Securing Logstash API

edit

Enable HTTPS

edit

Access to the Logstash Monitoring APIs use HTTPS by default - the operator will set the values api.ssl.enabled: true, api.ssl.keystore.path and api.ssl.keystore.password.

You can further secure the Logstash Monitoring APIs by requiring HTTP Basic authentication by setting api.auth.type: basic, and providing the relevant credentials api.auth.basic.username and api.auth.basic.password:

apiVersion: v1
kind: Secret
metadata:
  name: logstash-api-secret
stringData:
  API_USERNAME: "AWESOME_USER"   
  API_PASSWORD: "T0p_Secret"     
---
apiVersion: logstash.k8s.elastic.co/v1alpha1
kind: Logstash
metadata:
  name: logstash-sample
spec:
  version: 8.16.0
  count: 1
  config:
    api.auth.type: basic
    api.auth.basic.username: "${API_USERNAME}"   
    api.auth.basic.password: "${API_PASSWORD}"   
  podTemplate:
    spec:
      containers:
        - name: logstash
          envFrom:
            - secretRef:
                name: logstash-api-secret   

Store the username and password in a Secret.

Map the username and password to the environment variables of the Pod.

At Logstash startup, ${API_USERNAME} and ${API_PASSWORD} are replaced by the value of environment variables. Check using environment variables for more details.

An alternative is to set up keystore to resolve ${API_USERNAME} and ${API_PASSWORD}

The variable substitution in config does not support the default value syntax.

TLS keystore

edit

The TLS Keystore is automatically generated and includes a certificate and a private key, with default password protection set to changeit. This password can be modified by configuring the api.ssl.keystore.password value.

apiVersion: logstash.k8s.elastic.co/v1alpha1
kind: Logstash
metadata:
  name: logstash-sample
spec:
  count: 1
  version: 8.16.0
  config:
    api.ssl.keystore.password: "${SSL_KEYSTORE_PASSWORD}"

Provide your own certificate

edit

If you want to use your own certificate, the required configuration is similar to Elasticsearch. Configure the certificate in api Service. Check Custom HTTP certificate.

apiVersion: logstash.k8s.elastic.co/v1alpha1
kind: Logstash
metadata:
  name: logstash-sample
spec:
  version: 8.16.0
  count: 1
  elasticsearchRef:
    name: "elasticsearch-sample"
  services:
    - name: api   
      tls:
        certificate:
          secretName: my-cert

The service name api is reserved for Logstash monitoring endpoint.

Disable TLS

edit

You can disable TLS by disabling the generation of the self-signed certificate in the API service definition

apiVersion: logstash.k8s.elastic.co/v1alpha1
kind: Logstash
metadata:
  name: logstash-sample
spec:
  version: 8.16.0
  count: 1
  elasticsearchRef:
    name: "elasticsearch-sample"
  services:
    - name: api
      tls:
        selfSignedCertificate:
          disabled: true