Loading

Securing Logstash API

ECK

Access to the Logstash Monitoring APIs use HTTPS by default - the operator will set the values api.ssl.enabled: true, api.ssl.keystore.path and api.ssl.keystore.password.

You can further secure the Logstash Monitoring APIs by requiring HTTP Basic authentication by setting api.auth.type: basic, and providing the relevant credentials api.auth.basic.username and api.auth.basic.password:

apiVersion: v1 kind: Secret metadata: name: logstash-api-secret stringData: API_USERNAME: "AWESOME_USER" API_PASSWORD: "T0p_Secret" --- apiVersion: logstash.k8s.elastic.co/v1alpha1 kind: Logstash metadata: name: logstash-sample spec: version: 8.16.1 count: 1 config: api.auth.type: basic api.auth.basic.username: "${API_USERNAME}" api.auth.basic.password: "${API_PASSWORD}" podTemplate: spec: containers: - name: logstash envFrom: - secretRef: name: logstash-api-secret
  1. Store the username and password in a Secret.
  2. Map the username and password to the environment variables of the Pod.
  3. At Logstash startup, ${API_USERNAME} and ${API_PASSWORD} are replaced by the value of environment variables. Check using environment variables for more details.

An alternative is to set up keystore to resolve ${API_USERNAME} and ${API_PASSWORD}

Note

The variable substitution in config does not support the default value syntax.

The TLS Keystore is automatically generated and includes a certificate and a private key, with default password protection set to changeit. This password can be modified by configuring the api.ssl.keystore.password value.

apiVersion: logstash.k8s.elastic.co/v1alpha1 kind: Logstash metadata: name: logstash-sample spec: count: 1 version: 8.16.1 config: api.ssl.keystore.password: "${SSL_KEYSTORE_PASSWORD}"

If you want to use your own certificate, the required configuration is similar to Elasticsearch. Configure the certificate in api Service. Check Custom HTTP certificate.

apiVersion: logstash.k8s.elastic.co/v1alpha1 kind: Logstash metadata: name: logstash-sample spec: version: 8.16.1 count: 1 elasticsearchRef: name: "elasticsearch-sample" services: - name: api tls: certificate: secretName: my-cert
  1. The service name api is reserved for Logstash monitoring endpoint.

You can disable TLS by disabling the generation of the self-signed certificate in the API service definition

apiVersion: logstash.k8s.elastic.co/v1alpha1 kind: Logstash metadata: name: logstash-sample spec: version: 8.16.1 count: 1 elasticsearchRef: name: "elasticsearch-sample" services: - name: api tls: selfSignedCertificate: disabled: true