Securing Logstash API
Enable HTTPS ¶
Access to the Logstash Monitoring APIs uses HTTPS by default: the operator sets api.ssl.enabled: true, api.ssl.keystore.path and api.ssl.keystore.password.
You can further secure the Logstash Monitoring APIs by requiring HTTP Basic authentication: set api.auth.type: basic and provide the credentials in api.auth.basic.username and api.auth.basic.password:

    apiVersion: v1
    kind: Secret
    metadata:
      name: logstash-api-secret
    stringData:
      API_USERNAME: "AWESOME_USER"  # (1)
      API_PASSWORD: "T0p_Secret"  # (1)
    ---
    apiVersion: logstash.k8s.elastic.co/v1alpha1
    kind: Logstash
    metadata:
      name: logstash-sample
    spec:
      version: 8.16.1
      count: 1
      config:
        api.auth.type: basic
        api.auth.basic.username: "${API_USERNAME}"  # (3)
        api.auth.basic.password: "${API_PASSWORD}"  # (3)
      podTemplate:
        spec:
          containers:
            - name: logstash
              envFrom:
                - secretRef:
                    name: logstash-api-secret  # (2)

- (1) Store the username and password in a Secret.
- (2) Map the username and password to the environment variables of the Pod.
- (3) At Logstash startup, ${API_USERNAME} and ${API_PASSWORD} are replaced by the values of the environment variables. See "Using environment variables" for more details.
An alternative is to set up a keystore to resolve ${API_USERNAME} and ${API_PASSWORD}.
Note
The variable substitution in config does not support the default value syntax.
TLS keystore ¶
The TLS keystore is automatically generated and includes a certificate and a private key. It is protected by the default password changeit. You can change this password by setting the api.ssl.keystore.password value.

    apiVersion: logstash.k8s.elastic.co/v1alpha1
    kind: Logstash
    metadata:
      name: logstash-sample
    spec:
      count: 1
      version: 8.16.1
      config:
        api.ssl.keystore.password: "${SSL_KEYSTORE_PASSWORD}"

Provide your own certificate ¶
If you want to use your own certificate, the required configuration is similar to Elasticsearch. Configure the certificate in the api Service. See "Custom HTTP certificate".

    apiVersion: logstash.k8s.elastic.co/v1alpha1
    kind: Logstash
    metadata:
      name: logstash-sample
    spec:
      version: 8.16.1
      count: 1
      elasticsearchRef:
        name: "elasticsearch-sample"
      services:
        - name: api  # (1)
          tls:
            certificate:
              secretName: my-cert

- (1) The service name api is reserved for the Logstash monitoring endpoint.
Disable TLS ¶
You can disable TLS by disabling the generation of the self-signed certificate in the API service definition:

    apiVersion: logstash.k8s.elastic.co/v1alpha1
    kind: Logstash
    metadata:
      name: logstash-sample
    spec:
      version: 8.16.1
      count: 1
      elasticsearchRef:
        name: "elasticsearch-sample"
      services:
        - name: api
          tls:
            selfSignedCertificate:
              disabled: true
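
An added example, not part of the ECK documentation: a review check over an already-parsed Logstash resource that flags the weak settings discussed on this page (TLS disabled on the api service, no basic authentication, a literal password or the unsupported default value syntax in config, and a keystore left on the default changeit password). The function name, finding labels and sample resources are constructed for illustration. It assumes dotted keys under spec.config as in the manifests above, and that a user-supplied certificate keeps TLS enabled.

```python
import re

# ${VAR} is resolved at startup; the ${VAR:default} form is not supported in `config`.
VAR_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
DEFAULT_SYNTAX = re.compile(r"\$\{[^}:]+:[^}]*\}")
PASSWORD_KEYS = ("api.auth.basic.password", "api.ssl.keystore.password")

def audit_logstash_api(manifest):
    """Return findings for the API settings of a parsed Logstash resource (a dict)."""
    spec = manifest.get("spec") or {}
    config = spec.get("config") or {}
    findings = []
    for svc in spec.get("services") or []:
        tls = svc.get("tls") or {}
        disabled = (tls.get("selfSignedCertificate") or {}).get("disabled", False)
        # `api` is the reserved service name; assumption: a supplied certificate keeps TLS on.
        has_cert = bool((tls.get("certificate") or {}).get("secretName"))
        if svc.get("name") == "api" and disabled and not has_cert:
            findings.append("tls-disabled")
    if config.get("api.auth.type") != "basic":
        findings.append("no-basic-auth")
    for key, value in config.items():
        if not key.startswith("api."):
            continue
        if DEFAULT_SYNTAX.search(str(value)):
            findings.append("default-syntax:" + key)
        elif key in PASSWORD_KEYS and not VAR_REF.match(str(value)):
            findings.append("literal-password:" + key)
    if "api.ssl.keystore.password" not in config and "tls-disabled" not in findings:
        findings.append("default-keystore-password")  # still `changeit`
    return findings

# Constructed sample resources, already parsed from YAML into dicts.
WEAK = {"spec": {
    "config": {
        "api.auth.type": "basic",
        "api.auth.basic.username": "${API_USERNAME}",
        "api.auth.basic.password": "T0p_Secret",
        "api.ssl.keystore.password": "${SSL_KEYSTORE_PASSWORD:changeit}",
    },
    "services": [{"name": "api", "tls": {"selfSignedCertificate": {"disabled": True}}}],
}}
HARDENED = {"spec": {"config": {
    "api.auth.type": "basic",
    "api.auth.basic.username": "${API_USERNAME}",
    "api.auth.basic.password": "${API_PASSWORD}",
    "api.ssl.keystore.password": "${SSL_KEYSTORE_PASSWORD}",
}}}

print(audit_logstash_api(WEAK), audit_logstash_api(HARDENED))
```

An empty result means none of the checked settings is weak; it says nothing about how the referenced Secret itself is protected.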