Configuring offload client certificates on Kubernetes and OpenShift

Configuring client keys for analytics offload.

The topic Configuring offload server certificates on Kubernetes and OpenShift covers how to configure your ingestion pod to trust your offload endpoint server certificate. This topic covers how to configure mTLS client certificates to be used when your ingestion pod communicates with the offload endpoint.

To configure client certificates, follow the same steps as Configuring offload server certificates on Kubernetes and OpenShift, but add your client certificate and key to the analytics_offload_certificates.yaml file.

For example:
apiVersion: v1
kind: Secret
metadata:
  name: offload-certificates
stringData:
  cacert: |-
    -----BEGIN CERTIFICATE-----
    ...
  clientcert: |-
    -----BEGIN CERTIFICATE-----
    ...
  clientkey: |-
    -----BEGIN PRIVATE KEY-----
    ...
All certificates added to the offload-certificates secret are created as individual files in the ingestion pod's /etc/velox/external_certs/offload directory. You can confirm that the certificate files were created with this command:
kubectl exec -ti <ingestion pod> -- bash -ic "ls /etc/velox/external_certs/offload"
In this example, the command output that is returned shows the three certificate files corresponding to the ones specified in analytics_offload_certificates.yaml:
cacert  clientcert  clientkey
Note: If you have multiple offload targets, then add the certificates for each target with a unique name. For example:
stringData:
  certname_target1: |-
    -----BEGIN CERTIFICATE-----
    ...
  certname_target2: |-
    -----BEGIN CERTIFICATE-----
    ...
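As an added example (not from the product documentation), the following stdlib-only Python script checks the PEM entries before they go into the offload-certificates secret: each cacert/clientcert entry must hold a certificate, each clientkey entry must hold a private key rather than a certificate, the per-target suffix naming shown above is accepted, and the validated entries are rendered as the analytics_offload_certificates.yaml Secret. The PEM bodies used to exercise it are constructed placeholders, not real certificates or keys.

```python
# Added example, not the product's own tooling: validate the PEM files destined for the
# offload-certificates Secret and render analytics_offload_certificates.yaml.
# Standard library only; any PEM passed in during testing is a constructed placeholder.
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

# PEM block types each Secret entry is allowed to contain (the entry name may carry
# a _target suffix when several offload targets are configured).
EXPECTED = {
    "cacert": {"CERTIFICATE"},
    "clientcert": {"CERTIFICATE"},
    "clientkey": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}


def pem_types(pem: str) -> list:
    """Return the block types found in a PEM string; each body must be valid base64."""
    found = []
    for m in PEM_BLOCK.finditer(pem):
        base64.b64decode("".join(m.group(2).split()), validate=True)  # raises on garbage
        found.append(m.group(1))
    if not found:
        raise ValueError("no PEM block found")
    return found


def check_entries(entries: dict) -> dict:
    """Validate every entry and map its Secret key name to its role (cacert/clientcert/clientkey)."""
    roles = {}
    for name, pem in entries.items():
        role = name.split("_")[0]
        if role not in EXPECTED:
            raise ValueError(f"{name}: unknown entry; use cacert, clientcert or clientkey")
        types = set(pem_types(pem))
        if not types <= EXPECTED[role]:
            raise ValueError(f"{name}: expected {sorted(EXPECTED[role])}, got {sorted(types)}")
        roles[name] = role
    return roles


def render_secret(entries: dict, name: str = "offload-certificates") -> str:
    """Render the validated entries as a Secret with stringData block scalars."""
    check_entries(entries)
    lines = ["apiVersion: v1", "kind: Secret", "metadata:", f"  name: {name}", "stringData:"]
    for key, pem in entries.items():
        lines.append(f"  {key}: |-")
        lines.extend("    " + line for line in pem.strip().splitlines())
    return "\n".join(lines) + "\n"
```

Pipe the rendered YAML into kubectl apply, or keep it as analytics_offload_certificates.yaml for the backup described below.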

Update the offload plugin configuration in your analytics CR to reference the certificates in /etc/velox/external_certs/offload as required.

Example HTTP plugin that specifies client certificates:
  external:
    offload:
      enabled: true
      output: |
        http {
          url => "https://example.com"
          http_method => "post"
          ssl_certificate_authorities => "/etc/velox/external_certs/offload/cacert"
          ssl_certificate => "/etc/velox/external_certs/offload/clientcert"
          ssl_key => "/etc/velox/external_certs/offload/clientkey"
          id => "API Connect analytics event data"
        }
For other plugin types the TLS property names might differ; check the Logstash documentation for the plugin you use.
Important: After updating your offload configuration, take a new analytics infrastructure configuration backup to ensure that you have backups of your analytics_offload_certificates.yaml file, your offload secret, and your analytics CR. See Backup, restore, and disaster recovery.