Securing Logstash APIedit

Enable HTTPSedit

Access to the Logstash Monitoring APIs use HTTPS by default - the operator will set the values api.ssl.enabled: true, api.ssl.keystore.path and api.ssl.keystore.password.

You can further secure the Logstash Monitoring APIs by requiring HTTP Basic authentication by setting api.auth.type: basic, and providing the relevant credentials api.auth.basic.username and api.auth.basic.password:

apiVersion: v1
kind: Secret
metadata:
  name: logstash-api-secret
stringData:
  API_USERNAME: "AWESOME_USER"   
  API_PASSWORD: "T0p_Secret"     
---
apiVersion: logstash.k8s.elastic.co/v1alpha1
kind: Logstash
metadata:
  name: logstash-sample
spec:
  version: 8.13.2
  count: 1
  config:
    api.auth.type: basic
    api.auth.basic.username: "${API_USERNAME}"   
    api.auth.basic.password: "${API_PASSWORD}"   
  podTemplate:
    spec:
      containers:
        - name: logstash
          envFrom:
            - secretRef:
                name: logstash-api-secret   

Store the username and password in a Secret.

Map the username and password to the environment variables of the Pod.

At Logstash startup, ${API_USERNAME} and ${API_PASSWORD} are replaced by the value of environment variables. Check using environment variables for more details.

An alternative is to set up keystore to resolve ${API_USERNAME} and ${API_PASSWORD}

The variable substitution in config does not support the default value syntax.

TLS keystoreedit

The TLS Keystore is automatically generated and includes a certificate and a private key, with default password protection set to changeit. This password can be modified by configuring the api.ssl.keystore.password value.

apiVersion: logstash.k8s.elastic.co/v1alpha1
kind: Logstash
metadata:
  name: logstash-sample
spec:
  count: 1
  version: 8.13.2
  config:
    api.ssl.keystore.password: "${SSL_KEYSTORE_PASSWORD}"

Provide your own certificateedit

If you want to use your own certificate, the required configuration is similar to Elasticsearch. Configure the certificate in api Service. Check Custom HTTP certificate.

apiVersion: logstash.k8s.elastic.co/v1alpha1
kind: Logstash
metadata:
  name: logstash-sample
spec:
  version: 8.13.2
  count: 1
  elasticsearchRef:
    name: "elasticsearch-sample"
  services:
    - name: api   
      tls:
        certificate:
          secretName: my-cert

The service name api is reserved for Logstash monitoring endpoint.

Disable TLSedit

You can disable TLS by disabling the generation of the self-signed certificate in the API service definition

apiVersion: logstash.k8s.elastic.co/v1alpha1
kind: Logstash
metadata:
  name: logstash-sample
spec:
  version: 8.13.2
  count: 1
  elasticsearchRef:
    name: "elasticsearch-sample"
  services:
    - name: api
      tls:
        selfSignedCertificate:
          disabled: true