Securing Logstash API
editSecuring Logstash API
editEnable HTTPS
editAccess to the Logstash Monitoring APIs use HTTPS by default - the operator will set the values api.ssl.enabled: true
, api.ssl.keystore.path
and api.ssl.keystore.password
.
You can further secure the Logstash Monitoring APIs by requiring HTTP Basic authentication by setting api.auth.type: basic
, and providing the relevant credentials api.auth.basic.username
and api.auth.basic.password
:
apiVersion: v1 kind: Secret metadata: name: logstash-api-secret stringData: API_USERNAME: "AWESOME_USER" API_PASSWORD: "T0p_Secret" --- apiVersion: logstash.k8s.elastic.co/v1alpha1 kind: Logstash metadata: name: logstash-sample spec: version: 8.17.0 count: 1 config: api.auth.type: basic api.auth.basic.username: "${API_USERNAME}" api.auth.basic.password: "${API_PASSWORD}" podTemplate: spec: containers: - name: logstash envFrom: - secretRef: name: logstash-api-secret
Store the username and password in a Secret. |
|
Map the username and password to the environment variables of the Pod. |
|
At Logstash startup, |
An alternative is to set up keystore to resolve ${API_USERNAME}
and ${API_PASSWORD}
The variable substitution in config
does not support the default value syntax.
TLS keystore
editThe TLS Keystore is automatically generated and includes a certificate and a private key, with default password protection set to changeit
.
This password can be modified by configuring the api.ssl.keystore.password
value.
apiVersion: logstash.k8s.elastic.co/v1alpha1 kind: Logstash metadata: name: logstash-sample spec: count: 1 version: 8.17.0 config: api.ssl.keystore.password: "${SSL_KEYSTORE_PASSWORD}"
Provide your own certificate
editIf you want to use your own certificate, the required configuration is similar to Elasticsearch. Configure the certificate in api
Service. Check Custom HTTP certificate.
Disable TLS
editYou can disable TLS by disabling the generation of the self-signed certificate in the API service definition
apiVersion: logstash.k8s.elastic.co/v1alpha1 kind: Logstash metadata: name: logstash-sample spec: version: 8.17.0 count: 1 elasticsearchRef: name: "elasticsearch-sample" services: - name: api tls: selfSignedCertificate: disabled: true