logstash/docsk8s/setting-up/ls-k8s-secure.asciidoc

[[ls-k8s-secure]]
=== Secure your environment

WARNING: This documentation is still in development and may be changed or removed in a future release.

In order to prepare your environment to be production ready, you'll need to set up secure communication between each of your Elastic resources.

[[security-communication]]
==== Secure communication

[[security-tls]]
===== Setting up TLS

Transport layer security (TLS) helps ensure safe communication between the {stack} components running in {k8s}.
Let's take {filebeat} and {ls} TLS mutual verification as an link:{filebeat-ref}/configuring-ssl-logstash.html[example]. {ls} serves as the server side, while {filebeat} is the client.

Create a `Secret` containing server and client SSL keys:

[source,sh]
--
kubectl create secret generic logstash-beats-tls --from-file=ca.crt --from-file=client.crt --from-file=client.key --from-file=server.crt --from-file=server.pkcs8.key
--

On {ls}, configure the server certificates to the pipeline:

[source,ruby]
--
input {
    beats {
        port => "5044"
        ssl_enabled => true
        ssl_certificate_authorities => ["/usr/share/logstash/config/ca.crt"]
        ssl_certificate => "/usr/share/logstash/config/server.crt"
        ssl_key => "/usr/share/logstash/config/server.pkcs8.key"
        ssl_client_authentication => "required"
    }
}
--

Mount the keys we just created to {ls} `Deployment`:

[source,yaml]
--
          volumeMounts:
            - name: logstash-beats-tls
              mountPath: /usr/share/logstash/config/ca.crt
              subPath: ca.crt
            - name: logstash-beats-tls
              mountPath: /usr/share/logstash/config/server.pkcs8.key
              subPath: server.pkcs8.key
            - name: logstash-beats-tls
              mountPath: /usr/share/logstash/config/server.crt
              subPath: server.crt
      volumes:
        - name: logstash-beats-tls
          secret:
            secretName: logstash-beats-tls
--

On {filebeat}, configure the client certificates:

[source,yaml]
--
apiVersion: beat.k8s.elastic.co/v1beta1
kind: Beat
metadata:
  name: demo
spec:
  type: filebeat
  config:
    output.logstash:
      ssl.certificate_authorities: ["/usr/share/filebeat/ca.crt"]
      ssl.certificate: "/usr/share/filebeat/client.crt"
      ssl.key: "/usr/share/filebeat/client.key"
(...)
  deployment:
    podTemplate:
      spec:
        containers:
          - name: filebeat
            volumeMounts:
              - name: logstash-beats-tls
                mountPath: /usr/share/filebeat/ca.crt
                subPath: ca.crt
              - name: logstash-beats-tls
                mountPath: /usr/share/filebeat/client.key
                subPath: client.key
              - name: logstash-beats-tls
                mountPath: /usr/share/filebeat/client.crt
                subPath: client.crt
        volumes:
          - name: logstash-beats-tls
            secret:
              secretName: logstash-beats-tls
--

[[security-eck-secrets]]
===== Securing connection to {es} on ECK


[[security-eck-secrets-pw]]
====== Authentication

ECK creates a user for every Elastic resource. To access these resources, such as {es}, {ls} needs a username and password.

The default username of {es} is `elastic`. You can also run the command to check the username:

[source,sh]
--
> kubectl describe secret demo-es-elastic-user
Name:         demo-es-elastic-user
Namespace:    default
Labels:       common.k8s.elastic.co/type=elasticsearch
              eck.k8s.elastic.co/credentials=true
              eck.k8s.elastic.co/owner-kind=Elasticsearch
              eck.k8s.elastic.co/owner-name=demo
              eck.k8s.elastic.co/owner-namespace=default
              elasticsearch.k8s.elastic.co/cluster-name=demo
Annotations:  <none>

Type:  Opaque

Data
====
elastic:  24 bytes <1>
--

<1> `elastic` is the username of the resources

To get the password, set `SecretKeyRef` and pass it as a container environment variable in `Deployment`:

[source,yaml]
--
    spec:
      containers:
        - name: logstash
          env:
            - name: ELASTICSEARCH_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: demo-es-elastic-user
                  key: elastic
--

[[security-eck-secrets-self-signed]]
====== Using self-signed certificate

If your certificate is issued by a well-known CA, you can skip this section, otherwise, you need to mount the CA certificate from the `Secret` created by ECK.

[source,yaml]
--
          volumeMounts:
            - name: es-certs
              mountPath: /usr/share/logstash/config/es_ca.crt
              subPath: ca.crt
      volumes:
        - name: es-certs
          secret:
            secretName: demo-es-http-certs-public
--

[[security-k8s-secret]]
==== Using secrets

NOTE: This is for illustration purposes. In production, managing {k8s} secrets should be done using recognized link:https://kubernetes.io/docs/concepts/security/secrets-good-practices/[good practices] to ensure the protection of sensitive information.

To store sensitive information, such as a password, we can use a {k8s} `Secret`, and reference it as a container environment variable.

Encode confidential data with Base64:

[source,sh]
--
echo -n "changeme" | base64
--

NOTE: Base64 is an encoding algorithm not encryption.

Create `Secret` to hold the result of the encoding:

[source,yaml]
--
apiVersion: v1
kind: Secret
metadata:
  name: logstash-secret
type: Opaque
data:
  ES_PW: Y2hhbmdlbWU=
--

Reference the confidential data in `Deployment`:

[source,yaml]
--
    spec:
      containers:
        - name: logstash
          env:
            - name: ELASTICSEARCH_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: logstash-secret
                  key: ES_PW
--

[[security-logstash-keystore]]
==== Using the {ls} keystore

{ls} can use the key of {logstash-ref}/keystore.html[keystore] in place of the confidential data when configure sensitive settings.

To create `Secret` from an existing keystore `logstash.keystore`:

[source,sh]
--
kubectl create secret generic logstash-keystore --from-file=logstash.keystore --dry-run=client -o yaml
--

Mount the `Secret` to the {ls} config directory in `Deployment`:

[source,yaml]
--
apiVersion: apps/v1
kind: Deployment
(...)
    spec:
      containers:
        - name: logstash
          env:
            - name: LOGSTASH_KEYSTORE_PASS <1>
              valueFrom:
                secretKeyRef:
                  name: logstash-secret
                  key: LOGSTASH_KEYSTORE_PASS
(...)
          volumeMounts:
            - name: logstash-keystore
              mountPath: /usr/share/logstash/config/logstash.keystore
              subPath: logstash.keystore
      volumes:
        - name: logstash-keystore
          secret:
            secretName: logstash-keystore
--

<1> `LOGSTASH_KEYSTORE_PASS` is required when the keystore is protected by {logstash-ref}/keystore.html#keystore-password[password]