Elasticsearch
What is "Persistence ElasticSearch" Hook about?
The ElasticSearch persistenceProvider hook saves all findings and reports into the configured ElasticSearch index. This allows for some easy searching and visualization of the findings. To learn more about Elasticsearch visit elastic.io.
Installing the Elasticsearch persistenceProvider hook will add a ReadOnly Hook to your namespace.
This hook supports both Elasticsearch as well as OpenSearch. The configuration is the same for both.
Deployment
The persistence-elastic chart can be deployed via helm:
# Install HelmChart (use -n to configure another namespace)
helm upgrade --install persistence-elastic oci://ghcr.io/securecodebox/helm/persistence-elastic
Requirements
Kubernetes: >=v1.11.0-0
Additional Chart Configurations
Connecting the hook an Elasticsearch Cluster
The Elastic hook requires an existing Elasticsearch instance to store findings. To set up the hook, follow these steps:
-
Deploy an Elasticsearch Cluster: You can deploy an Elasticsearch cluster using various methods, such as using the official Elastic Cloud, self-hosting, or using a managed service. For Kubernetes environments, we recommend using the Elastic Cloud on Kubernetes (ECK) operator. See the ECK documentation for instructions on deploying Elasticsearch.
-
Create a Custom Values File: Create a new
custom-values.yamlfile with the following content to configure the hook to connect to your Elasticsearch instance:externalElasticStack:
elasticsearchAddress: "https://quickstart-es-http:9200" # these are the default values for the ECK quickstart, change them to match your setup
kibanaAddress: "https://quickstart-kb-http:5601"
authentication:
userSecret: "elasticsearch-credentials-secret"
# Alternatively, use an API key:
# apiKeySecret: "elasticsearch-api-key-secret" -
Create Kubernetes Secrets for Elasticsearch Credentials: Use the following
kubectlcommand to create a secret for Elasticsearch credentials:kubectl create secret generic elasticsearch-credentials-secret \
--from-literal=username=your-username \
--from-literal=password=your-passwordIf using an API key, create the secret as follows:
kubectl create secret generic elasticsearch-api-key-secret \
--from-literal=id=your-api-key-id \
--from-literal=key=your-api-key -
Deploy the Hook: Install the persistence-elastic chart using Helm with the custom values file:
helm upgrade --install persistence-elastic oci://ghcr.io/securecodebox/helm/persistence-elastic --values custom-values.yaml
Ensure that the userSecret or apiKeySecret is created in your Kubernetes cluster with the appropriate credentials for accessing your Elasticsearch instance.
Elasticsearch Indexing
For the elasticsearch indexSuffix you can provide a date format pattern. We use Luxon to format the date. So checkout
the Luxon documentation to see what kind of format patterns you can use for the
indexSuffix. Default pattern is yyyy-MM-dd
Values
| Key | Type | Default | Description |
|---|---|---|---|
| affinity | object | {} | |
| authentication | object | {"apiKeySecret":null,"userSecret":null} | Configure authentication schema and credentials the persistence provider should use to connect to elasticsearch user and apikey are mutually exclusive, only set one! |
| authentication.apiKeySecret | string | nil | Link a pre-existing generic secret with id and key key / value pairs |
| authentication.userSecret | string | nil | Link a pre-existing generic secret with username and password key / value pairs |
| dashboardImporter.enabled | bool | true | Enable if you want to import some example kibana dashboards for secureCodeBox findings analytics. |
| dashboardImporter.image.repository | string | "securecodebox/persistence-elastic-dashboard-importer" | |
| dashboardImporter.image.tag | string | nil | |
| externalElasticStack.elasticsearchAddress | string | "https://elasticsearch.example.com" | The URL of the elasticsearch service to persists all findings to. |
| externalElasticStack.kibanaAddress | string | "https://kibana.example.com" | The URL of the kibana service used to visualize all findings. |
| fullnameOverride | string | "" | |
| hook.affinity | object | {} | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
| hook.env | list | [] | Optional environment variables mapped into the hook (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
| hook.extraVolumeMounts | list | [] | Optional VolumeMounts mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| hook.extraVolumes | list | [] | Optional Volumes mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| hook.image.repository | string | "docker.io/securecodebox/hook-persistence-elastic" | Hook image repository |
| hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. |
| hook.labels | object | {} | Add Kubernetes Labels to the hook definition |
| hook.priority | int | 0 | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. |
| hook.resources | object | { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } } | Optional resources lets you control resource limits and requests for the hook container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| hook.tolerations | list | [] | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
| hook.ttlSecondsAfterFinished | string | nil | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
| imagePullSecrets | list | [] | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) |
| indexAppendNamespace | bool | true | Define if the name of the namespace where this hook is deployed to must be added to the index name. The namespace can be used to separate index by tenants (namespaces). |
| indexPrefix | string | "scb" | Define a specific index prefix used for all elasticsearch indices. |
| indexSuffix | string | "yyyy-MM-dd" | Define a specific index suffix based on date pattern (YEAR (yyyy), MONTH (yyyy-MM), WEEK (yyyy-'W'W), DATE (yyyy-MM-dd)). We use Luxon for date formatting (https://moment.github.io/luxon/docs/manual/formatting.html#table-of-tokens) |
| nameOverride | string | "" | |
| nodeSelector | object | {} | |
| podSecurityContext | object | {} | |
| resources | object | {} | |
| securityContext | object | {} | |
| tolerations | list | [] |
License
Code of secureCodeBox is licensed under the Apache License 2.0.