#8, the format the security plugin reads<br \/>openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -out node-key.pem<br \/>openssl req -new -key node-key.pem -out node.csr<br \/># 120 days: plan the rotation, the cluster stops talking to itself when this expires<br \/>openssl x509 -req -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node.pem -days 120<\/pre>\n<p>3. 
Create TLS certificates for\u00a0Kibana<\/p>\n<pre>openssl genrsa -out kibana-key.pem 4096<br \/>openssl req -new -key kibana-key.pem -out kibana.csr -subj \"\/CN=kibana.example.com\"<br \/># browsers match the host name against the SAN, not the CN, so add one when signing (bash process substitution)<br \/>openssl x509 -req -in kibana.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -days 365 -extfile &lt;(printf \"subjectAltName=DNS:kibana.example.com\") -out kibana.pem<\/pre>\n<p>4. Import the certificates as Kubernetes secrets<\/p>\n<pre>kubectl create namespace opendistro<br \/>kubectl -n opendistro create secret generic elasticsearch-transport-certs --from-file=elk-transport-crt.pem=node.pem --from-file=elk-transport-key.pem=node-key.pem --from-file=elk-transport-root-ca.pem=root-ca.pem<br \/>kubectl -n opendistro create secret tls kibana-tls-secret --cert=kibana.pem --key=kibana-key.pem<\/pre>\n<p>Only the node certificate, its key and the root CA certificate go into the cluster; <em>root-ca-key.pem<\/em> stays on the machine that signs certificates.<\/p>\n<h4>Helm chart<\/h4>\n<p>At the time of writing the OpenDistro for Elasticsearch Helm chart is not published to a chart repository. You can find it on <a href=\"https:\/\/github.com\/opendistro-for-elasticsearch\/opendistro-build.git\">GitHub<\/a>; if you run a Helm registry you can package it and make it available to other teams, or clone the repository and use it directly.<\/p>\n<pre>git clone <a href=\"https:\/\/github.com\/opendistro-for-elasticsearch\/opendistro-build.git\">https:\/\/github.com\/opendistro-for-elasticsearch\/opendistro-build.git<\/a><\/pre>\n<h4>Configure Kibana<\/h4>\n<p>First create a secret containing the username and password that Kibana uses to authenticate to Elasticsearch as the <em>kibanaserver<\/em> system user.<\/p>\n<pre>kubectl -n opendistro create secret generic elasticsearch-account --from-literal=username=kibanaserver --from-literal=password=&lt;YOUR_PASSWORD&gt;<\/pre>\n<p>You can set the password to whatever you want, but it must match the hash you set for <em>kibanaserver<\/em> in <em>internal_users.yml<\/em> later in this article. The internal users are written to the security index when the cluster first starts, so pick the password before installing.<\/p>\n<p>In the <strong><em>values.yml<\/em><\/strong> file add the following values.<\/p>\n<pre>kibana:<br \/>  enabled: true<br \/>  imagePullPolicy: \"IfNotPresent\"<br \/>  elasticsearchAccount:<br \/>    secret: \"elasticsearch-account\"<br \/>  ingress:<br \/>    enabled: true<br \/>    path: \/<br \/>    hosts:<br \/>    - kibana.example.com<br \/>    tls:<br \/>    - secretName: kibana-tls-secret<br \/>      hosts:<br \/>      - kibana.example.com<br \/>  config:<br \/>    server.name: kibana<br \/>    server.host: \"0\"<br \/>    # plain HTTP because opendistro_security.ssl.http.enabled is false on the Elasticsearch side:<br \/>    # the kibanaserver password and every user's bearer token cross the cluster network unencrypted<br \/>    elasticsearch.hosts: http:\/\/&lt;opendistro-client&gt;:&lt;opendistro-client-port&gt;<br \/>    logging.verbose: false<br \/>    # TLS terminates at the Ingress, so Kibana itself listens on plain HTTP<br \/>    server.ssl.enabled: false<br \/>    # The browser only reaches Kibana through the HTTPS Ingress, so the session cookie can carry<br \/>    # the Secure flag; keep it false only if you also reach Kibana over plain HTTP (e.g. port-forward)<br \/>    opendistro_security.cookie.secure: false<br \/>    elasticsearch.username: ${ELASTICSEARCH_USERNAME}<br \/>    elasticsearch.password: ${ELASTICSEARCH_PASSWORD}<br \/>    # Enable multitenancy<br \/>    opendistro_security.multitenancy.enabled: true<br \/>    # The default private and global tenants can be disabled<br \/>    #opendistro_security.multitenancy.tenants.enable_private: false<br \/>    #opendistro_security.multitenancy.tenants.enable_global: false<br \/>    opendistro_security.readonly_mode.roles: [\"kibana_read_only\"]<br \/>    # Multitenancy uses the securitytenant header alongside the standard Authorization header;<br \/>    # if securitytenant is not whitelisted, Kibana starts with a red status<br \/>    elasticsearch.requestHeadersWhitelist: [\"securitytenant\",\"Authorization\"]<br \/>    # Enable authentication via client certificates<br \/>    opendistro_security.allow_client_certificates: true<br \/>    # Kibana OIDC configuration; the client secret ends up in Kibana's rendered configuration,<br \/>    # so treat values.yml as sensitive<br \/>    opendistro_security.auth.type: \"openid\"<br \/>    opendistro_security.openid.connect_url: \"https:\/\/keycloak.example.com\/auth\/realms\/opendistro\/.well-known\/openid-configuration\"<br \/>    opendistro_security.openid.client_id: \"kibana-sso\"<br \/>    opendistro_security.openid.client_secret: \"&lt;keycloak-secret&gt;\"<br \/>    opendistro_security.openid.base_redirect_url: https:\/\/kibana.example.com<\/pre>\n<p><strong><em>Note:<\/em><\/strong> The image pull policy defaults to Always; change it to IfNotPresent, otherwise every configuration change triggers a fresh image pull and the rollout takes longer.<\/p>\n<h4>Configure Elasticsearch<\/h4>\n<p>The Elasticsearch configuration consists of several\u00a0parts:<\/p>\n<ul>\n<li>Configure the authentication backends (internal users,\u00a0OpenID)<\/li>\n<li>Change the default passwords of the system users (kibanaserver, admin, ...)<\/li>\n<li>Configure the <em>elasticsearch.yml<\/em> file<\/li>\n<\/ul>\n<p>To avoid having to exec into a pod to configure the various security options, they can be passed through the <strong><em>securityConfig<\/em><\/strong> option of the Helm chart. 
For full examples see the\u00a0<a href=\"https:\/\/github.com\/opendistro-for-elasticsearch\/security\/tree\/main\/securityconfig\">link<\/a>.<\/p>\n<h4>Configure the authentication backends<\/h4>\n<p>The configuration is passed as Kubernetes secrets that the chart mounts into the pods. To add OpenID as a second authentication domain next to the internal users database, use the YAML file\u00a0below.<\/p>\n<p>When several authentication domains are configured, the <em>order<\/em> parameter decides the sequence in which they are tried: the lowest order goes first, and the first domain that authenticates the request wins. Here OpenID has order 1 and the internal database order 4, and only the internal (Basic) domain has <em>challenge: true<\/em>. That matters: a request without credentials passes through the OpenID domain silently and is answered with a Basic challenge, so Kibana\u2019s own <em>kibanaserver<\/em> login and curl users keep working, while requests carrying a bearer token from Keycloak are authenticated by the OpenID domain.<\/p>\n<pre>_meta:<br \/>  type: \"config\"<br \/>  config_version: 2<br \/>config:<br \/>  dynamic:<br \/>    filtered_alias_mode: \"warn\"<br \/>    disable_rest_auth: false<br \/>    disable_intertransport_auth: false<br \/>    respect_request_indices_options: false<br \/>    license: null<br \/>    kibana:<br \/>      multitenancy_enabled: true<br \/>      server_username: kibanaserver<br \/>    authc:<br \/>      basic_internal_auth_domain:<br \/>        description: \"Authenticate via HTTP Basic against internal users database\"<br \/>        http_enabled: true<br \/>        transport_enabled: true<br \/>        order: 4<br \/>        http_authenticator:<br \/>          type: basic<br \/>          challenge: true<br \/>        authentication_backend:<br \/>          type: intern<br \/>      openid_auth_domain:<br \/>        description: \"Authenticate via an ID token issued by Keycloak\"<br \/>        http_enabled: true<br \/>        transport_enabled: true<br \/>        order: 1<br \/>        http_authenticator:<br \/>          type: openid<br \/>          # no challenge: requests without a bearer token fall through to the Basic domain<br \/>          challenge: false<br \/>          config:<br \/>            # claim holding the username; must be a top-level claim of the ID token<br \/>            subject_key: preferred_username<br \/>            # claim holding the role names (list or comma-separated string); must be top-level<br \/>            roles_key: roles<br \/>            openid_connect_url: https:\/\/keycloak.example.com\/auth\/realms\/opendistro\/.well-known\/openid-configuration<br \/>            enable_ssl: true<br \/>            # CA that issued Keycloak's TLS certificate, as PEM text (only needed when it is not publicly trusted)<br \/>            pemtrustedcas_content: |-<br \/>              &lt;OPENID_CA_ROOT_PEM&gt;<br \/>        authentication_backend:<br \/>          # the ID token is verified against the provider's signing keys, so no further backend check<br \/>          type: noop<\/pre>\n<p><strong><em>Note<\/em><\/strong>: the TLS settings for the connection to Keycloak (<em>enable_ssl<\/em>, <em>pemtrustedcas_content<\/em>) belong under <em>http_authenticator.config<\/em> of the OpenID domain; placed anywhere else they are not applied. Write the configuration into a file named <em>config.yml<\/em>; the security plugin looks for that exact file name inside the mounted secret.<\/p>\n<p>Create a Kubernetes secret from the file.<\/p>\n<pre>kubectl -n opendistro create secret generic security-config --from-file=config.yml<\/pre>\n<h4>Change default passwords for system\u00a0users<\/h4>\n<p>By default Elasticsearch starts with well-known default passwords for critical accounts such as <em>admin<\/em>. These passwords must be changed before the instance is started, because the internal users are written to the security index on first start.<\/p>\n<p>The configuration takes the bcrypt hash of the password, not the clear-text password. You can generate the hash with <em>htpasswd<\/em> in bcrypt mode (<em>-B<\/em>) or with the script shipped in the Elasticsearch Docker image.<\/p>\n<pre>docker run --rm -it amazon\/opendistro-for-elasticsearch bash<br \/>cd \/usr\/share\/elasticsearch\/plugins\/opendistro_security\/tools<br \/>chmod +x hash.sh<br \/># omit -p to be prompted instead of putting the password on the command line and in the shell history<br \/>.\/hash.sh -p &lt;password&gt;<\/pre>\n<p>Repeat this for every user in the <a href=\"https:\/\/github.com\/opendistro-for-elasticsearch\/security\/blob\/main\/securityconfig\/internal_users.yml\">file<\/a> and write the result to a file named <em>internal_users.yml<\/em>. The hash for <em>kibanaserver<\/em> must correspond to the password stored in the <em>elasticsearch-account<\/em> secret created earlier.<\/p>\n<p>Create a Kubernetes secret from the file.<\/p>\n<pre>kubectl -n opendistro create secret generic internal-users-secret --from-file=internal_users.yml<\/pre>\n<h4>Configure elasticsearch.yml<\/h4>\n<p>In the <strong><em>values.yml<\/em><\/strong> file add the following values.<\/p>\n<pre>elasticsearch:<br \/>  imagePullPolicy: \"IfNotPresent\"<br \/>  securityConfig:<br \/>    enabled: true<br \/>    configSecret: \"security-config\"<br \/>    internalUsersSecret: \"internal-users-secret\"<br \/>  ssl:<br \/>    transport:<br \/>      existingCertSecret: elasticsearch-transport-certs<br \/>  master:<br \/>    enabled: true<br \/>    replicas: 1<br \/>  data:<br \/>    enabled: true<br \/>    replicas: 1<br \/>  client:<br \/>    enabled: true<br \/>    dedicatedPod:<br \/>      enabled: false<br \/>  config:<br \/>    # nodes_dn: subject of the node certificate in RFC 2253 form (see below); only certificates<br \/>    # matching this list are accepted as cluster nodes on the transport layer<br \/>    opendistro_security.nodes_dn:<br \/>    - '&lt;ssl_cert_nodes_dn&gt;'<br \/>    processors: ${PROCESSORS:1}<br \/>    # never accept the demo certificates that ship with the image<br \/>    opendistro_security.allow_unsafe_democertificates: false<br \/>    opendistro_security.restapi.roles_enabled: [\"all_access\", \"security_rest_api_access\"]<br \/>    opendistro_security.audit.type: internal_elasticsearch<br \/>    opendistro_security.ssl.transport.pemcert_filepath: elk-transport-crt.pem<br \/>    opendistro_security.ssl.transport.pemkey_filepath: elk-transport-key.pem<br \/>    opendistro_security.ssl.transport.pemtrustedcas_filepath: elk-transport-root-ca.pem<br \/>    # REST API over plain HTTP inside the cluster; set to true (and point Kibana at https) to encrypt it<br \/>    opendistro_security.ssl.http.enabled: false<br \/>    # must be true so that config.yml and internal_users.yml are loaded into the security index on first start<br \/>    opendistro_security.allow_default_init_securityindex: true<br \/>    # all nodes share one certificate, so the host name cannot be verified against it<br \/>    opendistro_security.ssl.transport.enforce_hostname_verification: false<br \/>    discovery.zen.minimum_master_nodes: 1<br \/>    cluster.name: &lt;cluster_name&gt;<\/pre>\n<p>On Kubernetes, issuing a certificate for each pod is not practical, so a single certificate is shared by all nodes. To prevent any other holder of a certificate from the same CA from joining the cluster as a node, Elasticsearch only treats a transport connection as a node when the certificate subject matches the <strong><em>opendistro_security.nodes_dn<\/em><\/strong> list; any other certificate signed by the CA is treated as a client connection.<\/p>\n<p>To get the full subject of a certificate, in the form the plugin compares against, use the command\u00a0below.<\/p>\n<pre>openssl x509 -subject -nameopt RFC2253 -noout -in &lt;cert_file&gt;<\/pre>\n<p><strong><em>Note:<\/em><\/strong> <strong><em>nodes_dn<\/em><\/strong> also accepts wildcards (for example <em>CN=elk-*<\/em>) and regular expressions written between slashes.<\/p>\n<h3><strong>Install OpenDistro<\/strong><\/h3>\n<pre>helm upgrade --install -n opendistro &lt;release_name&gt; -f values.yml .\/opendistro-build\/helm\/opendistro-es<\/pre>\n<h3>Improvements<\/h3>\n<p>cert-manager can issue and rotate the transport certificates instead of the manual openssl steps above; we\u2019ll cover that in another article, so stay\u00a0tuned.<\/p>\n<p>You can find all the files in my GitHub repository.<\/p>\n<p><a href=\"https:\/\/github.com\/abdellahseddikpro\/blog\/tree\/master\/opendistro-keycloak\">abdellahseddikpro\/blog<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>OpenDistro with\u00a0OpenID. After Elastic changed its license from the open-source Apache 2.0 license (ALv2) to the non-open-source Server Side Public License (SSPL), AWS launched a fork of both Elasticsearch and Kibana. This article installs and runs OpenDistro for Elasticsearch on Kubernetes with OpenID Connect authentication, using Keycloak as the identity provider and Helm to deploy the chart. Note: this article does not cover installing Keycloak; that will be the subject of another\u00a0article. 
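As an added example (not code from the article, its GitHub repository, or the OpenDistro security plugin), the Python below models the authentication chain declared in the config.yml above together with the Keycloak role claim that chain depends on. It shows why the OpenID domain has order 1 and challenge: false while the internal Basic domain has challenge: true (an anonymous request gets a Basic challenge, a bearer token is handled by OpenID, a Basic login by the internal database), why roles_key: roles only finds a top-level claim so that a token carrying roles only under Keycloak's default realm_access.roles logs the user in with no roles at all, and that the roles claim may be a list or a comma-separated string. Assumptions that are not from the page: the ID token signature is taken as already verified (the real plugin checks it against the keys published at openid_connect_url), and INTERNAL_USERS and the token payloads are constructed samples standing in for internal_users.yml and real Keycloak tokens.

```python
"""Model of the Open Distro authc chain and its claim handling (illustration only).

Assumed, not taken from the page: token signatures are treated as already verified,
so only claims are decoded; INTERNAL_USERS is a constructed plain-text stand-in for
the bcrypt hashes in internal_users.yml; all token payloads are constructed samples.
"""
import base64
import json

# Authentication domains as declared in config.yml; tried by ascending "order".
AUTHC_DOMAINS = [
    {"name": "openid_auth_domain", "order": 1, "type": "openid", "challenge": False,
     "subject_key": "preferred_username", "roles_key": "roles"},
    {"name": "basic_internal_auth_domain", "order": 4, "type": "basic", "challenge": True},
]
# The WWW-Authenticate value each authenticator type sends when it finds no credentials.
CHALLENGE = {"basic": 'Basic realm="Open Distro Security"',
             "openid": 'Bearer realm="Open Distro Security"'}
# Constructed stand-in for internal_users.yml (the real file holds bcrypt hashes).
INTERNAL_USERS = {"kibanaserver": "kibana-pw", "admin": "admin-pw"}


def b64url_encode(data: bytes) -> str:
    """Unpadded base64url, as used by JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict) -> str:
    """Constructed ID token with a dummy signature (this model never verifies signatures)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.dummy-signature"


def jwt_claims(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))


def roles_from_claims(claims: dict, roles_key: str) -> list:
    """roles_key names a TOP-LEVEL claim, given as a list or a comma-separated string.
    A nested realm_access.roles (Keycloak's default) is therefore never seen."""
    value = claims.get(roles_key)
    if value is None:
        return []
    if isinstance(value, str):
        return [r.strip() for r in value.split(",") if r.strip()]
    return list(value)


def extract_openid(headers: dict, domain: dict):
    """Credentials from 'Authorization: Bearer <id_token>', or None when absent."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    claims = jwt_claims(auth[len("Bearer "):])
    return {"user": claims.get(domain["subject_key"]),
            "roles": roles_from_claims(claims, domain["roles_key"])}


def extract_basic(headers: dict, domain: dict):
    """Credentials from 'Authorization: Basic base64(user:password)', or None when absent."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    user, _, password = base64.b64decode(auth[len("Basic "):]).decode().partition(":")
    return {"user": user, "password": password, "roles": []}


def authenticate(headers: dict) -> dict:
    """Walk the domains in order: no credentials and challenge -> 401 with that challenge, stop;
    no credentials and no challenge -> next domain; credentials -> verify (noop for openid,
    password check for intern) and move on if they are rejected."""
    first_challenge = None
    for domain in sorted(AUTHC_DOMAINS, key=lambda d: d["order"]):
        extract = extract_openid if domain["type"] == "openid" else extract_basic
        creds = extract(headers, domain)
        if creds is None:
            if domain["challenge"]:
                return {"status": 401, "www_authenticate": CHALLENGE[domain["type"]]}
            continue
        if domain["challenge"] and first_challenge is None:
            first_challenge = CHALLENGE[domain["type"]]
        if domain["type"] == "basic" and INTERNAL_USERS.get(creds["user"]) != creds["password"]:
            continue
        return {"status": 200, "domain": domain["name"], "user": creds["user"], "roles": creds["roles"]}
    return {"status": 401, "www_authenticate": first_challenge}


def demo() -> dict:
    """Constructed requests against the chain, returned by scenario name."""
    mapped = make_token({"preferred_username": "user1", "roles": ["all_access"]})
    unmapped = make_token({"preferred_username": "user1", "realm_access": {"roles": ["all_access"]}})
    as_string = make_token({"preferred_username": "user1", "roles": "all_access,kibana_user"})
    return {
        "mapped": authenticate({"Authorization": "Bearer " + mapped}),
        "keycloak_default": authenticate({"Authorization": "Bearer " + unmapped}),
        "as_string": authenticate({"Authorization": "Bearer " + as_string}),
        "anonymous": authenticate({}),
        "kibanaserver": authenticate({"Authorization": "Basic " + base64.b64encode(b"kibanaserver:kibana-pw").decode()}),
        "bad_password": authenticate({"Authorization": "Basic " + base64.b64encode(b"admin:wrong").decode()}),
    }
```

The keycloak_default scenario is the one to watch for: the user authenticates (status 200) but carries no roles, which on a real cluster surfaces later as a 403 rather than a login error; the User Realm Role mapper described in the Keycloak section turns it into the mapped scenario.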
<\/p>\n","protected":false},"author":3,"featured_media":638,"comment_status":"open","ping_status":"open","sticky":false,"template":"elementor_canvas","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[15],"tags":[],"class_list":["post-530","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-opendistro","entry","has-media"],"jetpack_featured_media_url":"https:\/\/cloudspert.com\/wp-content\/uploads\/2021\/06\/KEYCLOAK.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cloudspert.com\/index.php?rest_route=\/wp\/v2\/posts\/530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudspert.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudspert.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudspert.com\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudspert.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=530"}],"version-history":[{"count":1,"href":"https:\/\/cloudspert.com\/index.php?rest_route=\/wp\/v2\/posts\/530\/revisions"}],"predecessor-version":[{"id":639,"href":"https:\/\/cloudspert.com\/index.php?rest_route=\/wp\/v2\/posts\/530\/revisions\/639"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudspert.com\/index.php?rest_route=\/wp\/v2\/media\/638"}],"wp:attachment":[{"href":"https:\/\/cloudspert.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudspert.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudspert.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}