added secure conn elastic-logstash

b81fd650 · Natalia Szakiel · 5fef5cab · b81fd650 · b81fd650 · b81fd650
Commit b81fd650 authored 8 months ago by Natalia Szakiel
--- a/templates/elasticsearch.yaml
+++ b/templates/elasticsearch.yaml
@@ -16,6 +16,11 @@ spec:
    count: {{ .count}}
    config: 
      xpack.security.authc.token.enabled: true
+      xpack.security.enabled: true
+      xpack.security.http.ssl.enabled: true
+      xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certs/tls.key
+      xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certs/tls.crt
+      xpack.security.http.ssl.certificate_authorities: ["/usr/share/elasticsearch/config/certs/ca.crt"]
    volumeClaimTemplates:
      - metadata:
          name: elasticsearch-data 
@@ -55,7 +60,11 @@ spec:
          {{- with .resources }}
          resources:
            {{- toYaml . | nindent 12 }}
-          {{- end }}                           
+          {{- end }}   
+          volumeMounts:
+          - name: elasticsearch-certificates
+            mountPath: /usr/share/elasticsearch/config/certs
+            readOnly: true                       
          env:
            - name: ELASTICSEARCH_PASSWORD
              valueFrom:
@@ -65,6 +74,11 @@ spec:
          {{- with $.Values.elasticsearch.env }}
          {{- toYaml . | nindent 10 }}
          {{- end }} 
+        volumes: 
+        - name: elasticsearch-certificates
+          secret:
+            secretName: elasticsearch-certificates
+
  {{- end }}
  http:
    tls:
@@ -78,6 +92,7 @@ metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    nginx.ingress.kubernetes.io/proxy-ssl-secret: elasticsearch-certificates
    acme.cert-manager.io/http01-edit-in-place: "true"
    cert-manager.io/cluster-issuer: dev-staging
 spec:
@@ -123,6 +138,20 @@ stringData:
      - names: [ '*' ]
        privileges:  ["read","write","create","create_index","manage","manage_ilm"]
 ---
-
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: elasticsearch-cert
+spec:
+  secretName: elasticsearch-certificates
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  dnsNames:
+    -  {{ template "elasticsearch.dns" . }}
+    -  {{ .Release.Name }}-elasticsearch-es-http.{{  .Release.Namespace   }}
+    -  {{ .Release.Name }}-elasticsearch-es-http.{{  .Release.Namespace   }}.svc
+  issuerRef:
+    name: dev-staging
+    kind: ClusterIssuer


--- a/templates/logstash_beats.yaml
+++ b/templates/logstash_beats.yaml
@@ -55,6 +55,9 @@ spec:
          mountPath: /app/elastic/logstash/config/pipelines/{{- .name -}}.config
          subPath: {{ .name -}}.config
        {{- end }}
+        - name: logstash-ca-cert
+          mountPath: /usr/share/logstash/config/certs
+          readOnly: true
        env:
          - name: LOGSTASH_USER
            valueFrom:
@@ -75,6 +78,9 @@ spec:
          name: logstash-{{- $.Values.logstash.beats.pipelines_group_name -}}-{{- .name -}}-config
          defaultMode: 511
      {{- end }}
+      - name: logstash-ca-cert
+        secret:
+          secretName: elasticsearch-certificates
  pipelinesRef:
    secretName: logstash-{{ .Values.logstash.beats.pipelines_group_name }}-pipelines-yml
 ---

--- a/values/dev/observability/values.yaml
+++ b/values/dev/observability/values.yaml
@@ -147,7 +147,8 @@ logstash:
            user => "${LOGSTASH_USER}"
            password => "${LOGSTASH_PASSWORD}"
            ssl => true
-            ssl_certificate_verification => false
+            #ssl_certificate_verification => false
+            cacert => "/usr/share/logstash/config/certs/ca.crt"
            data_stream => "true"
            data_stream_type => "logs"
            data_stream_dataset => "filebeat"