diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index a4660ffefc..def148b96c 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml @@ -47,13 +47,13 @@ components: version: master # eck-kibana holds the version of Kibana built for tigera/kibana eck-kibana: - version: 8.18.8 + version: 8.19.8 kibana: image: kibana version: master # eck-elasticsearch holds the version of Elasticsearch built for tigera/elasticsearch eck-elasticsearch: - version: 8.18.8 + version: 8.19.8 elasticsearch: image: elasticsearch version: master diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index e6b902f77b..bb2f180988 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go @@ -85,12 +85,12 @@ var ( } ComponentEckElasticsearch = Component{ - Version: "8.18.8", + Version: "8.19.8", variant: enterpriseVariant, } ComponentEckKibana = Component{ - Version: "8.18.8", + Version: "8.19.8", variant: enterpriseVariant, } diff --git a/pkg/render/logstorage/kibana/kibana.go b/pkg/render/logstorage/kibana/kibana.go index 41bde889aa..a228e59a42 100644 --- a/pkg/render/logstorage/kibana/kibana.go +++ b/pkg/render/logstorage/kibana/kibana.go 
@@ -232,6 +232,22 @@ func (k *kibana) kibanaCR() *kbv1.Kibana { // Telemetry is unwanted for the majority of our customers and if enabled can cause blocked flows. This flag // can still be overwritten in the Kibana Settings if the user desires it. "telemetry.optIn": false, + // Disabling all the fleet egress is a difficult task. It does not seem to adhere to the doocumented settings. + // A combination of settings is required. + "xpack.fleet.enabled": false, + "xpack.fleet.agents.enabled": false, + "xpack.fleet.isAirGapped": true, + "xpack.fleet.packages": []string{}, + "xpack.fleet.registryUrl": "http://localhost:5601", + // Setting this to false will prevent it from connecting to endpoints outside of this cluster. + // See: https://www.elastic.co/guide/en/kibana/8.19/settings.html + "newsfeed.enabled": false, + // Setting this to localhost will prevent AI features from connecting to endpoints outside of this cluster. + // No other way of disabling AI is possible at this time. We will still get this log, but at least it + // prevents us from seeing denied traffic in the service graph: + // "[INFO ][plugins.observabilityAIAssistant] Knowledge base index does not exist. Aborting updating index assets" + // "[ERROR][plugins.taskManager] Failed to poll for work: Response aborted while reading the body" + "xpack.productDocBase.artifactRepositoryUrl": "http://localhost:5601", } var initContainers []corev1.Container diff --git a/pkg/render/logstorage/kibana/kibana_test.go b/pkg/render/logstorage/kibana/kibana_test.go index 525c446778..64ffe6cdf1 100644 --- a/pkg/render/logstorage/kibana/kibana_test.go +++ b/pkg/render/logstorage/kibana/kibana_test.go 
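Review bot: The sink address `"http://localhost:5601"` is written out twice in this hunk (`xpack.fleet.registryUrl` and `xpack.productDocBase.artifactRepositoryUrl`) and twice more in the kibana_test.go hunk, and no comment says it is a deliberate loopback sink; one constant such as `const kibanaEgressSink = "http://localhost:5601" // loopback on purpose: Fleet and product-doc fetches never leave the pod` would keep the four uses in step. The Fleet comment itself says the settings are not reliably honoured, so these keys should be documented as reducing egress attempts rather than as the control that blocks them, for example `// Best effort only: the egress policy for Kibana is what actually denies external traffic.` (whether such a policy covers this pod is not visible here). Unlike the `telemetry.optIn` comment just above, the new comments do not say whether user-supplied Kibana settings can override these values, which matters if an override can quietly re-enable outbound calls. The Fleet comment also has a typo, "doocumented". kibanaCR's body starts and ends outside the hunk.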
@@ -146,7 +146,13 @@ var _ = Describe("Kibana rendering tests", func() { "kibana.k8s.elastic.co", "v1", "Kibana").(*kbv1.Kibana) Expect(resultKB.Spec.Config.Data["xpack.security.session.lifespan"]).To(Equal("8h")) Expect(resultKB.Spec.Config.Data["xpack.security.session.idleTimeout"]).To(Equal("30m")) - + Expect(resultKB.Spec.Config.Data["xpack.fleet.enabled"]).To(BeFalse()) + Expect(resultKB.Spec.Config.Data["xpack.fleet.agents.enabled"]).To(BeFalse()) + Expect(resultKB.Spec.Config.Data["xpack.fleet.isAirGapped"]).To(BeTrue()) + Expect(resultKB.Spec.Config.Data["xpack.fleet.packages"]).To(Equal([]string{})) + Expect(resultKB.Spec.Config.Data["xpack.fleet.registryUrl"]).To(Equal("http://localhost:5601")) + Expect(resultKB.Spec.Config.Data["newsfeed.enabled"]).To(BeFalse()) + Expect(resultKB.Spec.Config.Data["xpack.productDocBase.artifactRepositoryUrl"]).To(Equal("http://localhost:5601")) }) It("should render toleration on GKE", func() {