Check where SES is running before passing along service token (#165411)

## Summary If a user is running serverless ES in the cloud and serverless KBN locally, passing the token can trigger an invalid configuration error: `serviceAccountToken cannot be specified when "username" is also defined` Additionally, the token is likely invalid anyways because the SES instance was not seeded with it. This PR checks the `elasticsearch.hosts` configuration for non-localhost values before passing along the token. ## Testing Add something like the following to `config/kibana.dev.yml` and run `yarn serverless`. Should not get a configuration error. ```yml elasticsearch.hosts: https://xxxxxxxxxx.es.us-west2.gcp.elastic-cloud.com:443 elasticsearch.username: kibana_system_user elasticsearch.password: xxxxxxxxxxxxxx ``` --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2025-04-24 01:38:56 -04:00 · 2023-08-31 20:03:23 -06:00 · 2023-08-31 20:03:23 -06:00 · 6bbd3c67e1
commit 6bbd3c67e1
parent eaee02f913
1 changed files with 25 additions and 3 deletions
--- a/src/cli/serve/serve.js
+++ b/src/cli/serve/serve.js
@ -44,8 +44,30 @@ const getBootstrapScript = (isDev) => {
  }
 };

-const setServerlessKibanaDevServiceAccountIfPossible = (set, opts) => {
-  if (!opts.dev || !opts.serverless || process.env.isDevCliChild === 'true') {
+const setServerlessKibanaDevServiceAccountIfPossible = (get, set, opts) => {
+  const esHosts = [].concat(
+    get('elasticsearch.hosts', []),
+    opts.elasticsearch ? opts.elasticsearch.split(',') : []
+  );
+
+  /*
+   * We only handle the service token if serverless ES is running locally.
+   * Example would be if the user is running SES in the cloud and KBN serverless
+   * locally, they would be expected to handle auth on their own and this token
+   * is likely invalid anyways.
+   */
+  const isESlocalhost = esHosts.length
+    ? esHosts.some((hostUrl) => {
+        const parsedUrl = url.parse(hostUrl);
+        return (
+          parsedUrl.hostname === 'localhost' ||
+          parsedUrl.hostname === '127.0.0.1' ||
+          parsedUrl.hostname === 'host.docker.internal'
+        );
+      })
+    : true; // default is localhost:9200
+
+  if (!opts.dev || !opts.serverless || !isESlocalhost) {
    return;
  }

@ -86,7 +108,7 @@ export function applyConfigOverrides(rawConfig, opts, extraCliOptions) {

  if (opts.dev) {
    if (opts.serverless) {
-      setServerlessKibanaDevServiceAccountIfPossible(set, opts);
+      setServerlessKibanaDevServiceAccountIfPossible(get, set, opts);
    }

    if (!has('elasticsearch.serviceAccountToken') && opts.devCredentials !== false) {