diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 8e886ba1c1642747b48094582ac116a9a4f25aa4..6d74acc54dfde101d5cc9b5a212ceff12be43f33 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -24,7 +24,7 @@ elasticsearch.{{ default .Release.Namespace .Values.namespaceTag }}.{{ .Values.d
 Logstash input dns
 */}}
 {{- define "logstash.dns" -}}
-logstash.{{ .Values.logstash.pipelines_group_name }}.{{ default .Release.Namespace .Values.namespaceTag }}.{{ .Values.domainSuffix }}
+logstash.{{ .Values.logstash.beats.pipelines_group_name }}.{{ default .Release.Namespace .Values.namespaceTag }}.{{ .Values.domainSuffix }}
 {{- end -}}
 
 {{/*
@@ -37,4 +37,12 @@ Logstash input dns for many ingressRouteTCPs
 {{- range $index :=  until $maxRange -}}
     {{- $urlPrefix}}{{$index }}{{ $concatUrl }}{{if lt $index (sub $maxRange 1)  }},{{end}}
 {{- end -}} 
+{{- end -}}
+
+
+{{/*
+Filebeat input dns
+*/}}
+{{- define "filebeat.dns" -}}
+filebeat.{{ default .Release.Namespace .Values.namespaceTag }}.{{ .Values.domainSuffix }}
 {{- end -}}
\ No newline at end of file
diff --git a/templates/elasticsearch.yaml b/templates/elasticsearch.yaml
index a3395c1c8f58168e6c0857a69faa9ed7c36058b4..f0be1aa5c14f7ff7f6be2103857103fbf3adcf02 100644
--- a/templates/elasticsearch.yaml
+++ b/templates/elasticsearch.yaml
@@ -8,14 +8,26 @@ spec:
   auth:
     roles:
     - secretName: logstash-writer-role-secret
+    - secretName: user-monitoring-role-secret
     fileRealm:
     - secretName: logstash-writer-secret
+    - secretName: user-monitoring-secret
   nodeSets:
   {{- range .Values.elasticsearch.nodeSets }}
   - name: {{ .name }}
     count: {{ .count}}
     config: 
       xpack.security.authc.token.enabled: true
+      http.cors.enabled : true
+      http.cors.allow-origin : "*"
+      http.cors.allow-methods : OPTIONS, HEAD, GET, POST, PUT, DELETE
+      http.cors.allow-headers: "kbn-version, Origin, X-Requested-With, Content-Type, Accept, Engaged-Auth-Token"
+      xpack.security.enabled: true
+      xpack.security.http.ssl.enabled: true
+      xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certs/tls.key
+      xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certs/tls.crt
+      xpack.security.http.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/certs/ca.crt" ]
+      xpack.monitoring.collection.enabled: true
     volumeClaimTemplates:
       - metadata:
           name: elasticsearch-data 
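Review bot: `http.cors.allow-origin : "*"` combined with `PUT` and `DELETE` in `http.cors.allow-methods` lets a script on any web origin issue cross-origin requests, including state-changing ones, to the Elasticsearch HTTP API, leaving authentication as the only barrier. If CORS is needed only for a known front end, restrict the origin to that host and take it from values, e.g. `http.cors.allow-origin: {{ .Values.elasticsearch.cors.allowOrigin | quote }}` (a new value the chart would have to define), and trim the method list to what that client uses. The `xpack.security.http.ssl.*` keys added below overlap with what the operator normally derives from `spec.http.tls`, visible further down this file, so it is worth confirming the operator does not override or reject them.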
@@ -47,6 +59,9 @@ spec:
             privileged: true
         containers:
         - name: elasticsearch
+          volumeMounts:
+          - name: certs
+            mountPath: /usr/share/elasticsearch/config/certs
           imagePullPolicy: Always
           securityContext:
             #runAsUser: 0
@@ -55,7 +70,7 @@ spec:
           {{- with .resources }}
           resources:
             {{- toYaml . | nindent 12 }}
-          {{- end }}                           
+          {{- end }}                        
           env:
             - name: ELASTICSEARCH_PASSWORD
               valueFrom:
@@ -65,6 +80,10 @@ spec:
           {{- with $.Values.elasticsearch.env }}
           {{- toYaml . | nindent 10 }}
           {{- end }} 
+        volumes:
+        - name: certs
+          secret:
+            secretName: {{ $.Release.Name }}-elasticsearch-http-cert-secret-internal
   {{- end }}
   http:
     tls:
@@ -123,6 +142,103 @@ stringData:
       - names: [ '*' ]
         privileges:  ["read","write","create","create_index","manage","manage_ilm"]
 ---
-
-
-
+apiVersion: v1
+kind: Secret
+metadata:
+  name: user-monitoring-secret
+type: kubernetes.io/basic-auth
+data:
+  username: {{ "monitoring_user" | b64enc }}
+  {{- if .Release.IsInstall }}
+  password: {{ randAlphaNum 20 | b64enc }}
+  {{ else }}
+  password:  {{ index (lookup "v1" "Secret" .Release.Namespace "user-monitoring-secret").data "password" }}
+  {{ end }}
+  roles: {{ "user-monitoring-role" | b64enc }}
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: user-monitoring-role-secret
+stringData:
+  roles.yml: |-
+    user-monitoring-role:
+      cluster:
+          - monitor
+          - manage_index_templates
+          - manage_ingest_pipelines
+          - manage_ilm
+          - read_ilm
+          - manage
+          - cluster:admin/xpack/watcher/watch/put
+          - cluster:admin/xpack/watcher/watch/delete
+      indices:
+          - names:
+              - .monitoring-*
+            privileges:
+              - all
+          - names:
+              - .ds-*
+            privileges:
+              - all              
+          - names:
+              - metricbeat-*
+            privileges:
+              - manage
+              - read
+              - create_doc
+              - view_index_metadata
+              - create_index
+          - names:
+              - filebeat-*
+            privileges:
+              - manage
+              - read
+              - create_doc
+              - view_index_metadata
+              - create_index
+      applications: []
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-ca
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: internal-ca
+spec:
+  isCA: true
+  commonName: internal-ca
+  secretName: internal-ca
+  issuerRef:
+    name: selfsigned-ca
+    kind: ClusterIssuer
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: internal-issuer
+spec:
+  ca:
+    secretName: internal-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: elasticsearch-certificate
+spec:
+  secretName: {{ .Release.Name }}-elasticsearch-http-cert-secret-internal
+  duration: {{ .Values.elasticsearch.cert.duration }}
+  renewBefore: {{ .Values.elasticsearch.cert.renewBefore }}
+  commonName: {{ template "elasticsearch.dns" . }}
+  dnsNames:
+    -  {{ template "elasticsearch.dns" . }}
+    -  {{ .Release.Name }}-elasticsearch-es-http.{{  .Release.Namespace   }}
+    -  {{ .Release.Name }}-elasticsearch-es-http.{{  .Release.Namespace   }}.svc
+  issuerRef:
+    name: internal-issuer
+    kind: Issuer
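Review bot: `user-monitoring-role` grants much more than monitoring needs: the cluster privilege `manage` makes the narrower entries beside it largely redundant, and `all` on `.ds-*` covers the backing indices of every data stream, including the logs Logstash writes. These credentials are injected into the Filebeat and Logstash pods as `MONITORING_USER`/`MONITORING_PASSWORD`, so a compromise of either pod inherits them; remove `- manage` from `cluster:` and narrow `.ds-*` to the monitoring streams, e.g. `- .ds-.monitoring-*`, if that matches what the agents write. The `password:` branch also calls `index (lookup …).data "password"` without a guard, which presumably fails to render under `helm template`/`--dry-run` (where `lookup` returns an empty map) and on the first upgrade from a release that predates this Secret. Look the Secret up first and generate a password only when it is absent, as below.

```yaml
data:
  username: {{ "monitoring_user" | b64enc }}
  {{- $existing := lookup "v1" "Secret" .Release.Namespace "user-monitoring-secret" }}
  {{- if $existing }}
  password: {{ index $existing.data "password" }}
  {{- else }}
  password: {{ randAlphaNum 20 | b64enc }}
  {{- end }}
  # … unchanged: roles …
```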
diff --git a/templates/filebeat.yaml b/templates/filebeat.yaml
index b4245309311dafa6fbbce88795bc733254da8bdb..b444a5d1a29d0fca0f2fb9642c1548ada53454da 100644
--- a/templates/filebeat.yaml
+++ b/templates/filebeat.yaml
@@ -10,7 +10,6 @@ spec:
   type: filebeat
   elasticsearchRef:
     name: {{ .Release.Name }}-elasticsearch
-    #clusterName: {{ .Release.Name }}-elasticsearch
   daemonSet:
     podTemplate:
       metadata:
@@ -18,11 +17,11 @@ spec:
         stack-namespace: {{ .Release.Namespace }}
       spec:
         securityContext:
-          runAsUser: 0  # Running as root user
-          fsGroup: 1000  # Filebeat user ID
+          runAsUser: 0  
+          fsGroup: 1000  
         containers:
         - name: filebeat
-          command: ['sh', '-c',' exec /usr/share/filebeat/logs/example.sh & exec /usr/share/filebeat/filebeat -e -c /usr/share/filebeat/filebeat.yml']
+          command: ['sh', '-c', 'exec /usr/share/filebeat/logs/example.sh & exec /usr/share/filebeat/filebeat -e -c /usr/share/filebeat/filebeat.yml']
           volumeMounts:
           - mountPath: /usr/share/filebeat/filebeat.yml
             subPath: filebeat.yml
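Review bot: The `runAsUser: 0` and `fsGroup: 1000` lines lose their explanatory comments and are left with trailing whitespace. This container now also mounts a client key and receives the monitoring password (next hunk), so the reason it must run as root is worth keeping next to the setting, e.g. `runAsUser: 0  # root: <why Filebeat needs it here>`. If nothing requires root, a non-root UID would limit what a compromised container can read. The `spec:` block continues outside the hunk.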
@@ -30,6 +29,25 @@ spec:
           - mountPath: /usr/share/filebeat/logs/example.sh
             subPath: example.sh
             name: example-script
+          - mountPath: /usr/share/filebeat/certs
+            name: filebeat-certs
+          - mountPath: /usr/share/filebeat/es-certs # used for monitoring
+            name: es-certs
+          env:
+            - name: ELASTIC_ELASTICSEARCH_ES_HOSTS
+              value: 'https://elastic-elasticsearch-es-http.{{ .Release.Namespace }}.svc:9200'
+            - name: LOGSTASH_HOSTS
+              value: 'logstash-{{ .Values.logstash.beats.pipelines_group_name }}-ls-api.{{ .Release.Namespace }}:5044'
+            - name: MONITORING_USER
+              valueFrom:
+                secretKeyRef:
+                  name: user-monitoring-secret
+                  key: username
+            - name: MONITORING_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: user-monitoring-secret
+                  key: password  
         volumes:
         - name: config
           secret:
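Review bot: `ELASTIC_ELASTICSEARCH_ES_HOSTS` hard-codes the release name `elastic` (`https://elastic-elasticsearch-es-http…`), while the certificate added in elasticsearch.yaml lists `{{ .Release.Name }}-elasticsearch-es-http.<namespace>.svc` in `dnsNames`. With verification now set to full, a release installed under any other name would presumably fail hostname verification or not resolve at all. Use `value: 'https://{{ .Release.Name }}-elasticsearch-es-http.{{ .Release.Namespace }}.svc:9200'`. The same applies to the hard-coded `secretName: elastic-elasticsearch-http-cert-secret-internal` in the volumes of filebeat.yaml, kibana.yaml and logstash_beats.yaml, which elasticsearch.yaml creates as `{{ .Release.Name }}-elasticsearch-http-cert-secret-internal`.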
@@ -39,6 +57,12 @@ spec:
           configMap:
             name: filebeat-example-script
             defaultMode: 0777
+        - name: filebeat-certs
+          secret:
+            secretName: filebeat-certs-secret
+        - name: es-certs # used for monitoring
+          secret:
+            secretName: elastic-elasticsearch-http-cert-secret-internal
 ---
 apiVersion: v1
 kind: Secret
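Review bot: The `es-certs` volume mounts the whole `elastic-elasticsearch-http-cert-secret-internal` Secret, which cert-manager fills with `tls.key` and `tls.crt` as well as `ca.crt`, so the Filebeat pod receives the Elasticsearch server's private key although the visible configuration only reads `ca.crt` from it. Project just the CA by adding `items:` with `- key: ca.crt` / `path: ca.crt` under `secret:`. The `es-certs` volumes added in kibana.yaml and logstash_beats.yaml mount the same Secret in full and need the same restriction; kibana.yaml additionally points its `server.ssl.*` settings at that mount, which would have to change first.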
@@ -90,4 +114,18 @@ data:
       echo "2022-04-01 $((RANDOM % 3 + 9)):$((RANDOM % 60)):$((RANDOM % 60)).000 | $count | $status | $data" >> /usr/share/filebeat/logs/example.log
       count=$((count + 1))
     done
----
\ No newline at end of file
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: filebeat-certificate
+spec:
+  secretName: filebeat-certs-secret
+  duration: {{ .Values.filebeat.cert.duration }}
+  renewBefore: {{ .Values.filebeat.cert.renewBefore }}
+  commonName: {{ template "filebeat.dns" . }}
+  dnsNames:
+    - "{{ template "filebeat.dns" . }}"
+  issuerRef:
+    name: internal-issuer
+    kind: Issuer
\ No newline at end of file
diff --git a/templates/kibana.yaml b/templates/kibana.yaml
index f3a9a3bcc08c8dc6f4321db711657df6a0302ffd..53948d99b5b2c443183ae1a22650f2aa1970087a 100644
--- a/templates/kibana.yaml
+++ b/templates/kibana.yaml
@@ -8,8 +8,12 @@ spec:
   count: {{ .Values.kibana.count }}
   image: {{ .Values.kibana.image }}:{{ default .Values.elasticVersion   .Values.kibana.imageTag }}
   config:
+    server.ssl.enabled: true
+    server.ssl.certificate: /usr/share/kibana/config/certs/tls.crt
+    server.ssl.key: /usr/share/kibana/config/certs/tls.key
+    elasticsearch.ssl.certificateAuthorities: /usr/share/kibana/config/certs/ca.crt
     elasticsearch.requestTimeout: 120000
-    elasticsearch.ssl.verificationMode: none
+    elasticsearch.ssl.verificationMode: full
     server.publicBaseUrl: "{{ template "kibana.dns.fullPath" . }}"
     {{- if and (.Values.kibana.ingressSubpath) (ne  "/" .Values.kibana.ingressSubpath) }}  
     server.basePath: {{ .Values.kibana.ingressSubpath }}
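Review bot: `server.ssl.certificate` and `server.ssl.key` point at `/usr/share/kibana/config/certs`, which the next hunk mounts from the `es-certs` volume, i.e. the Elasticsearch HTTP certificate Secret. Kibana would then present Elasticsearch's certificate, whose `dnsNames` are Elasticsearch names, and hold Elasticsearch's private key. Only `elasticsearch.ssl.certificateAuthorities` needs that mount. Kibana's own serving certificate already appears to come from `http.tls.certificate` and the `secrets-certs` volume, so drop the `server.ssl.certificate` and `server.ssl.key` lines or point them at Kibana's own key pair. The `config:` block continues outside the hunk.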
@@ -39,24 +43,23 @@ spec:
           {{- end }}
           volumeMounts:
           - mountPath: /usr/share/kibana/config/elasticsearch-secrets-certs
-            name: secrets-certs         
+            name: secrets-certs  
+          - name: es-certs
+            mountPath: /usr/share/kibana/config/certs       
           readinessProbe:
             httpGet:
               scheme: HTTPS
               path: {{- with .Values.kibana.ingressSubpath }} {{ . }} {{- end }} 
               port: 5601
-          env:
-            - name: NODE_EXTRA_CA_CERTS
-              value: /usr/share/kibana/config/elasticsearch-secrets-certs/ca.crt
-          {{- with .Values.kibana.env }}
-          {{- toYaml . | nindent 10 }}
-          {{- end }}
       volumes:
       - name: secrets-certs
         projected:
           sources:
           - secret:
-               name: elastic-kibana-cert-secret
+               name: {{ .Release.Name }}-kibana-cert-secret
+      - name: es-certs
+        secret:
+          secretName: elastic-elasticsearch-http-cert-secret-internal
   http:
     tls:
       certificate:
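Review bot: Removing the `env:` block also removes `{{- with .Values.kibana.env }}`, so any environment variables set under `kibana.env` in values are now silently ignored. The same happens in logstash_beats.yaml, where the fixed `config:` keys replace `{{- with .Values.logstash.config }}`. Keep the values pass-through in both places, wrapping `env:` inside the `with` so an empty value renders nothing, and drop only the `NODE_EXTRA_CA_CERTS` entry.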
diff --git a/templates/logstash_beats.yaml b/templates/logstash_beats.yaml
index ff650212de719686b1d18f53e20b443e47639e09..1422171884fa737793f4568b58c4aed420ba9f3a 100644
--- a/templates/logstash_beats.yaml
+++ b/templates/logstash_beats.yaml
@@ -34,10 +34,12 @@ spec:
           selector:
             statefulset.kubernetes.io/pod-name: logstash-beats-ls-{{$index}}
 {{- end}}
-  config: 
-    {{- with .Values.logstash.config }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
+  config:
+    xpack.monitoring.enabled: true
+    xpack.monitoring.elasticsearch.hosts: ["${ELASTIC_ELASTICSEARCH_ES_HOSTS}"]
+    xpack.monitoring.elasticsearch.username: "${MONITORING_USER}"
+    xpack.monitoring.elasticsearch.password: "${MONITORING_PASSWORD}"
+    xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/certs/ca.crt
   podTemplate:
     metadata:
       labels:
@@ -55,6 +57,10 @@ spec:
           mountPath: /app/elastic/logstash/config/pipelines/{{- .name -}}.config
           subPath: {{ .name -}}.config
         {{- end }}
+        - name: es-certs
+          mountPath: /usr/share/logstash/config/certs
+        - mountPath: /usr/share/logstash/certs-logstash
+          name: certs-logstash
         env:
           - name: LOGSTASH_USER
             valueFrom:
@@ -65,9 +71,23 @@ spec:
             valueFrom:
               secretKeyRef:
                 name: logstash-writer-secret
-                key: password 
+                key: password
+          - name: MONITORING_USER
+            valueFrom:
+              secretKeyRef:
+                name: user-monitoring-secret
+                key: username
+          - name: MONITORING_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: user-monitoring-secret
+                key: password  
           - name: ELASTIC_ELASTICSEARCH_ES_HOSTS
             value: 'https://elastic-elasticsearch-es-http.{{ .Release.Namespace }}.svc:9200'
+          - name: ELASTICSEARCH_SSL_CERTIFICATE_VERIFICATION
+            value: "true"
+          - name: ELASTICSEARCH_SSL_CA_PATH
+            value: "/usr/share/logstash/config/certs/ca.crt"
       volumes:
       {{- range .Values.logstash.beats.pipelines }}
       - name: pipeline-config-{{- .name }}
@@ -75,6 +95,12 @@ spec:
           name: logstash-{{- $.Values.logstash.beats.pipelines_group_name -}}-{{- .name -}}-config
           defaultMode: 511
       {{- end }}
+      - name: es-certs
+        secret:
+          secretName: elastic-elasticsearch-http-cert-secret-internal
+      - name: certs-logstash
+        secret:
+          secretName: logstash-secret-{{ .Values.logstash.beats.pipelines_group_name }}
   pipelinesRef:
     secretName: logstash-{{ .Values.logstash.beats.pipelines_group_name }}-pipelines-yml
 ---
@@ -98,3 +124,63 @@ data:
     {{ tpl .output $ | nindent 6 }} 
 ---
 {{- end }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: logstash-api-{{ .Values.logstash.beats.pipelines_group_name }}
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: 50m
+    external-dns.alpha.kubernetes.io/hostname: "{{ template "logstash.dns" . }},{{- include "logstash.dns.array" . | trim}}"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+      - {{ template "logstash.dns" . }}
+    secretName: logstash-secret-{{ .Values.logstash.beats.pipelines_group_name }}
+  rules:
+    - host: {{ template "logstash.dns" . }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: logstash-{{ .Values.logstash.beats.pipelines_group_name }}-ls-api
+                port:
+                  number: 9600
+---
+{{ $concatUrl :=  (include "logstash.dns"  .) }}
+{{ $prefix := (default "l" .Values.logstash.urlPrefix) }}
+{{- range $index_i :=  until (.Values.logstash.count |int ) -}}
+{{- printf "\n"}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: tcp-services-{{ $.Values.logstash.pipelines_group_name }}-{{$index_i}}
+data:
+  5044: "observability/logstash-{{ $.Values.logstash.beats.pipelines_group_name }}-ls-{{$index_i}}:5044"
+{{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: logstash-{{ .Values.logstash.beats.pipelines_group_name }}
+spec:
+  duration: {{ .Values.logstash.cert.duration }}
+  renewBefore: {{ .Values.logstash.cert.renewBefore }}
+  commonName: {{ template "logstash.dns" . }}
+  secretName: logstash-secret-{{ .Values.logstash.beats.pipelines_group_name }}
+  dnsNames:
+    - "{{ template "logstash.dns" . }}"
+{{- range $index_i :=  until (.Values.logstash.count |int ) }}
+    - "{{$prefix}}{{$index_i}}.{{$concatUrl}}"
+{{- end }}    
+    - "logstash.{{ .Release.Namespace }}" 
+    - "logstash-{{ .Values.logstash.beats.pipelines_group_name }}-ls-api.{{ .Release.Namespace }}"
+  issuerRef:
+    name: internal-issuer
+    kind: Issuer
+  privateKey:
+    encoding: "PKCS8" 
+---
\ No newline at end of file
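Review bot: The new Ingress publishes the Logstash HTTP API (`…-ls-api`, port 9600) at `/` under an external-dns hostname, and the `config:` block in this file sets no `api.auth.*`. Unless authentication is configured elsewhere, the node and pipeline details that API serves become readable to anyone who can reach the ingress controller. Either drop the Ingress, or enable `api.auth.type: basic` with credentials from a Secret and limit client addresses with `nginx.ingress.kubernetes.io/whitelist-source-range`. Separately, the ConfigMap name uses `$.Values.logstash.pipelines_group_name`, the path that `_helpers.tpl` in this commit renames to `logstash.beats.pipelines_group_name`. The `range` also emits its ConfigMaps without a `---` between them, so a `logstash.count` above 1 would presumably collapse into one document with duplicate keys.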
diff --git a/values/dev/observability-operator/values.yaml b/values/dev/observability-operator/values.yaml
index 31e909cb195e956c26df4ab20d57731df4c932b1..a02b93c301e0100a56f7bcdf4845ee645ea99820 100644
--- a/values/dev/observability-operator/values.yaml
+++ b/values/dev/observability-operator/values.yaml
@@ -5,4 +5,4 @@ createClusterScopedResources: false
 webhook:
   enabled: false
 config:
-  validateStorageClass: true
\ No newline at end of file
+  validateStorageClass: false
\ No newline at end of file
diff --git a/values/dev/observability/values.yaml b/values/dev/observability/values.yaml
index 5513fb28b8e3ea32a29473abba07c48af70b7bb8..d4feb65243c2bd27aac293a3d403c1d4374a2247 100644
--- a/values/dev/observability/values.yaml
+++ b/values/dev/observability/values.yaml
@@ -114,6 +114,9 @@ logstash:
       memory: 4Gi
     limits:
       memory: 4Gi
+  cert:
+    duration: 2160h0m0s # 90d
+    renewBefore: 360h0m0s # 15d
   pipelines_yml_config: |-
     - pipeline.id: main
       path.config: "/app/elastic/logstash/config/pipelines/*.config"  
@@ -131,6 +134,11 @@ logstash:
         input {
           beats {
             port => 5044
+            ssl => true
+            ssl_certificate_authorities => ["/usr/share/logstash/certs-logstash/ca.crt"]
+            ssl_certificate => "/usr/share/logstash/certs-logstash/tls.crt"
+            ssl_key => "/usr/share/logstash/certs-logstash/tls.key"
+            ssl_verify_mode => "force_peer"
           }
         }
       filter: |-
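Review bot: `ssl_verify_mode => "force_peer"` with `ssl_certificate_authorities` set to the chart's internal CA accepts any certificate that `internal-issuer` has signed, not only Filebeat's; the Elasticsearch and Logstash certificates come from the same issuer. If only Beats clients should connect, issue client certificates from a dedicated CA and trust that one here. The input also uses the older option names (`ssl`, `ssl_verify_mode`) while the outputs in this commit move to `ssl_enabled`/`ssl_verification_mode`; check which names the bundled beats input plugin version expects. The `beats { … }` block is fully inside the hunk; the enclosing pipeline string is not.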
@@ -146,8 +154,9 @@ logstash:
             hosts => [ "${ELASTIC_ELASTICSEARCH_ES_HOSTS}" ]
             user => "${LOGSTASH_USER}"
             password => "${LOGSTASH_PASSWORD}"
-            ssl => true
-            ssl_certificate_verification => false
+            ssl_enabled => "true"
+            ssl_verification_mode => "full"
+            ssl_certificate_authorities => "/usr/share/logstash/config/certs/ca.crt"
             data_stream => "true"
             data_stream_type => "logs"
             data_stream_dataset => "filebeat"
@@ -178,8 +187,9 @@ logstash:
             index => "%{[@metadata][beat]}-%{[@metadata][version]}"
             user => "${LOGSTASH_USER}"
             password => "${LOGSTASH_PASSWORD}"
-            ssl => true
-            ssl_certificate_verification => false
+            ssl_enabled => "true"
+            ssl_verification_mode => "full"
+            ssl_certificate_authorities => "${ELASTIC_ELASTICSEARCH_ES_SSL_CERTIFICATE_AUTHORITY}"
           }
           stdout { 
             codec => rubydebug
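Review bot: `ssl_certificate_authorities => "${ELASTIC_ELASTICSEARCH_ES_SSL_CERTIFICATE_AUTHORITY}"` references an environment variable that nothing visible in this commit defines; logstash_beats.yaml adds `ELASTICSEARCH_SSL_CA_PATH` instead, and the other output uses the literal path. Logstash refuses to load a pipeline whose `${VAR}` has no value and no default, so this output would presumably not start. Use the same value as the first output, `ssl_certificate_authorities => "/usr/share/logstash/config/certs/ca.crt"`, or reference `${ELASTICSEARCH_SSL_CA_PATH}`.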
@@ -196,7 +206,9 @@ filebeat:
 
   # Number of messages per minute. Provide negative number to generate messages without time limit.
   messagesPerMinute: 30
-
+  cert:
+    duration: 2160h0m0s # 90d
+    renewBefore: 360h0m0s # 15d
   # Filebeat configuration file - input 
   input: |
     filebeat.inputs:
@@ -219,7 +231,15 @@ filebeat:
     name: "test"
   output: |
     output.logstash:
-      hosts: ["logstash-beats-ls-beats-0.observability.svc:5044"]
-
-
-
+      hosts: ["${LOGSTASH_HOSTS}"]
+      ssl.enabled: true
+      ssl.certificate_authorities: ["/usr/share/filebeat/es-certs/ca.crt"]
+      ssl.verification_mode: full
+      ssl.certificate: "/usr/share/filebeat/certs/tls.crt"
+      ssl.key: "/usr/share/filebeat/certs/tls.key"
+    monitoring.enabled: "true"
+    monitoring.elasticsearch:
+      hosts: ["${ELASTIC_ELASTICSEARCH_ES_HOSTS}"]
+      ssl.certificate_authorities: ["/usr/share/filebeat/es-certs/ca.crt"]
+      username: "${MONITORING_USER}"
+      password: "${MONITORING_PASSWORD}"
\ No newline at end of file