Enabling security for logging services

By default, the security features of the logging services are enabled when the services are installed together with IBM Cloud Pak for Multicloud Management. On existing logging instances, you must enable security yourself. For a custom installation of the logging services with security turned off, use the following procedure to enable security.

Complete the following steps:

  1. Extract the existing logging chart parameters.

    • Extract the Helm parameters by running the following command:
       helm get values logging --tls > values-old.yaml
    • Optionally, apply prior adjustments. All Kubernetes resource manifest adjustments that are made by using the kubectl command are overridden with values that are defined in chart parameters. Replica count, JVM heap size, or container memory limits are a few examples. If prior Kubernetes resource manifests were adjusted, make sure that you apply the same adjustments to values-old.yaml.
  2. Prepare chart parameters.

    • Create a values-override.yaml file that contains the following security settings. These settings are the values that are used when logging is installed together with IBM Cloud Pak for Multicloud Management.

       elasticsearch:
         security:
           authc:
             enabled: true
       security:
         ca:
           # set to `external` to generate certificates from an existing CA that is stored in a Kubernetes secret
           # set to `internal` to use a self-signed CA that is generated by the logging service
           origin: external
           external:
             # the secret must be in the same namespace as the chart release
             secretName: cluster-ca-cert
             # the Kubernetes field name (key) within the specified secret that stores the CA certificate
             certFieldName: tls.crt
             # the Kubernetes field name (key) within the specified secret that stores the CA private key
             keyFieldName: tls.key

    • Adjust security settings for standard mode. For example, if you want a new certificate authority, you must set security.ca.origin to internal, and delete the external section.

       security:
         ca:
           origin: internal


      For detailed parameter information, see the Helm chart readme file.

  3. Download the chart.

    • Identify chart version.

      Logging chart versions vary based on the installed version of IBM Cloud Pak for Multicloud Management. You can use the console to find chart versions in the service catalog. The logging chart can be identified by the name ibm-icplogging under the mgmt-repo repository. You can also select SOURCE & TAR FILES from the console to find a local link to a chart.

    • Download the chart .tar file.

      Run the following command by using the local link found in Step 3:

       curl -k https://<master ip>:8443/mgmt-repo/requiredAssets/ibm-icplogging-x.y.z.tgz > ibm-icplogging-x.y.z.tgz
      
  4. Remove the existing logging certificates, if applicable.

    • For logging that is installed with IBM Cloud Pak for Multicloud Management, run the following command:
      kubectl delete secret logging-elk-certs -n kube-system
      
    • For logging that is installed separately, run the following command:
      kubectl delete secret <logging_helm_release_name>-ibm-icplogging-certs -n <logging_name_space>
      
  5. Upgrade the Helm chart.

    Run the following command. Replace x.y.z with the version that you found in Step 3:

    helm upgrade logging ibm-icplogging-x.y.z.tgz -f values-old.yaml -f values-override.yaml --recreate-pods --force --timeout 600 --tls
    
  6. The logging service becomes available in approximately 5 - 10 minutes. You can also check Helm upgrade status by using the following command:

     helm history --tls logging
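The upgrade in Step 5 passes two values files, and Helm layers them by deep-merging mappings: a scalar in values-override.yaml replaces the same key from values-old.yaml, but keys that exist only in values-old.yaml (the prior adjustments from Step 1, and also a stale external section when you switch to an internal CA in Step 2) survive into the merged values. The following script is an added example and is not part of the IBM documentation or the ibm-icplogging chart. It reproduces that layering for the small YAML subset these values files use (nested mappings, scalar values, # comments), then checks the merged security settings before helm upgrade is run. The values-old.yaml contents are constructed; the override is the one from Step 2.

```python
"""Layer values-old.yaml under values-override.yaml the way `helm upgrade -f a -f b`
does, then check the merged security settings before running the upgrade.

Added example, not part of the IBM documentation or the ibm-icplogging chart.
The file contents below are constructed; the parser handles only the YAML subset
these values files use (nested mappings, scalar leaves, `#` comments).
"""
import re

# Constructed stand-in for `helm get values logging --tls > values-old.yaml`:
# security off, plus a replica count that was adjusted earlier (a "prior adjustment").
VALUES_OLD = """\
elasticsearch:
  security:
    authc:
      enabled: false
  data:
    replicas: 3
security:
  ca:
    origin: internal
"""

# The values-override.yaml from Step 2 (external CA stored in secret cluster-ca-cert).
VALUES_OVERRIDE = """\
elasticsearch:
  security:
    authc:
      enabled: true
security:
  ca:
    # set to `external` to use an existing CA stored in a Kubernetes secret
    # set to `internal` to use a self-signed CA generated by the logging service
    origin: external
    external:
      # the secret must be in the same namespace as the chart release
      secretName: cluster-ca-cert
      certFieldName: tls.crt
      keyFieldName: tls.key
"""

# Constructed: an instance that already runs with the external-CA values above ...
VALUES_OLD_EXTERNAL = VALUES_OVERRIDE

# ... being switched to a new internal CA with the minimal override from Step 2.
VALUES_OVERRIDE_INTERNAL = """\
security:
  ca:
    origin: internal
"""


def _coerce(value):
    """Turn a scalar token into a Python value (quoted string, bool, int, or str)."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    return value


def parse_simple_yaml(text):
    """Parse nested mappings with scalar leaves; lists and block scalars are not supported."""
    root = {}
    stack = [(-1, root)]  # (indent of the key that opened the mapping, mapping)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # close mappings that are deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":  # `key:` with nothing after it opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = _coerce(value.strip())
    return root


def deep_merge(base, override):
    """Helm-style merge: mappings merge recursively, anything else in override wins."""
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def merged_values(old_text, override_text):
    """Values that `-f values-old.yaml -f values-override.yaml` would hand to the chart."""
    return deep_merge(parse_simple_yaml(old_text), parse_simple_yaml(override_text))


def check_security_values(values):
    """Return a list of problems with the merged security settings; empty means ready."""
    problems = []
    authc = values.get("elasticsearch", {}).get("security", {}).get("authc", {})
    if authc.get("enabled") is not True:
        problems.append("elasticsearch.security.authc.enabled must be true")
    ca = values.get("security", {}).get("ca", {})
    origin = ca.get("origin")
    if origin not in ("internal", "external"):
        problems.append(f"security.ca.origin must be internal or external, got {origin!r}")
    external = ca.get("external")
    if origin == "external":
        if not isinstance(external, dict):
            problems.append("security.ca.origin is external but security.ca.external is missing")
        else:
            for field in ("secretName", "certFieldName", "keyFieldName"):
                if not external.get(field):
                    problems.append(f"security.ca.external.{field} is missing or empty")
    elif origin == "internal" and external is not None:
        # The override did not remove the section: it was carried over from values-old.yaml.
        problems.append("security.ca.origin is internal but an external section is still "
                        "present (carried over from values-old.yaml); delete it there too")
    return problems


if __name__ == "__main__":
    for label, old, new in (("enable with external CA", VALUES_OLD, VALUES_OVERRIDE),
                            ("switch to internal CA", VALUES_OLD_EXTERNAL, VALUES_OVERRIDE_INTERNAL)):
        problems = check_security_values(merged_values(old, new))
        print(f"{label}: {'ready for helm upgrade' if not problems else problems}")
```

The first scenario passes, and the merged values still carry the replica count from values-old.yaml, which is what the procedure relies on when it tells you to keep prior adjustments there. The second scenario is flagged: setting origin to internal in the override does not drop an external section that the old values contain, so "delete the external section" has to be applied to values-old.yaml as well, not only to the override file.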