Hello Community,
I am trying to add to heartbeat (all our infra is running in kubernetes) all our pods that have certs so we can monitor those via HTTPS and alert when it is time to renew them. To access those via HTTPS I need to import the certs into the heartbeat yaml config. I saw this in the elastic documentation:
```yaml
- type: http
  id: my-http-service
  name: My HTTP Service
  hosts: ["https://myhost:443"]
  schedule: '@every 5s'
  ssl:
    certificate_authorities: ['/etc/ca.crt']
    supported_protocols: ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
```
What I cannot find is how to add those certs to the pod so it can point at that location. I have the secrets of the certs, but I am not sure if I should create a secret for heartbeat, or if I should modify the existing one that I see in kube-system.
If I have to create one, do you have a process for how, on creation, it will be called by heartbeat? Do I have to use any apiVersion? And if it is done by modifying the heartbeat token, do I need to replace the ca.crt that I see there?
Thanks for the help. One thing that I forgot to mention is that I already have the certificate in a secret. I used cert-manager to create that secret. Now, my question is how do I point the pod to use that secret? Do I have to create a user and then a secret for the user using a particular apiVersion in kubernetes? (That is the way I did it for other systems, but I had to follow their documentation.) Or is there a particular way to just point at that secret within the yaml of heartbeat?
Sorry, but those did not really help. I already have heartbeat configured and working. I also have a secret that I created and that has the certificate. Now how do I point to that secret?
If you're trying to validate self-signed certificates on pods' HTTPS endpoints, you'll only need to make all root CA certs available to heartbeat pods.
If you already have your CA cert as a K8s secret, you can mount it into the pod filesystem by creating a volume mapping. E.g.:
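One way to wire this up, added here as an illustration and not Emilioalvap's own snippet (which is not shown on this page): a ConfigMap carrying the monitor config and a Deployment that mounts the secret as a read-only volume at the path the monitor's `certificate_authorities` references. Assumed names: the cert-manager secret is `my-ca-secret` in `kube-system` and holds the CA bundle under the key `ca.crt`; `VERSION` is a placeholder image tag.

```yaml
# Added example, not from this thread. Assumes secret "my-ca-secret" in kube-system with the CA under key "ca.crt".
apiVersion: v1
kind: ConfigMap
metadata:
  name: heartbeat-config
  namespace: kube-system
data:
  heartbeat.yml: |
    heartbeat.monitors:
      - type: http
        id: my-http-service
        hosts: ["https://myhost:443"]
        schedule: '@every 5s'
        ssl:
          certificate_authorities: ['/etc/heartbeat/certs/ca.crt']
          supported_protocols: ["TLSv1.2", "TLSv1.3"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: heartbeat
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: heartbeat
  template:
    metadata:
      labels:
        app: heartbeat
    spec:
      containers:
        - name: heartbeat
          image: docker.elastic.co/beats/heartbeat:VERSION  # placeholder tag
          volumeMounts:
            - name: config
              mountPath: /usr/share/heartbeat/heartbeat.yml
              subPath: heartbeat.yml
              readOnly: true
            - name: ca-cert
              mountPath: /etc/heartbeat/certs   # secret keys appear as files here
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: heartbeat-config
        - name: ca-cert
          secret:
            secretName: my-ca-secret
```

Only a CA certificate belongs in `certificate_authorities`; a secret whose only key is a leaf `tls.crt` will not validate the chain. If you restrict the secret volume with `defaultMode: 0400`, remember that secret files are owned by root unless the pod sets `securityContext.fsGroup`, so the Heartbeat process user must still be able to read them.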
Thanks Emilioalvap
OK, this clarifies a lot about how I can import my CA. I just need to make sure that my CA is under the secret. Quick questions: I was reading and I saw that it could be like this:
```yaml
volumes:
  - secret:
      secretName: NAME
      defaultMode: 0400
    name: cert
```
Would that change anything? And lastly, I am trying to do it with tls.crt. Would that work?
This is really helping, Emilioalvap! Thanks. I think I got the whole concept, but I do not have the ca.crt, I just have the tls.crt, and it does not seem to work. I have the TLS cert from GoDaddy. Do you know if I can request the CA from them? When I requested it, they did not know what I was asking and I just got a name.pem file.
I'm sorry, I think I initially mistook what the problem here might be. The solution I described previously assumed the use of self-signed SSL certificates, which are not trusted out-of-the-box by any OS.
That should not be the case if you are using signed certificates provided by GoDaddy; their CA should be widely trusted by default.
Let me retrace a bit: what error(s) do you receive when setting up heartbeat monitors for these SSL endpoints that you mention?
If you don't specify ssl: options, Heartbeat should try to validate using the system's default cert pool, which should include GoDaddy's CA.