Improve docs and logging for kbn/es auth and setup (#165422)

Closes #164657 ## Summary - Improve kbn/es docs to include prerequisites for using serverless - Better guidance to use `--ssl` flag to enable security - Alert the user how to authenticate with Elastic registry if it fails - Guidance for using `--ssl` and authentication
2025-04-24 17:59:23 -04:00 · 2023-09-01 01:42:30 -06:00 · 2023-09-01 01:42:30 -06:00 · 150a883f5c
commit 150a883f5c
parent bc3732680e
5 changed files with 48 additions and 14 deletions
--- a/packages/kbn-es/README.mdx
+++ b/packages/kbn-es/README.mdx
@ -10,14 +10,20 @@ tags: ['kibana', 'dev', 'contributor', 'operations', 'es']
 > A command line utility for running elasticsearch from snapshot, source, archive, docker, serverless or even building snapshot artifacts. 

 ## Getting started
-If running elasticsearch from source, elasticsearch needs to be cloned to a sibling directory of Kibana.
-
-If running elasticsearch serverless or a docker container, docker is required to be installed locally. Installation instructions can be found [here](https://www.docker.com/).
-
 To run, go to the Kibana root and run `node scripts/es --help` to get the latest command line options.

 The script attempts to preserve the existing interfaces used by Elasticsearch CLI. This includes passing through options with the `-E` argument and the `ES_JAVA_OPTS` environment variable for Java options.

+If running elasticsearch from source, elasticsearch needs to be cloned to a sibling directory of Kibana.
+
+### Serverless & Docker Prerequisites 
+If running elasticsearch serverless or a docker container, there is some required initial setup:
+
+1. Install Docker. Instructions can be found [here](https://www.docker.com/).
+1. Authentication with Elastic's Docker registry [here](https://docker-auth.elastic.co/github_auth).
+1. Increase OS virtual memory limits. More info in the [ES docs](https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html).
+
+
 ### Examples

 Run a snapshot install with a trial license
--- a/packages/kbn-es/src/cli_commands/docker.ts
+++ b/packages/kbn-es/src/cli_commands/docker.ts
@ -28,7 +28,7 @@ export const docker: Command = {
      --image             Full path to image of ES to run, has precedence over tag. [default: ${DOCKER_IMG}]
      --password          Sets password for elastic user [default: ${password}]
      --port              The port to bind to on 127.0.0.1 [default: ${DEFAULT_PORT}]
-      --ssl               Sets up SSL on Elasticsearch
+      --ssl               Sets up SSL and enables security plugin on Elasticsearch
      --kill              Kill running ES nodes if detected
      -E                  Additional key=value settings to pass to Elasticsearch
      -D                  Override Docker command
--- a/packages/kbn-es/src/cli_commands/serverless.ts
+++ b/packages/kbn-es/src/cli_commands/serverless.ts
@ -26,7 +26,7 @@ export const serverless: Command = {
      --image             Full path of ESS image to run, has precedence over tag. [default: ${SERVERLESS_IMG}]
      --clean             Remove existing file system object store before running
      --port              The port to bind to on 127.0.0.1 [default: ${DEFAULT_PORT}]
-      --ssl               Sets up SSL on Elasticsearch
+      --ssl               Sets up SSL and enables security plugin on Elasticsearch
      --kill              Kill running ESS nodes if detected
      --background        Start ESS without attaching to the first node's logs
      -E                  Additional key=value settings to pass to Elasticsearch
--- a/packages/kbn-es/src/utils/docker.ts
+++ b/packages/kbn-es/src/utils/docker.ts
@ -24,6 +24,11 @@ import {
  ESS_CONFIG_PATH,
  ESS_FILES_PATH,
 } from '../paths';
+import {
+  ELASTIC_SERVERLESS_SUPERUSER,
+  ELASTIC_SERVERLESS_SUPERUSER_PASSWORD,
+} from './ess_file_realm';
+import { SYSTEM_INDICES_SUPERUSER } from './native_realm';

 interface BaseOptions {
  tag?: string;
@ -320,10 +325,14 @@ export async function maybePullDockerImage(log: ToolingLog, image: string) {
  log.info(chalk.bold(`Checking for image: ${image}`));

  await execa('docker', ['pull', image], {
-    // inherit is required to show Docker output
-    stdio: ['ignore', 'inherit', 'inherit'],
-  }).catch(({ message }) => {
-    throw createCliError(message);
+    // inherit is required to show Docker pull output
+    stdio: ['ignore', 'inherit', 'pipe'],
+  }).catch(({ message, stderr }) => {
+    throw createCliError(
+      stderr.includes('unauthorized: authentication required')
+        ? `Error authenticating with ${DOCKER_REGISTRY}. Visit https://docker-auth.elastic.co/github_auth to login.`
+        : message
+    );
  });
 }

@ -393,6 +402,14 @@ export function resolveEsArgs(

    args.forEach((arg) => {
      const [key, ...value] = arg.split('=');
+
+      // Guide the user to use SSL flag instead of manual setup
+      if (key === 'xpack.security.enabled' && value?.[0] === 'true') {
+        throw createCliError(
+          'Use the --ssl flag to automatically enable and set up the security plugin.'
+        );
+      }
+
      esArgs.set(key.trim(), value.join('=').trim());
    });
  }
@ -556,6 +573,20 @@ export async function runServerlessCluster(log: ToolingLog, options: ServerlessO
      Stop the cluster:     ${chalk.bold(`docker container stop ${nodeNames.join(' ')}`)}
    `);

+  if (options.ssl) {
+    log.success(`SSL and Security have been enabled for ES.
+      Login through your browser with username ${chalk.bold.cyan(
+        ELASTIC_SERVERLESS_SUPERUSER
+      )} or ${chalk.bold.cyan(SYSTEM_INDICES_SUPERUSER)} and password ${chalk.bold.magenta(
+      ELASTIC_SERVERLESS_SUPERUSER_PASSWORD
+    )}.
+    `);
+
+    log.warning(`Kibana should be started with the SSL flag so that it can authenticate with ES.
+      See packages/kbn-es/src/ess_resources/README.md for additional information on authentication.    
+    `);
+  }
+
  if (!options.background) {
    // The ESS cluster has to be started detached, so we attach a logger afterwards for output
    await execa('docker', ['logs', '-f', SERVERLESS_NODES[0].name], {
--- a/x-pack/test_serverless/functional/test_suites/observability/cypress/oblt_config.base.ts
+++ b/x-pack/test_serverless/functional/test_suites/observability/cypress/oblt_config.base.ts
@ -16,10 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
    ...svlSharedConfig.getAll(),
    esTestCluster: {
      ...svlSharedConfig.get('esTestCluster'),
-      serverArgs: [
-        ...svlSharedConfig.get('esTestCluster.serverArgs'),
-        'xpack.security.enabled=true',
-      ],
+      serverArgs: [...svlSharedConfig.get('esTestCluster.serverArgs')],
    },
    kbnTestServer: {
      ...svlSharedConfig.get('kbnTestServer'),