add bash scripts for elk stack
This commit is contained in:
tsvetkov
2
README.md
Normal file
2
README.md
Normal file
@@ -0,0 +1,2 @@
|
||||
Various scripts used by the [elk-jdbc-sso](https://git.96-fromsofia.net/k8s/elk-jdbc-sso) stack.
|
||||
Refer to this project for details on when and how to use these scripts.
|
||||
115
configure-authentik-oidc.sh
Normal file
115
configure-authentik-oidc.sh
Normal file
@@ -0,0 +1,115 @@
|
||||
#!/usr/bin/env bash
|
||||
# =============================================================================
|
||||
# configure-authentik-oidc.sh
|
||||
# Configures Authentik with an OIDC Provider and Application for Kibana SSO
|
||||
# Run AFTER Authentik is fully started and accessible
|
||||
# =============================================================================
|
||||
set -euo pipefail
|
||||
|
||||
AUTHENTIK_URL="${1:-http://localhost:9000}"
|
||||
BOOTSTRAP_TOKEN="${2:-bootstrap-token-elk-lab-2024}"
|
||||
KIBANA_URL="https://kibana.elk.local:30443"
|
||||
|
||||
AUTH_HEADER="Authorization: Bearer ${BOOTSTRAP_TOKEN}"
|
||||
CT="Content-Type: application/json"
|
||||
|
||||
echo "=== Configuring Authentik OIDC for Kibana ==="
|
||||
echo "Authentik URL: ${AUTHENTIK_URL}"
|
||||
|
||||
# Wait for Authentik
|
||||
echo ">>> Waiting for Authentik API..."
|
||||
until curl -sf "${AUTHENTIK_URL}/-/health/ready/" > /dev/null 2>&1; do
|
||||
echo " Waiting..."
|
||||
sleep 5
|
||||
done
|
||||
echo " Authentik is ready!"
|
||||
|
||||
# --- Step 1: Create a Certificate-Key Pair (optional, for signed JWTs) ---
|
||||
echo ">>> Creating certificate key pair..."
|
||||
CERT_RESP=$(curl -sf -X POST "${AUTHENTIK_URL}/api/v3/crypto/certificatekeypairs/generate/" \
|
||||
-H "${AUTH_HEADER}" -H "${CT}" \
|
||||
-d '{
|
||||
"common_name": "kibana-oidc-signing",
|
||||
"subject_alt_name": "kibana.elk.local",
|
||||
"validity_days": 365
|
||||
}' 2>/dev/null || echo '{}')
|
||||
CERT_ID=$(echo "$CERT_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('pk',''))" 2>/dev/null || echo "")
|
||||
echo " Certificate ID: ${CERT_ID:-skipped}"
|
||||
|
||||
# --- Step 2: Create Scope Mappings (if not already present) ---
|
||||
echo ">>> Checking scope mappings..."
|
||||
SCOPES_RESP=$(curl -sf "${AUTHENTIK_URL}/api/v3/propertymappings/scope/?ordering=scope_name" \
|
||||
-H "${AUTH_HEADER}" 2>/dev/null || echo '{"results":[]}')
|
||||
|
||||
# --- Step 3: Create OIDC Provider ---
|
||||
echo ">>> Creating OIDC Provider for Kibana..."
|
||||
PROVIDER_BODY=$(cat <<PROVIDER_JSON
|
||||
{
|
||||
"name": "Kibana OIDC Provider",
|
||||
"authorization_flow": "default-provider-authorization-implicit-consent",
|
||||
"client_type": "confidential",
|
||||
"client_id": "kibana",
|
||||
"client_secret": "kibana-client-secret-2024",
|
||||
"redirect_uris": "${KIBANA_URL}/api/security/oidc/callback",
|
||||
"signing_key": ${CERT_ID:+\"$CERT_ID\"}${CERT_ID:-null},
|
||||
"sub_mode": "user_username",
|
||||
"issuer_mode": "per_provider",
|
||||
"access_code_validity": "minutes=1",
|
||||
"access_token_validity": "minutes=5",
|
||||
"refresh_token_validity": "days=30"
|
||||
}
|
||||
PROVIDER_JSON
|
||||
)
|
||||
|
||||
PROVIDER_RESP=$(curl -sf -X POST "${AUTHENTIK_URL}/api/v3/providers/oauth2/" \
|
||||
-H "${AUTH_HEADER}" -H "${CT}" \
|
||||
-d "${PROVIDER_BODY}" 2>/dev/null || echo '{}')
|
||||
PROVIDER_ID=$(echo "$PROVIDER_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('pk',''))" 2>/dev/null || echo "")
|
||||
|
||||
if [ -z "$PROVIDER_ID" ]; then
|
||||
echo " Provider may already exist, looking it up..."
|
||||
PROVIDER_ID=$(curl -sf "${AUTHENTIK_URL}/api/v3/providers/oauth2/?search=Kibana" \
|
||||
-H "${AUTH_HEADER}" | python3 -c "import sys,json; r=json.load(sys.stdin)['results']; print(r[0]['pk'] if r else '')" 2>/dev/null || echo "")
|
||||
fi
|
||||
echo " Provider ID: ${PROVIDER_ID}"
|
||||
|
||||
# --- Step 4: Create Application ---
|
||||
echo ">>> Creating Kibana Application..."
|
||||
APP_RESP=$(curl -sf -X POST "${AUTHENTIK_URL}/api/v3/core/applications/" \
|
||||
-H "${AUTH_HEADER}" -H "${CT}" \
|
||||
-d "{
|
||||
\"name\": \"Kibana\",
|
||||
\"slug\": \"kibana\",
|
||||
\"provider\": ${PROVIDER_ID},
|
||||
\"meta_launch_url\": \"${KIBANA_URL}\",
|
||||
\"meta_description\": \"ELK Stack - Kibana Dashboard\",
|
||||
\"policy_engine_mode\": \"any\"
|
||||
}" 2>/dev/null || echo '{}')
|
||||
APP_SLUG=$(echo "$APP_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('slug',''))" 2>/dev/null || echo "")
|
||||
|
||||
if [ -z "$APP_SLUG" ]; then
|
||||
echo " Application may already exist."
|
||||
APP_SLUG="kibana"
|
||||
fi
|
||||
echo " Application slug: ${APP_SLUG}"
|
||||
|
||||
echo ""
|
||||
echo "╔══════════════════════════════════════════════════════════════╗"
|
||||
echo "║ Authentik OIDC Configuration Complete! ║"
|
||||
echo "╠══════════════════════════════════════════════════════════════╣"
|
||||
echo "║ ║"
|
||||
echo "║ OIDC Provider: Kibana OIDC Provider ║"
|
||||
echo "║ Client ID: kibana ║"
|
||||
echo "║ Client Secret: kibana-client-secret-2024 ║"
|
||||
echo "║ Application: kibana ║"
|
||||
echo "║ ║"
|
||||
echo "║ Issuer URL: ║"
|
||||
echo "║ ${AUTHENTIK_URL}/application/o/kibana/ ║"
|
||||
echo "║ ║"
|
||||
echo "║ Endpoints: ║"
|
||||
echo "║ Authorization: .../application/o/authorize/ ║"
|
||||
echo "║ Token: .../application/o/token/ ║"
|
||||
echo "║ UserInfo: .../application/o/userinfo/ ║"
|
||||
echo "║ JWKS: .../application/o/kibana/jwks/ ║"
|
||||
echo "║ ║"
|
||||
echo "╚══════════════════════════════════════════════════════════════╝"
|
||||
118
generate-certs.sh
Normal file
118
generate-certs.sh
Normal file
@@ -0,0 +1,118 @@
|
||||
#!/usr/bin/env bash
|
||||
# =============================================================================
|
||||
# generate-certs.sh — Generate a custom CA and TLS certificates for ELK stack
|
||||
# =============================================================================
|
||||
set -euo pipefail
|
||||
|
||||
CERT_DIR="${1:-./certs}"
|
||||
DAYS_VALID=825
|
||||
CA_SUBJECT="/C=US/ST=State/L=City/O=ELK-Lab/OU=Infrastructure/CN=ELK-Lab-CA"
|
||||
DOMAIN="elk.local"
|
||||
|
||||
mkdir -p "${CERT_DIR}"
|
||||
|
||||
echo ">>> Generating Custom CA..."
|
||||
openssl genrsa -out "${CERT_DIR}/ca.key" 4096
|
||||
openssl req -x509 -new -nodes \
|
||||
-key "${CERT_DIR}/ca.key" \
|
||||
-sha256 -days ${DAYS_VALID} \
|
||||
-out "${CERT_DIR}/ca.crt" \
|
||||
-subj "${CA_SUBJECT}"
|
||||
|
||||
# --- Function to generate a certificate signed by the CA ---
|
||||
generate_cert() {
|
||||
local NAME="$1"
|
||||
local CN="$2"
|
||||
local SANS="$3"
|
||||
|
||||
echo ">>> Generating certificate for ${NAME} (CN=${CN})..."
|
||||
|
||||
openssl genrsa -out "${CERT_DIR}/${NAME}.key" 2048
|
||||
|
||||
cat > "${CERT_DIR}/${NAME}.cnf" <<SSLCNF
|
||||
[req]
|
||||
distinguished_name = req_dn
|
||||
req_extensions = v3_req
|
||||
prompt = no
|
||||
|
||||
[req_dn]
|
||||
C = US
|
||||
ST = State
|
||||
L = City
|
||||
O = ELK-Lab
|
||||
OU = ${NAME}
|
||||
CN = ${CN}
|
||||
|
||||
[v3_req]
|
||||
basicConstraints = CA:FALSE
|
||||
keyUsage = digitalSignature, keyEncipherment
|
||||
extendedKeyUsage = serverAuth, clientAuth
|
||||
subjectAltName = ${SANS}
|
||||
SSLCNF
|
||||
|
||||
openssl req -new -nodes \
|
||||
-key "${CERT_DIR}/${NAME}.key" \
|
||||
-out "${CERT_DIR}/${NAME}.csr" \
|
||||
-config "${CERT_DIR}/${NAME}.cnf"
|
||||
|
||||
openssl x509 -req \
|
||||
-in "${CERT_DIR}/${NAME}.csr" \
|
||||
-CA "${CERT_DIR}/ca.crt" \
|
||||
-CAkey "${CERT_DIR}/ca.key" \
|
||||
-CAcreateserial \
|
||||
-out "${CERT_DIR}/${NAME}.crt" \
|
||||
-days ${DAYS_VALID} \
|
||||
-sha256 \
|
||||
-extensions v3_req \
|
||||
-extfile "${CERT_DIR}/${NAME}.cnf"
|
||||
|
||||
rm -f "${CERT_DIR}/${NAME}.csr" "${CERT_DIR}/${NAME}.cnf"
|
||||
}
|
||||
|
||||
# --- Elasticsearch ---
|
||||
generate_cert "elasticsearch" "elasticsearch" \
|
||||
"DNS:elasticsearch,DNS:elasticsearch.elk.svc.cluster.local,DNS:elasticsearch.elk.svc,DNS:localhost,IP:127.0.0.1"
|
||||
|
||||
# --- Kibana ---
|
||||
generate_cert "kibana" "kibana" \
|
||||
"DNS:kibana,DNS:kibana.elk.svc.cluster.local,DNS:kibana.elk.svc,DNS:localhost,IP:127.0.0.1"
|
||||
|
||||
# --- Logstash ---
|
||||
generate_cert "logstash" "logstash" \
|
||||
"DNS:logstash,DNS:logstash.elk.svc.cluster.local,DNS:logstash.elk.svc,DNS:localhost,IP:127.0.0.1"
|
||||
|
||||
# --- NGINX ---
|
||||
generate_cert "nginx" "kibana.${DOMAIN}" \
|
||||
"DNS:kibana.${DOMAIN},DNS:nginx,DNS:nginx.elk.svc.cluster.local,DNS:localhost,IP:127.0.0.1"
|
||||
|
||||
# --- Authentik ---
|
||||
generate_cert "authentik" "authentik.${DOMAIN}" \
|
||||
"DNS:authentik.${DOMAIN},DNS:authentik,DNS:authentik-server,DNS:authentik-server.elk.svc.cluster.local,DNS:localhost,IP:127.0.0.1"
|
||||
|
||||
# --- Create Elasticsearch PKCS12 keystore ---
|
||||
echo ">>> Creating Elasticsearch PKCS12 keystore..."
|
||||
openssl pkcs12 -export \
|
||||
-in "${CERT_DIR}/elasticsearch.crt" \
|
||||
-inkey "${CERT_DIR}/elasticsearch.key" \
|
||||
-CAfile "${CERT_DIR}/ca.crt" \
|
||||
-chain \
|
||||
-out "${CERT_DIR}/elasticsearch.p12" \
|
||||
-passout pass:changeit
|
||||
|
||||
# --- Create Elasticsearch HTTP PKCS12 keystore ---
|
||||
cp "${CERT_DIR}/elasticsearch.p12" "${CERT_DIR}/elastic-http.p12"
|
||||
|
||||
# --- Cleanup serial file ---
|
||||
rm -f "${CERT_DIR}/ca.srl"
|
||||
|
||||
echo ""
|
||||
echo "=== Certificates generated in ${CERT_DIR}/ ==="
|
||||
ls -la "${CERT_DIR}/"
|
||||
echo ""
|
||||
echo "CA certificate: ${CERT_DIR}/ca.crt"
|
||||
echo "CA private key: ${CERT_DIR}/ca.key"
|
||||
echo "Elasticsearch cert: ${CERT_DIR}/elasticsearch.crt"
|
||||
echo "Kibana cert: ${CERT_DIR}/kibana.crt"
|
||||
echo "Logstash cert: ${CERT_DIR}/logstash.crt"
|
||||
echo "NGINX cert: ${CERT_DIR}/nginx.crt"
|
||||
echo "Authentik cert: ${CERT_DIR}/authentik.crt"
|
||||
Reference in New Issue
Block a user