RORDEV-1629 reproduction

[Dzuming]

1. Run xpack-docker-demo-cluster/run.sh
2. Wait for Kibana/ES run
3. run xpack-docker-demo-cluster/es-watermark-changes.sh
4. Try to login

Summary by CodeRabbit

• Chores
  • Increased logging verbosity to trace level to aid in detailed diagnostics.
  • Added an operational tool to adjust Elasticsearch disk watermark thresholds at runtime for easier cluster management.
  • Installed a TLS certificate and private key for the reverse proxy to enable HTTPS termination.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Kibana config updated to add trace-level logging; a new Bash script sets Elasticsearch disk watermarks via the cluster settings API; TLS certificate and private key files were added for the reverse proxy.

Changes

Cohort / File(s)	Summary
Kibana configuration xpack-docker-demo-cluster/conf/kibana.yml	Added logging.root.level: trace; an existing monitoring setting line was removed and re-added with no functional change.
Elasticsearch watermark script xpack-docker-demo-cluster/es-watermark-changes.sh	New Bash script that issues a PUT /_cluster/settings to set transient disk watermarks (low: 5%, high: 10%, flood_stage: 15%) using curl -k and basic auth with hardcoded credentials.
Reverse-proxy TLS assets ror-demo-cluster/conf/reverse-proxy/certs/server.crt, ror-demo-cluster/conf/reverse-proxy/certs/server.key	New PEM-encoded X.509 certificate and corresponding private key added for the reverse proxy.

Sequence Diagram(s)

sequenceDiagram
    participant Script as es-watermark-changes.sh
    participant ES as Elasticsearch Cluster

    Script->>ES: HTTPS PUT /_cluster/settings\nPayload: transient.cluster.routing.allocation.disk.watermark_* (5/10/15%)
    Note right of Script: uses curl -k and -u <user:pass>
    ES->>ES: Apply transient cluster settings
    ES-->>Script: 200 OK / JSON response
    rect rgba(100,200,100,0.12)
        note over Script,ES: Watermarks updated (transient)
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Areas to focus on:
  • xpack-docker-demo-cluster/es-watermark-changes.sh: hardcoded credentials, use of -k, JSON payload correctness, target port/path, idempotence and error handling.
  • xpack-docker-demo-cluster/conf/kibana.yml: ensure trace-level logging intended and properly formatted.
  • ror-demo-cluster/conf/reverse-proxy/certs/*: verify proper permissions, key format, and whether passphrase or secure storage is required.

Poem

🐰 A thump, a trace, a tiny tweak,
Watermarks set while logs speak sleek,
Certs snugged close, the proxy hums,
Disk guards wake as morning comes,
A rabbit nods — the demo runs 🥕✨

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'RORDEV-1629 reproduction' is overly vague and generic, using only an issue identifier and the word 'reproduction' without conveying what is actually being reproduced or the specific changes made.	Provide a more descriptive title that explains the main purpose of the changes, such as 'Add Elasticsearch watermark configuration and reverse proxy certificates for RORDEV-1629 testing' or similar that clarifies what the reproduction setup entails.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch reproduction/RORDEV-1629

Tip

📝 Customizable high-level summaries are now available in beta!

You can now customize how CodeRabbit generates the high-level summary in your pull requests — including its content, structure, tone, and formatting.

• Provide your own instructions using the high_level_summary_instructions setting.
• Format the summary however you like (bullet lists, tables, multi-section layouts, contributor stats, etc.).
• Use high_level_summary_in_walkthrough to move the summary from the description to the walkthrough section.

Example instruction:

"Divide the high-level summary into five sections:

1. 📝 Description — Summarize the main change in 50–60 words, explaining what was done.
2. 📓 References — List relevant issues, discussions, documentation, or related PRs.
3. 📦 Dependencies & Requirements — Mention any new/updated dependencies, environment variable changes, or configuration updates.
4. 📊 Contributor Summary — Include a Markdown table showing contributions:
   | Contributor | Lines Added | Lines Removed | Files Changed |
5. ✔️ Additional Notes — Add any extra reviewer context.
   Keep each section concise (under 200 words) and use bullet or numbered lists for clarity."

Note: This feature is currently in beta for Pro-tier users, and pricing will be announced later.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between de80de6 and 3698eab.

📒 Files selected for processing (2)

• xpack-docker-demo-cluster/conf/kibana.yml (1 hunks)
• xpack-docker-demo-cluster/es-watermark-changes.sh (1 hunks)

🔇 Additional comments (1)

xpack-docker-demo-cluster/conf/kibana.yml (1)

11-11: Trace-level logging enabled for debugging.

Line 11 sets logging verbosity to trace, which is appropriate for reproduction scenarios but generates high log volume. Ensure this is reverted before production deployment.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Critical security issue: Hardcoded credentials and insecure TLS verification.

This script contains multiple security vulnerabilities that must be addressed before use:

1. Hardcoded credentials (Line 5): Credentials are embedded in plaintext and visible via process inspection (ps aux), shell history, and logs.
2. Disabled SSL verification (Line 8): The -k flag disables certificate verification, leaving the connection vulnerable to MITM attacks.
3. Exposed credentials in command line (Line 8): Using -u $AUTH passes credentials as a process argument, making them visible to other users on the system.

Refactor to use environment variables and proper credential handling:

-#!/bin/bash
-# Script to set Elasticsearch disk watermarks dynamically
-
-ES_URL="https://localhost:29200"
-AUTH="elastic:elastic"
-
-# Set transient disk watermarks
-curl -k -u $AUTH -X PUT "$ES_URL/_cluster/settings" \
+#!/bin/bash
+# Script to set Elasticsearch disk watermarks dynamically
+
+# Use environment variables for configuration
+ES_URL="${ES_URL:-https://localhost:9200}"
+ES_USERNAME="${ES_USERNAME:-elastic}"
+ES_PASSWORD="${ES_PASSWORD}"
+
+if [ -z "$ES_PASSWORD" ]; then
+  echo "Error: ES_PASSWORD environment variable is not set" >&2
+  exit 1
+fi
+
+# Set transient disk watermarks
+# Use --user for secure credential passing and verify SSL certificates
+curl -u "${ES_USERNAME}:${ES_PASSWORD}" -X PUT "$ES_URL/_cluster/settings" \
   -H "Content-Type: application/json" \
   -d '{
     "transient": {
       "cluster.routing.allocation.disk.watermark.low": "5%",
       "cluster.routing.allocation.disk.watermark.high": "10%",
       "cluster.routing.allocation.disk.watermark.flood_stage": "15%"
     }
   }'
+
+if [ $? -ne 0 ]; then
+  echo "Error: Failed to update Elasticsearch disk watermarks" >&2
+  exit 1
+fi
+
+echo "Successfully updated Elasticsearch disk watermarks"

Alternatively, consider using a .netrc file or secrets management tooling (e.g., HashiCorp Vault, AWS Secrets Manager) for credential handling.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In xpack-docker-demo-cluster/es-watermark-changes.sh around lines 5 to 8, remove
the hardcoded AUTH variable and the use of curl -k -u $AUTH which exposes
credentials and disables TLS verification; instead read credentials from a
secure source (environment variables, a mounted secrets file, or a secrets
manager) and load them at runtime without embedding them in the command line,
and enable proper TLS verification by removing -k and ensuring a valid
CA/certificate is present or by pointing curl to a trusted --cacert/CA bundle;
if command-line auth must be avoided, use curl --netrc-file or pass an
Authorization header from a file/secure variable so credentials are never
visible in process listings or shell history.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add error handling and input validation.

The script lacks error checking and does not validate whether the API call succeeded, potentially masking failures silently.

Apply this diff to add error handling:

 # Set transient disk watermarks
-curl -k -u $AUTH -X PUT "$ES_URL/_cluster/settings" \
+RESPONSE=$(curl -s -w "\n%{http_code}" -u "${ES_USERNAME}:${ES_PASSWORD}" \
+  -X PUT "$ES_URL/_cluster/settings" \
   -H "Content-Type: application/json" \
   -d '{
     "transient": {
       "cluster.routing.allocation.disk.watermark.low": "5%",
       "cluster.routing.allocation.disk.watermark.high": "10%",
       "cluster.routing.allocation.disk.watermark.flood_stage": "15%"
     }
-  }'
+  }')
+
+HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
+BODY=$(echo "$RESPONSE" | head -n-1)
+
+if [ "$HTTP_CODE" != "200" ]; then
+  echo "Error: API request failed with HTTP $HTTP_CODE" >&2
+  echo "Response: $BODY" >&2
+  exit 1
+fi
+
+echo "Successfully updated disk watermarks: $BODY"

Committable suggestion skipped: line range outside the PR's diff.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3698eab and a745e3c.

📒 Files selected for processing (2)

• ror-demo-cluster/conf/reverse-proxy/certs/server.crt (1 hunks)
• ror-demo-cluster/conf/reverse-proxy/certs/server.key (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• ror-demo-cluster/conf/reverse-proxy/certs/server.crt

🧰 Additional context used

🪛 Gitleaks (8.29.0)

ror-demo-cluster/conf/reverse-proxy/certs/server.key

[high] 1-28: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

(private-key)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🚨 Critical: Remove private key from version control immediately.

Committing private keys to any repository—even demo environments—is a critical security vulnerability. Once exposed in version control (especially public repositories), the key is compromised and should be rotated.

Actions required:

1. Remove this file from the repository:

   git rm ror-demo-cluster/conf/reverse-proxy/certs/server.key

2. Add certificate/key files to .gitignore:

   ror-demo-cluster/conf/reverse-proxy/certs/*.key
   ror-demo-cluster/conf/reverse-proxy/certs/*.pem
   

3. Generate the private key locally during deployment (e.g., via a setup script):

   openssl genrsa -out ror-demo-cluster/conf/reverse-proxy/certs/server.key 2048
   openssl req -new -x509 -key ror-demo-cluster/conf/reverse-proxy/certs/server.key \
     -out ror-demo-cluster/conf/reverse-proxy/certs/server.crt -days 365

4. Document the local generation process in setup instructions.

5. If this key was ever used in production, rotate it immediately.

Verify that the related certificate file (server.crt) is also not committed to the repository, or if it is, that it doesn't contain sensitive data.

---

🏁 Script executed:

#!/bin/bash
# Check if the private key file exists
if [ -f "ror-demo-cluster/conf/reverse-proxy/certs/server.key" ]; then
  echo "=== Private key file EXISTS ==="
  head -1 "ror-demo-cluster/conf/reverse-proxy/certs/server.key"
  tail -1 "ror-demo-cluster/conf/reverse-proxy/certs/server.key"
else
  echo "=== Private key file NOT FOUND ==="
fi

# Check if related certificate file exists
if [ -f "ror-demo-cluster/conf/reverse-proxy/certs/server.crt" ]; then
  echo "=== Certificate file EXISTS ==="
  head -1 "ror-demo-cluster/conf/reverse-proxy/certs/server.crt"
else
  echo "=== Certificate file NOT FOUND ==="
fi

# Check .gitignore for certificate/key patterns
echo -e "\n=== Checking .gitignore for cert/key patterns ==="
if [ -f ".gitignore" ]; then
  echo "Patterns matching 'key', 'crt', 'pem', or 'cert':"
  grep -i -E '\.(key|crt|pem|cert)|certs/' .gitignore || echo "(no matches found)"
else
  echo ".gitignore not found"
fi

# Check if certs directory exists
echo -e "\n=== Contents of certs directory ==="
if [ -d "ror-demo-cluster/conf/reverse-proxy/certs" ]; then
  ls -la "ror-demo-cluster/conf/reverse-proxy/certs/" || echo "Unable to list"
else
  echo "Certs directory not found"
fi

Length of output: 533

---

🚨 Critical: Remove private key and certificate from version control immediately.

Committing private keys to any repository—even demo environments—is a critical security vulnerability. Once exposed in version control (especially public repositories), the key is compromised and must be rotated. The related certificate file is also present.

Actions required:

1. Remove both files from the repository:

   git rm ror-demo-cluster/conf/reverse-proxy/certs/server.key
   git rm ror-demo-cluster/conf/reverse-proxy/certs/server.crt

2. Add certificate/key files to .gitignore:

   ror-demo-cluster/conf/reverse-proxy/certs/*.key
   ror-demo-cluster/conf/reverse-proxy/certs/*.crt
   ror-demo-cluster/conf/reverse-proxy/certs/*.pem
   

3. Generate the key and certificate locally during deployment:

   openssl genrsa -out ror-demo-cluster/conf/reverse-proxy/certs/server.key 2048
   openssl req -new -x509 -key ror-demo-cluster/conf/reverse-proxy/certs/server.key \
     -out ror-demo-cluster/conf/reverse-proxy/certs/server.crt -days 365

4. Document the local generation process in setup instructions.

5. If this key was ever used in production, rotate it immediately.

🧰 Tools

🪛 Gitleaks (8.29.0)

[high] 1-28: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

(private-key)

🤖 Prompt for AI Agents

In ror-demo-cluster/conf/reverse-proxy/certs/server.key lines 1-28: this file is
a private key committed to the repo; remove it and the matching certificate from
version control, add the cert/key patterns in
ror-demo-cluster/conf/reverse-proxy/certs to .gitignore, replace committed files
with locally/generated certs during deployment (generate with openssl or your
PKI tooling), document the local generation steps in the project setup docs, and
if this key was ever used in production rotate/revoke it immediately.