Enabling security for logging services

By default, the security features of logging services are enabled when they are installed together with IBM Cloud Private. You might also have installed additional instances of logging without any security. Starting with IBM Cloud Private version 3.2.0, operating logging in this mode is deprecated, and you must enable security on existing logging instances. For a custom installation of logging services with security turned off, complete the following steps to enable security after you upgrade to the latest version.

Complete the following steps:

  1. Extract the existing logging chart parameters.

    • Extract Helm parameters by running the following command: helm get values logging --tls > values-old.yaml
    • Optionally, apply prior adjustments. All Kubernetes resource manifest adjustments that are made by using the kubectl command are overridden with values that are defined in chart parameters. Replica count, JVM heap size, or container memory limits are a few examples. If prior Kubernetes resource manifests were adjusted, make sure that you apply the same adjustments to values-old.yaml.
  2. Prepare chart parameters.

    • Create a values-override.yaml file that includes the following security settings. These settings match the values that are used when logging is installed together with IBM Cloud Private.

       elasticsearch:
         security:
           authc:
             enabled: true
       security:
         ca:
           # set to `external` to use an existing CA stored in a Kubernetes secret to generate certs
           # set to `internal` to use a self-signed CA generated by the logging service
           origin: external
           external:
             # the secret needs to be in the same namespace as the chart release
             secretName: cluster-ca-cert
             # the Kubernetes field name (key) within the specified secret that stores the CA cert
             certFieldName: tls.crt
             # the Kubernetes field name (key) within the specified secret that stores the CA private key
             keyFieldName: tls.key
      
    • Adjust security settings for standard mode. For example, if you want a new certificate authority, you must set security.ca.origin to internal, and delete the external section.

       security:
         ca:
           origin: internal
      

      For detailed parameter information, see the Helm chart readme file.

  3. Download the chart.

    • Identify chart version.

      Logging chart versions vary based on the installed IBM Cloud Private version. You can use the IBM Cloud Private management console to find chart versions in the service catalog. The logging chart is identified by the name ibm-icplogging under the mgmt-repo repository. You can also select SOURCE & TAR FILES in the IBM Cloud Private management console to find a local link to the chart.

    • Download the chart .tar file.

      Run the following command, using the local link that you identified in the previous bullet:

       curl -k https://<master ip>:8443/mgmt-repo/requiredAssets/ibm-icplogging-x.y.z.tgz > ibm-icplogging-x.y.z.tgz
      
  4. Remove the existing logging certificates, if applicable.

    • For logging that is installed with IBM Cloud Private, run the following command:
      kubectl delete secret logging-elk-certs -n kube-system
      
    • For logging that is installed separately, run the following command:
      kubectl delete secret <logging_helm_release_name>-ibm-icplogging-certs -n <logging_name_space>
      
  5. Upgrade the Helm chart.

    Run the following command. Replace x.y.z with the version that you found in Step 3:

    helm upgrade logging ibm-icplogging-x.y.z.tgz -f values-old.yaml -f values-override.yaml --recreate-pods --force --timeout 600 --tls
    
  6. The logging service becomes available in approximately 5 - 10 minutes. You can also check Helm upgrade status by using the following command:

     helm history --tls logging
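The following POSIX shell script is an added example and is not part of the IBM documentation or the ibm-icplogging chart. It generates values-override.yaml for either CA origin from Step 2, checks the file for the consistency rule stated there (an internal CA must not carry an external section, an external CA must name a secret), and runs a pre-flight check on the inputs of Step 5 before the helm upgrade is issued. The function names, the expectation that the chart .tgz and both values files sit in the current directory, and the default secret name cluster-ca-cert (taken from the settings above) are assumptions of this example.

```shell
#!/usr/bin/env sh
# Added example: prepare and pre-check the inputs for enabling logging security.
# Not part of the IBM Cloud Private documentation or the ibm-icplogging chart.

# write_override <file> <origin> [secretName]
# Writes values-override.yaml. origin is "external" or "internal"; the
# external section is emitted only when origin is external (Step 2).
write_override() {
  file=$1; origin=$2; secret=${3:-cluster-ca-cert}   # default name assumed
  {
    printf 'elasticsearch:\n  security:\n    authc:\n      enabled: true\n'
    printf 'security:\n  ca:\n    origin: %s\n' "$origin"
    if [ "$origin" = external ]; then
      printf '    external:\n      secretName: %s\n' "$secret"
      printf '      certFieldName: tls.crt\n      keyFieldName: tls.key\n'
    fi
  } > "$file"
}

# check_override <file>
# Returns 0 when the override file is consistent with Step 2:
#  - Elasticsearch authentication is enabled
#  - origin is internal or external
#  - internal origin has no external section; external origin names a secret
check_override() {
  file=$1
  grep -q '^      enabled: true' "$file" || return 1
  origin=$(sed -n 's/^    origin: //p' "$file")
  case $origin in
    internal) grep -q '^    external:' "$file" && return 1 ;;
    external) grep -q '^      secretName: ' "$file" || return 1 ;;
    *) return 1 ;;
  esac
  return 0
}

# upgrade_command <release> <version>
# Prints the Step 5 command for the given release name and chart version.
upgrade_command() {
  printf 'helm upgrade %s ibm-icplogging-%s.tgz -f values-old.yaml -f values-override.yaml --recreate-pods --force --timeout 600 --tls\n' "$1" "$2"
}

# preflight <version>
# Returns 0 when everything Step 5 needs is present in the current directory
# and the override passes check_override; prints what is missing otherwise.
preflight() {
  version=$1
  ok=0
  [ -f "ibm-icplogging-$version.tgz" ] || { echo "missing ibm-icplogging-$version.tgz (Step 3)"; ok=1; }
  [ -f values-old.yaml ] || { echo "missing values-old.yaml (Step 1)"; ok=1; }
  if [ -f values-override.yaml ]; then
    check_override values-override.yaml || { echo "values-override.yaml is inconsistent (Step 2)"; ok=1; }
  else
    echo "missing values-override.yaml (Step 2)"; ok=1
  fi
  return $ok
}

# Usage (assumed version placeholder x.y.z replaced with the real chart version):
#   write_override values-override.yaml internal
#   preflight x.y.z && eval "$(upgrade_command logging x.y.z)"
```

Running preflight before the upgrade catches the two mistakes this procedure is most exposed to: forgetting to delete the external section after switching to an internal CA, and running helm upgrade without the values-old.yaml that preserves earlier replica, heap and memory adjustments.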