Operator handle rotating Kibana EncryptionKeys #8171

Open
stefnestor opened this issue Oct 31, 2024 · 3 comments
Labels
>feature Adds or discusses adding a feature to the product

Comments

@stefnestor
Contributor

Follow-up to #8150 (comment)

> But in general I believe we should not try to squeeze the key rotation topic into this TIP. Because just doing what you are describing here will not rotate the encryption keys; it will just duplicate the key into a decryption-only key and lead to a crash-looping Kibana pod, because the primary encryption key cannot also be a decryption-only key. So the primary key also has to be changed to a new valid (!) value. I believe key rotation is something ECK should orchestrate, not users manually. This would be a new operator feature.

The business problem to solve is users not knowing to originally set Kibana *.encryptionKey values and then needing to override either those or xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys in order to later decrypt snapshot restored (and reindexed?) Kibana Saved Objects. I expect this comes up infrequently but the hope is to align ECK to easier full cluster migrations/restores. Or at least forewarn users of general manual flow in ECK docs if it doesn't end up automated.

@stefnestor stefnestor added the >feature Adds or discusses adding a feature to the product label Oct 31, 2024
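
An added example, not part of the issue thread or of ECK's code: a preflight check for the failure described in the quoted comment above (the primary key copied into the decryption-only list) and a rotation helper that installs a new primary key while keeping the previous one for decryption only. It assumes the Kibana settings are available as a flat dict keyed by the dotted setting names; `validate`, `rotate` and the sample key are hypothetical names and constructed values.

```python
import secrets

PRIMARY = "xpack.encryptedSavedObjects.encryptionKey"
DECRYPT_ONLY = "xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys"
MIN_KEY_LEN = 32  # Kibana requires encryptionKey to be at least 32 characters


def validate(settings):
    """Return a list of problems that would break a key rotation."""
    problems = []
    primary = settings.get(PRIMARY)
    old_keys = settings.get(DECRYPT_ONLY, [])
    if not primary:
        problems.append("no primary encryptionKey set")
    elif len(primary) < MIN_KEY_LEN:
        problems.append("primary encryptionKey shorter than 32 characters")
    if primary and primary in old_keys:
        problems.append("primary encryptionKey is also listed as decryption-only")
    if len(set(old_keys)) != len(old_keys):
        problems.append("duplicate decryption-only keys")
    return problems


def rotate(settings, new_key=None):
    """Return new settings: fresh primary key, previous primary kept for decryption only."""
    new_key = new_key or secrets.token_hex(32)  # 64 hex characters
    old_primary = settings.get(PRIMARY)
    if new_key == old_primary:
        raise ValueError("new key must differ from the current primary key")
    # The new primary must never remain in the decryption-only list.
    old_keys = [k for k in settings.get(DECRYPT_ONLY, []) if k != new_key]
    if old_primary and old_primary not in old_keys:
        old_keys.insert(0, old_primary)
    rotated = dict(settings)
    rotated[PRIMARY] = new_key
    rotated[DECRYPT_ONLY] = old_keys
    problems = validate(rotated)
    if problems:
        raise ValueError("; ".join(problems))
    return rotated


# Constructed sample value, not a real key.
OLD_KEY = "a" * 32
# The copy-only "rotation" the quoted comment warns about.
BROKEN = {PRIMARY: OLD_KEY, DECRYPT_ONLY: [OLD_KEY]}

if __name__ == "__main__":
    print(validate(BROKEN))
    print(rotate({PRIMARY: OLD_KEY}))
```
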
@kaykhan

kaykhan commented Nov 1, 2024

I came across this issue a few days ago installing fresh ECK and had no idea I needed to set encryptionKey (before, we have never had to). Now I updated the operator config to set it, although I'm not entirely sure if I needed to do anything else.

      config:
        xpack.encryptedSavedObjects:
          encryptionKey: <key>

@stefnestor
Contributor Author

@kaykhan kindly reference Scale out Kibana (master) which includes changes from #8150. Per doc, ECK by default sets these encryptionKey values for you, although you can override as needed (which'd be same as bare metal process). The purpose of this GitHub issue is to have ECK automate encryption key rotations, but this is an infrequent process. If you have further questions, kindly raise them in Discuss or a Support case where we're happy to help.

@kaykhan

kaykhan commented Nov 1, 2024

> @kaykhan kindly reference Scale out Kibana (master) which includes changes from #8150. Per doc, ECK by default sets these encryptionKey values for you, although you can override as needed (which'd be same as bare metal process). The purpose of this GitHub issue is to have ECK automate encryption key rotations, but this is an infrequent process. If you have further questions, kindly raise them in Discuss or a Support case where we're happy to help.

I see, so it seems like I should not need to set this manually? The reason I did this is because when I killed the Kibana pod and it rebooted, everything was encrypted and it did not work.


2 participants