feat(security, uiam): make @kbn\es to manage UIAM containers when in UIAM mode#243752
Conversation
|
Hey @elastic/kibana-operations! The PR is still in draft, but I wanted to check if the approach (incorporating UIAM into The idea is that UIAM will become a mandatory part of the ECS offering soon (and eventually ECH as well), so logically, making UIAM bootstrapping (running and initializing Cosmos DB Emulator + UIAM service) part of the local ES Serverless bootstrapping makes sense to me (vs. running it as a separate script). This should hopefully also make it easy to use UIAM in our API integration/functional/Scout tests. But before moving forward with this approach, I want to check if you're fine with this and whether there are any gotchas I should be aware of. Thanks! |
| export const MOCK_IDP_UIAM_ORGANIZATION_ID = '1234567890'; | ||
| export const MOCK_IDP_UIAM_PROJECT_ID = 'abcde1234567890'; | ||
|
|
||
| export const MOCK_IDP_UIAM_SERVICE_INTERNAL_URL = 'http://uiam-cosmosdb:8090'; |
There was a problem hiding this comment.
note: since both ES and UIAM service are running within the same Docker network they can use this internal addressing. Kibana should still rely on localhost/127.0.0.1
| maybeCreateDockerNetwork, | ||
| maybePullDockerImage, | ||
| printESImageInfo, | ||
| printDockerImageInfo, |
There was a problem hiding this comment.
note: renamed since now it's equally used for ES and UIAM images/containers and there is nothing specific to ES in that function.
| /** | ||
| * Pulls and prints info about the Docker image. | ||
| */ | ||
| async function setupDockerImage({ log, image }: { log: ToolingLog; image: string }) { |
There was a problem hiding this comment.
note: extracted this from setupDocker to use both of these functions for both ES and UIAM containers (Cosmos DB emulator + UIAM service)
| const UIAM_DOCKER_REGISTRY = 'docker.elastic.co'; | ||
| const UIAM_DOCKER_REPO = `${UIAM_DOCKER_REGISTRY}/cloud-ci/uiam`; | ||
| // Taken from GitOps version file for UIAM service (dev env, services/uiam/versions.yaml) | ||
| const UIAM_DOCKER_LATEST_VERIFIED_TAG = 'git-fb324ba1e88f'; |
There was a problem hiding this comment.
note: we'd need help from QA/Operations teams to switch to something like :latest-verified, but that's not critical.
There was a problem hiding this comment.
as in set up a pipeline to keep verifying new versions and pushing them to our kibana-ci/ folder in the container registry?
There was a problem hiding this comment.
Yep, if possible!
There was a problem hiding this comment.
let's add that to the tasks in the original issue
There was a problem hiding this comment.
Yep, added to the list of tasks in the related meta issue
| `uiam.tokens.jwt.signing.secret=${MOCK_IDP_UIAM_SIGNING_SECRET}`, | ||
|
|
||
| '--health-cmd', | ||
| 'timeout 1 bash -c "</dev/tcp/localhost/8090"', |
There was a problem hiding this comment.
note: unfortunately, we cannot use curl-based health check here as we do for CosmosDB Emulator since there is no curl in UIAM service OS image, so I'm just checking if port is open.
|
|
||
| const fetchDispatcher = new Agent({ connect: { rejectUnauthorized: false } }); | ||
|
|
||
| log.info(chalk.bold(`Initializing Cosmos DB (${COSMOS_DB_ENDPOINT}/${UIAM_COSMOS_DB_NAME})…`)); |
There was a problem hiding this comment.
note: I don't have any health check here since by the time we call this function Cosmos DB emulator container should be healthy (based on the Docker health check). Let's see if it's stable enough.
Your approach seems fine to me since this is tightly coupled with Serverless. Splitting into another UIAM package would likely end up with recreating some Docker management functions or a circular dependency on If we wanted proper separation I think it would make sense to split all the Docker stuff into a new generic package to wrap Docker and utilize that in both |
|
Great, thank you for the feedback @Ikuni17! I'll move forward with this approach and tag you all for review once it's ready.
Yeah, that sounds like a good long-term plan (not for now, but in the future). I know other teams are also juggling with different Docker setups in their scripts and would highly benefit from a common and more generic (and opinionated Kibana-centric) Docker package/tools. |
| await setupDockerImage({ log, image: uiamImage }); | ||
| } | ||
|
|
||
| uimaNodeNames.push(...(await runUiamContainers(log))); |
There was a problem hiding this comment.
do these images need to be started before all the others?
There was a problem hiding this comment.
Not necessarily (at least today). Even though both ES and Kibana depend on UIAM, we just need to start them before anyone is using Kibana or ES with UIAM credentials.
There was a problem hiding this comment.
maybe then this startup can be started in parallel with the other nodes? I am trying to look for traces of how long these containers' startup is taking but I believe they have a 15s maximum timeout per container to start up? so ideally it's all <30s?
There was a problem hiding this comment.
maybe then this startup can be started in parallel with the other nodes?
Yeah, I think we can start UIAM containers in parallel with ES containers, or are you asking if we can start both Cosmos DB Emulator container and UIAM service container at the same time too? The former is definitely yes, the latter, likely yes too, but I'd need to double-check.
This will make the code more complex, but, I agree, it's worth it considering that we want to use this for CI and tests.
but I believe they have a 15s maximum timeout per container to start up? so ideally it's all <30s?
That's correct, although I'm testing on my local laptop, we might see a different picture on CI, so yeah, let me see if I can spin these up in parallel. I'm confident that UIAM container is quite fast to bootstrap, but I'm not so confident about Cosmos DB emulator.
There was a problem hiding this comment.
Okay, done! I had to change how we expose UIAM ports (initially, we were exposing the UIAM service port from the UIAM Cosmos DB container, so there was a dependency), but now it seems to be working well.
…sDB emulator HTTPS setup
ae22055 to
7d9c918
Compare
| waitForSecurityIndex: jest.fn(), | ||
| })); | ||
|
|
||
| jest.mock('./docker_uiam', () => { |
There was a problem hiding this comment.
note: I test docker_uiam unit separately to not over-complicate base docker tests.
💚 Build Succeeded
Metrics [docs]Public APIs missing comments
Unknown metric groupsAPI count
History
|
kc13greiner
left a comment
There was a problem hiding this comment.
LGTM! 🚀 works great!
| expect(scoutConfig).toEqual(expectedConfig); | ||
| }); | ||
|
|
||
| it(`should return a properly structured 'ScoutTestConfig' object for 'serverless=es' in UIAM mode`, async () => { |
There was a problem hiding this comment.
thank you for adding the tests
| }; | ||
|
|
||
| export const getOrganizationId = (kbnServerArgs: string[]) => { | ||
| return getopts(kbnServerArgs)['xpack.cloud.organization_id'] as string | undefined; |
There was a problem hiding this comment.
question: it can be undefined only for stateful use case? Do we want to adjust stateful config and have a default value as well?
There was a problem hiding this comment.
it can be undefined only for stateful use case?
In theory, it should be undefined only for the tests we treat as on-prem-only. The tests for both stateful ECH and stateless ECS should have the xpack.cloud.organization_id configuration set as, unlike xpack.cloud.serverless.* it's not serverless-specific.
Do we want to adjust stateful config and have a default value as well?
It's probably not used anywhere, but we can, yeah. Either in this PR or in a follow-up (#244518). Do we have some base config that we use for all our stateful tests where we already configure xpack.cloud.* (aka treat them as tests for our managed offerings)?
| '--xpack.cloud.billing_url=/billing/overview/', | ||
| '--xpack.cloud.deployments_url=/deployments', | ||
| '--xpack.cloud.id=ftr_fake_cloud_id', | ||
| `--xpack.cloud.organization_id=${MOCK_IDP_UIAM_ORGANIZATION_ID}`, |
There was a problem hiding this comment.
With this in place all the serverless configs will have the same predefined org id. Do we want to have a similar predefined value for stateful? maybe also imported from '@kbn/mock-idp-utils'?
There was a problem hiding this comment.
Discussed over Slack and agreed that it makes sense to add Org ID in all configs where we configure xpack.cloud - will do it in #244518. Thanks!
dmlemeshko
left a comment
There was a problem hiding this comment.
code changes LGTM, left few questions
…n UIAM mode (elastic#243752) ## Summary Make `@kbn\es` to manage UIAM containers when in Serverless + UIAM mode as it's going to be a default for Serverless at some point. __NOTE:__ This PR includes some groundwork for initializing UIAM in tests (i.e., passing the `--uiam` flag from test configs down to `@kbn/es` APIs). However, it doesn't include tests yet. The reason is that I'd like to start with Scout tests, but it's not yet possible to have a dedicated Scout config where we can toggle UIAM mode. I'm working with @elastic/appex-qa to add the remaining changes to make this happen, but it will likely go in a follow-up. If you feel like we need to move the test-related changes to a separate PR, just let me know. ## How to test First, run Elasticsearch Severless in the UIAM mode: ```shell $ yarn es serverless --projectType oblt --uiam --- │ info es01 is running. │ Container Name: es01 │ Container Id: 9bb06af54a4b98c4dd3f75e21e6b1a47e5bad7cf2b8e0d7f18e3ec0e3321cf72 │ │ View logs: docker logs -f es01 │ Shell access: docker exec -it es01 /bin/bash │ │ info es02 is running. │ Container Name: es02 │ Container Id: 688e43ce813c68450c70c87f2ccc29738e06e0a45a7ccd4041c86718ac103866 │ │ View logs: docker logs -f es02 │ Shell access: docker exec -it es02 /bin/bash │ │ info es03 is running. │ Container Name: es03 │ Container Id: 658fe85658de8d0915e63480dc6b96b1e5e4e092e48314b001965c039eb104f4 │ │ View logs: docker logs -f es03 │ Shell access: docker exec -it es03 /bin/bash ... info Waiting for "uiam-cosmosdb" container (starting)… info Waiting for "uiam" container (starting)… │ info The "uiam-cosmosdb" container is up and ready. │ Container Name: uiam-cosmosdb │ Container Id: e0ea6a43bfc5379b10cf5af941b6677e0cb8d90e075b4b36ff0c487ff188386a │ │ View logs: docker logs -f uiam-cosmosdb │ Shell access: docker exec -it uiam-cosmosdb /bin/bash │ │ info The "uiam" container is up and ready. │ Container Name: uiam │ Container Id: b4a9b5f56bc2155201fc942e22d1fde3d51453e60b45cf74693b43535edd1cb4 │ │ View logs: docker logs -f uiam │ Shell access: docker exec -it uiam /bin/bash │ ... succ ES cluster is ready succ Created role mapping for mock identity provider. You can now login using cloud-saml-kibana realm ``` Then, run Kibana Serverless in the UIAM mode: ```shell $ yarn start --serverless=oblt --uiam --- ... Kibana will be configured to support UIAM. [2025-11-26T09:17:56.417+01:00][INFO ][root] Kibana is starting ... [2025-11-26T09:19:34.241+01:00][INFO ][status] Kibana is now available ``` At this point, you should be able to log in into Kibana through a mock IdP provider/select as you'd normally do. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
…n UIAM mode (elastic#243752) ## Summary Make `@kbn\es` to manage UIAM containers when in Serverless + UIAM mode as it's going to be a default for Serverless at some point. __NOTE:__ This PR includes some groundwork for initializing UIAM in tests (i.e., passing the `--uiam` flag from test configs down to `@kbn/es` APIs). However, it doesn't include tests yet. The reason is that I'd like to start with Scout tests, but it's not yet possible to have a dedicated Scout config where we can toggle UIAM mode. I'm working with @elastic/appex-qa to add the remaining changes to make this happen, but it will likely go in a follow-up. If you feel like we need to move the test-related changes to a separate PR, just let me know. ## How to test First, run Elasticsearch Severless in the UIAM mode: ```shell $ yarn es serverless --projectType oblt --uiam --- │ info es01 is running. │ Container Name: es01 │ Container Id: 9bb06af54a4b98c4dd3f75e21e6b1a47e5bad7cf2b8e0d7f18e3ec0e3321cf72 │ │ View logs: docker logs -f es01 │ Shell access: docker exec -it es01 /bin/bash │ │ info es02 is running. │ Container Name: es02 │ Container Id: 688e43ce813c68450c70c87f2ccc29738e06e0a45a7ccd4041c86718ac103866 │ │ View logs: docker logs -f es02 │ Shell access: docker exec -it es02 /bin/bash │ │ info es03 is running. │ Container Name: es03 │ Container Id: 658fe85658de8d0915e63480dc6b96b1e5e4e092e48314b001965c039eb104f4 │ │ View logs: docker logs -f es03 │ Shell access: docker exec -it es03 /bin/bash ... info Waiting for "uiam-cosmosdb" container (starting)… info Waiting for "uiam" container (starting)… │ info The "uiam-cosmosdb" container is up and ready. │ Container Name: uiam-cosmosdb │ Container Id: e0ea6a43bfc5379b10cf5af941b6677e0cb8d90e075b4b36ff0c487ff188386a │ │ View logs: docker logs -f uiam-cosmosdb │ Shell access: docker exec -it uiam-cosmosdb /bin/bash │ │ info The "uiam" container is up and ready. │ Container Name: uiam │ Container Id: b4a9b5f56bc2155201fc942e22d1fde3d51453e60b45cf74693b43535edd1cb4 │ │ View logs: docker logs -f uiam │ Shell access: docker exec -it uiam /bin/bash │ ... succ ES cluster is ready succ Created role mapping for mock identity provider. You can now login using cloud-saml-kibana realm ``` Then, run Kibana Serverless in the UIAM mode: ```shell $ yarn start --serverless=oblt --uiam --- ... Kibana will be configured to support UIAM. [2025-11-26T09:17:56.417+01:00][INFO ][root] Kibana is starting ... [2025-11-26T09:19:34.241+01:00][INFO ][status] Kibana is now available ``` At this point, you should be able to log in into Kibana through a mock IdP provider/select as you'd normally do. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
…n UIAM mode (elastic#243752) ## Summary Make `@kbn\es` to manage UIAM containers when in Serverless + UIAM mode as it's going to be a default for Serverless at some point. __NOTE:__ This PR includes some groundwork for initializing UIAM in tests (i.e., passing the `--uiam` flag from test configs down to `@kbn/es` APIs). However, it doesn't include tests yet. The reason is that I'd like to start with Scout tests, but it's not yet possible to have a dedicated Scout config where we can toggle UIAM mode. I'm working with @elastic/appex-qa to add the remaining changes to make this happen, but it will likely go in a follow-up. If you feel like we need to move the test-related changes to a separate PR, just let me know. ## How to test First, run Elasticsearch Severless in the UIAM mode: ```shell $ yarn es serverless --projectType oblt --uiam --- │ info es01 is running. │ Container Name: es01 │ Container Id: 9bb06af54a4b98c4dd3f75e21e6b1a47e5bad7cf2b8e0d7f18e3ec0e3321cf72 │ │ View logs: docker logs -f es01 │ Shell access: docker exec -it es01 /bin/bash │ │ info es02 is running. │ Container Name: es02 │ Container Id: 688e43ce813c68450c70c87f2ccc29738e06e0a45a7ccd4041c86718ac103866 │ │ View logs: docker logs -f es02 │ Shell access: docker exec -it es02 /bin/bash │ │ info es03 is running. │ Container Name: es03 │ Container Id: 658fe85658de8d0915e63480dc6b96b1e5e4e092e48314b001965c039eb104f4 │ │ View logs: docker logs -f es03 │ Shell access: docker exec -it es03 /bin/bash ... info Waiting for "uiam-cosmosdb" container (starting)… info Waiting for "uiam" container (starting)… │ info The "uiam-cosmosdb" container is up and ready. │ Container Name: uiam-cosmosdb │ Container Id: e0ea6a43bfc5379b10cf5af941b6677e0cb8d90e075b4b36ff0c487ff188386a │ │ View logs: docker logs -f uiam-cosmosdb │ Shell access: docker exec -it uiam-cosmosdb /bin/bash │ │ info The "uiam" container is up and ready. │ Container Name: uiam │ Container Id: b4a9b5f56bc2155201fc942e22d1fde3d51453e60b45cf74693b43535edd1cb4 │ │ View logs: docker logs -f uiam │ Shell access: docker exec -it uiam /bin/bash │ ... succ ES cluster is ready succ Created role mapping for mock identity provider. You can now login using cloud-saml-kibana realm ``` Then, run Kibana Serverless in the UIAM mode: ```shell $ yarn start --serverless=oblt --uiam --- ... Kibana will be configured to support UIAM. [2025-11-26T09:17:56.417+01:00][INFO ][root] Kibana is starting ... [2025-11-26T09:19:34.241+01:00][INFO ][status] Kibana is now available ``` At this point, you should be able to log in into Kibana through a mock IdP provider/select as you'd normally do. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary Add basic UIAM Scout API tests: * ✅ It should be possible to login via UIAM flow * ✅ It should be possible to invalidate UIAM session token * ✅ It should be possible to refresh UIAM session token ~~__Blocked By:__ #244306 and #243752 --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Dzmitry Lemechko <dzmitry.lemechko@elastic.co>
## Summary Add basic UIAM Scout API tests: * ✅ It should be possible to login via UIAM flow * ✅ It should be possible to invalidate UIAM session token * ✅ It should be possible to refresh UIAM session token ~~__Blocked By:__ elastic#244306 and elastic#243752 --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Dzmitry Lemechko <dzmitry.lemechko@elastic.co>
## Summary Add basic UIAM Scout API tests: * ✅ It should be possible to login via UIAM flow * ✅ It should be possible to invalidate UIAM session token * ✅ It should be possible to refresh UIAM session token ~~__Blocked By:__ elastic#244306 and elastic#243752 --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Dzmitry Lemechko <dzmitry.lemechko@elastic.co>
## Summary Add basic UIAM Scout API tests: * ✅ It should be possible to login via UIAM flow * ✅ It should be possible to invalidate UIAM session token * ✅ It should be possible to refresh UIAM session token ~~__Blocked By:__ elastic#244306 and elastic#243752 --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Dzmitry Lemechko <dzmitry.lemechko@elastic.co>
Summary
Make
@kbn\esto manage UIAM containers when in Serverless + UIAM mode as it's going to be a default for Serverless at some point.NOTE: This PR includes some groundwork for initializing UIAM in tests (i.e., passing the
--uiamflag from test configs down to@kbn/esAPIs). However, it doesn't include tests yet. The reason is that I'd like to start with Scout tests, but it's not yet possible to have a dedicated Scout config where we can toggle UIAM mode. I'm working with @elastic/appex-qa to add the remaining changes to make this happen, but it will likely go in a follow-up. If you feel like we need to move the test-related changes to a separate PR, just let me know.How to test
First, run Elasticsearch Severless in the UIAM mode:
Then, run Kibana Serverless in the UIAM mode:
At this point, you should be able to log in into Kibana through a mock IdP provider/select as you'd normally do.