Configuring offload client certificates on Kubernetes and OpenShift®

Configuring client keys for analytics offload.

The topic Configuring offload server certificates on Kubernetes and Red Hat OpenShift covers how to configure your ingestion pod to trust your offload endpoint server certificate. This document covers how to configure the mTLS client certificate and private key that your ingestion pod presents when it communicates with the offload endpoint.

To configure client certificates, follow the same steps as Configuring offload server certificates on Kubernetes and Red Hat OpenShift, but add your client certificate and key to the analytics_offload_certificates.yaml file.

For example (the clientkey entry holds the private key, so its PEM header is a private key header such as PRIVATE KEY, RSA PRIVATE KEY, or EC PRIVATE KEY, never CERTIFICATE):
apiVersion: v1
kind: Secret
metadata:
  name: offload-certificates
stringData:
  cacert: |-
    -----BEGIN CERTIFICATE-----
    ...
  clientcert: |-
    -----BEGIN CERTIFICATE-----
    ...
  clientkey: |-
    -----BEGIN PRIVATE KEY-----
    ...
All entries added to the offload-certificates secret, the private key included, are created as individual files in the ingestion pod's /etc/velox/external_certs/offload directory, named after the secret keys. You can confirm that the files were created with this command:
kubectl exec -ti <ingestion pod> -- bash -ic "ls /etc/velox/external_certs/offload"
In this example, the command output shows the three files corresponding to the entries specified in analytics_offload_certificates.yaml:
cacert  clientcert  clientkey
Note: If you have multiple offload targets, then add the certificates for each target with a unique name. For example,
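The following shell script is an added example and is not part of this documentation or the API Connect product. It assembles the offload-certificates secret manifest from PEM files on disk instead of pasting them by hand, and first checks the two mistakes that are easy to make at this step: a clientkey entry that is not actually a private key, and a client key that does not belong to the client certificate. The file names ca.pem, client.pem and client-key.pem are assumptions; the secret keys cacert, clientcert and clientkey are the ones used on this page. The key/certificate match check uses the openssl command line and is skipped with a warning if openssl is not installed.

```shell
#!/bin/sh
# Added example (not API Connect code): validate offload mTLS material and render the Secret.
# Usage: sh offload-secret.sh ca.pem client.pem client-key.pem > analytics_offload_certificates.yaml
set -eu

# pem_type FILE -> label of the first PEM block in FILE, e.g. CERTIFICATE or PRIVATE KEY
pem_type() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# check_secret_inputs CA CERT KEY -> 0 if each file carries the PEM type its secret key expects
check_secret_inputs() {
  ca_t=$(pem_type "$1"); cert_t=$(pem_type "$2"); key_t=$(pem_type "$3")
  [ "$ca_t" = "CERTIFICATE" ] || { echo "cacert: expected CERTIFICATE, got '$ca_t'" >&2; return 1; }
  [ "$cert_t" = "CERTIFICATE" ] || { echo "clientcert: expected CERTIFICATE, got '$cert_t'" >&2; return 1; }
  case "$key_t" in
    "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY") ;;
    *) echo "clientkey: expected a private key PEM block, got '$key_t'" >&2; return 1 ;;
  esac
}

# key_matches_cert CERT KEY -> 0 if the public key in CERT equals the public key derived from KEY
# (compares SHA-256 digests of the DER-encoded public keys; skipped when openssl is absent)
key_matches_cert() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "warning: openssl not found, skipping key/certificate match check" >&2
    return 0
  fi
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ] || { echo "clientkey does not match clientcert" >&2; return 1; }
}

# render_secret NAME CA CERT KEY -> prints a Secret manifest in the stringData layout used on this page
render_secret() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\nstringData:\n' "$1"
  for pair in "cacert=$2" "clientcert=$3" "clientkey=$4"; do
    key=${pair%%=*}; file=${pair#*=}
    printf '  %s: |-\n' "$key"
    sed 's/^/    /' "$file"     # indent every PEM line under the block scalar
  done
}

# Stand-alone use: validate, then print the manifest to stdout.
if [ $# -eq 3 ]; then
  check_secret_inputs "$1" "$2" "$3"
  key_matches_cert "$2" "$3"
  render_secret offload-certificates "$1" "$2" "$3"
fi
```

Apply the printed manifest with kubectl apply -f as in the server certificate topic; because the private key is embedded in plain text under stringData, treat the generated file with the same care as the key itself.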

Update the offload plug-in configuration in your analytics CR to reference the certificates in /etc/velox/external_certs/offload as required.

Example HTTP plug-in that specifies client certificates:
  external:
    offload:
      enabled: true
      output: |
        http {
          url => "https://example.com"
          http_method => "post"
          ssl_certificate_authorities => "/etc/velox/external_certs/offload/cacert"
          ssl_certificate => "/etc/velox/external_certs/offload/clientcert"
          ssl_key => "/etc/velox/external_certs/offload/clientkey"
          id => "API Connect analytics event data"
        }
For other plug-in types the TLS property names might differ; check the Logstash documentation for the plug-in you are using.
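The following script is an added example, not code from this documentation or from API Connect. It cross-checks the certificate paths referenced in the offload output configuration against the keys actually present in the offload-certificates secret, so that a path such as /etc/velox/external_certs/offload/client that has no matching secret key is caught before the analytics CR is applied and the plug-in fails to start. It assumes the secret manifest and the CR fragment are in local files (secret.yaml and cr.yaml are assumed names) and that the mount directory is /etc/velox/external_certs/offload as stated on this page.

```shell
#!/bin/sh
# Added example (not API Connect code): verify that every certificate path used by the
# offload output exists as a key in the offload-certificates Secret.
# Usage: sh check-offload-refs.sh secret.yaml cr.yaml
set -eu

MOUNT_DIR=/etc/velox/external_certs/offload

# secret_keys FILE -> the entry names listed under stringData: or data: in a Secret manifest
secret_keys() {
  awk '/^(stringData|data):/ { in_data = 1; next }
       /^[^ ]/               { in_data = 0 }
       in_data && /^  [A-Za-z0-9_.-]+:/ { sub(/^  /, ""); sub(/:.*/, ""); print }' "$1"
}

# referenced_names FILE -> basenames of quoted MOUNT_DIR paths in the output block (ssl_* settings)
referenced_names() {
  sed -n "s#.*\"$MOUNT_DIR/\([^\"/]*\)\".*#\1#p" "$1"
}

# check_refs SECRET_FILE CR_FILE -> 0 if every referenced file name is a key of the Secret
check_refs() {
  rc=0
  keys=$(secret_keys "$1")
  for name in $(referenced_names "$2"); do
    # shellcheck disable=SC2086  (word-splitting $keys is intended)
    case " $(printf '%s ' $keys)" in
      *" $name "*) ;;
      *) echo "missing: $MOUNT_DIR/$name is referenced, but '$name' is not a key in the Secret" >&2
         rc=1 ;;
    esac
  done
  return $rc
}

if [ $# -eq 2 ]; then
  check_refs "$1" "$2" && echo "all referenced certificate files are present in the Secret"
fi
```

Run it against the manifest you applied and the CR you are about to apply; the ls command shown earlier on this page verifies the same thing from inside the pod, after the fact.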
Important: After updating your offload configuration, take a new analytics infrastructure configuration backup to ensure that you have backups of your analytics_offload_certificates.yaml file, your offload secret, and your analytics CR. See Backup, restore, and disaster recovery.