filebeat logstash ssl fix

templates/_helpers.tpl

@@ -37,4 +37,12 @@ Logstash input dns for many ingressRouteTCPs
 {{- range $index :=  until $maxRange -}}
     {{- $urlPrefix}}{{$index }}{{ $concatUrl }}{{if lt $index (sub $maxRange 1)  }},{{end}}
 {{- end -}} 
+{{- end -}}
+
+
+{{/*
+Filebeat input dns
+*/}}
+{{- define "filebeat.dns" -}}
+filebeat.{{ default .Release.Namespace .Values.namespaceTag }}.{{ .Values.domainSuffix }}
 {{- end -}}
\ No newline at end of file

templates/filebeat.yaml

@@ -31,7 +31,7 @@ spec:
             subPath: example.sh
             name: example-script
           - mountPath: /usr/share/filebeat/certs
-            name: logstash-certs
+            name: filebeat-certs
           - mountPath: /usr/share/filebeat/es-certs # used for monitoring
             name: es-certs
           env:
@@ -61,9 +61,9 @@ spec:
           configMap:
             name: filebeat-example-script
             defaultMode: 0777
-        - name: logstash-certs
+        - name: filebeat-certs
           secret:
-            secretName: logstash-secret-{{ .Values.logstash.beats.pipelines_group_name }}
+            secretName: filebeat-certs
         - name: es-certs # used for monitoring
           secret:
             secretName: elastic-elasticsearch-http-cert-secret-internal
@@ -131,4 +131,19 @@ data:
     CLUSTER_UUID=$(curl -s -u "elastic:$ES_PASSWORD" -X GET "$ELASTIC_ELASTICSEARCH_ES_HOSTS/" -Ss -k | jq -r '.cluster_uuid')
 
     # Store cluster UUID in a file
-    echo "CLUSTER_UUID=$CLUSTER_UUID" > /etc/cluster_uuid.env
\ No newline at end of file
+    echo "CLUSTER_UUID=$CLUSTER_UUID" > /etc/cluster_uuid.env
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: filebeat-certificate
+spec:
+  secretName: filebeat-certs
+  duration: {{ .Values.filebeat.cert.duration }}
+  renewBefore: {{ .Values.filebeat.cert.renewBefore }}
+  commonName: {{ template "filebeat.dns" . }}
+  dnsNames:
+    - "{{ template "logstash.dns" . }}"
+  issuerRef:
+    name: internal-ca
+    kind: ClusterIssuer
\ No newline at end of file

templates/logstash_beats.yaml

@@ -167,6 +167,9 @@ kind: Certificate
 metadata:
   name: logstash-{{ .Values.logstash.beats.pipelines_group_name }}
 spec:
+  duration: {{ .Values.logstash.cert.duration }}
+  renewBefore: {{ .Values.logstash.cert.renewBefore }}
+  commonName: {{ template "logstash.dns" . }}
   secretName: logstash-secret-{{ .Values.logstash.beats.pipelines_group_name }}
   dnsNames:
     - "{{ template "logstash.dns" . }}"

values/dev/observability/values.yaml

@@ -114,6 +114,9 @@ logstash:
       memory: 4Gi
     limits:
       memory: 4Gi
+  cert:
+    duration: 2160h0m0s # 90d
+    renewBefore: 360h0m0s # 15d
   pipelines_yml_config: |-
     - pipeline.id: main
       path.config: "/app/elastic/logstash/config/pipelines/*.config"  
@@ -203,7 +206,9 @@ filebeat:
 
   # Number of messages per minute. Provide negative number to generate messages without time limit.
   messagesPerMinute: 30
-
+  cert:
+    duration: 2160h0m0s # 90d
+    renewBefore: 360h0m0s # 15d
   # Filebeat configuration file - input 
   input: |
     filebeat.inputs:
@@ -228,7 +233,7 @@ filebeat:
     output.logstash:
       hosts: ["logstash-beats-ls-beats-0.observability.svc:5044"]
       ssl.enabled: true
-      ssl.certificate_authorities: ["/usr/share/filebeat/certs/ca.crt"]
+      ssl.certificate_authorities: ["/usr/share/filebeat/es-certs/ca.crt"]
       ssl.verification_mode: full
       ssl.certificate: "/usr/share/filebeat/certs/tls.crt"
       ssl.key: "/usr/share/filebeat/certs/tls.key"