authorAlex Auvolat <alex@adnab.me>2022-02-26 18:56:16 +0100
committerAlex Auvolat <alex@adnab.me>2022-02-26 18:56:16 +0100
commit8064d91dfb76bc38466b5e9382b4d43f3188a444 (patch)
tree396e14eff2cc2e3135b24ff8c7000f7393bb1a36 /doc
parent823c8bd3ba029176405a0e3e718d96632b63cd88 (diff)
Add security to telemetry deployment
Diffstat (limited to 'doc')
-rw-r--r--doc/telemetry.md37
1 files changed, 37 insertions, 0 deletions
diff --git a/doc/telemetry.md b/doc/telemetry.md
new file mode 100644
index 0000000..ee8d0dd
--- /dev/null
+++ b/doc/telemetry.md
@@ -0,0 +1,37 @@
+# create elasticsearch passwords
+
+in elasticsearch container
+
+```bash
+./bin/elasticsearch-setup-passwords auto
+```
+
+save passwords in consul, at:
+
+- `secrets/telemetry/elastic_passwords/apm_system` for user `apm_system`
+- `secrets/telemetry/elastic_passwords/kibana_system` for user `kibana_system`
+- `secrets/telemetry/elastic_passwords/elastic` for user `elastic`
+
+check kibana works, login to kibana with user `elastic`
+
+# create role and user for apm
+
+create role `apm_writer`, give privileges:
+
+- cluster privileges `manage_ilm`, `read_ilm`, `manage_ingest_pipelines`
+- on index `apm-*` privileges `create_doc`, `create_index`, `view_index_metadata`
+- on index `apm-*sourcemap` privilege `read_cross_cluster`
+
+create user `apm` with roles `apm_writer` and `apm_system`. give it a randomly generated password that you save in `secrets/telemetry/elastic_passwords/apm`
+
+check apm data is ingested correctly (visible in kibana)
+
+# create role and user for grafana
+
+create role `grafana`, give privileges:
+
+- on index `apm-*` privileges `read` and `view_index_metadata`
+
+create user `grafana` with role `grafana`. give it a randomly generated password that you save in `secrets/telemetry/elastic_passwords/grafana`
+
+check grafana works