Cherry-pick #18096 to 7.x: Add k8s keystore backend

[ChrsMark]

Cherry-pick of PR #18096 to 7.x branch. Original message:

What does this PR do?

This PR implements a new Keystore Backend, which is used to retrieve k8s secrets and use them in configurations provided by hints-based autodiscover feature. Any hints based configuration has only access to the secrets of the same namespace of the pod by which was triggered.

We still need to decide if this keystone should be used along with the already used FileKeystore in static autodiscover configurations.

Why is it important?

This is important for the users so as to avoid having sensitive data on hints' configurations and being able to leverage k8s secrets for that purpose.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

Test k8s keystore backend with hints autodiscover

1. Create the k8s secret:

cat <<EOF | kubectl apply -f -                                                                                                                   
apiVersion: v1
kind: Secret
metadata:
  name: somesecret
type: Opaque
data:
  value: $(echo -n "passpass" | base64)
EOF

2. Start the Redis sever as hints autodiscover target:

cat <<EOF | kubectl apply -f -                                                                                                                   
apiVersion: v1
kind: Service
metadata:
  name: redis
  labels:
    app: redis
spec:
  clusterIP: None
  ports:
  - name: web
    port: 6379
    protocol: TCP
  selector:
    app: redis
  type: ClusterIP
---
apiVersion: v1
kind: Pod
metadata:
  name: redis
  labels:
    role: main
    app: redis
  annotations:
    co.elastic.metrics/module: redis
    co.elastic.metrics/hosts: '${data.host}:6379'
    co.elastic.metrics/password: "${kubernetes.default.somesecret.value}"
spec:
  containers:
    - name: redis
      image: redis
      command:
        - redis-server
        - "--requirepass 'passpass'"
EOF

3. Configure Metricbeat with hints autodiscover enabled:

metricbeat.autodiscover:
  providers:
    - type: kubernetes
      node: ${NODE_NAME}
      hints.enabled: true

4. Start metricbeat and ensure that Redis module is properly started and collecting metrics from the Redis server using the password provided via the k8s secret.
   Use https://github.com/elastic/beats/blob/master/deploy/kubernetes/metricbeat-kubernetes.yaml but make sure that secrets is added in the list of resources in ClusterRole.

5. Redeploy redis Pod with a different password to check that it will fail to authenticate. Change: --requirepass 'passpass2'

Test k8s keystore backend with static autodiscover templates

For Secret creation and Redis target pod use the steps from the previous scenario.

1. Configure Metricbeat with static autodiscover templates:

metricbeat.autodiscover:
  providers:
    - type: kubernetes
      node: ${NODE_NAME}
      templates:
        - condition:
            contains:
              kubernetes.pod.name: "redis"
          config:
            - module: redis
              hosts: "${data.host}:6379"
              password: "${kubernetes.default.somesecret.value}"

2. Start Metricbeat and check that Redis module successfully collects metrics.
3. Deploy redis pod with a different password to make metricset fail to authenticate.

Test basic keystore with static autodiscover templates

1. Create the File Keystore. pod start Redis with passpass:

./metricbeat keystore create                                                                                 
Created metricbeat keystore
./metricbeat keystore add REDIS_PASSWORD                                                                      
Enter value for REDIS_PASSWORD: 
Successfully updated the keystore

2. Metricbeat Configuration

metricbeat.autodiscover:
  providers:
    - type: kubernetes
      node: ${NODE_NAME}
      templates:
        - condition:
            contains:
              kubernetes.pod.name: "redis"
          config:
            - module: redis
              hosts: "${data.host}:6379"
              password: "${REDIS_PASSWORD}"

2. Start Metricbeat and expect to see the module to collect metrics
3. Try to start Redis pod with a different password so as to make metricset fail to collect metrics.

Related issues

• Closes [Metricbeat] Support pulling secrets from Kubernetes/OpenShift for autodiscovery #8847
• Relates Allow the Keystore to be completely pluggable #5832

cc: @exekias this one is still in progress and needs cleanups, docs and error handling but the approach is not expected to change.

TODOs:

• Add docs
• Add tests
• Remove sensitive logging

[elasticmachine]

Pinging @elastic/integrations-platforms (Team:Platforms)

[elasticmachine]

💔 Build Failed

Expand to view the summary

Build stats

• Build Cause: [Pull request #18774 updated]

• Start Time: 2020-05-28T07:16:47.623+0000

• Duration: 78 min 29 sec

Test stats 🧪

Test	Results
Failed	0
Passed	6639
Skipped	1053
Total	7692

Steps errors

Expand to view the steps failures

• Name: Integration tests

  • Description: MODULE=kubernetes make -C metricbeat integration-tests

  • Duration: 1 min 5 sec

  • Start Time: 2020-05-28T07:41:20.418+0000

  • log

Log output

Expand to view the last 100 lines of log output

[2020-05-28T08:34:50.641Z] + [ -f auditbeat/build/coverage/full.cov ]
[2020-05-28T08:34:50.641Z] + FILE=filebeat/build/coverage/full.cov
[2020-05-28T08:34:50.641Z] + [ -f filebeat/build/coverage/full.cov ]
[2020-05-28T08:34:50.641Z] + FILE=heartbeat/build/coverage/full.cov
[2020-05-28T08:34:50.641Z] + [ -f heartbeat/build/coverage/full.cov ]
[2020-05-28T08:34:50.641Z] + FILE=libbeat/build/coverage/full.cov
[2020-05-28T08:34:50.641Z] + [ -f libbeat/build/coverage/full.cov ]
[2020-05-28T08:34:50.641Z] + FILE=metricbeat/build/coverage/full.cov
[2020-05-28T08:34:50.641Z] + [ -f metricbeat/build/coverage/full.cov ]
[2020-05-28T08:34:50.641Z] + FILE=packetbeat/build/coverage/full.cov
[2020-05-28T08:34:50.642Z] + [ -f packetbeat/build/coverage/full.cov ]
[2020-05-28T08:34:50.642Z] + FILE=winlogbeat/build/coverage/full.cov
[2020-05-28T08:34:50.642Z] + [ -f winlogbeat/build/coverage/full.cov ]
[2020-05-28T08:34:50.642Z] + FILE=journalbeat/build/coverage/full.cov
[2020-05-28T08:34:50.642Z] + [ -f journalbeat/build/coverage/full.cov ]
[2020-05-28T08:34:51.099Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats
[2020-05-28T08:34:51.408Z] + find . -type f -name TEST*.xml -path */build/* -delete
[2020-05-28T08:34:51.421Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Lint
[2020-05-28T08:34:51.502Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Winlogbeat-oss
[2020-05-28T08:34:51.567Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Elastic-Agent-x-pack
[2020-05-28T08:34:51.634Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Dockerlogbeat
[2020-05-28T08:34:51.706Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Journalbeat-oss
[2020-05-28T08:34:51.775Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Functionbeat-x-pack
[2020-05-28T08:34:51.846Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Generators-Metricbeat-Linux
[2020-05-28T08:34:51.913Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Elastic-Agent-x-pack-Windows
[2020-05-28T08:34:51.978Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Metricbeat-crosscompile
[2020-05-28T08:34:52.044Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Metricbeat-OSS-Unit-tests
[2020-05-28T08:34:52.112Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Heartbeat-oss
[2020-05-28T08:34:52.184Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Auditbeat-x-pack
[2020-05-28T08:34:52.251Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Libbeat-x-pack
[2020-05-28T08:34:52.321Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Auditbeat-Linux
[2020-05-28T08:34:52.390Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Packetbeat-oss
[2020-05-28T08:34:52.458Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Filebeat-x-pack-Windows
[2020-05-28T08:34:52.531Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Winlogbeat-Windows-x-pack
[2020-05-28T08:34:52.604Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Filebeat-Windows
[2020-05-28T08:34:52.678Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Auditbeat-crosscompile
[2020-05-28T08:34:52.747Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Metricbeat-Windows
[2020-05-28T08:34:52.814Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Filebeat-x-pack
[2020-05-28T08:34:52.877Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Winlogbeat-Windows
[2020-05-28T08:34:52.940Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Metricbeat-x-pack-Windows
[2020-05-28T08:34:53.004Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Generators-Beat-Linux
[2020-05-28T08:34:53.067Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Functionbeat-Windows
[2020-05-28T08:34:53.134Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Heartbeat-Windows
[2020-05-28T08:34:53.200Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Auditbeat-Windows
[2020-05-28T08:34:53.264Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Filebeat-oss
[2020-05-28T08:34:53.328Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Metricbeat-Python-integration-tests
[2020-05-28T08:34:53.406Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Libbeat-oss
[2020-05-28T08:34:53.470Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Metricbeat-OSS-Integration-tests
[2020-05-28T08:34:53.537Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Libbeat-crosscompile
[2020-05-28T08:34:53.602Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Libbeat-stress-tests
[2020-05-28T08:34:53.667Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Metricbeat-x-pack
[2020-05-28T08:34:54.017Z] + cat
[2020-05-28T08:34:54.017Z] + /usr/local/bin/runbld ./runbld-script
[2020-05-28T08:34:54.017Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-05-28T08:35:00.608Z] runbld>>> runbld started
[2020-05-28T08:35:00.608Z] runbld>>> 1.6.11/a66728ff8f4356963772e6e6d2069392fa06acbe
[2020-05-28T08:35:02.520Z] runbld>>> The following profiles matched the job 'Beats/beats-beats-mbp/PR-18774' in order of occurrence in the config (last value wins).
[2020-05-28T08:35:03.461Z] runbld>>> Debug logging enabled.
[2020-05-28T08:35:03.461Z] runbld>>> Storing result
[2020-05-28T08:35:03.722Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-05-28T08:35:03.722Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200528083503-BACA901E
[2020-05-28T08:35:03.722Z] runbld>>> Adding system facts.
[2020-05-28T08:35:04.672Z] runbld>>> Adding vcs info for the latest commit:  5af66847f027c6d0f09d060122db31a2673f3169
[2020-05-28T08:35:04.672Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-05-28T08:35:04.672Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-05-28T08:35:04.933Z] Processing JUnit reports with runbld...
[2020-05-28T08:35:04.933Z] + echo 'Processing JUnit reports with runbld...'
[2020-05-28T08:35:05.194Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-05-28T08:35:05.194Z] runbld>>> DURATION: 18ms
[2020-05-28T08:35:05.194Z] runbld>>> STDOUT: 40 bytes
[2020-05-28T08:35:05.194Z] runbld>>> STDERR: 49 bytes
[2020-05-28T08:35:05.194Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-05-28T08:35:05.194Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats
[2020-05-28T08:35:06.578Z] runbld>>> Storing build metadata: 
[2020-05-28T08:35:06.578Z] runbld>>> Adding test report.
[2020-05-28T08:35:06.578Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats
[2020-05-28T08:35:07.520Z] runbld>>> Found 97 test output files
[2020-05-28T08:35:08.092Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Metricbeat-OSS-Integration-tests/metricbeat/build/TEST-go-integration-graphite.xml
[2020-05-28T08:35:08.092Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Metricbeat-OSS-Integration-tests/metricbeat/build/TEST-go-integration-windows.xml
[2020-05-28T08:35:09.476Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-openmetrics.xml
[2020-05-28T08:35:09.476Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-tomcat.xml
[2020-05-28T08:35:09.476Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-istio.xml
[2020-05-28T08:35:09.476Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-cloudfoundry.xml
[2020-05-28T08:35:09.476Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-iis.xml
[2020-05-28T08:35:09.476Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-activemq.xml
[2020-05-28T08:35:09.476Z] runbld>>> Test output logs contained: Errors: 0 Failures: 0 Tests: 7542 Skipped: 850
[2020-05-28T08:35:09.476Z] runbld>>> Storing result
[2020-05-28T08:35:09.476Z] runbld>>> FAILURES: 0
[2020-05-28T08:35:09.737Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-05-28T08:35:09.737Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200528083503-BACA901E
[2020-05-28T08:35:09.737Z] runbld>>> Email notification disabled by environment variable.
[2020-05-28T08:35:09.737Z] runbld>>> Slack notification disabled by environment variable.
[2020-05-28T08:35:15.456Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18774
[2020-05-28T08:35:15.671Z] [INFO] getVaultSecret: Getting secrets
[2020-05-28T08:35:15.714Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-05-28T08:35:16.396Z] + chmod 755 generate-build-data.sh
[2020-05-28T08:35:16.397Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-18774/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-18774/runs/3 FAILURE 4708513
[2020-05-28T08:35:16.397Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-18774/runs/3/steps/?limit=10000 -o steps-info.json
[2020-05-28T08:35:17.740Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-18774/runs/3/tests/?status=FAILED -o tests-errors.json
[2020-05-28T08:35:18.291Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-18774/runs/3/log/ -o pipeline-log.txt

[kaiyan-sheng]

Extra line here?

[jsoriano]

Maybe we should start thinking in a different way of setting optional features in these autodiscover builders (and config mappers above).

[ChrsMark]

Yeap, that would make sense!