logstsh - filebeats ssl work started

templates/_helpers.tpl

@@ -24,7 +24,7 @@ elasticsearch.{{ default .Release.Namespace .Values.namespaceTag }}.{{ .Values.d
 Logstash input dns
 */}}
 {{- define "logstash.dns" -}}
-logstash.{{ .Values.logstash.pipelines_group_name }}.{{ default .Release.Namespace .Values.namespaceTag }}.{{ .Values.domainSuffix }}
+logstash.{{ .Values.logstash.beats.pipelines_group_name }}.{{ default .Release.Namespace .Values.namespaceTag }}.{{ .Values.domainSuffix }}
 {{- end -}}
 
 {{/*

templates/filebeat.yaml

@@ -30,6 +30,8 @@ spec:
           - mountPath: /usr/share/filebeat/logs/example.sh
             subPath: example.sh
             name: example-script
+          - mountPath: /usr/share/filebeat/certs
+            name: logstash-certs
         volumes:
         - name: config
           secret:
@@ -39,6 +41,10 @@ spec:
           configMap:
             name: filebeat-example-script
             defaultMode: 0777
+        - name: logstash-certs
+          secret:
+            secretName: logstash-secret-{{ .Values.logstash.beats.pipelines_group_name }}
+
 ---
 apiVersion: v1
 kind: Secret

templates/logstash_beats.yaml

@@ -55,10 +55,10 @@ spec:
           mountPath: /app/elastic/logstash/config/pipelines/{{- .name -}}.config
           subPath: {{ .name -}}.config
         {{- end }}
-        - name: logstash-certs
-          mountPath: /usr/share/logstash/certs-logstash
         - name: es-certs
           mountPath: /usr/share/logstash/config/certs
+        - mountPath: /usr/share/logstash/certs-logstash
+          name: certs-logstash
         env:
           - name: LOGSTASH_USER
             valueFrom:
@@ -83,12 +83,15 @@ spec:
           name: logstash-{{- $.Values.logstash.beats.pipelines_group_name -}}-{{- .name -}}-config
           defaultMode: 511
       {{- end }}
-      - name: logstash-certs
-        secret:
-          secretName: logstash-beats-ls-http-certs-public
       - name: es-certs
         secret:
           secretName: elastic-elasticsearch-http-cert-secret-internal
+      - name: certs-logstash
+        secret:
+          secretName: logstash-secret-{{ .Values.logstash.beats.pipelines_group_name }}
+      http:
+        tls:
+          secretName: logstash-secret-{{ .Values.logstash.beats.pipelines_group_name }}
   pipelinesRef:
     secretName: logstash-{{ .Values.logstash.beats.pipelines_group_name }}-pipelines-yml
 ---
@@ -112,3 +115,20 @@ data:
     {{ tpl .output $ | nindent 6 }} 
 ---
 {{- end }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: logstash-{{ .Values.logstash.beats.pipelines_group_name }}
+spec:
+  secretName: logstash-secret-{{ .Values.logstash.beats.pipelines_group_name }}
+  dnsNames:
+    - "{{ template "logstash.dns" . }}"
+{{- range $index_i :=  until (.Values.logstash.count |int ) }}
+    - "{{$prefix}}{{$index_i}}.{{$concatUrl}}"
+{{- end }}    
+    - "logstash.{{ .Release.Namespace }}"
+  issuerRef:
+    name: dev-staging  
+    kind: ClusterIssuer
+  privateKey:
+    encoding: "PKCS8"  

values/dev/observability/values.yaml

@@ -131,6 +131,10 @@ logstash:
         input {
           beats {
             port => 5044
+            ssl_enabled  => "true"
+            ssl_certificate_authorities => ["/usr/share/logstash/certs-logstash/ca.crt"]
+            ssl_certificate => "/usr/share/logstash/certs-logstash/tls.crt"
+            ssl_key => "/usr/share/logstash/certs-logstash/tls.key"
           }
         }
       filter: |-
@@ -222,6 +226,12 @@ filebeat:
   output: |
     output.logstash:
       hosts: ["logstash-beats-ls-beats-0.observability.svc:5044"]
+      ssl.enabled: true
+      ssl.certificate_authorities: ["/usr/share/filebeat/certs/ca.crt"]
+      ssl.verification_mode: none
+      ssl.certificate: "/usr/share/filebeat/certs/tls.crt"
+      ssl.key: "/usr/share/filebeat/certs/tls.key"
+