Configure DNS and TLS

Graylog API Security allows you to enable TLS to add encryption to the API traffic that you capture. In this article, we review how to enable TLS, including how to use your own certificate-key pair and how to take advantage of the built-in cert-manager utility to generate a valid certificate-key pair.

Configure DNS

Before you can enable TLS or authentication, you must associate a DNS name with your Graylog API Security installation. We use the name MYGL-APISEC in the examples here. You can pick your own name for your installation.

The MYGL-APISEC name needs to resolve to the external IP address (EXTERNAL-IP) associated with your installation, as reported by this command:

kubectl get svc resurface-kubernetes-ingress -n resurface

After you create your DNS entry, you can access your Graylog API Security installation using this URL: http://MYGL-APISEC/ui/
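The DNS precondition above is easy to get wrong (a record that still points at an old address, or a load balancer whose EXTERNAL-IP is still pending). The following script is an added example, not part of the Graylog documentation: it reads the ingress Service with the kubectl command shown above, extracts the EXTERNAL-IP column, resolves the chosen name through the system resolver and reports any mismatch. The kubectl output embedded in the script is constructed sample data so the parsing can be exercised offline; the name MYGL-APISEC and namespace resurface come from this page.

```python
"""Added example (not from the Graylog docs): verify that the DNS name chosen for
Graylog API Security resolves to the ingress EXTERNAL-IP before enabling TLS.
The live check needs kubectl on PATH and a reachable cluster; the parsing and the
comparison are pure functions exercised on constructed sample output."""
import socket
import subprocess
from typing import List, Optional

# Constructed sample of `kubectl get svc resurface-kubernetes-ingress -n resurface`
SAMPLE_SVC_READY = """\
NAME                           TYPE           CLUSTER-IP   EXTERNAL-IP    PORT(S)                      AGE
resurface-kubernetes-ingress   LoadBalancer   10.0.12.34   203.0.113.10   80:31234/TCP,443:31235/TCP   3d
"""

# Same command while the cloud load balancer is still being provisioned (constructed)
SAMPLE_SVC_PENDING = """\
NAME                           TYPE           CLUSTER-IP   EXTERNAL-IP   PORT(S)                      AGE
resurface-kubernetes-ingress   LoadBalancer   10.0.12.34   <pending>     80:31234/TCP,443:31235/TCP   3d
"""


def external_ip_from_svc(table: str) -> Optional[str]:
    """Return the EXTERNAL-IP column of kubectl's table output, or None when the
    address is not assigned yet (<pending>/<none>) or the column is missing."""
    lines = [ln for ln in table.splitlines() if ln.strip()]
    if len(lines) < 2:
        return None
    header = lines[0].split()
    if "EXTERNAL-IP" not in header:
        return None
    col = header.index("EXTERNAL-IP")
    fields = lines[1].split()
    if col >= len(fields):
        return None
    ip = fields[col]
    return None if ip.startswith("<") else ip


def dns_problems(name: str, expected_ip: str, resolved: List[str]) -> List[str]:
    """Pure check: every address the name resolves to must be the ingress IP.
    Returns human-readable findings; an empty list means the precondition holds."""
    problems = []
    if not resolved:
        problems.append(f"{name} does not resolve to any address")
    for addr in resolved:
        if addr != expected_ip:
            problems.append(f"{name} resolves to {addr}, expected {expected_ip}")
    return problems


def resolve(name: str) -> List[str]:
    """Live IPv4 resolution through the system resolver (empty list on failure)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check(name: str, namespace: str = "resurface") -> List[str]:
    """Live check: read the ingress Service with kubectl, then compare with DNS."""
    out = subprocess.run(
        ["kubectl", "get", "svc", "resurface-kubernetes-ingress", "-n", namespace],
        capture_output=True, text=True, check=True,
    ).stdout
    ip = external_ip_from_svc(out)
    if ip is None:
        return ["EXTERNAL-IP not assigned yet; wait for the load balancer, then retry"]
    return dns_problems(name, ip, resolve(name))


if __name__ == "__main__":
    import sys

    findings = check(sys.argv[1] if len(sys.argv) > 1 else "MYGL-APISEC")
    print("DNS precondition OK" if not findings else "\n".join(findings))
    sys.exit(1 if findings else 0)
```

Run it as `python check_dns.py MYGL-APISEC` once the record is in place; a non-zero exit means the name is not yet safe to use as `ingress.tls.host`. The check is deliberately strict about multiple A records: if the name also resolves to an address other than the ingress, part of your traffic would never reach the installation.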

Enable TLS

You can generate a TLS certificate-key pair for your Graylog API Security installation, or you can use your own certificate if you have one already.

Hint: You must configure DNS resolution before you can enable TLS. We strongly recommend configuring TLS so that data is encrypted over the network.

Use Your Own Certificate

If you already have a TLS certificate-key pair, create a Kubernetes secret to store the certificate and its private key:

kubectl create secret tls resurface-tls -n resurface --cert=PATH/TO/CERT/FILE --key=PATH/TO/KEY/FILE

Enable TLS for your Graylog API Security installation, referencing the Kubernetes secret:

helm upgrade resurface resurfaceio/resurface --namespace resurface --set ingress.tls.enabled=true --set ingress.tls.host=MYGL-APISEC --set ingress.tls.autoissue.enabled=false --set ingress.tls.byoc.secretname=resurface-tls --reuse-values

You can now access your installation using this URL: https://MYGL-APISEC/ui

Generate a Certificate

If you don't have a TLS certificate-key pair yet, Graylog API Security makes it easy to generate one. Use the cert-manager utility to automatically issue and renew a TLS certificate for your Graylog API Security installation. This built-in functionality uses Let's Encrypt as your certificate authority.

First, install cert-manager into your environment:

helm repo add jetstack https://charts.jetstack.io; helm repo update; helm install cert-manager jetstack/cert-manager --version v1.14.5 --set installCRDs=true --set prometheus.enabled=false

Hint: Do not follow this step if cert-manager is already installed. The cert-manager utility should be installed only once per cluster.

Enable TLS for your Graylog API Security installation by using cert-manager to manage your certificate:

helm upgrade resurface resurfaceio/resurface --namespace resurface --set ingress.tls.enabled=true --set ingress.tls.host=MYGL-APISEC --set ingress.tls.autoissue.enabled=true --set ingress.tls.autoissue.staging=false --set ingress.tls.autoissue.email=MYEMAIL --reuse-values

You can now access your installation using this URL: https://MYGL-APISEC/ui
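Whichever path you took (your own certificate or one issued through cert-manager), it is worth confirming what the ingress actually serves before pointing users at the HTTPS URL. The script below is an added example, not part of the Graylog documentation: it connects to the host, retrieves the peer certificate and checks that it covers the host name, is inside its validity window, is not about to expire, and was not issued by the Let's Encrypt staging CA (the case that `ingress.tls.autoissue.staging=false` avoids; staging certificates are not trusted by browsers). The checks are pure functions over the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, so they run offline on a constructed certificate; the certificate data, the 14-day renewal threshold and the "STAGING" issuer-name test are this example's own assumptions.

```python
"""Added example (not from the Graylog docs): verify the certificate served at
https://MYGL-APISEC/ after TLS has been enabled. The checks run on the dict that
ssl.SSLSocket.getpeercert() returns; fetch_peer_cert() performs the live connection."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, List

# Constructed threshold: Let's Encrypt certificates are valid for 90 days and
# cert-manager renews them automatically, so a short remaining lifetime means
# renewal has not happened and deserves a look.
RENEWAL_WARNING_DAYS = 14

# Constructed peer certificate in getpeercert() dict form (not a real certificate)
SAMPLE_CERT = {
    "subject": ((("commonName", "MYGL-APISEC"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "MYGL-APISEC"),),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2024 GMT",
}

# Same certificate as it would look if issued by the staging environment (constructed;
# assumes the staging CA's organizationName carries a "(STAGING)" prefix)
SAMPLE_STAGING_CERT = dict(
    SAMPLE_CERT,
    issuer=((("organizationName", "(STAGING) Let's Encrypt"),), (("commonName", "Artificial Apricot R3"),)),
)


def _parse_time(value: str) -> datetime:
    # getpeercert() dates look like "Mar 31 23:59:59 2024 GMT"
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def _san_matches(host: str, san: str) -> bool:
    """Exact match, or a wildcard SAN matching exactly one leading label."""
    host, san = host.lower(), san.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san


def cert_problems(cert: Dict, host: str, now: datetime) -> List[str]:
    """Pure check of a peer certificate; an empty list means it looks healthy."""
    problems = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_san_matches(host, san) for san in sans):
        problems.append(f"certificate does not cover {host} (DNS SANs: {sans or 'none'})")
    not_before = _parse_time(cert["notBefore"])
    not_after = _parse_time(cert["notAfter"])
    if now < not_before:
        problems.append(f"certificate not valid before {not_before:%Y-%m-%d}")
    elif now > not_after:
        problems.append(f"certificate expired on {not_after:%Y-%m-%d}")
    else:
        left = (not_after - now).days
        if left < RENEWAL_WARNING_DAYS:
            problems.append(f"certificate expires in {left} days; check cert-manager renewal")
    issuer = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    if "STAGING" in issuer.get("organizationName", "").upper():
        problems.append("issued by the Let's Encrypt staging CA (not trusted by browsers); "
                        "set ingress.tls.autoissue.staging=false")
    return problems


def fetch_peer_cert(host: str, port: int = 443) -> Dict:
    """Live fetch with the default (verifying) context: an untrusted chain, such as a
    staging certificate, already fails here with SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "MYGL-APISEC"
    findings = cert_problems(fetch_peer_cert(target), target, datetime.now(timezone.utc))
    print("TLS looks good" if not findings else "\n".join(findings))
    sys.exit(1 if findings else 0)
```

Run it as `python check_tls.py MYGL-APISEC` after the `helm upgrade` has completed. Because the default context verifies the chain during the handshake, a staging or self-signed certificate surfaces as a connection error rather than a finding; the explicit issuer check only matters if you relax verification to inspect such a certificate.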