[bitnami/kibana] Wrong ENV reference in libkibana.sh #76379

Open
chocolattej opened this issue Jan 17, 2025 · 3 comments
Labels
kibana triage Triage is needed

@chocolattej

This is the part of the script that configures the Kibana TLS:

        if is_boolean_yes "$SERVER_ENABLE_TLS"; then
            kibana_conf_set "server.ssl.enabled" "true" "bool"
            [[ "$SERVER_FLAVOR" = "opensearch-dashboards" ]] && kibana_conf_set "opensearch_security.cookie.secure" "true" "bool"
            if is_boolean_yes "$SERVER_TLS_USE_PEM"; then
                kibana_conf_set "server.ssl.certificate" "$SERVER_CERT_LOCATION"
                kibana_conf_set "server.ssl.key" "$SERVER_KEY_LOCATION"
                if ! is_empty_value "$SERVER_KEY_PASSWORD"; then
                    if [[ "$SERVER_FLAVOR" = "opensearch-dashboards" ]]; then
                        kibana_conf_set "server.ssl.keyPassphrase" "$SERVER_KEY_PASSWORD"
                    else
                        kibana_set_key_value "server.ssl.keyPassphrase" "$SERVER_KEY_PASSWORD"
                    fi
                fi
            else
                kibana_conf_set "server.ssl.keystore.path" "$SERVER_KEYSTORE_LOCATION"
                if ! is_empty_value "$SERVER_KEYSTORE_PASSWORD"; then
                    if [[ "$SERVER_FLAVOR" = "opensearch-dashboards" ]]; then
                        kibana_conf_set "server.ssl.keystore.password" "$SERVER_KEY_PASSWORD"
                    else
                        kibana_set_key_value "server.ssl.keystore.password" "$SERVER_KEY_PASSWORD"
                    fi
                fi
            fi
        fi

As you can see above, if you intend to use the KEYSTORE,

it checks that $SERVER_KEYSTORE_PASSWORD is not empty:

if ! is_empty_value "$SERVER_KEYSTORE_PASSWORD"; then

and then configures server.ssl.keystore.password:

  if [[ "$SERVER_FLAVOR" = "opensearch-dashboards" ]]; then
      kibana_conf_set "server.ssl.keystore.password" "$SERVER_KEY_PASSWORD"
  else
      kibana_set_key_value "server.ssl.keystore.password" "$SERVER_KEY_PASSWORD"

But this line seems to reference $SERVER_KEY_PASSWORD instead of the SERVER_KEYSTORE_PASSWORD that was checked before.

P.S. I don't know whether this is a wrong reference or intended, but my k8s was not able to start after I configured the key kibana-keystore-password, and the logs show:

kibana 03:30:07.82 INFO ==>
kibana 03:30:07.82 INFO ==> Welcome to the Bitnami kibana container
kibana 03:30:07.82 INFO ==> Subscribe to project updates by watching https://github.com/bitnami/containers
kibana 03:30:07.82 INFO ==> Did you know there are enterprise versions of the Bitnami catalog? For enhanced secure software supply chain features, unlimited pulls from Docker, LTS support, or application customization, see Bitnami Premium or Tanzu Application Catalog. See https://www.arrow.com/globalecs/na/vendors/bitnami/ for more information.
kibana 03:30:07.83 INFO ==>
kibana 03:30:07.83 INFO ==> ** Starting Kibana setup **
kibana 03:30:07.86 INFO ==> Configuring/Initializing Kibana...
kibana 03:30:07.87 INFO ==> Found mounted configuration directory
/opt/bitnami/scripts/libkibana.sh: line 30: 2: missing value
@github-actions github-actions bot added the triage Triage is needed label Jan 17, 2025
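The guard/use mismatch reported above, reduced to a runnable sketch (an added example, not code from the issue or from Bitnami). `is_empty_value` and `kibana_set_key_value` are simplified stand-ins, `run_variant` and the two `configure_keystore_*` names are hypothetical, and the passwords are constructed sample values.

```bash
#!/usr/bin/env bash
# Added illustration; helper bodies are simplified stand-ins, not Bitnami's code.

is_empty_value() { [ -z "${1:-}" ]; }

# Same parameter checks as the helper quoted in the issue, but it echoes the
# value instead of calling kibana-keystore so the result can be inspected.
kibana_set_key_value() {
    local key="${1:?missing key}"
    local value="${2:?missing value}"
    printf '%s=%s\n' "$key" "$value"
}

# Keystore branch as quoted: the guard tests one variable, the call expands another.
configure_keystore_as_reported() {
    if ! is_empty_value "${SERVER_KEYSTORE_PASSWORD:-}"; then
        kibana_set_key_value "server.ssl.keystore.password" "${SERVER_KEY_PASSWORD:-}"
    fi
}

# Guard and use refer to the same variable.
configure_keystore_consistent() {
    if ! is_empty_value "${SERVER_KEYSTORE_PASSWORD:-}"; then
        kibana_set_key_value "server.ssl.keystore.password" "${SERVER_KEYSTORE_PASSWORD:-}"
    fi
}

# Run one variant in a subshell so the ${2:?...} abort cannot end the caller.
# usage: run_variant <function> <keystore password> <PEM key password>
run_variant() {
    (
        SERVER_KEYSTORE_PASSWORD="$2"
        SERVER_KEY_PASSWORD="$3"
        "$1"
    ) 2>&1
}

# Only the keystore password is set: the call receives an empty $2 and aborts.
printf 'as reported, keystore only: %s\n' \
    "$(run_variant configure_keystore_as_reported 'ks-pass' '')"
# Both are set: no error, but the PEM key passphrase is what gets stored.
printf 'as reported, both set:      %s\n' \
    "$(run_variant configure_keystore_as_reported 'ks-pass' 'pem-pass')"
printf 'consistent, keystore only:  %s\n' \
    "$(run_variant configure_keystore_consistent 'ks-pass' '')"
```

The second case is the quieter failure: when both variables are set, nothing aborts and the value stored under `server.ssl.keystore.password` is the PEM key passphrase.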
@javsalgar
Contributor

Hi!

Thank you so much for spotting the issue. As you discovered it, would you like to submit a PR? If not, the team will work on it.

@javsalgar javsalgar changed the title Wrong ENV referrence in libkibana.sh [bitnami/kibana] Wrong ENV referrence in libkibana.sh Jan 17, 2025
@chocolattej
Author

I would like to, but I'm not that used to GitHub, so I will try my best to submit a PR soon.

Another thing: the keystore configuration still does not work properly after solving this environment reference issue.
After resolving it, the process still errors:

kibana 07:16:31.82 INFO  ==> Subscribe to project updates by watching https://github.com/bitnami/containers
kibana 07:16:31.82 INFO  ==> Did you know there are enterprise versions of the Bitnami catalog? For enhanced secure software supply chain features, unlimited pulls from Docker, LTS support, or application customization, see Bitnami Premium or Tanzu Application Catalog. See https://www.arrow.com/globalecs/na/vendors/bitnami/ for more information.
kibana 07:16:31.82 INFO  ==>
kibana 07:16:31.82 DEBUG ==> Copying files from /opt/bitnami/kibana/config.default to /opt/bitnami/kibana/config
kibana 07:16:31.83 INFO  ==> ** Starting Kibana setup **
kibana 07:16:31.85 DEBUG ==> Validating settings in SERVER_* environment variables...
kibana 07:16:31.86 INFO  ==> Configuring/Initializing Kibana...
kibana 07:16:31.86 DEBUG ==> Ensuring expected directories/files exist...
kibana 07:16:31.87 INFO  ==> Found mounted configuration directory
kibana 07:16:31.91 DEBUG ==> Storing key: server.ssl.keystore.password
Kibana is currently running with legacy OpenSSL providers enabled! For details and instructions on how to disable see https://www.elastic.co/guide/en/kibana/8.17/production.html#openssl-legacy-provider
ERROR: Kibana keystore not found. Use 'create' command to create one.
kibana 07:16:32.27 DEBUG ==> Storing key: elasticsearch.ssl.truststore.password
Kibana is currently running with legacy OpenSSL providers enabled! For details and instructions on how to disable see https://www.elastic.co/guide/en/kibana/8.17/production.html#openssl-legacy-provider
ERROR: Kibana keystore not found. Use 'create' command to create one.
kibana 07:16:32.62 INFO  ==> ** Kibana setup finished! **

kibana 07:16:32.63 INFO  ==> ** Starting Kibana **
Kibana is currently running with legacy OpenSSL providers enabled! For details and instructions on how to disable see https://www.elastic.co/guide/en/kibana/8.17/production.html#openssl-legacy-provider
Native global console methods have been overridden in production environment.
[2025-01-22T07:16:34.682+00:00][INFO ][root] Kibana is starting
[2025-01-22T07:16:34.750+00:00][INFO ][node] Kibana process configured with roles: [background_tasks, ui]
[2025-01-22T07:16:42.268+00:00][INFO ][plugins-service] The following plugins are disabled: "cloudChat,cloudExperiments,cloudFullStory,dataUsage,investigateApp,investigate,profilingDataAccess,profiling,searchHomepage,searchIndices,securitySolutionServerless,serverless,serverlessObservability,serverlessSearch".
[2025-01-22T07:16:42.372+00:00][INFO ][root] Kibana is shutting down
[2025-01-22T07:16:42.376+00:00][FATAL][root] Reason: PKCS#12 MAC could not be verified. Invalid password?
Error: PKCS#12 MAC could not be verified. Invalid password?
    at Object.p12.pkcs12FromAsn1 (/opt/bitnami/kibana/node_modules/node-forge/lib/pkcs12.js:475:13)
    at readPkcs12Keystore (/opt/bitnami/kibana/node_modules/@kbn/crypto/src/pkcs12.js:48:33)
    at new SslConfig (/opt/bitnami/kibana/node_modules/@kbn/server-http-tools/src/ssl/ssl_config.js:102:42)
    at new HttpConfig (/opt/bitnami/kibana/node_modules/@kbn/core-http-server-internal/src/http_config.js:360:16)
    at /opt/bitnami/kibana/node_modules/@kbn/core-http-server-internal/src/http_service.js:54:254

 FATAL  Error: PKCS#12 MAC could not be verified. Invalid password?

As you can see above, if you prefer to configure the keystore instead of a PEM certificate, this is achieved by this function:

kibana_set_key_value() {
    local key="${1:?missing key}"
    local value="${2:?missing value}"

    debug "Storing key: ${key}"
    kibana-keystore add --stdin --force "$key" <<<"$value"
}

Here is the calling function:

kibana_set_key_value "server.ssl.keystore.password" "$SERVER_KEYSTORE_PASSWORD"

I tried to redo the process manually with this CLI command:

kibana-keystore add --stdin --force "server.ssl.keystore.password" <<<"$SERVER_KEYSTORE_PASSWORD"

The result shows this:

I have no name!@kibana-6c5bf7568c-fszkp:/$ kibana-keystore add --stdin --force "server.ssl.keystore.password" <<<"$SERVER_KEY_PASSWORD"
Kibana is currently running with legacy OpenSSL providers enabled! For details and instructions on how to disable see https://www.elastic.co/guide/en/kibana/8.17/production.html#openssl-legacy-provider
ERROR: Kibana keystore not found. Use 'create' command to create one.

This is confirmed by the logs above, where this error happens:

kibana 07:16:31.91 DEBUG ==> Storing key: server.ssl.keystore.password
Kibana is currently running with legacy OpenSSL providers enabled! For details and instructions on how to disable see https://www.elastic.co/guide/en/kibana/8.17/production.html#openssl-legacy-provider
ERROR: Kibana keystore not found. Use 'create' command to create one.

So I think the problem is that you could not configure the JKS in the configuration file /opt/bitnami/kibana/config/kibana.yml like this:

...
elasticsearch:
  username: kibana_system
  password: xxxxxxxxxxxxxx
  ssl:
    verificationMode: full
    truststore:
      path: /opt/bitnami/kibana/config/certs/elasticsearch/elasticsearch.truststore.p12
server:
  ssl:
    enabled: true
    keystore:
      path: /opt/bitnami/kibana/config/certs/server/kibana.keystore.p12

but configure the keystore password using the CLI instead of the configuration file, because they could not find it properly, like the kibana-keystore create command.

So I would suggest changing this to:

kibana_conf_set "server.ssl.keystore.password" "$SERVER_KEYSTORE_PASSWORD"

@carrodher carrodher changed the title [bitnami/kibana] Wrong ENV referrence in libkibana.sh [bitnami/kibana] Wrong ENV reference in libkibana.sh Jan 22, 2025
@javsalgar
Contributor

javsalgar commented Jan 22, 2025

Thank you so much for the detailed report! Please let us know if you find any issue with the PR, and we will help you or create the PR. But as you discovered the issue, I think it's better that you appear as the contributor
