From 0ff067505e4fe586640b5c8a3b2066ea1f342ad9 Mon Sep 17 00:00:00 2001
From: Shahab Dogar
Date: Fri, 6 Feb 2026 22:16:16 +0500
Subject: [PATCH] feat: ElasticSearch | add oidc login for kibana

---
 elasticsearch/cluster.yaml | 45 ++++++++++++++++++++++++++++++++++++++
 elasticsearch/kibana.yaml  | 10 ++++++++-
 2 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/elasticsearch/cluster.yaml b/elasticsearch/cluster.yaml
index 2a51db7..dd49aac 100644
--- a/elasticsearch/cluster.yaml
+++ b/elasticsearch/cluster.yaml
@@ -1,4 +1,14 @@
 ---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: kibana-authentik
+  namespace: elastic-system
+  annotations:
+    operator.1password.io/auto-restart: "true"
+spec:
+  itemPath: "vaults/Lab/items/kibana-authentik"
+---
 apiVersion: elasticsearch.k8s.elastic.co/v1
 kind: Elasticsearch
 metadata:
@@ -10,6 +20,11 @@ spec:
     tls:
       certificate:
         secretName: elasticsearch-es-http-tls-internal
+  secureSettings:
+    - secretName: kibana-authentik
+      entries:
+        - key: client-secret
+          path: "xpack.security.authc.realms.oidc.authentik.rp.client_secret"
   nodeSets:
     - name: master
       count: 3
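Review bot: The keystore `path` in the new `secureSettings` entry hard-codes the realm id `authentik`, which has to match the `xpack.security.authc.realms.oidc.authentik` block in every nodeSet's config, and the `client-secret` key has to match a field of the 1Password item; neither coupling is stated anywhere in this hunk. A comment above `secureSettings:`, such as `# client-secret field of the kibana-authentik item -> keystore entry for the oidc.authentik realm; realm id must match nodeSets[*].config`, would make both links explicit. Putting the client secret in the keystore instead of plain `config:` is the right choice; the enclosing `spec:` mapping starts above the hunk.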
@@ -32,6 +47,21 @@ spec:
             storageClassName: longhorn
       config:
         node.roles: ["master"]
+        xpack.security.authc.token.enabled: true
+        xpack.security.authc.realms.oidc.authentik:
+          order: 2
+          rp.client_id: "atlY82FGIBYvUg87cnENzks5ft1AUUtIfQsXSDog"
+          rp.response_type: code
+          rp.redirect_uri: "https://kibana.dogar.dev/api/security/oidc/callback"
+          op.issuer: "https://auth.dogar.dev/application/o/kibana/"
+          op.authorization_endpoint: "https://auth.dogar.dev/application/o/authorize/"
+          op.token_endpoint: "https://auth.dogar.dev/application/o/token/"
+          op.jwkset_path: "https://auth.dogar.dev/application/o/kibana/jwks/"
+          op.userinfo_endpoint: "https://auth.dogar.dev/application/o/userinfo/"
+          op.endsession_endpoint: "https://auth.dogar.dev/application/o/kibana/end-session/"
+          rp.post_logout_redirect_uri: "https://kibana.dogar.dev/security/logged_out"
+          claims.principal: sub
+          claims.groups: groups
     - name: data
       count: 3
       podTemplate:
@@ -53,3 +83,18 @@ spec:
             storageClassName: longhorn
       config:
         node.roles: ["data", "ingest"]
+        xpack.security.authc.token.enabled: true
+        xpack.security.authc.realms.oidc.authentik:
+          order: 2
+          rp.client_id: "atlY82FGIBYvUg87cnENzks5ft1AUUtIfQsXSDog"
+          rp.response_type: code
+          rp.redirect_uri: "https://kibana.dogar.dev/api/security/oidc/callback"
+          op.issuer: "https://auth.dogar.dev/application/o/kibana/"
+          op.authorization_endpoint: "https://auth.dogar.dev/application/o/authorize/"
+          op.token_endpoint: "https://auth.dogar.dev/application/o/token/"
+          op.jwkset_path: "https://auth.dogar.dev/application/o/kibana/jwks/"
+          op.userinfo_endpoint: "https://auth.dogar.dev/application/o/userinfo/"
+          op.endsession_endpoint: "https://auth.dogar.dev/application/o/kibana/end-session/"
+          rp.post_logout_redirect_uri: "https://kibana.dogar.dev/security/logged_out"
+          claims.principal: sub
+          claims.groups: groups
diff --git a/elasticsearch/kibana.yaml b/elasticsearch/kibana.yaml
index b202afe..b4bbfde 100644
--- a/elasticsearch/kibana.yaml
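Review bot: The whole OIDC realm block (client id, endpoint URLs, claim mappings) is pasted verbatim into the master nodeSet config here and again into the data nodeSet config in the next hunk (`@@ -53,3 +83,18 @@`), so a later edit that touches one copy but not the other leaves nodes with diverging realm settings and login failures that depend on which node handles the request. ECK has no shared config across nodeSets, so the duplication is structural, but a comment on each copy, `# keep identical to the oidc.authentik realm in the other nodeSet; realm settings must match on every node`, would flag it, and a YAML anchor within this document would remove it at the cost of tooling that does not expand anchors. If `auth.dogar.dev` is issued by a private CA rather than one in the JVM trust store, the realm will also need its `ssl.certificate_authorities` set for the JWKS and token fetches, which is not visible here. The enclosing nodeSet entries start above each hunk.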
+++ b/elasticsearch/kibana.yaml
@@ -13,4 +13,12 @@ spec:
     tls:
       certificate:
         secretName: kibana-kb-http-tls-internal
-
+  config:
+    server.publicBaseUrl: "https://kibana.dogar.dev"
+    xpack.security.authc.providers:
+      oidc.authentik:
+        order: 0
+        realm: authentik
+        description: "Log in with Authentik"
+      basic.basic1:
+        order: 1
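Review bot: Declaring `xpack.security.authc.providers` explicitly replaces Kibana's default provider list, so the `basic.basic1` entry at the bottom of the hunk is the only thing keeping local username/password login (including the built-in `elastic` user) reachable, and nothing in the hunk says so; a later cleanup could drop it and lock the cluster's break-glass login out whenever Authentik is unavailable. A comment above `basic.basic1:`, `# keep: local password login fallback when the OIDC provider is down; removing it disables password login entirely`, would document the intent. `server.publicBaseUrl` agrees with the origin of `rp.redirect_uri` in cluster.yaml, which the OIDC callback depends on. The enclosing `spec:` mapping starts above the hunk.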