
Conversation

@shemau
Contributor

@shemau shemau commented Oct 2, 2025

Description

Store kibana account secrets in secrets manager, when secrets manager is supplied to a deployable architecture.

#529

Release required?

  • No release
  • Patch release (x.x.X)
  • Minor release (x.X.x)
  • Major release (X.x.x)
Release notes content

Run the pipeline

If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.

Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:

/run pipeline

Checklist for reviewers

  • If relevant, a test for the change is included or updated with this PR.
  • If relevant, documentation for the change is included or updated with this PR.

For mergers

  • Use a conventional commit message to set the release level. Follow the guidelines.
  • Include information that users need to know about the PR in the commit message. The commit message becomes part of the GitHub release notes.
  • Use the Squash and merge option.

@shemau shemau marked this pull request as draft October 2, 2025 16:23
@shemau
Contributor Author

shemau commented Oct 2, 2025

Some TODO: items remain in the variable validation sections.

@shemau
Contributor Author

shemau commented Oct 15, 2025

From the fully configurable test:

 2025/10/15 09:42:26 Terraform apply |   # module.secrets_manager_service_credentials[0].module.secrets["els-fc-da-u3i-kibana-app-password"].ibm_sm_arbitrary_secret.arbitrary_secret[0] will be created
 2025/10/15 09:42:26 Terraform apply |   + resource "ibm_sm_arbitrary_secret" "arbitrary_secret" {
 2025/10/15 09:42:26 Terraform apply |       + created_at        = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + created_by        = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + crn               = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + custom_metadata   = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + downloaded        = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + endpoint_type     = "private"
 2025/10/15 09:42:26 Terraform apply |       + id                = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + instance_id       = "79c6d411-c18f-4670-b009-b0044a238667"
 2025/10/15 09:42:26 Terraform apply |       + labels            = []
 2025/10/15 09:42:26 Terraform apply |       + locks_total       = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + name              = "els-fc-da-u3i-kibana-app-password"
 2025/10/15 09:42:26 Terraform apply |       + payload           = (sensitive value)
 2025/10/15 09:42:26 Terraform apply |       + region            = "us-south"
 2025/10/15 09:42:26 Terraform apply |       + retrieved_at      = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + secret_group_id   = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + secret_id         = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + secret_type       = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + state             = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + state_description = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + updated_at        = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + versions_total    = (known after apply)
 2025/10/15 09:42:26 Terraform apply |     }
 2025/10/15 09:42:26 Terraform apply | 
 2025/10/15 09:42:26 Terraform apply |   # module.secrets_manager_service_credentials[0].module.secrets["els-fc-da-u3i-kibana-system-password"].ibm_sm_arbitrary_secret.arbitrary_secret[0] will be created
 2025/10/15 09:42:26 Terraform apply |   + resource "ibm_sm_arbitrary_secret" "arbitrary_secret" {
 2025/10/15 09:42:26 Terraform apply |       + created_at        = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + created_by        = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + crn               = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + custom_metadata   = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + downloaded        = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + endpoint_type     = "private"
 2025/10/15 09:42:26 Terraform apply |       + id                = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + instance_id       = "79c6d411-c18f-4670-b009-b0044a238667"
 2025/10/15 09:42:26 Terraform apply |       + labels            = []
 2025/10/15 09:42:26 Terraform apply |       + locks_total       = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + name              = "els-fc-da-u3i-kibana-system-password"
 2025/10/15 09:42:26 Terraform apply |       + payload           = (sensitive value)
 2025/10/15 09:42:26 Terraform apply |       + region            = "us-south"
 2025/10/15 09:42:26 Terraform apply |       + retrieved_at      = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + secret_group_id   = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + secret_id         = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + secret_type       = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + state             = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + state_description = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + updated_at        = (known after apply)
 2025/10/15 09:42:26 Terraform apply |       + versions_total    = (known after apply)
 2025/10/15 09:42:26 Terraform apply |     }

The kibana system and app login password secrets are added as secrets manager secrets.

@shemau
Contributor Author

shemau commented Oct 15, 2025

During a manual run the secrets were intercepted in secrets manager and had expected random values in them.

@shemau shemau marked this pull request as ready for review October 15, 2025 09:57
@shemau
Contributor Author

shemau commented Oct 15, 2025

/run pipeline

@daniel-butler-irl
Contributor

@shemau looks good, but are upgrades safe? I think so, just double checking.

@shemau
Contributor Author

shemau commented Oct 17, 2025

It is safe upgrading with no migration issues. The original secret is still in the secrets array. The two passwords already exist and remain unchanged; they are just added to the secrets array. The upgrade (assuming kibana is on AND a secret manager CRN is passed) will just add two new secret resources.

@shemau
Contributor Author

shemau commented Oct 20, 2025

/run pipeline

@shemau
Contributor Author

shemau commented Oct 21, 2025

This change does not include any password generation rules. It fails with

         2025/10/20 10:13:53 Terraform plan |   + admin_pass = (sensitive value)
         2025/10/20 10:13:53 Terraform plan | 
         2025/10/20 10:13:53 Terraform plan | Error: database user (admin) validation error:
         2025/10/20 10:13:53 Terraform plan | password must contain at least one lower case letter

Re-running to see if this always happens, or if there is an intermittent issue with a very small chance that none of the 32 characters are lower case.
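As an added illustration (not the module's own code; the variable, local and resource names are assumptions), the Terraform below shows the two points discussed in this thread: generating database-user passwords with mandatory character classes so the "at least one lower case letter" validation cannot fail by chance, and building the secrets list so that existing entries stay untouched and the two Kibana entries are only appended when Kibana is enabled and a Secrets Manager CRN is supplied.

```hcl
# Added example, not the project's code. Names below are assumptions.
variable "prefix" { type = string }

variable "enable_kibana" {
  type    = bool
  default = false
}

variable "existing_secrets_manager_crn" {
  type    = string
  default = null
}

locals {
  kibana_accounts = var.enable_kibana ? ["kibana-system", "kibana-app"] : []
  accounts        = concat(["admin"], local.kibana_accounts)
}

# One password per account. With length = 32 and no minimums, a draw that
# contains no lower-case letter is rare but possible, which is the kind of
# intermittent plan failure shown above. The min_* arguments make each
# character class mandatory. Special characters are disabled here only to
# keep the example simple (assumption, not a statement about ICD's rules).
resource "random_password" "db_user" {
  for_each    = toset(local.accounts)
  length      = 32
  min_lower   = 1
  min_upper   = 1
  min_numeric = 1
  special     = false
}

locals {
  # Entries handed to the Secrets Manager module, only when a CRN is passed.
  # The admin entry is unchanged by the Kibana change; the two Kibana entries
  # are appended, so an upgrade plan shows only two new secret resources.
  secrets = var.existing_secrets_manager_crn == null ? [] : [
    for name in local.accounts : {
      secret_name  = "${var.prefix}-${name}-password"
      secret_value = random_password.db_user[name].result
    }
  ]
}

output "secret_names" {
  value = [for s in local.secrets : s.secret_name]
}
```

One caveat for upgrades: adding `min_lower`/`min_upper`/`min_numeric` to a `random_password` resource that has already been applied forces its replacement, so the password is rotated rather than left unchanged; plan that as a rotation, not as a no-op upgrade.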

@shemau
Contributor Author

shemau commented Oct 21, 2025

/run pipeline

@akocbek akocbek merged commit 1186809 into main Oct 22, 2025
2 checks passed
@akocbek akocbek deleted the kibana-secrets branch October 22, 2025 12:21
@terraform-ibm-modules-ops
Contributor

🎉 This PR is included in version 2.4.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
