From 006532e81dd0e56c68e7895b4385e4f072fdf390 Mon Sep 17 00:00:00 2001 From: tsvetkov Date: Fri, 27 Feb 2026 09:48:42 +0000 Subject: [PATCH] add bash scripts for elk stack --- README.md | 2 + configure-authentik-oidc.sh | 115 +++++++++++++++++++++++++++++++++++ generate-certs.sh | 118 ++++++++++++++++++++++++++++++++++++ 3 files changed, 235 insertions(+) create mode 100644 README.md create mode 100644 configure-authentik-oidc.sh create mode 100644 generate-certs.sh diff --git a/README.md b/README.md new file mode 100644 index 0000000..9774628 --- /dev/null +++ b/README.md @@ -0,0 +1,2 @@ +Various scripts used by the [elk-jdbc-sso](https://git.96-fromsofia.net/k8s/elk-jdbc-sso) stack. +Refer to this project for details on when and how to use these scripts. diff --git a/configure-authentik-oidc.sh b/configure-authentik-oidc.sh new file mode 100644 index 0000000..1d93b31 --- /dev/null +++ b/configure-authentik-oidc.sh 
@@ -0,0 +1,115 @@
+#!/usr/bin/env bash
+# =============================================================================
+# configure-authentik-oidc.sh
+# Configures Authentik with an OIDC Provider and Application for Kibana SSO
+# Run AFTER Authentik is fully started and accessible
+# =============================================================================
+set -euo pipefail
+
+AUTHENTIK_URL="${1:-http://localhost:9000}"
+BOOTSTRAP_TOKEN="${2:-bootstrap-token-elk-lab-2024}"
+KIBANA_URL="https://kibana.elk.local:30443"
+
+AUTH_HEADER="Authorization: Bearer ${BOOTSTRAP_TOKEN}"
+CT="Content-Type: application/json"
+
+echo "=== Configuring Authentik OIDC for Kibana ==="
+echo "Authentik URL: ${AUTHENTIK_URL}"
+
+# Wait for Authentik
+echo ">>> Waiting for Authentik API..."
+until curl -sf "${AUTHENTIK_URL}/-/health/ready/" > /dev/null 2>&1; do
+ echo " Waiting..."
+ sleep 5
+done
+echo " Authentik is ready!"
+
+# --- Step 1: Create a Certificate-Key Pair (optional, for signed JWTs) ---
+echo ">>> Creating certificate key pair..."
+CERT_RESP=$(curl -sf -X POST "${AUTHENTIK_URL}/api/v3/crypto/certificatekeypairs/generate/" \
+ -H "${AUTH_HEADER}" -H "${CT}" \
+ -d '{
+ "common_name": "kibana-oidc-signing",
+ "subject_alt_name": "kibana.elk.local",
+ "validity_days": 365
+ }' 2>/dev/null || echo '{}')
+CERT_ID=$(echo "$CERT_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('pk',''))" 2>/dev/null || echo "")
+echo " Certificate ID: ${CERT_ID:-skipped}"
+
+# --- Step 2: Create Scope Mappings (if not already present) ---
+echo ">>> Checking scope mappings..."
+SCOPES_RESP=$(curl -sf "${AUTHENTIK_URL}/api/v3/propertymappings/scope/?ordering=scope_name" \
+ -H "${AUTH_HEADER}" 2>/dev/null || echo '{"results":[]}')
+
+# --- Step 3: Create OIDC Provider ---
+echo ">>> Creating OIDC Provider for Kibana..."
+PROVIDER_BODY=$(cat </dev/null || echo '{}') +PROVIDER_ID=$(echo "$PROVIDER_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('pk',''))" 2>/dev/null || echo "") + +if [ -z "$PROVIDER_ID" ]; then + echo " Provider may already exist, looking it up..." + PROVIDER_ID=$(curl -sf "${AUTHENTIK_URL}/api/v3/providers/oauth2/?search=Kibana" \ + -H "${AUTH_HEADER}" | python3 -c "import sys,json; r=json.load(sys.stdin)['results']; print(r[0]['pk'] if r else '')" 2>/dev/null || echo "") +fi +echo " Provider ID: ${PROVIDER_ID}" + +# --- Step 4: Create Application --- +echo ">>> Creating Kibana Application..." +APP_RESP=$(curl -sf -X POST "${AUTHENTIK_URL}/api/v3/core/applications/" \ + -H "${AUTH_HEADER}" -H "${CT}" \ + -d "{ + \"name\": \"Kibana\", + \"slug\": \"kibana\", + \"provider\": ${PROVIDER_ID}, + \"meta_launch_url\": \"${KIBANA_URL}\", + \"meta_description\": \"ELK Stack - Kibana Dashboard\", + \"policy_engine_mode\": \"any\" + }" 2>/dev/null || echo '{}') +APP_SLUG=$(echo "$APP_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('slug',''))" 2>/dev/null || echo "") + +if [ -z "$APP_SLUG" ]; then + echo " Application may already exist." + APP_SLUG="kibana" +fi +echo " Application slug: ${APP_SLUG}" + +echo "" +echo "╔══════════════════════════════════════════════════════════════╗" +echo "║ Authentik OIDC Configuration Complete! 
║" +echo "╠══════════════════════════════════════════════════════════════╣" +echo "║ ║" +echo "║ OIDC Provider: Kibana OIDC Provider ║" +echo "║ Client ID: kibana ║" +echo "║ Client Secret: kibana-client-secret-2024 ║" +echo "║ Application: kibana ║" +echo "║ ║" +echo "║ Issuer URL: ║" +echo "║ ${AUTHENTIK_URL}/application/o/kibana/ ║" +echo "║ ║" +echo "║ Endpoints: ║" +echo "║ Authorization: .../application/o/authorize/ ║" +echo "║ Token: .../application/o/token/ ║" +echo "║ UserInfo: .../application/o/userinfo/ ║" +echo "║ JWKS: .../application/o/kibana/jwks/ ║" +echo "║ ║" +echo "╚══════════════════════════════════════════════════════════════╝" diff --git a/generate-certs.sh b/generate-certs.sh new file mode 100644 index 0000000..8510c1d --- /dev/null +++ b/generate-certs.sh 
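Review bot: The OIDC client secret and the Authentik bootstrap token are both static strings committed with the script — `BOOTSTRAP_TOKEN="${2:-bootstrap-token-elk-lab-2024}"` near the top, and the summary box at the end prints `Client Secret: kibana-client-secret-2024` (the `PROVIDER_BODY` heredoc that presumably sets it is not legible in this extract). Anyone with read access to the repository or to the terminal/CI log of a run can obtain a credential that mints Kibana sessions, and the bearer token passed as `$2` is also visible in `ps` for every `curl` call. I would drop both defaults and read them from the environment — `BOOTSTRAP_TOKEN="${AUTHENTIK_BOOTSTRAP_TOKEN:?set AUTHENTIK_BOOTSTRAP_TOKEN}"` and `CLIENT_SECRET="${KIBANA_CLIENT_SECRET:-$(openssl rand -hex 32)}"` — and have the final box say where the secret was stored rather than echo its value. Separately, because every `curl` failure is masked with `|| echo '{}'`, an empty `PROVIDER_ID` yields the invalid body `"provider": ,` in Step 4 and the script then reports "Application may already exist" instead of failing; a guard such as `[[ -n "$PROVIDER_ID" ]] || { echo "no OIDC provider id" >&2; exit 1; }` before Step 4 would surface that.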
@@ -0,0 +1,118 @@ +#!/usr/bin/env bash +# ============================================================================= +# generate-certs.sh — Generate a custom CA and TLS certificates for ELK stack +# ============================================================================= +set -euo pipefail + +CERT_DIR="${1:-./certs}" +DAYS_VALID=825 +CA_SUBJECT="/C=US/ST=State/L=City/O=ELK-Lab/OU=Infrastructure/CN=ELK-Lab-CA" +DOMAIN="elk.local" + +mkdir -p "${CERT_DIR}" + +echo ">>> Generating Custom CA..." +openssl genrsa -out "${CERT_DIR}/ca.key" 4096 +openssl req -x509 -new -nodes \ + -key "${CERT_DIR}/ca.key" \ + -sha256 -days ${DAYS_VALID} \ + -out "${CERT_DIR}/ca.crt" \ + -subj "${CA_SUBJECT}" + +# --- Function to generate a certificate signed by the CA --- +generate_cert() { + local NAME="$1" + local CN="$2" + local SANS="$3" + + echo ">>> Generating certificate for ${NAME} (CN=${CN})..." + + openssl genrsa -out "${CERT_DIR}/${NAME}.key" 2048 + + cat > "${CERT_DIR}/${NAME}.cnf" <>> Creating Elasticsearch PKCS12 keystore..." +openssl pkcs12 -export \ + -in "${CERT_DIR}/elasticsearch.crt" \ + -inkey "${CERT_DIR}/elasticsearch.key" \ + -CAfile "${CERT_DIR}/ca.crt" \ + -chain \ + -out "${CERT_DIR}/elasticsearch.p12" \ + -passout pass:changeit + +# --- Create Elasticsearch HTTP PKCS12 keystore --- +cp "${CERT_DIR}/elasticsearch.p12" "${CERT_DIR}/elastic-http.p12" + +# --- Cleanup serial file --- +rm -f "${CERT_DIR}/ca.srl" + +echo "" +echo "=== Certificates generated in ${CERT_DIR}/ ===" +ls -la "${CERT_DIR}/" +echo "" +echo "CA certificate: ${CERT_DIR}/ca.crt" +echo "CA private key: ${CERT_DIR}/ca.key" +echo "Elasticsearch cert: ${CERT_DIR}/elasticsearch.crt" +echo "Kibana cert: ${CERT_DIR}/kibana.crt" +echo "Logstash cert: ${CERT_DIR}/logstash.crt" +echo "NGINX cert: ${CERT_DIR}/nginx.crt" +echo "Authentik cert: ${CERT_DIR}/authentik.crt"
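Review bot: Every private key this script writes — `ca.key`, each `${NAME}.key`, and the two PKCS12 bundles — is created under the caller's default umask, so with the usual 022 they can land world-readable in `${CERT_DIR}` unless the local OpenSSL build tightens the mode itself, and the CA key is additionally stored unencrypted (`-nodes`). A single `umask 077` placed right after `set -euo pipefail` fixes all of them at creation time; a trailing `chmod 600 "${CERT_DIR}"/*.key "${CERT_DIR}"/*.p12` would also work but leaves a window while the script runs. The keystore password `-passout pass:changeit` is both a well-known default and visible in `ps` for the duration of the `openssl pkcs12` call; `PKCS12_PASS="${PKCS12_PASS:-changeit}"` with `-passout env:PKCS12_PASS` keeps it off the command line without changing the default the rest of the stack may expect. The `generate_cert` body and its `.cnf` heredoc are not legible in this extract, so I cannot confirm which SANs and key-usage extensions the leaf certificates receive.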