Securing Logstash API
Access to the Logstash Monitoring APIs uses HTTPS by default: the operator sets the values api.ssl.enabled: true, api.ssl.keystore.path and api.ssl.keystore.password.
You can further secure the Logstash Monitoring APIs by requiring HTTP Basic authentication: set api.auth.type: basic and provide the relevant credentials in api.auth.basic.username and api.auth.basic.password:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: logstash-api-secret
stringData:
  API_USERNAME: "AWESOME_USER"
  API_PASSWORD: "T0p_Secret"
---
apiVersion: logstash.k8s.elastic.co/v1alpha1
kind: Logstash
metadata:
  name: logstash-sample
spec:
  version: 9.3.0
  count: 1
  config:
    api.auth.type: basic
    api.auth.basic.username: "${API_USERNAME}"
    api.auth.basic.password: "${API_PASSWORD}"
  podTemplate:
    spec:
      containers:
        - name: logstash
          envFrom:
            - secretRef:
                name: logstash-api-secret
```

- Store the username and password in a Secret.
- Map the username and password to the environment variables of the Pod.
- At Logstash startup, ${API_USERNAME} and ${API_PASSWORD} are replaced by the value of environment variables. Check using environment variables for more details.
An alternative is to set up keystore to resolve ${API_USERNAME} and ${API_PASSWORD}.
The variable substitution in config does not support the default value syntax.
The TLS Keystore is automatically generated and includes a certificate and a private key, with default password protection set to changeit. This password can be modified by configuring the api.ssl.keystore.password value.
```yaml
apiVersion: logstash.k8s.elastic.co/v1alpha1
kind: Logstash
metadata:
  name: logstash-sample
spec:
  count: 1
  version: 9.3.0
  config:
    api.ssl.keystore.password: "${SSL_KEYSTORE_PASSWORD}"
```

If you want to use your own certificate, the required configuration is similar to Elasticsearch. Configure the certificate in api Service. Check Custom HTTP certificate.
```yaml
apiVersion: logstash.k8s.elastic.co/v1alpha1
kind: Logstash
metadata:
  name: logstash-sample
spec:
  version: 9.3.0
  count: 1
  elasticsearchRef:
    name: "elasticsearch-sample"
  services:
    - name: api
      tls:
        certificate:
          secretName: my-cert
```

- The service name api is reserved for Logstash monitoring endpoint.
You can disable TLS by disabling the generation of the self-signed certificate in the API service definition:

```yaml
apiVersion: logstash.k8s.elastic.co/v1alpha1
kind: Logstash
metadata:
  name: logstash-sample
spec:
  version: 9.3.0
  count: 1
  elasticsearchRef:
    name: "elasticsearch-sample"
  services:
    - name: api
      tls:
        selfSignedCertificate:
          disabled: true
```
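The settings on this page can be checked before a manifest is applied. The following is an added example, not code from Elastic: a small Python audit over a Logstash resource in parsed (dict) form. The function name, finding labels and sample inputs are constructed for illustration; it assumes dotted config keys as used on this page, and that TLS stays on when a custom certificate Secret is set.

```python
import re

# ${VAR} is an environment/keystore reference; ${VAR:default} is the default-value
# form that, per this page, substitution in `config` does not support.
REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*(:[^}]*)?\}$")
SECRET_KEYS = ("api.auth.basic.username", "api.auth.basic.password",
               "api.ssl.keystore.password")

def audit_logstash_api(cr):
    """Return a list of findings for one Logstash custom resource (dict)."""
    spec = cr.get("spec", {})
    config = spec.get("config") or {}   # assumption: dotted keys, as on this page
    findings = []

    # The service named "api" is the reserved monitoring endpoint.
    api = next((s for s in spec.get("services", []) if s.get("name") == "api"), {})
    tls = api.get("tls", {})
    self_signed_off = tls.get("selfSignedCertificate", {}).get("disabled", False)
    custom_cert = tls.get("certificate", {}).get("secretName")
    if self_signed_off and not custom_cert:      # assumption: custom cert keeps TLS on
        findings.append("tls-disabled")
    elif "api.ssl.keystore.password" not in config:
        findings.append("default-keystore-password")   # page default: changeit

    if config.get("api.auth.type") != "basic":
        findings.append("no-basic-auth")

    for key in SECRET_KEYS:
        value = config.get(key)
        if value is None:
            continue
        m = REF.match(str(value))
        if m is None:
            findings.append("inline-secret:" + key)    # literal credential in the CR
        elif m.group(1):
            findings.append("default-syntax:" + key)   # ${VAR:default} is unsupported
    return findings

# Constructed sample inputs (not taken from a real cluster).
HARDENED = {"spec": {"config": {
    "api.auth.type": "basic",
    "api.auth.basic.username": "${API_USERNAME}",
    "api.auth.basic.password": "${API_PASSWORD}",
    "api.ssl.keystore.password": "${SSL_KEYSTORE_PASSWORD}"}}}
WEAK = {"spec": {
    "config": {"api.auth.type": "basic",
               "api.auth.basic.username": "admin",
               "api.auth.basic.password": "${API_PASSWORD:changeit}"},
    "services": [{"name": "api",
                  "tls": {"selfSignedCertificate": {"disabled": True}}}]}}

if __name__ == "__main__":
    print(audit_logstash_api(HARDENED), audit_logstash_api(WEAK))
```

An empty finding list means the resource keeps TLS on, requires Basic authentication, and references every credential through a variable rather than a literal value.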